53-1003225-04 19 June 2014 Network OS Administrator’s Guide Supporting Network OS v4.1.
© 2014, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron, HyperEdge, ICX, MLX, MyBrocade, NetIron, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and The Effortless Network and the On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands and product names mentioned may be trademarks of others.
Preface
Command syntax conventions (continued)
Convention: value. Description: In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN.
Convention: []. Description: Syntax components displayed within square brackets are optional. Default responses to system prompts are enclosed in square brackets.
Convention: {x|y|z}. Description: A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options.
Brocade resources
Visit the Brocade website to locate related documentation for your product and additional Brocade resources. You can download additional publications supporting your product at www.brocade.com.
• Adapter documentation is available on the Downloads and Documentation for Brocade Adapters page. Select your platform and scroll down to the Documentation section.
• OEM/Solution Providers are trained and certified by Brocade to support Brocade® products.
• Brocade provides backline support for issues that cannot be resolved by the OEM/Solution Provider.
• Brocade Supplemental Support augments your existing OEM support contract, providing direct access to Brocade expertise. For more information, contact Brocade or your OEM.
• For questions regarding service levels and response times, contact your OEM/Solution Provider.
About This Document
What’s new in this document
This document supports Network OS 4.1.1; the new features in this release include:
• VXLAN
For complete information, refer to the Release Notes.
Related documents
The documents that support this release are listed below. For details on how to obtain supporting documents, refer to "Brocade resources" in the Preface.
TABLE 1 Documents supporting this release
Document: Network OS Administration Guide. Description: This document.
Section I: Network OS Administration
• Introduction to Network OS and Brocade VCS Fabric Technology on page 27
• Using the Network OS CLI on page 41
• Basic Switch Management on page 47
• Using Network Time Protocol on page 97
• Configuration Management on page 101
• Installing and Maintaining Firmware on page 111
• Configuring SNMP on page 133
• Configuring Brocade VCS Fabrics on page 145
• Configuring Metro VCS on page 157
• Administering Zones on page 167
• Configuring Fibre Channel Ports on pag
Introduction to Network OS and Brocade VCS Fabric Technology
Network convergence: Data Center Bridging (DCB)-based lossless Ethernet service provides isolation between IP and storage traffic over a unified network infrastructure. Multi-hop Fibre Channel over Ethernet (FCoE) allows an FCoE initiator to communicate with an FCoE target that is a number of hops away. Refer to End-to-end FCoE on page 338 for more information about multi-hop FCoE.
Automation The following shows an example of a data center with a classic hierarchical Ethernet architecture and the same data center with a Brocade VCS Fabric architecture. The Brocade VCS Fabric architecture provides a simpler core-edge topology and is easily scalable as you add more server racks.
FIGURE 2 Ethernet fabric with multiple paths
The Ethernet fabric has the following characteristics:
• It is a switched network. The Ethernet fabric utilizes an emerging standard called Transparent Interconnection of Lots of Links (TRILL) as the underlying technology.
• All switches automatically know about each other and all connected physical and logical devices.
• All paths in the fabric are available. Traffic is always distributed across equal-cost paths.
FIGURE 3 Distributed intelligence in an Ethernet fabric
Distributed intelligence has the following characteristics:
• The fabric is self-forming. When two Brocade VCS Fabric mode-enabled switches are connected, the fabric is automatically created and the switches discover the common fabric configuration.
• The fabric is masterless. No single switch stores configuration information or controls fabric operations.
FIGURE 4 Logical chassis in Ethernet fabric
Each physical switch in the fabric is managed as if it were a blade in a chassis. When a Brocade VCS Fabric mode-enabled switch is connected to the fabric, it inherits the configuration of the fabric and the new ports become available immediately.
Ethernet fabric formation
Brocade VCS Fabric protocols are designed to aid the formation of an Ethernet fabric with minimal user configuration.
Automatic ISL formation and hardware-based trunking
When a switch joins an Ethernet fabric, ISLs automatically form between directly connected switches within the fabric. If more than one ISL exists between two switches, then Brocade ISL trunks can form automatically. All ISLs connected to the same neighboring Brocade switch attempt to form a trunk. The trunks are formed only when the ports belong to the same port group.
FIGURE 5 Pair of Brocade VDX switches at the top of each server rack
The servers perceive a single top-of-rack switch, allowing for active/active connections running end-to-end.
Large-scale server virtualization use case
The following shows a logical two-tier architecture with Brocade VCS fabrics at the edge. Each Brocade VCS fabric appears as a single virtual switch to the switches outside the fabric, which results in flattening the network.
Brocade VCS Fabric connectivity with Fibre Channel SAN
In Network OS 2.1.1 and later, Fibre Channel ports on the Brocade VDX 6730 provide support for connecting a Brocade VCS Fabric to a Fibre Channel SAN. Fibre Channel routers provide the connectivity, giving access to Fibre Channel devices while preserving isolation between the fabrics.
Topology and scaling
Up to 24 switches can exist in a Brocade VCS Fabric.
High performance and low latency are ensured because throughput is high and the hop count is low. Throughput is high because multiple core switches share the load. Two hops get you from any edge switch to any other edge switch. If you need greater throughput, simply add another core switch. Scaling the topology also requires additional core switches and links. However, the number of additional links you need is typically not as great as with, for example, a full mesh topology.
FIGURE 10 Full mesh topology
This topology is highly reliable and fast, but it does not scale well. It is reliable because it provides many paths through the fabric in case of cable or node failure. It is fast with low latency because you can get to any node in the fabric in just one hop. It does not scale well because each additional node increases the number of fabric links and switch ports exponentially.
Using the Network OS CLI
For information on creating a user-defined role, refer to User-defined roles on page 269.
Accessing the Network OS CLI through Telnet
NOTE: While this example uses the admin role to log in to the switch, both roles can be used.
The procedure to access the Network OS CLI is the same through either the console interface or through a Telnet session; both access methods bring you to the login prompt.
TABLE 2 Network OS CLI keyboard shortcuts (Continued)
Ctrl+A: Moves the cursor to the beginning of the command line.
Ctrl+E: Moves the cursor to the end of the command line.
Esc B: Moves the cursor back one word.
Esc F: Moves the cursor forward one word.
Ctrl+Z: Returns to privileged EXEC mode.
Ctrl+P (or the up arrow key): Displays commands in the history buffer with the most recent command displayed first.
If there is more than one command or keyword associated with the characters typed, the Network OS CLI displays all choices. For example, at the CLI command prompt, type show l and press Tab.
switch# show l
The CLI displays the following:
Possible completions:
lacp      LACP commands
license   Display license keys installed on the switch.
lldp      Link Layer Discovery Protocol(LLDP).
The Network OS CLI accepts abbreviations for commands. This example is the abbreviation for the show qos interface all command.
switch# sh q i a
If the switch does not recognize a command after Enter is pressed, an error message displays.
switch# hookup
        ^
syntax error: unknown argument.
If an incomplete command is entered, an error message displays.
switch# show
        ^
syntax error: unknown argument.
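The abbreviation and Tab-completion behaviour above is unique-prefix matching over a command tree. The following Python is an added example of that resolution logic, not code from Network OS; its command tree is a small constructed subset (the real command set is far larger), and its error text mirrors the "syntax error: unknown argument" message shown above.

```python
"""Prefix-matching command resolver in the style of the Network OS CLI.
Added example with a constructed command tree; not the switch's own code."""

# Constructed subset of the command tree: each keyword maps to its sub-keywords.
COMMAND_TREE = {
    "show": {
        "lacp": {},
        "license": {},
        "lldp": {},
        "qos": {"interface": {"all": {}}},
    },
    "configure": {"terminal": {}},
    "telnet": {},
}


class CLISyntaxError(ValueError):
    """Raised when a token matches no keyword at the current level."""


def completions(tree, prefix):
    """Keywords at this level that begin with prefix, in sorted order
    (what the CLI lists after Tab)."""
    return sorted(k for k in tree if k.startswith(prefix))


def resolve(tree, line):
    """Expand an abbreviated command line such as 'sh q i a'.

    Returns (status, payload):
      ("ok", full_command)    every token resolved to exactly one keyword
      ("ambiguous", choices)  a token is a prefix of several keywords
      ("incomplete", choices) the line ends before a required keyword
    Raises CLISyntaxError when a token matches nothing at its level."""
    node = tree
    expanded = []
    for token in line.split():
        # An exact keyword wins even if it is also a prefix of longer ones.
        matches = [token] if token in node else completions(node, token)
        if not matches:
            raise CLISyntaxError(f"syntax error: unknown argument '{token}'")
        if len(matches) > 1:
            return "ambiguous", matches
        expanded.append(matches[0])
        node = node[matches[0]]
    if node:  # more keywords are required at this level
        return "incomplete", sorted(node)
    return "ok", " ".join(expanded)


if __name__ == "__main__":
    for cmd in ("sh q i a", "show l", "show"):
        print(repr(cmd), "->", resolve(COMMAND_TREE, cmd))
```

Ambiguity is reported rather than resolved by first match, which is the behaviour that keeps an abbreviation from silently executing a different command than the operator intended.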
Considerations for show command output
Network OS contains many versions of the show command. The output of the show command changes depending on your configuration and situation. However, in general terms the show command falls into one of two categories:
• Any show commands that are fabric (global configuration) in nature, such as VLAN, MAC Address table, AMPP, Zoning, and so on, should display or clear the information for all nodes in a logical chassis.
Basic Switch Management
Telnet and SSH overview
Telnet and Secure Shell (SSH) are mechanisms for allowing secure access to management functions on a remote networking device. SSH provides a function similar to Telnet, but unlike Telnet, which offers no security, SSH provides a secure, encrypted connection to the device. SSH and Telnet support is available in privileged EXEC mode on all Brocade VDX platforms. Both IPv4 and IPv6 addresses are supported.
Feature support for Telnet
The following features are not supported with Telnet:
• Displaying Telnet sessions
• Terminating hung Telnet sessions
Feature support for SSH
SSHv2 is the supported version of SSH, but not all features typically available with SSHv2 are supported on the Brocade VDX family of switches.
configuration. For node replacement in logical chassis cluster mode, the switch is set to the default configuration.
NOTE: The DAD process is disruptive to traffic. You must be using DHCP to use DAD. You utilize the DHCP process to retrieve certain parameters (for example, the firmware path, VCS ID, VCS mode, RBridge ID, and preset configuration file) needed by the DAD process to perform the firmware and configuration downloads. Currently, only DHCPv4 is supported.
Configuring the DHCP Automatic Deployment process for replacing logical chassis cluster switches
The following procedure configures DHCP Automatic Deployment (DAD) when replacing switches in logical chassis cluster mode.
1. Disconnect the existing switch from the cluster.
2.
1. Establish a DAD environment for the new switch. (Make sure DHCP is enabled on the management interface.)
• The management interface of the switch must be set up as DHCP.
• After setting up the management interface on a switch in either standalone mode or fabric cluster mode, you must use the copy running-config startup-config command for the configuration to take effect.
• The DHCP server must have the FTP server IP address and configuration file path.
Brocade VDX Ethernet interfaces
The Brocade VDX compact switches have a single configurable Ethernet interface, Eth0, which can be configured as a management interface. The modular chassis, the Brocade VDX 8770-8 and the Brocade VDX 8770-4, have two redundant management modules, MM1 and MM2. Each management module can communicate with each of the line cards (interface modules) through an Ethernet connection. Each management module has two Ethernet interfaces, Eth0 and Eth2.
Switch attributes
A switch can be identified by its IP address, World Wide Name (WWN), switch ID or RBridge ID, or by its host name and chassis name. You can customize the host name and chassis name with the switch-attributes command.
• A host name can be from 1 through 30 characters long. It must begin with a letter, and can contain letters, numbers, and underscore characters. The default host name is "sw0." The host name is displayed at the system prompt.
TABLE 4 Mapping switchType to Brocade product names (Continued)
switchType: 1001.x. Brocade product name: VDX 8770-8. Description: 8 I/O slot chassis supporting 48x1 GbE, 48x10 GbE, 48x10G-T, 12x40 GbE, 27x40 GbE, or 6x100 GbE line cards.
Operational modes
Network OS supports three operational modes for Brocade VDX switches. The three operational modes are:
• Logical chassis cluster mode — One of two types of "VCS" modes for a switch. This mode requires Network OS 4.0.0 or later.
Logical chassis cluster mode characteristics
The following are the main characteristics of logical chassis cluster mode:
• The maximum number of nodes supported in a logical chassis cluster is 24 for the Brocade VDX 6710, 6720, and 6730; the maximum is 32 for the Brocade VDX 6740, 6740T, 6740T-1G, and 8770.
• Physical connectivity requirements for logical chassis cluster deployment are the same as those for fabric cluster deployment.
Logical chassis cluster mode configuration
In logical chassis cluster mode, any operation that results in writing to the configuration database gets automatically distributed. There are no exceptions. Each node in the logical chassis cluster maintains an individual copy of the configuration to enable high availability of the cluster. The following illustrates nodes in a logical chassis cluster.
• Brocade VDX 6740
• Brocade VDX 6740T
• Brocade VDX 6740T-1G
If the chassis is not connected to another switch, it forms a "single node VCS fabric." This means that the chassis operates as a standalone system, but the operational mode is always VCS-enabled. You cannot disable the VCS mode on any of the models listed above.
Standalone mode
All Brocade VDX compact switches (VDX 6710, VDX 6720, and VDX 6730) boot up in standalone (SA) mode.
Management modules
Two management modules (MMs) provide redundancy and act as the main controller on the Brocade VDX 8770-4 and VDX 8770-8 chassis. The management modules host the distributed Network OS that provides the overall control plane management for the chassis. You can install a redundant management module in slot M1 or M2 in any of the Brocade VDX 8770 chassis.
ISSUs are supported in both fabric cluster mode and logical chassis cluster mode for the following downgrade path: 4.1.0 to 4.0.1. High Availability behavior during ISSUs is the same as that of warm recovery described in HA failover on page 59. For more information, refer to Upgrading firmware on a modular chassis on page 112.
Slot numbering and configuration
The slot number specifies the physical location of a module in a switch or router, and the number of available slots of each type (interface, management, or switch fabric) depends on the router. Slot configuration is done on a slot-by-slot basis, and the configurations are stored in a persistent database on the switch.
Slot numbering
The slot numbering on the Brocade VDX 8770 chassis is based on the module type.
• Refer to the Brocade VDX Hardware Reference manuals for information on connecting through the serial port.
• Refer to Configuring Ethernet management interfaces on page 66 for details on configuring the network interface.
Establishing a physical connection for a Telnet or SSH session
1. Connect through a serial port to the switch.
2.
NOTE: You can override the default port by using the telnet ip_address command with the optional port operand (range 0-65535). However, the device must be listening on that port for the connection to succeed. The following example overrides the default port.
switch# telnet 10.17.37.157 87
Trying 10.17.37.157...
Connected to 10.17.37.157.
Escape character is '^]'.
Connecting with SSH
Connecting to a switch using the Secure Shell (SSH) protocol permits a secure (encrypted) connection. For a listing and description of all configuration modes discussed here, refer to Operational modes on page 55.
Establishing an SSH connection
An SSH connection allows you to securely access a switch remotely. You must be in privileged EXEC mode to make an SSH connection to a switch.
1.
NOTE: If you are in VCS mode, you must enter RBridge ID configuration mode before issuing the command, as shown in the example below.
switch# certutil import sshkey user admin host 10.70.4.106 directory /users/home40/bmeenaks/.ssh file id_rsa.pub login fvt rbridge-id 3
Deleting an SSH public key
Deleting an SSH public key from a switch prevents it from being used for an authenticated login. You must be in privileged EXEC mode to delete an SSH public key from a switch.
Re-enabling the SSH service
Re-enabling the SSH service permits SSH access to a switch. You must be in global configuration mode to re-enable the SSH service on a switch. To re-enable the SSH service on a switch, enter no ssh server shutdown.
switch(config)# no ssh server shutdown
switch(config)#
NOTE: If you are in VCS mode, you must enter RBridge ID configuration mode before issuing the command, as shown in the example below.
ATTENTION: Setting static IP addresses and using DHCP are mutually exclusive. If DHCP is enabled, remove the DHCP client before you configure a static IP address.
NOTE: You must connect through the serial port to set the IP address if the network interface is not configured already. Refer to the Brocade VDX Hardware Reference manual for your specific product for information on connecting through the serial port.
enter "209.157.22.99/24" for an IP address that has a network mask with 24 leading 1s in the network mask, representing 255.255.255.0.
switch(config-Management-1/0)# do show running-config interface management
interface Management 1/0
 no ip address dhcp
 ip address 10.24.85.81/20
 r-bridge-id1
 ip route 0.0.0.0/0 10.24.80.1
 no ipv6 address autoconfig
8.
NOTE: When you connect the DHCP-enabled switch to the network and power on the switch, the switch automatically obtains the Ethernet IP address, prefix length, and default gateway address from the DHCP server. The DHCP client can only connect to a DHCP server on the same subnet as the switch. Do not enable DHCP if the DHCP server is not on the same subnet as the switch. The following example enables DHCP for IPv4 addresses.
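The management-interface and remote-access rules stated above (SSH should not be shut down, Telnet should be, static IP and DHCP are mutually exclusive, the prefix length determines the mask, and the default gateway must lie in the management subnet) can be checked offline against a saved running-config before it is pushed with copy running-config startup-config. The following Python is an added example of such an audit, not a Network OS tool. Its two config excerpts are constructed in the shape of the show running-config output above (the 10.24.85.81/20 address and 10.24.80.1 gateway are the page's values; the rest is made up); the telnet server shutdown form is assumed by analogy with the ssh server shutdown command shown on the page; and the gateway-in-subnet check assumes the default route is meant to go out of the management interface.

```python
"""Offline audit of a Network OS style running-config for management
access hygiene. Added example with constructed config excerpts."""
import ipaddress

# Constructed excerpt: static address, SSH enabled, Telnet shut down.
GOOD_CONFIG = """\
interface Management 1/0
 no ip address dhcp
 ip address 10.24.85.81/20
 ip route 0.0.0.0/0 10.24.80.1
 no ipv6 address autoconfig
!
rbridge-id 1
 no ssh server shutdown
 telnet server shutdown
!
"""

# Constructed excerpt with every problem the audit looks for.
BAD_CONFIG = """\
interface Management 1/0
 ip address dhcp
 ip address 10.24.85.81/20
 ip route 0.0.0.0/0 10.24.1.1
!
rbridge-id 1
 ssh server shutdown
 no telnet server shutdown
!
"""


def parse_config(text):
    """Group a flat running-config into (header, [child lines]) blocks.
    A block starts at an unindented line and ends at '!' or the next header."""
    blocks, header, children = [], None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            if header is not None:
                blocks.append((header, children))
            header, children = None, []
        elif line.startswith(" "):
            children.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = line, []
    if header is not None:
        blocks.append((header, children))
    return blocks


def audit_management_interface(header, lines):
    """Flag DHCP/static conflicts and a default gateway outside the subnet."""
    findings = []
    dhcp = "ip address dhcp" in lines
    static = [l.split()[2] for l in lines
              if l.startswith("ip address ") and l != "ip address dhcp"]
    gateways = [l.split()[3] for l in lines if l.startswith("ip route 0.0.0.0/0 ")]
    if dhcp and static:
        findings.append(f"{header}: static IP and DHCP are mutually exclusive; "
                        "remove the DHCP client before setting a static address")
    for cidr in static:
        iface = ipaddress.ip_interface(cidr)   # prefix length -> network and mask
        for gw in gateways:
            if ipaddress.ip_address(gw) not in iface.network:
                findings.append(f"{header}: default gateway {gw} is not inside "
                                f"{iface.network} (mask {iface.netmask})")
    return findings


def audit_remote_access(lines):
    """SSH must stay enabled; Telnet, which carries credentials in clear text,
    should be shut down."""
    findings = []
    if "ssh server shutdown" in lines:
        findings.append("SSH service is shut down; re-enable with 'no ssh server shutdown'")
    if "telnet server shutdown" not in lines:
        findings.append("Telnet service is not shut down; it offers no encryption")
    return findings


def audit_config(text):
    """Run every check over a running-config and return the list of findings."""
    findings, access_lines = [], []
    for header, lines in parse_config(text):
        if header.startswith("interface Management"):
            findings += audit_management_interface(header, lines)
        elif header.startswith("rbridge-id"):
            access_lines += lines          # VCS mode: commands live under rbridge-id
        elif not lines:
            access_lines.append(header)    # standalone mode: global config lines
    findings += audit_remote_access(access_lines)
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

Run it against a saved config before applying it; a clean result is an empty list, and each finding names the block it came from so the fix can be made in the right configuration mode.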
ipv6 ipv6-address [ ]
ipv6 ipv6-gateways [ fe80::21b:edff:fe0f:bc00 fe80::21b:edff:fe0c:c200 ]
line-speed actual "1000baseT, Duplex: Full"
line-speed configured Auto
The following example shows the management interfaces on a Brocade VDX 8770-4. IPv6 autoconfiguration is enabled for the entire chassis, and, as a result, a stateless IPv6 address is assigned to both management interfaces.
switch# show interface management
interface Management 110/1
ip address 10.20.
Do the following to set and display a banner.
1. In privileged EXEC mode, issue the configure terminal command to enter global configuration mode.
2. Enter the banner login command and a text message enclosed in double quotation marks (" ").
3. Enter the do show running-config banner command to display the configured banner.
Setting and displaying the chassis name
1. In privileged EXEC mode, issue the configure terminal command to enter global configuration mode.
2. Enter the switch-attributes command, followed by a question mark (?) to determine the local RBridge ID.
3. Enter the switch-attributes command, followed by the RBridge ID.
4. Enter the chassis-name operand, followed by the chassis name.
5. Save the configuration changes using the do copy running-config startup-config command.
FIGURE 12 Five-node logical chassis cluster
To create a logical chassis cluster, follow the steps in the example below:
1. Log into one switch that will be a member of the logical chassis cluster you are creating.
2. In privileged EXEC mode, enter the vcs command with options to set the VCS ID and the RBridge ID and to enable logical chassis mode for the switch. The VCS ID and RBridge IDs shown below are chosen for the purposes of this example.
Taking precautions for mode transitions Ensure that all nodes to be transitioned are running the same version of Network OS. Logical chassis cluster mode is supported starting with Network OS release 4.0.0. If you are merging multiple global configuration files to create one new global configuration file, be sure that the same entity name does not exist in the merged file.
Converting a fabric cluster to a logical chassis cluster spanning-tree shutdown mac access-group test2 in no shutdown ATTENTION Be sure to take the following precautions. • Note that the copy default-config to startup-config command in logical chassis cluster mode causes a cluster-wide reboot and returns the entire logical chassis cluster to the default configuration. Therefore, use this command only if you want to purge all existing configuration in the logical chassis cluster.
Converting a fabric cluster while preserving configuration NOTE You can enter the RBridge ID configuration mode for any RBridge in the cluster from the cluster principal node. NOTE You can change the principal node by using the logical-chassis principal priority and logical chassis principal switchover commands. For more information about cluster principal nodes, refer to Selecting a principal node for the cluster on page 77.
Selecting a principal node for the cluster 9. Verify that the global configuration is available by running the show global-running-config command. 10. While logged on to the principal node in the logical chassis cluster, copy each saved local configuration file from the remote location to the principal node as follows: copy location_config_filename running-config NOTE You must run this command for each local configuration file you saved (one for each node).
Converting to a fabric cluster while preserving configuration 3. Run the following command to convert all RBridge IDs: no vcs logical-chassis enable rbridge-id all default-config. NOTE To convert just one RBridge ID, specify the ID as shown in the following example: no vcs logical-chassis enable rbridge-id rbridge-id default-config. The nodes automatically reboot in fabric cluster mode. Plan for some down time for this transition. 4.
Rejoining a node to the cluster standalone mode.) If the no vcs logical-chassis enable command is executed on a switch that is currently in logical chassis cluster mode, the switch boots in fabric cluster mode. Once the node is removed, all configurations corresponding to that node are removed from the cluster configuration database. Similarly, the removed node does not retain any configurations corresponding to the other nodes in the cluster. The following shows the cluster after node N5 has been removed.
Merging two logical chassis clusters NOTE If the new node is not yet VCS enabled, you can do so at the same time you assign the RBridge ID. Refer to the vcs command options in the Network OS Command Reference. Merging two logical chassis clusters You can merge two logical chassis clusters that have the same VCS ID. Follow these steps: 1. Make all required physical connections between the two independent clusters. 2. Decide which cluster should retain the configuration after the merge.
Examples of global and local configurations The table below provides examples of global and local configuration commands that are available under the respective configuration modes. These settings can be viewed respectively by means of the show global-running-config command and the show local-running-config command.
Configuring a switch in fabric cluster mode Refer also to Fabric cluster mode on page 57. When you issue the show vcs command to display the VCS configuration for the chassis, the command output shows a single-node VCS with a VCS ID of 1 and an RBridge ID of 1. Use the vcs command to change the default values.
Displaying slots and module status information Enter the show interface interface_type rbridge_id/slot/port command to display the configuration details for the specified interface. switch# show interface tengigabitethernet 1/1/9 tengigabitethernet 1/1/9 is up, line protocol is up (connected) Hardware is Ethernet, address is 0005.3315.df5a Current address is 0005.3315.
Replacing a line card config startup-config command after the line card reaches the online state and before the system reboots. Replacing a line card You can remove a line card without powering it off. However, doing so will not remove the configuration. When you replace a card with a different type, you must first remove the configuration and then reconfigure the slot for the new line card type. Install a new line card only if it is supported by the firmware running in the chassis.
Configuring high availability The following sections provide you with information on configuring High Availability (HA) support on Brocade switches. Using HA commands A variety of high-availability (HA) commands are available on the switch in privileged EXEC mode. • show ha displays the management module status.
TABLE 8 Expected behaviors for uncontrolled failover
Command syntax | Behavior in fabric cluster and logical chassis cluster
Panic | Warm failover to standby MM.
MM removal | Warm failover to standby MM.
Power cycle | MMs will retain the HA roles upon booting up.
Disabling and enabling a chassis The chassis is enabled after power is turned on, and diagnostics and switch initialization routines have finished. All interfaces are online.
Rebooting a modular chassis Rebooting a modular chassis A chassis reboot brings up the system in sequential phases. First, software services are launched on the management modules and brought up to the active state. Then, the line cards are powered on and initialized. Software services are launched on the line cards and brought up to the active state. When the line card initialization reaches the final state, the chassis is ready to accept user commands from the CLI interface.
Displaying the status of a supportSave operation 1. Enter the usb on command to enable the USB device. 2. Enter the usb dir command to display the default directories. 3. Enter the copy support usbdirectory command.
Displaying the autoupload configuration Displaying the autoupload configuration Enter the show running-config support autoupload-param command to display the autoupload configuration on the local switch. switch(config)# do show running-config support autoupload-param support autoupload-param hostip 10.31.2.
Configuring hardware profiles TABLE 9 Options for optimizing route profiles (Continued)
Keyword | Optimizes resources for . . .
ipv4-min-v6 | IPv4 routes in dual-stack configurations
ipv6-max-route | Maximum number of IPv6 routes
ipv6-max-nd | Maximum number of IPv6 Neighbor Discovery entries
The following describes the available command options (keywords) to optimize TCAM profiles, available under the tcam keyword.
TABLE 10 Options for optimizing TCAM profiles
Keyword | Optimizes resources for . . .
Guidelines for changing hardware profiles ATTENTION The hardware-profile command is disruptive. To apply the most recent profile, you must reboot (reload) the switch.
Using hardware profile show commands You can view route table and TCAM profiles in the running configuration, and also see the current active profile information and subtype details for each profile type and RBridge ID, as in the following examples. Refer also to the show hardware-profile command in the Network OS Command Reference.
Basic Switch Management Displaying the hardware profile configuration default profile in fabric cluster mode The following shows the use of the show hardware-profile command in fabric cluster mode, with the current keyword to show the results of a default profile on a Brocade VDX 6740.
Brocade support for Openstack Brocade support for Openstack Openstack is an open source infrastructure as a service (IaaS) initiative for creating and managing large groups of virtual private servers in a cloud computing environment. Brocade Neutron Plugin for VDX/VCS provides a means to interface Openstack's Networking to orchestrate Brocade's physical switches.
Basic Switch Management 3. The physical switch configuration parameters and the Brocade-specific database configuration are specified in the brocade.ini configuration file.
% cat /etc/neutron/plugins/brocade/brocade.ini
[SWITCH]
username = admin
password = password
address =
ostype = NOS
[DATABASE]
sql_connection = mysql://root:pass@localhost/brcd_Neutron?charset=utf8
4. Run setup.
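The brocade.ini shown in step 3 carries the switch login and the database URL in clear text. The following added example (not part of the guide or the Neutron plugin) loads such a file and reports what a defender checks before deploying it: file permissions, the clear-text switch password, and the credentials embedded in sql_connection. The file path and sample contents are constructed.

```python
# Added example, not from the Network OS guide or the Brocade Neutron plugin.
# Checks a brocade.ini of the form shown in the guide ([SWITCH] username,
# password, address, ostype; [DATABASE] sql_connection) for deployment risks.
import configparser
import os
import stat
import tempfile
from typing import List
from urllib.parse import urlsplit

# Constructed sample, modelled on the brocade.ini in the guide; the address is made up.
SAMPLE_BROCADE_INI = """\
[SWITCH]
username = admin
password = password
address = 192.0.2.10
ostype = NOS

[DATABASE]
sql_connection = mysql://root:pass@localhost/brcd_Neutron?charset=utf8
"""


def check_brocade_ini(path: str) -> List[str]:
    """Return human-readable findings for the brocade.ini at `path`."""
    findings = []

    # The file holds credentials, so nobody but the owner should read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {oct(mode)} is readable by group or others")

    # interpolation=None so a '%' in a URL is not treated as a format directive
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)

    switch = cfg["SWITCH"] if cfg.has_section("SWITCH") else {}
    for key in ("username", "password", "address", "ostype"):
        if not switch.get(key):
            findings.append(f"[SWITCH] {key} is missing or empty")
    password = switch.get("password")
    if password:
        findings.append("[SWITCH] switch password is stored in clear text")
        if password in ("password", switch.get("username")):
            findings.append("[SWITCH] password is a placeholder or equals the username")

    # sql_connection is a URL; urlsplit exposes any user:pass@ in its netloc.
    url = cfg.get("DATABASE", "sql_connection", fallback="")
    parts = urlsplit(url)
    if parts.password:
        findings.append("[DATABASE] sql_connection embeds a clear-text database password")
    if parts.username == "root":
        findings.append("[DATABASE] plugin connects to MySQL as root; use a least-privilege account")
    return findings


def write_sample(mode: int = 0o644) -> str:
    """Write the constructed sample to a temporary file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_BROCADE_INI)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for finding in check_brocade_ini(write_sample()):
        print(finding)
```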
Using Network Time Protocol ● Network Time Protocol overview.....................................................................................97 ● Configuring NTP..............................................................................................................98 Network Time Protocol overview Network Time Protocol (NTP) maintains uniform time across all switches in a network.
Configuring NTP Configuring NTP The following sections discuss how to correctly configure the Network Time Protocol for Brocade switches. Configuration considerations for NTP If you are in Standalone mode, Network Time Protocol (NTP) commands must be configured on each individual switch. Network time synchronization is guaranteed only when a common external time server is used by all switches.
Displaying the current local clock and time zone Refer to Using Network Time Protocol on page 97 for a complete list of configurable regions and cities. Enter the clock timezone region/city command.
Displaying the active NTP server Enter the ntp server ip_address command. switch(config)# ntp server 192.168.10.1 Displaying the active NTP server Use the show ntp status command to display the current active NTP server IP address. If an NTP server is not configured or the server is unreachable, the output displays LOCL (for local switch time). Otherwise, the command displays the NTP server IP address. The command displays the local NTP server configuration only.
Configuration Management ● Configuration management overview............................................................................101 ● Displaying configurations.............................................................................................. 103 ● Saving configuration changes....................................................................................... 103 ● Backing up configurations.............................................................................................
Default configuration TABLE 11 Standard switch configuration files (Continued) Configuration file Description Running configuration Current configuration active on the switch. Whenever you make a configuration change, it is written to the running configuration. For fabric cluster mode, the running configuration does not persist across reboot, unless you copy it to the startup configuration.
Displaying configurations • The running configuration is nonpersistent. • To save configuration changes, you must copy the running configuration to the startup configuration. If you are not sure about the changes, you can copy the changes to a file, and apply the changes later. Displaying configurations The following examples illustrate how to display the default, startup, and running configurations, respectively.
Saving the running configuration To save the configuration changes you made, copy the running configuration to the startup configuration. The next time the switch reboots, it uses the startup configuration and the changes you made earlier become effective. NOTE When the switch is in logical chassis cluster mode, the running-config file is saved automatically and it does not need to be copied. Enter the copy running-config startup-config command in privileged EXEC mode.
Uploading the startup configuration to an external host NOTE This operation is not supported in logical chassis cluster mode, because the running-config will be autosynced to the startup-config. The following recommendations apply: • Keep backup copies of the startup configuration for all switches in the fabric. • Upload the configuration backup copies to an external host or to an attached Brocade-branded USB device. • Avoid copying configuration files from one switch to another.
Restoring a previous startup configuration from backup • Interface management IP address • Software feature licenses installed on the switch • Virtual IP address NOTE Configuration files that were created using Brocade Network OS 2.x should not be loaded onto a system running Brocade Network OS 3.x or later. The ACL and VLAN configuration information has changed in Brocade Network OS 3.x or later, and the affected lines of configuration are skipped when loading a Brocade Network OS 2.x configuration file.
Managing configurations on a modular chassis NOTE When the switch is in logical chassis cluster mode, the running-config file is saved automatically and does not need to be copied. There is no startup configuration for logical chassis cluster mode; therefore, the information about startup configuration does not apply to logical chassis cluster mode. The configuration data on a modular chassis are managed in a distributed fashion.
Managing configurations in Brocade VCS Fabric mode • When you change the VCS configuration (VCS mode, RBridge ID, or VCS ID), the configuration change is synchronized with the standby management module and saved persistently. This event triggers a chassis reboot after the synchronization is complete. • When you initiate a firmware download. Refer to Configuration Management on page 101 for more information.
Managing flash files 1. Configure one switch. 2. Copy the running configuration to the startup configuration as described in Saving the running configuration on page 104. 3. Upload the configuration to an external host (Uploading the startup configuration to an external host on page 105) or to an attached USB device as described in Backing up the startup configuration to a USB device on page 105. 4. Download the configuration file to each of the target switches.
Configuration Management
priority-group-table 2 weight 60 pfc off
priority-group-table 15.0 pfc off
priority-table 2 2 2 1 2 2 2 15.0
!
interface Vlan 1
shutdown
!
port-profile default
vlan-profile
switchport
switchport mode trunk
switchport trunk allowed vlan all
!
protocol lldp
!
end
!
NOTE To display the contents of the running configuration, use the show running-config command. To display the contents of the startup configuration, use the show startup-config command.
Installing and Maintaining Firmware ● Firmware management overview.................................................................................. 111 ● Upgrading firmware on a local switch........................................................................... 114 ● Upgrading firmware in Brocade fabric cluster mode..................................................... 120 ● Upgrading firmware in Brocade logical chassis cluster mode.......................................
Obtaining and decompressing firmware The firmware can only be downloaded from the file server through the management Ethernet port, so all nodes must have the management Ethernet port connected. Only one logical-chassis firmware download command instance can run at any given time. If you are in logical chassis cluster mode, after you perform a firmware upgrade, you might find that the switch reverts to its default configurations.
Automatic firmware synchronization When you replace or insert a second management module into a chassis, the active management module automatically synchronizes the hot-plugged standby management module with the same firmware version. The standby management module reboots with the upgraded firmware.
Upgrading firmware on a local switch This section provides overviews and examples of upgrading firmware in a variety of ways. Preparing for a firmware download To prepare for a firmware download, perform the tasks listed in this section. In the unlikely event of a failure or timeout, you will be able to provide your switch support provider the information required to troubleshoot the firmware download. 1. Verify the current firmware version.
Obtaining the firmware version Use the show interface management command to display the IP addresses for the management modules. switch# show interface management interface Management 10/1 ip address 10.24.73.130/20 ip gateway-address 10.24.64.1 ipv6 ipv6-address [ ] ipv6 ipv6-gateways [ ] line-speed actual "1000baseT, Duplex: Full" line-speed configured Auto interface Management 10/2 ip address 10.24.74.23/20 ip gateway-address 10.24.64.
Downloading firmware from a USB device firmware. On a modular chassis, if you enter the firmware download command on the active MM without any options, the command by default will invoke the ISSU process to upgrade the entire system.
Downloading firmware by using the noactivate option 1. Ensure that the USB device is connected to the switch. 2. Enter the usb on command in privileged EXEC mode.
switch# usb on
Trying to enable USB device. Please wait...
USB storage enabled
3. Enter the usb dir command.
switch# usb dir
firmwarekey\ 0B 2013 Jun 15 15:13
support\ 106MB 2013 Jun 24 05:36
config\ 0B 2013 Jun 15 15:13
firmware\ 380MB 2013 Jun 15 15:13
NOS_v4.0.0\ 379MB 2013 Jun 15 15:31
Available space on usbstorage 74%
4.
Downloading firmware by using the manual option The following procedure applies to a compact switch or a single management module. 1. Verify that the FTP, SFTP, or SSH server is running on the host server and that you have a user ID on that server. 2. Obtain the firmware file from the Brocade website at http://www.mybrocade.com or from your switch support provider and store the file on the FTP, SFTP, or SSH server. 3. Unpack the compressed firmware archive.
Downloading firmware by using the default-config option 4. At the Do Auto-Commit after Reboot [y/n]: prompt, enter n if you want to commit the firmware manually after downloading the firmware. switch# firmware download interactive Server name or IP address: 10.31.2.25 File name: /users/home40/Builds/NOS_v4.1.0 Protocol (ftp, scp): ftp User: fvt Password: ********** Do manual download [y/n]: y Reboot system after download? [y/n]:n Do Auto-Commit after Reboot? [y/n]:n System sanity check passed.
Upgrading firmware in Brocade fabric cluster mode After the firmware download completes, you can verify that the download has completed properly by doing the following: 1. Execute the show version all-partitions command to verify that the MMs and all line-card partitions have the correct firmware. 2. Execute the show ha all-partitions command to verify that the MMs and all line-card partitions are in HA sync. 3.
Installing and Maintaining Firmware Another method for upgrading the logical chassis cluster is by specifying the logical-chassis and rbridge-id options in the firmware download command, which is also referred to as the firmware download logical-chassis command. This command allows users to upgrade one or more nodes in the cluster from the principal node. The nodes to be upgraded are specified in the rbridge-id option.
Verifying firmware download in logical chassis cluster mode NOTE All of the nodes specified in the rbridge-id parameter in the firmware activate command will be rebooted at the same time.
switch# firmware activate rbridge-id 1-2,3
This command will activate the firmware on the following nodes.
Rbridge-id Sanity Result
------------------------------------
1 Non-disruptive(ISSU)
2 Disruptive
3 Disruptive
It will cause these nodes to reboot at the same time.
Tested topology • VDX 6730-60 • VDX 6740 and VDX 6740T • VDX 8770-4 and VDX 8770-8 The example approach presented here, tested in a Brocade lab topology, is intended as a best-practices model that is to be modified for existing customer deployments. Software release versions will vary. Tested topology The tested topology, illustrated below, is a four-node VDX cluster VCS 8192. The cluster consists of two spine nodes and two leaf nodes, connected to the core through a vLAG.
Installing and Maintaining Firmware FIGURE 15 Tested topology The following table summarizes the tested components.
TABLE 13 Tested components and roles
Position | VCS name | Chassis type | Description
Leaf | 8192 | VDX 6720-60 | Dual-homed TOR VDX
Spine | 8192 | VDX 6720-24 | Dual-homed
Core | NA | VDX 8770 | Connected to spine nodes of VCS 8192 through 16-port vLAG
Servers | NA | ESX 5.
Upgrading nodes by using an odd/even approach To reduce downtimes during planned software upgrades, the network design illustrated here has been provisioned with redundancy in all layers. Once such in-built redundancy is in place, an "odd/even" approach is used, whereby the cluster is split equally into odd and even nodes that represent both sides of the redundant traffic path.
Installing and Maintaining Firmware ! sw87# 4. Check the state of the system by using the following show commands. a) Verify that all the nodes to be upgraded are running the same version, by using the show version command. sw87# show version Network Operating System Software Network Operating System Version: 3.0.1 Copyright (c) 1995-2012 Brocade Communications Systems, Inc. Firmware name: 3.0.1c Build Time: 23:15:48 Oct 18, 2013 Install Time: 04:27:13 Dec 3, 2013 Kernel: 2.6.34.
Installing and Maintaining Firmware
Link: Te 87/0/14 (0x571807000D) sync: 1
Link: Te 87/0/15 (0x571807800E) sync: 1
Link: Te 87/0/16 (0x571808000F) sync: 1
Link: Te 87/0/17 (0x5718088010) sync: 1
Link: Te 87/0/18 (0x5718090011) sync: 1
Link: Te 87/0/19 (0x5718098012) sync: 1
Link: Te 87/0/20 (0x57180A0013) sync: 1
Link: Te 87/0/21 (0x57180A8014) sync: 1
Link: Te 87/0/22 (0x57180B0015) sync: 1
Link: Te 87/0/23 (0x57180B8016) sync: 1
Link: Te 87/0/24 (0x57180C0017) sync: 1
sw87#
e) Verify that the re
Optimizing reconvergence in the VCS Fabric NOTE In logical chassis cluster mode, the copy running-config startup-config command is not applicable. Use copy running-config ftp or copy running-config scp. a) Identify the principal node (RBridge), by using the show fabric all command.
sw87# show fabric all
VCS Id: 8192
Config Mode: Local-Only
Rbridge-id WWN IP Address Name
--------------------------------------------------------------------------
79 10:00:00:27:F8:44:50:C2 10.20.53.
Maintaining the VCS Fabric • Access ports that face servers or hosts. These can be port-channel or physical interfaces, depending upon the host or server configuration. • Uplink interfaces that connect to the core (port-channel 6144 in our example topology). • Interfaces supporting the VCS Fabric topology on all core and end-devices. NOTE ISL interfaces have flow control enabled by default. Do the following to optimize reconvergence. 1.
Understanding traffic outages NOTE Because the fabric principal and multicast root nodes have already been identified previously as "even" nodes, we reload the "odd" nodes first, then the "even" nodes. In the example below, sw87 and sw81 are reloaded at the same time. Refer to Understanding traffic outages on page 130 for details of the traffic outages that occurred at different phases of the process in the tested topology. 4.
Restoring firmware in the VCS Fabric TABLE 15 Traffic outage times: "Odd" switches, upgrading from 3.0.1c to 4.0.1
Tool | Traffic path 2 | Traffic path 1
Layer 2 traffic | 0 ms (within same rack) | ~118 ms (ping from server to sw137)
Layer 3 traffic-generator traffic | N/A | 0 ms
TABLE 16 Traffic outage times: "Odd" switches, reloading within 3.0.
Downgrading firmware in the VCS Fabric Do the following to downgrade firmware on nodes in the VCS Fabric. CAUTION The downgrade process will disrupt service. 1. Ensure that the VCS cluster is in fabric cluster mode. 2. Back up the running configuration. NOTE You can back up this file to an FTP or SCP server. 3. Download the previous version of firmware onto the nodes to be downgraded. ATTENTION Do not reboot at this point.
Configuring SNMP ● Simple Network Management Protocol overview..........................................................133 ● SNMP configuration...................................................................................................... 139 Simple Network Management Protocol overview Simple Network Management Protocol (SNMP) is a set of protocols for managing complex networks. SNMP protocols are application layer protocols.
Basic SNMP operation Every Brocade device carries an agent and management information base (MIB), as shown in the next figure. The agent accesses information about a device and makes it available to an SNMP network management station. FIGURE 16 SNMP structure When active, the management station can "get" information or "set" information when it queries an agent.
Brocade MIB structure Each MIB variable is assigned an object identifier (OID). The OID is the sequence of numeric labels on the nodes along a path from the root to the object. For example, as shown in the figure below, the Entity MIB OID is: 1.3.6.1.2.1.47 The corresponding name is: iso.org.dod.internet.mgmt.mib-2.
Brocade MIBs TABLE 19 MIB access levels
Access level | Description
not accessible | You cannot read or write to this variable.
read create | Specifies a tabular object that can be read, modified, or created as a new row in a table.
read only - Public | You can only monitor information.
read-write - Private | You can read or modify this variable.
accessible-to-notify | You can read this information only through traps.
Standard MIBs TABLE 20 Agent Capabilities (Continued)
Capability MIBs | Description
BROCADE-LLDP-EXT-DOT3-CAPABILITY-MIB | Provides the implementation details for the LLDP-EXT-DOT3-MIB
Standard MIBs Standard MIBs are not distributed through Brocade. You can download the following MIBs from http://www.oidview.
Configuring SNMP TABLE 21 Brocade SNMP MIB dependencies
MIB Name | Dependencies
Brocade-REG-MIB | RFC1155-SMI
Brocade-TC | Brocade-REG-MIB, SNMPv2-TC, SNMPv2-SMI
BRCD_NOS_PRODUCTS.mib | SNMPv2-SMI, Brocade-REG-MIB
BROCADE-PRODUCTS-MIB.mib | SNMPv2-SMI, Brocade-REG-MIB
SWBase.mib | SNMPv2-TC, SNMPv2-SMI, Brocade-REG-MIB
Resource.mib | SNMPv2-TC, SNMPv2-SMI, SWBASE-MIB
System.mib | SNMPv2-TC, Brocade-TC, SWBASE-MIB
FA.
SNMP configuration TABLE 21 Brocade SNMP MIB dependencies (Continued) MIB Name Dependencies FOUNDRY-SN-NOTIFICATION.mib SNMPv2-SMI FOUNDRY-SN-ROOT-MIB IF-MIB DOT3-OAM-MIB FOUNDRY-SN-SWITCH-GROUP-MIB FOUNDRY-SN-AGENT-MIB FOUNDRY-SN-SWITCH-GROUP-MIB FOUNDRY-SN-SW-L4-SWITCH-GROUP-MIB FOUNDRY-SN-WIRELESS-GROUP-MIB FOUNDRY-SN-OSPF-GROUP-MIB IEEE8021-CFM-MIB SNMP configuration The following sections discuss configuring the Simple Network Management Protocol on Brocade devices.
Changing the access of a read-only community string • The string variable specifies the community string name. The string can be from 2 to 16 characters long. • The ro or rw option specifies whether the string is read-only (ro) or read-write (rw). The command in the example adds the read-write SNMP community string "private" with read-write access. Changing the access of a read-only community string This example changes the access of "user123" from read-only to read-write. 1.
Removing the SNMP server host • The ipv4_host | ipv6_host | dns_host variable specifies the IP address of the host. • The community-string variable sets the community string. • The version option specifies either SNMPv1- or SNMPv2c-related configuration parameters. These parameters include the community string. The default SNMP version is 1. • The udp-port port option specifies the UDP port where SNMP traps will be received. The default port is 162. The acceptable range of ports is from 0 through 65535.
Setting the SNMP server description The example changes the default location string to "Building 3 Room 214." You must enclose the text in double quotes if the text contains spaces. Setting the SNMP server description Use the snmp-server sys-descr command to set the SNMP server description string. The default SNMP server description string is "Brocade-VDX-VCS." The number of characters allowed is from 4 through 255. 1. Enter the configure terminal command. 2.
Configuring SNMP Enter the show running-config snmp-server command. switch# show running-config snmp-server snmp-server contact "Field Support." snmp-server location "End User Premise." snmp-server sys-descr "Brocade VDX Switch.
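The community-string and trap-host settings described above can be reviewed directly from the show running-config snmp-server output. The following added example (not from the guide) scans such output for read-write community strings, well-known default strings, and SNMPv1/v2c trap hosts, which carry the community string in clear text; the line formats and the sample output are constructed from the command keywords the guide documents.

```python
# Added example, not from the Network OS guide. Assumed line formats, built
# from the keywords the guide documents:
#   snmp-server community <string> [ro | rw]
#   snmp-server host <host> <community-string> [version {1 | 2c}] [udp-port <port>]
# Defaults from the guide: SNMP version 1 and UDP port 162 when omitted.
# Assumption of this example: a community line without ro/rw is treated as ro.
import re
from typing import List, Tuple

DEFAULT_COMMUNITY_STRINGS = {"public", "private"}  # widely known vendor defaults

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (ro|rw))?$")
HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+)(.*)$")
VERSION_RE = re.compile(r"\bversion (1|2c)\b")
UDP_PORT_RE = re.compile(r"\budp-port (\d+)\b")

# Constructed sample, modelled on the show running-config snmp-server output in the guide.
SAMPLE_SNMP_CONFIG = """\
snmp-server contact "Field Support."
snmp-server location "End User Premise."
snmp-server community private rw
snmp-server community public ro
snmp-server community Ops-Monitor-7x ro
snmp-server host 192.168.10.5 private version 2c udp-port 162
snmp-server host 192.168.10.6 Ops-Monitor-7x
"""


def parse_host_options(rest: str) -> Tuple[str, int]:
    """Return (version, udp_port) from the options that follow the community string."""
    vm = VERSION_RE.search(rest)
    pm = UDP_PORT_RE.search(rest)
    version = vm.group(1) if vm else "1"      # guide: the default SNMP version is 1
    port = int(pm.group(1)) if pm else 162    # guide: the default port is 162
    return version, port


def audit_snmp_config(config_text: str) -> List[Tuple[str, str]]:
    """Return (config line, reason) pairs for every setting worth a second look."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, access = m.group(1), m.group(2) or "ro"
            if access == "rw":
                # rw lets any holder of the string change switch configuration via SET
                findings.append((line, "read-write community string"))
            if name.lower() in DEFAULT_COMMUNITY_STRINGS:
                findings.append((line, "well-known default community string"))
            continue
        m = HOST_RE.match(line)
        if m:
            host, community, rest = m.groups()
            version, port = parse_host_options(rest)
            # SNMPv1 and v2c put the community string on the wire unencrypted
            findings.append((line, f"trap host {host} uses SNMPv{version} on UDP {port}: "
                                   "community string sent in clear text"))
            if community.lower() in DEFAULT_COMMUNITY_STRINGS:
                findings.append((line, "trap host uses a well-known default community string"))
    return findings


if __name__ == "__main__":
    for cfg_line, reason in audit_snmp_config(SAMPLE_SNMP_CONFIG):
        print(f"{reason}\n    {cfg_line}")
```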
Configuring Brocade VCS Fabrics ● Fabric overview............................................................................................................. 145 ● Configuring a Brocade VCS Fabric............................................................................... 148 Fabric overview The Brocade VCS Fabric Ethernet fabric is defined as a group of switches that exchange information between each other to implement distributed intelligence.
How RBridges work ‐ Brocade Link Discovery Protocol (BLDP) attempts to discover if a Brocade VCS Fabric-capable switch is connected to any of the edge ports. Refer to Neighbor discovery on page 146 for more information. ‐ BLDP attempts to merge the adjacent Brocade switch into the Brocade VCS Fabric environment at the link level. • A series of FC fabric formation protocols (RDI, DIA, and FSPF) are initiated once a link level relationship has been established between two neighbor switches.
Brocade trunks Network OS 4.0.0 and later supports Brocade trunks (hardware-based link aggregation groups, or LAGs). These LAGs are dynamically formed between two adjacent switches. The trunk formation is controlled by the same Fibre Channel Trunking protocol that controls the trunk formation on FC switches. As such, it does not require user intervention or configuration except enabling or disabling, which instructs the switch software to form a trunk at the global level or not.
RBridge ID allocation NOTE Brocade VDX Data Center switches are shipped with factory-programmed world wide names (WWNs) that are unique. NOTE In a logical chassis cluster, you can select the principal node by using the command line interface. For more information, refer to Selecting a principal node for the cluster on page 77. RBridge ID allocation RBridge ID assignment is implemented by leveraging proven Domain ID assignment protocols from FC SANs.
Configuring Brocade VCS Fabrics TABLE 22 Command examples for enabling logical chassis cluster mode (Continued)
Command | Command Behavior
switch# vcs vcsid 22 rbridge-id 15 logical-chassis enable | The VCS ID is changed to 22, the RBridge ID is changed to 15, and Brocade VCS logical chassis cluster mode is enabled.
switch# vcs vcsid 11 logical-chassis enable | The VCS ID is changed to 11, the RBridge ID is not changed, and Brocade VCS logical chassis cluster mode is enabled.
Adding a new switch into a fabric Complete the following configuration steps to add a new switch into a fabric. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the vcs rbridge-id rbridge-id enable command. The switch remembers its RBridge ID once it has been assigned. The vcs rbridge-id rbridge-id enable command also sets the insistent RBridge ID property on the switch. 3. Reboot the system.
Disabling a fabric ISL the local interface is ISL disabled. Upon receiving such information, a neighbor switch stops its ISL formation activity regardless of its current interface state. NOTE After you repair any segmented or disabled ISL ports, toggle the fabric ISL in order to propagate the changes. NOTE A shutdown command on an operating ISL interface not only brings down the physical link but also its FSPF adjacency.
Multicast distribution tree-root selection
Network OS v4.0.0 software supports the following distribution tree behaviors.
• The root of the distribution tree is the switch with the lowest RBridge ID. The automated selection process does not require any user intervention.
• Each switch in the cluster optionally carries a multicast root priority. This priority setting overrides the automatically selected multicast root.
Configuring VCS virtual IP addresses
A virtual IP address is assigned for each VCS cluster. This virtual IP address is tied to the principal switch in the cluster. The management interface of the principal switch can be accessed by means of this virtual IP address. Because the virtual IP address is a property of the fabric cluster and logical chassis cluster, in the event that the principal switch goes down, the next principal switch is assigned this address.
Configuring fabric ECMP load balancing
TABLE 25 Virtual IP address configuration scenarios (Continued)

Scenario                    Description
Virtual IP configuration    When you configure the virtual IP address for a cluster the first time, the address is bound to the management interface of the principal switch.
Configuring Brocade VCS Fabrics
TABLE 26 ECMP load-balancing operands

Operand                    Description
dst-mac-vid                Destination MAC address and VID-based load balancing
src-dst-ip                 Source and destination IP address-based load balancing
src-dst-ip-mac-vid         Source and destination IP and MAC address and VID-based load balancing
src-dst-ip-mac-vid-port    Source and destination IP, MAC address, VID, and TCP/UDP port-based load balancing
src-dst-ip-port            Source and destination IP and TCP/UDP port-based load balancing
src-
Configuring Metro VCS ● Metro VCS overview..................................................................................................... 157 ● Configuring a Metro VCS port....................................................................................... 164 ● Configuring Distributed Ethernet Fabrics using vLAG...................................................
Metro VCS using long-distance ISLs
FIGURE 20 Metro VCS configuration example
If Metro VCS is configured by using standard ISLs, with distances of up to 1000 m, no limitations apply to the supported service types or the supported number of MAC addresses. Also, no special buffer arrangements (long-distance ISL configuration) need to be made. Refer to Metro VCS using long-distance ISLs on page 158.
Configuring Metro VCS
Metro VCS supports long-distance ISL ports up to 30 km on the Brocade VDX platforms listed below. Links up to 10 km are lossless. You can have eight 1-km links forming a Brocade trunk. You can also have mixed-length cables forming the ISL. For ECMP purposes, you can have eight 8-link ECMP trunks.
Guidelines and restrictions for long-distance Metro VCS
TABLE 28 Conditions for long-distance Metro VCS (Continued)

Condition                 Extended ISL up to 2 km   Extended ISL up to 5 km   Extended ISL up to 10 km   Extended ISL up to 30 km
Node redundancy check     yes                       yes                       yes                        yes
vMotion                   yes                       yes                       yes                        yes
Maximum PFCs supported    3 (2 on the Brocade VDX 6740, 6740T, and 6740T-1G) at every one of the four distances
Metro VCS using standard-distance ISLs
In order to deploy Metro VCS using standard-distance ISLs, no configuration is required on the ISL. The default configuration on the 10-Gbps interface, set by the fabric isl enable and fabric trunk enable commands, allows ISL formation with other Brocade VDX switches in the same VCS cluster automatically. BLDP negotiation takes place to form ISLs for distances up to 30 km. (Refer to Configuring Brocade VCS Fabrics on page 145.)
Guidelines and restrictions for standard-distance Metro VCS
TABLE 30 Standard Metro VCS port-group schema

Platform                                     Port groups                                 Number of port groups on platform
Brocade VDX 6720-60 (10 GbE)                 1–10, 11–20, 21–30, 31–40, 41–50, 51–60     6
Brocade VDX 6730-76 (10 GbE)                 1–10, 11–20, 21–30, 31–40, 41–50, 51–60     6
Brocade VDX 6740, 6740T, 6740T-1G            1–16, 17–32, 33–40, 41–48                   4
Brocade VDX 8770 (VDX LC48x10G line card)    1–8, 9–16, 17–24, 25–32, 33–40, 41–48       6 per 10 GbE blade
Guidelines an
Supported platforms for Distributed Ethernet Fabrics using vLAG FIGURE 22 Metro VCS and distributed Ethernet fabrics In order to connect two distinct VCS Ethernet fabrics between data centers, a third Metro VCS fabric can be formed, and the distinct local VCS Ethernet fabrics can connect to the Metro VCS fabric by means of Virtual Link Aggregation (vLAG).
Guidelines and restrictions for Distributed Ethernet Fabrics using vLAG
FIGURE 23 Connecting local VCS clusters over long distance using vLAG
Guidelines and restrictions for Distributed Ethernet Fabrics using vLAG
Note the following guidelines and restrictions for Distributed Ethernet Fabrics using vLAG.
• Only dynamic vLAG is supported.
• DCB/FCoE lossless Ethernet traffic is not supported.
• The maximum supported distance is 100 km.
Configuring Distributed Ethernet Fabrics using vLAG
Src    Src         Nbr    Nbr
Index  Interface   Index  Interface   Nbr-WWN                  BW    Trunk  Nbr-Name
-----------------------------------------------------------------------------------
4      Te 51/0/1   4      Te 53/0/1   10:00:00:05:33:65:3B:50  10G   Yes    "VCS3-53"
switch(conf-if-te-51/0/1)# do show fabric islports
Name: VCS3-51
Type: 131.
Configuring Metro VCS
 switchport trunk tag native-vlan
 spanning-tree shutdown
 shutdown
5. Add member interfaces to the port-channel interface by using the channel-group command. Do this for all interfaces that need to be part of the port-channel.
Administering Zones ● Zoning overview............................................................................................................ 167 ● Configuring and managing zones ................................................................................ 175 Zoning overview Zoning is a fabric-based service that enables you to partition your network into logical groups of devices that can access each other and prevent access from outside the group.
Administering Zones
FIGURE 24 Zoning
Connecting to another network through a Fibre Channel (FC) router, you can create a Logical SAN (LSAN) zone to include zone objects on other fabrics, including Fabric OS networks. No merging takes place across the FC router when you create an LSAN zone. The figure below shows an example in which Server 1, which is connected to a switch in a Brocade VCS Fabric cluster, has access to local storage and to RAID storage on a Fabric OS fabric.
LSAN zones
FIGURE 25 LSAN zoning
NOTE
Zoning in Network OS 4.0.0 and later has the following restrictions:
• Zone objects based on physical port number or port ID (D,I ports) are not supported.
• You cannot access a target on a Network OS fabric from a server on the Fabric OS fabric.
LSAN zones
LSAN zones are distinct from conventional zones. This section details how to define and manage LSAN zones and provides recommendations about LSAN zone naming.
LSAN naming
You can define and manage LSANs using the same zone management tools as for regular zones. The FC router makes LSAN zoning possible by importing devices in effective zones. For example, consider two devices:
• 11:22:33:44:55:66:77:99 is connected to a switch in a Brocade VCS Fabric cluster.
• 11:22:33:44:55:66:77:88 is connected to a switch in a Fabric OS fabric.
Approaches to zoning
Refer to the Fabric OS Command Reference Manual for details about the portCfgExport and fcrXlateConfig commands.
Approaches to zoning
The following lists the various approaches you can take when implementing zoning in a Network OS fabric.
TABLE 31 Approaches to fabric-based zoning

Zoning approach        Description
Recommended approach
Single HBA             Zoning by single HBA most closely re-creates the original SCSI bus.
Zone objects
TABLE 31 Approaches to fabric-based zoning (Continued)

Zoning approach        Description
No zoning              Using no zoning is the least desirable zoning option because it allows devices to have unrestricted access on the fabric and causes RSCN storms. Additionally, any device attached to the fabric, intentionally or maliciously, likewise has unrestricted access to the fabric.
Naming conventions
Several zone configurations can reside on a switch at once, and you can quickly alternate between them. For example, you might want to have one configuration enabled during business hours and another enabled overnight. However, only one zone configuration can be enabled at a time. The different types of zone configurations are:
• Defined Configuration: The complete set of all zone objects defined in the fabric.
Operational considerations for zoning
TABLE 32 Considerations for zoning architecture (Continued)

Item                    Description
Confirming operation    After changing or enabling a zone configuration, confirm that the nodes and storage can identify and access one another. Depending on the platform, you might need to reboot one or more nodes in the fabric with the new changes.
Use of aliases          The use of aliases is optional with zoning. Using aliases requires structure when defining zones.
Configuring and managing zones | cfg-disable} command or the zoning enabled-configuration cfg-name cfg_name command to commit the operation before re-attempting a firmware download. 2. An open zone transaction in progress. You must either commit or abort the current open transaction before re-attempting a firmware download. Use the zoning enabled-configuration cfg-action {cfgsave | cfg-disable} command or the zoning enabled-configuration cfg-name cfg_name command to commit the current open transaction.
Understanding and managing default zoning access modes If a fabric segments, the newly elected principal RBridge determines whether transaction data are retained. If a segment retains the original principal, it also retains ongoing transaction data. If a segment elects a new principal, the transaction is aborted. The zone startup configuration is always equal to the running configuration.
Understanding and managing zone database size
3. Enter the zoning enabled-configuration cfg-action cfg-save or zoning enabled-configuration cfg-name command to commit the ongoing transaction and save the access mode change to nonvolatile memory.
4. Enter the show running-config zoning enabled-configuration command to verify the access mode change.
Creating an alias
1. In privileged EXEC mode, enter the show name-server detail command to list the WWNs of devices and targets available in the Brocade VCS Fabric.
2. Enter the configure terminal command to enter global configuration mode.
3. Enter the zoning defined-configuration alias command followed by a name for the alias. A subconfiguration mode prompt appears.
4. Enter the subconfiguration mode member-entry command to specify at least one member entry.
switch(config)# zoning defined-configuration alias alias1
switch(config-alias-alias1)# member-entry 10:00:00:00:00:00:00:02;10:00:00:00:00:00:00:03
switch(config-alias-alias1)# exit
switch(config)# zoning enabled-configuration cfg-action cfg-save
switch(config)#
Removing a member from an alias
1. In privileged EXEC mode, enter the show running-config zoning command to display the alias and its member WWNs.
2.
switch(config)# no zoning defined-configuration alias alias1
switch(config)# do show running-config zoning
zoning enabled-configuration cfg-name ""
zoning enabled-configuration default-zone-access allaccess
zoning enabled-configuration cfg-action cfg-none
switch(config)# zoning enabled-configuration cfg-action cfg-save
Creating zones
Consider the topics below when creating zones.
Creating a zone
A zone cannot persist without any zone members.
Adding a member to a zone
1. In privileged EXEC mode, enter the show name-server detail command to list the WWNs of devices and targets available on the Brocade VCS Fabric cluster.
2. Enter the configure terminal command to enter global configuration mode.
3. Enter the zoning defined-configuration zone command and enter the name of an existing zone. A subconfiguration mode prompt appears.
4.
switch(config)# zoning defined-configuration zone zone1
switch(config-zone-zone1)# no member-entry 50:05:07:61:00:09:20:b4
switch(config-zone-zone1)# no member-entry alias3
switch(config-zone-zone1)# exit
switch(config)# zoning enabled-configuration cfg-action cfg-save
Deleting a zone
Before deleting a zone, ensure that the zone is not a member of any enabled zone configuration.
Viewing the enabled configuration
 member-zone zone_0_3
 member-zone zone_0_4
 member-zone zone_same
!
zoning defined-configuration cfg cfg1
 member-zone zone_1_1
 member-zone zone_1_2
 member-zone zone_1_3
 member-zone zone_1_4
 member-zone zone_same
!
zoning defined-configuration cfg cfg2
 member-zone zone_2_1
 member-zone zone_2_2
 member-zone zone_2_3
 member-zone zone_2_4
 member-zone zone_same
!
zoning defined-configuration cfg cfg4
 member-zone zone2
 member-zone zone3
!
zoning defined-configuration zone zone0
 me
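The zoning database shown in these sections (defined configurations, zones and aliases, plus the enabled configuration and its default-zone-access setting) is exactly what should be checked before trusting that a fabric is partitioned at all; the "No zoning" row of Table 31 is the failure mode to look for. The following Python is an added example, not Network OS code or output: it parses a constructed dump in the shape of the show running-config zoning output above, resolves aliases, computes which WWNs the enabled configuration lets communicate, and flags the dangerous states (no enabled configuration while default-zone-access is allaccess, and dangling zone or alias references). The names and WWNs in SAMPLE are made up for the example.

```python
"""Parse and audit a Network OS 'show running-config zoning' dump (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of 'show running-config zoning' output; names and
# WWNs are made up. A member-entry is a port WWN or an alias name; several may be
# joined with ';' on one line.
SAMPLE = """\
zoning enabled-configuration cfg-name "cfg1"
zoning enabled-configuration default-zone-access noaccess
zoning enabled-configuration cfg-action cfg-none
zoning defined-configuration cfg cfg1
 member-zone zone_host1
 member-zone zone_orphan
!
zoning defined-configuration zone zone_host1
 member-entry 10:00:00:00:c9:2b:c9:0c
 member-entry alias_storage
!
zoning defined-configuration zone zone_host2
 member-entry 10:00:00:00:c9:2b:c9:0d;alias_storage
!
zoning defined-configuration alias alias_storage
 member-entry 50:05:07:61:00:49:20:b4
 member-entry 50:05:07:61:00:5b:62:ed
!
"""

WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.I)


@dataclass
class ZoneDB:
    enabled_cfg: str = ""                        # "" means no enabled configuration
    default_access: str = "allaccess"
    cfgs: dict = field(default_factory=dict)     # cfg name -> [zone names]
    zones: dict = field(default_factory=dict)    # zone name -> [WWNs or alias names]
    aliases: dict = field(default_factory=dict)  # alias name -> [WWNs]


def parse_zoning(text):
    """Each 'zoning defined-configuration <kind> <name>' line opens a block of
    indented member lines that a lone '!' closes."""
    db = ZoneDB()
    current = None                               # member list of the open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        parts = line.split()
        if parts[:2] == ["zoning", "enabled-configuration"]:
            if parts[2] == "cfg-name":
                db.enabled_cfg = parts[3].strip('"')
            elif parts[2] == "default-zone-access":
                db.default_access = parts[3]
        elif parts[:2] == ["zoning", "defined-configuration"]:
            table = {"cfg": db.cfgs, "zone": db.zones, "alias": db.aliases}[parts[2]]
            current = table.setdefault(parts[3], [])
        elif parts[0] in ("member-zone", "member-entry") and current is not None:
            current.extend(m for m in parts[1].split(";") if m)
    return db


def resolve(db, member):
    """A WWN resolves to itself, an alias to its WWNs, an unknown name to nothing."""
    if WWN_RE.match(member):
        return [member.lower()]
    return [w.lower() for w in db.aliases.get(member, [])]


def effective_access(db):
    """{wwn: set(peer wwns)} that the enabled configuration lets communicate.
    Empty when nothing is enabled; then default-zone-access alone decides."""
    access = {}
    for zone in db.cfgs.get(db.enabled_cfg, []):
        wwns = {w for m in db.zones.get(zone, []) for w in resolve(db, m)}
        for w in wwns:
            access.setdefault(w, set()).update(wwns - {w})
    return access


def audit(db):
    """Findings, most severe first: an unzoned fabric is the one to fix today."""
    findings = []
    if not db.enabled_cfg and db.default_access == "allaccess":
        findings.append("CRITICAL: no enabled configuration and default-zone-access is "
                        "allaccess: every attached device can reach every other device")
    elif db.enabled_cfg and db.enabled_cfg not in db.cfgs:
        findings.append(f"ERROR: enabled cfg {db.enabled_cfg!r} is not defined")
    active = db.cfgs.get(db.enabled_cfg, [])
    for zone in active:
        if zone not in db.zones:
            findings.append(f"ERROR: cfg {db.enabled_cfg} references undefined zone {zone!r}")
    for zone, members in db.zones.items():
        if zone not in active:
            findings.append(f"INFO: zone {zone!r} is defined but not in the enabled cfg")
        for m in members:
            if not WWN_RE.match(m) and m not in db.aliases:
                findings.append(f"ERROR: zone {zone!r} references undefined alias {m!r}")
    return findings
```

Feed it the output of show running-config zoning captured from each RBridge before a merge or a cfg-save; the effective_access map is what a host can actually reach, which is the property the CAUTION about stale enabled configurations is protecting.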
Creating a zone configuration CAUTION When edits are made to the defined configuration, and those edits affect a currently enabled zone configuration, issuing a "cfg-save" command makes the enabled configuration effectively stale. Until the enabled configuration is reenabled, the merging of new RBridges into the cluster is not recommended. This merging may cause unpredictable results, with the potential for mismatched enabled-zoning configurations among the RBridges in the cluster.
Removing a zone from a zone configuration
The command prompt changes to indicate a subconfiguration mode.
3. Enter the member-zone subconfiguration mode command and specify the name of at least one member zone. Add multiple zones in one operation by separating each zone name with a semicolon (;).
4. Enter the exit command to return to global configuration mode.
5. Enter the zoning enabled-configuration cfg-action cfg-save command to save the modified configuration to nonvolatile memory.
Disabling a zone configuration
1. In privileged EXEC mode, enter the configure terminal command to enter global configuration mode.
2. Enter the zoning enabled-configuration cfg-name command with the name of the configuration you want to enable. In addition to enabling the specified configuration, this command also saves any changes made to the zoning database in volatile memory to nonvolatile memory. The saved configuration is persistent.
Clearing changes to a zone configuration
1. In privileged EXEC mode, enter the configure terminal command to enter global configuration mode.
2. Enter the no zoning defined-configuration cfg command and the name of the zone configuration you want to delete.
3. Enter the zoning enabled-configuration cfg-action cfg-save command to save the modified defined configuration to nonvolatile memory.
Backing up the zone configuration
• If no enabled zone configuration exists, enter the zoning enabled-configuration cfg-action cfg-save command.
• If an enabled zone configuration exists, enter the no zoning enabled-configuration cfg-name command to disable and clear the zone configuration in nonvolatile memory for all switches in the fabric.
The following example adds the configuration in the file named myconfig on the attached USB device to the defined configuration.
switch# copy usb://myconfig running-config
Zone configuration scenario example
This example creates the zone configuration shown below. The example assumes that two hosts need access to the same storage device, while each host needs private storage of its own.
Merging zones
8. Enter the show running-config zoning defined-configuration command to view the defined zone configuration.
9. Enter the zoning enabled-configuration cfg-name command to enable cfg2.
10. Verify the enabled zoning configuration by means of the show zoning enabled-configuration command.
Administering Zones If you are adding a switch that is already configured for zoning, you must clear the zone configuration on that switch before connecting it to the zoned fabric. Refer to Clearing all zone configurations on page 187 for instructions. Adding a new fabric that has no zone configuration information to an existing zoned fabric is very similar to adding a new switch. All switches in the new fabric inherit the zone configuration data.
Fabric segmentation and zoning The transaction state after the merge depends on which switch is elected as the principal RBridge. The newly elected principal RBridge retains the same transaction information it had before the merge. Transaction data is discarded from any switch that lost its principal status during the merge. • Merge conflicts When a merge conflict is present, a merge does not take place and the ISLs will segment.
Administering Zones
TABLE 33 Zone merging scenarios: Defined and enabled configurations (Continued)

Description                                      Switch A                           Switch B                           Expected results
Switch A and Switch B have the same defined      defined: cfg1                      defined: cfg1                      No change (clean merge).
configuration. Neither has an enabled            zone1: 10:00:00:90:69:00:00:8a;    zone1: 10:00:00:90:69:00:00:8a;
configuration.                                   10:00:00:90:69:00:00:8b            10:00:00:90:69:00:00:8b
Administering Zones TABLE 34 Zone merging scenarios: Different content Description Switch A Switch B Expected results Enabled configuration mismatch.
Configuring LSAN zones — device sharing example TABLE 36 Zone merging scenarios: Default access mode (Continued) Description Switch A Switch B Enabled zone configuration. No enabled configuration. enabled: cfg2 Enabled zone configuration. No enabled configuration. enabled: cfg2 Enable zone configuration. enabled: cfg1 No enabled configuration. default zone: No Access default zone: No Access enabled: cfg1 No enabled configuration.
Administering Zones
FIGURE 27 LSAN zones example
The following example steps create this set of LSAN zones.
1. Obtain the host WWN in fabric_01:
   a) Log in to any switch in fabric_01.
   b) On the fabric_01 switch, enter the show name-server detail command to list the WWN of the host (10:00:00:00:c9:2b:c9:0c).
NOTE
The show name-server detail output displays both the port WWN and node WWN; the port WWN must be used for LSANs.
Administering Zones
 Fabric Port Name: 20:08:00:05:1e:34:11:e5
 Permanent Port Name: 50:05:07:61:00:5b:62:ed
 NL 0508ef; 3; 50:05:07:61:00:49:20:b4; 50:05:07:61:00:09:20:b4; na
 FC4s: FCP [IBM DNEF-309170 F90F]
 Fabric Port Name: 20:08:00:05:1e:34:11:e5
 Permanent Port Name: 50:05:07:61:00:49:20:b4
The Local Name Server has 2 entries }
3. Create an LSAN zone in the Network OS fabric (fabric_01)
4.
Administering Zones
Exists in Fabric                               PID
-------------------------------------------------
   75    10:00:00:00:c9:2b:c9:0c            c70000
    2    50:05:07:61:00:49:20:b4            0100ef
    2    50:05:07:61:00:5b:62:ed            0100e8
Total devices displayed: 3
The fcrProxyDevShow command shows the proxy devices in the LSAN.
Configuring Fibre Channel Ports ● Fibre Channel ports overview....................................................................................... 199 ● Connecting to a FC Fabric through an FC Router........................................................ 199 ● Fibre Channel port configuration...................................................................................
Fibre Channel port configuration storage and services. Refer to Fibre Channel ports overview on page 199 for information on how to create LSAN zones. The following shows an FC connection between a Network OS fabric and Fibre Channel SAN.
Activating and deactivating Fibre Channel ports
attributes (desire-distance, fill-word, isl-r_rdy, long-distance, speed, trunk-enable, and vc-link-init commands).
• show running-config interface FibreChannel: A privileged EXEC mode command that displays Fibre Channel port configuration information.
• show interface FibreChannel: A privileged EXEC mode command that displays hardware counters that monitor activity and status of a Fibre Channel port.
Configuring and viewing Fibre Channel port attributes
This section introduces the options for configuring a variety of Fibre Channel port attributes and confirming the status of those attributes.
Using Fibre Channel port commands
Network OS v2.1.
Viewing Fibre Channel port attributes
To view the Fibre Channel port attributes for a single port, in privileged EXEC mode, enter the show running-config interface FibreChannel rbridge-id/slot/port command for the port you want to view. To view the Fibre Channel port attributes for all Fibre Channel ports in the fabric, enter the show running-config interface FibreChannel command without any additional parameters.
The following example sets the port speed to 4 Gbps.
switch# configure terminal
Entering configuration mode terminal
switch(config)# interface FibreChannel 8/0/1
switch(config-FibreChannel-8/0/1)# speed 4
Configuring Fibre Channel ports for long-distance operation
Configuring a port for long-distance operation reserves the appropriate number of full-size frame buffers for various long-distance modes.
Configuring a Fibre Channel port for long-distance operation
To configure a Fibre Channel port for long-distance operation, follow these steps:
1. In privileged EXEC mode, enter the configure terminal command to enter global configuration mode.
2. Enter the interface FibreChannel rbridge-id/slot/port command for the Fibre Channel port you want to configure. A configuration submode prompt appears.
3.
Monitoring Fibre Channel ports
To monitor a Fibre Channel port, in privileged EXEC mode, enter the show interface FibreChannel rbridge-id/slot/port command for the Fibre Channel port you want to monitor. The command output provides detailed information about the hardware counters associated with the port. This command has a basic version and a detail version.
Configuring Fibre Channel Ports
tim_txcrd_z_vc  4- 7:   0  0  0  0
tim_txcrd_z_vc  8-11:   0  0  0  0
tim_txcrd_z_vc 12-15:   0  0  0  0
Error Statistics:
er_enc_in            0    Encoding errors inside of frames
er_crc               0    Frames with CRC errors
er_trunc             0    Frames shorter than minimum
er_toolong           0    Frames lon
er_bad_eof           0
er_enc_out           0
er_bad_os            1
er_rx_c3_timeout     0
er_tx_c3_timeout     0
er_c3_dest_unreach   0
er_other_discard     0
er_type1_miss        0
er_type2_miss        0
er_type6_miss        0
er_zone_miss         0
er_lun_zone_miss     0
er_crc_good_eof      0
er_inv_arb           0
Using Access Gateway ● Access Gateway basic concepts...................................................................................209 ● Enabling Access Gateway mode.................................................................................. 219 ● Disabling Access Gateway mode..................................................................................220 ● Display Access Gateway configuration data.................................................................
Using Access Gateway
FIGURE 29 Hosts connecting to FC fabric through VDX switch in AG mode
NOTE
An AG switch can connect to only one Fibre Channel SAN. Ports on this switch connecting to a second FC SAN are disabled. Multiple AG switches, each belonging to a different VCS cluster, can connect to the same SAN fabric.
The following figure illustrates an alternate connection of hosts (servers) to an FC fabric through a VDX 6730 switch that is not in Access Gateway mode.
Using Access Gateway
FIGURE 30 Connecting Network OS fabric to FC fabric without AG mode
Switches in AG mode are logically transparent to the host and the fabric. Therefore, you can increase the number of hosts that have access to the fabric without increasing the number of switch domains. This simplifies configuration and management in a large fabric by reducing the number of domain IDs and ports. VCS mode must be enabled to enable Access Gateway on the switch. In addition, an FCoE license is required.
Access Gateway and native VCS modes FIGURE 31 Using AG VDX switch for connecting FC and VCS fabrics Access Gateway and native VCS modes In this document, VCS "native" mode refers to a VDX switch enabled in VCS mode, whereas Access Gateway mode refers to a switch in VCS mode enabled for the Access Gateway feature. In native VCS mode the switch can function as part of a VCS Fabric cluster, but cannot connect to a FC fabric through N_Ports.
Access Gateway in logical chassis cluster
For more information on enabling and disabling AG mode, refer to Enabling Access Gateway mode on page 219 and Disabling Access Gateway mode on page 220.
Access Gateway in logical chassis cluster
Although operations of a VDX switch configured in Access Gateway mode are similar to those of a node configured in native VCS mode while in logical chassis cluster mode, there are some unique considerations that you should be aware of.
Comparison of Access Gateway, ISL, and FC switch ports
‐ By default, each switch is assigned 64 VF_Ports.
‐ There is no limit to the number of VF_Ports that you can map to an N_Port.
‐ Up to 64 NPIV logins are allowed per VF_Port.
Default port numbers are specific to the switch platform:
‐ VDX 6730-76: Valid VF_Ports are 75–139
‐ VDX 6730-32: Valid VF_Ports are 32–95
NOTE
In Network OS commands, VF_Ports are designated by the format domain/rbridge-id/VF_Port.
Using Access Gateway A non-AG VDX 6730 switch using an ISL connection between its FC E_Port and an EX_Port on an FCR, consumes domain ID resources that may impact scalability as VCS and FC fabrics grow. In addition, connection through a FCR may limit connection to multivendor FC fabrics. Finally, connection through an ISL provides limited device port connections to the FC fabric.
Access Gateway features, requirements and limitations FIGURE 33 VDX 6730 and FC switch ports Access Gateway features, requirements and limitations Although Access Gateway provides standard features for connection to Fibre Channel SANs, you can configure a number of optional features as well. There are also requirements and limitations that you should be aware of when using this feature in a VCS cluster and FC fabric environment.
Using Access Gateway
For more information on Port Grouping policy modes, refer to Port Grouping policy modes on page 230.
N_Port Monitoring for unreliable links
The N_Port monitoring for unreliable links feature monitors links from all N_Ports on the VDX switch to F_Ports on the FC fabric. If online and offline state change notifications (SCNs) exceed a set threshold during a specific time period, the link is considered unreliable, and the N_Port is taken offline.
Using Access Gateway
‐ FC hosts or targets cannot be directly attached to the VDX switch.
‐ The VDX AG switch cannot be connected to a Fabric OS Access Gateway in a cascaded configuration.
• Access Gateway does not "bridge" the VCS and FC fabrics:
‐ Hosts connected to VF_Ports mapped to Access Gateway N_Ports appear on the FC fabric only.
‐ Device FC IDs are assigned by the FC fabric F_Ports connected to the Access Gateway N_Ports.
Enabling Access Gateway mode
‐ You can configure the maximum number of FCoE devices that can be logged into a switch by using the fcoe_enodes command.
‐ Newly allocated VF_Ports are mapped to existing N_Ports sequentially in a round-robin fashion, which assigns all VF_Ports sequentially and evenly to the N_Ports.
‐ Newly deallocated VF_Ports are removed from existing VF_Port to N_Port mappings.
Disabling Access Gateway mode The switch reboots and AG mode is enabled. Switch FC ports are automatically enabled as N_Ports and mapped to VF_Ports. The N_Ports and VF_Ports are allocated to the switch based on the switch model. Refer to Default port mapping on page 225 for more information. 3. You can configure additional FC port attributes for the N_Ports as you would on switches not in Access Gateway mode. Port trunking is not supported, however.
Using Access Gateway
NOTE
Display of the current (active) mapping or the configured mapping for a port group by the show ag rbridge-id rbridge-id and show running-config rbridge-id rbridge-id ag commands depends on whether Login Balancing mode is enabled or disabled. For more information, refer to Automatic Login Balancing Mode on page 230.
1. Make sure you are in privileged EXEC mode and have a switch prompt such as the following.
switch#
2.
VF_Port to N_Port mapping
Port Group information :
PG_ID  PG_Name  PG_Mode  PG_Members
----------------------------------------------------------
0      pg0      lb       5/0/1, 5/0/2, 5/0/3, 5/0/4, 5/0/5, 5/0/6, 5/0/7, 5/0/8
----------------------------------------------------------
Fabric Information :
Attached Fabric Name       N_Ports(Fi)
----------------------------------------------------------
10:00:00:05:33:72:f5:5a    5/0/1, 5/0/2
N_Port(Fi) information :
Port   PortID   Attached PWWN   IP_Addr   VF_Ports
---------------------------------
Displaying port mapping
You can display the current and configured VF_Port to N_Port mapping on a specific switch or on all switches enabled for Access Gateway in the VCS cluster. Access Gateway mode must be enabled for this command to succeed. Display the current, active VF_Port to N_Port mapping on a specific switch or on all switches enabled for Access Gateway in the VCS cluster using the show ag map rbridge-id rbridge-id command while in privileged EXEC mode.
Using Access Gateway
Current and configured mapping display
Display of the current (active) mapping or the configured mapping for a port group by the show ag map and show running-config rbridge-id rbridge-id ag commands depends on whether Login Balancing mode is enabled or disabled. For more information, refer to Automatic Login Balancing Mode on page 230. The following is example output from the show ag map rbridge-id rbridge-id command, which shows the current, active port mapping.
Default port mapping
When Access Gateway is enabled for the switch, VF_Ports are mapped to available N_Ports in a round-robin fashion as ENodes log in. This distributes the VF_Ports evenly among the N_Ports. You can modify this port mapping using Network OS commands. The following table shows the factory-default ports assigned to supported VDX switches when AG mode is enabled. By default, 64 VF_Ports are assigned to the VDX 6730 switches.
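The mapping behaviour described here and in the Enabling Access Gateway mode section (pg0 created with every N_Port when AG mode is enabled, VF_Ports mapped round-robin to N_Ports as ENodes log in and unmapped when they log out, and an N_Port belonging to at most one port group) is modelled in the following Python. It is an added example, not Network OS code: the port numbers follow the rbridge-id/slot/port format of the show ag output in this chapter but are made up, and re-allocating the VF_Ports of an N_Port that is moved to another group inside the group it left is this model's assumption, not documented switch behaviour.

```python
"""Model of Access Gateway port groups and VF_Port to N_Port mapping (added example)."""


class PortGroup:
    """One AG port group: N_Ports (uplinks to the FC fabric) and the VF_Ports
    mapped to them. A new VF_Port goes to the N_Port with the fewest VF_Ports,
    ties broken in N_Port order, so an empty group fills sequentially
    round-robin and stays evenly loaded after logouts."""

    def __init__(self, pg_id, name, n_ports=()):
        self.pg_id = pg_id
        self.name = name
        self.mapping = {n: [] for n in n_ports}  # N_Port "rb/slot/port" -> [VF_Ports]

    def allocate(self, vf_port):
        if not self.mapping:
            raise RuntimeError(f"pg{self.pg_id} has no N_Ports to map {vf_port} to")
        _, n_port = min(enumerate(self.mapping),
                        key=lambda t: (len(self.mapping[t[1]]), t[0]))
        self.mapping[n_port].append(vf_port)
        return n_port


class AccessGateway:
    """A VDX switch in AG mode. Enabling AG mode creates pg0 holding every N_Port;
    an N_Port can be a member of only one port group at a time."""

    def __init__(self, rbridge_id, n_ports):
        self.rbridge_id = rbridge_id
        self.groups = {0: PortGroup(0, "pg0", n_ports)}
        self.group_of = {n: 0 for n in n_ports}       # N_Port -> owning pg id

    def create_pg(self, pg_id, name):
        if pg_id in self.groups:
            raise ValueError(f"pg{pg_id} already exists")
        self.groups[pg_id] = PortGroup(pg_id, name)

    def login(self, vf_port, pg_id=0):
        """An ENode logs in on vf_port: map it to an N_Port of the given group."""
        return self.groups[pg_id].allocate(vf_port)

    def logout(self, vf_port):
        """The ENode logs out: the VF_Port is removed from its N_Port mapping."""
        for pg in self.groups.values():
            for n_port, vfs in pg.mapping.items():
                if vf_port in vfs:
                    vfs.remove(vf_port)
                    return n_port
        raise KeyError(f"{vf_port} is not mapped")

    def move_n_port(self, n_port, dst_pg):
        """Move an N_Port to another group. It leaves its current group first (one
        group per port). The VF_Ports it carried are re-allocated inside the group
        it left; if that group has no N_Port left they are returned unmapped.
        (Re-allocation is an assumption of this model, not documented behaviour.)"""
        src = self.groups[self.group_of[n_port]]
        if src.pg_id == dst_pg:
            return []
        displaced = src.mapping.pop(n_port)
        self.groups[dst_pg].mapping[n_port] = []
        self.group_of[n_port] = dst_pg
        if not src.mapping:
            return displaced
        for vf in displaced:
            src.allocate(vf)
        return []

    def show_ag_pg(self):
        """Rows in the shape of 'show ag pg': (PG_ID, PG_Name, N_Ports, VF_Ports)."""
        return [(pg_id, pg.name, list(pg.mapping),
                 [vf for vfs in pg.mapping.values() for vf in vfs])
                for pg_id, pg in sorted(self.groups.items())]


if __name__ == "__main__":
    ag = AccessGateway(5, ["5/0/1", "5/0/2", "5/0/3", "5/0/4"])
    for vf in ["1/5/1", "1/5/2", "1/5/3", "1/5/4", "1/5/5", "1/5/6"]:
        print(vf, "->", ag.login(vf))
    ag.create_pg(1, "pg1")
    print("left unmapped:", ag.move_n_port("5/0/4", 1))
    for row in ag.show_ag_pg():
        print(row)
```

The point of the model is the invariant the guide states in words: every N_Port appears in exactly one group, and a group with no N_Ports cannot carry any VF_Port, which is what a login into such a group makes visible as an error instead of a silent outage.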
Port Grouping policy
1. Perform the steps under Displaying port mapping on page 223 to display the current and configured port mapping.
2. Enter the configure terminal command to enter global configuration mode.
switch# configure terminal
3. Enter the rbridge-id id command to enter RBridge ID mode for the specific switch.
switch(config)# rbridge-id 2
4. Enter the ag command to enter Access Gateway configuration mode.
switch(config-rbridge-id-2)# ag
5.
Displaying port grouping information
FIGURE 34 Port groups connecting to FC fabric
Following are considerations and limitations for the Port Grouping policy.
• An ENode can log in
• A port cannot be a member of more than one port group.
• The PG policy is enabled by default when you enable AG mode. A default port group "0" (PG0) is created, which contains all N_Ports and mapped VF_Ports on the switch.
Creating and removing port groups
The following is an example of command output for RBridge 5:
switch# show ag pg rbridge-id 5
Rbridge-ID 5:
-------------------------------------------------------------------------------------
PG_ID  PG_Name  PG_Mode  N_Ports(Fi)                    VF_Ports
-------------------------------------------------------------------------------------
0      pg0      lb       5/0/1, 5/0/2, 5/0/3, 5/0/4,    1/5/1, 1/5/2, 1/5/3, 1/5/4,
                         5/0/5, 5/0/6, 5/0/7, 5/0/8     1/5/5, 1/5/6, 1/5/7, 1/5/8,
                                                        1/5/9, 1/5/10, 1/5/11, 1/5/12, 1/5/13,
Naming a port group
1. Enter the configure terminal command to enter global configuration mode.
   switch# configure terminal
2. Enter the rbridge-id id command to enter RBridge ID mode for the specific switch.
   switch(config)# rbridge-id 3
3. Enter the ag command to enter Access Gateway configuration mode.
   switch(config-rbridge-id-3)# ag
4. Perform one of the following steps:
• To create a port group, enter the pg pgid command. The port group ID (pgid) must not exceed 64 characters.
Port Grouping policy modes
NOTE N_Ports are designated by the format rbridge-id/slot/N_Port, such as 3/0/4 for RBridge 3, slot 0, and N_Port 4. You must use this format to correctly identify the N_Port.
1. Determine the port group on the switch where the port is currently a member by entering the show ag pg rbridge-id rbridge-id command while in privileged EXEC mode.
   switch# show ag pg rbridge-id 3
2. Enter the configure terminal command to enter global configuration mode.
Enabling and disabling Login Balancing mode
• When LB mode is disabled for a port group, the show running-config ag and show ag commands display the same configured VF_Port to N_Port mapping, because the configured and active mappings are the same.
• When LB mode is enabled for a port group, the show ag command displays the current, active mapping, because the VF_Port to N_Port mapping is based on the current distributed load across all N_Ports.
Modified Managed Fabric Name Monitoring mode
Modified Managed Fabric Name Monitoring (M-MFNM) mode prevents connections from the AG VDX switch to multiple SANs, ensuring that all N_Ports in a port group connect to the same FC fabric. M-MFNM mode is enabled together with LB mode. It queries the FC fabric name with a default timeout value of 120 seconds.
Setting and displaying the reliability counter for N_Port monitoring
N_Port also go offline. Once the number of SCNs drops below the set threshold, the port is deemed reliable again, and the N_Port and its mapped VF_Ports go back online. The default threshold is 25 SCNs per 5 minutes. You can set a threshold from 10 through 100 SCNs per 5 minutes. Modify the default threshold of SCNs counted in 5 minutes using the counter reliability value command while in ag configuration mode.
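The following Python model of the reliability counter is an added example; it is not part of Network OS or of this guide. It counts SCNs per N_Port in a sliding 5-minute window using the default of 25 and the configurable range of 10 through 100 stated above. The rule that a port goes offline when its count exceeds the threshold, and comes back only when the count falls below it, is an assumption filled in from the recovery condition given in the text, and the N_Port names in the sample are constructed.

```python
from collections import deque

WINDOW_SECONDS = 5 * 60      # the guide's fixed 5-minute counting window
DEFAULT_THRESHOLD = 25       # guide default: 25 SCNs per 5 minutes
THRESHOLD_RANGE = (10, 100)  # guide: configurable from 10 through 100


def valid_threshold(value):
    """True if `value` is inside the configurable range of the counter."""
    low, high = THRESHOLD_RANGE
    return low <= value <= high


class NPortReliabilityMonitor:
    """Sliding-window model of the N_Port reliability counter (illustrative only).

    Each state change notification (SCN) for an N_Port is timestamped. When more
    than `threshold` SCNs fall inside the trailing 5-minute window the N_Port is
    taken offline (on the switch, its mapped VF_Ports go with it). When the count
    drops below the threshold again the port is brought back online. The
    exceeds/below pair is an assumption; the guide states only the recovery side.
    """

    def __init__(self, threshold=DEFAULT_THRESHOLD):
        if not valid_threshold(threshold):
            raise ValueError(f"threshold must be {THRESHOLD_RANGE[0]}..{THRESHOLD_RANGE[1]} SCNs per 5 minutes")
        self.threshold = threshold
        self._scns = {}        # port name -> deque of SCN timestamps (seconds)
        self._offline = set()  # ports currently held offline as unreliable

    def _window(self, port, now):
        """Drop SCNs that have aged out of the window; return the remaining deque."""
        q = self._scns.setdefault(port, deque())
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def _evaluate(self, port, count):
        if count > self.threshold:
            self._offline.add(port)
        elif count < self.threshold:
            self._offline.discard(port)
        return port not in self._offline

    def scn(self, port, now):
        """Record one SCN for `port` at time `now` (seconds); return True if it stays online."""
        q = self._window(port, now)
        q.append(now)
        return self._evaluate(port, len(q))

    def poll(self, port, now):
        """Re-evaluate `port` at time `now` without a new SCN (periodic check)."""
        return self._evaluate(port, len(self._window(port, now)))

    def scn_count(self, port, now):
        """Number of SCNs for `port` inside the window ending at `now`."""
        return len(self._window(port, now))

    def is_online(self, port):
        return port not in self._offline


if __name__ == "__main__":
    # Constructed burst: one SCN every 5 seconds on N_Port 3/0/4, default threshold.
    mon = NPortReliabilityMonitor()
    t = 0
    while mon.scn("3/0/4", t):
        t += 5
    print(f"3/0/4 taken offline after {mon.scn_count('3/0/4', t)} SCNs at t={t}s")
    t += WINDOW_SECONDS
    print(f"3/0/4 online again at t={t}s: {mon.poll('3/0/4', t)}")
```

Run as a script, the constructed burst takes 3/0/4 offline on the 26th SCN and the periodic poll brings it back once the window has emptied; because each port keeps its own deque, flapping on one N_Port never changes the state of another.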
Using System Monitor and Threshold Monitor
● System Monitor overview, page 235
● Configuring System Monitor, page 237
● Threshold Monitor overview, page 240
● Configuring Threshold Monitor
Using System Monitor and Threshold Monitor
• Fan
• Power supply
• CID card
• SFP
• Line card
Possible states for all monitored FRUs are removed, inserted, on, off, and faulty. A state of none indicates the switch is not configured. If the FRU is removed, inserted, or goes into a faulty state, System Monitor sends a RASLog message or an e-mail alert, depending on the configuration. Based on the configured threshold, each component can be in a marginal state or a down state.
Configuring System Monitor
TABLE 37 Hardware platform default settings for supported switches (Continued)
Platform              Hardware component   Default setting   Marginal threshold   Down threshold
Brocade VDX 6730-76   Fan                  2                 1                    2
                      Power supply         2                 1                    2
                      Temperature sensor   6                 1                    2
                      Compact flash        1                 1                    0
Brocade VDX 8770-4    Fan                  5                 1                    2
                      Power supply         2                 1                    2
                      Temperature sensor   3                 1                    2
                      Compact flash        1                 1                    0
Brocade VDX 8770-8    Fan                  2                 1                    2
                      Power supply         3                 6                    7
                      Temperature sensor   3                 1                    2
                      Compact flash
Using System Monitor and Threshold Monitor
TABLE 38 Hardware platform default settings for supported switches (Continued)
Platforms covered: Brocade VDX 6720-60 (single-board 60-port switch), Brocade VDX 6730-32, Brocade VDX 6730-76, Brocade VDX 8770-4, Brocade VDX 8770-8. The rows below continue the table in the same column order as Table 37.
Hardware component   Default setting   Marginal threshold   Down threshold
Fan                  2                 1                    2
Power supply         2                 1                    2
Temperature sensor   6                 1                    2
Compact flash        1                 1                    0
Fan                  5                 1                    2
Power supply         2                 1                    2
Temperature sensor   3                 1                    2
Compact flash        1                 1
Setting system thresholds
Each component can be in one of two states, down or marginal, based on factory-defined or user-configured thresholds. (The default thresholds are listed in Configuring System Monitor on page 237.)
1. Issue the configure terminal command to enter global configuration mode.
2. Enter RBridge ID configuration mode, as in the following example.
   switch(config)# rbridge-id 154
3. Change the down-threshold and marginal-threshold values for the SFM.
Viewing system SFP optical monitoring defaults
Sendmail agent configuration
The following system-monitor-mail relay host commands allow the sendmail agent on the switch to resolve the domain name and forward all e-mail messages to a relay server.
• To create a mapping:
  switch(config)# system-monitor-mail relay ip-address 1.2.3.4 domain-name domain_name1.brocade.com
• To delete the mapping:
  switch(config)# no system-monitor-mail relay ip-address 1.2.3.4 domain-name domain_name1.brocade.
CPU and memory monitoring apply actions and thresholds separately. For example, you can choose to use default threshold settings together with a customized subset of available actions, or you can modify some of the threshold settings and use the default action settings. You can also pause monitoring and actions by means of the pause keyword. For detailed information on the variables and keywords (operands) of the threshold-monitor series of commands, refer to the Network OS Command Reference.
SFP monitoring
TABLE 39 Default values for CPU and memory threshold monitoring (Continued)
Operand   Memory   CPU
retry     3        3

SFP monitoring
The SFP parameters that can be monitored are listed and described below.
TABLE 40 SFP parameter descriptions
SFP parameter        Description                                              Suggested SFP impact
Temperature          Measures the temperature of the SFP, in degrees Celsius.  High temperature suggests the SFP might be damaged.
Receive power (RXP)  Measures the amount of incoming laser, in µWatts.
Using System Monitor and Threshold Monitor
TABLE 41 Factory thresholds for SFP types and monitoring areas (Continued)
SFP type   Area              High   Low
1 GLR      TXP (µW)          1000   60
           Current (mA)      12     2
           Temperature (C)   90     -45
           Voltage (mV)      3700   2900
10 GSR     RXP (µW)          501    6
           TXP (µW)          794    71
           Current (mA)      45     1
           Temperature (C)   90     -5
           Voltage (mV)      3600   3000
10 GLR     RXP (µW)          1000   32
           TXP (µW)          794    251
           Current (mA)      11     4
           Temperature (C)
The remaining SFP types in this table are 10 GUSR and QSFP.
Threshold values
TABLE 41 Factory thresholds for SFP types and monitoring areas (Continued)
SFP type   Area              High   Low
           Current (mA)      10     1
Threshold values
High and low threshold values are the values at which potential problems might occur. For example, in configuring a temperature threshold for SFPs, you can select the temperatures at which a potential problem can occur because of overheating or overcooling.
Port Fencing
TABLE 43 Interface errors that can be monitored on external interfaces
Interface area                Description
MissingTerminationCharacter   Number of frames terminated by anything other than the Terminate character; this includes termination due to the Error character.
Viewing threshold status
NOTE For CLI details, refer to the Network OS Command Reference.
Viewing threshold status
To view the status of currently configured thresholds, enter the show running-config threshold-monitor command with the RBridge ID, as follows:
switch# show running-config rbridge-id rbridge_id threshold-monitor
NOTE Default values are not displayed by the show running-config threshold-monitor command. Only custom values are displayed, once a user has applied a policy.
Configuring memory monitoring thresholds and alerts The following example changes the thresholds from the default, adjusts polling and retry attempts, and causes a RASLog message to be sent when thresholds are exceeded. switch(config-rbridge-id-154)# threshold-monitor cpu actions raslog limit 65 poll 60 retry 10 NOTE This command does not support low-limit or high-limit under the raslog alert option.
Security monitoring Security monitoring Security monitoring allows you to set security threshold and alert options, including login-violation or telnet-violation alerts. Viewing security defaults To display the default values of security threshold and alert options, enter the show defaults security area command with the login-violation or telnet-violation options. switch# show defaults security area login-violation Configuring security monitoring 1.
Using System Monitor and Threshold Monitor To disable monitoring of a particular type, enter the threshold-monitor [cpu |interface | memory | security | sfp] pause command. To re-enable monitoring, enter the no version of the above command. NOTE Not all functions of this command can be disabled. Continue to enter ? at each level of the command synopsis to confirm which functions can be disabled.
Using VMware vCenter
● vCenter and Network OS integration overview, page 251
● vCenter discovery, page 252
● vCenter configuration
vCenter discovery
• Special characters in the port group names are replaced with their URL-encoded values.
• Standard port groups with the same name that reside in different ESX/ESXi hosts must have identical VLAN settings across all hosts.
• For all vCenter port groups, Network OS automatically creates a port profile with the following name format: auto-vcenter_name-datacenter_ID-port-group-name. User editing of these automatically created port profiles is not supported.
Step 1: Enabling QoS
You must edit the network resource pool settings and set QoS priorities. Refer to the latest VMware vSphere Networking documentation.
Step 2: Enabling CDP/LLDP
In order for an Ethernet Fabric to detect the ESX/ESXi hosts, you must first enable Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) on all the virtual switches (vSwitches) and distributed vSwitches (dvSwitches) in the vCenter Inventory.
Activating the vCenter An invalid state or condition of a vCenter can cause the deletion of all auto-port-profiles in a system. To prevent this from happening, configure the ignore-delete-all-response operand of the vcenter command to ignore the “delete-all” responses from the vCenter. switch# vcenter MYVC discover ignore-delete-all-response 5 Activating the vCenter After adding the vCenter, you must activate the configured vCenter instance.
Viewing the discovered virtual assets
• When a switch boots up.
• When a new vCenter is configured on the VDX switch and activated (activation turns on the timer processing, set to 180-second intervals).
• When the discovery is explicitly initiated with the CLI. Use the vnetwork vcenter command to trigger a vCenter discovery manually.
  switch# vnetwork vcenter myvcenter discover
An invalid state or condition of a vCenter can cause the deletion of all auto-port-profiles in a system.
Configuring Remote Monitoring
● RMON overview, page 257
● Configuring and Managing RMON, page 257
RMON overview
Remote monitoring (RMON) is an Internet Engineering Task Force (IETF) standard monitoring specification that allows various network agents and console systems to exchange network monitoring data.
Configuring RMON Ethernet group statistics collection
You can collect RMON Ethernet group statistics on an interface. RMON alarms and events must be configured before you can display collection statistics. By default, RMON Ethernet group statistics are not enabled. To collect RMON Ethernet group statistics on an interface, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to access global configuration mode.
Section II: Network OS Security Configuration
• Managing User Accounts on page 261
• Configuring External Server Authentication on page 277
• Configuring Fabric Authentication on page 303
Managing User Accounts
● Understanding and managing user accounts, page 261
● Understanding and managing password policies, page 265
● Understanding and managing role-based access control (RBAC), page 269
● Understanding and managing command access rules, page 271
● Logging and analyzing security events
Configuring user accounts
TABLE 44 User account attributes
Parameter   Description
name        The name of the account. The user account name is case-sensitive, must not exceed 40 characters, and must begin with a letter. The text string can contain letters, numbers, underscores (_), and periods (.). If the specified user name already exists, the username command modifies the existing account.
role        The role assigned to the user defines the RBAC access privileges for the account.
Modifying an existing user account
Examples
Use the show running-config username command in privileged EXEC mode to display all configured users.
switch# show running-config username
username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role admin desc Administrator
username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role user desc User
Use the show running-config username username command in privileged EXEC mode to display a single user.
Unlocking a user account
A user account is automatically locked by the system when the configured threshold for repeated failed login attempts has been reached. The account lockout threshold is a configurable parameter. Refer to Account lockout policy on page 266 for more information. If a user account is locked out of a switch, that same user can still try to log in on another switch in the cluster.
Understanding and managing password policies
3. Enter user configuration mode.
   switch(config-alias-config)# user john smith
4. Set the user-level alias.
   switch(config-alias-config-user)# alias manager engineering
Understanding and managing password policies
Password policies overview
Password policies define and enforce a set of rules that make passwords more secure by subjecting all new passwords to global restrictions.
Password encryption policy
TABLE 45 Password policy parameters (Continued)
Parameter   Description
max-retry   Specifies the number of failed password logins permitted before a user is locked out. The lockout threshold can range from 0 through 16. The default value is 0.
When a password fails more than one of the strength attributes, an error is reported for only one of the attributes at a time.
NOTE Passwords can have a maximum of 40 characters.
Denial of service implications
The account remains locked until explicit administrative action is taken to unlock the account. A user account cannot be locked manually. An account that is not locked cannot be unlocked. Failed login attempts are tracked on the local switch only. In VCS mode, the user account is locked only on the switch where the lockout occurred; the same user can still try to log in on another switch in the VCS fabric. Because the counter is per switch, a lockout on one switch does not stop password guessing against the other switches in the fabric; an external AAA server that enforces its own lockout policy closes that gap.
Creating a password policy
1. In privileged EXEC mode, use the configure terminal command to enter global configuration mode.
2. Enter the password-attributes command with the specified parameter.
   switch# configure terminal
   Entering configuration mode terminal
   switch(config)# password-attributes max-retry 4
When a user account is locked, it can be unlocked using the procedure described in Unlocking a user account on page 264.
Understanding and managing role-based access control (RBAC)
switch# show running-config password-attributes
password-attributes max-retry 4
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1
switch# configure terminal
switch(config)# no password-attributes special-char
switch(config)# exit
switch# show running-config password-attributes
% No entries found.
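As an added example, not taken from this guide or from Brocade, the following Python script audits copies of the two outputs shown in this chapter. It parses show running-config username and show running-config password-attributes text, flags a max-retry of 0 (the documented default, taken here to mean that no lockout is ever enforced), flags missing numeric or special-char restrictions, reports accounts whose stored password strings are identical (in the guide's own sample output the admin and user accounts share one string, which means they share one password), and checks a candidate password against the parsed policy. The sample configurations are constructed; the second stored password string and the definition of a special character are assumptions.

```python
import re
from collections import defaultdict

MAX_PASSWORD_LEN = 40      # "Passwords can have a maximum of 40 characters"
MAX_RETRY_RANGE = (0, 16)  # max-retry 0..16; the guide's default is 0

# One "username ..." line of show running-config username output.
USERNAME_RE = re.compile(
    r'^username\s+(?P<name>\S+)\s+password\s+"(?P<secret>[^"]*)"'
    r'\s+encryption-level\s+(?P<level>\d+)\s+role\s+(?P<role>\S+)'
)
# One "password-attributes <key ...> <n>" line, e.g.
#   password-attributes character-restriction numeric 1
ATTR_RE = re.compile(r'^password-attributes\s+(?P<key>.+?)\s+(?P<value>\d+)\s*$')

# Constructed sample outputs (not captured from a switch). The identical
# password strings in WEAK_CONFIG are copied from the guide's example above.
WEAK_CONFIG = """\
username admin password "BwrsDbB+tABWGWpINOVKoQ==\\n" encryption-level 7 role admin desc Administrator
username user password "BwrsDbB+tABWGWpINOVKoQ==\\n" encryption-level 7 role user desc User
"""
HARDENED_CONFIG = """\
username admin password "BwrsDbB+tABWGWpINOVKoQ==\\n" encryption-level 7 role admin desc Administrator
username user password "Zk3r0QwVpLm9sXaYtBnc2A==\\n" encryption-level 7 role user desc User
password-attributes max-retry 4
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1
"""


def parse_usernames(text):
    """Return a list of {name, secret, level, role} dicts, one per account line."""
    accounts = []
    for line in text.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            accounts.append(m.groupdict())
    return accounts


def parse_password_attributes(text):
    """Return {attribute: int}; attributes absent from the output keep switch defaults."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            attrs[m.group("key")] = int(m.group("value"))
    return attrs


def audit_accounts(text):
    """Return (code, message) findings for the running-config text."""
    findings = []
    attrs = parse_password_attributes(text)
    retry = attrs.get("max-retry", MAX_RETRY_RANGE[0])
    if retry == 0:  # assumption: 0 (the default) means lockout never triggers
        findings.append(("no-lockout", "max-retry is 0, so repeated failed logins never lock an account"))
    for key in ("character-restriction numeric", "character-restriction special-char"):
        if attrs.get(key, 0) == 0:
            findings.append(("no-" + key.split()[-1], f"{key} is not enforced"))
    by_secret = defaultdict(list)
    for acct in parse_usernames(text):
        by_secret[acct["secret"]].append(acct["name"])
    for names in by_secret.values():
        if len(names) > 1:  # same stored string => same password
            findings.append(("shared-password", "identical stored password for: " + ", ".join(sorted(names))))
    return findings


def check_password(password, attrs):
    """Return the policy rules a candidate password violates (empty list = compliant)."""
    problems = []
    if len(password) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    need_digits = attrs.get("character-restriction numeric", 0)
    if sum(c.isdigit() for c in password) < need_digits:
        problems.append(f"fewer than {need_digits} numeric character(s)")
    need_special = attrs.get("character-restriction special-char", 0)
    # Assumption: a special character is any printable, non-alphanumeric, non-space character.
    if sum(c.isprintable() and not c.isalnum() and not c.isspace() for c in password) < need_special:
        problems.append(f"fewer than {need_special} special character(s)")
    return problems


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_accounts(cfg))
    print(check_password("password", parse_password_attributes(HARDENED_CONFIG)))
```

Paste the real outputs of the two show commands into the two strings, or read them from a file, to run the same checks against a switch of your own; the stored-password comparison works on the opaque string as printed and never needs the password itself.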
Displaying a role
A user-defined role has a mandatory name and an optional description, as shown in the following table.
TABLE 46 Role attributes
Parameter   Description
name        The role name must be unique, begin with a letter, and can contain alphanumeric characters and underscores. The length of the role name must be between 4 and 32 characters. The name cannot be the same as that of an existing user, an existing default role, or an existing user-defined role.
desc        An optional description of the role.
Creating a VCS Fabric security administrator role and account
The following steps create and configure a typical Brocade VCS Fabric security administrator role.
1. Create a role for a Brocade VCS Fabric security administrator.
   switch(config)# role name NetworkSecurityAdmin desc "Manages security CLIs"
2. Create a user account associated with the newly created role.
Specifying rule commands with multiple options
TABLE 47 Command access rule attributes
Parameter   Description
index       A numeric identifier of the rule in the range 1 through 512.
role        The name of the role for which the rule is defined.
command     The command for which access is defined.
operation   Optional. Defines the general access mode granted by the rule. Access can be read-only or read-write (default).
action      Optional. A modifier restricting the general access mode.
Configuring rules for operational commands
Rules can be created for the specified operational commands. By default, every role can display all the operational commands but cannot execute them. The show commands can be accessed by all the roles. The following rules govern operational commands:
• If a role has a rule with a read-write operation and the accept action for an operational command, the user associated with this role can execute the command.
Configuring a placeholder rule
In the following example, the user associated with the NetworkAdmin role cannot perform some of the clear and show operations related to all tengigabitethernet instances.
switch(config)# rule 30 role NetworkAdmin action reject command interface tengigabitethernet
• A rule created with the no-operation command does not enforce any authorization rules. Instead, the no-operation instance can be considered a placeholder for a valid command that will be added later.
Adding a rule
You add a rule to a role by entering the rule command with the appropriate options. Updates to the authorization rules do not apply to the active sessions of users. The changes take effect only when users log out of the current session and log in to a new session; to revoke access immediately, the affected user's active sessions must be ended as well. The following example creates the rules that authorize the security administrator role to create and manage user accounts:
1.
Displaying a rule After rule 155 is deleted, the SecAdminUser can no longer access the role command. Displaying a rule Enter the show running-config rule command in privileged EXEC mode to display all configured rules. You can modify the output by using the command and specifying additional parameters.
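The following Python model is an added example, not Brocade code, of the rule semantics stated in this section: with no matching rule a role can run show commands only; executing another operational command needs a matching rule with the read-write operation and the accept action; a matching reject rule denies the command. Two details are assumptions: a rule's command words match a typed command when they appear in that order anywhere in it (so rule 30 above covers both show and clear operations on tengigabitethernet interfaces), and a reject outweighs an accept. Rule 30 is taken from the placeholder-rule section and rule 155 from the deletion example above; rule 156 is invented.

```python
from dataclasses import dataclass

INDEX_RANGE = (1, 512)                    # rule index range from Table 47
OPERATIONS = ("read-only", "read-write")  # default read-write
ACTIONS = ("accept", "reject")            # default accept


@dataclass(frozen=True)
class Rule:
    index: int
    role: str
    command: str                 # command words the rule applies to, e.g. "interface tengigabitethernet"
    operation: str = "read-write"
    action: str = "accept"

    def __post_init__(self):
        if not INDEX_RANGE[0] <= self.index <= INDEX_RANGE[1]:
            raise ValueError(f"rule index must be {INDEX_RANGE[0]}..{INDEX_RANGE[1]}")
        if self.operation not in OPERATIONS or self.action not in ACTIONS:
            raise ValueError("operation must be read-only/read-write and action accept/reject")

    def matches(self, command):
        """True if the rule's command words appear, in order, in `command` (assumption)."""
        want, have = self.command.split(), command.split()
        return any(have[i:i + len(want)] == want for i in range(len(have) - len(want) + 1))


def matching_rules(rules, role, command):
    return [r for r in rules if r.role == role and r.matches(command)]


def may_execute(rules, role, command):
    """Decide whether `role` may run the operational `command` under the stated rules.

    - No matching rule: show commands are allowed, other operational commands are not.
    - Any matching reject rule denies the command (assumption: reject outweighs accept).
    - A matching accept rule with read-write permits execution; a read-only accept
      permits only show.
    """
    matched = matching_rules(rules, role, command)
    if any(r.action == "reject" for r in matched):
        return False
    if any(r.action == "accept" and r.operation == "read-write" for r in matched):
        return True
    return command.split()[0] == "show"


def delete_rule(rules, index):
    """Return the rule list without the rule at `index`, as `no rule index` would."""
    return [r for r in rules if r.index != index]


# Constructed rule set. Rule 30 is the guide's placeholder-rule example and
# rule 155 is the rule the guide deletes to revoke the role command; rule 156
# is an assumed companion authorizing the username command.
RULES = [
    Rule(30, "NetworkAdmin", "interface tengigabitethernet", action="reject"),
    Rule(155, "NetworkSecurityAdmin", "role"),
    Rule(156, "NetworkSecurityAdmin", "username"),
]

if __name__ == "__main__":
    for role, cmd in (("NetworkAdmin", "show interface tengigabitethernet 1/0/1"),
                      ("NetworkAdmin", "show ip route"),
                      ("NetworkSecurityAdmin", "role name Auditor"),
                      ("user", "username bob")):
        print(f"{role:22} {cmd:42} -> {may_execute(RULES, role, cmd)}")
```

Because the model keeps rules as plain data, it is also a convenient way to review a proposed rule set before typing it in: run the commands a role must and must not be able to execute through may_execute and compare with the intent.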
Configuring External Server Authentication
● Understanding and configuring remote server authentication, page 277
● Understanding and configuring RADIUS, page 280
● Understanding and configuring TACACS+, page 285
● Understanding and configuring LDAP
Conditions for conformance By default, external AAA services are disabled, and AAA services default to the switch-local user database. Any environment requiring more than 64 users should adopt AAA servers for user management. When the authentication, authorization, and accounting (AAA) mode is changed, an appropriate message is broadcast to all logged-in users, and the active login sessions end.
Setting and verifying the login authentication mode
The following procedure configures TACACS+ as the primary source of authentication and the switch-local user database as the secondary source.
1. In privileged EXEC mode, use the configure terminal command to enter global configuration mode.
   switch# configure terminal
   Entering configuration mode terminal
2. Enter the aaa authentication login command with the specified parameters.
Understanding and configuring RADIUS
The remote authentication dial-in user service (RADIUS) protocol manages authentication, authorization, and accounting (AAA) services centrally. The supported management access channels that integrate with RADIUS are the serial port, Telnet, and SSH. If you are in logical chassis cluster mode, the configuration is applied to all nodes in the cluster.
Configuring server side RADIUS support
With RADIUS servers, you should set up user accounts by their true network-wide identity, rather than by the account names created on a Brocade switch. Along with each account name, you must assign appropriate switch access roles. A user account can exist on a RADIUS server with the same name as a user on the switch at the same time.
Configuring a Brocade user account
When you use network information service (NIS) for authentication, the only way to enable authentication with the password file is to force the Brocade switch to authenticate using password authentication protocol (PAP); this requires setting the pap option with the radius-server host command.
1. Open the $PREFIX/etc/raddb/users file in a text editor.
2. Add the user name and the associated permissions.
Configuring client side RADIUS support
FIGURE 35 Windows server VSA configuration
Each Brocade switch client must be individually configured to use RADIUS servers. You use the radius-server command to specify the server IP address, authentication protocols, and other parameters. You can configure a maximum of 5 RADIUS servers on a Brocade switch for AAA service.
NOTE RADIUS requires that you configure both the client and the server.
Adding a RADIUS server to the client server list
TABLE 49 RADIUS server parameters (Continued)
Parameter   Description
protocol    The authentication protocol to be used. Options include CHAP, PAP, and PEAP. The default protocol is CHAP. IPv6 hosts are not supported if PEAP is the configured protocol.
key         The shared secret between the switch and the RADIUS server. The default value is "sharedsecret". The key cannot contain spaces and must be from 8 through 40 characters in length.
Modifying the client-side RADIUS server configuration
3. Enter the exit command to return to global configuration mode.
   switch(config-host-10.38.37.180)# exit
4. Enter the do show running-config radius-server host host_IP command to verify the configuration.
   switch# show running-config radius-server host 10.38.37.180
   radius-server host 10.38.37.180 protocol pap key "new# virgo*secret" timeout 10
Modifying the client-side RADIUS server configuration
1.
TACACS+ authorization
support, management of Brocade switches seamlessly integrates into these environments. Once configured to use TACACS+, a Brocade switch becomes a network access server. If you are in logical chassis cluster mode, the configuration is applied to all nodes in the cluster.
TACACS+ authorization
The TACACS+ server is used only for authentication and accounting. Authorization is enforced by Brocade role-based access control (RBAC) at the switch level.
Adding a TACACS+ server to the client server list
TABLE 50 TACACS+ server parameters
Parameter   Description
host        IP address (IPv4 or IPv6) or domain/host name of the TACACS+ server. A host name requires prior DNS configuration. The maximum supported length for the host name is 40 characters.
port        The TCP port used to connect to the TACACS+ server for authentication. The port range is 1 through 65535; the default port is 49.
protocol    The authentication protocol to be used. Options include CHAP and PAP.
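The following Python script is an added example, not part of this guide or of Network OS, that audits radius-server and tacacs-server entries against the constraints in Tables 49 and 50: a shared secret left at the documented default "sharedsecret" (also the value a switch uses when no key is set), a secret outside 8 through 40 characters or containing a space, PEAP configured for an IPv6 host, and a TACACS+ port outside 1 through 65535. It also flags PAP, because with PAP the user password crosses the network protected only by the RADIUS shared secret; that check is the editor's judgement, not a statement in the guide. The first sample entry is the guide's own verification output from the RADIUS procedure (as printed there, its key contains a space and so trips the no-spaces check); the remaining entries and the indented sub-mode form are constructed.

```python
import ipaddress
import re

DEFAULT_RADIUS_KEY = "sharedsecret"  # Table 49 default shared secret
KEY_LENGTH = (8, 40)                 # Table 49: 8 through 40 characters, no spaces
MAX_RADIUS_SERVERS = 5               # guide: at most 5 RADIUS servers per switch
DEFAULT_TACACS_PORT = 49             # Table 50 default TCP port

HOST_RE = re.compile(r'^(?P<kind>radius-server|tacacs-server)\s+host\s+(?P<host>\S+)(?P<rest>.*)$')
KV_RE = re.compile(r'\b(?P<k>protocol|key|timeout|port)\s+(?P<v>"[^"]*"|\S+)')

# Constructed running-config sample (not captured from a switch). The first
# line is the guide's own example; the others are invented for the checks.
SAMPLE_CONFIG = """\
radius-server host 10.38.37.180 protocol pap key "new# virgo*secret" timeout 10
radius-server host 10.0.0.2
radius-server host 10.0.0.3
 protocol chap
 key "short"
radius-server host fec0:60:69bc:94:211:25ff:fec4:6010 protocol peap key "Str0ng-RADIUS-key!"
tacacs-server host tacacs.example.com port 70000 protocol pap
"""


def _apply(entry, fragment):
    """Copy any protocol/key/timeout/port settings found in `fragment` into `entry`."""
    for m in KV_RE.finditer(fragment):
        entry[m.group("k")] = m.group("v").strip('"')


def parse_aaa_servers(text):
    """Parse host entries written on one line or with indented sub-mode lines (assumed form)."""
    servers, current = [], None
    for raw in text.splitlines():
        m = HOST_RE.match(raw.strip())
        if m:
            current = {"kind": m.group("kind"), "host": m.group("host")}
            servers.append(current)
            _apply(current, m.group("rest"))
        elif current is not None and raw[:1].isspace():
            _apply(current, raw)
        else:
            current = None
    return servers


def _is_ipv6(host):
    try:
        return ipaddress.ip_address(host).version == 6
    except ValueError:
        return False  # host names are never IPv6 literals


def audit_aaa_servers(text):
    """Return (host, code, message) findings for the AAA server configuration."""
    findings = []
    servers = parse_aaa_servers(text)
    radius = [s for s in servers if s["kind"] == "radius-server"]
    if len(radius) > MAX_RADIUS_SERVERS:
        findings.append(("*", "too-many-radius",
                         f"{len(radius)} RADIUS servers configured, maximum is {MAX_RADIUS_SERVERS}"))
    for s in radius:
        host = s["host"]
        key = s.get("key", DEFAULT_RADIUS_KEY)      # no key configured means the default
        proto = s.get("protocol", "chap").lower()   # CHAP is the default protocol
        if key == DEFAULT_RADIUS_KEY:
            findings.append((host, "default-key", "shared secret is the documented default"))
        if not KEY_LENGTH[0] <= len(key) <= KEY_LENGTH[1]:
            findings.append((host, "key-length",
                             f"shared secret length {len(key)} is outside {KEY_LENGTH[0]}..{KEY_LENGTH[1]}"))
        if " " in key:
            findings.append((host, "key-space", "shared secret contains a space, which Table 49 does not allow"))
        if proto == "peap" and _is_ipv6(host):
            findings.append((host, "peap-ipv6", "PEAP is not supported with IPv6 hosts"))
        if proto == "pap":  # editor's judgement, not a constraint stated in the guide
            findings.append((host, "pap",
                             "PAP carries the user password protected only by the shared secret; prefer CHAP or PEAP"))
    for s in servers:
        if s["kind"] == "tacacs-server":
            port = int(s.get("port", DEFAULT_TACACS_PORT))
            if not 1 <= port <= 65535:
                findings.append((s["host"], "tacacs-port", f"port {port} is outside 1..65535"))
    return findings


def finding_codes(text):
    """Set of (host, code) pairs, convenient for scripted checks."""
    return {(host, code) for host, code, _ in audit_aaa_servers(text)}


if __name__ == "__main__":
    for host, code, msg in audit_aaa_servers(SAMPLE_CONFIG):
        print(f"{host:40} {code:12} {msg}")
```

Feed the script the output of show running-config radius-server and show running-config tacacs-server to check a switch of your own; the default-key finding in particular is worth acting on, since "sharedsecret" is printed in the guide and therefore known to anyone who reads it.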
Modifying the client-side TACACS+ server configuration
1. In privileged EXEC mode, enter configure terminal to enter global configuration mode.
   switch# configure terminal
   Entering configuration mode terminal
2. Enter tacacs-server and specify the server IP address.
   switch(config)# tacacs-server host fec0:60:69bc:94:211:25ff:fec4:6010
   Upon execution of the command you are placed into the tacacs-server configuration sub-mode, where you can specify additional parameters.
3.
Configuring TACACS+ accounting on the client side
Once the fundamentals of TACACS+ authentication support are configured on the client, a variety of options are available for tracking user activity.
Client-side TACACS+ accounting overview
The TACACS+ protocol supports accounting as a function distinctly separate from authentication. You can use TACACS+ for authentication only, for accounting only, or for both.
Enabling login accounting
operations. To enable login or command accounting, at least one TACACS+ server must be configured. Similarly, if either login or command accounting is enabled, you cannot remove a TACACS+ server if it is the only server in the list.
Enabling login accounting
The following procedure enables login accounting on a switch where accounting is disabled.
1. In privileged EXEC mode, use the configure terminal command to enter global configuration mode.
Configuring TACACS+ on the server side
Example: Command accounting
The following example record shows the successful execution of the username command by the admin user.
<102> 2012-04-09 15:21:43 4/9/2012 3:21:43 PM NAS_IP=10.17.37.
Changing a server-side TACACS+ account password
    pap = cleartext "pap password"
    service = exec {
        brcd-role = vlanadmin;
    }
}
The following example assigns the user "Agnes" a single password for all types of login authentication.
user = Agnes {
    global = cleartext "Agnes global password"
}
Alternatively, a user can be authenticated using the /etc/passwd file. Configure the account as shown in the following example.
Configuring TACACS+ for a mixed vendor environment
Network OS uses Role Based Access Control (RBAC) to authorize access to system objects by authenticated users. In AAA environments, users may need to be authorized across Brocade and non-Brocade platforms. You can use TACACS+ to provide centralized AAA services to multiple network access servers or clients.
User authentication
If you are in logical chassis cluster mode, the configuration is applied to all nodes in the cluster.
User authentication
A Brocade switch can be configured as an LDAP client for authentication with an Active Directory (AD) server, supporting authentication with a clear-text password over a Transport Layer Security (TLS) channel. Optionally, it supports server authentication during the TLS handshake. Because the password itself travels in clear text inside the TLS session, importing the LDAP CA certificate so that the switch verifies the server is what keeps the password from being disclosed to an impostor server.
Server authorization
The Active Directory (AD) server is used only for authentication. Command authorization of AD users is not supported on the AD server. Instead, the access control of AD users is enforced locally by role-based access control (RBAC) on the switch. A user on an AD server should be assigned a non-primary group, and that group name should be either matched or mapped to one of the existing roles on the switch; otherwise, authentication will fail.
Deleting LDAP CA certificates
1. In privileged EXEC mode, enter configure terminal to change to global configuration mode.
   switch# configure terminal
   Entering configuration mode terminal
2. Enter certutil import ldapca with the specified parameters.
   switch# certutil import ldapca directory /usr/ldapcacert file cacert.pem protocol SCP host 10.23.24.56 user admin password *****
3. Verify the import by entering show cert-util ldapcacert.
Changing LDAP server parameters
1. In privileged EXEC mode, use the configure terminal command to enter global configuration mode.
   switch# configure terminal
   Entering configuration mode terminal
2. Use the ldap-server host command to set the parameters for the LDAP server. This command places you into the ldap-server configuration submode, where you can modify the server default settings.
   switch(config)# ldap-server host 10.24.65.6 basedn sec.brocade.com port 3890
   switch(config-ldap-server-10.24.65.6)#
3.
Deleting an LDAP CA certificate
Standalone mode
switch# certutil import ldapca directory /usr/ldapcacert/ file cacert.pem protocol SCP host 10.23.24.56 user jane password
password: ****
Logical chassis cluster mode
switch# certutil import ldapca directory /usr/ldapcacert/ file cacert.pem protocol SCP host 10.23.24.
In these examples the SCP password is supplied at the password: prompt rather than on the command line.
Importing a syslog CA certificate
Logical chassis cluster mode
To view the output in logical chassis cluster mode, enter show cert-util ldapcacert followed by the desired RBridge ID. This example displays the LDAP CA certificate for rbridge-id 3.
switch# show cert-util ldapcacert rbridge-id 3
Importing a syslog CA certificate
The following procedure imports the syslog CA certificate from the remote host to the switch.
1. Connect to the switch and log in using an account with admin role permissions.
2.
Viewing the syslog CA certificate
When no syslog CA certificate is present
switch# no certutil syslogcacert
% Error: syslog CA certificate does not exist.
When a syslog CA certificate exists on the switch
switch# no certutil syslogcacert
Do you want to delete syslog CA certificate? [y/n]:n
Viewing the syslog CA certificate
The following procedure allows you to view the syslog CA certificate that has been imported on the switch.
1.
Removing the mapping of an Active Directory group to a switch role
The following example removes the mapping between the Brocade admin role and the Active Directory (AD) Administrator group. A Brocade user with the admin role can no longer perform the operations associated with the AD Administrator group. To unmap an AD group from a switch role, perform the following steps from privileged EXEC mode.
1.
Configuring LDAP users on an AD server
3. In global configuration mode, set the login authentication mode on the switch to use LDAP only and verify the change.
   switch# configure terminal
   Entering configuration mode terminal
   switch(config)# no aaa authentication login
   switch(config)# aaa authentication login ldap
   switch(config)# do show running-config aaa
   aaa authentication login ldap
4.
Configuring Fabric Authentication
● Fabric authentication overview, page 303
● Understanding fabric authentication, page 307
● Configuring port security
Switch connection control (SCC) policy the local device may authenticate. Every device may share a secret key pair with any other device or host in a fabric. Shared secret keys have the following characteristics: • The shared secrets must be configured locally on every device. • If shared secrets are not set up for a link, authentication fails. The "Authentication Failed" error is reported for the port. • The minimum length of a shared secret is 8 bytes and the maximum 40 bytes.
Port security database, the connecting device is allowed to join the fabric. If the neighboring device is not specified in the SCC policy active list, both devices are segmented. By default, any device is allowed to join the fabric; the SCC policy is not enforced until it is created and activated. Creating a policy without any entries blocks access from all devices. The local switch is not required to be included in a switch-local SCC policy. SCC policy commands are not distributed across the cluster.
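The join-or-segment decision described above, written out as a small model. This is an added illustration, not Brocade or Network OS code; it encodes only the rules the text states (no created-and-activated policy means every device may join, an active policy admits listed WWNs and segments the rest, an active policy with no entries blocks all devices). The WWNs and the function names are constructed.

```python
"""Model of Switch Connection Control (SCC) policy enforcement for a
device attaching to a fabric. Added illustration, not Brocade code.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Eight colon-separated hex bytes, the WWN form used by member-entry.
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")


def normalize_wwn(wwn: str) -> str:
    """Canonical lower-case form; rejects anything that is not 8 hex bytes."""
    w = wwn.strip().lower()
    if not WWN_RE.match(w):
        raise ValueError(f"not a WWN: {wwn!r}")
    return w


@dataclass
class SccPolicy:
    """The defined SCC policy; `active` models `secpolicy activate`."""
    members: Set[str] = field(default_factory=set)
    active: bool = False

    def add_member(self, wwn: str) -> None:        # member-entry WWN
        self.members.add(normalize_wwn(wwn))

    def remove_member(self, wwn: str) -> None:     # no member-entry WWN
        self.members.discard(normalize_wwn(wwn))

    def activate(self) -> None:
        self.active = True


def connection_decision(policy: Optional[SccPolicy], neighbor_wwn: str) -> str:
    """'join' if the neighbor may attach, 'segmented' if both ends isolate."""
    if policy is None or not policy.active:
        return "join"        # SCC is not enforced until created and activated
    if not policy.members:
        return "segmented"   # a policy without entries blocks all devices
    return "join" if normalize_wwn(neighbor_wwn) in policy.members else "segmented"


def demo() -> dict:
    """Walk a policy through its states using constructed WWNs."""
    out = {"no_policy": connection_decision(None, "aa:aa:aa:aa:aa:aa:aa:aa")}
    policy = SccPolicy()
    policy.add_member("aa:aa:aa:aa:aa:aa:aa:aa")
    out["defined_not_active"] = connection_decision(policy, "bb:bb:bb:bb:bb:bb:bb:bb")
    policy.activate()
    out["member"] = connection_decision(policy, "AA:AA:AA:AA:AA:AA:AA:AA")
    out["non_member"] = connection_decision(policy, "bb:bb:bb:bb:bb:bb:bb:bb")
    policy.remove_member("aa:aa:aa:aa:aa:aa:aa:aa")
    out["empty_active"] = connection_decision(policy, "aa:aa:aa:aa:aa:aa:aa:aa")
    return out
```

The "defined but not activated" state is the one worth noticing operationally: member entries alone enforce nothing, and an activated policy emptied with no member-entry blocks everything rather than reverting to the permissive default.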
Configuring Fabric Authentication Port security configuration commands Port security is enabled on an interface by means of a series of switchport commands. For configuration examples, refer to Configuring port security on page 314. The following summarizes the configuration commands. For command details, refer to the Network OS Command Reference.
Command                     Description
switchport port-security    Enables or disables port security on an interface port.
Understanding fabric authentication • A port mode change is not allowed when port security is enabled on the interface. • Organizationally Unique Identifier (OUI)-based port security is not supported on the Brocade VDX 6710 and VDX 6720 platforms. • A maximum of 4 OUIs are allowed per secure port. A maximum of 20 secure ports are allowed to enable OUI-based port security. • Static secure MAC addresses are not supported for OUI-based port security.
Configuring DH-CHAP shared secrets By default the policy is set to PASSIVE and you can change the policy. All changes to the AUTH policy take effect during the next authentication request. This includes starting authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE, and clearing the authentication requirement if the policy is changed to OFF. Authentication policy configuration is not distributed across the cluster.
Setting up secret keys • The world wide name (WWN) of the peer. • The secret of the peer that authenticates the peer to the local switch. • The local secret that authenticates the local switch to the peer. NOTE Only the following non-alphanumeric characters are valid for the secret key: @ $ % ^ & * ( ) _ + - < > { } [ ] ; ' : switch# fcsp auth-secret dh-chap node 10:00:00:05:1e:7a:c3:00 peer-secret local-secret 87654321 Shared secret is configured successfully.
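A pre-check for the shared-secret rules stated above (8 to 40 bytes; alphanumerics plus the listed punctuation) and for the mirrored peer/local pairing that both ends of a link must hold. This is an added illustration, not Network OS code; the function names and the sample secrets are constructed, and the punctuation set is read from the NOTE.

```python
"""Validate DH-CHAP shared secrets before configuring them on both ends.
Added illustration, not Network OS code.
"""
import string
from typing import Tuple

# Non-alphanumeric characters the text lists as valid in a secret key.
ALLOWED_PUNCT = set("@$%^&*()_+-<>{}[];':")
ALLOWED = set(string.ascii_letters + string.digits) | ALLOWED_PUNCT
MIN_LEN, MAX_LEN = 8, 40     # bytes, as stated in the text


def check_shared_secret(secret: str) -> Tuple[bool, str]:
    """Return (ok, reason). Length is measured in bytes to match the text;
    only single-byte ASCII characters pass the character check anyway."""
    raw = secret.encode("utf-8")
    if len(raw) < MIN_LEN:
        return False, f"too short ({len(raw)} bytes, minimum {MIN_LEN})"
    if len(raw) > MAX_LEN:
        return False, f"too long ({len(raw)} bytes, maximum {MAX_LEN})"
    bad = sorted({c for c in secret if c not in ALLOWED})
    if bad:
        return False, "invalid character(s): " + " ".join(repr(c) for c in bad)
    return True, "ok"


def pair_consistent(a_local: str, a_peer: str, b_local: str, b_peer: str) -> bool:
    """Both ends must hold mirrored pairs: A's local secret is B's peer secret
    and B's local secret is A's peer secret; otherwise the link reports
    "Authentication Failed". All four secrets must also be valid."""
    for s in (a_local, a_peer, b_local, b_peer):
        if not check_shared_secret(s)[0]:
            return False
    return a_local == b_peer and b_local == a_peer
```

Running the check on both switches' intended values before entering fcsp auth-secret catches the usual causes of a failed link: a secret that is too short, a character outside the allowed set, or peer and local values swapped on one side.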
Configuring a Brocade VDX 6730 to access a SAN fabric fcsp auth hash md5 fcsp auth policy switch on Configuring a Brocade VDX 6730 to access a SAN fabric Configuring a Brocade VDX 6730 switch to access a SAN fabric connected through an FC Router involves the following steps: 1. Configure the matching shared secret pairs on the VDX 6730 and on the FC router. 2. Configure the authentication policy on the VDX 6730 switch (The FC router configuration is fixed). 3. Activate the authentication policy.
Configuring Fabric Authentication This command places you into the defined SCC configuration mode where you can add policy member WWNs. 3. Specify a policy member with the member-entry WWN command. 4. Specify a second policy member with the member-entry WWN command. 5. Exit the defined SCC configuration mode. 6. Enter the do show running-config secpolicy defined-policy command to verify the configuration.
Modifying the SCC policy Modifying the SCC policy The same command sequence that creates the Switch Connection Control (SCC) policy adds additional members. The defined SCC member entries are cumulative. Use the no member-entry command to remove members from the policy.
Removing the SCC Policy VCS mode example switch# secpolicy activate rbridge-id 3 switch# do show running-config rbridge-id 3 secpolicy defined-policy rbridge-id 3 secpolicy defined-policy SCC_POLICY member-entry aa:aa:aa:aa:aa:aa:aa:aa ! member-entry bb:bb:bb:bb:bb:bb:bb:bb ! member-entry cc:cc:cc:cc:cc:cc:cc:cc ! ! Removing the SCC Policy 1. In privileged EXEC mode, issue the configure terminal command to enter global configuration mode. 2. Enter the no secpolicy defined-policy SCC_POLICY command. 3.
Configuring port security Removing the SCC_POLICY entry of rbridge-id 3 in VCS mode switch# config Entering configuration mode terminal switch(config)# rbridge-id 3 switch(config-rbridge-id-3)# no secpolicy defined-policy SCC_POLICY switch(config)# exit switch# do show running-config secpolicy active-policy % No entries found.
Configuring port-security shutdown time 1. Enable interface subconfiguration mode for the interface you want to modify. switch(config)# interface TenGigabitEthernet 1/0 2. Put the interface in Layer 2 mode by using the switchport command. switch(conf-if-te-1/0)# switchport 3. Set the MAC address and VLAN ID for the interface. switch(conf-if-te-1/0)# switchport port-security mac-address 1000.2000.
Configuring Fabric Authentication 3. Enable switchport security by using the switchport port-security command. switch(conf-if-te-1/0)# switchport port-security oui 2000.3000.4000 4. Configure the sticky option.
Section III: Network OS Layer 2 Switch Features • • • • • • • • • • • • • • • • Administering Edge-Loop Detection on page 319 Configuring AMPP on page 327 Configuring FCoE interfaces on page 337 Configuring 802.
Administering Edge-Loop Detection ● Edge-loop detection overview....................................................................................... 319 ● Configuring edge-loop detection................................................................................... 322 Edge-loop detection overview Edge-loop detection (ELD) detects and disables Layer 2 loops that would cause broadcast storms. Typically, these loops are caused by misconfigurations.
Administering Edge-Loop Detection FIGURE 37 Missing LAG causes loop The following figure shows another example for which ELD could be used to detect and break a Layer 2 loop. In this case, multiple Brocade VCS Fabric clusters are interconnected in a manner that creates a Layer 2 loop.
How ELD detects loops FIGURE 38 Interconnected Brocade VCS Fabric clusters cause loop How ELD detects loops ELD works by multicasting Protocol Data Unit (PDU) packets on edge ports. A device recognizes a loop when it receives a PDU that it initiated. Once the device recognizes that a Layer 2 loop exists, it can take action to disable a port and break the Layer 2 loop.
Configuring edge-loop detection FIGURE 39 Interconnected Brocade VCS Fabric clusters with ELD enabled With all ELD-enabled edge ports sending PDUs at the same rate, VCS1 reaches its pdu-rx-limit first. Port 2/0/1 has a lower priority (higher priority number) than port 1/0/1, and is therefore selected to be disabled. If both ports have the same priority, the port with the higher port-ID is disabled. If the port being shut down by ELD is part of a LAG, all member ports of the LAG are also shut down.
Setting global ELD parameters for a Brocade VCS Fabric cluster any port before determining that a loop exists. This value is the pdu-rx-limit. You must also set the interval between sending PDUs by using the hello-interval command. The combination of pdu-rx-limit and hello-interval timer determines the time it takes for ELD to detect and break a Layer 2 loop. At the interface level, you must enable ELD on each port you want it to run on and set the port priority.
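The ELD decision rules from the two passages above (loop declared after pdu-rx-limit of a device's own PDUs come back, detection time as pdu-rx-limit times hello-interval, the higher priority number disabled with ties going to the higher port-ID, LAG members taken down together, clear edge-loop-detection re-enabling ports) as an executable model. This is an added illustration, not Network OS code; device names, port numbers, priorities and the class and function names are constructed.

```python
"""Model of how edge-loop detection (ELD) declares a loop and picks the port
to shut down. Added illustration, not Network OS code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EldPdu:
    origin_switch: str      # device that sent the PDU
    origin_port: str        # edge port that sent it, e.g. "1/0/1"


@dataclass
class EldPort:
    switch: str
    port_id: str
    priority: int                        # lower number = higher priority
    lag_members: Tuple[str, ...] = ()    # other ports of the same LAG
    enabled: bool = True

    def pdu(self) -> EldPdu:
        return EldPdu(self.switch, self.port_id)


def detection_time(pdu_rx_limit: int, hello_interval: int) -> int:
    """Seconds until ELD reacts: pdu-rx-limit PDUs sent hello-interval apart."""
    return pdu_rx_limit * hello_interval


def port_id_key(port_id: str) -> Tuple[int, ...]:
    """Compare 'rbridge/slot/port' numerically, field by field."""
    return tuple(int(x) for x in port_id.split("/"))


def select_port_to_disable(a: EldPort, b: EldPort) -> EldPort:
    """Higher priority number loses; on a tie the higher port-ID loses."""
    return max((a, b), key=lambda p: (p.priority, port_id_key(p.port_id)))


@dataclass
class EldDevice:
    name: str
    pdu_rx_limit: int
    ports: Dict[str, EldPort] = field(default_factory=dict)
    rx_own_pdus: int = 0    # own PDUs received back on any port

    def add_port(self, port_id: str, priority: int,
                 lag_members: Tuple[str, ...] = ()) -> EldPort:
        port = EldPort(self.name, port_id, priority, tuple(lag_members))
        self.ports[port_id] = port
        return port

    def receive(self, ingress_port: str, pdu: EldPdu) -> Optional[List[str]]:
        """Handle a PDU arriving on an ELD-enabled edge port.

        Returns the ports shut down when this PDU reaches pdu-rx-limit,
        otherwise None (a PDU from another device is simply forwarded).
        """
        if pdu.origin_switch != self.name:
            return None
        self.rx_own_pdus += 1
        if self.rx_own_pdus < self.pdu_rx_limit:
            return None
        loser = select_port_to_disable(self.ports[pdu.origin_port],
                                       self.ports[ingress_port])
        return self.shutdown(loser)

    def shutdown(self, port: EldPort) -> List[str]:
        """Disable the port and, if it is in a LAG, every member port."""
        victims = [port.port_id, *port.lag_members]
        for pid in victims:
            if pid in self.ports:
                self.ports[pid].enabled = False
        return victims

    def clear(self) -> None:
        """Equivalent of clear edge-loop-detection: re-enable all ports."""
        for port in self.ports.values():
            port.enabled = True
        self.rx_own_pdus = 0


def simulate_loop(pdu_rx_limit: int = 3) -> List[str]:
    """Constructed scenario matching the text: PDUs sent from port 1/0/1
    re-enter the same cluster on port 2/0/1, which has the higher priority
    number, so 2/0/1 is the port that gets disabled."""
    vcs1 = EldDevice("VCS1", pdu_rx_limit)
    p1 = vcs1.add_port("1/0/1", priority=128)
    vcs1.add_port("2/0/1", priority=200)
    result = None
    while result is None:
        result = vcs1.receive("2/0/1", p1.pdu())
    return result   # ['2/0/1']
```

The priority assignment is the lever an operator has: giving the uplink toward the core the lower priority number ensures that, when a loop appears, ELD sacrifices the edge side rather than the link that carries everything else.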
Setting interface parameters on a port The number value must be in the range 10 through 1440 (10 minutes through 24 hours). The default value is 0, indicating that the port is not automatically re-enabled. Setting interface parameters on a port Perform this procedure for every port you want to be monitored by ELD. 1. Log in to any switch in a Brocade VCS Fabric cluster. 2.
Administering Edge-Loop Detection NOTE If an edge port becomes an ISL port because a remote port’s VCS ID was changed, a port that was already shut down by ELD must be cycled with the shutdown and no shutdown commands to be detected as an ISL port. • To re-enable all ports disabled by ELD, enter clear edge-loop-detection.
Troubleshooting edge-loop detection
Configuring AMPP ● AMPP overview.............................................................................................................327 ● Configuring AMPP profiles............................................................................................ 331 AMPP overview Server virtualization infrastructure associates a server-side Virtual Ethernet Bridge (VEB) port-profile with each Ethernet MAC address used by a virtual machine (VM) to access the network through a VEB port.
AMPP and Switched Port Analyzer The italic text in the following example highlights the vLAG information in the port profile:
switch# show port-profile status
Port-Profile            PPID  Activated
auto-dvPortGroup        1     Yes
auto-dvPortGroup2       2     Yes
auto-dvPortGroup3       3     Yes
auto-dvPortGroup_4_0    4     Yes
auto-dvPortGroup_vlag   5     Yes
auto-for_iscsi          6     Yes
auto-VM_Network         9     Yes
auto-VM_kernel          10    Yes
auto-VM_NW_1G           11    Yes
auto-VMkernel           12    Yes
auto-VMkernel_VS        13    Yes
auto-Management+Network auto-Virtual+Machine+Netw
AMPP scalability destination port as the profiled port, or the reverse. SPAN allows the capability to mirror the traffic learnt on the profiled port. For complete information on SPAN, refer to Configuring Switched Port Analyzer on page 533. AMPP scalability The following table describes the Auto Migrating Port Profile (AMPP) scalability values supported by Network OS 4.0.0.
Life of a port-profile In addition, all the combinations can be mixed up with some security rules grouped under a security-profile. NOTE A port-profile does not contain some of the interface level configurations, such as LLDP, SPAN, LAG, and so on. A port-profile operates as a self-contained configuration container.
Configuring AMPP profiles TABLE 56 AMPP behavior and failure descriptions (Continued)
AMPP event: De-activate port-profile
Applicable behavior and failures:
• This event removes the applied port-profile configuration from all the profiled ports.
• De-activation is allowed even if there are MAC addresses associated with the port-profile.
AMPP event: Modify port-profile
Applicable behavior and failures:
• Port-profile can be edited only in the pre-activation stage.
AMPP event: Associate MAC addresses to a port-profile
Configuring VLAN profiles 1. Configure the physical interface, LAG, or vLAG as a port-profile port. switch(if-te-2/0/1)# port-profile-port 2. Create and configure a new port-profile name. switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Configuring FCoE profiles Configuring FCoE profiles Only the FCoE profile of the default profile can be modified. The FCoE profile can only be part of the default profile. When it is part of the default profile, FCoE is enabled globally and all the profiled ports automatically become FCoE ports. In the absence of the FCoE profile in the default AMPP profile, you can configure FCoE on a per-interface basis, based on the profiled ports. Refer to Configuring FCoE interfaces on page 337 for details.
Configuring security profiles • Without PFC. switch(config-qos-profile)# qos flowcontrol tx on rx on • With PFC for each CoS. switch(config-qos-profile)# qos flowcontrol pfc 1 tx on rx on switch(config-qos-profile)# qos flowcontrol pfc 2 tx on rx on 8. Exit QoS profile mode. switch(config-qos-profile)# exit 9. Activate the profile. switch(config)# port-profile vm1-port-profile activate 10. Associate the profile to the MAC address for each host.
Deleting a port-profile The following example activates the mode for the 10-gigabit Ethernet interface in slot 0/port 0. switch(config)# interface tengigabitethernet 1/0/1 2. Unconfigure port-profile-port on the physical interface. switch(conf-int-te-1/0/1)# no port-profile-port switch(conf-int-te-1/0/1)# no shutdown Deleting a port-profile To delete a port-profile, perform the following steps in privileged EXEC mode. 1. Enter global configuration mode.
Configuring AMPP
1    005a.8402.0006  Dynamic
1    005a.8402.0007  Dynamic
1    005b.8402.0001  Dynamic
1    005c.8402.0001  Dynamic
100  005a.8402.0000  Dynamic
100  005a.8402.0001  Dynamic
100  005a.8402.0003  Dynamic
100  005a.8402.0005  Dynamic
100  005a.8402.
Configuring FCoE interfaces ● FCoE overview..............................................................................................................337 ● FCoE interface configuration.........................................................................................350 ● Troubleshooting FCoE interfaces..................................................................................
End-to-end FCoE TABLE 57 FCoE terminology
Term      Description
FCoE      Fibre Channel over Ethernet
DCB       Data Center Bridging
VN_Port   FCoE equivalent of an FC N_Port
VF_Port   FCoE equivalent of an FC F_Port
ENode     An FCoE device that supports FCoE VN_Ports (servers and target devices)
End-to-end FCoE The Brocade VCS Fabric is a convergence-ready fabric. This means it is capable of providing lossless service and other features expected of a CEE-capable network.
Configuring FCoE interfaces and the network happens to the router’s MAC address at Layer 2. This means VN1 is always communicating with VF1 at Layer 2. 2. In a Brocade VCS Fabric implementation, all FC services are available on every cluster unit. This means there is Fibre Channel Network Switch (FCNS) available on both FCF1 and FCF2. The FCNS service functions identically as it does in an FC SAN. As a result, VN1 discovers VN2. 3.
FCoE and Layer 2 Ethernet original MAC header is now transformed as follows: the DA is changed from VF1 to FCF-C and the SA is changed from VN1 to FCF-A. This occurs at point 2 in the previous figure. 6. The frame gets a Transparent Interconnection of Lots of Links (TRILL) header and traverses across the fabric to reach FCF-C. The TRILL header indicates that the source is RBridge 1 and the destination is RBridge 3. This occurs at point 2 in the previous figure. 7.
Layer 2 forwarding FIGURE 42 Multiple switch fabric configuration Layer 2 forwarding Layer 2 Ethernet frames are forwarded on the DCB ports. 802.1Q VLAN support is used to tag incoming frames to specific VLANs, and 802.3ac VLAN tagging support is used to accept VLAN tagged frames from external devices. Network OS uses the following 802.
802.1Q VLAN tagging For detailed information on configuring these protocols, refer to Configuring STP-Type Protocols on page 407. The Brocade VDX hardware handles Ethernet frames as follows: • When the destination MAC address is not in the lookup table, the frame is flooded on all ports in the same VLAN, except the ingress port. • When the destination MAC address is present in the lookup table, the frame is switched only to the correct egress port.
Support for Virtual Fabrics NOTE Only a single switch-wide VLAN is capable of forwarding FCoE traffic. For detailed information on configuring VLANs, refer to Configuring 802.1Q VLANs on page 355. Support for Virtual Fabrics Network OS provides a Virtual Fabrics feature that supports multitenancy by extending the standard (802.1Q) VLAN ID space from 4096 through 8191, enabling the use of classified VLANs. Following an upgrade to Network OS 4.
Congestion control and queuing Congestion control and queuing The Brocade VDX hardware supports several congestion control and queuing strategies. As an output queue approaches congestion, Random Early Detection (RED) is used to selectively and proactively drop frames to maintain maximum link utilization.
Access control The traffic rate of the traffic streams that are uncongested remains high. The outbound ports should carry some multicast frames from all the inbound ports. • Scheduling — A typical example of scheduling policy (using Strict Priority 0 and Strict Priority 1 modes) is where ports 0 through 7 carry inbound traffic, each port has a unique priority level, port 0 has priority 0, port 1 has priority 1, and so on. All traffic is switched to the same outbound port.
Flow control The 802.3ad Link Aggregation Control Protocol (LACP) is used to combine multiple links to create a trunk with the combined bandwidth of all the individual links. For detailed information on configuring LACP, refer to Configuring Link Aggregation on page 437. NOTE Brocade software supports a maximum of 24 LAG interfaces. Flow control 802.3x Ethernet pause and Ethernet Priority-based Flow Control (PFC) are used to prevent dropped frames by slowing traffic at the source end of a link.
FIP login • VLAN 1 — The Brocade VDX hardware should not forward FIP frames on VLAN 1 because it is reserved for management traffic only. • A fabric-provided MAC address is supported. NOTE In the fabric-provided MAC address format, VN_Port MAC addresses are based on a 48-bit fabric-supplied value. The first three bytes of this value are referred to as the FCMAP. The next three bytes are the FC ID, which is assigned by the switch when the ENode logs in to the switch.
Name server operation If FKA timeouts are enabled on the switch, the VN_Port will be implicitly logged out in the event of a VN_Port FKA timeout. Name server operation The Brocade VDX hardware name server function operates as follows: • ENode login and logout to and from the Brocade VDX hardware updates the name server in the FC fabric. The Brocade VDX hardware maintains the MAC address to WWN and PID mappings.
FCoE queuing command with the keyword of local (the default). The user can choose the global keyword to maintain the previous configuration model. In this case, the user cannot modify fcoe-enodes in an RBridge context or max-enodes in a global context. The global keyword is provided only to support a downgrade from the current release to the previous release. FCoE queuing The QoS configuration controls the FCoE traffic distribution.
FCoE interface configuration ‐ Extra FCoE interfaces (the difference between the value of max-enodes and that of fcoe-enodes) are deleted. ‐ In logical chassis cluster mode, the value of "Total-FCoE-Enodes" in the fabric map is set to the total number of FCoE interfaces created in the cluster. In fabric cluster mode, that value is set to the number of FCoE interfaces created on the respective RBridge.
Assigning an FCoE map onto an interface Assigning an FCoE map onto an interface The FCoE map cannot be edited if it is associated with any interfaces. The FCoE map can be applied, irrespective of whether or not the interface is in "switchport" mode. However, the FCoE map cannot be applied on an interface if the same interface already has a CEE map assigned to it. To assign the FCoE map onto an interface, perform the following steps in global configuration mode. 1.
Configuring FCoE over LAG 6. Confirm the changes to the interface with the show running-config command. switch# show running-config interface tengigabitethernet 3/0/19 interface TenGigabitEthernet 3/0/19 fabric isl enable fabric trunk enable channel-group 10 mode active type standard lacp timeout long fcoeport default no shutdown 7. Use the show fcoe interface brief command to confirm the current status of the FCoE logins. switch# show fcoe interface brief 8.
Configuring logical FCoE ports Configuring logical FCoE ports When the switch boots, a pool of 64 FCoE ports is created. These ports are not bound to any physical ports. The bindings are created when an FLOGI is received on the switch. Any free port that is available from the pool is selected and bound to the physical port where the FLOGI is received. The default number of logical ports is 64, and the range of valid values is from 0 through 1000.
Troubleshooting FCoE interfaces Troubleshooting FCoE interfaces The following commands can be used to troubleshoot FCoE interfaces.
Command                Description
show fcoe fabric-map   Displays VLAN and fabric-map state, among other items
show vlan brief        Displays VLANs that are configured, provisioned, and unprovisioned, among other items
For details and example output, refer to the Network OS Command Reference.
Configuring 802.1Q VLANs ● 802.1Q VLAN overview.................................................................................................355 ● Configuring and managing 802.1Q VLANs................................................................... 357 ● Private VLANs...............................................................................................................364 802.1Q VLAN overview NOTE This chapter addresses the use of standard Virtual LANs (VLANs) as defined by IEEE 802.1Q.
Configuring 802.1Q VLANs ‐ ‐ Any tagged frames coming with a VLAN tag equal to the configured native VLAN are processed. For ingress and egress, non-native VLAN tagged frames are processed according to the allowed VLAN user specifications. This is called trunk mode. NOTE Ingress VLAN filtering is enabled by default on all Layer 2 interfaces. This ensures that VLANs are filtered on the incoming port (depending on the user configuration).
VLAN configuration guidelines and restrictions • The VLAN filtering behavior on logical Layer 2 interfaces such as LAG interfaces is the same as on port interfaces. • The VLAN filtering database (FDB) determines the forwarding of an incoming frame. Additionally, there are important facts you should know about the VLAN FDB: • The VLAN FDB contains information that helps determine the forwarding of an arriving frame based on MAC address and VLAN ID data.
Configuring interfaces to support VLANs TABLE 59 Default VLAN configuration
Parameter                  Default setting
Default VLAN               VLAN 1
Interface VLAN assignment  All interfaces assigned to VLAN 1
VLAN state                 Active
MTU size                   2500 bytes
NOTE Enter the copy running-config startup-config command to save your configuration changes. Configuring interfaces to support VLANs This section details the various tasks required to configure and manage VLAN traffic.
Creating a VLAN 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the interface port type and slot/port number. The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8 in VCS mode. The prompt for these ports has the format: switch(config-if-gi-22/0/1)#. switch(config)# interface tengigabitethernet 0/1 3.
Disabling STP on a VLAN Disabling STP on a VLAN Once all of the interface ports have been configured for a VLAN, you can disable STP for all members of the VLAN with a single command. To disable STP for a VLAN, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to select the VLAN interface number. switch(config)# interface vlan 55 3.
Disabling a VLAN on a trunk interface 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8 in VCS mode. The prompt for these ports is in the format: switch(config-if-gi-22/0/1)#. switch(config)# interface tengigabitethernet 0/19 3.
Configuring protocol-based VLAN classifier rules Configuring protocol-based VLAN classifier rules You can configure VLAN classifier rules to define specific rules for classifying frames to selected VLANs based on protocol and MAC addresses. Sets of rules can be grouped into VLAN classifier groups (refer to Deleting a VLAN classifier rule on page 363). VLAN classifier rules (1 through 256) are a set of configurable rules that reside in one of these categories: • 802.
Deleting a VLAN classifier rule 1. Enter the configure terminal command to change to global configuration mode. switch# configure terminal 2. Enter the vlan classifier rule command to configure a MAC address-based VLAN classifier rule. switch(config)# vlan classifier rule 5 mac 0008.744c.7fid Deleting a VLAN classifier rule VLAN classifier groups (1 through 16) can contain any number of VLAN classifier rules.
Configuring the MAC address table 1. Enter the show interface command to display the configuration and status of the specified interface. The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8 in VCS mode. The prompt for these ports is in the format: switch(config-if-gi-22/0/1)#. switch# show interface tengigabitethernet 0/10 port-channel 10 switchport 2. Enter the show vlan command to display the specified VLAN information.
PVLAN configuration guidelines and restrictions VLAN identifier of the whole private VLAN domain and of all its VLAN ID pairs. Secondary VLANs can be configured as one of two types: either isolated VLANs or community VLANs. Only one isolated VLAN can be part of one PVLAN domain. An isolated VLAN is a secondary VLAN whose distinctive characteristic is that all hosts connected to its ports are isolated at Layer 2.
Associating the primary and secondary VLANs • For private VLANs, egress ACLs on the primary VLAN are applied only for the traffic that ingresses and egresses from the primary VLAN, and not for the traffic that gets translated from the secondary VLAN to the primary VLAN. • For private VLANs, egress ACLs on the primary VLAN are also applied to the traffic that gets translated to the secondary VLAN. • STP is not supported on private VLAN host ports.
Configuring an interface as a PVLAN trunk port Configuring a tagged PVLAN host port. switch(conf-if-te-0/1)# switchport mode private-vlan trunk host Configuring a tagged PVLAN host port. switch(conf-if-te-0/1)# switchport mode private-vlan host 4. Configure the interface as a PVLAN host port that is untagged. switch(conf-if-te-0/1)# switchport mode private-vlan host 5. Associate the interface with a PVLAN.
Displaying PVLAN information
Configuring a VXLAN Gateway ● Introduction to VXLAN Gateway................................................................................... 369 ● VXLAN tunnel endpoints............................................................................................... 370 ● High-level communication in a VXLAN environment.....................................................370 ● Coordination of activities...............................................................................................
VXLAN tunnel endpoints VXLAN tunnel endpoints VXLAN creates large-scale, isolated virtual L2 networks for virtualized and multi-tenant environments by encapsulating frames in VXLAN packets. Frame encapsulation is performed by a VXLAN tunnel endpoint (VTEP). A VTEP originates and/or terminates VXLAN tunnels. High-level communication in a VXLAN environment The following illustration provides a basic view of the interaction of components in a VXLAN environment.
Coordination of activities Coordination of activities Be sure to coordinate your activities with the administrators of the virtual network and NSX Controller to help ensure a successful setup. Provide the NSX administrator with an inventory of switches, ports and VLANs in your VCS cluster. The NSX administrator creates the virtual network, assigns a VXLAN Network Identifier (VNI) to this network, and selects ports which are to be attached to this virtual network.
VXLAN gateway configuration example 9. Enter the virtual IP address of the virtual-router-extended group, as in the following example: switch(config-vrrp-extended-group-100)# virtual-ip 60.60.60.230 10. Enable short-path forwarding on the virtual router: switch(config-vrrp-extended-group-100)# short-path-forwarding 11. Enter the end command to exit configuration mode. 12. Enter global configuration mode: switch# configure 13.
Configuring a VXLAN Gateway d) Run the attach vlan vlan_ID command to export specified VLANs (these are VLANs that can be mapped to VXLAN domains), as shown in the example below: switch(config-overlay-gateway1)# attach vlan 5,14-17 All the MAC addresses that the VXLAN gateway learns on these VLANs are shared with the NSX controller. When a MAC address ages out in VCS, the MAC address is removed from the NSX controller. e) There is also an option to list specific MAC addresses.
Additional commands Additional commands Most of the VXLAN-gateway-related commands were used in the configuration example in the section VXLAN Gateway configuration steps on page 371. For complete information on those commands as well as other VXLAN gateway commands and commands related to nsx-controller, refer to the Network OS Command Reference. Some additional commands you may want to use include the following: • show nsx controller—Displays connection status for the NSX controller.
Configuring Virtual Fabrics ● Virtual Fabrics overview................................................................................................ 375 ● Configuring and managing Virtual Fabrics....................................................................
Virtual Fabrics features A service VF thus represents a virtualized, normalized VLAN domain, where different link-protocol VLAN identifiers (port number, MAC address, and customer VLAN ID, or C-VID) are mapped to the same VLAN. In other words, VMs on the same service VF belong to the same forwarding domain, even though the attachment interfaces use different classification rules. When a VM moves among these interfaces, the Layer 2 forwarding domain does not change.
Virtual Fabrics upgrade and downgrade considerations STP support The correct configuration of xSTP is the responsibility of the user. Much as the user must ensure that VLAN configurations and VLAN instance mappings are consistent on all switch ports, so also the user must understand whether a specific protocol, whether RSTP, MSTP, or PVST, is applicable to the underlying physical topology when 802.1Q VLANs and VFs coexist in the fabric.
Virtual Fabrics operations frames that arrive on an ISL. If the frame exists in the fabric, it must have been allowed to enter the fabric at the edge. In fabric cluster mode, Network OS 4.0.0 configuration rules still apply; the user must configure VLANs on every RBridge. Mixed fabric interoperability Releases prior to Network OS 4.1.0 can support only 802.1Q VLAN configurations. However, although Network OS 4.1.0 can support both 802.
Virtual Fabrics configuration overview NOTE If the fabric state is VF-incapable, the vcs virtual-fabric enable command will not succeed. Disabling VFs To disable VFs in the fabric, the user must first remove all VF configurations in the fabric before issuing the no vcs virtual-fabric enable command. This command is distributed to all RBridges in the fabric. Each RBridge reverses the stage execution from what was done to enable the VF.
Configuring Virtual Fabrics Feature scalability The scalability numbers of VLAN features remain the same as in the previous release. The following lists VF resource numbers for the Brocade VDX 8770 series and VDX 6740 series. TABLE 61 VF resource numbers for Brocade VDX 8770 and VDX 6740 series Resources VDX 8770 series VDX 6740 series 802.
VLAN virtualization A VLAN ACL requires an IVID allocation for the target VLAN. If the target VLAN is configured on the local switch port, the ACL can be applied on the IVID for this VLAN. However, on the switch where the VLAN is transiting (that is, it is not configured on any switch port), an IVID must still be allocated for the ACL entry.
Virtual data center deployment FIGURE 45 VLAN virtualization Virtual data center deployment The following illustrates an example VDC infrastructure that supports a VMware deployment.
Configuring Virtual Fabrics FIGURE 46 VDC infrastructure In a VMware-based cloud provider network, a VCS Fabric is connected to multiple vCenters, where each data center manages its own set of tenant networks. VMware vCloud/OpenStack is responsible for orchestrating tenant VLAN configuration through the vCenter agent integrated into a VCS RBridge and its ESXi servers. Each data center connects to the VCS Fabric by means of dedicated edge ports. The ability of the VCS Fabric to support 802.
AMPP provisioning with service VFs AMPP provisioning with service VFs When the Automatic Migration of Port Profiles (AMPP) feature is used in Network OS 4.1.0 and later, a VCS Fabric is partitioned into port-profile (PP) domains. A PP domain is a set of port-profiles whose service VF ID cannot have conflicting C-TAG or MAC classifications. A port-profile domain supports a maximum of 4096 service VFs. The scope of VM mobility is defined by the set of interfaces onto which the port-profile domain is applied.
Configuring Virtual Fabrics
a. switchport access vlan 8001
b. switchport access vlan 8002 mac 2.2.2
c. switchport access vlan 8002 mac 3.3.3
6. The following example configurations are disallowed across all profiles in the same PP domain.
a. Overlapping VF VLANs:
   a. switchport trunk allow vlan add 8000 ctag 80
   b. switchport trunk allow vlan add 8000 ctag 800
b. Overlapping C-TAG:
   a. switchport trunk allow vlan add 5000 ctag 10
   b.
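As an added illustration (not Network OS code), the following Python applies the PP-domain rules above to a set of port-profile interface commands and reports the two disallowed cases, a service VF classified by two different C-TAGs and one C-TAG classifying two service VFs. The profile names are made up, the "6000 ctag 10" line is an assumed second half of the truncated overlapping-C-TAG example, and the one-VF-per-MAC rule is inferred from the statement that MAC classifications cannot conflict.

```python
"""Check port-profile classifications in one AMPP port-profile (PP) domain for
conflicting service VF classifications.  Added illustration, not Network OS code."""
import re
from collections import defaultdict

# Service VFs are VLAN IDs above 4095; 802.1Q VLANs (1-4095) carry no C-TAG/MAC
# classification and are ignored by this check.
SERVICE_VF_MIN = 4096

CTAG_RULE = re.compile(r"switchport trunk allow vlan add (\d+) ctag (\d+)")
MAC_RULE = re.compile(r"switchport access vlan (\d+) mac (\S+)")


def collect_classifications(profiles):
    """Map each service VF to the C-TAGs classifying it, each C-TAG to the
    service VFs it classifies, and each MAC to the service VFs it classifies.
    `profiles` is {profile_name: [interface command strings]}."""
    vf_ctags = defaultdict(set)
    ctag_vfs = defaultdict(set)
    mac_vfs = defaultdict(set)
    for lines in profiles.values():
        for line in lines:
            line = line.strip()
            m = CTAG_RULE.fullmatch(line)
            if m:
                vf, ctag = int(m.group(1)), int(m.group(2))
                if vf >= SERVICE_VF_MIN:
                    vf_ctags[vf].add(ctag)
                    ctag_vfs[ctag].add(vf)
                continue
            m = MAC_RULE.fullmatch(line)
            if m:
                vf, mac = int(m.group(1)), m.group(2).lower()
                if vf >= SERVICE_VF_MIN:
                    mac_vfs[mac].add(vf)
    return vf_ctags, ctag_vfs, mac_vfs


def find_domain_conflicts(profiles):
    """Return a sorted list of (kind, key, sorted values) conflict tuples.
    An empty list means the profiles may share one PP domain."""
    vf_ctags, ctag_vfs, mac_vfs = collect_classifications(profiles)
    conflicts = []
    # Overlapping VF VLANs: one service VF classified by two different C-TAGs.
    for vf, ctags in vf_ctags.items():
        if len(ctags) > 1:
            conflicts.append(("overlapping-vf-vlan", vf, sorted(ctags)))
    # Overlapping C-TAG: one C-TAG classifying two different service VFs.
    for ctag, vfs in ctag_vfs.items():
        if len(vfs) > 1:
            conflicts.append(("overlapping-ctag", ctag, sorted(vfs)))
    # Assumption: a MAC classification, like a C-TAG, may select only one
    # service VF within a domain; several MACs per VF are fine (8002 above).
    for mac, vfs in mac_vfs.items():
        if len(vfs) > 1:
            conflicts.append(("overlapping-mac", mac, sorted(vfs)))
    return sorted(conflicts)


# Constructed sample profiles (names are made up).  Repeating the same
# VF/C-TAG mapping in two profiles is not a conflict.
ALLOWED_PROFILES = {
    "pp-access-a": ["switchport access vlan 8001"],
    "pp-access-b": ["switchport access vlan 8002 mac 2.2.2"],
    "pp-access-c": ["switchport access vlan 8002 mac 3.3.3"],
    "pp-trunk-a": ["switchport trunk allow vlan add 8000 ctag 80"],
    "pp-trunk-b": ["switchport trunk allow vlan add 8000 ctag 80"],
}

# The "6000 ctag 10" line is an assumed completion of the page's truncated
# overlapping-C-TAG example.
DISALLOWED_PROFILES = {
    "pp-trunk-a": ["switchport trunk allow vlan add 8000 ctag 80"],
    "pp-trunk-b": ["switchport trunk allow vlan add 8000 ctag 800"],
    "pp-trunk-c": ["switchport trunk allow vlan add 5000 ctag 10"],
    "pp-trunk-d": ["switchport trunk allow vlan add 6000 ctag 10"],
}

if __name__ == "__main__":
    print("allowed:", find_domain_conflicts(ALLOWED_PROFILES))
    for kind, key, values in find_domain_conflicts(DISALLOWED_PROFILES):
        print(f"{kind}: {key} -> {values}")
```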
Configuring Virtual Fabrics
• The deleted user or auto port-profile is automatically deleted from the default port-profile domain.
• The show running-config command or the show port-profile domain command shows the port-profiles in the default-profile-domain.
• The user is not allowed to edit the default port-profile domain.
The following rules apply after service VFs are enabled in the fabric.
• The user can edit the UpgradedVlanProfile just like any other port-profile.
STP with service VFs TABLE 62 Configuration status before and after upgrade Network OS 4.0.0 Network OS 4.1.
STP-with-service-VFs topology configurations, whether 802.1Q or service VF. This is necessary for STP to operate correctly across the fabric. All other switch ports that do not participate in this domain must have STP disabled. STP-with-service-VFs topology The following illustrates an example VCS Fabric that is connected to three vDCs. There must not be any external physical connectivity among the vDCs.
STP participation
‐ The VCS Fabric and the attached vDCs belong to the same MSTP region.
‐ VLAN-to-instance mapping must be the same in the VCS Fabric and for each vDC.
‐ An MSTP instance topology is formed by the VCS Fabric (which appears as a single logical switch) and all attached vDCs.
‐ Service VF configuration is allowed.
‐ Service VFs (VLAN IDs greater than 4095) are not assigned to any instance and are always in a forwarding state.
PVLANs with service VFs from the flood membership of the VLAN. For tagged BPDUs (as in PVST), a BPDU is tunneled on its own service-VF flood domain. PVLANs with service VFs Private VLAN (PVLAN) configurations apply to service VFs. A service VF can be a primary or a secondary VLAN. However, before an association between the primary and secondary VLAN can be made at the trunk port, the classification of a PVLAN that is a service VF must have been configured.
Configuring Virtual Fabrics FIGURE 49 Transport service The transport VFs that can extend outside of the VCS Fabric are numbered up through 4095, bound by the 802.1Q interface. Because the extension port cannot support QinQ encapsulation, transport VFs that have overlapping C-TAGs cannot be configured on the same port. In the initial release of this feature, no Layer 2 or Layer 3 configuration is supported.
Configuring Virtual Fabrics
‐ Untagged control traffic is not subject to transport VF classification rules. It is handled according to the respective protocol configuration (that is, trapped, dropped, forwarded).
‐ Tagged control traffic received on a transport VF is forwarded on the transport VF domain as is data traffic. (PVST cannot be established on a transport VF and is always in the shutdown state.
Service and transport VF classification with native VLANs Service and transport VF classification with native VLANs This section addresses two ways to classify service and transport VFs with native VLANs: a default native VLAN mode, and a nondefault native VLAN mode. Default-native-VLAN trunk mode When a port is configured in normal trunk mode, a default native VLAN exists. Consequently, the native VLAN complies with the existing native VLAN configuration and forwarding behavior in this mode.
No-default-native-VLAN trunk mode
• VLAN 1 cannot be used as a classification CTAG.
• Ingress and egress tagging behavior is controlled by the interface-level configuration, not by the global configuration.
The following summarizes the native service VF (VLAN ID > 4095) classifications that can or cannot be supported with the respective commands.
Configuring Virtual Fabrics
• Default VLAN 1 is not implicitly created in this mode.
• Native VLAN commands that are applicable in default-VLAN trunk mode are not supported in this mode.
• Native VLAN commands that are applicable in this mode are not supported in default-VLAN trunk mode.
Because of the different mode behaviors, the user must be aware of the following:
• A port in default-VLAN trunk mode cannot use the new classifications.
Configuring Virtual Fabrics
‐ switchport trunk tag native-vlan
‐ switchport trunk native vlan vlan_id
‐ dot1q tag native-vlan (a global command that does not apply to a port)
• All service and transport VF configurations that are available in default-VLAN trunk mode continue to be supported. An 802.1Q native VLAN can be classified to a service or transport VF with the new commands.
Configuring and managing Virtual Fabrics
The following illustrates configuration in no-default-native-VLAN trunk mode.
switch(config)# int vlan 5000
switch(config)# int vlan 6000
switch(config-Vlan-6000)# transport-service 60
switch(config)# int vlan 7000
switch(config-Vlan-7000)# transport-service 70
In the new mode, the default behavior is to drop all packets.
Configuring a service VF instance
Configuring a service VF instance consists of enabling VF configuration in the fabric, and then configuring a service VF instance that is greater than 4095. The initial release of this feature supports up through 8192 VLANs, with 8191 being the largest number that can be assigned. The vcs virtual-fabric enable command, issued in global configuration mode, expands the VLAN ID address space beyond the 802.
Configuring transport VF classification to a trunk interface Configuring transport VF classification to a trunk interface The following example command sequence illustrates the configuration of VF classification to a trunk interface.
Configuring a native VLAN in no-default-native-VLAN trunk mode
The following examples illustrate the configuration of a native VLAN in a trunk mode where the native VLAN does not exist. The native VLAN must be explicitly created in this mode. The following native VLAN commands are supported in this mode:
• switchport trunk native-vlan-untagged
• switchport trunk native-vlan-xtagged
1.
Configuring physical interfaces
1. Create classification rules for the primary and secondary VLAN at the respective primary and host ports. The classification must be done before the primary-to-secondary VLAN associations are specified. In the following example, the same C-TAG is used to classify the primary and secondary VLANs. Interface te 1/0/1 is a primary trunk port.
Understanding PVLAN configuration failures
The following configures non-PVLAN VFs.
switch(conf-if-te-1/4/1)# switchport private-vlan trunk allowed vlan add 400
switch(conf-if-te-1/4/1)# switchport private-vlan trunk allowed vlan add 5000 ctag 100
Understanding PVLAN configuration failures
The following are example conditions, with error messages, that determine the success or failure of a PVLAN configuration.
Configuring an interface for service VF MAC address access
NOTE Only one MAC address can be deleted at a time.
switch(config)# mac-group 1
switch(config-mac-group 1)# no mac 0004.0004.0004
Configuring an interface for service VF MAC address access
The following illustrates various options and errors that can occur in configuring an interface for service VF MAC address access.
1. In interface configuration mode, set switchport mode to access and change the default VLAN to a service VF.
Upgrading and downgrading firmware with Virtual Fabrics Layer 3 configurations are applicable to service VFs, by means of existing interface ve commands. Each virtual Ethernet (VE) interface is mapped to a service VF, and all VE interfaces share the router's MAC address. A VE interface can be assigned to a VRF instance, with per-VRF OSPF instances exchanging routes between RBridges in that VRF instance. Virtual Router Redundancy Protocol (VRRP) provides high availability.
Troubleshooting Virtual Fabrics
a) Remove all service or transport VF configurations in the fabric.
b) In global configuration mode, issue the no vcs virtual-fabric enable command to disable service or transport VF configurations.
c) The fabric reaches a VF-incapable state. This command will succeed only if the switch state is capable of supporting existing 802.1Q VLANs in a VF-disabled state.
Configuring STP-Type Protocols
● STP overview................................................................................................................ 407
● Configuring and managing STP and STP variants....................................................... 412
STP overview
The IEEE 802.1D Spanning Tree Protocol (STP) runs on bridges and switches that are 802.1D-compliant. STP prevents loops in networks that have redundant links.
STP configuration guidelines and restrictions
• From learning to forwarding, blocking, or disabled
• From forwarding to disabled
The following STP features are considered optional features although you might use them in your STP configuration:
• Root guard — Refer to Enabling guard root (DCB) on page 426.
• Port fast BPDU guard and BPDU filter — Refer to Enabling port fast (DCB) on page 428.
MSTP provides rapid reconvergence of edge ports, new root ports, and ports connected through point-to-point links. The RSTP interface states for every Layer 2 interface running RSTP are as follows:
• Learning — The interface prepares to participate in frame forwarding.
• Forwarding — The interface forwards frames.
• Discarding — The interface discards frames.
Note that the 802.1D disabled, blocking, and listening states are merged into the RSTP discarding state.
PVST+ and Rapid PVST+ NOTE In MSTP mode, RSTP is automatically enabled to provide rapid convergence. Multiple switches must be configured consistently with the same MSTP configuration to participate in multiple spanning tree instances. A group of interconnected switches that have the same MSTP configuration is called an MSTP region. NOTE Brocade supports 32 MSTP instances and one MSTP region. MSTP introduces a hierarchical way of managing switch domains using regions.
PVST+ and R-PVST+ guidelines and restrictions PVST+ is not a scalable model when there are many VLANs in the network, as it consumes a lot of CPU power. A reasonable compromise between the two extremes of RSTP and R-PVST+ is the Multiple Spanning Tree protocol (MSTP), which was standardized as IEEE 802.1s and later incorporated into the IEEE 802.1Q-2003 standard. MSTP runs multiple instances of spanning tree that are independent of VLANs. It then maps a set of VLANs to each instance. NOTE Network OS 4.
Configuring and managing STP and STP variants tree topology. Each RBridge updates all the other members about its best information for a given spanning tree instance. Each RBridge maintains a table of best information from the other RBridges in the cluster. This table is identical across all the RBridges in the cluster. This information is used to derive the port roles for the local edge ports.
Saving configuration changes
The following table lists those switch defaults which apply only to MSTP configurations.
TABLE 68 Default MSTP configuration
Parameter                                                   Default setting
Cisco interoperability                                      Disabled
Switch priority (when mapping a VLAN to an MSTP instance)   32768
Maximum hops                                                20 hops
Revision number                                             0
The following table lists the switch defaults for the 10-gigabit Ethernet DCB interface-specific configuration.
Configuring basic STP
NOTE The gigabitethernet rbridge-id/slot/port keyword is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8 switches. The prompt for these ports is in this format: switch(config-if-gi-22/0/1)#.
The process for configuring STP is as follows:
1. Enter global configuration mode.
2. Enable STP by using the global protocol spanning-tree command. For details, refer to Enabling STP, RSTP, MSTP, PVST+ or R-PVST+ on page 419.
Configuring RSTP
All other switch ports that connect to other switches and bridges are automatically placed in blocking mode. This does not apply to ports connected to workstations or PCs; these ports remain in the forwarding state.
8. Return to privileged EXEC mode.
switch(conf-if-te-0/12)# end
9. Enter the copy command to save the running-config file to the startup-config file.
Configuring MSTP NOTE Port fast only needs to be enabled on ports that connect to workstations or PCs. Repeat these commands for every port connected to workstations or PCs. Do not enable port fast on ports that connect to other switches. NOTE Enabling port fast on ports can cause temporary bridging loops, in both trunking and nontrunking mode.
Configuring additional MSTP parameters
5. Map a VLAN to an MSTP instance by using the instance command. Refer to Mapping a VLAN to an MSTP instance on page 417 for more details.
switch(config-mstp)# instance 1 vlan 2, 3
switch(config-mstp)# instance 2 vlan 4-6
switch(config-mstp)# instance 1 priority 4096
6. Specify the maximum hops for a BPDU to prevent the messages from looping indefinitely on the interface by using the max-hops hop_count command.
Specifying the maximum number of hops for a BPDU (MSTP)
To map a VLAN to an MSTP instance, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2. Enter the protocol command to enable MSTP.
switch(config)# protocol spanning-tree mstp
3. Map a VLAN to an MSTP instance.
switch(config-mstp)# instance 5 vlan 300
4. Return to privileged EXEC mode.
switch(config-mstp)# end
5.
Configuring PVST+ or R-PVST+
To specify a revision number for an MSTP configuration, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2. Enter the protocol command to enable MSTP.
switch(config)# protocol spanning-tree mstp
3. Enter the revision command to specify a revision number for an MSTP configuration.
switch(config-mstp)# revision 17
4. Return to privileged EXEC mode.
Shutting down STP, RSTP, MSTP, PVST+, or R-PVST+ globally
To shut down STP, RSTP, MSTP, PVST+, or R-PVST+ globally, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2. Enter the shutdown command to globally shut down STP, RSTP, MSTP, PVST+, or R-PVST+. The shutdown command below works in all modes.
Specifying the bridge forward delay
3. Specify the bridge priority. The range is 0 through 61440 and the priority values can be set only in increments of 4096. The default priority is 32768.
switch(conf-stp)# bridge-priority 20480
4. Specify the bridge priority for a specific VLAN.
Specifying the bridge hello time
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2. Enter the protocol command to enable STP, RSTP, MSTP, PVST+, or R-PVST+.
switch(config)# protocol spanning-tree stp
3. Specify the bridge maximum aging time.
switch(conf-stp)# max-age 25
4. Specify the bridge maximum aging time for a specific VLAN.
Specifying the error disable timeout interval
enable the port from the disabled state. For details on configuring the error disable timeout interval, refer to Specifying the error disable timeout interval on page 423. To enable the error disable timeout timer, perform the following steps from privileged EXEC mode. By default, the timeout feature is disabled.
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2.
Clearing spanning tree counters
To specify the transmit hold count, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2. Specify the transmit hold count.
switch(config-mstp)# transmit-holdcount 5
3. Return to privileged EXEC mode.
switch(config)# end
4. Enter the copy command to save the running-config file to the startup-config file.
Enabling automatic edge detection (DCB)
From the DCB interface, use this command to automatically identify the edge port. The port can become an edge port if no BPDU is received. By default, automatic edge detection is disabled. To enable automatic edge detection on the DCB interface, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to access global configuration mode.
2.
Enabling a port (interface) as an edge port (DCB)
From the DCB interface, use this command to enable the port as an edge port to allow the port to quickly transition to the forwarding state.
NOTE This command is only for RSTP and MSTP. Use the spanning-tree portfast command for STP (refer to Enabling port fast (DCB) on page 428).
Follow these guidelines to configure a port as an edge port:
• A port can become an edge port if no BPDU is received.
Specifying the STP hello time (DCB)
The gigabitethernet rbridge-id/slot/port keyword is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8. The prompt for these ports is in the format: switch(config-if-gi-22/0/1)#.
switch(config)# interface tengigabitethernet 0/1
3. Enter the no shutdown command to enable the DCB interface.
switch(conf-if-te-0/1)# no shutdown
4. Enter the spanning-tree command to enable guard root on a DCB interface.
Specifying a link type (DCB)
4. Enter the spanning-tree command to specify the restrictions for an MSTP instance on a DCB interface.
switch(conf-if-te-0/1)# spanning-tree instance 5 restricted-tcn
5. Return to privileged EXEC mode.
switch(conf-if-te-0/1)# end
6. Enter the copy command to save the running-config file to the startup-config file.
switch# copy running-config startup-config
Specifying a link type (DCB)
From the DCB interface, use this command to specify a link type.
Specifying the port priority (DCB)
3. Enter the no shutdown command to enable the DCB interface.
switch(conf-if-te-0/1)# no shutdown
4. Enter the spanning-tree command to enable port fast on the DCB interface.
switch(conf-if-te-0/1)# spanning-tree portfast
Specifying the port priority (DCB)
From the DCB interface, use this command to specify the port priority. The range is from 0 through 240 in increments of 16. The default value is 128.
Restricting the topology change notification (DCB)
From the DCB interface, use this command to restrict the topology change notification BPDUs sent on the interface. By default, the restriction is disabled. This procedure affects MSTP only. To restrict the topology change notification BPDUs sent on the DCB interface, run the following steps in privileged EXEC mode.
1. Enter the configure terminal command to access global configuration mode.
2.
Configuring DiST
The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8. The prompt for these ports is in the following format: switch(config-if-gi-22/0/1)#.
switch(config)# interface tengigabitethernet 0/1
3. Enter the no shutdown command to enable the DCB interface.
switch(conf-if-te-0/1)# no shutdown
4. Enter the spanning-tree command to enable spanning tree on the DCB interface.
Configuring UDLD
● UDLD overview............................................................................................................. 433
● Configuring UDLD......................................................................................................... 435
● Other UDLD-related commands....................................................................................
Configuring UDLD FIGURE 50 Four-switch example for UDLD In the figure above, STP detects that the port on switch D that is connected to switch C should be put into a blocked state. Therefore, no data traffic gets transmitted or received on this port. Data traffic remains blocked as long as switch D receives bridge protocol data units (BPDUs) from both switches C and B.
Configuring UDLD
Follow the steps below to configure basic UDLD on your switch.
1. Enter global configuration mode by entering the configure command from the desired switch:
switch# configure
2. To enable the UDLD protocol, as well as to enter protocol UDLD configuration mode, enter the protocol udld command.
switch(config)# protocol udld
3. (Optional) You can change the interval at which UDLD PDUs are transmitted from edge ports.
Configuring Link Aggregation
● Link aggregation overview............................................................................................ 437
● Link aggregation setup..................................................................................................439
Link aggregation overview
Link aggregation allows you to bundle multiple physical Ethernet links to form a single logical trunk providing enhanced performance and redundancy.
Dynamic link aggregation
• Passive mode — LACP responds to Link Aggregation Control Protocol Data Units (LACPDUs) initiated by its partner system but does not initiate the LACPDU exchange.
• Active mode — LACP initiates the LACPDU exchange regardless of whether the partner system sends LACPDUs.
Dynamic link aggregation
Dynamic link aggregation uses LACP to negotiate which links can be added and removed from a LAG.
Virtual LAGs
You can configure a maximum of 24 LAGs with up to 16 links per standard LAG, or four links per Brocade-proprietary LAG. Each LAG is associated with an aggregator. The aggregator manages the Ethernet frame collection and distribution functions. On each port, link aggregation control does the following:
• Maintains configuration information to control port aggregation.
• Exchanges configuration information with other devices to form LAGs.
vLAG configuration overview vLAG configuration overview Network OS 4.0 and later supports the option of setting the "Allowed Speed" of the port-channel to either 1 Gbps or 10 Gbps. The default is 10 Gbps. If the port-channel is 1 Gbps, then the speed needs to be configured before the port-channel is enabled. Otherwise, the physical links are throttled down because of a speed mismatch. Refer to the Network OS Command Reference for information on the speed command.
Configuring vLAGs to minimize packet loss
This topic provides background on configuring a vLAG to minimize packet loss. In scenarios where a vLAG spans more than one node, the vlag ignore-split command minimizes the extent of packet loss in the event of one of the nodes in the vLAG going down, and also reduces vLAG failover downtime. The scope of this configuration is per port-channel on LACP-based vLAGs.
Configuring Link Aggregation FIGURE 51 vLAG configuration of the ignore-split feature To reduce vLAG failover downtime, you must configure ignore-split on all of the legs in the vLAG (RB2, RB3 and RB4 in this case). NOTE By default, vlag ignore-split is already activated in VCS. Configuring the vLAG ignore-split feature on page 443 walks you through setting up the vLAG ignore-split feature.
Configuring the vLAG ignore-split feature
This topic describes how to configure the vLAG ignore-split feature. To configure the vLAG ignore-split feature, perform the following steps.
NOTE The following example is based on the illustration in Configuring vLAGs on page 440.
1. Log in to RB2, the first leg of the vLAG 1.
2. Access the port-channel for the first leg.
switch(config)# interface port-channel 1
3. Activate vLAG ignore split.
Configuring and managing LACP NOTE When configuring load balancing on a Brocade VDX 6710, Brocade VDX 6720, Brocade VDX 6730, or Brocade VDX 6740, it should be configured consistently for all port-channels on the switch. These switches support one load-balancing scheme at a time, and apply the last loaded load-balancing scheme to all port-channels on the switch. This is not required for the Brocade VDX 8770 platform, as it supports multiple port-channel load-balancing schemes.
Configuring the LACP system priority
To add additional interfaces to an existing LAG, repeat this procedure using the same LAG group number for the new interfaces. Enter the copy running-config startup-config command to save your configuration.
To enable LACP on a DCB interface, perform the following steps:
1. Enter the configure terminal command to access global configuration mode.
2. Enter the interface command to specify the DCB interface type and slot/port number.
Clearing LACP counter statistics on a LAG
This topic describes how to clear LACP counter statistics on a single LAG. Enter clear lacp LAG_group_number counters to clear the LACP counter statistics for the specified LAG group number.
switch# clear lacp 42 counters
Clearing LACP counter statistics on all LAG groups
This topic describes how to clear the LACP counter statistics for all LAG groups.
Configuring Link Aggregation
If a Brocade-based dynamic trunk is configured on a link and the link is not able to join the LAG, do the following:
• Make sure that both ends of the link are configured as Brocade for trunk type.
• Make sure that both ends of the link are not configured for passive mode. They must be configured as active/active, active/passive, or passive/active.
Configuring LLDP
● LLDP overview.............................................................................................................. 449
● Configuring and managing LLDP.................................................................................. 453
LLDP overview
The IEEE 802.1AB Link Layer Discovery Protocol (LLDP) enhances the ability of network management tools to discover and maintain accurate network topologies and simplify LAN troubleshooting in multivendor environments.
Configuring LLDP In LLDP the link discovery is achieved through the exchange of link-level information between two link partners. The link-level information is refreshed periodically to reflect any dynamic changes in link-level parameters. The basic format for exchanging information in LLDP is in the form of a type, length, value (TLV) field. LLDP keeps a database for both local and remote configurations. The LLDP standard currently supports three categories of TLVs.
DCBX
‐ MAC/PHY configuration/status TLV — Indicates duplex and bit rate capabilities and the current duplex and bit rate settings of the local interface. It also indicates whether the current settings were configured through auto-negotiation or through manual configuration.
‐ Power through media dependent interface (MDI) TLV — Indicates the power capabilities of the LAN device.
Priority Flow Control
TABLE 73 ETS priority grouping of IPC, LAN, and SAN traffic (Continued)
Priority   Priority group   Bandwidth check
6          2                Yes
5          2                Yes
4          2                Yes
3          1                Yes
2          1                Yes
1          2                Yes
0          2                Yes
Priority Flow Control
With Priority Flow Control (PFC), it is important to provide lossless frame delivery for certain traffic classes while maintaining existing LAN behavior for other traffic classes on the converged link. This differs from the traditional 802.
Configuring and managing LLDP Configuring and managing LLDP The following sections discuss working with the Link Layer Discovery Protocol (LLDP) on Brocade devices. Understanding the default LLDP The following table lists the default LLDP configuration. Consider this when making changes to the defaults.
Resetting LLDP globally
1. Enter the protocol lldp command to enter protocol configuration mode.
switch(config)# protocol lldp
2. Enter the disable command to disable LLDP globally.
switch(conf-lldp)# disable
Resetting LLDP globally
The no protocol lldp command returns all configuration settings made using the protocol LLDP commands to their default settings. To reset LLDP globally, perform the following steps from privileged EXEC mode.
1.
Specifying a user description for LLDP
To specify a user description for LLDP, perform the following steps from privileged EXEC mode. This description is for network administrative purposes and is not seen by neighboring switches.
1. Enter the configure terminal command to access global configuration mode.
2. Enter LLDP configuration mode.
switch(config)# protocol lldp
3. Specify a user description for LLDP.
Configuring the advertisement of LLDP DCBX-related TLVs
1. Enter the configure terminal command to access global configuration mode.
2. Enter LLDP configuration mode.
switch(config)# protocol lldp
3. Advertise the optional LLDP TLVs.
switch(conf-lldp)# advertise optional-tlv management-address port-description system-capabilities system-name system-description
Configuring the advertisement of LLDP DCBX-related TLVs
By default, for a switch in standalone mode only "dcbx-tlv" is advertised.
Configuring iSCSI priority
NOTE Brocade recommends against advertising dot1.tlv and dot3.tlv LLDPs if your network contains CNAs from non-Brocade vendors, as doing so may cause functionality problems.
10. Return to privileged EXEC mode.
switch(conf-lldp-profile-UK_LLDP_IT)# end
11. Enter the copy command to save the running-config file to the startup-config file.
Configuring LLDP interface-level command options An explanation of syntax "priority-table 1 2 2 2 2 2 2 15.0" is as follows: This shows the definition of a CEE Map with Priority to Priority Group mapping of CoS=1, CoS=2, CoS=3, CoS=4, CoS=5, and CoS=6 to a DWRR Priority Group ID of 2, and CoS=0 to a Priority Group ID of 1, and CoS=7 to a Strict Priority Group. This is one way to provision the CEE Priority to Priority Group Table, which maps each of the eight ingress CoS into a Priority Group.
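As an added illustration (not code from the guide), the following Python parses a priority-table line into the CoS-to-Priority-Group mapping explained above and inverts it per group. Treating any group ID written as 15.x as a strict-priority group is an assumption drawn from the 15.0 entry in the text, and the function names are mine.

```python
"""Parse a CEE map 'priority-table' line into the CoS-to-priority-group table it
provisions, e.g. "priority-table 1 2 2 2 2 2 2 15.0".  Added illustration, not
Network OS code."""

# Assumption: group IDs written "15.<n>" denote strict-priority groups; plain
# integers are DWRR priority group IDs.
STRICT_PREFIX = "15."


def is_strict(pgid):
    """True for a strict-priority group ID such as "15.0"."""
    return pgid.startswith(STRICT_PREFIX)


def parse_priority_table(line):
    """Return {cos: pgid} for the eight ingress CoS values 0..7.  The pgid is
    kept as the token from the command ("2" for DWRR, "15.0" for strict)."""
    tokens = line.split()
    if not tokens or tokens[0] != "priority-table":
        raise ValueError("expected a line starting with 'priority-table'")
    pgids = tokens[1:]
    # Positional syntax: the n-th token is the group for CoS n, so exactly
    # eight tokens are required.
    if len(pgids) != 8:
        raise ValueError(f"priority-table takes 8 group IDs (CoS 0-7), got {len(pgids)}")
    for pgid in pgids:
        strict_ok = is_strict(pgid) and pgid[len(STRICT_PREFIX):].isdigit()
        if not (pgid.isdigit() or strict_ok):
            raise ValueError(f"bad priority group ID {pgid!r}")
    return {cos: pgid for cos, pgid in enumerate(pgids)}


def group_members(table):
    """Invert the CoS table: {pgid: [cos, ...]} with CoS values ascending."""
    members = {}
    for cos, pgid in sorted(table.items()):
        members.setdefault(pgid, []).append(cos)
    return members


def describe(table):
    """Render the mapping one line per group, as the text explains it."""
    lines = []
    for pgid, coses in group_members(table).items():
        kind = "Strict Priority Group" if is_strict(pgid) else f"DWRR Priority Group {pgid}"
        lines.append("CoS " + ", ".join(str(c) for c in coses) + f" -> {kind}")
    return lines


if __name__ == "__main__":
    # The example line quoted in the text.
    for line in describe(parse_priority_table("priority-table 1 2 2 2 2 2 2 15.0")):
        print(line)
```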
Clearing LLDP-related information
1. Use the show lldp command to display LLDP general information.
switch# show lldp
2. Use the show lldp command to display LLDP interface-related information. The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, VDX 8770-4, and VDX 8770-8. The prompt for these ports is in the following format: switch(config-if-gi-22/0/1)#.
Configuring ACLs ● ACL overview................................................................................................................ 461 ● Configuring and managing ACLs.................................................................................. 464 ACL overview NOTE In the Brocade Network OS 4.0.0 release, both Ingress Layer 2 MAC access control lists (ACLs) and Layer 3 IP ACLs are supported. With the introduction of Network OS 4.0.
IP ACLs
• Logical interfaces (LAGs)
• VLANs

IP ACLs
The IP ACLs control access to the switch. The policies do not control the egress and outbound management traffic initiated from the switch. The IP ACLs support both IPv4 and IPv6 simultaneously. An IP ACL is a set of rules that are applied to the interface as a packet filtering firewall. Each rule defines whether traffic of a combination of source and destination IP address, protocol, or port, is to be denied or permitted.
Configuring ACLs
TABLE 75 IP ACL parameters
ACL / Rule type | IP ACL parameter | IP ACL parameter definition
Standard IP ACL | name | The name of the standard IP ACL. The name must begin with a-z, A-Z, or 0-9. Underscores and hyphens are also accepted except as the first character. The ACL name must be unique among all ACL types (L2/L3) and cannot contain more than 63 characters.
Standard IP ACL | rule seq | The sequence number of the rule. The number must be from 0 through 4294967290.
Default ACLs
TABLE 75 IP ACL parameters (Continued)
ACL / Rule type | IP ACL parameter | IP ACL parameter definition
 | hard drop | Overrides the trap behavior for control frames and data frames such as echo request (ping).
Creating a standard MAC ACL and adding rules
• The default action of "deny any" is inserted at the end of a bound L3 ACL. This default rule is not exposed to the user.
• Applying a hard-drop ACL in place of a permit or deny ACL enables packets to be dropped and overrides the control packet trap entries, but does not override a permit entry that occurs before the rule in the ACL.
• You cannot delete an ACL if it is applied to an interface.
Creating an extended MAC ACL and adding rules
4. Enter the permit command to create a rule in the MAC ACL to permit traffic with the source MAC address.
switch(conf-macl-std)# permit 0022.5555.3333 count
5. Use the seq command to create MAC ACL rules in a specific sequence.
switch(conf-macl-std)# seq 100 deny 0011.2222.3333 count
switch(conf-macl-std)# seq 1000 permit 0022.1111.2222 count
6. Return to privileged EXEC mode.
switch(conf-macl-std)# end
7.
Applying a MAC ACL to a VLAN interface
NOTE
The DCB interface must be configured as a Layer 2 switch port before an ACL can be applied as an access-group to the interface.
To apply a MAC ACL to a DCB interface, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to access global configuration mode.
2. Enter the interface command to specify the DCB interface type and slot/port number.
Removing a MAC ACL
1. Enter the configure terminal command to access global configuration mode.
2. Enter the mac command to specify the ACL called test_02 for modification.
switch(config)# mac access-list extended test_02
3. Enter the no seq command to delete the existing rule 100.
switch(conf-macl-ext)# no seq 100
-or-
Enter the seq command to recreate rule number 100 with new parameters.
Creating an extended IP ACL
To create an extended IP ACL, perform the following steps in global configuration mode.
1. Use the ip access-list extended command to enter the configuration mode.
switch(config)# ip access-list extended extdACL5
2. Use the seq command to enter the rules for the ACL. You can enter multiple rules, one seq command per rule at the switch(config-ip-ext)# prompt.
switch(config-ip-ext)# seq 5 deny tcp host 10.24.26.
NOTE
Before downgrading firmware, you must unbind any ACLs on the management interface, or the downgrade will be blocked.

Displaying the IP ACL configuration
To display the IP ACL configuration, use the show running-config ip access-list command in privileged EXEC mode.
switch# show running-config ip access-list
ip access-list standard stdACL3
seq 5 permit host 10.20.33.4
seq 7 permit any
!
ip access-list extended extdACL5
seq 5 deny tcp host 10.24.26.
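The rule semantics this chapter states (rules are evaluated in ascending seq order no matter the order they were entered, the first match wins, a hidden "deny any" closes a bound L3 ACL, and hard-drop overrides the control-frame trap entries but not a permit that sits earlier in the list) are easy to get wrong when reviewing a long ACL. The following Python model is an added example written for this page; it is not code from the guide or from Network OS. The rule grammar it accepts is a simplified subset (seq, action, protocol, source, destination, with any/host/CIDR addresses and no port matching), the set of "trapped" protocols is a constructed stand-in for the switch's real trap table, and the ACL contents are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Protocols whose frames the hardware would normally trap to the CPU even when a
# plain deny matches (constructed stand-in for the real trap table; ICMP echo
# request is the example the guide gives for what hard-drop overrides).
TRAPPED_PROTOCOLS = {"icmp"}

SEQ_MAX = 4294967290  # upper bound for seq quoted in this chapter


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str   # "permit", "deny" or "hard-drop"
    proto: str    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D/len' at tokens[i]; return (net, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def _fmt_addr(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return "host %s" % net.network_address
    return str(net)


def parse_rule(line):
    """Parse a simplified 'seq N permit|deny|hard-drop <proto> <src> <dst>' rule."""
    t = line.split()
    if len(t) < 6 or t[0] != "seq":
        raise ValueError("expected 'seq N action proto src dst': " + line)
    seq = int(t[1])
    if not 0 <= seq <= SEQ_MAX:
        raise ValueError("seq %d outside 0-%d" % (seq, SEQ_MAX))
    action, proto = t[2], t[3]
    if action not in ("permit", "deny", "hard-drop"):
        raise ValueError("unknown action " + action)
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return Rule(seq, action, proto, src, dst)


class ExtendedIpAcl:
    """Ordered rule set with the evaluation semantics this chapter describes."""

    def __init__(self, name):
        self.name = name
        self.rules = {}   # seq -> Rule; re-entering a seq replaces that rule

    def add(self, line):
        r = parse_rule(line)
        self.rules[r.seq] = r

    def remove(self, seq):
        del self.rules[seq]

    def running_config(self):
        """Rules in the order the switch evaluates them (ascending seq)."""
        lines = ["ip access-list extended %s" % self.name]
        for r in sorted(self.rules.values(), key=lambda r: r.seq):
            lines.append("seq %d %s %s %s %s" % (
                r.seq, r.action, r.proto, _fmt_addr(r.src), _fmt_addr(r.dst)))
        return lines

    def evaluate(self, proto, src, dst):
        """Disposition of one packet: 'permit', 'deny', 'drop' (hard-drop matched) or
        'trap' (denied by ACL, but still trapped to the CPU because no hard-drop matched)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in sorted(self.rules.values(), key=lambda r: r.seq):
            if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
                continue
            if r.action == "permit":
                return "permit"
            if r.action == "hard-drop":
                return "drop"
            break   # explicit deny: same outcome as the hidden default below
        # Hidden 'deny any' at the end of a bound L3 ACL. Control frames such as ping
        # keep their trap entry unless a hard-drop rule matched above.
        return "trap" if proto in TRAPPED_PROTOCOLS else "deny"
```

Entering the seq 1000 permit first and the seq 5 permit last, as below, shows that the lookup order is the sequence number, not the entry order; the final two checks show a permit ahead of a hard-drop winning, which is the behaviour the bullet list above warns about.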
Configuring QoS ● QoS overview................................................................................................................471 ● Configuring QoS............................................................................................................486 QoS overview Quality of Service (QoS) provides you with the capability to control how the traffic is moved from switch to switch.
Rewriting
LOG indication for the disabled interface. This feature is supported on Brocade VDX 8770 series, VDX 6740, and VDX 6740-T platforms.
• Data Center Bridging. DCB describes an enhanced Ethernet that will enable convergence of various applications in data centers (LAN, SAN, and IPC) onto a single interconnect technology.

Rewriting
Rewriting a frame header field is typically performed by an edge device.
Tail drop
Tail drop queuing is the most basic form of congestion control. Frames are queued in FIFO order and queue buildup can continue until all buffer memory is exhausted. This is the default behavior when no additional QoS has been configured. The basic tail drop algorithm has no knowledge of multiple priorities; per-traffic-class drop thresholds can be associated with a queue to address this.
Random Early Discard Instead of using the standard priority values, you can assign anywhere from 0% through 100% priority to any threshold, as long as the sum of all eight priorities does not exceed 100%.
Ethernet Pause features device receives a PAUSE frame, it must stop sending any data on the interface for the specified length of time, once it completes the transmission of any frame in progress. You can use this feature to reduce Ethernet frame losses by using a standardized mechanism. However, the pause mechanism does not have the ability to selectively back-pressure data sources multiple hops away, or to exert any control per VLAN or per priority, so it is disruptive to all traffic on the link.
Multicast rate limiting
NOTE
The Brocade VDX 6740 series platforms support only two PFCs.
Ethernet Priority Flow Control includes the following features:
• Everything operates exactly as in Ethernet Pause described above, except there are eight high-water and low-water thresholds for each input port. This means queue levels are tracked per input port plus priority.
• Pause On/Off can be specified independently for TX and RX directions per priority.
Scheduling
‐ 1-gigabit Ethernet
‐ 10-gigabit Ethernet
‐ 40-gigabit Ethernet
‐ 100-gigabit Ethernet
• BUM storm control and input service-policy are mutually exclusive features. Only one can be enabled at a time on a given interface.
• BUM storm control replaces the multicast rate-limit feature for Brocade VDX 6740, VDX 8770-4 and VDX 8770-8, and later platforms. This command is not supported on the Brocade VDX 6710, VDX 6720, and VDX 6730.
Traffic class scheduling policy FIGURE 54 WRR schedule — two queues Deficit Weighted Round Robin (DWRR) is an improved version of WRR. DWRR remembers the excess used when a queue goes over its bandwidth allocation and reduces the queue’s bandwidth allocation in the subsequent rounds. This way the actual bandwidth usage is closer to the defined level when compared to WRR.
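The difference between WRR and DWRR described above only shows up when queues carry frames of different sizes: WRR counts frames, so a queue of jumbo-sized frames takes far more than its share of the link, while DWRR counts bytes and carries the unused remainder (the deficit) forward. The following Python simulation is an added example for this page, not code from the guide or from Network OS. The two schedulers, the quantum sizes, and the two constructed queues (1500-byte frames against 64-byte frames) are this example's own assumptions; the DWRR variant is the textbook deficit round robin in which an emptied queue forfeits its deficit.

```python
from collections import deque


def wrr(queues, weights, rounds):
    """Weighted round robin over queues of frame lengths (bytes). Each round,
    queue i may send up to weights[i] frames regardless of their size.
    Returns the bytes served from each queue."""
    queues = [deque(q) for q in queues]
    served = [0] * len(queues)
    for _ in range(rounds):
        for i, q in enumerate(queues):
            for _ in range(weights[i]):
                if q:
                    served[i] += q.popleft()
    return served


def dwrr(queues, quantum, rounds):
    """Deficit weighted round robin. Each round queue i earns quantum[i] bytes of
    credit; it sends frames while the head frame fits in its credit and carries
    the unused remainder (the deficit) into the next round. A queue that empties
    forfeits its credit, so an idle queue cannot bank bandwidth."""
    queues = [deque(q) for q in queues]
    served = [0] * len(queues)
    deficit = [0] * len(queues)
    for _ in range(rounds):
        for i, q in enumerate(queues):
            if not q:
                deficit[i] = 0
                continue
            deficit[i] += quantum[i]
            while q and q[0] <= deficit[i]:
                deficit[i] -= q[0]
                served[i] += q.popleft()
            if not q:
                deficit[i] = 0
    return served


def shares(served):
    """Fraction of the total bytes each queue obtained."""
    total = sum(served)
    return [s / total for s in served]


if __name__ == "__main__":
    # Constructed traffic: queue 0 holds 1500-byte frames, queue 1 64-byte frames.
    big, small = [1500] * 300, [64] * 3000
    print("WRR  1:1 ->", wrr([big, small], [1, 1], 10))          # [15000, 640]
    print("DWRR 1:1 ->", dwrr([big, small], [1500, 1500], 10))   # [15000, 14976]
```

With equal weights the WRR run gives the large-frame queue about 96% of the bytes; the DWRR run splits them almost evenly, and the 24 bytes the small-frame queue did not get are exactly the deficit it carries into the next round.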
FIGURE 55 Strict priority and Weighted Round Robin scheduler

Multicast queue scheduling
The multicast traffic classes are numbered from 0 to 7; higher numbered traffic classes are considered higher priority. A fixed mapping from multicast traffic class to equivalent unicast traffic class is applied to select the queue scheduling behavior. The Multicast traffic class equivalence mapping table below presents the multicast traffic class with the equivalence mapping applied.
Configuring QoS
The DCB Priority Group Table defines each Priority Group ID (PGID) and its scheduling policy (Strict Priority versus DWRR, DWRR weight, relative priority), and partially defines the congestion control (PFC) configuration. There are 16 rows in the DCB Priority Group Table. The table below presents the default DCB Priority Group Table configuration.
TABLE 79 Default DCB Priority Group Table configuration
PGID | Bandwidth% | PFC
15.0 | – | Y
15.1 | – | N
15.2 | – | N
15.3 | – | N
15.4 | – | N
15.
Brocade VCS Fabric QoS
congestion control because the set of priorities mapped to the Priority Group is not known, which leads into the DCB Priority Table. The DCB Priority Table defines each CoS mapping to Priority Group, and completes PFC configuration. The table below shows an example of mapping in the DCB Priority Table.
TABLE 80 Example of mapping DCB priority table values
CoS | PGID
0 | 15.6
1 | 15.7
2 | 15.5
3 | 15.4
4 | 15.3
5 | 15.2
6 | 15.1
7 | 15.
Port-based Policer
• DSCP trust is disabled in VCS mode as it is for CoS trust.
• There are no default DSCP maps in VCS mode. Default maps occur when DSCP trust is enabled in standalone mode.
• A nondefault DSCP-Traffic-Class map has the following restrictions:
‐ A DSCP value cannot be classified to Traffic Class 7.
‐ A DSCP value cannot be classified to a queue that carries lossless traffic (by default Traffic Class 3).
Policing parameters
• Traffic flagged as green or "conform" conforms to the committed information rate (CIR) as defined by the cir-rate variable for the policy-map (refer to Policing parameters on page 483). This rate can be anything from 40000 to 400000000000 bps.
• Traffic flagged as yellow or "exceed" exceeds the CIR, but conforms to the Excess Information Rate (EIR) defined by the eir-rate variable for the policy-map (refer to Policing parameters on page 483).
Parameters that apply actions to conform and exceed traffic
The eir parameter defines the value of the EIR as the rate provided in the eir-rate variable. Acceptable values are in multiples of 40000 in the range 0-40000000000 bps.
ebs ebs-size
The ebs parameter defines the value of the EBS as the size provided in the ebs-size variable. Acceptable values are 1250-5000000000 bytes in increments of 1 byte.
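To make the green/yellow/red classification above concrete, here is an added example, written for this page and not taken from the guide or from Network OS: a two-rate three-color marker driven by cir, cbs, eir and ebs, with the parameter ranges checked against the values this section states, and a police priority-map applied per color. The guide names the parameters but not the marking algorithm, so the RFC 4115-style token-bucket logic is this example's assumption; so is dropping "violate" traffic, and the burst of 1500-byte frames is constructed sample input. No cbs range is quoted on this page, so only positivity is checked for it.

```python
# Parameter ranges quoted in this section of the guide (bps and bytes).
CIR_RANGE = (40_000, 400_000_000_000)
EIR_RANGE = (0, 40_000_000_000)
EBS_RANGE = (1_250, 5_000_000_000)
RATE_STEP = 40_000


def validate_policer(cir, cbs, eir=0, ebs=0):
    """Reject parameter values outside the ranges this section states."""
    if not CIR_RANGE[0] <= cir <= CIR_RANGE[1]:
        raise ValueError("cir %d bps outside %d-%d" % (cir, *CIR_RANGE))
    if cbs <= 0:
        raise ValueError("cbs must be a positive number of bytes")
    if not EIR_RANGE[0] <= eir <= EIR_RANGE[1] or eir % RATE_STEP:
        raise ValueError("eir must be a multiple of %d in %d-%d bps" % (RATE_STEP, *EIR_RANGE))
    if eir and not EBS_RANGE[0] <= ebs <= EBS_RANGE[1]:
        raise ValueError("ebs %d bytes outside %d-%d" % (ebs, *EBS_RANGE))


class TwoRateMarker:
    """Color-blind two-rate three-color marker (RFC 4115 style; an assumption,
    the guide does not state the algorithm). Rates in bps, buckets in bytes,
    timestamps in seconds."""

    def __init__(self, cir, cbs, eir=0, ebs=0):
        validate_policer(cir, cbs, eir, ebs)
        self.cir, self.cbs, self.eir, self.ebs = cir, cbs, eir, ebs
        self.tc, self.te = float(cbs), float(ebs)   # committed / excess tokens
        self.last = 0.0

    def _refill(self, now):
        dt = max(0.0, now - self.last)
        self.tc = min(self.cbs, self.tc + self.cir / 8.0 * dt)
        self.te = min(self.ebs, self.te + self.eir / 8.0 * dt)
        self.last = now

    def mark(self, length, now):
        """Return 'green' (conform), 'yellow' (exceed) or 'red' (violate)."""
        self._refill(now)
        if self.tc >= length:
            self.tc -= length
            return "green"
        if self.te >= length:
            self.te -= length
            return "yellow"
        return "red"


# A police priority-map: per color, the CoS that each incoming CoS 0-7 is
# re-marked to. The default leaves every priority unchanged.
DEFAULT_PRIORITY_MAP = {"conform": list(range(8)), "exceed": list(range(8))}


def police(marker, frames, priority_map=DEFAULT_PRIORITY_MAP):
    """frames: iterable of (timestamp, length_bytes, cos). Returns a list of
    (color, cos_out); cos_out is None for frames dropped as 'violate'
    (dropping red traffic is this example's assumed violate action)."""
    out = []
    for ts, length, cos in frames:
        color = marker.mark(length, ts)
        if color == "green":
            out.append((color, priority_map["conform"][cos]))
        elif color == "yellow":
            out.append((color, priority_map["exceed"][cos]))
        else:
            out.append((color, None))
    return out
```

With cir and eir both 40000 bps and 5000-byte buckets, a burst of seven 1500-byte frames at t=0 yields three green, three yellow and one red frame; half a second later the committed bucket has refilled 2500 bytes and the next frame is green again. A marker configured without eir/ebs has no yellow state at all: once cbs is spent, everything is red.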
Configuration rules and considerations for Policer
The following are rules for configuring maps and using policing parameters for the Policer feature:
• A policy-map, class-map, or priority-map name must be unique among all maps of that type.
• A policy-map is not supported on an ISL port.
• A Policer name must begin with a-z or A-Z. You can use underscore, hyphen, and numeric values 0-9 except as the first character.
Lossless traffic with Policer
TABLE 81 Policer behavior for L2 and L3 control packets
Protocol | Ingress Policer | Egress Policer
LLDP | Enabled if protocol is not enabled and disabled if protocol is enabled. | Disabled
LACP | Enabled if protocol is not enabled and disabled if protocol is enabled. | Disabled
STP | Enabled if protocol is not enabled and disabled if protocol is enabled. | Disabled
DOT1X | Enabled if protocol is not enabled and disabled if protocol is enabled. |
Understanding default user-priority mappings for untrusted interfaces
When Layer 2 QoS trust is set to untrusted, the default is to map all Layer 2 switched traffic to the port default user priority value of 0 (best effort), unless the user priority is configured to a different value. The following table presents the Layer 2 QoS untrusted user-priority generation table.
TABLE 83 IEEE 802.1Q default priority mapping (Continued)
Incoming CoS | User Priority
6 | 6
7 | 7

Configuring QoS mappings
Consider the topics discussed below when configuring the QoS mappings.
Configuring the QoS trust mode
The QoS trust mode controls user priority mapping of incoming traffic. The Class of Service (CoS) mode sets the user priority based on the incoming CoS value. If the incoming packet is not priority tagged, then fallback is to the Interface Default CoS value.
Configuring user-priority mappings
To configure user-priority mappings, perform the following steps from privileged EXEC mode.
1. Enter global configuration mode.
switch# configure terminal
2. Specify the Ethernet interface. The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, VDX 8770-4, and VDX 8770-8. The prompt for these ports is in the following format: switch(config-if-gi-22/0/1)#.
5. Return to privileged EXEC mode.
switch(conf-if-te-2/1/2)# end
6. Enter the copy command to save the running-config file to the startup-config file.
switch# copy running-config startup-config

Verifying CoS-to-CoS mutation QoS mapping
To verify applied QoS maps, you can use one or both of the following options from global configuration mode.
• Verify the CoS mutation mapping for a specific map by using the do show qos maps cos-mutation command and the map name.
Verifying DSCP trust
NOTE
Note the restrictions for using this feature in VCS mode under Restrictions for Layer 3 features in VCS mode on page 481.
To configure DSCP trust mode, perform the following steps from privileged EXEC mode.
1. Enter global configuration mode.
switch# configure terminal
2. Specify the Ethernet interface. The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8.
Applying a DSCP mutation map to an interface
• DSCP values 1, 3, 5, and 7 are set to output as DSCP number 9.
• DSCP values 11, 13, 15, and 17 are set to output as DSCP number 19.
• DSCP values 12, 14, 16, and 18 are set to output as DSCP number 20.
• DSCP values 2, 4, 6, and 8 are set to output as DSCP number 10.
4. Enter the do copy command to save the running-config file to the startup-config file.
Creating a DSCP-to-CoS mutation map
You can use the incoming DSCP value of ingress packets to remap the outgoing 802.1P CoS priority values by configuring a DSCP-to-CoS mutation map on the ingress interface. Use the following steps.
NOTE
The restrictions for using this feature in VCS mode are listed at Restrictions for Layer 3 features in VCS mode on page 481.
1. Enter global configuration mode.
switch# configure terminal
2.
Verifying a DSCP-to-CoS mutation map
DSCP trust mode classifies packets based on the incoming DSCP value. If the incoming packet is priority tagged, fallback is to classify packets based on the CoS value.
switch(conf-if-te-1/1/2)# qos trust dscp
5. Return to privileged EXEC mode.
switch(conf-if-te-1/1/2)# end
6. Enter the copy command to save the running-config file to the startup-config file.
Configuring QoS
TABLE 85 Default user priority for unicast traffic class mapping
User priority | Traffic class
0 | 1
1 | 0
2 | 2
3 | 3
4 | 4
5 | 5
6 | 6
7 | 7
You are allowed to override these default traffic class mappings per port. Once the traffic class mapping has been resolved, it is applied consistently across any queuing incurred on the ingress and the egress ports.
Configuring CoS-to-traffic-class maps
Consider the topics discussed below when configuring the CoS-to-traffic-class mappings.
Mapping a CoS to a traffic class
To map a CoS to a traffic class, perform the following steps from privileged EXEC mode.
NOTE
Creating a CoS-to-traffic-class map is available only in standalone mode.
1. Enter global configuration mode.
switch# configure terminal
2. Create the mapping by specifying a name and the mapping.
Verifying CoS-to-Traffic-Class mapping
To verify a CoS-to-Traffic-Class mapping, you can use one or both of the following options from global configuration mode.
• Verify the CoS-to-Traffic-Class mapping for a specific map by using the do show qos maps cos-traffic-class command and specifying a map name.
Applying the DSCP-to-traffic-class mapping to an interface
To activate a DSCP-to-Traffic Class mapping, perform the following steps from privileged EXEC mode.
1. Enter global configuration mode.
switch# configure terminal
2. Specify the Ethernet interface. The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8.
switch(config)# interface tengigabitethernet 1/1/2
3.
Configuring Random Early Discard
Consider the topics discussed below when configuring Random Early Discard (RED) mappings.
Understanding RED profiles
Consider the following when configuring RED.
• Up to four RED profiles can be applied to each port group. On the 48 x 10G line card, the port groups consist of ports 1–8, 9–16, 17–24, 25–32, 33–40, and 41–48. On the 12 x 40G line card, the port groups consist of ports 1–2, 3–4, 5–6, 7–8, 9–10, and 11–12.
Verifying RED profiles
NOTE
To deactivate the map from an interface, enter no qos random-detect cos value.
4. Return to privileged EXEC mode.
switch(conf-if-te-1/2/2)# end
5. Enter the copy command to save the running-config file to the startup-config file.
switch# copy running-config startup-config

Verifying RED profiles
Verify the configured RED profiles by using the show qos red profiles command.
Configuring rate limiting
1. Enter global configuration mode.
switch# configure terminal
2. Specify the Ethernet interface. The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8. The prompt for these ports is in the following format: switch(config-if-gi-22/0/1)#.
switch(config)# interface tengigabitethernet 1/1/2
3. Enable Ethernet PFC on the interface.
switch(conf-if-te-1/1/2)# qos flowcontrol pfc 3 tx on rx on
4.
Configuring scheduling
NOTE
To deactivate storm control from an interface, enter no storm-control ingress followed by the mode (broadcast, unknown-unicast, or multicast), the limit (limit-bps or limit-percent), the rate, and optionally either monitor or shutdown.

Configuring scheduling
Refer also to Scheduling on page 477.
Scheduling the QoS queue
To specify the schedule used, perform the following steps from privileged EXEC mode.
1. Enter global configuration mode.
switch# configure terminal
2.
Defining a DCB priority group table
To define a priority group table map, perform the following steps from privileged EXEC mode.
1. Enter global configuration mode.
switch# configure terminal
2. Specify the name of the DCB map to define by using the cee-map command.
NOTE
The only map name allowed is "default."
switch(config)# cee-map default
3. Define the DCB map for PGID 0.
switch(config-cee-map-default)# priority-group-table 0 weight 50 pfc on
4.
4. Return to privileged EXEC mode.
switch(conf-if-te-101/0/2)# end
5. Enter the copy command to save the running-config file to the startup-config file.
switch# copy running-config startup-config

Verifying the DCB maps
To verify the CoS DCB map, use the show cee maps default command from privileged EXEC mode.
switch# show cee maps default

Configuring Brocade VCS Fabric QoS
Refer also to Brocade VCS Fabric QoS on page 481.
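The priority-group-table and priority-table lines of the cee-map above are easy to mis-provision, because a group's PFC setting only becomes meaningful once the priority-table maps CoS values onto it, and because a DWRR group with bandwidth but no CoS mapped to it is wasted. The following Python parser and validator is an added example written for this page (it also illustrates the "priority-table 1 2 2 2 2 2 2 15.0" syntax explained in the LLDP chapter); it is not code from the guide or from Network OS. It accepts only the subset of the cee-map syntax shown on this page, treats 15.0 through 15.7 as strict-priority groups that take no weight, and assumes that the DWRR weights must total 100% (the Auto QoS map printed later in this chapter sums to 100, but the guide does not state the rule). The optional pfc_limit check models the two-PFC limit quoted for the VDX 6740; the configuration lines in the usage are constructed.

```python
import re

PG_RE = re.compile(r"^priority-group-table (15\.[0-7]|[0-7])(?: weight (\d+))? pfc (on|off)$")
PT_RE = re.compile(r"^priority-table((?: (?:15\.[0-7]|[0-7])){8})$")


class CeeMap:
    """Model of the 'default' CEE map: DWRR priority groups 0-7 with a weight,
    strict-priority groups 15.0-15.7, and the priority-table that maps the eight
    ingress CoS values (positions 0-7) onto those groups."""

    def __init__(self):
        self.groups = {"15.%d" % i: {"weight": None, "pfc": False} for i in range(8)}
        self.priority_table = None   # index = CoS, value = PGID string

    def apply(self, line):
        """Apply one config-cee-map-default line (subset of the syntax on this page)."""
        line = line.strip()
        m = PG_RE.match(line)
        if m:
            pgid, weight, pfc = m.groups()
            strict = pgid.startswith("15.")
            if strict and weight is not None:
                raise ValueError("strict priority group %s takes no weight" % pgid)
            if not strict and weight is None:
                raise ValueError("DWRR priority group %s needs a weight" % pgid)
            if weight is not None and not 1 <= int(weight) <= 100:
                raise ValueError("weight %s outside 1-100" % weight)
            self.groups[pgid] = {"weight": None if strict else int(weight), "pfc": pfc == "on"}
            return
        m = PT_RE.match(line)
        if m:
            self.priority_table = m.group(1).split()
            return
        raise ValueError("unrecognised cee-map line: " + line)

    def cos_for(self, pgid):
        return [cos for cos, p in enumerate(self.priority_table or []) if p == pgid]

    def lossless_cos(self):
        """CoS values whose group has PFC on; this is the part of the PFC
        configuration that the priority-table completes."""
        return [cos for cos, p in enumerate(self.priority_table or [])
                if p in self.groups and self.groups[p]["pfc"]]

    def cos_view(self):
        """cos -> (pgid, scheduler, weight, pfc) for every mapped CoS."""
        view = {}
        for cos, p in enumerate(self.priority_table or []):
            g = self.groups.get(p)
            if g is None:
                continue
            sched = "strict" if p.startswith("15.") else "dwrr"
            view[cos] = (p, sched, g["weight"], g["pfc"])
        return view

    def validate(self, pfc_limit=None):
        """Return a list of problems; an empty list means the map is consistent."""
        errors = []
        if self.priority_table is None:
            return ["priority-table not defined"]
        for cos, p in enumerate(self.priority_table):
            if p not in self.groups:
                errors.append("CoS %d maps to undefined priority group %s" % (cos, p))
        dwrr = {p: g for p, g in self.groups.items() if not p.startswith("15.")}
        total = sum(g["weight"] for g in dwrr.values())
        if dwrr and total != 100:   # assumed rule, see lead-in
            errors.append("DWRR weights sum to %d%%, expected 100%%" % total)
        for p in dwrr:
            if not self.cos_for(p):
                errors.append("priority group %s has bandwidth but no CoS mapped to it" % p)
        lossless = self.lossless_cos()
        if pfc_limit is not None and len(lossless) > pfc_limit:
            errors.append("%d lossless priorities exceed the platform limit of %d"
                          % (len(lossless), pfc_limit))
        return errors


if __name__ == "__main__":
    # Constructed map: the Auto QoS weights from this chapter plus the
    # priority-table from the LLDP chapter's syntax example.
    cee = CeeMap()
    for cfg in ("priority-group-table 1 weight 40 pfc on",
                "priority-group-table 2 weight 40 pfc off",
                "priority-group-table 3 weight 20 pfc off",
                "priority-table 1 2 2 2 2 2 2 15.0"):
        cee.apply(cfg)
    print(cee.cos_view())          # CoS 0 -> group 1 (DWRR 40%, PFC), CoS 7 -> 15.0 (strict)
    print(cee.validate(pfc_limit=2))   # [] ... except group 3 has no CoS mapped to it
```

In the constructed map above, validate() reports that group 3 holds 20% of the bandwidth but has no CoS mapped to it, which is exactly the "set of priorities mapped to the Priority Group is not known" situation the VCS Fabric QoS section describes; remapping one CoS onto group 3, as the test does, clears it.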
Configuring a policer class map
3. Configure a policy-map to associate QoS and policing parameters to traffic belonging to specific classification maps. Each policy-map can contain only one classification map. Refer to Configuring the policer policy-map on page 506.
4. Bind the policy-map to a specific interface using the service-policy command. Refer to Binding the policy-map to an interface on page 510.
For additional information refer to Configuring policer functions on page 504.
Configuring the policer policy-map The police priority-map will re-mark CoS values according to color-based green (conform), yellow (exceed), and red (violate) priorities. Creating a police priority-map is optional. If you do not define priority mapping for a color, the map defaults to priorities of 0, 1, 2, 3, 4, 5, 6, and 7 (in other words, nothing is modified). You can configure a maximum of 32 priority-maps (one reserved as a default), but only one map can be associated with a policer.
Configuring parameters for a class map (policy-class-map Policer mode)
To delete a policy-map, use the no keyword as in the following example.
switch(config)# no policy-map policymap1
3. Configure a class map in the policy-map by providing the class map name. This enables policy class map configuration mode. Note that the class map name in the following example matches the name provided when you create the class map by using the class-map command (refer to Configuring a policer class map on page 505).
Attaching the mutation to the class
NOTE
To configure a class map in the policy-map you must create the class map first using the class-map command while in global configuration mode. Refer to Configuring a policer class map on page 505.
4. Provide a policing parameter for the class map. This enables policy-class-map policer configuration mode.
switch(config-policymap-class)# police cir 4000000
5. Enter another parameter as applicable.
(config-policymap-class-police)# cbs 50000
6.
1. Select the policy map.
switch(config)# policy-map p1
2. Select the class.
switch(config-policymap)# class class-default
3. Specify the shaping rate for the port.
switch(config-policyclass)# port-shape 3000

Attaching the scheduler to the class
You can specify the scheduling attributes along with the per-TC shape rate. There are a total of eight queues on an interface. The number of DWRR queues present depends on the SP_COUNT value.
Binding the policy-map to an interface
Use the service-policy command to associate a policy-map with an interface to apply policing parameters.
1. Enable the global configuration mode.
switch# configure terminal
2. Specify the Ethernet interface, as in the following 10-gigabit Ethernet example.
switch(config)# interface te 1/1/2
3. Bind a policy-map to egress traffic on the interface. The following example binds policymap1 to outbound traffic on the interface.
Displaying class maps
Operational cir:39944 cbs:6518 eir:0 ebs:0
Conform Byte:0 Exceed Byte:0 Violate Byte:0
Entering show policymap without identifying an interface and specifying inbound or outbound traffic displays the policy-maps bound on all switch interfaces.
Auto QoS configuration guidelines
NOTE
As this command was created primarily to benefit Network Attached Storage devices, the commands used in the following sections use the term "NAS". However, there is no strict requirement that these nodes be actual NAS devices, as Auto QoS will prioritize the traffic for any set of specified IP addresses.

Auto QoS for NAS
There are four steps to enabling and configuring Auto QoS for NAS:
1. Enable Auto QoS.
2. Set the Auto QoS CoS value.
Auto QoS and CEE maps
‐ Logical chassis cluster mode without any extra configuration
‐ Fabric cluster mode with the proper Converged Enhanced Ethernet (CEE) map configuration
• Auto QoS only supports IPv4 addressing.
• Auto QoS can only be activated when the CEE map is set to the default values.
• If long distance ISL is configured, you cannot enable Auto QoS.
• Different NAS traffic types are not distinguished, and all NAS traffic types are treated equally.
Enabling Auto QoS for NAS
When Auto QoS is enabled, the modified CEE map will be similar to the following:
switch# show cee maps
CEE Map 'default'
Precedence: 1
Remap Fabric-Priority to Priority 0
Remap Lossless-Priority to Priority 0
Priority Group Table
1: Weight 40, PFC Enabled, BW% 40
2: Weight 40, PFC Disabled, BW% 40
3: Weight 20, PFC Disabled, BW% 20
15.0: PFC Disabled
15.1: PFC Disabled
15.2: PFC Disabled
15.3: PFC Disabled
15.4: PFC Disabled
15.5: PFC Disabled
15.6: PFC Disabled
15.
Disabling Auto QoS for NAS
The Differentiated Services Code Point (DSCP) value affects how Auto QoS operates by specifying the priority value for Network Attached Storage traffic on IP networks. If you do not specify a DSCP value, the DSCP value is set to the default of 0. Higher numbers provide a higher level of priority. The following example sets the DSCP value to 56:
switch(config)# set dscp 56
4.
Specifying NAS server IP addresses for Auto QoS
The following example shows typical output of this command, showing that Auto-NAS is enabled on two IP addresses (one using a VLAN, and one using a VRF), that it has a CoS of 2 and a DSCP of 0 (the defaults), and a Traffic Class of 5.
switch# show system internal nas
Auto-NAS Enabled
Cos 2
Dscp 0
Traffic Class 5
NAS server-ip 10.192.100.100/32 vlan 100
NAS server-ip 10.192.100.
Displaying NAS server IP addresses
• vlan vlan_ID
• vrf vrf_Name
2. Press Enter after you add each individual address entry. The following example removes two addresses, one using a VLAN mask, and the other a VRF mask.
switch(config)# no nas server-ip 10.192.100.100/32 vlan 100
switch(config)# no nas server-ip 10.192.100.101/32 vrf broceliande

Displaying NAS server IP addresses
How to display the IP addresses for network-attached storage (NAS) servers. You must be in config mode to run this command.
----------
nas server-ip 10.1.1.1/32 vrf default-vrf
matches 0 packets 0 bytes
switch# show nas statistics server-ip 10.1.1.0/24 vrf brad
nas server-ip 10.1.1.0/24 vrf brad
matches 2000000 packets 40000000 bytes

Clearing NAS server statistics
You can use this command to clear the statistics for a single IPv4 address (10.192.100.100/32), or an entire subnet (10.192.100.0/24 vlan 100).
Configuring 802.1x Port Authentication ● 802.1x protocol overview.............................................................................................. 519 ● Configuring 802.1x authentication.................................................................................519 802.1x protocol overview The 802.
Configuring authentication
The radius-server command attempts to connect to the first RADIUS server. If the RADIUS server is not reachable, the next RADIUS server is contacted. However, if the RADIUS server is contacted and the authentication fails, the authentication process does not check for the next server in the sequence. Perform the following steps to configure authentication.
1. Enter the configure terminal command to change to global configuration mode.
Configuring 802.1x port authentication on specific interface ports
• 802.1x readiness can be checked on a per-interface basis. Readiness check for all interfaces at once is not supported.
• The 802.1x test timeout is shown in the show dot1x command output.
• The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, VDX 8770-4, and VDX 8770-8. The prompt for these ports is in the following format: switch(config-if-gi-22/0/1)#.
Configuring 802.1x port reauthentication on specific interface ports
To configure 802.1x port reauthentication on a specific interface port, perform the following steps from privileged EXEC mode. Repeat this task for each interface port you want to modify.
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2. Use the interface command to select the interface port to modify.
Disabling 802.1x on specific interface ports
The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, VDX 8770-4, and VDX 8770-8. The prompt for these ports is in the following format: switch(config-if-gi-22/0/1)#.
switch(config)# interface tengigabitethernet 1/12
3. Use the dot1x reauthenticate command to re-authenticate a port where dot1x is already enabled.
switch(conf-if-te-1/12)# dot1x reauthenticate
4. Return to privileged EXEC mode.
switch(conf-if-te-1/12)# end
5.
Configuring 802.1x Port Authentication
The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, VDX 8770-4, and VDX 8770-8. The prompt for these ports is in the following format: switch(config-if-gi-22/0/1)#.
switch(config)# interface tengigabitethernet 1/12
3. To check 802.1x authentication statistics on specific interface ports, use the show dot1x command with the statistics interface keyword.
switch# show dot1x statistics interface tengigabitethernet 1/12
4.
Configuring sFlow ● sFlow protocol overview................................................................................................525 ● Configuring the sFlow protocol......................................................................................527 sFlow protocol overview The sFlow protocol is an industry-standard technology for monitoring high-speed switched networks.
Packet counter samples
A polling interval defines how often the sFlow octet and packet counters for a specific interface are sent to the sFlow collector, but the sFlow agent is free to schedule the polling in order to maximize internal efficiency.
Hardware support matrix for sFlow
The following table identifies Brocade VDX 8770 and VDX 67xx device support for specific sFlow features.
Flow-based sFlow
TABLE 87 sFlow feature support (Continued)
Feature | Brocade VDX 8770 | Brocade VDX 67xx
Sample rate calculation | Dropped packets (such as errors and ACL dropped packets) are not counted for the calculations used for sample generation | Dropped packets (such as errors and ACL dropped packets) are counted for the calculations used for sample generation
Maximum sFlow raw packet header size | 228 bytes. The hardware truncates the packet. | 128 bytes. The software truncates the packet.
Configuring sFlow for interfaces
For complete information on the sFlow CLI commands for the Brocade switch, refer to the Network OS Command Reference.
To configure sFlow globally, perform the following steps in global configuration mode.
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2. Globally enable the sFlow protocol.
switch(config)# sflow enable
3. Designate the IP address (up to five addresses) for the sFlow collector server.
Enabling and customizing sFlow on specific interfaces
Perform the following steps in privileged EXEC mode to enable and customize sFlow on an interface. This task assumes that sFlow has already been enabled at the global level; refer to Configuring the sFlow protocol globally on page 527.
1. Enter the interface command to specify the DCB interface type, the RBridge ID, and the slot/port number.
Disabling sFlow on specific interfaces
NOTE
Disabling sFlow on the interface port does not completely shut down the network communication on the interface port.
To disable sFlow on a specific interface, perform the following steps in interface configuration mode.
1. Disable the sFlow interface.
switch(conf-if)# no sflow enable
2. Return to privileged EXEC mode.
switch(conf-if)# end
3. Confirm the sFlow configuration status on the specific interface.
Disabling flow-based sFlow on specific interfaces
To disable sFlow on a specific interface, perform the following steps in interface configuration mode.
NOTE
Disabling sFlow on an interface port does not completely shut down the network communication on the interface port.
1. Disable the sFlow interface.
switch(conf-if)# no sflow enable
2. Return to privileged EXEC mode.
switch(conf-if)# end
3. Switch to interface configuration mode.
Configuring Switched Port Analyzer ● Switched Port Analyzer protocol overview.................................................................... 533 ● Configuring SPAN......................................................................................................... 536 ● Configuring RSPAN......................................................................................................
Standard SPAN guidelines and limitations

Brocade recommends that you be aware of the following standard guidelines for and limitations of SPAN connections:
• For the Brocade VDX 6720-24:
  ‐ The mirror port can be any port in the switch.
  ‐ Only one port per switch can be configured as a destination port for ingress mirroring.
  ‐ Only one port per switch can be configured as a destination port for egress mirroring.
SPAN in logical chassis cluster guidelines and limitations

In addition to the standard SPAN limitations, note the following guidelines and limitations for SPAN in a logical chassis cluster:
• The Brocade VDX 6720 is not supported as a SPAN source node in a logical chassis cluster, but it can act as a destination node.
Limitations for mirroring across RSPAN

Network OS 4.0.0 and later use Inter-Switch Links (ISLs) to mirror packets across RBridges to reach the destination. All the SPAN standalone commands function for RBridges with the following exceptions:
• The source port cannot be a Brocade VDX 6720-60 or VDX 6720-24 port.
Configuring bidirectional SPAN

The destination port is always an external port. The source and destination ports must be in the same port group for the Brocade VDX 6720-60.
   switch(config-session-1)# source tengigabitethernet 1/0/15 destination tengigabitethernet 1/0/18 direction tx

NOTE
If the following error is displayed, use the interface no lldp command to disable LLDP on the destination port before proceeding:
   % Error: Destination port cannot be in L2/L3/Qos/ACL/802.
Deleting a SPAN session

To remove a SPAN session, do the following:
1. Display the existing configuration of the monitor session.
   switch# show monitor session 1
2. Delete the existing monitor session by using the no keyword.
   switch(config)# no monitor session 1
3. Return to privileged EXEC mode with the exit command.
4. Display the monitor session again to confirm the deletion of the connection.
Configuring Switched Port Analyzer

4. Open a monitor session and assign a session number.
   switch(config)# monitor session 1
5. Configure the source port and the destination port, with the both parameter for bidirectional port mirroring. By modifying the direction parameter, you can control whether this is an ingress, egress, or bidirectional SPAN. In the case of RSPAN, the destination is the VLAN instead of a destination interface.
Configuring SFP Breakout Mode
● SFP breakout overview 541
● Configuring breakout mode for a chassis system 543
● Configuring breakout mode for a standalone switch 545
● Configuring additional breakout mode scenarios
Breakout mode interfaces

TABLE 88 Platforms supporting breakout

Platform                               Port configuration                                                                              QSFP ports
VDX 6740, VDX 6740T, VDX 6740T-1G      48 10G plus 4 40G (VDX 6740T-1G ports can be upgraded to 10G with the Port Upgrade license.)    4 (with 40GbE Port Upgrade license)
VDX 8770-4, VDX 8770-8                 12x40G and 27x40G                                                                               12 (12x40G) and 27 (27x40G)

27x40G line card restrictions

The 27x40G line card supports nine port groups of three ports each that you can configure for Performance or Density operating modes.
TABLE 89 SFP breakout values

SFP # (rbridge/slot/port)   SFP type         Interface name, breakout disabled   Interface name, breakout enabled
3/2/1                       QSFP (4 x 10G)   Fo 3/2/1                            Te 3/2/1:1, Te 3/2/1:2, Te 3/2/1:3, Te 3/2/1:4

Breakout mode limitations

In most circumstances, breakout interfaces behave the same as nonbreakout (normal) interfaces with regard to port attributes and states. Each breakout interface maintains its administrative state, operational state, and statistics.
Configuring SFP Breakout Mode

the line card powered off, you can configure Performance mode on specific 27x40GbE ports, then enable breakout mode for these ports. For more information on 27x40GbE line card operating modes and configuration, refer to Breakout mode support on page 541.

1. Enter power-off linecard card_# to power off the line card.
   a) Applications will remove all interfaces.
   b) Operational CLI commands will not show any interfaces on this line card.
   c)
Configuring breakout mode for a standalone switch

   switch# show ip int bri
   Interface                   IP-Address   Status   Protocol
   ==========================  ==========   ======   ========

   #In SA/FC mode, save running-config to start-up config"
   switch# copy running-config startup-config

   #Power on line card
   switch# power-on linecard 2

   switch# show ip int bri
   Interface
   ==========================
   FortyGigabitEthernet 1/2/1
   FortyGigabitEthernet 1/2/2
   FortyGigabitEthernet 1/2/3
   FortyGigabitEthernet 1/2/4
   FortyGigabitEthernet 1/2/5
   F
Configuring additional breakout mode scenarios

   a) The Brocade VDX 6740, 6740T, and 6740T-1G create interfaces corresponding to the SFP breakout mode of each port. For a QSFP, a single Fo interface is created in disable mode and four Te interfaces are created in enable mode.
   b) The SFP interfaces under the new mode come up in default configurations as if the system were booting up for the first time. Unaffected interfaces retain their original configurations before the switch reboot is applied.
Reserving a 40G QSFP port while in breakout mode

   Interface                      IP-Address   Vrf
   TenGigabitEthernet 48/0/47     unassigned   default-vrf
   TenGigabitEthernet 48/0/48     unassigned   default-vrf
   TenGigabitEthernet 48/0/49:1   unassigned   default-vrf
   TenGigabitEthernet 48/0/49:2   unassigned   default-vrf
   TenGigabitEthernet 48/0/49:3   unassigned   default-vrf
   TenGigabitEthernet 48/0/49:4   unassigned   default-vrf
   Vlan 1                         unassigned
   Vlan 4093                      unassigned
   Vlan 4095                      unassigned
   Status and Protocol columns (as extracted): administratively administratively up down up down up down(ISL) up down(ISL) up down(ISL) u
Releasing a 40G QSFP port while in breakout mode

The following example shows you how to release a 40G QSFP port while in breakout mode.
   switch(config-dpod-48/0/49)# dpod 48/0/49 release
   Port should be Offline to change POD assignment.
Section IV: Network OS Layer 3 Routing Features

• Configuring In-Band Management on page 551
• IP Route Policy on page 561
• Configuring IP Route Management on page 563
• Configuring PBR on page 567
• Configuring PIM on page 573
• Configuring OSPF on page 583
• Configuring VRRP on page 597
• Virtual Routing and Forwarding configuration on page 609
• Configuring BGP on page 617
• Configuring IGMP on page 641
• Configuring IP DHCP Relay on page 649
Configuring In-Band Management
● In-band management overview 551
● Configuring an in-band management interface in standalone mode 553
● Configuring an in-band management interface using OSPF 554

In-band management overview

In-band management on the Brocade VDX switches allows you to manage devices through Layer 3-enabled front-end Ethernet ports.
In-band management supported interfaces

necessary to configure IP routes throughout the network to allow the communication to take place. You can configure the management interface to use either dynamic routing protocols, such as Open Shortest Path First (OSPF), or static routing.
• To configure the in-band management interface to use static routing, refer to Configuring static routes on page 564.
• To configure the in-band management interface to use dynamic routing, refer to Configuring OSPF on page 591.
Configuring an in-band management interface in standalone mode

The figure below shows the configuration of an in-band management interface in standalone mode. In this example, the management station IP address and the Ethernet port interface IP addresses for Switch-A and Switch-B are all in the same subnet; therefore, no routing protocols are needed for the management station to connect to Switch-B through Switch-A.
Configuring an in-band management interface using OSPF

NOTE
You must configure a primary IP address only. Secondary IP addresses are not supported.

5. Enter the ip mtu command to set the interface IP Maximum Transmission Unit (MTU) in bytes.
6. Enter the arp-ageing-timeout command to configure the interface timeout parameter (in minutes) for the Address Resolution Protocol (ARP). The default timeout value is 4 hours.
7.
FIGURE 57 In-band management in a VCS fabric with dynamic routes (OSPF)

Basic configuration for a standalone in-band management

The following configuration establishes a basic in-band management connection from the management station to RBridge ID 1 (RB1) through C1. For the purpose of this example, C1 and RB1 operate in standalone mode (VCS mode is disabled). This example also illustrates the use of a VLAN to establish a connection.

1.
Configuring a management connection in VCS fabric cluster mode

   RB1(config)# do show vcs
   state : Disabled
2. C1 is a management station and automatically Telnets into node RB1.
3. Verify the in-band management connection between the management station and C1, and between C1 and RB1 (standalone test).
   a) Connect to C1 through the management interface by using an SSH session.
   b) On C1, establish a Telnet connection from C1 to RB1.
      C1# telnet 2.2.2.17/24
      Trying 2.2.2.17...
      Connected to 2.2.17.24.
   c)
   d)
Configuring In-Band Management

NOTE
If you are configuring this in logical chassis cluster mode, you do not configure the VLAN again on RB2, because RB1 (the principal node) distributes the configuration to all nodes in the logical chassis cluster.

   a) Connect to RB2 by using a serial connection.
   b) Enter the configure terminal command to enter global configuration mode.
   c) Enter the interface vlan command to configure a VLAN on RB2.
Configuring In-Band Management

   17    10:00:00:05:33:77:31:9C*   10.24.73.80   Online   RB1
   18   >10:00:00:05:33:77:23:6C   10.24.73.85   Online   RB2

4. Verify the in-band management connection to RB1 and RB2.
   a) Connect to C1 from the management station using an SSH connection.
   b) On C1, verify connectivity to RB1 (local test) by issuing the ping command to the front-end Ethernet interface (Ve port) IP address for RB1.
      C1# ping 2.2.2.17
      PING 2.2.2.17 (2.2.2.17): 56 data bytes
      64 bytes from 2.2.2.
Configuring In-Band Management

   Total Number of Nodes : 2
   Rbridge-Id   WWN                        Management IP   Status   HostName
   -----------------------------------------------------------------
   17           10:00:00:05:33:77:31:9C*   10.24.73.80     Online   RB1
   18          >10:00:00:05:33:77:23:6C   10.24.73.85     Online   RB2

If all verification steps produce the desired results, the configuration is successful, and you can use the management interface on C1 to perform management functions on both the local (RB1) and the remote (RB2) switch.
IP Route Policy
● IP route policy overview 561
● Configuring IP route policy 562

IP route policy overview

IP route policy controls how routes or IP subnets are transported from one subsystem to another subsystem.
Configuring IP route policy

may contain more than one match condition. The overall matching condition of the instance is true only if all matching conditions are met.
Configuring IP Route Management
● IP route management overview 563
● Configuring static routes 564
● Using additional IP routing commands
Configuring static routes

You can add a static route to IP route management by using the ip route commands in RBridge ID configuration mode. With these commands, you can specify either the next-hop gateway or the egress interface for the route.

NOTE
To make these same commands work in standalone mode, omit the rbridge-id command. For detailed information, refer to the Network OS Command Reference.

Specifying the next-hop gateway

To configure a static route to network 10.95.7.
Using additional IP routing commands

To configure a default route with a next-hop address of 10.95.6.157, enter the following ip route command.
   switch(config)# rbridge-id 30
   switch(config-rbridge-id-30)# ip route 0.0.0.0/0 10.95.6.157

Using additional IP routing commands

Refer to the Network OS Command Reference for more information about using additional IP routing-related commands.
Configuring PBR
● Policy-Based Routing 567
● Policy-Based Routing behavior 568
● Policy-Based Routing with differing next hops 569
● Policy-Based Routing uses of NULL0
Policy-Based Routing behavior

Route-map level permit and deny actions   ACL clause permit and deny actions   Resulting Ternary Content Addressable Memory (TCAM) action
Permit                                    Permit                               The "set" statement of the route-map entry is applied.
Permit                                    Deny                                 The packet is "passed" and routed normally. The contents of the "set" command are not applied. A rule is programmed in the TCAM as a "permit" with no result actions, preventing any further statements of the route-map ACL from being applied.
Policy-Based Routing with differing next hops

The set clauses are evaluated in the following order:
1. Set clauses where the next hop is specified.
2. Set interface NULL0.

The order in which you enter the "set ip next-hop" commands determines the order of preference. If no next hops are reachable, the egress interface is selected based on the order of interface configuration. The set interface NULL0 clause — regardless of which position it was entered — is always placed as the last selection in the list.
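The ordering rule above is easy to misread when a NULL0 clause is typed before the next hops. The following Python model, which is an added example and not Brocade code or anything from the Network OS guide, reorders a route-map stanza's set clauses the way the text describes (next hops in entry order, then other interface clauses in configuration order, NULL0 always last) and reports which clause would be marked "(selected)". Which next hops are reachable is an input the caller supplies; the assumption that any non-NULL0 interface clause is usable is the example's own, not a statement from the guide.

```python
"""Model of the PBR set-clause preference order described in the guide.

Added example, not code from Brocade or the Network OS guide.  Rule modelled:
"set ip next-hop" clauses are tried in the order entered, then "set interface"
clauses in configuration order, and "set interface NULL0" is always the last
choice no matter where it was typed.  Useful when reviewing a route map to
confirm that the NULL0 drop really is the fallback and to predict the hop that
traffic takes when the preferred next hop disappears.
"""
from typing import List, Optional, Sequence, Set, Tuple

# ("next-hop", "3.3.3.5") or ("interface", "NULL0") / ("interface", "Te 1/0/1")
Clause = Tuple[str, str]


def _is_null0(clause: Clause) -> bool:
    return clause[0] == "interface" and clause[1].upper() == "NULL0"


def ordered_clauses(clauses: Sequence[Clause]) -> List[Clause]:
    """Return the clauses in evaluation order: next hops, interfaces, NULL0 last."""
    next_hops = [c for c in clauses if c[0] == "next-hop"]
    interfaces = [c for c in clauses if c[0] == "interface" and not _is_null0(c)]
    null0 = [c for c in clauses if _is_null0(c)]
    return next_hops + interfaces + null0


def select_egress(clauses: Sequence[Clause], reachable: Set[str]) -> Optional[Clause]:
    """Pick the clause PBR would mark "(selected)" given the reachable next hops.

    Assumption (this example's, not the guide's): every interface clause,
    including NULL0, is always usable.  Returns None when no clause applies.
    """
    for kind, value in ordered_clauses(clauses):
        if kind == "next-hop":
            if value in reachable:
                return (kind, value)
            continue  # unreachable next hop: fall through to the next clause
        return (kind, value)
    return None


def render(clauses: Sequence[Clause], reachable: Set[str]) -> List[str]:
    """Render the clauses in entry order with a "(selected)" marker, like show route-map."""
    chosen = select_egress(clauses, reachable)
    lines = []
    for kind, value in clauses:
        text = f"set ip next-hop {value}" if kind == "next-hop" else f"set ip interface {value}"
        if (kind, value) == chosen:
            text += " (selected)"
        lines.append(text)
    return lines


if __name__ == "__main__":
    # Constructed stanza: NULL0 typed first, one reachable and one unreachable hop.
    stanza = [("interface", "NULL0"), ("next-hop", "3.3.3.3"), ("next-hop", "4.4.4.4")]
    for line in render(stanza, reachable={"4.4.4.4"}):
        print(line)
```

Run it to see that 4.4.4.4 is selected even though NULL0 was entered first; with an empty reachable set the NULL0 clause is selected and the traffic is dropped.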
Policy-Based Routing uses of NULL0

   set ip next-hop 4.4.4.4
   !
6. View the route map application.
   sw0# show route-map pulp-fiction
   Interface TenGigabitEthernet 3/3
     route-map pulp-fiction permit 10
       match ip address acl Jules (Active)
       set ip vrf pulp_fiction next-hop 3.3.3.3
       Policy routing matches: 0 packets; 0 bytes
     route-map pulp-fiction permit 20
       match ip address acl Vincent (Active)
       set ip vrf pulp_fiction next-hop 3.3.3.5 (selected)
       set ip next-hop 4.4.4.
Policy-Based Routing and NULL0 as route map default action

   sw0(config-routemap pulp_fiction)# set ip vrf pulp_fiction next-hop 3.3.3.3
   sw0(config-routemap pulp_fiction)# set ip interface NULL0
3. Create the second stanza of the route map. (The example uses a route map named pulp_fiction.)
   sw0(config)# route-map pulp_fiction permit 20
   sw0(config-routemap pulp_fiction)# match ip address acl Vincent
   sw0(config-routemap pulp_fiction)# set ip vrf pulp_fiction next-hop 3.3.3.
Configuring PBR

Providing the default stanza ensures that any packet that does not meet the match criteria set by the route map is dropped.
Configuring PIM
● PIM overview 573
● PIM Sparse Mode 573
● PIM topologies 574
● PIM Sparse device types
PIM topologies

PIM Sparse devices are organized into domains. A PIM Sparse domain is a contiguous set of devices that all implement PIM and are configured to operate within a common boundary. PIM-SM creates unidirectional shared trees that are rooted at a common node in the network called the rendezvous point (RP). The RP acts as the messenger between the source and the interested hosts or routers. There are various ways of identifying an RP within a network.
Configuring PIM

FIGURE 58 Single VCS deployment

The following requirements apply to the single-VCS deployment depicted in the figure above:
• Top of rack switches can be Brocade VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T, VDX 6740T-1G, or VDX 8770 models. However, top of rack switches are typically only Layer 2-capable when used in this context as part of a PIM environment, and PIM can be enabled on the Brocade VDX 8770 and VDX 6740 models only.
Configuring PIM

The figure below shows the components for a two-tier VCS PIM topology.

FIGURE 59 Two-tier VCS deployment

The following requirements apply to the two-tier VCS deployment depicted in the figure above:
• Top of rack switches can be Brocade VDX 6710, VDX 6720, VDX 6730, or VDX 8770 models. However, top of rack switches are typically only Layer 2-capable when used in this context as part of a PIM environment, and PIM can be enabled on the Brocade VDX 8770 or VDX 6740 models only.
PIM Sparse device types

• PIM can be enabled on all Brocade VDX 8770 or VDX 6740 models where VRRP-E is enabled.
• PIM DR-priority is configured on ve interfaces of all PIM-capable aggregation routers to optimize load-sharing abilities within the aggregation.
PIM standards conformity

• A timer mechanism must be available.
• An IGMP module should be available for correct operation of PIM when working as a DR.

PIM standards conformity

The table below lists the level of Brocade conformity for various PIM-related RFCs.
Configuring PIM

• 32 virtual interfaces. The virtual interfaces can be either Layer 3 VLAN or router ports.
• 32 output interfaces
• 4,000 Layer 3 multicast group IDs
• 2,000 (S,G) forwarding entries
• 256 (*,G) forwarding entries
• A learning rate of 32 routes per second

Configuring PIM

This section shows you an example PIM Sparse deployment and configuration, based on the figure below.
PIM configuration prerequisites

• VLAGs must belong to PIM-enabled VLANs. For more information, refer to Configuring Link Aggregation on page 437.
• Set up your VLAGs before performing any PIM-specific configuration.
• Make sure the rendezvous point (RP) is configured. This should be a third-party box for dynamic RP functionality, or either the Brocade VDX 8770 or the VDX 6740 series platforms for static RP functionality.
Configuring PIM

   j) Exit interface configuration mode.
      switch(config-Vlan-30)# exit
   k) Enter VLAN interface configuration mode for the fourth VLAN.
      switch(config)# int vlan 40
   l) Enable IGMP snooping.
      switch(config-Vlan-40)# ip igmp snooping enable
   m) Exit interface configuration mode.
      switch(config-Vlan-40)# exit
2. Do the following on switch M1 in the example figure for a deployment using a single VCS in Configuring PIM on page 579.
Configuring PIM

   j) Enable PIM Sparse for this interface.
      switch(config-ve-10)# ip pim-sparse
   k) Exit Ve configuration mode.
      switch(config-ve-10)# end
   l) Repeat the configuration steps for each of the other VLANs shown in the example figure for a deployment using a single VCS in Configuring PIM on page 579.

NOTE
For more information about PIM, refer to the Network OS Command Reference.
Configuring OSPF
● OSPF overview 583
● Configuring OSPF 591

OSPF overview

Open Shortest Path First (OSPF) is a link-state routing protocol that uses link-state advertisements (LSAs) to update neighboring routers about a router's interfaces.
OSPF components and roles

FIGURE 61 OSPF operating in a network

NOTE
For details of components and virtual links, refer to OSPF components and roles on page 584 and Virtual links on page 588, respectively.

Once OSPF is enabled on the system, the user assigns an IP address or number as the area ID for each area. The area ID is representative of all IP addresses (subnets) on a router port. Each port on a router can support one area.
Autonomous System Boundary Routers

given area. The routers within the same area have identical topological databases. An ABR is responsible for forwarding routing information or changes among its border areas.

Autonomous System Boundary Routers

An Autonomous System Boundary Router (ASBR) is a router that is running multiple protocols and serves as a gateway to routers outside the OSPF domain and those operating with different protocols.
OSPF areas

NOTE
By default, the Brocade device's router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device.

When multiple routers on the same network are declaring themselves DRs, both the priority and the router ID are used to select the designated router and backup designated router.
Area range

unavailable, OSPF automatically elects the ABR with the next highest router ID to take over translation of LSAs for the NSSA. The election process for NSSA ABRs is automatic.

NOTE
For details refer to Not-so-stubby area (NSSA) on page 587.

• TSA — Similar to a stub area, a TSA does not allow summary routes in addition to not having external routes.

NOTE
For details refer to Totally stubby area on page 587.
Link state advertisements

FIGURE 63 OSPF network containing an NSSA

This example shows two routing domains, a RIP domain and an OSPF domain. The ASBR inside the NSSA imports external routes from RIP into the NSSA as Type 7 LSAs, which the ASBR floods throughout the NSSA. The ABR translates the Type 7 LSAs into Type 5 LSAs. If a summary-address is configured for the NSSA, the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type 5 LSAs into the backbone.
OSPF over VRF

NOTE
By default, a device's router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device.

When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link). The figure below shows an OSPF area border router, Device A, that is cut off from the backbone area (area 0).
OSPF considerations and limitations

FIGURE 65 OSPF example in a VCS environment

OSPF considerations and limitations

• OSPF must be configured in a Virtual Cluster Switching (VCS) environment.
Configuring OSPF

• OSPF can be configured on either a point-to-point or broadcast network.
• OSPF can be enabled on the following interfaces: gigabitethernet, tengigabitethernet, fortygigabitethernet, loopback, and ve.
• When OSPF is enabled over a loopback interface, the network is advertised as a stub network in the router LSA for the attached area. OSPF control packets, such as hellos, are not transmitted on loopback interfaces, and adjacencies will not form.
Configuring an NSSA

   Router A# configure
   Router A(config)# interface vlan 1001
   Router A(config-Vlan-1001)# rbridge 10
   Router A(config-rbridge-id-10)# interface Ve 1001
   Router A(config-Ve-1001)# ip address 101.1.1.1/24
   Router A(config-Ve-1001)# ip ospf area 0.0.0.0

Configuring an NSSA

To configure OSPF area 1.1.1.1 as an NSSA, do the following:
1. In privileged EXEC mode, enter the configure command to enter global configuration mode.
2.
Assigning interfaces to an area range

addresses. For example, to define an area range for subnets on 0.0.0.10 and 0.0.0.20, do the following:
1. In privileged EXEC mode, issue the configure command to enter global configuration mode.
2. Issue the rbridge-id command followed by the RBridge ID to enter RBridge configuration mode.
3. Issue the router ospf command to enable OSPF on the router.
4. Issue the area operand followed by the area ID, then enter the range, and repeat as necessary.
Enabling OSPF over VRF

9. Enter the area operand followed by the area ID, and repeat as necessary.
10.
Changing default settings

   j) Enter the ip ospf area operand followed by the area ID to assign the interface to this area.
   k) Enter the no shutdown command:
      RB1# conf t
      RB1(config)# interface vlan 1001
      RB1(config-Vlan-1001)# exit
      RB1(config)# rbridge-id 1
      RB1(config-rbridge-id-1)# router ospf
      RB1(config-router-ospf-vrf-default-vrf)# area 0.0.0.0
      RB1(config-router-ospf-vrf-default-vrf)# exit
      RB1(config-rbridge-id-1)# interface ve 1001
      RB1(config-Ve-1001)# ip address 101.1.1.
Understanding the effects of disabling OSPF

Consider the following before disabling OSPF on a router:
• If you disable OSPF, the device removes all the configuration information for the disabled protocol from the running configuration. Moreover, when you save the configuration to the startup configuration file after disabling the protocol, all the configuration information for the disabled protocol is removed from the startup configuration file.
Configuring VRRP
● VRRP overview 597
● Configuring VRRP 602

VRRP overview

A virtual router is a collection of physical routers that can use the Virtual Router Redundancy Protocol (VRRP) to provide redundancy to routers within a LAN. Two or more VRRP-configured routers can create a virtual router.
VRRP multigroup clusters

The virtual router shown in the figure above is identified as Group 1. A physical router forwards packets for the virtual router. This physical router is called the master router. The following are some common VRRP-related terms and concepts:
• Virtual router — A collection of physical routers that can use either the VRRP or VRRP Extended (VRRP-E) protocol to provide redundancy to routers within a LAN.
VRRP/VRRP-E packet behavior

FIGURE 67 Two routers configured for dual redundant network access for the host

In this example, Router 1 and Router 2 use VRRP-E to load share as well as provide redundancy to the hosts. The load sharing is accomplished by creating two VRRP-E groups, each with its own virtual IP addresses. Half of the clients point to Group 1's virtual IP address as their default gateway, and the other half point to Group 2's virtual IP address as their default gateway.
VRRP control packets

Only the master answers an ARP request for the virtual router IP address. Any backup router that receives this request forwards the request to the master.

VRRP control packets

VRRP: VRRP control packets are IP protocol type 112 (reserved for VRRP), and are sent to the VRRP multicast address 224.0.0.18.
VRRP-E: Control packets are UDP packets destined to port 8888, and are sent to the all-routers multicast address 224.0.0.2.
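The two transport facts stated above are exactly what a network sensor needs to recognize redundancy-protocol traffic and to notice advertisements coming from a host that is not one of the configured routers. The following Python classifier is an added example, not Brocade code or anything from the Network OS guide: it parses raw IPv4 packets, labels VRRP (protocol 112 to 224.0.0.18) and VRRP-E (UDP port 8888 to 224.0.0.2), reads VRID and priority from the RFC 3768 VRRPv2 header for the VRRP case, and reports sources outside an expected-speaker list. The sample packets, their 192.53.5.0/24 addresses and the expected-speaker set are constructed for the example; IP and UDP checksums are left at zero because the classifier does not verify them.

```python
"""Identify VRRP and VRRP-E control packets in raw IPv4 frames.

Added example, not code from Brocade or the Network OS guide.  It applies
two facts from the guide: VRRP control packets are IP protocol 112 sent to
224.0.0.18, and VRRP-E control packets are UDP to port 8888 sent to
224.0.0.2.  VRID and priority are read from the RFC 3768 VRRPv2 header.
Sample traffic below is constructed; checksums are left at zero.
"""
import struct
from ipaddress import IPv4Address

VRRP_PROTO = 112            # IP protocol number reserved for VRRP
VRRP_MCAST = "224.0.0.18"   # VRRP multicast address
UDP_PROTO = 17
VRRPE_PORT = 8888           # VRRP-E UDP destination port
VRRPE_MCAST = "224.0.0.2"   # all-routers multicast address


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header, no options, checksum left at 0."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         255, proto, 0, IPv4Address(src).packed,
                         IPv4Address(dst).packed)
    return header + payload


def build_vrrp_advert(vrid: int, priority: int, vip: str) -> bytes:
    """RFC 3768 VRRPv2 advertisement: version/type, VRID, priority, address
    count, auth type, advertisement interval, checksum, then the virtual IP."""
    return struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, 1, 0, 1, 0) \
        + IPv4Address(vip).packed


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum left at 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload) for an IPv4 packet, honouring IHL."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return (pkt[9], str(IPv4Address(pkt[12:16])),
            str(IPv4Address(pkt[16:20])), pkt[ihl:])


def classify(pkt: bytes):
    """Describe a VRRP or VRRP-E control packet as a dict; None for anything else."""
    proto, src, dst, payload = parse_ipv4(pkt)
    if proto == VRRP_PROTO and dst == VRRP_MCAST:
        if len(payload) < 8:
            return {"kind": "VRRP", "src": src, "malformed": True}
        return {"kind": "VRRP", "src": src, "version": payload[0] >> 4,
                "type": payload[0] & 0x0F, "vrid": payload[1],
                "priority": payload[2]}
    if proto == UDP_PROTO and dst == VRRPE_MCAST and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if dport == VRRPE_PORT:
            return {"kind": "VRRP-E", "src": src, "sport": sport}
    return None


def audit(packets, expected_speakers):
    """Count control packets per protocol and list sources not expected to send them."""
    counts = {"VRRP": 0, "VRRP-E": 0}
    unexpected = []
    for pkt in packets:
        info = classify(pkt)
        if info is None:
            continue
        counts[info["kind"]] += 1
        if info["src"] not in expected_speakers:
            unexpected.append((info["kind"], info["src"]))
    return counts, unexpected


# Constructed sample traffic: two legitimate routers, one unexpected VRRP
# speaker, and an unrelated UDP packet to the all-routers group.
SAMPLES = [
    build_ipv4(VRRP_PROTO, "192.53.5.2", VRRP_MCAST, build_vrrp_advert(1, 110, "192.53.5.1")),
    build_ipv4(UDP_PROTO, "192.53.5.3", VRRPE_MCAST, build_udp(VRRPE_PORT, VRRPE_PORT, b"\x00" * 16)),
    build_ipv4(VRRP_PROTO, "192.53.5.77", VRRP_MCAST, build_vrrp_advert(1, 255, "192.53.5.1")),
    build_ipv4(UDP_PROTO, "192.53.5.9", VRRPE_MCAST, build_udp(5353, 53, b"\x00" * 8)),
]
EXPECTED_SPEAKERS = {"192.53.5.2", "192.53.5.3"}  # constructed list of configured routers

if __name__ == "__main__":
    print(audit(SAMPLES, EXPECTED_SPEAKERS))
```

On a real sensor the packet list would come from a capture of the VLAN carrying the virtual router; the expected-speaker set is the list of routers that the virtual router group was configured on.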
VRRP considerations and limitations

FIGURE 68 Short path forwarding

VRRP considerations and limitations

Virtual routers must be configured in a Virtual Cluster Switching (VCS) environment.
Configuring VRRP

  ‐ Brocade VDX 8770-4
  ‐ Brocade VDX 8770-8
• Brocade supports two VRRP protocols:
  ‐ Standard VRRP — The standard router redundancy protocol, VRRP v2 supports the IPv4 environment. Also, the Brocade version of standard VRRP is compliant with RFC 3768.
  ‐ VRRP-E (Extended) — A Brocade proprietary protocol similar to standard VRRP that is not standard compliant and cannot interoperate with VRRP.
• Supported ports:
  ‐ For VRRP — fortygigabitethernet, tengigabitethernet, gigabitethernet, and ve.
Configuring Router 2 as backup for VRRP

NOTE
You can assign a group number in the range of 1 through 255.

7. Assign a virtual router IP address.
   sw1(config-vrrp-group-1)# virtual-ip 192.53.5.1

NOTE
For VRRP, the physical router whose IP address is the same as the virtual router group IP address becomes the owner and master. However, for VRRP-E, you use the priority command to assign the highest priority to the router you want as master.

Configuring Router 2 as backup for VRRP

1.
Enabling VRRP preemption

You can allow a backup router that is acting as the master to be preempted by another backup router with a higher priority value.

Default: Preemption is enabled for VRRP, disabled for VRRP-E.

NOTE
If preemption is disabled for VRRP, the owner router is not affected because the owner router always preempts the active master.
Configuring multigroup VRRP routing

7. In interface configuration mode, enter the vrrp-extended-group command.
   switch(config-Ve-10)# vrrp-extended-group 100
8. In group configuration mode, enter the short-path-forwarding command.
   switch(config-vrrp-extended-group-100)# short-path-forwarding

Configuring multigroup VRRP routing

Refer also to VRRP multigroup clusters on page 598.
Configuring Router 1 as backup for second virtual router group

NOTE
(For VRRP-E only) The address you enter with the virtual-ip command cannot be the same as a real IP address configured on the interface.

8. To configure Router 1 as the master, set the priority to a value higher than the default (which is 100).
   sw101(config-vrrp-group-1)# priority 110

Configuring Router 1 as backup for second virtual router group

1.
Configuring Router 2 as master for second virtual router group

6. Configure the tengigabitethernet port 102/3/2 as the tracking port for interface ve 10, with a track priority of 20.
   sw102(config-vrrp-extended-group-1)# track te 102/3/2 priority 20
7. Configure an IP address for the virtual router.
   sw102(config-vrrp-extended-group-1)# virtual-ip 192.53.5.254

NOTE
(For VRRP-E only) The address you enter with the virtual-ip command cannot be the same as a real IP address configured on the interface.
Virtual Routing and Forwarding configuration
● VRF overview 609
● Configuring VRF 610
● Inter-VRF route leaking
OSPF VRF-Lite for customer-edge routers

FIGURE 69 VRF topology

OSPF VRF-Lite for customer-edge routers

A customer edge (CE) router acts as the provider edge (PE) router in VRF-Lite. When a type 3, 5, or 7 link-state advertisement (LSA) is sent from a PE router running multiprotocol BGP to a CE router, the DN (down) bit in the LSA options field must be set. This prevents any type 3, 5, or 7 LSA messages sent from the CE router to the PE router from being distributed any farther.
Enabling VRRP for VRF

   a) Enter VRF configuration mode and specify "orange" as the VRF name.
      switch(config-rbridge-id-1)# vrf orange
   b) Specify the router differentiator.
      switch(config-vrf-orange)# rd 1:1
   c) Enable IPv4 address-family support for VRF routing, and specify the maximum number of routes to be used.
      switch(config-vrf-orange)# address-family ipv4 max-route 3600
3. Enable the OSPF routing protocol for the instance in VRF configuration mode, and assign it to area 10.
Configuring OSPF VRF-Lite for customer-edge routers
5. Enable the VRRP or VRRP-E protocol for the interface. (In this example, VRRP-E.)
   switch(config-rbridge-id-1)# vrrp-extended 10
6. Set the virtual IP address.
   switch(config-rbridge-id-1)# virtual-ip 172.128.20.
Configuring Inter-VRF route leaking
A static route conflict may happen when the same prefix is reachable by two different next hops in the target VRF. The forwarding behavior then depends on which command was entered later. The following example presents a static route conflict for 10.1.2.0/24.
switch(config)# vrf red
switch(config)# ip route 10.1.2.0/24 next-hop-vrf green 10.1.1.1
switch(config)# vrf green
switch(config)# ip route 10.1.2.0/24 18.1.1.
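Added example, not part of the guide: a small Python audit script that parses a constructed snippet of vrf / ip route CLI lines in the syntax shown above, records the VRF in which each next hop is resolved (the next-hop-vrf if given, otherwise the VRF the route was configured under), and reports any prefix that ends up with two different next hops in the same target VRF. Because a leaked route silently bridges two routing domains, a check like this is worth running over a configuration before it is pushed. The green next hop 18.1.1.1, the extra 10.9.0.0/16 route, and the function names are this example's own assumptions.

```python
"""Find static route conflicts introduced by inter-VRF route leaking.

Added example; not Network OS code. Parses 'vrf X' / 'ip route ...' lines and
flags a prefix that has more than one next hop resolved in the same VRF.
"""
import ipaddress
import re
from collections import defaultdict

VRF_RE = re.compile(r"^vrf (?P<name>\S+)$")
ROUTE_RE = re.compile(
    r"^ip route (?P<prefix>\S+)(?: next-hop-vrf (?P<nh_vrf>\S+))? (?P<nh>\S+)$"
)


def parse_static_routes(config_text):
    """Return a list of route dicts with prefix, next_hop, installed_in and
    resolved_in.  installed_in is the VRF the route was configured under;
    resolved_in is the VRF the next hop is looked up in (next-hop-vrf when
    present, otherwise installed_in)."""
    routes = []
    current_vrf = None
    for raw in config_text.splitlines():
        # Drop a CLI prompt such as 'switch(config)# ' if the text was pasted from a session
        line = re.sub(r"^\S+#\s*", "", raw.strip())
        if not line:
            continue
        m = VRF_RE.match(line)
        if m:
            current_vrf = m.group("name")
            continue
        m = ROUTE_RE.match(line)
        if m:
            if current_vrf is None:
                raise ValueError(f"ip route outside any vrf context: {line}")
            routes.append({
                "prefix": ipaddress.ip_network(m.group("prefix"), strict=True),
                "next_hop": ipaddress.ip_address(m.group("nh")),
                "installed_in": current_vrf,
                "resolved_in": m.group("nh_vrf") or current_vrf,
            })
    return routes


def find_conflicts(routes):
    """Return {(vrf, prefix): [next hops]} for every prefix that is reachable
    through more than one next hop resolved in the same VRF."""
    by_key = defaultdict(set)
    for r in routes:
        by_key[(r["resolved_in"], r["prefix"])].add(r["next_hop"])
    return {
        (vrf, str(prefix)): sorted(str(nh) for nh in hops)
        for (vrf, prefix), hops in by_key.items()
        if len(hops) > 1
    }


# Constructed configuration modelled on the red/green example in the section.
# The green next hop 18.1.1.1 and the 10.9.0.0/16 route are assumed values.
SAMPLE_CONFIG = """
switch(config)# vrf red
switch(config)# ip route 10.1.2.0/24 next-hop-vrf green 10.1.1.1
switch(config)# vrf green
switch(config)# ip route 10.1.2.0/24 18.1.1.1
switch(config)# ip route 10.9.0.0/16 18.1.1.1
"""

if __name__ == "__main__":
    for (vrf, prefix), hops in find_conflicts(parse_static_routes(SAMPLE_CONFIG)).items():
        print(f"conflict in vrf {vrf} for {prefix}: next hops {hops}")
```

The leaked route from red is attributed to green because that is where its next hop 10.1.1.1 is looked up; green's own route for the same prefix therefore collides with it, which is exactly the conflict the section describes.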
Example of Inter-VRF leaking
1. Set the switch to config mode.
2. Configure the VRF instances you want to be the leaker (source VRF) and where the route is being leaked to (destination VRF).
3. Specify the interface for the source VRF and map it to the source VRF.
4. Enter the IP address/mask to be used for this VRF instance.
5. Specify the interface you want to be the destination VRF and map it to the destination VRF.
6. Specify the IP address/mask to receive the leak.
7.
Inter-VRF route leaking and DHCP relay
5. Navigate to the source VRF address-family context for configuring the static route leak.
   switch(config)# rbridge-id 1
   switch(conf-rbridge-id-1)# vrf Red
   switch(conf-vrf-Red)# address-family ipv4 max-route
6. Configure the route leak for a network (using the IP address and subnet mask) by specifying the destination next-hop VRF name and the next hop in the destination VRF.
   switch(vrf-ipv4)# ip route 10.55.2.0/24 next-hop-vrf Green 10.55.1.1
7.
Configuring BGP
● BGP overview............................................................................................................... 617
● Understanding BGP configuration fundamentals.......................................................... 624
● Configuring BGP...........................................................................................................
The figure below illustrates connectivity to the core through an MLX. The RBridges use OSPF and IBGP to communicate with each other, connecting to the MLX through IBGP. The MLX connects in turn to the core through EBGP.

FIGURE 72 Connectivity to the core through an MLX

The figure below illustrates the previous topology but without an MLX.
FIGURE 73 Connectivity to the core without an MLX

The figure below illustrates the role of BGP in communicating through multiple VCS clusters and autonomous systems.
FIGURE 74 BGP with multiple VCS clusters and autonomous systems

The figure below illustrates a BGP topology that incorporates a route-reflector server and route-reflector clients.

FIGURE 75 BGP route-reflector server and clients

BGP peering
Unlike OSPF or other IGP protocols, BGP does not have neighbor detection capability. BGP neighbors (or peers) must be configured manually. A router configured to run BGP is called a BGP "speaker."
BGP message types
• KEEPALIVE
• NOTIFICATION
• ROUTE REFRESH
BGP peering can be internal or external, depending on whether the two BGP peers belong to the same AS or different ASs. A BGP session between peers within a single AS is referred to as an Interior BGP (IBGP) session; a session between peers belonging to different ASs is referred to as an Exterior BGP (EBGP) session.
UPDATE message
messages. When two neighbors have different hold-time values, the lowest value is used. A hold-time value of 0 means "always consider neighbor to be active."
BGP Identifier   Indicates the router (or device) ID of the sender. When router-id is not configured, device-id is taken from the loopback interface. Otherwise, the lowest IP address in the system is used.
Parameter List   Optional list of additional parameters used in peer negotiation.
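Added example, not from the guide: a parser for the BGP OPEN message whose fields are described above (hold time, BGP identifier, optional parameter list), with the hold-time rule applied the way the text states it: the lower of the two values is used, and 0 means the neighbor is always considered active. The byte layout is the standard BGP OPEN layout (16-byte all-ones marker, 2-byte length, 1-byte type, version, 2-byte AS, 2-byte hold time, 4-byte identifier, optional parameter length, parameters); a parser that validates the length fields before trusting them is the kind of check a monitoring tool needs before it decodes peer traffic. The sample message, the AS and identifier values, and the function names are constructed for this example.

```python
"""Parse a BGP OPEN message and negotiate the hold time.

Added example; not Network OS code.  Field layout is the standard BGP OPEN
layout; the sample message below is constructed.
"""
import struct

MARKER = b"\xff" * 16    # every BGP message starts with a 16-byte all-ones marker
OPEN_TYPE = 1            # message type code for OPEN
HEADER_LEN = 19          # marker (16) + length (2) + type (1)
OPEN_FIXED_LEN = 10      # version (1) + AS (2) + hold time (2) + identifier (4) + opt param len (1)


def build_open(my_as, hold_time, bgp_id, params=b""):
    """Build an OPEN message; used here only to construct sample input."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, bgp_id, len(params)) + params
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), OPEN_TYPE) + body


def parse_open(msg):
    """Return the OPEN fields as a dict, rejecting malformed input."""
    if len(msg) < HEADER_LEN + OPEN_FIXED_LEN:
        raise ValueError("message too short for an OPEN")
    if msg[:16] != MARKER:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:HEADER_LEN])
    if msg_type != OPEN_TYPE:
        raise ValueError(f"not an OPEN message (type {msg_type})")
    if length != len(msg):
        raise ValueError(f"length field {length} does not match {len(msg)} bytes received")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack(
        "!BHH4sB", msg[HEADER_LEN:HEADER_LEN + OPEN_FIXED_LEN]
    )
    params = msg[HEADER_LEN + OPEN_FIXED_LEN:]
    if len(params) != opt_len:
        raise ValueError("optional parameter length does not match the message")
    if hold_time in (1, 2):
        # A proposed hold time must be 0 or at least 3 seconds
        raise ValueError("hold time must be 0 or at least 3 seconds")
    return {
        "version": version,
        "my_as": my_as,
        "hold_time": hold_time,
        "bgp_id": ".".join(str(b) for b in bgp_id),   # router ID of the sender
        "params": params,                              # raw optional parameters
    }


def negotiate_hold_time(local, remote):
    """The lower of the two configured values is used for the session."""
    return min(local, remote)


def always_active(negotiated_hold_time):
    """A hold time of 0 means the neighbor is always considered active."""
    return negotiated_hold_time == 0


# Constructed sample: AS 65001, hold time 180 s, identifier 10.0.0.1 (assumed values)
SAMPLE_OPEN = build_open(65001, 180, bytes([10, 0, 0, 1]))

if __name__ == "__main__":
    fields = parse_open(SAMPLE_OPEN)
    hold = negotiate_hold_time(90, fields["hold_time"])
    print(fields, "negotiated hold time:", hold, "always active:", always_active(hold))
```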
• Finite state-machine error
• Cease (voluntarily)
Error Subcode   Provides specific information about the error reported.
Error Data      Contains data based on error code and subcode.

KEEPALIVE message
Because BGP does not regularly exchange route updates to maintain a session, KEEPALIVE messages are sent to keep the session alive. A KEEPALIVE message contains just the BGP header without a data field. The default KEEPALIVE time is 60 seconds and is configurable.
BGP limitations and considerations
The device compares the MEDs of two otherwise equivalent paths if and only if the routes were learned from the same neighboring AS. This behavior is called deterministic MED. Deterministic MED is always enabled and cannot be disabled. To ensure that the MEDs are always compared, regardless of the AS information in the paths, the always-compare-med command can be used. This option is disabled by default.
Configuring BGP
To enable BGP on an RBridge, enter RBridge ID configuration mode and issue the router bgp command:
switch(config-rbridge-id-12)# router bgp
There are two CLI modes for BGP:
• Global BGP
• BGP Address-Family IPv4 Unicast
After issuing the router bgp command, you first enter BGP configuration mode, where an address-family-specific configuration can be applied. In order to apply an IPv4 address-family-specific configuration, issue the address-family ipv4 unicast command.
BGP global mode
• Address-family-specific neighbor configuration
• Explicit specification of networks to advertise
The following illustrates CLI options in address-family mode:
switch(config-bgp-router)# address-family ipv4 unicast
switch(config-bgp-ipv4u)# ?
Possible completions:
aggregate-address always-propagate Forwarding table bgp-redistribute-internal client-to-client-reflection dampening default-information-originate default-metric do exit help maximum-paths multipath neighbor network next-hop-enabl
an AS number of the neighbor. For each neighbor, you can specify a set of attributes. However, if a set of neighbors share the same set of attributes, it is advisable to use a peer-group. The peer-group configuration is described in the next subsection. The following illustrates the configuration of a neighbor’s IP address and AS number:
switch(config-bgp-router)# neighbor 10.231.64.
• Applying policy changes without resetting the neighbor
• Keepalive and hold time
• Specifying routes not to be suppressed in route aggregation
• Specifying the source IP to be used in the TCP connection to the neighbor
• Adding weight to each route received from the neighbor

Peer groups
Neighbors having the same attributes and parameters can be grouped together by means of the peer-group command.
Advertised networks
switch(config-bgp-ipv4u)# redistribute ?
Possible completions:
  connected   Connected
  ospf        Open Shortest Path First (OSPF)
  static      Static routes
While redistributing routes learned by OSPF, you can specify the type of routes to be redistributed. You can choose to redistribute internal, external type1, or external type2 routes.
Route flap dampening
When there is more than one route-reflector, they should all belong to the same cluster. By default, the value for cluster-id is used as the device ID. However, the device ID can be changed:
switch(config-bgp-router)# cluster-id ipv4-address 10.30.13.4
switch(config-bgp-router)# cluster-id 2300
The route-reflector server reflects the routes as follows:
• Routes from a client are reflected to clients as well as to nonclient peers.
NOTE
A dampening value for half-life can also be adjusted through a route map, by means of the set dampening option for the route-map command.

Default route origination
While redistributing routes from OSPF, BGP does not advertise the default route 0.0.0.0/0 even if it exists.
Route filtering
When next-hop recursion is enabled, if the first lookup for the destination IP address results in an IBGP path that originated in the same AS, the device performs a lookup for the IP address of the next-hop gateway. This continues until the final lookup results in an IGP route. Otherwise, the route is declared unreachable.
• If a route does not match any match statements in the route map, then the route is denied. This is the default action. To change the default action, configure the last match statement in the last instance of the route map to permit any any.
• If there is no match statement, the software considers the route to be a match.
Specifying the match conditions
• If you specify deny, the device does not advertise or learn the route.
• If you specify permit, the device applies the match and set clauses associated with this route map instance.
The instance-number parameter specifies the instance of the route map you are defining. The following illustrates the creation of route-map instance 10, which is done in RBridge ID mode. Notice the change in the command prompt.
Setting parameters in the routes
Use the following command to define a set statement that prepends an AS number to the AS path on each route that matches the corresponding match statement.
switch(config-routemap-myroutemap1/permit10)# set as-path prepend 7701000
Operands for the route-map set statement are as follows:
as-path prepend num,num,… — Adds the specified AS numbers to the front of the AS-path list for the route.
If the system scans all route-map instances but finds no matches, or if a deny condition is encountered, then it does not update the routes. Whenever a matched instance contains a deny statement, the current traversal terminates, and none of the updates specified in the set statements of the matched instances in both current and previous traversals are applied to the routes. This supports a more programmable route-map configuration and route filtering scheme for BGP4 peering.
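Added example, not from the guide: a Python model of the route-map evaluation rules stated in this section and in the match-condition bullets above. Instances are evaluated in sequence order; an instance with no match clause matches every route; a route that matches no instance is denied (the default action); a matched permit collects its set clauses; and a matched deny ends the traversal and discards every set clause collected so far, including those from earlier instances reached through a continue. The match kinds (community list, destination prefix) and set kinds (as-path prepend, community delete) are the ones the section mentions. The "continue N resumes at the first instance numbered N or higher" behaviour, the route/instance representations, the sample route map and the sample routes are this example's own assumptions.

```python
"""Evaluate a BGP route map with permit/deny, set clauses and continue.

Added example; not Network OS code.  Semantics follow the section's rules;
the 'continue' handling and data representations are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Instance:
    seq: int
    action: str                                   # "permit" or "deny"
    matches: list = field(default_factory=list)   # e.g. ("community", {"123:2"}), ("prefix", "10.0.0.0/8")
    sets: list = field(default_factory=list)      # e.g. ("as-path-prepend", [7701000]), ("community-delete", {"12:99"})
    cont: Optional[int] = None                    # continue target sequence number (assumed semantics)


def _matches(inst, route):
    """Every match clause must hold; an instance with no clauses matches everything."""
    for kind, arg in inst.matches:
        if kind == "community":
            # community ACL: the route must carry at least one listed community
            if not (route["communities"] & set(arg)):
                return False
        elif kind == "prefix":
            if not ipaddress.ip_network(route["prefix"]).subnet_of(ipaddress.ip_network(arg)):
                return False
        else:
            raise ValueError(f"unknown match kind {kind}")
    return True


def _apply(sets, route):
    """Return a copy of the route with the collected set clauses applied."""
    new = {"prefix": route["prefix"], "as_path": list(route["as_path"]),
           "communities": set(route["communities"])}
    for kind, arg in sets:
        if kind == "as-path-prepend":
            new["as_path"] = list(arg) + new["as_path"]
        elif kind == "community-delete":
            # only the communities that are present are removed
            new["communities"] -= set(arg)
        else:
            raise ValueError(f"unknown set kind {kind}")
    return new


def evaluate(route_map, route):
    """Return (permitted, route_after_sets).  A deny discards all pending sets."""
    ordered = sorted(route_map, key=lambda i: i.seq)
    pending, matched_any, pos = [], False, 0
    while pos < len(ordered):
        inst = ordered[pos]
        if not _matches(inst, route):
            pos += 1
            continue
        matched_any = True
        if inst.action == "deny":
            return False, route          # traversal ends; pending sets are dropped
        pending.extend(inst.sets)
        if inst.cont is None:
            break
        # continue N: resume at the first later instance numbered >= N
        pos = next((k for k, o in enumerate(ordered) if k > pos and o.seq >= inst.cont), len(ordered))
    if not matched_any:
        return False, route              # default action: no match means deny
    return True, _apply(pending, route)


# Constructed route map and routes (assumed values)
SAMPLE_ROUTE_MAP = [
    Instance(10, "permit", matches=[("community", {"123:2"})],
             sets=[("as-path-prepend", [7701000])], cont=20),
    Instance(20, "permit", matches=[("prefix", "10.0.0.0/8")],
             sets=[("community-delete", {"12:99", "12:86"})]),
    Instance(30, "deny", matches=[("community", {"99:1"})]),
]
ROUTE_A = {"prefix": "10.1.0.0/16", "as_path": [65001, 65002], "communities": {"123:2", "12:86", "33:44"}}
ROUTE_B = {"prefix": "192.0.2.0/24", "as_path": [65003], "communities": {"99:1"}}
ROUTE_C = {"prefix": "192.0.2.0/24", "as_path": [65003], "communities": {"77:7"}}
ROUTE_D = {"prefix": "192.0.2.0/24", "as_path": [65003], "communities": {"123:2", "99:1"}}

if __name__ == "__main__":
    for name, r in (("A", ROUTE_A), ("B", ROUTE_B), ("C", ROUTE_C), ("D", ROUTE_D)):
        print(name, evaluate(SAMPLE_ROUTE_MAP, r))
```

ROUTE_D is the case the paragraph above describes: instance 10 matches and collects an as-path prepend, the continue leads to instance 30, whose deny discards that prepend along with the route.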
Matching on a community ACL
To configure a route map that matches on community ACL 1:
switch(config)# rbridge-id 5
switch(config-rbridge-id-5)# ip community-list standard 1 permit 123:2
switch(config-rbridge-id-5)# route-map mycommroutemap1 permit 10
switch(config-route-map-mycommroutemap1/permit/10)# match community 1

Matching on a destination network
NOTE
You can use the results of an IP ACL or an IP prefix list as the match condition.
Matching on a BGP4 static network
NOTE
These commands configure an additional community ACL, std_2, that contains community numbers 23:45 and 57:68. Route map mycommroutemap3 compares each BGP4 route against the sets of communities in ACLs std_1 and std_2. A BGP4 route that contains either but not both sets of communities matches the route map. For example, a route containing communities 23:45 and 57:68 matches.
Using route-map continue statements
NOTE
The first command configures a community ACL containing community numbers 12:99 and 12:86. The remaining commands configure a route map that matches on routes whose destination network is specified in ACL 1, and deletes communities 12:99 and 12:86 from those routes. The route does not need to contain all the specified communities in order for them to be deleted. For example, if a route contains communities 12:86, 33:44, and 66:77, community 12:86 is deleted.
To unsuppress all suppressed BGP4 routes:
switch# clear ip bgp dampening
To clear the dampening statistics for a BGP4 route:
switch# clear ip bgp flap-statistics 10.0.0.
Configuring IGMP
● IGMP overview..............................................................................................................641
● IGMP snooping overview.............................................................................................. 641
● Configuring IGMP snooping..........................................................................................
vLAG and LAG primary port with IGMP snooping
• By sending an unsolicited IGMP join request.
• By sending an IGMP join request as a response to a general query from a multicast router.
In response to the request, the switch creates an entry in its Layer 2 forwarding table for that VLAN. When other hosts send join requests for the same multicast, the switch adds them to the existing table entry. Only one entry is created per VLAN in the Layer 2 forwarding table for each multicast group.
IGMP snooping scalability
Here are the scalability limits of the IGMP snooping feature in various modes of switch operation for Network OS 4.1.0. The table explains the various metrics involved in describing the scalability limits.

IGMP Metric                                 Description
Maximum number of IGMP groups supported     This metric is based on the available hardware resources, such as multicast group ID (MGID), configuration replay, and Ethernet Name Server (eNS) distribution bandwidth.
TABLE 94 IGMP snooping: four-node cluster metrics (Continued)
Metric                                                               Limit             Comments
Maximum number of VLANs supported with IGMP configuration            128
Maximum IGMP packet-processing rate per switch                       512 packets/sec
Maximum IGMP packet-processing rate per Brocade VCS Fabric cluster   512 packets/sec

TABLE 95 IGMP snooping: 24-node cluster metrics
Metric                                                               Limit             Comments
Maximum number of IGMP groups supported                              2000              Join requests are sent on four ports of the same switch.
TABLE 97 IGMP snooping: IP multicast metrics (Continued)
Metric                                 Limit               Comments
IGMP interfaces supported              32
IGMP snooping interfaces supported     256
Learning rate for PIM-SM               32 flows/second
Learning rate for IGMP snooping        512 groups/second

Configuring IGMP snooping
By default, IGMP snooping is globally disabled on all VLAN interfaces. Refer to the Network OS Command Reference for complete information about the commands in this section.
Monitoring IGMP snooping
NOTE
An IGMP snooping querier cannot be configured on the same interface as a multicast router (mrouter) interface.
Refer to the Network OS Command Reference for complete information about the commands in this section. Use the following procedure to configure the IGMP snooping querier.
1. Enter the configure terminal command to access global configuration mode.
2. Enter the interface command to select the VLAN interface number.
   switch(config)# interface vlan 25
3.
NOTE
Refer to the Network OS Command Reference for additional information on IGMP CLI commands.

Using additional IGMP commands
The following commands provide additional support for basic IGMP functionality. For details, refer to the Network OS Command Reference.
Command                   Description
ip igmp immediate-leave   Removes a group from the multicast database.
Configuring IP DHCP Relay
● DHCP protocol.............................................................................................................. 649
● IP DHCP Relay function................................................................................................649
● Brocade IP DHCP Relay overview................................................................................650
● Configuring IP DHCP Relay.........................................................................................
Brocade IP DHCP Relay overview
The Brocade IP DHCP Relay feature allows forwarding of requests and replies between DHCP servers and clients connected to the switch when these servers and clients are not on the same subnet. You can configure the feature on any L3 interface to forward such requests and replies.
Supported platforms
The only unsupported configuration is a Network DHCP server. Client 1 is on a different subnet than Server 3 and Server 4, which are on the same subnet. The Brocade DHCP Relay agent forwards DHCP BOOTP broadcast packets from the DHCP clients to the appropriate server and processes broadcast or unicast packets from the server to forward to the DHCP client. BOOTP is a network protocol used to obtain an IP address from a DHCP server. Refer to the following figure.
Configuring IP DHCP Relay
• You can configure the feature in standalone mode (applicable switches only) or VCS mode.
• You can configure up to four DHCP server IP addresses per interface. When multiple addresses are configured, the relay agent relays the packets to all server addresses.
• The DHCP server and the clients it communicates with can be attached to different Virtual Routing and Forwarding (VRF) instances.
Example: VCS mode
The following is an example of configuring two IP DHCP Relay addresses on a physical 1 GbE interface in slot 2, port 4 on RBridge ID 2.
NOTE
In this example, the local DHCP server IP address is 3.1.1.2.
switch# config
Entering configuration mode terminal
switch(config)# rbridge-id 1
switch(config-rbridge-id-1)# int Ve 101
switch(config-Ve-101)# ip dhcp relay address 100.1.1.2
switch(config-Ve-101)# ip dhcp relay address 12.3.4.
Displaying IP DHCP Relay addresses for an interface
You can display IP DHCP Relay addresses configured on specific interfaces of a local switch, a specific RBridge, or all RBridge IDs in a logical chassis cluster. To display the IP DHCP Relay addresses configured for a switch interface, use the show ip dhcp relay address interface command followed by the interface ID.
1.
Displaying IP DHCP Relay addresses on specific switches
Example: Displaying addresses for specific interfaces on a range of switches
The following is an example of displaying addresses for a specific Virtual Ethernet interface on a range of switches (specified by RBridge IDs) in a logical chassis cluster.
NOTE
You can specify a list of RBridge IDs separated by commas, or a range separated by a dash (for example, 1-2). No spaces are allowed in the range string.
Example: Displaying addresses on the local RBridge
The following is an example of displaying addresses configured on interfaces of a local switch. Notice that the RBridge ID is not needed in the command.
switch# show ip dhcp relay address
RBridge Id: 2
----------------
Interface   Relay Address
---------   -------------
Te 2/2/1    10.1.1.1
Te 2/4/2    20.1.1.1
Te 2/5/4    30.1.1.1
Te 2/6/6    40.1.1.
Displaying IP DHCP Relay statistics
Display information about the DHCP Relay function, such as the DHCP server IP address configured on the switch and the number of various DHCP packets received by the interface configured for IP DHCP Relay. Use the show ip dhcp relay statistics command to display the following information about the IP DHCP Relay function:
• DHCP Server IP Address configured in the switch.
Displaying statistics for specific switches
The following is an example of displaying statistics for a cluster with RBridge 1 and RBridge 3.
sw0# show ip dhcp relay statistics rbridge-id 1,3
DHCP Relay Statistics - RBridge Id: 1
---------------------------------------
Address    Disc.   Offer   Req.
-------    -----
2.3.4.5    300
10.0.1.2   300
router or switch to have multiple containers of routing tables or Forwarding Information Bases (FIBs), with one routing table for each VRF instance. This permits a VRF-capable router to function as a group of multiple virtual routers on the same physical router. Inter-VRF route leaking allows leaking of specific route prefixes from one VRF instance to another on the same physical router, which eliminates the need for external routing.
High availability support
IP DHCP Relay address configurations are maintained when control is switched from the active to the standby management module (MM) in the VDX 8770-4 and VDX 8770-8 chassis. Two management modules (MMs) provide redundancy on the Brocade VDX 8770-4 and VDX 8770-8 chassis. These modules host the distributed Network OS that provides overall management for the chassis.
Section V: Network OS Troubleshooting
• Using the Chassis ID (CID) Recovery Tool on page 663
• Troubleshooting procedures on page 667
• TACACS+ Accounting Exceptions on page 725
• Supported NTP Regions and Time Zones on page 729
Using the Chassis ID (CID) Recovery Tool
● CID overview.................................................................................................................663
● Critical SEEPROM data................................................................................................ 663
● Noncritical SEEPROM data.......................................................................................... 663
● Automatic auditing and verification of CID card data.........................................
Automatic auditing and verification of CID card data
• The FRU history table, which contains logs of insertions and removals of FRUs into and from the chassis. The content of this table is not audited or verified.
• The IP data table, which contains management module and chassis management IP addresses/masks, the IP default gateway, and the chassis name.
• A power-off list, which controls the order in which blades are automatically powered off if an impending power loss is detected.
Understanding CID card failure
• Recover BAD from GOOD. This option is offered only if one CID card contains good data and the other card contains corrupt data. If you select this option, cidrecov copies the good data onto the affected card.
• Recover CID 2 from CID 1 and Recover CID 1 from CID 2. These options are offered only if the data on both CID cards is good but there is a mismatch. You can select which card to use to overwrite data on the other card.
Troubleshooting procedures
● Troubleshooting overview............................................................................................. 667
● Troubleshooting standard issues.................................................................................. 677
● Using troubleshooting and diagnostic tools...................................................................
Using information resources
The following information is helpful for incident investigation and resolution when you contact your switch-support provider:
• A network diagram and topology information
• A record of the steps and events leading to the incident
• Lists of applications, management agents, and scripts running at the time of the incident
• supportSave files
• Output from the show media command if the issue is related to SFP transceivers
• Outputs from any commands
Understanding troubleshooting hotspots
   e) If the switch is part of a VCS Fabric cluster, verify that the MAC address tables are synchronized properly across all Brocade VDX switches in the cluster.
   f) Check whether LLDP reports neighbors.
   g) Check the Ethernet Name Server (ENS) functionality by ensuring that the MAC address table reports MAC addresses learned from other VCS Fabric switches.
   h) Use the l2traceroute command to validate the data-path fabric continuity.
Load balancing distribution
To interoperate with MLX switches or other vendors’ switches, enter the following command in interface configuration mode:
switch(conf-if-te-0/1)# spanning-tree bpdu-mac 0100.0ccc.
TABLE 98 Load balancing algorithms (Continued)
Feature         Algorithm
LACP            Provides adaptive load balancing based on up to seven criteria (7-tuple), depending upon what fields are available in the frame.
Brocade trunk   Provides equal packet load balancing (round-robin) among member links.

Static assignment of the routing bridge ID
Duplicate routing bridge (RBridge) IDs are a common source of error when a switch is added to an Ethernet fabric.
Multicast traffic in vLAG
Flooding traffic always goes through a primary link of the vLAG. You should consider this restriction when provisioning bandwidth for most traffic. This link is marked with an asterisk (*) in the output of the show port-channel command.
ATTENTION
This condition can cause packet duplication or unexpected packet loss.

Traffic protection during split-brain conditions
By default, Network OS has the capability to recover gracefully from a split-brain scenario. When all the ISLs between the VDX cluster switches go down, the switch with the lower RBridge ID uses LACP to inform the edge-switch partner that it has segmented out of the port-channel. It does this by changing its advertised system ID.
Principal routing bridge availability
If a new principal routing bridge is introduced into a working VCS Fabric cluster, or if the principal routing bridge is lost and a new switch must be elected, the fabric is rebuilt from the control-plane viewpoint, whereas the data plane continues to forward traffic without disruption.
NIC teaming with vLAG
NIC teaming permits link aggregation between server and switch. It can be one of two types: the active/passive model or the active/active model. For the active/passive model, you may not need to configure a LAG on the switch side, as unique MAC addresses will be seen on only one link. For the active/active model, the same MAC address may appear on both links terminating on a switch (or pair of switches). In such a case, you must configure a LAG on the switch side.
ACL limits issues
For the flow control solution, enable flow control either on the ports receiving the traffic from end-devices (servers or personal computers) and on the connected end-device itself, or enable flow control on the port-channel as shown in the following example.
Process exceptions can sometimes occur with the L2SYSD process when combinations of ACL limits are approached or exceeded. Constant MAC learning and flushing can occur when ASIC table limitations are exceeded. Layer 2 frame switching can fail if the number of MAC address table entries is exceeded.

Troubleshooting standard issues
This section describes some potential problems you may encounter and suggestions on how to investigate or resolve each issue.
Verifying the port-profile configuration
• The port-profile is not activated or is not associated with the correct MAC address. Refer to Verifying the port-profile state on page 679.
• The VM kernel MAC addresses are not associated correctly with the port-profile on the respective switches. Refer to Verifying the VM kernel MAC addresses on page 679.
• The VM and its associated hosts do not share a common storage device. Refer to Verifying a shared storage device on page 679.
Verifying the port-profile state
For the correct functioning of AMPP, the port-profile must be active and must be associated with the correct MAC address.
1. Enter the show port-profile status command to verify that the port-profile is activated and is associated with the correct MAC address.
   switch# show port-profile status
   Port-Profile   PPID   Activated   Associated MAC   Interface
   pp1            1      No          None             None
   pp2            2      No          None             None
2.
Verifying that port profiles do not conflict
1. Enter the show port-profile name pp1_name name pp2_name validate command to validate whether multiple port-profiles applied on an interface can co-exist without conflict.
Troubleshooting procedures
1. Link the wwncardshow command to survey the extent of the damage. (This does not have to be done for single boards.)
   switch# ln -s /fabos/cliexec/em /fabos/bin/wwncardshow
2. Display the wwncardshow data.
   switch# wwncardshow ipdata
   packet count is 2
   ++ Wwn Card IP Data ++
   Type   Num   Field     Address           Mask              Cfg/Zone
   ---------------------------------------------------------
   CP     0     Eth IP:   255.255.255.255   255.255.255.255
   CP     1     Eth IP:   255.255.255.255   255.255.255.255
   Chassis GW IP: 255.255.
Verifying SEEPROM data
1. To verify the SEEPROM, copy the test_symod file to /fabos/bin as test_sysmod, and select option 10 for i2c and option 27 to Verify FRU Seeprom. The test begins automatically.
2. Use the offset of 0x6a4c, as that is where the IP table starts (size 256), but any offset (and size less than or equal to 256) will access that device.
Verifying the fabric
• Check that the fabric membership information is what you expect. Refer to Verifying the fabric on page 683.
• Ensure that MAC addresses are not moving among ports. Refer to Checking for MAC address movement among ports on page 683.
• Ensure that no edge port has an external loopback. Refer to Verifying edge ports have no external loopback on page 683.
Verifying the default profile map
   interface Fcoe 1/11/2
    no shutdown
   !
   interface Fcoe 1/11/3
    no shutdown
   !
   interface Fcoe 1/11/4
    no shutdown
   !
   interface Fcoe 1/11/5
    no shutdown
   !
   interface Fcoe 1/11/6
    no shutdown
   !
   interface Fcoe 1/11/7
    no shutdown
4. Remove the FCOE provisioning and reprovision the physical interface.
5. If that does not work, execute the shut command, and then the no shut command on the FCOE logical interface.
6.
ISL does not come up on some ports
1. Check for db packet capture. Below are the commands to enable and view a capture.
   db 8/0/1 rte enable capture all
   db 8/0/1 rte start capture
   db 8/0/1 rte show capture
   After the start capture command, the system sends a stream and performs show capture. This displays most of the capture information:
   a) It shows all the fields resolved — whether it is trap, drop, or fwd.
   b) It shows the packet itself.
• LLDP is not reporting its neighbors. Refer to Verifying LLDP on page 688.
• An overloaded CPU fails to generate keepalive packets. Refer to Checking for CPU overload on page 688.

Verifying the status of ISLs
If any port looks suspicious, begin by checking the status of ISLs.
1. On the switches at each end of the broken link, in privileged EXEC mode, enter the show fabric isl command to view the status of ISL connections.
Verifying VCS Fabric configuration and RBridge ID
For the ISL to function correctly, the following criteria must be true:
• Both switches must have VCS Fabric mode enabled.
• Both switches must have the same VCS ID.
• Each switch must have a unique RBridge ID.
To check the criteria, complete the following steps.
1. Enter the show vcs command on each switch.
2.
Total Number of Nodes : 1
Rbridge-Id   WWN                          Management IP   VCS Status   Fabric Status   HostName
-----------------------------------------------------------------------------------------------------------
66          >10:00:00:05:33:67:26:78*    10.24.81.66     Online       Online          cz41-h06-m-r2
switch2# vcs rbridge-id 77

Verifying LLDP
When ISLs are functioning correctly, the show lldp neighbors command reports on each neighbor switch in the VCS Fabric cluster.
1.
Packets are dropped in hardware
   VCS Fabric license
   Feature name:VCS_FABRIC
2. If the FCoE or DPOD license appears in the show license command output, but the feature does not work for the expected ports, the probable cause is that the affected ports were not re-enabled after installing the license.
NOTE
After adding an FCoE or DPOD license, you must disable and re-enable all affected ports. The VCS Fabric license does not require re-enabling.
Dead Interval: 120 secs
Remaining Life : 104 secs
Chassis ID: 0005.1e78.
Verifying the data path
5. Enter the show qos interface command to check the QoS configuration.
Unicasts: 10641, Multicasts: 2637, Broadcasts: 1976
64-byte pkts: 10874, Over 64-byte pkts: 3294, Over 127-byte pkts: 117
Over 255-byte pkts: 969, Over 511-byte pkts: 0, Over 1023-byte pkts: 0
Over 1518-byte pkts(Jumbo): 0
Runts: 0, Jabbers: 0, CRC: 0, Overruns: 0
Errors: 0, Discards: 0
Transmit Statistics:
12633 packets, 1155963 bytes
Unicasts: 18, Multicasts: 12615, Broadcasts: 0
Underruns: 0
Errors: 0, Discards: 0
Rate info (interval 299 seconds):
Input 0.
Enter this command on other switches in the fabric to ensure that those switches can detect this MAC address.
switch# show mac-address-table
VlanId    Mac-address       Type    State     Ports
1002      0efc.0042.7300    FPMA    Active    Te 66/0/55
1002      0efc.0042.7302    FPMA    Active    Te 66/0/55
1002      0efc.0042.7800    FPMA    Active    Te 66/0/60
Total MAC addresses : 3
7. Enter the l2traceroute command to validate the data-path fabric continuity.
Replace any non-Brocade SFP transceiver.
b) Try replacing the SFP transceiver.
c) Try replacing the cable.

Recovering the root password by using the root account
Use this procedure if you have lost access to the admin account, but you do have access to the root account. To reset any account password from the root account, follow these steps:
NOTE
For a non-secured system, you can use the serial interface or Telnet.
To obtain the Boot PROM recovery password from your switch support provider, perform the following steps:
1. Connect to the serial console port of the switch.
2. Manually reboot the switch.
3. When prompted to stop test or stop AutoBoot, press ESC.
NOTE
If the ESC key is not effective during reboot, turn the power off and back on, and then try again. If the ESC key is still not effective, check the serial console cable.
Re-enter Recovery Password: YnfG9DDrlFMDVkNM0RkPtg==
8. When prompted with "New password:", enter a new Boot PROM password, and re-enter it when prompted.
New password: xxx
Re-enter new password: xxx
The switch reboots.
ATTENTION
Record the new password for future reference.
5. At the prompt, enter the Boot PROM password.
password: *******
=>
6. To reset the password, enter the resetpw command.
=> resetpw
. .
Done
7. To allow the switch to continue booting up, enter the reset command.
=> reset
do_reset: PERFORM HARD RESET
The system is coming up, please wait...
When the boot-up process is finished, the Boot PROM password is gone.
If you still have access to the admin account, you can change the admin account password or change passwords on user accounts by using normal password-management procedures. Refer to Managing User Accounts on page 261. Even if you have lost access to the admin account but you do have access to the root account, you can use the root account to reset passwords for the root, admin, and user accounts.
• Recovering the root password for Brocade VDX 67xx platforms: Quick reference on page 699
• Recovering the root password for Brocade VDX 67xx platforms: Detailed procedure on page 699

Recovering the root password for Brocade VDX 67xx platforms: Quick reference
Advanced users who need only a reminder of the basic steps can use this quick reference to recover passwords.
1. Press ESC during reboot.
Recover password
Used to generate a character string for your support provider to recover the Boot PROM password.
ATTENTION
Use this feature only when directed by technical support personnel.
Enter command shell
Used to enter the command shell to reset all passwords on the system.
Checking system
Checking memory
System RAM test
set_bootstatus: Hit ESC to stop
NOTE
For Network OS, the passwddefault command restores the passwords of factory default accounts to their default values and removes nondefault user accounts that are present. The nondefault user accounts will be restored later in this procedure. Any additional user accounts remain intact.
13. Reset the OSLoadOptions parameters to "quiet;quiet."
sh-2.04# bootenv OSLoadOptions "quiet;quiet"
14. Reboot the switch by using the reboot -f command.
sh-2.
Recovering the root password for Brocade VDX 8770 platforms
To perform the recovery procedure for dual Management Modules, stop both MMs at the command shell prompt. Then follow the recovery steps listed in this document for the Brocade VDX 87xx series on the ACTIVE MM. After the 10th step on the ACTIVE MM, enter the reset command at the STAND-BY shell prompt. When this recovery succeeds, all passwords are set to the factory default.
4. Log in as root and enter the following commands in sequence:
a) noscli
b) configure
c) username name password new-password
d)
5. Restore nondefault user accounts.

Recovering the root password for Brocade VDX 8770 platforms: Detailed procedure
Use this procedure if you do not have access to the root account.
=> setenv bootargs "root=/dev/sda1 rootfstype=ext4 quiet S"
7. Enter the printenv command to verify the change.
=> printenv
AutoLoad=yes
LoadIdentifiers=Fabric Operating System;Fabric Operating System
OSLoadOptions=quiet
OSRootPartition=sda2;sda1
SkipWatchdog=yes
autoset_mac=true
baudrate=9600
bootargs=root=/dev/sda1 rootfstype=ext4 quiet S
bootcmd=execute_internal_bootcmd
(output truncated)
8. Enter the savenv command to save the changes.
18. Use the following syntax of the username command to reset passwords for the admin or user accounts, or for any other nondefault users.
username account-name password new-password
The following example resets the admin password to the default value of "password."
switch(config)# username admin password password
19. To restore the nondefault user accounts, perform the following steps:
a) Copy the running-config to a file.
RBridge ID is duplicated
Switches with the same RBridge ID cannot coexist in the same VCS Fabric cluster. Any attempt to add a switch with the same RBridge ID as an existing cluster switch will fail. The ISL between the two switches will not be formed; it will be segmented.
1. On the new switch, enter the show vcs command to determine the RBridge ID.
• The management port is down. Refer to Verifying the status of the management port on page 707 for details.
• Access to the management interface is denied by an ACL. Refer to Checking for a deny ACL on page 707 for details.
• The switch CPU is overloaded. Refer to Checking for overloaded CPU on page 707 for details.

Verifying the status of the management port
1.
1. Enter the show running-config interface command to determine which interfaces have trunking enabled.
switch# show running-config interface
interface Management 66/0
 no ip address dhcp
 ip address 10.24.81.66/20
 ip route 0.0.0.0/0 10.24.80.
• If the interface is disabled, enable it with the no shutdown command.
• If misconfiguration is apparent, refer to Trunk member not used for information on how to configure fabric trunks.
• If you notice significant errors in the error statistics counters, depending on the error, check the SFP transceiver and cable on the local switch and on the peer switch at the other end of the cable.
1.
NOTE
It is not necessary to reboot the switch to enable the VCS Fabric license.
switch# show license
Rbridge-Id: 66
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
FCoE Base license
Feature name:FCOE_BASE
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
VCS Fabric license
Feature name:VCS
Refer to the Network OS Software Licensing Guide for more information about license management.
1. On both switches, enter the show lacp counter command to verify that LACPDUs are transmitted and received, and there are no error PDUs.
switch# show lacp counter 10
% Traffic statistics
Port      LACPDUs           Marker            Pckt err
          Sent     Recv     Sent     Recv     Sent     Recv
% Aggregator Po 10 1000000
Te 0/1    65       0        0        0        0        0
Te 0/2    64       0        0        0        0        0
Te 0/3    64       0        0        0        0        0
Te 0/4    0        0        0        0        0        0
In this case, LACPDUs are being transmitted by the switch, but none are being received.
2.
Dual-CLI sessions from the same switch: If you start a zone transaction from CLI-Session1 and then try to perform a zone modification from CLI-Session2, the CLI-Session2 zone transaction is not allowed, as CLI-Session2 is not the owner of the open transaction. If CLI-Session1 logs out, this ends the open transaction and aborts any current zone modifications. CLI-Session2 is then able to perform zone modifications.
a) Enter the portCfgExPort -d Fabric OS command to set a unique front phantom domain ID.
b) Enter the fcrXlateConfig importedFID exportedFID preferredDomainID command to set a unique translate phantom domain ID.
Refer to the Fabric OS Command Reference for details about the portCfgExPort and fcrXlateConfig commands.
Blocking zone merge after reboot
To ensure that a zone merge is blocked following a switch reboot, enter the no fabric isl enable command to disable the ISL between neighboring Brocade VDX switches.
CAUTION
Brocade recommends that you do not use the shutdown command. If you use the shutdown command, then following a switch reboot, the zone merge could happen before the shutdown command is replayed from the running configuration.
FIGURE 78 Normal Layer 2 packet traversing a VCS fabric
In the figure above, an Ethernet packet arrives from MAC 1 at the VCS fabric edge. TRILL header information is added while the packet passes through the VCS fabric. The TRILL information is removed on leaving the VCS fabric, and a regular Ethernet packet arrives at MAC 2. The table below shows the Layer 2 packet header details.
FIGURE 79 Verifying path continuity with immediate neighbor
The table below shows the packet header information for the request and response. The added TRILL OAM information is shown in bold.
TABLE 102 Packet header details with Layer 2 traceroute — first hop
Traceroute request packet header / Traceroute reply packet header
Outer L2 DA = B1
Outer L2 SA = A1
Outer 802.
FIGURE 80 Verifying path continuity — second hop TTL count
The table below shows the packet header information for the request and response packets. Information specific to the Layer 2 traceroute feature is shown in bold.
TABLE 103 Packet header details with Layer 2 traceroute — second hop
Traceroute request — first hop (TTL = 2) / Traceroute request — second hop (TTL = 1) / Traceroute reply
Outer L2 DA = B1
Outer L2 SA = A1
Outer 802.
From the output, choose the source and destination MAC address:
• Source MAC address: 0050.5685.0003
• Destination MAC address: 0024.3878.e720
2. Enter the l2traceroute command.
switch2# l2traceroute
Source mac address : 0050.5685.0003
Destination mac address : 0024.3878.e720
Vlan [1-3962] : 101
Edge rbridge-id [1-239] : 3
Extended commands [Y/N]? : y
Protocol Type [IP] : IP
Source IP address : 101.101.101.10
Destination IP address : 101.101.101.
TABLE 104 show commands used for troubleshooting (Continued)
Columns: Command group / Commands / Specific fields or purpose
Interface commands:
  show interface
  show media
  show ip int brief
  show qos flowcontrol interface: Check pause-frames
  show qos queue interface: Check the CoS statistics
  show qos rcv-queue interface: Check packet drops, buffer consumption, real-time queue statistics
  show qos int: Check the QoS configuration on an interface
Diagnostic commands:
  show diags status
  show
Using debug commands
You can perform the following operations related to debugging features:
• To enable debugging on a feature, use the debug command.
debug feature required-keywords
• To check whether debugging is enabled on a feature, use the show debug command.
show debug feature
• To disable debugging, use the no debug command.
no debug feature required-keywords
Use caution when debugging in real time on a production switch, because real-time debugging is CPU-intensive.
TABLE 105 ASICs and ports
Network OS switch / ASIC / Port numbers
Brocade VDX 6720-60 and Brocade VDX 6730-76:
  ASIC 0: te0/1 through te0/10
  ASIC 1: te0/11 through te0/20
  ASIC 2: te0/21 through te0/30
  ASIC 3: te0/31 through te0/40
  ASIC 4: te0/41 through te0/50
  ASIC 5: te0/51 through te0/60
Brocade VDX 6710:
  ASIC 0: te0/1 through te0/6 and gi0/1 through gi0/14
  ASIC 1: gi0/15 through gi0/27
  ASIC 2: gi0/28 through gi0/48
The destination port cannot be an ISL, Layer 2, Layer 3, QoS, ACL, 802.
short command, which typically takes 10 to 15 minutes. Alternatively, you can run subsets of the offline commands that check various parts of the hardware. The table below shows the complete list of supported offline commands.
TABLE 106 Offline diagnostic commands
Offline diagnostic command / Purpose
diag burninerrclear: Clears the errors that are stored in the nonvolatile storage during the burnin process.
diag clearerror: Clears the diagnostics failure status.
Use the show fabric route pathinfo command to display routing information from a source port on the local switch to a destination port on another switch. The command output describes the exact data path between these ports, including all intermediate switches. To use the show fabric route pathinfo command across remote fabrics, you must specify both the VCS ID (or Fabric ID) and the RBridge ID (or domain ID) of the remote switch.
TACACS+ Accounting Exceptions
● TACACS+ command-accounting limitations ..... 725
● Unsupported Network OS command line interface commands ..... 725

TACACS+ command-accounting limitations
TACACS+ command accounting is subject to the following limitations:
• The TACACS+ command-accounting logs only the Network OS CLI base command name.
TABLE 108 Unsupported Network OS CLI commands in privileged EXEC mode (Continued)
Command name / Command Description
clear mcagt: Clears the MCAGT agent.
clear policy-map-counters: Clears the policy map counters.
clear sflow: Clears sFlow configuration data.
clear spanning-tree: Clears Spanning Tree Protocol (STP) configuration data.
clear vrrp: Clears Virtual Router Redundancy Protocol (VRRP) configuration data.
configure: Configures access mode.
show cee maps: Displays CEE maps.
show cipherset: Displays ciphers for LDAP and SSH.
show cli: Displays CLI session parameters.
show clock: Displays the date and time settings.
show diag: Displays diagnostic information.
show dot1x: Displays IEEE 802.1X Port-Based Access Control configuration data.
show ssm: Displays the switch services subsystem.
show startup-db: Displays the startup configuration.
show storm-control: Displays storm control configuration.
show statistics: Displays accounting information.
show system: Displays runtime system information.
show rmon: Displays the Remote Monitoring Protocol (RMON) configuration.
Supported NTP Regions and Time Zones
● Africa ..... 729
● America ..... 730
● Antarctica ..... 731
● Arctic .....
America
The table below lists region and city time zones supported in the America region.
TABLE 111 Region/city time zones in America region (Continued)
America/Boa_Vista America/Swift_Current America/Indiana/Tell_City America/Manaus America/Dawson America/Indiana/Petersburg America/Eirunepe America/Santiago America/Menominee America/Rio_Branco America/Bogota America/North_Dakota/Center America/Nassau America/Costa_Rica America/North_Dakota/New_Salem America/Belize America/Havana America/Denver America/St_Johns America/Dominica America/Boise America/Halifax Amer
TABLE 114 Region/city time zones in Asia region
Asia/Dubai Asia/Tokyo Asia/Gaza Asia/Kabul Asia/Bishkek Asia/Qatar Asia/Yerevan Asia/Phnom_Penh Asia/Yekaterinburg Asia/Baku Asia/Pyongyang Asia/Omsk Asia/Dhaka Asia/Seoul Asia/Novosibirsk Asia/Bahrain Asia/Kuwait Asia/Krasnoyarsk Asia/Brunei Asia/Almaty Asia/Irkutsk Asia/Thimphu Asia/Qyzylorda Asia/Yakutsk Asia/Shanghai Asia/Aqtobe Asia/Vladivostok Asia/Harbin Asia/Aqtau Asia/Sakhalin Asia/Chongqing Asia/Oral Asia/Mag
Australia
The table below lists region and city time zones supported in the Australia region.
TABLE 116 Region/city time zones in Australia region
Australia/Lord_Howe Australia/Sydney Australia/Darwin Australia/Hobart Australia/Brisbane Australia/Perth Australia/Currie Australia/Lindeman Australia/Eucla Australia/Melbourne Australia/Adelaide

Europe
The table below lists region and city time zones supported in the Europe region.
Indian
The table below lists region and city time zones supported in the Indian region.
TABLE 118 Region/city time zones in Indian region
Indian/Cocos Indian/Antananarivo Indian/Mahe Indian/Christmas Indian/Mauritius Indian/Kerguelen Indian/Chagos Indian/Maldives Indian/Mayotte Indian/Comoro Indian/Reunion

Pacific
The table below lists region and city time zones supported in the Pacific region.
Index 802.1Q default mapping 494 802.
access-group 334 ACL 334 Auto QoS restrictions 512 flow control 333 port-profile 329 port-profile states 330 priority 333 QoS profile 333 security profile 334 VLAN profile 332 AMPP overview 327 ARP cache 553 authentication, configuring 277 Automatic Login Balancing mode for AG 230 Automatic Migration of Port Profiles , See AMPP automatic uploading of supportSave data 88 Auto Migrating Port Profile (AMPP) 327 Auto-NAS server IP addresses, adding 514 Auto QoS adding Auto-NAS server IP addresses 514 adding N
configuration 501 considerations 476 storm control 476 displaying 511 clearing LACP counters on all LAG groups 446 LACP counters on a single LAG 446 BUM storm control considerations and limitations 476 C CA certificate 301 capturing supportSave data 87 CEE interface applying a MAC ACL 466 configuring for STP, RSTP, MSTP 424 configuring the hello time for MSTP 427 disabling or enabling STP on the interface 430 enabling and disabling 358 enabling as edge port for Spanning Tree 426 enabling guard root fo
802.1x interface-specific administrative features 520 802.
management interface, configuring 66 management interfaces 52 Ethernet, forwarding 341 Ethernet pause enabling 500 Ethernet Pause configuration 475 Ethernet port 62 Ethernet Priority Flow Control (PFC) 475 ETS overview 451 priority grouping of IPC, LAN, and SAN traffic 451 F flow-based sFlow considerations and limitations 527 described 527 disabling on specific interfaces 531 enabling 530 FlowControl 500 flow control 346 flow sample, described 525 Forwarding Information Bases, See FIB frame classifica
interface timeout setting 423 timeout setting, enabling 422 interface ports configuring 802.
adding a node 78 characteristics 55 configuration 57 configuring SPAN in 538 creating 72 description 55 mode conversions 77, 78 mode transitions 74, 76 principal node setting 72, 77 removing a node 78 replacing a node 79 Login Balancing mode 230 Login Balancing Mode enabling and disabling 231 login for FIP 347 logout from FIP 347 LSAN zone example of 195 naming 170 M MQC provisioning mode 509 MSTP Cisco interoperability 417 configuration guidelines and restrictions 408 configuring 416 configuring maxi
area border routers (ABRs) 584 area ranges 592 autonomous system boundary routers (ASBRs) 584 configuration 591 designated routers 585 Link State Advertisements 588 not-so-stubby areas 587 supported platforms 583 totally stubby areas 588 VCS environment 589 virtual links 588 OSPF VRF-Lite for customer-edge routers 610 See also VRF-Lite out of band management 53 output modifiers, CLI 45 overview ACL 461 link aggregation 293, 437 MSTP 409 PVST 410 RSTP 408 STP 407 Virtual Fabrics 375 configuration 579 IGMP
guidelines and restrictions 411 Q QoS congestion control 472 data center bridging map configuration overview 479 multicast rate limiting 476 overview 471 port-based policer binding the policy map to an interface 510 configuring a class map 505 configuring a police priority map 505 configuring parameters for a class map 507 configuring the policy map 506 considerations and limitations 484 displaying policing settings and policy maps 510 overview 482 policer binding rules 510 policing parameters 483 queuin
R RADIUS authentication, configuring 520 RADIUS server, LINUX configuration 281 Random Early Discard configuring RED thresholds 474 Rapid Per VLAN Spanning Tree+, See R-PVST+ Rapid PVST+, See R-PVST+ Rapid Spanning Tree Protocol, See RSTP RBAC permissions 41 readiness check enabling for 802.
configuration overview 536 configuring for bidirectional 537 configuring for egress 536 configuring for ingress 536 configuring in logical chassis cluster 538 deleting a session 538 deleting connection from a session 537 guidelines and limitations 534 in logical chassis cluster 533 logical chassis cluster guidelines and limitations 535 overview 533 spanning-tree clearing counters 424 clearing detected protocols 424 spanning-tree defaults 412 Spanning Tree Protocol. .
U configuring a CEE interface as a Layer 2 switch port 360 configuring a CEE interface as an access or trunk interface 360 configuring the MTU on an interface 358 displaying VLAN information 363 enabling and disabling a CEE interface 358 understanding MIBs 134 understanding SNMP basics 134 UniDirectional Link Detection (UDLD) commands 435 example 433 requirements 433 VLAN important management notes 357 VLAN classifier groups 363 VLAN classifier rules 362 default configuration 357 FDB ove
Z zone alias, adding members 178 alias, deleting 179 alias, removing members 179 aliases, creating and managing 177 configuration, definition 172 creating 180 creating configurations 184 deleting 182 member, adding 178, 179, 181 member, deleting 179, 181 merging 190 resources, optimizing 167 splitting a fabric 192 WWN, adding 178, 179, 181 WWN, deleting 179, 181 zone configuration, adding to 184 zone configuration creating 184 deleting 186 deleti