53-1002253-01 20 May 2011 BigIron RX Series Configuration Guide Supporting Multi-Service IronWare v02.8.
Copyright © 2011 Brocade Communications Systems, Inc. All Rights Reserved Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCS, and VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Contents
About This Document: Audience, xli; Supported hardware and software, xli; List of supported features, xli; Unsupported features, xliv; What's new in this document.
EXEC commands, 3; Global level, 4; CONFIG commands, 4; Accessing the CLI, 7; Navigating among command levels, 8; CLI command structure.
Flash memory and PCMCIA flash card file management commands, 36; Management focus, 37; Flash memory file system, 38; PCMCIA flash card file system, 39; Wildcards.
Configuring TACACS and TACACS+ security, 82; How TACACS+ differs from TACACS, 83; TACACS and TACACS+ authentication, authorization, and accounting, 83; TACACS and TACACS+ configuration considerations, 86; Enabling SNMP to configure TACACS and TACACS+, 87; Identifying the TACACS and TACACS+ servers.
Configuring an interface as the source for Syslog packets, 123; Specifying a Simple Network Time Protocol (SNTP) server, 124; Setting the system clock, 126; New Daylight Saving Time (DST), 127; Configuring CLI banners, 127; Setting a message of the day banner.
Displaying mirror and monitor port configuration, 150; Enabling WAN PHY mode support, 151.
Chapter 7 Configuring IP: Overview of configuring IP, 153; The IP packet flow, 153; ARP cache table, 154; Static ARP table.
Configuring forwarding parameters, 194; Disabling ICMP messages, 196; Disabling ICMP redirect messages, 198; Configuring static routes, 198; Static route tagging, 203; Configuring a default network route.
General operating principles, 255; Operating modes, 255; LLDP packets, 255; TLV support, 256; MIB support, 259; Syslog messages.
VLAN configuration rules, 290; VLAN ID range, 290; Tagged VLANs, 290; VLAN hierarchy, 290; Multiple VLAN membership rules, 290; Layer 2 control protocols on VLANs.
Displaying VLAN information, 321; Displaying VLAN information, 322; Displaying VLAN information for specific ports, 322; Displaying VLAN status and port types, 323; Displaying VLAN group information, 324; Transparent firewall mode.
State machines, 362; Handshake mechanisms, 363; Convergence in a simple topology, 373; Convergence at start up, 374; Convergence after a link failure, 376; Convergence at link restoration.
MRP CLI example, 421; Commands on switch A (master node), 422; Commands on switch B, 422; Commands on switch C, 423; Commands on switch D.
Displaying topology group information, 449; Displaying topology group information, 449.
Chapter 17 Configuring VRRP and VRRPE: Overview of VRRP, 451; Standard VRRP, 451; Brocade enhancements of VRRP, 453; Overview of VRRPE.
Configuring ToS-based QoS, 482; Enabling ToS-based QoS, 482; Specifying trust level, 482; Enabling marking, 482; Configuring the QoS mappings, 483; Changing the CoS -> DSCP mappings.
Configuring rate limiting policies, 508; Configuring a port-based rate limiting policy, 508; Configuring a port-and-priority-based rate limiting policy, 509; Configuring a port-and-VLAN-based rate limiting policy, 509; Configuring a VLAN-group-based rate limiting policy, 510; Configuring a port-and-IPv6 ACL-based traffic reduction, 512; NP based multicast, broadcast, and unknown-unicast rate limiting.
Displaying ACL definitions, 544; Displaying of TCP/UDP numbers in ACLs, 545; ACL logging, 555; Enabling the new logging method, 556; Specifying the wait time, 556; Modifying ACLs.
Chapter 23 Configuring IP Multicast Protocols: Overview of IP multicasting, 581; Multicast terms, 581; Changing global IP multicast parameters, 582; Defining the maximum number of DVMRP cache entries, 582; Defining the maximum number of PIM cache entries, 582; IP multicast boundaries.
Changing the Shortest Path Tree (SPT) threshold, 614; Changing the PIM join and prune message interval, 615; MLL optimization, 615; Displaying PIM Sparse configuration information and statistics, 615; Displaying basic PIM Sparse configuration information, 616; Displaying a list of multicast groups.
Configuring DVMRP, 651; Enabling DVMRP globally and on an interface, 651; Modifying DVMRP global parameters, 651; Modifying DVMRP interface parameters, 654; Displaying information about an upstream neighbor device, 655; Configuring a static multicast route.
Configuring OSPF, 685; Configuration rules, 686; OSPF parameters, 686; Enable OSPF on the router, 687; Assign OSPF areas, 687; Assigning an area range (optional).
Chapter 26 Configuring BGP4 (IPv4 and IPv6): Overview of BGP4, 739; Relationship between the BGP4 route table and the IP route table, 740; How BGP4 selects a path for a route, 740; BGP4 message types, 742; Brocade implementation of BGP4.
Configuring BGP4 neighbors, 771; Removing route dampening from suppressed neighbor routes, 775; Encryption of BGP4 MD5 authentication keys, 776; Configuring a BGP4 peer group, 778; Peer group parameters.
Chapter 27 Configuring MBGP: Configuration considerations, 858; Configuring MBGP, 858; Setting the maximum number of multicast routes supported, 858; Enabling MBGP, 859; Adding MBGP neighbors.
Configuring IPv4 address family route parameters, 880; Changing the metric style, 880; Changing the maximum number of load sharing paths, 880; Enabling advertisement of a default route, 880; Changing the administrative distance for IPv4 IS-IS, 881; Configuring summary addresses, 882; Redistributing routes into IPv4 IS-IS.
Chapter 30 Configuring Secure Shell: In this chapter, 913; Overview of Secure Shell (SSH), 913; SSH version 2 support, 913; Supported features, 914; Configuring SSH.
Example configurations, 940; Multi-device port authentication with dynamic VLAN assignment, 941; Examples of multi-device port authentication and 802.1X authentication configuration on the same port, 943.
Chapter 32 Using the MAC Port Security Feature and Transparent Port Flooding: MAC Port Security.
How 802.1x port security works, 963; Device roles in an 802.1x configuration, 963; Communication between the devices, 964; Controlled and uncontrolled ports, 965; Message exchange during authentication, 966; Authenticating multiple clients connected to the same port.
Chapter 34 Protecting Against Denial of Service Attacks: Protecting against Smurf attacks, 995; Avoiding being an intermediary in a Smurf attack, 996; ACL-based DoS-attack prevention, 996; Protecting against TCP SYN attacks, 997; TCP security enhancement, 998; Displaying statistics due to DoS attacks.
Chapter 37 Enabling the Foundry Discovery Protocol (FDP) and Reading Cisco Discovery Protocol (CDP) Packets: Using FDP, 1023; Configuring FDP, 1023; Displaying FDP information, 1024; Clearing FDP and CDP information, 1027; Reading CDP packets.
Chapter 40 Multiple Spanning Tree Protocol (MSTP) 802.1s: 802.1s Multiple Spanning Tree Protocol, 1051; Multiple spanning-tree regions, 1051; Configuring MSTP, 1053; Setting the MSTP name, 1053; Setting the MSTP revision number, 1053; Configuring an MSTP instance.
Configuring IPv6 on each router interface, 1083; Configuring a global or site-local IPv6 address, 1084; Configuring a link-local IPv6 address, 1085; Configuring IPv6 anycast addresses, 1086; Configuring the management port for an IPv6 automatic address configuration, 1086; IPv6 host support.
Configuring IPv6 neighbor discovery, 1096; Neighbor solicitation and advertisement messages, 1097; Router advertisement and solicitation messages, 1098; Neighbor redirect messages, 1098; Setting neighbor solicitation parameters for duplicate address detection, 1098; Setting IPv6 router advertisement parameters.
Configuring BGP4+, 1130; Enabling BGP4+, 1131; Configuring BGP4+ neighbors using global or site-local IPv6 addresses, 1131; Adding BGP4+ neighbors using link-local addresses, 1132; Configuring a BGP4+ peer group.
Using IPv6 ACLs as input to other features, 1198; Configuring an IPv6 ACL, 1198; Example configurations, 1198; Default and implicit IPv6 ACL action, 1200; ACL syntax, 1201; Applying an IPv6 ACL to an interface.
Chapter 49 Configuring IPv6 Multicast Features: IPv6 PIM sparse; PIM sparse router types; RP paths and SPT paths; Configuring PIM sparse; IPv6 PIM-sparse mode.
Configuring the Syslog service; Displaying the Syslog configuration; Disabling or re-enabling Syslog; Specifying a Syslog server; Specifying an additional Syslog server; Disabling logging of a message level; Logging all CLI commands to Syslog.
FDP/CDP, 1338; IP, 1338; Metro Ring protocol, 1341; IPv6 BGP4+, 1342; IPv6 ACL.
SSH, 1374; sFlow, 1374; STP, 1375; SysLog messages, 1375; System parameters.
About This Document
Audience
This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols where they apply to your network: IP, RIP, OSPF, BGP, IS-IS, IGMP, PIM, DVMRP, and VRRP.
TABLE 1 Supported features (continued)
Management Options: Serial and Telnet access to the industry-standard Command Line Interface (CLI); SSHv2; TFTP; Web-based GUI; SNMP versions 1, 2, and 3; IronView Network Manager or Brocade Network Advisor.
Security: AAA Authentication; Local passwords; RADIUS; Secure Shell (SSH) version 2; Secure Copy (SCP); TACACS and TACACS+; User accounts; 802.
Rate Limiting: Port-based, port-and-priority-based, port-and-VLAN-based, and port-and-ACL-based rate limiting on inbound ports are supported.
SuperSpan: A Brocade STP enhancement that allows Service Providers (SPs) to use STP in both SP networks and customer networks.
Topology Groups: A named set of VLANs that share a Layer 2 topology. You can use topology groups with the following Layer 2 protocols: STP; Brocade MRP; VSRP; 802.
Multicast Routing: Multicast cache; L2 IGMP table; DVMRP routes; PIM-DM; PIM-SM; PIM-SSM; PIM Snooping.
OSPF: OSPF routes; OSPF adjacencies (dynamic); OSPF LSAs; OSPF filtering of advertised routes.
PBR: Policy Based Routing.
RIP: RIP versions 1 and 2; RIP routes.
VRRP and VRRPE: Virtual Router Redundancy Protocol (VRRP) and VRRP Extended (VRRPE).
IPv6 features: IPv6 ACLs; Extended ACLs.
IPv6 Routing Protocols: RIPng; OSPFv3; BGP4+.
IPv6 Multicast: PIM-
What’s new in this document The following tables provide brief descriptions of the enhancements added in each BigIron RX software release and a reference to the specific chapter, and section in the BigIron RX Series Configuration Guide or the Brocade BigIron RX Series Installation Guide that contain a detailed description and operational details for the enhancement.
Enhancements in release 02.8.00
TABLE 2 Summary of enhancements in release 02.8.00
Multi-device Port Authentication: Multi-device port authentication is now supported on BigIron RX tagged ports.
Enhancements in release 02.7.03
TABLE 3 Summary of enhancements in release 02.7.03
System Monitoring Service (SYSMON): This feature was introduced in the 02.6.00c patch release. It monitors the hardware in the system to detect, report, and in some cases isolate and recover from hardware errors. When an error or event occurs, SYSMON generates Syslog messages, which must be reported to Brocade Technical Support. This enhancement was introduced in Patch Release 02.
MAC Port Security: The MAC Port Security feature has been updated for the 02.7.03 release.
Enhancements in release 02.7.01
TABLE 5 Summary of enhancements in release 02.7.01 (continued)
True Remote Console: The new rconsole feature provides a true connection to the MP/LP console port. While the old session-based rconsole is a remote X-Window connected to one of the windows on the target system, the new rconsole is a remote desktop.
Enhancements in release 02.7.00
TABLE 6 Summary of enhancements in release 02.7.00
True Remote Console: The new rconsole feature provides a true connection to the MP/LP console port. While the old session-based rconsole is a remote X-Window connected to one of the windows on the target system, the new rconsole is a remote desktop.
CLI Change: To globally enable MAC port security, the global-port-security command has been added. The port security command is now used only when configuring MAC port security on specific interfaces.
TABLE 7 Summary of enhancements in release 02.6.00 (continued)
Digital Optical Monitoring: Beginning with release 02.6.00, Digital Optical Monitoring supports only newly qualified 1 Gigabit optics. Previous 1 Gigabit optics whose model numbers do not end in "OM" cannot use this feature.
IPv6 PIM-SM: In Release 02.6.00 of the Multi-Service IronWare software, the BigIron RX supports IPv6 Protocol Independent Multicast (PIM) Sparse.
TABLE 7 Summary of enhancements in release 02.6.00 (Continued) Enhancement Description See page Static Route ARP Validate Next Hop Beginning with release 02.6.00, you can configure the BigIron RX to perform multicast validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
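The validation checks listed in the row above (destination MAC, sender and target IP, source MAC), applied to raw Ethernet II/ARP reply frames as an added Python example. This is illustration code, not IronWare's implementation; the field layout follows RFC 826, and every address, frame and check name below is constructed for the example.

```python
"""Added example (not Brocade code): ARP next-hop validation checks on raw
Ethernet II / ARP reply frames.  Frames and addresses are constructed."""
import struct
from dataclasses import dataclass
from typing import List

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


@dataclass
class ArpReply:
    eth_dst: bytes
    eth_src: bytes
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def parse_arp_reply(frame: bytes) -> ArpReply:
    """Parse an Ethernet II frame carrying an ARP reply; ValueError if malformed."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet+ARP")
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if oper != ARP_REPLY:
        raise ValueError("not an ARP reply")
    return ArpReply(eth_dst, eth_src, sha, spa, tha, tpa)


def validate_next_hop_reply(frame: bytes, my_mac: bytes, my_ip: bytes,
                            next_hop_ip: bytes) -> List[str]:
    """Run the checks on a reply for a static-route next hop.
    Returns the list of failed checks; an empty list means the reply may
    be used to populate the ARP entry for that next hop."""
    try:
        r = parse_arp_reply(frame)
    except ValueError as exc:
        return ["malformed: " + str(exc)]
    failures = []
    # Destination MAC: the reply must be unicast to this router, not
    # broadcast or addressed to some other host.
    if r.eth_dst != my_mac:
        failures.append("destination MAC is not ours")
    # Target IP: the reply must answer a request this router made.
    if r.target_ip != my_ip:
        failures.append("target IP is not ours")
    # Sender IP: it must be the next hop the static route points at.
    if r.sender_ip != next_hop_ip:
        failures.append("sender IP is not the configured next hop")
    # Source MAC: the Ethernet source must match the ARP sender hardware
    # address; a mismatch is the usual sign of a forged reply.
    if r.eth_src != r.sender_mac:
        failures.append("Ethernet source MAC differs from ARP sender MAC")
    # A group (multicast/broadcast) address is never a valid next-hop MAC.
    if r.sender_mac[0] & 0x01:
        failures.append("sender MAC is a group address")
    return failures


def build_arp_reply(eth_dst, eth_src, sha, spa, tha, tpa) -> bytes:
    """Build a minimal Ethernet II + ARP reply frame (constructed test input)."""
    return (ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa))


# Constructed (hypothetical) addresses: this router and its static next hop.
ROUTER_MAC = bytes.fromhex("001122334455")
ROUTER_IP = bytes([10, 0, 0, 1])
NEXT_HOP_MAC = bytes.fromhex("66778899aabb")
NEXT_HOP_IP = bytes([10, 0, 0, 2])
ATTACKER_MAC = bytes.fromhex("deadbeef0001")

GOOD_REPLY = build_arp_reply(ROUTER_MAC, NEXT_HOP_MAC,
                             NEXT_HOP_MAC, NEXT_HOP_IP, ROUTER_MAC, ROUTER_IP)
# Forged: the ARP body names the next hop's MAC, but the frame left a different NIC.
FORGED_REPLY = build_arp_reply(ROUTER_MAC, ATTACKER_MAC,
                               NEXT_HOP_MAC, NEXT_HOP_IP, ROUTER_MAC, ROUTER_IP)
# Broadcast "reply": answers no specific request from this router, so it is refused.
BROADCAST_REPLY = build_arp_reply(b"\xff" * 6, NEXT_HOP_MAC,
                                  NEXT_HOP_MAC, NEXT_HOP_IP, ROUTER_MAC, ROUTER_IP)

if __name__ == "__main__":
    for name, frame in [("good", GOOD_REPLY), ("forged", FORGED_REPLY),
                        ("broadcast", BROADCAST_REPLY)]:
        result = validate_next_hop_reply(frame, ROUTER_MAC, ROUTER_IP, NEXT_HOP_IP)
        print(name, result or "accepted")
```

These checks reject malformed, misdirected and internally inconsistent replies. A reply whose Ethernet source and ARP sender MAC both carry an attacker's address still passes them, which is why a static ARP entry for the next hop remains the stronger control where the neighbor is fixed.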
TABLE 8 Summary of enhancements in release 02.5.00c (continued)
Limited/Fixed Boot Code: See Book: Foundry BigIron RX Configuration Guide.
Super ACLs: With this patch release, the Multi-Service IronWare software supports Super ACLs that can match on fields in a Layer 2 or Layer 4 packet header. See Book: BigIron RX Series Configuration Guide, Chapter: “Access Control List”, Section: “Configuring super ACLs”.
Enhancements in patch release 02.5.
TABLE 10 Summary of enhancements in release 02.5.00 (continued)
BigIron RX-32: Release 02.5.00 introduces the BigIron RX-32 device, which runs the same Multi-Service IronWare software as other devices in the BigIron RX series. The new BigIron RX-32 device provides support for up to 32 interface modules.
Changes to the copy tftp image command: In Release 02.5.00 of the Multi-Service IronWare software, new options have been added to the copy tftp image command so that the boot, monitor, and MBRIDGE images can be upgraded only when needed. See Book: Release Notes for BigIron RX – Multi-Service IronWare Software Release 02.5.00.
Enhancements in release 02.4.00
TABLE 12 Summary of enhancements in release 02.4.00
True Remote Console: The new rconsole feature provides a true connection to the MP/LP console port. While the old session-based rconsole is a remote X-Window connected to one of the windows on the target system, the new rconsole is a remote desktop.
Increase Global Static ARP Entries: The system max value for ip-static-arp can be configured to values up to 16,384 beginning with version 02.4.00 of the BigIron RX Multi-Service IronWare software.
IPv6 Load Sharing over ECMP and Trunks: When the device receives traffic for a destination and the IPv6 route table contains multiple equal-cost paths to that destination, the packets are load balanced across the multiple next hops, including member ports of a trunk.
Passive Multicast Route Insertion (PMRI): This new feature prevents unwanted multicast traffic from being sent to the CPU by conditionally dropping unwanted multicast traffic in hardware.
CLI Logging: This feature logs all valid CLI commands from each user session into the system log.
Enhancements in release 02.3.00
System enhancements
TABLE 14 System enhancements
New Hardware Support: The following new hardware is supported with the 02.3.00 software release for the BigIron RX: 10G-XFP-CX4 (part number 10G-XFP-CX4), a new XFP module available for use in the BigIron RX Series and 10G Interface Modules with the following capabilities: 10GBASE-CX4 compliant per 802.
TABLE 14 System enhancements (Continued) Enhancement Description See... Enhanced Digital Optical Monitoring You can configure the BigIron RX to monitor XFPs and SFPs in the system either globally or by specified port. Book: Brocade BigIron RX Series Installation Guide Chapter: Connecting a BigIron RX Series Switch to a Network Device Section: Enhanced Digital Optical Monitoring Re-distributing CAM Allocations In releases prior to 02.3.00, CAM partitioning was not configurable.
Layer 3 enhancements TABLE 16 Layer 3 enhancements Enhancement Description See... OSPF NBMA You can configure an interface to send OSPF unicast packets rather than broadcast packets to its neighbor by configuring non-broadcast multi-access (NBMA) networks.
TABLE 16 Layer 3 enhancements (continued)
ACL Duplication Check: The acl-duplication-check command has been changed to acl-duplication-check-disable. With this command, software checking for duplicate ACL entries is disabled after an upgrade. See Book: BigIron RX Series Configuration Guide, Chapter: “Access Control List”, Section: “Enabling ACL duplication check”.
ISIS v6: With this release of the Multi-Service IronWare software, IPv6 IS-IS is supported.
IP multicast enhancements
TABLE 17 IP multicast enhancements
MBGP: Multiprotocol BGP, which allows information other than IPv4 routes to be carried in BGP packets, is available in this release. See Book: BigIron RX Series Configuration Guide, Chapter: “Configuring MBGP”.
Multicast Source Discovery Protocol (MSDP): This release supports the Multicast Source Discovery Protocol (MSDP).
IPv6 Embedded RP: Embedded RP allows the router to learn RP information from the multicast group destination address instead of from a statically configured RP.
IPv6 PIM SM: IPv6 PIM SM provides the PIM Sparse Mode protocol for routing multicast packets to multicast groups.
Network management TABLE 19 Network management Enhancement Description See... IPv6 Management TFTP, SSH, Telnet, AAA, and WEB You can perform system management tasks for the BigIron RX using the TFTP, telnet, AAA, and Secure Shell (SSH). Book: BigIron RX Series Configuration Guide Chapter:“Configuring Basic IPv6 Connectivity” Enhancements in release 02.2.
Layer 3 enhancements
TABLE 22 Layer 3 enhancements
Graceful Restart: With this release, you can enable Graceful Restart for OSPF and BGP. See Book: BigIron RX Series Configuration Guide, Chapters: “Configuring OSPF Version 2 (IPv4)” and “Configuring BGP4 (IPv4 and IPv6)”, Sections: “OSPF graceful restart” and “Graceful restart in BGP”.
BGP Null0 Routing: With this release, BGP can use null0 to resolve the next hop and install null0 BGP routes in the routing table. See Book: Big
Multicast enhancement TABLE 23 Multicast enhancement Enhancement Description See page IGMP Snooping The BigIron RX supports IGMP snooping. Book: BigIron RX Series Configuration Guide Chapter:“Configuring IP Multicast Traffic Reduction” Section: “Enabling IP multicast traffic reduction” Security enhancements TABLE 24 Security enhancements Enhancement Description See page Multi-device Port Authentication Multi-device port authentication is now supported on the BigIron RX.
TABLE 24 Security enhancements (Continued) Enhancement Description See page MTU enhancements for IPv4 In this release, you can configure IPv4 MTU to be greater than 1500 bytes.
Enhancements in release 02.2.00g
TABLE 26 Summary of enhancements in 02.2.00g
New Hardware Support: The following new hardware is supported with the 02.2.01 software release for the BigIron RX: 2-port 10 Gigabit Ethernet port module; DC Power Supply. See Book: Brocade BigIron RX Series Installation Guide.
Enhancements in release 02.2.00
TABLE 27 Summary of enhancements in 02.2.
TABLE 27 Summary of enhancements in 02.2.00 (continued)
Multicast Entry Limit: 1542 multicast entries are limited to IPv4 1542 entries provided every group has only one destination. See page: N/A.
WAN PHY Mode Support: This release supports WAN PHY Mode per 10 Gigabit Ethernet port.
variable  Variables are printed in italics enclosed in angled brackets < >.
...  Repeat the previous element, for example "member[;member...]".
|  Choose from one of the parameters.
Notes, cautions, and danger notices
The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
NOTE A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.
NOTE The latest version of these guides is posted at http://www.brocade.com/ethernetproducts.
Getting technical help or reporting errors
E-mail and telephone access
Go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.
Chapter 1 Getting Started with the Command Line Interface
In this chapter
• Logging on through the CLI
• EXEC commands
• CONFIG commands
• Accessing the CLI
Logging on through the CLI
On-line help
To display a list of available commands or command options, enter "?" or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed. If you enter part of a command, then enter "?" or press Tab, the CLI lists the options you can enter at this point in the command string. If you enter an invalid command followed by ?, a message appears indicating that the command was unrecognized.
Line editing commands
The CLI supports the following line editing commands. To enter a line-editing command, hold the CTRL key and press the letter associated with the command.
TABLE 28 CLI line-editing commands
Ctrl-key combination  Description
Ctrl-A  Moves to the first character on the command line.
Ctrl-B  Moves the cursor back one character.
You reach this level by entering the enable [] or enable at the User EXEC level.
BigIron RX> enable
or
BigIron RX> enable user1 mypassword
After entering the enable command, you see the following prompt.
BigIron RX#
The prompt indicates that you are at the Privileged EXEC level. When you are at the Privileged EXEC level, you can enter commands that are available at that level.
Trunk level
The trunk level allows you to change parameters for statically-configured trunk groups. You reach this level by entering a trunk command with the appropriate port parameters.
Router RIP level
The RIP level allows you to configure parameters for the RIP routing protocol. You reach this level by entering the router rip command at the global CONFIG level.
Router OSPF level
The OSPF level allows you to configure parameters for the OSPF routing protocol.
Route Map level
The Route Map level allows you to configure parameters for a BGP4 route map. You reach this level by entering the route-map command at the global CONFIG level.
Router VRRP level
The VRRP level allows you to configure parameters for the Virtual Router Redundancy Protocol (VRRP). You reach this level by entering the router vrrp command at the global CONFIG level, then entering the ip vrrp vrid command at the interface configuration level.
MAC port security level
The MAC port security level allows you to configure the port security feature. You reach this level by entering the global-port-security command at the Global or Interface levels.
Accessing the CLI
The CLI can be accessed through both serial and Telnet connections. For initial log on, you must use a serial connection. Once an IP address is assigned, you can access the CLI through Telnet.
BigIron RX>  User Level EXEC Command
BigIron RX#  Privileged Level EXEC Command
BigIron RX(config)#  Global Level CONFIG Command
BigIron RX(config-if-e10000-5/1)#  Interface Level CONFIG Command
BigIron RX(config-lbif-1)#  Loopback Interface CONFIG Command
BigIron RX(config-ve-1)#  Virtual Interface CONFIG Command
BigIron RX(config-trunk-4/1-4/8)#  Trunk group CONFIG Command
BigIron RX(config-if-e10000-tunnel)
Optional fields
When two or more options are separated by a vertical bar, "|", you must enter one of the options as part of the command.
Syntax: priority normal | high
For example, the "normal | high" entry in the Syntax above means that priority can be either priority normal or priority high. The command in the syntax above requires that you enter either normal or high as part of the command.
Displaying lines containing a specified string
The following command filters the output of the show interface command for port 3/11 so it displays only lines containing the word "Internet". This command can be used to display the IP address of the interface.
BigIron RX# show interface e 3/11 | include Internet
Internet address is 192.168.1.
BigIron RX# ?
append              Append one file to another
attrib              Change file attribute
boot                Boot system from bootp/tftp server/flash image
cd                  Change current working directory
chdir               Change current working directory
clear               Clear table/statistics/keys
clock               Set clock
configure           Enter configuration mode
copy                Copy between flash, tftp, config/code
cp                  Copy file commands
debug               Enable debugging functions (see also 'undebug')
delete              Delete fi
dir
dm
dot1x
erase
exit
fastboot
force-sync-standby
--More--, next page: Space, next line: Return key, quit: Control-c
-telnet
The filtered results are displayed.
filtering...
TABLE 29 Special characters for regular expressions (Continued)
Character  Operation
$  A dollar sign matches on the end of an input string.
• All digits
Any of the following special characters are valid: $ % ' _ @ ~ ` ! ( ) { } ^ # &
Syntax shortcuts
A command or parameter can be abbreviated as long as enough text is entered to distinguish it from other commands at that level. For example, given the possible commands copy tftp… and config tftp…, possible shortcuts are cop tftp and con tftp respectively. In this case, co does not properly distinguish the two commands.
Chapter 2 Getting Familiar With the BigIron RX Series Switch Management Applications
How to manage BigIron RX Series switch
This chapter describes the different applications you can use to manage the BigIron RX Series Switch. The BigIron RX Series Switch supports the same management applications as other Brocade devices.
NOTE By default, any user who can open a direct or Telnet connection to a BigIron RX Series Switch can access all these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can configure the device to use a RADIUS, TACACS, or TACACS+ server for authentication.
On-line help
To display a list of available commands or command options, enter "?" or press Tab.
• Press Ctrl-C to cancel the display.
Line editing commands
The CLI supports the following line editing commands. To enter a line-editing command, hold the CTRL key and press the letter associated with the command.
TABLE 30 CLI line editing commands
Ctrl-key combination  Description
Ctrl-A  Moves to the first character on the command line.
Ctrl-B  Moves the cursor back one character.
NOTE The vertical bar ( | ) is part of the command.
NOTE The regular expression specified as the search string is case sensitive. In the example above, a search string of "Internet" would match the line containing the IP address, but a search string of "internet" would not.
Displaying lines that do not contain a specified string
The following command filters the output of the show who command so it displays only lines that do not contain the word "closed".
BigIron RX# ?
append              Append one file to another
attrib              Change file attribute
boot                Boot system from bootp/tftp server/flash image
cd                  Change current working directory
chdir               Change current working directory
clear               Clear table/statistics/keys
clock               Set clock
configure           Enter configuration mode
copy                Copy between flash, tftp, config/code
cp                  Copy file commands
debug               Enable debugging functions (see also 'undebug')
delete              Delete file o
dir
dm
dot1x
erase
exit
fastboot
force-sync-standby
--More--, next page: Space, next line: Return key, quit: Control-c
-telnet
The filtered results are displayed:
filtering...
TABLE 31 Special characters for regular expressions (Continued)
Character  Operation
_  An underscore matches on one or more of the following:
   • , (comma)
   • { (left curly brace)
   • } (right curly brace)
   • ( (left parenthesis)
   • ) (right parenthesis)
   • The beginning of the input string
   • The end of the input string
   • A blank space
   For example, the following regular expression matches on "100" but not on "1002", "2100", and so on: _100_
[]  Square brackets enclose a range of
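The two output filters described above (the "| include" form in the show interface example and the "do not contain" form in the show who example), together with the "$" rule in Table 29 and the "_" rule in Table 31, can be checked against sample output in ordinary Python. The following is an added example written for this page; it is not Brocade code and is not part of the guide. It assumes that an include filter keeps lines matching the pattern and an exclude filter rejects them, that matching is case sensitive as the NOTE states, and that "_" expands to an alternation of the characters Table 31 lists. The show interface and show who output it filters is constructed, not captured from a device.

```python
import re

# Mapping of the IronWare regular-expression special characters described
# in Tables 29 and 31 onto Python's re syntax. Only "_" needs translation:
# it matches a comma, a curly brace, a parenthesis, a blank space, or the
# beginning or end of the input string. "$", "[]" and the rest already
# mean the same thing in Python. (Assumption: nothing else differs.)
UNDERSCORE = r"(?:^|$|[,{}() ])"


def ironware_regex_to_python(pattern: str) -> re.Pattern:
    """Translate an IronWare search pattern into a compiled Python regex.

    Matching is case sensitive, as the guide states, so no re.IGNORECASE."""
    translated = [UNDERSCORE if ch == "_" else ch for ch in pattern]
    return re.compile("".join(translated))


def filter_output(output: str, mode: str, pattern: str) -> list:
    """Apply "| include <pattern>" or the exclude form to command output.

    include keeps only the lines that match; exclude keeps only the lines
    that do not match. Other filter modes are not modelled here."""
    regex = ironware_regex_to_python(pattern)
    lines = output.splitlines()
    if mode == "include":
        return [ln for ln in lines if regex.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not regex.search(ln)]
    raise ValueError(f"unsupported filter mode: {mode!r}")


# Constructed sample output, not captured from a real device.
SHOW_INTERFACE = """\
10GigabitEthernet3/11 is up, line protocol is up
  Hardware is 10GigabitEthernet, address is 0012.f2ab.cd00 (bia 0012.f2ab.cd00)
  Internet address is 192.168.1.1/24, MTU 1500 bytes
  Configured speed 10Gbit, actual 10Gbit, configured duplex fdx, actual fdx
"""

SHOW_WHO = """\
Console connections:
        established, monitor enabled
Telnet connections (inbound):
 1      established, client ip address 192.168.1.50, user is admin
 2      closed
 3      closed
SSH connections:
 1      closed
"""

# Constructed strings for the "_" semantics the guide illustrates with _100_.
UNDERSCORE_SAMPLES = ["100", "1002", "2100", "vlan 100 tagged", "{100}", "100,"]


def underscore_matches(pattern: str = "_100_") -> list:
    """Return the sample strings that the IronWare pattern matches."""
    regex = ironware_regex_to_python(pattern)
    return [s for s in UNDERSCORE_SAMPLES if regex.search(s)]


if __name__ == "__main__":
    print(filter_output(SHOW_INTERFACE, "include", "Internet"))
    print(filter_output(SHOW_INTERFACE, "include", "internet"))  # case sensitive
    print(filter_output(SHOW_WHO, "exclude", "closed"))
    print(underscore_matches())
```

Running the block shows the lowercase "internet" search returning nothing, the show who exclude filter dropping the three "closed" sessions, and _100_ matching "100", "vlan 100 tagged", "{100}" and "100," but neither "1002" nor "2100", which is the behaviour Table 31 describes.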
• % ' _ @ ~ ` ! ( ) { } ^ # &
Logging on through the Web Management Interface
To use the Web Management Interface, open a Web browser and enter the IP address of a BigIron RX Series Switch's management port in the Location or Address field. The Web browser contacts the device and displays the login panel for the BigIron RX Series Switch, as shown in Figure 1.
FIGURE 2 Web Management Interface login dialog box
The login username and password you enter depend on whether your device is configured with AAA authentication for SNMP. If AAA authentication for SNMP is not configured, you can use the user name "get" and the default read-only password "public" for read-only access.
Chapter 3 Using a Redundant Management Module
How management module redundancy works
You can install a redundant management module in slot M1 or M2 of the BigIron RX Series devices. By default, the system considers the module installed in slot M1 to be the active management module and the module installed in slot M2 to be the redundant or standby module. If the active module becomes unavailable, the standby module automatically takes over management of the system.
The interface modules are not reset, as they are with the previous cold-restart redundancy feature. The interface modules continue to forward traffic while the standby management module takes over operation of the system. The newly active management module receives updates from the interface modules and sends verification information to the interface modules to ensure that they are synchronized.
• The active management module's flash memory.
• A PCMCIA flash card inserted in one of the PCMCIA slots in the active management module's front panel.
After the replacement module boots, the active module compares the standby module's flash code and system-config file to its own. If differences exist, the active module synchronizes the standby module's flash code and system-config file with its own.
Syslog and SNMP traps
When a switchover occurs, the BigIron RX system sends a Syslog message to the local Syslog buffer and also to the Syslog server, if you have configured the system to use one. In addition, if you have configured an SNMP trap receiver, the system sends an SNMP trap to the receiver. When the system is powered on or otherwise reset normally, the system sends a cold start message and trap.
Management module redundancy configuration
Configuring management module redundancy consists of performing one optional task (changing the default active slot). This section explains how to perform this task.
Changing the default active slot
By default, the BigIron RX Series system considers the module installed in slot M1 to be the active management module. If desired, you can change the default active slot to M2.
A BigIron RX Multi-Service IronWare image contains the layer 1 – 3 software run by the management module. During startup or switchover, the active module compares the standby module's flash code to its own. If differences exist, the active module synchronizes the standby module's flash code with its own. If you update the flash code on the active module, the active module automatically synchronizes (without comparison) the standby module's flash code with its own.
FIGURE 4 Active and standby management module file synchronization
The figure shows the files on the active management module (flash code, startup-config file, running-config file, boot code) and how each is propagated to the standby management module: synchronized at startup or switchover; also can be immediately synchronized using the CLI; startup-config also automatically updated with the write memory command; automatically synchronized at regular, user-configurable intervals; not synchronized.
To compare and immediately synchronize files between the active and standby modules if differences exist, enter the following command at the Privileged EXEC level of the CLI.
BigIron RX# sync-standby
Syntax: sync-standby
Synchronizing files without comparison
You can synchronize the flash code, system-config file, and running-config file immediately without comparison.
BigIron RX# boot system flash primary
Syntax: boot system bootp | [flash primary | flash secondary] | slot | tftp
The flash primary keyword specifies the primary BigIron RX Series Multi-Service IronWare image in the management module's flash memory, while the flash secondary keyword specifies the secondary BigIron RX Series Multi-Service IronWare image in the flash memory.
You can also observe the Pwr LED on each module. If this LED is on (green), the module is receiving power. If this LED is off, the module is not receiving power. (A module without power will not function as the active or standby module.)
Software
To display the status of the management modules, enter the following command at any CLI level.
BigIron RX# show module
Module
M1 (upper): BigIron BI-RX Management Module
M2 (lower): BigIron BI-RX Management Module
...
• Redundancy parameter settings and statistics, which include the number of switchovers that have occurred.
• The system log or the traps logged on an SNMP trap receiver, which include information about whether a switchover has occurred.
To view the redundancy parameter settings and statistics, enter the following command at any level of the CLI.
BigIron RX# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 24 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Static Log Buffer:
Sep 28 11:31:25:A:Power Supply 1, 1st left, not installed
Sep 28 11:31:25:A:Power Supply 3, middle left, not inst
Sep 28 11:31:25:A:Power Supply 4,
Sep 28 11:31:25:A:Power Supply 5,
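The "Syslog and SNMP traps" discussion and the monitoring list above both say that a switchover is recorded in the system log, and the show log output gives the entry format (month, day, time, a one-letter severity code from the level-code line, then the message). The following is an added example written for this page, not Brocade code, that parses that format and filters entries by severity so a switchover or an alert can be pulled out of a saved show log capture. It assumes the standard syslog ordering of the eight severities named in the level-code line; the sample buffer is constructed in the guide's format, and its login and switchover lines are invented to show the filtering, not real device output.

```python
import re
from collections import Counter

# Severity letters as printed by "show log" (from the guide's level-code line),
# listed in standard syslog order from most to least severe.
LEVEL_CODES = {"M": "emergency", "A": "alert", "C": "critical", "E": "error",
               "W": "warning", "N": "notification", "I": "informational",
               "D": "debugging"}
SEVERITY_RANK = {name: rank for rank, name in enumerate(LEVEL_CODES.values())}

# "Mon DD HH:MM:SS:<code>:<message>", the entry shape in the guide's sample buffer.
ENTRY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r":(?P<code>[A-Z]):(?P<msg>.*)$")


def parse_show_log(text: str) -> list:
    """Parse the entry lines of 'show log' output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code = m.group("code")
        entries.append({
            "timestamp": f"{m.group('mon')} {m.group('day')} {m.group('time')}",
            "severity": LEVEL_CODES.get(code, f"unknown({code})"),
            "message": m.group("msg").strip(),
        })
    return entries


def at_or_above(entries: list, severity: str) -> list:
    """Entries at least as severe as the named level (unknown codes are dropped)."""
    limit = SEVERITY_RANK[severity]
    return [e for e in entries if SEVERITY_RANK.get(e["severity"], 99) <= limit]


def count_by_severity(entries: list) -> Counter:
    return Counter(e["severity"] for e in entries)


def switchover_entries(entries: list) -> list:
    """Entries whose message mentions a switchover (keyword match is an assumption)."""
    return [e for e in entries if "switchover" in e["message"].lower()]


# Constructed sample in the guide's format; the login and switchover lines are
# invented for this example and are not real device output.
SAMPLE = """\
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 4 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Sep 28 11:31:25:A:Power Supply 1, 1st left, not installed
Sep 28 11:31:25:A:Power Supply 3, middle left, not installed
Dynamic Log Buffer (50 lines):
Sep 28 11:35:02:I:Security: telnet login by admin from src IP 192.168.1.50
Sep 28 11:40:17:W:Management module switchover from M1 to M2
"""


def alerts_and_worse(text: str = SAMPLE) -> list:
    return [e["message"] for e in at_or_above(parse_show_log(text), "alert")]


if __name__ == "__main__":
    parsed = parse_show_log(SAMPLE)
    print(count_by_severity(parsed))
    print(alerts_and_worse())
    print([e["timestamp"] for e in switchover_entries(parsed)])
```

The header lines (Syslog logging, Buffer logging, level code, buffer titles) do not match the entry pattern and are skipped, so the parser can be pointed at a whole show log capture. Because the severity letters are looked up by name, a capture from a device with a different level-code line only needs LEVEL_CODES changed.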
• Create a subdirectory.
• Remove a subdirectory.
• Rename a file.
• Change the read-write attribute of a file.
• Delete a file.
• Recover or "undelete" a file.
• Append one file to another (join two files).
• Perform copy operations using the copy command.
• Perform copy operations using the cp command.
• Load the system software from flash memory, a flash card, or other sources during system reboot.
For example, if you want to display a directory of files in flash memory and flash memory has the current management focus, you do not need to specify the flash keyword. However, if you want to display a directory of files for slot 1 and flash memory has the current focus, you must specify the slot1 keyword.
Flash memory file system
The flash memory file system is flat, which means that it does not support subdirectories.
PCMCIA flash card file system
The PCMCIA flash card file system is hierarchical, which means that it supports subdirectories. Therefore, you can create or delete subdirectories in this file system using the md or mkdir and rd or rmdir commands, respectively. Also, when specifying the syntax for the various file management commands, you may need to specify a pathname to a subdirectory as appropriate to manipulate a file in a subdirectory.
• &
You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: "a long subdirectory name". A subdirectory or file name can be a maximum of 256 characters long. A complete subdirectory path name cannot contain more than 256 characters. There is no maximum file size.
2048 bytes in each allocation unit.
39458 allocation units available on card.
Syntax: format slot1 | slot2
The slot1 | slot2 keyword specifies the PCMCIA slot that contains the flash card you are formatting.
Determining the current management focus
For conceptual information about management focus, refer to "Management focus" on page 37. If you are not sure which file system has the current management focus, enter the following command.
For the parameter for both cd and chdir commands, you can specify /slot1 or /slot2 to switch the focus to slot 1 or slot 2, respectively. Specify /flash to switch the focus to flash memory. After you have switched the focus to slot 2, you can specify the parameter to switch the focus to a subdirectory on a flash card inserted in slot 2.
BigIron RX# dir
Directory of /flash/
15 File(s)  0 Dir(s)
BigIron RX# dir /slot2/
Directory of /slot2/
12 File(s)  1 Dir(s)
For example, to display the contents of a file in flash memory, if flash memory has the current management focus, enter a command such as the following.
BigIron RX# more cfg.cfg
Syntax: more [//]
Use the parameter to specify a directory in a file system that does not have current management focus. Use the parameter to specify the file you want to display.
The software attempts to create a subdirectory in the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to create a subdirectory in a file system that does not currently have management focus. In this case, you can specify the slot1 or slot2 keyword with the md or mkdir command to create the subdirectory in the desired file system.
The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using uppercase letters. To verify successful creation of the subdirectory, enter a command such as the following to change to the new subdirectory level.
Renaming a file
You can rename a file in the management module's flash memory or on a flash card inserted in the management module's slot 1 or slot 2 using the rename or mv command. The software attempts to rename the file in the file system that has the current management focus. By default, flash memory has the management focus.
For example, to change the attribute of a file in slot 2 to read-only, if flash memory has the management focus, enter a command such as the following.
BigIron RX# attrib slot2 ro goodcfg.cfg
Syntax: attrib [slot1 | slot2] ro | rw
Specify the slot1 or slot2 keyword to change the attribute of a file on the flash card in slot 1 or slot 2, respectively.
For example, to delete all files with names that start with "test" from flash memory, if flash memory has the current management focus, enter a command such as the following.
BigIron RX# delete test*.*
To delete all files on the flash card in slot 2, if flash memory has the current management focus, you can enter one of the following commands.
Appending a file to another file
You can append a file in flash memory or on a flash card to the end of another file in one of these file systems. The software attempts to append one file to another in the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to append one file to another in a file system that does not currently have management focus.
• Load a running-config from a flash card or TFTP server into the device's running-config (loading ACLs only)
NOTE The copy options require you to explicitly specify the flash card. Therefore, you can perform a copy regardless of the flash card that currently has the management focus.
Copying files from one flash card to the other
To copy a file from one flash card to the other, enter the following command.
Copying software images between active and standby management modules
To copy the monitor image from the flash memory of the active management module to the flash memory of the standby module, enter the following command.
BigIron RX# copy flash tftp 10.10.10.1 secondary.bak secondary
Syntax: copy flash tftp primary | secondary
Copying files between a flash card and a TFTP server
You can use the following methods to copy files between a flash card and a TFTP server.
NOTE The BigIron RX Series system must have network access to the TFTP server.
To copy a file from a flash card to a TFTP server, enter a command such as the following.
This command copies the startup configuration from the device's flash memory to a flash card in slot 1 and names the file mfgtest.cfg.
Copying the startup-config file between flash memory and a TFTP server
Use the following methods to copy a startup-config between flash memory and a TFTP server to which the BigIron RX Series system has access.
Syntax: ncopy slot1 | slot2 [\\] running
The command in this example changes the device's active configuration based on the information in the file.
To copy a running-config from a TFTP server, enter a command such as the following.
BigIron RX# copy tftp running-config 10.10.10.1 run.
Loading the software
By default, the management module loads its BigIron RX Series Multi-Service IronWare image from the primary location in flash memory. You can change the system's BigIron RX Series Multi-Service IronWare image source to one of the following sources for one reboot or for all future reboots:
• The secondary location in flash memory.
• A flash card inserted in slot 1 or 2.
• A TFTP server.
• A BOOTP server.
To reboot the system from a BOOTP server, enter the following command.
BigIron RX# boot system bootp
Syntax: boot system bootp
Configuring the boot source for future reboots
To change the BigIron RX Series Multi-Service IronWare image source from the primary location in flash memory to another source for future reboots, enter a command such as the following at the global CONFIG level of the CLI.
BigIron RX# locate startup-config slot1 switch1.cfg
BigIron RX# write memory
The first command in this example sets the device to save configuration changes to the file named "switch1.cfg" on the flash card in slot 1. The second command saves the running-config to the switch1.cfg file on the flash card in slot 1.
NOTE In this example, after you save the configuration changes using the write memory command, the switch1.
TABLE 34 Flash card file management messages (Continued)
This message...  Means...
Invalid DOS file name  A filename you entered contains an invalid character (for example, ":" or "\").
Chapter 4 Securing Access to Management Functions Securing access methods This chapter explains how to secure access to management functions on the device. NOTE For the device, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication. The following table lists the management access methods available on the device, how they are secured by default, and the ways in which they can be secured.
TABLE 35 Ways to secure management access to the device (Continued)
Access method: Secure Shell (SSH) access
How the access method is secured by default: Not configured
Ways to secure the access method:
• Configure SSH, page 913
• Regulate SSH access using ACLs, page 64
• Allow SSH access only from specific IP addresses, page 67
• Establish passwords for privilege levels of the CLI, page 71
• Set up local user accounts, page 74
• Configure TACACS and TACACS+ security, page
Restricting remote access to management functions
You can restrict access to management functions from remote sources, including Telnet, the Web management interface, and SNMP.
The ipv6 parameter specifies the IPv6 access list.
To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL. Because an ACL ends with an implicit deny, any source address that no permit entry matches is then denied. For example:
BigIron RX(config)# access-list 10 permit host 209.157.22.32
BigIron RX(config)# access-list 10 permit 209.157.23.0 0.0.0.255
BigIron RX(config)# access-list 10 permit 209.157.24.0 0.0.0.
The parameter specifies the number of a standard ACL, 1 – 99. The parameter specifies the standard access list name. The ipv6 parameter specifies the IPv6 access list.
These commands configure ACL 12, then apply the ACL as the access list for Web management access. The device denies Web management access from the IP addresses listed in ACL 12 and permits Web management access from all other IP addresses.
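The two ACL shapes described above (ACL 10, permit entries only with no permit any, and ACL 12, deny entries followed by permit any) can be evaluated offline to confirm which management sources get through before the ACL is applied to Telnet, Web or SSH access. The following is an added example written for this page, not Brocade code. It assumes the usual standard-ACL semantics: entries are tried in order, a wildcard-mask bit of 1 means that address bit is ignored, the first matching entry decides, and an ACL that matches nothing denies. ACL 10 reproduces the guide's three lines, with the truncated third line assumed to end in 0.0.0.255; ACL 12 is hypothetical, built only to have the deny-then-permit-any shape the text describes.

```python
import ipaddress

IMPLICIT_DENY = ("deny", "implicit deny at end of ACL")


def _parse_target(tokens):
    """Return (network_int, wildcard_int) for 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return net, wild


def parse_standard_acl(config_lines):
    """Parse 'access-list <num> permit|deny ...' lines into {acl number: [entries]}.

    Each entry is (action, network_int, wildcard_int, original_line). Lines that
    are not access-list statements are ignored; malformed ones raise."""
    acls = {}
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        num, action = int(tokens[1]), tokens[2]
        if not 1 <= num <= 99 or action not in ("permit", "deny"):
            raise ValueError(f"not a valid standard ACL statement: {line!r}")
        net, wild = _parse_target(tokens[3:])
        acls.setdefault(num, []).append((action, net, wild, line))
    return acls


def evaluate(entries, source_ip):
    """First-match evaluation of a standard ACL against a source address.

    A wildcard-mask bit of 1 means 'do not care', so an address matches an
    entry when every bit outside the wildcard is equal. If no entry matches,
    the implicit deny at the end of every ACL applies."""
    addr = int(ipaddress.IPv4Address(source_ip))
    for action, net, wild, line in entries:
        if (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF):
            return action, line
    return IMPLICIT_DENY


# Constructed configuration. ACL 10 repeats the guide's restrictive example
# (its third line is assumed to end in 0.0.0.255); ACL 12 is a hypothetical
# ACL of the "deny the listed addresses, permit everyone else" shape.
CONFIG = [
    "access-list 10 permit host 209.157.22.32",
    "access-list 10 permit 209.157.23.0 0.0.0.255",
    "access-list 10 permit 209.157.24.0 0.0.0.255",
    "access-list 12 deny host 209.157.22.98",
    "access-list 12 deny 209.157.25.0 0.0.0.255",
    "access-list 12 permit any",
]


def management_decision(acl_number, source_ip, config=CONFIG):
    """Return 'permit' or 'deny' for a management connection from source_ip."""
    acls = parse_standard_acl(config)
    return evaluate(acls[acl_number], source_ip)[0]


if __name__ == "__main__":
    for ip in ("209.157.22.32", "209.157.23.77", "209.157.22.98", "10.0.0.5"):
        print(ip, "ACL 10:", management_decision(10, ip),
              "ACL 12:", management_decision(12, ip))
```

The run shows the difference the missing permit any makes: under ACL 10 a source such as 10.0.0.5 falls through every permit entry and is denied by the implicit deny, while under ACL 12 the same source is permitted because only the listed addresses are denied. The evaluate function also returns the entry that decided, which is the line to look at when a management session is unexpectedly refused.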
Configuring hardware-based remote access filtering on the device
The following is an example of configuring the device to perform hardware filtering for Telnet access.
Restricting SSH access to a specific IP address
To allow SSH access to the device only from the host with IP address 209.157.22.39, enter the following command.
BigIron RX(config)# ip ssh client 209.157.22.39
Syntax: [no] ip ssh client | ipv6
Restricting Web Management access to a specific IP address
To allow Web Management access to the device only from the host with IP address 209.157.22.26, enter the following command.
Restricting remote access to the device to specific VLAN IDs
You can restrict management access to a device to ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods:
• Telnet access
• Web management access
• SNMP access
• TFTP access
By default, access is allowed for all the methods listed above on all ports.
Restricting TFTP access to a specific VLAN
To allow TFTP access only to clients in a specific VLAN, enter a command such as the following.
BigIron RX(config)# tftp client enable vlan 40
The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
BigIron RX(config)# web-management
Syntax: [no] web-management
Disabling Web management access by HP ProCurve Manager
By default, TCP port 80 is enabled on the Brocade device. TCP port 80 (HTTP) allows access to the device's Web management interface. By default, TCP port 280 for HP Top tools is disabled. This tool allows access to the device by HP ProCurve Manager. The no web-management command disables both TCP ports.
Setting a Telnet password
By default, the device does not require a user name or password when you log in to the CLI using Telnet. To set the password "letmein" for Telnet access to the CLI, enter the following command at the global CONFIG level.
1. At the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode.
BigIron RX> enable
BigIron RX#
2. Access the CONFIG level of the CLI by entering the following command.
BigIron RX# configure terminal
BigIron RX(config)#
3. Enter the following command to set the Super User level password.
BigIron RX(config)# enable super-user-password
NOTE You must set the Super User level password before you can set other types of passwords.
BigIron RX(config)# privilege configure level 4 ip
In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration). All users with Port Configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands.
4. Enter no password at the prompt. (You cannot abbreviate this command.) This command causes the device to bypass the system password check.
5. Enter boot system flash primary at the prompt.
6. After the console prompt reappears, assign a new password.
Displaying the SNMP community string
If you want to display the SNMP community string, enter the following commands.
Setting up local user accounts

• Web Management access
• SNMP access

Local user accounts provide greater flexibility for controlling management access to the device than do management privilege level passwords and SNMP community strings of SNMP versions 1 and 2. You can continue to use the privilege level passwords and the SNMP community strings as additional means of access authentication.
The privilege parameter specifies the privilege level for the account. You can specify one of the following:

• 0 – Super User level (full read-write access)
• 4 – Port Configuration level
• 5 – Read Only level

The default privilege level is 0. If you want to assign Super User level access to the account, you can enter the command without privilege 0, as shown in the command example above.
Using the Web Management Interface

To change a local user password using the Web Management Interface, you must first delete the user account, then re-add it with the new password. Use the following procedure.

NOTE
Before you can change a local user account using the Web Management Interface, you must enable this capability by entering the CLI command "password-change any" at the global CONFIG level of the CLI.

1.
• Users must accept the message of the day when they log in.
• Users are locked out (disabled) if they fail to log in within three login attempts.
• The last 15 passwords are stored in the CLI.
• A password can be set to expire.
• Passwords are masked during password creation.
• Passwords must not share four or more consecutive characters with any other password configured on the device.
• Passwords that were previously used cannot be reused.
Enter a password such as TesT12$! that contains the required character combination.
The variable specifies the number of days before the password expires. Enter 1 – 365 days. The default is 90 days.

NOTE
The enable strict-password-enforcement command must be enabled before this command is configured. Otherwise, the following message is displayed: "Password expire time is enabled only if strict-password-enforcement is set".

Issue the show user command to display the password expiration date, as shown in bold in the following.
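The strict-password-enforcement rules listed above (15-entry history, no reuse, no four-character overlap with any other configured password, expiry of 1 to 365 days with a 90-day default, lockout after three failed logins) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the guide or the device; the character-class rule in has_required_mix is an assumption inferred from the guide's sample password TesT12$! (two of each class), and TODAY is a constructed date so the results are reproducible.

```python
"""Password-policy model for the strict-password-enforcement rules described above."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional
import string

HISTORY_DEPTH = 15         # the CLI stores the last 15 passwords
LOCKOUT_ATTEMPTS = 3       # three failed logins disable the account
DEFAULT_EXPIRE_DAYS = 90   # default expiry; the CLI accepts 1 - 365
SHARED_RUN = 4             # no 4+ consecutive characters shared with another password
TODAY = date(2011, 5, 20)  # constructed "current date" for reproducible results


def shares_run(a: str, b: str, n: int = SHARED_RUN) -> bool:
    """True if any n-character substring of a also appears in b."""
    if len(a) < n or len(b) < n:
        return False
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


def has_required_mix(pw: str) -> bool:
    """ASSUMED composition rule: at least two upper, two lower, two digits, two specials."""
    counts = (
        sum(c.isupper() for c in pw),
        sum(c.islower() for c in pw),
        sum(c.isdigit() for c in pw),
        sum(c in string.punctuation for c in pw),
    )
    return min(counts) >= 2


@dataclass
class LocalUser:
    name: str
    password: str = ""
    history: List[str] = field(default_factory=list)
    failures: int = 0
    locked: bool = False
    expires: Optional[date] = None


class PasswordPolicy:
    def __init__(self, expire_days: int = DEFAULT_EXPIRE_DAYS):
        self.users: Dict[str, LocalUser] = {}
        self.set_expire_days(expire_days)

    def set_expire_days(self, days: int) -> None:
        if not 1 <= days <= 365:
            raise ValueError("password expire time must be 1 - 365 days")
        self.expire_days = days

    def set_password(self, name: str, new: str, today: date = TODAY) -> str:
        user = self.users.setdefault(name, LocalUser(name))
        if not has_required_mix(new):
            return "rejected: character mix"
        if new == user.password or new in user.history:
            return "rejected: reused"
        for other in self.users.values():
            if other is not user and other.password and shares_run(new, other.password):
                return "rejected: shares 4+ characters with another password"
        if user.password:
            user.history = ([user.password] + user.history)[:HISTORY_DEPTH]
        user.password = new
        user.expires = today + timedelta(days=self.expire_days)
        return "accepted"

    def login(self, name: str, attempt: str, today: date = TODAY) -> str:
        user = self.users.get(name)
        if user is None or user.locked:
            return "denied"
        if user.expires is not None and today > user.expires:
            return "expired"
        if attempt == user.password:
            user.failures = 0
            return "ok"
        user.failures += 1
        if user.failures >= LOCKOUT_ATTEMPTS:
            user.locked = True
            return "locked"
        return "denied"
```

The overlap check runs against every other account's current password, which is why a password that is otherwise strong (TesT12$!XyZ) is refused once TesT12$! is in use elsewhere on the device.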
Configuring SSL security for the Web Management Interface

When enabled, the SSL protocol uses digital certificates and public-private key pairs to establish a secure connection to the device. Digital certificates serve to prove the identity of a connecting client, and public-private key pairs provide a means to encrypt data sent between the device and the client.
Syntax: [no] ip ssl certificate-data-file tftp

NOTE
If you import a digital certificate from a client, it can be no larger than 2048 bytes.

To import an RSA private key from a client using TFTP, enter a command such as the following.

BigIron RX(config)# ip ssl private-key-file tftp 192.168.9.
Configuring TACACS and TACACS+ security

How TACACS+ differs from TACACS

TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is an enhancement to the TACACS security protocol that uses TCP to ensure reliable delivery. TACACS+ improves on TACACS by separating the functions of authentication, authorization, and accounting (AAA) and by encrypting all traffic between the device and the TACACS+ server.
4. The device sends a request containing the username and password to the TACACS server.
5. The username and password are validated in the TACACS server’s database.
6. If the password is valid, the user is authenticated.

TACACS+ authentication

When TACACS+ authentication takes place, the following events occur.

1.
4. If the user is authorized to use the command, the command is executed.

TACACS+ accounting

TACACS+ accounting works as follows.

1. One of the following events occurs on the device:
• A user logs into the management interface using Telnet or SSH
• A user enters a command for which accounting has been configured
• A system event occurs, such as a reboot or reloading of the configuration file
2.
User action: User logs out of Telnet/SSH session
Applicable AAA operations:
  Command accounting (TACACS+): aaa accounting commands default start-stop
  EXEC accounting stop (TACACS+): aaa accounting exec default start-stop

User action: User enters system commands (for example, reload, boot system)
Applicable AAA operations:
  Command authorization (TACACS+): aaa authorization commands default
  Command accounting (TACACS+): aaa ac
• You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select TACACS+ as the primary authentication method for Telnet CLI access, but you cannot also select RADIUS authentication as a primary method for the same type of access. However, you can configure backup authentication methods for each access type.
Identifying the TACACS and TACACS+ servers

To use TACACS and TACACS+ servers to authenticate access to a device, you must identify the servers to the device. For example, to identify three TACACS and TACACS+ servers, enter commands such as the following.

BigIron RX(config)# tacacs-server host 207.94.6.161
BigIron RX(config)# tacacs-server host 207.94.6.191
BigIron RX(config)# tacacs-server host 207.94.6.
BigIron RX(config)# tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc
BigIron RX(config)# tacacs-server host 1.2.3.5 auth-port 49 authorization-only key def
BigIron RX(config)# tacacs-server host 1.2.3.
When you display the configuration of the device, the TACACS+ keys are encrypted.

BigIron RX(config)# tacacs-server key 1 abc
BigIron RX(config)# write terminal
...
tacacs-server host 1.2.3.5 auth-port 49
tacacs key 1 $!2d

NOTE
Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.
Within the authentication-method list, TACACS and TACACS+ is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If TACACS and TACACS+ authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.
BigIron RX(config)# aaa authentication enable implicit-user

Syntax: [no] aaa authentication enable implicit-user

Telnet/SSH prompts when the TACACS+ server is unavailable

When TACACS+ is the first method in the authentication method list, the device displays the login prompt received from the TACACS+ server.
Also note that in order for the aaa authorization exec default tacacs+ command to work, either the aaa authentication enable default tacacs+ command, or the aaa authentication login privilege-mode command must also exist in the configuration.
In the example above, the A-V pair configured for the Exec service is privlvl = 15. The BigIron RX uses the value in this A-V pair to set the user’s privilege level to 0 (super-user), granting the user full read-write access. In a configuration that has both a “foundry-privlvl” A-V pair and a non-“foundry-privlvl” A-V pair for the Exec service, the non-“foundry-privlvl” A-V pair is ignored.
AAA support for console commands

To enable AAA support for commands entered at the console, enter the following command.
• 4 – Records commands available at the Port Configuration level (port-config and read-only commands)
• 5 – Records commands available at the Read Only level (read-only commands)

Configuring TACACS+ accounting for system events

You can configure TACACS+ accounting to record when system events occur on the BigIron RX. System events include rebooting and when changes to the active configuration are made.
Syntax: ip tacacs source-interface ethernet | loopback | ve

The parameter is a loopback interface or virtual interface number. If you specify an Ethernet, the parameter is the port’s number (including the slot number, if you are configuring a device).

Displaying TACACS and TACACS+ statistics and configuration information

The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device.
TABLE 37 Output of the show aaa command for TACACS and TACACS+ (Continued)

Field: Tacacs+ Server
Description: For each TACACS and TACACS+ server, the IP address, port, and the following statistics are displayed:
  opens – Number of times the port was opened for communication with the server
  closes – Number of times the port was closed normally
  timeouts – Number of times port was closed due to a timeout
  errors – Number of times an error occurred while opening the port
  packets in – Number of
Configuring RADIUS security

RADIUS authentication

When RADIUS authentication takes place, the following events occur.

1. A user attempts to gain access to the BigIron RX by doing one of the following:
• Logging into the device using Telnet, SSH, or the Web management interface
• Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username and password.
3. The user enters a username and password.
4.
4. If the command list indicates that the user is authorized to use the command, the command is executed.

RADIUS accounting

RADIUS accounting works as follows.

1. One of the following events occurs on the BigIron RX:
• A user logs into the management interface using Telnet or SSH
• A user enters a command for which accounting has been configured
• A system event occurs, such as a reboot or reloading of the configuration file
2.
User action: User enters system commands (for example, reload, boot system)
Applicable AAA operations:
  Command authorization: aaa authorization commands default
  Command accounting: aaa accounting commands default start-stop
  System accounting stop: aaa accounting system default start-stop

User action: User enters the command: [no] aaa accounting system default start-stop
Applicable AAA operations:
  Command authorization: aa
• You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access. However, you can configure backup authentication methods for each access type.
TABLE 38 Brocade vendor-specific attributes for RADIUS

Attribute name: brocade-privilege-level
Attribute ID: 1
Data type: integer
Description: Specifies the privilege level for the user. This attribute can be set to one of the following:
  0 – Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
Identifying the RADIUS server to the BigIron RX

To use a RADIUS server to authenticate access to a BigIron RX, you must identify the server to the BigIron RX.

BigIron RX(config)# radius-server host 209.157.22.99

Syntax: radius-server host | [auth-port acct-port ]

The host | ipv6 | parameter is either an IP address or an ASCII text string.
Setting the RADIUS key

The key parameter in the radius-server command is used to encrypt RADIUS packets before they are sent over the network. The value for the key parameter on the BigIron RX should match the one configured on the RADIUS server. The key can be from 1 – 32 characters in length and cannot include any space characters. Use the command to specify a RADIUS server key.
Within the authentication-method list, RADIUS is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If RADIUS authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.
BigIron RX(config)# aaa authentication enable implicit-user

Syntax: [no] aaa authentication enable implicit-user

Configuring RADIUS authorization

The device supports RADIUS authorization for controlling access to management functions in the CLI.
Syntax: aaa authorization commands default radius | tacacs+ | none

The parameter can be one of the following:

• 0 – Authorization is performed (that is, the BigIron RX looks at the command list) for commands available at the Super User level (all commands)
• 4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
• 5 – Authorization is performed for commands available at
Configuring RADIUS accounting

The device supports RADIUS accounting for recording information about user activity and system events. When you configure RADIUS accounting on the device, information is sent to a RADIUS accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring an interface as the source for all RADIUS packets

You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all RADIUS packets from the device.
BigIron RX# show aaa
Tacacs+ key: brocade
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
                opens=6 closes=3 timeouts=3 errors=0
                packets in=4 packets out=4
                no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.
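The show aaa counters described in Table 37 (opens, closes, timeouts, errors, packets in/out, and the "no connection" marker) are what an operator polls to notice that an AAA server has silently gone away, which matters because a list of unreachable servers ends in whatever backup method follows. The parser below is an added example, not code from the guide: the sample text is constructed in the shape of the show aaa output above, with the TACACS+ server values taken from the guide and a second, RADIUS server added using an RFC 5737 documentation address and a constructed port line in the same layout.

```python
"""Parse show aaa server statistics and flag servers that need attention."""
import re
from typing import Dict, List

# Constructed sample patterned on the guide's show aaa output. The Radius
# Server line format and its address (192.0.2.10) are assumptions for the demo.
SAMPLE_SHOW_AAA = """\
Tacacs+ key: brocade
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
                opens=6 closes=3 timeouts=3 errors=0
                packets in=4 packets out=4
                no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 192.0.2.10 Port:1812:
                opens=12 closes=12 timeouts=0 errors=0
                packets in=12 packets out=12
"""

SERVER_RE = re.compile(r"^(Tacacs\+|Radius) Server: (\S+) Port:(\d+):")
STAT_RE = re.compile(r"(opens|closes|timeouts|errors|packets in|packets out)=(\d+)")


def parse_show_aaa(text: str) -> List[Dict]:
    """Return one dict per server block with its counters and connection flag."""
    servers: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            current = {
                "protocol": m.group(1),
                "ip": m.group(2),
                "port": int(m.group(3)),
                "no_connection": False,
            }
            servers.append(current)
            continue
        if current is None:
            continue  # global key/retries/timeout lines before the first server
        for key, val in STAT_RE.findall(line):
            current[key] = int(val)
        if "no connection" in line:
            current["no_connection"] = True
    return servers


def unhealthy_servers(servers: List[Dict]) -> List[str]:
    """Servers a monitor should alert on: unreachable, or timeouts/errors observed."""
    return [
        s["ip"] for s in servers
        if s["no_connection"] or s.get("timeouts", 0) > 0 or s.get("errors", 0) > 0
    ]
```

A monitoring job that runs show aaa on a schedule and feeds the output through unhealthy_servers catches the "timeouts=3 ... no connection" condition shown above before users start landing on the backup method.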
Configuring authentication-method lists

To implement one or more authentication methods for securing access to the device, you configure authentication-method lists that set the order in which the authentication methods are consulted.
Configuration considerations for authentication-method lists

Consider the following before configuring authentication-method lists:

• For CLI access, you must configure authentication-method lists if you want the device to authenticate access using local user accounts or a RADIUS server. Otherwise, the device will authenticate using only the locally based password for the Super User privilege level.
To configure an authentication-method list for the Privileged EXEC and CONFIG levels of the CLI, enter the following command.

BigIron RX(config)# aaa authentication enable default local

This command configures the device to use the local user accounts to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI.
TABLE 40 Authentication method values (Continued)

Method parameter: radius
Description: Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command.

Method parameter: none
Description: Do not use any authentication method. The device automatically permits access.
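The TACACS+ and RADIUS sections above both state the same rule for authentication-method lists: one primary method plus up to six backups, consulted in order, with the next method tried only when the current one fails due to an error. The model below is an added example written for this page, not the device's own code. The method names are the ones the guide uses (tacacs+, radius, local, none); the three backends are constructed stand-ins for real servers, and "error" models an unreachable server.

```python
"""Authentication-method list evaluation: fallback on error, not on reject."""
from typing import Callable, Dict, List, Tuple

MAX_METHODS = 7  # one primary method plus up to six backups
KNOWN_METHODS = {"tacacs+", "radius", "local", "none"}

# A backend answers "accept", "reject" or "error" (server unreachable).
Backend = Callable[[str, str], str]


def build_method_list(names: List[str]) -> List[str]:
    """Validate the entries of an aaa authentication ... method list."""
    if not 1 <= len(names) <= MAX_METHODS:
        raise ValueError("a method list holds 1 to 7 entries (primary + six backups)")
    unknown = [n for n in names if n not in KNOWN_METHODS]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    return list(names)


def method_list_ok(names: List[str]) -> bool:
    try:
        build_method_list(names)
        return True
    except ValueError:
        return False


def authenticate(methods: List[str], backends: Dict[str, Backend],
                 user: str, password: str) -> Tuple[str, str]:
    """Return (decision, deciding_method). Only an error moves on to the next method."""
    for name in methods:
        if name == "none":
            return "accept", "none"  # 'none' permits access unconditionally
        result = backends[name](user, password)
        if result == "error":
            continue  # server unreachable: consult the next method in the list
        return result, name  # accept or reject: evaluation stops here
    return "reject", "exhausted"  # every listed method failed with an error


# Constructed backends for the demonstration (not real servers)
def radius_unreachable(user: str, password: str) -> str:
    return "error"


def tacacs_plus(user: str, password: str) -> str:
    return "accept" if (user, password) == ("ops", "TesT12$!") else "reject"


def local_accounts(user: str, password: str) -> str:
    return "accept" if (user, password) == ("admin", "AbC9#8?dE") else "reject"


BACKENDS: Dict[str, Backend] = {
    "radius": radius_unreachable,
    "tacacs+": tacacs_plus,
    "local": local_accounts,
}
```

The admin case is the one worth noticing: with radius down and tacacs+ reachable, tacacs+ rejects the local-only credentials and the list stops there, so a local account placed after a reachable server is never consulted. Placing none anywhere in the list permits access the moment evaluation reaches it.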
Chapter 5 Configuring Basic Parameters

This chapter describes how to configure basic system parameters. The software comes with default parameters to allow you to begin using the basic features of the system immediately. However, many advanced features, such as VLANs or routing protocols for the router, must first be enabled at the system (global) level before they can be configured. You can find system level parameters at the Global CONFIG level of the CLI.
Configuring Simple Network Management Protocol traps

This section explains how to do the following:

• Specify an SNMP trap receiver.
• Specify a source address and community string for all traps that the device sends.
• Change the holddown time for SNMP traps.
• Disable individual SNMP traps. (All traps are enabled by default.
The port parameter specifies the UDP port that will be used to receive traps. This parameter allows you to configure several trap receivers in a system. With this parameter, IronView Network Manager and another network management application can coexist in the same system. The device can be configured to send copies of traps to more than one network management application.
You can change the holddown time to a value from one second to ten minutes. To change the holddown time for SNMP traps, enter a command such as the following at the global CONFIG level of the CLI.

BigIron RX(config)# snmp-server enable traps holddown-time 30

The command changes the holddown time for SNMP traps to 30 seconds. The device waits 30 seconds to allow convergence in STP and OSPF before sending traps to the SNMP trap receiver.
Disabling Syslog messages and traps for CLI access

The device sends Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI. The feature, enabled by default, applies to users whose access is authenticated by an authentication-method list based on a local user account, RADIUS server, or TACACS and TACACS+ server.
The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.

Disabling the Syslog messages and traps

Logging of CLI access is enabled by default. To disable logging of CLI access, enter the following commands.
BigIron RX(config)# interface ethernet 1/4
BigIron RX(config-if-e10000-1/4)# ip address 209.157.22.110/24
BigIron RX(config-if-e10000-1/4)# exit
BigIron RX(config)# ip telnet source-interface ethernet 1/4

Cancelling an outbound Telnet session

If you want to cancel a Telnet session from the console to a remote Telnet server (for example, if the connection is frozen), you can terminate the Telnet session by doing the following.

1.
The commands in this example configure virtual interface 1, assign IP address 10.0.0.4/24 to the interface, then designate the interface's address as the source address for all Syslog packets.

Syntax: [no] ip syslog source-interface ethernet [/] | loopback | ve

The parameter is a loopback interface or virtual interface number.
Specifying a Simple Network Time Protocol (SNTP) server

TABLE 41 Output from the show sntp associations command

This field... | Displays...
Setting the system clock

In addition to SNTP support, the device also allows you to set the system time counter. It starts the system time and date clock with the time and date you specify. The time counter setting is not retained across power cycles and is not automatically synchronized with an SNTP server.

NOTE
To synchronize the time counter with your SNTP server time, enter the sntp sync command from the Privileged EXEC level of the CLI.
• GMT + 10:30
• GMT + 09:30
• GMT + 06:30
• GMT + 05:30
• GMT + 04:30
• GMT + 03:30
• GMT - 03:30
• GMT - 08:30
• GMT - 09:30

To change the time zone to Australian East Coast time (which is normally 10 hours ahead of GMT), enter the following command.
Configuring CLI banners

Setting a message of the day banner

You can configure the device to display a message on a user’s terminal when he or she establishes a Telnet CLI session. For example, to display the message “Welcome to BigIron RX!” when a Telnet CLI session is established.

BigIron RX(config)# banner motd $ (Press Return)
Enter TEXT message, End with the character '$'.
Welcome to BigIron RX!! $

A delimiting character is established on the first line of the banner motd command.
As with the banner motd command, you begin and end the message with a delimiting character; in this example, the delimiting character is # (pound sign). To remove the banner, enter the no banner exec_mode command.

Syntax: [no] banner exec_mode

Displaying a message on the console when an incoming Telnet session is detected

You can configure the device to display a message on the Console when a user establishes a Telnet session.
BigIron RX(config)# show terminal
Length: 24 lines
Page display mode (session): enabled
Page display mode (global): enabled

Syntax: show terminal

Enabling or disabling routing protocols

The BigIron RX supports the following protocols:

• BGP4
• DVMRP
• FSRP
• IP
• OSPF
• PIM
• RIP
• VRRP
• VRRPE

By default, IP routing is enabled on the device. All other protocols are disabled, so you must enable them to configure and use them.
Displaying and modifying system parameter default settings

• ARP entries
• IP routes
• IP route filters
• IP subnets per port and per device
• Static routes

The tables you can configure as well as the defaults and valid ranges for each table differ depending on the device you are configuring.

NOTE
If you increase the number of subnet addresses you can configure on each port to a higher amount, you might also need to increase the total number of subnets that you can configure on the device.
BigIron RX# show default values
sys log buffers:50   mac age time:300 sec   ip arp age:10 min   ip addr per intf:24   bootp relay max hops:4
when multicast enabled :
igmp group memb.:140 sec
when ospf enabled :
ospf dead:40 sec   ospf transit delay:1 sec
when bgp enabled :
bgp local pref.:100   bgp metric:10   bgp ext.
Information for the configurable tables appears under the columns shown in bold type. To simplify configuration, the command parameter you enter to configure the table is used for the table name. For example, to increase the capacity of the IP route table, enter the following commands.
Enabling or disabling Layer 2 switching

To globally disable Layer 2 switching on the device, enter commands such as the following.

BigIron RX(config)# route-only
BigIron RX(config)# exit
BigIron RX# write memory
BigIron RX# reload

To re-enable Layer 2 switching globally, enter the following.
CAM partitioning for the BigIron RX

The total amount of CAM entries available is 1024 for each packet processor. If you want to configure 600 for ACLs, 168 for PBR and Rate Limiters, and 256 for IPv6 multicast forwarding entries, enter commands such as the following.

BigIron RX(config)# cam-partition rw session 768
BigIron RX(config)# cam-partition rw session rule-partition 600

If you want to configure 2 ACL entries and 2 IPv6 entries and 1020 Rate Limiting entries, enter a command such as the following.
As of release 02.4.00, the Nexthop table is user configurable. If the router is installed in a network where there are many directly connected hosts, then the size of the one-path partition should be increased. To configure the partition, use a command such as the following.

BigIron RX(config)# cam-partition next-hop 2048 1024 512 512

The above command partitions the next-hop table into 2048 one-path, 1024 two-path, 512 four-path and 512 eight-path entries.
Pinging an IPv4 address

To verify that a BigIron RX device can reach another device through the network, enter a command such as the following at any level of the CLI on the BigIron RX device:

BigIron RX> ping 192.33.4.
U = Indicates that a destination unreachable error PDU was received.
I = Indicates that the user interrupted ping.

NOTE
The number of ! characters displayed may not correspond to the number of successful replies by the ping command. Similarly, the number of . characters displayed may not correspond to the number of server timeouts that occurred while waiting for a reply. The "success" or "timeout" results are shown in the display as “Success rate is XX percent (X/Y)".
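The note above matters for anyone scripting reachability checks against the CLI: the per-probe characters are not a reliable count, so a check has to read the "Success rate is XX percent (X/Y)" line instead. The parser below is an added example, not code from the guide; the sample output is constructed (the header lines and the documentation address 192.0.2.1 are assumptions) and deliberately shows more ! characters than replies the summary reports, so the mismatch the note warns about is visible.

```python
"""Read BigIron ping output from the summary line, not from counting glyphs."""
import re
from typing import Dict

# Constructed sample: the glyph line shows four '!' while the summary says 3/5,
# mirroring the guide's warning that the two need not agree.
SAMPLE_PING = """\
Sending 5, 16-byte ICMP Echo to 192.0.2.1, timeout 5000 msec
Type Control-c to abort
!!.U!!
Success rate is 60 percent (3/5), round-trip min/avg/max=1/1/2 ms.
"""

SUMMARY_RE = re.compile(r"Success rate is (\d+) percent \((\d+)/(\d+)\)")
CODES = {"!": "reply", ".": "timeout", "U": "unreachable", "I": "interrupted"}


def parse_ping(output: str) -> Dict:
    """Return the summary numbers plus the per-glyph tallies and whether they agree."""
    result: Dict = {
        "glyphs": {},
        "success_pct": None,
        "received": None,
        "sent": None,
        "glyphs_match_summary": None,
    }
    for line in output.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            pct, received, sent = (int(g) for g in m.groups())
            result.update(success_pct=pct, received=received, sent=sent)
            continue
        stripped = line.strip()
        # A progress line consists only of the documented status characters.
        if stripped and all(c in CODES for c in stripped):
            for c in stripped:
                name = CODES[c]
                result["glyphs"][name] = result["glyphs"].get(name, 0) + 1
    if result["received"] is not None:
        result["glyphs_match_summary"] = (
            result["glyphs"].get("reply", 0) == result["received"]
        )
    return result


def reachable(output: str, min_success_pct: int = 100) -> bool:
    """Decide reachability from the summary line only; glyph counts are ignored."""
    parsed = parse_ping(output)
    return parsed["success_pct"] is not None and parsed["success_pct"] >= min_success_pct
```

reachable() returns False when no summary line is present at all (for example, a session that was cut off), which is the safer default for a health check.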
Chapter 6 Configuring Interface Parameters

Assigning a port name

NOTE
To modify Layer 2, Layer 3, or Layer 4 features on a port, refer to the appropriate section in this chapter or other chapters. For example, to modify Spanning Tree Protocol (STP) parameters for a port, refer to “Changing STP port parameters” on page 330. To configure trunk groups or dynamic link aggregation, refer to Chapter 8, “Link Aggregation”.
Speed/Duplex negotiation

Speed/Duplex Negotiation detects the speed (10 Mbps, 100 Mbps, 1000 Mbps) and duplex (half-duplex or full-duplex) settings of the device on the other end of the wire and subsequently adjusts to match those settings. Each of the 10/100/1000BaseTX ports is designed to auto-sense and auto-negotiate the speed and mode of the connected device. If the attached device does not support this operation, you can manually enter the port speed.
BigIron RX(config)# interface ethernet 2/4
BigIron RX(config-if-e10000-2/4)# speed-duplex 1000-slave

Syntax: [no] speed-duplex {auto | 1000-master | 1000-slave | 1000-full | 100-full | 100-half | 10-full | 10-half}

auto - Autonegotiation
1000-master - Forces 1000 Mbps master port
1000-slave - Forces 1000 Mbps slave port
1000-full - Forces 1000 Mbps full-duplex operation
1000-half - Forces 100 Mbps half-duplex operation
100-full - Forces 100 Mbps full-duplex operation
100-hal
• neg-full-auto – The port first tries to perform a negotiation with its peer port to exchange capability information. If the other port does not respond, the port reverts to the Negotiation-off state.
• auto-gig – The port tries to perform a negotiation with its peer port to exchange capability information. If it is unable to reach an agreed-upon speed, it brings the link down. This is the default state.
Disabling or re-enabling flow control

The device generates 802.3x PAUSE frames when the number of buffers available to a module's Buffer Manager (BM) drops below a threshold value. A module's BM can start running out of buffers when a port receives more traffic than it can handle. In addition, the device drops the lowest priority traffic when the number of available buffers drops below a second threshold.
NOTE
With the wait-for-all-cards command enabled, 10G ports will come up before 1G ports because Multi-Service IronWare software processes 10G port state changes first.

Port transition hold timer

Using the delay-link-event command will delay the sending of port "up" or "down" events to Layer 2 protocols.
• The sampling time or window (the time during which the specified toggle threshold can occur before the wait period is activated) is triggered when the first "up to down" transition occurs.
• "Up to down" transitions include UDLD-based toggles, as well as the physical link state.

Configuring port flap dampening on an interface

This feature is configured at the interface level.
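Port flap dampening, as the two bullets above describe it, is a small state machine: the first up-to-down transition opens a sampling window, and if the toggle threshold is reached inside that window the port is held down for the wait period. The class below is an added example modelling that behaviour, not the device's own code or CLI; the parameter names toggle_threshold, sampling_seconds and wait_seconds are assumptions chosen for the demonstration, and the event times are constructed.

```python
"""Port flap dampening model: sampling window, toggle threshold, wait period."""
from typing import Optional


class FlapDampener:
    def __init__(self, toggle_threshold: int, sampling_seconds: float, wait_seconds: float):
        if toggle_threshold < 1 or sampling_seconds <= 0 or wait_seconds <= 0:
            raise ValueError("all dampening parameters must be positive")
        self.toggle_threshold = toggle_threshold   # up-to-down transitions allowed in a window
        self.sampling_seconds = sampling_seconds   # window opened by the first transition
        self.wait_seconds = wait_seconds           # how long the port stays held down
        self.window_start: Optional[float] = None
        self.toggles = 0
        self.held_until: Optional[float] = None    # end of the active wait period, if any

    def is_held_down(self, now: float) -> bool:
        return self.held_until is not None and now < self.held_until

    def link_down(self, now: float) -> str:
        """Record an up-to-down transition (physical or UDLD-based) at time `now` (seconds)."""
        if self.is_held_down(now):
            return "held-down"
        # The window starts with the first transition; a transition arriving after the
        # window has expired opens a fresh window rather than extending the old one.
        if self.window_start is None or now - self.window_start > self.sampling_seconds:
            self.window_start = now
            self.toggles = 0
        self.toggles += 1
        if self.toggles >= self.toggle_threshold:
            self.held_until = now + self.wait_seconds
            self.window_start = None
            self.toggles = 0
            return "held-down"
        return "down"

    def link_up(self, now: float) -> str:
        """A down-to-up transition is honoured only once the wait period has elapsed."""
        return "held-down" if self.is_held_down(now) else "up"
```

With a threshold of 3 in a 10-second window and a 30-second wait, three transitions at t=1, 4 and 8 hold the port down until t=38, while transitions 12 seconds apart never accumulate.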
Modifying port priority (QoS)

You can give preference to the inbound traffic on specific ports by changing the Quality of Service (QoS) level on those ports. For information and procedures, refer to Chapter 18, “Configuring Quality of Service”.

Assigning a mirror port and monitor ports

You can monitor traffic on Brocade ports by configuring another port to “mirror” the traffic on the ports you want to monitor.
NOTE
You cannot monitor outbound one-armed router traffic.

NOTE
Mirror (analyzer) ports cannot be assigned to the 16x10 card. You can monitor traffic on 16x10 ports.
The following example configures two mirror ports on the same module and one mirror port on another module. It illustrates how inbound traffic is mirrored to the two mirror ports on the same module even if the traffic is configured to be mirrored to only one mirror port on the module.
Monitoring an individual trunk port

BigIron RX(config)# mirror ethernet 2/1
BigIron RX(config)# trunk switch ethernet 4/1 to 4/8
BigIron RX(config-trunk-4/1-4/8)# config-trunk-ind
BigIron RX(config-trunk-4/1-4/8)# monitor ethe-port-monitored 4/5 ethernet 2/1 in

Syntax: [no] config-trunk-ind

Syntax: [no] monitor ethe-port-monitored | named-port-monitored ethernet / in | out | both

The config-trunk-ind command enables configuration of individual ports
Mirror ports for Policy-Based Routing (PBR) traffic

Configuring mirror ports for PBR traffic

When you configure a physical or virtual port to act as a mirror port for PBR traffic, outgoing packets that match the permit Access Control List (ACL) clause in the route map are copied to the mirror ports that you specify. You can specify up to four mirror ports for each PBR route map instance.
Displaying mirror and monitor port configuration

Syntax: show monitor config

This output does not display the input traffic mirrored to mirror port 1/2 from port 3/1 and mirrored to mirror port 1/1 from port 4/1 because the mirroring of this traffic is not explicitly configured. To display the actual traffic mirrored to each mirror port, enter the following command at any level of the CLI.
Chapter 7 Configuring IP

Overview of configuring IP

The Internet Protocol (IP) is enabled by default. This chapter describes how to configure IP parameters on the device.

The IP packet flow

Figure 5 shows how an IP packet moves through a device.

FIGURE 5 IP packet flow through a device
[Figure: Incoming port -> IP ACLs (hardware): Deny -> Drop; Permit -> PBR (hardware) -> IP route table (software), selected by lowest admin. distance and lowest metric (RIP shown as an example source); ARP table (software) and static ARP table]
1. When the device receives an IP packet, the device checks for IP ACL filters on the receiving interface. If a deny filter on the interface denies the packet, the device discards the packet and performs no further processing. If logging is enabled for the filter, then the device generates a Syslog entry and SNMP trap message.
2. If the packet is not denied, the device checks for Policy Based Routing (PBR).
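The ordering in the steps above and in Figure 5 (inbound ACL first, then PBR, then the route table) is the reason an ACL deny is the cheapest place to stop unwanted traffic: a denied packet never reaches the routing logic, and a logged deny is the only trace it leaves. The model below is an added example, not the device's own code. It treats the route table selection as longest matching prefix, then lowest administrative distance, then lowest metric (the two selection labels visible in the figure); the implicit deny at the end of the ACL, the per-protocol distance values and all addresses (RFC 5737 documentation ranges) are assumptions constructed for the demonstration.

```python
"""Simplified model of the inbound IP packet flow: ACL, then PBR, then route table."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    network: ipaddress.IPv4Network
    log: bool = False            # generate a Syslog entry / SNMP trap on deny


@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: str
    admin_distance: int
    metric: int
    source: str


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


def acl_decision(acl: List[AclEntry], dst: ipaddress.IPv4Address) -> Tuple[str, bool]:
    """First matching entry wins; ASSUMED implicit deny when nothing matches."""
    for entry in acl:
        if dst in entry.network:
            return entry.action, entry.log
    return "deny", False


def best_route(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest prefix, then lowest administrative distance, then lowest metric."""
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.admin_distance, r.metric))


def forward(dst_ip: str, acl: List[AclEntry], pbr: List[Tuple[ipaddress.IPv4Network, str]],
            table: List[Route], log: List[str]) -> Tuple[str, Optional[str]]:
    """Return (disposition, next_hop) for a packet to dst_ip, appending deny logs to `log`."""
    dst = ipaddress.IPv4Address(dst_ip)
    action, log_it = acl_decision(acl, dst)
    if action == "deny":
        if log_it:
            log.append(f"ACL denied packet to {dst}")  # stands in for the Syslog/trap message
        return "drop", None                            # no further processing
    for network, next_hop in pbr:                      # PBR consulted only for permitted packets
        if dst in network:
            return "pbr", next_hop
    route = best_route(table, dst)
    if route is None:
        return "drop", None
    return f"route:{route.source}", route.next_hop


# Constructed configuration for the demonstration
ACL = [AclEntry("deny", net("10.1.2.0/24"), log=True), AclEntry("permit", net("10.0.0.0/8"))]
PBR = [(net("10.9.0.0/16"), "198.51.100.1")]
ROUTES = [
    Route(net("10.0.0.0/8"), "192.0.2.1", 1, 1, "static"),
    Route(net("10.1.0.0/16"), "192.0.2.2", 120, 3, "rip"),
    Route(net("10.1.0.0/16"), "192.0.2.3", 110, 10, "ospf"),
]
```

The 10.1.5.5 case shows the tie-break: both /16 routes match, and the OSPF route wins on administrative distance even though its metric is larger.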
The software places an entry from the static ARP table into the ARP cache when the entry’s interface comes up. Here is an example of a static ARP entry.

Index | IP Address   | MAC Address    | Port
1     | 207.95.6.111 | 0800.093b.d210 | 1/1

Each entry lists the information you specified when you created the entry.
To configure a static IP route, refer to “Configuring static routes” on page 198. To clear a route from the IP route table, refer to “Clearing IP routes” on page 231. To increase the size of the IP route table for learned and static routes, refer to “Displaying and modifying system parameter default settings” on page 130.

• For learned routes, modify the ip-route parameter.
• For static routes, modify the ip-static-route parameter.
When parameter changes take effect

Most IP parameters described in this chapter are dynamic. They take effect immediately, as soon as you enter the CLI command. You can verify that a dynamic change has taken effect by displaying the running configuration. To display the running configuration, enter the show running-config or write terminal command at any CLI prompt.
TABLE 43 IP global parameters (continued)

ARP rate limiting: Lets you specify a maximum number of ARP packets the device will accept each second. If the device receives more ARP packets than you specify, the device drops the additional ARP packets for the remainder of the one-second interval. Default: Disabled. See page 188.

ARP age: The amount of time the device keeps a MAC address learned through ARP in the device's ARP cache.

ICMP Router Discovery Protocol (IRDP): An IP protocol a router can use to advertise the IP addresses of its router interfaces to directly attached hosts.

Static route: An IP route you place in the IP route table. Default: No entries. See page 198.

Source interface: The IP address the router uses as the source address for Telnet, RADIUS, or TACACS and TACACS+ packets originated by the router. The router can select the source address based on either of the following:
• The lowest-numbered IP address on the interface the packet is sent on.
TABLE 44 IP interface parameters (continued)

DHCP gateway stamp: The router can help DHCP/BootP Discovery packets from one subnet reach DHCP/BootP servers on a different subnet by placing the IP address of the router interface that receives the request in the request packet's Gateway (giaddr) field. You can override the default and specify the IP address to use for the Gateway field in the packets.
NOTE
Once you configure a virtual routing interface on a VLAN, you cannot configure Layer 3 interface parameters on individual ports in the VLAN. Instead, you must configure the parameters on the virtual routing interface itself. Also, once an IP address is configured on an interface, the hardware is programmed to route all IP packets received on that interface. Consequently, IP packets received on the interface that are not destined for this device's MAC address are dropped rather than bridged.
Assigning an IP address to a loopback interface

Loopback interfaces are always up, regardless of the states of physical interfaces. They can add stability to the network because they are not subject to the route flap problems that can occur due to unstable links between a device and other devices. You can configure up to eight loopback interfaces on a device. You can add up to 24 IP addresses to each loopback interface.
Syntax: interface ve

The parameter specifies the virtual interface number. You can specify from 1 to the maximum number of virtual interfaces supported on the device. To display the maximum number of virtual interfaces supported on the device, enter the show default values command. The maximum is listed in the System Parameters section, in the Current column of the virtual-interface row.
GRE IP tunnel

The BigIron RX allows the tunneling of packets of the following protocols over an IP network using the Generic Routing Encapsulation (GRE) mechanism described in RFC 2784:
• OSPF
• BGP
• IS-IS point-to-point

Using this feature, packets of these protocols are encapsulated inside a transport protocol packet at the tunnel source and delivered to the tunnel destination, where they are de-encapsulated and made available for delivery. Figure 6 describes the GRE header format.
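Because Figure 6 is not reproduced here, the following Python is an added worked example (not Brocade code) of the RFC 2784 header layout the figure describes: 16 bits holding the C flag, reserved bits and version, then a 16-bit Protocol Type, with an optional checksum word when C is set. The decapsulation side shows the checks a tunnel endpoint applies before it hands the inner packet on: version and reserved bits must be zero and, when present, the checksum must verify. The sample payload in the usage below is a constructed byte string, not a capture.

```python
import struct

GRE_PROTO_IPV4 = 0x0800            # Protocol Type carries an EtherType; 0x0800 for an IPv4 payload
GRE_FLAG_C = 0x8000                # bit 0 of the first 16 bits: Checksum Present
GRE_RESERVED0_MUST_BE_ZERO = 0x7C00  # bits 1-5; RFC 2784 2.3.1: receiver MUST discard if set
GRE_VERSION_MASK = 0x0007          # bits 13-15: version, MUST be zero for RFC 2784 GRE


def _inet_checksum(data):
    """RFC 1071 one's-complement checksum over data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload, protocol=GRE_PROTO_IPV4, with_checksum=False):
    """Prepend the RFC 2784 header: C | Reserved0 | Ver | Protocol Type [| Checksum | Reserved1]."""
    flags = GRE_FLAG_C if with_checksum else 0
    header = struct.pack("!HH", flags, protocol)
    if with_checksum:
        # The checksum covers the GRE header (checksum field zero) and the payload; Reserved1 is 0.
        csum = _inet_checksum(header + b"\x00\x00\x00\x00" + payload)
        header += struct.pack("!HH", csum, 0)
    return header + payload


def gre_decapsulate(packet):
    """Validate and strip the GRE header, returning (protocol, payload).
    Raises ValueError for the cases a tunnel endpoint must reject instead of forwarding."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    if flags & GRE_RESERVED0_MUST_BE_ZERO:
        raise ValueError("reserved bits set")
    offset = 4
    if flags & GRE_FLAG_C:
        if len(packet) < 8:
            raise ValueError("truncated GRE header")
        # With the checksum field included, a valid header plus payload sums to zero.
        if _inet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        offset = 8
    return protocol, packet[offset:]


def gre_reject_reason(packet):
    """None if the packet would be accepted, otherwise the reason it is discarded."""
    try:
        gre_decapsulate(packet)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed inner packet (an IPv4-header-shaped byte string), wrapped and unwrapped.
    inner = bytes.fromhex("4500001c0001000040010000c0a80101c0a80102") + b"\x08\x00" + b"\x00" * 6
    outer = gre_encapsulate(inner, with_checksum=True)
    print(outer[:8].hex(), gre_decapsulate(outer)[0] == GRE_PROTO_IPV4)
    print(gre_reject_reason(b"\x00\x01\x08\x00"))
```

The OSPF, BGP and IS-IS packets the tunnel carries are simply the payload here; the endpoint never looks inside them until the GRE checks pass.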
• GRE encapsulation
• Loopback address for the tunnel (required for de-encapsulation)
• IP address for the tunnel

NOTE
Sustained rates of small packet sizes may affect the ability of a 10 Gigabit Ethernet port to maintain line-rate GRE encapsulation and de-encapsulation performance.

Configuring a tunnel interface

To configure a tunnel interface, use the following command.
Configuring a loopback port for a tunnel interface

On the device, a loopback port is required for de-encapsulating a packet exiting the tunnel. Fiber-optic components must be present on the interface module for the loopback port to work. Therefore, consider the following configuration rules for a loopback port:
• 1-Gigabit copper ports should not be configured as loopback ports.
• 1-Gigabit and 10-Gigabit fiber ports can be configured as loopback ports.
FIGURE 7 GRE IP tunnel configuration example
[Diagram labels: BigIron RX A, port3/1 36.0.8.108, 10.10.1.0/24; tunnel 1, 10.10.3.1, Internet, 10.10.3.0, 10.10.3.2; 10.10.2.0/24, port5/1 131.108.5.2, BigIron RX B]

Configuration example for BigIron RX A

BigIron RX(config)# interface ethernet 3/1
BigIron RX(config-if-e1000-3/1)# ip address 36.0.8.
Syntax: show ip interface tunnel

This display shows the following information.

TABLE 45 CLI display of interface IP configuration information
Interface: The tunnel and tunnel number.
IP-Address: The IP address of the tunnel interface.
OK?: Whether the IP address has been configured on the tunnel interface.
Method: Whether the IP address has been saved in NVRAM.
IPv6 over IPv4 tunnels in hardware

To enable communication between isolated IPv6 domains using the IPv4 infrastructure, you can configure IPv6 over IPv4 tunnels. Brocade supports the following IPv6 over IPv4 tunneling mechanisms in hardware:
• Manually configured tunnels

In general, a manually configured tunnel establishes a permanent link between routers in IPv6 domains.
BigIron RX(config)# interface tunnel 1
BigIron RX(config-tnif-1)# tunnel source ethernet 3/1
BigIron RX(config-tnif-1)# tunnel destination 198.162.100.1
BigIron RX(config-tnif-1)# tunnel mode ipv6ip
BigIron RX(config-tnif-1)# ipv6 address 2001:b78:384d:34::/64 eui-64

This example creates tunnel interface 1 and assigns it a global IPv6 address with an automatically computed EUI-64 interface ID.
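How the EUI-64 interface ID is computed is not spelled out above, so here is an added Python example (not Brocade code) that derives it from a MAC address as RFC 4291, Appendix A specifies, applies it to the 2001:b78:384d:34::/64 prefix from the example, and shows the caveat that matters to a security review: the hardware address is recoverable from the resulting address. The MAC 0800.093b.d210 is borrowed from the static ARP example earlier in this chapter; pairing it with this tunnel is an assumption made for illustration.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A): split the
    OUI and device halves, insert 0xFFFE between them, and flip the universal/local bit (0x02 in
    the first octet). Accepts Brocade dotted (0800.093b.d210), colon or dash notation."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("expected a 48-bit MAC address")
    b = bytearray.fromhex(digits)
    eui = b[:3] + b"\xff\xfe" + b[3:]
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Address an interface configured with `ipv6 address <prefix>/64 eui-64` would take."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_eui64(address):
    """Recover the MAC from an EUI-64 address, or None if the interface ID is not EUI-64 shaped.
    This is the privacy caveat of eui-64: the hardware address is readable off the wire, and it
    stays constant across prefixes, so the interface can be tracked."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    raw = (b[:3] + b[5:]).hex()
    return ".".join(raw[i:i + 4] for i in range(0, 12, 4))


if __name__ == "__main__":
    addr = eui64_address("2001:b78:384d:34::/64", "0800.093b.d210")
    print(addr, "->", mac_from_eui64(addr))
```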
BigIron RX# show ipv6 tunnel
IP6 Tunnels
Tunnel  Mode        Packet Received  Packet Sent
1       configured  0                0
2       configured  0                22419

Syntax: show ipv6 tunnel

This display shows the following information.

TABLE 46 IPv6 tunnel information
Tunnel: The tunnel interface number.
Mode: The tunnel mode. Possible modes include the following:
• configured – Indicates a manually configured tunnel.
• 6to4 – Indicates an automatic 6to4 tunnel.
TABLE 47 IPv6 tunnel interface information (continued)
Tunnel source: The tunnel source can be one of the following:
• An IPv4 address
• The IPv4 address associated with an interface or port
Tunnel destination: The tunnel destination can be an IPv4 address.
Tunnel mode: The tunnel mode can be one of the following:
• ipv6ip auto-tunnel – Indicates an automatic IPv4-compatible tunnel.
• ipv6ip 6to4 – Indicates an automatic 6to4 tunnel.
Configuring Domain Name Server (DNS) resolver

The DNS resolver lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a device and thereby recognize all hosts within that domain. After you define a domain name, the device automatically appends the appropriate domain to the host name and forwards it to the domain name server. For example, if the domain “newyork.
Use the no form of the command to remove a domain name from the domain list.

Displaying the domain name list

To determine what domain names have been configured in the domain list, enter the following command.

BigIron RX(config)# show ip dns domain-list
Total number of entries : 3
Primary Domain Name:
Domain Name List:
  seq:4   eng.company.co
  seq:5   facilities.company.com
  seq:12. support.company.
Static cache entries

You can manually add entries to the DNS cache table if you know a host's complete, qualified name and its IP address. To add host names and their IP addresses to the DNS cache table, enter commands such as the following.

BigIron RX(config)# ip dns cache-entry www.brocade.com 63.236.63.244 720

Syntax: [no] ip dns cache-entry

Complete, qualified name. For example, enter www.company.com or host.company.com.
TABLE 48 The show ip dns cache-table output
Host: The complete, qualified domain name of the host.
Flag: Indicates whether the entry is dynamic or static and whether the information for the domain is up to date:
• TMP – Entry is dynamic
• STA – Entry is static
• OK – Information for the entry is up to date
• EX – The entry has expired and will not be used. Such an entry is deleted from the cache table at the next cache poll refresh.
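An added Python model (not Brocade code) of the resolver behaviour described in this section: a name is tried as given and then with each domain-list entry appended in ascending seq order, and the cache holds static (STA) entries that never expire and dynamic (TMP) entries that become EX when their TTL elapses and are purged at the next poll. Assumptions: the cache-entry TTL argument (720 in the example above) is treated as seconds, since the page does not state the unit; the zone data and the company domain names are constructed; and a learned answer never overwrites a static entry, which the page does not state.

```python
import time


class DnsCache:
    """Model of the DNS cache table: static entries (STA) never expire; dynamic entries (TMP)
    carry a TTL, are flagged EX once it elapses, and are purged at the next poll."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be tested deterministically
        self._entries = {}           # host -> [ip, is_static, expires_at or None]

    def add_static(self, host, ip):
        self._entries[host.lower()] = [ip, True, None]

    def add_dynamic(self, host, ip, ttl_seconds):
        host = host.lower()
        if host in self._entries and self._entries[host][1]:
            return False             # assumption: a network answer never replaces a static entry
        self._entries[host] = [ip, False, self._now() + ttl_seconds]
        return True

    def flags(self, host):
        """The Flag column: "STA OK", "TMP OK" or "TMP EX"; None if the host is not cached."""
        e = self._entries.get(host.lower())
        if e is None:
            return None
        if e[1]:
            return "STA OK"
        return "TMP OK" if self._now() < e[2] else "TMP EX"

    def lookup(self, host):
        """Cached address, or None if absent or expired (an EX entry is not used)."""
        e = self._entries.get(host.lower())
        if e is None or (not e[1] and self._now() >= e[2]):
            return None
        return e[0]

    def poll(self):
        """Cache poll refresh: delete expired dynamic entries, returning the names removed."""
        expired = [h for h, e in self._entries.items() if not e[1] and self._now() >= e[2]]
        for h in expired:
            del self._entries[h]
        return expired


class Resolver:
    """Applies the domain list: an unqualified name is tried as given, then with each configured
    domain appended in ascending seq order, consulting the cache before the (simulated) server."""

    def __init__(self, cache, domain_list, query):
        self.cache = cache
        self.domains = [d for _, d in sorted(domain_list)]   # (seq, domain) pairs, seq order
        self.query = query           # callable(fqdn) -> (ip, ttl) or None; stands in for the server

    def candidates(self, name):
        return [name] + ["%s.%s" % (name, d) for d in self.domains]

    def resolve(self, name):
        for fqdn in self.candidates(name):
            ip = self.cache.lookup(fqdn)
            if ip:
                return fqdn, ip
            answer = self.query(fqdn)
            if answer:
                ip, ttl = answer
                self.cache.add_dynamic(fqdn, ip, ttl)
                return fqdn, ip
        return None


if __name__ == "__main__":
    # Constructed zone data standing in for the DNS server at 209.157.22.199.
    zone = {"nyc02.newyork.com": ("209.157.22.80", 720)}
    cache = DnsCache()
    cache.add_static("www.brocade.com", "63.236.63.244")
    resolver = Resolver(cache, [(5, "facilities.company.com"), (4, "eng.company.com"),
                                (12, "newyork.com")], zone.get)
    print(resolver.resolve("nyc02"), cache.flags("nyc02.newyork.com"))
```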
Syntax: show ip dns server-list

Debugging the DNS feature

To debug the DNS feature, enter the following command.

BigIron RX# debug ip dns
IP: dns debugging is on

Syntax: debug ip dns

Using a DNS name to initiate a trace route

Suppose you want to trace the route from a device to a remote server identified as NYC02 on domain newyork.com.

FIGURE 9 Querying a host on the newyork.com domain
[Diagram labels: Domain Name Server newyork.com; nyc01; nyc02; 207.95.6.
Type Control-c to abort
Sending DNS Query to 209.157.22.199
Tracing Route to IP node 209.157.22.80
To ABORT Trace Route, Please use stop-traceroute command.
Traced route to target IP node 209.157.22.80:
  IP Address    Round Trip Time1  Round Trip Time2
  207.95.6.30   93 msec           121 msec

NOTE
In the above example, 209.157.22.199 is the IP address of the domain name server (default DNS gateway address), and 209.157.22.80 represents the IP address of the NYC02 host.
The control portions of these packets differ slightly. All IP devices on an Ethernet network must use the same format. The device uses Ethernet II by default. You can change the IP encapsulation to Ethernet SNAP on individual ports if needed.

NOTE
All devices connected to the device port must use the same encapsulation type.

To change the IP encapsulation type on interface 1/5 to Ethernet SNAP, enter the following commands.
To configure the untagged max-frame-size on a VLAN, enter a command such as the following at the VLAN configuration level.

BigIron RX(config-vlan-20)# max-frame-size 5000
Please reload system!
BigIron RX(config-vlan-20)#

Syntax: max-frame-size

The variable specifies the maximum frame size for each port that is connected to the same PPCR, as described in Table 49. Values can be from 64 to 9212 bytes. The default is 1518 bytes.
Globally changing the IP MTU

To globally enable jumbo support on all ports, enter commands such as the following.

BigIron RX(config)# ip mtu 5000
BigIron RX(config)# write memory

Syntax: [no] ip mtu

The parameter specifies the maximum number of bytes an Ethernet frame can have in order to be forwarded on a port. Enter 64 – 9212, but this value must be 18 bytes less than the value of the global maximum frame size: the frame size counts the 14-byte Ethernet header and the 4-byte frame check sequence, which the IP MTU does not.
NOTE
If you change the router ID, all current BGP4 sessions are cleared.

By default, the router ID on a device is one of the following:
• If the router has loopback interfaces, the default router ID is the IP address configured on the lowest-numbered loopback interface configured on the device. For example, if you configure loopback interfaces 1, 2, and 3 as follows, the default router ID is 9.9.9.
• If you specify a loopback interface as the single source for Telnet, TACACS, TACACS+, or RADIUS packets, servers can receive the packets regardless of the states of individual links. Thus, if a link to the server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
RADIUS packets

To specify the lowest-numbered IP address configured on a virtual interface as the device's source for all RADIUS packets, enter commands such as the following.

BigIron RX(config)# int ve 1
BigIron RX(config-vif-1)# ip address 10.0.0.3/24
BigIron RX(config-vif-1)# exit
BigIron RX(config)# ip radius source-interface ve 1

The commands configure virtual interface 1, assign IP address 10.0.0.
IP option attack protection

An attack on the network can be carried out using the options field of an IP packet header. For example, the source routing options let the sender dictate the route a packet follows, overriding the routing decisions of the devices in the path. To protect against attacks carried in the options field, the device drops any IP packet that contains an option in its header, except for IGMP packets. IGMP packets are processed even if they contain IP options.
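An added Python example (not Brocade code) of the drop rule above, run over constructed IPv4 headers: it walks the option list, drops any packet carrying an option unless the protocol is IGMP, and treats a malformed option list as a drop, since a parser that cannot walk the options cannot be sure there is no source route among them. The sample packets, including the loose-source-route one via 207.95.6.18, are constructed; their header checksums are left at zero.

```python
import ipaddress
import struct

IPPROTO_IGMP = 2
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR, IPOPT_RA = 7, 131, 137, 148


def parse_ipv4_options(pkt):
    """Walk the option list of a raw IPv4 header. Returns (protocol, [option types]); raises
    ValueError for anything malformed (bad version, IHL under 20 bytes, an option length that
    runs past the header), which the forwarding path must treat as a reason to drop."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    protocol = pkt[9]
    options, i = [], 20
    while i < ihl:
        kind = pkt[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without length byte")
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("option length overruns header")
        options.append(kind)
        i += length
    return protocol, options


def drop_for_ip_options(pkt):
    """The rule above: a packet carrying any IP option is dropped unless it is IGMP (which
    legitimately carries Router Alert). Unparseable option lists are dropped as well."""
    try:
        protocol, options = parse_ipv4_options(pkt)
    except ValueError:
        return True
    return bool(options) and protocol != IPPROTO_IGMP


def build_ipv4(protocol, src, dst, options=b"", payload=b""):
    """Constructed sample packet: minimal header, options padded with EOL to a 32-bit boundary.
    The header checksum is left at zero; the drop decision does not depend on it."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0, 64,
                         protocol, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options + payload


# Constructed samples: plain TCP, TCP with a loose source route via 207.95.6.18, IGMP with
# Router Alert, and a deliberately malformed option list (length byte 0).
PLAIN = build_ipv4(6, "207.95.6.102", "207.95.6.111")
SOURCE_ROUTED = build_ipv4(6, "207.95.6.102", "207.95.6.111",
                           options=bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("207.95.6.18").packed)
IGMP_RA = build_ipv4(IPPROTO_IGMP, "207.95.6.102", "224.0.0.22", options=bytes([IPOPT_RA, 4, 0, 0]))
MALFORMED = build_ipv4(6, "207.95.6.102", "207.95.6.111", options=bytes([IPOPT_LSRR, 0]))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("lsrr", SOURCE_ROUTED), ("igmp-ra", IGMP_RA), ("malformed", MALFORMED)):
        print("%-9s drop=%s" % (name, drop_for_ip_options(pkt)))
```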
Configuring ARP parameters

Address Resolution Protocol (ARP) is a standard IP protocol that enables the device to obtain the MAC address of another device's interface when the device knows the IP address of that interface. ARP is enabled by default and cannot be disabled.
NOTE
The ARP request broadcast is a MAC broadcast, which means the broadcast goes only to devices that are directly attached to the device. A MAC broadcast is not routed to other networks. However, some routers, including this device, can be configured to reply to ARP requests from one network on behalf of devices on another network. Refer to “Enabling proxy ARP” on page 190.
• The interface-level configuration overrides the global configuration for a specific port.
• The command is supported on Layer 3 Switches only.
• There is no default value for . Enter 0–30,000.
• If the value of is entered as 0, the interface stops processing ARP packets immediately.
• You can go to interface trunk mode to configure the ARP port rate limit. When configured over a trunk interface (i.e.
Clearing the rate limit for ARP packets

To clear the ARP port rate limit data on every port of the LP, enter a command such as the following.

LP-1# clear ip traffic arp

Changing the ARP aging period

When the device places an entry in the ARP cache, the device also starts an aging timer for the entry. The aging timer ensures that the ARP cache does not retain learned entries that are no longer valid.
Syntax: [no] ip proxy-arp

Creating static ARP entries

The device has a static ARP table in addition to the regular ARP cache. The static ARP table contains ent ries that you configure. Static entries are useful when you want to pre-configure an entry for a device that is not yet connected to the device, or when you want to prevent a particular entry from aging out.
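An added Python model (not Brocade code) of the ARP behaviour covered in this section: a per-port rate limiter that accepts at most the configured number of ARP packets in each one-second interval (0 meaning the port stops processing ARP), and a cache whose dynamic entries age out once they have been unused for the aging period while static entries never do. The addresses are the ones used in this chapter's examples; that a learned reply does not overwrite a static entry is an assumption of the model, not something the page states.

```python
import time


class ArpPortRateLimiter:
    """Per-port ARP rate limit: at most `limit` ARP packets are accepted in each one-second
    interval and the rest of that interval's packets are dropped. limit=0 means the port stops
    processing ARP packets altogether (the page's semantics for a value of 0)."""

    def __init__(self, limit, now=time.monotonic):
        if not 0 <= limit <= 30000:
            raise ValueError("ARP rate limit must be 0-30000")
        self.limit = limit
        self._now = now              # injectable clock for deterministic tests
        self._window_start = None
        self._count = 0
        self.dropped = 0

    def accept(self):
        """True if this ARP packet is processed, False if it is dropped."""
        if self.limit == 0:
            self.dropped += 1
            return False
        t = self._now()
        if self._window_start is None or t - self._window_start >= 1.0:
            self._window_start, self._count = t, 0
        if self._count >= self.limit:
            self.dropped += 1
            return False
        self._count += 1
        return True


class ArpCache:
    """ARP cache with the aging rule (dynamic entries unused for `age_minutes` are removed) and a
    static table whose entries never age and, in this model, are not overwritten by learned replies."""

    def __init__(self, age_minutes=10, now=time.time):
        self.age_minutes = age_minutes
        self._now = now
        self._entries = {}           # ip -> {"mac", "port", "static", "last_used"}

    def add_static(self, ip, mac, port):
        self._entries[ip] = {"mac": mac, "port": port, "static": True, "last_used": self._now()}

    def learn(self, ip, mac, port):
        """Install or refresh a dynamic entry from an ARP reply. Returns False and leaves the
        table unchanged when the reply disagrees with a static entry (model assumption)."""
        e = self._entries.get(ip)
        if e and e["static"]:
            return e["mac"] == mac and e["port"] == port
        self._entries[ip] = {"mac": mac, "port": port, "static": False, "last_used": self._now()}
        return True

    def lookup(self, ip):
        e = self._entries.get(ip)
        if e is None:
            return None
        e["last_used"] = self._now()  # a hit resets the entry's idle time
        return e["mac"]

    def age_of(self, ip):
        """Whole minutes the entry has remained unused, as in the show arp Age column."""
        e = self._entries[ip]
        return 0 if e["static"] else int((self._now() - e["last_used"]) // 60)

    def age_out(self):
        """Aging timer: remove dynamic entries whose idle time reached the aging period."""
        stale = [ip for ip, e in self._entries.items()
                 if not e["static"] and self.age_of(ip) >= self.age_minutes]
        for ip in stale:
            del self._entries[ip]
        return stale


if __name__ == "__main__":
    limiter = ArpPortRateLimiter(2)
    print([limiter.accept() for _ in range(3)], "dropped", limiter.dropped)
    cache = ArpCache(age_minutes=10)
    cache.add_static("207.95.6.111", "0800.093b.d210", "1/1")
    print(cache.learn("207.95.6.111", "0000.0000.0001", "6"), cache.lookup("207.95.6.111"))
```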
To increase the maximum number of entries you can configure in the static ARP table, enter commands such as the following at the global CONFIG level of the CLI.

BigIron RX(config)# system-max ip-static-arp 4000
BigIron RX(config)# write memory
BigIron RX(config)# end
BigIron RX# reload

Syntax: system-max ip-static-arp

The parameter indicates the maximum number of static ARP entries: 2048 – 4096 (default: 2048).
BigIron RX(config)# ip route validate-nexthop-arp

Syntax: [no] ip route validate-nexthop-arp

Use the no form of the command to disable the ARP validation feature. When ARP validation is disabled, the static route is installed without checking the validity of the next hop.

Enabling the next hop validate ARP timer

The next hop validate ARP timer works only on the ARP entries created when the ARP validation check feature has been enabled.
For additional information on the command syntax, refer to the syntax of the show arp command under “Displaying the ARP cache” on page 224.
To disable directed broadcasts, enter the following command in CONFIG mode.

BigIron RX(config)# no ip directed-broadcast

To enable directed broadcasts on an individual interface instead of globally for all interfaces, enter commands such as the following.
NOTE
When you enable the device for zero-based subnet broadcasts, the device still treats IP packets with all ones in the host portion as IP subnet broadcasts too. Thus, the device can be configured to support all ones only (the default) or all ones and all zeroes.

NOTE
This feature applies only to IP subnet broadcasts, not to local network broadcasts. The local network broadcast address is still expected to be all ones.
• Host – The destination network or subnet of the packet is directly connected to the device, but the host specified in the destination IP address of the packet is not on the network.
• Network – The device cannot reach the network specified in the destination IP address of the packet.
• Port – The destination host does not have the destination TCP or UDP port specified in the packet.
BigIron RX(config)# ip icmp unreachable host
BigIron RX(config)# ip icmp unreachable network

The commands shown above re-enable ICMP Host Unreachable messages and ICMP Network Unreachable messages.

Disabling ICMP redirect messages

You can disable or re-enable ICMP redirect messages. By default, the device sends an ICMP redirect message to the source of a misdirected packet in addition to forwarding the packet to the appropriate router.
Static route types

You can configure the following types of static IP routes:
• Standard – The static route consists of the destination network address and network mask, and the IP address of the next-hop gateway. You can configure multiple standard static routes with the same metric for load sharing, or with different metrics to provide a primary route and backup routes.
• Path redundancy – When you add multiple static IP routes for the same destination but give the routes different metrics or administrative distances, the device uses the route with the lowest administrative distance by default, but uses another route to the same destination if the first route becomes unavailable.
Configuring a static IP route

To configure an IP static route with a destination address of 192.0.0.0 255.0.0.0 and a next-hop router IP address of 195.1.1.1, enter the following.

BigIron RX(config)# ip route 192.0.0.0 255.0.0.0 195.1.1.1

To configure a default route, enter the following.

BigIron RX(config)# ip route 0.0.0.0 0.0.0.0

To configure a static IP route with an Ethernet port instead of a next-hop address, enter a command such as the following.
The distance parameter specifies the administrative distance of the route. When comparing otherwise equal routes to a destination, the device prefers lower administrative distances over higher ones, so make sure you use a low value for your default route. Possible values: 1 – 255. Default: 1.

NOTE
The device will replace the static route if it receives a route with a lower administrative distance.
Dropping traffic sent to the null0 interface in hardware

Traffic sent to the null0 interface is dropped in hardware; that is, the CAM is programmed to discard traffic sent to the null0 interface. This improves forwarding efficiency and reduces the burden on the device's CPU. Hardware dropping for IP traffic sent to the null0 interface is supported. You can optionally configure the device to drop traffic sent to the default IP route address in hardware.
• IP load sharing – If you configure more than one static route to the same destination, and the routes have different next-hop gateways but the same metrics, the device load balances among the routes using basic round-robin. For example, if you configure two static routes with the same metrics but to different gateways, the device alternates between the two routes. For information about IP load balancing, refer to “Configuring IP load sharing” on page 209.
When the device has multiple routes to the same destination, the device always prefers the route with the lowest metric. Generally, when you configure a static route to a destination network, you assign the route a low metric so that the device prefers the static route over other routes to the destination. This feature is especially useful for the following configurations.
FIGURE 11 Standard and null static routes to the same destination network
[Diagram labels: Router A, 192.168.6.188/24; Router B, 192.168.6.157/24, 192.168.7.7/24; host 192.168.7.69/24. Two static routes to 192.168.7.0/24: a standard static route through gateway 192.168.6.157 with metric 1, and a null route with metric 2. When the standard static route is good, Router A uses that route.]
FIGURE 12 Standard and interface routes to the same destination network
[Diagram labels: Router A, 192.168.6.188/24; Port1/1, 192.168.8.12/24; Port4/4, 192.168.6.69/24. Two static routes to 192.168.7.0/24: an interface-based route through port 1/1 with metric 1, and a standard static route through gateway 192.168.8.11 with metric 3. When the route through interface 1/1 is available, Router A always uses that route.]
Configuring a default network route

The device enables you to specify a candidate default route without the need to specify the next-hop gateway. If the IP route table does not contain an explicit default route (for example, 0.0.0.0/0) or propagate an explicit default route through routing protocols, the software can use the default network route as a default route instead.
BigIron RX(config)# show ip route
Total number of IP routes: 2
Start index: 1   B:BGP  D:Connected  R:RIP  S:Static  O:OSPF  *:Candidate default
    Destination    Gateway   Port  Cost  Type
1   209.157.20.0   0.0.0.0   lb1   1     D
2   209.157.22.0   0.0.0.0   4/11  1     *D

This example shows two routes. Both of the routes are directly attached, as indicated in the Type column. However, one of the routes is shown as type “*D”, with an asterisk (*).
Administrative distance

The administrative distance is a unique value associated with each type (source) of IP route. Each path has an administrative distance. It is used when evaluating multiple equal-cost paths to the same destination from different sources, such as RIP, OSPF and so on, but is not used when performing IP load sharing. The value of the administrative distance is determined by the source of the route.
• OSPF – The Path Cost associated with the path. The paths can come from any combination of inter-area, intra-area, and external Link State Advertisements (LSAs).
• BGP4 – The path's Multi-Exit Discriminator (MED) value.

NOTE
If the path is redistributed between two or more of the above sources before entering the IP route table, the cost can increase during the redistribution due to settings in redistribution filters.
Changing the maximum number of load sharing paths

By default, IP load sharing balances IP traffic across up to four equal-cost paths. You can change the maximum number of paths that the device supports to a value of 2 – 8. For optimal results, set the maximum number of paths to a value equal to or greater than the maximum number of equal-cost paths that your network typically contains.
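An added Python model (not Brocade code) of the selection rules described across this section: longest prefix first, then lowest administrative distance (1 – 255), then lowest metric; routes that still tie are ECMP paths limited to the configured maximum (2 – 8, default 4) and used round-robin; a null0 route drops, as the hardware null0 route does; a down route falls back to the next candidate, as in the standard-plus-null example; and ip route validate-nexthop-arp is modelled by refusing to install a route whose next hop does not resolve. Prefixes and gateways are taken from the examples above; the ARP-resolves callback is a stand-in for the ARP cache.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # "a.b.c.d", an interface such as "ethernet 1/1", or "null0"
    metric: int = 1
    distance: int = 1      # administrative distance, 1-255
    up: bool = True        # False once the next-hop link or gateway is unreachable


def _is_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


class RouteTable:
    """Longest prefix match, then lowest administrative distance, then lowest metric; remaining
    ties are ECMP paths capped at max_paths and used round-robin; null0 drops; a down route is
    skipped in favour of the next candidate for the same prefix."""

    def __init__(self, max_paths=4, validate_nexthop_arp=False, arp_resolves=lambda ip: True):
        if not 2 <= max_paths <= 8:
            raise ValueError("maximum load sharing paths must be 2-8")
        self.max_paths = max_paths
        self.validate_nexthop_arp = validate_nexthop_arp
        self.arp_resolves = arp_resolves        # stands in for the ARP cache check
        self._routes = []
        self._rr = {}                           # prefix -> round-robin cursor

    def add(self, route):
        """Install a static route; returns False if next-hop ARP validation rejects it."""
        if not 1 <= route.distance <= 255:
            raise ValueError("administrative distance must be 1-255")
        if (self.validate_nexthop_arp and _is_ip(route.next_hop)
                and not self.arp_resolves(route.next_hop)):
            return False
        self._routes.append(route)
        return True

    def set_up(self, next_hop, up):
        """Mark every route through next_hop as available or unavailable."""
        for r in self._routes:
            if r.next_hop == next_hop:
                r.up = up

    def best_paths(self, prefix):
        """Usable routes for an exact prefix after the distance/metric comparison, ECMP-limited."""
        live = [r for r in self._routes if r.prefix == prefix and r.up]
        if not live:
            return []
        key = min((r.distance, r.metric) for r in live)
        return [r for r in live if (r.distance, r.metric) == key][:self.max_paths]

    def lookup(self, dst):
        addr = ipaddress.IPv4Address(dst)
        prefixes = sorted({r.prefix for r in self._routes if addr in r.prefix},
                          key=lambda p: p.prefixlen, reverse=True)
        for prefix in prefixes:
            paths = self.best_paths(prefix)
            if paths:
                i = self._rr.get(prefix, 0) % len(paths)
                self._rr[prefix] = i + 1
                return paths[i]
        return None

    def forward(self, dst):
        """Next hop a packet to dst is sent to, or "drop" (no route, or a null0 route)."""
        route = self.lookup(dst)
        return "drop" if route is None or route.next_hop == "null0" else route.next_hop


if __name__ == "__main__":
    net = ipaddress.IPv4Network
    rt = RouteTable(max_paths=2)
    rt.add(Route(net("192.168.7.0/24"), "192.168.6.157", metric=1))
    rt.add(Route(net("192.168.7.0/24"), "null0", metric=2))
    print(rt.forward("192.168.7.7"))          # standard route while it is up
    rt.set_up("192.168.6.157", False)
    print(rt.forward("192.168.7.7"))          # null route takes over: drop
```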
Displaying the ECMP load sharing

Use the show run command to display the ECMP load sharing.

BigIron RX(config)# show run
========show run =====================
!
logging console
hostname RW
ip route 0.0.0.0/0 100.1.1.2
ip route 0.0.0.0/0 100.1.2.2
ip route 0.0.0.0/0 100.1.3.2
ip route 0.0.0.0/0 100.1.4.2
ip route 10.0.0.0/8 10.43.2.1
ip route 40.0.0.0/24 100.1.1.
BigIron RX(config)# ip receive access-list 10

Syntax: [no] ip receive access-list

Specify an access list number for . The IP receive ACL is applied globally to all interfaces on the device.

Displaying IP receive access list

To determine whether an IP receive access list has been configured on the device, enter the following command.
• Hold time – Each Router Advertisement message contains a hold time value. This value specifies the maximum amount of time the host should consider an advertisement to be valid until a newer advertisement arrives. When a new advertisement arrives, the hold time is reset. The hold time is always longer than the maximum advertisement interval.
The maxadvertinterval parameter specifies the maximum amount of time the device waits between sending Router Advertisements. You can specify a value from 1 to the current value of the holdtime parameter. The default is 600 seconds. The minadvertinterval parameter specifies the minimum amount of time the device can wait between sending Router Advertisements. The default is three-fourths (0.75) of the value of the maxadvertinterval parameter.
NOTE
As shown above, forwarding support for BootP/DHCP is enabled by default. If you are configuring the device to forward BootP/DHCP requests, refer to “Configuring BootP/DHCP forwarding parameters” on page 218.

You can enable forwarding for other applications by specifying the application port number. You also can disable forwarding for an application.
• tftp (port 69)

In addition, you can specify any UDP application by using the application's UDP port number. The parameter specifies the UDP application port number. If the application you want to enable is not listed above, enter the application port number. You also can list the port number for any of the applications listed above. To disable forwarding for an application, enter a command such as the following.
You can configure the device to forward BootP/DHCP requests. To do so, configure a helper address on the interface that receives the client requests, and specify the BootP/DHCP server's IP address as the address you are helping the BootP/DHCP requests to reach. Instead of the server's IP address, you can specify the subnet-directed broadcast address of the IP subnet the server is in.
BigIron RX(config)# int e 1/1
BigIron RX(config-if-e1000-1/1)# ip bootp-gateway 109.157.22.26

These commands change the CLI to the configuration level for port 1/1, then change the BootP/DHCP stamp address for requests received on port 1/1 to 109.157.22.26. The device places this IP address in the Gateway Address field of BootP/DHCP requests that it receives on port 1/1 and forwards to the BootP/DHCP server.
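An added Python example (not Brocade code) of what the gateway stamp does to a relayed request: the giaddr field of the BOOTP header (RFC 951) is filled with the receiving interface's address, or with the ip bootp-gateway override, the hop count is incremented, and the packet is sent on to the helper address. Two details come from RFC 1542 rather than from this page: giaddr is written only if it is still 0.0.0.0, so a request relayed twice keeps the first relay's address, and a request that has already reached the hop limit is dropped. The hop limit default of 4 used here is an assumption; bootp-relay-max-hops sets the real value. The sample request is constructed, and 10.10.1.1 and 209.157.22.99 are placeholder addresses.

```python
import ipaddress
import struct

BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"     # RFC 951 fixed fields: op, htype, hlen, hops,
BOOTP_FIXED_LEN = struct.calcsize(BOOTP_HEADER)  # xid, secs, flags, ciaddr, yiaddr, siaddr,
HOPS_OFFSET, GIADDR_OFFSET = 3, 24               # giaddr, chaddr, sname, file (236 bytes)
BOOTREQUEST = 1


def build_bootp_request(xid, client_mac, hops=0, giaddr="0.0.0.0"):
    """Constructed BOOTREQUEST (Ethernet htype=1, hlen=6, broadcast flag set) for sample input."""
    return struct.pack(BOOTP_HEADER, BOOTREQUEST, 1, 6, hops, xid, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       ipaddress.IPv4Address(giaddr).packed,
                       client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128) + b"\x63\x82\x53\x63"


def bootp_hops(pkt):
    return pkt[HOPS_OFFSET]


def bootp_giaddr(pkt):
    return str(ipaddress.IPv4Address(pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4]))


def relay_bootp_request(pkt, receiving_interface_ip, helper_address,
                        bootp_gateway=None, max_hops=4):
    """Forward a client BOOTP/DHCP request towards the helper address.

    Returns (new_packet, destination) or None when the request is dropped. The gateway stamp is
    the receiving interface's address unless ip bootp-gateway overrides it. giaddr is written
    only while it is 0.0.0.0 and a request at the hop limit is dropped (RFC 1542 behaviour; the
    max_hops default is an assumption standing in for bootp-relay-max-hops)."""
    if len(pkt) < BOOTP_FIXED_LEN or pkt[0] != BOOTREQUEST:
        return None                              # not a client request: nothing to relay
    hops = bootp_hops(pkt)
    if hops >= max_hops:
        return None                              # looped or too far from the server: drop
    out = bytearray(pkt)
    out[HOPS_OFFSET] = hops + 1
    if bootp_giaddr(pkt) == "0.0.0.0":
        stamp = bootp_gateway or receiving_interface_ip
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(stamp).packed
    return bytes(out), helper_address


if __name__ == "__main__":
    request = build_bootp_request(0x3903F326, bytes.fromhex("0800093bd210"))
    relayed, server = relay_bootp_request(request, "10.10.1.1", "209.157.22.99",
                                          bootp_gateway="109.157.22.26")
    print("to", server, "giaddr", bootp_giaddr(relayed), "hops", bootp_hops(relayed))
```

The server answers to giaddr, so whatever is stamped there must be an address the server can route to and that the relay actually owns; an override pointing elsewhere silently breaks address assignment for that segment.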
• OSPF information – refer to “Displaying OSPF information” on page 720.
• BGP4 information – refer to “Displaying BGP4 information” on page 824.
• DVMRP information – refer to “Displaying information about an upstream neighbor device” on page 655.
• PIM information – refer to “Displaying PIM Sparse configuration information and statistics” on page 615.
• VRRP or VRRPE information – refer to “Displaying VRRP and VRRPE information” on page 467.
TABLE 51 CLI display of global IP configuration information (continued)
bootp-relay-max-hops: The maximum number of hops away a BootP server can be located from the Brocade router and still be used by the router's clients for network booting. To change this value, refer to “Changing the maximum number of hops to a BootP relay server” on page 220.
router-id: The 32-bit number that uniquely identifies the Brocade router.
Port: The Layer 4 TCP or UDP port the policy checks for in packets. The port can be displayed by its number or, for port types the router recognizes, by the well-known name. For example, TCP port 80 can be displayed as HTTP.
NOTE: This field applies only if the IP protocol is TCP or UDP.
Operator: The comparison operator for TCP or UDP port names or numbers.
BigIron RX# show ip interface ethernet 1/1
Interface Ethernet 1/1
  port state: UP
  ip address: 192.168.9.51
  subnet mask: 255.255.255.0
  encapsulation: ETHERNET, mtu: 1500, metric: 1
  directed-broadcast-forwarding: disabled
  proxy-arp: disabled
  ip arp-age: 10 minutes
  Ip Flow switching is disabled
  No Helper Addresses are configured.
BigIron RX# show arp
Total number of ARP entries: 5
    IP Address     MAC Address     Type     Age  Port
1   207.95.6.102   0800.5afc.ea21  Dynamic  0    6
2   207.95.6.18    00a0.24d2.04ed  Dynamic  3    6
3   207.95.6.54    00a0.24ab.cd2b  Dynamic  0    6
4   207.95.6.101   0800.207c.a7fa  Dynamic  0    6
5   207.95.6.211   00c0.2638.ac9c  Dynamic  0    6

Syntax: show arp [ve | ethernet | mac-address
TABLE 53 CLI display of ARP cache (continued)
Age: The number of minutes the entry has remained unused. If this value reaches the ARP aging period, the entry is removed from the table. To display the ARP aging period, refer to “Displaying global IP configuration information” on page 221. To change the ARP aging interval, refer to “Changing the ARP aging period” on page 190.
NOTE: Static entries do not age out.
BigIron RX> show ip cache
Cache Entry Usage on LPs:
Module  Host  Network  Free    Total
15      6     6        204788  204800

Syntax: show ip cache [] [| begin | exclude | include ]

The parameter displays the cache entry for the specified IP address. The show ip cache command shows the forwarding cache usage on each interface module CPU. The CPU on each interface module builds its own forwarding cache, depending on the traffic.
TABLE 55 CLI display of IP forwarding cache (continued)
Type: The type of host entry, which can be one or more of the following:
• D – Dynamic
• P – Permanent
• F – Forward
• U – Us
• C – Complex Filter
• W – Wait ARP
• I – ICMP Deny
• K – Drop
• R – Fragment
• S – Snap Encap
Port: The port through which this device reaches the destination. For destinations that are located on this device, the port number is shown as “n/a”.
The option displays the route table entry whose row number corresponds to the number you specify. For example, if you want to display the tenth row in the table, enter “10”. The parameter displays the route to the specified IP address. The parameter lets you specify a network mask or, if you prefer CIDR format, the number of bits in the network mask.
BigIron RX(config)# show ip route 209.159.0.0/16 longer
Starting index: 1   B:BGP  D:Directly-Connected  R:RIP  S:Static  O:OSPF
     Destination    NetMask         Gateway        Port  Cost  Type
52   209.159.38.0   255.255.255.0   207.95.6.101
53   209.159.39.0   255.255.255.0   207.95.6.101
54   209.159.40.0   255.255.255.0   207.95.6.101
55   209.159.41.0   255.255.255.0   207.
56   209.159.42.0   255.255.255.0
57   209.159.43.0   255.255.255.0
58   209.159.44.0   255.255.255.0
59   209.159.45.0   255.255.255.0
60   209.159.46.0   255.255.255.0
Displaying IP information TABLE 56 7 CLI display of IP route table (Continued) This field... Displays... Type The route type, which can be one of the following: • B – The route was learned from BGP. • D – The destination is directly connected to this device. • R – The route was learned from RIP. • S – The route is a static route. • * – The route is a candidate default route. • O – The route is an OSPF route. Unless you use the ospf option to display the route table, “O” is used for all OSPF routes.
7 Displaying IP information BigIron RX> sh ip traffic IP Statistics 146806 total received, 72952 mp received, 6715542 sent, 0 forwarded 0 filtered, 0 fragmented, 0 bad header 0 failed reassembly, 0 reassembled, 0 reassembly required 0 no route, 0 unknown proto, 0 no buffer, 0 other errors, 0 rpf discard ARP Statistics 19022 total recv, 35761 req recv, 475 rep recv, 2803975 req sent, 1885 rep sent 0 pending drop, 0 invalid source, 0 invalid dest ICMP Statistics Received: 9 total, 0 errors, 0 unreachable, 0
Displaying IP information TABLE 57 7 CLI display of IP traffic statistics (Continued) This field... Displays... ICMP statistics The ICMP statistics are derived from RFC 792, “Internet Control Message Protocol”, RFC 950, “Internet Standard Subnetting Procedure”, and RFC 1256, “ICMP Router Discovery Messages”. Statistics are organized into Sent and Received. The field descriptions below apply to each. total The total number of ICMP messages sent or received by the device.
7 Displaying IP information TABLE 57 CLI display of IP traffic statistics (Continued) This field... Displays... input errors This information is used by Brocade customer support. in segments The number of TCP segments received by the device. out segments The number of TCP segments sent by the device.
Chapter Link Aggregation 8 Link aggregation overview This chapter describes how to configure Link Aggregation Groups (LAGs). You can use a single interface to configure any of the following LAG types: • Static LAGs – These trunk groups are manually configured aggregate links containing multiple ports. • Dynamic LAGs – This LAG type uses the Link Aggregation Control Protocol (LACP) to maintain aggregate links over multiple ports.
8 LAG formation rules
• do not share the same SuperSpan customer id (or cid).
• do not share the same vlan membership
• do not share the same uplink vlan membership
• do not share the same protocol-vlan configuration
• are configured as marble primary and secondary interfaces
• Layer 3 requirements. The trunk is rejected if any of the secondary trunk ports has any Layer 3 configuration, such as an IPv4 or IPv6 address, OSPF, RIP, RIPng, IS-IS, etc.
• Layer 4 (ACL) requirements.
LAG formation rules 8 FIGURE 13 Example of a 1-port keep alive LAG (figure not reproduced: ports 1/1 through 1/8 on each of two devices, connected port to port) Figure 14 shows an example of a valid 2-port LAG link between devices where the ports on each end are on the same interface module. Ports in a valid 2-port LAG on one device are connected to two ports in a valid 2-port LAG on another device.
8 LAG load sharing LAG load sharing Traffic on BigIron RX switches is load balanced over a LAG using the hash-based load sharing method. Hash-based load sharing is based on the packet type and cannot be changed. The device shares the traffic load evenly across the ports in a LAG while ensuring that packets within a flow are not reordered. Individual flows are assigned a trunk index to identify them.
Configuration of a LAG 8 Configuration of a LAG The following configuration procedures are used to configure a LAG. Depending upon whether you are configuring a static, dynamic or keep-alive LAG, the configuration procedures may or may not apply as described: • Creating a Link Aggregation Group – Required for all static, dynamic or keep alive LAGs. • Adding Ports to a LAG – Required for all static, dynamic, or keep alive LAGs.
8 Configuration of a LAG The ports added to a LAG are Ethernet ports, specified by the slot/port where they reside. Ports can be added to the LAG one at a time, as shown in the following example. BigIron RX(config-lag-blue)# ports ethernet 3/1 ethernet 7/2 ethernet 4/3 ethernet 3/ A range of ports from a single interface module can also be specified. In the following example, Ethernet ports 1, 2, 3 and 4 on the interface module in slot 3 are configured in a single LAG.
Configuration of a LAG 8 Syntax: trunk-threshold You can specify a threshold from 1 (the default) up to the number of ports in the trunk group. When a LAG is shut down because the number of ports drops below the configured threshold, the LAG is kept intact and it is re-enabled if enough ports become active to reach the threshold. NOTE Trunk threshold should be configured only at one end of the trunk.
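The two behaviours described above, hash-based flow-to-member assignment (each flow gets a fixed trunk index, so its packets are never reordered) and the trunk threshold (the LAG is shut down, but kept configured, while fewer members are up than the threshold), worked through as an added example. This is illustrative Python, not Brocade's implementation: the guide states only that the hash is packet-type based and fixed, so the fields hashed here (IPv4 5-tuple for IP packets, the MAC pair for anything else) and the port names are assumptions.

```python
"""Hash-based LAG member selection with a trunk threshold (added example)."""
import hashlib
import ipaddress
import struct


class Lag:
    def __init__(self, ports, threshold=1):
        # threshold: 1 (default) up to the number of ports, as for trunk-threshold
        if not 1 <= threshold <= len(ports):
            raise ValueError("threshold must be between 1 and the port count")
        self.ports = list(ports)            # e.g. ["3/1", "3/2", "3/3", "3/4"]
        self.threshold = threshold
        self.link_up = {p: True for p in self.ports}

    def set_link(self, port, up):
        self.link_up[port] = up

    def active_ports(self):
        return [p for p in self.ports if self.link_up[p]]

    def is_operational(self):
        # below threshold the LAG stays configured but is shut down
        return len(self.active_ports()) >= self.threshold

    @staticmethod
    def trunk_index(flow):
        """Flow-identifying hash: all packets of one flow map to one index.
        The hashed fields are an assumption for illustration."""
        if flow["type"] == "ip":
            key = struct.pack(
                "!4s4sBHH",
                ipaddress.IPv4Address(flow["src"]).packed,
                ipaddress.IPv4Address(flow["dst"]).packed,
                flow["proto"], flow["sport"], flow["dport"])
        else:   # non-IP: MAC pair, written in the dotted form the CLI shows
            key = (bytes.fromhex(flow["smac"].replace(".", ""))
                   + bytes.fromhex(flow["dmac"].replace(".", "")))
        return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")

    def select_port(self, flow):
        """Egress member for a flow, or None while the LAG is shut down."""
        if not self.is_operational():
            return None
        active = self.active_ports()
        return active[self.trunk_index(flow) % len(active)]


def distribution(lag, flows):
    """How many flows land on each active member (checks evenness)."""
    counts = {p: 0 for p in lag.active_ports()}
    for f in flows:
        counts[lag.select_port(f)] += 1
    return counts


if __name__ == "__main__":
    lag = Lag(["3/1", "3/2", "3/3", "3/4"], threshold=3)
    # constructed sample flows: 200 TCP connections to one server
    flows = [{"type": "ip", "src": "10.0.0.%d" % i, "dst": "10.0.1.1",
              "proto": 6, "sport": 40000 + i, "dport": 443} for i in range(1, 201)]
    print(distribution(lag, flows))
    lag.set_link("3/4", False)          # one member down: still at threshold
    print(lag.is_operational(), distribution(lag, flows))
    lag.set_link("3/3", False)          # two down: below threshold, LAG shut down
    print(lag.is_operational(), lag.select_port(flows[0]))
```

Because the index depends only on flow fields, a member failure re-maps flows across the remaining active ports without reordering packets within any one flow; below the threshold no member is selected at all, which is why the guide says to configure the threshold on one end only.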
8 Deploying a LAG Deploying a LAG After configuring a LAG, you must explicitly enable it before it begins aggregating traffic. This is done with the deploy command at the LAG configuration level. Once the deploy command is executed, the LAG is in aggregating mode. Only the primary port within the LAG is available at the individual interface level. Any configuration performed on the primary port applies to all ports within the LAG.
Deploying a LAG 8 Configuring ACL-based mirroring ACL-based mirroring can be configured for an individual port within a LAG using the acl-mirror-port command, as shown in the following.
8 Deploying a LAG Monitoring an individual LAG port By default, when you monitor the primary port in a LAG group, aggregated traffic for all the ports in the LAG is copied to the mirror port. You can configure the device to monitor individual ports in a LAG including Ethernet, or Named ports. You can monitor the primary port or a secondary port individually. NOTE You can use only one mirror port for each monitored trunk port.
Deploying a LAG 8
BigIron RX(config)# lag blue static
BigIron RX(config-lag-blue)# deploy
BigIron RX(config-lag-blue)# sflow-forwarding ethernet 3/1
Syntax: [no] sflow-forwarding ethernet [slot/port] | port-name [text] Use the ethernet option with the appropriate [slot/port] variable to specify an Ethernet port within the LAG for which you want to enable sFlow forwarding.
8 Deploying a LAG
=== LAG "d1" (dynamic Deployed) ===
LAG Configuration:
   Ports: ethe 13/2 to 13/3 ethe 32/2
   Primary Port: 32/2
   LACP Key: 104
Deployment: Trunk ID 3
Port   Link  L2 State  Dupl  Speed  Trunk  Tag  Priori  MAC             Name
13/2   Up    Forward   Full  10G    3      Yes  level0  0004.80a0.44d9
13/3   Up    Forward   Full  10G    3      Yes  level0  0004.80a0.44d9
32/2   Up    Forward   Full  10G    3      Yes  level0  0004.80a0.
Deploying a LAG TABLE 58 8 Show LAG information (Continued) This field... Displays... Type The configured type of the LAG: static, dynamic, or keep-alive Deploy Status of LAG deployment: Y – yes, LAG is deployed. N – no, LAG is not deployed. Trunk The trunk ID number. Primary The primary port of the LAG. Port List The list of ports that are configured in the LAG. The following information is displayed by the show lag command for each configured LAG.
8 Deploying a LAG TABLE 58 Show LAG information (Continued) This field... Displays... Act Indicates the link aggregation mode, which can be one of the following: • No – The mode is passive on the port. If link aggregation is enabled (and the mode is passive), the port can send and receive LACPDU messages to participate in negotiation of an aggregate link initiated by another port, but cannot search for a link aggregation port or initiate negotiation of an aggregate link. • Yes – The mode is active.
Deploying a LAG TABLE 58 8 Show LAG information (Continued) This field... Displays... Def Indicates whether the port is using default link aggregation values. The port uses default values if it has not received link aggregation information through LACP from the port at the remote end of the link.
8 Deploying a LAG GiantPkts InBitsPerSec InPktsPerSec InUtilization 0 0 0 0.0% ShortPkts OutBitsPerSec OutPktsPerSec OutUtilization 0 0 0 0.
Chapter Configuring LLDP 9 Terms used in this chapter Link Layer Discovery Protocol (LLDP) – The Layer 2 network discovery protocol described in the IEEE 802.1AB standard, Station and Media Access Control Connectivity Discovery. This protocol enables a station to advertise its capabilities to, and to discover, other LLDP-enabled stations in the same 802 LAN segments. LLDP Agent – The protocol entity that implements LLDP for a particular IEEE 802 device.
9 LLDP overview Figure 16 illustrates LLDP connectivity.
General operating principles 9 • Can discover devices with misconfigured or unreachable IP addresses General operating principles LLDP uses the services of the Data Link sublayers, Logical Link Control and Media Access Control, to transmit and receive information to and from other LLDP Agents (protocol entities that implement LLDP). LLDP is a one-way protocol.
9 General operating principles As shown in Figure 17, each LLDPDU has three mandatory TLVs, an End of LLDPDU TLV, plus optional TLVs as selected by network management. FIGURE 17 LLDPDU packet format: Chassis ID TLV (M) | Port ID TLV (M) | Time to Live TLV (M) | Optional TLV ... Optional TLV | End of LLDPDU TLV (M). M = mandatory TLV (required for all LLDPDUs). Each LLDPDU consists of an untagged Ethernet header and a sequence of short, variable length information elements known as TLVs.
General operating principles 9 • Organizationally-specific TLVs are optional in LLDP implementations and are defined and encoded by individual organizations or vendors. These TLVs include support for, but are not limited to, the IEEE 802.1 and 802.3 standards and the TIA-1057 standard. Brocade devices support the following Organizationally-specific TLVs: • 802.1 organizationally-specific TLVs: Port VLAN ID; VLAN name TLV • 802.
9 General operating principles Chassis ID (MAC address): 0012.f233.e2c0 The Chassis ID TLV is always the first TLV in the LLDPDU. Port ID The Port ID identifies the port from which LLDP packets were sent. There are several ways in which a port may be identified, as shown in Table 60. A port ID subtype, included in the TLV, indicates how the port is being referenced in the Port ID field.
MIB support 9 • If the TTL field has a value other than zero, the receiving LLDP agent is notified to completely replace all information associated with the LLDP agent or port with the information in the received LLDPDU. • If the TTL field value is zero, the receiving LLDP agent is notified that all system information associated with the LLDP agent or port is to be deleted. This TLV may be used, for example, to signal that the sending port has initiated a port shutdown procedure.
9 Configuring LLDP TABLE 61 LLDP global configuration tasks and default behavior / value
Global task: Default behavior / value when LLDP is enabled
Enabling LLDP on a global basis: Disabled
Specifying the maximum number of LLDP neighbors per device: Automatically set to 392 neighbors per device
Specifying the maximum number of LLDP neighbors per port: Automatically set to 4 neighbors per port
Enabling SNMP notifications and Syslog messages: Disabled
Changing the minimum time between SNMP traps and
Configuring LLDP 9 Enabling and disabling LLDP LLDP is enabled by default on individual ports. However, to run LLDP, you must first enable it on a global basis (on the entire device). To enable LLDP globally, enter the following command at the global CONFIG level of the CLI. BigIron RX(config)#lldp run Syntax: [no] lldp run Changing a port’s LLDP operating mode LLDP packets are not exchanged until LLDP is enabled on a global basis.
9 Configuring LLDP To change a port’s LLDP operating mode from transmit only to receive only, first disable the transmit only mode, then enable the receive only mode. Enter commands such as the following. BigIron RX(config)#no lldp enable transmit ports e 2/7 e 2/8 e 2/9 BigIron RX(config)#lldp enable receive ports e 2/7 e 2/8 e 2/9 The above commands change the LLDP operating mode on ports 2/7, 2/8, and 2/9, from transmit only to receive only.
Configuring LLDP 9 Per device You can change the maximum number of neighbors for which LLDP data will be retained for the entire system. For example, to change the maximum number of LLDP neighbors for the entire device to 26, enter the following command. BigIron RX(config)#lldp max-total-neighbors 26 Syntax: [no] lldp max-total-neighbors Use the [no] form of the command to remove the static configuration and revert to the default value of 392. where is a number between 16 and 65536.
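The LLDPDU layout in Figure 17, the TTL rules under "MIB support" (a non-zero TTL replaces everything known about the neighbor, a zero TTL deletes it), and the per-port and per-device neighbor limits just described, worked through as an added example. This is illustrative Python, not Brocade's implementation: the TLV encoding (7-bit type, 9-bit length) is from IEEE 802.1AB, while the sample chassis MAC, port name, subtype values and the way the table is keyed are constructed for illustration. The parser bounds-checks every length before slicing, which is the check an LLDP receiver needs against malformed frames from an untrusted link.

```python
"""LLDPDU TLV parsing and neighbor-table handling (added example)."""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
CHASSIS_SUBTYPE_MAC = 4        # 802.1AB chassis ID subtype: MAC address
PORT_SUBTYPE_IFNAME = 5        # 802.1AB port ID subtype: interface name


class LldpError(ValueError):
    pass


def tlv(ttype, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if len(value) > 511:
        raise LldpError("TLV value too long")
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, optional=()):
    """Constructed sample LLDPDU (Ethernet header not included)."""
    body = tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    body += tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
    body += tlv(TLV_TTL, struct.pack("!H", ttl))
    for t, v in optional:
        body += tlv(t, v)
    return body + tlv(TLV_END, b"")


def parse_lldpdu(payload):
    """Parse the TLV sequence, bounds-checking every length and enforcing
    the mandatory Chassis ID, Port ID, TTL order and the End TLV."""
    tlvs, off = [], 0
    while True:
        if off + 2 > len(payload):
            raise LldpError("truncated TLV header at offset %d" % off)
        (hdr,) = struct.unpack_from("!H", payload, off)
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlen > len(payload):
            raise LldpError("TLV type %d length %d runs past end of PDU" % (ttype, tlen))
        tlvs.append((ttype, payload[off:off + tlen]))
        off += tlen
        if ttype == TLV_END:
            if tlen != 0:
                raise LldpError("End of LLDPDU TLV must have length 0")
            break
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise LldpError("mandatory TLVs missing or out of order")
    chassis, port, ttl = tlvs[0][1], tlvs[1][1], tlvs[2][1]
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise LldpError("malformed mandatory TLV")
    return {
        "chassis_subtype": chassis[0], "chassis_id": chassis[1:],
        "port_subtype": port[0], "port_id": port[1:],
        "ttl": struct.unpack("!H", ttl)[0],
        "optional": tlvs[3:-1],
    }


class NeighborTable:
    """Neighbor store with the guide's default limits (392 per device, 4 per port)."""

    def __init__(self, max_total=392, max_per_port=4):
        self.max_total, self.max_per_port = max_total, max_per_port
        self.entries = {}      # (local_port, chassis_id, port_id) -> {"expires", "info"}
        self.dropped = 0       # counted like "Neighbor advertisements dropped"

    def neighbors_on(self, local_port):
        return [k for k in self.entries if k[0] == local_port]

    def receive(self, local_port, payload, now):
        info = parse_lldpdu(payload)
        key = (local_port, info["chassis_id"], info["port_id"])
        if info["ttl"] == 0:               # port shutdown signal: delete all info
            self.entries.pop(key, None)
            return "deleted"
        if key not in self.entries and (
                len(self.neighbors_on(local_port)) >= self.max_per_port
                or len(self.entries) >= self.max_total):
            self.dropped += 1
            return "dropped"
        # non-zero TTL: completely replace what was known about this neighbor
        self.entries[key] = {"expires": now + info["ttl"], "info": info}
        return "updated"

    def age(self, now):
        """Remove entries whose TTL has run out; returns how many aged out."""
        expired = [k for k, e in self.entries.items() if e["expires"] <= now]
        for k in expired:
            del self.entries[k]
        return len(expired)
```

The per-port cap is what keeps a single link from filling the table: once four distinct chassis/port pairs are known on a port, further new neighbors on that port are dropped and counted rather than evicting existing entries.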
9 Configuring LLDP You can list all of the ports individually, use the keyword to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Specifying the minimum time between SNMP traps and Syslog messages When SNMP notifications and Syslog messages for LLDP are enabled, the device will send no more than one SNMP notification and corresponding Syslog message within a five second period.
Configuring LLDP 9 where is a value between 1 and 8192. The default is two seconds. Note that this value must not be greater than one quarter of the LLDP transmission interval (CLI command lldp transmit-interval). Changing the interval between regular LLDP transmissions The LLDP transmit interval specifies the number of seconds between regular LLDP packet transmissions. When you enable LLDP, by default, the device will wait 30 seconds between regular LLDP packet transmissions.
9 Configuring LLDP Changing the minimum time between port reinitializations The LLDP re-initialization delay timer specifies the minimum number of seconds the device will wait from when LLDP is disabled on a port, until it will honor a request to re-enable LLDP on that port. When you enable LLDP, the system sets the re-initialization delay timer to two seconds. If desired, you can change the default behavior from two seconds to a value between one and ten seconds.
Configuring LLDP 9 • MAC/PHY configuration and status • Maximum frame size The above TLVs are described in detail in the following sections. NOTE The system description, VLAN name, and power-via-MDI information TLVs are not automatically enabled. The following sections show how to enable these advertisements.
9 Configuring LLDP Port description The port description TLV identifies the port from which the LLDP agent transmitted the advertisement. The port description is taken from the ifDescr MIB object from MIB-II. By default, the port description is automatically advertised when LLDP is enabled on a global basis. To disable advertisement of the port description, enter a command such as the following.
Configuring LLDP 9 You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
9 Configuring LLDP The system name will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info). System name: “BigIron RX” Syntax: [no] lldp advertise system-name ports ethernet | all You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both.
9 Configuring LLDP The link-aggregation TLV indicates the following: • Whether the link is capable of being aggregated • Whether the link is currently aggregated • The primary trunk port Brocade devices advertise link aggregation information about standard link aggregation (LACP) as well as static trunk configuration. By default, link-aggregation information is automatically advertised when LLDP is enabled on a global basis. To disable this advertisement, enter a command such as the following.
Configuring LLDP 9 + 802.3 MAC/PHY : auto-negotiation enabled Advertised capabilities: 10baseT-HD, 10baseT-FD, 100baseTX-HD, 100baseTX-FD, fdxSPause, fdxBPause, 1000baseT-HD, 1000baseT-FD Operational MAU type: 100BaseTX-FD Syntax: [no] lldp advertise mac-phy-config-status ports ethernet | all You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both.
9 Configuring LLDP The show commands above are described in this section. LLDP configuration summary To display a summary of the LLDP configuration settings on the device, enter the show lldp command at any level of the CLI. The following shows an example report.
Configuring LLDP 9
BigIron RX#show lldp statistics
Last neighbor change time: 23 hours 50 minutes 40 seconds ago
Neighbor entries added          : 14
Neighbor entries deleted        : 5
Neighbor entries aged out       : 4
Neighbor advertisements dropped : 0

Port  Tx Pkts  Rx Pkts  Rx Pkts   Rx Pkts    Rx TLVs    Rx TLVs    Neighbors
      Total    Total    w/Errors  Discarded  Unrecognz  Discarded  Aged Out
1     60963    75179    0         0          0          0          4
2     0        0        0         0          0          0          0
3     60963    60963    0         0          0
4     60963    121925
5     0        0
6     0        0
7     0        0
8     0        0
9     0        0
10    60974    0
11    0        0
12    0        0
13    0        0
14    0        0
9 Configuring LLDP This field... Displays... Rx Pkts Total The number of LLDP packets the port received. Rx Pkts w/Errors The number of LLDP packets the port received that have one or more detectable errors. Rx Pkts Discarded The number of LLDP packets the port received then discarded. Rx TLVs Unrecognz The number of TLVs the port received that were not recognized by the LLDP local agent.
Configuring LLDP 9 LLDP neighbors detail The show lldp neighbors detail command displays the LLDP advertisements received from LLDP neighbors. The following shows an example show lldp neighbors detail report. NOTE The show lldp neighbors detail output will vary depending on the data received. Also, values that are not recognized or do not have a recognizable format, may be displayed in hexadecimal binary form. BigIron RX#show lldp neighbors detail ports e 1/9 Local port: 1/9 Neighbor: 0800.0f18.
9 Configuring LLDP This field... Displays... Neighbor The source MAC address from which the packet was received, and the remaining TTL for the neighbor entry. Syntax: show lldp neighbors detail [ports ethernet | all] If you do not specify any ports or use the keyword all, by default, the report will show the LLDP neighbor details for all ports. You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both.
Resetting LLDP statistics 9 Resetting LLDP statistics To reset LLDP statistics, enter the clear lldp statistics command at the Global CONFIG level of the CLI. The Brocade device will clear the global and per-port LLDP neighbor statistics on the device (refer to “LLDP statistics” on page 274).
Chapter Configuring Uni-Directional Link Detection (UDLD) 10 This chapter describes configuring Uni-Directional Link Detection. Uni-directional Link Detection (UDLD) monitors a link between two BigIron RX devices and provides fast detection of link failures. UDLD brings the ports on both ends of the link down if the link goes down at any point between the two devices. This feature is useful both for links that are individual ports and for trunk links. Figure 20 shows an example.
10 Configuration considerations Configuration considerations • The feature is supported only on Ethernet ports. • To configure UDLD on a trunk group, you must configure the feature on each port of the group individually. Configuring UDLD on a trunk group’s primary port enables the feature on that port only. • Dynamic trunking is not supported. If you want to configure a trunk group that contains ports on which UDLD is enabled, you must remove the UDLD configuration from the ports.
Displaying UDLD information 10 When UDLD is enabled on a port, UDLD starts sending keep-alive messages at a preconfigured interval. In the current implementation, if no keep-alive is received from the other end of the link after 3 retries, the port is set to logical link down. With the new design, after UDLD is enabled on a port, UDLD is kept in a newly created suspended state until it receives the first keep-alive message from the other end.
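The keep-alive logic just described, as an added illustration in Python rather than Brocade's implementation: a port starts in the suspended state and is not brought down for a peer that has never answered, moves to up on the first keep-alive, and is set to logical link down once the configured number of retries pass without a keep-alive. Treating a keep-alive received while down as recovery, and the counters named after the show link-keepalive fields, are assumptions made for the example.

```python
"""UDLD keep-alive state machine for one port (added example)."""


class UdldPort:
    def __init__(self, name, interval=1, retries=3):
        self.name, self.interval, self.retries = name, interval, retries
        self.state = "suspended"        # enabled, but no keep-alive seen yet
        self.missed = 0                 # consecutive intervals without a keep-alive
        self.packets_sent = self.packets_received = self.transitions = 0

    def _set_state(self, new):
        if new != self.state:
            self.state = new
            self.transitions += 1       # like "Transitions" in show link-keepalive

    def send_keepalive(self):
        """Called once per interval. A silent peer counts as a miss only
        after the link has been established; a suspended port stays
        suspended instead of being forced down."""
        self.packets_sent += 1
        if self.state == "up":
            self.missed += 1
            if self.missed >= self.retries:
                self._set_state("down")

    def receive_keepalive(self):
        self.packets_received += 1
        self.missed = 0
        self._set_state("up")           # assumption: also recovers from down

    def logical_link_up(self):
        # only the down state blocks forwarding; suspended follows the physical link
        return self.state != "down"
```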
10 Displaying UDLD information TABLE 62 CLI display of UDLD information This field... Displays... Total link-keepalive enabled ports The total number of ports on which UDLD is enabled. Keepalive Retries The number of times a port will attempt the health check before concluding that the link is down. Keepalive Interval The number of seconds between health check packets. Port The port number. Physical Link The state of the physical link.
Displaying UDLD information 10
BigIron RX(config)# show link-keepalive ethernet 4/1
Current State     : up          Remote MAC Addr   : 00e0.52d2.5100
Local Port        : 4/1         Remote Port       : 2/1
Local System ID   : e0927400    Remote System ID  : e0d25100
Packets sent      : 254         Packets received  : 255
Transitions       : 1
TABLE 63 CLI display of detailed UDLD information This field... Displays... Current State The state of the logical link.
10 Clearing UDLD statistics The show interface ethernet / command also displays the UDLD state for an individual port. In addition, the line protocol state listed in the first line will say “down” if UDLD has brought the port down. Here is an example: BigIron RX(config)# show interface ethernet 1/1 GigabitEthernet2/1 is disabled, line protocol is down, link keepalive is enabled Hardware is GigabitEthernet, address is 000c.dbe2.5900 (bia 000c.dbe2.
Chapter 11 VLANs Overview of Virtual Local Area Networks (VLANs) Virtual Local Area Networks (VLANs) allow you to segment traffic in a network by placing ports and interfaces into separate broadcast domains. Each broadcast domain is uniquely identified by a VLAN ID. These broadcast domains can span multiple devices. The device supports two types of VLANs: port-based VLANs and protocol-based VLANs. A port-based VLAN consists of interfaces that constitute a Layer 2 broadcast domain.
11 Overview of Virtual Local Area Networks (VLANs) FIGURE 21 Packet containing Brocade's 802.1Q VLAN tag. Untagged packet format, Ethernet II: Destination Address (6 bytes) | Source Address (6 bytes) | Type Field (2 bytes) | Data Field (up to 1500 bytes) | CRC (4 bytes). Untagged packet format, IEEE 802.3: Destination Address (6 bytes) | Source Address (6 bytes) | Length Field (2 bytes) | Data Field (up to 1496 bytes) | CRC (4 bytes). 802.1Q tagged packet format: Destination Address (6 bytes) | Source Address (6 bytes) | 802.1Q tag (4 bytes) | Type Field (2 bytes) | ...
11 Overview of Virtual Local Area Networks (VLANs) FIGURE 22 VLANs configured across multiple devices (figure not reproduced: user-configured port-based VLANs spanning two devices, each with a Segment 1 and a Segment 2; T = 802.1Q tagged port, shown on the Segment 1 ports). Tagging is required for the ports on Segment 1 because the ports are in multiple port-based VLANs. Tagging is not required for the ports on Segment 2 because each port is in only one port-based VLAN.
11 VLAN configuration rules If there are ports in a port-based VLAN that you want to exclude from protocol-based VLANs, the protocol-based VLAN can be configured to explicitly exclude those ports. VLAN configuration rules To create any type of VLAN on a device, Layer 2 forwarding must be enabled. When Layer 2 forwarding is enabled, the device becomes a switch on all ports for all non-routable protocols. The BigIron RX can support only up to 254 independent VLANs with Layer 2 protocols.
Configuring port-based VLANs 11 • A port can belong to multiple, overlapping Layer 2 port-based VLANs only if the port is a tagged port. Packets sent out of a tagged port use an 802.1q-tagged frame. • A port can belong to multiple, unique, overlapping Layer 3 protocol-based VLANs. • When both port and protocol-based VLANs are configured on a given device, all protocol-based VLANs must be strictly contained within a port-based VLAN.
11 Configuring port-based VLANs 2. Once an ID is assigned, the CLI directs you to the VLAN configuration level. At this level, you add ports to that VLAN and specify if the ports are tagged or untagged. BigIron RX(config-vlan-2)# untag e 1/9 to 1/16 BigIron RX(config-vlan-2)# tagged e 1/1 to 1/8 The example above configures a port-based VLAN, VLAN 2. It adds Ethernet ports 1/9 through 1/16 as untagged ports and ports 1/1 through 1/8 as tagged ports.
Configuring port-based VLANs 11 • If a port's VLAN has byte accounting enabled, you cannot enable rate limiting on that port. Similarly, if a port has rate limiting enabled, you cannot enable VLAN byte accounting on that port's VLAN. • Clearing the rate limiting counters using clear rate-limit counters will also clear VLAN byte-accounting counters. When using rate limiting together with VLAN byte accounting, it is recommended that you use individual port rate limiting counters.
11 Configuring port-based VLANs TABLE 64 Maximum # of rate limiting policies and VLANs w/ byte accounting permitted per-PPCR
Configuring protocol-based VLANs 11 You must specify a VLAN ID that is not already in use. For example, if VLAN 10 exists, do not use “10” as the new VLAN ID for the default VLAN. Valid VLAN IDs are from 1 – 4089; however, do not use VLANs 4090 – 4094, which are reserved for control purposes. Configuring protocol-based VLANs Once port-based VLANs are created, you can further segment the broadcast domains by creating protocol-based VLANs, based on Layer 3 protocols.
11 Configuring virtual routing interfaces Configuring an MSTP instance An MSTP instance is configured with an MSTP ID for each region. Each region can contain one or more VLANs. To configure an MSTP instance and assign a range of VLANs, use a command such as the following at the Global Configuration level.
Configuring virtual routing interfaces 11 Enter 1 to the maximum number of virtual routing interfaces supported on the device for . Bridging and routing the same protocol simultaneously on the same device Some configurations may require simultaneous switching and routing of the same single protocol across different sets of ports on the same router. When IP routing is enabled on a device, you can route IP packets on specific interfaces while bridging them on other interfaces.
11 Configuring virtual routing interfaces Integrated Switch Routing (ISR) Brocade Integrated Switch Routing (ISR) feature enables VLANs configured on the device to route Layer 3 traffic from one protocol-based VLAN to another instead of forwarding the traffic to an external router. The VLANs provide Layer 3 broadcast domains for the protocols, but do not in themselves provide routing services. This is true even if the source and destination protocols are on the same device.
VLAN groups 11 There is a separate STP domain for each port-based VLAN. Routing occurs independently across port-based VLANs or STP domains. You can define each end of each backbone link as a separate tagged port-based VLAN. Routing will occur independently across the port-based VLANs. Because each port-based VLAN’s STP domain is a single point-to-point backbone connection, you are guaranteed to never have an STP loop.
11 VLAN groups NOTE The device’s memory must be configured to contain at least the number of VLANs you specify for the higher end of the range. For example, if you specify 2048 as the VLAN ID at the high end of the range, you first must increase the memory allocation for VLANs to 2048 or higher. Refer to “Allocating memory for more VLANs or virtual routing interfaces” on page 319. 2. The CLI directs you to the VLAN group configuration level. Add tagged ports to the group.
Configuring super aggregated VLANs 11 The specifies a VLAN group. If you do not use this parameter, the configuration information for all the configured VLAN groups is displayed. Configuring super aggregated VLANs A super aggregated VLAN allows multiple VLANs to be placed within another VLAN. This feature allows you to construct Layer 2 paths and channels. A path contains multiple channels, each of which is a dedicated circuit between two end points.
11 Configuring super aggregated VLANs Each client connected to the edge device is in its own port-based VLAN. All the clients’ VLANs are aggregated by the edge device into a single VLAN for connection to the core. The device that aggregates the VLANs forwards the aggregated VLAN traffic through the core. The core can consist of multiple devices that forward the aggregated VLAN traffic.
Configuring super aggregated VLANs 11 This example shows a single link between the core devices. However, you can use a trunk group to add link-level redundancy. Configuring aggregated VLANs A maximum of 1526 bytes are supported on ports where super-aggregated VLANs are configured. This allows for an additional 8 bytes over the untagged port maximum to allow for support of two VLAN tags.
11 Configuring super aggregated VLANs • Enable VLAN aggregation. This support allows the core device to add an additional tag to each Ethernet frame that contains a VLAN packet from the edge device. The additional tag identifies the aggregate VLAN (the path). However, the additional tag can cause the frame to be longer than the maximum supported frame size. The larger frame support allows Ethernet frames up to 1530 bytes long. NOTE Enable the VLAN aggregation option only on the core devices.
Configuring super aggregated VLANs 11 Commands for device A
BigIron RX-A(config)# vlan 101
BigIron RX-A(config-vlan-101)# tagged ethernet 2/1
BigIron RX-A(config-vlan-101)# untagged ethernet 1/1
BigIron RX-A(config-vlan-101)# exit
BigIron RX-A(config)# vlan 102
BigIron RX-A(config-vlan-102)# tagged ethernet 2/1
BigIron RX-A(config-vlan-102)# untagged ethernet 1/2
BigIron RX-A(config-vlan-102)# exit
BigIron RX-
11 Configuring super aggregated VLANs
BigIron RX-C(config)# tag-type 9100
BigIron RX-C(config)# aggregated-vlan
BigIron RX-C(config)# vlan 101
BigIron RX-C(config-vlan-101)# tagged ethernet 4/1
BigIron RX-C(config-vlan-101)# untagged ethernet 3/1
BigIron RX-C(config-vlan-101)# exit
BigIron RX-C(config)# vlan 102
BigIron RX-C(config-vlan-102)# tagged ethernet 4/1
BigIron RX-C(config-vlan-102)# untagged ethernet 3/2
BigIron RX-C(config-vlan-102)# exit
BigIron RX-C(config)# write memory
Commands for device
Configuring 802.1q-in-q tagging 11 Commands for device F The commands for configuring device F are identical to the commands for configuring device E. In this example, since the port numbers on each side of the configuration in Figure 24 on page 302 are symmetrical, the configuration of device F is also identical to the configuration of device A and device B.
11 Configuring 802.1q-in-q tagging As shown in Figure 25, the ports to customer interfaces are untagged, whereas the uplink ports to the provider cloud are tagged, because multiple client VLANs share the uplink to the provider cloud. In this example, the device treats the customer’s private VLAN ID and 8100 tag type as normal payload, and adds the 9100 tag type to the packet when the packet is sent to the uplink and forwarded along the provider cloud.
Configuring 802.1q-in-q tagging 11 Enabling 802.1Q-in-Q tagging To enable the 802.1Q-in-Q feature, configure an 802.1Q tag type on the untagged edge links (the customer ports) to any value other than the 802.1Q tag for incoming traffic. For example, in Figure 27, the 802.1Q tag on the untagged edge links (ports 11 and 12) is 9100, whereas, the 802.1Q tag for incoming traffic is 8100. To configure 802.
11 Configuring 802.1q tag-type translation FIGURE 27 Example 802.1Q-in-Q configuration (figure not reproduced: on one edge, Client 1 through Client 5 on ports 1/1 through 1/5 in VLANs 101 through 105; on the other edge, Client 6 through Client 10 on ports 1/1 through 1/5 in the same VLANs; Client 1 is 192.168.1.69/24).
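The edge-port rule above (the tag-type on the untagged edge links must differ from the 802.1Q tag of incoming traffic) and the extra 4-byte tag that the aggregated-VLAN core adds, worked through as an added example in Python rather than Brocade code. A frame arriving on an untagged edge port is read as tagged only when its TPID matches the port's configured tag-type: with the edge at 9100, the customer's 8100 tag is carried as payload under a pushed 9100 provider tag (a 1522-byte customer frame grows to 1526 bytes, the maximum quoted for super aggregated VLAN ports) and the far edge pops it back; with the edge left at 8100, the customer's own tag decides the provider VLAN. Frame contents, MAC addresses, VLAN IDs and the provider VLAN number are constructed for illustration.

```python
"""802.1Q / Q-in-Q tag handling at a provider edge port (added example)."""
import struct

TAG_8100, TAG_9100 = 0x8100, 0x9100
MAC_HDR = 12                    # destination + source address


def push_tag(frame, vid, tag_type, pcp=0):
    """Insert a 4-byte tag (TPID + TCI) after the MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:MAC_HDR] + struct.pack("!HH", tag_type, tci) + frame[MAC_HDR:]


def pop_tag(frame, tag_type):
    """Remove the outermost tag; it must carry the expected tag-type."""
    tpid, tci = struct.unpack_from("!HH", frame, MAC_HDR)
    if tpid != tag_type:
        raise ValueError("outer tag type 0x%04x, expected 0x%04x" % (tpid, tag_type))
    return frame[:MAC_HDR] + frame[MAC_HDR + 4:], tci & 0x0FFF


def tag_stack(frame, known=(TAG_8100, TAG_9100)):
    """(tag_type, vid) pairs from the outermost tag inwards."""
    stack, off = [], MAC_HDR
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in known:
            break
        stack.append((tpid, tci & 0x0FFF))
        off += 4
    return stack


def edge_ingress(frame, port_tag_type, port_vid):
    """Ingress on an edge port configured untagged in VLAN port_vid.

    Only a frame whose first TPID equals the port's configured tag-type is
    treated as tagged; anything else is untagged payload and receives the
    port VLAN as its outer tag.  Returns (frame, vlan used, how decided).
    """
    tpid, tci = struct.unpack_from("!HH", frame, MAC_HDR)
    if tpid == port_tag_type:
        return frame, tci & 0x0FFF, "trusted-frame-tag"
    return push_tag(frame, port_vid, port_tag_type), port_vid, "pushed-port-vlan"


def customer_frame(vid, payload_len=1500):
    """Constructed customer frame: MAC header, 8100 tag, IPv4 ethertype,
    maximum-size data field and a placeholder CRC (1522 bytes)."""
    da, sa = bytes.fromhex("00e052d25100"), bytes.fromhex("000cdbe25900")
    body = struct.pack("!H", 0x0800) + bytes(payload_len) + b"\x00" * 4
    return push_tag(da + sa + body, vid, TAG_8100)


if __name__ == "__main__":
    f = customer_frame(101)
    out, vid, how = edge_ingress(f, TAG_9100, 205)     # edge at 9100: correct
    print(how, vid, len(out), tag_stack(out))
    out2, vid2, how2 = edge_ingress(f, TAG_8100, 205)  # edge at 8100: customer chooses VLAN
    print(how2, vid2, tag_stack(out2))
```

The second case is the one the configuration rule prevents: when the edge still honours 8100, a customer who tags frames for VLAN 101 is placed into the provider's VLAN 101, not into the VLAN assigned to that port.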
FIGURE 28 802.1q tag-type translation configuration example 1 (figure; labels: Customer Edge Switch 1 and Customer Edge Switch 2 exchange frames tagged 8100 in the Customer VLAN; Provider Core Switch 1 and Provider Core Switch 2 carry them tagged 9100 in the Provider VLAN across the Network Core)

As illustrated in Figure 28, the devices process the packet as follows:
• Customer Edge Switch 1 sends a packet with an 802.
FIGURE 29 802.1q tag-type translation configuration example 2 (figure; labels: Edge Switch 1 and Edge Switch 2 with global 802.1Q tag-type 8200; Core Switch 1 and Core Switch 2 with multiple 802.1Q tag-types 8300, 8400, 8500 and 9100; incoming and outgoing frames on Core Switch 1 shown tagged (T) and untagged (U)) Global 802.
• If you configure a port with an 802.1q tag-type, the device automatically applies the 802.1q tag-type to all ports within the same port region.
• If you remove the 802.1q tag-type from a port, the device automatically removes the 802.1q tag-type from all ports within the same port region.
• Brocade does not recommend configuring different 802.1q tag-types on ports that are part of a multi-slot trunk. Use the same 802.
Private VLANs

A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also provides additional control over flooding packets on a VLAN. Figure 30 shows an example of an application using a private VLAN.

FIGURE 30 Private VLAN used to secure communication between a workstation and servers

A private VLAN secures traffic between a primary port and host ports. Traffic between the hosts and the rest of the network must travel through the primary port.
• Isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
• Community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.

Each private VLAN must have a primary VLAN. The primary VLAN is the interface between the secured ports and the rest of the network.
• A primary VLAN can have multiple ports. All these ports are active, but which ports are used depends on the private VLAN mappings. Also, secondary VLANs (isolated and community VLANs) can be mapped to multiple primary VLAN ports.
BigIron RX(config)# vlan 901
BigIron RX(config-vlan-901)# untagged ethernet 3/5 to 3/6
BigIron RX(config-vlan-901)# pvlan type community

These commands create port-based VLAN 901, add ports 3/5 and 3/6 to the VLAN as untagged ports, then specify that the VLAN is a community private VLAN.

Syntax: untagged ethernet [to | ethernet ]
Syntax: [no] pvlan type community | isolated | primary

The untagged command adds the ports to the VLAN.
Enabling broadcast, multicast or unknown unicast traffic to the private VLAN

To enhance private VLAN security, the primary private VLAN does not forward broadcast or unknown unicast packets to its community and isolated VLANs. For example, if port 3/2 in Figure 30 on page 314 receives a broadcast packet from the firewall, the port does not forward the packet to the other private VLAN ports (3/5, 3/6, 3/9, and 3/10).
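The flooding rules for isolated, community and primary ports described in this section, as an added model that is not code from the Brocade guide. Port 3/2 as the primary port and ports 3/5 and 3/6 in community VLAN 901 follow the text; treating 3/9 and 3/10 as an isolated VLAN, and flooding between several primary ports, are assumptions made for the example.

```python
# Added example (not from the Brocade guide): which ports a private VLAN floods
# a broadcast or unknown-unicast frame to, following the isolated / community /
# primary rules in the text, plus a defender's check that no secondary port can
# reach a secondary port outside its own community.
from dataclasses import dataclass


@dataclass
class PrivateVlan:
    primary_ports: set   # ports of the primary VLAN (e.g. 3/2 towards the firewall)
    community: dict      # community VLAN id -> set of ports
    isolated: set        # ports of the isolated VLAN
    # Models the guide's option to let the primary VLAN forward broadcast and
    # unknown unicast to its secondary VLANs; off by default as the text says.
    flood_from_primary: bool = False

    def role(self, port):
        if port in self.primary_ports:
            return "primary"
        if port in self.isolated:
            return "isolated"
        for vid, ports in self.community.items():
            if port in ports:
                return f"community {vid}"
        raise ValueError(f"port {port} is not in this private VLAN")

    def secondary_ports(self):
        return set(self.isolated).union(*self.community.values())

    def flood_targets(self, ingress):
        """Ports that receive a broadcast/unknown-unicast frame arriving on ingress."""
        role = self.role(ingress)
        if role == "isolated":
            # isolated: only the primary port(s), never other isolated ports
            return set(self.primary_ports)
        if role.startswith("community"):
            vid = int(role.split()[1])
            return set(self.primary_ports) | (self.community[vid] - {ingress})
        # primary: by default the secured ports are not flooded at all
        # (other primary ports still are; an assumption of this model)
        if not self.flood_from_primary:
            return set(self.primary_ports) - {ingress}
        return (set(self.primary_ports) | self.secondary_ports()) - {ingress}

    def verify_isolation(self):
        """Return (ingress, target) pairs where a secondary port could reach a
        secondary port it should not: any other isolated port, or a port in a
        different community. An empty list means the isolation property holds."""
        violations = []
        for port in self.secondary_ports():
            for target in self.flood_targets(port):
                if target in self.primary_ports:
                    continue
                if self.role(port) == "isolated" or self.role(target) != self.role(port):
                    violations.append((port, target))
        return violations


def figure30_pvlan():
    """Constructed instance following Figure 30 and the VLAN 901 example."""
    return PrivateVlan(
        primary_ports={"3/2"},
        community={901: {"3/5", "3/6"}},
        isolated={"3/9", "3/10"},   # assumption: the remaining ports are isolated
    )


if __name__ == "__main__":
    pv = figure30_pvlan()
    for port in ("3/2", "3/5", "3/9"):
        print(f"flood from {port} ({pv.role(port)}): {sorted(pv.flood_targets(port))}")
    print("isolation violations:", pv.verify_isolation())
```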
Other VLAN features

Allocating memory for more VLANs or virtual routing interfaces

By default, you can configure up to 512 VLANs and virtual routing interfaces on the device. Although this is the default maximum, the device can support up to 4089 VLANs and 4095 virtual routing interfaces. (VLAN IDs 0, 4090, 4091, 4092 and 4095 are reserved.)

NOTE
If many of your VLANs will have an identical configuration, you might want to configure VLAN groups.
• You cannot enable this feature on the designated management VLAN for the device.
• If you enable this feature on a VLAN that includes a trunk group, hardware flooding for Layer 2 multicast and broadcast packets occurs only on the trunk group's primary port. Multicast and broadcast traffic for the other ports in the trunk group is handled by software.

Unknown unicast flooding on VLAN ports

Unknown unicast packets do not have a specific (or unicast) recipient.
Use the unknown-unicast parameter to specify CPU flooding for unknown unicast packets only.

NOTE
This command does not erase any multicast or unknown-unicast flooding configuration. If this command is enabled, then it supersedes the per-VLAN configuration.

Configuring uplink ports within a port-based VLAN

You can configure a subset of the ports in a port-based VLAN as uplink ports.
Displaying VLAN information

Enter the following command at any CLI level.
The ethernet / parameter specifies a port. The command lists all the VLAN memberships for the port. The output shows the following information.

TABLE 68 Output of show vlan ethernet
This field... | Displays...
Port / is a member of # VLANs | The number of VLANs a port is a member of.
VLANs | The IDs of the VLANs that the port is a member of.
TABLE 69 Output of show vlan detail
This field... | Displays...
Untagged Ports | This line appears if you do not specify a VLAN. It lists all the ports that are configured as untagged ports in all the VLANs on the device.
Tagged Ports | This line appears if you do not specify a VLAN. It lists all the ports that are configured as tagged ports in all the VLANs on the device.
Dual-mode ports | This line appears if you do not specify a VLAN.
Transparent firewall mode

The Transparent Firewall mode allows the device to switch self-originated control packets. By default, Brocade devices will drop control packets received with the device's MAC address as the packet's source MAC address (i.e., a self-originated packet from the switch or router). Under the Transparent Firewall mode, switching of self-originated packets is allowed. The Transparent Firewall mode feature is a per-VLAN configuration and is disabled by default.
Chapter 12 Configuring Spanning Tree Protocol

IEEE 802.1D Spanning Tree Protocol (STP)

The BigIron RX supports Spanning Tree Protocol (STP) as described in the IEEE 802.1D-1998 specification. STP eliminates Layer 2 loops in networks by selectively blocking some ports and allowing other ports to forward traffic, based on configurable bridge and port parameters. STP also ensures that the least-cost path is taken when multiple paths exist between ports or VLANs.
NOTE
When you configure a VLAN, the VLAN inherits the global STP settings. However, once you begin to define a VLAN, you can no longer configure standard STP parameters globally using the CLI. From that point on, you can configure STP only within individual VLANs.

To enable STP for all ports in all VLANs on a device, enter the following command.
TABLE 72 Default STP bridge parameters (Continued)
Parameter | Description | Default and valid values
Hello Time | The interval of time between each configuration BPDU sent by the root bridge. | 2 seconds. Possible values: 1 – 10 seconds
Priority | A parameter used to identify the root bridge in a spanning tree (instance of STP). The bridge with the lowest value has the highest priority and is the root. |
NOTE
The hello-time parameter applies only when the device or VLAN is the root bridge for its spanning tree.

Changing STP port parameters

To change the path and priority costs for a port, enter commands such as the following.
Syntax: [no] spanning-tree root-protect

Enter the no form of the command to disable STP Root Guard on the port.

Setting the STP root guard timeout period

To configure the STP Root protect timeout period globally, enter a command such as the following.

BigIron RX(config)# spanning-tree root-protect timeout 120

Syntax: spanning-tree root-protect timeout

The timeout in seconds parameter allows you to set the timeout period.
To prevent an end station from initiating or participating in STP topology changes, enter the following command at the interface level of the CLI.

BigIron RX(config)# interface ethe 2/1
BigIron RX(config-if-e1000-2/1)# spanning-tree protect

This command causes the port to drop STP BPDUs sent from the device on the other end of the link.
TABLE 74 CLI display of STP information (Continued)
This field... | Displays...
Bridge Identifier | The ID assigned by STP to this bridge for this spanning tree, in hexadecimal. NOTE: If this address is the same as the Root ID, then this device or VLAN is the root bridge for its spanning tree.
TABLE 74 CLI display of STP information (Continued)
This field... | Displays...
State | The port's STP state. The state can be one of the following: BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop. The device or VLAN can reach the root bridge using another port, whose state is FORWARDING. When a port is in this state, the port does not transmit or receive user frames, but the port does continue to receive STP BPDUs.
TABLE 75 CLI display of detailed STP information for ports
This field... | Displays...
VLAN ID | The VLAN that contains the listed ports and the number of STP instances on this VLAN. The STP type can be one of the following:
  • Brocade proprietary multiple Spanning Tree
  • IEEE 802.1Q Single Spanning Tree (SSTP)
  NOTE: If STP is disabled on a VLAN, the command displays the following message instead: "Spanning-tree of port-vlan is disabled.
TABLE 75 CLI display of detailed STP information for ports (Continued)
This field... | Displays...
STP port parameters
Port number and STP state | The internal port number and the port's STP state. The internal port number is one of the following:
  • The port's interface number, if the port is the designated port for the LAN.
  • The interface number of the designated port from the received BPDU, if the interface is not the designated port for the LAN.
TABLE 76 CLI display of STP information for the specified Ethernet interface
This field... | Displays...
| The STP/RSTP/MSTP protocol information for the specified Ethernet interface. NOTE: If the Ethernet interface is not added to any STP-enabled VLANs, the command displays the following message instead: "No STP-configured VLANs for the port".
STP port parameters
Port Num | The port number.

IEEE Single Spanning Tree (SSTP)
SSTP uses the same parameters, with the same value ranges and defaults, as the default STP supported on the device. Refer to "Default STP bridge and port parameters" on page 328.

SSTP defaults

SSTP is disabled by default. When you enable the feature, all VLANs on which STP is enabled become members of a single spanning tree.
The commands shown above override the global setting for STP priority and set the priority to 10 for port 1/1. Here is the syntax for the global STP parameters.

Syntax: [no] spanning-tree single [forward-delay ] [hello-time ] | [maximum-age
PVST/PVST+ compatibility

Brocade's support for Cisco's Per VLAN Spanning Tree plus (PVST+) allows the device to run multiple spanning trees (MSTP) while also interoperating with IEEE 802.1Q devices. Brocade ports automatically detect PVST+ BPDUs and enable support for the BPDUs once detected. When it is configured for MSTP, the device can interoperate with PVST.
For the port to also support the other VLANs (the PVST+ VLANs) in tagged mode, the port must be a dual-mode port. The untagged frames are supported on the port's native VLAN. By default, the native VLAN is the same as the device's default VLAN, which by default is VLAN 1. Thus, to support IEEE 802.1Q in a typical configuration, the port must be able to send and receive untagged frames for VLAN 1 and tagged frames for the other VLANs.
BigIron RX(config)# show span pvst-mode
PVST+ Enabled on:
Port   Method
1/1    Set by configuration
1/2    Set by configuration
2/10   Set by auto-detect
3/12   Set by configuration
4/24   Set by auto-detect

Syntax: show span pvst-mode

This command displays the following information.

TABLE 77 CLI Display of PVST+ Information
This field... | Displays...
Port | The Brocade port number. NOTE: The command lists information only for the ports on which PVST+ support is enabled.
These commands configure a VLAN group containing VLANs 2, 3, and 4, add port 1/1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port. The dual-mode feature allows the port to send and receive untagged frames for the default VLAN (VLAN 1 in this case) in addition to tagged frames for VLANs 2, 3, and 4. Enabling the PVST+ support ensures that the port is ready to send and receive PVST+ BPDUs.
• Drop tagged PVST BPDUs for VLAN 1.

Note that when VLAN 1 is not the default VLAN, the ports must have an untagged VLAN enabled in order to process IEEE 802.1Q BPDUs. For example, the following configuration is incorrect.
SuperSpan™

FIGURE 34 SuperSpan example (figure; labels: SuperSpan root bridge; Cust 1 and Cust 2 each attached through Port1/1 and Port1/2; SP 1 on Port2/1 and SP 2 on Port2/2; ports marked FWD and BLK)

In this example, the SP network contains two devices that are running SuperSpan. The SP is connected to two customer networks. Each customer network is running its own instance of STP.
Each Brocade device that is configured for SuperSpan forwards the BPDU using the changed destination MAC address. At the other end of the tunnel, the Brocade device connected to the customer's network changes the destination MAC address back to the bridge group address (01-80-c2-00-00-00).

Preforwarding state

To ensure that the customer's network has time to converge at Layer 2 and prevent loops, the Brocade devices configured for SuperSpan use a special forwarding state, Preforwarding.
Mixing single STP and multiple spanning trees

You can use SuperSpan in any of the following combinations:
• Customer and SP networks both use multiple spanning trees (a separate spanning tree in each VLAN).
• Customer uses multiple spanning trees but SP uses Single STP (all STP-enabled VLANs are in the same spanning tree).
• Customer uses Single STP but SP uses multiple spanning trees.
• Customer and SP networks both use Single STP.
In the above example, STP in VLAN 10 will select R10 as the root bridge and make port 1/1 on R10 forwarding while blocking port 3/1 on R20. The opposite occurs for STP in VLAN 20. As a result, both links connecting the customer and SP regions are fully utilized and serve as backup links at the same time, providing loop-free, non-blocking connectivity.
Customer uses single STP but SP uses multiple spanning trees

Figure 38 shows an example of SuperSpan where the customer network uses Single STP while the SP uses multiple spanning trees.
FIGURE 39 Customer and SP using single STP (figure; labels: Customer Region running single span on ports 1/1, 2/1 and 2/2; Provider Region running single span on ports 2/1, 3/1 and 2/2, tagged to multiple VLANs; R xx marks the root bridge for VLAN xx; stp-boundary ports untagged to VLAN 100 (Super Aggregated VLAN))

In this setup, both the customer and SP networks are running a single spanning tree at Layer 2. The traffic from VLAN 10 and 20 will be carried, or aggregated, by VLAN 100 at the SP network as in the previous scenario.
These commands configure two interfaces on the Brocade device as SuperSpan boundary interfaces. Interface 1/1 is a boundary interface with customer 1. Interface 1/2 is a boundary interface with customer 2. Each boundary interface is associated with a number, which is the SuperSpan ID. The SuperSpan ID identifies the instance of SuperSpan you are associating with the interface. Use the same SuperSpan ID for each boundary interface with the same customer.
BigIron RX(config)# show super-span
CID 1 Boundary Ports:
Port   C-BPDU  C-BPDU  T-BPDU  T-BPDU
       Rxed    Txed    Rxed    Txed
1/1    1       0       0       0
1/2    0       0       0       0
Total  1       0       0       0
CID 2 Boundary Ports:
Port   C-BPDU  C-BPDU  T-BPDU  T-BPDU
       Rxed    Txed    Rxed    Txed
2/1    0       0       3       0
2/2    0       0       0       0
Total  0       0       3       0

In this example, the device has two SuperSpan customer IDs.

Syntax: show superspan [cid ]

The cid parameter specifies a SuperSpan customer ID.
Chapter 13 Configuring Rapid Spanning Tree Protocol

Overview of Rapid Spanning Tree Protocol

RSTP provides rapid convergence and takes advantage of point-to-point wiring of the spanning tree. Failure in one forwarding path does not affect other forwarding paths. RSTP improves the operation of the spanning tree while maintaining backward compatibility.

NOTE
The total number of supported STP, RSTP, or MSTP indices is 128.
Assignment of port roles

At system start-up, all RSTP-enabled bridge ports assume a Designated role. Once start-up is complete, the RSTP algorithm calculates the superiority or inferiority of the RST BPDU that is received and transmitted on a port. On a root bridge, each port is assigned a Designated port role, except for ports on the same bridge that are physically connected together.
FIGURE 40 Simple RSTP topology (figure; labels: Switch 1 with bridge priority 100, Switch 2 with bridge priority 200, Switch 3 with bridge priority 300, Switch 4 with bridge priority 400, connected through Port2, Port3, Port4, Port7 and Port8)

Ports on Switch 1

All ports on Switch 1, the root bridge, are assigned Designated port roles.

Ports on Switch 2

Port2 on Switch 2 directly connects to the root bridge; therefore, Port2 is the Root port.
Ports on Switch 4

Switch 4 is not directly connected to the root bridge. It has two ports with superior incoming RST BPDUs from two separate LANs: Port3 and Port4. The RST BPDUs received on Port3 are superior to the RST BPDUs received on Port4; therefore, Port3 becomes the Root port and Port4 becomes the Alternate port.

Edge ports and edge port roles

Brocade's implementation of RSTP allows ports that are configured as Edge ports to be present in an RSTP topology.
Point-to-point ports

To take advantage of the RSTP features, ports on an RSTP topology should be explicitly configured as point-to-point links. Shared media should not be configured as point-to-point links.

NOTE
Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops.

The topology in Figure 42 is an example of shared media that should not be configured as point-to-point links.
If a port on one bridge has a Designated role and that port is connected to a port on another bridge that has an Alternate or Backup role, the port with the Designated role cannot be given a Root port role until two instances of the forward delay timer expire on that port.

Edge port and non-edge port states

As soon as a port is configured as an Edge port, it goes into a forwarding state instantly (in less than 100 msec).
• Topology Change – This state machine detects, generates, and propagates topology change notifications. It acknowledges Topology Change Notice (TCN) messages when operating in 802.1D mode. It also flushes the MAC table when a topology change event takes place.
• Port State Transition – This state machine transitions the port to a discarding, learning, or forwarding state and performs any necessary processing associated with the state changes.
• Proposing – The Designated port on the root bridge sends an RST BPDU packet to its peer port that contains a proposal flag. The proposal flag is a signal that indicates that the Designated port is ready to put itself in a forwarding state (Figure 43). The Designated port continues to send this flag in its RST BPDU until it is placed in a forwarding state (Figure 46) or is forced to operate in 802.1D mode. (Refer to "Compatibility of RSTP with 802.
FIGURE 44 Sync stage (figure; labels: Switch 100 Root Bridge, Port1 Designated port; Switch 200, Port1 Root port, Sync; Port2 and Port3 Sync, Discarding; Switch 300 and Switch 400; arrows indicate a signal)

• Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced. The Root port monitors the synced signals from all the bridge ports.
FIGURE 45 Synced stage (figure; labels: Switch 100 Root Bridge, Port1 Designated port; Switch 200, Port1 Root port, Synced; Port2 and Port3 Synced, Discarding; Switch 300 and Switch 400; arrows indicate a signal)

• Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state. When the peer Designated port receives the RST BPDU, it rapidly transitions into a forwarding state.
FIGURE 46 Agree stage (figure; labels: Switch 100 Root Bridge, Port1 Designated port, Forwarding; RST BPDU sent with an Agreed flag; Switch 200, Port1 Root port, Synced, Forwarding; Port2 and Port3 Synced, Discarding; Switch 300 and Switch 400; arrows indicate a signal)

At this point, the handshake mechanism is complete between Switch 100, the root bridge, and Switch 200.
FIGURE 47 Addition of a new root bridge (figure; labels: Switch 60 with Port2 and Port4 Designated ports; Switch 100 with Port2 Designated port and Port1 Designated port; Switch 200 with Port1 Root port, Port2, Port3 and Port4; Switch 300 and Switch 400)

The handshake that occurs between Switch 60 and Switch 100 follows the one described in the previous section ("Handshake when no root port is elected" on page 363). The former root bridge becomes a non-root bridge and establishes a Root port (Figure 48).
FIGURE 48 New root bridge sending a proposal flag (figure; labels: Switch 60, Port2 Designated port, Port4 Designated port, Proposing; Switch 100, Handshake Completed, Port2 Root port, Port1 Proposing; RST BPDU sent with a Proposing flag; Switch 200, Port1 Root port, Forwarding, Port4 Designated port, Proposed; Switch 300 and Switch 400)

• Sync and Reroot – The Root port then asserts a sync and a reroot signal on all the ports on the bridge.
FIGURE 49 Sync and reroot (figure; labels: Switch 60, Port2 Designated port, Port4 Designated port, Proposing; Switch 100, Port2 Root port, Port1 Proposing; Switch 200, Port1 Root port, Sync Reroot, Forwarding, Port2 and Port3 Sync Reroot, Discarding, Port4 Root port, Sync Reroot, Discarding; Switch 300 and Switch 400; arrows indicate a signal)

• Sync and Rerooted – When the ports on Switch 200 have completed the reroot phase, they assert their rerooted signals and continue t
FIGURE 50 Sync and rerooted (figure; labels: Switch 60, Port2 Designated port, Port4 Designated port; Switch 100, Port2 Root port, Port1 Proposing; Switch 200, Port1 Designated port, Sync Rerooted, Discarding, Port2 and Port3 Sync Rerooted, Discarding, Port4 Root port, Sync Rerooted, Discarding; Switch 300 and Switch 400) Indicates an 802.
FIGURE 51 Rerooted, synced, and agreed (figure; labels: Switch 60, Port2 Designated port, Port4 Designated port, Forwarding; Switch 100, Port2 Root port, Port1 Proposing; RST BPDU sent with an Agreed flag; Switch 200, Port1 Rerooted Synced, Discarding, Port2 and Port3 Rerooted Synced, Discarding, Port4 Root port, Rerooted Synced, Forwarding; Switch 300 and Switch 400; arrows indicate a signal)

The old Root port on Switch 200 becomes an Alternate Port (Figure 52).
FIGURE 52 Handshake completed after election of new root port (figure; labels: Switch 60, Port2 Designated port, Port4 Designated port; Switch 100, Port2 Root port, Port1 Proposing; Switch 200, Port1 Alternate port, Port4 Root port, Port2 and Port3 Proposing; Switch 300 and Switch 400)

Recall that Switch 200 sent the agreed flag to Port4/Switch 60 and not to Port1/Switch 100 (the port that connects Switch 100 to Switch 200).
Convergence in a simple topology

NOTE
The rapid convergence will not occur on ports connected to shared media devices, such as hubs. To take advantage of the rapid convergence provided by RSTP, make sure to explicitly configure all point-to-point links in a topology.

Convergence at start up

In Figure 53, two bridges, Switch 2 and Switch 3, are powered up. There are point-to-point connections between Port3/Switch 2 and Port3/Switch 3.
FIGURE 54 Simple Layer 2 topology (figure; labels: Switch 1, bridge priority 1000, Port2 Designated port, Port4 Designated port, Port5 Backup port; Switch 2, bridge priority 1500, Port2 Root port, Port3 Designated port; Switch 3, bridge priority 2000, Port3 Alternate port, Port4 Root port)

The point-to-point connections between the three bridges are as follows:
• Port2/Switch 1 and Port2/Switch 2
• Port4/Switch 1 and Port4/Switch 3
• Port3/Switch 2 and Por
Port2/Switch 2 also sends an RST BPDU with an agreed flag to Port2/Switch 1, confirming that Port2 is the new Root port. Both ports go into forwarding states. Now, Port3/Switch 3 is currently in a discarding state and is negotiating a port role. It received RST BPDUs from Port3/Switch 2.
FIGURE 56 Link failure in the topology (figure; labels: Switch 1, bridge priority 1000, Port2, Port4, Port5; Switch 2, bridge priority 1500, Port2, Port3; Switch 3, bridge priority 2000, Port3, Port4)

Switch 1 sets its Port2 into a discarding state. At the same time, Switch 2 assumes the role of a root bridge since its root port failed and it has no operational Alternate port. Port3/Switch 2, which currently has a Designated port role, sends an RST BPDU to Switch 3.
When Port2/Switch 2 receives the RST BPDUs, the RSTP algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port. All the ports on Switch 2 are informed that a new Root port has been assigned, which then signals all the ports to synchronize their roles and states.
Convergence in a complex RSTP topology

FIGURE 57 Complex RSTP topology (figure; labels: Switch 1, bridge priority 1000; Switch 2, bridge priority 200; Switch 3, bridge priority 300; Switch 4, bridge priority 400; Switch 5, bridge priority 60; Switch 6, bridge priority 900; connected through Port2, Port3, Port4, Port5, Port7 and Port8)

In Figure 57, Switch 5 is selected as the root bridge since it is the bridge with the highest priority.
Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is then given an Alternate port role, and remains in discarding state. Likewise, Port5/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is also given an Alternate port role, and remains in discarding state. Port2/Switch 2 transmits an RST BPDU with a proposal flag to Port2/Switch 1. Port2/Switch 1 becomes the Root port.
FIGURE 58 Active Layer 2 path in complex topology (figure; same switches and bridge priorities as Figure 57; highlighted links indicate the active Layer 2 path)

Propagation of topology change

The Topology Change state m
FIGURE 59 Beginning of topology change notice (figure; same switches and bridge priorities as Figure 57; highlighted links indicate the active Layer 2 path; arrows indicate the direction of the TCN)

Switch 2 then starts the TCN ti
FIGURE 60 Sending TCN to bridges connected to Switch 2 (figure; same switches and bridge priorities as Figure 57; highlighted links indicate the active Layer 2 path; arrows indicate the direction of the TCN)

Then FRY1, Switch 5, an
FIGURE 61 Completing the TCN propagation (figure; same switches and bridge priorities as Figure 57; highlighted links indicate the active Layer 2 path; arrows indicate the direction of the TCN)

Compatibility of RSTP with 802.
For example, in Figure 62, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format to allow them to operate transparently with Switch 20.

FIGURE 62 RSTP bridges with an 802.1D bridge (figure; labels: Switch 10 802.1W, Switch 20 802.1D, Switch 30 802.1W)

Once Switch 20 is removed from the LAN, Switch 10 and Switch 30 receive and transmit BPDUs in the STP format to and from each other.
Configuring RSTP parameters

BigIron RX(config)# vlan 10
BigIron RX(config-vlan-10)# rstp

Syntax: [no] rstp

Enabling or disabling RSTP on a single spanning tree

To globally enable RSTP for all ports of a single spanning tree, enter the following command.

BigIron RX(config)# rstp single

Syntax: [no] rstp single

Disabling or enabling RSTP on a port

The rstp command must be used to initially enable RSTP on ports.
The max-age parameter specifies the amount of time the device waits to receive a hello packet before it initiates a topology change. Possible values: 6 – 40 seconds. The default is 20 seconds. The value of max-age must be greater than the value of forward-delay to ensure that the downstream bridges do not age out faster than the upstream bridges (those bridges that are closer to the root bridge).
TABLE 79 Recommended path cost values of RSTP (Continued)
Link speed | Recommended (default) RSTP path cost values | Recommended RSTP path cost range
1 Gigabit per second | 20,000 | 2,000 – 200,000,000
10 Gigabits per second | 2,000 | 200 – 20,000
100 Gigabits per second | 200 | 20 – 2,000
1 Terabit per second | 20 | 2 – 200
10 Terabits per second | 2 | 1 – 20

The priority parameter specifies the preference that RSTP gives to this port relative to other ports for forwar
In addition, Fast Port Span enhances overall network performance in the following ways:
• Fast Port Span reduces the number of STP topology change notifications on the network. When an end station attached to a Fast Span port comes up or down, the Brocade device does not generate a topology change notification for the port. In this situation, the notification is unnecessary since a change in the state of the host does not affect the network's topology.
BigIron RX(config)# fast port-span
BigIron RX(config)# write memory

Excluding specific ports from fast port span

You can exclude individual ports from Fast Port Span while leaving Fast Port Span enabled globally. To do so, use the following method.

Using the CLI

To exclude a port from Fast Port Span, enter commands such as the following.
You can use the Fast Uplink feature on a Brocade device deployed as a wiring closet switch to decrease the convergence time for the uplink ports to another device to just four seconds (two seconds for listening and two seconds for learning). The wiring closet switch must be a Brocade device, but the device at the other end of the link can be a Brocade device or another vendor’s switch. Configuration of the Fast Uplink Span feature takes place entirely on the Brocade device.
Using the CLI

To configure a group of ports for Fast Uplink Span, enter the following commands.

BigIron RX(config)# fast uplink-span ethernet 4/1 to 4/4
BigIron RX(config)# write memory

Syntax: [no] fast uplink-span [ethernet [ethernet … | to ]]

This example configures four ports, 4/1 – 4/4, as a Fast Uplink Span group. In this example, all four ports are connected to a wiring closet switch.
Displaying RSTP information

BigIron RX(config)# show rstp vlan 10
VLAN 10 - RSTP instance 0
-------------------------------------------------------------------
RSTP (IEEE 802.
TABLE 80 CLI display of RSTP summary (Continued)

This field... Displays...

Designated Bridge Identifier: The bridge from where the root information was received. It can be from the root bridge itself, but it could also be from another bridge.

Root Port: The port on which the root information was received. This is the port that is connected to the Designated Bridge.

Max Age: The max age is derived from the Root port.
TABLE 80 CLI display of RSTP summary (Continued)

This field... Displays...

Role: The current role of the port:
• Root
• Designated
• Alternate
• Backup
• Disabled
Refer to “Bridges and bridge port roles” on page 357 for definitions of the roles.

State: The port’s current RSTP state. A port can have one of the following states:
• Forwarding
• Discarding
• Learning
• Disabled
Refer to “Bridge port states” on page 361 and “Edge port and non-edge port states” on page 362.
TABLE 81 The show rstp detail command output (Continued)

This field... Displays...

forceVersion: The configured version of the bridge:
• 0 – The bridge has been forced to operate in an STP compatible mode.
• 2 – The bridge has been forced to operate in an RSTP mode.

MigrateTime: The number of seconds the bridge took to migrate from STP to RSTP mode.

txHoldCount: The number of BPDUs that can be transmitted per Hello Interval. The default is 3.
TABLE 81 The show rstp detail command output (Continued)

This field... Displays...

ActiveTimers: Shows what timers are currently active on this port and the number of seconds they have before they expire:
• rrWhile – Recent root timer. A non-zero value means that the port has recently been a Root port.
• rcvdInfoWhile – Received information timer. Shows the time remaining before the information held by this port expires (ages out).
BigIron RX# show xstp Ethernet 3/1
STP information:
-------------------------------------------------------------------
No STP-configured VLANs for the port 3/1
RSTP information:
---------------------------------------------------------------------------
RSTP (IEEE 802.
This field... Displays...

P2P Mac: Indicates if the point-to-point-mac parameter is configured to be a point-to-point link:
• T – The link is configured as a point-to-point link.
• F – The link is not configured as a point-to-point link. This is the default.

Edge port: Indicates if the port is configured as an operational Edge port:
• T – The port is configured as an Edge port.
• F – The port is not configured as an Edge port. This is the default.
This field... Displays...

Designated Cost: The cost to the root bridge as advertised by the designated bridge that is connected to this port. If the designated bridge is the root bridge itself, then the cost is 0. The identity of the designated bridge is shown in the Design Bridge field.

Designated Root: The root bridge as recognized on this port. The value is the same as the root bridge ID listed in the Root ID field.
Chapter 14 Metro Ring Protocol (MRP) Phase 1 and 2

Metro Ring Protocol (MRP) phase 1

MRP Phase 1 is a Brocade proprietary protocol that prevents Layer 2 loops and provides fast reconvergence in Layer 2 ring topologies. It is an alternative to STP and is especially useful in Metropolitan Area Networks (MANs) where using STP has the following drawbacks:

• STP allows a maximum of seven nodes. Metro rings can easily contain more nodes than this.
MRP rings without shared interfaces

The ring in this example consists of four MRP nodes (Brocade switches). Each node has two interfaces with the ring. Each node is also connected to a separate customer network. The nodes forward Layer 2 traffic to and from the customer networks through the ring. The ring interfaces are all in one port-based VLAN. Each customer interface can be in the same VLAN as the ring or in a separate VLAN. One node is configured as the master node of the MRP ring.
FIGURE 64 Metro ring – multiple rings (Master Node with port1/1, port1/2, port4/1, port4/2; Ring 1, Ring 2, Ring 3; a second Master node)

In this example, two nodes are each configured with two MRP rings. Any node in a ring can be the master for its ring. A node also can be the master for more than one ring.

Ring initialization

Figure 63 shows the port states in a fully initialized ring without any broken links.
FIGURE 65 Metro ring – initial state (Switch A = Master Node, Switch B, Switch C, Switch D, each with a Customer A network; ring ports marked PF, customer ports marked F. All ports start in Preforwarding state. Primary port on Master node sends RHP.)

MRP uses Ring Health Packets (RHPs) to monitor the health of the ring. An RHP is an MRP protocol packet. The source address is the MAC address of the master node and the destination MAC address is a protocol address for MRP.
When MRP is enabled, all ports begin in the Preforwarding state. The primary interface on the Master node, although it is in the Preforwarding state like the other ports, immediately sends an RHP onto the ring. The secondary port on the Master node listens for the RHP.

• If the secondary port receives the RHP, all links in the ring are up and the port changes its state to Blocking. The primary port then sends another MRP with its forwarding bit set on.
How ring breaks are detected and healed

Figure 67 shows the ring forwarding state following a link break. MRP quickly heals the ring and preserves connectivity among the customer networks.
When the broken link is repaired, the link’s interfaces come up in the Preforwarding state, which allows RHPs to travel through the restored interfaces and reach the secondary interface on the Master node.

• If an RHP reaches the Master node’s secondary interface, the ring is intact. The secondary interface changes to Blocking. The Master node sets the forwarding bit on in the next RHP.
5. RHP packets continue to be sent on the primary interface by Switch A to detect if the ring has been healed.

From a user perspective, there is no difference in the behavior of the ring. The only noticeable difference is a rapid convergence in the event of ring failure. There is no CLI command required to enable this feature.
Master VLANs and customer VLANs in a topology group

FIGURE 69 Metro ring – ring VLAN and customer VLANs (Customer A in VLAN 30, Customer B in VLAN 40; Switches B and D each connect to the ring on port1/1 and port1/2, to Customer A on port2/1 and to Customer B on port4/1.)

Switch B: ring 1 interfaces 1/1, 1/2; topology group 2; master VLAN 2 (1/1, 1/2); member VLAN 30 (1/1, 1/2, 2/1); member VLAN 40 (1/1, 1/2, 4/1)

Switch D: ring 1 interfaces 1/1, 1/2; topology group 2; master VLAN 2 (1/1, 1/2); member VLAN 30 (1/1,
If you use a topology group:

• The master VLAN must contain the ring interfaces. The ports must be tagged, since they will be shared by multiple VLANs.
• The member VLAN for a customer must contain the two ring interfaces and the interfaces for the customer. Since these interfaces are shared with the master VLAN, they must be tagged. Do not add another customer’s interfaces to the VLAN.
Configuring MRP

Adding an MRP ring to a VLAN

NOTE
If you plan to use a topology group to add VLANs to the ring, make sure you configure MRP on the topology group’s master VLAN.

To add an MRP ring to a VLAN, enter commands such as the following.
Changing the hello and preforwarding times

You also can change the RHP hello time and preforwarding time. To do so, enter commands such as the following.

BigIron RX(config-vlan-2-mrp-1)# hello-time 200
BigIron RX(config-vlan-2-mrp-1)# preforwarding-time 400

These commands change the hello time to 200 ms and change the preforwarding time to 400 ms.

NOTE
The preforwarding time must be at least twice the value of the hello time and must be a multiple of the hello time.
MRP phase 2

FIGURE 70 Multiple MRP rings - MRP Phase 1 (Master Node with port1/1, port1/2, port4/1, port4/2; Ring 1, Ring 2, Ring 3; a second Master node)

With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN. Figure 70 shows examples of multiple MRP rings that share the same interface.
Ring initialization for shared interfaces

FIGURE 72 Interface IDs and types (Ring 1 and Ring 2 share port1/1 on node S1 and port2/2 on node S2; interfaces are labelled with their ring IDs 1, 2 or 1,2 and with their type, T or C; C = customer port)

For example, in Figure 72, the ID of all interfaces on all nodes on Ring 1 is 1 and all interfaces on all nodes on Ring 2 is 2. Port 1/1 on node S1 and Port 2/2 on S2 have the IDs of 1 and 2 since the interfaces are shared by Rings 1 and 2.
node, the packet is forwarded through the secondary interface since it is currently in a preforwarding state. A secondary interface in preforwarding mode ignores any RHP packet that is not from its ring. The secondary interface changes to blocking mode only when the RHP packet forwarded by its primary interface is returned. The packet then continues around Ring 1, through the interfaces on S1 to Ring 2 until it reaches Ring 2’s master node.
Normal flow

Figure 73 shows an example of how RHP packets are processed normally in MRP rings with shared interfaces.
Flow when a link breaks

If the link between shared interfaces breaks (Figure 74), the secondary interface on Ring 1’s master node changes to a preforwarding state. The RHP packet sent by port 3/1 on Ring 2 is forwarded through the interfaces on S4, then to S2. The packet is then forwarded through S2 to S3, but not from S2 to S1 since the link between the two nodes is not available.
Using MRP diagnostics

BigIron RX(config)# vlan 2
BigIron RX(config-vlan-2)# metro-ring 1
BigIron RX(config-vlan-2-mrp-1)# name CustomerA
BigIron RX(config-vlan-2-mrp-1)# ring-interface ethernet 1/1 ethernet 1/2
BigIron RX(config-vlan-2-mrp-1)# enable
BigIron RX(config-vlan-2-mrp-1)# metro-ring 2
BigIron RX(config-vlan-2-mrp-2)# name CustomerB
BigIron RX(config-vlan-2-mrp-2)# ring-interface ethernet 1/1 ethernet 1/2
BigIron RX(config-vlan-2-mrp-2)# enable

Syntax: [no] metro-ring

The
Displaying MRP information

Displaying MRP diagnostics

To display MRP diagnostics results, enter the following command on the Master node.

BigIron RX(config)# show metro 2 diag
Metro Ring 2 - CustomerA
=============
diagnostics results
Ring id                      2
Diag state                   enabled
Diag frame sent              1230
RHP average time(microsec)   125
Recommended hello time(ms)   100
Recommended Prefwing time(ms) 300
Diag frame lost              0

Syntax: show metro diag

This display shows the following information.
Displaying ring information

To display ring information, enter the following command.
TABLE 84 CLI display of MRP ring information (Continued)

This field... Displays...

Prefwing time: The number of milliseconds an MRP interface that has entered the Preforwarding state will wait before changing to the Forwarding state. If a member port in the Preforwarding state does not receive an RHP within the Preforwarding time (Prefwing time), the port assumes that a topology change has occurred and changes to the Forwarding state.
MRP CLI example

Commands on switch A (master node)

The following commands configure a VLAN for the ring. The ring VLAN must contain both of the node’s interfaces with the ring. Add these interfaces as tagged interfaces, since the interfaces also must be in each of the customer VLANs configured on the node.
BigIron RX(config)# topology-group 1
BigIron RX(config-topo-group-1)# master-vlan 2
BigIron RX(config-topo-group-1)# member-vlan 30
BigIron RX(config-topo-group-1)# member-vlan 40

Commands on switch C

BigIron RX(config)# vlan 2
BigIron RX(config-vlan-2)# tag ethernet 1/1 to 1/2
BigIron RX(config-vlan-2)# metro-ring 1
BigIron RX(config-vlan-2-mrp-1)# name “Metro A”
Chapter 15 Virtual Switch Redundancy Protocol (VSRP)

Overview of Virtual Switch Redundancy Protocol (VSRP)

VSRP is a Brocade proprietary protocol that provides redundancy and sub-second failover in Layer 2 and Layer 3 mesh topologies. Based on Brocade’s proprietary Virtual Router Redundancy Protocol Extended (VRRPE), VSRP provides one or more backups for the device.
Following Master election (described below), one of the Brocade devices becomes the Master for the VRID and sets the state of all the VLAN’s ports to Forwarding. The other device is a Backup and sets all the ports in its VRID VLAN to Blocking. If a failover occurs, the Backup becomes the new Master and changes all its VRID ports to the Forwarding state. Other Brocade devices can use the redundant paths provided by the VSRP devices.
Each Backup waits for a specific period of time, the Dead Interval, to receive a new Hello message from the Master. If the Backup does not receive a Hello message from the Master by the time the Dead Interval expires, the Backup sends a Hello message of its own, which includes the Backup's VSRP priority, to advertise the Backup's intent to become the Master. If there are multiple Backups for the VRID, each Backup sends a Hello message.
FIGURE 77 VSRP priority recalculation (Router1 and Router2 connect to the Internet or enterprise Intranet. VRID1 on Router1 = Master: e 1/6, IP address = 192.53.5.1, Owner, MAC address = 00-00-5E-00-01-01, Priority = 255. VRID1 on Router2 = Backup: e 1/5, 192.53.5.3, IP address = 192.53.5.1, MAC address = 00-00-5E-00-01-01, Priority = 100. Host1 uses the VRID address as its default gateway.)
FIGURE 78 VSRP priority bias (VSRP Master: configured priority = 150, one of its three ports has its link down, actual priority = 150 * (2/3) = 100. VSRP Backup: configured priority = 100, all three ports up, actual priority = 100 * (3/3) = 100. The two devices are joined by an optional link; three VSRP Aware devices connect to both, Forwarding on the Master side and Blocking on the Backup side.)

Track ports

Optionally, you can configure track ports to be included during VSRP priority calculation.
FIGURE 79 Track port priority (VSRP Master: configured priority = 100, track priority 20, track port is up, actual priority = (100 - 0) * (3/3) = 100. VSRP Backup: configured priority = 100, actual priority = 100 * (3/3) = 100. The two devices are joined by an optional link; three VSRP Aware devices connect to both, Forwarding on the Master side and Blocking on the Backup side.)

In Figure 79, the track port is up. Since the port is up, the track priority does not affect the VSRP priority calculation.
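As an added example (not Brocade code), the following Python models the priority arithmetic shown in Figures 78 and 79 and printed in the Unit/Formula column of show vsrp, together with the selection rule the VSRP display tables give (highest current priority wins, a tie goes to the higher IP address). Port and router names and addresses are constructed; clamping a negative result to 0 is an assumption the guide does not state.

```python
"""VSRP current-priority calculation and Master selection (added example).

The guide gives the priority in two pieces:
  * a bias from VRID ports whose link is down:  configured * (ports up / ports total)
  * track ports: each track priority is subtracted while the tracked link is down
and show vsrp prints it as "(configured - track penalty)*(up/total)",
for example "(100-0)*(4.0/4.0)".
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class TrackPort:
    name: str            # constructed interface name, e.g. "e2/4"
    track_priority: int  # configured track priority
    up: bool             # current link state of the tracked interface


@dataclass
class VsrpVrid:
    configured_priority: int                    # Backup priority, 1 - 254
    vrid_ports: Dict[str, bool]                 # VRID VLAN port -> link is up
    track_ports: Tuple[TrackPort, ...] = field(default_factory=tuple)

    def track_penalty(self) -> int:
        """Track priorities count only while the tracked link is down (Figure 79)."""
        return sum(t.track_priority for t in self.track_ports if not t.up)

    def port_counts(self) -> Tuple[int, int]:
        up = sum(1 for is_up in self.vrid_ports.values() if is_up)
        return up, len(self.vrid_ports)

    def current_priority(self) -> int:
        """Actual priority after bias and track-port adjustment."""
        up, total = self.port_counts()
        if total == 0:
            return 0
        # Clamping to 0 is an assumption; the guide does not cover track
        # penalties larger than the configured priority.
        base = max(self.configured_priority - self.track_penalty(), 0)
        # Integer arithmetic reproduces the guide's figures exactly,
        # e.g. 150 * (2/3) = 100 in Figure 78.
        return base * up // total

    def formula(self) -> str:
        """Render the calculation the way the show vsrp Unit/Formula column does."""
        up, total = self.port_counts()
        return f"({self.configured_priority}-{self.track_penalty()})*({up:.1f}/{total:.1f})"


@dataclass(frozen=True)
class Candidate:
    name: str    # constructed device name
    ip: str      # address used only for the tie-break
    vrid: VsrpVrid


def elect_master(candidates: Iterable[Candidate]) -> Optional[str]:
    """Highest current priority becomes Master; ties go to the highest IP address."""
    pool = list(candidates)
    if not pool:
        return None
    best = max(pool, key=lambda c: (c.vrid.current_priority(), int(ip_address(c.ip))))
    return best.name


def main() -> None:
    # Figure 78: the Master has one of three VRID ports down and is biased
    # from 150 down to 100; the Backup keeps its configured 100.
    master = Candidate("Router1", "192.53.5.3",
                       VsrpVrid(150, {"e1/1": True, "e1/2": True, "e1/3": False}))
    backup = Candidate("Router2", "192.53.5.2",
                       VsrpVrid(100, {"e1/1": True, "e1/2": True, "e1/3": True},
                                (TrackPort("e2/4", 20, up=True),)))
    for c in (master, backup):
        print(f"{c.name}: {c.vrid.formula()} = {c.vrid.current_priority()}")
    print("Master after recalculation:", elect_master([master, backup]))


if __name__ == "__main__":
    main()
```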
Configuring basic VSRP parameters

• If the port number is the same as the port that previously received a Hello message, the VSRP-aware device assumes that the message came from the same VSRP Master that sent the previous message.
• If the port number does not match, the VSRP-aware device assumes that a VSRP failover has occurred to a new Master, and moves the MAC addresses learned on the previous port to the new port. The VRID records age out if unused.
BigIron RX(config-vlan-200-vrid-1)# enable

Syntax: [no] enable
or
Syntax: [no] activate

For information about the command’s optional parameters, see the following:
• “Changing the backup priority” on page 435
• “Changing the default track priority” on page 438

Enabling Layer 3 VSRP

Layer 2 VSRP is enabled globally by default on the device; it just needs to be activated or enabled on a VRID.
Configuring optional VSRP parameters

Syntax: [no] ip vsrp auth-type no-auth | simple-text-auth

The auth-type no-auth parameter indicates that the VRID and the interface it is configured on do not use authentication. The auth-type simple-text-auth parameter indicates that the VRID and the interface it is configured on use a simple text password for authentication. The value is the password.
BigIron RX(config-vlan-200-vrid-1)# ip-address 10.10.10.1

Syntax: [no] ip-address

VSRP fast start

VSRP fast start allows non-Brocade or non-VSRP aware devices that are connected to a Brocade device that is the VSRP Master to quickly switch over to the new Master when a VSRP failover occurs. This feature causes the port on a VSRP Master to restart when a VSRP failover occurs.
BigIron RX(config-vlan-10-vsrp-1)# sh vsrp
VLAN 10
 Auth-type no authentication
 VRID 1
 ========
  State     Administrative-status  Advertise-backup  Preempt-mode  Link-Redundancy
  Backup    Enabled                Disabled          True          Disabled

  Parameter       Configured  Current  Unit/Formula
  Priority        100         100      (100-0)*(4.0/4.0)
  Hello-interval  1           1        sec/10
  Hold-interval   3           3        sec/10
  Initial-ttl     2           2        hops

  Master router 219.218.18.52 or MAC xxxx.dbda.
• Backup Hello interval
• Hold-down interval

Each Backup saves the configured timer values to its startup configuration file when you save the device’s configuration.

NOTE
The Backups always use the value of the timer scale received from the Master, regardless of whether the timer values that are saved in the configuration are the values configured on the Backup or the values received from the Master.
Changing the hello interval

The Master periodically sends Hello messages to the Backups. To change the Hello interval, enter a command such as the following at the configuration level for the VRID.

BigIron RX(config-vlan-200-vrid-1)# hello-interval 10

Syntax: [no] hello-interval

The parameter specifies the interval and can be from 1 – 84 units. The default is 1 (1 unit = 100 milliseconds).
Syntax: [no] backup-hello-interval

The parameter specifies the message interval and can be from 60 – 3600 units (1 unit = 100 milliseconds). The default is 60 units (6000 milliseconds or 6 seconds).

NOTE
If you change the timer scale, the change affects the actual number of seconds.
Specifying a track port

You can configure the VRID on one interface to track the link state of another interface on the device. This capability is useful for tracking the state of the exit interface for the path for which the VRID is providing redundancy. Refer to “VSRP priority calculation” on page 427.

To configure a VRID to track an interface, enter a command such as the following at the configuration level for the VRID.
NOTE
All trunk ports must have the same delayed-link-down-event configuration.

The following command delays the sending of the port "down" event for 100 ms when a port state is detected "down". If the port state is detected "up" within 100 ms afterwards, the delayed "down" event is cancelled; otherwise, the "down" event is sent after 100 ms. This allows the upper layer applications not to be affected by a port state flapping.
VSRP and MRP signaling

If a VSRP failover from master to backup occurs, VSRP needs to inform MRP of the topology change; otherwise, data from the host continues along the obsolete learned path and never reaches the VSRP-linked device, as shown in Figure 82.
FIGURE 83 New path established (Path 1 and Path 2 through an MRP ring of an MRP Master and MRP Members; the host reaches Device 1 via the VSRP Master, with the VSRP Backup on the alternate path.)

There are no CLI commands used to configure this process.
Displaying VSRP information

This display shows the following information when you use the vrid or vlan parameter. For information about the display when you use the aware parameter, refer to “Displaying the active interfaces for a VRID” on page 446.

TABLE 85 CLI display of VSRP VRID or VLAN information

This field... Displays...

Total number of VSRP routers defined: The total number of VRIDs configured on this device.

VLAN: The VLAN on which VSRP is configured.
TABLE 85 CLI display of VSRP VRID or VLAN information (Continued)

This field... Displays...

priority: The device’s preferability for becoming the Master for the VRID. During negotiation, the Backup with the highest priority becomes the Master. If two or more Backups are tied with the highest priority, the Backup interface with the highest IP address becomes the Master for the VRID.
BigIron RX# show vsrp brief
VLAN  VRID  ConfPri  CurPri  P  State   PeerMacAddr or IpAddress  VIP
10    10    100      80      P  Master  Unknown  Unknown          None

When the command is entered on a Layer 3 VSRP, it displays the following information.

BigIron RX# show vsrp brief
VLAN  VRID  ConfPri  CurPri  P  State   PeerMacAddr or IpAddress    VIP
100   1     150      1       P  Initia  xxxx.1414.1404  20.20.20.4  20.20.20.100
101   2     50       1       P  Initia  xxxx.1e1e.1e01  30.30.30.1  30.30.30.100

Syntax: show vsrp brief

This field...
Displaying the active interfaces for a VRID

On a VSRP-aware device, you can display VLAN and port information for the connections to the VSRP devices (Master and Backups) using the show vsrp aware command. The command shows the active interfaces for the VRID. No output is displayed if the command is entered on a VSRP master or backup.
Chapter 16 Topology Groups

Topology overview

This chapter describes the different types of topology groups and how to configure them. A topology group is a named set of VLANs that share a Layer 2 control protocol. Topology groups simplify configuration and enhance scalability of Layer 2 protocols by allowing you to run a single instance of a Layer 2 protocol on multiple VLANs. One instance of the Layer 2 protocol controls all the VLANs.
Master VLANs and customer VLANs in MRP

A topology group enables you to control forwarding in multiple VLANs using a single instance of a Layer 2 protocol such as MRP. For more information on topology groups and MRP, refer to “Master VLANs and customer VLANs in a topology group” on page 408.
If you remove a member VLAN or VLAN group from a topology group, you will need to reconfigure the Layer 2 protocol information in the VLAN or VLAN group.

Configuring a topology group

To configure a topology group, enter commands such as the following.
Displaying topology group information

BigIron RX(config)# show topology-group
Topology Group 1
==================
Master VLAN   : 2
Member VLAN   : 10 20 30
Member Group  : None
Control Ports : ethe 2/2 ethe 3/18 ethe 4/1 to 4/2
Free Ports    : VLAN 2 - ethe 2/1 ethe 3/17
                VLAN 10 - ethe 2/1 ethe 3/17
                VLAN 20 - ethe 2/1 ethe 3/17
                VLAN 30 - ethe 2/1 ethe 3/17

Topology Group 2
==================
Master VLAN   : 3
Member VLAN   : 100 200
Member Group  : None
Control Ports : ethe 4/1 to 4/2
Free Ports    :

Syntax: show to
Chapter 17 Configuring VRRP and VRRPE

Overview of VRRP

This chapter describes how to configure the following router redundancy protocols:

• Virtual Router Redundancy Protocol (VRRP) – The standard router redundancy protocol described in RFC 3768.
• VRRP Extended (VRRPE) – A Brocade proprietary version of VRRP that overcomes limitations in the standard protocol. This protocol works only with Brocade devices.
As shown in this example, Host1 uses 192.53.5.1 on Router1 as the host’s default gateway out of the subnet. If this interface goes down, Host1 is cut off from the rest of the network. Router1 is thus a single point of failure for Host1’s access to other networks. If Router1 fails, you could configure Host1 to use Router2. Configuring one host with a different default gateway might not require too much extra administration.
NOTE
You can provide more redundancy by also configuring a second VRID with Router2 as the Owner and Router1 as the Backup. This type of configuration is sometimes called Multigroup VRRP.

Master router election

Virtual routers use the VRRP priority values associated with each VRRP router to determine which router becomes the Master. When you configure an Owner router, the device automatically sets its VRRP priority to 255, the highest VRRP priority.
Track ports and track priority

Brocade enhanced VRRP by giving a VRRP router the capability to monitor the state of the interfaces on the other end of the route path through the router. For example, in Figure 85 on page 452, interface e1/6 on Router1 owns the IP address to which Host1 directs route traffic on its default gateway. The exit path for this traffic is through Router1’s e2/4 interface. Suppose interface e2/4 goes down.
Forcing a master router to abdicate to a standby router

You can force a VRRP Master to abdicate (give away control) of a virtual router to a Backup by temporarily changing the Master’s priority to a value less than the Backup’s. When you change a VRRP Owner’s priority, the change takes effect only for the current power cycle. The change is not saved to the startup configuration file when you save the configuration and is not retained across a reload or reboot.
Overview of VRRPE

• VRRPE uses UDP to send Hello messages in IP multicast messages. The Hello packets use the interface’s actual MAC address and IP address as the source addresses. The destination MAC address is 01-00-5E-00-00-02, and the destination IP address is 224.0.0.2 (the well-known IP multicast address for “all routers”). Both the source and destination UDP port number is 8888. VRRP messages are encapsulated in the data portion of the packet.
FIGURE 86 Router1 and Router2 are configured to provide dual redundant network access for the host (Interfaces e 2/4 and e 3/2 face the Internet; e 1/6 (192.53.5.2) and e 5/1 face the hosts. VRID 1: Router A = Master, Virtual IP address 192.53.5.254, Priority = 110, Track port = e 2/4, Track priority = 20. VRID 2: Router A = Backup, Virtual IP address 192.53.5.253, Priority = 100 (Default), Track Port = e 2/4, Track Priority = 20. Host1 Default Gateway 192.53.5.254; Host2 Default Gateway 192.53.5.254.)
VRRP and VRRPE parameters

Table 88 lists the VRRP and VRRPE parameters. Most of the parameters and default values are the same for both protocols. The exceptions are noted in the table.

TABLE 88 VRRP and VRRPE parameters

Parameter / Description / Default / See page...
TABLE 88 VRRP and VRRPE parameters (Continued)

Parameter / Description / Default / See page...

Whether the router is an Owner or a Backup.
• Owner (VRRP only) – The router on which the real IP address used by the VRID is configured.
• Backup – Routers that can provide routing services for the VRID but do not have a real IP address matching the VRID.
Default: VRRP – The Owner is always the router that has the real IP address used by the VRID. All other routers for the VRID are Backups.
TABLE 88 VRRP and VRRPE parameters (Continued)

Parameter / Description / Default / See page...

Track priority: A VRRP or VRRPE priority value assigned to the tracked ports. If a tracked port’s link goes down, the VRID port’s VRRP or VRRPE priority changes.
• VRRP – The priority changes to the value of the tracked port’s priority.
• VRRPE – The VRID port’s priority is reduced by the amount of the tracked port’s priority.
Configuring parameters specific to VRRP

Configuring the owner

Router1(config)# router vrrp
Router1(config)# inter e 1/6
Router1(config-if-1/6)# ip address 192.53.5.1
Router1(config-if-1/6)# ip vrrp vrid 1
Router1(config-if-1/6-vrid-1)# owner
Router1(config-if-1/6-vrid-1)# ip-address 192.53.5.1
Router1(config-if-1/6-vrid-1)# activate

Configuring a backup

To configure the VRRP Backup router, enter the following commands.
Configuring parameters specific to VRRPE

VRRPE is configured at the interface level. To implement a simple VRRPE configuration using all the default values, enter commands such as the following on each BigIron RX.

BigIron RX(config)# router vrrp-extended
BigIron RX(config)# inter e 1/5
BigIron RX(config-if-e10000-1/5)# ip address 192.53.5.
Configuring additional VRRP and VRRPE parameters

• Backup priority
• Suppression of RIP advertisements on Backup routes for the backed up interface
• Hello interval
• Dead interval
• Backup Hello messages and message timer (Backup advertisement)
• Track port
• Track priority
• Backup preempt mode
• Master Router Abdication and Reinstatement

Refer to “VRRP and VRRPE parameters” on page 458 for a summary of the parameters and their defaults.
Suppression of RIP advertisements on backup routers for the backed-up interface

Normally, a VRRP or VRRPE Backup includes route information for the virtual IP address in RIP advertisements. As a result, other routers receive multiple paths for the Backup router and might sometimes unsuccessfully use the path to the Backup router rather than the path to the Master.
Syntax: dead-interval

The Dead interval can be from 1 – 84 seconds. The default is 3.5 seconds. The syntax is the same for VRRP and VRRPE.

Backup hello message state and interval

By default, Backups do not send Hello messages to advertise themselves to the Master. You can enable these messages if desired and also change the message interval. To enable a Backup to send Hello messages to the Master, enter commands such as the following.
• For VRRP, the software changes the priority of the virtual router to a track priority that is lower than that of the virtual router priority and lower than the priorities configured on the Backups. For example, if the virtual router priority is 100 and a tracked interface with track priority 60 goes down, the software changes the virtual router priority to 60.
BigIron RX(config)# ip int eth 1/6
BigIron RX(config-if-e10000-1/6)# ip vrrp vrid 1
BigIron RX(config-if-e10000-1/6-vrid-1)# owner priority 99

Syntax: [no] owner priority | track-priority

The parameter specifies the new priority and can be a number from 1 – 254. When you press Enter, the software changes the priority of the Master to the specified priority.
BigIron RX(config)# show ip vrrp-extended brief
Total number of VRRP-Extended routers defined: 41
Interface  VRID  Current Priority  P  State   Master IP Address  Backup IP Address  Virtual IP Address
------------------------------------------------------------------------------------------------------
v21        21    95                P  Backup  172.16.51.2        Local              172.16.51.1
v22        22    95                P  Backup  172.16.52.2        Local              172.16.52.1
v23        23    95                P  Backup  172.16.53.2        Local              172.16.53.1
v24        24    95                P  Backup  172.16.54.2        Local              172.16.54.
TABLE 89 CLI display of VRRP or VRRPE summary information (Continued)
This field... | Displays...
State | This device’s VRRP or VRRPE state for the virtual router. The state can be one of the following:
• Init – The virtual router is not enabled (activated). If the state remains Init after you activate the virtual router, make sure that the virtual router is also configured on the other routers and that the routers can communicate with each other.
The brief parameter displays summary information. Refer to “Displaying summary information” on page 467.
The ethernet / parameter specifies an Ethernet port. If you use this parameter, the command displays VRRP or VRRPE information only for the specified port.
The ve parameter specifies a virtual interface. If you use this parameter, the command displays VRRP or VRRPE information only for the specified virtual interface.
TABLE 90 CLI display of VRRP or VRRPE detailed information (Continued)
This field... | Displays...
priority | The device’s preferability for becoming the Master for the virtual router. During negotiation, the router with the highest priority becomes the Master. If two or more devices are tied with the highest priority, the Backup interface with the highest IP address becomes the active router for the virtual router.
TABLE 90 CLI display of VRRP or VRRPE detailed information (Continued)
This field... | Displays...
backup router expires in
. received packets dropped by owner = 0
. received packets with ip ttl errors = 0
. received packets with ip address mismatch = 0
. received packets with advertisement interval mismatch = 0
. received packets with invalid length = 0
total number of vrrp-extended packets sent = 2004
. sent backup advertisements = 0
Configuring Router1
To configure VRRP Router1, enter the following commands.
Router1(config)# router vrrp
Router1(config)# inter e 1/6
Router1(config-if-e10000-1/6)# ip address 192.53.5.1
Router1(config-if-e10000-1/6)# ip vrrp vrid 1
Router1(config-if-e10000-1/6-vrid-1)# owner track-priority 20
Router1(config-if-e10000-1/6-vrid-1)# track-port ethernet 2/4
Router1(config-if-e10000-1/6-vrid-1)# ip-address 192.53.5.
The activate command activates the virtual router configuration on this interface. The interface does not provide backup service for the virtual IP address until you activate the VRRP configuration.
Router1(config-if-e10000-5/1-vrid-1)# track-port ethernet 3/2
Router1(config-if-e10000-5/1-vrid-1)# ip-address 192.53.5.
Chapter 18 Configuring Quality of Service
Overview of Quality of Service (QoS)
Quality of Service (QoS) features are used to prioritize the use of bandwidth in a switch. When QoS features are enabled, traffic is classified as it arrives at the switch and processed on the basis of configured priorities. Traffic can be dropped, prioritized for guaranteed delivery, or subject to limited delivery options as configured by a number of different mechanisms.
FIGURE 87 Priority resolution (flowchart; labels: DSCP Priority, 802.1p Priority, No Trust Level Set, Trust Level Set to COS (default), Trust Level Set to DSCP, Determine Trust Level, Set Classification to Higher of both Inputs, Port-based Classification, MAC-based Classification, Port-based VLAN Classification)
As shown in the figure, the first criteria considered are port-based, MAC-based, and port-based VLAN classifications. The packet is primarily classified with the higher of these two criteria.
TABLE 92 Default QoS mappings, columns 16 to 31
DSCP value | 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
802.
• COS to Internal Forwarding Priority Mapping – You can change the mapping between 802.1p (COS) values and the Internal Forwarding priority value from the default values shown in Table 91 through Table 94. This mapping is used for COS marking and for determining the internal priority when the trust level is COS. Refer to “Changing the CoS –> internal forwarding priority mappings” on page 485.
Marking
Marking is the process of changing the packet’s QoS information (the 802.
When you apply a QoS priority to one of the items listed above, you specify a number from 0 – 7. The priority number specifies the IEEE 802.1p equivalent to one of the four Brocade QoS queues. The numbers correspond to the queues as follows.
Priority level | QoS forwarding queue
6, 7 | 3
4, 5 | 2
2, 3 | 1
0, 1 | 0
Changing a port’s priority
To change a port’s QoS priority, use one of the following methods. The priority applies to inbound traffic on the port.
Configuring ToS-based QoS
To configure ToS-based QoS, perform the following tasks:
• Enable ToS-based QoS on an interface. Once you enable the feature on an individual interface, you can configure the trust level and marking for traffic that is received on that interface as described:
• Specify the trust level for packets received on the interface.
• Enable marking of packets received on the interface.
Configuring the QoS mappings
The Brocade device maps a packet’s 802.1p or DSCP value to an internal forwarding priority. The default mappings are listed in Table 91 through Table 94. You can change the following mappings as described in this section:
• CoS –> DSCP
• DSCP –> DSCP
• DSCP –> internal forwarding priority
• CoS –> internal forwarding priority
The mappings are globally configurable and apply to all interfaces.
BigIron RX(config)# qos-tos map dscp-dscp 0 to 10
This command changes the mapping of DSCP value 0 to 10.
Syntax: [no] qos-tos map dscp-dscp [...] to
You can change up to seven DSCP values in the same command.
Changing the DSCP –> internal forwarding priority mappings
This mapping is used when the trust level is set to DSCP.
The parameter specifies the internal forwarding priority.
Changing the CoS –> internal forwarding priority mappings
This mapping is used when the trust level is set to CoS. In addition to determining the internal-forwarding priority of a packet, the value also determines the outbound 802.1p value if CoS marking is enabled.
BigIron RX# show qos-tos
Interface QoS , Marking and Trust Level:
i/f    | QoS | Mark     | Trust-Level
-------+-----+----------+--------------
1/2    | Yes |          | Layer 2 CoS
ve1    | No  |          | Layer 2 CoS
ve4    | No  |          | Layer 2 CoS
ve5    | No  |          | Layer 2 CoS
ve20   | No  |          | Layer 2 CoS
COS-DSCP map:
COS:   0  1  2  3  4  5  6  7
------------------------------------------------
dscp:  0  8 16 24 32 40 48 56
DSCP-Priority map: (dscp = d1d2)
d2 |  0  1  2  3  4  5  6  7  8  9
d1 |
-----+-----------------------
TABLE 95 ToS-based QoS configuration information (Continued)
This field... | Displays...
Mark | The marking type enabled on the interface. The marking type can be any of the following:
• COS – CoS marking is enabled.
• DSCP – DSCP marking is enabled.
• No – Marking is not enabled.
Trust-Level | The trust level enabled on the interface. The trust level can be one of the following:
• DSCP
• L2 CoS
CoS-DSCP map COS | The CoS (802.1p) values.
How WRED Operates
The graph in Figure 88 describes the interaction of the previously described variables in the operation of WRED. When a packet arrives at a switch, the average queue size (q-size) is calculated (note that this is not the statistical average queue size; refer to “Calculating avg-q-size” on page 488). If the calculated q-size is below the configured Min. Average Queue Size, the packet is accepted.
$$P_{drop} = \frac{\text{pkt-size}}{\text{pkt-size-max}} \cdot P_{max} \cdot \frac{\text{avg-q-size} - \text{min-avg-q-size}}{\text{max-avg-q-size} - \text{min-avg-q-size}}$$
Using WRED with rate limiting
When rate limiting is configured on a device, it directs the switch to drop traffic indiscriminately when the configured average-rate and maximum-burst thresholds are exceeded.
TABLE 96 Possible Wq values (Continued)
Averaging weight setting | Wq value as a percentage
3 | 12.5%
4 | 6.2%
5 | 3.12%
6 | 1.56%
7 | 0.78%
8 | 0.4%
9 | 0.2%
10 | 0.09%
11 | 0.05%
12 | 0.02%
13 | 0.01%
To set the wq parameter for queues with a queue type of 1 to 25%, use the following command.
BigIron RX(config)#qos queue-type 1 wred averaging-weight 25%
This gives the current queue size a weight of 25% over the statistical average queue size.
Setting the maximum drop probability
To set the maximum drop probability when the queue size reaches the Max-average-q-size value to 20%, use the following command.
The variable is the number of the forwarding queue type that you want to configure drop-precedence for. There are eight forwarding queue types on BigIron RX Routers. They are numbered 0 to 3. The variable for the drop-precedence parameter is the TOS/DSCP value in the IPv4 or IPv6 packet header. It determines drop precedence on a scale from 0 - 3.
TABLE 97 WRED default settings
Queue type | Drop precedence | Minimum average queue size (KByte) | Maximum average queue size (KByte) | Maximum packet size (Byte) | Maximum drop probability | Maximum instantaneous queue size | Average weight
0 | 0 | 356 | 1024 | 16384 | 2% | 1024 | 0.2%
0 | 1 | 304 | 1024 | 16384 | 4% | |
0 | 2 | 256 | 1024 | 16384 | 9% | |
0 | 3 | 204 | 1024 | 16384 | 10% | |
| 0 | 356 | 1024 | 16384 | 2% | 1024 | 0.
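The drop-probability formula, the averaging weights of Table 96 and the Table 97 defaults can be combined into a small model of how WRED decides the fate of a packet. This is an added example written for this page, not code from the Brocade guide; the profile dictionary, the function names, the rule Wq = 2^-setting (read off the halving pattern in Table 96) and the drop-everything behaviour above max-avg-q-size are assumptions of the example.

```python
"""Added example, not from the Brocade guide: a WRED model built from the
chapter's Pdrop formula, the averaging-weight table (Table 96) and the
defaults for queue type 0, drop precedence 0 (Table 97)."""
import random

# Constructed from Table 97 (queue type 0, drop precedence 0); sizes in bytes.
DEFAULT_PROFILE = {
    "min_avg_q": 356 * 1024,   # minimum average queue size, 356 KByte
    "max_avg_q": 1024 * 1024,  # maximum average queue size, 1024 KByte
    "pkt_size_max": 16384,     # maximum packet size, bytes
    "p_max": 0.02,             # maximum drop probability, 2%
}


def wq_from_setting(setting):
    """Averaging weight for an averaging-weight setting of 1..13.

    Table 96 lists 3 -> 12.5%, 4 -> 6.2%, ..., 13 -> 0.01%: each step halves
    the weight, so this assumes Wq = 2 ** -setting (the table shows rounded
    percentages).
    """
    if not 1 <= setting <= 13:
        raise ValueError("averaging-weight setting must be in 1..13")
    return 2.0 ** -setting


def update_avg_q_size(avg_q, current_q, wq):
    """Exponentially weighted moving average of the queue size: the current
    queue size gets weight Wq over the running statistical average."""
    return (1.0 - wq) * avg_q + wq * current_q


def drop_probability(pkt_size, avg_q, profile=DEFAULT_PROFILE):
    """Pdrop from the chapter's formula.

    Below min-avg-q-size every packet is accepted (Pdrop = 0). Between the
    two thresholds Pdrop grows linearly to Pmax at max-avg-q-size, scaled by
    packet size. Above max-avg-q-size this model drops every packet (an
    assumption; the text shown here does not spell out that region).
    """
    lo, hi = profile["min_avg_q"], profile["max_avg_q"]
    if avg_q < lo:
        return 0.0
    if avg_q > hi:
        return 1.0
    size_factor = min(pkt_size, profile["pkt_size_max"]) / profile["pkt_size_max"]
    fill_factor = (avg_q - lo) / (hi - lo)
    return size_factor * profile["p_max"] * fill_factor


def run_wred(packets, wq, profile=DEFAULT_PROFILE, seed=1):
    """Feed (current_q_bytes, pkt_size) observations through WRED.

    Returns (accepted, dropped, final_avg_q). The drop decision compares
    Pdrop with a seeded uniform draw so a run is reproducible.
    """
    rng = random.Random(seed)
    avg_q = 0.0
    accepted = dropped = 0
    for current_q, pkt_size in packets:
        avg_q = update_avg_q_size(avg_q, current_q, wq)
        if rng.random() < drop_probability(pkt_size, avg_q, profile):
            dropped += 1
        else:
            accepted += 1
    return accepted, dropped, avg_q


if __name__ == "__main__":
    # Constructed trace: the queue ramps from empty to 900 KByte, 1500-byte packets.
    trace = [(i * 9 * 1024, 1500) for i in range(101)]
    print(run_wred(trace, wq_from_setting(2)))
```

With the Table 97 defaults, a 16384-byte packet seen when the average queue is half way between the thresholds (690 KByte) has Pdrop = 1.0 × 2% × 0.5 = 1%, and a packet half that size has half the probability, which is the "weighted" part of WRED.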
Scheduling traffic for forwarding
If the traffic being processed by a device is within the capacity of the switch, all traffic is forwarded as received. Once the switch becomes bandwidth constrained, traffic is subject to drop priority if configured as described in “Determining packet drop priority using WRED” on page 487, or to traffic scheduling as described in this section.
Configuring strict priority-based traffic scheduling
To configure strict priority-based scheduling, use a command such as the following.
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e1000-1/1)# qos scheduler strict
Syntax: qos scheduler strict
Configuring enhanced strict priority-based traffic scheduling
To configure enhanced strict priority-based scheduling, use a command such as the following.
The values of the remaining queues are calculated to be the following.
q2 = 30%, q1 = 20%, and q0 = 10%
Configuring WFQ destination-based traffic scheduling
To configure WFQ destination-based scheduling, use a command such as the following.
Syntax: qos scheduler max-rate
The variable defines the maximum bandwidth allocated to forwarding queue 0 in Kbps. The variable defines the maximum bandwidth allocated to forwarding queue 1 in Kbps. The variable defines the maximum bandwidth allocated to forwarding queue 2 in Kbps.
BigIron RX#show qos scheduler
Port   | Scheduler Type                        | Prio0   | Prio1   | Prio2   | Prio3
       | (Rates where specified are in Kbps)   |         |         |         |
-------+---------------------------------------+---------+---------+---------+---------
13/1   | strict
13/2   | enhanced-strict  Rate                 | 100000  | 200000  | 300000  | Remaining
13/3   | min-rate  Rate                        | 102400  | 204800  | 307200  | 409600
13/4   | strict
13/5   | strict
13/6   | max-rate  Rate                        | 400000  | 400000  | 800000  | 10000000
13/7   | destination-weighted  Weight          | 15      | 25      | 25      | 35
13/8   | strict
13/9   | source-w
To limit the multicast traffic through the packet processor that includes port 1/1 to 10 Mbps, use the following command.
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e1000-1/1)# qos multicast best-effort rate 10000
Syntax: qos multicast best-effort rate
The variable defines the bandwidth of multicast traffic that is allowed to pass through the packet processor that includes the port on which this command is configured.
• Virtual interface subsets are not supported for egress ACLs.
• The egress filtering of the 16x10 module only compares 3 bits of the TOS field (delay, throughput, reliability).
Setting the averaging-fair-weight (wfq) parameter
The wfq parameter is configured as the averaging-fair-weight parameter. In this implementation, you can set one of 13 (1 - 13) possible values. These values represent a wfq value as described in Table 99.
Calculating the values for WFQ storage mode traffic scheduling
Weighted Fair Queueing (WFQ) scheduling is configured to be a percentage of available bandwidth using the following formula.
Table 99 identifies the profile used for network control traffic, which is identified using an independent flag.
NOTE
The configurations for group port 1 will now be associated to s/1,s/5,s/9,s/13
3. To set the group port 2 weight, low priority traffic,
BigIron RX(config-if-e10000-4/1)#qos rcv-scheduler wfq 1 2 1
4. To set the group port 2 weight, high priority traffic,
BigIron RX(config-if-e10000-4/1)#qos rcv-scheduler wfq 1 2 1 2
NOTE
The configurations for group port 2 will now be associated to s/2,s/6,s/10,s/14
5.
Chapter 19 Configuring Traffic Reduction
In this chapter
• Traffic policing on the BigIron RX Series
• Traffic reduction parameters and algorithm
• Configuration considerations
• Configuring rate limiting policies
Traffic reduction parameters and algorithm
A rate limiting policy specifies two parameters: requested rate and maximum burst.
Requested rate
The requested rate is the maximum number of bits a port is allowed to receive during a one-second interval. The rate of the traffic that matches the rate limiting policy will not exceed the requested rate.
The credit size is calculated using the following algorithm.
Credit = (Average rate in bits per second)/(8*64453)
One second is divided into 64,453 intervals. In each interval, the number of bytes equal to the credit size is added to the running total of the class. The running total of a class represents the number of bytes that can be allowed to pass through without being subject to rate limiting.
• ACL-based rate limiting policies consume entries based on the number of statements in an ACL.
• See the limits in Table 100.
TABLE 100 .
The parameter specifies the maximum rate allowed on a port during a one-second interval. The minimum configurable requested rate is 20,345 bps. The maximum configurable rate limiting rate is near line-rate. Refer to “Requested rate” on page 506 for more details.
The parameter specifies the extra bits above the requested rate that traffic can have. Refer to “Maximum burst” on page 506 for more details.
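The credit algorithm and the two policy parameters can be modelled directly to see how a requested rate turns into per-interval credit and how a burst is absorbed. This is an added example, not code from the Brocade guide; the CreditLimiter class and simulate_second function are names chosen here, and treating the maximum burst as the cap on the running total is an assumption of the example (the text shown here defines maximum burst only as the extra bits allowed above the requested rate).

```python
"""Added example, not from the Brocade guide: a credit-based rate limiter
that follows the chapter's credit algorithm, Credit = rate / (8 * 64453)
bytes per interval with 64,453 intervals per second."""

INTERVALS_PER_SECOND = 64453  # from the chapter's credit algorithm


def credit_bytes_per_interval(requested_rate_bps):
    """Credit = (Average rate in bits per second) / (8 * 64453)."""
    return requested_rate_bps / (8 * INTERVALS_PER_SECOND)


class CreditLimiter:
    """Running total of bytes a class may pass without being rate limited.

    Assumption (not stated in the text shown here): the maximum burst, given
    in bits, caps the running total, so credit accumulated while the port is
    idle lets a burst of at most max_burst_bits / 8 bytes through above the
    requested rate.
    """

    def __init__(self, requested_rate_bps, max_burst_bits):
        self.credit = credit_bytes_per_interval(requested_rate_bps)
        self.cap = max_burst_bits / 8
        self.total = 0.0

    def tick(self):
        """One of the 64,453 intervals elapses: add the credit size."""
        self.total = min(self.cap, self.total + self.credit)

    def admit(self, pkt_bytes):
        """Pass the packet if the running total covers it, else drop it."""
        if pkt_bytes <= self.total:
            self.total -= pkt_bytes
            return True
        return False


def simulate_second(requested_rate_bps, max_burst_bits, pkt_bytes, pkts_per_interval=1):
    """Offer pkts_per_interval packets of pkt_bytes in every interval of one
    second and return (forwarded, dropped)."""
    limiter = CreditLimiter(requested_rate_bps, max_burst_bits)
    forwarded = dropped = 0
    for _ in range(INTERVALS_PER_SECOND):
        limiter.tick()
        for _ in range(pkts_per_interval):
            if limiter.admit(pkt_bytes):
                forwarded += 1
            else:
                dropped += 1
    return forwarded, dropped


if __name__ == "__main__":
    # The chapter's 500 Mbps / 750 Mbit policy: about 969.7 bytes of credit per interval.
    print(round(credit_bytes_per_interval(500_000_000), 1))
    # Offering one 2000-byte packet per interval (about 1031 Mbps) forwards ~31250 of them.
    print(simulate_second(500_000_000, 750_000_000, 2000))
```

Offering 800-byte packets at one per interval (about 412 Mbps) stays under the 500 Mbps credit and nothing is dropped; 2000-byte packets at the same interval rate exceed it, and the forwarded count settles at the requested rate, 500,000,000 / 8 / 2000 = 31250 packets per second, with the remainder dropped.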
The vlan parameter specifies the VLAN ID to which the policy applies. Refer to “Configuration considerations” on page 507 to determine the number of rate limiting policies that can be configured on a device. For information on the other parameters, refer to “Configuring a port-based rate limiting policy” on page 508.
Configuring a VLAN-group-based rate limiting policy
A rate limiting policy can be applied to a VLAN group.
The command applies the rate limiting policy for rate limiting VLAN group 10. This policy limits all traffic tagged with VLANs 3, 5, 6, or 7 on hardware forwarding queues 2 and 3 to a rate of 500 Mbps with a maximum burst size of 750 Mbits.
Syntax: rate-limit in group priority
The priority parameter specifies the 802.1p priority levels 0 - 7, equivalent to one of the four QoS queues.
Average rate is adjusted to 499321856 bits per second
BigIron RX(config-if-e1000-1/5)# rate-limit in access-group 60 100000000 200000000
Average rate is adjusted to 97523712 bits per second
These commands first configure access-list groups that contain the ACLs that will be used in the rate limiting policy. Use the permit condition for traffic that will be rate limited. Traffic that matches the condition is not subject to rate limiting and is allowed to pass through.
The ipv6-named-access-group parameter identifies the IPv6 ACL used to permit or deny traffic on a port. Permitted traffic is subject to rate limiting. Denied traffic is forwarded on the port. For information on the other parameters, refer to “Configuring a port-based rate limiting policy” on page 508.
NP based multicast, broadcast, and unknown-unicast rate limiting
NOTE
Beginning with release 02.7.
Displaying traffic reduction
The show rate-limit command displays the rate limiting policies configured on the ports. For example.
BigIron RX(config)# show rate-limit
interface e 1/1
 rate-limit input 499321856 750000000
interface e 1/3
 rate-limit input vlan-id 10 499321856 750000000
 rate-limit input vlan-id 20 97523712 200000000
To display bytes forwarded and dropped, enter the following command.
Chapter 20 Layer 2 ACLs
This chapter presents information to configure and view Layer 2 ACLs. Layer 2 Access Control Lists (ACLs) filter incoming traffic based on Layer 2 MAC header fields in the Ethernet/IEEE 802.3 frame.
• You cannot add remarks to a Layer 2 ACL clause.
Configuring Layer 2 ACLs
Configuring a Layer 2 ACL is similar to configuring standard and extended ACLs. Layer 2 ACL table IDs range from 400 to 499, for a maximum of 100 configurable Layer 2 ACL tables. Within each Layer 2 ACL table, you can configure from 64 (default) to 256 clauses. Each clause or entry can define a set of Layer 2 parameters for filtering.
The | any parameter specifies the source MAC address. You can enter a specific address and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using F’s and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000. In this case, the clause matches all source MAC addresses that contain “aabb” as the first two bytes and any values in the remaining bytes of the MAC address.
Inserting and deleting Layer 2 ACL clauses
You can make changes to the Layer 2 ACL table definitions without unbinding and rebinding the table from an interface. For example, you can add a new clause to the ACL table, delete a clause from the table, delete the ACL table, etc.
Binding a Layer 2 ACL table to an interface
To enable Layer 2 ACL filtering, bind the Layer 2 ACL table to an interface.
NOTE
Layer 2 ACLs cannot be bound to virtual routing interfaces.
Example of Layer 2 ACL deny by MAC address
In the following example, an ACL is created that denies all traffic from the host with the MAC address 0012.3456.7890 being sent to the host with the MAC address 0011.2233.4455.
BigIron RX(config)# access-list 401 deny 0012.3456.7890 ffff.ffff.ffff 0011.2233.4455 ffff.ffff.ffff
BigIron RX(config)# access-list 401 permit any any
Using the mask, you can make the access list apply to a range of addresses.
Chapter 21 Access Control List
This chapter describes the IP Access Control List (ACL) feature, which enables you to filter traffic based on the information in the IP packet header. For details on Layer 2 ACLs, refer to “Types of IP ACLs” on page 524. You can use IP ACLs to provide input to other features such as route maps, distribution lists, rate limiting, and BGP. When you use an ACL this way, use permit statements in the ACL to specify the traffic that you want to send to the other feature.
RX-BI-16XG (16 x 10GE) Module EGRESS ACL Configuration Guidelines
• The RX-BI-16XG 16 x 10GE module only supports standard, extended, named, and numbered ACLs for outbound access-group applications.
• Egress filtering on subset ports of a VE is not supported; matching must apply to all VE ports.
• Matching the SPI field value is not supported for egress ACLs.
• Matching the fragment or fragmentation-offset field is not supported.
Standard or extended ACLs can be numbered or named. Standard ACLs are numbered from 1 – 99, extended ACLs are numbered 100 – 199. Super ACLs may be assigned numbered IDs only, from 500 - 599. IDs for standard or extended ACLs can also be a character string (named). In this document, an ACL with a string ID is called a named ACL.
ACL-based inbound mirroring
ACLs can be used to select traffic for mirroring from one port to another. Using this feature, you can monitor traffic in the mirrored port using a protocol analyzer.
Considerations when configuring ACL-based inbound mirroring
The following must be considered when configuring ACL-based Inbound Mirroring:
• Configuring a Common Destination ACL Mirror Port for All Ports of a PPCR
• Support with ACL CAM Sharing Enabled.
The mirror parameter directs selected traffic to the mirrored port. Traffic can only be selected using the permit clause. The mirror parameter is supported on rACLs.
Applying the ACL to an interface
You must apply the ACL to an interface using the ip access-group command as shown in the following.
BigIron RX(config)# trunk switch ethernet 1/1 to 1/2
BigIron RX(config-trunk-1/1-1/2)# config-trunk-ind
BigIron RX(config-trunk-1/1-1/2)# acl-mirror-port ethe-port-monitored 1/1 ethernet 1/3
The following considerations apply when configuring ACL-based mirroring with trunks:
• You must configure ACL-mirroring for a trunk within the trunk configuration as shown in the examples.
Configuring ACL-based mirroring for ACLs bound to virtual interfaces
For configurations that have an ACL bound to a virtual interface, you must configure the acl-mirror-port command on a port for each PPCR that is a member of the virtual interface. For example, in the following configuration ports 4/1 and 4/2 share the same PPCR while port 4/3 uses another PPCR.
Standard ACLs permit or deny packets based on source IP addresses. You can configure up to 99 standard ACLs. There is no limit to the number of ACL entries an ACL can contain, except for the system-wide limitation. For the number of ACL entries supported on a BigIron RX, refer to “ACL IDs and entries” on page 525. To configure a standard ACL and apply it to outgoing traffic on port 1/1, enter the following commands.
Specifies the portion of the source IP host address to match against. The is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the . Ones mean any value matches. For example, the and values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
• Destination TCP or UDP port (if the IP protocol is TCP or UDP)
The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255:
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Internet Gateway Routing Protocol (IGRP)
• Internet Protocol (IP)
• Open Shortest Path First (OSPF)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
For TCP and UDP, you also can specify a comp
The following commands apply ACL 102 to the incoming and outgoing traffic on port 1/2 and to the incoming traffic on port 4/3.
BigIron RX(config)# int eth 1/2
BigIron RX(config-if-e10000-1/2)# ip access-group 102 in
BigIron RX(config-if-e10000-1/2)# exit
BigIron RX(config)# int eth 4/3
BigIron RX(config-if-e10000-4/3)# ip access-group 102 in
BigIron RX(config)# write memory
Here is another example of an extended ACL.
BigIron RX(config)#
BigIron RX(config)# 209.157.
[ ] [match-all ] [match-any ] [] [established] [precedence | ] [tos ] [dscp-matching ] [802.1p-priority-matching ] [dscp-marking 802.
Specifies the portion of the source IP host address to match against. The is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the . Ones mean any value matches. For example, the and values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
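The Layer 2 ACL mask of Chapter 20 (ones mark the bits that must match, as in ffff.0000.0000) and the IP ACL wildcard mask described here (zeros mark the bits that must match, as in 0.0.0.255) are inverse conventions, which is easy to get wrong when moving between the two ACL types. The following added example, not code from the Brocade guide, evaluates both masks and runs the chapter's ACL 401 (deny 0012.3456.7890 to 0011.2233.4455, then permit any any) through a first-match evaluator; the function names and the implicit deny for a frame that matches no clause are assumptions of the example.

```python
"""Added example, not from the Brocade guide: evaluating the two mask
conventions on this page, plus a first-match evaluator for the chapter's
Layer 2 ACL 401."""
import ipaddress


def parse_mac(dotted):
    """'aabb.ccdd.eeff' (the dotted-hex form the CLI uses) -> 48-bit int."""
    hexstr = dotted.replace(".", "")
    if len(hexstr) != 12:
        raise ValueError("MAC must be three dotted groups of four hex digits")
    return int(hexstr, 16)


def mac_matches(address, pattern, mask):
    """Layer 2 ACL mask: F (one) bits must match, zero bits are wildcards.
    ffff.0000.0000 therefore compares only the first two bytes."""
    m = parse_mac(mask)
    return parse_mac(address) & m == parse_mac(pattern) & m


def ip_matches(address, pattern, wildcard):
    """IP ACL wildcard mask: zero bits must match, one bits are wildcards.
    209.157.22.26 0.0.0.255 therefore matches every host in 209.157.22.x."""
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care
            == int(ipaddress.IPv4Address(pattern)) & care)


def evaluate_l2_acl(clauses, src_mac, dst_mac):
    """First matching clause decides; 'any' matches every address.
    Assumption: a frame matching no clause is denied (implicit deny)."""
    for action, src_pat, src_mask, dst_pat, dst_mask in clauses:
        src_ok = src_pat == "any" or mac_matches(src_mac, src_pat, src_mask)
        dst_ok = dst_pat == "any" or mac_matches(dst_mac, dst_pat, dst_mask)
        if src_ok and dst_ok:
            return action
    return "deny"


# The chapter's ACL 401 transcribed as (action, src, src-mask, dst, dst-mask).
ACL_401 = [
    ("deny", "0012.3456.7890", "ffff.ffff.ffff", "0011.2233.4455", "ffff.ffff.ffff"),
    ("permit", "any", None, "any", None),
]


if __name__ == "__main__":
    print(evaluate_l2_acl(ACL_401, "0012.3456.7890", "0011.2233.4455"))  # deny
    print(evaluate_l2_acl(ACL_401, "0012.3456.7890", "0011.2233.4456"))  # permit
    print(ip_matches("209.157.22.100", "209.157.22.26", "0.0.0.255"))    # True
```

Because ACL 401 ends with permit any any, the evaluator's implicit deny is never reached for that list; the last assertion in a check of this code should exercise an empty list to confirm the default.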
Specifies a comparison operator for the TCP or UDP port number. You can enter one of the following operators:
• eq – The policy applies to the TCP or UDP port name or number you enter after eq.
• gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.
Enter one of the following values, depending on the software version the device is running:
• any-icmp-type
• echo
• echo-reply
• information-request
• log
• mask-reply
• mask-request
• parameter-problem
• redirect
• source-quench
• time-exceeded
• timestamp-reply
• timestamp-request
• unreachable
NOTE: If the ACL is for the inbound traffic direction on a virtual routing interface, you also can specify a subset of ports within the VLAN containing
• 802.1p-priority-matching – Only packets that have the specified 802.1p priority will be matched. Valid range is 0-7.
• tos | – Specify the IP ToS name or number. You can specify one of the following:
• max-reliability or 2 – The ACL matches packets that have the maximum reliability ToS. The decimal value for this option is 2.
• max-throughput or 4 – The ACL matches packets that have the maximum throughput ToS.
• The dscp-cos-mapping parameter takes the DSCP value you specified and compares it to an internal QoS table, which is indexed by DSCP values. The corresponding 802.1p priority, internal forwarding priority, and DSCP value are assigned to the packet. For example, if you enter dscp-marking 7 and the internal QoS table is configured as shown in Table 101, the new QoS value for the packet is:
• 802.
The following examples show how to configure a named standard ACL entry and a named extended ACL entry.
Configuration example for standard ACL
To configure a named standard ACL entry, enter commands such as the following.
BigIron RX(config)# ip access-list standard Net1
BigIron RX(config-std-nacl)# deny host 209.157.22.26 log
BigIron RX(config-std-nacl)# deny 209.157.29.
NOTE
For convenience, the software allows you to configure numbered ACLs using the syntax for named ACLs. The software also still supports the older syntax for numbered ACLs. Although the software allows both methods for configuring numbered ACLs, numbered ACLs are always formatted in the startup-config and running-config files using the older syntax, as follows.
access-list 1 deny host 209.157.22.26 log
access-list 1 deny 209.157.22.0 0.
Syntax: [no] ip access-group in
The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring extended numbered ACLs” on page 531.
Configuring super ACLs
This section describes how to configure super ACLs with numeric IDs.
• For configuration information on named ACLs, refer to “Configuring standard or extended named ACLs” on page 539.
vlan-id | ip-pkt-len | ip-fragment-match {[fragment [fragment-offset <0 - 8191>]] | [non-fragment] | [first-fragment]} | ip-protocol | sip {/ | host } | dip {/ | host } | sp | dp | icmp-detail | dscp-matching <0 – 63> | 802.
sp – Enables packet matching based on the specified source TCP/UDP port.
dp – Enables packet matching based on the specified destination TCP/UDP port.
icmp-detail – Enables packet matching based on ICMP information.
802.1p-priority-matching – Enables packet matching based on the specified 802.1p priority value. Valid range is 0-7.
ipsec-spi – This parameter filters packets based on their IPSEC Security Parameter Index (SPI). Enter this value in hexadecimal.
BigIron RX(config)#show access-list name entry
Standard IP access list entry
deny host 5.6.7.8
deny host 192.168.12.3
permit any
Syntax: show access-list name
Enter the ACL name for the parameter or the ACL number for .
TABLE 102 TCP/UDP port numbers and names (Continued)
Port service number | Port name | Description
39 | rlp | Resource Location Protocol
41 | graphics | Graphics
42 | nameserver | Host Name Server
43 | nicname | Who Is
44 | mpm-flags | MPM FLAGS Protocol
45 | mpm | Message Processing Module [recv]
46 | mpm-snd | MPM [default send]
47 | ni-ftp | NI FTP
48 | auditd | Digital Audit Daemon
50 | re-mail-ck | Remote Mail Checking Protocol
51 | la-maint | IMP Logical Address Maintenance
TABLE 102 TCP/UDP port numbers and names (Continued)
Port service number | Port name | Description
85 | mit-ml-dev2 | MIT ML Device
86 | mfcobol | Micro Focus Cobol
88 | kerberos | Kerberos
89 | su-mit-tg | SU/MIT Telnet Gateway
90 | dnsix | DNSIX Securit Attribute Token Map
91 | mit-dov | MIT Dover Spooler
92 | npp | Network Printing Protocol
93 | dcp | Device Control Protocol
94 | objcall | Tivoli Object Dispatcher
95 | supdup | SUPDUP
96 | dixie | DIXIE Protocol Specification
97 | swift-
TABLE 102 TCP/UDP port numbers and names (Continued)
Port service number | Port name | Description
121 | erpc | Encore Expedited Remote Pro.
TABLE 102 TCP/UDP port numbers and names (Continued)
Port service number | Port name | Description
159 | nss-routing | NSS-Routing
160 | sgmp-traps | SGMP-TRAPS
163 | cmip-man | CMIP/TCP Manager
164 | cmip-agent | CMIP/TCP Agent
165 | xns-courier | Xerox
166 | s-net | Sirius Systems
167 | namp | NAMP
168 | rsvd | RSVD
169 | send | SEND
170 | print-srv | Network PostScript
171 | multiplex | Network Innovations Multiplex
172 | cl/1 | Network Innovations CL/1
173 | xyplex-mux | Xyplex
174 | mail
TABLE 102 TCP/UDP port numbers and names (Continued)
Port service number | Port name | Description
196 | dn6-smm-red | DNSIX Session Mgt Module Audit Redir
197 | dls | Directory Location Service
198 | dls-mon | Directory Location Service Monitor
199 | smux | SMUX
200 | src | IBM System Resource Controller
201 | at-rtmp | AppleTalk Routing Maintenance
202 | at-nbp | AppleTalk Name Binding
203 | at-3 | AppleTalk Unused
204 | at-echo | AppleTalk Echo
205 | at-5 | AppleTalk Unused
20
Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service number Port name Description 348 csi-sgwp Cabletron Management Protocol 371 clearcase Clearcase 372 ulistserv ListProcessor 373 legent-1 Legent Corporation 374 legent-2 Legent Corporation 375 hassle Hassle 376 nip Amiga Envoy Network Inquiry Protocol 377 tnETOS NEC Corporation 378 dsETOS NEC Corporation 379 is99c TIA/EIA/IS-99 modem client 380 is99s TIA/EIA/IS-99 modem server 3
21 Displaying ACL definitions TABLE 102 552 TCP/UDP port numbers and names (Continued) Port service number Port name Description 406 imsp Interactive Mail Support Protocol 407 timbuktu Timbuktu 408 prm-sm Prospero Resource Manager Sys. Man. 409 prm-nm Prospero Resource Manager Node Man.
Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service number Port name Description 442 cvc_hostd cvc_hostd 443 ssl http protocol over TLS/SSL 444 snpp Simple Network Paging Protocol 445 microsoft-ds Microsoft-DS 446 ddm-rdb DDM-RDB 447 ddm-dfm DDM-RFM 448 ddm-byte DDM-BYTE 449 as-servermap AS Server Mapper 450 tserver Computer Supported Telecomunication Applications 512 exec remote process execution 513 login remote login a la teln
21 Displaying ACL definitions TABLE 102 554 TCP/UDP port numbers and names (Continued) Port service number Port name Description 570 meter-570 demon 571 meter-571 udemon 600 ipcserver SUN ipc sERVER 606 nqs nqs 607 urm urm 608 sift-uft Sender-Initiated or Unsolicited File Transfer 609 npmp-trap npmp-trap 610 npmp-local npmp-local 611 npmp-gui npmp-gui 634 ginad ginad 666 mdqs mdqs 667 doom doom ID software 704 elcsd errlog copy or server daemon 709 entrustmana
ACL logging TABLE 102 21 TCP/UDP port numbers and names (Continued) Port service number Port name Description 765 webster webster 767 phonebook phone 769 vid VID 770 cadlock-770 CADLOCK -770 771 rtip rtip 772 cycleserv2 CYCLE Server 773 submit SUBMIT 774 rpasswd rpasswd 775 entomb entomb 776 wpages wpages 780 wpgs wpgs 786 concert concert 800 mdbs_daemon mdbs_daemon 801 device device 996 xtreelic XTREE License Server 997 maitrd maitrd 998 busboy busbo
ACL logging
NOTE
Logging is not currently supported on management interfaces.

Enabling the new logging method
There are no new CLI commands to enable this new processing method; it takes effect automatically if the following items have been configured:
• Syslog logging is enabled.
BigIron RX(config)# logging on
• Add the log option to an ACL statement, as in the following example.

Modifying ACLs
You can use the CLI to reorder entries within an ACL by individually removing the ACL entries and then re-adding them. To use this method, enter “no” followed by the command for an ACL entry, and repeat this for each ACL entry in the ACL you want to edit. After removing all the ACL entries from the ACL, re-add them. This method works well for small ACLs such as the example above, but can be impractical for ACLs containing many entries.

NOTE
This command will be unsuccessful if you place any commands other than access-list and end (at the end only) in the file. These are the only commands that are valid in a file you load using the copy tftp running-config… command.
7. To save the changes to the device’s startup-config file, enter the following command at the Privileged EXEC level of the CLI.
write memory
NOTE
Do not place other commands in the file.
NOTE
An ACL remark is attached to each individual filter only, not to the entire ACL.
Complete the syntax by specifying any options you want for the ACL entry. Options you can use to configure standard or extended numbered ACLs are discussed in “Configuring standard or extended named ACLs” on page 539.

Numbered ACLs: deleting a comment
To delete a remark from a numbered ACL, re-enter the remark command without any remark text.

Deleting ACL entries
• remark - adds a comment to the ACL entry. The comment can contain up to 255 characters. Comments must be entered separately from actual ACL entries; that is, you cannot enter an ACL entry and an ACL comment with the same command. Also, in order for the remark to be displayed correctly in the output of show commands, a comment must be entered immediately before the ACL entry it describes.
• deny | permit - denies or permits specified traffic.
The parameter specifies the ACL entry to be deleted. The parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 1 – 99 for standard ACLs, 100 – 199 for extended ACLs, or 500 – 599 for super ACLs. You must enter the complete deny or permit statement for the variable. Complete the configuration by specifying options for the ACL entry.
Applying ACLs to interfaces
Configuration examples in the section “Configuring numbered and named ACLs” on page 529 show that you apply ACLs to interfaces using the ip access-group command. This section presents additional information about applying ACLs to interfaces. Configuration examples for super ACLs appear in the section “Configuring super ACLs” on page 542.

NOTE
Applying an ACL to a subset of physical interfaces under a virtual routing interface multiplies the amount of CAM used by the number of physical interfaces specified. An ACL that successfully functions over a whole virtual routing interface may fail if you attempt to apply it to a subset of physical interfaces.
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following.

QoS options for IP ACLs
When the first Syslog entry for a packet denied by an ACL is generated, the software starts an ACL timer. After this, the software sends Syslog messages every 1 to 10 minutes, depending on the value of the timer interval. If an ACL entry does not permit or deny any packets during the timer interval, the software does not generate a Syslog entry for that ACL entry.
Enabling ACL duplication check
If desired, you can enable software checking for duplicate ACL entries. To do so, enter the following command at the Global CONFIG level of the CLI.
BigIron RX(config)# acl-duplication-check-disable
Syntax: [no] acl-duplication-check-disable
This command is disabled by default.

ACL accounting
The BigIron RX monitors the number of times an ACL is used to filter incoming or outgoing traffic on an interface.
BigIron RX(config)# show access-list accounting brief
Collecting ACL accounting summary for VE 1 ... Completed successfully.
ACL Accounting Summary: (ac = accumulated since accounting started)
Int    In ACL   Total In Hit
VE 1   111      473963(1s)   25540391(1m)   87014178(5m)   112554569(ac)
The display shows the following information.
This field...                              Displays...
The IP multicast traffic snooping state    The first line of the display indicates whether IP multicast traffic snooping is enabled or disabled. If enabled, it indicates if the feature is configured as passive or active.
Collecting ACL accounting summary for      Shows the interface included in the report and whether or not the collection was successful.
Inbound ACL ID                             Shows the direction of the traffic on the interface and the ID of the ACL used.
Enabling ACL filtering of fragmented or non-fragmented packets
By default, when an extended ACL is applied to a port, the port will use the ACL to permit or deny the first fragment of a fragmented packet, but forward subsequent fragments of the same packet in hardware. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet.

ACL filtering for traffic switched within a virtual routing interface
Enter the fragment parameter to allow the ACL to filter fragmented packets. Use the non-fragmented parameter to filter non-fragmented packets.
NOTE
The fragmented and non-fragmented parameters cannot be used together in an ACL entry.
Complete the configuration by specifying options for the ACL entry. Options you can use are discussed in the appropriate sections for configuring ACLs in this chapter.

ICMP filtering for extended ACLs
Named ACLs
For example, to deny the administratively-prohibited message type in a named ACL, enter commands such as the following.

TABLE 103 ICMP message types and codes (Continued)
ICMP message type       Type   Code
Information-reply       16     0
mask-reply              18     0
mask-request            17     0
net-redirect            5      0
net-tos-redirect        5      2
net-tos-unreachable     3      11
net-unreachable         3      0
packet-too-big          3      4
parameter-problem       12     0
port-unreachable        3      3
precedence-cutoff       3      15
protocol-unreachable    3      2
reassembly-timeout      11     1
redirect                5      x
router-advertisement    9      0
router-solicitation     10     0
source-host-isol

Troubleshooting ACLs
• To determine whether the issue is specific to fragmentation, remove the Layer 4 information (TCP or UDP application ports) from the ACL, then reapply the ACL. If you are using another feature that requires ACLs, use the same ACL entries for filtering and for the other feature.
Chapter 22
Policy-Based Routing

Policy-Based Routing (PBR)
Policy-Based Routing (PBR) allows you to use ACLs and route maps to selectively modify and route IP packets in hardware. The ACLs classify the traffic. Route maps that match on the ACLs set routing attributes for the traffic. A PBR policy specifies the next hop for traffic that matches the policy. Using standard ACLs with PBR, you can route IP packets based on their source IP address.
• ACL – 416 entries
• Rate Limiting – 416 entries, shared with PBR

Configuring a PBR policy
To configure PBR, you define the policies using IP ACLs and route maps, then enable PBR globally or on individual interfaces. The device programs the ACLs into the Layer 4 CAM on the interfaces and routes traffic that matches the ACLs according to the instructions in the route maps.
NOTE
To specify the host name instead of the IP address, the host name must be configured using the Brocade device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI.
The parameter specifies the mask value to compare against the host address specified by the parameter.
BigIron RX(config)# route-map test-route permit 99
BigIron RX(config-routemap test-route)# match ip address 99
BigIron RX(config-routemap test-route)# set ip next-hop 192.168.2.1
BigIron RX(config-routemap test-route)# exit
The commands in this example configure an entry in a route map named “test-route”. The match statement matches on IP information in ACL 99. The set statement changes the next-hop IP address for packets that match to 192.168.2.1.
Enabling PBR locally
To enable PBR locally, enter commands such as the following.
BigIron RX(config)# interface ve 1
BigIron RX(config-vif-1)# ip policy route-map test-route
The commands in this example change the CLI to the Interface level for virtual interface 1, then apply the “test-route” route map to the interface. You can apply a PBR route map to Ethernet ports or virtual interfaces.

Configuration examples
Setting the next hop
The following commands configure the device to apply PBR to traffic from IP subnets 209.157.23.x, 209.157.24.x, and 209.157.25.x. In this example, route maps specify the next-hop gateway for packets from each of these subnets:
• Packets from 209.157.23.x are sent to 192.168.2.1.
• Packets from 209.157.24.x are sent to 192.168.2.2.
• Packets from 209.157.25.x are sent to 192.168.2.3.
The following commands configure three standard ACLs.

Setting the output interface to the null interface
The following commands configure a PBR to send all traffic from 192.168.1.204/32 to the null interface, thus dropping the traffic instead of forwarding it.
BigIron RX(config)# access-list 56 permit 209.168.1.204 0.0.0.0
The following commands configure an entry in a route map called “file-13”. The first entry (permit 56) matches on the IP address information in ACL 56 above. For IP traffic from the host 209.168.1.
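The two PBR examples above (next hop per source subnet, and a null-interface drop for one host) can be checked offline with the following added model of how standard ACLs with wildcard masks classify packets and how route-map entries then pick the next hop. This is example code written for this page, not Brocade code; the ACL numbers 50 to 52 and 57, the route-map name and sequence numbers, and the "routing-table" fallback label are constructed assumptions, while the subnets, next hops and ACL 56 come from the text.

```python
"""Model of standard-ACL + route-map policy-based routing (constructed example).

A standard ACL entry matches a packet's source address under a wildcard mask
(0 bits must match, 1 bits are ignored).  Route-map entries are walked in
sequence order; the first entry whose ACL permits the source decides the
outcome: a next-hop address, the null interface (drop), or, for a deny entry
or no match at all, normal destination-based routing.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    address: str     # e.g. "209.157.23.0"
    wildcard: str    # wildcard mask, e.g. "0.0.0.255" (0.0.0.0 = exact host)

    def matches(self, src: str) -> bool:
        care = ~_to_int(self.wildcard) & 0xFFFFFFFF   # bits that must agree
        return (_to_int(src) & care) == (_to_int(self.address) & care)


@dataclass
class StandardAcl:
    number: int
    entries: List[AclEntry] = field(default_factory=list)

    def permits(self, src: str) -> bool:
        """First matching entry wins; an ACL ends with an implicit deny."""
        for entry in self.entries:
            if entry.matches(src):
                return entry.action == "permit"
        return False


@dataclass
class RouteMapEntry:
    seq: int
    action: str                   # "permit" or "deny"
    match_acls: List[int]         # 'match ip address <acl>' (any may match)
    next_hop: Optional[str] = None
    null_interface: bool = False  # send to the null interface -> drop


def pbr_next_hop(route_map: List[RouteMapEntry],
                 acls: Dict[int, StandardAcl], src: str) -> str:
    """Return the next-hop address, "null0" for a drop, or "routing-table"
    when the packet is left to normal destination-based routing."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        hit = any(acls[n].permits(src) for n in entry.match_acls if n in acls)
        if not hit:
            continue
        if entry.action == "deny":
            return "routing-table"      # explicit deny: exempt from PBR
        if entry.null_interface:
            return "null0"
        return entry.next_hop
    return "routing-table"              # no entry matched


# Constructed configuration mirroring the page's examples.  ACL 56 is from the
# text; ACL numbers 50-52 and 57 and the route-map name are assumptions.
ACLS: Dict[int, StandardAcl] = {
    50: StandardAcl(50, [AclEntry("permit", "209.157.23.0", "0.0.0.255")]),
    51: StandardAcl(51, [AclEntry("permit", "209.157.24.0", "0.0.0.255")]),
    52: StandardAcl(52, [AclEntry("permit", "209.157.25.0", "0.0.0.255")]),
    56: StandardAcl(56, [AclEntry("permit", "209.168.1.204", "0.0.0.0")]),
    # hypothetical management host that must keep using the normal route
    57: StandardAcl(57, [AclEntry("permit", "209.157.23.10", "0.0.0.0")]),
}

ROUTE_MAP: List[RouteMapEntry] = [
    RouteMapEntry(5, "deny", [57]),                 # exempt before the subnet rule
    RouteMapEntry(10, "permit", [50], next_hop="192.168.2.1"),
    RouteMapEntry(20, "permit", [51], next_hop="192.168.2.2"),
    RouteMapEntry(30, "permit", [52], next_hop="192.168.2.3"),
    RouteMapEntry(40, "permit", [56], null_interface=True),
]


def decide(src: str) -> str:
    """PBR outcome for a packet with source address `src`."""
    return pbr_next_hop(ROUTE_MAP, ACLS, src)


if __name__ == "__main__":
    for host in ("209.157.23.77", "209.157.23.10", "209.168.1.204", "10.0.0.1"):
        print(f"{host:>15} -> {decide(host)}")
```

Order matters: moving the deny entry after sequence 10 would let the subnet rule capture the exempted host first, which is the same first-match behaviour the text describes for ACL entries.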
Chapter 23
Configuring IP Multicast Protocols

Overview of IP multicasting
Multicast protocols allow a group or channel to be accessed over different networks by multiple stations (clients) for receiving and transmitting multicast data. Distribution of stock quotes, video transmissions such as news services and remote classrooms, and video conferencing are all examples of applications that use multicast routing.

Changing global IP multicast parameters
Leaf Nodes: Routers that do not have any downstream routers.
Multicast Tree: A unique tree is built for each source group (S,G) pair. A multicast tree is comprised of a root node and one or more nodes that are leaf or intermediate nodes.
NOTE
Multicast protocols can only be applied to 1 physical interface. You must create multiple VLANs with individual untagged ports and ve’s under which you configure PIM.

IP multicast boundaries
Configuration considerations
• Normal ACL restrictions apply as to how many software ACLs can be created, but there are no hardware restrictions on ACLs with this feature.
• Creation of a static IGMP client is allowed for a group on a port that may be prevented from participation in the group on account of an ACL bound to the port’s interface. In such a situation, the ACL would prevail and the port will not be added to the relevant entries.

Passive Multicast Route Insertion (PMRI)
To prevent unwanted multicast traffic from being sent to the CPU, Passive Multicast Route Insertion (PMRI) can be used to ensure that multicast streams are only forwarded out ports with interested receivers and that unwanted traffic is dropped in hardware on Layer 3 Switches. This feature does not apply to DVMRP traffic. PMRI enables a Layer 3 switch running PIM to create an entry for a multicast route (e.g.
Changing IGMP V1 and V2 parameters
IGMP allows Brocade routers to limit the multicast of IGMP packets to only those ports on the router that are identified as IP Multicast members. The router actively sends out host queries to identify IP Multicast groups on the network. The following IGMP V1 and V2 parameters apply to PIM and DVMRP:
• IGMP query interval – Specifies how often the BigIron RX queries an interface for group membership. Possible values are 1 – 3600.

Modifying IGMP (V1 and V2) maximum response time
Maximum response time defines how long the device will wait for an IGMP (V1 and V2) response from an interface before concluding that the group member on that interface is down and removing the interface from the group. Possible values are 1 – 10. The default is 10.
To change the IGMP (V1 and V2) maximum response time, enter a command such as the following at the global CONFIG level of the CLI.

IGMP v3
The Internet Group Management Protocol (IGMP) allows an IPv4 system to communicate IP Multicast group membership information to its neighboring routers. The routers in turn limit the multicast of IP packets with multicast destination addresses to only those interfaces on the router that are identified as IP Multicast group members. In IGMP V2, when a router sends a query to the interfaces, the clients on the interfaces respond with a membership report of multicast groups to the router.
In response to membership reports from the interfaces, the router sends a Group-Specific or a Group-and-Source Specific query to the multicast interfaces. For example, a router receives a membership report with a Source-List-Change record to block old sources from an interface. The router sends Group-and-Source Specific Queries to the source and group (S,G) identified in the record.
Enabling the IGMP version per interface setting
To specify the IGMP version for a physical port, enter a command such as the following.
BigIron RX(config)# interface eth 1/5
BigIron RX(config-if-1/5)# ip igmp version 3
To specify the IGMP version for a virtual routing interface on a physical port, enter a command such as the following.

• No other client on the interface is receiving traffic from the group to which the client belongs.
Every group on the physical interface of a virtual routing interface keeps its own tracking record. It can track by (source, group). For example, two clients (Client A and Client B) belong to group1 but each is receiving traffic streams from different sources. Client A receives a stream from (source_1, group1) and Client B receives it from (source_2, group1).

Setting the query interval
The IGMP query interval period defines how often a switch will query an interface for group membership. Possible values are 10 – 3,600 seconds and the default value is 125 seconds, but the value you enter must be a little more than twice the group membership time. To modify the default value for the IGMP query interval, enter the following.

BigIron RX# show ip igmp group
Interface v18 : 1 groups
    group        phy-port   static   querier   life   mode      #_src
1   239.0.0.1    e4/20      no       yes              include   19
Interface v110 : 3 groups
    group        phy-port   static   querier   life   mode      #_src
2   239.0.0.1    e4/5       no       yes              include   10
3   239.0.0.1    e4/6       no       yes       100    exclude   13
4   224.1.10.1   e4/5       no       yes              include   1
To display the status of one IGMP multicast group, enter a command such as the following.
BigIron RX# show ip igmp group 239.0.0.1 detail
Display group 239.0.0.
This field               Displays
Static                   A “yes” entry in this column indicates that the multicast group was configured as a static group; “No” means it was not. Static multicast groups can be configured in IGMP V2 using the ip igmp static command. In IGMP V3, static sources cannot be configured in static groups.
Querier                  “Yes” means that the port is a querier port; “No” means it is not. A port becomes a non-querier port when it receives a query from a source with a lower source IP address than the port.

Entering an address for displays information for a specified group on the specified interface. The report shows the following information.
This field               Displays
Query interval           Displays how often a querier sends a general query on the interface.
Max response             The maximum number of seconds a client can wait before it replies to the query.
Group membership time    The number of seconds multicast groups can be members of this group before aging out.

Configuring a static multicast route
This field               Displays
Leave                    Number of IGMP V2 “leave” messages on the interface. (See ToEx for IGMP V3.)
IsIN                     Number of source addresses that were included in the traffic.
IsEX                     Number of source addresses that were excluded in the traffic.
ToIN                     Number of times the interface mode changed from exclude to include.
ToEX                     Number of times the interface mode changed from include to exclude.

Syntax: ip mroute interface ethernet / | ve [distance ]
Or
Syntax: ip mroute rpf_address
The command specifies the PIM source for the route.
NOTE
In IP multicasting, a route is handled in terms of its source, rather than its destination.
You can use the ethernet / parameter to specify a physical port or the ve parameter to specify a virtual interface.
To add a static route to a virtual interface, enter commands such as the following.
BigIron RX(config)# ip mroute 0.0.0.0 0.0.0.0 int ve 1 distance 1
BigIron RX(config)# write memory

Next hop validation check
You can configure the BigIron RX to perform multicast validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC address. You can enable ARP validation check on a global basis.

PIM dense
NOTE
Multicast protocols can only be applied to 1 physical interface. You must create multiple VLANs with individual untagged ports and ve’s under which you configure PIM.
PIM was introduced to simplify some of the complexity of the routing protocol at the cost of additional overhead tied with a greater replication of forwarded multicast packets. PIM is similar to DVMRP in that PIM builds source-routed multicast delivery trees and employs a reverse path check when forwarding multicast packets.
When a node on the multicast delivery tree has all of its downstream branches (downstream interfaces) in the prune state, a prune message is sent upstream. In the case of R4, if both R5 and R6 are in a prune state at the same time, R4 becomes a leaf node with no downstream interfaces and sends a prune message to R1. With R4 in a prune state, the resulting multicast delivery tree would consist only of leaf nodes R2 and R3.
FIGURE 91 Pruning leaf nodes from a multicast tree
[Figure: a video conferencing server (source 207.95.5.1, group 229.225.0.1) feeds router R1; R2 and R3 are leaf nodes with group members; R4 is an intermediate node with no group members whose downstream routers R5 and R6 are leaf nodes with no group members, so R4 sends a prune message to its upstream router.]
The primary difference between PIM DM V1 and V2 is the methods the protocols use for messaging:
• PIM DM V1 – uses the IGMP to send messages.
• PIM DM V2 – sends messages to the multicast address 224.0.0.13 (ALL-PIM-ROUTERS) with protocol number 103.
The CLI commands for configuring and managing PIM DM are the same for V1 and V2. The only difference is the command you use to enable the protocol on an interface.
• Entering the router pim command to enable PIM does not require a software reload.
• Entering a no router pim command removes all configuration for PIM multicast on a BigIron RX (router pim level) only.

Enabling a PIM version
To enable PIM on an interface, first enable PIM globally and then enable it on the interface. For example, to enable PIM on interface 1/3, enter the following commands.

Modifying hello timer
This parameter defines the interval at which periodic hellos are sent out PIM interfaces. Routers use hello messages to inform neighboring routers of their presence. The default rate is 60 seconds.
To apply a PIM hello timer of 120 seconds to all ports on the router operating with PIM, enter the following.
BigIron RX(config)# router pim
BigIron RX(config-pim-router)# hello-timer 120
Syntax: hello-timer <10-3600>
The default is 60 seconds.

BigIron RX(config)# show ip pim dense
Global PIM Dense Mode Settings
Hello interval: 60, Neighbor timeout: 180
Graft Retransmit interval: 180, Inactivity interval: 180
Route Expire interval: 200, Route Discard interval: 340
Prune age: 180, Prune wait: 3
Syntax: show ip pim dense

Modifying graft retransmit timer
The Graft Retransmit Timer defines the interval between the transmission of graft messages. A graft message is sent by a router to cancel a prune state.
PIM Sparse
Total number of IP routes: 19
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
    Destination    NetMask            Gateway          Port   Cost   Type
..
9   172.17.41.4    255.255.255.252    *137.80.127.3    v11    2
    172.17.41.4    255.255.255.252    137.80.126.3     v10    2
    172.17.41.4    255.255.255.252    137.80.129.1     v13    2
    172.17.41.4    255.255.255.252    137.80.128.3     v12    2
    172.17.41.8    255.255.255.252    0.0.0.

FIGURE 92 Example PIM Sparse domain
[Figure: PIM Sparse routers A, B and C. Router B (Port2/1 207.95.8.10, Port2/2 207.95.7.1) is also the Bootstrap Router (BR) for this PIM Sparse domain and the Rendezvous Point (RP) for the PIM Sparse groups in this domain. Router A (Port3/8 207.95.8.1, VE 1 207.95.6.1) connects the source 209.157.24.162 for group 239.255.162.1; router C (Port3/8 207.95.7.2, VE 1 207.95.6.2) connects the receiver for that group. The RP path and the Shortest Path Tree (SPT) path are marked.]

from a group source to the group’s receivers. After the first packet, the BigIron RX calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver. The BigIron RX calculates a separate SPT for each source-receiver pair.
NOTE
Brocade recommends that you configure the same ports as candidate BSRs and RPs.
NOTE
Brocade recommends that you configure the same BigIron RX as both the BSR and the RP.

Current limitations
The implementation of PIM Sparse in the current software release has the following limitations:
• PIM Sparse and regular PIM (dense mode) cannot be used on the same interface.
• You cannot configure or display PIM Sparse information using the Web management interface. (You can display some general PIM information, but not specific PIM Sparse information.)
If the interface is on the border of the PIM Sparse domain, you also must enter the following command.
BigIron RX(config-if-e10000-2/2)# ip pim border
Syntax: [no] ip pim border
NOTE
You cannot configure a Brocade routing interface as a PMBR interface for PIM Sparse in the current software release.

The ethernet / | loopback | ve parameter specifies the interface. The BigIron RX will advertise the specified interface’s IP address as a candidate RP.
• Enter ethernet / for a physical interface (port).
• Enter ve for a virtual interface.
• Enter loopback for a loopback interface.
By default, this command configures the BigIron RX as a candidate RP for all group numbers beginning with 224.
If you explicitly specify the RP, the BigIron RX uses the specified RP for all group-to-RP mappings and overrides the set of candidate RPs supplied by the BSR.
NOTE
Specify the same IP address as the RP on all PIM Sparse routers within the PIM Sparse domain. Make sure the router is on the backbone or is otherwise well connected to the rest of the network.
To specify the IP address of the RP, enter commands such as the following.

Displaying the static RP
Use the show ip pim rp-set command to display static RP and the associated group ranges.
BigIron RX(config)# show ip pim rp-set
Static RP and associated group ranges
------------------------------------
Static RP count: 4
130.1.1.1 permit 238.1.1.0/24 permit 239.1.0.0/16 permit 235.0.0.0/8
120.1.1.1 deny all
120.2.1.1 deny all
124.1.1.1 permit 224.0.0.0/4
Number of group prefixes Learnt from BSR: 0
No RP-Set present.

Route selection precedence for multicast
To specify a non-default route from the mRTM, then a non-default route from the uRTM, then a default route from the mRTM, and then a default route from the uRTM, enter commands such as the following.
BigIron RX(config)# router pim
BigIron RX(config-pim-router)# route-precedence mc-non-default uc-non-default mc-default uc-default
The none option may be used to fill up the precedence table in order to ignore certain types of routes.
Changing the Shortest Path Tree (SPT) threshold
BigIron RX(config-pim-router)# show ip pim sparse
Global PIM Sparse Mode Settings
Hello interval : 30
Neighbor timeout : 105
Bootstrap Msg interval: 60
Candidate-RP Advertisement interval: 60
Join/Prune interval : 60
SPT Threshold : 1
Inactivity interval : 180
SSM Enabled : No
Hardware Drop Enabled : Yes
Route Selection : mc-non-default uc-non-default mc-default uc-default
---------+----------------+----+---+----------------------+------+-------------+
Int
The infinity | parameter specifies the number of packets. If you specify infinity, the BigIron RX sends packets using the RP indefinitely and does not switch over to the SPT. If you enter a specific number of packets, the BigIron RX does not switch over to using the SPT until it has sent the number of packets you specify using the RP.

Displaying PIM Sparse configuration information and statistics
• The PIM flow cache
• The PIM multicast cache
• PIM traffic statistics

Displaying basic PIM Sparse configuration information
To display PIM Sparse configuration information, enter the following command at any CLI level.
This field...                              Displays...
Join/Prune interval                        How frequently the BigIron RX sends PIM Sparse Join/Prune messages for the multicast groups it is forwarding. This field shows the number of seconds between Join/Prune messages. The BigIron RX sends Join/Prune messages on behalf of multicast receivers who want to join or leave a PIM Sparse group.
Group                                      The multicast group address.
Ports                                      The BigIron RX ports connected to the receivers of the groups.

Displaying BSR information
To display BSR information, enter the following command at any CLI level.
BigIron RX(config-pim-router)# show ip pim bsr
PIMv2 Bootstrap information
This system is the elected Bootstrap Router (BSR)
BSR address: 207.95.7.

This field...                              Displays...
Next bootstrap message in                  Indicates how many seconds will pass before the BSR sends its next Bootstrap message. NOTE: This field appears only if this BigIron RX is the BSR.
Next Candidate-RP-advertisement message in Indicates how many seconds will pass before the BSR sends its next candidate RP advertisement message. NOTE: This field appears only if this BigIron RX is a candidate BSR.
group prefixes                             Indicates the multicast groups for which the RP listed by the previous field is a candidate RP. NOTE: This field appears only if this BigIron RX is a candidate RP.
Candidate-RP-advertisement period          Indicates how frequently the BSR sends candidate RP advertisement messages. NOTE: This field appears only if this BigIron RX is a candidate RP.
RP                                         Indicates the IP address of the Rendezvous Point (RP) for the specified PIM Sparse group. Following the IP address is the port or virtual interface through which this BigIron RX learned the identity of the RP.
Info source                                Indicates the IP address on which the RP information was received. Following the IP address is the method through which this BigIron RX learned the identity of the RP.
BigIron RX(config-pim-router)# show ip pim nbr
Port    Neighbor       Holdtime sec   Age sec   UpTime sec
e3/8    207.95.8.10    180            60        900
v1      207.95.6.2     180            60        900
Syntax: show ip pim nbr
This display shows the following information.
This field...    Displays...
Port             The interface through which the BigIron RX is connected to the neighbor.
Neighbor         The IP interface of the PIM neighbor interface.

BigIron RX# show ip pim rpf 1.2.3.4
no route
BigIron RX# show ip pim rpf 1.10.10.24
upstream neighbor=1.1.20.1 on v21 using ip route
Syntax: show ip pim | dvmrp rpf
Where is a valid source IP address

Displaying the PIM multicast cache
To display the PIM multicast cache, enter the following command at any CLI level.
BigIron RX(config-pim-router)# show ip pim mcache
Total 6 entries
1 (10.161.32.200, 237.0.0.
23 PIM-SSMv4 Displaying PIM traffic statistics To display PIM traffic statistics, enter the following command at any CLI level.
23 Configuring Multicast Source Discovery Protocol (MSDP) The amount of unwanted traffic in the network is reduced, but because each multicast group is associated with a particular host, different hosts can be assigned the same multicast address for different streams. This greatly increases the number of multicast groups that can be used in the network. Another added benefit of SSM is that it increases security by reducing the possibility of a rogue source disrupting the traffic from a legitimate source.
Configuring Multicast Source Discovery Protocol (MSDP)

FIGURE 93 PIM Sparse domains joined by MSDP routers

[Figure: PIM Sparse Domain 1 and PIM Sparse Domain 2, each with a Designated Router (DR) and a Rendezvous Point (RP); RP 206.251.17.41 is shown. Step 1: the source 206.251.14.22 starts sending to group 232.1.0.95 in Domain 1. Step 2: the RP sends a Source Advertisement (SA) message through MSDP to its MSDP peers in other PIM Sparse domains. Step 3: the RP that receives the SA floods the SA to all its MSDP peers, except the one that sent the SA.]
Peer Reverse Path Forwarding (RPF) flooding

When the MSDP router (also the RP) in domain 2 receives the Source Active message from its peer in domain 1, the MSDP router in domain 2 forwards the message to all its other peers. This propagation process is sometimes called "peer Reverse Path Forwarding (RPF) flooding". The term refers to the fact that the MSDP router uses its PIM Sparse RPF tree to send the message to its peers within the tree, and it never sends an SA back to the peer from which it received it.
• Configure the MSDP peers

NOTE
The PIM Sparse Rendezvous Point (RP) is also an MSDP peer. Routers that run MSDP must also run BGP, and the source address used by the MSDP router must be the same source address used by BGP.

Enabling MSDP

NOTE
You must save the configuration and reload the software to place the change into effect.

To enable MSDP, enter the following commands.
Designating an interface's IP address as the RP's IP address

When an RP receives a Source Active message, it checks its PIM Sparse multicast group table for receivers for the group. If it finds a receiver, the RP sends a PIM (S,G) Join message toward the source advertised in the Source Active message, so that the source's traffic reaches the receiver across the domain boundary. The RP that originated the Source Active message is identified by its RP address.
The following commands configure an IP address on port 3/1. This is the port on which the MSDP neighbors will be configured.

BigIron RX(config)# interface ethernet 3/1
BigIron RX(config-if-e1000-3/1)# ip address 2.2.2.98/24
BigIron RX(config-if-e1000-3/1)# exit

The following commands configure a loopback interface. The BigIron RX will use this interface as the source address for communicating with the MSDP neighbors.
• sa-filter in 2.2.2.97 route-map msdp_map – This command ignores source-group pairs received from neighbor 2.2.2.97 if the pairs have a source address in 10.x.x.x, regardless of the group address.
• sa-filter in 2.2.2.96 route-map msdp2_map rp-route-map msdp2_rp_map – This command accepts all source-group pairs from neighbor 2.2.2.96 except those originated by RP 2.2.42.3.
The following commands enable MSDP and configure MSDP neighbors on port 3/1.

BigIron RX(config)# router msdp
BigIron RX(config-msdp-router)# msdp-peer 2.2.2.99 connect-source loopback 1
BigIron RX(config-msdp-router)# msdp-peer 2.2.2.97 connect-source loopback 1
BigIron RX(config-msdp-router)# exit

The following commands configure the Source-Active filter.
TABLE 104 MSDP source active cache (Continued)

This field...    Displays...
SourceAddr       The IP address of the multicast source.
GroupAddr        The IP multicast group to which the source is sending.
Configuring MSDP mesh groups

FIGURE 94 Example of MSDP mesh group

[Figure: PIM Sparse Domain 1 contains Mesh Group A, made up of RP 206.251.18.31, RP 206.251.21.31, RP 206.251.20.31 and RP 206.251.19.31, plus a Designated Router (DR) and the source 206.251.14.22 for group 232.1.0.95. Step 1: the source starts sending to the group. Step 2: the RP sends an SA message to its peers within the domain. Step 3: the RPs within the domain receive the SA message and flood it to their peers in other PIM Sparse domains, but not back to the other members of the mesh group.]
Syntax: [no] mesh-group

The sample configuration above reflects the configuration in Figure 94. On RP 206.251.21.31 you specify the other RPs in the same domain as its mesh-group peers. You first configure the MSDP peers using the msdp-peer command to assign their IP addresses and the loopback interfaces; the loopback interface is used as the source address for the sessions with each neighbor.
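The Source Active handling described in the peer-RPF flooding paragraph, the sa-filter bullets and the mesh-group figure above, as an added Python model written for this page (it is not Brocade code and not what the BigIron RX runs internally): an MSDP speaker that accepts SA messages only from configured peers, applies per-peer inbound filters, caches new (source, group, RP) triples, re-floods each new SA to every peer except the sender, and does not re-flood to other members of the mesh group the SA arrived from. The peer addresses and filter rules are taken from the examples above; the filter predicates stand in for the route maps msdp_map and msdp2_rp_map, whose contents the page does not show, and the mesh-group speaker uses the Device A addresses.

```python
"""MSDP Source-Active (SA) propagation model: inbound sa-filters, peer-RPF
flooding (never echo an SA to the peer it came from) and mesh-group
suppression.  Illustrative model for this page, not Brocade code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class SA:
    source: str  # multicast source address
    group: str   # multicast group address
    rp: str      # RP that originated the SA


Filter = Callable[[SA], bool]  # True = accept the SA, False = ignore it


def deny_source_prefix(prefix: str) -> Filter:
    """Stands in for a route map that denies SAs whose source lies in prefix."""
    net = ipaddress.ip_network(prefix)
    return lambda sa: ipaddress.ip_address(sa.source) not in net


def deny_rp(rp: str) -> Filter:
    """Stands in for an rp-route-map that denies SAs originated by a given RP."""
    return lambda sa: sa.rp != rp


@dataclass
class MsdpSpeaker:
    addr: str
    peers: Set[str] = field(default_factory=set)
    mesh_group: Dict[str, str] = field(default_factory=dict)      # peer -> group name
    in_filters: Dict[str, List[Filter]] = field(default_factory=dict)
    sa_cache: Set[SA] = field(default_factory=set)
    sent: List[Tuple[str, SA]] = field(default_factory=list)     # (to peer, SA)

    def receive(self, from_peer: str, sa: SA) -> bool:
        """Process one SA from a peer; True if it was cached and flooded."""
        if from_peer not in self.peers:
            return False  # SAs from unconfigured speakers are dropped
        if not all(f(sa) for f in self.in_filters.get(from_peer, [])):
            return False  # sa-filter in: ignored, so never cached or re-flooded
        if sa in self.sa_cache:
            return False  # already known: no re-flood, which also bounds loops
        self.sa_cache.add(sa)
        self._flood(from_peer, sa)
        return True

    def _flood(self, from_peer: str, sa: SA) -> None:
        src_group = self.mesh_group.get(from_peer)
        for peer in sorted(self.peers):
            if peer == from_peer:
                continue  # peer-RPF flooding: never send an SA back to its sender
            if src_group is not None and self.mesh_group.get(peer) == src_group:
                continue  # mesh group: the sender already delivered it to them
            self.sent.append((peer, sa))

    def sent_to(self) -> List[str]:
        """Distinct peers this speaker has flooded anything to, sorted."""
        return sorted({peer for peer, _ in self.sent})


def filtered_speaker() -> MsdpSpeaker:
    """Speaker 2.2.2.98 with the peers and sa-filters from the page's example."""
    r = MsdpSpeaker("2.2.2.98", peers={"2.2.2.99", "2.2.2.97", "2.2.2.96"})
    r.in_filters["2.2.2.97"] = [deny_source_prefix("10.0.0.0/8")]  # msdp_map
    r.in_filters["2.2.2.96"] = [deny_rp("2.2.42.3")]               # msdp2_rp_map
    return r


def mesh_speaker() -> MsdpSpeaker:
    """Device A (1.1.1.1): three peers in mesh group 1234, one peer outside it."""
    r = MsdpSpeaker("1.1.1.1", peers={"1.1.2.1", "1.1.3.1", "1.1.4.1", "17.17.17.7"})
    for p in ("1.1.2.1", "1.1.3.1", "1.1.4.1"):
        r.mesh_group[p] = "1234"
    return r


if __name__ == "__main__":
    r = filtered_speaker()
    r.receive("2.2.2.97", SA("10.1.2.3", "239.1.1.1", "2.2.2.1"))            # filtered
    r.receive("2.2.2.97", SA("100.100.1.254", "232.1.0.95", "206.251.17.41"))  # flooded
    print(r.sent_to())  # ['2.2.2.96', '2.2.2.99']
```

The filter runs before the cache is touched, so a denied SA is never re-flooded; that is the point of an inbound sa-filter from a security standpoint, since a peer that can get bogus (S,G) pairs into your cache can have your RPs send joins toward sources that do not exist.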
Configuration for Device A

The following set of commands configures the MSDP peers of Device A (1.1.1.1) that are inside and outside MSDP mesh group 1234. Device A's peers inside mesh group 1234 are 1.1.2.1, 1.1.3.1, and 1.1.4.1. Device 17.17.17.7 is a peer of Device A but is outside mesh group 1234. Multicast is enabled on Device A's interfaces, and PIM and BGP are also enabled.
Configuration for Device B

The following set of commands configures the MSDP peers of Device B. All of Device B's peers (1.1.1.1, 1.1.3.1, and 1.1.4.1) are in MSDP mesh group 1234. Multicast is enabled on Device B's interfaces, and PIM and BGP are also enabled.
BigIron RX(config)# router pim
BigIron RX(config)# router msdp
Displaying MSDP information

You can display the following MSDP information:
• Summary information – the IP addresses of the peers, the state of the BigIron RX's MSDP session with each peer, and statistics for Keepalive, Source Active, and Notification messages sent to and received from each of the peers.
• Peer information – the IP address of the peer, along with detailed MSDP and TCP statistics.
Displaying peer information

To display MSDP peer information, use the following CLI method.

BigIron RX# show ip msdp peer
Total number of MSDP Peers: 2
1 IP Address 206.251.17.
TABLE 106 MSDP peer information (Continued)

This field...                  Displays...
Keep Alive Message Received    The number of Keep Alive messages the MSDP router has received from the peer.
Notifications Sent             The number of Notification messages the MSDP router has sent to the peer.
Notifications Received         The number of Notification messages the MSDP router has received from the peer.
Source-Active Sent             The number of Source Active messages the MSDP router has sent to the peer.
TABLE 106 MSDP peer information (Continued)

This field...           Displays...
TCP connection state    The state of the TCP connection with the peer. The connection can have one of the following states:
                        • LISTEN – Waiting for a connection request.
                        • SYN-SENT –  Waiting for a matching connection request after having sent a connection request.
                        • SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
Displaying source active cache information

To display the Source Actives in the MSDP cache, use the following CLI method.

BigIron RX# show ip msdp sa-cache
Total Entry 4096, Used 1800 Free 2296
Index  SourceAddr GroupAddr Age
1      (100.100.1.254, 232.1.0.95), RP:206.251.17.41, Age:0
2      (100.100.1.254, 237.1.0.98), RP:206.251.17.41, Age:30
3      (100.100.1.254, 234.1.0.48), RP:206.251.17.41, Age:30
4      (100.100.1.254, 239.1.0.51), RP:206.251.17.41, Age:30
5      (100.100.1.
Clearing MSDP information

BigIron RX# clear ip msdp peer 205.216.162.1
Remote connection closed

Syntax: clear ip msdp peer

The command in this example clears the MSDP peer connection with MSDP router 205.216.162.1. The CLI displays a message to indicate when the connection has been successfully closed.

Clearing the source active cache

To clear the entries from the Source Active cache, enter the following command at the Privileged EXEC level of the CLI.
DVMRP overview

Initiating DVMRP multicasts on a network

Once DVMRP is enabled on each router, a network user can begin a video conference multicast from the server on R1. Multicast delivery trees are initially formed by source-originated multicast packets that are propagated to downstream interfaces, as shown in Figure 96.
FIGURE 96 Downstream broadcast of IP multicast packets from source host

[Figure: the video conferencing server at 207.95.5.1 sends to group 229.225.0.1, giving the (Source, Group) pair (207.95.5.1, 229.225.0.1). The packets are broadcast downstream from R1 through R2, R3, R4, R5 and R6 to every leaf. Some leaf nodes and an intermediate node have no group members; other subnets contain group members for 229.225.0.1.]
FIGURE 97 Pruning leaf nodes from a multicast tree

[Figure: the topology of Figure 96, with the video conferencing server 207.95.5.1 sending to group 229.225.0.1. A leaf node with no group members sends a Prune message to its upstream router (R4), so the branches that have no group members are removed from the delivery tree.]
Configuring DVMRP

Enabling DVMRP globally and on an interface

Suppose you want to initiate the use of desktop video for fellow users on a sprawling campus network. All destination workstations have the appropriate hardware and software, but the BigIron RXes that connect the various buildings need to be configured to support DVMRP multicasts from the designated video conference server, as shown in Figure 96.
• Route expire time
• Route discard time
• Prune age
• Graft retransmit time
• Probe interval
• Report interval
• Trigger interval
• Default route

Modifying neighbor timeout

The neighbor timeout specifies the period of time that a router waits before it declares an attached DVMRP neighbor router down. Possible values are 40 – 8000 seconds. The default value is 180 seconds. To modify the neighbor timeout value to 100, enter the following.
Modifying graft retransmit time

The graft retransmit time defines the initial period of time that a router sending a graft message waits for a graft acknowledgement from an upstream router before retransmitting that message. Subsequent retransmissions are sent at an interval twice that of the preceding interval. Possible values are 5 – 3600 seconds. The default value is 10 seconds. To modify the graft retransmit time to 120, enter the following.
BigIron RX(config-dvmrp-router)# default-gateway 192.35.4.1

Syntax: default-gateway

Modifying DVMRP interface parameters

DVMRP interface parameters come with preset values. The defaults work well in most networks, but you can modify the following interface parameters if you need to:
• TTL
• Metric
• Advertising

Modifying the TTL

The TTL defines the minimum TTL value a packet must carry in order to be forwarded out the interface.
Displaying information about an upstream neighbor device

You can view information about the upstream neighbor device for a given source IP address for IP PIM packets. The software uses the IP route table or the multicast route table to look up the upstream neighbor device. The following shows example messages that the Brocade device can display with this command.

BigIron RX# show ip dvmrp rpf 1.1.20.
Configuring a static multicast route

NOTE
Regardless of the administrative distances, the BigIron RX Series router always prefers directly connected routes over other routes.

FIGURE 98 Example multicast static routes

[Figure: PIM Routers A, B, C and D and a client in multicast group 239.255.162.1, connected through interfaces e1/2, e2/3, e4/11, e1/4, e1/5, e1/8, e3/11, e3/19 and e6/14 with the addresses 207.95.6.1, 207.95.6.2, 207.95.7.1, 207.95.7.2, 207.95.8.1, 207.95.8.10, 209.157.24.62 and 9.9.9.101; one further address is cut off.]
Configuring IP multicast traffic reduction

When you enable IP Multicast Traffic Reduction, you also can configure the following features:
• IGMP mode – When you enable IP Multicast Traffic Reduction, the device passively listens for IGMP Group Membership reports by default. If the multicast domain does not have a router to send IGMP queries to elicit these Group Membership reports, you can enable the device to actively send the IGMP queries.
NOTE
When one or more BigIron RX devices are running Layer 2 IP Multicast Traffic Reduction, configure one of the devices for active IGMP and leave the other devices configured for passive IGMP. However, if the IP multicast domain contains a multicast-capable router, configure all the BigIron RX devices for passive IGMP and allow the router to actively send the IGMP queries.
• Passive – When passive IGMP mode is enabled, the switch listens for IGMP Group Membership reports on the specified VLAN instance but does not send IGMP queries. The passive mode is called "IGMP snooping". Use this mode when another device in the VLAN instance is actively sending queries.
• Passive – When passive IGMP mode is enabled, the device listens for IGMP Group Membership reports but does not send IGMP queries. The passive mode is sometimes called "IGMP snooping". Use this mode when another device in the network is actively sending queries.

To enable active IGMP, enter the following command.
When the device starts up, it forwards all multicast groups even though multicast traffic filters are configured. This continues until the device receives a group membership report. Once a group membership report has been received, the device drops all multicast packets for groups other than the ones for which it has received a group membership report. To enable IP multicast filtering, enter the following command.
Use the port-list parameter to define the member ports on which the ACL is applied. The ACL is applied to the multicast traffic arriving in both directions. Use the no multicast boundary command to remove the boundary on an IGMP-enabled interface.

NOTE
The ACL MyBrocadeAccessList can be configured using standard ACL syntax, which can be found in the ACL section.
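The IGMP mode and multicast filtering behaviour described above (passive snooping versus active querying, and forwarding every group until the first membership report arrives) as an added Python model written for this page; it is not Brocade code. It builds and checks IGMPv2 messages with the RFC 1071 ones-complement checksum, keeps a group-to-port table from snooped reports and leaves, records the port on which queries were heard as the router port (a common snooping behaviour assumed here; the page does not describe it), and emits queries only in active mode. The port names and packets are constructed for the example, and a leave removes the port immediately rather than after a group-specific query, which is a simplification.

```python
"""IGMP snooping model: parse IGMPv2 messages, maintain a group-to-port
table, pick egress ports with the 'flood until first report' rule and send
queries only in active mode.  Added example for this page, not Brocade code."""
import socket
import struct
from typing import Dict, Optional, Set, Tuple

IGMP_QUERY, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x16, 0x17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; yields 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """8-byte IGMPv2 message: type, max response time, checksum, group address."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(pkt: bytes) -> Tuple[int, str]:
    """Return (type, group); reject short or corrupted messages."""
    if len(pkt) < 8 or inet_checksum(pkt[:8]) != 0:
        raise ValueError("bad IGMP length or checksum")
    msg_type, _, _, group = struct.unpack("!BBH4s", pkt[:8])
    return msg_type, socket.inet_ntoa(group)


def is_valid_igmp(pkt: bytes) -> bool:
    try:
        parse_igmp(pkt)
        return True
    except ValueError:
        return False


class IgmpSnooper:
    def __init__(self, mode: str = "passive", multicast_filter: bool = True):
        self.mode = mode                        # "passive" (snoop) or "active" (also query)
        self.multicast_filter = multicast_filter
        self.groups: Dict[str, Set[str]] = {}   # group -> ports with members
        self.router_ports: Set[str] = set()     # ports where queries were heard (assumed)
        self.seen_report = False
        self.queries_sent = 0

    def handle(self, in_port: str, pkt: bytes) -> Tuple[int, str]:
        """Snoop one IGMP message received on in_port and update the table."""
        msg_type, group = parse_igmp(pkt)
        if msg_type == IGMP_QUERY:
            self.router_ports.add(in_port)
        elif msg_type == IGMP_V2_REPORT:
            self.seen_report = True
            self.groups.setdefault(group, set()).add(in_port)
        elif msg_type == IGMP_LEAVE:
            members = self.groups.get(group, set())
            members.discard(in_port)            # simplified: no group-specific query first
            if not members:
                self.groups.pop(group, None)
        return msg_type, group

    def egress_ports(self, in_port: str, group: str, all_ports: Set[str]) -> Set[str]:
        """Ports a data frame for `group` arriving on in_port is forwarded to."""
        if group in self.groups:
            out = self.groups[group] | self.router_ports
        elif self.multicast_filter and self.seen_report:
            out = set(self.router_ports)        # unknown group: not delivered to hosts
        else:
            out = set(all_ports)                # flood until the first report arrives
        return out - {in_port}

    def general_query(self) -> Optional[bytes]:
        """Active mode sends queries; passive mode relies on another querier."""
        if self.mode != "active":
            return None
        self.queries_sent += 1
        return build_igmp(IGMP_QUERY, "0.0.0.0", max_resp=100)
```

Run two snoopers side by side with mode="active" and mode="passive" to see the note above in code: only the active one ever produces a query, so exactly one device per domain should be active unless a multicast router is already doing the job.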
FIGURE 99 PIM SM traffic reduction in enterprise network

[Figure: a source for group 239.255.162.1 and a second group whose address is cut off is attached to port 1/1 of the switch, and a receiver for that source's group is attached to port 5/1.]

The switch snoops for PIM SM join and prune messages. The switch detects a source on port 1/1 and a receiver for that source's group on port 5/1. It then forwards multicast data from the source on port 1/1 out port 5/1 only, the port that has the receiver.
Notice that the ports connected to the source and the receivers are all in the same port-based VLAN on the device. This is required for the PIM SM snooping feature. The feature also requires the source and the downstream router to be on different IP subnets, as shown in Figure 99.

Figure 100 shows another example application for PIM SM traffic snooping. This example shows devices on the edge of a Global Ethernet cloud (a Layer 2 Packet over SONET cloud).
• The PIM SM snooping feature assumes that the group source and the device are in different subnets and communicate through a router. The source must be in a different IP subnet than the receivers. A PIM SM router sends PIM join and prune messages on behalf of a multicast group receiver only when the router and the source are in different subnets. When the receiver and source are in the same subnet, they do not need the router in order to find one another, so there are no join and prune messages for the switch to snoop.
Syntax: [no] multicast pimsm-snooping

Configuring PIM proxy per VLAN instance

Using the PIM proxy function, multicast traffic can be reduced by configuring a BigIron RX switch to issue PIM join and prune messages on behalf of hosts that the configured switch discovers through standard PIM interfaces. The switch is then able to act as a proxy for the discovered hosts and perform PIM tasks upstream of the discovered hosts.
BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 include 10.43.1.12 uplink

To configure the snooping device to statically join all multicast streams on the uplink interface excluding the stream with source address 10.43.1.12, enter commands such as the following.

BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 exclude 10.43.1.
The uplink parameter specifies the port as an uplink port that can receive multicast data for the configured multicast groups. Upstream traffic is sent to the switch itself and does not use a port. The port-list parameter specifies the range of ports to include in the configuration. The no form of this command removes the static multicast definition. Each configuration must be deleted separately.
Chapter 24 Configuring RIP

Overview of Routing Information Protocol (RIP)

Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing distance) to measure the cost of a given route. The cost is a distance vector because it is usually equivalent to the number of router hops between the device and the destination network. A device can receive multiple paths to a destination.
Configuring RIP parameters

BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e1000-1/1)# ip rip v1-only

Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only

Configuring metric parameters

By default, a device port increases the cost of a RIP route that is learned or advertised on the port by one. You can configure individual ports to add more than one to a learned or advertised route's cost.
Configuring redistribution

You can configure the device to redistribute routes learned through OSPF or BGP4, directly connected routes, or static routes into RIP. When you redistribute a route from one of these other sources into RIP, the device can use RIP to advertise the route to its RIP neighbors. To configure redistribution, perform the following tasks:
• Configure redistribution filters.
Syntax: redistribute connected | bgp | ospf | static [metric | route-map ]

The connected parameter applies redistribution to directly connected routes. The bgp parameter applies redistribution to BGP4 routes. The ospf parameter applies redistribution to OSPF routes. The static parameter applies redistribution to IP static routes. The metric parameter sets the RIP metric value (1 – 15) that is applied to the routes imported into RIP.
Syntax: [no] ip rip learn-default

Configuring a RIP neighbor filter

By default, a device learns RIP routes from all its RIP neighbors. Neighbor filters allow you to specify the neighbor routers from which the device can receive RIP routes. Neighbor filters apply globally to all ports. To configure a RIP neighbor filter, enter a command such as the following.
To disable split horizon and enable poison reverse on an interface, enter a command such as the following.

BigIron RX(config-if-e10000-1/1)# ip rip poison-reverse

You can configure the device to avoid routing loops by advertising local RIP routes with a cost of 16 ("infinite" or "unreachable") when these routes go down.
BigIron RX(config)# ip prefix-list list1 permit 192.53.4.1 255.255.255.0
BigIron RX(config)# ip prefix-list list2 permit 192.53.5.1 255.255.255.0
BigIron RX(config)# ip prefix-list list3 permit 192.53.6.1 255.255.255.0
BigIron RX(config)# ip prefix-list list4 deny 192.53.7.1 255.255.255.0

The prefix lists permit routes to three networks and deny the route to one network.
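The RIP behaviours from this section (the per-port metric offset, neighbor filters, split horizon and poison reverse, and prefix-list filtering of advertised routes) as an added Python model written for this page; it is not Brocade code. Route processing follows the RFC 2453 distance-vector rules: a received metric is increased by the incoming port's offset and capped at 16, a better metric or any update from the current next hop replaces the route, and a metric of 16 withdraws it. The neighbor addresses, ports and prefixes are constructed for the example, and the prefix list is modelled as one list with first-match semantics and an implicit deny, whereas the commands above create four separate lists.

```python
"""RIP distance-vector model: metric offsets, neighbor filter, split horizon /
poison reverse and prefix-list filtering of advertised routes.  Added example
for this page, not Brocade code."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

INFINITY = 16  # RIP "unreachable"

Route = Tuple[int, Optional[str], str]  # (metric, next hop or None if connected, port)


def prefix_list(*rules: Tuple[str, str]) -> Callable[[str], bool]:
    """('permit'|'deny', 'addr mask') rules; first match wins, implicit deny."""
    compiled = []
    for action, spec in rules:
        addr, mask = spec.split()
        compiled.append((action, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))

    def match(prefix: str) -> bool:
        net = ipaddress.ip_network(prefix)
        for action, rule in compiled:
            if net == rule:
                return action == "permit"
        return False
    return match


class RipRouter:
    def __init__(self, neighbor_permit: Optional[Set[str]] = None):
        self.routes: Dict[str, Route] = {}
        self.neighbor_permit = neighbor_permit   # None = learn from every neighbor
        self.port_offset: Dict[str, int] = {}    # port -> cost added on learn, default 1

    def add_connected(self, prefix: str, port: str) -> None:
        self.routes[prefix] = (1, None, port)    # RFC 2453: connected networks cost 1

    def receive_update(self, neighbor: str, port: str,
                       entries: Iterable[Tuple[str, int]]) -> List[str]:
        """Apply a RIP response; return the prefixes whose route changed."""
        if self.neighbor_permit is not None and neighbor not in self.neighbor_permit:
            return []   # neighbor filter: everything from this sender is ignored
        changed = []
        for prefix, metric in entries:
            m = min(metric + self.port_offset.get(port, 1), INFINITY)
            cur = self.routes.get(prefix)
            if cur is None:
                if m < INFINITY:
                    self.routes[prefix] = (m, neighbor, port)
                    changed.append(prefix)
            elif cur[1] == neighbor:
                # the current next hop is authoritative, including a poison (16)
                if m >= INFINITY:
                    del self.routes[prefix]
                else:
                    self.routes[prefix] = (m, neighbor, port)
                if cur[0] != m:
                    changed.append(prefix)
            elif m < cur[0]:
                self.routes[prefix] = (m, neighbor, port)
                changed.append(prefix)
        return changed

    def advertise(self, port: str, mode: str = "split-horizon",
                  permit: Optional[Callable[[str], bool]] = None) -> List[Tuple[str, int]]:
        """Entries sent out `port`; mode is split-horizon, poison-reverse or none."""
        out = []
        for prefix, (metric, next_hop, via) in sorted(self.routes.items()):
            if permit is not None and not permit(prefix):
                continue                                # outbound prefix-list filter
            if next_hop is not None and via == port:
                if mode == "split-horizon":
                    continue                            # never send it back where it came from
                if mode == "poison-reverse":
                    out.append((prefix, INFINITY))      # send it back as unreachable
                    continue
            out.append((prefix, metric))
        return out
```

The neighbor filter is the cheapest defence this section offers: without it, any host on a RIP-enabled segment can inject routes, and the metric cap alone does nothing against a forged low-metric route.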
Displaying RIP filters

To display RIP filters, enter the following command at any CLI level.
Clearing the RIP routes from the routing table

Clearing all the routes from the routing table

To clear RIP local routes, enter a command such as the following.

BigIron RX(config)# clear ip rip local routes

Syntax: clear ip rip local routes

To clear the RIP routes from the RIP database, enter a command such as the following.
Chapter 25 Configuring OSPF Version 2 (IPv4)

Overview of OSPF (Open Shortest Path First)

OSPF is a link-state routing protocol. The protocol uses link-state advertisements (LSAs) to update neighboring routers about its interfaces and the information on those interfaces. The router floods these LSAs to all neighboring routers to update them about the interfaces.
FIGURE 101 OSPF operating in a network

[Figure: the backbone Area 0.0.0.0, Area 200.5.0.0, Area 192.5.1.0 and a further area whose address is cut off, joined by Area Border Routers (ABRs). Routers A through F are shown, with Router D at 208.5.1.1 and Router A's interface e8 at 206.5.1.1; one area is attached to the backbone through a virtual link.]
FIGURE 102 Designated and backup router election

[Figure: Routers A, B and C with priorities 10, 5 and 20. The router with priority 20 is the Designated Router and the router with priority 10 is the Backup Designated Router.]

If the DR goes off-line, the BDR automatically becomes the DR. The router with the next highest priority becomes the new BDR. This process is shown in Figure 103.

NOTE
Priority is a configurable option at the interface level. You can use this parameter to help bias one router as the DR.
NOTE
By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device. For more information or to change the router ID, refer to "Changing the router ID" on page 182.
FIGURE 104 AS external LSA reduction

[Figure: an OSPF Autonomous System (AS) containing Routers A, B and C and the ASBRs Router D (Router ID 2.2.2.2) and Router E (Router ID 1.1.1.1), both connected through Router F to another routing domain (such as BGP4 or RIP). Routers D, E, and F are OSPF ASBRs and EBGP routers.]

Notice that both Router D and Router E have a route to the other routing domain through Router F. OSPF eliminates the duplicate AS External LSAs.
• A second ASBR comes on-line
• A second ASBR that is already on-line begins advertising an equivalent route to the same destination.

In either case above, the router with the higher router ID floods the AS External LSAs and the other router flushes its equivalent AS External LSAs. For example, if Router D is offline, Router E is the only source for a route to the external routing domain.
2. Compare the networks that have the same network address to determine which network is more specific. The more specific network is the one that has more contiguous one bits in its network mask. For example, network 10.0.0.0 255.255.0.0 is more specific than network 10.0.0.0 255.0.0.0, because the first network has 16 one bits (255.255.0.0) whereas the second network has only 8 one bits (255.0.0.0).
• For the less specific network, use the network address as the ID.
Configuring OSPF

Configuration rules
• If a router is to operate as an ASBR, you must enable the ASBR capability at the system level.
• Redistribution must be enabled on routers configured to operate as ASBRs.
• All router ports must be assigned to one of the defined areas on an OSPF router. When a port is assigned to an area, all corresponding subnets on that port are automatically included in the assignment.

OSPF parameters

You can modify or set the following global and interface OSPF parameters.
NOTE
You set global level parameters at the OSPF CONFIG level of the CLI. To reach that level, enter router ospf… at the global CONFIG level. Interface parameters for OSPF are set at the interface CONFIG level using the CLI command ip ospf…

Enable OSPF on the router

When you enable OSPF on the router, the protocol is automatically activated. To enable OSPF on the router, use the following method.
• ASBRs redistribute (import) external routes into the NSSA as type 7 LSAs. Type-7 External LSAs are a special type of LSA generated only by ASBRs within an NSSA, and are flooded to all the routers within only that NSSA.
• ABRs translate type 7 LSAs into type 5 External LSAs, which can then be flooded throughout the AS. You can configure address ranges on the ABR of an NSSA so that the ABR converts multiple type-7 External LSAs received from the NSSA into a single type-5 External LSA.
The stub parameter specifies an additional cost for using a route to or from this area and can be from 1 – 16777215. There is no default. Normal areas do not use the cost parameter. The no-summary parameter applies only to stub areas and prevents summary LSAs from being sent into the area.
The ABR translates the Type-7 LSAs into Type-5 LSAs. If an area range is configured for the NSSA, the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type-5 LSAs into the backbone. Since the NSSA is partially "stubby", the ABR does not flood external LSAs from the backbone into the NSSA. To provide access to the rest of the Autonomous System (AS), the ABR generates a default Type-7 LSA into the NSSA.

Configuring an NSSA

To configure OSPF area 1.1.1.
The advertise | not-advertise parameter specifies whether you want the device to send type 3 LSAs for the specified range in this area. The default is advertise.

Assigning an area range (optional)

You can assign a range for an area, but it is not required. Ranges allow a specific IP address and mask to represent a range of IP addresses within an area, so that only that reference range address is advertised to the network, instead of all the addresses within that range.
• ip ospf hello-interval
• ip ospf md5-authentication key-activation-wait-time | key-id [0 | 1] key
• ip ospf passive
• ip ospf priority
• ip ospf retransmit-interval
• ip ospf transmit-delay

For a complete description of these parameters, see the summary of OSPF port parameters in the next section.

OSPF interface parameters

The following parameters apply to OSPF interfaces.

Area
Assigns an interface to a specific area.
MD5-authentication activation wait time
The number of seconds the device waits before placing a new MD5 key into effect. The wait time provides a way to transition gracefully from one MD5 key to another without disturbing the network. The wait time can be from 0 – 14400 seconds. The default is 300 seconds (5 minutes).

MD5-authentication key ID and key
A method of authentication that requires you to configure a key ID and an MD5 key.
NOTE
If you want the software to assume that the value you enter is the clear-text form, and to encrypt the display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior. If you specify encryption option 1, the software assumes that you are entering the encrypted form of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication. Because the device can decrypt the stored form, the encrypted display only protects against casual viewing; treat configuration backups that contain it as containing the key itself.
Block flooding of outbound LSAs on specific OSPF interfaces

By default, the device floods all outbound LSAs on all the OSPF interfaces within an area. You can configure a filter to block outbound LSAs on an OSPF interface. This feature is particularly useful when you want to block LSAs from some, but not all, of the interfaces attached to the area. After you apply filters to block the outbound LSAs, the filtering occurs during database synchronization and flooding.
NOTE
When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link).

FIGURE 106 Defining OSPF virtual links within a network

[Figure: OSPF Area 0 contains BigIron RX C (Router ID 209.157.22.1); OSPF Area 1, the "transit area", contains BigIron RX B; OSPF Area 2 contains BigIron RX A (Router ID 10.0.0.1).]

Figure 106 shows an OSPF area border router, BigIron RX A, that is cut off from the backbone area (area 0).
The area parameter specifies the transit area, by area number or by IP address. The following parameter specifies the router ID of the OSPF router at the remote end of the virtual link. To display the router ID on a device, enter the show ip command. Refer to "Modify virtual link parameters" on page 697 for descriptions of the optional parameters.

Modify virtual link parameters

OSPF has some parameters that you can modify for virtual links.
MD5 Authentication Wait Time

This parameter determines when a newly configured MD5 authentication key becomes valid. It provides a graceful transition from one MD5 key to another without disturbing the network. All new packets transmitted after the key activation wait time interval use the newly configured MD5 key. OSPF packets that contain the old MD5 key are accepted for up to five minutes after the new MD5 key is in operation.
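OSPF cryptographic authentication as described in the MD5 key, activation wait time and five-minute overlap paragraphs above, as an added Python example written for this page (not Brocade code): it builds an OSPFv2 header with AuType 2, signs it the RFC 2328 Appendix D way (MD5 over the packet with the key zero-padded to 16 bytes appended, the digest placed after the packet and not counted in the packet length), and verifies incoming packets against a key chain that honours the activation wait time, keeps accepting the previous key for 300 seconds after the new one takes effect, and rejects replayed cryptographic sequence numbers. The key IDs, keys, router IDs and timestamps are constructed for the example; the 300-second overlap is the page's "up to five minutes", not a measured device value.

```python
"""OSPFv2 cryptographic (MD5) authentication with key roll-over: RFC 2328
Appendix D digest, activation wait time, old-key grace period and
cryptographic sequence number replay check.  Added example, not Brocade code."""
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional, Tuple

AUTH_CRYPTO = 2      # AuType for cryptographic authentication
DIGEST_LEN = 16
HEADER_LEN = 24


def pad_key(key: str) -> bytes:
    """RFC 2328 D.3: the authentication key is 16 octets, zero-padded."""
    return key.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def make_packet(router_id: str, area_id: str, key_id: int, seq: int, body: bytes) -> bytes:
    """OSPFv2 header (version 2, type 1 Hello) with the AuType 2 authentication block."""
    length = HEADER_LEN + len(body)            # the digest is not counted in the length
    hdr = struct.pack("!BBH4s4sHH", 2, 1, length, socket.inet_aton(router_id),
                      socket.inet_aton(area_id), 0, AUTH_CRYPTO)  # checksum is 0 for AuType 2
    hdr += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)       # 0, key id, auth len, seq
    return hdr + body


def sign(packet: bytes, key: str) -> bytes:
    """D.4.3: digest = MD5(packet || padded key), appended after the packet."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def split_auth(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Return (key_id, seq, packet without digest, digest) or raise ValueError."""
    if len(pkt) < HEADER_LEN + DIGEST_LEN:
        raise ValueError("truncated")
    version, _, length = struct.unpack("!BBH", pkt[:4])
    autype = struct.unpack("!H", pkt[14:16])[0]
    zero, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
    if version != 2 or autype != AUTH_CRYPTO or zero != 0 or auth_len != DIGEST_LEN:
        raise ValueError("not an AuType 2 packet")
    if len(pkt) != length + DIGEST_LEN:
        raise ValueError("length mismatch")
    return key_id, seq, pkt[:length], pkt[length:]


class Md5KeyChain:
    OLD_KEY_GRACE = 300   # the page: old key accepted up to five minutes after roll-over

    def __init__(self, wait_time: int = 300):
        self.wait_time = wait_time                    # key-activation-wait-time
        self.keys: Dict[int, Tuple[str, int]] = {}    # key id -> (key, time it becomes active)
        self.last_seq: Dict[str, int] = {}            # neighbor router id -> last seq seen

    def add_key(self, key_id: int, key: str, now: int) -> None:
        self.keys[key_id] = (key, now + self.wait_time)

    def transmit_key(self, now: int) -> Optional[int]:
        """The most recently activated key is the one used for sending."""
        active = [(t, kid) for kid, (_, t) in self.keys.items() if t <= now]
        return max(active)[1] if active else None

    def accepts(self, key_id: int, now: int) -> bool:
        _, active_at = self.keys[key_id]
        if active_at > now:
            return False                              # still inside its wait time
        newest = self.transmit_key(now)
        if key_id == newest:
            return True
        return now - self.keys[newest][1] <= self.OLD_KEY_GRACE   # roll-over overlap

    def verify(self, pkt: bytes, neighbor: str, now: int) -> bool:
        try:
            key_id, seq, packet, digest = split_auth(pkt)
        except ValueError:
            return False
        if key_id not in self.keys or not self.accepts(key_id, now):
            return False
        expected = hashlib.md5(packet + pad_key(self.keys[key_id][0])).digest()
        if not hmac.compare_digest(expected, digest):   # constant-time comparison
            return False
        if seq < self.last_seq.get(neighbor, 0):
            return False                                # replayed sequence number
        self.last_seq[neighbor] = seq
        return True
```

The sequence number check is what turns a bare digest into replay protection: RFC 2328 only requires the number to be non-decreasing, so a router that reboots with a clock-based or persisted counter keeps its neighbors from accepting captured packets from before the restart.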
For example, to configure the feature in a network with three routers connected by a hub or switch, each router must have the linking interface configured as a non-broadcast interface, and both of the other routers must be specified as neighbors. The output of the show ip ospf interface command has been enhanced to display information about non-broadcast interfaces and neighbors that are configured in the same subnet. For example:
BigIron RX(config)# interface eth 1/5
BigIron RX(config-if-1/5)# ip ospf network point-to-point

This command configures an OSPF point-to-point link on interface 5 in slot 1.

Syntax: [no] ip ospf network point-to-point

Viewing configured OSPF point-to-point links

You can use the show ip ospf interface command to display OSPF point-to-point information. Enter the following command at any CLI level.

BigIron RX# show ip ospf interface 192.168.1.1
Ethernet 2/1,OSPF enabled
IP Address 192.
TABLE 109 Output of the show ip ospf interface command

This field                 Displays
Type                       The interface network type, which can be one of the following:
                           • Broadcast = 0x01
                           • NBMA = 0x02
                           • Point to Point = 0x03
                           • Virtual Link = 0x04
                           • Point to Multipoint = 0x05
Events                     The OSPF interface event, one of the following:
                           • Interface_Up = 0x00
                           • Wait_Timer = 0x01
                           • Backup_Seen = 0x02
                           • Neighbor_Change = 0x03
                           • Loop_Indication = 0x04
                           • Unloop_Indication = 0x05
                           • Interface_Down = 0x06
                           • Interface_Passive = 0x07
Adjacent Neighbor Count
Changing the reference bandwidth for the cost on OSPF interfaces

Each interface on which OSPF is enabled has a cost associated with it. The device advertises its interfaces and their costs to OSPF neighbors. For example, if an interface has an OSPF cost of ten, the device advertises the interface with a cost of ten to other OSPF routers. By default, an interface's OSPF cost is based on the port speed of the interface.
Changing the reference bandwidth

To change the reference bandwidth, enter a command such as the following at the OSPF configuration level of the CLI:

BigIron RX(config-ospf-router)# auto-cost reference-bandwidth 500

The reference bandwidth specified in this example results in the following costs:
• 10 Mbps port’s cost = 500/10 = 50
• 100 Mbps port’s cost = 500/100 = 5
• 1000 Mbps port’s cost = 500/1000 = 0.
FIGURE 107 Redistributing OSPF and static routes to RIP routes
[Figure: RIP Domain, ASBR (Autonomous System Border Router), OSPF Domain]

You also have the option of specifying import of just ISIS, RIP, OSPF, BGP4, or static routes, as well as specifying that only routes for a specific network or with a specific cost (metric) be imported, as shown in the command syntax below:

Syntax: [no] redistribution bgp | connected | rip | static [route-map ]

For example, to enable redistribution
NOTE You also can define the cost on individual interfaces. The interface cost overrides the default cost.

To assign a default metric of 4 to all routes imported into OSPF, enter the following commands.

BigIron RX(config)# router ospf
BigIron RX(config-ospf-router)# default-metric 4

Syntax: default-metric

The can be from 1 – 65535. The default is 10.

Enable route redistribution

NOTE Do not enable redistribution until you have configured the redistribution route map.
The redistribute static command enables redistribution of static IP routes into OSPF, and uses route map “abc” to control the routes that are redistributed. In this example, the route map allows a static IP route to be redistributed into OSPF only if the route has a metric of 5, and changes the metric to 8 before placing the route into the OSPF route table. The following command shows the result of the redistribution.
The router software can use the route information it learns through OSPF to determine the paths and costs. Figure 108 shows an example of an OSPF network containing multiple paths to a destination (in this case, R1).
Configure external route summarization

When the BigIron RX is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to advertise one external route as an aggregate for all redistributed routes that are covered by a specified address range. When you configure an address range, the range takes effect immediately. All the imported routes are summarized according to the configured address range.
Range-Address  Subnetmask
1.0.0.0        255.0.0.0
1.0.1.0        255.255.255.0
1.0.2.0        255.255.255.0

Syntax: show ip ospf config

Configure default route origination

When the BigIron RX is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to automatically generate a default external route into an OSPF routing domain. This feature is called “default route origination” or “default information origination”.
The metric-type parameter specifies the external link type associated with the default route advertised into the OSPF routing domain. The can be one of the following:
• 1 – Type 1 external route
• 2 – Type 2 external route
If you do not use this option, the default redistribution metric type is used for the route type.

NOTE If you specify a metric and metric type, the values you specify are used even if you do not use the always option.
This example shows two routes. Both of the routes are directly attached, as indicated in the Type column. However, one of the routes is shown as type “*D”, with an asterisk (*). The asterisk indicates that this route is a candidate default network route.
Modify administrative distance

The BigIron RX can learn about networks from various protocols, including Border Gateway Protocol version 4 (BGP4), RIP, ISIS, and OSPF. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. The default administrative distance for OSPF routes is 110. Refer to “Changing administrative distances” on page 767 for a list of the default distances for all route sources.
Configure OSPF group Link State Advertisement pacing

The BigIron RX paces LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA’s refresh timer expires. The accumulated LSAs constitute a group, which the BigIron RX refreshes and sends out together in one or more packets.
• With this feature enabled in the “out” direction, all type 3 LSAs advertised by the ABR, based on information from this area to all other areas, are filtered by the prefix list. If the area range command has been configured for this area, type 3 LSAs that correspond to the area range command are treated like any other type 3 LSA.
• Prefixes that are not permitted by the prefix list are implicitly denied.
The in keyword specifies that the prefix list is applied to prefixes advertised to the specified area from other areas. The out keyword specifies that the prefix list is applied to prefixes advertised out of the specified area to other areas.

Defining and applying IP prefix lists

An IP prefix list specifies a list of networks. When you apply an IP prefix list to an area, the BigIron RX sends or receives only a route whose destination is in the IP prefix list.
Displaying the configured OSPF area prefix list

To display the prefix lists attached to the areas, enter the following command.
1. Enable SNMP traps for OSPF. (Refer to “Disabling and enabling SNMP traps for OSPF” on page 717.)
2. Enable OSPF logging. (Refer to “Enabling OSPF logging” on page 718.)

Refer to Table 111 on page 717 for the list of the default settings for OSPF traps.
• virtual-interface-config-error-trap – [MIB object: ospfVirtIfConfigError]
• interface-authentication-failure-trap – [MIB object: ospfIfAuthFailure]
• virtual-interface-authentication-failure-trap – [MIB object: ospfVirtIfAuthFailure]
• interface-receive-bad-packet-trap – [MIB object: ospfIfrxBadPacket]
• virtual-interface-receive-bad-packet-trap – [MIB object: ospfVirtIfRxBadPacket]

The following traps are disabled by default:
• interface-retransmit-packet-trap – [MIB o
To configure a router to operate with the latest OSPF standard, RFC 2328, enter the following commands.

BigIron RX(config)# router ospf
BigIron RX(config-ospf-router)# no rfc1583-compatibility

Syntax: [no] rfc1583-compatibility

Modify exit overflow interval

If a database overflow condition occurs on a router, the router eliminates the condition by removing entries that originated on the router.
Displaying OSPF information

You can display the following OSPF information:
• Trap, area, and interface information – refer to “Displaying general OSPF configuration information” on page 720.
• CPU utilization statistics – refer to “Displaying CPU utilization and other OSPF tasks” on page 721.
• Area information – refer to “Displaying OSPF area information” on page 723.
• Neighbor information – refer to “Displaying OSPF neighbor information” on page 724.
BigIron RX> show ip ospf config
Router OSPF: Enabled
Redistribution: Disabled
Default OSPF Metric: 10
OSPF Redistribution Metric: Type2
OSPF External LSA Limit: 1447047
OSPF Database Overflow Interval: 0
RFC 1583 Compatibility: Enabled
Router id: 207.95.11.
BigIron RX# show tasks
Task Name    Pri  State
----------   ---  -----
idle         0    ready
monitor      20   wait
int          16   wait
timer        15   wait
dbg          30   wait
flash        17   wait
wd           31   wait
boot         17   wait
main         3    wait
itc          6    wait
tmr          5    wait
ip_rx        5    wait
scp          5    wait
console      5    wait
vlan         5    wait
mac_mgr      5    wait
mrp_mgr      5    wait
vsrp         5    wait
snms         5    wait
rtm          5    wait
rtm6         5    wait
ip_tx        5    ready
rip          5    wait
bgp          5    wait
bgp_io       5    wait
ospf         5    wait
ospf_r_calc  5    wait
isis_task    5    wait
isis_spf     5    wait
mcast        5    wait
vrrp         5    wait
ripng        5    wait
TABLE 112 CLI display of show tasks (Continued)
This field...  Displays...
PC  Current instruction for the task
Stack  Stack location for the task
Size  Stack size of the task
CPU Usage(%)  Percentage of the CPU being used by the task
task id  Task’s ID number assigned by the operating system.
task vid  A memory domain ID.

Displaying OSPF area information

To display OSPF area information, enter the following command at any CLI level.

BigIron RX> show
Indx Area
1 0.
Displaying OSPF neighbor information

To display OSPF neighbor information, enter the following command at any CLI level.

BigIron RX# show ip ospf neighbor
Port  Address    Pri  State    Neigh Address  Neigh ID
v10   10.1.10.1  1    FULL/DR  10.1.10.2      10.65.12.1
v11   10.1.11.1  1    FULL/DR  10.1.11.2      10.65.12.1
v12   10.1.12.1  1    FULL/DR  10.1.12.2      10.65.12.1
v13   10.1.13.1  1    FULL/DR  10.1.13.2      10.65.12.1
v14   10.1.14.1  1    FULL/DR  10.1.14.2      10.65.12.
TABLE 114 CLI display of OSPF neighbor information (Continued)
Field  Description
State  The state of the conversation between the device and the neighbor. This field can have one of the following values:
  • Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor.
  • Attempt – This state is only valid for neighbors attached to non-broadcast networks.
BigIron RX# show ip ospf interface 192.168.1.1
Ethernet 2/1,OSPF enabled
IP Address 192.168.1.1, Area 0
OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1
Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
DR: Router ID 0.0.0.0 Interface Address 0.0.0.0
BDR: Router ID 0.0.0.0 Interface Address 0.0.0.0
Neighbor Count = 0, Adjacent Neighbor Count= 1
Neighbor: 2.2.2.
TABLE 115 Output of the show ip ospf interface command (Continued)
This field  Displays
Adjacent Neighbor Count  The number of adjacent neighbor routers.
Neighbor  The neighbor router’s ID.

Displaying OSPF route information

To display OSPF route information, enter the following command at any CLI level.

BigIron RX# show ip ospf route
OSPF Area 0x00000000 ASBR Routes 1:
Destination  Mask
10.65.12.1   255.255.255.255
Adv_Router   Link_State
10.65.12.1   10.65.12.
Syntax: show ip ospf routes []

The parameter specifies a destination IP address. If you use this parameter, only the route entries for that destination are shown.

This display shows the following information.

TABLE 116 CLI display of OSPF route information
This field...  Displays...
Destination  The IP address of the route's destination.
Mask  The network mask for the route.
Path_Cost  The cost of this route path. (A route can have multiple paths.
BigIron RX# show ip ospf redistribute route
4.3.0.0     255.255.0.0    static
3.1.0.0     255.255.0.0    static
10.11.61.0  255.255.255.0  connected
4.1.0.0     255.255.0.0    static

In this example, four routes have been redistributed. Three of the routes were redistributed from static IP routes and one route was redistributed from a directly connected IP route.
TABLE 117 CLI display of OSPF external link state information
This field...  Displays...
Index  ID of the entry
Aging  The age of the LSA, in seconds.
LS ID  The ID of the link-state advertisement from which the device learned this route.
Router  The router IP address.
Netmask  The subnet mask of the network.
Metric  The cost (value) of the route
Flag  State information for the route entry. This information is used by Brocade technical support.
NOTE You cannot use the extensive option in combination with other display options. The entire database is displayed.

The link-state-id parameter displays the External LSAs for the LSA source specified by .
The network option shows network information.
The nssa option shows network information.
The router-id parameter shows the External LSAs for the specified OSPF router.
TABLE 119 CLI display of OSPF border routers
This field...  Displays...
(Index)  Displayed index number of the border router.
Router ID  ID of the OSPF router
Router type  Type of OSPF router: ABR or ASBR
Next hop router  ID of the next hop router
Outgoing interface  ID of the interface on the router for the outgoing route.
Area  ID of the OSPF area to which the OSPF router belongs

Displaying OSPF trap status

All traps are enabled by default when you enable OSPF.
vlan 1 name DEFAULT-VLAN
!
!
clock summer-time
clock timezone us Pacific
hostname R11-RX8
router ospf
area 2
area 1
area 1 virtual-link 131.1.1.10

FIGURE 109 OSPF virtual neighbor and virtual link example
[Figure: Area 0, Area 1 and Area 2; DeviceA R10-MG8 192.168.148.10 (7/1 131.1.1.10/16, 6/1 135.14.1.10/16), DeviceE R14-RX8 192.168.148.14 (1/17 135.14.1.1/16, 7/23 27.14.1.27/8), DeviceB R11-RX16 192.168.148. (6/2 27.11.1.27/8, 3A1 8.11.1.1/8)]
Displaying OSPF virtual link information

Use the show ip ospf virtual link command to display OSPF virtual link information. The output below represents the virtual links configured in Figure 109.

BigIron RX# show ip ospf virtual link
Indx  Transit Area  Router ID  Transit(sec)
1     1             131.1.1.
Configuring OSPF graceful restart timer

The OSPF graceful restart timer specifies the maximum amount of time an OSPF restarting router will take to re-establish OSPF adjacencies and relearn OSPF routes. This value will be sent to the neighboring routers in the grace LSA packets. Configure the timer by entering a command such as the following.
BigIron RX# sh ip ospf neigh
Port  Address    Pri  State       Neigh Address
3/1   30.1.0.5   0    FULL/OTHER  30.1.0.13
3/27  25.27.0.8  1    FULL/DR     25.27.0.14
  < in graceful restart state, helping 1, timer 104
v31   21.23.0.5  1    FULL/DR     21.23.0.14
  < in graceful restart state, helping 1, timer 104
v32   22.24.0.5  1    FULL/DR     22.24.0.14
  < in graceful restart state, helping 1, timer 104
v33   23.25.0.5  1    FULL/DR     23.25.0.14
  < in graceful restart state, helping 1, timer 104
v34   24.26.0.5  1    FULL/DR     24.26.0.
BigIron RX 1# show ip ospf neigh
Port  Address   Pri  State    Neigh Address  Neigh ID  Ev  Opt  Cnt
3/7   40.0.1.1  1    EXST/DR  40.0.1.3       9.0.1.24  24  2    0
  < in graceful restart state, helping 1, timer 112 sec >

BigIron RX 3# show ip ospf neighbor
Port  Address    Pri  State    Neigh Address  Neigh ID  Ev  Opt  Cnt
2/2   40.0.10.1  1    EXST/DR  40.0.10.3      8.0.0.23  23  2    0
  < in graceful restart state, helping 1, timer 111 sec >

Note the "" entry appears only during restart.
Chapter 26 Configuring BGP4 (IPv4 and IPv6)

Overview of BGP4

BGP4 is the standard Exterior Gateway Protocol (EGP) used on the Internet to route traffic between Autonomous Systems (AS) and to maintain loop-free routing. An autonomous system is a collection of networks that share the same routing and administration characteristics. For example, a corporate intranet consisting of several networks under common administrative control might be considered an AS.
Relationship between the BGP4 route table and the IP route table

The device’s BGP4 route table can have multiple routes or paths to the same destination, which are learned from different BGP4 neighbors. A BGP4 neighbor is another router that also is running BGP4. BGP4 neighbors communicate over Transmission Control Protocol (TCP) port 179.
1. Is the next hop accessible through an Interior Gateway Protocol (IGP) route? If not, ignore the path.
NOTE By default, the device does not use the default route to resolve the BGP4 next hop. Also refer to “Enabling next-hop recursion” on page 783 and “Using the IP default route as a valid next hop for a BGP4 route” on page 782.
2. Use the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4.
9. If all the comparisons above are equal, prefer the route with the lowest IGP metric to the BGP4 next hop. This is the closest internal path inside the AS to reach the destination.
10. If the internal paths also are the same and BGP4 load sharing is enabled, load share among the paths; otherwise go to Step 11.
NOTE The BigIron RX supports BGP4 load sharing among multiple equal-cost paths.
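The steps of the selection algorithm that are visible on this page (1, 2, 3, 9 and 10), together with the lower-router-ID tie-break the chapter describes later under “Configuring confederations”, can be written out as a comparator. This is an added example, not Brocade code: steps 4 through 8 are not reproduced because they are cut off here, the `BgpPath` record and the `select_paths` function are assumed names, and the sample paths are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BgpPath:
    """One path to a prefix as learned from one neighbor (assumed record; fields are constructed)."""
    prefix: str
    next_hop: str
    weight: int
    local_pref: int
    igp_metric: Optional[int]   # None: no IGP route to the next hop, so step 1 ignores the path
    neighbor_router_id: str


def router_id_key(router_id: str):
    """Numeric ordering of a dotted-quad router ID, so 10.0.0.9 sorts before 10.0.0.10."""
    return tuple(int(octet) for octet in router_id.split("."))


def select_paths(paths: List[BgpPath], max_paths: int = 1) -> List[BgpPath]:
    """Return the path(s) installed for a prefix: one best path, or up to
    max_paths equal paths when load sharing (maximum-paths > 1) is enabled."""
    # Step 1: a path whose next hop is not reachable through an IGP route is ignored.
    candidates = [p for p in paths if p.igp_metric is not None]
    if not candidates:
        return []
    # Step 2: prefer the largest weight.
    best_weight = max(p.weight for p in candidates)
    candidates = [p for p in candidates if p.weight == best_weight]
    # Step 3: prefer the largest local preference.
    best_lp = max(p.local_pref for p in candidates)
    candidates = [p for p in candidates if p.local_pref == best_lp]
    # Steps 4-8 (not visible on this page) would be applied here.
    # Step 9: prefer the lowest IGP metric to the BGP4 next hop.
    best_igp = min(p.igp_metric for p in candidates)
    candidates = [p for p in candidates if p.igp_metric == best_igp]
    # Step 10: load share among the remaining equal paths when enabled ...
    if max_paths > 1:
        return candidates[:max_paths]
    # ... otherwise the optional router ID comparison picks the neighbor with the lower router ID.
    return [min(candidates, key=lambda p: router_id_key(p.neighbor_router_id))]


def sample_paths() -> List[BgpPath]:
    """Constructed paths for 10.20.0.0/16 from four neighbors."""
    return [
        # Highest local preference, but the next hop has no IGP route: dropped at step 1.
        BgpPath("10.20.0.0/16", "192.0.2.1", weight=0, local_pref=300, igp_metric=None, neighbor_router_id="10.0.0.1"),
        BgpPath("10.20.0.0/16", "192.0.2.2", weight=0, local_pref=200, igp_metric=30, neighbor_router_id="10.0.0.2"),
        BgpPath("10.20.0.0/16", "192.0.2.3", weight=0, local_pref=200, igp_metric=10, neighbor_router_id="10.0.0.10"),
        BgpPath("10.20.0.0/16", "192.0.2.4", weight=0, local_pref=200, igp_metric=10, neighbor_router_id="10.0.0.9"),
    ]


if __name__ == "__main__":
    for path in select_paths(sample_paths()):
        print("best:", path.next_hop, "via neighbor", path.neighbor_router_id)
    for path in select_paths(sample_paths(), max_paths=2):
        print("load-shared:", path.next_hop)
```

With load sharing off, the two paths that tie on IGP metric (10) are separated by router ID, and the numeric ordering matters: a string comparison would wrongly rank 10.0.0.10 below 10.0.0.9. With maximum-paths 2 both tied paths are installed and the router ID is not consulted.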
neighbors to always be up. For directly-attached neighbors, you can configure the BigIron RX to immediately close the TCP connection to the neighbor and clear entries learned from an EBGP neighbor if the interface to that neighbor goes down. This capability is provided by the fast external fallover feature, which is disabled by default.
• BGP Identifier – The router ID. The BGP Identifier (router ID) identifies the BGP4 router to other BGP4 routers.
Brocade implementation of BGP4

BGP4 Router A sends a Hold Time of 5 seconds and BGP4 Router B sends a Hold Time of 4 seconds, both routers use 4 seconds as the Hold Time for their BGP4 session. The default Hold Time is 180 seconds. Generally, the Hold Time is configured to three times the value of the Keep Alive Time. If the Hold Time is 0, a BGP4 router assumes that its neighbor is alive regardless of how many seconds pass between receipt of UPDATE or KEEPALIVE messages.
As a guideline, BigIron RX switches with a 2 GB Management 4 module can accommodate 150 – 200 neighbors, with the assumption that the BigIron RX receives about one million routes total from all neighbors and sends about eight million routes total to neighbors. For each additional one million incoming routes, the capacity for outgoing routes decreases by around two million.

Configuring BGP4

Once you activate BGP, you can configure the BGP options.
TABLE 120 IPv4 BGP commands at different configuration levels (Continued)
Command | Global (IPv4 and IPv6) | IPv4 address family unicast | IPv4 address family multicast | See
as-path-ignore  x  “Disabling or re-enabling comparison of the AS-path length” on page 760
bgp-redistribute-internal  x  “Redistributing IBGP routes” on page 760
client-to-client-reflection  “Disabling or re-enabling client-to-client route reflection” on page 761
cluster-id  x  “Configuring a route refl
community-filter
TABLE 120 IPv4 BGP commands at different configuration levels (Continued)
Command | Global (IPv4 and IPv6) | IPv4 address family unicast | IPv4 address family multicast | See
redistribute  x x  “Modifying redistribution parameters” on page 786
show  x x  “Displaying BGP4 information” on page 824
table-map  x x  “Using a table map to set the tag value” on page 789
timers  x  “Changing the keep alive time and hold time” on page 789
update-time  x x  “Changing the BGP4 n

TABLE 121
TABLE 121 IPv4 and IPv6 BGP Commands at Different Configuration Levels (Continued)
Command | Global (IPv4 and IPv6) | IPv4 Address Family Multicast | IPv6 Address Family Unicast | See
default-information-originate  x x x  “Originating the default route” on page 765
default-local-preference  x  “Changing the default local preference” on page 766
default-metric  x x x  “Changing the default metric used for redistribution” on page 766
distance  x  “Changing administrative distances”
When parameter changes take effect

Some parameter changes take effect immediately while others do not take full effect until the router’s sessions with its neighbors are reset.

Immediately

The following parameter changes take effect immediately:
• Enable or disable BGP.
• Enable or disable use of a default route to resolve a BGP4 next-hop route.
• Set or change the local AS.
• Add neighbors.
• Change the update timer for route changes.
After disabling and re-enabling redistribution

The following parameter change takes effect only after you disable and then re-enable redistribution:
• Change the default MED (metric).

Activating and disabling BGP4

BGP4 is disabled by default. To enable BGP4 and place your BigIron RX into service as a BGP4 router, you must perform the following required steps.
1. Enable the BGP4 protocol.
2. Set the local AS number.
Entering and exiting the address family configuration level

The CLI displays a warning message such as the following.

BigIron RX(config)# no router bgp
router bgp mode now disabled. All bgp config data will be lost when writing to flash!

The Web management interface does not display a warning message.
Filtering specific IP addresses

NOTE Once you define a filter, the default action for addresses that do not match a filter is “deny”. To change the default action to “permit”, configure the last filter as “permit any any”.

Address filters can be referred to by a BGP neighbor's distribute list number as well as by match statements in a route map.

NOTE If the filter is referred to by a route map’s match statement, the filter is applied in the order in which the filter is listed in the match statement.
Defining an AS-path filter

If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in “/” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the filter regardless of whether the software is configured to display the masks in CIDR format.

The parameter specifies the network mask.
Configuring a switch to allow routes with its own AS number

NOTE If the filter is referred to by a route map’s match statement, the filter is applied in the order in which the filter is listed in the match statement.

The permit | deny parameter indicates the action the router takes if the filter match is true.
• If you specify permit, the router permits the route into the BGP4 table if the filter match is true.
BGP Null0 routing

BGP can use the null0 route to resolve its next hop. Thus, a null0 route in the routing table (for example, a static route) is considered a valid route by BGP. If the next hop for BGP resolves into a null0 route, the BGP route is also installed as a null0 route in the routing table. The null0 routing feature allows network administrators to block certain network prefixes by using null0 routes and route-maps.
5. On Router 6, redistribute the static routes into BGP, using route-map (redistribute static route-map block user).
6. On Router 1, the router facing the internet, configure a null0 route matching the next-hop address in the route-map (ip route 199.199.1.1/32 null0).
7. Repeat step 3 for all routers interfacing with the internet (edge corporate routers). In this case, Router 2 has the same null0 route as Router 1.
8.
Router 2

The following configuration defines a null0 route to the specific next hop address. The next hop address 199.199.1.1 points to 128.178.1.101, which gets blocked.

BigIron RX(config)# ip route 199.199.1.
Router-6# show ip bgp route
Total number of BGP Routes: 126
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
    Prefix          Next Hop     Metric  LocPrf   Weight
1   30.0.1.0/24     40.0.1.3     0       100      0
    AS_PATH:
...
9   110.0.0.16/30   90.0.1.3             100      0
    AS_PATH: 85
10  110.0.0.40/29   192.168.0.1  1       1000000  32768   BL
    AS_PATH:
11  110.0.0.80/28   90.0.1.3             100      0
...
36  115.0.0.96/28   30.0.1.3             100      0
    AS_PATH: 50
37  115.0.0.
Aggregating routes advertised to BGP4 neighbors

By default, the BigIron RX advertises individual routes for all the networks. The aggregation feature allows you to configure the device to aggregate routes in a range of networks into a single network prefix. For example, without aggregation, the device will individually advertise routes for networks 207.95.1.0/24, 207.95.2.0/24, and 207.95.3.0/24.
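As an added illustration of what a single aggregate actually covers (this is not Brocade code), the following uses Python's `ipaddress` module to compute the one prefix that contains the three networks named above, to contrast it with an exact collapse, and to list the address space inside the aggregate that none of the component routes cover. `covering_aggregate`, `exact_collapse` and `uncovered_space` are assumed helper names; the inputs are the page's three networks.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _as_networks(prefixes: Iterable[str]) -> List[Net]:
    """Parse prefixes strictly (host bits must be zero) and refuse mixed address families."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if not nets:
        raise ValueError("at least one prefix is required")
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot aggregate IPv4 and IPv6 prefixes together")
    return nets


def covering_aggregate(prefixes: Iterable[str]) -> str:
    """Smallest single prefix (longest prefix length) that contains every input network."""
    nets = _as_networks(prefixes)
    aggregate = nets[0]
    # Widen the first network one bit at a time until all the others fit inside it.
    while not all(n.subnet_of(aggregate) for n in nets):
        aggregate = aggregate.supernet()
    return str(aggregate)


def exact_collapse(prefixes: Iterable[str]) -> List[str]:
    """Fewest prefixes covering exactly the inputs and nothing more (may be more than one)."""
    return [str(n) for n in ipaddress.collapse_addresses(_as_networks(prefixes))]


def uncovered_space(prefixes: Iterable[str]) -> List[str]:
    """Parts of the covering aggregate that no component route covers.

    Traffic to these addresses is attracted by the aggregate advertisement
    although there is no more specific route behind it."""
    prefixes = list(prefixes)
    nets = _as_networks(prefixes)
    remaining: List[Net] = [ipaddress.ip_network(covering_aggregate(prefixes))]
    for n in nets:
        next_remaining: List[Net] = []
        for r in remaining:
            if n.subnet_of(r):
                next_remaining.extend(r.address_exclude(n))  # carve n out of r
            elif not r.subnet_of(n):
                next_remaining.append(r)                     # disjoint: keep r as is
            # r lies inside n: fully covered, drop it
        remaining = next_remaining
    return [str(r) for r in sorted(remaining)]


if __name__ == "__main__":
    networks = ["207.95.1.0/24", "207.95.2.0/24", "207.95.3.0/24"]
    print("single aggregate:", covering_aggregate(networks))
    print("exact collapse:  ", exact_collapse(networks))
    print("not covered:     ", uncovered_space(networks))
```

For the three /24s the single aggregate is 207.95.0.0/22, whereas an exact collapse still needs two prefixes (207.95.1.0/24 and 207.95.2.0/23), and 207.95.0.0/24 is inside the aggregate without any component route; that gap is the reason to check what a summary-only aggregate silently claims before advertising it.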
Redistributing IBGP routes

You can enable the device to always compare the MEDs, regardless of the AS information in the paths. For example, if the router receives UPDATES for the same route from neighbors in three ASs, the router would compare the MEDs of all the paths together, rather than comparing the MEDs for the paths in each AS individually.

NOTE By default, value 0 (most favorable) is used in MED comparison when the MED attribute is not present.
BigIron RX(config-bgp)# bgp-redistribute-internal

Syntax: [no] bgp-redistribute-internal

To disable redistribution of IBGP routes into RIP, ISIS, and OSPF, enter the following command.

BigIron RX(config-bgp)# no bgp-redistribute-internal

Disabling or re-enabling client-to-client route reflection

By default, the clients of a route reflector are not required to be fully meshed; the routes from a client are reflected to other clients.
Configuring confederations

• If BGP4 load sharing is disabled (maximum-paths 1), the device selects the path that came from the neighbor with the lower router ID.
• If BGP4 load sharing is enabled, the device load shares among the remaining paths. In this case, the router ID is not used to select a path.

NOTE Router ID comparison is disabled by default. To enable router ID comparison, enter the following command at the BGP configuration level of the CLI.
FIGURE 114 Example BGP4 confederation
[Figure: AS 20; Confederation 10 containing Sub-AS 64512 (Router A, Router B, IBGP) and Sub-AS 64513 (Router C, Router D, IBGP), connected by EBGP; callout: “This BGP4 router sees all traffic from Confederation 10 as traffic from AS 10.”]

Routers outside the confederation do not know or care that the routers are subdivided into sub-ASs within a confederation. In this example, four routers are configured into two sub-ASs, each containing two of the routers.
The procedures show how to implement the example confederation shown in Figure 26.3. To configure four devices to be a member of confederation 10, consisting of two sub-ASs (64512 and 64513), enter commands such as the following.
Configuring route flap dampening

Route flap dampening reduces the amount of change propagated by BGP due to routing state changes caused by unstable routes. Reducing change propagation helps reduce processing requirements. To enable route flap dampening using the default values, enter the following command.
BigIron RX(config-bgp)# default-information-originate

Syntax: [no] default-information-originate

Changing the default local preference

When the router uses the BGP4 algorithm to select a route to send to the IP route table, one of the parameters the algorithm uses is the local preference. Local preference is an attribute that indicates a degree of preference for a route relative to other routes.
Changing administrative distances

The BigIron RX can learn about networks from various protocols, including the EBGP portion of BGP4 and IGPs such as OSPF, ISIS, and RIP. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. To select one route over another based on the source of the route information, the device can use the administrative distances assigned to the sources.
Requiring the first AS to be the neighbor’s AS

The sets the EBGP distance and can be a value from 1 – 255.
The sets the IBGP distance and can be a value from 1 – 255.
The sets the Local BGP distance and can be a value from 1 – 255.
Setting the local AS number

The router waits for the Hold Time to expire before ending the connection to a directly-attached BGP4 neighbor that dies. For directly attached neighbors, the router immediately senses loss of a connection to the neighbor from a change of state of the port or interface that connects the router to its neighbor.
Syntax: [no] maximum-paths

The parameter specifies the maximum number of paths across which the BigIron RX can balance traffic to a given BGP4 destination. You can change the maximum number of paths to a value from 2 – 8. The default is 1.

Treating missing MEDs as the worst MEDs

By default, the BigIron RX favors a lower MED over a higher MED during MED comparison.
By default, load sharing applies to EBGP and IBGP paths, and does not apply to paths from different neighboring ASs.

Configuring BGP4 neighbors

The BGP4 protocol does not contain a peer discovery process. Therefore, for each of the router’s BGP4 neighbors (peers), you must indicate the neighbor’s IP address and the AS each neighbor is in. Neighbors that are in different ASs communicate using EBGP. Neighbors within the same AS communicate using IBGP.
[remove-private-as] [route-map in | out ] [route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive hold-time ] [unsuppress-map ] [update-source | ethernet / | loopback | ve ] [weight ]

The | parameter indicates whether you are configuring an individual neighbor or a peer group.
NOTE The address filter must already be configured. Refer to “Filtering specific IP addresses” on page 751.

ebgp-multihop [] specifies that the neighbor is more than one hop away and that the session type with the neighbor is thus EBGP-multihop. This option is disabled by default. The parameter specifies the TTL you are adding for the neighbor. You can specify a number from 0 – 255. The default is 0.
• 0 – Disables encryption for the authentication string you specify with the command. The password or string is shown as clear text in the output of commands that display neighbor or peer group configuration information.
• 1 – Assumes that the authentication string you enter is the encrypted form, and decrypts the value before using it.

For more information, refer to “Encryption of BGP4 MD5 authentication keys” on page 776.
timers keep-alive hold-time overrides the global settings for the Keep Alive Time and Hold Time. For the Keep Alive Time, you can specify from 0 – 65535 seconds. For the Hold Time, you can specify 0 or 3 – 65535 (1 and 2 are not allowed). If you set the Hold Time to 0, the router waits indefinitely for messages from a neighbor without concluding that the neighbor is dead.
If you want to override the summary-only parameter and allow a specific route to be advertised to a neighbor, enter commands such as the following.

BigIron RX(config)# ip prefix-list Unsuppress1 permit 209.1.44.0/24
BigIron RX(config)# route-map RouteMap1 permit 1
BigIron RX(config-routemap RouteMap1)# match prefix-list Unsuppress1
BigIron RX(config-routemap RouteMap1)# exit
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# neighbor 10.1.0.
Encryption example

The following commands configure a BGP4 neighbor and a peer group, and specify MD5 authentication strings (passwords) for authenticating packets exchanged with the neighbor or peer group.

BigIron RX(config-bgp)# local-as 2
BigIron RX(config-bgp)# neighbor xyz peer-group
BigIron RX(config-bgp)# neighbor xyz password abc
BigIron RX(config-bgp)# neighbor 10.10.200.102 peer-group xyz
BigIron RX(config-bgp)# neighbor 10.10.200.
Configuring a BGP4 peer group

of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication. If you accidentally enter option 1 followed by the clear-text version of the password or string, authentication will fail because the value used by the software will not match the value you intended to use.
• You must configure a peer group before you can add neighbors to the peer group.
• If you remove a parameter from a peer group, the value for that parameter is reset to the default for all the neighbors within the peer group, unless you have explicitly set that parameter on individual neighbors.
The parameter specifies the name of the group and can be up to 80 characters long. The name can contain special characters and internal blanks. If you use internal blanks, you must use quotation marks around the name. For example, the command neighbor “My Three Peers” peer-group is valid, but the command neighbor My Three Peers peer-group is not valid.
The parameter specifies the IP address of the neighbor. The parameter specifies the peer group name.
NOTE You must add the peer group before you can add neighbors to it.
Administratively shutting down a session with a BGP4 neighbor
You can prevent the device from starting a BGP4 session with a neighbor by administratively shutting down the neighbor.
The is the network number and the specifies the network mask. The route-map parameter specifies the name of the route map you want to use to set or change BGP4 attributes for the network you are advertising. The route map must already be configured; otherwise, the default action is to deny redistribution. The weight parameter specifies a weight to be added to routes to this network.
BigIron RX(config-bgp)# next-hop-enable-default
Syntax: [no] next-hop-enable-default
Enabling next-hop recursion
For each BGP4 route a BigIron RX learns, the device performs a route lookup to obtain the IP address of the route’s next hop. A BGP4 route becomes eligible for installation into the IP route table only if the following conditions are true:
• The lookup succeeds in obtaining a valid next-hop IP address for the route.
BigIron RX# show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix           Next Hop      Metric  LocPrf  Weight
1   0.0.0.0/0        10.1.0.2      0       100     0
    AS_PATH: 65001 4355 701 80
2   102.0.0.0/24     10.0.0.1      1       100     0
    AS_PATH: 65001 4355 1
3   104.0.0.0/24     10.1.0.2      0       100     0
    AS_PATH: 65001 4355 701 1 189
4   240.0.0.0/24     102.0.0.1     1       100     0
    AS_PATH: 65001 4355 3356 7170 1455
5   250.0.0.0/24     209.
BigIron RX# show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix           Next Hop      Metric  LocPrf
1   0.0.0.0/0        10.1.0.2      0       100
    AS_PATH: 65001 4355 701 80
2   102.0.0.0/24     10.0.0.1      1       100
    AS_PATH: 65001 4355 1
3   104.0.0.0/24     10.1.0.2      0       100
    AS_PATH: 65001 4355 701 1 189
4   240.0.0.0/24     102.0.0.1     1       100
    AS_PATH: 65001 4355 3356 7170 1455
5   250.0.0.0/24     209.157.24.
BigIron RX# show ip route 240.0.0.0/24
Total number of IP routes: 38
Network Address   Gateway    Port  Cost  Type
240.0.0.0         10.0.0.1   1/1   1     B
    AS_PATH: 65001 4355 1
This BigIron RX can use this route because the device has an IP route to the next-hop gateway. Without recursive next-hop lookups, this route would not be in the IP route table.
Enabling recursive next-hop lookups
The recursive next-hop lookups feature is disabled by default.
The static parameter indicates that you are redistributing static routes into BGP.
Redistributing connected routes
To configure BGP4 to redistribute directly connected routes, enter the following command.
BigIron RX(config-bgp)# redistribute connected
Syntax: redistribute connected [metric ] [route-map ]
The connected parameter indicates that you are redistributing routes to directly attached devices into BGP4.
The match internal | external1 | external2 parameter applies only to OSPF. This parameter specifies the types of OSPF routes to be redistributed into BGP4. The default is internal.
NOTE If you do not enter a value for the match parameter (for example, you enter redistribute ospf only), then only internal OSPF routes will be redistributed.
The metric parameter changes the metric. You can specify a value from 0 – 4294967295. The default is not assigned.
The metric parameter changes the metric. You can specify a value from 0 – 4294967295. The default is 0. The route-map parameter specifies a route map to be consulted before adding the static route to the BGP4 route table. The route map you specify must already be configured on the router. Refer to “Defining route maps” on page 801 for information about defining route maps.
NOTE Generally, you should set the Hold Time to three times the value of the Keep Alive Time.
NOTE You can override the global Keep Alive Time and Hold Time on individual neighbors. Refer to “Configuring BGP4 neighbors” on page 771 and “Configuring a BGP4 peer group” on page 778.
To change the Keep Alive Time to 30 and Hold Time to 90, enter the following command.
NOTE A BigIron RX uses the same router ID for both OSPF and BGP4. If the router is already configured for OSPF, you may want to use the router ID that is already in use on the router rather than set a new one. To display the router ID, enter the show ip CLI command at any CLI level.
To change the router ID, enter a command such as the following.
BigIron RX(config)# ip router-id 209.157.22.26
Syntax: ip router-id
The can be any valid, unique IP address.
• Set the maximum number of paths. The default maximum number of BGP4 load sharing paths is 1, which means no BGP4 load sharing takes place by default. Refer to “Changing the maximum number of shared BGP4 paths” on page 769.
NOTE The maximum number of BGP4 load sharing paths cannot be greater than the maximum number of IP load sharing paths.
• A route reflector client is an IGP router identified as a member of a cluster. You identify a router as a route reflector client on the router that is the route reflector, not on the client. The client itself requires no additional configuration. In fact, the client does not know that it is a route reflector client. The client just knows that it receives updates from its neighbors and does not know whether one or more of those neighbors are route reflectors.
• If a device receives a route whose ORIGINATOR_ID attribute has the value of the device’s own router ID, the device discards the route and does not advertise it. By discarding the route, the device prevents a routing loop.
• The first time a route is reflected by a device configured as a route reflector, the route reflector adds the CLUSTER_LIST attribute to the route.
• “Using a table map to set the tag value” on page 789
• “Configuring cooperative BGP4 route filtering” on page 809
Filtering AS-paths
You can filter updates received from BGP4 neighbors based on the contents of the AS-path list accompanying the updates. For example, if you want to deny routes that have the AS 4.3.2.1 in the AS-path from entering the BGP4 route table, you can define a filter to deny such routes.
The neighbor command uses the filter-list parameter to apply the AS-path ACL to the neighbor. Refer to “Configuring BGP4 neighbors” on page 771 and “Configuring a BGP4 peer group” on page 778.
Using regular expressions
You use a regular expression for the parameter to specify a single character or multiple characters as a filter pattern. If the AS-path matches the pattern specified in the regular expression, the filter evaluation is true; otherwise, the evaluation is false.
TABLE 122 BGP4 special characters for regular expressions (Continued)
Character – Operation
_ – An underscore matches on one or more of the following:
• , (comma)
• { (left curly brace)
• } (right curly brace)
• ( (left parenthesis)
• ) (right parenthesis)
• The beginning of the input string
• The end of the input string
• A blank space
For example, the following regular expression matches on “100” but not on “1002”, “2100”, and so on.
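The underscore rule in TABLE 122 is the one place where a BGP4 AS-path regular expression differs from an ordinary regex, and it is what keeps “_100_” from matching “1002” or “2100”. The following added example (not code from the guide or from Brocade) translates the underscore into an equivalent Python character class and evaluates an ordered filter list; the first-match-wins evaluation with an implicit deny at the end is an assumption about ACL semantics, not something the guide states.

```python
import re

# Everything the underscore stands for in the guide's TABLE 122: a comma, a curly
# brace, a parenthesis, the beginning or end of the input string, or a blank.
_UNDERSCORE = r"(?:[,{}()\s]|^|$)"


def bgp_regex_to_python(pattern: str) -> str:
    """Translate a BGP4 AS-path regular expression into Python re syntax.

    Only "_" needs rewriting; the other special characters in the guide's table
    (., *, +, ?, ^, $, []) already carry the same meaning in Python.
    """
    return "".join(_UNDERSCORE if ch == "_" else ch for ch in pattern)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True when the BGP4 filter pattern matches anywhere in the AS-path string."""
    return re.search(bgp_regex_to_python(pattern), as_path) is not None


def evaluate_filter_list(entries, as_path: str) -> bool:
    """Evaluate an ordered AS-path filter list against one AS path.

    `entries` is a list of (action, pattern) tuples with action "permit" or "deny".
    The first entry whose pattern matches decides; a path that matches no entry is
    denied (implicit deny, assumed here as the usual ACL behaviour).
    Returns True when the route is permitted.
    """
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


# Constructed AS paths in the style of the guide's "show ip bgp route" output.
SAMPLE_PATHS = [
    "100",
    "1002",
    "2100",
    "65001 100 701",
    "65001 4355 701 80",
    "65001 4355 1",
]

# Deny anything that transited AS 701, permit everything else.
SAMPLE_FILTER = [("deny", "_701_"), ("permit", ".*")]
```

Running `evaluate_filter_list(SAMPLE_FILTER, p)` over SAMPLE_PATHS denies only the two paths that contain 701 as a whole AS number, which is exactly the distinction the underscore exists to make.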
Filtering communities
You can filter routes received from BGP4 neighbors based on community names. A community is an optional attribute that identifies the route as a member of a user-defined class of routes. Community names are arbitrary values made of two five-digit integers joined by a colon. You determine what the name means when you create the community name as one of a route’s attributes. Each string in the community name can be a number from 0 – 65535.
The seq parameter is optional and specifies the community list’s sequence number. You can configure up to 199 entries in a community list. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with number 5. The software interprets the entries in a community list in numerical order, beginning with the lowest sequence number.
The seq parameter is optional and specifies the IP prefix list’s sequence number. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with prefix list entry 5. The software interprets the prefix list entries in numerical order, beginning with the lowest sequence number. The deny | permit parameter specifies the action the software takes if a neighbor’s route is in this prefix list.
Defining route maps
A route map is a named set of match conditions and parameter settings that the router can use to modify route attributes and to control redistribution of the routes into other protocols. A route map consists of a sequence of instances. If you think of a route map as a table, an instance is a row in that table. The router evaluates a route according to a route map’s instances in ascending numerical order.
• Set the MED (metric).
• Set the IP address of the next hop router.
• Set the origin to IGP or INCOMPLETE.
• Set the weight.
For example, when you configure parameters for redistributing routes into BGP, one of the optional parameters is a route map. If you specify a route map as one of the redistribution parameters, the router will match the route against the match statements in the route map.
Specifying the match conditions
Use the following command to define the match conditions for instance 1 of the route map GET_ONE. This instance compares the route updates against BGP4 address filter 11.
BigIron RX(config-routemap GET_ONE)# match address-filters 11
Syntax: match [as-path ] | [address-filters | as-path-filters | community-filters
The next-hop parameter compares the IP address of the route’s next hop to the specified IP address filters. The filters must already be configured. The route-type internal | external-type1 | external-type2 parameter applies only to OSPF routes. This parameter compares the route’s type to the specified value. The level-1 parameter compares ISIS routes only with routes within the same area.
Matching based on next-hop router
You can use the results of an IP ACL or an IP prefix list as the match condition. To construct a route map that matches based on the next-hop router, enter commands such as the following.
The parameter specifies the name of a community list ACL. You can specify up to five ACLs. Separate the ACL names or IDs with spaces.
Here is another example.
BigIron RX(config)# ip community-list standard std_2 permit 23:45 56:78
BigIron RX(config)# route-map bgp3 permit 1
BigIron RX(config-routemap bgp3)# match community std_1 std_2 exact-match
These commands configure an additional community ACL, std_2, that contains community numbers 23:45 and 57:68.
The dampening [ ] parameter sets route dampening parameters for the route. The parameter specifies the number of minutes after which the route’s penalty becomes half its value. The parameter specifies how low a route’s penalty must become before the route becomes eligible for use again after being suppressed. The parameter specifies how high a route’s penalty can become before the device suppresses the route.
BigIron RX(config)# access-list 1 permit 192.168.9.0 0.0.0.255
BigIron RX(config)# route-map bgp4 permit 1
BigIron RX(config-routemap bgp4)# match ip address 1
BigIron RX(config-routemap bgp4)# set metric-type internal
The first command configures an ACL that matches on routes with destination network 192.168.9.0.
Configuring cooperative BGP4 route filtering
By default, the device performs all filtering of incoming routes locally, on the device itself. You can use cooperative BGP4 route filtering to cause the filtering to be performed by a neighbor before it sends the routes to the device. Cooperative filtering conserves resources by eliminating unnecessary route updates and filter processing.
Syntax: [no] neighbor | capability orf prefixlist [send | receive]
The | parameter specifies the IP address of a neighbor or the name of a peer group of neighbors.
The send | receive parameter specifies the support you are enabling:
• send – The device sends the IP prefix lists to the neighbor.
• receive – The device accepts filters from the neighbor.
If you do not specify the capability, both capabilities are enabled.
• The cooperative filtering configuration on the device.
• The ORFs received from neighbors.
To display the cooperative filtering configuration on the device, enter a command such as the following. The line shown in bold type shows the cooperative filtering status.
BigIron RX# show ip bgp neighbor 10.10.10.1
1   IP Address: 10.10.10.1, AS: 65200 (IBGP), RouterID: 10.10.10.
NOTE The BigIron RX applies route flap dampening only to routes learned from EBGP neighbors.
The route flap dampening mechanism is based on penalties. When a route exceeds a configured penalty value, the device stops using that route and also stops advertising it to other routers. The mechanism also allows a route’s penalties to reduce over time if the route’s stability improves.
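The three dampening parameters described earlier (half-life in minutes, reuse threshold, suppress threshold) interact through the penalty decay just described. This added example (not the guide’s or Brocade’s code) simulates that interaction for one route so the numbers can be seen together; the 1000-point penalty per flap, the continuous exponential decay, and the sample thresholds are assumptions for illustration, since the guide does not give them.

```python
import math
from dataclasses import dataclass

# Assumed penalty added for each flap; the guide does not state the increment.
FLAP_PENALTY = 1000.0


@dataclass
class DampenedRoute:
    """Penalty state for one EBGP-learned route under route flap dampening.

    half_life: minutes after which the penalty becomes half its value
    reuse:     penalty below which a suppressed route becomes eligible for use again
    suppress:  penalty above which the device stops using and advertising the route
    """
    half_life: float
    reuse: float
    suppress: float
    penalty: float = 0.0
    suppressed: bool = False
    last_update: float = 0.0  # simulation clock, in minutes

    def _decay(self, now: float) -> None:
        """Exponential decay: the penalty halves every half_life minutes."""
        elapsed = now - self.last_update
        if elapsed > 0:
            self.penalty *= 0.5 ** (elapsed / self.half_life)
            self.last_update = now

    def flap(self, now: float) -> bool:
        """Record a flap at minute `now` and return whether the route is now suppressed."""
        self._decay(now)
        self.penalty += FLAP_PENALTY
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def usable(self, now: float) -> bool:
        """Decay the penalty to minute `now` and report whether the route may be used."""
        self._decay(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return not self.suppressed

    def minutes_until_reuse(self, now: float) -> float:
        """Minutes from `now` until the penalty falls below the reuse threshold."""
        self._decay(now)
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def run_scenario() -> dict:
    """Three flaps one minute apart, then two checks while the penalty decays.

    Constructed parameters: half-life 15 minutes, reuse 750, suppress 2000.
    """
    route = DampenedRoute(half_life=15, reuse=750, suppress=2000)
    timeline = {}
    timeline["flap_t0"] = route.flap(0)        # penalty 1000: still in use
    timeline["flap_t1"] = route.flap(1)        # about 1955: still under the suppress limit
    timeline["flap_t2"] = route.flap(2)        # about 2867: route is suppressed
    timeline["usable_t20"] = route.usable(20)  # decayed to about 1248 (> 750): still suppressed
    timeline["usable_t40"] = route.usable(40)  # about 495 (< 750): back in use
    return timeline
```

Lengthening the half-life or lowering the reuse threshold stretches the suppressed interval, which is the trade-off the operator is making between stability and reachability.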
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# address-filter 9 permit 209.157.22.0 255.255.255.0 255.255.255.0 255.255.255.0
BigIron RX(config-bgp)# address-filter 10 permit 209.157.23.0 255.255.255.0 255.255.255.0 255.255.255.
BigIron RX(config-routemap DAMPENING_MAP_NEIGHBOR_A)# exit
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# dampening route-map DAMPENING_MAP_ENABLE
BigIron RX(config-bgp)# neighbor 10.10.10.1 route-map in DAMPENING_MAP_NEIGHBOR_A
In this example, the first command globally enables route flap dampening. This route map does not contain any match or set statements.
BigIron RX# show ip bgp flap-statistics
Total number of flapping routes: 414
Status Code >:best d:damped h:history *:valid
    Network              From             Flaps  Since
h>  192.50.206.0/23      166.90.213.77    1      0 :0 :13
h>  203.255.192.0/20     166.90.213.77    1      0 :0 :13
h>  203.252.165.0/24     166.90.213.77    1      0 :0 :13
h>  192.50.208.0/23      166.90.213.77    1      0 :0 :13
h>  133.33.0.0/16        166.90.213.77    1      0 :0 :13
*>  204.17.220.0/24      166.90.213.
Clearing route flap dampening statistics
NOTE Clearing the dampening statistics for a route does not change the dampening status of the route.
To clear all the route dampening statistics, enter the following command at any level of the CLI.
Using soft reconfiguration
The soft reconfiguration feature places policy changes into effect without resetting the BGP4 session. Soft reconfiguration does not request the neighbor or group to send its entire BGP4 table, nor does the feature reset the session with the neighbor or group. Instead, the soft reconfiguration feature stores all the route updates received from the neighbor or group.
NOTE Only the syntax related to soft reconfiguration is shown. For complete command syntax, refer to “Dynamically refreshing routes” on page 819.
Displaying the filtered routes received from the neighbor or peer group
When you enable soft reconfiguration, the device saves all updates received from the specified neighbor or peer group. This includes updates that contain routes that are filtered out by the BGP4 route policies in effect on the device.
BigIron RX# show ip bgp neighbor 192.168.4.106 routes
There are 97345 received routes from neighbor 192.168.4.106
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
    Prefix            Next Hop          Metric  LocPrf  Weight  Status
1   3.0.0.0/8         192.168.4.106             100     0       BE
    AS_PATH: 65001 4355 701 80
2   4.0.0.0/8         192.168.4.106             100     0       BE
    AS_PATH: 65001 4355 1
3   4.60.212.0/22     192.168.4.
To request a dynamic refresh of all routes from a neighbor, enter a command such as the following.
BigIron RX(config-bgp)# clear ip bgp neighbor 192.168.1.170 soft in
This command asks the neighbor to send its BGP4 table (Adj-RIB-Out) again. The device applies its filters to the incoming routes and adds, modifies, or removes BGP4 routes as necessary.
To place a new or changed outbound policy or filter into effect, you must enter a clear ip bgp neighbor command regardless of whether the neighbor session is up or down. You can enter the command without optional parameters or with the soft out or soft-outbound option. Either way, you must specify a parameter for the neighbor (, , , or all).
If you make changes to filters or route maps and the neighbor does not support dynamic route refresh, use these methods to ensure that neighbors contain only the routes you want them to contain.
• If you close a neighbor session, the device and the neighbor clear all the routes they learned from each other. When the device and neighbor establish a new BGP4 session, they exchange route tables again.
BigIron RX# clear ip bgp neighbor 10.0.0.1 traffic
To clear the BGP4 message counter for all neighbors within a peer group, enter a command such as the following.
BigIron RX# clear ip bgp neighbor PeerGroup1 traffic
Syntax: clear ip bgp neighbor all | | | traffic
The all | | | specifies the neighbor. The parameter specifies a neighbor by its IP interface with the device.
Clearing diagnostic buffers
The BigIron RX stores the following BGP4 diagnostic information in buffers:
• The first 400 bytes of the last packet received that contained an error
• The last NOTIFICATION message either sent or received by the device
To display these buffers, use options with the show ip bgp neighbors command. Refer to “Displaying BGP4 neighbor information” on page 829.
Displaying summary BGP4 information
You can display the local AS number, the maximum number of routes and neighbors supported, and some BGP4 statistics. To view summary BGP4 information for the router, enter the following command at any CLI prompt.
BigIron RX# show ip bgp summary
BGP4 Summary
Router ID: 101.0.0.
TABLE 124 BGP4 summary information (Continued)
This field... – Displays...
Number of Attribute Entries Installed – The number of BGP4 route-attribute entries in the router’s route-attributes table. To display the route-attribute table, refer to “Displaying BGP4 route-attribute entries” on page 847.
Neighbor Address – The IP addresses of this router’s BGP4 neighbors.
AS# – The AS number.
State – The state of this router’s neighbor session with each neighbor.
TABLE 124 BGP4 summary information (Continued)
This field... – Displays...
Sent – The number of BGP4 routes that the device has sent to the neighbor.
ToSend – The number of routes the device has queued to send to this neighbor.
Displaying the active BGP4 configuration
To view the active BGP4 configuration information contained in the running configuration without displaying the entire running configuration, enter the following command at any level of the CLI.
BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 routes-summary
1   IP Address: 192.168.4.
TABLE 125 BGP4 route summary information for a neighbor (Continued)
This field... – Displays...
NLRIs Discarded due to – Indicates the number of times the device discarded an NLRI for the neighbor due to the following reasons:
• Maximum Prefix Limit – The device’s configured maximum prefix amount had been reached.
• AS Loop – An AS loop occurred. An AS loop occurs when the BGP4 AS-path attribute contains the local AS number.
BigIron RX(config-bgp)# show ip bgp neighbor 10.4.0.2
1   IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1
    Description: neighbor 10.4.0.
The attribute-entries option shows the attribute entries associated with routes received from the neighbor. The flap-statistics option shows the route flap statistics for routes received from or sent to the neighbor. The last-packet-with-error option displays the last packet from the neighbor that contained an error. The packet's contents are displayed in decoded (human-readable) format.
TABLE 126 BGP4 neighbor information (Continued)
This field... – Displays...
Description – The description you gave the neighbor when you configured it on the device.
State – The state of the router’s session with the neighbor. The states are from this router’s perspective of the session, not the neighbor’s perspective.
TABLE 126 BGP4 neighbor information (Continued)
This field... – Displays...
DefaultOriginate – Whether this option is enabled for the neighbor.
MaximumPrefixLimit – Lists the maximum number of prefixes the device will accept from this neighbor.
RemovePrivateAs – Whether this option is enabled for the neighbor.
RefreshCapability – Whether this device has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability.
TABLE 126 BGP4 neighbor information (Continued)
This field... – Displays...
Last Connection Reset Reason – The reason the previous session with this neighbor ended.
TABLE 126 BGP4 neighbor information (Continued)
This field... – Displays...
Notification Sent – If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
TABLE 126 BGP4 neighbor information (Continued)
This field... – Displays...
TCP Connection state – The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
TABLE 126 BGP4 neighbor information (Continued)
This field... – Displays...
TotalRcv – The number of sequence numbers received from the neighbor.
DupliRcv – The number of duplicate sequence numbers received from the neighbor.
RcvWnd – The size of the receive window.
SendQue – The number of sequence numbers in the send queue.
RcvQue – The number of sequence numbers in the receive queue.
CngstWnd – The number of times the window has changed.
This display shows the following information.
TABLE 127 BGP4 route summary information for a neighbor
This field... – Displays...
Routes Received – How many routes the device has received from the neighbor during the current BGP4 session.
• Accepted/Installed – Indicates how many of the received routes the device accepted and installed in the BGP4 route table.
TABLE 127 BGP4 route summary information for a neighbor (Continued)
This field... – Displays...
NLRIs Sent in Update Message – The number of NLRIs for new routes the device has sent to this neighbor in UPDATE messages.
• Withdraws – The number of routes the device has sent to the neighbor to withdraw.
• Replacements – The number of routes the device has sent to the neighbor to replace routes the neighbor already has.
Displaying the adj-RIB-out for a neighbor
To display the device’s current BGP4 Routing Information Base (Adj-RIB-Out) for a specific neighbor and a specific destination network, enter a command such as the following at any level of the CLI.
BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 rib-out-routes 192.168.1.0/24
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST I:IBGP L:LOCAL
    Prefix           Next Hop    Metric  LocPrf  Weight  Status
1   200.1.1.0/24     0.0.0.
This display shows the following information.
TABLE 128 BGP4 summary route information
This field... – Displays...
Total number of BGP routes (NLRIs) Installed – The number of BGP4 routes the device has installed in the BGP4 route table.
Distinct BGP destination networks – The number of destination networks the installed routes represent. The BGP4 route table can have multiple routes to the same network.
Syntax: show ip bgp routes [[network] ] | | [age ] | [as-path-access-list ] | [best] | [cidr-only] | [community | no-export | no-advertise | internet | local-as] | [community-access-list ] | [community-list | [detail
The unreachable option displays the routes that are unreachable because the device does not have a valid RIP, OSPF, or static route to the next hop.
Displaying the best BGP4 routes
To display all the BGP4 routes in the device’s BGP4 route table that are the best routes to their destinations, enter a command such as the following at any level of the CLI.
BigIron RX(config-bgp)# show ip bgp routes best
Searching for matching routes, use ^C to quit...
BigIron RX(config-bgp)# show ip bgp 9.3.4.0
Number of BGP Routes matching display condition : 1
Status codes: s suppressed, d damped, h history, * valid, >
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network        Next Hop         Metric  LocPrf  Weight
*>  9.3.4.0/24     192.168.4.106            100     0
Last update to IP routing table: 0h11m38s, 1 path(s)
    Gateway        Port
    192.168.2.1    2/1
Route is advertised to 1 peers: 20.20.20.
TABLE 129 BGP4 network information (Continued)
This field... – Displays...
Path – The route’s AS path.
NOTE: This field appears only if you do not enter the route option.
Origin code – A character the display uses to indicate the route’s origin. The origin code appears to the right of the AS path (Path field). The origin codes are described in the command’s output.
NOTE: This field appears only if you do not enter the route option.
These displays show the following information.
TABLE 130 BGP4 route information
This field... – Displays...
Total number of BGP Routes – The number of BGP4 routes.
Status codes – A list of the characters the display uses to indicate the route’s status. The status code appears in the left column of the display, to the left of each route. The status codes are described in the command’s output.
Prefix – The network prefix and mask length.
TABLE 130 BGP4 route information (Continued)
This field... – Displays...
Origin – The source of the route information. The origin can be one of the following:
• EGP – The routes with this set of attributes came to BGP through EGP.
• IGP – The routes with this set of attributes came to BGP through IGP.
• INCOMPLETE – The routes came from an origin other than one of the above. For example, they may have been redistributed from OSPF or RIP.
BigIron RX# show ip bgp attribute-entries
Total number of BGP Attribute Entries: 7753
1   Next Hop :192.168.11.1  Metric :0  Originator:0.0.0.0  Cluster List:None
    Aggregator:AS Number :0  Router-ID:0.0.0.0
    Local Pref:100  Communities:Internet
    AS Path :(65002) 65001 4355 2548 3561 5400 6669 5548
2   Next Hop :192.168.11.1  Metric :0  Originator:0.0.0.0  Cluster List:None
    Aggregator:AS Number :0  Router-ID:0.0.0.
TABLE 131 BGP4 route-attribute entries information (Continued)
This field... – Displays...
Communities – The communities that routes with this set of attributes are in.
AS Path – The ASs through which routes with this set of attributes have passed. The local AS is shown in parentheses.
Displaying the routes BGP4 has placed in the IP route table
The IP route table indicates the routes it has received from BGP4 by listing “BGP” as the route type.
The parameter specifies a particular route. If you also use the optional longer-prefixes parameter, then all statistics for routes that match the specified route or have a longer prefix than the specified route are displayed. For example, if you specify 209.157.0.0 longer, then all routes with the prefix 209.157 or that have a longer prefix (such as 209.157.22) are displayed.
 match address-filters 11
 set community 11:12 no-export
route-map permit1122 permit 12
 match ip address 11
route-map permit1122 permit 13
 match ip address std_22
This example shows that the running configuration contains six route maps. Notice that the match and set statements within each route map are listed beneath the command for the route map itself. In this simplified example, each route map contains only one match or set statement.
NOTE After configuring BGP graceful restart, you must reset the neighbor session, whether or not the session is currently up, for graceful restart to take effect. Use the clear ip bgp neighbor command to clear and re-establish neighbor sessions.
Configuring BGP graceful restart on a router
Use the following command to enable the BGP graceful restart feature on a BigIron RX device.
Router 1
BigIron RX(config)#router bgp
BigIron RX(config-bgp)#local-as 100
BigIron RX(config-bgp)#graceful-restart
BigIron RX(config-bgp)#neighbor 12.2.0.14 remote-as 200
BigIron RX(config-bgp)#write memory
Router 2
BigIron RX(config)#router bgp
BigIron RX(config-bgp)#local-as 200
BigIron RX(config-bgp)#graceful-restart
BigIron RX(config-bgp)#neighbor 12.1.0.14 remote-as 100
BigIron RX(config-bgp)#neighbor 12.3.0.
BigIron RX# show ip bgp neighbor 11.11.11.2
1   IP Address: 11.11.11.2, Remote AS: 101 (EBGP), RouterID: 101.101.101.
Syntax: [no] neighbor | ebgp-btsh
NOTE For GTSM protection to work properly, it must be enabled on both the Brocade device and the neighbor.
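The NOTE above follows from how GTSM works: the receiver rejects BGP packets whose TTL could have come from more than one hop away, so it only accepts a peer that sets its own TTL to 255. The following added example (not the guide’s or Brocade’s code) models both sides of one directly connected EBGP session to show why enabling ebgp-btsh on only one side breaks the session; the TTL-255 behaviour follows RFC 5082, while the default TTL of 64 for a peer without GTSM and the five-hop off-link packet are constructed values.

```python
# TTL that a GTSM (RFC 5082) speaker places on packets to a protected peer.
GTSM_TTL = 255
# Constructed: a plausible default TTL for a peer that does not have GTSM enabled.
DEFAULT_TTL = 64


def outgoing_ttl(gtsm_enabled: bool) -> int:
    """TTL a speaker puts on its BGP packets, depending on whether GTSM is enabled."""
    return GTSM_TTL if gtsm_enabled else DEFAULT_TTL


def ttl_after_hops(initial_ttl: int, routers_traversed: int) -> int:
    """TTL the receiver sees after each intermediate router decrements it once.

    A directly connected peer traverses zero routers, so its TTL arrives unchanged.
    """
    return max(initial_ttl - routers_traversed, 0)


def accept_packet(received_ttl: int, gtsm_enabled: bool, expected_hops: int = 1) -> bool:
    """Receiver-side check for one BGP packet.

    With GTSM off, any packet with a live TTL is accepted. With GTSM on, the TTL
    must be at least 255 - (expected_hops - 1); for a directly connected peer
    (expected_hops=1) that means exactly 255, which no off-link sender can deliver
    because every router on the way decrements the TTL.
    """
    if received_ttl <= 0:
        return False
    if not gtsm_enabled:
        return True
    return received_ttl >= GTSM_TTL - (expected_hops - 1)


def session_outcome(local_gtsm: bool, peer_gtsm: bool) -> dict:
    """Evaluate a directly connected EBGP session plus one constructed off-link packet.

    The off-link packet starts with the highest possible TTL (255) and crosses
    five routers before reaching us, so it arrives with TTL 250.
    """
    peer_ttl = ttl_after_hops(outgoing_ttl(peer_gtsm), routers_traversed=0)
    off_link_ttl = ttl_after_hops(GTSM_TTL, routers_traversed=5)
    return {
        "peer_ttl_seen": peer_ttl,
        "peer_accepted": accept_packet(peer_ttl, local_gtsm),
        "off_link_accepted": accept_packet(off_link_ttl, local_gtsm),
    }
```

With GTSM on both sides the peer is accepted and the off-link packet is not; with GTSM on the local device only, the peer’s TTL-64 packets are rejected and the session cannot come up, which is the situation the NOTE warns about.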
Chapter 27 Configuring MBGP This chapter provides details on how to configure Multi-protocol Border Gateway Protocol (MBGP). MBGP is an extension to BGP that allows a router to support separate unicast and multicast topologies. BGP4 cannot support a multicast network topology that differs from the network’s unicast topology. MBGP allows you to support a multicast topology that is distinct from the network’s unicast topology.
Configuration considerations
• MBGP does not redistribute DVMRP routes. It redistributes static routes only.
• You cannot redistribute MBGP routes into BGP4.
• The BigIron RX supports 8192 multicast routes by default. You may need to increase the maximum number of multicast routes for MBGP. You can configure the device to support up to 153,600 multicast routes.
Configuring MBGP
1. Optional – Set the maximum number of multicast routes supported by the BigIron RX.
2.
Enabling MBGP
To enable MBGP4, you must enable PIM SM or DM and BGP4. Enter commands such as the following.
BigIron RX> enable
BigIron RX# configure terminal
BigIron RX(config)# router pim
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-1/1)# ip address 1.1.1.1/24
BigIron RX(config-if-1/1)# ip pim
BigIron RX(config-if-1/1)# exit
BigIron RX(config)# router bgp
BGP4: Please configure 'local-as' parameter in order to enable BGP4.
[password [0 | 1] ] [prefix-list in | out] [remote-as ] [remove-private-as] [route-map in | out ] [route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive hold-time ] [update-source loopback ] [weight ]
The | parameter indicates whether you are configuring an individual neighbor or a peer group.
Configuring a network prefix to advertise
By default, the BigIron RX advertises MBGP routes only for the networks you identify using the network command or that are redistributed into MBGP from IP multicast route tables.
NOTE
The exact route must exist in the IP multicast route table so that the device can create a local MBGP route.
To configure the device to advertise network 207.95.22.0/24 as a multicast route, enter the following command.
BigIron RX(config-bgp-ipv4m)# network 207.
NOTE
The route map you specify must already be configured.
Configuring static IP multicast routes
To configure static IP multicast routes, enter commands such as the following.
BigIron RX(config)# ip mroute 207.95.10.0 255.255.255.0 interface ethernet 1/2
BigIron RX(config)# ip mroute 0.0.0.0 0.0.0.0 interface ethernet 2/3
The commands in this example configure two static multicast routes. The first route is for a specific source network, 207.95.10.0/24.
The and parameters specify the aggregate value for the networks. The as-set parameter causes the router to aggregate AS-path information for all the routes in the aggregate address into a single AS-path. The summary-only parameter prevents the router from advertising more specific routes contained within the aggregate route. The suppress-map parameter prevents the more specific routes contained in the specified route map from being advertised.
BigIron RX# show ip mbgp summary
BGP4 Summary
Router ID: 9.9.9.1 Local AS Number : 200
Confederation Identifier : not configured
Confederation Peers:
Maximum Number of Paths Supported for Load Sharing : 1
Number of Neighbors Configured : 1, UP: 1
Number of Routes Installed : 5677
Number of Routes Advertising to All Neighbors : 5673
Number of Attribute Entries Installed : 3
Neighbor Address AS# State Time Rt:Accepted Filtered Sent
166.1.1.
Displaying MBGP neighbors
To view MBGP neighbor information, including the values for all the configured parameters, enter the following command. This display is similar to the show ip bgp neighbor display but has additional fields that apply only to MBGP. These fields are shown in bold type in the example and are explained below.
NOTE
The display shows all the configured parameters for the neighbor.
The parameter specifies the neighbor’s IP address.
Displaying MBGP routes
To display the MBGP route table, enter the following command.
BigIron RX#show ip mbgp route
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
Prefix Next Hop Metric LocPrf Weight Status
1 8.8.8.0/24 166.1.1.2 0 100 0 BI
AS_PATH:
2 31.1.1.0/24 166.1.1.
Chapter 28: Configuring IS-IS (IPv4)
The Intermediate System to Intermediate System (IS-IS) protocol is a link-state Interior Gateway Protocol (IGP) that is based on the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Open Systems Interconnection (OSI) model. In IS-IS, an intermediate system (router) is designated as either a Level 1 or Level 2 router. A Level 1 router routes traffic only within the area in which the router resides.
• If the path provided by IS-IS has the lowest administrative distance, then the CPU places that IS-IS path in the IP route table.
• If a path to the same destination supplied by another protocol has a lower administrative distance, the CPU installs the other protocol’s path in the IP route table instead.
The administrative distance is a protocol-independent value from 1 – 255.
NOTE
Since the Brocade implementation of IS-IS does not route OSI traffic but instead routes IP traffic, IP hosts are shown instead of ESs.
The other basic IS-IS concepts illustrated in this figure are explained in the following sections.
Domain and areas
IS-IS is an IGP, and thus applies only to routes within a single routing domain. However, you can configure multiple areas within a domain.
The Designated IS is elected based on the priority of each IS in the broadcast network. When an IS becomes operational, it sends a Level-1 or Level-2 Hello PDU to advertise itself to other ISs. If the IS is configured to be both a Level-1 and a Level-2 IS, the IS sends a separate advertisement for each level.
• The Level-1 IS that has the highest priority becomes the Level-1 Designated IS for the broadcast network.
Route calculation and selection
The Designated IS uses a Shortest Path First (SPF) algorithm to calculate paths to destination ISs and ESs. The SPF algorithm uses Link State PDUs (LSPDUs) received from other ISs as input, and creates the paths as output. After calculating the paths, the Designated IS then selects the best paths and places them in the IS-IS route table. The Designated IS uses the following process to select the best paths.
1.
BigIron RX(config)#router isis
BigIron RX(config-isis-router)#
Syntax: [no] router isis
The (config-isis-router)# prompt indicates that you are at the global level for IS-IS. Configurations you enter at this level apply to both IS-IS IPv4 and IS-IS IPv6.
Address family configuration level
The BigIron RX implementation of IS-IS includes the address family configuration level.
Configuring IPv4 IS-IS
Enabling IS-IS globally
To configure IPv4 IS-IS, do the following.
1. Globally enable IS-IS by entering the following command.
BigIron RX(config)# router isis
ISIS: Please configure NET!
Once you enter router isis, the device enters the IS-IS router configuration level.
Syntax: [no] router isis
To disable IS-IS, use the no form of this command.
2. If you have not already configured a NET for IS-IS, enter commands such as the following.
• Change the default metric.
• Add, change, or negate route redistribution parameters.
Some IS-IS parameter changes take effect immediately while others do not take full effect until you disable, then re-enable route redistribution.
Globally configuring IS-IS on a device
This section describes how to change the global IS-IS parameters. These parameter settings apply to both IS-IS IPv4 and IS-IS IPv6, although IPv6 is currently not supported.
The on-startup parameter specifies the number of seconds following a reload to set the overload bit on. You can specify 0 or a number from 5 – 86400 (24 hours). The default is 0, which means the device starts performing IS-IS routing immediately following a successful software reload.
Configuring authentication
By default, the BigIron RX does not authenticate packets sent to or received from ESs or other ISs.
Changing the IS-IS Level globally
By default, a BigIron RX can operate as both a Level-1 and Level-2 IS-IS router. To globally change the level supported from Level-1 and Level-2 to Level-1 only, enter the following command.
BigIron RX(config-isis-router)# is-type level-1
Syntax: [no] is-type level-1 | level-1-2 | level-2
The level-1 | level-1-2 | level-2 parameter specifies the IS-IS type.
BigIron RX(config-isis-router)# csnp-interval 15
Syntax: [no] csnp-interval
The parameter specifies the interval and can be from 0 – 65535 seconds. The default is 10 seconds.
NOTE
Although the command name is csnp-interval, the interval also applies to PSNPs.
Changing the maximum LSP lifetime
The maximum LSP lifetime is the maximum number of seconds an un-refreshed LSP can remain in the device’s LSP database.
The parameter specifies the minimum refresh interval and can be from 1 – 120 seconds. The default is 10 seconds.
Changing the LSP interval and retransmit interval
The LSP interval is the rate of transmission, in milliseconds, of the LSPs. The retransmit interval is the time the device waits before it retransmits LSPs. To define an LSP interval, enter a command such as the following.
The padding consists of arbitrarily valued octets. A padded hello PDU indicates the largest PDU that the device can receive. Other ISs that receive a padded hello PDU from the device can therefore ensure that the IS-IS PDUs they send the device do not exceed the size the device can receive. Similarly, if the device receives a padded hello PDU from a neighbor IS, the device knows the maximum size PDU that the device can send to the neighbor.
Configuring IPv4 address family route parameters
This section describes how to modify the IS-IS parameters for the IS-IS IPv4 unicast address family. To enter the IPv4 unicast address family, refer to “Address family configuration level” on page 872.
Changing the metric style
The metric style specifies the Types, Lengths, and Values (TLVs) an IS-IS LSP can have.
NOTE
This feature requires the presence of a default route in the IPv4 route table.
To enable the device to advertise a default route that is originated at Level 2, enter the following command at the IPv4 IS-IS unicast address family configuration level.
BigIron RX(config-isis-router-ipv4u)# default-information-originate
This command enables the device to advertise a default route into the IPv4 IS-IS area to which the device is attached.
For example, if the router has a path from RIP, from OSPF, and from IPv4 IS-IS to the same destination, and all the paths are using their protocols’ default administrative distances, the router selects the OSPF path, because that path has a lower administrative distance than the RIP and IPv4 IS-IS paths.
The level-1 | level-1-2 | level-2 parameter specifies the route types to which the aggregate route applies. The default is level-2.
Redistributing routes into IPv4 IS-IS
To redistribute routes into IPv4 IS-IS, you can perform the following configuration tasks:
• Change the default redistribution metric (optional).
• Configure the redistribution of a particular route type into IPv4 IS-IS (mandatory).
The parameter specifies the default metric. You can specify a value from 0 – 65535. The default is 0. To restore the default value for the default metric, enter the no form of this command.
Redistributing static IPv4 routes into IPv4 IS-IS
To redistribute static IPv4 routes from the IPv4 static route table into IPv4 IS-IS routes, enter the following command at the IPv4 IS-IS unicast address family configuration level.
Redistributing RIP routes into IPv4 IS-IS
To redistribute RIP routes into IPv4 IS-IS, enter the following command at the IPv4 IS-IS unicast address family configuration level.
BigIron RX(config-isis-router-ipv4u)# redistribute rip
This command configures the device to redistribute all RIP routes into Level-2 IS-IS.
Redistributing IPv4 IS-IS routes within IPv4 IS-IS
In addition to redistributing routes from other route sources into IPv4 IS-IS, the BigIron RX can redistribute Level 1 IPv4 IS-IS routes into Level 2 IPv4 IS-IS routes, and Level 2 IPv4 IS-IS routes into Level 1 IPv4 IS-IS routes. By default, the device redistributes routes from Level 1 into Level 2.
NOTE
The BigIron RX advertises an IS-IS interface to its area regardless of whether adjacency formation is enabled.
To disable IS-IS adjacency formation on an interface, enter commands such as the following.
BigIron RX(config)# interface ethernet 2/8
BigIron RX(config-if-e1000-2/8)# isis passive
This command disables IS-IS adjacency formation on port 2/8.
The parameter specifies the password. You can enter an alphanumeric string up to 80 characters long. The password can contain blank spaces. If you use a blank space in the password, you must use quotation marks (" ") around the entire password; for example, isis password "admin 2".
Changing the IS-IS level on an interface
The section “Changing the IS-IS Level globally” on page 876 explains how to change the IS-IS level globally.
The parameter specifies the interval, and can be from 1 – 65535 seconds. The default is 10 seconds.
The level-1 | level-2 parameter applies the change to only the level you specify. If you do not use this parameter, the change applies to both levels.
Changing the hello multiplier
The hello multiplier is the number by which an IS-IS interface multiplies the hello interval to obtain the hold time for Level-1 and Level-2 IS-to-IS hello PDUs.
The level-1 | level-2 parameter applies the change to only the level you specify. If you do not use this parameter, the change applies to both levels.
BigIron RX# show isis hostname
Total number of entries in IS-IS Hostname Table: 1
System ID Hostname
* = local IS
* bbbb.cccc.dddd RX
Syntax: show isis hostname
The table in this example contains one mapping, for this device. The device’s IS-IS system ID is “bbbb.cccc.dddd” and its hostname is “RX”. The display contains one entry for each IS that supports name mapping.
NOTE
Name mapping is enabled by default.
TABLE 135 IS-IS neighbor information (Continued)
This field... / Displays...
Type – The IS-IS type of the adjacency. The type can be one of the following:
• ISL1 – Level-1 IS
• ISL2 – Level-2 IS
• ES – ES
NOTE: The device forms a separate adjacency for each IS-IS type. Thus, if the device has both types of IS-IS adjacencies with the neighbor, the display contains a separate row of information for each adjacency.
TABLE 136 IS-IS Syslog messages
Message level / Message / Explanation
Alert – ISIS MEMORY USE EXCEEDED – IS-IS is requesting more memory than is available.
Notification – ISIS L1 ADJACENCY DOWN on interface – The device’s adjacency with this Level-1 IS has gone down. The is the system ID of the IS. The is the ID of the interface over which the adjacency was established.
BigIron RX# show isis interface
Total number of IS-IS Interfaces: 1
Interface: Eth 7/1
Circuit State: UP Circuit Mode: LEVEL-1-2
Circuit Type: BCAST Passive State: FALSE
Circuit Number: 0x01, MTU: 1497
Authentication password: None
Level-1 Metric: 10, Level-1 Priority: 64
Level-1 Hello Interval: 10 Level-1 Hello Multiplier: 3
Level-1 Designated IS: RX-01 Level-1 DIS Changes: 8
Level-2 Metric: 10, Level-2 Priority: 64
Level-2 Hello Interval: 10 Level-2 Hello Multiplier:
TABLE 137 IS-IS Interface information (Continued)
This field... / Displays...
Passive State – The passive state determines whether the interface is allowed to form an IS-IS adjacency with the IS at the other end of the circuit. The state can be one of the following:
• FALSE – The passive option is disabled. The interface can form an adjacency with the IS at the other end of the link.
• TRUE – The passive option is enabled.
TABLE 137 IS-IS Interface information (Continued)
This field... / Displays...
Bad LSP – The number of times the interface received a bad LSP from an IS at the other end of the circuit. The following conditions can cause an LSP to be bad:
• Invalid checksum
• Invalid length
• Invalid lifetime value
Control Messages Sent – The number of IS-IS control PDUs sent on this interface.
Control Messages Received – The number of IS-IS control PDUs received on this interface.
TABLE 138 IS-IS route information (Continued)
This field... / Displays...
Cost – The IS-IS default metric for the route, which is the cost of using this route to reach the next-hop router to this destination.
Type – The route type, which can be one of the following:
• L1 – Level-1 route
• L2 – Level-2 route
Tag – The tag value associated with the route.
Path – The path number in the table.
The parameter displays summary information about a particular LSP. Specify an LSPID for which you want to display information in HHHH.HHHH.HHHH.HH-HH format, for example, 3333.3333.3333.00-00. You can also enter name.HH-HH, for example, RX.00-00.
The detail parameter displays detailed information about the LSPs. Refer to “Displaying detailed information” on page 898.
The l1 and level1 parameters display the Level-1 LSPs only. You can use either parameter.
BigIron RX# show isis database detail
IS-IS Level-1 Link State Database
LSPID LSP Seq Num LSP Checksum LSP Holdtime
RX.00-00* 0x0000000b 0x23fb 971
Area Address: 49
NLPID: CC(IP)
Hostname: RX
Metric: 10 IP-Internal 4.1.1.0/24 Up-bit: 0
Metric: 10 IS RX.01
IS-IS Level-2 Link State Database
LSPID LSP Seq Num LSP Checksum LSP Holdtime
RX.00-00* 0x0000000d 0x7d97 903
Area Address: 49
NLPID: CC(IP)
Hostname: RX
IP address: 4.1.1.1
Metric: 10 IP-Internal 4.1.1.
TABLE 140 IS-IS detailed LSP database information (Continued)
This field... / Displays...
IP address – The IP address of the interface that sent the LSP. The device can use this address as the next hop in routes to the addresses listed in the rows below.
Destination addresses – The rows of information below the IP address row are the destinations advertised by the LSP. The device can reach these destinations by using the IP address listed above as the next hop.
TABLE 141 IS-IS traffic statistics
This field... / Displays...
Level-1 Hellos – The number of Level-1 hello PDUs sent and received by the device.
Level-2 Hellos – The number of Level-2 hello PDUs sent and received by the device.
Level-1 LSP – The number of Level-1 link-state PDUs sent and received by the device.
Level-2 LSP – The number of Level-2 link-state PDUs sent and received by the device.
TABLE 142 IS-IS error statistics (Continued)
This field... / Displays...
LSP Sequence Number Skipped – The number of times the device received an LSP with a sequence number that was more than 1 higher than the sequence number of the previous LSP received from the same neighbor.
LSP Max Sequence Number Exceeded – The number of times the device attempted to set an LSP sequence number to a value higher than the highest number in the CSNP sent by the Designated IS.
The neighbor parameter closes the device’s adjacencies with its IS-IS neighbors and clears the neighbor statistics.
The route [ | / ] parameter clears the IS-IS route table or the specified matching route.
The traffic parameter clears the PDU statistics.
NOTE
The traffic option also clears the values displayed in the show isis interface command’s Control Messages Sent and Control Messages Received fields.
Chapter 29: Bidirectional Forwarding Detection (BFD)
The BigIron RX provides support for Bidirectional Forwarding Detection (BFD), which defines a method of rapidly detecting the failure of a forwarding path by checking that the next-hop router is alive. Without BFD enabled, it can take from 3 to 30 seconds to detect that a neighboring router is not operational; during that time, packets are lost because of stale routing information, at a level that is unacceptable for real-time applications such as VoIP and video over IP.
BigIron RX(config-if-e1000-3/1)# bfd interval 100 min-rx 100 multiplier 3
Syntax: [no] bfd interval min-rx multiplier
The variable is the interval, in milliseconds, at which this router sends a BFD message to its peer informing it that it is still operational. Acceptable values are 50 – 30000.
BigIron RX# show bfd
BFD State: ENABLED Version: 1
Current Registered Protocols: ospf ospf6
All Sessions: Current: 2 Maximum Allowed: 100 Maximum Exceeded Count: 0
LP Sessions: Maximum Allowed on LP: 20 Maximum Exceeded Count for LPs: 0
LP Sessions LP Sessions LP Sessions LP Sessions
1 0 2 2 3 0 4 0
5 0 6 0 7 0 8 0
9 0 10 0 11 0 12 0
13 0 14 0 15 0 16 0
BFD Enabled ports count: 2
Port MinTx MinRx Mult Sessions
eth 2/1 100 100 3 2
Syntax: show b
TABLE 143 Display of BFD information (Continued)
This field... / Displays...
Mult – The number of times that the router will wait for the MinRx time on this port before it determines that its peer router is non-operational.
Sessions – The number of BFD sessions originating on this port.
Displaying BFD application information
The following example illustrates the output from the show bfd application command.
TABLE 145 Display of BFD information (Continued)
This field... / Displays...
Interface – The logical port (physical or virtual port) on which the peer is known. The physical port can be either Ethernet or POS.
Holddown – The interval after which the session will transition to the down state if no message is received.
Interval – The negotiated interval at which the local router sends BFD messages to the remote peer.
RH – Heard from remote.
TABLE 146 Display of BFD neighbor detail information (Continued)
This field... / Displays...
Diag – Value of the “diagnostic” field in the BFD Control Message as used by the local router in the last message sent.
Demand – Value of the “demand” bit in the BFD Control Message as used by the local router in the last message sent.
Poll – Value of the “poll” bit in the BFD Control Message as used by the local router in the last message sent.
BigIron RX# clear bfd neighbor
Syntax: clear bfd neighbor [ | ]
The variable specifies the IPv4 address of a particular neighbor whose BFD session you want to clear. The variable specifies the IPv6 address of a particular neighbor whose BFD session you want to clear. Executing this command without specifying an IPv4 or IPv6 address clears the sessions of all BFD neighbors.
Enabling BFD for OSPFv3 for all interfaces
You can configure BFD for OSPFv3 on all of a router’s OSPFv3-enabled interfaces using the command shown in the following.
Chapter 30: Configuring Secure Shell
In this chapter
• Overview of Secure Shell (SSH)
• Configuring SSH
• Displaying SSH connection information
• Using secure copy
• SCP/SFTP/SSH URI Format
If you are using redundant management modules, you can synchronize the DSA host key pair between the active and standby modules by entering the sync-standby command at the Privileged EXEC level of the CLI.
Tested SSHv2 clients
The following SSH clients have been tested with SSHv2:
• SSH Secure Shell 3.2.3
• Van Dyke SecureCRT 4.0 and 4.1
• F-Secure SSH Client 5.3 and 6.0
• PuTTY 0.54 and 0.56
• OpenSSH 3.5_p1 and 3.6.1p2
• Solaris Sun-SSH-1.
• DSA challenge-response authentication, where a collection of public keys are stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
• Password authentication, where users attempting to gain access to the device using an SSH client are authenticated with passwords stored on the device or on a TACACS, TACACS+ or RADIUS server.
Both kinds of user authentication are enabled by default.
By default, public keys are hidden in the running configuration. You can optionally configure the device to display the DSA host key pair in the running configuration file by entering the following command.
BigIron RX# ssh show-host-keys
Syntax: ssh show-host-keys
To hide the public keys in the running configuration file, enter the following command.
1. Importing authorized public keys into the device.
2. Enabling DSA challenge-response authentication.
Importing authorized public keys into the device
SSH clients that support DSA authentication normally provide a utility to generate a DSA key pair. The private key is usually stored in a password-protected file on the local host; the public key is stored in another file and is not protected.
BigIron RX# show ip client-pub-key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET W6ToHv8D1UJ/ z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH YI14Om 1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80q
With DSA challenge-response authentication, a collection of clients’ public keys are stored on the device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
Setting the SSH login timeout value
When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects. You can change this timeout value to between 1 – 120 seconds. For example, to change the timeout value to 60 seconds.
Filtering SSH access using ACLs
You can permit or deny SSH access to the device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL or a named standard IPv4 ACL. Then enter the following command.
BigIron RX(config)# access-list 10 permit host 192.168.144.241
BigIron RX(config)# access-list 10 deny host 192.168.144.
BigIron RX#show who
Console connections:
established, monitor enabled, in config mode
2 minutes 17 seconds in idle
Telnet connections (inbound):
1 closed
2 closed
3 closed
4 closed
5 closed
Telnet connection (outbound):
6 closed
SSH connections:
1 established, client ip address 192.168.144.241, 1 minutes 16 seconds in idle
2 established, client ip address 192.168.144.241, you are connecting to this session 18 seconds in idle
3 established, client ip address 192.168.144.
NOTE
When using SCP, you enter the scp commands on the SCP-enabled client, rather than the console on the device.
NOTE
Certain SCP client options, including -p and -r, are ignored by the SCP server on the device. If an option is ignored, the client is notified.
To copy a configuration file (c:\cfg\brocade.cfg) to the running configuration file on a device at 192.168.1.50 and log in as user terry, enter the following command on the SCP-enabled client.
C:\> scp c:\cfg\brocade.
Chapter 31: Configuring Multi-Device Port Authentication
How multi-device port authentication works
Multi-device port authentication is a way to configure a BigIron RX to forward or block traffic from a MAC address based on information received from a RADIUS server.
Authentication-failure actions
If the MAC address does not match the username and password of an entry in the users database on the RADIUS server, then the RADIUS server returns an Access-Reject message. When this happens, it is considered an authentication failure for the MAC address.
Support for authenticating multiple MAC addresses on an interface
The multi-device port authentication feature allows multiple MAC addresses to be authenticated or denied authentication on each interface. The maximum number of MAC addresses that can be authenticated on each interface is 256. The default is 32.
Support for multi-device port authentication and 802.1x on the same interface
On the BigIron RX, multi-device port authentication and 802.
You can enable the feature on an interface at the interface CONFIG level.
Configuring an authentication method list for 802.1x
To use 802.1x port security, you must specify an authentication method to be used to authenticate Clients. Brocade supports RADIUS authentication with 802.1x port security. To use RADIUS authentication with 802.1x port security, you create an authentication method list for 802.
• FilterId (11) – RFC 2865
• Vendor-Specific Attributes (26) – RFC 2865
• Tunnel-Type (64) – RFC 2868
• Tunnel-Medium-Type (65) – RFC 2868
• EAP Message (79) – RFC 2579
• Tunnel-Private-Group-Id (81) – RFC 2868
Specifying the format of the MAC addresses sent to the RADIUS server
When multi-device port authentication is configured, the device authenticates MAC addresses by sending username and password information to a RADIUS server.
To configure the device to drop traffic from non-authenticated MAC addresses in hardware, enter commands such as the following.
BigIron RX(config)# interface e 3/1
BigIron RX(config-if-e100-3/1)# mac-authentication auth-fail-action block-traffic
Syntax: [no] mac-authentication auth-fail-action block-traffic
Dropping traffic from non-authenticated MAC addresses is the default behavior when multi-device port authentication is enabled.
Syntax: [no] mac-authentication enable-dynamic-vlan
Dynamic multiple VLAN assignment for multi-device port authentication
When you add attributes to a user profile on the RADIUS server, the value for the Tunnel-Private-Group-ID attribute can specify the name or number of one or more VLANs configured on the Brocade device. For example, to specify an untagged VLAN, use the following.
For a configuration example, refer to “Configuring dynamic VLAN assignment for 802.1x ports” on page 972.
Configuring a port to remain in the restricted VLAN after a successful authentication attempt
If a previous authentication attempt for a MAC address failed, and as a result the port was placed in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS Access-Accept message may specify a VLAN for the port.
Enabling dynamic VLAN support for tagged packets on non-member VLAN ports

By default, the Brocade device drops tagged packets that are received on non-member VLAN ports. This process is called ingress filtering. Since the MAC addresses of the packets are not learned, authentication does not take place. The Brocade device can authenticate clients that send tagged packets on non-member VLAN ports. This enables the Brocade device to add the VLAN dynamically.
The port-configured-vlan keyword removes the port from its RADIUS-assigned VLAN and places it back in the VLAN where it was originally assigned. This is the default.

The port-restrict-vlan keyword removes the port from its RADIUS-assigned VLAN and places it in the restricted VLAN.

The system-default-vlan keyword removes the port from its RADIUS-assigned VLAN and places it in the DEFAULT-VLAN.
Disabling aging for authenticated MAC addresses

MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no traffic is received from the MAC address for a certain period of time.

• Authenticated MAC addresses or non-authenticated MAC addresses that have been placed in the restricted VLAN are aged out if no traffic is received from the MAC address over the device’s normal MAC aging interval.
You can specify from 1 – 65535 seconds. The default is 120 seconds.
BigIron RX# show auth-mac configuration
Feature enabled          : Yes
Global Fail-VLAN Id      : None
Username/Password format : xxxx.xxxx.
TABLE 149 Output from the show auth-mac-address configuration command (Continued)

This field...   Displays...
MAC-filter      Whether a MAC filter has been applied to this port to specify pre-authenticated MAC addresses.
DOS Enable      Denial of Service status. This column will always show "No" since DOS is not supported.
Protect Limit   This is not applicable to the device, but the output always shows "512".
TABLE 150 Output from the show authenticated-mac-address command (Continued)

This field...           Displays...
Port VLAN               The VLAN to which the port is assigned, and whether the port had been dynamically assigned to the VLAN by a RADIUS server.
DOS attack protection   Whether denial of service attack protection has been enabled for multi-device port authentication, limiting the rate of authentication attempts sent to the RADIUS server.
TABLE 151 Output from the show auth-mac-address command (Continued)

This field...   Displays...
Access          Whether the MAC address was allowed or denied access into the network.
Age             The age of the MAC address entry in the authenticated MAC address list.

Displaying the authenticated MAC addresses

To display the MAC addresses that have been successfully authenticated, enter the following command.

Example configurations

Multi-device port authentication with dynamic VLAN assignment

Figure 120 illustrates multi-device port authentication with dynamic VLAN assignment on a Brocade device. In this configuration, a PC and an IP phone are connected to a hub, which is connected to port 2/1 on a Brocade device.
The mac-authentication disable-ingress-filtering command enables tagged packets on the port, even if the port is not a member of the VLAN. If this feature is not enabled, authentication works as in “Example 2”.

Example 2

Figure 121 illustrates multi-device port authentication with dynamic VLAN assignment on a Brocade device. In this configuration, a PC and an IP phone are connected to a hub, which is connected to port 2/1 on a Brocade device.
The part of the running-config related to multi-device port authentication would be as follows.

mac-authentication enable
mac-authentication auth-fail-vlan-id 1023
interface ethernet 2/1
 mac-authentication enable
 mac-authentication auth-fail-action restrict-vlan
 mac-authentication enable-dynamic-vlan

Examples of multi-device port authentication and 802.
FIGURE 122 Using multi-device port authentication and 802.1X authentication on the same port

[Figure: a RADIUS server and a BigIron switch whose port e1/3 is in dual mode, connected through a hub to an untagged PC (MAC 0002.3f7f.2e0a) and a tagged IP phone (MAC 0050.048e.86ac). The RADIUS server holds these profiles:
User 0050.048e.86ac (IP Phone): Foundry-802_1x-enable = 0, Tunnel-Private-Group-ID = T:IP-Phone-VLAN
User 0002.3f7f.2e0a (PC): Foundry-802_1x-enable = 1, Tunnel-Private-Group-ID = U:Login-VLAN
User 1: Tunnel-Private-Group-ID = U:IP-User-VLAN]
When the PC is authenticated using multi-device port authentication, the port PVID is changed to “Login-VLAN”, which is VLAN 1024 in this example. When User 1 is authenticated using 802.1X authentication, the port PVID is changed to “User-VLAN”, which is VLAN 3 in this example.

Example 2

The configuration in Figure 123 requires that you create a profile on the RADIUS server for each MAC address from which a device or user can connect to the network.
Since there is no profile for the PC MAC address on the RADIUS server, multi-device port authentication for this MAC address fails. Ordinarily, this would mean that the PVID for the port would be changed to that of the restricted VLAN, or traffic from this MAC would be blocked in hardware. However, the device is configured to perform 802.
Chapter 32 Using the MAC Port Security Feature and Transparent Port Flooding

This chapter discusses the MAC Port Security and transparent port flooding features.

MAC Port Security

The MAC Port Security feature restricts unauthorized access to an interface by limiting and identifying MAC addresses that are allowed to access an Ethernet interface on a device. You can configure the BigIron RX with a limited number of “secure” MAC addresses on an interface.
Local and global resources

The MAC Port Security feature uses a concept of local and global “resources” to determine how many MAC addresses can be secured on each interface. In this context, a “resource” is the ability to store one secure MAC address entry. Each interface is allocated 64 local resources. When the MAC Port Security feature is enabled, the interface can store up to 64 secure MAC addresses using local resources.
To disable the feature on all interfaces at once, enter the following commands.

BigIron RX(config)# global-port-security
BigIron RX(config-port-security)# no enable

Syntax: [no] global-port-security
Syntax: [no] enable

Enabling MAC Port Security on an interface

To enable the feature on a specific interface, enter commands such as the following.
Specifying static secure MAC addresses

Static secure MAC addresses can be specified only on an interface. The number of static secure MAC addresses you can add depends on the maximum number of MAC addresses allowed on an interface. The maximum is 64. To specify a secure MAC address on an interface, enter commands such as the following.
You can specify 15 – 1440 minutes. By default, secure MAC addresses are not autosaved to the startup-config file.

Setting the MAC Port Security age timer

By default, the learned MAC addresses stay secure indefinitely. The entries are cleared only when MAC Port Security is disabled or a clear port-secure command is issued. You can optionally configure the device to age out secure MAC addresses after a specified amount of time.
• Deny the packet from the unauthorized MAC address, but allow packets from secure MAC addresses.

These actions can be configured on the global or interface level. The violation action on the global level is not used if a violation action is configured on the interface level.

Shutdown the interface

By default, the device shuts down the interface on the first violation.
BigIron RX(config)# int e 7/11
BigIron RX(config-if-e100-7/11)# port security
BigIron RX(config-port-security-e100-7/11)# violation restrict 3200

Syntax: violation restrict [<#-denied-packets-processed> | force]

Enter 1 – 64000 for #-denied-packets-processed. There is no default.
However, when deny-log-rate is configured,

interface ethernet 14/1
 disable
 port security
  enable
  maximum 5
  violation restrict 1000
  deny-log-rate 4
  secure-mac-address 0000.0022.2222 10
  secure-mac-address 0000.0022.2223 10
  secure-mac-address 0000.0022.2224 10
  secure-mac-address 0000.0022.2225 10
  secure-mac-address 0000.0022.2226 10

The following Syslog messages are generated.

Mar 10 17:38:51:I:Port security denied pkt: 198.19.1.2 -> 198.19.1.
• If shutdown or restrict is the violation action configured at the global level and no violation action is configured at the interface level, then the interface inherits the secure MAC list configured at the global level.
• If deny is the violation action at the global level and no violation action is configured at the interface level, then the interface inherits the global deny MAC list.
• If the violation action configured for an interface is the same as the action the interface is currently inheriting from the global level, then the violation action for the interface is applied to the interface. It no longer inherits the action at the global level.

Re-enabling an interface

The violation shutdown and violation restrict actions have options that can be configured to cause an interface to shut down.
BigIron RX# show port security
Port  Security  MacAddrs    Violation                            PortShutdn(minutes)  SecureMac  Learn
                Learnt/Max  Total/Count/Type                     Status/Time/Remain   AgeTime
----- --------- ----------- ------------------------------------ -------------------- ---------- -----
1/1   disabled  0/1         0/ 0/shutdown                        no/permanent         permanent  yes
1/2   disabled  0/1         0/ 0/shutdown                        no/permanent         permanent  yes
1/3   disabled  0/1         0/ 0/shutdown                        no/permanent         permanent  yes
1/4   disabled  0/1         0/ 0/shutdown                        no/permanent         permanent  yes
1/
TABLE 153 Output from the show port security mac command

This field...         Displays...
Port                  The slot and port number of the interface.
Count                 The number of MAC addresses secured on this interface.
Secure-Src-Addr (S)   The secure MAC address. (S) means "secure".
VLAN                  ID of the VLAN to which the interface is assigned.
Age-Left              The number of minutes the MAC address will remain secure.
TABLE 155 Output from the show port security statistics command (Continued)

This field...          Displays...
Total violations       The number of security violations encountered on the module.
Total shutdown ports   The number of interfaces on the module shut down as a result of security violations.

Displaying a list of MAC addresses

To display the list of all MAC addresses in the MAC table, enter the following commands.
TABLE 156 Output from the show port security mac command

This field...                     Displays...
Ports                             The ID of the interface.
Count                             The total number of times the secure or denied MAC address was received on the interface.
Secure-Addr (S) / Deny-Addr (D)   The secure or denied MAC address that was received on the interface. Secure MAC addresses are labeled with (S), while denied MAC addresses are labeled with (D).
VLAN                              The VLAN on which the MAC address was received.
BigIron RX# show port security global-deny
Global deny is enabled.
Configured macs/Max macs = 1/512
Count Deny-Addr          Vlan
----- ------------------ ----
1     0030.0000.00a2     1200

Syntax: show port security global-deny

TABLE 158 Output from the show port security global-deny command

This field...   Displays...
Count           The total number of times the MAC address was received on the device.
Deny-Src-Addr   The denied MAC address that was received on the interface.
0 runts, 0 giants, DMA received 0 packets
0 packets output, 0 bytes, 0 underruns
Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
0 output errors, 0 collisions, DMA transmitted 0 packets
Chapter 33 Configuring 802.1x Port Security

Overview of 802.1x port security

BigIron RX supports the IEEE 802.1x standard for authenticating devices attached to LAN ports. Using 802.1x port security, you can configure a BigIron RX to grant access to a port based on information supplied by a client to an authentication server. When a user logs on to a network that uses 802.
FIGURE 124 Authenticator, Client/Supplicant, and Authentication Server in an 802.1x configuration

[Figure: RADIUS Server (Authentication Server), BigIron Device (Authenticator), Client/Supplicant]

Authenticator – The device that controls access to the network. In an 802.1x configuration, the BigIron RX serves as the Authenticator. The Authenticator passes messages between the Client and the Authentication Server.
FIGURE 125 Authenticator PAE and supplicant PAE

[Figure: the Authentication Server exchanges RADIUS messages with the Authenticator PAE on the BigIron Device (Authenticator), which exchanges EAPOL messages with the Supplicant PAE on the 802.1X-enabled Supplicant]

Authenticator PAE – The Authenticator PAE communicates with the Supplicant PAE, receiving identifying information from the Supplicant.
FIGURE 126 Controlled and uncontrolled ports before and after client authentication

[Figure: two panels, before and after authentication, each showing the Authentication Server, the Services and PAE of the BigIron Device (Authenticator), the Controlled Port (Unauthorized before, Authorized after), the Uncontrolled Port, and the Physical Port and PAE of the 802.1X-Enabled Supplicant]
BigIron RX devices support MD5-challenge, TLS, and any other EAP-encapsulated authentication types in EAP Request/Response messages. In other words, the BigIron RX devices are transparent to the authentication scheme used.

Authenticating multiple clients connected to the same port

BigIron RX devices support 802.1x authentication for ports with more than one Client connected to them.
How 802.1x multiple client authentication works

When multiple clients are connected to a single 802.1x-enabled port on a BigIron RX (as in Figure 128), 802.1x authentication is performed in the following way.

1. One of the 802.1x-enabled Clients attempts to log into a network in which a BigIron RX serves as an Authenticator.
2. The BigIron RX creates an internal session (called a dot1x-mac-session) for the Client.
• When a Client has been denied access to the network, its dot1x-mac-session is aged out if no traffic is received from the Client’s MAC address over a fixed hardware aging period (70 seconds), plus a configurable software aging period. You can optionally change the software aging period for dot1x-mac-sessions or disable aging altogether.
Configuring an authentication method list for 802.1x

To use 802.1x port security, you must specify an authentication method to be used to authenticate Clients. Brocade supports RADIUS authentication with 802.1x port security. To use RADIUS authentication with 802.1x port security, you create an authentication method list for 802.1x and specify RADIUS as an authentication method, then configure communication between the BigIron RX and RADIUS server. For example.
• Tunnel-Type (64) – RFC 2868
• Tunnel-Medium-Type (65) – RFC 2868
• EAP Message (79) – RFC 2579
• Tunnel-Private-Group-Id (81) – RFC 2868

Configuring dynamic VLAN assignment for 802.1x ports

Brocade’s 802.1x implementation supports assigning a port to a VLAN dynamically, based on information received from an Authentication (RADIUS) Server.
• If the string does not match the name of a VLAN, the BigIron RX checks whether the string, when converted to a number, matches the ID of a VLAN configured on the device. If it does, then the client’s port is placed in the VLAN with that ID.
• If the string does not match either the name or the ID of a VLAN configured on the device, then the client will not become authorized.

The show interface command displays the VLAN to which an 802.
When strict security mode is enabled:

• If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to an existing filter (that is, a MAC address filter or IP ACL configured on the device), then the client will not be authenticated, regardless of any other information in the message (for example, if the Tunnel-Private-Group-ID attribute specifies a VLAN to which to assign the port).
Dynamically applying existing ACLs or MAC address filters

When a port is authenticated using 802.1x security, an IP ACL or MAC address filter that exists in the running configuration on the BigIron RX can be dynamically applied to the port. To do this, you configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the Brocade IP ACL or MAC address filter.
• Multiple IP ACLs and MAC address filters can be specified in the Filter-ID attribute, allowing multiple filters to be simultaneously applied to an 802.1x authenticated port. Use commas, semicolons, or carriage returns to separate the filters (for example ip.3.in,mac.2.in).
• If 802.1x is enabled on a VE port, ACLs, dynamic (802.1x assigned) or static (user configured), cannot be applied to the port.
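The following model, added here as an illustration and not Brocade code, walks through the Access-Accept handling the preceding sections describe: Tunnel-Private-Group-ID matched first as a VLAN name and then as a VLAN ID, a Filter-ID list split on commas, semicolons or carriage returns, and the strict-security rule that an unknown filter rejects the client. The U:/T: prefix handling (taken from the figures in this guide), the function names and the sample VLAN and filter configuration are assumptions.

```python
"""Model of how a BigIron RX, as this chapter describes it, turns the attributes
of a RADIUS Access-Accept into a port authorization decision for an 802.1x
client. Added illustration only, not Brocade code: the names, the U:/T:
prefix handling and the sample configuration are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AuthDecision:
    authorized: bool
    vlan_id: Optional[int] = None                      # VLAN the port is placed in
    tagged: bool = False                               # True for a T: (tagged) value
    filters: List[str] = field(default_factory=list)   # filters applied to the port
    reason: str = ""


# Constructed device state: VLAN names -> IDs and the filters present in the
# running-config. Login-VLAN (1024) and User-VLAN (3) follow the chapter's
# example; the rest are made up for this illustration.
CONFIGURED_VLANS: Dict[str, int] = {
    "DEFAULT-VLAN": 1,
    "User-VLAN": 3,
    "IP-Phone-VLAN": 1023,
    "Login-VLAN": 1024,
}
CONFIGURED_FILTERS: Set[str] = {"ip.3.in", "mac.2.in", "ip.100.in"}


def resolve_vlan(group_id: str, vlans: Dict[str, int]) -> Tuple[Optional[int], bool]:
    """Resolve a Tunnel-Private-Group-ID value to (vlan_id, tagged).

    The figures in this guide write the value as U:<vlan> or T:<vlan>; this
    model assumes U means untagged and T tagged membership. The part after
    the prefix is compared with VLAN names first, then converted to a number
    and compared with VLAN IDs. (None, False) means nothing matched.
    """
    tagged = False
    value = group_id.strip()
    match = re.fullmatch(r"([UT]):(.+)", value)
    if match:
        tagged = match.group(1) == "T"
        value = match.group(2).strip()
    if value in vlans:                                        # 1. VLAN name
        return vlans[value], tagged
    if value.isdigit() and int(value) in vlans.values():      # 2. VLAN ID
        return int(value), tagged
    return None, False


def parse_filter_id(filter_id: str) -> List[str]:
    """Split a Filter-ID value such as 'ip.3.in,mac.2.in' into filter names;
    commas, semicolons and carriage returns are all accepted as separators."""
    return [f.strip() for f in re.split(r"[,;\r\n]+", filter_id) if f.strip()]


def process_access_accept(attrs: Dict[str, str],
                          vlans: Dict[str, int] = CONFIGURED_VLANS,
                          filters: Set[str] = CONFIGURED_FILTERS) -> AuthDecision:
    """Apply the strict-security-mode rules to one Access-Accept's attributes."""
    requested = parse_filter_id(attrs.get("Filter-Id", ""))
    missing = [f for f in requested if f not in filters]
    if missing:
        # Strict security mode: a filter that does not exist rejects the client
        # even when Tunnel-Private-Group-ID names a valid VLAN.
        return AuthDecision(False, reason="Filter-Id names missing filter(s): " + ", ".join(missing))

    vlan_id, tagged = None, False
    if "Tunnel-Private-Group-Id" in attrs:
        vlan_id, tagged = resolve_vlan(attrs["Tunnel-Private-Group-Id"], vlans)
        if vlan_id is None:
            return AuthDecision(False, reason="Tunnel-Private-Group-Id matches no VLAN name or ID")

    return AuthDecision(True, vlan_id, tagged, requested, "authorized")


if __name__ == "__main__":
    # Constructed attribute sets, modelled on the PC and IP phone profiles
    # of the guide's Figure 122.
    for sample in (
        {"Tunnel-Private-Group-Id": "U:Login-VLAN"},
        {"Tunnel-Private-Group-Id": "T:1023", "Filter-Id": "ip.3.in,mac.2.in"},
        {"Tunnel-Private-Group-Id": "U:Guest-VLAN"},
        {"Tunnel-Private-Group-Id": "U:Login-VLAN", "Filter-Id": "ip.99.in"},
    ):
        print(sample, "->", process_access_accept(sample))
```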
At the dot1x configuration level, you can enable 802.1x port security on all interfaces at once, on individual interfaces, or on a range of interfaces. For example, to enable 802.1x port security on all interfaces on the device, enter the following command.

BigIron RX(config-dot1x)# enable all

Syntax: [no] enable all

To enable 802.1x port security on interface 3/11, enter the following command.
force-unauthorized – The controlled port is placed unconditionally in the unauthorized state.

auto – The controlled port is unauthorized until authentication takes place between the Client and Authentication Server. Once the Client passes authentication, the port becomes authorized. This has the effect of activating authentication on an 802.1x-enabled interface.

NOTES: You cannot enable 802.
For example, to re-authenticate Clients connected to interface 3/1, enter the following command.

BigIron RX# dot1x re-authenticate e 3/1

Syntax: [no] dot1x re-authenticate

Setting the quiet period

If the BigIron RX is unable to authenticate the Client, the BigIron RX waits a specified amount of time before trying again. The amount of time the BigIron RX waits is specified with the quiet-period parameter.
Syntax: maxreq

Specifying a timeout for retransmission of messages to the authentication server

When performing authentication, the BigIron RX receives EAPOL frames from the Client and passes the messages on to the RADIUS server. The device expects a response from the RADIUS server within 30 seconds. If the RADIUS server does not send a response within 30 seconds, the BigIron RX retransmits the message to the RADIUS server.
• Specify the authentication-failure action
• Specify the number of authentication attempts the device makes before dropping packets
• Disable aging for dot1x-mac-sessions
• Configure the aging time for blocked Clients
• Clear the dot1x-mac-session for a MAC address

Specifying the authentication-failure action

In an 802.
Clearing a dot1x-mac-session for a MAC address

You can clear the dot1x-mac-session for a specified MAC address, so that the Client with that MAC address can be re-authenticated by the RADIUS server. For example,

BigIron RX# clear dot1x mac-session 00e0.1234.abd4

Syntax: clear dot1x mac-session

Displaying 802.1x information

You can display the following 802.1x-related information:

• Information about the 802.
TABLE 160 Output from the show dot1x command

This field...             Displays...
PAE Capability            The Port Access Entity (PAE) role for the BigIron RX device. This is always “Authenticator Only”.
system-auth-control       Whether system authentication control is enabled on the device. The dot1x-enable command enables system authentication control on the device.
Number of ports enabled   Number of interfaces on the device that have been enabled for 802.1x.
TABLE 160 Output from the show dot1x command (Continued)

This field...             Displays...
Mac Session Aging         Whether aging for dot1x-mac-sessions has been enabled or disabled for permitted or denied dot1x-mac-sessions.
Mac Session max-age       The configured software aging time for dot1x-mac-sessions.
Maximum Failed Attempts   The number of failed authentication attempts, if the authentication-failure action shows Restricted VLAN,

To display information about the 802.
BigIron RX# show dot1x statistics e 3/3
Port 1/3 Statistics:
RX EAPOL Start:                   0
RX EAPOL Logoff:                  0
RX EAPOL Invalid:                 0
RX EAPOL Total:                   2
RX EAP Resp/Id:                   1
RX EAP Resp other than Resp/Id:   1
RX EAP Length Error:              0
Last EAPOL Version:               1
Last EAPOL Source:                0050.da0b.
TX EAPOL Total:
TX EAP Req/Id:
TX EAP Req other than Req/Id:
Num Sessions:
Num Restricted Sessions:
Num Authorized Sessions:
Clearing 802.1x statistics

You can clear the 802.1x statistics counters on all interfaces at once, on individual interfaces, or on a range of interfaces. For example, to clear the 802.1x statistics counters on all interfaces on the device, enter the following command.

BigIron RX# clear dot1x statistics all

Syntax: clear dot1x statistics all

To clear the 802.1x statistics counters on interface e 3/11, enter the following command.
Displaying information on MAC address filters and IP ACLs on an interface

You can display information about the user-defined and dynamically applied MAC address filters and IP ACLs currently active on an interface.

Displaying MAC address filters applied to an 802.1x-enabled port

Use the show dot1x mac-address command to display information about MAC filters applied to an interface. If the MAC address filter is dynamically assigned by 802.
When the dynamically assigned IP ACL is removed from the port, the display shows the following information.

BigIron RX#show dot1x ip-acl ethernet 1/1
Port 1/1 IP ACL information:
 Port default IP ACL in: ip access-list 100 in
 No outbound ip access-list is set

Syntax: show dot1x ip-acl [all | ethernet | | begin | exclude | include ]

The all keyword displays all dynamically applied IP ACLs active on the device.
TABLE 163 Output from the show dot1x mac-session command (Continued)

This field...   Displays...
ACL             Whether or not an IP ACL is applied to incoming (i) and outgoing (o) traffic on the interface.
MAC             Whether or not a MAC filter is applied to the port.
Age             The software age of the dot1x-mac-session.

Displaying information about the ports in an 802.1x multiple client configuration

To display information about the ports in an 802.
Point-to-point configuration

Figure 129 illustrates a sample 802.1x configuration with Clients connected to three ports on the BigIron RX device. In a point-to-point configuration, only one 802.1x Client can be connected to each port.

FIGURE 129 Sample point-to-point 802.1x configuration

[Figure: RADIUS Server (Authentication Server) 192.168.9.22; BigIron Device (Authenticator) with ports e2/1, e2/2 and e2/3; Clients/Supplicants running 802.
Hub configuration

Figure 130 illustrates a configuration where three 802.1x-enabled Clients are connected to a hub, which is connected to a port on the BigIron RX device. The configuration is similar to that in Figure 129, except that 802.1x port security is enabled on only one port, and the multiple-hosts command is used to allow multiple Clients on the port.

FIGURE 130 Sample 802.1x configuration using a hub

[Figure: RADIUS Server (Authentication Server) 192.168.9.
802.1X authentication with dynamic VLAN assignment

Figure 131 illustrates 802.1X authentication with dynamic VLAN assignment. In this configuration, two user PCs are connected to a hub, which is connected to port 2/1. Port 2/1 is configured as a dual-mode port. Both PCs transmit untagged traffic. The profile for User 1 on the RADIUS server specifies that User 1 PC should be dynamically assigned to VLAN 3.
!
interface ethernet 2/1
 dot1x port-control auto

If User 1 is successfully authenticated before User 2, the PVID for port 2/1 would be changed from the default VLAN to VLAN 3. Had User 2 been the first to be successfully authenticated, the PVID would be changed to 20, and User 1 would not be able to gain access to the network. If there were only one device connected to the port that was sending untagged traffic, and 802.
Chapter 34 Protecting Against Denial of Service Attacks

In a Denial of Service (DoS) attack, a router is flooded with useless packets, hindering normal operation. The BigIron RX includes measures for defending against two types of DoS attacks, Smurf attacks and TCP SYN attacks.

Protecting against Smurf attacks

A Smurf attack is a kind of DoS attack where an attacker causes a victim to be flooded with ICMP echo (Ping) replies sent from another network. Figure 132 illustrates how a Smurf attack works.
Avoiding being an intermediary in a Smurf attack

A Smurf attack relies on the intermediary to broadcast ICMP echo request packets to hosts on a target subnet. When the ICMP echo request packet arrives at the target subnet, it is converted to a Layer 2 broadcast and sent to the connected hosts. This conversion takes place only when directed broadcast forwarding is enabled on the device.
• If the total traffic volume (in bits per second) of packets that match the condition specified in the ACL exceeds the burst-normal value, the excess packets are dropped.
• If the number of packets that match the condition specified in the ACL exceeds the burst-max value, all packets that match the condition specified in the ACL are dropped for the number of seconds specified by the lockup value.
BigIron RX(config)# access-list 101 permit tcp any any match-all +syn
BigIron RX(config)# int e 3/11
BigIron RX(config-if-e100-3/11)# dos-attack-prevent 101 burst-normal 5000000 burst-max 1000 lockup 300

TCP security enhancement

TCP security enhancement improves upon the handling of TCP inbound segments.
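To make the two dos-attack-prevent rules above concrete, here is a small simulation, added as an illustration and not Brocade code, that polices ACL-matched packets against burst-normal (bits per second), burst-max (packets) and lockup (seconds) and keeps the same three counters the statistics display reports. The one-second measurement window, the class and the constructed packet samples are assumptions; the parameter values in the stand-alone run are the ones from the configuration above.

```python
"""Simulation of the dos-attack-prevent behaviour this chapter describes for
ACL-matched traffic on a port. Added illustration only, not Brocade code; the
per-second window and all names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    time: float        # arrival time in seconds (constructed)
    bits: int          # packet length in bits
    matches_acl: bool  # True if the packet matches the dos-attack-prevent ACL


class DosAttackPrevent:
    def __init__(self, burst_normal_bps: int, burst_max_pkts: int, lockup_seconds: int):
        self.burst_normal = burst_normal_bps
        self.burst_max = burst_max_pkts
        self.lockup = lockup_seconds
        self.locked_until: Optional[float] = None  # end of the current lockup, if any
        self.window = -1        # index of the current one-second window
        self.window_bits = 0    # bits forwarded in the window
        self.window_pkts = 0    # matching packets seen in the window
        # Counters as reported by the DoS statistics display.
        self.packet_drop_count = 0
        self.packet_pass_count = 0
        self.port_block_count = 0

    def offer(self, pkt: Packet) -> Tuple[bool, str]:
        """Return (forwarded, reason) for one packet arriving on the port."""
        if not pkt.matches_acl:
            return True, "not policed (does not match ACL)"
        if self.locked_until is not None:
            if pkt.time < self.locked_until:
                self.packet_drop_count += 1
                return False, "port in lockup"
            self.locked_until = None            # lockup period has expired
        window = int(pkt.time)
        if window != self.window:               # start a fresh one-second window
            self.window, self.window_bits, self.window_pkts = window, 0, 0
        self.window_pkts += 1
        if self.window_pkts > self.burst_max:
            # Too many matching packets: drop all matching traffic for lockup seconds.
            self.locked_until = pkt.time + self.lockup
            self.port_block_count += 1
            self.packet_drop_count += 1
            return False, "burst-max exceeded, lockup for %d s" % self.lockup
        if self.window_bits + pkt.bits > self.burst_normal:
            self.packet_drop_count += 1         # excess over burst-normal is dropped
            return False, "burst-normal exceeded"
        self.window_bits += pkt.bits
        self.packet_pass_count += 1
        return True, "forwarded"


def run(limiter: DosAttackPrevent, packets: List[Packet]) -> List[bool]:
    """Feed packets through the limiter and return the forward/drop decisions."""
    return [limiter.offer(p)[0] for p in packets]


if __name__ == "__main__":
    # Constructed SYN flood: 1500 minimum-size (64 byte = 512 bit) SYN packets
    # within one second against the chapter's burst-normal 5000000 bps,
    # burst-max 1000 packets, lockup 300 seconds configuration.
    limiter = DosAttackPrevent(5000000, 1000, 300)
    flood = [Packet(i / 1500.0, 512, True) for i in range(1500)]
    decisions = run(limiter, flood)
    print("forwarded:", decisions.count(True), "dropped:", decisions.count(False))
    print("pass/drop/block counters:", limiter.packet_pass_count,
          limiter.packet_drop_count, limiter.port_block_count)
    # A matching packet 10 seconds later is still inside the 300 s lockup.
    print("after 10 s:", limiter.offer(Packet(10.0, 512, True)))
```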
• If the SYN bit is set and the sequence number is an exact match to the next expected sequence, the device sends an ACK segment to the peer. Before sending the ACK segment, the software subtracts one from the value being acknowledged.
• If the SYN bit is set and the sequence number is acceptable, the device sends an acknowledgement (ACK) segment to the peer.

The TCP security enhancement is enabled by default.
This field...       Displays...
Port                Port number
Packet Drop Count   Number of packets that are dropped when the port is in lockup mode.
Packet Pass Count   Number of packets that are forwarded when the port is in rate-limiting mode.
Port Block Count    Number of times the port was shut down for the particular traffic flow that matched the ACL.
Chapter 35 Inspecting and Tracking DHCP Packets

For enhanced network security, you can configure the Brocade device to inspect and keep track of Dynamic Host Configuration Protocol (DHCP) assignments. To do so, use the following features.
How DAI works

DAI allows only valid ARP requests and responses to be forwarded. A Brocade device on which DAI is configured does the following:

• Intercepts ARP packets received by the system CPU.
• Inspects all ARP requests and responses received on untrusted ports.
• Verifies that each of the intercepted packets has a valid IP-to-MAC address binding before updating the local ARP table, or before forwarding the packet to the appropriate destination.
• Inspection ARP – statically configured IP/MAC mapping, where the port is initially unspecified. The actual physical port mapping will be resolved and updated from validated ARP packets. Refer to “Configuring an inspection ARP entry” on page 1004.
• DHCP-Snooping ARP – information collected from snooping DHCP packets when DHCP snooping is enabled on VLANs.

The status of an ARP entry is either pending or valid:

• Valid – the mapping is valid, and the port is resolved.
Configuring an inspection ARP entry

Static ARP and static inspection ARP entries need to be configured for hosts on untrusted ports. Otherwise, when DAI checks ARP packets from these hosts against entries in the ARP table, it will not find any entries for them, and the Brocade device will neither allow nor learn ARP from an untrusted host. When the inspection ARP entry is resolved with the correct IP/MAC mapping, its status changes from pending to valid.
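The DAI rules above (trusted ports bypass inspection; untrusted hosts need a static inspection or DHCP-snooping binding; a pending inspection entry is resolved to a port by the first validated packet; an unknown host is neither allowed nor learned) in a toy model, added here as an illustration and not Brocade code. The class, method and field names and the sample bindings and MAC addresses are constructed assumptions.

```python
"""Toy model of Dynamic ARP Inspection on one VLAN as this chapter describes
it. Added illustration only, not Brocade code; names and sample bindings
are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class ArpEntry:
    ip: str
    mac: str
    kind: str                    # "Inspect", "Dhcp" or "Dynamic", as in the show arp Type column
    port: Optional[str] = None   # None until resolved from a validated ARP packet

    @property
    def status(self) -> str:
        return "valid" if self.port else "pending"


class DaiVlan:
    """ARP inspection state for one VLAN with DAI enabled."""

    def __init__(self, trusted_ports: Iterable[str]):
        self.trusted = set(trusted_ports)
        self.table: Dict[str, ArpEntry] = {}

    def add_inspection_entry(self, ip: str, mac: str) -> None:
        """Static inspection ARP entry: IP/MAC known, port initially unspecified."""
        self.table[ip] = ArpEntry(ip, mac.lower(), "Inspect")

    def add_dhcp_binding(self, ip: str, mac: str, port: str) -> None:
        """Binding collected by DHCP snooping, port already known."""
        self.table[ip] = ArpEntry(ip, mac.lower(), "Dhcp", port)

    def inspect(self, port: str, sender_ip: str, sender_mac: str) -> Tuple[bool, str]:
        """Decide whether an ARP request/reply arriving on `port` is forwarded.

        Returns (forwarded, reason). Only untrusted ports are inspected.
        """
        sender_mac = sender_mac.lower()
        if port in self.trusted:
            # Trusted ports bypass inspection; the sender is learned as a dynamic entry.
            self.table.setdefault(sender_ip, ArpEntry(sender_ip, sender_mac, "Dynamic", port))
            return True, "trusted port, not inspected"
        entry = self.table.get(sender_ip)
        if entry is None:
            # Untrusted host with no static inspection or DHCP-snooping entry:
            # the packet is dropped and nothing is learned.
            return False, "no binding for %s on untrusted port %s" % (sender_ip, port)
        if entry.mac != sender_mac:
            return False, "IP/MAC mismatch: table binds %s to %s" % (sender_ip, entry.mac)
        # Validated: resolve (or update) the physical port of the entry.
        entry.port = port
        return True, "valid binding (%s, %s)" % (entry.kind, entry.status)


if __name__ == "__main__":
    # Constructed VLAN: port 1/4 trusted (toward the DHCP server), others untrusted.
    vlan = DaiVlan(trusted_ports=["1/4"])
    vlan.add_inspection_entry("20.20.20.39", "0000.4623.aaaa")     # constructed MAC
    vlan.add_dhcp_binding("20.20.20.40", "0000.4623.bbbb", "2/2")  # constructed MAC
    for port, ip, mac in [("2/1", "20.20.20.39", "0000.4623.aaaa"),
                          ("2/3", "20.20.20.39", "0000.4623.cccc"),
                          ("4/1", "20.20.20.41", "0000.4623.dddd"),
                          ("1/4", "20.20.20.1", "0000.4623.eeee")]:
        print(port, ip, mac, "->", vlan.inspect(port, ip, mac))
```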
BigIron RX#show ip arp inspection vlan 2
IP ARP inspection VLAN 2: Disabled
  Trusted Ports   : ethe 1/4
  Untrusted Ports : ethe 2/1 to 2/3 ethe 4/1 to 4/24 ethe 6/1 to 6/4 ethe 8/1 to 8/4

Syntax: show ip arp inspection [vlan ]

The variable specifies the ID of a configured VLAN.

Displaying the ARP table

To display the ARP table, enter the following command.

BigIron RX#show arp
Total number of ARP entries: 10
   IP Address    MAC Address
1  20.20.20.39   0000.4623.
TABLE 166 show arp command (Continued)

This field...   Displays...
Type            The ARP type, which can be one of the following:
                • Dynamic – The Layer 3 Switch learned the entry from an incoming packet on a trusted port.
                • Inspect (Inspection ARP) – The entry from a statically configured IP/MAC mapping, where the port was initially unspecified.
                • Dhcp (DHCP-Snooping ARP) – The Layer 3 Switch learned the entry from DHCP.
FIGURE 134 DHCP snooping at work - on untrusted port

[Figure: a DHCP client request packet enters the Brocade device on an untrusted port, is snooped, and is forwarded toward the DHCP server on a trusted port]

FIGURE 135 DHCP snooping at work - on trusted port

[Figure: a DHCP server reply packet enters the Brocade device on a trusted port, is snooped, and is delivered to the DHCP client on an untrusted port]

System reboot and the binding database

To allow DAI and DHCP snooping to work smoothly across a system reboot, the binding database is saved to a file in the system
Feature                   Default
DHCP snooping             Disabled
Trust setting for ports   Untrusted

Enabling DHCP snooping on a VLAN

DHCP packets for a VLAN with DHCP snooping enabled are inspected. DHCP snooping is disabled by default. This feature must be enabled on the client and the DHCP server VLANs. To enable DHCP snooping, enter the following global command for these VLANs.

BigIron RX(config)#ip dhcp snooping vlan 2

The command enables DHCP snooping on VLAN 2.
FIGURE 136 DHCP option 82 is added to the packet

[Figure: the DHCP client request packet arrives on an untrusted port of the BigIron RX (DHCP snooping, DHCP relay agent), option 82 is inserted, and the packet is sent out a trusted port to the DHCP server]

FIGURE 137 DHCP option 82 is removed from the packet

[Figure: the DHCP server reply packet arrives on a trusted port carrying option 82; the BigIron RX removes option 82 and forwards the reply out the untrusted port to the DHCP client]

The option 82 insertion/deletion feature is available only when DHCP snooping
Displaying DHCP snooping status and ports

To display the DHCP snooping status for a VLAN and the trusted or untrusted ports in the VLAN, enter the following command.
IP source guard

IP source guard is used on client ports to prevent IP source address spoofing. Generally, IP source guard is used together with DHCP snooping and Dynamic ARP Inspection on untrusted ports. When IP source guard is first enabled, the client port allows only DHCP packets, and blocks all other IP traffic. When the system learns a valid IP address on the port, the client port then allows IP traffic. Client ports permit only the traffic with valid source IP addresses.
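DHCP snooping, Dynamic ARP Inspection and IP source guard all act on one binding table, which the sections above describe one feature at a time. The following added example (a model written for this page, not the switch's implementation) puts the three policies in a single per-packet decision so the interplay is visible: server messages are accepted only on trusted ports, an ACK creates a binding for the port the request came from, ARP from untrusted ports must match that binding, and an IP source guard port passes only DHCP until a binding exists. Port names, VLAN number and addresses are constructed to mirror the trusted/untrusted layout shown earlier on this page.

```python
"""Port-policy model of DHCP snooping, Dynamic ARP Inspection (DAI) and IP
source guard sharing one binding table.

Added example, not the BigIron RX implementation; packets are constructed
records rather than real frames. Port names, VLAN numbers and addresses are
assumptions chosen to mirror the trusted/untrusted layout on this page."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Packet:
    port: str                 # ingress port, e.g. "2/1"
    vlan: int
    kind: str                 # "dhcp_request", "dhcp_offer", "dhcp_ack", "arp", "ip"
    src_mac: str = ""         # frame source MAC; ARP sender MAC for "arp"
    src_ip: str = ""          # IP source for "ip"; ARP sender IP for "arp"
    client_mac: str = ""      # chaddr of a DHCP message
    client_ip: str = ""       # yiaddr of a DHCP ACK


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted: Set[str], snooping_vlans: Set[int],
                 dai_vlans: Set[int], ipsg_ports: Set[str]):
        self.trusted, self.snooping_vlans = trusted, snooping_vlans
        self.dai_vlans, self.ipsg_ports = dai_vlans, ipsg_ports
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (ip, vlan) -> binding
        self._pending: Dict[Tuple[str, int], str] = {}       # (chaddr, vlan) -> request port

    def _binding(self, ip: str, vlan: int) -> Optional[Binding]:
        return self.bindings.get((ip, vlan))

    def process(self, p: Packet) -> str:
        """Return "forward" or "drop: <reason>" for one ingress packet."""
        trusted = p.port in self.trusted
        snooped = p.vlan in self.snooping_vlans

        # DHCP snooping: server messages only from trusted ports; ACKs create bindings.
        if p.kind in ("dhcp_offer", "dhcp_ack"):
            if snooped and not trusted:
                return "drop: DHCP server message on untrusted port %s" % p.port
            if p.kind == "dhcp_ack" and snooped:
                port = self._pending.pop((p.client_mac, p.vlan), None)
                if port is not None:
                    self.bindings[(p.client_ip, p.vlan)] = Binding(p.client_ip, p.client_mac, p.vlan, port)
            return "forward"
        if p.kind == "dhcp_request":
            if snooped and not trusted:
                self._pending[(p.client_mac, p.vlan)] = p.port
            return "forward"   # DHCP passes even on an IPSG port that has no binding yet

        # DAI: ARP from an untrusted port must match an IP/MAC/port binding.
        if p.kind == "arp":
            if trusted or p.vlan not in self.dai_vlans:
                return "forward"
            b = self._binding(p.src_ip, p.vlan)
            if b is None or b.mac != p.src_mac or b.port != p.port:
                return "drop: ARP sender %s/%s has no binding on port %s" % (p.src_ip, p.src_mac, p.port)
            return "forward"

        # IP source guard: other IP traffic only from a source learned on this port.
        if p.kind == "ip" and p.port in self.ipsg_ports:
            b = self._binding(p.src_ip, p.vlan)
            if b is None or b.port != p.port:
                return "drop: source %s not learned on port %s" % (p.src_ip, p.port)
        return "forward"
```

Running the scenario in the order DHCP request, rogue OFFER on the client port, ACK from the trusted port, then ARP and IP traffic shows each feature taking effect at the point the text describes: the rogue server message is dropped, the ACK populates the table, and only the bound address may then source ARP or IP packets on that port.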
Chapter 36 Securing SNMP Access

Simple Network Management Protocol (SNMP) is a set of protocols for managing complex networks. SNMP sends messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters. This chapter introduces a few methods used to secure SNMP access to the BigIron RX.
Establishing SNMP community strings

Syntax: snmp-server community [0] ro | rw [view ] [ | ]

By default, the community string is encrypted. When you save the new community string to the startup configuration file, the software adds the following command to the file.

snmp-server community 1 rw

If you want to create a non-encrypted community string, use the 0 option as in the following example.
Using the user-based security model

SNMP version 3 (RFC 2570 through 2575) introduces a User-Based Security model (RFC 2574) for authentication and privacy services. SNMP version 1 and version 2 use community strings to authenticate SNMP access to management modules. This method can still be used for authentication.
5. Create user accounts and associate these accounts to user groups using the snmp-server user command. Refer to “Defining an SNMP user account” on page 1017.

If SNMP version 3 is not configured, then community strings by default are used to authenticate access.

Defining the engine ID

A default engine ID is generated during system start up. To determine what the default engine ID of the device is, enter the show snmp engineid command and find the following line.
Syntax: [no] snmp-server group v1 | v2c | v3 auth | noauth | priv [access ] [read ] [write ]

NOTE
This command is not used for SNMP version 1 and SNMP version 2. In these versions, groups and group views are created internally using community strings. (Refer to “Establishing SNMP community strings” on page 1013.) When a community string is created, two groups are created, based on the community string name.
• Advanced Encryption Standard (AES) – The 128-bit encryption standard adopted by the U.S. government. This standard is a symmetric cipher algorithm chosen by the National Institute of Standards and Technology (NIST) as the replacement for DES.

Here is an example of how to create the account.

BigIron RX(config)# snmp-s user bob admin v3 access 2 auth md5 bobmd5 priv des bobdes

The CLI for creating SNMP version 3 users has been updated as follows.
The priv [encrypted] des parameter is optional after you enter the md5 or sha password. The priv parameter defines the type of encryption that will be used to encrypt the privacy password. If the "encrypted" keyword is used, enter a 16-octet DES key in hexadecimal format for the des-password. If the "encrypted" keyword is not used, enter a password string of at least 8 characters.
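The two forms of the privacy parameter (a password string, or a 16-octet key in hexadecimal) are related by the USM key derivation of RFC 3414: the password is expanded and hashed into Ku, and Ku is then localized to this engine's ID to give Kul, the key actually used on the wire. The following added example (not Brocade code; it is a straightforward implementation of RFC 3414 appendix A) performs both steps and shows why the engine ID defined earlier in this chapter matters: the same password gives a different key on every engine. The test vectors in the usage note are the ones published in RFC 3414 A.3; nothing about the BigIron RX's own key handling beyond what this page states is assumed.

```python
"""SNMPv3 USM key derivation (RFC 3414, appendix A): password -> Ku -> Kul.

Added example, not the BigIron RX implementation. Algorithm names are
hashlib names ("md5", "sha1"); the CLI keywords md5 and sha map to them."""
import hashlib
from typing import Dict, Tuple

ONE_MEGABYTE = 1048576


def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """Ku: hash the password repeated cyclically to exactly 1,048,576 octets.

    RFC 3414 feeds the hash 64-octet buffers filled from the password in a
    loop; because 1,048,576 is a multiple of 64 this equals hashing the
    password repeated and truncated to that length."""
    if not password:
        raise ValueError("empty password")
    expanded = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algorithm, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key bound to one particular engine."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_keys(password: bytes, engine_id: bytes, algorithm: str = "md5") -> Dict[str, str]:
    """Both intermediate and localized keys, hex encoded, for inspection."""
    ku = password_to_key(password, algorithm)
    return {"ku": ku.hex(), "kul": localize_key(ku, engine_id, algorithm).hex()}


def des_priv_key(priv_password: bytes, engine_id: bytes, auth_algorithm: str = "md5") -> Tuple[str, str]:
    """CBC-DES privacy key (RFC 3414 8.1.1.1): the first 16 octets of the
    localized privacy key are the 8-octet DES key followed by the 8-octet
    pre-IV. That 16-octet value is what the 'encrypted' form of the priv
    parameter on this page takes directly in hexadecimal."""
    kul = localize_key(password_to_key(priv_password, auth_algorithm), engine_id, auth_algorithm)[:16]
    return kul[:8].hex(), kul[8:].hex()
```

With password maplesyrup and engine ID 000000000000000000000002, RFC 3414 A.3.1 gives an MD5 Kul of 526f5eed9fcce26f8964c2930787d82b and A.3.2 an SHA Kul of 6695febc9288e36282235fc7151f128497b38f3f; changing the engine ID by one octet changes Kul completely, which is why a captured localized key is only useful against the one engine it was derived for.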
Displaying user information

To display the definition of an SNMP user account, enter a command such as the following.
Defining SNMP views

You can create up to 10 views on the device. This number cannot be changed. To create an SNMP view, enter one of the following commands:

BigIron RX(config)# snmp-server view Maynes system included
BigIron RX(config)# snmp-server view Maynes system.2 excluded
BigIron RX(config)# snmp-server view Maynes 2.3.*.6 included
BigIron RX(config)# write mem

NOTE
The snmp-server view command supports the MIB objects as defined in RFC 1445.
Simple SNMP v3 configuration

BigIron RX(config)#snmp-server group admingrp v3 priv read all write all notify all
BigIron RX(config)#snmp-server user adminuser admingrp v3 auth md5 admin priv admin1
BigIron RX(config)#snmp-server host 10.3.1.44

More detailed SNMP v3 configuration

BigIron RX(config)#snmp-server view internet internet included
BigIron RX(config)#snmp-server view system system included
BigIron RX(config)#snmp-server community .....
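A view is a set of included and excluded subtrees, and a group's read and write views decide which OIDs a request may touch. The following added example (written for this page, not the switch's code) evaluates the Maynes view configured above, including the 2.3.*.6 wildcard entry, using the VACM rule from RFC 3415 that the longest matching subtree entry decides. The symbolic names system and internet are resolved to their standard OIDs (1.3.6.1.2.1.1 and 1.3.6.1); the group-to-view mapping and the "all" view used in the test are assumptions modelled on the group commands shown on this page.

```python
"""MIB view evaluation for snmp-server view entries (included/excluded
subtrees with '*' wildcards) and group read/write access checks.

Added example, not Brocade code. Tie-break between matching entries is by
subtree length (longest wins), as in RFC 3415; the named subtrees are the
standard OIDs for internet, mib-2 and system."""
from typing import Dict, List, Optional, Tuple

NAMED_SUBTREES = {"internet": "1.3.6.1", "mib-2": "1.3.6.1.2.1", "system": "1.3.6.1.2.1.1"}


def resolve(subtree: str) -> List[str]:
    """Expand a leading symbolic name ("system.2" -> 1.3.6.1.2.1.1.2) into components."""
    parts = subtree.split(".")
    if parts[0] in NAMED_SUBTREES:
        parts = NAMED_SUBTREES[parts[0]].split(".") + parts[1:]
    for p in parts:
        if p != "*" and not p.isdigit():
            raise ValueError("bad OID component %r in %r" % (p, subtree))
    return parts


class ViewTable:
    def __init__(self) -> None:
        self.views: Dict[str, List[Tuple[List[str], bool]]] = {}
        self.groups: Dict[str, Tuple[Optional[str], Optional[str]]] = {}

    def add(self, view: str, subtree: str, included: bool) -> None:
        """snmp-server view <view> <subtree> included|excluded"""
        if view not in self.views and len(self.views) >= 10:
            raise ValueError("at most 10 views can be created on the device")
        self.views.setdefault(view, []).append((resolve(subtree), included))

    @staticmethod
    def _matches(family: List[str], oid: List[str]) -> bool:
        # The OID must be within the subtree; '*' positions match any sub-identifier.
        return len(oid) >= len(family) and all(f in ("*", o) for f, o in zip(family, oid))

    def in_view(self, view: str, oid: str) -> bool:
        """True if oid is visible through the view (longest matching entry decides)."""
        parts = oid.split(".")
        best: Optional[Tuple[List[str], bool]] = None
        for family, included in self.views.get(view, []):
            if self._matches(family, parts) and (best is None or len(family) > len(best[0])):
                best = (family, included)
        return best is not None and best[1]

    def add_group(self, group: str, read_view: Optional[str] = None,
                  write_view: Optional[str] = None) -> None:
        """snmp-server group <group> ... [read <view>] [write <view>] (model)"""
        self.groups[group] = (read_view, write_view)

    def allowed(self, group: str, op: str, oid: str) -> bool:
        """op is "get" (uses the read view) or "set" (uses the write view).
        A group with no view for that operation is denied."""
        if group not in self.groups or op not in ("get", "set"):
            return False
        view = self.groups[group][0 if op == "get" else 1]
        return view is not None and self.in_view(view, oid)
```

With the Maynes view, sysDescr.0 (1.3.6.1.2.1.1.1.0) is visible, sysObjectID.0 (1.3.6.1.2.1.1.2.0) is hidden because the longer system.2 exclusion wins over the system inclusion, and interface objects are outside the view entirely; a group whose write view is unset cannot set anything even where its read view allows a get.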
Chapter 37 Enabling the Foundry Discovery Protocol (FDP) and Reading Cisco Discovery Protocol (CDP) Packets

This chapter discusses the Foundry Discovery Protocol (FDP) – a protocol used by Brocade devices to advertise themselves to other Brocade devices, and Cisco Discovery Protocol (CDP) – a protocol used by Cisco devices to advertise themselves to other Cisco devices. Brocade devices use this protocol to learn device and interface information for Cisco devices in the network.
Enabling FDP at the interface level

You can enable FDP at the interface level by entering commands such as the following.

BigIron RX(config)# int e 2/1
BigIron RX(config-if-e10000-2/1)# fdp enable

Syntax: [no] fdp enable

By default, the feature is enabled on an interface once FDP is enabled on the device.

Changing the FDP update timer

By default, a BigIron RX enabled for FDP sends an FDP update every 60 seconds. You can change the update timer to a value from 5 – 900 seconds.
NOTE
If the BigIron RX has intercepted CDP updates, then the CDP information is also displayed.

Displaying neighbor information

To display a summary list of all the Brocade neighbors that have sent FDP updates to this device, enter the following command.
TABLE 168 Detailed FDP and CDP neighbor information

This line... | Displays...
Device ID | The hostname of the neighbor. In addition, this line lists the VLAN memberships and other VLAN information for the neighbor port that sent the update to this device.
Entry address(es) | The Layer 3 protocol addresses configured on the neighbor port that sent the update to this device. If the neighbor is a Layer 2 Switch, this field lists the management IP address.
This example shows information for Ethernet port 2/3. The port sends FDP updates every 5 seconds. Neighbors that receive the updates can hold them for up to 180 seconds before discarding them.

Syntax: show fdp interface [ethernet /]

The ethernet / parameter lists the information only for the specified interface.

Displaying FDP and CDP statistics

To display FDP and CDP packet statistics, enter the following command.
Reading CDP packets

Cisco Discovery Protocol (CDP) packets are used by Cisco devices to advertise themselves to other Cisco devices. By default, a BigIron RX forwards these packets without examining their contents. You can configure a device to intercept and display the contents of CDP packets. This feature is useful for learning device and interface information for Cisco devices in the network. BigIron RX supports intercepting and interpreting CDP version 1 and 2 packets.
BigIron RX# show fdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
(*) indicates a Cisco device
Device ID      Local Int    Holdtm Capability Platform    Port ID
-------------- ------------ ------ ---------- ----------- ------------
(*)Router      Eth 1/1      124    R          cisco RSP4  FastEthernet5/0/0

Syntax: show fdp neighbors [detail | ethernet ]

To display detailed information for the neighbors, enter the following com
BigIron RX# show fdp entry *
Device ID: Router
Entry address(es):
  IP address: 207.95.6.143
Platform: cisco RSP4, Capabilities: Router
Interface: Eth 1/1, Port ID (outgoing port): FastEthernet5/0/0
Holdtime : 124 seconds
Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-JSV-M), Version 12.0(5)T1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
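The fields in the show fdp entry output above (device ID, address, platform, capabilities, port ID, holdtime) are the TLVs of the CDP payload that the BigIron RX intercepts. The following added example (not Brocade code and not from this guide) parses a CDP version 1/2 payload into those fields, decoding the capability bits with the same letter codes the show fdp neighbors output uses, and rejects a payload whose TLV lengths run past the buffer. The sample payload is constructed in the block to reproduce the neighbor shown above; the CDP checksum is not verified here, which is an assumption that a real receiver would not make.

```python
"""CDP payload (version/TTL/checksum header followed by TLVs) parser.

Added example, not Brocade code. TLV type numbers and the capability bit
layout are the standard CDP ones; the checksum field is read but not
verified (assumption made to keep the example short)."""
import struct
from typing import Any, Dict, List

# Capability bits and the letter codes used in the show fdp neighbors output.
CAPABILITY_CODES = [(0x01, "R"), (0x02, "T"), (0x04, "B"), (0x08, "S"),
                    (0x10, "H"), (0x20, "I"), (0x40, "r")]
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 1, 2, 3
TLV_CAPABILITIES, TLV_VERSION, TLV_PLATFORM = 4, 5, 6


def parse_addresses(value: bytes) -> List[str]:
    """Decode the Addresses TLV: a count followed by (proto type, proto len,
    protocol, addr len, addr) entries. IPv4 (NLPID 0xCC) is rendered dotted."""
    count = struct.unpack("!I", value[:4])[0]
    addrs, i = [], 4
    for _ in range(count):
        if i + 2 > len(value):
            raise ValueError("truncated address entry")
        ptype, plen = value[i], value[i + 1]
        proto = value[i + 2:i + 2 + plen]
        alen = struct.unpack("!H", value[i + 2 + plen:i + 4 + plen])[0]
        addr = value[i + 4 + plen:i + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address")
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addrs.append(".".join(str(b) for b in addr))
        else:
            addrs.append(addr.hex())
        i += 4 + plen + alen
    return addrs


def parse_cdp(payload: bytes) -> Dict[str, Any]:
    """Parse a CDP payload (the bytes after the SNAP header) into its fields."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise ValueError("unsupported CDP version %d" % version)
    info: Dict[str, Any] = {"version": version, "holdtime": ttl, "capabilities": ""}
    i = 4
    while i < len(payload):
        if i + 4 > len(payload):
            raise ValueError("truncated TLV header")
        ttype, tlen = struct.unpack("!HH", payload[i:i + 4])
        if tlen < 4 or i + tlen > len(payload):      # length includes the 4-byte header
            raise ValueError("bad TLV length %d at offset %d" % (tlen, i))
        value = payload[i + 4:i + tlen]
        if ttype == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif ttype == TLV_ADDRESSES:
            info["addresses"] = parse_addresses(value)
        elif ttype == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif ttype == TLV_CAPABILITIES and len(value) >= 4:
            bits = struct.unpack("!I", value[:4])[0]
            info["capabilities"] = "".join(code for bit, code in CAPABILITY_CODES if bits & bit)
        elif ttype == TLV_VERSION:
            info["version_string"] = value.decode("ascii", "replace")
        elif ttype == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        i += tlen
    return info


def is_well_formed(payload: bytes) -> bool:
    try:
        parse_cdp(payload)
        return True
    except ValueError:
        return False


def tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!HH", ttype, len(value) + 4) + value


def sample_packet() -> bytes:
    """Constructed CDP v2 payload mirroring the neighbor in the show fdp entry output."""
    addr = struct.pack("!I", 1) + bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + bytes([207, 95, 6, 143])
    return (struct.pack("!BBH", 2, 124, 0) + tlv(TLV_DEVICE_ID, b"Router") + tlv(TLV_ADDRESSES, addr)
            + tlv(TLV_PORT_ID, b"FastEthernet5/0/0") + tlv(TLV_CAPABILITIES, struct.pack("!I", 0x01))
            + tlv(TLV_PLATFORM, b"cisco RSP4"))
```

Every TLV length is checked against the remaining buffer before the value is sliced, so a truncated or oversized TLV produces a ValueError rather than a silently partial neighbor entry; that is the check a device that intercepts discovery frames from arbitrary neighbors needs.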
To clear CDP statistics, enter the following command.
Chapter 38 Remote Network Monitoring

Basic management

This chapter describes the remote monitoring features available on Brocade products. The following sections contain procedures for basic system management tasks.

Viewing system information

You can access software and hardware specifics for a BigIron RX. To view the software and hardware details for the system, enter the show version command.
Clearing statistics

You can clear statistics for many parameters with the clear option. To determine the available clear commands for the system, enter the following command.

BigIron RX# clear ?

Syntax: clear
Syntax: show rmon statistics [ | ethernet | management | | begin | exclude | include ]

The parameter specifies the port number. You can use the physical port number or the SNMP port number. The ports are numbered according to slot and port. For example, the first port in slot 1 is 1/1. The third port in slot 7 is 7/3. The SNMP numbers of the ports start at 1 and increase sequentially.
TABLE 169 Export configuration and statistics (Continued)

This line... | Displays...
Jabbers | The total number of packets received that were longer than 1518 octets and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
NOTE: This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2).
History (RMON group 2)

By default, all active ports generate two history control data entries per active device interface. An active port is defined as one with a link up. If the link goes down, the two entries are automatically deleted.
A sample entry and syntax of the event control table is shown below.
Chapter 39 Configuring sFlow

The sFlow feature is a system for observing traffic flow patterns and quantities within and among a set of BigIron RX devices. Participating devices also relay byte and packet counter data (counter samples) for ports to the collector. sFlow is described in RFC 3176, “InMon Corporation's sFlow, A Method for Monitoring Traffic in Switched and Routed Networks”. Refer to this RFC to determine the contents of the sampled packet.
NOTE
sFlow does not export packets through the management port.

NOTE
sFlow does not use the management IP as the agent IP.

Sampling rate

The sampling rate is the average ratio of the number of packets incoming on an sFlow-enabled port, to the number of flow samples taken from those packets. Device ports send only the sampled traffic to the CPU.
• Enable sFlow forwarding on individual interfaces.

NOTE
If you change the router ID or other IP address value that sFlow uses for its agent_address, you need to disable and then re-enable sFlow to cause the feature to use the new source address.

Specifying the collector

sFlow exports traffic statistics to an external collector. You can specify up to four collectors. You can specify more than one collector with the same IP address if the UDP port numbers are unique.
Changing the sampling rate

The sampling rate is the average ratio of the number of packets incoming on an sFlow-enabled port, to the number of flow samples taken from those packets. By default, all sFlow-enabled ports use the default sampling rate, which is 2048. With a sampling rate of 2048, on average, one in every 2048 packets forwarded on an interface is sampled. You can change the default (global) sampling rate.
The parameter specifies the average number of packets from which each sample will be taken. The sampling rate you configure is the actual sampling rate. You can enter 512 – 2147483648. The default is 2048.

Changing the sampling rate on a port

You can configure an individual port to use a different sampling rate than the global default sampling rate. This is useful in cases where ports have different bandwidths.
ACL-based inbound sFlow

NOTE
This feature is available only for IPv4.

IPv4 ACL traffic samples can be sent to an sFlow collector. The data matching an ACL clause can be collected to observe traffic flow patterns and quantities between a set of switches and routers.
FIGURE 138 sFlow packet format (figure: the sequence flow for sFlow records in a packet containing an sFlow sample; after the L2, IP and UDP headers each sample carries Tag, Type, Length, Sequence # and Source ID fields, and the records within a sample repeat the Tag, Type and Length fields)
• L2 ACLs: The copy-sflow keyword is not supported for L2 ACLs.
• If the copy-sflow keyword is used for a clause that is applied to the outbound direction, it is ignored.
• The sampling rate is the average ratio of the number of packets incoming on an sFlow-enabled port, to the number of flow samples taken from those packets. However, for ACL-based sFlow, every matching packet goes to the CPU. Consequently, configured sampling rates do not affect ACL-based sFlow.
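The sequence number, source ID and sampling rate that Figure 138 sketches are carried per flow sample inside the datagram the collector receives, which is how a collector knows that a raw-header record stands for roughly 2048 forwarded packets. The following added example (not Brocade code and not from this guide) parses an sFlow version 5 datagram far enough to recover the agent address, each flow sample's sequence number, source ID and sampling rate, and the raw packet header records within it. The datagram is constructed inside the block with the agent address and default sampling rate shown in the show sflow output on this page; the interface numbers and Ethernet header bytes are assumptions.

```python
"""sFlow version 5 datagram parser (datagram header, flow samples, raw
packet header records), with a constructed datagram to run it on.

Added example, not Brocade code. Only IPv4 agent addresses and the
standard (enterprise 0) flow sample / raw header formats are handled."""
import struct
from typing import Any, Dict

FLOW_SAMPLE, COUNTER_SAMPLE = 1, 2     # sample formats, enterprise 0
RAW_PACKET_HEADER = 1                  # flow record format 1


def _u32(data: bytes, off: int) -> int:
    if off + 4 > len(data):
        raise ValueError("truncated at offset %d" % off)
    return struct.unpack("!I", data[off:off + 4])[0]


def parse_flow_sample(body: bytes) -> Dict[str, Any]:
    """Flow sample: 8 fixed 32-bit fields, then num_records (format, length, data) records."""
    names = ("sequence", "source_id", "sampling_rate", "sample_pool",
             "drops", "input_if", "output_if", "num_records")
    s: Dict[str, Any] = {name: _u32(body, 4 * i) for i, name in enumerate(names)}
    s["source_type"], s["source_index"] = s["source_id"] >> 24, s["source_id"] & 0xFFFFFF
    records, off = [], 32
    for _ in range(s["num_records"]):
        fmt, length = _u32(body, off), _u32(body, off + 4)
        data = body[off + 8:off + 8 + length]
        if len(data) != length:
            raise ValueError("truncated flow record")
        rec: Dict[str, Any] = {"format": fmt, "length": length}
        if fmt == RAW_PACKET_HEADER:
            rec["header_protocol"], rec["frame_length"] = _u32(data, 0), _u32(data, 4)
            rec["stripped"], header_len = _u32(data, 8), _u32(data, 12)
            rec["header"] = data[16:16 + header_len]   # sampled bytes, padded to 4 in the wire format
        records.append(rec)
        off += 8 + length
    s["records"] = records
    return s


def parse_datagram(data: bytes) -> Dict[str, Any]:
    """Datagram: version, agent address type/address, sub-agent id, sequence,
    uptime, sample count, then (format, length, body) samples."""
    if _u32(data, 0) != 5:
        raise ValueError("only sFlow v5 is handled")
    if _u32(data, 4) != 1:
        raise ValueError("only IPv4 agent addresses are handled")
    d: Dict[str, Any] = {"agent": ".".join(str(b) for b in data[8:12]),
                         "sub_agent": _u32(data, 12), "sequence": _u32(data, 16),
                         "uptime_ms": _u32(data, 20), "num_samples": _u32(data, 24), "samples": []}
    off = 28
    for _ in range(d["num_samples"]):
        fmt, length = _u32(data, off), _u32(data, off + 4)
        body = data[off + 8:off + 8 + length]
        if len(body) != length:
            raise ValueError("truncated sample")
        enterprise, kind = fmt >> 12, fmt & 0xFFF
        if enterprise == 0 and kind == FLOW_SAMPLE:
            d["samples"].append(parse_flow_sample(body))
        else:
            d["samples"].append({"enterprise": enterprise, "kind": kind, "length": length})
        off += 8 + length
    return d


def build_sample_datagram() -> bytes:
    """Constructed datagram: agent 30.30.30.2, one flow sample at 1-in-2048 from
    ifIndex 5 (assumed), carrying a 14-octet Ethernet header padded to 16."""
    eth = bytes.fromhex("0000462300aa" "00e0529999aa" "0800")   # constructed MACs, EtherType IPv4
    padded = eth + b"\x00" * (-len(eth) % 4)
    record = struct.pack("!IIII", 1, 64, 4, len(eth)) + padded   # protocol 1 = Ethernet
    sample = struct.pack("!IIIIIIII", 1, (0 << 24) | 5, 2048, 2048 * 7, 0, 5, 9, 1)
    sample += struct.pack("!II", RAW_PACKET_HEADER, len(record)) + record
    head = struct.pack("!II", 5, 1) + bytes([30, 30, 30, 2]) + struct.pack("!IIII", 0, 42, 123456, 1)
    return head + struct.pack("!II", FLOW_SAMPLE, len(sample)) + sample
```

Every length field is validated against the remaining buffer before it is used, which matters on a collector that accepts UDP datagrams from any address claiming to be an agent; the sampling_rate field is what a collector multiplies record counts by to estimate traffic, and for ACL-based sFlow, where every matching packet is exported, that scaling no longer applies.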
Displaying sFlow information

Use one of the following commands to display sFlow information.

Display sFlow configuration and statistics

To display sFlow configuration information and statistics, enter the following command at any level of the CLI.

BigIron RX(config)# show sflow
sFlow services are enabled.
sFlow agent IP address: 30.30.30.2
Collector IP 10.10.10.1, UDP 6343
Polling interval is 20 seconds.
Configured default sampling rate: 1 per 2048 packets.
TABLE 170 sFlow information (Continued)

This field... | Displays...
Port Sampling Rates | The sampling rates of a port on which sFlow is enabled.
Hardware Sample Rate | The actual sampling rate. This is the same as the Global Sample Rate.

Displaying sFlow counters

sFlow counters are included in the output of the show interface ethernet command.
• sFlow samples collected

NOTE
This command also clears the statistics counters used by other features.
Chapter 40 Multiple Spanning Tree Protocol (MSTP) 802.1s

802.1s Multiple Spanning Tree Protocol

Multiple Spanning Tree Protocol (MSTP) as defined in IEEE 802.1s allows you to configure multiple STP instances. This will allow several VLANs to be mapped to a reduced number of spanning-tree instances. This ensures loop-free topology for 1 or more VLANs that have the same Layer 2 topology.

Multiple spanning-tree regions

Using MSTP, the entire network runs a common instance of RSTP.
Configuring MSTP

To configure a switch for MSTP, you could configure the name and the revision on each switch that is being configured for MSTP. This name is unique to each switch. You must then create an MSTP Instance and assign an ID. VLANs are then assigned to MSTP instances. These instances must be configured on all switches that interoperate with the same VLAN assignments.
The revision parameter specifies the revision level for MSTP that you are configuring on the switch. It can be a number from 0 to 65535.

Configuring an MSTP instance

An MSTP instance is configured with an MSTP ID for each region. Each region can contain one or more VLANs. To configure an MSTP instance and assign a range of VLANs, use a command such as the following at the Global Configuration level.
You can set a priority to the instance that gives it forwarding preference over lower priority instances within a VLAN or on the switch. A higher number for the priority variable means a lower forwarding priority. Acceptable values are 0 - 61440 in increments of 4096. The default value is 32768.

Setting the MSTP global parameters

MSTP has many of the options available in RSTP as well as some unique options.
BigIron RX(config)# mstp admin-pt2pt-mac ethernet 2/5 ethernet 4/5

Syntax: [no] mstp admin-pt2pt-mac ethernet

The parameter specifies a port or range of ports to be configured for point-to-point links to increase the speed of convergence.

Disabling MSTP on a port

To disable MSTP on a specific port, use a command such as the following at the Global Configuration level.
Displaying MSTP statistics

MSTP statistics can be displayed using the commands shown below. To display all general MSTP information, enter the following command.
TABLE 171 Output from Show MSTP (Continued)

This field... | Displays...
Root FwdDly sec | FwdDly interval configured on the root bridge.
Root Hop Cnt | Current hop count from the root bridge.
Root Bridge | Bridge identifier of the root bridge.
ExtPath Cost | The configured path cost on a link connected to this port to an external MSTP region.
Regional Root Bridge | The Regional Root Bridge is the MAC address of the Root Bridge for the local region.
Syntax: show xstp ethernet

The ethernet parameter displays the MSTP protocol information for the specified Ethernet interface.

TABLE 172 CLI display of MSTP information for the specified Ethernet interface

This field... | Displays...
The MSTP protocol information for the specified Ethernet interface.
Chapter 41 Configuring IP Multicast Traffic Reduction

The BigIron RX forwards all IP multicast traffic by default based on the Layer 2 information in the packets. Optionally, you can enable the device to make forwarding decisions in hardware, based on multicast group, by enabling the IP Multicast Traffic Reduction feature.
Enabling IP multicast traffic reduction

By default, the BigIron RX forwards all IP multicast traffic out all ports except the port on which the traffic was received. To reduce multicast traffic through the device, you can enable IP Multicast Traffic Reduction. This feature configures the device to forward multicast traffic only on the ports attached to multicast group members, instead of forwarding all multicast traffic to all ports.
BigIron RX(config)# show ip multicast
IP multicast is enabled - Active

Syntax: show ip multicast

Changing the IGMP mode

When you enable IP Multicast Traffic Reduction on the device, IGMP also is enabled. The device uses IGMP to maintain a table of the Group Membership reports received by the device. You can use active or passive IGMP mode. There is no default mode.
When you enable IP multicast for a specific VLAN instance, IGMP snooping is enabled. The device uses IGMP to maintain a table of the Group Membership reports received by the device for the specified VLAN instance. You can use active or passive IGMP mode. There is no default mode.
When the device starts up, it forwards all multicast groups even though multicast traffic filters are configured. This process continues until the device receives a group membership report. Once the group membership report is received, the device drops all multicast packets for groups other than the ones for which the device has received the group membership report. To enable IP multicast filtering, enter the following command.
Configuring a multicast static group uplink per VLAN

When the multicast static-group uplink command is enabled on a snooping VLAN, the snooping device behaves like an IGMP host on ports connected to the multicast router. The snooping device will respond to IGMP queries from the uplink multicast PIM router for the groups and sources configured.
BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 include 10.43.1.12 ethernet 3/4

To configure the physical interface ethernet 3/4 to statically join all multicast streams on the uplink interface excluding the stream with source address of 10.43.1.12, enter commands such as the following.

BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 exclude 10.43.1.
NOTE
This feature applies only to PIM SM version 2 (PIM V2).

Application examples

Figure 141 shows an example application of the PIM SM traffic snooping feature. In this example, a device is connected through an IP router to a PIM SM group source that is sending traffic for two PIM SM groups. The device also is connected to a receiver for each of the groups.

FIGURE 141 PIM SM traffic reduction in enterprise network (figure: the switch sits between the IP router facing the PIM SM source and the receivers for the two groups)

The switch snoops for PIM SM join and prune messages.
The IP multicast traffic reduction feature and the PIM SM traffic snooping feature together build a list of groups and forwarding ports for the VLAN. The list includes PIM SM groups learned through join messages as well as MAC addresses learned through IGMP group membership reports. In this case, even though the device never sees a join message for the receiver for group 239.255.162.69, the device nonetheless learns about the receiver and forwards group traffic to the receiver.
NOTE
Use the passive mode of IP multicast traffic reduction instead of the active mode. The passive mode assumes that a router is sending group membership queries as well as join and prune messages on behalf of receivers. The active mode configures the device to send group membership queries.

• All the device ports connected to the source and receivers or routers must be in the same port-based VLAN.
To disable the feature, enter the following command.

BigIron RX(config)# no ip pimsm-snooping

If you also want to disable IP multicast traffic reduction, enter the following command.

BigIron RX(config)# no ip multicast

Multicast traffic reduction per VLAN

You can configure specified VLAN instances for multicast traffic reduction by the methods described in the following sections.
BigIron RX(config)# show ip multicast
IP multicast is enabled - Passive
IP pimsm snooping is enabled
VLAN ID 23
Active 10.10.10.10 Report ports: 1/1 7/1 Report FID 0X0400
Number of Multicast Groups: 2
1 Group: 225.1.0.29 IGMP report ports :
  Mapped mac address : 0100.5e01.001d Fid:0x041b
  PIMv2*G join ports : 1/1
2 Group: 225.1.0.24 IGMP report ports : 4/48
  Mapped mac address : 0100.5e01.
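The "Mapped mac address" in the output above is the Layer 2 address the device actually forwards on: the low 23 bits of the group address appended to 01-00-5e. The following added example (written for this page, not the BigIron RX implementation) computes that mapping and models the per-VLAN snooping table described in the sections above: flooding until the first membership report arrives, then forwarding a group only to its report ports and the router ports, and removing a port on leave. It also covers the point the sections above leave implicit, that the 23-bit mapping makes 32 different groups share one MAC. VLAN and port numbers are constructed; only the 225.1.0.29 to 0100.5e01.001d mapping is taken from the page.

```python
"""IGMP snooping forwarding table and multicast group-to-MAC mapping.

Added example, not the BigIron RX implementation. It reproduces the mapped
MAC shown in the show ip multicast output on this page and models the
report/leave handling and start-up flooding described above; VLAN and
port numbers are constructed."""
import ipaddress
from typing import Dict, Set


def group_mac(group: str) -> str:
    """Map an IPv4 multicast group to 01-00-5e + its low 23 bits, in the
    xxxx.xxxx.xxxx style the CLI uses. Only 23 bits are carried, so 32 groups
    (for example 225.1.0.29 and 224.1.0.29) share the same MAC address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError("%s is not a multicast group" % group)
    mac = (0x01005E000000 | (int(ip) & 0x7FFFFF)).to_bytes(6, "big")
    return "%02x%02x.%02x%02x.%02x%02x" % tuple(mac)


class IgmpSnoopingVlan:
    def __init__(self, vlan: int, ports: Set[str]) -> None:
        self.vlan, self.ports = vlan, set(ports)
        self.router_ports: Set[str] = set()        # ports where queries arrive
        self.members: Dict[str, Set[str]] = {}     # group -> ports that reported it
        self.report_seen = False                   # flood every group until the first report

    def query(self, port: str) -> None:
        """A general query seen on a port marks it as a router port."""
        self.router_ports.add(port)

    def report(self, group: str, port: str) -> None:
        """Membership report: add the port to the group's report ports."""
        group_mac(group)                           # validates that it is a multicast group
        self.members.setdefault(group, set()).add(port)
        self.report_seen = True

    def leave(self, group: str, port: str) -> None:
        ports = self.members.get(group)
        if ports:
            ports.discard(port)
            if not ports:
                del self.members[group]

    def forward_ports(self, group: str, in_port: str) -> Set[str]:
        """Egress set for a data packet to group arriving on in_port."""
        if not self.report_seen:
            return self.ports - {in_port}          # start-up behaviour described on this page
        return (self.members.get(group, set()) | self.router_ports) - {in_port}
```

Because 224.1.0.29 and 225.1.0.29 map to the same MAC, a device that forwards purely on the mapped address delivers both groups to any port that reported either one; the per-group table in the model (and the Group lines in the show ip multicast output) is what keeps the two distinguishable.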
Displaying IP multicast information

Reports Received: 34
Leaves Received: 21
General Queries Received: 60
Group Specific Queries Received: 2
Others Received: 0
General Queries Sent: 0
Group Specific Queries Sent: 0
VLAN ID 2
Reports Received: 0
Leaves Received: 0
General Queries Received: 60
Group Specific Queries Received: 2
Others Received: 0
General Queries Sent: 0
Group Specific Queries Sent: 0

The command in this example shows statistics for two port-based VLANs.
To clear the learned IGMP flows for a specific IP multicast group, enter a command such as the following.

BigIron RX# clear ip multicast group 239.255.162.5

The following example shows how to clear the IGMP flows for a specific group and retain reports for other groups.

BigIron RX# show ip multicast
IP multicast is enabled - Active
VLAN ID 1
Active 192.168.2.30 Router Ports 4/13
Multicast Group: 239.255.162.5, Port: 4/4 4/13
Multicast Group: 239.255.162.
Chapter 42 IPv6 Addressing

This chapter includes overview information about the following topics:
• IPv6 addressing.
• The IPv6 stateless autoconfiguration feature, which enables a host on a local link to automatically configure its interfaces with new and globally unique IPv6 addresses associated with its location.

IPv6 addressing

A limitation of IPv4 is its 32-bit addressing format, which is unable to satisfy potential increases in the number of users, geographical needs, and emerging applications.
The parameter is specified as 16-bit hexadecimal values separated by a colon. The parameter is specified as a decimal value that indicates the left-most bits of the IPv6 address. The following is an example of an IPv6 prefix.

2001:FF08:49EA:D088::/64

IPv6 address types

As with IPv4 addresses, you can assign multiple IPv6 addresses to a switch interface. Table 173 presents the three major types of IPv6 addresses that you can assign to a switch interface.
TABLE 173 IPv6 address types

Address type | Description | Address structure
Unicast | An address for a single interface. A packet sent to a unicast address is delivered to the interface identified by the address. | Depends on the type of the unicast address:
  • Aggregatable global address—An address equivalent to a global or public IPv4 address.
IPv6 stateless autoconfiguration

Brocade routers use the IPv6 stateless autoconfiguration feature to enable a host on a local link to automatically configure its interfaces with new and globally unique IPv6 addresses associated with its location. The automatic configuration of a host interface is performed without the use of a server, such as a Dynamic Host Configuration Protocol (DHCP) server, or manual configuration.
Chapter 43 Configuring Basic IPv6 Connectivity

This chapter explains how to get a Brocade Layer 3 Switch that supports IPv6 up and running. To configure basic IPv6 connectivity, you must do the following:
• Enable IPv6 routing globally on the Brocade Layer 3 Switch.
• Configure an IPv6 address or explicitly enable IPv6 on each router interface over which you plan to forward IPv6 traffic.
• Configure IPv4 and IPv6 protocol stacks.
• An automatically computed EUI-64 interface ID.

If you prefer to assign a link-local IPv6 address to the interface, you must explicitly enable IPv6 on the interface, which causes a link-local address to be automatically computed for the interface. If preferred, you can override the automatically configured link-local address with an address that you manually configure.
Configuring a global or site-local IPv6 address with an automatically computed EUI-64 interface ID

To configure a global or site-local IPv6 address with an automatically computed EUI-64 interface ID in the low-order 64 bits, enter commands such as the following.
The link-local keyword indicates that the router interface should use the manually configured link-local address instead of the automatically computed link-local address.

Configuring IPv6 anycast addresses

In IPv6, an anycast address is an address for a set of interfaces belonging to different nodes.
Specifying an IPv6 SNMP trap receiver

You can specify an IPv6 host as a trap receiver to ensure that all SNMP traps sent by the device will go to the same SNMP trap receiver or set of receivers, typically one or more host devices on the network. To do so, enter a command such as the following.
Configuring an IPv6 host address for a BigIron RX running a switch image

NOTE
This feature is only available on the BigIron RX when it is configured as a switch. For this feature to work it must have the CHD code enabled on the BigIron RX.

In the router configuration, each port can be configured separately with an IPv6 address.
Configuring a global or site-local IPv6 address with an automatically computed EUI-64 interface ID as the switch’s system-wide address

To configure a global or site-local IPv6 address with an automatically computed EUI-64 interface ID in the low-order 64 bits as the system-wide address, enter commands such as the following.
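Both the router-interface and the switch-image procedures above rely on the EUI-64 rule: the interface's 48-bit MAC is split, ff:fe is inserted in the middle, and the universal/local bit of the first octet is flipped to form the low-order 64 bits. The following added example (not Brocade code and not from this guide) performs that computation for a link-local and for a /64 global prefix, derives the solicited-node multicast address that neighbor discovery uses for such an address, and recovers the MAC from an EUI-64-derived address. The MAC 00e0.5299.9737 is an assumption chosen because it reproduces the fe80::2e0:52ff:fe99:9737 entry that appears in the show ipv6 cache output later in this chapter; the 2001:FF08:49EA:D088::/64 prefix is the one shown in chapter 42.

```python
"""EUI-64 interface identifiers, link-local / global addresses built from
them, the solicited-node multicast address, and the reverse mapping.

Added example, not Brocade code. The MAC used in the usage notes is a
constructed value that yields the link-local address shown on this page."""
import ipaddress
from typing import Optional


def _mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits: %r" % mac)
    return raw


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: OUI, 0xfffe, NIC-specific part, with the U/L bit flipped."""
    b = bytearray(_mac_bytes(mac))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def address_with_eui64(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID of mac."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs require a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui64_interface_id(mac), "big"))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """The address computed automatically when IPv6 is enabled on an interface."""
    return address_with_eui64("fe80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, with the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def embedded_mac(addr: str) -> Optional[str]:
    """If the interface ID has the ff:fe marker, return the MAC it encodes.
    Useful when checking whether an address exposes a hardware identifier."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join("%02x" % b for b in mac)
```

Because the MAC is recoverable from such an address (embedded_mac above), EUI-64 addresses identify the hardware to every peer on the path; that is the reason to prefer a manually configured or privacy interface ID on hosts, while for router interfaces the stable, predictable address is usually the intent.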
Configuring IPv4 and IPv6 protocol stacks

One situation in which you must configure a router to run both IPv4 and IPv6 protocol stacks is if it is deployed as an endpoint for an IPv6 over IPv4 tunnel. Each router interface that you want to send and receive both IPv4 and IPv6 traffic must be configured with an IPv4 address and an IPv6 address.
Configuring IPv6 Domain Name Server (DNS) resolver

The Domain Name Server (DNS) resolver feature lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a Brocade device and thereby recognize all hosts within that domain. After you define a domain name, the Brocade device automatically appends the appropriate domain to the host and forwards it to the domain name server.
As an example, in a configuration where ftp6.companynet.com is a server with an IPv6 protocol stack, when a user pings ftp6.companynet.com, the Brocade device attempts to resolve the AAAA DNS record. In addition, if the DNS server does not have an IPv6 address, as long as it is able to resolve AAAA records, it can still respond to DNS queries.
If you want to re-enable the feature after disabling it, you must specify the number of load-sharing paths. The maximum number of paths the device supports is a value from 2 – 8. By entering a command such as the following, IPv6 load-sharing will be re-enabled.

BigIron RX(config)# ipv6 load-sharing 4

Syntax: [no] ipv6 load-sharing

The parameter specifies the number of paths and can be from 2 – 8. The default is 4.
Configuring DHCP for IPv6 relay agent

You can enable the DHCP for IPv6 relay agent function and specify the relay destination addresses on an interface by entering the command at the interface level.
BigIron RX# show ipv6
Global Settings
  unicast-routing enabled, hop-limit 64
  No Inbound Access List Set
  No Outbound Access List Set
  Prefix-based IPv6 Load-sharing is Enabled, Number of load share paths: 4

Syntax: show ipv6

You can display the entries in the IPv6 forwarding cache; for example:

BigIron RX# show ipv6 cache
Total number of cache entries: 10
  IPv6 Address
1 5000:2::2
2 2000:4::106
3 2000:4::110
4 2002:c0a8:46a::1
5 fe80::2e0:52ff:fe99:9737
6 fe80::ffff:ffff:feff:ffff
For example, to adjust the interval to 1000 milliseconds and the number of tokens to 100 tokens, enter the following command.

BigIron RX(config)# ipv6 icmp error-interval 1000 100

Syntax: ipv6 icmp error-interval []

The interval in milliseconds at which tokens are placed in the bucket can range from 0 – 2147483647. The maximum number of tokens stored in the bucket can range from 1 – 200.
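The error-interval command describes a token bucket: ICMPv6 error messages (destination unreachable, packet too big, time exceeded, parameter problem) each consume a token, tokens are added at the configured interval, and the bucket holds at most the configured number. The following added example (a model written for this page, not the device's implementation) makes the burst and steady-state behaviour of the 1000 ms / 100 token setting concrete. It assumes one token is added per elapsed interval, that the bucket starts full, and that an interval of 0 disables limiting; the guide states the ranges but not these details.

```python
"""Token-bucket model of: ipv6 icmp error-interval <interval-ms> <tokens>

Added example, not the BigIron RX implementation. Assumptions: one token
is added per elapsed interval, the bucket starts full, and interval 0
means no rate limiting."""
from typing import Iterable


class IcmpErrorLimiter:
    def __init__(self, interval_ms: int = 1000, bucket_size: int = 100) -> None:
        # Ranges taken from the command description on this page.
        if not 0 <= interval_ms <= 2147483647 or not 1 <= bucket_size <= 200:
            raise ValueError("outside the ranges accepted by ipv6 icmp error-interval")
        self.interval_ms, self.bucket_size = interval_ms, bucket_size
        self.tokens, self.last_refill_ms = bucket_size, 0

    def _refill(self, now_ms: int) -> None:
        if self.interval_ms == 0:                 # assumption: 0 disables the limiter
            self.tokens = self.bucket_size
            return
        elapsed = now_ms - self.last_refill_ms
        if elapsed >= self.interval_ms:
            added = elapsed // self.interval_ms
            self.tokens = min(self.bucket_size, self.tokens + added)
            self.last_refill_ms += added * self.interval_ms   # keep the remainder for next time

    def allow(self, now_ms: int) -> bool:
        """True if an ICMPv6 error message may be generated at time now_ms."""
        self._refill(now_ms)
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


def sent_in_window(limiter: IcmpErrorLimiter, times_ms: Iterable[int]) -> int:
    """How many of a series of error-triggering packets actually produce a message."""
    return sum(1 for t in times_ms if limiter.allow(t))
```

With the page's 1000/100 setting a burst of 150 errors at the same instant yields 100 messages, after which the device answers at most one error per second, so a flood of unroutable packets cannot make the CPU emit an error for each one while legitimate errors still get through at the configured rate.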
• Link-local address.
• Assigned unicast address.
• Loopback address.
• All-nodes multicast address.
• Solicited-node multicast address.
• Multicast address to all other groups to which it belongs.

You can adjust the following IPv6 neighbor discovery features:
• Neighbor solicitation messages for duplicate address detection.
• Router advertisement messages:
  • Interval between router advertisement messages.
Router advertisement and solicitation messages

Router advertisement and solicitation messages enable a node on a link to discover the routers on the same link. Each configured router interface on a link sends out a router advertisement message, which has a value of 134 in the Type field of the ICMP packet header, periodically to the all-nodes link-local multicast address (FF02::1).
Configuring IPv6 neighbor discovery 43 You can configure the following neighbor solicitation message parameters that affect duplicate address detection while it verifies that a tentative unicast IPv6 address is unique: • The number of consecutive neighbor solicitation messages that duplicate address detection sends on an interface. By default, duplicate address detection sends three neighbor solicitation messages without any follow-up messages.
43 Configuring IPv6 neighbor discovery Syntax: [no] ipv6 nd ra-interval Syntax: [no] ipv6 nd ra-lifetime The parameter in both commands indicates any numerical value. To restore the default interval or router lifetime value, use the no form of the respective command. Controlling prefixes advertised in IPv6 router advertisement messages By default, router advertisement messages include prefixes configured as addresses on router interfaces using the ipv6 address command.
Configuring IPv6 neighbor discovery 43 Setting flags in IPv6 router advertisement messages An IPv6 router advertisement message can include the following flags: • Managed Address Configuration—This flag indicates to hosts on a local link if they should use the stateful autoconfiguration feature to get IPv6 addresses for their interfaces. If the flag is set, the hosts use stateful autoconfiguration to get addresses as well as non-IPv6-address information.
Configuring reachable time for remote IPv6 nodes You can configure the duration (in seconds) that a router considers a remote IPv6 node reachable. By default, a router interface uses a value of 30 seconds. The router advertisement messages sent by a router interface include the amount of time specified by the ipv6 nd reachable-time command so that nodes on a link use the same reachable time duration. By default, the advertised value is 0, which tells hosts that this router does not specify a reachable time.
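To check on the wire what the ipv6 nd commands above actually advertise, the following added example (not part of the Brocade guide) builds and decodes the fixed part of an ICMPv6 Router Advertisement: type 134, the M (managed) and O (other) flag bits, router lifetime, advertised reachable time and retransmit timer. The field layout is the standard RFC 4861 one; the checksum is left as 0 because it is computed over an IPv6 pseudo-header that a capture tool or the kernel supplies.

```python
"""Encode and decode the ICMPv6 Router Advertisement header (type 134).
Added example, not Brocade code; layout per RFC 4861:
type(1) code(1) checksum(2) cur-hop-limit(1) flags(1) router-lifetime(2)
reachable-time(4) retrans-timer(4), followed by options (not handled here)."""

import struct

RA_TYPE = 134
FLAG_MANAGED = 0x80   # M: hosts use stateful (DHCPv6) address configuration
FLAG_OTHER = 0x40     # O: hosts use stateful configuration for other information

RA_HEADER = struct.Struct("!BBHBBHII")   # 16 bytes


def build_ra(hop_limit: int, managed: bool, other: bool,
             router_lifetime_s: int, reachable_ms: int, retrans_ms: int) -> bytes:
    """Pack an RA header; checksum left as 0 (needs the IPv6 pseudo-header)."""
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    return RA_HEADER.pack(RA_TYPE, 0, 0, hop_limit, flags,
                          router_lifetime_s, reachable_ms, retrans_ms)


def is_router_advertisement(data: bytes) -> bool:
    return len(data) >= RA_HEADER.size and data[0] == RA_TYPE and data[1] == 0


def parse_ra(data: bytes) -> dict:
    """Return the RA fields as a dict; raise ValueError for anything else."""
    if not is_router_advertisement(data):
        raise ValueError("not a router advertisement")
    (_typ, _code, _cksum, hop_limit, flags, lifetime,
     reachable_ms, retrans_ms) = RA_HEADER.unpack_from(data)
    return {
        "hop_limit": hop_limit,
        "managed": bool(flags & FLAG_MANAGED),
        "other": bool(flags & FLAG_OTHER),
        "router_lifetime_s": lifetime,
        # 0 means the router does not specify a value (RFC 4861)
        "reachable_time_ms": reachable_ms,
        "retrans_timer_ms": retrans_ms,
    }


if __name__ == "__main__":
    # Hop limit 64 and advertised reachable time 0 match the show output in
    # this chapter; the 1800 s lifetime and M flag are constructed values.
    msg = build_ra(64, managed=True, other=False,
                   router_lifetime_s=1800, reachable_ms=0, retrans_ms=0)
    print(msg.hex())
    print(parse_ra(msg))
```

A monitor on the link can feed every ICMPv6 message destined to ff02::1 through parse_ra and compare the flags and timers against the values configured on the legitimate router; a mismatch is the signature of a rogue RA.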
To define the IPv6 MTU globally, enter the following command. BigIron RX(config)#ipv6 mtu 1300 To define the IPv6 MTU on an interface, enter the following command: BigIron RX(config-if-e1000-2/1)#ipv6 mtu Syntax: ipv6 mtu NOTE If the size of a jumbo packet received on a port is equal to the maximum frame size – 18 (Layer 2 MAC header + CRC) and this value is greater than the outgoing port's IPv4/IPv6 MTU, the packet is forwarded by the CPU rather than in hardware.
QoS for IPv6 traffic
Configuring QoS for IPv6 traffic is generally the same as it is for IPv4 traffic. The QoS policies you configure on the Brocade device apply to both incoming IPv6 and IPv4 traffic. ACLs can be used to perform QoS for IPv6 traffic:
• dscp
• fragments
• priority-force
• priority-mapping
• source routing
To enable QoS for IPv6 traffic, enter the following commands.
Clearing global IPv6 information 43 • Interface type. For example, to remove entries for IPv6 address 2000:e0ff::1, enter the following command at the Privileged EXEC level or any of the Config levels of the CLI. BigIron RX# clear ipv6 cache 2000:e0ff::1 Syntax: clear ipv6 cache [/ | | ethernet | tunnel | ve ] You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
43 Displaying global IPv6 information BigIron RX# clear ipv6 route 2000:7838::/32 Syntax: clear ipv6 route [/] The / parameter clears routes associated with a particular IPv6 prefix. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value.
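Both clear commands above take an ipv6-prefix/prefix-length argument written as RFC 2373 hexadecimal 16-bit groups with a decimal length. The following added example (not Brocade code) validates such an argument before it is pasted into the CLI, for instance from an automation script: it rejects a hexadecimal or out-of-range length, a malformed address, and a prefix whose host bits are not zero, and it normalises the address so that 2000:7838:0:0::/32 and 2000:7838::/32 produce the same command.

```python
"""Validate an <ipv6-prefix>/<prefix-length> CLI argument (RFC 2373 text
form, decimal length).  Added example, not Brocade code."""

import ipaddress
import re
from typing import Tuple

# hexadecimal groups and colons only, a slash, then decimal digits only
_PREFIX_RE = re.compile(r"^([0-9A-Fa-f:]+)/([0-9]+)$")


def parse_ipv6_prefix(text: str) -> Tuple[str, int]:
    """Return (compressed network address, prefix length) or raise ValueError."""
    m = _PREFIX_RE.match(text.strip())
    if not m:
        raise ValueError(f"expected <ipv6-address>/<decimal-length>, got {text!r}")
    addr_text, len_text = m.groups()
    prefix_len = int(len_text, 10)           # decimal only; '0x20' never gets here
    if prefix_len > 128:
        raise ValueError(f"prefix length {prefix_len} exceeds 128")
    # IPv6Address rejects malformed groups (five hex digits, a second '::');
    # IPv6Network(strict=True) rejects a prefix whose host bits are set, which
    # is how a typo such as 2000:7838::1/32 is caught instead of silently
    # clearing a different route than intended.
    addr = ipaddress.IPv6Address(addr_text)
    net = ipaddress.IPv6Network((str(addr), prefix_len), strict=True)
    return str(net.network_address), prefix_len


def is_valid_ipv6_prefix(text: str) -> bool:
    try:
        parse_ipv6_prefix(text)
        return True
    except ValueError:
        return False


def clear_route_command(text: str) -> str:
    """Build the clear ipv6 route command from a validated prefix argument."""
    addr, plen = parse_ipv6_prefix(text)
    return f"clear ipv6 route {addr}/{plen}"


if __name__ == "__main__":
    print(clear_route_command("2000:7838:0:0::/32"))   # clear ipv6 route 2000:7838::/32
    for bad in ("2000:7838::/0x20", "2000:7838::/129", "2000:7838::1/32", "2000:7838::"):
        print(bad, "->", is_valid_ipv6_prefix(bad))
```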
BigIron RX# show ipv6 cache
Total number of cache entries: 10
    IPv6 Address                 Next Hop   Port
1   5000:2::2                    LOCAL      tunnel 2
2   2000:4::106                  LOCAL      ethe 3/2
3   2000:4::110                  DIRECT     ethe 3/2
4   2002:c0a8:46a::1             LOCAL      ethe 3/2
5   fe80::2e0:52ff:fe99:9737     LOCAL      ethe 3/2
6   fe80::ffff:ffff:feff:ffff    LOCAL      loopback 2
7   fe80::c0a8:46a               LOCAL      tunnel 2
8   fe80::c0a8:46a               LOCAL      tunnel 6
9   2999::1                      LOCAL      loopback 2
10  fe80::2e0:52ff:fe99:9700     LOCAL      ethe 3/1
Syntax: show ipv6 cache [
BigIron RX# show ipv6 interface
Routing Protocols : R - RIP  O - OSPF  I - ISIS
Interface       Status      Routing   Global Unicast Address
Ethernet 3/3    down/down   R
Ethernet 3/5    down/down
Ethernet 3/17   up/up                 2017::c017:101/64
Ethernet 3/19   up/up                 2019::c019:101/64
VE 4            down/down
VE 14           up/up                 2024::c060:101/64
Loopback 1      up/up                 ::1/128
Loopback 2      up/up                 2005::303:303/128
Loopback 3      up/up
Syntax: show ipv6 interface [ [ |]] The parameter displ
BigIron RX# show ipv6 interface ethernet 3/1
Interface Ethernet 3/1 is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::2e0:52ff:fe99:97
  Global unicast address(es):
  Joined group address(es):
    ff02::9
    ff02::1:ff99:9700
    ff02::2
    ff02::1
  MTU is 1500 bytes
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 3
  ND reachable time is 30 seconds
  ND advertised reachable time is 0 seconds
  ND retransmit interval is 1 seconds
  ND advertised retra
To display the IPv6 neighbor table, enter the following command at any CLI level.
BigIron RX(config)# show ipv6 neighbor
Total number of Neighbor entries: 3
    IPv6 Address                  LinkLayer-Addr
1   2000:4::110                   00e0.5291.bb37
2   fe80::2e0:52ff:fe91:bb37      00e0.5291.bb37
3   fe80::2e0:52ff:fe91:bb40      00e0.5291.
Displaying global IPv6 information 43 Displaying the IPv6 route table To display the IPv6 route table, enter the following command at any CLI level.
TABLE 178 IPv6 route table fields (Continued)
This field...      Displays...
Next-Hop Router    The next-hop router.
Interface          The interface through which this router sends packets to reach the route's destination.
Dis/Metric         The route's administrative distance and metric value.
To display a summary of the IPv6 route table, enter the following command at any CLI level.
TABLE 180 IPv6 local router information fields
This field...   Displays...
Router on       The IPv6 address for a particular router interface.
Last update     The amount of elapsed time (in minutes) between the current and previous updates received from a router.
Hops            The default value that should be included in the Hop Limit field of the IPv6 header for outgoing IPv6 packets.
TABLE 181 General IPv6 TCP connection fields
This field...             Displays...
Local IP address:port     The IPv4 or IPv6 address and port number of the local router interface over which the TCP connection occurs.
Remote IP address:port    The IPv4 or IPv6 address and port number of the remote router interface over which the TCP connection occurs.
TCP state                 The state of the TCP connection. Possible states include the following:
                          LISTEN – Waiting for a connection request.
BigIron RX# show ipv6 tcp status 2000:4::110 179 2000:4::106 8222
TCP: TCB = 0x217fc300
TCP: 2000:4::110:179 <-> 2000:4::106:8222: state: ESTABLISHED Port: 1
Send: initial sequence number = 242365900
Send: first unacknowledged sequence number = 242434080
Send: current send pointer = 242434080
Send: next sequence number to send = 242434080
Send: remote received window = 16384
Send: total unacknowledged sequence number = 0
Send: total used buffers 0
Receive: initial inc
TABLE 182 Specific IPv6 TCP connection fields (Continued)
This field...                                    Displays...
Send: total unacknowledged sequence number =     The total number of unacknowledged sequence numbers sent by the local router.
Send: total used buffers                         The total number of buffers used by the local router in setting up the TCP connection.
Receive: initial incoming sequence number =      The initial incoming sequence number received by the local router.
BigIron RX# show ipv6 traffic
IP6 Statistics
  36947 received, 66818 sent, 0 forwarded, 36867 delivered, 0 rawout
  0 bad vers, 23 bad scope, 0 bad options, 0 too many hdr
  0 no route, 0 can't forward, 0 redirect sent
  0 frag recv, 0 frag dropped, 0 frag timeout, 0 frag overflow
  0 reassembled, 0 fragmented, 0 ofragments, 0 can't frag
  0 too short, 0 too small, 11 not member
  0 no buffer, 66819 allocated, 21769 freed
  0 forward cache hit, 46 forward cache miss
ICMP6 Statistics
TABLE 183 IPv6 traffic statistics fields (Continued)
This field...    Displays...
bad options      The number of IPv6 packets dropped by the router because of bad options.
too many hdr     The number of IPv6 packets dropped by the router because the packets had too many headers.
no route         The number of IPv6 packets dropped by the router because there was no route.
can't forward    The number of IPv6 packets the router could not forward to another router.
TABLE 183 IPv6 traffic statistics fields (Continued)
This field...    Displays...
nei soli         The number of Neighbor Solicitation messages sent or received by the router.
nei adv          The number of Neighbor Advertisement messages sent or received by the router.
redirect         The number of redirect messages sent or received by the router.
Applies to received only
bad code         The number of Bad Code messages received by the router.
TABLE 183 IPv6 traffic statistics fields (Continued)
This field...     Displays...
active opens      The number of TCP connections opened by the router by sending a TCP SYN to another device.
passive opens     The number of TCP connections opened by the router in response to connection requests (TCP SYNs) received from other devices.
failed attempts   This information is used by Brocade Technical Support.
Chapter Configuring RIPng 44 Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing a distance) to measure the cost of a given route. RIP uses a hop count as its cost or metric. IPv6 RIP, known as Routing Information Protocol Next Generation or RIPng, functions similarly to IPv4 RIP version 2. RIPng supports IPv6 addresses and prefixes. In addition, Brocade implements some new commands that are specific to RIPng.
44 Configuring RIPng For more information about performing these configuration tasks, refer to Chapter 43, “Configuring Basic IPv6 Connectivity”. By default, RIPng is disabled. To enable RIPng, you must enable it globally on the Brocade device and also on individual router interfaces. NOTE You are required to configure a router ID when running only IPv6 routing protocols. NOTE Enabling RIPng globally on the Brocade device does not enable it on individual router interfaces.
• Brocade recommends setting the timeout timer value to at least three times the value of the update timer.
• Brocade recommends a shorter hold-down timer interval, because a longer interval can cause delays in RIPng convergence.
The following example sets updates to be sent every 45 seconds. If a route is not heard from in 135 seconds, the route is declared unusable. Further information about the route is suppressed for an additional 10 seconds.
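The interaction of the three timers is easier to see in a small model. The following added example (not Brocade code) tracks one RIPng route through the states the text describes with the example values update 45, timeout 135 and hold-down 10, checks the "timeout at least three times update" recommendation, and ignores any update that arrives while the route is in hold-down. That a withdrawn route (metric 16) enters hold-down immediately, and that the route is forgotten when hold-down ends, are assumptions of the model rather than statements from the guide.

```python
"""Model of the RIPng update / timeout / hold-down timers.
Added example, not Brocade code."""

from dataclasses import dataclass
from typing import Dict, List, Optional

RIP_INFINITY = 16                 # RIPng metric meaning "unreachable"


@dataclass
class RipngTimers:
    update: int                   # seconds between periodic updates
    timeout: int                  # seconds without an update before a route is unusable
    holddown: int                 # seconds new information about the route is suppressed

    def advice(self) -> List[str]:
        """Recommendations from the guide that this setting violates."""
        notes = []
        if self.timeout < 3 * self.update:
            notes.append("timeout should be at least three times the update timer")
        return notes


@dataclass
class RipngRoute:
    prefix: str
    metric: int
    last_heard: float
    unusable_at: Optional[float] = None   # set once the timeout timer fires


class RipngTable:
    def __init__(self, timers: RipngTimers) -> None:
        self.timers = timers
        self.routes: Dict[str, RipngRoute] = {}

    def expire(self, now: float) -> None:
        """Run the timeout and hold-down timers up to time `now`."""
        t = self.timers
        for prefix, r in list(self.routes.items()):
            if r.unusable_at is None and now - r.last_heard >= t.timeout:
                r.unusable_at = r.last_heard + t.timeout    # declared unusable
                r.metric = RIP_INFINITY
            if r.unusable_at is not None and now - r.unusable_at >= t.holddown:
                del self.routes[prefix]                     # hold-down over (assumption)

    def receive_update(self, prefix: str, metric: int, now: float) -> bool:
        """Process one RIPng update for `prefix`; True if it changed the table."""
        self.expire(now)
        r = self.routes.get(prefix)
        if r is not None and r.unusable_at is not None:
            return False                                    # suppressed during hold-down
        if metric >= RIP_INFINITY:                          # neighbour withdrew it
            if r is None:
                return False
            r.unusable_at, r.metric = now, RIP_INFINITY     # assumption: immediate hold-down
            return True
        if r is None:
            self.routes[prefix] = RipngRoute(prefix, metric, now)
        else:
            r.metric, r.last_heard = metric, now
        return True

    def state(self, prefix: str, now: float) -> str:
        self.expire(now)
        r = self.routes.get(prefix)
        if r is None:
            return "absent"
        return "holddown" if r.unusable_at is not None else "valid"


if __name__ == "__main__":
    timers = RipngTimers(update=45, timeout=135, holddown=10)   # values from the guide
    table = RipngTable(timers)
    table.receive_update("2000:4::/64", 1, now=0)
    for t in (134, 135, 140, 145):
        print(t, table.state("2000:4::/64", now=t))
```

A single missed update at t=45 and t=90 does not hurt: the route is still valid at t=134. That is the point of the three-times rule, and it is also why a too-short timeout lets an attacker who can delay or drop two multicast updates knock a prefix out of the table.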
44 Configuring RIPng BigIron RX(config)# interface ethernet 3/1 BigIron RX(config-if-e100-3/1)# ipv6 rip default-information originate Syntax: [no] ipv6 rip default-information only | originate The only keyword originates the default routes and suppresses all other routes from the updates. The originate keyword originates the default routes and includes all other routes in the updates.
Configuring RIPng 44 Syntax: [no] ipv6 rip metric-offset [out] <1 – 16> To return the metric offset to its default value, use the no form of this command.
44 Clearing RIPng routes from IPv6 route table The out keyword indicates that the prefix list is applied to outgoing routing updates on the specified interface. For the parameter, you can specify the ethernet, loopback, ve, or tunnel keywords. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VE or tunnel interface, also specify the VE or tunnel number. To remove the distribution list, use the no form of this command.
Displaying RIPng information 44 • RIPng routing table Displaying RIPng configuration To display RIPng configuration information, enter the following command at any CLI level.
BigIron RX# show ipv6 rip route
IPv6 RIP Routing Table - 4 entries:
2000:4::/64, from ::, null (0)
  CONNECTED, metric 1, tag 0, timers: none
2002:c0a8:46a::/64, from ::, null (1)
  CONNECTED, metric 1, tag 0, timers: none
2999::1/128, from ::, null (2)
  CONNECTED, metric 1, tag 0, timers: none
5000:2::/64, from ::, null (3)
  CONNECTED, metric 1, tag 0, timers: none
Syntax: show ipv6 rip route [/ | ] The / pa
Chapter Configuring BGP4+ 45 Border Gateway Protocol version 4 (BGP4) cannot support a multicast network topology that differs from the network’s unicast topology. As a result, BGP4 was extended to include Multiprotocol BGP (MBGP). MBGP allows you to support a multicast topology that is distinct from the network’s unicast topology. For example, if you want to dedicate a link on your Internet router to multicast traffic, you can use MBGP to handle the routes on that link.
While at the BGP4+ unicast address family configuration level, you can access several commands that allow you to configure BGP4+ unicast routes. The commands that you enter at this level apply only to the IPv6 unicast address family. You can generate a configuration for BGP4+ unicast routes that is separate and distinct from the configurations for IPv4 unicast routes and IPv4 BGP multicast routes.
Enabling BGP4+ To enable BGP4+, enter commands such as the following.
BigIron RX(config)# router bgp
BGP: Please configure 'local-as' parameter in order to run BGP4.
BigIron RX(config-bgp)# local-as 1000
These commands enable BGP4+ on the switch and configure the autonomous system (1000) in which your switch resides. Syntax: [no] router bgp To disable BGP, enter the no form of this command. Syntax: local-as Specify the AS number in which the switch you are configuring resides.
45 Configuring BGP4+ NOTE The example above adds an IPv6 neighbor at the BGP4+ unicast address family configuration level. This neighbor, by default, is enabled to exchange BGP4+ unicast prefixes.
Configuring BGP4+ 45 Identifying a neighbor interface To specify Ethernet interface 3/1 as the neighbor interface over which the neighbor and local switch will exchange prefixes, enter the following command. BigIron RX(config-bgp)# neighbor fe80:4398:ab30:45de::1 update-source ethernet 3/1 Syntax: neighbor update-source | ethernet | loopback | ve The parameter specifies the IPv6 link-local address of the neighbor.
45 Configuring BGP4+ Syntax: match ipv6 address prefix-list The match ipv6 address prefix-list command distributes any routes that have a destination IPv6 address permitted by a prefix list. The parameter specifies an IPv6 prefix list name. Syntax: set ipv6 next-hop The parameter specifies the IPv6 global address of the next-hop switch. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
45 Configuring BGP4+ For example, to enable the BGP4+ switch to send the default route to a neighbor with the IPv6 address of 2001:efff:89::23, enter a command such as the following. BigIron RX(config-bgp-ipv6u)# neighbor 2001:efff:89::23 default-originate Syntax: [no] neighbor default-originate [route-map ] The parameter specifies a neighbor by its IPv6 address. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
Configuring BGP4+ 45 For example, to configure the redistribution of all RIPng routes into the BGP4+ unicast database, enter the following commands at the BGP4+ address family configuration level: BigIron RX(config-bgp-ipv6u)# redistribute rip Syntax: redistribute [level-1 | level-1-2 | level-2] [match external1 | external2 | internal] [metric ] [route-map ] The parameter can be connected, isis, ospf, rip, or static.
45 Clearing BGP4+ information NOTE For the suppress-map, advertise-map, and attribute-map parameters, the route map must already be defined. To remove an aggregate route from a BGP4 neighbor advertisement, use the no form of this command without any parameters. Using route maps You can use a route map to filter and change values in BGP4+ routes. Currently, you can apply a route map to IPv6 unicast routes that are independent of IPv4 routes.
Clearing BGP4+ information 45 Syntax: clear ipv6 bgp dampening [/] You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value. A slash mark (/) must follow the parameter and precede the parameter. To un-suppress a specific route, enter a command such as the following.
• Reset a session to send and receive Outbound Route Filters (ORFs).
• Close a session, or reset a session and resend/receive an update.
• Clear traffic counters.
• Clear route flap dampening statistics.
Clearing BGP4+ neighbor diagnostic buffers
You can clear the following BGP4+ neighbor diagnostic information in buffers:
• The first 400 bytes of the last packet that contained an error.
• The last NOTIFICATION message either sent or received by the neighbor.
Clearing BGP4+ information 45 BigIron RX(config)# clear ipv6 bgp nei peer_group1 soft in prefix-filter Syntax: clear ipv6 bgp neighbor | [soft in prefix-filter] The parameter specifies a neighbor by its IPv6 address. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373. The specifies all neighbors in a specific peer group.
Clearing BGP4+ neighbor traffic counters You can clear the BGP4+ message counters (reset them to 0) for all neighbors, a single neighbor, or all neighbors within a specific peer group or AS. For example, to clear the BGP4+ message counters for all neighbors within AS 1001, enter a command such as the following at the Privileged EXEC level or any of the Config levels of the CLI.
Displaying BGP4+ information 45 The / parameter clears routes associated with a particular IPv6 prefix. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value. A slash mark (/) must follow the parameter and precede the parameter.
BigIron RX# show ipv6 bgp routes
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix            Next Hop    Metric   LocPrf   Weight   Status
1   2002::/16         ::          1        100      32768    BL
    AS_PATH:
2   2002:1234::/32    ::          1        100      32768    BL
    AS_PATH:
This display shows the following information.
TABLE 187 Summary of BGP4+ routes
This field...   Displays...
TABLE 187 Summary of BGP4+ routes (Continued)
This field...   Displays...
Status          The route's status, which can be one or more of the following:
                • A – AGGREGATE. The route is an aggregate route for multiple networks.
                • B – BEST. BGP4+ has determined that this is the optimal route to the destination.
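Operators usually scrape this display rather than read it, and the status column is the part that is easy to misread. The following added example (not Brocade code) parses the summary form of show ipv6 bgp routes into records, expands the status letters using the legend printed in the output, and runs two checks on the result: which prefixes are held but not selected as BEST, and which carry the local AS in their AS_PATH (the condition the routes-summary display later in this chapter counts under NLRIs Discarded due to AS Loop). The first two routes of the sample are the ones shown above; the third is constructed to exercise the checks, and a real switch would have discarded it rather than displayed it.

```python
"""Parse the summary output of show ipv6 bgp routes.
Added example, not Brocade code."""

import re
from typing import Dict, List, Set

# Status letters as printed in the legend line of the display; F only
# appears in the filtered-routes variant.
STATUS_CODES = {
    "A": "AGGREGATE", "B": "BEST", "b": "NOT-INSTALLED-BEST",
    "C": "CONFED_EBGP", "D": "DAMPED", "E": "EBGP", "H": "HISTORY",
    "I": "IBGP", "L": "LOCAL", "M": "MULTIPATH", "S": "SUPPRESSED",
    "F": "FILTERED",
}

_ROUTE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<prefix>\S+)\s+(?P<nexthop>\S+)\s+"
    r"(?P<metric>\d+)\s+(?P<locprf>\d+)\s+(?P<weight>\d+)\s+(?P<status>[A-Za-z]+)\s*$")
_ASPATH_RE = re.compile(r"^\s*AS_PATH:\s*(?P<path>.*?)\s*$")


def decode_status(code: str) -> Set[str]:
    """Expand a status string such as 'BL' into {'BEST', 'LOCAL'}."""
    unknown = set(code) - set(STATUS_CODES)
    if unknown:
        raise ValueError(f"unknown status letter(s): {sorted(unknown)}")
    return {STATUS_CODES[c] for c in code}


def parse_bgp_routes(text: str) -> List[Dict]:
    """One dict per route; the AS_PATH line that follows a route is attached to it."""
    routes: List[Dict] = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if m:
            routes.append({
                "prefix": m["prefix"], "next_hop": m["nexthop"],
                "metric": int(m["metric"]), "local_pref": int(m["locprf"]),
                "weight": int(m["weight"]), "status": decode_status(m["status"]),
                "as_path": [],
            })
            continue
        m = _ASPATH_RE.match(line)
        if m and routes:
            routes[-1]["as_path"] = [int(asn) for asn in m["path"].split()]
    return routes


def not_best(routes: List[Dict]) -> List[str]:
    """Prefixes the switch holds but did not select (dampened, suppressed, ...)."""
    return [r["prefix"] for r in routes if "BEST" not in r["status"]]


def find_as_loops(routes: List[Dict], local_as: int) -> List[str]:
    """Prefixes whose AS_PATH already contains our own AS number."""
    return [r["prefix"] for r in routes if local_as in r["as_path"]]


# Constructed sample: routes 1 and 2 as shown in the guide, route 3 invented
# (a dampened EBGP route whose AS_PATH contains AS 65002).
SAMPLE = """\
Total number of BGP Routes: 3
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix            Next Hop        Metric  LocPrf  Weight  Status
1   2002::/16         ::              1       100     32768   BL
    AS_PATH:
2   2002:1234::/32    ::              1       100     32768   BL
    AS_PATH:
3   800:2:1::/64      2000:1:1::1     0       100     0       ED
    AS_PATH: 100 65002 100
"""

if __name__ == "__main__":
    routes = parse_bgp_routes(SAMPLE)
    for r in routes:
        print(r["prefix"], sorted(r["status"]), r["as_path"])
    print("not best:", not_best(routes))
    print("AS loops for AS 65002:", find_as_loops(routes, 65002))
```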
45 Displaying BGP4+ information The as-path-filter parameter filters the display using the specified AS-path filter. The best keyword displays the routes received from neighbors that the switch selected as the best routes to their destinations. The cidr-only keyword lists only the routes whose network masks do not match their class network length. The community parameter lets you display routes for a specific community.
BigIron RX# show ipv6 bgp routes detail
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
1  Prefix: 2002::/16, Status: BL, Age: 2d17h10m42s
   NEXT_HOP: ::, Learned from Peer: Local Router
   LOCAL_PREF: 100, MED: 1, ORIGIN: incomplete, Weight: 32768
   AS_PATH:
   Adj_RIB_out count: 1, Admin distance 190
2  Prefix: 2002:1234::/32, Status: BL, Age: 2d17h10m42s
   NEXT_HOP: ::, Learned
TABLE 188 Detailed BGP4+ route information (Continued)
This field...   Displays...
Origin          The source of the route information: EGP, IGP or INCOMPLETE, as described for Table 202.
Status          The route's status, which can be one or more of the following:
                • A – AGGREGATE. The route is an aggregate route for multiple networks.
                • B – BEST. BGP4+ has determined that this is the optimal route to the destination.
Displaying BGP4+ information 45 The parameter specifies the table entry with which you want the display to start. For example, if you specify 100, the display shows entry 100 and all entries subsequent to entry 100. The age parameter displays only the routes that have been received or updated more recently than the number of seconds you specify. The as-path-access-list parameter filters the display using the specified AS-path ACL.
45 Displaying BGP4+ information Displaying BGP4+ route information You can display all BGP4+ routes known by a switch, only those routes that match a specified prefix, or routes that match a specified or longer prefix. To display all BGP4+ routes known by the switch, enter the following command at any level of the CLI.
TABLE 189 BGP4+ route information
This field...   Displays...
Total number of BGP Routes (appears in display of all BGP routes only)
                The number of routes known by the switch.
Number of BGP Routes matching display condition (appears in display that matches specified and longer prefixes)
                The number of routes that matched the display parameters you entered. This is the number of routes displayed by the command.
Syntax: show ipv6 bgp attribute-entries For information about displaying route-attribute entries for a specified BGP4+ neighbor, refer to "Displaying BGP4+ neighbor route-attribute entries" on page 1169. This display shows the following information:
TABLE 190 BGP4+ route-attribute entries information
This field...   Displays...
Total number of BGP Attribute Entries   The number of entries contained in the switch's BGP4+ route-attribute entries table.
Displaying BGP4+ information 45 Displaying the BGP4+ running configuration To view the active BGP4+ configuration information contained in the running configuration without displaying the entire running configuration, enter the following command at any level of the CLI.
TABLE 191 Dampened BGP4+ path information
This field...   Displays...
Status codes    A list of the characters the display uses to indicate the path's status. The status code appears in the left column of the display, to the left of each route. The status codes are described in the command's output. The status column displays a "d" for each dampened route.
Network         The destination network of the route.
From            The IPv6 address of the advertising peer.
Displaying BGP4+ information 45 The longer-prefixes keyword allows you to display routes that match a specified or longer IPv6 prefix. For example, if you specify 2002::/16 longer-prefixes, then all routes with the prefix 2002::/16 or that have a longer prefix (such as 2002:e016::/32) are displayed. The as-path-access-list parameter specifies an AS-path ACL. Specify an ACL name. Only the routes permitted by the AS-path ACL are displayed.
TABLE 192 Summary of filtered-out BGP4+ route information (Continued)
This field...   Displays...
Weight          The value that this switch associates with routes from a specific neighbor. For example, if the switch receives routes to the same destination from two BGP4+ neighbors, the switch prefers the route from the neighbor with the larger weight.
BigIron RX# show ipv6 bgp filtered-routes detail
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
1  Prefix: 800:2:1::/64, Status: EF, Age: 0h0m10s
   NEXT_HOP: 2000:1:1::1, Learned from Peer: 2000:1:1::1 (100)
   LOCAL_PREF: 100, MED: 0, ORIGIN: incomplete, Weight: 0
   AS_PATH: 100
2  Prefix: 900:1:18::/64, Status: EF, Age: 0h0m10s
   NEXT_HOP: 2000:1:1::1, Learned from Peer: 2000:1:1::1 (100)
   LOCA
TABLE 193 Detailed filtered-out BGP4+ route information (Continued)
This field...       Displays...
Next hop            For information about this field, refer to Table 192 on page 1155.
Learned from peer   The IPv6 address of the neighbor from which this route is learned. "Local router" indicates that the switch itself learned the route.
Local pref          For information about this field, refer to Table 192 on page 1155.
MED                 The value of the advertised route's MED attribute.
BigIron RX# show ipv6 bgp flap-statistics
Total number of flapping routes: 14
Status Code >:best d:damped h:history *:valid
   Network         From          Flaps   Since      Reuse     Path
h> 2001:2::/32     3001:23::47   1       0 :0 :13   0 :0 :0   65001 4355 1 701
*> 3892:34::/32    3001:23::47   1       0 :1 :4    0 :0 :0   65001 4355 701 62
Syntax: show ipv6 bgp flap-statistics [/ [longer-prefixes] | as-path-filter | neighbor | regular-expression ] The
45 Displaying BGP4+ information TABLE 194 Route flap dampening statistics This field... Displays... Reuse The amount of time (in hh:mm:ss) after which the path is again available. Path The AS path of the route. You also can display all the dampened routes by using the show ipv6 bgp dampened-paths command. For more information, refer to “Displaying dampened BGP4+ paths” on page 1153.
Displaying BGP4+ information 45 BigIron RX# show ipv6 bgp neighbor 2000:4::110 1 IP Address: 2000:4::110, AS: 65002 (EBGP), RouterID: 1.1.1.
TABLE 195 BGP4+ neighbor configuration information and statistics (Continued)
This field...   Displays...
EBGP/IBGP       Whether the neighbor session is an IBGP session, an EBGP session, or a confederation EBGP session.
                • EBGP – The neighbor is in another AS.
                • EBGP_Confed – The neighbor is a member of another sub-AS in the same confederation.
                • IBGP – The neighbor is in the same AS.
RouterID        The neighbor's router ID.
TABLE 195 BGP4+ neighbor configuration information and statistics (Continued)
This field...                Displays...
Messages Sent and Received   The number of messages this switch has sent to and received from the neighbor.
TABLE 195 BGP4+ neighbor configuration information and statistics (Continued)
This field...   Displays...
Last Connection Reset Reason (cont.
TABLE 195 BGP4+ neighbor configuration information and statistics (Continued)
This field...       Displays...
Notification Sent   If the switch receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
TABLE 195 BGP4+ neighbor configuration information and statistics (Continued)
This field...          Displays...
TCP Connection state   The state of the connection with the neighbor. The connection can have one of the following states:
                       • LISTEN – Waiting for a connection request.
                       • SYN-SENT – Waiting for a matching connection request after having sent a connection request.
TABLE 195 BGP4+ neighbor configuration information and statistics (Continued)
This field...   Displays...
TotalRcv        The number of sequence numbers received from the neighbor.
DupliRcv        The number of duplicate sequence numbers received from the neighbor.
RcvWnd          The size of the receive window.
SendQue         The number of sequence numbers in the send queue.
RcvQue          The number of sequence numbers in the receive queue.
CngstWnd        The number of times the window has changed.
TABLE 196 Summary of route information advertised to a BGP4+ neighbor
This field...   Displays...
Number of BGP4+ Routes advertised to specified neighbor (appears only in display for all routes)
                The number of routes displayed by the command.
Status codes    A list of the characters the display uses to indicate the route's status. The status code appears in the Status column of the display. The status codes are described in the command's output.
TABLE 197 Detailed route information advertised to a BGP4+ neighbor
This field...   Displays...
Number of BGP4+ Routes advertised to specified neighbor (appears only in display for all routes)
                For information about this field, refer to Table 196 on page 1168.
Status codes    For information about this field, refer to Table 196 on page 1168.
Prefix          For information about this field, refer to Table 196 on page 1168.
BigIron RX# show ipv6 bgp neighbor 2000:4::110 attribute-entries
Total number of BGP Attribute Entries: 1
1  Next Hop :2000:4::106  Metric :1  Origin:INCOMP
   Originator:0.0.0.0  Cluster List:None
   Aggregator:AS Number :0  Router-ID:0.0.0.
TABLE 198 BGP4+ neighbor route-attribute entries information (Continued)
This field...      Displays...
Communities        The communities that routes with this set of attributes are in.
AS Path            The ASs through which routes with this set of attributes have passed. The local AS is shown in parentheses.
Address            For debugging purposes only.
Hash               For debugging purposes only.
Reference Counts   For debugging purposes only.
45 Displaying BGP4+ information Displaying last error packet from a BGP4+ neighbor You can display information about the last packet that contained an error from any of a switch’s neighbors. The displayed information includes the error packet's contents decoded in a human-readable format. For example, to display information about the last error packet from any of a switch’s neighbors, enter the following command.
Displaying BGP4+ information 45 BigIron RX# show ipv6 bgp neighbor 2:2:2:2:: received-routes There are 4 received routes from neighbor 2:2:2:2:: Searching for matching routes, use ^C to quit...
TABLE 201 Summary of route information received from a BGP4+ neighbor (Continued)
This field...   Displays...
Weight          The value that this switch associates with routes from a specific neighbor. For example, if the switch receives routes to the same destination from two BGP4+ neighbors, the switch prefers the route from the neighbor with the larger weight.
Status          The advertised route's status, which can be one or more of the following:
                A – AGGREGATE.
Displaying BGP4+ information 45 BigIron RX# show ipv6 bgp neighbor 2000:1:1::1 received-routes detail There are 4 received routes from neighbor 2000:1:1::1 Searching for matching routes, use ^C to quit...
TABLE 202 Detailed route information received from a BGP4+ neighbor (Continued)
This field...   Displays...
Origin          The source of the route information. The origin can be one of the following:
                • EGP – The routes with this set of attributes came to BGP4+ through EGP.
                • IGP – The routes with this set of attributes came to BGP4+ through IGP.
                • INCOMPLETE – The routes came from an origin other than one of the above.
Displaying BGP4+ information 45 The detail / parameter displays detailed information about the specified RIB routes. If you do not specify this parameter, a summary of the RIB routes displays. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value.
BigIron RX# show ipv6 bgp neighbor 2000:4::110 rib-out-routes detail
There are 2 RIB_out routes for neighbor 2000:4::110
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST E:EBGP I:IBGP L:LOCAL
1  Prefix: 2002:1234::/32, Status: BL, Age: 6d18h17m53s
   NEXT_HOP: ::, Learned from Peer: Local Router
   LOCAL_PREF: 100, MED: 1, ORIGIN: incomplete, Weight: 32768
   AS_PATH:
   Adj_RIB_out count: 1, Admin distance 190
2  Prefix: 2002::/16, Status: BL, Age: 6d18h21m8s
   NEXT_HOP: ::, Learned from Pe
• Best routes – The “best” routes to their destinations, which are installed in the switch’s IPv6 route table.
• Unreachable – The routes whose destinations are unreachable using any of the BGP4+ paths in the IPv6 route table.
For example, to display a summary of the best routes to a destination received from neighbor 2000:4::106, enter the following command.
TABLE 205 Summary of best and unreachable routes from a BGP4+ neighbor (Continued)
This field... – Displays...
Status – The route’s status, which can be one or more of the following:
• A – AGGREGATE. The route is an aggregate route for multiple networks.
• B – BEST. BGP4+ has determined that this is the optimal route to the destination.
• C – CONFED_EBGP. The route was learned from a neighbor in the same confederation and AS, but in a different sub-AS within the confederation.
TABLE 206 Detailed best and unreachable routes from a BGP4+ neighbor
This field... – Displays...
Number of accepted routes from a specified neighbor (appears only in display for all routes) – For information about this field, refer to Table 205 on page 1179.
Status codes – For information about this field, refer to Table 205 on page 1179.
Prefix – For information about this field, refer to Table 205 on page 1179.
BigIron RX# show ipv6 bgp neighbor 2000:4::110 routes-summary
1 IP Address: 2000:4::110
Routes Accepted/Installed:0, Filtered/Kept:0, Filtered:0
Routes Selected as BEST Routes:0
BEST Routes not Installed in IP Forwarding Table:0
Unreachable Routes (no IGP Route for NEXTHOP):0
History Routes:0
NLRIs Received in Update Message:0, Withdraws:0 (0), Replacements:0
NLRIs Discarded due to Maximum Prefix Limit:0, AS Loop:0
Invalid Nexthop:0, Invalid Nexthop Address:0.0.0.
TABLE 207 BGP4+ neighbor route summary information (Continued)
This field... – Displays...
NLRIs Discarded due to – Indicates the number of times the switch discarded an NLRI for the neighbor due to the following reasons:
• Maximum Prefix Limit – The switch’s configured maximum prefix amount had been reached.
• AS Loop – An AS loop occurred. An AS loop occurs when the BGP4+ AS-path attribute contains the local AS number.
BigIron RX# show ipv6 bgp peer-group peer1
1 BGP peer-group is pg1, Remote AS: 65002
Description: device group 1
NextHopSelf: yes
Address family : IPV4 Unicast
Address family : IPV4 Multicast
Address family : IPV6 Unicast
Members:
IP Address: 192.169.102.2
IP Address: 192.169.100.2
IP Address: 192.169.101.2
IP Address: 192.169.103.2
IP Address: 192.169.104.2
IP Address: 192.169.105.2
IP Address: 192.169.106.2
IP Address: 192.169.107.2
IP Address: 192.169.108.
TABLE 208 BGP4+ summary information (Continued)
This field... – Displays...
Confederation Peers – The numbers of the local ASs contained in the confederation. This list matches the confederation peer list you configure on the switch.
Maximum Number of Paths Supported for Load Sharing – The maximum number of route paths across which the switch can balance traffic to the same destination. The feature is enabled by default but the default number of paths is 1.
TABLE 208 BGP4+ summary information (Continued)
This field... – Displays...
State – The state of this switch’s neighbor session with each neighbor. The states are from this switch’s perspective of the session, not the neighbor’s perspective. The state values can be one of the following for each switch:
• IDLE – The BGP4+ process is waiting to be started. Usually, enabling BGP4+ or establishing a neighbor session starts the BGP4+ process.
Chapter 46 Configuring IPv6 MBGP
Brocade’s implementation of IPv6 supports multiprotocol BGP (MBGP) extensions, which allow IPv6 BGP (known as BGP4+) to distribute routing information for protocols such as IPv4 BGP. The supported protocols are identified by address families. The extensions allow a set of BGP4+ peers to exchange routing information for multiple address families and sub-address families.
Setting the maximum number of multicast routes supported
The BigIron RX supports 1024 – 153,600 multicast routes.
NOTE
This procedure requires a software reload to place the change into effect.
To increase the maximum number of multicast routes supported on the device, enter commands such as the following.
This command adds a router with IPv6 address 3001::1 as an MBGP neighbor. The remote-as 44 parameter specifies that the neighbor is in remote BGPv6 AS 44. The device will exchange only multicast routes with the neighbor.
NOTE
If the BigIron RX has multiple neighbors with similar attributes, you can simplify configuration by configuring a peer group, then adding individual neighbors to it.
Advertising routes from the local AS to MBGP
You can configure the device to advertise directly-connected and static multicast routes from the local AS to other ASs using the following methods:
• For directly-connected routes: enable redistribution of directly-connected multicast routes.
• For indirectly-connected routes: configure static IPv6 multicast routes. The corresponding IPv6 route must be present in the IPv6 multicast table.
BigIron RX(config)# access-list 10 permit 2001:100::/32
BigIron RX(config)# route-map mbgpmap permit 1
BigIron RX(config-routemap mbgpmap)# match ipv6 address 10
BigIron RX(config-routemap mbgpmap)# exit
BigIron RX(config)# router bgp
BigIron RX(config-bgp-ipv6m)# redistribute connected route-map mbgpmap
The first command configures an IPv6 ACL for use in the route map. The ACL matches on the destination network for the route to be redistributed.
Aggregating routes advertised to IPv6 BGP neighbors
By default, the device advertises individual MBGP routes for all the multicast networks. The aggregation feature allows you to configure the device to aggregate routes in a range of networks into a single CIDR number. To aggregate MBGP routes, enter the following command.
Displaying IPv6 MBGP information 46
TABLE 209 IPv6 MBGP show commands (Continued)
Command – Description
show ipv6 mbgp dampened-paths – Displays IPv6 MBGP paths that have been dampened by route flap dampening.
show ipv6 mbgp flap-statistics – Displays route flap dampening statistics.
show ipv6 mbgp filtered-routes – Displays routes that have been filtered out.
Displaying summary MBGP information
To display summary MBGP information, enter the following command at any CLI prompt.
BigIron RX# show ipv6 mbgp config
Current BGP configuration:
router bgp
local-as 200
neighbor 166.1.1.2 remote-as 200
address-family ipv6 unicast
no neighbor 166.1.1.2 activate
exit-address-family
address-family ipv6 multicast
redistribute connected
redistribute static
neighbor 166.1.1.
BigIron RX# show ipv6 mbgp neighbor 4fee:2343:0:ee44::1
Total number of BGP Neighbors: 1
1 ipv6 Address: 8eff::0/32, Remote AS: 200 (IBGP), RouterID: 8.8.8.1
State: ESTABLISHED, Time: 0h33m26s, KeepAliveTime: 60, HoldTime: 180
KeepAliveTimer Expire in 9 seconds, HoldTimer Expire in 161 seconds
PeerGroup: mbgp-mesh
MD5 Password: $Gsig@U\
NextHopSelf: yes
RefreshCapability: Received
Messages:  Open  Update  KeepAlive  Notification  Refresh-Req
Sent :     2     3264    17         0             0
Received:  1
BigIron RX# show ipv6 mbgp route
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
    Prefix       Next Hop   Metric  LocPrf  Weight  Status
1   8.8.8.0/24   166.1.1.2  0       100     0       BI
    AS_PATH:
2   31.1.1.0/24  166.1.1.2  0       100     0       BI
    AS_PATH:
Syntax: show ipv6 mbgp routes
Displaying the IPv6 multicast route table
To display the IPv6 multicast route table, enter the following command.
Chapter 47 IPv6 Access Control Lists (ACLs)
IPv6 ACLs
Brocade supports IPv6 Access Control Lists (ACLs), which you can use for traffic filtering. You can configure up to 100 IPv6 ACLs. An IPv6 ACL is composed of one or more conditional statements that specify an action (permit or deny) to take if a packet matches a specified source or destination prefix. There can be up to 1024 statements per device. In ACLs with multiple statements, you can specify a priority for each statement.
Using IPv6 ACLs as input to other features 47
For TCP and UDP, you also can specify a comparison operator and port name or number. For example, you can configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP) packets from a specified source IPv6 address to the website’s IPv6 address. IPv6 ACLs also provide support for filtering packets based on DSCP.
Configuring an IPv6 ACL 47
BigIron RX(config)# ipv6 access-list netw
BigIron RX(config-ipv6-access-list-netw)# permit icmp 2000:2383:e0bb::/64 2001:3782::/64
BigIron RX(config-ipv6-access-list-netw)# deny ipv6 host 2000:2383:e0ac::2 host 2000:2383:e0aa:0::24
BigIron RX(config-ipv6-access-list-netw)# deny udp any any
BigIron RX(config-ipv6-access-list-netw)# permit ipv6 any any
The first condition permits ICMP traffic from hosts in the 2000:2383:e0bb::x network to hosts in the 2001:3782::x network.
BigIron RX(config)# sh ipv6 access-list rtr
ipv6 access-list rtr: 3 entries
10: deny tcp 2001:1570:21::/24 2001:1570:22::/24
20: deny udp any range 5 6 2001:1570:22::/24
30: permit ipv6 any any
The following commands apply the ACL “rtr” to the incoming traffic on ports 2/1 and 2/2.
Furthermore, if you add the statement deny icmp any any in the access list, then all neighbor discovery messages will be denied. You must explicitly enter the permit icmp any any nd-na and permit icmp any any nd-ns statements just before the deny icmp statement if you want the ACLs to permit neighbor discovery, as in the example below.
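The ordering rule in the paragraph above, as an added illustration that is not Brocade code: a first-match evaluator for the statement syntax used in this chapter, run against the “netw” list and the neighbor-discovery case. It assumes top-to-bottom first-match evaluation with an implicit deny at the end of the list; the sample packet addresses are constructed.

```python
# First-match IPv6 ACL evaluator modelled on this guide's statement syntax.
# Added illustration, not Brocade code. Assumed: statements are checked top
# to bottom, the first match decides, unmatched packets hit an implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                            # "permit" or "deny"
    proto: str                             # "ipv6" (any protocol), "icmp", "tcp", "udp"
    src: Optional[ipaddress.IPv6Network]   # None means "any"
    dst: Optional[ipaddress.IPv6Network]   # None means "any"
    icmp_type: Optional[str] = None        # e.g. "nd-ns"; None means every ICMP type


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    icmp_type: Optional[str] = None


def _parse_addr(tokens: List[str]) -> Tuple[Optional[ipaddress.IPv6Network], List[str]]:
    """Consume 'any', 'host <address>' or '<prefix>/<length>' from the token list."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv6Network(tokens[1]), tokens[2:]   # a /128 network
    return ipaddress.IPv6Network(tokens[0], strict=False), tokens[1:]


def parse_entry(statement: str) -> AclEntry:
    """Parse '<permit|deny> <proto> <src> <dst> [icmp-message-type]'."""
    tokens = statement.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    icmp_type = rest[0] if proto == "icmp" and rest else None
    return AclEntry(action, proto, src, dst, icmp_type)


def parse_acl(statements: List[str]) -> List[AclEntry]:
    return [parse_entry(s) for s in statements]


def make_packet(proto: str, src: str, dst: str, icmp_type: Optional[str] = None) -> Packet:
    return Packet(proto, ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), icmp_type)


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the statement that matched); index None = implicit deny."""
    for index, entry in enumerate(acl):
        if entry.proto != "ipv6" and entry.proto != pkt.proto:
            continue
        if entry.src is not None and pkt.src not in entry.src:
            continue
        if entry.dst is not None and pkt.dst not in entry.dst:
            continue
        if entry.icmp_type is not None and entry.icmp_type != pkt.icmp_type:
            continue
        return entry.action, index
    return "deny", None   # assumed implicit deny when nothing matched


# The "netw" list from the configuration example in this section.
NETW_ACL = parse_acl([
    "permit icmp 2000:2383:e0bb::/64 2001:3782::/64",
    "deny ipv6 host 2000:2383:e0ac::2 host 2000:2383:e0aa:0::24",
    "deny udp any any",
    "permit ipv6 any any",
])

# A list whose blanket ICMP deny also drops neighbor discovery.
ND_BLOCKING_ACL = parse_acl([
    "deny icmp any any",
    "permit ipv6 any any",
])

# The ordering the guide requires: nd-na and nd-ns permits precede the ICMP deny.
ND_PRESERVING_ACL = parse_acl([
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny icmp any any",
    "permit ipv6 any any",
])

# Constructed sample packets; the addresses are illustrative only.
NEIGHBOR_SOLICITATION = make_packet("icmp", "fe80::1", "ff02::1:ff00:2", "nd-ns")
ECHO_REQUEST = make_packet("icmp", "2000:2383:e0bb::5", "2001:3782::9", "echo-request")


def nd_survives(acl: List[AclEntry]) -> bool:
    """True when the list still lets a neighbor solicitation through."""
    return evaluate(acl, NEIGHBOR_SOLICITATION)[0] == "permit"
```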
For TCP
Syntax: [no] ipv6 access-list
Syntax: permit | deny | any | host [tcp-udp-operator [source-port-number]] | any | host [tcp-udp-operator [destination-port-number]] [ipv6-operator []] [match-all ] | [match-any ] | established [802.1p-priority-matching ] [dscp-marking 802.
TABLE 210 Syntax descriptions (Continued)
Arguments... – Description...
The source prefix and prefix length parameters specify a source prefix and prefix length that a packet must match for the specified action (deny or permit) to occur. You must specify the prefix in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the prefix length as a decimal value.
TABLE 210 Syntax descriptions (Continued)
Arguments... – Description...
tcp-udp-operator – The parameter can be one of the following:
• eq – The policy applies to the TCP or UDP port name or number you enter after eq.
• gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt. Enter "?" to list the port names.
TABLE 210 Syntax descriptions (Continued)
Arguments... – Description...
dscp-marking – Use the dscp-marking parameter to specify a new QoS value for the packet. If a packet matches the filters in the ACL statement, this parameter assigns the DSCP value that you specify to the packet. Enter 0 – 63.
802.1p-priority-marking – Use the 802.1p-priority-marking parameter to specify a new QoS value for the packet.
• parameter-problem
• port-unreachable
• reassembly-timeout
• renum-command
• renum-result
• renum-seq-number
• router-advertisement
• router-renumbering
• router-solicitation
• sequence
• time-exceeded
• unreachable
NOTE
If you do not specify a message type, the ACL applies to all ICMP message types.
Applying an IPv6 ACL to an interface
To apply an IPv6 ACL, for example “access1”, to an interface, enter commands such as the following.
BigIron RX(config)# ipv6 access-list fdry
BigIron RX(config-ipv6-access-list fdry)# permit tcp any any match-all +ack +syn
BigIron RX(config-ipv6-access-list fdry)# permit tcp any any match-any -urg +syn -psh
BigIron RX(config-ipv6-access-list fdry)# end
Adding a comment to an IPv6 ACL entry
You can optionally add a comment to describe entries in an IPv6 ACL. The comment appears in the output of show commands that display ACL information.
Displaying ACLs 47
BigIron RX# show running-config
ipv6 access-list rtr
remark This entry permits ipv6 packets from 3002::2 to any destination
permit ipv6 host 3000::2 any
remark This entry denies udp packets from any source to any destination
deny udp any any
remark This entry denies IPv6 packets from any source to any destination
deny ipv6 any any
Syntax: show running-config
The following example shows the comment text for the ACL named "rtr" in a show ipv6 access-list display.
Chapter 48 Configuring OSPF Version 3
OSPF version 3
Open Shortest Path First (OSPF) is a link-state routing protocol. OSPF uses link-state advertisements (LSAs) to update neighboring routers about its interfaces and information on those interfaces. The switch floods LSAs to all neighboring routers to update them about the interfaces. Each router maintains an identical database that describes its area topology to help a router determine the shortest path between it and any neighboring router.
• Interarea-prefix LSAs for ABRs (Type 3)
• Interarea-router LSAs for ASBRs (Type 4)
• Autonomous system external LSAs (Type 5)
• Link LSAs (Type 8)
• Intra-area prefix LSAs (Type 9)
For more information about these LSAs, refer to RFC 2740.
Configuring OSPFv3
To configure OSPFv3, you must do the following:
• Enable OSPFv3 globally.
• Assign OSPF areas.
• Assign router interfaces to an OSPF area.
After you enter this command, the Brocade device enters the IPv6 OSPF configuration level, where you can access several commands that allow you to configure OSPFv3.
Syntax: [no] ipv6 router ospf
To disable OSPFv3, enter the no form of this command. If you disable OSPFv3, the Brocade device removes all the configuration information for the disabled protocol from the running-config.
Assigning a totally stubby area
By default, the Brocade device sends summary LSAs (LSA type 3) into stub areas. You can further reduce the number of LSAs sent into a stub area by configuring the Brocade device to stop sending summary LSAs into the area. You can disable the summary LSAs when you are configuring the stub area or later after you have configured the area.
Configuring virtual links
All ABRs must have either a direct or indirect link to an OSPF backbone area (0.0.0.0 or 0). If an ABR does not have a physical link to a backbone area, you can configure a virtual link from the ABR to another router within the same area that has a physical connection to the backbone area.
BigIron RX(config-ospf6-router)# virtual-link-if-address interface ethernet 3/1
To specify the global IPv6 address assigned to tunnel interface 1 on ABR2 as the source address for the virtual link on ABR2, enter the following command on ABR2.
Changing the reference bandwidth for the cost on OSPFv3 interfaces
Each interface on which OSPFv3 is enabled has a cost associated with it. The Brocade device advertises its interfaces and their costs to OSPFv3 neighbors. For example, if an interface has an OSPF cost of ten, the Brocade device advertises the interface with a cost of ten to other OSPF routers. By default, an interface’s OSPF cost is based on the port speed of the interface.
• 1000 Mbps port’s cost = 500/1000 = 0.5, which is rounded up to 1
• 155 Mbps port’s cost = 500/155 = 3.23, which is rounded up to 4
• 622 Mbps port’s cost = 500/622 = 0.80, which is rounded up to 1
• 2488 Mbps port’s cost = 500/2488 = 0.20, which is rounded up to 1
The costs for 10 Mbps, 100 Mbps, and 155 Mbps ports change as a result of the changed reference bandwidth. Costs for higher-speed interfaces remain the same.
The level-1 | level-1-2 | level-2 keywords (for IPv6 IS-IS only) allow you to specify that the Brocade device redistributes level-1 routes only, level-2 routes only, or both level-1 and level-2 routes. The metric parameter specifies the metric used for the redistributed route.
• set metric-type type-1 | type-2
• set tag
NOTE
You must configure the route map before you configure a redistribution filter that uses the route map.
NOTE
When you use a route map for route redistribution, the software disregards the permit or deny action of the route map.
BigIron RX(config-ospf6-router)# metric-type type1
Syntax: [no] metric-type type1 | type2
To restore the metric type to the default value, use the no form of this command.
Configuring external route summarization
When the Brocade device is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to advertise one external route as an aggregate for all redistributed routes that are covered by a specified IPv6 address range.
You must specify the prefix length as a decimal value. A slash mark (/) must follow the prefix and precede the prefix length.
Filtering OSPFv3 routes
You can filter the routes to be placed in the OSPFv3 route table by configuring distribution lists. OSPFv3 distribution lists can be applied globally or to an interface. The functionality of OSPFv3 distribution lists is similar to that of OSPFv2 distribution lists.
BigIron RX(config)# ipv6 router ospf
BigIron RX(config-ospf6-router)# distribute-list prefix-list filterOspfRoutes in
Syntax: [no] distribute-list prefix-list in []
After this distribution list is configured, route 3010::/64 would be omitted from the OSPFv3 route table:
BigIron RX# show ipv6 ospf route
Current Route count: 4
Intra: 3 Inter: 0 External: 1 (Type1 0/Type2 1)
Equal-cost multi-path: 0
Destination Options Area Next Hop Router Outgoing Interface
*IA 300
Configuring an OSPFv3 distribution list using a route map as input
The following commands configure a route map that matches internal routes.
BigIron RX(config)# route-map allowInternalRoutes permit 10
BigIron RX(config-routemap allowInternalRoutes)# match route-type internal
Refer to Chapter 22, “Policy-Based Routing” for information on configuring route maps.
For example, to create and advertise a default route with a metric of 2 and as a type 1 external route, enter the following command.
BigIron RX(config-ospf6-router)# default-information-originate always metric 2 metric-type type1
Syntax: [no] default-information-originate [always] [metric ] [metric-type ]
The always keyword originates a default route regardless of whether the device has learned a default route. This option is disabled by default.
BigIron RX(config-ospf6-router)# timers spf 10 20
Syntax: timers spf
For the and parameters, specify a value from 0 – 65535 seconds. To set the timers back to their default values, enter the no version of this command.
Modifying administrative distance
The Brocade device can learn about networks from various protocols, including BGP4+, IPv6 IS-IS, RIPng, and OSPFv3.
To reset the administrative distance of a route type to its system default, enter the no form of this command.
Configuring the OSPFv3 LSA pacing interval
The Brocade device paces OSPFv3 LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA’s refresh timer expires. The accumulated LSAs constitute a group, which the Brocade device refreshes and sends out together in one or more packets.
For example, to change the maximum number of entries from the default of 2000 to 3000, enter the following command.
BigIron RX(config-ospf6-router)# external-lsdb-limit 3000
Syntax: ipv6 ospf area |
The parameter can be a numerical value from 500 – 8000 seconds. To reset the maximum number of entries to its system default, enter the no form of this command.
Modifying OSPFv3 interface defaults
OSPFv3 has interface parameters that you can configure.
• Transmit-delay: The time it takes to transmit Link State Update packets on this interface. The command syntax is ipv6 ospf transmit-delay . The value can be from 0 – 3600 seconds. The default is 1 second.
Disabling or reenabling event logging
OSPFv3 does not currently support the generation of SNMP traps. Instead, you can disable or re-enable the logging of OSPFv3-related events such as neighbor state changes and database overflow conditions.
Displaying OSPFv3 information 48
BigIron RX# show ipv6 ospf area
Area 0:
Interface attached to this area: loopback 2 ethe 3/2 tunnel 2
Number of Area scoped LSAs is 6
Statistics of Area 0:
SPF algorithm executed 16 times
SPF last updated: 335256 sec ago
Current SPF node count: 3
Router: 2 Network: 1
Maximum of Hop count to nodes: 2
...
Syntax: show ipv6 ospf area []
You can specify the parameter in the following formats:
• As an IPv4 address, for example, 192.168.1.
BigIron RX# show ipv6 ospf database
Area ID  Type  LS ID     Adv Rtr
0        Link  000001e6  223.223.223.223
0        Link  000000d8  1.1.1.1
0        Link  00000185  223.223.223.223
0        Iap   00000077  223.223.223.223
0        Rtr   00000124  223.223.223.223
0        Net   00000016  223.223.223.223
0        Iap   000001d1  223.223.223.223
0        Iap   000000c3  1.1.1.1
0        Rtr   00000170  1.1.1.1
N/A      Extn  00000062  223.223.223.223
N/A      Extn  0000021d  223.223.223.
TABLE 212 OSPFv3 database summary fields (Continued)
This field... – Displays...
Seq(Hex) – The sequence number of the LSA. The OSPF neighbor that sent the LSA stamps it with a sequence number to enable the Brocade device and other OSPF routers to determine which LSA for a given route is the most recent.
Age – The age of the LSA, in seconds.
Chksum – A checksum for the LSA packet. The checksum is based on all the fields in the packet except the age field.
BigIron RX# show ipv6 ospf database extensive
Area ID  Type  LS ID     Adv Rtr  Seq(Hex)  Age
0        Link  00000031  1.1.1.1  80000001  35
Router Priority: 1
Options: V6E---R-
LinkLocal Address: fe80::1
Number of Prefix: 1
Prefix Options:
Prefix: 3002::/64
...
Area ID  Type  LS ID     Adv Rtr          Seq(Hex)  Age
0        Iap   00000159  223.223.223.223  800000ab  357
Number of Prefix: 2
Referenced LS Type: Network
Referenced LS ID: 00000159
Referenced Advertising Router: 223.223.223.
TABLE 213 OSPFv3 detailed database information fields
This field... – Displays...
Router LSA (Type 1) (Rtr) fields
Capability Bits – A bit that indicates the capability of the Brocade device. The bit can be set to one of the following:
• B – The device is an area border router.
• E – The device is an AS boundary router.
• V – The device is a virtual link endpoint.
• W – The device is a wildcard multicast receiver.
TABLE 213 OSPFv3 detailed database information fields (Continued)
This field... – Displays...
Network LSA (Type 2) (Net) fields
Options – A 24-bit field that enables IPv6 OSPF routers to support the optional capabilities. When set, the following bits indicate the following:
• V6 – The device should be included in IPv6 routing calculations.
• E – The device floods AS-external-LSAs as described in RFC 2740.
• MC – The device forwards multicast packets as described in RFC 1586.
TABLE 213 OSPFv3 detailed database information fields (Continued)
This field... – Displays...
Prefix Options – An 8-bit field of capabilities that serve as input to various routing calculations:
• NU – The prefix is excluded from IPv6 unicast calculations.
• LA – The prefix is an IPv6 interface address of the advertising router.
• MC – The prefix is included in IPv6 multicast routing calculations.
• P – NSSA area prefixes are readvertised at the NSSA area border.
Prefix
TABLE 214 Summary of OSPFv3 interface information
This field... – Displays...
Interface – The interface type, and the port number or number of the interface.
OSPF – The state of OSPFv3 on the interface. Possible states include the following:
• Enabled
• Disabled
Status – The status of the link. Possible statuses include the following:
• Up
• Down
State – The state of the interface.
Area
TABLE 215 Detailed OSPFv3 interface information
This field... – Displays...
Interface status – The status of the interface. Possible statuses include the following:
• Up
• Down
Type – The type of OSPFv3 circuit running on the interface. Possible types include the following:
• BROADCAST
• POINT TO POINT
• UNKNOWN
IPv6 Address – The IPv6 address(es) assigned to the interface.
Instance ID – An identifier for an instance of OSPFv3.
Router ID – The IPv4 address of the Brocade device.
TABLE 215 Detailed OSPFv3 interface information (Continued)
This field... – Displays...
Neighbor – The router ID (IPv4 address) of the neighbor. This field also identifies the neighbor as a DR or BDR, if appropriate.
Interface statistics – The following statistics are provided for the interface:
• Unknown – The number of Unknown packets transmitted and received by the interface. Also, the total number of bytes associated with transmitted and received Unknown packets.
This display shows the following information.
TABLE 216 OSPFv3 memory usage information
This field... – Displays...
Total Static Memory Allocated – A summary of the amount of static memory allocated, in bytes, to OSPFv3.
Total Dynamic Memory Allocated – A summary of the amount of dynamic memory allocated, in bytes, to OSPFv3.
Memory Type – The type of memory used by OSPFv3. (This information is for use by Brocade’s technical support in case of a problem.
TABLE 217 Summary of OSPFv3 neighbor information (Continued)
Field – Description
BDR – The router ID (IPv4 address) of the BDR.
Interface [State] – The interface through which the router is connected to the neighbor. The state of the interface can be one of the following:
• DR – The interface is functioning as the Designated Router for OSPFv3.
• BDR – The interface is functioning as the Backup Designated Router for OSPFv3.
TABLE 218 Detailed OSPFv3 neighbor information (Continued)
Field – Description
DbDesc bit... – The Database Description packet, which includes 3 bits of information:
• The first bit can be “i” or “-”. “i” indicates the init bit is set. “-” indicates the init bit is not set.
• The second bit can be “m” or “-”. “m” indicates the more bit is set. “-” indicates the more bit is not set.
• The third bit can be “m” or “s”. An “m” indicates the master. An “s” indicates standby.
BigIron RX# show ipv6 ospf redistribute route
Id  Prefix          Protocol  Metric Type  Metric
1   2002::/16       Static    Type-2       1
2   2002:1234::/32  Static    Type-2       1
Syntax: show ipv6 ospf redistribute route []
The parameter specifies an IPv6 network prefix. (You do not need to specify the length of the prefix.
BigIron RX# show ipv6 ospf routes
Current Route count: 4
Intra: 4 Inter: 0 External: 0 (Type1 0/Type2 0)
Equal-cost multi-path: 0
Destination             Options    Area     Next Hop Router  Outgoing Interface
*IA 2000:4::/64         V6E---R--  0.0.0.0  ::               ethe 3/2
*IA 2002:c0a8:46a::/64  V6E---R--  0.0.0.0  ::               ethe 3/2
*IA 2999::1/128         ---------  0.0.0.0  ::               loopback 2
*IA 2999::2/128         V6E---R--  0.0.0.
TABLE 220 OSPFv3 route information (Continued)
This field... – Displays...
Options – A 24-bit field that enables IPv6 OSPF routers to support the optional capabilities. When set, the following bits indicate the following:
• V6 – The device should be included in IPv6 routing calculations.
• E – The device floods AS-external-LSAs as described in RFC 2740.
• MC – The device forwards multicast packets as described in RFC 1586.
• As an IPv4 address; for example, 192.168.1.1
• As a numerical value from 0 – 2,147,483,647
This display shows the following information.
TABLE 221 OSPFv3 SPF node information
This field... – Displays...
SPF node – Each SPF node is identified by its router ID (IPv4 address). If the node is a child node, it is additionally identified by an interface on which the node can be reached appended to the router ID in the format :.
TABLE 222 OSPFv3 SPF Table
This field... – Displays...
Destination – The destination of a route, which is identified by the following:
• “R”, which indicates the destination is a router.
• “N”, which indicates the destination is a network.
• An SPF node’s router ID (IPv4 address). If the node is a child node, it is additionally identified by an interface on which the node can be reached appended to the router ID in the format :.
Displaying IPv6 OSPF virtual link information
To display OSPFv3 virtual link information for the Brocade device, enter the following command at any level of the CLI.
BigIron RX# show ipv6 ospf virtual-link
Index  Transit Area ID  Router ID  Interface Address  State
1      1                1.1.1.1    3003::2            P2P
Syntax: show ipv6 ospf virtual-link
This display shows the following information.
TABLE 223 OSPFv3 virtual link information
This field... – Displays...
TABLE 224 OSPFv3 virtual neighbor information (Continued)
This field... – Displays...
State – The state between the Brocade device and the virtual neighbor. The state can be one of the following:
• Down
• Attempt
• Init
• 2-Way
• ExStart
• Exchange
• Loading
• Full
Interface – The IPv6 address of the virtual neighbor.
Chapter 49 Configuring IPv6 Multicast Features
IPv6 PIM sparse
This chapter presents the multicast features available for IPv6 routers. The BigIron RX supports IPv6 Protocol Independent Multicast (PIM) Sparse. IPv6 PIM Sparse provides multicasting that is especially suitable for widely distributed multicast environments.
• BSR – The Bootstrap Router (BSR) distributes RP information to the other PIM Sparse routers within the domain. Each PIM Sparse domain has one active BSR. For redundancy, you can configure ports on multiple routers as candidate BSRs. The PIM Sparse protocol uses an election process to select one of the candidate BSRs as the BSR for the domain. The BSR with the highest BSR priority (a user-configurable parameter) is elected.
• Configure an IPv6 address on the interface
• Enable IPv6 PIM Sparse
• Identify the interface as an IPv6 PIM Sparse border, if applicable
NOTE
You cannot configure a Brocade routing interface as a PMBR interface for PIM Sparse in the current software release.
• Configure the following PIM Sparse global parameters:
• Identify the BigIron RX as a candidate PIM Sparse Bootstrap Router (BSR), if applicable.
Configuring BSRs
In addition to the global and interface parameters in the sections above, you need to identify an interface on at least one BigIron RX as a candidate PIM Sparse Bootstrap Router (BSR) and candidate PIM Sparse Rendezvous Point (RP).
NOTE
It is possible to configure the BigIron RX as only a candidate BSR or RP, but Brocade recommends that you configure the same interface on the same BigIron RX as both a BSR and an RP.
BigIron RX(config)# ipv6 router pim
BigIron RX(config-ipv6-pim-router)# rp-candidate ethernet 2/2
Syntax: [no] rp-candidate ethernet / | loopback | ve | pos /
The ethernet / | loopback | ve parameter specifies the interface. The device will advertise the specified interface’s IP address as a candidate RP.
• Enter ethernet / for a physical interface (port).
• Enter ve for a virtual interface.
ACL based RP assignment

The rp-address command allows multiple static RP configurations. For each static RP, an ACL can be given as an option to define the multicast address ranges that the static RP permits or denies serving. A static RP serves the default range ff00::/8 if it is configured without an ACL name. If an ACL name is given but the ACL is not defined, the static RP is set to inactive mode and it will not cover any multicast group ranges.
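As an added example (not code from this guide or from Brocade), the following Python models the static-RP rules just described: an RP configured without an ACL name serves ff00::/8, an RP whose ACL name is not defined is inactive and covers no group range, and otherwise the named ACL decides. The ACL objects, the first-match evaluation with an implicit deny, the RP addresses and the ACL names are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Range a static RP serves when it is configured without an ACL name (page rule).
DEFAULT_GROUP_RANGE = ipaddress.IPv6Network("ff00::/8")


@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv6Network     # multicast group range the entry covers


@dataclass(frozen=True)
class StaticRp:
    address: ipaddress.IPv6Address
    acl_name: Optional[str] = None    # None: configured without an ACL name


def acl_permits(entries: List[AclEntry], group: ipaddress.IPv6Address) -> bool:
    """First-match evaluation with an implicit deny at the end (assumption:
    the page does not spell out the ACL matching order)."""
    for entry in entries:
        if group in entry.prefix:
            return entry.action == "permit"
    return False


def rp_is_active(rp: StaticRp, acls: Dict[str, List[AclEntry]]) -> bool:
    """An RP that names an ACL which is not defined is inactive (page rule)."""
    return rp.acl_name is None or rp.acl_name in acls


def rp_serves_group(rp: StaticRp, acls: Dict[str, List[AclEntry]],
                    group: ipaddress.IPv6Address) -> bool:
    if not rp_is_active(rp, acls):
        return False                  # inactive RP covers no group range at all
    if rp.acl_name is None:
        return group in DEFAULT_GROUP_RANGE
    return acl_permits(acls[rp.acl_name], group)


def static_rps_for_group(rps: List[StaticRp], acls: Dict[str, List[AclEntry]],
                         group: str) -> List[str]:
    """Addresses of every active static RP whose range covers `group`."""
    addr = ipaddress.IPv6Address(group)
    return [str(rp.address) for rp in rps if rp_serves_group(rp, acls, addr)]


def inactive_rps(rps: List[StaticRp], acls: Dict[str, List[AclEntry]]) -> List[str]:
    """Configuration check: static RPs whose ACL name does not resolve."""
    return [str(rp.address) for rp in rps if not rp_is_active(rp, acls)]


# Constructed sample configuration (not from the page): three static RPs.
SAMPLE_ACLS = {
    # hypothetical ACL: exclude the SSM range ff30::/12 (the range shown by
    # show ipv6 pim sparse later in the chapter) and permit the rest
    "no-ssm": [AclEntry("deny", ipaddress.IPv6Network("ff30::/12")),
               AclEntry("permit", ipaddress.IPv6Network("ff00::/8"))],
}
SAMPLE_RPS = [
    StaticRp(ipaddress.IPv6Address("2000::16")),             # no ACL: serves ff00::/8
    StaticRp(ipaddress.IPv6Address("2000::8"), "no-ssm"),    # ACL-scoped RP
    StaticRp(ipaddress.IPv6Address("2000::4"), "typo-acl"),  # ACL never defined: inactive
]

if __name__ == "__main__":
    for g in ("ff1e::1:2", "ff3e::1"):
        print(g, "->", static_rps_for_group(SAMPLE_RPS, SAMPLE_ACLS, g))
    print("inactive RPs:", inactive_rps(SAMPLE_RPS, SAMPLE_ACLS))
```

The inactive_rps check is the part worth keeping around: a typo in an ACL name silently removes an RP from service, and show ipv6 pim rp-map is where the effect would show up on the device.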
BigIron RX(config-ipv6-pim-router)#sho ipv6 pim rp-map
Static RP and associated group ranges
------------------------------------
Static RP count: 1
2000::16
Number of group prefixes Learnt from BSR: 1
Group prefix = ff00::/8 # RPs: 3
RP 1: 2000::8 priority=0 age=30
RP 2: 2000::4 priority=0 age=50
RP 3: 2000::16 priority=0 age=20

Syntax: show ipv6 pim rp-set

Updating IPv6 PIM-sparse forwarding entries with new RP configuration

If you make changes to your static RP configuration, the en
• Shortest Path – Each IPv6 PIM Sparse router that is a DR for an IPv6 receiver calculates a shortest path tree (SPT) towards the source of the IPv6 multicast traffic. The first time a BigIron RX that is configured as an IPv6 PIM router receives a packet for an IPv6 group, it sends the packet to the RP for that group, which in turn forwards it to all the intended DRs that have registered with the RP.
Syntax: [no] message-interval

The parameter specifies the number of seconds and can be from 1 – 65535. The default is 60 seconds.

Setting the inactivity timer

The router deletes a forwarding entry if the entry is not used to send multicast packets. The IPv6 PIM inactivity timer defines how long a forwarding entry can remain unused before the router deletes it. To apply an IPv6 PIM inactivity timer of 160 seconds to all IPv6 PIM interfaces, enter the following.
Syntax: [no] ssm-enable

Displaying IPv6 PIM-sparse configuration information

To display IPv6 PIM Sparse configuration information, use the show ipv6 pim sparse command as described in “Displaying IPv6 PIM-sparse configuration information” on page 1258.
BigIron RX#show ipv6 pim sparse
Global PIM Sparse Mode Settings
Hello interval : 30 Neighbor timeout : 105
Bootstrap Msg interval: 60 Candidate-RP Advertisement interval: 60
Join/Prune interval : 60 SPT Threshold : 1
SSM Enabled: Yes
SSM Group Range: ff30::/12
Hardware Drop Enabled : Yes

Syntax: show ipv6 pim sparse

Displaying PIM sparse configuration information and statistics

You can display the following PIM Sparse information:
• Basic PIM Sparse configurat
This field... Displays...

Global PIM sparse mode settings

Hello interval: How frequently the device sends IPv6 PIM Sparse hello messages to its IPv6 PIM Sparse neighbors. This field shows the number of seconds between hello messages. IPv6 PIM Sparse routers use hello messages to discover one another.
BigIron RX# show ipv6 pim
Interface v30
PIM Version : V2
MODE : PIM SM
TTL Threshold: 1, Enabled
DR: fe80::20c:dbff:fef6:a00 on e3/2
Link Local Address: fe80::20c:dbff:fef5:e900
Global Address: 1e1e::4
Interface v167
PIM Version : V2
MODE : PIM SM
TTL Threshold: 1, Enabled
DR: itself
Link Local Address: fe80::20c:dbff:fef5:e900
Global Address: a7a7::1
Interface l1
PIM Version : V2
MODE : PIM SM
TTL Threshold: 1, Enabled
DR: itself
Link Local Address: fe80::20c:dbff:fef5:e900
Global Addr
group prefixes: ff00:: / 8
Candidate-RP-advertisement period: 60
BigIron RX#

This example shows information displayed on a device that has been elected as the BSR. The following example shows information displayed on a device that is not the BSR. Notice that some fields shown in the example above do not appear in the example below.

BigIron RX>show ipv6 pim bsr
PIMv2 Bootstrap information
BSR address = 2001:3e8:255:255::17
BSR priority = 0
BigIron RX>

Syntax: show ipv6 pim bsr
BigIron RX# show ipv6 pim rp-candidate
Next Candidate-RP-advertisement in 00:00:10
RP: 1be::11:21
group prefixes: ff00:: / 8
Candidate-RP-advertisement period: 60

This example shows information displayed on a device that is a candidate RP. The following example shows the message displayed on a device that is not a candidate RP.

BigIron RX# show ipv6 pim rp-candidate
This system is not a Candidate-RP.

Syntax: show ipv6 pim rp-candidate

This display shows the following information.
Displaying RP information for a PIM sparse group

To display RP information for a PIM Sparse group, enter the following command at any CLI level.

BigIron RX#show ipv6 pim rp-hash ff1e::1:2
RP: 2001:3e8:255:255::17, v2
Info source: 2001:3e8:255:255::17, via bootstrap
BigIron RX#

Syntax: show ipv6 pim rp-hash

The parameter is the address of an IPv6 PIM Sparse IP multicast group. This display shows the following information.

This field... Displays...
This field... Displays...

priority: The RP priority of the candidate RP. During the election process, the candidate RP with the highest priority is elected as the RP.

age: The age (in seconds) of this RP-set.
NOTE: If this device is not a BSR, this field contains zero. Only the BSR ages the RP-set.

Displaying multicast neighbor information

To display information about the device’s IPv6 PIM neighbors, enter the following command at any CLI level.
BigIron RX# show ipv6 pim mcache
Total 4 entries
Free mll entries: 766
1 (*, ff7e:140:2001:3e8:16:0:1:2) RP2001:3e8:16::1 in NIL, cnt=0
Sparse Mode, RPT=1 SPT=0 Reg=0
No upstream neighbor because RP 2001:3e8:16::1 is itself
num_oifs = 1
v312 L3 (SW) 1: e3/15(VL312)
Flags fast=1 slow=0 leaf=0 prun=0 frag=0 tag=0 needRte=0 age=0
fid: 0405, mvid 1
2 (2001:3e8:0:170::101, ff7e:140:2001:3e8:16:0:1:2) in v23 (e3/23), cnt=2
Sparse Mode, RPT=0 SPT=1 Reg=0
upstream neighbor=fe80::45:0:160:4
num_
TABLE 225 Output of Show IPv6 PIM resource (Continued)

This field... Displays...

allo-fail: Number of node allocations that failed.

up-limit: Maximum number of nodes that can be allocated for a data structure. This may or may not be configurable, depending on the data structure.

Displaying PIM traffic statistics

To display IPv6 PIM traffic statistics, enter the following command at any CLI level.
The IPv6 switch stores a list of multicast addresses for each attached link. For each multicast address, the IPv6 switch stores a filter mode and a source list. The filter mode is set to INCLUDE if all nodes in the source list for a multicast address are in the INCLUDE state. If the filter mode is INCLUDE, then only traffic from the addresses in the source list is allowed.
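Added example, not code from the guide: a Python model of the per-link listener state described above. It goes beyond the INCLUDE case in the text and applies the merge rules of RFC 3810 for the EXCLUDE case as well (the editor's reading of that RFC, not something this guide states); the host names, group addresses and source addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

INCLUDE, EXCLUDE = "INCLUDE", "EXCLUDE"


@dataclass(frozen=True)
class FilterState:
    mode: str                 # INCLUDE or EXCLUDE
    sources: FrozenSet[str]   # source list (addresses kept as strings here)


def merge_states(states: Iterable[FilterState]) -> FilterState:
    """Combine the states reported by every node for one multicast address
    into the link's state (RFC 3810 router-state rules, editor's summary):
    only INCLUDE reports -> INCLUDE with the union of their sources;
    any EXCLUDE report    -> EXCLUDE with the sources excluded by *every*
                             excluding node minus any source some node includes."""
    states = list(states)
    includes = [s.sources for s in states if s.mode == INCLUDE]
    excludes = [s.sources for s in states if s.mode == EXCLUDE]
    union_inc = frozenset().union(*includes)
    if not excludes:
        return FilterState(INCLUDE, union_inc)
    inter_exc = frozenset.intersection(*excludes)
    return FilterState(EXCLUDE, inter_exc - union_inc)


def forwards(state: FilterState, source: str) -> bool:
    """INCLUDE: only listed sources pass; EXCLUDE: everything except listed sources."""
    if state.mode == INCLUDE:
        return source in state.sources
    return source not in state.sources


class LinkListenerTable:
    """Per-link table kept by the switch: multicast address -> {node: FilterState}."""

    def __init__(self) -> None:
        self._nodes: Dict[str, Dict[str, FilterState]] = {}

    def report(self, node: str, group: str, mode: str, sources: Iterable[str]) -> None:
        self._nodes.setdefault(group, {})[node] = FilterState(mode, frozenset(sources))

    def leave(self, node: str, group: str) -> None:
        members = self._nodes.get(group, {})
        members.pop(node, None)
        if group in self._nodes and not members:
            del self._nodes[group]      # no listeners left: drop the address

    def state(self, group: str) -> Optional[FilterState]:
        members = self._nodes.get(group)
        return merge_states(members.values()) if members else None

    def should_forward(self, group: str, source: str) -> bool:
        st = self.state(group)
        return st is not None and forwards(st, source)


def demo() -> LinkListenerTable:
    """Constructed scenario (hypothetical hosts and addresses, not from the page)."""
    t = LinkListenerTable()
    t.report("host-a", "ff33::6:1:1", INCLUDE, ["2001:db8::10"])
    t.report("host-b", "ff33::6:1:1", INCLUDE, ["2001:db8::20"])
    # host-c wants everything except two sources; this flips the link to EXCLUDE
    t.report("host-c", "ff33::6:1:1", EXCLUDE, ["2001:db8::20", "2001:db8::30"])
    return t


if __name__ == "__main__":
    table = demo()
    print(table.state("ff33::6:1:1"))
    for src in ("2001:db8::10", "2001:db8::30", "2001:db8::99"):
        print(src, "forwarded:", table.should_forward("ff33::6:1:1", src))
```

The check a practitioner cares about is should_forward: with only INCLUDE reports, a source nobody listed is dropped; once one node reports EXCLUDE, a source is dropped only if every excluding node excludes it and no including node asks for it.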
Enabling MLDv2

MLDv1 is enabled once PIM Sparse (PIM-SM) is enabled on an interface. You then enable version 2 of MLD, the version that supports source filtering. MLDv2 interoperates with MLDv1: MLDv1 messages are understood by MLDv2. When an IPv6 router detects that a node is operating in MLDv1 mode, the router switches to MLDv1 for that node even though queries are sent in MLDv2. To enable PIM-SM, do the following.
1.
Setting the maximum response time

You can define the maximum amount of time a multicast listener has to respond to queries by entering a command such as the following.

BigIron RX(config)#ipv6 mld max-response-time 5

Syntax: ipv6 mld max-response-time

Specify a value from 1 – 64. The default is 5 seconds.
Syntax: ipv6 mld version

Enter 1 or 2 for the MLD version. The default is version 2.

Specifying a port version

At the interface level, you can specify the MLD version for a physical port within a virtual interface. You can set the version by entering a command such as the following at the interface level.
BigIron RX #show ipv6 mld group
Interface e6/18 has 11 groups
     group        phy-port  static  querier  life  mode
 1   ff33::6:b:1  e6/18     no      yes      0
 2   ff33::6:a:1  e6/18     no      yes      0
 3   ff33::6:9:1  e6/18     no      yes      0
 4   ff33::6:8:1  e6/18     no      yes      0
 5   ff33::6:7:1  e6/18     no      yes      0
 6   ff33::6:6:1  e6/18     no      yes      0
 7   ff33::6:5:1  e6/18     no      yes      0
 8   ff33::6:4:1  e6/18     no      yes      0
 9   ff33::6:3:1  e6/18     no      yes      0
10   ff33::6:2:1  e6/18     no      yes      0
11   ff33::6:1:1  e6/18     no      yes      0
This field... Displays...

version: Version of the MLD being used.
query int: Query interval in seconds.
max resp time: Number of seconds multicast groups have to respond to queries.
group mem time: Number of seconds multicast groups can be members of this group before aging out.
This field... Displays...

Leave: Number of MLDv1 “leave” messages on the interface. (See 2_Ex for MLDv2.)
Is_IN: Number of source addresses that were included in the traffic.
Is_EX: Number of source addresses that were excluded in the traffic.
2_IN: Number of times the interface mode changed from exclude to include.
2_EX: Number of times the interface mode changed from include to exclude.
Enabling the embedded RP

The following command may be used to enable the embedded RP feature.
Chapter 50 Configuring IPv6 Routes

Configuring a static IPv6 route

This chapter provides information on how to configure a static IPv6 route. A static IPv6 route is a manually configured route, which creates a path between two IPv6 routers. A static IPv6 route is similar to a static IPv4 route. Static IPv6 routes have their advantages and disadvantages; for example, a static IPv6 route does not generate updates, which reduces processing time for an IPv6 router.
TABLE 226 Static IPv6 route parameters

Parameter | Configuration details | Status

The IPv6 prefix and prefix length of the route’s destination network. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value. A slash mark (/) must follow the parameter and precede the parameter.
Configuring an IPv6 multicast route

IPv6 multicast routes allow you to control the network path used by multicast traffic. Static multicast routes are especially useful when the unicast and multicast topologies of a network are different. You can avoid the need to make the topologies similar by instead configuring static multicast routes.

NOTE
This feature is not supported for DVMRP.

You can configure more than one static IPv6 multicast route.
BigIron RX(config)# ipv6 mroute 12.7.1.0 255.255.255.0 17.3.1.2

Syntax: [no] ipv6 mroute [ | ethernet | ve | null0] [] [distance <num>]

The ip-addr and ip-mask parameters specify the PIM source for the route. The ethernet parameter specifies a physical port. The ve parameter specifies a virtual interface. The null0 parameter is the same as dropping the traffic.
Chapter 51 Continuous System Monitor

Continuous system monitoring (Sysmon) is implemented in BigIron RX to monitor the overall system’s health. Sysmon makes the monitor service system-wide and modular. It monitors different system components of a router or a switch to determine if those components are operating correctly.
• DRAM-CRC - Monitors ingress DRAM CRC errors and isolates the ingress TM in case of a severe error condition.
• TX-BUFFER - Monitors the egress TM TX buffer stuck condition; this can result from ingress DRAM CRC errors that were not isolated in time.
• PKT_PATH_SCAN - Sends and receives packets to test the path.
• FE_LINK - Monitors FE serdes links.
• FE_FIFO - Monitors congestion within FEs.
• FE_RW - Performs write/read tests to FEs.
Dec 29 17:19:26:E:System: LP15/TM1 has shutdown (TM Internal Error: LP15/TM1 (Reg: 0x444, Value: 0x70000) (shutdown))

TM_Q_SCANNER

The TM_Q_SCANNER event type monitors the traffic queues in the TM. If traffic is not flowing smoothly through the queues, the TM_Q_SCANNER event type generates error messages. Here is an example from Syslog.
Sep 13 15:01:29:E:System: ALARM: LP9/TM2 has shutdown (TM DRAM CRC: LP9/TM2 (Reg: 0xa50c, Value: 0x7) (shutdown))

TX_BUFFER

A stuck Tx buffer is the end result of ingress DRAM CRC errors; once the buffer is stuck, it stops forwarding traffic. Here is an example from Syslog.
Display Commands

You can use the following show commands to view the results of the monitoring activity. These show commands display information for all event types in one output.

Displaying internal log messages

Display the contents of the internal log by entering the following command.
Reg 2838: monitor mask 003f8000, fap shutdown mask 00000000, syslog mask 00000000, log backoff number 1800
FAP shutdown threshold (non-zero only):
Reg 2830: monitor mask ffffffff, fap shutdown mask 00000000, syslog mask 00000000, log backoff number 1800
FAP shutdown threshold (non-zero only):
------------------------------------
Event NP TCAM (Enabled)
--------------------------------------
Event TM Q Scanner (Enabled)
--Threshold: 4 / 10, Log Backoff Number: 1800
Action: ----
Appendix A Using Syslog

This appendix describes how to display Syslog messages and how to configure the Syslog facility, and lists the Syslog messages that a BigIron RX can display during standard operation.

NOTE
This appendix does not list Syslog messages that can be displayed when a debug option is enabled.
Displaying Syslog messages

BigIron RX> show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 3 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dynamic Log Buffer (50 entries):
Dec 15 18:46:17:I:Interface ethernet 1/4, state up
Dec 15 18:45:21:I:Bridge topology change, vlan 4095, interface 4, changed
Here is an example of how the Syslog messages are displayed.

telnet@BigIron RX# terminal monitor
Syslog trace was turned ON
SYSLOG: <9>BigIron RX, Power supply 2, power supply on left connector, failed
SYSLOG: <14>BigIron RX, Interface ethernet 1/6, state down
SYSLOG: <14>BigIron RX, Interface ethernet 1/2, state up

Configuring the Syslog service

The procedures in this section describe how to perform the following Syslog configuration tasks:
• Specify a Syslog server.
TABLE 227 CLI display of Syslog buffer configuration

This field... Displays...

Syslog logging: The state (enabled or disabled) of the Syslog buffer.

messages dropped: The number of Syslog messages dropped due to user-configured filters. By default, the software logs messages for all Syslog levels. You can disable individual Syslog levels, in which case the software filters out messages at those levels. Refer to “Disabling logging of a message level” on page 1296.
BigIron RX(config)# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 3 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dec 15 19:00:14:A:Fan 2, fan on left connector, failed
Dynamic Log Buffer:
Dec 15 18:46:17:I:Interface ethernet 1/4, state up
Dec 15 18:45:21:I:Bri
• ss – seconds

For example, “Oct 15 17:38:03” means October 15 at 5:38 PM and 3 seconds.
BigIron RX(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Static Log Buffer:
Dynamic Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)
19d07h03m30s:warning:list 101 denied tcp 209.157.
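The following Python is added here and is not part of the guide. It parses the three line shapes shown in this appendix (clock-stamped buffer lines with a one-letter level code, uptime-stamped lines, and the <PRI>-prefixed lines echoed by terminal monitor) and runs two checks over them: the TM shutdown messages from the Sysmon examples in Chapter 51 and the ACL-denied warning, whose ACL number ranges come from the Syslog messages table later in this appendix. The <PRI> decoding follows RFC 3164 (facility × 8 + severity, so <9> is alert and <14> is informational, which matches the messages shown). The sample lines are copied from the page except the DRAM-CRC line, which is rebuilt in the same shape because the page's copy is garbled; the finding format is the editor's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Level letters, from the "level code" legend printed by show logging.
LEVEL_CODES = {"A": "alert", "C": "critical", "D": "debugging", "M": "emergency",
               "E": "error", "I": "informational", "N": "notification", "W": "warning"}
# RFC 3164 severity order, used to decode the <PRI> of terminal-monitor lines.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notification",
              "informational", "debugging"]

# "Mon DD HH:MM:SS:L:message" as shown in the static and dynamic log buffers
BUFFER_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}):(?P<code>[ACDMEINW]):(?P<msg>.*)$")
# "NNdNNhNNmNNs:level:message" (uptime stamp, clock not set)
UPTIME_RE = re.compile(r"^(?P<stamp>\d+d\d{2}h\d{2}m\d{2}s):(?P<level>[a-z]+):(?P<msg>.*)$")
# "SYSLOG: <PRI>hostname, message" as echoed by terminal monitor
WIRE_RE = re.compile(r"^SYSLOG: <(?P<pri>\d{1,3})>(?P<host>[^,]+), (?P<msg>.*)$")

# Sysmon: "LPn/TMm has shutdown (<reason>: ..." (Chapter 51 examples)
TM_SHUTDOWN_RE = re.compile(r"(?P<module>LP\d+/TM\d+) has shutdown \((?P<reason>[^:(]+)")
# ACL deny warning, in the shape of the show log example above
ACL_DENY_RE = re.compile(
    r"list (?P<acl>\d+) denied (?P<proto>\w+) (?P<src>[^(]+)\((?P<sport>\w+)\)"
    r"\(Ethernet (?P<port>\S+) (?P<mac>\S+)\) -> (?P<dst>[^(]+)\((?P<dport>\w+)\), (?P<count>\d+) event")


@dataclass
class LogEntry:
    stamp: str                      # clock or uptime stamp; empty for wire-format lines
    level: str
    message: str
    facility: Optional[int] = None  # only known for <PRI> lines


def parse_line(line: str) -> Optional[LogEntry]:
    m = BUFFER_RE.match(line)
    if m:
        return LogEntry(m["stamp"], LEVEL_CODES[m["code"]], m["msg"])
    m = UPTIME_RE.match(line)
    if m:
        return LogEntry(m["stamp"], m["level"], m["msg"])
    m = WIRE_RE.match(line)
    if m:
        pri = int(m["pri"])
        return LogEntry("", SEVERITIES[pri % 8], m["msg"], facility=pri // 8)
    return None


def acl_kind(number: int) -> str:
    # numbering from the Syslog messages table: 1-99 standard, 100-199 extended
    if 1 <= number <= 99:
        return "standard"
    if 100 <= number <= 199:
        return "extended"
    return "unknown"


def triage(lines: List[str]) -> List[dict]:
    """One finding per line that deserves an operator's attention."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        m = TM_SHUTDOWN_RE.search(entry.message)
        if m:
            findings.append({"kind": "tm_shutdown", "module": m["module"],
                             "reason": m["reason"].strip(), "level": entry.level})
            continue
        m = ACL_DENY_RE.search(entry.message)
        if m:
            findings.append({"kind": "acl_deny", "acl": int(m["acl"]),
                             "acl_kind": acl_kind(int(m["acl"])), "src": m["src"],
                             "dst": m["dst"], "port": m["port"], "events": int(m["count"])})
            continue
        if entry.level in ("emergency", "alert", "critical"):
            findings.append({"kind": "high_severity", "level": entry.level,
                             "message": entry.message})
    return findings


# Sample input: lines from the page, plus one DRAM-CRC line rebuilt in the
# same shape (constructed) because the page's copy of it is garbled.
SAMPLE_LINES = [
    "Dec 15 19:04:14:A:Fan 1, fan on right connector, failed",
    "Dec 15 18:46:17:I:Interface ethernet 1/4, state up",
    "Dec 29 17:19:26:E:System: LP15/TM1 has shutdown (TM Internal Error: LP15/TM1 (Reg: 0x444, Value: 0x70000) (shutdown))",
    "Sep 13 15:01:29:E:System: ALARM: LP9/TM2 has shutdown (TM DRAM CRC: LP9/TM2 (Reg: 0xa50c, Value: 0x7) (shutdown))",
    "21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)",
    "SYSLOG: <9>BigIron RX, Power supply 2, power supply on left connector, failed",
    "SYSLOG: <14>BigIron RX, Interface ethernet 1/6, state down",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

The TM shutdown lines are logged at level E (error) rather than alert, so a collector that only forwards alert and above would miss a line card that has stopped forwarding; matching on the message text, as triage does, is the safer rule.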
For backward compatibility, the software reads the old command syntax from the startup configuration, and converts it to the new command syntax in the running configuration.

Syntax: logging host |

Disabling logging of a message level

To change the message level, disable logging of specific message levels. You must disable the message levels on an individual basis.
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# nei 10.1.1.8 remote 10

Using the show log command, you would see a series of log records as shown in the following.
• sys14 – reserved for system use
• cron – cron/at subsystem
• local0 – reserved for local use
• local1 – reserved for local use
• local2 – reserved for local use
• local3 – reserved for local use
• local4 – reserved for local use
• local5 – reserved for local use
• local6 – reserved for local use
• local7 – reserved for local use

Displaying the interface name in Syslog messages

By default, an interface’s slot number (if applicable) and port number are displayed when you
Syslog messages

Table 228 lists all of the Syslog messages. The messages are listed by message level, in the following order:
• Emergencies (none)
• Alerts
• Critical
• Errors
• Warnings
• Notifications
• Informational
• Debugging

TABLE 228 Brocade Syslog messages

Message level: Alert
Message: Power supply , , failed
Explanation: A power supply has failed. The is the power supply number. The describes where the failed power supply is in the device.

Message level: Alert
Message: OSPF LSA Overflow, LSA Type =
Explanation: Indicates an LSA database overflow. The parameter indicates the type of LSA that experienced the overflow condition. The LSA type is one of the following:
• 1 – Router
• 2 – Network
• 3 – Summary
• 4 – Summary
• 5 – External

Message level: Alert
Message: ISIS MEMORY USE EXCEEDED
Explanation: IS-IS is requesting more memory than is available.

Message level: Critical
Message: Authentication shut down due to DOS attack
Explanation: Denial of Service (DoS) attack protection was enabled for multi-device port authentication on the specified , and the per-second rate of RADIUS authentication attempts for the port exceeded the configured limit. The device considers this to be a DoS attack and disables the port.

Message level: Warning
Message: list denied () (Ethernet ) -> (), 1 events
Explanation: Indicates that an Access Control List (ACL) denied (dropped) packets. The indicates the ACL number. Numbers 1 – 99 indicate standard ACLs. Numbers 100 – 199 indicate extended ACLs.

Message level: Notification
Message: Module was inserted to slot
Explanation: Indicates that a module was inserted into a device slot. The is the number of the device slot into which the module was inserted.

Message level: Notification
Message: Module was removed from slot
Explanation: Indicates that a module was removed from a device slot. The is the number of the device slot from which the module was removed.

Message level: Notification
Message: OSPF interface state changed, rid , intf addr , state
Explanation: Indicates that the state of an OSPF interface has changed. The is the router ID of the device. The is the interface’s IP address.

Message level: Notification
Message: OSPF nbr state changed, rid , nbr addr , nbr rid , state
Explanation: Indicates that the state of an OSPF neighbor has changed. The is the router ID of the device. The is the IP address of the neighbor. The is the router ID of the neighbor.

Message level: Notification
Message: OSPF intf config error, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF interface configuration error has occurred. The is the router ID of the device. The is the IP address of the interface on the device.

Message level: Notification
Message: OSPF virtual intf config error, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF virtual routing interface configuration error has occurred. The is the router ID of the device. The is the IP address of the interface on the device.

Message level: Notification
Message: OSPF intf authen failure, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF interface authentication failure has occurred. The is the router ID of the device. The is the IP address of the interface on the device.

Message level: Notification
Message: OSPF virtual intf authen failure, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF virtual routing interface authentication failure has occurred. The is the router ID of the device. The is the IP address of the interface on the device.

Message level: Notification
Message: OSPF virtual intf rcvd bad pkt, rid , intf addr , pkt src addr , pkt type
Explanation: Indicates that an OSPF interface received a bad packet. The is the router ID of the device. The is the IP address of the interface on the device.

Message level: Notification
Message: OSPF virtual intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid
Explanation: An OSPF interface on the device has retransmitted a Link State Advertisement (LSA). The is the router ID of the device. The is the IP address of the interface on the device.

Message level: Notification
Message: OSPF intf rcvd bad pkt: Bad Checksum, rid , intf addr , pkt size , checksum , pkt src addr , pkt type
Explanation: The device received an OSPF packet that had an invalid checksum. The rid is the device’s router ID. The intf addr is the IP address of the Brocade interface that received the packet.

Message level: Notification
Message: VRRP intf state changed, intf , vrid , state
Explanation: A state change has occurred in a Virtual Router Redundancy Protocol (VRRP) interface. The is the port. The is the virtual router ID (VRID) configured on the interface.

Message level: Notification
Message: Local TCP exceeds burst packets, stopping for seconds!!
Explanation: Threshold parameters for local TCP traffic on the device have been configured, and the maximum burst size for TCP packets has been exceeded. The first is the maximum burst size (maximum number of packets allowed).

Message level: Notification
Message: DOT1X issues software but not physical port up indication of Port to other software applications
Explanation: The device has indicated that the specified port has been authenticated, but the actual port may not be active.

Message level: Informational
Message: Trunk group () created by 802.3ad link-aggregation module.
Explanation: 802.3ad link aggregation is configured on the device, and the feature has dynamically created a trunk group (aggregate link). The is a list of the ports that were aggregated to make the trunk group.

Message level: Informational
Message: vlan Bridge is RootBridge (MgmtPriChg)
Explanation: 802.1W changed the current bridge to be the root bridge of the given topology due to an administrative change in bridge priority.

Message level: Informational
Message: vlan Bridge is RootBridge (MsgAgeExpiry)
Explanation: The message age expired on the Root port, so 802.1W changed the current bridge to be the root bridge of the topology.

Message level: Informational
Message: ACL added | deleted | modified from console | telnet | ssh | web | snmp session
Explanation: A user created, modified, deleted, or applied an ACL through the Web, SNMP, console, SSH, or Telnet session.
Appendix B Software Specifications

This appendix lists the following information for the BigIron RX:
• IEEE compliance
• RFC support
• Internet draft support

IEEE compliance
• 802.3ae — 10-Gigabit Ethernet
• 802.3x — Flow Control
• 802.3ad — Link Aggregation
• 802.1Q — Virtual Bridged LANs
• 802.1D — MAC Bridges
• 802.1w — Rapid STP
• 802.1s — Multiple Spanning Trees
• 802.1X — User authentication
• 802.

RFC compliance
• 1269 — Managed Objects for BGP
• 1657 — Managed Objects for BGP-4 using SMIv2
• 3392 — Capabilities Advertisement with BGP-4
• 2385 — BGP Session Protection through TCP MD5
• 3682 — Generalized TTL Security Mechanism, for eBGP Session Protection

RFC compliance - OSPF
• 2178 — OSPF
• 1583 — OSPF v2
• 3103 — OSPF NSSA
• 1745 — OSPF Interactions
• 1765 — OSPF Database Overflow
• 1850 — OSPF Traps
• 2328 — OSPF v2
• 1850 — OSPF v2 MIB
• 2370 — OSPF Opaque LSA Option
• 3623 — Graceful OSP

• 3973 — PIM-DM
• 1075 — DVMRP v2
• 4541 — Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches
• DVMRP v3-07
• 2283 — MBGP

RFC compliance - general protocols
• 791 — IP
• 792 — ICMP
• 793 — TCP
• 783 — TFTP
• 826 — ARP
• 768 — UDP
• 894 — IP over Ethernet
• 903 — RARP
• 906 — TFTP Bootstrap
• 1027 — Proxy ARP
• 950 — Subnets
• 951 — BootP
• 1122 — Host Extensions for IP Multicasting
• 12

RFC compliance - management
• 1757 — RMON Groups Partial 1, full for 2, 3, 9
• 4251 — The Secure Shell (SSH) Protocol Architecture
• 2068 — HTTP
• 2030 — SNTP
• 2865 — RADIUS
• 2866 — RADIUS Accounting
• 2868 — RADIUS Attributes for Tunnel Protocol
• 2869 — RADIUS Extensions
• 3176 — sFlow
• 2578 — SNMPV2
• 2579 — Textual Conventions for SMIv2
• 3410 — SNMPV3
• 3411 — Architecture for SNMP
• 3412 — Message Processing and Dispatching for SNMP
• 3413 — Simple Network Mana

• 3513 — IPv6 Addressing Architecture
• 1981 — IPv6 Path MTU Discovery
• 3587 — IPv6 Global Unicast Address Format
• 2375 — IPv6 Multicast Address Assignments
• 2464 — Transmission of IPv6 over Ethernet Networks
• 2711 — IPv6 Router Alert Option
• 3596 — DNS support

RFC compliance - IPv6 routing
• 2080 — RIPng for IPv6
• 2740 — OSPFv3 for IPv6
• 2545 — Use of MP-BGP-4 for IPv6

RFC compliance - IPv6 multicast
• 3810 — Multicast Listener Discovery Version 2 for IPv6
• 4601 — PIM-

Internet drafts
• Draft-ietf-idr-route-filter
• Draft-holbrook-idmr-igmpv3-ssm - IGMPv3 & MLDv2 for SSM
• Draft-ietf-ssm-arch SSM for IP
Appendix C NIAP-CCEVS Certification

Some Brocade devices have passed the Common Criteria (CC) certification testing. This testing is sponsored by the National Information Assurance Partnership (NIAP) - Common Criteria Evaluation and Validation Scheme (CCEVS). For more information regarding the NIAP-CCEVS certification process refer to the following link: http://www.niap-ccevs.org/.
Local user password changes

Please note that if existing usernames and passwords have been configured on a Brocade device with specific privilege levels (super-user, read-only, port-config), and you attempt to change a user's password by executing the following syntax:

BigIron RX(config)# user brcdreadonly password

the privilege level of this particular user will be changed from its current value to "super-user".
Appendix D Commands That Require a Reload

Most CLI commands take effect as soon as you enter them. However, a small number of commands require a software reload to take effect. Table 231 lists the commands. To place a configuration change made by one of these commands into effect, you must save the change to the startup-config file, then reload the software. If you reload the software without saving the change to the startup-config file, the device does not make the change.
Appendix E Index to the CLI Commands This appendix lists the CLI commands discussed in this configuration guide. Look for the CLI command alphabetically by feature. You can also use your browser’s search function to find the command you want. When you find the command, click on the link to display the section that discusses that command. ACLs (IP) Numbered ACL Commands See ...
E ACLs (IP) Named ACL Commands See ...
ACLs (L2) E Commands See ... ip access-group I in “Configuring standard numbered ACLs” on page 529 “Configuring extended numbered ACLs” on page 531 “Configuring standard or extended named ACLs” on page 539 ip access-group in ethernet [...
E 1332 BGP4 Commands See ...
BGP4 E Commands See ...
E 1334 BGP4 Commands See ...
BGP4 E Commands See ...
E 1336 BGP4 Commands See ...
BGP4 Commands E See ... “Displaying route flap dampening statistics” on show ip bgp flap-statistics [regular-expression page 849 | [longer-prefixes] | neighbor | filter-list ...
E FDP/CDP Commands See ... snmp-server enable traps bgp “Generating traps for BGP” on page 816 timers keep-alive hold-time “Changing the keep alive time and hold time” on page 789 update-time “Changing the BGP4 next-hop update timer” on page 790 Commands See ...
IP E Commands See ...
E 1340 IP Commands See ...
Metro Ring protocol E Commands See ... show ip route summary “Displaying the IP route table” on page 228 show ip static-arp [ethernet | mac-address
E IPv6 BGP4+ IPv6 BGP4+ 1342 Commands See ...
IPv6 BGP4+ E Commands See ...
E IPv6 ACL Commands See ...
IPv6 basic connectivity Commands See ...
E 1346 IPv6 basic connectivity Commands See ...
IPv6 multicast E Commands See ...
E IPv6 RIPng Commands See ...
IPv6 OSPFv3 E Commands See ... show ipv6 rip route [/ | ] “Displaying RIPng routing table” on page 1127 timers “Configuring RIPng timers” on page 1122 Commands See ...
E IS-IS Commands See ...
IS-IS E Commands See ...
E 1352 IS-IS Commands See ...
Metro Ring E Metro Ring Commands See ...
E Multicast (IP) Commands See ...
Multicast (IP) E Commands See ...
E Multicast (L2) Commands See ... spt-threshold infinity | “Changing the Shortest Path Tree (SPT) threshold” on page 614 system-max dvmrp-mcache “Defining the maximum number of DVMRP cache entries” on page 582 system-max pim-mcache “Defining the maximum number of PIM cache entries” on page 582 trigger-interval <5-30> “Modifying trigger interval” on page 653 Multicast (L2) Commands See ...
Rate limiting
show qos-tos: “Displaying QoS configuration information” on page 485
static-mac-address ethernet [priority ]: “Assigning static MAC address entries to priority queues” on page 481
Security/Management
auth-fail-max-attempts: “Specifying the number of authentication attempts the device makes before dropping packets” on page 981
auth-fail-vlanid: “Specifying the authentication-failure action” on page 981
clear dot1x mac-session: “Clearing a dot1x-mac-session for a MAC address” on page 982
clear dot1x statistics all: “Clearing 802.
timeout re-authperiod: “Configuring periodic re-authentication” on page 978
timeout tx-period: “Setting the interval for retransmission of EAP-request/identity frames” on page 979
Access
all-client: “Restricting all remote management access to a specific IP address” on page 67
Authentication method list
SSH access
ip ssh client: “Restricting SSH access to a specific IP address” on page 67
ssh access-group | : “Using ACLs to restrict SNMP access” on page 65
SSL
tacacs-server key [0 | 1]: “Setting the TACACS+ key” on page 89
tacacs-server retransmit: “Setting the retransmission limit” on page 90
tacacs-server timeout: “Setting the timeout parameter” on page 90
Telnet access
web-management hp-top-tools: “Disabling Web management access by HP ProCurve Manager” on page 70
web-management http | https: “Enabling the SSL server on the device” on page 81
DoS Protection
Redundant management module
show port security statistics: “Displaying MAC Port Security statistics” on page 958
shutdown-time: “Interface shutdown time” on page 956
violation restrict: “Restricting interface access” on page 952
violation shutdown: “Shutdown the interface” on page 952
STP
sflow polling-interval: “Changing the polling interval” on page 1041
sflow sample: “Changing the default sampling rate” on page 1042; “Changing the sampling rate on a port” on page 1043
show sflow: “Displaying sFlow information” on page 1047
LAG
member-vlan: “Configuring a topology group” on page 449
show topology-group []: “Displaying topology group information” on page 449
topology-group: “Configuring a topology group” on page 449
VRRP/VRRPE
uplink-switch ethernet [to | ethernet ]: “Configuring uplink ports within a port-based VLAN” on page 321
vlan: “Configuring port-based VLANs” on page 291
vlan [by port]: “Configuring aggregated VLANs” on page 303
vlan [name ]: “Configuring port-based VLANs” on page 291
vlan-group vlan to: “Configuring a VLAN group” on page 299