53-1003086-04 30 July 2014 FastIron Ethernet Switch Platform and Layer 2 Switching Configuration Guide Supporting FastIron Software Release 08.0.
© 2014, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron, HyperEdge, ICX, MLX, MyBrocade, NetIron, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and The Effortless Network and the On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands and product names mentioned may be trademarks of others.
Preface
● Document conventions
● Brocade resources
● Contacting Brocade Technical Support
● Document feedback
Convention | Description
value | In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN.
[] | Syntax components displayed within square brackets are optional. Default responses to system prompts are enclosed in square brackets.
{x|y|z} | A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options.
Brocade resources
Visit the Brocade website to locate related documentation for your product and additional Brocade resources. You can download additional publications supporting your product at www.brocade.com. Select the Brocade Products tab to locate your product, then click the Brocade product name or image to open the individual product page. The user manuals are available in the resources module at the bottom of the page under the Documentation category.
• Brocade Supplemental Support augments your existing OEM support contract, providing direct access to Brocade expertise. For more information, contact Brocade or your OEM.
• For questions regarding service levels and response times, contact your OEM/Solution Provider.
Document feedback
To send feedback and report errors in the documentation you can use the feedback form posted with the document or you can e-mail the documentation team.
About This Document
● What’s new in this document
● Supported Hardware
● How command information is presented in this guide
What’s new in this document
This document includes a description of the new information added to this guide for version 08.0.
For information about the specific models and modules supported in a product family, refer to the hardware installation guide for that product family. GUID-BD61815D-8E7F-4840-B7EFB69773CD6D2B lists the hardware installation guides.
How command information is presented in this guide
For all new content, command syntax and parameters are documented in a separate command reference section at the end of the publication.
Basic Layer 2 Features
● Supported basic Layer 2 features
● About port regions
● Enabling or disabling the Spanning Tree Protocol (STP)
● Management MAC address for stackable devices
Feature | ICX 6430 | ICX 6450 | FCX | ICX 6610 | ICX 6650 | FSX 800 FSX 1600 | ICX 7750
Multi-port static MAC address | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | Yes | 08.0.10
Static MAC entries with option to set traffic priority | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Flow-based MAC address learning | No | No | No | No | No | 08.0.01 | No
Port-based VLANs | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Address locking (for MAC addresses) | 08.0.011 | 08.
About port regions
This section describes port regions on FastIron switches.
FastIron X Series device port regions
Ports on the FastIron X Series devices are grouped into regions. For a few features, you will need to know the region to which a port belongs. However, for most features, a port region does not affect configuration or operation of the feature.
NOTE
Port regions do not apply to trunk group configurations on the FastIron X Series devices.
ICX 6430 device port regions
• A 24-port Gbps module has one port region. The four SFP ports on the device also belong to this single port region.
• A 48-port Gbps module has two port regions:
  ‐ Ports 1-24 and SFP ports 1 & 2 belong to port region 0
  ‐ Ports 25-48 and SFP ports 3 & 4 belong to port region 1
ICX 6450 device port regions
• A 24-port Gbps module has one port region. The four SFP+ ports on the device also belong to this single port region.
You can also enable and disable spanning tree on a port-based VLAN and on an individual port basis, and enable advanced STP features. Refer to Spanning Tree Protocol on page 251.
Changing the MAC age time and disabling MAC address learning
To change the MAC address age timer, enter a command such as the following.
device(config)#mac-age-time 60
Syntax: [no] mac-age-time secs
secs specifies the number of seconds. Possible values differ depending on the version of software running on your device, as follows:
• On Brocade FCX Series devices, you can configure the MAC address age timer to 0 or a value from 10-1000 (seconds).
MAC address learning configuration notes and feature limitations
• This command is not available on virtual routing interfaces. Also, if this command is configured on the primary port of a trunk, MAC address learning will be disabled on all the ports in the trunk.
• Entering the mac-learn-disable command on tagged ports disables MAC learning for that port in all VLANs to which that port is a member.
The default and maximum configurable MAC table sizes can differ depending on the device. To determine the default and maximum MAC table sizes for your device, display the system parameter values. Refer to Displaying and modifying system parameter default settings on page 37.
Multi-port static MAC address
Many applications, such as Microsoft NLB, Juniper IPS, and Netscreen Firewall, use the same MAC address to announce load-balancing services.
You can configure a maximum of 2048 static MAC address drop entries on a Brocade device. Use the CLI command show running-config to view the static MAC address drop entries currently configured on the device.
Configuring a VLAN to drop static MAC entries
To configure a VLAN to drop packets with a source or destination MAC address of 0000.0063.67FF, enter the following commands.
device(config)#vlan 2
device(config-vlan-2)#static-mac-address 0000.0063.
Flow-based learning overview
With regular MAC address learning, when a new MAC address is learned, it is programmed in the same location (hardware index) in all packet processors in a FastIron Layer 2 or Layer 3 switch. There are multiple packet processors (one per port region) in a compact switch, and in each module in a chassis-based switch. With regular MAC address learning, MAC addresses are global, meaning the hardware MAC table is identical across all packet processors.
NOTE
Global MAC addresses have priority over dynamic flow-based MAC addresses. To ensure that global MAC addresses are in sync across all packet processors, flow-based MAC addresses may be overwritten in one or more packet processors. The MAC addresses will be relearned and reprogrammed using the flow-based method as needed by incoming traffic flows.
Syntax: [no] mac-learning-flow-based
Use the no form of the command to disable flow-based MAC address learning. When disabled, all dynamically-learned MAC addresses are flushed from the hardware and software MAC tables and are subsequently learned using global MAC address learning.
To display all of the packet processors that have a particular flow-based MAC address, use the show mac-address vlan command.
device#show mac-address vlan 1 0000.0000.0001
Total active entries from all ports = 16
MAC-Address     Port  Type     Index
0000.0000.0001  1/1   Dynamic  NA
Present in following devices (at hw index) :
0 (8196 )   4 (8196 )
In the above example, the MAC address 0000.0000.0001 is programmed in packet processors 0 and 4, and the hardware index is 8196.
NOTE
The second command is optional and also creates the VLAN if the VLAN does not already exist. You can enter the first command after you enter the second command if you first exit to the global CONFIG level of the CLI.
Assigning IEEE 802.1Q tagging to a port
When a port is tagged, it allows communication among the different VLANs to which it is assigned.
When you create a MAC address filter, it takes effect immediately. You do not need to reset the system. However, you do need to save the configuration to flash memory to retain the filters across system resets.
Monitoring MAC address movement
MAC address movement notification allows you to monitor the movement of MAC addresses that migrate from port to port.
Syntax: [no] mac-movement notification threshold-rate move-count sampling-interval interval
The move-count variable indicates the number of times a MAC address can move within the specified period until an SNMP trap is sent. It has no default value. The interval variable specifies the sampling period in seconds. It has no default value.
TABLE 2 Field definitions for the show notification mac-movement threshold-rate command (Continued)
Field | Description
MAC-Address | The MAC address that has moved to a different port.
from-Port | The port from which the MAC address moved.
to-Port | The port to which the MAC address moved.
Last Move-Time | The time the last move occurred. It uses the system up time if there is no time server configured.
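The threshold-rate check configured with mac-movement notification threshold-rate can be replayed offline over move records collected from the switch. The following is an added example, not Brocade code: it assumes fixed, non-overlapping sampling intervals and that a notification is due once a MAC address's move count within one interval reaches move-count. The record layout, the values 3 and 30, and the sample data are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records: (seconds since capture start, MAC, from-Port, to-Port).
# MAC spellings are mixed on purpose, as happens when records come from several tools.
SAMPLE_MOVES = [
    (2,  "0000.0000.0051",    "7/1", "7/2"),
    (5,  "0000.0000.0050",    "7/1", "7/2"),
    (9,  "0000.0000.0051",    "7/2", "7/1"),
    (15, "00-00-00-00-00-51", "7/1", "7/2"),
    (25, "0000.0000.004e",    "7/1", "7/2"),
    (28, "0000.0000.0051",    "7/2", "7/1"),
    (29, "0000.0000.004e",    "7/2", "7/1"),
    (31, "00:00:00:00:00:4F", "7/1", "7/2"),
    (33, "0000.0000.004e",    "7/1", "7/2"),
    (36, "0000.0000.004e",    "7/2", "7/1"),
    (40, "0000.0000.0050",    "7/2", "7/1"),
    (44, "0000.0000.004f",    "7/2", "7/1"),
    (59, "0000.0000.004f",    "7/1", "7/2"),
]


def normalize_mac(text):
    """Return a MAC address in the dotted xxxx.xxxx.xxxx form the CLI prints."""
    digits = re.sub(r"[.:\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def threshold_alerts(moves, move_count, interval):
    """Report every (interval, MAC) pair whose move count reaches move_count.

    Assumption: intervals are fixed windows [k*interval, (k+1)*interval).
    A MAC that flaps across a window boundary can therefore stay under the
    threshold in both windows (0000.0000.004e in the sample data does).
    """
    if move_count < 1 or interval < 1:
        raise ValueError("move_count and interval must be positive integers")
    counts = defaultdict(int)
    last_move = {}
    for t, mac, from_port, to_port in sorted(moves, key=lambda m: m[0]):
        if from_port == to_port:
            continue  # same port on both sides is not a move
        key = (t // interval, normalize_mac(mac))
        counts[key] += 1
        last_move[key] = (t, from_port, to_port)
    alerts = []
    for (window, mac), n in sorted(counts.items()):
        if n >= move_count:
            t, from_port, to_port = last_move[(window, mac)]
            alerts.append({
                "window_start": window * interval,
                "mac": mac,
                "moves": n,
                "from_port": from_port,   # ports of the last move in the window
                "to_port": to_port,
                "last_move": t,
            })
    return alerts


if __name__ == "__main__":
    # Hypothetical settings: move-count 3, sampling-interval 30 seconds.
    for alert in threshold_alerts(SAMPLE_MOVES, move_count=3, interval=30):
        print(alert)
```

Lowering the threshold or shortening the interval in a replay like this shows how many notifications a candidate setting would have produced before it is configured on the device.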
1000 15 01:13:20 10 0000.0000.0051 1002 15 01:13:20 May 7/1 7/2 0000.0000.0050 1012 15 01:13:20 7/1 7/2 0000.0000.004f 1018 15 01:13:20 7/1 7/2 0000.0000.004e 1012 15 01:13:20 7/1 7/2 (output truncated) May 10 May 10 May 10 May 10
The following table defines the fields in the output of the show notification mac-movement interval-history command.
SNMP MAC-notification trap support
The SNMP MAC-notification trap functionality allows an SNMPv3 trap to be sent to the SNMP manager when MAC addresses are added or deleted in the device. The SNMP manager or management software can then use these traps to define a security policy based on the requirement of the enterprise where the device is installed.
The following example shows enabling SNMP traps for MAC-notification on Ethernet interface 1/1/5:
device(config)# mac-notification interval 30
device(config)# interface ethernet 1/1/5
device(config-if-e1000-1/1/5)# snmp-server enable traps mac-notification
device(config-if-e1000-1/1/5)# exit
device(config)# system-max mac-notification-buffer 4000
Use the show interfaces ethernet command to check whether a MAC-notification SNMP trap is enabled or disabled on an interface.
TABLE 4 MAC address notification events and values (Continued)
Event Action Value Description Expected action by management software
VLAN and port values
REMOVE-ALLMAC-ON-PORT | 4 | This event is generated when all the MAC addresses on a particular port are flushed, for example, when the link goes down. | Management software should clear all the MAC addresses learnt on this particular port from its forwarding table.
The tables you can configure, as well as the default values and valid ranges for each table, differ depending on the Brocade device you are configuring. To display the adjustable tables on your Brocade device, use the show default values command. The following shows example outputs.
System default settings configuration considerations
• Changing the table size for a parameter reconfigures the device memory.
ip addr per intf:24
when multicast enabled :
igmp group memb.:260 sec   igmp query:125 sec
when ospf enabled :
ospf dead:40 sec   ospf hello:10 sec   ospf transit delay:1 sec
when bgp enabled :
bgp local pref.:100   bgp keep alive:60 sec   bgp metric:10   bgp local as:1   bgp ext. distance:20   bgp int.
ip-static-route vlan spanning-tree mac-filter-port mac-filter-sys ip-subnet-port session-limit view virtual-interface hw-traffic-condition rmon-entries mld-max-group-addr igmp-snoop-mcache mld-snoop-mcache ip6-route ip6-static-route ip6-cache gre-tunnels hw-ip-route-tcam 64 64 32 16 32 24 8192 10 255 896 1024 8192 512 512 580 37 93 16 8192 2048 4095 254 256 512 128 16384 65535 512 896 32768 32768 8192 8192 1348 269 674 64 8192 2048 4095 254 256 512 128 16384 65535 512 896 32768 32768 32
when bgp enabled :
bgp local pref.:100   bgp metric:10   bgp ext.
TABLE 5 System parameters in show default values command (Continued)
Parameter | Definition
ip-route | Learned IP routes
ip-static-arp | Static IP ARP entries
ip-static-route | Static IP routes
ip-subnet-port | IP subnets per port
l3-vlan | Layer 3 VLANs
mac | MAC entries
mac-filter-port | MAC address filter entries per port
mac-filter-sys | MAC address filter entries per system
multicast-route | Multicast routes
pim-mcache | PIM multicast cache entries
rmon-entrie
The num parameter specifies the maximum number of routes in the IP route table. The minimum value is 4096. The maximum value is 524288 (subject to route patterns for FSX). The default is 80000 IP routes. For ICX 6650, the minimum value is 2048. The maximum value is 7168. The default is 5120 IP routes.
NOTE
If you accidentally enter a value that is not within the valid range of values, the CLI will display the valid range for you.
• If there is any over-subscription on the egress port, either due to speed mismatch or network topology, the device will buffer the packets and the forwarding behavior will be similar to store-and-forward mode.
• If an FCS error is determined when the packet is processed by the ingress pipe, it is dropped at the end of the ingress pipe.
Default queue depth limits for FastIron X Series devices
The following table defines the default maximum queue depth values per port, per traffic class. The Brocade device drops the packets that cause the port to exceed these limits.
NOTE
The SX-FI48GPP Interface module supports 48 tri-speed (10/100/1000) ports.
Configuring the transmit queue depth limit for a given traffic class on FastIron X Series devices
NOTE
To configure transmit queue depth limits for an SX-FI48GPP module, refer to Buffer profile configuration on page 47.
To set the transmit queue depth limit on a port for a given traffic class, first enter the transmit queue depth limit for the traffic class, and then specify the traffic class.
Buffer profile configuration
The following Interface modules support up to eight buffer profiles:
• SX-FI48GPP
• SX-FI-24GPP
• SX-FI-24HF
• SX-FI-2XG
• SX-FI-8XG
A buffer profile defines the total transmit queue depth limit for a port and the transmit queue depth limit for a given traffic class. On the listed supported Interface modules, each port is associated with a buffer profile.
For ports that use buffer profile 2, packets with priority 1 are added to the outbound queue as long as the packets do not exceed 299 buffers. When the port reaches its queue depth limit of 300, packets with the given traffic class will be dropped.
Syntax: [no] qd slotnum/portnum limit traffic-class
The limit variable can be a value from 0 through 4095 and cannot exceed the total transmit queue depth limit configured in the previous step.
Dynamic buffer allocation for FCX and ICX devices
By default, the traditional stack architecture allocates fixed buffers on a per-priority queue, per-packet processor basis. The buffers control the total number of packets that can be queued in the outbound transmit for the port.
NOTE
For FCX devices, when you reset buffer values for the 10 Gbps ports, the buffer values for the rear-panel 10 Gbps and 16 Gbps ports are also reset.
1. Configure the allowable port descriptors. Port descriptors set the limit for the ports. The minimum limit for the port descriptors is 16. The maximum limit of the port descriptors depends on the hardware device.
Sample configuration for buffer profile with qd-descriptor and qd-buffer commands on FCX and ICX
This sample configuration assumes a four-unit stack with the following topology. Note that there is no packet processor 3 or 7, because stack units 2 and 4 are 24-port devices.
egress buffers and descriptors limits to the port and on its queues. This template is then applied to the device.
NOTE
Buffer profiles can be configured for 10 Gbps and 1 Gbps ports, but not for ICX 6610 40 Gbps ports. The 10 Gbps profile will apply to ICX 6430 and 6450 stacking ports, as well as FCX 16 Gbps stacking ports.
Configuring and applying a user-configurable buffer profile is a two-step process.
Port type modification resets the profile to its default value. All the port and queue buffers and descriptors will be set to either 1 Gbps or 10 Gbps defaults as per the configuration, which means all the user configurations for the port and its queues will be lost.
NOTE
Port type modifications on an active profile are not allowed.
3. Configure the port buffers. Port buffer sets the maximum buffer limit for the ports. The maximum limit depends on the hardware device.
The port-region variable is the device number on which the user-configurable buffer profile is applied. The user-profile-name variable is the name of the user-configured profile.
Buffer and descriptor maximum and default allocation values
This section lists the maximum and default buffers and descriptors values of a port and its queues on each hardware platform. The following tables are included:
• Table 8 describes FCX devices.
TABLE 9 Port buffer and descriptors values on ICX 6610 devices (Continued)
 | 1 Gbps buffers and descriptors | 10 Gbps buffers and descriptors | 40 Gbps buffers and descriptors
TC1 | 32 | 48 | 64
TC2 | 32 | 48 | 64
TC3 | 32 | 48 | 64
TC4 | 32 | 48 | 64
TC5 | 64 | 96 | 144
TC6 | 64 | 96 | 144
TC7 | 64 | 96 | 144
TABLE 10 Port buffer and descriptors values on ICX 6430 devices1
 | 1 Gbps buffers | 10 Gbps buffers | 1 Gbps descriptors | 10 Gbps descriptors
Port Limit | 4032 | NA | 3854 | NA
TC0 | 182 | NA | 182 | NA
TABLE 11 Port buffer and descriptors values on ICX 6450 devices1 (Continued)
 | 1 Gbps buffers | 10 Gbps buffers | 1 Gbps descriptors | 10 Gbps descriptors
TC3 | 144 | 192 | 144 | 192
TC4 | 144 | 192 | 144 | 192
TC5 | 192 | 256 | 192 | 256
TC6 | 192 | 256 | 192 | 256
TC7 | 192 | 256 | 192 | 256
1 Values are the same for stand-alone and stacking systems.
TABLE 12 Field definitions for the output of show qd-buffer-profile command
Field | Description
User Buffer Profile | The name of the user-configurable buffer profile
Port-type | The type of the port: 1 Gbps or 10 Gbps or All
Total Buffers | The total number of buffers allocated to the port
Total Descriptors | The total number of descriptors allocated to the port
Per Queue details | The names of the queues
Buffers | The total number of buffers allocated to t
ICX 6610 buffer sharing levels If you configure buffers at the port or queue level (using qd commands or buffer profiles), the buffer sharing level automatically changes to 1. You can change it manually.
TABLE 14 ICX 6610 buffer sharing level definitions (Continued)
Buffer sharing level Shared buffer limit Shared buffer total (in kilobytes) Pool 0 sharing buffers (in kilobytes)
5 (default) | 768 | 128 | 192 | 192 | 625 | 375
6 | 1024 | 128 | 192 | 192 | 750 | 500
7 | 1280 | 128 | 192 | 192 | 875 | 625
8 | 1536 | 128 | 192 | 192 | 1000 | 750
ICX 6430 and ICX 6450 buffer sharing levels
The ICX 6430 and 6450 buffer sharing level configures the shared buffers on the device.
Removing buffer allocation limits on FCX and ICX Following is an example for ICX 6610 devices.
Buffer profiles for VoIP on FastIron stackable devices
NOTE
Configuring buffer profiles for VoIP traffic is not supported on FastIron X Series and ICX 6650 devices.
Configuring VoIP buffer profiles adds buffer profiles for 1 GbE-to-100 Mbit traffic, simplifying configuration and improving performance. VoIP profiles allow you to configure a pre-defined set of buffers and descriptors for the priority 0 and 7.
Buffer and descriptor maximum and default allocation values for ICX 6650
The ingress descriptors are a total of 16K buffers. Each buffer is 512 bytes. The 16K buffers are divided into 8 cores of 2K each. The egress descriptors are divided into two pools. Pool 1 is shared by ports 1/1/9 to 1/1/56, and pool 2 is shared by the rest of the ports. Each pool is 8K. Frames targeting ports that belong to core 0-3 use descriptors from the first pool.
TABLE 17 ICX 6650 buffer sharing level definitions
Shared buffer limit Pool 0 –TC 0, 1 Pool 1 – TC 2, 3, 4 Pool 2 – TC 5, 6 Pool 3 – TC 7 Shared buffer total (in kilobytes) Pool 0 sharing buffers (in kilobytes)
768 128 192 192 625 375
Displaying buffer sharing information on ICX 6650
Viewing information about buffer sharing
To display information about buffer sharing, enter the show qd-share-level command.
Enabling and disabling remote fault notification
RFN is ON by default. To disable RFN, use the following command.
device(config)#interface e 0/1/1
device(config-if-e1000-0/1/1)#gig-default neg-off
To re-enable RFN, use the following command.
Viewing the status of LFS-enabled links
The status of an LFS-enabled link is shown in the output of the show interface and show interface brief commands, as shown in the following examples.
device#show interface e 10/1
10GigabitEthernet10/1 is down (remote fault), line protocol is down
Hardware is 10GigabitEthernet, address is 0000.0027.79d8 (bia 0000.0027.
Packet InError Detection counts an ingress frame that has one or more of the following errors as an inError packet:
• Alignment error
• CRC error
• Oversized frame error
• Internal received MAC address error (Errors that do not fall in the above 3 types)
• Symbol error (includes the fragmented, short, or undersized frames)
You can configure the number of inError packets allowed per port in a specified sampling interval.
Syslog message for error-disabled port due to inError packets
The following syslog message is generated when a port is error-disabled because of inError packets.
Metro Features
● Supported metro features
● Topology groups
● Metro Ring Protocol
● VSRP
You can use topology groups with the following Layer 2 protocols:
• STP/RSTP
• MRP
• VSRP
• 802.1W
Topology groups simplify Layer 2 configuration and provide scalability by enabling you to use the same instance of a Layer 2 protocol for multiple VLANs. For example, if a Brocade device is deployed in a Metro network and provides forwarding for two MRP rings that each contain 128 VLANs, you can configure a topology group for each ring.
Topology group configuration considerations
• You must configure the master VLAN and member VLANs or member VLAN groups before you configure the topology group.
• You can configure up to 30 (256 for ICX 6650) topology groups. Each group can control up to 4096 VLANs. A VLAN cannot be controlled by more than one topology group.
NOTE
If you add a new master VLAN to a topology group that already has a master VLAN, the new master VLAN replaces the older master VLAN. All member VLANs and VLAN groups follow the Layer 2 protocol settings of the new master VLAN.
Syntax: [no] member-vlan vlan-id
The vlan-id parameter specifies a VLAN ID. The VLAN must already be configured.
Syntax: [no] member-group num
The num specifies a VLAN group ID. The VLAN group must already be configured.
Syntax: show topology-group [ group-id ]
This display shows the following information.
TABLE 18 CLI display of topology group information
Field | Description
master-vlan | The master VLAN for the topology group. The settings for STP, MRP, or VSRP on the control ports in the master VLAN apply to all control ports in the member VLANs within the topology group.
member-vlan | The member VLANs in the topology group.
FIGURE 1 Metro ring - normal state
The ring in this example consists of four MRP nodes (Brocade switches). Each node has two interfaces with the ring. Each node also is connected to a separate customer network. The nodes forward Layer 2 traffic to and from the customer networks through the ring. The ring interfaces are all in one port-based VLAN. Each customer interface can be in the same VLAN as the ring or in a separate VLAN.
loop from occurring while you are configuring MRP on the ring nodes. Once MRP is configured and enabled on all the nodes, you can re-enable the interface.
• The above configurations can be configured as MRP masters or MRP members (for different rings).
• Brocade does not recommend configuring more than 15 MRP instances on FCX and ICX 6650 devices. Also, due to hardware limitations on these platforms, configuring 40 or more MRP instances may cause errors.
In this example, two nodes are each configured with two MRP rings. Any node in a ring can be the master for its ring. A node also can be the master for more than one ring.
MRP rings with shared interfaces (MRP Phase 2)
With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN. Figure 3 shows examples of multiple MRP rings that share the same interface.
FIGURE 4 Interface IDs and types
For example, in Figure 4, the ID of all interfaces on all nodes on Ring 1 is 1 and all interfaces on all nodes on Ring 2 is 2. Port 1/1 on node S1 and Port 2/2 on S2 have the IDs of 1 and 2 since the interfaces are shared by Rings 1 and 2. The ring ID is also used to determine an interface priority. Generally, a ring ID is also the ring priority and the priority of all interfaces on that ring.
Selection of master node
NOTE
Any node on an MRP ring that has two shared interfaces cannot be elected as the master node.
In Figure 4 on page 77, any of the nodes on Ring 1, even S1 or S2, can be a master node since none of its interfaces are tunnel ports. However in Ring 2, neither S1 nor S2 can be a master node since these nodes contain tunnel ports.
Ring initialization
The ring shown in Figure 1 on page 74 shows the port states in a fully initialized ring without any broken links.
RHP processing in MRP Phase 1
MRP uses Ring Health Packets (RHPs) to monitor the health of the ring. An RHP is an MRP protocol packet. The source address is the MAC address of the master node and the destination MAC address is a protocol address for MRP. The Master node generates RHPs and sends them on the ring. The state of a ring port depends on the RHPs.
FIGURE 6 Metro ring - from preforwarding to forwarding
Each RHP also has a sequence number. MRP can use the sequence number to determine the roundtrip time for RHPs in the ring. Refer to Metro Ring Protocol diagnostics on page 87.
RHP processing in MRP Phase 2
Figure 7 shows an example of how RHP packets are processed normally in MRP rings with shared interfaces.
FIGURE 7 Flow of RHP packets on MRP rings with shared interfaces
Port 2/1 on Ring 1 master node is the primary interface of the master node. The primary interface forwards an RHP packet on the ring. Since all the interfaces on Ring 1 are regular ports, the RHP packet is forwarded to all the interfaces until it reaches Port 2/2, the secondary interface of the master node. Port 2/2 then blocks the packet to complete the process.
How ring breaks are detected and healed
FIGURE 8 Metro ring - ring break
If a break in the ring occurs, MRP heals the ring by changing the states of some of the ring interfaces:
• Blocking interface - The Blocking interface on the Master node has a dead timer. If the dead time expires before the interface receives one of its ring RHPs, the interface changes state to Preforwarding.
• If an RHP reaches the Master node secondary interface, the ring is intact. The secondary interface changes to Blocking. The Master node sets the forwarding bit on in the next RHP. When the restored interfaces receive this RHP, they immediately change state to Forwarding.
• If an RHP does not reach the Master node secondary interface, the ring is still broken. The Master node does not send an RHP with the forwarding bit on.
Master VLANs and customer VLANs
FIGURE 10 Metro ring - ring VLAN and customer VLANs
Notice that each customer has their own VLAN. Customer A has VLAN 30 and Customer B has VLAN 40. The Customer A host attached to Switch D can reach the Customer A host attached to Switch B at Layer 2 through the ring. Since Customer A and Customer B are on different VLANs, they will not receive each other's traffic. You can configure MRP separately on each customer VLAN. However, this is impractical if you have many customers.
If you use a topology group:
• The master VLAN must contain the ring interfaces. The ports must be tagged, since they will be shared by multiple VLANs.
• The member VLAN for a customer must contain the two ring interfaces and the interfaces for the customer. Since these interfaces are shared with the master VLAN, they must be tagged. Do not add another customer's interfaces to the VLAN.
For more information about topology groups, refer to Topology groups on page 69.
Metro Ring Protocol configuration
device(config-vlan-2-mrp-1)#master
device(config-vlan-2-mrp-1)#ring-interface ethernet 1/1 ethernet 1/2
device(config-vlan-2-mrp-1)#enable
These commands configure an MRP ring on VLAN 2. The ring ID is 1, the ring name is CustomerA, and this node (this Brocade device) is the master for the ring. The ring interfaces are 1/1 and 1/2. Interface 1/1 is the primary interface and 1/2 is the secondary interface. The primary interface will initiate RHPs by default. The ring takes effect in VLAN 2.
secondary interfaces on the Master node. Configuring multiple rings enables you to use all the ports in the ring. The same port can forward traffic for one ring while blocking traffic for another ring.
Syntax: [no] enable
The enable command enables the ring.
Changing the hello and preforwarding times
You also can change the RHP hello time and preforwarding time. To do so, enter commands such as the following.
NOTE
This command is valid only on the master node.
Displaying MRP diagnostics
To display MRP diagnostics results, enter the following command on the Master node.
Displaying topology group information
To display topology group information, enter the following command.
Syntax: show topology-group [group-id]
Refer to Displaying topology group information on page 72 for more information.
Displaying ring information
To display ring information, enter the following command.
TABLE 20 CLI display of MRP ring information (Continued)
Field | Description
Prefwing time | The number of milliseconds an MRP interface that has entered the Preforwarding state will wait before changing to the Forwarding state. If a member port in the Preforwarding state does not receive an RHP within the Preforwarding time (Prefwing time), the port assumes that a topology change has occurred and changes to the Forwarding state.
TABLE 20 CLI display of MRP ring information (Continued)
Field | Description
Interface Type | Shows if the interface is a regular port or a tunnel port.
RHPs sent | The number of RHPs sent on the interface. NOTE: This field applies only to the master node. On non-master nodes, this field contains 0. This is because the RHPs are forwarded in hardware on the non-master nodes.
RHPs rcvd | The number of RHPs received on the interface.
MRP CLI example
MRP commands on Switch B
device(config-vlan-2-mrp-1)#enable
device(config-vlan-2-mrp-1)#exit
device(config-vlan-2)#exit
The following commands configure the customer VLANs. The customer VLANs must contain both the ring interfaces as well as the customer interfaces.
device(config-vlan-40)#exit
device(config)#topology-group 1
device(config-topo-group-1)#master-vlan 2
device(config-topo-group-1)#member-vlan 30
device(config-topo-group-1)#member-vlan 40
MRP commands on Switch D
device(config)#vlan 2
device(config-vlan-2)#tag ethernet 1/1 to 1/2
device(config-vlan-2)#metro-ring 1
device(config-vlan-2-mrp-1)#name "Metro A"
device(config-vlan-2-mrp-1)#ring-interface ethernet 1/1 ethernet 1/2
device(config-vlan-2-mrp-1)#enable
device(config-vlan-2)#
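The topology group and ring VLAN rules stated in this chapter (VLANs configured before the group, a VLAN controlled by only one group, ring interfaces tagged in the master VLAN and in every member VLAN) can be checked before a change is applied. The following Python checker is an added example, not Brocade code; the sample session is constructed, and the names lint and parse_ports and the treatment of exit as a no-op are assumptions of this example.

```python
import re

PROMPT = re.compile(r"^\S*\([^)]*\)#\s*")  # strips a prompt such as "device(config-vlan-2)#"

# Constructed sample session (not from a real device), in the style of the CLI example above.
SAMPLE = """\
device(config)#vlan 2
device(config-vlan-2)#tag ethernet 1/1 to 1/2
device(config-vlan-2)#metro-ring 1
device(config-vlan-2-mrp-1)#name "Metro A"
device(config-vlan-2-mrp-1)#ring-interface ethernet 1/1 ethernet 1/2
device(config-vlan-2-mrp-1)#enable
device(config-vlan-2-mrp-1)#exit
device(config-vlan-2)#exit
device(config)#vlan 30
device(config-vlan-30)#tag ethernet 1/1 to 1/2
device(config-vlan-30)#tag ethernet 2/1
device(config-vlan-30)#exit
device(config)#vlan 40
device(config-vlan-40)#tag ethernet 1/1
device(config-vlan-40)#tag ethernet 4/1
device(config-vlan-40)#exit
device(config)#topology-group 1
device(config-topo-group-1)#master-vlan 2
device(config-topo-group-1)#member-vlan 30
device(config-topo-group-1)#member-vlan 40
device(config-topo-group-1)#member-vlan 50
device(config-topo-group-1)#exit
device(config)#topology-group 2
device(config-topo-group-2)#member-vlan 30
"""


def parse_ports(tokens):
    """Expand 'ethernet 1/1 to 1/2 ethernet 2/1' into {'1/1', '1/2', '2/1'}."""
    ports, i = set(), 0
    while i < len(tokens):
        if tokens[i] != "ethernet" or i + 1 >= len(tokens):
            i += 1
            continue
        first = tokens[i + 1]
        if i + 3 < len(tokens) and tokens[i + 2] == "to":
            slot, lo = first.rsplit("/", 1)
            hi = tokens[i + 3].rsplit("/", 1)[1]
            ports.update(f"{slot}/{p}" for p in range(int(lo), int(hi) + 1))
            i += 4
        else:
            ports.add(first)
            i += 2
    return ports


def lint(config_text, max_groups=30):
    """Return findings for the topology group rules; max_groups is 30, or 256 on ICX 6650."""
    vlans, groups, owner, findings = {}, {}, {}, []
    vlan = group = None
    for raw in config_text.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        # "vlan" and "topology-group" switch context; "exit" and other commands are ignored.
        if cmd == "vlan":
            vlan, group = int(args[0]), None
            vlans.setdefault(vlan, {"tagged": set(), "ring": set()})
        elif cmd == "tag" and vlan is not None:
            vlans[vlan]["tagged"] |= parse_ports(args)
        elif cmd == "ring-interface" and vlan is not None:
            vlans[vlan]["ring"] |= parse_ports(args)
        elif cmd == "topology-group":
            group, vlan = int(args[0]), None
            groups.setdefault(group, {"master": None, "members": []})
            if len(groups) > max_groups:
                findings.append(f"topology-group {group}: exceeds the limit of {max_groups} groups")
        elif cmd in ("master-vlan", "member-vlan") and group is not None:
            vid = int(args[0])
            if vid not in vlans:  # VLANs must exist before the group refers to them
                findings.append(f"topology-group {group}: VLAN {vid} is not configured yet")
            elif owner.get(vid, group) != group:  # one controlling group per VLAN
                findings.append(f"topology-group {group}: VLAN {vid} is already "
                                f"controlled by topology-group {owner[vid]}")
            elif cmd == "master-vlan":
                old = groups[group]["master"]
                if old not in (None, vid):  # a new master VLAN replaces the older one
                    findings.append(f"topology-group {group}: master VLAN {vid} "
                                    f"replaces master VLAN {old}")
                    owner.pop(old, None)
                groups[group]["master"], owner[vid] = vid, group
            else:
                if vid not in groups[group]["members"]:
                    groups[group]["members"].append(vid)
                owner[vid] = group
    # Ring interfaces of the master VLAN must be tagged there and in every member VLAN.
    for gid, g in groups.items():
        if g["master"] is None:
            continue
        ring = vlans[g["master"]]["ring"]
        for vid in [g["master"]] + g["members"]:
            missing = sorted(ring - vlans[vid]["tagged"])
            if missing:
                role = "master" if vid == g["master"] else "member"
                findings.append(f"topology-group {gid}: {role} VLAN {vid} does not tag "
                                f"ring interface(s) {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```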
FIGURE 11 VSRP mesh - redundant paths for Layer 2 and Layer 3 traffic
In this example, two Brocade devices are configured as redundant paths for VRID 1. On each of the devices, a Virtual Router ID (VRID) is configured on a port-based VLAN. Since VSRP is primarily a Layer 2 redundancy protocol, the VRID applies to the entire VLAN. However, you can selectively remove individual ports from the VRID if needed.
When you configure VSRP, make sure each of the non-VSRP Brocade devices connected to the VSRP devices has a separate link to each of the VSRP devices.
VSRP configuration notes and feature limitations
• VSRP and 802.1Q-n-Q tagging are not supported together on the same device.
• VSRP and Super Aggregated VLANs are not supported together on the same device.
NOTE
802.1Q-n-Q tagging and Aggregated VLANs are not supported on the Brocade ICX 6430-C devices.
VSRP failover
Each Backup listens for Hello messages from the Master. The Hello messages indicate that the Master is still available. If the Backups stop receiving Hello messages from the Master, the election process occurs again and the Backup with the highest priority becomes the new Master. Each Backup waits for a specific period of time, the Dead Interval, to receive a new Hello message from the Master.
FIGURE 12 VSRP priority
However, if one of the VRID ports goes down on one of the Backups, that Backup's priority is reduced. If the Master's priority is reduced enough to make the priority lower than a Backup's priority, the VRID fails over to the Backup. The following figure shows an example.
FIGURE 13 VSRP priority recalculation
You can reduce the sensitivity of a VSRP device to failover by increasing its configured VSRP priority.
FIGURE 14 VSRP priority bias
Track ports
Optionally, you can configure track ports to be included during VSRP priority calculation. In VSRP, a track port is a port that is not a member of the VRID VLAN, but whose state is nonetheless considered when the priority is calculated. Typically, a track port represents the exit side of traffic received on the VRID ports. By default, no track ports are configured. When you configure a track port, you assign a priority value to the port.
In Figure 15, the track port is up. Since the port is up, the track priority does not affect the VSRP priority calculation. If the track port goes down, the track priority does affect VSRP priority calculation, as shown in the following figure.
FIGURE 16 Track port priority subtracted during priority calculation
MAC address failover on VSRP-aware devices
VSRP-aware devices maintain a record of each VRID and its VLAN.
VSRP interval timers
The VSRP Hello interval, Dead interval, Backup Hello interval, and Hold-down interval timers are individually configurable. You also can easily change all the timers at the same time while preserving the ratios among their values. To do so, change the timer scale. The timer scale is a value used by the software to calculate the timers. The software divides a timer value by the timer scale value. By default, the scale is 1.
TABLE 21 VSRP parameters (Continued)
Parameter | Description | Default | For more information
Timer scale | The value used by the software to calculate all VSRP timers. Increasing the timer scale value decreases the length of all the VSRP timers equally, without changing the ratio of one timer to another.
TABLE 21 VSRP parameters (Continued)
Parameter | Description | Default | For more information
VRID IP address | A gateway address you are backing up. Configuring an IP address provides VRRP-E Layer 3 redundancy in addition to VSRP Layer 2 redundancy. The VRID IP address must be in the same subnet as a real IP address configured on the VSRP interface, but cannot be the same as a real IP address configured on the interface. | None | Configuring a VRID IP address on page 107
TABLE 21 VSRP parameters (Continued)
Parameter | Description | Default | For more information
Backup Hello state and interval | The amount of time between Hello messages from a Backup to the Master. The message interval can be from 60 - 3600 seconds. You must enable the Backup to send the messages. The messages are disabled by default on Backups. | Disabled; 60 seconds when enabled | Changing the backup hello state and interval setting on page 110
Configuring basic VSRP parameters
To configure VSRP, perform the following required tasks:
• Configure a port-based VLAN containing the ports for which you want to provide VSRP service.
NOTE
If you already have a port-based VLAN but only want to use VSRP on a subset of the VLAN's ports, you can selectively remove ports from VSRP service in the VLAN. Refer to Removing a port from the VRID VLAN on page 107.
• Configure a VRID:
  ‐ Specify that the device is a backup.
To re-enable the protocol, enter the following command.
device(config)#router vsrp
Syntax: [no] router vsrp
Since VRRP and VRRP-E do not apply to Layer 2 Switches, there is no need to disable VSRP and there is no command to do so. The protocol is always enabled.
Changing the timer scale
To achieve sub-second failover times, you can shorten the duration of all scale timers for VSRP, VRRP, and VRRP-E by adjusting the timer scale.
Configuring authentication
If the interfaces on which you configure the VRID use authentication, the VSRP packets on those interfaces also must use the same authentication. VSRP supports the following authentication types:
• No authentication - The interfaces do not use authentication.
• Simple - The interfaces use a simple text-string as a password in packets sent on the interface.
Removing a port from the VRID VLAN
Syntax: [no] vsrp-aware vrid vridnumber no-auth port-list portrange
vrid number is a valid VRID (from 1 to 255).
no-auth specifies no authentication as the preferred VSRP-aware security method. The VSRP device will not accept incoming packets that have authentication strings.
simple-text-auth string specifies the authentication string for accepting VSRP hello packets, where string can be up to 8 characters.
Syntax: [no] ip-address ip-addr
Changing the backup priority
When you enter the backup command to configure the device as a VSRP Backup for the VRID, you also can change the backup priority and the track priority:
• The backup priority is used for election of the Master. The VSRP Backup with the highest priority value for the VRID is elected as the Master for that VRID. The default priority is 100.
NOTE
An MRP ring is considered to be a single hop, regardless of the number of nodes in the ring.
To change the TTL for a VRID, enter a command such as the following at the configuration level for the VRID.
device(config-vlan-200-vrid-1)#initial-ttl 5
Syntax: [no] initial-ttl num
The num parameter specifies the TTL and can be from 1 - 255. The default TTL is 2.
Changing the hello interval setting
The Master periodically sends Hello messages to the Backups.
Changing the backup hello state and interval setting
By default, Backups do not send Hello messages to advertise themselves to the Master. You can enable these messages if desired and also change the message interval. To enable a Backup to send Hello messages to the Master, enter a command such as the following at the configuration level for the VRID.
Specifying a track port setting
The default track priority for all track ports is 5. You can change the default track priority or override the default for an individual track port.
• To change the default track priority, use the backup priority value track-priority value command, described below.
• To override the default track priority for a specific track port, use the track-port command. Refer to Specifying a track port setting on page 111.
Syntax: [no] non-preempt-mode
Suppressing RIP advertisement from backups
Normally, for Layer 3 a VSRP Backup includes route information for a backed up IP address in RIP advertisements. As a result, other Layer 3 Switches receive multiple paths for the backed up interface and might sometimes unsuccessfully use the path to the Backup rather than the path to the Master.
Displaying VSRP information
You can display the following VSRP information:
• Configuration information and current parameter values for a VRID or VLAN
• The interfaces on a VSRP-aware device that are active for the VRID
Displaying VRID information
To display VSRP information, enter the following command.
TABLE 22 CLI display of VSRP VRID or VLAN information (Continued)
Field | Description
state | This device's VSRP state for the VRID. The state can be one of the following:
• initialize - The VRID is not enabled (activated). If the state remains "initialize" after you activate the VRID, make sure that the VRID is also configured on the other routers and that the routers can communicate with each other.
TABLE 22 CLI display of VSRP VRID or VLAN information (Continued)
Field | Description
priority | The device's preferability for becoming the Master for the VRID. During negotiation, the Backup with the highest priority becomes the Master. If two or more Backups are tied with the highest priority, the Backup interface with the highest IP address becomes the Master for the VRID.
hello-interval | The number of seconds between Hello messages from the Master to the Backups for a given VRID.
Displaying the active interfaces for a VRID
On a VSRP-aware device, you can display VLAN and port information for the connections to the VSRP devices (Master and Backups). To display the active VRID interfaces, enter the following command on the VSRP-aware device.
device#show vsrp aware
Aware port listing
VLAN ID  VRID  Last Port
100      1     3/2
200      2     4/1
Syntax: show vsrp aware
This display shows the following information when you use the aware parameter.
Displaying ports that Have the VSRP fast start feature enabled
This command shuts down all the ports that belong to the VLAN when a failover occurs. All the ports will have the specified VRID.
To configure a single port on a VSRP-configured device to shut down when a failover occurs, then restart after a period of time, enter the following command.
FIGURE 17 Two data paths from host on an MRP ring to a VSRP-linked device
If a VSRP failover from master to backup occurs, VSRP needs to inform MRP of the topology change; otherwise, data from the host continues along the obsolete learned path and never reaches the VSRP-linked device, as shown in the following figure.
FIGURE 19 New path established
There are no CLI commands used to configure this process.
UDLD and Protected Link Groups
● Supported UDLD and protected link group features
● UDLD overview
● Protected link groups
Supported UDLD and protected link group features
Lists UDLD and protected link group features.
UDLD for tagged ports
FIGURE 20 UDLD example
Normally, a Brocade device load balances traffic across the ports in a trunk group. In this example, each Brocade device load balances traffic across two ports. Without the UDLD feature, a link failure on a link that is not directly attached to one of the Brocade devices is undetected by the Brocade devices. As a result, the Brocade devices continue to send traffic on the ports connected to the failed link.
Enabling UDLD
• To configure UDLD on a trunk group, you must enable and configure the feature on each port of the group individually. Configuring UDLD on a trunk group primary port enables the feature on that port only.
• Low UDLD link-keepalive interval and retry options are not recommended as they are more sensitive and prone to flaps.
• When UDLD is enabled on a trunk port, trunk threshold is not supported.
• Dynamic trunking is not supported.
Changing the Keepalive interval
By default, ports enabled for UDLD send a link health-check packet once every 500 ms. You can change the interval to a value from 1 - 60, where 1 is 100 ms, 2 is 200 ms, and so on. To change the interval, enter a command such as the following.
device(config)#link-keepalive interval 4
Syntax: [no] link-keepalive interval num
The num parameter specifies how often the ports send a UDLD packet. You can specify from 1 - 60, in 100 ms increments.
Displaying information for a single port
TABLE 24 CLI display of UDLD information (Continued)
Field | Description
Keepalive Retries | The number of times a port will attempt the health check before concluding that the link is down.
Keepalive Interval | The number of seconds between health check packets.
Port | The port number.
Physical Link | The state of the physical link. This is the link between the Brocade port and the directly connected device.
Logical Link | The state of the logical link.
TABLE 25 CLI display of detailed UDLD information (Continued)
Field | Description
Local Port | The port number on this Brocade device.
Remote Port | The port number on the Brocade device at the remote end of the link.
Local System ID | A unique value that identifies this Brocade device. The ID can be used by Brocade technical support for troubleshooting.
Remote System ID | A unique value that identifies the Brocade device at the remote end of the link.
Clearing UDLD statistics
This command clears the Packets sent, Packets received, and Transitions counters in the show link keepalive ethernet [slotnum /]portnum display.
Protected link groups
A protected link group minimizes disruption to the network by protecting critical links from loss of data and power. In a protected link group, one port in the group acts as the primary or active link, and the other ports act as secondary or standby links. The active link carries the traffic.
Creating a protected link group and assigning an active port
• This feature is supported with tagged and untagged ports.
• This feature is supported with trunk ports.
• The protected link groups feature is not supported with LACP.
• There is no restriction on the properties of ports in a protected link group. For example, member ports can be in the same VLAN or in different VLANs.
that port. Since the above configuration consists of a statically configured active port, the active port pre-empts other ports in the protected link group. Refer to About active ports on page 127.
Syntax: [no] protected-link-group group-ID ethernet port to port
The group-ID parameter specifies the protected link group number. Enter a number from 1 - 32.
Configured mdi mode AUTO, actual MDIX
Member of 3 L2 VLANs, port is tagged, port state is protected-link-inactive
BPDU guard is Disabled, ROOT protect is Disabled
Link Error Dampening is Disabled
STP configured to ON, priority is level0
.... some lines omitted for brevity
In the above output, the port state is protected-link-inactive which means port 3 is an inactive port in a protected link group.
Link Aggregation
● Supported link aggregation features
● Overview of link aggregation
● LAG formation rules
● Configuration notes for FastIron devices in a traditional stack
Overview of link aggregation
This chapter describes how to configure Link Aggregation Groups (LAG). Beginning with FastIron 08.0.00a, you can use a single interface to configure any of the following LAG types:
• Static LAGs - These LAGs are manually configured aggregate links containing multiple ports.
• Dynamic LAGs - This LAG type uses the Link Aggregation Control Protocol (LACP) to maintain aggregate links over multiple ports.
• Layer 3 requirements: The LAG is rejected if any of the secondary LAG ports has any Layer 3 configurations, such as IPv4 or IPv6 address, OSPF, RIP, RIPNG, IS-IS, and so on.
• Layer 4 (ACL) requirements: All LAG ports must have the same ACL configurations; otherwise, the LAG is rejected.
Configuration notes for FastIron devices in a traditional stack
In a Brocade traditional stack system, a LAG may have port members distributed across multiple stack units. Both static and dynamic LAGs are supported.
NOTE
Cascaded LAGs between stack units are supported on Brocade ICX devices only.
FIGURE 23 Example of 2-port LAG
The following figure shows an example of two devices connected over a 4 port LAG where the ports on each end of the LAG are on different interface modules.
FIGURE 24 Examples of multi-slot, multi-port LAG
Maximum number of LAGs
The following table lists the maximum number of LAGs you can configure on a Brocade device and the valid number of ports in a LAG. The table applies to static and LACP ports.
Migrating from a previous release to 08.0.
Downgrade considerations
a) A static LAG is created containing the port list specified in the trunk command. This LAG is then automatically deployed.
b) The lowest-numbered port from the original trunk list is selected as the primary port of the LAG.
c) The converted LAG is named "LAG_x", where "x" is a unique number assigned by the system starting from 1.
2.
NOTE
Layer 2 and Layer 3 AppleTalk traffic is not load-balanced. Layer 3 routed IP or IPX traffic also is not load balanced. These traffic types will however still be forwarded on the LAG ports.
Support for IPv6 when sharing traffic across a LAG group
Brocade devices that support IPv6 take the IPv6 address for a packet into account when sharing traffic across a LAG group.
LAG hashing on stacking products
This configuration is required when multicast routing is configured on a tunnel interface and if the IP multicast packets are tunnel terminating. For example, when ip pim, ip pim-sparse, ip igmp proxy multicast routing commands are configured on a tunnel interface.
Removing Layer 2 information from LAG hash output
NOTE
Removing Layer 2 information from LAG hash output is not supported on FastIron X Series devices.
Creating a Link Aggregation Group (LAG)
Before setting up ports or configuring any other aspects of a LAG, you must create it as shown in the following:
device(config)# lag blue static
device(config-lag-blue)#
Syntax: [no] lag lag-name { static | dynamic | keep-alive }
The static option specifies that the LAG with the name specified by the lag-name variable will be configured as a static LAG.
device(config)#lag lag3 static id 123
Error: LAG id 123 is already used. The next available LAG id is 2 .
NOTE
If you upgrade from an earlier version to a version with the LAG ID configuration feature, the old configuration file will be parsed correctly and each LAG configured will get a LAG ID automatically.
!
lag lag1 static id 124
 ports ethernet 1/1/2 to 1/1/3
 primary-port 1/1/3
 deploy
!
: show lag command and the output.
Trunk Type: hash-based
Hardware failover mode: all-ports
Creating a keepalive LAG
To create a keep-alive LAG, enter the following.
device(config)# lag lag1 keep-alive
Syntax: [no] lag lag-name [ keep-alive ]
The keep-alive option specifies that the LAG with the name specified by the lag-name variable will be configured as a keep-alive LAG. The keep-alive LAG option allows you to configure a LAG for use in keep alive applications similar to the UDLD feature.
Specifying the LAG threshold for a LAG group
To designate the primary port for the static LAG "blue", use the following command.
device(config)# lag blue static
device(config-lag-blue)# primary-port 1/3/2
Syntax: [no] primary-port stack/slot/port
Once a primary port has been configured for a LAG, all configurations that apply to the primary port are applied to the other ports in the LAG.
NOTE
This configuration is only applicable for configuration of static or dynamic LAGs.
Configuring an LACP timeout
In a dynamic or keep-alive LAG, a port's timeout can be configured as short (3 seconds) or long (90 seconds). After you configure a port timeout, the port remains in that timeout mode whether it is up or down and whether or not it is part of a LAG. All the ports in a LAG should have the same timeout mode. This requirement is checked when the LAG is enabled on the ports.
Commands available under LAG once it is deployed
Syntax: [no] deploy [ passive ]
When the deploy command is executed:
For dynamic LAGs, LACP is activated on all LAG ports. When activating LACP, use active mode if passive is not specified; otherwise, use passive mode.
For keep-alive LAGs, no LAG is formed, and LACP is started on the LAG port.
Once the deploy command is issued, all LAG ports will behave like a single port. If the no deploy command is executed, the LAG is removed.
Adding a Port to Currently Deployed LAG
Syntax: [no] enable { ethernet stack/slot/port [ to stack/slot/port ] [ ethernet stack/slot/port ] | port-name name }
Use the ethernet option with the appropriate stack/slot/port variable to specify an Ethernet port within the LAG that you want to enable. Use the port-name option with the appropriate name variable to specify a named port within the LAG that you want to enable.
NOTE
In an operational dynamic LAG, removing an operational port causes port flapping for all LAG ports. This may cause loss of traffic.
Monitoring an individual LAG port
By default, when you monitor the primary port in a LAG group, aggregated traffic for all the ports in the LAG is copied to the mirror port. You can configure the device to monitor individual ports in a LAG including Ethernet, or named ports.
Allowable characters for LAG names
When creating a LAG name, you can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: "a long subdirectory name". The maximum length for a string is 64 characters.
Setting the sFlow sampling rate for a port in a LAG
You can set the sFlow sampling rate for an individual port within a LAG using the sflow-subsampling command within the LAG configuration as shown in the following.
device(config)# lag blue static
device(config-lag-blue)# deploy
device(config-lag-blue)# sflow sample 512
Syntax: [no] sflow sample number
The number variable specifies the average number of packets from which each sample will be taken.
Table 29 describes the information displayed by the show lag brief command.
The following example displays the full option of the show lag command.
device# show lag
Total number of LAGs: 5
Total number of deployed LAGs: 3
Total number of trunks created:2 (253 available)
LACP System Priority / ID: 1 / 0024.3889.
The static option limits the display to static LAGs.
The following table describes the information displayed by the show lag command.
TABLE 29 Show LAG information
This field... | Displays...
Total number of LAGS | The total number of LAGs that have been configured on the device.
Total number of deployed LAGS | The total number of LAGs on the device that are currently deployed.
Total number of trunks created | The total number of LAGs that have been created on the LAG.
TABLE 29 Show LAG information (Continued)
This field... | Displays...
Link | The status of the link which can be one of the following: • up • down
State | The L2 state for the port.
Dupl | The duplex state of the port, which can be one of the following: • Full • Half • None
Speed | The bandwidth of the interface.
Trunk | The LAG ID of the port.
Tag | Indicates whether the ports have 802.1q VLAN tagging. The value can be Yes or No.
Agg: Indicates the link aggregation state of the port. The state can be one of the following:
• Agg - Link aggregation is enabled on the port.
• No - Link aggregation is disabled on the port.
Syn: Indicates the synchronization state of the port. The state can be one of the following:
• No - The port is out of sync with the remote port.
Enabling LAG hardware failover
LAG hardware failover reduces the time of packet loss if a LAG member is down, with minimal software intervention, using loopback on the down port. LAG hardware failover is disabled by default and is supported only on Brocade ICX 7750 devices.
Enter the failover all command in dynamic LAG configuration mode to enable LAG hardware failover. The failover next command enables failover on the next port in the LAG.
Multi-Chassis Trunking
● Supported MCT features
● Multi-Chassis Trunking Overview
● Layer 2 behavior with MCT
● Layer 3 behavior with MCT
How MCT works
jitter, not only on the affected devices locally, but throughout the span topology. With MCT, member links of the trunk are split and connected to two clustered MCT-supporting switches. MCT has integrated loop detection, which allows all links to be active. If a failure is detected, traffic is dynamically allocated across the remaining links. The failure detection and allocation of traffic occur in sub-second time, without impact on the rest of the network.
MCT terminology
• For unknown unicast, multicast, and broadcast traffic received on ICL ports, the forwarding behavior depends on the peer MCT device’s ability to reach the same client.
• Unknown unicast, multicast, and broadcast traffic received from CCEP is forwarded as usual, by default, flooding the entire VLAN.
• The cluster ID must be unique when there are multiple clusters interconnected in a topology.
Broadcast, unknown unicast, and multicast (BUM) traffic from a client through a CCEP
1. Traffic originates at the client.
2. Because the link between the client switch and the MCT cluster is a trunk, the traffic travels over one physical link. In the example shown in the following figure, the traffic travels over the link toward cluster device 2. The traffic enters the MCT cluster through the CCEP of cluster device 2.
3. The traffic is sent to any local CEPs and CCEPs.
FIGURE 27 MCT data flow - unicast traffic from CCEP
Broadcast, unknown unicast, and multicast (BUM) traffic from a client through a CEP
1. Traffic originates at the client and enters one of the MCT cluster devices through a CEP.
2. As shown in the following figure, the traffic is sent to the peer cluster device through the ICL link and is also sent to any local CCEPs and CEPs. Once traffic is received on the peer cluster device, it will be sent to its local CEPs.
3.
FIGURE 28 MCT data flow - BUM traffic from a CEP
Unicast traffic from a client through a CEP to another CEP or a CCEP
1. Traffic originates at the client and enters one of the cluster devices through the CEP as shown in the following figure.
2. Depending on the destination, the traffic may pass over the ICL link to the other cluster device, or it may be sent to a local CCEP.
3. The traffic passes out to the destination.
FIGURE 29 MCT data flow - unicast traffic from a CEP
Port failure on the cluster device
1. A CCEP on the cluster device that received the unicast or BUM traffic fails.
2. As shown in the following figure, the traffic is automatically redirected to the other MCT cluster device over the ICL and on to its destinations through CCEPs.
FIGURE 30 MCT data flow with port failure
MCT and VLANs
MCT relies on the following VLAN types:
• Session VLAN: Provides the control channel for CCP. Brocade recommends keeping only ICL ports in the session VLAN. A virtual interface must be configured on the session VLAN for the router image.
• Keep-alive VLAN: Provides a backup control path if the ICL goes down (optional, but strongly recommended).
• MCT VLAN: Serves the customer data traffic.
MCT feature interaction
• Cluster client automatic configuration is designed for generating new clients, not for updating an existing client.
• A single client span across multiple devices is not supported (cascading MCT). For example, the configuration of cascading MCT through cluster client automatic configuration is not supported.
• Multiple clients on the same device are not supported.
• LACP client interface auto-detection is supported only for devices running release 7.
Basic MCT configuration
‐ If the trusted ports are off the CCEP, the arp inspection trust or dhcp snoop trust command must be used on the CCEPs and ICL ports.
‐ DHCP and ARP entries are created on both MCT cluster devices if the flow traverses both the CCEP and ICL.
• Hitless failover. If the failover operation is performed with a cluster configuration, the TCP session is reestablished. The MAC addresses from the cluster peer devices are revalidated and programmed accordingly.
• Hitless upgrade.
FIGURE 31 Basic MCT configuration
MCT configuration considerations
• Configuring flow-based MAC address learning and MCT on the same device is not supported.
• When running STP, the STP state should be the same on both cluster devices. For additional information on running STP with MCT, refer to "STP/RSTP" under MCT Layer 2 protocols and to related configuration examples.
• One ICL can be configured per device, and a device can be in only one cluster.
Differences in configuring MCT for the switch and router image
cluster. To avoid conflicts, ensure that the Cluster ID and the Cluster RBridge ID are unique within an MCT configuration and cannot be confused with each other.
• The cluster ID should be the same on both cluster devices.
• The cluster RBridgeID should not conflict with any client RBridgeID or with the peer RBridgeID.
• The client RBridgeID is unique and should be the same on cluster devices.
Step 2: Configure the MCT VLAN, MCT session VLAN, and recommended MCT keep-alive VLAN
maintain aggregate links over multiple ports. LACP PDUs are exchanged between ports on each device to determine if the connection is still active. The LAG then shuts down any port whose connection is no longer active.
NOTE
ICL LAGs only support static trunks.
Syntax: [no] lag lag-name [ { static | dynamic } [ id number ] ]
To configure an ICL static LAG, enter the following commands.
Step 3: Configure the cluster
Cluster local configuration uses the cluster ID and RBridgeID for the local switch or router.
Syntax: [no] cluster [ cluster-name ] cluster-id
Syntax: [no] rbridge-id id
Configuration of the peer device involves the peer's IP address, RBridgeID, and ICL specification. The cluster-name variable is optional; the device auto-generates the cluster name as CLUSTER-X when only the cluster ID is specified.
Setting up cluster client automatic configuration
device-1(config-cluster-SX-client-1)#rbridge-id 200
device-1(config-cluster-SX-client-1)#client-interface ether 1/5
device-1(config-cluster-SX-client-1)#deploy
To configure Client-2 on Brocade-2 in the topology of Figure 31 on page 165, enter the following command.
MCT failover scenarios
Use the following command to enable or disable cluster client automatic configuration on a range of ports.
Syntax: [no] client-auto-detect Ethernet x [ to y]
Use the following command as an alternative to client-auto-detect config. This command also configures automatically detected clients into the running configuration and deploys all of the automatically detected clients.
Cluster failover mode
‐ lower RBridgeID becomes the master. If the client can be accessed only from one of the MCT devices, the cluster device on which it is reachable becomes the master.
If the peer device cannot be reached over the keep-alive VLAN, then both cluster devices keep forwarding.
NOTE
Brocade recommends using keep-alive VLANs with the MCT configurations. This provides alternative access if the ICL interface goes down.
Shutting down all client interfaces
MCT cluster devices can operate in two modes. Both peer devices should be configured in the same mode.
Loose mode (default): When the CCP goes down, the peer device performs the master/slave negotiation. After negotiation, the slave shuts down its peer ports, but the master peer ports continue to forward traffic if a keep-alive VLAN is configured. If a keep-alive VLAN is not configured, both peer devices become masters, and both of the client ports stay up.
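The RBridgeID and keep-alive VLAN rules stated above can be checked offline against saved configurations. The following is an added example, not code from this guide or from Brocade: it assumes the cluster stanza is indented as in a saved running-config, and the function names, finding codes, and the two sample configurations are constructed for illustration.

```python
import re

# Constructed samples in the style of this guide's MCT examples.
DEVICE_A = """\
!
vlan 3000 name session by port
 tagged ethe 7/3
 router-interface ve 3000
!
cluster SX 3000
 rbridge-id 2
 session-vlan 3000
 keep-alive-vlan 3001
 icl SX-MCT ethernet 7/3
 peer 10.1.1.3 rbridge-id 3 icl SX-MCT
 deploy
 client client-1
  rbridge-id 100
  client-interface ethernet 7/5
  deploy
!
"""
# Peer with two deliberate mistakes: no keep-alive VLAN, and a client
# RBridgeID that collides with the peer RBridgeID.
DEVICE_B = """\
cluster SX 3000
 rbridge-id 3
 session-vlan 3000
 icl SX-MCT ethernet 3/3
 peer 10.1.1.2 rbridge-id 2 icl SX-MCT
 deploy
 client client-1
  rbridge-id 2
  client-interface ethernet 3/7
  deploy
!
"""

CLUSTER_RE = re.compile(r"cluster\s+(?:(\S+)\s+)?(\d+)$")  # name is optional


def parse_cluster(config):
    """Return the first 'cluster' stanza as a dict, or None if there is none."""
    cluster, client = None, None
    for raw in config.splitlines():
        line = raw.strip()
        top_level = bool(line) and not raw[0].isspace()
        if cluster is None:
            m = CLUSTER_RE.match(line) if top_level else None
            if m:
                cluster = {"name": m.group(1), "id": int(m.group(2)),
                           "rbridge": None, "session_vlan": None,
                           "keep_alive_vlan": None, "peer_rbridge": None,
                           "clients": {}}
            continue
        if top_level:  # '!' or the next top-level command ends the stanza
            break
        words = line.split()
        if not words:
            continue
        if words[0] == "client" and len(words) == 2:
            client = words[1]
            cluster["clients"][client] = None
        elif words[0] == "rbridge-id" and len(words) == 2:
            if client is None:  # before any 'client' line: the cluster's own ID
                cluster["rbridge"] = int(words[1])
            else:
                cluster["clients"][client] = int(words[1])
        elif words[0] in ("session-vlan", "keep-alive-vlan") and len(words) == 2:
            cluster[words[0].replace("-", "_")] = int(words[1])
        elif words[0] == "peer" and "rbridge-id" in words[:-1]:
            cluster["peer_rbridge"] = int(words[words.index("rbridge-id") + 1])
    return cluster


def audit_device(c):
    """Checks that need only one device's cluster stanza."""
    findings = []
    if c["keep_alive_vlan"] is None:
        findings.append(("NO_KEEPALIVE", "no keep-alive VLAN; if the ICL goes "
                         "down both peers keep forwarding independently"))
    if c["id"] == c["rbridge"]:
        findings.append(("ID_EQUALS_RBRIDGE", "cluster ID and cluster RBridgeID "
                         "are identical and can be confused"))
    if c["rbridge"] is not None and c["rbridge"] == c["peer_rbridge"]:
        findings.append(("RBRIDGE_CONFLICT", "cluster and peer share an RBridgeID"))
    reserved = {c["rbridge"]: "cluster", c["peer_rbridge"]: "peer"}
    for name, rb in sorted(c["clients"].items()):
        if rb is not None and rb in reserved:
            findings.append(("RBRIDGE_CONFLICT", f"client {name} RBridgeID {rb} "
                             f"collides with the {reserved[rb]} RBridgeID"))
    return findings


def audit_pair(a, b):
    """Checks that compare the stanzas of the two cluster peers."""
    findings = []
    if a["id"] != b["id"]:
        findings.append(("CLUSTER_ID_MISMATCH", "cluster ID differs between peers"))
    if a["peer_rbridge"] != b["rbridge"] or b["peer_rbridge"] != a["rbridge"]:
        findings.append(("PEER_RBRIDGE_MISMATCH", "a peer statement does not "
                         "name the other device's RBridgeID"))
    if set(a["clients"].values()) != set(b["clients"].values()):
        findings.append(("CLIENT_RBRIDGE_MISMATCH", "client RBridgeIDs are not "
                         "the same on both cluster devices"))
    return findings


if __name__ == "__main__":
    a, b = parse_cluster(DEVICE_A), parse_cluster(DEVICE_B)
    for label, result in (("A", audit_device(a)), ("B", audit_device(b)),
                          ("A<->B", audit_pair(a, b))):
        for code, message in result:
            print(f"{label}: {code}: {message}")
```

The parser reads only the first cluster stanza, which matches the rule that a device can be in only one cluster.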
• If no packets are received from the peer device for a period of three seconds, the peer is considered down.
• If a keep-alive VLAN is not configured and both the peer devices are up, both peers keep forwarding traffic independently.
Setting keep-alive timers and hold-time
To specify the keep-alive timers and hold time for the peer devices, enter a command such as the following.
device-1(config-cluster-SX))# peer 10.1.1.
Cluster Remote MAC (CR): MAC addresses that are learned via MDUP messages from the peer device (CL on the peer). The MAC addresses are always programmed on the ICL port and do not age. The CR is deleted only when the CL is deleted from the peer. An MDB entry is created for these MAC addresses with a cost of 1 and is associated with the peer RBridgeID.
Cluster Client Local MAC (CCL): MAC addresses that are learned on the MCT VLAN and on CCEPs.
MAC show commands
To display all local MAC address entries for a cluster, use the show mac cluster command.
device# show mac cluster 1000
Total Cluster Enabled(CL+CR+CCL+CCR) MACs: 1
Total Cluster Local(CL) MACs: 1
CCL: Cluster Client Local CCR:Cluster Client
Total active entries from all ports = 1
Total static entries from all ports = 3
MAC-Address     Port  Type
0000.0022.3333  8/1   Static
0000.0022.3333  8/3   Static
0000.0022.
Displaying MDUP packet statistics
Clearing MCT VLAN-specific MAC addresses
To clear MCT VLAN-specific MAC addresses in the system, enter a command such as the following.
device# clear mac cluster AGG-1 vlan 1 local
Syntax: clear mac cluster { cluster_id | cluster-name } vlan vlan_id { local | remote }
Clearing cluster client vlan-specific MACs
To clear cluster client-specific MAC addresses in the system, enter a command such as the following.
Port loop detection
NOTE
The LAG IDs are only significant locally and need not match on the two ends of a LAG.
The LACP system ID in the MCT-supporting device normally comes from the port MAC address. To support LACP over MCT, the ID must be obtained in another way. MCT uses a pre-defined algorithm to obtain the ID.
NOTE
Each MCT cluster device has a unique cluster ID and one MCT client ID. The LACP key is predefined from the client ID and cluster ID. The user cannot change the key.
STP/RSTP
Configuring STP on MCT VLANs at MCT cluster devices is not recommended. By default, the spanning tree is disabled in the MCT VLANs. If the network topology may create Layer 2 loops through external connections, STP may be enabled on switches outside the MCT cluster to prevent the Layer 2 loop. The MCT cluster devices then perform pass-through forwarding of STP BPDUs received through their ports in the MCT VLAN.
Uplink switch
Uplink switch capability is supported on MCT VLANs. ICLs and CCEPs can be configured as uplink-switch ports. Both cluster devices should have exactly the same uplink-switch port memberships configured for the ICL and CCEPs.
How failovers are handled for Layer 2 multicast over MCT
• All control and data traffic is received on the ICL. The traffic is forwarded out of a CCEP only if the remote CCEP is down; otherwise, it is dropped by the egress filters on the CCEP.
• The ICL is added as outgoing interface (OIF) by default whenever the CCEP is a source or a receiver. This provides faster convergence during MCT failover.
• For IGMP/MLD joins/leaves:
‐ Only control packets received on a CCEP are synced to the MCT peer using CCP.
Forwarding entries for PIM-SM and PIM6-SM multicast snooping
Table 30 and Table 31 list the forwarding entries for PIM-SM and PIM6-SM multicast snooping.
NOTE
When multiple ports from the same server are connected to an ICX 6650, the port on the ICX 6650 connected to the PXE-capable port on the server is the port that must be configured to the force-up state. The PXE-capable port varies from server to server.
Keep the following points in mind when configuring a port to a force-up state:
• A port can only be configured as the force-up port before the client is deployed.
Layer 3 behavior with MCT
The following table lists the type of Layer 3 support available with MCT. Note that routing protocols are not supported on the ICL or on CCEPs. Brocade strongly recommends that you configure VRRP/VRRPE at the edge network when MCT is enabled.
Layer 3 unicast over MCT
TABLE 32 Layer 3 Feature Support with MCT (Continued)
Feature   Sub-feature      Session VLAN VE   Member VLAN VE
          proxy-arp        No                Yes
          redirect         No                Yes
          rip              No                No
          tcp              Yes               Yes
          tunnel           No                No
          use-acl-on-arp   Yes               Yes
          vrrp             No                Yes
          vrrp-extended    No                Yes
ipv6                       No                No
Design Philosophy
• IPv6 is not supported for MCT management
• IPv6 not supported on member VLAN VE
a.) *ICL: The ICL port is added as default whenever a CCEP is in OIF.
FIGURE 32 Configuration for Layer 3 unicast
Device A
MCT Configuration
!
vlan 10 by port
 tagged ethe 3/1
 router-interface ve 10
!
interface ve 10
 ip address 10.1.1.1 255.255.255.
 icl L3icl ethernet 3/1
 peer 10.1.1.2 rbridge-id 102 icl L3icl
 deploy
 client s1
  rbridge-id 300
  client-interface ethernet 3/3
  deploy
!
VRRP-E Configuration
!
vlan 100 by port
 tagged ethe 3/1 ethe 3/3
 router-interface ve 100
!
router vrrp-extended
!
interface ve 100
 ip address 100.1.1.1 255.255.255.0
 ip vrrp-extended vrid 1
  backup priority 255
  ip-address 100.1.1.254
  enable
!
Device B
MCT Configuration
!
vlan 10 by port
 tagged ethe 3/1
 router-interface ve 10
!
interface ve 10
 ip address 10.1.1.
Switch S1
!
lag "1" static id 1
 ports ethernet 3 ethernet 4
 primary-port 3
 deploy
!
vlan 100 by port
 tagged ethe 3 to 4
 router-interface ve 100
!
interface ve 100
 ip address 100.1.1.100 255.255.255.0
!
MCT for VRRP or VRRP-E
A simple MCT topology addresses resiliency and efficient load balancing in Layer 2 network topologies. To interface with a Layer 3 network and add redundancy in Layer 3, MCT is configured with Virtual Router Redundancy Protocol (VRRP).
VRRP or VRRP-E configuration with MCT
• If the ARP request reaches A directly, A replies through the same port on which it learned S1's MAC address.
• If the request comes through B, S1's ARP response is learned on the ICL first and then it moves to the CCEP link when the MDUP message for S1's MAC address is received from B.
Configuration considerations
• MCT devices must obtain complete routing information using static routes for Layer 3 forwarding on MCT VLANs.
• For MCT devices configured with VRRP or VRRP-E, track-port features can be enabled to track the link status to the core devices so the VRRP or VRRP-E failover can be triggered.
• Configuring several Layer 3 features on VE of the session VLAN is not supported.
VRRP-E short-path forwarding and revertible option
At the VRRP-E VRID configuration level, use the following command to enable short-path forwarding.
device(config-if-e1000-vrid-2)# short-path-forwarding revert-priority 60
Syntax: [no] short-path-forwarding [ revert-priority value]
The revert-priority value in the short-path-forwarding command works in conjunction with the track-port command to control forwarding behavior.
Displaying state machine information
Use the show cluster client command to display additional state machine information, including the reason a local CCEP has gone down. You can specify an individual cluster and client as an option.
Displaying information about Ethernet interfaces
Rbridge ID of the peer 100
Session state of the peer OPERATIONAL
Next message ID to be send 287
Keep Alive interval in seconds 30
Hold Time Out in seconds 90
Fast Failover is enable for the session
UP Time 0 days: 2 hr:22 min:58 sec
Number of tcp packet allocations failed 0
Message  Init  Keepalive  Notify  Application  Badmessages
Send     3     2421       2       53           0
Receive  3     2415       0       37           0
TCP connection is up
TCP connection is initiated by 10.1.1.
Displaying STP information
IPG MII 96 bits-time, IPG GMII 96 bits-time
MTU 1500 bytes, encapsulation Ethernet
CCEP for client c149_150 in cluster id 1
300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 0 bits/sec, 0 packets/sec, 0.
7/5 (age=10), 7/3 (age=10),
7/5 has 1 src: 10.0.0.2(10)
7/3 has 1 src: 11.0.0.2(10)
device# show ip multicast pimsm-snooping
vlan 100, has 1 caches.
1 (* 224.10.10.10) has 3 pim join ports out of 3 OIF
3/3 (age=20), 3/7 (age=20), 3/8 (age=20),
3/3 has 1 src: 10.0.0.2(20)
3/7 has 1 src: 10.0.0.2(20)
Syntax: show ip multicast pimsm-snooping
Use the show ip multicast cluster commands to display information about multicast snooping activity.
MCT configuration examples
source: 7/3 has 1 src: 11.0.0.5(age, ref_count, owner flag, pruned flag)
owner flag: 0x0: local, 0x1 remote cep, 0x2 remote ccep
vlan 100, has 1 caches.
1 (* 224.10.10.10) has 2 pim join ports out of 2 OIF
7/3 (20, ICL, 1, 0x0, 0), 7/5 (20, CCEP, 1, 0x0, 0),
7/3 has 4 src: 10.0.0.5(20, 1, 0x0, 0), 10.0.0.4(20, 1, 0x0, 0), 10.0.0.3(20, 1, 0x0, 0), ...cut
7/5 has 4 src: 10.0.0.5(20, 1, 0x0, 0), 10.0.0.4(20, 1, 0x0, 0), 10.0.0.3(20, 1, 0x0, 0), ...
FIGURE 34 Single level MCT configuration
Client 1 - Configuration
If client 1 is a Brocade switch in Figure 34 on page 196, you can configure it as follows:
!
vlan 1905 by port
 tagged ethe 7/1/1 to 7/1/3 ethe 8/1/1 to 8/1/3
 spanning-tree
!
!
lag lag_client1_1 dynamic id 100
 ports ethe 7/1/1 to 7/1/3 ethe 8/1/1 to 8/1/3
 primary-port 7/1/1
 deploy
!
Client 2 - Configuration
If client 2 is a Brocade switch in Figure 34 on page 196, you can configure it as follows:
!
vlan 1905 by port
 ports ethe 1/1/1 to 1/1/3 ethe 3/1/1 to 3/1/3
 primary-port 1/1/1
 deploy
!
AGG-A (R1) - Configuration
This section presents the configuration for the AGG-A (R1) cluster device in Figure 34 on page 196.
Two-level MCT example
 ports ethe 1/17 to 1/19
 primary-port 1/17
 deploy
!
lag lag_agg_b_3 dynamic id 104
 ports ethe 1/21 to 1/23
 primary-port 1/21
 deploy
!
vlan 2 name session-vlan by port
 tagged ethe 2/1 to 2/2
 router-interface ve 2
!
vlan 3 by port
 tagged ethe 1/11
 router-interface ve 3
!
!
vlan 1905 by port
 tagged ethe 1/17 to 1/19 ethe 1/21 to 1/23 ethe 2/1 to 2/2
!
hostname R2
!
interface ve 2
 ip address 10.1.1.2 255.255.255.0
!
interface ve 3
 ip address 10.1.2.2 255.255.255.
AGG-A (R1) - Configuration
FIGURE 35 Two-level MCT configuration
NOTE
In a two-level MCT configuration using dynamic LAGs, ensure that the upper and lower clusters have different Cluster IDs because the Cluster LACP module uses the Cluster ID as part of the LACPDU's system ID.
The client configuration is the same as in the single-level example (refer to Single-level MCT example on page 195).
AGG-B (R2) - Configuration
 ports ethe 2/1 to 2/2
 primary-port 2/1
 deploy
!
lag lag_agg_a_2 dynamic id 104
 ports ethe 1/1 to 1/3
 primary-port 1/1
 deploy
!
lag lag_agg_a_3 dynamic id 105
 ports ethe 1/5 to 1/7
 primary-port 1/5
 deploy
!
lag lag_agg_a_4 dynamic id 106
 ports ethe 1/15 to 1/16
 primary-port 1/15
 deploy
!
vlan 2 name session-vlan by port
 tagged ethe 2/1 to 2/2
 router-interface ve 2
!
vlan 3 name keep-alive-vlan by port
 tagged ethe 1/12
 router-interface ve 3
!
!
vlan 1905 by port
 tagged ethe 1/1 to
DIST-A (R3) - Configuration
lag lag_agg_b_3 dynamic id 108
 ports ethe 1/21 to 1/23
 primary-port 1/21
 deploy
!
lag lag_agg_b_4 dynamic id 109
 ports ethe 1/15 to 1/16
 primary-port 1/15
 deploy
!
vlan 2 name session-vlan by port
 tagged ethe 2/1 to 2/2
 router-interface ve 2
!
vlan 3 name keep-alive-vlan by port
 tagged ethe 1/11
 router-interface ve 3
!
!
vlan 1905 by port
 tagged ethe 1/15 to 1/19 ethe 1/21 to 1/23 ethe 2/1 to 2/2
!
hostname R2
!
interface ve 2
 ip address 10.1.1.2 255.255.255.
DIST-B (R4) - Configuration
 tagged ethe 11/25 to 11/36
 router-interface ve 6
 spanning-tree
!
vlan 1905 by port
 tagged ethe 1/1 to 1/2 ethe 15/1 to 15/2
!
hostname R3
hitless-failover enable
!
interface ve 5
 ip address 10.2.1.1 255.255.255.0
!
interface ve 6
 ip address 10.2.2.1 255.255.255.0
!
cluster MCT2 2
 rbridge-id 3
 session-vlan 5
 keep-alive-vlan 6
 icl BH3 ethernet 1/1
 peer 10.2.1.
 client AGG_Cluster
  rbridge-id 1801
  client-interface ethe 1/1
  deploy
MCT configuration with VRRP-E example
Figure 36 shows a sample MCT configuration with VRRP-E. The associated configuration follows. The configuration for VRRP is similar.
FIGURE 36 Sample MCT configuration with VRRP-E
SX800A - MCT configuration
This example presents the MCT configuration for the SX800A cluster device in Figure 35 on page 199.
SX800A - VRRP-E configuration
!
vlan 1000 name ICL-Session-VLAN by port
 tagged ethe 5/1 to 5/2
 router-interface ve 1000
!
vlan 1001 name MCT-Keep-Alive by port
 tagged ethe 5/3
!
interface ve 1000
 ip address 10.0.0.254 255.255.255.252
!
cluster FI-MCT 1750
 rbridge-id 801
 session-vlan 1000
 keep-alive-vlan 1001
 icl FI_SX-MCT ethernet 5/1
 peer 10.0.0.
 deploy
 client S1-SW
  rbridge-id 777
  client-interface ethe 4/1
  deploy
!
SX800B - VRRP-E configuration
This example presents the VRRP-E configuration for the SX800B cluster device in Figure 35 on page 199.
!
router vrrp-extended
!
interface ve 110
 port-name S1-SW
 ip address 10.110.0.252 255.255.255.0
 ip vrrp-extended vrid 110
  backup
  ip-address 10.110.0.
FIGURE 37 Multicast snooping over MCT
The following example shows the configuration for multicast snooping for the MCT1 cluster device in the previous figure.
 ip address 10.1.1.2 255.255.255.0
!
cluster SX 3000
 rbridge-id 2
 session-vlan 3000
 keep-alive-vlan 3001
 icl SX-MCT ethernet 7/3
 peer 10.1.1.3 rbridge-id 3 icl SX-MCT
 deploy
 client client-1
  rbridge-id 100
  client-interface ethernet 7/5
  deploy
!
The following example shows the configuration for multicast snooping for the MCT2 cluster device in Figure 37.
MCT configuration examples using STP
The following example shows the global configuration for multicast snooping for the MCT2 cluster device in Figure 37.
!
vlan 100 by port
 tagged ethe 3/3
 untagged ethe 3/7 ethe 3/8
!
vlan 3000 name session by port
 tagged ethe 3/3
 router-interface ve 3000
vlan 3001 name keep-alive-vlan
 tagged eth 3/4
ip multicast passive
interface ve 3000
 ip address 10.1.1.3 255.255.255.
FIGURE 38 Sample network topology - Using STP in an MCT configuration
Router-1 configuration
!
lag "1" static id 1
 ports ethernet 1/1 ethernet 1/3
 primary-port 1/1
 deploy
lag "1" static id 2
 ports ethernet 1/5 ethernet 1/7
 primary-port 1/5
 deploy
lag "1" static id 3
 ports ethernet 2/1 ethernet 2/2
 primary-port 2/1
 deploy
!
vlan 2 name session-vlan by port
 tagged ethe 2/1 to 2/2
 router-interface ve 2
!
vlan 3 name keep-alive-vlan by port
 tagged ethe 1/12
 router-interface ve 3
!
vlan
AGG-B (R2) - Configuration
!
lag "1" static id 1
 ports ethernet 1/17 ethernet 1/19
 primary-port 1/17
 deploy
lag "1" static id 2
 ports ethernet 1/21 ethernet 1/23
 primary-port 1/21
 deploy
lag "1" static id 3
 ports ethernet 2/1 ethernet 2/3
 primary-port 2/1
 deploy
!
vlan 2 name session-vlan by port
 tagged ethe 2/1 to 2/2
 router-interface ve 2
!
vlan 3 by port
 tagged ethe 1/11
 router-interface ve 3
!
vlan 1905 name MAC-scaling-vlan by port
 tagged ethe 1/15 to 1/19 ethe 1/21
Client-1 -
Example 1: Configure the Per-VLAN Spanning Tree on the MCT Clients
External connections between clients other than the links in an MCT cluster can cause Layer 2 loops. Use Spanning Tree on the MCT clients so that the MCT cluster forwards Spanning Tree Bridge Protocol Data Units (BPDU) as if the cluster were in a pass-through mode. Configure per-VLAN Spanning Tree on the two MCT VLANs 1901 and 1905 to have Rapid Spanning Tree (RSTP/802.1w).
Example 3: Configure Multiple Spanning Tree (MSTP) on the MCT Clients
Client-1 configuration
Client-1(config)# spanning-tree single 802-1w
Client-1(config)# show 802-1w vlan 1905
Single spanning tree is enabled. use "show 802-1w" command.
Client-1(config)# mstp instance 1 vlan 1905
Client-1(config)#
Client-2 configuration
Client-2(config)# mstp scope all
Enter MSTP scope would remove STP and topology group related configuration for system
Are you sure? (enter ‘y’ or ‘n’): y
‘MSTP Start" need to be entered in order to activate this MSTP feature
Client-2(config)# mstp start
Client-2(config)# mstp instance 1 vlan 1901
Client-2(config)# mstp instance 1 vlan 1905
Client-2(config)
GVRP
● Supported GVRP features
● GVRP overview
● GVRP application examples
● VLAN names created by GVRP
GVRP application examples
• Learn about VLANs from other Brocade devices and configure those VLANs on the ports that learn about the VLANs. The device listens for GVRP Protocol Data Units (PDUs) from other devices, and implements the VLAN configuration information in the PDUs.
• Advertise VLANs configured on the device to other Brocade devices. The device sends GVRP PDUs advertising its VLANs to other devices. GVRP advertises statically configured VLANs and VLANs learned from other devices through GVRP.
• Dynamic core and fixed edge
• Dynamic core and dynamic edge
• Fixed core and dynamic edge
• Fixed core and fixed edge
Dynamic core and fixed edge
In this configuration, all ports on the core device are enabled to learn and advertise VLAN information. The edge devices are configured to advertise their VLAN configurations on the ports connected to the core device. GVRP learning is disabled on the edge devices.
Dynamic core and dynamic edge
GVRP is enabled on the core device and on the edge devices. This type of configuration is useful if the devices in the edge clouds are running GVRP and advertise their VLANs to the edge devices. The edge devices learn the VLANs and also advertise them to the core. In this configuration, you do not need to statically configure the VLANs on the edge or core devices, although you can have statically configured VLANs on the devices.
GVRP configuration
and reload the software. The maximum number you can specify is listed in the Maximum column of the show default values display.
• The default VLAN (VLAN 1) is not advertised by the Brocade implementation of GVRP. The default VLAN contains all ports that are not members of statically configured VLANs or VLANs enabled for GVRP.
NOTE
The default VLAN has ID 1 by default. You can change the VLAN ID of the default VLAN, but only before GVRP is enabled.
GVRP configuration
To configure a device for GVRP, globally enable support for the feature, then enable the feature on specific ports. Optionally, you can disable VLAN learning or advertising on specific interfaces. You can also change the protocol timers and the GVRP base VLAN ID.
Changing the GVRP base VLAN ID
By default, GVRP uses VLAN 4093 as a base VLAN for the protocol. All ports that are enabled for GVRP become tagged members of this VLAN.
Enabling GVRP
To enable GVRP, enter commands such as the following at the global CONFIG level of the CLI.
device(config)#gvrp-enable
device(config-gvrp)#enable all
The first command globally enables support for the feature and changes the CLI to the GVRP configuration level. The second command enables GVRP on all ports on the device.
The following command enables GVRP on ports 1/24, 2/24, and 4/17.
Disabling VLAN learning
To disable VLAN learning on a port enabled for GVRP, enter a command such as the following at the GVRP configuration level.
device(config-gvrp)#block-learning ethernet 6/24
This command disables learning of VLAN information on port 6/24.
NOTE
The port still advertises VLAN information unless you also disable VLAN advertising.
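Because any GVRP-enabled port that still learns will accept VLAN registrations from whatever is attached to it, it is worth listing which ports learn and comparing that list against the ports you intend to trust. The following is an added example, not code from this guide: the function names, the trusted-port set, and the sample session are constructed, block-applicant is the advertising counterpart of block-learning (not shown in this section), and no forms are not handled.

```python
# Constructed CLI session in the style of this guide's GVRP examples.
SAMPLE = """\
device(config)#gvrp-enable
device(config-gvrp)#enable ethernet 1/24 ethernet 6/24 ethernet 8/17
device(config-gvrp)#block-learning ethernet 6/24
"""


def expand_ports(words):
    """Expand e.g. ['ethernet', '1/1', 'to', '1/3', 'ethernet', '2/5'] to a set of ports."""
    ports, last = set(), None
    tokens = iter(w for w in words if w not in ("ethernet", "ethe"))
    for tok in tokens:
        if tok == "to" and last is not None:
            end = next(tokens, None)
            if end is None:
                raise ValueError("'to' without an end port")
            prefix, _, first = last.rpartition("/")
            end_prefix, _, final = end.rpartition("/")
            if prefix != end_prefix:
                raise ValueError(f"range {last} to {end} crosses slots")
            sep = "/" if prefix else ""
            ports.update(f"{prefix}{sep}{n}"
                         for n in range(int(first), int(final) + 1))
            last = None
        else:
            ports.add(tok)
            last = tok
    return ports


def gvrp_roles(session, all_ports):
    """Map each GVRP-enabled port to what it may do with VLAN information.

    all_ports is the device's port list, needed to resolve the 'all' keyword
    (supplied by the caller; an assumption of this example).
    """
    sets = {"enable": set(), "block-learning": set(), "block-applicant": set()}
    for raw in session.splitlines():
        words = raw.split()
        if words and "#" in words[0]:          # drop the CLI prompt
            cmd = words[0].split("#", 1)[1]
            words = ([cmd] if cmd else []) + words[1:]
        if len(words) < 2 or words[0] not in sets:
            continue
        if words[1:] == ["all"]:
            sets[words[0]] |= set(all_ports)
        else:
            sets[words[0]] |= expand_ports(words[1:])
    names = {(True, True): "learn+advertise", (False, True): "advertise-only",
             (True, False): "learn-only", (False, False): "blocked"}
    roles = {}
    for port in sorted(sets["enable"]):
        learns = port not in sets["block-learning"]
        advertises = port not in sets["block-applicant"]
        roles[port] = names[(learns, advertises)]
    return roles


def unexpected_learners(roles, trusted_ports):
    """Ports that accept GVRP registrations but are not on the trusted list."""
    return sorted(p for p, role in roles.items()
                  if role.startswith("learn") and p not in trusted_ports)


if __name__ == "__main__":
    roles = gvrp_roles(SAMPLE, ["1/24", "6/24", "8/17"])
    for port, role in roles.items():
        print(port, role)
    print("review:", unexpected_learners(roles, {"1/24"}))
```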
Timer configuration requirements
NOTE
The actual interval is a random value between the Leaveall interval and 1.5 * the Leaveall time or the maximum Leaveall time, whichever is lower.
NOTE
You can increase the maximum configurable value of the Leaveall timer from 300000 ms up to 1000000 ms using the gvrp-max-leaveall-timer command. (Refer to Increasing the maximum configurable value of the Leaveall timer on page 220.
Converting a VLAN created by GVRP into a statically-configured VLAN
You cannot configure VLAN parameters on VLANs created by GVRP. Moreover, VLANs and VLAN ports added by GVRP do not appear in the running-config and cannot be saved in the startup-config file. To be able to configure and save VLANs or ports added by GVRP, you must convert the VLAN ports to statically-configured ports.
Displaying GVRP configuration information
To display GVRP configuration information, enter a command such as the following.
TABLE 34 CLI display of summary GVRP information (Continued)
Field: Description
Spanning Tree: The type of STP enabled on the device.
NOTE
The current release supports GVRP only with Single STP.
Dropped Packets Count: The number of GVRP packets that the device has dropped. A GVRP packet can be dropped for either of the following reasons:
• GVRP packets are received on a port on which GVRP is not enabled.
Displaying GVRP VLAN information
4093 4094 FORBIDDEN FORBIDDEN
This display shows the following information.
TABLE 35 CLI display of detailed GVRP information for a port
Field: Description
Port number: The port for which information is being displayed.
GVRP Enabled: Whether GVRP is enabled on the port.
GVRP Learning: Whether the port can learn VLAN information from GVRP.
GVRP Applicant: Whether the port can advertise VLAN information into GVRP.
TABLE 36 CLI display of summary VLAN information for GVRP
Field: Description
Number of VLANs in the GVRP Database: The number of VLANs in the GVRP database.
NOTE
This number includes the default VLAN (1), the GVRP base VLAN (4093), and the single STP VLAN (4094). These VLANs are not advertised by GVRP but are included in the total count.
Maximum Number of VLANs that can be present: The maximum number of VLANs that can be configured on the device.
Displaying GVRP statistics
TABLE 37 CLI display of summary VLAN information for GVRP (Continued)
Field: Description
Timer to Delete Entry Running: Whether all ports have left the VLAN and the timer to delete the VLAN itself is running. The timer is described in the note for the Leave timer in Changing the GVRP timers on page 222.
Legend: The meanings of the letter codes used in other parts of the display.
Forbidden Members: The ports that cannot become members of a VLAN advertised or learned by GVRP.
TABLE 38 CLI display of GVRP statistics (Continued)
Field - Description
Join Empty Received - The number of Join Empty messages received.
Join In Received - The number of Join In messages received.
Leave Empty Received - The number of Leave Empty messages received.
Leave In Received - The number of Leave In messages received.
Empty Received - The number of Empty messages received.
Leave All Transmitted - The number of Leaveall messages sent.
Clearing GVRP statistics
To clear the GVRP statistics counters, enter the clear gvrp statistics all command.
device#clear gvrp statistics all
This command clears the counters for all ports. To clear the counters for a specific port only, enter a command such as the following.
Dynamic core and dynamic edge
Enter the following commands on edge device B.
Fixed core and fixed edge
device(config-gvrp)#enable ethernet 1/24 ethernet 6/24 ethernet 8/17
device(config-gvrp)#block-learning ethernet 1/24 ethernet 6/24 ethernet 8/17
These VLAN commands configure VLANs 20, 30, 40, and 50. The GVRP commands enable the protocol on the ports that are connected to the edge devices, and disable VLAN learning on those ports. All the VLANs are advertised by GVRP.
Enter the following commands on edge devices A, B, and C.
Port mirroring and Monitoring
● Supported port mirroring and monitoring features (page 235)
● Port mirroring and monitoring overview (page 235)
● Port mirroring and monitoring configuration (page 236)
● Mirroring configuration on a traditional stack
Port mirroring and monitoring configuration
Port mirroring can be used as a diagnostic tool or debugging feature, especially for preventing attacks. Port mirroring can be managed locally or remotely. You configure port mirroring by assigning a port (known as the Monitor port) from which packets are copied and sent to a destination port (known as the Mirror port). All packets received on the Monitor port or issued from it are forwarded to the second port.
Configuration notes for port mirroring and monitoring
Refer to the following guidelines when configuring port mirroring and monitoring:
• If you configure both ACL mirroring and ACL-based rate limiting on the same port, then all packets that match are mirrored, including the packets that exceed the rate limit.
• ICX and FCX Series devices support sFlow and port monitoring together on the same port.
Command syntax for port mirroring and monitoring
device(config-if-e1000-1/1/3)# acl-mirror-port ethernet 2/1/48
device(config-if-e1000-1/1/3)# ip access-group 102 in
• Because of hardware limitations on the SX-FI48GPP interface module, if the monitored port is on the SX-FI48GPP module, mirrored packets vary slightly from original (monitored) packets, depending on the type of management or interface module on which the mirror port (analyzer) is configured:
‐ When ingress or egress mirroring is enabled b
Mirroring configuration on a traditional stack
device(config)#mirror-port ethernet 1/1/1
device(config)#lag automation
device(config-lag-automation)#monitor ethe-port-monitored 1/1/2 ethernet 1/1/1 both
device#sh mirror
Mirror port 1/1/1
Input monitoring : (U1/M1) 1
Output monitoring : (U1/M1) 1
device#sh mirror ethernet 1/1/1
Mirror port 1/1/1
Input monitoring : (U1/M1) 1
Output monitoring : (U1/M1) 1
device#sh run | i mirror
mirror-port ethernet 1/1/1
device#sh run | i monitor ethe
monitor ethe-port
Configuring mirroring for ports on the same stack member in a traditional stack example
In this example, the mirror ports are assigned to different monitor ports.
• SX-FI-2XG
• SX-FI-8XG
On all other interface modules, you can select traffic to be mirrored using only a permit clause.
Destination mirror port
You can specify physical ports or a trunk to mirror traffic. If you complete the rest of the configuration but do not specify a destination mirror port, the port-mirroring ACL is non-operational. This can be useful if you want to be able to mirror traffic by a set of criteria on demand.
Specifying the destination mirror port for trunk ports
ACL 101 is mirrored to port 4/3 even though a destination port has not explicitly been defined for traffic from port 1/1.
Configuring ACL-based mirroring for ACLs bound to virtual interfaces
device(config-lag-test)#ports ethernet 1/1/1 to 1/1/2
device(config-lag-test)#primary-port 1/1/1
device(config-lag-test)#deploy
device(config-if-e-1/1/1)#acl-mirror-port ethernet 1/1/38
To delete the trunk, enter the following command.
MAC address filter-based mirroring
NOTE
The MAC address filter-based mirroring feature is not supported on FastIron X Series devices.
This feature allows traffic entering an ingress port to be monitored from a mirror port connected to a data analyzer, based on specific source and destination MAC addresses. This feature supports mirroring of inbound traffic only. Outbound mirroring is not supported.
3. Applying the MAC address filter to an interface
Apply the MAC address filter to an interface using the mac-filter-group command.
device(config)#interface ethernet 0/1/1
device(config-if-e10000-0/1/1)#mac filter-group 1
4.
Displaying VLAN-based mirroring status
The show vlan command displays the VLAN-based mirroring status.
Restrictions and capabilities of VLAN-based mirroring
• SX-FI-2XG
• SX-FI-8XG
• SX-FI48GPP
NOTE
Egress VLAN-based mirroring is not currently supported on the stacking platforms.
The FastIron X Series of modules are capable of monitoring 4096 VLANs. In a chassis environment, this introduces restrictions to the number of ports that can be configured as mirror ports.
Tagged versus untagged ports in VLANs
TABLE 40 ACL and rate limiting effects
ACL profile | Ingress result | Egress result
Ingress ACL on port | Packets ingress mirrored at expected (sent) rate | Packets egress mirrored at expected (sent) rate
Egress ACL on port | Packets ingress mirrored at expected (sent) rate | Packets egress mirrored at expected (sent) rate
Ingress rate limiting on port | Packets ingress mirrored at expected (sent) rate | Packets egress mirrored at the limited rate
Egress rate shaping on por
Configuring VLAN-based mirroring
TABLE 42 VLAN-based mirroring behavior: Tagged versus untagged ports (Continued)
Ingress tag type | Egress tag type | VLAN-based mirroring direction | Mirrored traffic tag type
Untagged | Tagged | Ingress | Untagged
Untagged | Tagged | Egress | Tagged
Tagged | Untagged | Ingress | Tagged
Tagged | Untagged | Egress | Tagged
Tagged | Tagged | Ingress | Tagged
Tagged | Tagged | Egress | Tagged
As illustrated in the above table, regardless of the egress port tag type, if a VLAN is egress mir
Spanning Tree Protocol
● Supported STP features (page 251)
● STP overview (page 252)
● Standard STP parameter configuration (page 252)
● STP feature configuration
STP overview
Feature ICX 6430 ICX 6450 FCX ICX 6610 ICX 6650 FSX 800 FSX 1600 ICX 7750
Root Guard 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10
Port statistics 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10
Error disable recovery 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.
TABLE 43 Default STP states (Continued)
Device type Default STP type Default STP state Default STP state of new VLANs1
Base L3 image default No span Disabled Disabled
Layer 2 switch MSTP2 Enabled Enabled
Layer 3 switch MSTP Disabled Disabled
ICX 6650
1. When you create a port-based VLAN, the new VLAN STP state is the same as the default STP state on the device. The new VLAN does not inherit the STP state of the default VLAN.
Enabling or disabling the Spanning Tree Protocol (STP)
TABLE 45 Default STP port parameters
Parameter - Description - Default and valid values
Priority - The preference that STP gives this port relative to other ports for forwarding traffic out of the spanning tree. A higher numerical value means a lower priority. - 128
Path Cost - The cost of using the port to reach the root bridge.
Enabling or disabling STP globally
Use the following method to enable or disable STP on a device on which you have not configured port-based VLANs.
NOTE
When you configure a VLAN, the VLAN inherits the global STP settings. However, once you begin to define a VLAN, you can no longer configure standard STP parameters globally using the CLI. From that point on, you can configure STP only within individual VLANs.
Changing STP bridge and port parameters
Table 44 on page 253 and Table 45 on page 254 list the default STP parameters. If you need to change the default value for an STP parameter, use the following procedures.
Changing STP bridge parameters
NOTE
If you plan to change STP bridge timers, Brocade recommends that you stay within the following ranges, from section 8.10.2 of the IEEE STP specification.
Changing STP port parameters
To change the path and priority costs for a port, enter commands such as the following.
device(config)#vlan 10
device(config-vlan-10)#spanning-tree ethernet 5 path-cost 15 priority 64
Syntax: spanning-tree ethernet port path-cost value | priority value | disable | enable
The path-cost value parameter specifies the port cost as a path to the spanning tree root bridge. STP prefers the path with the lowest cost. You can specify a value from 0 - 65535.
Enter the no form of the command to disable STP protection on the port.
Clearing BPDU drop counters
For each port that has STP Protection enabled, the Brocade device counts and records the number of dropped BPDUs. You can use CLI commands to clear the BPDU drop counters for all ports on the device, or for a specific port on the device.
Displaying STP information for an entire device
To display STP information, enter the following command at any level of the CLI.
device#show span
VLAN 1 BPDU cam_index is 3 and the Master DMA Are(HEX)
STP instance owned by VLAN 1
Global STP (IEEE 802.
TABLE 46 CLI display of STP information (Continued)
Field - Description
Priority Hex - This device or VLAN STP priority. The value is shown in hexadecimal format.
NOTE
If you configure this value, specify it in decimal format. Refer to Changing STP bridge parameters on page 256.
Max age sec - The number of seconds this device or VLAN waits for a configuration BPDU from the root bridge before deciding the root has become unavailable and performing a reconvergence.
Displaying the STP state of a port-based VLAN
TABLE 46 CLI display of STP information (Continued)
Field - Description
State - The port STP state. The state can be one of the following:
• BLOCKING - STP has blocked Layer 2 traffic on this port to prevent a loop. The device or VLAN can reach the root bridge using another port, whose state is FORWARDING. When a port is in this state, the port does not transmit or receive user frames, but the port does continue to receive STP BPDUs.
Untagged Ports: (S3) 17 18 19 20 21 22 23 24
Untagged Ports: (S4) 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
Untagged Ports: (S4) 18 19 20 21 22 23 24
Tagged Ports: None
Uplink Ports: None
PORT-VLAN 2, Name greenwell, Priority level0, Spanning tree Off
Untagged Ports: (S1) 1 2 3 4 5 6 7 8
Untagged Ports: (S4) 1
Tagged Ports: None
Uplink Ports: None
Syntax: show vlan [vlan-id | ethernet port]
The vlan-id parameter specifies a VLAN for which you want to display the configuration informa
TABLE 47 CLI display of detailed STP information for ports
Field - Description
Active Spanning Tree protocol - The VLAN that contains the listed ports and the active Spanning Tree protocol. The STP type can be one of the following:
• MULTIPLE SPANNNG TREE (MSTP)
• GLOBAL SINGLE SPANNING TREE (SSTP)
NOTE
If STP is disabled on a VLAN, the command displays the following message instead: "Spanning-tree of port-vlan vlan-id is disabled.
TABLE 47 CLI display of detailed STP information for ports (Continued)
Field - Description
Port number and STP state - The internal port number and the port STP state. The internal port number is one of the following:
• The port interface number, if the port is the designated port for the LAN.
• The interface number of the designated port from the received BPDU, if the interface is not the designated port for the LAN.
Displaying detailed STP information for a single port in a specific VLAN
TABLE 47 CLI display of detailed STP information for ports (Continued)
Field - Description
Active Timers - The current values for the following timers, if active:
• Message age - The number of seconds this port has been waiting for a hello message from the root bridge.
• Forward delay - The number of seconds that have passed since the last topology change and consequent reconvergence.
BPDUs Sent and Received
STP feature configuration
You also can display the STP states of all ports by entering the show interface brief command such as the following, which uses the brief parameter.
Disabling and re-enabling fast port span
MAC aging interval is 5 minutes, the aging interval changes temporarily to the value of the forward delay (for example, 15 seconds) in response to an STP topology change. In normal STP, the accelerated cache aging occurs even when a single host goes up or down.
Fast Uplink Span
To exclude a contiguous (unbroken) range of ports from Fast Span, enter commands such as the following.
device(config)#fast port-span exclude ethernet 1 to 24
device(config)#write memory
Syntax: [no] fast port-span [ exclude ethernet port [ethernet port] | to [port]]
To re-enable Fast Port Span on a port, enter a command such as the following.
Active uplink port failure
NOTE
When the wiring closet switch (Brocade device) first comes up or when STP is first enabled, the uplink ports still must go through the standard STP state transition without any acceleration. This behavior guards against temporary routing loops as the switch tries to determine the states for all the ports. Fast Uplink Span acceleration applies only when a working uplink becomes unavailable.
Configuring a Fast Uplink Port Group
To configure a group of ports for Fast Uplink Span, enter the following commands:
device(config)# fast uplink-span ethernet 4/1 to 4/4
device(config)# write memory
Syntax: [no] fast uplink-span [ ethernet port [ethernet port...| to port]]
This example configures four ports, 4/1 - 4/4, as a Fast Uplink Span group. In this example, all four ports are connected to a wiring closet switch.
802.1W Rapid Spanning Tree (RSTP)
STP instance owned by VLAN 2
Global STP (IEEE 802.
Unique roles are assigned to ports on the root and non-root bridges. Role assignments are based on the following information contained in the Rapid Spanning Tree Bridge Packet Data Unit (RST BPDU):
• Root bridge ID
• Path cost value
• Transmitting bridge ID
• Designated port ID
The 802.1W algorithm uses this information to determine if the RST BPDU received by a port is superior to the RST BPDU that the port transmits.
The topology in the following figure contains four bridges. Switch 1 is the root bridge since it has the lowest bridge priority. Switch 2 through Switch 4 are non-root bridges.
FIGURE 40 Simple 802.1W topology
Assignment of ports on Switch 1
All ports on Switch 1, the root bridge, are assigned Designated port roles.
Assignment of ports on Switch 2
Port2 on Switch 2 directly connects to the root bridge; therefore, Port2 is the Root port.
Edge ports and edge port roles
Assignment of ports on Switch 3
Port2 on Switch 3 directly connects to the Designated port on the root bridge; therefore, it assumes the Root port role. The root path cost of the RST BPDUs received on Port4/Switch 3 is inferior to the RST BPDUs transmitted by the port; therefore, Port4/Switch 3 becomes the Designated port. Similarly Switch 3 has a bridge priority value inferior to Switch 2. Port3 on Switch 3 connects to Port 3 on Switch 2.
FIGURE 41 Topology with edge ports
However, if any incoming RST BPDU is received from a previously configured Edge port, 802.1W automatically makes the port a non-edge port. This is extremely important to ensure loop-free Layer 2 operation, since a non-edge port is part of the active RSTP topology. The 802.1W protocol can auto-detect an Edge port and a non-edge port. An administrator can also configure a port to be an Edge port using the CLI.
Point-to-point ports
To take advantage of the 802.1W features, ports on an 802.1W topology should be explicitly configured as point-to-point links using the CLI. Shared media should not be configured as point-to-point links.
NOTE
Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops.
The topology in the following figure is an example of shared media that should not be configured as point-to-point links.
If a port on one bridge has a Designated role and that port is connected to a port on another bridge that has an Alternate or Backup role, the port with a Designated role cannot be given a Root port role until two instances of the forward delay timer expire on that port.
Edge port and non-edge port states
As soon as a port is configured as an Edge port using the CLI, it goes into a forwarding state instantly (in less than 100 msec).
802.1W state machines attempt to quickly place the ports into either a forwarding or discarding state. Root ports are quickly placed in forwarding state when both of the following events occur:
• It is assigned to be the Root port.
• It receives an RST BPDU with a proposal flag from a Designated port. The proposal flag is sent by ports with a Designated role when they are ready to move into a forwarding state.
FIGURE 43 Proposing and proposed stage
• Sync - Once the Root port is elected, it sets a sync signal on all the ports on the bridge. The signal tells the ports to synchronize their roles and states (Figure 44). Ports that are non-edge ports with a role of Designated port change into a discarding state. These ports have to negotiate with their peer ports to establish their new roles and states.
FIGURE 44 Sync stage
• Synced - Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced. The Root port monitors the synced signals from all the bridge ports. Once all bridge ports assert a synced signal, the Root port asserts its own synced signal as shown in the following figure.
FIGURE 45 Synced stage
• Agreed - The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state. When the peer Designated port receives the RST BPDU, it rapidly transitions into a forwarding state.
FIGURE 46 Agree stage
At this point, the handshake mechanism is complete between Switch 100, the root bridge, and Switch 200. Switch 200 updates the information on the Switch 200 Designated ports (Port2 and Port3) and identifies the new root bridge. The Designated ports send RST BPDUs, containing proposal flags, to their downstream bridges, without waiting for the hello timers to expire on them. This process starts the handshake with the downstream bridges.
Handshake when a root port has been elected
If a non-root bridge already has a Root port, 802.1W uses a different type of handshake. For example, in the following figure, a new root bridge is added to the topology.
FIGURE 47 Addition of a new root bridge
The handshake that occurs between Switch 60 and Switch 100 follows the one described in the previous section (Handshake when no root port is elected).
FIGURE 48 New root bridge sending a proposal flag
• Sync and Reroot - The Root port then asserts a sync and a reroot signal on all the ports on the bridge. The signal tells the ports that a new Root port has been assigned and they are to renegotiate their new roles and states. The other ports on the bridge assert their sync and reroot signals. Information about the old Root port is discarded from all ports.
FIGURE 49 Sync and reroot
• Sync and Rerooted - When the ports on Switch 200 have completed the reroot phase, they assert their rerooted signals and continue to assert their sync signals as they continue in their discarding states. They also continue to negotiate their roles and states with their peer ports as shown in the following figure.
FIGURE 50 Sync and rerooted
• Synced and Agree - When all the ports on the bridge assert their synced signals, the new Root port asserts its own synced signal and sends an RST BPDU to Port4/Switch 60 that contains an agreed flag as shown in the following figure. The Root port also moves into a forwarding state.
FIGURE 51 Rerooted, synced, and agreed
The old Root port on Switch 200 becomes an Alternate Port as shown in the following figure. Other ports on that bridge are elected to appropriate roles. The Designated port on Switch 60 goes into a forwarding state once it receives the RST BPDU with the agreed flag.
802.1W convergence in a simple topology
FIGURE 52 Handshake completed after election of new root port
Recall that Switch 200 sent the agreed flag to Port4/Switch 60 and not to Port1/Switch 100 (the port that connects Switch 100 to Switch 200). Therefore, Port1/Switch 100 does not go into forwarding state instantly. It waits until two instances of the forward delay timer expire on the port before it goes into forwarding state. At this point the handshake between Switch 60 and Switch 200 is complete.
Convergence at start up
In the following figure, two bridges Switch 2 and Switch 3 are powered up. There are point-to-point connections between Port3/Switch 2 and Port3/Switch 3.
FIGURE 53 Convergence between two bridges
At power up, all ports on Switch 2 and Switch 3 assume Designated port roles and are at discarding states before they receive any RST BPDU. Port3/Switch 2, with a Designated role, transmits an RST BPDU with a proposal flag to Port3/Switch 3.
FIGURE 54 Simple Layer 2 topology
The point-to-point connections between the three bridges are as follows:
• Port2/Switch 1 and Port2/Switch 2
• Port4/Switch 1 and Port4/Switch 3
• Port3/Switch 2 and Port3/Switch 3
Ports 3 and 5 on Switch 1 are physically connected together.
At start up, the ports on Switch 1 assume Designated port roles, which are in discarding state. They begin sending RST BPDUs with proposal flags to move into a forwarding state.
Convergence after a link failure
currently being received by the current Root port (Port4). Therefore, Port3 retains the role of Alternate port.
Port3/Switch 1 and Port5/Switch 1 are physically connected. Port5/Switch 1 received RST BPDUs that are superior to those received on Port3/Switch 1; therefore, Port5/Switch 1 is given the Backup port role while Port3 is given the Designated port role. Port3/Switch 1 does not go directly into a forwarding state.
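The role assignment described above, worked through for the three-bridge topology whose connections the text lists (an added example, not Brocade code). Bridge priorities, MAC addresses and the uniform port path cost are constructed values; port priority is assumed equal on all ports so the port number alone breaks ties, and every port is modeled as always advertising its own vector, a simplification that settles on the same final roles.

```python
"""802.1W port roles derived from RST BPDU priority vectors (added example)."""
from typing import Dict, List, Tuple

# Priority vector, compared field by field in the order the text lists them:
# (root bridge ID, root path cost, transmitting bridge ID, designated port ID).
# Numerically lower is superior, so Python tuple ordering does the comparison.
Vector = Tuple[int, int, int, int]
Port = Tuple[str, int]  # (bridge name, port number)


def bridge_id(priority: int, mac: int) -> int:
    """Bridge ID: 16-bit priority above a 48-bit MAC address (lower wins)."""
    return (priority << 48) | mac


def is_superior(a: Vector, b: Vector) -> bool:
    """True when vector a is superior to (numerically lower than) vector b."""
    return a < b


def assign_roles(bridges: Dict[str, int],
                 links: List[Tuple[Port, Port]],
                 cost: int = 20000) -> Dict[Port, str]:
    """Iterate BPDU exchange to a fixed point and return each port's role.

    cost is an assumed uniform port path cost (constructed value).
    """
    peer: Dict[Port, Port] = {}
    for a, b in links:
        peer[a], peer[b] = b, a
    # Start-up: every bridge believes it is the root and advertises itself.
    tx: Dict[Port, Vector] = {
        p: (bridges[p[0]], 0, bridges[p[0]], p[1]) for p in peer
    }
    roles: Dict[Port, str] = {}
    for _ in range(len(bridges) + 1):  # enough rounds for a static topology
        new_tx, roles = {}, {}
        for name, bid in bridges.items():
            ports = sorted(p for p in peer if p[0] == name)
            rx = {p: tx[peer[p]] for p in ports}
            # Best path to the root: own claim, or a received vector plus the
            # receiving port's cost. BPDUs sent by this bridge are ignored.
            best = (bid, 0, bid, 0, 0)
            root_port = None
            for p in ports:
                root, path_cost, sender, sender_port = rx[p]
                if sender == bid:
                    continue
                candidate = (root, path_cost + cost, sender, sender_port, p[1])
                if candidate < best:
                    best, root_port = candidate, p
            for p in ports:
                mine: Vector = (best[0], best[1], bid, p[1])
                new_tx[p] = mine
                if p == root_port:
                    roles[p] = "Root"
                elif is_superior(mine, rx[p]):
                    roles[p] = "Designated"
                elif rx[p][2] == bid:
                    roles[p] = "Backup"      # superior BPDU from this bridge
                else:
                    roles[p] = "Alternate"   # superior BPDU from another bridge
        tx = new_tx
    return roles


# Constructed sample values: priorities and MACs are not taken from the guide.
BRIDGES = {
    "Switch 1": bridge_id(4096, 0x0000AA000001),
    "Switch 2": bridge_id(8192, 0x0000AA000002),
    "Switch 3": bridge_id(32768, 0x0000AA000003),
}
# Connections as listed in the text, including the Port3-Port5 loop on Switch 1.
LINKS = [
    (("Switch 1", 2), ("Switch 2", 2)),
    (("Switch 1", 4), ("Switch 3", 4)),
    (("Switch 2", 3), ("Switch 3", 3)),
    (("Switch 1", 3), ("Switch 1", 5)),
]

if __name__ == "__main__":
    for port, role in sorted(assign_roles(BRIDGES, LINKS).items()):
        print(f"Port{port[1]}/{port[0]}: {role}")
```

With these values the result matches the roles the text describes: Port4/Switch 3 is the Root port, Port3/Switch 3 is Alternate, and Port5/Switch 1 is Backup while Port3/Switch 1 is Designated.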
Convergence at link restoration
FIGURE 56 Link failure in the topology
Switch 1 sets its Port2 into a discarding state. At the same time, Switch 2 assumes the role of a root bridge since its root port failed and it has no operational Alternate port. Port3/Switch 2, which currently has a Designated port role, sends an RST BPDU to Switch 3. The RST BPDU contains a proposal flag and a bridge ID of Switch 2 as its root bridge ID. When Port3/Switch 3 receives the RST BPDUs, 802.
Convergence in a complex 802.1W topology
Next, the following happens:
• Port3/Switch 2, the Designated port, sends an RST BPDU, with a proposal flag to Port3/Switch 3.
• Port2/Switch 2 also sends an RST BPDU with an agreed flag to Port2/Switch 1 and then places itself into a forwarding state.
When Port2/Switch 1 receives the RST BPDU with an agreed flag sent by Port2/Switch 2, it puts that port into a forwarding state. The topology is now fully converged.
Port5/Switch 2 then sends an RST BPDU with an agreed flag to Switch 5 to confirm that it is the new Root port and the port enters a forwarding state. Port7 and Port8 are informed of the identity of the new Root port. The 802.1W algorithm selects Port7 as the Designated port while Port8 becomes the Backup port. Port3/Switch 5 sends an RST BPDU to Port3/Switch 6 with a proposal flag. When Port3/Switch 5 receives the RST BPDU, handshake mechanisms select Port3 as the Root port of Switch 6.
FIGURE 58 Active Layer 2 path in complex topology
Propagation of topology change
The Topology Change state machine generates and propagates the topology change notification messages on each port. When a Root port or a Designated port goes into a forwarding state, the Topology Change state machine on that port sends a topology change notice (TCN) to all the bridges in the topology to propagate the topology change.
FIGURE 59 Beginning of topology change notice
Switch 2 then starts the TCN timer on the Designated ports and sends RST BPDUs that contain the TCN as follows (Figure 60):
• Port5/Switch 2 sends the TCN to Port2/Switch 5
• Port4/Switch 2 sends the TCN to Port4/Switch 6
• Port2/Switch 2 sends the TCN to Port2/Switch 1
FIGURE 60 Sending TCN to bridges connected to Switch 2
Then Switch 1, Switch 5, and Switch 6 send RST BPDUs that contain the TCN to Switch 3 and Switch 4 to complete the TCN propagation as shown in the following figure.
FIGURE 61 Completing the TCN propagation
Compatibility of 802.1W with 802.1D
802.1W-enabled bridges are backward compatible with IEEE 802.1D bridges. This compatibility is managed on a per-port basis by the Port Migration state machine. However, intermixing the two types of bridges in the network topology is not advisable if you want to take advantage of the rapid convergence feature. Compatibility with 802.1D means that an 802.
Configuring 802.1W parameters on a Brocade device
FIGURE 62 802.1W bridges with an 802.1D bridge
Once Switch 20 is removed from the LAN, Switch 10 and Switch 30 receive and transmit BPDUs in the STP format to and from each other. This state will continue until the administrator enables the force-migration-check command to force the bridge to send RSTP BPDUs during a migrate time period.
To enable 802.1W for all ports in a port-based VLAN, enter commands such as the following.
device(config)#vlan 10
device(config-vlan-10)#spanning-tree 802-1w
Syntax: [no] spanning-tree 802-1w
Note regarding pasting 802.1W settings into the running configuration
If you paste 802.1W settings into the running configuration, and the pasted configuration includes ports that are already up, the ports will initially operate in STP legacy mode before operating in 802.1W RSTP mode.
NOTE
If you change the 802.1W state of the primary port in a trunk group, the change affects all ports in that trunk group.
To disable or enable 802.1W on an individual port, enter commands such as the following.
device(config)#interface e 1
device(config-if-e1000-1)#no spanning-tree
Syntax: [no] spanning-tree
Changing 802.1W bridge parameters
When you make changes to 802.1W bridge parameters, the changes are applied to individual ports on the bridge. To change 802.
The priority value parameter specifies the priority of the bridge. You can enter a value from 0 - 65535. A lower numerical value means the bridge has a higher priority. Thus, the highest priority is 0. The default is 32768.
You can specify some or all of these parameters on the same command line. If you specify more than one parameter, you must specify them in the order shown above, from left to right.
Changing port parameters
The 802.
Displaying information about 802-1W
Example
Suppose you want to enable 802.1W on a system with no active port-based VLANs and change the hello-time from the default value of 2 to 8 seconds. Additionally, suppose you want to change the path and priority costs for port 5 only. To do so, enter the following commands.
TABLE 49 CLI display of 802.1W summary (Continued)
Field - Description
txHoldCnt - The number of BPDUs that can be transmitted per Hello Interval. The default is 3.
Root Bridge Identifier - ID of the Root bridge that is associated with this bridge.
Root Path Cost - The cost to reach the root bridge from this bridge. If the bridge is the root bridge, then this parameter shows a value of zero.
Designated Bridge Identifier - The bridge from where the root information was received.
TABLE 49 CLI display of 802.1W summary (Continued)
Field - Description
Pri - The configured priority of the port. The default is 128 or 0x80.
Port Path Cost - The configured path cost on a link connected to this port.
P2P Mac - Indicates if the point-to-point-mac parameter is configured to be a point-to-point link:
• T - The link is configured as a point-to-point link.
• F - The link is not configured as a point-to-point link. This is the default.
Edge port
MachineStates - PIM: CURRENT, PRT: DESIGNATED_PORT, PST: FORWARDING
TCM: ACTIVE, PPM: SENDING_RSTP, PTX: TRANSMIT_IDLE
Received - RST BPDUs 0, Config BPDUs 0, TCN BPDUs 0
Syntax: show 802-1w detail [vlan vlan-id]
The vlan vlan-id parameter displays 802.1W information for the specified port-based VLAN.
The show spanning-tree 802.1W command shows the following information.
TABLE 50 CLI display of show spanning-tree 802.
802.1W Draft 3
TABLE 50 CLI display of show spanning-tree 802.1W (Continued)
Field - Description
AdminP2PMac - Indicates if the point-to-point-mac parameter is configured to be a point-to-point link:
• T - The link is a point-to-point link
• F - The link is not a point-to-point link. This is the default.
DesignatedPriority - Shows the following:
• Root - Shows the ID of the root bridge for this bridge.
• Bridge - Shows the ID of the Designated bridge that is associated with this port.
ActiveTimers
802.1W Draft 3 support is disabled by default. When the feature is enabled, if a root port on a Brocade device that is not the root bridge becomes unavailable, the device can automatically switch over to an alternate root port, without reconvergence delays. 802.1W Draft 3 does not apply to the root bridge, since all the root bridge ports are always in the forwarding state.
The following figure shows an example of an optimal STP topology.
FIGURE 64 802.1W Draft 3 RSTP failover to alternate root port
In this example, port 3/3 on Switch 3 has become unavailable. In standard STP (802.1D), if the root port becomes unavailable, the Switch must go through the listening and learning stages on the alternate port to reconverge with the spanning tree. Thus, port 3/4 must go through the listening and learning states before entering the forwarding state and thus reconverging with the spanning tree. 802.
Spanning tree reconvergence time

Spanning tree reconvergence using 802.1W Draft 3 can occur within one second. After the spanning tree reconverges following the topology change, traffic also must reconverge on all the bridges attached to the spanning tree. This is true regardless of whether 802.1W Draft 3 or standard STP is used to reconverge the spanning tree.
Single Spanning Tree (SSTP)

Enabling 802.1W Draft 3 when single STP is not enabled

By default, each port-based VLAN on the device has its own spanning tree. To enable 802.1W Draft 3 in a port-based VLAN, enter commands such as the following.

device(config)#vlan 10
device(config-vlan-10)#spanning-tree rstp

Syntax: [no] spanning-tree rstp

This command enables 802.1W Draft 3. You must enter the command separately in each port-based VLAN in which you want to run 802.1W Draft 3.
SSTP defaults

SSTP is disabled by default. When you enable the feature, all VLANs on which STP is enabled become members of a single spanning tree. All VLANs on which STP is disabled are excluded from the single spanning tree. To add a VLAN to the single spanning tree, enable STP on that VLAN. To remove a VLAN from the single spanning tree, disable STP on that VLAN.
Displaying SSTP information

The commands shown above override the global setting for STP priority and set the priority to 10 for port 1/1. Here is the syntax for the global STP parameters.

Syntax: [no] spanning-tree single [forward-delay value] [hello-time value] | [maximum-age time] | [priority value]

Here is the syntax for the STP port parameters.

Syntax: [no] spanning-tree single [ethernet port path-cost value | priority value]

NOTE
Both commands listed above are entered at the global CONFIG level.
STP load balancing

FIGURE 65 STP per VLAN group example

A master VLAN contains one or more member VLANs. Each of the member VLANs in the STP Group runs the same instance of STP and uses the STP parameters configured for the master VLAN. In this example, the FastIron switch is configured with VLANs 3, 4, 13, and 14. VLANs 3 and 4 are grouped in master VLAN 2, which is in STP group 1. VLANs 13 and 14 are grouped in master VLAN 12, which is in STP group 2.
Configuration example for STP load sharing

device(config-vlan-2)#vlan 3
device(config-vlan-3)#tagged ethernet 1/1 to 1/4
device(config-vlan-3)#vlan 4
device(config-vlan-4)#tagged ethernet 1/1 to 1/4
device(config-vlan-4)#vlan 12
device(config-vlan-12)#spanning-tree priority 2
device(config-vlan-12)#tagged ethernet 1/1 to 1/4
device(config-vlan-12)#vlan 13
device(config-vlan-13)#tagged ethernet 1/1 to 1/4
device(config-vlan-13)#vlan 14
device(config-vlan-14)#tagged ethernet 1/1 to 1/4
device(config-vlan-14)
FIGURE 66 More complex STP per VLAN group example

In this example, each of the devices in the core is configured with a common set of master VLANs, each of which contains one or more member VLANs. Each of the member VLANs in an STP group runs the same instance of STP and uses the STP parameters configured for the master VLAN. The STP group ID identifies the STP instance. All VLANs within an STP group run the same instance of STP.
PVST/PVST+ compatibility

device(config-vlan-1)#spanning-tree priority 1
device(config-vlan-1)#tag ethernet 1/1 ethernet 5/1 to 5/3
device(config-vlan-1)#vlan 201
device(config-vlan-201)#spanning-tree priority 2
device(config-vlan-201)#tag ethernet 1/2 ethernet 5/1 to 5/3
device(config-vlan-201)#vlan 401
device(config-vlan-401)#spanning-tree priority 3
device(config-vlan-401)#tag ethernet 1/3 ethernet 5/1 to 5/3
...
Overview of PVST and PVST+

Support for Cisco's Per VLAN Spanning Tree plus (PVST+) allows a Brocade device to run multiple spanning trees (MSTP) while also interoperating with IEEE 802.1Q devices. Brocade ports automatically detect PVST+ BPDUs and enable support for the BPDUs once detected.
VLAN tags and dual mode

The dual-mode feature enables a port to send and receive both tagged and untagged frames. When the dual-mode feature is enabled on a port, the port is an untagged member of one of its VLANs and is at the same time a tagged member of all its other VLANs. The untagged frames are supported on the port's Port Native VLAN. The dual-mode feature must be enabled on a Brocade port in order to interoperate with another vendor device.
NOTE
If 802.1W and pvst-mode (either by auto-detection or by explicit configuration) are enabled on a tagged VLAN port, 802.1W will treat the PVST BPDUs as legacy 802.1D BPDUs.

Enabling dual-mode support

To enable the dual-mode feature on a port, enter the following command at the interface configuration level for the port.

device(config-if-1/1)#dual-mode

Syntax: [no] dual-mode [vlan-id]

The vlan-id specifies the port's Port Native VLAN.
PVST+ configuration examples

The following examples show two common configurations:

• Untagged IEEE 802.1Q BPDUs on VLAN 1 and tagged PVST+ BPDUs on other VLANs
• Tagged IEEE 802.1Q BPDUs on VLAN 1 and untagged BPDUs on another VLAN

Tagged port using default VLAN 1 as its port native VLAN

The following table shows an example of a PVST+ configuration that uses VLAN 1 as the untagged default VLAN and VLANs 2, 3, and 4 as tagged VLANs.
FIGURE 69 Port Native VLAN 2 for Untagged BPDUs

To implement this configuration, enter the following commands.
PVRST compatibility

that there is no better bridge on the network and sets the ports to FORWARDING. This could cause a Layer 2 loop. The following configuration is correct.
Enabling BPDU protection by port

You enable STP BPDU guard on individual interfaces. The feature is disabled by default. To enable STP BPDU guard on a specific port, enter a command such as the following.

device(config)#interface ethe 2/1
device(config-if-e1000-2/1)#stp-bpdu-guard

Syntax: [no] stp-bpdu-guard

The no parameter disables the BPDU guard on this interface. You can also use the multiple interface command to enable this feature on multiple ports at once.
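One way to audit a saved configuration for edge ports that lack the stp-bpdu-guard command described above. This is an added example, not code from the guide: the sample configuration is constructed, the interface stanza layout is assumed, and treating untagged-only ports as edge ports is a heuristic of this example.

```python
import re

# Constructed sample configuration (not from the guide). The stanza layout
# ("interface ethernet <port>" followed by indented options) is an assumption.
SAMPLE_CONFIG = """\
vlan 10 by port
 untagged ethe 1/1 to 1/4
 tagged ethe 2/1
 spanning-tree
!
vlan 20 by port
 untagged ethe 1/5 to 1/6
 tagged ethe 2/1
 spanning-tree
!
interface ethernet 1/1
 stp-bpdu-guard
!
interface ethernet 1/2
 stp-bpdu-guard
!
interface ethernet 1/5
 stp-bpdu-guard
!
"""

INTERFACE = re.compile(r"interface (?:ethernet|ethe) (\S+)$")


def split_port(port):
    """Split '1/4' into ('1/', 4) and '8' into ('', 8)."""
    prefix, _, last = port.rpartition("/")
    return (prefix + "/" if prefix else ""), int(last)


def expand_ports(spec):
    """Expand 'ethe 1/1 to 1/4 ethe 2/1' into individual port names."""
    tokens = [t for t in spec.split() if t not in ("ethe", "ethernet")]
    ports = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "to":
            if not ports or i + 1 >= len(tokens):
                raise ValueError("range without both end points: " + spec)
            prefix, first = split_port(ports[-1])
            end_prefix, last = split_port(tokens[i + 1])
            if prefix != end_prefix:
                raise ValueError("range crosses slots: " + spec)
            ports.extend(f"{prefix}{n}" for n in range(first + 1, last + 1))
            i += 2
        else:
            ports.append(tokens[i])
            i += 1
    return ports


def parse_config(text):
    """Return (untagged ports, tagged ports, ports with stp-bpdu-guard)."""
    untagged, tagged, guarded = set(), set(), set()
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        match = INTERFACE.match(line)
        if match:
            current_if = match.group(1)
        elif line == "!" or line.startswith("vlan "):
            current_if = None          # stanza boundary
        elif line.startswith("untagged "):
            untagged.update(expand_ports(line[len("untagged "):]))
        elif line.startswith("tagged "):
            tagged.update(expand_ports(line[len("tagged "):]))
        elif line == "stp-bpdu-guard" and current_if:
            guarded.add(current_if)
    return untagged, tagged, guarded


def unguarded_edge_ports(text):
    """Ports that are untagged-only (heuristic for edge ports) without BPDU guard."""
    untagged, tagged, guarded = parse_config(text)
    missing = (untagged - tagged) - guarded
    return sorted(missing, key=lambda p: [int(x) for x in p.split("/")])


if __name__ == "__main__":
    for port in unguarded_edge_ports(SAMPLE_CONFIG):
        print("no stp-bpdu-guard on edge port", port)
```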
Port 8 No
Port 9 No
Port 10 No
Port 11 No
Port 12 Yes
Port 13 No

BPDU guard status example configurations

The following example shows how to configure BPDU guard at the interface level and to verify the configuration by issuing the show stp-bpdu-guard and the show interface commands.
A console message such as the following is generated after a BPDU guard violation occurs on a system that is running RSTP.

device(config-vlan-1)#RSTP: Received BPDU on BPDU guard enabled Port 23 (vlan=1),errdisable Port 23

Root guard

The standard STP (802.1D), RSTP (802.1W) or 802.1S does not provide any way for a network administrator to securely enforce the topology of a switched layer 2 network.
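The BPDU guard console message shown above can drive a simple detection: a port that trips BPDU guard repeatedly, for example each time it is re-enabled, points to a device that keeps sending BPDUs. This is an added example, not from the guide; the log lines are constructed, and the timestamp and host prefix and the "STP:" variant of the message are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message body as printed in the guide for RSTP. Accepting an "STP:" prefix and
# optional space after the comma is an assumption of this example.
VIOLATION = re.compile(
    r"(?P<proto>R?STP): Received BPDU on BPDU guard enabled "
    r"Port (?P<port>\S+) \(vlan=(?P<vlan>\d+)\),\s*errdisable Port (?P=port)"
)
# Assumed collector prefix: "YYYY-MM-DD HH:MM:SS <host> ".
STAMP = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")

# Constructed sample lines (not captured from a device).
SAMPLE_LOG = """\
2014-07-30 09:00:01 sw1 RSTP: Received BPDU on BPDU guard enabled Port 23 (vlan=1),errdisable Port 23
2014-07-30 09:05:12 sw1 RSTP: Received BPDU on BPDU guard enabled Port 23 (vlan=1),errdisable Port 23
2014-07-30 09:07:40 sw1 constructed unrelated message
2014-07-30 09:10:30 sw1 RSTP: Received BPDU on BPDU guard enabled Port 23 (vlan=1),errdisable Port 23
2014-07-30 11:45:00 sw2 STP: Received BPDU on BPDU guard enabled Port 2/1 (vlan=10), errdisable Port 2/1
"""


def parse_violations(log_text):
    """Return one dict per BPDU guard violation line found in log_text."""
    events = []
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        hit = VIOLATION.search(line)
        if not (stamp and hit):
            continue
        events.append({
            "time": datetime.strptime(stamp["ts"], "%Y-%m-%d %H:%M:%S"),
            "host": stamp["host"],
            "proto": hit["proto"],
            "port": hit["port"],
            "vlan": int(hit["vlan"]),
        })
    return events


def repeat_offenders(events, threshold=3, window=timedelta(minutes=15)):
    """Map (host, port) to the largest number of violations seen inside any
    sliding window, for ports that reach the threshold."""
    by_port = defaultdict(list)
    for ev in events:
        by_port[(ev["host"], ev["port"])].append(ev["time"])

    flagged = {}
    for key, times in by_port.items():
        times.sort()
        start = 0
        best = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (host, port), count in repeat_offenders(parse_violations(SAMPLE_LOG)).items():
        print(f"{host} port {port}: {count} BPDU guard violations within 15 minutes")
```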
Displaying the STP root guard

To display the STP root guard state, enter the show running configuration or the show span root-protect command.

device#show span root-protect
Root Protection Enabled on:
Port 1

Syntax: show span root-protect

Displaying the root guard by VLAN

You can display root guard information for all VLANs or for a specific VLAN. For example, to display root guard violation information for VLAN 7.
NOTE
You cannot enable Designated Protection and Root Guard on the same port.

Enabling Designated Protection on a port

To disallow the designated forwarding state on a port in STP (802.1d or 802.1w), run the spanning-tree designated-protect command in interface configuration mode for that port. The following example shows that the designated forwarding state is disallowed on Ethernet interface 1/1/1.
Enabling an error-disabled port manually

NOTE
When automatic recovery re-enables the port, the port is not in the error-disabled state, but it can remain down for other reasons, such as the Tx/Rx of the fibre optic not being seated properly. Thus, the port is not able to receive the signal from the other side. In this case, after the optic is inserted correctly, you should manually disable the port and then enable it.
Displaying the recovery state for all conditions

Use the show errdisable recovery command to display the default error-disable recovery state for all possible conditions. In this example, port 6 is undergoing a recovery.
Multiple spanning-tree regions

Using MSTP, the entire network runs a common instance of RSTP. Within that common instance, one or more VLANs can be individually configured into distinct regions. The entire network runs the common spanning tree instance (CST) and the regions run a local instance. The local instance is known as Internal Spanning Tree (IST). The CST treats each instance of IST as a single bridge.
Configuration notes

Common and Internal Spanning Trees (CIST) - CIST is a collection of the ISTs in each MST region and the CST that interconnects the MST regions and single spanning trees.

Multiple Spanning Tree Instance (MSTI) - The MSTI is identified by an MST identifier (MSTid) value between 1 and 4094.

MSTP Region - These are clusters of bridges that run multiple instances of the MSTP protocol.
Reduced occurrences of MSTP reconvergence

Syntax: [no] mstp scope all

NOTE
MSTP is not operational, however, until the mstp start command is issued as described in Forcing ports to transmit an MSTP BPDU on page 338.

Once the system is configured into MSTP mode, CIST (sometimes referred to as "instance 0") is created and all existing VLANs inside the MSTP scope are controlled by CIST. In addition, whenever you create a new VLAN inside MSTP scope, it is put under CIST control by default.
Deleting a VLAN to MSTI mapping

 tagged ethe 1 to 2
 no spanning-tree
!
vlan 20 by port <----- VLAN 20 configuration
 tagged ethe 1 to 2
 no spanning-tree
!
mstp scope all
mstp instance 0 vlan 1
mstp instance 1 vlan 20
mstp start
some lines omitted for brevity...
device(config-vlan-20)#no vlan 20
device(config-vlan-20)#show run
Current configuration:
!
ver 04.2.
Version : 3 (MSTP mode)
Config Digest: 0x9bbda9c70d91f633e1e145fbcbf8d321
Status : Started
Instance VLANs
-------- ------------------------------------------------------
0        1
1        10 20

Syntax: show mstp config

Configuring additional MSTP parameters

To configure a switch for MSTP, you could configure the name and the revision on each switch that is being configured for MSTP. You must then create an MSTP Instance and assign an ID. VLANs are then assigned to MSTP instances.
The revision parameter specifies the revision level for MSTP that you are configuring on the switch. It can be a number from 0 to 65535. The default revision number is 0.

Configuring an MSTP instance

An MSTP instance is configured with an MSTP ID for each region. Each region can contain one or more VLANs. The Brocade implementation of MSTP allows you to assign VLANs or ranges of VLANs to an MSTP instance before or after they have been defined.
Setting the MSTP global parameters

MSTP has many of the options available in RSTP as well as some unique options. To configure MSTP global parameters for all instances on a switch, enter a command such as the following.

device(config)#mstp force-version 0 forward-delay 10 hello-time 4 max-age 12 max-hops 9

Syntax: [no] mstp force-version mode-number forward-delay value hello-time value max-age value max-hops value

The force-version parameter forces the bridge to send BPDUs in a specific format.
NOTE
If this feature is enabled, it takes the port about 3 seconds longer to come to the enable state.

Setting point-to-point link

You can set a point-to-point link between ports to increase the speed of convergence. To create a point-to-point link between ports, use a command such as the following at the Global Configuration level.
FIGURE 71 Sample MSTP configuration

RTR1 on MSTP configuration

device(config-vlan-4093)#tagged ethernet 10/1 to 10/2
device(config-vlan-4093)#exit
device(config)#mstp scope all
device(config)#mstp name Reg1
device(config)#mstp revision 1
device(config)#mstp admin-pt2pt-mac ethernet 10/1 to 10/2
device(config)#mstp start
device(config)#hostname RTR1

Core 1 on MSTP configuration

device(config)#trunk ethernet 2/9 to 2/12 ethernet 2/13 to 2/14
device(config-vlan-1)#name DEFAULT-VLAN by
Displaying MSTP statistics

Core2 on MSTP configuration

device(config)#trunk ethernet 3/5 to 3/6 ethernet
device(config)#vlan 1 name DEFAULT-VLAN by port
device(config-vlan-1)#exit
device(config)#vlan 20 by port
device(config-vlan-20)#tagged ethernet 3/5 to 3/6
device(config-vlan-20)#exit
device(config)#vlan 21 by port
device(config-vlan-21)#tagged ethernet 3/5 to 3/6
device(config-vlan-21)#exit
device(config)#vlan 22 by port
device(config-vlan-22)#tagged ethernet 3/5 to 3/6
device(config-vlan-22)#exit
devi
----------------------------------------------------------------------------
Bridge           Max RegionalRoot     IntPath Designated       Root Root
Identifier       Hop Bridge           Cost    Bridge           Port Hop
hex              cnt hex                      hex                   cnt
8001000cdb80af01 20  8001000cdb80af01 0       8001000cdb80af01 Root 20

Port Pri PortPath Role   State      Designa-  Designated
Num      Cost                       ted cost  bridge
3/1  128 2000     MASTER FORWARDING 0         8001000cdb80af01

Syntax: show mstp instance-number

The instance-number variable specifies the MSTP instance that you want to
Displaying MSTP information for a specified instance

TABLE 52 Output from Show MSTP (Continued)

Field | Description
PortPath Cost | Configured or auto detected path cost for port.
Displaying MSTP information for CIST instance 0

Instance 0 is the Common and Internal Spanning Tree Instance (CIST). When you display information for this instance there are some differences with displaying other instances. The following example displays MSTP information for CIST Instance 0.
VLANs

● Supported VLAN features
● VLAN overview
● Routing between VLANs
● Configuring IP subnet, IPX network and protocol-based VLANs
VLAN overview

Feature | ICX 6430 | ICX 6450 | FCX | ICX 6610 | ICX 6650 | FSX 800 FSX 1600 | ICX 7750
Layer 3 Subnet VLANs (Appletalk, IP subnet network, and IPX) | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
VLAN groups | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Multi-range VLANs | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Private VLANs (PVLANs) | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10a | 08.0.01 | No
Super Aggregated VLANs | 08.0.01 | 08.0.01 | 08.0.
Layer 2 port-based VLANs

• If the port belongs to an IP subnet VLAN, IPX network VLAN, or AppleTalk cable VLAN and the packet belongs to the corresponding IP subnet, IPX network, or AppleTalk cable range, the device forwards the packet to all the ports within that VLAN.
• If the packet is a Layer 3 packet but cannot be forwarded as described above, but the port is a member of a Layer 3 protocol VLAN for the packet protocol, the device forwards the packet on all the Layer 3 protocol VLAN ports.
The following figure shows an example of a Brocade device on which a Layer 2 port-based VLAN has been configured.

FIGURE 72 Brocade device containing user-defined Layer 2 port-based VLAN

Configuring port-based VLANs

Port-based VLANs allow you to provide separate spanning tree protocol (STP) domains or broadcast domains on a port-by-port basis.
• Change a VLAN priority
• Enable or disable STP on the VLAN

1--Simple port-based VLAN configuration

The following figure shows a simple port-based VLAN configuration using a single Brocade Layer 2 Switch. All ports within each VLAN are untagged. One untagged port within each VLAN is used to connect the Layer 2 Switch to a Layer 3 Switch (in this example, a FSX) for Layer 3 connectivity between the two port-based VLANs.
STP priority is configured to force FSX-A to be the root bridge for VLANs RED and BLUE. The STP priority on FSX-B is configured so that FSX-B is the root bridge for VLANs GREEN and BROWN.

FIGURE 74 More complex port-based VLAN

To configure the Port-based VLANs on the FSX Layer 2 Switches in the above figure, use the following method.

Configuring port-based VLANs on FSX-A

Enter the following commands to configure FSX-A.
Configuring port-based VLANs on FSX-B

Enter the following commands to configure FSX-B.
Removing a port-based VLAN

Suppose you want to remove VLAN 5 from the example in Figure 74 on page 350. To do so, use the following procedure.

1. Access the global CONFIG level of the CLI on FSX-A by entering the following commands.

device-A> enable
No password has been assigned yet...
device-A# configure terminal
device-A(config)#

2. Enter the following command.

device-A(config)# no vlan 5
device-A(config)#

3.
Multi-range VLAN

The multi-range VLAN feature allows users to use a single command to create and configure multiple VLANs. These VLANs can be continuous, for example from 2 to 7 or discontinuous, for example, 2 4 7.

NOTE
The maximum number of VLANs you can create or configure with a single command is 64.

Creating a multi-range VLAN

To create more than one VLAN with a single command, you can specify the VLAN number and range.
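The 64-VLAN limit in the NOTE above matters for scripted provisioning. This added example (not from the guide) parses a multi-range specification and splits it into commands of at most 64 VLANs each; that one command may mix ranges and single IDs is an assumption of the example.

```python
MAX_PER_COMMAND = 64  # limit stated in the guide's NOTE


def parse_vlan_spec(spec):
    """Turn '2 to 7' or '2 4 7' (or a mix) into a sorted list of unique IDs."""
    tokens = spec.split()
    ids = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "to":
            if not ids or i + 1 >= len(tokens):
                raise ValueError("'to' needs a VLAN ID on both sides")
            start, end = ids[-1], int(tokens[i + 1])
            if end < start:
                raise ValueError(f"descending range {start} to {end}")
            ids.extend(range(start + 1, end + 1))
            i += 2
        else:
            ids.append(int(tokens[i]))
            i += 1
    return sorted(set(ids))


def to_ranges(ids):
    """Collapse sorted IDs back into CLI text: [2, 3, 4, 7] -> '2 to 4 7'."""
    parts = []
    start = prev = ids[0]
    for value in ids[1:] + [None]:      # None flushes the final run
        if value is not None and value == prev + 1:
            prev = value
            continue
        parts.append(str(start) if start == prev else f"{start} to {prev}")
        start = prev = value
    return " ".join(parts)


def vlan_commands(spec):
    """Return 'vlan ...' commands, each covering at most MAX_PER_COMMAND VLANs."""
    ids = parse_vlan_spec(spec)
    return [
        "vlan " + to_ranges(ids[i:i + MAX_PER_COMMAND])
        for i in range(0, len(ids), MAX_PER_COMMAND)
    ]


if __name__ == "__main__":
    # 257 VLANs in one request: split into five commands.
    for command in vlan_commands("100 to 356"):
        print(command)
```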
If a single multi-range VLAN command contains more than 64 VLANs, the CLI does not add the VLAN IDs but instead displays an error message. An example is given below.

device(config)#vlan 100 to 356
ERROR -can't have more than 64 vlans at a time in a multi-range vlan command

Configuring a multi-range VLAN

You can configure multiple VLANs with a single command from the multi-range VLAN configuration level.
Command | Explanation
spanning-tree | Set spanning tree for this VLAN
static-mac-address | Configure static MAC for this VLAN
tagged | 802.1Q tagged port
uplink-switch | Define uplink ports and enable uplink switching
vsrp | Configure VSRP
vsrp-aware | Configure VSRP Aware parameters
write | Write running configuration to flash or terminal

NOTE
In FSX platform, the mac-vlan-permit command is not available in the multi-range vlan configuration mode.
vlan 21 by port
 tagged ethe 1/1/1
 spanning-tree 802-1w
!
vlan 22 by port
 tagged ethe 1/1/1
 spanning-tree 802-1w
!
vlan 23 by port
 tagged ethe 1/1/1
 spanning-tree 802-1w
!
vlan 24 by port
 tagged ethe 1/1/1
 spanning-tree 802-1w
!
! output omitted
!
!

Now you can modify any one or some of the VLANs. See the example below.

In the following example, disable the spanning tree 802.1w on VLANs 22, 23, and 24, and verify with show running-config output that the spanning tree 802.
In the following example, the first command will change the interface configuration level to the multi-range VLAN mode for the VLANs 4, 5 and 6. In the multi-range VLAN mode, enter the command show 802-1w. The output will display the information of STP for VLANs 4, 5 and 6.

device(config)#vlan 4 to 6
device(config-mvlan-4-6)#show 802-1w
--- VLAN 4 [ STP Instance owned by VLAN 4 ] ---------------------------
Bridge IEEE 802.
TABLE 53 VLAN show parameters (Continued)

Command | Definition
vsrp | Show VSRP commands

Layer 3 protocol-based VLANs

If you want some or all of the ports within a port-based VLAN to be organized according to Layer 3 protocol, you must configure a Layer 3 protocol-based VLAN within the port-based VLAN. You can configure each of the following types of protocol-based VLAN within a port-based VLAN. All the ports in the Layer 3 VLAN must be in the same Layer 2 VLAN.
FIGURE 75 Layer 3 protocol VLANs within a Layer 2 port-based VLAN

Integrated Switch Routing (ISR)

The Brocade Integrated Switch Routing (ISR) feature enables VLANs configured on Layer 3 Switches to route Layer 3 traffic from one protocol VLAN or IP subnet, IPX network, or AppleTalk cable VLAN to another. Normally, to route traffic from one IP subnet, IPX network, or AppleTalk cable VLAN to another, you would need to forward the traffic to an external router. The VLANs provide Layer 3 broadcast domains for these protocols but do not in themselves provide routing services for these protocols. This is true even if the source and destination IP subnets, IPX networks, or AppleTalk cable ranges are on the same device.

IP subnet, IPX network, and AppleTalk cable VLANs
Default VLAN

NOTE
IP subnet VLANs are not the same thing as IP protocol VLANs. An IP protocol VLAN sends all IP broadcasts on the ports within the IP protocol VLAN. An IP subnet VLAN sends only the IP subnet broadcasts for the subnet of the VLAN. You cannot configure an IP protocol VLAN and an IP subnet VLAN within the same port-based VLAN. This note also applies to IPX protocol VLANs and IPX network VLANs, and to AppleTalk protocol VLANs and AppleTalk cable VLANs.
802.1Q tagging

When you configure a port-based VLAN, one of the configuration items you provide is the ports that are in the VLAN. When you configure the VLAN, the Brocade device automatically removes the ports that you place in the VLAN from DEFAULT-VLAN. By removing the ports from the default VLAN, the Brocade device ensures that each port resides in only one Layer 2 broadcast domain.

NOTE
Information for the default VLAN is available only after you define another VLAN.
Support for 802.1ad (Q-in-Q) tagging

If you configure a VLAN that spans multiple devices, you need to use tagging only if a port connecting one of the devices to the other is a member of more than one port-based VLAN. If a port connecting one device to the other is a member of only a single port-based VLAN, tagging is not required. If you use tagging on multiple devices, each device must be configured for tagging and must use the same tag value.
Spanning Tree Protocol (STP)

• In addition to the default tag type 0x8100, you can now configure one additional global tag profile with a number from 0xffff.
• Tag profiles on a single port, or a group of ports can be configured to point to the global tag profile.

For example applications and configuration details, refer to 802.1ad tagging configuration on page 406.

To configure a global tag profile, enter the following command in the configuration mode.
Virtual routing interfaces

A virtual routing interface is a logical routing interface that Brocade Layer 3 Switches use to route Layer 3 protocol traffic between protocol VLANs. Brocade devices send Layer 3 traffic at Layer 2 within a protocol VLAN. However, Layer 3 traffic from one protocol VLAN to another must be routed.
FIGURE 79 Use virtual routing interfaces for routing between Layer 3 protocol VLANs

VLAN and virtual routing interface groups

Brocade FastIron devices support the configuration of VLAN groups. To simplify configuration, you can configure VLAN groups and virtual routing interface groups. When you create a VLAN group, the VLAN parameters you configure for the group apply to all the VLANs within the group.
For configuration information, refer to VLAN groups and virtual routing interface group on page 394.

Dynamic, static, and excluded port membership

When you add ports to a protocol VLAN, IP subnet VLAN, IPX network VLAN, or AppleTalk cable VLAN, you can add them dynamically or statically:

• Dynamic ports
• Static ports

You also can explicitly exclude ports.

Dynamic ports

Dynamic ports are added to a VLAN when you create the VLAN.
FIGURE 80 VLAN with dynamic ports--all ports are active when you create the VLAN

Ports in a new protocol VLAN that do not receive traffic for the VLAN protocol age out after 10 minutes and become candidate ports. The above figure shows what happens if a candidate port receives traffic for the VLAN protocol.
FIGURE 81 VLAN with dynamic ports--candidate ports become active again if they receive protocol traffic

Static ports

Static ports are permanent members of the protocol VLAN. The ports remain active members of the VLAN regardless of whether the ports receive traffic for the VLAN protocol. You must explicitly identify the port as a static port when you add it to the VLAN. Otherwise, the port is dynamic and is subject to aging out.
Excluded ports

If you want to prevent a port in a port-based VLAN from ever becoming a member of a protocol, IP subnet, IPX network, or AppleTalk cable VLAN configured in the port-based VLAN, you can explicitly exclude the port. You exclude the port when you configure the protocol, IP subnet, IPX network, or AppleTalk cable VLAN. Excluded ports do not leak broadcast packets. Refer to Broadcast leaks on page 370.
Multiple VLAN membership rules

NOTE
You cannot have a protocol-based VLAN and a subnet or network VLAN of the same protocol type in the same port-based VLAN. For example, you can have an IPX protocol VLAN and IP subnet VLAN in the same port-based VLAN, but you cannot have an IP protocol VLAN and an IP subnet VLAN in the same port-based VLAN, nor can you have an IPX protocol VLAN and an IPX network VLAN in the same port-based VLAN.
Routing between VLANs using virtual routing interfaces (Layer 3 Switches only)

VLAN on the same router. A virtual routing interface can be associated with the ports in only a single port-based VLAN. Virtual router interfaces must be defined at the highest level of the VLAN hierarchy.
guaranteed to never have an STP loop. STP will never block the virtual router interfaces within the tagged port-based VLAN, and you will have a fully routed backbone.

Dynamic port assignment (Layer 2 Switches and Layer 3 Switches)

All Switch ports are dynamically assigned to any Layer 3 VLAN on Brocade Layer 2 Switches and any non-routable VLAN on Brocade Layer 3 Switches.
For vlan-id, enter a valid VLAN ID that is not already in use. For example, if you have already defined VLAN 20, do not try to use "20" as the new VLAN ID. Valid VLAN IDs are numbers from 1 - 4090, 4093, and 4095. VLAN ID 4094 is reserved for use by the Single Spanning Tree feature.

Viewing reassigned VLAN IDs for reserved VLANs 4091 and 4092

To view the assigned VLAN IDs for reserved VLANs 4091 and 4092, use the show reserved-vlan-map command.
1. Access the global CONFIG level of the CLI on FSX-A by entering the following commands.

device-A> enable
No password has been assigned yet...
device-A# configure terminal
device-A(config)#

2. Access the level of the CLI for configuring port-based VLAN 3 by entering the following command.

device-A(config)#
device-A(config)# vlan 3
device-A(config-vlan-3)#

3.
Configuring IP subnet, IPX network and protocol-based VLANs

Protocol-based VLANs provide the ability to define separate broadcast domains for several unique Layer 3 protocols within a single Layer 2 broadcast domain. Some applications for this feature might include security between departments with unique protocol requirements. This feature enables you to limit the amount of broadcast traffic end-stations, servers, and routers need to accept.
IP subnet, IPX network, and protocol-based VLANs within port-based VLANs

1. To permanently assign ports 1 - 8 and port 25 to IP subnet VLAN 10.1.1.0, enter the following commands.

device(config-vlan-2)# ip-subnet 10.1.1.0/24 name Green
device(config-vlan-ip-subnet)# no dynamic
device(config-vlan-ip-subnet)# static ethernet 1 to 8 ethernet 25

2. To permanently assign ports 9 - 16 and port 25 to IP subnet VLAN 10.1.2.0, enter the following commands.

device(config-vlan-3)# ip-subnet 10.1.2.
Configuring Layer 3 VLANs on FSX-A

The second STP domain (VLAN 3) requires that half the ports in the domain are dedicated to IP subnet 10.1.1.0/24 and the other ports are dedicated to IPX network 1. Similar to VLAN 2, Port 9 from VLAN 3 will be used to carry this IP subnet and IPX network to the FastIron router. No other protocols will be allowed to enter the network on VLAN 3. Also, no IP packets with a source address on subnet 10.1.1.
Configuring Layer 3 VLANs on FSX-B

3. Create the IP and IPX protocol-based VLANs and statically assign the ports within VLAN 2 that will be associated with each protocol-based VLAN.
Configuring Layer 3 VLANs on FSX-C

device-B(config-vlan-ipx-proto)# exclude e1 to 4
device-B(config-vlan-other-proto)# vlan 3 name IP-Sub_IPX-Net_VLANs
device-B(config-vlan-3)# untagged e9 to 16
device-B(config-vlan-3)# tagged e25 to 26
device-B(config-vlan-3)# spanning-tree
device-B(config-vlan-3)# spanning-tree priority 500
device-B(config-vlan-3)# ip-sub 10.1.1.
Routing between VLANs using virtual routing interfaces (Layer 3 Switches only)

You can add the VLAN ports as static ports or dynamic ports. A static port is always an active member of the VLAN. Dynamic ports within any protocol VLAN age out after 10 minutes if no member protocol traffic is received on a port within the VLAN. The aged out port, however, remains as a candidate dynamic port for that VLAN. The port becomes active in the VLAN again if member protocol traffic is received on that port.
FIGURE 84 Routing between protocol-based VLANs

To configure the Layer 3 VLANs and virtual routing interfaces on the FSX Layer 3 Switch in the above figure, use the following procedure.

Configuring Layer 3 VLANs and virtual routing interfaces on the FSX-A

Enter the following commands to configure FSX-A. The following commands enable OSPF or RIP routing.

device>en
No password has been assigned yet...
device-A(config-vlan-other-proto)# no dynamic
device-A(config-vlan-other-proto)# exclude ethernet 1 to 4

Once you have defined the port-based VLAN and created the virtual routing interface, you need to configure the virtual routing interface just as you would configure a physical interface.

device-A(config-vlan-other-proto)# interface ve1
device-A(config-vif-1)# ip address 10.1.2.1/24
device-A(config-vif-1)# ip ospf area 0.0.0.0

Do the same thing for VLAN 8.
Configuring Layer 3 VLANs and virtual routing interfaces for FSX-B

accessible using only one path through the network. The path that is blocked by STP is not available to the routing protocols until it is in the STP FORWARDING state.

device-A(config-vif-5)# vlan 5 name Rtr_BB_to_Bldg.2
device-A(config-vlan-5)# tagged ethernet 25
device-A(config-vlan-5)# no spanning-tree
device-A(config-vlan-5)# router-interface ve6
device-A(config-vlan-5)# vlan 6 name Rtr_BB_to_Bldg.
Configuring Layer 3 VLANs and virtual routing interfaces for FSX-C

device-B(config-vlan-ipx-network)# router-interface ve4
device-B(config-vlan-ipx-network)# other-proto name block-other-protocols
device-B(config-vlan-other-proto)# exclude ethernet 9 to 16
device-B(config-vlan-other-proto)# no dynamic
device-B(config-vlan-other-proto)# interface ve 3
device-B(config-vif-3)# ip addr 10.1.7.1/24
device-B(config-vif-3)# ip ospf area 0.0.0.
Configuring protocol VLANs with dynamic ports

device-C(config-vlan-other-proto)# interface ve 3
device-C(config-vif-3)# ip addr 10.1.10.1/24
device-C(config-vif-3)# ip ospf area 0.0.0.0
device-C(config-vif-3)# interface ve4
device-C(config-vif-4)# vlan 4 name Bridged_ALL_Protocols
device-C(config-vlan-4)# untagged ethernet 17 to 24
device-C(config-vlan-4)# tagged ethernet 25 to 26
device-C(config-vlan-4)# spanning-tree
device-C(config-vlan-4)# vlan 7 name Rtr_BB_to_Bldg.
Disabling membership aging of dynamic VLAN ports

NOTE
You can disable VLAN membership aging of dynamically added ports. Refer to Disabling membership aging of dynamic VLAN ports on page 387.

Dynamic ports within any protocol VLAN age out after 10 minutes if no member protocol traffic is received on a port within the VLAN. The aged-out port, however, remains a candidate dynamic port for that VLAN. The port becomes active in the VLAN again if member protocol traffic is received on that port.
Configuring an IP, IPX, or AppleTalk Protocol VLAN with Dynamic Ports

NOTE
In the Switch image, all the ports are dynamic ports by default, so the dynamic command does not appear in the show running-config command output. If you configure the no dynamic command, it appears in the output of the show running-config command. Similarly, in the Router image, no ports are dynamic by default, so the no dynamic command does not appear in the output of the show running-config command.
Configuring an IPX network VLAN with dynamic ports

These commands create a port-based VLAN on chassis ports 1/1 - 1/6 named "Mktg-LAN", configure an IP subnet VLAN within the port-based VLAN, and then add ports from the port-based VLAN dynamically.

Syntax: vlan vlan-id name string [ by port ]
Syntax: untagged ethernet [slotnum/]portnum to [slotnum/]portnum
or
Syntax: untagged ethernet [slotnum/]portnum ethernet [slotnum/]portnum

NOTE
Use the first untagged command for adding a range of ports.
Configuring uplink ports within a port-based VLAN

You can configure a subset of the ports in a port-based VLAN as uplink ports. When you configure uplink ports in a port-based VLAN, the device sends all broadcast and unknown-unicast traffic from a port in the VLAN to the uplink ports, but not to other ports within the VLAN. Thus, the uplink ports provide tighter broadcast control within the VLAN.
NOTE
This feature applies only to Layer 3 Switches.

NOTE
Before using the method described in this section, refer to VLAN groups and virtual routing interface group on page 394. You might be able to achieve the results you want using the methods in that section instead.

The following figure shows an example of this type of configuration.

FIGURE 85 Multiple port-based VLANs with separate protocol addresses

As shown in this example, each VLAN has a separate IP subnet address.
FIGURE 86 Multiple port-based VLANs with the same protocol address

Each VLAN still requires a separate virtual routing interface. However, all three VLANs now use the same IP subnet address. In addition to conserving IP subnet addresses, this feature allows containment of Layer 2 broadcasts to segments within an IP subnet.
routing interface MAC address, the device switches the packet on Layer 3 to the destination host on the VLAN.

NOTE
If the Brocade device ARP table does not contain the requested host, the Brocade device forwards the ARP request on Layer 2 to the same VLAN as the one that received the ARP request. Then the device sends an ARP for the destination to the other VLANs that are using the same IP subnet address.
NOTE
Because virtual routing interfaces 2 and 3 do not have their own IP subnet addresses but instead are "following" virtual routing interface a IP address, you still can configure an IPX or AppleTalk interface on virtual routing interfaces 2 and 3.

VLAN groups and virtual routing interface group

To simplify configuration when you have many VLANs with the same configuration, you can configure VLAN groups and virtual routing interface groups.
The first command in this example begins configuration for VLAN group 1, and assigns VLANs 2 through 257 to the group. The second command adds ports 1/1 and 1/2 as tagged ports. Because all the VLANs in the group share the ports, you must add the ports as tagged ports.

Syntax: vlan-group num vlan vlan-id to vlan-id
Syntax: tagged ethernet [slotnum/]portnum [to [slotnum/]portnum | ethernet [slotnum/]portnum]

The vlan-group num parameter specifies the VLAN group ID and can be from 1 - 32.
Displaying information about VLAN groups

To display VLAN group configuration information, use the show vlan-group command.

device# show vlan-group
vlan-group 1 vlan 2 to 20
 tagged ethe 1/1 to 1/2
!
vlan-group 2 vlan 21 to 40
 tagged ethe 1/1 to 1/2
!

Syntax: show vlan-group [group-id]

The group-id specifies a VLAN group. If you do not use this parameter, the configuration information for all the configured VLAN groups is displayed.
Displaying the VLAN group and virtual routing interface group information

VLAN group to use the virtual routing interface group that has the same ID as the VLAN group. You can enter this command when you configure the VLAN group for the first time or later, after you have added tagged ports to the VLAN and so on.

The num parameter in the interface group-ve num command specifies the ID of the VLAN group with which you want to associate this virtual routing interface group.
Increasing the number of VLANs you can configure

The number of VLANs and virtual routing interfaces supported on your product depends on the device and, for Chassis devices, the amount of DRAM on the management module. The following table lists the default and configurable maximum numbers of VLANs and virtual routing interfaces for Layer 2 and Layer 3 Switches. Unless otherwise noted, the values apply to both types of switches.
Super-aggregated VLAN configuration

You can aggregate multiple VLANs within another VLAN. This feature allows you to construct Layer 2 paths and channels. This feature is particularly useful for Virtual Private Network (VPN) applications in which you need to provide a private, dedicated Ethernet connection for an individual client to transparently reach its subnet across multiple networks.
FIGURE 87 Conceptual model of the super aggregated VLAN application

Each client connected to the edge device is in its own port-based VLAN, which is like an ATM channel. All the clients’ VLANs are aggregated by the edge device into a single VLAN for connection to the core. The single VLAN that aggregates the clients’ VLANs is like an ATM path. The device that aggregates the VLANs forwards the aggregated VLAN traffic through the core.
The following figure shows an example application that uses aggregated VLANs. This configuration includes the client connections shown in Figure 87.

FIGURE 88 Example of a super aggregated VLAN application

In this example, a collocation service provides private channels for multiple clients. Although the same devices are used for all the clients, the VLANs ensure that each client receives its own Layer 2 broadcast domain, separate from the broadcast domains of other clients.
Configuration notes for aggregated VLANs

• This feature is not supported on the 48-port 10/100/1000 Mbps (RJ45) Ethernet POE interface module (SX-FI48GPP).
• Super Aggregated VLANs and VSRP are not supported together on the same device.
• Super Aggregated VLANs and Q-in-Q are supported using the tag-profile command.
Configuring aggregated VLANs on a core device

device(config-vlan-101)# exit
device(config)# vlan 102 by port
device(config-vlan-102)# tagged ethernet 2/1
device(config-vlan-102)# untagged ethernet 1/2
device(config-vlan-102)# exit
device(config)# vlan 103 by port
device(config-vlan-103)# tagged ethernet 2/1
device(config-vlan-103)# untagged ethernet 1/3
device(config-vlan-103)# exit
device(config)# vlan 104 by port
device(config-vlan-104)# tagged ethernet 2/1
device(config-vlan-104)# untagged ethernet 1/4
Commands for configuring aggregated VLANs on device A

NOTE
In these examples, the configurations of the edge devices (A, B, E, and F) are identical. The configurations of the core devices (C and D) also are identical. The aggregated VLAN configurations of the edge and core devices on one side must be symmetrical (in fact, a mirror image) to the configurations of the devices on the other side. For simplicity, the example in Figure 88 on page 401 is symmetrical in terms of the port numbers.
Commands for configuring aggregated VLANs on device C

Because device C is aggregating channel VLANs from devices A and B into a single path, you need to change the tag type and enable VLAN aggregation.
Commands for configuring aggregated VLANs on device F

The commands for configuring device F are identical to the commands for configuring device E. In this example, because the port numbers on each side of the configuration in Figure 88 on page 401 are symmetrical, the configuration of device F is also identical to the configuration of device A and device B.
Configuration rules for 802.1ad tagging

FIGURE 89 802.1ad configuration example

In the above figure, the untagged ports (to customer interfaces) accept frames that have any 802.1Q tag other than the configured tag-type 9100. These packets are considered untagged on this incoming port and are re-tagged when they are sent out of the uplink towards the provider. The 802.
Enabling 802.1ad tagging

• FastIron X Series devices support one configured tag-type per device along with the default tag-type of 8100. For example, if you configure an 802.1Q tag of 9100 on ports 1 - 12, then later configure an 802.1Q tag of 5100 on port 15, the device automatically applies the 5100 tag to all ports in the same port region as port 15, and also changes the 802.1Q tag-type on ports 1 - 12 to 5100.
• 802.1ad tagging and VSRP are not supported together on the same device.
FIGURE 90 Example 802.1ad configuration

Configuring 802.1ad tag profiles

NOTE
802.1ad tag profiles are not supported on FastIron X Series devices.

The 802.1ad tagging feature supports a tag-profile command that allows you to add a tag profile with a value of 0 to 0xffff in addition to the default tag-type 0x8100. This enhancement also allows you to add a tag profile for a single port, or to direct a group of ports to a globally-configured tag profile.
CLI Syntax for 802.1ad tagging

• Tag-type and tag-profile cannot be configured at the same time. You will see the message "unconfigure the tag-type to set the tag-profile." If tag-type is already configured, you will need to unconfigure it and then add the tag-profile.
• Do not use the tag-type command in conjunction with the tag-profile command.
FIGURE 91 PVLAN used to secure communication between a workstation and servers

This example uses a PVLAN to secure traffic between hosts and the rest of the network through a firewall. Five ports in this example are members of a PVLAN. The first port (port 3/2) is attached to a firewall. The next four ports (ports 3/5, 3/6, 3/9, and 3/10) are attached to hosts that rely on the firewall to secure traffic between the hosts and the rest of the network.
• Primary - The primary PVLAN ports are "promiscuous". They can communicate with all the isolated PVLAN ports and community PVLAN ports in the isolated and community VLANs that are mapped to the promiscuous port.
• Isolated - Broadcasts and unknown unicasts received on isolated ports are sent only to the promiscuous ports and switch-switch ports. They are not flooded to other ports in the isolated VLAN.
FIGURE 93 Example PVLAN network with tagged ports

The following table lists the differences between PVLANs and standard VLANs.
Configuration notes for PVLANs and standard VLANs

• PVLANs are supported on untagged ports on all FastIron platforms. PVLANs are also supported on tagged ports on devices other than FSX, ICX 6430 and ICX 6430-C12.
TABLE 57 PVLAN support matrix (Continued)

Platform       Forwarding Type   Tagged Port   Untagged Port   ISL Port   Multiple Promiscuous Port
ICX-6430       Hardware          No            Yes             No         Yes
ICX-6430 C12   Hardware          No            Yes             No         Yes
FCX            Hardware          Yes           Yes             Yes        Yes
SXL            Software          No            Yes             No         Yes

Configuring the primary VLAN

To configure a primary VLAN, enter commands such as the following.
Configuring an isolated or community PVLAN

• The vlan-id parameter specifies another PVLAN. The other PVLAN you want to specify must already be configured.
• The ethernet portnum parameter specifies the primary VLAN port to which you are mapping all the ports in the other PVLAN (the one specified by vlan-id).

The pvlan pvlan-trunk command identifies the switch-switch link for the PVLAN. There can be more than one switch-switch link for a single community VLAN.
Enabling broadcast or unknown unicast traffic to the PVLAN on FSX devices

• community - Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.
• isolated - Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
• primary - The primary PVLAN ports are "promiscuous".
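The flooding rules for the three PVLAN port types can be checked against a planned layout before it is configured. The following Python model is an added example, not part of the Brocade guide: it covers a single switch without switch-switch links, and the VLAN IDs (7, 901, 902) and the split of the Figure 91 host ports into a community and an isolated VLAN are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecondaryVlan:
    vlan_id: int
    kind: str             # "isolated" or "community"
    ports: frozenset      # host-facing member ports
    mapped_to: frozenset  # promiscuous (primary VLAN) ports this VLAN is mapped to


@dataclass(frozen=True)
class PvlanDomain:
    primary_vlan: int
    promiscuous_ports: frozenset
    secondaries: tuple

    def validate(self):
        """Return configuration problems that would break the isolation model."""
        problems, owner = [], {}
        for vlan in self.secondaries:
            if vlan.kind not in ("isolated", "community"):
                problems.append(f"VLAN {vlan.vlan_id}: unknown type {vlan.kind!r}")
            if not vlan.mapped_to:
                problems.append(f"VLAN {vlan.vlan_id}: not mapped to a primary port")
            for port in sorted(vlan.mapped_to - self.promiscuous_ports):
                problems.append(f"VLAN {vlan.vlan_id}: {port} is not a primary port")
            for port in sorted(vlan.ports):
                if port in self.promiscuous_ports or port in owner:
                    problems.append(f"port {port}: member of more than one PVLAN")
                owner.setdefault(port, vlan.vlan_id)
        return problems

    def flood_targets(self, ingress):
        """Ports that receive a broadcast or unknown unicast arriving on ingress."""
        if ingress in self.promiscuous_ports:
            # Primary: reaches every secondary VLAN mapped to this port.
            reached = set()
            for vlan in self.secondaries:
                if ingress in vlan.mapped_to:
                    reached |= vlan.ports
            return reached
        for vlan in self.secondaries:
            if ingress in vlan.ports:
                targets = set(vlan.mapped_to)          # always up to the primary port
                if vlan.kind == "community":
                    targets |= vlan.ports - {ingress}  # plus community peers
                return targets                         # isolated: nothing else
        raise ValueError(f"port {ingress} is not in this PVLAN domain")

    def host_to_host_paths(self):
        """(source, destination, vlan) triples where flooding bypasses the primary port."""
        paths = []
        for vlan in self.secondaries:
            for src in sorted(vlan.ports):
                for dst in sorted(self.flood_targets(src) - self.promiscuous_ports):
                    paths.append((src, dst, vlan.vlan_id))
        return paths


def figure91_domain():
    """Constructed layout: firewall on 3/2, hosts on 3/5, 3/6, 3/9 and 3/10."""
    firewall = frozenset({"3/2"})
    return PvlanDomain(
        primary_vlan=7,  # constructed VLAN IDs, not taken from the guide
        promiscuous_ports=firewall,
        secondaries=(
            SecondaryVlan(901, "community", frozenset({"3/5", "3/6"}), firewall),
            SecondaryVlan(902, "isolated", frozenset({"3/9", "3/10"}), firewall),
        ),
    )


if __name__ == "__main__":
    domain = figure91_domain()
    print("problems:", domain.validate())
    for port in ("3/2", "3/5", "3/9"):
        print(port, "->", sorted(domain.flood_targets(port)))
    print("host-to-host:", domain.host_to_host_paths())
```

Any triple returned by host_to_host_paths is traffic that never passes the firewall port, so hosts that must be inspected belong in the isolated VLAN.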
CLI example for a general PVLAN network

To configure the PVLANs shown in Figure 91 on page 411, enter the following commands.
Multiple promiscuous ports support in private VLANs

device(config-vlan-100)# pvlan type primary
device(config-vlan-100)# pvlan pvlan-trunk 102 ethernet 1/1/10 to 1/1/11
device(config-vlan-100)# pvlan pvlan-trunk 101 ethernet 1/1/10 to 1/1/11

FCX Switch 4

device(config)# vlan 101
device(config-vlan-101)#
device(config-vlan-101)#
device(config)# vlan 102
device(config-vlan-102)#
device(config-vlan-102)#
device(config)# vlan 100
device(config-vlan-100)#
device(config-vlan-100)#
device(config-vlan-100)#
devic
Dual-mode VLAN ports

Configuring a tagged port as a dual-mode port allows it to accept and transmit both tagged traffic and untagged traffic at the same time. A dual-mode port accepts and transmits frames belonging to VLANs configured for the port, as well as frames belonging to the default VLAN (that is, untagged traffic). For example, in the following figure, port 2/11 is a dual-mode port belonging to VLAN 20.
FIGURE 94 Dual-mode VLAN port example

To enable the dual-mode feature on port 2/11 in the above figure, enter the following commands.
device(config-if-e1000-2/11)# dual-mode
device(config-if-e1000-2/11)# exit

Syntax: [no] dual-mode

You can configure a dual-mode port to transmit traffic for a specified VLAN (other than the DEFAULT-VLAN) as untagged, while transmitting traffic for other VLANs as tagged. The following figure illustrates this enhancement.

FIGURE 95 Specifying a default VLAN ID for a dual-mode port

In the above figure, tagged port 2/11 is a dual-mode port belonging to VLANs 10 and 20.
Displaying VLAN information

NOTE
An error message is displayed while attempting to configure an existing dual-mode on a port range.

Example:
Port 1/1/6 has already been configured as dual mode on VLAN 20
Port 1/1/7 has already been configured as dual mode on VLAN 20
Port 1/1/8 has already been configured as dual mode on VLAN 20
Port 1/1/9 has already been configured as dual mode on VLAN 1

Notes:
• If you do not specify a vlan-id in the dual mode command, the port default VLAN is set to 1.
Displaying VLANs in alphanumeric order

By default, VLANs are displayed in alphanumeric order, as shown in the following example.

device# show run
...
vlan 2 by port
...
vlan 10 by port
...
vlan 100 by port
...

Displaying system-wide VLAN information

Use the show vlans command to display VLAN information for all the VLANs configured on the device.
Displaying global VLAN information

Uplink Ports: None
DualMode Ports: None

Syntax: show vlans [vlan-id | ethernet [slotnum/]portnum]

The vlan-id parameter specifies a VLAN for which you want to display the configuration information. The slotnum parameter is required on chassis devices. The portnum parameter specifies a port. If you use this parameter, the command lists all the VLAN memberships for the port.
Syntax: show vlan brief ethernet [slotnum/]portnum

The slotnum parameter is required on chassis devices.

Displaying a port dual-mode VLAN membership

The output of the show interfaces command lists dual-mode configuration and corresponding VLAN numbers. The following shows an example output.
Displaying PVLAN information

To display the PVLAN configuration with respect to the primary VLAN and its associated secondary VLANs and to display the member ports, promiscuous ports, and the switch-switch link ports of a PVLAN, enter a command such as the following.
VXLAN

● Supported VXLAN features
● VXLAN gateway overview
● Inner frame VLAN tagging
● Load balancing entropy
● MAC learning
VXLAN gateway overview

Virtual Extensible Local Area Network (VXLAN) is an overlay technology to create a logical Layer 2 network on top of a Layer 3 IP network. Addressing the need for overlay networks in Layer 2 and Layer 3 data center networks that support multi-tenant environments, VXLAN functions as a framework to create a Layer 2 logical network over the existing Layer 3 infrastructure. In this way, VXLAN addresses the scalability requirements of cloud computing.
Ethernet header, outer IP header, outer UDP header, and VXLAN header. The outer IP header contains the corresponding source and destination VTEP IP addresses. VTEPs are the nodes that provide the encapsulation and decapsulation functions and also map the tenant traffic to the virtual network and vice versa. The tenant’s Layer 2 frame is encapsulated with the Layer 3 UDP header to send it to the remote location (VTEP).
Inner frame VLAN tagging

In the VXLAN gateway, by default, the encapsulating VTEP strips the inner VLAN tag of the packet before forwarding it to the remote VTEP. Upon reception, the remote VTEP decapsulates the packets and a VLAN tag is assigned to the packet based on the one-to-one mapping between the {Port, VLAN} pair and VNI. The assignment of the VLAN tag also depends on whether the access port at the destination is tagged or untagged.
• UDLD, LACP, or Keepalive
• Path MTU discovery
• Hitless and stacking support is not available for VXLAN feature on Brocade ICX 7750.

VXLAN configuration considerations

• A {Port, VLAN} pair must have a one-to-one mapping to a VNI.
• One VNI can be carried by a single VXLAN Layer 2 tunnel only.
• Different VNIs can be carried in the same or different Layer 2 tunnels.
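The mapping rules above can be checked mechanically before a change is applied. The following Python checker is an added example, not Brocade code: it reads vxlan vlan command lines (syntax as given in the vxlan vlan command reference) from a constructed per-port sample and reports violations of the one-to-one {Port, VLAN}-to-VNI rule, the single-tunnel-per-VNI rule, and the eight-tunnel limit stated for interface l2-tunnel. The finding names and the per-port dictionary layout are assumptions of this example.

```python
import re
from collections import defaultdict

MAX_L2_TUNNELS = 8  # the guide states that only eight tunnels can be configured

VXLAN_CMD = re.compile(r"^vxlan vlan (\d+) vni (\d+) l2-tunnel (\d+)$")

# Constructed sample: command lines grouped by the port they apply to.
SAMPLE_CONFIG = {
    "1/1/1": ["vxlan vlan 10 vni 5010 l2-tunnel 1",
              "vxlan vlan 20 vni 5020 l2-tunnel 1"],
    "1/1/2": ["vxlan vlan 10 vni 5010 l2-tunnel 2"],   # VNI 5010 reused
    "1/1/3": ["vxlan vlan 30 vni 5030 l2-tunnel 3",
              "vxlan vlan 30 vni 5031 l2-tunnel 3"],   # pair mapped twice
}


def parse_mappings(port_config):
    """Return (port, vlan, vni, tunnel) tuples; reject malformed vxlan lines."""
    mappings = []
    for port, lines in port_config.items():
        for line in lines:
            text = " ".join(line.split())      # normalise whitespace
            if not text.startswith("vxlan "):
                continue                       # other commands are out of scope
            match = VXLAN_CMD.match(text)
            if match is None:
                raise ValueError(f"{port}: cannot parse {line!r}")
            vlan, vni, tunnel = (int(group) for group in match.groups())
            mappings.append((port, vlan, vni, tunnel))
    return mappings


def check_mappings(mappings):
    """Return (rule, subject, detail) findings for the VXLAN mapping rules."""
    vnis_by_pair = defaultdict(set)
    pairs_by_vni = defaultdict(set)
    tunnels_by_vni = defaultdict(set)
    for port, vlan, vni, tunnel in mappings:
        vnis_by_pair[(port, vlan)].add(vni)
        pairs_by_vni[vni].add((port, vlan))
        tunnels_by_vni[vni].add(tunnel)

    findings = []
    # A {Port, VLAN} pair must map to exactly one VNI ...
    for pair, vnis in sorted(vnis_by_pair.items()):
        if len(vnis) > 1:
            findings.append(("pair-multiple-vni", pair, sorted(vnis)))
    # ... and, the mapping being one-to-one, a VNI to exactly one pair.
    for vni, pairs in sorted(pairs_by_vni.items()):
        if len(pairs) > 1:
            findings.append(("vni-multiple-pairs", vni, sorted(pairs)))
    # One VNI can be carried by a single Layer 2 tunnel only.
    for vni, tunnels in sorted(tunnels_by_vni.items()):
        if len(tunnels) > 1:
            findings.append(("vni-multiple-tunnels", vni, sorted(tunnels)))
    # Distinct tunnel IDs referenced must fit the configurable maximum.
    tunnels = sorted({mapping[3] for mapping in mappings})
    if len(tunnels) > MAX_L2_TUNNELS:
        findings.append(("too-many-tunnels", len(tunnels), tunnels))
    return findings


if __name__ == "__main__":
    for finding in check_mappings(parse_mappings(SAMPLE_CONFIG)):
        print(finding)
```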
VXLAN-related syslog messages

Following are VXLAN-related syslog messages:

TABLE 58 VXLAN-related syslog messages

Event: VXLAN L2-Tunnel Up
Syslog Output: System: Interface vxlan_tnnl 2, state up

Event: VXLAN L2-Tunnel down due to no route to destination or ARP not resolved for the next hop address
Syslog Output: System: Interface vxlan_tnnl 1, state down - L2-Tunnel no destination route

Event: VXLAN L2-Tunnel down due to source interface down
Event: VXLAN L2-Tunnel down due to administrative "disable" command
PORT: vxlan_tnnl 1 down due
Layer 2 Commands

● clear notification-mac statistics
● errdisable packet-inerror-detect
● failover
● force-up ethernet
clear notification-mac statistics

Clears the MAC-notification statistics, such as the number of trap messages and number of MAC-notification events sent.

Syntax
clear notification-mac statistics

Command Default
The MAC-notification statistics are available on the device.

Modes
Global configuration
Privileged EXEC

Usage Guidelines
Clears details such as the number of trap messages and the number of MAC-notification events sent.

Examples
errdisable packet-inerror-detect

Enables the device to monitor configured ports for inError packets and defines the sampling time interval in which the number of inError packets is counted. The no form of this command disables this monitoring.

Syntax
errdisable packet-inerror-detect sampling-interval
no errdisable packet-inerror-detect sampling-interval

Command Default
There is no monitoring for inError packets on any port of the device.

Parameters
failover

Enables or disables LAG hardware failover.

Enables LAG hardware failover. The no form of this command disables LAG hardware failover.

Syntax
failover {next | all}
no failover {next | all}

Command Default
LAG hardware failover is not enabled by default.

Modes
Dynamic LAG configuration mode

Usage Guidelines
Use this command to enable or disable LAG hardware failover. Use the all parameter to enable failover on all ports in LAG.

Examples
force-up ethernet

Forces the member port of a dynamic LAG to be logically operational even when the dynamic LAG is not operating. The no form of the command causes the specified port to be logically operational only when the dynamic LAG is operating.

Syntax
force-up ethernet port
no force-up ethernet port

Command Default
The member ports of a dynamic LAG are logically operational only when the dynamic LAG is operating.

Parameters
port
    Specifies the port.
interface l2-tunnel

Creates a Layer 2 tunnel interface.

Syntax
interface l2-tunnel tunnel-id
no interface l2-tunnel tunnel-id

Command Default
The Layer 2 tunnel interface is not configured by default.

Parameters
tunnel-id
    Specifies the tunnel ID for the Layer 2 tunnel interface.

Modes
Global configuration mode

Usage Guidelines
Use this command to configure a Layer 2 tunnel interface and enter interface configuration mode. Only eight tunnels can be configured.
l2-tunnel

Configures the source and destination of the Layer 2 tunnel.

Syntax
l2-tunnel {source {source-ip | source-interface-type source-interface-number} | destination destination-ip}
no l2-tunnel {source {source-ip | source-interface-type source-interface-number} | destination destination-ip}

Command Default
The Layer 2 tunnel is not configured by default.

Parameters
source
    Specifies the Layer 2 tunnel source address.
l2-tunnel mode vxlan eline

Configures the Layer 2 tunnel encapsulation method as VXLAN UDP encapsulation.

Syntax
l2-tunnel mode vxlan eline
no l2-tunnel mode vxlan eline

Command Default
There is no Layer 2 tunnel encapsulation method by default.

Modes
Layer 2 tunnel interface configuration mode

Usage Guidelines
Use this command to configure the Layer 2 tunnel encapsulation method as VXLAN UDP encapsulation. The no form of the command removes the configuration.

Examples
mac-notification interval

Specifies the MAC-notification interval in seconds between each set of generated traps. The no form of this command sets the interval to its default value.

Syntax
mac-notification interval secs
no mac-notification interval

Command Default
There is no interval set for MAC-notification.

Parameters
secs
    Specifies the MAC-notification interval in seconds between each set of traps that are generated. The range is from 1 through 3600 seconds (1 hour).
packet-inerror-detect

Enables the monitoring of a port for inError packets and defines the maximum number of inError packets that is allowed for the port in the configured sampling interval. The no form of this command disables the monitoring of a port for inError packets.

Syntax
packet-inerror-detect inError-count
no packet-inerror-detect inError-count

Command Default
The Packet InError Detect feature is disabled for the port.

Parameters
show interface l2-tunnel

Displays VXLAN Layer 2 tunnel interface details.

Syntax
show interface l2-tunnel tunnel-id

Parameters
tunnel-id
    Specifies the tunnel ID for the Layer 2 tunnel interface.

Modes
Privileged EXEC mode
Global configuration mode

Command Output
The show interface l2-tunnel command displays the following information:

Output field   Description
L2-Tunnel      Identifies the VXLAN tunnel and displays the source and destination addresses.

Examples
show notification-mac

Displays whether the MAC-notification for SNMP traps is enabled or disabled.

Syntax
show notification-mac

Modes
Privileged EXEC

Usage Guidelines
You can view statistics such as the configured interval, the number of traps sent, and the number of events sent.

Examples
show packet-inerror-detect

Displays details related to the monitoring for inError packets for configured ports.

Syntax
show packet-inerror-detect

Modes
Privileged EXEC mode
Global configuration mode
Interface configuration mode

Usage Guidelines
You can use this show command to view details related to the monitoring for inError packets for configured ports.
show span designated-protect

Displays a list of all ports that are not allowed to go into the designated forwarding state.
snmp-server enable traps mac-notification

Enables the MAC-notification trap whenever a MAC address event is generated on a device or an interface. The no form of this command disables the SNMP trap for MAC-notification events.

Syntax
snmp-server enable traps mac-notification
no snmp-server enable traps mac-notification

Command Default
MAC-notification traps are disabled on the device.

Modes
spanning-tree designated-protect

Disallows the designated forwarding state on a port in STP 802.1d or 802.1w. The no form of this command allows the designated forwarding state on a port in STP 802.1d or 802.1w.

Syntax
spanning-tree designated-protect
no spanning-tree designated-protect

Command Default
STP (802.1d or 802.1w) can put a port into designated forwarding state.

Parameters
Modes
Usage Guidelines
system-max mac-notification-buffer

Changes the value of the MAC-notification buffer.

Sets the buffer queue size to maintain MAC-notification events. The no form of the command sets the MAC-notification buffer to default size.

Syntax
system-max mac-notification-buffer size
no system-max mac-notification-buffer size

Command Default
The default buffer size is 4000.

Parameters
size
    Sets the buffer queue size to maintain MAC-notification events.
vxlan vlan

Configures the VXLAN membership of the port by specifying the VLAN port and VNI for VXLAN mapping.

Syntax
vxlan vlan vlan-id vni vni-id l2-tunnel tunnel-id
no vxlan vlan vlan-id vni vni-id l2-tunnel tunnel-id

Command Default
No VXLAN mapping to the tunnel.

Parameters
vlan-id
    Specifies the VLAN ID mapped to the VXLAN segment.
vni-id
    Specifies the VXLAN segment ID to which the VLAN is mapped. This allows the extension of the Layer 2 VLAN segment to a remote location.