53-1001986-01 31 August 2010 BigIron RX Series Configuration Guide Supporting Multi-Service IronWare v02.7.
Copyright © 2010 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Contents

About This Document
Audience, xli
Supported hardware and software, xli
List of supported features, xli
Unsupported features, xliv
What's new in this document

CONFIG commands, 4
Accessing the CLI, 7
Navigating among command levels, 8
CLI command structure, 8
Searching and filtering output, 9
Allowable characters for LAG names

Flash memory and PCMCIA flash card file management commands, 36
Management focus, 37
Flash memory file system, 38
PCMCIA flash card file system, 39
Wildcards

Configuring SSL security for the Web Management Interface, 82
Enabling the SSL server on the device, 83
Importing digital certificates and RSA private key files, 83
Generating an SSL certificate, 84
Configuring TACACS and TACACS+ security, 84
How TACACS+ differs from TACACS

Configuring an interface as source for all Telnet packets, 122
Cancelling an outbound Telnet session, 123
Configuring an interface as the source for all TFTP packets, 123
Configuring an interface as the source for Syslog packets, 123
Specifying a Simple Network Time Protocol (SNTP) server, 124
Setting the system clock, 126
New Daylight Saving Time (DST)

Monitoring an individual trunk port, 147
Mirror ports for Policy-Based Routing (PBR) traffic, 148
About hardware-based PBR, 148
Configuring mirror ports for PBR traffic, 149
Displaying mirror and monitor port configuration, 149
Enabling WAN PHY mode support

Configuring forwarding parameters, 192
Disabling ICMP messages, 194
Disabling ICMP redirect messages, 196
Configuring static routes, 197
Static route tagging, 201
Configuring a default network route

General operating principles, 255
Operating modes, 255
LLDP packets, 255
TLV support, 256
MIB support, 259
Syslog messages

VLAN configuration rules, 288
VLAN ID range, 288
Tagged VLANs, 288
VLAN hierarchy, 288
Multiple VLAN membership rules, 288
Layer 2 control protocols on VLANs

Displaying VLAN information, 320
Displaying VLAN information, 320
Displaying VLAN information for specific ports, 321
Displaying VLAN status and port types, 321
Displaying VLAN group information, 323
Transparent firewall mode

State machines, 358
Handshake mechanisms, 359
Convergence in a simple topology, 369
Convergence at start up, 370
Convergence after a link failure, 372
Convergence at link restoration

MRP CLI example, 413
Commands on switch A (master node), 414
Commands on switch B, 414
Commands on switch C, 415
Commands on switch D

Displaying topology group information, 441
Displaying topology group information, 441
Chapter 17 Configuring VRRP and VRRPE
Overview of VRRP, 443
Standard VRRP, 443
Brocade enhancements of VRRP, 445
Overview of VRRPE

Configuring ToS-based QoS, 474
Enabling ToS-based QoS, 474
Specifying trust level, 474
Enabling marking, 474
Configuring the QoS mappings, 475
Changing the CoS –> DSCP mappings

Configuring rate limiting policies, 502
Configuring a port-based rate limiting policy, 502
Configuring a port-and-priority-based rate limiting policy, 503
Configuring a port-and-VLAN-based rate limiting policy, 503
Configuring a VLAN-group-based rate limiting policy, 504
Configuring a port-and-IPv6 ACL-based traffic reduction, 506
NP based multicast, broadcast, and unknown-unicast rate limiting

Displaying ACL definitions, 536
Displaying of TCP/UDP numbers in ACLs, 537
ACL logging, 547
Enabling the new logging method, 548
Specifying the wait time, 548
Modifying ACLs

Chapter 23 Configuring IP Multicast Protocols
Overview of IP multicasting, 573
Multicast terms, 573
Changing global IP multicast parameters, 574
Defining the maximum number of DVMRP cache entries, 574
Defining the maximum number of PIM cache entries, 574
IP multicast boundaries

Changing the Shortest Path Tree (SPT) threshold, 606
Changing the PIM join and prune message interval, 607
MLL optimization, 607
Displaying PIM Sparse configuration information and statistics, 607
Displaying basic PIM Sparse configuration information, 608
Displaying a list of multicast groups

Configuring DVMRP, 643
Enabling DVMRP globally and on an interface, 643
Modifying DVMRP global parameters, 643
Modifying DVMRP interface parameters, 646
Displaying information about an upstream neighbor device, 647
Configuring a static multicast route

Configuring OSPF, 677
Configuration rules, 678
OSPF parameters, 678
Enable OSPF on the router, 679
Assign OSPF areas, 679
Assigning an area range (optional)

Chapter 26 Configuring BGP4 (IPv4 and IPv6)
Overview of BGP4, 731
Relationship between the BGP4 route table and the IP route table, 732
How BGP4 selects a path for a route, 732
BGP4 message types, 734
Brocade implementation of BGP4

Configuring BGP4 neighbors, 761
Removing route dampening from suppressed neighbor routes, 765
Encryption of BGP4 MD5 authentication keys, 766
Configuring a BGP4 peer group, 768
Peer group parameters

Chapter 27 Configuring MBGP
Configuration considerations, 848
Configuring MBGP, 848
Setting the maximum number of multicast routes supported, 848
Enabling MBGP, 849
Adding MBGP neighbors

Configuring IPv4 address family route parameters, 870
Changing the metric style, 870
Changing the maximum number of load sharing paths, 870
Enabling advertisement of a default route, 870
Changing the administrative distance for IPv4 IS-IS, 871
Configuring summary addresses, 872
Redistributing routes into IPv4 IS-IS

Chapter 30 Configuring Secure Shell
Overview of Secure Shell (SSH), 905
SSH version 2 support, 905
Supported features, 906
Configuring SSH, 906
Generating a host key pair

Chapter 32 Using the MAC Port Security Feature and Transparent Port Flooding
MAC Port Security, 931
Violation actions, 931
Local and global resources, 932
Configuring the MAC Port Security feature, 932
Enabling the MAC Port Security feature

Configuring 802.1x port security, 954
Configuring an authentication method list for 802.1x, 955
Setting RADIUS parameters, 955
Configuring dynamic VLAN assignment for 802.1x ports, 956
Disabling and enabling strict security mode for dynamic filter assignment, 957
Dynamically applying existing ACLs or MAC address filter

Chapter 35 Inspecting and Tracking DHCP Packets
Dynamic ARP inspection, 983
ARP attacks, 983
How DAI works, 984
Limits and restrictions, 985
Configuring DAI

Reading CDP packets, 1010
Enabling interception of CDP packets globally, 1010
Enabling interception of CDP packets on an interface, 1010
Displaying CDP information, 1010
Clearing CDP information, 1012
Chapter 38 Remote Network Monitoring
Basic management

Chapter 41 Configuring IP Multicast Traffic Reduction
Enabling IP multicast traffic reduction, 1046
Changing the IGMP mode, 1047
Modifying the query interval, 1048
Modifying the age interval, 1048
Filtering multicast groups, 1048
Static IGMP membership

Configuring an IPv6 host address for a BigIron RX running a switch image, 1068
Configuring a global or site-local IPv6 address with a manually configured interface ID as the switch's system-wide address, 1068
Configuring a global or site-local IPv6 address with an automatically computed EUI-64 interface ID as the switch's system-wide address

Clearing global IPv6 information
Clearing the IPv6 cache
Clearing IPv6 neighbor information
Clearing IPv6 routes from the IPv6 route table
Clearing IPv6 traffic statistics
Deleting IPv6 session flows

Clearing BGP4+ information
Removing route flap dampening
Clearing route flap dampening statistics
Clearing BGP4+ local route information
Clearing BGP4+ neighbor information
Clearing and resetting BGP4+ routes in the IPv6 route table

Chapter 48 Configuring OSPF Version 3
OSPF version 3, 1189
Link state advertisement types for OSPFv3, 1189
Configuring OSPFv3, 1190
Enabling OSPFv3, 1190
Assigning OSPFv3 areas, 1191
Configuring virtual links

Multicast Listener Discovery and source specific multicast protocols (MLDv2), 1247
MLD version distinctions, 1248
Enabling MLDv2, 1249
Enabling source specific multicast, 1249
Setting the query interval

RFC compliance
RFC compliance - BGPv4
RFC compliance - OSPF
RFC compliance - IS-IS
RFC compliance - RIP
RFC compliance - IP Multicast

Multicast (IP), 1325
Multicast (L2), 1327
OSPF version 4, 1327
Port parameters, 1329
Port-based routing
About This Document

Audience
This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network: IP, RIP, OSPF, BGP, ISIS, IGMP, PIM, DVMRP, and VRRP.

Supported hardware and software
Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc.
TABLE 1 Supported features (Continued)
Category: Management Options
Feature description: Serial and Telnet access to industry-standard Command Line Interface (CLI); SSHv2; TFTP; Web-based GUI; SNMP versions 1, 2, and 3; IronView Network Manager.
Category: Security
Feature description: AAA Authentication; Local passwords; RADIUS; Secure Shell (SSH) version 2; Secure Copy (SCP); TACACS and TACACS+; User accounts; 802.

TABLE 1 Supported features (Continued)
Category: Rate Limiting
Feature description: Port-based, port-and-priority-based, port-and-VLAN-based, and port-and-ACL-based rate limiting on inbound ports are supported.
Category: SuperSpan
Feature description: A Brocade STP enhancement that allows Service Providers (SPs) to use STP in both SP networks and customer networks.
Category: Topology Groups
Feature description: A named set of VLANs that share a Layer 2 topology. You can use topology groups with the following Layer 2 protocols:
• STP
• Brocade MRP
• VSRP
• 802.

TABLE 1 Supported features (Continued)
Category: Multicast Routing
Feature description: Multicast cache; L2 IGMP table; DVMRP routes; PIM-DM; PIM-SM; PIM-SSM; PIM Snooping.
Category: OSPF
Feature description: OSPF routes; OSPF adjacencies - Dynamic; OSPF LSAs; OSPF filtering of advertised routes.
Category: PBR
Feature description: Policy Based Routing (Release 02.2.
What's new in this document
The following tables provide brief descriptions of the enhancements added in each BigIron RX software release, and a reference to the specific chapter and section in the BigIron RX Configuration Guide or the Brocade BigIron RX Series Installation Guide that contain a detailed description and operational details for the enhancement.

Enhancements in release 02.7.03
TABLE 2 Summary of enhancements in release 02.7.
TABLE 2 Summary of enhancements in release 02.7.03
Enhancement: MAC Port Security
Description: The MAC Port Security feature has been updated for the 02.7.03 release.
Enhancements in release 02.7.01
TABLE 4 Summary of enhancements in release 02.7.01 (Continued)
Enhancement: 128-bit AES encryption support for SNMP V3
Description: The Advanced Encryption Standard (AES) provides one of the most advanced encryption capabilities available today. This release adds AES for SNMPv3 as specified in RFC 3826. To enable AES encryption, specify the aes encryption type when defining an SNMP user account.
TABLE 5 Summary of enhancements in release 02.7.00 (Continued)
Enhancement: DHCP Relay Enhancement
Description: Beginning with this release, the IP subnet configured on the port that is directly connected to the device sending a BootP/DHCP request does not have to match the subnet of the IP address given by the DHCP server.
TABLE 6 Summary of enhancements in release 02.6.00 (Continued)
Enhancement: VSRP Fast Start
Description: Non-Brocade or non-VSRP-aware devices connected to a VSRP master can now quickly switch over to the new master when a VSRP failover occurs.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Virtual Switch Redundancy Protocol (VSRP)"; Section: "VSRP fast start"
Enhancement: LACP Enhancements
Description: Beginning with release 02.6.

TABLE 6 Summary of enhancements in release 02.6.00 (Continued)
Enhancement: IGMPv3 and IGMP Snooping
Description: In Release 02.6.00 of the Multi-Service IronWare software, creating an IGMP static group allows a BigIron RX switch whose L2 interfaces are configured with snooping to pull traffic from upstream sources using IGMP joins. When using the uplink option, you avoid burning a dedicated port. This is supported for IGMP v2 and v3.
Enhancements in patch release 02.5.00c
TABLE 7 Summary of enhancements in release 02.5.00c
Enhancement: Super ACLs
Description: With this patch release, the Multi-Service IronWare software supports Super ACLs that can match on fields in a Layer 2 or Layer 4 packet header.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Access Control List"; Section: "Configuring super ACLs"

Enhancements in patch release 02.5.00b
TABLE 8 Summary of enhancements in release 02.5.

TABLE 9 Summary of enhancements in release 02.5.00 (Continued)
Enhancement: Static Route ARP Validate Next Hop
Description: Beginning with release 02.5.00, you can configure the BigIron RX to perform validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Configuring IP"; Section: "Static route ARP validation check"
Enhancement: Multicast MLL Sharing
Description: In Release 02.5.
Enhancements in release 02.4.00
TABLE 11 Summary of enhancements in release 02.4.00
Enhancement: US Daylight Saving Time scheme
Description: The new Daylight Saving Time (DST) change that went into effect on March 11th, 2007 affects only networks following the US time zones. However, for the device to switch to the correct time, it must be configured with the US time zone, not the GMT offset.

TABLE 11 Summary of enhancements in release 02.4.00 (Continued)
Enhancement: New show OSPF neighbor by area command
Description: This feature allows OSPF to display the OSPF neighbors existing in a particular area.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Configuring OSPF Version 2 (IPv4)"; Section: "Displaying OSPF neighbor information"
Enhancement: Track IP route time in show command
Description: The show ip route command has been enhanced to include the elapsed time since an IP route was installed.

TABLE 11 Summary of enhancements in release 02.4.00 (Continued)
Enhancement: Multicast Boundaries
Description: The Multicast Boundary feature is designed to selectively allow or disallow multicast flows to configured interfaces.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Configuring IP Multicast Protocols"; Section: "IP multicast boundaries"
Enhancement: MBGP for IPv6
Description: This release supports the Multi-protocol Border Gateway Protocol (MBGP) for IPv6.

TABLE 11 Summary of enhancements in release 02.4.00 (Continued)
Enhancement: ACL-Based Mirroring
Description: With this release, the Multi-Service IronWare software supports using an ACL to select traffic for mirroring from one port to another.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Access Control List"; Section: "ACL-based inbound mirroring"
Enhancement: ip dns domain-list command
Description: This feature is designed to define a list of domain names that are used in order to resolve a host.
Enhancements in patch release 02.3.00a
TABLE 12 Summary of enhancements in patch release 02.3.00a
Enhancement: Transparent Port Flooding
Description: When the Transparent Port Flooding feature is enabled for a port, all MAC learning is disabled for that port. As a result, all Layer 2 traffic is flooded to all other ports within the VLAN. Starting with release 02.3.00a.

Enhancements in release 02.3.00
System enhancements
TABLE 13 System enhancements
Enhancement: New Hardware Support
Description: The following new hardware is supported with the 02.3.00 software release for the BigIron RX:
1. 10G-XFP-CX4 (part number 10G-XFP-CX4): a new XFP module is available for use in the BigIron RX Series and 10G Interface Modules with the following capabilities:
• 10GBASE-CX4 compliant per 802.
TABLE 13 System enhancements (Continued)
Enhancement: Enhanced Digital Optical Monitoring
Description: You can configure the BigIron RX to monitor XFPs and SFPs in the system either globally or by specified port.
See: Book: Brocade BigIron RX Series Installation Guide; Chapter: Connecting a BigIron RX Series Switch to a Network Device; Section: Enhanced Digital Optical Monitoring
Enhancement: Re-distributing CAM Allocations
Description: In releases prior to 02.3.00, CAM partitioning was not configurable.

Layer 3 enhancements
TABLE 15 Layer 3 enhancements
Enhancement: OSPF NBMA
Description: You can configure an interface to send OSPF unicast packets rather than broadcast packets to its neighbor by configuring non-broadcast multi-access (NBMA) networks.

TABLE 15 Layer 3 enhancements (Continued)
Enhancement: Default Originate Route for BGP
Description: In this release, if a default route is not present in the IP routing table, the user can configure a major route to be used for forwarding packets to all unknown destinations. Starting with release 02.3.00a.
TABLE 16 IP multicast enhancements (Continued)
Enhancement: MSDP Mesh Groups
Description: This release supports Multicast Source Discovery Protocol (MSDP) Mesh Groups. This feature allows you to connect several RPs to each other, which reduces the forwarding of SA messages within a domain.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Configuring IP Multicast Protocols"; Section: "Configuring MSDP mesh group"
Enhancement: IGMP v3
Description: IGMP v3 provides selective filtering of traffic based on traffic source.

TABLE 17 IP service, security, and Layer 4 enhancements (Continued)
Enhancement: Port Security MAC Violation Limit
Description: This feature provides protection against physical link instability. It lets a user configure a port to be kept in a down state when the port has experienced a given number of state transitions within a configured amount of time.
Layer 2 enhancements
TABLE 20 Layer 2 enhancements
Enhancement: VLAN Byte Accounting
Description: With this release, you can configure a VLAN to account for the number of bytes received by all the member ports.
See: Book: BigIron RX Series Configuration Guide; Chapter: "VLANs"; Section: "VLAN byte accounting"
Enhancement: Super Aggregated VLANs (SAV)
Description: Multiple VLANs can be aggregated within another VLAN to allow you to construct Layer 2 paths and channels.

TABLE 21 Layer 3 enhancements (Continued)
Enhancement: OSPF point-to-point
Description: OSPF point-to-point eliminates the need for Designated and Backup Designated routers, allowing for faster convergence of the network.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Configuring OSPF Version 2 (IPv4)"; Section: "OSPF point-to-point links"
Enhancement: Neighbor Local AS
Description: The Neighbor Local Autonomous System (AS) feature allows a router that is a member of one AS to appear to be a member of another AS.

TABLE 23 Security enhancements (Continued)
Enhancement: Port Security MAC Deny
Description: With this release, you can configure denied MAC addresses on a global level or on a per-port level.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Using the MAC Port Security Feature and Transparent Port Flooding"
Enhancement: IP Fragmentation Protection
Description: Fragmented IP packets with undersized fragments and overlapping fragments are dropped.

TABLE 23 Security enhancements (Continued)
Enhancement: Port Security Enhancements
Description: You can specify how many packets from denied MAC addresses can be received on a port in a one-second interval before the BigIron RX shuts the port down.

Enhancements in release 02.2.00
TABLE 26 Summary of enhancements in 02.2.00
Enhancement: Quality of Service (QoS) Support
Description: QoS support on the BigIron RX is different than for the BigIron MG8.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Configuring Quality of Service"
Enhancement: Rate-limiting Support
Description: Rate-limiting can be performed based on ACL matching of flows and L2/L3 priority. It operates as on the BigIron MG8 except:
• Only inbound rate limiting is supported.
• 802.
Document conventions This section describes text formatting conventions and important notice formats used in this document.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.

DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Notice to the reader
This document may contain references to the trademarks of the following corporations.

Web access
The Knowledge Portal (KP) contains the latest version of this guide and other user guides for the product. You can also report errors on the KP. Log in to my.Brocade.com, click the Product Documentation tab, then click on the link to the Knowledge Portal (KP). Then click on Cases > Create a New Ticket to report an error. Make sure you specify the document title in the ticket description.

E-mail and telephone access
Go to http://www.brocade.com/services-support/index.
Chapter 1 Getting Started with the Command Line Interface

In this chapter
• Logging on through the CLI
• EXEC commands
• CONFIG commands
• Accessing the CLI
Logging on through the CLI

On-line help
To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed. If you enter part of a command, then enter “?” or press Tab, the CLI lists the options you can enter at this point in the command string. If you enter an invalid command followed by ?, a message appears indicating the command was unrecognized.
Line editing commands
The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command.

TABLE 27 CLI line-editing commands
Ctrl-key combination  Description
Ctrl-A  Moves to the first character on the command line.
Ctrl-B  Moves the cursor back one character.
You reach this level by entering the enable [] or enable at the User EXEC level.

BigIron RX>enable
or
BigIron RX>enable user1 mypassword

After entering the enable command, you see the following prompt.

BigIron RX#

The prompt indicates that you are at the Privilege EXEC level. When you are at the Privilege EXEC level, you can enter commands that are available at that level.
Trunk level
The trunk level allows you to change parameters for statically-configured trunk groups. You reach this level by entering a trunk command with the appropriate port parameters.

Router RIP level
The RIP level allows you to configure parameters for the RIP routing protocol. You reach this level by entering the router rip command at the global CONFIG level.

Router OSPF level
The OSPF level allows you to configure parameters for the OSPF routing protocol.

Route Map level
The Route Map level allows you to configure parameters for a BGP4 route map. You reach this level by entering the route-map command at the global CONFIG level.

Router VRRP level
The VRRP level allows you to configure parameters for the Virtual Router Redundancy Protocol (VRRP). You reach this level by entering the router vrrp command at the global CONFIG level, then entering the ip vrrp vrid command at the interface configuration level.
MAC port security level
The MAC port security level allows you to configure the port security feature. You reach this level by entering the global-port-security command at the Global or Interface levels.

Accessing the CLI
The CLI can be accessed through both serial and Telnet connections. For initial log on, you must use a serial connection. Once an IP address is assigned, you can access the CLI through Telnet.
BigIron RX>                           User Level EXEC Command
BigIron RX#                           Privileged Level EXEC Command
BigIron RX(config)#                   Global Level CONFIG Command
BigIron RX(config-if-e10000-5/1)#     Interface Level CONFIG Command
BigIron RX(config-lbif-1)#            Loopback Interface CONFIG Command
BigIron RX(config-ve-1)#              Virtual Interface CONFIG Command
BigIron RX(config-trunk-4/1-4/8)#     Trunk group CONFIG Command
BigIron RX(config-if-e10000-tunnel)
Optional fields
When two or more options are separated by a vertical bar, “|”, you must enter one of the options as part of the command.

Syntax: priority normal | high

For example, the "normal | high" entry in the Syntax above means that priority can be either priority normal or priority high. The command in the syntax above requires that you enter either normal or high as part of the command.

Displaying lines containing a specified string
The following command filters the output of the show interface command for port 3/11 so it displays only lines containing the word “Internet”. This command can be used to display the IP address of the interface.

BigIron RX# show interface e 3/11 | include Internet
Internet address is 192.168.1.
BigIron RX# ?
append               Append one file to another
attrib               Change file attribute
boot                 Boot system from bootp/tftp server/flash image
cd                   Change current working directory
chdir                Change current working directory
clear                Clear table/statistics/keys
clock                Set clock
configure            Enter configuration mode
copy                 Copy between flash, tftp, config/code
cp                   Copy file commands
debug                Enable debugging functions (see also 'undebug')
delete               Delete fi
dir dm dot1x erase exit fastboot force-sync-standby
--More--, next page: Space, next line: Return key, quit: Control-c -telnet

The filtered results are displayed.

filtering...
TABLE 28 Special characters for regular expressions (Continued)
Character  Operation
$  A dollar sign matches on the end of an input string.
• All digits
Any of the following special characters are valid:
$ % ' _ @ ~ ` ! ( ) { } ^ # &

Syntax shortcuts
A command or parameter can be abbreviated as long as enough text is entered to distinguish it from other commands at that level. For example, given the possible commands copy tftp… and config tftp…, possible shortcuts are cop tftp and con tftp respectively. In this case, co does not properly distinguish the two commands.
Chapter 2 Getting Familiar With the BigIron RX Series Switch Management Applications

How to manage BigIron RX Series switch
This chapter describes the different applications you can use to manage the BigIron RX Series Switch. The BigIron RX Series Switch supports the same management applications as other Brocade devices.
TABLE 29 CLI line editing commands
Ctrl-key combination  Description
Ctrl-A  Moves to the first character on the command line.
Ctrl-B  Moves the cursor back one character.
Ctrl-C  Escapes and terminates command prompts and ongoing tasks (such as lengthy displays), and displays a fresh command prompt.
Ctrl-D  Deletes the character at the cursor.
Ctrl-E  Moves to the end of the current command line.
Ctrl-F  Moves the cursor forward one character.
NOTE
The regular expression specified as the search string is case sensitive. In the example above, a search string of “Internet” would match the line containing the IP address, but a search string of “internet” would not.

Displaying lines that do not contain a specified string
The following command filters the output of the show who command so it displays only lines that do not contain the word “closed”.
TABLE 30 Special characters for regular expressions (Continued)
Character  Operation
_  An underscore matches on one or more of the following:
   • , (comma)
   • { (left curly brace)
   • } (right curly brace)
   • ( (left parenthesis)
   • ) (right parenthesis)
   • The beginning of the input string
   • The end of the input string
   • A blank space
   For example, the following regular expression matches on “100” but not on “1002”, “2100”, and so on: _100_
[]  Square brackets enclose a range of
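The include/exclude output filters and the underscore shorthand from Table 30, modelled in Python as an added example (not Brocade code); the expansion of "_" into a Python regex is an assumption derived from the table's description, and the sample output lines are constructed.

```python
"""Model of the IronWare CLI output filter ('| include', '| exclude').

Added example, not from the guide. The translation of the '_' shorthand into a
Python regular expression is an assumption based on Table 30's description.
"""
import re
from typing import List

# Characters the guide says '_' matches, in addition to the start and end of
# the input string.
_UNDERSCORE_CHARS = ",{}() "


def ironware_to_python(pattern: str) -> str:
    """Expand every '_' into 'start of string, end of string, or one or more of
    the listed characters'.  Other characters (including '$') pass through
    unchanged, so ordinary regex syntax keeps its meaning."""
    alt = r"(?:^|$|[" + re.escape(_UNDERSCORE_CHARS) + r"]+)"
    return "".join(alt if ch == "_" else ch for ch in pattern)


def include_filter(lines: List[str], pattern: str) -> List[str]:
    """Keep only lines containing a match.  The match is case sensitive, as the
    guide notes for the CLI."""
    rx = re.compile(ironware_to_python(pattern))
    return [line for line in lines if rx.search(line)]


def exclude_filter(lines: List[str], pattern: str) -> List[str]:
    """Keep only lines that do NOT contain a match (the 'exclude' filter)."""
    rx = re.compile(ironware_to_python(pattern))
    return [line for line in lines if not rx.search(line)]


# Constructed sample output (not captured from a device).
SAMPLE_LINES = [
    "100",
    "1002",
    "2100",
    "vlan 100 up",
    "(100)",
    "Internet address is 192.168.1.1",
    "closed",
]

if __name__ == "__main__":
    for line in include_filter(SAMPLE_LINES, "_100_"):
        print(line)
```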
Logging on through the Web Management Interface
To use the Web Management Interface, open a Web browser and enter the IP address of a BigIron RX Series Switch’s management port in the Location or Address field. The Web browser contacts the device and displays the login panel for the BigIron RX Series Switch, as shown in Figure 1.
FIGURE 2 Web Management Interface login dialog box

The login username and password you enter depends on whether your device is configured with AAA authentication for SNMP. If AAA authentication for SNMP is not configured, you can use the user name “get” and the default read-only password “public” for read-only access.

Logging on through IronView Network Manager
Refer to the IronView Network Management User’s Guide for information about using IronView Network Manager.
Chapter 3 Using a Redundant Management Module

How management module redundancy works
You can install a redundant management module in slot M1 or M2 of the BigIron RX Series chassis. By default, the system considers the module installed in slot M1 to be the active management module and the module installed in slot M2 to be the redundant or standby module. If the active module becomes unavailable, the standby module automatically takes over management of the system.
The interface modules are not reset, as they are with the previous cold-restart redundancy feature. The interface modules continue to forward traffic while the standby management module takes over operation of the system. The new now-active management module receives updates from the interface modules and sends verification information to the interface modules to ensure that they are synchronized.

• The active management module’s flash memory.
• A PCMCIA flash card inserted in one of the PCMCIA slots in the active management module’s front panel.

After the replacement module boots, the active module compares the standby module’s flash code and system-config file to its own. If differences exist, the active module synchronizes the standby module’s flash code and system-config file with its own.

Syslog and SNMP traps
When a switchover occurs, the BigIron RX system sends a Syslog message to the local Syslog buffer and also to the Syslog server, if you have configured the system to use one. In addition, if you have configured an SNMP trap receiver, the system sends an SNMP trap to the receiver. When the system is powered on or otherwise reset normally, the system sends a cold start message and trap.
Management module redundancy configuration
Configuring management module redundancy consists of performing one optional task (changing the default active chassis slot). This section explains how to perform this task.

Changing the default active chassis slot
By default, the BigIron RX Series system considers the module installed in slot M1 to be the active management module. If desired, you can change the default active chassis slot to M2.
During startup or switchover, the active module compares the standby module’s flash code to its own. If differences exist, the active module synchronizes the standby module’s flash code with its own. If you update the flash code on the active module, the active module automatically synchronizes (without comparison) the standby module’s flash code with its own.
• System-config file – The flash code also includes the system-config file.

FIGURE 4 Active and standby management module file synchronization
[Figure not recoverable. Items shown: Active Management Module, Standby Management Module, Flash code, Startup-config file, Running-config file, Boot code. Labels shown: Synchronized at startup or switchover; Also can be immediately synchronized using the CLI; Startup-config also automatically updated with write memory command; Automatically synchronized at regular, user-configurable intervals; Not synchronized.]
To compare and immediately synchronize files between the active and standby modules if differences exist, enter the following command at the Privileged EXEC level of the CLI.

BigIron RX# sync-standby

Syntax: sync-standby

Synchronizing files without comparison
You can synchronize the flash code, system-config file, and running-config file immediately without comparison.

BigIron RX# boot system flash primary

Syntax: boot system bootp | [flash primary | flash secondary] | slot | tftp

The flash primary keyword specifies the primary RX Series IronWare image in the management module’s flash memory, while the flash secondary keyword specifies the secondary RX Series IronWare image in the flash memory.

Software
To display the status of the management modules, enter the following command at any CLI level.

BigIron RX# show module
Module                                        Status           Ports  Starting MAC
M1 (upper): BigIron BI-RX Management Module   Active
M2 (lower): BigIron BI-RX Management Module   Standby (Ready)
...

Syntax: show module

The Status column indicates the module status.

To view the redundancy parameter settings and statistics, enter the following command at any level of the CLI.
BigIron RX# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 24 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning

Static Log Buffer:
Sep 28 11:31:25:A:Power Supply 1, 1st left, not installed
Sep 28 11:31:25:A:Power Supply 3, middle left, not inst
Sep 28 11:31:25:A:Power Supply 4,
Sep 28 11:31:25:A:Power Supply 5,
• Create a subdirectory.
• Remove a subdirectory.
• Rename a file.
• Change the read-write attribute of a file.
• Delete a file.
• Recover or “undelete” a file.
• Append one file to another (join two files).
• Perform copy operations using the copy command.
• Perform copy operations using the cp command.
• Load the system software from flash memory, a flash card, or other sources during system reboot.

For example, if you want to display a directory of files in flash memory and flash memory has the current management focus, you do not need to specify the flash keyword. However, if you want to display a directory of files for slot 1 and flash memory has the current focus, you must specify the slot1 keyword.

Flash memory file system
The flash memory file system is flat, which means that it does not support subdirectories.

PCMCIA flash card file system
The PCMCIA flash card file system is hierarchical, which means that it supports subdirectories. Therefore, you can create or delete subdirectories in this file system using the md or mkdir and rd or rmdir commands, respectively. Also, when specifying the syntax for the various file management commands, you may need to specify a pathname to a subdirectory as appropriate to manipulate a file in a subdirectory.

• &

You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: “a long subdirectory name”. A subdirectory or file name can be a maximum of 256 characters long. A complete subdirectory path name cannot contain more than 256 characters. There is no maximum file size.

2048 bytes in each allocation unit.
39458 allocation units available on card.

Syntax: format slot1 | slot2

The slot1 | slot2 keyword specifies the PCMCIA slot that contains the flash card you are formatting.

Determining the current management focus
For conceptual information about management focus, refer to “Management focus” on page 37. If you are not sure which file system has the current management focus, enter the following command.
For the parameter for both cd and chdir commands, you can specify /slot1 or /slot2 to switch the focus to slot 1 or slot 2, respectively. Specify /flash to switch the focus to flash memory. After you have switched the focus to slot 2, you can specify the parameter to switch the focus to a subdirectory on a flash card inserted in slot 2.
BigIron RX# dir
Directory of /flash/
[listing of 15 files (dates, times and sizes) not recoverable]
15 File(s) 0 Dir(s)
BigIron RX# dir /slot2/
Directory of /slot2/
[listing of 12 files and 1 directory (dates, times and sizes) not recoverable]
12 File(s) 1 Dir(s)

For example, to display the contents of a file in flash memory, if flash memory has the current management focus, enter a command such as the following.

BigIron RX# more cfg.cfg

Syntax: more [//]

Use the parameter to specify a directory in a file system that does not have current management focus. Use the parameter to specify the file you want to display.
The software attempts to create a subdirectory in the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to create a subdirectory in a file system that does not currently have management focus. In this case, you can specify the slot1 or slot2 keyword with the md or mkdir command to create the subdirectory in the desired file system.

The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using uppercase letters. To verify successful creation of the subdirectory, enter a command such as the following to change to the new subdirectory level.

Renaming a file
You can rename a file in the management module’s flash memory or on a flash card inserted in the management module’s slot 1 or slot 2 using the rename or mv command. The software attempts to rename the file in the file system that has the current management focus. By default, flash memory has the management focus.

For example, to change the attribute of a file in slot2 to read-only, if flash memory has the management focus, enter a command such as the following.

BigIron RX# attrib slot2 ro goodcfg.cfg

Syntax: attrib [slot1 | slot2] ro | rw

Specify the slot1 or slot2 keyword to change the attribute of a file on the flash card in slot 1 or slot 2, respectively.

For example, to delete all files with names that start with “test” from flash memory, if flash memory has the current management focus, enter a command such as the following.

BigIron RX# delete test*.*

For example, to delete all files on the flash card in slot 2, if flash memory has the current management focus, you can enter one of the following commands.

Appending a file to another file
You can append a file in flash memory or on a flash card to the end of another file in one of these file systems. The software attempts to append one file to another in the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to append one file to another in a file system that does not currently have management focus.
NOTE
The copy options require you to explicitly specify the flash card. Therefore, you can perform a copy regardless of the flash card that currently has the management focus.

Copying files from one flash card to the other
To copy a file from one flash card to the other, enter the following command.

BigIron RX# copy slot1 slot2 sales.

Specify the optional standby keyword to copy the RX Series IronWare image from the secondary location in the active management module’s flash memory to the primary location in the standby module’s flash memory. To copy the RX Series IronWare image from the primary location in the active management module’s flash memory to the secondary location in the active module’s flash memory, enter the following command.

The command in this example copies a file from slot 1 to a TFTP server. In this case, the software uses the same name for the source file and for the destination file. Optionally, you can specify a different file name for the destination file. To copy a software image from a TFTP server to a flash card, enter a command such as the following.

BigIron RX# copy tftp slot1 192.168.1.17 nmpr02200.

To copy a startup-config file from a TFTP server to flash memory, enter a command such as the following.

BigIron RX# copy tftp startup-config 10.10.10.1 test.cfg

Syntax: copy tftp startup-config [/]

Copying the running-config to a flash card or a TFTP server
Use the following method to copy the BigIron RX Series Switch’s running-config to a flash card or a TFTP server.

• Copy files from flash memory to flash memory.
• Copy files from flash memory to a flash card or vice versa.
• Copy files from one flash card to another flash card.

The software attempts to copy a file in a file system to another location in the file system that has the current management focus. By default, flash memory has the management focus.

Rebooting from the system
To use another source instead of the RX Series IronWare image in the primary location in flash memory for one reboot, enter a command such as the following at the Privileged EXEC level of the CLI.

BigIron RX# boot system slot1 /slot1/nmpr02200.bin

The command in this example reboots the system using the image nmpr02200.bin located on the flash card in slot 1.

Syntax: boot system slot1 | slot2 | flash secondary | tftp | bootp

NOTE
The command syntax is the same for immediately reloading and for changing the primary source, except the must be the full path name. You cannot specify a relative path name. If the first character in the path name is not a slash ( / ), the CLI treats the name you specify as relative to the root directory.

Specify the parameter if you want to save the configuration changes to a directory other than the root directory of a flash card file system. The parameter indicates the name of the saved configuration file. To change the save location back to flash memory, enter a command such as the following.

BigIron RX# locate startup-config flash-memory switch1.
• The DRAM CRC detection feature has two methods to detect errors; an interrupt routine is used to detect these errors quickly then triggers a shutdown of the failed Traffic Manager (TM). Long term polling detects low rate CRC errors which will be repothe egress port. This process generates a Syslog message.

NOTE
As a result of the extended monitoring enhancements, any marginal hardware used in previous releases may be reported as defective.

TABLE 34 Syslog messages generated by SYSMON

Syslog message example: Sep 13 15:01:29:E:System: ALARM:FE Read-Write Test Error: SNM4/FE1 Reg 0x14, Read 0x48000000 != Written 0x0
Event: Switch fabric element read/write error
Description: A failure has occurred on the specified switch fabric module

Syslog message example: Sep 13 15:01:29:E:System: ALARM: LP9/TM2 has shutdown (TM DRAM CRC: LP9/TM2 (Reg: 0xa50c, Value: 0x7) (shutdown))
Event: TM ingress DRAM CRC error
Description: A failure was detected on the ingress
Chapter 4 Securing Access to Management Functions

Securing access methods
This chapter explains how to secure access to management functions on the device.

NOTE
For the device, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.

The following table lists the management access methods available on the device, how they are secured by default, and the ways in which they can be secured.

TABLE 35 Ways to secure management access to the device (Continued)
Access method: Secure Shell (SSH) access
How the access method is secured by default: Not configured
Ways to secure the access method (see page):
• Configure SSH (page 905)
• Regulate SSH access using ACLs (page 66)
• Allow SSH access only from specific IP addresses (page 68)
• Establish passwords for privilege levels of the CLI (page 73)
• Set up local user accounts (page 76)
• Configure TACACS and TACACS+ security (page

Restricting remote access to management functions
You can restrict access to management functions from remote sources, including Telnet, the Web management interface, and SNMP.
To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL. For example.

BigIron RX(config)# access-list 10 permit host 209.157.22.32
BigIron RX(config)# access-list 10 permit 209.157.23.0 0.0.0.255
BigIron RX(config)# access-list 10 permit 209.157.24.0 0.0.0.255
BigIron RX(config)# access-list 10 permit 209.157.25.

These commands configure ACL 12, then apply the ACL as the access list for Web management access. The device denies Web management access from the IP addresses listed in ACL 12 and permits Web management access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny Web management access from all IP addresses.
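A Python model of the first-match, implicit-deny evaluation described above, added here as an example (not Brocade code). It parses ACL 10's entries as shown on the page; the ACL 12 entries and the client addresses are constructed, since the page does not list them.

```python
"""Standard-ACL evaluation for management access, modelled after the guide.

Added example, not from the guide.  Models the semantics the text describes:
entries are checked top-down, the first match decides, and a source that
matches no entry is denied (the implicit deny at the end of every ACL).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    action: str     # "permit" or "deny"
    network: int    # base address as a 32-bit integer
    wildcard: int   # wildcard mask: 1 bits are "don't care", 0 bits must match

    def matches(self, src: int) -> bool:
        fixed = ALL_ONES & ~self.wildcard
        return (src & fixed) == (self.network & fixed)


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(lines: List[str]) -> Dict[int, List[Entry]]:
    """Parse 'access-list N permit|deny host A | A W | A | any' lines.

    A leading CLI prompt such as 'BigIron RX(config)# ' is tolerated so the
    lines can be pasted as they appear in the guide."""
    acls: Dict[int, List[Entry]] = {}
    for raw in lines:
        text = raw.split("#", 1)[1] if "#" in raw else raw
        parts = text.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"unsupported line: {raw!r}")
        acl_id, action, target = int(parts[1]), parts[2], parts[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {raw!r}")
        if target[0] == "any":
            network, wildcard = 0, ALL_ONES
        elif target[0] == "host":
            network, wildcard = _addr(target[1]), 0
        elif len(target) == 2:
            network, wildcard = _addr(target[0]), _addr(target[1])
        else:
            network, wildcard = _addr(target[0]), 0
        acls.setdefault(acl_id, []).append(Entry(action, network, wildcard))
    return acls


def is_permitted(entries: List[Entry], src: str) -> bool:
    """First matching entry wins; no match at all means deny."""
    s = _addr(src)
    for entry in entries:
        if entry.matches(s):
            return entry.action == "permit"
    return False


# ACL 10 as printed in the guide (its last, truncated line is omitted).
ACL_10 = [
    "BigIron RX(config)# access-list 10 permit host 209.157.22.32",
    "BigIron RX(config)# access-list 10 permit 209.157.23.0 0.0.0.255",
    "BigIron RX(config)# access-list 10 permit 209.157.24.0 0.0.0.255",
]

# Constructed ACL 12: deny two hosts, then permit everyone else.
ACL_12 = [
    "access-list 12 deny host 209.157.22.98",
    "access-list 12 deny host 209.157.22.99",
    "access-list 12 permit any",
]

if __name__ == "__main__":
    acls = parse_acl(ACL_10 + ACL_12)
    for src in ("209.157.22.32", "209.157.23.77", "10.0.0.1"):
        print(f"ACL 10 {src}: {'permit' if is_permitted(acls[10], src) else 'deny'}")
    # Dropping the trailing 'permit any' turns ACL 12 into a deny-all list.
    trimmed = parse_acl(ACL_12[:-1])
    print("ACL 12 without permit any, 10.0.0.1:",
          "permit" if is_permitted(trimmed[12], "10.0.0.1") else "deny")
```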
BigIron RX(config)# vlan 3 by port
BigIron RX(config-vlan-3)# untagged ethe 3/1 to 3/5
BigIron RX(config-vlan-3)# router-interface ve 3
BigIron RX(config-vlan-3)# exit
BigIron RX(config)# interface ve 3
BigIron RX(config-ve-1)# ip address 10.10.11.1 255.255.255.0
BigIron RX(config-ve-1)# exit
BigIron RX(config)# access-list 10 permit host 10.10.11.
BigIron RX(config)# ip ssh client 209.157.22.39

Syntax: [no] ip ssh client

Restricting Web Management access to a specific IP address
To allow Web Management access to the device only to the host with IP address 209.157.22.26, enter the following command.

BigIron RX(config)# web client 209.157.22.

• Web management access
• SNMP access
• TFTP access

By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given access method based on VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN. VLAN-based access control works in conjunction with other access control methods.

The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] tftp client enable vlan

Disabling specific access methods
You can specifically disable the following access methods.
Disabling Web management access by HP ProCurve Manager
By default, TCP port 80 is enabled on the Brocade device. TCP port 80 (HTTP) allows access to the device’s Web management interface. By default, TCP port 280 for HP Top tools is disabled. This tool allows access to the device by HP ProCurve Manager. The no web-management command disables both TCP ports. However, if you want to disable only port 280 and leave port 80 enabled, use the hp-top-tools option with the command.
To set the password “letmein” for Telnet access to the CLI, enter the following command at the global CONFIG level.

BigIron RX(config)# enable telnet password letmein

Syntax: [no] enable telnet password

Suppressing Telnet connection rejection messages
By default, if a device denies Telnet management access to the device, the software sends a message to the denied Telnet client. You can optionally suppress the rejection message.

3. Enter the following command to set the Super User level password.

BigIron RX(config)# enable super-user-password

NOTE
You must set the Super User level password before you can set other types of passwords. The Super User level password can be an alphanumeric string, but cannot begin with a number.

4. Enter the following commands to set the Port Configuration level and Read Only level passwords.

The parameter specifies the CLI level and can be one of the following values:
• exec – EXEC level; for example, BigIron RX> or BigIron RX#
• configure – CONFIG level; for example, BigIron RX(config)#
• interface – Interface level; for example, BigIron RX(config-if-e10000-6)#
• virtual-interface – Virtual-interface level; for example, BigIron RX(config-vif-6)#
• rip-router – RIP router level; for example, BigIron RX(config-rip-router)#
• ospf-router – OSPF ro
4 Setting up local user accounts BigIron RX(config)# enable password-display BigIron RX(config)# show snmp server The enable password-display command enables display of the community string, but only in the output of the show snmp server command. Display of the string is still encrypted in the startup configuration file and running configuration. Enter the command at the global CONFIG level of the CLI.
Setting up local user accounts 4 If you configure local user accounts, you also need to configure an authentication-method list for Telnet access, Web management access, and SNMP access. Refer to “Configuring authentication-method lists” on page 113. For each local user account, you specify a user name which can have up to 255 characters.
NOTE
You must be logged on with Super User access (privilege level 0) to add user accounts or configure other access parameters.
To display user account information, enter the following command.
BigIron RX(config)# show users
Syntax: show users
Changing local user passwords
This section shows how to change the password for an existing local user account.
3. User account information is listed in a table. Click on the Delete button next to the user account whose password you wish to change.
4. Click on Add User Account.
5. Enter the user name in the Username field. The name cannot contain blanks.
6. Enter the password in the Password field. The password cannot contain blanks.
7. If necessary, select the management privilege level from the Privilege pulldown menu.
• At least two upper case characters
• At least two lower case characters
• At least two numeric characters
• At least two special characters
NOTE
Password minimum and combination requirements are strictly enforced.
Configuring the strict password feature
Use the enable strict-password-enforcement command to enable the password security feature. Enter a command such as the following.
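The combination rule above, as an added Python check that is not part of the guide: the minimum length is stated on a page not reproduced here, so MIN_LENGTH is an assumed placeholder, and blanks are rejected as the local-account procedure requires.

```python
import string

# Combination rule from the guide: at least two characters of each class.
# The guide's minimum-length rule is not in this excerpt, so MIN_LENGTH
# is an assumed placeholder value, not the device default.
MIN_LENGTH = 8
SPECIAL_CHARS = set(string.punctuation)


def count_classes(password):
    """Count characters per class that the strict-password feature checks."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        elif ch in SPECIAL_CHARS:
            counts["special"] += 1
    return counts


def check_strict_password(password, min_length=MIN_LENGTH):
    """Return the list of unmet requirements; an empty list means accepted.

    Checks, in order: no blanks (the guide rejects passwords containing
    blanks), minimum length, then at least two of each character class.
    """
    failures = []
    if any(ch.isspace() for ch in password):
        failures.append("blank")
    if len(password) < min_length:
        failures.append("length")
    counts = count_classes(password)
    for cls in ("upper", "lower", "digit", "special"):
        if counts[cls] < 2:
            failures.append(cls)
    return failures


if __name__ == "__main__":
    # Constructed candidates: one compliant, one weak, one containing a blank.
    for candidate in ("Aa1!Bb2@", "password", "Aa1! Bb2@"):
        result = check_strict_password(candidate)
        print(repr(candidate), "->", result or "accepted")
```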
Requiring users to accept the message of the day
If a message of the day (MOTD) is configured, a user can be required to press the "Enter" key before he or she can login. To enable this requirement, enter the command as shown.
BigIron RX(config)# banner motd require-enter-key
Syntax: [no] banner motd require-enter-key
Locking out user accounts after three login attempts
A user has three login attempts.
BigIron RX(config)# user sandy enable
NetIron(config)# show user
Username Password Encrypt Priv Status Expire Time
==============================================================================
sandy $1$Gz...uX/$wQ44fVGtsqbKWkQknzAZ6.
Enabling the SSL server on the device
To enable the SSL server on the device, enter the following command.
BigIron RX(config)# web-management https
Syntax: [no] web-management http | https
You can enable either the HTTP or HTTPS server with this command. You can disable both the HTTP and HTTPS servers by entering the following command.
Generating an SSL certificate
If you did not already import a digital certificate from a client, the device can create a default certificate. To do this, enter the following command.
BigIron RX(config)# crypto-ssl certificate generate
Syntax: [no] crypto-ssl certificate generate
Deleting the SSL certificate
To delete the SSL certificate, enter the following command.
TACACS and TACACS+ authentication, authorization, and accounting
When you configure a device to use a TACACS and TACACS+ server for authentication, the device prompts users who are trying to access the CLI for a user name and password, then verifies the password with the TACACS and TACACS+ server.
5. The user is prompted for a password.
6. The user enters a password.
7. The device sends the password to the TACACS+ server.
8. The password is validated in the TACACS+ server’s database.
9. If the password is valid, the user is authenticated.
TACACS+ authorization
The device supports two kinds of TACACS+ authorization:
• Exec authorization determines a user’s privilege level when they are authenticated.
5. The TACACS+ accounting server records information about the event.
6. When the event is concluded, the device sends an Accounting Stop packet to the TACACS+ accounting server.
7. The TACACS+ accounting server acknowledges the Accounting Stop packet.
User action | Applicable AAA operations
User enters the command: [no] aaa accounting system default start-stop | Command authorization (TACACS+): aaa authorization commands default
User enters other commands | Command authorization (TACACS+): aaa authorization commands default; Command accounting (TACACS+): aaa accounting commands default start-stop
System
3. Configure authentication-method lists. Refer to “Configuring authentication-method lists for TACACS and TACACS+” on page 92.
TACACS+ configuration procedure
For TACACS+ configurations, use the following procedure.
1. Enable TACACS. Refer to “Enabling SNMP to configure TACACS and TACACS+” on page 89.
2. Identify TACACS+ servers. Refer to “Identifying the TACACS and TACACS+ servers” on page 89.
3. Set optional parameters.
If you add multiple TACACS and TACACS+ authentication servers to the device, the device tries to reach them in the order you add them. For example, if you add three servers in the following order, the software tries the servers in the same order.
1. 207.94.6.161
2. 207.94.6.191
3. 207.94.6.122
You can remove a TACACS and TACACS+ server by entering no followed by the tacacs-server command. For example, to remove 207.94.6.161, enter the following command.
• Retransmit interval – This parameter specifies how many times the Brocade device will resend an authentication request when the TACACS and TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.
• Dead time – This parameter specifies how long the Brocade device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server.
Setting the dead time parameter
The dead-time parameter specifies how long the device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3 seconds. To set the TACACS and TACACS+ dead-time value, enter the following command.
The command above causes TACACS and TACACS+ to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If TACACS and TACACS+ authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
Configuring TACACS+ authorization
The device supports TACACS+ authorization for controlling access to management functions in the CLI.
    service = exec {
        foundry-privlvl = 0
    }
}
In this example, the A-V pair foundry-privlvl = 0 grants the user full read-write access. The value in the foundry-privlvl A-V pair is an integer that indicates the privilege level of the user. Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5 is specified in the foundry-privlvl A-V pair, the default privilege level of 5 (read-only) is used.
If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5 (read-only) is used.
Configuring command authorization
When TACACS+ command authorization is enabled, the BigIron RX consults a TACACS+ server to get authorization for commands entered by the user. You enable TACACS+ command authorization by specifying a privilege level whose commands require authorization.
Configuring TACACS+ accounting
The device supports TACACS+ accounting for recording information about user activity and system events. When you configure TACACS+ accounting on a device, information is sent to a TACACS+ accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring an interface as the source for all TACACS and TACACS+ packets
You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all TACACS and TACACS+ packets from the device.
BigIron RX# show aaa
Tacacs+ key: brocade
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
    opens=6 closes=3 timeouts=3 errors=0
    packets in=4 packets out=4
no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.
Configuring RADIUS security
You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the device:
• Telnet access
• SSH access
• Web management access
• Access to the Privileged EXEC level and CONFIG levels of the CLI
NOTE
The BigIron RX does not support RADIUS security for SNMP (IronView Network Manager) access.
• A list of commands
• Whether the user is allowed or denied usage of the commands in the list
The last two attributes are used with RADIUS authorization, if configured.
9. The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on the BigIron RX. The user is granted the specified privilege level. If you configure RADIUS authorization, the user is allowed or denied usage of the commands in the list.
AAA operations for RADIUS
The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a BigIron RX that has RADIUS security configured.
AAA security for commands pasted into the running configuration
If AAA security is enabled on the device, commands pasted into the running configuration are subject to the same AAA operations as if they were entered manually. When you paste commands into the running configuration, and AAA command authorization or accounting is configured on the device, AAA operations are performed on the pasted commands.
Configuring Brocade-specific attributes on the RADIUS server
NOTE
For the BigIron RX, RADIUS Challenge is supported for 802.1x authentication but not for login authentication.
During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the device, authenticating the user.
TABLE 38 Brocade vendor-specific attributes for RADIUS (Continued)
Attribute name | Attribute ID | Data type | Description
brocade-command-string | 2 | string | Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured. The commands are delimited by semi-colons (;). You can specify an asterisk (*) as a wildcard at the end of a command string.
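An added example, not Brocade code, of how a device-side check could consume a brocade-command-string value together with the permit/deny attribute mentioned earlier in this section: semicolon splitting and the trailing-asterisk wildcard follow the table, while whitespace normalization and case-sensitive matching are assumptions.

```python
def parse_command_string(value):
    """Split a brocade-command-string value into individual command patterns.

    Commands are delimited by semicolons; surrounding whitespace is ignored
    and empty entries (for example a trailing ';') are dropped.
    """
    return [part.strip() for part in value.split(";") if part.strip()]


def _normalize(text):
    # Collapse runs of whitespace so "show  ip   route" equals "show ip route".
    return " ".join(text.split())


def command_matches(pattern, command):
    """True if `command` is covered by one pattern from the list.

    A trailing asterisk is a prefix wildcard, as the table states; without
    it the pattern must equal the whole command. Case-sensitive comparison
    and whitespace normalization are assumptions, not documented behaviour.
    """
    pattern, command = _normalize(pattern), _normalize(command)
    if pattern.endswith("*"):
        return command.startswith(pattern[:-1])
    return command == pattern


def authorize_command(command, patterns, list_permits):
    """Decide whether the user may run `command`.

    `list_permits` stands for the attribute that says whether the list is
    a permit list or a deny list: a match on a permit list allows the
    command, a match on a deny list blocks it, anything else is the opposite.
    """
    matched = any(command_matches(p, command) for p in patterns)
    return matched if list_permits else not matched


if __name__ == "__main__":
    # Constructed attribute value: two wildcard entries and one exact entry.
    attr = "show ip*; show running-config ;configure terminal*;"
    patterns = parse_command_string(attr)
    for cmd in ("show ip route", "show running-config all", "show version"):
        print(f"{cmd!r}: permit-list={authorize_command(cmd, patterns, True)} "
              f"deny-list={authorize_command(cmd, patterns, False)}")
```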
Specifying different servers for individual AAA functions
In a RADIUS configuration, you can designate a server to handle a specific AAA task. For example, you can designate one RADIUS server to handle authorization and another RADIUS server to handle accounting. You can specify individual servers for authentication and accounting, but not for authorization. You can set the RADIUS key for each server.
NOTE
Encryption of the RADIUS keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.
Setting the retransmission limit
The retransmit parameter specifies the maximum number of retransmission attempts. When an authentication request times out, the Brocade software will retransmit the request up to the maximum number of retransmissions configured. The default retransmit value is 3 retries.
BigIron RX(config)# aaa authentication enable default radius local none
The command above causes RADIUS to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
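An added illustration (not device code) of the fall-through described here and in the TACACS+ section: a method that fails, whether because the server errored or because it had no match, hands over to the next method, so a list ending in none grants access to anyone once the earlier methods fail; the model does not distinguish server error from rejection, which the real device may. The second function is a configuration audit, run over a constructed excerpt, that flags method lists containing none.

```python
import re

# Outcome a method reports for one attempt. FAIL covers both a server
# error and a non-match, following the guide's wording (assumption).
ACCEPT, FAIL = "accept", "fail"


def radius_method(users, reachable=True):
    """Constructed stand-in for a RADIUS server holding users (name -> password)."""
    def method(username, password):
        if not reachable:
            return FAIL                      # server error: the list falls through
        return ACCEPT if users.get(username) == password else FAIL
    return method


def local_method(users):
    """Stand-in for the device's local user accounts."""
    def method(username, password):
        return ACCEPT if users.get(username) == password else FAIL
    return method


def none_method(username, password):
    """The 'none' method performs no check and always accepts."""
    return ACCEPT


def authenticate(method_list, methods, username, password):
    """Walk the method list in order; return (granted, method_that_granted)."""
    for name in method_list:
        if methods[name](username, password) == ACCEPT:
            return True, name
    return False, None


# Matches lines such as "aaa authentication enable default radius local none".
METHOD_LIST_RE = re.compile(r"^\s*aaa authentication (\S+) default (.+?)\s*$")


def find_open_fallback(config_text):
    """Return (line_number, access_type, methods) for every list containing 'none'."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = METHOD_LIST_RE.match(line)
        if not m:
            continue
        methods = m.group(2).split()
        if "none" in methods:
            findings.append((lineno, m.group(1), methods))
    return findings


# Constructed configuration excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
hostname BigIron-RX
aaa authentication enable default radius local none
aaa authentication login default radius local
"""


if __name__ == "__main__":
    methods = {
        "radius": radius_method({"sandy": "pw"}, reachable=False),
        "local": local_method({"admin": "secret"}),
        "none": none_method,
    }
    # Unknown user, RADIUS unreachable: 'none' at the end still lets them in.
    print(authenticate(["radius", "local", "none"], methods, "nobody", "x"))
    print(authenticate(["radius", "local"], methods, "nobody", "x"))
    print(find_open_fallback(SAMPLE_CONFIG))
```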
Configuring Exec authorization
NOTE
Before you configure RADIUS exec authorization on the BigIron RX, make sure that the aaa authentication enable default radius command or the aaa authentication login privilege-mode command exists in the configuration.
When RADIUS exec authorization is performed, the BigIron RX consults a RADIUS server to determine the privilege level of the authenticated user.
NOTE
RADIUS command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console. No authorization is performed for commands entered at the Web Management Interface or IronView Network Manager.
NOTE
Since RADIUS command authorization relies on the command list supplied by the RADIUS server during authentication, you cannot perform RADIUS authorization without RADIUS authentication.
Configuring RADIUS accounting for CLI commands
You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the BigIron RX to perform RADIUS accounting for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
• If you specify a loopback interface as the single source for RADIUS packets, RADIUS servers can receive the packets regardless of the states of individual links. Thus, if a link to the RADIUS server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
TABLE 39 Output of the show aaa command for RADIUS
Field | Description
Radius key | The setting configured with the radius-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is displayed instead of the text.
Radius retries | The setting configured with the radius-server retransmit command.
NOTE
To authenticate Telnet access to the CLI, you also must enable the authentication by entering the enable telnet authentication command at the global CONFIG level of the CLI. You cannot enable Telnet authentication using the Web management interface.
NOTE
You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses.
• If you configure an authentication-method list for Web management access and specify “local” as the primary authentication method, users who attempt to access the device using the Web management interface must supply a user name and password configured in one of the local user accounts on the device. The user cannot access the device by entering “set” or “get” and the corresponding SNMP community string.
NOTE
If you configure authentication for Web management access, authentication is performed each time a page is requested from the server. When frames are enabled on the Web management interface, the browser sends an HTTP request for each frame. The Brocade device authenticates each HTTP request from the browser. To limit authentications to one per page, disable frames on the Web management interface.
Chapter 5
Configuring Basic Parameters
This chapter describes how to configure basic system parameters. The software comes with default parameters to allow you to begin using the basic features of the system immediately. However, many advanced features, such as VLANs or routing protocols for the router, must first be enabled at the system (global) level before they can be configured. You can find system level parameters at the Global CONFIG level of the CLI.
Configuring Simple Network Management Protocol traps
This section explains how to do the following:
• Specify an SNMP trap receiver.
• Specify a source address and community string for all traps that the device sends.
• Change the holddown time for SNMP traps.
• Disable individual SNMP traps. (All traps are enabled by default.
The port parameter specifies the UDP port that will be used to receive traps. This parameter allows you to configure several trap receivers in a system. With this parameter, IronView Network Manager and another network management application can coexist in the same system. The device can be configured to send copies of traps to more than one network management application.
You can change the holddown time to a value from one second to ten minutes. To change the holddown time for SNMP traps, enter a command such as the following at the global CONFIG level of the CLI.
BigIron RX(config)# snmp-server enable traps holddown-time 30
The command changes the holddown time for SNMP traps to 30 seconds. The device waits 30 seconds to allow convergence in STP and OSPF before sending traps to the SNMP trap receiver.
Disabling Syslog messages and traps for CLI access
The device sends Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI. The feature, enabled by default, applies to users whose access is authenticated by an authentication-method list based on a local user account, RADIUS server, or TACACS and TACACS+ server.
The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.
Disabling the Syslog messages and traps
Logging of CLI access is enabled by default. To disable logging of CLI access, enter the following commands.
BigIron RX(config)# interface ethernet 1/4
BigIron RX(config-if-e10000-1/4)# ip address 209.157.22.110/24
BigIron RX(config-if-e10000-1/4)# exit
BigIron RX(config)# ip telnet source-interface ethernet 1/4
Cancelling an outbound Telnet session
If you want to cancel a Telnet session from the console to a remote Telnet server (for example, if the connection is frozen), you can terminate the Telnet session by doing the following.
1.
The commands in this example configure virtual interface 1, assign IP address 10.0.0.4/24 to the interface, then designate the interface's address as the source address for all Syslog packets.
Syntax: [no] ip syslog source-interface ethernet [/] | loopback | ve
The parameter is a loopback interface or virtual interface number.
The following table describes the information displayed by the show sntp associations command.
TABLE 41 Output from the show sntp associations command
This field... | Displays...
Setting the system clock
In addition to SNTP support, the device also allows you to set the system time counter. It starts the system time and date clock with the time and date you specify. The time counter setting is not retained across power cycles and is not automatically synchronized with an SNTP server.
NOTE
To synchronize the time counter with your SNTP server time, enter the sntp sync command from the Privileged EXEC level of the CLI.
• GMT + 10:30
• GMT + 09:30
• GMT + 06:30
• GMT + 05:30
• GMT + 04:30
• GMT + 03:30
• GMT - 03:30
• GMT - 08:30
• GMT - 09:30
Beginning with the Multi-Service IronWare 02.8.01 release, you can now set the system time clock for countries like India that fall in the ½ hour time zone.
To verify the change, run a show clock command.
BigIron RX(config)# show clock
Syntax: show clock
Refer to October 19, 2006 - Daylight Savings Time 2007 Advisory, posted on kp.foundrynet.com for more information.
Configuring CLI banners
The device can be configured to display a greeting message on users’ terminals when they enter the Privileged EXEC CLI level or access the device through Telnet.
Setting a privileged EXEC CLI level banner
You can configure the device to display a message when a user enters the Privileged EXEC CLI level.
BigIron RX(config)# banner exec_mode # (Press Return)
Enter TEXT message, End with the character '#'.
You are entering Privileged EXEC level
Don’t foul anything up!
#
As with the banner motd command, you begin and end the message with a delimiting character; in this example, the delimiting character is # (pound sign).
Configuring terminal display
You can configure and display the number of lines displayed on a terminal screen during the current CLI session. The terminal length command allows you to determine how many lines will be displayed on the screen during the current CLI session. This command is useful when reading multiple lines of displayed information, especially those that do not fit on one screen.
NOTE
The following protocols require a system reset before the protocol will be active on the system: PIM, DVMRP, RIP, FSRP. To reset a system, enter the reload command at the privileged level of the CLI.
To enable a protocol on a device, enter router at the global CONFIG level, followed by the protocol to be enabled. The following example shows how to enable OSPF.
BigIron RX# show default values
telnet@ro(config)#show default values
sys log buffers:50   mac age time:300 sec   ip arp age:10 min   ip addr per intf:24
bootp relay max hops:4
when multicast enabled :
  igmp group memb.:140 sec
when ospf enabled :
  ospf dead:40 sec   ospf transit delay:1 sec
when bgp enabled :
  bgp local pref.:100   bgp metric:10   bgp ext.
Information for the configurable tables appears under the columns shown in bold type. To simplify configuration, the command parameter you enter to configure the table is used for the table name. For example, to increase the capacity of the IP route table, enter the following commands.
To globally disable Layer 2 switching on the device, enter commands such as the following.
BigIron RX(config)# route-only
BigIron RX(config)# exit
BigIron RX# write memory
BigIron RX# reload
To re-enable Layer 2 switching globally, enter the following.
The total amount of CAM entries available is 1024 for each packet processor. If you want to configure 600 for ACLs, 168 for PBR and Rate Limiters, and 256 for IPv6 multicast forwarding entries, enter commands such as the following.
BigIron RX(config)# cam-partition rw session 768
BigIron RX(config)# cam-partition rw session rule-partition 600
If you want to configure 2 ACL entries and 2 IPv6 entries and 1020 Rate Limiting entries, enter a command such as the following.
As of release 02.4.00, the Nexthop table is user configurable. If the router is installed in a network where there are many directly connected hosts, then the size of the one-path partition should be increased. To configure the partition, use a command such as the following.
BigIron RX(config)# cam-partition next-hop 2048 1024 512 512
The above command partitions the next-hop table into 2048 one-path, 1024 two-path, 512 four-path and 512 eight-path entries.
Pinging an IPv4 address
To verify that a Brocade device can reach another device through the network, enter a command such as the following at any level of the CLI on the Brocade device:
BigIron RX> ping 192.33.4.
U = Indicates that a destination unreachable error PDU was received.
I = Indicates that the user interrupted ping.
NOTE
The number of ! characters displayed may not correspond to the number of successful replies by the ping command. Similarly, the number of . characters displayed may not correspond to the number of server timeouts that occurred while waiting for a reply. The "success" or "timeout" results are shown in the display as “Success rate is XX percent (X/Y)”.
Chapter 6
Configuring Interface Parameters
Assigning a port name
NOTE
To modify Layer 2, Layer 3, or Layer 4 features on a port, refer to the appropriate section in this chapter or other chapters. For example, to modify Spanning Tree Protocol (STP) parameters for a port, refer to “Changing STP port parameters” on page 328. To configure trunk groups or dynamic link aggregation, refer to Chapter 8, “Link Aggregation”.
Speed/Duplex negotiation
Speed/Duplex Negotiation detects the speed (10 Mbps, 100 Mbps, 1000 Mbps) and duplex (half-duplex or full-duplex) settings of the device on the other end of the wire and subsequently adjusts to match those settings. Each of the 10/100/1000BaseTX ports is designed to auto-sense and auto-negotiate the speed and mode of the connected device. If the attached device does not support this operation, you can manually enter the port speed.
BigIron RX(config)# interface ethernet 2/4
BigIron RX(config-if-e10000-2/4)# speed-duplex 1000-slave
Syntax: [no] speed-duplex {auto | 1000-master | 1000-slave | 1000-full | 100-full | 100-half | 10-full | 10-half}
auto - Autonegotiation
1000-master - Forces 1000 Mbps master port
1000-slave - Forces 1000 Mbps slave port
1000-full - Forces 1000 Mbps full-duplex operation
1000-half - Forces 100 Mbps half-duplex operation
100-full - Forces 100 Mbps full-duplex operation
100-hal
• auto-gig – The port tries to perform a negotiation with its peer port to exchange capability information. This is the default state.
• neg-off – The port does not try to perform a negotiation with its peer port.
Unless the ports at both ends of a Gigabit Ethernet link use the same mode (either auto-gig or neg-off), the ports cannot establish a link.
NOTE
To use this feature, 802.3x flow control must be enabled globally on the device. By default, 802.3x flow control is enabled on the device, but can be disabled with the no flow-control command.
To specify threshold values for flow control, enter the following command.
Port transition hold timer
Using the delay-link-event command will delay the sending of port "up" or "down" events to Layer 2 protocols. While link down events are reported immediately in syslog, their effect on higher level protocols such as OSPF is delayed according to how the delay-link-event is configured. This command affects the physical link events. However, the resulting logical link events are also delayed. This is a per-interface command.
Configuring port flap dampening on an interface
This feature is configured at the interface level.
BigIron RX(config)# interface ethernet 2
BigIron RX(config-if-e100-2)# link-error-disable 10 3 10
Syntax: [no] link-error-disable
The is the number of times a port’s link state goes from up to down and down to up before the wait period is activated. The default is 0. Enter a value from 1 – 50.
Assigning a mirror port and monitor ports
You can monitor traffic on Brocade ports by configuring another port to “mirror” the traffic on the ports you want to monitor. By attaching a protocol analyzer to the mirror port, you can observe the traffic on the monitored ports. Monitoring traffic on a port is a two-step process:
• Enable a port to act as the mirror port. This is the port to which you connect your protocol analyzer.
The following example configures two mirror ports on the same module and one mirror port on another module. It will illustrate how inbound traffic is mirrored to the two mirror ports on the same module even if the traffic is configured to be mirrored to only one mirror port on the module.
BigIron RX(config)# mirror ethernet 2/1
BigIron RX(config)# trunk switch ethernet 4/1 to 4/8
BigIron RX(config-trunk-4/1-4/8)# config-trunk-ind
BigIron RX(config-trunk-4/1-4/8)# monitor ethe-port-monitored 4/5 ethernet 2/1 in
Syntax: [no] config-trunk-ind
Syntax: [no] monitor ethe-port-monitored | named-port-monitored ethernet / in | out | both
The config-trunk-ind command enables configuration of individual ports
Configuring mirror ports for PBR traffic
When you configure a physical or virtual port to act as a mirror port for PBR traffic, outgoing packets that match the permit Access Control List (ACL) clause in the route map are copied to the mirror ports that you specify. You can specify up to four mirror ports for each PBR route map instance.
Syntax: show monitor config
This output does not display the input traffic mirrored to mirror port 1/2 from port 3/1 and mirrored to mirror port 1/1 from port 4/1 because the mirroring of this traffic is not explicitly configured. To display the actual traffic mirrored to each mirror port, enter the following command at any level of the CLI.
Chapter 7
Configuring IP
Overview of configuring IP
The Internet Protocol (IP) is enabled by default. This chapter describes how to configure IP parameters on the device.
The IP packet flow
Figure 5 shows how an IP packet moves through a device.
FIGURE 5 IP packet flow through a device
[Flow diagram not reproduced. Elements shown: Incoming Port, IP ACLs (hardware) with Permit/Deny and Drop, PBR (hardware), Static ARP Table, ARP Table (software), IP Route Table (software), RIP, Lowest Metric, Lowest Admin.]
1. When the device receives an IP packet, the device checks for IP ACL filters on the receiving interface. If a deny filter on the interface denies the packet, the device discards the packet and performs no further processing. If logging is enabled for the filter, then the device generates a Syslog entry and SNMP trap message.
2. If the packet is not denied, the device checks for Policy Based Routing (PBR).
The software places an entry from the static ARP table into the ARP cache when the entry’s interface comes up. Here is an example of a static ARP entry.
Index | IP Address | MAC Address | Port
1 | 207.95.6.111 | 0800.093b.d210 | 1/1
Each entry lists the information you specified when you created the entry.
To configure a static IP route, refer to “Configuring static routes” on page 197. To clear a route from the IP route table, refer to “Clearing IP routes” on page 229. To increase the size of the IP route table for learned and static routes, refer to “Displaying and modifying system parameter default settings” on page 131.
• For learned routes, modify the ip-route parameter.
• For static routes, modify the ip-static-route parameter.
When parameter changes take effect
Most IP parameters described in this chapter are dynamic. They take effect immediately, as soon as you enter the CLI command. You can verify that a dynamic change has taken effect by displaying the running configuration. To display the running configuration, enter the show running-config or write terminal command at any CLI prompt.
TABLE 43 IP global parameters (Continued)

Parameter: ARP rate limiting
Description: Lets you specify a maximum number of ARP packets the device will accept each second. If the device receives more ARP packets than you specify, the device drops additional ARP packets for the remainder of the one-second interval.
Default: Disabled
See page: 186

Parameter: ARP age
Description: The amount of time the device keeps a MAC address learned through ARP in the device’s ARP cache.
TABLE 43 IP global parameters (Continued)

Parameter: ICMP Router Discovery Protocol (IRDP)
Description: An IP protocol a router can use to advertise the IP addresses of its router interfaces to directly attached hosts.
TABLE 43 IP global parameters (Continued)

Parameter: Static route
Description: An IP route you place in the IP route table.
Default: No entries
See page: 197

Parameter: Source interface
Description: The IP address the router uses as the source address for Telnet, RADIUS, or TACACS and TACACS+ packets originated by the router. The router can select the source address based on either of the following:
• The lowest-numbered IP address on the interface the packet is sent on.
TABLE 44 IP interface parameters (Continued)

Parameter: DHCP gateway stamp
Description: The router can assist DHCP/BootP Discovery packets from one subnet to reach DHCP/BootP servers on a different subnet by placing the IP address of the router interface that receives the request in the request packet’s Gateway field. You can override the default and specify the IP address to use for the Gateway field in the packets.
NOTE
Once you configure a virtual routing interface on a VLAN, you cannot configure Layer 3 interface parameters on individual ports in the VLAN. Instead, you must configure the parameters on the virtual routing interface itself. Also, once an IP address is configured on an interface, the hardware is programmed to route all IP packets that are received on the interface. Consequently, IP packets not destined for this device’s MAC address are not bridged but dropped.
Assigning an IP address to a loopback interface

Loopback interfaces are always up, regardless of the states of physical interfaces. They can add stability to the network because they are not subject to route flap problems that can occur due to unstable links between a device and other devices. You can configure up to eight loopback interfaces on a device. You can add up to 24 IP addresses to each loopback interface.
Syntax: interface ve <num>

The <num> parameter specifies the virtual interface number. You can specify from 1 to the maximum number of virtual interfaces supported on the device. To display the maximum number of virtual interfaces supported on the device, enter the show default values command. The maximum is listed in the System Parameters section, in the Current column of the virtual-interface row.
GRE IP tunnel

The BigIron RX allows the tunneling of packets of the following protocols over an IP network using the Generic Router Encapsulation (GRE) mechanism as described in RFC 2784:
• OSPF
• BGP
• IS-IS point-to-point

Using this feature, packets of these protocols can be encapsulated inside a transport protocol packet at a tunnel source and delivered to a tunnel destination, where they are unpacked and made available for delivery. Figure 6 describes the GRE header format.
• GRE Encapsulation
• Loopback address for the Tunnel (required for de-encapsulation)
• IP address for the Tunnel

NOTE
Sustained rates of small packet sizes may affect the ability of a 10 gigabit Ethernet port to maintain line rate GRE encapsulation and de-encapsulation performance.

Configuring a tunnel interface

To configure a tunnel interface, use the following command.
Configuring a loopback port for a tunnel interface

On the device, a loopback port is required for de-encapsulating a packet exiting the tunnel. Fiber-optic components must be present on the interface module for the loopback port to work. Therefore, consider the following configuration rules for a loopback port:
• 1-gigabit copper ports should not be configured as loopback ports.
• 1-gigabit and 10-gigabit fiber ports can be configured as loopback ports.
FIGURE 7 GRE IP tunnel configuration example
[Figure: BigIron RX A (port3/1, 36.0.8.108, network 10.10.1.0/24) connected through tunnel 1 (10.10.3.1 to 10.10.3.2 across the Internet, 10.10.3.0) to BigIron RX B (port5/1, 131.108.5.2, network 10.10.2.0/24).]

Configuration example for BigIron RX A

BigIron RX (config)# interface ethernet 3/1
BigIron RX (config-if-e1000-3/1)# ip address 36.0.8.
Syntax: show ip interface tunnel

This display shows the following information.

TABLE 45 CLI display of interface IP configuration information
This field...  Displays...
Interface      The tunnel and tunnel number.
IP-Address     The IP address of the tunnel interface.
OK?            Whether the IP address has been configured on the tunnel interface.
Method         Whether the IP address has been saved in NVRAM.
IPv6 over IPv4 tunnels in hardware

To enable communication between isolated IPv6 domains using the IPv4 infrastructure, you can configure IPv6 over IPv4 tunnels. Brocade supports the following IPv6 over IPv4 tunneling mechanisms in hardware:
• Manually configured tunnels

In general, a manually configured tunnel establishes a permanent link between routers in IPv6 domains.
BigIron RX(config)# interface tunnel 1
BigIron RX(config-tnif-1)# tunnel source ethernet 3/1
BigIron RX(config-tnif-1)# tunnel destination 198.162.100.1
BigIron RX(config-tnif-1)# tunnel mode ipv6ip
BigIron RX(config-tnif-1)# ipv6 address 2001:b78:384d:34::/64 eui-64

This example creates tunnel interface 1 and assigns a global IPv6 address with an automatically computed EUI-64 interface ID to it.
BigIron RX# show ipv6 tunnel
IP6 Tunnels
Tunnel  Mode        Packet Received  Packet Sent
1       configured  0                0
2       configured  0                22419

Syntax: show ipv6 tunnel

This display shows the following information.

TABLE 46 IPv6 tunnel information
This field...  Displays...
Tunnel         The tunnel interface number.
Mode           The tunnel mode. Possible modes include the following:
               configured – Indicates a manually configured tunnel.
               6to4 – Indicates an automatic 6to4 tunnel.
TABLE 47 IPv6 tunnel interface information (Continued)
This field...       Displays...
Tunnel source       The tunnel source can be one of the following:
                    • An IPv4 address
                    • The IPv4 address associated with an interface or port.
Tunnel destination  The tunnel destination can be an IPv4 address.
Tunnel mode         The tunnel mode can be one of the following:
                    • ipv6ip auto-tunnel – Indicates an automatic IPv4-compatible tunnel.
                    • ipv6ip 6to4 – Indicates an automatic 6to4 tunnel.
Configuring Domain Name Server (DNS) resolver

The DNS resolver lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a device and thereby recognize all hosts within that domain. After you define a domain name, the device automatically appends the appropriate domain to the host and forwards it to the domain name server. For example, if the domain “newyork.
Use the no form of the command to remove a domain name from the domain-list.

Displaying the domain name list

To determine what domain names have been configured in the domain list, enter the following command.

BigIron RX(config)# show ip dns domain-list
Total number of entries : 3
Primary Domain Name:
Domain Name List:
seq:4 eng.company.co
seq:5 facilities.company.com
seq:12. support.company.
Static cache entries

You can manually add entries to the DNS cache table if you know a host’s complete, qualified name and its IP address. To add host names and their IP addresses to the DNS cache table, enter commands such as the following.

BigIron RX(config)# ip dns cache-entry www.foundrynet.com 63.236.63.244 720

Syntax: [no] ip dns cache-entry

The first parameter is the host’s complete, qualified name. For example, enter www.company.com or host.company.com.
TABLE 48 The show ip dns cache-table output
This field...  Displays...
Host           The complete, qualified domain name of the host.
Flag           Indicates if the entry is dynamic or static and if the information for the domain is up to date:
               • TMP – Entry is dynamic
               • STA – Entry is static
               • OK – Information for the entry is up to date
               • EX – The entry is expired and will not be used. Such an entry is deleted from the cache table at the next cache poll refresh.
Syntax: show ip dns server-list

Debugging the DNS feature

To debug the DNS feature, enter the following command.

BigIron RX# debug ip dns
IP: dns debugging is on

Syntax: debug ip dns

Using a DNS name to initiate a trace route

Suppose you want to trace the route from a device to a remote server identified as NYC02 on domain newyork.com.

FIGURE 9 Querying a host on the newyork.com domain
[Figure: Domain Name Server for newyork.com, listing hosts nyc01 and nyc02 (addresses shown as 207.95.6.).]
Type Control-c to abort
Sending DNS Query to 209.157.22.199
Tracing Route to IP node 209.157.22.80
To ABORT Trace Route, Please use stop-traceroute command.
Traced route to target IP node 209.157.22.80:
IP Address   Round Trip Time1  Round Trip Time2
207.95.6.30  93 msec           121 msec

NOTE
In the above example, 209.157.22.199 is the IP address of the domain name server (default DNS gateway address), and 209.157.22.80 represents the IP address of the NYC02 host.
The control portions of these packets differ slightly. All IP devices on an Ethernet network must use the same format. The device uses Ethernet II by default. You can change the IP encapsulation to Ethernet SNAP on individual ports if needed.

NOTE
All devices connected to the device port must use the same encapsulation type.

To change the IP encapsulation type on interface 1/5 to Ethernet SNAP, enter the following commands.
To configure the untagged max-frame-size on a VLAN, enter a command such as the following at the Interface Configuration level.

BigIron RX(config-vlan-20)#
BigIron RX(config-vlan-20)# max-frame-size 5000
Please reload system!
BigIron RX(config-vlan-20)#

Syntax: max-frame-size <num>

The <num> variable specifies the maximum frame size for each port that is connected to the same PPCR as described in Table 49. Values can be from 64 to 9212 bytes. The default is 1518 bytes.
Globally changing the IP MTU

To globally enable jumbo support on all ports, enter commands such as the following.

BigIron RX(config)# ip mtu 5000
BigIron RX(config)# write memory

Syntax: [no] ip mtu <num>

The <num> parameter specifies the maximum number of bytes an Ethernet frame can have in order to be forwarded on a port. Enter 64 – 9212, but this value must be 18 bytes less than the value of the global maximum frame size.
NOTE
If you change the router ID, all current BGP4 sessions are cleared.

By default, the router ID on a device is one of the following:
• If the router has loopback interfaces, the default router ID is the IP address configured on the lowest numbered loopback interface configured on the device. For example, if you configure loopback interfaces 1, 2, and 3 as follows, the default router ID is 9.9.9.
• If you specify a loopback interface as the single source for Telnet, TACACS, TACACS+, or RADIUS packets, servers can receive the packets regardless of the states of individual links. Thus, if a link to the server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
RADIUS packets

To specify the lowest-numbered IP address configured on a virtual interface as the device’s source for all RADIUS packets, enter commands such as the following.

BigIron RX(config)# int ve 1
BigIron RX(config-vif-1)# ip address 10.0.0.3/24
BigIron RX(config-vif-1)# exit
BigIron RX(config)# ip radius source-interface ve 1

The commands configure virtual interface 1, assign IP address 10.0.0.
IP fragmentation protection

Beginning with this release, IP packet filters on the device drop undersized fragments and overlapping packet fragments to prevent tiny fragment attacks as explained in RFC 1858. When packets are fragmented on the network, the first fragment of a packet must be large enough to contain all the necessary header information.
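The two RFC 1858 checks described above (an undersized first fragment, and a fragment at offset 1 that would overlap the first fragment's transport header), as an added example that is not Brocade code: it parses raw IPv4 headers and returns a verdict per packet. The minimum first-fragment sizes (16 bytes for TCP, 8 for UDP) are values chosen for this example, not values taken from the device.

```python
# Added example (not Brocade code): the RFC 1858 checks the text describes, applied
# to raw IPv4 headers.  A first fragment (offset 0) must carry enough of the transport
# header, and a fragment at offset 1 would overwrite part of the first fragment's
# transport header, so both are dropped.  Checksums are not verified here.
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, ID, flags+offset, TTL, proto, csum, src, dst
PROTO_TCP, PROTO_UDP = 6, 17

# Minimum transport bytes required in a first fragment (offset 0), per protocol.
# Values chosen for this example (assumption, not a Brocade value): 16 covers the TCP
# header through the flags byte (offset 13) and window field; 8 is the full UDP header.
MIN_FIRST_FRAGMENT = {PROTO_TCP: 16, PROTO_UDP: 8}


def fragment_verdict(packet: bytes) -> str:
    """Classify one IPv4 packet: 'permit', 'drop-tiny', 'drop-overlap' or 'drop-malformed'."""
    if len(packet) < 20:
        return "drop-malformed"
    ver_ihl, _tos, total_len, _ident, frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        return "drop-malformed"
    more_fragments = (frag >> 13) & 1
    offset = frag & 0x1FFF                 # fragment offset, in 8-octet units
    if not more_fragments and offset == 0:
        return "permit"                    # not a fragment: no RFC 1858 check applies
    if offset == 1:
        return "drop-overlap"              # RFC 1858 3.2: offset 1 overlaps the transport header
    if offset == 0 and (total_len - ihl) < MIN_FIRST_FRAGMENT.get(proto, 0):
        return "drop-tiny"                 # RFC 1858 3.1: first fragment too small
    return "permit"


def build_ipv4(proto: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (no options, zero checksum) for testing."""
    flags_offset = (0x2000 if more else 0) | (offset & 0x1FFF)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, flags_offset,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def filter_stream(packets) -> dict:
    """Count verdicts over a sequence of packets, like a per-filter drop counter."""
    counts = {}
    for pkt in packets:
        verdict = fragment_verdict(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [
        build_ipv4(PROTO_TCP, 0, True, bytes(8)),    # first fragment with only 8 transport bytes
        build_ipv4(PROTO_TCP, 1, True, bytes(8)),    # offset 1: overlaps the first fragment
        build_ipv4(PROTO_TCP, 0, True, bytes(32)),   # first fragment carrying the full TCP header
        build_ipv4(PROTO_TCP, 4, False, bytes(8)),   # ordinary last fragment
    ]
    for pkt in sample:
        print(fragment_verdict(pkt))
```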
Displaying IP receive access list

To determine if an IP receive access list has been configured on the device, enter the following command.

BigIron RX# show access-list bindings
L4 configuration:
ip receive access-list 101

Configuring ARP parameters

Address Resolution Protocol (ARP) is a standard IP protocol that enables the device to obtain the MAC address of another device’s interface when the device knows the IP address of the interface.
• If the ARP cache does not contain an entry for the destination IP address, the device broadcasts an ARP request out all its IP interfaces. The ARP request contains the IP address of the destination. If the device that owns the IP address is directly attached, it sends an ARP response containing its MAC address. The response is a unicast packet addressed directly to the requesting device. The device places the information from the ARP response into the ARP cache.
Applying a rate limit to ARP packets on an interface

To prevent the CPU from becoming flooded by ARP packets in a busy network, you can restrict the number of ARP packets an interface will accept each second. When an ARP rate limit is configured on an interface, the interface accepts up to the maximum number of packets you specify, but drops additional ARP packets received during the one-second interval.
LP-1# show ip traffic arp
ARP Statistics
1400 total recv, 1400 req recv, 0 req sent
0 pending drop, 0 invalid source, 0 invalid dest
ARP Rate Limiting Statistics
Interface    Received  Processed  Dropped(Rate-limted)
ethernet1/1  184200    700        183500
ethernet1/2  0         0          0
ethernet1/3  0         0          0
ethernet1/4  184200    700        183500

The example above shows that the LP processed 50 packets every second and dropped any additional packets.

Syntax: show ip traffic arp

This column...  Displays...
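A model of the per-interface, one-second ARP rate limit described above, as an added example that is not Brocade code: it accepts at most a configured number of ARP packets per interface per second and accumulates the Received, Processed and Dropped counters of the show ip traffic arp output. The traffic it replays (13150 packets per second on one port, 30 per second on another) is constructed for the example.

```python
# Added example (not Brocade code): a model of the per-interface ARP rate limit described
# above, using a fixed one-second window.  It produces the Received / Processed /
# Dropped counters of "show ip traffic arp" for constructed traffic.
from collections import defaultdict


class ArpRateLimiter:
    """Accept at most `max_per_second` ARP packets per interface in each one-second
    interval; anything beyond that in the same second is dropped."""

    def __init__(self, max_per_second: int):
        self.max_per_second = max_per_second
        self._window = {}                  # interface -> (current second, accepted so far)
        self.received = defaultdict(int)
        self.processed = defaultdict(int)
        self.dropped = defaultdict(int)

    def accept(self, interface: str, timestamp: float) -> bool:
        """Return True if an ARP packet arriving at `timestamp` is passed to the CPU."""
        second = int(timestamp)
        self.received[interface] += 1
        start, count = self._window.get(interface, (second, 0))
        if second != start:                # new one-second interval: the budget resets
            start, count = second, 0
        if count < self.max_per_second:
            self._window[interface] = (start, count + 1)
            self.processed[interface] += 1
            return True
        self._window[interface] = (start, count)
        self.dropped[interface] += 1
        return False

    def stats(self) -> list:
        """Rows of (interface, received, processed, dropped), like the CLI table."""
        return [(iface, self.received[iface], self.processed[iface], self.dropped[iface])
                for iface in sorted(self.received)]


def replay_flood(limiter: ArpRateLimiter, interface: str, pps: int, seconds: int) -> None:
    """Constructed traffic: `pps` ARP packets spread evenly across each of `seconds` seconds."""
    for s in range(seconds):
        for i in range(pps):
            limiter.accept(interface, s + i / pps)


if __name__ == "__main__":
    limiter = ArpRateLimiter(max_per_second=50)
    replay_flood(limiter, "ethernet1/1", pps=13150, seconds=14)   # ARP flood on one port
    replay_flood(limiter, "ethernet1/2", pps=30, seconds=2)       # normal ARP traffic
    print("Interface    Received  Processed  Dropped(Rate-limited)")
    for iface, rx, ok, drop in limiter.stats():
        print(f"{iface:<12} {rx:<9} {ok:<10} {drop}")
```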
Enabling proxy ARP

Proxy ARP allows the device to answer ARP requests from devices on one network on behalf of devices in another network. Since ARP requests are MAC-layer broadcasts, they reach only the devices that are directly connected to the sender of the ARP request. Thus, ARP requests do not cross routers. For example, if Proxy ARP is enabled on the device connected to two subnets, 10.10.10.0/24 and 20.20.20.0/24, the device can respond to an ARP request from 10.10.10.
The <mac-addr> parameter specifies the MAC address of the entry. The ethernet <port> parameter specifies the port number attached to the device that has the MAC address of the entry. The arp command allows you to specify only one port number. To create a static ARP entry for a static MAC entry that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static MAC entry.
When an ARP entry is deleted from the ARP Inspection table, the corresponding entry in the static ARP table is also deleted.

To create a floating static ARP entry for a static MAC entry, enter a command such as the following.

BigIron RX(config)# arp 192.53.4.2 1245.7654.2348

The command adds a floating static ARP entry that maps IP address 192.53.4.2 to MAC address 1245.7654.2348.
Displaying the routes waiting for the next hop ARP to resolve

Use the following command to display which routes are waiting for the next-hop ARP to be resolved.

BigIron RX# show ip static route
IP Static Routing Table - 2 entries:
Type Codes: '*' - Installed, '+' - Waiting for ARP resolution
IP Prefix      Next Hop    Interface  Dis/Metric/Tag
*10.0.0.0/8    10.43.14.1             1/1/0
+20.1.1.0/24   12.1.1.2               1/1/0
*20.1.1.0/24   12.1.1.6               1/1/0
+20.1.1.0/24   12.1.1.7               5/1/0
 20.1.1.0/24   10.43.14.
To modify the TTL threshold to 25, enter the following commands.

BigIron RX(config)# ip ttl 25

Syntax: ip ttl <1-255>

Enabling forwarding of directed broadcasts

A directed broadcast is an IP broadcast to all devices within a single directly-attached network or subnet. A net-directed broadcast goes to all devices on a given network. A subnet-directed broadcast goes to all devices within a given subnet.
• Loose source routing – requires that the packet pass through all of the listed routers but also allows the packet to travel through other routers, which are not listed in the packet.

The device forwards both types of source-routed packets by default. You cannot enable or disable strict or loose source routing separately. To disable forwarding of IP source-routed packets, enter the following command.
• Destination Unreachable messages – If the device receives an IP packet that it cannot deliver to its destination, the device discards the packet and sends a message back to the device that sent the packet. The message informs the sender that the destination cannot be reached by the device.

Disabling replies to broadcast ping requests

By default, the device is enabled to respond to broadcast ICMP echo packets, which are ping requests.
Syntax: [no] ip icmp unreachable [network | host | protocol | administration | fragmentation-needed | port | source-route-fail]

• If you enter the command without specifying a message type (as in the example above), all types of ICMP Unreachable messages listed above are disabled. If you want to disable only specific types of ICMP Unreachable messages, you can specify the message type.
BigIron RX(config)# int e 3/11
BigIron RX(config-if-e100-3/11)# no ip redirect

Syntax: [no] ip redirect

Configuring static routes

The IP route table can receive routes from the following sources:
• Directly-connected networks – When you add an IP interface, the device automatically creates a route for the network the interface is in.
• RIP – If RIP is enabled, the device can learn about routes from the advertisements other RIP routers send to the device.
• A “null” interface. The device drops traffic forwarded to the null interface.

The following parameters are optional:
• The route’s metric – The value the device uses when comparing this route to other routes in the IP route table to the same destination. The metric applies only to routes that the device has already placed in the IP route table. The default metric for static IP routes is 1.
FIGURE 10 Example of a static route
[Figure: Router A and Router B; labels shown: 207.95.6.188/24, e 1/2, 207.95.6.157/24, 207.95.7.7/24, 207.95.7.69/24.]

The following command configures a static route to 207.95.7.0, using 207.95.6.157 as the next-hop gateway.

BigIron RX(config)# ip route 207.95.7.0/24 207.95.6.157

When you configure a static IP route, you specify the destination address for the route and the next-hop gateway or device interface through which the device can reach the route.
The <dest-ip-addr> is the route’s destination. The <dest-mask> is the network mask for the route’s destination IP address. Alternatively, you can specify the network mask information by entering / followed by the number of bits in the network mask. For example, you can enter 192.0.0.0 255.255.255.0 as 192.0.0.0/24. The <next-hop-ip-addr> is the IP address of the next-hop router (gateway) for the route. For a default route, enter 0.0.0.0 0.0.0.0 xxx.xxx.xxx.
To display the maximum value for your device, enter the show default values command. The maximum number of static IP routes the system can hold is listed in the ip-static-route row in the System Parameters section of the display. To change the maximum value, use the system-max ip-static-route command at the global CONFIG level.

The <dest-ip-addr> parameter specifies the network or host address.
To add a tag value to a static route, enter commands such as the following:

BigIron RX(config)# ip route 192.122.12.1 255.255.255.0 192.122.1.1 tag 20

Syntax: ip route <dest-ip-addr> <dest-mask> | <dest-ip-addr>/<mask-bits> <next-hop-ip-addr> tag <value>

The <dest-ip-addr> is the route’s destination. The <dest-mask> is the network mask for the route’s destination IP address.
The following commands configure static IP routes to the same destination, but with different metrics. The route with the lowest metric is used by default. The other routes are backups in case the first route becomes unavailable. The device uses the route with the lowest metric if the route is available.

BigIron RX(config)# ip route 192.128.2.69 255.255.255.0 209.157.22.1
BigIron RX(config)# ip route 192.128.2.69 255.255.255.0 192.111.10.
FIGURE 11 Standard and null static routes to the same destination network
[Figure: two static routes to 192.168.7.0/24: a standard static route through gateway 192.168.6.157 with metric 1, and a null route with metric 2. Router A (192.168.6.188/24) and Router B (192.168.6.157/24, 192.168.7.7/24, 192.168.7.69/24). When the standard static route is good, Router A uses that route.]
FIGURE 12 Standard and interface routes to the same destination network
[Figure: two static routes to 192.168.7.0/24: an interface-based route through port1/1 with metric 1, and a standard static route through gateway 192.168.8.11 with metric 3. Router A (192.168.6.188/24; Port1/1 192.168.8.12/24; Port4/4 192.168.6.69/24). When the route through interface 1/1 is available, Router A always uses that route.]
Configuring a default network route

The device enables you to specify a candidate default route without the need to specify the next-hop gateway. If the IP route table does not contain an explicit default route (for example, 0.0.0.0/0) or propagate an explicit default route through routing protocols, the software can use the default network route as a default route instead.
BigIron RX(config)# show ip route
Total number of IP routes: 2
Start index: 1  B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
    Destination   Gateway  Port  Cost  Type
1   209.157.20.0  0.0.0.0  lb1   1     D
2   209.157.22.0  0.0.0.0  4/11  1     *D

This example shows two routes. Both of the routes are directly attached, as indicated in the Type column. However, one of the routes is shown as type “*D”, with an asterisk (*).
Administrative distance

The administrative distance is a unique value associated with each type (source) of IP route. Each path has an administrative distance. It is used when evaluating multiple equal-cost paths to the same destination from different sources, such as RIP, OSPF and so on, but not used when performing IP load sharing. The value of the administrative distance is determined by the source of the route.
• OSPF – The Path Cost associated with the path. The paths can come from any combination of inter-area, intra-area, and external Link State Advertisements (LSAs).
• BGP4 – The path’s Multi-Exit Discriminator (MED) value.

NOTE
If the path is redistributed between two or more of the above sources before entering the IP route table, the cost can increase during the redistribution due to settings in redistribution filters.
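The static-route selection rules covered in the last few sections (routes to the same destination ordered by metric with the others as backups, a static route installed only once its next-hop ARP resolves as in the show ip static route output, and administrative distance as the tie-breaker between equal-cost paths), as an added example that is not Brocade code. The routes are constructed from the CLI output above; the second next hop of the 192.128.2.69 pair is truncated on the page, so a placeholder address (203.0.113.1) and metric 2 are assumed for it.

```python
# Added example (not from the Brocade guide): a small model of the route-selection
# rules described above.  Each route carries its own administrative distance and
# metric, as in the Dis/Metric/Tag column of "show ip static route", and a static
# route is only installed once the ARP entry for its next hop has resolved.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: str      # destination, e.g. "20.1.1.0/24" (a host address plus mask is normalised)
    next_hop: str    # next-hop gateway; "0.0.0.0" for a directly connected route
    distance: int    # administrative distance, determined by the route's source
    metric: int      # route cost; lowest wins among routes to the same destination
    tag: int = 0

    @property
    def network(self):
        return ip_network(self.prefix, strict=False)


def is_installed(route: Route, resolved_next_hops: set) -> bool:
    """Connected routes are always usable; a static route waits ('+') until the
    ARP entry for its next hop resolves."""
    return route.next_hop == "0.0.0.0" or route.next_hop in resolved_next_hops


def select_route(dest: str, routes: Iterable[Route], resolved_next_hops: set) -> Optional[Route]:
    """Pick the route used to forward to `dest`: longest matching prefix first,
    then the lowest metric, with administrative distance breaking ties between
    equal-cost paths (the order the text above describes)."""
    addr = ip_address(dest)
    candidates = [r for r in routes
                  if is_installed(r, resolved_next_hops) and addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric, r.distance))


def static_route_table(routes: Iterable[Route], resolved_next_hops: set) -> list:
    """Render lines in the style of 'show ip static route':
    '*' installed, '+' waiting for ARP resolution."""
    lines = []
    for r in routes:
        code = "*" if is_installed(r, resolved_next_hops) else "+"
        lines.append(f"{code}{r.network.with_prefixlen:<16}{r.next_hop:<14}"
                     f"{r.distance}/{r.metric}/{r.tag}")
    return lines


# Constructed data modelled on the "show ip static route" output above.
STATIC_ROUTES = [
    Route("10.0.0.0/8", "10.43.14.1", 1, 1),
    Route("20.1.1.0/24", "12.1.1.2", 1, 1),
    Route("20.1.1.0/24", "12.1.1.6", 1, 1),
    Route("20.1.1.0/24", "12.1.1.7", 5, 1),
]
RESOLVED = {"10.43.14.1", "12.1.1.6"}   # next hops whose ARP entries have resolved

# Backup-by-metric case from the two "ip route 192.128.2.69 255.255.255.0 ..." commands.
# The second next hop is truncated on the page; 203.0.113.1 and metric 2 are placeholders.
BACKUP_ROUTES = [
    Route("192.128.2.69/24", "209.157.22.1", 1, 1),
    Route("192.128.2.69/24", "203.0.113.1", 1, 2),
]


if __name__ == "__main__":
    for line in static_route_table(STATIC_ROUTES, RESOLVED):
        print(line)
    best = select_route("20.1.1.77", STATIC_ROUTES, RESOLVED)
    print("20.1.1.77 via", best.next_hop if best else "no route")
```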
Changing the maximum number of load sharing paths

By default, IP load sharing allows IP traffic to be balanced across up to four equal paths. You can change the maximum number of paths that the device supports to a value of 2 – 8. For optimal results, set the maximum number of paths to a value equal to or greater than the maximum number of equal-cost paths that your network typically contains.
Displaying the ECMP load sharing

Use the show run command to display the ECMP load sharing.

BigIron RX(config)# show run
========show run =====================
!
logging console
hostname RW
ip route 0.0.0.0/0 100.1.1.2
ip route 0.0.0.0/0 100.1.2.2
ip route 0.0.0.0/0 100.1.3.2
ip route 0.0.0.0/0 100.1.4.2
ip route 10.0.0.0/8 10.43.2.1
ip route 40.0.0.0/24 100.1.1.
BigIron RX(config)# ip receive access-list 10

Syntax: [no] ip receive access-list <num>

Specify an access list number for <num>. The IP receive ACL is applied globally to all interfaces on the device.

Displaying IP receive access list

To determine if an IP receive access list has been configured on the device, enter the following command.
• Hold time – Each Router Advertisement message contains a hold time value. This value specifies the maximum amount of time the host should consider an advertisement to be valid until a newer advertisement arrives. When a new advertisement arrives, the hold time is reset. The hold time is always longer than the maximum advertisement interval.
The maxadvertinterval parameter specifies the maximum amount of time the device waits between sending Router Advertisements. You can specify a value from 1 to the current value of the holdtime parameter. The default is 600 seconds. The minadvertinterval parameter specifies the minimum amount of time the device can wait between sending Router Advertisements. The default is three-fourths (0.75) the value of the maxadvertinterval parameter.
NOTE
As shown above, forwarding support for BootP/DHCP is enabled by default. If you are configuring the device to forward BootP/DHCP requests, refer to “Configuring BootP/DHCP forwarding parameters” on page 216.

You can enable forwarding for other applications by specifying the application port number. You also can disable forwarding for an application.
• tftp (port 69)

In addition, you can specify any UDP application by using the application’s UDP port number. The <port-number> parameter specifies the UDP application port number. If the application you want to enable is not listed above, enter the application port number. You also can list the port number for any of the applications listed above. To disable forwarding for an application, enter a command such as the following.
You can configure the device to forward BootP/DHCP requests. To do so, configure a helper address on the interface that receives the client requests, and specify the BootP/DHCP server’s IP address as the address you are helping the BootP/DHCP requests to reach. Instead of the server’s IP address, you can specify the subnet directed broadcast address of the IP subnet the server is in.
BigIron RX(config)# int e 1/1
BigIron RX(config-if-e1000-1/1)# ip bootp-gateway 109.157.22.26

These commands change the CLI to the configuration level for port 1/1, then change the BootP/DHCP stamp address for requests received on port 1/1 to 192.157.22.26. The device will place this IP address in the Gateway Address field of BootP/DHCP requests that the device receives on port 1/1 and forwards to the BootP/DHCP server.
• OSPF information – refer to “Displaying OSPF information” on page 712.
• BGP4 information – refer to “Displaying BGP4 information” on page 814.
• DVMRP information – refer to “Displaying information about an upstream neighbor device” on page 647.
• PIM information – refer to “Displaying PIM Sparse configuration information and statistics” on page 607.
• VRRP or VRRPE information – refer to “Displaying VRRP and VRRPE information” on page 459.
TABLE 51 CLI display of global IP configuration information (Continued)
This field...          Displays...
bootp-relay-max-hops   The maximum number of hops away a BootP server can be located from the Brocade router and still be used by the router’s clients for network booting. To change this value, refer to “Changing the maximum number of hops to a BootP relay server” on page 218.
router-id              The 32-bit number that uniquely identifies the Brocade router.
TABLE 51 CLI display of global IP configuration information (Continued)
This field...  Displays...
Port           The Layer 4 TCP or UDP port the policy checks for in packets. The port can be displayed by its number or, for port types the router recognizes, by the well-known name. For example, TCP port 80 can be displayed as HTTP.
               NOTE: This field applies only if the IP protocol is TCP or UDP.
Operator       The comparison operator for TCP or UDP port names or numbers.
BigIron RX# show ip interface ethernet 1/1
Interface Ethernet 1/1
port state: UP
ip address: 192.168.9.51
subnet mask: 255.255.255.0
encapsulation: ETHERNET, mtu: 1500, metric: 1
directed-broadcast-forwarding: disabled
proxy-arp: disabled
ip arp-age: 10 minutes
Ip Flow switching is disabled
No Helper Addresses are configured.
BigIron RX# show arp
Total number of ARP entries: 5
    IP Address    MAC Address     Type     Age  Port
1   207.95.6.102  0800.5afc.ea21  Dynamic  0    6
2   207.95.6.18   00a0.24d2.04ed  Dynamic  3    6
3   207.95.6.54   00a0.24ab.cd2b  Dynamic  0    6
4   207.95.6.101  0800.207c.a7fa  Dynamic  0    6
5   207.95.6.211  00c0.2638.ac9c  Dynamic  0    6

Syntax: show arp [ethernet | mac-address
TABLE 53 CLI display of ARP cache (Continued)
This field...  Displays...
Age            The number of minutes the entry has remained unused. If this value reaches the ARP aging period, the entry is removed from the table. To display the ARP aging period, refer to “Displaying global IP configuration information” on page 219. To change the ARP aging interval, refer to “Changing the ARP aging period” on page 188.
               NOTE: Static entries do not age out.
BigIron RX> show ip cache
Cache Entry Usage on LPs:
Module  Host  Network  Free    Total
15      6     6        204788  204800

Syntax: show ip cache [<ip-addr>] [| begin <text> | exclude <text> | include <text>]

The <ip-addr> parameter displays the cache entry for the specified IP address. The show ip cache command shows the forwarding cache usage on each interface module CPU. The CPU on each interface module builds its own forwarding cache, depending on the traffic.
TABLE 55 CLI display of IP forwarding cache (Continued)
This field...  Displays...
Type           The type of host entry, which can be one or more of the following:
               • D – Dynamic
               • P – Permanent
               • F – Forward
               • U – Us
               • C – Complex Filter
               • W – Wait ARP
               • I – ICMP Deny
               • K – Drop
               • R – Fragment
               • S – Snap Encap
Port           The port through which this device reaches the destination. For destinations that are located on this device, the port number is shown as “n/a”.
The <num> option displays the route table entry whose row number corresponds to the number you specify. For example, if you want to display the tenth row in the table, enter “10”. The <ip-addr> parameter displays the route to the specified IP address. The <ip-mask> parameter lets you specify a network mask or, if you prefer CIDR format, the number of bits in the network mask.
BigIron RX(config)# show ip route 209.159.0.0/16 longer
Starting index: 1  B:BGP D:Directly-Connected R:RIP S:Static O:OSPF
    Destination   NetMask        Gateway       Port  Cost  Type
52  209.159.38.0  255.255.255.0  207.95.6.101
53  209.159.39.0  255.255.255.0  207.95.6.101
54  209.159.40.0  255.255.255.0  207.95.6.101
55  209.159.41.0  255.255.255.0  207.
56  209.159.42.0  255.255.255.0
57  209.159.43.0  255.255.255.0
58  209.159.44.0  255.255.255.0
59  209.159.45.0  255.255.255.0
60  209.159.46.0  255.255.255.0

TABLE 56 CLI display of IP route table (Continued)
This field...  Displays...
Type           The route type, which can be one of the following:
               • B – The route was learned from BGP.
               • D – The destination is directly connected to this device.
               • R – The route was learned from RIP.
               • S – The route is a static route.
               • * – The route is a candidate default route.
               • O – The route is an OSPF route. Unless you use the ospf option to display the route table, “O” is used for all OSPF routes.

BigIron RX> sh ip traffic
IP Statistics
  146806 total received, 72952 mp received, 6715542 sent, 0 forwarded
  0 filtered, 0 fragmented, 0 bad header
  0 failed reassembly, 0 reassembled, 0 reassembly required
  0 no route, 0 unknown proto, 0 no buffer, 0 other errors, 0 rpf discard
ARP Statistics
  19022 total recv, 35761 req recv, 475 rep recv, 2803975 req sent, 1885 rep sent
  0 pending drop, 0 invalid source, 0 invalid dest
ICMP Statistics
Received:
  9 total, 0 errors, 0 unreachable, 0

TABLE 57 CLI display of IP traffic statistics (Continued)
This field...    Displays...
ICMP statistics  The ICMP statistics are derived from RFC 792, “Internet Control Message Protocol”, RFC 950, “Internet Standard Subnetting Procedure”, and RFC 1256, “ICMP Router Discovery Messages”. Statistics are organized into Sent and Received. The field descriptions below apply to each.
total            The total number of ICMP messages sent or received by the device.
input errors     This information is used by Brocade customer support.
in segments      The number of TCP segments received by the device.
out segments     The number of TCP segments sent by the device.
Chapter 8 Link Aggregation

Link aggregation overview
This chapter describes how to configure Link Aggregation Groups (LAG). Beginning with release 02.6.00 of the Multi-Service IronWare software, you can use a single interface to configure any of the following LAG types:
• Static LAGs – These trunk groups are manually configured aggregate links containing multiple ports.
• Dynamic LAGs – This LAG type uses the Link Aggregation Control Protocol (LACP) to maintain aggregate links over multiple ports.
LAG formation rules
• Any number or combination of ports between 1 and 8 within the same chassis can be used to configure a LAG. The maximum number of LAG ports is checked when adding ports to a LAG.
• All ports configured in a LAG must be of equal bandwidth. For example, all 10 G ports.
• All ports configured in a LAG must be configured with the same port attributes.
• Trunk formation rules are checked when a static or dynamic LAG is deployed.
• To change port parameters, you must change them on the primary port. The software automatically applies the changes to the other ports in the LAG.
• Make sure the device on the other end of the trunk link can support the same number of ports in the link.
Figure 13 displays an example of a valid keep-alive LAG link between two devices. This configuration does not aggregate ports but uses the LACP PDUs to maintain the connection status between the two ports.
FIGURE 15 Examples of multi-slot, multi-port LAG (ports 1/1 through 1/8 and 2/1 through 2/8 on each device)

LAG load sharing
Traffic on BigIron RX switches is load balanced over a LAG by using the Hash Based Load Sharing method.
Migration from a pre-02.6.00 trunk or LACP configuration
• IPv4 TCP packets: source MAC address and destination MAC address, source IP address and destination IP address, and TCP source port and TCP destination port.
• IPv4 UDP packets: source MAC address and destination MAC address, source IP address and destination IP address, and UDP source port and UDP destination port.
• IPv6 non-TCP/UDP packets: source MAC address and destination MAC address, source IP address and destination IP address.
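To make the hash-based selection concrete, the following Python model of the per-packet field selection listed above is added here as an illustration; it is not Brocade code, and the BigIron RX's actual hash function and member-port mapping are not described on this page, so SHA-256 reduced modulo the member count stands in for them (a labelled assumption). The model shows two properties that matter when you troubleshoot uneven LAG utilization: every packet of one flow always lands on the same member port, and for packets that are not TCP or UDP the Layer 4 ports play no part in the choice, so many such flows between the same two hosts share one link.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields relevant to LAG load sharing (constructed sample type)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str           # "tcp", "udp" or anything else (e.g. "icmp", "gre")
    src_port: int = 0    # Layer 4 ports; consulted only when proto is tcp/udp
    dst_port: int = 0


def hash_fields(pkt: Packet) -> tuple:
    """Return the fields the page lists as hash inputs for this packet type.

    TCP and UDP: MACs, IPs and the L4 source/destination ports.
    Other packets: MACs and IPs only.
    """
    fields = [pkt.src_mac, pkt.dst_mac, pkt.src_ip, pkt.dst_ip]
    if pkt.proto in ("tcp", "udp"):
        fields += [str(pkt.src_port), str(pkt.dst_port)]
    return tuple(fields)


def select_member(pkt: Packet, members: list) -> str:
    """Pick the LAG member port for a packet.

    ASSUMPTION: SHA-256 of the joined fields, reduced modulo the member count,
    stands in for the switch's undocumented hardware hash.
    """
    if not members:
        raise ValueError("LAG has no member ports")
    key = "|".join(hash_fields(pkt)).encode()
    digest = hashlib.sha256(key).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def distribution(packets: list, members: list) -> dict:
    """Count how many packets each member port would carry."""
    counts = Counter(select_member(p, members) for p in packets)
    return {m: counts.get(m, 0) for m in members}


if __name__ == "__main__":
    lag = ["1/1", "1/2", "1/3", "1/4"]          # constructed 4-port LAG
    # 16 constructed TCP sessions from one host: spread across members
    tcp_flows = [
        Packet("0000.0000.0001", "0000.0000.0002", "10.0.0.1", "10.0.1.1",
               "tcp", 40000 + i, 443)
        for i in range(16)
    ]
    # 16 constructed non-TCP/UDP packets between the same hosts: one member
    icmp_flows = [
        Packet("0000.0000.0001", "0000.0000.0002", "10.0.0.1", "10.0.1.1",
               "icmp", i, 0)
        for i in range(16)
    ]
    print("tcp :", distribution(tcp_flows, lag))
    print("icmp:", distribution(icmp_flows, lag))
```

Run it and compare the two dictionaries: the TCP sessions spread over the members because their ports differ, while all of the ICMP packets pile onto a single member.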
Configuration of a LAG
c. If the original mode is passive, the converted dynamic LAG will be configured as deploy passive. Otherwise active mode is the default.
d. The timeout configuration set by the command link-aggregate configure timeout will be converted to the lacp-timeout command.
e. Individual port priority set by the command link-aggregate configure port-priority will be converted to the lacp-port-priority command.
f.

Syntax: [no] lag static | dynamic | keep-alive
Refer to “Allowable characters for LAG names” on page 13 for guidelines on LAG naming conventions. The static option specifies that the LAG with the name specified by the variable will be configured as a static LAG. The static LAG configuration is much the same as the Trunk feature available in releases prior to 02.6.00.
Syntax: [no] primary port
Once a primary port has been configured for a LAG, all configurations that apply to the primary port are applied to the other ports in the LAG.
NOTE: This configuration is only applicable to the configuration of a static or dynamic LAG.
Deploying a LAG

Configuring an LACP timeout
In a dynamic or keep-alive LAG, a port's timeout can be configured as short or long. Once a port is configured with a timeout option, it will remain in that timeout mode whether it's up or down, or part of a trunk or not. All the ports in a trunk should have the same timeout mode. This is checked when the LAG is enabled on ports. To configure a port for a short LACP timeout use the following command.

If the no deploy command is issued and more than 1 LAG port is not disabled, the command is aborted and the following error message is displayed:
“Error 2 or more ports in the LAG are not disabled, un-deploy this LAG may form a loop - aborted.”
Using the forced keyword with the no deploy command in the previous situation, the un-deployment of the LAG is executed.

Use the named option with the appropriate [slot/port] variable to specify a named port within the LAG that you want to disable.

Enabling ports within a LAG
You can enable an individual port within a trunk using the disable command within the LAG configuration as shown in the following.

Assigning a name to a port within a LAG
You can assign a name to an individual port within a LAG using the port-name command within the LAG configuration as shown in the following.
BigIron RX(config)# lag blue static
BigIron RX(config-lag-blue)# deploy
BigIron RX(config-lag-blue)# port-name orange ethernet 3/1
Syntax: [no] port-name ethernet [slot/port]
The variable specifies the port name. The name can be up to 50 characters long.
Displaying LAG information
You can display LAG information for a BigIron RX switch in either a full or brief mode. The examples below show both options of the show lag command.
BigIron RX# show lag brief
Total number of LAGs: 4
Total number of deployed LAGs: 3
Total number of trunks created:3 (31 available)
LACP System Priority / ID: 0001 / 0004.80a0.

Port  [Sys P]  [Port P]  [ Key ]  [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
2/1   1        1         105      Yes  L    Agg  Syn  Col  Dis  No   No   Ope
2/3   1        1         105      Yes  L    Agg  Syn  Col  Dis  No   No   Ope
2/5   1        1         105      Yes  L    Agg  Syn  Col  Dis  No   No   Ope

Syntax: show lag [brief] [deployed] [dynamic] [keep-alive] [static]
Table 58 describes the information displayed by the show lag command.

TABLE 58 Show LAG information
This field...  Displays...
Dupl           The duplex state of the port, which can be one of the following:
               • Full
               • Half
               • None
Speed          The bandwidth of the interface.
Trunk          The Trunk ID of the port.
Tag            Indicates whether the ports have 802.1q VLAN tagging. The value can be Yes or No.
Priori         Indicates the Quality of Service (QoS) priority of the ports. The priority can be a value from 0 – 7.
MAC            The MAC address of the port.
Syn            Indicates the synchronization state of the port. The state can be one of the following:
               • No – The port is out of sync with the remote port. The port does not understand the status of the LACPDU process and is not prepared to enter a trunk link.
               • Syn – The port is in sync with the remote port.

BigIron RX# show statistics brief lag
LAG Packets [Receive OutErr]
LAG d1  1173
LAG e   1268

BigIron RX# show statistics lag
LAG d1 Counters:
  InOctets        127986
  InPkts          1149
  InBroadcastPkts 0
  InMulticastPkts 852
  InUnicastPkts   297
  InDiscards      0
  InErrors        0
  InCollisions    0
  Alignment       0
  GiantPkts       0
  InBitsPerSec    0
  InPktsPerSec    0
  InUtilization   0.
Chapter 9 Configuring LLDP

Terms used in this chapter
Link Layer Discovery Protocol (LLDP) – The Layer 2 network discovery protocol described in the IEEE 802.1AB standard, Station and Media Access Control Connectivity Discovery. This protocol enables a station to advertise its capabilities to, and to discover, other LLDP-enabled stations in the same 802 LAN segments.
LLDP Agent – The protocol entity that implements LLDP for a particular IEEE 802 device.

LLDP overview
FIGURE 16 LLDP Connectivity (a switch with an IP-PBX on port A19, a second switch on port F3, and an IP phone, a PC and a switch on ports A4, B6 and B21; each device announces what it is: “I’m a PBX”, “I’m an IP Phone”, “I’m a PC”, “I’m a switch”)

Benefits of LLDP
LLDP provides the following benefits:
• Network Management
  • Simplifies the use of and enhances the ability of network management tools in multi-vendor environments
  • Enables discovery of accurate physical network topologies
General operating principles
LLDP uses the services of the Data Link sublayers, Logical Link Control and Media Access Control, to transmit and receive information to and from other LLDP Agents (protocol entities that implement LLDP). LLDP is a one-way protocol.
FIGURE 17 LLDPDU packet format
  Chassis ID TLV (M) | Port ID TLV (M) | Time to Live TLV (M) | Optional TLV | ... | Optional TLV | End of LLDPDU TLV (M)
  M = mandatory TLV (required for all LLDPDUs)
Each LLDPDU consists of an untagged Ethernet header and a sequence of short, variable length information elements known as TLVs.

• 802.1 organizationally-specific TLVs
  • Port VLAN ID
  • VLAN name TLV
• 802.3 organizationally-specific TLVs
  • MAC/PHY configuration/status
  • Link aggregation
  • Maximum frame size

Mandatory TLVs
When an LLDP agent transmits LLDP packets to other agents in the same 802 LAN segments, the following mandatory TLVs are always included:
• Chassis ID
• Port ID
• Time to Live (TTL)
This section describes the above TLVs in detail.

There are several ways in which a port may be identified, as shown in Table 60. A port ID subtype, included in the TLV, indicates how the port is being referenced in the Port ID field.

MIB support
• If the TTL field value is zero, the receiving LLDP agent is notified that all system information associated with the LLDP agent or port is to be deleted. This TLV may be used, for example, to signal that the sending port has initiated a port shutdown procedure.
The LLDPDU format is shown in “LLDPDU packet format” on page 256. The TTL TLV format is shown below.
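The following Python builder and parser for the LLDPDU layout in Figure 17, together with the TTL rule just stated, is an added example rather than code from this guide or from Brocade. It uses the IEEE 802.1AB TLV header (7-bit type, 9-bit length) and the standard type codes for the three mandatory TLVs and the End TLV; the MAC-address ID subtypes (4 for chassis, 3 for port) are the 802.1AB values, and the neighbor-table structure is an assumption made for the example. On the receive side it rejects LLDPDUs whose mandatory TLVs are missing, out of order or truncated, which is the check a receiving agent should make before trusting any optional TLV, and it applies the TTL semantics: a non-zero TTL stores or refreshes the neighbor, a zero TTL deletes everything learned from that chassis/port.

```python
import struct

# TLV type codes from IEEE 802.1AB (the page names the three mandatory ones)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
# ID subtypes used when the identifier is a MAC address (802.1AB values)
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC = 4, 3


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_mac: bytes, ttl: int, optional=()) -> bytes:
    """Build an LLDPDU body with the mandatory TLVs in their fixed order."""
    pdu = tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    pdu += tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_MAC]) + port_mac)
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))
    for opt_type, opt_value in optional:      # e.g. system name, port description
        pdu += tlv(opt_type, opt_value)
    return pdu + tlv(TLV_END, b"")


def parse_lldpdu(data: bytes) -> list:
    """Decode TLVs and enforce the mandatory layout; raise ValueError on junk."""
    tlvs, offset = [], 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError("TLV length runs past end of LLDPDU")
        tlvs.append((tlv_type, data[offset:offset + length]))
        offset += length
        if tlv_type == TLV_END:
            break
    types = [t for t, _ in tlvs]
    if types[:3] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL] or types[-1:] != [TLV_END]:
        raise ValueError("mandatory TLVs missing or out of order")
    if len(tlvs[2][1]) != 2:
        raise ValueError("TTL TLV must be exactly 2 bytes")
    return tlvs


def is_malformed(data: bytes) -> bool:
    """True when parse_lldpdu would reject the LLDPDU."""
    try:
        parse_lldpdu(data)
        return False
    except ValueError:
        return True


def apply_lldpdu(neighbors: dict, tlvs: list) -> dict:
    """Update a neighbor table following the TTL rule described on this page.

    ASSUMPTION (example structure): the table is keyed by the raw Chassis ID and
    Port ID values.  TTL > 0 stores or refreshes the entry; TTL == 0 deletes all
    information learned from that agent/port.
    """
    chassis_id, port_id = tlvs[0][1], tlvs[1][1]
    (ttl,) = struct.unpack("!H", tlvs[2][1])
    key = (chassis_id, port_id)
    if ttl == 0:
        neighbors.pop(key, None)
    else:
        neighbors[key] = {"ttl": ttl, "optional": tlvs[3:-1]}
    return neighbors


if __name__ == "__main__":
    # constructed MAC addresses, not taken from any real device
    chassis, port = bytes.fromhex("000cdbfaf900"), bytes.fromhex("000cdbfaf901")
    table = apply_lldpdu({}, parse_lldpdu(build_lldpdu(chassis, port, 120)))
    print("after advertisement:", len(table), "neighbor(s)")
    table = apply_lldpdu(table, parse_lldpdu(build_lldpdu(chassis, port, 0)))
    print("after TTL 0 shutdown:", len(table), "neighbor(s)")
```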
TABLE 61 LLDP global configuration tasks and default behavior / value (Continued)
Global task                                Default behavior / value when LLDP is enabled
Enabling and disabling TLV advertisements  When LLDP transmit is enabled, by default, the Brocade device will automatically advertise LLDP capabilities, except for the system description, VLAN name, and power-via-MDI information, which may be configured by the system administrator.

Changing a port’s LLDP operating mode
LLDP packets are not exchanged until LLDP is enabled on a global basis. When LLDP is enabled on a global basis, by default, each port on the Brocade device will be capable of transmitting and receiving LLDP packets.

Use the [no] form of the command to disable the receive only mode. You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.

Enabling and disabling transmit only mode
When LLDP is enabled on a global basis, by default, each port on the Brocade device will be capable of transmitting and receiving LLDP packets.

where is a number between 16 and 65536. The default number of LLDP neighbors per device is 392. Use the show lldp command to view the configuration.

Per port
You can change the maximum number of LLDP neighbors for which LLDP data will be retained for each port. By default, the maximum number is four and you can change this to a value between one and 64. For example, to change the maximum number of LLDP neighbors to six, enter the following command.

NOTE: Because LLDP Syslog messages are rate limited, some LLDP information given by the system will not match the current LLDP statistics (as shown in the show lldp statistics command output).
To change the minimum time interval between traps and Syslog messages, enter a command such as the following.
FastIron(config)#lldp snmp-notification-interval 60
When the above command is applied, the LLDP agent will send no more than one SNMP notification and Syslog message every 60 seconds.

The above command causes the LLDP agent to transmit LLDP frames every 40 seconds.
Syntax: [no] lldp transmit-interval
where is a value from 5 to 32768. The default is 30 seconds.
NOTE: Setting the transmit interval or transmit holdtime multiplier to inappropriate values can cause the LLDP agent to transmit LLDPDUs with TTL values that are excessively high. This in turn can affect how long a receiving device will retain the information if it is not refreshed.
LLDP TLVs advertised by the Brocade device
When LLDP is enabled on a global basis, the Brocade device will automatically advertise the following information, except for the features noted:
General system information:
• Management address
• Port description
• System capabilities
• System description (not automatically advertised)
• System name
802.1 capabilities:
• VLAN name (not automatically advertised)
• Untagged VLAN ID
802.
If no IP address is configured, the port’s current MAC address will be advertised. The management address will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info).
Management address (IPv4): 209.157.2.1

Port description
The port description TLV identifies the port from which the LLDP agent transmitted the advertisement. The port description is taken from the ifDescr MIB object from MIB-II.

Syntax: [no] lldp advertise system-capabilities ports ethernet | all
You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.

FastIron(config)#no lldp advertise system-name ports e 2/4 to 2/12
The system name will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info).
System name: “BigIron RX”
Syntax: [no] lldp advertise system-name ports ethernet | all
You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both.

The untagged VLAN ID will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info).
Port VLAN ID: 99
Syntax: [no] lldp advertise port-vlan-id ports ethernet | all
You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
• Auto-negotiation capability and status
• Speed and duplex mode
• Flow control capabilities for auto-negotiation
• Port speed down-shift and maximum port speed advertisement
• If applicable, indicates if the above settings are the result of auto-negotiation during link initiation or of a manual set override action
The advertisement reflects the effects of the following CLI commands:
• speed-duplex
• flow-control
• gig-default
• link-config
By default, the MAC/PHY configuration and

You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
This field...                      Displays...
LLDP reinitialize delay            The minimum number of seconds the device will wait from when LLDP is disabled on a port, until a request to re-enable LLDP on that port will be honored.
LLDP maximum neighbors             The maximum number of LLDP neighbors for which LLDP data will be retained, per device.
LLDP maximum neighbors per port    The maximum number of LLDP neighbors for which LLDP data will be retained, per port.

This field...                      Displays...
Last neighbor change time          The elapsed time (in hours, minutes, and seconds) since a neighbor last advertised information. For example, the elapsed time since a neighbor was last added, deleted, or its advertised information changed.
Neighbor entries added             The number of new LLDP neighbors detected since the last reboot or since the last time the clear lldp statistics all command was issued.

This field...      Displays...
Lcl Port           The local LLDP port number.
Chassis ID         The identifier for the chassis. Brocade devices use the base MAC address of the device as the Chassis ID.
Port ID            The identifier for the port. Brocade devices use the permanent MAC address associated with the port as the port ID.
Port Description   The description for the port. Brocade devices use the ifDescr MIB object from MIB-II as the port description.
FastIron#show lldp neighbors detail ports e 1/9
Local port: 1/9
  Neighbor: 0800.0f18.cc03, TTL 101 seconds
    + Chassis ID (network address): 10.43.39.151
    + Port ID (MAC address): 0800.0f18.cc03
    + Time to live: 120 seconds
    + Port description : "LAN port"
    + System name : "regDN 1015,MITEL 5235 DM"
    + System description : "regDN 1015,MITEL 5235 DM,h/w rev 2,ASIC rev 1,f/w\ Boot 02.01.00.11,f/w Main 02.01.00.

Resetting LLDP statistics

LLDP configuration details
The show lldp local-info command displays the local information advertisements (TLVs) that will be transmitted by the LLDP agent.
NOTE: The show lldp local-info output will vary based on LLDP configuration settings.
The following shows an example report.
BigIron RX#show lldp local-info ports ethernet 4/1
Local port: 4/1
  + Chassis ID (MAC address): 000c.dbfa.f900
  + Port ID (MAC address): 000c.dbfa.
Chapter 10 Configuring Uni-Directional Link Detection (UDLD)

This chapter describes configuring Uni-Directional Link Detection. Uni-directional Link Detection (UDLD) monitors a link between two BigIron RX devices and provides fast detection of link failures. UDLD brings the ports on both ends of the link down if the link goes down at any point between the two devices. This feature is useful for links that are individual ports and for trunk links. Figure 20 shows an example.

Configuration considerations
• The feature is supported only on Ethernet ports.
• To configure UDLD on a trunk group, you must configure the feature on each port of the group individually. Configuring UDLD on a trunk group’s primary port enables the feature on that port only.
• Dynamic trunking is not supported. If you want to configure a trunk group that contains ports on which UDLD is enabled, you must remove the UDLD configuration from the ports.
Displaying UDLD information
When UDLD is enabled on a port, UDLD starts sending the keep-alive messages at a preconfigured interval. In the current implementation, if no keep-alive is received from the other end of this link after 3 retries, the port is set to logical link down. With the new design, after UDLD is enabled on a port, UDLD is kept in a newly created suspended state until it receives the first keep-alive message from the other end.
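The paragraph above describes a small state machine, and the following Python model of it is added here to make the behaviour testable; it is not Brocade's implementation. It uses the Keepalive Retries and Keepalive Interval concepts from Table 62 below (the interval is implicit: one call to tick() is one interval). Two details are assumptions made for the example, not statements from this guide: that the retry count is met after three consecutive intervals without a keep-alive, and that a port that has gone down returns to up when the next keep-alive arrives. The point it demonstrates is the difference between the two designs described: a freshly enabled port that never hears a peer stays suspended instead of being declared down, while an established link that goes silent is brought down after the retries are exhausted.

```python
from dataclasses import dataclass, field


@dataclass
class UdldPort:
    """UDLD link-keepalive state for one port (illustrative model).

    States: "suspended" (enabled, no keep-alive seen yet), "up", "down".
    ASSUMPTION: "down" returns to "up" on the next received keep-alive.
    """
    retries: int = 3            # Keepalive Retries (Table 62)
    state: str = "suspended"    # new design: suspended until first keep-alive
    missed: int = 0             # consecutive intervals with no keep-alive
    transitions: int = 0        # count of logical state changes
    history: list = field(default_factory=list)

    def tick(self, keepalive_received: bool) -> str:
        """Advance one Keepalive Interval and return the new logical state."""
        if keepalive_received:
            if self.state != "up":
                self.transitions += 1
            self.state, self.missed = "up", 0
        elif self.state == "up":
            self.missed += 1
            # ASSUMPTION: the link is declared down once `retries` intervals
            # in a row pass without a keep-alive from the far end
            if self.missed >= self.retries:
                self.state = "down"
                self.transitions += 1
        # in "suspended" or "down", further silence changes nothing
        self.history.append(self.state)
        return self.state


def run_keepalives(events: list, retries: int = 3) -> UdldPort:
    """Feed a sequence of per-interval 'keep-alive seen?' flags through a port."""
    port = UdldPort(retries=retries)
    for seen in events:
        port.tick(seen)
    return port


if __name__ == "__main__":
    # constructed scenario: peer never answers, then link comes up, then the
    # link goes one-way and the far end's keep-alives stop arriving
    port = run_keepalives([False, False, True, True, False, False, False])
    print(port.history)
    print("transitions:", port.transitions)
```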
TABLE 62 CLI display of UDLD information
This field...                        Displays...
Total link-keepalive enabled ports   The total number of ports on which UDLD is enabled.
Keepalive Retries                    The number of times a port will attempt the health check before concluding that the link is down.
Keepalive Interval                   The number of seconds between health check packets.
Port                                 The port number.
Physical Link                        The state of the physical link.

BigIron RX(config)# show link-keepalive ethernet 4/1
Current State     : up         Remote MAC Addr   : 00e0.52d2.5100
Local Port        : 4/1        Remote Port       : 2/1
Local System ID   : e0927400   Remote System ID  : e0d25100
Packets sent      : 254        Packets received  : 255
Transitions       : 1

TABLE 63 CLI display of detailed UDLD information
This field...   Displays...
Current State   The state of the logical link.

Clearing UDLD statistics
The show interface ethernet / command also displays the UDLD state for an individual port. In addition, the line protocol state listed in the first line will say “down” if UDLD has brought the port down. Here is an example:
BigIron RX(config)# show interface ethernet 1/1
GigabitEthernet2/1 is disabled, line protocol is down, link keepalive is enabled
Hardware is GigabitEthernet, address is 000c.dbe2.5900 (bia 000c.dbe2.
Chapter 11 VLANs

Overview of Virtual Local Area Networks (VLANs)
Virtual Local Area Networks (VLANs) allow you to segment traffic in a network by placing ports and interfaces into separate broadcast domains. Each broadcast domain is uniquely identified by VLAN IDs. These broadcast domains can span multiple devices. The device supports two types of VLANs: port-based VLANs and protocol-based VLANs. A port-based VLAN consists of interfaces that constitute a Layer 2 broadcast domain.
FIGURE 21 Packet containing Brocade’s 802.1Q VLAN tag
Untagged Packet Format
  Ethernet II:  Destination Address (6 bytes) | Source Address (6 bytes) | Type Field (2 bytes) | Data Field (up to 1500 bytes) | CRC (4 bytes)
  IEEE 802.3:   Destination Address (6 bytes) | Source Address (6 bytes) | Length Field (2 bytes) | Data Field (up to 1496 bytes) | CRC (4 bytes)
802.1q Tagged Packet Format
  Destination Address (6 bytes) | Source Address (6 bytes) | 4 bytes | 2 bytes | 802.

FIGURE 22 VLANs configured across multiple devices (user-configured port-based VLAN; T = 802.1Q tagged port; Segment 1 and Segment 2)
Tagging is required for the ports on Segment 1 because the ports are in multiple port-based VLANs. Tagging is not required for the ports on Segment 2 because each port is in only one port-based VLAN.
If there are ports in a port-based VLAN that you want to exclude from protocol-based VLANs, the protocol-based VLAN can be configured to explicitly exclude those ports.

VLAN configuration rules
To create any type of VLAN on a device, Layer 2 forwarding must be enabled. When Layer 2 forwarding is enabled, the device becomes a switch on all ports for all non-routable protocols. The BigIron RX can only support up to 254 independent VLANs with Layer 2 protocols.
Configuring port-based VLANs
• A port can belong to multiple, overlapping Layer 2 port-based VLANs only if the port is a tagged port. Packets sent out of a tagged port use an 802.1q-tagged frame.
• A port can belong to multiple, unique, overlapping Layer 3 protocol-based VLANs.
• When both port and protocol-based VLANs are configured on a given device, all protocol-based VLANs must be strictly contained within a port-based VLAN.

2. Once an ID is assigned, the CLI directs you to the VLAN configuration level. At this level, you add ports to that VLAN and specify if the ports are tagged or untagged.
BigIron RX(config-vlan-2)# untag e 1/9 to 1/16
BigIron RX(config-vlan-2)# tagged e 1/1 to 1/8
The example above configures a port-based VLAN, VLAN 2. It adds Ethernet ports 1/9 through 1/16 as untagged ports and ports 1/1 through 1/8 as tagged ports.

• If a port's VLAN has byte accounting enabled, you cannot enable rate limiting on that port. Similarly, if a port has rate limiting enabled, you cannot enable VLAN byte accounting on that port's VLAN.
• Clearing the rate limiting counters using clear rate-limit counters will also clear VLAN byte-accounting counters. It is recommended that when using rate limiting along with VLAN byte accounting, you use individual port rate limiting counters.

TABLE 64 Maximum # of rate limiting policies and VLANs w/ byte accounting permitted per-PPCR
You must specify a VLAN ID that is not already in use. For example, if VLAN 10 exists, do not use “10” as the new VLAN ID for the default VLAN. Valid VLAN IDs are from 1 – 4089; however, do not use VLANs 4090 – 4094, which are reserved for control purposes.

Configuring protocol-based VLANs
Once port-based VLANs are created, you can further segment the broadcast domains by creating protocol-based VLANs, based on Layer 3 protocols.

Configuring virtual routing interfaces

Configuring an MSTP instance
An MSTP instance is configured with an MSTP ID for each region. Each region can contain one or more VLANs. To configure an MSTP instance and assign a range of VLANs, use a command such as the following at the Global Configuration level.

Enter 1 to the maximum number of virtual routing interfaces supported on the device for .

Bridging and routing the same protocol simultaneously on the same device
Some configurations may require simultaneous switching and routing of the same single protocol across different sets of ports on the same router. When IP routing is enabled on a device, you can route IP packets on specific interfaces while bridging them on other interfaces.

Integrated Switch Routing (ISR)
Brocade Integrated Switch Routing (ISR) feature enables VLANs configured on the device to route Layer 3 traffic from one protocol-based VLAN to another instead of forwarding the traffic to an external router. The VLANs provide Layer 3 broadcast domains for the protocols, but do not in themselves provide routing services. This is true even if the source and destination protocols are on the same device.

VLAN groups
There is a separate STP domain for each port-based VLAN. Routing occurs independently across port-based VLANs or STP domains. You can define each end of each backbone link as a separate tagged port-based VLAN. Routing will occur independently across the port-based VLANs. Because each port-based VLAN’s STP domain is a single point-to-point backbone connection, you are guaranteed to never have an STP loop.

NOTE: The device’s memory must be configured to contain at least the number of VLANs you specify for the higher end of the range. For example, if you specify 2048 as the VLAN ID at the high end of the range, you first must increase the memory allocation for VLANs to 2048 or higher. Refer to “Allocating memory for more VLANs or virtual routing interfaces” on page 317.
2. The CLI directs you to the VLAN group configuration level. Add tagged ports to the group.

The specifies a VLAN group. If you do not use this parameter, the configuration information for all the configured VLAN groups is displayed.

Configuring super aggregated VLANs
A super aggregated VLAN allows multiple VLANs to be placed within another VLAN. This feature allows you to construct Layer 2 paths and channels. A path contains multiple channels, each of which is a dedicated circuit between two end points.

Each client connected to the edge device is in its own port-based VLAN. All the clients’ VLANs are aggregated by the edge device into a single VLAN for connection to the core. The device that aggregates the VLANs forwards the aggregated VLAN traffic through the core. The core can consist of multiple devices that forward the aggregated VLAN traffic.

This example shows a single link between the core devices. However, you can use a trunk group to add link-level redundancy.

Configuring aggregated VLANs
A maximum of 1526 bytes are supported on ports where super-aggregated VLANs are configured. This allows for an additional 8 bytes over the untagged port maximum to allow for support of two VLAN tags.

• Enable VLAN aggregation. This support allows the core device to add an additional tag to each Ethernet frame that contains a VLAN packet from the edge device. The additional tag identifies the aggregate VLAN (the path). However, the additional tag can cause the frame to be longer than the maximum supported frame size. The larger frame support allows Ethernet frames up to 1530 bytes long.
NOTE: Enable the VLAN aggregation option only on the core devices.
Commands for device A
BigIron RX-A(config)# vlan 101
BigIron RX-A(config-vlan-101)# tagged ethernet 2/1
BigIron RX-A(config-vlan-101)# untagged ethernet 1/1
BigIron RX-A(config-vlan-101)# exit
BigIron RX-A(config)# vlan 102
BigIron RX-A(config-vlan-102)# tagged ethernet 2/1
BigIron RX-A(config-vlan-102)# untagged ethernet 1/2
BigIron RX-A(config-vlan-102)# exit
BigIron RX-

BigIron RX-C(config)# tag-type 9100
BigIron RX-C(config)# aggregated-vlan
BigIron RX-C(config)# vlan 101
BigIron RX-C(config-vlan-101)# tagged ethernet 4/1
BigIron RX-C(config-vlan-101)# untagged ethernet 3/1
BigIron RX-C(config-vlan-101)# exit
BigIron RX-C(config)# vlan 102
BigIron RX-C(config-vlan-102)# tagged ethernet 4/1
BigIron RX-C(config-vlan-102)# untagged ethernet 3/2
BigIron RX-C(config-vlan-102)# exit
BigIron RX-C(config)# write memory
Commands for device
Configuring 802.1q-in-q tagging 11 Commands for device F The commands for configuring device F are identical to the commands for configuring device E. In this example, since the port numbers on each side of the configuration in Figure 24 on page 300 are symmetrical, the configuration of device F is also identical to the configuration of device A and device B.
Configuring 802.1q-in-q tagging
As shown in Figure 25, the ports to customer interfaces are untagged, whereas the uplink ports to the provider cloud are tagged, because multiple client VLANs share the uplink to the provider cloud. In this example, the device treats the customer’s private VLAN ID and 8100 tag type as normal payload, and adds the 9100 tag type to the packet when the packet is sent to the uplink and forwarded along the provider cloud.
Enabling 802.1Q-in-Q tagging
To enable the 802.1Q-in-Q feature, configure an 802.1Q tag type on the untagged edge links (the customer ports) to any value other than the 802.1Q tag for incoming traffic. For example, in Figure 27, the 802.1Q tag on the untagged edge links (ports 11 and 12) is 9100, whereas the 802.1Q tag for incoming traffic is 8100.
To configure 802.
FIGURE 27 Example 802.1Q-in-Q configuration
Configuring 802.1q tag-type translation
FIGURE 28 802.1q tag-type translation configuration example 1
As illustrated in Figure 28, the devices process the packet as follows:
• Customer Edge Switch 1 sends a packet with an 802.
FIGURE 29 802.1q tag-type translation configuration example 2
• If you configure a port with an 802.1q tag-type, the device automatically applies the 802.1q tag-type to all ports within the same port region.
• If you remove the 802.1q tag-type from a port, the device automatically removes the 802.1q tag-type from all ports within the same port region.
• Brocade does not recommend configuring different 802.1q tag-types on ports that are part of a multi-slot trunk. Use the same 802.
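The tag handling described in the super aggregated VLAN, 802.1Q-in-Q and tag-type translation sections above (a 1526-byte limit leaving room for two tags, a customer's 8100 tag treated as payload by a port whose tag type is 9100, the 9100 tag pushed toward the uplink, and the outer tag type rewritten as in Figure 28), as an added Python example that is not the guide's or Brocade's code; the MAC addresses and payload are constructed sample values.

```python
import struct

# Tag types used in the guide's examples: 0x8100 is the standard 802.1Q tag,
# 0x9100 is the provider tag type configured with "tag-type 9100".
CUSTOMER_TAG_TYPE = 0x8100
PROVIDER_TAG_TYPE = 0x9100
UNTAGGED_PORT_MAX = 1518              # untagged Ethernet maximum without FCS
SAV_PORT_MAX = UNTAGGED_PORT_MAX + 8  # 1526: room for two 4-byte VLAN tags

# Constructed sample addresses (hypothetical, not from the guide).
DST_MAC = bytes.fromhex("0200000000aa")
SRC_MAC = bytes.fromhex("0200000000bb")


def build_frame(dst, src, ethertype, payload, tags=()):
    """Build an Ethernet frame; tags = [(tag_type, vlan_id), ...], outermost first."""
    hdr = dst + src
    for tag_type, vid in tags:
        hdr += struct.pack("!HH", tag_type, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def port_view(frame, port_tag_type):
    """How a port with the given 802.1Q tag type classifies a frame.

    Only a tag whose type equals the port's tag type counts as a VLAN tag; any
    other tag type (a customer's 0x8100 on a 0x9100 port) is ordinary payload.
    """
    tpid = struct.unpack_from("!H", frame, 12)[0]
    if tpid == port_tag_type:
        vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
        return "tagged", vid
    return "untagged", None


def push_tag(frame, tag_type, vid, port_max=SAV_PORT_MAX):
    """Uplink/core behaviour: insert an outer tag and enforce the port frame limit."""
    tagged = frame[:12] + struct.pack("!HH", tag_type, vid & 0x0FFF) + frame[12:]
    if len(tagged) > port_max:
        raise ValueError(f"frame of {len(tagged)} bytes exceeds port maximum {port_max}")
    return tagged


def pop_tag(frame, tag_type):
    """Edge-bound behaviour: strip the outer tag if it carries the expected tag type."""
    if port_view(frame, tag_type)[0] != "tagged":
        raise ValueError("outer tag does not match the port tag type")
    return frame[:12] + frame[16:]


def translate_tag_type(frame, from_type, to_type):
    """Tag-type translation (Figure 28 style): rewrite the outer tag type, keep the VLAN ID."""
    if port_view(frame, from_type)[0] != "tagged":
        raise ValueError("outer tag is not of the expected type")
    return frame[:12] + struct.pack("!H", to_type) + frame[14:]


def customer_frame(vid=101, payload_len=1500):
    """Constructed customer frame: one 0x8100 tag, IPv4 ethertype, zero-filled payload."""
    return build_frame(DST_MAC, SRC_MAC, 0x0800, bytes(payload_len),
                       tags=[(CUSTOMER_TAG_TYPE, vid)])


if __name__ == "__main__":
    cust = customer_frame()
    print(len(cust), port_view(cust, PROVIDER_TAG_TYPE), port_view(cust, CUSTOMER_TAG_TYPE))
    uplink = push_tag(cust, PROVIDER_TAG_TYPE, 100)
    print(len(uplink), port_view(uplink, PROVIDER_TAG_TYPE))
```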
Private VLANs
A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also provides additional control over flooding packets on a VLAN. Figure 30 shows an example of an application using a private VLAN.
FIGURE 30 Private VLAN used to secure communication between a workstation and servers
A private VLAN secures traffic between a primary port and host ports. Traffic between the hosts and the rest of the network must travel through the primary port.
• Isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
• Community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.
Each private VLAN must have a primary VLAN. The primary VLAN is the interface between the secured ports and the rest of the network.
• There is currently no support for IGMP Snooping within Private VLANs. In order to let clients in Private VLANs get multicast traffic, IGMP Snooping must be disabled, so that all multicast packets are treated as unregistered multicast packets and get flooded in software to all the ports.
• You can configure private VLANs and dual-mode VLAN ports on the same device. However, the dual-mode VLAN ports cannot be members of Private VLANs.
• A primary VLAN can have multiple ports.
Configuring an isolated or community private VLAN
To configure an isolated or a community private VLAN, use the following CLI methods.
Using the CLI
To configure a community private VLAN, enter commands such as the following.
The pvlan mapping command identifies the other private VLANs for which this VLAN is the primary. The command also specifies the primary VLAN ports to which you are mapping the other private VLANs.
• The parameter specifies another private VLAN. The other private VLAN you want to specify must already be configured.
• The ethernet parameter specifies the primary VLAN port to which you are mapping all the ports in the other private VLAN (the one specified by ).
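The isolated and community flooding rules above, together with the pvlan type and pvlan mapping relationships, as an added Python model that is not the guide's or Brocade's code: VLAN 903 (community, ports 3/5 to 3/6) and VLAN 7 (primary, port 3/2) follow this section's CLI example, VLAN 901's ports 3/3 and 3/4 are constructed for the isolated case, and the rule that frames entering on the primary port reach every mapped secondary port is my assumption, not stated on this page.

```python
from dataclasses import dataclass, field


@dataclass
class PrivateVlan:
    vid: int
    kind: str                 # "primary", "isolated" or "community"
    ports: set = field(default_factory=set)


class PrivateVlanSwitch:
    """Flooding model for private VLANs, following the isolated/community rules above."""

    def __init__(self):
        self.vlans = {}        # vid -> PrivateVlan
        self.port_vlan = {}    # port -> vid
        self.mapping = {}      # secondary vid -> (primary vid, primary port)

    def vlan(self, vid, kind, ports):
        """Like 'vlan <vid>', 'untagged ethernet ...' and 'pvlan type <kind>'."""
        if kind not in ("primary", "isolated", "community"):
            raise ValueError(f"unknown pvlan type {kind}")
        for port in ports:
            if port in self.port_vlan:
                raise ValueError(f"port {port} already belongs to VLAN {self.port_vlan[port]}")
            self.port_vlan[port] = vid
        self.vlans[vid] = PrivateVlan(vid, kind, set(ports))

    def pvlan_mapping(self, primary_vid, secondary_vid, primary_port):
        """Like 'pvlan mapping <secondary-vid> ethernet <primary-port>' on the primary VLAN."""
        primary, secondary = self.vlans[primary_vid], self.vlans[secondary_vid]
        if primary.kind != "primary" or secondary.kind == "primary":
            raise ValueError("mapping must run from a primary VLAN to an isolated or community VLAN")
        if primary_port not in primary.ports:
            raise ValueError(f"{primary_port} is not a port of primary VLAN {primary_vid}")
        self.mapping[secondary_vid] = (primary_vid, primary_port)

    def flood_targets(self, ingress_port):
        """Ports that receive a broadcast or unknown unicast arriving on ingress_port."""
        vid = self.port_vlan[ingress_port]
        vlan = self.vlans[vid]
        if vlan.kind == "primary":
            # Assumption (not stated on this page): frames from the primary port reach
            # every port of the secondary VLANs mapped to it.
            return {p for svid, (_, pport) in self.mapping.items()
                    if pport == ingress_port for p in self.vlans[svid].ports}
        if vid not in self.mapping:
            return set()        # a secondary VLAN without a primary mapping goes nowhere
        targets = {self.mapping[vid][1]}             # always the primary port
        if vlan.kind == "community":
            targets |= vlan.ports - {ingress_port}   # community ports also see each other
        return targets


def section_example():
    """VLAN 903 and VLAN 7 as in this section's CLI; VLAN 901's ports are constructed."""
    sw = PrivateVlanSwitch()
    sw.vlan(901, "isolated", ["3/3", "3/4"])
    sw.vlan(903, "community", ["3/5", "3/6"])
    sw.vlan(7, "primary", ["3/2"])
    sw.pvlan_mapping(7, 901, "3/2")
    sw.pvlan_mapping(7, 903, "3/2")
    return sw


if __name__ == "__main__":
    sw = section_example()
    for port in ("3/3", "3/5", "3/2"):
        print(port, "->", sorted(sw.flood_targets(port)))
```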
BigIron RX(config-vlan-903)# untagged ethernet 3/5 to 3/6
BigIron RX(config-vlan-903)# pvlan type community
BigIron RX(config-vlan-903)# exit
BigIron RX(config)# vlan 7
BigIron RX(config-vlan-7)# untagged ethernet 3/2
BigIron RX(config-vlan-7)# pvlan type primary
BigIron RX(config-vlan-7)# pvlan mapping 901 ethernet 3/2
BigIron RX(config-vlan-7)# pvlan mapping 902 ethernet 3/2
BigIron RX(config-vlan-7)# pvlan mapping 903 ethernet 3/2
Other VLAN features
Allocating memory for mor
Syntax: [no] multicast-flooding
NOTES:
• This feature is supported on the 10 Gigabit Ethernet module.
• This feature cannot be enabled on an empty VLAN; the VLAN must already have ports assigned to it prior to enabling this feature.
• This feature is not supported on Layer 3 protocol-based VLANs.
• This feature is not supported on private VLANs.
• You cannot enable this feature on the designated management VLAN for the device.
To enable flow based MAC learning and CPU flooding for unknown unicast packets only, enter the following command at the global configuration level.
BigIron RX(config)# cpu-flooding unknown-unicast
To enable CPU based flooding for broadcast and multicast packets, enter the following command at the global configuration level.
Other configuration options
You can also configure the following on a VLAN:
• “Configuring static ARP entries” on page 136
• “Setting maximum frame size per PPCR” on page 178
Displaying VLAN information
After you configure the VLANs, you can view and verify the configuration.
Displaying VLAN information
Enter the following command at any CLI level.
TABLE 67 Output of show vlan (Continued)
This field...           Displays...
Untagged/Tagged Ports   ID of the untagged or tagged ports that are members of the VLAN (protocol-based VLANs). If protocol based VLANs are configured, their type and name appear after the list of ports.
Displaying VLAN information for specific ports
To determine which VLANs a port is a member of, enter the following command.
BigIron RX# show vlan detail
Untagged Ports : ethe 2/1 to 2/24 ethe 4/4
Tagged Ports : None
Dual-mode Ports : ethe 3/1 to 3/24 ethe 4/1 to 4/3
Default VLAN : 1
Control VLAN : 4095
VLAN Tag-type : 0x8100
PORT-VLAN 1, Name DEFAULT-VLAN, Priority Level0
---------------------------------------------------------
Port   Type       Tag-Mode   Protocol   State
2/1    PHYSICAL   UNTAGGED   NONE       DISABLED
2/2    PHYSICAL   UNTAGGED   NONE       DISABLED
2/3    PHYSICAL   UNTAGGED   NONE       DISABLED
2/4    PHYSICAL   UNTAGGED   NONE       DI
TABLE 69 Output of show vlan detail (Continued)
This field...   Displays...
Protocol        Protocol configured on the VLAN.
State           Current state of the port such as disabled, blocking, forwarding, etc.
Displaying VLAN group information
To display information about VLAN groups, enter the following command.
Transparent firewall mode
Syntax: [no] transparent-fw-mode
Chapter 12 Configuring Spanning Tree Protocol
IEEE 802.1D Spanning Tree Protocol (STP)
The BigIron RX supports Spanning Tree Protocol (STP) as described in the IEEE 802.1D-1998 specification. STP eliminates Layer 2 loops in networks by selectively blocking some ports and allowing other ports to forward traffic, based on configurable bridge and port parameters. STP also ensures that the least cost path is taken when multiple paths exist between ports or VLANs.
NOTE
When you configure a VLAN, the VLAN inherits the global STP settings. However, once you begin to define a VLAN, you can no longer configure standard STP parameters globally using the CLI. From that point on, you can configure STP only within individual VLANs.
To enable STP for all ports in all VLANs on a device, enter the following command.
TABLE 72 Default STP bridge parameters (Continued)
Parameter    Description                                                                          Default and valid values
Hello Time   The interval of time between each configuration BPDU sent by the root bridge.        2 seconds. Possible values: 1 – 10 seconds
Priority     A parameter used to identify the root bridge in a spanning tree (instance of STP). The bridge with the lowest value has the highest priority and is the root.
NOTE
The hello-time parameter applies only when the device or VLAN is the root bridge for its spanning tree.
Changing STP port parameters
To change the path and priority costs for a port, enter commands such as the following.
Syntax: [no] spanning-tree root-protect
Enter the no form of the command to disable STP Root Guard on the port.
Setting the STP root guard timeout period
To configure the STP Root protect timeout period globally, enter a command such as the following.
BigIron RX(config)# spanning-tree root-protect timeout 120
Syntax: spanning-tree root-protect timeout
The timeout in seconds parameter allows you to set the timeout period.
To prevent an end station from initiating or participating in STP topology changes, enter the following command at the interface level of the CLI.
BigIron RX(config)# interface ethe 2/1
BigIron RX(config-if-e1000-2/1)# spanning-tree protect
This command causes the port to drop STP BPDUs sent from the device on the other end of the link.
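The two port protections above, as an added Python model that is not Brocade's implementation: it parses an 802.1D configuration BPDU, drops every BPDU on a port configured with spanning-tree protect, and, for root-protect, blocks the port for the configured timeout when a received BPDU advertises a root superior to the current one. The exact root guard behaviour is my assumption, and the bridge IDs and the 120-second timeout are sample values (the timeout is taken from the CLI example above, not a stated default).

```python
import struct
from dataclasses import dataclass

# Bridge group address that STP BPDUs are addressed to (named in the SuperSpan section).
STP_GROUP_MAC = bytes.fromhex("0180c2000000")
# 802.1D configuration BPDU body (35 bytes): protocol ID, version, type, flags, root ID,
# root path cost, bridge ID, port ID, message age, max age, hello time, forward delay.
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")


@dataclass(frozen=True)
class BridgeId:
    priority: int
    mac: bytes

    @classmethod
    def from_bytes(cls, raw):
        return cls(struct.unpack("!H", raw[:2])[0], raw[2:8])

    def to_bytes(self):
        return struct.pack("!H", self.priority) + self.mac

    def __lt__(self, other):
        # Lower priority value wins, the MAC breaks ties (Table 72: lowest value is root).
        return (self.priority, self.mac) < (other.priority, other.mac)


@dataclass
class ConfigBpdu:
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId
    port_id: int
    max_age: int          # seconds; the wire format carries units of 1/256 s
    hello_time: int
    forward_delay: int


def build_config_bpdu(root, cost, bridge, port_id, max_age=20, hello=2, fwd_delay=15):
    """Encode a configuration BPDU; used here only to construct sample input."""
    return CONFIG_BPDU.pack(0, 0, 0x00, 0, root.to_bytes(), cost, bridge.to_bytes(),
                            port_id, 0, max_age * 256, hello * 256, fwd_delay * 256)


def parse_config_bpdu(raw):
    """Decode a configuration BPDU, rejecting anything that is not one."""
    if len(raw) < CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    (proto, _version, bpdu_type, _flags, root, cost, bridge, port_id,
     _msg_age, max_age, hello, fwd_delay) = CONFIG_BPDU.unpack_from(raw)
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not an 802.1D configuration BPDU")
    return ConfigBpdu(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge),
                      port_id, max_age // 256, hello // 256, fwd_delay // 256)


class GuardedPort:
    """A port carrying the protections of this section (assumed semantics)."""

    def __init__(self, name, root_protect=False, protect=False, timeout=120):
        self.name = name
        self.root_protect = root_protect   # 'spanning-tree root-protect'
        self.protect = protect             # 'spanning-tree protect'
        self.timeout = timeout             # 'spanning-tree root-protect timeout <sec>'
        self.blocked_until = None

    def receive(self, raw, now, current_root):
        """Return what the port did with a BPDU received at time 'now' (seconds)."""
        if self.protect:
            return "dropped"               # end-station port: BPDUs are never processed
        bpdu = parse_config_bpdu(raw)
        if self.root_protect and bpdu.root_id < current_root:
            # Assumed root guard behaviour: a superior root claim on this port is
            # refused and the port is held blocked for the timeout period.
            self.blocked_until = now + self.timeout
            return "root-protect-blocked"
        return "accepted"

    def is_blocked(self, now):
        return self.blocked_until is not None and now < self.blocked_until


if __name__ == "__main__":
    # Constructed sample bridge IDs (not from the guide).
    local_root = BridgeId(32768, bytes.fromhex("020000000001"))
    other = BridgeId(0, bytes.fromhex("020000000099"))
    port = GuardedPort("2/1", root_protect=True)
    print(port.receive(build_config_bpdu(other, 0, other, 0x8001), 0, local_root))
```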
TABLE 74 CLI display of STP information (Continued)
This field...       Displays...
Bridge Identifier   The ID assigned by STP to this bridge for this spanning tree in hexadecimal.
                    NOTE: If this address is the same as the Root ID, then this device or VLAN is the root bridge for its spanning tree.
TABLE 74 CLI display of STP information (Continued)
This field...   Displays...
State           The port’s STP state. The state can be one of the following:
                BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop. The device or VLAN can reach the root bridge using another port, whose state is FORWARDING. When a port is in this state, the port does not transmit or receive user frames, but the port does continue to receive STP BPDUs.
TABLE 75 CLI display of detailed STP information for ports
This field...   Displays...
VLAN ID         The VLAN that contains the listed ports and the number of STP instances on this VLAN. The STP type can be one of the following:
                • Brocade proprietary multiple Spanning Tree
                • IEEE 802.1Q Single Spanning Tree (SSTP)
                NOTE: If STP is disabled on a VLAN, the command displays the following message instead: “Spanning-tree of port-vlan is disabled.
TABLE 75 CLI display of detailed STP information for ports (Continued)
This field...               Displays...
STP port parameters
Port number and STP state   The internal port number and the port’s STP state. The internal port number is one of the following:
                            • The port’s interface number, if the port is the designated port for the LAN.
                            • The interface number of the designated port from the received BPDU, if the interface is not the designated port for the LAN.
IEEE Single Spanning Tree (SSTP)
• To remove a VLAN from the single spanning tree, disable STP on that VLAN.
When you enable SSTP, all the ports that are in port-based VLANs with STP enabled become members of a single spanning tree domain. Thus, the ports share a single BPDU broadcast domain. The device places all the ports in a non-configurable VLAN, 4095, to implement the SSTP domain. However, this VLAN does not affect port membership in the port-based VLANs you have configured.
For the parameter definitions and possible values, refer to “Default STP port parameters” on page 327.
NOTE
Both commands listed above are entered at the global CONFIG level. Also, you can use the rstp single command to control the topology for VLANs. Refer to “Enabling or disabling RSTP on a single spanning tree” on page 382.
Displaying SSTP information
To verify that SSTP is in effect, enter the following commands at any level of the CLI.
PVST/PVST+ compatibility
Overview of PVST and PVST+
Per VLAN Spanning Tree (PVST) is a Cisco proprietary protocol that allows a Cisco device to have multiple spanning trees. The Cisco device can interoperate with spanning trees on other PVST devices but cannot interoperate with IEEE 802.1Q devices. An IEEE 802.1Q device has all its ports running a single spanning tree.
If you want to use tagged frames on VLAN 1, you can change the default VLAN ID to an ID other than 1. You also can specify the VLAN on which you want the port to send and receive untagged frames (the native VLAN). The Port Native VLAN ID does not need to be the same as the default VLAN.
NOTE
Support for the IEEE 802.1Q spanning tree always uses VLAN 1, regardless of whether the devices are configured to use tagged or untagged frames on the VLAN.
BigIron RX(config)# show span pvst-mode
PVST+ Enabled on:
Port   Method
1/1    Set by configuration
1/2    Set by configuration
2/10   Set by auto-detect
3/12   Set by configuration
4/24   Set by auto-detect
Syntax: show span pvst-mode
This command displays the following information.
TABLE 76 CLI Display of PVST+ Information
This field...   Displays...
Port            The Brocade port number.
                NOTE: The command lists information only for the ports on which PVST+ support is enabled.
These commands configure a VLAN group containing VLANs 2, 3, and 4, add port 1/1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port. The dual-mode feature allows the port to send and receive untagged frames for the default VLAN (VLAN 1 in this case) in addition to tagged frames for VLANs 2, 3, and 4. Enabling the PVST+ support ensures that the port is ready to send and receive PVST+ BPDUs.
• Drop tagged PVST BPDUs for VLAN 1.
Note that when VLAN 1 is not the default VLAN, the ports must have an untagged VLAN enabled in order to process IEEE 802.1Q BPDUs. For example, the following configuration is incorrect.
SuperSpan™
FIGURE 34 SuperSpan example
In this example, the SP network contains two devices that are running SuperSpan. The SP is connected to two customer networks. Each customer network is running its own instance of STP.
Each Brocade device that is configured for SuperSpan forwards the BPDU using the changed destination MAC address. At the other end of the tunnel, the Brocade device connected to the customer's network changes the destination MAC address back to the bridge group address (01-80-c2-00-00-00).
Preforwarding state
To ensure that the customer's network has time to converge at Layer 2 and prevent loops, the Brocade devices configured for SuperSpan use a special forwarding state, Preforwarding.
Mixing single STP and multiple spanning trees
You can use SuperSpan in any of the following combinations:
• Customer and SP networks both use multiple spanning trees (a separate spanning tree in each VLAN).
• Customer uses multiple spanning trees but SP uses Single STP (all STP-enabled VLANs are in the same spanning tree).
• Customer uses Single STP but SP uses multiple spanning trees.
• Customer and SP networks both use Single STP.
In the above example, STP in VLAN 10 will select R10 as the root bridge and make 1/1 on R10 forwarding while blocking port 3/1 on R20. The opposite occurs for STP in VLAN 20. As a result, both links connecting the customer and SP regions are fully utilized and serve as backup links at the same time, providing loop-free, non-blocking connectivity.
Customer uses single STP but SP uses multiple spanning trees
Figure 38 shows an example of SuperSpan where the customer network uses Single STP while the SP uses multiple spanning trees.
FIGURE 39 Customer and SP using single STP
In this setup, both the customer and SP networks are running a single spanning tree at Layer 2. The traffic from VLAN 10 and 20 will be carried, or aggregated, by VLAN 100 at the SP network as in the previous scenario.
These commands configure two interfaces on the Brocade device as SuperSpan boundary interfaces. Interface 1/1 is a boundary interface with customer 1. Interface 1/2 is a boundary interface with customer 2. Each boundary interface is associated with a number, which is the SuperSpan ID. The SuperSpan ID identifies the instance of SuperSpan you are associating with the interface. Use the same SuperSpan ID for each boundary interface with the same customer.
BigIron RX(config)# show super-span
CID 1 Boundary Ports:
Port    C-BPDU Rxed   C-BPDU Txed   T-BPDU Rxed   T-BPDU Txed
1/1     1             0             0             0
1/2     0             0             0             0
Total   1             0             0             0
CID 2 Boundary Ports:
Port    C-BPDU Rxed   C-BPDU Txed   T-BPDU Rxed   T-BPDU Txed
2/1     0             0             3             0
2/2     0             0             0             0
Total   0             0             3             0
In this example, the device has two SuperSpan customer IDs.
Syntax: show superspan [cid ]
The cid parameter specifies a SuperSpan customer ID.
Chapter 13 Configuring Rapid Spanning Tree Protocol
Overview of Rapid Spanning Tree Protocol
RSTP provides rapid convergence and takes advantage of point-to-point wiring of the spanning tree. Failure in one forwarding path does not affect other forwarding paths. RSTP improves the operation of the spanning tree while maintaining backward compatibility.
NOTE
The total number of supported STP, RSTP, or MSTP indices is 128.
Assignment of port roles
At system start-up, all RSTP-enabled bridge ports assume a Designated role. Once start-up is complete, the RSTP algorithm calculates the superiority or inferiority of the RST BPDU that is received and transmitted on a port. On a root bridge, each port is assigned a Designated port role, except for ports on the same bridge that are physically connected together.
FIGURE 40 Simple RSTP topology
Bridge priorities in the figure: Switch 1 = 100, Switch 2 = 200, Switch 3 = 300, Switch 4 = 400.
Ports on Switch 1
All ports on Switch 1, the root bridge, are assigned Designated port roles.
Ports on Switch 2
Port2 on Switch 2 directly connects to the root bridge; therefore, Port2 is the Root port.
Ports on Switch 4
Switch 4 is not directly connected to the root bridge. It has two ports with superior incoming RST BPDUs from two separate LANs: Port3 and Port4. The RST BPDUs received on Port3 are superior to the RST BPDUs received on Port4; therefore, Port3 becomes the Root port and Port4 becomes the Alternate port.
Edge ports and edge port roles
Brocade’s implementation of RSTP allows ports that are configured as Edge ports to be present in an RSTP topology.
Point-to-point ports
To take advantage of the RSTP features, ports on an RSTP topology should be explicitly configured as point-to-point links. Shared media should not be configured as point-to-point links.
NOTE
Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops.
The topology in Figure 42 is an example of shared media that should not be configured as point-to-point links.
If a port on one bridge has a Designated role and that port is connected to a port on another bridge that has an Alternate or Backup role, the port with a Designated role cannot be given a Root port role until two instances of the forward delay timer expire on that port.
Edge port and non-edge port states
As soon as a port is configured as an Edge port, it goes into a forwarding state instantly (in less than 100 msec).
• Topology Change – This state machine detects, generates, and propagates topology change notifications. It acknowledges Topology Change Notice (TCN) messages when operating in 802.1D mode. It also flushes the MAC table when a topology change event takes place.
• Port State Transition – This state machine transitions the port to a discarding, learning, or forwarding state and performs any necessary processing associated with the state changes.
• Proposing – The Designated port on the root bridge sends an RST BPDU packet to its peer port that contains a proposal flag. The proposal flag is a signal that indicates that the Designated port is ready to put itself in a forwarding state (Figure 43). The Designated port continues to send this flag in its RST BPDU until it is placed in a forwarding state (Figure 46) or is forced to operate in 802.1D mode. (Refer to “Compatibility of RSTP with 802.
FIGURE 44 Sync stage
• Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced. The Root port monitors the synced signals from all the bridge ports.
FIGURE 45 Synced stage
• Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state. When the peer Designated port receives the RST BPDU, it rapidly transitions into a forwarding state.
FIGURE 46 Agree stage
At this point, the handshake mechanism is complete between Switch 100, the root bridge, and Switch 200.
FIGURE 47 Addition of a new root bridge
The handshake that occurs between Switch 60 and Switch 100 follows the one described in the previous section (“Handshake when no root port is elected” on page 359). The former root bridge becomes a non-root bridge and establishes a Root port (Figure 48).
FIGURE 48 New root bridge sending a proposal flag
• Sync and Reroot – The Root port then asserts a sync and a reroot signal on all the ports on the bridge.
FIGURE 49 Sync and reroot
• Sync and Rerooted – When the ports on Switch 200 have completed the reroot phase, they assert their rerooted signals and continue t
FIGURE 50 Sync and rerooted
FIGURE 51 Rerooted, synced, and agreed
The old Root port on Switch 200 becomes an Alternate Port (Figure 52).
FIGURE 52 Handshake completed after election of new root port
Recall that Switch 200 sent the agreed flag to Port4/Switch 60 and not to Port1/Switch 100 (the port that connects Switch 100 to Switch 200).
NOTE
The rapid convergence will not occur on ports connected to shared media devices, such as hubs. To take advantage of the rapid convergence provided by RSTP, make sure to explicitly configure all point-to-point links in a topology.
Convergence at start up
In Figure 53, two bridges Switch 2 and Switch 3 are powered up. There are point-to-point connections between Port3/Switch 2 and Port3/Switch 3.
FIGURE 54 Simple Layer 2 topology
Bridge priorities in the figure: Switch 1 = 1000, Switch 2 = 1500, Switch 3 = 2000.
The point-to-point connections between the three bridges are as follows:
• Port2/Switch 1 and Port2/Switch 2
• Port4/Switch 1 and Port4/Switch 3
• Port3/Switch 2 and Por
Port2/Switch 2 also sends an RST BPDU with an agreed flag to Port2/Switch 1, indicating that Port2 is the new Root port. Both ports go into forwarding states. Now, Port3/Switch 3 is currently in a discarding state and is negotiating a port role. It received RST BPDUs from Port3/Switch 2.
FIGURE 56 Link failure in the topology
Switch 1 sets its Port2 into a discarding state. At the same time, Switch 2 assumes the role of a root bridge since its root port failed and it has no operational Alternate port. Port3/Switch 2, which currently has a Designated port role, sends an RST BPDU to Switch 3.
When Port2/Switch 2 receives the RST BPDUs, the RSTP algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port. All the ports on Switch 2 are informed that a new Root port has been assigned, which then signals all the ports to synchronize their roles and states.
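The role assignment the text walks through for Figure 54, and the re-convergence after the link failure of Figure 56, as an added Python example that is not the guide's or Brocade's code: it computes the steady-state roles using the 802.1w comparison order (root path cost, sender bridge ID, sender port ID, receiving port ID), assumes the equal default path cost of Table 78 on every link and uses the bridge name as the MAC tie-breaker, and does not model the transient handshake or Backup ports (which need two ports of one bridge on a shared LAN).

```python
import heapq
from collections import defaultdict

DEFAULT_PATH_COST = 20000   # Table 78: default RSTP path cost for a 1 Gigabit link


def rstp_roles(priorities, links, default_cost=DEFAULT_PATH_COST):
    """Steady-state RSTP port roles on a topology of point-to-point links.

    priorities: {bridge: bridge priority}; the lowest value is the root and the
    bridge name stands in for the MAC-address tie-breaker of a real bridge ID.
    links: [(bridge_a, port_a, bridge_b, port_b)] optionally with a path cost as
    a fifth element. Returns (root bridge, {(bridge, port): role}).
    """
    bid = lambda b: (priorities[b], b)
    root = min(priorities, key=bid)
    adj = defaultdict(list)
    for link in links:
        a, pa, b, pb = link[:4]
        cost = link[4] if len(link) > 4 else default_cost
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))
    # Root path cost of every reachable bridge (cheapest path to the root).
    rpc = {root: 0}
    heap = [(0, bid(root), root)]
    while heap:
        d, _, b = heapq.heappop(heap)
        if d > rpc[b]:
            continue
        for _, nbr, _, cost in adj[b]:
            if d + cost < rpc.get(nbr, float("inf")):
                rpc[nbr] = d + cost
                heapq.heappush(heap, (d + cost, bid(nbr), nbr))
    # Root port: the port receiving the best (root path cost, sender bridge ID,
    # sender port ID, own port ID) vector, the 802.1w comparison order.
    root_port = {}
    for b in priorities:
        if b == root or b not in rpc:
            continue
        best = None
        for p, nbr, nbr_port, cost in adj[b]:
            if nbr not in rpc:
                continue
            cand = (rpc[nbr] + cost, bid(nbr), nbr_port, p)
            if best is None or cand < best:
                best, root_port[b] = cand, p
    # On each link the end advertising the better vector is Designated; the other
    # end is Root if it is that bridge's root port, otherwise Alternate.
    roles = {}
    for link in links:
        a, pa, b, pb = link[:4]
        if a not in rpc or b not in rpc:
            continue   # bridges cut off from the root would form their own tree
        if (rpc[a], bid(a), pa) < (rpc[b], bid(b), pb):
            des, other = (a, pa), (b, pb)
        else:
            des, other = (b, pb), (a, pa)
        roles[des] = "Designated"
        roles[other] = "Root" if root_port.get(other[0]) == other[1] else "Alternate"
    return root, roles


def figure54():
    """Figure 54: priorities from the figure, the three point-to-point links listed above."""
    priorities = {"Switch 1": 1000, "Switch 2": 1500, "Switch 3": 2000}
    links = [("Switch 1", 2, "Switch 2", 2),
             ("Switch 1", 4, "Switch 3", 4),
             ("Switch 2", 3, "Switch 3", 3)]
    return priorities, links


if __name__ == "__main__":
    prio, links = figure54()
    for label, lk in (("start-up", links), ("after Port2/Switch 1 link failure", links[1:])):
        root, roles = rstp_roles(prio, lk)
        print(label, "root =", root, sorted(roles.items()))
```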
FIGURE 57 Complex RSTP topology
Bridge priorities in the figure: Switch 1 = 1000, Switch 2 = 200, Switch 3 = 300, Switch 4 = 400, Switch 5 = 60, Switch 6 = 900.
In Figure 57, Switch 5 is selected as the root bridge since it is the bridge with the highest priority.
Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is then given an Alternate port role, and remains in discarding state. Likewise, Port5/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is also given an Alternate port role, and remains in discarding state. Port2/Switch 2 transmits an RST BPDU with a proposal flag to Port2/Switch 1. Port2/Switch 1 becomes the Root port.
FIGURE 58 Active Layer 2 path in complex topology
Propagation of topology change
The Topology Change state m
FIGURE 59 Beginning of topology change notice
Switch 2 then starts the TCN ti
FIGURE 60 Sending TCN to bridges connected to Switch 2
Then FRY1, Switch 5, an
FIGURE 61 Completing the TCN propagation
Compatibility of RSTP with 802.
For example, in Figure 62, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format to allow them to operate transparently with Switch 20.
FIGURE 62 RSTP bridges with an 802.1D bridge (Switch 10: 802.1W, Switch 20: 802.1D, Switch 30: 802.1W)
Once Switch 20 is removed from the LAN, Switch 10 and Switch 30 receive and transmit BPDUs in the STP format to and from each other.
Configuring RSTP parameters
BigIron RX(config)# vlan 10
BigIron RX(config-vlan-10)# rstp
Syntax: [no] rstp
Enabling or disabling RSTP on a single spanning tree
To globally enable RSTP for all ports of a single spanning tree, enter the following command.
BigIron RX(config)# rstp single
Syntax: [no] rstp single
Disabling or enabling RSTP on a port
The rstp command must be used to initially enable RSTP on ports.
The max-age parameter specifies the amount of time the device waits to receive a hello packet before it initiates a topology change. Possible values: 6 – 40 seconds. The default is 20 seconds. The value of max-age must be greater than the value of forward-delay to ensure that the downstream bridges do not age out faster than the upstream bridges (those bridges that are closer to the root bridge).
TABLE 78 Recommended path cost values of RSTP (Continued)
Link speed               Recommended (default) RSTP path cost value   Recommended RSTP path cost range
1 Gigabit per second     20,000                                       2,000 – 200,000,000
10 Gigabits per second   2,000                                        200 – 20,000
100 Gigabits per second  200                                          20 – 2,000
1 Terabit per second     20                                           2 – 200
10 Terabits per second   2                                            1 – 20

The priority parameter specifies the preference that RSTP gives to this port relative to other ports for forwar
In addition, Fast Port Span enhances overall network performance in the following ways:
• Fast Port Span reduces the number of STP topology change notifications on the network. When an end station attached to a Fast Span port comes up or down, the Brocade device does not generate a topology change notification for the port. In this situation, the notification is unnecessary since a change in the state of the host does not affect the network’s topology.
BigIron RX(config)# fast port-span
BigIron RX(config)# write memory

Excluding specific ports from fast port span
You can exclude individual ports from Fast Port Span while leaving Fast Port Span enabled globally. To do so, use the following method.

Using the CLI
To exclude a port from Fast Port Span, enter commands such as the following.
You can use the Fast Uplink feature on a Brocade device deployed as a wiring closet switch to decrease the convergence time for the uplink ports to another device to just four seconds (two seconds for listening and two seconds for learning). The wiring closet switch must be a Brocade device, but the device at the other end of the link can be a Brocade device or another vendor’s switch. Configuration of the Fast Uplink Span feature takes place entirely on the Brocade device.
Using the CLI
To configure a group of ports for Fast Uplink Span, enter the following commands.

BigIron RX(config)# fast uplink-span ethernet 4/1 to 4/4
BigIron RX(config)# write memory

Syntax: [no] fast uplink-span [ethernet [ethernet … | to ]]

This example configures four ports, 4/1 – 4/4, as a Fast Uplink Span group. In this example, all four ports are connected to a wiring closet switch.
Displaying RSTP information

BigIron RX(config)#show rstp vlan 10
VLAN 10 - RSTP instance 0
-------------------------------------------------------------------
RSTP (IEEE 802.
TABLE 79 CLI display of RSTP summary (Continued)
This field... / Displays...
Designated Bridge Identifier: The bridge from which the root information was received. It can be the root bridge itself, but it can also be another bridge.
Root Port: The port on which the root information was received. This is the port that is connected to the Designated Bridge.
Max Age: The max age is derived from the Root port.
TABLE 79 CLI display of RSTP summary (Continued)
This field... / Displays...
Role: The current role of the port:
• Root
• Designated
• Alternate
• Backup
• Disabled
Refer to “Bridges and bridge port roles” on page 353 for definitions of the roles.
State: The port’s current RSTP state. A port can have one of the following states:
• Forwarding
• Discarding
• Learning
• Disabled
Refer to “Bridge port states” on page 357 and “Edge port and non-edge port states” on page 358.
TABLE 80 The show rstp detail command output (Continued)
This field... / Displays...
forceVersion: The configured version of the bridge:
• 0 – The bridge has been forced to operate in an STP compatible mode.
• 2 – The bridge has been forced to operate in an RSTP mode.
MigrateTime: The number of seconds the bridge took to migrate from STP to RSTP mode.
txHoldCount: The number of BPDUs that can be transmitted per Hello Interval. The default is 3.
Chapter 14 Metro Ring Protocol (MRP) Phase 1 and 2

Metro Ring Protocol (MRP) phase 1
MRP Phase 1 is a Brocade proprietary protocol that prevents Layer 2 loops and provides fast reconvergence in Layer 2 ring topologies. It is an alternative to STP and is especially useful in Metropolitan Area Networks (MANs) where using STP has the following drawbacks:
• STP allows a maximum of seven nodes. Metro rings can easily contain more nodes than this.
MRP rings without shared interfaces
The ring in this example consists of four MRP nodes (Brocade switches). Each node has two interfaces with the ring. Each node also is connected to a separate customer network. The nodes forward Layer 2 traffic to and from the customer networks through the ring. The ring interfaces are all in one port-based VLAN. Each customer interface can be in the same VLAN as the ring or in a separate VLAN. One node is configured as the master node of the MRP ring.
FIGURE 64 Metro ring – multiple rings
(Figure: Ring 1, Ring 2 and Ring 3 joined through two Master nodes using ports 1/1, 1/2, 4/1 and 4/2.)

In this example, two nodes are each configured with two MRP rings. Any node in a ring can be the master for its ring. A node also can be the master for more than one ring.

Ring initialization
Figure 63 shows the port states in a fully initialized ring without any broken links.
FIGURE 65 Metro ring – initial state
(Figure: Switch A (Master node), Switch B, Switch C and Switch D in a ring, each with a Customer A port in the Forwarding (F) state; all ring ports start in the Preforwarding (PF) state, and the primary port on the Master node sends RHP 1.)

MRP uses Ring Health Packets (RHPs) to monitor the health of the ring. An RHP is an MRP protocol packet. The source address is the MAC address of the master node and the destination MAC address is a protocol address for MRP.
When MRP is enabled, all ports begin in the Preforwarding state. The primary interface on the Master node, although it is in the Preforwarding state like the other ports, immediately sends an RHP onto the ring. The secondary port on the Master node listens for the RHP.
• If the secondary port receives the RHP, all links in the ring are up and the port changes its state to Blocking. The primary port then sends another RHP with its forwarding bit set on.
How ring breaks are detected and healed
Figure 67 shows the ring forwarding state following a link break. MRP quickly heals the ring and preserves connectivity among the customer networks.
When the broken link is repaired, the link’s interfaces come up in the Preforwarding state, which allows RHPs to travel through the restored interfaces and reach the secondary interface on the Master node.
• If an RHP reaches the Master node’s secondary interface, the ring is intact. The secondary interface changes to Blocking. The Master node sets the forwarding bit on in the next RHP.
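The initialization, break and heal behaviour described above (ports start in Preforwarding, the Master’s secondary port blocks only when its RHP returns, Preforwarding ports go Forwarding when no RHP arrives, restored links come up in Preforwarding) as an added Python model. This is not Brocade code: the MrpRing class, the port naming ("p"/"s" per node) and the collapsing of the preforwarding timer into one hello cycle are constructed for the example, and it models a single ring with node 0 as the Master.

```python
"""Simplified model of MRP Phase 1 ring port states (added example, not Brocade code).

Node 0 is the Master. Link i joins node i and node (i + 1) % n. Port ("p", i) on
node i faces link i (the Master's primary side) and port ("s", i) faces link i - 1
(the Master's secondary side). The preforwarding timer is collapsed into one hello
cycle: if the RHP does not return, the timer is assumed to have expired.
"""

PREFORWARDING, FORWARDING, BLOCKING, DOWN = "Preforwarding", "Forwarding", "Blocking", "Down"


class MrpRing:
    def __init__(self, n):
        self.n = n
        self.links_up = [True] * n
        self.state = {}
        self.log = []
        for i in range(n):                      # every ring port starts in Preforwarding
            self.state[("p", i)] = PREFORWARDING
            self.state[("s", i)] = PREFORWARDING
        self.hello_cycle()

    def _ports_on_link(self, link):
        return [("p", link), ("s", (link + 1) % self.n)]

    def hello_cycle(self):
        """Master sends an RHP out its primary port. It reaches the secondary port
        only if every link is up. Returns True when the RHP came back."""
        secondary = ("s", 0)
        rhp_returned = all(self.links_up)
        if rhp_returned:
            # Ring intact: secondary goes Blocking; the next RHP carries the
            # forwarding bit and every other Preforwarding port goes Forwarding.
            self.state[secondary] = BLOCKING
            for port, st in self.state.items():
                if port != secondary and st == PREFORWARDING:
                    self.state[port] = FORWARDING
            self.log.append("RHP returned: secondary Blocking, ring Forwarding")
        else:
            # Ring broken: no RHP arrives within the preforwarding time, so each
            # Preforwarding port (the Master's secondary included) goes Forwarding.
            for port, st in self.state.items():
                if st == PREFORWARDING:
                    self.state[port] = FORWARDING
            self.log.append("RHP lost: preforwarding time expired, ports Forwarding")
        return rhp_returned

    def break_link(self, link):
        """Take a link down and run a hello cycle; returns whether the RHP returned."""
        self.links_up[link] = False
        for port in self._ports_on_link(link):
            self.state[port] = DOWN
        # The secondary stops blocking and listens for an RHP again.
        if self.state[("s", 0)] != DOWN:
            self.state[("s", 0)] = PREFORWARDING
        return self.hello_cycle()

    def repair_link(self, link):
        """Restore a link; its interfaces come up in Preforwarding so RHPs can pass."""
        self.links_up[link] = True
        for port in self._ports_on_link(link):
            self.state[port] = PREFORWARDING
        return self.hello_cycle()

    def blocking_ports(self):
        return sorted(p for p, s in self.state.items() if s == BLOCKING)

    def has_single_cut(self):
        """A loop-free, connected ring has exactly one cut: one Blocking port or one down link."""
        return len(self.blocking_ports()) + self.links_up.count(False) == 1


if __name__ == "__main__":
    ring = MrpRing(4)
    print("initial  ", ring.blocking_ports(), ring.has_single_cut())
    ring.break_link(2)
    print("after cut", ring.blocking_ports(), ring.has_single_cut())
    ring.repair_link(2)
    print("healed   ", ring.blocking_ports(), ring.has_single_cut())
```

The `has_single_cut` check is the invariant an operator wants to see hold through every transition: before the break the Master’s secondary port is the only cut, during the break the failed link is the only cut (the secondary has gone Forwarding to keep the customers connected), and after the repair the secondary blocks again.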
5. RHP packets continue to be sent on the primary interface by Switch A to detect whether the ring has been healed.

From a user perspective, there is no difference in the behavior of the ring. The only noticeable difference is rapid convergence in the event of a ring failure. There is no CLI command required to enable this feature.
Master VLANs and customer VLANs in a topology group

FIGURE 69 Metro ring – ring VLAN and customer VLANs
(Figure: Switch B and Switch D on ring 1, with Customer A on VLAN 30 and Customer B on VLAN 40. Switch B: ring 1 interfaces 1/1, 1/2; topology group 2; master VLAN 2 (1/1, 1/2); member VLAN 30 (1/1, 1/2, 2/1); member VLAN 40 (1/1, 1/2, 4/1). Switch D: ring 1 interfaces 1/1, 1/2; topology group 2; master VLAN 2 (1/1, 1/2); member VLAN 30 (1/1,
If you use a topology group:
• The master VLAN must contain the ring interfaces. The ports must be tagged, since they will be shared by multiple VLANs.
• The member VLAN for a customer must contain the two ring interfaces and the interfaces for the customer. Since these interfaces are shared with the master VLAN, they must be tagged. Do not add another customer’s interfaces to the VLAN.
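The two rules above, applied to the Switch B layout from Figure 69, as an added Python configuration check. This is not Brocade code and reads no switch configuration: the sets of ports, the tagged-port map and the lint_topology_group function are constructed for the example, and the broken variant (customer A’s port 2/1 added to VLAN 40, ring port 1/2 untagged in VLAN 30) is constructed to show what the check reports.

```python
"""Check an MRP topology-group VLAN layout against the two rules in the text
(added example, not Brocade code; the data model is constructed)."""

# Constructed from Figure 69 (Switch B): ring 1 on 1/1 and 1/2, topology group 2,
# master VLAN 2, member VLAN 30 for customer A (port 2/1), VLAN 40 for customer B (4/1).
RING_IFACES = {"1/1", "1/2"}
MASTER_VLAN = (2, {"1/1", "1/2"})
MEMBER_VLANS = {30: {"1/1", "1/2", "2/1"}, 40: {"1/1", "1/2", "4/1"}}
TAGGED = {2: {"1/1", "1/2"}, 30: {"1/1", "1/2"}, 40: {"1/1", "1/2"}}

# A deliberately broken variant: VLAN 40 also carries customer A's port 2/1,
# and ring port 1/2 was left untagged in VLAN 30.
BAD_MEMBER_VLANS = {30: {"1/1", "1/2", "2/1"}, 40: {"1/1", "1/2", "4/1", "2/1"}}
BAD_TAGGED = {2: {"1/1", "1/2"}, 30: {"1/1"}, 40: {"1/1", "1/2"}}


def lint_topology_group(ring_ifaces, master_vlan, member_vlans, tagged):
    """Return a list of findings; an empty list means the layout follows the rules.

    ring_ifaces: set of ring interface names.
    master_vlan: (vlan_id, set of ports in the master VLAN).
    member_vlans: {vlan_id: set of ports}, one VLAN per customer.
    tagged: {vlan_id: set of ports configured as tagged in that VLAN}.
    """
    findings = []
    master_id, master_ports = master_vlan

    # Rule 1: the master VLAN holds the ring interfaces, and they are tagged.
    missing = ring_ifaces - master_ports
    if missing:
        findings.append(f"master VLAN {master_id}: missing ring interface(s) {sorted(missing)}")
    untagged = (ring_ifaces & master_ports) - tagged.get(master_id, set())
    if untagged:
        findings.append(f"master VLAN {master_id}: ring interface(s) {sorted(untagged)} not tagged")

    # Rule 2: each member VLAN holds both ring interfaces (tagged) plus one
    # customer's interfaces, and never another customer's.
    owner_of_port = {}
    for vid, ports in sorted(member_vlans.items()):
        missing = ring_ifaces - ports
        if missing:
            findings.append(f"member VLAN {vid}: missing ring interface(s) {sorted(missing)}")
        untagged = (ring_ifaces & ports) - tagged.get(vid, set())
        if untagged:
            findings.append(f"member VLAN {vid}: ring interface(s) {sorted(untagged)} not tagged")
        customer_ports = ports - ring_ifaces
        if not customer_ports:
            findings.append(f"member VLAN {vid}: no customer interface")
        for port in sorted(customer_ports):
            if port in owner_of_port:
                findings.append(
                    f"member VLAN {vid}: port {port} already belongs to customer VLAN {owner_of_port[port]}")
            else:
                owner_of_port[port] = vid
    return findings


if __name__ == "__main__":
    print("good layout:", lint_topology_group(RING_IFACES, MASTER_VLAN, MEMBER_VLANS, TAGGED))
    for line in lint_topology_group(RING_IFACES, MASTER_VLAN, BAD_MEMBER_VLANS, BAD_TAGGED):
        print("bad layout: ", line)
```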
Configuring MRP

Adding an MRP ring to a VLAN
NOTE
If you plan to use a topology group to add VLANs to the ring, make sure you configure MRP on the topology group’s master VLAN.
To add an MRP ring to a VLAN, enter commands such as the following.
Changing the hello and preforwarding times
You also can change the RHP hello time and preforwarding time. To do so, enter commands such as the following.

BigIron RX(config-vlan-2-mrp-1)# hello-time 200
BigIron RX(config-vlan-2-mrp-1)# preforwarding-time 400

These commands change the hello time to 200 ms and the preforwarding time to 400 ms.
NOTE
The preforwarding time must be at least twice the value of the hello time and must be a multiple of the hello time.
MRP phase 2

FIGURE 70 Multiple MRP rings - MRP Phase 1
(Figure: Ring 1, Ring 2 and Ring 3 joined through two Master nodes using ports 1/1, 1/2, 4/1 and 4/2.)

With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN. Figure 70 shows examples of multiple MRP rings that share the same interface.
Ring initialization for shared interfaces

FIGURE 72 Interface IDs and types
(Figure: Ring 1 and Ring 2 share port 1/1 on node S1 and port 2/2 on node S2; each interface is labelled with its ring ID (1, 2 or 1,2) and its type (T); C = customer port.)

For example, in Figure 72, the ID of all interfaces on all nodes on Ring 1 is 1, and the ID of all interfaces on all nodes on Ring 2 is 2. Port 1/1 on node S1 and Port 2/2 on S2 have the IDs 1 and 2, since these interfaces are shared by Rings 1 and 2.
node, the packet is forwarded through the secondary interface since it is currently in a preforwarding state. A secondary interface in preforwarding mode ignores any RHP packet that is not from its ring. The secondary interface changes to blocking mode only when the RHP packet forwarded by its primary interface is returned. The packet then continues around Ring 1, through the interfaces on S1 to Ring 2, until it reaches Ring 2’s master node.
Normal flow
Figure 73 shows an example of how RHP packets are processed normally in MRP rings with shared interfaces.
Flow when a link breaks
If the link between shared interfaces breaks (Figure 74), the secondary interface on Ring 1’s master node changes to a preforwarding state. The RHP packet sent by port 3/1 on Ring 2 is forwarded through the interfaces on S4, then to S2. The packet is then forwarded through S2 to S3, but not from S2 to S1, since the link between the two nodes is not available.
BigIron RX(config)# vlan 2
BigIron RX(config-vlan-2)# metro-ring 1
BigIron RX(config-vlan-2-mrp-1)# name CustomerA
BigIron RX(config-vlan-2-mrp-1)# ring-interface ethernet 1/1 ethernet 1/2
BigIron RX(config-vlan-2-mrp-1)# enable
BigIron RX(config-vlan-2-mrp-1)# metro-ring 2
BigIron RX(config-vlan-2-mrp-2)# name CustomerB
BigIron RX(config-vlan-2-mrp-2)# ring-interface ethernet 1/1 ethernet 1/2
BigIron RX(config-vlan-2-mrp-1)# enable

Syntax: [no] metro-ring The
Displaying MRP information

Displaying MRP diagnostics
To display MRP diagnostics results, enter the following command on the Master node.

BigIron RX(config)# show metro 2 diag
Metro Ring 2 - CustomerA
=============
diagnostics results
Ring id                          2
Diag state                       enabled
Diag frame sent                  1230
RHP average time(microsec)       125
Recommended hello time(ms)       100
Recommended Prefwing time(ms)    300
Diag frame lost                  0

Syntax: show metro diag
This display shows the following information.
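The diagnostics output above, together with the timer rule from “Changing the hello and preforwarding times” (preforwarding at least twice the hello time and a multiple of it), as an added Python check. This is not Brocade code: the sample output is constructed from the fields shown on this page, and the parse_metro_diag and check_mrp_timers functions are assumptions for the example; the comparison of configured timers against the recommended values is the example’s own reading of the display.

```python
"""Parse 'show metro diag' output and check the MRP timer rules stated in the text
(added example, not Brocade code; the sample output is constructed from the text)."""
import re

# Constructed sample, matching the fields shown on this page.
SAMPLE_DIAG = """\
Metro Ring 2 - CustomerA
=============
diagnostics results
Ring id                          2
Diag state                       enabled
Diag frame sent                  1230
RHP average time(microsec)       125
Recommended hello time(ms)       100
Recommended Prefwing time(ms)    300
Diag frame lost                  0
"""

# 'label   value' lines: label, at least two spaces, a single value token.
FIELD_RE = re.compile(r"^(\S.*?)\s{2,}(\S+)\s*$")


def parse_metro_diag(text):
    """Map each 'label   value' line to {label: int or str}; banner lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2)
            fields[label] = int(value) if value.isdigit() else value
    return fields


def check_mrp_timers(hello_ms, preforwarding_ms, diag=None):
    """Apply the rules from the text: preforwarding >= 2 x hello and a multiple of
    hello. If a parsed diagnostics dict is given, also compare the configured
    timers against the recommended values and report lost diagnostic frames.
    Returns a list of findings (empty when everything is in order)."""
    findings = []
    if preforwarding_ms < 2 * hello_ms:
        findings.append(f"preforwarding {preforwarding_ms} ms is less than twice hello {hello_ms} ms")
    if preforwarding_ms % hello_ms != 0:
        findings.append(f"preforwarding {preforwarding_ms} ms is not a multiple of hello {hello_ms} ms")
    if diag:
        rec_hello = diag.get("Recommended hello time(ms)")
        rec_pref = diag.get("Recommended Prefwing time(ms)")
        if rec_hello is not None and hello_ms < rec_hello:
            findings.append(f"hello {hello_ms} ms is below the recommended {rec_hello} ms")
        if rec_pref is not None and preforwarding_ms < rec_pref:
            findings.append(f"preforwarding {preforwarding_ms} ms is below the recommended {rec_pref} ms")
        if diag.get("Diag frame lost", 0) > 0:
            findings.append(f"{diag['Diag frame lost']} diagnostic frame(s) lost on ring {diag.get('Ring id')}")
    return findings


if __name__ == "__main__":
    diag = parse_metro_diag(SAMPLE_DIAG)
    print(diag)
    print("hello 200 / preforwarding 400:", check_mrp_timers(200, 400, diag))
    print("hello 200 / preforwarding 300:", check_mrp_timers(200, 300, diag))
```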
Displaying ring information
To display ring information, enter the following command.
TABLE 82 CLI display of MRP ring information (Continued)
This field... / Displays...
Prefwing time: The number of milliseconds an MRP interface that has entered the Preforwarding state will wait before changing to the Forwarding state. If a member port in the Preforwarding state does not receive an RHP within the Preforwarding time (Prefwing time), the port assumes that a topology change has occurred and changes to the Forwarding state.
MRP CLI example

Commands on switch A (master node)
The following commands configure a VLAN for the ring. The ring VLAN must contain both of the node’s interfaces with the ring. Add these interfaces as tagged interfaces, since the interfaces also must be in each of the customer VLANs configured on the node.
BigIron RX(config)# topology-group 1
BigIron RX(config-topo-group-1)# master-vlan 2
BigIron RX(config-topo-group-1)# member-vlan 30
BigIron RX(config-topo-group-1)# member-vlan 40

Commands on switch C
BigIron RX(config)# vlan 2
BigIron RX(config-vlan-2)# tag ethernet 1/1 to 1/2
BigIron RX(config-vlan-2)# metro-ring 1
BigIron RX(config-vlan-2-mrp-1)# name “Metro A”
BigIron R
Chapter 15 Virtual Switch Redundancy Protocol (VSRP)

Overview of Virtual Switch Redundancy Protocol (VSRP)
VSRP is a Brocade proprietary protocol that provides redundancy and sub-second failover in Layer 2 and Layer 3 mesh topologies. Based on Brocade’s proprietary Virtual Router Redundancy Protocol Extended (VRRPE), VSRP provides one or more backups for the device.
Following Master election (described below), one of the Brocade devices becomes the Master for the VRID and sets the state of all the VLAN’s ports to Forwarding. The other device is a Backup and sets all the ports in its VRID VLAN to Blocking. If a failover occurs, the Backup becomes the new Master and changes all its VRID ports to the Forwarding state. Other Brocade devices can use the redundant paths provided by the VSRP devices.
Each Backup waits for a specific period of time, the Dead Interval, to receive a new Hello message from the Master. If the Backup does not receive a Hello message from the Master by the time the Dead Interval expires, the Backup sends a Hello message of its own, which includes the Backup's VSRP priority, to advertise the Backup's intent to become the Master. If there are multiple Backups for the VRID, each Backup sends a Hello message.
FIGURE 77 VSRP priority recalculation
(Figure: Router1 and Router2 both connect to the Internet or enterprise intranet (Router1 through e 2/4, Router2 through e 3/2) and to the host subnet (Router1 e 1/6 at 192.53.5.1, Router2 e 1/5 at 192.53.5.3). VRID1 on Router1 = Master: IP address 192.53.5.1 (Owner), MAC address 00-00-5E-00-01-01, priority 255. VRID1 on Router2 = Backup: IP address 192.53.5.1, MAC address 00-00-5E-00-01-01, priority 100. Host1 default gateway 192.53.5.
FIGURE 78 VSRP priority bias
(Figure: a VSRP Master with configured priority 150 and one of its three links down: actual priority = 150 * (2/3) = 100. A VSRP Backup with configured priority 100 and all three links up: actual priority = 100 * (3/3) = 100. Three VSRP-aware switches below them, with an optional link between Master and Backup; ports are marked F (Forwarding), B (Blocking) or X (link down).)

Track ports
Optionally, you can configure track ports to be included during VSRP priority calculation.
FIGURE 79 Track port priority
(Figure: a VSRP Master with configured priority 100, a track port with track priority 20 that is up, and all three links up: actual priority = (100 - 0) * (3/3) = 100. A VSRP Backup with configured priority 100: actual priority = 100 * (3/3) = 100. Three VSRP-aware switches below them, with an optional link between Master and Backup.)

In Figure 79, the track port is up. Since the port is up, the track priority does not affect the VSRP priority calculation.
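The priority arithmetic of Figures 78 and 79, including the track-port term that the figures show as “(100 - 0)” and that the show vsrp output later in this chapter renders as “(100-0)*(4.0/4.0)”, as an added Python example. This is not Brocade code: the vsrp_priority, vsrp_formula and compare_priorities functions are assumptions for the example, and the clamp of a negative result to 0 is an assumption the figures do not cover.

```python
"""VSRP priority calculation as shown in Figures 78 and 79 and in the show vsrp
output on this page (added example, not Brocade code).

actual = (configured - sum of track priorities of DOWN track ports)
         * (VRID ports up / VRID ports total)
"""


def vsrp_priority(configured, ports_up, ports_total, track_ports=()):
    """track_ports: iterable of (link_is_up, track_priority). Returns the actual priority."""
    if ports_total <= 0 or not 0 <= ports_up <= ports_total:
        raise ValueError("port counts must satisfy 0 <= up <= total, total > 0")
    penalty = sum(prio for up, prio in track_ports if not up)
    base = max(configured - penalty, 0)   # clamp at 0 (assumption; the text shows no negative case)
    return base * ports_up / ports_total


def vsrp_formula(configured, ports_up, ports_total, track_ports=()):
    """Render the Unit/Formula column of show vsrp, e.g. '(100-0)*(4.0/4.0)'."""
    penalty = sum(prio for up, prio in track_ports if not up)
    return f"({configured}-{penalty})*({float(ports_up)}/{float(ports_total)})"


def compare_priorities(device_a, device_b):
    """Each device is (name, configured, ports_up, ports_total[, track_ports]).
    Returns the name holding the higher actual priority, or 'tie' when equal,
    which is the situation Figure 78 illustrates."""
    pa = vsrp_priority(*device_a[1:])
    pb = vsrp_priority(*device_b[1:])
    if pa == pb:
        return "tie"
    return device_a[0] if pa > pb else device_b[0]


if __name__ == "__main__":
    # Figure 78: Master 150 with one of three links down, Backup 100 with all up.
    print(vsrp_priority(150, 2, 3), vsrp_priority(100, 3, 3))
    # Figure 79: track port up, so the track priority 20 is not subtracted.
    print(vsrp_formula(100, 3, 3, [(True, 20)]), vsrp_priority(100, 3, 3, [(True, 20)]))
    # Same Master with the track port down.
    print(vsrp_formula(100, 3, 3, [(False, 20)]), vsrp_priority(100, 3, 3, [(False, 20)]))
    print(compare_priorities(("Master", 150, 2, 3), ("Backup", 100, 3, 3)))
```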
• If the port number is the same as the port that previously received a Hello message, the VSRP-aware device assumes that the message came from the same VSRP Master that sent the previous message.
• If the port number does not match, the VSRP-aware device assumes that a VSRP failover has occurred to a new Master, and moves the MAC addresses learned on the previous port to the new port.
The VRID records age out if unused.
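The VSRP-aware behaviour described above, as an added Python model of the two tables involved (the per-VRID record of the port that last delivered a Hello, and the learned MAC addresses). This is not Brocade code; the VsrpAwareTable class and its methods are constructed for the example, and the MAC addresses and port names in its test data are constructed.

```python
"""How a VSRP-aware device tracks the Master per VRID by the port that delivered
the last Hello, moving learned MACs when that port changes (added example, not
Brocade code; the table layout is constructed)."""


class VsrpAwareTable:
    def __init__(self):
        self.vrid_port = {}   # (vlan, vrid) -> port that last delivered a Hello
        self.mac_port = {}    # (vlan, mac)  -> port the MAC was learned on

    def learn(self, vlan, mac, port):
        self.mac_port[(vlan, mac)] = port

    def hello_received(self, vlan, vrid, port):
        """Record the Master's port for this VRID. If the port changed, a failover
        is assumed and every MAC learned on the old port in this VLAN moves to the
        new port. Returns the number of MAC entries moved."""
        previous = self.vrid_port.get((vlan, vrid))
        self.vrid_port[(vlan, vrid)] = port
        if previous is None or previous == port:
            return 0
        moved = 0
        for (v, mac), p in self.mac_port.items():
            if v == vlan and p == previous:
                self.mac_port[(v, mac)] = port
                moved += 1
        return moved

    def age_out(self, vlan, vrid):
        """VRID records age out if unused; forget the recorded port and return it."""
        return self.vrid_port.pop((vlan, vrid), None)

    def port_of(self, vlan, mac):
        return self.mac_port.get((vlan, mac))


if __name__ == "__main__":
    table = VsrpAwareTable()
    table.learn(10, "0000.1111.aaaa", "1/1")      # constructed MACs and ports
    table.learn(10, "0000.1111.bbbb", "1/1")
    print("first Hello on 1/1 moved", table.hello_received(10, 1, "1/1"))
    print("Hello now on 1/2 moved  ", table.hello_received(10, 1, "1/2"))
    print(table.port_of(10, "0000.1111.aaaa"))
```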
BigIron RX(config-vlan-200-vrid-1)# enable

Syntax: [no] enable
or
Syntax: [no] activate

For information about the command’s optional parameters, see the following:
• “Changing the backup priority” on page 427
• “Changing the default track priority” on page 430

Enabling Layer 3 VSRP
Layer 2 VSRP is enabled globally by default on the device; it just needs to be activated or enabled on a VRID.
Configuring optional VSRP parameters

Syntax: [no] ip vsrp auth-type no-auth | simple-text-auth

The auth-type no-auth parameter indicates that the VRID and the interface it is configured on do not use authentication.
The auth-type simple-text-auth parameter indicates that the VRID and the interface it is configured on use a simple text password for authentication. The value is the password.
BigIron RX(config-vlan-200-vrid-1)# ip-address 10.10.10.1

Syntax: [no] ip-address

VSRP fast start
VSRP fast start allows non-Brocade or non-VSRP-aware devices that are connected to a Brocade device that is the VSRP Master to quickly switch over to the new Master when a VSRP failover occurs. This feature causes the port on a VSRP Master to restart when a VSRP failover occurs.
BigIron RX(config-vlan-10-vsrp-1)#sh vsrp
VLAN 10
 Auth-type no authentication
 VRID 1
 ========
  State     Administrative-status  Advertise-backup  Preempt-mode  Link-Redundancy
  Backup    Enabled                Disabled          True          Disabled

  Parameter       Configured  Current  Unit/Formula
  Priority        100         100      (100-0)*(4.0/4.0)
  Hello-interval  1           1        sec/10
  Hold-interval   3           3        sec/10
  Initial-ttl     2           2        hops

  Master router 219.218.18.52 or MAC xxxx.dbda.
• Backup Hello interval
• Hold-down interval

Each Backup saves the configured timer values to its startup configuration file when you save the device’s configuration.
NOTE
The Backups always use the value of the timer scale received from the Master, regardless of whether the timer values that are saved in the configuration are the values configured on the Backup or the values received from the Master.
Changing the hello interval
The Master periodically sends Hello messages to the Backups. To change the Hello interval, enter a command such as the following at the configuration level for the VRID.

BigIron RX(config-vlan-200-vrid-1)# hello-interval 10

Syntax: [no] hello-interval

The parameter specifies the interval and can be from 1 – 84 units. The default is 1 (1 unit = 100 milliseconds).
Syntax: [no] backup-hello-interval

The parameter specifies the message interval and can be from 60 – 3600 units (1 unit = 100 milliseconds). The default is 60 units (6000 milliseconds or 6 seconds).
NOTE
If you change the timer scale, the change affects the actual number of seconds.
Specifying a track port
You can configure the VRID on one interface to track the link state of another interface on the device. This capability is useful for tracking the state of the exit interface for the path for which the VRID is providing redundancy. Refer to “VSRP priority calculation” on page 419.
To configure a VRID to track an interface, enter a command such as the following at the configuration level for the VRID.
NOTE
All trunk ports must have the same delayed-link-down-event configuration.
The following command delays the sending of a port "down" event for 100 ms when a port state is detected "down". If the port state is detected "up" within 100 ms, the delayed "down" event is cancelled; otherwise, the "down" event is sent after 100 ms. This prevents upper-layer applications from being affected by port state flapping.
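The hold-and-cancel rule just described, as an added Python simulation of what the upper layers see for a sequence of physical port transitions. This is not Brocade code: the delayed_link_down_events function, the (time, state) event format and the 100 ms test sequences are constructed for the example.

```python
"""Event dampening as described for delayed-link-down-event (added example, not
Brocade code): a physical 'down' is held for delay_ms and discarded if the port
comes back 'up' inside that window, so the upper layers never see the flap."""


def delayed_link_down_events(transitions, delay_ms):
    """transitions: list of (time_ms, 'up' | 'down') physical state changes, in time
    order, for a port that starts 'up'. Returns the (time_ms, state) events that
    are actually delivered to the upper layers."""
    delivered = []
    reported_up = True      # what the upper layers currently believe
    pending_since = None    # time the held 'down' was detected, if any

    def fire_pending(now):
        # Deliver a held 'down' once its hold time has elapsed without an 'up'.
        nonlocal reported_up, pending_since
        if pending_since is not None and now >= pending_since + delay_ms:
            delivered.append((pending_since + delay_ms, "down"))
            reported_up = False
            pending_since = None

    for t, state in transitions:
        fire_pending(t)
        if state == "down":
            if reported_up and pending_since is None:
                pending_since = t              # start the hold timer
        else:  # 'up'
            if pending_since is not None:
                pending_since = None           # came back inside the window: cancel
            elif not reported_up:
                delivered.append((t, "up"))
                reported_up = True
    fire_pending(float("inf"))                 # nothing else happened: let a held 'down' fire
    return delivered


if __name__ == "__main__":
    # Constructed sequences, 100 ms hold as in the text.
    print(delayed_link_down_events([(0, "down"), (50, "up")], 100))          # flap suppressed
    print(delayed_link_down_events([(0, "down"), (150, "up")], 100))         # real outage
    print(delayed_link_down_events([(0, "down"), (50, "up"), (60, "down"), (200, "up")], 100))
```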
VSRP and MRP signaling
If a VSRP failover from master to backup occurs, VSRP needs to inform MRP of the topology change; otherwise, data from the host continues along the obsolete learned path and never reaches the VSRP-linked device, as shown in Figure 82.
FIGURE 83 New path established
(Figure: two panels, Path 1 and Path 2, each showing Device 1 as the MRP Master, a VSRP Backup and a VSRP Master among the MRP Members, and a Host; the failed path is marked X.)

There are no CLI commands used to configure this process.
Displaying VSRP information

This display shows the following information when you use the vrid or vlan parameter. For information about the display when you use the aware parameter, refer to “Displaying the active interfaces for a VRID” on page 438.

TABLE 83 CLI display of VSRP VRID or VLAN information
This field... / Displays...
Total number of VSRP routers defined: The total number of VRIDs configured on this device.
VLAN: The VLAN on which VSRP is configured.
TABLE 83 CLI display of VSRP VRID or VLAN information (Continued)
This field... / Displays...
priority: The device’s preferability for becoming the Master for the VRID. During negotiation, the Backup with the highest priority becomes the Master. If two or more Backups are tied with the highest priority, the Backup interface with the highest IP address becomes the Master for the VRID.
BigIron RX# show vsrp brief
VLAN  VRID  ConfPri  CurPri  P  State   PeerMacAddr or IpAddress  VIP
10    10    100      80      P  Master  Unknown Unknown           None

When the command is entered on a Layer 3 VSRP, it displays the following information.

BigIron RX# show vsrp brief
VLAN  VRID  ConfPri  CurPri  P  State   PeerMacAddr or IpAddress   VIP
100   1     150      1       P  Initia  xxxx.1414.1404 20.20.20.4  20.20.20.100
101   2     50       1       P  Initia  xxxx.1e1e.1e01 30.30.30.1  30.30.30.100

Syntax: show vsrp brief
This field...
Displaying the active interfaces for a VRID
On a VSRP-aware device, you can display VLAN and port information for the connections to the VSRP devices (Master and Backups) using the show vsrp aware command. The command shows the active interfaces for the VRID. No output is displayed if the command is entered on a VSRP Master or Backup.
Chapter 16 Topology Groups

Topology overview
This chapter describes the different types of topology groups and how to configure them. A topology group is a named set of VLANs that share a Layer 2 control protocol. Topology groups simplify configuration and enhance scalability of Layer 2 protocols by allowing you to run a single instance of a Layer 2 protocol on multiple VLANs. One instance of the Layer 2 protocol controls all the VLANs.
Master VLANs and customer VLANs in MRP
A topology group enables you to control forwarding in multiple VLANs using a single instance of a Layer 2 protocol such as MRP. For more information on topology groups and MRP, refer to “Master VLANs and customer VLANs in a topology group” on page 400.
If you remove a member VLAN or VLAN group from a topology group, you will need to reconfigure the Layer 2 protocol information in the VLAN or VLAN group.

Configuring a topology group
To configure a topology group, enter commands such as the following.
Displaying topology group information

BigIron RX(config)# show topology-group
Topology Group 1
==================
Master VLAN   : 2
Member VLAN   : 10 20 30
Member Group  : None
Control Ports : ethe 2/2 ethe 3/18 ethe 4/1 to 4/2
Free Ports    : VLAN 2 - ethe 2/1 ethe 3/17
                VLAN 10 - ethe 2/1 ethe 3/17
                VLAN 20 - ethe 2/1 ethe 3/17
                VLAN 30 - ethe 2/1 ethe 3/17

Topology Group 2
==================
Master VLAN   : 3
Member VLAN   : 100 200
Member Group  : None
Control Ports : ethe 4/1 to 4/2
Free Ports    :

Syntax: show to
Chapter 17 Configuring VRRP and VRRPE

Overview of VRRP
This chapter describes how to configure the following router redundancy protocols:
• Virtual Router Redundancy Protocol (VRRP) – The standard router redundancy protocol described in RFC 3768.
• VRRP Extended (VRRPE) – A Brocade proprietary version of VRRP that overcomes limitations in the standard protocol. This protocol works only with Brocade devices.
As shown in this example, Host1 uses 192.53.5.1 on Router1 as the host’s default gateway out of the subnet. If this interface goes down, Host1 is cut off from the rest of the network. Router1 is thus a single point of failure for Host1’s access to other networks. If Router1 fails, you could configure Host1 to use Router2. Configuring one host with a different default gateway might not require too much extra administration.
NOTE
You can provide more redundancy by also configuring a second VRID with Router2 as the Owner and Router1 as the Backup. This type of configuration is sometimes called Multigroup VRRP.

Master router election
Virtual routers use the VRRP priority values associated with each VRRP router to determine which router becomes the Master. When you configure an Owner router, the device automatically sets its VRRP priority to 255, the highest VRRP priority.
Track ports and track priority
Brocade enhanced VRRP by giving a VRRP router the capability to monitor the state of the interfaces on the other end of the route path through the router. For example, in Figure 85 on page 444, interface e1/6 on Router1 owns the IP address to which Host1 directs route traffic on its default gateway. The exit path for this traffic is through Router1’s e2/4 interface. Suppose interface e2/4 goes down.
Forcing a master router to abdicate to a standby router
You can force a VRRP Master to abdicate (give away control) of a virtual router to a Backup by temporarily changing the Master’s priority to a value less than the Backup’s. When you change a VRRP Owner’s priority, the change takes effect only for the current power cycle. The change is not saved to the startup configuration file when you save the configuration and is not retained across a reload or reboot.
• VRRPE uses UDP to send Hello messages in IP multicast messages. The Hello packets use the interface’s actual MAC address and IP address as the source addresses. The destination MAC address is 01-00-5E-00-00-02, and the destination IP address is 224.0.0.2 (the well-known IP multicast address for “all routers”). Both the source and destination UDP port numbers are 8888. VRRP messages are encapsulated in the data portion of the packet.
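The addressing just listed (destination MAC 01-00-5E-00-00-02, destination IP 224.0.0.2, UDP 8888 to 8888) is enough to recognise VRRPE Hello traffic on the wire and to notice Hellos arriving from a router that is not part of the configured VRID. The following added Python example does that over raw Ethernet frames. It is not Brocade code: the frames are constructed here with zero IP and UDP checksums and an opaque eight-byte payload (the Hello body format is not on this page), and the build_udp_frame, classify_frame and audit_vrrpe_hellos functions, router MACs and IP addresses are constructed for the example.

```python
"""Identify VRRPE Hello traffic in raw Ethernet frames by the addressing the text
gives (dst MAC 01-00-5E-00-00-02, dst IP 224.0.0.2, UDP 8888/8888) and flag
Hellos from unexpected routers (added example, not Brocade code; frames are
constructed with zero checksums and an opaque payload)."""
import struct

VRRPE_DST_MAC = bytes.fromhex("01005e000002")
VRRPE_DST_IP = "224.0.0.2"
VRRPE_UDP_PORT = 8888


def _ip4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def _mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_udp_frame(src_mac, src_ip, dst_mac=VRRPE_DST_MAC, dst_ip=VRRPE_DST_IP,
                    sport=VRRPE_UDP_PORT, dport=VRRPE_UDP_PORT, payload=b"\x00" * 8):
    """Constructed Ethernet/IPv4/UDP frame for testing; checksums are left at 0."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     _ip4(src_ip), _ip4(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ip + udp


def classify_frame(frame):
    """Parse the headers; return addressing plus a 'vrrpe_hello' flag, or None
    when the frame is not IPv4/UDP or is too short."""
    if len(frame) < 14 + 20 + 8:
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                      # IP protocol 17 = UDP
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    udp = 14 + ihl
    if len(frame) < udp + 8:
        return None
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    return {
        "src_mac": _mac_str(src_mac), "src_ip": src_ip, "dst_ip": dst_ip,
        "sport": sport, "dport": dport,
        "vrrpe_hello": (dst_mac == VRRPE_DST_MAC and dst_ip == VRRPE_DST_IP
                        and sport == VRRPE_UDP_PORT and dport == VRRPE_UDP_PORT),
    }


def audit_vrrpe_hellos(frames, known_routers):
    """known_routers: set of (src_mac, src_ip) pairs of the configured VRRPE routers.
    Returns the parsed info of every VRRPE Hello that came from anyone else."""
    alerts = []
    for frame in frames:
        info = classify_frame(frame)
        if info and info["vrrpe_hello"] and (info["src_mac"], info["src_ip"]) not in known_routers:
            alerts.append(info)
    return alerts


if __name__ == "__main__":
    # Constructed router identities; the second one is not in the known set.
    known = {("00-24-38-00-AA-01", "192.53.5.2")}
    frames = [build_udp_frame(bytes.fromhex("00243800aa01"), "192.53.5.2"),
              build_udp_frame(bytes.fromhex("000011223344"), "192.53.5.9")]
    for alert in audit_vrrpe_hellos(frames, known):
        print("VRRPE Hello from unexpected router:", alert["src_mac"], alert["src_ip"])
```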
FIGURE 86 Router1 and Router2 are configured to provide dual redundant network access for the host
(Figure: Router1 (e 2/4 to the Internet, e 1/6 at 192.53.5.2 on the host subnet) and Router2 (e 3/2 to the Internet, e 5/1 on the host subnet). VRID 1: Router A = Master, virtual IP address 192.53.5.254, priority 110, track port e 2/4, track priority 20. VRID 2: Router A = Backup, virtual IP address 192.53.5.253, priority 100 (default), track port e 2/4, track priority 20. Host1 and Host2 default gateway 192.53.5.254. Router2 e 5/1 192.53.5.
VRRP and VRRPE parameters
Table 86 lists the VRRP and VRRPE parameters. Most of the parameters and default values are the same for both protocols. The exceptions are noted in the table.

TABLE 86 VRRP and VRRPE parameters
Parameter / Description / Default / See page...
TABLE 86 VRRP and VRRPE parameters (Continued)
Parameter / Description / Default / See page...
Description: Whether the router is an Owner or a Backup.
• Owner (VRRP only) – The router on which the real IP address used by the VRID is configured.
• Backup – Routers that can provide routing services for the VRID but do not have a real IP address matching the VRID.
Default: VRRP – The Owner is always the router that has the real IP address used by the VRID. All other routers for the VRID are Backups.
TABLE 86 VRRP and VRRPE parameters (Continued)
Parameter / Description / Default / See page...
Track priority: A VRRP or VRRPE priority value assigned to the tracked ports. If a tracked port’s link goes down, the VRID port’s VRRP or VRRPE priority changes.
• VRRP – The priority changes to the value of the tracked port’s priority.
• VRRPE – The VRID port’s priority is reduced by the amount of the tracked port’s priority.
Configuring parameters specific to VRRP

Configuring the owner
Router1(config)# router vrrp
Router1(config)# inter e 1/6
Router1(config-if-1/6)# ip address 192.53.5.1
Router1(config-if-1/6)# ip vrrp vrid 1
Router1(config-if-1/6-vrid-1)# owner
Router1(config-if-1/6-vrid-1)# ip-address 192.53.5.1
Router1(config-if-1/6-vrid-1)# activate

Configuring a backup
To configure the VRRP Backup router, enter the following commands.
Configuring parameters specific to VRRPE
VRRPE is configured at the interface level. To implement a simple VRRPE configuration using all the default values, enter commands such as the following on each BigIron RX.

BigIron RX(config)# router vrrp-extended
BigIron RX(config)# inter e 1/5
BigIron RX(config-if-e10000-1/5)# ip address 192.53.5.
Configuring additional VRRP and VRRPE parameters
• Backup priority
• Suppression of RIP advertisements on Backup routes for the backed up interface
• Hello interval
• Dead interval
• Backup Hello messages and message timer (Backup advertisement)
• Track port
• Track priority
• Backup preempt mode
• Master Router Abdication and Reinstatement
Refer to “VRRP and VRRPE parameters” on page 450 for a summary of the parameters and their defaults.
Suppression of RIP advertisements on backup routers for the backed-up interface
Normally, a VRRP or VRRPE Backup includes route information for the virtual IP address in RIP advertisements. As a result, other routers receive multiple paths for the Backup router and might sometimes unsuccessfully use the path to the Backup router rather than the path to the Master.
Syntax: dead-interval

The Dead interval can be from 1 – 84 seconds. The default is 3.5 seconds. The syntax is the same for VRRP and VRRPE.

Backup hello message state and interval
By default, Backups do not send Hello messages to advertise themselves to the Master. You can enable these messages if desired and also change the message interval.
To enable a Backup to send Hello messages to the Master, enter commands such as the following.
• For VRRP, the software changes the priority of the virtual router to a track priority that is lower than that of the virtual router priority and lower than the priorities configured on the Backups. For example, if the virtual router priority is 100 and a tracked interface with track priority 60 goes down, the software changes the virtual router priority to 60.
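The two track-priority behaviours (VRRP replaces the priority with the track priority, VRRPE subtracts it, per Table 86 and the bullet above), the Owner’s automatic priority of 255 from “Master router election”, and the highest-priority/highest-IP election rule from the display tables of this chapter, as one added Python example. This is not Brocade code: the effective_priority and elect_master functions are constructed, and how several simultaneously down track ports combine (lowest for VRRP, sum for VRRPE) is an assumption, since the text shows a single tracked port.

```python
"""Track-port effect on VRRP vs VRRPE priority, the Owner's fixed priority of 255,
and Master election with the IP-address tie-break described in this chapter
(added example, not Brocade code; the router records are constructed)."""
import ipaddress

OWNER_PRIORITY = 255


def effective_priority(protocol, configured, track_ports=(), owner=False):
    """protocol: 'vrrp' or 'vrrpe'. track_ports: iterable of (link_is_up, track_priority).

    VRRP : a down track port replaces the priority with the track priority.
    VRRPE: a down track port subtracts the track priority from the priority.
    With several down track ports the lowest (VRRP) or the sum (VRRPE) is used;
    that handling is an assumption, the text shows one tracked port.
    """
    if protocol not in ("vrrp", "vrrpe"):
        raise ValueError("protocol must be 'vrrp' or 'vrrpe'")
    if owner and protocol == "vrrp":
        configured = OWNER_PRIORITY           # the device forces an Owner to 255
    down = [prio for up, prio in track_ports if not up]
    if not down:
        return configured
    if protocol == "vrrp":
        return min(down)
    return max(configured - sum(down), 0)     # clamp at 0 (assumption)


def elect_master(routers):
    """routers: iterable of (name, priority, interface_ip). Highest priority wins;
    on a tie the highest IP address, compared numerically, wins."""
    return max(routers, key=lambda r: (r[1], ipaddress.ip_address(r[2])))[0]


if __name__ == "__main__":
    # Bullet above: virtual router priority 100, tracked interface with track priority 60 down.
    print("VRRP :", effective_priority("vrrp", 100, [(False, 60)]))
    # Figure 86 values: priority 110, track priority 20, track port down.
    print("VRRPE:", effective_priority("vrrpe", 110, [(False, 20)]))
    # Figure 77 style election: Owner at 255 against a Backup at 100 (constructed addresses).
    print(elect_master([("Router1", 255, "192.53.5.1"), ("Router2", 100, "192.53.5.3")]))
    # Tie broken by the numerically higher address, not by string order.
    print(elect_master([("A", 100, "192.53.5.2"), ("B", 100, "192.53.5.10")]))
```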
BigIron RX(config)# ip int eth 1/6
BigIron RX(config-if-e10000-1/6)# ip vrrp vrid 1
BigIron RX(config-if-e10000-1/6-vrid-1)# owner priority 99

Syntax: [no] owner priority | track-priority

The parameter specifies the new priority and can be a number from 1 – 254. When you press Enter, the software changes the priority of the Master to the specified priority.
Displaying VRRP and VRRPE information
BigIron RX(config)# show ip vrrp-extended brief
Total number of VRRP-Extended routers defined: 41
Inte-  VRID  Current   P  State   Master IP    Backup IP  Virtual IP
rface        Priority              Address      Address    Address
--------------------------------------------------------------------
v21    21    95        P  Backup  172.16.51.2  Local      172.16.51.1
v22    22    95        P  Backup  172.16.52.2  Local      172.16.52.1
v23    23    95        P  Backup  172.16.53.2  Local      172.16.53.1
v24    24    95        P  Backup  172.16.54.2  Local      172.16.54.
TABLE 87 CLI display of VRRP or VRRPE summary information (Continued)
This field... Displays...
State: This device’s VRRP or VRRPE state for the virtual router. The state can be one of the following:
• Init – The virtual router is not enabled (activated). If the state remains Init after you activate the virtual router, make sure that the virtual router is also configured on the other routers and that the routers can communicate with each other.
The brief parameter displays summary information. Refer to “Displaying summary information” on page 459.
The ethernet / parameter specifies an Ethernet port. If you use this parameter, the command displays VRRP or VRRPE information only for the specified port.
The ve parameter specifies a virtual interface. If you use this parameter, the command displays VRRP or VRRPE information only for the specified virtual interface.
TABLE 88 CLI display of VRRP or VRRPE detailed information (Continued)
This field... Displays...
priority: The device’s preferability for becoming the Master for the virtual router. During negotiation, the router with the highest priority becomes the Master. If two or more devices are tied with the highest priority, the Backup interface with the highest IP address becomes the active router for the virtual router.
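The two rules above (a tracked port going down replaces a VRRP virtual router's priority with its track priority; the highest priority wins the election, with ties broken by the highest IP address) can be checked against a small model. The following is an added example, not code from the Brocade guide; the router names, addresses and port names are constructed sample values, and the 1-255 priority range check is an assumption based on standard VRRP.

```python
"""VRRP track-port priority adjustment and Master election.

Added example; not code from the Brocade guide. It models two rules the
guide states: a tracked port going down makes a VRRP virtual router's
priority drop to its configured track priority, and the router with the
highest priority becomes Master, ties broken by the highest IP address.
Router names, addresses and port names are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class VrrpRouter:
    name: str
    ip: str                       # interface IP used to break priority ties
    priority: int                 # configured priority (255 = owner, assumed)
    track_priority: int = 0       # priority used while a tracked port is down
    tracked_ports: dict = field(default_factory=dict)   # "2/4" -> True (up) / False (down)

    def __post_init__(self):
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be 1-255")
        # The guide: the track priority must be lower than the virtual router
        # priority; otherwise a port failure could not demote this router.
        if self.track_priority and self.track_priority >= self.priority:
            raise ValueError("track priority must be lower than the router priority")

    def effective_priority(self) -> int:
        """VRRP behaviour: any tracked port down -> priority becomes the track priority."""
        if self.track_priority and any(not up for up in self.tracked_ports.values()):
            return self.track_priority
        return self.priority


def elect_master(routers) -> VrrpRouter:
    """Highest effective priority wins; a tie goes to the highest IP address."""
    if not routers:
        raise ValueError("no routers to elect from")
    return max(routers, key=lambda r: (r.effective_priority(), int(IPv4Address(r.ip))))


def failover_report(routers):
    """Return ({name: effective priority}, name of the elected Master)."""
    prios = {r.name: r.effective_priority() for r in routers}
    return prios, elect_master(routers).name


if __name__ == "__main__":
    r1 = VrrpRouter("Router1", "192.53.5.1", 100, 60, {"2/4": True})
    r2 = VrrpRouter("Router2", "192.53.5.3", 90)
    print(failover_report([r1, r2]))      # Router1 is Master
    r1.tracked_ports["2/4"] = False
    print(failover_report([r1, r2]))      # priority 60 < 90: Router2 takes over
```

The constructor check matters operationally: a track priority equal to or above the router priority means a tracked-port failure never demotes the router, so the failover the configuration appears to promise would not happen.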
TABLE 88 CLI display of VRRP or VRRPE detailed information (Continued)
This field... Displays...
backup router expires in
. received packets dropped by owner = 0
. received packets with ip ttl errors = 0
. received packets with ip address mismatch = 0
. received packets with advertisement interval mismatch = 0
. received packets with invalid length = 0
total number of vrrp-extended packets sent = 2004
. sent backup advertisements = 0
Configuration examples

Configuring Router1
To configure VRRP Router1, enter the following commands.
Router1(config)# router vrrp
Router1(config)# inter e 1/6
Router1(config-if-e10000-1/6)# ip address 192.53.5.1
Router1(config-if-e10000-1/6)# ip vrrp vrid 1
Router1(config-if-e10000-1/6-vrid-1)# owner track-priority 20
Router1(config-if-e10000-1/6-vrid-1)# track-port ethernet 2/4
Router1(config-if-e10000-1/6-vrid-1)# ip-address 192.53.5.
The activate command activates the virtual router configuration on this interface. The interface does not provide backup service for the virtual IP address until you activate the VRRP configuration.
Router1(config-if-e10000-5/1-vrid-1)# track-port ethernet 3/2
Router1(config-if-e10000-5/1-vrid-1)# ip-address 192.53.5.
Chapter 18 Configuring Quality of Service

Overview of Quality of Service (QoS)
Quality of Service (QoS) features are used to prioritize the use of bandwidth in a switch. When QoS features are enabled, traffic is classified as it arrives at the switch and processed on the basis of configured priorities. Traffic can be dropped, prioritized for guaranteed delivery, or subject to limited delivery options, as configured by a number of different mechanisms.
FIGURE 87 Priority resolution (figure not reproduced; its elements: DSCP priority and 802.1p priority inputs; trust level not set, set to CoS (default), or set to DSCP; "Determine Trust Level"; "Set Classification to Higher of both Inputs"; port-based, MAC-based and port-based VLAN classification)
As shown in the figure, the first criteria considered are port-based, MAC-based, and port-based VLAN classifications. The packet is primarily classified with the higher of these two criteria.
TABLE 90 Default QoS mappings, columns 16 to 31
DSCP value: 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
802.
• COS to Internal Forwarding Priority Mapping – You can change the mapping between 802.1p (COS) values and the internal forwarding priority value from the default values shown in Table 89 through Table 92. This mapping is used for COS marking and for determining the internal priority when the trust level is COS. Refer to “Changing the CoS –> internal forwarding priority mappings” on page 477.

Marking
Marking is the process of changing the packet’s QoS information (the 802.
When you apply a QoS priority to one of the items listed above, you specify a number from 0 – 7. The priority number specifies the IEEE 802.1p equivalent to one of the four Brocade QoS queues. The numbers correspond to the queues as follows.
Priority level    QoS forwarding queue
6, 7              3
4, 5              2
2, 3              1
0, 1              0

Changing a port’s priority
To change a port’s QoS priority, use one of the following methods. The priority applies to inbound traffic on the port.
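The classification flow in Figure 87 and the priority-to-queue table above can be put together in one small model, which makes it easy to see which queue a packet lands in for a given trust level. This is an added example, not code from the guide. The DSCP-to-internal-priority rule (dscp // 8) and the CoS-to-DSCP rule (cos * 8, matching the COS-DSCP map in the show qos-tos output later in this chapter) are assumptions standing in for Tables 89 through 92, which are not reproduced on this page; the marking behaviour is likewise my reading of the Marking section.

```python
"""Resolving a packet's internal forwarding priority and hardware queue.

Added example; not code from the Brocade guide. Follows Figure 87 and the
priority -> queue table: port-, MAC- and port-based-VLAN priorities are
combined by taking the higher value, the trust level decides whether the
802.1p (CoS) or DSCP value is also considered, and the result selects one
of the four queues. The dscp // 8 and cos * 8 defaults are assumptions.
"""

# Priority level -> QoS forwarding queue (the guide's table).
PRIORITY_TO_QUEUE = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}

# Default CoS -> DSCP map (assumed equal to the 'show qos-tos' output).
COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}


def dscp_to_internal_priority(dscp: int) -> int:
    """Assumed default mapping: DSCP 0-7 -> 0, 8-15 -> 1, ..., 56-63 -> 7."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return dscp // 8


def classify(port_priority=0, mac_priority=None, vlan_priority=None,
             cos=None, dscp=None, trust="cos") -> int:
    """Return the internal forwarding priority (0-7) for one packet.

    trust is 'cos' (the default trust level), 'dscp', or None (no trust
    level set, so only port/MAC/VLAN classification counts).
    """
    # Port-based, MAC-based and port-based VLAN classification: the higher wins.
    base = max(p for p in (port_priority, mac_priority, vlan_priority) if p is not None)
    if trust == "cos" and cos is not None:
        trusted = cos
    elif trust == "dscp" and dscp is not None:
        trusted = dscp_to_internal_priority(dscp)
    else:
        trusted = 0
    prio = max(base, trusted)          # "Set Classification to Higher of both Inputs"
    if not 0 <= prio <= 7:
        raise ValueError("priority must be 0-7")
    return prio


def queue_for(priority: int) -> int:
    """Map an internal priority to one of the four forwarding queues."""
    return PRIORITY_TO_QUEUE[priority]


def mark(priority: int, marking=None):
    """Outbound values when marking is enabled on the interface.

    Returns (cos, dscp); None means the field is left unchanged. CoS marking
    writes the internal priority into the 802.1p field; DSCP marking uses the
    CoS -> DSCP map (assumed reading of the guide's Marking section).
    """
    if marking == "cos":
        return priority, None
    if marking == "dscp":
        return None, COS_TO_DSCP[priority]
    return None, None
```

A practical consequence visible in this model: with the default trust level a frame's 802.1p value is honoured, so an untrusted host that tags its own frames with CoS 7 lands in the highest queue unless the port priority or trust level is set deliberately.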
Configuring ToS-based QoS
To configure ToS-based QoS, perform the following tasks:
• Enable ToS-based QoS on an interface. Once you enable the feature on an individual interface, you can configure the trust level and marking for traffic that is received on that interface, as described next.
• Specify the trust level for packets received on the interface.
• Enable marking of packets received on the interface.
Configuring the QoS mappings
The Brocade device maps a packet’s 802.1p or DSCP value to an internal forwarding priority. The default mappings are listed in Table 89 through Table 92. You can change the following mappings as described in this section:
• CoS –> DSCP
• DSCP –> DSCP
• DSCP –> internal forwarding priority
• CoS –> internal forwarding priority
The mappings are globally configurable and apply to all interfaces.
BigIron RX(config)# qos-tos map dscp-dscp 0 to 10
This command changes the mapping of DSCP value 0 to 10.
Syntax: [no] qos-tos map dscp-dscp [...] to
You can change up to seven DSCP values in the same command.

Changing the DSCP –> internal forwarding priority mappings
This mapping is used when the trust level is set to DSCP.
The parameter specifies the internal forwarding priority.

Changing the CoS –> internal forwarding priority mappings
This mapping is used when the trust level is set to CoS. In addition to determining the internal forwarding priority of a packet, the value also determines the outbound 802.1p value if CoS marking is enabled.
Displaying QoS configuration information
BigIron RX# show qos-tos
Interface QoS , Marking and Trust Level:
i/f    | QoS | Mark     | Trust-Level
-------+-----+----------+--------------
1/2    | Yes |          | Layer 2 CoS
ve1    | No  |          | Layer 2 CoS
ve4    | No  |          | Layer 2 CoS
ve5    | No  |          | Layer 2 CoS
ve20   | No  |          | Layer 2 CoS
COS-DSCP map:
COS:  0  1  2  3  4  5  6  7
------------------------------------------------
dscp: 0  8 16 24 32 40 48 56
DSCP-Priority map: (dscp = d1d2)
d2 |  0  1  2  3  4  5  6  7  8  9
d1 |
-----+-----------------------
TABLE 93 ToS-based QoS configuration information (Continued)
This field... Displays...
Mark: The marking type enabled on the interface. The marking type can be any of the following:
• COS – CoS marking is enabled.
• DSCP – DSCP marking is enabled.
• No – Marking is not enabled.
Trust-Level: The trust level enabled on the interface. The trust level can be one of the following:
• DSCP
• L2 CoS
CoS-DSCP map
COS: The CoS (802.1p) values.
Determining packet drop priority using WRED

How WRED operates
The graph in Figure 88 describes the interaction of the previously described variables in the operation of WRED. When a packet arrives at a switch, the average queue size (q-size) is calculated (note that this is not the statistical average queue size; refer to “Calculating avg-q-size” on page 480). If the calculated q-size is below the configured Min. Average Queue Size, the packet is accepted.
Pdrop = (pkt-size / pkt-size-max) * Pmax * (avg-q-size - min-avg-q-size) / (max-avg-q-size - min-avg-q-size)

Using WRED with rate limiting
When rate limiting is configured on a device, it directs the switch to drop traffic indiscriminately when the configured average-rate and maximum-burst thresholds are exceeded.
Configuring packet drop priority using WRED
TABLE 94 Possible Wq values (Continued)
Averaging weight setting    Wq value as a percentage
3                           12.5%
4                           6.2%
5                           3.12%
6                           1.56%
7                           0.78%
8                           0.4%
9                           0.2%
10                          0.09%
11                          0.05%
12                          0.02%
13                          0.01%
To set the wq parameter for queues with a queue type of 1 to 25%, use the following command.
BigIron RX(config)#qos queue-type 1 wred averaging-weight 25%
This gives the current queue size a weight of 25% over the statistical average queue size.
Setting the maximum drop probability
To set the maximum drop probability to 20% when the queue size reaches the Max-average-q-size value, use the following command.
The variable is the number of the forwarding queue type that you want to configure drop-precedence for. There are eight forwarding queue types on BigIron RX Routers. They are numbered 0 to 3. The variable for the drop-precedence parameter is the TOS/DSCP value in the IPv4 or IPv6 packet header. It determines drop precedence on a scale from 0 - 3.
TABLE 95 WRED default settings
Queue type | Drop precedence | Minimum average queue size (KByte) | Maximum average queue size (KByte) | Maximum packet size (Byte) | Maximum drop probability | Maximum instantaneous queue size | Average weight
0 | 0 | 356 | 1024 | 16384 | 2%  | 1024 | 0.2%
0 | 1 | 304 | 1024 | 16384 | 4%  |      |
0 | 2 | 256 | 1024 | 16384 | 9%  |      |
0 | 3 | 204 | 1024 | 16384 | 10% |      |
1 | 0 | 356 | 1024 | 16384 | 2%  | 1024 | 0.
(Maximum instantaneous queue size and Average weight are given once per queue type and apply to all of its drop precedences.)
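The Pdrop formula given earlier in this section, the Wq values of Table 94 and the defaults of Table 95 fit together as follows. This is an added example,
not code from the guide: it computes the weighted average queue size (averaging-weight setting n gives Wq = 1/2**n, so setting 3 is 12.5%, setting 9 is 0.2%, and "averaging-weight 25%" is setting 2) and the drop probability between the two thresholds, using the queue type 0 / drop precedence 0 row of Table 95 as defaults. Treating 1 KByte as 1024 bytes, clamping the packet size at the maximum packet size, and dropping every packet once the average exceeds the maximum are assumptions not stated on this page.

```python
"""WRED average queue size and drop probability.

Added example; not code from the Brocade guide. Implements the guide's Pdrop
formula and the exponentially weighted average behind Table 94. Defaults
are the Table 95 row for queue type 0, drop precedence 0. 1 KByte = 1024
bytes and "drop everything above max" are assumptions.
"""
from dataclasses import dataclass

KBYTE = 1024


def wq_from_setting(setting: int) -> float:
    """Table 94: weight setting n -> Wq = 2**-n (3 -> 12.5%, 4 -> 6.25%, 9 -> 0.2%)."""
    if not 0 <= setting <= 13:
        raise ValueError("averaging weight setting must be 0-13")
    return 1.0 / (2 ** setting)


def setting_from_percent(percent: float) -> int:
    """Inverse lookup for the CLI's percentage form: 25% -> 2, 12.5% -> 3."""
    return min(range(14), key=lambda n: abs(wq_from_setting(n) * 100 - percent))


@dataclass
class WredProfile:
    min_avg_q: int = 356 * KBYTE      # bytes (Table 95: 356 KByte)
    max_avg_q: int = 1024 * KBYTE     # bytes (Table 95: 1024 KByte)
    pkt_size_max: int = 16384         # bytes
    p_max: float = 0.02               # 2% maximum drop probability
    averaging_weight: int = 9         # Table 94: setting 9 = 0.2%

    def update_avg(self, avg_q_size: float, current_q_size: int) -> float:
        """avg <- (1 - Wq) * avg + Wq * current: the 'statistical average' queue size."""
        wq = wq_from_setting(self.averaging_weight)
        return (1.0 - wq) * avg_q_size + wq * current_q_size

    def drop_probability(self, avg_q_size: float, pkt_size: int) -> float:
        """The guide's Pdrop between the thresholds; 0 below min, 1 at or above max."""
        if avg_q_size < self.min_avg_q:
            return 0.0
        if avg_q_size >= self.max_avg_q:
            return 1.0                       # assumption: beyond max everything is dropped
        size_factor = min(pkt_size, self.pkt_size_max) / self.pkt_size_max
        fill = (avg_q_size - self.min_avg_q) / (self.max_avg_q - self.min_avg_q)
        return size_factor * self.p_max * fill

    def accept(self, avg_q_size: float, pkt_size: int, rnd: float) -> bool:
        """rnd is a uniform random number in [0, 1), injected so runs are reproducible."""
        return rnd >= self.drop_probability(avg_q_size, pkt_size)
```

Because the size factor scales Pdrop by packet size, small packets (for example control-plane keepalives) are dropped far less often than full-size frames at the same average queue depth; that is the "weighted" part of WRED and the reason a low Max drop probability still protects small control packets under congestion.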
Scheduling traffic for forwarding
If the traffic being processed by a device is within the capacity of the switch, all traffic is forwarded as received. Once the switch becomes bandwidth constrained, traffic becomes subject to drop priority, if configured as described in “Determining packet drop priority using WRED” on page 479, or to traffic scheduling as described in this section.
Configuring strict priority-based traffic scheduling
To configure strict priority-based scheduling, use a command such as the following.
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e1000-1/1)# qos scheduler strict
Syntax: qos scheduler strict

Configuring enhanced strict priority-based traffic scheduling
To configure enhanced strict priority-based scheduling, use a command such as the following.
The values of the remaining queues are calculated to be the following.
q2 = 30%, q1 = 20%, and q0 = 10%

Configuring WFQ destination-based traffic scheduling
To configure WFQ destination-based scheduling, use a command such as the following.
Syntax: qos scheduler max-rate
The variable defines the maximum bandwidth allocated to forwarding queue 0 in Kbps. The variable defines the maximum bandwidth allocated to forwarding queue 1 in Kbps. The variable defines the maximum bandwidth allocated to forwarding queue 2 in Kbps.
BigIron RX#show qos scheduler
Port  | Scheduler Type                       | Prio0   | Prio1   | Prio2   | Prio3
      | (Rates where specified are in Kbps)  |         |         |         |
------+--------------------------------------+---------+---------+---------+---------
13/1  | strict                               |         |         |         |
13/2  | enhanced-strict        Rate          | 100000  | 200000  | 300000  | Remaining
13/3  | min-rate               Rate          | 102400  | 204800  | 307200  | 409600
13/4  | strict                               |         |         |         |
13/5  | strict                               |         |         |         |
13/6  | max-rate               Rate          | 400000  | 400000  | 800000  | 10000000
13/7  | destination-weighted   Weight        | 15      | 25      | 25      | 35
13/8  | strict                               |         |         |         |
13/9  | source-w
Configuring multicast traffic engineering
To limit the multicast traffic through the packet processor that includes port 1/1 to 10 Mbps, use the following command.
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e1000-1/1)# qos multicast best-effort rate 10000
Syntax: qos multicast best-effort rate
The variable defines the bandwidth of multicast traffic that is allowed to pass through the packet processor that includes the port on which this command is configured.
QoS for the oversubscribed 16 x 10GE modules
The 16-port 10 Gigabit Ethernet oversubscribed module plugs into any port slot of the BigIron RX switch and is compatible with all previous generations of cards on that switch. It provides 16 x 10GE interfaces with 4:1 oversubscription on the 16 x 10GE network ports.

Aggregation NP QoS modes
The 16x10 module supports two ingress scheduling modes: Server and Storage.
In both Server and Storage modes, network control traffic uses Drop Precedence 0 (DP0). Incoming network control traffic is assigned DP0 and all other traffic is assigned DP1, which allows the module to prefer network control traffic during congestion. Network control traffic is always assigned to the high priority queue associated with the incoming network port.
TABLE 96 QOS profile table (Continued)
12 | 4 | 0 | 0 or 4 | High priority TC DP0 (Network control)
13 | 5 | 0 | 1 or 5 | High priority TC DP0 (Network control)
14 | 6 | 0 | 2 or 6 | High priority TC DP0 (Network control)
15 | 7 | 0 | 3 or 7 | High priority TC DP0 (Network control)

Setting the group port weights
The command qos rcv-scheduler wfq 1 2 3 4 5 6 7 8 1 2 1 2 1 2 is used for Storage mode. This mode uses weighting to determine the queue scheduling.
The values of the remaining weights are calculated to be the following:
w0 = 4.17%, w1 = 20.83%, w2 = 4.17%, w4 = 4.17%, w5 = 20.83%, w6 = 4.17%, and w7 = 20.83%

Egress port shaping
The 16x10GE module is designed to provide port fairness, but the cost is a smaller number of usable queues per input port (on egress). Traffic received on a network port is assigned to one of 2 egress queues with a specific drop precedence value.
Configuring QoS for the 16 x 10G module
New CLI commands have been added to allow switching between Server and Storage modes on the 16 x 10GE module. The new commands are part of the qos group and are configured at the interface level.

Configuration steps
1. To set the group port 1 weight for low priority traffic, enter the following command.
BigIron RX(config-if-e10000-4/1)#qos rcv-scheduler wfq 1
2.
Use the wfq parameter to set the 16x10G module to weighted fair queuing mode. Use the num parameter to set the port weight. Refer to Table 97 on page 495 for additional information on possible values. The no qos rcv-scheduler command returns the module to the default mode (Server).
Chapter 19 Configuring Traffic Reduction

Traffic policing on the BigIron RX Series
The BigIron RX Series Router provides line-rate traffic policing in hardware on inbound ports and outbound ports. You can configure a BigIron RX Series Router to use one of the following modes of traffic policing policies:
• Port-based – Limits the rate on an individual physical port to a specified rate. Only one inbound and one outbound port-based traffic policing policy can be applied to a port.
Traffic reduction parameters and algorithm
The requested rate represents a percentage of an interface's line rate (bandwidth), expressed in bits per second (bps). The requested rate must be entered in multiples of 515,624 bps. If you enter a number that is not a multiple of 515,624, the software adjusts the rate down to the nearest lower multiple so that the calculation of credits does not leave a remainder of a partial credit.
The running total can never exceed the maximum credit total. When packets arrive at the port, a class is assigned to the packet based on the rate limiting policies. If the running total of the class is less than the size of the packet, the packet is dropped. Otherwise, the size of the packet is subtracted from the running total and the packet is forwarded.
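The credit algorithm just described (rate rounded down to a multiple of 515,624 bps, credits accumulated up to a maximum credit total, a packet forwarded only when the running total covers its size) is a token bucket, and it can be exercised directly. The following is an added example, not Brocade code. The length of the credit interval (one second here, so that credits equal bytes per second), and sizing the maximum credit total as one interval's credits plus the configured maximum burst, are assumptions; the guide does not give those details on this page.

```python
"""Credit-based traffic policing as the guide describes it.

Added example; not Brocade code. The requested rate is adjusted down to a
multiple of 515,624 bps; each credit interval adds credits (bytes) to a
running total capped at the maximum credit total; a packet is forwarded
only if the running total is at least its size, otherwise it is dropped.
The credit interval length and the maximum-credit sizing are assumptions.
"""
RATE_GRANULARITY_BPS = 515_624


def adjust_rate(requested_bps: int) -> int:
    """Round a requested rate down to the nearest multiple of 515,624 bps."""
    if requested_bps < RATE_GRANULARITY_BPS:
        raise ValueError("requested rate must be at least 515,624 bps")
    return requested_bps - requested_bps % RATE_GRANULARITY_BPS


class Policer:
    def __init__(self, requested_bps: int, max_burst_bits: int = 0, interval_s: float = 1.0):
        self.rate_bps = adjust_rate(requested_bps)
        self.credit_per_interval = self.rate_bps * interval_s / 8    # bytes added per interval
        self.max_credit = self.credit_per_interval + max_burst_bits / 8
        self.running_total = self.max_credit                        # start with a full bucket
        self.forwarded = 0
        self.dropped = 0

    def tick(self) -> None:
        """One credit interval elapses; the running total never exceeds the maximum."""
        self.running_total = min(self.max_credit, self.running_total + self.credit_per_interval)

    def admit(self, pkt_bytes: int) -> bool:
        """Drop if credits are short; otherwise charge the packet and forward it."""
        if self.running_total < pkt_bytes:
            self.dropped += 1
            return False
        self.running_total -= pkt_bytes
        self.forwarded += 1
        return True


def police(policer: Policer, intervals) -> list:
    """intervals: one list of packet sizes (bytes) per credit interval.

    Returns the number of packets forwarded in each interval.
    """
    out = []
    for i, sizes in enumerate(intervals):
        if i:
            policer.tick()
        out.append(sum(policer.admit(size) for size in sizes))
    return out


if __name__ == "__main__":
    # Constructed sample: 1,000,000 bps is not a multiple of 515,624 and is
    # adjusted down to 515,624 bps, i.e. 64,453 bytes of credit per second.
    p = Policer(1_000_000)
    print(p.rate_bps, police(p, [[30_000, 30_000, 30_000], [30_000, 30_000]]))
```

The rounding matters when a policy is meant to enforce an exact contractual rate: 1,000,000 bps silently becomes 515,624 bps, so the value shown by show rate-limit, not the value typed, is the one to verify.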
Configuring rate limiting policies
TABLE 98
The parameter specifies the extra bits above the requested rate that traffic can have. Refer to “Maximum burst” on page 500 for more details.

Configuring a port-and-priority-based rate limiting policy
802.1p packet priority is used by default. The priority number specifies the IEEE 802.1p equivalent to one of the four Brocade QoS queues. You can configure port-and-priority-based rate limiting for each of the priority numbers 1 - 7 on a port.
Configuring a VLAN-group-based rate limiting policy
A rate limiting policy can be applied to a VLAN group. VLANs that are members of a VLAN group share the bandwidth specified in the rate limiting policy applied to that group. To configure a rate limiting policy for a VLAN group, do the following.
1. Define the VLANs that you want to place in a rate limiting VLAN group.
2.
The priority parameter specifies the 802.1p priority levels 0 - 7, equivalent to one of the four QoS queues. For information on the priority levels and the corresponding queue, refer to “Assigning QoS priorities to traffic” on page 472. For information on the requested rate and maximum burst, refer to “Configuring a port-based rate limiting policy” on page 502.
These commands first configure access-list groups that contain the ACLs that will be used in the rate limiting policy. Use the permit condition for traffic that will be rate limited. Traffic that matches the condition is not subject to rate limiting and is allowed to pass through. Refer to “Configuring a port-and-IPv6 ACL-based traffic reduction” on page 506 for information on how to drop traffic that matches deny conditions.
NP based multicast, broadcast, and unknown-unicast rate limiting
NOTE: Beginning with release 02.7.00, the multicast limit, broadcast limit, and unknown-unicast limit commands have been superseded by the multicast rate-limit, broadcast rate-limit, and unknown-unicast rate-limit commands. You must reconfigure the rate limiting when upgrading to the 02.7.00 Multi-Service IronWare. Beginning with release 02.7.
Displaying traffic reduction
BigIron RX(config)# show rate-limit
interface e 1/1
 rate-limit input 499321856 750000000
interface e 1/3
 rate-limit input vlan-id 10 499321856 750000000
 rate-limit input vlan-id 20 97523712 200000000
To display bytes forwarded and dropped, enter the following command.
Chapter 20 Layer 2 ACLs
This chapter presents information on configuring and viewing Layer 2 ACLs. Layer 2 Access Control Lists (ACLs) filter incoming traffic based on Layer 2 MAC header fields in the Ethernet/IEEE 802.3 frame.
• You cannot add remarks to a Layer 2 ACL clause.

Configuring Layer 2 ACLs
Configuring a Layer 2 ACL is similar to configuring standard and extended ACLs. Layer 2 ACL table IDs range from 400 to 499, for a maximum of 100 configurable Layer 2 ACL tables. Within each Layer 2 ACL table, you can configure from 64 (default) to 256 clauses. Each clause or entry can define a set of Layer 2 parameters for filtering.
The | any parameter specifies the source MAC address. You can enter a specific address and a comparison mask, or the keyword any to filter on all MAC addresses. Specify the mask using F’s and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000. In this case, the clause matches all source MAC addresses that contain “aabb” as the first two bytes and any values in the remaining bytes of the MAC address.
Inserting and deleting Layer 2 ACL clauses
You can make changes to the Layer 2 ACL table definitions without unbinding and rebinding the table from an interface. For example, you can add a new clause to the ACL table, delete a clause from the table, delete the ACL table, etc.

Binding a Layer 2 ACL table to an interface
To enable Layer 2 ACL filtering, bind the Layer 2 ACL table to an interface.
NOTE: Layer 2 ACLs cannot be bound to virtual routing interfaces.
Example of Layer 2 ACL deny by MAC address
In the following example, an ACL is created that denies all traffic from the host with the MAC address 0012.3456.7890 being sent to the host with the MAC address 0011.2233.4455.
BigIron RX(config)# access-list 401 deny 0012.3456.7890 ffff.ffff.ffff 0011.2233.4455 ffff.ffff.ffff
BigIron RX(config)# access-list 401 permit any any
Using the mask, you can make the access list apply to a range of addresses.
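The mask semantics described for Layer 2 ACLs (F nibbles are compared, 0 nibbles are ignored) are the opposite of the IP ACL wildcard masks in the next chapter, which is a common source of mis-written clauses. The following added example, not code from the guide, parses clauses in the form shown above and evaluates frames against them in order, so a table can be checked before it is bound to an interface. Treating a frame that matches no clause as denied is an assumption about the implicit default that this page does not state; the MAC addresses beyond the guide's own are constructed sample values.

```python
"""Layer 2 ACL clause parsing and evaluation with Brocade-style MAC masks.

Added example; not code from the Brocade guide. Parses clauses such as
'access-list 401 deny 0012.3456.7890 ffff.ffff.ffff 0011.2233.4455 ffff.ffff.ffff'
and 'access-list 401 permit any any', applies the guide's mask rule
(F nibbles must match, 0 nibbles are wildcards) and evaluates frames in
clause order. The implicit deny for unmatched frames is an assumption.
"""
import re
from dataclasses import dataclass

_MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def mac_to_int(mac: str) -> int:
    """'aabb.ccdd.eeff' -> 0xaabbccddeeff (also used for masks)."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"bad MAC address or mask: {mac!r}")
    return int(mac.replace(".", ""), 16)


@dataclass(frozen=True)
class L2Clause:
    acl_id: int
    action: str            # 'permit' or 'deny'
    src: int
    src_mask: int          # set bits are compared, clear bits are wildcards
    dst: int
    dst_mask: int

    def matches(self, src_mac: int, dst_mac: int) -> bool:
        return ((src_mac ^ self.src) & self.src_mask) == 0 and \
               ((dst_mac ^ self.dst) & self.dst_mask) == 0


def _parse_addr(tokens, i):
    """'any' consumes one token and matches everything; '<mac> <mask>' consumes two."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    return mac_to_int(tokens[i]), mac_to_int(tokens[i + 1]), i + 2


def parse_clause(line: str) -> L2Clause:
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a Layer 2 ACL clause: {line!r}")
    acl_id = int(t[1])
    if not 400 <= acl_id <= 499:
        raise ValueError("Layer 2 ACL IDs range from 400 to 499")
    src, src_mask, i = _parse_addr(t, 3)
    dst, dst_mask, i = _parse_addr(t, i)
    if i != len(t):
        raise ValueError(f"unexpected trailing tokens in {line!r}")
    return L2Clause(acl_id, t[2], src, src_mask, dst, dst_mask)


def parse_acl(text: str) -> list:
    """Parse one clause per non-empty line, preserving order."""
    return [parse_clause(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl, src_mac: str, dst_mac: str) -> str:
    """First matching clause decides; no match -> 'deny' (assumed implicit default)."""
    s, d = mac_to_int(src_mac), mac_to_int(dst_mac)
    for clause in acl:
        if clause.matches(s, d):
            return clause.action
    return "deny"


# Constructed sample table: the guide's host-to-host deny, a prefix-based deny
# covering every source whose first two bytes are aabb, then permit any any.
SAMPLE_ACL = parse_acl("""
access-list 401 deny 0012.3456.7890 ffff.ffff.ffff 0011.2233.4455 ffff.ffff.ffff
access-list 401 deny aabb.ccdd.eeff ffff.0000.0000 any
access-list 401 permit any any
""")
```

A mask of 0000.0000.0000 makes a clause match every address regardless of what is typed in the address field, so a clause intended as a single-host deny but entered with a zero mask would silently become a deny-all; evaluating a few known frames against the parsed table, as above, catches that before the table is bound.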
Chapter 21 Access Control List
This chapter describes the IP Access Control List (ACL) feature, which enables you to filter traffic based on the information in the IP packet header. For details on Layer 2 ACLs, refer to “Types of IP ACLs” on page 516. You can use IP ACLs to provide input to other features such as route maps, distribution lists, rate limiting, and BGP. When you use an ACL this way, use permit statements in the ACL to specify the traffic that you want to send to the other feature.
RX-BI-16XG (16 x 10GE) Module EGRESS ACL Configuration Guidelines
• The RX-BI-16XG 16 x 10GE module only supports standard, extended, named, and numbered ACLs for outbound access-group applications.
• Egress filtering on a subset of the ports of a VE is not supported; matching must apply to all VE ports.
• Matching the SPI field value is not supported for egress ACLs.
• Matching the fragment or fragmentation-offset field is not supported.
ACL IDs and entries
Standard or extended ACLs can be numbered or named. Standard ACLs are numbered from 1 – 99; extended ACLs are numbered 100 – 199. Super ACLs may be assigned numbered IDs only, from 500 - 599. IDs for standard or extended ACLs can also be a character string (named). In this document, an ACL with a string ID is called a named ACL.
ACL-based inbound mirroring
With IronWare Release 02.4.00, the Multi-Service IronWare software supports using an ACL to select traffic for mirroring from one port to another. Using this feature, you can monitor traffic in the mirrored port using a protocol analyzer.
BigIron RX(config)#access-list 101 permit ip any any mirror
The mirror parameter directs selected traffic to the mirrored port. Traffic can only be selected using the permit clause. The mirror parameter is supported on rACLs.

Applying the ACL to an interface
You must apply the ACL to an interface using the ip access-group command as shown in the following.
BigIron RX(config)# trunk switch ethernet 1/1 to 1/2
BigIron RX(config-trunk-1/1-1/2)# config-trunk-ind
BigIron RX(config-trunk-1/1-1/2)# acl-mirror-port ethe-port-monitored 1/1 ethernet 1/3
The following considerations apply when configuring ACL-based mirroring with trunks:
• You must configure ACL-mirroring for a trunk within the trunk configuration as shown in the examples.
Configuring ACL-based mirroring for ACLs bound to virtual interfaces
For configurations that have an ACL bound to a virtual interface, you must configure the acl-mirror-port command on a port for each PPCR that is a member of the virtual interface. For example, in the following configuration, ports 4/1 and 4/2 share the same PPCR while port 4/3 uses another PPCR.
Configuring numbered and named ACLs
Standard ACLs permit or deny packets based on source IP addresses. You can configure up to 99 standard ACLs. There is no limit to the number of ACL entries an ACL can contain, except for the system-wide limitation. For the number of ACL entries supported on a BigIron RX, refer to “ACL IDs and entries” on page 517. To configure a standard ACL and apply it to outgoing traffic on port 1/1, enter the following commands.
Specifies the portion of the source IP host address to match against. The mask is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the corresponding bits of the configured source address. Ones mean any value matches. For example, the source address and mask values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
• Destination TCP or UDP port (if the IP protocol is TCP or UDP)
The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255:
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Internet Gateway Routing Protocol (IGRP)
• Internet Protocol (IP)
• Open Shortest Path First (OSPF)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
For TCP and UDP, you also can specify a comp
The following commands apply ACL 102 to the incoming and outgoing traffic on port 1/2 and to the incoming traffic on port 4/3.
BigIron RX(config)# int eth 1/2
BigIron RX(config-if-e10000-1/2)# ip access-group 102 in
BigIron RX(config-if-e10000-1/2)# exit
BigIron RX(config)# int eth 4/3
BigIron RX(config-if-e10000-4/3)# ip access-group 102 in
BigIron RX(config)# write memory
Here is another example of an extended ACL.
BigIron RX(config)#
BigIron RX(config)# 209.157.
[ ] [match-all ] [match-any ] [] [established] [precedence | ] [tos ] [dscp-matching ] [802.1p-priority-matching ] [dscp-marking 802.
Specifies a comparison operator for the TCP or UDP port number. You can enter one of the following operators:
• eq – The policy applies to the TCP or UDP port name or number you enter after eq.
• gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.
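The wildcard mask rule given for the source address (0 bits must match, 1 bits match anything), the host and any shorthands, and the eq and gt port operators just described can be exercised together on sample entries before an ACL is applied. The following is an added example, not code from the guide. Port names are resolved from a handful of Table 100 entries that appear later in this chapter; the implicit deny for packets that match no entry is standard ACL behaviour assumed here rather than stated on this page; the addresses and entries beyond the guide's own are constructed samples.

```python
"""Standard and extended IP ACL evaluation with wildcard masks.

Added example; not code from the Brocade guide. Implements the wildcard
mask rule (0 bits must match, 1 bits are ignored), 'host'/'any', first-match
evaluation and the eq/gt port operators. Implicit deny is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# A few names from Table 100 (TCP/UDP port numbers and names).
PORT_NAMES = {"rlp": 39, "kerberos": 88, "ssl": 443, "snpp": 444,
              "microsoft-ds": 445, "exec": 512, "login": 513}


def wildcard_match(addr: int, pattern: int, wildcard: int) -> bool:
    """Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored."""
    return ((addr ^ pattern) & ~wildcard & 0xFFFFFFFF) == 0


def _parse_addr(t, i):
    """Returns (pattern, wildcard, next index) for 'any', 'host A' or 'A W'."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(IPv4Address(t[i + 1])), 0, i + 2
    return int(IPv4Address(t[i])), int(IPv4Address(t[i + 1])), i + 2


def _parse_port_op(t, i):
    """Optional 'eq <port>' or 'gt <port>' following an address; names via Table 100."""
    if i < len(t) and t[i] in ("eq", "gt"):
        port = t[i + 1]
        return (t[i], PORT_NAMES[port] if port in PORT_NAMES else int(port)), i + 2
    return None, i


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str                          # 'ip' for standard entries
    src: int
    src_wild: int
    dst: int = 0
    dst_wild: int = 0xFFFFFFFF
    sport_op: Optional[tuple] = None    # ('eq' | 'gt', port)
    dport_op: Optional[tuple] = None
    log: bool = False


def _port_ok(op, port) -> bool:
    if op is None:
        return True
    if port is None:
        return False
    name, value = op
    return port == value if name == "eq" else port > value


def parse_entry(line: str) -> Entry:
    t = line.split()
    if not t or t[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACL entry: {line!r}")
    log = t[-1] == "log"                # trailing 'log' keyword, as in the guide's example
    if log:
        t = t[:-1]
    if t[1] in ("ip", "tcp", "udp", "icmp"):            # extended entry
        src, sw, i = _parse_addr(t, 2)
        sop, i = _parse_port_op(t, i)
        dst, dw, i = _parse_addr(t, i)
        dop, i = _parse_port_op(t, i)
        return Entry(t[0], t[1], src, sw, dst, dw, sop, dop, log)
    src, sw, i = _parse_addr(t, 1)                       # standard entry: source only
    return Entry(t[0], "ip", src, sw, log=log)


def evaluate(entries, src: str, dst: str, proto="ip", sport=None, dport=None) -> str:
    """First matching entry decides; 'deny' if nothing matches (assumed implicit deny)."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if (wildcard_match(s, e.src, e.src_wild) and wildcard_match(d, e.dst, e.dst_wild)
                and _port_ok(e.sport_op, sport) and _port_ok(e.dport_op, dport)):
            return e.action
    return "deny"
```

Note the mask convention here is the inverse of the Layer 2 ACL masks in the previous chapter: an IP wildcard of 0.0.0.255 opens the last octet, whereas a Layer 2 mask of ffff.ffff.0000 closes the first four bytes. Copying one convention into the other produces clauses that match far more, or far less, than intended.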
Enter one of the following values, depending on the software version the device is running:
• any-icmp-type
• echo
• echo-reply
• information-request
• log
• mask-reply
• mask-request
• parameter-problem
• redirect
• source-quench
• time-exceeded
• timestamp-reply
• timestamp-request
• unreachable
NOTE: If the ACL is for the inbound traffic direction on a virtual routing interface, you also can specify a subset of ports within the VLAN containing
• tos |
• 802.1p-priority-matching – Only packets that have the specified 802.1p priority will be matched. Valid range is 0-7.
Specify the IP ToS name or number. You can specify one of the following:
• max-reliability or 2 – The ACL matches packets that have the maximum reliability ToS. The decimal value for this option is 2.
• max-throughput or 4 – The ACL matches packets that have the maximum throughput ToS.
• The dscp-cos-mapping parameter takes the DSCP value you specified and compares it to an internal QoS table, which is indexed by DSCP values. The corresponding 802.1p priority, internal forwarding priority, and DSCP value are assigned to the packet. For example, if you enter dscp-marking 7 and the internal QoS table is configured as shown in Table 99, the new QoS value for the packet is:
• 802.
The following examples show how to configure a named standard ACL entry and a named extended ACL entry.

Configuration example for standard ACL
To configure a named standard ACL entry, enter commands such as the following.
BigIron RX(config)# ip access-list standard Net1
BigIron RX(config-std-nacl)# deny host 209.157.22.26 log
BigIron RX(config-std-nacl)# deny 209.157.29.
NOTE: For convenience, the software allows you to configure numbered ACLs using the syntax for named ACLs. The software also still supports the older syntax for numbered ACLs. Although the software allows both methods for configuring numbered ACLs, numbered ACLs are always formatted in the startup-config and running-config files using the older syntax, as follows.
access-list 1 deny host 209.157.22.26 log
access-list 1 deny 209.157.22.0 0.
Syntax: [no] ip access-group in
The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring extended numbered ACLs” on page 523.

Configuring super ACLs
This section describes how to configure super ACLs with numeric IDs.
• For configuration information on named ACLs, refer to “Configuring standard or extended named ACLs” on page 531.
vlan-id | ip-pkt-len | ip-fragment-match {[fragment [fragment-offset <0 - 8191>]] | [non-fragment] | [first-fragment]} | ip-protocol | sip {/ | host } | dip {/ | host } | sp | dp | icmp-detail | dscp-matching <0 – 63> | 802.
sp – Enables packet matching based on the specified source TCP/UDP port.
dp – Enables packet matching based on the specified destination TCP/UDP port.
icmp-detail – Enables packet matching based on ICMP information.
802.1p-priority-matching – Enables packet matching based on the specified 802.1p priority value. Valid range is 0-7.
ipsec-spi – This parameter filters packets based on their IPSEC Security Parameter Index (SPI). Enter this value in hexadecimal.
Displaying ACL definitions
BigIron RX(config)#show access-list name entry
Standard IP access list entry
deny host 5.6.7.8
deny host 192.168.12.3
permit any
Syntax: show access-list name
Enter the ACL name for the parameter or the ACL number for .
TABLE 100  TCP/UDP port numbers and names (Continued)
Port service number  Port name      Description
39                   rlp            Resource Location Protocol
41                   graphics       Graphics
42                   nameserver     Host Name Server
43                   nicname        Who Is
44                   mpm-flags      MPM FLAGS Protocol
45                   mpm            Message Processing Module [recv]
46                   mpm-snd        MPM [default send]
47                   ni-ftp         NI FTP
48                   auditd         Digital Audit Daemon
50                   re-mail-ck     Remote Mail Checking Protocol
51                   la-maint       IMP Logical Address Maintenance
85                   mit-ml-dev2    MIT ML Device
86                   mfcobol        Micro Focus Cobol
88                   kerberos       Kerberos
89                   su-mit-tg      SU/MIT Telnet Gateway
90                   dnsix          DNSIX Security Attribute Token Map
91                   mit-dov        MIT Dover Spooler
92                   npp            Network Printing Protocol
93                   dcp            Device Control Protocol
94                   objcall        Tivoli Object Dispatcher
95                   supdup         SUPDUP
96                   dixie          DIXIE Protocol Specification
97                   swift-
121                  erpc           Encore Expedited Remote Pro.
159                  nss-routing    NSS-Routing
160                  sgmp-traps     SGMP-TRAPS
163                  cmip-man       CMIP/TCP Manager
164                  cmip-agent     CMIP/TCP Agent
165                  xns-courier    Xerox
166                  s-net          Sirius Systems
167                  namp           NAMP
168                  rsvd           RSVD
169                  send           SEND
170                  print-srv      Network PostScript
171                  multiplex      Network Innovations Multiplex
172                  cl/1           Network Innovations CL/1
173                  xyplex-mux     Xyplex
174                  mail
196                  dn6-smm-red    DNSIX Session Mgt Module Audit Redir
197                  dls            Directory Location Service
198                  dls-mon        Directory Location Service Monitor
199                  smux           SMUX
200                  src            IBM System Resource Controller
201                  at-rtmp        AppleTalk Routing Maintenance
202                  at-nbp         AppleTalk Name Binding
203                  at-3           AppleTalk Unused
204                  at-echo        AppleTalk Echo
205                  at-5           AppleTalk Unused
20
348                  csi-sgwp       Cabletron Management Protocol
371                  clearcase      Clearcase
372                  ulistserv      ListProcessor
373                  legent-1       Legent Corporation
374                  legent-2       Legent Corporation
375                  hassle         Hassle
376                  nip            Amiga Envoy Network Inquiry Protocol
377                  tnETOS         NEC Corporation
378                  dsETOS         NEC Corporation
379                  is99c          TIA/EIA/IS-99 modem client
380                  is99s          TIA/EIA/IS-99 modem server
3
406                  imsp           Interactive Mail Support Protocol
407                  timbuktu       Timbuktu
408                  prm-sm         Prospero Resource Manager Sys. Man.
409                  prm-nm         Prospero Resource Manager Node Man.
442                  cvc_hostd      cvc_hostd
443                  ssl            http protocol over TLS/SSL
444                  snpp           Simple Network Paging Protocol
445                  microsoft-ds   Microsoft-DS
446                  ddm-rdb        DDM-RDB
447                  ddm-dfm        DDM-RFM
448                  ddm-byte       DDM-BYTE
449                  as-servermap   AS Server Mapper
450                  tserver        Computer Supported Telecommunication Applications
512                  exec           remote process execution
513                  login          remote login a la teln
570                  meter-570      demon
571                  meter-571      udemon
600                  ipcserver      Sun IPC server
606                  nqs            nqs
607                  urm            urm
608                  sift-uft       Sender-Initiated or Unsolicited File Transfer
609                  npmp-trap      npmp-trap
610                  npmp-local     npmp-local
611                  npmp-gui       npmp-gui
634                  ginad          ginad
666                  mdqs           mdqs
667                  doom           doom ID software
704                  elcsd          errlog copy or server daemon
709                  entrustmana
765                  webster        webster
767                  phonebook      phone
769                  vid            VID
770                  cadlock-770    CADLOCK -770
771                  rtip           rtip
772                  cycleserv2     CYCLE Server
773                  submit         SUBMIT
774                  rpasswd        rpasswd
775                  entomb         entomb
776                  wpages         wpages
780                  wpgs           wpgs
786                  concert        concert
800                  mdbs_daemon    mdbs_daemon
801                  device         device
996                  xtreelic       XTREE License Server
997                  maitrd         maitrd
998                  busboy         busbo
ACL logging

NOTE
Logging is not currently supported on management interfaces.

Enabling the new logging method

There are no new CLI commands to enable this new processing method; it takes effect automatically if the following items have been configured:
• Syslog logging is enabled.
  BigIron RX(config)#logging on
• The log option is added to an ACL statement, as in the following example.

Modifying ACLs

You can use the CLI to reorder entries within an ACL by individually removing the ACL entries and then re-adding them. To use this method, enter “no” followed by the command for an ACL entry, and repeat this for each ACL entry in the ACL you want to edit. After removing all the ACL entries from the ACL, re-add them. This method works well for small ACLs such as the example above, but can be impractical for ACLs containing many entries.

NOTE
This command will be unsuccessful if you place any commands other than access-list and end (at the end only) in the file. These are the only commands that are valid in a file you load using the copy tftp running-config… command.

7. To save the changes to the device’s startup-config file, enter the following command at the Privileged EXEC level of the CLI.
   write memory

NOTE
Do not place other commands in the file.

NOTE
An ACL remark is attached to each individual filter only, not to the entire ACL.

Complete the syntax by specifying any options you want for the ACL entry. Options you can use to configure standard or extended numbered ACLs are discussed in “Configuring standard or extended named ACLs” on page 531.

Numbered ACLs: deleting a comment

To delete a remark from a numbered ACL, re-enter the remark command without any remark.
• remark - adds a comment to the ACL entry. The comment can contain up to 128 characters. Comments must be entered separately from actual ACL entries; that is, you cannot enter an ACL entry and an ACL comment with the same command. Also, in order for the remark to be displayed correctly in the output of show commands, a comment must be entered immediately before the ACL entry it describes.
• deny | permit - denies or permits specified traffic.

Deleting ACL entries

The parameter specifies the ACL entry to be deleted. The parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 1 – 99 for standard ACLs, 100 – 199 for extended ACLs, or 500 – 599 for super ACLs. You must enter the complete deny or permit statement for the variable. Complete the configuration by specifying options for the ACL entry.
Applying ACLs to interfaces

Configuration examples in the section “Configuring numbered and named ACLs” on page 521 show that you apply ACLs to interfaces using the ip access-group command. This section presents additional information about applying ACLs to interfaces. Configuration examples for super ACLs appear in the section “Configuring super ACLs” on page 534.

NOTE
Applying an ACL to a subset of physical interfaces under a virtual routing interface multiplies the amount of CAM used by the number of physical interfaces specified. An ACL that successfully functions over a whole virtual routing interface may fail if you attempt to apply it to a subset of physical interfaces.

To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following.
When the first Syslog entry for a packet denied by an ACL is generated, the software starts an ACL timer. After this, the software sends Syslog messages every 1 to 10 minutes, depending on the value of the timer interval. If an ACL entry does not permit or deny any packets during the timer interval, the software does not generate a Syslog entry for that ACL entry.
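The timer behaviour above matters when you read ACL deny logs on a collector: one Syslog record does not mean one packet. The following simulation is an added example, not code from the guide or from Brocade; it models the described behaviour (first denied packet logged immediately and the timer started, then at most one summary per interval, none for an idle interval) so the relationship between packets and log records can be seen. The 60-second interval, the entry id format and the event timestamps are constructed assumptions.

```python
"""Simulation of the rate-limited ACL deny logging described above (added example)."""
from typing import Dict, Iterable, List, Tuple

Event = Tuple[float, str]           # (time in seconds, ACL entry id)
LogRecord = Tuple[float, str, int]  # (time logged, ACL entry id, packets covered)


def summarize_acl_log(events: Iterable[Event], until: float,
                      interval: float = 60.0) -> List[LogRecord]:
    """Collapse per-packet deny events into the Syslog records the device would emit.

    Modelled from the guide's description: the first denied packet for an ACL entry
    is logged at once and starts that entry's timer; afterwards one message per timer
    interval summarises the packets seen in that interval, and an interval with no
    packets produces no message. The interval length is an assumption (the guide says
    1 to 10 minutes, depending on the configured timer).
    """
    timers: Dict[str, List[float]] = {}   # entry -> [window start, pending packet count]
    logs: List[LogRecord] = []

    def close_windows(entry: str, now: float) -> None:
        # Emit a summary for every completed window that saw at least one packet.
        start, pending = timers[entry]
        while start + interval <= now:
            if pending:
                logs.append((start + interval, entry, int(pending)))
                pending = 0
            start += interval
        timers[entry] = [start, pending]

    for t, entry in sorted(events):
        if entry not in timers:
            logs.append((t, entry, 1))       # first packet: logged immediately, timer starts
            timers[entry] = [t, 0]
            continue
        close_windows(entry, t)
        timers[entry][1] += 1                # counted into the current window
    for entry in list(timers):
        close_windows(entry, until)          # flush windows that ended before `until`
    return sorted(logs)


# Constructed deny events for one ACL entry: a burst, a straggler, then silence.
SAMPLE_EVENTS: List[Event] = [(0, "acl101:seq10"), (5, "acl101:seq10"), (10, "acl101:seq10"),
                              (30, "acl101:seq10"), (70, "acl101:seq10")]


def sample_summary() -> List[LogRecord]:
    """Five denied packets become three Syslog records: at t=0 (1), t=60 (3) and t=120 (1)."""
    return summarize_acl_log(SAMPLE_EVENTS, until=400)


if __name__ == "__main__":
    for when, entry, count in sample_summary():
        print(f"t={when:>5}  {entry}  {count} packet(s) denied")
```

When correlating these records, treat the count in each summary as the packets seen during that interval and the record timestamp as the end of the interval, not the time of the last packet.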
Enabling ACL duplication check

If desired, you can enable software checking for duplicate ACL entries. To do so, enter the following command at the Global CONFIG level of the CLI.
BigIron RX(config)# acl-duplication-check-disable
Syntax: [no] acl-duplication-check-disable
This command is disabled by default.

ACL accounting

The BigIron RX monitors the number of times an ACL is used to filter incoming or outgoing traffic on an interface.

BigIron RX(config)#show access-list accounting brief
Collecting ACL accounting summary for VE 1 ... Completed successfully.
ACL Accounting Summary: (ac = accumulated since accounting started)
  Int   In ACL   Total In Hit
  VE 1  111      473963(1s) 25540391(1m) 87014178(5m) 112554569(ac)

The display shows the following information.

This field...                              Displays...
The IP multicast traffic snooping state    The first line of the display indicates whether IP multicast traffic snooping is enabled or disabled. If enabled, it indicates if the feature is configured as passive or active.
Collecting ACL accounting summary for      Shows the interface included in the report and whether or not the collection was successful.
Inbound ACL ID                             Shows the direction of the traffic on the interface and the ID of the ACL used.
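The accounting summary is a useful signal for a monitoring pipeline: a sudden jump in hits on a deny ACL often shows up here before anything else. The following parser and hit-rate check are an added example, not code from the guide or from Brocade. It assumes the parenthesised counters are hits in the last 1 second, 1 minute and 5 minutes (with "ac" the total since accounting started, as the display says), that the interface column is two tokens such as "VE 1", and that the second row of the sample output, "VE 2", is constructed; the "VE 1" row is the guide's own.

```python
"""Parser for 'show access-list accounting brief' output plus a hit-rate check (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Assumption: counters are hits in the last 1s / 1m / 5m and accumulated ('ac') hits.
_ROW = re.compile(
    r"^\s*(?P<iface>\S+\s+\S+)\s+(?P<acl>\d+)\s+"
    r"(?P<s1>\d+)\(1s\)\s+(?P<m1>\d+)\(1m\)\s+(?P<m5>\d+)\(5m\)\s+(?P<ac>\d+)\(ac\)\s*$"
)


@dataclass(frozen=True)
class AclHits:
    interface: str
    acl_id: int
    last_1s: int
    last_1m: int
    last_5m: int
    accumulated: int

    def rate_1m(self) -> float:
        """Average hits per second over the last minute."""
        return self.last_1m / 60.0

    def rate_5m(self) -> float:
        """Average hits per second over the last five minutes."""
        return self.last_5m / 300.0


def parse_accounting_brief(output: str) -> List[AclHits]:
    """Return one AclHits per counter row; header and status lines are skipped."""
    rows: List[AclHits] = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(AclHits(re.sub(r"\s+", " ", m["iface"]), int(m["acl"]),
                                int(m["s1"]), int(m["m1"]), int(m["m5"]), int(m["ac"])))
    return rows


def spiking(row: AclHits, factor: float = 2.0, floor: int = 1000) -> bool:
    """True when the last-second hit count exceeds `factor` times the 5-minute
    per-second average and is at least `floor`, so idle ACLs never trigger."""
    return row.last_1s >= floor and row.last_1s > factor * row.rate_5m()


# Constructed sample: first counter row is the guide's, the 'VE 2' row is made up.
SAMPLE = """\
Collecting ACL accounting summary for VE 1 ... Completed successfully.
ACL Accounting Summary: (ac = accumulated since accounting started)
  Int   In ACL   Total In Hit
  VE 1  111      473963(1s) 25540391(1m) 87014178(5m) 112554569(ac)
  VE 2  112      900000(1s) 3000000(1m) 6000000(5m) 6000000(ac)
"""

if __name__ == "__main__":
    for row in parse_accounting_brief(SAMPLE):
        flag = "SPIKE" if spiking(row) else "ok"
        print(f"{row.interface:6} ACL {row.acl_id}: {row.last_1s}/s now, "
              f"{row.rate_5m():.0f}/s 5m avg  {flag}")
```

Polling this output on an interval and feeding the rows to `spiking` gives a cheap first-line alert; tune `factor` and `floor` to the normal hit rate of each ACL rather than using one global threshold.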
Enabling ACL filtering of fragmented or non-fragmented packets

By default, when an extended ACL is applied to a port, the port will use the ACL to permit or deny the first fragment of a fragmented packet, but forward subsequent fragments of the same packet in hardware. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet.

Enter the fragment parameter to allow the ACL to filter fragmented packets. Use the non-fragmented parameter to filter non-fragmented packets.

NOTE
The fragment and non-fragmented parameters cannot be used together in an ACL entry.

Complete the configuration by specifying options for the ACL entry. Options you can use are discussed in the appropriate sections for configuring ACLs in this chapter.

ICMP filtering for extended ACLs

Named ACLs

For example, to deny the administratively-prohibited message type in a named ACL, enter commands such as the following.

TABLE 101  ICMP message types and codes (Continued)
ICMP message type       Type  Code
information-reply       16    0
mask-reply              18    0
mask-request            17    0
net-redirect            5     0
net-tos-redirect        5     2
net-tos-unreachable     3     11
net-unreachable         3     0
packet-too-big          3     4
parameter-problem       12    0
port-unreachable        3     3
precedence-cutoff       3     15
protocol-unreachable    3     2
reassembly-timeout      11    1
redirect                5     x
router-advertisement    9     0
router-solicitation     10    0
source-host-isol

Troubleshooting ACLs

• To determine whether the issue is specific to fragmentation, remove the Layer 4 information (TCP or UDP application ports) from the ACL, then reapply the ACL. If you are using another feature that requires ACLs, use the same ACL entries for filtering and for the other feature.
Chapter 22  Policy-Based Routing

Policy-Based Routing (PBR)

Policy-Based Routing (PBR) allows you to use ACLs and route maps to selectively modify and route IP packets in hardware. The ACLs classify the traffic. Route maps that match on the ACLs set routing attributes for the traffic. A PBR policy specifies the next hop for traffic that matches the policy. Using standard ACLs with PBR, you can route IP packets based on their source IP address.

• ACL – 416 entries
• Rate Limiting – 416 entries, shared with PBR

Configuring a PBR policy

To configure PBR, you define the policies using IP ACLs and route maps, then enable PBR globally or on individual interfaces. The device programs the ACLs into the Layer 4 CAM on the interfaces and routes traffic that matches the ACLs according to the instructions in the route maps.

NOTE
To specify the host name instead of the IP address, the host name must be configured using the Brocade device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI.

The parameter specifies the mask value to compare against the host address specified by the parameter.

BigIron RX(config)# route-map test-route permit 99
BigIron RX(config-routemap test-route)# match ip address 99
BigIron RX(config-routemap test-route)# set ip next-hop 192.168.2.1
BigIron RX(config-routemap test-route)# exit

The commands in this example configure an entry in a route map named “test-route”. The match statement matches on IP information in ACL 99. The set statement changes the next-hop IP address for packets that match to 192.168.2.1.
Enabling PBR locally

To enable PBR locally, enter commands such as the following.
BigIron RX(config)# interface ve 1
BigIron RX(config-vif-1)# ip policy route-map test-route

The commands in this example change the CLI to the Interface level for virtual interface 1, then apply the “test-route” route map to the interface. You can apply a PBR route map to Ethernet ports or virtual interfaces.

Configuration examples

Setting the next hop

The following commands configure the device to apply PBR to traffic from IP subnets 209.157.23.x, 209.157.24.x, and 209.157.25.x. In this example, route maps specify the next-hop gateway for packets from each of these subnets:
• Packets from 209.157.23.x are sent to 192.168.2.1.
• Packets from 209.157.24.x are sent to 192.168.2.2.
• Packets from 209.157.25.x are sent to 192.168.2.3.
The following commands configure three standard ACLs.

Setting the output interface to the null interface

The following commands configure a PBR to send all traffic from 192.168.1.204/32 to the null interface, thus dropping the traffic instead of forwarding it.
BigIron RX(config)# access-list 56 permit 209.168.1.204 0.0.0.0

The following commands configure an entry in a route map called “file-13”. The first entry (permit 56) matches on the IP address information in ACL 56 above. For IP traffic from the host 209.168.1.
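The two configuration examples above (per-subnet next hops, and a host steered to the null interface) share one evaluation model: a standard ACL classifies the source address with a wildcard mask, and the first route-map entry whose ACL permits the packet decides the outcome. The following Python model is an added example, not code from the guide or from Brocade, for checking a PBR policy offline before it is applied. The ACL numbers 50 to 52 and their 0.0.0.255 wildcard masks are assumptions (the guide names the subnets and next hops but its ACL commands are cut off); ACL 56 is the guide's own null-interface line. The route-map semantics in `pbr_decision` (sequence order, first permitting ACL wins, deny entries and non-matches fall back to normal routing) are the general PBR model and are stated as an assumption in the code.

```python
"""Offline model of PBR: standard ACLs with wildcard masks feeding route-map entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    address: int     # base address as a 32-bit integer
    wildcard: int    # wildcard mask: a 1 bit means "don't care" (0.0.0.255 covers a /24)

    def matches(self, src: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (src & care) == (self.address & care)


def parse_acl_line(line: str) -> Tuple[int, AclEntry]:
    """Parse one standard ACL line such as 'access-list 56 permit 209.168.1.204 0.0.0.0'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard access-list line: {line!r}")
    acl_id, action = int(parts[1]), parts[2]
    if parts[3] == "any":
        return acl_id, AclEntry(action, 0, 0xFFFFFFFF)
    if parts[3] == "host":
        return acl_id, AclEntry(action, int(ipaddress.IPv4Address(parts[4])), 0)
    address = int(ipaddress.IPv4Address(parts[3]))
    wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    return acl_id, AclEntry(action, address, wildcard)


def build_acls(lines: List[str]) -> Dict[int, List[AclEntry]]:
    acls: Dict[int, List[AclEntry]] = {}
    for line in lines:
        acl_id, entry = parse_acl_line(line)
        acls.setdefault(acl_id, []).append(entry)
    return acls


def acl_permits(entries: List[AclEntry], src: int) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for entry in entries:
        if entry.matches(src):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    action: str              # "permit" or "deny"
    match_acl: int
    next_hop: Optional[str]  # None models "set interface null0": the packet is dropped


def pbr_decision(route_map: List[RouteMapEntry], acls: Dict[int, List[AclEntry]], src_ip: str) -> str:
    """Return what PBR does with a packet from src_ip.

    Assumed semantics (general PBR behaviour, not taken from the guide): entries are
    tried in sequence order and the first whose ACL permits the source decides. A permit
    entry applies its set clause; a deny entry, or no match at all, leaves the packet to
    normal destination-based routing.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    for entry in sorted(route_map, key=lambda e: e.seq):
        if acl_permits(acls.get(entry.match_acl, []), src):
            if entry.action == "deny":
                return "normal-routing"
            return "drop" if entry.next_hop is None else f"next-hop {entry.next_hop}"
    return "normal-routing"


# Constructed policy: ACLs 50-52 and their masks are assumptions; ACL 56 is from the guide.
ACL_LINES = [
    "access-list 50 permit 209.157.23.0 0.0.0.255",
    "access-list 51 permit 209.157.24.0 0.0.0.255",
    "access-list 52 permit 209.157.25.0 0.0.0.255",
    "access-list 56 permit 209.168.1.204 0.0.0.0",
]
ROUTE_MAP = [
    RouteMapEntry(10, "permit", 50, "192.168.2.1"),
    RouteMapEntry(20, "permit", 51, "192.168.2.2"),
    RouteMapEntry(30, "permit", 52, "192.168.2.3"),
    RouteMapEntry(40, "permit", 56, None),   # the null-interface entry
]
ACLS = build_acls(ACL_LINES)


def decide(src_ip: str) -> str:
    return pbr_decision(ROUTE_MAP, ACLS, src_ip)


if __name__ == "__main__":
    for ip in ("209.157.23.10", "209.157.25.7", "209.168.1.204", "10.0.0.1"):
        print(ip, "->", decide(ip))
```

Running the model over the addresses a policy is meant to cover (and a few it is not) is a quick way to catch a wrong wildcard mask or a mis-ordered sequence number before the route map reaches the CAM.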
Chapter 23  Configuring IP Multicast Protocols

Overview of IP multicasting

Multicast protocols allow a group or channel to be accessed over different networks by multiple stations (clients) for receiving and transmitting multicast data. Distribution of stock quotes, video transmissions such as news services and remote classrooms, and video conferencing are all examples of applications that use multicast routing.

Leaf Nodes: Routers that do not have any downstream routers.
Multicast Tree: A unique tree is built for each source group (S,G) pair. A multicast tree is comprised of a root node and one or more nodes that are leaf or intermediate nodes.

NOTE
Multicast protocols can only be applied to 1 physical interface. You must create multiple VLANs with individual untagged ports and ve’s under which you configure PIM.

IP multicast boundaries

Configuration considerations

• Normal ACL restrictions apply as to how many software ACLs can be created, but there are no hardware restrictions on ACLs with this feature.
• Creation of a static IGMP client is allowed for a group on a port that may be prevented from participation in the group on account of an ACL bound to the port’s interface. In such a situation, the ACL would prevail and the port would not be added to the relevant entries.

Passive Multicast Route Insertion (PMRI)

To prevent unwanted multicast traffic from being sent to the CPU, Passive Multicast Route Insertion (PMRI) can be used to ensure that multicast streams are only forwarded out ports with interested receivers and unwanted traffic is dropped in hardware on Layer 3 Switches running software release 02.4.00 and later. This feature does not apply to DVMRP traffic.

Changing IGMP V1 and V2 parameters

IGMP allows Brocade routers to limit the multicast of IGMP packets to only those ports on the router that are identified as IP Multicast members. The router actively sends out host queries to identify IP Multicast groups on the network. The following IGMP V1 and V2 parameters apply to PIM and DVMRP:
• IGMP query interval – Specifies how often the BigIron RX queries an interface for group membership. Possible values are 1 – 3600.

Modifying IGMP (V1 and V2) maximum response time

Maximum response time defines how long the device will wait for an IGMP (V1 and V2) response from an interface before concluding that the group member on that interface is down and removing the interface from the group. Possible values are 1 – 10. The default is 10. To change the IGMP (V1 and V2) maximum response time, enter a command such as the following at the global CONFIG level of the CLI.
IGMP v3

The Internet Group Management Protocol (IGMP) allows an IPv4 system to communicate IP Multicast group membership information to its neighboring routers. The routers in turn limit the multicast of IP packets with multicast destination addresses to only those interfaces on the router that are identified as IP Multicast group members. In IGMP V2, when a router sends a query to the interfaces, the clients on the interfaces respond with a membership report of multicast groups to the router.

In response to membership reports from the interfaces, the router sends a Group-Specific or a Group-and-Source Specific query to the multicast interfaces. For example, a router receives a membership report with a Source-List-Change record to block old sources from an interface. The router sends Group-and-Source Specific Queries to the source and group (S,G) identified in the record.

Enter 1, 2, or 3 for . Version 2 is the default version.

Enabling the IGMP version per interface setting

To specify the IGMP version for a physical port, enter a command such as the following.
BigIron RX(config)# interface eth 1/5
BigIron RX(config-if-1/5)# ip igmp version 3
To specify the IGMP version for a virtual routing interface on a physical port, enter a command such as the following.

• If the interface to which the client belongs has IGMP V3 clients only. Therefore, all physical ports on a virtual routing interface must have IGMP V3 enabled and no IGMP V1 or V2 clients can be on the interface. (Although IGMP V3 can handle V1 and V2 clients, these two clients cannot be on the interface in order for fast leave to take effect.)
• No other client on the interface is receiving traffic from the group to which the client belongs.

NOTE
Static IGMP groups are supported only in Layer 3 mode.

Setting the query interval

The IGMP query interval period defines how often a switch will query an interface for group membership. Possible values are 10 – 3,600 seconds and the default value is 125 seconds, but the value you enter must be a little more than twice the group membership time. To modify the default value for the IGMP query interval, enter the following.

BigIron RX# show ip igmp group
Interface v18 : 1 groups
     group       phy-port  static  querier  life  mode     #_src
1    239.0.0.1   e4/20     no      yes            include  19
Interface v110 : 3 groups
     group       phy-port  static  querier  life  mode     #_src
2    239.0.0.1   e4/5      no      yes            include  10
3    239.0.0.1   e4/6      no      yes      100   exclude  13
4    224.1.10.1  e4/5      no      yes            include  1

To display the status of one IGMP multicast group, enter a command such as the following.
BigIron RX# show ip igmp group 239.0.0.1 detail
Display group 239.0.0.

This field   Displays
Static       A “yes” entry in this column indicates that the multicast group was configured as a static group; “No” means it was not. Static multicast groups can be configured in IGMP V2 using the ip igmp static command. In IGMP V3, static sources cannot be configured in static groups.
Querier      “Yes” means that the port is a querier port; “No” means it is not. A port becomes a non-querier port when it receives a query from a source with a lower source IP address than the port.

Entering an address for displays information for a specified group on the specified interface. The report shows the following information.

This field              Displays
Query interval          Displays how often a querier sends a general query on the interface.
Max response            The maximum number of seconds a client can wait before it replies to the query.
Group membership time   The number of seconds multicast groups can be members of this group before aging out.
This field   Displays
Leave        Number of IGMP V2 “leave” messages on the interface. (See ToEx for IGMP V3.)
IsIN         Number of source addresses that were included in the traffic.
IsEX         Number of source addresses that were excluded in the traffic.
ToIN         Number of times the interface mode changed from exclude to include.
ToEX         Number of times the interface mode changed from include to exclude.

Configuring a static multicast route

Syntax: ip mroute interface ethernet / | ve [distance ]
Or
Syntax: ip mroute rpf_address

The command specifies the PIM source for the route.

NOTE
In IP multicasting, a route is handled in terms of its source, rather than its destination.

You can use the ethernet / parameter to specify a physical port or the ve parameter to specify a virtual interface.

To add a static route to a virtual interface, enter commands such as the following.
BigIron RX(config)# ip mroute 0.0.0.0 0.0.0.0 int ve 1 distance 1
BigIron RX(config)# write memory

Next hop validation check

Beginning with release 02.6.00, you can configure the BigIron RX to perform multicast validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC address. You can enable ARP validation check on the global basis.
PIM dense

NOTE
Multicast protocols can only be applied to 1 physical interface. You must create multiple VLANs with individual untagged ports and ve’s under which you configure PIM.

PIM was introduced to simplify some of the complexity of the routing protocol at the cost of additional overhead tied with a greater replication of forwarded multicast packets. PIM is similar to DVMRP in that PIM builds source-routed multicast delivery trees and employs reverse path check when forwarding multicast packets.

When a node on the multicast delivery tree has all of its downstream branches (downstream interfaces) in the prune state, a prune message is sent upstream. In the case of R4, if both R5 and R6 are in a prune state at the same time, R4 becomes a leaf node with no downstream interfaces and sends a prune message to R1. With R4 in a prune state, the resulting multicast delivery tree would consist only of leaf nodes R2 and R3.

FIGURE 91  Pruning leaf nodes from a multicast tree
[Figure: a video conferencing server at 207.95.5.1 is the source for group 229.225.0.1, the (Source, Group) pair; routers R1 through R6 connect group members of 229.225.0.1; R5 and R6 are leaf nodes with no group members, R4 is an intermediate node with no group members, and a prune message is sent to the upstream router (R4).]

The primary difference between PIM DM V1 and V2 is the methods the protocols use for messaging:
• PIM DM V1 – uses IGMP to send messages.
• PIM DM V2 – sends messages to the multicast address 224.0.0.13 (ALL-PIM-ROUTERS) with protocol number 103.
The CLI commands for configuring and managing PIM DM are the same for V1 and V2. The only difference is the command you use to enable the protocol on an interface.

• Entering the router pim command to enable PIM does not require a software reload.
• Entering a no router pim command removes all configuration for PIM multicast on a BigIron RX (router pim level) only.

Enabling a PIM version

To enable PIM on an interface, first enable PIM globally, then enable it on the interface. To enable PIM on interface 1/3, enter the following commands.

Modifying hello timer

This parameter defines the interval at which periodic hellos are sent out PIM interfaces. Routers use hello messages to inform neighboring routers of their presence. The default rate is 60 seconds. To apply a PIM hello timer of 120 seconds to all ports on the router operating with PIM, enter the following.
BigIron RX(config)# router pim
BigIron RX(config-pim-router)# hello-timer 120
Syntax: hello-timer <10-3600>
The default is 60 seconds.

BigIron RX(config)#show ip pim dense
Global PIM Dense Mode Settings
  Hello interval: 60, Neighbor timeout: 180
  Graft Retransmit interval: 180, Inactivity interval: 180
  Route Expire interval: 200, Route Discard interval: 340
  Prune age: 180, Prune wait: 3
Syntax: show ip pim dense

Modifying graft retransmit timer

The Graft Retransmit Timer defines the interval between the transmission of graft messages. A graft message is sent by a router to cancel a prune state.
Total number of IP routes: 19
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
    Destination   NetMask          Gateway        Port  Cost  Type
..
9   172.17.41.4   255.255.255.252  *137.80.127.3  v11   2
    172.17.41.4   255.255.255.252  137.80.126.3   v10   2
    172.17.41.4   255.255.255.252  137.80.129.1   v13   2
    172.17.41.4   255.255.255.252  137.80.128.3   v12   2
    172.17.41.8   255.255.255.252  0.0.0.

PIM Sparse

FIGURE 92  Example PIM Sparse domain
[Figure: PIM Sparse routers A, B and C, with interfaces port 2/1 207.95.8.10, port 2/2 207.95.7.1, port 3/8 207.95.8.1, port 3/8 207.95.7.2, VE 1 207.95.6.2 and VE 1 207.95.6.1. Callout: "This interface is also the Bootstrap Router (BR) for this PIM Sparse domain, and the Rendezvous Point (RP) for the PIM Sparse groups in this domain." The Rendezvous Point (RP) path and the Shortest Path Tree (SPT) path are drawn between the source 209.157.24.162 for group 239.255.162.1 and a receiver.]

from a group source to the group’s receivers. After the first packet, the BigIron RX calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver. The BigIron RX calculates a separate SPT for each source-receiver pair.

NOTE
Brocade recommends that you configure the same ports as candidate BSRs and RPs.

NOTE
Brocade recommends that you configure the same BigIron RX as both the BSR and the RP.

Current limitations

The implementation of PIM Sparse in the current software release has the following limitations:
• PIM Sparse and regular PIM (dense mode) cannot be used on the same interface.
• You cannot configure or display PIM Sparse information using the Web management interface. (You can display some general PIM information, but not specific PIM Sparse information.)

If the interface is on the border of the PIM Sparse domain, you also must enter the following command.
BigIron RX(config-if-e10000-2/2)# ip pim border
Syntax: [no] ip pim border

NOTE
You cannot configure a Brocade routing interface as a PMBR interface for PIM Sparse in the current software release.

The ethernet / | loopback | ve parameter specifies the interface. The BigIron RX will advertise the specified interface’s IP address as a candidate RP.
• Enter ethernet / for a physical interface (port).
• Enter ve for a virtual interface.
• Enter loopback for a loopback interface.
By default, this command configures the BigIron RX as a candidate RP for all group numbers beginning with 224.

If you explicitly specify the RP, the BigIron RX uses the specified RP for all group-to-RP mappings and overrides the set of candidate RPs supplied by the BSR.

NOTE
Specify the same IP address as the RP on all PIM Sparse routers within the PIM Sparse domain. Make sure the router is on the backbone or is otherwise well connected to the rest of the network.

To specify the IP address of the RP, enter commands such as the following.

Displaying the static RP

Use the show ip pim rp-set command to display static RP and the associated group ranges.
BigIron RX(config)# show ip pim rp-set
Static RP and associated group ranges
------------------------------------
Static RP count: 4
130.1.1.1
  permit 238.1.1.0/24
  permit 239.1.0.0/16
  permit 235.0.0.0/8
120.1.1.1
  deny all
120.2.1.1
  deny all
124.1.1.1
  permit 224.0.0.0/4
Number of group prefixes Learnt from BSR: 0
No RP-Set present.

Route selection precedence for multicast

To specify a non-default route from the mRTM, then a non-default route from the uRTM, then a default route from the mRTM, and then a default route from the uRTM, enter commands such as the following.
BigIron RX(config)# router pim
BigIron RX(config-pim-router)# route-precedence mc-non-default uc-non-default mc-default uc-default
The none option may be used to fill up the precedence table in order to ignore certain types of routes.
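The precedence list above decides which table answers an RPF lookup for a multicast source, and the consequence is easy to miss: a more specific unicast route can lose to a less specific multicast route simply because of list order. The following model is an added example, not code from the guide or from Brocade. It assumes a longest-prefix match is done inside each table first and that the four keywords then rank the per-table results, with "none" leaving a slot unused; the two routing tables are constructed.

```python
"""Model of the route-precedence selection for multicast RPF lookups (added example)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, next hop)
DEFAULT = ipaddress.IPv4Network("0.0.0.0/0")


def longest_match(table: List[Route], src: str) -> Optional[Route]:
    """Longest-prefix match of a multicast source address in one routing table."""
    addr = ipaddress.IPv4Address(src)
    best: Optional[Route] = None
    for route in table:
        prefix, _ = route
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = route
    return best


def select_rpf_route(mrtm: List[Route], urtm: List[Route], src: str,
                     precedence: List[str]) -> Optional[Tuple[str, Route]]:
    """Walk the precedence list and return (route type, route) for the first type that
    has a route. Route types are the guide's keywords (mc-non-default, uc-non-default,
    mc-default, uc-default); 'none' fills a slot so that position selects nothing.
    Assumption: each table is consulted with a longest-prefix match, and only the
    keyword order ranks the results across tables.
    """
    m, u = longest_match(mrtm, src), longest_match(urtm, src)
    candidates = {
        "mc-non-default": m if m and m[0] != DEFAULT else None,
        "uc-non-default": u if u and u[0] != DEFAULT else None,
        "mc-default": m if m and m[0] == DEFAULT else None,
        "uc-default": u if u and u[0] == DEFAULT else None,
    }
    for kind in precedence:
        if kind == "none":
            continue
        if kind not in candidates:
            raise ValueError(f"unknown route type {kind!r}")
        if candidates[kind] is not None:
            return kind, candidates[kind]
    return None


# Constructed tables: the mRTM holds a /16 plus a default, the uRTM a more specific /24
# plus a default. Addresses are documentation ranges chosen for the example.
MRTM: List[Route] = [(ipaddress.IPv4Network("10.1.0.0/16"), "192.0.2.1"), (DEFAULT, "192.0.2.254")]
URTM: List[Route] = [(ipaddress.IPv4Network("10.1.1.0/24"), "198.51.100.1"), (DEFAULT, "198.51.100.254")]
GUIDE_PRECEDENCE = ["mc-non-default", "uc-non-default", "mc-default", "uc-default"]

if __name__ == "__main__":
    for src in ("10.1.1.5", "192.0.2.9"):
        print(src, "->", select_rpf_route(MRTM, URTM, src, GUIDE_PRECEDENCE))
```

With the guide's order, source 10.1.1.5 is resolved through the mRTM /16 even though the uRTM holds a /24 for it; that is the behaviour to keep in mind when an RPF check fails for a source that the unicast table clearly knows.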
23 Changing the Shortest Path Tree (SPT) threshold BigIron RX(config-pim-router)#show ip pim sparse Global PIM Sparse Mode Settings Hello interval : 30 Neighbor timeout : 105 Bootstrap Msg interval: 60 Candidate-RP Advertisement interval: 60 Join/Prune interval : 60 SPT Threshold : 1 Inactivity interval : 180 SSM Enabled : No Hardware Drop Enabled : Yes Route Selection : mc-non-default uc-non-default mc-default uc-default ---------+----------------+----+---+----------------------+------+-------------+ Int
Displaying PIM Sparse configuration information and statistics 23 The infinity | parameter specifies the number of packets. If you specify infinity, the BigIron RX sends packets using the RP indefinitely and does not switch over to the SPT. If you enter a specific number of packets, the BigIron RX does not switch over to using the SPT until it has sent the number of packets you specify using the RP.
23 Displaying PIM Sparse configuration information and statistics • The PIM flow cache • The PIM multicast cache • PIM traffic statistics Displaying basic PIM Sparse configuration information To display PIM Sparse configuration information, enter the following command at any CLI level.
Displaying PIM Sparse configuration information and statistics 23 This field... Displays... Join/Prune interval How frequently the BigIron RX sends PIM Sparse Join/Prune messages for the multicast groups it is forwarding. This field show the number of seconds between Join/Prune messages. The BigIron RX sends Join/Prune messages on behalf of multicast receivers who want to join or leave a PIM Sparse group.
23 Displaying PIM Sparse configuration information and statistics This field... Displays... Group The multicast group address Ports The BigIron RX ports connected to the receivers of the groups. Displaying BSR information To display BSR information, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim bsr PIMv2 Bootstrap information This system is the elected Bootstrap Router (BSR) BSR address: 207.95.7.
Displaying PIM Sparse configuration information and statistics 23 This field... Displays... Next bootstrap message in NOTE: Indicates how many seconds will pass before the BSR sends its next Bootstrap message. NOTE: This field appears only if this BigIron RX is the BSR. Next Candidate-RP-advertisement message in Indicates how many seconds will pass before the BSR sends its next candidate PR advertisement message. NOTE: This field appears only if this BigIron RX is a candidate BSR.
23 Displaying PIM Sparse configuration information and statistics This field... Displays... group prefixes Indicates the multicast groups for which the RP listed by the previous field is a candidate RP. NOTE: This field appears only if this BigIron RX is a candidate RP. Candidate-RP-advertisement period Indicates how frequently the BSR sends candidate RP advertisement messages. NOTE: This field appears only if this BigIron RX is a candidate RP.
Displaying PIM Sparse configuration information and statistics 23 This field... Displays... RP Indicates the IP address of the Rendezvous Point (RP) for the specified PIM Sparse group. Following the IP address is the port or virtual interface through which this BigIron RX learned the identity of the RP. Info source Indicates the IP address on which the RP information was received. Following the IP address is the method through which this BigIron RX learned the identity of the RP.
23 Displaying PIM Sparse configuration information and statistics BigIron RX(config-pim-router)# show ip pim nbr Port Neighbor e3/8 Port 207.95.8.10 Neighbor v1 207.95.6.2 Holdtime sec 180 Holdtime sec 180 Age sec 60 Age sec 60 UpTime sec 900 UpTime sec 900 Syntax: show ip pim nbr This display shows the following information. This field... Displays... Port The interface through which the BigIron RX is connected to the neighbor. Neighbor The IP interface of the PIM neighbor interface.
BigIron RX# show ip pim rpf 1.2.3.4
no route
BigIron RX# show ip pim rpf 1.10.10.24
upstream neighbor=1.1.20.1 on v21 using ip route

Syntax: show ip pim | dvmrp rpf

Where the argument is a valid source IP address.

Displaying the PIM multicast cache

To display the PIM multicast cache, enter the following command at any CLI level.

BigIron RX(config-pim-router)# show ip pim mcache
Total 6 entries
1 (10.161.32.200, 237.0.0.
Displaying PIM traffic statistics

To display PIM traffic statistics, enter the following command at any CLI level.

PIM-SSMv4
The amount of unwanted traffic in the network is reduced, but because each multicast group is associated with a particular host, different hosts can be assigned the same multicast address for different streams. This greatly increases the number of multicast groups that can be used in the network. Another added benefit of SSM is that it increases security by reducing the possibility of a rogue source disrupting the traffic from a legitimate source.

Configuring Multicast Source Discovery Protocol (MSDP)
FIGURE 93 PIM Sparse domains joined by MSDP routers
[Figure: PIM Sparse Domain 1 (Designated Router (DR), source 206.251.14.22 for group 232.1.0.95, Rendezvous Point (RP) 206.251.17.41) and PIM Sparse Domain 2 (Rendezvous Point (RP)), exchanging a Source Advertisement message. Callouts: 2. RP sends SA message through MSDP to its MSDP peers in other PIM Sparse domains. 3. RP that receives the SA floods the SA to all its MSDP peers, except the one that sent the SA. 1.]
Peer Reverse Path Forwarding (RPF) flooding

When the MSDP router (also the RP) in domain 2 receives the Source Active message from its peer in domain 1, the MSDP router in domain 2 forwards the message to all its other peers. The propagation process is sometimes called “peer Reverse Path Forwarding (RPF) flooding”. This term refers to the fact that the MSDP router uses its PIM Sparse RPF tree to send the message to its peers within the tree.
• Configure the MSDP peers

NOTE
The PIM Sparse Rendezvous Point (RP) is also an MSDP peer. Routers that run MSDP must also run BGP. Also, the source address used by the MSDP router must be the same source address used by BGP.

Enabling MSDP

NOTE
You must save the configuration and reload the software to place the change into effect.

To enable MSDP, enter the following commands.
Designating an interface’s IP address as the RP’s IP address

When an RP receives a Source Active message, it checks its PIM Sparse multicast group table for receivers for the group. If it finds a receiver, the RP sends a Join message for that receiver back to the RP that originated the Source Active message. The originator RP is identified by its RP address.
The following commands configure an IP address on port 3/1. This is the port on which the MSDP neighbors will be configured.

BigIron RX(config)# interface ethernet 3/1
BigIron RX(config-if-e1000-3/1)# ip address 2.2.2.98/24
BigIron RX(config-if-e1000-3/1)# exit

The following commands configure a loopback interface. The BigIron RX will use this interface as the source address for communicating with the MSDP neighbors.
• sa-filter in 2.2.2.97 route-map msdp_map – This command ignores source-group pairs received from neighbor 2.2.2.97 if the pairs have source address 10.x.x.x and any group address.
• sa-filter in 2.2.2.96 route-map msdp2_map rp-route-map msdp2_rp_map – This command accepts all source-group pairs except those associated with RP 2.2.42.3.
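The two sa-filter commands above can be modelled as inbound filters applied to each Source Active before it enters the cache. The following is an added example, not BigIron RX code: it assumes a route-map is an ordered list of permit/deny clauses where the first match decides and no match denies, and the clause contents of msdp_map, msdp2_map and msdp2_rp_map are constructed to reproduce the described effect.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

# Constructed model of "sa-filter in <peer> route-map ... rp-route-map ...".
# Assumptions (not BigIron RX behaviour): first matching clause decides,
# a route-map with no matching clause denies, a peer with no filter is accepted.


@dataclass(frozen=True)
class Clause:
    action: str                            # "permit" or "deny"
    prefix: Optional[IPv4Network] = None   # SA source, or the RP in an rp-route-map; None = any
    group: Optional[IPv4Network] = None    # SA group address; None = any


@dataclass(frozen=True)
class SAFilter:
    peer: IPv4Address                        # neighbor the filter applies to
    route_map: Tuple[Clause, ...] = ()       # checked against the (source, group) pair
    rp_route_map: Tuple[Clause, ...] = ()    # checked against the originating RP


@dataclass(frozen=True)
class SourceActive:
    peer: IPv4Address      # MSDP peer the SA arrived from
    source: IPv4Address
    group: IPv4Address
    rp: IPv4Address        # RP that originated the SA


def route_map_permits(clauses, addr, group=None):
    """First clause whose prefix and group both match decides; no match is an implicit deny."""
    for c in clauses:
        if c.prefix is not None and addr not in c.prefix:
            continue
        if c.group is not None and (group is None or group not in c.group):
            continue
        return c.action == "permit"
    return False


def accept_sa(filters, sa):
    """True if the SA may enter the cache under the inbound filters for its peer."""
    for f in filters:
        if f.peer != sa.peer:
            continue
        if f.route_map and not route_map_permits(f.route_map, sa.source, sa.group):
            return False                       # source-group pair ignored
        if f.rp_route_map and not route_map_permits(f.rp_route_map, sa.rp):
            return False                       # pair rejected because of its RP
        return True
    return True                                # no sa-filter configured for this peer


def filter_sa_cache(filters, sas):
    """(source, group, rp) triples that survive the inbound filters, in arrival order."""
    return [(str(s.source), str(s.group), str(s.rp)) for s in sas if accept_sa(filters, s)]


# Route-maps reproducing the two sa-filter examples (clause contents are assumed).
MSDP_MAP = (Clause("deny", IPv4Network("10.0.0.0/8")),      # source 10.x.x.x, any group
            Clause("permit"))                               # everything else
MSDP2_MAP = (Clause("permit"),)
MSDP2_RP_MAP = (Clause("deny", IPv4Network("2.2.42.3/32")),  # SAs associated with RP 2.2.42.3
                Clause("permit"))

FILTERS = (
    SAFilter(IPv4Address("2.2.2.97"), route_map=MSDP_MAP),
    SAFilter(IPv4Address("2.2.2.96"), route_map=MSDP2_MAP, rp_route_map=MSDP2_RP_MAP),
)

# Constructed sample SAs; the source, group and RP addresses are invented for the example.
A = IPv4Address
SAMPLE_SAS = (
    SourceActive(A("2.2.2.97"), A("10.1.1.5"), A("239.1.1.1"), A("2.2.2.1")),     # dropped: source 10/8
    SourceActive(A("2.2.2.97"), A("172.16.1.5"), A("239.1.1.1"), A("2.2.2.1")),   # accepted
    SourceActive(A("2.2.2.96"), A("10.1.1.5"), A("239.1.1.2"), A("2.2.42.3")),    # dropped: RP 2.2.42.3
    SourceActive(A("2.2.2.96"), A("10.1.1.5"), A("239.1.1.2"), A("2.2.2.1")),     # accepted
    SourceActive(A("2.2.2.99"), A("10.9.9.9"), A("239.1.1.3"), A("2.2.42.3")),    # accepted: no filter
)

if __name__ == "__main__":
    for entry in filter_sa_cache(FILTERS, SAMPLE_SAS):
        print(entry)
```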
The following commands enable MSDP and configure MSDP neighbors on port 3/1.

BigIron RX(config)# router msdp
BigIron RX(config-msdp-router)# msdp-peer 2.2.2.99 connect-source loopback 1
BigIron RX(config-msdp-router)# msdp-peer 2.2.2.97 connect-source loopback 1
BigIron RX(config-if-3/1)# exit

The following commands configure the Source-Active filter.
TABLE 102 MSDP source active cache (Continued)
This field...   Displays...
SourceAddr      The IP address of the multicast source.
GroupAddr       The IP multicast group to which the source is sending information.

Configuring MSDP mesh groups
FIGURE 94 Example of MSDP mesh group
[Figure: PIM Sparse Domain 1 containing Mesh GroupA with RPs 206.251.18.31, 206.251.19.31, 206.251.20.31 and 206.251.21.31, a Designated Router (DR), and source 206.251.14.22 for group 232.1.0.95. Callouts: 2. RP sends an SA message to its peers within the domain. 3. RPs within the domain receive the SA message and flood the SA message to their peers in other PIM Sparse domains. 1.]
Syntax: [no] mesh-group

The sample configuration above reflects the configuration in Figure 94. On RP 206.251.21.31 you specify its peers within the same domain (206.251.21.31, 206.251.17.31, and 206.251.13.31). You first configure the MSDP peers using the msdp-peer command to assign their IP addresses and the loopback interfaces. This information will be used as the source for sessions with the neighbor.
Configuration for Device A

The following set of commands configure the MSDP peers of Device A (1.1.1.1) that are inside and outside MSDP mesh group 1234. Device A’s peers inside the mesh group 1234 are 1.1.2.1, 1.1.3.1, and 1.1.4.1. Device 17.17.17.7 is a peer of Device A, but is outside mesh group 1234. Multicast is enabled on Device A’s interfaces. PIM and BGP are also enabled.
The following set of commands configure the MSDP peers of Device B. All Device B’s peers (1.1.1.1, 1.1.3.1, and 1.1.4.1) are in the MSDP mesh group 1234. Multicast is enabled on Device B’s interfaces. PIM and BGP are also enabled.
BigIron RX(config)# router pim
BigIron RX(config)# router msdp
BigIron RX(config-msdp-router)
Displaying MSDP information

You can display the following MSDP information:
• Summary information – the IP addresses of the peers, the state of the BigIron RX’s MSDP session with each peer, and statistics for Keepalive, Source Active, and Notification messages sent to and received from each of the peers.
• Peer information – the IP address of the peer, along with detailed MSDP and TCP statistics.
Displaying peer information

To display MSDP peer information, use the following CLI method.

BigIron RX# show ip msdp peer
Total number of MSDP Peers: 2
1   IP Address   206.251.17.
TABLE 104 MSDP peer information (Continued)
This field...                  Displays...
Keep Alive Message Received    The number of Keep Alive messages the MSDP router has received from the peer.
Notifications Sent             The number of Notification messages the MSDP router has sent to the peer.
Notifications Received         The number of Notification messages the MSDP router has received from the peer.
Source-Active Sent             The number of Source Active messages the MSDP router has sent to the peer.
TABLE 104 MSDP peer information (Continued)
This field...          Displays...
TCP connection state   The state of the connection with the neighbor. The connection can have one of the following states:
                       • LISTEN – Waiting for a connection request.
                       • SYN-SENT – Waiting for a matching connection request after having sent a connection request.
                       • SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
Displaying source active cache information

To display the Source Actives in the MSDP cache, use the following CLI method.

BigIron RX# show ip msdp sa-cache
Total Entry 4096, Used 1800 Free 2296
Index   SourceAddr GroupAddr   Age
1       (100.100.1.254, 232.1.0.95), RP:206.251.17.41, Age:0
2       (100.100.1.254, 237.1.0.98), RP:206.251.17.41, Age:30
3       (100.100.1.254, 234.1.0.48), RP:206.251.17.41, Age:30
4       (100.100.1.254, 239.1.0.51), RP:206.251.17.41, Age:30
5       (100.100.1.

Clearing MSDP information
BigIron RX# clear ip msdp peer 205.216.162.1
Remote connection closed

Syntax: clear ip msdp peer

The command in this example clears the MSDP peer connection with MSDP router 205.216.162.1. The CLI displays a message to indicate when the connection has been successfully closed.

Clearing the source active cache

To clear the entries from the Source Active cache, enter the following command at the Privileged EXEC level of the CLI.

DVMRP overview
Initiating DVMRP multicasts on a network

Once DVMRP is enabled on each router, a network user can begin a video conference multicast from the server on R1. Multicast Delivery Trees are initially formed by source-originated multicast packets that are propagated to downstream interfaces as seen in Figure 96.
FIGURE 96 Downstream broadcast of IP multicast packets from source host
[Figure: a Video Conferencing Server sends (Source, Group) = (207.95.5.1, 229.225.0.1) to group 229.225.0.1 through routers R1 to R6; some leaf nodes and an intermediate node have no group members, while group members are attached to other routers.]
FIGURE 97 Pruning leaf nodes from a multicast tree
[Figure: the same topology as Figure 96, with (Source, Group) = (207.95.5.1, 229.225.0.1); a leaf node with no group members sends a Prune Message to its upstream router (R4).]
Configuring DVMRP

Enabling DVMRP globally and on an interface

Suppose you want to initiate the use of desktop video for fellow users on a sprawling campus network. All destination workstations have the appropriate hardware and software but the BigIron RXes that connect the various buildings need to be configured to support DVMRP multicasts from the designated video conference server as seen in Figure 96.
• Route expire time
• Route discard time
• Prune age
• Graft retransmit time
• Probe interval
• Report interval
• Trigger interval
• Default route

Modifying neighbor timeout

The neighbor timeout specifies the period of time that a router will wait before it defines an attached DVMRP neighbor router as down. Possible values are 40 – 8000 seconds. The default value is 180 seconds. To modify the neighbor timeout value to 100, enter the following.
Modifying graft retransmit time

The Graft Retransmit Time defines the initial period of time that a router sending a graft message will wait for a graft acknowledgement from an upstream router before re-transmitting that message. Subsequent retransmissions are sent at an interval twice that of the preceding interval. Possible values are from 5 – 3600 seconds. The default value is 10 seconds. To modify the setting for graft retransmit time to 120, enter the following.
BigIron RX(config-dvmrp-router)# default-gateway 192.35.4.1

Syntax: default-gateway

Modifying DVMRP interface parameters

DVMRP global parameters come with preset values. The defaults work well in most networks, but you can modify the following interface parameters if you need to:
• TTL
• Metric
• Advertising

Modifying the TTL

The TTL defines the minimum value required in a packet in order for the packet to be forwarded out the interface.
Displaying information about an upstream neighbor device

You can view information about the upstream neighbor device for a given source IP address for IP PIM packets. The software uses the IP route table or multicast route table to look up the upstream neighbor device. The following shows example messages that the Brocade device can display with this command.

BigIron RX# show ip dvmrp rpf 1.1.20.

Configuring a static multicast route
NOTE
Regardless of the administrative distances, the BigIron RX Series router always prefers directly connected routes over other routes.

FIGURE 98 Example multicast static routes
[Figure: PIM Routers A, B, C and D with their interconnecting interfaces and IP addresses, and a client in multicast group 239.255.162.1 behind Router D (9.9.9.101).]

Configuring IP multicast traffic reduction
When you enable IP Multicast Traffic Reduction, you also can configure the following features:
• IGMP mode – When you enable IP Multicast Traffic Reduction, the device passively listens for IGMP Group Membership reports by default. If the multicast domain does not have a router to send IGMP queries to elicit these Group Membership reports, you can enable the device to actively send the IGMP queries.
NOTE
When one or more BigIron RX devices are running Layer 2 IP Multicast Traffic Reduction, configure one of the devices for active IGMP and leave the other devices configured for passive IGMP. However, if the IP multicast domain contains a multicast-capable router, configure all the BigIron RX devices for passive IGMP and allow the router to actively send the IGMP queries.
Syntax:

Passive – When passive IGMP mode is enabled, the switch listens for IGMP Group Membership reports on the VLAN instance specified but does not send IGMP queries. The passive mode is called “IGMP snooping”. Use this mode when another device in the VLAN instance is actively sending queries.
• Passive – When passive IGMP mode is enabled, the device listens for IGMP Group Membership reports but does not send IGMP queries. The passive mode is sometimes called “IGMP snooping”. Use this mode when another device in the network is actively sending queries.

To enable active IGMP, enter the following command.
When the device starts up, it forwards all multicast groups even though multicast traffic filters are configured. This process continues until the device receives a group membership report. Once the group membership report is received, the device drops all multicast packets for groups other than the ones for which the device has received the group membership report. To enable IP multicast filtering, enter the following command.
Use the port-list parameter to define the member ports on which the ACL is applied. The ACL will be applied to the multicast traffic arriving in both directions. Use the no multicast boundary command to remove the boundary on an IGMP enabled interface.

NOTE
The ACL MyBrocadeAccessList can be configured using standard ACL syntax, which can be found in the ACL section.
FIGURE 99 PIM SM traffic reduction in enterprise network
[Figure: the switch snoops for PIM SM join and prune messages. The switch detects a source on port 1/1 and a receiver for that source’s group on port 5/1. It then forwards multicast data from the source on port 1/1 out port 5/1 only, which has the receiver. Source for Groups 239.255.162.1, 239.255.162.]
Notice that the ports connected to the source and the receivers are all in the same port-based VLAN on the device. This is required for the PIM SM snooping feature. The feature also requires the source and the downstream router to be on different IP subnets, as shown in Figure 99. Figure 100 shows another example application for PIM SM traffic snooping. This example shows devices on the edge of a Global Ethernet cloud (a Layer 2 Packet over SONET cloud).
• The PIM SM snooping feature assumes that the group source and the device are in different subnets and communicate through a router. The source must be in a different IP subnet than the receivers. A PIM SM router sends PIM join and prune messages on behalf of a multicast group receiver only when the router and the source are in different subnets. When the receiver and source are in the same subnet, they do not need the router in order to find one another.
Syntax: [no] multicast pimsm-snooping

Configuring PIM proxy per VLAN instance

Using the PIM proxy function, multicast traffic can be reduced by configuring a BigIron RX switch to issue PIM join and prune messages on behalf of hosts that the configured switch discovers through standard PIM interfaces. The switch is then able to act as a proxy for the discovered hosts and perform PIM tasks upstream of the discovered hosts.
BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 include 10.43.1.12 uplink

To configure the snooping device to statically join all multicast streams on the uplink interface excluding the stream with source address 10.43.1.12, enter commands such as the following.

BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 exclude 10.43.1.
The uplink parameter specifies the port as an uplink port that can receive multicast data for the configured multicast groups. Upstream traffic will be sent to the switch and will not use a port. The port-list parameter specifies the range of ports to include in the configuration. The no form of this command removes the static multicast definition. Each configuration must be deleted separately.
Chapter 24 Configuring RIP

Overview of Routing Information Protocol (RIP)

Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing distance) to measure the cost of a given route. The cost is a distance vector because the cost often is equivalent to the number of router hops between the device and the destination network. A device can receive multiple paths to a destination.
Configuring RIP parameters

BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e1000-1/1)# ip rip v1-only

Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only

Configuring metric parameters

By default, a device port increases the cost of a RIP route that is learned or advertised on the port by one. You can configure individual ports to add more than one to a learned or advertised route’s cost.
Configuring redistribution

You can configure the device to redistribute routes learned through OSPF or BGP4, connected routes, or static routes into RIP. When you redistribute a route from one of these other protocols into RIP, the device can use RIP to advertise the route to its RIP neighbors. To configure redistribution, perform the following tasks:
• Configure redistribution filters.
Syntax: redistribute connected | bgp | ospf | static [metric | route-map ]

The connected parameter applies redistribution to connected types. The bgp parameter applies redistribution to BGP4 routes. The ospf parameter applies redistribution to OSPF routes. The static parameter applies redistribution to IP static routes. The metric parameter sets the RIP metric value 1 – 15 that will be applied to the routes imported into RIP.
Syntax: [no] ip rip learn-default

Configuring a RIP neighbor filter

By default, a device learns RIP routes from all its RIP neighbors. Neighbor filters allow you to specify the neighbor routers from which the device can receive RIP routes. Neighbor filters apply globally to all ports. To configure a RIP neighbor filter, enter a command such as the following.
To disable split horizon and enable poison reverse on an interface, enter a command such as the following.

BigIron RX(config-if-e10000-1/1)# ip rip poison-reverse

You can configure the device to avoid routing loops by advertising local RIP routes with a cost of 16 (“infinite” or “unreachable”) when these routes go down.
BigIron RX(config)# ip prefix-list list1 permit 192.53.4.1 255.255.255.0
BigIron RX(config)# ip prefix-list list2 permit 192.53.5.1 255.255.255.0
BigIron RX(config)# ip prefix-list list3 permit 192.53.6.1 255.255.255.0
BigIron RX(config)# ip prefix-list list4 deny 192.53.7.1 255.255.255.0

The prefix lists permit routes to three networks, and deny the route to one network.
Displaying RIP filters

To display RIP filters, enter the following command at any CLI level.
Clearing the RIP routes from the routing table

Clearing all the routes from the routing table

To clear RIP local routes, enter a command such as the following.

BigIron(config)#clear ip rip local routes

Syntax: clear ip rip local routes

To clear the RIP routes from the RIP database, enter a command such as the following.
Chapter 25 Configuring OSPF Version 2 (IPv4)

Overview of OSPF (Open Shortest Path First)

OSPF is a link-state routing protocol. The protocol uses link-state advertisements (LSA) to update neighboring routers regarding its interfaces and information on those interfaces. The router floods these LSAs to all neighboring routers to update them regarding the interfaces.
FIGURE 101 OSPF operating in a network
[Figure: Backbone Area 0.0.0.0 with Areas 200.5.0.0, 192.5.1.0 and 195.5.0.x; Routers A through F, with Router D (208.5.1.1) and Router E acting as Area Border Routers (ABR), Router A at 206.5.1.1 on e8, and a Virtual Link through a transit area.]
FIGURE 102 Designated and backup router election
[Figure: Router A (priority 10) is the Backup Designated Router, Router B (priority 20) is the Designated Router, and Router C has priority 5.]

If the DR goes off-line, the BDR automatically becomes the DR. The router with the next highest priority becomes the new BDR. This process is shown in Figure 103.

NOTE
Priority is a configurable option at the interface level. You can use this parameter to help bias one router as the DR.
NOTE
By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device. For more information or to change the router ID, refer to “Changing the router ID” on page 180.
FIGURE 104 AS external LSA reduction
[Figure: an OSPF Autonomous System (AS) with Routers A, B and C, and ASBRs Router D (Router ID: 2.2.2.2), Router E (Router ID: 1.1.1.1) and Router F connecting to another routing domain (such as BGP4 or RIP). Routers D, E, and F are OSPF ASBRs and EBGP routers.]

Notice that both Router D and Router E have a route to the other routing domain through Router F. OSPF eliminates the duplicate AS External LSAs.
• A second ASBR comes on-line
• A second ASBR that is already on-line begins advertising an equivalent route to the same destination.

In either case above, the router with the higher router ID floods the AS External LSAs and the other router flushes its equivalent AS External LSAs. For example, if Router D is offline, Router E is the only source for a route to the external routing domain.
Configuring OSPF

2. Compare the networks that have the same network address, to determine which network is more specific. The more specific network is the one that has more contiguous one bits in its network mask. For example, network 10.0.0.0 255.255.0.0 is more specific than network 10.0.0.0 255.0.0.0, because the first network has 16 one bits (255.255.0.0) whereas the second network has only 8 one bits (255.0.0.0).
• For the less specific network, use the network address as the ID.
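The comparison above, as an added example that is not part of the original guide or BigIron RX code. The page states the rule only for the less specific network; for the more specific one this example follows the RFC 2328 Appendix E convention of setting the host bits of the network address, which is an assumption about how the ID is derived, not something the page says.

```python
from ipaddress import IPv4Address
from typing import Dict, Iterable, Tuple

# Constructed example of link-state ID selection for networks that share an address.
# Assumption: a more specific network gets the network address with its host bits set
# (RFC 2328 Appendix E); the page only gives the rule for the less specific network.


def ones_bits(mask: str) -> int:
    """Number of contiguous one bits in a dotted-decimal mask; rejects non-contiguous masks."""
    m = int(IPv4Address(mask))
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def is_more_specific(mask_a: str, mask_b: str) -> bool:
    """True if mask_a describes a more specific network than mask_b."""
    return ones_bits(mask_a) > ones_bits(mask_b)


def link_state_ids(networks: Iterable[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """Map each (address, mask) to its ID.

    Networks with a unique address, and the least specific network among those sharing an
    address, use the network address itself. Each more specific network sharing that address
    uses the address with the host bits set (assumption, see above).
    """
    by_addr: Dict[str, set] = {}
    for addr, mask in networks:
        a, m = int(IPv4Address(addr)), int(IPv4Address(mask))
        if a & ~m & 0xFFFFFFFF:
            raise ValueError(f"{addr} has host bits set under mask {mask}")
        by_addr.setdefault(addr, set()).add(mask)

    ids: Dict[Tuple[str, str], str] = {}
    for addr, masks in by_addr.items():
        ordered = sorted(masks, key=ones_bits)          # least specific first
        ids[(addr, ordered[0])] = addr                  # the page's rule
        for mask in ordered[1:]:                        # more specific: set the host bits
            host_bits = ~int(IPv4Address(mask)) & 0xFFFFFFFF
            ids[(addr, mask)] = str(IPv4Address(int(IPv4Address(addr)) | host_bits))
    return ids


# Constructed input: the page's pair 10.0.0.0/255.255.0.0 vs 10.0.0.0/255.0.0.0 plus one
# network whose address is unique.
SAMPLE_NETWORKS = (
    ("10.0.0.0", "255.255.0.0"),
    ("10.0.0.0", "255.0.0.0"),
    ("192.168.1.0", "255.255.255.0"),
)

if __name__ == "__main__":
    for key, lsid in sorted(link_state_ids(SAMPLE_NETWORKS).items()):
        print(key, "->", lsid)
```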
Configuration rules
• If a router is to operate as an ASBR, you must enable the ASBR capability at the system level.
• Redistribution must be enabled on routers configured to operate as ASBRs.
• All router ports must be assigned to one of the defined areas on an OSPF router. When a port is assigned to an area, all corresponding subnets on that port are automatically included in the assignment.

OSPF parameters

You can modify or set the following global and interface OSPF parameters.
NOTE
You set global level parameters at the OSPF CONFIG Level of the CLI. To reach that level, enter router ospf… at the global CONFIG Level. Interface parameters for OSPF are set at the interface CONFIG Level using the CLI command, ip ospf…

Enable OSPF on the router

When you enable OSPF on the router, the protocol is automatically activated. To enable OSPF on the router, use the following method.
• ASBRs redistribute (import) external routes into the NSSA as type 7 LSAs. Type-7 External LSAs are a special type of LSA generated only by ASBRs within an NSSA, and are flooded to all the routers within only that NSSA.
• ABRs translate type 7 LSAs into type 5 External LSAs, which can then be flooded throughout the AS. You can configure address ranges on the ABR of an NSSA so that the ABR converts multiple type-7 External LSAs received from the NSSA into a single type-5 External LSA.
The stub parameter specifies an additional cost for using a route to or from this area and can be from 1 – 16777215. There is no default. Normal areas do not use the cost parameter. The no-summary parameter applies only to stub areas and disables summary LSAs from being sent into the area.
The ABR translates the Type-7 LSAs into Type-5 LSAs. If an area range is configured for the NSSA, the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type-5 LSAs into the backbone. Since the NSSA is partially “stubby” the ABR does not flood external LSAs from the backbone into the NSSA. To provide access to the rest of the Autonomous System (AS), the ABR generates a default Type-7 LSA into the NSSA.

Configuring an NSSA

To configure OSPF area 1.1.1.
The advertise | not-advertise parameter specifies whether you want the device to send type 3 LSAs for the specified range in this area. The default is advertise.

Assigning an area range (optional)

You can assign a range for an area, but it is not required. Ranges allow a specific IP address and mask to represent a range of IP addresses within an area, so that only that reference range address is advertised to the network, instead of all the addresses within that range.
• ip ospf hello-interval
• ip ospf md5-authentication key-activation-wait-time | key-id [0 | 1] key
• ip ospf passive
• ip ospf priority
• ip ospf retransmit-interval
• ip ospf transmit-delay

For a complete description of these parameters, see the summary of OSPF port parameters in the next section.

OSPF interface parameters

The following parameters apply to OSPF interfaces.

Area   Assigns an interface to a specific area.
MD5-authentication activation wait time   The number of seconds the device waits until placing a new MD5 key into effect. The wait time provides a way to gracefully transition from one MD5 key to another without disturbing the network. The wait time can be from 0 – 14400 seconds. The default is 300 seconds (5 minutes).
MD5-authentication key ID and key         A method of authentication that requires you to configure a key ID and an MD5 key.
NOTE
If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior. If you specify encryption option 1, the software assumes that you are entering the encrypted form of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication.
Block flooding of outbound LSAs on specific OSPF interfaces

By default, the device floods all outbound LSAs on all the OSPF interfaces within an area. You can configure a filter to block outbound LSAs on an OSPF interface. This feature is particularly useful when you want to block LSAs from some, but not all, of the interfaces attached to the area. After you apply filters to block the outbound LSAs, the filtering occurs during the database synchronization and flooding.
NOTE
When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link).

FIGURE 106 Defining OSPF virtual links within a network
[Figure: OSPF Area 0 containing BigIronC (Router ID 209.157.22.1); OSPF Area 1, the “transit area”, containing BigIronB; and OSPF Area 2 containing BigIronA (Router ID 10.0.0.1).]

Figure 106 shows an OSPF area border router, BigIron RXA, that is cut off from the backbone area (area 0).
The area | parameter specifies the transit area. The parameter specifies the router ID of the OSPF router at the remote end of the virtual link. To display the router ID on a device, enter the show ip command. Refer to “Modify virtual link parameters” on page 689 for descriptions of the optional parameters.

Modify virtual link parameters

OSPF has some parameters that you can modify for virtual links.
MD5 Authentication Wait Time   This parameter determines when a newly configured MD5 authentication key is valid. This parameter provides a graceful transition from one MD5 key to another without disturbing the network. All new packets transmitted after the key activation wait time interval use the newly configured MD5 Key. OSPF packets that contain the old MD5 key are accepted for up to five minutes after the new MD5 key is in operation.
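The key rollover timeline described in the two MD5 parameter descriptions above (activation wait time, then a five-minute window in which the old key is still accepted), as an added example that is not BigIron RX code. It assumes a single clock in seconds, unique key IDs, and computes the digest in the style of RFC 2328 Appendix D (MD5 over the packet followed by the key padded to 16 bytes); the key names and times are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Constructed model of OSPF MD5 key activation; not BigIron RX code.
OLD_KEY_GRACE = 300     # old key accepted for up to five minutes after the new key is in operation
MAX_WAIT_TIME = 14400   # key-activation-wait-time range is 0 - 14400 seconds


@dataclass(frozen=True)
class Md5Key:
    key_id: int
    key: bytes
    configured_at: int      # seconds on the device clock when the key was entered
    wait_time: int = 300    # key-activation-wait-time; the default is 300 seconds

    def __post_init__(self):
        if not 0 <= self.wait_time <= MAX_WAIT_TIME:
            raise ValueError("wait time must be 0-14400 seconds")
        if not 1 <= self.key_id <= 255:
            raise ValueError("key id must fit the one-octet OSPF Key ID field")  # assumption

    @property
    def active_at(self) -> int:
        """Time from which outbound packets use this key."""
        return self.configured_at + self.wait_time


def transmit_key(keys: Iterable[Md5Key], now: int) -> Optional[Md5Key]:
    """Key used to sign outbound packets: the most recently activated key already in effect."""
    in_effect = [k for k in keys if k.active_at <= now]
    return max(in_effect, key=lambda k: k.active_at) if in_effect else None


def accepted_key_ids(keys: Iterable[Md5Key], now: int) -> Set[int]:
    """Key IDs accepted on inbound packets: the current key, plus superseded keys within the grace window."""
    keys = tuple(keys)
    current = transmit_key(keys, now)
    if current is None:
        return set()
    ids = {current.key_id}
    if now < current.active_at + OLD_KEY_GRACE:
        ids.update(k.key_id for k in keys if k.active_at < current.active_at)
    return ids


def ospf_md5_digest(key: bytes, packet: bytes) -> bytes:
    """MD5 over the packet followed by the 16-byte (zero-padded) key, in the style of RFC 2328 Appendix D."""
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()


def sign(keys: Iterable[Md5Key], now: int, packet: bytes) -> Tuple[int, bytes]:
    """(key ID, digest) a router would attach to an outbound packet at time `now`."""
    k = transmit_key(keys, now)
    if k is None:
        raise RuntimeError("no MD5 key in effect")
    return k.key_id, ospf_md5_digest(k.key, packet)


def verify(keys: Iterable[Md5Key], now: int, key_id: int, packet: bytes, digest: bytes) -> bool:
    """Accept only if the key ID is acceptable at `now` and the digest matches under that key."""
    keys = tuple(keys)
    if key_id not in accepted_key_ids(keys, now):
        return False
    k = next(k for k in keys if k.key_id == key_id)
    return hmac.compare_digest(ospf_md5_digest(k.key, packet), digest)


# Constructed rollover: key 1 already in effect, key 2 entered at t=1000 with the default wait.
KEYS = (
    Md5Key(1, b"old-secret", configured_at=0, wait_time=0),
    Md5Key(2, b"new-secret", configured_at=1000),   # in operation from t=1300
)

if __name__ == "__main__":
    for t in (1200, 1300, 1599, 1600):
        print(t, "tx key", transmit_key(KEYS, t).key_id, "accepts", sorted(accepted_key_ids(KEYS, t)))
```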
For example, to configure the feature in a network with three routers connected by a hub or switch, each router must have the linking interface configured as a non-broadcast interface, and both of the other routers must be specified as neighbors. The output of the show ip ospf interface command has been enhanced to display information about non-broadcast interfaces and neighbors that are configured in the same sub-net. For example.
Configuring an OSPF point-to-point link

To configure an OSPF point-to-point link, enter commands such as the following.

BigIron RX(config)# interface eth 1/5
BigIron RX(config-if-1/5)# ip ospf network point-to-point

This command configures an OSPF point-to-point link on interface 5 in slot 1.

Syntax: [no] ip ospf network point-to-point

Viewing configured OSPF point-to-point links

You can use the show ip ospf interface command to display OSPF point-to-point information.
TABLE 107 Output of the show ip ospf interface command
This field – Displays
Type – The area type, which can be one of the following:
• Broadcast = 0x01
• NBMA = 0x02
• Point to Point = 0x03
• Virtual Link = 0x04
• Point to Multipoint = 0x05
Events – OSPF Interface Event:
• Interface_Up = 0x00
• Wait_Timer = 0x01
• Backup_Seen = 0x02
• Neighbor_Change = 0x03
• Loop_Indication = 0x04
• Unloop_Indication = 0x05
• Interface_Down = 0x06
• Interface_Passive = 0x07
Adjacent Neighbor Count
Changing the reference bandwidth for the cost on OSPF interfaces

Each interface on which OSPF is enabled has a cost associated with it. The device advertises its interfaces and their costs to OSPF neighbors. For example, if an interface has an OSPF cost of ten, the device advertises the interface with a cost of ten to other OSPF routers. By default, an interface’s OSPF cost is based on the port speed of the interface.
Changing the reference bandwidth

To change the reference bandwidth, enter a command such as the following at the OSPF configuration level of the CLI:

BigIron RX(config-ospf-router)# auto-cost reference-bandwidth 500

The reference bandwidth specified in this example results in the following costs:
• 10 Mbps port’s cost = 500/10 = 50
• 100 Mbps port’s cost = 500/100 = 5
• 1000 Mbps port’s cost = 500/1000 = 0.
FIGURE 107 Redistributing OSPF and static routes to RIP routes
(figure: an ASBR, Autonomous System Border Router, sits between the RIP domain and the OSPF domain)

You also have the option of specifying import of just ISIS, RIP, OSPF, BGP4, or static routes, as well as specifying that only routes for a specific network or with a specific cost (metric) be imported, as shown in the command syntax below:

Syntax: [no] redistribution bgp | connected | rip | static [route-map ]

For example, to enable redistribution
NOTE
You also can define the cost on individual interfaces. The interface cost overrides the default cost.

To assign a default metric of 4 to all routes imported into OSPF, enter the following commands.

BigIron RX(config)# router ospf
BigIron RX(config-ospf-router)# default-metric 4

Syntax: default-metric

The can be from 1 – 65535. The default is 10.

Enable route redistribution

NOTE
Do not enable redistribution until you have configured the redistribution route map.
The redistribute static command enables redistribution of static IP routes into OSPF, and uses route map “abc” to control the routes that are redistributed. In this example, the route map allows a static IP route to be redistributed into OSPF only if the route has a metric of 5, and changes the metric to 8 before placing the route into the OSPF route table. The following command shows the result of the redistribution.
The router software can use the route information it learns through OSPF to determine the paths and costs. Figure 108 shows an example of an OSPF network containing multiple paths to a destination (in this case, R1).
Configure external route summarization

When the BigIron RX is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to advertise one external route as an aggregate for all redistributed routes that are covered by a specified address range. When you configure an address range, the range takes effect immediately. All the imported routes are summarized according to the configured address range.
Range-Address   Subnetmask
1.0.0.0         255.0.0.0
1.0.1.0         255.255.255.0
1.0.2.0         255.255.255.0

Syntax: show ip ospf config

Configure default route origination

When the BigIron RX is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to automatically generate a default external route into an OSPF routing domain. This feature is called “default route origination” or “default information origination”.
The metric-type parameter specifies the external link type associated with the default route advertised into the OSPF routing domain. The can be one of the following:
• 1 – Type 1 external route
• 2 – Type 2 external route

If you do not use this option, the default redistribution metric type is used for the route type.

NOTE
If you specify a metric and metric type, the values you specify are used even if you do not use the always option.
This example shows two routes. Both of the routes are directly attached, as indicated in the Type column. However, one of the routes is shown as type “*D”, with an asterisk (*). The asterisk indicates that this route is a candidate default network route.
Modify administrative distance

The BigIron RX can learn about networks from various protocols, including Border Gateway Protocol version 4 (BGP4), RIP, ISIS, and OSPF. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. The default administrative distance for OSPF routes is 110. Refer to “Changing administrative distances” on page 757 for a list of the default distances for all route sources.
Configure OSPF group Link State Advertisement pacing

The BigIron RX paces LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA’s refresh timer expires. The accumulated LSAs constitute a group, which the BigIron RX refreshes and sends out together in one or more packets.
• With this feature enabled in the “out” direction, all type 3 LSAs advertised by the ABR, based on information from this area to all other areas, are filtered by the prefix list. If the area range command has been configured for this area, Type 3 LSAs that correspond to the area range command are treated like any other type 3 LSA.
• Prefixes that are not permitted by the prefix list are implicitly denied.
The in keyword specifies that the prefix list is applied to prefixes advertised to the specified area from other areas. The out keyword specifies that the prefix list is applied to prefixes advertised out of the specified area to other areas.

Defining and applying IP prefix lists

An IP prefix list specifies a list of networks. When you apply an IP prefix list to an area, the BigIron RX sends or receives only a route whose destination is in the IP prefix list.
Displaying the configured OSPF area prefix list

To display the prefix lists attached to the areas, enter the following command.
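The filtering behaviour described in the two preceding pages (ordered permit/deny entries, and prefixes that match no entry being implicitly denied), as an added example rather than BigIron RX code. It assumes the usual prefix-list matching rule that an entry without ge/le bounds matches only a prefix of exactly the entry's length; that rule is an assumption, since the page does not describe ge/le.

```python
"""Model of OSPF area prefix-list filtering (added example, not BigIron RX code):
entries are evaluated in order, the first match decides, and a prefix that
matches no entry is implicitly denied."""
from ipaddress import ip_network


def _normalise(action, network, ge=None, le=None):
    """Turn an entry into (action, network, min_len, max_len).
    Assumption: no ge/le means exact-length match, as on most routers."""
    net = ip_network(network)
    if ge is None and le is None:
        ge = le = net.prefixlen
    elif ge is None:
        ge = net.prefixlen          # "le N" covers prefixlen..N
    elif le is None:
        le = net.max_prefixlen      # "ge N" covers N..32
    return action, net, ge, le


class PrefixList:
    def __init__(self, name, entries):
        self.name = name
        self.entries = [_normalise(*e) for e in entries]

    def permits(self, prefix) -> bool:
        route = ip_network(prefix)
        for action, net, ge, le in self.entries:
            if route.version != net.version:
                continue
            if route.subnet_of(net) and ge <= route.prefixlen <= le:
                return action == "permit"   # first match wins
        return False                        # implicit deny


def filter_area_prefixes(prefixes, plist: PrefixList):
    """Prefixes the ABR would still advertise (out) or accept (in)."""
    return [p for p in prefixes if plist.permits(p)]


# Constructed sample: summaries leaving area 1, and a list that blocks one
# /16 while allowing the rest of 10/8 down to /24.
SAMPLE_PREFIXES = ["10.1.0.0/16", "10.2.0.0/24", "10.0.0.0/8", "10.3.0.0/25", "192.168.1.0/24"]
AREA1_OUT = PrefixList("area1-out", [
    ("deny", "10.1.0.0/16"),
    ("permit", "10.0.0.0/8", None, 24),   # permit 10.0.0.0/8 le 24
])

if __name__ == "__main__":
    print(filter_area_prefixes(SAMPLE_PREFIXES, AREA1_OUT))
```

Note that 10.3.0.0/25 is dropped even though it lies inside 10.0.0.0/8, because it exceeds the le 24 bound and then falls to the implicit deny; that is the case that most often surprises operators when a summary silently disappears.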
1. Enable SNMP traps for OSPF. (Refer to “Disabling and enabling SNMP traps for OSPF” on page 709.)
2. Enable OSPF logging. (Refer to “Enabling OSPF logging” on page 710.)

Refer to Table 109 on page 709 for the list of the default settings for OSPF traps.
• virtual-interface-config-error-trap – [MIB object: ospfVirtIfConfigError]
• interface-authentication-failure-trap – [MIB object: ospfIfAuthFailure]
• virtual-interface-authentication-failure-trap – [MIB object: ospfVirtIfAuthFailure]
• interface-receive-bad-packet-trap – [MIB object: ospfIfrxBadPacket]
• virtual-interface-receive-bad-packet-trap – [MIB object: ospfVirtIfRxBadPacket]

The following traps are disabled by default:
• interface-retransmit-packet-trap – [MIB o
To configure a router to operate with the latest OSPF standard, RFC 2328, enter the following commands.

BigIron RX(config)# router ospf
BigIron RX(config-ospf-router)# no rfc1583-compatibility

Syntax: [no] rfc1583-compatibility

Modify exit overflow interval

If a database overflow condition occurs on a router, the router eliminates the condition by removing entries that originated on the router.
Displaying OSPF information

You can display the following OSPF information:
• Trap, area, and interface information – refer to “Displaying general OSPF configuration information” on page 712.
• CPU utilization statistics – refer to “Displaying CPU utilization and other OSPF tasks” on page 713.
• Area information – refer to “Displaying OSPF area information” on page 715.
• Neighbor information – refer to “Displaying OSPF neighbor information” on page 716.
BigIron RX> show ip ospf config
Router OSPF: Enabled
Redistribution: Disabled
Default OSPF Metric: 10
OSPF Redistribution Metric: Type2
OSPF External LSA Limit: 1447047
OSPF Database Overflow Interval: 0
RFC 1583 Compatibility: Enabled
Router id: 207.95.11.
BigIron RX#show tasks
Task Name    Pri  State
----------   ---  -----
idle         0    ready
monitor      20   wait
int          16   wait
timer        15   wait
dbg          30   wait
flash        17   wait
wd           31   wait
boot         17   wait
main         3    wait
itc          6    wait
tmr          5    wait
ip_rx        5    wait
scp          5    wait
console      5    wait
vlan         5    wait
mac_mgr      5    wait
mrp_mgr      5    wait
vsrp         5    wait
snms         5    wait
rtm          5    wait
rtm6         5    wait
ip_tx        5    ready
rip          5    wait
bgp          5    wait
bgp_io       5    wait
ospf         5    wait
ospf_r_calc  5    wait
isis_task    5    wait
isis_spf     5    wait
mcast        5    wait
vrrp         5    wait
ripng        5    wait
TABLE 110 CLI display of show tasks (Continued)
This field... – Displays...
PC – Current instruction for the task
Stack – Stack location for the task
Size – Stack size of the task
CPU Usage(%) – Percentage of the CPU being used by the task
task id – Task’s ID number assigned by the operating system.
task vid – A memory domain ID.

Displaying OSPF area information

To display OSPF area information, enter the following command at any CLI level.

BigIron RX> show
Indx  Area
1     0.
Displaying OSPF neighbor information

To display OSPF neighbor information, enter the following command at any CLI level.

BigIron RX# show ip ospf neighbor
Port  Address    Pri  State    Neigh Address  Neigh ID
v10   10.1.10.1  1    FULL/DR  10.1.10.2      10.65.12.1
v11   10.1.11.1  1    FULL/DR  10.1.11.2      10.65.12.1
v12   10.1.12.1  1    FULL/DR  10.1.12.2      10.65.12.1
v13   10.1.13.1  1    FULL/DR  10.1.13.2      10.65.12.1
v14   10.1.14.1  1    FULL/DR  10.1.14.2      10.65.12.
TABLE 112 CLI display of OSPF neighbor information (Continued)
Field – Description
State – The state of the conversation between the device and the neighbor. This field can have one of the following values:
• Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor.
• Attempt – This state is only valid for neighbors attached to non-broadcast networks.
BigIron RX# show ip ospf interface 192.168.1.1
Ethernet 2/1,OSPF enabled
IP Address 192.168.1.1, Area 0
OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1
Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
DR: Router ID 0.0.0.0 Interface Address 0.0.0.0
BDR: Router ID 0.0.0.0 Interface Address 0.0.0.0
Neighbor Count = 0, Adjacent Neighbor Count= 1
Neighbor: 2.2.2.
TABLE 113 Output of the show ip ospf interface command (Continued)
This field – Displays
Adjacent Neighbor Count – The number of adjacent neighbor routers.
Neighbor – The neighbor router’s ID.

Displaying OSPF route information

To display OSPF route information, enter the following command at any CLI level.

BigIron RX# show ip ospf route
OSPF Area 0x00000000 ASBR Routes 1:
Destination  Mask             Adv_Router  Link_State
10.65.12.1   255.255.255.255  10.65.12.1  10.65.12.
Syntax: show ip ospf routes []

The parameter specifies a destination IP address. If you use this parameter, only the route entries for that destination are shown.

This display shows the following information.

TABLE 114 CLI display of OSPF route information
This field... – Displays...
Destination – The IP address of the route's destination.
Mask – The network mask for the route.
Path_Cost – The cost of this route path. (A route can have multiple paths.
BigIron RX# show ip ospf redistribute route
4.3.0.0     255.255.0.0    static
3.1.0.0     255.255.0.0    static
10.11.61.0  255.255.255.0  connected
4.1.0.0     255.255.0.0    static

In this example, four routes have been redistributed. Three of the routes were redistributed from static IP routes and one route was redistributed from a directly connected IP route.
TABLE 115 CLI display of OSPF external link state information
This field... – Displays...
Index – ID of the entry
Aging – The age of the LSA, in seconds.
LS ID – The ID of the link-state advertisement from which the device learned this route.
Router – The router IP address.
Netmask – The subnet mask of the network.
Metric – The cost (value) of the route
Flag – State information for the route entry. This information is used by Brocade technical support.
NOTE
You cannot use the extensive option in combination with other display options. The entire database is displayed.

The link-state-id parameter displays the External LSAs for the LSA source specified by . The network option shows network information. The nssa option shows network information. The router-id parameter shows the External LSAs for the specified OSPF router.
TABLE 117 CLI display of OSPF border routers
This field... – Displays...
(Index) – Displayed index number of the border router.
Router ID – ID of the OSPF router
Router type – Type of OSPF router: ABR or ASBR
Next hop router – ID of the next hop router
Outgoing interface – ID of the interface on the router for the outgoing route.
Area – ID of the OSPF area to which the OSPF router belongs

Displaying OSPF trap status

All traps are enabled by default when you enable OSPF.
vlan 1 name DEFAULT-VLAN
!
!
clock summer-time
clock timezone us Pacific
hostname R11-RX8
router ospf
area 2
area 1
area 1 virtual-link 131.1.1.10

FIGURE 109 OSPF virtual neighbor and virtual link example
(figure residue, labels in reading order: Area 0; 7/1; 3A4; 131.1.1.10/16; DeviceA R10-MG8 192.168.148.10; 6/1; 135.14.1.10/16; Area 1; Area 2; 1/17; 135.14.1.1/16; DeviceE R14-RX8 192.168.148.14; 5/1; 7/23; Area 1; 27.14.1.27/8; 6/2; 27.11.1.27/8; 3A1; 8.11.1.1/8; DeviceB R11-RX16 192.168.148.)
Displaying OSPF virtual link information

Use the show ip ospf virtual link command to display OSPF virtual link information. The output below represents the virtual links configured in Figure 109.

BigIron RX#show ip ospf virtual link
Indx  Transit Area  Router ID  Transit(sec)
1     1             131.1.1.
Configuring OSPF graceful restart timer

The OSPF graceful restart timer specifies the maximum amount of time an OSPF restarting router will take to re-establish OSPF adjacencies and relearn OSPF routes. This value is sent to the neighboring routers in the grace LSA packets. Configure the timer by entering a command such as the following.
BigIron RX#sh ip ospf neigh
Port  Address    Pri  State       Neigh Address
3/1   30.1.0.5   0    FULL/OTHER  30.1.0.13
3/27  25.27.0.8  1    FULL/DR     25.27.0.14
      < in graceful restart state, helping 1, timer 104
v31   21.23.0.5  1    FULL/DR     21.23.0.14
      < in graceful restart state, helping 1, timer 104
v32   22.24.0.5  1    FULL/DR     22.24.0.14
      < in graceful restart state, helping 1, timer 104
v33   23.25.0.5  1    FULL/DR     23.25.0.14
      < in graceful restart state, helping 1, timer 104
v34   24.26.0.5  1    FULL/DR     24.26.0.
BigIron RX 1# show ip ospf neigh
Port  Address   Pri  State    Neigh Address  Neigh ID  Ev  Opt  Cnt
3/7   40.0.1.1  1    EXST/DR  40.0.1.3       9.0.1.24  24  2    0
      < in graceful restart state, helping 1, timer 112 sec >

BigIron RX 3# show ip ospf neighbor
Port  Address    Pri  State    Neigh Address  Neigh ID  Ev  Opt  Cnt
2/2   40.0.10.1  1    EXST/DR  40.0.10.3      8.0.0.23  23  2    0
      < in graceful restart state, helping 1, timer 111 sec >

Note the "" entry appears only during restart.
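A small parser for neighbor output in the form shown on the two preceding pages, added here as an example (it is not BigIron RX code). It pulls out each neighbor's state and attaches the "in graceful restart state" annotation to the neighbor line above it, then reports neighbors that are not FULL and neighbors currently being helped through a restart. The sample output is constructed from the lines above; the Neigh ID, Ev, Opt and Cnt values for the first three neighbors are made up where the page does not show them. Watching these two counts is a cheap way to catch adjacencies that stay out of FULL or a restart that never completes.

```python
"""Parse `show ip ospf neighbor` output and flag non-FULL neighbors and
graceful-restart helpers (added example, not BigIron RX code)."""
import re

# Constructed sample, assembled from the output shown on this page.
SAMPLE_OUTPUT = """\
BigIron RX# show ip ospf neighbor
Port  Address    Pri  State       Neigh Address  Neigh ID    Ev  Opt  Cnt
3/1   30.1.0.5   0    FULL/OTHER  30.1.0.13      30.1.0.13   6   2    0
3/27  25.27.0.8  1    FULL/DR     25.27.0.14     25.27.0.14  6   2    0
      < in graceful restart state, helping 1, timer 104 sec >
v31   21.23.0.5  1    FULL/DR     21.23.0.14     21.23.0.14  6   2    0
      < in graceful restart state, helping 1, timer 104 sec >
3/7   40.0.1.1   1    EXST/DR     40.0.1.3       9.0.1.24    24  2    0
      < in graceful restart state, helping 1, timer 112 sec >
"""

IPV4 = r"\d+(?:\.\d+){3}"
NEIGH_RE = re.compile(
    rf"^(?P<port>\S+)\s+(?P<addr>{IPV4})\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    rf"(?P<naddr>{IPV4})\s+(?P<nid>{IPV4})"
)
GR_RE = re.compile(r"<\s*in graceful restart state, helping (?P<helping>\d+), timer (?P<timer>\d+)")


def parse_neighbors(text):
    """Return one dict per neighbor; the header and prompt lines do not match
    NEIGH_RE because their second column is not a dotted-quad address."""
    neighbors = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["pri"] = int(entry["pri"])
            entry["graceful_restart"] = None
            neighbors.append(entry)
            continue
        g = GR_RE.search(line)
        if g and neighbors:
            # The annotation line belongs to the neighbor printed just above it.
            neighbors[-1]["graceful_restart"] = {
                "helping": int(g["helping"]),
                "timer": int(g["timer"]),
            }
    return neighbors


def summarize(neighbors):
    """Counts a monitoring job would alert on."""
    not_full = [n["port"] for n in neighbors if not n["state"].startswith("FULL")]
    helping = [n["port"] for n in neighbors if n["graceful_restart"]]
    timers = [n["graceful_restart"]["timer"] for n in neighbors if n["graceful_restart"]]
    return {
        "total": len(neighbors),
        "not_full": not_full,
        "in_graceful_restart": helping,
        "min_gr_timer": min(timers) if timers else None,
    }


if __name__ == "__main__":
    print(summarize(parse_neighbors(SAMPLE_OUTPUT)))
```

The summary keys are deliberately flat so the function can feed a metrics exporter or a cron check without further massaging.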
Chapter 26

Configuring BGP4 (IPv4 and IPv6)

Overview of BGP4

BGP4 is the standard Exterior Gateway Protocol (EGP) used on the Internet to route traffic between Autonomous Systems (AS) and to maintain loop-free routing. An autonomous system is a collection of networks that share the same routing and administration characteristics. For example, a corporate intranet consisting of several networks under common administrative control might be considered an AS.
Relationship between the BGP4 route table and the IP route table

The device’s BGP4 route table can have multiple routes or paths to the same destination, which are learned from different BGP4 neighbors. A BGP4 neighbor is another router that also is running BGP4. BGP4 neighbors communicate using Transmission Control Protocol (TCP) port 179 for BGP communication.
1. Is the next hop accessible through an Interior Gateway Protocol (IGP) route? If not, ignore the path.

NOTE
By default, the device does not use the default route to resolve the BGP4 next hop. Also refer to “Enabling next-hop recursion” on page 773 and “Using the IP default route as a valid next hop for a BGP4 route” on page 772.

2. Use the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4.
9. If all the comparisons above are equal, prefer the route with the lowest IGP metric to the BGP4 next hop. This is the closest internal path inside the AS to reach the destination.
10. If the internal paths also are the same and BGP4 load sharing is enabled, load share among the paths; otherwise, go to Step 11.

NOTE
The BigIron RX supports BGP4 load sharing among multiple equal-cost paths.
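The selection steps that are visible on this page (steps 1 to 3, 9 and 10), carried through in code as an added example; this is not BigIron RX code. Steps 4 to 8 are not shown on this page and are not modelled, so a tie that survives step 9 simply resolves to the first remaining path when load sharing is off. The IGP table, the paths and the peer names are constructed sample data, and the default-route handling follows the NOTE under step 1.

```python
"""Model of the BGP4 path-selection steps shown on this page (added example,
not BigIron RX code). Steps 4 to 8 are not on the page and are omitted."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Path:
    name: str                        # label for the sending neighbor
    next_hop: str
    weight: int
    local_pref: int
    igp_metric: Optional[int] = None # filled in by next-hop resolution


@dataclass(frozen=True)
class IgpRoute:
    network: str
    metric: int


def resolve_next_hop(next_hop: str, igp_routes: List[IgpRoute], use_default=False):
    """Longest-prefix lookup of the next hop in the IGP table. The default
    route (0.0.0.0/0) is skipped unless use_default is set (NOTE under step 1)."""
    addr = ip_address(next_hop)
    best = None
    for route in igp_routes:
        net = ip_network(route.network)
        if net.prefixlen == 0 and not use_default:
            continue
        if addr in net and (best is None or net.prefixlen > ip_network(best.network).prefixlen):
            best = route
    return best


def select_paths(paths: List[Path], igp_routes: List[IgpRoute],
                 load_sharing=False, use_default=False) -> List[Path]:
    """Return the path(s) chosen for one destination."""
    # Step 1: drop paths whose next hop has no IGP route.
    candidates = []
    for p in paths:
        route = resolve_next_hop(p.next_hop, igp_routes, use_default)
        if route is not None:
            candidates.append(replace(p, igp_metric=route.metric))
    if not candidates:
        return []
    # Step 2: largest weight wins.
    best = max(p.weight for p in candidates)
    candidates = [p for p in candidates if p.weight == best]
    # Step 3: largest local preference wins.
    best = max(p.local_pref for p in candidates)
    candidates = [p for p in candidates if p.local_pref == best]
    # Step 9: lowest IGP metric to the next hop wins.
    best = min(p.igp_metric for p in candidates)
    candidates = [p for p in candidates if p.igp_metric == best]
    # Step 10: equal-cost paths are load shared only if enabled.
    return candidates if load_sharing else candidates[:1]


# Constructed sample: an IGP table and four paths to one prefix.
IGP = [IgpRoute("10.1.0.0/16", 20), IgpRoute("10.2.0.0/16", 5), IgpRoute("0.0.0.0/0", 1)]
PATHS = [
    Path("peerA", "10.1.1.1", weight=0, local_pref=100),
    Path("peerB", "10.2.1.1", weight=0, local_pref=100),
    Path("peerC", "192.0.2.1", weight=500, local_pref=100),  # reachable only via the default route
    Path("peerD", "10.2.2.2", weight=0, local_pref=100),
]

if __name__ == "__main__":
    for chosen in select_paths(PATHS, IGP):
        print(chosen)
```

The interesting case is peerC: its weight would win outright, but with the default setting its next hop does not resolve and it never reaches step 2, which is exactly why enabling default-route resolution for next hops can change which path is chosen.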
neighbors to always be up. For directly-attached neighbors, you can configure the BigIron RX to immediately close the TCP connection to the neighbor and clear entries learned from an EBGP neighbor if the interface to that neighbor goes down. This capability is provided by the fast external fallover feature, which is disabled by default.
• BGP Identifier – The router ID. The BGP Identifier (router ID) identifies the BGP4 router to other BGP4 routers.
BGP4 Router A sends a Hold Time of 5 seconds and BGP4 Router B sends a Hold Time of 4 seconds, both routers use 4 seconds as the Hold Time for their BGP4 session. The default Hold Time is 180 seconds. Generally, the Hold Time is configured to three times the value of the Keep Alive Time. If the Hold Time is 0, a BGP4 router assumes that its neighbor is alive regardless of how many seconds pass between receipt of UPDATE or KEEPALIVE messages.
As a guideline, BigIron RX switches with a 2 GB Management 4 module can accommodate 150 – 200 neighbors, with the assumption that the BigIron RX receives about one million routes total from all neighbors and sends about eight million routes total to neighbors. For each additional one million incoming routes, the capacity for outgoing routes decreases by around two million.

Configuring BGP4

Once you activate BGP, you can configure the BGP options.
TABLE 118 IPv4 BGP commands at different configuration levels (Continued)
Columns: Command | Global (IPv4 and IPv6) | IPv4 address family unicast | IPv4 address family multicast | See
as-path-ignore | x | “Disabling or re-enabling comparison of the AS-path length” on page 750
bgp-redistribute-internal | x | “Redistributing IBGP routes” on page 750
client-to-client-reflection | x | “Disabling or re-enabling client-to-client route reflection” on page 751
cluster-id
community-filter | “Configuring a route refl
TABLE 118 IPv4 BGP commands at different configuration levels (Continued)
Columns: Command | Global (IPv4 and IPv6) | IPv4 address family unicast | IPv4 address family multicast | See
redistribute | x | x | “Modifying redistribution parameters” on page 776
show | x | x | “Displaying BGP4 information” on page 814
table-map | x | x | “Using a table map to set the tag value” on page 779
timers | x | “Changing the keep alive time and hold time” on page 779
update-time | x | x | “Changing the BGP4 next-hop upda
• Change other load-sharing parameters.
• Define route flap dampening parameters.
• Add, change, or negate redistribution parameters (except changing the default MED; see below).
• Add, change, or negate route maps (when used by the network command or a redistribution command).
• Aggregate routes.
NOTE
By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP interface address configured on the device. For more information, refer to “Changing the router ID” on page 780. If you change the router ID, all current BGP4 sessions are cleared.
The default is the ipv4 unicast address family level. To exit an address family configuration level, enter the following command.

BigIron RX(config-bgp-ipv6u)# exit-address-family
BigIron RX(config-bgp)#

Syntax: exit-address-family

Filtering specific IP addresses

You can configure the router to explicitly permit or deny specific IP addresses received in updates from BGP4 neighbors by defining IP address filters. The router permits all IP addresses by default.
The parameter specifies the portion of the IP address to match against. The is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the . Ones mean any value matches. For example, the and values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
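The inverse-mask matching rule stated above, as an added example rather than BigIron RX code: a 0 bit in the mask means the address bit must match, a 1 bit means any value matches. The filter entries and addresses are constructed samples, and treating an address that matches no entry as permitted follows the statement that the router permits all IP addresses by default (how the device treats a non-matching address once filters exist is not stated on this page, so that fallback is an assumption). The inverted meaning of the mask is what makes 0.0.0.255 match a /24 and 255.255.255.255 match everything, which is the usual source of filter mistakes.

```python
"""Inverse-mask (wildcard) matching for IP address filters (added example,
not BigIron RX code)."""
from ipaddress import IPv4Address


def wildcard_match(address: str, pattern: str, mask: str) -> bool:
    """True when `address` matches `pattern` under the inverse `mask`:
    0 bits in the mask must match, 1 bits are don't-care."""
    a, p, m = (int(IPv4Address(x)) for x in (address, pattern, mask))
    care = ~m & 0xFFFFFFFF            # the bits that must agree
    return (a & care) == (p & care)


def apply_filters(address: str, filters) -> str:
    """filters: ordered (action, pattern, mask) entries; first match wins.
    Assumption: an address matching no entry is permitted, following the
    default-permit behaviour described above."""
    for action, pattern, mask in filters:
        if wildcard_match(address, pattern, mask):
            return action
    return "permit"


# Constructed sample: permit one host, deny the rest of its /24, permit all else.
FILTERS = [
    ("permit", "209.157.22.26", "0.0.0.0"),    # exact host
    ("deny", "209.157.22.26", "0.0.0.255"),    # any host in 209.157.22.x
]

if __name__ == "__main__":
    for addr in ("209.157.22.26", "209.157.22.7", "209.157.23.7", "10.0.0.1"):
        print(addr, apply_filters(addr, FILTERS))
```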
Defining a community filter

To define filter 3 to permit routes that have the NO_ADVERTISE community, enter the following command.

BigIron RX(config-bgp)# community-filter 3 permit no-advertise

Syntax: [no] community-filter permit | deny : | internet | local-as | no-advertise | no-export

The parameter identifies the filter’s position in the community filter list and can be from 1 – 100. Thus, the community filter list can contain up to 100 filters.
To configure a switch to disable the AS_PATH check function for routes sent to it by its BGP neighbor for a maximum limit of 3 occurrences of the route, enter the following command at the BGP configuration level.

BigIron RX(config-bgp-ipv4u)# neighbor 33.33.36.2 allowas-in 3

Syntax: neighbor allowas-in

The variable is the IP address of the neighbor.
BGP Null0 routing

The following steps configure a null0 routing application for stopping denial of service attacks from remote hosts on the internet.

Configuration steps
1. Select one router, Router 6, to distribute null0 routes throughout the BGP network.
2. Configure a route-map to match a particular tag (50) and set the next-hop address to an unused network address (199.199.1.1).
3. Set the local-preference to a value higher than any possible internal or external local-preference (50).
4.
Router 1

The following configuration defines the null0 route to the specific next hop address. The next hop address 199.199.1.1 points to 128.178.1.101, which gets blocked.

BigIron RX(config)# ip route 199.199.1.
Router-6# show ip bgp route
Total number of BGP Routes: 126
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
       Prefix          Next Hop     Metric  LocPrf   Weight
1      30.0.1.0/24     40.0.1.3     0       100      0
       AS_PATH:
. .. . . .
9      110.0.0.16/30   90.0.1.3             100      0
       AS_PATH: 85
10     110.0.0.40/29   192.168.0.1  1       1000000  32768   BL
       AS_PATH:
11     110.0.0.80/28   90.0.1.3             100      0
. .. . . .
. .. . . .
36     115.0.0.96/28   30.0.1.3             100      0
       AS_PATH: 50
37     115.0.0.
Aggregating routes advertised to BGP4 neighbors

By default, the BigIron RX advertises individual routes for all the networks. The aggregation feature allows you to configure the device to aggregate routes in a range of networks into a single network prefix. For example, without aggregation, the device will individually advertise routes for networks 207.95.1.0/24, 207.95.2.0/24, and 207.95.3.0/24.
You can enable the device to always compare the MEDs, regardless of the AS information in the paths. For example, if the router receives UPDATES for the same route from neighbors in three ASs, the router would compare the MEDs of all the paths together, rather than comparing the MEDs for the paths in each AS individually.

NOTE
By default, value 0 (most favorable) is used in MED comparison when the MED attribute is not present.
To enable the device to redistribute BGP4 routes into OSPF, RIP, or ISIS, enter the following command.

BigIron RX(config-bgp)# bgp-redistribute-internal

Syntax: [no] bgp-redistribute-internal

To disable redistribution of IBGP routes into RIP, ISIS, and OSPF, enter the following command.
When router ID comparison is enabled, the path comparison algorithm compares the router IDs of the neighbors that sent the otherwise equal paths.
• If BGP4 load sharing is disabled (maximum-paths 1), the device selects the path that came from the neighbor with the lower router ID.
• If BGP4 load sharing is enabled, the device load shares among the remaining paths. In this case, the router ID is not used to select a path.

NOTE
Router ID comparison is disabled by default.
FIGURE 114 Example BGP4 confederation
(figure: Confederation 10 contains Sub-AS 64512, with Router A and Router B connected by IBGP, and Sub-AS 64513, with Router C and Router D connected by IBGP; the two sub-ASs connect by EBGP, and a BGP4 router in AS 20 sees all traffic from Confederation 10 as traffic from AS 10)

Routers outside the confederation do not know or care that the routers are subdivided into sub-ASs within a confederation. In this example, four routers are configured into two sub-ASs, each containing two of the routers.
The procedures show how to implement the example confederation shown in Figure 26.3. To configure four devices to be members of confederation 10, consisting of two sub-ASs (64512 and 64513), enter commands such as the following.
Configuring route flap dampening

Route flap dampening reduces the amount of routing change that BGP propagates because of unstable routes. Reducing change propagation helps reduce processing requirements. To enable route flap dampening using the default values, enter the following command.
BigIron RX(config-bgp)# default-information-originate

Syntax: [no] default-information-originate

Changing the default local preference

When the router uses the BGP4 algorithm to select a route to send to the IP route table, one of the parameters the algorithm uses is the local preference. Local preference is an attribute that indicates a degree of preference for a route relative to other routes.
Changing administrative distances

The BigIron RX can learn about networks from various protocols, including the EBGP portion of BGP4 and IGPs such as OSPF, ISIS, and RIP. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. To select one route over another based on the source of the route information, the device can use the administrative distances assigned to the sources.
The sets the EBGP distance and can be a value from 1 – 255. The sets the IBGP distance and can be a value from 1 – 255. The sets the Local BGP distance and can be a value from 1 – 255.
The router waits for the Hold Time to expire before ending the connection to a directly-attached BGP4 neighbor that dies. For directly attached neighbors, the router immediately senses loss of a connection to the neighbor from a change of state of the port or interface that connects the router to its neighbor.
Syntax: [no] maximum-paths

The parameter specifies the maximum number of paths across which the BigIron RX can balance traffic to a given BGP4 destination. You can change the maximum number of paths to a value from 2 – 8. The default is 1.

Treating missing MEDs as the worst MEDs

By default, the BigIron RX favors a lower MED over a higher MED during MED comparison.
By default, load sharing applies to EBGP and IBGP paths, and does not apply to paths from different neighboring ASs.

Configuring BGP4 neighbors

The BGP4 protocol does not contain a peer discovery process. Therefore, for each of the router’s BGP4 neighbors (peers), you must indicate the neighbor’s IP address and the AS each neighbor is in. Neighbors that are in different ASs communicate using EBGP. Neighbors within the same AS communicate using IBGP.
[remove-private-as] [route-map in | out ] [route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive hold-time ] [unsuppress-map ] [update-source | ethernet / | loopback | ve ] [weight ]

The | parameter indicates whether you are configuring an individual neighbor or a peer group.
ebgp-multihop [] specifies that the neighbor is more than one hop away and that the session type with the neighbor is thus EBGP-multihop. This option is disabled by default. The parameter specifies the TTL you are adding for the neighbor. You can specify a number from 0 – 255. The default is 0. If you leave the EBGP TTL value set to 0, the software uses the IP TTL value.

filter-list in | out specifies an AS-path filter list or a list of AS-path ACLs.
NOTE
If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior. If you specify encryption option 1, the software assumes that you are entering the encrypted form of the password or authentication string.
unsuppress-map removes route suppression from a neighbor’s routes when those routes have been suppressed due to aggregation. Refer to “Removing route dampening from suppressed neighbor routes” on page 765.

update-source | ethernet / | loopback | ve configures the router to communicate with the neighbor through the specified interface. There is no default.
BigIron RX(config)# ip prefix-list Unsuppress1 permit 209.1.44.0/24
BigIron RX(config)# route-map RouteMap1 permit 1
BigIron RX(config-routemap RouteMap1)# match prefix-list Unsuppress1
BigIron RX(config-routemap RouteMap1)# exit
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# neighbor 10.1.0.2 unsuppress-map RouteMap1
BigIron RX(config-bgp)# clear ip bgp neighbor 10.1.0.2 soft-out

The ip prefix-list command configures an IP prefix list for network 209.1.44.
Encryption example

The following commands configure a BGP4 neighbor and a peer group, and specify MD5 authentication strings (passwords) for authenticating packets exchanged with the neighbor or peer group.

BigIron RX(config-bgp)# local-as 2
BigIron RX(config-bgp)# neighbor xyz peer-group
BigIron RX(config-bgp)# neighbor xyz password abc
BigIron RX(config-bgp)# neighbor 10.10.200.102 peer-group xyz
BigIron RX(config-bgp)# neighbor 10.10.200.
of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication. If you accidentally enter option 1 followed by the clear-text version of the password or string, authentication will fail because the value used by the software will not match the value you intended to use.
Configuring a BGP4 peer group

• You must configure a peer group before you can add neighbors to the peer group.
• If you remove a parameter from a peer group, the value for that parameter is reset to the default for all the neighbors within the peer group, unless you have explicitly set that parameter on individual neighbors.
The parameter specifies the name of the group and can be up to 80 characters long. The name can contain special characters and internal blanks. If you use internal blanks, you must use quotation marks around the name. For example, the command neighbor “My Three Peers” peer-group is valid, but the command neighbor My Three Peers peer-group is not valid.
The parameter specifies the IP address of the neighbor. The parameter specifies the peer group name.

NOTE
You must add the peer group before you can add neighbors to it.

Administratively shutting down a session with a BGP4 neighbor
You can prevent the device from starting a BGP4 session with a neighbor by administratively shutting down the neighbor.
The is the network number and the specifies the network mask. The route-map parameter specifies the name of the route map you want to use to set or change BGP4 attributes for the network you are advertising. The route map must already be configured; otherwise, the default action is to deny redistribution. The weight parameter specifies a weight to be added to routes to this network.
BigIron RX(config-bgp)# next-hop-enable-default

Syntax: [no] next-hop-enable-default

Enabling next-hop recursion
For each BGP4 route a BigIron RX learns, the device performs a route lookup to obtain the IP address of the route’s next hop. A BGP4 route becomes eligible for installation into the IP route table only if the following conditions are true:
• The lookup succeeds in obtaining a valid next-hop IP address for the route.
BigIron RX# show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix             Next Hop         Metric   LocPrf   Weight
1   0.0.0.0/0          10.1.0.2         0        100      0
    AS_PATH: 65001 4355 701 80
2   102.0.0.0/24       10.0.0.1         1        100      0
    AS_PATH: 65001 4355 1
3   104.0.0.0/24       10.1.0.2         0        100      0
    AS_PATH: 65001 4355 701 1 189
4   240.0.0.0/24       102.0.0.1        1        100      0
    AS_PATH: 65001 4355 3356 7170 1455
5   250.0.0.0/24       209.
BigIron RX# show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix             Next Hop         Metric   LocPrf
1   0.0.0.0/0          10.1.0.2         0        100
    AS_PATH: 65001 4355 701 80
2   102.0.0.0/24       10.0.0.1         1        100
    AS_PATH: 65001 4355 1
3   104.0.0.0/24       10.1.0.2         0        100
    AS_PATH: 65001 4355 701 1 189
4   240.0.0.0/24       102.0.0.1        1        100
    AS_PATH: 65001 4355 3356 7170 1455
5   250.0.0.0/24       209.157.24.
BigIron RX# show ip route 240.0.0.0/24
Total number of IP routes: 38
    Network Address    Gateway      Port   Cost   Type
    240.0.0.0          10.0.0.1     1/1    1      B
    AS_PATH: 65001 4355 1

This BigIron RX can use this route because the device has an IP route to the next-hop gateway. Without recursive next-hop lookups, this route would not be in the IP route table.

Enabling recursive next-hop lookups
The recursive next-hop lookups feature is disabled by default.
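The lookup described above, as an added illustration in Python (not the BigIron RX implementation): the two BGP4 routes and their next hops come from the show ip bgp route output, while the directly connected networks 10.0.0.0/24 and 10.1.0.0/24 are assumptions needed to make those next hops resolvable.

```python
"""Recursive next-hop lookup for BGP4 routes.

Added illustration, not the BigIron RX implementation. It models the rule
described above: a BGP4 route is eligible for the IP route table only if
its next hop resolves to a gateway on a directly connected network, either
directly (recursion off) or through another route (recursion on).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    gateway: Optional[IPv4Addr]  # None means the network is directly connected
    rtype: str                   # "D" for direct, "B" for BGP4 (as in the show output)


def route(prefix: str, gateway: Optional[str], rtype: str) -> Route:
    return Route(IPv4Net(prefix), IPv4Addr(gateway) if gateway else None, rtype)


# Constructed sample table. The two BGP4 routes and their next hops are taken
# from the show ip bgp route output above; the two directly connected
# networks are assumptions needed to make those next hops resolvable.
SAMPLE_TABLE = [
    route("10.0.0.0/24", None, "D"),
    route("10.1.0.0/24", None, "D"),
    route("102.0.0.0/24", "10.0.0.1", "B"),   # AS_PATH: 65001 4355 1
    route("240.0.0.0/24", "102.0.0.1", "B"),  # next hop is itself a BGP4 route
]


def longest_match(table: list[Route], addr: IPv4Addr) -> Optional[Route]:
    """Return the most specific route covering addr, or None."""
    covering = [r for r in table if addr in r.prefix]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def resolve_next_hop(table: list[Route], next_hop: str, recursive: bool,
                     max_depth: int = 8) -> Optional[str]:
    """Resolve a BGP4 next hop to a directly reachable gateway address.

    Returns the gateway as a string, or None when the route is not eligible
    for installation. max_depth bounds the walk so that a table in which two
    routes point at each other's next hops cannot loop forever.
    """
    hop = IPv4Addr(next_hop)
    for _ in range(max_depth):
        r = longest_match(table, hop)
        if r is None:
            return None                 # no route at all to the next hop
        if r.gateway is None:
            return str(hop)             # hop lies on a connected network
        if not recursive:
            return None                 # would need a second lookup
        hop = r.gateway                 # follow the resolving route's gateway
    return None


def installable_bgp_prefixes(table: list[Route], recursive: bool) -> list[str]:
    """Prefixes of the BGP4 routes that would reach the IP route table."""
    return [str(r.prefix) for r in table
            if r.rtype == "B" and r.gateway is not None
            and resolve_next_hop(table, str(r.gateway), recursive) is not None]
```

With recursion off only 102.0.0.0/24 is installable; with recursion on, 240.0.0.0/24 resolves through it to gateway 10.0.0.1, which is what the show ip route output above shows.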
Modifying redistribution parameters

The static parameter indicates that you are redistributing static routes into BGP.

Redistributing connected routes
To configure BGP4 to redistribute directly connected routes, enter the following command.

BigIron RX(config-bgp)# redistribute connected

Syntax: redistribute connected [metric ] [route-map ]

The connected parameter indicates that you are redistributing routes to directly attached devices into BGP4.
The match internal | external1 | external2 parameter applies only to OSPF. This parameter specifies the types of OSPF routes to be redistributed into BGP4. The default is internal.

NOTE
If you do not enter a value for the match parameter (for example, you enter redistribute ospf only), then only internal OSPF routes will be redistributed.

The metric parameter changes the metric. You can specify a value from 0 – 4294967295. The default is not assigned.
The metric parameter changes the metric. You can specify a value from 0 – 4294967295. The default is 0. The route-map parameter specifies a route map to be consulted before adding the static route to the BGP4 route table. The route map you specify must already be configured on the router. Refer to “Defining route maps” on page 791 for information about defining route maps.
NOTE
Generally, you should set the Hold Time to three times the value of the Keep Alive Time.

NOTE
You can override the global Keep Alive Time and Hold Time on individual neighbors. Refer to “Configuring BGP4 neighbors” on page 761 and “Configuring a BGP4 peer group” on page 768.

To change the Keep Alive Time to 30 and Hold Time to 90, enter the following command.
NOTE
A BigIron RX uses the same router ID for both OSPF and BGP4. If the router is already configured for OSPF, you may want to use the router ID that is already in use on the router rather than set a new one. To display the router ID, enter the show ip CLI command at any CLI level.

To change the router ID, enter a command such as the following.

BigIron RX(config)# ip router-id 209.157.22.26

Syntax: ip router-id

The can be any valid, unique IP address.
• Set the maximum number of paths. The default maximum number of BGP4 load sharing paths is 1, which means no BGP4 load sharing takes place by default. Refer to “Changing the maximum number of shared BGP4 paths” on page 759.

NOTE
The maximum number of BGP4 load sharing paths cannot be greater than the maximum number of IP load sharing paths.
Configuring route reflection parameters

• A route reflector client is an IGP router identified as a member of a cluster. You identify a router as a route reflector client on the router that is the route reflector, not on the client. The client itself requires no additional configuration. In fact, the client does not know that it is a route reflector client. The client just knows that it receives updates from its neighbors and does not know whether one or more of those neighbors are route reflectors.
• If a device receives a route whose ORIGINATOR_ID attribute has the value of the device’s own router ID, the device discards the route and does not advertise it. By discarding the route, the device prevents a routing loop.
• The first time a route is reflected by a device configured as a route reflector, the route reflector adds the CLUSTER_LIST attribute to the route.
Filtering

• “Using a table map to set the tag value” on page 779
• “Configuring cooperative BGP4 route filtering” on page 799

Filtering AS-paths
You can filter updates received from BGP4 neighbors based on the contents of the AS-path list accompanying the updates. For example, if you want to deny routes that have the AS 4.3.2.1 in the AS-path from entering the BGP4 route table, you can define a filter to deny such routes.
The neighbor command uses the filter-list parameter to apply the AS-path ACL to the neighbor. Refer to “Configuring BGP4 neighbors” on page 761 and “Configuring a BGP4 peer group” on page 768.

Using regular expressions
You use a regular expression for the parameter to specify a single character or multiple characters as a filter pattern. If the AS-path matches the pattern specified in the regular expression, the filter evaluation is true; otherwise, the evaluation is false.
TABLE 119 BGP4 special characters for regular expressions (Continued)
Character – Operation
_ – An underscore matches on one or more of the following:
• , (comma)
• { (left curly brace)
• } (right curly brace)
• ( (left parenthesis)
• ) (right parenthesis)
• The beginning of the input string
• The end of the input string
• A blank space
For example, the following regular expression matches on “100” but not on “1002”, “2100”, and so on.
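The underscore semantics from Table 119, as an added Python example (not Brocade's implementation): it translates an AS-path regular expression into a Python regex and evaluates an AS-path filter list against AS_PATH strings of the kind shown in the show ip bgp route output. The pattern _100_, the sample AS paths, the sample filter list, and the first-match-wins / implicit-deny evaluation are assumptions for the illustration.

```python
"""AS-path regular expressions with the underscore anchor.

Added example, not Brocade's implementation. It gives "_" the meaning the
table above describes: a comma, curly brace, parenthesis, blank space, or
the beginning or end of the AS-path string, and uses it to evaluate an
AS-path filter list against AS_PATH strings like those in the show output.
"""
import re

# One "_" stands for a single delimiter character or the start/end of input.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def translate_as_path_regex(pattern: str) -> str:
    """Convert a BGP4 AS-path regex into an equivalent Python regex.

    Only "_" needs translation; the other special characters (^ $ . * + ? [ ] |)
    already have the same meaning in Python. A backslash-escaped character is
    copied through untouched so that "\\_" still means a literal underscore.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])
            i += 2
            continue
        out.append(UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the AS-path string matches the pattern anywhere."""
    return re.search(translate_as_path_regex(pattern), as_path) is not None


def evaluate_filter_list(entries, as_path: str) -> bool:
    """Evaluate an ordered AS-path filter list; True means the route is permitted.

    entries is a list of (action, pattern) with action "permit" or "deny".
    First-match-wins and an implicit deny when nothing matches are assumed
    here; they are the usual ACL semantics, not something the page states.
    """
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


# Constructed AS_PATH strings in the form the show ip bgp route output uses.
SAMPLE_AS_PATHS = [
    "65001 4355 701 80",
    "65001 4355 1",
    "65001 4355 3356 7170 1455",
    "(65002) 65001 4355 2548 3561",   # confederation segment in parentheses
]

# Constructed filter list: deny anything that transited AS 3356, permit the rest.
SAMPLE_FILTER = [("deny", "_3356_"), ("permit", ".*")]


def permitted_paths(entries=SAMPLE_FILTER, as_paths=SAMPLE_AS_PATHS):
    """Return the sample AS paths that the sample filter list lets through."""
    return [p for p in as_paths if evaluate_filter_list(entries, p)]
```

The pattern _100_ matches "100" and "65001 100 80" but neither "1002" nor "2100", because a plain "100" without the anchors would match inside "1002" and "2100" as well.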
Filtering communities
You can filter routes received from BGP4 neighbors based on community names. A community is an optional attribute that identifies the route as a member of a user-defined class of routes. Community names are arbitrary values made of two five-digit integers joined by a colon. You determine what the name means when you create the community name as one of a route’s attributes. Each string in the community name can be a number from 0 – 65535.
The seq parameter is optional and specifies the community list’s sequence number. You can configure up to 199 entries in a community list. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with number 5. The software interprets the entries in a community list in numerical order, beginning with the lowest sequence number.
The seq parameter is optional and specifies the IP prefix list’s sequence number. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with prefix list entry 5. The software interprets the prefix list entries in numerical order, beginning with the lowest sequence number. The deny | permit parameter specifies the action the software takes if a neighbor’s route is in this prefix list.
Defining route maps
A route map is a named set of match conditions and parameter settings that the router can use to modify route attributes and to control redistribution of the routes into other protocols. A route map consists of a sequence of instances. If you think of a route map as a table, an instance is a row in that table. The router evaluates a route according to a route map’s instances in ascending numerical order.
• Set the MED (metric).
• Set the IP address of the next hop router.
• Set the origin to IGP or INCOMPLETE.
• Set the weight.

For example, when you configure parameters for redistributing routes into BGP, one of the optional parameters is a route map. If you specify a route map as one of the redistribution parameters, the router will match the route against the match statements in the route map.
Specifying the match conditions
Use the following command to define the match conditions for instance 1 of the route map GET_ONE. This instance compares the route updates against BGP4 address filter 11.

BigIron RX(config-routemap GET_ONE)# match address-filters 11

Syntax: match [as-path ] | [address-filters | as-path-filters | community-filters
The next-hop parameter compares the IP address of the route’s next hop to the specified IP address filters. The filters must already be configured. The route-type internal | external-type1 | external-type2 parameter applies only to OSPF routes. This parameter compares the route’s type to the specified value. The level-1 parameter compares ISIS routes only with routes within the same area.
Matching based on next-hop router
You can use the results of an IP ACL or an IP prefix list as the match condition. To construct a route map that matches based on the next-hop router, enter commands such as the following.
The parameter specifies the name of a community list ACL. You can specify up to five ACLs. Separate the ACL names or IDs with spaces.

Here is another example.

BigIron RX(config)# ip community-list standard std_2 permit 23:45 56:78
BigIron RX(config)# route-map bgp3 permit 1
BigIron RX(config-routemap bgp3)# match community std_1 std_2 exact-match

These commands configure an additional community ACL, std_2, that contains community numbers 23:45 and 57:68.
The dampening [ ] parameter sets route dampening parameters for the route. The parameter specifies the number of minutes after which the route’s penalty becomes half its value. The parameter specifies how low a route’s penalty must become before the route becomes eligible for use again after being suppressed. The parameter specifies how high a route’s penalty can become before the device suppresses the route.
BigIron RX(config)# access-list 1 permit 192.168.9.0 0.0.0.255
BigIron RX(config)# route-map bgp4 permit 1
BigIron RX(config-routemap bgp4)# match ip address 1
BigIron RX(config-routemap bgp4)# set metric-type internal

The first command configures an ACL that matches on routes with destination network 192.168.9.0.
Configuring cooperative BGP4 route filtering
By default, the device performs all filtering of incoming routes locally, on the device itself. You can use cooperative BGP4 route filtering to cause the filtering to be performed by a neighbor before it sends the routes to the device. Cooperative filtering conserves resources by eliminating unnecessary route updates and filter processing.
Syntax: [no] neighbor | capability orf prefixlist [send | receive]

The | parameter specifies the IP address of a neighbor or the name of a peer group of neighbors.

The send | receive parameter specifies the support you are enabling:
• send – The device sends the IP prefix lists to the neighbor.
• receive – The device accepts filters from the neighbor.

If you do not specify the capability, both capabilities are enabled.
• The cooperative filtering configuration on the device.
• The ORFs received from neighbors.

To display the cooperative filtering configuration on the device, enter a command such as the following. The line shown in bold type shows the cooperative filtering status.

BigIron RX# show ip bgp neighbor 10.10.10.1
1   IP Address: 10.10.10.1, AS: 65200 (IBGP), RouterID: 10.10.10.
NOTE
The BigIron RX applies route flap dampening only to routes learned from EBGP neighbors.

The route flap dampening mechanism is based on penalties. When a route exceeds a configured penalty value, the device stops using that route and also stops advertising it to other routers. The mechanism also allows a route’s penalties to reduce over time if the route’s stability improves.
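The penalty mechanism just described, together with the half-life, reuse and suppress parameters explained under the dampening route-map option above, as an added Python model (not Brocade's code): the penalty of 1000 per flap and the sample timer values (15-minute half-life, reuse limit 750, suppress limit 2000) are assumptions for the illustration, not values from this guide.

```python
"""Route flap dampening penalty model.

Added example, not Brocade's code. It models the mechanism described in the
two passages above: each flap adds a penalty, the penalty decays so that it
halves every half-life period, a route is suppressed once its penalty exceeds
the suppress limit, and it is reusable again once the penalty decays below
the reuse limit. The penalty of 1000 per flap and the timer values in the
sample are assumptions for the illustration.
"""
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0   # assumed penalty added for each flap


@dataclass
class DampenedRoute:
    half_life_min: float      # minutes after which the penalty halves
    reuse_limit: float        # penalty below which a suppressed route is reused
    suppress_limit: float     # penalty above which the route is suppressed
    penalty: float = 0.0
    last_update_min: float = 0.0
    suppressed: bool = False

    def _decay_to(self, now_min: float) -> None:
        """Apply exponential decay for the time elapsed since the last update."""
        elapsed = now_min - self.last_update_min
        self.penalty *= 0.5 ** (elapsed / self.half_life_min)
        self.last_update_min = now_min

    def flap(self, now_min: float) -> float:
        """Record a flap (withdraw and re-advertise) and return the new penalty."""
        self._decay_to(now_min)
        self.penalty += FLAP_PENALTY
        if self.penalty > self.suppress_limit:
            self.suppressed = True   # stop using and stop advertising the route
        return self.penalty

    def usable(self, now_min: float) -> bool:
        """True if the device would use (and advertise) the route at now_min."""
        self._decay_to(now_min)
        if self.suppressed and self.penalty < self.reuse_limit:
            self.suppressed = False  # stability improved enough to reuse it
        return not self.suppressed


def minutes_until_reuse(penalty: float, reuse_limit: float, half_life_min: float) -> float:
    """How long a suppressed route stays unusable, starting from a given penalty."""
    if penalty <= reuse_limit:
        return 0.0
    return half_life_min * math.log2(penalty / reuse_limit)


def simulate(flap_times_min, half_life_min=15.0, reuse_limit=750.0,
             suppress_limit=2000.0):
    """Replay a constructed flap history; return (suppressed_at, usable_again_at).

    suppressed_at is the time of the flap that pushed the route over the
    suppress limit (None if that never happened); usable_again_at is the first
    whole minute at or after the last flap at which usable() is true again.
    """
    r = DampenedRoute(half_life_min, reuse_limit, suppress_limit)
    suppressed_at = None
    for t in flap_times_min:
        r.flap(t)
        if r.suppressed and suppressed_at is None:
            suppressed_at = t
    if suppressed_at is None:
        return None, None
    t = math.ceil(max(flap_times_min))
    while not r.usable(t):
        t += 1
    return suppressed_at, t
```

Three flaps one minute apart push the penalty past 2000 on the third flap; with a 15-minute half-life it then takes 30 minutes of stability for the penalty to fall below 750 and the route to be reused.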
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# address-filter 9 permit 209.157.22.0 255.255.255.0 255.255.255.0 255.255.255.0
BigIron RX(config-bgp)# address-filter 10 permit 209.157.23.0 255.255.255.0 255.255.255.0 255.255.255.
BigIron RX(config-routemap DAMPENING_MAP_NEIGHBOR_A)# exit
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# dampening route-map DAMPENING_MAP_ENABLE
BigIron RX(config-bgp)# neighbor 10.10.10.1 route-map in DAMPENING_MAP_NEIGHBOR_A

In this example, the first command globally enables route flap dampening. This route map does not contain any match or set statements.
BigIron RX# show ip bgp flap-statistics
Total number of flapping routes: 414
    Status Code >:best d:damped h:history *:valid
    Network             From              Flaps   Since
h>  192.50.206.0/23     166.90.213.77     1       0 :0 :13
h>  203.255.192.0/20    166.90.213.77     1       0 :0 :13
h>  203.252.165.0/24    166.90.213.77     1       0 :0 :13
h>  192.50.208.0/23     166.90.213.77     1       0 :0 :13
h>  133.33.0.0/16       166.90.213.77     1       0 :0 :13
*>  204.17.220.0/24     166.90.213.
Clearing route flap dampening statistics

NOTE
Clearing the dampening statistics for a route does not change the dampening status of the route.

To clear all the route dampening statistics, enter the following command at any level of the CLI.
Using soft reconfiguration
The soft reconfiguration feature places policy changes into effect without resetting the BGP4 session. Soft reconfiguration does not request the neighbor or group to send its entire BGP4 table, nor does the feature reset the session with the neighbor or group. Instead, the soft reconfiguration feature stores all the route updates received from the neighbor or group.
NOTE
The syntax related to soft reconfiguration is shown. For complete command syntax, refer to “Dynamically refreshing routes” on page 809.

Displaying the filtered routes received from the neighbor or peer group
When you enable soft reconfiguration, the device saves all updates received from the specified neighbor or peer group. This includes updates that contain routes that are filtered out by the BGP4 route policies in effect on the device.
BigIron RX# show ip bgp neighbor 192.168.4.106 routes
There are 97345 received routes from neighbor 192.168.4.106
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
    Prefix             Next Hop         Metric   LocPrf   Weight   Status
1   3.0.0.0/8          192.168.4.106             100      0        BE
    AS_PATH: 65001 4355 701 80
2   4.0.0.0/8          192.168.4.106             100      0        BE
    AS_PATH: 65001 4355 1
3   4.60.212.0/22      192.168.4.
To request a dynamic refresh of all routes from a neighbor, enter a command such as the following.

BigIron RX(config-bgp)# clear ip bgp neighbor 192.168.1.170 soft in

This command asks the neighbor to send its BGP4 table (Adj-RIB-Out) again. The device applies its filters to the incoming routes and adds, modifies, or removes BGP4 routes as necessary.
To place a new or changed outbound policy or filter into effect, you must enter a clear ip bgp neighbor command regardless of whether the neighbor session is up or down. You can enter the command without optional parameters or with the soft out or soft-outbound option. Either way, you must specify a parameter for the neighbor (, , , or all).
If you make changes to filters or route maps and the neighbor does not support dynamic route refresh, use these methods to ensure that neighbors contain only the routes you want them to contain.
• If you close a neighbor session, the device and the neighbor clear all the routes they learned from each other. When the device and neighbor establish a new BGP4 session, they exchange route tables again.
BigIron RX# clear ip bgp neighbor 10.0.0.1 traffic

To clear the BGP4 message counter for all neighbors within a peer group, enter a command such as the following.

BigIron RX# clear ip bgp neighbor PeerGroup1 traffic

Syntax: clear ip bgp neighbor all | | | traffic

The all | | | specifies the neighbor. The parameter specifies a neighbor by its IP interface with the device.
Clearing diagnostic buffers
The BigIron RX stores the following BGP4 diagnostic information in buffers:
• The first 400 bytes of the last packet received that contained an error
• The last NOTIFICATION message either sent or received by the device

To display these buffers, use options with the show ip bgp neighbors command. Refer to “Displaying BGP4 neighbor information” on page 819.
Displaying BGP4 information

Displaying summary BGP4 information
You can display the local AS number, the maximum number of routes and neighbors supported, and some BGP4 statistics. To view summary BGP4 information for the router, enter the following command at any CLI prompt.

BigIron RX# show ip bgp summary
  BGP4 Summary
  Router ID: 101.0.0.
TABLE 121 BGP4 summary information (Continued)
This field... – Displays...
Number of Attribute Entries Installed – The number of BGP4 route-attribute entries in the router’s route-attributes table. To display the route-attribute table, refer to “Displaying BGP4 route-attribute entries” on page 837.
Neighbor Address – The IP addresses of this router’s BGP4 neighbors.
AS# – The AS number.
State – The state of this router’s neighbor session with each neighbor.
TABLE 121 BGP4 summary information (Continued)
This field... – Displays...
Sent – The number of BGP4 routes that the device has sent to the neighbor.
ToSend – The number of routes the device has queued to send to this neighbor.

Displaying the active BGP4 configuration
To view the active BGP4 configuration information contained in the running configuration without displaying the entire running configuration, enter the following command at any level of the CLI.
BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 routes-summary
1   IP Address: 192.168.4.
TABLE 122 BGP4 route summary information for a neighbor (Continued)
This field... – Displays...
NLRIs Discarded due to – Indicates the number of times the device discarded an NLRI for the neighbor due to the following reasons:
• Maximum Prefix Limit – The device’s configured maximum prefix amount had been reached.
• AS Loop – An AS loop occurred. An AS loop occurs when the BGP4 AS-path attribute contains the local AS number.
BigIron RX(config-bgp)# show ip bgp neighbor 10.4.0.2
1   IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1
    Description: neighbor 10.4.0.
The attribute-entries option shows the attribute-entries associated with routes received from the neighbor. The flap-statistics option shows the route flap statistics for routes received from or sent to the neighbor. The last-packet-with-error option displays the last packet from the neighbor that contained an error. The packet’s contents are displayed in decoded (human-readable) format.
TABLE 123 BGP4 neighbor information (Continued)
This field... – Displays...
Description – The description you gave the neighbor when you configured it on the device.
State – The state of the router’s session with the neighbor. The states are from this router’s perspective of the session, not the neighbor’s perspective.
TABLE 123 BGP4 neighbor information (Continued)
This field... – Displays...
DefaultOriginate – Whether this option is enabled for the neighbor.
MaximumPrefixLimit – Lists the maximum number of prefixes the device will accept from this neighbor.
RemovePrivateAs – Whether this option is enabled for the neighbor.
RefreshCapability – Whether this device has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability.
TABLE 123 BGP4 neighbor information (Continued)
This field... – Displays...
Last Connection Reset Reason – The reason the previous session with this neighbor ended.
TABLE 123 BGP4 neighbor information (Continued)
This field... – Displays...
Notification Sent – If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
TABLE 123 BGP4 neighbor information (Continued)
This field... – Displays...
TCP Connection state – The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
TABLE 123 BGP4 neighbor information (Continued)
This field... – Displays...
TotalRcv – The number of sequence numbers received from the neighbor.
DupliRcv – The number of duplicate sequence numbers received from the neighbor.
RcvWnd – The size of the receive window.
SendQue – The number of sequence numbers in the send queue.
RcvQue – The number of sequence numbers in the receive queue.
CngstWnd – The number of times the window has changed.
This display shows the following information.

TABLE 124 BGP4 route summary information for a neighbor
This field... – Displays...
Routes Received – How many routes the device has received from the neighbor during the current BGP4 session.
• Accepted/Installed – Indicates how many of the received routes the device accepted and installed in the BGP4 route table.
TABLE 124 BGP4 route summary information for a neighbor (Continued)
This field... – Displays...
NLRIs Sent in Update Message – The number of NLRIs for new routes the device has sent to this neighbor in UPDATE messages.
• Withdraws – The number of routes the device has sent to the neighbor to withdraw.
• Replacements – The number of routes the device has sent to the neighbor to replace routes the neighbor already has.
Displaying the adj-RIB-out for a neighbor
To display the device’s current BGP4 Routing Information Base (Adj-RIB-Out) for a specific neighbor and a specific destination network, enter a command such as the following at any level of the CLI.

BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 rib-out-routes 192.168.1.0/24
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST I:IBGP L:LOCAL
    Prefix             Next Hop         Metric   LocPrf   Weight   Status
1   200.1.1.0/24       0.0.0.
This display shows the following information.

TABLE 125 BGP4 summary route information
This field... – Displays...
Total number of BGP routes (NLRIs) Installed – The number of BGP4 routes the device has installed in the BGP4 route table.
Distinct BGP destination networks – The number of destination networks the installed routes represent. The BGP4 route table can have multiple routes to the same network.
Syntax: show ip bgp routes [[network] ] | | [age ] | [as-path-access-list ] | [best] | [cidr-only] | [community | no-export | no-advertise | internet | local-as] | [community-access-list ] | [community-list | [detail
The unreachable option displays the routes that are unreachable because the device does not have a valid RIP, OSPF, or static route to the next hop.

Displaying the best BGP4 routes
To display all the BGP4 routes in the device’s BGP4 route table that are the best routes to their destinations, enter a command such as the following at any level of the CLI.

BigIron RX(config-bgp)# show ip bgp routes best
Searching for matching routes, use ^C to quit...
BigIron RX(config-bgp)# show ip bgp 9.3.4.0
Number of BGP Routes matching display condition : 1
Status codes: s suppressed, d damped, h history, * valid, >
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network            Next Hop         Metric   LocPrf   Weight
*>  9.3.4.0/24         192.168.4.106             100      0
    Last update to IP routing table: 0h11m38s, 1 path(s)
      Gateway          Port
      192.168.2.1      2/1
    Route is advertised to 1 peers: 20.20.20.
TABLE 126 BGP4 network information (Continued)
This field... – Displays...
Path – The route’s AS path.
NOTE: This field appears only if you do not enter the route option.
Origin code – A character the display uses to indicate the route’s origin. The origin code appears to the right of the AS path (Path field). The origin codes are described in the command’s output.
NOTE: This field appears only if you do not enter the route option.
These displays show the following information.

TABLE 127 BGP4 route information
This field... – Displays...
Total number of BGP Routes – The number of BGP4 routes.
Status codes – A list of the characters the display uses to indicate the route’s status. The status code appears in the left column of the display, to the left of each route. The status codes are described in the command’s output.
Prefix – The network prefix and mask length.
TABLE 127 BGP4 route information (Continued)
This field... – Displays...
Origin – The source of the route information. The origin can be one of the following:
• EGP – The routes with this set of attributes came to BGP through EGP.
• IGP – The routes with this set of attributes came to BGP through IGP.
• INCOMPLETE – The routes came from an origin other than one of the above. For example, they may have been redistributed from OSPF or RIP.
BigIron RX# show ip bgp attribute-entries
Total number of BGP Attribute Entries: 7753
1   Next Hop    :192.168.11.1    Metric    :0    Originator:0.0.0.0
    Cluster List:None
    Aggregator:AS Number :0      Router-ID:0.0.0.0
    Local Pref:100    Communities:Internet
    AS Path     :(65002) 65001 4355 2548 3561 5400 6669 5548
2   Next Hop    :192.168.11.1    Metric    :0    Originator:0.0.0.0
    Cluster List:None
    Aggregator:AS Number :0      Router-ID:0.0.0.
TABLE 128 BGP4 route-attribute entries information (Continued)
This field... – Displays...
Communities – The communities that routes with this set of attributes are in.
AS Path – The ASs through which routes with this set of attributes have passed. The local AS is shown in parentheses.

Displaying the routes BGP4 has placed in the IP route table
The IP route table indicates the routes it has received from BGP4 by listing “BGP” as the route type.
The parameter specifies a particular route. If you also use the optional longer-prefixes parameter, then all statistics for routes that match the specified route or have a longer prefix than the specified route are displayed. For example, if you specify 209.157.0.0 longer, then all routes with the prefix 209.157 or that have a longer prefix (such as 209.157.22) are displayed.

 match address-filters 11
 set community 11:12 no-export
route-map permit1122 permit 12
 match ip address 11
route-map permit1122 permit 13
 match ip address std_22

This example shows that the running configuration contains six route maps. Notice that the match and set statements within each route map are listed beneath the command for the route map itself. In this simplified example, each route map contains only one match or set statement.
NOTE
After configuring BGP Graceful Restart, you need to reset the neighbor session, whether or not the neighbor session is up, to enable BGP graceful restart. Use the clear ip bgp neighbor command to clear and re-establish neighbor sessions.

Configuring BGP graceful restart on a router
Use the following command to enable the BGP graceful restart feature on a BigIron RX Switch.
Router 1

BigIron RX(config)#router bgp
BigIron RX(config-bgp)#local-as 100
BigIron RX(config-bgp)#graceful-restart
BigIron RX(config-bgp)#neighbor 12.2.0.14 remote-as 200
BigIron RX(config-bgp)#write memory

Router 2

BigIron RX(config)#router bgp
BigIron RX(config-bgp)#local-as 200
BigIron RX(config-bgp)#graceful-restart
BigIron RX(config-bgp)#neighbor 12.1.0.14 remote-as 100
BigIron RX(config-bgp)#neighbor 12.3.0.
Generalized TTL security mechanism support

BigIron RX# show ip bgp neighbor 11.11.11.2
1   IP Address: 11.11.11.2, Remote AS: 101 (EBGP), RouterID: 101.101.101.
Syntax: [no] neighbor | ebgp-btsh

NOTE
For GTSM protection to work properly, it must be enabled on both the Brocade device and the neighbor.
Chapter 27

Configuring MBGP

This chapter provides details on how to configure Multi-protocol Border Gateway Protocol (MBGP). MBGP is an extension to BGP that allows a router to support separate unicast and multicast topologies. BGP4 cannot support a multicast network topology that differs from the network’s unicast topology. MBGP allows you to support a multicast topology that is distinct from the network’s unicast topology.
Configuration considerations
• MBGP does not redistribute DVMRP routes. It redistributes static routes only.
• You cannot redistribute MBGP routes into BGP4.
• The BigIron RX supports 8192 multicast routes by default. You may need to increase the maximum number of multicast routes for MBGP. You can configure the device to support up to 153,600 multicast routes.

Configuring MBGP
1. Optional – Set the maximum number of multicast routes supported by the BigIron RX.
2.
Enabling MBGP
To enable MBGP, you must enable PIM SM or DM and BGP4. Enter commands such as the following.
BigIron RX> enable
BigIron RX# configure terminal
BigIron RX(config)# router pim
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-1/1)# ip address 1.1.1.1/24
BigIron RX(config-if-1/1)# ip pim
BigIron RX(config-if-1/1)# exit
BigIron RX(config)# router bgp
BGP4: Please configure 'local-as' parameter in order to enable BGP4.
[password [0 | 1] ] [prefix-list in | out] [remote-as ] [remove-private-as] [route-map in | out ] [route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive hold-time ] [update-source loopback ] [weight ]
The | parameter indicates whether you are configuring an individual neighbor or a peer group.
Configuring a network prefix to advertise
By default, the BigIron RX advertises MBGP routes only for the networks you identify using the network command or that are redistributed into MBGP from IP multicast route tables.
NOTE
The exact route must exist in the IP multicast route table so that the device can create a local MBGP route.
To configure the device to advertise network 207.95.22.0/24 as a multicast route, enter the following command.
BigIron RX(config-bgp-ipv4m)# network 207.
NOTE
The route map you specify must already be configured.

Configuring static IP multicast routes
To configure static IP multicast routes, enter commands such as the following.
BigIron RX(config)# ip mroute 207.95.10.0 255.255.255.0 interface ethernet 1/2
BigIron RX(config)# ip mroute 0.0.0.0 0.0.0.0 interface ethernet 2/3
The commands in this example configure two static multicast routes. The first route is for a specific source network, 207.95.10.0/24.
The and parameters specify the aggregate value for the networks. The as-set parameter causes the router to aggregate AS-path information for all the routes in the aggregate address into a single AS-path. The summary-only parameter prevents the router from advertising more specific routes contained within the aggregate route. The suppress-map parameter prevents the more specific routes contained in the specified route map from being advertised.
BigIron RX# show ip mbgp summary
BGP4 Summary
Router ID: 9.9.9.1   Local AS Number : 200
Confederation Identifier : not configured
Confederation Peers:
Maximum Number of Paths Supported for Load Sharing : 1
Number of Neighbors Configured : 1, UP: 1
Number of Routes Installed : 5677
Number of Routes Advertising to All Neighbors : 5673
Number of Attribute Entries Installed : 3
Neighbor Address   AS#   State   Time   Rt:Accepted   Filtered   Sent
166.1.1.
Displaying MBGP neighbors
To view MBGP neighbor information, including the values for all the configured parameters, enter the following command. This display is similar to the show ip bgp neighbor display but has additional fields that apply only to MBGP. These fields are shown in bold type in the example and are explained below.
NOTE
The display shows all the configured parameters for the neighbor.
The parameter specifies the neighbor's IP address.

Displaying MBGP routes
To display the MBGP route table, enter the following command.
BigIron RX#show ip mbgp route
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
       Prefix           Next Hop        Metric   LocPrf   Weight   Status
1      8.8.8.0/24       166.1.1.2       0        100      0        BI
       AS_PATH:
2      31.1.1.0/24      166.1.1.
Chapter 28 Configuring IS-IS (IPv4)
The Intermediate System to Intermediate System (IS-IS) protocol is a link-state Interior Gateway Protocol (IGP) based on the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Open Systems Interconnection (OSI) model. In IS-IS, an intermediate system (router) is designated as either a Level 1 or Level 2 router. A Level 1 router routes traffic only within the area in which the router resides.
• If the path provided by IS-IS has the lowest administrative distance, then the CPU places that IS-IS path in the IP route table.
• If a path to the same destination supplied by another protocol has a lower administrative distance, the CPU installs the other protocol's path in the IP route table instead.
The administrative distance is a protocol-independent value from 1 – 255.
NOTE
Since the Brocade implementation of IS-IS does not route OSI traffic but instead routes IP traffic, IP hosts are shown instead of ESs.
The other basic IS-IS concepts illustrated in this figure are explained in the following sections.

Domain and areas
IS-IS is an IGP, and thus applies only to routes within a single routing domain. However, you can configure multiple areas within a domain.
The Designated IS is elected based on the priority of each IS in the broadcast network. When an IS becomes operational, it sends a Level-1 or Level-2 Hello PDU to advertise itself to other ISs. If the IS is configured to be both a Level-1 and a Level-2 IS, it sends a separate advertisement for each level.
• The Level-1 IS that has the highest priority becomes the Level-1 Designated IS for the broadcast network.
Route calculation and selection
Each IS runs a Shortest Path First (SPF) algorithm to calculate paths to destination ISs and ESs. The SPF algorithm uses the Link State PDUs (LSPDUs) received from other ISs as input and produces the paths as output. After calculating the paths, the IS selects the best paths and places them in the IS-IS route table. The device uses the following process to select the best paths.
1.
BigIron RX(config)#router isis
BigIron RX(config-isis-router)#
Syntax: [no] router isis
The (config-isis-router)# prompt indicates that you are at the global level for IS-IS. Configurations you enter at this level apply to both IS-IS IPv4 and IS-IS IPv6.

Address family configuration level
The BigIron RX implementation of IS-IS includes the address family configuration level.
Configuring IPv4 IS-IS
Enabling IS-IS globally
To configure IPv4 IS-IS, do the following.
1. Globally enable IS-IS by entering the following command.
BigIron RX(config)# router isis
ISIS: Please configure NET!
Once you enter router isis, the device enters the IS-IS router configuration level.
Syntax: [no] router isis
To disable IS-IS, use the no form of this command.
2. If you have not already configured a NET for IS-IS, enter commands such as the following.
• Change the default metric.
• Add, change, or negate route redistribution parameters.
Some IS-IS parameter changes take effect immediately, while others do not take full effect until you disable and then re-enable route redistribution.

Globally configuring IS-IS on a device
This section describes how to change the global IS-IS parameters. These parameter settings apply to both IS-IS IPv4 and IS-IS IPv6, although IPv6 is currently not supported.
The on-startup parameter specifies the number of seconds following a reload during which the overload bit stays set. You can specify 0 or a number from 5 – 86400 (24 hours). The default is 0, which means the device starts performing IS-IS routing immediately following a successful software reload.

Configuring authentication
By default, the BigIron RX does not authenticate packets sent to or received from ESs or other ISs.
Changing the IS-IS Level globally
By default, a BigIron RX can operate as both a Level-1 and a Level-2 IS-IS router. To globally change the level supported from Level-1 and Level-2 to Level-1 only, enter the following command.
BigIron RX(config-isis-router)# is-type level-1
Syntax: [no] is-type level-1 | level-1-2 | level-2
The level-1 | level-1-2 | level-2 parameter specifies the IS-IS type.
BigIron RX(config-isis-router)# csnp-interval 15
Syntax: [no] csnp-interval
The parameter specifies the interval and can be from 0 – 65535 seconds. The default is 10 seconds.
NOTE
Although the command name is csnp-interval, the interval also applies to PSNPs.

Changing the maximum LSP lifetime
The maximum LSP lifetime is the maximum number of seconds an un-refreshed LSP can remain in the device's LSP database.
The parameter specifies the minimum refresh interval and can be from 1 – 120 seconds. The default is 10 seconds.

Changing the LSP interval and retransmit interval
The LSP interval is the rate, in milliseconds, at which the device transmits LSPs. The retransmit interval is the time the device waits before it retransmits an LSP. To define an LSP interval, enter a command such as the following.
The padding consists of arbitrarily valued octets. A padded hello PDU indicates the largest PDU that the device can receive. Other ISs that receive a padded hello PDU from the device can therefore ensure that the IS-IS PDUs they send to the device do not exceed that size. Similarly, if the device receives a padded hello PDU from a neighbor IS, the device knows the maximum size PDU that it can send to the neighbor.
Configuring IPv4 address family route parameters
This section describes how to modify the IS-IS parameters for the IS-IS IPv4 unicast address family. To enter the IPv4 unicast address family, refer to “Address family configuration level” on page 862.

Changing the metric style
The metric style specifies the Type-Length-Value (TLV) fields an IS-IS LSP can carry.
NOTE
This feature requires the presence of a default route in the IPv4 route table.
To enable the device to advertise a default route that is originated at Level 2, enter the following command at the IPv4 IS-IS unicast address family configuration level.
BigIron RX(config-isis-router-ipv4u)# default-information-originate
This command enables the device to advertise a default route into the IPv4 IS-IS area to which the device is attached.
For example, if the router has a path from RIP, from OSPF, and from IPv4 IS-IS to the same destination, and all the paths are using their protocols' default administrative distances, the router selects the OSPF path, because that path has a lower administrative distance than the RIP and IPv4 IS-IS paths.
The level-1 | level-1-2 | level-2 parameter specifies the route types to which the aggregate route applies. The default is level-2.

Redistributing routes into IPv4 IS-IS
To redistribute routes into IPv4 IS-IS, you can perform the following configuration tasks:
• Change the default redistribution metric (optional).
• Configure the redistribution of a particular route type into IPv4 IS-IS (mandatory).
The parameter specifies the default metric. You can specify a value from 0 – 65535. The default is 0. To restore the default value for the default metric, enter the no form of this command.

Redistributing static IPv4 routes into IPv4 IS-IS
To redistribute static IPv4 routes from the IPv4 static route table into IPv4 IS-IS routes, enter the following command at the IPv4 IS-IS unicast address family configuration level.
Redistributing RIP routes into IPv4 IS-IS
To redistribute RIP routes into IPv4 IS-IS, enter the following command at the IPv4 IS-IS unicast address family configuration level.
BigIron RX(config-isis-router-ipv4u)# redistribute rip
This command configures the device to redistribute all RIP routes into Level-2 IS-IS.
Redistributing IPv4 IS-IS routes within IPv4 IS-IS
In addition to redistributing routes from other route sources into IPv4 IS-IS, the BigIron RX can redistribute Level 1 IPv4 IS-IS routes into Level 2 IPv4 IS-IS routes, and Level 2 IPv4 IS-IS routes into Level 1 IPv4 IS-IS routes. By default, the device redistributes routes from Level 1 into Level 2.
NOTE
The BigIron RX advertises an IS-IS interface to its area regardless of whether adjacency formation is enabled.
To disable IS-IS adjacency formation on an interface, enter commands such as the following.
BigIron RX(config)# interface ethernet 2/8
BigIron RX(config-if-e1000-2/8)# isis passive
This command disables IS-IS adjacency formation on port 2/8.
The parameter specifies the password. You can enter an alphanumeric string up to 80 characters long. The password can contain blank spaces. If you use a blank space in the password, you must use quotation marks (“ ”) around the entire password; for example, isis password “admin 2”.
NOTE
IS-IS simple-password authentication carries the password in clear text inside every hello PDU and LSP. It guards against unintended adjacencies and misconfiguration, not against an attacker who can observe or inject traffic on the link.

Changing the IS-IS level on an interface
The section “Changing the IS-IS Level globally” on page 866 explains how to change the IS-IS level globally.
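The following is an added example, not code from the Brocade guide or its IS-IS implementation. It shows what isis password actually puts on the wire: a Level-1 LAN hello (IIH) is built as a sending IS would build it, with an Area Addresses TLV and the ISO 10589 Authentication Information TLV (type 10, authentication type 1, clear-text password), and then parsed the way a receiving IS, or anyone sniffing the LAN, would parse it. The system ID, LAN ID, hold time and password are constructed sample values; the system ID matches the one in the guide's show isis hostname output.

```python
"""Added example, not code from the Brocade guide: what "isis password"
puts on the wire. IS-IS simple-password authentication (ISO 10589
Authentication Information TLV, type 10, authentication type 1) carries
the configured password in clear text in every hello PDU and LSP. This
builds a Level-1 LAN hello (IIH) the way a sending IS would and parses it
the way a receiving IS, or anyone sniffing the LAN, would. System ID,
LAN ID and password are constructed sample values."""
import struct

ISIS_IRPD = 0x83                 # intradomain routing protocol discriminator (ISO 10589)
PDU_L1_LAN_IIH = 15              # PDU type: Level-1 LAN IS-IS hello
TLV_AREA_ADDRESSES = 1
TLV_AUTHENTICATION = 10
AUTH_CLEAR_TEXT = 1              # authentication type 1 = clear-text password
IIH_FIXED_HEADER_LEN = 8 + 19    # common header + LAN IIH fixed fields


def tlv(tlv_type, value):
    """Encode one TLV: 1-byte type, 1-byte length, value."""
    if len(value) > 255:
        raise ValueError("TLV value too long")
    return bytes([tlv_type, len(value)]) + value


def build_l1_lan_hello(system_id, lan_id, hold_time, priority, password,
                       area=b"\x01\x49"):
    """Build a Level-1 LAN IIH with an Area Addresses TLV and a clear-text
    Authentication TLV. `area` is one area entry: a length byte then the
    address bytes (area 49, as in the guide's show isis database output)."""
    tlvs = tlv(TLV_AREA_ADDRESSES, area)
    tlvs += tlv(TLV_AUTHENTICATION, bytes([AUTH_CLEAR_TEXT]) + password.encode())
    pdu_len = IIH_FIXED_HEADER_LEN + len(tlvs)
    # common header: IRPD, header length, version/protocol-id extension (1),
    # ID length (0 = 6-byte system IDs), PDU type, version (1), reserved,
    # maximum area addresses (0 = default of 3)
    common = bytes([ISIS_IRPD, IIH_FIXED_HEADER_LEN, 1, 0, PDU_L1_LAN_IIH, 1, 0, 0])
    # LAN IIH fixed part: circuit type (1 = Level-1 only), source ID (6),
    # holding time (2), PDU length (2), priority (1), LAN ID (7)
    fixed = struct.pack("!B6sHHB7s", 1, system_id, hold_time, pdu_len, priority, lan_id)
    return common + fixed + tlvs


def parse_tlvs(pdu):
    """Validate the headers of a Level-1 LAN IIH and return {tlv_type: value}."""
    if pdu[0] != ISIS_IRPD or (pdu[4] & 0x1F) != PDU_L1_LAN_IIH:
        raise ValueError("not a Level-1 LAN IIH")
    pdu_len = struct.unpack("!H", pdu[17:19])[0]
    if pdu_len != len(pdu):
        raise ValueError("PDU length field does not match PDU size")
    tlvs, pos = {}, pdu[1]           # header length byte says where the TLVs start
    while pos + 2 <= len(pdu):
        tlv_type, length = pdu[pos], pdu[pos + 1]
        tlvs[tlv_type] = pdu[pos + 2:pos + 2 + length]
        pos += 2 + length
    return tlvs


def check_hello_auth(pdu, configured_password):
    """Receiver side: accept the hello only if TLV 10 carries the configured password."""
    auth = parse_tlvs(pdu).get(TLV_AUTHENTICATION)
    if not auth or auth[0] != AUTH_CLEAR_TEXT:
        return False
    return auth[1:] == configured_password.encode()


def sniff_password(pdu):
    """What a passive listener on the LAN recovers from the same PDU: the password."""
    auth = parse_tlvs(pdu).get(TLV_AUTHENTICATION, b"")
    if auth[:1] != bytes([AUTH_CLEAR_TEXT]):
        return None
    return auth[1:].decode()


# constructed sample: the guide's example system ID and the password "admin 2"
SAMPLE_HELLO = build_l1_lan_hello(
    system_id=bytes.fromhex("bbbbccccdddd"),
    lan_id=bytes.fromhex("bbbbccccdddd01"),
    hold_time=30, priority=64, password="admin 2")

if __name__ == "__main__":
    print("accepted with the configured password:", check_hello_auth(SAMPLE_HELLO, "admin 2"))
    print("accepted with a wrong password:", check_hello_auth(SAMPLE_HELLO, "secret"))
    print("recovered from the wire:", sniff_password(SAMPLE_HELLO))
```

The receiver-side check and the sniffer read exactly the same bytes, which is the point: the check stops a mis-cabled or misconfigured neighbor from forming an adjacency, but anyone who captures one hello has the password and can form one at will.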
The parameter specifies the interval, and can be from 1 – 65535 seconds. The default is 10 seconds. The level-1 | level-2 parameter applies the change to only the level you specify. If you do not use this parameter, the change applies to both levels.

Changing the hello multiplier
The hello multiplier is the number by which an IS-IS interface multiplies the hello interval to obtain the hold time for Level-1 and Level-2 IS-to-IS hello PDUs.
The level-1 | level-2 parameter applies the change to only the level you specify. If you do not use this parameter, the change applies to both levels.
BigIron RX# show isis hostname
Total number of entries in IS-IS Hostname Table: 1
    System ID          Hostname
* = local IS
*   bbbb.cccc.dddd     RX
Syntax: show isis hostname
The table in this example contains one mapping, for this device. The device's IS-IS system ID is “bbbb.cccc.dddd” and its hostname is “RX”. The display contains one entry for each IS that supports name mapping.
NOTE
Name mapping is enabled by default.
TABLE 132 IS-IS neighbor information (Continued)
This field... Displays...
Type  The IS-IS type of the adjacency. The type can be one of the following:
  • ISL1 – Level-1 IS
  • ISL2 – Level-2 IS
  • ES – ES
  NOTE: The device forms a separate adjacency for each IS-IS type. Thus, if the device has both types of IS-IS adjacencies with the neighbor, the display contains a separate row of information for each adjacency.
TABLE 133 IS-IS Syslog messages
Message level  Message  Explanation
Alert  ISIS MEMORY USE EXCEEDED  IS-IS is requesting more memory than is available.
Notification  ISIS L1 ADJACENCY DOWN on interface  The device's adjacency with this Level-1 IS has gone down. The is the system ID of the IS. The is the ID of the interface over which the adjacency was established.
BigIron RX# show isis interface
Total number of IS-IS Interfaces: 1
Interface: Eth 7/1
  Circuit State: UP          Circuit Mode: LEVEL-1-2
  Circuit Type: BCAST        Passive State: FALSE
  Circuit Number: 0x01, MTU: 1497
  Authentication password: None
  Level-1 Metric: 10, Level-1 Priority: 64
  Level-1 Hello Interval: 10   Level-1 Hello Multiplier: 3
  Level-1 Designated IS: RX-01   Level-1 DIS Changes: 8
  Level-2 Metric: 10, Level-2 Priority: 64
  Level-2 Hello Interval: 10   Level-2 Hello Multiplier:
TABLE 134 IS-IS Interface information (Continued)
This field... Displays...
Passive State  The passive state determines whether the interface is allowed to form an IS-IS adjacency with the IS at the other end of the circuit. The state can be one of the following:
  • FALSE – The passive option is disabled. The interface can form an adjacency with the IS at the other end of the link.
  • TRUE – The passive option is enabled.
TABLE 134 IS-IS Interface information (Continued)
This field... Displays...
Bad LSP  The number of times the interface received a bad LSP from an IS at the other end of the circuit. The following conditions can cause an LSP to be bad:
  • Invalid checksum
  • Invalid length
  • Invalid lifetime value
Control Messages Sent  The number of IS-IS control PDUs sent on this interface.
Control Messages Received  The number of IS-IS control PDUs received on this interface.
TABLE 135 IS-IS route information (Continued)
This field... Displays...
Cost  The IS-IS default metric for the route, which is the cost of using this route to reach the next-hop router to this destination.
Type  The route type, which can be one of the following:
  • L1 – Level-1 route
  • L2 – Level-2 route
Tag  The tag value associated with the route.
Path  The path number in the table.
The parameter displays summary information about a particular LSP. Specify an LSPID for which you want to display information in HHHH.HHHH.HHHH.HH-HH format, for example, 3333.3333.3333.00-00. You can also enter name.HH-HH, for example, RX.00-00.
The detail parameter displays detailed information about the LSPs. Refer to “Displaying detailed information” on page 888.
The l1 and level1 parameters display the Level-1 LSPs only. You can use either parameter.
BigIron RX# show isis database detail
IS-IS Level-1 Link State Database
LSPID          LSP Seq Num   LSP Checksum   LSP Holdtime
RX.00-00*      0x0000000b    0x23fb         971
  Area Address: 49
  NLPID: CC(IP)
  Hostname: RX
  Metric: 10   IP-Internal 4.1.1.0/24   Up-bit: 0
  Metric: 10   IS RX.01
IS-IS Level-2 Link State Database
LSPID          LSP Seq Num   LSP Checksum   LSP Holdtime
RX.00-00*      0x0000000d    0x7d97         903
  Area Address: 49
  NLPID: CC(IP)
  Hostname: RX
  IP address: 4.1.1.1
  Metric: 10   IP-Internal 4.1.1.
TABLE 137 IS-IS detailed LSP database information (Continued)
This field... Displays...
IP address  The IP address of the interface that sent the LSP. The device can use this address as the next hop in routes to the addresses listed in the rows below.
Destination addresses  The rows of information below the IP address row are the destinations advertised by the LSP. The device can reach these destinations by using the IP address listed above as the next hop.
TABLE 138 IS-IS traffic statistics
This field... Displays...
Level-1 Hellos  The number of Level-1 hello PDUs sent and received by the device.
Level-2 Hellos  The number of Level-2 hello PDUs sent and received by the device.
Level-1 LSP  The number of Level-1 link-state PDUs sent and received by the device.
Level-2 LSP  The number of Level-2 link-state PDUs sent and received by the device.
TABLE 139 IS-IS error statistics (Continued)
This field... Displays...
LSP Sequence Number Skipped  The number of times the device received an LSP with a sequence number that was more than 1 higher than the sequence number of the previous LSP received from the same neighbor.
LSP Max Sequence Number Exceeded  The number of times the device attempted to set an LSP sequence number to a value higher than the highest number in the CSNP sent by the Designated IS.
The neighbor parameter closes the device's adjacencies with its IS-IS neighbors and clears the neighbor statistics.
The route [ | / ] parameter clears the IS-IS route table or the specified matching route.
The traffic parameter clears the PDU statistics.
NOTE
The traffic option also clears the values displayed in the show isis interface command's Control Messages Sent and Control Messages Received fields.
Chapter 29 Bidirectional Forwarding Detection (BFD)
The BigIron RX provides support for Bidirectional Forwarding Detection (BFD) in Version 02.6.00 of the Multi-Service IronWare software. BFD defines a method of rapid detection of the failure of a forwarding path by checking that the next-hop router is alive.
Configuring BFD parameters
When you configure BFD, you must set timing and interval parameters. These are configured on each interface. When two adjacent interfaces are configured with BFD, they negotiate the conditions for determining whether the connection between them is still active. The following command is used to set the BFD parameters.
Displaying Bidirectional Forwarding Detection information
You can display Bidirectional Forwarding Detection (BFD) information for the router you are logged in to and for BFD-configured neighbors, as described in the following sections.

Displaying BFD information on a router
The following example illustrates the output from the show bfd command.
TABLE 140 Display of BFD information (Continued)
This field... Displays...
BFD Enabled ports count  The number of ports on the router that have been enabled for BFD.
Port  The port that BFD is enabled on.
MinTx  The minimum interval, in milliseconds, at which this router wants to send BFD messages from this port to its peer.
MinRx  The minimum interval, in milliseconds, at which this router wants to receive BFD messages from its peer on this port.
TABLE 142 Display of BFD information
This field... Displays...
Total number of Neighbor entries  The number of neighbors that have established BFD sessions with ports on this router.
NeighborAddress  The IPv4 or IPv6 address of the remote peer.
State  The current state of the BFD session:
  • UP – Up
  • DOWN – Down
  • A.DOWN – The administrative down state.
  • INIT – The Init state.
  • UNKNOWN – The current state is unknown.
TABLE 143 Display of BFD neighbor detail information (Continued)
This field... Displays...
Interval  The interval at which the local router sends BFD messages to the remote peer.
RH  Heard from remote.
Registered Protocols  Specifies which protocols are registered to use BFD on this port.
Local Disc  Value of the “local discriminator” field in the BFD Control Message as used by the local router in the last message sent.
TABLE 143 Display of BFD neighbor detail information (Continued)
This field... Displays...
LastSessionDownTimestamp  The system time at which the session last transitioned from the UP state to some other state.
Physical Port  The physical port on which the peer is known.
Vlan Id  The VLAN ID of the VLAN that the physical port is resident on.
Enabling or disabling BFD for OSPFv2 for a specific interface
You can selectively enable or disable BFD on any OSPFv2 interface as shown in the following.
BigIron RX(config-if-e1000-3/1)# ip ospf bfd
Syntax: ip ospf bfd [disable]
The disable option disables BFD for OSPFv2 on the interface.
Enabling or disabling BFD for IS-IS for a specific interface
You can selectively enable or disable BFD on any IS-IS interface as shown in the following.
BigIron RX(config-if-e1000-3/1)# isis bfd
Syntax: isis bfd [disable]
The disable option disables BFD for IS-IS on the interface.
Chapter 30 Configuring Secure Shell
Overview of Secure Shell (SSH)
Secure Shell (SSH) is a mechanism for allowing secure remote access to management functions on a BigIron RX. SSH provides a function similar to Telnet. Users can log into and configure the device using a publicly or commercially available SSH client program, just as they can with Telnet. However, unlike Telnet, which provides no security, SSH provides a secure, encrypted connection to the device. SSHv2 is supported on the device.
• Van Dyke SecureCRT 4.0 and 4.1
• F-Secure SSH Client 5.3 and 6.0
• PuTTY 0.54 and 0.56
• OpenSSH 3.5_p1 and 3.6.1p2
• Solaris Sun-SSH-1.0

Supported features
The SSH server allows secure remote access to management functions on a device. SSH provides a function that is similar to Telnet, but unlike Telnet, SSH provides a secure, encrypted connection.
SSHv2 support includes the following:
• The following encryption cipher algorithms are supported.
1. Generate a host DSA public and private key pair for the device.
2. Configure DSA challenge-response authentication.
3. Set optional parameters.
You can also view information about active SSH connections on the device, as well as terminate them.

Generating a host key pair
When SSH is configured, a public and private host DSA key pair is generated for the device.
Providing the public key to clients
If you are using SSH to connect to a device from a UNIX system, you may need to add the device's public key to a “known hosts” file; for example, $HOME/.ssh/known_hosts. The following is an example of an entry in a known hosts file.
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET
W6ToHv8D1UJ/z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH
YI14Om1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv
wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v
GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA
vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB
AN7CY+KKv1gHpRzFwdQm7
BigIron RX# show ip client-pub-key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET
W6ToHv8D1UJ/z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH
YI14Om1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv
wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v
GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA
vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80q
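The following is an added example, not code from the Brocade guide or from the device's SSH server. The client public key the device displays above is in the RFC 4716 "SSH2 PUBLIC KEY" format, whereas OpenSSH clients keep a key as a single "ssh-dss AAAA... comment" line; the two formats carry the same base64 key blob. The code converts between the two and computes the SHA256 fingerprint of the blob, which is what a practitioner compares before loading a client key onto the device or trusting a known_hosts entry. SAMPLE_BLOB is a constructed ssh-dss blob in the correct wire encoding (algorithm name plus the p, q, g, y mpints) but with toy numbers, so it parses and fingerprints like a real key while being useless for signing. RFC 4716 header continuation lines (a trailing backslash) are not handled, which is an assumption of this example.

```python
"""Added example, not from the Brocade guide or its SSH server. Converts a
client public key between the RFC 4716 "SSH2 PUBLIC KEY" block the device
shows and the one-line OpenSSH form, and computes the SHA256 fingerprint
of the key blob. SAMPLE_BLOB is a constructed ssh-dss blob with toy
numbers: correct encoding, not a usable key."""
import base64
import hashlib
import textwrap

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(n):
    """RFC 4251 'mpint' for a positive integer (extra 0x00 byte if the high bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_string(buf, pos):
    """Decode one SSH string at `pos`; returns (bytes, next position)."""
    n = int.from_bytes(buf[pos:pos + 4], "big")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def key_type(blob):
    """The algorithm name is the first string in the blob, e.g. 'ssh-dss'."""
    name, _ = read_string(blob, 0)
    return name.decode()


def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def openssh_to_rfc4716(line, comment="DSA Public Key"):
    """'ssh-dss <base64> [comment]' -> RFC 4716 text with a Comment header."""
    parts = line.split()
    blob = base64.b64decode(parts[1])
    if key_type(blob) != parts[0]:
        raise ValueError("key type inside the blob does not match the line")
    body = textwrap.wrap(base64.b64encode(blob).decode(), 70)  # RFC 4716: lines of at most 72 chars
    return "\n".join([RFC4716_BEGIN, f"Comment: {comment}", *body, RFC4716_END])


def rfc4716_to_openssh(text):
    """RFC 4716 text -> 'type <base64>'. Header lines (Comment:, Subject:) are
    dropped; base64 never contains ':' so the test is unambiguous. Header
    continuation lines (trailing backslash) are not supported here."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != RFC4716_BEGIN or lines[-1] != RFC4716_END:
        raise ValueError("not an RFC 4716 public key")
    body = [l for l in lines[1:-1] if ":" not in l]
    blob = base64.b64decode("".join(body))
    return f"{key_type(blob)} {base64.b64encode(blob).decode()}"


# constructed sample: ssh-dss with toy p, q, g, y values (not a real key)
SAMPLE_BLOB = (ssh_string(b"ssh-dss") + ssh_mpint(0xC3) + ssh_mpint(0x05)
               + ssh_mpint(0x02) + ssh_mpint(0x7F))
SAMPLE_OPENSSH_LINE = "ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode() + " terry@client"

if __name__ == "__main__":
    print(openssh_to_rfc4716(SAMPLE_OPENSSH_LINE))
    print(fingerprint(SAMPLE_BLOB))
```

To check a key a colleague sends you against what the device reports, run fingerprint() over the blob decoded from either format; the fingerprint is over the blob alone, so the comment line and the line wrapping make no difference.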
With DSA challenge-response authentication, a collection of clients' public keys are stored on the device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
Setting the SSH login timeout value
When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects. You can change this timeout value to between 1 – 120 seconds. For example, to change the timeout value to 60 seconds.
Filtering SSH access using ACLs
You can permit or deny SSH access to the device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL or a named standard IPv4 ACL. Then enter commands such as the following.
BigIron RX(config)# access-list 10 permit host 192.168.144.241
BigIron RX(config)# access-list 10 deny host 192.168.144.
BigIron RX#show who
Console connections:
  established, monitor enabled, in config mode
  2 minutes 17 seconds in idle
Telnet connections (inbound):
  1 closed
  2 closed
  3 closed
  4 closed
  5 closed
Telnet connection (outbound):
  6 closed
SSH connections:
  1 established, client ip address 192.168.144.241,
    1 minutes 16 seconds in idle
  2 established, client ip address 192.168.144.241, you are connecting to this session
    18 seconds in idle
  3 established, client ip address 192.168.144.
NOTE
When using SCP, you enter the scp commands on the SCP-enabled client, rather than the console on the device.
NOTE
Certain SCP client options, including -p and -r, are ignored by the SCP server on the device. If an option is ignored, the client is notified.
To copy a configuration file (c:\cfg\foundry.cfg) to the running configuration file on a device at 192.168.1.50 and log in as user terry, enter the following command on the SCP-enabled client.
C:\> scp c:\cfg\foundry.
Chapter 31 Configuring Multi-Device Port Authentication
How multi-device port authentication works
Multi-device port authentication is a way to configure a BigIron RX to forward or block traffic from a MAC address based on information received from a RADIUS server. Multi-device port authentication is supported in the device software release 02.2.01 and later.
Authentication-failure actions
If the MAC address does not match the username and password of an entry in the users database on the RADIUS server, then the RADIUS server returns an Access-Reject message. When this happens, it is considered an authentication failure for the MAC address.
Support for authenticating multiple MAC addresses on an interface
The multi-device port authentication feature allows multiple MAC addresses to be authenticated or denied authentication on each interface. The maximum number of MAC addresses that can be authenticated on each interface is 256. The default is 32.

Support for multi-device port authentication and 802.1x on the same interface
On the BigIron RX, multi-device port authentication and 802.
You can enable the feature on an interface at the interface CONFIG level.

Configuring an authentication method list for 802.1x
To use 802.1x port security, you must specify an authentication method to be used to authenticate Clients. Brocade supports RADIUS authentication with 802.1x port security. To use RADIUS authentication with 802.1x port security, you create an authentication method list for 802.
• FilterId (11) – RFC 2865
• Vendor-Specific Attributes (26) – RFC 2865
• Tunnel-Type (64) – RFC 2868
• Tunnel-Medium-Type (65) – RFC 2868
• EAP-Message (79) – RFC 2869
• Tunnel-Private-Group-Id (81) – RFC 2868

Specifying the format of the MAC addresses sent to the RADIUS server
When multi-device port authentication is configured, the device authenticates MAC addresses by sending username and password information to a RADIUS server.
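The following is an added example, not code from the Brocade guide or from any RADIUS server. With multi-device port authentication the switch sends the MAC address as both User-Name and User-Password in a RADIUS Access-Request, in the xxxx.xxxx.xxxx format the guide shows as the default. The code builds that request as RFC 2865 specifies, hiding User-Password with the MD5-based scheme keyed on the shared secret and the Request Authenticator, and then decodes it the way the server does. The MAC, shared secret, identifier, NAS port and authenticator are constructed values; sending Calling-Station-Id as an upper-case dashed MAC is the usual NAS convention and is assumed here rather than taken from the guide. The decode makes the security property plain: the "password" is the MAC, which every frame from the host already carries, so this scheme identifies devices rather than authenticating them.

```python
"""Added example, not from the Brocade guide or any RADIUS server. Builds
the Access-Request a switch doing MAC authentication sends (User-Name and
User-Password both the MAC, hidden per RFC 2865 section 5.2) and decodes
it as the server would. All sample values are constructed."""
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5
ATTR_CALLING_STATION_ID = 31


def format_mac(mac, style="xxxx.xxxx.xxxx"):
    """Normalise a MAC and render it in the guide's default username format
    (xxxx.xxxx.xxxx, lowercase) or the dashed form used for Calling-Station-Id."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    if style == "xxxx.xxxx.xxxx":
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    if style == "xx-xx-xx-xx-xx-xx":
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError(f"unknown style: {style}")


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: zero-pad to a multiple of 16, then XOR each 16-byte chunk
    with MD5(secret + previous ciphertext chunk), seeded with the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: regenerate the same mask stream from the ciphertext chunks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """RFC 2865 attribute: type, total length (value + 2), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_mac_auth_request(mac, secret, identifier, authenticator, nas_port):
    """Access-Request as the switch would send it for a MAC it has not seen."""
    username = format_mac(mac).encode()
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(username, secret, authenticator))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + attribute(ATTR_CALLING_STATION_ID,
                         format_mac(mac, "xx-xx-xx-xx-xx-xx").upper().encode()))
    header = struct.pack("!BBH16s", ACCESS_REQUEST, identifier, 20 + len(attrs), authenticator)
    return header + attrs


def parse_access_request(packet, secret):
    """Server side: split the attributes and recover the clear-text password."""
    code, _ident, length, authenticator = struct.unpack("!BBH16s", packet[:20])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    attrs[ATTR_USER_PASSWORD] = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return attrs


# constructed sample values; a real client draws a fresh 16-byte random authenticator per request
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_MAC = "00:11:22:AA:BB:CC"

if __name__ == "__main__":
    pkt = build_mac_auth_request(SAMPLE_MAC, SAMPLE_SECRET, 7, SAMPLE_AUTHENTICATOR, 1)
    print(parse_access_request(pkt, SAMPLE_SECRET))
```

Because User-Name, User-Password and Calling-Station-Id all derive from the same MAC, a host that spoofs an already-authenticated MAC produces an identical request; pair this feature with 802.1x where the endpoint can support it, as the guide's next section describes.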
BigIron RX(config)# interface e 3/1
BigIron RX(config-if-e100-3/1)# mac-authentication auth-fail-action block-traffic
Syntax: [no] mac-authentication auth-fail-action block-traffic
Dropping traffic from non-authenticated MAC addresses is the default behavior when multi-device port authentication is enabled.

Defining MAC address filters
You can specify MAC addresses that do not have to go through multi-device port authentication.
If a previous authentication attempt for a MAC address failed, and as a result the port was placed in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS Access-Accept message may specify a VLAN for the port. By default, the device moves the port out of the restricted VLAN and into the RADIUS-specified VLAN.
BigIron RX(config)# interface e 3/1
BigIron RX(config-if-e100-3/1)# mac-auth move-back-to-old-vlan port-restrict-vlan

Syntax: [no] mac-authentication move-back-to-old-vlan disable | port-configured-vlan | port-restrict-vlan | system-default-vlan

The disable keyword disables moving the port back to its original VLAN. The port would stay in its RADIUS-assigned VLAN.
This command removes the Layer 2 CAM entry created for the specified MAC address. If the device receives traffic from the MAC address again, the MAC address is authenticated again.

Disabling aging for authenticated MAC addresses
MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no traffic is received from the MAC address for a certain period of time.
To change the length of the software aging period for blocked MAC addresses, enter a command such as the following.

BigIron RX(config)# mac-authentication max-age 180

Syntax: [no] mac-authentication max-age

You can specify from 1 – 65535 seconds. The default is 120 seconds.
Displaying multi-device port authentication configuration information
To display a summary of the multi-device port authentication settings that have been configured on the device, enter the following command.

BigIron RX# show auth-mac configuration
Feature enabled          : Yes
Global Fail-VLAN Id      : None
Username/Password format : xxxx.xxxx.
TABLE 146 Output from the show auth-mac-address configuration command (Continued)

This field...        Displays...
Override Restricted  Whether or not a port in a restricted VLAN (due to a failed authentication) is removed from the restricted VLAN on a subsequent successful authentication on the port.
Revert VLAN          The VLAN that the port reverts to when the RADIUS-assigned dynamic VLAN expires.
TABLE 147 Output from the show authenticated-mac-address command (Continued)

This field...           Displays...
Override-restrict-vlan  Whether a port can be dynamically assigned to a VLAN specified by a RADIUS server, if the port had been previously placed in the restricted VLAN because a previous attempt at authenticating a MAC address on that port failed.
TABLE 148 Output from the show auth-mac-address command

This field...   Displays...
MAC/IP Address  The MAC address for which information is displayed. If the packet for which multi-device port authentication was performed also contained an IP address, then the IP address is displayed as well.
Port            The port on which the MAC address was learned.
VLAN            The VLAN to which the MAC address was assigned.

Chapter 32 Using the MAC Port Security Feature and Transparent Port Flooding

This chapter discusses the MAC Port Security and transparent port flooding features.

MAC Port Security
The MAC Port Security feature restricts unauthorized access to an interface by limiting and identifying MAC addresses that are allowed to access an Ethernet interface on a device. You can configure the BigIron RX with a limited number of “secure” MAC addresses on an interface.
Local and global resources
The MAC Port Security feature uses a concept of local and global “resources” to determine how many MAC addresses can be secured on each interface. In this context, a “resource” is the ability to store one secure MAC address entry. Each interface is allocated 64 local resources. When the MAC Port Security feature is enabled, the interface can store up to 64 secure MAC addresses using local resources.
To disable the feature on all interfaces at once, enter the following commands.

BigIron RX(config)# global-port-security
BigIron RX(config-port-security)# no enable

Syntax: [no] global-port-security
Syntax: [no] enable

Enabling MAC Port Security on an interface
To enable the feature on a specific interface, enter commands such as the following.
Specifying static secure MAC addresses
Static secure MAC addresses can be specified only on an interface. The number of static secure MAC addresses you can add depends on the maximum number of MAC addresses allowed on an interface. The maximum is 64. To specify a secure MAC address on an interface, enter commands such as the following.
You can specify 15 – 1440 minutes. By default, secure MAC addresses are not autosaved to the startup-config file.

Setting the MAC Port Security age timer
By default, the learned MAC addresses stay secure indefinitely. The entries are cleared only when MAC Port Security is disabled or a clear port-secure command is issued. You can optionally configure the device to age out secure MAC addresses after a specified amount of time.
• Deny the packet from the unauthorized MAC address, but allow packets from secure MAC addresses.

These actions can be configured on the global or interface level. The violation action on the global level is not used if a violation action is configured on an interface level.

Shutdown the interface
By default, the device shuts down the interface on the first violation.
BigIron RX(config)# int e 7/11
BigIron RX(config-if-e100-7/11)# port security
BigIron RX(config-port-security-e100-7/11)# violation restrict 3200

Syntax: violation restrict [<#-denied-packets-processed> | force]

Enter 1 – 64000 for #-denied-packets-processed. There is no default.
However, when deny-log-rate is configured, as in the following configuration:

interface ethernet 14/1
 disable
 port security
  enable
  maximum 5
  violation restrict 1000
  deny-log-rate 4
  secure-mac-address 0000.0022.2222 10
  secure-mac-address 0000.0022.2223 10
  secure-mac-address 0000.0022.2224 10
  secure-mac-address 0000.0022.2225 10
  secure-mac-address 0000.0022.2226 10

The following Syslog messages are generated.

Mar 10 17:38:51:I:Port security denied pkt: 198.19.1.2 -> 198.19.1.
• If shutdown or restrict is the violation action configured at the global level and no violation action is configured at the interface level, then the interface inherits the secure MAC list configured at the global level.
• If deny is the violation action at the global level and no violation action is configured at the interface level, then the interface inherits the global deny MAC list.
• If the violation action configured for an interface is the same as the action the interface is currently inheriting from the global level, then the violation action for the interface is applied to the interface. It no longer inherits the action at the global level.

Re-enabling an interface
The violation shutdown and violation restrict actions have options that can be configured to cause an interface to shut down.
BigIron RX# show port security
Port   Security   MacAddrs     Violation            PortShutdn(minutes)   SecureMac   Learn
       Learn      Learnt/Max   Total/Count/Type     Status/Time/Remain    AgeTime
-----  ---------  -----------  -------------------  --------------------  ----------  -----
1/1    disabled   0/1          0/ 0/shutdown        no/permanent          permanent   yes
1/2    disabled   0/1          0/ 0/shutdown        no/permanent          permanent   yes
1/3    disabled   0/1          0/ 0/shutdown        no/permanent          permanent   yes
1/4    disabled   0/1          0/ 0/shutdown        no/permanent          permanent   yes
1/
TABLE 150 Output from the show port security mac command

This field...        Displays...
Port                 The slot and port number of the interface.
Count                The number of MAC addresses secured on this interface.
Secure-Src-Addr (S)  The secure MAC address. (S) means "secure".
VLAN                 ID of the VLAN to which the interface is assigned.
Age-Left             The number of minutes the MAC address will remain secure.
TABLE 152 Output from the show port security statistics command (Continued)

This field...         Displays...
Total violations      The number of security violations encountered on the module.
Total shutdown ports  The number of interfaces on the module shut down as a result of security violations.

Displaying a list of MAC addresses
To display the list of all MAC addresses in the MAC table, enter the following commands.
TABLE 153 Output from the show port security mac command

This field...                  Displays...
Ports                          The ID of the interface.
Count                          The total number of times the secure or denied MAC address was received on the interface.
Secure-Addr (S) Deny-Addr (D)  The secure or denied MAC address that was received on the interface. Secure MAC addresses are labeled with (S), while denied MAC addresses are labeled with (D).
VLAN                           The VLAN on which the MAC address was received.
BigIron RX# show port security global-deny
Global deny is enabled. Configured macs/Max macs = 1/512
Count  Deny-Addr           Vlan
-----  ------------------  ----
1      0030.0000.00a2      1200

Syntax: show port security global-deny

TABLE 155 Output from the show port security global-deny command

This field...  Displays...
Count          The total number of times the MAC address was received on the device.
Deny-Src-Addr  The denied MAC address that was received on the interface.
  0 runts, 0 giants, DMA received 0 packets
  0 packets output, 0 bytes, 0 underruns
  Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
  0 output errors, 0 collisions, DMA transmitted 0 packets
Chapter 33 Configuring 802.1x Port Security

Overview of 802.1x port security
BigIron RX supports the IEEE 802.1x standard for authenticating devices attached to LAN ports. Using 802.1x port security, you can configure a BigIron RX to grant access to a port based on information supplied by a client to an authentication server. When a user logs on to a network that uses 802.
FIGURE 120 Authenticator, Client/Supplicant, and Authentication Server in an 802.1x configuration [figure not reproduced; labels: RADIUS Server (Authentication Server), BigIron Device (Authenticator), Client/Supplicant]

Authenticator – The device that controls access to the network. In an 802.1x configuration, the BigIron RX serves as the Authenticator. The Authenticator passes messages between the Client and the Authentication Server.
FIGURE 121 Authenticator PAE and supplicant PAE [figure not reproduced; labels: Authentication Server, RADIUS Messages, Authenticator PAE, BigIron Device (Authenticator), EAPOL Messages, Supplicant PAE, 802.1X-Enabled Supplicant]

Authenticator PAE – The Authenticator PAE communicates with the Supplicant PAE, receiving identifying information from the Supplicant.
FIGURE 122 Controlled and uncontrolled ports before and after client authentication [figure not reproduced; labels: Authentication Server, Services, PAE, BigIron Device (Authenticator), Controlled Port (Unauthorized), Uncontrolled Port, Controlled Port (Authorized), Physical Port, 802.1X-Enabled Supplicant, Before Authentication]
BigIron RX devices support MD5-challenge, TLS, and any other EAP-encapsulated authentication types in EAP Request/Response messages. In other words, the BigIron RX devices are transparent to the authentication scheme used.

Authenticating multiple clients connected to the same port
BigIron RX devices support 802.1x authentication for ports with more than one Client connected to them.
How 802.1x multiple client authentication works
When multiple clients are connected to a single 802.1x-enabled port on a BigIron RX (as in Figure 124), 802.1x authentication is performed in the following way.

1. One of the 802.1x-enabled Clients attempts to log into a network in which a BigIron RX serves as an Authenticator.
2. The BigIron RX creates an internal session (called a dot1x-mac-session) for the Client.
• When a Client has been denied access to the network, its dot1x-mac-session is aged out if no traffic is received from the Client’s MAC address over a fixed hardware aging period (70 seconds), plus a configurable software aging period. You can optionally change the software aging period for dot1x-mac-sessions or disable aging altogether.
Configuring an authentication method list for 802.1x
To use 802.1x port security, you must specify an authentication method to be used to authenticate Clients. Brocade supports RADIUS authentication with 802.1x port security. To use RADIUS authentication with 802.1x port security, you create an authentication method list for 802.1x and specify RADIUS as an authentication method, then configure communication between the BigIron RX and RADIUS server. For example.
• Tunnel-Type (64) – RFC 2868
• Tunnel-Medium-Type (65) – RFC 2868
• EAP Message (79) – RFC 2579
• Tunnel-Private-Group-Id (81) – RFC 2868

Configuring dynamic VLAN assignment for 802.1x ports
Brocade’s 802.1x implementation supports assigning a port to a VLAN dynamically, based on information received from an Authentication (RADIUS) Server.
• If the string does not match the name of a VLAN, the BigIron RX checks whether the string, when converted to a number, matches the ID of a VLAN configured on the device. If it does, then the client’s port is placed in the VLAN with that ID.
• If the string does not match either the name or the ID of a VLAN configured on the device, then the client will not become authorized.

The show interface command displays the VLAN to which an 802.
NOTE
If the Access-Accept message contains values for both the Filter-ID and Vendor-Specific attributes, then the value in the Vendor-Specific attribute (the per-user filter) takes precedence. Also, if authentication for a port fails because the Filter-ID attribute referred to a non-existent filter, or there were insufficient system resources to implement the filter, then a Syslog message is generated.
Value    Description
ip..in   Applies the specified numbered ACL to the 802.1x authenticated port in the inbound direction.
ip..in   Applies the specified named ACL to the 802.1x authenticated port in the inbound direction.
mac..in  Applies the specified numbered MAC address filter to the 802.1x authenticated port in the inbound direction.
Configuring per-user IP ACLs or MAC address filters
Per-user IP ACLs and MAC address filters make use of the Vendor-Specific (type 26) attribute to dynamically apply filters to ports. Defined in the Vendor-Specific attribute are Brocade ACL or MAC address filter statements.
To enable 802.1x port security on interface 3/11, enter the following command.

BigIron RX(config-dot1x)# enable ethernet 3/11

Syntax: [no] enable

To enable 802.1x port security on interfaces 3/11 through 3/16, enter the following command.

BigIron RX(config-dot1x)# enable ethernet 3/11 to 3/16

Syntax: [no] enable to

Setting the port control
To activate authentication on an 802.
• Static MAC configurations
• Link aggregation
• Metro Ring Protocol (MRP)
• Tagged port
• Mirror port
• Trunk port
• MAC port security
• Management Port
• VE members

Configuring periodic re-authentication
You can configure the device to periodically re-authenticate Clients connected to 802.1x-enabled interfaces. When you enable periodic re-authentication, the device re-authenticates Clients every 3,600 seconds by default.
Setting the quiet period
If the BigIron RX is unable to authenticate the Client, the BigIron RX waits a specified amount of time before trying again. The amount of time the BigIron RX waits is specified with the quiet-period parameter. This timer also indicates how long a client that failed authentication would have its blocked entry programmed into the hardware. The quiet-period parameter can be from 0 – 4294967295 seconds. The default is 60 seconds.
Specifying a timeout for retransmission of messages to the authentication server
When performing authentication, the BigIron RX receives EAPOL frames from the Client and passes the messages on to the RADIUS server. The device expects a response from the RADIUS server within 30 seconds. If the RADIUS server does not send a response within 30 seconds, the BigIron RX retransmits the message to the RADIUS server.
• Disabling aging for dot1x-mac-sessions
• Configuring the aging time for blocked Clients
• Clearing the dot1x-mac-session for a MAC address

Specifying the authentication-failure action
In an 802.1x multiple client configuration, if RADIUS authentication for a Client is unsuccessful, traffic from that Client is either dropped in hardware (the default), or the Client’s port is placed in a “restricted” VLAN.
Syntax: clear dot1x mac-session

Displaying 802.1x information
You can display the following 802.1x-related information:
• Information about the 802.1x configuration on the device and on individual ports
• Statistics about the EAPOL frames passing through the device
• Information about 802.
TABLE 157 Output from the show dot1x command (Continued)

This field...                  Displays...
re-authentication              Whether periodic re-authentication is enabled on the device. Refer to “Configuring periodic re-authentication” on page 962. When periodic re-authentication is enabled, the device automatically re-authenticates Clients every 3,600 seconds by default.
global-filter-strict-security  Whether or not strict security mode is enabled globally.
BigIron RX# show dot1x config e 1/3
Port 1/3 Configuration:
AuthControlledPortControl : Auto
max-clients               : 32
multiple-clients          : Enable
filter-strict-security    : Enable

Syntax: show dot1x config ethernet

The following additional information is displayed in the show dot1x config command for an interface.

TABLE 158 Output from the show dot1x config command for an interface

This field...  Displays...
TABLE 159 Output from the show dot1x statistics command

This field...     Displays...
RX EAPOL Start    The number of EAPOL-Start frames received on the port.
RX EAPOL Logoff   The number of EAPOL-Logoff frames received on the port.
RX EAPOL Invalid  The number of invalid EAPOL frames received on the port.
RX EAPOL Total    The total number of EAPOL frames received on the port.
BigIron RX# show interface e 12/2
GigabitEthernet1/3 is up, line protocol is up
  Hardware is GigabitEthernet, address is 000c.dbe2.5800 (bia 000c.dbe2.
Port 1/1 MAC Address Filter information:
  Port default MAC Filter : mac access-list 400 in

Syntax: show dot1x mac-address-filter [all | ethernet | | begin | exclude | include ]

The all keyword displays all dynamically applied MAC address filters active on the device. Use the ethernet / parameter to display information for one port.

Displaying IP ACLs applied to an 802.
BigIron RX# show dot1x mac-session
Port   MAC             Username    VLAN   Auth State   ACL|MAC   Age
                                                       i|o|f
-------------------------------------------------------------------------------
1/1    0050.da0b.8cd7  Mary M      1      DENIED       n|n|n     0
1/2    0050.da0b.8cb3  adminmorn   4094   PERMITTED    y|n|n     0
1/3    0050.da0b.8bef  reports     4094   PERMITTED    y|n|n     0
1/4    0010.5a1f.6a63  testgroup   4094   PERMITTED    y|n|n     0
1/5    0050.da1a.
Syntax: show dot1x mac-session brief [ | begin | exclude | include ]

The following table describes the information displayed by the show dot1x mac-session brief command.

TABLE 161 Output from the show dot1x mac-session brief command

This field...  Displays...
Port           Information about the users connected to each port.
FIGURE 125 Sample point-to-point 802.1x configuration [figure not reproduced; labels: RADIUS Server (Authentication Server) 192.168.9.22, BigIron Device (Authenticator), e2/1, e2/2, e2/3, Clients/Supplicants running 802.1X-compliant client software]

The following commands configure the BigIron RX in Figure 125.
FIGURE 126 Sample 802.1x configuration using a hub [figure not reproduced; labels: RADIUS Server (Authentication Server) 192.168.9.22, BigIron Device (Authenticator), e2/1, Hub, Clients/Supplicants running 802.1X-compliant client software]

The following commands configure the BigIron RX in Figure 126.

BigIron RX(config)# aaa authentication dot1x default radius
BigIron RX(config)# radius-server host 192.168.9.
Chapter 34 Protecting Against Denial of Service Attacks

In a Denial of Service (DoS) attack, a router is flooded with useless packets, hindering normal operation. The BigIron RX includes measures for defending against two types of DoS attacks, Smurf attacks and TCP SYN attacks.

Protecting against Smurf attacks
A Smurf attack is a kind of DoS attack where an attacker causes a victim to be flooded with ICMP echo (Ping) replies sent from another network. Figure 127 illustrates how a Smurf attack works.
Avoiding being an intermediary in a Smurf attack
A Smurf attack relies on the intermediary to broadcast ICMP echo request packets to hosts on a target subnet. When the ICMP echo request packet arrives at the target subnet, it is converted to a Layer 2 broadcast and sent to the connected hosts. This conversion takes place only when directed broadcast forwarding is enabled on the device.
• If the total traffic volume (in bits per second) of packets that match the condition specified in the ACL exceeds the burst-normal value, the excess packets are dropped.
• If the number of packets that match the condition specified in the ACL exceeds the burst-max value, all packets that match the condition specified in the ACL are dropped for the number of seconds specified by the lockup value.
BigIron RX(config)# access-list 101 permit tcp any any match-all +syn
BigIron RX(config)# int e 3/11
BigIron RX(config-if-e100-3/11)# dos-attack-prevent 101 burst-normal 5000000 burst-max 1000 lockup 300

TCP security enhancement
TCP security enhancement improves upon the handling of TCP inbound segments.
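The burst-normal, burst-max and lockup rules described above, run over a constructed SYN burst with the 5000000 / 1000 / 300 values from the dos-attack-prevent example. This is an added Python model, not BigIron RX code: the one-second accounting window, the counter names (taken from the statistics fields this chapter displays) and the packet stream are assumptions.

```python
"""Model of dos-attack-prevent rate limiting and lockup (added illustration, not
BigIron RX code). ASSUMED: matching traffic is accounted in one-second windows keyed
on the packet timestamp; the device's real accounting window is not stated in the guide."""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass
class DosPreventStats:
    """Counters named after the statistics fields the chapter displays."""
    pass_count: int = 0        # Packet Pass Count: forwarded while rate limiting
    rate_limit_drops: int = 0  # excess over burst-normal dropped outside lockup
    lockup_drops: int = 0      # Packet Drop Count: dropped while the port is locked up
    block_count: int = 0       # Port Block Count: times the port entered lockup


def simulate_dos_prevent(packets: Iterable[Tuple[float, int]],
                         burst_normal_bps: int, burst_max: int,
                         lockup_secs: int) -> DosPreventStats:
    """packets: (time_in_seconds, size_in_bytes) for every packet matching the ACL."""
    stats = DosPreventStats()
    lockup_until = None   # end time of the current lockup, or None when not locked
    bucket = None         # integer second currently being accounted
    bits_in_bucket = 0
    pkts_in_bucket = 0

    for t, size in sorted(packets):
        if lockup_until is not None and t < lockup_until:
            stats.lockup_drops += 1           # every matching packet is dropped in lockup
            continue
        sec = int(t)
        if sec != bucket:                     # start a new one-second window
            bucket, bits_in_bucket, pkts_in_bucket = sec, 0, 0
        pkts_in_bucket += 1
        if pkts_in_bucket > burst_max:
            # burst-max exceeded: lock the port for lockup_secs, starting with this packet
            lockup_until = t + lockup_secs
            bucket = None                     # accounting restarts once lockup expires
            stats.block_count += 1
            stats.lockup_drops += 1
            continue
        bits = size * 8
        if bits_in_bucket + bits > burst_normal_bps:
            stats.rate_limit_drops += 1       # excess over burst-normal is dropped
            continue
        bits_in_bucket += bits
        stats.pass_count += 1
    return stats


def example_syn_flood() -> DosPreventStats:
    """Constructed stream: 1,200 60-byte SYNs in the first second (a flood), then
    10 SYNs at t=100 s (inside the 300 s lockup) and 5 at t=301 s (lockup over)."""
    flood = [(i / 1200, 60) for i in range(1200)]
    during_lockup = [(100.0 + i / 100, 60) for i in range(10)]
    after_lockup = [(301.0 + i / 100, 60) for i in range(5)]
    return simulate_dos_prevent(flood + during_lockup + after_lockup,
                                burst_normal_bps=5_000_000, burst_max=1000,
                                lockup_secs=300)


if __name__ == "__main__":
    s = example_syn_flood()
    print(f"passed={s.pass_count} rate_limit_drops={s.rate_limit_drops} "
          f"lockup_drops={s.lockup_drops} blocks={s.block_count}")
```

Packet 1001 of the flood trips burst-max, so it and everything after it for 300 seconds is dropped and the port is counted as blocked once; the five packets at t=301 s are forwarded again.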
• If the SYN bit is set and the sequence number is an exact match to the next expected sequence, the device sends an ACK segment to the peer. Before sending the ACK segment, the software subtracts one from the value being acknowledged.
• If the SYN bit is set and the sequence number is acceptable, the device sends an acknowledgement (ACK) segment to the peer.

The TCP security enhancement is enabled by default.
Port               Port number
Packet Drop Count  Number of packets that are dropped when the port is in lockup mode.
Packet Pass Count  Number of packets that are forwarded when the port is in rate-limiting mode.
Port Block Count   Number of times the port was shut down for the particular traffic flow that matched the ACL.
Chapter 35 Inspecting and Tracking DHCP Packets

The features described in this chapter were introduced in software release 02.3.00 for the BigIron RX Series devices. For enhanced network security, you can configure the Brocade device to inspect and keep track of Dynamic Host Configuration Protocol (DHCP) assignments. To do so, use the following features.
gratuitous replies without having received any ARP requests. A malicious host can also send out ARP packets claiming to have an IP address that actually belongs to another host (e.g. the default router). After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.

How DAI works
DAI allows only valid ARP requests and responses to be forwarded.
ARP entries in the ARP table derive from the following:
• Dynamic ARP – normal ARP learned from trusted ports.
• Static ARP – statically configured IP/MAC/port mapping.
• Inspection ARP – statically configured IP/MAC mapping, where the port is initially unspecified. The actual physical port mapping will be resolved and updated from validated ARP packets. Refer to “Configuring an inspection ARP entry” on page 986.
Configuring an inspection ARP entry
Static ARP and static inspection ARP entries need to be configured for hosts on untrusted ports. Otherwise, when DAI checks ARP packets from these hosts against entries in the ARP table, it will not find any entries for them, and the Brocade device will not allow and learn ARP from an untrusted host. When the inspection ARP entry is resolved with the correct IP/MAC mapping, its status changes from pending to valid.
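The DAI checks this chapter describes (learning on trusted ports, Static and Inspection entries for untrusted hosts, and the pending-to-valid resolution just mentioned), as an added Python model rather than BigIron RX code; the ArpEntry and ArpPacket names, the order of the checks and the sample hosts are assumptions.

```python
"""Simplified model of Dynamic ARP Inspection (DAI) as the chapter describes it:
ARP from trusted ports is learned as Dynamic entries; ARP from untrusted ports is
checked against Static and Inspection entries, and a pending Inspection entry gets
its port resolved by the first ARP packet whose IP/MAC mapping matches.
Added illustration, not BigIron RX code; the exact order of checks is ASSUMED."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ArpEntry:
    ip: str
    mac: str
    kind: str                   # "Dynamic", "Static" or "Inspect"
    port: Optional[str] = None  # None = physical port not yet resolved
    status: str = "valid"       # Inspection entries start out "pending"


@dataclass
class ArpPacket:
    sender_ip: str
    sender_mac: str
    in_port: str


class DaiTable:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.entries: Dict[str, ArpEntry] = {}

    def add_static(self, ip: str, mac: str, port: str) -> None:
        self.entries[ip] = ArpEntry(ip, mac, "Static", port, "valid")

    def add_inspection(self, ip: str, mac: str) -> None:
        # IP/MAC known, port left unspecified until a validated packet resolves it
        self.entries[ip] = ArpEntry(ip, mac, "Inspect", None, "pending")

    def inspect(self, pkt: ArpPacket) -> Tuple[bool, str]:
        """Return (forwarded, reason) for one ARP packet."""
        if pkt.in_port in self.trusted:
            # trusted port: normal ARP learning, no validation
            self.entries[pkt.sender_ip] = ArpEntry(pkt.sender_ip, pkt.sender_mac,
                                                  "Dynamic", pkt.in_port)
            return True, "learned on trusted port"
        entry = self.entries.get(pkt.sender_ip)
        if entry is None:
            return False, "untrusted host without static or inspection entry"
        if entry.mac.lower() != pkt.sender_mac.lower():
            return False, f"MAC mismatch for {pkt.sender_ip}"
        if entry.kind == "Inspect" and entry.status == "pending":
            entry.port, entry.status = pkt.in_port, "valid"   # resolve the mapping
            return True, "inspection entry resolved"
        if entry.port != pkt.in_port:
            return False, "port mismatch"
        return True, "valid mapping"


def demo() -> DaiTable:
    """Constructed scenario: one static host, one inspection host, one spoofer."""
    table = DaiTable(trusted_ports={"1/4"})
    table.add_static("10.0.0.1", "0000.1111.aaaa", "2/1")
    table.add_inspection("10.0.0.2", "0000.2222.bbbb")
    for pkt in (ArpPacket("10.0.0.1", "0000.1111.aaaa", "2/1"),   # valid static host
                ArpPacket("10.0.0.1", "0000.9999.ffff", "2/1"),   # spoofed MAC, denied
                ArpPacket("10.0.0.2", "0000.2222.bbbb", "2/3"),   # resolves pending entry
                ArpPacket("10.0.0.3", "0000.3333.cccc", "2/2"),   # unknown untrusted host
                ArpPacket("10.0.0.3", "0000.3333.cccc", "1/4")):  # learned on trusted port
        print(pkt.sender_ip, pkt.in_port, table.inspect(pkt))
    return table


if __name__ == "__main__":
    demo()
```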
FastIron SuperX Switch#show ip arp inspection vlan 2
IP ARP inspection VLAN 2: Disabled
   Trusted Ports   : ethe 1/4
   Untrusted Ports : ethe 2/1 to 2/3 ethe 4/1 to 4/24 ethe 6/1 to 6/4 ethe 8/1 to 8/4

Syntax: show ip arp inspection [vlan ]

The variable specifies the ID of a configured VLAN.

Displaying the ARP table
To display the ARP table, enter the following command.

BigIron RX#show arp
Total number of ARP entries: 10
    IP Address     MAC Address
1   20.20.20.39    0000.
TABLE 163 show arp command (Continued)

This field...  Displays...
Type           The ARP type, which can be one of the following:
               • Dynamic – The Layer 3 Switch learned the entry from an incoming packet on a trusted port.
               • Inspect (Inspection ARP) – The entry from a statically configured IP/MAC mapping, where the port was initially unspecified.
               • Dhcp (DHCP-Snooping ARP) – The Layer 3 Switch learned the entry from DHCP.
FIGURE 129 DHCP snooping at work on an untrusted port [figure not reproduced; labels: DHCP Client, DHCP client request packet, Untrusted, Snooping, Foundry Device, Trusted, DHCP server reply packet, DHCP Server]

FIGURE 130 DHCP snooping at work on a trusted port [figure not reproduced; labels: DHCP Client, Untrusted, Snooping, Foundry Device, Trusted, DHCP server reply packet, DHCP Server]

System reboot and the binding database
To allow DAI and DHCP snooping to work smoothly across a system reboot, the binding database is saved to a file in the system
Enabling DHCP snooping on a VLAN
DHCP packets for a VLAN with DHCP snooping enabled are inspected. DHCP snooping is disabled by default. This feature must be enabled on the client and the DHCP server VLANs. To enable DHCP snooping, enter the following global command for these VLANs.

FastIron SuperX Switch(config)#ip dhcp snooping vlan 2

The command enables DHCP snooping on VLAN 2.
FIGURE 132 DHCP Option 82 Is Removed from the Packet [figure not reproduced; labels: DHCP Server reply packet, option 82, Trusted, Untrusted, DHCP Snooping, DHCP Client, DHCP Server, BigIron RX DHCP Relay Agent]

The option 82 insertion/deletion feature is available only when DHCP snooping is enabled for the client/server ports, and when the device is configured as a DHCP relay agent.
DHCP snooping configuration example
The following example configures VLAN 2 and VLAN 20, and changes the CLI to the global configuration level to enable DHCP snooping on the two VLANs. The commands are as follows.
By default, if IP source guard is enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on the port. Similarly, when IP source guard is disabled, any IP source guard per-port IP ACL is removed from the interface.
Chapter 36 Securing SNMP Access

Simple Network Management Protocol (SNMP) is a set of protocols for managing complex networks. SNMP sends messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters. This chapter introduces a few methods used to secure SNMP access to the BigIron RX.
Syntax: snmp-server community [0] ro | rw [view ] [ | ]

By default, the community string is encrypted. When you save the new community string to the startup configuration file, the software adds the following command to the file.

snmp-server community 1 rw

If you want to create a non-encrypted community string, use the 0 option as in the following example.
Using the user-based security model
SNMP version 3 (RFC 2570 through 2575) introduces a User-Based Security model (RFC 2574) for authentication and privacy services. SNMP version 1 and version 2 use community strings to authenticate SNMP access to management modules. This method can still be used for authentication.
5. Create user accounts and associate these accounts to user groups using the snmp-server user command. Refer to “Defining an SNMP user account” on page 999.

If SNMP version 3 is not configured, then community strings by default are used to authenticate access.

Defining the engine ID
A default engine ID is generated during system start up. To determine what the default engine ID of the device is, enter the show snmp engineid command and find the following line.
Syntax: [no] snmp-server group v1 | v2c | v3 auth | noauth | priv [access ] [read ] [write ]

NOTE
This command is not used for SNMP version 1 and SNMP version 2. In these versions, groups and group views are created internally using community strings. (Refer to “Establishing SNMP community strings” on page 995.) When a community string is created, two groups are created, based on the community string name.
• Advanced Encryption Standard (AES) – The 128-bit encryption standard adopted by the U.S. government. This standard is a symmetric cipher algorithm chosen by the National Institute of Standards and Technology (NIST) as the replacement for DES.

Here is an example of how to create the account.

BigIron RX(config)# snmp-s user bob admin v3 access 2 auth md5 bobmd5 priv des bobdes

The CLI for creating SNMP version 3 users has been updated as follows.
The priv [encrypted] des parameter is optional after you enter the md5 or sha password. The priv parameter defines the type of encryption that will be used to encrypt the privacy password. If the "encrypted" keyword is used, enter a 16-octet DES key in hexadecimal format for the des-password. If the "encrypted" keyword is not used, enter a password string of at least 8 characters.
Displaying user information
To display the definition of an SNMP user account, enter a command such as the following.
You can create up to 10 views on the device. This number cannot be changed. To create an SNMP view, enter one of the following commands:

BigIron RX(config)# snmp-server view Maynes system included
BigIron RX(config)# snmp-server view Maynes system.2 excluded
BigIron RX(config)# snmp-server view Maynes 2.3.*.6 included
BigIron RX(config)# write mem

NOTE
The snmp-server view command supports the MIB objects as defined in RFC 1445.
Simple SNMP v3 configuration

BigIron RX(config)#snmp-server group admingrp v3 priv read all write all notify all
BigIron RX(config)#snmp-server user adminuser admingrp v3 auth md5 admin priv admin1
BigIron RX(config)#snmp-server host 10.3.1.44

More detailed SNMP v3 configuration

BigIron RX(config)#snmp-server view internet internet included
BigIron RX(config)#snmp-server view system system included
BigIron RX(config)#snmp-server community .....
Chapter 37: Enabling the Foundry Discovery Protocol (FDP) and Reading Cisco Discovery Protocol (CDP) Packets
This chapter discusses the Foundry Discovery Protocol (FDP) – a protocol used by Brocade devices to advertise themselves to other Brocade devices – and Cisco Discovery Protocol (CDP) – a protocol used by Cisco devices to advertise themselves to other Cisco devices. Brocade devices read CDP to learn device and interface information for Cisco devices in the network.
Using FDP
Enabling FDP at the interface level
You can enable FDP at the interface level by entering commands such as the following.
BigIron RX(config)# int e 2/1
BigIron RX(config-if-e10000-2/1)# fdp enable
Syntax: [no] fdp enable
By default, the feature is enabled on an interface once FDP is enabled on the device.
Changing the FDP update timer
By default, a BigIron RX enabled for FDP sends an FDP update every 60 seconds. You can change the update timer to a value from 5 – 900 seconds.
NOTE
If the BigIron RX has intercepted CDP updates, then the CDP information is also displayed.
Displaying neighbor information
To display a summary list of all the Brocade neighbors that have sent FDP updates to this device, enter the following command.
TABLE 165 Detailed FDP and CDP neighbor information
This line... / Displays...
Device ID / The hostname of the neighbor. In addition, this line lists the VLAN memberships and other VLAN information for the neighbor port that sent the update to this device.
Entry address(es) / The Layer 3 protocol addresses configured on the neighbor port that sent the update to this device. If the neighbor is a Layer 2 Switch, this field lists the management IP address.
This example shows information for Ethernet port 2/3. The port sends FDP updates every 5 seconds. Neighbors that receive the updates can hold them for up to 180 seconds before discarding them.
Syntax: show fdp interface [ethernet /]
The ethernet / parameter lists the information only for the specified interface.
Displaying FDP and CDP statistics
To display FDP and CDP packet statistics, enter the following command.
Reading CDP packets
Cisco Discovery Protocol (CDP) packets are used by Cisco devices to advertise themselves to other Cisco devices. By default, a BigIron RX forwards these packets without examining their contents. You can configure a device to intercept and display the contents of CDP packets. This feature is useful for learning device and interface information for Cisco devices in the network. BigIron RX supports intercepting and interpreting CDP version 1 and 2 packets.
BigIron RX# show fdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
(*) indicates a Cisco device
Device ID      Local Int    Holdtm Capability Platform    Port ID
-------------- ------------ ------ ---------- ----------- ------------
(*)Router      Eth 1/1      124    R          cisco RSP4  FastEthernet5/0/0
Syntax: show fdp neighbors [detail | ethernet ]
To display detailed information for the neighbors, enter the following com
BigIron RX# show fdp entry *
Device ID: Router
Entry address(es):
  IP address: 207.95.6.143
Platform: cisco RSP4, Capabilities: Router
Interface: Eth 1/1, Port ID (outgoing port): FastEthernet5/0/0
Holdtime : 124 seconds
Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-JSV-M), Version 12.0(5)T1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
To clear CDP statistics, enter the following command.
Chapter 38: Remote Network Monitoring
Basic management
This chapter describes the remote monitoring features available on Brocade products. The following sections contain procedures for basic system management tasks.
Viewing system information
You can access software and hardware specifics for a BigIron RX. To view the software and hardware details for the system, enter the show version command.
RMON support
Clearing statistics
You can clear statistics for many parameters with the clear option. To determine the available clear commands for the system, enter the following command.
BigIron RX# clear ?
Syntax: clear
Syntax: show rmon statistics [ | ethernet | management | | begin | exclude | include ]
The parameter specifies the port number. You can use the physical port number or the SNMP port number. The physical port number is based on the product:
• If the product is a Stackable device, the ports are numbered sequentially starting with 1.
• If the product is a Chassis device, the ports are numbered according to slot and port.
TABLE 166 Export configuration and statistics (Continued)
This line... / Displays...
Oversize packets / The total number of packets received that were longer than 1518 octets and were otherwise well formed. This number does not include framing bits but does include FCS octets.
History (RMON group 2)
By default, all active ports generate two history control data entries per active device interface. An active port is defined as one with a link up. If the link goes down, the two entries are automatically deleted.
A sample entry and syntax of the event control table is shown below.
Chapter 39: Configuring sFlow
The sFlow feature is a system for observing traffic flow patterns and quantities within and among a set of BigIron RX devices. Participating devices also relay byte and packet counter data (counter samples) for ports to the collector. sFlow is described in RFC 3176, “InMon Corporation's sFlow, A Method for Monitoring Traffic in Switched and Routed Networks”. Refer to this RFC to determine the contents of the sampled packet.
NOTE
sFlow does not export packets through the management port.
NOTE
sFlow does not use the management IP as the agent IP.
Sampling rate
The sampling rate is the average ratio of the number of packets incoming on an sFlow-enabled port to the number of flow samples taken from those packets. Device ports send only the sampled traffic to the CPU.
• Enable sFlow forwarding on individual interfaces.
NOTE
If you change the router ID or other IP address value that sFlow uses for its agent_address, you need to disable and then re-enable sFlow to cause the feature to use the new source address.
Specifying the collector
sFlow exports traffic statistics to an external collector. You can specify up to four collectors. You can specify more than one collector with the same IP address if the UDP port numbers are unique.
Changing the sampling rate
The sampling rate is the average ratio of the number of packets incoming on an sFlow-enabled port to the number of flow samples taken from those packets. By default, all sFlow-enabled ports use the default sampling rate, which is 2048. With a sampling rate of 2048, on average, one in every 2048 packets forwarded on an interface is sampled. You can change the default (global) sampling rate.
The parameter specifies the average number of packets from which each sample will be taken. The sampling rate you configure is the actual sampling rate. You can enter 512 – 2147483648. The default is 2048.
Changing the sampling rate on a port
You can configure an individual port to use a different sampling rate than the global default sampling rate. This is useful in cases where ports have different bandwidths.
ACL-based inbound sFlow
NOTE
This feature is available only for IPv4.
Beginning with release 02.5.00b, the Multi-Service IronWare software supports using an IPv4 ACL to select sample traffic to be sent to an sFlow collector. The data matching an ACL clause can be collected to observe traffic flow patterns and quantities between a set of switches and routers.
FIGURE 133 sFlow packet format (figure not reproduced: it shows the sequence flow for sFlow records, with a packet containing an sFlow sample carrying L2, IP and UDP headers followed by sFlow records, each with tag type, length, sequence number and source ID fields)
• L2 ACLs: The copy-sflow keyword is not supported for L2 ACLs.
• If the copy-sflow keyword is used for a clause that is applied to the outbound direction, it is ignored.
• The sampling rate is the average ratio of the number of packets incoming on an sFlow-enabled port to the number of flow samples taken from those packets. However, for ACL-based sFlow, every matching packet goes to the CPU. Consequently, configured sampling rates do not affect ACL-based sFlow.
Displaying sFlow information
Use one of the following commands to display sFlow information.
Display sFlow configuration and statistics
To display sFlow configuration information and statistics, enter the following command at any level of the CLI.
BigIron RX(config)# show sflow
sFlow services are enabled.
sFlow agent IP address: 30.30.30.2
Collector IP 10.10.10.1, UDP 6343
Polling interval is 20 seconds.
Configured default sampling rate: 1 per 2048 packets.
TABLE 167 sFlow information (Continued)
This field... / Displays...
Port Sampling Rates / The sampling rates of a port on which sFlow is enabled.
Hardware Sample Rate / The actual sampling rate. This is the same as the Global Sample Rate.
Displaying sFlow counters
sFlow counters are included in the output of the show interface ethernet command.
Clearing sFlow statistics
• sFlow samples collected
NOTE
This command also clears the statistics counters used by other features.
Chapter 40: Multiple Spanning Tree Protocol (MSTP) 802.1s
802.1s Multiple Spanning Tree Protocol
Multiple Spanning Tree Protocol (MSTP) as defined in IEEE 802.1s allows you to configure multiple STP instances. This will allow several VLANs to be mapped to a reduced number of spanning-tree instances. This ensures a loop-free topology for one or more VLANs that have the same Layer 2 topology.
Multiple spanning-tree regions
Using MSTP, the entire network runs a common instance of RSTP.
Configuring MSTP
To configure a switch for MSTP, you configure the name and the revision on each switch that is being configured for MSTP. This name is unique to each switch. You must then create an MSTP instance and assign an ID. VLANs are then assigned to MSTP instances. These instances must be configured on all switches that interoperate with the same VLAN assignments.
The revision parameter specifies the revision level for MSTP that you are configuring on the switch. It can be a number from 0 to 65535.
Configuring an MSTP instance
An MSTP instance is configured with an MSTP ID for each region. Each region can contain one or more VLANs. To configure an MSTP instance and assign a range of VLANs, use a command such as the following at the Global Configuration level.
You can set a priority for the instance that gives it forwarding preference over lower priority instances within a VLAN or on the switch. A higher number for the priority variable means a lower forwarding priority. Acceptable values are 0 - 61440 in increments of 4096. The default value is 32768.
Setting the MSTP global parameters
MSTP has many of the options available in RSTP as well as some unique options.
BigIron RX(config)# mstp admin-pt2pt-mac ethernet 2/5 ethernet 4/5
Syntax: [no] mstp admin-pt2pt-mac ethernet
The parameter specifies a port or range of ports to be configured for point-to-point links to increase the speed of convergence.
Disabling MSTP on a port
To disable MSTP on a specific port, use a command such as the following at the Global Configuration level.
Displaying MSTP statistics
MSTP statistics can be displayed using the commands shown below. To display all general MSTP information, enter the following command.
TABLE 168 Output from Show MSTP (Continued)
This field... / Displays...
Root FwdDly sec / FwdDly interval configured on the root bridge.
Root Hop Cnt / Current hop count from the root bridge.
Root Bridge / Bridge identifier of the root bridge.
ExtPath Cost / The configured path cost on a link connected to this port to an external MSTP region.
Regional Root Bridge / The Regional Root Bridge is the MAC address of the Root Bridge for the local region.
Chapter 41: Configuring IP Multicast Traffic Reduction
By default, the BigIron RX forwards all IP multicast traffic based on the Layer 2 information in the packets. Optionally, you can enable the device to make forwarding decisions in hardware, based on the multicast group, by enabling the IP Multicast Traffic Reduction feature.
Enabling IP multicast traffic reduction
By default, the BigIron RX forwards all IP multicast traffic out all ports except the port on which the traffic was received. To reduce multicast traffic through the device, you can enable IP Multicast Traffic Reduction. This feature configures the device to forward multicast traffic only on the ports attached to multicast group members, instead of forwarding all multicast traffic to all ports.
BigIron RX(config)# show ip multicast
IP multicast is enabled - Active
Syntax: show ip multicast
Changing the IGMP mode
When you enable IP Multicast Traffic Reduction on the device, IGMP also is enabled. The device uses IGMP to maintain a table of the Group Membership reports received by the device. You can use active or passive IGMP mode. There is no default mode.
When you enable IP multicast for a specific VLAN instance, IGMP snooping is enabled. The device uses IGMP to maintain a table of the Group Membership reports received by the device for the specified VLAN instance. You can use active or passive IGMP mode. There is no default mode.
When the device starts up, it forwards all multicast groups even though multicast traffic filters are configured. This process continues until the device receives a group membership report. Once the group membership report is received, the device drops all multicast packets for groups other than the ones for which the device has received the group membership report. To enable IP multicast filtering, enter the following command.
Configuring a multicast static group uplink per VLAN
When the multicast static-group uplink command is enabled on a snooping VLAN, the snooping device behaves like an IGMP host on ports connected to the multicast router. The snooping device will respond to IGMP queries from the uplink multicast PIM router for the groups and sources configured.
BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 include 10.43.1.12 ethernet 3/4
To configure the physical interface ethernet 3/4 to statically join all multicast streams on the uplink interface excluding the stream with source address of 10.43.1.12, enter commands such as the following.
BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 exclude 10.43.1.
PIM SM traffic snooping
NOTE
This feature applies only to PIM SM version 2 (PIM V2).
Application examples
Figure 136 shows an example application of the PIM SM traffic snooping feature. In this example, a device is connected through an IP router to a PIM SM group source that is sending traffic for two PIM SM groups. The device also is connected to a receiver for each of the groups.
FIGURE 136 PIM SM traffic reduction in enterprise network
The switch snoops for PIM SM join and prune messages.
The IP multicast traffic reduction feature and the PIM SM traffic snooping feature together build a list of groups and forwarding ports for the VLAN. The list includes PIM SM groups learned through join messages as well as MAC addresses learned through IGMP group membership reports. In this case, even though the device never sees a join message for the receiver for group 239.255.162.69, the device nonetheless learns about the receiver and forwards group traffic to the receiver.
NOTE
Use the passive mode of IP multicast traffic reduction instead of the active mode. The passive mode assumes that a router is sending group membership queries as well as join and prune messages on behalf of receivers. The active mode configures the device to send group membership queries.
• All the device ports connected to the source and receivers or routers must be in the same port-based VLAN.
To disable the feature, enter the following command.
BigIron RX(config)# no ip pimsm-snooping
If you also want to disable IP multicast traffic reduction, enter the following command.
BigIron RX(config)# no ip multicast
Multicast traffic reduction per VLAN
With release 02.6.00 of the Multi-Service IronWare software, you can configure specified VLAN instances for multicast traffic reduction by the methods described in the following sections.
Displaying IP multicast information
BigIron RX(config)# show ip multicast
IP multicast is enabled - Passive
IP pimsm snooping is enabled
VLAN ID 23
  Active 10.10.10.10 Report ports: 1/1 7/1
  Report FID 0X0400
  Number of Multicast Groups: 2
  1 Group: 225.1.0.291
    IGMP report ports :
    Mapped mac address : 0100.5e01.001d Fid:0x041b
    PIMv2*G join ports : 1/1
  2 Group: 225.1.0.24
    IGMP report ports : 4/48
    Mapped mac address : 0100.5e01.
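The "Mapped mac address" shown above is derived from the group address by the RFC 1112 rule (01-00-5e plus the low 23 bits of the group), which is why the forwarding list can hold MAC addresses learned from IGMP reports. The following is an added example, not IronWare code, that computes the mapping in the device's xxxx.xxxx.xxxx notation and enumerates the 32 IPv4 groups that share one MAC; an operator who sees traffic for an unreported group on a port can use it to check whether a Layer 2 MAC match, rather than a missing filter, explains it.

```python
"""IPv4 multicast group -> Ethernet MAC mapping (RFC 1112), added example."""
import ipaddress

MCAST_MAC_PREFIX = 0x01005E000000   # 01-00-5e-00-00-00
LOW_23_BITS = 0x7FFFFF


def group_to_mac(group: str) -> str:
    """Map a 224.0.0.0/4 group to its MAC in Brocade xxxx.xxxx.xxxx form."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    mac = (MCAST_MAC_PREFIX | (int(g) & LOW_23_BITS)).to_bytes(6, "big").hex()
    return f"{mac[0:4]}.{mac[4:8]}.{mac[8:12]}"


def groups_sharing_mac(group: str) -> list:
    """All 32 groups whose low 23 bits equal this group's: the 5 bits between
    the 1110 prefix and the low 23 bits are dropped by the mapping."""
    base = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | base))
            for i in range(32)]


def forwards_on_mac(reported_groups: list, incoming_group: str) -> bool:
    """Would a device that keys purely on the mapped MAC forward this
    group to the ports that reported membership in `reported_groups`?
    True even when the exact group was never reported but a MAC twin was."""
    wanted = {group_to_mac(g) for g in reported_groups}
    return group_to_mac(incoming_group) in wanted


def unexpected_groups_explained_by_mac(reported_groups: list,
                                       seen_groups: list) -> dict:
    """For each group seen on a port but not reported, list the reported
    group(s) that share its MAC (empty list = not explained by aliasing)."""
    reported = set(reported_groups)
    out = {}
    for g in seen_groups:
        if g in reported:
            continue
        out[g] = [r for r in reported if group_to_mac(r) == group_to_mac(g)]
    return out
```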
  Reports Received: 34
  Leaves Received: 21
  General Queries Received: 60
  Group Specific Queries Received: 2
  Others Received: 0
  General Queries Sent: 0
  Group Specific Queries Sent: 0
VLAN ID 2
  Reports Received: 0
  Leaves Received: 0
  General Queries Received: 60
  Group Specific Queries Received: 2
  Others Received: 0
  General Queries Sent: 0
  Group Specific Queries Sent: 0
The command in this example shows statistics for two port-based VLANs.
To clear the learned IGMP flows for a specific IP multicast group, enter a command such as the following.
BigIron RX# clear ip multicast group 239.255.162.5
The following example shows how to clear the IGMP flows for a specific group and retain reports for other groups.
BigIron RX# show ip multicast
IP multicast is enabled - Active
VLAN ID 1
  Active 192.168.2.30 Router Ports 4/13
  Multicast Group: 239.255.162.5, Port: 4/4 4/13
  Multicast Group: 239.255.162.
Chapter 42: IPv6 Addressing
This chapter includes overview information about the following topics:
• IPv6 addressing.
• The IPv6 stateless autoconfiguration feature, which enables a host on a local link to automatically configure its interfaces with new and globally unique IPv6 addresses associated with its location.
IPv6 addressing
A limitation of IPv4 is its 32-bit addressing format, which is unable to satisfy potential increases in the number of users, geographical needs, and emerging applications.
The parameter is specified as 16-bit hexadecimal values separated by a colon. The parameter is specified as a decimal value that indicates the left-most bits of the IPv6 address. The following is an example of an IPv6 prefix.
2001:FF08:49EA:D088::/64
IPv6 address types
As with IPv4 addresses, you can assign multiple IPv6 addresses to a switch interface. Table 169 presents the three major types of IPv6 addresses that you can assign to a switch interface.
TABLE 169 IPv6 address types
Address type / Description / Address structure
Unicast / An address for a single interface. A packet sent to a unicast address is delivered to the interface identified by the address. / Depends on the type of the unicast address:
• Aggregatable global address—An address equivalent to a global or public IPv4 address.
IPv6 stateless autoconfiguration
Brocade routers use the IPv6 stateless autoconfiguration feature to enable a host on a local link to automatically configure its interfaces with new and globally unique IPv6 addresses associated with its location. The automatic configuration of a host interface is performed without the use of a server, such as a Dynamic Host Configuration Protocol (DHCP) server, or manual configuration.
Chapter 43: Configuring Basic IPv6 Connectivity
This chapter explains how to get a Brocade Layer 3 Switch that supports IPv6 up and running. To configure basic IPv6 connectivity, you must do the following:
• Enable IPv6 routing globally on the Brocade Layer 3 Switch.
• Configure an IPv6 address or explicitly enable IPv6 on each router interface over which you plan to forward IPv6 traffic.
• Configure IPv4 and IPv6 protocol stacks.
Configuring IPv6 on each router interface
• An automatically computed EUI-64 interface ID.
If you prefer to assign a link-local IPv6 address to the interface, you must explicitly enable IPv6 on the interface, which causes a link-local address to be automatically computed for the interface. If preferred, you can override the automatically configured link-local address with an address that you manually configure.
Configuring a global or site-local IPv6 address with an automatically computed EUI-64 interface ID
To configure a global or site-local IPv6 address with an automatically computed EUI-64 interface ID in the low-order 64 bits, enter commands such as the following.
The link-local keyword indicates that the router interface should use the manually configured link-local address instead of the automatically computed link-local address.
Configuring IPv6 anycast addresses
In IPv6, an anycast address is an address for a set of interfaces belonging to different nodes.
IPv6 host support
Specifying an IPv6 SNMP trap receiver
You can specify an IPv6 host as a trap receiver to ensure that all SNMP traps sent by the device will go to the same SNMP trap receiver or set of receivers, typically one or more host devices on the network. To do so, enter a command such as the following.
Configuring an IPv6 host address for a BigIron RX running a switch image
NOTE
This feature is only available on the BigIron RX when it is configured as a switch. For this feature to work it must have the CHD code enabled on the BigIron RX.
In the router configuration, each port can be configured separately with an IPv6 address.
Configuring a global or site-local IPv6 address with an automatically computed EUI-64 interface ID as the switch’s system-wide address
To configure a global or site-local IPv6 address with an automatically computed EUI-64 interface ID in the low-order 64 bits as the system-wide address, enter commands such as the following.
Configuring IPv4 and IPv6 protocol stacks
One situation in which you must configure a router to run both IPv4 and IPv6 protocol stacks is if it is deployed as an endpoint for an IPv6 over IPv4 tunnel. Each router interface that you want to send and receive both IPv4 and IPv6 traffic must be configured with an IPv4 address and an IPv6 address.
Configuring IPv6 Domain Name Server (DNS) resolver
The Domain Name Server (DNS) resolver feature lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a Brocade device and thereby recognize all hosts within that domain. After you define a domain name, the Brocade device automatically appends the appropriate domain to the host and forwards it to the domain name server.
As an example, in a configuration where ftp6.companynet.com is a server with an IPv6 protocol stack, when a user pings ftp6.companynet.com, the Brocade device attempts to resolve the AAAA DNS record. In addition, if the DNS server does not have an IPv6 address, as long as it is able to resolve AAAA records, it can still respond to DNS queries.
ECMP load sharing for IPv6
If you want to re-enable the feature after disabling it, you must specify the number of load-sharing paths. The maximum number of paths the device supports is a value from 2 – 8. By entering a command such as the following, IPv6 load-sharing will be re-enabled.
BigIron RX(config)# ipv6 load-sharing 4
Syntax: [no] ipv6 load-sharing
The parameter specifies the number of paths and can be from 2 – 8. The default is 4.
DHCP relay agent for IPv6
Configuring DHCP for IPv6 relay agent
You can enable the DHCP for IPv6 relay agent function and specify the relay destination addresses on an interface by entering the command at the interface level.
Configuring IPv6 ICMP
BigIron RX# show ipv6
Global Settings
  unicast-routing enabled, hop-limit 64
  No Inbound Access List Set
  No Outbound Access List Set
  Prefix-based IPv6 Load-sharing is Enabled, Number of load share paths: 4
Syntax: show ipv6
You can display the entries in the IPv6 forwarding cache; for example:
BigIron RX# show ipv6 cache
Total number of cache entries: 10
   IPv6 Address
1  5000:2::2
2  2000:4::106
3  2000:4::110
4  2002:c0a8:46a::1
5  fe80::2e0:52ff:fe99:9737
6  fe80::ffff:ffff:feff:ffff
For example, to adjust the interval to 1000 milliseconds and the number of tokens to 100 tokens, enter the following command.
BigIron RX(config)# ipv6 icmp error-interval 1000 100
Syntax: ipv6 icmp error-interval []
The interval in milliseconds at which tokens are placed in the bucket can range from 0 – 2147483647. The maximum number of tokens stored in the bucket can range from 1 – 200.
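The two parameters above describe a token bucket: with error-interval 1000 100 the device can answer a burst of at most 100 error-triggering packets at once, after which it emits one ICMPv6 error per second, so a flood of unroutable or oversized packets cannot turn the router into an ICMP amplifier. The following is an added example, not IronWare code, modelling that bucket with the page's parameter ranges; how the device itself schedules refills is not documented on the page, and an interval of 0 is assumed here to mean no rate limiting.

```python
"""Token-bucket model of `ipv6 icmp error-interval <ms> <tokens>` (added example)."""

MAX_INTERVAL_MS = 2147483647   # manual: 0 - 2147483647
MIN_TOKENS, MAX_TOKENS = 1, 200  # manual: 1 - 200


class IcmpErrorLimiter:
    """One token is added every `interval_ms`; sending an ICMPv6 error
    costs one token; the bucket never holds more than `bucket_size`."""

    def __init__(self, interval_ms: int, bucket_size: int):
        if not 0 <= interval_ms <= MAX_INTERVAL_MS:
            raise ValueError(f"interval {interval_ms} ms out of range")
        if not MIN_TOKENS <= bucket_size <= MAX_TOKENS:
            raise ValueError(f"bucket size {bucket_size} out of range")
        self.interval_ms = interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size      # bucket starts full
        self.last_refill_ms = 0

    def _refill(self, now_ms: int) -> None:
        if self.interval_ms == 0:      # assumption: 0 disables limiting
            self.tokens = self.bucket_size
            return
        earned = (now_ms - self.last_refill_ms) // self.interval_ms
        if earned > 0:
            self.tokens = min(self.bucket_size, self.tokens + earned)
            self.last_refill_ms += earned * self.interval_ms

    def allow(self, now_ms: int) -> bool:
        """True if an ICMPv6 error may be sent at time now_ms."""
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def run(limiter: IcmpErrorLimiter, arrivals_ms: list) -> tuple:
    """Replay arrival times (ms, non-decreasing) of packets that would each
    trigger an ICMPv6 error; returns (errors_sent, errors_suppressed)."""
    sent = sum(1 for t in arrivals_ms if limiter.allow(t))
    return sent, len(arrivals_ms) - sent
```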
Configuring IPv6 neighbor discovery
• Link-local address.
• Assigned unicast address.
• Loopback address.
• All-nodes multicast address.
• Solicited-node multicast address.
• Multicast address to all other groups to which it belongs.
You can adjust the following IPv6 neighbor discovery features:
• Neighbor solicitation messages for duplicate address detection.
• Router advertisement messages:
  • Interval between router advertisement messages.
Router advertisement and solicitation messages
Router advertisement and solicitation messages enable a node on a link to discover the routers on the same link. Each configured router interface on a link sends out a router advertisement message, which has a value of 134 in the Type field of the ICMP packet header, periodically to the all-nodes link-local multicast address (FF02::1).
You can configure the following neighbor solicitation message parameters that affect duplicate address detection while it verifies that a tentative unicast IPv6 address is unique:
• The number of consecutive neighbor solicitation messages that duplicate address detection sends on an interface. By default, duplicate address detection sends three neighbor solicitation messages without any follow-up messages.
Syntax: [no] ipv6 nd ra-interval
Syntax: [no] ipv6 nd ra-lifetime
The parameter in both commands indicates any numerical value. To restore the default interval or router lifetime value, use the no form of the respective command.
Controlling prefixes advertised in IPv6 router advertisement messages
By default, router advertisement messages include prefixes configured as addresses on router interfaces using the ipv6 address command.
Setting flags in IPv6 router advertisement messages
An IPv6 router advertisement message can include the following flags:
• Managed Address Configuration—This flag indicates to hosts on a local link if they should use the stateful autoconfiguration feature to get IPv6 addresses for their interfaces. If the flag is set, the hosts use stateful autoconfiguration to get addresses as well as non-IPv6-address information.
Configuring reachable time for remote IPv6 nodes
You can configure the duration (in seconds) that a router considers a remote IPv6 node reachable. By default, a router interface uses the value of 30 seconds. The router advertisement messages sent by a router interface include the amount of time specified by the ipv6 nd reachable-time command so that nodes on a link use the same reachable time duration. By default, the messages include a default value of 0.
Changing the IPv6 MTU
To define the IPv6 MTU globally, enter the following command.
BigIron RX(config)#ipv6 mtu 1300
To define the IPv6 MTU on an interface, enter the following command:
BigIron RX(config-if-e1000-2/1)#ipv6 mtu
Syntax: ipv6 mtu
NOTE
If the size of a jumbo packet received on a port is equal to the maximum frame size – 18 (Layer 2 MAC header + CRC) and this value is greater than the outgoing port’s IPv4/IPv6 MTU, then it will be forwarded by the CPU.
QoS for IPv6 traffic
Configuring QoS for IPv6 traffic is generally the same as it is for IPv4 traffic. The QoS policies you configure on the Brocade device apply to both incoming IPv6 and IPv4 traffic. ACLs can be used to perform QoS for IPv6 traffic:
• dscp
• fragments
• priority-force
• priority-mapping
• source routing
To enable QoS for IPv6 traffic, enter the following commands.
Clearing global IPv6 information
• Interface type.
For example, to remove entries for IPv6 address 2000:e0ff::1, enter the following command at the Privileged EXEC level or any of the Config levels of the CLI.
BigIron RX# clear ipv6 cache 2000:e0ff::1
Syntax: clear ipv6 cache [/ | | ethernet | tunnel | ve ]
You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
BigIron RX# clear ipv6 route 2000:7838::/32
Syntax: clear ipv6 route [/]
The / parameter clears routes associated with a particular IPv6 prefix. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value.
Displaying global IPv6 information
BigIron RX# show ipv6 cache
Total number of cache entries: 10
   IPv6 Address               Next Hop  Port
1  5000:2::2                  LOCAL     tunnel 2
2  2000:4::106                LOCAL     ethe 3/2
3  2000:4::110                DIRECT    ethe 3/2
4  2002:c0a8:46a::1           LOCAL     ethe 3/2
5  fe80::2e0:52ff:fe99:9737   LOCAL     ethe 3/2
6  fe80::ffff:ffff:feff:ffff  LOCAL     loopback 2
7  fe80::c0a8:46a             LOCAL     tunnel 2
8  fe80::c0a8:46a             LOCAL     tunnel 6
9  2999::1                    LOCAL     loopback 2
10 fe80::2e0:52ff:fe99:9700   LOCAL     ethe 3/1
Syntax: show ipv6 cache [
BigIron RX# show ipv6 interface
Routing Protocols : R - RIP  O - OSPF  I - ISIS
Interface      Status     Routing  Global Unicast Address
Ethernet 3/3   down/down  R
Ethernet 3/5   down/down
Ethernet 3/17  up/up               2017::c017:101/64
Ethernet 3/19  up/up               2019::c019:101/64
VE 4           down/down
VE 14          up/up               2024::c060:101/64
Loopback 1     up/up               ::1/128
Loopback 2     up/up               2005::303:303/128
Loopback 3     up/up
Syntax: show ipv6 interface [ [ |]]
The parameter displ
BigIron RX# show ipv6 interface ethernet 3/1
Interface Ethernet 3/1 is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::2e0:52ff:fe99:97
  Global unicast address(es):
  Joined group address(es):
    ff02::9
    ff02::1:ff99:9700
    ff02::2
    ff02::1
  MTU is 1500 bytes
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 3
  ND reachable time is 30 seconds
  ND advertised reachable time is 0 seconds
  ND retransmit interval is 1 seconds
  ND advertised retra
To display the IPv6 neighbor table, enter the following command at any CLI level.
BigIron RX(config)# show ipv6 neighbor
Total number of Neighbor entries: 3
    IPv6 Address                LinkLayer-Addr
1   2000:4::110                 00e0.5291.bb37
2   fe80::2e0:52ff:fe91:bb37    00e0.5291.bb37
3   fe80::2e0:52ff:fe91:bb40    00e0.5291.
Displaying the IPv6 route table
To display the IPv6 route table, enter the following command at any CLI level.
TABLE 174 IPv6 route table fields (Continued)
This field...      Displays...
Next-Hop Router    The next-hop router.
Interface          The interface through which this router sends packets to reach the route's destination.
Dis/Metric         The route’s administrative distance and metric value.
To display a summary of the IPv6 route table, enter the following command at any CLI level.
TABLE 176 IPv6 local router information fields
This field...   Displays...
Router on       The IPv6 address for a particular router interface.
Last update     The amount of elapsed time (in minutes) between the current and previous updates received from a router.
Hops            The default value that should be included in the Hop Count field of the IPv6 header for outgoing IPv6 packets.
TABLE 177 General IPv6 TCP connection fields
This field...            Displays...
Local IP address:port    The IPv4 or IPv6 address and port number of the local router interface over which the TCP connection occurs.
Remote IP address:port   The IPv4 or IPv6 address and port number of the remote router interface over which the TCP connection occurs.
TCP state                The state of the TCP connection. Possible states include the following:
                         LISTEN – Waiting for a connection request.
BigIron RX# show ipv6 tcp status 2000:4::110 179 2000:4::106 8222
TCP: TCB = 0x217fc300
TCP: 2000:4::110:179 <-> 2000:4::106:8222: state: ESTABLISHED Port: 1
  Send: initial sequence number = 242365900
  Send: first unacknowledged sequence number = 242434080
  Send: current send pointer = 242434080
  Send: next sequence number to send = 242434080
  Send: remote received window = 16384
  Send: total unacknowledged sequence number = 0
  Send: total used buffers 0
  Receive: initial inc
TABLE 178 Specific IPv6 TCP connection fields (Continued)
This field...                                   Displays...
Send: total unacknowledged sequence number =    The total number of unacknowledged sequence numbers sent by the local router.
Send: total used buffers                        The total number of buffers used by the local router in setting up the TCP connection.
Receive: initial incoming sequence number =     The initial incoming sequence number received by the local router.
BigIron RX# show ipv6 traffic
IP6 Statistics
  36947 received, 66818 sent, 0 forwarded, 36867 delivered, 0 rawout
  0 bad vers, 23 bad scope, 0 bad options, 0 too many hdr
  0 no route, 0 can't forward, 0 redirect sent
  0 frag recv, 0 frag dropped, 0 frag timeout, 0 frag overflow
  0 reassembled, 0 fragmented, 0 ofragments, 0 can't frag
  0 too short, 0 too small, 11 not member
  0 no buffer, 66819 allocated, 21769 freed
  0 forward cache hit, 46 forward cache miss
ICMP6 Statistics
TABLE 179 IPv6 traffic statistics fields (Continued)
This field...    Displays...
bad options      The number of IPv6 packets dropped by the router because of bad options.
too many hdr     The number of IPv6 packets dropped by the router because the packets had too many headers.
no route         The number of IPv6 packets dropped by the router because there was no route.
can’t forward    The number of IPv6 packets the router could not forward to another router.
TABLE 179 IPv6 traffic statistics fields (Continued)
This field...    Displays...
nei soli         The number of Neighbor Solicitation messages sent or received by the router.
nei adv          The number of Router Advertisement messages sent or received by the router.
redirect         The number of redirect messages sent or received by the router.
Applies to received only
bad code         The number of Bad Code messages received by the router.
TABLE 179 IPv6 traffic statistics fields (Continued)
This field...     Displays...
active opens      The number of TCP connections opened by the router by sending a TCP SYN to another device.
passive opens     The number of TCP connections opened by the router in response to connection requests (TCP SYNs) received from other devices.
failed attempts   This information is used by Brocade Technical Support.
Chapter 44 Configuring RIPng
Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing a distance) to measure the cost of a given route. RIP uses a hop count as its cost or metric. IPv6 RIP, known as Routing Information Protocol Next Generation or RIPng, functions similarly to IPv4 RIP version 2. RIPng supports IPv6 addresses and prefixes. In addition, Brocade implements some new commands that are specific to RIPng.
For more information about performing these configuration tasks, refer to Chapter 43, “Configuring Basic IPv6 Connectivity”.
By default, RIPng is disabled. To enable RIPng, you must enable it globally on the Brocade device and also on individual router interfaces.
NOTE
You are required to configure a router ID when running only IPv6 routing protocols.
NOTE
Enabling RIPng globally on the Brocade device does not enable it on individual router interfaces.
• Brocade recommends setting the timeout timer value to at least three times the value of the update timer.
• Brocade recommends a shorter hold-down timer interval, because a longer interval can cause delays in RIPng convergence.
The following example sets updates to be broadcast every 45 seconds. If a route is not heard from in 135 seconds, the route is declared unusable. Further information is suppressed for an additional 10 seconds.
BigIron RX(config)# interface ethernet 3/1
BigIron RX(config-if-e100-3/1)# ipv6 rip default-information originate
Syntax: [no] ipv6 rip default-information only | originate
The only keyword originates the default routes and suppresses all other routes from the updates. The originate keyword originates the default routes and includes all other routes in the updates.
Syntax: [no] ipv6 rip metric-offset [out] <1 – 16>
To return the metric offset to its default value, use the no form of this command.
The out keyword indicates that the prefix list is applied to outgoing routing updates on the specified interface. For the parameter, you can specify the ethernet, loopback, ve, or tunnel keywords. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VE or tunnel interface, also specify the VE or tunnel number. To remove the distribution list, use the no form of this command.
Displaying RIPng information
• RIPng routing table
Displaying RIPng configuration
To display RIPng configuration information, enter the following command at any CLI level.
BigIron RX# show ipv6 rip route
IPv6 RIP Routing Table - 4 entries:
2000:4::/64, from ::, null (0)
  CONNECTED, metric 1, tag 0, timers: none
2002:c0a8:46a::/64, from ::, null (1)
  CONNECTED, metric 1, tag 0, timers: none
2999::1/128, from ::, null (2)
  CONNECTED, metric 1, tag 0, timers: none
5000:2::/64, from ::, null (3)
  CONNECTED, metric 1, tag 0, timers: none
Syntax: show ipv6 rip route [/ | ]
The / pa
Chapter 45 Configuring BGP4+
Brocade’s implementation of IPv6 supports multi protocol BGP (MBGP) extensions, which allow IPv6 BGP (known as BGP4+) to distribute routing information for protocols such as IPv4 BGP. The supported protocols are identified by address families. The extensions allow a set of BGP4+ peers to exchange routing information for multiple address families and sub-address families.
NOTE
Each address family configuration level allows you to access commands that apply to that particular address family only. To enable a feature in a particular address family, you must specify any associated commands for that feature in that particular address family. You cannot expect the feature, which you may have configured in the BGP4 unicast address family, to work in the BGP4+ unicast address family unless it is explicitly configured in the BGP4+ unicast address family.
Syntax: local-as
Specify the AS number in which the switch you are configuring resides.
After enabling BGP4+, you can add neighbors to a BGP4+ switch by entering commands such as the following.
Adding BGP4+ neighbors using link-local addresses
To configure BGP4+ neighbors that use link-local addresses, you must do the following:
• Add the IPv6 address of a neighbor in a remote AS to the BGP4+ neighbor table of the local switch.
• Identify the neighbor interface over which the neighbor and local switch will exchange prefixes.
• Configure a route map to set up a global next hop for packets destined for the neighbor.
Configuring a route map
To configure a route map that filters routes advertised to a neighbor or sets up a global next hop for packets destined for the neighbor with the IPv6 link-local address fe80:4393:ab30:45de::1, enter commands such as the following (start at the BGP4+ unicast address family configuration level).
NOTE
You can add IPv6 neighbors only to an IPv6 peer group. You cannot add an IPv4 neighbor to an IPv6 peer group and vice versa. IPv4 and IPv6 peer groups must remain separate.
To configure a BGP4+ peer group, you must do the following.
1. Create a peer group.
2. Add a neighbor to the local switch.
3. Assign the IPv6 neighbor to the peer group.
The parameter specifies the IPv6 address of the neighbor. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. The peer-group parameter indicates the name of the already created peer group. To delete the mapping of the neighbor IPv6 address to the peer group, enter the no form of this command.
You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value. A slash mark (/) must follow the parameter and precede the parameter. You can specify the optional route-map parameter if you want to change attributes of a route when importing it into BGP4+.
Aggregating routes advertised to BGP4 neighbors
By default, a switch advertises individual BGP4+ routes for all the networks. The aggregation feature allows you to configure a switch to aggregate routes in a range of networks into a single IPv6 prefix. For example, without aggregation, a switch will individually advertise routes for networks ff00:f000:0001:0000::/64, ff00:f000:0002:0000::/64, ff00:f000:0003:0000::/64, and so on.
BigIron RX(config-bgp-ipv6u)# exit
BigIron RX(config)# ipv6 prefix-list ipv6_uni seq 10 permit 2001:eff3::/32
BigIron RX(config)# route-map map1 permit 10
BigIron RX(config-routemap-map1)# match ipv6 address prefix-list ipv6_uni
This example configures a route map named “map1” that permits incoming IPv6 unicast routes that match the prefix list named “ipv6_uni” (2001:eff3::/32). Note that you apply the route map while at the BGP4+ unicast address family configuration level.
NOTE
Clearing the dampening statistics for a route does not change the dampening status of the route.
You can clear the buffers for all neighbors, for an individual neighbor, or for all the neighbors within a specific peer group or AS. To clear these buffers for neighbor 2000:e0ff:37::1, enter the following commands at the Privileged EXEC level or any of the Config levels of the CLI.
If you close a neighbor session, the switch and the neighbor clear all the routes they learned from each other. When the switch and neighbor establish a new BGP4+ session, they exchange route tables again. Use this method if you want the switch to relearn routes from the neighbor and resend its own route table to the neighbor.
Clearing BGP4+ neighbor route flap dampening statistics
The switch allows you to clear all route flap dampening statistics for a specified BGP4+ neighbor.
NOTE
Clearing the dampening statistics for a neighbor does not change the dampening status of a route.
To clear all of the route flap dampening statistics for a neighbor, enter a command such as the following at the Privileged EXEC level or any of the Config levels of the CLI.
Displaying BGP4+ information
• BGP4+ route information.
• BGP4+ route-attribute entries.
• BGP4+ configuration information.
• Dampened BGP4+ paths.
• Filtered-out BGP4+ routes.
• BGP4+ route flap dampening statistics.
• BGP4+ neighbor information.
• BGP4+ peer group configuration information.
• BGP4+ summary information.
NOTE
The show commands implemented for BGP4+ correspond to the show commands implemented for IPv4 BGP.
TABLE 183 Summary of BGP4+ routes (Continued)
This field...   Displays...
LocPrf          The degree of preference for the advertised route relative to other routes in the local AS. When the BGP4+ algorithm compares routes on the basis of local preferences, the route with the higher local preference is chosen. The preference can have a value from 0 – 4294967295.
Weight          The value that this switch associates with routes from a specific neighbor.
The parameter specifies the table entry with which you want the display to start. For example, if you specify 100, the display shows entry 100 and all entries subsequent to entry 100. The age parameter displays only the routes that have been received or updated more recently than the number of seconds you specify. The as-path-access-list parameter filters the display using the specified AS-path ACL.
BigIron RX# show ipv6 bgp routes detail
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
1 Prefix: 2002::/16, Status: BL, Age: 2d17h10m42s
  NEXT_HOP: ::, Learned from Peer: Local Router
  LOCAL_PREF: 100, MED: 1, ORIGIN: incomplete, Weight: 32768
  AS_PATH:
  Adj_RIB_out count: 1, Admin distance 190
2 Prefix: 2002:1234::/32, Status: BL, Age: 2d17h10m42s
  NEXT_HOP: ::, Learned
TABLE 184 Detailed BGP4+ route information (Continued)
This field...   Displays...
Origin          The source of the route information. The origin can be one of the following:
                • A – AGGREGATE. The route is an aggregate route for multiple networks.
                • B – BEST. BGP4+ has determined that this is the optimal route to the destination.
The parameter specifies the table entry with which you want the display to start. For example, if you specify 100, the display shows entry 100 and all entries subsequent to entry 100. The age parameter displays only the routes that have been received or updated more recently than the number of seconds you specify. The as-path-access-list parameter filters the display using the specified AS-path ACL.
Displaying BGP4+ route information
You can display all BGP4+ routes known by a switch, only those routes that match a specified prefix, or routes that match a specified or longer prefix. To display all BGP4+ routes known by the switch, enter the following command at any level of the CLI.
TABLE 185 BGP4+ route information
This field...   Displays...
Total number of BGP Routes (appears in display of all BGP routes only)   The number of routes known by the switch.
Number of BGP Routes matching display condition (appears in display that matches specified and longer prefixes)   The number of routes that matched the display parameters you entered. This is the number of routes displayed by the command.
Syntax: show ipv6 bgp attribute-entries
For information about displaying route-attribute entries for a specified BGP4+ neighbor, refer to “Displaying BGP4+ neighbor route-attribute entries” on page 1148.
This display shows the following information:
TABLE 186 BGP4+ route-attribute entries information
This field...   Displays...
Total number of BGP Attribute Entries   The number of entries contained in the switch’s BGP4+ route-attribute entries table.
Displaying the BGP4+ running configuration
To view the active BGP4+ configuration information contained in the running configuration without displaying the entire running configuration, enter the following command at any level of the CLI.
TABLE 187 Dampened BGP4+ path information
This field...   Displays...
Status codes    A list of the characters the display uses to indicate the path’s status. The status code appears in the left column of the display, to the left of each route. The status codes are described in the command’s output. The status column displays a “d” for each dampened route.
Network         The destination network of the route.
From            The IPv6 address of the advertising peer.
The longer-prefixes keyword allows you to display routes that match a specified or longer IPv6 prefix. For example, if you specify 2002::/16 longer-prefixes, then all routes with the prefix 2002::/16 or that have a longer prefix (such as 2002:e016::/32) are displayed. The as-path-access-list parameter specifies an AS-path ACL. Specify an ACL name. Only the routes permitted by the AS-path ACL are displayed.
TABLE 188 Summary of filtered-out BGP4+ route information (Continued)
This field...   Displays...
Weight          The value that this switch associates with routes from a specific neighbor. For example, if the switch receives routes to the same destination from two BGP4+ neighbors, the switch prefers the route from the neighbor with the larger weight.
BigIron RX# show ipv6 bgp filtered-routes detail
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
1 Prefix: 800:2:1::/64, Status: EF, Age: 0h0m10s
  NEXT_HOP: 2000:1:1::1, Learned from Peer: 2000:1:1::1 (100)
  LOCAL_PREF: 100, MED: 0, ORIGIN: incomplete, Weight: 0
  AS_PATH: 100
2 Prefix: 900:1:18::/64, Status: EF, Age: 0h0m10s
  NEXT_HOP: 2000:1:1::1, Learned from Peer: 2000:1:1::1 (100)
  LOCA
TABLE 189 Detailed filtered-out BGP4+ route information (Continued)
This field...       Displays...
Next hop            For information about this field, refer to Table 188 on page 1134.
Learned from peer   The IPv6 address of the neighbor from which this route is learned. “Local router” indicates that the switch itself learned the route.
Local pref          For information about this field, refer to Table 188 on page 1134.
MED                 The value of the advertised route’s MED attribute.
BigIron RX# show ipv6 bgp flap-statistics
Total number of flapping routes: 14
Status Code >:best d:damped h:history *:valid
   Network         From           Flaps   Since      Reuse     Path
h> 2001:2::/32     3001:23::47    1       0 :0 :13   0 :0 :0   65001 4355 1 701
*> 3892:34::/32    3001:23::47    1       0 :1 :4    0 :0 :0   65001 4355 701 62
Syntax: show ipv6 bgp flap-statistics [/ [longer-prefixes] | as-path-filter | neighbor | regular-expression ]
The
TABLE 190 Route flap dampening statistics
This field...   Displays...
Reuse           The amount of time (in hh:mm:ss) after which the path is again available.
Path            The AS path of the route.
You also can display all the dampened routes by using the show ipv6 bgp dampened-paths command. For more information, refer to “Displaying dampened BGP4+ paths” on page 1132.
BigIron RX# show ipv6 bgp neighbor 2000:4::110
1 IP Address: 2000:4::110, AS: 65002 (EBGP), RouterID: 1.1.1.
TABLE 191 BGP4+ neighbor configuration information and statistics (Continued)
This field...   Displays...
EBGP/IBGP       Whether the neighbor session is an IBGP session, an EBGP session, or a confederation EBGP session.
                • EBGP – The neighbor is in another AS.
                • EBGP_Confed – The neighbor is a member of another sub-AS in the same confederation.
                • IBGP – The neighbor is in the same AS.
RouterID        The neighbor’s router ID.
TABLE 191 BGP4+ neighbor configuration information and statistics (Continued)
This field...                Displays...
Messages Sent and Received   The number of messages this switch has sent to and received from the neighbor.
TABLE 191 BGP4+ neighbor configuration information and statistics (Continued)
This field...   Displays...
Last Connection Reset Reason (cont.
TABLE 191 BGP4+ neighbor configuration information and statistics (Continued)
This field...       Displays...
Notification Sent   If the switch receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
TABLE 191 BGP4+ neighbor configuration information and statistics (Continued)
This field...          Displays...
TCP Connection state   The state of the connection with the neighbor. The connection can have one of the following states:
                       • LISTEN – Waiting for a connection request.
                       • SYN-SENT – Waiting for a matching connection request after having sent a connection request.
TABLE 191 BGP4+ neighbor configuration information and statistics (Continued)
This field...   Displays...
TotalRcv        The number of sequence numbers received from the neighbor.
DupliRcv        The number of duplicate sequence numbers received from the neighbor.
RcvWnd          The size of the receive window.
SendQue         The number of sequence numbers in the send queue.
RcvQue          The number of sequence numbers in the receive queue.
CngstWnd        The number of times the window has changed.
TABLE 192 Summary of route information advertised to a BGP4+ neighbor
This field...   Displays...
Number of BGP4+ Routes advertised to specified neighbor (appears only in display for all routes)   The number of routes displayed by the command.
Status codes    A list of the characters the display uses to indicate the route’s status. The status code appears in the Status column of the display. The status codes are described in the command’s output.
TABLE 193 Detailed route information advertised to a BGP4+ neighbor
This field...   Displays...
Number of BGP4+ Routes advertised to specified neighbor (appears only in display for all routes)   For information about this field, refer to Table 192 on page 1147.
Status codes    For information about this field, refer to Table 192 on page 1147.
Prefix          For information about this field, refer to Table 192 on page 1147.
BigIron RX# show ipv6 bgp neighbor 2000:4::110 attribute-entries
Total number of BGP Attribute Entries: 1
1 Next Hop :2000:4::106  Metric :1  Origin:INCOMP
  Originator:0.0.0.0  Cluster List:None
  Aggregator:AS Number :0  Router-ID:0.0.0.
TABLE 194 BGP4+ neighbor route-attribute entries information (Continued)
This field...      Displays...
Communities        The communities that routes with this set of attributes are in.
AS Path            The ASs through which routes with this set of attributes have passed. The local AS is shown in parentheses.
Address            For debugging purposes only.
Hash               For debugging purposes only.
Reference Counts   For debugging purposes only.
Displaying last error packet from a BGP4+ neighbor
You can display information about the last packet that contained an error from any of a switch’s neighbors. The displayed information includes the error packet's contents decoded in a human-readable format. For example, to display information about the last error packet from any of a switch’s neighbors, enter the following command.
BigIron RX# show ipv6 bgp neighbor 2:2:2:2:: received-routes
There are 4 received routes from neighbor 2:2:2:2::
Searching for matching routes, use ^C to quit...
TABLE 197 Summary of route information received from a BGP4+ neighbor (Continued)
This field...   Displays...
Weight          The value that this switch associates with routes from a specific neighbor. For example, if the switch receives routes to the same destination from two BGP4+ neighbors, the switch prefers the route from the neighbor with the larger weight.
Status          The advertised route’s status, which can be one or more of the following:
                A – AGGREGATE.
BigIron RX# show ipv6 bgp neighbor 2000:1:1::1 received-routes detail
There are 4 received routes from neighbor 2000:1:1::1
Searching for matching routes, use ^C to quit...
TABLE 198 Detailed route information received from a BGP4+ neighbor (Continued)
This field...   Displays...
Origin          The source of the route information. The origin can be one of the following:
                • EGP – The routes with this set of attributes came to BGP4+ through EGP.
                • IGP – The routes with this set of attributes came to BGP4+ through IGP.
                • INCOMPLETE – The routes came from an origin other than one of the above.
The detail / parameter displays detailed information about the specified RIB routes. If you do not specify this parameter, a summary of the RIB routes displays. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value.
BigIron RX# show ipv6 bgp neighbor 2000:4::110 rib-out-routes detail
There are 2 RIB_out routes for neighbor 2000:4::110
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST E:EBGP I:IBGP L:LOCAL
1 Prefix: 2002:1234::/32, Status: BL, Age: 6d18h17m53s
  NEXT_HOP: ::, Learned from Peer: Local Router
  LOCAL_PREF: 100, MED: 1, ORIGIN: incomplete, Weight: 32768
  AS_PATH:
  Adj_RIB_out count: 1, Admin distance 190
2 Prefix: 2002::/16, Status: BL, Age: 6d18h21m8s
  NEXT_HOP: ::, Learned from Pe
• Best routes – The “best” routes to their destinations, which are installed in the switch’s IPv6 route table.
• Unreachable – The routes whose destinations are unreachable using any of the BGP4+ paths in the IPv6 route table.
For example, to display a summary of the best routes to a destination received from neighbor 2000:4::106, enter the following command.
TABLE 201 Summary of best and unreachable routes from a BGP4+ neighbor (Continued)
This field...   Displays...
Status          The route’s status, which can be one or more of the following:
                • A – AGGREGATE. The route is an aggregate route for multiple networks.
                • B – BEST. BGP4+ has determined that this is the optimal route to the destination.
                • C – CONFED_EBGP. The route was learned from a neighbor in the same confederation and AS, but in a different sub-AS within the confederation.
TABLE 202 Detailed best and unreachable routes from a BGP4+ neighbor
This field...   Displays...
Number of accepted routes from a specified neighbor (appears only in display for all routes)   For information about this field, refer to Table 201 on page 1158.
Status codes    For information about this field, refer to Table 201 on page 1158.
Prefix          For information about this field, refer to Table 201 on page 1158.
BigIron RX# show ipv6 bgp neighbor 2000:4::110 routes-summary
1 IP Address: 2000:4::110
  Routes Accepted/Installed:0, Filtered/Kept:0, Filtered:0
  Routes Selected as BEST Routes:0
  BEST Routes not Installed in IP Forwarding Table:0
  Unreachable Routes (no IGP Route for NEXTHOP):0
  History Routes:0
  NLRIs Received in Update Message:0, Withdraws:0 (0), Replacements:0
  NLRIs Discarded due to Maximum Prefix Limit:0, AS Loop:0
  Invalid Nexthop:0, Invalid Nexthop Address:0.0.0.
TABLE 203 BGP4+ neighbor route summary information (Continued)
This field...            Displays...
NLRIs Discarded due to   Indicates the number of times the switch discarded an NLRI for the neighbor due to the following reasons:
                         • Maximum Prefix Limit – The switch’s configured maximum prefix amount had been reached.
                         • AS Loop – An AS loop occurred. An AS loop occurs when the BGP4+ AS-path attribute contains the local AS number.
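An added Python example, not code from the guide or from Brocade, that models the discard reasons counted in the routes-summary display (Maximum Prefix Limit, AS Loop, Invalid Nexthop) as a receive-side check on one UPDATE from a neighbor. The local AS, the prefix limit, the function names and the sample UPDATE contents are assumptions of the example; the prefix-limit case is modelled as a per-NLRI discard to match the counter, whereas a real router may instead reset the session.

```python
import ipaddress
from collections import Counter

LOCAL_AS = 65002   # assumed local AS for this example
MAX_PREFIX = 3     # assumed configured maximum prefix limit for the neighbor


def nexthop_is_valid(nexthop):
    """Reject next hops that can never be used to forward: malformed,
    unspecified (::), multicast or loopback."""
    try:
        nh = ipaddress.IPv6Address(nexthop)
    except ValueError:
        return False
    return not (nh.is_unspecified or nh.is_multicast or nh.is_loopback)


def accept_update(nlris, as_path, nexthop, accepted,
                  local_as=LOCAL_AS, max_prefix=MAX_PREFIX):
    """Apply the discard checks to one UPDATE and record what survives.

    nlris:    prefixes carried in the UPDATE (constructed input)
    as_path:  tuple of AS numbers from the AS_PATH attribute
    nexthop:  NEXT_HOP attribute as a string
    accepted: dict of prefixes already accepted from this neighbor,
              updated in place
    Returns a Counter of discard reasons keyed as the display labels them.
    """
    discarded = Counter()
    # AS loop: the update already passed through our own AS, so every NLRI
    # in it is dropped rather than re-learned.
    if local_as in as_path:
        discarded["AS Loop"] += len(nlris)
        return discarded
    # NEXT_HOP is shared by all NLRIs in the UPDATE, so one bad value
    # invalidates the whole message.
    if not nexthop_is_valid(nexthop):
        discarded["Invalid Nexthop"] += len(nlris)
        return discarded
    for prefix in nlris:
        key = str(ipaddress.IPv6Network(prefix))
        # A replacement for a prefix we already hold does not add to the
        # count; only new prefixes can exceed the limit.
        if key not in accepted and len(accepted) >= max_prefix:
            discarded["Maximum Prefix Limit"] += 1
            continue
        accepted[key] = {"as_path": as_path, "nexthop": nexthop}
    return discarded


if __name__ == "__main__":
    table = {}
    # Constructed sample: values drawn from the filtered-routes output above.
    print(accept_update(["800:2:1::/64", "900:1:18::/64"], (100,),
                        "2000:1:1::1", table))
    print(accept_update(["900:1:19::/64"], (100, 65002, 300),
                        "2000:1:1::1", table))          # AS Loop
    print(accept_update(["900:1:19::/64"], (100,), "::", table))  # Invalid Nexthop
    print(accept_update(["900:1:19::/64", "900:1:20::/64"], (100,),
                        "2000:1:1::1", table))          # one over the limit
    print(sorted(table))
```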
BigIron RX# show ipv6 bgp peer-group peer1
1 BGP peer-group is pg1, Remote AS: 65002
  Description: device group 1
  NextHopSelf: yes
  Address family : IPV4 Unicast
  Address family : IPV4 Multicast
  Address family : IPV6 Unicast
  Members:
    IP Address: 192.169.102.2
    IP Address: 192.169.100.2
    IP Address: 192.169.101.2
    IP Address: 192.169.103.2
    IP Address: 192.169.104.2
    IP Address: 192.169.105.2
    IP Address: 192.169.106.2
    IP Address: 192.169.107.2
    IP Address: 192.169.108.
TABLE 204 BGP4+ summary information (Continued)
This field...         Displays...
Confederation Peers   The numbers of the local ASs contained in the confederation. This list matches the confederation peer list you configure on the switch.
Maximum Number of Paths Supported for Load Sharing   The maximum number of route paths across which the switch can balance traffic to the same destination. The feature is enabled by default but the default number of paths is 1.
TABLE 204 BGP4+ summary information (Continued)
This field...   Displays...
State           The state of this switch’s neighbor session with each neighbor. The states are from this switch’s perspective of the session, not the neighbor’s perspective. The state values can be one of the following for each switch:
                • IDLE – The BGP4+ process is waiting to be started. Usually, enabling BGP4+ or establishing a neighbor session starts the BGP4+ process.
Chapter 46 Configuring IPv6 MBGP
Brocade’s implementation of IPv6 supports multi protocol BGP (MBGP) extensions, which allow IPv6 BGP (known as BGP4+) to distribute routing information for protocols such as IPv4 BGP. The supported protocols are identified by address families. The extensions allow a set of BGP4+ peers to exchange routing information for multiple address families and sub-address families.
Setting the maximum number of multicast routes supported
The BigIron RX supports 1024 – 153,600 multicast routes.
NOTE
This procedure requires a software reload to place the change into effect.
To increase the maximum number of multicast routes supported on the device, enter commands such as the following.
This command adds a router with IPv6 address 3001::1 as an MBGP neighbor. The remote-as 44 parameter specifies that the neighbor is in remote BGPv6 AS 44. The device will exchange only multicast routes with the neighbor.
NOTE
If the BigIron RX has multiple neighbors with similar attributes, you can simplify configuration by configuring a peer group, then adding individual neighbors to it.
Advertising routes from the local AS to MBGP
You can configure the device to advertise directly-connected and static multicast routes from the local AS to other ASs using the following methods:
• For directly-connected routes:
  • Enable redistribution of directly-connected multicast routes.
• For indirectly-connected routes:
  • Configure static IPv6 multicast routes. The corresponding IPv6 route must be present in the IPv6 multicast table.
BigIron RX(config)# access-list 10 permit 2001:100::/32
BigIron RX(config)# route-map mbgpmap permit 1
BigIron RX(config-routemap mbgpmap)# match ipv6 address 10
BigIron RX(config-routemap mbgpmap)# exit
BigIron RX(config)# router bgp
BigIron RX(config-bgp-ipv6m)# redistribute connected route-map mbgpmap
The first command configures an IPv6 ACL for use in the route map. The ACL matches on the destination network for the route to be redistributed.
Aggregating routes advertised to IPv6 BGP neighbors
By default, the device advertises individual MBGP routes for all the multicast networks. The aggregation feature allows you to configure the device to aggregate routes in a range of networks into a single CIDR number. To aggregate MBGP routes, enter the following command.
TABLE 205 IPv6 MBGP Show commands (Continued)
Command  Description
show ipv6 mbgp dampened-paths  Displays IPv6 MBGP paths that have been dampened by route flap dampening.
show ipv6 mbgp flap-statistics  Displays route flap dampening statistics.
show ipv6 mbgp filtered-routes  Displays routes that have been filtered out.
Displaying summary MBGP information
To display summary MBGP information, enter the following command at any CLI prompt.
BigIron RX# show ipv6 mbgp config
Current BGP configuration:
router bgp
 local-as 200
 neighbor 166.1.1.2 remote-as 200
 address-family ipv6 unicast
 no neighbor 166.1.1.2 activate
 exit-address-family
 address-family ipv6 multicast
 redistribute connected
 redistribute static
 neighbor 166.1.1.
BigIron RX # show ipv6 mbgp neighbor 4fee:2343:0:ee44::1
Total number of BGP Neighbors: 1
1 ipv6 Address: 8eff::0/32, Remote AS: 200 (IBGP), RouterID: 8.8.8.
BigIron RX#show ipv6 mbgp route
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
    Prefix       Next Hop   Metric  LocPrf  Weight  Status
1   8.8.8.0/24   166.1.1.2  0       100     0       BI
    AS_PATH:
2   31.1.1.0/24  166.1.1.2  0       100     0       BI
    AS_PATH:
Syntax: show ipv6 mbgp routes
Displaying the IPv6 multicast route table
To display the IPv6 multicast route table, enter the following command.
Chapter 47 IPv6 Access Control Lists (ACLs)
IPv6 ACLs
Brocade supports IPv6 Access Control Lists (ACLs), which you can use for traffic filtering. You can configure up to 100 IPv6 ACLs. An IPv6 ACL is composed of one or more conditional statements that specify an action (permit or deny) to take if a packet matches a specified source or destination prefix. There can be up to 1024 statements per device. In ACLs with multiple statements, you can specify a priority for each statement.
For TCP and UDP, you also can specify a comparison operator and port name or number. For example, you can configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP) packets from a specified source IPv6 address to the website’s IPv6 address. IPv6 ACLs also provide support for filtering packets based on DSCP.
BigIron RX(config)# ipv6 access-list netw
BigIron RX(config-ipv6-access-list-netw)# permit icmp 2000:2383:e0bb::/64 2001:3782::/64
BigIron RX(config-ipv6-access-list-netw)# deny ipv6 host 2000:2383:e0ac::2 host 2000:2383:e0aa:0::24
BigIron RX(config-ipv6-access-list-netw)# deny udp any any
BigIron RX(config-ipv6-access-list-netw)# permit ipv6 any any
The first condition permits ICMP traffic from hosts in the 2000:2383:e0bb::x network to hosts in the 2001:3782::x network.
BigIron RX(config)# sh ipv6 access-list rtr
ipv6 access-list rtr: 3 entries
10: deny tcp 2001:1570:21::/24 2001:1570:22::/24
20: deny udp any range 5 6 2001:1570:22::/24
30: permit ipv6 any any
The following commands apply the ACL “rtr” to the incoming traffic on ports 2/1 and 2/2.
Furthermore, if you add the statement deny icmp any any in the access list, then all neighbor discovery messages will be denied. You must explicitly enter the permit icmp any any nd-na and permit icmp any any nd-ns statements just before the deny icmp statement if you want the ACL to permit neighbor discovery, as in the example below.
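The evaluation rules described above (statements tried in order, first match wins, no match means deny) and the neighbor-discovery caveat can be checked offline. The following is an added example, not Brocade code: it models a small subset of the IPv6 ACL statement syntax, loads the “netw” ACL shown earlier plus two variants of the ICMP deny, and runs constructed sample packets through them. The Entry and Packet classes, parse(), evaluate() and the sample addresses are this example’s own assumptions; the ICMPv6 type numbers for nd-ns and nd-na come from RFC 4861.

```python
"""Added example, not Brocade code: first-match evaluation of IPv6 ACL
statements, including the neighbor-discovery caveat from the text."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv6 type numbers behind the two ND keywords used on the page (RFC 4861).
ICMP_TYPES = {"nd-ns": 135, "nd-na": 136}

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6", "icmp", "tcp" or "udp"
    src: str                         # IPv6 prefix ("addr/len") or "any"
    dst: str
    icmp_type: Optional[str] = None  # ND keyword, or None for any ICMP type

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[int] = None

def parse(line: str) -> Entry:
    """Parse '<action> <proto> <src> <dst> [icmp-type]' where <src>/<dst> is
    'any', 'host <addr>' or '<prefix>/<len>' (the subset used in this example)."""
    t = line.split()
    action, proto = t[0], t[1]
    i = 2

    def take_addr():
        nonlocal i
        if t[i] == "host":
            i += 2
            return t[i - 1] + "/128"
        i += 1
        return t[i - 1]

    src = take_addr()
    dst = take_addr()
    icmp_type = t[i] if proto == "icmp" and i < len(t) else None
    return Entry(action, proto, src, dst, icmp_type)

def prefix_matches(rule: str, addr: str) -> bool:
    return rule == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ipv6" and e.proto != p.proto:   # "ipv6" covers every protocol
        return False
    if not (prefix_matches(e.src, p.src) and prefix_matches(e.dst, p.dst)):
        return False
    if e.proto == "icmp" and e.icmp_type is not None:
        return ICMP_TYPES[e.icmp_type] == p.icmp_type
    return True

def evaluate(acl, p: Packet) -> str:
    """First matching statement wins; a packet matching nothing is implicitly denied."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"

# The "netw" ACL from the page, and the two ND variants discussed in the text.
NETW = [parse(s) for s in (
    "permit icmp 2000:2383:e0bb::/64 2001:3782::/64",
    "deny ipv6 host 2000:2383:e0ac::2 host 2000:2383:e0aa:0::24",
    "deny udp any any",
    "permit ipv6 any any")]
BLOCKS_ND = [parse(s) for s in ("deny icmp any any", "permit ipv6 any any")]
KEEPS_ND = [parse(s) for s in (
    "permit icmp any any nd-na", "permit icmp any any nd-ns",
    "deny icmp any any", "permit ipv6 any any")]

# Constructed sample packets: a Neighbor Solicitation to a solicited-node
# multicast group, the Neighbor Advertisement reply, an echo request, and TCP.
NS = Packet("icmp", "fe80::1", "ff02::1:ff00:2", icmp_type=135)
NA = Packet("icmp", "fe80::2", "fe80::1", icmp_type=136)
PING = Packet("icmp", "2001:db8::1", "2001:db8::2", icmp_type=128)
WEB = Packet("tcp", "2001:db8::1", "2001:db8::2")

def nd_survives(acl) -> bool:
    """True if both ND message types get through the ACL."""
    return evaluate(acl, NS) == "permit" and evaluate(acl, NA) == "permit"

if __name__ == "__main__":
    for name, acl in ("BLOCKS_ND", BLOCKS_ND), ("KEEPS_ND", KEEPS_ND):
        print(f"{name}: neighbor discovery survives = {nd_survives(acl)}")
```

Running the block shows that the ACL ending in a bare deny icmp any any breaks neighbor discovery while the one with the nd-na and nd-ns permits in front of it does not; the same evaluate() call is a quick way to confirm what a candidate ACL does to a given flow before it is applied to an interface.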
For TCP
Syntax: [no] ipv6 access-list
Syntax: permit | deny | any | host [tcp-udp-operator [source-port-number]] | any | host [tcp-udp-operator [destination-port-number]] [ipv6-operator []] [match-all ] | [match-any ] | established [802.1p-priority-matching ] [dscp-marking 802.
TABLE 206 Syntax descriptions (Continued)
Arguments... Description...
/  The / parameter specifies a source prefix and prefix length that a packet must match for the specified action (deny or permit) to occur. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value.
TABLE 206 Syntax descriptions (Continued)
Arguments... Description...
tcp-udp-operator  The parameter can be one of the following:
• eq – The policy applies to the TCP or UDP port name or number you enter after eq.
• gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt. Enter "?" to list the port names.
TABLE 206 Syntax descriptions (Continued)
Arguments... Description...
dscp-marking  Use the dscp-marking parameter to specify a new QoS value to the packet. If a packet matches the filters in the ACL statement, this parameter assigns the DSCP value that you specify to the packet. Enter 0 – 63.
802.1p-priority-marking  Use the 802.1p-priority-marking parameter to specify a new QoS value to the packet.
• parameter-problem
• port-unreachable
• reassembly-timeout
• renum-command
• renum-result
• renum-seq-number
• router-advertisement
• router-renumbering
• router-solicitation
• sequence
• time-exceeded
• unreachable
NOTE
If you do not specify a message type, the ACL applies to all ICMP message types.
Applying an IPv6 ACL to an interface
To apply an IPv6 ACL, for example “access1”, to an interface, enter commands such as the following.
BigIron RX(config)# ipv6 access-list fdry
BigIron RX(config-ipv6-access-list fdry)# permit tcp any any match-all +ack +syn
BigIron RX(config-ipv6-access-list fdry)# permit tcp any any match-any -urg +syn -psh
BigIron RX(config-ipv6-access-list fdry)# end
Adding a comment to an IPv6 ACL entry
You can optionally add a comment to describe entries in an IPv6 ACL. The comment appears in the output of show commands that display ACL information.
BigIron RX# show running-config
ipv6 access-list rtr
 remark This entry permits ipv6 packets from 3002::2 to any destination
 permit ipv6 host 3000::2 any
 remark This entry denies udp packets from any source to any destination
 deny udp any any
 remark This entry denies IPv6 packets from any source to any destination
 deny ipv6 any any
Syntax: show running-config
The following example shows the comment text for the ACL named "rtr" in a show ipv6 access-list display.
Chapter 48 Configuring OSPF Version 3
OSPF version 3
Open Shortest Path First (OSPF) is a link-state routing protocol. OSPF uses link-state advertisements (LSAs) to update neighboring routers about its interfaces and information on those interfaces. The switch floods LSAs to all neighboring routers to update them about the interfaces. Each router maintains an identical database that describes its area topology to help a router determine the shortest path between it and any neighboring router.
• Interarea-prefix LSAs for ABRs (Type 3)
• Interarea-router LSAs for ASBRs (Type 4)
• Autonomous system external LSAs (Type 5)
• Link LSAs (Type 8)
• Intra-area prefix LSAs (Type 9)
For more information about these LSAs, refer to RFC 2740.
Configuring OSPFv3
To configure OSPFv3, you must do the following:
• Enable OSPFv3 globally.
• Assign OSPF areas.
• Assign router interfaces to an OSPF area.
After you enter this command, the Brocade device enters the IPv6 OSPF configuration level, where you can access several commands that allow you to configure OSPFv3.
Syntax: [no] ipv6 router ospf
To disable OSPFv3, enter the no form of this command. If you disable OSPFv3, the Brocade device removes all the configuration information for the disabled protocol from the running-config.
Assigning a totally stubby area
By default, the Brocade device sends summary LSAs (LSA type 3) into stub areas. You can further reduce the number of LSAs sent into a stub area by configuring the Brocade device to stop sending summary LSAs into the area. You can disable the summary LSAs when you are configuring the stub area or later after you have configured the area.
Configuring virtual links
All ABRs must have either a direct or indirect link to an OSPF backbone area (0.0.0.0 or 0). If an ABR does not have a physical link to a backbone area, you can configure a virtual link from the ABR to another router within the same area that has a physical connection to the backbone area.
BigIron RX(config-ospf6-router)# virtual-link-if-address interface ethernet 3/1
To specify the global IPv6 address assigned to tunnel interface 1 on ABR2 as the source address for the virtual link on ABR2, enter the following command on ABR2.
Changing the reference bandwidth for the cost on OSPFv3 interfaces
Each interface on which OSPFv3 is enabled has a cost associated with it. The Brocade device advertises its interfaces and their costs to OSPFv3 neighbors. For example, if an interface has an OSPF cost of ten, the Brocade device advertises the interface with a cost of ten to other OSPF routers. By default, an interface’s OSPF cost is based on the port speed of the interface.
• 1000 Mbps port’s cost = 500/1000 = 0.5, which is rounded up to 1
• 155 Mbps port’s cost = 500/155 = 3.23, which is rounded up to 4
• 622 Mbps port’s cost = 500/622 = 0.80, which is rounded up to 1
• 2488 Mbps port’s cost = 500/2488 = 0.20, which is rounded up to 1
The costs for 10 Mbps, 100 Mbps, and 155 Mbps ports change as a result of the changed reference bandwidth. Costs for higher-speed interfaces remain the same.
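The cost rule the list above applies by hand (reference bandwidth divided by port speed, rounded up, never below 1) is short enough to write down and check against the page’s figures. The following is an added example, not Brocade code. Its function names are its own; the default reference bandwidth of 100 Mbps is an assumption, chosen because it reproduces the page’s statement that only the 10, 100 and 155 Mbps costs change when the reference is raised to 500.

```python
"""Added example, not Brocade code: OSPF interface cost from reference
bandwidth and port speed, and which ports change cost when the reference
bandwidth is changed."""
import math

DEFAULT_REFERENCE_BW_MBPS = 100   # assumed default reference bandwidth
COMMON_SPEEDS = (10, 100, 155, 622, 1000, 2488, 10000)

def ospf_cost(reference_bw_mbps: int, port_speed_mbps: int) -> int:
    """Cost = reference bandwidth / port speed, rounded up to an integer, minimum 1."""
    return max(1, math.ceil(reference_bw_mbps / port_speed_mbps))

def cost_table(reference_bw_mbps: int, speeds=COMMON_SPEEDS) -> dict:
    """Advertised cost for each port speed under one reference bandwidth."""
    return {speed: ospf_cost(reference_bw_mbps, speed) for speed in speeds}

def speeds_whose_cost_changes(old_ref: int, new_ref: int, speeds=COMMON_SPEEDS) -> list:
    """Port speeds whose advertised cost differs between two reference bandwidths.
    Every interface at one of these speeds is re-advertised after the change."""
    return [s for s in speeds if ospf_cost(old_ref, s) != ospf_cost(new_ref, s)]

if __name__ == "__main__":
    print("costs with reference 500:", cost_table(500))
    print("speeds whose cost changes 100 -> 500:",
          speeds_whose_cost_changes(DEFAULT_REFERENCE_BW_MBPS, 500))
```

Because the reference bandwidth is a per-router setting, routers in one area that disagree on it will advertise different costs for identical links, which silently shifts traffic; speeds_whose_cost_changes() lists exactly the interfaces whose advertisements will change, so the same value can be rolled out to every router in the area together.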
The level-1 | level-1-2 | level-2 keywords (for IPv6 IS-IS only) allow you to specify that the Brocade device redistributes level-1 routes only, level-2 routes only, or both level-1 and level-2 routes. The metric parameter specifies the metric used for the redistributed route.
• set metric-type type-1 | type-2
• set tag
NOTE
You must configure the route map before you configure a redistribution filter that uses the route map.
NOTE
When you use a route map for route redistribution, the software disregards the permit or deny action of the route map.
BigIron RX(config-ospf6-router)# metric-type type1
Syntax: [no] metric-type type1 | type2
To restore the metric type to the default value, use the no form of this command.
Configuring external route summarization
When the Brocade device is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to advertise one external route as an aggregate for all redistributed routes that are covered by a specified IPv6 address range.
You must specify the parameter as a decimal value. A slash mark (/) must follow the parameter and precede the parameter.
Filtering OSPFv3 routes
You can filter the routes to be placed in the OSPFv3 route table by configuring distribution lists. OSPFv3 distribution lists can be applied globally or to an interface. The functionality of OSPFv3 distribution lists is similar to that of OSPFv2 distribution lists.
BigIron RX(config)# ipv6 router ospf
BigIron RX(config-ospf6-router)# distribute-list prefix-list filterOspfRoutes in
Syntax: [no] distribute-list prefix-list in []
After this distribution list is configured, route 3010::/64 would be omitted from the OSPFv3 route table:
BigIron RX# show ipv6 ospf route
Current Route count: 4
  Intra: 3 Inter: 0 External: 1 (Type1 0/Type2 1)
  Equal-cost multi-path: 0
  Destination  Options  Area  Next Hop Router  Outgoing Interface
*IA 300
Configuring an OSPFv3 distribution list using a route map as input
The following commands configure a route map that matches internal routes.
BigIron RX(config)# route-map allowInternalRoutes permit 10
BigIron RX(config-routemap allowInternalRoutes)# match route-type internal
Refer to Chapter 22, “Policy-Based Routing” for information on configuring route maps.
For example, to create and advertise a default route with a metric of 2 and as a type 1 external route, enter the following command.
BigIron RX(config-ospf6-router)# default-information-originate always metric 2 metric-type type1
Syntax: [no] default-information-originate [always] [metric ] [metric-type ]
The always keyword originates a default route regardless of whether the device has learned a default route. This option is disabled by default.
BigIron RX(config-ospf6-router)# timers spf 10 20
Syntax: timers spf
For the and parameters, specify a value from 0 – 65535 seconds. To set the timers back to their default values, enter the no version of this command.
Modifying administrative distance
The Brocade device can learn about networks from various protocols, including BGP4+, IPv6 IS-IS, RIPng, and OSPFv3.
To reset the administrative distance of a route type to its system default, enter the no form of this command.
Configuring the OSPFv3 LSA pacing interval
The Brocade device paces OSPFv3 LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA’s refresh timer expires. The accumulated LSAs constitute a group, which the Brocade device refreshes and sends out together in one or more packets.
For example, to change the maximum number of entries from the default of 2000 to 3000, enter the following command.
BigIron RX(config-ospf6-router)# external-lsdb-limit 3000
Syntax: ipv6 ospf area |
The parameter can be a numerical value from 500 – 8000 seconds.
To reset the maximum number of entries to its system default, enter the no form of this command.
Modifying OSPFv3 interface defaults
OSPFv3 has interface parameters that you can configure.
• Transmit-delay: The time it takes to transmit Link State Update packets on this interface. The command syntax is ipv6 ospf transmit-delay . The value can be from 0 – 3600 seconds. The default is 1 second.
Disabling or reenabling event logging
OSPFv3 does not currently support the generation of SNMP traps. Instead, you can disable or re-enable the logging of OSPFv3-related events such as neighbor state changes and database overflow conditions.
BigIron RX# show ipv6 ospf area
Area 0:
  Interface attached to this area: loopback 2 ethe 3/2 tunnel 2
  Number of Area scoped LSAs is 6
  Statistics of Area 0:
    SPF algorithm executed 16 times
    SPF last updated: 335256 sec ago
    Current SPF node count: 3
      Router: 2 Network: 1
    Maximum of Hop count to nodes: 2
...
Syntax: show ipv6 ospf area []
You can specify the parameter in the following formats:
• As an IPv4 address, for example, 192.168.1.
BigIron RX# show ipv6 ospf database
Area ID  Type  LS ID     Adv Rtr
0        Link  000001e6  223.223.223.223
0        Link  000000d8  1.1.1.1
0        Link  00000185  223.223.223.223
0        Iap   00000077  223.223.223.223
0        Rtr   00000124  223.223.223.223
0        Net   00000016  223.223.223.223
0        Iap   000001d1  223.223.223.223
0        Iap   000000c3  1.1.1.1
0        Rtr   00000170  1.1.1.1
N/A      Extn  00000062  223.223.223.223
N/A      Extn  0000021d  223.223.223.
TABLE 208 OSPFv3 database summary fields (Continued)
This field... Displays...
Seq(Hex)  The sequence number of the LSA. The OSPF neighbor that sent the LSA stamps it with a sequence number to enable the Brocade device and other OSPF routers to determine which LSA for a given route is the most recent.
Age  The age of the LSA, in seconds.
Chksum  A checksum for the LSA packet. The checksum is based on all the fields in the packet except the age field.
BigIron RX# show ipv6 ospf database extensive
Area ID  Type  LS ID     Adv Rtr  Seq(Hex)  Age
0        Link  00000031  1.1.1.1  80000001  35
  Router Priority: 1
  Options: V6E---R-
  LinkLocal Address: fe80::1
  Number of Prefix: 1
  Prefix Options:
  Prefix: 3002::/64
...
Area ID  Type  LS ID     Adv Rtr          Seq(Hex)  Age
0        Iap   00000159  223.223.223.223  800000ab  357
  Number of Prefix: 2
  Referenced LS Type: Network
  Referenced LS ID: 00000159
  Referenced Advertising Router: 223.223.223.
TABLE 209 OSPFv3 detailed database information fields
This field... Displays...
Router LSA (Type 1) (Rtr) fields
Capability Bits  A bit that indicates the capability of the Brocade device. The bit can be set to one of the following:
• B – The device is an area border router.
• E – The device is an AS boundary router.
• V – The device is a virtual link endpoint.
• W – The device is a wildcard multicast receiver.
TABLE 209 OSPFv3 detailed database information fields (Continued)
This field... Displays...
Network LSA (Type 2) (Net) fields
Options  A 24-bit field that enables IPv6 OSPF routers to support the optional capabilities. When set, the following bits indicate the following:
• V6 – The device should be included in IPv6 routing calculations.
• E – The device floods AS-external-LSAs as described in RFC 2740.
• MC – The device forwards multicast packets as described in RFC 1586.
TABLE 209 OSPFv3 detailed database information fields (Continued)
This field... Displays...
Prefix Options  An 8-bit field of capabilities that serve as input to various routing calculations:
• NU – The prefix is excluded from IPv6 unicast calculations.
• LA – The prefix is an IPv6 interface address of the advertising router.
• MC – The prefix is included in IPv6 multicast routing calculations.
• P – NSSA area prefixes are readvertised at the NSSA area border.
Prefix
TABLE 210 Summary of OSPFv3 interface information
This field... Displays...
Interface  The interface type, and the port number or number of the interface.
OSPF  The state of OSPFv3 on the interface. Possible states include the following:
• Enabled.
• Disabled.
Status  The status of the link. Possible status include the following:
• Up.
• Down.
State  The state of the interface.
Area
TABLE 211 Detailed OSPFv3 interface information
This field... Displays...
Interface status  The status of the interface. Possible status includes the following:
• Up.
• Down.
Type  The type of OSPFv3 circuit running on the interface. Possible types include the following:
• BROADCAST
• POINT TO POINT
• UNKNOWN
IPv6 Address  The IPv6 address(es) assigned to the interface.
Instance ID  An identifier for an instance of OSPFv3.
Router ID  The IPv4 address of the Brocade device.
TABLE 211 Detailed OSPFv3 interface information (Continued)
This field... Displays...
Neighbor  The router ID (IPv4 address) of the neighbor. This field also identifies the neighbor as a DR or BDR, if appropriate.
Interface statistics  The following statistics are provided for the interface:
• Unknown – The number of Unknown packets transmitted and received by the interface. Also, the total number of bytes associated with transmitted and received Unknown packets.
This display shows the following information.
TABLE 212 OSPFv3 memory usage information
This field... Displays...
Total Static Memory Allocated  A summary of the amount of static memory allocated, in bytes, to OSPFv3.
Total Dynamic Memory Allocated  A summary of the amount of dynamic memory allocated, in bytes, to OSPFv3.
Memory Type  The type of memory used by OSPFv3. (This information is for use by Brocade’s technical support in case of a problem.
TABLE 213 Summary of OSPFv3 neighbor information (Continued)
Field  Description
BDR  The router ID (IPv4 address) of the BDR.
Interface [State]  The interface through which the router is connected to the neighbor. The state of the interface can be one of the following:
• DR – The interface is functioning as the Designated Router for OSPFv3.
• BDR – The interface is functioning as the Backup Designated Router for OSPFv3.
TABLE 214 Detailed OSPFv3 neighbor information (Continued)
Field  Description
DbDesc bit...  The Database Description packet, which includes 3 bits of information:
• The first bit can be “i” or “-”. “i” indicates the inet bit is set. “-” indicates the inet bit is not set.
• The second bit can be “m” or “-”. “m” indicates the more bit is set. “-” indicates the more bit is not set.
• The third bit can be “m” or “s”. An “m” indicates the master. An “s” indicates standby.
BigIron RX# show ipv6 ospf redistribute route
Id  Prefix          Protocol  Metric Type  Metric
1   2002::/16       Static    Type-2       1
2   2002:1234::/32  Static    Type-2       1
Syntax: show ipv6 ospf redistribute route []
The parameter specifies an IPv6 network prefix. (You do not need to specify the length of the prefix.
BigIron RX# show ipv6 ospf routes
Current Route count: 4
  Intra: 4 Inter: 0 External: 0 (Type1 0/Type2 0)
  Equal-cost multi-path: 0
    Destination           Options    Area     Next Hop Router  Outgoing Interface
*IA 2000:4::/64           V6E---R--  0.0.0.0  ::               ethe 3/2
*IA 2002:c0a8:46a::/64    V6E---R--  0.0.0.0  ::               ethe 3/2
*IA 2999::1/128           ---------  0.0.0.0  ::               loopback 2
*IA 2999::2/128           V6E---R--  0.0.0.
TABLE 216 OSPFv3 route information (Continued)
This field... Displays...
Options  A 24-bit field that enables IPv6 OSPF routers to support the optional capabilities. When set, the following bits indicate the following:
• V6 – The device should be included in IPv6 routing calculations.
• E – The device floods AS-external-LSAs as described in RFC 2740.
• MC – The device forwards multicast packets as described in RFC 1586.
• As an IPv4 address; for example, 192.168.1.1
• As a numerical value from 0 – 2,147,483,647
This display shows the following information.
TABLE 217 OSPFv3 SPF node information
This field... Displays...
SPF node  Each SPF node is identified by its router ID (IPv4 address). If the node is a child node, it is additionally identified by an interface on which the node can be reached appended to the router ID in the format :.
TABLE 218 OSPFv3 SPF Table
This field... Displays...
Destination  The destination of a route, which is identified by the following:
• “R”, which indicates the destination is a router.
• “N”, which indicates the destination is a network.
• An SPF node’s router ID (IPv4 address). If the node is a child node, it is additionally identified by an interface on which the node can be reached appended to the router ID in the format :.
Displaying IPv6 OSPF virtual link information
To display OSPFv3 virtual link information for the Brocade device, enter the following command at any level of the CLI.
BigIron RX# show ipv6 ospf virtual-link
Index  Transit Area ID  Router ID  Interface Address  State
1      1                1.1.1.1    3003::2            P2P
Syntax: show ipv6 ospf virtual-link
This display shows the following information.
TABLE 219 OSPFv3 virtual link information
This field... Displays...
TABLE 220 OSPFv3 virtual neighbor information (Continued)
This field... Displays...
State  The state between the Brocade device and the virtual neighbor. The state can be one of the following:
• Down
• Attempt
• Init
• 2-Way
• ExStart
• Exchange
• Loading
• Full
Interface  The IPv6 address of the virtual neighbor.
Chapter 49 Configuring IPv6 Multicast Features
IPv6 PIM sparse
This chapter presents the multicast features available for IPv6 routers. The BigIron RX supports IPv6 Protocol Independent Multicast (PIM) Sparse. IPv6 PIM Sparse provides multicasting that is especially suitable for widely distributed multicast environments.
• BSR – The Bootstrap Router (BSR) distributes RP information to the other PIM Sparse routers within the domain. Each PIM Sparse domain has one active BSR. For redundancy, you can configure ports on multiple routers as candidate BSRs. The PIM Sparse protocol uses an election process to select one of the candidate BSRs as the BSR for the domain. The BSR with the highest BSR priority (a user-configurable parameter) is elected.
• Configure an IPv6 address on the interface
• Enable IPv6 PIM Sparse
• Identify the interface as an IPv6 PIM Sparse border, if applicable
NOTE
You cannot configure a Brocade routing interface as a PMBR interface for PIM Sparse in the current software release.
• Configure the following PIM Sparse global parameters:
  • Identify the BigIron RX as a candidate PIM Sparse Bootstrap Router (BSR), if applicable.
Configuring BSRs
In addition to the global and interface parameters in the sections above, you need to identify an interface on at least one BigIron RX as a candidate PIM Sparse Bootstrap router (BSR) and candidate PIM Sparse Rendezvous Point (RP).
NOTE
It is possible to configure the BigIron RX as only a candidate BSR or RP, but Brocade recommends that you configure the same interface on the same BigIron RX as both a BSR and an RP.
BigIron RX(config)#ipv6 router pim
BigIron RX(config-ipv6-pim-router)# rp-candidate ethernet 2/2
Syntax: [no] rp-candidate ethernet / | loopback | ve | pos /
The ethernet / | loopback | ve parameter specifies the interface. The device will advertise the specified interface’s IP address as a candidate RP.
• Enter ethernet / for a physical interface (port).
• Enter ve for a virtual interface.
ACL-based RP assignment
The rp-address command allows multiple static RP configurations. For each static RP, an ACL can be given as an option to define the multicast address ranges that the static RP is permitted or denied to serve. A static RP configured without an ACL name serves the range ff00::/8 by default. If an ACL name is given but the ACL is not defined, the static RP is set to inactive mode and does not cover any multicast group ranges.
BigIron RX(config-ipv6-pim-router)#sho ipv6 pim rp-map
Static RP and associated group ranges
-------------------------------------
Static RP count: 1
2000::16
Number of group prefixes Learnt from BSR: 1
Group prefix = ff00::/8  # RPs: 3
  RP 1: 2000::8 priority=0 age=30
  RP 2: 2000::4 priority=0 age=50
  RP 3: 2000::16 priority=0 age=20
Syntax: show ipv6 pim rp-set
Updating IPv6 PIM-sparse forwarding entries with new RP configuration
If you make changes to your static RP configuration, the en
• Shortest Path – Each IPv6 PIM Sparse router that is a DR for an IPv6 receiver calculates a shortest path tree (SPT) towards the source of the IPv6 multicast traffic. The first time a BigIron RX that is configured as an IPv6 PIM router receives a packet for an IPv6 group, it sends the packet to the RP for that group, which in turn forwards it to all the intended DRs that have registered with the RP.
Syntax: [no] message-interval
The parameter specifies the number of seconds and can be from 1 – 65535. The default is 60 seconds.
Setting the inactivity timer
The router deletes a forwarding entry if the entry is not used to send multicast packets. The IPv6 PIM inactivity timer defines how long a forwarding entry can remain unused before the router deletes it. To apply an IPv6 PIM inactivity timer of 160 seconds to all IPv6 PIM interfaces, enter the following.
Syntax: [no] ssm-enable
Displaying IPv6 PIM-sparse configuration information
To display IPv6 PIM Sparse configuration information, use the show ipv6 pim sparse command as described in “Displaying IPv6 PIM-sparse configuration information” on page 1238.
BigIron RX#show ipv6 pim sparse
Global PIM Sparse Mode Settings
  Hello interval : 30
  Bootstrap Msg interval: 60
  Join/Prune interval : 60
  SSM Enabled: Yes
  SSM Group Range: ff30::/12
  Hardware Drop Enabled : Yes
  Neighbor timeout : 105
  Candidate-RP Advertisement interval: 60
  SPT Threshold : 1
Syntax: show ipv6 pim sparse
Displaying PIM sparse configuration information and statistics
You can display the following PIM Sparse information:
• Basic PIM Sparse configurat
This field... Displays...
Global PIM sparse mode settings
Hello interval  How frequently the device sends IPv6 PIM Sparse hello messages to its IPv6 PIM Sparse neighbors. This field shows the number of seconds between hello messages. IPv6 PIM Sparse routers use hello messages to discover one another.
BigIron RX# show ipv6 pim
Interface v30
  PIM Version : V2  MODE : PIM SM  TTL Threshold: 1, Enabled
  DR: fe80::20c:dbff:fef6:a00 on e3/2
  Link Local Address: fe80::20c:dbff:fef5:e900
  Global Address: 1e1e::4
Interface v167
  PIM Version : V2  MODE : PIM SM  TTL Threshold: 1, Enabled
  DR: itself
  Link Local Address: fe80::20c:dbff:fef5:e900
  Global Address: a7a7::1
Interface l1
  PIM Version : V2  MODE : PIM SM  TTL Threshold: 1, Enabled
  DR: itself
  Link Local Address: fe80::20c:dbff:fef5:e900
  Global Addr
group prefixes: ff00:: / 8
Candidate-RP-advertisement period: 60
BigIron RX#
This example shows information displayed on a device that has been elected as the BSR. The following example shows information displayed on a device that is not the BSR. Notice that some fields shown in the example above do not appear in the example below.
BigIron RX>show ipv6 pim bsr
PIMv2 Bootstrap information
BSR address = 2001:3e8:255:255::17
BSR priority = 0
BigIron RX>
Syntax: show ipv6 pim bsr
BigIron RX# show ipv6 pim rp-candidate
Next Candidate-RP-advertisement in 00:00:10
RP: 1be::11:21
group prefixes: ff00:: / 8
Candidate-RP-advertisement period: 60
This example shows information displayed on a device that is a candidate RP. The following example shows the message displayed on a device that is not a candidate RP.
BigIron RX# show ipv6 pim rp-candidate
This system is not a Candidate-RP.
Syntax: show ipv6 pim rp-candidate
This display shows the following information.
Displaying RP information for a PIM sparse group
To display RP information for a PIM Sparse group, enter the following command at any CLI level.
BigIron RX#show ipv6 pim rp-hash ff1e::1:2
RP: 2001:3e8:255:255::17, v2
Info source: 2001:3e8:255:255::17, via bootstrap
BigIron RX#
Syntax: show ipv6 pim rp-hash
The parameter is the address of an IPv6 PIM Sparse IP multicast group.
This display shows the following information.
This field... Displays...
This field... Displays...
priority  The RP priority of the candidate RP. During the election process, the candidate RP with the highest priority is elected as the RP.
age  The age (in seconds) of this RP-set.
NOTE: If this device is not a BSR, this field contains zero. Only the BSR ages the RP-set.
Displaying multicast neighbor information
To display information about the device’s IPv6 PIM neighbors, enter the following command at any CLI level.
BigIron RX# show ipv6 pim mcache
Total 4 entries
Free mll entries: 766
1 (*, ff7e:140:2001:3e8:16:0:1:2) RP2001:3e8:16::1 in NIL, cnt=0
  Sparse Mode, RPT=1 SPT=0 Reg=0
  No upstream neighbor because RP 2001:3e8:16::1 is itself
  num_oifs = 1
  v312 L3 (SW) 1: e3/15(VL312)
  Flags fast=1 slow=0 leaf=0 prun=0 frag=0 tag=0 needRte=0 age=0
  fid: 0405, mvid 1
2 (2001:3e8:0:170::101, ff7e:140:2001:3e8:16:0:1:2) in v23 (e3/23), cnt=2
  Sparse Mode, RPT=0 SPT=1 Reg=0
  upstream neighbor=fe80::45:0:160:4
  num_
49 Multicast Listener Discovery and source specific multicast protocols (MLDv2)

TABLE 221 Output of show ipv6 pim resource (Continued)
This field... Displays...
allo-fail  Number of node allocations that failed.
up-limit   Maximum number of nodes that can be allocated for a data structure. This may or may not be configurable, depending on the data structure.

Displaying PIM traffic statistics

To display IPv6 PIM traffic statistics, enter the following command at any CLI level.
The IPv6 switch stores a list of multicast addresses for each attached link. For each multicast address, the IPv6 switch stores a filter mode and a source list. The filter mode is set to INCLUDE if all nodes in the source list for a multicast address are in the INCLUDE state. If the filter mode is INCLUDE, then only traffic from the addresses in the source list is allowed.
Enabling MLDv2

MLDv1 is enabled once PIM Sparse (PIM-SM) is enabled on an interface. You then enable version 2 of MLD, the version that supports source filtering. MLDv2 interoperates with MLDv1: MLDv1 messages are understood by an MLDv2 router. When an IPv6 router detects that a node is operating in MLDv1 mode, the router falls back to MLDv1 for that node even though its queries are sent in MLDv2.

To enable PIM-SM, do the following.
1.
Setting the maximum response time

You can define the maximum amount of time a multicast listener has to respond to queries by entering a command such as the following.

BigIron RX(config)# ipv6 mld max-response-time 5

Syntax: ipv6 mld max-response-time <seconds>

Specify 1 – 64 for <seconds>. The default is 5 seconds.
Syntax: ipv6 mld version <version>

Enter 1 or 2 for <version>. The default is version 2.

Specifying a port version

At the interface level, you can specify the MLD version for a physical port within a virtual interface. You can set the version by entering a command such as the following at the interface level.
BigIron RX# show ipv6 mld group
Interface e6/18 has 11 groups
    group        phy-port  static  querier  life  mode
 1  ff33::6:b:1  e6/18     no      yes      0
 2  ff33::6:a:1  e6/18     no      yes      0
 3  ff33::6:9:1  e6/18     no      yes      0
 4  ff33::6:8:1  e6/18     no      yes      0
 5  ff33::6:7:1  e6/18     no      yes      0
 6  ff33::6:6:1  e6/18     no      yes      0
 7  ff33::6:5:1  e6/18     no      yes      0
 8  ff33::6:4:1  e6/18     no      yes      0
 9  ff33::6:3:1  e6/18     no      yes      0
10  ff33::6:2:1  e6/18     no      yes      0
11  ff33::6:1:1  e6/18     no      yes      0
This field... Displays...
version         Version of MLD being used.
query int       Query interval in seconds.
max resp time   Number of seconds multicast listeners have to respond to queries.
group mem time  Number of seconds a listener's membership in a group is kept before it ages out.
This field  Displays
Leave  Number of MLDv1 “leave” messages on the interface. (See 2_EX for MLDv2.)
Is_IN  Number of source addresses that were included in the traffic.
Is_EX  Number of source addresses that were excluded in the traffic.
2_IN   Number of times the interface mode changed from exclude to include.
2_EX   Number of times the interface mode changed from include to exclude.
Enabling the embedded RP

The following command may be used to enable the embedded RP feature.
Chapter 50 Configuring IPv6 Routes

Configuring a static IPv6 route

This chapter describes how to configure a static IPv6 route. A static IPv6 route is a manually configured route that creates a path between two IPv6 routers. It is similar to a static IPv4 route. Static IPv6 routes have advantages and disadvantages; for example, a static IPv6 route does not generate updates, which reduces processing time on an IPv6 router.
TABLE 222 Static IPv6 route parameters
Parameter  Configuration details  Status
<ipv6-prefix>/<prefix-length>  The IPv6 prefix and prefix length of the route’s destination network. You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.
Configuring an IPv6 multicast route

IPv6 multicast routes allow you to control the network path used by multicast traffic. Static multicast routes are especially useful when the unicast and multicast topologies of a network differ: instead of making the topologies match, you configure static multicast routes.

NOTE: This feature is not supported for DVMRP.

You can configure more than one static IPv6 multicast route.
BigIron RX(config)# ipv6 mroute 12.7.1.0 255.255.255.0 17.3.1.2

Syntax: [no] ipv6 mroute <ip-addr> <ip-mask> [ | ethernet | ve | null0] [] [distance <num>]

The <ip-addr> and <ip-mask> parameters specify the PIM source for the route. The ethernet parameter specifies a physical port. The ve parameter specifies a virtual interface. The null0 parameter is the same as dropping the traffic. Note that the example as printed gives the source and next hop in IPv4 dotted-decimal notation; check the address format against your release before copying it into an IPv6 configuration.
Appendix A Using Syslog

This appendix describes how to display Syslog messages and how to configure the Syslog facility, and lists the Syslog messages that a BigIron RX can display during standard operation.

NOTE: This appendix does not list Syslog messages that can be displayed when a debug option is enabled.
Displaying Syslog messages

BigIron RX> show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning

Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed

Dynamic Log Buffer (50 entries):
Dec 15 18:46:17:I:Interface ethernet 1/4, state up
Dec 15 18:45:21:I:Bridge topology change, vlan 4095, interface 4, changed
Here is an example of how the Syslog messages are displayed.

telnet@BigIron RX# terminal monitor
Syslog trace was turned ON
SYSLOG: <9>BigIron RX, Power supply 2, power supply on left connector, failed
SYSLOG: <14>BigIron RX, Interface ethernet 1/6, state down
SYSLOG: <14>BigIron RX, Interface ethernet 1/2, state up

Configuring the Syslog service

The procedures in this section describe how to perform the following Syslog configuration tasks:
• Specify a Syslog server.
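The value in angle brackets on each SYSLOG: line above is the RFC 3164 priority, facility × 8 + severity: <9> is facility 1 with severity 1 (alert) and <14> is facility 1 with severity 6 (informational), which is why the same events carry the A and I level codes in the show logging buffer. The following Python script is an added example written for this page, not code from the guide or from Brocade. It decodes that field on lines captured from terminal monitor and keeps only the entries worth acting on. The facility names are the standard RFC 3164 ones, which is an assumption about how the device numbers them; the sample lines are constructed from the example above plus one non-syslog console line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 3164 severity numbers mapped to the one-letter level codes that the
# BigIron RX "show logging" output uses (A=alert ... W=warning).
SEVERITY_CODE = {0: "M", 1: "A", 2: "C", 3: "E", 4: "W", 5: "N", 6: "I", 7: "D"}
SEVERITY_NAME = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                 4: "warning", 5: "notification", 6: "informational", 7: "debugging"}
# Assumption: the device uses the standard RFC 3164 facility numbering.
FACILITY_NAME = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                 6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                 16: "local0", 17: "local1", 18: "local2", 19: "local3",
                 20: "local4", 21: "local5", 22: "local6", 23: "local7"}

# Shape of a "terminal monitor" line on this page: SYSLOG: <PRI>hostname, message
_LINE = re.compile(r"^SYSLOG:\s*<(\d{1,3})>([^,]+),\s*(.*)$")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    host: str
    message: str

    @property
    def level_code(self) -> str:
        return SEVERITY_CODE[self.severity]


def decode_line(line: str) -> Optional[SyslogEvent]:
    """Split one SYSLOG: <PRI> line into facility, severity, host and text.
    PRI = facility * 8 + severity (RFC 3164). Returns None for lines that do
    not match (or carry an impossible PRI) so a capture loop can skip them."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 23 * 8 + 7 is the largest legal PRI
        return None
    return SyslogEvent(pri // 8, pri % 8, m.group(2).strip(), m.group(3).strip())


def actionable(events: List[SyslogEvent], max_severity: int = 2) -> List[SyslogEvent]:
    """Keep events at severity <= max_severity (emergency, alert, critical by
    default): the ones to page on, as opposed to link up/down chatter."""
    return [e for e in events if e.severity <= max_severity]


# Constructed sample: the three lines from the terminal monitor example above,
# plus the non-syslog line the CLI prints when monitoring is switched on.
SAMPLE = """\
Syslog trace was turned ON
SYSLOG: <9>BigIron RX, Power supply 2, power supply on left connector, failed
SYSLOG: <14>BigIron RX, Interface ethernet 1/6, state down
SYSLOG: <14>BigIron RX, Interface ethernet 1/2, state up
"""


def parse_sample(text: str = SAMPLE) -> List[SyslogEvent]:
    return [e for e in (decode_line(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    for ev in parse_sample():
        print(f"{ev.level_code} {SEVERITY_NAME[ev.severity]:<13} "
              f"{FACILITY_NAME.get(ev.facility, str(ev.facility))} {ev.host}: {ev.message}")
    print("actionable:", [e.message for e in actionable(parse_sample())])
```

Run it against a file captured from the console session and the power supply failure is the only line that survives the actionable() filter; the facility table is the place to adjust if the device has been configured to log to one of the local0 to local7 facilities listed later in this appendix.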
TABLE 223 CLI display of Syslog buffer configuration
This field... Displays...
Syslog logging    The state (enabled or disabled) of the Syslog buffer.
messages dropped  The number of Syslog messages dropped due to user-configured filters. By default, the software logs messages for all Syslog levels. You can disable individual Syslog levels, in which case the software filters out messages at those levels. Refer to “Disabling logging of a message level” on page 1268.
BigIron RX(config)# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning

Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dec 15 19:00:14:A:Fan 2, fan on left connector, failed

Dynamic Log Buffer:
Dec 15 18:46:17:I:Interface ethernet 1/4, state up
Dec 15 18:45:21:I:Bri
• ss – seconds

For example, “Oct 15 17:38:03” means October 15 at 5:38 PM and 3 seconds.
BigIron RX(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 38 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning

Static Log Buffer:

Dynamic Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)
19d07h03m30s:warning:list 101 denied tcp 209.157.
For backward compatibility, the software reads the old command syntax from the startup configuration and converts it to the new command syntax in the running configuration.

Syntax: logging host |

Disabling logging of a message level

To change the message level, disable logging of specific message levels. You must disable the message levels one at a time.
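The ACL-denied entries in the show log output above (and the matching Warning row in Table 224 later in this appendix) carry enough structure to be parsed: ACL number, protocol, source and destination with ports, the ingress Ethernet port and source MAC, and an event count. The Python script below is an added example, not code from the guide or from Brocade. It parses Dynamic Log Buffer lines in both timestamp forms shown on this page (device uptime such as 21d07h02m40s and calendar time such as Dec 15 18:46:17), classifies the ACL as standard or extended using the 1 – 99 / 100 – 199 rule from Table 224, and totals denied events per flow and per ingress port. The sample entries are constructed: the first is the page's own line, the second is modelled on the line the extraction cut off, so its tail is made up, and the rest are invented to show aggregation.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Dynamic Log Buffer entry: <timestamp>:<level>:<message>. The timestamp is
# either device uptime (21d07h02m40s) or calendar time (Dec 15 18:46:17);
# the level is a word (warning) or a one-letter code (A, I, ...).
_ENTRY = re.compile(
    r"^(?P<ts>\d+d\d+h\d+m\d+s|[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
    r":(?P<level>[A-Za-z]+):(?P<msg>.*)$")

# ACL deny message, as in the buffer above:
# list <num> denied <proto> <src>(<sport>)(Ethernet <port> <mac>) -> <dst>(<dport>), <n> event(s)
_ACL_DENY = re.compile(
    r"^list (?P<acl>\d+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\w+)\)"
    r"\((?P<port>Ethernet \S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\w+)\), (?P<count>\d+) event")


@dataclass
class AclDeny:
    acl: int
    proto: str
    src: str
    sport: str
    in_port: str
    src_mac: str
    dst: str
    dport: str
    count: int

    @property
    def acl_kind(self) -> str:
        # Numbering rule from Table 224: 1-99 standard, 100-199 extended.
        if 1 <= self.acl <= 99:
            return "standard"
        if 100 <= self.acl <= 199:
            return "extended"
        return "unknown"


def parse_entry(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, level, message) or None for non-entry lines."""
    m = _ENTRY.match(line.strip())
    return (m.group("ts"), m.group("level"), m.group("msg")) if m else None


def parse_acl_deny(message: str) -> Optional[AclDeny]:
    m = _ACL_DENY.match(message)
    if not m:
        return None
    return AclDeny(int(m.group("acl")), m.group("proto"), m.group("src"), m.group("sport"),
                   m.group("port"), m.group("mac"), m.group("dst"), m.group("dport"),
                   int(m.group("count")))


def summarize(text: str) -> Tuple[Counter, Counter]:
    """Sum denied events per (source, destination, dport) and per ingress port:
    who is being dropped and where it enters the box."""
    by_flow, by_port = Counter(), Counter()
    for line in text.splitlines():
        entry = parse_entry(line)
        if not entry:
            continue
        deny = parse_acl_deny(entry[2])
        if deny:
            by_flow[(deny.src, deny.dst, deny.dport)] += deny.count
            by_port[deny.in_port] += deny.count
    return by_flow, by_port


# Constructed sample modelled on the show log output above.
SAMPLE = """\
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)
19d07h03m30s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 3 event(s)
19d07h03m31s:warning:list 101 denied udp 209.157.22.26(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(53), 2 event(s)
Dec 15 18:46:17:I:Interface ethernet 1/4, state up
"""

if __name__ == "__main__":
    flows, ports = summarize(SAMPLE)
    for (src, dst, dport), n in flows.most_common():
        print(f"{n:4d} denied  {src} -> {dst}({dport})")
    for port, n in ports.items():
        print(f"{n:4d} denied on {port}")
```

Because the device reports a count per entry rather than one line per packet, summing the count field rather than the number of lines is what gives a true picture of drop volume; feeding the output of show log (or a Syslog server's file) through summarize() is enough to spot a single source probing a host behind an extended ACL.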
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# nei 10.1.1.8 remote 10

Using the show log command, you would see a series of log records as shown in the following.
• sys14 – reserved for system use
• cron – cron/at subsystem
• local0 – reserved for local use
• local1 – reserved for local use
• local2 – reserved for local use
• local3 – reserved for local use
• local4 – reserved for local use
• local5 – reserved for local use
• local6 – reserved for local use
• local7 – reserved for local use

Displaying the interface name in Syslog messages

By default, an interface’s slot number (if applicable) and port number are displayed when you
Syslog messages

Table 224 lists all of the Syslog messages. The messages are listed by message level, in the following order:
• Emergencies (none)
• Alerts
• Critical
• Errors
• Warnings
• Notifications
• Informational
• Debugging

TABLE 224 Brocade Syslog messages
Message level  Message  Explanation
Alert  Power supply <num>, <location>, failed  A power supply has failed. The <num> is the power supply number. The <location> describes where the failed power supply is in the chassis.
Alert  OSPF LSA Overflow, LSA Type = <type>  Indicates an LSA database overflow. The <type> parameter indicates the type of LSA that experienced the overflow condition. The LSA type is one of the following:
  • 1 – Router
  • 2 – Network
  • 3 – Summary
  • 4 – ASBR Summary
  • 5 – External
Alert  ISIS MEMORY USE EXCEEDED  IS-IS is requesting more memory than is available.
Critical  Authentication shut down due to DOS attack  Denial of Service (DoS) attack protection was enabled for multi-device port authentication on the specified port, and the per-second rate of RADIUS authentication attempts on the port exceeded the configured limit. The device treats this as a DoS attack and disables the port.
Warning  list <num> denied <proto> <src-ip>(<src-port>)(Ethernet <port> <mac>) -> <dst-ip>(<dst-port>), 1 event(s)  Indicates that an Access Control List (ACL) denied (dropped) packets. The <num> indicates the ACL number. Numbers 1 – 99 indicate standard ACLs. Numbers 100 – 199 indicate extended ACLs.
Notification  Module was inserted to slot <slot-num>  Indicates that a module was inserted into a chassis slot. The <slot-num> is the number of the chassis slot into which the module was inserted.
Notification  Module was removed from slot <slot-num>  Indicates that a module was removed from a chassis slot. The <slot-num> is the number of the chassis slot from which the module was removed.
Notification  OSPF interface state changed, rid <router-id>, intf addr <ip-addr>, state <state>  Indicates that the state of an OSPF interface has changed. The <router-id> is the router ID of the device. The <ip-addr> is the interface’s IP address.
Notification  OSPF nbr state changed, rid <router-id>, nbr addr <nbr-ip-addr>, nbr rid <nbr-router-id>, state <state>  Indicates that the state of an OSPF neighbor has changed. The <router-id> is the router ID of the device. The <nbr-ip-addr> is the IP address of the neighbor. The <nbr-router-id> is the router ID of the neighbor.
Notification  OSPF intf config error, rid <router-id>, intf addr <ip-addr>, pkt src addr <src-ip-addr>, error type <error-type>, pkt type <pkt-type>  Indicates that an OSPF interface configuration error has occurred. The <router-id> is the router ID of the device. The <ip-addr> is the IP address of the interface on the device.
Notification  OSPF virtual intf config error, rid <router-id>, intf addr <ip-addr>, pkt src addr <src-ip-addr>, error type <error-type>, pkt type <pkt-type>  Indicates that an OSPF virtual routing interface configuration error has occurred. The <router-id> is the router ID of the device. The <ip-addr> is the IP address of the interface on the device.
Notification  OSPF intf authen failure, rid <router-id>, intf addr <ip-addr>, pkt src addr <src-ip-addr>, error type <error-type>, pkt type <pkt-type>  Indicates that an OSPF interface authentication failure has occurred. The <router-id> is the router ID of the device. The <ip-addr> is the IP address of the interface on the device.
Notification  OSPF virtual intf authen failure, rid <router-id>, intf addr <ip-addr>, pkt src addr <src-ip-addr>, error type <error-type>, pkt type <pkt-type>  Indicates that an OSPF virtual routing interface authentication failure has occurred. The <router-id> is the router ID of the device. The <ip-addr> is the IP address of the interface on the device.
Notification  OSPF virtual intf rcvd bad pkt, rid <router-id>, intf addr <ip-addr>, pkt src addr <src-ip-addr>, pkt type <pkt-type>  Indicates that an OSPF virtual routing interface received a bad packet. The <router-id> is the router ID of the device. The <ip-addr> is the IP address of the interface on the device.
Notification  OSPF virtual intf retransmit, rid <router-id>, intf addr <ip-addr>, nbr rid <nbr-router-id>, pkt type is <pkt-type>, LSA type <lsa-type>, LSA id <lsa-id>, LSA rid <lsa-router-id>  An OSPF virtual routing interface on the device has retransmitted a Link State Advertisement (LSA). The <router-id> is the router ID of the device. The <ip-addr> is the IP address of the interface on the device.
Notification  OSPF intf rcvd bad pkt: Bad Checksum, rid <router-id>, intf addr <ip-addr>, pkt size <size>, checksum <checksum>, pkt src addr <src-ip-addr>, pkt type <pkt-type>  The device received an OSPF packet that had an invalid checksum. The rid is the device’s router ID. The intf addr is the IP address of the Brocade interface that received the packet.
Notification  VRRP intf state changed, intf <port>, vrid <vrid>, state <state>  A state change has occurred in a Virtual Router Redundancy Protocol (VRRP) interface. The <port> is the port. The <vrid> is the virtual router ID (VRID) configured on the interface.
Notification  Local TCP exceeds <num> burst packets, stopping for <num> seconds!!  Threshold parameters for local TCP traffic on the device have been configured, and the maximum burst size for TCP packets has been exceeded. The first <num> is the maximum burst size (maximum number of packets allowed).
Notification  DOT1X issues software but not physical port up indication of Port <port> to other software applications  The device has indicated that the specified port has been authenticated, but the actual port may not be active.
Informational  Trunk group (<ports>) created by 802.3ad link-aggregation module.  802.3ad link aggregation is configured on the device, and the feature has dynamically created a trunk group (aggregate link). The <ports> is a list of the ports that were aggregated to make the trunk group.
Informational  vlan <vlan-id> Bridge is RootBridge (MgmtPriChg)  802.1W changed the current bridge to be the root bridge of the given topology due to an administrative change in bridge priority.
Informational  vlan <vlan-id> Bridge is RootBridge (MsgAgeExpiry)  The message age expired on the Root port, so 802.1W changed the current bridge to be the root bridge of the topology.
Informational  ACL added | deleted | modified from console | telnet | ssh | web | snmp session  A user created, modified, deleted, or applied an ACL through the Web, SNMP, console, SSH, or Telnet session.
Appendix B Software Specifications

This appendix lists the following information for the BigIron RX:
• IEEE compliance
• RFC support
• Internet draft support

IEEE compliance
• 802.3ae — 10-Gigabit Ethernet
• 802.3x — Flow Control
• 802.3ad — Link Aggregation
• 802.1Q — Virtual Bridged LANs
• 802.1D — MAC Bridges
• 802.1w — Rapid STP
• 802.1s — Multiple Spanning Trees
• 802.1X — User authentication
• 802.
RFC compliance
• 1269 — Managed Objects for BGP
• 1657 — Managed Objects for BGP-4 using SMIv2
• 3392 — Capabilities Advertisement with BGP-4
• 2385 — BGP Session Protection through TCP MD5
• 3682 — Generalized TTL Security Mechanism, for eBGP Session Protection

RFC compliance - OSPF
• 2178 — OSPF
• 1583 — OSPF v2
• 3103 — OSPF NSSA
• 1745 — OSPF Interactions
• 1765 — OSPF Database Overflow
• 1850 — OSPF Traps
• 2328 — OSPF v2
• 1850 — OSPF v2 MIB
• 2370 — OSPF Opaque LSA Option
• 3623 — Graceful OSP
• 3973 — PIM-DM
• 1075 — DVMRP v2
• 4541 — Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches
• DVMRP v3-07
• 2283 — MBGP

RFC compliance - general protocols
• 791 — IP
• 792 — ICMP
• 793 — TCP
• 783 — TFTP
• 826 — ARP
• 768 — UDP
• 894 — IP over Ethernet
• 903 — RARP
• 906 — TFTP Bootstrap
• 1027 — Proxy ARP
• 950 — Subnets
• 951 — BootP
• 1122 — Host Extensions for IP Multicasting
• 12
RFC compliance - management
• 1757 — RMON Groups Partial 1, full for 2, 3, 9
• 4251 — The Secure Shell (SSH) Protocol Architecture
• 2068 — HTTP
• 2030 — SNTP
• 2865 — RADIUS
• 2866 — RADIUS Accounting
• 2868 — RADIUS Attributes for Tunnel Protocol
• 2869 — RADIUS Extensions
• 3176 — sFlow
• 2578 — SNMPv2
• 2579 — Textual Conventions for SMIv2
• 3410 — SNMPv3
• 3411 — Architecture for SNMP
• 3412 — Message Processing and Dispatching for SNMP
• 3413 — Simple Network Mana
• 3513 — IPv6 Addressing Architecture
• 1981 — IPv6 Path MTU Discovery
• 3587 — IPv6 Global Unicast Address Format
• 2375 — IPv6 Multicast Address Assignments
• 2464 — Transmission of IPv6 over Ethernet Networks
• 2711 — IPv6 Router Alert Option
• 3596 — DNS support

RFC compliance - IPv6 routing
• 2080 — RIPng for IPv6
• 2740 — OSPFv3 for IPv6
• 2545 — Use of MP-BGP-4 for IPv6

RFC compliance - IPv6 multicast
• 3810 — Multicast Listener Discovery Version 2 for IPv6
• 4601 — PIM-
Internet drafts
• Draft-ietf-idr-route-filter
• Draft-holbrook-idmr-igmpv3-ssm — IGMPv3 & MLDv2 for SSM
• Draft-ietf-ssm-arch — SSM for IP
Appendix C NIAP-CCEVS Certification

Some Brocade devices have passed Common Criteria (CC) certification testing. This testing is sponsored by the National Information Assurance Partnership (NIAP) - Common Criteria Evaluation and Validation Scheme (CCEVS). For more information regarding the NIAP-CCEVS certification process, refer to the following link: http://www.niap-ccevs.org/.
Local user password changes

Note that if usernames and passwords have been configured on a Brocade device with specific privilege levels (super-user, read-only, port-config) and you change a user's password with the following syntax,

BigIron RX(config)# user brcdreadonly password

the privilege level of that user is changed from its current value to "super-user". A password change can therefore silently escalate a read-only or port-config account to full administrative rights. Confirm the user's privilege level after changing a password and before saving the configuration, and reapply the intended level if it has been reset.
Appendix D Commands That Require a Reload

Most CLI commands take effect as soon as you enter them. However, a small number of commands require a software reload to take effect. Table 227 lists the commands. To place a configuration change made by one of these commands into effect, you must save the change to the startup-config file, then reload the software. If you reload the software without saving the change to the startup-config file, the device does not make the change.
Appendix E Index to the CLI Commands

This appendix lists the CLI commands discussed in this configuration guide. Look for the CLI command alphabetically by feature. You can also use your browser’s search function to find the command you want. When you find the command, click on the link to display the section that discusses that command.

ACLs (IP)
Numbered ACL commands
ip access-group | in: see “Configuring standard numbered ACLs” on page 521; “Configuring extended numbered ACLs” on page 523; “Configuring standard or extended named ACLs” on page 531
ip access-group in ethernet [...
BGP4
show ip bgp flap-statistics [regular-expression | [longer-prefixes] | neighbor | filter-list ...: see “Displaying route flap dampening statistics” on page 839
snmp-server enable traps bgp: see “Generating traps for BGP” on page 806
timers keep-alive hold-time: see “Changing the keep alive time and hold time” on page 779
update-time: see “Changing the BGP4 next-hop update timer” on page 780

FDP/CDP
IP
show ip route summary: see “Displaying the IP route table” on page 226
show ip static-arp [ethernet | mac-address
IPv6 RIPng
show ipv6 rip route [/ | ]: see “Displaying RIPng routing table” on page 1107
timers: see “Configuring RIPng timers” on page 1102

IPv6 OSPFv3
MSTP
show mstp: see “Displaying MSTP statistics” on page 1041
show mstp [ | configuration | detail] [ | begin | exclude | include ] (enter an MSTP ID for the first parameter): see “Displaying MSTP statistics” on page 1041; “Displaying MSTP information for a specified instance” on page 1042; “Displaying MSTP information for CIST instance 0” on page 1043

Multicast (IP)
system-max dvmrp-mcache: see “Defining the maximum number of DVMRP cache entries” on page 574
system-max pim-mcache: see “Defining the maximum number of PIM cache entries” on page 574
trigger-interval <5-30>: see “Modifying trigger interval” on page 645

Multicast (L2)
Port parameters
show monitor config: see “Displaying mirror and monitor port configuration” on page 149
speed-duplex: see “Speed/Duplex negotiation” on page 140

Port-based routing
Security/Management
enable all | [to ]: see “Enabling 802.
Authentication method list
aaa authentication snmp-server | web-server | enable | login | dot1x default [] [] [] [] [] []: see “Examples of authentication-method lists” on page 115

Passwords
SSL
ip ssl port: see “Specifying a port for SSL communication” on page 83
ip ssl private-key-file tftp: see “Importing digital certificates and RSA private key files” on page 83
web-management https: see “Enabling the SSL server on the device” on page 83

TACACS and TACACS+
Telnet access
telnet server enable vlan: see “Restricting Telnet access to a specific VLAN” on page 70
telnet server suppress-reject-message: see “Suppressing Telnet connection rejection messages” on page 73
telnet-server: see “Disabling Telnet access” on page 71

TFTP access
tftp client enable vlan: see “Restricting TFTP access to a specific VLAN” on page 70

User account
DoS protection
ip tcp tcp-security: see “Disabling the TCP security enhancement” on page 981
show statistics dos-attack [| begin | exclude | include ]: see “Displaying statistics due to DoS attacks” on page 981

MAC authentication
show auth-mac-address detail: see “Displaying multi-device port authentication configuration information” on page 927
show auth-mac-address: see “Displaying authenticated MAC address information” on page 926
show auth-mac-addresses authorized-mac: see “Displaying the authenticated MAC addresses” on page 930
show auth-mac-addresses unauthorized-mac: see “Displaying the non-authenticated MAC addresses” on page 930

MAC port security
Redundant management module
locate startup-config: see “Displaying the current location for saving configuration changes” on page 58
locate startup-config [slot1 | slot2 | flash-memory] [//]: see “Specifying the location for saving configuration changes” on page 58

SNMP
Syslog
show logging: see “Displaying the Syslog configuration” on page 1263
terminal monitor: see “Enabling real-time display of Syslog messages” on page 1262

System parameters
Link keepalive
show link-keepalive [ethernet ]: see “Displaying information for all ports” on page 281; “Displaying information for a single port” on page 282
show link-keepalive ethernet: see “Displaying information for all ports” on page 281

VLAN