BigIron RX Series Configuration Guide
Supporting Multi-Service IronWare v02.9.
53-1002484-04
19 March 2013
Copyright © 2011-2013 Brocade Communications Systems, Inc. All Rights Reserved ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents

About This Document
Supported hardware and software (p. xliii)
List of supported features (p. xliii)
Unsupported features (p. xlvi)
What's new in this document (p. xlvii)
Enhancements in release 02.9.00a (p. xlvii)
Enhancements in release 02.9.00

Accessing the CLI (p. 7)
Navigating among command levels (p. 8)
CLI command structure (p. 8)
Searching and filtering output (p. 9)
Allowable characters for LAG names (p. 13)
Syntax shortcuts

Flash memory and PCMCIA flash card file management commands (p. 28)
Management focus (p. 29)
Flash memory file system (p. 30)
PCMCIA flash card file system (p. 31)
Wildcards

Configuring SSL security for the Web Management Interface (p. 73)
Enabling the SSL server on the device (p. 74)
Importing digital certificates and RSA private key files (p. 74)
Generating an SSL certificate (p. 75)
Configuring TACACS and TACACS+ security (p. 75)
How TACACS+ differs from TACACS

Logging on through the CLI (p. 109)
On-line help (p. 110)
Command completion (p. 110)
Scroll control (p. 110)
Line editing commands (p. 111)
Searching and filtering output from CLI commands

Chapter 6 Configuring Interface Parameters
Assigning a port name (p. 143)
Assigning an IP address to a port (p. 144)
Speed/Duplex negotiation (p. 144)
Disabling or re-enabling a port (p. 145)
Changing the default Gigabit negotiation mode

Configuring packet parameters (p. 181)
Changing the encapsulation type (p. 181)
Setting maximum frame size per PPCR (p. 182)
Changing the MTU (p. 183)
Changing the router ID

Deploying a LAG (p. 244)
Commands available under LAG once it is deployed (p. 245)
Configuring ACL-based mirroring (p. 245)
Disabling ports within a LAG (p. 245)
Enabling ports within a LAG (p. 246)
Monitoring an individual LAG port

Chapter 10 Configuring Uni-Directional Link Detection
Uni-Directional Link Detection overview (p. 281)
Configuration considerations (p. 282)
Configuring UDLD (p. 282)
Changing the keepalive interval (p. 282)
Changing the keepalive retries

Private VLANs (p. 314)
Implementation notes (p. 315)
Configuration notes (p. 315)
Configuring a private VLAN (p. 316)
Enabling broadcast, multicast or unknown unicast traffic to the private VLAN

Chapter 13 Configuring Rapid Spanning Tree Protocol
Overview of Rapid Spanning Tree Protocol (p. 359)
Bridges and bridge port roles (p. 359)
Assignment of port roles (p. 360)
Ports on Switch 1 (p. 361)
Ports on Switch 2

Ring initialization for shared interfaces (p. 418)
How ring breaks are detected and healed between shared interfaces (p. 419)
Selection of master node (p. 419)
RHP processing in rings with shared interfaces (p. 419)
Normal flow (p. 420)
Flow when a link breaks

Displaying VSRP information (p. 446)
Displaying VRID information (p. 446)
Displaying a summary of VSRP information (p. 448)
Displaying VSRP packet statistics for VSRP (p. 449)
Displaying the active interfaces for a VRID (p. 450)

Chapter 16 Topology Groups
Topology overview

Displaying VRRP and VRRPE information (p. 471)
Displaying summary information (p. 472)
Displaying detailed information (p. 473)
Displaying statistics (p. 476)
Clearing VRRP or VRRPE statistics (p. 477)
Configuration examples

Configuring multicast traffic engineering (p. 505)
Displaying the multicast traffic engineering configuration (p. 506)
QoS profiles (p. 507)
Calculating the values for WFQ storage mode traffic scheduling (p. 508)
Egress port shaping (p. 508)
Mirroring ports

Port loop detection support in MCT (p. 563)
Configuring port loop detection (p. 563)
Displaying port loop detection information (p. 565)
Clearing port loop detection information (p. 566)
MAC Database Update over cluster control protocol (p. 566)
Cluster MAC entry types (p. 567)
MAC entry aging

ACL-based inbound mirroring (p. 596)
Considerations when configuring ACL-based inbound mirroring (p. 597)
Configuring ACL-based inbound mirroring (p. 597)
Creating an ACL with a mirroring clause (p. 597)
Applying the ACL to an interface

Chapter 23 Policy-Based Routing
Policy-Based Routing (PBR) (p. 645)
Configuration considerations (p. 645)
Configuring a PBR policy (p. 646)
Configure the ACLs (p. 646)
Configure the route map (p. 648)
Enabling PBR

PIM dense (p. 670)
Initiating PIM multicasts on a network (p. 671)
Pruning a multicast tree (p. 671)
Grafts to a multicast tree (p. 673)
PIM DM versions (p. 673)
Configuring PIM DM

Configuring MSDP mesh groups (p. 708)
Configuring MSDP mesh group (p. 709)
Displaying summary information (p. 715)
Displaying peer information (p. 716)
Displaying source active cache information (p. 719)
Clearing MSDP information

Chapter 26 Configuring OSPF Version 2 (IPv4)
Overview of OSPF (Open Shortest Path First) (p. 753)
Designated routers in multi-access networks (p. 754)
Designated router election in multi-access networks (p. 755)
OSPF RFC 1583 and 2328 compliance (p. 756)
Reduction of equivalent AS external LSAs (p. 756)
Support for OSPF RFC 2328 appendix E

Displaying OSPF information (p. 794)
Displaying general OSPF configuration information (p. 795)
Displaying CPU utilization and other OSPF tasks (p. 796)
Displaying OSPF area information (p. 797)
Displaying OSPF neighbor information (p. 798)
Displaying OSPF interface information (p. 799)
Displaying OSPF route information

Changing the default local preference (p. 841)
Changing the default metric used for redistribution (p. 842)
Changing administrative distances (p. 842)
Requiring the first AS to be the neighbor's AS (p. 843)
Neighbor local-AS (p. 844)
Enabling fast external fallover

Filtering (p. 870)
Filtering AS-paths (p. 870)
Filtering communities (p. 873)
Defining and applying IP prefix lists (p. 875)
Defining neighbor distribute lists (p. 876)
Defining route maps

Chapter 29 Configuring IS-IS (IPv4)
IS-IS overview (p. 945)
Relationship to IP route table (p. 946)
Intermediate systems and end systems (p. 946)
Domain and areas (p. 947)
Level-1 routing and Level-2 routing (p. 947)
Neighbors and adjacencies

Configuring IS-IS properties on an interface (p. 964)
Disabling and enabling IS-IS on an interface (p. 965)
Disabling or re-enabling formation of adjacencies (p. 965)
Setting the priority for designated IS election (p. 965)
Limiting access to adjacencies with a neighbor (p. 966)
Changing the IS-IS level on an interface (p. 966)
Disabling and enabling hello padding on an interface

Chapter 32 Configuring Multi-Device Port Authentication
How multi-device port authentication works (p. 1005)
RADIUS authentication (p. 1005)
Authentication-failure actions (p. 1006)
Supported RADIUS attributes (p. 1006)
Dynamic VLAN and ACL assignments

Configuring the MAC Port Security feature (p. 1030)
Enabling the MAC Port Security feature (p. 1030)
Setting the maximum number of secure MAC addresses for an interface (p. 1031)
Specifying static secure MAC addresses (p. 1032)
Enabling dynamic MAC address learning (p. 1032)
Denying specific MAC addresses

Configuring 802.1x port security (p. 1052)
Configuring an authentication method list for 802.1x (p. 1053)
Setting RADIUS parameters (p. 1053)
Configuring dynamic VLAN assignment for 802.1x ports (p. 1054)
Disabling and enabling strict security mode for dynamic filter assignment (p. 1056)
Dynamically applying existing ACLs or MAC address filter

Chapter 36 Inspecting and Tracking DHCP Packets
Tracking of DHCP assignments (p. 1083)
Dynamic ARP inspection (p. 1083)
ARP attacks (p. 1084)
How DAI works (p. 1084)
Limits and restrictions

Using FDP (p. 1105)
Configuring FDP (p. 1105)
Displaying FDP information (p. 1107)
Clearing FDP and CDP information (p. 1109)
Reading CDP packets (p. 1110)
Enabling interception of CDP packets globally

Chapter 41 Multiple Spanning Tree Protocol (MSTP) 802.1s
802.1s Multiple Spanning Tree Protocol (p. 1137)
Multiple spanning-tree regions (p. 1137)
Configuring MSTP (p. 1138)
Setting the MSTP name (p. 1139)
Setting the MSTP revision number (p. 1139)
Configuring an MSTP instance

Enabling IPv6 routing (p. 1170)
Configuring IPv6 on each router interface (p. 1170)
Configuring a global or site-local IPv6 address (p. 1170)
Configuring a link-local IPv6 address (p. 1172)
Configuring IPv6 anycast addresses (p. 1172)
Configuring the management port for an IPv6 automatic address configuration

Configuring IPv6 neighbor discovery (p. 1183)
Neighbor solicitation and advertisement messages (p. 1184)
Router advertisement and solicitation messages (p. 1184)
Neighbor redirect messages (p. 1185)
Setting neighbor solicitation parameters for duplicate address detection (p. 1185)
Setting IPv6 router advertisement parameters

Address family configuration level (p. 1220)
Configuring BGP4+
Enabling BGP4+
Configuring BGP4+ neighbors using global or site-local IPv6 addresses
Adding BGP4+ neighbors using link-local addresses
Configuring a BGP4+ peer group

Chapter 48 IPv6 Access Control Lists (ACLs)
IPv6 ACLs (p. 1287)
Using IPv6 ACLs as input to other features (p. 1288)
Configuring an IPv6 ACL
Example configurations
Default and implicit IPv6 ACL action
ACL syntax

Chapter 50 Configuring IPv6 Multicast Features
IPv6 PIM sparse (p. 1341)
PIM sparse router types (p. 1342)
RP paths and SPT paths (p. 1342)
Configuring PIM sparse (p. 1342)
IPv6 PIM-sparse mode

Configuring the Syslog service
Displaying the Syslog configuration
Disabling or re-enabling Syslog
Specifying a Syslog server
Specifying an additional Syslog server
Disabling logging of a message level
Logging all CLI commands to Syslog

FDP/CDP (p. 1427)
IP (p. 1427)
IPv6 BGP4+ (p. 1430)
IPv6 ACL (p. 1433)
IPv6 basic connectivity

SNMP (p. 1464)
SSH (p. 1464)
sFlow (p. 1465)
STP (p. 1466)
SysLog messages
About This Document

In this chapter
• Supported hardware and software (p. xliii)
• What's new in this document (p. xlvii)
• Document conventions (p. lxxvii)
• Trademark references (p. lxxviii)
• Related publications
TABLE 1 Supported features (Continued)
Category / Feature description
Foundry Discovery Protocol (FDP): Enables Brocade devices to advertise themselves to other Brocade devices on the network.

TABLE 1 Supported features (Continued)
Category / Feature description
Layer 2, Hitless failover: Provides automatic failover from the active management module to the standby management module without interrupting operation of any interface modules in the chassis.
Layer 2, IGMP Snooping: The BigIron RX supports IGMP snooping.
L2 ACL: Filtering based on MAC layer-2 parameters.

TABLE 1 Supported features (Continued)
Category / Feature description
BGP: BGP routes, BGP peers, BGP dampening, Graceful Restart
FDR: Foundry Direct Routing
IP Forwarding: IPv4 Routing, IPv6 Routing
IP: Static entries, Routes, ARPs, Virtual interfaces, Secondary addresses
IS-IS: Routes, BGP peers, BGP dampening
Multicast Routing: Multicast cache, L2 IGMP table, DVMRP routes, PIM-DM, PIM-SM, PIM-SSM, PIM Snooping
OSPF: OSPF routes, OSPF adjacencies (Dynamic), OSPF LSAs, OSPF filtering of advertised routes
PBR: Policy
• MPLS
• NAT
• RARP
• VLAN translation
• Subnet VLANs
• Source IP Port Security

What's new in this document

The following tables provide brief descriptions of the enhancements added in each BigIron RX software release, together with a reference to the specific chapter and section of the BigIron RX Series Configuration Guide or the Brocade BigIron RX Series Hardware Installation Guide that contains a detailed description and operational details for the enhancement.

Enhancements in release 02.9.
TABLE 2 Summary of enhancements in release 02.9.00a (Continued)
Enhancement: Counter support to identify port translation events
Description: The output of the show interface command has been enhanced to provide information about port translation events.

TABLE 4 Summary of enhancements in release 02.8.00 (Continued)
Enhancement: Enhanced command to display stp/rstp/mstp information for a particular Ethernet interface
Description: The show xstp command is newly added. It displays the stp/rstp/mstp protocol information of a particular Ethernet interface.
Enhancements in release 02.7.03

TABLE 5 Summary of enhancements in release 02.7.03
Enhancement: System Monitoring Service (SYSMON)
Description: This feature was introduced in the 02.6.00c patch release. It monitors the hardware in the system to detect, report, and in some cases isolate and recover hardware errors in the system.

TABLE 5 Summary of enhancements in release 02.7.03 (Continued)
Enhancement: MAC Port Security
Description: The MAC Port Security feature has been updated for the 02.7.03 release.
Enhancements in release 02.7.01

TABLE 7 Summary of enhancements in release 02.7.01 (Continued)
Enhancement: Limited/Fixed Boot Code
See: Book: Foundry BigIron RX Configuration Guide
Enhancement: System features
Description: The new 16 port 10GE oversubscribed module provides 4:1 over-subscription on the network ports. The new module is compatible with all previous modules on the BigIron RX.

TABLE 8 Summary of enhancements in release 02.7.00 (Continued)
Enhancement: True Remote Console
Description: The new rconsole feature provides a true connection to the MP/LP console port. While the old session-based rconsole is a remote X-Window connected to one of the windows on the target system, the new rconsole is a remote desktop.

TABLE 8 Summary of enhancements in release 02.7.00 (Continued)
Enhancement: SNMP MIBs for Layer 2 ACLs and Filters
Description: The following MIB tables have been added to this release:
• Textual Conventions
• Layer 2 ACL Next Clause Table
• Layer 2 ACL Configuration Table
• Layer 2 ACL Binding Configuration Table
See: Book: MIB Reference; Chapter: Filtering Traffic; Section: Layer 2 ACLs

Enhancements in release 02.6.00

TABLE 9 Summary of enhancements in release 02.6.
TABLE 9 Summary of enhancements in release 02.6.00 (Continued)
Enhancement: Rate Limiting ARP Packets
Description: This new feature allows you to rate-limit ARP traffic that is destined for the CPU of the BigIron RX router.

TABLE 9 Summary of enhancements in release 02.6.00 (Continued)
Enhancement: Multicast Listener Discovery (MLD)
Description: Release 02.6.00 adds support for MLD Snooping (MLDv1 and MLDv2) on Brocade BigIron RX devices running IPv6.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Configuring IPv6 Multicast Features"; Section: "Multicast Listener Discovery and source specific multicast protocols (MLDv2)"
Enhancement: IGMPv3 and IGMP Snooping
Description: In Release 02.6.

TABLE 9 Summary of enhancements in release 02.6.00 (Continued)
Enhancement: Automatic ACL Rebind
Description: Beginning with release 02.6.00, the ACL automatic rebind feature allows newly changed ACL filter definitions to be applied automatically to the ports where the ACL was bound.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Access Control List"; Section: "ACL automatic rebind"
Enhancement: Support for BFD IETF draft MIB version 3 (draft-ietf-bfdmib-03.
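The Rate Limiting ARP Packets row above says only that ARP traffic destined for the CPU can be rate-limited. The following is an added example, not IronWare code or CLI syntax: a stand-alone Python model of control-plane policing with a token bucket, which is this example's own assumption about the algorithm. The rate, burst depth and the ARP arrival timeline are constructed sample data; what it shows is why a burst-tolerant limiter lets normal ARP through while an ARP storm (a subnet sweep, a poisoning tool hammering the gateway) is mostly dropped before it reaches the CPU.

```python
"""Token-bucket policer for ARP packets punted to the control-plane CPU.

Added example, not BigIron RX code: the algorithm, parameters and the packet
timeline below are this example's assumptions and constructed data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TokenBucket:
    rate_pps: float      # sustained rate: tokens added per second
    burst: int           # bucket depth: largest burst admitted at once
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # bucket starts full

    def allow(self, now: float) -> bool:
        """Return True if one packet may be punted to the CPU at time `now`."""
        elapsed = max(0.0, now - self.last)
        # Refill proportionally to elapsed time, but never above the burst depth.
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_pps)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def police_arp(arrivals: List[float], rate_pps: float, burst: int) -> Tuple[int, int]:
    """Run ARP arrival times (seconds, non-decreasing) through the policer.

    Returns (punted_to_cpu, dropped).
    """
    bucket = TokenBucket(rate_pps, burst)
    punted = dropped = 0
    for t in arrivals:
        if bucket.allow(t):
            punted += 1
        else:
            dropped += 1
    return punted, dropped


def arp_flood_sample() -> List[float]:
    """Constructed timeline: an ARP storm of 50 frames at t=0 (a scanner sweeping
    the subnet), then one ARP every 0.5 s of normal traffic starting at t=10 s."""
    return [0.0] * 50 + [10.0 + 0.5 * i for i in range(10)]


if __name__ == "__main__":
    punted, dropped = police_arp(arp_flood_sample(), rate_pps=10.0, burst=20)
    print(f"punted={punted} dropped={dropped}")   # storm trimmed to the burst depth
```

With a 10 pps sustained rate and a burst depth of 20, the storm contributes only 20 punted packets and 30 drops, while the later steady 2 pps traffic is admitted in full because the bucket refills faster than it drains. The trade-off a practitioner has to accept is that legitimate hosts sharing the storm's time window are also dropped; the policer protects the CPU, it does not identify the attacker.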
TABLE 11 Summary of enhancements in release 02.5.00b (Continued)
Enhancement: Limited/Fixed Boot Code
See: Book: Foundry BigIron RX Configuration Guide
Enhancement: ACL-based Inbound sFlow
Description: With this patch release, the Multi-Service IronWare software supports using an IPv4 ACL to select packets that should be collected as special sFlow samples, in addition to the regular statistical sampling of sFlow.

TABLE 12 Summary of enhancements in release 02.5.00 (Continued)
Enhancement: Multicast Mll Sharing
Description: In Release 02.5.00, the multicast hardware device drivers have been enhanced to optimize utilization and improve overall performance.
See page: N/A
Enhancement: Multicast
Description: Starting with release 02.5.00, low priority multicast traffic is rate-limited to 1.8 Gbps per packet processor.
Enhancements in release 02.4.00

TABLE 14 Summary of enhancements in release 02.4.00
Enhancement: True Remote Console
Description: The new rconsole feature provides a true connection to the MP/LP console port. While the old session-based rconsole is a remote X-Window connected to one of the windows on the target system, the new rconsole is a remote desktop.

TABLE 14 Summary of enhancements in release 02.4.00 (Continued)
Enhancement: Increase Global Static ARP Entries
Description: The system max value for ip-static-arp can be configured to values up to 16,384 beginning with version 02.4.00 of the BigIron RX Multi-Service IronWare software.

TABLE 14 Summary of enhancements in release 02.4.00 (Continued)
Enhancement: IPv6 Load Sharing over ECMP and Trunks
Description: When the device receives traffic for a destination, and the IPv6 route table contains multiple equal-cost paths to that destination, the packets are load balanced across the multiple next-hops, including the member ports of a trunk.

TABLE 14 Summary of enhancements in release 02.4.00 (Continued)
Enhancement: IP Source Guard
Description: IP source guard is used on client ports to prevent IP source address spoofing.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Inspecting and Tracking DHCP Packets"; Section: "IP source guard"
Enhancement: Dynamic ARP Inspection
Description: Dynamic ARP Inspection (DAI) is a security feature that can prevent Man-in-the-Middle (MiM) or ARP spoofing/poisoning attacks.

TABLE 14 Summary of enhancements in release 02.4.00 (Continued)
Enhancement: Syslog Source Interface
Description: You can configure the BigIron RX to use the lowest-numbered IP or IPv6 address configured on a loopback interface, virtual interface, or Ethernet port as the source for all Syslog packets from the device.
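The IP Source Guard and Dynamic ARP Inspection rows in Table 14 name the two features but not the mechanism they share: both are checks against the binding table that DHCP snooping builds (IP, MAC, VLAN, port) from DHCP ACKs seen on untrusted ports, which is why the guide groups them under "Inspecting and Tracking DHCP Packets". The following is an added example that serves both rows, written as a stand-alone Python model; it is not BigIron RX code and uses no IronWare CLI syntax. The port names, addresses, bindings and packets are constructed sample data, and the treatment of trusted ports (uplinks whose ARP and IP traffic is not inspected) is this example's assumption about how such deployments are normally configured.

```python
"""Model of the DHCP snooping binding table and the two checks built on it:
Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).

Added example, not BigIron RX code: bindings, ports, addresses and packets below
are constructed; trusted-port handling is this example's assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One binding, learned by DHCP snooping from a DHCP ACK on an untrusted port."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class SnoopingTable:
    by_ip: Dict[Tuple[int, str], Binding] = field(default_factory=dict)
    trusted_ports: Set[str] = field(default_factory=set)

    def learn(self, ip: str, mac: str, vlan: int, port: str) -> None:
        self.by_ip[(vlan, ip)] = Binding(ip, mac.lower(), vlan, port)

    def lookup(self, vlan: int, ip: str) -> Optional[Binding]:
        return self.by_ip.get((vlan, ip))


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    in_port: str
    eth_src: str       # Ethernet source address
    sender_mac: str    # ARP sender hardware address
    sender_ip: str     # ARP sender protocol address


@dataclass(frozen=True)
class IpPacket:
    vlan: int
    in_port: str
    eth_src: str
    src_ip: str


def dai_check(table: SnoopingTable, arp: ArpPacket) -> Tuple[bool, str]:
    """DAI: an ARP packet from an untrusted port is forwarded only if its sender
    IP/MAC pair matches a binding learned on that VLAN and that port."""
    if arp.in_port in table.trusted_ports:
        return True, "trusted port, not inspected"
    if arp.eth_src.lower() != arp.sender_mac.lower():
        return False, "Ethernet source differs from ARP sender MAC"
    b = table.lookup(arp.vlan, arp.sender_ip)
    if b is None:
        return False, f"no binding for {arp.sender_ip} in VLAN {arp.vlan}"
    if b.mac != arp.sender_mac.lower():
        return False, f"{arp.sender_ip} is bound to {b.mac}, not {arp.sender_mac.lower()}"
    if b.port != arp.in_port:
        return False, f"{arp.sender_ip} is bound to port {b.port}, not {arp.in_port}"
    return True, "matches binding"


def ipsg_check(table: SnoopingTable, pkt: IpPacket) -> Tuple[bool, str]:
    """IPSG: an IP packet on an untrusted client port is forwarded only if its
    source IP and MAC are bound to that very port."""
    if pkt.in_port in table.trusted_ports:
        return True, "trusted port, not filtered"
    b = table.lookup(pkt.vlan, pkt.src_ip)
    if b is None or b.port != pkt.in_port:
        return False, f"{pkt.src_ip} is not bound to port {pkt.in_port}"
    if b.mac != pkt.eth_src.lower():
        return False, f"{pkt.src_ip} is bound to {b.mac}, not {pkt.eth_src.lower()}"
    return True, "matches binding"


def build_sample_table() -> SnoopingTable:
    """Constructed bindings: two DHCP clients on access ports, one trusted uplink."""
    t = SnoopingTable(trusted_ports={"e1/24"})
    t.learn("10.1.1.10", "00:11:22:33:44:55", 10, "e1/1")
    t.learn("10.1.1.11", "00:11:22:33:44:66", 10, "e1/2")
    return t


def run_sample() -> List[Tuple[str, bool]]:
    """Replay constructed packets; returns (label, forwarded) pairs."""
    t = build_sample_table()
    h2 = "00:11:22:33:44:66"   # the host on e1/2 plays the attacker below
    arps = [
        ("legit arp from e1/1", ArpPacket(10, "e1/1", "00:11:22:33:44:55", "00:11:22:33:44:55", "10.1.1.10")),
        ("e1/2 poisons gateway 10.1.1.1", ArpPacket(10, "e1/2", h2, h2, "10.1.1.1")),   # MitM attempt
        ("e1/2 claims neighbour's 10.1.1.10", ArpPacket(10, "e1/2", h2, h2, "10.1.1.10")),
        ("uplink e1/24 gateway reply", ArpPacket(10, "e1/24", "00:de:ad:be:ef:01", "00:de:ad:be:ef:01", "10.1.1.1")),
    ]
    ips = [
        ("legit ip from e1/2", IpPacket(10, "e1/2", h2, "10.1.1.11")),
        ("e1/2 spoofs 10.1.1.10", IpPacket(10, "e1/2", h2, "10.1.1.10")),
        ("e1/1 spoofs unbound 10.1.1.99", IpPacket(10, "e1/1", "00:11:22:33:44:55", "10.1.1.99")),
    ]
    out = [(label, dai_check(t, p)[0]) for label, p in arps]
    out += [(label, ipsg_check(t, p)[0]) for label, p in ips]
    return out


if __name__ == "__main__":
    for label, ok in run_sample():
        print(f"{'FORWARD' if ok else 'DROP   '}  {label}")
```

Two points the model makes visible. First, the gateway's own ARP replies arrive on the uplink, which has no DHCP binding; if that port is not marked trusted, DAI drops legitimate gateway traffic, which is the most common DAI deployment failure. Second, statically addressed hosts on untrusted ports need a static binding, since neither check will ever learn them from DHCP.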
Enhancements in release 02.3.00

System enhancements

TABLE 16 System enhancements
Enhancement: New Hardware Support
Description: The following new hardware is supported with the 02.3.00 software release for the BigIron RX:
1. 10G-XFP-CX4 (part number 10G-XFP-CX4). A new XFP module is available for use in the BigIron RX Series and 10G Interface Modules with the following capabilities:
• 10GBASE-CX4 compliant per 802.

TABLE 16 System enhancements (Continued)
Enhancement: Enhanced Digital Optical Monitoring
Description: You can configure the BigIron RX to monitor XFPs and SFPs in the system either globally or by specified port.
See: Book: Brocade BigIron RX Series Hardware Installation Guide; Chapter: Connecting a BigIron RX Series Switch to a Network Device; Section: Enhanced Digital Optical Monitoring
Enhancement: Re-distributing CAM Allocations
Description: In releases prior to 02.3.00, CAM partitioning was not configurable.
TABLE 17 Layer 2 enhancements (Continued)
Enhancement: VSRP Slow-Start
Description: This feature allows for a hold-down time before the backup returns ownership to the master after the link is seen.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Virtual Switch Redundancy Protocol (VSRP)"; Section: "VSRP slow start"
Enhancement: 802.1s Multiple Spanning Tree Protocol (MSTP)
Description: With this release, you can configure multiple STP instances using the MSTP protocol, as defined in IEEE 802.

TABLE 18 Layer 3 enhancements (Continued)
Enhancement: OSPF v3
Description: IPv6 supports OSPF version 3 (OSPFv3), which functions similarly to OSPF version 2.
See: Book: BigIron RX Series Configuration Guide; Chapter: "Configuring OSPF Version 3"
Enhancement: BGP+
Description: Brocade's implementation of IPv6 supports multiprotocol BGP (MBGP) extensions, which allow IPv6 BGP (known as BGP4+) to distribute routing information for protocols such as IPv4 BGP.

TABLE 18 Layer 3 enhancements (Continued)
Enhancement: Default Route ECMP
Description: This feature allows for load distribution of traffic among the available default route next-hops.

TABLE 19 IP multicast enhancements (Continued)
Enhancement: IGMP v2/v3 Fast Leave
Description: IGMP Fast Leave allows clients to leave groups without the three-second waiting period, if certain conditions are met.

TABLE 20 IP service, security, and Layer 4 enhancements (Continued)
Enhancement: Port Security MAC Violation Limit
Description: This feature provides protection against physical link instability. It allows a user to configure it to keep a port in a down state in cases where the port has experienced some number of state transitions within a configured amount of time.
Layer 2 enhancements TABLE 23 Layer 2 enhancements Enhancement Description See page VLAN Byte Accounting With this release, you can configure a VLAN to account for the number of bytes received by all the member ports. Book: BigIron RX Series Configuration Guide Chapter:“VLANs” Section:“VLAN byte accounting” Super Aggregated VLANs (SAV) Multiple VLANs can be aggregated within another VLAN to allow you to construct Layer 2 paths and channels.
TABLE 24 Layer 3 enhancements (Continued) Enhancement Description See page OSPF point-to-point OSPF point-to-point eliminates the need for Designated and Backup Designated routers, allowing for faster convergence of the network. Book: BigIron RX Series Configuration Guide Chapter:“Configuring OSPF Version 2 (IPv4)” Section: “OSPF point-to-point links” Neighbor Local AS Neighbor Local Autonomous System (AS) feature allows a router that is a member of one AS to appear to be a member of another AS.
Security enhancements

TABLE 26 Security enhancements
Enhancement | Description | See page
Multi-device Port Authentication | Multi-device port authentication is now supported on the BigIron RX. | Book: BigIron RX Series Configuration Guide; Chapter: “Using the MAC Port Security Feature and Transparent Port Flooding”
802.1x Port Security | This release allows you to enable 802.1X port security and multi-device port authentication on the same interface. |
TABLE 26 Security enhancements (Continued)
Enhancement | Description | See page
Enhancements to passwords | The following have been implemented to enhance the password features in the BigIron RX:
• New rules for enable and user passwords
• Users are now required to accept the message of the day
• Users are locked out if they reach the maximum number of login attempts and have not logged in successfully.
• Previous passwords used are now stored in the CLI. |
Enhancements in release 02.2.00

TABLE 29 Summary of enhancements in 02.2.00
Enhancement | Description | See page
Quality of Service (QoS) Support | QoS support on the BigIron RX is different than for the BigIron MG8. | Book: BigIron RX Series Configuration Guide; Chapter: “Configuring Quality of Service”
Rate-limiting Support | Rate-limiting can be performed based on ACL matching of flows and L2/L3 priority. It operates as on the BigIron MG8 except:
• Only Inbound rate limiting is supported.
• 802. |
Document conventions This section describes text formatting conventions and important notice formats used in this document.
Trademark references

This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only.

Corporation | Referenced Trademarks and Products
HP | HP Top Tools

Related publications

The following Brocade documents supplement the information in this guide and can be located at http://www.brocade.
Chapter 1 Getting Started with the Command Line Interface

In this chapter
• Logging on through the CLI
• EXEC commands
• CONFIG commands
• Accessing the CLI
Logging on through the CLI

On-line help

To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed. If you enter part of a command, then enter “?” or press Tab, the CLI lists the options you can enter at this point in the command string. If you enter an invalid command followed by ?, a message appears indicating the command was unrecognized.
EXEC commands

Line editing commands

The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command.

TABLE 30 CLI line-editing commands
Ctrl-key combination | Description
Ctrl-A | Moves to the first character on the command line.
Ctrl-B | Moves the cursor back one character.
CONFIG commands

You reach this level by entering the enable [] or enable at the User EXEC level.

BigIron RX>enable

or

BigIron RX>enable user1 mypassword

After entering the enable command, you see the following prompt.

BigIron RX#

The prompt indicates that you are at the Privilege EXEC level. When you are at the Privilege EXEC level, you can enter commands that are available at that level.
• interface group-ve

Trunk level

The trunk level allows you to change parameters for statically-configured trunk groups. You reach this level by entering a trunk command with the appropriate port parameters.

Router RIP level

The RIP level allows you to configure parameters for the RIP routing protocol. You reach this level by entering the router rip command at the global CONFIG level.
Route Map level

The Route Map level allows you to configure parameters for a BGP4 route map. You reach this level by entering the route-map command at the global CONFIG level.

Router VRRP level

The VRRP level allows you to configure parameters for the Virtual Router Redundancy Protocol (VRRP). You reach this level by entering the router vrrp command at the global CONFIG level, then entering the ip vrrp vrid command at the interface configuration level.
MAC port security level

The MAC port security level allows you to configure the port security feature. You reach this level by entering the global-port security command at the Global or Interface levels.

Accessing the CLI

The CLI can be accessed through both serial and Telnet connections. For initial log on, you must use a serial connection. Once an IP address is assigned, you can access the CLI through Telnet.
BigIron RX>   User Level EXEC Command
BigIron RX#   Privileged Level EXEC Command
BigIron RX(config)#   Global Level CONFIG Command
BigIron RX(config-if-e10000-5/1)#   Interface Level CONFIG Command
BigIron RX(config-lbif-1)#   Loopback Interface CONFIG Command
BigIron RX(config-ve-1)#   Virtual Interface CONFIG Command
BigIron RX(config-trunk-4/1-4/8)#   Trunk group CONFIG Command
BigIron RX(config-if-e10000-tunnel)#   I
Searching and filtering output

Optional fields

When two or more options are separated by a vertical bar, “|”, you must enter one of the options as part of the command.

Syntax: priority normal | high

For example, the "normal | high" entry in the Syntax above means that priority can be either priority normal or priority high. The command in the syntax above requires that you enter either normal or high as part of the command.
Displaying lines containing a specified string

The following command filters the output of the show interface command for port 3/11 so it displays only lines containing the word “Internet”. This command can be used to display the IP address of the interface.

BigIron RX# show interface e 3/11 | include Internet
Internet address is 192.168.1.
BigIron RX# ?
append              Append one file to another
attrib              Change file attribute
boot                Boot system from bootp/tftp server/flash image
cd                  Change current working directory
chdir               Change current working directory
clear               Clear table/statistics/keys
clock               Set clock
configure           Enter configuration mode
copy                Copy between flash, tftp, config/code
cp                  Copy file commands
debug               Enable debugging functions (see also 'undebug')
delete              Delete fi
dir
dm
dot1x
erase
exit
fastboot
force-sync-standby
To display lines that do not contain a specified search string (similar to the exclude option for show commands) press the minus sign key ( - ) at the --More-- prompt and then enter the search string.

--More--, next page: Space, next line: Return key, quit: Control-c
-telnet

The filtered results are displayed.

filtering...
TABLE 31 Special characters for regular expressions (Continued)
Character | Operation
^ | A caret (when not used within brackets) matches on the beginning of an input string. For example, the following regular expression matches output that begins with “deg”: ^deg
$ | A dollar sign matches on the end of an input string.
The following characters are valid in file names:
• All upper and lowercase letters
• All digits

Any of the following special characters are valid:
• $
• %
• '
• _
• @
• ~
• `
• !
• (
• )
• {
• }
• ^
• #
• &

Syntax shortcuts

A command or parameter can be abbreviated as long as enough text is entered to distinguish it from other commands at that level.
NOTE
Most configuration changes are dynamic and thus do not require a software reload. If a command requires a software reload to take effect, the documentation states this.
Chapter 2 Using a Redundant Management Module

In this chapter
• How management module redundancy works
• Management module redundancy configuration
• Managing management module redundancy
• Monitoring management module redundancy
• Flash memory and PCMCIA flash card file management commands
How management module redundancy works

After the modules boot, the active module compares the standby module’s flash code and system-config file to its own. If differences exist, the active module synchronizes the standby module’s flash code and system-config file with its own. During normal operation, the active module handles tasks such as obtaining network topology and reachability information and determining the best paths to known destinations. The active module also monitors the standby module.
Manual switchover

In some situations, you may want to manually switch the role of active management module from the currently active module to the standby module. For example, if the module in slot M2 is the active module and the module in slot M1 is the standby module and you want the module in M1 to be the active module and the module in M2 to be the standby module, you can perform a manual switchover using the switchover command.
The following sections explain the implications for these areas.

Management sessions

You can establish management sessions with the active management module’s management port. If a switchover occurs, the management port on the original active module shuts down and all open CLI, Web management interface, and Brocade Network Advisor sessions with that port close.
Management module redundancy configuration

Once booted, the redundant management module keeps up-to-date copies of the active module's running configuration. Layer 2 protocols such as STP, RSTP, MRP, and VSRP are run concurrently on both the active and standby management modules. Upon the failover of the active management module, the standby module takes over as the active management module and picks up where the active module left off, without interrupting any Layer 2 traffic.
Managing management module redundancy

• Perform a manual switchover to the standby module.
• Reboot the standby module.

File synchronization between the active and standby management modules

Each active and standby management module contains the following files that can be synchronized between the two modules:
• Flash code – The flash code can include the following files:
  • monitor, which contains the management module’s Real Time Operating System (RTOS).
FIGURE 1 Active and standby management module file synchronization

[Figure: the Active Management Module and the Standby Management Module, each holding Flash code, Startup-config file, Running-config file and Boot code. The arrows between them carry these labels: “Synchronized at startup or switchover”; “Also can be immediately synchronized using the CLI”; “Startup-config also automatically updated with write memory command”; “Automatically synchronized at regular, user-configurable intervals”; “Not synchronized”.]
To compare and immediately synchronize files between the active and standby modules if differences exist, enter the following command at the Privileged EXEC level of the CLI.

BigIron RX# sync-standby

Syntax: sync-standby

Synchronizing files without comparison

You can synchronize the flash code, system-config file, and running-config file immediately without comparison.
Monitoring management module redundancy

BigIron RX# boot system flash primary

Syntax: boot system bootp | [flash primary | flash secondary] | slot | tftp

The flash primary keyword specifies the primary BigIron RX Series Multi-Service IronWare image in the management module’s flash memory, while the flash secondary keyword specifies the secondary BigIron RX Series Multi-Service IronWare image in the flash memory.
You can also observe the Pwr LED on each module. If this LED is on (green), the module is receiving power. If this LED is off, the module is not receiving power. (A module without power will not function as the active or standby module.)

Software

To display the status of the management modules, enter the following command at any CLI level.

BigIron RX# show module
Module
M1 (upper): BigIron BI-RX Management Module
M2 (lower): BigIron BI-RX Management Module
...
• Redundancy parameter settings and statistics, which include the number of switchovers that have occurred.
• System log or the traps logged on an SNMP trap receiver, which includes information about whether a switchover has occurred.

To view the redundancy parameter settings and statistics, enter the following command at any level of the CLI.
Flash memory and PCMCIA flash card file management commands

BigIron RX# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 24 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning
Static Log Buffer:
Sep 28 11:31:25:A:Power Supply 1, 1st left, not installed
Sep 28 11:31:25:A:Power Supply 3, middle left, not inst
Sep 28 11:31:25:A:Power Supply 4,
Sep 28 11:31:25:A:Power Supply 5,
• Create a subdirectory.
• Remove a subdirectory.
• Rename a file.
• Change the read-write attribute of a file.
• Delete a file.
• Recover or “undelete” a file.
• Append one file to another (join two files).
• Perform copy operations using the copy command.
• Perform copy operations using the cp command.
• Load the system software from flash memory, a flash card, or other sources during system reboot.
For example, if you want to display a directory of files in flash memory and flash memory has the current management focus, you do not need to specify the flash keyword. However, if you want to display a directory of files for slot 1 and flash memory has the current focus, you must specify the slot1 keyword.

Flash memory file system

The flash memory file system is flat, which means that it does not support subdirectories.
PCMCIA flash card file system

The PCMCIA flash card file system is hierarchical, which means that it supports subdirectories. Therefore, you can create or delete subdirectories in this file system using the md or mkdir and rd or rmdir commands, respectively. Also, when specifying the syntax for the various file management commands, you may need to specify a pathname to a subdirectory as appropriate to manipulate a file in a subdirectory.
• }
• ^
• #
• &

You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: “a long subdirectory name”. A subdirectory or file name can be a maximum of 256 characters long. A complete subdirectory path name cannot contain more than 256 characters. There is no maximum file size.
For example, to reformat a flash card in the management module’s slot 2, enter the following command.

BigIron RX# format slot2
.......................................................
.......................................................
.......................................................
......................................
80809984 bytes total card space.
80809984 bytes available on card.
2048 bytes in each allocation unit.
When you enter this command, the software changes the management focus to slot 2 then displays a new command prompt. If a slot you specify does not contain a flash card, the software displays the message shown in the following example.
BigIron RX# dir
Directory of /flash/
07/28/2003  15:57:45    3,077,697
07/28/2003  15:56:10    3,077,697
07/28/2003  16:00:08    3,077,697
07/25/2003  18:00:23      292,701
00/00/0     00:00:00           12
07/28/2003  14:40:19      840,007
07/28/2003  15:18:18      840,007
07/28/2003  09:56:16      391,524
07/28/2003  15:08:12    3,077,697
07/28/2003  16:02:23        1,757
07/25/2003  18:02:14        1,178
07/28/2003  14:28:47        1,662
07/26/2003  12:16:29
07/25/2003  18:11:01
07/28/2003  09:40:54
              15 File(s)
               0 Dir(s)
BigIron RX# dir /slot2/
Directory of /slot2/
08/01/2003  18:25:28    3,092,508  PRIMARY
08/01/2003  18:28:06    3,092,508  prim
08/01/2003  18:28:24      389,696
08/01/2003  18:28:30      389,696
08/01/2003  18:28:01      389,696
08/01/2003  18:28:03      389,696
08/01/2003  18:29:04      389,696
08/01/2003  18:29:12      389,696
08/01/2003  18:32:03      389,696
08/01/2003  18:32:08      389,696
08/01/2003  18:32:11      389,696
08/01/2003  18:32:14      389,696
08/01/2003  18:32:17
              12 File(s)
               1 Dir(s)

For example, to display the contents of a file in flash memory, if flash memory has the current management focus, enter a command such as the following.

BigIron RX# more cfg.cfg

Syntax: more [//]

Use the parameter to specify a directory in a file system that does not have current management focus. Use the parameter to specify the file you want to display.
The software attempts to create a subdirectory in the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to create a subdirectory in a file system that does not currently have management focus. In this case, you can specify the slot1 or slot2 keyword with the md or mkdir command to create the subdirectory in the desired file system.
A subdirectory name can be a maximum of 256 characters long. A complete subdirectory path name cannot contain more than 260 characters. The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using uppercase letters. To verify successful creation of the subdirectory, enter a command such as the following to change to the new subdirectory level.
Renaming a file

You can rename a file in the management module’s flash memory or on a flash card inserted in the management module’s slot 1 or slot 2 using the rename or mv command. The software attempts to rename the file in the file system that has the current management focus. By default, flash memory has the management focus.
For example, to change the attribute of a file in slot2 to read-only, if flash memory has the management focus, enter a command such as the following.

BigIron RX# attrib slot2 ro goodcfg.cfg

Syntax: attrib [slot1 | slot2] ro | rw

Specify the slot1 or slot2 keyword to change the attribute of a file on the flash card in slot 1 or slot 2, respectively.
For example, to delete all files with names that start with “test” from flash memory, if flash memory has the current management focus, enter a command such as the following.

BigIron RX# delete test*.*

For example, to delete a specific file on the flash card in slot 2, if flash memory has the current management focus, enter a command such as the following.
Appending a file to another file

You can append a file in flash memory or on a flash card to the end of another file in one of these file systems. The software attempts to append one file to another in the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to append one file to another in a file system that does not currently have management focus.
• Load a running-config from a flash card or TFTP server into the device’s running-config (loading ACLs only)

NOTE
The copy options require you to explicitly specify the flash card. Therefore, you can perform a copy regardless of the flash card that currently has the management focus.

Copying files from one flash card to the other

To copy a file from one flash card to the other, enter the following command.
Copying software images between active and standby management modules

To copy the monitor image from flash memory of the active management module to flash memory of the standby module, enter the following command.
BigIron RX# copy flash tftp 10.10.10.1 secondary.bak secondary

Syntax: copy flash tftp primary | secondary

Copying files between a flash card and a TFTP server

You can use the following methods to copy files between a flash card and a TFTP server.

NOTE
The BigIron RX Series system must have network access to the TFTP server.

To copy a file from a flash card to a TFTP server, enter a command such as the following.
This command copies the startup configuration from the device’s flash memory to a flash card in slot 1 and names the file mfgtest.cfg.

Copying the startup-config file between flash memory and a TFTP server

Use the following methods to copy a startup-config between flash memory and a TFTP server to which the BigIron RX Series system has access.
Syntax: ncopy slot1 | slot2 [\\] running

The command in this example changes the device’s active configuration based on the information in the file.

To copy a running-config from a TFTP server, enter a command such as the following.

BigIron RX# copy tftp running-config 10.10.10.1 run.
Loading the software

By default, the management module loads its BigIron RX Series Multi-Service IronWare image from the primary location in flash memory. You can change the system’s BigIron RX Series Multi-Service IronWare image source to one of the following sources for one reboot or for all future reboots:
• The secondary location in flash memory.
• A flash card inserted in slot 1 or 2.
• A TFTP server.
• A BOOTP server.
To reboot the system from a BOOTP server, enter the following command.

BigIron RX# boot system bootp

Syntax: boot system bootp

Configuring the boot source for future reboots

To change the BigIron RX Series Multi-Service IronWare image source from the primary location in flash memory to another source for future reboots, enter a command such as the following at the global CONFIG level of the CLI.
BigIron RX# locate startup-config slot1 switch1.cfg
BigIron RX# write memory

The first command in this example sets the device to save configuration changes to the file named “switch1.cfg” in the flash card in slot 1. The second command saves the running-config to the switch1.cfg file on the flash card in slot 1.

NOTE
In this example, after you save the configuration changes using the write memory command, the switch1.
TABLE 34 Flash card file management messages (Continued)
This message... | Means...
Invalid DOS file name | A filename you entered contains an invalid character (for example, “:” or “\”).
Chapter 3 Securing Access to Management Functions

In this chapter
• Securing access methods, page 53
• Restricting remote access to management functions, page 55
• Setting passwords, page 63
• Setting up local user accounts
Securing access methods

TABLE 35 Ways to secure management access to the device (Continued)
Access method | How the access method is secured by default | Ways to secure the access method | See page
Telnet access | Not secured | Regulate Telnet access using ACLs | page 56
 | | Allow Telnet access only from specific IP addresses | page 59
 | | Allow Telnet access only to clients connected to a specific VLAN | page 61
 | | Specify the maximum number of login attempts for Telnet access | page 60
 | | Disable Telnet access | page
Restricting remote access to management functions

TABLE 35 Ways to secure management access to the device (Continued)
Access method | How the access method is secured by default | Ways to secure the access method | See page
Web management access | SNMP read or read-write community strings | Regulate Web management access using ACLs | page 57
 | | Allow Web management access only from specific IP addresses | page 60
 | | Allow Web management access only to clients connected to a specific VLAN | page 61
 | | Disable Web m
• Specifically disabling Telnet, Web management interface, or SNMP access to the device

Using ACLs to restrict remote access

You can use standard ACLs to control the following access methods to management functions on the device:
• Telnet access
• SSH access
• Web management access
• SNMP access

To configure access control for these management access methods:
1. Configure an ACL with the IP addresses you want to allow to access the device
2.
The ACL in the example permits Telnet access only to the IP addresses in the permit entries and denies Telnet access from all other IP addresses.

Using an ACL to restrict SSH access

To configure an ACL that restricts SSH access to the device, enter commands such as the following.

BigIron RX(config)# access-list 12 deny host 209.157.22.
Using ACLs to restrict SNMP access

To restrict SNMP access to the device using ACLs, enter commands such as the following.

NOTE
The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet, SSH, and Web management access using ACLs.
BigIron RX(config)# access-list 10 permit host 10.10.11.254
BigIron RX(config)# access-list 10 permit host 192.168.2.254
BigIron RX(config)# access-list 10 permit host 192.168.12.254
BigIron RX(config)# access-list 10 permit host 192.64.22.
Restricting Web Management access to a specific IP address

To allow Web Management access to the device only to the host with IP address 209.157.22.26, enter the following command.

BigIron RX(config)# web client 209.157.22.26

Syntax: [no] web client | ipv6

Restricting SNMP access to a specific IP address

To allow SNMP access (which includes Brocade Network Advisor) to the device only to the host with IP address 209.157.22.
• TFTP access

By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given access method based on VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN. VLAN-based access control works in conjunction with other access control methods.
The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] tftp client enable vlan

Disabling specific access methods

You can specifically disable the following access methods.
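The controls described in this section (standard ACLs applied to a management access method, VLAN-based restriction, and disabling a method outright) combine as shown in the following Python model. It is an added example, not code from this guide or from the IronWare software; the class and method names are assumptions, and the addresses reuse the ones in the guide's own examples (10.10.11.254, 192.168.2.254, 209.157.22.26, VLAN 40). The standard ACL is evaluated first-match with an implicit deny when no entry matches, which is why the deny entry in the SSH example above must come before any broader permit.

```python
import ipaddress


class StandardAcl:
    """Ordered permit/deny entries evaluated first-match, with an implicit
    deny when nothing matches: the behaviour of the standard ACLs this
    chapter applies to Telnet, SSH, Web management and SNMP access."""

    def __init__(self, acl_id):
        self.acl_id = acl_id
        self.entries = []   # (action, ip_network) in configured order

    def permit_host(self, ip):
        self.entries.append(("permit", ipaddress.ip_network(ip)))
        return self

    def deny_host(self, ip):
        self.entries.append(("deny", ipaddress.ip_network(ip)))
        return self

    def permit_any(self):
        self.entries.append(("permit", ipaddress.ip_network("0.0.0.0/0")))
        return self

    def evaluate(self, source_ip):
        """Return 'permit' or 'deny' for a source address."""
        addr = ipaddress.ip_address(source_ip)
        for action, net in self.entries:
            if addr in net:
                return action
        return "deny"   # implicit deny at the end of every ACL


class ManagementAccessPolicy:
    """Per-method controls for the management plane: an optional ACL, an
    optional VLAN restriction and a disable switch. Every configured control
    must pass, which models the statement that VLAN-based access control
    works in conjunction with the other access control methods."""

    METHODS = ("telnet", "ssh", "web", "snmp", "tftp")

    def __init__(self):
        self.acls = {}
        self.vlans = {}
        self.disabled = set()

    def apply_acl(self, method, acl):
        self.acls[method] = acl

    def restrict_vlan(self, method, vlan_id):
        self.vlans[method] = vlan_id

    def disable(self, method):
        self.disabled.add(method)

    def allow(self, method, source_ip, client_vlan):
        """True if a client at source_ip on client_vlan may use method."""
        if method not in self.METHODS:
            raise ValueError("unknown management access method: %s" % method)
        if method in self.disabled:
            return False
        acl = self.acls.get(method)
        if acl is not None and acl.evaluate(source_ip) != "permit":
            return False
        if method in self.vlans and client_vlan != self.vlans[method]:
            return False
        return True


if __name__ == "__main__":
    policy = ManagementAccessPolicy()
    policy.apply_acl("telnet", StandardAcl(10).permit_host("10.10.11.254"))
    policy.restrict_vlan("tftp", 40)
    policy.disable("web")
    print(policy.allow("telnet", "10.10.11.254", 40))   # permitted by ACL 10
    print(policy.allow("telnet", "10.10.11.1", 40))     # implicit deny
    print(policy.allow("tftp", "10.0.0.5", 41))         # wrong VLAN
```

The model makes the defender's checks explicit: an ACL with only permit entries still denies everyone else, a VLAN restriction is applied on top of the ACL rather than instead of it, and a disabled method refuses even an address the ACL would permit.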
Setting passwords

Disabling Web management access by HP ProCurve Manager

By default, TCP port 80 is enabled on the Brocade device. TCP port 80 (HTTP) allows access to the device’s Web management interface. By default, TCP port 280 for HP Top tools is disabled. This tool allows access to the device by HP ProCurve Manager. The no web-management command disables both TCP ports. However, if you want to disable only port 280 and leave port 80 enabled, use the hp-top-tools option with the command.
To set the password “letmein” for Telnet access to the CLI, enter the following command at the global CONFIG level.

BigIron RX(config)# enable telnet password letmein

Syntax: [no] enable telnet password

Suppressing Telnet connection rejection messages

By default, if a device denies Telnet management access to the device, the software sends a message to the denied Telnet client. You can optionally suppress the rejection message.
3. Enter the following command to set the Super User level password.

BigIron RX(config)# enable super-user-password

NOTE
You must set the Super User level password before you can set other types of passwords. The Super User level password can be an alphanumeric string, but cannot begin with a number.

4. Enter the following commands to set the Port Configuration level and Read Only level passwords.
Syntax: [no] privilege level

The parameter specifies the CLI level and can be one of the following values:
• exec – EXEC level; for example, BigIron RX> or BigIron RX#
• configure – CONFIG level; for example, BigIron RX(config)#
• interface – Interface level; for example, BigIron RX(config-if-e10000-6)#
• virtual-interface – Virtual-interface level; for example, BigIron RX(config-vif-6)#
• rip-router – RIP rou
Setting up local user accounts

Displaying the SNMP community string

If you want to display the SNMP community string, enter the following commands.

BigIron RX(config)# enable password-display
BigIron RX(config)# show snmp server

The enable password-display command enables display of the community string, but only in the output of the show snmp server command. Display of the string is still encrypted in the startup configuration file and running configuration.
Local user accounts provide greater flexibility for controlling management access to the device than do management privilege level passwords and SNMP community strings of SNMP versions 1 and 2. You can continue to use the privilege level passwords and the SNMP community strings as additional means of access authentication. Alternatively, you can choose not to use local user accounts and instead continue to use only the privilege level passwords and SNMP community strings.
• 4 – Port Configuration level
• 5 – Read Only level

The default privilege level is 0. If you want to assign Super User level access to the account, you can enter the command without privilege 0, as shown in the command example above.

The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user's password.
NOTE
Before you can change a local user account using the Web Management Interface, you must enable this capability by entering the CLI command "password-change any" at the global CONFIG level of the CLI.
1. Log in to the Web Management Interface using a valid user name and password that has a read-write privilege level.
2. Select Configure->System->Management->User Account.
3. User account information is listed in a table.
• The last 15 passwords are stored in the CLI.
• A password can be set to expire.
• Passwords are masked during password creation.
• Passwords must not share four or more concurrent characters with any other password configured on the device.
• Passwords that were previously used cannot be reused.
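The two checks above that an operator can evaluate ahead of time (no reuse of the last 15 passwords, no four-character run shared with another configured password) modelled in Python. This is an added example, not code from the guide or from the device; the class and function names, and the exact comparison semantics (case-sensitive substring windows), are this example's assumptions.

```python
"""Added example: model the strict-password-enforcement rules listed in the
guide so a candidate password can be screened before it is typed into the CLI.

Rules modelled (from the text):
  - the last 15 passwords are kept and a previously used password is rejected;
  - a password must not share four or more consecutive characters with any
    other password configured on the device.
Everything else here (names, case-sensitive matching) is an assumption."""
from collections import deque
from typing import Deque, Iterable, List, Optional

HISTORY_DEPTH = 15      # "The last 15 passwords are stored in the CLI."
SHARED_RUN_LIMIT = 4    # "four or more concurrent characters"


def shared_run(a: str, b: str, length: int = SHARED_RUN_LIMIT) -> Optional[str]:
    """Return the first substring of `a` with `length` characters that also
    appears in `b`, or None when the two strings share no run that long."""
    if len(a) < length or len(b) < length:
        return None
    windows_b = {b[i:i + length] for i in range(len(b) - length + 1)}
    for i in range(len(a) - length + 1):
        chunk = a[i:i + length]
        if chunk in windows_b:
            return chunk
    return None


class PasswordPolicy:
    """Tracks the other passwords configured on the device and the bounded
    password history, and screens a candidate against both rules."""

    def __init__(self, configured: Iterable[str] = ()):
        # Passwords configured for other accounts/levels on the device
        # (constructed by the caller; used for the shared-run rule).
        self.configured: List[str] = list(configured)
        # Bounded history: once 15 are stored the oldest entry is dropped.
        self.history: Deque[str] = deque(maxlen=HISTORY_DEPTH)

    def violations(self, candidate: str) -> List[str]:
        """Return a list of human-readable rule violations (empty = acceptable)."""
        problems: List[str] = []
        if candidate in self.history:
            problems.append("password was used before and cannot be reused")
        for other in self.configured:
            run = shared_run(candidate, other)
            if run is not None:
                problems.append(
                    f"shares {SHARED_RUN_LIMIT}+ consecutive characters "
                    f"({run!r}) with another configured password")
                break
        return problems

    def set_password(self, candidate: str) -> bool:
        """Accept the candidate (recording it in history) or reject it."""
        if self.violations(candidate):
            return False
        self.history.append(candidate)
        return True


if __name__ == "__main__":
    # Constructed sample: one other password already exists on the device.
    policy = PasswordPolicy(configured=["Fl00rPlan"])
    print(policy.set_password("Sw1tchOps"))       # True
    print(policy.violations("xxPlanyy"))          # shares 'Plan'
    print(policy.set_password("Sw1tchOps"))       # False: reuse
```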
Once the enable strict-password-enforcement command is enabled, you can configure the features discussed in the following sections:
• “Requiring users to accept the message of the day” on page 72
• “Locking out user accounts after three login attempts” on page 72
• “Retaining password history” on page 72
• “Setting passwords to expire” on page 72
• “Creating an encrypted all-numeric password” on page 73
• “Configuring SSL security for the Web Management Interface” on pag
Configuring SSL security for the Web Management Interface 3 NOTE The enable strict-password-enforcement command must be enabled before this command is configured. Otherwise, the following message is displayed: "Password expire time is enabled only if strict-password-enforcement is set". Issue the show user command to display the password expiration date, as shown in bold in the following.
Enabling the SSL server on the device
To enable the SSL server on the device, enter the following command.
BigIron RX(config)# web-management https
Syntax: [no] web-management http | https
You can enable either the HTTP or HTTPS server with this command. You can disable both the HTTP and HTTPS servers by entering the following command.
Generating an SSL certificate
If you did not already import a digital certificate from a client, the device can create a default certificate. To do this, enter the following command.
BigIron RX(config)# crypto-ssl certificate generate
Syntax: [no] crypto-ssl certificate generate
Deleting the SSL certificate
To delete the SSL certificate, enter the following command.
3 Configuring TACACS and TACACS+ security TACACS and TACACS+ authentication, authorization, and accounting When you configure a device to use a TACACS and TACACS+ server for authentication, the device prompts users who are trying to access the CLI for a user name and password, then verifies the password with the TACACS and TACACS+ server.
5. The user is prompted for a password.
6. The user enters a password.
7. The device sends the password to the TACACS+ server.
8. The password is validated in the TACACS+ server’s database.
9. If the password is valid, the user is authenticated.
TACACS+ authorization
The device supports two kinds of TACACS+ authorization:
• Exec authorization determines a user’s privilege level when they are authenticated.
5. The TACACS+ accounting server records information about the event.
6. When the event is concluded, the device sends an Accounting Stop packet to the TACACS+ accounting server.
7. The TACACS+ accounting server acknowledges the Accounting Stop packet.
Configuring TACACS and TACACS+ security 3 User action Applicable AAA operations User enters the command: [no] aaa accounting system default start-stop Command authorization (TACACS+): aaa authorization commands default User enters other commands Command accounting (TACACS+): aaa accounting commands default start-stop System accounting start (TACACS+): aaa accounting system default start-stop Command authorizat
3. Configure authentication-method lists. Refer to “Configuring authentication-method lists for TACACS and TACACS+” on page 83.
TACACS+ configuration procedure
For TACACS+ configurations, use the following procedure.
1. Enable TACACS. Refer to “Enabling SNMP to configure TACACS and TACACS” on page 80.
2. Identify TACACS+ servers. Refer to “Identifying the TACACS and TACACS+ servers” on page 80.
3. Set optional parameters.
If you add multiple TACACS and TACACS+ authentication servers to the device, the device tries to reach them in the order you add them. For example, if you add three servers in the following order, the software tries the servers in the same order.
1. 207.94.6.161
2. 207.94.6.191
3. 207.94.6.122
You can remove a TACACS and TACACS+ server by entering no followed by the tacacs-server command. For example, to remove 207.94.6.161, enter the following command.
• Retransmit interval – This parameter specifies how many times the Brocade device will resend an authentication request when the TACACS and TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.
• Dead time – This parameter specifies how long the Brocade device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server.
Configuring TACACS and TACACS+ security 3 Setting the dead time parameter The dead-time parameter specifies how long the device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3 seconds. To set the TACACS and TACACS+ dead-time value, enter the following command.
3 Configuring TACACS and TACACS+ security The command above causes TACACS and TACACS+ to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If TACACS and TACACS+ authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
Configuring TACACS and TACACS+ security 3 Configuring TACACS+ authorization The device supports TACACS+ authorization for controlling access to management functions in the CLI.
  service = exec {
    foundry-privlvl = 0
  }
}
In this example, the A-V pair foundry-privlvl = 0 grants the user full read-write access. The value in the foundry-privlvl A-V pair is an integer that indicates the privilege level of the user. Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5 is specified in the foundry-privlvl A-V pair, the default privilege level of 5 (read-only) is used.
Configuring TACACS and TACACS+ security 3 In this example, the user would be granted a privilege level of 4 (port-config level). The privlvl = 15 A-V pair is ignored by the BigIron RX. If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5 (read-only) is used. Configuring command authorization When TACACS+ command authorization is enabled, the BigIron RX consults a TACACS+ server to get authorization for commands entered by the user.
3 Configuring TACACS and TACACS+ security Configuring TACACS+ accounting The device supports TACACS+ accounting for recording information about user activity and system events. When you configure TACACS+ accounting on a device, information is sent to a TACACS+ accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
Syntax: aaa accounting system default start-stop radius | tacacs+ | none
Configuring an interface as the source for all TACACS and TACACS+ packets
You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all TACACS and TACACS+ packets from the device.
BigIron RX# show aaa
Tacacs+ key: brocade
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
    opens=6 closes=3 timeouts=3 errors=0
    packets in=4 packets out=4
    no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.
Configuring RADIUS security
You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the device:
• Telnet access
• SSH access
• Web management access
• Access to the Privileged EXEC level and CONFIG levels of the CLI
NOTE
The BigIron RX does not support RADIUS security for SNMP (Brocade Network Advisor) access.
• A list of commands
• Whether the user is allowed or denied usage of the commands in the list
The last two attributes are used with RADIUS authorization, if configured.
9. The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on the BigIron RX. The user is granted the specified privilege level. If you configure RADIUS authorization, the user is allowed or denied usage of the commands in the list.
Configuring RADIUS security 3 AAA operations for RADIUS The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a BigIron RX that has RADIUS security configured.
3 Configuring RADIUS security AAA security for commands pasted into the running configuration If AAA security is enabled on the device, commands pasted into the running configuration are subject to the same AAA operations as if they were entered manually. When you paste commands into the running configuration, and AAA command authorization or accounting is configured on the device, AAA operations are performed on the pasted commands.
Configuring RADIUS security 3 Configuring Brocade-specific attributes on the RADIUS server NOTE For the BigIron RX, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the device, authenticating the user.
TABLE 38 Brocade vendor-specific attributes for RADIUS (Continued)
Attribute name: brocade-command-string
Attribute ID: 2
Data type: string
Description: Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured. The commands are delimited by semi-colons (;). You can specify an asterisk (*) as a wildcard at the end of a command string.
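The authorization rules the guide states for the server-side data, worked through in Python so an administrator can check what a profile will grant before pointing a device at it: the TACACS+ foundry-privlvl mapping (0, 4, 5; anything else or no pair gives read-only; a Cisco-style privlvl pair is ignored) and the RADIUS brocade-command-string list (semicolon-delimited, trailing asterisk wildcard). This is an added example, not device or guide code; it assumes that an entry without a wildcard is an exact match after whitespace normalisation, and uses a plain boolean `deny` in place of the attribute that says whether the list is permitted or denied, which this page does not name.

```python
"""Added example: evaluate the exec and command authorization semantics
described in the guide against constructed server-side profiles.

Documented rules:
  - foundry-privlvl: 0 = super-user, 4 = port-config, 5 = read-only;
    other values, or no foundry-privlvl pair, fall back to 5 (read-only);
    a Cisco-style 'privlvl' pair is ignored by the device.
  - brocade-command-string: commands separated by ';', and '*' at the end
    of an entry is a wildcard.
Assumptions (not on the page): exact match for entries without '*', and a
boolean `deny` standing in for the permit/deny attribute."""
import re
from typing import Dict, List

PRIV_LEVELS = {0: "super-user", 4: "port-config", 5: "read-only"}
DEFAULT_PRIVLVL = 5   # read-only when the pair is missing or out of range


def parse_exec_avpairs(profile: str) -> Dict[str, str]:
    """Extract 'name = value' pairs from a 'service = exec { ... }' block of
    a TACACS+ user profile.  Returns {} when no exec service is present."""
    block = re.search(r"service\s*=\s*exec\s*\{([^}]*)\}", profile, re.S)
    if not block:
        return {}
    return {k: v for k, v in re.findall(r"([\w-]+)\s*=\s*(\S+)", block.group(1))}


def exec_privilege(profile: str) -> int:
    """Privilege level the device would assign from the profile."""
    raw = parse_exec_avpairs(profile).get("foundry-privlvl")  # 'privlvl' ignored
    if raw is None or not raw.isdigit() or int(raw) not in PRIV_LEVELS:
        return DEFAULT_PRIVLVL
    return int(raw)


def parse_command_string(attr: str) -> List[str]:
    """Split a brocade-command-string value into its command entries."""
    return [entry.strip() for entry in attr.split(";") if entry.strip()]


def _entry_matches(entry: str, command: str) -> bool:
    """Trailing '*' is a prefix wildcard; otherwise exact match (assumption)."""
    command = " ".join(command.split())
    if entry.endswith("*"):
        return command.startswith(entry[:-1].rstrip())
    return command == entry


def command_authorized(attr: str, deny: bool, command: str) -> bool:
    """deny=False: only listed commands are permitted.
    deny=True: listed commands are refused, everything else is permitted."""
    listed = any(_entry_matches(e, command) for e in parse_command_string(attr))
    return (not listed) if deny else listed


if __name__ == "__main__":
    # Constructed TACACS+ profile with a Cisco-style pair that must be ignored.
    profile = "user = jsmith {\n  service = exec {\n    privlvl = 15\n" \
              "    foundry-privlvl = 4\n  }\n}"
    lvl = exec_privilege(profile)
    print(lvl, PRIV_LEVELS[lvl])                          # 4 port-config
    # Constructed RADIUS attribute value: a permit list with one wildcard.
    cmds = "show*; ping; configure terminal"
    print(command_authorized(cmds, False, "show interface brief"))  # True
    print(command_authorized(cmds, False, "reload"))                # False
```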
Configuring RADIUS security 3 Specifying different servers for individual AAA functions In a RADIUS configuration, you can designate a server to handle a specific AAA task. For example, you can designate one RADIUS server to handle authorization and another RADIUS server to handle accounting. You can specify individual servers for authentication and accounting, but not for authorization. You can set the RADIUS key for each server.
BigIron RX(config)# radius-server key 1 abc
BigIron RX(config)# write terminal
...
radius-server host 1.2.3.5
radius key 1 $!2d
NOTE
Encryption of the RADIUS keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.
Setting the retransmission limit
The retransmit parameter specifies the maximum number of retransmission attempts.
Configuring RADIUS security 3 The commands above cause RADIUS to be the primary authentication method for securing Telnet access to the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead. To create an authentication-method list that specifies RADIUS as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI.
3 Configuring RADIUS security Configuring Exec authorization NOTE Before you configure RADIUS exec authorization on the BigIron RX, make sure that the aaa authentication enable default radius command or the aaa authentication login privilege-mode command exist in the configuration. When RADIUS exec authorization is performed, the BigIron RX consults a RADIUS server to determine the privilege level of the authenticated user.
Configuring RADIUS security 3 NOTE RADIUS command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console. No authorization is performed for commands entered at the Web Management Interface, or Brocade Network Advisor. NOTE Since RADIUS command authorization relies on the command list supplied by the RADIUS server during authentication, you cannot perform RADIUS authorization without RADIUS authentication.
Configuring RADIUS accounting for CLI commands
You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the BigIron RX to perform RADIUS accounting for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
Configuring RADIUS security 3 • If you specify a loopback interface as the single source for RADIUS packets, RADIUS servers can receive the packets regardless of the states of individual links. Thus, if a link to the RADIUS server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
TABLE 39 Output of the show aaa command for RADIUS
Field: Radius key
Description: The setting configured with the radius-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is displayed instead of the text.
Field: Radius retries
Description: The setting configured with the radius-server retransmit command.
Configuring authentication-method lists 3 NOTE To authenticate Telnet access to the CLI, you also must enable the authentication by entering the enable telnet authentication command at the global CONFIG level of the CLI. You cannot enable Telnet authentication using the Web management interface. NOTE You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses.
3 Configuring authentication-method lists • If you configure an authentication-method list for Web management access and specify “local” as the primary authentication method, users who attempt to access the device using the Web management interface must supply a user name and password configured in one of the local user accounts on the device. The user cannot access the device by entering “set” or “get” and the corresponding SNMP community string.
Configuring authentication-method lists 3 The snmp-server | web-server | enable | login | dot1x parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access. NOTE If you configure authentication for Web management access, authentication is performed each time a page is requested from the server. When frames are enabled on the Web management interface, the browser sends an HTTP request for each frame.
Chapter 4 Getting Familiar With the BigIron RX Series Switch Management Applications
In this chapter
• How to manage BigIron RX Series switch (page 109)
• Logging on through the CLI (page 109)
• Logging on through the Web Management Interface
4 Logging on through the CLI • CONFIG – Lets you make configuration changes to the device. To save the changes across software reloads and system resets, you need to save them to the system-config file. The CONFIG level contains sub-levels for individual ports, for VLANs, for routing protocols, and other configuration areas. NOTE By default, any user who can open a direct or Telnet connection to a BigIron RX Series Switch can access all these CLI levels.
The software provides the following scrolling options:
• Press the Space bar to display the next page (one screen at a time).
• Press the Return or Enter key to display the next line (one line at a time).
• Press Ctrl-C to cancel the display.
Line editing commands
The CLI supports the following line editing commands.
Displaying lines containing a specified string
The following command filters the output of the show interface command for port 3/1 so it displays only lines containing the word “Internet”. This command can be used to display the IP address of the interface.
BigIron RX# show interface e 3/1 | include Internet
Internet address is 192.168.1.
Logging on through the CLI 4 Searching and filtering output at the --More-- prompt The --More-- prompt displays when output extends beyond a single page. From this prompt, you can press the Space bar to display the next page, the Return or Enter key to display the next line, or Ctrl-C to cancel the display. In addition, you can search and filter output from this prompt.
filtering...
telnet    Telnet by name or IP address
To display lines that do not contain a specified search string (similar to the exclude option for show commands), press the minus sign key ( - ) at the --More-- prompt and then enter the search string.
--More--, next page: Space, next line: Return key, quit: Control-c
-telnet
The filtered results are displayed:
filtering...
TABLE 42 Special characters for regular expressions (Continued)
Character: ?
Operation: The question mark matches on zero occurrences or one occurrence of a pattern. For example, the following regular expression matches output that contains "dg" or "deg": de?g
NOTE: Normally when you type a question mark, the CLI lists the commands or options at that CLI level that begin with the character or string you entered.
4 Logging on through the Web Management Interface Allowable characters for LAG names When creating a LAG name, you can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: “a long subdirectory name”. The maximum length for a string is 64 characters.
Logging on through the Web Management Interface 4 NOTE If you are unable to connect with the device through a Web browser due to a proxy problem, it may be necessary to set your Web browser to direct Internet access instead of using a proxy. For information on how to change a proxy setting, refer to the on-line help provided with your Web browser. To log in, click on the Login link. Figure 3 shows the dialog box that displays.
4 Logging on through the Web Management Interface FIGURE 4 Panel for Layer 3 Switch features The left pane of the Web Management Interface window contains a “tree view,” similar to the one found in Windows Explorer. Configuration options are grouped into folders in the tree view. These folders, when expanded, reveal additional options. To expand a folder, click on the plus sign to the left of the folder icon.
Chapter 5 Configuring Basic Parameters
In this chapter
• Configuring basic system parameters
• Entering system administration information
• Configuring Simple Network Management Protocol traps
• Configuring an interface as source for all Telnet packets
• Configuring an interface as the source for all TFTP packets
5 Entering system administration information Entering system administration information You can configure a system name, contact, and location for the device and save the information locally in the configuration file for future reference. The information is not required for system operation but recommended. When you configure a system name, it replaces the default system name in the CLI command prompt. To configure a system name, contact, and location, enter commands such as the following.
Configuring Simple Network Management Protocol traps 5 Specifying an SNMP trap receiver You can specify a trap receiver to ensure that all SNMP traps sent by the device go to the same SNMP trap receiver or set of receivers, typically one or more host devices on the network. When you specify the host, you also specify a community string. The device sends all the SNMP traps to the specified hosts and includes the specified community string.
5 Configuring Simple Network Management Protocol traps • If you specify a loopback interface as the single source for SNMP traps, SNMP trap receivers can receive traps regardless of the states of individual links. Thus, if a link to the trap receiver becomes unavailable but the receiver can be reached through another link, the receiver still receives the trap, and the trap still has the source IP address of the loopback interface.
NOTE
By default, all SNMP traps are enabled at system startup. You can selectively disable one or more of the following traps:
• SNMP authentication key
• Power supply failure
• Fan failure
• Cold start
• Link up
• Link down
• Bridge new root
• Bridge topology change
• Locked address violation
• Module insert
• Module remove
• BGP4
• OSPF
• FSRP
• VRRP
• VRRPE
To stop link down occurrences from being reported, enter the following.
5 Configuring Simple Network Management Protocol traps • Whether the user logged in or out • The CLI level the user logged into or out of (User EXEC or Privileged EXEC level) NOTE Messages for accessing the User EXEC level apply only to access through Telnet. The device does not authenticate initial access through serial connections but does authenticate serial access to the Privileged EXEC level. Messages for accessing the Privileged EXEC level apply to access through the serial connection or Telnet.
Configuring an interface as source for all Telnet packets
You can designate the lowest-numbered IP address configured on an interface as the source IP address for all Telnet packets from the device.
5 Configuring an interface as the source for all TFTP packets Configuring an interface as the source for all TFTP packets You can configure the device to use the lowest-numbered IP address configured on a loopback interface, virtual routing interface, or Ethernet port as the source for all TFTP packets it sends. The software uses the lowest-numbered IP address configured on the interface as the source IP address for the packets.
Specifying a Simple Network Time Protocol (SNTP) server 5 Specifying a Simple Network Time Protocol (SNTP) server You can configure the BigIron RX to consult up to three SNTP servers to establish the current system time and date. The order in which the SNTP servers are configured is the order in which they are consulted. The server that was configured first is the first server consulted after the poll cycle; the next server will be consulted only if a positive ACK is not received from the first one.
To display information about SNTP status, enter the following command.
BigIron RX# show sntp status
Clock is synchronized, stratum = 2, reference clock = 207.95.6.102
precision is 2**-16
reference time is 3472592840.0
clock offset is 225.21829605 msec, root delay is 0.000 msec
root dispersion is 0.000 msec, peer dispersion is 0.000 msec
round trip delay is 450.
By default, the device does not change the system time for daylight savings time. To enable daylight savings time, enter the following command.
BigIron RX(config)# clock summer-time
Syntax: clock summer-time
Although SNTP servers typically deliver the time and date in Greenwich Mean Time (GMT), you can configure the device to adjust the time for any one-hour offset from GMT or for one of the following U.S.
5 Configuring CLI banners • GMT time zones (gmt): gmt+12, gmt+11, gmt+10...gmt+01, gmt+00, gmt-01...gmt-10, gmt-11, gmt-12. New Daylight Saving Time (DST) The new Daylight Saving Time (DST) change that went into effect on March 11th, 2007 affects only networks following the US time zones. This software release supports the DST automatic feature, but to trigger the device to the correct time, the device must be configured to the US time zone, not the GMT offset.
NOTE
The banner command is equivalent to the banner motd command. When you access the Web Management Interface, the banner is displayed.
Setting a privileged EXEC CLI level banner
You can configure the device to display a message when a user enters the Privileged EXEC CLI level.
BigIron RX(config)# banner exec_mode # (Press Return)
Enter TEXT message, End with the character '#'.
5 Configuring terminal display To remove the banner, enter the no banner incoming command. Configuring terminal display You can configure and display the number of lines displayed on a terminal screen during the current CLI session. The terminal length command allows you to determine how many lines will be displayed on the screen during the current CLI session. This command is useful when reading multiple lines of displayed information, especially those that do not fit on one screen.
Displaying and modifying system parameter default settings 5 • VRRPE By default, IP routing is enabled on the device. All other protocols are disabled, so you must enable them to configure and use them. NOTE The following protocols require a system reset before the protocol will be active on the system: PIM, DVMRP, RIP, FSRP. To reset a system, enter the reload command at the privileged level of the CLI.
BigIron RX# show default values
telnet@ro(config)#show default values
sys log buffers:50        mac age time:300 sec      ip arp age:10 min
ip addr per intf:24       bootp relay max hops:4
when multicast enabled :
igmp group memb.:140 sec
when ospf enabled :
ospf dead:40 sec          ospf transit delay:1 sec
when bgp enabled :
bgp local pref.:100       bgp metric:10             bgp ext.
Displaying the full port name for an interface 5 Information for the configurable tables appears under the columns shown in bold type. To simplify configuration, the command parameter you enter to configure the table is used for the table name. For example, to increase the capacity of the IP route table, enter the following commands.
1/9   Disabled  None     None  No  001b.ed24.3a00
1/10  Up        Forward  1G    No  001b.ed24.3a00
1/11  Disabled  None     None  No  001b.ed24.3a00
1/12  Disabled  None     None  No  001b.ed24.3a00
(output truncated for brevity)...
Syntax: show interface brief wide [ethernet | loopback | management | slot | tunnel | ve]
The ethernet parameter specifies the Ethernet port for which you want to display the interface information.
Enabling or disabling Layer 2 switching
By default, the device supports Layer 2 switching and switches the routing protocols that are not supported. You can disable Layer 2 switching globally or on individual ports.
NOTE
Make sure you really want to disable all Layer 2 switching operations before actually disabling it. Consult your reseller or Brocade for information.
To globally disable Layer 2 switching on the device, enter commands such as the following.
Re-distributing CAM allocations
Depending on the needs of your network, the CAM allocations may need to be re-distributed. There are two steps to the command.
1. Change the allocation used between the rules + PBR/RL and the IPv6 multicast entries.
2. Change the allocation of the ACL rules and the PBR/RL entries.
The total amount of CAM entries available is 1024 for each packet processor.
The Nexthop table is partitioned as follows:
• One-path partition: 2816 entries
• Two-path partition: 512 entries
• Four-path partition: 512 entries
• Eight-path partition: 256 entries
NOTE
A reload is required after a CAM partition command is configured for the CAM partition to take effect.
As of release 02.4.00, the Nexthop table is user configurable.
Pinging an IPv4 address
To verify that a BigIron RX device can reach another device through the network, enter a command such as the following at any level of the CLI on the BigIron RX device:
BigIron RX> ping 192.33.4.
Pinging an IPv4 address 5 U = Indicates that a destination unreachable error PDU was received. I = Indicates that the user interrupted ping. NOTE The number of ! characters displayed may not correspond to the number of successful replies by the ping command. Similarly, the number of . characters displayed may not correspond to the number of server timeouts that occurred while waiting for a reply. The "success" or "timeout" results are shown in the display as “Success rate is XX percent (X/Y)".
Chapter 6 Configuring Interface Parameters
In this chapter
• Assigning a port name
• Assigning an IP address to a port
• Speed/Duplex negotiation
• Disabling or re-enabling a port
The parameter is an alphanumeric string. The name can be up to 255 characters long on the device. The name can contain blanks. You do not need to use quotation marks around the string, even when it contains blanks.
Assigning an IP address to a port
To assign an IP address to an interface, enter the following commands.
BigIron RX(config)# interface ethernet 1/8
BigIron RX(config-if-e10000-1/8)# ip address 192.45.6.110 255.255.255.
Disabling or re-enabling a port 6 The following example configures the interface to 1000 Mbps, and designates it as the master port. To force the port to run at 1000 Mbps, set one of the link’s ports to be the master for the link. To set a port as a Gigabit master port, enter the following command at the interface configuration level for the port.
6 Changing the default Gigabit negotiation mode Syntax: enable Changing the default Gigabit negotiation mode You can configure the default Gigabit negotiation mode to be one of the following: • auto-full - The port tries to perform a negotiation with its peer port to exchange capability information.
Changing the load interval time 6 Specifying threshold values for flow control The 802.3x flow control specification provides a method for slowing traffic from a sender when a port is receiving more traffic than it can handle. Specifically, the receiving device can send out 802.3x PAUSE frames that request that the sender stop sending traffic for a period of time. The device generates 802.3x PAUSE frames when the number of buffers available to a module's Buffer Manager (BM) drops below a threshold value.
BigIron RX(config)# wait-for-all-cards
Syntax: [no] wait-for-all-cards
NOTE
With the wait-for-all-cards command enabled, 10G ports will come up before 1G ports because Multi-Service IronWare software processes 10G port state changes first.
Port transition hold timer
Using the delay-link-event command will delay the sending of port "up" or "down" events to Layer 2 protocols.
• The Brocade device counts the number of times a port’s link state toggles from "up to down", and not from "down to up".
• The sampling time or window (the time during which the specified toggle threshold can occur before the wait period is activated) is triggered when the first "up to down" transition occurs.
• "Up to down" transitions include UDLD-based toggles, as well as the physical link state.
Modifying port priority (QoS)
You can give preference to the inbound traffic on specific ports by changing the Quality of Service (QoS) level on those ports. For information and procedures, refer to Chapter 18, “Configuring Quality of Service”.
Assigning a mirror port and monitor ports
You can monitor traffic on Brocade ports by configuring another port to “mirror” the traffic on the ports you want to monitor.
NOTE
You cannot monitor outbound one-armed router traffic.
NOTE
Mirror (analyzer) ports cannot be assigned to the 16x10 card. You can monitor traffic on 16x10 ports.
The following example configures two mirror ports on the same module and one mirror port on another module.
Mirror ports for Policy-Based Routing (PBR) traffic
The PBR mirror interface feature allows continued hardware forwarding and, at the same time, enables you to determine exactly which traffic flows get routed using the policies defined by PBR. The following section provides a general overview of hardware-based PBR.
About hardware-based PBR
Hardware-based Policy-Based Routing (PBR) routes traffic in hardware based on policies you define.
You can specify up to 4 mirror ports for each PBR route map instance. To do so, enter the set mirror interface command for each mirror port.
Displaying mirror and monitor port configuration
To display the inbound and outbound traffic mirrored to each mirror port, enter the following command at any level of the CLI.
Chapter 7
Configuring IP
In this chapter
• Overview of configuring IP . . . 155
• The IP packet flow . . . 155
• Basic IP parameters and defaults . . . 159
• Configuring IP parameters . . .
The IP packet flow
FIGURE 5 IP packet flow through a device
[Figure; its labelled elements are: Incoming Port; IP ACLs (hardware) with Deny → Drop and Permit; PBR (hardware); ARP Table (software); Static ARP Table; IP Route Table (software), fed by RIP, OSPF and BGP4 and selected by Lowest Metric and Lowest Admin. Distance; Next Hop Table (hardware); IP Routing (hardware) with Match and No Match; Forward to CPU; Directly connected host forwarding cache (software); ECMP and Trunk Load Balancing (hardware); Outgoing Port.]
Figure 5 shows the following packet flow:
1.
ARP cache table
The Address Resolution Protocol (ARP) is supported on the device. Refer to “IP fragmentation protection” on page 188. The ARP cache contains entries that map IP addresses to MAC addresses. Generally, the entries are for devices that are directly attached to the device or virtual interfaces. An exception is an ARP entry for an interface-based static IP route that goes to a destination that is one or more router hops away.
IP route table
The IP route table contains paths to IP destinations.
There are two types of IP cache entries.
1. Directly connected host entries – These entries are created when the CPU receives the first packet destined to a directly connected host. Host entries are set to age out after a certain period if no traffic is seen for that entry.
2. Network entries – These entries are created when a route table entry is created in software. These entries are not subjected to aging.
Basic IP parameters and defaults
TABLE 46 IP global parameters
Parameter / Description / Default / See page...
IP state – The Internet Protocol, version 4. NOTE: You cannot disable IP. Default: Enabled. See page: n/a
IP address and mask notation – Format for displaying an IP address and its network mask information. You can enable one of the following: • Class-based format; example: 192.168.1.1 255.255.255.0 • Classless Interdomain Routing (CIDR) format; example: 192.168.1. See page 164
TABLE 46 IP global parameters (Continued)
Parameter / Description / Default / See page...
Directed broadcast forwarding – A directed broadcast is a packet containing all ones (or in some cases, all zeros) in the host portion of the destination IP address. When a router forwards such a broadcast, it sends a copy of the packet out each of its enabled IP interfaces.
TABLE 46 IP global parameters (Continued)
Parameter / Description / Default / See page...
IP load sharing – A Brocade feature that enables the router to balance traffic to a specific destination across multiple equal-cost paths. Load sharing is based on a combination of destination MAC address, source MAC address, destination IP address, source IP address, and IP protocol. NOTE: Load sharing is sometimes called Equal Cost Multi Path (ECMP). Default: Enabled. See page 211
TABLE 47 IP interface parameters (Continued)
Parameter / Description / Default / See page...
IP Maximum Transmission Unit (MTU) – The maximum length (number of bytes) of an encapsulated IP datagram the router can forward. Default: 1500 for Ethernet II encapsulated packets, 1492 for SNAP encapsulated packets. See page 183
ARP age – Locally overrides the global setting. Refer to Table 46 on page 160.
Configuring IP addresses
You can configure an IP address on the following types of device interfaces:
• Ethernet port
• Virtual routing interface (also called a Virtual Ethernet or “VE”)
• Loopback interface
By default, you can configure up to 24 IP addresses on each interface. Also, the CAM can hold up to 256,000 IP address entries.
• ospf-passive – Disables adjacency formation with OSPF neighbors (but does not disable advertisement of the interface into OSPF). By default, when OSPF is enabled on an interface, the software forms OSPF router adjacencies between each primary IP address on the interface and the OSPF neighbor attached to the interface.
• ospf-ignore – Disables OSPF adjacency formation and advertisement of the interface into OSPF. The subnet is completely ignored by OSPF.
To add a virtual interface to a VLAN and configure an IP address on the interface, enter commands such as the following.
BigIron RX(config)# vlan 2 name IP-Subnet_1.1.2.0/24
BigIron RX(config-vlan-2)# untag e1/1 to 1/4
BigIron RX(config-vlan-2)# router-interface ve1
BigIron RX(config-vlan-2)# interface ve1
BigIron RX(config-vif-1)# ip address 1.1.2.1/24
The first two commands create a Layer 3 protocol-based VLAN named “IP-Subnet_1.1.2.
Configuring the default gateway
To manage a device using Telnet or Secure Shell (SSH) CLI connections or the Web management interface, you must configure an IP address for the device. To configure a default gateway, first define an IP address by entering a command such as the following.
BigIron RX(config-if-e1000-1/1)# ip address 192.45.6.110 255.255.255.
NOTE
The encapsulated packets sent on a GRE tunnel have the DF bit set. Setting a GRE tunnel MTU to be greater than 1476 will cause the encapsulated packet to be greater than 1500 bytes. This may cause the transit routers to drop the encapsulated packet if that transit router's IP MTU is 1500 bytes (a typical default MTU value), since transit routers cannot fragment a GRE packet.
NOTE
Ensure that a route to the tunnel destination exists on the tunnel source device. Create a static route if needed.
Configuring a tunnel interface for GRE encapsulation
To configure a specified tunnel interface for GRE encapsulation, enter the following command.
Example of a GRE IP tunnel configuration
In this example, a GRE IP tunnel is configured between the device A switch and the device B switch. Traffic between networks 10.10.1.0/24 and 10.10.2.0/24 is encapsulated in a GRE IP packet, sent through the tunnel on the 10.10.3.0 network, then unpacked and sent to the destination network. A static route is configured at each router to go through the tunnel interface to the target network.
BigIron RX(config-tnif-1)# ip address 10.10.3.2/24
BigIron RX(config-tnif-1)# exit
BigIron RX(config)# ip route 36.0.8.0/24 131.108.5.1
BigIron RX(config)# ip route 10.10.1.0/24 tunnel 1
Displaying GRE tunneling information
You can display GRE tunneling information using the show ip interface, show ip route and show interface tunnel commands, as shown in the following.
BigIron RX# show ip interface tunnel 1
Interface Tunnel 1
port enabled
port state: UP
ip address: 10.10.3.
4    45.4.1.0/24      80.8.1.2       tunnel 2   0/0   D
5    63.148.1.0/24    DIRECT         eth 2/11   0/0   D
6    70.7.1.0/24      DIRECT         eth 2/14   0/0   D
7    80.8.1.0/24      70.7.1.1       eth 2/14   1/1   S
8    110.110.2.0/24   63.148.1.1     eth 2/11   1/1   S
9    189.100.1.0/24   110.110.2.12   tunnel 1   0/0   D
The show interface tunnel command displays the status and configuration information for a tunnel interface, as shown in the following.
• Manual tunnels provide static point-to-point connectivity
NOTE
IPv6 over IPv4 tunnel will not work when used with transparent VLAN flooding mode.
FIGURE 8 Manually configured tunnel
[Figure: a Dual-Stack IPv6 Network at each end, an IPv4 Network between them, with the Tunnel Source and Tunnel Destination at the edges of the IPv4 network.]
To configure a manual IPv6 tunnel, enter commands such as the following on a Layer 3 Switch running both IPv4 and IPv6 protocol stacks on each end of the tunnel.
Clearing IPv6 tunnel statistics
You can clear all IPv6 tunnel statistics (reset all fields to zero) or statistics for a specified tunnel interface. For example, to clear statistics for tunnel 1, enter the following command at the Privileged EXEC level or any of the Config levels of the CLI.
BigIron RX# clear ipv6 tunnel 1
Syntax: clear ipv6 tunnel
The parameter specifies the tunnel number.
The parameter indicates the tunnel interface number for which you want to display information. This display shows the following information.
TABLE 50 IPv6 tunnel interface information
This field... / Displays...
Tunnel interface status – The status of the tunnel interface can be one of the following: up – The tunnel interface is functioning properly. down – The tunnel interface is not functioning and is down.
Further fields in the table: Line protocol status, Hardware is tunnel, Tunnel source.
!
interface tunnel 1
 port-name ManualTunnel1
 tunnel mode ipv6ip
 tunnel source loopback 1
 tunnel destination 2.1.1.1
 ipv6 address fe80::3:4:2 link-local
 ipv6 address 1011::1/64
 ipv6 address 1001::1/64
 ipv6 ospf area 0
Configuring Domain Name Server (DNS) resolver
The DNS resolver lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a device and thereby recognize all hosts within that domain.
BigIron RX(config)# ip dns domain-list company.com
BigIron RX(config)# ip dns domain-list ds.company.com
BigIron RX(config)# ip dns domain-list hw_company.com
BigIron RX(config)# ip dns domain-list qa_company.com
The domain names are tried in the order you enter them.
Syntax: [no] ip dns domain-list sequence-number
The parameter specifies the domain name to be added to the list.
Adding host names to the DNS cache table
Dynamic cache entries
The entries in a DNS cache table are used to resolve host names to IP addresses. When a client initiates a DNS query, the Brocade device checks the DNS cache table to see if the host name can be resolved to any of the entries. If a match is found, the query is resolved. If a match is not found, the DNS resolver sends the query to the DNS servers.
Host                                 Flag       Address
border2.pc0-0-bbnet1.sje.pnap.net    (TMP,OK)   66.151.144.5
sl-internap-109-0.sprintlink.net     (TMP,OK)   144.223.242.86
sl-st21-sj-13-0.sprintlink.net       (TMP,OK)   144.232.20.59
mail.company.com                     (STA,OK)   64.236.22.148
To display the individual entries in the cache table, enter a command such as the following.
BigIron RX(config)#show ip dns cache-table border2
Host                                 Flag       TTL/min   Address
border2.pc0-0-bbnet1.sje.pnap.net    (TMP,OK)   720       66.151.144.
Displaying the polling interval
To display the current polling interval configured for the device, enter the following command.
BigIron RX(config)# show ip dns poll-interval
Current DNS polling interval is 7 minutes
Syntax: show ip dns poll-interval
Displaying the server list
To display the current DNS server list configured for the device, enter the following command.
BigIron RX#show ip dns server-list
Total number of DNS Servers configured: 2
Server List: 10.51.17.30 10.51.
BigIron RX# traceroute nyc02
Syntax: traceroute [maxttl ] [minttl ] [numeric] [timeout ] [source-ip ]
The only required parameter is the IP address of the host at the other end of the route. After you enter the command, a message indicating that the DNS query is in process and the current gateway address (IP address of the domain name server) being queried appear on the screen.
Type Control-c to abort
Sending DNS Query to 209.
• An Ethernet broadcast address.
The entire IP packet, including the source address, destination address, other control information, and the data, is placed in the data portion of the Layer 2 packet. Typically, an Ethernet network uses one of two different formats of Layer 2 packet:
• Ethernet II
• Ethernet SNAP (also called IEEE 802.3)
The control portions of these packets differ slightly. All IP devices on an Ethernet network must use the same format.
BigIron RX(config)# interface ethernet 6/1
BigIron RX(config-if-e1000-6/1)# max-frame-size 1500
BigIron RX(config-if-e1000-6/1)# write memory
BigIron RX(config-if-e1000-6/1)# exit
BigIron RX(config)# reload
In this example the maximum frame size is applied to port 1 of a 24 x 1G Ethernet interface module. That means that this maximum will apply to ports 1 to 12 on the interface module.
• Use the same IP MTU size on all ports that will be supporting jumbo frames. If the device needs to fragment a jumbo frame (and the frame does not have the DF bit set), the device fragments the frame into 1500-byte fragments, even if the outbound port has a larger IP MTU.
Changing the router ID
In most configurations, a device has multiple IP addresses, usually configured on different interfaces. As a result, a device’s identity to other devices varies depending on the interface to which the other device is attached. Some routing protocols, including OSPF and BGP4, identify a device by just one of the IP addresses configured on the device, regardless of the interfaces that connect the devices. This IP address is the router ID.
Specifying a single source interface for Telnet, TACACS, TACACS+, or RADIUS packets
When the device originates a Telnet, TACACS, TACACS+, or RADIUS packet, the source address of the packet is the lowest-numbered IP address on the interface that sends the packet. You can configure the device to always use the lowest-numbered IP address on a specific interface as the source address for these types of packets.
BigIron RX(config)# interface ethernet 1/4
BigIron RX(config-if-e10000-1/4)# ip address 209.157.22.110/24
BigIron RX(config-if-e10000-1/4)# exit
BigIron RX(config)# ip telnet source-interface ethernet 1/4
TACACS and TACACS+ packets
To specify the lowest-numbered IP address configured on a virtual interface as the device’s source for all TACACS and TACACS+ packets, enter commands such as the following.
Syntax: [no] ip syslog source-interface ethernet [/] | loopback | ve
The parameter is a loopback interface or virtual interface number. If you specify an Ethernet port, the /] is the port’s number including the slot number, if you are configuring a device. The default is the lowest-numbered IP or IPv6 address configured on the port through which the packet is sent.
BigIron RX(config)# ip receive access-list 10
Syntax: [no] ip receive access-list
Specify an access list number for . The IP receive ACL is applied globally to all interfaces on the device.
Displaying IP receive access list
To determine whether an IP receive access list has been configured on the device, enter the following command.
is reset to zero each time the device receives an ARP reply or ARP request containing the IP address and MAC address of the entry. If a dynamic entry reaches its maximum allowable age, the entry times out and the software removes the entry from the table. Static entries do not age out and can be removed only by you.
• If the ARP cache does not contain an entry for the destination IP address, the device broadcasts an ARP request out all its IP interfaces.
BigIron RX(config)# arp-port-rate-limit 100
This command configures the device to accept up to 100 ARP packets each second. If the device receives more than 100 ARP packets during a one-second interval, the device drops the additional ARP packets during the remainder of that one-second interval.
Syntax: [no] arp-port-rate-limit
The parameter specifies the number of ARP packets and can be from 0 – 30,000.
LP-1#show ip traffic arp
ARP Statistics
1400 total recv, 1400 req recv, 0 req sent
0 pending drop, 0 invalid source, 0 invalid dest
ARP Rate Limiting Statistics
Interface     Received    Processed    Dropped(Rate-limted)
ethernet1/1   184200      700          183500
ethernet1/2   0           0            0
ethernet1/3   0           0            0
ethernet1/4   184200      700          183500
The example above shows that the LP processed 50 packets every second and dropped any additional packets.
Syntax: show ip traffic arp
This column... / Displays...
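The per-port limiter described by arp-port-rate-limit, together with a check that reads the Rate Limiting Statistics rows of show ip traffic arp and flags ports with drops, as an added illustration written for this page (not Brocade code). The ArpRateLimiter class, the constructed packet stream and the function names are assumptions; the show output embedded below is the one printed on this page.

```python
"""Per-port ARP rate limiting and a check over "show ip traffic arp" output.
Added illustration for this page, not Brocade code: the limiter models only
the behaviour the text states (accept up to N ARP packets per port in each
one-second interval, drop the rest of that interval)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PortStats:
    received: int = 0
    processed: int = 0
    dropped: int = 0


class ArpRateLimiter:
    """Models arp-port-rate-limit <num>: <num> ARP packets per port per second."""

    def __init__(self, limit):
        if not 0 <= limit <= 30000:             # range given in the text
            raise ValueError("limit must be 0-30,000")
        self.limit = limit
        self.stats = defaultdict(PortStats)
        self._window = {}                        # port -> (interval start, count)

    def offer(self, port, timestamp):
        """Return True if the ARP packet seen on `port` at `timestamp` (seconds)
        is processed, False if it is dropped for the rest of the interval."""
        st = self.stats[port]
        st.received += 1
        second = int(timestamp)
        start, count = self._window.get(port, (second, 0))
        if second != start:                      # a new one-second interval
            start, count = second, 0
        if count < self.limit:
            count += 1
            st.processed += 1
            accepted = True
        else:
            st.dropped += 1
            accepted = False
        self._window[port] = (start, count)
        return accepted


def replay(limit, packets):
    """Feed (port, timestamp) pairs through a limiter and return
    {port: (received, processed, dropped)}."""
    lim = ArpRateLimiter(limit)
    for port, ts in packets:
        lim.offer(port, ts)
    return {p: (s.received, s.processed, s.dropped) for p, s in lim.stats.items()}


# Constructed traffic: 1000 ARP packets/s for 3 s on ethernet1/1 (a flood)
# and 5 ARP packets/s on ethernet1/2 (normal chatter).
SAMPLE_PACKETS = [("ethernet1/1", i / 1000) for i in range(3000)] + \
                 [("ethernet1/2", i / 5) for i in range(15)]

# Rate Limiting Statistics rows of "show ip traffic arp", as printed on this page.
SHOW_OUTPUT = """\
Interface     Received    Processed    Dropped(Rate-limted)
ethernet1/1   184200      700          183500
ethernet1/2   0           0            0
ethernet1/3   0           0            0
ethernet1/4   184200      700          183500
"""

ROW = re.compile(r"^(ethernet\d+/\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)


def parse_rate_limit_stats(text):
    """Return {interface: (received, processed, dropped)} from the show output."""
    return {m.group(1): tuple(int(g) for g in m.group(2, 3, 4))
            for m in ROW.finditer(text)}


def flooded_ports(text):
    """Interfaces whose counters show rate-limit drops. A non-zero dropped
    count means something behind that port is sending ARP faster than the
    configured limit, which is worth investigating."""
    return sorted(p for p, (_, _, dropped) in parse_rate_limit_stats(text).items()
                  if dropped > 0)


if __name__ == "__main__":
    print(replay(100, SAMPLE_PACKETS))
    print(flooded_ports(SHOW_OUTPUT))
```

With the limit at 100, the flooding port is held to 100 processed packets per second and the quiet port is untouched; run against the page's own output, flooded_ports reports ethernet1/1 and ethernet1/4.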
Enabling proxy ARP
Proxy ARP allows the device to answer ARP requests from devices on one network on behalf of devices in another network. Since ARP requests are MAC-layer broadcasts, they reach only the devices that are directly connected to the sender of the ARP request. Thus, ARP requests do not cross routers. For example, if Proxy ARP is enabled on the device connected to two subnets, 10.10.10.0/24 and 20.20.20.0/24, the device can respond to an ARP request from 10.10.10.
The command specifies the IP address of the device that has the MAC address of the entry. The parameter specifies the MAC address of the entry. The ethernet command specifies the port number attached to the device that has the MAC address of the entry. The arp command allows you to specify only one port number.
When a floating static ARP entry (a static ARP entry without the outgoing interface defined) is added to the ARP Inspection table, the mapping is checked against the current static ARP table. If an ARP entry with a matching IP address but a mismatched MAC address is found, it is deleted and a re-ARP for the IP address is issued. When an ARP entry is deleted from the ARP Inspection table, the corresponding entry in the static ARP table is also deleted.
The value parameter specifies the amount of time before a next hop that is down is replaced by an active next hop. Possible values are 10-200 seconds. Use the no form of the command to disable the validation timer.
Displaying the routes waiting for the next hop ARP to resolve
Use the following command to display which routes are waiting for the next hop ARP to be resolved.
Changing the TTL threshold
The TTL threshold prevents routing loops by specifying the maximum number of router hops an IP packet originated by the device can travel through. Each device capable of forwarding IP that receives the packet decreases the packet’s TTL by one. If a device receives a packet with a TTL of 1 and reduces the TTL to zero, the device drops the packet. The default TTL is 64. You can change the TTL to a value from 1 – 255.
• Strict source routing – requires the packet to pass through only the listed routers. If the device receives a strict source-routed packet but cannot reach the next hop interface specified by the packet, the device discards the packet and sends an ICMP Source-Route-Failure message to the sender.
NOTE
The device allows you to disable sending of the Source-Route-Failure messages. Refer to “Disabling ICMP messages” on page 199.
Disabling ICMP messages
The device is enabled to reply to ICMP echo messages and send ICMP Destination Unreachable messages by default. You can selectively disable the following types of Internet Control Message Protocol (ICMP) messages:
• Echo messages (ping messages) – The device replies to IP pings from other IP devices.
NOTE
Disabling an ICMP unreachable message type does not change the device’s ability to forward packets. Disabling ICMP unreachable messages prevents the device from generating or forwarding the unreachable messages.
To disable all ICMP Unreachable messages, enter the following command.
NOTE
The device forwards misdirected traffic to the appropriate router, even if you disable the redirect messages.
To disable ICMP redirect messages globally, enter the following command at the global CONFIG level of the CLI.
BigIron RX(config)# no ip icmp redirects
Syntax: [no] ip icmp redirects
To disable ICMP redirect messages on a specific interface, enter the following command at the configuration level for the interface.
• The IP address and network mask for the route’s destination network.
• The route’s path, which can be one of the following:
  • The IP address of a next-hop gateway
  • An Ethernet port
  • A virtual interface (a routing interface used by VLANs for routing Layer 3 protocol traffic among one another)
  • A “null” interface. The device drops traffic forwarded to the null interface.
This feature allows the device to adjust to changes in network topology. The device does not continue trying to use routes on unavailable paths but instead uses routes only when their paths are available. Figure 10 shows a network containing a static route. The static route is configured on Router A, as shown in the CLI following the figure.
FIGURE 10 Example of a static route
[Figure: Router A (207.95.6.188/24, port e 1/2) connected to Router B (207.95.6.157/24, 207.95.7.7/24); the remaining address label is cut off at 207.95.7.]
Syntax: ip route | / | ethernet | ve | tunnel [] [tag ] [distance ]
The is the route’s destination. The is the network mask for the route’s destination IP address. Alternatively, you can specify the network mask information by entering / followed by the number of bits in the network mask. For example, you can enter 192.0.0.0 255.
Syntax: ip route | / null0 [] [tag ] [distance ]
To display the maximum value for your device, enter the show default values command. The maximum number of static IP routes the system can hold is listed in the ip-static-route row in the System Parameters section of the display. To change the maximum value, use the system-max ip-static-route command at the global CONFIG level.
Static route tagging
Static routes can be configured with a tag value, which can be used to color routes and filter routes during a redistribution process. When tagged static routes are redistributed to OSPF or to a protocol that can carry tag information, they are redistributed with their tag values. To add a tag value to a static route, enter commands such as the following:
BigIron RX(config)# ip route 192.122.12.1 255.255.255.0 192.122.1.
• IP load sharing – If you configure more than one static route to the same destination, and the routes have different next-hop gateways but have the same metrics, the device load balances among the routes using basic round-robin. For example, if you configure two static routes with the same metrics but to different gateways, the device alternates between the two routes. For information about IP load balancing, refer to “Configuring IP load sharing” on page 211.
When the device has multiple routes to the same destination, the device always prefers the route with the lowest metric. Generally, when you configure a static route to a destination network, you assign the route a low metric so that the device prefers the static route over other routes to the destination. This feature is especially useful for the following configurations.
FIGURE 11 Standard and null static routes to the same destination network
Two static routes to 192.168.7.0/24:
--Standard static route through gateway 192.168.6.157, with metric 1
--Null route, with metric 2
[Figure, first panel: Router A (192.168.6.188/24) connected to Router B (192.168.6.157/24, 192.168.7.7/24), with host 192.168.7.69/24 behind Router B. When the standard static route is good, Router A uses that route. Second panel: Router A (192.168.6.188/24) and Router B (192.168.6.157/24); the remaining labels are cut off at 192.168.7.]
FIGURE 12 Standard and interface routes to the same destination network
Two static routes to 192.168.7.0/24:
--Interface-based route through port1/1, with metric 1.
--Standard static route through gateway 192.168.8.11, with metric 3.
[Figure: Router A (192.168.6.188/24) with Port1/1 (192.168.8.12/24) and Port4/4 (192.168.6.69/24). When the route through interface 1/1 is available, Router A always uses that route. The remaining labels are cut off at 192.168.8.]
Configuring IP load sharing
The IP route table can contain more than one path to a given destination. When this occurs, the device selects the path with the lowest cost as the path for forwarding traffic to the destination. If the IP route table contains more than one path to a destination and the paths each have the lowest cost, then the device uses IP load sharing to select a path to the destination. IP load sharing is based on the destination address of the traffic.
• Static IP route – 1 (applies to all static routes, including default routes and default network routes)
• Exterior Border Gateway Protocol (EBGP) – 20
• OSPF – 110
• RIP – 120
• Interior Gateway Protocol (IBGP) – 200
• Local BGP – 200
• Unknown – 255 (the router will not use this route)
Lower administrative distances are preferred over higher distances.
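How the route preference rules above combine, as an added illustration written for this page (not Brocade code): longest prefix first, then the lowest administrative distance from the defaults just listed, then the lowest metric, and finally load sharing by destination address among the equal-cost paths that remain. The Route class, the sample table (built around the Figure 11 standard-plus-null-route scenario) and the hash function are assumptions; the page gives the device's hardware hashing only in outline, so destination address modulo path count stands in for it.

```python
"""Route selection by administrative distance, then metric, then ECMP hashing.
Added illustration for this page, not Brocade code: the distances are the
defaults the text lists; Route, the sample table and the hash are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances from the text.
DEFAULT_DISTANCE = {
    "static": 1, "ebgp": 20, "ospf": 110, "rip": 120,
    "ibgp": 200, "local_bgp": 200, "unknown": 255,
}


@dataclass(frozen=True)
class Route:
    prefix: str                      # destination network, e.g. "192.168.7.0/24"
    next_hop: str                    # gateway address, "null0", or a port such as "1/1"
    source: str                      # key of DEFAULT_DISTANCE
    metric: int = 1
    distance: Optional[int] = None   # "distance <num>" on ip route overrides the default

    def admin_distance(self):
        return DEFAULT_DISTANCE[self.source] if self.distance is None else self.distance


def matching_routes(table, dst):
    """Longest-prefix match: only the most specific prefixes are candidates."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not hits:
        return []
    best_len = max(ipaddress.ip_network(r.prefix).prefixlen for r in hits)
    return [r for r in hits if ipaddress.ip_network(r.prefix).prefixlen == best_len]


def best_paths(table, dst):
    """Lowest administrative distance wins; among those, lowest metric.
    Distance 255 ("unknown") is never used."""
    cands = [r for r in matching_routes(table, dst) if r.admin_distance() < 255]
    if not cands:
        return []
    best_dist = min(r.admin_distance() for r in cands)
    cands = [r for r in cands if r.admin_distance() == best_dist]
    best_metric = min(r.metric for r in cands)
    return [r for r in cands if r.metric == best_metric]


def select_path(table, dst):
    """Pick one equal-cost path for a destination address (ECMP), or None."""
    paths = best_paths(table, dst)
    if not paths:
        return None
    paths = sorted(paths, key=lambda r: r.next_hop)
    return paths[int(ipaddress.ip_address(dst)) % len(paths)]   # constructed hash


def sample_table():
    """Constructed table: the Figure 11 scenario (standard static route plus a
    null backup route), an OSPF route for the same network, a default route,
    and two equal-cost static routes to 10.0.0.0/8."""
    return [
        Route("0.0.0.0/0", "100.1.1.2", "static"),
        Route("192.168.7.0/24", "192.168.6.157", "static", metric=1),
        Route("192.168.7.0/24", "null0", "static", metric=2),
        Route("192.168.7.0/24", "192.168.9.1", "ospf", metric=10),
        Route("10.0.0.0/8", "100.1.1.2", "static"),
        Route("10.0.0.0/8", "100.1.2.2", "static"),
    ]


def withdraw(table, next_hop):
    """Simulate a path state change: drop every route through `next_hop`."""
    return [r for r in table if r.next_hop != next_hop]


if __name__ == "__main__":
    t = sample_table()
    print(select_path(t, "192.168.7.69"))
    print(select_path(withdraw(t, "192.168.6.157"), "192.168.7.69"))
```

While the gateway 192.168.6.157 is reachable, traffic for 192.168.7.0/24 follows the metric-1 static route; once that path is withdrawn the null route (metric 2, but still distance 1) is selected ahead of the OSPF route (distance 110), so the traffic is dropped rather than routed elsewhere, which is exactly the behaviour Figure 11 is drawn to show.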
Table 53 lists the default and configurable maximum numbers of paths for each IP route source that can provide equal-cost paths to the IP route table. The table also lists where to find configuration information for the route source’s load sharing parameters. The load sharing state for all the route sources is based on the state of IP load sharing.
Response to path state changes
If one of the load-balanced paths becomes unavailable, the IP route table in hardware is modified to stop using the unavailable path. The traffic is load balanced between the available paths using the same hashing mechanism described above. (Refer to “How IP load sharing works” on page 213.)
Default route ECMP
On the BigIron RX, IP load sharing (also known as ECMP load sharing) is done by the hardware.
1    0.0.0.0/0        100.1.1.2   eth 7/1   1/1   S
     0.0.0.0/0        100.1.2.2   eth 7/2   1/1   S
     0.0.0.0/0        100.1.3.2   eth 7/3   1/1   S
     0.0.0.0/0        100.1.4.2   eth 7/4   1/1   S
2    10.0.0.0/8       10.43.2.1   mgmt 1    1/1   S
3    10.43.2.0/24     DIRECT      mgmt 1    0/0   D
4    40.0.0.0/24      100.1.1.2   eth 7/1   1/1   S
5    70.1.1.0/24      DIRECT      eth 7/9   0/0   D
6    100.1.1.0/24     DIRECT      eth 7/1   0/0   D
7    100.1.2.0/24     DIRECT      eth 7/2   0/0   D
8    100.1.3.0/24     DIRECT      eth 7/3   0/0   D
9    100.1.4.
Configuring IRDP
The device uses ICMP Router Discovery Protocol (IRDP) to advertise the IP addresses of its router interfaces to directly attached hosts. IRDP is disabled by default. You can enable it globally or on individual ports:
• If you enable IRDP globally, all ports use the default values for the IRDP parameters.
• If you leave IRDP disabled globally but enable it on individual ports, you also can configure the IRDP parameters on an individual port basis.
BigIron RX(config)# ip irdp
This command enables IRDP on the IP interfaces on all ports. Each port uses the default values for the IRDP parameters. The parameters are not configurable when IRDP is globally enabled.
Enabling IRDP on an individual port
To enable IRDP on an individual interface and change IRDP parameters, enter commands such as the following.
Configuring UDP broadcast and IP helper parameters
Some applications rely on client requests sent as limited IP broadcasts addressed to the UDP’s application port. If a server for the application receives such a broadcast, the server can reply to the client. Routers do not forward subnet directed broadcasts, so the client and server must be on the same network for the broadcast to reach the server.
Enabling forwarding for a UDP application
If you want the device to forward client requests for UDP applications that the device does not forward by default, you can enable forwarding support for the port. To enable forwarding support for a UDP application, use either of the following methods. You also can disable forwarding for an application using these methods.
Configuring an IP helper address
To forward a client’s broadcast request for a UDP application when the client and server are on different networks, you must configure a helper address on the interface connected to the client. Specify the server’s IP address or the subnet directed broadcast address of the IP subnet the server is in as the helper address. You can configure up to 16 helper addresses on each interface.
• Gateway address – The device places the IP address of the interface that received the BootP/DHCP request in the request packet’s Gateway Address field (sometimes called the Router ID field). When the server responds to the request, the server sends the response as a unicast packet to the IP address in the Gateway Address field.
• If the hop count value is equal to or less than the maximum hop count the device allows, the device increments the hop count by one and forwards the request.
• If the hop count is greater than the maximum hop count the device allows, the device discards the request.
NOTE
The BootP/DHCP hop count is not the TTL parameter.
To modify the maximum number of BootP/DHCP hops, enter the following command.
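The forwarding decision an IP helper makes for a client's UDP broadcast, covering both the helper-address and UDP-port rules from the preceding section and the BootP/DHCP gateway-address and hop-count rules above, as an added illustration written for this page (not Brocade code). The class names, the UDP port 5000 used as an unhelped application, and the sample packets are constructed; the maximum hop count of 4 is the bootp-relay-max-hops value shown by show ip later in this chapter.

```python
"""UDP broadcast forwarding through IP helper addresses, with the BootP/DHCP
relay rules from the text (Gateway Address field, hop count, maximum hops).
Added illustration for this page, not Brocade code; names and packets are
constructed."""
from dataclasses import dataclass, replace
from typing import List

LIMITED_BROADCAST = "255.255.255.255"
BOOTPS_PORT = 67                 # BootP/DHCP server port


@dataclass(frozen=True)
class UdpRequest:
    src_ip: str
    dst_ip: str
    dst_port: int
    hops: int = 0                # BootP/DHCP hop count (not the IP TTL)
    giaddr: str = "0.0.0.0"      # BootP/DHCP Gateway Address field


@dataclass
class Interface:
    ip: str
    helpers: List[str]           # server addresses or subnet-directed broadcasts

    def __post_init__(self):
        if len(self.helpers) > 16:            # per-interface limit stated in the text
            raise ValueError("at most 16 helper addresses per interface")


class HelperForwarder:
    def __init__(self, forwarded_udp_ports, max_hops=4):
        self.forwarded_udp_ports = set(forwarded_udp_ports)
        self.max_hops = max_hops

    def relay(self, iface, req):
        """Return the unicast copies to send toward the helper addresses, or an
        empty list when the request is not forwarded."""
        if req.dst_ip != LIMITED_BROADCAST:
            return []                           # only client broadcasts are helped
        if req.dst_port not in self.forwarded_udp_ports:
            return []                           # forwarding not enabled for this port
        if req.dst_port == BOOTPS_PORT:
            if req.hops > self.max_hops:
                return []                       # above the maximum: discard
            # Gateway Address: the address of the interface that received the
            # request. Keeping a giaddr already filled in by an upstream relay
            # is standard RFC 1542 behaviour and an assumption beyond this page.
            giaddr = req.giaddr if req.giaddr != "0.0.0.0" else iface.ip
            req = replace(req, hops=req.hops + 1, giaddr=giaddr)
        return [replace(req, dst_ip=h) for h in iface.helpers]


def demo():
    """Constructed scenario: a DHCP client broadcast, the same request after
    too many relay hops, and a broadcast to a port with no forwarding enabled."""
    fwd = HelperForwarder(forwarded_udp_ports={BOOTPS_PORT}, max_hops=4)
    client_port = Interface("10.1.1.1", helpers=["10.9.9.5"])
    discover = UdpRequest("0.0.0.0", LIMITED_BROADCAST, BOOTPS_PORT)
    return {
        "dhcp": fwd.relay(client_port, discover),
        "too_many_hops": fwd.relay(client_port, replace(discover, hops=5)),
        "other_udp": fwd.relay(client_port, replace(discover, dst_port=5000)),
    }


if __name__ == "__main__":
    for name, copies in demo().items():
        print(name, copies)
```

The DHCP discover leaves as a unicast to the helper with giaddr set to 10.1.1.1 and the hop count raised to 1, so the server's reply comes back to that interface address; a request already carrying a hop count above the maximum is discarded, and a broadcast to a UDP port without forwarding enabled is never relayed.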
BigIron RX> show ip
Global Settings
  ttl: 64, arp-age: 10, bootp-relay-max-hops: 4
  router-id : 207.95.11.128
  enabled : UDP-Broadcast-Forwarding IRDP Proxy-ARP OSPF
  disabled: BGP4 Load-Sharing RIP DVMRP FSRP VRRP
Static Routes
  Index   IP Address   Subnet Mask   Next Hop Router
  1       0.0.0.0      0.0.0.0       209.157.23.2
Policies
  Index   Action   Source          Destination   Protocol
  1       deny     209.157.22.34   209.157.22.
TABLE 54 CLI display of global IP configuration information (Continued)
This field...    Displays...
Subnet Mask      The network mask for the IP address.
Next Hop Router  The IP address of the router interface to which the Brocade router sends packets for the route.
Metric           The cost of the route. Usually, the metric represents the number of hops to the destination.
Distance         The administrative distance of the route.
TABLE 55 CLI display of interface IP configuration information
This field...  Displays...
Interface      The type and the slot and port number of the interface.
IP-Address     The IP address of the interface.
               NOTE: If an “s” is listed following the address, this is a secondary address. When the address was configured, the interface already had an IP address in the same subnet, so the software required the “secondary” option before the software could add the interface.
BigIron RX# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dynamic Log Buffer (50 entries):
Dec 15 18:46:17:I:Interface ethernet Lab2, state up
Dec 15 18:45:15:I:Warm start

Displaying ARP entries

You can display the A
NOTE
The parameter and parameter perform different operations. The parameter specifies the network mask for a specific IP address, whereas the parameter provides a filter for displaying multiple MAC addresses that have specific values in common. The parameter lets you display the table beginning with a specific entry number.

NOTE
The entry numbers in the ARP cache are not related to the entry numbers for static ARP table entries.
For information on the command syntax, refer to the syntax of the show arp command under “Displaying the ARP cache” on page 226.

TABLE 57 CLI display of static ARP table
This field...          Displays...
Static ARP table size  The maximum number of static entries that can be configured on the device using the current memory allocation. The range of valid memory allocations for static ARP entries is listed after the current allocation.
BigIron RX> rconsole 15
Connecting to slave CPU 15/1... (Press CTRL-Shift-6 X to exit)
rconsole-15/1@LP> show ip network
Total number of host cache entries 3
D: Dynamic P:Permanent, F:Forward U:Us C:Conected Network
W:Wait ARP I:ICMP Deny K:Drop R:Frament S:Snap Encap
N:CAMInvalid
    IP Address      Next Hop   MAC             Type  Port  VLAN
1   0.0.0.0/0       DIRECT     0000.0000.0000  PK    n/a
2   20.1.1.0/24     DIRECT     0000.0000.0000  PC    n/a
3   40.40.40.0/24   30.1.1.10  0000.
BigIron RX> show ip route
Total number of IP routes: 514
Start index: 1 B:BGP D:Connected
      Destination   Gateway
      1.1.0.0       99.1.1.2
      1.2.0.0       99.1.1.2
      1.3.0.0       99.1.1.2
      1.4.0.0       99.1.1.2
      1.5.0.0       99.1.1.2
      1.6.0.0       99.1.1.2
      1.7.0.0       99.1.1.2
      1.8.0.0       99.1.1.2
      1.9.0.0       99.1.1.2
      1.10.0.0      99.1.1.
BigIron RX(config)# show ip route connected
Start index: 1 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
      Destination   Gateway   Port  Cost  Type
      209.157.22.0  0.0.0.0   4/11  1     D

Notice that the route displayed in this example has “D” in the Type field, indicating the route is to a directly connected device.

Here is an example of how to use the static option. To display only the static IP routes.
The following table lists the information displayed by the show ip route command.

TABLE 59 CLI display of IP route table
This field...  Displays...
Destination    The destination network of the route.
NetMask        The network mask of the destination address.
Gateway        The next-hop router.
Port           The port through which this router sends packets to reach the route's destination.
Cost           The route's cost.
BigIron RX> sh ip traffic
IP Statistics
  146806 total received, 72952 mp received, 6715542 sent, 0 forwarded
  0 filtered, 0 fragmented, 0 bad header
  0 failed reassembly, 0 reassembled, 0 reassembly required
  0 no route, 0 unknown proto, 0 no buffer, 0 other errors, 0 rpf discard
ARP Statistics
  19022 total recv, 35761 req recv, 475 rep recv, 2803975 req sent, 1885 rep sent
  0 pending drop, 0 invalid source, 0 invalid dest
ICMP Statistics
  Received: 9 total, 0 errors, 0 unreachable, 0
TABLE 60 CLI display of IP traffic statistics (Continued)
This field...    Displays...
ICMP statistics  The ICMP statistics are derived from RFC 792, “Internet Control Message Protocol”, RFC 950, “Internet Standard Subnetting Procedure”, and RFC 1256, “ICMP Router Discovery Messages”. Statistics are organized into Sent and Received. The field descriptions below apply to each.
total            The total number of ICMP messages sent or received by the device.
TABLE 60 CLI display of IP traffic statistics (Continued)
This field...  Displays...
input errors   This information is used by Brocade customer support.
in segments    The number of TCP segments received by the device.
out segments   The number of TCP segments sent by the device.
Chapter 8 Link Aggregation

In this chapter
• Link aggregation overview
• LAG formation rules
• LAG load sharing
• Configuration of a LAG
• Deploying a LAG
LAG formation rules

NOTE
The maximum number of trunk groups supported is 31.

• A LAG must have its primary port selected before it can be deployed.
• All ports configured in a LAG must be configured in the same VLAN.
• All ports must have the same PBR configuration before deployment. During deployment the configuration on the primary port is replicated to all ports, and on undeployment each port inherits the same PBR configuration.
• VLAN and inner-VLAN translation.
• Make sure the device on the other end of the trunk link can support the same number of ports in the link.

Figure 13 displays an example of a valid keep-alive LAG link between two devices. This configuration does not aggregate ports but uses LACP PDUs to maintain the connection status between the two ports.
FIGURE 15 Examples of multi-slot, multi-port LAG
[Figure: two LAG examples; member ports Port1/1 through Port1/8 on one module and Port2/1 through Port2/8 on another, paired between the two devices.]

LAG load sharing

Traffic on BigIron RX switches is load balanced over a LAG by using the Hash Based Load Sharing method.
• IPv4 UDP packets: source MAC address and destination MAC address, source IP address and destination IP address, and UDP source port and UDP destination port.
• IPv6 non-TCP/UDP packets: source MAC address and destination MAC address, source IP address and destination IP address.
• IPv6 TCP packets: source MAC address and destination MAC address, source IP address and destination IP address, and TCP source port and TCP destination port.
The keep-alive option specifies that the LAG with the name specified by the variable will be configured as a keep-alive LAG. The keep-alive LAG configuration is a new configuration option to configure a LAG for use in keep-alive applications similar to the UDLD feature.

Adding ports to a LAG

A static or dynamic LAG can have two to eight ports of the same type and speed that are on any interface module within the BigIron RX device.
Specifying the trunk threshold for a trunk group

You can configure the BigIron RX switch to disable all of the ports in a trunk group when the number of active member ports drops below a specified threshold value. For example, if a trunk group has 8 ports, and the threshold for the trunk group is 5, then the trunk group is disabled if the number of available ports in the trunk group drops below 5.
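The hash-based load sharing described under "LAG load sharing" and the trunk threshold described just above, modelled together. This is an added example, not the switch's code: the Packet and Lag classes are assumptions, CRC-32 stands in for the switch's hash function (the guide does not specify it), and the example generalises the per-packet-type field lists to "MAC pair and IP pair for every IP packet, plus the Layer 4 port pair for TCP and UDP" for both IPv4 and IPv6. The 2 to 8 member ports and the 8-port/threshold-5 case come from this chapter.

```python
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_LAG_PORTS, MAX_LAG_PORTS = 2, 8     # member-count limits stated in the guide


@dataclass
class Packet:
    """Constructed sample packet; only the header fields the hash consumes."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp", or anything else ("icmp", "ospf", ...)
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def hash_key(p: Packet) -> Tuple:
    """Fields fed to the hash: MAC pair and IP pair for every IP packet, plus
    the Layer 4 port pair for TCP and UDP (assumed for IPv4 as well as IPv6)."""
    key: Tuple = (p.src_mac, p.dst_mac, p.src_ip, p.dst_ip)
    if p.proto in ("tcp", "udp"):
        key += (p.src_port, p.dst_port)
    return key


@dataclass
class Lag:
    """Hypothetical model of a deployed LAG with a trunk threshold."""
    name: str
    members: List[str]              # e.g. "1/1" .. "1/8"
    threshold: int = 1              # trunk threshold: minimum active members
    link_up: Dict[str, bool] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not MIN_LAG_PORTS <= len(self.members) <= MAX_LAG_PORTS:
            raise ValueError(f"a LAG needs {MIN_LAG_PORTS}-{MAX_LAG_PORTS} ports")
        if not 1 <= self.threshold <= len(self.members):
            raise ValueError("threshold must be between 1 and the member count")
        for m in self.members:
            self.link_up.setdefault(m, True)

    def active_members(self) -> List[str]:
        """Members with link up, or none at all once the count drops below the threshold."""
        up = [m for m in self.members if self.link_up[m]]
        return up if len(up) >= self.threshold else []

    def select_port(self, p: Packet) -> Optional[str]:
        """Pick the member that carries this flow; None means the trunk is disabled."""
        active = self.active_members()
        if not active:
            return None
        # CRC-32 stands in for the switch's hash function; any deterministic
        # function of the key keeps a flow pinned to one member the same way.
        digest = zlib.crc32(repr(hash_key(p)).encode())
        return active[digest % len(active)]


def distribute(lag: Lag, packets: List[Packet]) -> Dict[str, int]:
    """Count how many of the given packets each member port would carry."""
    counts: Dict[str, int] = {}
    for p in packets:
        port = lag.select_port(p)
        if port is not None:
            counts[port] = counts.get(port, 0) + 1
    return counts


if __name__ == "__main__":
    lag = Lag("blue", [f"1/{i}" for i in range(1, 9)], threshold=5)
    flows = [Packet("0000.0000.0001", "0000.0000.0002", "10.1.1.2", "10.2.2.2",
                    "udp", 40000 + i, 53) for i in range(100)]
    print("8 members up:", distribute(lag, flows))
    for m in ("1/5", "1/6", "1/7", "1/8"):
        lag.link_up[m] = False
    print("4 members up, threshold 5:", distribute(lag, flows))   # {} -> trunk disabled
```

Because all packets of one flow hash to the same member, a single heavy flow never spreads across the trunk; and once fewer than threshold members are up, every flow is refused rather than squeezed onto the survivors, which is the behaviour the threshold is for.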
BigIron RX(config)# lag blue dynamic
BigIron RX(config-lag-blue)# lacp-timeout short

Syntax: [no] lacp-timeout [long | short]

The long parameter configures the port for the long timeout mode. The short parameter configures the port for the short timeout mode.

NOTE
This configuration is only applicable to dynamic or keep-alive LAGs.

Deploying a LAG

After configuring a LAG, you must explicitly enable it before it begins aggregating traffic.
Commands available under LAG once it is deployed

Once a LAG has been deployed, the following configurations can be performed on the deployed LAG:
• Configuring ACL-based Mirroring
• Disabling Ports within a LAG
• Enabling Ports within a LAG
• Monitoring an Individual LAG Port
• Assigning a name to a port within a LAG
• Enabling sFlow Forwarding on a port within a LAG
• Setting the sFlow Sampling Rate for a port within a LAG

Configuring ACL-based mirroring

ACL-based mirroring can be c
Enabling ports within a LAG

You can enable an individual port within a trunk using the enable command within the LAG configuration as shown in the following.

BigIron RX(config)# lag blue static
BigIron RX(config-lag-blue)# deploy
BigIron RX(config-lag-blue)# enable ethernet 3/1

Syntax: [no] enable ethernet | named

Use the ethernet option with the appropriate variable to specify an Ethernet port within the LAG that you want to enable.
BigIron RX(config)# lag blue static
BigIron RX(config-lag-blue)# deploy
BigIron RX(config-lag-blue)# port-name orange ethernet 3/1

Syntax: [no] port-name ethernet

The variable specifies the port name. The name can be up to 50 characters long. Use the ethernet option with the appropriate variable to apply the specified name to an Ethernet port within the LAG.
BigIron RX# show lag brief
Total number of LAGs: 4
Total number of deployed LAGs: 3
Total number of trunks created:3 (31 available)
LACP System Priority / ID: 0001 / 0004.80a0.
TABLE 61 Show LAG information
This field...                    Displays...
Total number of LAGS             The total number of LAGs that have been configured on the switch.
Total number of Deployed LAGS    The total number of LAGs on the switch that are currently deployed.
Total number of Trunks Created   The total number of trunks that have been created on the LAG. The total number of Trunks available are shown also.
TABLE 61 Show LAG information (Continued)
This field...  Displays...
Priori         Indicates the Quality of Service (QoS) priority of the ports. The priority can be a value from 0 – 7.
MAC            The MAC address of the port.
Name           The name (if any) configured for the port.
Sys P          Lists the system priority configured for the device.
Port P         Lists the port’s link aggregation priority.
Key            Lists the link aggregation key.
Act
TABLE 61 Show LAG information (Continued)
This field...  Displays...
Def            Indicates whether the port is using default link aggregation values. The port uses default values if it has not received link aggregation information through LACP from the port at the remote end of the link.
GiantPkts  InBitsPerSec   InPktsPerSec   InUtilization
0          0              0              0.0%
ShortPkts  OutBitsPerSec  OutPktsPerSec  OutUtilization
0          0              0              0.
Chapter 9 Configuring LLDP

In this chapter
• Terms used in this chapter
• LLDP overview
• General operating principles
• MIB support
• Syslog messages
LLDP overview

LLDP enables a station attached to an IEEE 802 LAN or MAN to advertise its capabilities to, and to discover, other stations in the same 802 LAN segments. The advertisements describe the network’s physical topology and associated systems within that topology. For example, a station can advertise its management address, the address of the entities that manage the device, and the ID of the port to which the station is connected.
  • Ensures proper aging so only valid network device data is presented
• Network Inventory Data
  • Supports optional system name, system description, system capabilities and management address
  • System description can contain the device’s product name or model number, version of hardware type, and operating system
  • Provides device capability, such as switch, router, or WLAN access port
• Network troubleshooting
  • Information generated through LLDP can be used to detect spee
When an LLDP agent receives LLDP packets, it checks to ensure that the LLDPDUs contain the correct sequence of mandatory TLVs, then validates optional TLVs. If the LLDP agent detects any errors in the LLDPDUs and TLVs, it drops them in software. TLVs that are not recognized but do not contain basic formatting errors are assumed to be valid and are assigned a temporary identification index and stored for possible later retrieval by network management.
Brocade devices support the following Basic Management TLVs:
• Chassis ID (mandatory)
• Port ID (mandatory)
• Time to Live (mandatory)
• Port description
• System name
• System description
• System capabilities
• Management address
• End of LLDPDU

• Organizationally-specific TLVs are optional in LLDP implementations and are defined and encoded by individual organizations or vendors. These TLVs include support for, but are not limited to, the IEEE 802.1 and 802.
TABLE 62 Chassis ID subtypes (Continued)
ID Subtype  Description
2           Interface alias
3           Port component
4           MAC address
5           Network address
6           Interface name
7           Locally assigned
8 – 255     Reserved

Brocade devices use Chassis ID subtype 4, the base MAC address of the device. Other third party devices may use a Chassis ID subtype other than 4.
The Port ID TLV format is shown below.

FIGURE 18 Port ID TLV packet format
[Figure: TLV Header = TLV Type (= 2, 7 bits) and TLV Information String Length (9 bits); TLV Information String = Port ID Subtype (1 octet) and Port ID (1 < n < 255 octets).]

TTL value

The Time to Live (TTL) Value is the length of time the receiving device should maintain the information acquired through LLDP in its MIB. The TTL value is automatically computed based on the LLDP configuration settings.
Syslog messages

Syslog messages for LLDP provide management applications with information related to MIB data consistency and general status. These Syslog messages correspond to the lldpRemTablesChange SNMP notifications.

Web Management

Web Management Interface is not supported.

Configuring LLDP

This section describes how to enable and configure LLDP. Table 64 lists the LLDP global-level tasks and the default behavior/value for each task.
• Cisco Discovery Protocol (CDP) and Foundry Discovery Protocol (FDP) run independently of LLDP. Therefore, these discovery protocols can run simultaneously on the same device.
• By default, the Brocade device limits the number of neighbors per port to four, and staggers the transmission of LLDP packets on different ports, in order to minimize any high-usage spikes to the CPU.
Use the [no] form of the command to disable the receipt and transmission of LLDP packets on a port. You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
The above commands change the LLDP operating mode on ports 2/7 and 2/8 from receive only mode to transmit only mode. Any incoming LLDP packets will be dropped in software. Note that if you do not disable receive only mode, you will configure the port to both receive and transmit LLDP packets.

Syntax: [no] lldp enable transmit ports ethernet | all

Use the [no] form of the command to disable the transmit only mode.
Use the show lldp command to view the configuration.

Enabling LLDP SNMP notifications and Syslog messages

SNMP notifications and Syslog messages for LLDP provide management applications with information related to MIB data updates and general status. When you enable LLDP SNMP notifications, corresponding Syslog messages are enabled as well.
Changing the minimum time between LLDP transmissions

The LLDP transmit delay timer limits the number of LLDP frames an LLDP agent can send within a specified time frame. When you enable LLDP, the system automatically sets the LLDP transmit delay timer to two seconds. If desired, you can change the default behavior from two seconds to a value between 1 and 8192 seconds.
Changing the holdtime multiplier for transmit TTL

The holdtime multiplier for transmit TTL is used to compute the actual time-to-live (TTL) value used in an LLDP frame. The TTL value is the length of time the receiving device should maintain the information in its MIB. When you enable LLDP, the device automatically sets the holdtime multiplier for TTL to four. If desired, you can change the default behavior from four to a value between two and ten.
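The receive-side checks described under "General operating principles" (mandatory TLV sequence, dropping malformed PDUs, indexing unrecognized TLVs), the 7-bit type / 9-bit length TLV header from Figure 18, and the TTL computation from the holdtime multiplier above, worked through as an encoder and parser. This is an added example, not Brocade's implementation: the function names are assumptions, the TLV type numbers and the Port ID subtype 3 (MAC address) are from IEEE 802.1AB, the Chassis ID subtype 4 is from Table 62, and the 10-second transmit interval is the value the show lldp output in this chapter displays (with multiplier 4 it yields the 40-second TTL shown there).

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Basic Management TLV types (IEEE 802.1AB); 127 is organizationally specific.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
KNOWN_TLV_TYPES = set(range(0, 9)) | {127}
CHASSIS_SUBTYPE_MAC = 4          # subtype Brocade devices use (Table 62)
PORT_SUBTYPE_MAC = 3             # Port ID subtype for a MAC address (802.1AB)
DEFAULT_TX_INTERVAL = 10         # seconds, as in the "show lldp" output (assumed default)
DEFAULT_HOLD_MULTIPLIER = 4      # default holdtime multiplier stated above


def transmit_ttl(interval: int = DEFAULT_TX_INTERVAL,
                 hold_multiplier: int = DEFAULT_HOLD_MULTIPLIER) -> int:
    """TTL carried in the frame = transmit interval x holdtime multiplier."""
    if not 2 <= hold_multiplier <= 10:
        raise ValueError("holdtime multiplier must be between two and ten")
    if not 0 < interval * hold_multiplier <= 0xFFFF:
        raise ValueError("TTL must fit the 16-bit TTL TLV")
    return interval * hold_multiplier


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the information string."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_mac: bytes, ttl: int,
                 optional: List[Tuple[int, bytes]] = ()) -> bytes:
    """Mandatory TLVs in the required order, optional TLVs, then End of LLDPDU."""
    pdu = tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    pdu += tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_MAC]) + port_mac)
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))
    for t, v in optional:
        pdu += tlv(t, v)
    return pdu + tlv(TLV_END, b"")


@dataclass
class Lldpdu:
    chassis_id: Tuple[int, bytes]             # (subtype, value)
    port_id: Tuple[int, bytes]
    ttl: int
    optional: List[Tuple[int, bytes]] = field(default_factory=list)
    unrecognized: Dict[int, Tuple[int, bytes]] = field(default_factory=dict)  # temp index -> TLV


def parse_lldpdu(data: bytes) -> Lldpdu:
    """Validate the mandatory TLV sequence; reject malformed PDUs, keep unknown TLVs."""
    tlvs: List[Tuple[int, bytes]] = []
    off = 0
    while off + 2 <= len(data):
        hdr, = struct.unpack_from("!H", data, off)
        t, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        tlvs.append((t, data[off:off + length]))
        off += length
        if t == TLV_END:
            break
    if len(tlvs) < 4 or [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    if tlvs[-1] != (TLV_END, b""):
        raise ValueError("LLDPDU does not end with End of LLDPDU TLV")
    chassis, port, ttl_raw = tlvs[0][1], tlvs[1][1], tlvs[2][1]
    if not 2 <= len(chassis) <= 256 or not 2 <= len(port) <= 256 or len(ttl_raw) != 2:
        raise ValueError("mandatory TLV has an invalid length")
    if chassis[0] == CHASSIS_SUBTYPE_MAC and len(chassis) != 7:
        raise ValueError("Chassis ID subtype 4 must carry a 6-byte MAC")
    pdu = Lldpdu((chassis[0], chassis[1:]), (port[0], port[1:]),
                 struct.unpack("!H", ttl_raw)[0])
    for idx, (t, v) in enumerate(tlvs[3:-1]):
        if t in KNOWN_TLV_TYPES:
            pdu.optional.append((t, v))
        else:
            pdu.unrecognized[idx] = (t, v)     # kept under a temporary index for management
    return pdu


def is_valid_lldpdu(data: bytes) -> bool:
    """True when the PDU passes the checks above (what a receiving agent would keep)."""
    try:
        parse_lldpdu(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    mac = bytes.fromhex("000cdbf5c000")
    frame = build_lldpdu(mac, mac, transmit_ttl(), [(5, b"rx4"), (100, b"\x01\x02")])
    parsed = parse_lldpdu(frame)
    print(parsed.ttl, parsed.optional, parsed.unrecognized)
```

The length check before every slice is what keeps a crafted length field from reading past the buffer; a type the parser does not know is retained rather than rejected, so an agent cannot be knocked offline simply by sending it a TLV type it has never seen.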
• Port ID
• TTL

The above are mandatory TLVs. For more information, see “Mandatory TLVs” on page 257.

When LLDP is enabled on a global basis, the Brocade device will automatically advertise the following information, except for the features noted:

General system information:
• Management address
• Port description
• System capabilities
• System description (not automatically advertised)
• System name

802.
Management address

The management address is an IPv4 address that can be used to manage the device.
You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
The system description will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info):

BigIron RX# show lldp local-info
Local port: 1/2
  + Chassis ID (MAC address): 000c.dbf5.c000
  + Port ID (MAC address): 000c.dbf5.c000
  + Time to live: 120 seconds
  + System name         : "rx4"
  + Port description    : "10GigabitEthernet1/2"
  + System capabilities : bridge, router
    Enabled capabilities: bridge, router
  + 802.
802.1 capabilities

Except for the VLAN name, the Brocade device will advertise the following 802.1 attributes when LLDP is enabled on a global basis:
• VLAN name (not automatically advertised)
• Untagged VLAN ID

VLAN name

The VLAN name TLV contains the name and VLAN ID of a VLAN configured on a port. An LLDPDU may include multiple instances of this TLV, each for a different VLAN. To advertise the VLAN name, enter a command such as the following.
Untagged VLAN ID

The port VLAN ID TLV advertises the Port VLAN Identifier (PVID) that will be associated with untagged or priority-tagged frames. If the port is not an untagged member of any VLAN (i.e., the port is strictly a tagged port), the value zero will indicate that. By default, the port VLAN ID is automatically advertised when LLDP is enabled on a global basis. To disable this advertisement, enter a command such as the following.
Syntax: [no] lldp advertise link-aggregation ports ethernet | all

The link aggregation advertisement will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info).

  Link aggregation: not capable

You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both.
You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
The following shows an example report.

BigIron RX# show lldp
LLDP transmit interval              : 10 seconds
LLDP transmit hold multiplier       : 4 (transmit TTL: 40 seconds)
LLDP transmit delay                 : 1 seconds
LLDP SNMP notification interval     : 5 seconds
LLDP reinitialize delay             : 1 seconds
LLDP maximum neighbors              : 392
LLDP maximum neighbors per port     : 4

Syntax: show lldp

The following table describes the information displayed by the show lldp statistics command.

This field...  Displays...
BigIron RX# show lldp statistics
Last neighbor change time: 23 hours 50 minutes 40 seconds ago
Neighbor entries added           : 14
Neighbor entries deleted         : 5
Neighbor entries aged out        : 4
Neighbor advertisements dropped  : 0

Port  Tx Pkts  Rx Pkts  Rx Pkts   Rx Pkts    Rx TLVs    Rx TLVs    Neighbors
      Total    Total    w/Errors  Discarded  Unrecognz  Discarded  Aged Out
1     60963    75179    0         0          0          0          4
2     0        0        0         0          0          0          0
3     60963    60963    0         0          0
4     60963    121925
5     0        0
6     0        0
7     0        0
8     0        0
9     0        0
10    60974    0
11    0        0
12    0        0
13    0        0
14    0        0
This field...      Displays...
Rx Pkts Total      The number of LLDP packets the port received.
Rx Pkts w/Errors   The number of LLDP packets the port received that have one or more detectable errors.
Rx Pkts Discarded  The number of LLDP packets the port received then discarded.
Rx TLVs Unrecognz  The number of TLVs the port received that were not recognized by the LLDP local agent.
LLDP neighbors detail

The show lldp neighbors detail command displays the LLDP advertisements received from LLDP neighbors. The following shows an example show lldp neighbors detail report.

NOTE
The show lldp neighbors detail output will vary depending on the data received. Also, values that are not recognized or do not have a recognizable format may be displayed in hexadecimal binary form.

BigIron RX# show lldp neighbors detail ports e 1/9
Local port: 1/9
  Neighbor: 0800.0f18.
This field...  Displays...
Neighbor       The source MAC address from which the packet was received, and the remaining TTL for the neighbor entry.

Syntax: show lldp neighbors detail [ports ethernet | all]

If you do not specify any ports or use the keyword all, by default, the report will show the LLDP neighbor details for all ports. You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both.
Resetting LLDP statistics

To reset LLDP statistics, enter the clear lldp statistics command at the Global CONFIG level of the CLI. The Brocade device will clear the global and per-port LLDP neighbor statistics on the device (refer to “LLDP statistics” on page 275).
Chapter 10 Configuring Uni-Directional Link Detection

In this chapter
• Uni-Directional Link Detection overview
• Configuration considerations
• Configuring UDLD
• Displaying UDLD information
• Clearing UDLD statistics
first keep-alive message from the other end. In the active state, UDLD peers continue to exchange keep-alive messages periodically, and if keep-alive messages from the other end are missed a certain number of times, UDLD brings down the logical port. UDLD then transitions from the active to the suspended state. Every time UDLD is enabled on a port, the port is transitioned into the suspended state to detect whether the other end (peer) supports UDLD.
Changing the keepalive retries

You can change the maximum number of keepalive attempts to a value from 3 – 10. To change the maximum number of attempts, enter a command such as the following.

BigIron RX(config)# link-keepalive retries 4

Syntax: [no] link-keepalive retries

The parameter specifies the maximum number of times the port will try the health check. You can specify a value from 3 – 10. The default is 5.
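The suspended/active state machine described under "Configuration considerations", with the retries setting above driving the transition back to suspended. This is an added example, not Brocade's UDLD code: the UdldPort class, the run() event driver and the 500 ms interval (the "5 * 100 MilliSec." shown by show link-keepalive later in this chapter, taken here as the default) are assumptions; the retries range 3 – 10 and default 5 are from the text.

```python
from dataclasses import dataclass
from typing import List

DEFAULT_RETRIES = 5            # default "link-keepalive retries"
MIN_RETRIES, MAX_RETRIES = 3, 10
DEFAULT_INTERVAL_MS = 500      # "Keepalive Interval: 5 * 100 MilliSec." (assumed default)


@dataclass
class UdldPort:
    """Hypothetical model of one UDLD-enabled port's logical-link state."""
    name: str
    retries: int = DEFAULT_RETRIES
    state: str = "suspended"       # enabling UDLD on a port starts it in suspended
    logical_up: bool = False
    physical_up: bool = True       # stays up in a unidirectional failure
    missed: int = 0
    transitions: int = 0

    def __post_init__(self) -> None:
        if not MIN_RETRIES <= self.retries <= MAX_RETRIES:
            raise ValueError(f"retries must be {MIN_RETRIES}-{MAX_RETRIES}")

    def on_keepalive(self) -> None:
        """A keepalive arrived from the peer: (re)enter active, reset the miss counter."""
        self.missed = 0
        if self.state != "active":
            self.state, self.logical_up = "active", True
            self.transitions += 1

    def on_interval_expired(self) -> None:
        """One keepalive interval passed with nothing from the peer."""
        if self.state != "active":
            return
        self.missed += 1
        if self.missed >= self.retries:
            # The physical link may still be up, but the logical port goes down
            # so LAG and spanning tree stop forwarding into a one-way link.
            self.state, self.logical_up, self.missed = "suspended", False, 0
            self.transitions += 1

    def detection_time_ms(self, interval_ms: int = DEFAULT_INTERVAL_MS) -> int:
        """Worst-case time from the last keepalive to logical-down."""
        return self.retries * interval_ms


def run(port: UdldPort, events: str) -> List[str]:
    """Drive the port with a constructed event string: 'K' = keepalive received,
    '-' = interval expired with no keepalive. Returns state/link after each event."""
    trace = []
    for ev in events:
        if ev == "K":
            port.on_keepalive()
        elif ev == "-":
            port.on_interval_expired()
        else:
            raise ValueError(f"unknown event {ev!r}")
        trace.append(f"{port.state}/{'up' if port.logical_up else 'down'}")
    return trace


if __name__ == "__main__":
    p = UdldPort("1/15")
    print(run(p, "KKK-----K"))
    print("detection time:", p.detection_time_ms(), "ms")
```

With the defaults, a peer that stops answering is cut off after five missed intervals (2.5 s at the 500 ms interval assumed here); lowering retries shortens that window at the cost of more spurious flaps on a lossy link.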
BigIron RX(config)# sh link-keepalive
Total link-keepalive enabled ports: 2
Keepalive Retries: 5   Keepalive Interval: 5 * 100 MilliSec.
Port   Physical Link   Link-keepalive   Logical link
1/15   up              init             up
2/15   up              init             up

Syntax: show link-keepalive

TABLE 65 CLI display of UDLD information
This field...                       Displays...
Total link-keepalive enabled ports  The total number of ports on which UDLD is enabled.
BigIron RX(config)# show link-keepalive ethernet 1/1
Current State    : down        Remote MAC Addr   : 0000.0000.0000
Local Port       : 1/1         Remote Port       : n/a
Local System ID  : e0eb8e00    Remote System ID  : 00000000
Packets sent     : 0           Packets received  : 0
Transitions      : 0

Syntax: show link-keepalive ethernet

Displaying information for a single port

To display detailed UDLD information for a specific port, enter a command such as the following.
  Not member of any configured trunks
  No port name
  MTU 1522 bytes, encapsulation ethernet
  300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 0 bits/sec, 0 packets/sec, 0.
Chapter 11 VLANs

In this chapter
• Overview of Virtual Local Area Networks (VLANs)
• VLAN configuration rules
• Configuring port-based VLANs
• Configuring protocol-based VLANs
• Configuring virtual routing interfaces
Overview of Virtual Local Area Networks (VLANs)

Tagged ports allow the device to add a four-byte 802.1q tag to the packet. 802.1q tagging is an IEEE standard that allows a networking device to add information to Layer 2 packets. This information identifies the VLAN membership of the packet, as well as the VLAN ID of the VLAN from which the packet is sent. Furthermore, the default tag value of the 802.1q tag is 8100 (hexadecimal). This value comes from the 802.1q specification.
[Figure: user-configured port-based VLANs spanning two devices; T = 802.1Q tagged port. The ports on Segment 1 are tagged; the ports on Segment 2 are not.]

Tagging is required for the ports on Segment 1 because the ports are in multiple port-based VLANs. Tagging is not required for the ports on Segment 2 because each port is in only one port-based VLAN. Without tagging, a device receiving VLAN traffic from the other device would not be sure which VLAN the traffic is for.
VLAN configuration rules

To create any type of VLAN on a device, Layer 2 forwarding must be enabled. When Layer 2 forwarding is enabled, the device becomes a switch on all ports for all non-routable protocols. The BigIron RX can only support up to 254 independent VLANs with Layer 2 protocols. In addition to this rule, the sections below summarize the rules for configuring VLANs.

VLAN ID range

VLAN IDs can be one of the following: 1 – 4089.
• When both port and protocol-based VLANs are configured on a given device, all protocol-based VLANs must be strictly contained within a port-based VLAN. A protocol-based VLAN cannot include ports from multiple port-based VLANs. This rule is required to ensure that port-based VLANs remain loop-free Layer 2 broadcast domains.
• One of each type of protocol-based VLAN can be configured within each port-based VLAN on the device.
The variable specifies the VLAN name and can be up to 255 characters long. When a VLAN name contains multiple words, separate them with '_' or '-'. Upgrading or downgrading to any other version will reject the VLAN configuration if the number of characters exceeds what that version supports for the variable.

NOTE
In lower versions, the variable can accept only 32 characters.
Considerations when configuring VLAN byte accounting

• VLAN byte accounting cannot be enabled for the default or control VLANs.
• The number of VLANs on which byte accounting can be enabled system-wide is restricted by the number of VLANs with byte accounting enabled on a given packet processor and the number of rate limiting policies enabled on the same packet processor ports. Refer to Table 67 for details.
Maximum number of rate limiting policies and VLANs with byte accounting

The maximum number of ACL-based and VLAN-based rate limiting policies that can be configured on ports controlled by the same packet processor also depends on the number of VLANs with byte accounting enabled on the same packet processor.
Assigning a different ID to the default VLAN

As stated above, by default, all ports on a device belong to the default VLAN, which is VLAN 1, until assigned to a port-based VLAN. The default VLAN port membership is always untagged; however, if you want to use VLAN ID 1 as a configurable VLAN with tagged port members, you can assign a different VLAN ID as the default VLAN. Enter commands such as the following.
BigIron RX(config-vlan-group-ipv6-proto)# static e 1/1 e 1/24
BigIron RX(config-vlan-group-ipv6-proto)# exclude e 1/2 to 1/4

Syntax: [no] static | exclude ethernet / [to /]

The static ethernet / [to /] parameter adds the specified ports within the port-based VLAN as static ports to the protocol-based VLAN.
The device can locally route IP packets between VLANs that are defined within a single router. All other routable protocols or protocol-based VLANs (for example, IPX and AppleTalk) must be routed by another external router capable of routing the protocol.
BigIron RX(config-vlan-3)# exit
BigIron RX(config)# interface ve 2
BigIron RX(config-ve-2)# ip address 10.1.1.1/24
BigIron RX(config-if-e1000-2/1)# exit
BigIron RX(config)# interface ve 3
BigIron RX(config-ve-3)# ip address 11.1.1.2/24

IP packets are bridged (switched) within the same protocol VLAN if they are on the same subnet; they are routed if they are on a different VLAN.
When designing an ISR network, pay attention to your use of virtual routing interfaces and the spanning-tree domain. If Layer 2 switching of your routed protocols (IP, IPX, AppleTalk) is not required across the backbone, then the use of virtual routing interfaces can be limited to edge switch ports within each router. Full backbone routing can be achieved by configuring routing on each physical interface that connects to the backbone.
VLAN groups

The parameter with the vlan-group command specifies the VLAN group ID and can be from 1 – 32. The vlan to parameters specify a continuous range (with no gaps) of VLAN IDs that have not been configured in the CLI. Specify the low VLAN ID first and the high VLAN ID second. The command adds all the VLANs in the range to the VLAN group.
BigIron RX# show vlan-group 10
Configured VLAN-Group entries : 1
Maximum VLAN-Group entries    : 32
VLAN-GROUP 10
 Number of VLANs: 4
 VLANs: 10 to 13
 Tagged ports: ethe 3/1

This example shows the configuration of a single VLAN group, group 10.

Syntax: show vlan-group [<num>]

The <num> parameter specifies a VLAN group. If you omit it, the configuration of all configured VLAN groups is displayed.
[FIGURE 23 Conceptual model of the super aggregated VLAN application. Clients 1 to 5 attach to an edge device; client 1 is 192.168.1.69/24 in subnet 192.168.1.0/24. Path = a single VLAN into which client VLANs are aggregated. Channel = a client VLAN nested inside a Path.]

Each client connected to the edge device is in its own port-based VLAN. All the clients' VLANs are aggregated by the edge device into a single VLAN for connection to the core.
[FIGURE 24 Example super aggregated VLAN application. On each edge device, client 1 on port 1/1 is in VLAN 101, client 3 on port 1/3 in VLAN 103 and client 5 on port 1/5 in VLAN 105; clients 6, 8 and 10 on the second edge device use the same ports and VLAN IDs. Client 1 is 192.168.1.69/24.]
To configure aggregated VLANs, configure tagged and untagged VLANs on the edge device, then configure the aggregated and other VLANs on the core device. Perform the following tasks.
1. On each edge device, configure a separate port-based VLAN for each client connected to the edge device. In each client VLAN:
• Add the port connected to the client as an untagged port.
• Configure a VLAN tag type (tag ID) that is different from the tag type used on the edge devices. If you use the default tag type (8100) on the edge devices, set the tag type on the core devices to another value, such as 9100. The tag type must be the same on all the core devices. The edge devices must also share one tag type, but it must differ from the tag type on the core devices; otherwise the core devices would recognise the edge tags as their own and the client VLANs would not be nested inside the path VLAN.
BigIron RX-A(config-vlan-102)# untagged ethernet 1/2
BigIron RX-A(config-vlan-102)# exit
BigIron RX-A(config)# vlan 103
BigIron RX-A(config-vlan-103)# tagged ethernet 2/1
BigIron RX-A(config-vlan-103)# untagged ethernet 1/3
BigIron RX-A(config-vlan-103)# exit
BigIron RX-A(config)# vlan 104
BigIron RX-A(config-vlan-104)# tagged ethernet 2/1
BigIron RX-A(config-vlan-104)# untagged ethernet 1/4
BigIron RX-A(config-vlan-104)# exit
BigIron RX-C(config-vlan-102)# tagged ethernet 4/1
BigIron RX-C(config-vlan-102)# untagged ethernet 3/2
BigIron RX-C(config-vlan-102)# exit
BigIron RX-C(config)# write memory

Commands for device D
Device D is at the other end of the path and separates the channels back into individual VLANs. The tag type must be the same as the tag type configured on the other core device (Device C). In addition, VLAN aggregation must also be enabled.
Figure 26 shows an example application of the 802.1Q-in-Q enhancement.

[FIGURE 26 802.1Q-in-Q configuration example. A provider edge switch has a customer-facing interface with the configured tag-type 9100 and an uplink to the provider cloud with the default tag-type 8100. The customer frame is DA | SA | 8100 | Customer VLAN; on the uplink it becomes DA | SA | 8100 | Provider VLAN | 8100 | Customer VLAN.]

In Figure 26, the untagged ports (to customer interfaces) accept frames that carry any 802.1Q tag other than the configured tag-type 9100. Because an 8100 tag is not recognised as a tag on those ports, such frames are treated as untagged there: the customer's tag stays in place as part of the payload, and the frame is re-tagged with the provider VLAN when it is sent out of the uplink.
Note that since ports 11 and 12 belong to the port region 1 – 12, the 802.1Q tag-type actually applies to ports 1 – 12.

Syntax: [no] tag-type <num> [ethernet <slot>/<port> [to <slot>/<port>]]

The <num> parameter specifies the tag-type number and can be a hexadecimal value from 0 to ffff. The default is 8100. The ethernet <slot>/<port> to <slot>/<port> parameter specifies the ports that will use the defined 802.1Q tag-type.
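The rule that both 802.1Q-in-Q (Figure 26) and super aggregated VLANs depend on is that a port treats a frame as tagged only when the EtherType at offset 12 equals that port's own tag-type; any other value is payload to that port. The following Python example, added here and not Brocade code, models that rule on the byte level and walks a customer frame through a provider edge and back. The MAC addresses, VLAN IDs and payload are constructed for the demonstration; `provider_transit` is a hypothetical helper name.

```python
"""802.1Q tag-type handling at a provider edge (Q-in-Q and super aggregated VLANs).

Added example, not Brocade code. A port recognises a frame as tagged only when the
EtherType at offset 12 equals the port's own tag-type; anything else is payload.
MAC addresses, VLAN IDs and payload bytes are constructed for the demonstration.
"""
import struct

DEFAULT_TAG_TYPE = 0x8100        # IEEE 802.1Q TPID, the Brocade default tag-type
CUSTOMER_PORT_TAG_TYPE = 0x9100  # tag-type configured on the customer-facing port (Figure 26)


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, tags, ethertype, payload):
    """DA | SA | (TPID, VID)* outermost first | EtherType | payload (PCP/DEI left zero)."""
    frame = mac(dst) + mac(src)
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def peel_tags(frame, tag_types):
    """Leading (tpid, vid) pairs whose TPID the port recognises, plus the remainder.
    The first unrecognised EtherType ends the scan: to that port it starts the payload."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid, raw_vid = struct.unpack_from("!HH", frame, off)
        if tpid not in tag_types:
            break
        tags.append((tpid, raw_vid & 0x0FFF))
        off += 4
    return tags, frame[off:]


def classify_ingress(frame, port_tag_type):
    """Ingress view of one port: (VLAN ID from the outer tag of the port's own tag-type,
    or None when the frame is untagged to this port) and the frame with that tag removed."""
    tags, _ = peel_tags(frame, {port_tag_type})
    if not tags:
        return None, frame
    return tags[0][1], frame[:12] + frame[16:]


def emit(frame, port_tag_type, vid, tagged):
    """Egress: a tagged port pushes (its tag-type, vid) in front; an untagged port sends as-is."""
    if not tagged:
        return frame
    return frame[:12] + struct.pack("!HH", port_tag_type, vid) + frame[12:]


def provider_transit(customer_frame, provider_vid,
                     customer_port_tag_type=CUSTOMER_PORT_TAG_TYPE,
                     uplink_tag_type=DEFAULT_TAG_TYPE):
    """Customer port -> uplink -> far-end uplink -> customer port (hypothetical helper).
    Returns (VLAN the provider assigned, frame on the provider link, frame handed back).
    If the customer-facing port honours the customer's tag, no channel is built and the
    customer, not the provider, has chosen the VLAN: returned as (that VID, None, None)."""
    vid, inner = classify_ingress(customer_frame, customer_port_tag_type)
    if vid is not None:
        return vid, None, None
    on_wire = emit(inner, uplink_tag_type, provider_vid, tagged=True)
    pvid, inner_back = classify_ingress(on_wire, uplink_tag_type)
    return pvid, on_wire, emit(inner_back, customer_port_tag_type, pvid, tagged=False)


if __name__ == "__main__":
    cust = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                       [(DEFAULT_TAG_TYPE, 100)], 0x0800, bytes(46))
    pvid, wire, back = provider_transit(cust, 300)
    print("provider VLAN", pvid, "wire tags", peel_tags(wire, {0x8100})[0], "restored", back == cust)
    print("misconfigured edge honours customer VID:", provider_transit(cust, 300, DEFAULT_TAG_TYPE)[0])
```

The last line of the script is the check worth running before trusting a Q-in-Q edge: with the customer-facing port left at the default 8100, the customer's own tag is accepted as the VLAN selector, which is exactly what the distinct tag-type is meant to prevent. Passing 9100 for both arguments models the super aggregated VLAN case, where the core devices use 9100 on every port and the edge's 8100 tags ride inside the path VLAN.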
Configuring 802.1q tag-type translation
802.1q tag-type translation provides finer granularity for configuring multiple 802.1q tag-types on a single device by letting you configure 802.1q tag-types per port group. This allows tag-type translation from one port group to the next on tagged interfaces. 802.1Q tag-type translation enables you to configure 802.
[FIGURE 29 802.1q tag-type translation configuration example 2. Edge Switch 1 and Edge Switch 2 use global 802.1Q tag-type 8200; Core Switch 1 and Core Switch 2 carry multiple 802.1Q tag-types (8300, 8400, 8500, 9100). The figure shows an incoming frame on Core Switch 1 tagged 8300 and the outgoing frame tagged 8500, with untagged (U) and tagged (T) port markings.]
• If you configure a port with an 802.1q tag-type, the device automatically applies the 802.1q tag-type to all ports within the same port region.
• If you remove the 802.1q tag-type from a port, the device automatically removes the 802.1q tag-type from all ports within the same port region.
• Brocade does not recommend configuring different 802.1q tag-types on ports that are part of a multi-slot trunk. Use the same 802.
Private VLANs
A private VLAN has the properties of a standard Layer 2 port-based VLAN but also provides additional control over the flooding of packets on the VLAN. Figure 30 shows an example of an application using a private VLAN.

[FIGURE 30 Private VLAN used to secure communication between a workstation and servers]

A private VLAN secures traffic between a primary port and host ports. Traffic between the hosts and the rest of the network must travel through the primary port.
• Isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
• Community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and are also flooded to the other ports in the community VLAN.

Each private VLAN must have a primary VLAN. The primary VLAN is the interface between the secured ports and the rest of the network.
• A primary VLAN can have multiple ports. All of these ports are active, but which ports are used depends on the private VLAN mappings. Secondary VLANs (isolated and community VLANs) can also be mapped to multiple primary VLAN ports.
BigIron RX(config)# vlan 901
BigIron RX(config-vlan-901)# untagged ethernet 3/5 to 3/6
BigIron RX(config-vlan-901)# pvlan type community

These commands create port-based VLAN 901, add ports 3/5 and 3/6 to the VLAN as untagged ports, then specify that the VLAN is a community private VLAN.

Syntax: untagged ethernet <slot>/<port> [to <slot>/<port> | ethernet <slot>/<port>]
Syntax: [no] pvlan type community | isolated | primary

The untagged command adds the ports to the VLAN.
Enabling broadcast, multicast or unknown unicast traffic to the private VLAN
To enhance private VLAN security, the primary private VLAN does not forward broadcast or unknown unicast packets to its community and isolated VLANs. For example, if port 3/2 in Figure 30 on page 314 receives a broadcast packet from the firewall, the port does not forward the packet to the other private VLAN ports (3/5, 3/6, 3/9 and 3/10).
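The flooding rules above are easy to misread when several secondary VLANs hang off one primary, so here is a small Python model of them, added here and not Brocade code. It returns the egress ports for a broadcast or unknown-unicast frame given its ingress port, with the primary VLAN's flooding towards the secondary VLANs off by default as the text describes. Port numbers follow the text and Figure 30: 3/2 is the primary port towards the firewall and 3/5 and 3/6 form community VLAN 901. Treating 3/9 and 3/10 as isolated VLAN 902, and the primary VLAN number 900, are assumptions.

```python
"""Private VLAN flooding decision.

Added example, not Brocade code. Encodes the rules: isolated ports flood only to the
primary port, community ports flood to the primary port and their community peers,
and the primary port does not flood to the secondary VLANs unless that is enabled.
Port numbers 3/2, 3/5, 3/6 follow the text; 3/9 and 3/10 as isolated VLAN 902 and
primary VLAN 900 are assumptions.
"""

PVLAN = {
    "primary": {"vlan": 900, "ports": {"3/2"}},
    "secondary": {
        901: {"type": "community", "ports": {"3/5", "3/6"}},
        902: {"type": "isolated", "ports": {"3/9", "3/10"}},
    },
}


def port_role(pvlan, port):
    """('primary', 900), ('community', 901) or ('isolated', 902) for a port."""
    if port in pvlan["primary"]["ports"]:
        return "primary", pvlan["primary"]["vlan"]
    for vid, sec in pvlan["secondary"].items():
        if port in sec["ports"]:
            return sec["type"], vid
    raise KeyError(f"{port} is not a member of the private VLAN")


def flood_targets(pvlan, ingress, flood_from_primary=False):
    """Egress ports for a broadcast or unknown-unicast frame received on `ingress`.

    isolated  -> primary port(s) only, never another isolated port
    community -> primary port(s) plus the other members of that community VLAN
    primary   -> other primary ports only, unless flooding from the primary VLAN
                 towards the secondary VLANs has been enabled (flood_from_primary)
    """
    role, vid = port_role(pvlan, ingress)
    primary = pvlan["primary"]["ports"] - {ingress}
    if role == "isolated":
        return set(primary)
    if role == "community":
        return primary | (pvlan["secondary"][vid]["ports"] - {ingress})
    if not flood_from_primary:
        return set(primary)
    secondary = set().union(*(sec["ports"] for sec in pvlan["secondary"].values()))
    return primary | secondary


def isolation_report(pvlan):
    """Which ports hear each port's floods: a quick check before relying on the
    private VLAN to keep hosts apart."""
    ports = set().union(pvlan["primary"]["ports"],
                        *(sec["ports"] for sec in pvlan["secondary"].values()))
    return {p: sorted(flood_targets(pvlan, p)) for p in sorted(ports)}


if __name__ == "__main__":
    for port, heard_by in isolation_report(PVLAN).items():
        print(f"flood from {port} reaches {heard_by}")
    print("primary with flooding enabled:", sorted(flood_targets(PVLAN, "3/2", True)))
```

Run it after changing the private VLAN mapping: a host on 3/9 should never appear in the list for 3/10, and 3/2 should reach nothing until flooding from the primary is deliberately enabled.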
Other VLAN features
Allocating memory for more VLANs or virtual routing interfaces
By default, you can configure up to 512 VLANs and virtual routing interfaces on the device. Although this is the default maximum, the device can support up to 4089 VLANs and 4095 virtual routing interfaces. (VLAN IDs 0, 4090, 4091, 4092 and 4095 are reserved.)
NOTE: If many of your VLANs will have an identical configuration, consider configuring VLAN groups.
• You cannot enable this feature on the designated management VLAN for the device.
• If you enable this feature on a VLAN that includes a trunk group, hardware flooding for Layer 2 multicast and broadcast packets occurs only on the trunk group's primary port. Multicast and broadcast traffic for the other ports in the trunk group is handled in software.

Unknown unicast flooding on VLAN ports
Unknown unicast packets are unicast packets whose destination MAC address the device has not learned, so they have no specific recipient port.
Use the multicast parameter to specify CPU flooding for broadcast and multicast packets. Use the unknown-unicast parameter to specify CPU flooding for unknown unicast packets only.
NOTE: This command does not erase any multicast or unknown-unicast flooding configuration. If this command is enabled, it supersedes the per-VLAN configuration.

Configuring uplink ports within a port-based VLAN
You can configure a subset of the ports in a port-based VLAN as uplink ports.
Displaying VLAN information
After you configure the VLANs, you can view and verify the configuration. Enter the following command at any CLI level.
BigIron RX# show vlan e 4/1
Port 4/1 is a member of 2 VLANs
VLANs 1 100

Syntax: show vlan ethernet <slot>/<port> [ | begin <text> | exclude <text> | include <text> ]

The ethernet <slot>/<port> parameter specifies a port. The command lists all the VLAN memberships for the port. The output shows the following information.

TABLE 71 Output of show vlan ethernet
The output shows the following information.

TABLE 72 Output of show vlan detail
Untagged Ports: This line appears if you do not specify a VLAN. It lists all the ports that are configured as untagged ports in all the VLANs on the device.
Tagged Ports: This line appears if you do not specify a VLAN. It lists all the ports that are configured as tagged ports in all the VLANs on the device.
Transparent firewall mode
Transparent Firewall mode allows the device to switch self-originated control packets. By default, Brocade devices drop control packets received with the device's own MAC address as the source MAC address (that is, packets originated by the switch or router itself). In Transparent Firewall mode, switching of such self-originated packets is allowed. Transparent Firewall mode is configured per VLAN and is disabled by default.
Chapter 12  Configuring Spanning Tree Protocol

In this chapter
• IEEE 802.1D Spanning Tree Protocol (STP) . . . . 327
• IEEE Single Spanning Tree (SSTP) . . . . 342
• PVST/PVST+ compatibility . . . . 345
• SuperSpan™ . . . . 349

IEEE 802.1D Spanning Tree Protocol (STP)
• Individual VLAN – Affects all ports within the specified VLAN. When you enable or disable STP within a VLAN, the setting overrides the global setting. Thus, you can enable STP for the ports within a VLAN even when STP is globally disabled, or disable STP for the ports within a port-based VLAN when STP is globally enabled.
• Individual port – Affects only the individual port.
Default STP bridge and port parameters
Table 75 lists the default STP bridge parameters. The bridge parameters affect the entire spanning tree. If you are using MSTP (a separate spanning tree per VLAN), the parameters affect the VLAN. If you are using SSTP, the parameters affect all VLANs that are members of the single spanning tree.
BigIron RX(config)# vlan 20
BigIron RX(config-vlan-20)# spanning-tree priority 0

To make this change in the default VLAN, enter the following commands.

BigIron RX(config)# vlan 1
BigIron RX(config-vlan-1)# spanning-tree priority 0

Syntax: [no] spanning-tree [forward-delay <value>] | [hello-time <value>] | [max-age <value>] | [priority <value>]

You can specify some or all of the parameters on the same command line.
Once the port stops receiving superior BPDUs, root protect automatically sets the port back to the FORWARDING state after the timeout period has expired.
NOTE: Root Guard can prevent network connectivity if it is improperly configured. Configure it on the perimeter of the network rather than in the core, and only on the primary port of a LAG.
Reconfiguring the timeout period
The timeout timer is started whenever a port receives a superior BPDU, which results in a Root Guard violation. If the timeout period is reconfigured while a timer is running, the timer on that port is set to the new timeout period minus the time already elapsed since the superior BPDU was received. For example, suppose the original timeout period on a device was configured for 60 seconds.
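To make the timer arithmetic concrete, here is a small Python state machine for one Root Guard port, added here and not Brocade code. It follows the rules stated above: a superior BPDU blocks the port and starts the timer, a later superior BPDU restarts it, a reconfigured timeout is applied as the new value minus the time already elapsed, and the port returns to FORWARDING when the timer runs out. The class name and the choice to expire immediately when the new timeout is already shorter than the elapsed time are assumptions.

```python
"""Root Guard timer behaviour on one port (added example, not Brocade code).

Times are plain seconds so a scenario can be replayed deterministically.
Expiring immediately when new_timeout - elapsed is negative is an assumption.
"""


class RootGuardPort:
    def __init__(self, timeout=60):
        self.timeout = timeout       # configured timeout period in seconds
        self.state = "FORWARDING"
        self.violation_at = None     # time the most recent superior BPDU arrived
        self.expires_at = None       # time the port may leave BLOCKING

    def superior_bpdu(self, now):
        """A superior BPDU arrived on the port: a Root Guard violation. The port is
        blocked and the timeout timer is (re)started from this moment."""
        self.state = "BLOCKING"
        self.violation_at = now
        self.expires_at = now + self.timeout

    def reconfigure_timeout(self, now, new_timeout):
        """Apply a new timeout; a running timer becomes new_timeout minus elapsed time."""
        self.timeout = new_timeout
        if self.state == "BLOCKING":
            elapsed = now - self.violation_at
            self.expires_at = now + max(new_timeout - elapsed, 0)

    def tick(self, now):
        """Advance the clock; returns the port state at `now`."""
        if self.state == "BLOCKING" and now >= self.expires_at:
            self.state = "FORWARDING"
        return self.state


def replay(events, timeout=60):
    """Drive one port through (time, event, value) tuples and return (time, state) after each.
    Events: 'bpdu' (superior BPDU seen), 'timeout' (reconfigure to value), 'tick'."""
    port = RootGuardPort(timeout)
    trace = []
    for when, event, value in events:
        if event == "bpdu":
            port.superior_bpdu(when)
        elif event == "timeout":
            port.reconfigure_timeout(when, value)
        trace.append((when, port.tick(when)))
    return trace


if __name__ == "__main__":
    # Constructed scenario: rogue bridge seen at t=0, timeout lowered to 30 s at t=20.
    for when, state in replay([(0, "bpdu", None), (20, "timeout", 30), (29, "tick", None), (30, "tick", None)]):
        print(f"t={when:3d}s  {state}")
```

The replay is the check to run before lowering the timeout on a production edge port: with the original 60 second value and a violation at t=0, reconfiguring to 30 seconds at t=20 leaves 10 seconds on the timer, so the port forwards again at t=30 rather than at t=50.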
The spanning-tree protocol detects and eliminates logical loops in a redundant network by selectively blocking some data paths and allowing only some data paths to forward traffic. In an STP environment, switches, end stations and other Layer 2 devices use Bridge Protocol Data Units (BPDUs) to exchange the information that STP uses to determine the best path for data flow.
• All the global and interface STP settings
• Detailed STP information for each interface
• STP state information for a VLAN
• STP state information for an individual interface
• STP information for blocked interfaces

Displaying STP information for an entire device
To display STP information, enter the following command at any level of the CLI.
TABLE 77 CLI display of STP information

Global STP parameters
VLAN ID: The port-based VLAN that contains this spanning tree and the number of STP instances on the VLAN. VLAN 1 is the default VLAN. If you have not configured port-based VLANs on this device, all STP information is for VLAN 1.

Bridge parameters
Bridge Identifier: The ID assigned by STP to this bridge for this spanning tree, in hexadecimal.
TABLE 77 CLI display of STP information (continued)
State: The port's STP state. The state can be one of the following:
  BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop. The device or VLAN can reach the root bridge using another port, whose state is FORWARDING. When a port is in this state, the port does not transmit or receive user frames, but it does continue to receive STP BPDUs.
TABLE 78 CLI display of detailed STP information for ports
VLAN ID: The VLAN that contains the listed ports and the number of STP instances on this VLAN. The STP type can be one of the following:
  • Brocade proprietary multiple spanning tree
  • IEEE 802.1Q Single Spanning Tree (SSTP)
  NOTE: If STP is disabled on a VLAN, the command displays the following message instead: "Spanning-tree of port-vlan is disabled."
TABLE 78 CLI display of detailed STP information for ports (continued)

STP port parameters
Port number and STP state: The internal port number and the port's STP state. The internal port number is one of the following:
  • The port's interface number, if the port is the designated port for the LAN.
  • The interface number of the designated port from the received BPDU, if the interface is not the designated port for the LAN.
TABLE 79 CLI display of STP information for the specified Ethernet interface
The STP/RSTP/MSTP protocol information for the specified Ethernet interface.
  NOTE: If the Ethernet interface has not been added to any STP-enabled VLAN, the command displays the following message instead: "No STP-configured VLANs for the port".

STP port parameters
Port Num: The port number.
-------------------------------------------------------------------
STP Port Parameters:
Port  Prio  Path  State     Designated  Designated        Designated
Num   rity  Cost            Cost        Root              Bridge
1/9   128   4     BLOCKING  4           03e8001020010000  07d0000cdbfab700

Syntax: show spanning-tree blocked [ethernet <slot>/<port> | vlan <vlan-id>]

The ethernet parameter displays blocked interfaces for the specified Ethernet interface.
SSTP defaults
SSTP is disabled by default. When you enable the feature, all VLANs on which STP is enabled become members of a single spanning tree. All VLANs on which STP is disabled are excluded from the single spanning tree:
• To add a VLAN to the single spanning tree, enable STP on that VLAN.
• To remove a VLAN from the single spanning tree, disable STP on that VLAN.
Here is the syntax for the global STP parameters.

Syntax: [no] spanning-tree single [forward-delay <value>] [hello-time <value>] | [maximum-age
PVST/PVST+ compatibility
Brocade's support for Cisco's Per VLAN Spanning Tree plus (PVST+) allows the device to run multiple spanning trees (MSTP) while also interoperating with IEEE 802.1Q devices. Brocade ports automatically detect PVST+ BPDUs and enable support for them once detected. When it is configured for MSTP, the device can interoperate with PVST.
For the port to also support the other VLANs (the PVST+ VLANs) in tagged mode, the port must be a dual-mode port. Untagged frames are carried on the port's native VLAN. By default, the native VLAN is the same as the device's default VLAN, which by default is VLAN 1. Thus, to support IEEE 802.1Q in a typical configuration, the port must be able to send and receive untagged frames for VLAN 1 and tagged frames for the other VLANs.
BigIron RX(config)# show span pvst-mode
PVST+ Enabled on:
Port   Method
1/1    Set by configuration
1/2    Set by configuration
2/10   Set by auto-detect
3/12   Set by configuration
4/24   Set by auto-detect

Syntax: show span pvst-mode

This command displays the following information.

TABLE 81 CLI display of PVST+ information
Port: The Brocade port number.
  NOTE: The command lists information only for the ports on which PVST+ support is enabled.
These commands configure a VLAN group containing VLANs 2, 3 and 4, add port 1/1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port. The dual-mode feature allows the port to send and receive untagged frames for the default VLAN (VLAN 1 in this case) in addition to tagged frames for VLANs 2, 3 and 4. Enabling PVST+ support ensures that the port is ready to send and receive PVST+ BPDUs.
Note that when VLAN 1 is not the default VLAN, the ports must have an untagged VLAN enabled in order to process IEEE 802.1Q BPDUs. For example, the following configuration is incorrect.
[FIGURE: SuperSpan example. The SuperSpan root bridge sits in the service provider network (SP 1 and SP 2, connected by ports 2/1 and 2/2). Cust 1 and Cust 2 each attach to both SP devices through ports 1/1 and 1/2; in each customer network one of the two uplink ports is FWD and the other BLK.]

In this example, the SP network contains two devices that are running SuperSpan. The SP is connected to two customer networks. Each customer network is running its own instance of STP.
Each Brocade device that is configured for SuperSpan forwards the BPDU using the changed destination MAC address. At the other end of the tunnel, the Brocade device connected to the customer's network changes the destination MAC address back to the bridge group address (01-80-c2-00-00-00).

Preforwarding state
To ensure that the customer's network has time to converge at Layer 2 and to prevent loops, the Brocade devices configured for SuperSpan use a special forwarding state, Preforwarding.
Mixing single STP and multiple spanning trees
You can use SuperSpan in any of the following combinations:
• Customer and SP networks both use multiple spanning trees (a separate spanning tree in each VLAN).
• Customer uses multiple spanning trees but SP uses Single STP (all STP-enabled VLANs are in the same spanning tree).
• Customer uses Single STP but SP uses multiple spanning trees.
• Customer and SP networks both use Single STP.
In the example above, STP in VLAN 10 selects R10 as the root bridge and makes port 1/1 on R10 forwarding while blocking port 3/1 on R20. The opposite occurs for STP in VLAN 20. As a result, both links connecting the customer and SP regions are fully utilized and serve as backup links for each other at the same time, providing loop-free, non-blocking connectivity.
Customer uses single STP but SP uses multiple spanning trees
Figure 38 shows an example of SuperSpan where the customer network uses Single STP while the SP uses multiple spanning trees.
[FIGURE 39 Customer and SP using single STP. The customer region (ports 1/1, 2/1, 2/2, single span) meets the provider region (ports 2/1, 2/2, 3/1, single span) at the stp-boundary; the boundary ports are tagged to multiple VLANs on the customer side and untagged to VLAN 100 (super aggregated VLAN) on the provider side. "R xx" marks the root bridge for VLAN xx.]

In this setup, both the customer and SP networks run a single spanning tree at Layer 2. Traffic from VLANs 10 and 20 is carried, or aggregated, by VLAN 100 in the SP network, as in the previous scenario.
These commands configure two interfaces on the Brocade device as SuperSpan boundary interfaces. Interface 1/1 is a boundary interface with customer 1. Interface 1/2 is a boundary interface with customer 2. Each boundary interface is associated with a number, which is the SuperSpan ID. The SuperSpan ID identifies the instance of SuperSpan you are associating with the interface. Use the same SuperSpan ID for each boundary interface with the same customer.
BigIron RX(config)# show super-span
CID 1   Boundary Ports:
Port   C-BPDU Rxed   C-BPDU Txed   T-BPDU Rxed   T-BPDU Txed
1/1    1             0             0             0
1/2    0             0             0             0
Total  1             0             0             0

CID 2   Boundary Ports:
Port   C-BPDU Rxed   C-BPDU Txed   T-BPDU Rxed   T-BPDU Txed
2/1    0             0             3             0
2/2    0             0             0             0
Total  0             0             3             0

In this example, the device has two SuperSpan customer IDs.

Syntax: show superspan [cid <num>]

The cid <num> parameter specifies a SuperSpan customer ID.
Chapter 13  Configuring Rapid Spanning Tree Protocol

In this chapter
• Overview of Rapid Spanning Tree Protocol
• Edge ports and edge port roles
• Point-to-point ports
• Bridge port states
The RSTP algorithm uses this information to determine whether the RST BPDU received by a port is superior to the RST BPDU that the port transmits. The two values are compared in the order given above, starting with the root bridge ID; the first field that differs decides. The RST BPDU with the lower value is considered superior. The superiority or inferiority of the RST BPDU is used to assign a role to a port.
The topology in Figure 40 contains four bridges. Switch 1 is the root bridge since it has the lowest bridge priority. Switch 2 through Switch 4 are non-root bridges.
Switch 4 is not directly connected to the root bridge. It has two ports with superior incoming RST BPDUs from two separate LANs: Port3 and Port4. The RST BPDUs received on Port3 are superior to those received on Port4; therefore, Port3 becomes the Root port and Port4 becomes the Alternate port.

Edge ports and edge port roles
Brocade's implementation of RSTP allows ports that are configured as Edge ports to be present in an RSTP topology.
Point-to-point ports
To take advantage of the RSTP features, ports in an RSTP topology should be explicitly configured as point-to-point links. Shared media should not be configured as point-to-point links.
NOTE: Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops.
The topology in Figure 42 is an example of shared media that should not be configured as point-to-point links.
If a port on one bridge has a Designated role and that port is connected to a port on another bridge that has an Alternate or Backup role, the port with the Designated role cannot be given a Root port role until two instances of the forward delay timer have expired on that port.

Edge port and non-edge port states
As soon as a port is configured as an Edge port, it goes into the forwarding state instantly (in less than 100 msec).
• Topology Change – This state machine detects, generates and propagates topology change notifications. It acknowledges Topology Change Notice (TCN) messages when operating in 802.1D mode. It also flushes the MAC table when a topology change event takes place.
• Port State Transition – This state machine transitions the port to a discarding, learning or forwarding state and performs any processing associated with the state changes.
• Proposing – The Designated port on the root bridge sends an RST BPDU to its peer port that contains a proposal flag. The proposal flag is a signal that indicates that the Designated port is ready to put itself in a forwarding state (Figure 43). The Designated port continues to send this flag in its RST BPDU until it is placed in a forwarding state (Figure 46) or is forced to operate in 802.1D mode. (Refer to “Compatibility of RSTP with 802.
[FIGURE 44 Sync stage. Switch 100 (root bridge) Port1 is the Designated port; on Switch 200, Port1 (Root port) asserts Sync, and Port2 and Port3, facing Switch 300 and Switch 400, are Sync/Discarding.]

• Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced. The Root port monitors the synced signals from all the bridge ports.
[FIGURE 45 Synced stage. Switch 100 (root bridge) Port1 Designated port; Switch 200 Port1 (Root port) Synced, Port2 and Port3 Synced/Discarding towards Switch 300 and Switch 400.]

• Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state. When the peer Designated port receives the RST BPDU, it rapidly transitions into a forwarding state.
[FIGURE 46 Agree stage. Switch 100 (root bridge) Port1 Designated port, Forwarding; Switch 200 Port1 (Root port) Synced, Forwarding, sends an RST BPDU with an Agreed flag; Port2 and Port3 Synced/Discarding towards Switch 300 and Switch 400.]

At this point, the handshake mechanism is complete between Switch 100, the root bridge, and Switch 200.
[FIGURE 47 Addition of a new root bridge. Switch 60 (Port2 and Port4 Designated ports) joins above Switch 100 (Port2 Designated, Port1 Designated) and Switch 200 (Port1 Root port, Port2, Port3, Port4), with Switch 300 and Switch 400 below.]

The handshake that occurs between Switch 60 and Switch 100 follows the one described in the previous section (“Handshake when no root port is elected” on page 365). The former root bridge becomes a non-root bridge and establishes a Root port (Figure 48).
[FIGURE 48 New root bridge sending a proposal flag. Switch 100 (handshake completed) Port2 Root port; Switch 60 Port2 Designated, Port4 Designated/Proposing; Switch 200 Port1 Root port Forwarding, Port4 Proposed; RST BPDU sent with a Proposing flag.]

• Sync and Reroot – The Root port then asserts a sync and a reroot signal on all the ports on the bridge.
[FIGURE 49 Sync and reroot. Switch 200 Port1 Root port Sync/Reroot Forwarding; Port2 and Port3 Sync/Reroot Discarding towards Switch 300 and Switch 400; Port4 Root port Sync/Reroot Discarding towards Switch 60.]

• Sync and Rerooted – When the ports on Switch 200 have completed the reroot phase, they assert their rerooted signals and continue t
[FIGURE 50 Sync and rerooted. Switch 200 Port1 Designated port Sync/Rerooted Discarding; Port2 and Port3 Sync/Rerooted Discarding towards Switch 300 and Switch 400; Port4 Root port Sync/Rerooted Discarding towards Switch 60 Port4 (Proposing).]
[FIGURE 51 Rerooted, synced and agreed. Switch 60 Port4 Designated port Forwarding; Switch 200 Port4 Root port Rerooted/Synced Forwarding, sending an RST BPDU with an Agreed flag; Port1 Rerooted/Synced Discarding; Port2 and Port3 Rerooted/Synced Discarding towards Switch 300 and Switch 400.]

The old Root port on Switch 200 becomes an Alternate port (Figure 52).
[FIGURE 52 Handshake completed after election of new root port. Switch 100 Port2 Root port; Switch 60 Port2 and Port4 Designated ports; Switch 200 Port1 Alternate port, Port4 Root port, Port2 and Port3 Proposing towards Switch 300 and Switch 400.]

Recall that Switch 200 sent the agreed flag to Port4/Switch 60 and not to Port1/Switch 100 (the port that connects Switch 100 to Switch 200).
NOTE: Rapid convergence will not occur on ports connected to shared media devices, such as hubs. To take advantage of the rapid convergence provided by RSTP, make sure to explicitly configure all point-to-point links in a topology.

Convergence at start up
In Figure 53, two bridges, Switch 2 and Switch 3, are powered up. There is a point-to-point connection between Port3/Switch 2 and Port3/Switch 3.
[FIGURE 54 Simple Layer 2 topology. Switch 1 (bridge priority 1000): Port2 and Port4 Designated ports, Port5 Backup port. Switch 2 (bridge priority 1500): Port2 Root port, Port3 Designated port. Switch 3 (bridge priority 2000): Port4 Root port, Port3 Alternate port.]

The point-to-point connections between the three bridges are as follows:
• Port2/Switch 1 and Port2/Switch 2
• Port4/Switch 1 and Port4/Switch 3
• Port3/Switch 2 and Port3/Switch 3
Port2/Switch 2 also sends an RST BPDU with an agreed flag to Port2/Switch 1, confirming that Port2 is the new Root port. Both ports go into the forwarding state. Port3/Switch 3 is currently in a discarding state and is negotiating a port role. It has received RST BPDUs from Port3/Switch 2.
[FIGURE 56 Link failure in the topology. The link between Port2/Switch 1 and Port2/Switch 2 fails. Switch 1 (bridge priority 1000) keeps Port4 and Port5; Switch 2 (priority 1500) keeps Port3; Switch 3 (priority 2000) keeps Port3 and Port4.]

Switch 1 sets its Port2 into a discarding state. At the same time, Switch 2 assumes the role of root bridge, since its Root port failed and it has no operational Alternate port. Port3/Switch 2, which currently has a Designated port role, sends an RST BPDU to Switch 3.
When Port2/Switch 2 receives the RST BPDUs, the RSTP algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of Root port. All the ports on Switch 2 are informed that a new Root port has been assigned, which signals all the ports to synchronize their roles and states.
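The role assignments the text walks through for Figure 54, and the BPDU comparison order described at the start of this chapter (root bridge ID, then root path cost, then sender bridge ID, then sender port ID), can be reproduced from the topology alone. The following Python example, added here and not Brocade code, computes the steady-state root bridge, root path costs and port roles, and recomputes them for the link failure in Figure 56. It also decodes the hexadecimal bridge identifiers of the form shown in the `show spanning-tree blocked` output in Chapter 12 (2-byte priority followed by the 6-byte MAC address); those two identifiers are reused as the bridge IDs of Switch 1 and Switch 3. Switch 2's MAC address, the port path cost of 4 on every port and the hub loop joining Port3 and Port5 of Switch 1 (which is what makes Port5 a Backup port) are assumptions.

```python
"""Steady-state STP/RSTP port roles computed from BPDU priority vectors.

Added example, not Brocade code. Topology of Figure 54: Switch 1 (priority 1000),
Switch 2 (1500), Switch 3 (2000). Bridge IDs of Switch 1 and 3 reuse the two hex
identifiers from the show spanning-tree blocked output; Switch 2's MAC, the port
path costs and the Port3/Port5 hub loop on Switch 1 are assumptions.
"""
import heapq


def decode_bridge_id(hex_id):
    """'03e8001020010000' -> (1000, '00:10:20:01:00:00'): 2-byte priority + 6-byte MAC."""
    raw = bytes.fromhex(hex_id)
    return int.from_bytes(raw[:2], "big"), ":".join(f"{b:02x}" for b in raw[2:])


def bridge_key(priority, mac_text):
    """Comparable bridge identifier: the lower (priority, MAC) wins the election."""
    return (priority, int(mac_text.replace(":", ""), 16))


BRIDGES = {                                     # name -> (priority, MAC)
    "Switch 1": (1000, "00:10:20:01:00:00"),    # from 03e8001020010000
    "Switch 2": (1500, "00:00:5e:00:53:02"),    # assumed MAC
    "Switch 3": (2000, "00:0c:db:fa:b7:00"),    # from 07d0000cdbfab700
}

SEGMENTS = [                                    # one LAN each: (bridge, port, port path cost)
    [("Switch 1", 2, 4), ("Switch 2", 2, 4)],   # Port2/Switch 1 <-> Port2/Switch 2
    [("Switch 1", 4, 4), ("Switch 3", 4, 4)],   # Port4/Switch 1 <-> Port4/Switch 3
    [("Switch 2", 3, 4), ("Switch 3", 3, 4)],   # Port3/Switch 2 <-> Port3/Switch 3
    [("Switch 1", 3, 4), ("Switch 1", 5, 4)],   # assumed hub loop: two Switch 1 ports, one LAN
]


def root_path_costs(bridges, segments, root):
    """Dijkstra from the root; entering a bridge through a segment costs that port's path cost."""
    cost = {name: float("inf") for name in bridges}
    cost[root] = 0
    heap, settled = [(0, bridge_key(*bridges[root]), root)], set()
    while heap:
        c, _, here = heapq.heappop(heap)
        if here in settled:
            continue
        settled.add(here)
        for seg in segments:
            if not any(b == here for b, _, _ in seg):
                continue
            for nb, _, port_cost in seg:
                if nb != here and c + port_cost < cost[nb]:
                    cost[nb] = c + port_cost
                    heapq.heappush(heap, (cost[nb], bridge_key(*bridges[nb]), nb))
    return cost


def compute_roles(bridges, segments):
    """Return (root bridge name, root path cost per bridge, role per (bridge, port))."""
    root = min(bridges, key=lambda n: bridge_key(*bridges[n]))
    cost = root_path_costs(bridges, segments, root)
    root_key = bridge_key(*bridges[root])

    def tx_vector(bridge, port):
        # Compared element by element in this order: root ID, root path cost, sender bridge
        # ID, sender port ID. The smaller tuple is the superior BPDU.
        return (root_key, cost[bridge], bridge_key(*bridges[bridge]), port)

    # Designated port of each segment: the attachment that transmits the superior vector.
    designated = [min(((b, p) for b, p, _ in seg), key=lambda bp: tx_vector(*bp))
                  for seg in segments]

    # Root port of each non-root bridge: best vector received from another bridge's
    # designated port, plus the receiving port's path cost, own port number as tie-break.
    root_port = {}
    for name in bridges:
        if name == root:
            continue
        candidates = []
        for seg, (db, dp) in zip(segments, designated):
            if db == name:
                continue                        # we are designated here: nothing superior arrives
            for b, p, port_cost in seg:
                if b == name:
                    rx = tx_vector(db, dp)
                    candidates.append((rx[0], rx[1] + port_cost, rx[2], rx[3], p))
        root_port[name] = min(candidates)[4]

    roles = {}
    for seg, (db, dp) in zip(segments, designated):
        for b, p, _ in seg:
            if (b, p) == (db, dp):
                roles[(b, p)] = "Designated"
            elif root_port.get(b) == p:
                roles[(b, p)] = "Root"
            elif b == db:
                roles[(b, p)] = "Backup"        # this bridge is already designated on the LAN
            else:
                roles[(b, p)] = "Alternate"     # a second, inferior path towards the root
    return root, cost, roles


if __name__ == "__main__":
    for label, segs in (("Figure 54", SEGMENTS), ("Figure 56, link Port2-Port2 down", SEGMENTS[1:])):
        root, cost, roles = compute_roles(BRIDGES, segs)
        print(label, "root:", root, "costs:", cost)
        for (b, p), role in sorted(roles.items()):
            print(f"  {b} Port{p}: {role}")
```

Dropping the first segment reproduces the Figure 56 outcome: Switch 2 loses its Root port, its root path cost rises from 4 to 8, and Port3/Switch 2 becomes the Root port through Switch 3, whose Port3 is now Designated. The same function is a quick way to predict what a rogue bridge with priority 0 would do to the tree before Root Guard is relied on to stop it.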
Convergence in a complex RSTP topology
The following is an example of a complex RSTP topology.
Next, Switch 2 sends RST BPDUs with a proposal flag to Port3/Switch 4. Port3 becomes the Root port for the bridge; all other ports are given a Designated port role with discarding states. Port3/Switch 4 sends an RST BPDU with an agreed flag to Switch 2 to confirm that it is the new Root port. The port then goes into a forwarding state. Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit.
FIGURE 58 Active Layer 2 path in complex topology
[Figure: Switch 1 (bridge priority = 1000), Switch 2 (bridge priority = 200), Switch 3 (bridge priority = 300), Switch 4 (bridge priority = 400), Switch 5 (bridge priority = 60) and Switch 6 (bridge priority = 900); the active Layer 2 path is indicated.]
Propagation of topology change
The Topology Change state m
FIGURE 59 Beginning of topology change notice
[Figure: the same six bridges as Figure 58; the active Layer 2 path and the direction of the TCN are indicated.]
Switch 2 then starts the TCN tim
FIGURE 60 Sending TCN to bridges connected to Switch 2
[Figure: the same six bridges as Figure 58; the active Layer 2 path and the direction of the TCN are indicated.]
Then FRY1, Switch 5, and
FIGURE 61 Completing the TCN propagation
[Figure: the same six bridges as Figure 58; the active Layer 2 path and the direction of the TCN are indicated.]
Compatibility of RSTP with 802.1D
For example, in Figure 62, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format to allow them to operate transparently with Switch 20.
FIGURE 62 RSTP bridges with an 802.1D bridge
[Figure: Switch 10 (802.1W), Switch 20 (802.1D) and Switch 30 (802.1W).]
Once Switch 20 is removed from the LAN, Switch 10 and Switch 30 receive and transmit BPDUs in the STP format to and from each other.
Configuring RSTP parameters
BigIron RX(config)# vlan 10
BigIron RX(config-vlan-10)# rstp
Syntax: [no] rstp
Enabling or disabling RSTP on a single spanning tree
To globally enable RSTP for all ports of a single spanning tree, enter the following command.
BigIron RX(config)# rstp single
Syntax: [no] rstp single
Disabling or enabling RSTP on a port
The rstp command must be used to initially enable RSTP on ports.
The max-age parameter specifies the amount of time the device waits to receive a hello packet before it initiates a topology change. Possible values: 6 – 40 seconds. The default is 20 seconds. The value of max-age must be greater than the value of forward-delay to ensure that the downstream bridges do not age out faster than the upstream bridges (those bridges that are closer to the root bridge).
TABLE 83 Recommended path cost values of RSTP (Continued)
Link speed                Recommended (default) RSTP path cost   Recommended RSTP path cost range
1 Gigabit per second      20,000                                 2,000 – 200,000,000
10 Gigabits per second    2,000                                  200 – 20,000
100 Gigabits per second   200                                    20 – 2,000
1 Terabit per second      20                                     2 – 200
10 Terabits per second    2                                      1 – 20
The priority parameter specifies the preference that RSTP gives to this port relative to other ports for forwar
In addition, Fast Port Span enhances overall network performance in the following ways:
• Fast Port Span reduces the number of STP topology change notifications on the network. When an end station attached to a Fast Span port comes up or down, the Brocade device does not generate a topology change notification for the port. In this situation, the notification is unnecessary since a change in the state of the host does not affect the network’s topology.
BigIron RX(config)# fast port-span
BigIron RX(config)# write memory
Excluding specific ports from fast port span
You can exclude individual ports from Fast Port Span while leaving Fast Port Span enabled globally. To do so, use the following method.
Using the CLI
To exclude a port from Fast Port Span, enter commands such as the following.
You can use the Fast Uplink feature on a Brocade device deployed as a wiring closet switch to decrease the convergence time for the uplink ports to another device to just four seconds (two seconds for listening and two seconds for learning). The wiring closet switch must be a Brocade device, but the device at the other end of the link can be a Brocade device or another vendor’s switch. Configuration of the Fast Uplink Span feature takes place entirely on the Brocade device.
Using the CLI
To configure a group of ports for Fast Uplink Span, enter the following commands.
BigIron RX(config)# fast uplink-span ethernet 4/1 to 4/4
BigIron RX(config)# write memory
Syntax: [no] fast uplink-span [ethernet [ethernet … | to ]]
This example configures four ports, 4/1 – 4/4, as a Fast Uplink Span group. In this example, all four ports are connected to a wiring closet switch.
Displaying RSTP information
BigIron RX(config)# show rstp vlan 10
VLAN 10 - RSTP instance 0
-------------------------------------------------------------------
RSTP (IEEE 802.
TABLE 84 CLI display of RSTP summary (Continued)
This field... / Displays...
Designated Bridge Identifier – The bridge from where the root information was received. It can be from the root bridge itself, but it could also be from another bridge.
Root Port – The port on which the root information was received. This is the port that is connected to the Designated Bridge.
Max Age – The max age is derived from the Root port.
TABLE 84 CLI display of RSTP summary (Continued)
This field... / Displays...
Role – The current role of the port: Root, Designated, Alternate, Backup or Disabled. Refer to “Bridges and bridge port roles” on page 359 for definitions of the roles.
State – The port’s current RSTP state. A port can have one of the following states:
• Forwarding
• Discarding
• Learning
• Disabled
Refer to “Bridge port states” on page 363 and “Edge port and non-edge port states” on page 364.
TABLE 85 The show rstp detail command output (Continued)
This field... / Displays...
forceVersion – The configured version of the bridge:
• 0 – The bridge has been forced to operate in an STP compatible mode.
• 2 – The bridge has been forced to operate in an RSTP mode.
MigrateTime – The number of seconds the bridge took to migrate from STP to RSTP mode.
txHoldCount – The number of BPDUs that can be transmitted per Hello Interval. The default is 3.
TABLE 85 The show rstp detail command output (Continued)
This field... / Displays...
ActiveTimers – Shows what timers are currently active on this port and the number of seconds they have before they expire:
• rrWhile – Recent root timer. A non-zero value means that the port has recently been a Root port.
• rcvdInfoWhile – Received information timer. Shows the time remaining before the information held by this port expires (ages out).
BigIron RX# show xstp Ethernet 3/1
STP information:
-------------------------------------------------------------------
No STP-configured VLANs for the port 3/1
RSTP information:
---------------------------------------------------------------------------
RSTP (IEEE 802.
TABLE 86 CLI display of RSTP information for the specified Ethernet interface (Continued)
This field... / Displays...
Role – The current role of the port: Root, Designated, Alternate, Backup or Disabled. Refer to “Bridges and bridge port roles” on page 359 for definitions of the roles.
State – The port’s current RSTP state.
Displaying RSTP information for the blocked interfaces
To display all interfaces discarded by RSTP, enter the following command.
BigIron RX# show rstp discard
VLAN 128 - RSTP instance 0
-------------------------------------------------------------------
RSTP (IEEE 802.
TABLE 87 Output parameters of the show rstp discard command (Continued)
Field / Description
Role – The current role of the port:
• Root
• Designated
• Alternate
• Backup
• Disabled
State – The port’s current RSTP state. A port can have one of the following states:
• Forwarding
• Discarding
• Learning
• Disabled
Designated Cost – The best root path cost that this port received, including the best root path cost that it can transmit.
Chapter 14 Metro Ring Protocol (MRP) Phase 1 and 2
In this chapter
• Metro Ring Protocol (MRP) phase 1
• MRP rings without shared interfaces
• Ring initialization
• How ring breaks are detected and healed
Metro Ring Protocol (MRP) phase 1
FIGURE 63 Metro ring – normal state
[Figure: a ring of four nodes, Switch A (Master Node) and Switches B, C and D (Member Nodes), each also connected to a Customer A network; ring interfaces are marked F (forwarding) except one marked B, which blocks Layer 2 traffic to prevent a loop.]
The ring in this example consists of four MRP nodes (Brocade switches). Each node has two interfaces with the ring. Each node is also connected to a separate customer network.
MRP rings without shared interfaces
MRP Phase 1 allows you to configure multiple MRP rings, as shown in Figure 64, but the rings cannot share the same link. For example, you cannot configure ring 1 and ring 2 to each have interfaces 1/1 and 1/2. Also, when you configure an MRP ring, any node on the ring can be designated as the master node for the ring. A master node can be the master node of more than one ring. (Refer to Figure 64.)
Ring initialization
FIGURE 65 Metro ring – initial state
[Figure: the same four-node ring with all ports in the Preforwarding state (PF); the primary port on the Master node (Switch A) sends RHP 1.]
MRP uses Ring Health Packets (RHPs) to monitor the health of the ring. An RHP is an MRP protocol packet. The source address is the MAC address of the master node and the destination MAC address is a protocol address for MRP.
When MRP is enabled, all ports begin in the Preforwarding state. The primary interface on the Master node, although it is in the Preforwarding state like the other ports, immediately sends an RHP onto the ring. The secondary port on the Master node listens for the RHP.
• If the secondary port receives the RHP, all links in the ring are up and the port changes its state to Blocking. The primary port then sends another RHP with its forwarding bit set on.
How ring breaks are detected and healed
Figure 67 shows the ring forwarding state following a link break. MRP quickly heals the ring and preserves connectivity among the customer networks.
When the broken link is repaired, the link’s interfaces come up in the Preforwarding state, which allows RHPs to travel through the restored interfaces and reach the secondary interface on the Master node.
• If an RHP reaches the Master node’s secondary interface, the ring is intact. The secondary interface changes to Blocking. The Master node sets the forwarding bit on in the next RHP.
5. RHP packets continue to be sent on the primary interface by Switch A to detect if the ring has been healed.
From a user perspective, there is no difference in the behavior of the ring. The only noticeable difference is a rapid convergence in the event of ring failure. There is no CLI command required to enable this feature.
Master VLANs and customer VLANs in a topology group
FIGURE 69 Metro ring – ring VLAN and customer VLANs
The figure shows Customer A (VLAN 30) and Customer B (VLAN 40) attached to the ring through ports 2/1 and 4/1, with ring ports 1/1 and 1/2 on each node. Its configuration labels read: Switch B – ring 1 interfaces 1/1, 1/2; topology group 2; master VLAN 2 (1/1, 1/2); member VLAN 30 (1/1, 1/2, 2/1); member VLAN 40 (1/1, 1/2, 4/1). Switch D – ring 1 interfaces 1/1, 1/2; topology group 2; master VLAN 2 (1/1, 1/2); member VLAN 30 (1/1,
Configuring MRP
• The master VLAN must contain the ring interfaces. The ports must be tagged, since they will be shared by multiple VLANs.
• The member VLAN for a customer must contain the two ring interfaces and the interfaces for the customer. Since these interfaces are shared with the master VLAN, they must be tagged. Do not add another customer’s interfaces to the VLAN.
Adding an MRP ring to a VLAN
NOTE
If you plan to use a topology group to add VLANs to the ring, make sure you configure MRP on the topology group’s master VLAN.
To add an MRP ring to a VLAN, enter commands such as the following.
Changing the hello and preforwarding times
You can also change the RHP hello time and preforwarding time. To do so, enter commands such as the following.
BigIron RX(config-vlan-2-mrp-1)# hello-time 200
BigIron RX(config-vlan-2-mrp-1)# preforwarding-time 400
These commands change the hello time to 200 ms and the preforwarding time to 400 ms.
NOTE
The preforwarding time must be at least twice the value of the hello time and must be a multiple of the hello time.
MRP phase 2
In MRP Phase 1, a node can have multiple MRP rings, but the rings cannot share the same interface. Also, when you configure an MRP ring, any node on the ring that is a device can be designated as the master node for the ring. Each ring is an independent ring, and RHP packets are processed within each ring.
Ring initialization for shared interfaces
On each node that will participate in the ring, you specify the ring’s ID and the interfaces that will be used for ring traffic. In a multiple ring configuration, a ring’s ID determines its priority. The lower the ring ID, the higher the ring’s priority. A ring’s ID is also used to identify the interfaces that belong to a ring.
How ring breaks are detected and healed between shared interfaces
If the link between shared interfaces breaks, the secondary interface on Ring 1’s master node changes to a preforwarding state. The RHP packet sent by port 3/1 on Ring 2 is forwarded through the interfaces on S4, then to S2. The packet is then forwarded through S2 to S3, but not from S2 to S1, since the link between the two nodes is not available.
If the port is a tunnel port, MRP checks the priority of the RHP packet and compares it to the priority of the tunnel port:
• If the RHP packet’s priority is less than or equal to the interface’s priority, the packet is forwarded through that interface.
• If the priority of the RHP packet is greater than the priority of the interface, the RHP packet is dropped.
When the RHP packet from Ring 2 reached S2, it was also forwarded from S2 to S3 on Ring 1, since the port on S2 has a higher priority than the RHP packet. The packet is forwarded around Ring 1 until it reaches port 2/2, Ring 1’s secondary port. The RHP packet is then blocked by that port.
Flow when a link breaks
If the link between shared interfaces breaks (Figure 74), the secondary interface on Ring 1’s master node changes to a preforwarding state.
Configuring MRP with shared interfaces
MRP Phase 2 allows you to enter commands such as the following when configuring MRP.
Displaying MRP information
NOTE
This command is valid only on the master node.
Displaying MRP diagnostics
To display MRP diagnostics results, enter the following command on the Master node.
Displaying topology group information
To display topology group information, enter the following command.
Syntax: show topology-group []
Refer to “Displaying topology group information” on page 454 for more information.
Displaying ring information
To display ring information, enter the following command.
TABLE 89 CLI display of MRP ring information (Continued)
This field... / Displays...
Prefwing time – The number of milliseconds an MRP interface that has entered the Preforwarding state will wait before changing to the Forwarding state. If a member port in the Preforwarding state does not receive an RHP within the Preforwarding time (Prefwing time), the port assumes that a topology change has occurred and changes to the Forwarding state.
MRP CLI example
Commands on switch A (master node)
The following commands configure a VLAN for the ring. The ring VLAN must contain both of the node’s interfaces with the ring. Add these interfaces as tagged interfaces, since the interfaces also must be in each of the customer VLANs configured on the node.
BigIron RX(config)# vlan 40
BigIron RX(config-vlan-40)# tag ethernet 1/1 to 1/2
BigIron RX(config-vlan-40)# tag ethernet 4/1
BigIron RX(config-vlan-40)# exit
BigIron RX(config)# topology-group 1
BigIron RX(config-topo-group-1)# master-vlan 2
BigIron RX(config-topo-group-1)# member-vlan 30
BigIron RX(config-topo-group-1)# member-vlan 40
Commands on switch C
Chapter 15 Virtual Switch Redundancy Protocol (VSRP)
In this chapter
• Overview of Virtual Switch Redundancy Protocol (VSRP)
• Configuring basic VSRP parameters
• Enabling Layer 3 VSRP
• Configuring optional VSRP parameters
• Clearing VSRP information
Overview of Virtual Switch Redundancy Protocol (VSRP)
FIGURE 75 VSRP mesh – redundant paths for Layer 2 and Layer 3 traffic
[Figure: a VSRP Master and a VSRP Backup, joined by an optional link, each connected to three VSRP Aware devices; the Master’s ports are forwarding (F), the Backup’s ports are blocking (B), and the Master sends Hello packets.]
In this example, two devices are configured as redundant paths for VRID 1. On each device, a Virtual Router ID (VRID) is configured on a port-based VLAN. Since VSRP is primarily a Layer 2 redundancy protocol, the VRID applies to the entire VLAN.
Layer 2 and Layer 3 redundancy
You can configure VSRP to provide redundancy for Layer 2 only or for both Layer 2 and Layer 3:
• Layer 2 only – The Layer 2 links are backed up but specific IP addresses are not backed up.
• Layer 2 and Layer 3 – The Layer 2 links are backed up and a specific IP address is also backed up. Layer 3 VSRP is the same as VRRPE. However, using VSRP provides redundancy at both layers at the same time.
FIGURE 76 VSRP priority
[Figure: VSRP Master and VSRP Backup, each with configured priority = 100 and actual priority = 100 * (3/3) = 100, joined by an optional link and each connected to three VSRP Aware devices.]
However, if one of the VRID’s ports goes down on one of the Backups, that Backup’s priority is reduced.
You can reduce the sensitivity of a VSRP device to failover by increasing its configured VSRP priority. For example, you can increase the configured priority of the VSRP device on the left in Figure 77 to 150. In this case, failure of a single link does not cause failover. The link failure caused the priority to be reduced to 100, which is still equal to the priority of the other device. This is shown in Figure 78.
FIGURE 79 Track port priority
[Figure: VSRP Master with configured priority = 100, track priority 20, track port up, actual priority = (100 - 0) * (3/3) = 100; VSRP Backup with configured priority = 100, actual priority = 100 * (3/3) = 100; three VSRP Aware devices.]
In Figure 79, the track port is up. Since the port is up, the track priority does not affect the VSRP priority calculation.
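To make the priority arithmetic of Figures 76 to 79 concrete, here is an added Python example (not code from the guide or from Brocade) that applies the formula shown in the figures and decides whether a Backup takes over; the VsrpDevice class, the device names and the strict-greater-than failover rule are assumptions made here.

```python
"""VSRP priority arithmetic and failover check.

Added example, not code from the Brocade guide. It models the priority
formula shown in Figures 76 to 79:

    actual = (configured - track priorities of down track ports)
             * (VRID ports up / VRID ports total)

The class and function names, and the scenario values below, are
assumptions taken from the figures, not a Brocade API.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class VsrpDevice:
    name: str
    configured_priority: int                  # the VRID's configured priority
    vrid_ports_up: List[bool]                 # link state of every port in the VRID's VLAN
    track_ports: List[Tuple[int, bool]] = field(default_factory=list)  # (track priority, link up)

    def track_penalty(self) -> int:
        """Sum of the track priorities of track ports whose link is down."""
        return sum(prio for prio, up in self.track_ports if not up)

    def actual_priority(self) -> float:
        """Priority the device advertises in its Hello messages."""
        total = len(self.vrid_ports_up)
        if total == 0:
            raise ValueError("a VRID must have at least one port")
        base = max(self.configured_priority - self.track_penalty(), 0)
        up = sum(1 for state in self.vrid_ports_up if state)
        # multiply before dividing so that 150 * 2 / 3 yields exactly 100.0
        return base * up / total

    def formula(self) -> str:
        """Unit/Formula column as 'show vsrp' prints it, e.g. (100-0)*(4.0/4.0)."""
        total = len(self.vrid_ports_up)
        up = sum(1 for state in self.vrid_ports_up if state)
        return f"({self.configured_priority}-{self.track_penalty()})*({up:.1f}/{total:.1f})"


def failover_occurs(master: VsrpDevice, backup: VsrpDevice) -> bool:
    """True when the Backup should take over from the Master.

    Assumed simplification: a Backup preempts only if its actual priority is
    strictly higher than the Master's. Equal priorities leave the Master in
    place, which is the Figure 78 outcome the text describes.
    """
    return backup.actual_priority() > master.actual_priority()


def figure_scenarios() -> dict:
    """Constructed scenarios matching the page's figures; returns each outcome."""
    # Figure 76: both devices configured 100, all three VRID ports up.
    master = VsrpDevice("left", 100, [True, True, True])
    backup = VsrpDevice("right", 100, [True, True, True])
    steady = failover_occurs(master, backup)

    # Figure 77: one of the Master's three links fails -> 100 * 2/3.
    master.vrid_ports_up = [True, True, False]
    link_down = failover_occurs(master, backup)

    # Figure 78: configured priority raised to 150 beforehand -> 150 * 2/3 = 100.
    master.configured_priority = 150
    raised = failover_occurs(master, backup)

    # Figure 79: track port with track priority 20; up first, then down.
    tracked = VsrpDevice("left", 100, [True, True, True], [(20, True)])
    track_up = tracked.actual_priority()
    tracked.track_ports = [(20, False)]
    track_down = tracked.actual_priority()

    return {
        "fig76_failover": steady,        # False
        "fig77_failover": link_down,     # True
        "fig78_failover": raised,        # False
        "fig79_track_up": track_up,      # 100.0
        "fig79_track_down": track_down,  # 80.0
    }


if __name__ == "__main__":
    for key, value in figure_scenarios().items():
        print(f"{key}: {value}")
```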
• If the port number is the same as the port that previously received a Hello message, the VSRP-aware device assumes that the message came from the same VSRP Master that sent the previous message.
• If the port number does not match, the VSRP-aware device assumes that a VSRP failover has occurred to a new Master, and moves the MAC addresses learned on the previous port to the new port.
The VRID records age out if unused.
BigIron RX(config-vlan-200-vrid-1)# enable
Syntax: [no] enable
or
Syntax: [no] activate
For information about the command’s optional parameters, see the following:
• “Changing the backup priority” on page 439
• “Changing the default track priority” on page 442
Enabling Layer 3 VSRP
Layer 2 VSRP is enabled globally by default on the device; it just needs to be activated or enabled on a VRID.
Syntax: [no] vsrp auth-type no-auth | simple-text-auth
The auth-type no-auth parameter indicates that the VRID and the interface it is configured on do not use authentication.
The auth-type simple-text-auth parameter indicates that the VRID and the interface it is configured on use a simple text password for authentication. The value is the password.
BigIron RX(config-vlan-200-vrid-1)# ip-address 10.10.10.1
Syntax: [no] ip-address
VSRP fast start
VSRP fast start allows non-Brocade or non-VSRP-aware devices that are connected to a Brocade device that is the VSRP Master to quickly switch over to the new Master when a VSRP failover occurs. This feature causes the port on a VSRP Master to restart when a VSRP failover occurs.
BigIron RX(config-vlan-10-vsrp-1)# show vsrp
VLAN 10
 Auth-type no authentication
 VRID 1
 ========
 State     Administrative-status  Advertise-backup  Preempt-mode  Link-Redundancy
 Backup    Enabled                Disabled          True          Disabled
 Parameter       Configured  Current  Unit/Formula
 Priority        100         100      (100-0)*(4.0/4.0)
 Hello-interval  1           1        sec/10
 Hold-interval   3           3        sec/10
 Initial-ttl     2           2        hops
 Master router 219.218.18.52 or MAC xxxx.dbda.
• Backup Hello interval
• Hold-down interval
Each Backup saves the configured timer values to its startup configuration file when you save the device’s configuration.
NOTE
The Backups always use the value of the timer scale received from the Master, regardless of whether the timer values that are saved in the configuration are the values configured on the Backup or the values received from the Master.
The parameter specifies the TTL and can be from 1 – 255. The default TTL is 2.
Changing the hello interval
The Master periodically sends Hello messages to the Backups. To change the Hello interval, enter a command such as the following at the configuration level for the VRID.
BigIron RX(config-vlan-200-vrid-1)# hello-interval 10
Syntax: [no] hello-interval
The parameter specifies the interval and can be from 1 – 84 units.
To change the Backup Hello interval, enter a command such as the following at the configuration level for the VRID.
BigIron RX(config-vlan-200-vrid-1)# backup-hello-interval 180
Syntax: [no] backup-hello-interval
The parameter specifies the message interval and can be from 60 – 3600 units (1 unit = 100 milliseconds). The default is 60 units (6000 milliseconds or 6 seconds).
Specifying a track port
You can configure the VRID on one interface to track the link state of another interface on the device. This capability is useful for tracking the state of the exit interface for the path for which the VRID is providing redundancy. Refer to “VSRP priority calculation” on page 431.
To configure a VRID to track an interface, enter a command such as the following at the configuration level for the VRID.
NOTE
All trunk ports must have the same delayed-link-down-event configuration.
The following command delays the sending of a port "down" event for 100 ms when a port state is detected as "down". If the port state is detected as "up" within that 100 ms, the delayed "down" event is cancelled; otherwise, the "down" event is sent after 100 ms. This prevents upper layer applications from being affected by a port state flapping.
VSRP and MRP signaling
If a VSRP failover from master to backup occurs, VSRP needs to inform MRP of the topology change; otherwise, data from the host continues along the obsolete learned path and never reaches the VSRP-linked device, as shown in Figure 82.
FIGURE 83 New path established
[Figure: a Host attached to an MRP ring (MRP Master and MRP Member nodes) that connects to VSRP Device 1 (VSRP Master and VSRP Backup); Path 1 and Path 2 are labelled and the failed link is marked X.]
There are no CLI commands used to configure this process.
This display shows the following information when you use the vrid or vlan parameter. For information about the display when you use the aware parameter, refer to “Displaying the active interfaces for a VRID” on page 450.
TABLE 90 CLI display of VSRP VRID or VLAN information
This field... / Displays...
Total number of VSRP routers defined – The total number of VRIDs configured on this device.
VLAN – The VLAN on which VSRP is configured.
TABLE 90 CLI display of VSRP VRID or VLAN information (Continued)
This field... / Displays...
priority – The device’s preferability for becoming the Master for the VRID. During negotiation, the Backup with the highest priority becomes the Master. If two or more Backups are tied with the highest priority, the Backup interface with the highest IP address becomes the Master for the VRID.
BigIron RX# show vsrp brief
VLAN  VRID  ConfPri  CurPri  P  State   PeerMacAddr     IpAddress   VIP
10    10    100      80      P  Master  Unknown         Unknown     None
When the command is entered on a Layer 3 VSRP, it displays the following information.
BigIron RX# show vsrp brief
VLAN  VRID  ConfPri  CurPri  P  State   PeerMacAddr     IpAddress   VIP
100   1     150      1       P  Initia  xxxx.1414.1404  20.20.20.4  20.20.20.100
101   2     50       1       P  Initia  xxxx.1e1e.1e01  30.30.30.1  30.30.30.100
Syntax: show vsrp brief
This field...
Displaying the active interfaces for a VRID
On a VSRP-aware device, you can display VLAN and port information for the connections to the VSRP devices (Master and Backups) using the show vsrp aware command. The command shows the active interfaces for the VRID. No output is displayed if the command is entered on a VSRP master or backup.
Chapter 16 Topology Groups
In this chapter
• Topology overview
• Master VLAN and member VLANs
• Master VLANs and customer VLANs in MRP
• Control ports and free ports
• Configuration considerations
• Member VLANs – The member VLANs are additional VLANs that share ports with the master VLAN. The Layer 2 protocol settings for the ports in the master VLAN apply to the same ports in the member VLANs. A change to the master VLAN’s Layer 2 protocol configuration or Layer 2 topology affects all the member VLANs. Member VLANs do not independently run a Layer 2 protocol.
• Member VLAN groups – A VLAN group is a named set of VLANs.
• If you add a new master VLAN to a topology group that already has a master VLAN, the new master VLAN replaces the older master VLAN. All member VLANs and VLAN groups follow the Layer 2 protocol settings of the new master VLAN.
• If you remove the master VLAN (by entering no master-vlan), the software selects the new master VLAN from the member VLANs.
Displaying topology group information
The following sections show how to display topology group information for VLANs.
Displaying topology group information
To display topology group information, enter the following command.
Chapter 17 Configuring VRRP and VRRPE
In this chapter
• Overview of VRRP
• Overview of VRRPE
• VRRP and VRRPE parameters
• Configuring parameters specific to VRRP
• Configuring parameters specific to VRRPE
Overview of VRRP
FIGURE 84 Router1 is Host1’s default gateway but is a single point of failure
[Figure: Router1 (e 2/4 toward the Internet or enterprise Intranet; e 1/6 = 192.53.5.1 toward Host1) and Router2 (e 3/2 toward the Internet or enterprise Intranet; e 1/5 toward Host1); Host1’s default gateway is 192.53.5.1.]
As shown in this example, Host1 uses 192.53.5.1 on Router1 as the host’s default gateway out of the subnet. If this interface goes down, Host1 is cut off from the rest of the network.
FIGURE 85 Router1 and Router2 are configured as a VRRP virtual router to provide redundant network access for Host1
The figure labels read: Router1 (e 2/4 toward the Internet or enterprise Intranet; e 1/6 = 192.53.5.1) – VRID1, Router1 = Master, IP address = 192.53.5.1, MAC address = 00-00-5E-00-01-01, Owner, Priority = 255. Router2 (e 3/2 toward the Internet or enterprise Intranet; e 1/5 = 192.53.5.3) – VRID1, Router2 = Backup, IP address = 192.53.5.1, MAC address = 00-00-5E-00-01-01, Priority = 100. Host1 Default Gateway 192.53.5.
Virtual routers use VRID Hello messages to determine if a Master router is available. They send Hello messages to IP Multicast address 224.0.0.18 at a specified frequency. The Backup routers wait for a duration of time for a Hello message from the Master. This duration is called the Dead Interval. If a Backup router does not receive a Hello message by the time the dead interval expires, the Backup router assumes that the Master router is dead.
Figure 85 on page 457, Router1’s priority changes from 255 to 20. One of the parameters contained in the Hello messages the Master router sends to its Backups is the Master router’s priority. If the track port feature results in a change in the Master router’s priority, the Backup routers quickly become aware of the change and initiate a negotiation for Master router.
Overview of VRRPE

VRRPE is Brocade's proprietary version of VRRP that overcomes limitations in the standard protocol. It is similar to VRRP, but differs in the following respects:
• Owners and Backups:
  • VRRP has an Owner and one or more Backups for each virtual router. The Owner is the router that has the IP address used for the virtual router. All the other routers supporting the virtual router are Backups.
  • VRRPE does not use Owners.
• VRRPE reduces the priority of a VRRPE interface by the amount of a tracked interface's track priority if the tracked interface's link goes down. For example, if the VRRPE interface's priority is 200 and a tracked interface with track priority 20 goes down, the software changes the VRRPE interface's priority to 180. If another tracked interface goes down, the software reduces the VRID's priority again, by the amount of that tracked interface's track priority.
Similarly, Router2 is the master for VRID 2 (backup priority = 110) and Router1 is the backup for VRID 2 (backup priority = 100). Router1 and Router2 are both tracking the uplinks to the Internet. If an uplink failure occurs on Router2, its backup priority is decremented by 20 (track priority = 20), so that all traffic destined to the Internet is sent through Router1 instead. The BigIron RX device configured for VRRPE can interoperate only with other BigIron RX devices.
VRRP and VRRPE parameters

TABLE 93 VRRP and VRRPE parameters (Continued)
Parameter: Authentication type
Description: The type of authentication the VRRP or VRRPE routers use to validate VRRP or VRRPE packets. The authentication type must match the authentication type the VRID's port uses with other routing protocols such as OSPF.
• No authentication – The interfaces do not use authentication. This is the VRRP default.
TABLE 93 VRRP and VRRPE parameters (Continued)
Parameter: Track port
Description: Another device port or virtual interface whose link status is tracked by the VRID's interface. If the link for a tracked interface goes down, the VRRP or VRRPE priority of the VRID interface is changed, causing the devices to renegotiate for Master.
Default: None
See page: 458, 469
Parameter: Track priority
Description: A VRRP or VRRPE priority value assigned to the tracked ports.
Configuring parameters specific to VRRP

Configuring basic VRRP parameters
To implement a simple VRRP configuration using all the default values, enter commands such as the following.

Configuring the owner
Router1(config)# router vrrp
Router1(config)# interface ethernet 1/6
Router1(config-if-e10000-1/6)# ip address 192.53.5.1
Router1(config-if-e10000-1/6)# ip vrrp vrid 1
Router1(config-if-e10000-1/6-vrid-1)# owner
Router1(config-if-e10000-1/6-vrid-1)# ip-address 192.53.5.
• The Dead interval must be set to the same value on both the Owner and Backups for the virtual router.
• The track priority on a router must be lower than the router's VRRP priority. Also, the track priority on the Owner must be higher than the track priority on the Backups.

Configuring parameters specific to VRRPE

VRRPE is configured at the interface level.
Configuring additional VRRP and VRRPE parameters

You can modify the following VRRP and VRRPE parameters on each individual virtual router.
The auth-type simple-text-auth parameter indicates that the virtual router and the interface it is configured on use a simple text password for authentication. The parameter is the password. If you use this parameter, make sure all interfaces on all the routers supporting this virtual router are configured for simple password authentication and use the same password. Note that a simple text password is carried in cleartext in every VRRP advertisement on the segment, so it prevents accidental misconfiguration but does not stop a host on the same VLAN from reading it and sending its own advertisements.
Dead interval
The Dead interval is the number of seconds a Backup waits for a Hello message from the Master before determining that the Master is dead. When Backups determine that the Master is dead, the Backup with the highest priority becomes the new Master. The Dead interval can be from 1 – 84 seconds. The default is 3.5 seconds. This is three times the default Hello interval (1 second) plus one-half second added by the router software.
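The Hello messages, priority, track-port decrement, Dead interval and simple-text authentication described above can be seen end to end in the following Python model. It is an added example, not code from the Brocade guide or from IronWare: it encodes and decodes a VRRPv2 advertisement in the RFC 3768 wire format (the guide does not show the packet layout), applies the guide's Dead interval formula and VRRPE track-priority rule, and elects a Master. The tie-break on higher IP address is the RFC rule and is assumed here, since the guide does not state one; the addresses, VRID and password are constructed test values.

```python
"""Added example (not from the Brocade guide): build and parse a VRRPv2
advertisement as sent to 224.0.0.18, and model the Master election the
guide describes (highest priority wins, track-port failures lower it)."""
import ipaddress
import struct

VRRP_MCAST_GROUP = "224.0.0.18"      # destination of every Hello/advertisement
VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
AUTH_NONE = 0                         # "No authentication" (VRRP default)
AUTH_SIMPLE_TEXT = 1                  # "auth-type simple-text-auth"
OWNER_PRIORITY = 255                  # the Owner's fixed priority
AUTH_DATA_LEN = 8                     # RFC 2338/3768: eight octets of auth data
HEADER = struct.Struct("!BBBBBBH")    # ver|type, vrid, prio, count, auth, adver_int, csum


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def virtual_mac(vrid: int) -> str:
    """IANA VRRP MAC 00-00-5E-00-01-<VRID>, e.g. 00-00-5E-00-01-01 for VRID 1."""
    return "00-00-5E-00-01-%02X" % vrid


def build_advertisement(vrid, priority, vips, adver_int=1,
                        auth_type=AUTH_NONE, password=b"") -> bytes:
    """Serialize one advertisement; a simple-text password travels in cleartext."""
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    auth = password[:AUTH_DATA_LEN].ljust(AUTH_DATA_LEN, b"\x00")
    first = (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT
    pkt = HEADER.pack(first, vrid, priority, len(vips), auth_type, adver_int, 0)
    pkt += body + auth
    csum = internet_checksum(pkt)
    return pkt[:6] + struct.pack("!H", csum) + pkt[8:]


def parse_advertisement(pkt: bytes) -> dict:
    """Validate length, version/type and checksum, then decode the fields."""
    if len(pkt) < HEADER.size + AUTH_DATA_LEN or internet_checksum(pkt) != 0:
        raise ValueError("corrupted or truncated VRRP advertisement")
    first, vrid, prio, count, auth_type, adver_int, _ = HEADER.unpack_from(pkt)
    if first >> 4 != VRRP_VERSION or first & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != HEADER.size + 4 * count + AUTH_DATA_LEN:
        raise ValueError("IP address count does not match packet length")
    off = HEADER.size
    vips = [str(ipaddress.IPv4Address(pkt[off + 4 * i:off + 4 * i + 4]))
            for i in range(count)]
    off += 4 * count
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "auth_type": auth_type, "vips": vips,
            "auth_data": pkt[off:off + AUTH_DATA_LEN].rstrip(b"\x00")}


def dead_interval(hello_interval: float = 1.0) -> float:
    """Guide: Dead interval = 3 x Hello interval + 0.5 s (3.5 s by default)."""
    return 3 * hello_interval + 0.5


def vrrpe_priority(configured: int, down_track_priorities) -> int:
    """VRRPE rule from the guide: subtract each failed tracked port's track
    priority (200 with one 20-point port down -> 180).  Clamped at 1 because
    priority 0 has the special meaning "Master is releasing the VRID"."""
    return max(configured - sum(down_track_priorities), 1)


def elect_master(candidates):
    """Highest priority becomes Master.  Ties break on the higher primary
    IP address (RFC 3768 tie-break, assumed; the guide does not state one)."""
    return max(candidates,
               key=lambda c: (c["priority"], ipaddress.IPv4Address(c["src"])))["src"]


if __name__ == "__main__":
    # Constructed inputs matching the guide's Figure 85 topology.
    owner = build_advertisement(1, OWNER_PRIORITY, ["192.53.5.1"],
                                auth_type=AUTH_SIMPLE_TEXT, password=b"vrrp-pw")
    seen = parse_advertisement(owner)
    print(virtual_mac(seen["vrid"]), seen["priority"], seen["auth_data"])
    # Any host on the segment can read seen["auth_data"] off the wire and
    # reuse it in a priority-255 advertisement, so the password is not a trust boundary.
    print(elect_master([{"src": "192.53.5.1", "priority": 255},
                        {"src": "192.53.5.3", "priority": 100}]))
```

Running the block prints the virtual MAC for VRID 1, the Owner priority and the recovered password, then the elected Master; lowering the Owner to its track priority (20, as in the text above Figure 85) makes the Backup at priority 100 win the election.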
Router1(config)# interface ethernet 1/6
Router1(config-if-e10000-1/6)# ip vrrp vrid 1
Router1(config-if-e10000-1/6-vrid-1)# track-port e 2/4

Syntax: track-port ethernet / ve

The syntax is the same for VRRP and VRRPE.
To disable preemption on a Backup, enter commands such as the following.

Router1(config)# interface ethernet 1/6
Router1(config-if-e10000-1/6)# ip vrrp vrid 1
Router1(config-if-e10000-1/6-vrid-1)# non-preempt-mode

Syntax: non-preempt-mode

The syntax is the same for VRRP and VRRPE.

Master router abdication and reinstatement
To change the Master's priority, enter commands such as the following.
Displaying VRRP and VRRPE information

• Summary configuration and status information
• Detailed configuration and status information
• VRRP and VRRPE statistics

Displaying summary information
To display summary information for a device, enter the following command at any level of the CLI.
TABLE 94 CLI display of VRRP or VRRPE summary information (Continued)
This field... Displays...
P  Whether the backup preempt mode is enabled. If the backup preempt mode is enabled, this field contains a "P". If the mode is disabled, this field is blank.
State  This device's VRRP or VRRPE state for the virtual router. The state can be one of the following:
• Init – The virtual router is not enabled (activated).
Syntax: show ip vrrp-extended [brief | ethernet / | ve | stat]

The brief parameter displays summary information. Refer to "Displaying summary information" on page 472.
The ethernet / parameter specifies an Ethernet port. If you use this parameter, the command displays VRRP or VRRPE information only for the specified port.
The ve parameter specifies a virtual interface.
TABLE 95 CLI display of VRRP or VRRPE detailed information (Continued)
This field... Displays...
virtual MAC  The virtual MAC address of the virtual router that this device is backing up.
priority  The device's preferability for becoming the Master for the virtual router. During negotiation, the router with the highest priority becomes the Master.
TABLE 95 CLI display of VRRP or VRRPE detailed information (Continued)
This field... Displays...
backup router expires in  The IP addresses of Backups that have advertised themselves to this Master by sending Hello messages. The
 . received packets dropped by owner = 0
 . received packets with ip ttl errors = 0
 . received packets with ip address mismatch = 0
 . received packets with advertisement interval mismatch = 0
 . received packets with invalid length = 0
 total number of vrrp-extended packets sent = 2004
 . sent backup advertisements = 0
Configuration examples

Configuring Router1
To configure VRRP Router1, enter the following commands.

Router1(config)# router vrrp
Router1(config)# interface ethernet 1/6
Router1(config-if-e10000-1/6)# ip address 192.53.5.1
Router1(config-if-e10000-1/6)# ip vrrp vrid 1
Router1(config-if-e10000-1/6-vrid-1)# owner track-priority 20
Router1(config-if-e10000-1/6-vrid-1)# track-port ethernet 2/4
Router1(config-if-e10000-1/6-vrid-1)# ip-address 192.53.5.
The activate command activates the virtual router configuration on this interface. The interface does not provide backup service for the virtual IP address until you activate the VRRP configuration.
Router1(config-if-e10000-5/1-vrid-1)# track-port ethernet 3/2
Router1(config-if-e10000-5/1-vrid-1)# ip-address 192.53.5.
Chapter 18 Configuring Quality of Service

In this chapter
• Overview of Quality of Service (QoS)
• Classification
• Marking
• Configuring ToS-based QoS
• Packet priority – Depending on the trust level set, a packet can be classified by either the 802.1p priority or the DSCP value that it has when it arrives at the switch. If no trust level is set, the packet defaults to a priority set by earlier criteria. By default, the trust level is set to 802.1p. In addition, you can configure a port to override the DSCP value of every packet that arrives on it with a user-configured value.
TABLE 96 Default QoS mappings, columns 0 to 15
DSCP value: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
802.
• CoS to DSCP mapping – You can change the mapping between 802.1p (CoS) values and DSCP values from the default values shown in Table 96 through Table 99. This mapping is used for DSCP marking when the trust level is CoS. Refer to "Changing the CoS –> DSCP mappings" on page 487.
• DSCP to DSCP mapping – You can alter the DSCP value of a received packet to a value configured on the switch. This mapping is used for DSCP marking when the trust level is DSCP.
• Incoming port (sometimes called the ingress port)
• Port-based VLAN membership
• Static MAC entry

The following sections describe how to change the priority for each of the items listed above. Although it is possible for a packet to qualify for an adjusted QoS priority based on more than one of the criteria above, the system determines the priority it will use for forwarding as described in "Processing of classified traffic" on page 482.
To configure a static MAC entry and assign the entry to the premium queue on a device, enter commands such as the following.

BigIron RX(config)# vlan 9
BigIron RX(config-vlan-9)# static-mac-address 1145.1163.67FF ethernet 1/1 priority 7

Syntax: [no] static-mac-address ethernet / [priority ]

The priority parameter can be from 0 – 7 and specifies the priority level, which maps to one of the four QoS queues.
Enabling marking
This command enables marking of the 802.1p field or the DSCP field in the ToS byte of an IP header.

Syntax: [no] qos-tos mark cos | dscp

The cos | dscp parameter specifies the type of marking.
• cos – The device changes the outbound packet's 802.1p priority value to match the results of the device's QoS mapping from the specified trust level.
COS-DSCP map:
   COS:   0   1   2   3   4   5   6   7
   ---------------------------------------
  dscp:   0  33  25  49  17   7  55  41

Syntax: [no] qos-tos cos-dscp

The through parameters specify the DSCP values you are mapping the eight CoS values to. You must enter DSCP values for all eight CoS values, in order from CoS value 0 – 7.
DSCP-Priority map: (dscp = d1d2)
   d2|  0  1  2  3  4  5  6  7  8  9
 d1  |
-----+------------------------------
  0  |  1  0  1  1  1  0  0  0  5  1
  1  |  6  1  1  1  1  1  4  2  2  2
  2  |  2  2  2  2  2  3  3  3  3  3
  3  |  3  3  0  4  4  4  4  4  4  4
  4  |  7  5  5  5  5  5  5  5  3  6
  5  |  6  6  6  6  6  6  6  7  7  7
  6  |  7  7  7  7

For information about the rest of this display, refer to "Displaying QoS configuration information" on page 490.

Syntax: [no] qos-tos map dscp-priority [...
The through parameters specify the CoS values you are mapping the eight internal priorities to. You must enter CoS values for all eight internal priorities, in order from priority 0 – 7.

Displaying QoS configuration information
To display configuration information, enter the following command at any level of the CLI.
TABLE 100 ToS-based QoS configuration information
This field... Displays...
Interface QoS, marking and trust level information
i/f  The interface
QoS  The state of ToS-based QoS on the interface. The state can be one of the following:
• No – Disabled
• Yes – Enabled
Mark  The marking type enabled on the interface. The marking type can be any of the following:
• COS – CoS marking is enabled.
• DSCP – DSCP marking is enabled.
• No – Marking is not enabled.
-----+------------------------------
  0  |  0  0  0  0  0  0  0  0  1  1
  1  |  1  1  1  1  1  1  2  2  2  2
  2  |  2  2  2  2  3  3  3  3  3  3
  3  |  3  3  4  4  4  4  4  4  4  4
  4  |  5  5  5  5  5  5  5  5  6  6
  5  |  6  6  6  6  6  6  7  7  7  7
  6  |  7  7  7  7

COS-DSCP map:
   COS:   0   1   2   3   4   5   6   7
   ---------------------------------------
  dscp:   0   8  16  24  32  40  48  56

IP Precedence-DSCP map:
ip-prec:   0   1   2   3   4   5   6   7
   ---------------------------------------
  dscp:   0   8  16  24  32  40  48  56

Syntax: show qos-maps

Ta
1/3  | destination-weighted  Weight
1/4  | strict
1/5  | strict
1/6  | strict
1/7  | strict
1/8  | strict
1/9  | strict
1/10 | strict
1/11 | strict
1/12 | strict
1/13 | enhanced-strict  Rate
1/14 | strict
1/15 | strict
1/16 | strict
1/17 | strict
1/18 | strict
1/19 | strict
1/20 | strict
1/21 | strict
1/22 | strict
1/23 | strict
1/24 | strict
2/1  | destination-weighted  Weight
2/2  | destination-weighted  Weight
(output truncated for brevity)...
TABLE 102 Queueing configuration information (Continued)
Field  Description
MaxQSz  Specifies the instantaneous queue size in KB.
DropPrec  Specifies the drop precedence.
MinAvgQSz  Specifies the minimum average queue size in KB.
MaxAvgQSz  Specifies the maximum average queue size in KB.
MaxDropProb  Specifies the maximum drop probability as a percentage.
MaxPktSz  Specifies the maximum packet size in bytes.
is accepted. If the average queue size is above the configured Max. Average Queue Size threshold, the packet is dropped. If the average queue size falls between the Min. Average Queue Size and the Max. Average Queue Size, packets are dropped according to the calculated probability described in "Calculating packets that are dropped" on page 495.

FIGURE 88 WRED operation graph (drop probability rises from 0 at the Min. Average Queue Size to Pmax at the Max. Average Queue Size; above it every packet is dropped)
Using WRED with rate limiting
When rate limiting is configured on a device, it directs the switch to drop traffic indiscriminately when the configured average-rate and maximum-burst thresholds are exceeded. If rate limiting is configured with WRED, the traffic that exceeds these thresholds can be subjected to the WRED algorithm, which drops packets selectively by priority.
TABLE 103 Possible Wq values (Continued)
Averaging weight setting  Wq value as a percentage
6   1.56%
7   0.78%
8   0.4%
9   0.2%
10  0.09%
11  0.05%
12  0.02%
13  0.01%

To set the wq parameter for queues with a queue type of 1 to 25%, use the following command.

BigIron RX(config)# qos queue-type 1 wred averaging-weight 25%

This gives the current queue size a weight of 25% over the statistical average queue size.
Syntax: [no] qos queue-type wred drop-precedence drop-probability-max

The queue-type variable is the number of the forwarding queue for which you want to configure drop precedence. There are four forwarding queues on the device. They are numbered 0 to 3, with 0 as the lowest priority queue and 3 the highest.
The minimum average queue size variable is the average queue size below which all packets are accepted. Possible values are 1 - 32768 KBytes, in multiples of 64K. The default values are shown in Table 104.
The maximum average queue size variable is the average queue size above which all packets are dropped. Possible values are 1 - 32768 KBytes, in multiples of 64K. The default values are shown in Table 104.
TABLE 104 WRED default settings (Continued)
Queue type | Drop precedence | Minimum average queue size (KByte) | Maximum average queue size (KByte) | Maximum packet size (Byte) | Maximum drop probability
(continued) | 1 | 304 | 1024 | 16384 | 4%
(continued) | 2 | 256 | 1024 | 16384 | 9%
(continued) | 3 | 204 | 1024 | 16384 | 10%
2 | 0 | 408 | 1024 | 16384 | 2%
2 | 1 | 356 | 1024 | 16384 | 4%
2 | 2 | 304 | 1024 | 16384 | 9%
2 | 3 | 256 | 1024 | 16384 | 9%
3 | 0 | 408 | 1024 | 16384 | 2%
3 | 1 | 356 | 1024 | 16384 | 4%
3 | 2 | 304 | 1024 | 16384 | 9%
3 | 3 | 256 | 1024 | 163
• Strict priority-based scheduling – This scheme guarantees that higher-priority traffic is always serviced before lower-priority traffic. The disadvantage of strict priority-based scheduling is that lower-priority traffic can be starved of any access.
• Enhanced strict scheduling – With enhanced strict scheduling enabled, a configurable minimum bandwidth is allocated to lower-priority traffic so that it is not starved.
Configuring enhanced strict priority-based traffic scheduling
To configure enhanced strict priority-based scheduling, use a command such as the following.
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e1000-1/1)# qos scheduler destination-weighted 5 10 15 20

Syntax: qos scheduler destination-weighted

The first variable defines the relative value for queue0 in calculating queue0's allocated bandwidth. The second variable defines the relative value for queue1 in calculating queue1's allocated bandwidth.
The third variable defines the maximum bandwidth allocated to forwarding queue 2 in Kbps. The fourth variable defines the maximum bandwidth allocated to forwarding queue 3 in Kbps.

Configuring minimum rate-based traffic scheduling
To configure minimum rate-based scheduling, use a command such as the following.
BigIron RX# show qos scheduler
Port  | Scheduler Type                      Prio0     Prio1     Prio2     Prio3
      | (Rates where specified are in Kbps)
------+-------------------------------------+---------+---------+---------+---------
13/1  | strict
13/2  | enhanced-strict      Rate           100000    200000    300000    Remaining
13/3  | min-rate             Rate           102400    204800    307200    409600
13/4  | strict
13/5  | strict
13/6  | max-rate             Rate           400000    400000    800000    10000000
13/7  | destination-weighted Weight         15        25        25        35
13/8  | strict
13/9  | source-w
To limit the multicast traffic through the packet processor that includes port 1/1 to 10 Mbps, use the following command.

BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e1000-1/1)# qos multicast best-effort rate 10000

Syntax: qos multicast best-effort rate

The rate variable defines the bandwidth, in Kbps, of multicast traffic that is allowed to pass through the packet processor that includes the port on which this command is configured.
• Virtual interface subsets are not supported for egress ACLs.
• Egress filtering on the 16x10 module compares only the 3 ToS bits (delay, throughput, reliability).
Setting the averaging-fair-weight (wfq) parameter
The wfq parameter is configured as the averaging-fair-weight parameter. In this implementation, you can set one of 13 (1 - 13) possible values. These values represent a wfq value as described in Table 106.

Calculating the values for WFQ storage mode traffic scheduling
Weighted Fair Queueing (WFQ) scheduling is configured to be a percentage of available bandwidth using the following formula.
Table 106 identifies the profile used for network control traffic, which is identified using an independent flag.
NOTE
The configurations for group port 1 will now be associated to s/1, s/5, s/9, s/13.

3. To set the group port 2 weight for low priority traffic:
BigIron RX(config-if-e10000-4/1)# qos scheduler destination-weighted 1 2 1

4. To set the group port 2 weight for high priority traffic:
BigIron RX(config-if-e10000-4/1)# qos scheduler destination-weighted 1 2 1 2

NOTE
The configurations for group port 2 will now be associated to s/2, s/6, s/10, s/14.

5.
Chapter 19 Configuring Traffic Reduction

In this chapter
• Traffic policing on the BigIron RX Series
• Traffic reduction parameters and algorithm
• Configuration considerations
• Configuring rate limiting policies
Traffic reduction parameters and algorithm

A rate limiting policy specifies two parameters: requested rate and maximum burst.

Requested rate
The requested rate is the maximum number of bits a port is allowed to receive during a one-second interval. The rate of the traffic that matches the rate limiting policy will not exceed the requested rate.
Credits and credit total
Each rate limiting policy is assigned a class. A class uses the average rate and maximum allowed burst in the rate limiting policy to calculate credits and credit totals. Credit size is measured in bytes. A credit is a forwarding allowance for a rate-limited port, and is the smallest number of bytes that can be allowed during a rate limiting interval. The minimum credit size can be 1 byte.
• Certain features such as FDP, CDP, UDLD and LACP that make the port run in dual mode can cause traffic to be rate limited to less than the expected requested rate. When the port is in dual mode, all incoming or outgoing packets are treated as tagged. An extra 4 bytes is added to the length of the packet to account for the tag, thus causing the requested rate to be less than the expected requested rate.
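The requested rate, maximum burst and credit mechanism described under "Traffic reduction parameters and algorithm", and the 4-byte dual-mode tag overhead noted just above, can be illustrated with a token-bucket policer. The following Python is an added example, not code from the Brocade guide or a description of the BigIron RX hardware: the bucket refills at the requested rate up to the maximum burst and each packet spends its length in bits, which is the textbook model of a rate/burst policer and is assumed here; the guide's own credit sizing and interval are not reproduced. Packet sizes and times are constructed.

```python
"""Added example (not from the Brocade guide): a token-bucket model of a
rate limiting policy with a requested rate (bits/s) and a maximum burst
(bits), including the 4-byte tag overhead the guide notes for dual-mode ports."""
from dataclasses import dataclass

TAG_OVERHEAD_BYTES = 4   # 802.1Q tag counted against every packet on a dual-mode port


@dataclass
class RateLimitPolicy:
    requested_rate_bps: int      # bits the port may receive per second
    max_burst_bits: int          # credit ceiling: bits that may pass in one burst
    dual_mode: bool = False      # FDP/CDP/UDLD/LACP: treat every packet as tagged

    def __post_init__(self):
        if self.requested_rate_bps <= 0 or self.max_burst_bits <= 0:
            raise ValueError("requested rate and maximum burst must be positive")
        self.credits_bits = float(self.max_burst_bits)   # start with a full bucket
        self.last_time = 0.0

    def offer(self, arrival_time: float, length_bytes: int) -> bool:
        """Return True if the packet is forwarded, False if the policy drops it."""
        if arrival_time < self.last_time:
            raise ValueError("packets must be offered in time order")
        # Replenish credits at the requested rate, never above the burst ceiling.
        elapsed = arrival_time - self.last_time
        self.credits_bits = min(self.max_burst_bits,
                                self.credits_bits + elapsed * self.requested_rate_bps)
        self.last_time = arrival_time
        # On a dual-mode port the tag bytes are charged too, so fewer payload
        # bytes fit under the same requested rate (the guide's caveat).
        charged = length_bytes + (TAG_OVERHEAD_BYTES if self.dual_mode else 0)
        cost = 8 * charged
        if cost <= self.credits_bits:
            self.credits_bits -= cost
            return True
        return False


def run_policy(policy: RateLimitPolicy, arrivals):
    """Offer (time_s, length_bytes) pairs; return (forwarded_bytes, dropped_packets)."""
    forwarded = dropped = 0
    for t, length in arrivals:
        if policy.offer(t, length):
            forwarded += length
        else:
            dropped += 1
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed input: 8 kbit/s with an 8 kbit burst, four 1000-byte packets.
    policy = RateLimitPolicy(requested_rate_bps=8000, max_burst_bits=8000)
    print(run_policy(policy, [(0.0, 1000), (0.0, 1000), (0.5, 1000), (1.0, 1000)]))
    # Same limits on a dual-mode port: a 1000-byte packet now costs 8032 bits.
    print(RateLimitPolicy(8000, 8000, dual_mode=True).offer(0.0, 1000))
```

With 8 kbit/s and an 8 kbit burst, the first 1000-byte packet empties the bucket, the second at the same instant is dropped, the third at 0.5 s finds only 4000 bits and is dropped, and the fourth at 1.0 s is forwarded; the dual-mode variant drops a 1000-byte packet even from a full bucket, which is the "less than the expected requested rate" effect the bullet describes.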
Syntax: [no] rate-limit input | output

Input applies rate limiting to inbound traffic on the port. Input can be abbreviated as in.
Output applies rate limiting to outbound traffic on the port. Output can be abbreviated as out.

Notes:
• For outbound ports with slow speed links (for example, GbE), the rate supported is in 0.65 Mbps increments, starting with 0.65 Mbps. That is, supported rates are 0.65 Mbps, 1.3 Mbps, 1.95 Mbps, etc.
BigIron RX(config)# interface ethernet 1/3
BigIron RX(config-if-e1000-1/3)# rate-limit in vlan 10 500000000 750000000
Average rate is adjusted to 499321856 bits per second
BigIron RX(config-if-e1000-1/3)# rate-limit in vlan 20 100000000 600000000
Average rate is adjusted to 97523712 bits per second

The commands configure two rate limiting policies that limit the requested rate of inbound traffic on port 1/3.
The command configures a rate limiting policy on port 1/4 that limits the rate of inbound traffic from VLAN group 10 (packets tagged with VLAN 3, 5, 6, or 7) to 500 Mbps with a maximum burst size of 750 Mbits.

Syntax: rate-limit in group

The group parameter specifies the rate limiting VLAN group.
• You can apply an ACL ID to a port-and-ACL-based rate limiting policy before you define the ACL. The rate limiting policy does not take effect until the ACL is defined.
• It is not necessary to remove an ACL from a port-and-ACL-based rate limiting policy before deleting the ACL.

Refer to Chapter 22, "Access Control List," for details on how to configure ACLs.

To configure a port-and-ACL-based rate limiting policy, enter commands such as the following.
BigIron RX(config)# ipv6 access-list sample
BigIron RX(config-ipv6-access-list sample)# permit ipv6 10:10::0:0/64 any
BigIron RX(config-ipv6-access-list sample)# deny ipv6 any any

The following configuration creates a rate limiting policy on port 1/1. The policy limits the rate of all inbound IP traffic that matches the permit rules to 100 Mbps with a maximum burst size of 200 Mbits.
The maximum burst parameter specifies the total number of bits that can pass during a burst. Possible values are from 1 - 4294967295. The default value is 4294967295.
The np parameter specifies the rate limit per network processor. The slot/port value specifies the interface module and port to be rate limited. The all parameter specifies that you want all the ports to be rate limited.
BigIron RX(config)# show rate-limit interface 1/3
interface ethernet 1/3
 rate-limit input vlan-id 10 499321856 750000000
 rate-limit input vlan-id 20 97523712 200000000

To display rate-limit VLAN groups, enter the following.
Chapter 20 Multi-Chassis Trunking

In this chapter
• Multi-Chassis Trunking overview
• Configuring MCT
• Port loop detection support in MCT
• MAC Database Update over cluster control protocol
• MCT failover scenarios
Benefits of MCT
The benefits of MCT are as follows:
• Provides link-level and switch-level redundancy.
• Provides increased capacity by using all the links (including the redundant ones) for traffic transport. This contrasts with the use of the Spanning Tree Protocol (STP), which does not use redundant links for traffic transport.
• Provides traffic restoration in tens of milliseconds in case of link or switch failures.
NOTE
On the BigIron RX devices, Layer 2 multicast snooping is not supported in MCT.

FIGURE 90 MCT architecture (the MCT peers act as a single logical switch toward the client; the client side is standard IEEE 802.3ad link aggregation, so MCT is transparent to third-party devices)

MCT components
Figure 91 shows an example of MCT deployment, functions, and features.
• MCT client - The MCT client is the device that connects with the MCT peer switches through an IEEE 802.3ad link. The client can be a switch or an endpoint server host in the single-level MCT topology, or another pair of MCT switches in a multi-tier MCT topology.
• ICL - A single-port or a multi-port 10 GbE interface between the two MCT peer switches. The ICL link is typically a standard IEEE 802.3ad LAG interface, which carries packets for multiple VLANs.
• Cluster Client RBridge Reachability (CCRR) - The CCRR message is used to exchange information between the peers.

Dynamic LAGs
The MCT client creates a single dynamic LAG towards the MCT nodes. For the MCT nodes, the dynamic LAG consists of two LAGs, each configured on one of the MCT devices. A dynamic LAG runs Link Aggregation Control Protocol (LACP).
ICL traffic handling
An ICL link on the BigIron RX device can be a single port, a static LAG, or an LACP LAG. On the BigIron RX device, only MCT VLANs are configured over the ICL. For MCT VLANs, MAC learning is disabled on the ICL ports.

BUM traffic handling in MCT VLANs
On the BigIron RX device, broadcast, unknown-unicast and multicast (BUM) traffic processing in MCT VLANs is handled by software due to hardware limitations.
Rate limiting multicast traffic in MCT VLANs
To configure the multicast rate limit at the NP level, enter a command such as the following.

BigIron RX(config)# multicast rate-limit 1000000 1 np 2/2

Syntax: [no] multicast rate-limit np [slot/port | all]

To configure the multicast rate limit at the port level, enter a command such as the following.
• BLK_BY_ICL state indicates that superior BPDUs are being received on the interface, which leads to blocking of the ICL interface.
• Due to the blocking of the ICL interface, the ICL port guard mechanism is triggered on the port.
• FWD_BY_MCT state indicates that the MCT peer has set the CCEP state to FORWARDING.
• BLK_BY_MCT state indicates that the MCT peer has set the CCEP state to BLOCKING.
• Hitless upgrade. If the operation is performed with the cluster configuration, the TCP session is re-established. The MAC entries from the cluster peers are revalidated and programmed accordingly. Brocade recommends shutting down all the CCEPs on the cluster node so that the upgrade is graceful and the operation is hitless.

Configuring MCT
Perform the following procedures to configure a single-level MCT scenario as shown in Figure 93.

1.
• On the BigIron RX devices, the ICL ports can be a part of only MCT member VLANs and not regular VLANs.
• The BigIron RX devices disable MAC learning on the ICL ports for the VLANs configured in the cluster.
• MDUP synchronizes all the MAC entries for the VLANs served by the ICL link.
• MCT clients can support eight ports per LAG.
• On the CCEP, MCT does not support multicast and routing protocols.
• The Cluster ID must be the same on both the cluster switches.
On TOR-A, ports 1/3-1/4 and 1/5 are CCEPs, and port 1/7 is a CEP. On TOR-B, ports 1/3 and 1/4 are CCEPs, and port 1/5 is a CEP. Ports 1/1-1/2 are the ICL ports used for transport of the MCT control protocol packets or data packets.
Syntax: [no] lag [static | dynamic] [id ]

The static option specifies that the LAG with the name specified by the lag parameter is configured as a static LAG.
The dynamic option specifies that the LAG with the name specified by the lag parameter is configured as a dynamic LAG.
The id parameter is optional. The id parameter can take values from 1 through 256.
If the no deploy command is executed, the LAG is removed. For dynamic LAGs, LACP is deactivated on all the LAG ports. If the no deploy command is issued while more than one LAG port is still enabled, the command is aborted and the following error message is displayed: "Error 2 or more ports in the LAG are not disabled, un-deploy the LAG may form a loop - aborted." Using the forced option with the no deploy command, the LAG is undeployed regardless.

5.
BigIron RX(config-lag-3)# deploy

5. Assign a name to an individual port within LAG 3 by entering the following commands.

BigIron RX(config-lag-2)# port-name lag-client-2:1/1 ethernet 1/5
BigIron RX(config-lag-2)# port-name lag-client-1:1/2 ethernet 1/4

Enabling Layer 2 switching
By default, the BigIron RX devices support routing over Layer 2 switching. You can enable Layer 2 switching globally or on individual ports using the no route-only command.
The VLAN ID variable specifies the VLAN ID. The value can be from 1 through 4090. The range of VLAN IDs above 4090 is reserved for internal control purposes.
The VLAN name variable specifies the VLAN name and can be up to 255 characters long.

NOTE
In earlier software releases, the VLAN name can accept only 32 characters. The VLAN configuration is denied if you configure more than 32 characters for the VLAN name.
Syntax: [no] port-name

The name variable is an alphanumeric string. The name can be up to 255 characters long and can include blank spaces. You must not use quotation marks (") around the string, even if the string contains blank spaces.

Adding a VE interface
To add a VE interface and configure an IP address for the interface, enter commands such as the following.

BigIron RX(config)# interface ve 100
BigIron RX(config-vif-100)# ip address 1.1.1.
NOTE
The ICL ports must be tagged within the session VLAN.

4. Specify the VLAN range for the cluster to be used for MAC synchronization. Multiple VLAN ranges are supported for the configuration. To create a member VLAN, enter the following command.

BigIron RX(config-cluster-TOR)# member-vlan 2

Syntax: [no] member-vlan to

The two variables specify the start and end of the VLAN range.

NOTE
The VLAN range is allowed to change even if the cluster is deployed.

5.
Cluster client 1
1. Create a cluster client instance and change the mode to the client instance. If an instance is already present, then directly change the mode to the client instance mode.
BigIron RX(config-cluster-TOR)# client client-1
Syntax: [no] client
The variable specifies the client name and can be up to 64 characters in length. For a two-port MCT configuration, the maximum number of clients supported on the BigIron RX devices is 1536/2.
2.
BigIron RX(config-cluster-TOR-client-2)# client-interface ethernet 1/5
4. Deploy the cluster client by entering the following command.
BigIron RX(config-cluster-TOR-client-2)# deploy
Configuring the TOR-B MCT switch
To configure the TOR-B MCT switch as shown in Figure 93, perform the following steps.
Creating and deploying the LAGs
You must create and deploy the LAGs on the TOR-B MCT switch. In the example shown in Figure 93, there are three LAGs on the TOR-B MCT switch.
Creating LAG 3
To create LAG 3, perform the following steps.
1. Create a LAG with the LAG ID option by entering the following command.
BigIron RX(config)# lag 3 dynamic id 3
2. Define the ports to be used by LAG 3 by entering the following command.
BigIron RX(config-lag-3)# ports ethernet 1/4
3. Assign the primary port explicitly by entering the following command.
BigIron RX(config-lag-3)# primary-port 1/4
4. Deploy LAG 3 by entering the following command.
Assigning the host name (optional)
Configure a host name for the device and save the information locally in the configuration file for future reference. Though this information is not required for system operation, Brocade recommends saving it. When you configure a host name, it replaces the default system name in the CLI prompt. To configure a host name, enter the following command.
BigIron RX(config-cluster-TOR)# peer 1.1.1.1 rbridge-id 1 icl TOR
7. Deploy the cluster configuration by entering the following command.
BigIron RX(config-cluster-TOR)# deploy
The cluster can be deployed separately without any clients configured, using the deploy command. After the cluster is deployed, the cluster configuration cannot be changed.
1. Create a cluster client instance by entering the following command.
BigIron RX(config-cluster-TOR)# client client-2
2. Configure the client RBridge ID by entering the following command.
BigIron RX(config-cluster-TOR-client-2)# rbridge-id 200
3. Create a cluster client interface by entering the following command.
BigIron RX(config-cluster-TOR-client-2)# client-interface ethernet 1/4
4. Deploy the cluster client by entering the following command.
If the keepalive VLAN is not configured, both the cluster nodes become the master. To configure the loose mode, enter the following command.
BigIron RX(config-cluster-TOR)# client-isolation loose
Syntax: [no] client-isolation loose
• Strict mode - When the CCP goes down, the client interfaces on both the cluster nodes are administratively shut down. In this mode, the client is completely isolated from the network if the CCP is inactive.
• If the keepalive VLAN is not configured and both the peers are up, then both the peers keep forwarding the traffic independently.
Setting the keepalive timers and hold time for the peers
To specify the keepalive timers and hold time for the peers, enter the following command.
BigIron RX(config-cluster-TOR)# peer 1.1.1.
-----------Name Client1 Client2 Rbridge-id Config 2222 Deployed 222 Deployed Port 1/2 1/40 Trunk FSM-State 3 Up Up
Syntax: show cluster [ | ]
The variable specifies the cluster name. The variable specifies the client ID.
Displaying cluster client reachability information
To display cluster client reachability information, enter a command such as the following.
The variable specifies the name of the cluster. The variable specifies the cluster ID. The variable specifies the IP address of the peer.
Clearing the MCT cluster information
To clear the MCT cluster information, enter a command such as the following.
BigIron RX# clear cluster abc peer 10.10.10.1
Syntax: clear cluster [ | ] peer
The variable specifies the name of the cluster. The variable specifies the cluster ID.
vlan 4090 name Session-VLAN
 tagged ethe 1/1 to 1/2
 router-interface ve 100
!
hostname TOR-A
!
interface ethernet 1/6
 port-name CEP-PC
 enable
!
interface ethernet 1/7
 port-name to-L3-ECMP
 enable
!
interface ve 100
 ip address 1.1.1.1/24
!
!
cluster TOR 1
 rbridge-id 1
 session-vlan 4090
 member-vlan 2
 icl TOR ethernet 1/1
 peer 1.1.1.
vlan 1 name DEFAULT-VLAN
 no untagged ethe 1/1 to 1/2
!
vlan 2 name client-VLAN
 untagged ethe 1/3 to 1/5
 tagged ethe 1/1 to 1/2
!
vlan 4090 name Session-VLAN
 tagged ethe 1/1 to 1/2
 router-interface ve 100
!
hostname TOR-B
!
interface ethernet 1/5
 port-name to-L3-ECMP
 enable
!
interface ve 100
 ip address 1.1.1.2/24
!
!
cluster TOR 1
 rbridge-id 2
 session-vlan 4090
 member-vlan 2
 icl TOR ethernet 1/1
 peer 1.1.1.
20 Configuring MCT deploy port-name "lag-to TOR-A" ethernet 1/1 port-name "lag-to TOR-B" ethernet 1/2 ! interface ethernet 1/3 port-name to-Host-PC enable ! end Single-level MCT extension example Figure 94shows the extension of the single-level MCT topology.
lag "4" dynamic id 4
 ports ethernet 1/5
 primary-port 1/5
 deploy
 port-name "lag-client-1:1/1" ethernet 1/5
!
no route-only
!
vlan 1 name DEFAULT-VLAN
 no untagged ethe 1/3 to 1/4
!
vlan 2 name client-VLAN
 untagged ethe 1/1 to 1/2 ethe 1/5 to 1/6
 tagged ethe 1/3 to 1/4
!
vlan 4090 name Session-VLAN
 tagged ethe 1/3 to 1/4
 router-interface ve 100
!
hostname TOR-A
!
interface ethernet 1/6
 port-name CEP-PC
 enable
!
interface ve 100
 ip address 1.1.1.
lag "2" dynamic id 2
 ports ethernet 1/7
 primary-port 1/7
 deploy
 port-name "lag-client-3:1/2" ethernet 1/7
!
lag "3" dynamic id 3
 ports ethernet 1/3 to 1/4
 primary-port 1/3
 deploy
 port-name "ICL-to-TOR-A:1/3" ethernet 1/3
 port-name "ICL-to-TOR-A:1/4" ethernet 1/4
!
lag "4" dynamic id 4
 ports ethernet 1/5
 primary-port 1/5
 deploy
 port-name "lag-client-1:1/2" ethernet 1/5
!
no route-only
!
vlan 1 name DEFAULT-VLAN
 no untagged ethe 1/3 to 1/4
!
vlan 2 name client-VLAN
 untagged ethe 1/5 to 1/
Client #1
!
lag "1" dynamic id 1
 ports ethernet 1/1 to 1/2
 primary-port 1/1
 deploy
 port-name "lag-to TOR-A" ethernet 1/1
 port-name "lag-to TOR-B" ethernet 1/2
!
end
----------------------------------------
Client #2
!
lag "1" dynamic id 1
 ports ethernet 1/1 to 1/2
 primary-port 1/1
 deploy
 port-name "lag-to TOR-A" ethernet 1/1
 port-name "lag-to TOR-B" ethernet 1/2
!
vlan 2
 untagged ethe 1/1 to 1/3
 router-interface ve 2
!
router ospf
 area 0
!
interface ethernet 1/3
 port-name L3-ECMP-Cloud
 ip address 10.10.10.2/24
 ip ospf area 0
!
end
Two-level MCT example
Figure 95 shows the two-level MCT topology.
no route-only
!
vlan 1 name DEFAULT-VLAN
 no untagged ethe 1/1 to 1/2
!
vlan 2 name client-VLAN
 untagged ethe 1/3 to 1/5
 tagged ethe 1/1 to 1/2
!
vlan 4090 name Session-VLAN
 tagged ethe 1/1 to 1/2
 router-interface ve 100
!
hostname TOR-A
!
interface ve 100
 ip address 1.1.1.1/24
!
!
cluster TOR 1
 rbridge-id 1
 session-vlan 4090
 member-vlan 2
 icl TOR ethernet 1/1
 peer 1.1.1.
!
vlan 2 name client-VLAN
 untagged ethe 1/3 to 1/5
 tagged ethe 1/1 to 1/2
!
vlan 4090 name Session-VLAN
 tagged ethe 1/1 to 1/2
 router-interface ve 100
!
hostname TOR-B
!
interface ve 100
 ip address 1.1.1.2/24
!
!
cluster TOR 1
 rbridge-id 2
 session-vlan 4090
 member-vlan 2
 icl TOR ethernet 1/1
 peer 1.1.1.
vlan 4090 name Session-VLAN
 tagged ethe 1/1 to 1/2
 router-interface ve 100
!
hostname ROUTER-C
!
interface ethernet 1/5
 port-name MPLS-Cloud
 enable
!
interface ve 100
 ip address 1.1.1.3/24
!
!
cluster Router 2
 rbridge-id 3
 session-vlan 4090
 member-vlan 2
 icl Router ethernet 1/1
 peer 1.1.1.
vlan 2 name client-VLAN
 untagged ethe 1/3 to 1/5
 tagged ethe 1/1 to 1/2
!
vlan 4090 name Session-VLAN
 tagged ethe 1/1 to 1/2
 router-interface ve 100
!
hostname ROUTER-D
!
interface ethernet 1/5
 port-name MPLS-cloud
 enable
!
interface ve 100
 ip address 1.1.1.4/24
!
!
cluster Router 2
 rbridge-id 4
 session-vlan 4090
 member-vlan 2
 icl Router ethernet 1/1
 peer 1.1.1.
MRP integration with MCT example
Figure 96 shows the MRP integration with the MCT topology.
interface ethernet 1/5
 port-name MRP-from-Master
 enable
!
interface ve 100
 ip address 1.1.1.1/24
!
cluster MRPRing 1
 rbridge-id 1
 session-vlan 4090
 member-vlan 2
 icl MRPRing ethernet 1/1
 peer 1.1.1.
interface ve 100
 ip address 1.1.1.2/24
!
!
cluster MRPRing 1
 rbridge-id 2
 session-vlan 4090
 member-vlan 2
 icl MRPRing ethernet 1/1
 peer 1.1.1.
Port loop detection support in MCT
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e1000-1/1)# loop-detection
Syntax: [no] loop-detection
The no form of the loop-detection command disables the loop detection feature. To configure the loop detection for a VLAN, enter commands such as the following.
BigIron RX(config)# vlan 20
BigIron RX(config-vlan-20)# loop-detection
To configure the loop detection for a physical port on a specific VLAN, enter a command such as the following.
The variable specifies the configurable syslog interval in minutes. The configurable range is from 10 through 1440 minutes. The default value for the syslog interval is 10.
Setting the disable duration
You can use the loop-detection disable-duration command to specify the duration for which the port must be disabled after a loop is detected. The port is automatically enabled after the specified duration.
TABLE 108 Output parameters of the show loop-detection command
Field                            Description
loop detection packets interval  Shows the interval for sending the PLD packets.
loop detection disable duration  Shows the duration for which the port must be disabled after a loop is detected.
port-num                         Shows the port number for which the loop detection is enabled.
vlan-id                          Shows the VLAN ID for which the loop detection is enabled.
MAC Database Update over cluster control protocol
Cluster MAC entry types
The following types of MAC entries are defined for the cluster:
• Cluster Local MAC (CL) - MAC entries that are learned locally from the VLANs that belong to the cluster VLAN range and on CEPs. MAC entries are synchronized to the cluster peer and are subject to aging. A local MDB is not created for the MAC entries and these entries are associated with a cluster RBridge ID.
NOTE
Every MAC entry deletion triggers the resolution algorithm if the deleted MAC entry is installed in the FDB. If the deleted MAC entry is installed in the MDB, only the MDB will be updated.
MAC entry movement
When the MAC entries move from the CEP to the CCEP or from the CCEP to the CEP, the MAC entry movement happens normally on the local node and deletes all the other MDBs from the peer to create a new local MDB.
TABLE 109 Output parameters of the show mac command (Continued)
Field  Description
VLAN   Shows the VLAN ID of the port.
Type   Shows the type of the learned MAC entry.
Displaying cluster-specific MAC entries
To display the cluster-specific MAC entries, enter a command such as the following.
0000.0000.0001 4/3 0 400 CCL
Syntax: show mac cluster | client [local | remote]
The variable specifies the cluster ID. The variable specifies the cluster name. The variable specifies the client name. The local option displays the MAC entries that are learned locally. The remote option displays the MAC entries that are learned through the MDUP message from the peer.
0000.0000.0002 4/6 0 400 CL
Syntax: show mac cluster | vlan [local | remote]
The variable specifies the cluster ID. The variable specifies the cluster name. The variable specifies the VLAN ID. The local option displays the MAC entries that are learned locally. The remote option displays the MAC entries that are learned through the MDUP message from the peer.
Add Intf Mac sent: 9
Del Mac sent: 1
Del Intf Mac sent: 0
Move Mac sent: 0
MDUP Mac Info Messages sent: 4
MDUP Flush Messages sent: 12
MDUP Update Messages received: 4
Add Mac received: 2
Add Intf Mac received: 1
Del Mac received: 2
Del Intf Mac received: 0
Move Mac received: 0
MDUP Mac Info Messages received: 0
MDUP Flush Messages received: 0
MDUP Add Mac Errors: 0
MDUP Del MAC Errors: 0
MDUP Move MAC Errors: 0
Syntax: show mac mdup-stats
Table 111 de
TABLE 112 Output parameters of the show mac mdup-stats command (Continued)
Field                         Description
MDUP Flush Messages received  Shows the number of MDUP Flush messages received.
MDUP Add Mac Errors           Shows the number of MAC Add MDUP error messages.
MDUP Del MAC Errors           Shows the number of MAC Del MDUP error messages.
MDUP Move MAC Errors          Shows the number of MAC Move MDUP error messages.
Syntax: clear mac vlan
The variable specifies the VLAN ID.
Clearing cluster VLAN-specific MAC entries
To clear cluster VLAN-specific MAC entries, enter a command such as the following.
BigIron RX# clear mac cluster TOR 1 vlan 1 local
Syntax: clear mac cluster | vlan [local | remote]
The variable specifies the cluster ID. The variable specifies the cluster name.
When an ICL or CCP goes down, the keepalive VLAN is used to determine the reachability of the cluster nodes. If the peer node is reachable over the keepalive VLAN, then the MCT nodes perform the master and slave negotiation for each client. After negotiation, the slave shuts down its client ports, whereas the master client ports continue to forward the traffic. The master and slave negotiation is done for each MCT client based on the RBridge ID and the client reachability.
Syslogs and debugging
Sample configuration
The following show run command output is a sample configuration using port loop detection.
 client c1
  rbridge-id 300
  client-interface ethernet 3/11
!
MCT debug commands
The following are the MCT-related debug commands.
The debug cluster forwarding command displays all the MCT forwarding-related events or messages in the Management Processor (MP) that can affect traffic forwarding. Some examples include remote CCEP status changes, MCT Filter ID (FID) creation, FID updates, and so on. Command output resembles the following example.
The debug cluster ccp packet command displays information specific to the CCP packet exchange operation. Command output resembles the following example.
Jun 1 18:06:50 CLUSTER FSM: cluster id 1, peer rbridge id 2, old state: Loading, event: Loading Done
Jun 1 18:06:50 CLUSTER FSM: sending EVENT_ID_MCT_CCP_UP event
SYSLOG: Jun 1 18:06:50:<14>Jun 1 18:06:50 3P-19-5-TB3-4, CLUSTER FSM: Cluster mct (Id: 1), client c1 (RBridge Id: 3) - Remote client deployed
Jun 1 18:06:50 CLUSTER FSM: sending EVENT_ID_MCT_REMOTE_DEPLOY event
SYSLOG: Jun 1 18:06:50:<14>Jun 1 18:06:50 3P-19-5-TB3-4, CLUSTER FSM: Cluster mct (Id: 1), client c2 (RBridge I
Nov 23 08:40:29 CLUSTER FSM: CCRR message sent for client for multiple clients
Nov 23 08:40:29 CLUSTER FSM: new state: Loading
Nov 23 08:40:29 CLUSTER FSM: Received CCRR message from peer when CCP is up
Nov 23 08:40:29 CLUSTER FSM: cluster id 1, client id 101, old state: Init, event: CCP Up
Nov 23 08:40:29 CLUSTER FSM: sending EVENT_ID_MCT_REMOTE_DEPLOY event
Nov 23 08:40:29 CLUSTER FSM: new state: Admin Up, master: TRUE
Nov 23 08:40:29 CLUSTER FSM: cluster id 1, client id 102, ol
SYSLOG: <44>Dec 5 15:55:50 Brocade LACP: ethernet 3/13 state changes from LACP_BLOCKED to DOWN
Dec 5 15:55:50 CLUSTER FSM: sending EVENT_ID_MCT_LOCAL_CCEP_DOWN event
SYSLOG: <46>Dec 5 15:55:50 Brocade CLUSTER FSM: Cluster MCT-VPLS (Id: 1), client R4 (RBridge Id: 400) - Local client CCEP down
Dec 5 15:55:50 CLUSTER FSM: cluster id 1, client id 400, old state: Up, event: Local Down
Dec 5 15:55:50 CLUSTER FSM: Sending client fsm state to LP,
Dec 5 15:55:51 = 01900016)
BigIron RX#
Dec 5 16:04:35 CLUSTER MDUP: Received MAC FLUSH message, option: Flush Client Rbridge, cluster_id: 1, Peer Rbridge: 1, Flush Rbridge: 400, vlan: , port_id: 65535
Dec 5 16:04:35 CLUSTER MDUP: Received MAC FLUSH message, option: Flush Rbridge, cluster_id: 1, Peer Rbridge: 1, Flush Rbridge: 1, vlan: , port_id: 12
Dec 5 16:04:35 CLUSTER MDUP: Received MAC INFO message, Type: Rbridge, cluster: 1, vlan: , Rbridge id: 400
Dec 5 16:04:35 CLUSTER FSM: Received CCRR message fro
MCT for VRRP or VRRP-E
FIGURE 97 Two-node MCT scenario (figure: Gateway Switch A as VRRP-E master and Gateway Switch B as VRRP-E backup form the MCT logical switch, joined by the ICL LAG; clients attach through CEPs and CCEPs; an MCT-unaware switch S1 connects end stations E1 and E2)
Layer 3 traffic forwarding from an end station to MCT
When one MCT switch acts as the VRRP or VRRP-E master router and the other MCT switch acts as a VRRP or VRRP-E backup router, as shown in Figure 97, the following traffic forwarding behavior is seen:
• Packets sent to the VRRP-E virtua
Advanced MCT scenario
Figure 98 shows the advanced MCT scenario. In this scenario, there are two pairs of MCT peer switches, which are deployed on the two sites that are connected through the two independent Wide Area Network (WAN) links. Switch A and B form the MCT logical switch 1 and Switch C and D form the MCT logical switch 2. Switch A acts as the VRRP-E master router and the other MCT switches (Switch B, Switch C, and Switch D) act as the VRRP-E backup routers.
• The VRRP-E virtual MAC address must be synced and learned on the ICL ports on backup routers through the ICL.
• The IPv4 multicast traffic must be supported on the ICLs:
 - For the VRRP or VRRP-E master router - Hello packets are broadcast to all the VLAN member ports including ICL ports. Normal VLAN FIDs are used for broadcasting.
Chapter 21 Layer 2 ACLs
In this chapter
• Layer 2 ACLs overview
• Filtering based on ethertype
• Configuration rules and notes
• Configuring Layer 2 ACLs
• Viewing Layer 2 ACLs
Configuration rules and notes
• You cannot bind Layer 2 ACLs and IP ACLs to the same port. However, you can configure one port on the device to use Layer 2 ACLs and another port on the same device to use IP ACLs.
• You cannot bind a Layer 2 ACL to a virtual interface.
• The Layer 2 ACL feature cannot perform SNAP and LLC encapsulation type comparisons.
• BigIron RX processes ACLs in hardware.
• You can use Layer 2 ACLs to block management access to the BigIron RX.
Configuring Layer 2 ACLs
For more examples of valid Layer 2 ACL clauses, refer to “Example Layer 2 ACL clauses” on page 589.
Syntax: [no] access-list permit | deny | any | any [ | any [etype ] [log-enable]]
The parameter specifies the Layer 2 ACL table that the clause belongs to. The table ID can range from 400 to 499. You can define a total of 100 Layer 2 ACL tables.
BigIron BigIron BigIron BigIron BigIron BigIron BigIron BigIron RX(config)# RX(config)# RX(config)# RX(config)# RX(config)# RX(config)# RX(config)# RX(config)# access-list access-list access-list access-list access-list access-list access-list access-list 400 400 400 400 400 400 400 400 permit permit permit permit permit permit permit permit any any any any any any any any any any any any any any any any log-enable 100 100 log-enable any any log-enable 100 etype ipv4 100
Viewing Layer 2 ACLs
Use the show access-list command to monitor configuration and statistics and to diagnose Layer 2 ACL tables. The following shows an example output.
BigIron RX(config)# show access-list 400
L2 MAC Access List 400:
permit any any 100 etype ipv4
deny any any any etype arp
Syntax: show access-list
The parameter specifies the Layer 2 ACL table ID.
Chapter 22 Access Control List
In this chapter
• Access Control List overview
• How the BigIron RX processes ACLs
• Disabling or re-enabling Access Control Lists (ACLs)
• Default ACL action
• Types of IP ACLs
How the BigIron RX processes ACLs
You can use IP ACLs to provide input to other features such as route maps, distribution lists, rate limiting, and BGP. When you use an ACL this way, use permit statements in the ACL to specify the traffic that you want to send to the other feature. If you use deny statements, the traffic specified by the deny statements is not supplied to the other feature.
• ACLs that specify spi, tos min monetary cost, fragment, or fragmentation-offset cause a configuration conflict, and the error message "ACL configuration conflict specified filter not supported" is entered in syslog.
• 802.1p-priority is not supported as a matching condition for egress ACLs.
• dscp-marking is not available as an action for egress ACLs.
• deny-logging is not supported for egress ACLs.
• ACL ID – An ACL ID is a number from 1 – 99 (standard), 100 – 199 (extended) or 500 – 599 (super) or a character string (super ACLs are numbered only). The ACL ID identifies a collection of individual ACL entries. When you apply ACL entries to an interface, you do so by applying the ACL ID that contains the ACL entries to the interface, instead of applying the individual entries to the interface.
ACL-based inbound mirroring
Considerations when configuring ACL-based inbound mirroring
The following must be considered when configuring ACL-based inbound mirroring:
• Configuring a Common Destination ACL Mirror Port for All Ports of a PPCR
• Support with ACL CAM Sharing Enabled
• The mirror and copy-sflow keywords are mutually exclusive on a per-ACL clause basis.
• ACL-based inbound mirroring and port-based inbound mirroring are mutually exclusive on a per-port basis.
Applying the ACL to an interface
You must apply the ACL to an interface using the ip access-group command as shown in the following.
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e10000-1/1)# ip access-group 101 in
Specifying the destination mirror port
You can specify physical ports or a trunk to mirror traffic from. The following sections describe how to perform each of these configurations.
The following considerations apply when configuring ACL-based mirroring with trunks:
• You must configure ACL-mirroring for a trunk within the trunk configuration as shown in the examples. Attempting to configure ACL-mirroring at the interface level for a port that is contained within a trunk will fail and display the following message: Error: please use trunk config level to configure ACL based mirroring on trunk port.
BigIron RX(config)# vlan 10
BigIron RX(config-vlan-10)# tagged ethernet 4/1 to 4/3
BigIron RX(config-vlan-10)# router-interface ve 10
BigIron RX(config)# interface ethernet 4/1
BigIron RX(config-if-e10000-4/1)# acl-mirror-port ethernet 5/1
BigIron RX(config)# interface ve 10
BigIron RX(config-vif-10)# ip address 10.10.10.
Configuring numbered and named ACLs
BigIron RX(config)# access-list 1 deny host 209.157.22.26 log
BigIron RX(config)# access-list 1 deny 209.157.29.
Specifies the portion of the source IP host address to match against. The is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the . Ones mean any value matches. For example, the and values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
• Destination TCP or UDP port (if the IP protocol is TCP or UDP)
The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255:
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Internet Gateway Routing Protocol (IGRP)
• Internet Protocol (IP)
• Open Shortest Path First (OSPF)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
For TCP and UDP, you also can specify a comp
The sixth entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL. The following commands apply ACL 102 to the incoming and outgoing traffic on port 1/2 and to the incoming traffic on port 4/3.
Syntax: [no] access-list deny | permit | [ ] | [ ] [match-all ] [match-any ] [] [established] [precedence | ] [tos ] [dscp-matching ] [802.1p-priority-matching ] [dscp-marking 802.
Specifies the portion of the source IP host address to match against. The is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the . Ones mean any value matches. For example, the and values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
Specifies a comparison operator for the TCP or UDP port number. You can enter one of the following operators:
• eq – The policy applies to the TCP or UDP port name or number you enter after eq.
• gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.
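The wildcard-mask rule (zero bits must match, one bits are don't-care), the first-match evaluation that makes the final permit entry of ACL 102 necessary, and the eq/gt port operators can be checked against a small model. The following Python is an added example, not code from the Brocade guide: it assumes top-to-bottom first-match evaluation with an implicit deny at the end, uses constructed sample entries, and also implements lt, neq and range operators beyond the two quoted on this page.

```python
"""Model of BigIron RX IP ACL matching: wildcard masks, port comparison
operators, first-match evaluation and the implicit deny.

Added example. The evaluation order, the extra operators and the sample
entries are assumptions for illustration, not taken from the guide."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY_IP, ANY_WILD = "0.0.0.0", "255.255.255.255"   # the "any" keyword
HOST_WILD = "0.0.0.0"                              # the "host" keyword


def wildcard_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """True if packet_ip matches acl_ip under an inverse (wildcard) mask.

    Zero bits in the wildcard must match exactly; one bits are don't-care,
    so 209.157.22.26 0.0.0.255 covers every host in 209.157.22.x.
    """
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(packet_ip)) & care) == (int(IPv4Address(acl_ip)) & care)


def port_match(op: Optional[str], args: Tuple[int, ...], port: int) -> bool:
    """Comparison operators: eq and gt as on the page; lt, neq, range assumed."""
    if op is None:
        return True
    if op == "eq":
        return port == args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "neq":
        return port != args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown comparison operator: {op}")


@dataclass
class Entry:
    """One extended ACL clause: action protocol src src-wild dst dst-wild [op port]."""
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every IP protocol
    src: str
    src_wild: str
    dst: str = ANY_IP
    dst_wild: str = ANY_WILD
    dport_op: Optional[str] = None   # comparison operator on the destination port
    dport_args: Tuple[int, ...] = ()

    def matches(self, proto: str, sip: str, dip: str, dport: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if not wildcard_match(sip, self.src, self.src_wild):
            return False
        if not wildcard_match(dip, self.dst, self.dst_wild):
            return False
        if self.dport_op is not None:
            # Port operators only apply to TCP and UDP packets.
            if proto not in ("tcp", "udp") or dport is None:
                return False
            return port_match(self.dport_op, self.dport_args, dport)
        return True


def evaluate(acl: List[Entry], proto: str, sip: str, dip: str,
             dport: Optional[int] = None) -> str:
    """The first matching entry decides; a packet matching no entry is denied."""
    for entry in acl:
        if entry.matches(proto, sip, dip, dport):
            return entry.action
    return "deny"      # implicit deny at the end of every ACL


def sample_acl(with_permit_any: bool = True) -> List[Entry]:
    """Constructed sample entries (not a configuration from the guide)."""
    acl = [
        # deny tcp host 209.157.22.26 any eq 23
        Entry("deny", "tcp", "209.157.22.26", HOST_WILD, dport_op="eq", dport_args=(23,)),
        # deny ip 209.157.29.0 0.0.0.255 host 10.10.10.1
        Entry("deny", "ip", "209.157.29.0", "0.0.0.255", "10.10.10.1", HOST_WILD),
        # permit tcp any any gt 1023
        Entry("permit", "tcp", ANY_IP, ANY_WILD, dport_op="gt", dport_args=(1023,)),
    ]
    if with_permit_any:
        acl.append(Entry("permit", "ip", ANY_IP, ANY_WILD))   # permit ip any any
    return acl


if __name__ == "__main__":
    print(evaluate(sample_acl(), "tcp", "209.157.22.26", "10.0.0.5", 23))   # deny
    print(evaluate(sample_acl(False), "icmp", "10.1.1.1", "10.2.2.2"))     # deny (implicit)
```

Dropping the final permit entry (sample_acl(False)) shows why the guide warns that an ACL without it denies all traffic on the port.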
Enter one of the following values, depending on the software version the device is running:
• any-icmp-type
• echo
• echo-reply
• information-request
• log
• mask-reply
• mask-request
• parameter-problem
• redirect
• source-quench
• time-exceeded
• timestamp-reply
• timestamp-request
• unreachable
NOTE: If the ACL is for the inbound traffic direction on a virtual routing interface, you also can specify a subset of ports within the VLAN containing
• tos | Specify the IP ToS name or number. You can specify one of the following:
• max-reliability or 2 – The ACL matches packets that have the maximum reliability ToS. The decimal value for this option is 2.
• max-throughput or 4 – The ACL matches packets that have the maximum throughput ToS. The decimal value for this option is 4.
• min-delay or 8 – The ACL matches packets that have the minimum delay ToS. The decimal value for this option is 8.
• Enter 0 – 63 for the dscp-marking parameter.
• The dscp-cos-mapping parameter takes the DSCP value you specified and compares it to an internal QoS table, which is indexed by DSCP values. The corresponding 802.1p priority, internal forwarding priority, and DSCP value are assigned to the packet. For example, if you enter dscp-marking 7 and the internal QoS table is configured as shown in Table 113, the new QoS value for the packet is:
• 802.
Configuring standard or extended named ACLs
The commands for configuring named ACL entries are different from the commands for configuring numbered ACL entries. The command to configure a numbered ACL is access-list. The command for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry, you specify all the command parameters on the same command.
The parameter is the ACL name. You can specify a string of up to 255 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL for Net1”). The parameter allows you to specify an ACL number if you prefer. If you specify a number, you can specify from 1 – 99 for standard ACLs or 100 – 199 for extended ACLs.
[ ] [match-all ] [match-any ] [] [established] [precedence | ]
Syntax: [no] ip access-list extended | deny | permit host any any [log]
Syntax: [no] ip access-group in
The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring extended numbered ACLs”
Super ACL syntax
Syntax: [no] access-list deny | permit | any | log | src-mac | dst-mac | vlan-id | ip-pkt-len | ip-fragment-match {[fragment [fragment-offset <0 - 8191>]] | [non-fragment] | [first-fragment]} | ip-protocol | sip {/ | host } | dip {/ | host } | sp | dp
ip-pkt-len         Specifies the IP packet length to be matched.
ip-fragment-match  Enables IP fragment matching.
ip-protocol        Specifies the IP protocols to be matched.
sip                Enables packet matching based on specific IP source addresses.
dip                Enables packet matching based on specified IP destination addresses.
sp                 Enables packet matching based on specified source TCP/UDP port.
dp                 Enables packet matching based on specified destination TCP/UDP port.
Displaying ACL definitions
Enter all to display all of the ACLs configured on the device.
Named ACL
For a named ACL, enter a command such as the following.
BigIron RX(config)# show access-list name entry
Standard IP access list entry
deny host 5.6.7.8
deny host 192.168.12.3
permit any
Syntax: show access-list name
Enter the ACL name for the parameter or the ACL number for .
TABLE 114 TCP/UDP port numbers and names (Continued)
Port service number  Port name   Description
29                   msg-icp     MSG ICP
31                   msg-auth    MSG Authentication
33                   dsp         Display Support Protocol
38                   rap         Route Access Protocol
39                   rlp         Resource Location Protocol
41                   graphics    Graphics
42                   nameserver  Host Name Server
43                   nicname     Who Is
44                   mpm-flags   MPM FLAGS Protocol
45                   mpm         Message Processing Module [recv]
46                   mpm-snd     MPM [default send]
47                   ni-ftp      NI FTP
48                   auditd      Di
TABLE 114 TCP/UDP port numbers and names (Continued)
Port service number  Port name    Description
81                   hosts2-ns    HOSTS2 Name Server
82                   xfer         XFER Utility
83                   mit-ml-dev1  MIT ML Device
84                   ctf          Common Trace Facility
85                   mit-ml-dev2  MIT ML Device
86                   mfcobol      Micro Focus Cobol
88                   kerberos     Kerberos
89                   su-mit-tg    SU/MIT Telnet Gateway
90                   dnsix        DNSIX Security Attribute Token Map
91                   mit-dov      MIT Dover Spooler
92                   npp          Network Printing Protocol
93                   dcp          Dev
TABLE 114 TCP/UDP port numbers and names (Continued)
Port service number  Port name  Description
117                  uucp-path  UUCP Path Service
118                  sqlserv    SQL Services
119                  nntp       Network News Transfer Protocol
120                  cfdptkt    CFDPTKT
121                  erpc       Encore Expedited Remote Pro.
TABLE 114 TCP/UDP port numbers and names (Continued)
Port number   Port name     Description
155           netsc-dev     NETSC
156           sqlsrv        SQL Service
157           knet-cmp      KNET/VM Command/Message Protocol
158           pcmail-srv    PCMail Server
159           nss-routing   NSS-Routing
160           sgmp-traps    SGMP-TRAPS
163           cmip-man      CMIP/TCP Manager
164           cmip-agent    CMIP/TCP Agent
165           xns-courier   Xerox
166           s-net         Sirius Systems
167           namp          NAMP
168           rsvd          RSVD
169           send          SEND
170           print-srv
TABLE 114 TCP/UDP port numbers and names (Continued)
Port number   Port name     Description
192           osu-nms       OSU Network Monitoring System
193           srmp          Spider Remote Monitoring Protocol
194           irc           Internet Relay Chat Protocol
195           dn6-nlm-aud   DNSIX Network Level Module Audit
196           dn6-smm-red   DNSIX Session Mgt Module Audit Redir
197           dls           Directory Location Service
198           dls-mon       Directory Location Service Monitor
199           smux          SMUX
200           src           IBM System Resource Controller
TABLE 114 TCP/UDP port numbers and names (Continued)
Port number   Port name    Description
344           pdap         Prospero Data Access Protocol
345           pawserv      Perf Analysis Workbench
346           zserv        Zebra server
347           fatserv      Fatmen Server
348           csi-sgwp     Cabletron Management Protocol
371           clearcase    Clearcase
372           ulistserv    ListProcessor
373           legent-1     Legent Corporation
374           legent-2     Legent Corporation
375           hassle       Hassle
376           nip          Amiga Envoy Network Inquiry Protoc
TABLE 114 TCP/UDP port numbers and names (Continued)
Port number   Port name   Description
402           genie       Genie Protocol
403           decap       decap
404           nced        nced
405           ncld        ncld
406           imsp        Interactive Mail Support Protocol
407           timbuktu    Timbuktu
408           prm-sm      Prospero Resource Manager Sys. Man.
409           prm-nm      Prospero Resource Manager Node Man.
TABLE 114 TCP/UDP port numbers and names (Continued)
Port number   Port name       Description
438           dsfgw           dsfgw
439           dasp            dasp Thomas Obermair
440           sgcp            sgcp
441           decvms-sysmgt   decvms-sysmgt
442           cvc_hostd       cvc_hostd
443           ssl             http protocol over TLS/SSL
444           snpp            Simple Network Paging Protocol
445           microsoft-ds    Microsoft-DS
446           ddm-rdb         DDM-RDB
447           ddm-dfm         DDM-RFM
448           ddm-byte        DDM-BYTE
449           as-servermap    AS Server Mapper
450           tserver         Computer
TABLE 114 TCP/UDP port numbers and names (Continued)
Port number   Port name    Description
561           monitor      monitor
562           chshell      chcmd
564           9pfs         plan 9 file service
565           whoami       whoami
570           meter-570    demon
571           meter-571    udemon
600           ipcserver    Sun IPC server
606           nqs          nqs
607           urm          urm
608           sift-uft     Sender-Initiated or Unsolicited File Transfer
609           npmp-trap    npmp-trap
610           npmp-local   npmp-local
611           npmp-gui     npmp-gui
634           ginad        ginad
666           mdqs         mdqs
TABLE 114 TCP/UDP port numbers and names (Continued)
Port number   Port name     Description
761           rxe           RXE
762           quotad        QUOTAD
763           cycleserv     Cycle Server
764           omserv        Om Server
765           webster       webster
767           phonebook     phone
769           vid           VID
770           cadlock-770   CADLOCK -770
771           rtip          rtip
772           cycleserv2    CYCLE Server
773           submit        SUBMIT
774           rpasswd       rpasswd
775           entomb        entomb
776           wpages        wpages
780           wpgs          wpgs
786           concert       concert
800           mdbs_daemon   mdbs_daemon
801           de
sent to the CPU for logging. For a set period after that, further packets that match the deny condition are dropped in hardware, and no Syslog message is written for any denied packet during this time. Once the wait time expires, a Syslog message is written if the device receives another packet that matches the deny condition, and the whole cycle repeats.
NOTE: BigIron RX does not support permit logging.
NOTE: Logging is not currently supported on management interfaces.
Modifying ACLs
Thus, if a packet matches the first entry in this ACL and is therefore denied, the software does not compare the packet to the remaining ACL entries. In this example, packets from host 209.157.22.26 will always be dropped, even though packets from this host match the second entry. You can use the CLI to reorder entries within an ACL by individually removing the ACL entries and then re-adding them.
4. Enter the command "end" on a separate line at the end of the file. This command tells the software that the entire ACL list has been read from the file.
5. Save the text file.
6. On the device, enter the following command at the Privileged EXEC level of the CLI.
copy tftp running-config
NOTE: This command fails if you place any commands other than access-list entries and the final end in the file.
NOTE: TFTP provides no authentication or integrity protection, so a host on the path between the device and the TFTP server could substitute its own ACL entries. Use it only on a trusted management network and verify the loaded ACL with show access-list before relying on it.
Entering access-list remark adds a remark to the next ACL entry you create. The remark is a comment on that entry and can have up to 255 characters. The comment must be entered separately from the actual ACL entry; that is, you cannot enter the ACL entry and the ACL comment with the same command.
Deleting ACL entries
• ACL name. You can specify a string of up to 255 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, "ACL for Net1").
• ACL number. Specify a number from 1 – 99 for standard ACLs, 100 – 199 for extended ACLs, and 500 – 599 for super ACLs.
• remark - adds a comment to the ACL entry. The comment can contain up to 255 characters.
BigIron RX(config)# show access-list 99
Standard IP access-list 99
deny host 1.2.4.5
permit any
Syntax: no access-list
The parameter specifies the ACL entry to be deleted. The parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 1 – 99 for standard ACLs, 100 – 199 for extended ACLs, or 500 – 599 for super ACLs.
Applying ACLs to interfaces
The configuration examples in the section "Configuring numbered and named ACLs" on page 600 show that you apply ACLs to interfaces using the ip access-group command. This section presents additional information about applying ACLs to interfaces. Configuration examples for super ACLs appear in the section "Configuring super ACLs" on page 613.
NOTE: Applying an ACL to a subset of physical interfaces under a virtual routing interface multiplies the amount of CAM used by the number of physical interfaces specified. An ACL that successfully functions over a whole virtual routing interface may fail if you attempt to apply it to a subset of physical interfaces.
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following.
Displaying ACL log entries
The first time an entry in an ACL denies a packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap. Messages for packets denied by ACLs are at the warning level of the Syslog. When the first Syslog entry for a packet denied by an ACL is generated, the software starts an ACL timer. After this, the software sends Syslog messages every 1 to 10 minutes, depending on the value of the timer interval.
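The timer behaviour described above, as an added example that is not part of the Brocade guide: a Python model of deny logging run over a constructed packet stream. The first packet that hits a logging deny entry produces a Syslog message and starts the timer; matches during the interval are dropped without a message; after the interval the next match logs again and restarts the cycle. The model keeps one timer per deny entry (an assumption; the page says "the deny condition" without saying whether the timer is per entry or per ACL), and the 1 to 10 minute bounds come from the sentence above. The practical point it makes visible is that Syslog counts are not packet counts: a flood of denied packets shows up as a handful of messages, so use the ACL accounting counters, not the log volume, when sizing an event.

```python
from dataclasses import dataclass, field


@dataclass
class DenyLogger:
    """Deny-logging state with the guide's timer semantics (model, not device code)."""
    interval: int                                   # ACL timer interval in seconds
    last_log: dict = field(default_factory=dict)    # entry -> time of last Syslog message
    denied: dict = field(default_factory=dict)      # entry -> packets denied (logged or not)
    messages: list = field(default_factory=list)    # (time, entry, packet) that were logged

    def __post_init__(self):
        if not 60 <= self.interval <= 600:          # "every 1 to 10 minutes"
            raise ValueError("timer interval must be between 1 and 10 minutes")

    def deny(self, entry, pkt, now):
        """Record a packet denied by logging entry `entry` at time `now` (seconds).

        Returns True if a Syslog message (and SNMP trap) was generated, False if the
        packet was dropped in hardware inside the suppression window.
        """
        self.denied[entry] = self.denied.get(entry, 0) + 1
        last = self.last_log.get(entry)              # assumption: one timer per entry
        if last is None or now - last >= self.interval:
            self.last_log[entry] = now               # (re)start the ACL timer
            self.messages.append((now, entry, pkt))
            return True
        return False


def replay(stream, interval):
    """Run a (time, entry, packet) stream; return (messages written, packets denied)."""
    log = DenyLogger(interval)
    for now, entry, pkt in stream:
        log.deny(entry, pkt, now)
    return len(log.messages), sum(log.denied.values())


# Constructed flood: one host hits the same deny entry twice a second for 500 seconds.
FLOOD = [(t / 2, "deny host 209.157.22.26", f"pkt{t}") for t in range(1000)]

if __name__ == "__main__":
    for minutes in (1, 5, 10):
        msgs, dropped = replay(FLOOD, 60 * minutes)
        print(f"timer {minutes:2d} min: {msgs} Syslog messages for {dropped} denied packets")
```

With a 5-minute timer the 1000-packet flood produces two messages; with the minimum 1-minute timer it produces nine. Either way the message count says nothing about volume, which is what ACL accounting (described later in this chapter) is for.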
For a list of supported QoS ACL options, refer to "Using ACL QoS options to filter packets" on page 608.
Enabling ACL duplication check
The software checks new ACL entries for duplicates. To turn this check off, enter the following command at the Global CONFIG level of the CLI; use the no form to turn it back on.
BigIron RX(config)# acl-duplication-check-disable
Syntax: [no] acl-duplication-check-disable
This command is not in effect by default, so duplicate entries are detected unless you explicitly disable the check.
ACL accounting
BigIron RX(config)# show access-list accounting brief
Collecting ACL accounting summary for VE 1 ... Completed successfully.
ACL Accounting Summary: (ac = accumulated since accounting started)
Int    In ACL   Total In Hit
VE 1   111      473963(1s) 25540391(1m) 87014178(5m) 112554569(ac)
The display shows the following information.
This field...                            Displays...
Collecting ACL accounting summary for    Shows the interface included in the report and whether or not the collection was successful.
Inbound ACL ID                           Shows the direction of the traffic on the interface and the ID of the ACL used.
Enabling ACL filtering of fragmented or non-fragmented packets
By default, when an extended ACL is applied to a port, the port uses the ACL to permit or deny only the first fragment of a fragmented packet; subsequent fragments of the same packet are forwarded in hardware without an ACL lookup. Denying the first fragment is generally sufficient, because the receiver cannot reassemble the packet, and the transaction cannot complete, without it. Note, however, that the non-initial fragments still reach the destination host and occupy its reassembly buffers until they time out. If every fragment of a denied packet must be dropped, enable fragment filtering as described in this section.
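The first-match evaluation from "Modifying ACLs" and the fragment behaviour described above, as an added example that is not part of the Brocade guide: a Python model of ACL evaluation. It parses the standard and extended entry forms used on this page (with a small subset of the Table 114 service names), applies first-match with the implicit deny, reports entries that an earlier entry shadows (the ordering problem in the 209.157.22.26 example), and shows why a deny on a host does not stop that host's non-initial fragments unless fragment filtering is on. The packets and ACLs are constructed. One modelling assumption is labelled in the code: an entry that compares a TCP/UDP port cannot match a non-initial fragment, because the fragment carries no L4 header.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names resolved as in the guide's Table 114 (subset; http added).
PORT_NAMES = {"http": 80, "kerberos": 88, "nntp": 119, "irc": 194,
              "ssl": 443, "microsoft-ds": 445}


@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"             # ip, tcp, udp, icmp
    sport: Optional[int] = None
    dport: Optional[int] = None
    frag_offset: int = 0          # > 0: non-initial fragment, no L4 header


@dataclass
class Entry:
    action: str                   # permit | deny
    proto: str
    src: tuple                    # (address, wildcard) as 32-bit ints
    dst: tuple
    sport: Optional[int]
    dport: Optional[int]
    text: str


def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' -> (address, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))


def _port(tokens):
    """Consume an optional 'eq <port|name>' operator."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse(lines):
    """Parse 'deny host X' style standard entries and 'permit tcp S WS [eq P] D WD [eq P]' extended ones."""
    acl = []
    for line in lines:
        tok = line.split()
        action = tok.pop(0)
        proto = tok.pop(0) if tok[0] in ("ip", "tcp", "udp", "icmp") else "ip"
        src = _addr(tok)
        sport = _port(tok)
        dst = _addr(tok) if tok else (0, 0xFFFFFFFF)   # standard ACL: source only
        dport = _port(tok)
        acl.append(Entry(action, proto, src, dst, sport, dport, line))
    return acl


def _wild_match(rule, ip):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    addr, wild = rule
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0


def _matches(e, pkt):
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if not (_wild_match(e.src, pkt.src) and _wild_match(e.dst, pkt.dst)):
        return False
    if e.sport is None and e.dport is None:
        return True
    if pkt.frag_offset:            # assumption: no L4 header, so port entries cannot match
        return False
    return (e.sport is None or e.sport == pkt.sport) and \
           (e.dport is None or e.dport == pkt.dport)


def evaluate(acl, pkt):
    """First match wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if _matches(e, pkt):
            return e.action, e.text
    return "deny", "implicit deny"


def apply(acl, pkt, fragment_filtering=False):
    """Port-level result: by default only the first fragment is checked against the ACL."""
    if pkt.frag_offset and not fragment_filtering:
        return "permit"            # forwarded in hardware without an ACL lookup
    return evaluate(acl, pkt)[0]


def _covers(a, b):
    """True if every address matching wildcard rule b also matches rule a."""
    (aa, aw), (ba, bw) = a, b
    return (~aw & bw & 0xFFFFFFFF) == 0 and ((aa ^ ba) & ~aw & 0xFFFFFFFF) == 0


def shadowed(acl):
    """(later entry, earlier entry) pairs where the later entry can never match."""
    out = []
    for j, late in enumerate(acl):
        for early in acl[:j]:
            if (early.proto in ("ip", late.proto) and _covers(early.src, late.src)
                    and _covers(early.dst, late.dst)
                    and early.sport in (None, late.sport)
                    and early.dport in (None, late.dport)):
                out.append((late.text, early.text))
                break
    return out
```

Run shadowed() on an ACL before applying it: an entry it reports is dead configuration, and if that entry is a deny, the host it names is being permitted by the earlier entry. The apply() calls with frag_offset set show the default fragment behaviour side by side with fragment filtering.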
ACL filtering for traffic switched within a virtual routing interface
The ACL name or number parameter identifies the ACL. If using a name, specify a string of up to 255 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, "ACL for Net1"). If you specify a number, enter a number from 100 – 199 for extended ACLs.
ICMP filtering for extended ACLs
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded. You can identify the ICMP message either by its name or by its numeric type and code. Refer to Table 115 on page 641 for valid values.
Named ACLs
For example, to deny the administratively-prohibited message type in a named ACL, enter commands such as the following.
TABLE 115 ICMP message types and codes (Continued)
ICMP message type      Type   Code
host-redirect          5      1
host-tos-redirect      5      3
host-tos-unreachable   3      12
host-unreachable       3      1
information-request    15     0
information-reply      16     0
mask-reply             18     0
mask-request           17     0
net-redirect           5      0
net-tos-redirect       5      2
net-tos-unreachable    3      11
net-unreachable        3      0
packet-too-big         3      4
parameter-problem      12     0
port-unreachable       3      3
precedence-cutoff      3      15
prot
Disabling internal ACLs for BGP and BFD 22 Disabling internal ACLs for BGP and BFD To disable internal ACLs for BGP and BFD, use the hw-optimization bgp | bfd command. To deny BGP traffic on the interface 1/15, enter the following commands.
Chapter 23 Policy-Based Routing
In this chapter
• Policy-Based Routing (PBR)
• Configuration considerations
• Configuring a PBR policy
• Configuration examples
• Trunk formation
• PBR ignores explicit or implicit deny ip any any ACL entries, to ensure that for route maps that use multiple ACLs, the traffic is compared to all the ACLs. PBR also ignores any deny clauses in an ACL. Traffic that matches a deny clause is routed normally using Layer 3 paths.
• PBR always selects the first next hop from the next hop list that is up. If a PBR policy's next hop goes down, the policy uses another next hop if available.
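The two rules above, as an added example that is not part of the Brocade guide: a Python model of how a PBR route map picks a next hop. Route-map entries are tried in sequence order; an ACL deny clause (or the implicit deny) does not policy-route the packet and does not stop evaluation, so later entries are still tried; if no entry permits, the packet is routed normally; within the chosen entry the first next hop that is up is used. ACLs are reduced to (action, source network) pairs, which is what the standard ACLs in this chapter's examples match on, and the route map, ACL contents and next-hop state below are constructed. The security point the model makes concrete: a deny in a PBR ACL is not a filter. It only excludes traffic from policy routing, so do not rely on it to drop anything.

```python
import ipaddress


def acl_verdict(acl, src):
    """First-match over (action, network) pairs on the source address; None = no match."""
    ip = ipaddress.ip_address(src)
    for action, net in acl:
        if ip in ipaddress.ip_network(net):
            return action
    return None


def pbr_next_hop(route_map, acls, src, hop_up):
    """Next hop for a packet from `src`, or None when it is routed normally.

    route_map: list of (sequence, acl_id, [next_hop, ...]) permit entries
    acls:      acl_id -> [(action, network), ...]
    hop_up:    next_hop -> True if the next hop is reachable
    """
    for _seq, acl_id, hops in sorted(route_map):
        if acl_verdict(acls[acl_id], src) != "permit":
            continue                  # deny or no match: entry ignored, keep looking
        for hop in hops:              # first next hop in the list that is up
            if hop_up.get(hop, False):
                return hop
        return None                   # every next hop down: normal Layer 3 forwarding
    return None                       # nothing permitted: normal Layer 3 forwarding


# Constructed policy (simplified from the chapter's examples to source-address ACLs).
ACLS = {
    101: [("permit", "10.10.10.0/24")],
    51: [("deny", "209.157.24.5/32"), ("permit", "209.157.24.0/24")],
}
ROUTE_MAP = [
    (101, 101, ["1.1.1.1", "1.1.1.2"]),
    (51, 51, ["192.168.2.2"]),
]

if __name__ == "__main__":
    up = {"1.1.1.1": False, "1.1.1.2": True, "192.168.2.2": True}
    for src in ("10.10.10.9", "209.157.24.7", "209.157.24.5", "172.16.0.1"):
        print(src, "->", pbr_next_hop(ROUTE_MAP, ACLS, src, up) or "routed normally")
```

Note that 209.157.24.5 hits the deny clause in ACL 51 and is simply routed by the normal forwarding table; if the intent was to block that host, that needs an ACL applied with ip access-group, not a PBR ACL.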
Syntax: [no] access-list deny | permit host |
Syntax: [no] access-list deny | permit any
The parameter is the access list number and can be from 1 – 99. The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded). The parameter specifies the source IP address. Alternatively, you can specify the host name.
23 Configuring a PBR policy Configure the route map After you configure the ACLs, you can configure a PBR route map that matches based on the ACLs and sets routing information in the IP traffic. NOTE The match and set statements described in this section are the only route-map statements supported for PBR. Other route-map statements described in the documentation apply only to the protocols with which they are described. To configure a PBR route map, enter commands such as the following.
Configuration examples 23 Enabling PBR After you configure the ACLs and route map entries, you can enable PBR globally, on individual interfaces, or both as described in this section. To enable PBR, you apply a route map you have configured for PBR globally or locally. Enabling PBR globally To enable PBR globally, enter a command such as the following at the global CONFIG level.
BigIron RX(config)# access-list 101 permit tcp 10.10.10.0 0.0.0.255 eq http 5.5.5.0 0.0.0.255
BigIron RX(config)# route-map net10web permit 101
BigIron RX(config-routemap net10web)# match ip address 101
BigIron RX(config-routemap net10web)# set ip next-hop 1.1.1.1
BigIron RX(config-routemap net10web)# set ip next-hop 2.2.2.
BigIron RX(config)# route-map test-route permit 51
BigIron RX(config-routemap test-route)# match ip address 51
BigIron RX(config-routemap test-route)# set ip next-hop 192.168.2.2
BigIron RX(config-routemap test-route)# exit
The following commands configure the third entry in the test-route route map. This entry (permit 52) matches on the IP address information in ACL 52 above. For IP traffic from subnet 209.157.25.0/24, this route map entry sets the next-hop IP address to 192.
Trunk formation
When a trunk is formed, the PBR policy on the primary port applies to all the secondary ports. If a different PBR policy exists on a secondary port at the time of trunk formation, that policy is overridden by the PBR policy on the primary port. If the primary port does not have a PBR policy, the secondary ports will not have any PBR policy either. When a trunk is removed, reload the device to restore any PBR policies that were originally configured on the secondary ports.
Chapter 24 Configuring IP Multicast Protocols
In this chapter
• Overview of IP multicasting
• Multicast terms
• Changing global IP multicast parameters
• IP multicast boundaries
Multicast terms
PIM and DVMRP are broadcast-and-prune multicast protocols that deliver IP multicast datagrams. Both employ a reverse path forwarding (RPF) check and pruning to build source-specific multicast delivery trees that reach all group members. DVMRP and PIM build a different multicast tree for each source and destination host group. Both DVMRP and PIM can operate concurrently on different ports of a BigIron RX. Also, the CAM can hold up to 1535 IPv4 multicast entries.
Defining the maximum number of DVMRP cache entries
The DVMRP cache system parameter defines the maximum number of DVMRP multicast cache entries; each entry tracks the traffic for one source address and destination group pair. To define this maximum, enter a command such as the following.
BigIron RX(config)# system-max dvmrp-mcache 500
Syntax: system-max dvmrp-mcache
The parameter specifies the maximum number of multicast cache entries for DVMRP.
Configuring multicast boundaries
To define boundaries for PIM-enabled interfaces, enter commands such as the following.
BigIron RX(config)# interface ve 40
BigIron RX(config-vif-40)# ip multicast-boundary MyBrocadeAccessList
Syntax: [no] ip multicast-boundary
Use the acl-spec parameter to give the number or name of an access list that controls the range of group addresses affected by the boundary.
• If a directly connected source passed the source RPF check and completed data registration with the RP, or
• If a non-directly connected source passed the source RPF check.
In PIM-DM:
• The route has no OIF, and
• the source passed the source RPF check, and
• the router has no downstream PIM neighbor.
If the OIF is inserted after the hardware-drop entries are installed, the hardware entries are updated to include the OIFs.
Changing IGMP V1 and V2 parameters
• IGMP group membership time - Specifies how many seconds an IP multicast group can remain on a BigIron RX interface in the absence of a group report. Possible values are 1 – 7200. The default is 260.
• IGMP maximum response time - Specifies how many seconds the BigIron RX will wait for an IGMP response from an interface before concluding that the group member on that interface is down and removing the interface from the group. Possible values are 1 – 10.
Adding an interface to a multicast group 24 Adding an interface to a multicast group You can manually add an interface to a multicast group. This is useful in the following cases: • Hosts attached to the interface are unable to add themselves as members of the group using IGMP. • There are no members for the group attached to the interface.
24 IGMP v3 In contrast, IGMP V3 provides selective filtering of traffic based on traffic source. A router running IGMP V3 sends queries to every multicast enabled interface at the specified interval. These general queries determine if any interface wants to receive traffic from the router. The following are the three variants of the Query message: • A "General Query" is sent by a multicast router to learn the complete multicast reception state of the neighboring interfaces.
Default IGMP version
IGMP V3 is available for BigIron RX switches; however, these devices ship with IGMP V2 enabled. You must enable IGMP V3 globally or per interface. You can specify which version of IGMP runs on a device globally, on each interface (physical port or virtual routing interface), and on each physical port within a virtual routing interface. If you do not specify an IGMP version, IGMP V2 is used.
24 IGMP v3 Syntax: [no] ip igmp version Enter 1, 2, or 3 for . Version 2 is the default version. Enabling the IGMP version on a physical port within a virtual routing interface To specify the IGMP version recognized by a physical port that is a member of a virtual routing interface, enter a command such as the following.
IGMP v3 24 If a client sends a leave message, the client is immediately removed from the group. If a client does not send a report during the specified group membership time (the default is 140 seconds), that client is removed from the tracking list. To enable the tracking and fast leave feature, enter commands such as the following.
To modify the default value for the IGMP query interval, enter the following.
BigIron RX(config)# ip igmp query-interval 120
Syntax: ip igmp query-interval <10-3600>
Keep the query interval well under half the group membership time: the membership time should be a little more than twice the query interval, so that a member can miss one query without its group being aged out.
Setting the group membership time
Group membership time defines how long a group will remain active on an interface in the absence of a group report. Possible values are from 20 – 7200 seconds and the default value is 260 seconds.
BigIron RX# show ip igmp group 239.0.0.1 detail
Display group 239.0.0.1 in all interfaces.
Interface v18 : 1 groups
    group       phy-port   static   querier   life   mode      #_src
1   239.0.0.1   e4/20      no       yes              include   19
    group: 239.0.0.1, include, permit 19
    (source, life): (3.3.3.1 40) (3.3.3.2 40) (3.3.3.3 40) (3.3.3.4 40) (3.3.3.5 40) (3.3.3.6 40) (3.3.3.7 40) (3.3.3.8 40) (3.3.3.9 40) (3.3.3.10 40) (3.3.3.11 40) (3.3.3.12 40) (3.3.3.13 40) (3.3.3.14 40) (3.3.3.15 40) (3.3.3.16 40) (3.3.3.17 40) (3.3.3.18 40) (3.3.
This field   Displays
Mode         The current mode of the interface: Include or Exclude. If the interface is in Include mode, it admits traffic only from the source list. If an interface is in Exclude mode, it denies traffic from the source list and accepts the rest.
#_src        Identifies the source list that will be included or excluded on the interface.
This field               Displays
Group membership time    The number of seconds a multicast group can remain active on this interface without a group report before it ages out.
This field   Displays
ALLOW        Number of times that additional source addresses were allowed or denied on the interface.
BLK          Number of times that sources were removed from an interface.
Clearing IGMP statistics
To clear statistics for IGMP traffic, enter the following command.
BigIron RX# clear ip igmp traffic
Syntax: clear ip igmp traffic
This command clears all the multicast traffic information on all interfaces on the device.
Configuring a static multicast route
NOTE: In IP multicasting, a route is handled in terms of its source, rather than its destination.
You can use the ethernet / parameter to specify a physical port or the ve parameter to specify a virtual interface.
NOTE: The ethernet / parameter does not apply to PIM SM.
The distance parameter sets the administrative distance for the route.
Next hop validation check
You can configure the BigIron RX to perform multicast validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC address. The ARP validation check is enabled globally. When the feature is enabled, a multicast route is installed only after the next-hop ARP entry has been resolved.
Configuring an ARP validation check
To enable the ARP validation check globally, enter a command such as the following.
PIM dense 24 PIM was introduced to simplify some of the complexity of the routing protocol at the cost of additional overhead tied with a greater replication of forwarded multicast packets. PIM is similar to DVMRP in that PIM builds source-routed multicast delivery trees and employs reverse path check when forwarding multicast packets. There are two modes in which PIM operates: Dense and Sparse. The Dense Mode is suitable for densely populated multicast groups, primarily in the LAN environment.
FIGURE 100 Transmission of multicast packets from the source to host group members
[Figure: a video conferencing server at 207.95.5.1 sends to group 229.225.0.1, the (Source, Group) pair (207.95.5.1, 229.225.0.1). Routers R1 through R6 form the delivery tree; group members hang off the edges, while some leaf nodes and an intermediate node have no group members.]
FIGURE 101 Pruning leaf nodes from a multicast tree
[Figure: the same topology as Figure 100. A leaf node with no group members sends a Prune message to its upstream router (R4).]
The primary difference between PIM DM V1 and V2 is the method each uses for messaging:
• PIM DM V1 - uses IGMP to send messages.
• PIM DM V2 - sends messages to the multicast address 224.0.0.13 (ALL-PIM-ROUTERS) with protocol number 103.
The CLI commands for configuring and managing PIM DM are the same for V1 and V2. The only difference is the command you use to enable the protocol on an interface.
The behavior of the [no] router pim command is as follows:
• Entering the router pim command to enable PIM does not require a software reload.
• Entering the no router pim command removes all PIM multicast configuration on a BigIron RX (router pim level) only.
Enabling a PIM version
To enable PIM on an interface, first enable PIM globally, then enable it on the interface. To enable PIM on interface 1/3, enter the following commands.
The default is 180 seconds.
Modifying hello timer
This parameter defines the interval at which periodic hellos are sent out PIM interfaces. Routers use hello messages to inform neighboring routers of their presence. The default rate is 60 seconds.
To apply a PIM hello timer of 120 seconds to all ports on the router operating with PIM, enter the following.
BigIron RX(config)# router pim
BigIron RX(config-pim-router)# hello-timer 120
Syntax: hello-timer <10-3600>
The default is 60 seconds.
BigIron RX(config)# show ip pim dense
Global PIM Dense Mode Settings
Hello interval: 60, Neighbor timeout: 180
Graft Retransmit interval: 180, Inactivity interval: 180
Route Expire interval: 200, Route Discard interval: 340
Prune age: 180, Prune wait: 3
Syntax: show ip pim dense
Modifying graft retransmit timer
The Graft Retransmit Timer defines the interval between the transmission of graft messages. A graft message is sent by a router to cancel a prune state.
Total number of IP routes: 19
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
   Destination   NetMask           Gateway         Port   Cost   Type
..
9  172.17.41.4   255.255.255.252   *137.80.127.3   v11    2
   172.17.41.4   255.255.255.252   137.80.126.3    v10    2
   172.17.41.4   255.255.255.252   137.80.129.1    v13    2
   172.17.41.4   255.255.255.252   137.80.128.3    v12    2
   172.17.41.8   255.255.255.252   0.0.0.
FIGURE 102 Example PIM Sparse domain
[Figure: PIM Sparse routers A, B and C. Router B (Port 2/1 207.95.8.10, Port 2/2 207.95.7.1) is also the Bootstrap Router (BSR) for this PIM Sparse domain and the Rendezvous Point (RP) for the PIM Sparse groups in it. The other two routers reach B over their Port 3/8 interfaces (207.95.8.1 and 207.95.7.2), which is the RP path, and reach each other directly over VE 1 (207.95.6.1 and 207.95.6.2), which is the Shortest Path Tree (SPT) path. The source for group 239.255.162.1 is 209.157.24.162; the receiver for group 239.]
24 PIM Sparse from a group source to the group’s receivers. After the first packet, the BigIron RX calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver. The BigIron RX calculates a separate SPT for each source-receiver pair. NOTE Brocade recommends that you configure the same ports as candidate BSRs and RPs.
NOTE: Brocade recommends that you configure the same BigIron RX as both the BSR and the RP.
Current limitations
The implementation of PIM Sparse in the current software release has the following limitations:
• PIM Sparse and regular PIM (dense mode) cannot be used on the same interface.
• You cannot configure or display PIM Sparse information using the Web management interface. (You can display some general PIM information, but not specific PIM Sparse information.
24 PIM Sparse If the interface is on the border of the PIM Sparse domain, you also must enter the following command. BigIron RX(config-if-e10000-2/2)# ip pim border Syntax: [no] ip pim border NOTE You cannot configure a Brocade routing interface as a PMBR interface for PIM Sparse in the current software release.
Syntax: [no] rp-candidate ethernet / | loopback | ve
The ethernet / | loopback | ve parameter specifies the interface. The BigIron RX will advertise the specified interface's IP address as a candidate RP.
• Enter ethernet / for a physical interface (port).
• Enter ve for a virtual interface.
• Enter loopback for a loopback interface.
24 PIM Sparse Statically specifying the RP Brocade recommends that you use the PIM Sparse protocol’s RP election process so that a backup RP can automatically take over if the active RP router becomes unavailable. However, if you do not want the RP to be selected by the RP election process but instead you want to explicitly identify the RP by its IP address, use the rp-address command.
Syntax: rp-address []
Use the ip address parameter to specify the IP address of the router you want to designate as an RP router. Use the optional acl name or id parameter to specify the name or ID of the ACL that defines which multicast groups use this RP.
Displaying the static RP
Use the show ip pim rp-set command to display the static RP and the associated group ranges.
Route selection precedence for multicast
• Non-default route from the mRTM
• Default route from the mRTM
• Non-default route from the uRTM
• Default route from the uRTM
Using this command you may specify an option for all of the precedence levels. To specify a non-default route from the mRTM, then a non-default route from the uRTM, then a default route from the mRTM, and then a default route from the uRTM, enter commands such as the following.
v125   125.0.0.1   SM   V2   Itself   1   None
v126   126.0.0.1   SM   V2   Itself   1   None
v127   127.0.0.1   SM   V2   Itself   1   None
l1     1.0.8.1     SM   V2   Itself   1   None
This example displays the route precedence selection as multicast non-default, then unicast non-default, then multicast default, and then unicast default.
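The route selection precedence above, and the RPF check that consumes its result (the check both PIM and DVMRP apply before accepting a multicast packet), as an added example that is not part of the Brocade guide. It is a Python model: two constructed route tables, mRTM and uRTM, each a dictionary of prefix to (next hop, interface) with 0.0.0.0/0 as the default route; rpf_lookup() walks the four precedence levels in the configured order and returns the first table and route that answers; rpf_check() accepts a packet only if it arrived on the interface that route points to. The two orders below are the one listed in the guide and the one from the example just shown, and the test source 172.16.5.5 is chosen so that they disagree.

```python
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed tables: prefix -> (next hop, interface). Not taken from the guide.
MRTM = {"10.1.0.0/16": ("10.255.0.1", "v10"), "0.0.0.0/0": ("10.255.0.254", "v99")}
URTM = {"10.1.2.0/24": ("10.254.0.1", "v21"), "172.16.0.0/12": ("172.31.0.1", "v30"),
        "0.0.0.0/0": ("192.0.2.1", "e1/1")}

# Precedence orders: the guide's list, and the configured example shown above.
ORDER_LISTED = ("mc-non-default", "mc-default", "uc-non-default", "uc-default")
ORDER_EXAMPLE = ("mc-non-default", "uc-non-default", "mc-default", "uc-default")


def lookup(table, src, default_only):
    """Longest-prefix match in one table, restricted to default or non-default routes."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, via in table.items():
        net = ipaddress.ip_network(prefix)
        if (net == DEFAULT) != default_only:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def rpf_lookup(src, mrtm, urtm, precedence):
    """Return (table, route, (next hop, interface)) from the first precedence level that answers."""
    tables = {"mc": mrtm, "uc": urtm}
    for level in precedence:
        name, kind = level.split("-", 1)          # "mc-non-default" -> ("mc", "non-default")
        hit = lookup(tables[name], src, default_only=(kind == "default"))
        if hit is not None:
            return name, hit[0], hit[1]
    return None


def rpf_check(src, in_iface, mrtm, urtm, precedence):
    """RPF check: accept only if the packet arrived on the interface the RPF route uses."""
    hit = rpf_lookup(src, mrtm, urtm, precedence)
    return hit is not None and hit[2][1] == in_iface


if __name__ == "__main__":
    for order in (ORDER_LISTED, ORDER_EXAMPLE):
        print(order, "->", rpf_lookup("172.16.5.5", MRTM, URTM, order))
```

Under the listed order the mRTM default route wins for 172.16.5.5 and a packet arriving on v30 fails RPF and is dropped; under the example order the uRTM /12 wins and the same packet passes. That is the operational reason to check the precedence setting when a multicast source with a perfectly good unicast route is silently not forwarded.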
24 Displaying PIM Sparse configuration information and statistics You can change the number of packets that the BigIron RX sends using the RP before switching to using the SPT. To change the number of packets the BigIron RX sends using the RP before switching to the SPT, enter commands such as the following. BigIron RX(config)# router pim BigIron RX(config-pim-router)# spt-threshold 1000 Syntax: [no] spt-threshold infinity | The infinity | parameter specifies the number of packets.
Displaying PIM Sparse configuration information and statistics
• Group information
• BSR information
• Candidate RP information
• RP-to-group mappings
• RP information for a PIM Sparse group
• RP set list
• PIM neighbor information
• The PIM flow cache
• The PIM multicast cache
• PIM traffic statistics
Displaying basic PIM Sparse configuration information
To display PIM Sparse configuration information, enter the following command at any CLI level.
24 Displaying PIM Sparse configuration information and statistics This field... Displays... Bootstrap Msg interval How frequently the BSR configured on the BigIron RX sends the RP set to the RPs within the PIM Sparse domain. The RP set is a list of candidate RPs and their group prefixes. A candidate RP’s group prefix indicates the range of PIM Sparse group numbers for which it can be an RP. NOTE: This field contains a value only if an interface on the BigIron RX is elected to be the BSR.
Displaying PIM Sparse configuration information and statistics This field... Displays... Total number of Groups Lists the total number of IP multicast groups the BigIron RX is forwarding. 24 NOTE: This list can include groups that are not PIM Sparse groups. If interfaces on the BigIron RX are configured for regular PIM (dense mode) or DVMRP, these groups are listed too. Index The index number of the table entry in the display.
24 Displaying PIM Sparse configuration information and statistics This field... Displays... Hash mask length The number of significant bits in the IP multicast group comparison mask. This mask determines the IP multicast group numbers for which the BigIron RX can be a BSR. The default is 32 bits, which allows the BigIron RX to be a BSR for any valid IP multicast group number. NOTE: This field appears only if this BigIron RX is a candidate BSR.
Displaying PIM Sparse configuration information and statistics 24 This field... Displays... Candidate-RP-advertisement in Indicates how many seconds will pass before the BSR sends its next RP message. NOTE: This field appears only if this BigIron RX is a candidate RP. RP Indicates the IP address of the Rendezvous Point (RP). NOTE: This field appears only if this BigIron RX is a candidate RP.
24 Displaying PIM Sparse configuration information and statistics This field... Displays... RP Indicates the IP address of the Rendezvous Point (RP) for the specified PIM Sparse group. Following the IP address is the port or virtual interface through which this BigIron RX learned the identity of the RP. Info source Indicates the IP address on which the RP information was received. Following the IP address is the method through which this BigIron RX learned the identity of the RP.
BigIron RX(config-pim-router)# show ip pim nbr
Port  Neighbor      Holdtime sec  Age sec  UpTime sec
e3/8  207.95.8.10   180           60       900
v1    207.95.6.2    180           60       900

Syntax: show ip pim nbr

This display shows the following information.
This field... Displays...
Port: The interface through which the BigIron RX is connected to the neighbor.
Neighbor: The IP address of the PIM neighbor interface.
BigIron RX# show ip pim rpf 1.2.3.4
no route
BigIron RX# show ip pim rpf 1.10.10.24
upstream neighbor=1.1.20.1 on v21 using ip route

Syntax: show ip pim | dvmrp rpf
where the argument is a valid source IP address.

Displaying the PIM multicast cache
To display the PIM multicast cache, enter the following command at any CLI level.
BigIron RX(config-pim-router)# show ip pim mcache
Total 6 entries
1 (10.161.32.200, 237.0.0.
This field... Displays...
(source, group): The comma-separated values in parentheses are a source-group pair. The source is the PIM source for the multicast group. For example, the following entry means source 209.157.24.162 for group 239.255.162.1: (209.157.24.162,239.255.162.1)
If the source value is * (asterisk), this cache entry uses the RP path. The * value means “all sources”.
Displaying PIM traffic statistics
To display PIM traffic statistics, enter the following command at any CLI level.
The amount of unwanted traffic in the network is reduced, but because each multicast group is associated with a particular host, different hosts can be assigned the same multicast address for different streams. This greatly increases the number of multicast groups that can be used in the network. Another added benefit of SSM is that it increases security by reducing the possibility of a rogue source disrupting the traffic from a legitimate source.
FIGURE 103 PIM Sparse domains joined by MSDP routers
[Figure: PIM Sparse Domain 1 and PIM Sparse Domain 2, each with a Designated Router (DR) and a Rendezvous Point (RP). Source 206.251.14.22 sends to group 232.1.0.95; the receiving RP is 206.251.17.41. Callouts: 1. (cut off in the source); 2. RP sends SA message through MSDP to its MSDP peers in other PIM Sparse domains; 3. RP that receives the SA floods the SA to all its MSDP peers, except the one that sent the SA.]
Peer Reverse Path Forwarding (RPF) flooding
When the MSDP router (also the RP) in domain 2 receives the Source Active message from its peer in domain 1, the MSDP router in domain 2 forwards the message to all its other peers. The propagation process is sometimes called “peer Reverse Path Forwarding (RPF) flooding”. This term refers to the fact that the MSDP router uses its PIM Sparse RPF tree to send the message to its peers within the tree.
• Configure the MSDP peers

NOTE
The PIM Sparse Rendezvous Point (RP) is also an MSDP peer. Routers that run MSDP must also run BGP. Also, the source address used by the MSDP router must be the same source address used by BGP.

Enabling MSDP

NOTE
You must save the configuration and reload the software to place the change into effect.

To enable MSDP, enter the following commands.
Designating an interface’s IP address as the RP’s IP address
When an RP receives a Source Active message, it checks its PIM Sparse multicast group table for receivers for the group. If it finds a receiver, the RP sends a Join message for that receiver back to the RP that originated the Source Active message. The originator RP is identified by its RP address.
The following commands configure an IP address on port 3/1. This is the port on which the MSDP neighbors will be configured.
BigIron RX(config)# interface ethernet 3/1
BigIron RX(config-if-e1000-3/1)# ip address 2.2.2.98/24
BigIron RX(config-if-e1000-3/1)# exit
The following commands configure a loopback interface. The BigIron RX will use this interface as the source address for communicating with the MSDP neighbors.
NOTE
The default action is to deny all source-group pairs from the specified neighbor. If you want to permit some pairs, use route maps.
• sa-filter in 2.2.2.97 route-map msdp_map – This command ignores source-group pairs received from neighbor 2.2.2.97 if the pairs have source address 10.x.x.x and any group address.
• sa-filter in 2.2.2.
The following commands configure a route map. The map matches on source address 10.x.x.x and any group address. Since the action is deny, the Source-Active filter that uses this route map will remove the source-group pairs that match this route map from the Source-Active messages to the neighbor.
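The Source-Active filter described above, as an added example that is not Brocade code: a small route-map evaluator run over constructed SA pairs, with the no-route-map case dropping every pair as the NOTE states. The RouteMapEntry model and the "permit" fall-through for pairs that match no entry are assumptions chosen to reproduce the page's description (only 10.x.x.x pairs are ignored).

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# A source-group pair as carried in an MSDP Source-Active (SA) message.
SAPair = Tuple[str, str]


class RouteMapEntry:
    """One route-map instance (hypothetical model of the CLI's
    "route-map ... permit|deny" plus its match statements).

    source/group are prefixes to match; None means "any".
    """

    def __init__(self, action: str, source: Optional[str] = None,
                 group: Optional[str] = None) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.action = action
        self.source = ipaddress.ip_network(source) if source else None
        self.group = ipaddress.ip_network(group) if group else None

    def matches(self, pair: SAPair) -> bool:
        src, grp = (ipaddress.ip_address(a) for a in pair)
        if self.source is not None and src not in self.source:
            return False
        if self.group is not None and grp not in self.group:
            return False
        return True


def apply_sa_filter(pairs: Iterable[SAPair],
                    route_map: Optional[List[RouteMapEntry]],
                    unmatched: str = "permit") -> List[SAPair]:
    """Return the source-group pairs that survive an inbound SA filter.

    route_map=None models "sa-filter in <neighbor>" with no route map:
    the page's default, which drops every pair from that neighbor.
    Otherwise the first matching entry decides. Pairs matching no entry
    get the `unmatched` verdict (assumption: "permit" by default).
    """
    if route_map is None:
        return []
    kept: List[SAPair] = []
    for pair in pairs:
        verdict = unmatched
        for entry in route_map:
            if entry.matches(pair):
                verdict = entry.action
                break
        if verdict == "permit":
            kept.append(pair)
    return kept


# Constructed SA content, as a peer such as 2.2.2.97 might advertise.
SAMPLE_SA: List[SAPair] = [
    ("10.1.1.5", "239.1.1.1"),        # private 10.x.x.x source
    ("10.200.3.9", "232.1.0.95"),     # also 10.x.x.x
    ("100.100.1.254", "232.1.0.95"),  # source seen in the page's sa-cache output
    ("206.251.14.22", "237.1.0.98"),
]

# msdp_map from the page: deny source 10.x.x.x with any group address.
MSDP_MAP = [RouteMapEntry("deny", source="10.0.0.0/8")]


def filtered_with_map() -> List[SAPair]:
    """Pairs accepted when msdp_map is applied inbound."""
    return apply_sa_filter(SAMPLE_SA, MSDP_MAP)


def filtered_without_map() -> List[SAPair]:
    """Pairs accepted with sa-filter in and no route map (all denied)."""
    return apply_sa_filter(SAMPLE_SA, None)


if __name__ == "__main__":
    for p in filtered_with_map():
        print("accepted", p)
```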
TABLE 116 MSDP source active cache
This field... Displays...
Total Entry: The total number of entries the cache can hold.
Used: The number of entries the cache currently contains.
Free: The number of additional entries for which the cache has room.
Index: The cache entry number.
SourceAddr: The IP address of the multicast source.
GroupAddr: The IP multicast group to which the source is sending information.
FIGURE 104 Example of MSDP mesh group
[Figure: PIM Sparse Domain 1 containing Mesh GroupA with RPs 206.251.18.31, 206.251.21.31, 206.251.20.31 and 206.251.19.31, a Designated Router (DR), and source 206.251.14.22 for group 232.1.0.95. Callouts: 1. (cut off in the source); 2. RP sends an SA message to its peers within the domain; 3. RPs within the domain receive the SA message and flood it to their peers in other PIM Sparse domains.]
Syntax: [no] mesh-group
The sample configuration above reflects the configuration in Figure 104. On RP 206.251.21.31 you specify its peers within the same domain (206.251.21.31, 206.251.17.31, and 206.251.13.31). You first configure the MSDP peers using the msdp-peer command to assign their IP addresses and the loopback interfaces. This information will be used as the source for sessions with the neighbor.
Configuration for Device A
The following set of commands configures the MSDP peers of Device A (1.1.1.1) that are inside and outside MSDP mesh group 1234. Device A’s peers inside the mesh group 1234 are 1.1.2.1, 1.1.3.1, and 1.1.4.1. Device 17.17.17.7 is a peer of Device A, but is outside mesh group 1234. Multicast is enabled on Device A’s interfaces. PIM and BGP are also enabled.
The following set of commands configures the MSDP peers of Device B. All Device B’s peers (1.1.1.1, 1.1.3.1, and 1.1.4.1) are in the MSDP mesh group 1234. Multicast is enabled on Device B’s interfaces. PIM and BGP are also enabled.
BigIron RX(config)# router pim
BigIron RX(config)# router msdp
BigIron RX(config-msdp-router)
Displaying MSDP information
You can display the following MSDP information:
• Summary information – the IP addresses of the peers, the state of the BigIron RX’s MSDP session with each peer, and statistics for Keepalive, Source Active, and Notification messages sent to and received from each of the peers.
• Peer information – the IP address of the peer, along with detailed MSDP and TCP statistics.
Displaying peer information
To display MSDP peer information, use the following CLI method.
BigIron RX# show ip msdp peer
Total number of MSDP Peers: 2
1 IP Address 206.251.17.
TABLE 118 MSDP peer information (Continued)
This field... Displays...
Keep Alive Message Received: The number of Keep Alive messages the MSDP router has received from the peer.
Notifications Sent: The number of Notification messages the MSDP router has sent to the peer.
Notifications Received: The number of Notification messages the MSDP router has received from the peer.
Source-Active Sent: The number of Source Active messages the MSDP router has sent to the peer.
TABLE 118 MSDP peer information (Continued)
This field... Displays...
TCP connection state: The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
Displaying source active cache information
To display the Source Actives in the MSDP cache, use the following CLI method.
BigIron RX# show ip msdp sa-cache
Total Entry 4096, Used 1800 Free 2296
Index SourceAddr GroupAddr Age
1 (100.100.1.254, 232.1.0.95), RP:206.251.17.41, Age:0
2 (100.100.1.254, 237.1.0.98), RP:206.251.17.41, Age:30
3 (100.100.1.254, 234.1.0.48), RP:206.251.17.41, Age:30
4 (100.100.1.254, 239.1.0.51), RP:206.251.17.41, Age:30
5 (100.100.1.
BigIron RX# clear ip msdp peer 205.216.162.1
Remote connection closed

Syntax: clear ip msdp peer
The command in this example clears the MSDP peer connection with MSDP router 205.216.162.1. The CLI displays a message to indicate when the connection has been successfully closed.

Clearing the source active cache
To clear the entries from the Source Active cache, enter the following command at the Privileged EXEC level of the CLI.
Initiating DVMRP multicasts on a network
Once DVMRP is enabled on each router, a network user can begin a video conference multicast from the server on R1. Multicast Delivery Trees are initially formed by source-originated multicast packets that are propagated to downstream interfaces as seen in Figure 106.
FIGURE 106 Downstream broadcast of IP multicast packets from source host
[Figure: Video Conferencing Server 207.95.5.1 sends to group 229.225.0.1, shown as the (Source, Group) pair (207.95.5.1, 229.225.0.1). Routers R1 through R6, with R1 attached to the server. Leaf nodes and an intermediate node with no group members are marked; the other nodes have group members.]
FIGURE 107 Pruning leaf nodes from a multicast tree
[Figure: the same topology as Figure 106 (server 207.95.5.1, group 229.225.0.1, routers R1 through R6). A leaf node with no group members sends a Prune message to its upstream router (R4).]
Configuring DVMRP

Enabling DVMRP globally and on an interface
Suppose you want to initiate the use of desktop video for fellow users on a sprawling campus network. All destination workstations have the appropriate hardware and software but the BigIron RXes that connect the various buildings need to be configured to support DVMRP multicasts from the designated video conference server as seen in Figure 106.
• Route expire time
• Route discard time
• Prune age
• Graft retransmit time
• Probe interval
• Report interval
• Trigger interval
• Default route

Modifying neighbor timeout
The neighbor timeout specifies the period of time that a router will wait before it defines an attached DVMRP neighbor router as down. Possible values are 40 – 8000 seconds. The default value is 180 seconds. To modify the neighbor timeout value to 100, enter the following.
Modifying graft retransmit time
The Graft Retransmit Time defines the initial period of time that a router sending a graft message will wait for a graft acknowledgement from an upstream router before re-transmitting that message. Subsequent retransmissions are sent at an interval twice that of the preceding interval. Possible values are from 5 – 3600 seconds. The default value is 10 seconds. To modify the setting for graft retransmit time to 120, enter the following.
BigIron RX(config-dvmrp-router)# default-gateway 192.35.4.1
Syntax: default-gateway

Modifying DVMRP interface parameters
DVMRP global parameters come with preset values. The defaults work well in most networks, but you can modify the following interface parameters if you need to:
• TTL
• Metric
• Advertising

Modifying the TTL
The TTL defines the minimum value required in a packet in order for the packet to be forwarded out the interface.
Displaying information about an upstream neighbor device
You can view information about the upstream neighbor device for a given source IP address for IP PIM packets. The software uses the IP route table or multicast route table to look up the upstream neighbor device.
The following shows example messages that the Brocade device can display with this command.
BigIron RX# show ip dvmrp rpf 1.1.20.
NOTE
Regardless of the administrative distances, the BigIron RX Series router always prefers directly connected routes over other routes.

FIGURE 108 Example multicast static routes
[Figure: PIM Routers A, B, C and D, and a client in multicast group 239.255.162.1. Interface addresses shown: 9.9.9.101 (e6/14), 207.95.6.1 (e4/11), 207.95.6.2 (e1/2), 207.95.7.2 (e2/3), 207.95.7.1 (e1/4), 207.95.8.10 (e1/5), 207.95.8.1 (e1/8), 8.8.8.164 (e3/11) and 209.157.24. (e3/19, cut off in the source).]
When you enable IP Multicast Traffic Reduction, you also can configure the following features:
• IGMP mode – When you enable IP Multicast Traffic Reduction, the device passively listens for IGMP Group Membership reports by default. If the multicast domain does not have a to send IGMP queries to elicit these Group Membership reports, you can enable the device to actively send the IGMP queries.
NOTE
When one or more BigIron RX devices are running Layer 2 IP Multicast Traffic reduction, configure one of the devices for active IGMP and leave the other devices configured for passive IGMP. However, if the IP multicast domain contains a multicast-capable, configure all the BigIron RX devices for passive IGMP and allow the to actively send the IGMP queries.
• Passive – When passive IGMP mode is enabled, the switch listens for IGMP Group Membership reports on the VLAN instance specified but does not send IGMP queries. The passive mode is called “IGMP snooping”. Use this mode when another device in the VLAN instance is actively sending queries.
• Passive – When passive IGMP mode is enabled, the device listens for IGMP Group Membership reports but does not send IGMP queries. The passive mode is sometimes called “IGMP snooping”. Use this mode when another device in the network is actively sending queries.
To enable active IGMP, enter the following command.
When the device starts up, it forwards all multicast groups even though multicast traffic filters are configured. This process continues until the device receives a group membership report. Once the group membership report is received, the device drops all multicast packets for groups other than the ones for which the device has received the group membership report. To enable IP multicast filtering, enter the following command.
Use the acl-spec parameter to define the number or name identifying an access list that controls the range of group addresses affected by the boundary. Use the port-list parameter to define the member ports on which the ACL is applied. The ACL will be applied to the multicast traffic arriving in both directions. Use the no multicast boundary command to remove the boundary on an IGMP enabled interface.
FIGURE 109 PIM SM traffic reduction in enterprise network
[Figure: The switch snoops for PIM SM join and prune messages. The switch detects a source on port1/1 and a receiver for that source’s group on port5/1. It then forwards multicast data from the source on port1/1 out port5/1 only, which has the receiver. The source sends to groups 239.255.162.1 and 239.255.162. (cut off in the source).]
Figure 110 shows another example application for PIM SM traffic snooping. This example shows devices on the edge of a Global Ethernet cloud (a Layer 2 Packet over SONET cloud). Assume that each device is attached to numerous other devices such as other BigIron RXs.

FIGURE 110 PIM SM traffic reduction in global Ethernet environment
[Figure: Switch A with a source for groups 239.255.162.1 and 239.255.162.69 on VLAN 2, Port1/1; a Router 10.10.10.5; and 20.20.20. (cut off in the source).]
• The PIM SM snooping feature assumes that the group source and the device are in different subnets and communicate through a router. The source must be in a different IP subnet than the receivers. A PIM SM router sends PIM join and prune messages on behalf of a multicast group receiver only when the router and the source are in different subnets. When the receiver and source are in the same subnet, they do not need the router in order to find one another.
Syntax: [no] multicast pimsm-snooping

Configuring PIM proxy per VLAN instance
Using the PIM proxy function, multicast traffic can be reduced by configuring a BigIron RX switch to issue PIM join and prune messages on behalf of hosts that the configured switch discovers through standard PIM interfaces. The switch is then able to act as a proxy for the discovered hosts and perform PIM tasks upstream of the discovered hosts.
To configure the snooping device to statically join a multicast stream with the source address of 10.43.1.12 in the include mode, enter commands such as the following.
BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 include 10.43.1.12 uplink
To configure the snooping device to statically join all multicast streams on the uplink interface excluding the stream with source address 10.43.1.
The source-address parameter specifies the IP address of the multicast source. Each address must be added or deleted one line per source. The uplink parameter specifies the port as an uplink port that can receive multicast data for the configured multicast groups. Upstream traffic will be sent to the switch and will not use a port. The port-list parameter specifies the range of ports to include in the configuration.
Chapter 25 Configuring RIP

In this chapter
• Overview of Routing Information Protocol (RIP) . . . 743
• Configuring RIP parameters . . . 743
• Displaying RIP filters . . .
Enabling RIP
RIP is disabled by default. To enable RIP, you must enable it globally and also on individual interfaces on which you want to advertise RIP. Globally enabling the protocol does not enable it on individual interfaces. You can enable the protocol on physical interfaces as well as virtual routing interfaces. When you enable RIP on a port, you also must specify the version (version 1 only, version 2 only, or version 1 compatible with version 2).
Changing the administrative distance
By default, the device assigns the default RIP administrative distance (120) to RIP routes. When comparing routes based on administrative distance, the device selects the route with the lower distance. You can change the administrative distance for RIP routes.

NOTE
Refer to “Changing administrative distances” on page 842 for a list of the default distances for all route sources.
• If the route map contains a permit action, a route that matches a match statement is permitted; otherwise, the route is denied.
• If the route map contains a deny action, a route that matches a match statement is denied.
• If a route does not match any match statements in the route map, the route is denied. This is the default action. To change the default action, configure the last match statement in the last instance of the route map to “permit any any”.
• Learning and advertising of RIP default routes – The device learns and advertises RIP default routes by default. You can disable learning and advertising of default routes on a global or individual interface basis.
• Learning of standard RIP routes – By default, the device can learn RIP routes from all its RIP neighbors. You can configure RIP neighbor filters to explicitly permit or deny learning from specific neighbors.
• Poison reverse – The device assigns a cost of 16 (“infinite” or “unreachable”) to a route before advertising it on the same interface as the one on which the router learned the route. This is the default.
These loop prevention methods are configurable on a global basis as well as on an individual interface basis. One of the methods is always in effect on an interface enabled for RIP. Thus, if you disable one method, the other method is enabled.
Router2(config)# router rip
Router2(config-rip-router)# use-vrrp-path
Syntax: [no] use-vrrp-path
The syntax is the same for VRRP and VRRPE.

Using prefix lists and route maps as route filters
You can configure prefix lists to permit or deny specific routes, then apply them globally or to individual interfaces and specify whether the lists apply to learned routes (in) or advertised routes (out).
BigIron RX(config)# router rip
BigIron RX(config)# interface ethernet 1/2
BigIron RX(config-if-e1000-1/2)# ip rip route-map map1 in
Syntax: [no] ip rip route-map in | out
The route-map can be a prefix list or an ACL. Setting this command can change the metric.
In applies the route map to routes the device learns from its neighbor on the interface.
Out applies the route map to routes the device advertises to its neighbor on the interface.
Syntax: show ip rip
This display shows the following information.

TABLE 120 CLI display of neighbor filter information
This field... Displays...
RIP Summary area
Shows the current configuration of RIP on the device.
Static metric: Shows the static metric configuration. “not defined” means the route map has not been distributed.
OSPF metric: Shows what OSPF route map has been applied.
Neighbor filter table area
Index: The filter number.
Chapter 26 Configuring OSPF Version 2 (IPv4)

In this chapter
• Overview of OSPF (Open Shortest Path First) . . . 753
• Configuring OSPF . . . 759
• Displaying OSPF information . . . 794

Overview of OSPF (Open Shortest Path First)
OSPF is a link-state routing protocol.
An Autonomous System Boundary Router (ASBR) is a router that is running multiple protocols and serves as a gateway to routers outside an area and those operating with different protocols. The ASBR is able to import and translate different protocol routes into OSPF through a process known as redistribution. For more details on redistribution and configuration examples, refer to “Enable route redistribution” on page 779.
Designated router election in multi-access networks
In a network with no designated router and no backup designated router, the neighboring router with the highest priority is elected as the DR, and the router with the next largest priority is elected as the BDR, as shown in Figure 112.

FIGURE 112 Designated and backup router election
[Figure: three routers (A, B and C) with priorities 20, 10 and 5; the router with priority 20 is the Designated Router and the router with priority 10 is the Backup Designated Router.]

If the DR goes
NOTE
By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device. For more information or to change the router ID, refer to “Changing the router ID” on page 185.
FIGURE 114 AS external LSA reduction
[Figure: An OSPF Autonomous System (AS) containing Routers A, B, C, D, E and F, connected to another routing domain (such as BGP4 or RIP). Routers D, E, and F are OSPF ASBRs and EBGP routers. Router D has Router ID 2.2.2.2 and Router E has Router ID 1.1.1.1.]

Notice that both Router D and Router E have a route to the other routing domain through Router F. OSPF eliminates the duplicate AS External LSAs.
• A second ASBR comes on-line
• A second ASBR that is already on-line begins advertising an equivalent route to the same destination.
In either case above, the router with the higher router ID floods the AS External LSAs and the other router flushes its equivalent AS External LSAs. For example, if Router D is offline, Router E is the only source for a route to the external routing domain.
2. Compare the networks that have the same network address, to determine which network is more specific. The more specific network is the one that has more contiguous one bits in its network mask. For example, network 10.0.0.0 255.255.0.0 is more specific than network 10.0.0.0 255.0.0.0, because the first network has 16 one bits (255.255.0.0) whereas the second network has only 8 one bits (255.0.0.0).
• For the less specific network, use the network address as the ID.
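The comparison in step 2, as an added example that is not Brocade code: it counts contiguous one bits in a mask, rejects non-contiguous masks, and assigns an AS External LSA Link State ID to each network. The page's text is cut off after the less-specific case; for the more-specific network this example applies the RFC 2328 Appendix E rule (network address with the host bits set, i.e. the broadcast address), which is not text from the page.

```python
import ipaddress
from typing import Dict, List, Tuple

Network = Tuple[str, str]  # (network address, dotted-decimal mask)


def mask_ones(mask: str) -> int:
    """Count the contiguous one bits in a network mask.

    Raises ValueError for masks whose ones are not contiguous (such as
    255.0.255.0), since the page's comparison assumes a proper prefix mask.
    """
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    expected = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if value != expected:
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def more_specific(net_a: Network, net_b: Network) -> Network:
    """Return the more specific of two networks with the same address,
    i.e. the one whose mask has more one bits (step 2 on the page)."""
    if net_a[0] != net_b[0]:
        raise ValueError("networks must share the same network address")
    return net_a if mask_ones(net_a[1]) > mask_ones(net_b[1]) else net_b


def assign_link_state_ids(networks: List[Network]) -> Dict[Network, str]:
    """Pick an AS External LSA Link State ID for every network.

    A network whose address is unique keeps its network address as the ID.
    When two networks share an address, the less specific one keeps the
    network address (as the page states) and the more specific one gets
    the address with the host bits set, i.e. its broadcast address (the
    RFC 2328 Appendix E rule, applied here as an assumption).
    """
    by_addr: Dict[str, List[Network]] = {}
    for net in networks:
        by_addr.setdefault(net[0], []).append(net)

    ids: Dict[Network, str] = {}
    for addr, group in by_addr.items():
        if len(group) == 1:
            ids[group[0]] = addr
            continue
        if len(group) != 2:
            raise ValueError(f"more than two networks share {addr}")
        specific = more_specific(group[0], group[1])
        general = group[1] if specific is group[0] else group[0]
        ids[general] = addr
        net_obj = ipaddress.IPv4Network(f"{specific[0]}/{specific[1]}")
        ids[specific] = str(net_obj.broadcast_address)
    return ids


# Constructed input: the page's two overlapping networks plus one
# network with a unique address.
SAMPLE_NETWORKS: List[Network] = [
    ("10.0.0.0", "255.255.0.0"),
    ("10.0.0.0", "255.0.0.0"),
    ("192.168.1.0", "255.255.255.0"),
]


def sample_ids() -> Dict[Network, str]:
    """Link State IDs for SAMPLE_NETWORKS."""
    return assign_link_state_ids(SAMPLE_NETWORKS)


if __name__ == "__main__":
    for net, lsid in sample_ids().items():
        print(f"{net[0]} {net[1]} -> Link State ID {lsid}")
```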
Configuration rules
• If a router is to operate as an ASBR, you must enable the ASBR capability at the system level.
• Redistribution must be enabled on routers configured to operate as ASBRs.
• All router ports must be assigned to one of the defined areas on an OSPF router. When a port is assigned to an area, all corresponding subnets on that port are automatically included in the assignment.

OSPF parameters
You can modify or set the following global and interface OSPF parameters.
NOTE
You set global level parameters at the OSPF CONFIG Level of the CLI. To reach that level, enter router ospf… at the global CONFIG Level. Interface parameters for OSPF are set at the interface CONFIG Level using the CLI command, ip ospf…

Enable OSPF on the router
When you enable OSPF on the router, the protocol is automatically activated. To enable OSPF on the router, use the following method.
• ASBRs redistribute (import) external routes into the NSSA as type 7 LSAs. Type-7 External LSAs are a special type of LSA generated only by ASBRs within an NSSA, and are flooded to all the routers within only that NSSA.
• ABRs translate type 7 LSAs into type 5 External LSAs, which can then be flooded throughout the AS. You can configure address ranges on the ABR of an NSSA so that the ABR converts multiple type-7 External LSAs received from the NSSA into a single type-5 External LSA.
The stub parameter specifies an additional cost for using a route to or from this area and can be from 1 – 16777215. There is no default. Normal areas do not use the cost parameter.
The no-summary parameter applies only to stub areas and disables summary LSAs from being sent into the area.
The ABR translates the Type-7 LSAs into Type-5 LSAs. If an area range is configured for the NSSA, the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type-5 LSAs into the backbone. Since the NSSA is partially “stubby” the ABR does not flood external LSAs from the backbone into the NSSA. To provide access to the rest of the Autonomous System (AS), the ABR generates a default Type-7 LSA into the NSSA.

Configuring an NSSA
To configure OSPF area 1.1.1.
The advertise | not-advertise parameter specifies whether you want the device to send type 3 LSAs for the specified range in this area. The default is advertise.

Assigning an area range (optional)
You can assign a range for an area, but it is not required. Ranges allow a specific IP address and mask to represent a range of IP addresses within an area, so that only that reference range address is advertised to the network, instead of all the addresses within that range.
• ip ospf hello-interval
• ip ospf md5-authentication key-activation-wait-time | key-id [0 | 1] key
• ip ospf passive
• ip ospf priority
• ip ospf retransmit-interval
• ip ospf transmit-delay
For a complete description of these parameters, see the summary of OSPF port parameters in the next section.

OSPF interface parameters
The following parameters apply to OSPF interfaces.
Area: Assigns an interface to a specific area.
MD5-authentication activation wait time: The number of seconds the device waits until placing a new MD5 key into effect. The wait time provides a way to gracefully transition from one MD5 key to another without disturbing the network. The wait time can be from 0 – 14400 seconds. The default is 300 seconds (5 minutes).
MD5-authentication key ID and key: A method of authentication that requires you to configure a key ID and an MD5 key.
NOTE
If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior.
If you specify encryption option 1, the software assumes that you are entering the encrypted form of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication.
Block flooding of outbound LSAs on specific OSPF interfaces

By default, the device floods all outbound LSAs on all the OSPF interfaces within an area. You can configure a filter to block outbound LSAs on an OSPF interface. This feature is particularly useful when you want to block LSAs from some, but not all, of the interfaces attached to the area. After you apply filters to block the outbound LSAs, the filtering occurs during the database synchronization and flooding.
NOTE
By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device. For more information or to change the router ID, refer to “Changing the router ID” on page 185.

NOTE
When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link).
BigIron RXC(config)# router ospf
BigIron RXC(config-ospf-router)# area 0
BigIron RXC(config-ospf-router)# area 1
BigIron RXC(config-ospf-router)# area 1 virtual-link 10.0.0.
Authentication Key: This parameter allows you to assign different authentication methods on a port-by-port basis. OSPF supports three methods of authentication for each interface—none, simple password, and MD5. Only one method of authentication can be active on an interface at a time. The simple password method of authentication requires you to configure an alphanumeric password on an interface. The password can be up to eight characters long.
1. Create an OSPF area on an interface, then enable NBMA on that interface.

BigIron RX(config)# int ve 20
BigIron RX(config-vif-20)# ip ospf area 0
BigIron RX(config-vif-20)# ip ospf network non-broadcast
BigIron RX(config-vif-20)# exit

Syntax: [no] ip ospf network non-broadcast

2. Then under the router OSPF level, specify the IP address of the neighbor in the OSPF configuration. The non-broadcast interface configuration must be done on the OSPF routers on both ends of the link.
OSPF point-to-point links

In an OSPF point-to-point network, where a direct Layer 3 connection exists between a single pair of OSPF routers, there is no need for Designated and Backup Designated Routers, as is the case in OSPF multi-access networks. Without the need for Designated and Backup Designated routers, a point-to-point network establishes adjacency and converges faster. The neighboring routers become adjacent whenever they can communicate directly.
The following table defines the highlighted fields shown in the above example output of the show ip ospf interface command.

TABLE 121 Output of the show ip ospf interface command
This field     Displays
IP Address     The IP address of the interface.
OSPF state     ptr2ptr (point to point)
Pri            The link ID as defined in the router-LSA. This value can be one of the following.
When encryption of the passwords or authentication strings is enabled, they are encrypted in the CLI regardless of the access level you are using. The encryption option can be omitted (the default) or can be one of the following:
• 0 – Disables encryption for the password or authentication string you specify with the command. The password or string is shown as clear text in the running configuration and the startup configuration file.
• Virtual interface – The combined bandwidth of all the ports in the port-based VLAN that contains the virtual interface.

The default reference bandwidth is 100 Mbps. You can change the reference bandwidth to a value from 1 – 4294967. If a change to the reference bandwidth results in a cost change to an interface, the device sends a link-state update to update the costs of interfaces advertised by the device.
NOTE
The BigIron RX advertises the default route into OSPF even if redistribution is not enabled, and even if the default route is learned through an IBGP neighbor. IBGP routes (including the default route) are not redistributed into OSPF by OSPF redistribution (for example, by the OSPF redistribution command).
For example, to enable redistribution of RIP and static IP routes into OSPF, enter the following commands.

BigIron RX(config)# router ospf
BigIron RX(config-ospf-router)# redistribution rip
BigIron RX(config-ospf-router)# redistribution static
BigIron RX(config-ospf-router)# write memory

Modify default metric for redistribution

The default metric is a global parameter that specifies the cost applied to all OSPF routes by default. The default value is 10.
BigIron RX(config)# ip route 1.1.0.0 255.255.0.0 207.95.7.30
BigIron RX(config)# ip route 1.2.0.0 255.255.0.0 207.95.7.30
BigIron RX(config)# ip route 1.3.0.0 255.255.0.0 207.95.7.30
BigIron RX(config)# ip route 4.1.0.0 255.255.0.0 207.95.6.30
BigIron RX(config)# ip route 4.2.0.0 255.255.0.0 207.95.6.30
BigIron RX(config)# ip route 4.3.0.0 255.255.0.0 207.95.6.30
BigIron RX(config)# ip route 4.4.0.0 255.255.0.0 207.95.6.
• set tag

NOTE
You must configure the route map before you configure a redistribution that uses the route map.

NOTE
When you use a route map for route redistribution, the software disregards the permit or deny action of the route map.

NOTE
For an external route that is redistributed into OSPF through a route map, the metric value of the route remains the same unless the metric is set by a set metric command inside the route map.
• BigIron RX ->R6

Normally, the BigIron RX will choose the path to the R1 with the lower metric. For example, if R3’s metric is 1400 and R4’s metric is 600, the BigIron RX will always choose R4. However, suppose the metric is the same for all four routers in this example. If the costs are the same, the router now has four equal-cost paths to R1. To allow the router to load share among the equal cost routes, enable IP load sharing.
NOTE
This option affects only imported, type 5 external routes. A single type 5 LSA is generated and flooded throughout the AS for multiple external routes. Type 7-route redistribution is not affected by this feature. All type 7 routes will be imported (if redistribution is enabled). To summarize type 7 LSAs or exported routes, use NSSA address range summarization.

To configure a summary address for OSPF routes, enter commands such as the following.
If default route origination is enabled and you disable it, the default route originated by the BigIron RX is flushed. Default routes generated by other OSPF routers are not affected. If you re-enable the feature, the feature takes effect immediately and thus does not require you to reload the software.
For example, if you configure 10.10.10.0/24 as a candidate default network route, if the IP route table does not contain an explicit default route (0.0.0.0/0), the software uses the default network route and automatically uses that route's next hop gateway as the default gateway. If a topology change occurs and as a result the default network route's next hop gateway changes, the software can still use the default network route.
To change the SPF delay and hold time, enter commands such as the following.

BigIron RX(config-ospf-router)# timers spf 10 20

The command in this example changes the SPF delay to 10 seconds and changes the SPF hold time to 20 seconds.

Syntax: timers spf

The parameter specifies the SPF delay. The parameter specifies the SPF hold time.

To set the timers back to their default values, enter a command such as the following.
• External routes

The default for all these OSPF route types is 110.

NOTE
This feature does not influence the choice of routes within OSPF. For example, an OSPF intra-area route is always preferred over an OSPF inter-area route, even if the intra-area route’s distance is greater than the inter-area route’s distance.

To change the default administrative distances for inter-area routes, intra-area routes, and external routes, enter the following command.
The parameter specifies the number of seconds and can be from 10 – 1800 (30 minutes). The default is 240 seconds (four minutes).

To restore the pacing interval to its default value, enter the following command.
Configuring an OSPF area prefix list

To filter prefixes advertised in type 3 link-state advertisements (LSAs) between (OSPF) areas of an Area Border Router (ABR), use the area prefix-list command in router configuration mode. To change or cancel the filter, use the no form of this command.

Configuring OSPF ABR type 3 LSA filtering

To filter inter-area routes into a specified area, use the following commands beginning in router configuration mode.
The parameter specifies the prefix list name. You use this name when applying the prefix list to a neighbor.

The seq parameter is optional and specifies the IP prefix list’s sequence number. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with prefix list entry 5. The software interprets the prefix list entries in numerical order, beginning with the lowest sequence number.
Originate LSA Trap: Disabled
Originate MaxAge LSA Trap: Disabled
Link State Database Overflow Trap: Disabled
Link State Database Approaching Overflow Trap: Disabled
OSPF Area currently defined:
Area-ID  Area-Type  Cost  Prefix List In      Prefix List Out
0        normal     0
1        normal     0     Area_1_Pfx_list in  Area_1_Pfx_List_Out

Syntax: show ip ospf config

Displaying the configured IP prefix list

To only display the configured ip prefix-list, enter a command such as the following.
TABLE 123 Default settings for OSPF traps (Continued)
Trap name                                       Default
Originate LSA Trap                              Disabled
Originate MaxAge LSA Trap                       Disabled
Link State Database Overflow Trap               Disabled
Link State Database Approaching Overflow Trap   Disabled

Disabling and enabling SNMP traps for OSPF

By default, most SNMP trap generation for OSPF is enabled (Refer to Table 123 on page 791 for the OSPF trap default values).
To reinstate the trap, enter the following command.

BigIron RX(config-ospf-router)# trap neighbor-state-change-trap

Syntax: [no] snmp-server trap ospf

Enabling OSPF logging

By default, most OSPF logging is enabled (Refer to Table 123 on page 791 for a complete list of the OSPF default trap settings). If OSPF logging has been previously disabled, you must enable OSPF logging if you want SNMP traps to be generated for OSPF. Enter commands such as the following.
26 Displaying OSPF information

Specify types of OSPF Syslog messages to log

You can specify which kinds of OSPF-related Syslog messages are logged. By default, the only OSPF messages that are logged are those indicating possible system errors. If you want other kinds of OSPF messages to be logged, you can configure the device to log them. For example, to specify that all OSPF-related Syslog messages be logged, enter the following commands.
• ABR and ASBR information – refer to “Displaying OSPF ABR and ASBR information” on page 805.
• Trap state information – refer to “Displaying OSPF trap status” on page 806.

Displaying general OSPF configuration information

To display general OSPF configuration information, enter the following command at any CLI level.
Displaying CPU utilization and other OSPF tasks

You can display CPU utilization statistics for OSPF and other tasks. To display CPU utilization statistics, enter the following command.
TABLE 124 CLI display of show tasks
This field...   Displays...
Task Name       Name of task running on the device.
Pri             Priority of the task in comparison to other tasks.
State           Current state of the task.
PC              Current instruction for the task.
Stack           Stack location for the task.
Size            Stack size of the task.
CPU Usage(%)    Percentage of the CPU being used by the task.
task id         Task’s ID number assigned by the operating system.
task vid        A memory domain ID.
TABLE 125 CLI display of OSPF area information (Continued)
This field...   Displays...
LSA             The LSA number.
Chksum(Hex)     The checksum for the LSA packet. The checksum is based on all the fields in the packet except the age field. The device uses the checksum to verify that the packet is not corrupted.

Displaying OSPF neighbor information

To display OSPF neighbor information, enter the following command at any CLI level.
TABLE 126 CLI display of OSPF neighbor information (Continued)
Field   Description
State   The state of the conversation between the device and the neighbor. This field can have one of the following values:
        • Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor.
        • Attempt – This state is only valid for neighbors attached to non-broadcast networks.
BigIron RX# show ip ospf interface 192.168.1.1
Ethernet 2/1,OSPF enabled
IP Address 192.168.1.1, Area 0
OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1
Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
DR: Router ID 0.0.0.0 Interface Address 0.0.0.0
BDR: Router ID 0.0.0.0 Interface Address 0.0.0.0
Neighbor Count = 0, Adjacent Neighbor Count= 1
Neighbor: 2.2.2.
TABLE 127 Output of the show ip ospf interface command (Continued)
This field                Displays
Adjacent Neighbor Count   The number of adjacent neighbor routers.
Neighbor                  The neighbor router’s ID.

Displaying OSPF route information

To display OSPF route information, enter the following command at any CLI level.

BigIron RX# show ip ospf route
OSPF Area 0x00000000 ASBR Routes 1:
Destination   Mask              Adv_Router   Link_State
10.65.12.1    255.255.255.255   10.65.12.1   10.65.12.
Syntax: show ip ospf routes []

The parameter specifies a destination IP address. If you use this parameter, only the route entries for that destination are shown.

This display shows the following information.

TABLE 128 CLI display of OSPF route information
This field...   Displays...
Destination     The IP address of the route's destination.
Mask            The network mask for the route.
Path_Cost       The cost of this route path. (A route can have multiple paths.
BigIron RX# show ip ospf redistribute route
4.3.0.0 255.255.0.0 static
3.1.0.0 255.255.0.0 static
10.11.61.0 255.255.255.0 connected
4.1.0.0 255.255.0.0 static

In this example, four routes have been redistributed. Three of the routes were redistributed from static IP routes and one route was redistributed from a directly connected IP route.
TABLE 129 CLI display of OSPF external link state information
This field...   Displays...
Index           ID of the entry.
Aging           The age of the LSA, in seconds.
LS ID           The ID of the link-state advertisement from which the device learned this route.
Router          The router IP address.
Netmask         The subnet mask of the network.
Metric          The cost (value) of the route.
Flag            State information for the route entry. This information is used by Brocade technical support.
NOTE
You cannot use the extensive option in combination with other display options. The entire database is displayed.

The link-state-id parameter displays the External LSAs for the LSA source specified by .

The network option shows network information.

The nssa option shows network information.

The router-id parameter shows the External LSAs for the specified OSPF router.
TABLE 131 CLI display of OSPF border routers
This field...        Displays...
(Index)              Displayed index number of the border router.
Router ID            ID of the OSPF router.
Router type          Type of OSPF router: ABR or ASBR.
Next hop router      ID of the next hop router.
Outgoing interface   ID of the interface on the router for the outgoing route.
Area                 ID of the OSPF area to which the OSPF router belongs.

Displaying OSPF trap status

All traps are enabled by default when you enable OSPF.
vlan 1 name DEFAULT-VLAN
!
!
clock summer-time
clock timezone us Pacific
hostname R11-RX8
router ospf
area 2
area 1
area 1 virtual-link 131.1.1.10

FIGURE 119 OSPF virtual neighbor and virtual link example
[Diagram not reproduced. It shows DeviceA (R10-MG8, 192.168.148.10), DeviceE (R14-RX8, 192.168.148.14) and DeviceB (R11-RX16) connected across Area 0, Area 1 and Area 2, with the virtual link endpoint 131.1.1.10/16 on DeviceA.]
Displaying OSPF virtual link information

Use the show ip ospf virtual link command to display OSPF virtual link information. The output below represents the virtual links configured in Figure 119.

BigIron RX#show ip ospf virtual link
Indx   Transit Area   Router ID   Transit(sec)
1      1              131.1.1.
Configuring OSPF graceful restart timer

The OSPF graceful restart timer specifies the maximum amount of time an OSPF restarting router will take to re-establish OSPF adjacencies and relearn OSPF routes. This value will be sent to the neighboring routers in the grace LSA packets. Configure the timer by entering a command such as the following.
BigIron RX#sh ip ospf neigh
Port   Address     Pri   State        Neigh Address
3/1    30.1.0.5    0     FULL/OTHER   30.1.0.13
3/27   25.27.0.8   1     FULL/DR      25.27.0.14
< in graceful restart state, helping 1, timer 104
v31    21.23.0.5   1     FULL/DR      21.23.0.14
< in graceful restart state, helping 1, timer 104
v32    22.24.0.5   1     FULL/DR      22.24.0.14
< in graceful restart state, helping 1, timer 104
v33    23.25.0.5   1     FULL/DR      23.25.0.14
< in graceful restart state, helping 1, timer 104
v34    24.26.0.5   1     FULL/DR      24.26.0.
BigIron RX 1# show ip ospf neigh
Port   Address    Pri   State     Neigh Address   Neigh ID   Ev   Opt   Cnt
3/7    40.0.1.1   1     EXST/DR   40.0.1.3        9.0.1.24   24   2     0
< in graceful restart state, helping 1, timer 112 sec >

BigIron RX 3# show ip ospf neighbor
Port   Address     Pri   State     Neigh Address   Neigh ID   Ev   Opt   Cnt
2/2    40.0.10.1   1     EXST/DR   40.0.10.3       8.0.0.23   23   2     0
< in graceful restart state, helping 1, timer 111 sec >

Note the "" entry appears only during restart.
Chapter 27 Configuring BGP4 (IPv4 and IPv6)

In this chapter
• Overview of BGP4
• Brocade implementation of BGP4
• Memory considerations
• Configuring BGP4
27 Overview of BGP4

• Using the IP default route as a valid next hop for a BGP4 route
• Enabling next-hop recursion
• Modifying redistribution parameters
• Using a table map to set the tag value
• Changing the keep alive time and hold time
Figure 121 on page 815 shows a simple example of two BGP4 ASs. Each AS contains three BGP4 routers. All of the BGP4 routers within an AS communicate using IBGP. BGP4 routers communicate with other ASs using EBGP. Notice that each of the routers also is running an Interior Gateway Protocol (IGP). The routers in AS1 are running OSPF and the routers in AS2 are running RIP. The device can be configured to redistribute routes among BGP4, ISIS, RIP, and OSPF.
NOTE
The device re-advertises a learned best BGP4 route to the device’s neighbors even when the route table manager does not select that route for installation in the IP route table. This can happen if a route from another protocol, for example, OSPF, is preferred. The best BGP4 route is the route that BGP selects based on comparison of the BGP4 route path’s attributes.
• The device compares the MEDs of two otherwise equivalent paths if and only if the routes were learned from the same neighboring AS. This behavior is called deterministic MED. Deterministic MED is always enabled and cannot be disabled. In addition, you can enable the device to always compare the MEDs, regardless of the AS information in the paths. To enable this comparison, enter the always-compare-med command at the BGP4 configuration level of the CLI.
• KEEPALIVE
• NOTIFICATION
• ROUTE REFRESH

OPEN message

After a BGP4 router establishes a TCP connection with a neighboring BGP4 router, the routers exchange OPEN messages. An OPEN message indicates the following:
• BGP version – Indicates the version of the protocol that is in use on the router. BGP version 4 supports Classless Interdomain Routing (CIDR) and is the version most widely used in the Internet. Version 4 also is the only version supported on the BigIron RX.
Brocade implementation of BGP4

• Path attributes – Parameters that indicate route-specific information such as path information, route preference, next hop values, and aggregation information. BGP4 uses the path attributes to make filtering and routing decisions.
• Unreachable routes – A list of routes that have been in the sending router’s BGP4 table but are no longer feasible. The UPDATE message lists unreachable routes in the same format as new routes.
• RFC 2439 (Route Flap Dampening)
• RFC 2796 (Route Reflection)
• RFC 2842 and 3392 (Capability Advertisement)
• RFC 3065 (BGP4 Confederations)
• RFC 2858 (Multiprotocol Extensions)
• RFC 2918 (Route Refresh Capability)
• RFC 3392 (BGP Capability Advertisement)

Memory considerations

BGP4 handles a very large number of routes and therefore requires a lot of memory.
Configuring BGP4

The address family command also requires you to select a sub-address family, which is the type of routes for the configuration. You specify multicast or unicast routes.
TABLE 132 IPv4 BGP commands at different configuration levels (Continued)
Command                    Global (iPv4 and IPv6)   See
default-local-preference   x                        “Changing the default local preference” on page 841
default-metric             x x                      “Changing the default metric used for redistribution” on page 842
distance                   x                        “Changing administrative distances” on page 842
enforce-first-as           x                        “Requiring the first AS to be the neighbor’s AS” on page 843
exit-address-family        x
fast-external-fallover     x                        “Enabling
TABLE 133 IPv4 and IPv6 BGP Commands at Different Configuration Levels
Command              Global (iPv4 and IPv6)   IPv4 Address Family Unicast   IPv4 Address Family Multicast   IPv6 Address Family Unicast   See
address-family       x                        x                             x                               x                             “Entering and exiting the address family configuration level” on page 826
address-filter       x
aggregate-address    x                                                                                                                    “Aggregating routes advertised to BGP4 neighbors” on page 834
always-compare-med   x                                                                                                                    “Configuring the device to always compare MEDs” on page 835
TABLE 133 IPv4 and IPv6 BGP Commands at Different Configuration Levels (Continued)
Command                   Global (iPv4 and IPv6)   IPv4 Address Family Unicast   IPv4 Address Family Multicast   IPv6 Address Family Unicast   See
neighbor                  x                        x                             x                               x                             “Configuring BGP4 neighbors” on page 846; “Configuring a BGP4 peer group” on page 854
network                   x                        x                             x                                                             “Specifying a list of networks to advertise” on page 857
next-hop-enable-default   x                        x                                                                                           “Using the IP default route as a valid next hop for a BGP4 rout
Activating and disabling BGP4

• Enable next-hop recursion.
• Change the default metric.
• Disable or re-enable route reflection.
• Configure confederation parameters.
• Disable or re-enable load sharing.
• Change the maximum number of load-sharing paths.
• Change other load-sharing parameters.
• Define route flap dampening parameters.
• Add, change, or negate redistribution parameters (except changing the default MED; see below).
Entering and exiting the address family configuration level

BigIron RX> enable
BigIron RX# configure terminal
BigIron RX(config)# router bgp
BGP4: Please configure 'local-as' parameter in order to enable BGP4.
BigIron RX(config-bgp)# local-as 10
BigIron RX(config-bgp)# write memory

The router bgp command enables the BGP4 protocol. (For information on the local AS number, refer to “Setting the local AS number” on page 845.
Filtering specific IP addresses

BigIron RX(config-bgp)# address-family ipv4 unicast
BigIron RX(config-bgp)#

NOTE
The CLI prompt for the global BGP level and the BGP address-family IPv4 unicast level are the same.

To enter the IPv4 BGP multicast address family configuration level, enter the following command.
Defining an AS-path filter

The permit | deny parameter indicates the action the device takes if the filter match is true.
• If you specify permit, the device permits the route into the BGP4 table if the filter match is true.
• If you specify deny, the device denies the route from entering the BGP4 table if the filter match is true.

NOTE
Once you define a filter, the default action for addresses that do not match a filter is “deny”.
Defining a community filter

NOTE
If the filter is referred to by a route map’s match statement, the filter is applied in the order in which the filter is listed in the match statement.

The permit | deny parameter indicates the action the router takes if the filter match is true.
• If you specify permit, the router permits the route into the BGP4 table if the filter match is true.
• If you specify deny, the router denies the route from entering the BGP4 table if the filter match is true.
Configuring a switch to allow routes with its own AS number

The no-export keyword filters for routes with the well-known community “NO_EXPORT”. A route in this community should not be advertised to any BGP4 neighbors outside the local AS. If the router is a member of a confederation, the device advertises the route only within the confederation. For information about confederations, refer to “Configuring confederations” on page 837.
BGP Null0 routing

FIGURE 123 Sample Null0 routing application
[Diagram not reproduced. It shows the Internet connected to AS 100, which contains routers R1 through R7.]

The following steps configure a null0 routing application for stopping denial of service attacks from remote hosts on the internet.

Configuration steps
1. Select one router, Router 6, to distribute null0 routes throughout the BGP network.
2. Configure a route-map to match a particular tag (50) and set the next-hop address to an unused network address (199.199.1.1).
3.
Configuration examples

Router 6

The following configuration defines specific prefixes to filter.

BigIron RX(config)#ip route 110.0.0.40/29 ethernet 3/7 tag 50
BigIron RX(config)#ip route 115.0.0.192/27 ethernet 3/7 tag 50
BigIron RX(config)#ip route 120.0.14.0/23 ethernet 3/7 tag 50

The following configuration redistributes routes into BGP.
BigIron RX(config-bgp-router)#neighbor <address> remote-as 100
BigIron RX(config-bgp-router)#neighbor <address> remote-as 100
BigIron RX(config-bgp-router)#neighbor <address> remote-as 100
BigIron RX(config-bgp-router)#neighbor <address> remote-as 100

After configuring the null0 application, you can display the configuration using the show ip route static, show ip bgp route, and show ip route commands.
Aggregating routes advertised to BGP4 neighbors

Issuing a show ip route on Router 1 and Router 2 shows “drop” under the Port column for the network prefixes you configured with null0 routing.

BigIron RX# show ip route
Total number of IP routes: 133
Type Codes - B:BGP D:Connected S:Static
     Destination       Gateway
1    9.0.1.24/32       DIRECT
2    30.0.1.0/24       DIRECT
3    40.0.1.0/24       DIRECT
...
13   110.0.0.6/31      90.0.1.3
14   110.0.0.16/30     90.0.1.3
15   110.0.0.40/29     DIRECT
...
42   115.0.0.192/27    DIRECT
43   115.0.1.128/26    30.0.1.
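The Null0 flow above (tagged static routes on Router 6, a route map that matches tag 50 and rewrites the next hop to the unused address 199.199.1.1, redistribution into BGP, and a receiving router that resolves that next hop to a black hole) as an added Python model, not code from the guide or from Brocade. The receiving router's static route sending 199.199.1.1/32 to null0, its connected subnet, and the untagged and ordinary BGP routes used for contrast are constructed assumptions of the example; the prefixes, tag and next-hop address come from the guide's steps.

```python
"""Model of the BGP Null0 black-hole flow described above (constructed example,
not Brocade code). It covers Router 6's tagged static routes, a route map that
matches tag 50 and sets the next hop to the unused address 199.199.1.1,
redistribution into BGP, and recursive next-hop resolution on a receiving router
whose local table sends 199.199.1.1 to null0 (that null0 route is assumed here)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

NULL0 = "null0"
# Unused address chosen in the guide's step 2 as the black-hole next hop.
BLACKHOLE_NEXT_HOP = IPv4Address("199.199.1.1")


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]  # None for interface or null0 routes
    port: str                        # outgoing interface, "null0", or "drop"
    tag: int = 0
    source: str = "static"


@dataclass
class RouteMap:
    """One-entry route map: match a tag and rewrite the next hop (step 2)."""
    match_tag: int
    set_next_hop: IPv4Address

    def apply(self, route: Route) -> Optional[Route]:
        if route.tag != self.match_tag:
            return None  # no match: the route is not redistributed in this model
        return Route(route.prefix, self.set_next_hop, port="", tag=route.tag, source="bgp")


def redistribute_static(static_routes: list[Route], rmap: RouteMap) -> list[Route]:
    """Router 6: pass static routes through the route map into BGP."""
    return [r for r in (rmap.apply(s) for s in static_routes) if r is not None]


@dataclass
class Rib:
    """A receiving router's IP route table (Router 1 or 2 in the guide)."""
    routes: list[Route] = field(default_factory=list)

    def longest_match(self, addr: IPv4Address) -> Optional[Route]:
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def install_bgp(self, bgp_routes: list[Route]) -> None:
        """Install BGP routes, resolving each next hop through the local table.

        A next hop that resolves to a null0 route makes the BGP prefix install
        with port 'drop', which is what show ip route displays for it.
        """
        for r in bgp_routes:
            via = self.longest_match(r.next_hop) if r.next_hop is not None else None
            if via is None:
                port = "unresolved"
            elif via.port == NULL0:
                port = "drop"
            else:
                port = via.port
            self.routes.append(Route(r.prefix, r.next_hop, port, r.tag, "bgp"))

    def lookup(self, dst: str) -> str:
        """Outgoing port for a destination address, or 'no route'."""
        r = self.longest_match(IPv4Address(dst))
        return r.port if r is not None else "no route"


def build_scenario() -> tuple[list[Route], Rib]:
    """Router 6 redistributes its tagged prefixes; Router 1 installs them."""
    # Static routes from the guide's Router 6 example, all tagged 50, plus one
    # untagged static route (constructed) that the route map must leave alone.
    r6_static = [
        Route(IPv4Network("110.0.0.40/29"), None, "ethernet 3/7", tag=50),
        Route(IPv4Network("115.0.0.192/27"), None, "ethernet 3/7", tag=50),
        Route(IPv4Network("120.0.14.0/23"), None, "ethernet 3/7", tag=50),
        Route(IPv4Network("10.20.0.0/16"), IPv4Address("90.0.1.3"), "ethernet 3/1"),
    ]
    rmap = RouteMap(match_tag=50, set_next_hop=BLACKHOLE_NEXT_HOP)
    advertised = redistribute_static(r6_static, rmap)

    # Router 1's local table (constructed): a connected subnet and the assumed
    # static route that sends the black-hole next hop to null0.
    r1 = Rib([
        Route(IPv4Network("90.0.1.0/24"), None, "ethernet 3/1", source="connected"),
        Route(IPv4Network("199.199.1.1/32"), None, NULL0),
    ])
    # An ordinary BGP route with a reachable next hop, to show it is unaffected.
    normal = Route(IPv4Network("110.0.0.6/31"), IPv4Address("90.0.1.3"), "", source="bgp")
    r1.install_bgp(advertised + [normal])
    return advertised, r1


if __name__ == "__main__":
    adv, rib = build_scenario()
    for r in rib.routes:
        print(f"{str(r.prefix):18} {str(r.next_hop or 'DIRECT'):14} {r.port}")
```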
Configuring the device to always compare MEDs

The advertise-map parameter configures the router to advertise the more specific routes in the specified route map.

The attribute-map parameter configures the router to set attributes for the aggregate routes based on the specified route map.

NOTE
For the suppress-map, advertise-map, and attribute-map parameters, the route map must already be defined.
Redistributing IBGP routes

Syntax: [no] compare-med-empty-aspath

Disabling or re-enabling comparison of the AS-path length

AS-Path comparison is Step 5 in the algorithm BGP4 uses to select the next path for a route. Comparison of the AS-Path length is enabled by default. To disable it, enter the following command at the BGP configuration level of the CLI.

BigIron RX(config-bgp)# as-path-ignore

This command disables comparison of the AS-Path lengths of otherwise equal paths.
Configuring a route reflector

You can configure one cluster ID on the router. All route-reflector clients for the router are members of the cluster. To configure a device as route reflector 1, enter the following command.

BigIron RX(config-bgp)# cluster-id 1

Syntax: [no] cluster-id |

The | parameter specifies the cluster ID (1 – 4294967295) or an IP address. The default is the router ID.
Configuring confederations

The Brocade implementation of this feature is based on RFC 3065. Normally, all BGP routers within an AS must be fully meshed, so that each BGP router has BGP sessions to all the other BGP routers within the AS. This is feasible in smaller ASs but becomes unmanageable in ASs containing many BGP routers. When you configure BGP routers into a confederation, all the routers within a sub-AS (a subdivision of the AS) use IBGP and must be fully meshed.
In this example, four routers are configured into two sub-ASs, each containing two of the routers. The sub-ASs are members of confederation 10. Routers within a sub-AS must be fully meshed and communicate using IBGP. In this example, routers A and B use IBGP to communicate. Routers C and D also use IBGP. However, the sub-ASs communicate with one another using EBGP. For example, router A communicates with router C using EBGP.
Configuring route flap dampening

Syntax: confederation peers [ …]

The parameter with the confederation peers command indicates the sub-AS numbers for the sub-ASs in the confederation. You may list all sub-ASs in the confederation. Also, you must specify all the sub-ASs with which this router has peer sessions in the confederation. All the routers within the same sub-AS use IBGP to exchange router information.
Originating the default route

The parameter specifies how high a route’s penalty can become before the device suppresses the route. You can set the suppression threshold to a value from 1 – 20000. The default is 2000 (more than two “flaps”).

The parameter specifies the maximum number of minutes that a route can be suppressed regardless of how unstable it is. You can set the maximum suppression time to a value from 1 – 255 minutes.
Changing the default metric used for redistribution

NOTE
To set the local preference for individual routes, use route maps. Refer to “Defining route maps” on page 876. Refer to “How BGP4 selects a path for a route” on page 816 for information about the BGP4 algorithm.

To change the default local preference to 200, enter the following command.
Requiring the first AS to be the neighbor’s AS

Here are the default administrative distances on the BigIron RX:
• Directly connected – 0 (this value is not configurable)
• Static – 1 is the default and applies to all static routes, including default routes. This can be assigned a different value.
• EBGP – 20
• OSPF – 110
• ISIS – 115
• RIP – 120
• IBGP – 200
• Local BGP – 200
• Unknown – 255 (the router will not use this route)

Lower administrative distances are preferred over higher distances.
BigIron RX(config-bgp)# enforce-first-as
Syntax: [no] enforce-first-as
Neighbor local-AS
The neighbor local-AS feature allows a router that is a member of one AS to appear also to be a member of another AS. This is useful, for example, if Company A purchases Company B but Company B does not want to modify its peering configurations. The feature can be used only for true EBGP peers.
Setting the local AS number
The local AS number identifies the AS the Brocade BGP4 router is in. To set the local AS number, enter commands such as the following.
BigIron RX(config)# router bgp
BGP4: Please configure 'local-as' parameter in order to enable BGP4.
BigIron RX(config-bgp)# local-as 10
BigIron RX(config-bgp)# write memory
Syntax: [no] local-as
The parameter is the local AS number, from 1 through 65535. There is no default.
NOTE This command affects route selection only when route paths are selected based on MED comparison. A route path that is missing its MED can still be selected based on other criteria; for example, a path with no MED is selected if its weight is larger than the weights of the other paths.
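The note above is easiest to see with a comparator that walks the selection steps in order. The block below is an added example for this page, not Brocade code: it implements the first steps of the selection order the chapter refers to (weight, local preference, AS-path length, then MED), so a path with no MED still wins on weight, and the missing-MED policy only matters once the comparison reaches the MED step. The attribute values, the "missing MED compares as 0" default and the single-step MED comparison regardless of neighbor AS are assumptions of the example.

```python
"""BGP4 path comparison when a path has no MED.

Added example, not Brocade code. It implements the early steps of the path
selection order the note above refers to (weight, local preference,
AS-path length, MED) so the note can be checked: a path with no MED still
wins when its weight is higher, and the missing-MED policy only matters once
comparison reaches the MED step. The attribute values and the default rule
"a missing MED compares as 0" are assumptions for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Tuple

WORST_MED = 2**32 - 1  # assumption: a missing MED counts as the worst value when asked


@dataclass
class Path:
    via: str                      # neighbor the path was learned from
    weight: int = 0
    local_pref: int = 100
    as_path: Tuple[int, ...] = ()
    med: Optional[int] = None     # None models an UPDATE with no MED attribute


def effective_med(p: Path, missing_as_worst: bool) -> int:
    """By default a missing MED compares as 0 (the best possible value)."""
    if p.med is not None:
        return p.med
    return WORST_MED if missing_as_worst else 0


def compare(a: Path, b: Path, missing_as_worst: bool = False) -> Tuple[str, str]:
    """Return (winning neighbor, deciding step).

    Higher weight and higher local preference win; a shorter AS-path and a
    lower MED win. MED is compared here regardless of the neighbor AS, a
    simplification of the full algorithm.
    """
    if a.weight != b.weight:
        return (a.via if a.weight > b.weight else b.via), "weight"
    if a.local_pref != b.local_pref:
        return (a.via if a.local_pref > b.local_pref else b.via), "local_pref"
    if len(a.as_path) != len(b.as_path):
        return (a.via if len(a.as_path) < len(b.as_path) else b.via), "as_path_length"
    ma, mb = effective_med(a, missing_as_worst), effective_med(b, missing_as_worst)
    if ma != mb:
        return (a.via if ma < mb else b.via), "med"
    return a.via, "tie"


# Constructed paths: the first carries no MED but a larger weight.
NO_MED = Path("10.1.1.1", weight=200, as_path=(65001,), med=None)
WITH_MED = Path("10.1.1.2", weight=0, as_path=(65001,), med=10)
```

With equal weights and local preferences the outcome flips between the two missing-MED policies, which is exactly the case the note warns about.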
NOTE The BigIron RX attempts to establish a BGP4 session with a neighbor as soon as you enter a command specifying the neighbor’s IP address. If you want to configure all the neighbor parameters before the device establishes a session with the neighbor, administratively shut down the neighbor first. Refer to “Administratively shutting down a session with a BGP4 neighbor” on page 856.
NOTE The advertisement-interval parameter is not supported on the BigIron RX even though the CLI accepts the command at the BGP4 configuration level.
capability orf prefixlist [send | receive] configures cooperative route filtering. The send | receive parameter specifies the support you are enabling:
• send – The device sends its IP prefix lists as Outbound Route Filters (ORFs) to the neighbor.
Alternatively, you can specify filter-list in | out | weight to use an AS-path ACL instead of an AS-path filter list; in this case the parameter is an AS-path ACL.
NOTE By default, if an AS-path does not match any of the filters or ACLs, the device denies the route. To change the default behavior, configure the last filter or ACL as “permit any any”.
NOTE The AS-path filter or ACL must already be configured. Refer to “Filtering AS-paths” on page 870.
prefix-list in | out specifies an IP prefix list. You can use IP prefix lists to control routes to and from the neighbor; they are an alternative to AS-path filters. The in | out keyword specifies whether the list is applied to updates received from the neighbor or sent to the neighbor. The inbound and outbound filters can use the same prefix list or different ones. To configure an IP prefix list, refer to “Defining and applying IP prefix lists” on page 875.
Removing route dampening from suppressed neighbor routes
You can selectively unsuppress more-specific routes that have been suppressed due to aggregation, and allow the routes to be advertised to a specific neighbor or peer group. Here is an example.
BigIron RX(config-bgp)# aggregate-address 209.1.0.0 255.255.0.0 summary-only
BigIron RX(config-bgp)# show ip bgp route 209.1.0.
The following command verifies that the route has been unsuppressed.
BigIron RX(config-bgp)# show ip bgp route 209.1.44.0/24
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
Prefix Next Hop Metric LocPrf Weight Status
1 209.1.44.0/24 10.2.0.1 1 101 32768 BLS
AS_PATH:
Route is advertised to 1 peers: 10.1.0.
BigIron RX(config-bgp)# show ip bgp config
Current BGP configuration:
router bgp
local-as 2
neighbor xyz peer-group
neighbor xyz password 1 $!2d
neighbor 10.10.200.102 peer-group xyz
neighbor 10.10.200.102 remote-as 1
neighbor 10.10.200.102 password 1 $on-o
Notice that the software has converted the commands that specify an authentication string into the new syntax (described below) and displays the authentication strings in encrypted form.
NOTE The command also causes SNMP community strings to be displayed in clear text in the output of the show snmp server command, so restrict it to administrators who are entitled to see those secrets.
Configuring a BGP4 peer group
A peer group is a set of BGP4 neighbors that share common parameters. Peer groups provide the following benefits:
• Simplified neighbor configuration – You can configure a set of neighbor parameters and then apply them to multiple neighbors.
• If you do not specify a parameter for an individual neighbor, the neighbor uses the value in the peer group.
• If you set the parameter for the individual neighbor, that value overrides the value set in the peer group.
• If you add a parameter to a peer group that already contains neighbors, the parameter value is applied to the neighbors that do not already have the parameter explicitly set.
[route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive hold-time ] [update-source loopback ] [weight ]
The first parameter, a peer group name or an IP address, indicates whether you are configuring a peer group or an individual neighbor. If you specify a peer group name, you are configuring a peer group; if you specify an IP address, you are configuring an individual neighbor.
NOTE The software also contains an option to end the session with a BGP4 neighbor and thus clear the routes learned from the neighbor. Unlike that clear option, the option for shutting down the neighbor can be saved in the startup configuration file and thus prevents the device from establishing a BGP4 session with the neighbor even after the software reloads.
NOTE You must configure the route map before you can specify the route map name in a BGP4 network configuration; otherwise, the route is not imported into BGP.
To configure a route map and use it to set or change route attributes for a network you define for BGP4 to advertise, enter commands such as the following.
Enabling next-hop recursion
By default, the software performs only one lookup for a BGP route’s next-hop IP address. If the lookup does not result in a valid next-hop IP address, or if the path to the next-hop IP address is itself a BGP path, the software considers the BGP route’s destination unreachable, and the route is not eligible to be installed in the IP route table.
The route to the next-hop gateway is a BGP route, not an IGP route, and thus cannot be used to reach 240.0.0.0/24. In this case, the device tries to use the default route, if present, to reach the subnet that contains the BGP route’s next-hop gateway.
BigIron RX# show ip route 240.0.0.0/24
Total number of IP routes: 37
Network Address Gateway
0.0.0.0 10.0.0.
The next-hop IP address for 102.0.0.1 is not an IGP route, which means the BGP route’s destination still cannot be reached through IP. The recursive next-hop lookup feature performs a lookup on 10.0.0.1’s next-hop gateway:
BigIron RX# show ip route 10.0.0.1
Total number of IP routes: 38
Network Address Gateway Port Cost Type
10.0.0.0 0.0.0.0 1/1 1 D
AS_PATH: 65001 4355 1
This lookup results in an IGP route; in fact, this route is a directly connected route.
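The walk above (240.0.0.0/24 via 102.0.0.1, whose route is itself BGP via 10.0.0.1, which is directly connected) is reproduced below as an added example, not code from the guide. The route table entries are constructed from the show ip route fragments; the default route used in the test, the loop detection and the recursion limit are assumptions of the example.

```python
"""Single versus recursive next-hop lookup.

Added example, not from the guide. It reproduces the walk shown above: the
BGP route for 240.0.0.0/24 has next hop 102.0.0.1, the route to 102.0.0.1
is itself a BGP route via 10.0.0.1, and 10.0.0.1 is directly connected.
With a single lookup the route is unreachable; with recursion it resolves.
The route table entries are constructed from the show ip route fragments
above; the default route and the recursion limit are assumptions.
"""
import ipaddress

# Constructed IP route table: (prefix, gateway, type). Type letters follow
# the show ip route legend: D = directly connected, B = BGP, S = static.
ROUTES = [
    ("240.0.0.0/24", "102.0.0.1", "B"),  # BGP route being installed
    ("102.0.0.0/8", "10.0.0.1", "B"),    # next hop is reachable only via BGP
    ("10.0.0.0/8", "0.0.0.0", "D"),      # directly connected subnet
]


def longest_match(table, addr):
    """Longest-prefix match for addr; returns (prefix, gateway, type) or None."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for prefix, gateway, kind in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = (prefix, gateway, kind), net.prefixlen
    return best


def resolve_next_hop(table, next_hop, recursion=True, max_depth=8):
    """Walk the table from next_hop until a non-BGP route is found.

    Returns the list of routes walked, or None when the next hop cannot be
    resolved: no matching route, a BGP route with recursion disabled, a
    resolution loop, or a chain longer than max_depth.
    """
    hops, addr = [], next_hop
    for _ in range(max_depth):
        route = longest_match(table, addr)
        if route is None or route in hops:
            return None
        hops.append(route)
        if route[2] != "B":      # IGP, static or connected: resolved
            return hops
        if not recursion:        # default behaviour: one lookup only
            return None
        addr = route[1]
    return None
```

The loop check matters in practice: two BGP routes whose next hops point at each other would otherwise be walked until the depth limit, and a route that resolves only through another BGP route must stay out of the forwarding table.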
NOTE Entering redistribute ospf redistributes only internal OSPF routes. To redistribute external OSPF routes as well, use the redistribute ospf match external... command. Refer to “Redistributing OSPF external routes” on page 863.
NOTE When a route map, prefix list, or AS-path ACL is modified, BGP is notified and outbound route policies are updated automatically; you no longer need to clear the neighbor with soft-outbound manually.
NOTE The route map you specify must already be configured on the router. Refer to “Defining route maps” on page 876 for information about defining route maps.
Redistributing OSPF external routes
To configure the device to redistribute OSPF external type 1 routes, enter the following command.
The route-map parameter specifies a route map to be consulted before adding the OSPF route to the BGP4 route table.
Redistributing static routes
To configure the device to redistribute static routes, enter the following command.
BigIron RX(config-bgp)# redistribute static
Syntax: redistribute static [metric ] [route-map ]
The static keyword indicates that you are redistributing static routes into BGP4.
Changing the keepalive time and hold time
The keepalive time specifies how frequently the router sends KEEPALIVE messages to its BGP4 neighbors. The hold time specifies how long the router waits for a KEEPALIVE or UPDATE message from a neighbor before concluding that the neighbor is dead. When the router concludes that a BGP4 neighbor is dead, it ends the BGP4 session and closes the TCP connection to the neighbor.
• If the router has loopback interfaces, the default router ID is the IP address configured on the lowest-numbered loopback interface on the device. For example, if you configure loopback interfaces 1, 2, and 3 as follows, the default router ID is 9.9.9.9:
• Loopback interface 1, 9.9.9.9/24
• Loopback interface 2, 4.4.4.4/24
• Loopback interface 3, 1.1.1.
Changing the maximum number of paths for BGP4 load sharing
Load sharing enables the device to balance traffic to a destination across multiple equal-cost paths of the same type (EBGP or IBGP) for the route. To configure the device to perform BGP4 load sharing:
• Enable IP load sharing if it is disabled.
• Set the maximum number of paths.
NOTE If the cluster contains more than one route reflector, you must configure the same cluster ID on all the route reflectors in the cluster. The cluster ID is what lets route reflectors detect and discard routes that have already passed through their cluster, which prevents loops within the cluster.
• A route reflector is an IBGP router configured to send BGP route information to all the clients (other BGP4 routers) within the cluster.
• The device adds the route reflection attributes only if it is a route reflector, and only when advertising IBGP route information to other IBGP neighbors. The attributes are not used when communicating with EBGP neighbors.
• A device configured as a route reflector sets the ORIGINATOR_ID attribute to the router ID of the router that originated the route.
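The attribute handling in the bullets above, and the loop check that the cluster ID exists for, are shown below as an added example for this page, not Brocade code. Router IDs, cluster IDs and the route contents are assumptions; the example models ORIGINATOR_ID and CLUSTER_LIST only, not the rest of the UPDATE.

```python
"""Route reflector attributes and loop prevention.

Added example, not Brocade code. It shows what the bullets above describe:
a reflector sets ORIGINATOR_ID to the router ID of the route's originator,
prepends its cluster ID to CLUSTER_LIST, leaves both attributes off routes
sent to EBGP neighbors, and a router rejects a reflected route that already
carries its own router ID or its own cluster ID (the loop the cluster ID
exists to prevent). Router IDs and cluster IDs are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    originator_id: Optional[str] = None   # ORIGINATOR_ID attribute
    cluster_list: Tuple[str, ...] = ()    # CLUSTER_LIST attribute


@dataclass(frozen=True)
class Reflector:
    router_id: str
    cluster_id: str

    def reflect(self, route: Route, learned_from_id: str, to_ebgp: bool = False) -> Route:
        """Return the route as it would be advertised to a peer."""
        if to_ebgp:
            # The reflection attributes are used only toward IBGP neighbors.
            return replace(route, originator_id=None, cluster_list=())
        # ORIGINATOR_ID is set once, to the router that originated the route;
        # a reflector that sees it already set leaves it alone.
        originator = route.originator_id or learned_from_id
        return replace(route, originator_id=originator,
                       cluster_list=(self.cluster_id,) + route.cluster_list)


def accept_reflected(local_router_id: str, local_cluster_id: str, route: Route) -> bool:
    """Loop check performed by a router receiving a reflected IBGP route."""
    if route.originator_id == local_router_id:
        return False              # we originated this route: loop
    if local_cluster_id in route.cluster_list:
        return False              # our cluster already reflected it: loop
    return True
```

Two reflectors with the same cluster ID therefore never accept each other's copy of a route, which is why the note above requires one cluster ID per cluster.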
Filtering
This section describes the following:
• “Filtering AS-paths” on page 870
• “Filtering communities” on page 873
• “Defining and applying IP prefix lists” on page 875
• “Defining neighbor distribute lists” on page 876
• “Defining route maps” on page 876
• “Using a table map to set the tag value” on page 864
• “Configuring cooperative BGP4 route filtering” on page 884
Filtering AS-paths
You can filter updates received from BGP4 neighbors based on the contents of the AS-path list acc
The seq parameter is optional and specifies the AS-path list entry’s sequence number. If you do not specify a sequence number, the software numbers the entries in increments of 5, beginning with 5. The software evaluates the entries in an AS-path list in numerical order, beginning with the lowest sequence number. The deny | permit parameter specifies the action the software takes if a route’s AS-path matches a match statement in this ACL.
TABLE 134 BGP4 special characters for regular expressions (Continued)
Character Operation
+ The plus sign matches one or more occurrences of the preceding pattern. For example, the regular expression deg+ matches an AS-path that contains a sequence of “g”s, such as “deg”, “degg”, “deggg”, and so on.
? The question mark matches zero or one occurrence of the preceding pattern. For example, the following regular expression matches an AS-path that contains “dg” or “deg”.
| A vertical bar (sometimes called a pipe or a “logical or”) separates two alternative values or sets of values; the AS-path can match either one. For example, the regular expression (abc)|(defg) matches an AS-path that contains either “abc” or “defg”.
NOTE: The parentheses group multiple characters to be treated as one value.
Defining a community ACL
To configure community ACL 1, enter a command such as the following.
BigIron RX(config)# ip community-list 1 permit 123:2
This command configures a community ACL that permits routes that contain community 123:2.
NOTE Refer to “Matching based on community ACL” on page 879 for information about how to use a community list as a match condition in a route map.
Defining and applying IP prefix lists
An IP prefix list specifies a list of networks. When you apply an IP prefix list to a neighbor, the device sends or receives only routes whose destinations are in the IP prefix list. The software evaluates the entries in a prefix list in order, beginning with the lowest sequence number. To configure an IP prefix list and apply it to a neighbor, enter commands such as the following.
BigIron RX(config)# ip prefix-list Routesfor20 permit 20.20.0.
Defining neighbor distribute lists
A neighbor distribute list is a list of BGP4 address filters or ACLs that filter the routes sent to or received from a neighbor. To configure a distribute list that uses ACL 1, enter a command such as the following.
BigIron RX(config-bgp)# neighbor 10.10.10.1 distribute-list 1 in
This command configures the device to use ACL 1 to select the routes that the device will accept from neighbor 10.10.10.1.
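The AS-path ACL and the IP prefix list above share one evaluation model: entries are tried from the lowest sequence number, the first match decides, and a route that matches nothing is denied unless the last entry is a permit-any. The block below is an added example for both passages, not Brocade code; one evaluator serves both list types, AS-path entries use regular expressions of the kind in Table 134 applied to the AS-path written as space-separated numbers, and prefix entries match a prefix exactly (no length ranges). The sample routes and AS numbers are constructed.

```python
"""Ordered AS-path ACL and IP prefix list evaluation.

Added example, not Brocade code. A single evaluator serves both the AS-path
ACL and the IP prefix list described above: entries are evaluated from the
lowest sequence number, the first matching entry decides, auto-numbering
runs in steps of 5 starting at 5, and a route that matches no entry is
denied unless a final "permit any" entry is configured. AS-path entries use
regular expressions of the kind shown in Table 134; prefix entries match a
prefix exactly. Sample routes and AS numbers are constructed.
"""
import ipaddress
import re


class FilterList:
    def __init__(self):
        self.entries = {}  # sequence number -> (action, predicate)

    def add(self, action, predicate, seq=None):
        """Add an entry; without seq, number it in increments of 5 from 5."""
        if action not in ("permit", "deny"):
            raise ValueError(action)
        if seq is None:
            seq = (max(self.entries, default=0) // 5 + 1) * 5
        self.entries[seq] = (action, predicate)
        return seq

    def permits(self, route):
        """First match in sequence order decides; no match is an implicit deny."""
        for seq in sorted(self.entries):
            action, predicate = self.entries[seq]
            if predicate(route):
                return action == "permit"
        return False


def as_path_entry(regex):
    """Match the route's AS-path, written as space-separated AS numbers."""
    pattern = re.compile(regex)
    return lambda route: pattern.search(" ".join(map(str, route["as_path"]))) is not None


def prefix_entry(prefix):
    """Match a destination prefix exactly (no ge/le length ranges here)."""
    wanted = ipaddress.ip_network(prefix)
    return lambda route: ipaddress.ip_network(route["prefix"]) == wanted


def permit_any(route):
    return True


# Constructed AS-path ACL: drop anything that passed through AS 4355, then permit the rest.
AS_PATH_ACL = FilterList()
AS_PATH_ACL.add("deny", as_path_entry(r"(^| )4355( |$)"))
AS_PATH_ACL.add("permit", permit_any)

# Constructed prefix list with the implicit deny left in place.
PREFIX_LIST = FilterList()
PREFIX_LIST.add("permit", prefix_entry("20.20.0.0/16"))
```

Note the anchoring in the deny pattern: matching the bare string 4355 would also hit AS 43551, which is the kind of over-match that lets unwanted paths through or blocks legitimate ones.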
• A sequence of community filters
• A sequence of address filters
• The IP address of the next-hop router
• The route’s tag
• For OSPF routes only, the route’s type (internal, external type 1, or external type 2)
• An AS-path ACL
• A community ACL
• An IP prefix list
• An IP ACL
For routes that match all of the match statements, the route map’s set statements can perform one or more of the following modifications to the route’s attributes:
• Prepend AS numbers to the front of the route’s A
The permit | deny parameter specifies the action the router takes if a route matches a match statement.
• If you specify deny, the device does not advertise or learn the route.
• If you specify permit, the device applies the match and set statements associated with this route map instance.
The parameter specifies the instance of the route map you are defining. To delete a route map, enter a command such as the following.
NOTE The filters must already be configured.
The community parameter specifies a community ACL.
NOTE The ACL must already be configured.
The community exact-match parameter matches a route only if the route’s community attribute contains exactly the community numbers specified in the match statement.
The ip address | next-hop | prefix-list parameter specifies an ACL or IP prefix list.
Syntax: match community
The parameter specifies a community list ACL. To configure a community list ACL, use the ip community-list command. Refer to “Defining a community ACL” on page 874.
Matching based on destination network
You can use the results of an IP ACL or an IP prefix list as the match condition. To construct a route map that matches based on destination network, enter commands such as the following.
The first command configures an IP ACL that matches routes received from 192.168.6.0/24. The remaining commands configure a route map that matches all BGP4 routes advertised by the BGP4 neighbors whose addresses match the ACL. You can add a set statement to change a route attribute in the routes that match. You can also use the route map as input for other commands, such as the neighbor and network commands and some show commands.
Syntax: set [as-path [prepend
The metric-type type-1 | type-2 parameter changes the metric type of a route redistributed into OSPF. The metric-type internal parameter sets the route’s MED to the same value as the IGP metric of the BGP4 next-hop route; this applies when advertising a BGP4 route to an EBGP neighbor. The next-hop parameter sets the IP address of the route’s next-hop router. The origin igp | incomplete parameter sets the route’s origin to IGP or INCOMPLETE.
The value that the software substitutes for peer-address depends on whether the route map is used for inbound or outbound filtering:
• In an inbound route map, set ip next-hop peer-address substitutes the neighbor’s IP address.
• In an outbound route map, set ip next-hop peer-address substitutes the local IP address of the BGP4 session.
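How route map instances are walked, and how the peer-address substitution above depends on direction, is shown in the following added example for this page; it is not Brocade code. The session addresses, prefixes and the dictionary layout used for a route are assumptions of the example.

```python
"""Route map instances and set ip next-hop peer-address.

Added example, not Brocade code. Instances are evaluated in sequence order:
the first instance whose match statements all succeed decides, a deny
instance drops the route, a permit instance applies its set statements, and
a route matching no instance is denied. The peer-address substitution
follows the two bullets above: the neighbor's address for an inbound map,
the local address of the session for an outbound map. Addresses, prefixes
and the route dictionary layout are assumptions for this example.
"""
from copy import deepcopy


class RouteMap:
    def __init__(self, name):
        self.name = name
        self.instances = []  # (sequence, action, match predicates, set functions)

    def add(self, seq, action, matches=(), sets=()):
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.instances.append((seq, action, tuple(matches), tuple(sets)))
        self.instances.sort(key=lambda inst: inst[0])

    def apply(self, route, session):
        """Return the (possibly modified) route, or None if it is denied."""
        for _seq, action, matches, sets in self.instances:
            if not all(match(route) for match in matches):
                continue
            if action == "deny":
                return None
            result = deepcopy(route)   # never mutate the stored copy of the route
            for set_fn in sets:
                set_fn(result, session)
            return result
        return None  # no instance matched: implicit deny


def match_prefix(prefix):
    return lambda route: route["prefix"] == prefix


def set_local_pref(value):
    def apply(route, session):
        route["local_pref"] = value
    return apply


def set_next_hop_peer_address(route, session):
    """peer-address is the neighbor inbound and the local session address outbound."""
    if session["direction"] == "in":
        route["next_hop"] = session["neighbor"]
    else:
        route["next_hop"] = session["local"]


# Constructed session descriptors for one BGP4 session seen from both sides.
INBOUND = {"direction": "in", "neighbor": "10.10.10.1", "local": "10.10.10.2"}
OUTBOUND = {"direction": "out", "neighbor": "10.10.10.1", "local": "10.10.10.2"}

SAMPLE_MAP = RouteMap("SET_PEER_NH")
SAMPLE_MAP.add(10, "permit", [match_prefix("10.0.0.0/8")], [set_next_hop_peer_address])
SAMPLE_MAP.add(20, "deny", [match_prefix("192.168.0.0/16")])
SAMPLE_MAP.add(30, "permit", [], [set_local_pref(200)])
```

The empty match list on instance 30 is the route map equivalent of the "permit any" the text recommends as a last entry; without it, every route not named by an earlier instance is dropped.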
• Enable the cooperative route filtering feature on the device. You can enable the device to send ORFs to the neighbor, to receive ORFs from the neighbor, or both. The neighbor uses the ORFs you send as outbound filters when it sends routes to the device. Likewise, the device uses the ORFs it receives from the neighbor as outbound filters when sending routes to the neighbor.
• Reset the BGP4 neighbor session to send and receive ORFs.
• Perform these steps on the other device.
To activate cooperative filtering, reset the session with the neighbor. This is required because the cooperative filtering capability is exchanged in OPEN messages at the start of a session. To place a prefix-list change into effect after activating cooperative filtering, perform a soft reset of the neighbor session. A soft reset does not end the current session but sends the prefix list to the neighbor in the next route refresh message.
BigIron RX# show ip bgp neighbor 10.10.10.1
1 IP Address: 10.10.10.1, AS: 65200 (IBGP), RouterID: 10.10.10.
The route flap dampening mechanism is based on penalties. When a route’s penalty exceeds a configured value, the device stops using that route and stops advertising it to other routers. A route’s penalty decays over time, so a route whose stability improves is eventually reused. The mechanism uses the following parameters:
• Suppression threshold – Specifies the penalty value at which the device stops using the route.
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# address-filter 9 permit 209.157.22.0 255.255.255.0 255.255.255.0 255.255.255.0
BigIron RX(config-bgp)# address-filter 10 permit 209.157.23.0 255.255.255.0 255.255.255.0 255.255.255.
BigIron RX(config-routemap DAMPENING_MAP_NEIGHBOR_A)# exit
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# dampening route-map DAMPENING_MAP_ENABLE
BigIron RX(config-bgp)# neighbor 10.10.10.1 route-map in DAMPENING_MAP_NEIGHBOR_A
In this example, the first command globally enables route flap dampening. This route map does not contain any match or set statements.
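The penalty mechanism behind these commands, with the suppression threshold and maximum suppression time described earlier in the chapter, is modelled below as an added example for this page, not Brocade code. The per-flap penalty of 1000 (consistent with the default threshold of 2000 being "more than two flaps"), the 15-minute half-life and the reuse threshold of 750 are assumptions; the suppression threshold default and the maximum suppression time range follow the text.

```python
"""Route flap dampening penalty model.

Added example, not Brocade code. It models the penalty mechanism described
above and in the parameter descriptions earlier in the chapter: each flap
adds a fixed penalty, the penalty decays exponentially, a route is suppressed
once the penalty exceeds the suppression threshold, and it is reused when
the penalty decays below a reuse threshold or the maximum suppression time
has elapsed. The per-flap penalty of 1000 (consistent with the default
threshold of 2000 being "more than two flaps"), the 15-minute half-life and
the reuse threshold of 750 are assumptions; the suppression threshold and
the maximum suppression time use the defaults and ranges the text gives.
"""


class DampenedRoute:
    def __init__(self, suppress_threshold=2000, max_suppress_min=40,
                 half_life_min=15.0, reuse_threshold=750, flap_penalty=1000):
        self.suppress_threshold = suppress_threshold
        self.max_suppress_min = max_suppress_min      # text: 1 through 255 minutes
        self.half_life_min = half_life_min
        self.reuse_threshold = reuse_threshold
        self.flap_penalty = flap_penalty
        self.penalty = 0.0
        self.last_update = 0.0      # minutes
        self.suppressed_since = None

    def _decay(self, now):
        """Halve the penalty every half_life_min minutes since the last update."""
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.half_life_min)
        self.last_update = now

    def _update_state(self, now):
        if self.suppressed_since is None:
            if self.penalty > self.suppress_threshold:
                self.suppressed_since = now
        elif (self.penalty < self.reuse_threshold
              or now - self.suppressed_since >= self.max_suppress_min):
            self.suppressed_since = None

    def flap(self, now):
        """Record a withdraw/re-advertise at time now (minutes); return the status."""
        self._decay(now)
        self.penalty += self.flap_penalty
        self._update_state(now)
        return self.status(now)

    def status(self, now):
        """'suppressed' while the route is dampened, otherwise 'usable'."""
        self._decay(now)
        self._update_state(now)
        return "suppressed" if self.suppressed_since is not None else "usable"
```

Three flaps a minute apart cross the 2000 threshold on the third flap; the route then stays suppressed until the penalty decays below the reuse value (about 30 minutes with these numbers) or the maximum suppression time caps the outage, whichever comes first.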
BigIron RX# show ip bgp flap-statistics
Total number of flapping routes: 414
Status Code >:best d:damped h:history *:valid
Network From Flaps Since
h> 192.50.206.0/23 166.90.213.77 1 0 :0 :13
h> 203.255.192.0/20 166.90.213.77 1 0 :0 :13
h> 203.252.165.0/24 166.90.213.77 1 0 :0 :13
h> 192.50.208.0/23 166.90.213.77 1 0 :0 :13
h> 133.33.0.0/16 166.90.213.77 1 0 :0 :13
*> 204.17.220.0/24 166.90.213.
Clearing route flap dampening statistics
NOTE Clearing the dampening statistics for a route does not change the dampening status of the route.
To clear all the route dampening statistics, enter the following command at any level of the CLI.
Using soft reconfiguration
The soft reconfiguration feature places policy changes into effect without resetting the BGP4 session. It neither requests the neighbor or peer group to resend its entire BGP4 table nor resets the session with the neighbor or peer group. Instead, the device stores all the route updates received from the neighbor or peer group and re-applies policy to that stored copy.
NOTE Only the syntax related to soft reconfiguration is shown. For complete command syntax, refer to “Dynamically refreshing routes” on page 895.
Displaying the filtered routes received from the neighbor or peer group
When you enable soft reconfiguration, the device saves all updates received from the specified neighbor or peer group, including updates that contain routes that are filtered out by the BGP4 route policies in effect on the device.
BigIron RX# show ip bgp neighbor 192.168.4.106 routes
There are 97345 received routes from neighbor 192.168.4.106
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
Prefix Next Hop Metric LocPrf Weight Status
1 3.0.0.0/8 192.168.4.106 100 0 BE
AS_PATH: 65001 4355 701 80
2 4.0.0.0/8 192.168.4.106 100 0 BE
AS_PATH: 65001 4355 1
3 4.60.212.0/22 192.168.4.
To request a dynamic refresh of all routes from a neighbor, enter a command such as the following.
BigIron RX(config-bgp)# clear ip bgp neighbor 192.168.1.170 soft in
This command asks the neighbor to send its BGP4 table (Adj-RIB-Out) again. The device applies its inbound filters to the received routes and adds, modifies, or removes BGP4 routes as necessary.
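The difference between a dynamic refresh (the neighbor resends its Adj-RIB-Out) and soft reconfiguration (the device replays the copy of the updates it stored) is shown below as an added example for this page, not Brocade code. The routes, AS-paths and policy functions are constructed, modelled on the show ip bgp neighbor routes output above.

```python
"""Soft reconfiguration inbound: stored updates re-filtered without a reset.

Added example, not Brocade code. With soft reconfiguration enabled the
device keeps every update received from the neighbor, including routes the
inbound policy filters out, so a policy change can be applied by re-running
the policy over the stored copy instead of resetting the session or asking
the neighbor to resend its Adj-RIB-Out. Routes, AS-paths and the policy
functions are constructed for this example.
"""


def deny_transit_4355(route):
    """Constructed inbound policy: refuse routes that passed through AS 4355."""
    return 4355 not in route["as_path"]


def permit_all(route):
    return True


class SoftReconfigNeighbor:
    def __init__(self, address, inbound_policy):
        self.address = address
        self.inbound_policy = inbound_policy
        self.stored_updates = {}   # prefix -> route exactly as received (soft reconfig store)
        self.accepted = {}         # prefix -> route that passed the inbound policy
        self.session_resets = 0    # stays 0: nothing here touches the TCP session

    def _apply_policy(self, route):
        if self.inbound_policy(route):
            self.accepted[route["prefix"]] = route
        else:
            self.accepted.pop(route["prefix"], None)

    def receive_update(self, route):
        """Store the update first, then filter it; filtered routes stay in the store."""
        self.stored_updates[route["prefix"]] = route
        self._apply_policy(route)

    def receive_withdraw(self, prefix):
        self.stored_updates.pop(prefix, None)
        self.accepted.pop(prefix, None)

    def filtered_routes(self):
        """What 'show ip bgp neighbor ... routes' would list with status F."""
        return sorted(p for p in self.stored_updates if p not in self.accepted)

    def soft_reconfigure(self, new_policy):
        """Change the inbound policy and replay the stored updates; no reset."""
        self.inbound_policy = new_policy
        for route in list(self.stored_updates.values()):
            self._apply_policy(route)
        return sorted(self.accepted)


# Constructed updates modelled on the show ip bgp neighbor ... routes output above.
SAMPLE_UPDATES = [
    {"prefix": "3.0.0.0/8", "next_hop": "192.168.4.106", "as_path": (65001, 4355, 701, 80)},
    {"prefix": "4.0.0.0/8", "next_hop": "192.168.4.106", "as_path": (65001, 4355, 1)},
    {"prefix": "8.8.8.0/24", "next_hop": "192.168.4.106", "as_path": (65001, 1)},
]
```

The cost of this convenience is memory: the store holds every received route, which for a full-table neighbor (97345 routes in the output above) is a second copy of the table.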
To place a new or changed outbound policy or filter into effect, you must enter a clear ip bgp neighbor command regardless of whether the neighbor session is up or down. You can enter the command without optional parameters or with the soft out or soft-outbound option. Either way, you must specify which neighbor or neighbors (for example, all) the command applies to.
If you change filters or route maps and the neighbor does not support dynamic route refresh, use these methods to ensure that neighbors contain only the routes you want them to contain.
• If you close a neighbor session, the device and the neighbor clear all the routes they learned from each other. When the device and neighbor establish a new BGP4 session, they exchange route tables again.
BigIron RX# clear ip bgp neighbor 10.0.0.1 traffic
To clear the BGP4 message counters for all neighbors within a peer group, enter a command such as the following.
BigIron RX# clear ip bgp neighbor PeerGroup1 traffic
Syntax: clear ip bgp neighbor all | | | traffic
The all | | | parameter specifies the neighbor. The IP address form specifies a neighbor by its IP interface with the device.
Clearing diagnostic buffers
The BigIron RX stores the following BGP4 diagnostic information in buffers:
• The first 400 bytes of the last received packet that contained an error
• The last NOTIFICATION message either sent or received by the device
To display these buffers, use options with the show ip bgp neighbors command. Refer to “Displaying BGP4 neighbor information” on page 905.
Displaying summary BGP4 information
You can display the local AS number, the maximum number of routes and neighbors supported, and some BGP4 statistics. To view summary BGP4 information for the router, enter the following command at any CLI prompt.
BigIron RX# show ip bgp summary
BGP4 Summary
Router ID: 101.0.0.
TABLE 136 BGP4 summary information (Continued)
This field... Displays...
Number of Attribute Entries Installed – The number of BGP4 route-attribute entries in the router’s route-attributes table. To display the route-attribute table, refer to “Displaying BGP4 route-attribute entries” on page 924.
Neighbor Address – The IP addresses of this router’s BGP4 neighbors.
AS# – The neighbor’s AS number.
State – The state of this router’s session with each neighbor.
Sent – The number of BGP4 routes that the device has sent to the neighbor.
ToSend – The number of routes the device has queued to send to this neighbor.
Displaying the active BGP4 configuration
To view the active BGP4 configuration contained in the running configuration without displaying the entire running configuration, enter the following command at any level of the CLI.
BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 routes-summary
1 IP Address: 192.168.4.
TABLE 137 BGP4 route summary information for a neighbor (Continued)
This field... Displays...
NLRIs Discarded due to – The number of times the device discarded an NLRI from the neighbor for the following reasons:
• Maximum Prefix Limit – The configured maximum prefix limit for the neighbor had been reached.
• AS Loop – An AS loop occurred. An AS loop occurs when the BGP4 AS-path attribute contains the local AS number.
BigIron RX(config-bgp)# show ip bgp neighbor 10.4.0.2
1 IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1
Description: neighbor 10.4.0.
The attribute-entries option shows the attribute entries associated with routes received from the neighbor. The flap-statistics option shows the route flap statistics for routes received from or sent to the neighbor. The last-packet-with-error option displays the last packet from the neighbor that contained an error; the packet’s contents are shown in decoded (human-readable) format.
TABL E 138 BGP4 neighbor information (Continued)
This field... Displays...
RouterID – The neighbor’s router ID.
Description – The description you gave the neighbor when you configured it on the device.
State – The state of the router’s session with the neighbor. The states are from this router’s perspective of the session, not the neighbor’s perspective.
NextHopSelf – Whether this option is enabled for the neighbor.
DefaultOriginate – Whether this option is enabled for the neighbor.
MaximumPrefixLimit – The maximum number of prefixes the device will accept from this neighbor.
RemovePrivateAs – Whether this option is enabled for the neighbor.
Last Connection Reset Reason – The reason the previous session with this neighbor ended.
Notification Sent – If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
TCP Connection state – The state of the TCP connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
TotalRcv – The number of sequence numbers received from the neighbor.
DupliRcv – The number of duplicate sequence numbers received from the neighbor.
RcvWnd – The size of the receive window.
SendQue – The number of sequence numbers in the send queue.
RcvQue – The number of sequence numbers in the receive queue.
CngstWnd – The number of times the window has changed.
This display shows the following information.
TABLE 139 BGP4 route summary information for a neighbor
This field... Displays...
Routes Received – How many routes the device has received from the neighbor during the current BGP4 session.
• Accepted/Installed – How many of the received routes the device accepted and installed in the BGP4 route table.
NLRIs Sent in Update Message – The number of NLRIs for new routes the device has sent to this neighbor in UPDATE messages.
• Withdraws – The number of routes the device has sent to the neighbor to withdraw.
• Replacements – The number of routes the device has sent to the neighbor to replace routes the neighbor already has.
For information about the fields in this display, refer to Table 141 on page 921. The fields in this display also appear in the show ip bgp display.
Displaying the Adj-RIB-Out for a neighbor
To display the device’s current BGP4 Adj-RIB-Out for a specific neighbor and a specific destination network, enter a command such as the following at any level of the CLI.
BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 rib-out-routes 192.168.1.
BigIron RX(config-bgp)# show ip bgp routes summary
Total number of BGP routes (NLRIs) Installed : 20
Distinct BGP destination networks : 20
Filtered BGP routes for soft reconfig : 100178
Routes originated by this router : 2
Routes selected as BEST routes : 19
BEST routes not installed in IP forwarding table : 1
Unreachable routes (no IGP route for NEXTHOP) : 1
IBGP routes selected as best routes : 0
EBGP routes selected as best routes : 17
Syntax: show ip bgp routes summa
BigIron RX(config-bgp)# show ip bgp routes
Total number of BGP Routes: 97371
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
Prefix Next Hop Metric LocPrf Weight
1 3.0.0.0/8 192.168.4.106 100 0
AS_PATH: 65001 4355 701 80
2 4.0.0.0/8 192.168.4.106 100 0
AS_PATH: 65001 4355 1
3 4.60.212.0/22 192.168.4.106 100 0
AS_PATH: 65001 4355 701 1 189
4 6.0.0.0/8 192.168.4.
The no-best option displays the prefixes for which none of the received paths was selected as the best route. The IP route table does not contain a BGP4 route for any of the prefixes listed by the command.
BigIron RX(config-bgp)# show ip bgp routes unreachable
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
Prefix Next Hop Metric LocPrf Weight Status
1 8.8.8.0/24 192.168.5.1 0 101 0
AS_PATH: 65001 4355 1
Syntax: show ip bgp routes unreachable
For information about the fields in this display, refer to Table 141 on page 921.
TABLE 141 BGP4 network information
This field... Displays...
Number of BGP Routes matching display condition – The number of routes that matched the display parameters you entered. This is the number of routes displayed by the command.
Status codes – A list of the characters the display uses to indicate the route’s status. The status code appears in the left column of the display, to the left of each route. The status codes are described in the command’s output.
Origin code – A character the display uses to indicate the route’s origin. The origin code appears to the right of the AS path (Path field). The origin codes are described in the command’s output.
NOTE: This field appears only if you do not enter the route option.
Status – The route’s status, which can be one or more of the following:
A – AGGREGATE.
TABLE 142 BGP4 route information
This field... Displays...
Total number of BGP Routes: The number of BGP4 routes.
Status codes: A list of the characters the display uses to indicate the route's status. The status code appears in the left column of the display, to the left of each route. The status codes are described in the command's output.
Prefix: The network prefix and mask length.
Origin: The source of the route information. The origin can be one of the following:
• EGP – The routes with this set of attributes came to BGP through EGP.
• IGP – The routes with this set of attributes came to BGP through IGP.
• INCOMPLETE – The routes came from an origin other than one of the above. For example, they may have been redistributed from OSPF or RIP.
BigIron RX# show ip bgp attribute-entries
Total number of BGP Attribute Entries: 7753
1   Next Hop :192.168.11.1   Metric :0   Originator:0.0.0.0   Cluster List:None
    Aggregator:AS Number :0   Router-ID:0.0.0.0
    Local Pref:100   Communities:Internet
    AS Path :(65002) 65001 4355 2548 3561 5400 6669 5548
2   Next Hop :192.168.11.1   Metric :0   Originator:0.0.0.0   Cluster List:None
    Aggregator:AS Number :0   Router-ID:0.0.0.
27 Displaying BGP4 information TABLE 143 BGP4 route-attribute entries information (Continued) This field... Displays... Communities The communities that routes with this set of attributes are in. AS Path The ASs through which routes with this set of attributes have passed. The local AS is shown in parentheses. Displaying the routes BGP4 has placed in the IP route table The IP route table indicates the routes it has received from BGP4 by listing “BGP” as the route type.
The parameter specifies a particular route. If you also use the optional longer-prefixes parameter, all statistics for routes that match the specified route or have a longer prefix than the specified route are displayed. For example, if you specify 209.157.0.0 longer, all routes with the prefix 209.157 or a longer prefix (such as 209.157.22) are displayed.
 match address-filters 11
 set community 11:12 no-export
route-map permit1122 permit 12
 match ip address 11
route-map permit1122 permit 13
 match ip address std_22
This example shows that the running configuration contains six route maps. Notice that the match and set statements within each route map are listed beneath the command for the route map itself. In this simplified example, each route map contains only one match or set statement.
NOTE
After configuring BGP graceful restart, you must reset the neighbor session, whether or not the session is currently up, before graceful restart takes effect. Use the clear ip bgp neighbor command to clear and re-establish neighbor sessions.
Configuring BGP graceful restart on a router
Use the following commands to enable the BGP graceful restart feature on a BigIron RX device.
Router 1
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# local-as 100
BigIron RX(config-bgp)# graceful-restart
BigIron RX(config-bgp)# neighbor 12.2.0.14 remote-as 200
BigIron RX(config-bgp)# write memory
Router 2
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# local-as 200
BigIron RX(config-bgp)# graceful-restart
BigIron RX(config-bgp)# neighbor 12.1.0.14 remote-as 100
BigIron RX(config-bgp)# neighbor 12.3.0.
Generalized TTL security mechanism support 27 BigIron RX# show ip bgp neighbor 11.11.11.2 1 IP Address: 11.11.11.2, Remote AS: 101 (EBGP), RouterID: 101.101.101.
Syntax: [no] neighbor | ebgp-btsh
NOTE
For GTSM protection to work, it must be enabled on both the Brocade device and the neighbor. A speaker with ebgp-btsh enabled sends its BGP packets with a TTL of 255 and accepts only packets that still carry that value on arrival; a neighbor that has not enabled it sends with the default eBGP TTL of 1, which the protected side discards, so the session cannot form.
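The following is an added illustration of the TTL check that ebgp-btsh applies, written for this page rather than taken from Brocade's code. It models RFC 5082 behaviour for a directly connected peer (hop limit of 1, an assumption for this platform): a GTSM speaker transmits with TTL 255 and accepts only packets that arrive with 255, because every router on the path decrements the TTL once. The speaker names and hop counts are constructed.

```python
# TTL-security (GTSM, RFC 5082) acceptance check as applied by an eBGP speaker
# with "ebgp-btsh" configured. Added illustration, not BigIron RX code; speaker
# names, hop counts and the single-hop limit are assumptions for the example.
from dataclasses import dataclass

MAX_TTL = 255          # TTL / hop limit a GTSM speaker puts on every packet it sends
DEFAULT_EBGP_TTL = 1   # TTL a classic eBGP speaker uses toward a directly connected peer


@dataclass
class Speaker:
    name: str
    gtsm: bool   # True when "neighbor ... ebgp-btsh" is configured on this side


def transmit_ttl(sender: Speaker) -> int:
    """GTSM changes what is sent as well as what is accepted."""
    return MAX_TTL if sender.gtsm else DEFAULT_EBGP_TTL


def gtsm_accept(arrival_ttl: int, hop_limit: int = 1) -> bool:
    """Accept only a packet that can have crossed fewer than hop_limit routers.

    Each forwarding router decrements the TTL by one, so a packet from a
    directly connected peer (hop_limit=1) must still carry 255 on arrival."""
    return arrival_ttl >= MAX_TTL - hop_limit + 1


def accepts(receiver: Speaker, arrival_ttl: int, hop_limit: int = 1) -> bool:
    if arrival_ttl < 1:
        return False                 # would have expired in transit
    if not receiver.gtsm:
        return True                  # classic speaker: any live packet is processed
    return gtsm_accept(arrival_ttl, hop_limit)


def one_way(sender: Speaker, receiver: Speaker, routers_between: int = 0) -> bool:
    """Does a packet from sender get past receiver's TTL check?"""
    return accepts(receiver, transmit_ttl(sender) - routers_between)


def session_forms(a: Speaker, b: Speaker, routers_between: int = 0) -> bool:
    """A BGP session needs both directions to pass. This is why the feature has
    to be enabled on both ends: a protected speaker drops the TTL-1 packets an
    unprotected neighbour sends."""
    return one_way(a, b, routers_between) and one_way(b, a, routers_between)


def spoof_reaches(victim: Speaker, attacker_routers_away: int) -> bool:
    """Best case for an attacker: TTL 255 at origin, decremented once per router
    on the way in. With GTSM, only an attacker on the shared link gets through."""
    return accepts(victim, MAX_TTL - attacker_routers_away)


if __name__ == "__main__":
    r1, r2 = Speaker("R1", gtsm=True), Speaker("R2", gtsm=True)
    legacy = Speaker("R3", gtsm=False)
    print("R1<->R2 (both GTSM):     ", session_forms(r1, r2))
    print("R1<->R3 (one side only): ", session_forms(r1, legacy))
    print("spoof from 3 hops vs R1: ", spoof_reaches(r1, 3))
    print("spoof from 3 hops vs R3: ", spoof_reaches(legacy, 3))
```

The last two calls show what GTSM buys and what it does not: a remote attacker can never make a packet arrive with TTL 255, but a host on the same link as the peer still can, so GTSM complements rather than replaces MD5 session authentication and ACLs on the peering interface.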
Chapter 28 Configuring MBGP In this chapter • Overview of MBGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Configuring MBGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Displaying MBGP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28 Configuration considerations An MBGP router learns MBGP routes from its neighbors in other ASs. An MBGP router also can advertise MBGP routes to its neighbors. The Brocade implementation of MBGP enables you to advertise multicast routes from the following sources: • Explicitly configured network prefixes • Static IP multicast routes • Directly-connected multicast routes redistributed into MBGP.
To increase the maximum number of multicast routes supported on the device, enter commands such as the following.
BigIron RX(config)# system-max multicast-route 12000
BigIron RX(config)# write memory
BigIron RX(config)# end
BigIron RX# reload
These commands increase the maximum number of multicast routes supported, save the configuration change to the startup-config file, and reload the software to place the change into effect.
28 Configuring MBGP NOTE If the BigIron RX has multiple neighbors with similar attributes, you can simplify configuration by configuring a peer group, then adding individual neighbors to it. The configuration steps are similar, except you specify a peer group name instead of a neighbor IP address when configuring the neighbor parameters, then add individual neighbors to the peer group.
Configuring MBGP 28 NOTE This section shows some of the more common optional tasks, including all the tasks that require you to specify that they are for MBGP. Most tasks are configured only for BGP4 but apply both to BGP4 and MBGP. For information on these other tasks, refer to Chapter 27, “Configuring BGP4 (IPv4 and IPv6)”.
Enabling redistribution of directly-connected multicast routes into MBGP
To redistribute directly-connected multicast routes into MBGP, enable redistribution of directly-connected routes into MBGP and use a route map to select the routes to be redistributed. Here is an example.
BigIron RX(config)# access-list 10 permit 207.95.22.0 0.0.0.
Configuring MBGP 28 The ve parameter specifies a virtual interface. The null0 parameter is the same as dropping the traffic. The distance parameter sets the administrative distance for the route. The parameter specifies the cost metric of the route. Possible values are: 1 - 6 Default value: 1 NOTE Regardless of the administrative distances, the device always prefers directly connected routes over other routes.
28 Displaying MBGP information Displaying MBGP information All of the BGP show commands have MBGP equivalents. Use mbgp instead of bgp in the command syntax. For example, to display the MBGP route table, enter the show ip mbgp routes command instead of the show ip bgp routes command. Table 145 lists the MBGP show commands and describes their output. For information about a command, refer to Chapter 27, “Configuring BGP4 (IPv4 and IPv6)”.
Displaying the active MBGP configuration
To display the active MBGP configuration information contained in the running-config without displaying the entire running-config, enter the following command at any level of the CLI.
BigIron RX# show ip mbgp config
Current BGP configuration:
router bgp
 local-as 200
 neighbor 166.1.1.2 remote-as 200
 address-family ipv4 unicast
 no neighbor 166.1.1.
28 Displaying MBGP information BigIron RX # show ip mbgp neighbor 7.7.7.2 Total number of BGP Neighbors: 1 1 IP Address: 166.1.1.2, Remote AS: 200 (IBGP), RouterID: 8.8.8.
BigIron RX# show ip mbgp route
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
    Prefix          Next Hop      Metric   LocPrf   Weight   Status
1   8.8.8.0/24      166.1.1.2     0        100      0        BI
    AS_PATH:
2   31.1.1.0/24     166.1.1.2     0        100      0        BI
    AS_PATH:
Syntax: show ip mbgp routes
Displaying the IP multicast route table
To display the IP multicast route table, enter the following command.
Chapter 29 Configuring IS-IS (IPv4) In this chapter • IS-IS overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • IS-IS CLI levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Configuring IPv4 IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Globally configuring IS-IS on a device . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Portions of the Internet Draft "IS-IS extensions for Traffic Engineering" draft-ietf-isis-traffic-02.txt (dated 2000) that describe the Extended IP reachability TLV (TLV type 135) and the extended Intermediate System (IS) reachability TLV (TLV type 22). These portions provide support for the wide metric version of IS-IS. No other portion is supported in Brocade's implementation of IS-IS.
FIGURE 127 An IS-IS network contains Intermediate Systems (ISs) and host systems
[Figure: an IS-IS routing domain containing IS-IS Area 1 (Router A, Router B) and IS-IS Area 2 (Router C, Router D), Router E, a BGP4 connection, and attached IP hosts.]
An IS-IS routing domain can contain multiple areas. IS-IS routers route within an area at Level-1. IS-IS routers route between areas at Level-2.
29 IS-IS overview Neighbors and adjacencies A device configured for IS-IS forms an adjacency with each of the IS-IS devices to which it is directly connected. An adjacency is a two-way direct link (a link without router hops) over which the two devices can exchange IS-IS routes and other protocol-related information. The link is sometimes called a “circuit”. The devices with which the device forms adjacencies are its neighbors, which are other ISs.
FIGURE 128 Each broadcast network has a Level-1 designated IS and a Level-2 designated IS
[Figure: Broadcast Network 1, Broadcast Network 2 and Broadcast Network 3 connecting Router A, Router B, Router C and Router D, each labelled with its priority (64, 10, 20, 64) and system ID (aaaa.bbbb.1111, aaaa.bbbb.1121, aaaa.bbbb.1122, aaaa.bbbb.).]
IS-IS CLI levels
The CLI includes various levels of commands for IS-IS. Figure 129 diagrams these levels.
FIGURE 129 IS-IS CLI levels
[Figure: from configure terminal, router isis enters the global level (commands for IS-IS and all address families); beneath it are the IPv4 address-family level with its unicast sub-family, the IPv6 address-family level with its unicast sub-family, and the isis interface commands.]
The IS-IS CLI levels are as follows:
• A global level for the configuration of the IS-IS protocol.
Configuring IPv4 IS-IS 29 Syntax: address-family ipv4 unicast The (config-isis-router-ipv4u)# prompt indicates that you are at the IPv4 IS-IS unicast address family configuration level. While at this level, you can access several commands that allow you to configure IPv4 IS-IS unicast settings. NOTE Each address family configuration level allows you to access commands that apply to that particular address family only.
29 Globally configuring IS-IS on a device Syntax: [no] net .. The parameter specifies the area and has the format xx or xx.xxxx. For example, 49 and 49.2211 are valid area IDs. The parameter specifies the router’s unique IS-IS router ID and has the format xxxx.xxxx.xxxx. You can specify any value for the system ID. A common practice is to use the device’s base MAC address as the system ID. The base MAC address is also the MAC address of port 1.
Globally configuring IS-IS on a device 29 • If an IS is in the overload state for Level-1, other Level-1 ISs stop using the overloaded IS to forward Level-1 traffic. However, the IS can still forward Level-2 traffic, if applicable. • If an IS is in the overload state for Level-2, other Level-2 ISs stop using the overloaded IS to forward Level-2 traffic. However, the IS can still forward Level-1 traffic, if applicable.
If you configure a password, the device checks for the password in the IS-IS packets it receives and includes the password in the packets it sends. For example, the device checks all Level-2 LSPDUs it receives for the domain password you configure, and includes the password in all Level-2 PDUs it sends. This is the simple-password authentication defined by ISO 10589 and RFC 1195: the password is carried in cleartext in the authentication TLV, so it protects against accidental adjacencies with misconfigured routers, not against an attacker who can capture or inject traffic on the link.
Configuring a domain password
To configure an IS-IS domain password, enter a command such as the following.
Globally configuring IS-IS on a device 29 Disabling or re-enabling display of hostname Brocade’s implementation of IS-IS supports RFC 2763, which describes a mechanism for mapping IS-IS system IDs to the hostnames of the devices with those IDs. For example, if you set the hostname on the device to “IS-IS Router 1”, the mapping feature uses this name instead of the device’s IS-IS system ID in the output of the following commands.
29 Globally configuring IS-IS on a device Changing the maximum LSP lifetime The maximum LSP lifetime is the maximum number of seconds an un-refreshed LSP can remain in the device’s LSP database. The maximum LSP lifetime can be from 1 – 65535 seconds. The default is 1200 seconds (20 minutes). To change the maximum LSP lifetime to 2400 seconds, enter a command such as the following.
Globally configuring IS-IS on a device 29 Syntax: [no] lsp-interval Enter 1 – 4294967295 milliseconds for the LSP interval. The default is 33 milliseconds. To define an interval for retransmission of LSPs enter a command such as the following. BigIron RX(config-isis-router)# retransmit-interval 3 Syntax: [no] retransmit-interval Enter 0 – 65535 seconds for the retransmission interval. The default is 5 seconds.
29 Configuring IPv4 address family route parameters This command disables all hello PDU padding on the device. To re-enable padding, enter the following command. BigIron RX(config-isis-router)# hello padding Syntax: [no] hello padding By default, hello padding is enabled. Enter the no form of the command to disable hello padding. To disable hello padding on an interface, refer to “Disabling and enabling hello padding on an interface” on page 967.
Configuring IPv4 address family route parameters 29 Changing the maximum number of load sharing paths By default, IPv4 IS-IS can calculate and install four equal-cost paths into the IPv4 forwarding table. You can change the number of paths IPv4 IS-IS can calculate and install in the IPv4 forwarding table to a value from 1 – 8. If you change the number of paths to one, the device does not load share multiple route paths learned from IPv4 IS-IS.
29 Configuring IPv4 address family route parameters BigIron RX(config)# route-map default_level1 permit 1 BigIron RX(config-routemap default_level1)# set level level-1 BigIron RX(config-routemap default_level1)# exit BigIron RX(config)# router isis BigIron RX(config-isis-router)# address-family ipv4 unicast BigIron RX(config-isis-router-ipv4u)# default-information-originate route-map default_level1 These commands configure a route map to set the default advertisement level to Level 1 only.
Configuring IPv4 address family route parameters 29 This command changes the administrative distance for all IPv4 IS-IS routes to 100. The parameter specifies the administrative distance. You can specify a value from 1 – 255. (Routes with a distance value of 255 are not installed in the routing table.) The default for IPv4 IS-IS is 115. Configuring summary addresses You can configure summary addresses to aggregate IS-IS route information.
29 Configuring IPv4 address family route parameters The device automatically redistributes Level-1 routes into Level-2 routes. Thus, you do not need to enable this type of redistribution. You also can enable redistribution of Level-2 routes into Level-1 routes. The device attempts to use the redistributed route’s metric as the route’s IPv4 IS-IS metric. For example, if an OSPF route has an OSPF cost of 20, the router uses 20 as the route’s IPv4 IS-IS metric.
Configuring IPv4 address family route parameters 29 The route-map parameter restricts redistribution to those routes that match the specified route map. The route map must already be configured before you use the route map name with the redistribution command. For example, to configure a route map that redistributes only the static IPv4 routes to the destination networks 192.168.0.0/24, enter commands such as the following.
29 Configuring ISIS properties on an interface Most of the parameters are the same as the parameters for the redistribute static command. However, the redistribute ospf command also has the match external1 | external2 | internal parameter. This parameter specifies the OSPF route type you want to redistribute into IPv4 IS-IS. By default, the redistribute ospf command redistributes only internal routes. • external1 – An OSPF type 1 external route. • external2 – An OSPF type 2 external route.
Configuring ISIS properties on an interface 29 Disabling and enabling IS-IS on an interface In addition to enabling IS-IS globally, you also must enable the protocol on the individual interfaces connected to ISs or ESs. To enable IS-IS locally on specific interfaces, enter commands such as the following.
NOTE
You can set the IS-IS priority on an individual interface basis only. You cannot set the priority globally.
To set the IS-IS priority on an interface, enter commands such as the following.
BigIron RX(config)# interface ethernet 2/8
BigIron RX(config-if-e1000-2/8)# isis priority 127
This command sets the IS-IS priority on port 2/8 to 127. Since the command does not specify Level-1 or Level-2, the new priority setting applies to both IS-IS levels.
Configuring ISIS properties on an interface 29 Disabling and enabling hello padding on an interface The section “Globally disabling or re-enabling hello padding” on page 957 explains what hello padding is, why it is important and how to globally disable or enable it on a device. You can also disable hello padding on a specific interface by entering commands such as the following.
29 Displaying IPv4 IS-IS information Changing the metric added to advertised routes When the device originates an IS-IS route or calculates a route, the device adds a metric (cost) to the route. Each IS-IS interface has a separate metric value. The default is 10. The device applies the interface-level metric to routes originated on the interface and also when calculating routes. The device does not apply the metric to link-state information that the device receives from one IS and floods to other ISs.
Displaying IPv4 IS-IS information 29 Displaying the IS-IS configuration in the running-config You can display the global IS-IS configuration commands that are in effect on the device using the following CLI method. NOTE The running-config does not list the default values. Only commands that change a setting or add configuration information are displayed. To list the global IS-IS configuration commands in the device’s running-config, enter the following command at any level of the CLI.
BigIron RX# show isis neighbor
Total number of IS-IS Neighbors: 2
System ID       Interface   SNPA            State   Holdtime   Type   Pri   StateChgeTime
00e0.52b5.7800  Ether2/4    00e0.52b5.7843  UP      10         ISL2   64    0 :0 :16:8
00e0.52b5.7800  Ether2/4    00e0.52b5.7843  UP      10         ISL1   64    0 :0 :16:8
Syntax: show isis neighbor [detail]
The detail option displays more details for each neighbor. This display shows the following information.
TABLE 147 IS-IS neighbor information
This field... Displays...
BigIron RX# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dynamic Log Buffer (50 lines):
00d00h00m42s:N:BGP Peer 192.147.202.10 UP (ESTABLISHED)
00d00h00m18s:N:ISIS L2 ADJACENCY UP 1234.1234.1234 on interface 2/8
00d00h00m08s:N:ISIS L1 ADJACENCY UP 1234.1234.
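The log buffer above is the place to watch for unexpected adjacency changes, which is what an operator would check after a suspected routing-plane attack or a misconfigured password. The following parser and flap detector is an added example written for this page, not Brocade code: it understands the ddhhmmss uptime stamp and severity letter shown in the show logging legend, extracts the BGP peer and IS-IS adjacency messages, and reports peers whose state changed repeatedly inside a short window. The sample buffer is constructed, and the DOWN reason strings in it are assumptions.

```python
# Parser and flap detector for BigIron RX "show logging" entries of the form
# "00d00h00m42s:N:BGP Peer 192.147.202.10 UP (ESTABLISHED)". Added example,
# not Brocade code; the sample log below is constructed and its DOWN reason
# texts are invented for the illustration.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity letters from the "level code" legend printed by show logging
SEVERITY = {"A": "alert", "C": "critical", "D": "debugging", "M": "emergency",
            "E": "error", "I": "informational", "N": "notification", "W": "warning"}

ENTRY_RE = re.compile(r"^(\d+)d(\d+)h(\d+)m(\d+)s:([ACDEIMNW]):(.*)$")
BGP_RE = re.compile(r"^BGP Peer (\S+) (UP|DOWN)\b(.*)$")
ISIS_RE = re.compile(r"^ISIS (L[12]) ADJACENCY (UP|DOWN) (\S+) on interface (\S+)")


@dataclass
class Event:
    uptime_s: int     # seconds since boot, from the ddhhmmss stamp
    severity: str
    protocol: str     # "bgp" or "isis"
    peer: str         # neighbour address or IS-IS system ID
    state: str        # "UP" or "DOWN"
    detail: str


def parse_entry(line: str) -> Optional[Event]:
    """Return an Event for a BGP peer or IS-IS adjacency message, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    d, h, mi, s, code, msg = m.groups()
    uptime = int(d) * 86400 + int(h) * 3600 + int(mi) * 60 + int(s)
    b = BGP_RE.match(msg)
    if b:
        return Event(uptime, SEVERITY[code], "bgp", b.group(1), b.group(2), b.group(3).strip())
    i = ISIS_RE.match(msg)
    if i:
        return Event(uptime, SEVERITY[code], "isis", i.group(3), i.group(2),
                     f"{i.group(1)} on {i.group(4)}")
    return None


def parse_log(text: str) -> List[Event]:
    """Parse a whole buffer (the device prints newest first) into time order."""
    events = [e for e in (parse_entry(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e.uptime_s)


def flapping_peers(events: List[Event], window_s: int = 60, threshold: int = 3) -> Dict[str, int]:
    """Peers with at least `threshold` state changes inside some `window_s` window.
    Every logged event is a state change, so a sliding window over the
    timestamps of each peer gives the worst-case change count."""
    times = defaultdict(list)
    for e in events:
        times[e.peer].append(e.uptime_s)
    report = {}
    for peer, ts in times.items():
        ts.sort()
        j, best = 0, 0
        for i, t in enumerate(ts):
            while ts[j] < t - window_s:   # slide the window's left edge forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            report[peer] = best
    return report


# Constructed sample, newest first as the device prints it.
SAMPLE_LOG = """\
Dynamic Log Buffer (50 lines):
00d00h03m40s:N:BGP Peer 192.147.202.10 DOWN (Hold Timer Expired)
00d00h03m15s:N:BGP Peer 192.147.202.10 UP (ESTABLISHED)
00d00h03m10s:N:BGP Peer 192.147.202.10 DOWN (Hold Timer Expired)
00d00h00m42s:N:BGP Peer 192.147.202.10 UP (ESTABLISHED)
00d00h00m18s:N:ISIS L2 ADJACENCY UP 1234.1234.1234 on interface 2/8
00d00h00m08s:N:ISIS L1 ADJACENCY UP 1234.1234.1234 on interface 2/8
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e)
    print("flapping:", flapping_peers(evs))
```

Because the uptime stamp resets on reload, correlate it with the system's actual boot time (or forward the buffer to a syslog server with wall-clock timestamps) before comparing events across devices.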
29 Displaying IPv4 IS-IS information Displaying interface information To display information about the device’s IS-IS interfaces, enter the following command at any level of the CLI.
Displaying IPv4 IS-IS information TABLE 149 29 IS-IS Interface information (Continued) This field... Circuit State Displays... The state of the circuit, which can be one of the following: DOWN UP • • Passive State The passive state determines whether the interface is allowed to form an IS-IS adjacency with the IS at the other end of the circuit. The state can be one of the following: • FALSE – The passive option is disabled.
29 Displaying IPv4 IS-IS information TABLE 149 IS-IS Interface information (Continued) This field... Displays... Circuit Authentication Fails The number of times the device rejected a circuit because the authentication did not match the authentication configured on the device. Bad LSP The number of times the interface received a bad LSP from an IS at the other end of the circuit.
Displaying IPv4 IS-IS information TABLE 150 29 IS-IS route information (Continued) This field... Displays... Tag The tag value associated with the route. Path The path number in the table. The IS-IS route table can contain multiple equal-cost paths to the same destination, in which case the paths are numbered consecutively. When IP load sharing is enabled, the device can load balance traffic to the destination across the multiple paths.
29 Displaying IPv4 IS-IS information The l1 and level1 parameters display the Level-1 LSPs only. You can use either parameter. The l2 and level2 parameters display the Level-2 LSPs only. You can use either parameter. The show isis database summary display shows the following information. TABLE 151 IS-IS summary LSP database information This field... Displays... LSPID The LSP ID, which consists of the source ID (6 bytes), the pseudonode (1 byte), and LSPID (1 byte).
BigIron RX# show isis database detail
IS-IS Level-1 Link State Database
LSPID        LSP Seq Num   LSP Checksum   LSP Holdtime
RX.00-00*    0x0000000b    0x23fb         971
  Area Address: 49
  NLPID: CC(IP)
  Hostname: RX
  Metric: 10   IP-Internal 4.1.1.0/24   Up-bit: 0
  Metric: 10   IS RX.01
IS-IS Level-2 Link State Database
LSPID        LSP Seq Num   LSP Checksum   LSP Holdtime
RX.00-00*    0x0000000d    0x7d97         903
  Area Address: 49
  NLPID: CC(IP)
  Hostname: RX
  IP address: 4.1.1.1
  Metric: 10   IP-Internal 4.1.1.
29 Displaying IPv4 IS-IS information TABLE 152 IS-IS detailed LSP database information (Continued) This field... Displays... IP address The IP address of the interface that sent the LSP. The device can use this address as the next hop in routes to the addresses listed in the rows below. Destination addresses The rows of information below the IP address row are the destinations advertised by the LSP. The device can reach these destinations by using the IP address listed above as the next hop.
Displaying IPv4 IS-IS information TABLE 153 29 IS-IS traffic statistics This field... Displays... Level-1 Hellos The number of Level-1 hello PDUs sent and received by the device. Level-2 Hellos The number of Level-2 hello PDUs sent and received by the device. Level-1 LSP The number of Level-1 link-state PDUs sent and received by the device. Level-2 LSP The number of Level-2 link-state PDUs sent and received by the device.
29 Clearing IS-IS information TABLE 154 IS-IS error statistics (Continued) This field... Displays... LSP Sequence Number Skipped The number of times the device received an LSP with a sequence number that was more than 1 higher than the sequence number of the previous LSP received from the same neighbor. LSP Max Sequence Number Exceeded The number of times the device attempted to set an LSP sequence number to a value higher than the highest number in the CSNP sent by the Designated IS.
Clearing IS-IS information 29 The neighbor parameter closes the device’s adjacencies with its IS-IS neighbors and clears the neighbor statistics. The route [ | / ] parameter clears the IS-IS route table or the specified matching route. The traffic parameter clears the PDU statistics. NOTE The traffic option also clears the values displayed in the show isis interface command’s Control Messages Sent and Control Messages Received fields.
Chapter 30 BiDirectional Forwarding Detection (BFD) In this chapter • BFD overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Configuring BFD parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Displaying Bidirectional Forwarding Detection information . . . . . . . . . . . . • Configuring BFD for the specified protocol . . . . . . . . . . . . . . . . . . . . . . . . .
NOTE
BFD supports multi-slot trunks in cases where all BFD packets are transmitted on a single path that does not change unless the trunk's active membership changes. BFD is not supported on multi-slot trunks where per-packet switching is used, because the path taken by the BFD packets then varies from packet to packet.
Configuring BFD parameters
When you configure BFD, you must set timing and interval parameters. These are configured on each interface.
Displaying Bidirectional Forwarding Detection information 30 Syntax: [no] logging enable bfd BFD logging is enabled by default. If you disable BFD logging as shown, you can re-enable it by using the logging enable bfd command. Displaying Bidirectional Forwarding Detection information You can display Bidirectional Forwarding Detection (BFD) information for the router you are logged-in to and for BFD configured neighbors as described in the following sections.
30 Displaying Bidirectional Forwarding Detection information TABLE 155 Display of BFD information (Continued) This field... Displays... Maximum Exceeded Count for LPs The number of times the request to set up a BFD session was declined because it would have resulted in exceeding the maximum number of BFD sessions allowed on an Interface module. LP The number of the Interface module that the Current Session Count is displayed for.
Displaying Bidirectional Forwarding Detection information 30 The interface ve option displays BFD neighbor information for the specified virtual interface only. This display shows the following information. TABLE 157 Display of BFD information This field... Displays... Total number of Neighbor entries The number of neighbors that have established BFD sessions with ports on this router. NeighborAddress The IPv4 or IPv6 address of the remote peer. State The current state of the BFD session.
30 Displaying Bidirectional Forwarding Detection information TABLE 158 Display of BFD neighbor detail information (Continued) This field... Displays... Interface The logical port on which the peer is known. Holddown The interval after which the session will transition to the down state if no message is received. Interval The interval at which the local router sends BFD messages to the remote peer. RH Heard from remote.
Configuring BFD for the specified protocol TABLE 158 30 Display of BFD neighbor detail information (Continued) This field... Displays... Stats: SysUpTime The amount of time that the system has been up. Session Uptime The amount of time the session has been in the UP state. LastSessionDownTimestamp The system time at which the session last transitioned from the UP state to some other state. Physical Port The physical port on which the peer is known.
30 Configuring BFD for the specified protocol While this command configures BFD for OSPFv2 on all of a router’s OSPFv2 enabled interfaces, it is not required that it be configured if you use the ip ospf bfd command to configure specific interfaces. It can be used independently or together with that command. Enabling or disabling BFD for OSPFv2 for a specific interface You can selectively enable or disable BFD on any OSPFv2 interface as shown in the following.
Configuring BFD for the specified protocol 30 Syntax: [no] bfd all-interfaces While this command configures BFD for IS-IS on all of a router’s IS-IS enabled interfaces, it is not required that it be configured if you use the isis bfd command to configure specific interfaces. It can be used independently or together with that command. Enabling or disabling BFD for IS-IS for a specific interface You can selectively enable or disable BFD on any IS-IS interface as shown in the following.
Chapter Configuring Secure Shell 31 In this chapter • Overview of Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993 • Configuring SSH. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 994 • Displaying SSH connection information. . . . . . . . . . . . . . . . . . . . . . . . . . . 1001 • Using secure copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• SCP/SFTP/SSH URI Format
If you are using redundant management modules, you can synchronize the DSA host key pair between the active and standby modules by entering the sync-standby command at the Privileged EXEC level of the CLI.
Tested SSHv2 clients
The following SSH clients have been tested with SSHv2:
• SSH Secure Shell 3.2.3
• Van Dyke SecureCRT 4.0 and 4.1
• F-Secure SSH Client 5.3 and 6.0
• PuTTY 0.54 and 0.56
• OpenSSH 3.5_p1 and 3.6.1p2
• Solaris Sun-SSH-1.
• DSA challenge-response authentication, where a collection of public keys is stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
• Password authentication, where users attempting to gain access to the device using an SSH client are authenticated with passwords stored on the device or on a TACACS, TACACS+ or RADIUS server.
Both kinds of user authentication are enabled by default. Because of this, importing client public keys does not by itself stop password logins; password authentication remains available until you disable it.
31 Configuring SSH By default, public keys are hidden in the running configuration. You can optionally configure the device to display the DSA host key pair in the running configuration file entering the following command. BigIron RX# ssh show-host-keys Syntax: ssh show-host-keys To hide the public keys in the running configuration file, enter the following command.
1. Importing authorized public keys into the device.
2. Enabling DSA challenge-response authentication.
Importing authorized public keys into the device
SSH clients that support DSA authentication normally provide a utility to generate a DSA key pair. The private key is usually stored in a password-protected file on the local host; the public key is stored in another file and is not protected.
BigIron RX# show ip client-pub-key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET
W6ToHv8D1UJ/
z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH
YI14Om
1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv
wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v
GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA
vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80q
With DSA challenge-response authentication, a collection of clients’ public keys is stored on the device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
Setting the SSH login timeout value
When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects. You can change this timeout value to between 1 – 120 seconds. For example, to change the timeout value to 60 seconds.
Filtering SSH access using ACLs
You can permit or deny SSH access to the device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL or a named standard IPv4 ACL. Then enter the following command.
BigIron RX(config)# access-list 10 permit host 192.168.144.241
BigIron RX(config)# access-list 10 deny host 192.168.144.
BigIron RX#show who
Console connections:
 established, monitor enabled, in config mode
 2 minutes 17 seconds in idle
Telnet connections (inbound):
 1 closed
 2 closed
 3 closed
 4 closed
 5 closed
Telnet connection (outbound):
 6 closed
SSH connections:
 1 established, client ip address 192.168.144.241, 1 minutes 16 seconds in idle
 2 established, client ip address 192.168.144.241, you are connecting to this session 18 seconds in idle
 3 established, client ip address 192.168.144.
NOTE
When using SCP, you enter the scp commands on the SCP-enabled client, rather than the console on the device.
NOTE
Certain SCP client options, including -p and -r, are ignored by the SCP server on the device. If an option is ignored, the client is notified.
To copy a configuration file (c:\cfg\brocade.cfg) to the running configuration file on a device at 192.168.1.50 and log in as user terry, enter the following command on the SCP-enabled client.
C:\> scp c:\cfg\brocade.
31 1004 Using secure copy BigIron RX Series Configuration Guide 53-1002484-04
Chapter 32 Configuring Multi-Device Port Authentication
In this chapter
• How multi-device port authentication works
• Configuring multi-device port authentication
• Displaying multi-device port authentication information
• Example configurations
traffic from this MAC address is encountered on a MAC-authentication-enabled interface, the device sends the RADIUS server an Access-Request message with 0007e90feaa1 as both the username and password. The format of the MAC address sent to the RADIUS server is configurable through the CLI.
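As an added illustration (not code from the guide or the device), the following Python builds the Access-Request such a port sends for a newly seen MAC address, with the formatted MAC as both User-Name and RFC 2865 hidden User-Password, and parses it back the way the RADIUS server would. The shared secret, Request Authenticator and RADIUS identifier are constructed sample values; the two MAC formats are the ones that appear in this guide. Since the only client-presented credential is the MAC address itself, the protection rests on the shared secret and on which MACs the server has profiles for.

```python
import hashlib
import struct

# RADIUS packet code and attribute types used here (RFC 2865).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch not in ".:-")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def format_mac(mac, style):
    """Render the MAC in one of the two formats shown in the guide:
    'xxxxxxxxxxxx' (as in the 0007e90feaa1 example) or 'xxxx.xxxx.xxxx'
    (the Username/Password format shown by show auth-mac configuration)."""
    digits = normalize_mac(mac)
    if style == "xxxxxxxxxxxx":
        return digits
    if style == "xxxx.xxxx.xxxx":
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    raise ValueError("unsupported format: %r" % style)


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16,
    then XOR each 16-byte chunk with MD5(secret + previous ciphertext chunk),
    seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the RADIUS server does); strips padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type, value):
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, authenticator, mac, secret, style):
    """Build the Access-Request a MAC-authentication-enabled port sends:
    the formatted MAC address is both User-Name and (hidden) User-Password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    ident = format_mac(mac, style).encode()
    attrs = tlv(ATTR_USER_NAME, ident)
    attrs += tlv(ATTR_USER_PASSWORD, hide_password(ident, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Walk the attribute TLVs of a RADIUS packet into {type: value},
    refusing packets whose length fields do not agree with the data."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs


if __name__ == "__main__":
    # Constructed sample values: a fixed authenticator and shared secret.
    auth = bytes(range(16))
    pkt = build_access_request(7, auth, "0007e90feaa1", b"sharedsecret", "xxxx.xxxx.xxxx")
    got = parse_attributes(pkt)
    print(got[ATTR_USER_NAME], reveal_password(got[ATTR_USER_PASSWORD], b"sharedsecret", auth))
```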
To enable dynamic VLAN assignment for authenticated MAC addresses, you must add the following attributes to the profile for the MAC address on the RADIUS server. Dynamic VLAN assignment on multi-device port authentication-enabled interfaces is enabled by default.
• Disabling aging for authenticated MAC addresses (optional)
• Specifying the aging time for blocked MAC addresses (optional)
Enabling multi-device port authentication
Multi-device port authentication is enabled globally on the device. To enable it, enter the following command.
The dot1x parameter indicates that this RADIUS server supports the 802.1x standard. A RADIUS server that supports the 802.1x standard can also be used to authenticate non-802.1x authentication requests.
NOTE
To implement 802.1x port security, at least one of the RADIUS servers identified to the BigIron RX must support the 802.1x standard.
Supported RADIUS attributes
Many IEEE 802.1x Authenticators will function as RADIUS clients.
BigIron RX(config)# interface e 3/1
BigIron RX(config-if-e100-3/1)# mac-authentication auth-fail-action restrict-vlan 100
Syntax: [no] mac-authentication auth-fail-action restrict-vlan []
If the ID for the restricted VLAN is not specified at the interface level, the global restricted VLAN ID applies for the interface. To specify the VLAN ID of the restricted VLAN globally, enter the following command.
Configuring dynamic VLAN assignment
An interface can be dynamically assigned to a VLAN based on the MAC address learned on that interface. When a MAC address is successfully authenticated, the RADIUS server sends the device a RADIUS Access-Accept message that allows the device to forward traffic from that MAC address. The RADIUS Access-Accept message can also contain attributes set for the MAC address in its access profile on the RADIUS server.
In this example, the port is added to VLANs 12 or 20 or VLANs 12 or the VLAN named "marketing". When a tagged packet is authenticated, and a list of VLANs is specified on the RADIUS server for the MAC address, then the packet tag must match one of the VLANs in the list in order for the Client to be successfully authenticated. If authentication is successful, then the port is added to the packet VLAN specified in the list.
• If the string does not match either the name or the ID of a VLAN configured on the device, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.
• For untagged ports, if the VLAN ID provided by the RADIUS server is valid, then the port is removed from its current VLAN and moved to the RADIUS-specified VLAN as an untagged port.
Specifying to which VLAN a port is moved after its RADIUS-specified VLAN assignment expires
When a port is dynamically assigned to a VLAN through the authentication of a MAC address, and the MAC session for that address is deleted on the device, then by default the port is removed from its RADIUS-assigned VLAN and placed back in the VLAN where it was originally assigned.
Clearing authenticated MAC addresses
The device maintains an internal table of the authenticated MAC addresses (viewable with the show authenticated-mac-address command). You can clear the contents of the authenticated MAC address table either entirely, or just for the entries learned on a specified interface. In addition, you can clear the MAC session for an address learned on a specific interface.
denied-mac-only disables aging of denied sessions and enables aging of permitted sessions.
permitted-mac-only disables aging of permitted (authenticated and restricted) sessions and enables aging of denied sessions.
Specifying the aging time for blocked MAC addresses
When the device is configured to drop traffic from non-authenticated MAC addresses, traffic from the blocked MAC addresses is dropped in hardware, without being sent to the CPU.
Displaying authenticated MAC address information
To display information about authenticated MAC addresses on the ports where the multi-device port authentication feature is enabled, enter the following command.
BigIron RX# show auth-mac configuration
Feature enabled : Yes
Global Fail-VLAN Id : None
Username/Password format : xxxx.xxxx.
TABLE 161 Output from the show auth-mac-address configuration command (Continued)
This field...   Displays...
MAC-filter      Whether a MAC filter has been applied to this port to specify pre-authenticated MAC addresses.
DOS Enable      Denial of Service status. This column will always show "No" since DOS is not supported.
Protect Limit   This is not applicable to the device, but the output always shows "512".
TABLE 162 Output from the show authenticated-mac-address command (Continued)
This field...           Displays...
Port VLAN               The VLAN to which the port is assigned, and whether the port had been dynamically assigned to the VLAN by a RADIUS server.
DOS attack protection   Whether denial of service attack protection has been enabled for multi-device port authentication, limiting the rate of authentication attempts sent to the RADIUS server.
TABLE 163 Output from the show auth-mac-address command (Continued)
This field...   Displays...
Access          Whether the MAC address was allowed or denied access into the network.
Age             The age of the MAC address entry in the authenticated MAC address list.
Displaying the authenticated MAC addresses
To display the MAC addresses that have been successfully authenticated, enter the following command.
Example configurations
Multi-device port authentication with dynamic VLAN assignment
Figure 130 illustrates multi-device port authentication with dynamic VLAN assignment on a Brocade device. In this configuration, a PC and an IP phone are connected to a hub, which is connected to port 2/1 on a Brocade device.
The mac-authentication disable-ingress-filtering command enables tagged packets on the port, even if the port is not a member of the VLAN. If this feature is not enabled, authentication works as in “Example 2”.
Example 2
Figure 131 illustrates multi-device port authentication with dynamic VLAN assignment on a Brocade device. In this configuration, a PC and an IP phone are connected to a hub, which is connected to port 2/1 on a Brocade device.
The part of the running-config related to multi-device port authentication would be as follows.
mac-authentication enable
mac-authentication auth-fail-vlan-id 1023
interface ethernet 2/1
 mac-authentication enable
 mac-authentication auth-fail-action restrict-vlan
 mac-authentication enable-dynamic-vlan
Examples of multi-device port authentication and 802.
FIGURE 132 Using multi-device port authentication and 802.1X authentication on the same port
[Figure: RADIUS Server profiles]
User 0050.048e.86ac (IP Phone) Profile: Foundry-802_1x-enable = 0, Tunnel-Private-Group-ID = T:IP-Phone-VLAN
User 0002.3f7f.2e0a (PC) Profile: Foundry-802_1x-enable = 1, Tunnel-Private-Group-ID = U:Login-VLAN
User 1 Profile: Tunnel-Private-Group-ID = U:IP-User-VLAN
[Figure: FastIron Switch, Port e1/3 (Dual Mode), Hub; Untagged PC MAC: 0002.3f7f.
When the PC is authenticated using multi-device port authentication, the port PVID is changed to “Login-VLAN”, which is VLAN 1024 in this example. When User 1 is authenticated using 802.1X authentication, the port PVID is changed to “User-VLAN”, which is VLAN 3 in this example.
Example 2
The configuration in Figure 133 requires that you create a profile on the RADIUS server for each MAC address from which a device or user can connect to the network.
Since there is no profile for the PC MAC address on the RADIUS server, multi-device port authentication for this MAC address fails. Ordinarily, this would mean that the PVID for the port would be changed to that of the restricted VLAN, or traffic from this MAC would be blocked in hardware. However, the device is configured to perform 802.
Chapter 33 Using the MAC Port Security Feature and Transparent Port Flooding
In this chapter
• Overview of MAC port security
• Configuring the MAC Port Security feature
• Defining security violation actions
• Understanding the rules for violation action configuration
• Re-enabling an interface
The secure MAC addresses are not flushed when an interface is disabled and brought up again. The secure addresses can be kept secure permanently (the default), or can be configured to age out, at which time they are no longer secure. You can configure the device to automatically save the list of secure MAC addresses to the startup-config file at specified intervals, allowing addresses to be kept secure across system restarts.
Globally enabling MAC Port Security
To enable the feature globally.
BigIron RX(config)# global-port security
BigIron RX(config-port-security)# enable
To disable the feature on all interfaces at once.
BigIron RX(config)# global-port security
BigIron RX(config-port-security)# no enable
Syntax: [no] global-port security
Syntax: [no] enable
Enabling MAC Port Security on an interface
To enable the feature on a specific interface.
NOTE
If static and dynamic MAC addresses are used and the number of static MAC addresses is less than the maximum number configured for an interface, then the remaining MAC addresses can be learned dynamically.
The secure MAC addresses are saved in the start-up configuration if autosave mode is enabled, or if the configuration is saved.
Specifying static secure MAC addresses
Static secure MAC addresses can be specified only on an interface.
Autosaving secure MAC addresses to the startup-config
The autosave attribute allows the device to learn secure MAC addresses dynamically and then add them to the list of secure MAC addresses. The learned MAC addresses are automatically saved to the startup-config file at specified intervals. These addresses remain persistent after a reboot.
Defining security violation actions
A MAC Port Security violation can occur when any of the following occurs:
• The maximum number of secure MAC addresses has been exceeded.
• The MAC address received is in the deny MAC address list.
When a MAC Port Security violation occurs, an SNMP trap and Syslog message are generated.
Entering the force parameter forces the interface to shut down once the #-denied-packets-processed has been reached. If this parameter is not configured, then the system will ask to confirm whether or not the interface is to be shut down.
The logged message contains the IP address and the MAC address of the denied packet. For example, the following configuration shows that violation restrict is configured:
interface ethernet 14/1
 port security
  enable
  maximum 5
  violation restrict
  secure-mac-address 0000.0022.2222
  secure-mac-address 0000.0022.2223
  secure-mac-address 0000.0022.2224
  secure-mac-address 0000.0022.2225
  secure-mac-address 0000.0022.
Syntax: [no] violation deny [force]
If the force parameter is used, then the MAC addresses are denied automatically; otherwise, prompts are displayed to confirm whether or not the MAC addresses are to be denied.
Understanding the rules for violation action configuration
There are certain things to note when configuring or changing the violation action at the global or interface level.
• Interfaces that are configured with deny violation action will continue to use the deny violation action; however, all entries in the MAC table are cleared and any MAC entries in the deny MAC address list that were inherited from the global deny MAC address list will no longer be denied. The interface will continue to use the deny MAC addresses configured in its own deny MAC address list.
BigIron RX(config)# interface ethernet 7/11
BigIron RX(config-if-e100-7/11)#enable
Syntax: enable
Displaying MAC Port Security information
The following sections present the reports that can be displayed for MAC Port Security.
Displaying MAC Port Security settings
You can display the MAC Port Security settings for the device.
Displaying the secure MAC addresses list on the device
To list the secure MAC addresses configured on the device, enter the following command.
BigIron RX# show port security mac
Port  Count  Secure-Addr(S)      Vlan
----- -----  ------------------  ----
3/2   1      0003.0000.0001 (S)  1
3/2   2      0003.0000.0002 (S)  1
3/2   3      0003.0000.0003 (S)  1
3/2   4      0003.0000.
BigIron RX# show port security statistics 7
Module 7:
 Total ports: 0
 Total MAC address(es): 0
 Total violations: 0
 Total shutdown ports 0
Syntax: show port security statistics
TABLE 167 Output from the show port security statistics command
This field...           Displays...
Total ports             The number of interfaces on the module.
Total MAC address(es)   The total number of secure MAC addresses on the module.
BigIron RX# show port security mac
Port  Count  Secure-Addr(S)      Vlan  AgeLeft  Deny-Addr(D)
----- -----  ------------------  ----  -------  ------------
2/8   1      0010.2222.2a12 (S)  4000  10
2/8   2      0010.2222.2b12 (S)  4000  10
2/8   3      0010.2222.2c12 (S)  4000  10
2/8   4      0010.2222.2d12 (S)  4000  10
Syntax: show port security mac [ethernet / ]
Enter a value for ethernet / if you want the secure and denied MAC addresses for one interface.
TABLE 169 Output from the show port security denied-macs command (Continued)
This field...   Displays...
Age             How long the address has been denied access to the interface.
Age left        Amount of time left before the address ages out. After the age timer expires, the MAC address is removed from the deny list.
SA learning is disabled
mirror disabled, monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
MTU 1522 bytes, encapsulation ethernet
300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 0 bits/sec, 0 packets/sec, 0.
Chapter 34 Configuring 802.1x Port Security
In this chapter
• Overview of 802.1x port security 1045
• How 802.1x port security works 1045
• 802.1x port security and sFlow 1052
• Configuring 802.1x port security 1052
• Displaying 802.1x information
Device roles in an 802.1x configuration
The 802.1x standard defines the roles of Client/Supplicant, Authenticator, and Authentication Server in a network. The Client (known as a Supplicant in the 802.1x standard) provides username/password information to the Authenticator. The Authenticator sends this information to the Authentication Server.
Communication between the devices
For communication between the devices, 802.1x port security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284. The 802.1x standard specifies a method for encapsulating EAP messages so that they can be carried over a LAN. This encapsulated form of EAP is known as EAP over LAN (EAPOL).
Controlled and uncontrolled ports
A physical port on the device used with 802.1x port security has two virtual access points, a controlled port and an uncontrolled port. The controlled port provides full access to the network. The uncontrolled port provides access only for EAPOL traffic between the Client and the Authentication Server. When a Client is successfully authenticated, the controlled port is opened to the Client. Figure 136 illustrates this concept.
Message exchange during authentication
Figure 137 illustrates a sample exchange of messages between an 802.1x-enabled Client, a BigIron RX acting as Authenticator, and a RADIUS server acting as an Authentication Server.
When a Client that supports 802.1x attempts to gain access through a non-802.1x-enabled port, it sends an EAP start frame to the BigIron RX device. When the device does not respond, the Client considers the port to be authorized, and starts sending normal traffic. BigIron RX devices support MD5-challenge, TLS, and any other EAP-encapsulated authentication types in EAP Request/Response messages.
By default, traffic from clients that cannot be authenticated by the RADIUS server is dropped in hardware. You can optionally configure the BigIron RX to assign the port to a “restricted” VLAN if authentication of the Client is unsuccessful.
How 802.1x multiple client authentication works
When multiple clients are connected to a single 802.1x-enabled port on a BigIron RX (as in Figure 138), 802.1x authentication is performed in the following way.
1. One of the 802.
• If a Client has been denied access to the network (that is, the Client’s dot1x-mac-session is set to “access-denied”), then you can cause the Client to be re-authenticated by manually disconnecting the Client from the network, or by using the clear dot1x mac-session command. Refer to “Clearing a dot1x-mac-session for a MAC address” on page 1064 for information on this command.
NOTE
Multi-Device Port Authentication and 802.1x authentication can both be enabled on a port; however, only one of them can authenticate a MAC address/802.1x client.
Configuring an authentication method list for 802.1x
To use 802.1x port security, you must specify an authentication method to be used to authenticate Clients. Brocade supports RADIUS authentication with 802.1x port security. To use RADIUS authentication with 802.
Supported RADIUS attributes
Many IEEE 802.1x Authenticators will function as RADIUS clients. Some of the RADIUS attributes may be received as part of IEEE 802.1x authentication. The BigIron RX supports the following RADIUS attributes for IEEE 802.
• If the Tunnel-Type or the Tunnel-Medium-Type attributes in the Access-Accept message do have the values specified above, but there is no value specified for the Tunnel-Private-Group-ID attribute, the client will not become authorized.
• When the BigIron RX receives the value specified for the Tunnel-Private-Group-ID attribute, it checks whether the string matches the name of a VLAN configured on the device.
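An added example, not device code, of the decision these rules describe for 802.1x and for multi-device port authentication alike: resolve Tunnel-Private-Group-ID (with the T:/U: prefixes used in the Figure 132 profiles) against the device's configured VLANs by name or ID, and move an untagged port while remembering the original VLAN for when the MAC session is deleted. The attribute numbers and the VLAN/802 values for Tunnel-Type and Tunnel-Medium-Type are taken from RFC 2868 and RFC 3580, since the sentence naming them is cut off on this page; treating an Access-Accept with no tunnel attributes as an authorization on the port's current VLAN is an assumption.

```python
from collections import namedtuple

# Tunnel attribute numbers and the VLAN/802 values that 802.1X VLAN assignment
# uses, per RFC 2868 / RFC 3580 (assumption: the guide's sentence naming them
# is cut off on this page).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6

Decision = namedtuple("Decision", "ok tagging vlan_id reason")


def resolve_dynamic_vlan(accept_attrs, configured_vlans):
    """Decide what an Access-Accept asks the port to do.

    accept_attrs: {attribute_number: value} from the RADIUS Access-Accept.
    configured_vlans: {vlan_id: vlan_name} of the VLANs configured on the device.

    Returns Decision(ok=True, tagging, vlan_id, None) when the client may be
    authorized; tagging is 'tagged' / 'untagged' from a T: / U: prefix, or None
    when no prefix is given. Returns ok=False with a reason when the client must
    not become authorized, in which case the configured authentication-failure
    action applies to the MAC address.
    """
    tunnel_attrs = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if not any(a in accept_attrs for a in tunnel_attrs):
        # No VLAN attributes at all: client stays on the port's current VLAN
        # (assumption; the page covers only the cases where they are present).
        return Decision(True, None, None, None)
    if (accept_attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or accept_attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_TYPE_802):
        return Decision(False, None, None, "Tunnel-Type/Tunnel-Medium-Type are not VLAN/802")
    group = accept_attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not group:
        return Decision(False, None, None, "Tunnel-Private-Group-ID missing")
    tagging = None
    if len(group) > 2 and group[1] == ":" and group[0] in "TtUu":
        tagging = "tagged" if group[0] in "Tt" else "untagged"
        group = group[2:]
    # Match by VLAN ID first, then by VLAN name; anything else is a failure.
    if group.isdigit():
        vid = int(group)
        if vid in configured_vlans:
            return Decision(True, tagging, vid, None)
        return Decision(False, None, None, "VLAN ID %d is not configured" % vid)
    for vid, name in configured_vlans.items():
        if name == group:
            return Decision(True, tagging, vid, None)
    return Decision(False, None, None, "no VLAN named %r is configured" % group)


def apply_untagged_assignment(port, decision):
    """For an untagged port: move it from its current VLAN to the RADIUS-specified
    VLAN, remembering the original VLAN so it can be restored later. A 'tagged'
    assignment adds a tagged membership instead and is not modelled here."""
    if not decision.ok or decision.vlan_id is None or decision.tagging == "tagged":
        return dict(port)
    moved = dict(port)
    moved.setdefault("original_pvid", port["pvid"])
    moved["pvid"] = decision.vlan_id
    moved["radius_assigned"] = True
    return moved


def release_dynamic_vlan(port):
    """MAC session deleted: put the port back in its originally configured VLAN,
    the default behaviour the guide describes for expired assignments."""
    restored = dict(port)
    if "original_pvid" in restored:
        restored["pvid"] = restored.pop("original_pvid")
    restored["radius_assigned"] = False
    return restored


if __name__ == "__main__":
    # Constructed device VLAN table and a sample Access-Accept.
    vlans = {1: "DEFAULT-VLAN", 3: "IP-User-VLAN", 12: "marketing", 1024: "Login-VLAN"}
    accept = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "U:Login-VLAN"}
    port = {"name": "e2/1", "pvid": 1, "radius_assigned": False}
    moved = apply_untagged_assignment(port, resolve_dynamic_vlan(accept, vlans))
    print(moved, release_dynamic_vlan(moved))
```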
Disabling and enabling strict security mode for dynamic filter assignment
By default, 802.1x dynamic filter assignment operates in strict security mode. When strict security mode is enabled, 802.1x authentication for a port fails if the Filter-ID attribute contains invalid information, or if insufficient system resources are available to implement the per-user IP ACLs or MAC address filters specified in the Vendor-Specific attribute.
To re-enable strict security mode for an interface, enter the following command.
BigIron RX(config-if-e10000-1)# dot1x filter-strict-security
Syntax: [no] dot1x filter-strict-security
The output of the show dot1x and show dot1x config commands has been enhanced to indicate whether strict security mode is enabled or disabled globally and on an interface.
Dynamically applying existing ACLs or MAC address filter
When a port is authenticated using 802.
• Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters are not supported.
• MAC address filters are supported only for the inbound direction. Outbound MAC address filters are not supported.
• Dynamically assigned IP ACLs and MAC address filters are subject to the same configuration restrictions as non-dynamically assigned IP ACLs and MAC address filters.
Enabling 802.1x port security
By default, 802.1x port security is disabled on BigIron RX devices. To enable the feature on the device and enter the dot1x configuration level, enter the following command.
BigIron RX(config)# dot1x-enable
BigIron RX(config-dot1x)#
Syntax: [no] dot1x-enable
At the dot1x configuration level, you can enable 802.1x port security on all interfaces at once, on individual interfaces, or on a range of interfaces. For example, to enable 802.
When an interface’s control type is set to auto, its controlled port is initially set to unauthorized, but is changed to authorized when the connecting Client is successfully authenticated by an Authentication Server. The port control type can be one of the following.
force-authorized – The port’s controlled port is placed unconditionally in the authorized state, allowing all traffic. This is the default state for ports on the BigIron RX.
The re-authentication interval is a global setting, applicable to all 802.1x-enabled interfaces. If you want to re-authenticate Clients connected to a specific port manually, use the dot1x re-authenticate command. See “Re-authenticating a port manually”, below.
Re-authenticating a port manually
When periodic re-authentication is enabled, by default the BigIron RX re-authenticates Clients connected to an 802.
Specifying the number of EAP-request/identity frame retransmissions
If the BigIron RX does not receive an EAP-response/identity frame from a Client, the device waits 30 seconds (or the amount of time specified with the timeout tx-period command), then retransmits the EAP-request/identity frame. By default, the BigIron RX retransmits the EAP-request/identity frame a maximum of two times.
Initializing 802.1x on a port
To initialize 802.1x port security on a port, or to flush all of its information on that port and start again, enter a command such as the following.
BigIron RX# dot1x initialize e 3/1
Syntax: dot1x initialize
Allowing multiple 802.1x clients to authenticate
If there are multiple clients connected to a single 802.1x-enabled port, the BigIron RX authenticates each of them individually.
BigIron RX(config-dot1x)# auth-fail-max-attempts 2
Syntax: [no] auth-fail-max-attempts
By default, the device makes 3 attempts to authenticate a Client before dropping packets from the Client. You can specify between 1 – 10 authentication attempts.
Display commands
The show port security global-deny command lists all the configured global deny MAC addresses. The show port security denied mac command lists all the denied MAC addresses in the system.
TABLE 172 Output from the show dot1x command (Continued)
This field...    Displays...
server-timeout   When the Authentication Server does not respond to a message sent from the Client, the amount of time before the BigIron RX retransmits the message. Refer to “Specifying a timeout for retransmission of messages to the authentication server” on page 1062 for information on how to change this setting.
TABLE 173 Output from the show dot1x config command for an interface
This field...               Displays...
AuthControlledPortControl   The port control type configured for the interface. If set to auto, authentication is activated on the 802.1x-enabled interface.
multiple-hosts              Whether the port is configured to allow multiple Supplicants accessing the interface on the BigIron RX through a hub. Refer to “Allowing multiple 802.
TABLE 174 Output from the show dot1x statistics command (Continued)
This field...                     Displays...
RX EAPOL Total                    The total number of EAPOL frames received on the port.
RX EAP Resp/Id                    The number of EAP-Response/Identity frames received on the port.
RX EAP Resp other than Resp/Id    The total number of EAPOL-Response frames received on the port that were not EAP-Response/Identity frames.
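To make these counters concrete, this added Python (not from the guide or the device) parses EAPOL frames as the Authenticator receives them on a port and tallies them into the three fields above, refusing frames whose length fields do not agree with the data. The sample frames, the Supplicant MAC and the extra 'invalid' bucket are constructed for the example; the EAPOL/EAP field layout is the one defined by IEEE 802.1X and RFC 3748.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
# EAPOL packet types (IEEE 802.1X) and EAP codes/types (RFC 3748) used below.
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE, EAP_TYPE_TLS = 1, 4, 13
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X destination MAC


def parse_eapol(frame):
    """Parse an Ethernet frame. Returns a dict for a well-formed EAPOL frame,
    the string 'invalid' for an EAPOL frame whose length fields do not hold,
    and None for a frame that is not EAPOL at all."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    if len(frame) < 18:
        return "invalid"
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        return "invalid"  # truncated body: do not trust any of it
    info = {"version": version, "eapol_type": ptype, "eap": None}
    if ptype == EAPOL_EAP_PACKET:
        if length < 4:
            return "invalid"
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            return "invalid"
        eap = {"code": code, "id": ident, "type": None, "data": b""}
        if code in (EAP_REQUEST, EAP_RESPONSE):
            if eap_len < 5:
                return "invalid"
            eap["type"] = body[4]
            eap["data"] = body[5:eap_len]
        info["eap"] = eap
    return info


def count_rx_eapol(frames):
    """Tally frames received on one port into the three show dot1x statistics
    fields described in the table above, plus an 'invalid' bucket of our own."""
    stats = {"RX EAPOL Total": 0, "RX EAP Resp/Id": 0,
             "RX EAP Resp other than Resp/Id": 0, "invalid": 0}
    for frame in frames:
        info = parse_eapol(frame)
        if info is None:
            continue  # not EAPOL: not part of these counters
        if info == "invalid":
            stats["invalid"] += 1
            continue
        stats["RX EAPOL Total"] += 1
        eap = info["eap"]
        if eap and eap["code"] == EAP_RESPONSE:
            if eap["type"] == EAP_TYPE_IDENTITY:
                stats["RX EAP Resp/Id"] += 1
            else:
                stats["RX EAP Resp other than Resp/Id"] += 1
    return stats


def eap_packet(code, ident, eap_type, data=b""):
    """EAP header (code, identifier, length) followed by type and type-data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(src, ptype, payload=b""):
    """Ethernet frame to the PAE group address carrying one EAPOL v1 packet."""
    return (PAE_GROUP_ADDRESS + src
            + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(payload)) + payload)


# Constructed sample traffic from one Supplicant (MAC made up for the example),
# as the Authenticator would see it on a single port.
SUPPLICANT = bytes.fromhex("0050da0b8cd7")
SAMPLE_FRAMES = [
    eapol_frame(SUPPLICANT, EAPOL_START),
    eapol_frame(SUPPLICANT, EAPOL_EAP_PACKET,
                eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"mary")),
    eapol_frame(SUPPLICANT, EAPOL_EAP_PACKET,
                eap_packet(EAP_RESPONSE, 2, EAP_TYPE_MD5_CHALLENGE, bytes(17))),
    eapol_frame(SUPPLICANT, EAPOL_EAP_PACKET,
                eap_packet(EAP_RESPONSE, 3, EAP_TYPE_TLS, b"\x80")),
    eapol_frame(SUPPLICANT, EAPOL_LOGOFF),
    # Same Response/Identity frame cut short by three bytes: length mismatch.
    eapol_frame(SUPPLICANT, EAPOL_EAP_PACKET,
                eap_packet(EAP_RESPONSE, 4, EAP_TYPE_IDENTITY, b"mary"))[:-3],
    # An IPv4 frame on the same port: not EAPOL, so not counted at all.
    PAE_GROUP_ADDRESS + SUPPLICANT + b"\x08\x00" + bytes(40),
]

if __name__ == "__main__":
    print(count_rx_eapol(SAMPLE_FRAMES))
```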
BigIron RX# show interface e 12/2
GigabitEthernet1/3 is up, line protocol is up
Hardware is GigabitEthernet, address is 000c.dbe2.5800 (bia 000c.dbe2.
BigIron RX#show dot1x mac-address ethernet 1/1
Port 1/1 MAC Address Filter information:
Port default MAC Filter : mac access-list 400 in
Syntax: show dot1x mac-address-filter [all | ethernet | | begin | exclude | include ]
The all keyword displays all dynamically applied MAC address filters active on the device. Use the ethernet / parameter to display information for one port.
BigIron RX# show dot1x mac-session
Port  MAC             Username    VLAN  Auth State  ACL|MAC  Age
                                                    i|o|f
-------------------------------------------------------------------------------
1/1   0050.da0b.8cd7  Mary M      1     DENIED      n|n|n    0
1/2   0050.da0b.8cb3  adminmorn   4094  PERMITTED   y|n|n    0
1/3   0050.da0b.8bef  reports     4094  PERMITTED   y|n|n    0
1/4   0010.5a1f.6a63  testgroup   4094  PERMITTED   y|n|n    0
1/5   0050.da1a.
Syntax: show dot1x mac-session brief [ | begin | exclude | include ]
The following table describes the information displayed by the show dot1x mac-session brief command.
TABLE 176 Output from the show dot1x mac-session brief command
This field...   Displays...
Port            Information about the users connected to each port.
FIGURE 139 Sample point-to-point 802.1x configuration
[Figure: RADIUS Server (Authentication Server) 192.168.9.22; BigIron Device (Authenticator) with ports e2/1, e2/2, e2/3 connected to Clients/Supplicants running 802.1X-compliant client software]
The following commands configure the BigIron RX in Figure 139.
Hub configuration
Figure 140 illustrates a configuration where three 802.1x-enabled Clients are connected to a hub, which is connected to a port on the BigIron RX device. The configuration is similar to that in Figure 139, except that 802.1x port security is enabled on only one port, and the multiple-hosts command is used to allow multiple Clients on the port.
FIGURE 140 Sample 802.1x configuration using a hub
[Figure: RADIUS Server (Authentication Server) 192.168.9.
802.1X Authentication with dynamic VLAN assignment
Figure 141 illustrates 802.1X authentication with dynamic VLAN assignment. In this configuration, two user PCs are connected to a hub, which is connected to port 2/1. Port 2/1 is configured as a dual-mode port. Both PCs transmit untagged traffic. The profile for User 1 on the RADIUS server specifies that User 1 PC should be dynamically assigned to VLAN 3.
!
interface ethernet 2/1
 dot1x port-control auto
If User 1 is successfully authenticated before User 2, the PVID for port 2/1 would be changed from the default VLAN to VLAN 3. Had User 2 been the first to be successfully authenticated, the PVID would be changed to 20, and User 1 would not be able to gain access to the network. If there were only one device connected to the port that was sending untagged traffic, and 802.
Chapter 35 Protecting Against Denial of Service Attacks
In this chapter
• Protecting against Smurf attacks
• Protecting against TCP SYN attacks
• Displaying statistics due to DoS attacks
• Clear DoS attack statistics
For each ICMP echo request packet sent by the attacker, a number of ICMP replies equal to the number of hosts on the intermediary network are sent to the victim. If the attacker generates a large volume of ICMP echo request packets, and the intermediary network contains a large number of hosts, the victim can be overwhelmed with ICMP replies.
The burst-max value, 1 – 100000, is specified as a number of packets. The lockup value can be from 1 – 10000 seconds. The number of incoming ICMP packets per second that match the condition specified in the ACL is measured and compared to the threshold values as follows:
• If the total traffic volume (in bits per second) of packets that match the condition specified in the ACL exceeds the burst-normal value, the excess packets are dropped.
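The threshold model above, as an added Python simulation (this is not Brocade code and does not reproduce the device's implementation): per-port counts of ACL-matching ICMP packets are compared with burst-normal and burst-max. Dropping the excess above burst-normal is what the text states; that exceeding burst-max blocks the port for the lockup period is an assumption drawn from the Port Block Count column in the show statistics dos-attack output below. The one-second counting window is a simplification; the port name 3/5 and the packet rates are constructed sample input.

```python
"""Constructed simulation of ICMP burst thresholds (added example, not Brocade code).

burst_normal: packets/second forwarded; anything above it in the same second is dropped.
burst_max:    packets/second that triggers a port block (assumption, see lead-in).
lockup:       seconds the port stays blocked once burst_max has been exceeded.
"""
from dataclasses import dataclass, field


@dataclass
class IcmpBurstGuard:
    burst_normal: int
    burst_max: int
    lockup: int
    seen: dict = field(default_factory=dict)           # port -> packets seen this second
    blocked_until: dict = field(default_factory=dict)  # port -> time the block expires
    stats: dict = field(default_factory=dict)          # port -> drop/pass/block counters

    def counters(self, port):
        return self.stats.setdefault(port, {"drop": 0, "pass": 0, "block": 0})

    def new_second(self):
        """The per-second packet counts start again (fixed one-second window)."""
        self.seen.clear()

    def icmp_packet(self, port, now):
        """Fate of one ACL-matching ICMP packet on `port` at integer time `now`.

        Returns "pass", "drop" (excess above burst-normal) or "blocked" (port locked up).
        """
        c = self.counters(port)
        if self.blocked_until.get(port, -1) > now:
            c["drop"] += 1
            return "blocked"
        n = self.seen.get(port, 0) + 1
        self.seen[port] = n
        if n > self.burst_max:
            # Assumption: crossing burst-max locks the port for `lockup` seconds.
            self.blocked_until[port] = now + self.lockup
            c["block"] += 1
            c["drop"] += 1
            return "blocked"
        if n > self.burst_normal:
            c["drop"] += 1
            return "drop"
        c["pass"] += 1
        return "pass"


def simulate(guard, packets_per_second, port="3/5"):
    """Offer packets_per_second[i] packets in second i; return per-second outcome counts."""
    timeline = []
    for sec, pps in enumerate(packets_per_second):
        guard.new_second()
        outcome = {"pass": 0, "drop": 0, "blocked": 0}
        for _ in range(pps):
            outcome[guard.icmp_packet(port, sec)] += 1
        timeline.append(outcome)
    return timeline


if __name__ == "__main__":
    g = IcmpBurstGuard(burst_normal=100, burst_max=500, lockup=2)
    for sec, out in enumerate(simulate(g, [50, 300, 600, 10, 10, 10])):
        print(sec, out)
    print(g.stats)
```

The stats dictionary mirrors the three columns of the show statistics dos-attack display, which is the quickest way to confirm that a configured threshold is actually doing work on a port: a growing Port Block Count with a small Packet Pass Count means legitimate ICMP is being locked out along with the flood, and burst-max or lockup should be revisited.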
In a TCP SYN attack, an attacker floods a host with TCP SYN packets that have random source IP addresses. For each of these TCP SYN packets, the destination host responds with a SYN ACK packet and adds information to the connection queue. However, since the source host does not exist, no ACK packet is sent back to the destination host, and an entry remains in the connection queue until it ages out (after around a minute).
Protecting against a blind TCP reset attack using the SYN bit

In a blind TCP reset attack, a perpetrator attempts to guess the SYN bits to prematurely terminate an active TCP session.
BigIron RX(config-if-e1000-3/5)# show statistics dos-attack
Collecting transit DOS attack statistic for port 3/5... Completed successfully.
------ DOS Attack Prevention Statistics ------
Port    Packet Drop Count    Packet Pass Count    Port Block Count
-----   ------------------   ------------------   ----------------
3/5     12479732             436372               232

The display shows the following.

TABLE 177 Output from the show statistics dos-attack
This field... Displays...
Chapter 36 Inspecting and Tracking DHCP Packets

In this chapter
• Tracking of DHCP assignments
• Dynamic ARP inspection
• DHCP snooping
• DHCP relay agent information (DHCP option 82)
• IP source guard
ARP attacks

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. Before a host can talk to another host, it must map the IP address to a MAC address first. If the host does not have the mapping in its ARP table, it sends an ARP request to resolve the mapping. All computers on the subnet will receive and process the ARP requests, and the host whose IP address matches the IP address in the request will send an ARP reply.
FIGURE 143 Dynamic ARP Inspection at work (an ARP packet arriving on an untrusted port is checked by DAI on the Brocade device against its ARP entries; ARP packets on trusted ports pass through)

DAI uses the IP/MAC mappings in the ARP table to validate ARP packets received on untrusted ports. ARP entries in the ARP table derive from the following:
• Dynamic ARP – normal ARP learned from trusted ports.
• Static ARP – statically configured IP/MAC/port mapping.
Configuring DAI

Configuring DAI consists of the following steps.
1. Configure inspection ARP entries for hosts on untrusted ports. Refer to “Configuring an inspection ARP entry” on page 1086.
2. Enable DAI on a VLAN to inspect ARP packets. Refer to “Enabling DAI on a VLAN” on page 1086.
3. Configure the trust settings of the VLAN members. ARP packets received on trusted ports bypass the DAI validation process.
Enabling trust on a port

The default trust setting for a port is untrusted. For ports that are connected to host ports, leave their trust settings as untrusted. To enable trust on a port, enter commands such as the following.
BigIron RX(config)#interface ethernet 1/4
BigIron RX(config-if-e10000-1/4)#arp inspection trust
The commands change the CLI to the interface configuration level of port 1/4 and set the trust setting of port 1/4 to trusted.
TABLE 179 show arp command
This field... Displays...
IP Address: The IP address of the device.
MAC Address: The MAC address of the device.
Age: The ARP Age, which can be one of the following:
• The number of minutes the entry has remained unused. If this value reaches the ARP aging period of 10 minutes, the entry is removed from the table.
• The Inspect Pending entries are never removed from the ARP Table and are displayed in seconds, not minutes.
How DHCP snooping works

When enabled on a VLAN, DHCP snooping stands between untrusted ports (those connected to host ports) and trusted ports (those connected to DHCP servers). A VLAN with DHCP snooping enabled forwards DHCP request packets from clients and discards DHCP server reply packets on untrusted ports, and it forwards DHCP server reply packets on trusted ports to DHCP clients, as shown in the following figures.
1. Enable DHCP snooping on a VLAN. Refer to “Enabling DHCP snooping on a VLAN” on page 1090.
2. For ports that are connected to a DHCP server, change their trust setting to trusted. Refer to “Enabling trust on a port” on page 1090.
The following shows the default settings of DHCP snooping.
FIGURE 146 DHCP option 82 is added to the packet (a DHCP client request packet enters the BigIron RX DHCP relay agent on an untrusted DHCP snooping port and is forwarded toward the DHCP Server on a trusted port with option 82 added)

FIGURE 147 DHCP Option 82 Is Removed from the Packet (a DHCP Server reply packet enters on a trusted port carrying option 82 and is forwarded toward the DHCP Client on an untrusted port with option 82 removed)

The option 82 insertion/deletion feature is available only when DHCP snooping i
Displaying DHCP snooping status and ports

To display the DHCP snooping status for a VLAN and the trusted or untrusted ports in the VLAN, enter the following command.
IP source guard

You can use IP Source Guard together with Dynamic ARP Inspection on untrusted ports. Refer to “DHCP snooping” on page 1088 and “Dynamic ARP inspection” on page 1083. IP source guard is used on client ports to prevent IP source address spoofing. Generally, IP source guard is used together with DHCP snooping and Dynamic ARP Inspection on untrusted ports. When IP source guard is first enabled, the client port allows only DHCP packets, and blocks all other IP traffic.
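How the three features divide the work on one access port, as an added Python model covering the DHCP snooping, Dynamic ARP Inspection and IP source guard passages above (this is not Brocade code). From the text: server replies are discarded on untrusted ports and forwarded on trusted ports; DAI validates ARP on untrusted ports against the device's IP/MAC mappings (dynamic entries learned on trusted ports, static and inspection entries) and lets trusted ports bypass; IP source guard lets only DHCP through until a client holds a valid address. The assumption added here is that a client's (IP, MAC, port) binding learned from a snooped DHCP ACK is what IP source guard permits and what DAI accepts in addition to the ARP table. Port names, MAC addresses and IP addresses are constructed.

```python
"""Toy access switch combining DHCP snooping, DAI and IP source guard.

Added example, not Brocade code. Port names, MACs and addresses are constructed.
Assumption: a client's (IP, MAC, port) binding learned from a snooped DHCP ACK
is what IP source guard permits and what DAI accepts besides the ARP table.
"""

DHCP_REQUESTS = {"DISCOVER", "REQUEST"}   # client -> server, accepted on any port
DHCP_REPLIES = {"OFFER", "ACK"}           # server -> client, trusted ports only


class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.arp_table = {}    # ip -> (mac, port): dynamic (trusted), static, inspection
        self.bindings = set()  # (ip, mac, port) learned from snooped DHCP ACKs
        self.client_port = {}  # client mac -> untrusted port its request came from
        self.log = []

    def add_inspection_entry(self, ip, mac, port):
        """Static or inspection ARP entry for a host on an untrusted port."""
        self.arp_table[ip] = (mac, port)

    # DHCP snooping: drop server replies that arrive on untrusted (host) ports.
    def dhcp(self, port, msg, client_mac, yiaddr=None):
        if msg in DHCP_REQUESTS:
            self.client_port[client_mac] = port
            return "forward"
        if msg in DHCP_REPLIES and port not in self.trusted:
            self.log.append(f"DHCP snooping drop: {msg} on untrusted port {port}")
            return "drop"
        if msg == "ACK" and client_mac in self.client_port:
            self.bindings.add((yiaddr, client_mac, self.client_port[client_mac]))
        return "forward"

    # Dynamic ARP inspection: trusted ports bypass and feed the ARP table;
    # untrusted ports must match a known IP/MAC/port mapping.
    def arp(self, port, sender_ip, sender_mac):
        if port in self.trusted:
            self.arp_table[sender_ip] = (sender_mac, port)
            return "forward"
        if self.arp_table.get(sender_ip) == (sender_mac, port):
            return "forward"
        if (sender_ip, sender_mac, port) in self.bindings:
            return "forward"
        self.log.append(f"DAI drop: {sender_ip} claimed by {sender_mac} on {port}")
        return "drop"

    # IP source guard: on untrusted ports only DHCP passes until the client
    # holds a binding that matches the packet's source IP, MAC and port.
    def ip(self, port, src_ip, src_mac, is_dhcp=False):
        if port in self.trusted or is_dhcp:
            return "forward"
        if (src_ip, src_mac, port) in self.bindings:
            return "forward"
        self.log.append(f"IPSG drop: {src_ip}/{src_mac} on {port}")
        return "drop"


def demo():
    """Constructed scenario: DHCP server on trusted 1/1, hosts A (1/2) and B (1/3)."""
    sw = AccessSwitch(trusted_ports={"1/1"})
    r = {}
    r["discover"] = sw.dhcp("1/2", "DISCOVER", "aa:aa:aa:00:00:01")
    r["rogue_offer"] = sw.dhcp("1/3", "OFFER", "aa:aa:aa:00:00:01", "10.0.0.99")
    r["offer"] = sw.dhcp("1/1", "OFFER", "aa:aa:aa:00:00:01", "10.0.0.5")
    sw.dhcp("1/2", "REQUEST", "aa:aa:aa:00:00:01")
    r["ack"] = sw.dhcp("1/1", "ACK", "aa:aa:aa:00:00:01", "10.0.0.5")
    r["arp_ok"] = sw.arp("1/2", "10.0.0.5", "aa:aa:aa:00:00:01")
    r["arp_spoof"] = sw.arp("1/3", "10.0.0.5", "bb:bb:bb:00:00:02")
    r["ip_ok"] = sw.ip("1/2", "10.0.0.5", "aa:aa:aa:00:00:01")
    r["ip_spoof"] = sw.ip("1/3", "10.0.0.5", "bb:bb:bb:00:00:02")
    r["ip_no_lease"] = sw.ip("1/3", "10.0.0.7", "bb:bb:bb:00:00:02")
    r["dhcp_no_lease"] = sw.ip("1/3", "0.0.0.0", "bb:bb:bb:00:00:02", is_dhcp=True)
    r["drops_logged"] = len(sw.log)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

The scenario shows why the text insists that host-facing ports stay untrusted: with port 1/3 untrusted, the OFFER injected from host B is dropped by snooping, B's ARP claim on A's address is dropped by DAI, and B's packets sourced from A's address or from an address it never leased are dropped by IP source guard, while B's own DHCP exchange still passes.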
BigIron RX#show ip source guard eth 5/20
IP source guard on ethernet 5/20: Enabled
Syntax: show ip source guard ethernet

1094 BigIron RX Series Configuration Guide 53-1002484-04
Chapter 37 Securing SNMP Access

In this chapter
• SNMP overview
• Establishing SNMP community strings
• Using the user-based security model
• Configuring your NMS
• Defining SNMP views
Encryption is enabled by default. You can disable encryption for individual strings or trap receivers if desired. See the next section for information about encryption.

Adding an SNMP community string

When you add a community string, you can specify whether the string is encrypted or clear. By default, the string is encrypted. To add an encrypted community string, enter commands such as the following.
The command in the first example indicates that ACL group 2 will filter incoming SNMP packets, whereas the command in the second example uses the ACL group called “myacl” to filter incoming packets. Refer to “Using ACLs to restrict SNMP access” on page 58 for more information.

Displaying the SNMP community strings

To display the configured community strings, enter the following command at any CLI level.
Configuring SNMP version 3 on the BigIron RX

To configure SNMP version 3 on the BigIron RX, do the following.
1. Enter an engine ID for the management module using the snmp-server engineid command if you will not use the default engine ID. Refer to “Defining the engine ID” on page 1098.
2. Create views that will be assigned to SNMP user groups using the snmp-server view command. Refer to “Defining SNMP views” on page 1103 for details.
3.
• Octets 6 through 11 form the MAC address of the lowest port in the management module.

NOTE The engine ID must be a unique number among the various SNMP engines in the management domain. Using the default engine ID ensures the uniqueness of the numbers.

Defining an SNMP group

SNMP groups map SNMP users to SNMP views. For each SNMP group, you can configure a read view, a write view, or both. Users who are mapped to a group will use its views for access control.
NOTE If you will be using a view other than the "all" view, that view must be configured before creating the user group. Refer to “Defining SNMP views” on page 1103, especially for details on the include | exclude parameters.

Defining an SNMP user account

The snmp-server user command does the following:
• Creates an SNMP user.
• Defines the group to which the user will be associated.
• Defines the type of authentication to be used for SNMP access by this user.
The encrypted parameter means that the MD5 or SHA password will be a digest value. MD5 has 16 octets in the digest. SHA has 20. The digest string has to be entered as a hexadecimal string. In this case, the agent need not generate any explicit digest. If the encrypted parameter is not used, the user is expected to enter the authentication password string for MD5 or SHA. The agent will convert the password string to a digest, as described in RFC 3414.
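The password-to-digest conversion referred to above, as an added Python example (not the BigIron RX implementation): RFC 3414 Appendix A.2 expands the password to 1,048,576 octets, hashes it with MD5 (16-octet digest) or SHA-1 (20-octet digest), and then localizes the result with the authoritative engine ID, which is why the engine ID has to be unique per agent. The check values are RFC 3414's own test vectors (password "maplesyrup", engine ID 000000000000000000000002); nothing here is taken from the device's configuration.

```python
"""RFC 3414 password-to-key conversion (added example, not the BigIron RX code)."""
import hashlib

EXPANSION_LENGTH = 1_048_576   # octets hashed when expanding the password (RFC 3414 A.2)


def password_to_ku(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated until 1,048,576 octets have been hashed)."""
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(algo)
    full, rem = divmod(EXPANSION_LENGTH, len(password))
    h.update(password * full + password[:rem])
    return h.digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): ties the key to one authoritative engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """What an agent derives when the 'encrypted' parameter is not used.

    algo is "md5" (16-octet result) or "sha1" (20-octet result).
    """
    return localize(password_to_ku(password.encode(), algo), engine_id, algo)


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 example engine ID
    for algo in ("md5", "sha1"):
        print(algo, localized_key("maplesyrup", engine, algo).hex())
```

Because the localized key depends on the engine ID, changing the engine ID with snmp-server engineid after users have been created means every NMS that stored a localized key for this agent has to derive it again; the hexadecimal digest accepted with the encrypted parameter is likewise only valid for the engine ID it was computed against.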
BigIron RX(config)# show snmp group
groupname = exceptifgrp
security model = v3
security level = authNoPriv
ACL id = 2
readview = exceptif
writeview =
Syntax: show snmp group

The value for security level can be one of the following.
Security level    Authentication
(blank)           If the security model shows v1 or v2, then security level is blank. User names are not used to authenticate users; community strings are used instead.
Varbind object identifier    Description
1.3.6.1.6.3.15.1.1.2.0       Not in time packet.
1.3.6.1.6.3.15.1.1.3.0       Unknown user name. This varbind may also be generated:
                             • If the configured ACL for this user filters out this packet.
                             • If the group associated with the user is unknown.
1.3.6.1.6.3.15.1.1.4.0       Unknown engine ID. The value of this varbind would be the correct authoritative engineID that should be used.
1.3.6.1.6.3.15.1.1.5.
“admin” view will allow access to the Brocade MIB objects that begin with the 1.3.6.1.4.1.1991 object identifier. Enter the following command.
BigIron RX(config)# snmp-server view admin 1.3.6.1.4.1.1991 included
You can exclude portions of the MIB within an inclusion scope. For example, if you want to exclude the snAgentSys objects, which begin with the 1.3.6.1.4.1.1991.1.1.2 object identifier, from the admin view, enter a second command such as the following.
Chapter 38 Enabling the Foundry Discovery Protocol (FDP) and Reading Cisco Discovery Protocol (CDP) Packets

In this chapter
• FDP overview 1105
• Using FDP 1105
• Reading CDP packets
Enabling FDP globally

To enable a Brocade device to globally send FDP packets, enter the following command at the global CONFIG level of the CLI.
BigIron RX(config)# fdp run
Syntax: [no] fdp run
The feature is disabled by default.

Enabling FDP at the interface level

You can enable FDP at the interface level by entering commands such as the following.
Displaying FDP information

You can display the following FDP information:
• FDP entries for Brocade neighbors
• Individual FDP entries
• FDP information for an interface on the device you are managing
• FDP packet statistics

NOTE If the BigIron RX has intercepted CDP updates, then the CDP information is also displayed.

Displaying neighbor information

To display a summary list of all the Brocade neighbors that have sent FDP updates to this device, enter the following command.
BigIron RXA# show fdp neighbor detail
Device ID: BigIronB configured as default VLAN1, tag-type8100
Entry address(es):
Platform: BigIron RX Router, Capabilities: Router
Interface: Eth 2/9
Port ID (outgoing port): Eth 2/9 is TAGGED in following VLAN(s): 9 10 11
Holdtime : 176 seconds
Version :
Brocade, Inc. Router, IronWare Version 02.6.01b1T53 Compiled on Aug 29 2002 at 10:35:21 labeled as B2R07601b1

The show fdp neighbor detail command displays the following information.
The * | parameter specifies the device ID. If you enter *, the detailed updates for all neighbor devices are displayed. If you enter a specific device ID, the update for that device is displayed. For information about the display, refer to Table 181 on page 1108.

Displaying FDP information for an interface

To display FDP information for an interface, enter a command such as the following.
Clearing FDP and CDP statistics

To clear FDP and CDP statistics, enter the following command.
BigIron RX# clear fdp counters
Syntax: clear fdp counters

Reading CDP packets

Cisco Discovery Protocol (CDP) packets are used by Cisco devices to advertise themselves to other Cisco devices. By default, a BigIron RX forwards these packets without examining their contents. You can configure a device to intercept and display the contents of CDP packets.
• CDP entries for all Cisco neighbors or a specific neighbor
• CDP packet statistics

Displaying neighbors

To display the Cisco neighbors the device has learned from CDP packets, enter the following command.
Displaying CDP entries

To display CDP entries for all neighbors, enter the following command.
BigIron RX# show fdp entry *
Device ID: Router
Entry address(es):
IP address: 207.95.6.143
Platform: cisco RSP4, Capabilities: Router
Interface: Eth 1/1, Port ID (outgoing port): FastEthernet5/0/0
Holdtime : 124 seconds
Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-JSV-M), Version 12.
BigIron RX# clear fdp table
Syntax: clear fdp table
To clear CDP statistics, enter the following command.
Chapter 39 Remote Network Monitoring

In this chapter
• Basic management 1115
• RMON support 1119

Basic management

This chapter describes the remote monitoring features available on Brocade products. The following sections contain procedures for basic system management tasks.
The output of the show interfaces command has been enhanced to display the following information:
• Port translation counter
• Last port state change
• Port translation counter for the last five minutes, one hour, 24 hours, and 30 days

NOTE The port translation counter values are cleared only after clearing the logs by using the clear logging command.

The show interfaces command output resembles the following example.
TABLE 182 Output parameters of show interfaces command (Continued)
This field... Displays...
Hardware is: The variable specifies a type of interface module, such as <#>Gigabit Ethernet.
Address is: The variable specifies the MAC address of the port.
Configured speed and actual speed: The speed that the module has been configured to operate at, and the actual speed it is currently operating at.
TABLE 182 Output parameters of show interfaces command (Continued)
This field... Displays...
packets input, bytes, no buffer:
Received broadcasts, multicasts, unicasts: The variable specifies the amount of traffic the interface module is receiving on broadcasts, multicasts, and unicast traffic.
TABLE 182 Output parameters of show interfaces command (Continued)
This field... Displays...
Last port state change at:
Statistics (RMON group 1)

Count information on multicast and broadcast packets, total packets sent, undersized and oversized packets, CRC alignment errors, jabbers, collisions, fragments and dropped events is collected for each port on a device. No configuration is required to activate collection of statistics for the device. This activity is by default automatically activated at system start-up.
TABLE 183 Export configuration and statistics (Continued)
This line... Displays...
Broadcast pkts: The total number of good packets received that were directed to the broadcast address. This number does not include multicast packets.
Multicast pkts: The total number of good packets received that were directed to a multicast address. This number does not include packets directed to the broadcast address.
TABLE 183 Export configuration and statistics (Continued)
This line... Displays...
256 to 511 octets pkts: The total number of packets received that were 256 – 511 octets long. This number includes bad packets. This number does not include framing bits but does include FCS octets. NOTE: Not supported in BigIron RX.
512 to 1023 octets pkts: The total number of packets received that were 512 – 1023 octets long. This number includes bad packets.
Alarm (RMON group 3)

Alarm is designed to monitor configured thresholds for any SNMP integer, time tick, gauge or counter MIB object. Using the CLI, you can define what MIB objects are monitored, the type of thresholds that are monitored (falling, rising or both), the value of those thresholds, and the sample type (absolute or delta). An alarm event is reported each time that a threshold is exceeded.
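The threshold logic described above, as an added Python evaluator (not Brocade code): a rising and a falling threshold applied to an absolute or a delta sample of a MIB object. The page only names the thresholds and sample types; the rule that a rising event is not reported again until the value has come back down to the falling threshold (and vice versa), and the choice of which event may fire on the first sample, follow the alarmTable definition in RFC 2819, which is what the RMON group 3 implementations the standard describes adhere to. The sample readings in the test are constructed.

```python
"""RMON alarm evaluator (added example, not Brocade code).

Semantics follow RFC 2819 alarmTable: absolute or delta samples, rising and
falling thresholds, a startup-alarm selection and rising/falling hysteresis.
"""


class RmonAlarm:
    def __init__(self, rising, falling, sample_type="absolute", startup="both"):
        if falling > rising:
            raise ValueError("fallingThreshold must not exceed risingThreshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if startup not in ("rising", "falling", "both"):
            raise ValueError("startup must be 'rising', 'falling' or 'both'")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.prev_raw = None      # last raw MIB reading (delta sampling only)
        self.prev_value = None    # last sampled value compared with the thresholds
        self.last_event = None    # "rising" or "falling": the hysteresis state

    def sample(self, raw):
        """Feed one MIB reading; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self.prev_raw is None:          # the first reading only primes the delta
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw
        first = self.prev_value is None
        event = None
        if value >= self.rising and self.last_event != "rising":
            # crossed from below, or first sample with a rising startup alarm
            crossed = self.startup in ("rising", "both") if first else self.prev_value < self.rising
            if crossed:
                event = "rising"
        elif value <= self.falling and self.last_event != "falling":
            crossed = self.startup in ("falling", "both") if first else self.prev_value > self.falling
            if crossed:
                event = "falling"
        if event:
            self.last_event = event
        self.prev_value = value
        return event


def run(alarm, readings):
    """Evaluate a list of readings; return the event (or None) for each one."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed readings of a gauge-style object with rising 80 and falling 20.
    print(run(RmonAlarm(80, 20), [10, 85, 90, 50, 85, 15, 85]))
    # Constructed counter readings; delta sampling compares the per-interval growth.
    print(run(RmonAlarm(100, 20, sample_type="delta"), [1000, 1050, 1200, 1210]))
```

The hysteresis is what keeps a value oscillating around the rising threshold from generating a storm of identical events; when tuning an alarm, set the falling threshold far enough below the rising one that normal jitter does not clear the condition.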
Chapter 40 Configuring sFlow

In this chapter
• sFlow overview 1125
• Displaying sFlow information 1133
• Clearing sFlow statistics
NOTE The device uses the router ID only if the device also has an IP interface with the same address.

NOTE If an IP address is not already configured when you enable sFlow, the feature uses the source address 0.0.0.0.

To display the agent_address, enable sFlow, then enter the show sflow command. Refer to “Enabling sFlow forwarding” on page 1129 and “Displaying sFlow information” on page 1133.
NOTE AS communities and local preferences are not included in the sampled packets. To obtain extended gateway information, use “struct extended_gateway” as described in RFC 3176.

Configuring and enabling sFlow

To configure sFlow:
• Specify collector information. The collector is the external device to which you are exporting the sFlow data. You can specify up to four collectors.
• Optional – Change the polling interval.
• Optional – Change the sampling rate.
The default polling interval is 20 seconds. You can change the interval to 1 or any higher value. The interval value applies to all interfaces on which sFlow is enabled. If you set the polling interval to 0, counter data sampling is disabled. To change the polling interval, enter a command such as the following at the global CONFIG level of the CLI.
Sampling rate for new ports

When you enable sFlow on a port, the port's sampling rate is set to the global default sampling rate. This also applies to ports on which you disable and then re-enable sFlow. The port does not retain the sampling rate it had when you disabled sFlow on the port, even if you had explicitly set the sampling rate on the port.
NOTE When you enable sFlow forwarding on an 802.1x-enabled interface, the samples taken from the interface include the username used to obtain access to the inbound or outbound ports, if that information is available. For information about 802.1x, refer to Chapter 34, “Configuring 802.1x Port Security”.

Enabling sFlow forwarding

To enable sFlow forwarding, enter commands such as the following.
ACL-based sFlow sample (which contains the Type 1 sample) is followed by an unencapsulated Tag Type 1 sFlow sample. That unencapsulated Tag Type 1 sFlow sample follows the sequence numbering of the first unencapsulated Tag Type 1 sFlow sample, which gives it a sequence number of 2. This is useful in cases where an sFlow collector does not recognize Tag Type 1991. In these situations, the Tag Type 1991 samples can be ignored without disrupting the sFlow sequence numbers.
• Port-based monitoring: Port-based monitoring and ACL-based sFlow can co-exist on the same interface.
• Port-based sFlow: Port and ACL-based sFlow can co-exist on the same interface. When both features are configured on an interface, packets that qualify as ACL-based sFlow packets are sent to the collector as ACL sample packets. Also, the user can configure ACL-based sFlow on an interface without configuring port-based sFlow.
Only inbound traffic is selected using sFlow. This applies to both standard sFlow and ACL-based sFlow.

NOTE The sampling rate is the average ratio of the number of packets incoming on an sFlow-enabled port to the number of flow samples taken from those packets. However, for ACL-based sFlow, every matching packet is sent to the CPU. Consequently, configured sampling rates do not affect ACL-based sFlow.
TABLE 184 sFlow information (Continued)
This field... Displays...
Configured default sampling rate: The configured global sampling rate. If you changed the global sampling rate, the value you entered is shown here. The actual rate calculated by the software based on the value you entered is listed on the next line, “Actual default sampling rate”.
UDP packets exported: The number of sFlow export packets the device has sent.
Clearing sFlow statistics

To clear the UDP packet and sFlow sample counters in the show sflow display, enter the following command.
BigIron RX(config)# clear statistics
Syntax: clear statistics
This command clears the values in the following fields of the show sflow display:
• UDP packets exported
• sFlow samples collected

NOTE This command also clears the statistics counters used by other features.
Chapter 41 Multiple Spanning Tree Protocol (MSTP) 802.1s

In this chapter
• 802.1s Multiple Spanning Tree Protocol 1137

802.1s Multiple Spanning Tree Protocol

Multiple Spanning Tree Protocol (MSTP) as defined in IEEE 802.1s allows you to configure multiple STP instances. This allows several VLANs to be mapped to a reduced number of spanning-tree instances, which ensures a loop-free topology for one or more VLANs that share the same Layer 2 topology.
Syntax: [no] mstp instance [ vlan | vlan-group ]
The instance parameter defines the number for the instance of MSTP that you are configuring. The vlan parameter assigns one or more VLANs or a range of VLANs to the instance defined in this command. The vlan-group parameter assigns one or more VLAN groups to the instance defined in this command.
Syntax: [no] mstp force-version forward-delay hello-time max-age max-hops
The force-version parameter forces the bridge to send BPDUs in a specific format. You can specify one of the following values:
• 0 – The STP compatibility mode. Only STP BPDUs will be sent. This is equivalent to single STP.
• 2 – The RSTP compatibility mode. Only RSTP BPDUs will be sent. This is equivalent to single STP.
Syntax: [no] mstp disable ethernet
The variable specifies the location of the port that you want to disable MSTP for.

Forcing ports to transmit an MSTP BPDU

To force a port to transmit an MSTP BPDU, use a command such as the following at the Global Configuration level.
TABLE 185 Output from Show MSTP (Continued)
This field... Displays...
ExtPath Cost: The configured path cost on a link connected to this port to an external MSTP region.
Regional Root Bridge: The MAC address of the Root Bridge for the local region.
IntPath Cost: The configured path cost on a link connected to this port within the internal MSTP region.
The ethernet parameter displays the MSTP protocol information for the specified Ethernet interface.

TABLE 186 CLI display of MSTP information for the specified Ethernet interface
This field... Displays...
The MSTP protocol information for the specified ethernet interface.
Chapter 42 Configuring IP Multicast Traffic Reduction

In this chapter
• IP multicast traffic reduction overview
• Enabling IP multicast traffic reduction
• PIM SM traffic snooping
• Displaying IP multicast information
NOTE IP multicast traffic reduction and PIM SM Traffic Snooping are available on the BigIron RX.

Enabling IP multicast traffic reduction

By default, the BigIron RX forwards all IP multicast traffic out all ports except the port on which the traffic was received. To reduce multicast traffic through the device, you can enable IP Multicast Traffic Reduction.
NOTE If the route-only feature is enabled on the device, then IP Multicast Traffic Reduction will not be supported. Also, this feature is not supported on the default VLAN of the BigIron RX.

To verify that IP Multicast Traffic Reduction is enabled, enter the following command at any level of the CLI.
BigIron RX(config)# vlan 2
BigIron RX(config-vlan-2)# multicast passive
To remove multicast traffic reduction configurations in VLAN 2, and take the global multicast traffic reduction configuration, enter the following command.
BigIron RX(config)# vlan 2
BigIron RX(config-vlan-2)# no multicast
Syntax: [no] multicast active | passive
When you enable IP multicast for a specific VLAN instance, IGMP snooping is enabled.
Filtering multicast groups

By default, the BigIron RX forwards multicast traffic for all valid multicast groups. You can configure a device to filter out all multicast traffic for groups other than the ones for which the device has received Group Membership reports. When the device starts up, it forwards all multicast groups even though multicast traffic filters are configured. This process continues until the device receives a group membership report.
Configuring a multicast static group uplink per VLAN

When the multicast static-group uplink command is enabled on a snooping VLAN, the snooping device behaves like an IGMP host on ports connected to the multicast router. The snooping device will respond to IGMP queries from the uplink multicast PIM router for the groups and sources configured.
To configure the physical interface ethernet 3/4 to statically join a multicast stream with source address 10.43.1.12 in the include mode, enter commands such as the following.
BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 include 10.43.1.12 ethernet 3/4
To configure the physical interface ethernet 3/4 to statically join all multicast streams on the uplink interface excluding the stream with source address 10.43.1.
PIM SM traffic snooping requires IP multicast traffic reduction to be enabled on the device. IP multicast traffic reduction configures the device to listen for IGMP messages. PIM SM traffic snooping provides a finer level of multicast traffic control by configuring the device to listen specifically for PIM SM join and prune messages sent from one PIM SM router to another through the device.

NOTE This feature applies only to PIM SM version 2 (PIM V2).
The IP multicast traffic reduction feature and the PIM SM traffic snooping feature together build a list of groups and forwarding ports for the VLAN. The list includes PIM SM groups learned through join messages as well as MAC addresses learned through IGMP group membership reports. In this case, even though the device never sees a join message for the receiver for group 239.255.162.69, the device nonetheless learns about the receiver and forwards group traffic to the receiver.
NOTE Use the passive mode of IP multicast traffic reduction instead of the active mode. The passive mode assumes that a router is sending group membership queries as well as join and prune messages on behalf of receivers. The active mode configures the device to send group membership queries.

• All the device ports connected to the source and receivers or routers must be in the same port-based VLAN.
To disable the feature, enter the following command.
BigIron RX(config)# no ip pimsm-snooping
If you also want to disable IP multicast traffic reduction, enter the following command.
BigIron RX(config)# no ip multicast

Multicast traffic reduction per VLAN

You can configure specified VLAN instances for multicast traffic reduction by the methods described in the following sections.
BigIron RX(config)# show ip multicast
IP multicast is enabled - Passive
IP pimsm snooping is enabled
VLAN ID 23
Active 10.10.10.10 Report ports: 1/1 7/1
Report FID 0X0400
Number of Multicast Groups: 2
1 Group: 225.1.0.291
IGMP report ports :
Mapped mac address : 0100.5e01.001d Fid:0x041b
PIMv2*G join ports : 1/1
2 Group: 225.1.0.24
IGMP report ports : 4/48
Mapped mac address : 0100.5e01.
Reports Received: 34
Leaves Received: 21
General Queries Received: 60
Group Specific Queries Received: 2
Others Received: 0
General Queries Sent: 0
Group Specific Queries Sent: 0
VLAN ID 2
Reports Received: 0
Leaves Received: 0
General Queries Received: 60
Group Specific Queries Received: 2
Others Received: 0
General Queries Sent: 0
Group Specific Queries Sent: 0

The command in this example shows statistics for two port-based VLANs.
To clear the learned IGMP flows for a specific IP multicast group, enter a command such as the following.
BigIron RX# clear ip multicast group 239.255.162.5
The following example shows how to clear the IGMP flows for a specific group and retain reports for other groups.
BigIron RX# show ip multicast
IP multicast is enabled - Active
VLAN ID 1
Active 192.168.2.30 Router Ports 4/13
Multicast Group: 239.255.162.5, Port: 4/4 4/13
Multicast Group: 239.255.162.
Chapter 43
IPv6 Addressing

In this chapter
• IPv6 addressing overview . . . . 1165
• IPv6 addressing . . . . 1165
• IPv6 stateless autoconfiguration . . . . 1168

IPv6 addressing overview
This chapter includes overview information about the following topics:
• IPv6 addressing.
• Compress the successive groups of zeros at the beginning, middle, or end of an IPv6 address to two colons (::) once per address; for example, 2001::200:2D:D0FF:FE48:4672.

When specifying an IPv6 address in a command syntax, keep the following in mind:
• You can use the two colons (::) once in the address to represent the longest successive hexadecimal fields of zeros.
• The hexadecimal letters in the IPv6 addresses are not case-sensitive.
TABLE 187  IPv6 address types

Address type: Unicast
Description: An address for a single interface. A packet sent to a unicast address is delivered to the interface identified by the address.
Address structure: Depends on the type of the unicast address:
• Aggregatable global address—An address equivalent to a global or public IPv4 address.
IPv6 stateless autoconfiguration
Brocade routers use the IPv6 stateless autoconfiguration feature to enable a host on a local link to automatically configure its interfaces with new and globally unique IPv6 addresses associated with its location. The automatic configuration of a host interface is performed without the use of a server, such as a Dynamic Host Configuration Protocol (DHCP) server, or manual configuration.
Chapter 44
Configuring Basic IPv6 Connectivity

In this chapter
• IPv6 connectivity overview . . . . 1169
• Enabling IPv6 routing . . . . 1170
• Configuring IPv6 on each router interface . . . . 1170
• Configuring the management port for an IPv6 automatic address configuration . . . . 1173
• IPv6 host support . . . .
• Configure the IPv6 neighbor discovery feature.
• Change the IPv6 MTU.
• Configure an unnumbered interface.
• Configure static neighbor entries.
• Limit the hop count of an IPv6 packet.
• Configure Quality of Service (QoS) for IPv6 traffic.

Enabling IPv6 routing
By default, IPv6 routing is disabled. To enable the forwarding of IPv6 traffic globally on the router, enter the following command.
Additionally, the configured interface automatically joins the following required multicast groups for that link:
• Solicited-node multicast group FF02:0:0:0:0:1:FF00::/104 for each unicast address assigned to the interface.
• All-nodes link-local multicast group FF02::1
• All-routers link-local multicast group FF02::2

The neighbor discovery feature sends messages to these multicast groups.
Configuring a link-local IPv6 address
To explicitly enable IPv6 on a router interface without configuring a global or site-local address for the interface, enter commands such as the following.

BigIron RX(config)# interface ethernet 3/1
BigIron RX(config-if-e100-3/1)# ipv6 enable

These commands enable IPv6 on Ethernet interface 3/1 and specify that the interface is assigned an automatically computed link-local address.
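The address rules stated above (one "::" per address, case-insensitive hex digits), the fixed FE80::/64 link-local prefix, the automatically computed link-local address, and the solicited-node and all-nodes/all-routers groups listed under the previous heading can all be checked with a few lines of Python. The following is an added example, not code from the guide or from Brocade: the helper names (expand_ipv6, eui64_link_local, solicited_node, required_multicast_groups) are this example's own, the sample MAC address is constructed, and the EUI-64 derivation follows RFC 4291 because the guide does not show how the BigIron RX computes its interface ID.

```python
import ipaddress
import re

HEX_GROUP = re.compile(r"[0-9a-f]{1,4}")


def expand_ipv6(addr):
    """Expand a textual IPv6 address to eight 4-digit groups.

    Applies the two rules from the guide: '::' stands in for one run of
    zero groups and may appear only once, and hex digits are case-insensitive.
    """
    addr = addr.strip().lower()
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group: %r" % addr)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.fullmatch(g) for g in groups):
        raise ValueError("malformed IPv6 address: %r" % addr)
    return ":".join(g.zfill(4) for g in groups)


def is_valid_ipv6(addr):
    """True when addr satisfies the rules enforced by expand_ipv6."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def compress_ipv6(addr):
    """Canonical compressed form: longest zero run becomes '::', lowercase hex."""
    return str(ipaddress.IPv6Address(expand_ipv6(addr)))


def is_link_local(addr):
    """True for addresses inside the fixed link-local prefix FE80::/64."""
    return expand_ipv6(addr).startswith("fe80:0000:0000:0000:")


def eui64_link_local(mac):
    """Link-local address with an automatically computed EUI-64 interface ID.

    Accepts 'xx:xx:xx:xx:xx:xx', 'xx-xx-xx-xx-xx-xx' or dotted 'xxxx.xxxx.xxxx'.
    Per RFC 4291 the MAC gets ff:fe inserted in the middle and the
    universal/local bit (bit 1 of the first octet) inverted (assumed method).
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("MAC address must contain 12 hex digits: %r" % mac)
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def solicited_node(addr):
    """Solicited-node group: FF02:0:0:0:0:1:FF00::/104 plus the low 24 bits of addr."""
    packed = ipaddress.IPv6Address(expand_ipv6(addr)).packed
    group = b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + packed[13:]
    return str(ipaddress.IPv6Address(group))


def required_multicast_groups(unicast_addrs, router=True):
    """Groups an IPv6-enabled interface joins on its link, per the guide's list."""
    groups = {"ff02::1"}                 # all-nodes
    if router:
        groups.add("ff02::2")            # all-routers
    groups.update(solicited_node(a) for a in unicast_addrs)
    return groups


if __name__ == "__main__":
    # Constructed sample MAC; the global address is the one quoted in the guide.
    link_local = eui64_link_local("0000.5e01.001d")
    print(link_local, compress_ipv6("2001::200:2D:D0FF:FE48:4672"))
    print(sorted(required_multicast_groups([link_local, "2001::200:2D:D0FF:FE48:4672"])))
```

The expander deliberately enforces the "once per address" rule itself instead of delegating to ipaddress, so that an operator-entered string is rejected for the same reason the CLI would reject it; ipaddress is used only to produce the canonical compressed spelling and to pack bytes.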
Configuring the management port for an IPv6 automatic address configuration
You can have the management port configured to automatically obtain an IPv6 address. This process is the same as for any other port and is described in detail in “Configuring a global or site-local IPv6 address with an automatically computed EUI-64 interface ID” on page 1171.

IPv6 host support
You can configure the device to be an IPv6 host.
Syntax: web access-group ipv6

where is a valid IPv6 ACL.

Restricting web management access to an IPv6 host
You can restrict Web management access to the device to the IPv6 host whose IP address you specify. No other device except the one with the specified IPv6 address can access the Brocade device’s Web management interface. For example.
The process for defining the system-wide interface for IPv6 is described in the following sections:
• “Configuring a global or site-local IPv6 address with a manually configured interface ID as the switch’s system-wide address” on page 1175
• “Configuring a global or site-local IPv6 address with an automatically computed EUI-64 interface ID as the switch’s system-wide address” on page 1175
• Refer to the “Configuring a Link-Loc
Configuring a link-local IPv6 address as the switch’s system-wide address
To enable IPv6 and automatically configure a global interface, enter commands such as the following.

BigIron RX(config)# ipv6 enable

This command enables IPv6 on the switch and specifies that the interface is assigned an automatically computed link-local address.
You can specify the parameter in either dotted decimal notation or as a decimal value preceded by a slash mark (/). The secondary keyword specifies that the configured address is a secondary IPv4 address. To remove the IPv4 address from the interface, enter the no form of this command.

Syntax: ipv6 address / [eui-64]

This syntax specifies a global or site-local IPv6 address.
In this example, the first IP address in the ip dns server-address... command becomes the primary gateway address and all others are secondary addresses. Because IP address 201.98.7.15 is the last address listed, it is also the last address consulted to resolve a query.

Defining an IPv6 DNS entry
IPv6 defines new DNS record types to resolve queries for domain names to IPv6 addresses, as well as IPv6 addresses to domain names.
Brocade devices support the following ECMP load-sharing methods for IPv6 traffic:
• Network-based – The Brocade device distributes traffic across equal-cost paths based on destination network address. The software selects a path based on a calculation involving the maximum number of load-sharing paths allowed and the actual number of paths to the destination network. This is the default ECMP load-sharing method for IPv6.
Syntax: [no] ipv6 load-sharing [ | default-route]

This command enables host-based ECMP load sharing on the device. The command also disables network-based ECMP load sharing at the same time.

DHCP relay agent for IPv6
A client locates a DHCP server using a reserved, link-scoped multicast address. For this reason, direct communication between the client and the server requires that they be attached to the same link.
Enabling support for network-based ECMP load sharing for IPv6
Network-based ECMP load sharing is supported. If this configuration is selected, traffic is distributed across equal-cost paths based on the destination network address. Routes to each network are stored in CAM and accessed when a path to a network is required. Because multiple hosts are likely to reside on a network, this method uses fewer CAM entries than load sharing by host.
Configuring IPv6 ICMP
As with the Internet Control Message Protocol (ICMP) for IPv4, ICMP for IPv6 provides error and informational messages. Brocade’s implementation of the stateless autoconfiguration, neighbor discovery, and path MTU discovery features uses ICMP messages. This section explains how to configure the following IPv6 ICMP features:
• ICMP rate limiting.
• ICMP redirects.
Disabling or reenabling ICMP redirect messages
You can disable or re-enable the sending of ICMP redirect messages by a router. By default, a router can send an ICMP redirect message to a neighboring host to inform it of a better first-hop router on a path to a destination. No further configuration is required to enable the sending of ICMP redirect messages.
• Amount of time during which an IPv6 node considers a remote node reachable (for use by all nodes on a given link).

Neighbor solicitation and advertisement messages
Neighbor solicitation and advertisement messages enable a node to determine the link-layer address of another node (neighbor) on the same link. (This function is similar to the function provided by the Address Resolution Protocol [ARP] in IPv4.)
Because a host at system startup typically does not have a unicast IPv6 address, the source address in the router solicitation message is usually the unspecified IPv6 address (0:0:0:0:0:0:0:0). If the host has a unicast IPv6 address, the source address is the unicast IPv6 address of the host interface sending the router solicitation message.
BigIron RX(config)# interface ethernet 3/1
BigIron RX(config-if-e100-3/1)# ipv6 nd dad attempt 2
BigIron RX(config-if-e100-3/1)# ipv6 nd ns-interval 9

Syntax: [no] ipv6 nd dad attempt

Syntax: [no] ipv6 nd ns-interval

For the number of neighbor solicitation messages, you can specify any number of attempts. Configuring a value of 0 disables duplicate address detection processing on the specified interface.
• Valid lifetime—(Mandatory) The time interval (in seconds) in which the specified prefix is advertised as valid. The default is 2592000 seconds (30 days). When the timer expires, the prefix is no longer considered to be valid.
• Preferred lifetime—(Mandatory) The time interval (in seconds) in which the specified prefix is advertised as preferred. The default is 604800 seconds (7 days). When the timer expires, the prefix is no longer considered to be preferred.
NOTE
When determining if hosts can use stateful autoconfiguration to get non-IPv6-address information, a set Managed Address Configuration flag overrides an unset Other Stateful Configuration flag. In this situation, the hosts can obtain nonaddress information. However, if the Managed Address Configuration flag is not set and the Other Stateful Configuration flag is set, then the setting of the Other Stateful Configuration flag is used.
Brocade does not recommend configuring a short reachable time duration, because a short duration causes the IPv6 network devices to process the information at a greater frequency.

For example, to configure the reachable time of 40 seconds for Ethernet interface 3/1, enter the following commands.
Configuring static neighbor entries
In some special cases, a neighbor cannot be reached using the neighbor discovery feature. In this situation, you can add a static entry to the IPv6 neighbor discovery cache, which causes a neighbor to be reachable at all times without using neighbor discovery. (A static entry in the IPv6 neighbor discovery cache functions like a static ARP entry in IPv4.)
To enable QoS for IPv6 traffic, enter the following commands.

BigIron RX(config)# port-priority
BigIron RX(config)# write memory
BigIron RX(config)# end
BigIron RX# reload

Syntax: [no] port-priority

NOTE
You must save the configuration and reload the software to place the change into effect. This applies whether you are enabling QoS for IPv6 or IPv4 traffic.

The port-priority command globally enables QoS for IPv6 traffic on all interfaces.
You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.

The ethernet | tunnel | ve parameter specifies the interfaces for which you can remove cache entries. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VE or tunnel interface, also specify the VE or tunnel number, respectively.
Clearing IPv6 traffic statistics
To clear all IPv6 traffic statistics (reset all fields to zero), enter the following command at the Privileged EXEC level or any of the Config levels of the CLI.

BigIron RX(config)# clear ipv6 traffic

Syntax: clear ipv6 traffic

Displaying global IPv6 information
You can display output for the following global IPv6 parameters:
• IPv6 cache.
• IPv6 interfaces.
• IPv6 neighbors.
• IPv6 route table.
• Local IPv6 routers.
The / parameter restricts the display to the entries for the specified IPv6 prefix. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value. A slash mark (/) must follow the parameter and precede the parameter.
TABLE 189  General IPv6 interface information fields

This field...  Displays...
Routing protocols: A one-letter code that represents a routing protocol that can be enabled on an interface.
Interface: The interface type, and the port number or number of the interface.
Status: The status of the interface. The entry in the Status field will be either “up/up” or “down/down”.
Routing: The routing protocols enabled on the interface.
TABLE 190  Detailed IPv6 interface information fields (Continued)

This field...  Displays...
MTU: The setting of the maximum transmission unit (MTU) configured for the IPv6 interface. The MTU is the maximum length an IPv6 packet can have to be transmitted on the interface. If an IPv6 packet is longer than an MTU, the host that originated the packet fragments the packet and transmits its contents in multiple packets that are shorter than the configured MTU.
TABLE 191  IPv6 neighbor information fields (Continued)

This field...  Displays...
Link-Layer Address: The 48-bit interface ID of the neighbor.
State: The current state of the neighbor. Possible states are as follows:
• INCOMPLETE – Address resolution of the entry is being performed.
• REACH – The forward path to the neighbor is functioning properly.
• STALE – This entry has remained unused for the maximum interval.
The isis keyword restricts the display to entries for IPv6 IS-IS routes.

The ospf keyword restricts the display to entries for OSPFv3 routes.

The rip keyword restricts the display to entries for RIPng routes.

The static keyword restricts the display to entries for static IPv6 routes.

The summary keyword displays a summary of the prefixes and different route types.

The following table lists the information displayed by the show ipv6 route command.
From the IPv6 host, you can display information about IPv6 routers to which the host is connected. The host learns about the routers through their router advertisement messages. To display information about the IPv6 routers connected to an IPv6 host, enter the following command at any CLI level.
• Detailed information about a specified TCP connection.

To display general information about each TCP connection on the router, enter the following command at any CLI level.

BigIron RX# show ipv6 tcp
Local IP address:port    <->  Remote IP address:port
192.168.182.110:23       <->  192.168.8.186:4933
192.168.182.110:8218     <->  192.168.182.106:179
192.168.182.110:8039     <->  192.168.2.119:179
192.168.182.110:8159     <->  192.168.2.
2000:4::110:179          <->
Total 5 TCP connections
TABLE 195  General IPv6 TCP connection fields (Continued)

This field...  Displays...
TCP state: The state of the TCP connection. Possible states include the following:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
BigIron RX# show ipv6 tcp status 2000:4::110 179 2000:4::106 8222
TCP: TCB = 0x217fc300
TCP: 2000:4::110:179 <-> 2000:4::106:8222: state: ESTABLISHED Port: 1
Send: initial sequence number = 242365900
Send: first unacknowledged sequence number = 242434080
Send: current send pointer = 242434080
Send: next sequence number to send = 242434080
Send: remote received window = 16384
Send: total unacknowledged sequence number = 0
Send: total used buffers 0
Receive: initial inc
TABLE 196  Specific IPv6 TCP connection fields (Continued)

This field...  Displays...
Send: total unacknowledged sequence number =: The total number of unacknowledged sequence numbers sent by the local router.
Send: total used buffers: The total number of buffers used by the local router in setting up the TCP connection.
Receive: initial incoming sequence number =: The initial incoming sequence number received by the local router.
BigIron RX# show ipv6 traffic
IP6 Statistics
36947 received, 66818 sent, 0 forwarded, 36867 delivered, 0 rawout
0 bad vers, 23 bad scope, 0 bad options, 0 too many hdr
0 no route, 0 can't forward, 0 redirect sent
0 frag recv, 0 frag dropped, 0 frag timeout, 0 frag overflow
0 reassembled, 0 fragmented, 0 ofragments, 0 can't frag
0 too short, 0 too small, 11 not member
0 no buffer, 66819 allocated, 21769 freed
0 forward cache hit, 46 forward cache miss
ICMP6 Statistics
TABLE 197  IPv6 traffic statistics fields (Continued)

This field...  Displays...
bad options: The number of IPv6 packets dropped by the router because of bad options.
too many hdr: The number of IPv6 packets dropped by the router because the packets had too many headers.
no route: The number of IPv6 packets dropped by the router because there was no route.
can’t forward: The number of IPv6 packets the router could not forward to another router.

TABLE 197  IPv6 traffic statistics fields (Continued)

This field...  Displays...
nei soli: The number of Neighbor Solicitation messages sent or received by the router.
nei adv: The number of Router Advertisement messages sent or received by the router.
redirect: The number of redirect messages sent or received by the router.
Applies to received only
bad code: The number of Bad Code messages received by the router.

TABLE 197  IPv6 traffic statistics fields (Continued)

This field...  Displays...
active opens: The number of TCP connections opened by the router by sending a TCP SYN to another device.
passive opens: The number of TCP connections opened by the router in response to connection requests (TCP SYNs) received from other devices.
failed attempts: This information is used by Brocade Technical Support.
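When these counters are used for monitoring, what matters is the change between two show ipv6 traffic snapshots rather than the raw totals: a bad scope, bad options or no route count that keeps climbing is what points at malformed or misdirected IPv6 traffic on the device. The following Python is an added example, not code from the guide or from Brocade. It parses the IP6 Statistics block in the layout printed above and reports which error counters increased between two captures. Both snapshots are constructed (the first copies the figures shown in the guide, the second is invented), and the parser, the list of watched counters and the threshold parameter are this example's own assumptions.

```python
import re

# Constructed snapshots in the layout of the guide's "show ipv6 traffic" output.
SNAPSHOT_T0 = """\
IP6 Statistics
36947 received, 66818 sent, 0 forwarded, 36867 delivered, 0 rawout
0 bad vers, 23 bad scope, 0 bad options, 0 too many hdr
0 no route, 0 can't forward, 0 redirect sent
0 frag recv, 0 frag dropped, 0 frag timeout, 0 frag overflow
0 reassembled, 0 fragmented, 0 ofragments, 0 can't frag
0 too short, 0 too small, 11 not member
0 no buffer, 66819 allocated, 21769 freed
0 forward cache hit, 46 forward cache miss
ICMP6 Statistics
"""

# Invented second capture: some error counters have moved.
SNAPSHOT_T1 = """\
IP6 Statistics
37412 received, 67205 sent, 0 forwarded, 37290 delivered, 0 rawout
0 bad vers, 71 bad scope, 4 bad options, 0 too many hdr
12 no route, 0 can't forward, 0 redirect sent
0 frag recv, 0 frag dropped, 0 frag timeout, 0 frag overflow
0 reassembled, 0 fragmented, 0 ofragments, 0 can't frag
0 too short, 0 too small, 11 not member
0 no buffer, 67206 allocated, 21900 freed
0 forward cache hit, 52 forward cache miss
ICMP6 Statistics
"""

# Each line is a comma-separated list of "<count> <label>" pairs.
COUNTER = re.compile(r"(\d+)\s+([^,]+?)\s*(?:,|$)")

# Counters whose growth indicates malformed or undeliverable IPv6 traffic
# (selection is this example's own; see Table 197 for the meanings).
WATCHED = ("bad vers", "bad scope", "bad options", "too many hdr",
           "no route", "too short", "too small", "not member")


def parse_ipv6_traffic(text):
    """Return {label: count} for the IP6 Statistics section only."""
    counters = {}
    in_ip6 = False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Statistics"):        # section header, e.g. "ICMP6 Statistics"
            in_ip6 = line.startswith("IP6")
            continue
        if not in_ip6 or not line:
            continue
        for value, label in COUNTER.findall(line):
            counters[label] = int(value)
    return counters


def counter_deltas(before, after):
    """Per-counter increase between two parsed snapshots."""
    return {label: after[label] - before.get(label, 0) for label in after}


def anomalies(before, after, threshold=0):
    """Watched counters that grew by more than threshold between the snapshots."""
    deltas = counter_deltas(before, after)
    return {label: deltas[label] for label in WATCHED
            if deltas.get(label, 0) > threshold}


if __name__ == "__main__":
    t0, t1 = parse_ipv6_traffic(SNAPSHOT_T0), parse_ipv6_traffic(SNAPSHOT_T1)
    for label, growth in anomalies(t0, t1).items():
        print("%-14s +%d" % (label, growth))
```

Feeding the parser the text captured by a scheduled CLI session and keeping the previous parse on disk is enough to turn this into a simple poller; the clear ipv6 traffic command described earlier resets the totals, so a negative delta means the counters were cleared between captures.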
Chapter 45
Configuring RIPng

In this chapter
• RIPng overview
• Configuring RIPng
• Clearing RIPng routes from IPv6 route table
• Displaying RIPng information
• Configure poison reverse parameters

Enabling RIPng
Before configuring the Brocade device to run RIPng, you must do the following:
• Enable the forwarding of IPv6 traffic on the Brocade device using the ipv6 unicast-routing command.
• Enable IPv6 on each interface over which you plan to enable RIPng. You enable IPv6 on an interface by configuring an IPv6 address or explicitly enabling IPv6 on that interface.
TABLE 198  RIPng timers (Continued)

Timer  Description  Default
Hold-down: Amount of time (in seconds) during which information about other paths is ignored. Default: 180 seconds.
Garbage-collection: Amount of time (in seconds) after which a route is removed from the routing table. Default: 120 seconds.

You can adjust these timers for RIPng.
Configuring default route learning and advertising
By default, the Brocade device does not learn IPv6 default routes (::/0). You can originate default routes into RIPng, which causes individual router interfaces to include the default routes in their updates.
Changing the metric of routes learned and advertised on an interface
A router interface increases the metric of an incoming RIPng route it learns by an offset (the default is one). The Brocade device then places the route in the route table. When the Brocade device sends an update, it advertises the route with the metric plus the default offset of zero in an outgoing update message.
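The two offsets described here (one added when a route is learned, zero added when it is advertised) and the hold-down and garbage-collection defaults from Table 198 can be put together in a small model of a RIPng route table. The following Python is an added example, not Brocade code: RipngRib, RipngRoute and the other names are this example's own. Because the guide excerpt does not spell out the timer sequence, the model assumes that a route not refreshed within the hold-down interval is advertised as unreachable (metric 16) while other paths to it are ignored, and that the garbage-collection interval then runs before the route is removed; the prefixes and neighbor addresses used in the demonstration are constructed.

```python
from dataclasses import dataclass, field

RIPNG_INFINITY = 16            # a metric of 16 means "unreachable" in RIPng
HOLD_DOWN = 180                # Table 198 default, seconds
GARBAGE_COLLECTION = 120       # Table 198 default, seconds


@dataclass
class RipngRoute:
    prefix: str
    next_hop: str
    interface: str
    metric: int
    updated_at: float          # time of the last update that refreshed the route


@dataclass
class RipngRib:
    """Toy RIPng route table (example code, not the BigIron RX implementation)."""
    offset_in: int = 1         # added to a learned metric (guide default: one)
    offset_out: int = 0        # added to an advertised metric (guide default: zero)
    routes: dict = field(default_factory=dict)

    def state(self, prefix, now):
        """'valid' while refreshed, then 'hold-down', then 'expired' (assumed order)."""
        age = now - self.routes[prefix].updated_at
        if age < HOLD_DOWN:
            return "valid"
        if age < HOLD_DOWN + GARBAGE_COLLECTION:
            return "hold-down"
        return "expired"

    def receive(self, prefix, next_hop, interface, metric, now):
        """Process one prefix from an incoming update; returns the table entry or None."""
        metric = min(metric + self.offset_in, RIPNG_INFINITY)
        current = self.routes.get(prefix)
        if current is None:
            if metric >= RIPNG_INFINITY:
                return None                      # unreachable and unknown: nothing to install
            current = RipngRoute(prefix, next_hop, interface, metric, now)
            self.routes[prefix] = current
            return current
        if current.next_hop == next_hop:
            # The neighbor we learned it from refreshes it, even with a worse metric.
            current.metric, current.updated_at = metric, now
            return current
        if self.state(prefix, now) == "hold-down":
            return current                       # hold-down: other paths are ignored
        if metric < current.metric:
            current.next_hop, current.interface = next_hop, interface
            current.metric, current.updated_at = metric, now
        return current

    def advertised_metric(self, prefix, now):
        """Metric placed in an outgoing update: infinity unless the route is valid."""
        if self.state(prefix, now) != "valid":
            return RIPNG_INFINITY
        return min(self.routes[prefix].metric + self.offset_out, RIPNG_INFINITY)

    def garbage_collect(self, now):
        """Remove routes whose garbage-collection interval has run out."""
        expired = [p for p in self.routes if self.state(p, now) == "expired"]
        for prefix in expired:
            del self.routes[prefix]
        return expired


if __name__ == "__main__":
    rib = RipngRib()
    rib.receive("2001:db8:1::/48", "fe80::1", "ethernet 3/1", 2, now=0)
    print(rib.advertised_metric("2001:db8:1::/48", now=0))      # 3: learned 2 + offset 1, + 0 out
    print(rib.state("2001:db8:1::/48", now=200))                # hold-down: no refresh for 180 s
    print(rib.garbage_collect(now=320))                         # route removed after 180 + 120 s
```

The interesting edge is the third branch of receive(): during hold-down a better path from a different neighbor is deliberately not accepted, which is what the Table 198 description of the timer means in practice, so a flapping neighbor cannot pull traffic back and forth between paths within that window.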
For example, to permit the inclusion of routes with the prefix 209.1.44.0/24 in RIPng routing updates sent from Ethernet interface 3/1, enter the following commands.

BigIron RX(config)# ip prefix-list routesfor2001 permit 209.1.44.0/24
BigIron RX(config)# ipv6 router rip
BigIron RX(config-ripng-router)# distribute-list prefix-list routesfor2001 out ethernet 3/1

To deny prefix lengths greater than 24 bits in routes that have the prefix 209.1.44.
BigIron RX(config)# ipv6 router rip
BigIron RX(config-ripng-router)# poison-local-routes

Syntax: [no] poison-local-routes

To disable the sending of a triggered update, use the no version of this command.

Clearing RIPng routes from IPv6 route table
To clear all RIPng routes from the RIPng route table and the IPv6 main route table and reset the routes, enter the following command at the Privileged EXEC level or any of the Config levels of the CLI.
TABLE 199  RIPng configuration fields (Continued)

This field...  Displays...
Holddown/garbage collection: The settings of the RIPng hold-down and garbage-collection timers.
Split horizon/poison reverse: The status of the RIPng split horizon and poison reverse features. Possible status is “on” or “off.”
Default routes: The status of RIPng default routes.
Periodic updates/trigger updates: The number of periodic updates and triggered updates sent by the RIPng router.

TABLE 200  RIPng routing table fields

This field...  Displays...
RIPng Routing Table entries: The total number of entries in the RIPng routing table.
/: The IPv6 prefix and prefix length. The IPv6 address.
Next-hop router: The next-hop router for this Brocade device. If :: appears, the route is originated locally.
Interface: The interface name. If “null” appears, the interface is originated locally.
Chapter 46
Configuring BGP4+

In this chapter
• BGP4+ overview
• Address family configuration level
• Configuring BGP4+
• Clearing BGP4+ information
• Displaying BGP4+ information
Address family configuration level
Brocade’s implementation of BGP4+ includes a new configuration level: address family. For IPv6, Brocade currently supports the BGP4+ unicast address family configuration level only. (For IPv4, Brocade supports the BGP4 unicast and BGP4 multicast address family configuration levels.)

The switch enters the BGP4+ unicast address family configuration level when you enter the following command while at the global BGP configuration level.
• Create a peer group and add neighbors individually.

The following configuration tasks are optional:
• Advertise the default route.
• Import specified routes into BGP4+.
• Redistribute prefixes into BGP4+.
• Aggregate routes advertised to BGP4 neighbors.
• Use route maps.

Enabling BGP4+
To enable BGP4+, enter commands such as the following.

BigIron RX(config)# router bgp
BGP: Please configure 'local-as' parameter in order to run BGP4.
Configuring BGP4+ neighbors using global or site-local IPv6 addresses
To configure BGP4+ neighbors using global or site-local IPv6 addresses, you must add the IPv6 address of a neighbor in a remote AS to the BGP4+ neighbor table of the local switch. You must repeat this procedure for each neighbor that you want to add to a local switch.
NOTE
The example above adds an IPv6 neighbor at the BGP4+ unicast address family configuration level. This neighbor, by default, is enabled to exchange BGP4+ unicast prefixes.
Syntax: neighbor route-map [in | out]

The parameter specifies the IPv6 link-local address of the neighbor. A link-local address has a fixed prefix of FE80::/64. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.

The in keyword applies the route map to incoming routes.

The out keyword applies the route map to outgoing routes.

The parameter specifies a route map name.
Specify a name for the peer group. To delete the peer group, enter the no form of this command.

Adding a neighbor to a local router
To add the IPv6 address 2001:efff:89::23 of a neighbor in remote AS 1001 to the BGP4+ neighbor table of a switch, enter the following command.

BigIron RX(config-bgp-ipv6u)# neighbor 2001:efff:89::23 remote-as 1001

NOTE
The example above adds an IPv6 neighbor at the BGP4+ unicast address family configuration level.
To enable the BGP4+ switch to advertise the default route, enter the following command.

BigIron RX(config-bgp-ipv6u)# default-information-originate

Syntax: [no] default-information-originate

You can also enable the BGP4+ switch to send the default route to a particular neighbor by specifying the neighbor default-originate command at the BGP4+ unicast address family configuration level.
• OSPFv3.
• RIPng.

You can redistribute routes in the following ways:
• By route types, for example, the switch redistributes all IPv6 static and RIPng routes.
• By using a route map to filter which routes to redistribute, for example, the switch redistributes specified IPv6 static and RIPng routes only.
The suppress-map parameter prevents the more specific routes contained in the specified route map from being advertised.

The advertise-map parameter configures the switch to advertise the more specific routes in the specified route map.

The attribute-map parameter configures the switch to set attributes for the aggregate routes based on the specified route map.
Removing route flap dampening
You can un-suppress routes by removing route flap dampening from the routes. The switch allows you to un-suppress all routes at once or un-suppress individual routes.
BigIron RX# clear ipv6 bgp local routes

Syntax: clear ipv6 bgp local routes

Clearing BGP4+ neighbor information
You can perform the following tasks related to BGP4+ neighbor information:
• Clear diagnostic buffers.
• Reset a session to send and receive Outbound Route Filters (ORFs).
• Close a session, or reset a session and resend/receive an update.
• Clear traffic counters.
• Clear route flap dampening statistics.
To perform a hard reset of a neighbor session and send ORFs to the neighbor, enter a command such as the following.

BigIron RX# clear ipv6 bgp neighbor 2000:e0ff:38::1

This command resets the BGP4+ session with neighbor 2000:e0ff:38::1 and sends the ORFs to the neighbor when the neighbor comes up again. If the neighbor sends ORFs to the switch, the switch accepts them if the send capability is enabled.
Use the soft-outbound keyword to perform a soft reset of a neighbor session and resend only route update changes to a neighbor.

Use the soft in parameter to perform a soft reset of a neighbor session and request a route update from a neighbor.

Use the soft out parameter to perform a soft reset of a neighbor session and resend all routes to a neighbor.
For example, to clear all BGP4+ routes and reset them, enter the following command at the Privileged EXEC level or any of the Config levels of the CLI.

BigIron RX# clear ipv6 bgp routes

Syntax: clear ip bgp routes [/]

The / parameter clears routes associated with a particular IPv6 prefix. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
BigIron RX# show ipv6 bgp routes
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
       Prefix             Next Hop        Metric     LocPrf     Weight Status
1      2002::/16          ::              1          100        32768  BL
       AS_PATH:
2      2002:1234::/32     ::              1          100        32768  BL
       AS_PATH:

This display shows the following information.

TABLE 201  Summary of BGP4+ routes

This field...  Displays...
TABLE 201  Summary of BGP4+ routes (Continued)

This field...  Displays...
Status: The route’s status, which can be one or more of the following:
• A – AGGREGATE. The route is an aggregate route for multiple networks.
• B – BEST. BGP4+ has determined that this is the optimal route to the destination.
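The status letters in this table are the most useful thing to automate when reviewing BGP4+ state, for instance to list the routes that are dampened or suppressed after a flap. The following Python is an added example, not code from the guide or from Brocade: it parses output in the layout of the show ipv6 bgp routes display shown above and expands each status letter using the legend the command prints. The first two entries of the sample copy the guide's output; the third entry, its next hop and its AS path are constructed, and the parser, its regular expression and the unhealthy_routes check are this example's own.

```python
import re

# Legend exactly as printed by "show ipv6 bgp routes" (see the display above).
STATUS_CODES = {
    "A": "AGGREGATE", "B": "BEST", "b": "NOT-INSTALLED-BEST", "C": "CONFED_EBGP",
    "D": "DAMPED", "E": "EBGP", "H": "HISTORY", "I": "IBGP", "L": "LOCAL",
    "M": "MULTIPATH", "S": "SUPPRESSED",
}

# Constructed sample: entries 1 and 2 copy the guide's output, entry 3 is invented.
SAMPLE_OUTPUT = """\
Total number of BGP Routes: 3
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
       Prefix             Next Hop        Metric     LocPrf     Weight Status
1      2002::/16          ::              1          100        32768  BL
       AS_PATH:
2      2002:1234::/32     ::              1          100        32768  BL
       AS_PATH:
3      2001:db8:1::/48    fe80::1         0          100        0      DES
       AS_PATH: 65001 65002
"""

# index, prefix, next hop, metric, local pref, weight, status letters
ROUTE_LINE = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([A-Za-z]+)\s*$")


def parse_bgp_routes(text):
    """Return one dict per route, with status letters expanded to names."""
    routes, current = [], None
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            idx, prefix, next_hop, metric, local_pref, weight, status = m.groups()
            unknown = set(status) - set(STATUS_CODES)
            if unknown:
                raise ValueError("unknown status code(s) %s in line %r" % (sorted(unknown), line))
            current = {
                "index": int(idx), "prefix": prefix, "next_hop": next_hop,
                "metric": int(metric), "local_pref": int(local_pref),
                "weight": int(weight), "status": [STATUS_CODES[c] for c in status],
                "as_path": [],
            }
            routes.append(current)
        elif line.strip().startswith("AS_PATH:") and current is not None:
            # The AS_PATH line belongs to the route entry printed just before it.
            current["as_path"] = [int(asn) for asn in line.split(":", 1)[1].split()]
    return routes


def declared_route_count(text):
    """The total the command itself reports, used to sanity-check the parse."""
    m = re.search(r"Total number of BGP Routes:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def unhealthy_routes(routes):
    """Routes that are dampened, suppressed or not installed as best."""
    flags = {"DAMPED", "SUPPRESSED", "NOT-INSTALLED-BEST"}
    return [r for r in routes if flags & set(r["status"])]


if __name__ == "__main__":
    parsed = parse_bgp_routes(SAMPLE_OUTPUT)
    assert len(parsed) == declared_route_count(SAMPLE_OUTPUT)
    for route in unhealthy_routes(parsed):
        print(route["prefix"], route["status"], route["as_path"])
```

Comparing the parsed count against the "Total number of BGP Routes" line catches the common failure of a paging prompt or a truncated capture swallowing entries, which would otherwise make a dampened route simply disappear from the report.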
The best keyword displays the routes received from neighbors that the switch selected as the best routes to their destinations.

The cidr-only keyword lists only the routes whose network masks do not match their class network length.

The community parameter lets you display routes for a specific community. You can specify local-as, no-export, no-advertise, internet, or a private community number.
BigIron RX# show ipv6 bgp routes detail
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
1  Prefix: 2002::/16, Status: BL, Age: 2d17h10m42s
     NEXT_HOP: ::, Learned from Peer: Local Router
     LOCAL_PREF: 100, MED: 1, ORIGIN: incomplete, Weight: 32768
     AS_PATH:
     Adj_RIB_out count: 1, Admin distance 190
2  Prefix: 2002:1234::/32, Status: BL, Age: 2d17h10m42s
     NEXT_HOP: ::, Learned
TABLE 202  Detailed BGP4+ route information (Continued)

This field...  Displays...
Origin: The source of the route information. The origin can be one of the following:
• A – AGGREGATE. The route is an aggregate route for multiple networks.
• B – BEST. BGP4+ has determined that this is the optimal route to the destination.
The parameter specifies the table entry with which you want the display to start. For example, if you specify 100, the display shows entry 100 and all entries subsequent to entry 100.

The age parameter displays only the routes that have been received or updated more recently than the number of seconds you specify.

The as-path-access-list parameter filters the display using the specified AS-path ACL.
Displaying BGP4+ route information
You can display all BGP4+ routes known by a switch, only those routes that match a specified prefix, or routes that match a specified or longer prefix.

To display all BGP4+ routes known by the switch, enter the following command at any level of the CLI.
TABLE 203 BGP4+ route information
This field... / Displays...
Total number of BGP Routes (appears in display of all BGP routes only): The number of routes known by the switch.
Number of BGP Routes matching display condition (appears in display that matches specified and longer prefixes): The number of routes that matched the display parameters you entered. This is the number of routes displayed by the command.
Syntax: show ipv6 bgp attribute-entries
For information about displaying route-attribute entries for a specified BGP4+ neighbor, refer to “Displaying BGP4+ neighbor route-attribute entries” on page 1259. This display shows the following information:
TABLE 204 BGP4+ route-attribute entries information
This field... / Displays...
Total number of BGP Attribute Entries: The number of entries contained in the switch’s BGP4+ route-attribute entries table.
Displaying the BGP4+ running configuration
To view the active BGP4+ configuration information contained in the running configuration without displaying the entire running configuration, enter the following command at any level of the CLI.
TABLE 205 Dampened BGP4+ path information
This field... / Displays...
Status codes: A list of the characters the display uses to indicate the path’s status. The status code appears in the left column of the display, to the left of each route. The status codes are described in the command’s output. The status column displays a “d” for each dampened route.
Network: The destination network of the route.
From: The IPv6 address of the advertising peer.
The longer-prefixes keyword allows you to display routes that match a specified or longer IPv6 prefix. For example, if you specify 2002::/16 longer-prefixes, then all routes with the prefix 2002::/16 or that have a longer prefix (such as 2002:e016::/32) are displayed. The as-path-access-list parameter specifies an AS-path ACL. Specify an ACL name. Only the routes permitted by the AS-path ACL are displayed.
TABLE 206 Summary of filtered-out BGP4+ route information (Continued)
This field... / Displays...
Weight: The value that this switch associates with routes from a specific neighbor. For example, if the switch receives routes to the same destination from two BGP4+ neighbors, the switch prefers the route from the neighbor with the larger weight.
BigIron RX# show ipv6 bgp filtered-routes detail
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
1  Prefix: 800:2:1::/64, Status: EF, Age: 0h0m10s
   NEXT_HOP: 2000:1:1::1, Learned from Peer: 2000:1:1::1 (100)
   LOCAL_PREF: 100, MED: 0, ORIGIN: incomplete, Weight: 0
   AS_PATH: 100
2  Prefix: 900:1:18::/64, Status: EF, Age: 0h0m10s
   NEXT_HOP: 2000:1:1::1, Learned from Peer: 2000:1:1::1 (100)
   LOCA
TABLE 207 Detailed filtered-out BGP4+ route information (Continued)
This field... / Displays...
Next hop: For information about this field, refer to Table 206 on page 1245.
Learned from peer: The IPv6 address of the neighbor from which this route is learned. “Local router” indicates that the switch itself learned the route.
Local pref: For information about this field, refer to Table 206 on page 1245.
MED: The value of the advertised route’s MED attribute.
BigIron RX# show ipv6 bgp flap-statistics
Total number of flapping routes: 14
    Status Code >:best d:damped h:history *:valid
    Network           From          Flaps  Since     Reuse    Path
h>  2001:2::/32       3001:23::47   1      0 :0 :13  0 :0 :0  65001 4355 1 701
*>  3892:34::/32      3001:23::47   1      0 :1 :4   0 :0 :0  65001 4355 701 62
Syntax: show ipv6 bgp flap-statistics [/ [longer-prefixes] | as-path-filter | neighbor | regular-expression ]
The
TABLE 208 Route flap dampening statistics
This field... / Displays...
Reuse: The amount of time (in hh:mm:ss) after which the path is again available.
Path: The AS path of the route.
You also can display all the dampened routes by using the show ipv6 bgp dampened-paths command. For more information, refer to “Displaying dampened BGP4+ paths” on page 1243.
BigIron RX# show ipv6 bgp neighbor 2000:4::110
1   IP Address: 2000:4::110, AS: 65002 (EBGP), RouterID: 1.1.1.
TABLE 209 BGP4+ neighbor configuration information and statistics (Continued)
This field... / Displays...
EBGP/IBGP: Whether the neighbor session is an IBGP session, an EBGP session, or a confederation EBGP session.
• EBGP – The neighbor is in another AS.
• EBGP_Confed – The neighbor is a member of another sub-AS in the same confederation.
• IBGP – The neighbor is in the same AS.
RouterID: The neighbor’s router ID.
TABLE 209 BGP4+ neighbor configuration information and statistics (Continued)
This field... / Displays...
Messages Sent and Received: The number of messages this switch has sent to and received from the neighbor.
TABLE 209 BGP4+ neighbor configuration information and statistics (Continued)
This field... / Displays...
Last Connection Reset Reason (cont.
TABLE 209 BGP4+ neighbor configuration information and statistics (Continued)
This field... / Displays...
Notification Sent: If the switch receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
TABLE 209 BGP4+ neighbor configuration information and statistics (Continued)
This field... / Displays...
TCP Connection state: The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
TABLE 209 BGP4+ neighbor configuration information and statistics (Continued)
This field... / Displays...
TotalRcv: The number of sequence numbers received from the neighbor.
DupliRcv: The number of duplicate sequence numbers received from the neighbor.
RcvWnd: The size of the receive window.
SendQue: The number of sequence numbers in the send queue.
RcvQue: The number of sequence numbers in the receive queue.
CngstWnd: The number of times the window has changed.
TABLE 210 Summary of route information advertised to a BGP4+ neighbor
This field... / Displays...
Number of BGP4+ Routes advertised to specified neighbor (appears only in display for all routes): The number of routes displayed by the command.
Status codes: A list of the characters the display uses to indicate the route’s status. The status code appears in the Status column of the display. The status codes are described in the command’s output.
TABLE 211 Detailed route information advertised to a BGP4+ neighbor
This field... / Displays...
Number of BGP4+ Routes advertised to specified neighbor (appears only in display for all routes): For information about this field, refer to Table 210 on page 1258.
Status codes: For information about this field, refer to Table 210 on page 1258.
Prefix: For information about this field, refer to Table 210 on page 1258.
BigIron RX# show ipv6 bgp neighbor 2000:4::110 attribute-entries
Total number of BGP Attribute Entries: 1
1   Next Hop :2000:4::106   Metric :1   Origin:INCOMP
    Originator:0.0.0.0   Cluster List:None
    Aggregator:AS Number :0   Router-ID:0.0.0.
TABLE 212 BGP4+ neighbor route-attribute entries information (Continued)
This field... / Displays...
Communities: The communities that routes with this set of attributes are in.
AS Path: The ASs through which routes with this set of attributes have passed. The local AS is shown in parentheses.
Address: For debugging purposes only.
Hash: For debugging purposes only.
Reference Counts: For debugging purposes only.
Displaying last error packet from a BGP4+ neighbor
You can display information about the last packet that contained an error from any of a switch’s neighbors. The displayed information includes the error packet's contents decoded in a human-readable format. For example, to display information about the last error packet from any of a switch’s neighbors, enter the following command.
BigIron RX# show ipv6 bgp neighbor 2:2:2:2:: received-routes
There are 4 received routes from neighbor 2:2:2:2::
Searching for matching routes, use ^C to quit...
TABLE 215 Summary of route information received from a BGP4+ neighbor (Continued)
This field... / Displays...
Weight: The value that this switch associates with routes from a specific neighbor. For example, if the switch receives routes to the same destination from two BGP4+ neighbors, the switch prefers the route from the neighbor with the larger weight.
Status: The advertised route’s status, which can be one or more of the following:
• A – AGGREGATE.
BigIron RX# show ipv6 bgp neighbor 2000:1:1::1 received-routes detail
There are 4 received routes from neighbor 2000:1:1::1
Searching for matching routes, use ^C to quit...
TABLE 216 Detailed route information received from a BGP4+ neighbor (Continued)
This field... / Displays...
Origin: The source of the route information. The origin can be one of the following:
• EGP – The routes with this set of attributes came to BGP4+ through EGP.
• IGP – The routes with this set of attributes came to BGP4+ through IGP.
• INCOMPLETE – The routes came from an origin other than one of the above.
The detail / parameter displays detailed information about the specified RIB routes. If you do not specify this parameter, a summary of the RIB routes displays. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value.
BigIron RX# show ipv6 bgp neighbor 2000:4::110 rib-out-routes detail
There are 2 RIB_out routes for neighbor 2000:4::110
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST E:EBGP I:IBGP L:LOCAL
1  Prefix: 2002:1234::/32, Status: BL, Age: 6d18h17m53s
   NEXT_HOP: ::, Learned from Peer: Local Router
   LOCAL_PREF: 100, MED: 1, ORIGIN: incomplete, Weight: 32768
   AS_PATH:
   Adj_RIB_out count: 1, Admin distance 190
2  Prefix: 2002::/16, Status: BL, Age: 6d18h21m8s
   NEXT_HOP: ::, Learned from Pe
• Best routes – The “best” routes to their destinations, which are installed in the switch’s IPv6 route table.
• Unreachable – The routes whose destinations are unreachable using any of the BGP4+ paths in the IPv6 route table.
For example, to display a summary of the best routes to a destination received from neighbor 2000:4::106, enter the following command.
TABLE 219 Summary of best and unreachable routes from a BGP4+ neighbor (Continued)
This field... / Displays...
Status: The route’s status, which can be one or more of the following:
• A – AGGREGATE. The route is an aggregate route for multiple networks.
• B – BEST. BGP4+ has determined that this is the optimal route to the destination.
• C – CONFED_EBGP. The route was learned from a neighbor in the same confederation and AS, but in a different sub-AS within the confederation.
TABLE 220 Detailed best and unreachable routes from a BGP4+ neighbor
This field... / Displays...
Number of accepted routes from a specified neighbor (appears only in display for all routes): For information about this field, refer to Table 219 on page 1269.
Status codes: For information about this field, refer to Table 219 on page 1269.
Prefix: For information about this field, refer to Table 219 on page 1269.
BigIron RX# show ipv6 bgp neighbor 2000:4::110 routes-summary
1   IP Address: 2000:4::110
Routes Accepted/Installed:0, Filtered/Kept:0, Filtered:0
   Routes Selected as BEST Routes:0
      BEST Routes not Installed in IP Forwarding Table:0
   Unreachable Routes (no IGP Route for NEXTHOP):0
   History Routes:0
NLRIs Received in Update Message:0, Withdraws:0 (0), Replacements:0
   NLRIs Discarded due to
      Maximum Prefix Limit:0, AS Loop:0
      Invalid Nexthop:0, Invalid Nexthop Address:0.0.0.
TABLE 221 BGP4+ neighbor route summary information (Continued)
This field... / Displays...
NLRIs Discarded due to: Indicates the number of times the switch discarded an NLRI for the neighbor due to the following reasons:
• Maximum Prefix Limit – The switch’s configured maximum prefix amount had been reached.
• AS Loop – An AS loop occurred. An AS loop occurs when the BGP4+ AS-path attribute contains the local AS number.
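The three selection rules described in this chapter (the longer-prefixes match behind show ipv6 bgp routes, the AS-path ACL that keeps only routes whose AS_PATH it permits, and the AS-loop check that discards an NLRI whose AS_PATH already contains the local AS) are shown below over a constructed route table. This is an added example and not code from the guide or from the switch software; the Route class, the function names, the sample prefixes, peers and AS numbers (including the local AS 65002) are this example's own assumptions, and the AS-path ACL is expressed as a regular expression over the space-separated AS_PATH.

```python
"""Added example (not from the BigIron RX guide): BGP4+ route selection checks
over a constructed IPv6 route table.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                      # e.g. "2002:e016::/32"
    next_hop: str
    as_path: Tuple[int, ...]         # empty tuple for a locally originated route
    learned_from: str = "Local Router"


def longer_prefixes(routes: List[Route], wanted: str) -> List[Route]:
    """Routes whose prefix equals `wanted` or is a more-specific prefix of it,
    which is what "<prefix> longer-prefixes" selects in the show command."""
    net = ipaddress.IPv6Network(wanted, strict=False)
    return [r for r in routes
            if ipaddress.IPv6Network(r.prefix, strict=False).subnet_of(net)]


def as_path_permit(routes: List[Route], regex: str) -> List[Route]:
    """Emulate an AS-path ACL with one permit clause: keep routes whose AS_PATH
    (written as space-separated AS numbers) matches `regex`. Everything else is
    dropped, mirroring the implicit deny at the end of a device ACL."""
    pat = re.compile(regex)
    return [r for r in routes
            if pat.search(" ".join(str(asn) for asn in r.as_path))]


def as_loop(route: Route, local_as: int) -> bool:
    """True when the update has looped back: its AS_PATH already carries the
    local AS number, so the NLRI must be discarded (the "AS Loop" counter)."""
    return local_as in route.as_path


def accept_updates(routes: List[Route], local_as: int):
    """Split received routes into (accepted, discarded_for_as_loop)."""
    accepted, discarded = [], []
    for r in routes:
        (discarded if as_loop(r, local_as) else accepted).append(r)
    return accepted, discarded


# Constructed sample table (assumption of this example, not device output).
LOCAL_AS = 65002
SAMPLE_TABLE = [
    Route("2002::/16", "::", ()),
    Route("2002:1234::/32", "::", ()),
    Route("2002:e016::/32", "2000:1:1::1", (100, 4355, 701), "2000:1:1::1"),
    Route("3892:34::/32", "3001:23::47", (65001, 4355, 701, 62), "3001:23::47"),
    # AS_PATH already contains the local AS: a looped update.
    Route("800:2:1::/64", "2000:1:1::1", (100, LOCAL_AS, 7018), "2000:1:1::1"),
]

if __name__ == "__main__":
    for r in longer_prefixes(SAMPLE_TABLE, "2002::/16"):
        print("longer-prefixes 2002::/16 ->", r.prefix)
    for r in as_path_permit(SAMPLE_TABLE, r"(^| )4355( |$)"):
        print("as-path ACL _4355_ permits ->", r.prefix)
    ok, bad = accept_updates(SAMPLE_TABLE, LOCAL_AS)
    print("discarded for AS loop:", [r.prefix for r in bad])
```

Note that 2002::/17 longer-prefixes does not return 2002::/16 itself (it is shorter) and excludes 2002:e016::/32, which lies in the upper half of 2002::/16; the exact prefix, when present, is always included.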
BigIron RX# show ipv6 bgp peer-group peer1
1   BGP peer-group is pg1, Remote AS: 65002
    Description: device group 1
    NextHopSelf: yes
    Address family : IPV4 Unicast
    Address family : IPV4 Multicast
    Address family : IPV6 Unicast
  Members:
    IP Address: 192.169.102.2
    IP Address: 192.169.100.2
    IP Address: 192.169.101.2
    IP Address: 192.169.103.2
    IP Address: 192.169.104.2
    IP Address: 192.169.105.2
    IP Address: 192.169.106.2
    IP Address: 192.169.107.2
    IP Address: 192.169.108.
TABLE 222 BGP4+ summary information (Continued)
This field... / Displays...
Confederation Peers: The numbers of the local ASs contained in the confederation. This list matches the confederation peer list you configure on the switch.
Maximum Number of Paths Supported for Load Sharing: The maximum number of route paths across which the switch can balance traffic to the same destination. The feature is enabled by default but the default number of paths is 1.
TABLE 222 BGP4+ summary information (Continued)
This field... / Displays...
State: The state of this switch’s session with each neighbor. The states are from this switch’s perspective of the session, not the neighbor’s perspective. The state value can be one of the following for each neighbor:
• IDLE – The BGP4+ process is waiting to be started. Usually, enabling BGP4+ or establishing a neighbor session starts the BGP4+ process.
Chapter 47 Configuring IPv6 MBGP
In this chapter
• IPv6 MBGP overview
• Configuration considerations
• Configuring IPv6 MBGP
• Displaying IPv6 MBGP information
3. Identify the neighboring IPv6 MBGP routers.
4. Optional – Configure an IPv6 MBGP default route.
5. Optional – Configure an IPv6 multicast static route.
6. Optional – Configure an IPv6 MBGP aggregate address.
7. Optional – Configure a route map to apply routing policy to multicast routes.
8. Save the configuration changes to the startup-config file.
Setting the maximum number of multicast routes supported
The BigIron RX supports from 1024 to 153,600 multicast routes.
Once MBGP is enabled, MBGP parameters are configured under the IPv6 multicast address family. Enter the following command to enter the IPv6 multicast address family level.
BigIron RX(config-bgp)# address-family ipv6 multicast
BigIron RX(config-bgp-ipv6m)#
Syntax: address-family ipv6 multicast | unicast
Adding IPv6 MBGP neighbors
To add an MBGP neighbor, enter a command such as the following.
The remote-as parameter specifies the AS the MBGP neighbor is in. The value can be a number from 1 – 65535. There is no default.
Optional configuration tasks
The following sections describe how to perform some optional IPv6 MBGP configuration tasks.
NOTE This section shows some of the more common optional tasks, including all the tasks that require you to specify that they are for MBGP. Most tasks are configured only for BGP4 but apply to both BGP4 and MBGP.
The backdoor parameter changes the administrative distance of the route to this network from the EBGP administrative distance (20 by default) to the local BGP administrative distance (200 by default), thus tagging the route as a backdoor route. The weight parameter specifies a weight to be added to routes to this network.
The ve parameter specifies a virtual interface. The null0 parameter is the same as dropping the traffic. The distance parameter sets the administrative distance for the route. The parameter specifies the cost metric of the route.
Possible values are: 1 - 6
Default value: 1
Regardless of the administrative distances, the BigIron RX Series router always prefers directly connected routes over other routes.
TABLE 223 IPv6 MBGP show commands
Command / Description
show ipv6 mbgp summary: Displays summary configuration information and statistics.
show ipv6 mbgp config: Shows the configuration commands in the running-config.
show ipv6 mbgp neighbors: Displays information about MBGP neighbors.
show ipv6 mbgp peer-group: Displays information about IPv6 MBGP peer groups.
show ipv6 mbgp routes: Displays IPv6 MBGP routes.
BigIron RX# show ipv6 mbgp config
Current BGP configuration:
router bgp
 local-as 200
 neighbor 166.1.1.2 remote-as 200
 address-family ipv6 unicast
 no neighbor 166.1.1.2 activate
 exit-address-family
 address-family ipv6 multicast
 redistribute connected
 redistribute static
 neighbor 166.1.1.
BigIron RX# show ipv6 mbgp neighbor 4fee:2343:0:ee44::1
Total number of BGP Neighbors: 1
1   ipv6 Address: 8eff::0/32, Remote AS: 200 (IBGP), RouterID: 8.8.8.
BigIron RX# show ipv6 mbgp route
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
    Prefix          Next Hop     Metric  LocPrf  Weight  Status
1   8.8.8.0/24      166.1.1.2    0       100     0       BI
    AS_PATH:
2   31.1.1.0/24     166.1.1.2    0       100     0       BI
    AS_PATH:
Syntax: show ipv6 mbgp routes
Displaying the IPv6 multicast route table
To display the IPv6 multicast route table, enter the following command.
Chapter 48 IPv6 Access Control Lists (ACLs)
In this chapter
• IPv6 ACLs
• Using IPv6 ACLs as input to other features
• Configuring an IPv6 ACL
• Applying an IPv6 ACL to an interface
• Adding TCP flags to an IPv6 ACL entry
• Destination TCP or UDP port (if the IPv6 protocol is TCP or UDP)
The IPv6 protocol can be one of the following well-known names or any IPv6 protocol number from 0 – 255:
• Authentication Header (AHP)
• Encapsulating Security Payload (ESP)
• Internet Control Message Protocol (ICMP)
• Internet Protocol Version 6 (IPv6)
• Stream Control Transmission Protocol (SCTP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
For TCP and UDP, you also
BigIron RX(config)# ipv6 access-list fdry
BigIron RX(config-ipv6-access-list-fdry)# deny tcp host 2000:2382:e0bb::2 any eq telnet
BigIron RX(config-ipv6-access-list-fdry)# permit ipv6 any any
BigIron RX(config-ipv6-access-list-fdry)# exit
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-1/1)# ipv6 traffic-filter fdry in
BigIron RX(config-if-1/1)# exit
BigIron RX(config)# write memory
Here is another example of commands for configuring an ACL and applying it to a
The third condition permits all packets containing source and destination addresses that are not explicitly denied by the first two. Without this entry, the ACL would deny all incoming IPv6 traffic on the ports to which you assign the ACL. A show running-config command displays the following.
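Because entries are evaluated in order and an ACL ends in an implicit deny, the order of the deny and permit entries above decides what gets through. The following added example (not code from the guide or from the switch software) is a first-match evaluator for entries written in the form shown on this page, so an ACL can be checked against sample packets before it is applied with ipv6 traffic-filter. It supports only a subset of the device syntax (permit|deny, a protocol name, any / host <addr> / <prefix>/<len> for source and destination, and an optional eq <port>); the port-name table, the Packet class and the sample packets are this example's own constructed assumptions.

```python
"""Added example (not from the BigIron RX guide): first-match evaluation of
IPv6 ACL entries with the device's implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption of this example: the port names this evaluator resolves.
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443, "dns": 53}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp", "icmp", ... (the IPv6 next header)
    dport: int = 0       # destination port, meaningful for tcp/udp only


def _parse_addr(tokens: List[str]):
    """Consume one address spec (any | host <addr> | <prefix>/<len>)."""
    if tokens[0] == "any":
        return ipaddress.IPv6Network("::/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv6Network(tokens[1] + "/128"), tokens[2:]
    return ipaddress.IPv6Network(tokens[0], strict=False), tokens[1:]


def parse_entry(line: str) -> dict:
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError("entry must start with permit or deny: " + line)
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    dport: Optional[int] = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_acl(text: str) -> List[dict]:
    """Parse the entry lines of one ACL; remark lines are comments and skipped."""
    entries = []
    for ln in text.strip().splitlines():
        ln = ln.strip()
        if ln and not ln.startswith("remark"):
            entries.append(parse_entry(ln))
    return entries


def evaluate(acl: List[dict], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry). Entries are tried in
    order and the first match wins; a packet matching no entry is denied,
    which is the implicit deny at the end of every ACL."""
    s, d = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
    for i, e in enumerate(acl):
        if e["proto"] != "ipv6" and e["proto"] != pkt.proto:   # "ipv6" matches any protocol
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != pkt.dport:
            continue
        return e["action"], i
    return "deny", None


# Constructed ACL text modelled on the "fdry" example above, and the same
# entries in the opposite order to show that order changes the result.
ACL_FDRY = """
deny tcp host 2000:2382:e0bb::2 any eq telnet
permit ipv6 any any
"""
ACL_REVERSED = """
permit ipv6 any any
deny tcp host 2000:2382:e0bb::2 any eq telnet
"""
ACL_NO_CATCHALL = "deny tcp host 2000:2382:e0bb::2 any eq telnet"

if __name__ == "__main__":
    telnet = Packet("2000:2382:e0bb::2", "2001:db8::1", "tcp", 23)   # constructed
    print("fdry:", evaluate(parse_acl(ACL_FDRY), telnet))
    print("reversed:", evaluate(parse_acl(ACL_REVERSED), telnet))
    print("no catch-all, DNS:", evaluate(parse_acl(ACL_NO_CATCHALL),
                                         Packet("2000:2382:e0bb::9", "2001:db8::53", "udp", 53)))
```

Reversing the two entries lets the telnet packet through on the first (permit) entry, and an ACL without the final permit ipv6 any any drops everything it does not explicitly match.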
For example, if you want to deny ICMP neighbor discovery acknowledgement, then permit any remaining IPv6 traffic, enter commands such as the following.
For ICMP
Syntax: [no] ipv6 access-list
Syntax: permit | deny icmp | any | host | any | host [ipv6-operator []] [ [][] ] | [] [802.1p-priority-matching ] [dscp-marking 802.
TABLE 224 Syntax descriptions
Arguments... / Description...
ipv6 access-list: Enables the IPv6 configuration level and defines the name of the IPv6 ACL. The can contain up to 199 characters and numbers, but cannot begin with a number and cannot contain any spaces or quotation marks.
permit: The ACL will permit (forward) packets that match a policy in the access list.
deny: The ACL will deny (drop) packets that match a policy in the access list.
TABLE 224 Syntax descriptions (Continued)
Arguments... / Description...
/: The / parameter specify a source prefix and prefix length that a packet must match for the specified action (deny or permit) to occur. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value.
TABLE 224 Syntax descriptions (Continued)
Arguments... / Description...
ipv6-operator: Allows you to filter the packets further by using one of the following options:
dscp – The policy applies to packets that match the traffic class value in the traffic class field of the IPv6 packet header. This operator allows you to filter traffic based on TOS or IP precedence. You can specify a value from 0 – 63.
TABLE 224 Syntax descriptions (Continued)
Arguments... / Description...
dscp-marking dscp-cos-mapping: Use the dscp-marking dscp-cos-mapping parameters to specify a DSCP value and map that value to an internal QoS table to obtain the packet’s new QoS value. The following occurs when you use these parameters.
• You enter 0 – 63 for the dscp-marking parameter.
• router-solicitation
• sequence
• time-exceeded
• unreachable
NOTE If you do not specify a message type, the ACL applies to all ICMP message types.
Applying an IPv6 ACL to an interface
To apply an IPv6 ACL, for example “access1”, to an interface, enter commands such as the following.
Adding a comment to an IPv6 ACL entry
You can optionally add a comment to describe entries in an IPv6 ACL. The comment appears in the output of show commands that display ACL information. You can add a comment by entering the remark command immediately preceding an ACL entry, or by specifying the ACL entry to which the comment applies. For example, to enter a comment preceding an ACL entry, enter commands such as the following.
BigIron RX# show running-config
ipv6 access-list rtr
 remark This entry permits ipv6 packets from 3002::2 to any destination
 permit ipv6 host 3000::2 any
 remark This entry denies udp packets from any source to any destination
 deny udp any any
 remark This entry denies IPv6 packets from any source to any destination
 deny ipv6 any any
Syntax: show running-config
A remark is free text: the device does not check it against the entry it describes, so keep remarks in step with the entries (the first remark above names 3002::2 while the entry it precedes matches host 3000::2). The following example shows the comment text for the ACL named "rtr" in a show ipv6 access-list display.
Chapter 49 Configuring OSPF Version 3
In this chapter
• OSPF version 3
• Link state advertisement types for OSPFv3
• Configuring OSPFv3
• Displaying OSPFv3 information
NOTE You are required to configure a router ID when running only IPv6 routing protocols.
• Enable the forwarding of IPv6 traffic on the Brocade device using the ipv6 unicast-routing command.
• Enable IPv6 on each interface over which you plan to enable OSPFv3. You enable IPv6 on an interface by configuring an IPv6 address or explicitly enabling IPv6 on that interface.
For more information about performing these configuration tasks, refer to Chapter 44, “Configuring Basic IPv6 Connectivity”. By default, OSPFv3 is disabled. To enable OSPFv3, you must enable it globally.
For example, to set up OSPFv3 areas 0.0.0.0, 200.5.0.0, 192.5.1.0, and 195.5.0.0, enter the following commands.
BigIron RX(config-ospf6-router)# area 0.0.0.0
BigIron RX(config-ospf6-router)# area 200.5.0.0
BigIron RX(config-ospf6-router)# area 192.5.1.0
BigIron RX(config-ospf6-router)# area 195.5.0.0
Syntax: [no] area |
The | parameter specifies the area number, which can be a number or in IPv4 address format.
Assigning interfaces to an area
After you define OSPFv3 areas, you must assign router interfaces to the areas. All router interfaces must be assigned to one of the defined areas on an OSPF router. When an interface is assigned to an area, all corresponding subnets on that interface are automatically included in the assignment. For example, to assign Ethernet interface 3/1 to area 192.5.0.0, enter the following commands.
BigIron RX(config-ospf6-router)# area 1 virtual-link 10.0.0.1
Syntax: area | virtual-link
The area | parameter specifies the transit area. The parameter specifies the router ID of the OSPF router at the remote end of the virtual link. To display the router ID on a router, enter the show ip command.
For example, to change the dead interval to 60 seconds on the virtual links defined on ABR1 and ABR2, enter the following command on ABR1.
BigIron RX(config-ospf6-router)# area 1 virtual-link 209.157.22.1 dead-interval 60
Enter the following command on ABR2.
BigIron RX(config-ospf6-router)# area 1 virtual-link 10.0.0.
NOTE If you specify the cost for an individual interface, the cost you specify overrides the cost calculated by the software.
Some interface types are not affected by the reference bandwidth and always have the same cost regardless of the reference bandwidth in use:
• The cost of a loopback interface is always 0.
• The cost of a virtual link is calculated using the Shortest Path First (SPF) algorithm and is not affected by the auto-cost feature.
• IPv6 IS-IS
• RIPng
You can redistribute routes in the following ways:
• By route type, for example, the Brocade device redistributes all IPv6 static and RIPng routes.
• By using a route map to filter which routes to redistribute, for example, the Brocade device redistributes specified IPv6 static and RIPng routes only.
For example, to configure the redistribution of all IPv6 static, RIPng, and IPv6 IS-IS level-1 and level-2 routes, enter the following commands.
The redistribution command configures the redistribution of static IPv6 routes into OSPFv3, and uses route map “abc“ to control the routes that are redistributed. In this example, the route map allows a static IPv6 route to be redistributed into OSPF only if the route has a metric of 5, and changes the metric to 8 before placing the route into the OSPF route redistribution table.
To assign a default metric of 4 to all routes imported into OSPFv3, enter the following command.
BigIron RX(config-ospf6-router)# default-metric 4
Syntax: [no] default-metric
You can specify a value from 0 – 65535. The default is 0. To restore the default metric to the default value, use the no form of this command.
NOTE If you disable redistribution, all the aggregate routes are flushed, along with other imported routes.
NOTE This option affects only imported, type 5 external routes. A single type 5 LSA is generated and flooded throughout the AS for multiple external routes.
To configure the summary address 2201::/24 for routes redistributed into OSPFv3, enter the following command.
BigIron RX# show ipv6 ospf route
Current Route count: 5
  Intra: 3  Inter: 0  External: 2 (Type1 0/Type2 2)
  Equal-cost multi-path: 0
    Destination       Options    Area     Next Hop Router          Outgoing Interface
*IA 3001::/64         ---------  0.0.0.1  ::                       ve 10
*E2 3010::/64         ---------  0.0.0.0  fe80::2e0:52ff:fe00:10   ve 10
*IA 3015::/64         V6E---R--  0.0.0.0  fe80::2e0:52ff:fe00:10   ve 10
*IA 3020::/64         ---------  0.0.0.0  ::                       ve 11
*E2 6001:5000::/64    ---------  0.0.0.
The following commands specify an IPv6 prefix list called filterOspfRoutesVe that denies route 3015::/64.
BigIron RX(config)# ipv6 prefix-list filterOspfRoutesVe seq 5 deny 3015::/64
BigIron RX(config)# ipv6 prefix-list filterOspfRoutesVe seq 10 permit ::/0 ge 1 le 128
The following commands configure a distribution list that applies the filterOspfRoutesVe prefix list to routes pointing to virtual interface 10.
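The prefix list above works because entries are tried in sequence order, an entry without ge/le matches only a prefix of exactly its own length, and "::/0 ge 1 le 128" then admits every other prefix of length 1 to 128 (a list that matched nothing would deny, since a prefix list ends in an implicit deny). The following added example (not code from the guide or from the switch software) implements that matching rule and applies it the way the distribution list does, to routes whose outgoing interface is the one named. The route tuples are a constructed copy of the routes shown in the preceding display, the parser accepts the command form shown above, and the function names are this example's own; the exact-length rule for entries without ge/le is stated here as an assumption about prefix-list behaviour.

```python
"""Added example (not from the BigIron RX guide): ipv6 prefix-list matching
with seq / ge / le, applied as a per-interface distribute list.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Accepts "ipv6 prefix-list <name> seq <n> permit|deny <prefix> [ge <n>] [le <n>]"
# with or without the leading "ipv6 prefix-list <name>".
ENTRY_RE = re.compile(
    r"^(?:ipv6 prefix-list \S+ )?seq (\d+) (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?$"
)

Entry = Tuple[int, str, ipaddress.IPv6Network, int, int]   # seq, action, net, min_len, max_len


def parse_prefix_list(lines: List[str]) -> List[Entry]:
    """Parse the entries of one prefix list and sort them by sequence number."""
    entries: List[Entry] = []
    for ln in lines:
        m = ENTRY_RE.match(ln.strip())
        if not m:
            raise ValueError("unrecognised prefix-list entry: " + ln)
        seq, action, prefix, ge, le = m.groups()
        net = ipaddress.IPv6Network(prefix, strict=False)
        lo = int(ge) if ge else net.prefixlen           # no ge: at least the entry's own length
        if le:
            hi = int(le)
        elif ge:
            hi = 128                                     # ge without le: anything up to /128
        else:
            hi = net.prefixlen                           # neither: exact length only
        if not net.prefixlen <= lo <= hi <= 128:
            raise ValueError("inconsistent ge/le in entry: " + ln)
        entries.append((int(seq), action, net, lo, hi))
    entries.sort(key=lambda e: e[0])
    return entries


def match(entries: List[Entry], prefix: str) -> Tuple[str, Optional[int]]:
    """First entry whose network contains the route and whose length range
    admits the route's length decides; no match is an implicit deny."""
    route = ipaddress.IPv6Network(prefix, strict=False)
    for seq, action, net, lo, hi in entries:
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action, seq
    return "deny", None


def apply_distribute_list(routes, entries: List[Entry], interface: str):
    """routes: (prefix, outgoing_interface) pairs. Only routes via `interface`
    are subject to the prefix list; routes via other interfaces pass untouched."""
    return [(p, via) for p, via in routes
            if via != interface or match(entries, p)[0] == "permit"]


FILTER = parse_prefix_list([
    "ipv6 prefix-list filterOspfRoutesVe seq 5 deny 3015::/64",
    "ipv6 prefix-list filterOspfRoutesVe seq 10 permit ::/0 ge 1 le 128",
])

# Constructed copy of the routes in the display above (prefix, outgoing interface).
ROUTES = [("3001::/64", "ve 10"), ("3010::/64", "ve 10"), ("3015::/64", "ve 10"),
          ("3020::/64", "ve 11"), ("6001:5000::/64", "ve 10")]

if __name__ == "__main__":
    for p, via in ROUTES:
        print(p, via, "->", match(FILTER, p))
    print("kept via ve 10:", apply_distribute_list(ROUTES, FILTER, "ve 10"))
```

Two edge cases worth checking against the device before relying on such a list: 3015::/65 is not caught by seq 5 (exact length only) and falls through to the permit, and ::/0 itself is denied, because "ge 1" excludes length 0.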
BigIron RX# show ipv6 ospf route
Current Route count: 3
  Intra: 3  Inter: 0  External: 0 (Type1 0/Type2 0)
  Equal-cost multi-path: 0
    Destination       Options    Area     Next Hop Router          Outgoing Interface
*IA 3001::/64         ---------  0.0.0.1  ::                       ve 10
*IA 3015::/64         V6E---R--  0.0.0.0  fe80::2e0:52ff:fe00:10   ve 10
*IA 3020::/64         ---------  0.0.0.
• 2 – Type 2 external route
If you do not use this option, the default redistribution metric type is used for the route type.
NOTE If you specify a metric and metric type, the values you specify are used even if you do not use the always option.
To disable default route origination, enter the no form of the command.
The device selects one route over another based on the source of the route information. To do so, the device can use the administrative distances assigned to the sources. You can influence the device’s decision by changing the default administrative distance for OSPFv3 routes.
Configuring administrative distance based on route type
You can configure a unique administrative distance for each type of OSPFv3 route.
The pacing interval is inversely proportional to the number of LSAs the Brocade device is refreshing and aging. For example, if you have approximately 10,000 LSAs, decreasing the pacing interval enhances performance. If you have a very small database (40 – 100 LSAs), increasing the pacing interval to 10 – 20 minutes might enhance performance only slightly. To change the OSPFv3 LSA pacing interval to two minutes (120 seconds), enter the following command.
Modifying OSPFv3 interface defaults
OSPFv3 has interface parameters that you can configure. For simplicity, each of these parameters has a default value. No change to these default values is required except as needed for specific network configurations. You can modify the default values for the following OSPF interface parameters:
• Cost: Indicates the overhead required to send a packet across an interface.
To disable the logging of events, enter the following command.
BigIron RX(config-ospf6-router)# no log-status-change
Syntax: [no] log-status-change
To re-enable the logging of events, enter the following command.
TABLE 225 OSPFv3 area information fields
This field... / Displays...
Area: The area number.
Interface attached to this area: The router interfaces attached to the area.
Number of Area scoped LSAs: Number of LSAs with a scope of the specified area.
SPF algorithm executed: The number of times the OSPF Shortest Path First (SPF) algorithm has been executed within the area.
SPF last updated: The interval in seconds since the SPF algorithm was last executed within the area.
49 Displaying OSPFv3 information The intra-prefix keyword displays detailed information about the intra-area prefix LSAs only. The link keyword displays detailed information about the link LSAs only. The link-id parameter displays detailed information about the specified link LSAs only. The network displays detailed information about the network LSAs only. The router displays detailed information about the router LSAs only.
Displaying OSPFv3 information BigIron RX# show ipv6 ospf database extensive Area ID Type LS ID Adv Rtr Seq(Hex) Age 0 Link 00000031 1.1.1.1 80000001 35 Router Priority: 1 Options: V6E---R-LinkLocal Address: fe80::1 Number of Prefix: 1 Prefix Options: Prefix: 3002::/64 ... Area ID Type LS ID Adv Rtr Seq(Hex) Age 0 Iap 00000159 223.223.223.223 800000ab 357 Number of Prefix: 2 Referenced LS Type: Network Referenced LS ID: 00000159 Referenced Advertising Router: 223.223.223.
49 Displaying OSPFv3 information TABLE 227 OSPFv3 detailed database information fields This field... Displays... Router LSA (Type 1) (Rtr) fields 1324 Capability Bits A bit that indicates the capability of the Brocade device. The bit can be set to one of the following: • B – The device is an area border router. • E – The device is an AS boundary router. • V – The device is a virtual link endpoint. • W – The device is a wildcard multicast receiver.
Displaying OSPFv3 information TABLE 227 49 OSPFv3 detailed database information fields (Continued) This field... Displays... Network LSA (Type 2) (Net) fields Options A 24-bit field that enables IPv6 OSPF routers to support the optional capabilities. When set, the following bits indicate the following: V6 – The device should be included in IPv6 routing calculations. E – The device floods AS-external-LSAs as described in RFC 2740. MC – The device forwards multicast packets as described in RFC 1586.
49 Displaying OSPFv3 information TABLE 227 OSPFv3 detailed database information fields (Continued) This field... Prefix Options Prefix Displays... An 8-bit field of capabilities that serve as input to various routing calculations: NU – The prefix is excluded from IPv6 unicast calculations. LA – The prefix is an IPv6 interface address of the advertising router. MC – The prefix is included in IPv6 multicast routing calculations. P – NSSA area prefixes are readvertised at the NSSA area border.
Displaying OSPFv3 information TABLE 228 Summary of OSPFv3 interface information This field... Displays... Interface The interface type, and the port number or number of the interface. OSPF Status State Area 49 The state of OSPFv3 on the interface. Possible states include the following: Enabled. Disabled. • • The status of the link. Possible status include the following: Up. Down. • • The state of the interface.
49 Displaying OSPFv3 information TABLE 229 Detailed OSPFv3 interface information This field... Interface status The status of the interface. Possible status includes the following: Up. Down. • • Type The type of OSPFv3 circuit running on the interface. Possible types include the following: • BROADCAST • POINT TO POINT • UNKNOWN IPv6 Address The IPv6 address(es) assigned to the interface. Instance ID An identifier for an instance of OSPFv3. Router ID The IPv4 address of the Brocade device.
Displaying OSPFv3 information TABLE 229 49 Detailed OSPFv3 interface information (Continued) This field... Displays... Neighbor The router ID (IPv4 address) of the neighbor. This field also identifies the neighbor as a DR or BDR, if appropriate. Interface statistics The following statistics are provided for the interface: Unknown – The number of Unknown packets transmitted and received by the interface. Also, the total number of bytes associated with transmitted and received Unknown packets.
49 Displaying OSPFv3 information This display shows the following information. TABLE 230 OSPFv3 memory usage information This field... Displays... Total Static Memory Allocated A summary of the amount of static memory allocated, in bytes, to OSPFv3. Total Dynamic Memory Allocated A summary of the amount of dynamic memory allocated, in bytes, to OSPFv3. Memory Type The type of memory used by OSPFv3. (This information is for use by Brocade’s technical support in case of a problem.
Displaying OSPFv3 information TABLE 231 49 Summary of OSPFv3 neighbor information (Continued) Field Description BDR The router ID (IPv4 address) of the BDR. Interface [State] The interface through which the router is connected to the neighbor. The state of the interface can be one of the following: • DR – The interface is functioning as the Designated Router for OSPFv3. • BDR – The interface is functioning as the Backup Designated Router for OSPFv3.
49 Displaying OSPFv3 information TABLE 232 Detailed OSPFv3 neighbor information (Continued) Field Description DbDesc bit... The Database Description packet, which includes 3 bits of information: • The first bit can be “i” or “-”. “i” indicates the inet bit is set. “-” indicates the inet bit is not set. • The second bit can be “m” or “-”. “m” indicates the more bit is set. “-” indicates the more bit is not set. • The third bit can be “m” or “s”. An “m” indicates the master. An “s” indicates standby.
49 Displaying OSPFv3 information BigIron RX# show ipv6 ospf redistribute route Id Prefix snIpAsPathAccessListStringRegExpression 1 2002::/16 2 2002:1234::/32 Protocol Metric Type Metric Static Static Type-2 Type-2 1 1 Syntax: show ipv6 ospf redistribute route [] The parameter specifies an IPv6 network prefix. (You do not need to specify the length of the prefix.
49 Displaying OSPFv3 information BigIron RX# show ipv6 ospf routes Current Route count: 4 Intra: 4 Inter: 0 External: 0 (Type1 0/Type2 0) Equal-cost multi-path: 0 Destination Options Area Next Hop Router Outgoing Interface *IA 2000:4::/64 V6E---R-- 0.0.0.0 :: ethe 3/2 *IA 2002:c0a8:46a::/64 V6E---R-- 0.0.0.0 :: ethe 3/2 *IA 2999::1/128 --------- 0.0.0.0 :: loopback 2 *IA 2999::2/128 V6E---R-- 0.0.0.
Displaying OSPFv3 information TABLE 234 49 OSPFv3 route information (Continued) This field... Displays... Options A 24-bit field that enables IPv6 OSPF routers to support the optional capabilities. When set, the following bits indicate the following: V6 – The device should be included in IPv6 routing calculations. E – The device floods AS-external-LSAs as described in RFC 2740. MC – The device forwards multicast packets as described in RFC 1586.
49 Displaying OSPFv3 information • As an IPv4 address; for example, 192.168.1.1 • As a numerical value from 0 – 2,147,483,647 This display shows the following information. TABLE 235 OSPFv3 SPF node information This field... Displays... SPF node Each SPF node is identified by its router ID (IPv4 address). If the node is a child node, it is additionally identified by an interface on which the node can be reached appended to the router ID in the format :.
Displaying OSPFv3 information TABLE 236 This field... Destination 49 OSPFv3 SPF Table Displays... The destination of a route, which is identified by the following: “R”, which indicates the destination is a router. “N”, which indicates the destination is a network. • An SPF node’s router ID (IPv4 address). If the node is a child node, it is additionally identified by an interface on which the node can be reached appended to the router ID in the format :.
49 Displaying OSPFv3 information Displaying IPv6 OSPF virtual link information To display OSPFv3 virtual link information for the Brocade device, enter the following command at any level of the CLI. BigIron RX# show ipv6 ospf virtual-link Index Transit Area ID Router ID Interface Address 1 1 1.1.1.1 3003::2 State P2P Syntax: show ipv6 ospf virtual-link This display shows the following information. TABLE 237 OSPFv3 virtual link information This field... Displays...
Displaying OSPFv3 information TABLE 238 49 OSPFv3 virtual neighbor information (Continued) This field... Displays... State The state between the Brocade device and the virtual neighbor. The state can be one of the following: • Down • Attempt • Init • 2-Way • ExStart • Exchange • Loading • Full Interface The IPv6 address of the virtual neighbor.
49 1340 Displaying OSPFv3 information BigIron RX Series Configuration Guide 53-1002484-04
Chapter 50
Configuring IPv6 Multicast Features

In this chapter
• IPv6 PIM sparse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1341
• Multicast Listener Discovery and source specific multicast protocols (MLDv2) . . . . . 1359

IPv6 PIM sparse

This chapter presents the multicast features available for IPv6 routers. The BigIron RX supports IPv6 Protocol Independent Multicast (PIM) Sparse.

PIM sparse router types

Routers that are configured with PIM Sparse interfaces can also be configured to fill one or more of the following roles:
• BSR – The Bootstrap Router (BSR) distributes RP information to the other PIM Sparse routers within the domain. Each PIM Sparse domain has one active BSR. For redundancy, you can configure ports on multiple routers as candidate BSRs.

• Enable the IPv6 PIM Sparse mode of multicast routing
• Enable IPv6 unicast routing
• Configure the following interface parameters:
  • Configure an IPv6 address on the interface
  • Enable IPv6 PIM Sparse
  • Identify the interface as an IPv6 PIM Sparse border, if applicable
NOTE
You cannot configure a Brocade routing interface as a PMBR interface for PIM Sparse in the current software release.

Configuring BSRs

In addition to the global and interface parameters in the sections above, you need to identify an interface on at least one BigIron RX as a candidate PIM Sparse Bootstrap router (BSR) and candidate PIM Sparse Rendezvous Point (RP).
NOTE
It is possible to configure the BigIron RX as only a candidate BSR or RP, but Brocade recommends that you configure the same interface on the same BigIron RX as both a BSR and an RP.

BigIron RX(config)# ipv6 router pim
BigIron RX(config-ipv6-pim-router)# rp-candidate ethernet 2/2
Syntax: [no] rp-candidate ethernet / | loopback | ve | pos /
The ethernet / | loopback | ve parameter specifies the interface. The device will advertise the specified interface’s IP address as a candidate RP.
• Enter ethernet / for a physical interface (port).
• Enter ve for a virtual interface.

ACL based RP assignment

The rp-address command allows multiple static RP configurations. For each static RP, an ACL can be given as an option to define the multicast address ranges that the static RP is permitted or denied to serve. By default, a static RP serves the range ff00::/8 if it is configured without an ACL name. If an ACL name is given but the ACL is not defined, the static RP is set to inactive mode and does not cover any multicast group ranges.
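The three rules above (default range ff00::/8 when no ACL is named, ACL-restricted ranges when one is, and an inactive RP when the named ACL does not exist) are easy to misread when several static RPs overlap. The following Python model, added here as an illustration and not Brocade code, answers the question "which static RPs will serve group G?" for a small configuration. It assumes first-match, implicit-deny ACL evaluation, which the page does not spell out; the ACL names and prefixes are made up, and the RP addresses reuse those shown in this section’s rp-map output.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Range a static RP serves when configured without an ACL name.
DEFAULT_GROUP_RANGE = ipaddress.IPv6Network("ff00::/8")

# An ACL is modelled as an ordered list of (action, prefix) entries with
# first-match semantics and an implicit deny at the end. That is an assumption
# about ACL evaluation; the page only says the ACL defines the permitted and
# denied group ranges.
AclTable = Dict[str, List[Tuple[str, str]]]


class StaticRP:
    """One rp-address entry: the RP address plus an optional ACL name."""

    def __init__(self, address: str, acl_name: Optional[str] = None) -> None:
        self.address = ipaddress.IPv6Address(address)
        self.acl_name = acl_name

    def status(self, acls: AclTable) -> str:
        # An ACL name that refers to an undefined ACL puts the RP in inactive mode.
        if self.acl_name is not None and self.acl_name not in acls:
            return "inactive"
        return "active"

    def serves(self, acls: AclTable, group: str) -> bool:
        addr = ipaddress.IPv6Address(group)
        if not addr.is_multicast or self.status(acls) == "inactive":
            return False
        if self.acl_name is None:
            return addr in DEFAULT_GROUP_RANGE
        for action, prefix in acls[self.acl_name]:
            if addr in ipaddress.IPv6Network(prefix):
                return action == "permit"
        return False  # implicit deny at the end of the ACL


def rps_for_group(rps: List[StaticRP], acls: AclTable, group: str) -> List[str]:
    """Addresses of the static RPs that cover a group, in configuration order."""
    return [str(rp.address) for rp in rps if rp.serves(acls, group)]


# Constructed configuration: RP addresses as in this section's rp-map output,
# ACL names and prefixes invented for the example.
RPS = [
    StaticRP("2000::16"),                  # no ACL: serves ff00::/8
    StaticRP("2000::8", "rp-acl-1"),       # restricted by a defined ACL
    StaticRP("2000::4", "rp-acl-missing"), # ACL named but never defined
]
ACLS: AclTable = {
    "rp-acl-1": [("deny", "ff7e:140::/32"), ("permit", "ff7e::/16")],
}

if __name__ == "__main__":
    for rp in RPS:
        print(rp.address, rp.status(ACLS))
    print(rps_for_group(RPS, ACLS, "ff7e:140:2001:3e8:16:0:1:2"))  # ['2000::16']
    print(rps_for_group(RPS, ACLS, "ff7e:1::1"))                   # ['2000::16', '2000::8']
```

Run against a copy of your own rp-address lines, the output makes the "inactive" case visible: a typo in an ACL name silently removes that RP from every group range, and only the unrestricted RP remains.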
BigIron RX(config-ipv6-pim-router)# sho ipv6 pim rp-map
Static RP and associated group ranges
------------------------------------
Static RP count: 1
  2000::16
Number of group prefixes Learnt from BSR: 1
Group prefix = ff00::/8  # RPs: 3
  RP 1: 2000::8   priority=0 age=30
  RP 2: 2000::4   priority=0 age=50
  RP 3: 2000::16  priority=0 age=20
Syntax: show ipv6 pim rp-set

Updating IPv6 PIM-sparse forwarding entries with new RP configuration

If you make changes to your static RP configuration, the en

• Shortest Path – Each IPv6 PIM Sparse router that is a DR for an IPv6 receiver calculates a shortest path tree (SPT) towards the source of the IPv6 multicast traffic. The first time a BigIron RX that is configured as an IPv6 PIM router receives a packet for an IPv6 group, it sends the packet to the RP for that group, which in turn forwards it to all the intended DRs that have registered with the RP.

Syntax: [no] message-interval
The parameter specifies the number of seconds and can be from 1 – 65535. The default is 60 seconds.

Setting the inactivity timer

The router deletes a forwarding entry if the entry is not used to send multicast packets. The IPv6 PIM inactivity timer defines how long a forwarding entry can remain unused before the router deletes it. To apply an IPv6 PIM inactivity timer of 160 seconds to all IPv6 PIM interfaces, enter the following.

Syntax: [no] ssm-enable

Displaying IPv6 PIM-sparse configuration information

To display IPv6 PIM Sparse configuration information, use the show ipv6 pim sparse command as described in “Displaying IPv6 PIM-sparse configuration information” on page 1350.

This field... – Displays...
Global PIM sparse mode settings
Hello interval – How frequently the device sends IPv6 PIM Sparse hello messages to its IPv6 PIM Sparse neighbors. This field shows the number of seconds between hello messages. IPv6 PIM Sparse routers use hello messages to discover one another.

BigIron RX# show ipv6 pim
Interface v30
  PIM Version : V2  MODE : PIM SM  TTL Threshold: 1, Enabled
  DR: fe80::20c:dbff:fef6:a00 on e3/2
  Link Local Address: fe80::20c:dbff:fef5:e900
  Global Address: 1e1e::4
Interface v167
  PIM Version : V2  MODE : PIM SM  TTL Threshold: 1, Enabled
  DR: itself
  Link Local Address: fe80::20c:dbff:fef5:e900
  Global Address: a7a7::1
Interface l1
  PIM Version : V2  MODE : PIM SM  TTL Threshold: 1, Enabled
  DR: itself
  Link Local Address: fe80::20c:dbff:fef5:e900
  Global Addr

group prefixes: ff00:: / 8
Candidate-RP-advertisement period: 60
BigIron RX#
This example shows information displayed on a device that has been elected as the BSR. The following example shows information displayed on a device that is not the BSR. Notice that some fields shown in the example above do not appear in the example below.

BigIron RX# show ipv6 pim rp-candidate
Next Candidate-RP-advertisement in 00:00:10
RP: 1be::11:21
group prefixes: ff00:: / 8
Candidate-RP-advertisement period: 60
This example shows information displayed on a device that is a candidate RP. The following example shows the message displayed on a device that is not a candidate RP.
BigIron RX# show ipv6 pim rp-candidate
This system is not a Candidate-RP.
Syntax: show ipv6 pim rp-candidate
This display shows the following information.

This field... – Displays...
Group address – Indicates the IPv6 PIM Sparse multicast group address using the listed RP.
RP address – Indicates the IPv6 address of the Rendezvous Point (RP) for the listed PIM Sparse group.

Displaying RP information for a PIM sparse group

To display RP information for a PIM Sparse group, enter the following command at any CLI level.

This field... – Displays...
RP – Indicates the RP number. If there are multiple RPs in the IPv6 PIM Sparse domain, a line of information for each of them is listed, and they are numbered in ascending numerical order.
priority – The RP priority of the candidate RP. During the election process, the candidate RP with the highest priority is elected as the RP.
age – The age (in seconds) of this RP-set.
NOTE: If this device is not a BSR, this field contains zero.

BigIron RX# show ipv6 pim mcache
Total 4 entries
Free mll entries: 766
1  (*, ff7e:140:2001:3e8:16:0:1:2) RP2001:3e8:16::1 in NIL, cnt=0
   Sparse Mode, RPT=1 SPT=0 Reg=0
   No upstream neighbor because RP 2001:3e8:16::1 is itself
   num_oifs = 1
   v312 L3 (SW) 1: e3/15(VL312)
   Flags fast=1 slow=0 leaf=0 prun=0 frag=0 tag=0 needRte=0 age=0
   fid: 0405, mvid 1
2  (2001:3e8:0:170::101, ff7e:140:2001:3e8:16:0:1:2) in v23 (e3/23), cnt=2
   Sparse Mode, RPT=0 SPT=1 Reg=0
   upstream neighbor=fe80::45:0:160:4
   num_

  phy-ports              1024   0   1024   0   no-limit
  exist-phy-port         1024   0   1024   0   no-limit
  group-query            128    0   128    0   no-limit
  sources                2000   0   2000   0   no-limit
Hardware-related Resources:
  MLL Entries            768    1   767    0   768
  Total (S,G) entries    0
  Total SW FWD entries   0
  Total HW FWD entries   0
This display shows the following information.
TABLE 239 Output of show ipv6 pim resource
This field... – Displays...
allocated – The number of nodes of that data type currently allocated in memory.

Multicast Listener Discovery and source specific multicast protocols (MLDv2)

The Multicast Listener Discovery Version 2 (MLDv2) protocol is available on the BigIron RX when it is running IPv6. IPv6 routers use the MLDv2 protocol to discover multicast listeners, that is, nodes that wish to receive multicast packets on directly attached links.

• General Query, used to learn which multicast addresses have listeners on an attached link.
• Multicast-Address-Specific Query, used to learn if a particular multicast address has any listeners on an attached link.

Enter the ssm-enable command under the IPv6 router PIM level to globally enable source specific multicast filtering.

Setting the query interval

You can define the frequency at which MLD query messages are sent. For example, if you want queries to be sent every 50 seconds, enter a command such as the following.

Setting the robustness

You can specify the number of times that the switch sends each MLD message from this interface. Use a higher value to ensure high reliability from MLD. You can set the robustness by entering a command such as the following.
BigIron RX(config)# ipv6 mld robustness 3
Syntax: ipv6 mld robustness
Specify a value from 2 – 7.

Setting the interface MLD version

You can use this command to set the MLD version (1 or 2) for the interface. You can select the version of MLD by entering a command such as the following at the interface level.
BigIron RX(config-lbif-1)# ipv6 mld version
Syntax: ipv6 mld version
Enter 1 or 2.

Displaying MLD definitions for an interface

To display the MLD parameters on an interface, including the various timers, the current querying router, and whether or not MLD is enabled, enter the following command.

BigIron RX# show ipv6 traffic
Recv    QryV1  QryV2  G-Qry  GSQry  MbrV1  MbrV2  Leave  IS_IN  IS_EX  2_IN  2_EX  ALLO
e3/1    0      0      0      0      0      0      0      0      0      0     0     0
e3/2    0      0      0      0      0      0      0      0      0      0     0     0
e6/18   0      0      0      0      0      176    0      110    0      0     0     66
e6/19   0      0      0      0      0      176    0      110    0      0     0     66
e6/20   0      0      0      0      0      176    0      110    0      0     0     66
e6/25   0      0      0      0      0      176    0      110    0      0     0     66
l1      0      0      0      0      0      0      0      0      0      0     0     0
Send    QryV1  QryV2  G-Qry  GSQry
e3/1    0      0      0      0
e3/2    0      0      0      0
e6/18   0      10     10     0
e6/19   0      10     10     0
e6/20   0      10     10     0
e6

Embedded Rendezvous Point (RP)

Embedded RP enables a router to learn the RP information using the multicast group destination address. This eliminates the need to maintain the RP table through the RP state machine. For routers that are the RP, the router is statically configured as the RP. This router is not required to be configured as an RP candidate.
Chapter 51
Configuring IPv6 Routes

In this chapter
• Configuring a static IPv6 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1367
• Configuring an IPv6 multicast route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1369

Configuring a static IPv6 route

This chapter provides information on how to configure a static IPv6 route. A static IPv6 route is a manually configured route, which creates a path between two IPv6 routers.

Table 240 describes the parameters associated with this command and indicates the status of each parameter.
TABLE 240 Static IPv6 route parameters
Parameter – Configuration details – Status
The IPv6 prefix and prefix length of the route’s destination network. You must specify the prefix in hexadecimal using 16-bit values between colons, as documented in RFC 2373. You must specify the prefix length as a decimal value.

Configuring an IPv6 multicast route 51

The administrative distance is a value that the router uses to compare this route with routes from other route sources that have the same destination. (The router performs this comparison before placing a route in the IPv6 route table.) This parameter does not apply to routes that are already in the IPv6 route table. In general, a low administrative distance indicates a preferred route.
NOTE
Regardless of the administrative distances, the switch always prefers directly connected routes over other routes.
The ipv6 mroute command is used to direct multicast traffic along a specific path. The command takes the IPv6 address (the ingress IPv6 address) on which the source traffic is received, the ingress interface network mask, and the next-hop address leading back to the ingress source IPv6 address.
Chapter 52
Continuous System Monitor

In this chapter
• Continuous system monitor overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1371

Continuous system monitor overview

Continuous system monitoring (Sysmon) is implemented in BigIron RX to monitor the overall system’s health. Sysmon makes the monitoring service system-wide and modular. It monitors different system components of a router or a switch to determine whether those components are operating correctly.

• TM_ECC - Monitoring TM memory ECC errors.
• TM_CLOCK_SYNC - Monitoring clock synchronization among all TMs.
• TM_REG - Monitoring TM register bits, each of which indicates a problem in the TM.
• TM_Q_SCANNER - Monitoring TM queues.
• TCAM_SCAN - Scanning TCAM to discover corruptions.
• DRAM-CRC - Monitoring ingress DRAM CRC errors, and isolating the ingress TM in case of a severe error condition.

TM_REG

This event type is a special type of event. Instead of detecting a particular error condition, it reads a set of registers that monitor many error conditions simultaneously. The TM register monitor shutdown action is enabled by default. You can use the no sysmon tm reg shutdown CLI command to disable this action. The display does not show the detailed error descriptions; only registers and offending values are shown. Here is an example from Syslog.

NOTE
If the count of tx_err or rx_data_err is greater than zero, an ALARM message is generated; otherwise an INFO message is generated.

DRAM_CRC

The event type DRAM_CRC monitors a special type of monitoring register, which stores the number of ingress DRAM CRC errors and detects CRC errors quickly.

MBridge FPGA

The event MBRIDGE FPGA monitors the MP MBridge FPGA status. If an MBridge FPGA failure is detected, Sysmon sends the sysmon error log and initiates the MP “switchover”. Here is an example from Syslog.

--- Event TM Reg (Enabled) ---
Threshold: 1 / 10, FAP Shutdown: Allowed
Reg 0440: monitor mask 00fefbff, fap shutdown mask 003e0000, syslog mask 003e0000, log backoff number 1800
  FAP shutdown threshold (non-zero only): bit17-1 bit18-1 bit19-1 bit20-1 bit21-1
Reg 0444: monitor mask 0007f8c7, fap shutdown mask 0007e001, syslog mask 0007e001, log backoff number 1800
  FAP shutdown threshold (non-zero only): bit0-1 bit4-1 bit13-1 bit14-1 bit15-1 bit16-1 bit17-1 bit18-1
Reg b9

------------------------------------
--- Event FE Write-Read Test (Enabled) ---
Threshold: 1 / 10, Log Backoff Number: 1800
Action: SYSLOG
------------------------------------
--- Event MP Disco-DX (Enabled) ---
Threshold: 3 / 10, Log Backoff Number: 1800
Action: FAILOVER
------------------------------------
--- Event MP MBridge FPGA (Enabled) ---
Threshold: 0 / 0, Log Backoff Number: 1800
Action: SYSLOG
----------------------------------
Appendix A
Using Syslog

This appendix describes how to display Syslog messages and how to configure the Syslog facility, and lists the Syslog messages that a BigIron RX can display during standard operation.
NOTE
This appendix does not list Syslog messages that can be displayed when a debug option is enabled.

A Displaying Syslog messages

BigIron RX> show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dynamic Log Buffer (50 entries):
Dec 15 18:46:17:I:Interface ethernet 1/4, state up
Dec 15 18:45:21:I:Bridge topology change, vlan 4095, interface 4, changed

Here is an example of how the Syslog messages are displayed.
telnet@BigIron RX# terminal monitor
Syslog trace was turned ON
SYSLOG: <9>BigIron RX, Power supply 2, power supply on left connector, failed
SYSLOG: <14>BigIron RX, Interface ethernet 1/6, state down
SYSLOG: <14>BigIron RX, Interface ethernet 1/2, state up

Configuring the Syslog service

The procedures in this section describe how to perform the following Syslog configuration tasks:
• Specify a Syslog server.

TABLE 241 CLI display of Syslog buffer configuration
This field... – Displays...
Syslog logging – The state (enabled or disabled) of the Syslog buffer.
messages dropped – The number of Syslog messages dropped due to user-configured filters. By default, the software logs messages for all Syslog levels. You can disable individual Syslog levels, in which case the software filters out messages at those levels. Refer to “Disabling logging of a message level” on page 1386.

BigIron RX(config)# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dec 15 19:00:14:A:Fan 2, fan on left connector, failed
Dynamic Log Buffer:
Dec 15 18:46:17:I:Interface ethernet 1/4, state up
Dec 15 18:45:21:I:Bri

• ss – seconds
For example, “Oct 15 17:38:03” means October 15 at 5:38 PM and 3 seconds.

BigIron RX(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dynamic Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)
19d07h03m30s:warning:list 101 denied tcp 209.157.

BigIron RX(config)# logging host 10.0.0.99
For backward compatibility, the software reads the old command syntax from the startup configuration, and converts it to the new command syntax in the running configuration.
Syntax: logging host |

Disabling logging of a message level

To change the message level, disable logging of specific message levels. You must disable the message levels on an individual basis.

In the next example, a console session configures router bgp and the BGP neighbor command as shown.
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# nei 10.1.1.8 remote 10
Using the show log command, you would see a series of log records as shown in the following.

• sys10 – reserved for system use
• sys11 – reserved for system use
• sys12 – reserved for system use
• sys13 – reserved for system use
• sys14 – reserved for system use
• cron – cron/at subsystem
• local0 – reserved for local use
• local1 – reserved for local use
• local2 – reserved for local use
• local3 – reserved for local use
• local4 – reserved for local use
• local5 – reserved for local use
• local6 – reserved for local use
• local7 – reserved for local use
Displa
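The BigIron RX emits the same event in two shapes: the buffered form printed by show logging (a timestamp or uptime stamp, a level code or level name, then the message) and the network form echoed by terminal monitor (a syslog PRI in angle brackets, the host name, then the message). When these lines land on a collector, the operator usually wants the ACL-deny warnings and the authentication-related notifications listed in Table 242 pulled out of the stream of link-state chatter. The Python below is an added example written for this appendix, not Brocade code. It parses both shapes, recovers the level from the PRI using the standard syslog rule (PRI = facility * 8 + severity, so <9> is facility 1, severity 1 = alert, and <14> is severity 6 = informational), decodes the ACL-deny message body, and keeps only security-relevant events. The sample lines reuse formats shown in this appendix; the OSPF authentication-failure line and its addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard syslog severity numbers (PRI = facility * 8 + severity) mapped to the
# one-letter level codes the BigIron RX prints in "show logging" output.
SEVERITY_TO_CODE = {0: "M", 1: "A", 2: "C", 3: "E", 4: "W", 5: "N", 6: "I", 7: "D"}
CODE_TO_NAME = {"M": "emergency", "A": "alert", "C": "critical", "E": "error",
                "W": "warning", "N": "notification", "I": "informational", "D": "debugging"}
NAME_TO_CODE = {name: code for code, name in CODE_TO_NAME.items()}

# Buffered entry: "Dec 15 19:04:14:A:<message>" or, before the clock is set,
# an uptime stamp with the level spelled out: "21d07h02m40s:warning:<message>".
BUFFER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}|\d+d\d{2}h\d{2}m\d{2}s)"
    r":(?P<level>[ACDEIMNW]|[a-z]+):(?P<msg>.*)$")
# Entry as echoed by "terminal monitor": "SYSLOG: <PRI>hostname, <message>"
TRACE_RE = re.compile(r"^SYSLOG: <(?P<pri>\d{1,3})>(?P<host>[^,]+), (?P<msg>.*)$")
# Body of the ACL-deny warning listed in Table 242
ACL_RE = re.compile(
    r"^list (?P<acl>\d+) denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\w+)\)"
    r"\((?P<intf>[^)]*)\) -> (?P<dst>[\d.]+)\((?P<dport>\w+)\), (?P<n>\d+) event")


@dataclass
class LogEvent:
    level: str                      # one-letter level code
    message: str
    timestamp: Optional[str] = None
    facility: Optional[int] = None  # only known for the network (PRI) form
    host: Optional[str] = None

    @property
    def level_name(self) -> str:
        return CODE_TO_NAME[self.level]


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one buffered or trace-format line; return None for anything else."""
    line = line.strip()
    m = TRACE_RE.match(line)
    if m:
        pri = int(m["pri"])
        return LogEvent(level=SEVERITY_TO_CODE[pri % 8], message=m["msg"],
                        facility=pri // 8, host=m["host"].strip())
    m = BUFFER_RE.match(line)
    if m:
        lvl = m["level"]
        code = lvl if len(lvl) == 1 else NAME_TO_CODE.get(lvl)
        if code is None:
            return None
        return LogEvent(level=code, message=m["msg"], timestamp=m["ts"])
    return None


def parse_acl_deny(event: LogEvent) -> Optional[Dict[str, object]]:
    """Extract the fields of an ACL-deny warning, or None if this is not one."""
    m = ACL_RE.match(event.message)
    if not m:
        return None
    acl = int(m["acl"])
    return {"acl": acl, "kind": "standard" if acl <= 99 else "extended",
            "proto": m["proto"], "src": m["src"], "sport": m["sport"],
            "intf": m["intf"], "dst": m["dst"], "dport": m["dport"],
            "events": int(m["n"])}


def classify(lines: List[str]) -> List[Tuple[str, LogEvent]]:
    """Keep only the events a security operator would want to act on."""
    out: List[Tuple[str, LogEvent]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                            # not a BigIron log line
        if parse_acl_deny(ev):
            out.append(("acl-deny", ev))
        elif "authen failure" in ev.message or "DOS attack" in ev.message:
            out.append(("auth", ev))
        elif ev.level in ("M", "A", "C"):
            out.append(("critical", ev))        # hardware faults, overflows
    return out


# Constructed sample: the first five lines copy formats shown in this appendix;
# the OSPF line is a made-up instance of a Table 242 notification (<13> = facility 1,
# severity 5) with documentation-range addresses.
SAMPLE_LINES = [
    "Dec 15 19:04:14:A:Fan 1, fan on right connector, failed",
    "Dec 15 18:46:17:I:Interface ethernet 1/4, state up",
    "21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)"
    "(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)",
    "SYSLOG: <9>BigIron RX, Power supply 2, power supply on left connector, failed",
    "SYSLOG: <14>BigIron RX, Interface ethernet 1/6, state down",
    "SYSLOG: <13>BigIron RX, OSPF intf authen failure, rid 192.0.2.1, "
    "intf addr 192.0.2.1, pkt src addr 192.0.2.9, error type 4, pkt type 1",
    "not a log line",
]

if __name__ == "__main__":
    for kind, ev in classify(SAMPLE_LINES):
        print(f"{kind:9} {ev.level_name:13} {ev.message}")
```

Two details matter when wiring this to a real collector: the buffered form carries no facility at all, so filters keyed on the facility configured with logging facility only work on lines received over the network, and the "1 event(s)" counter on ACL-deny lines is a rate-limited summary, so the count, not the number of log lines, is the number of dropped packets.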
Syslog messages

Table 242 lists all of the Syslog messages. The messages are listed by message level, in the following order:
• Emergencies (none)
• Alerts
• Critical
• Errors
• Warnings
• Notifications
• Informational
• Debugging

TABLE 242 Brocade Syslog messages
Message level – Message – Explanation
Alert – Power supply , , failed – A power supply has failed. The first parameter is the power supply number. The second describes where the failed power supply is in the device.

TABLE 242 Brocade Syslog messages (Continued)
OSPF LSA Overflow, LSA Type = – Indicates an LSA database overflow. The parameter indicates the type of LSA that experienced the overflow condition. The LSA type is one of the following:
• 1 – Router
• 2 – Network
• 3 – Summary
• 4 – Summary
• 5 – External
Alert – ISIS MEMORY USE EXCEEDED – IS-IS is requesting more memory than is available.

TABLE 242 Brocade Syslog messages (Continued)
Critical – Authentication shut down due to DOS attack – Denial of Service (DoS) attack protection was enabled for multi-device port authentication on the specified port, and the per-second rate of RADIUS authentication attempts for the port exceeded the configured limit. The device considers this to be a DoS attack and disables the port.

TABLE 242 Brocade Syslog messages (Continued)
Warning – list denied () (Ethernet ) -> (), 1 events – Indicates that an Access Control List (ACL) denied (dropped) packets. The first value indicates the ACL number. Numbers 1 – 99 indicate standard ACLs. Numbers 100 – 199 indicate extended ACLs. The next value indicates the IP protocol of the denied packets.

TABLE 242 Brocade Syslog messages (Continued)
Notification – Module was inserted to slot – Indicates that a module was inserted into a device slot. The value is the number of the device slot into which the module was inserted.
Notification – Module was removed from slot – Indicates that a module was removed from a device slot. The value is the number of the device slot from which the module was removed.

TABLE 242 Brocade Syslog messages (Continued)
Notification – OSPF interface state changed, rid , intf addr , state – Indicates that the state of an OSPF interface has changed. The rid is the router ID of the device. The intf addr is the interface’s IP address.

TABLE 242 Brocade Syslog messages (Continued)
Notification – OSPF nbr state changed, rid , nbr addr , nbr rid , state – Indicates that the state of an OSPF neighbor has changed. The rid is the router ID of the device. The nbr addr is the IP address of the neighbor. The nbr rid is the router ID of the neighbor.

TABLE 242 Brocade Syslog messages (Continued)
Notification – OSPF intf config error, rid , intf addr , pkt src addr , error type , pkt type – Indicates that an OSPF interface configuration error has occurred. The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.

TABLE 242 Brocade Syslog messages (Continued)
Notification – OSPF virtual intf config error, rid , intf addr , pkt src addr , error type , pkt type – Indicates that an OSPF virtual routing interface configuration error has occurred. The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.

TABLE 242 Brocade Syslog messages (Continued)
Notification – OSPF intf authen failure, rid , intf addr , pkt src addr , error type , pkt type – Indicates that an OSPF interface authentication failure has occurred. The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.

TABLE 242 Brocade Syslog messages (Continued)
Notification – OSPF virtual intf authen failure, rid , intf addr , pkt src addr , error type , pkt type – Indicates that an OSPF virtual routing interface authentication failure has occurred. The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.

TABLE 242 Brocade Syslog messages (Continued)
Notification – OSPF virtual intf rcvd bad pkt, rid , intf addr , pkt src addr , pkt type – Indicates that an OSPF interface received a bad packet. The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.

TABLE 242 Brocade Syslog messages (Continued)
Notification – OSPF virtual intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid – An OSPF interface on the device has retransmitted a Link State Advertisement (LSA). The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.

TABLE 242 Brocade Syslog messages (Continued)
OSPF intf rcvd bad pkt: Bad Checksum, rid – The device received an OSPF packet that had an invalid checksum. The rid is the device’s router ID. The intf addr is the IP address of the Brocade interface that received the packet. The pkt size is the number of bytes in the packet. The checksum is the checksum value for the packet. The pkt src addr is the IP address of the neighbor that sent the packet.

TABLE 242 Brocade Syslog messages (Continued)
Notification – VRRP intf state changed, intf , vrid , state – A state change has occurred in a Virtual Router Redundancy Protocol (VRRP) interface. The intf is the port. The vrid is the virtual router ID (VRID) configured on the interface.

TABLE 242 Brocade Syslog messages (Continued)
Notification – Local TCP exceeds burst packets, stopping for seconds!! – Threshold parameters for local TCP traffic on the device have been configured, and the maximum burst size for TCP packets has been exceeded. The first value is the maximum burst size (maximum number of packets allowed).
Syslog messages TABLE 242 A Brocade Syslog messages (Continued) Message level Message Explanation Notification DOT1X issues software but not physical port up indication of Port to other software applications The device has indicated that the specified port has been authenticated, but the actual port may not be active.
A Syslog messages TABLE 242 Brocade Syslog messages (Continued) Message level Message Explanation Informational Trunk group () created by 802.3ad link-aggregation module. 802.3ad link aggregation is configured on the device, and the feature has dynamically created a trunk group (aggregate link). The is a list of the ports that were aggregated to make the trunk group.
Syslog messages TABLE 242 A Brocade Syslog messages (Continued) Message level Message Explanation Informational vlan Bridge is RootBridge (MgmtPriChg) 802.1W changed the current bridge to be the root bridge of the given topology due to administrative change in bridge priority. Informational vlan Bridge is RootBridge (MsgAgeExpiry) The message age expired on the Root port so 802.1W changed the current bridge to be the root bridge of the topology.
A Syslog messages TABLE 242 Brocade Syslog messages (Continued) Message level Message Explanation Informational ACL added | deleted | modified from console | telnet | ssh | web | snmp session A user created, modified, deleted, or applied an ACL through the Web, SNMP, console, SSH, or Telnet session.
Appendix B  Software Specifications

This appendix lists the following information for the BigIron RX:
• IEEE compliance
• RFC support
• Internet draft support

IEEE compliance
• 802.3ae — 10-Gigabit Ethernet
• 802.3x — Flow Control
• 802.3ad — Link Aggregation
• 802.1Q — Virtual Bridged LANs
• 802.1D — MAC Bridges
• 802.1w — Rapid STP
• 802.1s — Multiple Spanning Trees
• 802.1X — User authentication
• 802.

RFC compliance
• 1269 — Managed Objects for BGP
• 1657 — Managed Objects for BGP-4 using SMIv2
• 3392 — Capabilities Advertisement with BGP-4
• 2385 — BGP Session Protection through TCP MD5
• 3682 — Generalized TTL Security Mechanism, for eBGP Session Protection

RFC compliance - OSPF
• 2178 — OSPF
• 1583 — OSPF v2
• 3103 — OSPF NSSA
• 1745 — OSPF Interactions
• 1765 — OSPF Database Overflow
• 1850 — OSPF Traps
• 2328 — OSPF v2
• 1850 — OSPF v2 MIB
• 2370 — OSPF Opaque LSA Option
• 3623 — Graceful OSP

• 3973 — PIM-DM
• 1075 — DVMRP v2
• 4541 — Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches
• DVMRP v3-07
• 2283 — MBGP

RFC compliance - general protocols
• 791 — IP
• 792 — ICMP
• 793 — TCP
• 783 — TFTP
• 826 — ARP
• 768 — UDP
• 894 — IP over Ethernet
• 903 — RARP
• 906 — TFTP Bootstrap
• 1027 — Proxy ARP
• 950 — Subnets
• 951 — BootP
• 1122 — Host Extensions for IP Multicasting
• 12

RFC compliance - management
• 1757 — RMON Groups Partial 1, full for 2, 3, 9
• 4251 — The Secure Shell (SSH) Protocol Architecture
• 2068 — HTTP
• 2030 — SNTP
• 2865 — RADIUS
• 2866 — RADIUS Accounting
• 2868 — RADIUS Attributes for Tunnel Protocol
• 2869 — RADIUS Extensions
• 3176 — sFlow
• 2578 — SNMPV2
• 2579 — Textual Conventions for SMIv2
• 3410 — SNMPV3
• 3411 — Architecture for SNMP
• 3412 — Message Processing and Dispatching for SNMP
• 3413 — Simple Network Mana

• 3513 — IPv6 Addressing Architecture
• 1981 — IPv6 Path MTU Discovery
• 3587 — IPv6 Global Unicast Address Format
• 2375 — IPv6 Multicast Address Assignments
• 2464 — Transmission of IPv6 over Ethernet Networks
• 2711 — IPv6 Router Alert Option
• 3596 — DNS support

RFC compliance - IPv6 routing
• 2080 — RIPng for IPv6
• 2740 — OSPFv3 for IPv6
• 2545 — Use of MP-BGP-4 for IPv6

RFC compliance - IPv6 multicast
• 3810 — Multicast Listener Discovery Version 2 for IPv6
• 4601 — PIM-

Internet drafts
• Draft-ietf-idr-route-filter
• Draft-holbrook-idmr-igmpv3-ssm - IGMPv3 & MLDv2 for SSM
• Draft-ietf-ssm-arch SSM for IP

1414 BigIron RX Series Configuration Guide 53-1002484-04
Appendix C  NIAP-CCEVS Certification

Some Brocade devices have passed the Common Criteria (CC) certification testing. This testing is sponsored by the National Information Assurance Partnership (NIAP) - Common Criteria Evaluation and Validation Scheme (CCEVS). For more information regarding the NIAP-CCEVS certification process, refer to the following link: http://www.niap-ccevs.org/.

Local user password changes

Please note that if existing usernames and passwords have been configured on a Brocade device with specific privilege levels (super-user, read-only, port-config), and you attempt to change a user's password by executing the following syntax, the privilege level of that user will be changed from its current value to "super-user".

BigIron RX(config)# user brcdreadonly password
Appendix D  Commands That Require a Reload

Most CLI commands take effect as soon as you enter them. However, a small number of commands require a software reload to take effect. Table 245 lists the commands. To place a configuration change made by one of these commands into effect, you must save the change to the startup-config file, then reload the software. If you reload the software without saving the change to the startup-config file, the device does not make the change.
Appendix E  Index to the CLI Commands

This appendix lists the CLI commands discussed in this configuration guide. Look for the CLI command alphabetically by feature. You can also use your browser's search function to find the command you want. When you find the command, click on the link to display the section that discusses that command.

ACLs (IP)

Numbered ACL commands
Commands  See ...

Named ACL commands
Commands  See ...
ip access-group I in  "Configuring standard numbered ACLs" on page 600; "Configuring extended numbered ACLs" on page 602; "Configuring standard or extended named ACLs" on page 611
ip access-group in ethernet [...

ACLs (L2)
Commands  See ...

BGP4
Commands  See ...
show ip bgp flap-statistics [regular-expression | [longer-prefixes] | neighbor | filter-list ...
snmp-server enable traps bgp  "Generating traps for BGP" on page 892
timers keep-alive hold-time  "Changing the keep alive time and hold time" on page 865
update-time  "Changing the BGP4 next-hop update timer" on page 865

FDP/CDP
Commands  See ...

IP
Commands  See ...
show ip route summary  "Displaying the IP route table" on page 229
show ip static-arp [ethernet | mac-address

IPv6 BGP4+
Commands  See ...

IPv6 ACL
Commands  See ...

IPv6 basic connectivity
Commands  See ...

IPv6 multicast
Commands  See ...

IPv6 OSPFv3
Commands  See ...

IS-IS
Commands  See ...
maximum-paths  "Changing the maximum number of load sharing paths" on page 959
max-lsp-lifetime  "Changing the maximum LSP lifetime" on page 956
metric-style wide [level-1-only | level-2-only]  "Changing the metric style" on page 958
net ..
show isis traffic  "Displaying traffic statistics" on page 978
show logging  "Displaying IS-IS Syslog messages" on page 970
spf-interval  "Changing the SPF timer" on page 957
summary-address [level-1-only | level-1-2 | level-2-only]  "Configuring summary addresses" on page 961

Metro Ring
Commands  See ...

MSTP
Commands  See ...

Multi-Chassis Trunking
Commands  See ...

Multicast (IP)
Commands  See ...

Multicast (L2)
Commands  See ...

OSPF version 4
Commands  See ...

Port parameters
Commands  See ...

Port-based routing
Commands  See ...

Rate limiting
Commands  See ...

RIP
Commands  See ...

RMON
Commands  See ...

RSTP
Commands  See ...

Security/Management
Commands  See ...
dot1x re-authenticate  "Re-authenticating a port manually" on page 1061
dot1x-enable  "Enabling 802.1x port security" on page 1059
enable all I [to ]  "Enabling 802.

Authentication method list
Commands  See ...
aaa authentication snmp-server | web-server | enable | login | dot1x default [] [] [] [] [] []  "Examples of authentication-method lists" on page 106

Passwords
Commands  See ...
ip ssl port  "Specifying a port for SSL communication" on page 74
ip ssl private-key-file tftp  "Importing digital certificates and RSA private key files" on page 74
web-management https  "Enabling the SSL server on the device" on page 74

TACACS and TACACS+
Commands  See ...
telnet server enable vlan  "Restricting Telnet access to a specific VLAN" on page 61
telnet server suppress-reject-message  "Suppressing Telnet connection rejection messages" on page 64
telnet-server  "Disabling Telnet access" on page 62

TFTP access
Commands  See ...
tftp client enable vlan  "Restricting TFTP access to a specific VLAN" on page 61

User account
Commands  See ...
ip tcp tcp-security  "Disabling the TCP security enhancement" on page 1081
show statistics dos-attack [| begin | exclude | include ]  "Displaying statistics due DoS attacks" on page 1081

MAC authentication
Commands  See ...
show auth-mac-address detail  "Displaying multi-device port authentication configuration information" on page 1017
show auth-mac-address  "Displaying authenticated MAC address information" on page 1017
show auth-mac-addresses authorized-mac  "Displaying the authenticated MAC addresses" on page 1021
show auth-mac-addresses unauthorized-mac  "Displaying the non-authenticated MAC addresses" on page 1021

MAC port security
Commands  See ...

Redundant management module
Commands  See ...
locate startup-config  "Displaying the current location for saving configuration changes" on page 50
locate startup-config [slot1 | slot2 | flash-memory] [//]  "Specifying the location for saving configuration changes" on page 50

SNMP
Commands  See ...

sFlow
Commands  See ...

STP
Commands  See ...
show logging  "Displaying the Syslog configuration" on page 1381
terminal monitor  "Enabling real-time display of Syslog messages" on page 1380

System parameters
Commands  See ...

Topology
Commands  See ...

LAG
Commands  See ...
show link-keepalive [ethernet ]  "Displaying information for all ports" on page 283; "Displaying information for a single port" on page 285
show link-keepalive ethernet  "Displaying information for all ports" on page 283

VLAN
Commands  See ...

VRRP/VRRPE
Commands  See ...

VSRP
Commands  See ...