53-1003053-01 30 September 2013 Brocade TurboIron 24X Series Configuration Guide Supporting FastIron Software Release 08.0.
Copyright © 2013 Brocade Communications Systems, Inc. All Rights Reserved. ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents About This Document Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi Device nomenclature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi What’s new in this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii Text formatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Logging on through Brocade Network Advisor . . . . . . . . . . . . . . . . . 20 Chapter 3 Configuring Basic Software Features Configuring basic system parameters . . . . . . . . . . . . . . . . . . . . . . . . 21 Entering system administration information . . . . . . . . . . . . . . . 22 Configuring Simple Network Management Protocol (SNMP) parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Disabling Syslog messages and traps for CLI access . . . . . . . .
Loading and saving configuration files . . . . . . . . . . . . . . . . . . . . . . . 54 Replacing the startup configuration with the running configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Replacing the running configuration with the startup configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Logging changes to the startup-config file . . . . . . . . . . . . . . . . . 55 Copying a configuration file to or from a TFTP server . . . . . . . .
Configuring TACACS/TACACS+ security . . . . . . . . . . . . . . . . . . . . . . . 84 How TACACS+ differs from TACACS . . . . . . . . . . . . . . . . . . . . . . . 85 TACACS/TACACS+ authentication, authorization, and accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 TACACS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 TACACS/TACACS+ configuration considerations . . . . . . . . . . . . 89 Enabling TACACS . . . . . . . . . . . . . . .
Setting optional parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125 Setting the number of SSH authentication retries . . . . . . . . .126 Deactivating user authentication . . . . . . . . . . . . . . . . . . . . . . .126 Enabling empty password logins. . . . . . . . . . . . . . . . . . . . . . . .126 Setting the SSH port number . . . . . . . . . . . . . . . . . . . . . . . . . .127 Setting the SSH login timeout value . . . . . . . . . . . . . . . . . . . . .
Clearing global IPv6 information . . . . . . . . . . . . . . . . . . . . . . . . . . .150 Clearing the IPv6 cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150 Clearing IPv6 neighbor information . . . . . . . . . . . . . . . . . . . . .150 Clearing IPv6 traffic statistics . . . . . . . . . . . . . . . . . . . . . . . . . .151 Displaying global IPv6 information. . . . . . . . . . . . . . . . . . . . . . . . . .151 Displaying IPv6 cache information . . . . . . . . . . . . . . . . . . . . . .
Reading CDP packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182 Enabling interception of CDP packets globally . . . . . . . . . . . .182 Enabling interception of CDP packets on an interface . . . . . .182 Displaying CDP information. . . . . . . . . . . . . . . . . . . . . . . . . . . .182 Clearing CDP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184 Chapter 10 Configuring LLDP Terms used in this chapter . . . . . . . . . . . . . . . . . . . . . . . .
Digital optical monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213 Supported media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213 Media not supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214 Supported media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214 Media not supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214 Configuration limitations . . . . . . . . . . . . . . .
sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 sFlow support for IPv6 packets. . . . . . . . . . . . . . . . . . . . . . . . .242 Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . .243 Configuring and enabling sFlow . . . . . . . . . . . . . . . . . . . . . . . .244 Displaying sFlow information . . . . . . . . . . . . . . . . . . . . . . . . . .249 Configuring a utilization list for an uplink port . . . . . . . . . . .
Chapter 15 Configuring Metro Features Topology groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273 Master VLAN and member VLANs . . . . . . . . . . . . . . . . . . . . . .273 Control ports and free ports . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Configuring a topology group . . . . . . . . . . . . . . . . . . . . . . . . . .275 Displaying topology group information . .
Configuring a trunk group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336 CLI syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336 Example 1: Configuring the trunk groups shown in Figure 75337 Example 2: Configuring a trunk group that spans two Gbps Ethernet modules in a chassis device . . . . . . . . . . .338 Example 3: Configuring a multi-slot trunk group with one port per module . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Routing between VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Virtual routing interfaces (Layer 3 Switches only) . . . . . . . . . . 374 Routing between VLANs using virtual routing interfaces (Layer 3 Switches only) . . . . . . . . . . . . . . . . . . . . . .375 Dynamic port assignment (Layer 2 Switches and Layer 3 Switches) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 Assigning a different VLAN ID to the default VLAN . . . . . . . . .
Chapter 19 Configuring Port Mirroring and Monitoring Mirroring support by platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423 Configuring port mirroring and monitoring . . . . . . . . . . . . . . . . . . .423 Configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424 Monitoring a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425 Monitoring an individual trunk port . . . . . . . . . . . . . . . . . . . . .
Configuring IP parameters – Layer 2 Switches . . . . . . . . . . . . . . . .484 Configuring the management IP address and specifying the default gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .485 Configuring Domain Name Server (DNS) resolver. . . . . . . . . .486 Changing the TTL threshold . . . . . . . . . . . . . . . . . . . . . . . . . . .487 Configuring DHCP Assist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RIP parameters and defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .592 RIP global parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .592 RIP interface parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593 Configuring RIP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593 Enabling RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593 Configuring metric parameters . . . . . . . . . . . . . .
Configuring OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .613 Configuration rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .614 OSPF parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .614 Enable OSPF on the router . . . . . . . . . . . . . . . . . . . . . . . . . . . .615 Assign OSPF areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .616 Assigning an area range (optional) . . . . . . . . . . .
Chapter 24 Configuring BGP4 Overview of BGP4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .660 Relationship between the BGP4 route table and the IP route table 660 How BGP4 selects a path for a route . . . . . . . . . . . . . . . . . . . .661 BGP4 message types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663 Basic configuration and activation for BGP4 . . . . . . . . . . . . . . . . .665 Note regarding disabling BGP4. . . . . . . . . . . . . . . . . . . .
Modifying redistribution parameters . . . . . . . . . . . . . . . . . . . . . . . .699 Redistributing connected routes. . . . . . . . . . . . . . . . . . . . . . . .699 Redistributing RIP routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .700 Redistributing OSPF external routes. . . . . . . . . . . . . . . . . . . . .700 Redistributing static routes . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Clearing route flap dampening statistics. . . . . . . . . . . . . . . . . . . . .765 Removing route flap dampening . . . . . . . . . . . . . . . . . . . . . . . . . . .765 Clearing diagnostic buffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .766 Chapter 25 Configuring IP Multicast Traffic Reduction IGMP snooping overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .767 IGMP V1, V2, and V3 snooping support . . . . . . . . . . . . . . . . . .
PIM SM snooping show commands. . . . . . . . . . . . . . . . . . . . . . . . .788 Displaying PIM SM snooping information. . . . . . . . . . . . . . . . .788 Displaying PIM SM snooping information on a Layer 2 switch788 Displaying PIM SM snooping information for a specific group or source group pair . . . . . . . . . . . . . . . . . . . . . . . . . . . .789 Clear commands for IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . .790 Clearing the IGMP mcache . . . . . . . . . . . . . . . . . . . . . .
Using ACLs to control multicast features. . . . . . . . . . . . . . . . . . . . .849 Using ACLs to limit static RP groups . . . . . . . . . . . . . . . . . . . . .849 Using ACLs to limit PIM RP candidate advertisement . . . . . . .851 Tracing a multicast route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .852 Displaying the multicast configuration for another multicast router853 IGMP V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .894 VRRP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .894 VRRPE example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .895 Chapter 28 Configuring Rule-Based IP Access Control Lists ACL overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .897 Types of IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using ACLs to control multicast features. . . . . . . . . . . . . . . . . . . . .925 Enabling and viewing hardware usage statistics for an ACL . . . . .925 Displaying ACL information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .926 Troubleshooting ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .926 Chapter 29 Configuring Traffic Policies About traffic policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring 802.1X port security . . . . . . . . . . . . . . . . . . . . . . . . . . .950 Configuring an authentication method list for 802.1X . . . . . .950 Setting RADIUS parameters . . . . . . . . . . . . . . . . . . . . . . . . . . .951 Configuring dynamic VLAN assignment for 802.1X ports . . . .954 Dynamically applying IP ACLs and MAC filters to 802.1X ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .958 Enabling 802.1X port security. . . . . . . . . . . . . . . . . .
Configuring the MAC port security feature . . . . . . . . . . . . . . . . . . .992 Enabling the MAC port security feature . . . . . . . . . . . . . . . . . .992 Setting the maximum number of secure MAC addresses for an interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .993 Setting the port security age timer . . . . . . . . . . . . . . . . . . . . . .993 Specifying secure MAC addresses . . . . . . . . . . . . . . . . . . . . . .
Displaying multi-device port authentication information . . . . . . .1015 Displaying authenticated MAC address information . . . . . . .1015 Displaying multi-device port authentication configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1016 Displaying multi-device port authentication information for a specific MAC address or port . . . . . . . . . . . . . . . . . . . . .1016 Displaying the authenticated MAC addresses . . . . . . . . . . . .
Configuring DSCP-based QoS. . . . . . . . . . . . . . . . . . . . . . . . . . . . .1041 Application notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1042 Using ACLs to honor DSCP-based QoS . . . . . . . . . . . . . . . . . 1042 Configuring the QoS mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . 1042 Default DSCP –> Internal forwarding priority mappings . . .
About This Document In this chapter • Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi • Device nomenclature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi • What’s new in this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii • Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii • Notice to the reader .
What’s new in this document There are no enhancements in FastIron release 08.0.01 for TurboIron 24X. Document conventions This section describes text formatting conventions and important notice formats used in this document.
Notice to the reader This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations.
Document feedback Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to: documentation@brocade.com Provide the title and version number of the document and as much detail as possible about your comment, including the topic heading and page number and your suggestions for improvement.
Chapter 1 Feature Highlights In this chapter • Supported features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 • Supported IPv6 management features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 • Unsupported features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Introduction to features The features that are available on a device depend on the type of software image the device is running.
Supported features

TABLE 3 Supported management features (Continued)
Feature (category, description, and configuration notes) / TurboIron X Series
• Combined DSCP and internal marking in one ACL rule: Yes
• Disabling TFTP access: Yes
• Brocade Network Advisor: Yes
• P-Bridge and Q-Bridge MIBs: Yes
• Remote monitoring (RMON): Yes
• sFlow: for inbound traffic only; 802.
TABLE 4 Supported security features (Continued)
Feature (category, description, and configuration notes) / TurboIron X Series
• Authentication, Authorization and Accounting (AAA): RADIUS, TACACS/TACACS+: Yes
• Denial of Service (DoS) protection: TCP SYN attacks and ICMP attacks: Yes
• Local passwords: Yes
• MAC filter override of 802.
TABLE 5 Supported system-level features (Continued)
Feature (category, description, and configuration notes) / TurboIron X Series
• ACL-based rate limiting: TurboIron X Series devices support ACL-based fixed and adaptive rate limiting on inbound ports: Yes
• ACL filtering based on VLAN membership or VE port membership: Yes
• ACL logging of denied packets: ACL logging is supported for denied packets, which are sent to the CPU for logging; ACL logging is not supported for permitted packets; P
TABLE 5 Supported system-level features (Continued)
Feature (category, description, and configuration notes) / TurboIron X Series
• Foundry Discovery Protocol (FDP) / Cisco Discovery Protocol (CDP): Yes
• LLDP: Yes
• MAC filter-based mirroring: Yes
• Multi-port static MAC address: Yes
• Multiple Syslog server logging: up to six Syslog servers: Yes
• Negative temperature setting: Yes
• Outbound rate shaping: Yes
• Port flap dampening: Yes
• Port mirroring and monitoring: mirroring of both inbound and o
TABLE 6 Supported Layer 2 features (Continued)
Feature (category, description, and configuration notes) / TurboIron X Series
• 802.1s Multiple Spanning Tree: Yes
• 802.1W Rapid Spanning Tree (RSTP): 802.1W RSTP support allows for sub-second convergence (both final standard and draft 3 supported): Yes
• 802.3ad link aggregation (dynamic trunk groups): TurboIron X Series ports enabled for link aggregation follow the same rules as ports configured for trunk groups.
TABLE 6 Supported Layer 2 features (Continued)
Feature (category, description, and configuration notes) / TurboIron X Series
• PVRST+ compatibility: Yes
• Root Guard: Yes
• Super Aggregated VLANs: Yes
• Trunk groups: trunk threshold for static trunk groups; flexible trunk group membership: Yes
• Topology groups: Yes
• Uni-directional Link Detection (UDLD) (link keepalive): Yes
• Uplink ports within a port-based VLAN: Yes
• VLAN support: 802.
• OSPF V2 (IPv4)
• Route-only support (global and interface configuration levels)
• VRRP
• Anycast RP
• IGMP V1, V2, and V3 (for multicast routing scenarios)
• IP multicast routing protocols (PIM-SM, PIM-DM): TurboIron X Series devices support PIM-SM and PIM-DM
• ICMP Redirect messages
• Multiprotocol Source Discovery Protocol (MSDP)
• Route-only support:
  • Disabling Layer 2 switching at the CLI interface level as well as the global CONFIG level.
TABLE 7 Supported IPv6 management features
Feature (category, description, and configuration notes) / TurboIron X Series
• Telnet: Yes
• TFTP: Yes
• Traps: Yes

Unsupported features

Table 8 lists the features that are not supported on the TurboIron X Series devices. If required, these features are available on other Brocade devices.
Chapter 2 Getting Familiar with Management Applications In this chapter • Using the management port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Logging on through the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Using and port number with CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . • Logging on through Brocade Network Advisor. . . . . . . . . . . . . . . . . . . . . . . .
Using the management port

TurboIron(config-if-mgmt)#ip addr 10.44.9.64/24
TurboIron(config)#show running-config interface management 1
interface management 1
 ip address 10.44.9.64 255.255.255.0

To display the current configuration, use the show interfaces management command.

Syntax: show interfaces management

TurboIron(config)#show interfaces management 1
GigEthernetmgmt1 is up, line protocol is up
  Hardware is GigEthernet, address is 0000.0076.544a (bia 0000.0076.
TurboIron#show statistics management 1
Port   Link  State  Dup   Speed  Trunk
mgmt1  Up    None   Full  100M   None

InOctets          3210941
InPkts            39939
InBroadcastPkts   4355
InMulticastPkts   35214
InUnicastPkts     370
InBadPkts         0
InFragments       0
InDiscards        0
CRC               0
InErrors          0
InGiantPkts       0
InShortPkts       0
InJabber          0
InFlowCtrlPkts    0
InBitsPerSec      83728
InPktsPerSec      130
InUtilization     0.
Logging on through the CLI On-line help To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed. If you enter part of a command, then enter “?” or press Tab, the CLI lists the options you can enter at this point in the command string. If you enter an invalid command followed by ?, a message appears indicating the command was unrecognized.
TABLE 9 CLI line editing commands
• Ctrl+A: Moves to the first character on the command line.
• Ctrl+B: Moves the cursor back one character.
• Ctrl+C: Escapes and terminates command prompts and ongoing tasks (such as lengthy displays), and displays a fresh command prompt.
• Ctrl+D: Deletes the character at the cursor.
• Ctrl+E: Moves to the end of the current command line.
• Ctrl+F: Moves the cursor forward one character.
Searching and filtering output from show commands

You can filter output from show commands to display lines containing a specified string, lines that do not contain a specified string, or output starting with a line containing a specified string. The search string is a regular expression consisting of a single character or string of characters. You can use special characters to construct complex regular expressions.
3    closed
4    closed
5    closed

Syntax: show-command | begin <regular-expression>

Searching and filtering output at the --More-- prompt

The --More-- prompt displays when output extends beyond a single page. From this prompt, you can press the Space bar to display the next page, the Return or Enter key to display the next line, or Ctrl+C or Q to cancel the display. In addition, you can search and filter output from this prompt.
undebug     Disable debugging functions (see also 'debug')
undelete    Undelete flash card files
whois       WHOIS lookup
write       Write running configuration to flash or terminal

As with the modifiers for filtering output from show commands, the search string is a regular expression consisting of a single character or string of characters. You can use special characters to construct complex regular expressions.
TABLE 10 Special characters for regular expressions (Continued)
• _ (underscore): Matches on one or more of the following:
  , (comma)
  { (left curly brace)
  } (right curly brace)
  ( (left parenthesis)
  ) (right parenthesis)
  The beginning of the input string
  The end of the input string
  A blank space

For example, the following regular expression matches on “100” but not on “1002”, “2100”, and so on.
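The following Python script is an added example, not part of this guide or of the FastIron software, showing how the include, exclude and begin filters and the underscore wildcard from Table 10 behave when re-implemented on a management host (for example, to post-process output collected over SSH). The show-command output it filters is constructed for the example; the translation of the underscore into a Python regular expression follows the definition in Table 10.

```python
import re
from typing import List

# The underscore wildcard from Table 10 matches a comma, a curly brace, a
# parenthesis, a blank, or the beginning or end of the line.
UNDERSCORE = r"(?:[,{}()\s]|^|$)"

# Constructed sample of show-command output (not captured from a device).
SAMPLE_OUTPUT = """\
Port  State   Value
1     closed  100
2     open    1002
3     closed  2100
4     open    (100)
5     closed  10
"""


def cli_regex_to_python(pattern: str) -> "re.Pattern":
    """Translate a CLI search string into a compiled Python regex.

    Only the underscore needs translating; the other special characters in
    Table 10 (. * + ^ $ and bracket classes) mean the same thing in Python.
    """
    return re.compile(pattern.replace("_", UNDERSCORE))


def filter_output(text: str, mode: str, pattern: str) -> List[str]:
    """Apply '| include', '| exclude' or '| begin' to show-command output.

    include: only the lines that match the pattern
    exclude: only the lines that do NOT match the pattern
    begin:   everything from the first matching line to the end of the output
    """
    regex = cli_regex_to_python(pattern)
    lines = text.splitlines()
    if mode == "include":
        return [line for line in lines if regex.search(line)]
    if mode == "exclude":
        return [line for line in lines if not regex.search(line)]
    if mode == "begin":
        for index, line in enumerate(lines):
            if regex.search(line):
                return lines[index:]
        return []
    raise ValueError("unknown filter mode: %r" % mode)


if __name__ == "__main__":
    # "_100_" matches the whole token 100 (also inside parentheses) but not
    # 1002 or 2100, which is the distinction the underscore exists for.
    for line in filter_output(SAMPLE_OUTPUT, "include", "_100_"):
        print(line)
```

Without the underscores, "include 100" also returns the 1002 and 2100 rows, which is the usual mistake when grepping for a VLAN ID, port number or route prefix that is a substring of another value.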
After the alias is configured, entering shoro at either the Privileged EXEC or CONFIG levels of the CLI executes the show ip route command.

To create an alias called wrsbc for copy running-config tftp 10.10.10.10 test.cfg, enter the following command.

TurboIron(config)#alias wrsbc = copy running-config tftp 10.10.10.10 test.cfg

To remove the wrsbc alias from the configuration, enter one of the following commands.
Chapter 3 Configuring Basic Software Features In this chapter • Configuring basic system parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 • Configuring basic port parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Configuring basic system parameters Brocade devices are configured at the factory with default parameters that allow you to begin using the basic features of the system immediately.
Configuring basic system parameters NOTE For information about the Syslog buffer and messages, refer to Chapter 12, “Using Syslog”. Entering system administration information You can configure a system name, contact, and location for a device and save the information locally in the configuration file for future reference. This information is not required for system operation but is suggested. When you configure a system name, the name replaces the default system name in the CLI command prompt.
Specifying an SNMP trap receiver

You can specify a trap receiver to ensure that all SNMP traps sent by the device go to the same SNMP trap receiver or set of receivers, typically one or more host devices on the network. When you specify the host, you also specify a community string. The device sends all the SNMP traps to the specified hosts and includes the specified community string. With SNMP version 1 and version 2c the community string is carried in cleartext in every trap, so do not reuse the device's read-write community as the trap community.
Configuring basic system parameters Specifying a single trap source You can specify a single trap source to ensure that all SNMP traps sent by the device use the same source IP address. When you configure the SNMP source address, you specify the Ethernet port, loopback interface, or virtual interface that is the source for the traps. The device then uses the lowest-numbered IP address configured on the port or interface as the source IP address in the SNMP traps sent by the device.
TurboIron(config)#snmp-server enable traps holddown-time 30

The command in this example changes the holddown time for SNMP traps to 30 seconds. The device waits 30 seconds to allow convergence in STP and OSPF before sending traps to the SNMP trap receiver.

Syntax: [no] snmp-server enable traps holddown-time <seconds>

The <seconds> parameter specifies the number of seconds and can be from 1 – 600 (ten minutes). The default is 60 seconds.
• VRRP-E

To stop link down occurrences from being reported, enter the following.

TurboIron(config)#no snmp-server enable traps link-down

Syntax: [no] snmp-server enable traps

Disabling Syslog messages and traps for CLI access

TurboIron X Series devices send Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI.
Configuring basic system parameters The first message (the one on the bottom) indicates that user “dg” logged in to the CLI User EXEC level on October 15 at 5:38 PM and 3 seconds (Oct 15 17:38:03). The same user logged into the Privileged EXEC level four seconds later. The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.
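The login and logout messages described above are the evidence an operator has of who held Privileged EXEC (and therefore CONFIG) access and for how long. The following Python script is an added example, not part of this guide or of the FastIron software, that rebuilds CLI sessions from a Syslog buffer and flags long Privileged EXEC sessions. The buffer it parses is constructed for the example and follows the newest-first order the device uses; the exact message wording is an assumption modelled on the messages described above, so adjust LINE_RE to the messages your device actually emits.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of the Syslog buffer as the device displays it, newest
# entry first. The message format is an assumption modelled on the login and
# logout messages described in the text, not captured from a device.
SAMPLE_LOG = """\
Oct 15 17:59:22:I:Security: telnet logout by dg from 10.1.1.50 from PRIVILEGED EXEC mode
Oct 15 17:38:07:I:Security: telnet login by dg from 10.1.1.50 to PRIVILEGED EXEC mode
Oct 15 17:38:03:I:Security: telnet login by dg from 10.1.1.50 to USER EXEC mode
Oct 15 17:31:40:I:Security: telnet logout by ops from 10.1.1.7 from USER EXEC mode
Oct 15 17:30:12:I:Security: telnet login by ops from 10.1.1.7 to USER EXEC mode
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):I:Security: "
    r"\w+ (?P<event>login|logout) by (?P<user>\S+) from (?P<src>\S+) "
    r"(?:to|from) (?P<mode>USER EXEC|PRIVILEGED EXEC) mode$"
)


def parse_events(text: str) -> List[tuple]:
    """Parse login/logout messages and return them oldest-first."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # some other Syslog message; ignore it
        # The timestamp carries no year, so durations are only meaningful within one day.
        ts = datetime.strptime(match["ts"], "%b %d %H:%M:%S")
        events.append((ts, match["event"], match["user"], match["src"], match["mode"]))
    events.sort(key=lambda e: e[0])  # the buffer is newest-first; replay oldest-first
    return events


def sessions(text: str) -> List[Dict]:
    """Rebuild sessions: when each user logged in, entered Privileged EXEC, and logged out."""
    open_sessions: Dict[str, Dict] = {}
    finished: List[Dict] = []
    for ts, event, user, src, mode in parse_events(text):
        if event == "login":
            session = open_sessions.setdefault(
                user, {"user": user, "src": src, "login": ts, "enable": None, "logout": None})
            if mode == "PRIVILEGED EXEC":
                session["enable"] = ts  # CONFIG levels need no further authentication after this
        else:
            session = open_sessions.pop(user, None)
            if session is None:
                continue  # logout whose login has already aged out of the buffer
            session["logout"] = ts
            finished.append(session)
    finished.extend(open_sessions.values())  # still logged in at the end of the buffer
    return finished


def privileged_seconds(session: Dict) -> Optional[float]:
    """Seconds spent at Privileged EXEC, or None if never reached or the session is still open."""
    if session["enable"] is None or session["logout"] is None:
        return None
    return (session["logout"] - session["enable"]).total_seconds()


def long_privileged_sessions(text: str, threshold_seconds: float) -> List[str]:
    """Users whose Privileged EXEC time exceeded the threshold; a simple review trigger."""
    return [s["user"] for s in sessions(text)
            if (privileged_seconds(s) or 0) > threshold_seconds]


if __name__ == "__main__":
    for s in sessions(SAMPLE_LOG):
        print(s["user"], s["src"], s["login"].time(), s["logout"].time(), privileged_seconds(s))
```

Because the buffer is finite and newest-first, a logout without a matching login is normal for old sessions and is skipped rather than treated as an error; a session that never logs out is reported with no logout time, which is what you want to see for an operator still connected.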
TurboIron(config)#interface ethernet 4
TurboIron(config-if-e10000-4)#ip address 10.157.22.110/24
TurboIron(config-if-e10000-4)#exit
TurboIron(config)#ip telnet source-interface ethernet 4

Cancelling an outbound Telnet session

If you want to cancel a Telnet session from the console to a remote Telnet server (for example, if the connection is frozen), you can terminate the Telnet session by doing the following.

1. At the console, press Ctrl+^ (Ctrl+Shift+6).
2.
Configuring basic system parameters TABLE 12 Output from the show sntp associations command This field... Displays...
Configuring basic system parameters NOTE You can synchronize the time counter with your NTPv4 server time by entering the sntp sync command from the Privileged EXEC level of the CLI. NOTE Unless you identify an NTPv4 server for the system time and date, you will need to re-enter the time and date following each reboot. For more details about NTPv4, refer to “Specifying a Simple Network Time Protocol (NTPv4) server” on page 28.
Configuring basic system parameters New start and end dates for US daylight saving time NOTE This feature applies to US time zones only. Starting in 2007, the system will automatically change the system clock to Daylight Saving Time (DST), in compliance with the new federally mandated start of daylight saving time, which is extended one month beginning in 2007. The DST will start at 2:00am on the second Sunday in March and will end at 2:00am on the first Sunday in November.
On TurboIron X Series devices, multicast limiting is independent of broadcast limiting. To enable multicast limiting on devices, enter commands such as the following.

TurboIron(config)#interface ethernet 1 to 8
TurboIron(config-mif-e10000-1-8)#multicast limit 65536

To enable unknown unicast limiting by counting the number of packets received, enter commands such as the following.
TurboIron(config)#interface ethernet 8
TurboIron(config-if-e10000-8)#multicast limit 9000 kbps
Multicast limit in kbits/sec set to 8064

The device adjusts the requested rate to a value the hardware supports and reports the rate actually applied, so check the confirmation message rather than assuming the configured value is in effect.

To enable unknown unicast limiting, enter commands such as the following.
Use the show rate-limit unknown-unicast command to display the unknown unicast limit for each port region to which it applies.

TurboIron#show rate-limit unknown-unicast
Unknown Unicast Limit Settings:
Port Region   Combined Limit   Packets/Bytes
1 - 12        524288           Packets
13 - 24       65536            Bytes

Syntax: show rate-limit unknown-unicast

Use the show rate-limit broadcast command to display the broadcast limit or broadcast and multicast limit for each port to which it applies.
Configuring basic port parameters

Assigning a port name

A port name can be assigned to help identify interfaces on the network. You can assign a port name to physical ports, virtual interfaces, and loopback interfaces. To assign a name to a port, enter commands such as the following.

TurboIron(config)#interface e 2
TurboIron(config-if-e10000-2)#port-name Marsha

Syntax: port-name <text>

The <text> parameter is an alphanumeric string. The name can be up to 64 characters long. The name can contain blanks.
• 10-half – 10 Mbps, half duplex
• 100-full – 100 Mbps, full duplex
• 100-half – 100 Mbps, half duplex
• 1000 – 1 Gbps, full duplex (not supported on TurboIron X Series 10-GbE ports)
• 1000-full-master – 1 Gbps, full duplex master (supported on the TurboIron X Series)
• 1000-full-slave – 1 Gbps, full duplex slave (not supported on the TurboIron X Series)
• 10000 – 10 Gbps, full duplex (supported on TurboIron X Series 10-GbE ports only)
• auto – auto-negotiation

The
TurboIron(config)#interface e 8
TurboIron(config-if-e10000-8)#disable

Syntax: disable

You also can disable or re-enable a virtual interface. To do so, enter commands such as the following.

TurboIron(config)#interface ve v1
TurboIron(config-vif-1)#disable

Syntax: disable

To re-enable a virtual interface, enter the enable command at the Interface configuration level. For example, to re-enable virtual interface v1, enter the following command.
Commands may be entered in IF (single port) or MIF (multiple ports at once) mode.

TurboIron(config)#interface ethernet 21
TurboIron(config-if-e10000-21)#flow-control

This command enables flow-control on port 21.

TurboIron(config)#interface e 11 to 15
TurboIron(config-mif-11-15)#flow-control

This command enables flow-control on ports 11 to 15.
Configuring IPG on a 10 Gbps Ethernet interface

To configure IPG on a 10 Gbps Ethernet interface, enter commands such as the following.

TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#ipg-xgmii 120
IPG 120(128) has been successfully configured for port 1

The value in parentheses is the IPG the hardware actually applies; here a requested 120 bit times is set to 128.

Syntax: [no] ipg-xgmii <bit-time>

Enter 96-192 for <bit-time>. The default is 96 bit time.
Configuring basic port parameters If the port link state toggles from up to down for a specified number of times within a specified period, the interface is physically disabled for the specified wait period. Once the wait period expires, the port link state is re-enabled. However, if the wait period is set to zero (0) seconds, the port link state will remain disabled until it is manually re-enabled.
Configuring basic port parameters TurboIron(config)#interface ethernet 1 TurboIron(config-if-e10000-1)#no link-error-disable 10 3 10 Displaying ports configured with port flap dampening Ports that have been disabled due to the port flap dampening feature are identified in the output of the show link-error-disable command. The following shows an example output. TurboIron#show link-error-disable Port 1 is forced down by link-error-disable.
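The following is an added example, not Brocade code, that models the port flap dampening behaviour described above so the wait-period rule can be checked against a constructed trace of link events. It assumes the three numbers in the link-error-disable command are, in order, the toggle threshold, the sampling time in seconds and the wait time in minutes; that mapping is an assumption of the example, not something the text above spells out.

```python
"""Port flap dampening, modelled on the behaviour described above.

Added example (not Brocade code). Assumption: 'link-error-disable A B C'
means toggle threshold A, sampling time B seconds, wait time C minutes.
"""
from collections import deque


class FlapDampener:
    def __init__(self, toggle_threshold, sampling_time_s, wait_time_min):
        self.threshold = toggle_threshold
        self.window = sampling_time_s
        self.wait_s = wait_time_min * 60        # 0 means "stay down until manually re-enabled"
        self.toggles = deque()                  # times of recent up->down transitions
        self.link_up = True
        self.errdisabled_at = None              # time the port was forced down, or None

    def _expire(self, now):
        # Only transitions inside the sampling window count toward the threshold.
        while self.toggles and now - self.toggles[0] > self.window:
            self.toggles.popleft()

    def tick(self, now):
        """Re-enable the port once the wait period has elapsed; never when wait is 0."""
        if (self.errdisabled_at is not None and self.wait_s > 0
                and now - self.errdisabled_at >= self.wait_s):
            self.errdisabled_at = None
            self.link_up = True

    def link_event(self, now, up):
        """Feed one link-state change at time `now` (seconds) and return the port state."""
        self.tick(now)
        if self.errdisabled_at is not None:
            return self.state()                 # port is physically disabled; the event is ignored
        if self.link_up and not up:             # an up->down toggle
            self.toggles.append(now)
            self._expire(now)
            if len(self.toggles) >= self.threshold:
                self.errdisabled_at = now
                self.toggles.clear()
        self.link_up = up
        return self.state()

    def manual_enable(self, now):
        """Operator clears the condition (the only way out when the wait time is 0)."""
        self.errdisabled_at = None
        self.link_up = True

    def state(self):
        if self.errdisabled_at is not None:
            return "ERR-DISABLED"
        return "up" if self.link_up else "down"


def replay(events, toggle_threshold, sampling_time_s, wait_time_min):
    """Run a constructed sequence of (time, link_up) events; return the state after each."""
    d = FlapDampener(toggle_threshold, sampling_time_s, wait_time_min)
    return [d.link_event(t, up) for t, up in events]


if __name__ == "__main__":
    # Constructed trace: three up->down toggles within 4 seconds, threshold 3 in 10 s, wait 1 min.
    flaps = [(0, False), (1, True), (2, False), (3, True), (4, False)]
    print(replay(flaps, 3, 10, 1))   # ['down', 'up', 'down', 'up', 'ERR-DISABLED']
```

With a wait time of 0 the modelled port never leaves ERR-DISABLED on its own, matching the text; only manual_enable clears it. When you tune the threshold, remember that an attacker or a faulty transceiver on an access port can trip this deliberately, so pair a short wait time on user-facing ports with monitoring of the show link-error-disable output.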
Configuring basic port parameters TurboIron#show interface ethernet 15 GigabitEthernet15 is up, line protocol is up Link Error Dampening is Enabled Hardware is GigabitEthernet, address is 0000.0000.010e (bia 0000.0000.010e) Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx Configured mdi mode AUTO, actual MDIX TurboIron#show interface ethernet 17 GigabitEthernet17 is ERR-DISABLED, line protocol is down Link Error Dampening is Enabled Hardware is GigabitEthernet, address is 0000.0000.
Configuring basic port parameters • The device automatically re-enables the port. To set your device to automatically re-enable Err-Disabled ports, refer to “Configuring the device to automatically re-enable ports” on page 44. Configuration notes • Loopback detection packets are sent and received on both tagged and untagged ports. Therefore, this feature cannot be used to detect a loop across separate devices. • On TurboIron X Series devices, the port loop detection feature works only on untagged ports.
Configuring basic port parameters Configuring a global loop detection interval The loop detection interval specifies how often a test packet is sent on a port. When loop detection is enabled, the loop detection time unit is 0.1 second, with a default of 10 (one second). The range is from 1 (one tenth of a second) to 100 (10 seconds). You can use the show loop-detection status command to view the loop detection interval.
Syntax: [no] errdisable recovery interval <interval>

The <interval> parameter is a number from 10 to 65535.

Clearing loop-detection

To clear loop detection statistics and re-enable all ports that are in Err-Disable state because of a loop detection, enter the following command.

TurboIron#clear loop-detection

Displaying loop-detection information

Use the show loop-detection status command to display loop detection status, as shown.
Configuring basic port parameters Syslog message The following message is logged when a port is disabled due to loop detection. This message also appears on the console. loop-detect: port ?\?\? vlan ?, into errdisable state The Errdisable function logs a message whenever it re-enables a port.
Chapter 4 Operations, Administration, and Maintenance

In this chapter
• Overview
• Determining the software versions installed and running on a device
• Image file types
• Upgrading software
Determining the software versions installed and running on a device NOTE If you are attempting to transfer a file using TFTP but have received an error message, refer to “Diagnostic error codes and remedies for TFTP transfers” on page 60. Determining the software versions installed and running on a device Use the following methods to display the software versions running on the device and the versions installed in flash memory.
Determining the software versions installed and running on a device • The “Compressed Pri Code size” line lists the flash code version installed in the primary flash area. • The “Compressed Sec Code size” line lists the flash code version installed in the secondary flash area. • The “Boot Monitor Image size” line lists the boot code version installed in flash memory. The device does not have separate primary and secondary flash areas for the boot image.
Image file types TurboIron#verify md5 secondary 01c410d6d153189a4a5d36c955653861 TurboIron#.........................Done Size = 2044830, MD5 01c410d6d153189a4a5d36c955653862 Verification FAILED. In the previous example, the codes did not match, and verification failed. If verification succeeds, the output will look like this. TurboIron#verify md5 secondary 01c410d6d153189a4a5d36c955653861 TurboIron#.........................Done Size = 2044830, MD5 01c410d6d153189a4a5d36c955653861 Verification SUCEEDED.
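The check below is an added example, not Brocade code. It reproduces what verify md5 does on the host side (hash the whole image, compare the full digest) and parses the device output shown above so the result can be acted on from a script. The image bytes are a constructed stand-in for a firmware file, and the expected digest is whatever the release notes or download page publish for that image. Note the limit of this check: MD5 is not collision resistant, so a matching digest confirms the file you transferred is the file the vendor published, not that the published file itself is trustworthy; treat it as a transfer-integrity check, not as authentication of the image.

```python
"""Host-side equivalent of 'verify md5' plus a parser for the device output.

Added example, not Brocade code. SAMPLE_IMAGE and DEVICE_OUTPUT_FAILED are
constructed; a real check compares against the digest the vendor publishes.
"""
import hashlib
import hmac
import re

# Constructed stand-in for an image file (not a real TurboIron image).
SAMPLE_IMAGE = b"TIX04200b1 constructed image bytes\n" * 1000

# Constructed copy of the failing output shown above (the device prints 'SUCEEDED' on success).
DEVICE_OUTPUT_FAILED = (
    "TurboIron#verify md5 secondary 01c410d6d153189a4a5d36c955653861\n"
    "TurboIron#.........................Done\n"
    "Size = 2044830, MD5 01c410d6d153189a4a5d36c955653862\n"
    "Verification FAILED.\n")

VERIFY_RE = re.compile(
    r"Size = (\d+), MD5 ([0-9a-fA-F]{32})\s+Verification (SUCC?EEDED|FAILED)")


def md5_hex(image: bytes) -> str:
    """Hex MD5 of the whole image, as 'verify md5' prints it."""
    return hashlib.md5(image).hexdigest()


def verify_image(image: bytes, expected_md5: str):
    """Return (size, digest, ok). The whole digest is compared, not a prefix."""
    digest = md5_hex(image)
    ok = hmac.compare_digest(digest, expected_md5.strip().lower())
    return len(image), digest, ok


def parse_verify_output(text: str):
    """Parse the device's 'verify md5' output into (size, digest, ok)."""
    m = VERIFY_RE.search(text)
    if m is None:
        raise ValueError("no 'verify md5' result found in output")
    return int(m.group(1)), m.group(2).lower(), m.group(3).startswith("SUC")


def mismatch_positions(expected_md5: str, reported_md5: str):
    """Hex-digit positions where two digests differ; the example above differs only in the last one."""
    pairs = zip(expected_md5.lower(), reported_md5.lower())
    return [i for i, (a, b) in enumerate(pairs) if a != b]
```

The failing output above differs from the expected digest in a single trailing hex digit, which is easy to miss by eye; always compare the full string programmatically or with the device's own verdict line.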
Upgrading software NOTE Use the copy tftp flash command to copy the boot code to the device only during a maintenance window. Attempting to do so during normal networking operations can cause disruption to the network. 3. Verify that the code has been successfully copied by entering the following command at any level of the CLI: • show flash The output will display the compressed boot ROM code size and the boot code version. 4. Upgrade the flash code as instructed in the following section.
Using SNMP to upgrade software The system responds with the following message. TurboIron#Load to buffer (8192 bytes per dot) ..................Write to boot flash...................... TFTP to Flash Done. TurboIron#Synchronizing with standby module... Boot image synchronization done. Using SNMP to upgrade software You can use a third-party SNMP management application to upgrade software on a device.
TurboIron(config)#flash 2047
set flash copy block size to 2048

Syntax: [no] flash <block-size>

The software rounds up the value you enter to the next valid power of two, and displays the resulting value. In this example, the software rounds the value up to 2048.

NOTE
If the value you enter is one of the valid powers of two for this parameter, the software still rounds the value up to the next valid power of two. Thus, if you enter 2048, the software rounds the value up to 4096.
TurboIron#show boot-preference
Boot system preference(Configured):
 Boot system flash secondary
 Boot system tftp 10.1.1.1 TIX04200b1.bin
 Boot system flash primary
Boot system preference (Default)
 Boot system flash primary
 Boot system flash secondary

Syntax: show boot-preference

NOTE
A boot system tftp entry fetches the image over TFTP, which carries no authentication, on every boot that reaches it. Keep such entries off production switches or confine them to an isolated management network, and prefer booting a flash image whose digest you have checked with verify md5.

The results of the show run command for the configured example above appear as follows.

TurboIron#show run
Current Configuration:
!
boot sys fl sec
boot sys df 10.1.1.1 TIX04200b1.
Loading and saving configuration files Replacing the startup configuration with the running configuration After you make configuration changes to the active system, you can save those changes by writing them to flash memory. When you write configuration changes to flash memory, you replace the startup configuration with the running configuration. To replace the startup configuration with the running configuration, enter the following command at any Enable or CONFIG command prompt.
Loading and saving configuration files To copy the startup-config or running-config file from a TFTP server using the CLI, use one of the following commands. NOTE When you copy a configuration file from the TFTP server to a device, the filename should not contain the "/" and "\" characters. If required, you can specify the filename along with its path, for example, “ip/turboiron/config1.txt”.
Loading and saving configuration files • The software retains the running-config that is currently on the device, and changes the running-config only by adding new commands from the configuration file. If the running config already contains a command that is also in the configuration file you are loading, the CLI rejects the new command as a duplicate and displays an error message.
Loading and saving configuration files The running-config already has a command to add an address to port 11, so the CLI responds like this. TurboIron(config)#interface ethernet 11 TurboIron(config-if-e10000-11)#ip add 10.10.10.69/24 Error: can only assign one primary ip address per subnet TurboIron(config-if-e10000-11)# To successfully replace the address, enter commands into the file as follows. interface ethernet 11 no ip address 10.20.20.69/24 ip address 10.10.10.
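The script below is an added example, not Brocade code. It turns the rule described above into a generator: given the current running-config and the address each interface should end up with, it emits a fragment that removes any existing address with no ip address before adding the new one, and emits nothing for an interface that already has the wanted address, so the merge never trips the duplicate-command rejection. The running-config text is constructed for the example.

```python
"""Generate a merge-safe fragment for 'copy tftp running-config'.

Added example, not Brocade code. RUNNING_CONFIG is a constructed excerpt in
the style of the examples above.
"""
import re

RUNNING_CONFIG = """\
!
interface ethernet 11
 port-name server-uplink
 ip address 10.20.20.69/24
!
interface ethernet 12
 ip address 192.0.2.1/24
!
"""

IFACE_RE = re.compile(r"^interface (\S+ \S+)\s*$")
IPADDR_RE = re.compile(r"^\s+ip address (\S+)\s*$")


def parse_ip_addresses(running_config: str) -> dict:
    """Map each interface stanza to the 'ip address' values configured under it."""
    addresses, current = {}, None
    for line in running_config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            addresses.setdefault(current, [])
            continue
        if line.startswith("!"):
            current = None                      # '!' ends the stanza
            continue
        m = IPADDR_RE.match(line)
        if m and current is not None:
            addresses[current].append(m.group(1))
    return addresses


def merge_fragment(running_config: str, wanted: dict) -> str:
    """Return commands that give each interface in `wanted` its address when merged.

    `wanted` maps an interface name such as 'ethernet 11' to the address it should have.
    """
    existing = parse_ip_addresses(running_config)
    lines = []
    for iface, new_addr in wanted.items():
        stanza = []
        for old in existing.get(iface, []):
            if old != new_addr:
                stanza.append(f"no ip address {old}")    # remove first, or the add is rejected
        if new_addr not in existing.get(iface, []):
            stanza.append(f"ip address {new_addr}")
        if stanza:                                   # already correct: emit nothing, no duplicate
            lines.append(f"interface {iface}")
            lines.extend(stanza)
    return "\n".join(lines)


if __name__ == "__main__":
    print(merge_fragment(RUNNING_CONFIG, {"ethernet 11": "10.10.10.69/24"}))
```

Because a merged file is applied line by line, the generated order matters: the no command must precede the new ip address command within the same interface stanza. Review the fragment before copying it to the TFTP server, since TFTP itself offers no way to confirm who wrote the file.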
Scheduling a system reload • ncopy running-config tftp • Commands to copy the startup-config file to a TFTP server: • copy startup-config tftp • ncopy startup-config tftp Scheduling a system reload In addition to reloading the system manually, you can configure the device to reload itself at a specific time or after a specific amount of time has passed. NOTE The scheduled reload feature requires the system clock.
Diagnostic error codes and remedies for TFTP transfers Displaying the amount of time remaining before a scheduled reload To display how much time is remaining before a scheduled system reload, enter the following command from any level of the CLI. TurboIron#show reload Canceling a scheduled reload To cancel a scheduled system reload using the CLI, enter the following command at the global CONFIG level of the CLI.
TABLE 17 Diagnostic error codes for TFTP transfer

Error code  Message
16          TFTP remote - general error.
17          TFTP remote - no such file.
18          TFTP remote - access violation.
19          TFTP remote - disk full.
20          TFTP remote - illegal operation.
21          TFTP remote - unknown transfer ID.

Explanation and action (codes 16 through 21): The TFTP configuration has an error. The specific error message describes the error. Correct the error, then retry the transfer.
Chapter 5 Securing Access to Management Functions

In this chapter
• Securing access methods (page 63)
• Restricting remote access to management functions (page 65)
• Setting passwords (page 74)
• Setting up local user accounts
TABLE 18 Ways to secure management access to devices (Continued)

Access method: Telnet access
How the access method is secured by default: Not secured
Ways to secure the access method (see page):
• Regulate Telnet access using ACLs (page 65)
• Allow Telnet access only from specific IP addresses (page 68)
• Restrict Telnet access based on a client MAC address (page 69)
• Allow Telnet access only from specific MAC addresses (page 70)
• Specify the maximum number of login attempts for Telnet
TABLE 18 Ways to secure management access to devices (Continued)

Access method: TFTP access
How the access method is secured by default: Not secured
Ways to secure the access method (see page):
• Allow TFTP access only to clients connected to a specific VLAN (page 71)
• Disable TFTP access (page 73)

Restricting remote access to management functions

You can restrict access to management functions from remote sources, including Telnet and SNMP.
Restricting remote access to management functions TurboIron(config)#access-list 10 deny host 10.157.22.32 log TurboIron(config)#access-list 10 deny 10.157.23.0 0.0.0.255 log TurboIron(config)#access-list 10 deny 10.157.24.0 0.0.0.255 log TurboIron(config)#access-list 10 deny 10.157.25.
Restricting remote access to management functions NOTE The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet or SSH access using ACLs. TurboIron(config)#access-list 25 deny host 10.157.22.98 log TurboIron(config)#access-list 25 deny 10.157.23.0 0.0.0.255 log TurboIron(config)#access-list 25 deny 10.157.24.0 0.0.0.255 log TurboIron(config)#access-list 25 permit any TurboIron(config)#access-list 30 deny 10.157.25.0 0.0.0.
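The evaluator below is an added example, not Brocade code. It models the standard-ACL semantics a practitioner relies on when filtering Telnet, SSH or SNMP management access with lists like those above: entries are tested in configuration order, the first match decides, a set bit in a wildcard mask means "don't care", and a client that matches no entry falls to the implicit deny at the end of the list. The ACL lines are constructed in the style of the examples above, and the function names are the example's own.

```python
"""Standard-ACL evaluation for management-access filtering.

Added example, not Brocade code. ACL_LINES is constructed in the style of
the access-list examples above.
"""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:host\s+(\S+)|any|(\S+)\s+(\S+))"
    r"(\s+log)?\s*$")

# Constructed example: block one host and two subnets (logged), allow the rest.
ACL_LINES = [
    "access-list 10 deny host 10.157.22.32 log",
    "access-list 10 deny 10.157.23.0 0.0.0.255 log",
    "access-list 10 deny 10.157.24.0 0.0.0.255 log",
    "access-list 10 permit any",
    # ACL 30 has no 'permit any', so every client not listed hits the implicit deny.
    "access-list 30 permit host 10.157.25.10",
]


def parse_acls(lines):
    """Return {acl_number: [(action, address, wildcard, log), ...]} in configuration order."""
    acls = {}
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        num, action, host, net, wild, log = m.groups()
        if host is not None:
            addr, mask = int(ipaddress.IPv4Address(host)), 0
        elif net is not None:
            addr, mask = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))
        else:                                   # 'any'
            addr, mask = 0, 0xFFFFFFFF
        acls.setdefault(int(num), []).append((action, addr, mask, log is not None))
    return acls


def evaluate(acl, client_ip):
    """First match wins. Returns (action, entry index or None for the implicit deny, logged)."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for index, (action, addr, mask, log) in enumerate(acl):
        # A 1 bit in the wildcard mask is a don't-care bit.
        if (ip | mask) == (addr | mask):
            return action, index, log
    return "deny", None, False


def permitted_clients(acl, candidates):
    """Which of the candidate management stations would get through this ACL."""
    return [ip for ip in candidates if evaluate(acl, ip)[0] == "permit"]
```

Two checks worth running before applying a list to a management service: confirm that the station you are configuring from is permitted (locking yourself out of Telnet leaves the serial console), and confirm that a list meant to deny a few sources ends in permit any, because without it the implicit deny blocks every other client.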
Restricting remote access to management functions NOTE In RADIUS, the standard attribute Idle-Timeout is used to define the console session timeout value. The attribute Idle-Timeout value is specified in seconds. Within the switch, it is truncated to the nearest minute, because the switch configuration is defined in minutes. Restricting remote access to the device to specific IP addresses By default, a device does not control remote management access based on the IP address of the managing device.
TurboIron(config)#all-client 10.157.22.69

Syntax: [no] all-client <address>

Restricting access to the device based on IP or MAC address

You can restrict remote management access to the device, using Telnet, SSH, HTTP, and HTTPS, based on the connecting client IP or MAC address.

Restricting Telnet connection

You can restrict Telnet connection to a device based on the client IP address or MAC address.
The following command allows HTTP and HTTPS access to the device to a host with any IP address and MAC address 0000.000f.10ba.

TurboIron(config)#web client any 0000.000f.10ba

Syntax: [no] web client any <mac-addr>

Specifying the maximum number of login attempts for Telnet access

If you are connecting to the device using Telnet, the device prompts you for a username and password.
Syntax: [no] telnet server enable vlan <vlan-id>

Restricting SNMP access to a specific VLAN

To allow SNMP access only to clients in a specific VLAN, enter a command such as the following.

TurboIron(config)#snmp-server enable vlan 40

The command in this example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
Restricting remote access to management functions These commands configure port-based VLAN 10 to consist of ports 1 – 4 and to be the designated management VLAN. The last two commands configure default gateways for the VLAN. Since the 10.10.10.1 gateway has a lower metric, the software uses this gateway. The other gateway remains in the configuration but is not used. You can use the other one by changing the metrics so that the 10.20.20.1 gateway has the lower metric.
• TFTP

NOTE
If you disable Telnet access, you can no longer reach the CLI through Telnet; what remains is a serial connection to the management module and, if you have configured it, SSH (refer to Chapter 6, “Configuring SSH2 and SCP”). Because Telnet sends the login credentials in clear text, disabling Telnet and managing the device over SSH is the preferred arrangement. If you disable SNMP access, you will not be able to use Brocade Network Advisor or third-party SNMP management applications.

Disabling Telnet access

You can use a Telnet client to access the CLI on the device over the network.
Setting passwords Setting passwords Passwords can be used to secure the following access methods: • Telnet access can be secured by setting a Telnet password. Refer to “Setting a Telnet password” on page 74. • Access to the Privileged EXEC and CONFIG levels of the CLI can be secured by setting passwords for management privilege levels. Refer to “Setting passwords for management privilege levels” on page 74.
Setting passwords • Read Only level – Allows access to the Privileged EXEC mode and CONFIG mode of the CLI but only with read access. You can assign a password to each management privilege level. You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account to one of the three privilege levels. Refer to “Setting up local user accounts” on page 78. NOTE You must use the CLI to assign a password for management privilege levels.
Setting passwords • All interface configuration levels • Read Only level gives access to: • The User EXEC and Privileged EXEC levels You can grant additional access to a privilege level on an individual command basis. To grant the additional access, you specify the privilege level you are enhancing, the CLI level that contains the command, and the individual command. NOTE This feature applies only to management privilege levels on the CLI.
The command parameter specifies the command you are allowing users with the specified privilege level to enter. To display a list of the commands at a CLI level, enter “?” at that level's command prompt.

Recovering from a lost password

Recovery from a lost password requires direct access to the serial port and a system reset.

NOTE
You can perform this procedure only from the CLI.

Follow the steps given below to recover from a lost password.
1.
Setting up local user accounts Setting up local user accounts You can define up to 16 local user accounts on a device. User accounts regulate who can access the management functions in the CLI using the following methods: • Telnet access • SNMP access Local user accounts provide greater flexibility for controlling management access to devices than do management privilege level passwords and SNMP community strings of SNMP versions 1 and 2.
Setting up local user accounts • A password can now be set to expire.
Setting up local user accounts TurboIron(config)#username kelly password Enter Password: ******** NOTE When password masking is enabled, press the [Enter] key before entering the password. Syntax: username password [Enter] For [Enter], press the Enter key. Enter the password when prompted. If strict-password-enforcement is enabled, enter a password which contains the required character combination. Refer to “Enabling enhanced user password combination requirements” on page 79.
Setting up local user accounts Enhanced login lockout The CLI provides up to three login attempts. If a user fails to login after three attempts, that user is locked out (disabled). If desired, you can increase or decrease the number of login attempts before the user is disabled. To do so, enter a command such as the following at the global CONFIG level of the CLI.
Setting up local user accounts NOTE This requirement is disabled by default, unless configured. Users are not required to press Enter after the MOTD banner is displayed. Configuring a local user account You can create accounts for local users with or without passwords. Accounts with passwords can have encrypted or unencrypted passwords.
• 5 – Read Only level

The default privilege level is 0. If you want to assign Super User level access to the account, you can enter the command without privilege 0, as shown in the command example above. The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user's password. You can enter up to 48 characters for the password string.

Syntax: [no] username <user-string> [privilege <privilege-level>] create-password <password-string>

You can enter up to 48 characters for <user-string>. This string can be alphanumeric or all-numeric. The privilege parameter specifies the privilege level for the account. You can specify one of the following:
• 0 – Super User level (full read-write access)
• 4 – Port Configuration level
• 5 – Read Only level
Enter up to 48 alphanumeric characters for <password-string>.
Configuring TACACS/TACACS+ security • Access to the Privileged EXEC level and CONFIG levels of the CLI The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is sent between a device and an authentication database on a TACACS/TACACS+ server. TACACS/TACACS+ services are maintained in a database, typically on a UNIX workstation or PC with a TACACS/TACACS+ server running.
Configuring TACACS/TACACS+ security 1. A user attempts to gain access to the device by doing one of the following: • Logging into the device using Telnet or SSH • Entering the Privileged EXEC level or CONFIG level of the CLI 2. The user is prompted for a username and password. 3. The user enters a username and password. 4. The device sends a request containing the username and password to the TACACS server. 5. The username and password are validated in the TACACS server database. 6.
Configuring TACACS/TACACS+ security 1. A Telnet or SSH user previously authenticated by a TACACS+ server enters a command on the device. 2. The device looks at its configuration to see if the command is at a privilege level that requires TACACS+ command authorization. 3. If the command belongs to a privilege level that requires authorization, the device consults the TACACS+ server to see if the user is authorized to use the command. 4. If the user is authorized to use the command, the command is executed.
TABLE 19

User action: User logs in using Telnet/SSH
Applicable AAA operations:
• Login authentication: aaa authentication login default
• Exec authorization (TACACS+): aaa authorization exec default tacacs+
• Exec accounting start (TACACS+): aaa accounting exec default
• System accounting start (TACACS+): aaa accounting system default start-stop

User action: User logs out of Telnet/SSH session
Applicable AAA operations:
• Command accounting (TACACS+): aaa accounting commands
Configuring TACACS/TACACS+ security TACACS/TACACS+ configuration considerations • You must deploy at least one TACACS/TACACS+ server in your network. • Devices support authentication using up to eight TACACS/TACACS+ servers. The device tries to use the servers in the order you add them to the device configuration. • You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels).
Configuring TACACS/TACACS+ security Identifying the TACACS/TACACS+ servers To use TACACS/TACACS+ servers to authenticate access to a device, you must identify the servers to the device. For example, to identify three TACACS/TACACS+ servers, enter commands such as the following. TurboIron(config)#tacacs-server host 10.94.6.161 TurboIron(config)#tacacs-server host 10.94.6.191 TurboIron(config)#tacacs-server host 10.94.6.
Configuring TACACS/TACACS+ security TurboIron(config)#tacacs-server host 10.2.3.4 auth-port 49 authentication-only key abc TurboIron(config)#tacacs-server host 10.2.3.5 auth-port 49 authorization-only key def TurboIron(config)#tacacs-server host 10.2.3.
Configuring TACACS/TACACS+ security When you display the configuration of the device, the TACACS+ keys are encrypted. For example. TurboIron(config)#tacacs-server key 1 abc TurboIron(config)#write terminal ... tacacs-server host 10.2.3.5 auth-port 49 tacacs key 1 $!2d NOTE Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.
Configuring TACACS/TACACS+ security The commands above cause TACACS/TACACS+ to be the primary authentication method for securing Telnet/SSH access to the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, authentication is performed using local user accounts instead. To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI.
Configuring TACACS/TACACS+ security TurboIron(config)#aaa authentication login privilege-mode Syntax: aaa authentication login privilege-mode The user privilege level is based on the privilege level granted during login. Configuring enable authentication to prompt for password only If Enable authentication is configured on the device, when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a username and password.
Configuring TACACS/TACACS+ security A user privilege level is obtained from the TACACS+ server in the “foundry-privlvl” A-V pair. If the aaa authorization exec default tacacs command exists in the configuration, the device assigns the user the privilege level specified by this A-V pair. If the command does not exist in the configuration, then the value in the “foundry-privlvl” A-V pair is ignored, and the user is granted Super User access.
    service = exec {
        priv-lvl = 15
    }
}

The attribute name in the A-V pair is not significant; the device uses the last one that has a numeric value. However, the device interprets the value for a non-”foundry-privlvl” A-V pair differently than it does for a “foundry-privlvl” A-V pair. The following table lists how the device associates a value from a non-”foundry-privlvl” A-V pair with a privilege level.
Configuring TACACS/TACACS+ security • 0 – Authorization is performed for commands available at the Super User level (all commands) • 4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands) • 5 – Authorization is performed for commands available at the Read Only level (read-only commands) NOTE TACACS+ command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console.
Configuring TACACS/TACACS+ security Configuring TACACS+ accounting for CLI commands You can configure TACACS+ accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the device to perform TACACS+ accounting for the commands available at the Super User privilege level (that is; all commands on the device), enter the following command.
Configuring TACACS/TACACS+ security • If you specify a loopback interface as the single source for TACACS/TACACS+ packets, TACACS/TACACS+ servers can receive the packets regardless of the states of individual links. Thus, if a link to the TACACS/TACACS+ server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
Configuring RADIUS security The following table describes the TACACS/TACACS+ information displayed by the show aaa command. TABLE 22 Output of the show aaa command for TACACS/TACACS+ Field Description Tacacs+ key The setting configured with the tacacs-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is displayed instead of the text.
Configuring RADIUS security 1. A user attempts to gain access to the device by doing one of the following: • Logging into the device using Telnet or SSH • Entering the Privileged EXEC level or CONFIG level of the CLI 2. The user is prompted for a username and password. 3. The user enters a username and password. 4. The device sends a RADIUS Access-Request packet containing the username and password to the RADIUS server. 5. The RADIUS server validates the device using a shared secret (the RADIUS key). 6.
Configuring RADIUS security RADIUS accounting RADIUS accounting works as follows. 1. One of the following events occur on the device: • A user logs into the management interface using Telnet or SSH • A user enters a command for which accounting has been configured • A system event occurs, such as a reboot or reloading of the configuration file 2. The device checks its configuration to see if the event is one for which RADIUS accounting is required. 3.
TABLE 23

User action: User enters system commands (for example, reload, boot system)
Applicable AAA operations:
• Command authorization: aaa authorization commands default
• Command accounting: aaa accounting commands default start-stop
• System accounting stop: aaa accounting system default start-stop

User action: User enters the command [no] aaa accounting system default
Applicable AAA operations:
• Command authorization: aaa authorization comm
Configuring RADIUS security • You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access. However, you can configure backup authentication methods for each access type.
Configuring RADIUS security TABLE 24 Brocade vendor-specific attributes for RADIUS Attribute name Attribute ID Data type Description foundry-privilege-level 1 integer Specifies the privilege level for the user. This attribute can be set to one of the following: • 0 - Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
Identifying the RADIUS server to the device

To use a RADIUS server to authenticate access to a device, you must identify the server to the device.

Example
TurboIron(config)#radius-server host 10.157.22.99

Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number>] [acct-port <number>]

The <ip-addr> | <server-name> parameter is either an IP address or an ASCII text string (the server host name).
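The exchange described in the RADIUS authentication steps above (device sends an Access-Request carrying the username and password, the server validates it using the shared secret, and the reply carries the Brocade foundry-privilege-level attribute from Table 24) is shown below as an added example in working code. It is not Brocade or vendor code. It implements the RFC 2865 packet format: the password is hidden by XORing it with MD5(secret + Request Authenticator), the server's Response Authenticator is MD5 over the reply header, the request's authenticator, the attributes and the secret, and the privilege level travels in a Vendor-Specific attribute. Vendor ID 1991, Foundry's IANA enterprise number, is an assumption of this example; the table above gives only the attribute name and ID. The username, password and secret are constructed.

```python
"""RADIUS Access-Request / Access-Accept with the Brocade privilege VSA.

Added example, not Brocade code. Assumption: vendor ID 1991 for the
Vendor-Specific attribute; usernames, passwords and secret are constructed.
"""
import hashlib
import hmac
import os
import struct

FOUNDRY_VENDOR_ID = 1991            # assumption, see lead-in
VSA_FOUNDRY_PRIVILEGE_LEVEL = 1     # attribute ID from the table above
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The inverse: anyone holding the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes):
    """Return (type, value) pairs from an attribute list, refusing malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, username, password, secret, authenticator=None):
    """Device side: step 4 of the login sequence above."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_access_accept(request: bytes, secret: bytes, privilege_level: int) -> bytes:
    """Server side: reply with foundry-privilege-level in a Vendor-Specific attribute."""
    vsa = struct.pack("!IBBI", FOUNDRY_VENDOR_ID, VSA_FOUNDRY_PRIVILEGE_LEVEL, 6, privilege_level)
    attrs = attribute(ATTR_VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Device side: step 5 above, proving the reply came from a holder of the secret."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def foundry_privilege_level(response: bytes):
    """Privilege level from the Brocade VSA, or None if the reply carries none."""
    for attr_type, value in parse_attributes(response[20:]):
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) == 10:
            vendor, vtype, vlen, level = struct.unpack("!IBBI", value)
            if vendor == FOUNDRY_VENDOR_ID and vtype == VSA_FOUNDRY_PRIVILEGE_LEVEL and vlen == 6:
                return level
    return None


def demo_exchange(secret: bytes = b"networks", authenticator: bytes = bytes(range(16))):
    """Run one constructed login exchange and return the pieces for inspection."""
    req = build_access_request(7, "kelly", "s3cret!", secret, authenticator)
    resp = build_access_accept(req, secret, 0)
    return {"request": req, "response": resp,
            "verified": verify_response(req, resp, secret),
            "privilege_level": foundry_privilege_level(resp)}
```

Two properties of the protocol follow directly from the code and matter for deployment: the password hiding is reversible by anyone who knows the shared secret and can see the packets, so the secret must be long and random and the path to the server should be an isolated management network; and the privilege level arrives in a reply that is only as trustworthy as the Response Authenticator check, which is MD5 keyed by that same secret.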
Configuring RADIUS security Configuration example and command syntax The following shows an example configuration. TurboIron(config)#radius-server host 10.10.10.103 default key mykeyword dot1x port-only TurboIron(config)#radius-server host 10.10.10.104 default key mykeyword dot1x port-only TurboIron(config)#radius-server host 10.10.10.105 default key mykeyword dot1x TurboIron(config)#radius-server host 10.10.10.
Configuring RADIUS security Configuration example and command syntax To map a RADIUS server to a port, enter commands such as the following. TurboIron(config)#int e 3 TurboIron(config-if-e10000-3)#dot1x port-control auto TurboIron(config-if-e10000-3)#use-radius-server 10.10.10.103 TurboIron(config-if-e10000-3)#use-radius-server 10.10.10.110 With the above configuration, port e 3 would send a RADIUS request to 10.10.10.103 first, since it is the first server mapped to the port.
Configuring RADIUS security Setting the retransmission limit The retransmit parameter specifies the maximum number of retransmission attempts. When an authentication request times out, the software will retransmit the request up to the maximum number of retransmissions configured. The default retransmit value is 3 retries. The range of retransmit values is from 1 – 5. To set the RADIUS retransmit limit, enter a command such as the following.
Configuring RADIUS security The command above causes RADIUS to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
Configuring RADIUS security Configuring enable authentication to prompt for password only If Enable authentication is configured on the device, when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a username and password. In this release, you can configure the device to prompt only for a password. The device uses the username entered at login, if one is available.
Configuring RADIUS security You enable RADIUS command authorization by specifying a privilege level whose commands require authorization. For example, to configure the device to perform authorization for the commands available at the Super User privilege level (that is; all commands on the device), enter the following command.
Configuring RADIUS security Configuring RADIUS accounting Devices support RADIUS accounting for recording information about user activity and system events. When you configure RADIUS accounting on a device, information is sent to a RADIUS accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring an interface as the source for all RADIUS packets

You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all RADIUS packets from the Layer 3 Switch.
Configuring authentication-method lists
Example
TurboIron#show aaa
Tacacs+ key: Brocade
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 10.95.6.90 Port:49:
opens=6 closes=3 timeouts=3 errors=0
packets in=4 packets out=4
no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 10.95.6.
Configuring authentication-method lists
• Local user accounts configured on the device
• Database on a TACACS or TACACS+ server
• Database on a RADIUS server
• No authentication
NOTE The TACACS/TACACS+, RADIUS, and Telnet login password authentication methods are not supported for SNMP access.
NOTE To authenticate Telnet access to the CLI, you also must enable the authentication by entering the enable telnet authentication command at the global CONFIG level of the CLI.
Configuring authentication-method lists Examples of authentication-method lists The following examples show how to configure authentication-method lists. In these examples, the primary authentication method for each is “local”. The device will authenticate access attempts using the locally configured usernames and passwords. The command syntax for each of the following examples is provided in “Command Syntax” on page 117.
Configuring authentication-method lists The snmp-server | web-server | enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access. NOTE TACACS/TACACS+ and RADIUS are supported only with the enable and login parameters. The parameter specifies the primary authentication method.
Chapter 6 Configuring SSH2 and SCP
In this chapter
• SSH version 2 support
• AES encryption for SSH2
• Configuring SSH2
• Setting optional parameters
• Filtering SSH access using ACLs.
SSH version 2 support
• SSH Fingerprint Format
• SSH Protocol Assigned Numbers
• SSH Transport Layer Encryption Modes
• SCP/SFTP/SSH URI Format
Tested SSH2 clients
The following SSH clients have been tested with SSH2:
• SSH Secure Shell 3.2.3
• Van Dyke SecureCRT 4.0 and 4.1
• F-Secure SSH Client 5.3 and 6.0
• PuTTY 0.54 and 0.56
• OpenSSH 3.5_p1 and 3.6.1p2
• Solaris Sun-SSH-1.0
NOTE The devices support client public key sizes of 2048 bits or less.
AES encryption for SSH2 AES encryption for SSH2 Encryption is provided with 3des-cbc, aes128-cbc, aes192-cbc or aes256-cbc. AES encryption has been adopted by the U.S. Government as an encryption standard. A total of five SSH connections can be active on a device. To display information about SSH connections, enter the following command.
Configuring SSH2
• Password authentication, where users attempting to gain access to the device using an SSH client are authenticated with passwords stored on the device or on a TACACS/TACACS+ or RADIUS server
Both kinds of user authentication are enabled by default. You can configure the device to use one or both of them. Follow the steps given below to configure Secure Shell on a device.
1. If necessary, recreate the SSH keys
2. Generate a host DSA public and private key pair for the device
3.
Configuring SSH2
TurboIron(config)#crypto key zeroize
When SSH is disabled, it is deleted from the flash memory of all management modules.
Syntax: crypto key generate | zeroize
The generate keyword places a DSA host key pair in the flash memory and enables SSH on the device. The zeroize keyword deletes the DSA host key pair from the flash memory and disables SSH on the device. By default, public keys are hidden in the running configuration.
Configuring SSH2
5. The client uses its private key to decrypt the bytes.
6. The client sends the decrypted bytes back to the device.
7. The device compares the decrypted bytes to the original bytes it sent to the client. If the two sets of bytes match, it means that the client private key corresponds to an authorized public key, and the client is authenticated.
Setting up DSA challenge-response authentication consists of the following steps.
1. Importing authorized public keys into the device.
2.
Setting optional parameters
TurboIron#show ip client-pub-key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET
W6ToHv8D1UJ/z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH
YI14Om1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv
wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v
GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA
vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOoc
Setting optional parameters Setting the number of SSH authentication retries By default, the device attempts to negotiate a connection with the connecting host three times. The number of authentication retries can be changed to between 1 – 5. For example, the following command changes the number of authentication retries to 5.
Setting optional parameters
Setting the SSH port number
By default, SSH traffic occurs on TCP port 22. You can change this port number. For example, the following command changes the SSH port number to 2200.
TurboIron(config)#ip ssh port 2200
Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port. Also, you should be careful not to assign SSH to a port that is used by another service.
Filtering SSH access using ACLs
Example
TurboIron(config)#interface ethernet 4
TurboIron(config-if-e10000-4)#ip address 10.157.22.110/24
TurboIron(config-if-e10000-4)#exit
TurboIron(config)#ip ssh source-interface ethernet 4
Configuring the maximum idle time for SSH sessions
By default, SSH sessions do not time out. Optionally, you can set the amount of time an SSH session can be inactive before the device closes it.
Displaying SSH connection information
TurboIron#show ip ssh
Connection  Version  Encryption  Username
1           SSH-2    3des-cbc    Hanuma
2           SSH-2    3des-cbc    Mikaila
3           SSH-2    3des-cbc    Jenny
4           SSH-2    3des-cbc    Mariah
5           SSH-2    3des-cbc    Logan
Syntax: show ip ssh [begin | exclude | include ]
This display shows the following information about the active SSH connections.
TABLE 28 SSH connection information
This field... | Displays...
Connection | The SSH connection ID. This can be from 1 – 5.
Using Secure copy with SSH2 Using Secure copy with SSH2 Secure Copy (SCP) uses security built into SSH to transfer image and configuration files to and from the device. SCP automatically uses the authentication methods, encryption algorithm, and data compression level configured for SSH. For example, if password authentication is enabled for SSH, the user is prompted for a user name and password before SCP allows a file to be transferred. No additional configuration is required for SCP on top of SSH.
Using Secure copy with SSH2
Copying the running config file to an SCP-enabled client
To copy the running configuration file on the device to a file called c:\cfg\fdryrun.cfg on the SCP-enabled client, enter the following command.
C:\> scp terry@192.168.1.50:runConfig c:\cfg\fdryrun.cfg
Copying the startup config file to an SCP-enabled client
To copy the startup configuration file on the device to a file called c:\cfg\fdrystart.cfg on the SCP-enabled client, enter the following command.
C:\> scp terry@192.
Chapter 7 Configuring IPv6 Connectivity
In this chapter
• IPv6 addressing overview 133
• IPv6 CLI command support 136
• Configuring an IPv6 host address on a Layer 2 switch 137
• Configuring the management port for an IPv6 automatic address configuration 138
• Configuring basic IPv6 connectivity on a Layer 3 switch
IPv6 addressing overview • You can use the two colons (::) only once in the address to represent the longest successive hexadecimal fields of zeros • The hexadecimal letters in IPv6 addresses are not case-sensitive As shown in Figure 1, the IPv6 network prefix is composed of the left-most bits of the address. As with an IPv4 address, you can specify the IPv6 prefix using the / format, where the following applies.
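The two textual rules just listed (one "::" at most, case-insensitive hex) are what a parser has to enforce before an address can be compared or matched against a prefix. The following is an added example, not code from the guide or from Brocade: a small hand-written IPv6 text parser that applies those rules, expands an address to its eight 16-bit groups, splits an address/prefix-length pair, and cross-checks itself against Python's standard ipaddress module. Embedded-IPv4 forms such as ::ffff:192.0.2.1 are deliberately out of scope and are rejected.

```python
"""Added example: an IPv6 text-address parser that applies the rules above."""
import ipaddress  # only used to cross-check the hand-written parser

HEX = set("0123456789abcdefABCDEF")
GROUPS = 8


def _parse_groups(part, whole):
    """Parse 'a:b:c' into a list of 16-bit ints; '' yields an empty list."""
    if part == "":
        return []
    groups = []
    for g in part.split(":"):
        # Each group is 1-4 hex digits; upper and lower case are both accepted.
        if not 1 <= len(g) <= 4 or any(c not in HEX for c in g):
            raise ValueError("bad hex group %r in %r" % (g, whole))
        groups.append(int(g, 16))
    return groups


def expand_ipv6(text):
    """Return the eight 16-bit groups of an IPv6 address string.

    '::' may appear once and stands for one or more all-zero groups.
    Embedded IPv4 forms (::ffff:192.0.2.1) are out of scope and rejected.
    """
    if text.count("::") > 1 or ":::" in text:
        raise ValueError("'::' may appear only once: %r" % text)
    if "::" in text:
        left, right = text.split("::")
        lo, hi = _parse_groups(left, text), _parse_groups(right, text)
        missing = GROUPS - len(lo) - len(hi)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group: %r" % text)
        return lo + [0] * missing + hi
    groups = _parse_groups(text, text)
    if len(groups) != GROUPS:
        raise ValueError("expected %d groups, got %d: %r" % (GROUPS, len(groups), text))
    return groups


def canonical(text):
    """Fully expanded, lower-case form: four hex digits per group."""
    return ":".join("%04x" % g for g in expand_ipv6(text))


def split_prefix(text):
    """'2001:DB8:12D:1300::/64' -> (canonical address, 64); no '/' implies 128."""
    addr, _, plen = text.partition("/")
    length = int(plen) if plen else 128
    if not 0 <= length <= 128:
        raise ValueError("prefix length out of range: %r" % text)
    return canonical(addr), length


def is_valid_ipv6(text):
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def agrees_with_stdlib(text):
    """Cross-check: our expansion equals ipaddress.IPv6Address(text).exploded."""
    return canonical(text) == ipaddress.IPv6Address(text).exploded
```

Because every group is expanded to four hex digits, two spellings of the same address (2001:DB8::400 and 2001:db8:0:0:0:0:0:400) compare equal after canonical(), which is the property an ACL or management-address filter needs.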
IPv6 addressing overview
TABLE 29 IPv6 address types
Address type | Description | Address structure
Unicast | An address for a single interface. A packet sent to a unicast address is delivered to the interface identified by the address. | Depends on the type of the unicast address:
• Aggregatable global address—An address equivalent to a global or public IPv4 address.
IPv6 CLI command support IPv6 stateless autoconfiguration TurboIron X Series devices use the IPv6 stateless autoconfiguration feature to enable a host on a local link to automatically configure its interfaces with new and globally unique IPv6 addresses associated with its location. The automatic configuration of a host interface is performed without the use of a server, such as a Dynamic Host Configuration Protocol (DHCP) server, or manual configuration.
Configuring an IPv6 host address on a Layer 2 switch
TABLE 30 IPv6 CLI command support (Continued)
IPv6 command | Description | Switch code | Router code
ipv6 enable | Enables IPv6 on an interface. | X | X
log host ipv6 | Configures the IPv6 Syslog server. | X | X
ping ipv6 | Performs an ICMP for IPv6 echo test. | X | X
show ipv6 | Displays some global IPv6 parameters, such as the IPv6 DNS server address. | X | X
show ipv6 cache | Displays the IPv6 host cache.
Configuring the management port for an IPv6 automatic address configuration
Enabling IPv6
To enable IPv6 on the management port with automatic address configuration, enter the following.
TurboIron(config)#ipv6 enable
This command enables IPv6.
Configuring basic IPv6 connectivity on a Layer 3 switch • An automatically computed EUI-64 interface ID on router image. If you prefer to assign a link-local IPv6 address to the interface, you must explicitly enable IPv6 on the interface, which causes a link-local address to be automatically computed for the interface. If preferred, you can override the automatically configured link-local address with an address that you manually configure.
Configuring basic IPv6 connectivity on a Layer 3 switch
To configure an IPv6 address on an interface with an automatically computed EUI-64 interface ID in the low-order 64 bits on devices running a router image, enter commands such as the following.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#ipv6 address 2001:DB8:12D:1300::/64 eui-64
These commands configure the global prefix 2001:DB8:12d:1300::/64 and an interface ID, and enable IPv6 on Ethernet interface 1.
IPv6 management (IPv6 host support) Configuring an IPv6 anycast address on an interface In IPv6, an anycast address is an address for a set of interfaces belonging to different nodes. Sending a packet to an anycast address results in the delivery of the packet to the closest interface configured with the anycast address. An anycast address looks similar to a unicast address, because it is allocated from the unicast address space.
IPv6 management (IPv6 host support)
SNTP over IPv6
To enable the device to send SNTP packets over IPv6, enter a command such as the following at the Global CONFIG level of the CLI.
TurboIron(config)#sntp server ipv6 2001:DB8::400
Syntax: sntp server ipv6 <ipv6-address>
• The <ipv6-address> is the IPv6 address of the SNTP server. When you enter the IPv6 address, you do not need to specify the prefix length. A prefix length of 128 is implied.
IPv6 management (IPv6 host support) Establishing a Telnet session from an IPv6 host To establish a Telnet session from an IPv6 host to the device, open your Telnet application and specify the IPv6 address of the device. Configuring name-to-IPv6 address resolution using IPv6 DNS resolver The Domain Name Server (DNS) resolver feature lets you use a host name to perform Telnet and ping commands. You can also define a DNS domain on a device and thereby recognize all hosts within that domain.
IPv6 management (IPv6 host support)
• Flash memory.
• Running configuration.
• Startup configuration.
Copying a file from flash memory
For example, to copy the primary or secondary boot image from the device flash memory to an IPv6 TFTP server, enter a command such as the following.
TurboIron#copy flash tftp 2001:DB8:e0ff:7837::3 test.img secondary
This command copies the secondary boot image named test.img from flash memory to a TFTP server with the IPv6 address of 2001:DB8:e0ff:7837::3.
IPv6 management (IPv6 host support)
TurboIron#copy tftp flash 2001:DB8:e0ff:7837::3 test.img secondary
This command copies a boot image named test.img from an IPv6 TFTP server with the IPv6 address of 2001:DB8:e0ff:7837::3 to the secondary storage location in the device flash memory.
Syntax: copy tftp flash primary | secondary
• The parameter specifies the address of the TFTP server.
IPv6 management (IPv6 host support)
Copying a primary or secondary boot image from flash memory to an IPv6 TFTP server
For example, to copy the primary or secondary boot image from the device flash memory to an IPv6 TFTP server, enter a command such as the following.
TurboIron#ncopy flash primary tftp 2001:DB8:e0ff:7837::3 primary.img
This command copies the primary boot image named primary.img from flash memory to a TFTP server with the IPv6 address of 2001:DB8:e0ff:7837::3.
IPv6 management (IPv6 host support)
This command uploads the primary boot image named primary.img from a TFTP server with the IPv6 address of 2001:DB8:e0ff:7837::3 to the device primary storage location in flash memory.
Syntax: ncopy tftp flash primary | secondary
• The tftp parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
IPv6 management (IPv6 host support)
• The source parameter specifies an IPv6 address to be used as the origin of the ping packets.
NOTE The outgoing-interface and source options are available only on router code and not on switch code.
• The count parameter specifies how many ping packets the router sends. You can specify from 1 - 4294967296. The default is 1.
IPv6 management (IPv6 host support)
Viewing IPv6 SNMP server addresses
Some of the show commands display IPv6 addresses for IPv6 SNMP servers. The following shows an example output for the show snmp server command.
TurboIron#show snmp server
Contact:
Location:
Community(ro): .....
Clearing global IPv6 information
You can clear the following global IPv6 information:
• Entries from the IPv6 cache
• Entries from the IPv6 neighbor table
• IPv6 traffic statistics
Clearing the IPv6 cache
You can remove all entries from the IPv6 cache or specify an entry based on the following:
• IPv6 prefix.
• IPv6 address.
• Interface type.
Displaying global IPv6 information
• You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value. A slash mark (/) must follow the parameter and precede the parameter.
• You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
Displaying global IPv6 information
Syntax: show ipv6 cache [ | <ipv6-prefix>/ | | ethernet | ve | tunnel ]
• The parameter restricts the display to the entry for the specified index number and subsequent entries.
• The / parameter restricts the display to the entries for the specified IPv6 prefix.
Displaying global IPv6 information • The parameter displays detailed information for a specified interface. For the interface, you can specify the Ethernet, loopback, tunnel, or VE keywords. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a loopback, tunnel, or VE interface, also specify the number associated with the interface. This display shows the following information.
Displaying global IPv6 information
TABLE 33 Detailed IPv6 interface information fields (Continued)
This field... | Displays...
MTU | The setting of the maximum transmission unit (MTU) configured for the IPv6 interface. The MTU is the maximum length an IPv6 packet can have to be transmitted on the interface. If an IPv6 packet is longer than an MTU, the host that originated the packet fragments the packet and transmits its contents in multiple packets that are shorter than the configured MTU.
Displaying global IPv6 information
TABLE 34 IPv6 neighbor information fields (Continued)
This field... | Displays...
State | The current state of the neighbor. Possible states are as follows:
• INCOMPLETE – Address resolution of the entry is being performed.
• *REACH – The static forward path to the neighbor is functioning properly.
• REACH – The forward path to the neighbor is functioning properly.
• STALE – This entry has remained unused for the maximum interval.
Displaying global IPv6 information
TABLE 35 General IPv6 TCP connection fields
This field... | Displays...
Local IP address:port | The IPv4 or IPv6 address and port number of the local router interface over which the TCP connection occurs.
Remote IP address:port | The IPv4 or IPv6 address and port number of the remote router interface over which the TCP connection occurs.
TCP state | The state of the TCP connection. Possible states include the following:
• LISTEN – Waiting for a connection request.
Displaying global IPv6 information
TurboIron#show ipv6 tcp status 2000:4::110 179 2000:4::106 8222
TCP: TCP = 0x217fc300
TCP: 2000:4::110:179 -> 2000:4::106:8222: state: ESTABLISHED Port: 1
Send: initial sequence number = 242365900
Send: first unacknowledged sequence number = 242434080
Send: current send pointer = 242434080
Send: next sequence number to send = 242434080
Send: remote received window = 16384
Send: total unacknowledged sequence number = 0
Send: total used buffers 0
Receive: initial incoming s
Displaying global IPv6 information
TABLE 36 Specific IPv6 TCP connection fields (Continued)
This field... | Displays...
Send: total unacknowledged sequence number = | The total number of unacknowledged sequence numbers sent by the local router.
Send: total used buffers | The total number of buffers used by the local router in setting up the TCP connection.
Receive: initial incoming sequence number = | The initial incoming sequence number received by the local router.
Displaying global IPv6 information
TurboIron#show ipv6 traffic
IP6 Statistics
36947 received, 66818 sent, 0 forwarded, 36867 delivered, 0 rawout
0 bad vers, 23 bad scope, 0 bad options, 0 too many hdr
0 no route, 0 can not forward, 0 redirect sent
0 frag recv, 0 frag dropped, 0 frag timeout, 0 frag overflow
0 reassembled, 0 fragmented, 0 ofragments, 0 can not frag
0 too short, 0 too small, 11 not member
0 no buffer, 66819 allocated, 21769 freed
0 forward cache hit, 46 forward cache miss
ICMP6 Statistics
Re
Displaying global IPv6 information
TABLE 37 IPv6 traffic statistics fields (Continued)
This field... | Displays...
bad options | The number of IPv6 packets dropped by the router because of bad options.
too many hdr | The number of IPv6 packets dropped by the router because the packets had too many headers.
no route | The number of IPv6 packets dropped by the router because there was no route.
can not forward | The number of IPv6 packets the router could not forward to another router.
Displaying global IPv6 information
TABLE 37 IPv6 traffic statistics fields (Continued)
This field... | Displays...
nei soli | The number of Neighbor Solicitation messages sent or received by the router.
nei adv | The number of Router Advertisement messages sent or received by the router.
redirect | The number of redirect messages sent or received by the router.
Applies to received only
bad code | The number of Bad Code messages received by the router.
Displaying global IPv6 information
TABLE 37 IPv6 traffic statistics fields (Continued)
This field... | Displays...
active opens | The number of TCP connections opened by the router by sending a TCP SYN to another device.
passive opens | The number of TCP connections opened by the router in response to connection requests (TCP SYNs) received from other devices.
failed attempts | This information is used by Brocade Technical Support.
Chapter 8 Securing SNMP Access
In this chapter
• SNMP overview
• Establishing SNMP community strings
• Defining SNMP views
• SNMP version 3 traps
• Displaying SNMP Information
Establishing SNMP community strings
SNMP versions 1 and 2 use community strings to restrict SNMP access:
• The default read-only community string is “public”.
• There is no default read-write community string. You first must configure a read-write community string using the CLI. Then you can log on using “set” as the user name and the read-write community string you configure as the password.
Establishing SNMP community strings NOTE If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior. NOTE If you specify encryption option 1, the software assumes that you are entering the encrypted form of the community string. In this case, the software decrypts the community string you enter before using the value for authentication.
Establishing SNMP community strings Displaying the SNMP community strings To display the configured community strings, enter the following command at any CLI level.
Establishing SNMP community strings
3. Configure the SNMP version 3 features in devices.
Configuring SNMP version 3
Follow the steps given below to configure SNMP version 3 on devices.
1. Enter an engine ID for the management module using the snmp-server engineid command if you will not use the default engine ID. Refer to “Defining the engine id” on page 167.
2. Create views that will be assigned to SNMP user groups using the snmp-server view command.
Establishing SNMP community strings
• Octets 1 through 4 represent the agent's SNMP management private enterprise number as assigned by the Internet Assigned Numbers Authority (IANA). The most significant bit of Octet 1 is "1". For example, “000007c7” is the ID for Brocade Communications, Inc. in hexadecimal. With the most significant bit of Octet 1 always set to "1", the first four octets of the default engine ID are always “800007c7” (the enterprise number 07c7 is 1991 in decimal).
Establishing SNMP community strings
The value of is defined using the snmp-server view command. The SNMP agent comes with the "all" default view, which provides access to the entire MIB; however, it must be specified when creating the group. The "all" view also allows SNMP version 3 to be backward compatible with SNMP version 1 and version 2.
NOTE If you will be using a view other than the "all" view, that view must be configured before creating the user group.
Defining SNMP views NOTE The ACL specified in a user account overrides the ACL assigned to the group to which the user is mapped. If no ACL is entered for the user account, then the ACL configured for the group will be used to filter packets. The encrypted parameter means that the MD5 or SHA password will be a digest value. MD5 has 16 octets in the digest. SHA has 20. The digest string has to be entered as a hexadecimal string. In this case, the agent need not generate any explicit digest.
SNMP version 3 traps
TurboIron(config)#snmp-server view Maynes system included
TurboIron(config)#snmp-server view Maynes system.2 excluded
TurboIron(config)#snmp-server view Maynes 2.3.*.6 included
TurboIron(config)#write mem
NOTE The snmp-server view command supports the MIB objects as defined in RFC 1445.
Syntax: [no] snmp-server view included | excluded
The parameter can be any alphanumeric name you choose to identify the view. The names cannot contain spaces.
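The three view entries above (system included, system.2 excluded, 2.3.*.6 included) are only meaningful once you know how overlapping entries resolve: under the RFC 3415 view-based access control model the most specific (longest) matching subtree decides, and a "*" sub-identifier is a wildcard. The following is an added example written for this page, not Brocade code, that models the "Maynes" view and answers whether a given OID is visible through it. The OID values for "internet", "mib-2" and "system" are the standard IETF assignments; the tie-break by configuration order is a simplification of the RFC's lexicographic rule and is an assumption.

```python
"""Added example: evaluate which OIDs an SNMP view admits."""

# Standard MIB names the view commands above use (IETF assignments, not from the page).
NAMES = {"internet": "1.3.6.1", "mib-2": "1.3.6.1.2.1", "system": "1.3.6.1.2.1.1"}


def parse_subtree(text):
    """'system.2' -> (1, 3, 6, 1, 2, 1, 1, 2); '2.3.*.6' -> (2, 3, '*', 6)."""
    head, _, rest = text.partition(".")
    if head in NAMES:
        text = NAMES[head] + ("." + rest if rest else "")
    out = []
    for part in text.split("."):
        if part == "*":
            out.append("*")  # wildcard: matches any single sub-identifier
        elif part.isdigit():
            out.append(int(part))
        else:
            raise ValueError("bad sub-identifier %r in %r" % (part, text))
    return tuple(out)


class View:
    """One named view built from 'snmp-server view <name> <subtree> included|excluded' lines."""

    def __init__(self, name):
        self.name = name
        self.entries = []  # (subtree, included) in configuration order

    def add(self, subtree, included):
        self.entries.append((parse_subtree(subtree), included))
        return self

    def allows(self, oid):
        """True if the most specific matching entry is 'included'.

        The longest matching subtree decides (RFC 3415 view families).
        Ties are broken here by configuration order, later entry wins,
        which is a simplification of the RFC's lexicographic rule (assumption).
        """
        target = parse_subtree(oid)
        best = None  # ((pattern length, config index), included)
        for idx, (pattern, included) in enumerate(self.entries):
            if len(target) < len(pattern):
                continue  # OID is above this subtree, cannot be inside it
            if all(p == "*" or p == o for p, o in zip(pattern, target)):
                key = (len(pattern), idx)
                if best is None or key > best[0]:
                    best = (key, included)
        return best is not None and best[1]


def maynes_view():
    """The view configured by the three commands shown above."""
    return (View("Maynes")
            .add("system", True)
            .add("system.2", False)
            .add("2.3.*.6", True))
```

With this model, sysDescr.0 (1.3.6.1.2.1.1.1.0) is visible because only the "system" entry matches it, while sysObjectID.0 (1.3.6.1.2.1.1.2.0) is hidden because the longer "system.2 excluded" entry wins; anything outside both "system" and the 2.3.*.6 family is not in the view at all.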
SNMP version 3 traps
To configure an SNMP user group, first configure SNMP v3 views using the snmp-server view command. Refer to “SNMP v3 Configuration examples” on page 175. Then enter a command such as the following.
SNMP version 3 traps
For SNMP version 2c, enter v2 and the name of the community string. This string is encrypted within the system.
For SNMP version 3, enter one of the following depending on the authorization required for the host:
• v3 auth: Allow only authenticated packets.
• v3 no auth: Allow all packets.
• v3 priv: A password is required.
For port, specify the UDP port number on the host that will receive the trap.
Displaying SNMP Information The must be in hexadecimal format using 16-bit values between colons as documented in RFC 2373. Displaying SNMP Information This section lists the commands for viewing SNMP-related information. Displaying the Engine ID To display the engine ID of a management module, enter a command such as the following.
SNMP v3 Configuration examples
TurboIron#show snmp user
username = bob
ACL id = 2
group = admin
security model = v3
group ACL id = 0
authtype = md5
authkey = 3aca18d90b8d172760e2dd2e8f59b7fe
privtype = des, privkey = 1088359afb3701730173a6332d406eec
engine ID= 800007c70300e052ab0000
Syntax: show snmp user
Interpreting varbinds in report packets
If an SNMP version 3 request packet is to be rejected by an SNMP agent, the agent sends a report packet that contains one or more varbinds.
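The engine ID in the show snmp user output above, 800007c70300e052ab0000, has exactly the layout described in the engine-ID discussion earlier in this chapter: four octets of enterprise number with the top bit set (800007c7, enterprise 1991), then a format octet, then the identifying value. The following is an added example, not Brocade code, that decodes such an ID and builds one from an enterprise number and a MAC address. The meaning of the format octet (1 = IPv4 address, 2 = IPv6 address, 3 = MAC address, 4 = text, 5 = octets, 128 and above enterprise-specific) comes from RFC 3411, not from the page.

```python
"""Added example: decode and build SNMPv3 engine IDs of the form shown above."""

# Format octet values from RFC 3411 section 5 (not from the page).
ENGINE_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def decode_engine_id(hex_id):
    """Split an engine ID into enterprise number, format and identifying value."""
    raw = bytes.fromhex(hex_id)
    if not 5 <= len(raw) <= 32:
        raise ValueError("engine ID must be 5..32 octets")
    if not raw[0] & 0x80:
        raise ValueError("MSB of octet 1 clear: old-style engine ID, not decoded here")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF  # drop the marker bit
    fmt = raw[4]
    body = raw[5:]
    if fmt in ENGINE_FORMATS:
        kind = ENGINE_FORMATS[fmt]
    elif fmt >= 128:
        kind = "enterprise-specific"
    else:
        kind = "reserved"
    if kind == "ipv4" and len(body) == 4:
        value = ".".join(str(b) for b in body)
    elif kind == "mac" and len(body) == 6:
        value = ":".join("%02x" % b for b in body)
    elif kind == "text":
        value = body.decode("ascii")
    else:
        value = body.hex()
    return {"enterprise": enterprise, "format": kind, "value": value}


def mac_engine_id(enterprise, mac):
    """Build the default-style ID: enterprise with MSB set, format 3, six MAC octets."""
    if not 0 < enterprise < 2 ** 31:
        raise ValueError("enterprise number must fit in 31 bits")
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC must be 6 octets")
    return ((enterprise | 0x80000000).to_bytes(4, "big") + b"\x03" + mac_bytes).hex()
```

Decoding the page's own value yields enterprise 1991, format mac and 00:e0:52:ab:00:00, and rebuilding from those pieces reproduces the original string, which is a quick way to confirm that a device's default engine ID really is derived from its base MAC rather than having been set by hand.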
SNMP v3 Configuration examples
More detailed SNMP v3 configuration
TurboIron(config)#snmp-server view internet internet included
TurboIron(config)#snmp-server view system system included
TurboIron(config)#snmp-server community ..... ro
TurboIron(config)#snmp-server community ..... rw
TurboIron(config)#snmp-server contact isc-operations
TurboIron(config)#snmp-server location sdh-pillbox
TurboIron(config)#snmp-server host 10.91.255.32 .....
Chapter 9 Enabling the Foundry Discovery Protocol and Reading Cisco Discovery Protocol Packets
In this chapter
• Using FDP 177
• Reading CDP packets 182
Using FDP
The Foundry Discovery Protocol (FDP) enables Brocade devices to advertise themselves to other devices on the network.
Using FDP Enabling FDP at the interface level By default, FDP is enabled at the interface level after FDP is enabled on the device. When FDP is enabled globally, you can disable and re-enable FDP on individual ports.
Using FDP
• FDP information for an interface on the device you are managing
• FDP packet statistics
NOTE If the Brocade device has intercepted CDP updates, then the CDP information is also displayed.
Displaying neighbor information
To display a summary list of all the neighbors that have sent FDP updates to this device, enter the following command.
Using FDP
TurboIronA#show fdp neighbor detail
Device ID: FCX648 Switch configured as tag-type8100
Entry address(es):
IP address: 10.20.64.
Using FDP Syntax: show fdp entry * | The * | parameter specifies the device ID. If you enter *, the detailed updates for all neighbor devices are displayed. If you enter a specific device ID, the update for that device is displayed. For information about the display, refer to Table 39. Displaying FDP information for an interface To display FDP information for an interface, enter a command such as the following.
Reading CDP packets
Clearing FDP and CDP statistics
To clear FDP and CDP statistics, enter the following command.
TurboIron#clear fdp counters
Syntax: clear fdp counters
Reading CDP packets
Cisco Discovery Protocol (CDP) packets are used by Cisco devices to advertise themselves to other Cisco devices. By default, devices forward these packets without examining their contents. You can configure a device to intercept and display the contents of CDP packets.
Reading CDP packets
• CDP entries for all Cisco neighbors or a specific neighbor
• CDP packet statistics
Displaying neighbors
To display the Cisco neighbors the Brocade device has learned from CDP packets, enter the following command.
Reading CDP packets
TurboIron#show fdp entry *
Device ID: Router
Entry address(es):
IP address: 10.95.6.143
Platform: cisco RSP4, Capabilities: Router
Interface: Eth 1, Port ID (outgoing port): FastEthernet0
Holdtime : 124 seconds
Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-JSV-M), Version 12.0(5)T1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Reading CDP packets
TurboIron#clear fdp counters
Syntax: clear fdp counters
Chapter 10 Configuring LLDP
In this chapter
• Terms used in this chapter
• LLDP overview
• General operating principles
• MIB support
• Syslog messages
LLDP overview Network connectivity device – A forwarding 802 LAN device, such as a router, switch, or wireless access point. Station – A node in a network. TLV (Type-Length-Value) – An information element in an LLDPDU that describes the type of information being sent, the length of the information string, and the value (actual information) that will be transmitted. TTL (Time-to-Live) – Specifies the length of time that the receiving device should maintain the information acquired through LLDP in its MIB.
General operating principles
Benefits of LLDP
LLDP provides the following benefits:
• Network Management:
  • Simplifies the use of and enhances the ability of network management tools in multi-vendor environments
  • Enables discovery of accurate physical network topologies such as which devices are neighbors and through which ports they connect
  • Enables discovery of stations in multi-vendor environments
• Network Inventory Data:
  • Supports optional system name, system description, system capabilities and
General operating principles An LLDP agent initiates the transmission of LLDP packets whenever the transmit countdown timing counter expires, or whenever LLDP information has changed. When a transmit cycle is initiated, the LLDP manager extracts the MIB objects and formats this information into TLVs. The TLVs are inserted into an LLDPDU, addressing parameters are prepended to the LLDPDU, and the information is sent out LLDP-enabled ports to adjacent LLDP-enabled devices.
General operating principles LLDP TLVs There are two types of LLDP TLVs, as specified in the IEEE 802.3AB standard: • Basic management TLVs consist of both optional general system information TLVs as well as mandatory TLVs. Mandatory TLVs cannot be manually configured. They are always the first three TLVs in the LLDPDU, and are part of the packet header. General system information TLVs are optional in LLDP implementations and are defined by the Network Administrator.
General operating principles Chassis ID The Chassis ID identifies the device that sent the LLDP packets. There are several ways in which a device may be identified. A chassis ID subtype, included in the TLV and shown in Table 40, indicates how the device is being referenced in the Chassis ID field.
Port ID (MAC address): 0000.0033.e2d3
The LLDPDU format is shown in “LLDPDU packet format” on page 190. The Port ID TLV format is shown below.
FIGURE 4 Port ID TLV packet format [figure: TLV Type = 3 (7 bits) | TLV Information String Length = 2 (9 bits) | Time to Live (TTL) (2 octets)]
TTL value
The Time to Live (TTL) Value is the length of time the receiving device should maintain the information acquired by LLDP in its MIB.
Syslog messages
Syslog messages for LLDP provide management applications with information related to MIB data consistency and general status. These Syslog messages correspond to the lldpRemTablesChange SNMP notifications. Refer to “Enabling LLDP SNMP notifications and syslog messages” on page 197.
Configuring LLDP
This section describes how to enable and configure LLDP. Table 42 lists the LLDP global-level tasks and the default behavior/value for each task.
• By default, the device limits the number of neighbors per port to four, and staggers the transmission of LLDP packets on different ports, in order to minimize any high-usage spikes to the CPU.
• Ports that are in blocking mode (spanning tree) can still receive LLDP packets from a forwarding port.
• Auto-negotiation status indicates what is being advertised by the port for 802.3 auto-negotiation.
Enabling and disabling LLDP
LLDP is enabled by default on individual ports.
Enabling and disabling receive only mode
When LLDP is enabled on a global basis, by default, each port on the device will be capable of transmitting and receiving LLDP packets. To change the LLDP operating mode from receive and transmit mode to receive only mode, simply disable the transmit mode. Enter a command such as the following at the Global CONFIG level of the CLI.
Per device
You can change the maximum number of neighbors for which LLDP data will be retained for the entire system. For example, to change the maximum number of LLDP neighbors for the entire device to 26, enter the following command.
TurboIron(config)#lldp max-total-neighbors 26
Syntax: [no] lldp max-total-neighbors
Use the [no] form of the command to remove the static configuration and revert to the default value of 392. where is a number between 16 and 65536.
Specifying the minimum time between SNMP traps and syslog messages
When SNMP notifications and Syslog messages for LLDP are enabled, the device will send no more than one SNMP notification and corresponding Syslog message within a five second period. If desired, you can throttle the amount of time between transmission of SNMP traps (lldpRemTablesChange) and Syslog messages from five seconds up to a value equal to one hour (3600 seconds).
Changing the interval between regular LLDP transmissions
The LLDP transmit interval specifies the number of seconds between regular LLDP packet transmissions. When you enable LLDP, by default, the device will wait 30 seconds between regular LLDP packet transmissions. If desired, you can change the default behavior from 30 seconds to a value between 5 and 32768 seconds. To change the LLDP transmission interval, enter a command such as the following at the Global CONFIG level of the CLI.
To set the re-initialization delay timer, enter a command such as the following at the Global CONFIG level of the CLI.
TurboIron(config)#lldp reinit-delay 5
The above command causes the device to wait five seconds after LLDP is disabled, before attempting to honor a request to re-enable it.
Syntax: [no] lldp reinit-delay
where is a value from 1 – 10. The default is two seconds.
Management Address
A management address is an IPv4 address that can be used to manage the device. If no management address is explicitly configured to be advertised, the device will use the first available IPv4 address.
• DOCSIS cable device
• Station only (devices that implement end station capability)
• Other
System capabilities for devices are based on the type of software image in use (e.g., Layer 2 switch or Layer 3 router). The enabled capabilities will be the same as the available capabilities, except that when using a router image (base or full Layer 3), if the global route-only feature is turned on, the bridge capability will not be included, since no bridging takes place.
Syntax: [no] lldp advertise system-name ports ethernet | all
802.1 capabilities
Except for the VLAN name, the device will advertise the following 802.1 attributes when LLDP is enabled on a global basis:
• VLAN name (not automatically advertised)
• Untagged VLAN ID
VLAN name
The VLAN name TLV contains the name and VLAN ID of a VLAN configured on a port. An LLDPDU may include multiple instances of this TLV, each for a different VLAN.
• Whether the link is capable of being aggregated
• Whether the link is currently aggregated
• The primary trunk port
Devices advertise link aggregation information about standard link aggregation (LACP) as well as static trunk configuration. By default, link-aggregation information is automatically advertised when LLDP is enabled on a global basis. To disable this advertisement, enter a command such as the following.
Maximum frame size
The maximum frame size TLV provides the maximum 802.3 frame size capability of the port. This value is expressed in octets and includes the four-octet Frame Check Sequence (FCS). The default maximum frame size is 1522. The advertised value may change depending on whether the aggregated-vlan or jumbo CLI commands are in effect. By default, the maximum frame size is automatically advertised when LLDP is enabled on a global basis.
Table 1:
This field... – Displays...
LLDP transmit interval – The number of seconds between regular LLDP packet transmissions.
LLDP transmit hold multiplier – The multiplier used to compute the actual time-to-live (TTL) value of an LLDP advertisement. The TTL value is the transmit interval multiplied by the transmit hold multiplier.
LLDP transmit delay – The number of seconds the LLDP agent will wait after transmitting an LLDP frame and before transmitting another LLDP frame.
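To make the TLV layout from the Port ID/TTL figure and the TTL rule in the table concrete, here is an added example (not code from the Brocade guide) that encodes and parses the three mandatory TLVs of an LLDPDU. The 7-bit type / 9-bit length header is from the figure above; the TLV type numbers and the MAC-address subtypes are taken from IEEE 802.1AB rather than from this page, and a hold multiplier of 4 is assumed because 30 s × 4 gives the 120-second TTL shown in the show lldp output.

```python
"""Added example: build and parse the mandatory LLDP TLVs (Chassis ID, Port ID, TTL).

Assumptions not stated on this page (taken from IEEE 802.1AB): Chassis ID is TLV
type 1 with subtype 4 for a MAC address, Port ID is type 2 with subtype 3 for a
MAC address, TTL is type 3, and End of LLDPDU is type 0 with length 0. The
default hold multiplier of 4 is assumed (30 s interval x 4 = 120 s TTL)."""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
CHASSIS_SUBTYPE_MAC = 4   # 802.1AB chassis ID subtype: MAC address (assumed, not from the page)
PORT_SUBTYPE_MAC = 3      # 802.1AB port ID subtype: MAC address (assumed, not from the page)


def mac_to_bytes(mac: str) -> bytes:
    """Convert 'xxxx.xxxx.xxxx' (the notation used in the show output) to 6 raw octets."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return raw


def bytes_to_mac(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def tlv(tlv_type: int, value: bytes) -> bytes:
    """One TLV: 7-bit type and 9-bit information-string length, then the value octets."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def ttl_seconds(tx_interval: int, hold_multiplier: int) -> int:
    """TTL advertised by the agent: transmit interval multiplied by the hold multiplier."""
    return tx_interval * hold_multiplier


def build_lldpdu(chassis_mac: str, port_mac: str,
                 tx_interval: int = 30, hold_multiplier: int = 4) -> bytes:
    """Mandatory TLVs in the order the standard requires, followed by End of LLDPDU."""
    return (
        tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + mac_to_bytes(chassis_mac))
        + tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_MAC]) + mac_to_bytes(port_mac))
        + tlv(TLV_TTL, struct.pack("!H", ttl_seconds(tx_interval, hold_multiplier)))
        + tlv(TLV_END, b"")
    )


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLV list; a length that runs past the buffer is rejected, not read."""
    info, offset = {}, 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        offset += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_CHASSIS_ID and len(value) == 7 and value[0] == CHASSIS_SUBTYPE_MAC:
            info["chassis_id"] = bytes_to_mac(value[1:])
        elif tlv_type == TLV_PORT_ID and len(value) == 7 and value[0] == PORT_SUBTYPE_MAC:
            info["port_id"] = bytes_to_mac(value[1:])
        elif tlv_type == TLV_TTL and length >= 2:
            (info["ttl"],) = struct.unpack("!H", value[:2])
    return info


if __name__ == "__main__":
    # Chassis and port IDs are the values shown in the show lldp local-info output above.
    pdu = build_lldpdu("0000.0017.50bb", "0000.0017.50d6")
    print(pdu.hex())
    print(parse_lldpdu(pdu))
```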
NOTE
You can reset LLDP statistics using the CLI command clear LLDP statistics. Refer to “The contents of the show output will vary depending on which TLVs are configured to be advertised.” on page 211.
The following table describes the information displayed by the show lldp statistics command.
This field... – Displays...
Last neighbor change time – The elapsed time (in hours, minutes, and seconds) since a neighbor last advertised information.
Table 2:
This field... – Displays...
Lcl Port – The local LLDP port number.
Chassis ID – The identifier for the chassis. Devices use the base MAC address of the device as the Chassis ID.
Port ID – The identifier for the port. Devices use the permanent MAC address associated with the port as the port ID.
Port Description – The description for the port. Devices use the ifDescr MIB object from MIB-II as the port description.
System Name – The administratively-assigned name for the system.
TurboIron#show lldp neighbors detail ports e 9
Local port: 9
Neighbor: 0000.0018.cc03, TTL 101 seconds
+ Chassis ID (network address): 10.43.39.151
+ Port ID (MAC address): 0000.0018.cc03
+ Time to live: 120 seconds
+ Port description : "LAN port"
+ System name : "regDN 1015,MITEL 5235 DM"
+ System description : "regDN 1015,MITEL 5235 DM,h/w rev 2,ASIC rev 1,f/w\ Boot 02.01.00.11,f/w Main 02.01.00.
LLDP configuration details
The show lldp local-info command displays the local information advertisements (TLVs) that will be transmitted by the LLDP agent.
NOTE
The show lldp local-info output will vary based on LLDP configuration settings.
TurboIron#show lldp local-info
Local port: 5
+ Chassis ID (MAC address): 0000.0017.50bb
+ Port ID (MAC address): 0000.0017.
TurboIron#show lldp local-info ports ethernet 28
Local port: 28
+ Chassis ID (MAC address): 0000.0017.50bb
+ Port ID (MAC address): 0000.0017.50d6
+ Time to live: 120 seconds
+ System name : "TX24 Router"
+ Port description : "GigabitEthernet28"
+ System capabilities : bridge, router
  Enabled capabilities: bridge, router
+ 802.
Clearing cached LLDP neighbor information
If you do not specify any ports or use the keyword all, by default, the system will clear the cached LLDP neighbor information for all ports.
Chapter 11 Monitoring Hardware Components
In this chapter
• Hardware support (page 213)
• Digital optical monitoring (page 213)
Hardware support
The procedures in this chapter describe how to configure the software to monitor hardware components.
Digital optical monitoring
Media not supported
Digital optical monitoring is not supported for the following optics:
• 1000Base-SX 2
• 1000Base-BX-D
• 1000Base-BX-U
• E1MG-100BXU
• E1MG-100BXD
• E1MG-BXU
• E1MG-BXD
Supported media
Digital optical monitoring is supported with the following Brocade-qualified media types:
• 1000Base-BX-D
• 1000Base-BX-U
• 1000Base-LHA
• 1000Base-LHB
• 1000Base-LX
• 1000Base-SX
• 1000Base-SX 2
Media not supported
Digital optical monitoring is not supported for the follow
To enable optical monitoring on a range of ports, use the following command.
TurboIron(config)#interface ethernet 1 to 12
TurboIron(config-mif-e10000-1-12)#optical-monitor
Syntax: [no] optical-monitor
Use the no form of the command to disable digital optical monitoring.
Setting the alarm interval
You can optionally change the interval between which alarms and warning messages are sent. The default interval is three minutes. To change the interval, use the following command.
Port 17: Type : 1G M-C
Port 18: Type : 1G M-C
Port 19: Type : 1G M-C
Port 20: Type : 1G M-C
Port 21: Type : 1G M-C
Port 22: Type : 1G M-C
Port 23: Type : 1G M-C
Port 24: Type : 1G M-C
Port 25: Type : 10G XG-SR(XFP)
         Vendor: Brocade Communications Inc. Version: 02
         Part#: JXPR01SW05306 Serial#: F617604000A3
Port 26: Type : EMPTY
Use the show media slot command to obtain information about the media device installed in a slot.
TurboIron> show optic 4
Port Temperature   Tx Power      Rx Power      Tx Bias Current
+----+-----------+----------+------------+-------------------+
1    30.8242 C   -001.8822 dBm -002.5908 dBm 41.790 mA
     Normal      Normal        Normal        Normal
2    31.7070 C   -001.4116 dBm -006.4092 dBm 41.976 mA
     Normal      Normal        Normal        Normal
3    30.1835 C   -000.5794 dBm               0.000 mA
     Normal      Low-Alarm     Normal        Low-Alarm
4    0.0000 C    0.
TABLE 45 Alarm status value description (Continued)
Status value – Description
High-Warn – Monitored level has climbed above the "high-warn" threshold set by the manufacturer of the optical transceiver.
High-Alarm – Monitored level has climbed above the "high-alarm" threshold set by the manufacturer of the optical transceiver.
For details about the above Syslog messages, refer to Chapter 12, “Using Syslog”.
Chapter 12 Using Syslog
In this chapter
• Overview (page 221)
• Displaying Syslog messages (page 222)
• Configuring the Syslog service
Displaying Syslog messages
To display the Syslog messages in the device local buffer, enter the show logging command at any level of the CLI. The following shows an example display output.
Configuring the Syslog service
telnet@TurboIron#terminal monitor
Syslog trace was turned OFF
Here is an example of how the Syslog messages are displayed.
TurboIron#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 3 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dynamic Log Buffer (50 entries):
Dec 15 18:46:17:I:Interface ethernet 4, state up
Dec 15 18:45:21:I:Bridge topology change, vlan 4095, interface 4, changed st
In the static log, new messages replace older ones, so only the most recent message is displayed. For example, only the most recent temperature warning message will be present in the log. If multiple temperature warning messages are sent to the log, the latest one replaces the previous one. The static buffer is not configurable. The message types that appear in the static buffer do not appear in the dynamic buffer.
• hh – hours
• mm – minutes
• ss – seconds
For example, “Oct 15 17:38:03” means October 15 at 5:38 PM and 3 seconds.
• If you have not set the time and date on the onboard system clock, the time stamp shows the amount of time that has passed since the device was booted, in the following format.
TurboIron#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Static Log Buffer:
Dynamic Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied 0000.001f.77ed) -> 10.99.4.69(http),
19d07h03m30s:warning:list 101 denied 0000.001f.77ed) -> 10.99.4.
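The two show logging formats above (calendar time stamp when the clock is set, uptime stamp when it is not) are what a collector has to handle when pulling these buffers into a SIEM. The following added example, not code from the Brocade guide, parses both forms into records; the sample output it carries is constructed from the lines shown on this page, and treating the level field as either a legend letter or a word such as "warning" is an assumption drawn from those lines.

```python
"""Added example: parse show logging output into structured records.

Assumptions: time stamps are either 'Mon DD HH:MM:SS' (clock set) or
'NNdNNhNNmNNs' (uptime since boot); the level field is a single letter from the
level-code legend or a lowercase word; SAMPLE_OUTPUT is constructed."""
import re
from typing import Dict, List, Optional

# Level-code legend exactly as printed by show logging on this platform.
LEVEL_CODES = {"A": "alert", "C": "critical", "D": "debugging", "M": "emergency",
               "E": "error", "I": "informational", "N": "notification", "W": "warning"}

MESSAGE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}|\d+d\d+h\d+m\d+s)"
    r":(?P<level>[A-Z]|[a-z]+):(?P<msg>.*)$")
UPTIME_RE = re.compile(r"^(\d+)d(\d+)h(\d+)m(\d+)s$")


def uptime_to_seconds(stamp: str) -> Optional[int]:
    """'21d07h02m40s' -> seconds since boot; None when the stamp is a calendar time."""
    m = UPTIME_RE.match(stamp)
    if not m:
        return None
    d, h, mi, s = (int(x) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_message(line: str) -> Optional[Dict]:
    """One buffer line -> record, or None for header/legend lines that are not messages."""
    m = MESSAGE_RE.match(line.strip())
    if not m:
        return None
    level = m.group("level")
    return {
        "timestamp": m.group("ts"),
        "uptime_seconds": uptime_to_seconds(m.group("ts")),
        "level": LEVEL_CODES.get(level, level),   # expand a one-letter code, keep a word as-is
        "message": m.group("msg"),
    }


def parse_show_logging(text: str) -> Dict[str, List[Dict]]:
    """Split the output into the static buffer (latest message per type) and the dynamic buffer."""
    buffers: Dict[str, List[Dict]] = {"static": [], "dynamic": []}
    current = None
    for line in text.splitlines():
        if line.startswith("Static Log Buffer"):
            current = "static"
        elif line.startswith("Dynamic Log Buffer"):
            current = "dynamic"
        elif current is not None:
            rec = parse_message(line)
            if rec:
                buffers[current].append(rec)
    return buffers


# Constructed sample, assembled from the lines shown in the guide's show logging output.
SAMPLE_OUTPUT = """\
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 3 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dynamic Log Buffer (50 entries):
Dec 15 18:46:17:I:Interface ethernet 4, state up
21d07h02m40s:warning:list 101 denied (constructed) -> 10.99.4.69(http)
"""

if __name__ == "__main__":
    for name, records in parse_show_logging(SAMPLE_OUTPUT).items():
        for rec in records:
            print(name, rec)
```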
Disabling logging of a message level
To change the message level, disable logging of specific message levels. You must disable the message levels on an individual basis. For example, to disable logging of debugging and informational messages, enter the following commands.
NOTE
You can specify only one facility. If you configure the device to use two Syslog servers, the device uses the same facility on both servers.
When you display the messages in the Syslog, you see the interface name under the Dynamic Log Buffer section. The actual interface number is appended to the interface name.
Appendix 13 Network Monitoring
In this chapter
• Basic management
• RMON support
• sFlow
• Configuring a utilization list for an uplink port
Basic management Viewing configuration information You can view a variety of configuration details and statistics with the show option. The show option provides a convenient way to check configuration changes before saving them to flash. The show options available will vary for Layer 2 Switches and Layer 3 Switches and by configuration level. To determine the available show commands for the system or a specific level of the CLI, enter the following command.
TABLE 47 Port statistics
This line... – Displays...
Port configuration
Port – The port number.
Link – The link state.
State – The STP state.
Dupl – The mode (full-duplex or half-duplex).
Speed – The port speed (10M, 100M, or 1000M).
Trunk – The trunk group number, if the port is a member of a trunk group.
Tag – Whether the port is a tagged member of a VLAN.
Priori – The QoS forwarding priority of the port (level0 – level7).
MAC – The MAC address of the port.
TABLE 47 Port statistics (Continued)
This line... – Displays...
CRC – The total number of packets received for which all of the following was true:
• The data length was between 64 bytes and the maximum allowable frame size.
• No Collision or Late Collision was detected.
• The CRC was invalid.
Collisions – The total number of packets received in which a Collision event was detected.
InErrors – The total number of packets received that had Alignment errors or phy errors.
To determine the available clear commands for the system, enter the following command.
TurboIron#clear ?
Syntax: clear
Configuration syntax
This section provides the syntax and configuration examples for enhanced traffic counters.
Example
To configure traffic counters for outbound traffic on a specific port, enter a command such as the following.
TurboIron(config)#transmit-counter 4 port 18 only vlan 1 prio 7 enable
The above command creates and enables traffic counter 4 on port 18. The device will count the number of packets sent out on port 18 that are in VLAN 1 and have a priority queue of 7.
NOTE
Once the enhanced traffic counters are displayed, the counters are cleared (reset to zero). The following shows an example output.
RMON support
The RMON agent supports the following groups. The group numbers come from the RMON specification (RFC 1757):
• Statistics (RMON Group 1)
• History (RMON Group 2)
• Alarms (RMON Group 3)
• Events (RMON Group 9)
The CLI allows you to make configuration changes to the control data for these groups, but you need a separate RMON application to view and display the data graphically.
TurboIron#show rmon statistics
Ethernet statistics 1 is active, owned by monitor
Interface 1 (ifIndex 1) counters
Octets 0                     Drop events 0
Packets 0                    Broadcast pkts 0
Multicast pkts 0             CRC alignment errors 0
Undersize pkts 0             Oversize pkts 0
Fragments 0                  Jabbers 0
Collisions 0                 64 octets pkts 0
65 to 127 octets pkts 0      128 to 255 octets pkts 0
256 to 511 octets pkts 0     512 to 1023 octets pkts 0
1024 to 1518 octets pkts 0
Syntax: show rmon statistics
The parameter specifies the port
TABLE 49 Export configuration and statistics (Continued)
This line... – Displays...
Oversize packets – The total number of packets received that were longer than 1518 octets and were otherwise well formed. This number does not include framing bits but does include FCS octets.
Jabbers – The total number of packets received that were longer than 1518 octets and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
You can modify the sampling interval and the bucket (number of entries saved before overwrite) using the CLI. In the above example, owner refers to the RMON station that will request the information.
NOTE
To review the control data entry for each port or interface, enter the show rmon history command.
Alarm (RMON group 3)
Alarm is designed to monitor configured thresholds for any SNMP integer, time tick, gauge or counter MIB object.
sFlow
• Combines sFlow samples into UDP packets and forwards them to the sFlow collectors for analysis
• Forwards byte and packet count data, or counter samples, to sFlow collectors
sFlow is described in RFC 3176, “InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks”.
NOTE
When sFlow is enabled, QoS will support 7 priority queues rather than 8. This is because QoS queue 1 is reserved for sFlow and does not get used for other types of traffic.
IPv6 packet sampling
IPv6 sampling is performed by the packet processor. The system uses the sampling rate setting to selectively mark the monitoring bit in the header of an incoming packet. Marked packets tell the CPU that the packets are subject to sFlow sampling.
Configuration considerations
This section lists the sFlow configuration considerations on devices.
Hardware support
• Devices support sFlow packet sampling of inbound traffic only. These devices do not sample outbound packets.
NOTE
If an IP address is not already configured when you enable sFlow, the feature uses the source address 0.0.0.0. To display the agent_address, enable sFlow, then enter the show sflow command. Refer to “Enabling sFlow forwarding” on page 248 and “Displaying sFlow information” on page 249.
Sampling rate
The sampling rate is the average ratio of the number of packets incoming on an sFlow enabled port, to the number of flow samples taken from those packets.
The sampled sFlow data sent to the collectors includes an agent_address field. This field identifies the device that sent the data. Refer to “Source address” on page 243.
IPv6 devices
To specify an sFlow collector on an IPv6 device, enter a command such as the following.
TurboIron(config)#sflow destination ipv6 2003:0:0::0b:02a
This command specifies a collector with IPv6 address 2003:0::0b:02a, listening for sFlow data on UDP port 6343.
Configuration considerations
The sampling rate is a fraction in the form 1/N, meaning that, on average, one out of every N packets will be sampled. The sflow sample command at the global level or port level specifies N, the denominator of the fraction. Thus a higher number for the denominator means a lower sampling rate since fewer packets are sampled. Likewise, a lower number for the denominator means a higher sampling rate because more packets are sampled.
Sampling rate for new ports
When you enable sFlow on a port, the port's sampling rate is set to the global default sampling rate. This also applies to ports on which you disable and then re-enable sFlow. The port does not retain the sampling rate it had when you disabled sFlow on the port, even if you had explicitly set the sampling rate on the port.
To change the sampling rate on an individual port, enter a command such as the following at the configuration level for the port.
TurboIron(config-if-1)#sflow sample 8192
Syntax: [no] sflow sample
The parameter specifies the average number of packets from which each sample will be taken. The software rounds the value you enter up to the next odd power of 2. The actual sampling rate becomes one of the values listed in “Changing the default sampling rate”.
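The rounding rule and the reset-on-re-enable behaviour in the three passages above are easy to get wrong when auditing what a switch actually samples. The following added example (not code from the Brocade guide) models both: it rounds a requested N up to the next odd power of 2 and tracks per-port rates across disable/enable. Treating 2 as the smallest odd power of 2 is an assumption, and the global value used below is constructed rather than the platform default.

```python
"""Added example: model sFlow sampling-rate rounding and per-port rate state.

Assumptions: 2 (2**1) is the smallest odd power of two the software will use;
the guide does not show the lower bound on this page. The global default value
used in the demo below is constructed, not the platform default."""
from typing import Dict


def effective_sample_denominator(requested: int) -> int:
    """Round N up to the nearest odd power of two (2, 8, 32, 128, 512, 2048, 8192, ...)."""
    if requested < 1:
        raise ValueError("sample value must be a positive integer")
    n = 2                      # 2**1: smallest odd exponent (assumed lower bound)
    while n < requested:
        n <<= 2                # multiplying by 4 keeps the exponent odd
    return n


def sampled_fraction(requested: int) -> float:
    """Average share of incoming packets that produce a flow sample at the rounded rate 1/N."""
    return 1.0 / effective_sample_denominator(requested)


class SflowSamplingState:
    """Per-port effective denominators under the rules described in the text above."""

    def __init__(self, global_sample: int):
        self.global_n = effective_sample_denominator(global_sample)
        self.ports: Dict[int, int] = {}   # port -> effective N, present only while sFlow is enabled

    def set_global(self, requested: int) -> int:
        self.global_n = effective_sample_denominator(requested)
        return self.global_n

    def enable_port(self, port: int) -> int:
        """Enabling, or re-enabling, a port always starts it at the global default."""
        self.ports[port] = self.global_n
        return self.global_n

    def disable_port(self, port: int) -> None:
        """Disabling sFlow on a port forgets any explicit per-port rate."""
        self.ports.pop(port, None)

    def set_port(self, port: int, requested: int) -> int:
        """Equivalent of 'sflow sample N' at the interface level."""
        if port not in self.ports:
            raise KeyError(f"sFlow is not enabled on port {port}")
        self.ports[port] = effective_sample_denominator(requested)
        return self.ports[port]

    def rate(self, port: int) -> int:
        return self.ports[port]


if __name__ == "__main__":
    state = SflowSamplingState(global_sample=512)   # constructed global value
    state.enable_port(1)
    print("port 1 after 'sflow sample 8192':", state.set_port(1, 8192))
    state.disable_port(1)
    state.enable_port(1)
    print("port 1 after disable/re-enable:", state.rate(1))
    print("requested 1000 ->", effective_sample_denominator(1000))
```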
Command syntax
This section shows how to enable sFlow forwarding.
Globally enabling sFlow forwarding
To enable sFlow forwarding, you must first enable it on a global basis, then on individual interfaces or trunk ports, or both. To globally enable sFlow forwarding, enter the following command.
TurboIron(config)#sflow enable
You can now enable sFlow forwarding on individual ports as described in the next two sections.
TABLE 50 sFlow information (Continued)
This field... – Displays...
Actual default sampling rate – The actual default sampling rate.
UDP packets exported – The number of sFlow export packets the device has sent. NOTE: Each UDP packet can contain multiple samples.
sFlow samples collected – The number of sampled packets that have been sent to the collectors.
sFlow ports – The ports on which you enabled sFlow.
Configuring a utilization list for an uplink port
Each list displays the uplink port and the percentage of that port bandwidth that was utilized by the downlink ports over the most recent 30-second interval. You can configure up to four bandwidth utilization lists.
Command syntax
To configure an uplink utilization list, enter commands such as the following. The commands in this example configure a link utilization list with port 1 as the uplink port and ports 2 and 3 as the downlink ports.
In the following example, ports 2 and 3 are in the same port-based VLAN.
TurboIron#show relative-utilization 1
uplink: ethe 1
30-sec total uplink packet count = 3011
packet count ratio (%)
2:100 3:100
Here is another example showing different data for the same link utilization list. In this example, port 2 is connected to a hub and is sending traffic to port 1. Port 3 is unconnected.
Chapter 14 Configuring Basic Layer 2 Features
In this chapter
• Enabling or disabling the Spanning Tree Protocol (STP)
• Changing the MAC age time and disabling MAC address learning
• Configuring static MAC entries
• Configuring VLAN-based static MAC entries
• Enabling port-based VLANs
STP must be enabled at the system level to allow assignment of this capability on the VLAN level. On devices running Layer 2 code, STP is enabled by default. On devices running Layer 3 code, STP is disabled by default. To enable STP for all ports on a device, enter the following command.
Syntax: [no] mac-learn disable
Use the no form of the command to allow a physical port to learn MAC addresses.
Configuration notes and feature limitations
• This command is not available on virtual routing interfaces. Also, if this command is configured on the primary port of a trunk, MAC address learning will be disabled on all the ports in the trunk.
Configuring static MAC entries
You can manually input the MAC address of a device to prevent it from being aged out of the system address table. This option can be used to prevent traffic for a specific device, such as a server, from flooding the network with traffic when it is down. Additionally, the static MAC address entry is used to assign higher priorities to specific MAC addresses.
Syntax: [no] static-mac-address ethernet ethernet ethernet …. [priority ]
or
Syntax: [no] static-mac-address ethernet to ethernet [priority ]
The parameter is a valid port number. The priority is optional and can be a value from 0 – 7 (0 is lowest priority and 7 is highest priority). The default priority is 0.
The parameter specifies the VLAN ID. The valid range for VLAN IDs starts at 1 on all systems but the upper limit of the range differs depending on the device. In addition, you can change the upper limit on some devices using the system max-vlans... command. The parameter is the VLAN name and can be a string up to 32 characters. You can use blank spaces in the name if you enclose the name in double quotes (for example, “Product Marketing”).
Defining MAC address filters
You configure MAC filters globally, then apply them to individual interfaces. To apply MAC filters to an interface, you add the filters to that interface MAC filter group. The device takes the action associated with the first matching filter. If the packet does not match any of the filters in the access list, the default action is to drop the packet.
The | any parameter specifies the source MAC address. You can enter a specific address value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f's (ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes.
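The first-match evaluation, the implicit drop, and the f/0 mask convention described in the two passages above are the parts of MAC filtering worth verifying before a filter group goes on a port. This added example (not code from the Brocade guide) evaluates a constructed filter group against constructed frames using exactly those rules; the mask example aabb.ccdd.eeff / ffff.0000.0000 is the one from the text.

```python
"""Added example: evaluate a MAC filter group with first-match, default-drop semantics.

The mask convention follows the text: a one bit in the mask means that bit of the
address must match, a zero bit is ignored, and 'any' compares nothing. All
filter entries and frames below are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """'aabb.ccdd.eeff' (or aa:bb:cc:dd:ee:ff) -> 48-bit integer."""
    digits = mac.replace(".", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


ANY_MASK = 0  # 'any': no bits compared, so every address matches


@dataclass(frozen=True)
class MacFilter:
    number: int
    action: str          # 'permit' or 'deny'
    src: int
    src_mask: int
    dst: int
    dst_mask: int

    def matches(self, src: int, dst: int) -> bool:
        """Compare only the bits the masks select."""
        return ((src & self.src_mask) == (self.src & self.src_mask)
                and (dst & self.dst_mask) == (self.dst & self.dst_mask))


def make_filter(number: int, action: str,
                src: str = "any", src_mask: str = "0000.0000.0000",
                dst: str = "any", dst_mask: str = "0000.0000.0000") -> MacFilter:
    """Build a filter from CLI-style arguments; the keyword any means an all-zero mask."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    s = 0 if src == "any" else mac_to_int(src)
    sm = ANY_MASK if src == "any" else mac_to_int(src_mask)
    d = 0 if dst == "any" else mac_to_int(dst)
    dm = ANY_MASK if dst == "any" else mac_to_int(dst_mask)
    return MacFilter(number, action, s, sm, d, dm)


def evaluate(group: List[MacFilter], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, filter number) of the first match, or ('deny', None) for the implicit drop."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for f in group:
        if f.matches(s, d):
            return f.action, f.number
    return "deny", None


if __name__ == "__main__":
    # Constructed group: deny every source whose first two bytes are aabb, permit everything else.
    group = [make_filter(1, "deny", "aabb.ccdd.eeff", "ffff.0000.0000"),
             make_filter(2, "permit")]
    for src in ("aabb.1234.5678", "00aa.bbcc.ddee"):
        print(src, "->", evaluate(group, src, "ffff.ffff.ffff"))
    print("empty group ->", evaluate([], "00aa.bbcc.ddee", "ffff.ffff.ffff"))
```

Reversing the order of the two entries makes every frame hit the permit filter first, which is the ordering mistake the first-match rule above makes possible.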
Enabling logging of management traffic permitted by MAC filters
You can configure the device to generate Syslog entries and SNMP traps for management traffic that is permitted by MAC filters. Management traffic applies to packets that are destined for the CPU, such as control packets. You can enable logging of permitted management traffic on a global basis or an individual port basis.
MAC address filter override for 802.1X-enabled ports
The MAC address filtering feature on an 802.1X-enabled port allows 802.1X and non-802.1X devices to share the same physical port. For example, this feature enables you to connect a PC and a non-802.1X device, such as a Voice Over IP (VOIP) phone, to the same 802.1X-enabled port on the Brocade device. The IP phone will bypass 802.1X authentication and the PC will require 802.1X authentication.
The dest-mac mask | any parameter specifies the destination MAC address. The syntax rules are the same as those for the src-mac mask | any parameter. Note that the 802.1x Authentication filter (dot1x auth-filter) does not use the destination MAC address in the MAC address filter. The filter-num command identifies the MAC address filter.
Displaying and modifying system parameter default settings
TurboIron#show default values
                     Minimun  Maximum  Current
multicast-route      1024     2048     1024
pim-mcache           1024     4096     4096
igmp-max-group-addr  4096     8192     4096
igmp-snoop-mcache    512      2048     512
msdp-sa-cache        1024     4096     1024
Table 51 defines the system parameters in the show default values command output.
TABLE 51 System parameters in show default values command
This system parameter... – Defines the maximum number of...
Egress buffer thresholds for QoS priorities
• Egress Buffer Threshold for a given Traffic Class for a port – When this is configured, the specified egress buffer threshold will be applied to a specific traffic class (0 – 7) on a port.
The egress buffer thresholds can be modified to various levels. The default settings are described in the section “Default settings for egress buffer thresholds” on page 269.
FIGURE 6 Egress buffer thresholds [figure: a scale of Egress Buffer Thresholds running from Maximum through Level 6, Level 5, Level 4, Level 3, Level 2 and Level 1 down to Minimum]
Manually increasing buffer thresholds may be useful in situations where applications have intermittent bursts of oversubscription. For example, by increasing a port egress buffer threshold, the device will be able to forward oversubscribed packets instead of dropping them.
TurboIron(config)#no enable egress-buffer-default
This command disables the default values for all traffic classes on all ports. Once disabled, you can configure new threshold values as instructed in “Setting the egress buffer threshold for all QoS priorities on a port or group of ports” on page 270 and “Setting the egress buffer threshold for a specific QoS priority on a port or group of ports” on page 270.
TurboIron(config)#int e 3
TurboIron(conf-if-e10000-3)#egress-buffer-threshold level-6 6
These commands set the egress buffer threshold for packets with QoS priority 6 to the level-6 threshold. To set the egress buffer threshold for a specific QoS priority on multiple ports, enter commands such as the following.
Jumbo frame support
Ethernet traffic moves in units called frames. The maximum size of frames is called the Maximum Transmission Unit (MTU). When a network device receives a frame larger than its MTU, the data is either fragmented or dropped. Historically, Ethernet has a maximum frame size of 1500 bytes, so most devices use 1500 as their default MTU. Jumbo frames are Ethernet frames with more than 1,500 bytes MTU. Conventionally, jumbo frames can carry up to 9,000 bytes MTU.
Chapter 15 Configuring Metro Features
In this chapter
• Topology groups (page 273)
• Metro Ring Protocol (MRP) (page 277)
• Virtual Switch Redundancy Protocol (VSRP) (page 298)
Topology groups
A topology group is a named set of VLANs that share a Layer 2 topology.
• Member VLANs – The member VLANs are additional VLANs that share ports with the master VLAN. The Layer 2 protocol settings for the ports in the master VLAN apply to the same ports in the member VLANs. A change to the master VLAN Layer 2 protocol configuration or Layer 2 topology affects all the member VLANs. Member VLANs do not independently run a Layer 2 protocol.
• Member VLAN groups – A VLAN group is a named set of VLANs.
• Once you add a VLAN as a member of a topology group, all the Layer 2 protocol information on the VLAN is deleted.
Configuring a topology group
To configure a topology group, enter commands such as the following.
NOTE
Once you add a VLAN or VLAN group as a member of a topology group, all the Layer 2 protocol configuration information for the VLAN or group is deleted. For example, if STP is configured on a VLAN and you add the VLAN to a topology group, the STP configuration is removed from the VLAN. Once you add the VLAN to a topology group, the VLAN uses the Layer 2 protocol settings of the master VLAN.
Metro Ring Protocol (MRP)
TABLE 52 CLI display of topology group information
This field... Displays...
master-vlan – The master VLAN for the topology group. The settings for STP, MRP, or VSRP on the control ports in the master VLAN apply to all control ports in the member VLANs within the topology group.
member-vlan – The member VLANs in the topology group.
Common control ports – The master VLAN ports that are configured with Layer 2 protocol information.
Figure 7 shows an example of an MRP metro ring.
FIGURE 7 Metro ring – normal state (figure: Switch A is the master node; Switches B, C and D complete the ring; each switch also connects to a Customer A network; ring interfaces are marked F for Forwarding except one master node interface marked B, which blocks Layer 2 traffic to prevent a loop)
The ring in this example consists of four MRP nodes. Each node has two interfaces with the ring. Each node also is connected to a separate customer network.
Configuration notes
• When you configure MRP, Brocade recommends that you disable one of the ring interfaces before beginning the ring configuration. Disabling an interface prevents a Layer 2 loop from occurring while you are configuring MRP on the ring nodes. Once MRP is configured and enabled on all the nodes, you can re-enable the interface.
• Support for MRP 1 and MRP 2 is added for the devices.
MRP rings with shared interfaces (MRP Phase 2)
With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN. Figure 9 shows examples of multiple MRP rings that share the same interface.
FIGURE 10 Interface IDs and types (figure: two rings; interfaces on Ring 1 carry ID 1 and interfaces on Ring 2 carry ID 2; Port1 on S1 and Port2 on S2 are shared by both rings and carry IDs 1,2; C = customer port)
For example, in Figure 10, the ID of all interfaces on all nodes on Ring 1 is 1 and all interfaces on all nodes on Ring 2 is 2. Port 1 on node S1 and Port 2 on S2 have the IDs of 1 and 2 since the interfaces are shared by Rings 1 and 2. The ring ID is also used to determine an interface priority.
Ring initialization
The ring shown in Figure 7 shows the port states in a fully initialized ring without any broken links. Figure 11 shows the initial state of the ring, when MRP is first enabled on the ring switches. All ring interfaces on the master node and member nodes begin in the Preforwarding state (PF).
FIGURE 11 Metro ring – initial state (figure: all ring ports on Switches A through D start in Preforwarding state)
RHP processing in MRP Phase 1
A ring interface can have one of the following MRP states:
• Preforwarding (PF) – The interface can forward RHPs but cannot forward data. All ring ports begin in this state when you enable MRP.
• Forwarding (F) – The interface can forward data as well as RHPs. An interface changes from Preforwarding to Forwarding when the port preforwarding time expires.
FIGURE 12 Metro ring – from preforwarding to forwarding (figure: on Switch A, the master node, the secondary port receives RHP 1 and changes to Blocking; the primary port then sends RHP 2 with the forwarding bit on; each ring port on Switches B, C and D changes from Preforwarding to Forwarding when it receives this RHP)
Each RHP also has a sequence number.
FIGURE 13 Flow of RHP packets on MRP rings with shared interfaces (figure: Port1 is the primary interface and Port2 the secondary interface of the Ring 1 master node; Port3 is the primary interface and Port4 the secondary interface of the Ring 2 master node; the legend distinguishes Ring 1 RHP packets from Ring 2 RHP packets, and the interfaces shared by both rings carry IDs 1,2)
Port 1 on Ring 1 master node is the primary interface of the master node. The primary interface forwards an RHP packet on the ring.
FIGURE 14 Metro ring – ring break (figure: the four-node ring of Figure 7 with a broken link; the remaining ring interfaces on Switches A through D are Forwarding)
If a break in the ring occurs, MRP heals the ring by changing the states of some of the ring interfaces:
• Blocking interface – The Blocking interface on the master node has a dead timer. If the dead time expires before the interface receives one of its ring RHPs, the interface changes state to Preforwarding.
When the broken link is repaired, the link interfaces come up in the Preforwarding state, which allows RHPs to travel through the restored interfaces and reach the secondary interface on the master node:
• If an RHP reaches the master node secondary interface, the ring is intact. The secondary interface changes to Blocking. The master node sets the forwarding bit on in the next RHP. When the restored interfaces receive this RHP, they immediately change state to Forwarding.
Alarm RHP
Previously, detection of MRP ring breaks was completely timer based. An absence of Ring Health Packets (RHP) for a period of 3 "hello times" indicated to the MRP master that the ring is broken. This initiated the transition to a topology change as described in the previous section. The convergence time associated with such an event could take several hundreds of milliseconds. Now, each MRP node is made a more active participant in detecting link failures.
FIGURE 16 A MRP ring under normal operation (A) and after detection of a failure in the ring (B) (figure: in (a) the Master sends RHP packets around the ring through Switches B, C, D and E, with one Master interface Blocked and the other Forwarding; in (b), after a failure is detected, an Alarm RHP packet is sent around the ring)
Master VLANs and customer VLANs
All the ring ports must be in the same VLAN. Placing the ring ports in the same VLAN provides Layer 2 connectivity for a given customer across the ring.
FIGURE 17 Metro ring – ring VLAN and customer VLANs (figure: Switch B and Switch D each run ring 1 on ring interfaces 1 and 2 under topology group 2, with master VLAN 2 on ports 1 and 2, member VLAN 30 for Customer A on ports 1, 2 and 3, and member VLAN 40 for Customer B on ports 1, 2 and 4)
Notice that each customer
In Figure 17, VLAN 2 is the master VLAN and contains the MRP configuration parameters for ring 1. VLAN 30 and VLAN 40, the customer VLANs, are member VLANs in the topology group. Since a topology group is used, a single instance of MRP provides redundancy and loop prevention for both the customer VLANs. If you use a topology group:
• The master VLAN must contain the ring interfaces. The ports must be tagged, since they will be shared by multiple VLANs.
TurboIron(config)#vlan 2
TurboIron(config-vlan-2)#metro-ring 1
TurboIron(config-vlan-2-mrp-1)#name CustomerA
TurboIron(config-vlan-2-mrp-1)#master
TurboIron(config-vlan-2-mrp-1)#ring-interface ethernet 1 ethernet 2
TurboIron(config-vlan-2-mrp-1)#enable
These commands configure an MRP ring on VLAN 2. The ring ID is 1, the ring name is CustomerA, and this node (this TurboIron X Series device) is the master for the ring. The ring interfaces are 1 and 2.
Changing the hello and preforwarding times
You also can change the RHP hello time and preforwarding time. To do so, enter commands such as the following.
TurboIron(config-vlan-2-mrp-1)#hello-time 200
TurboIron(config-vlan-2-mrp-1)#preforwarding-time 400
These commands change the hello time to 200 ms and change the preforwarding time to 400 ms.
Syntax: [no] hello-time
Syntax: [no] preforwarding-time
The parameter specifies the number of milliseconds.
TurboIron#show metro 1 diag
Metro Ring 1 - CustomerA
=============
diagnostics results
Ring id 2
Diag state enabled
Diag frame sent 1230
RHP average time(microsec) 125
Recommended hello time(ms) 100
Recommended Prefwing time(ms) 300
Diag frame lost 0
Syntax: show metro diag
This display shows the following information.
TABLE 53 CLI display of MRP ring diagnostic information
This field... Displays...
Ring id – The ring ID.
TurboIron#show metro
Metro Ring 1
=============
Ring id 2
State enabled
Ring role member
Master vlan 2
Topo group not conf
Hello time(ms) 100
Prefwing time(ms) 300
Ring interfaces  Interface role  Forwarding state  Active interface  Interface Type
ethernet 1       primary         disabled          none              Regular
ethernet 2       secondary       forwarding        ethernet 2        Tunnel
RHPs sent 3
RHPs rcvd 0
TC RHPs rcvd 0
State changes 4
Syntax: show metro
This display shows the following information.
TABLE 54 CLI display of MRP ring information (Continued)
This field... Displays...
Ring interfaces – The device's two interfaces with the ring. NOTE: If the interfaces are trunk groups, only the primary ports of the groups are listed.
Interface role – The interface role can be one of the following: primary • Master node – The interface generates RHPs.
Forwarding state
Active interface
Commands on Switch A (master node)
The following commands configure a VLAN for the ring. The ring VLAN must contain both of the node interfaces with the ring. Add these interfaces as tagged interfaces, since the interfaces also must be in each of the customer VLANs configured on the node.
Virtual Switch Redundancy Protocol (VSRP)
TurboIron(config)#topology-group 1
TurboIron(config-topo-group-1)#master-vlan 2
TurboIron(config-topo-group-1)#member-vlan 30
TurboIron(config-topo-group-1)#member-vlan 40
Commands on Switch C
TurboIron(config)#vlan 2
TurboIron(config-vlan-2)#tag ethernet 1 to 2
TurboIron(config-vlan-2)#metro-ring 1
TurboIron(config-vlan-2-mrp-1)#name “Metro A”
TurboIron(config-vlan-2-mrp-1)#ring-interface ethernet 1 ethernet 2
TurboIron(config-vlan-2-mrp-1)#enable
TurboIron(confi
The TurboIron X Series device supports full VSRP and VSRP-awareness. A TurboIron X Series device that is not itself configured for VSRP, but is connected to a device that is configured for VSRP, is VSRP aware. You can use VSRP for Layer 2, Layer 3, or for both layers. On Layer 3 Switches, Layer 2 and Layer 3 share the same VSRP configuration information. On Layer 2 Switches, VSRP applies only to Layer 2. Figure 18 shows an example of a VSRP configuration.
Configuration notes
• VSRP and 802.1Q-n-Q tagging are not supported together on the same device.
• VSRP and Super Aggregated VLANs are not supported together on the same device.
• VSRP does not work on a VLAN which has multicast enabled.
• TurboIron X Series devices support VSRP awareness, and VSRP-aware security features.
Each backup waits for a specific period of time, the dead interval, to receive a new hello message from the master. If the backup does not receive a hello message from the master by the time the dead interval expires, the backup sends a hello message of its own, which includes the backup's VSRP priority, to advertise the backup's intent to become the master. If there are multiple backups for the VRID, each backup sends a hello message.
FIGURE 19 VSRP priority (figure: VSRP Master, configured priority = 100, actual priority = (100 - 0) * (3/3) = 100; VSRP Backup, configured priority = 100, actual priority = (100 - 0) * (3/3) = 100; the master's three VRID ports are Forwarding (F) and the backup's are Blocking (B); an optional link joins master and backup; three VSRP Aware devices connect to both)
However, if one of the VRID ports goes down on one of the backups, that backup priority is reduced.
FIGURE 21 VSRP priority bias (figure: VSRP Master, configured priority = 150, one of its three VRID links down (X), actual priority = 150 * (2/3) = 100; VSRP Backup, configured priority = 100, actual priority = (100 - 0) * (3/3) = 100; an optional link joins master and backup; three VSRP Aware devices)
Track ports
Optionally, you can configure track ports to be included during VSRP priority calculation.
FIGURE 22 Track port priority (figure: VSRP Master, configured priority = 100, track priority 20, track port is up, actual priority = (100 - 0) * (3/3) = 100; VSRP Backup, configured priority = 100, actual priority = (100 - 0) * (3/3) = 100; an optional link joins master and backup; three VSRP Aware devices)
In Figure 22, the track port is up. Since the port is up, the track priority does not affect the VSRP priority calculation.
MAC address failover on VSRP-aware devices
VSRP-aware devices maintain a record of each VRID and its VLAN. When the device has received a hello message for a VRID in a given VLAN, the device creates a record for that VRID and VLAN and includes the port number in the record.
TABLE 55 VSRP parameters
Parameter – Description – Default – See page...
Protocol – VSRP state – Enabled – page 309. NOTE: On a Layer 3 Switch, you must disable VSRP to use VRRP-E or VRRP.
Virtual Router ID (VRID) – The ID of the virtual switch you are creating by configuring multiple devices as redundant links. You must configure the same VRID on each device that you want to use to back up the links.
TABLE 55 VSRP parameters (Continued)
Parameter – Description – Default – See page...
VRID IP address – A gateway address you are backing up. Configuring an IP address provides VRRP-E Layer 3 redundancy in addition to VSRP Layer 2 redundancy. The VRID IP address must be in the same subnet as a real IP address configured on the VSRP interface, but cannot be the same as a real IP address configured on the interface.
TABLE 55 VSRP parameters (Continued)
Parameter – Description – Default – See page...
Hold-down interval – The amount of time a backup that has sent a hello packet announcing its intent to become master waits before beginning to forward traffic for the VRID. The hold-down interval prevents Layer 2 loops from occurring during VSRP rapid failover. The interval can be from 1 – 84 seconds.
• Specify that the device is a backup. Since VSRP, like VRRP-E, does not have an “owner”, all VSRP devices are backups. The active device for a VRID is elected based on the VRID priority, which is configurable.
• Activate the VRID.
The following example shows a simple VSRP configuration.
Timer scale
The VSRP hello interval, dead interval, backup hello interval, and hold-down interval timers are individually configurable. You also can easily change all the timers at the same time while preserving the ratios among their values. To do so, change the timer scale. The timer scale is a value used by the software to calculate the timers. The software divides a timer value by the timer scale value. By default, the scale is 1.
Configuring authentication
If the interfaces on which you configure the VRID use authentication, the VSRP packets on those interfaces also must use the same authentication. VSRP supports the following authentication types:
• No authentication – The interfaces do not use authentication. This is the default.
• Simple – The interfaces use a simple text-string as a password in packets sent on the interface.
Syntax: vsrp-aware vrid no-auth port-list
The vrid parameter is a valid VRID (from 1 to 255).
no-auth specifies no authentication as the preferred VSRP-aware security method. The VSRP device will not accept incoming packets that have authentication strings.
simple-text-auth specifies the authentication string for accepting VSRP hello packets, where the string can be up to 8 characters.
or
Syntax: [no] ip address
Changing the backup priority
When you enter the backup command to configure the device as a VSRP backup for the VRID, you also can change the backup priority and the track priority:
• The backup priority is used for election of the master. The VSRP backup with the highest priority value for the VRID is elected as the master for that VRID. The default priority is 100.
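The priority arithmetic shown in Figures 19, 21 and 22 and in the show vsrp output, together with master election, preemption and the timer scale, as an added Python example that is not Brocade code. It assumes that the "- 0" term in the figures is the track-port penalty, subtracted only while the tracked port is down, and that tie-breaking between equal priorities (which the guide does not describe) is an error rather than a guess.

```python
"""VSRP priority arithmetic, master election and preemption.

Added example, not Brocade code. Implements the formula the guide shows
in Figures 19, 21 and 22 and in the show vsrp output:

    actual = (configured - track_penalty) * (vrid_ports_up / vrid_ports_total)

Assumptions (not spelled out on the page):
  * the "- 0" term in the figures is the track-port penalty, and a track
    port's track priority is subtracted only while that port is down;
  * tie-breaking between equal actual priorities is not described, so
    elect_master() raises on a tie instead of guessing.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class VsrpNode:
    """One VSRP backup for a VRID (constructed sample data, not a real device)."""
    name: str
    configured_priority: int          # backup priority; the guide's default is 100
    vrid_ports_up: int                # VRID ports currently up
    vrid_ports_total: int             # VRID ports configured
    # (port name, track priority, port is up); track ports are optional
    track_ports: List[Tuple[str, int, bool]] = field(default_factory=list)


def track_penalty(node: VsrpNode) -> int:
    """Sum of track priorities for track ports that are down (assumption above)."""
    return sum(prio for _, prio, is_up in node.track_ports if not is_up)


def actual_priority(node: VsrpNode) -> float:
    """Priority the node advertises for the VRID in its hello messages."""
    if node.vrid_ports_total <= 0:
        raise ValueError("a VRID needs at least one VRID port")
    if not 0 <= node.vrid_ports_up <= node.vrid_ports_total:
        raise ValueError("vrid_ports_up out of range")
    base = max(node.configured_priority - track_penalty(node), 0)
    # Multiply before dividing so whole-number results stay exact (150*2/3 == 100.0).
    return base * node.vrid_ports_up / node.vrid_ports_total


def elect_master(nodes: List[VsrpNode]) -> str:
    """The backup with the highest actual priority for the VRID becomes master."""
    if not nodes:
        raise ValueError("no VSRP backups for this VRID")
    ranked = sorted(nodes, key=actual_priority, reverse=True)
    if len(ranked) > 1 and actual_priority(ranked[0]) == actual_priority(ranked[1]):
        raise ValueError(
            f"tie at priority {actual_priority(ranked[0])} between "
            f"{ranked[0].name} and {ranked[1].name}: tie-breaking is not on the page"
        )
    return ranked[0].name


def can_preempt(candidate: VsrpNode, master: VsrpNode,
                preempt_enabled: bool = True) -> bool:
    """With preemption enabled (the default), a higher-priority backup may take over."""
    return preempt_enabled and actual_priority(candidate) > actual_priority(master)


def effective_timer(configured_seconds: float, timer_scale: int = 1) -> float:
    """Timer scale: the software divides each configured timer by the scale (default 1)."""
    if timer_scale < 1:                 # lower bound is an assumption of this example
        raise ValueError("timer scale must be at least 1")
    return configured_seconds / timer_scale


if __name__ == "__main__":
    master = VsrpNode("Switch-1", 150, 2, 3)                            # Figure 21, one link down
    backup = VsrpNode("Switch-2", 100, 2, 4, [("e 1/5", 20, False)])    # constructed
    for node in (master, backup):
        print(f"{node.name}: actual priority {actual_priority(node):.1f}")
    print("master:", elect_master([master, backup]))
    print("backup may preempt:", can_preempt(backup, master))
    print("dead interval 3 s at timer scale 2:", effective_timer(3, 2), "s")
```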
By default, each backup saves the configured timer values to its startup-config file when you save the device configuration. You can configure a backup to instead save the current timer values received from the master when you save the configuration. Saving the current timer values instead of the configured ones helps ensure consistent timer usage for all the VRID devices.
NOTE
If you change the timer scale, the change affects the actual number of seconds.
Changing the dead interval
The dead interval is the number of seconds a backup waits for a hello message from the master before determining that the master is dead. The default is 3 seconds. This is three times the default hello interval. To change the dead interval, enter a command such as the following at the configuration level for the VRID.
TurboIron(config-vlan-200-vrid-1)#hold-down-interval 4
Syntax: [no] hold-down-interval
The parameter specifies the hold-down interval and can be from 1 – 84 seconds. The default is 2 seconds.
NOTE
If you change the timer scale, the change affects the actual number of seconds.
Disabling or re-enabling backup pre-emption
By default, a backup that has a higher priority than another backup that has become the master can preempt the master, and take over the role of master. If you want to prevent this behavior, disable preemption. Preemption applies only to backups and takes effect only when the master has failed and a backup has assumed ownership of the VRID.
Syntax: vsrp-aware vrid tc-vlan-flush
When this command is enabled, MAC addresses will be flushed at the VLAN level, instead of at the port level. MAC addresses will be flushed for every topology change (TC) received on the VSRP-aware ports. When this command is enabled, the results of the show vsrp-aware vlan command resemble the following.
TABLE 56 CLI display of VSRP VRID or VLAN information
This field... Displays...
Total number of VSRP routers defined – The total number of VRIDs configured on this device.
VLAN – The VLAN on which VSRP is configured.
auth-type – The authentication type in effect on the ports in the VSRP VLAN.
VRID parameters
VRID – The VRID for which the following information is displayed.
state – This device VSRP state for the VRID.
TABLE 56 CLI display of VSRP VRID or VLAN information (Continued)
This field... Displays...
dead-interval – The configured value for the dead interval. The dead interval is the number of seconds a backup waits for a hello message from the master for the VRID before determining that the master is no longer active.
TABLE 57 CLI display of VSRP-aware information (Continued)
This field... Displays...
VRID – The VRID.
Last Port – The most recent active port connection to the VRID. This is the port connected to the current master. If a failover occurs, the VSRP-aware device changes the port to the port connected to the new master. The VSRP-aware device uses this port to send and receive data through the backed up node.
TurboIron#show vsrp vrid 100
VLAN 100
auth-type no authentication
VRID 100
========
State master
Administrative-status enabled
Advertise-backup disabled
Preempt-mode true
save-current false
Parameter       Configured  Current  Unit/Formula
priority        100         50       (100-0)*(2.0/4.0)
hello-interval  1           1        sec/1
dead-interval   3           3        sec/1
hold-interval   3           3        sec/1
initial-ttl     2           2        hops
next hello sent in 00:00:00.
If a VSRP failover from master to backup occurs, VSRP needs to inform MRP of the topology change; otherwise, data from the host continues along the obsolete learned path and never reaches the VSRP-linked device, as shown in Figure 25.
There are no CLI commands used to configure this process.
Chapter 16 Configuring Uni-Directional Link Detection (UDLD)
In this chapter
• UDLD overview . . . 325
UDLD overview
Uni-Directional Link Detection (UDLD) monitors a link between two devices and brings the ports on both ends of the link down if the link goes down at any point between the two devices. This feature is useful for links that are individual ports and for trunk links. Figure 27 shows an example.
• To configure UDLD on a trunk group, you must enable and configure the feature on each port of the group individually. Configuring UDLD on a trunk group primary port enables the feature on that port only.
• When UDLD is enabled on a trunk port, trunk threshold is not supported.
• Dynamic trunking is not supported. If you want to configure a trunk group that contains ports on which UDLD is enabled, you must remove the UDLD configuration from the ports.
Syntax: [no] link-keepalive retries
The parameter specifies the maximum number of times the port will try the health check. You can specify a value from 3 – 64. The default is 7.
UDLD for tagged ports
The default implementation of UDLD sends the packets untagged, even across tagged ports. If the untagged UDLD packet is received by a third-party switch, that switch may reject the packet.
TABLE 58 CLI display of UDLD information
This field... Displays...
Total link-keepalive enabled ports – The total number of ports on which UDLD is enabled.
Keepalive Retries – The number of times a port will attempt the health check before concluding that the link is down.
Keepalive Interval – The number of seconds between health check packets.
Port – The port number.
Physical Link – The state of the physical link. This is the link between the port and the directly connected device.
TABLE 59 CLI display of detailed UDLD information (Continued)
This field... Displays...
Local System ID – A unique value that identifies this device. The ID can be used by Brocade technical support for troubleshooting.
Remote System ID – A unique value that identifies the device at the remote end of the link.
Packets sent – The number of UDLD health-check packets sent on this port.
Packets received – The number of UDLD health-check packets received on this port.
Chapter 17 Configuring Trunk Groups and Dynamic Link Aggregation
In this chapter
• Trunk group overview
• Configuring a trunk group
• Displaying trunk group configuration information
• Dynamic link aggregation
Trunk group overview
(figure: a trunk group joins Switch1 and Switch2 across a Gigabit backbone; another trunk group connects a switch to a server; power users have dedicated 100 Mbps ports)
NOTE
The ports in a trunk group make a single logical link. Therefore, all the ports in a trunk group must be connected to the same device at the other end.
Trunk group connectivity to a server
To support termination of a trunk group, the server must have either multiple network interface cards (NICs) or a dual or quad interface card installed.
Trunk group rules
Table 60 lists the maximum number of trunk groups you can configure on a device and the valid number of ports in a trunk group. The table applies to static and LACP trunk ports.
TABLE 60 Trunk group support
Model – Maximum number of Gbps trunk groups – Valid number of ports in a group
TurboIron X Series – 28 – 2, 3, 4, 5, 6, 7, or 8
• You cannot configure a port as a member of a trunk group if 802.3ad link aggregation is enabled on the port.
• Make sure the device on the other end of the trunk link can support the same number of ports in the link. For example, if you configure a three-port trunk group on the device and the other end is a different type of switch, make sure the other switch can support a three-port trunk group.
• All the ports must be connected to the same device at the other end.
Trunk group load sharing
Trunk groups on the devices are not classified as switch trunk groups or server trunk groups. Devices load-share across the ports in the trunk group. The method used for the load sharing depends on the following:
• Device type – Chassis device or Stackable device
• Traffic type – Layer 2 or Layer 3
• Software version your device is running
NOTE
Layer 3 routed IP is not load balanced. This traffic type will, however, still be forwarded on the trunk ports.
TABLE 61 Trunk group load sharing
Traffic type – Load balancing method
L2 Bridged Non-IP – Source MAC, Destination MAC, Module ID (0 for 24-port device), Ingress port, VLAN ID (default VLAN ID used for untagged packets), EtherType
L2 Bridged IPv4 TCP/UDP – Source IP, Destination IP, Source TCP/UDP Port, Destination TCP/UDP Port
L2 Bridged IPv4 Non-TCP/UDP – Source IP, Destination IP
L2 Bridged IPv6 TCP/UDP – Source IP, Destination IP, Source TCP/UDP Port, Destination TCP/UDP Port
Syntax: [no] trunk ethernet to [ethernet to ]
Syntax: trunk deploy
Each ethernet parameter introduces a port group. Enter the slot number (if applicable) and the port number of the Ethernet port. The to parameters specify a port group. Notice that each port group must begin with a primary port.
Example 2: Configuring a trunk group that spans two Gbps Ethernet modules in a chassis device
This section shows how to configure a trunk group that spans two modules in a chassis device. Multi-slot trunk groups are supported on 1-GbE ports and 10-GbE ports, as well as on static and LACP trunk ports. To configure a trunk group consisting of two groups of ports, 1 – 2 on module 1 and 5 – 6 on module 4, enter the following commands.
The parameter specifies the secondary port in the trunk group.
NOTE
Two-port trunk groups are supported for 10 Gbps Ethernet. You cannot specify more than two ports.
To display configuration information and load-sharing statistics for the trunk group, enter the show trunk command. Refer to “Displaying trunk group configuration information” on page 343.
Additional trunking options
The following trunking options can be performed on ports in deployed trunks.
You can disable or re-enable individual ports in a trunk group. To disable an individual port in a trunk group, enter commands such as the following at the trunk group configuration level.
TurboIron(config)#trunk e 1 to 4
TurboIron(config-trunk-1-4)#config-trunk-ind
TurboIron(config-trunk-1-4)#disable ethernet 2
Syntax: [no] config-trunk-ind
Syntax: [no] disable ethernet
The config-trunk-ind command enables configuration of individual ports in the trunk group.
TurboIron(config-trunk-1-4)#enable ethernet 1 to 2 ethernet 4
Syntax: [no] config-trunk-ind
Syntax: [no] disable ethernet [to | ethernet ]
Syntax: [no] enable ethernet [to | ethernet ]
The to parameter indicates that you are specifying a range. Specify the lower port number in the range first, then to, then the higher port number in the range. The parameter specifies an individual port.
TurboIron(config)#no trunk ethernet 1 to 2 ethernet 3 to 4
Syntax: no trunk ethernet | pos to
Specifying the minimum number of ports in a static trunk group
You can configure devices to disable all of the ports in a trunk group when the number of active member ports drops below a specified threshold value.
Enabling sFlow forwarding on a trunk port
You can enable sFlow forwarding on individual ports of a static trunk group. For configuration details, refer to “” on page 249.
Setting the sFlow sampling rate on a trunk port
You can configure an individual trunk port to use a different sampling rate than the global default sampling rate. This feature is supported on static trunk ports.
Table 62 describes the information displayed by the show trunk command.
TABLE 62 CLI trunk group information
This field... Displays...
Trunk ID – The trunk group number. The software numbers the groups in the display to make the display easy to use.
HW Trunk ID – The trunk ID.
Duplex – The mode of the port, which can be one of the following: None – The link on the primary trunk port is down. Full – The primary port is running in full-duplex.
NOTE
Use the link aggregation feature only if the device at the other end of the link you want to aggregate also supports IEEE 802.3ad link aggregation. Otherwise, you need to manually configure the trunk links.
Link aggregation support is disabled by default.
• The dynamic link aggregation (802.3ad) implementation on TurboIron X Series devices allows any number of ports up to eight to be aggregated into a link.
• The default key assigned to an aggregate link is based on the port type (1 Gbps port or 10 Gbps port). The device assigns different keys to 10 Gbps ports than to 1 Gbps ports so that ports with different physical capabilities will not be able to form a trunk.
• If the feature places a port into a trunk group as a secondary port, all configuration information except information related to link aggregation is removed from the port. For example, if port 3 has an IP interface, and the link aggregation feature places port 3 into a trunk group consisting of ports 1 – 4, the IP interface is removed from the port.
(Figure 32: ports 1 and 2 form Group 1; ports 3 and 4 form Group 2)
Table 63 shows examples of the ports from Figure 32 that will be eligible for an aggregate link based on individual port states.
Using the default key assigned by the software
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#link-aggregate active
TurboIron(config)#interface ethernet 2
TurboIron(config-if-e10000-2)#link-aggregate active
The commands in this example enable the active mode of link aggregation on ports 1 and 2. The ports can send and receive LACPDU messages. Note that these ports will use the default key, since one has not been explicitly configured.
When you change a port VLAN membership, the device searches through existing key groups for a port with matching port properties. Specifically, it searches for a match on all three of the following properties:
• VLAN ID
• default key
• port tag type (tagged or untagged)
If it finds a match, the port (whose VLAN membership you are changing) gets the matching port key. If it does not find a match, the port gets a new key.
Dynamic link aggregation System priority The system priority parameter specifies the link aggregation priority on the device, relative to the devices at the other ends of the links on which link aggregation is enabled. A higher value indicates a lower priority. You can specify a priority from 0 – 65535. The default is 1. System Priority does not take effect until you toggle the link-aggregate command.
NOTE It is recommended to configure a unique key if ports are tagged or untagged in a VLAN.
FIGURE 33 Ports with the same key in different aggregate links
[Figure 33: ports 1 – 8 on the device with System ID aaaa.bbbb.cccc all have key 0, but are in two separate aggregate links with two other devices, one with System ID dddd.eeee.ffff and one with System ID 1111.2222. (on which ports 5 – 8 have key 4). All these ports have the same key, but are in two separate aggregate links with two other devices.]
FIGURE 34 Multi-slot aggregate link
[Figure 34: ports 1 – 8 on the device with System ID aaaa.bbbb.cccc; ports 1 – 4 have key 0 and ports 5 – 8 have key 0.]
All ports in a multi-slot aggregate link have the same key.
By default, the device ports are divided into 4-port groups. The software dynamically assigns a unique key to each 4-port group.
Port  [Sys P]  Port P  Key  Act  Tio  Agg  Syn  Col  Dis  Def  Exp  Ope
17    1        1       481  Yes  S    Agg  Syn  Col  Dis  Def  No   Ope
18    1        1       481  Yes  S    Agg  Syn  Col  Dis  Def  No   Ope
19    1        1       481  Yes  S    Agg  Syn  Col  Dis  Def  No   Ope
20    1        1       481  Yes  S    Agg  Syn  Col  Dis  Def  No   Ope
Syntax: show link-aggregation [ethernet []
Possible values: N/A
Default value: N/A
Configuring link aggregation parameters
You can configure one or more parameters on the same command line, and in any order.
Displaying and determining the status of aggregate links The key parameter identifies the group of ports that are eligible to be aggregated into a trunk group. The software automatically assigns a key to each group of ports. The software assigns the keys in ascending numerical order, beginning with 0. You can change a port group key to a value from 10000 – 65535.
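The key rules described above (one automatic key per 4-port group, separate keys for 1 Gbps and 10 Gbps ports, the three-property match when a port's VLAN membership changes, and the 10000 – 65535 range for a user-set key) as a small model, an added example that is not Brocade code and not the switch's own implementation. Everything not stated in the guide is an assumption: the 10 Gbps key offset of 1000, allocating a "new key" as the lowest unused automatic key, and the `KeyManager`, `Port`, `change_vlan` and `aggregation_candidates` names.

```python
"""Model of the link-aggregation key rules (added example, not Brocade code).
Assumptions: ports are numbered from 1, 4-port groups get automatic keys 0, 1, 2, ...
in ascending order, 10 Gbps ports get an offset key space so their keys never collide
with 1 Gbps keys, and a port whose VLAN membership changed without a match gets the
lowest unused automatic key."""
from dataclasses import dataclass
from typing import Callable, List, Optional

USER_KEY_MIN, USER_KEY_MAX = 10000, 65535   # range allowed for a manually configured key
GROUP_SIZE = 4                               # default port grouping
TEN_GBPS_OFFSET = 1000                       # assumed separation of 10 Gbps keys from 1 Gbps keys


@dataclass
class Port:
    number: int
    speed_gbps: int            # 1 or 10
    vlan_id: int = 1           # DEFAULT-VLAN
    tagged: bool = False
    key: Optional[int] = None


class KeyManager:
    def __init__(self, n_ports: int = 24, speed_of: Callable[[int], int] = lambda n: 10):
        self.ports = {n: Port(n, speed_of(n)) for n in range(1, n_ports + 1)}
        for p in self.ports.values():
            p.key = self.default_key(p)

    def default_key(self, port: Port) -> int:
        """One automatic key per 4-port group; 10 Gbps groups live in a separate key
        space so that ports with different physical capabilities never match."""
        group = (port.number - 1) // GROUP_SIZE
        return group if port.speed_gbps == 1 else TEN_GBPS_OFFSET + group

    def set_user_key(self, number: int, key: int) -> None:
        """A manually set key must be within 10000 - 65535."""
        if not USER_KEY_MIN <= key <= USER_KEY_MAX:
            raise ValueError(f"key must be {USER_KEY_MIN}-{USER_KEY_MAX}, got {key}")
        self.ports[number].key = key

    def change_vlan(self, number: int, vlan_id: int, tagged: bool) -> int:
        """The documented search: reuse the key of a port whose VLAN ID, default key
        and tag type all match the changed port; otherwise allocate a new key."""
        port = self.ports[number]
        port.vlan_id, port.tagged = vlan_id, tagged
        for other in self.ports.values():
            if other.number == number:
                continue
            if (other.vlan_id == vlan_id
                    and self.default_key(other) == self.default_key(port)
                    and other.tagged == tagged):
                port.key = other.key
                return port.key
        port.key = self._new_key()
        return port.key

    def _new_key(self) -> int:
        used = {p.key for p in self.ports.values()}
        k = 0
        while k in used:
            k += 1
        return k

    def aggregation_candidates(self, number: int) -> List[int]:
        """Only ports that share this port's key can be aggregated with it."""
        key = self.ports[number].key
        return sorted(p.number for p in self.ports.values()
                      if p.key == key and p.number != number)
```

Moving port 1 into VLAN 10 as a tagged port gives it a new key, so ports 2 – 4 (still untagged in DEFAULT-VLAN) can no longer aggregate with it; moving port 2 the same way makes it match port 1 and share the key, while port 5 in another 4-port group gets yet another key even with identical VLAN membership.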
• LACP brings the port back up
• The port joins a trunk group
Displaying link aggregation and port status information
Use the show link-aggregation command to determine the operational status of ports associated with aggregate links. To display the link aggregation information for a specific port, enter a command such as the following at any level of the CLI.
TurboIron#show link-aggregation ethernet 5
System ID: 0000.00a9.
TABLE 64 CLI display of link aggregation information (Continued)
This field... Displays...
Act Indicates the link aggregation mode, which can be one of the following:
No – The mode is passive or link aggregation is disabled (off) on the port.
Clearing the negotiated aggregate links table
TABLE 64 CLI display of link aggregation information (Continued)
This field... Displays...
Exp Indicates whether the negotiated link aggregation settings have expired. The settings expire if the port does not receive an LACPDU message from the port at the other end of the link before the message timer expires.
Configuring single link LACP
Configuration notes
• This feature is supported on 1-GbE and 10-GbE ports.
• This feature is not supported on static trunk ports.
• This feature is not intended for the creation of trunk groups.
• The single link LACP timer is always short (3 seconds) and is not configurable. PDUs are sent out every three seconds.
• This feature is not supported on ports that have the link-keepalive command (UDLD) configured.
Chapter 18 Configuring Virtual LANs (VLANs)
In this chapter
• VLAN overview . . . . . 361
• Routing between VLANs . . . . . 374
• Configuring IP subnet, IPX network and protocol-based VLANs . . . . . 383
• Routing between VLANs using virtual routing interfaces (Layer 3 Switches only) . . . . . 385
• Configuring uplink ports within a port-based VLAN . . .
VLAN overview You can configure up to 4094 port-based VLANs on a Layer 2 Switch or Layer 3 Switch. On both device types, valid VLAN IDs are 1 – 4095. You can configure up to the maximum number of VLANs within that ID range. NOTE If you want to use VLANs 4091 and 4092 as configurable VLANs, you can assign them to different VLAN IDs. For more information, refer to “Assigning different VLAN IDs to reserved VLANs 4091 and 4092” on page 376. Each port-based VLAN can contain either tagged or untagged ports.
[Figure: DEFAULT-VLAN (VLAN ID = 1) containing a user-configured Layer 2 port-based VLAN.]
When you add a port-based VLAN, the device removes all the ports in the new VLAN from DEFAULT-VLAN.
Layer 3 protocol-based VLANs
If you want some or all of the ports within a port-based VLAN to be organized according to Layer 3 protocol, you must configure a Layer 3 protocol-based VLAN within the port-based VLAN. You can configure each of the following types of protocol-based VLAN within a port-based VLAN.
Figure 36 shows an example of Layer 3 protocol VLANs configured within a Layer 2 port-based VLAN.
FIGURE 36 Layer 3 protocol VLANs within a Layer 2 port-based VLAN
[Figure 36: DEFAULT-VLAN (VLAN ID = 1) contains a user-configured Layer 2 port-based VLAN, which in turn contains a user-configured protocol VLAN, IP sub-net VLAN, IPX network VLAN, or AppleTalk cable VLAN.]
You can add Layer 3 protocol VLANs or IP sub-net, IPX network, and AppleTalk cable VLANs to port-based VLANs.
VLAN overview Integrated Switch Routing (ISR) The Integrated Switch Routing (ISR) feature enables VLANs configured on Layer 3 Switches to route Layer 3 traffic from one protocol VLAN or IP subnet, IPX network, or AppleTalk cable VLAN to another. Normally, to route traffic from one IP subnet, IPX network, or AppleTalk cable VLAN to another, you would need to forward the traffic to an external router.
VLAN overview NOTE The Layer 3 Switch routes packets between VLANs of the same protocol. The Layer 3 Switch cannot route from one protocol to another. NOTE IP subnet VLANs are not the same thing as IP protocol VLANs. An IP protocol VLAN sends all IP broadcasts on the ports within the IP protocol VLAN. An IP subnet VLAN sends only the IP subnet broadcasts for the subnet of the VLAN. You cannot configure an IP protocol VLAN and an IP subnet VLAN within the same port-based VLAN.
VLAN overview When you configure a port-based VLAN, one of the configuration items you provide is the ports that are in the VLAN. When you configure the VLAN, the device automatically removes the ports that you place in the VLAN from DEFAULT-VLAN. By removing the ports from the default VLAN, the device ensures that each port resides in only one Layer 2 broadcast domain. NOTE Information for the default VLAN is available only after you define another VLAN.
FIGURE 38 Packet containing a 802.1Q VLAN tag
Untagged packet format
Ethernet II: Destination Address (6 bytes) | Source Address (6 bytes) | Type Field (2 bytes) | Data Field (up to 1500 bytes) | CRC (4 bytes)
IEEE 802.3: Destination Address (6 bytes) | Source Address (6 bytes) | Length Field (2 bytes) | Data Field (up to 1496 bytes) | CRC (4 bytes)
802.1Q tagged packet format
Destination Address (6 bytes) | Source Address (6 bytes) | 802.1Q tag (4 bytes) | Type Field (2 bytes) | 802.
FIGURE 39 VLANs configured across multiple devices
[Figure 39: two devices joined by Segment 1 and Segment 2; T = 802.1Q tagged port. The ports on Segment 1 are tagged (T) and belong to several user-configured port-based VLANs; the ports on Segment 2 each belong to one.]
Tagging is required for the ports on Segment 1 because the ports are in multiple port-based VLANs. Tagging is not required for the ports on Segment 2 because each port is in only one port-based VLAN. Without tagging, a device receiving VLAN traffic from the other device would not be sure which VLAN the traffic is for.
VLAN overview • Port-based VLAN – Affects all ports within the specified port-based VLAN. STP is a Layer 2 protocol. Thus, you cannot enable or disable STP for individual protocol VLANs or for IP subnet, IPX network, or AppleTalk cable VLANs. The STP state of a port-based VLAN containing these other types of VLANs determines the STP state for all the Layer 2 broadcasts within the port-based VLAN. This is true even though Layer 3 protocol broadcasts are sent on Layer 2 within the VLAN.
FIGURE 40 Use virtual routing interfaces for routing between Layer 3 protocol VLANs
[Figure 40: a user-configured port-based VLAN containing user-configured protocol VLANs, IP sub-net VLANs, IPX network VLANs, or AppleTalk cable VLANs, each with its own virtual interface (VE 1 – VE 4). VE = virtual interface ("VE" stands for "Virtual Ethernet").]
Layer 2 and Layer 3 traffic within a VLAN is bridged at Layer 2. Layer 3 traffic between protocol VLANs is routed using virtual interfaces (VE).
VLAN overview Dynamic, static, and excluded port membership When you add ports to a protocol VLAN, IP subnet VLAN, IPX network VLAN, or AppleTalk cable VLAN, you can add them dynamically or statically: • Dynamic ports • Static ports You also can explicitly exclude ports. Dynamic ports Dynamic ports are added to a VLAN when you create the VLAN. However, if a dynamically added port does not receive any traffic for the VLAN protocol within ten minutes, the port is removed from the VLAN.
Ports in a new protocol VLAN that do not receive traffic for the VLAN protocol age out after 10 minutes and become candidate ports. Figure 42 shows what happens if a candidate port receives traffic for the VLAN protocol.
Routing between VLANs Broadcast leaks A dynamic port becomes a member of a Layer 3 protocol VLAN when traffic from the VLAN's protocol is received on the port. After this point, the port remains an active member of the protocol VLAN, unless the port does not receive traffic from the VLAN's protocol for 20 minutes. If the port does not receive traffic for the VLAN's protocol for 20 minutes, the port ages out and is no longer an active member of the VLAN.
Routing between VLANs If you do not need to further partition the port-based VLAN by defining separate Layer 3 VLANs, you can define a single virtual routing interface at the port-based VLAN level and enable IP, IPX, and Appletalk routing on a single virtual routing interface. Some configurations may require simultaneous switching and routing of the same single protocol across different sets of ports on the same router.
Routing between VLANs There is a separate STP domain for each port-based VLAN. Routing occurs independently across port-based VLANs or STP domains. You can define each end of each backbone link as a separate tagged port-based VLAN. Routing will occur independently across the port-based VLANs. Because each port-based VLAN STP domain is a single point-to-point backbone connection, you are guaranteed to never have an STP loop.
Routing between VLANs NOTE You must save the configuration (write mem) and reload the software to place the change into effect. The above configuration changes the VLAN ID of 4091 to 10. After saving the configuration and reloading the software, you can configure VLAN 4091 as you would any other VLAN. Syntax: [no] reserved-vlan-map vlan 4091 | 4092 new-vlan For , enter a valid VLAN ID that is not already in use.
Configuring port-based VLANs
Port-based VLANs allow you to provide separate spanning tree protocol (STP) domains or broadcast domains on a port-by-port basis. This section describes how to perform the following tasks for port-based VLANs using the CLI:
• Create a VLAN
• Delete a VLAN
• Modify a VLAN
• Change a VLAN priority
• Enable or disable STP on the VLAN
Example 1
Figure 43 shows a simple port-based VLAN configuration using a single Layer 2 Switch.
Example 2
[Figure: Example 2 topology. Labels in the figure: Device; IP Subnet1 / IPX Net 1 / Atalk 100.1 Zone "A"; IP Subnet2 / IPX Net 2 / Atalk 200.1 Zone "B"; Port17; Port18; "= STP Blocked VLAN"; ROOT BRIDGE FOR VLAN; VLAN - BROWN; VLAN - GREEN; IP Subnet3 / IPX Net 3 / Atalk 300.1 Zone "C"; Port19; IP Subnet4 / IPX Net 4 / Atalk 400.]
TurboIron-A(config-vlan-5)#spanning-tree
TurboIron-A(config-vlan-5)#spanning-tree priority 500
TurboIron-A(config-vlan-5)#end
TurboIron-A#write memory
Configuring device-B
Enter the following commands to configure device-B.
Routing between VLANs Syntax: spanning-tree [ethernet path-cost priority ] forward-delay hello-time maximum-age
TurboIron-A(config-vlan-4)#
TurboIron-A(config-vlan-4)#no untag ethernet 11
deleted port ethe 11 from port-vlan 4.
TurboIron-A(config-vlan-4)#
4. Enter the following commands to exit the VLAN CONFIG mode and save the configuration to the system-config file on flash memory.
TurboIron-A(config-vlan-4)#
TurboIron-A(config-vlan-4)#end
TurboIron-A#write memory
You can remove all the ports from a port-based VLAN without losing the rest of the VLAN configuration.
Configuring IP subnet, IPX network and protocol-based VLANs
NOTE You do not need to configure values for the STP parameters. All parameters have default values as noted below. Additionally, all values will be globally applied to all ports on the system or on the port-based VLAN for which they are defined. To configure a specific path-cost or priority value for a given port, enter those values using the key words in the brackets [ ] shown in the syntax summary below.
Also suppose you want a single router interface to be present within all of these separate broadcast domains, without using IEEE 802.1Q VLAN tagging or any proprietary form of VLAN tagging. Figure 44 shows this configuration.
Routing between VLANs using virtual routing interfaces (Layer 3 Switches only)
4. To permanently assign ports 1 – 12 and port 25 to IPX network 1 VLAN, enter the following commands.
TurboIron(config-ip-subnet)#ipx-network 1 ethernet_802.3 name Blue
TurboIron(config-ipx-network)#no dynamic
TurboIron(config-ipx-network)#static ethernet 1 to 12 ethernet 25
TurboIron(config-ipx-network)#
5. To permanently assign ports 12 – 25 to Appletalk VLAN, enter the following commands.
FIGURE 45 Routing between protocol-based VLANs
[Figure 45: Building 1 (Device-A), Building 2 (Device-B) and Building 3 (Device-C), each carrying port-based VLANs Vlan2, Vlan3, Vlan4 and Vlan8 with virtual interfaces V4 – V7 for IP/IPX; one VLAN link is marked "= STP Blocked VLAN".]
To configure the Layer 3 VLANs and virtual routing interfaces on the Layer 3 Switch in Figure 45, us
Routing between VLANs using virtual routing interfaces (Layer 3 Switches only) TurboIron-A(config-ospf-router)#vlan 2 name IP-Subnet_10.1.2.
TurboIron-A(config-vlan-4)#router-interface ve5
TurboIron-A(config-vlan-4)#int ve5
TurboIron-A(config-vif-5)#ip address 10.1.3.1/24
TurboIron-A(config-vif-5)#ip ospf area 0.0.0.0
TurboIron-A(config-vif-5)#ipx network 3 ethernet_802.3
TurboIron-A(config-vif-5)#
It is time to configure a separate port-based VLAN for each of the routed backbone ports (Ethernet 25 and 26).
Routing between VLANs using virtual routing interfaces (Layer 3 Switches only) TurboIron-B(config-ospf-router)#vlan 2 name IP-Subnet_10.1.6.
Configuration for device-C
Enter the following commands to configure device-C.
TurboIron> en
No password has been assigned yet...
TurboIron#config t
TurboIron(config)#hostname TurboIron-C
TurboIron-C(config)#router ospf
TurboIron-C(config-ospf-router)#area 0.0.0.0 normal
TurboIron-C(config-ospf-router)#router ipx
TurboIron-C(config-ospf-router)#vlan 2 name IP-Subnet_10.1.9.
Configuring uplink ports within a port-based VLAN
TurboIron-C(config-vif-5)#ip addr 10.1.8.2/24
TurboIron-C(config-vif-5)#ip ospf area 0.0.0.0
TurboIron-C(config-vif-5)#ipx network 8 ethernet_802.3
TurboIron-C(config-vif-5)#int ve6
TurboIron-C(config-vif-6)#ip addr 10.1.5.2/24
TurboIron-C(config-vif-6)#ip ospf area 0.0.0.0
TurboIron-C(config-vif-6)#ipx network 5 ethernet_802.
Configuring the same IP subnet address on multiple port-based VLANs Configuring the same IP subnet address on multiple port-based VLANs For a device to route between port-based VLANs, you must add a virtual routing interface to each VLAN. Generally, you also configure a unique IP subnet address on each virtual routing interface. For example, if you have three port-based VLANs, you add a virtual routing interface to each VLAN, then add a separate IP subnet address to each virtual routing interface.
FIGURE 47 Multiple port-based VLANs with the same protocol address
[Figure 47: a switch with VLAN 2 (VE 1 - IP 10.0.0.1/24), VLAN 3 (VE 2 - Follow VE 1) and VLAN 4 (VE 3 - Follow VE 1).]
Each VLAN still requires a separate virtual routing interface. However, all three VLANs now use the same IP subnet address. In addition to conserving IP subnet addresses, this feature allows containment of Layer 2 broadcasts to segments within an IP subnet.
Configuring the same IP subnet address on multiple port-based VLANs • If the destination is in the same VLAN as the source, the device does not need to perform a proxy ARP. To configure multiple VLANs to use the same IP subnet address: • Configure each VLAN, including adding tagged or untagged ports. • Configure a separate virtual routing interface for each VLAN, but do not add an IP subnet address to more than one of the virtual routing interfaces.
Configuring VLAN groups and virtual routing interface groups
To simplify configuration when you have many VLANs with the same configuration, you can configure VLAN groups and virtual routing interface groups.
NOTE VLAN groups are supported on Layer 3 Switches and Layer 2 Switches. Virtual routing interface groups are supported only on Layer 3 Switches.
Configuring VLAN groups and virtual routing interface groups The parameter with the vlan-group command specifies the VLAN group ID and can be from 1 – 32. The vlan to parameters specify a contiguous range (a range with no gaps) of individual VLAN IDs. Specify the low VLAN ID first and the high VLAN ID second. The command adds all the specified VLANs to the VLAN group.
Configuring VLAN groups and virtual routing interface groups Configuring a virtual routing interface group A virtual routing interface group allows you to associate the same IP subnet interface with multiple port-based VLANs. For example, if you associate a virtual routing interface group with a VLAN group, all the VLANs in the group have the IP interface of the virtual routing interface group.
Configuring VLAN groups and virtual routing interface groups The syntax and usage for the ip address command is the same as when you use the command at the interface level to add an IP interface. Displaying the VLAN group and virtual routing interface group information To verify configuration of VLAN groups and virtual routing interface groups, display the running-config file.
Configuring super aggregated VLANs Increasing the number of VLANs you can configure NOTE Although you can specify up to 4095 VLANs, you can configure only 4094 VLANs. VLAN ID 4094 is reserved for use by the Single Spanning Tree feature. To increase the maximum number of VLANs you can configure, enter commands such as the following at the global CONFIG level of the CLI.
Configuring super aggregated VLANs Figure 48 shows a conceptual picture of the service that aggregated VLANs provide. Aggregated VLANs provide a path for multiple client channels. The channels do not receive traffic from other channels. Thus, each channel is a private link. FIGURE 48 Conceptual model of the super aggregated VLAN application Each client connected to the edge device is in its own port-based VLAN, which is like an ATM channel.
Configuring super aggregated VLANs Figure 49 shows an example application that uses aggregated VLANs. This configuration includes the client connections shown in Figure 48.
Configuring super aggregated VLANs FIGURE 49 Example of a super aggregated VLAN application In this example, a collocation service provides private channels for multiple clients. Although the same devices are used for all the clients, the VLANs ensure that each client receives its own Layer 2 broadcast domain, separate from the broadcast domains of other clients. For example, client 1 cannot ping client 5.
Configuring super aggregated VLANs This example shows a single link between the core devices. However, you can use a trunk group to add link-level redundancy. Configuration note • Super Aggregated VLANs and VSRP are not supported together on the same device. Configuring aggregated VLANs To configure aggregated VLANs, perform the following tasks: • On each edge device, configure a separate port-based VLAN for each client connected to the edge device.
TurboIron(config-vlan-104)#tagged ethernet 6
TurboIron(config-vlan-104)#untagged ethernet 4
TurboIron(config-vlan-104)#exit
TurboIron(config)#vlan 105 by port
TurboIron(config-vlan-105)#tagged ethernet 6
TurboIron(config-vlan-105)#untagged ethernet 5
TurboIron(config-vlan-105)#exit
TurboIron(config)#write memory
Syntax: [no] vlan [by port]
Syntax: [no] tagged ethernet portnum> [to [ | ethernet ]
Syntax: [no] untagged ethernet [to
Configuring super aggregated VLANs NOTE In these examples, the configurations of the edge devices (A, B, E, and F) are identical. The configurations of the core devices (C and D) also are identical. The aggregated VLAN configurations of the edge and core devices on one side must be symmetrical (in fact, a mirror image) to the configurations of the devices on the other side. For simplicity, the example in Figure 49 on page 402 is symmetrical in terms of the port numbers.
TurboIronB(config)#vlan 105 by port
TurboIronB(config-vlan-105)#tagged ethernet 6
TurboIronB(config-vlan-105)#untagged ethernet 5
TurboIronB(config-vlan-105)#exit
TurboIronB(config)#write memory
Commands for device C
Since device C is aggregating channel VLANs from devices A and B into a single path, you need to change the tag type and enable VLAN aggregation.
Configuring 802.1Q-in-Q tagging
TurboIronE(config)#vlan 104 by port
TurboIronE(config-vlan-104)#tagged ethernet 6
TurboIronE(config-vlan-104)#untagged ethernet 4
TurboIronE(config-vlan-104)#exit
TurboIronE(config)#vlan 105 by port
TurboIronE(config-vlan-105)#tagged ethernet 6
TurboIronE(config-vlan-105)#untagged ethernet 5
TurboIronE(config-vlan-105)#exit
TurboIronE(config)#write memory
Commands for device F
The commands for configuring device F are identical to the commands for configuring device E.
[Figure 50: a Provider Edge Switch with an untagged port to the customer interface (configured tag-type 9100) and a tagged uplink to the provider cloud (default tag-type 8100). The frame arriving from the customer is DA | SA | 8100 | Customer VLAN; the frame sent on the uplink is DA | SA | 8100 | Provider VLAN | 8100 | Customer VLAN.]
In Figure 50, the untagged ports (to customer interfaces) accept frames that have any 802.1Q tag other than the configured tag-type 9100.
TurboIron(config)#tag-type 9100 e 11 to 12
Syntax: [no] tag-type [ethernet [to ]]
The parameter specifies the tag-type number and can be a hexadecimal value from 0 - ffff. The default is 8100.
The ethernet to parameter specifies the ports that will use the defined 802.1Q tag. This parameter operates with the following rules:
• If you do not specify a port or range of ports, the 802.
FIGURE 51 Example 802.
Configuring private VLANs Configuring private VLANs A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also provides additional control over flooding packets on a VLAN. Figure 52 shows an example of an application using a private VLAN. FIGURE 52 Private VLAN used to secure communication between a workstation and servers A private VLAN secures traffic between a primary port and host ports.
• Secondary – Secondary private VLANs are secure VLANs that are separated from the rest of the network by the primary private VLAN. Every secondary private VLAN is associated with a primary private VLAN. The two types of secondary private VLANs are isolated private VLANs and community private VLANs.
• Isolated – Broadcast and unknown-unicast packets received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
Configuring private VLANs • The device forwards all known unicast traffic in hardware. Multiple MAC entries do not appear in the MAC address table because the device transparently manages multiple MAC entries in hardware. • You can configure private VLANs and dual-mode VLAN ports on the same device. However, the dual-mode VLAN ports cannot be members of private VLANs.
TurboIron(config)#vlan 901
TurboIron(config-vlan-901)#untagged ethernet 5 to 6
TurboIron(config-vlan-901)#pvlan type community
These commands create port-based VLAN 901, add ports 5 and 6 to the VLAN as untagged ports, then specify that the VLAN is a community private VLAN.
Syntax: untagged ethernet [to [ | ethernet ]
Syntax: [no] pvlan type community | isolated | primary
The untagged command adds the ports to the VLAN.
Dual-mode VLAN ports • The ethernet parameter specifies the primary VLAN port to which you are mapping all the ports in the other private VLAN (the one specified by ).
[Figure 53: a hub sends both VLAN 20 traffic and untagged traffic to switch port 11, which is tagged in VLAN 20 and dual-mode. Port 9 is tagged in VLAN 20 and port 10 is untagged.]
To enable the dual-mode feature on port 11 in Figure 53, enter the following commands.
[Figure 54: port 11 is a dual-mode port, tagged in VLAN 20 with default VLAN ID 10; the hub sends it VLAN 10 untagged traffic and VLAN 20 tagged traffic. Port 10 is untagged in VLAN 10 and port 9 is tagged in VLAN 20.]
In Figure 54, tagged port 11 is a dual-mode port belonging to VLANs 10 and 20. The default VLAN assigned to this dual-mode port is 10.
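The frame layout of Figure 38, the provider-edge behaviour of the 802.1Q-in-Q section (a customer-facing port with tag-type 9100 treats an 8100-tagged customer frame as untagged and pushes the provider VLAN in front of it), and the dual-mode classification of Figures 53 and 54, worked through in one added example. This is not Brocade code and does not reflect the switch's internals; the frames are constructed test data, the function names (`build_frame`, `parse_frame`, `provider_edge_ingress`, `classify_ingress`) are this example's own, and the choice to drop a frame that already carries the port's tag-type is an assumption, since the guide only states that such frames are not accepted as untagged.

```python
"""802.1Q tag handling (added example, not Brocade code): build and parse frames,
model the Q-in-Q provider edge port and a dual-mode port's ingress classification."""
import struct
from typing import List, Optional, Sequence, Tuple

TPID_DEFAULT = 0x8100        # default tag-type
TPID_PROVIDER = 0x9100       # tag-type configured on the provider edge customer ports
Tag = Tuple[int, int, int, int]   # (tpid, pcp, dei, vid)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                tags: Sequence[Tuple[int, int, int]] = ()) -> bytes:
    """tags are (tpid, vid, pcp), outermost first; each tag is 4 bytes: TPID + TCI."""
    body = struct.pack("!H", ethertype) + payload
    for tpid, vid, pcp in reversed(tags):
        body = struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF)) + body
    return dst + src + body


def parse_frame(frame: bytes, tag_types: Sequence[int] = (TPID_DEFAULT,)):
    """Return (dst, src, tags, ethertype, payload).
    Only TPIDs listed in tag_types count as VLAN tags, which is how a port with a
    configured tag-type sees the frame: any other 2-byte value is the EtherType and
    everything after it (including a customer 8100 tag) is opaque payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, off = frame[:6], frame[6:12], 12
    tags: List[Tag] = []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated header")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in tag_types:
            break
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, etype, frame[off + 2:]


def provider_edge_ingress(frame: bytes, provider_vid: int,
                          port_tag_type: int = TPID_PROVIDER) -> Optional[bytes]:
    """Customer-facing untagged port of the provider edge switch (Figure 50).
    A frame whose outer tag is not the port's tag-type is treated as untagged and the
    provider VLAN is pushed in front of it; the customer 8100 tag survives as payload.
    A frame already carrying the port's tag-type is not accepted as untagged; dropping
    it (returning None) is this model's assumption."""
    dst, src, tags, etype, payload = parse_frame(frame, tag_types=(port_tag_type,))
    if tags:
        return None
    return build_frame(dst, src, etype, payload, tags=[(port_tag_type, provider_vid, 0)])


def classify_ingress(frame: bytes, tagged_vlans: Sequence[int],
                     untagged_vlan: Optional[int],
                     dual_mode_default: Optional[int]) -> Optional[int]:
    """VLAN a frame lands in on a port with the given membership. A dual-mode port
    carries its tagged VLANs plus one untagged default VLAN. None means dropped."""
    _, _, tags, _, _ = parse_frame(frame)
    if not tags:
        return dual_mode_default if dual_mode_default is not None else untagged_vlan
    vid = tags[0][3]
    return vid if vid in tagged_vlans else None
```

Parsing the same customer frame with `tag_types=(TPID_PROVIDER,)` returns no tags and an EtherType of 0x8100, which is exactly why the provider edge can carry the customer's tag untouched inside its own; parsing the uplink frame with both TPIDs shows the stack as provider VLAN first, customer VLAN second.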
Displaying VLAN information
Example
TurboIron#show vlan
Total PORT-VLAN entries: 3
Maximum PORT-VLAN entries: 16
legend: [S=Slot]
PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning
 Untagged Ports: (S1) 1 2 3 4 5 6 7 8
 Untagged Ports: (S2) 1 2 3 4 5 6 7 8 12 13 14 15
 Untagged Ports: (S2) 20 21 22 23 24
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
PORT-VLAN 10, Name [None], Priority level0, Spanning tree
 Untagged Ports: (S
TurboIron#show run
Current configuration:
!
ver 07.2.
TurboIron#show vlan 4
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 4, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 9 10 11
   Uplink Ports: None
 DualMode Ports: 7 8
TurboIron#show vlan 3
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 3, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 7 8 9 10
   Uplink Ports: None
 DualMode Ports: None
Syntax: show vlans [
Chapter 19 Configuring Port Mirroring and Monitoring
In this chapter
• Mirroring support by platform
• Configuring port mirroring and monitoring
• ACL-based inbound mirroring
• MAC filter-based mirroring
Configuring port mirroring and monitoring
Configuration notes
Refer to the following rules when configuring port mirroring and monitoring:
• Port monitoring and sFlow support:
  • Devices support sFlow and port monitoring together on the same port.
• If you configure both ACL mirroring and ACL based rate limiting on the same port, then all packets that match are mirrored, including the packets that exceed the rate limit.
• Table 69 lists the number of mirror and monitor ports supported on the devices.
TurboIron(config)#mirror ethernet 24
TurboIron(config)#mirror ethernet 48
TurboIron(config)#interface ethernet 1
TurboIron(interface ethernet 1)#monitor ethernet 48 both
The analyzer port (48) is set to all devices in the system
TurboIron#interface ethernet 2
TurboIron(interface ethernet 2)#ip access-group 101 in
TurboIron#exit
TurboIron#interface ethernet 1
TurboIron(interface ethernet 1)#acl-mirror-port ethernet 48
The previous command is required even though
ACL-based inbound mirroring By default, when you monitor the primary port in a trunk group, aggregated traffic for all the ports in the trunk group is copied to the mirror port. You can configure the device to monitor individual ports in a trunk group. You can monitor the primary port or a secondary port individually. To configure port monitoring on an individual port in a trunk group, enter commands such as the following.
TurboIron(config)#access-list 101 permit ip any any mirror
At this point not all IP traffic will be mirrored to port 2, since the ACL has not yet been applied to any port.
3. Apply the ACL inbound clause to the monitor port.
TurboIron(config)#int e 5
TurboIron(config-if-e10000-5)#ip access-group 101 in
4. Configure the monitor port to use the mirror port.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#ACL-mirror-port ethernet 3
TurboIron(config)#interface ethernet 2
TurboIron(config-if-e10000-2)#ACL-mirror-port ethernet 3
If ports within the same port region are mirrored to different destination ports, an error message will be generated as shown in the following example, and the configuration will be disallowed.
ACL-based inbound mirroring NOTE If you want to add a port configured for ACL-Based Mirroring to a trunk, you must first remove the ACL-mirror-port from the port configuration. You can then add the port to a trunk that can then be configured for ACL-Based Trunk Mirroring. Behavior of ACL-based mirroring when deleting trunks If you delete a trunk that has ACL-Based Mirroring configured, the ACL-Based Mirroring configuration will be configured on the individual ports that made up the trunk.
MAC filter-based mirroring In this configuration, the ACL-mirror-port command is configured on port 1 which is a member of ve 10. Because of this, ACL-Based Mirroring will only apply to VLAN 10 traffic that arrives on ports 1 and 2. It will not apply to VLAN 10 traffic that arrives on port 3 because that port belongs to a different port group than ports 1 and 2.
1. Configure the mirror port.
TurboIron(config)#mirror-port ethernet 2
2. Configure the MAC filter inbound mirror clause.
TurboIron(config)#mac filter 1 permit 0000.0000.0010 ffff.ffff.ffff any mirror
3. Apply the MAC filter inbound mirror clause to the monitor port.
TurboIron(config)#int e 5
TurboIron(config-if-e10000-5)#mac filter-group 1
4. Configure the monitor port to use the mirror port.
Chapter 20 Configuring IP
In this chapter
• Basic configuration
• Overview
• Basic IP parameters and defaults – Layer 3 Switches
• Basic IP parameters and defaults – Layer 2 Switches
• Configuring IP parameters – Layer 3 Switches . . .
Overview

• Route exchange protocols:
  • Routing Information Protocol (RIP)
  • Open Shortest Path First (OSPF)
• Multicast protocols:
  • Internet Group Membership Protocol (IGMP)
  • Protocol Independent Multicast Dense (PIM-DM)
  • Protocol Independent Multicast Sparse (PIM-SM)
• Router redundancy protocols:
  • Virtual Router Redundancy Protocol Extended (VRRP-E)
  • Virtual Router Redundancy Protocol (VRRP)

IP interfaces

Layer 3 Switches and Layer 2 Switches allow you to configure IP addresses. You also can specify the default gateway for forwarding traffic to other subnets.

IP packet flow through a Layer 3 Switch

Figure 55 shows how an IP packet moves through a Layer 3 Switch.

FIGURE 55 IP Packet Flow through a Layer 3 Switch
[Flowchart: incoming port, session table, forwarding cache, IP route table, PBR or IP access policy, multiple equal-cost paths, lowest metric, lowest administrative distance, load balancing algorithm]

1. When the Layer 3 Switch receives an IP packet, the Layer 3 Switch checks for filters on the receiving interface. If a deny filter on the interface denies the packet, the Layer 3 Switch discards the packet and performs no further processing, except generating a Syslog entry and SNMP message, if logging is enabled for the filter.
ARP cache

The ARP cache can contain dynamic (learned) entries and static (user-configured) entries. The software places a dynamic entry in the ARP cache when the Layer 3 Switch learns a device MAC address from an ARP request or ARP reply from the device. The software can learn an entry when the Layer 2 Switch or Layer 3 Switch receives an ARP request from another IP forwarding device or an ARP reply. Here is an example of a dynamic entry:

    IP Address      MAC Address
  1 10.95.6.102     0000.00fc.

NOTE
Layer 2 Switches do not have an IP route table. A Layer 2 Switch sends all packets addressed to another subnet to the default gateway, which you specify when you configure the basic IP information on the Layer 2 Switch.

• If the cache contains an entry with the destination IP address, the device uses the information in the entry to forward the packet out the ports listed in the entry. The destination IP address is the address of the packet's final destination. The port numbers are the ports through which the destination can be reached.
• If the cache does not contain an entry, and the traffic does not instead qualify for an entry in the session table, the software can create an entry in the forwarding cache.

• Open Shortest Path First (OSPF)

All these protocols provide routes to the IP route table. You can use one or more of these protocols, in any combination. The protocols are disabled by default.
Basic IP parameters and defaults – Layer 3 Switches

Both methods allow you to filter packets based on Layer 3 and Layer 4 source and destination information. ACLs also provide great flexibility by providing the input to various other filtering mechanisms such as route maps, which are used by BGP4. IP access policies allow you to configure QoS based on sessions (Layer 4 traffic flows). Only one of these filtering mechanisms can be enabled on a device at a time.

Changes to memory allocation require you to reload the software after you save the changes to the startup-config file. When reloading the software is required to complete a configuration change described in this chapter, the procedure that describes the configuration change includes a step for reloading the software.

IP global parameters – Layer 3 Switches

Table 70 lists the IP global parameters for Layer 3 Switches.
TABLE 70 IP global parameters – Layer 3 Switches (Continued)
Parameter / Description / Default / See page...
  ARP age – The amount of time the device keeps a MAC address learned through ARP in the device ARP cache. The device resets the timer to zero each time the ARP entry is refreshed and removes the entry if the timer reaches the ARP age. Default: Ten minutes. See page 460.
    NOTE: You also can change the ARP age on an individual interface basis.
  Reverse ARP (RARP) – An IP mechanism a host can use to request an IP address from a directly attached router when the host boots. Default: Enabled. See page 479.
  Static RARP entries – An IP address you place in the RARP table for RARP requests from hosts. Default: No entries. See page 480.
    NOTE: You must enter the RARP entries manually.

IP interface parameters – Layer 3 Switches

Table 71 lists the interface-level IP parameters for Layer 3 Switches.

TABLE 71 IP interface parameters – Layer 3 Switches
Parameter / Description / Default / See page...
  IP state – The Internet Protocol, version 4. Default: Enabled. See page: n/a.
    NOTE: You cannot disable IP.
Basic IP parameters and defaults – Layer 2 Switches

IP is enabled by default. The following tables list the Layer 2 Switch IP parameters, their default values, and where to find configuration information.

NOTE
Layer 2 Switches also provide IP multicast forwarding, which is enabled by default. For information about this feature, refer to Chapter 25, “Configuring IP Multicast Traffic Reduction”.

TABLE 72 IP global parameters – Layer 2 Switches (Continued)
Parameter / Description / Default / See page...
  Domain name for Domain Name Server (DNS) resolver – A domain name (example: Brocade.router.com) you can use in place of an IP address for certain operations such as IP pings, trace routes, and Telnet management connections to the router.

Configuring IP parameters – Layer 3 Switches

NOTE
This section describes how to configure IP parameters for Layer 3 Switches. For IP configuration information for Layer 2 Switches, refer to “Configuring IP parameters – Layer 2 Switches” on page 484.
The ospf-ignore | ospf-passive parameters modify the Layer 3 Switch defaults for adjacency formation and interface advertisement. Use one of these parameters if you are configuring multiple IP subnet addresses on the interface but you want to prevent OSPF from running on some of the subnets:
• ospf-passive – This option disables adjacency formation with OSPF neighbors.

Assigning an IP address to a virtual interface

A virtual interface is a logical port associated with a Layer 3 Virtual LAN (VLAN) configured on a Layer 3 Switch. You can configure routing parameters on the virtual interface to enable the Layer 3 Switch to route protocol traffic from one Layer 3 VLAN to the other, without using an external router. You can configure IP routing interface parameters on a virtual interface.
With IPv4, four IP addresses with a 30-bit subnet mask are allocated on point-to-point networks. In contrast, a 31-bit subnet mask uses only two IP addresses: all zero bits and all one bits in the host portion of the IP address. The two IP addresses are interpreted as host addresses, and do not require broadcast support because any packet that is transmitted by one host is always received by the other host at the receiving end.
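As an added illustration (not code from the guide or from the FastIron software), the following Python works through the address accounting described above: the same 10.1.1.0 address is a legal host address under a 31-bit mask but the network address under a 30-bit mask. The helper names and all addresses are constructed for the example.

```python
# Added example (not from the Brocade guide): address accounting on a
# point-to-point link under a 30-bit mask versus a 31-bit mask.
# All addresses used below are constructed sample values.

def parse_ipv4(text):
    """Convert dotted-decimal text to a 32-bit integer."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {text}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def format_ipv4(value):
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def link_addresses(cidr):
    """Describe the addresses a point-to-point subnet consumes.

    Returns the network address, the broadcast address (None for a /31,
    which has no broadcast), the addresses assignable to hosts, and the
    total number of addresses the prefix consumes.
    """
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = parse_ipv4(addr_text) & mask
    consumed = 1 << (32 - prefix)
    if prefix == 31:
        # Both the all-zero and the all-one host bit patterns are hosts.
        hosts = [network, network | 1]
        broadcast = None
    elif prefix == 32:
        hosts = [network]
        broadcast = None
    else:
        # Classic rule: first address is the network, last is the broadcast.
        broadcast = network | (~mask & 0xFFFFFFFF)
        hosts = list(range(network + 1, broadcast))
    return {
        "network": format_ipv4(network),
        "broadcast": None if broadcast is None else format_ipv4(broadcast),
        "hosts": [format_ipv4(h) for h in hosts],
        "consumed": consumed,
    }


def peer_address(cidr):
    """Return the other end of a two-host point-to-point link, or None.

    None means the given address is not a usable host on that link, for
    example the network or broadcast address of a /30.
    """
    info = link_addresses(cidr)
    me = cidr.split("/")[0]
    if len(info["hosts"]) != 2 or me not in info["hosts"]:
        return None
    return info["hosts"][1] if info["hosts"][0] == me else info["hosts"][0]


if __name__ == "__main__":
    for link in ("10.1.1.0/30", "10.1.1.0/31"):
        print(link, link_addresses(link))
    print("peer of 10.1.1.0/31:", peer_address("10.1.1.0/31"))
    print("peer of 10.1.1.0/30:", peer_address("10.1.1.0/30"))
```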
Router A is connected to Router B as a point-to-point link with the 10.1.1.0/31 subnet. There are only two available addresses in this subnet: 10.1.1.0 on Router A and 10.1.1.1 on Router B. Routers B and C are connected by a regular 24-bit subnet. Router C can either be a switch with many hosts belonging to the 10.2.2.2/24 subnet connected to it, or it can be a router.

Router A
RouterA(config)#interface ethernet 1/1/1
RouterA(config-if-e1000-1/1/1)#ip address 10.1.
Changing the encapsulation type

The Layer 3 Switch encapsulates IP packets into Layer 2 packets to send the IP packets on the network. (A Layer 2 packet is also called a MAC layer packet or an Ethernet frame.) The source address of a Layer 2 packet is the MAC address of the Layer 3 Switch interface sending the packet. The destination address can be one of the following:
• The MAC address of the IP packet destination.

Configuration considerations for increasing the MTU

• When you increase the MTU size of a port, the increase uses system resources. Increase the MTU size only on the ports that need it. For example, if you have one port connected to a server that uses jumbo frames and two other ports connected to clients that can support the jumbo frames, increase the MTU only on those three ports. Leave the MTU size on the other ports at the default value (1500 bytes).

NOTE
The new ip-port-mtu command replaces the ip mtu command. The IP MTU check on egress is validated based on the physical port instead of the IP interface. Therefore, ip-port-mtu can be set only on a physical port. In the case of a VE, you can set ip-port-mtu on a port that is a member of the VE. In contrast with the ip mtu command, the multiple physical ports in a VE can have different IP MTUs. However, all VLANs of a port have the same IP MTU size.
If you prefer, you can explicitly set the router ID to any valid IP address. The IP address cannot be in use on another device in the network.

NOTE
Layer 3 Switches use the same router ID for both OSPF and BGP4. If the router is already configured for OSPF, you may want to use the router ID that is already in use on the router rather than set a new one. To display the router ID, enter the show ip CLI command at any CLI level.

Telnet packets

To specify the lowest-numbered IP address configured on a virtual interface as the device source for all Telnet packets, enter commands such as the following.

TurboIron(config)#int loopback 2
TurboIron(config-lbif-2)#ip address 10.0.0.2/24
TurboIron(config-lbif-2)#exit
TurboIron(config)#ip telnet source-interface loopback 2

The commands in this example configure loopback interface 2, assign IP address 10.0.0.

The parameter is a loopback interface or virtual interface number. If you specify an Ethernet port, the is the port number.

Configuring ARP parameters

Address Resolution Protocol (ARP) is a standard IP protocol that enables an IP Layer 3 Switch to obtain the MAC address of another device interface when the Layer 3 Switch knows the IP address of the interface. ARP is enabled by default and cannot be disabled.
• If the ARP cache does not contain an entry for the destination IP address, the Layer 3 Switch broadcasts an ARP request out all its IP interfaces. The ARP request contains the IP address of the destination. If the device with that IP address is directly attached to the Layer 3 Switch, the device sends an ARP response containing its MAC address. The response is a unicast packet addressed directly to the Layer 3 Switch.

NOTE
If you want to change a previously configured ARP rate limiting policy, you must remove the previously configured policy using the no rate-limit-arp command before entering the new policy.

Changing the ARP aging period

When the Layer 3 Switch places an entry in the ARP cache, the Layer 3 Switch also starts an aging timer for the entry. The aging timer ensures that the ARP cache does not retain learned entries that are no longer valid.

Proxy ARP is disabled by default on Layer 3 Switches. This feature is not supported on Layer 2 Switches. You can enable proxy ARP at the Interface level, as well as at the Global CONFIG level, of the CLI.

NOTE
Configuring proxy ARP at the Interface level overrides the global configuration.

Enabling proxy ARP globally

To enable IP proxy ARP on a global basis, enter the following command.
Changing the maximum number of entries the static ARP table can hold

NOTE
The basic procedure for changing the static ARP table size is the same as the procedure for changing other configurable cache or table sizes.

• Strict source routing – requires the packet to pass through only the listed routers. If the Layer 3 Switch receives a strict source-routed packet but cannot reach the next-hop interface specified by the packet, the Layer 3 Switch discards the packet and sends an ICMP Source-Route-Failure message to the sender.

NOTE
The Layer 3 Switch allows you to disable sending of the Source-Route-Failure messages. Refer to “Disabling ICMP messages” on page 463.

• Administration – The packet was dropped by the device due to a filter or ACL configured on the device.
• Fragmentation-needed – The packet has the Do not Fragment bit set in the IP Flag field, but the device cannot forward the packet without fragmenting it.
• Host – The destination network or subnet of the packet is directly connected to the device, but the host specified in the destination IP address of the packet is not on the network.
TurboIron(config)#ip icmp unreachable host

Configuring static routes

The IP route table can receive routes from the following sources:
• Directly-connected networks – When you add an IP interface, the Layer 3 Switch automatically creates a route for the network the interface is in.
• RIP – If RIP is enabled, the Layer 3 Switch can learn about routes from the advertisements other RIP routers send to the Layer 3 Switch.

• The metric for the route – The value the Layer 3 Switch uses when comparing this route to other routes in the IP route table to the same destination. The metric applies only to routes that the Layer 3 Switch has already placed in the IP route table. The default metric for static IP routes is 1.

The following command configures a static route to 10.95.7.0, using 10.95.6.157 as the next-hop gateway.

TurboIron(config)#ip route 10.95.7.0/24 10.95.6.157

When you configure a static IP route, you specify the destination address for the route and the next-hop gateway or Layer 3 Switch interface through which the Layer 3 Switch can reach the route. The Layer 3 Switch adds the route to the IP route table. In this case, Switch A knows that 10.95.6.

The is the IP address of the next-hop router (gateway) for the route. If you do not want to specify a next-hop IP address, you can instead specify a port or interface number on the Layer 3 Switch. The parameter is a virtual interface number. If you instead specify an Ethernet port, the is the port number.

To display the maximum value for your device, enter the show default values command. The maximum number of static IP routes the system can hold is listed in the ip-static-route row in the System Parameters section of the display. To change the maximum value, use the system-max ip-static-route command at the global CONFIG level. The parameter specifies the network or host address.
The commands in the example above configure two static IP routes. The routes go to different next-hop gateways but have the same metrics. These commands use the default metric value (1), so the metric is not specified. These static routes are used for load sharing among the next-hop gateways. The following commands configure static IP routes to the same destination, but with different metrics. The route with the lowest metric is used by default.

Figure 58 shows an example of two static routes configured for the same destination network. In this example, one of the routes is a standard static route and has a metric of 1. The other static route is a null route and has a higher metric than the standard static route. The Layer 3 Switch always prefers the static route with the lower metric. In this example, the Layer 3 Switch always uses the standard static route for traffic to destination network 192.168.7.

To configure a standard static IP route and a null route to the same network as shown in Figure 58 on page 471, enter commands such as the following.

TurboIron(config)#ip route 192.168.7.0/24 192.168.6.157/24 1
TurboIron(config)#ip route 192.168.7.0/24 null0 3

The first command configures a standard static route, which includes specification of the next-hop gateway.

Configuring a default network route

The Layer 3 Switch enables you to specify a candidate default route without the need to specify the next-hop gateway. If the IP route table does not contain an explicit default route (for example, 0.0.0.0/0) or propagate an explicit default route through routing protocols, the software can use the default network route as a default route instead.
To verify that the route is in the route table, enter the following command at any level of the CLI.

TurboIron#show ip route
Total number of IP routes: 2
Start index: 1 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
        Destination    NetMask          Gateway    Port   Cost   Type
1       10.157.20.0    255.255.255.0    0.0.0.0    lb1    1      D
2       10.157.22.0    255.255.255.0    0.0.0.0    11     1      *D

This example shows two routes.
Administrative distance

The administrative distance is a unique value associated with each type (source) of IP route. Each path has an administrative distance. The administrative distance is not used when performing IP load sharing, but it is used when evaluating multiple equal-cost paths to the same destination from different sources, such as RIP, OSPF, and so on.

• IP static route – The value you assign to the metric parameter when you configure the route. The default metric is 1. Refer to “Configuring load balancing and redundancy using multiple static routes to the same destination” on page 469.
• RIP – The number of next-hop routers to the destination.
• OSPF – The Path Cost associated with the path. The paths can come from any combination of inter-area, intra-area, and external Link State Advertisements (LSAs).
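As an added illustration (not code from the guide or from the FastIron software), the following Python models the route selection this section describes: longest matching prefix, then lowest administrative distance among equal-cost paths from different sources, then lowest metric, with the survivors treated as equal-cost paths for load sharing. It also reproduces the Figure 58 case, where the null route takes over only when the standard static route's next hop is withdrawn. The administrative distance values, route entries and addresses are constructed for the example and are not the device defaults.

```python
# Added example (not from the Brocade guide): route selection over a
# constructed IP route table. Administrative distances are sample values.
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str             # destination network, e.g. "192.168.7.0/24"
    next_hop: str           # gateway IP address, "null0" for a null route
    source: str             # S:Static D:Connected R:RIP O:OSPF (the page's Type codes)
    admin_distance: int     # lower is preferred across sources (constructed values)
    metric: int = 1         # lower is preferred within a source; static default is 1
    available: bool = True  # False once the path has been withdrawn

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


def select_paths(table, dest):
    """Return the equal-cost best paths to dest, or [] when nothing matches.

    Decision order: longest matching prefix, then lowest administrative
    distance, then lowest metric. Routes surviving all three steps are
    equal-cost paths eligible for load sharing.
    """
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if r.available and addr in r.network]
    if not candidates:
        return []
    longest = max(r.network.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network.prefixlen == longest]
    best_ad = min(r.admin_distance for r in candidates)
    candidates = [r for r in candidates if r.admin_distance == best_ad]
    best_metric = min(r.metric for r in candidates)
    return [r for r in candidates if r.metric == best_metric]


def next_hops(table, dest):
    """Sorted next-hop list for dest; more than one entry means load sharing."""
    return sorted(r.next_hop for r in select_paths(table, dest))


def mark_next_hop_down(table, next_hop):
    """Withdraw every path through next_hop, as the device removes an
    unavailable path from the route table."""
    for r in table:
        if r.next_hop == next_hop:
            r.available = False


def build_example_table():
    """Constructed table mirroring this section's examples (Figure 58 and the
    load-sharing commands); not a capture from a device."""
    return [
        Route("192.168.6.0/24", "DIRECT", "D", admin_distance=0, metric=0),
        # Standard static route plus a null route to the same network (Figure 58)
        Route("192.168.7.0/24", "192.168.6.157", "S", admin_distance=1, metric=1),
        Route("192.168.7.0/24", "null0", "S", admin_distance=1, metric=3),
        # Two static routes with the same metric: load sharing between gateways
        Route("172.16.0.0/16", "10.1.1.2", "S", admin_distance=1),
        Route("172.16.0.0/16", "10.1.1.3", "S", admin_distance=1),
        # Equal-cost paths from two sources: administrative distance decides
        Route("10.0.0.0/8", "10.2.0.1", "O", admin_distance=110, metric=2),
        Route("10.0.0.0/8", "10.3.0.1", "R", admin_distance=120, metric=2),
        # Explicit default route
        Route("0.0.0.0/0", "10.0.0.1", "S", admin_distance=1),
    ]


if __name__ == "__main__":
    table = build_example_table()
    print("192.168.7.10 ->", next_hops(table, "192.168.7.10"))  # standard static route
    mark_next_hop_down(table, "192.168.6.157")
    print("192.168.7.10 ->", next_hops(table, "192.168.7.10"))  # null route, not the default
    print("172.16.1.1   ->", next_hops(table, "172.16.1.1"))    # equal-cost load sharing
    print("10.5.5.5     ->", next_hops(table, "10.5.5.5"))      # OSPF preferred over RIP
```

Once the standard route's gateway is withdrawn, the /24 null route still out-ranks the /0 default route on prefix length, so traffic for 192.168.7.0/24 is dropped rather than leaking toward the default gateway.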
Response to path state changes

If one of the load-balanced paths to a cached destination becomes unavailable, or the IP route table receives a new equal-cost path to a cached destination, the software removes the unavailable path from the IP route table. Then the software selects a new path.

Disabling or re-enabling load sharing

To disable IP load sharing, enter the following commands.
Some types of hosts use the Router Solicitation messages to discover their default gateway. When IRDP is enabled on the Layer 3 Switch, the Layer 3 Switch responds to the Router Solicitation messages. Some clients interpret this response to mean that the Layer 3 Switch is the default gateway. If another router is actually the default gateway for these clients, leave IRDP disabled on the Layer 3 Switch. IRDP uses the following parameters.

Syntax: [no] ip irdp [broadcast | multicast] [holdtime ] [maxadvertinterval ] [minadvertinterval ] [preference ]

The broadcast | multicast parameter specifies the packet type the Layer 3 Switch uses to send Router Advertisements:
• broadcast – The Layer 3 Switch sends Router Advertisements as IP broadcasts. This is the default.
• If the RARP table does not contain an entry for the client, the Layer 3 Switch silently discards the RARP request and does not reply to the client.

How RARP Differs from BootP/DHCP

RARP and BootP/DHCP are different methods for providing IP addresses to IP hosts when they boot. These methods differ in the following ways:
• Location of configured host addresses:
  • RARP requires static configuration of the host IP addresses on the Layer 3 Switch.

The parameter identifies the RARP entry number. You can specify an unused number from 1 to the maximum number of RARP entries supported on the device. To determine the maximum number of entries supported on the device, refer to the section “Displaying and modifying system parameter default settings” on page 265. The parameter specifies the MAC address of the RARP client.

NOTE
The application names are the names for these applications that the Layer 3 Switch software recognizes, and might not match the names for these applications on some third-party devices. The numbers listed in parentheses are the UDP port numbers for the applications. The numbers come from RFC 1340.

NOTE
Forwarding support for BootP/DHCP is enabled by default.

• tftp (port 69)

In addition, you can specify any UDP application by using the application UDP port number. The parameter specifies the UDP application port number. If the application you want to enable is not listed above, enter the application port number. You also can list the port number for any of the applications listed above. To disable forwarding for an application, enter a command such as the following.
NOTE
The BootP/DHCP hop count is not the TTL parameter.

Configuring the BOOTP/DHCP reply source address

You can configure the device so that a BOOTP/DHCP reply to a client contains the server IP address as the source address instead of the router IP address. To do so, enter the following command at the Global CONFIG level of the CLI.

Configuring IP parameters – Layer 2 Switches

Configuring the management IP address and specifying the default gateway

To manage a Layer 2 Switch using Telnet or Secure Shell (SSH) CLI connections, you must configure an IP address for the Layer 2 Switch. Optionally, you also can specify the default gateway.

Configuring Domain Name Server (DNS) resolver

The Domain Name Server (DNS) resolver feature lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a Layer 2 Switch or Layer 3 Switch and thereby recognize all hosts within that domain. After you define a domain name, the Layer 2 Switch or Layer 3 Switch automatically appends the appropriate domain to the host name and forwards it to the domain name server.
Type Control-c to abort
Sending DNS Query to 10.157.22.199
Tracing Route to IP node 10.157.22.80
To ABORT Trace Route, Please use stop-traceroute command.
Traced route to target IP node 10.157.22.80:
  IP Address    Round Trip Time1    Round Trip Time2
  10.95.6.30    93 msec             121 msec

NOTE
In the above example, 10.157.22.199 is the IP address of the domain name server (default DNS gateway address), and 10.157.22.80 represents the IP address of the NYC02 host.
Syntax: ip ttl <1-255>

Configuring DHCP Assist

DHCP Assist allows a Layer 2 Switch to assist a router that is performing multi-netting on its interfaces as part of its DHCP relay function. DHCP Assist ensures that a DHCP server that manages multiple IP subnets can readily recognize the requester IP subnet, even when that server is not on the client local LAN segment.

For example, in Figure 61, a host from each of the four subnets supported on a Layer 2 Switch requests an IP address from the DHCP server. These requests are sent transparently to the router. Because the router is unable to determine the origin of each packet by subnet, it assumes the lowest IP address or the ‘primary address’ is the gateway for all ports on the Layer 2 Switch and stamps the request with that address.

When the stamped DHCP discovery packet is then received at the router, it is forwarded to the DHCP server. The DHCP server then extracts the gateway address from each request and assigns an available IP address within the corresponding IP subnet (Figure 63). The IP address is then forwarded back to the workstation that originated the request.

NOTE
When DHCP Assist is enabled on any port, Layer 2 broadcast packets are forwarded by the CPU. Unknown unicast and multicast packets are still forwarded in hardware, although selective packets such as IGMP are sent to the CPU for analysis. When DHCP Assist is not enabled, Layer 2 broadcast packets are forwarded in hardware.

Configuring DHCP Assist

You can associate a gateway list with a port.
Up to eight addresses can be defined for each gateway list in support of ports that are multi-homed. When multiple IP addresses are configured for a gateway list, the Layer 2 Switch inserts the addresses into the discovery packet in a round-robin fashion. Up to 32 gateway lists can be defined for each Layer 2 Switch.

Example
To create the configuration indicated in Figure 62 and Figure 63, enter commands such as the following.

Displaying IP configuration information and statistics

• IP forwarding cache – refer to “Displaying the forwarding cache” on page 500.
• IP route table – refer to “Displaying the IP route table” on page 501.
• IP traffic statistics – refer to “Displaying IP traffic statistics” on page 503.

The sections below describe how to display this information. In addition to the information described below, you can display the following IP information.
TABLE 75 CLI Display of global IP configuration information – Layer 3 Switch (Continued)
This field... Displays...
  bootp-relay-max-hops – The maximum number of hops away a BootP server can be located from the router and still be used by the router clients for network booting. To change this value, refer to “Changing the maximum number of hops to a BootP relay server” on page 484.
  router-id – The 32-bit number that uniquely identifies the router.

Displaying CPU utilization statistics

You can display CPU utilization statistics for IP protocols using the show process cpu command. The show process cpu command includes CPU utilization statistics for ACL, 802.1x, and L2VLAN. L2VLAN contains any packet transmitted to a VLAN by the CPU, including unknown unicast, multicast, broadcast, and CPU-forwarded Layer 2 traffic.
TurboIron#show process cpu 2
Statistics for last 1 sec and 80 ms
Process Name   Sec(%)   Time(ms)
ACL            0        0.00
ARP            1        0.01
BGP            0        0.00
DOT1X          0        0.00
ICMP           0        0.00
IP             0        0.00
L2VLAN         1        0.01
OSPF           0        0.00
RIP            0        0.00
STP            0        0.00
VRRP           0        0.00

When you specify how many seconds’ worth of statistics you want to display, the software selects the sample that most closely matches the number of seconds you specified.
TABLE 76 CLI display of interface IP configuration information (Continued)
This field... Displays...
  Status – The link status of the interface. If you have disabled the interface with the disable command, the entry in the Status field will be “administratively down”. Otherwise, the entry in the Status field will be either “up” or “down”.
  Protocol – Whether the interface can provide two-way communication.

The and parameters let you restrict the display to entries for a specific IP address and network mask. Specify the IP address masks in standard decimal mask format (for example, 255.255.0.0).

NOTE
The parameter and parameter perform different operations.

TurboIron#show ip static-arp
Static ARP table size: 512, configurable from 512 to 1024
Index   IP Address     MAC Address       Port
1       10.95.6.111    0000.003b.d210    1
3       10.95.6.123    0000.003b.d211    1

This example shows two static entries. Note that since you specify an entry index number when you create the entry, it is possible for the range of index numbers to have gaps, as shown in this example.
Displaying the forwarding cache

To display the IP forwarding cache, enter the following command at any CLI level.

TurboIron#show ip cache
Total number of cache entries: 3
D:Dynamic P:Permanent F:Forward U:Us C:Complex Filter
W:Wait ARP I:ICMP Deny K:Drop R:Fragment S:Snap Encap
    IP Address         Next Hop    MAC               Type
1   192.168.1.11       DIRECT      0000.0000.0000    PU
2   192.168.1.255      DIRECT      0000.0000.0000    PU
3   255.255.255.255    DIRECT      0000.0000.
Displaying the IP route table

To display the IP route table, enter the following command at any CLI level.

TurboIron#show ip route
Total number of IP routes: 514
Start index: 1 B:BGP D:Connected R:RIP S:Static
Destination    NetMask        Gateway
10.1.0.0       255.255.0.0    10.1.1.2    1
10.2.0.0       255.255.0.0    10.1.1.2    1
10.3.0.0       255.255.0.0    10.1.1.2    1
10.4.0.0       255.255.0.0    10.1.1.2    1
10.5.0.0       255.255.0.0    10.1.1.2    1
10.6.0.0       255.255.0.0    10.1.1.2    1
10.7.0.0       255.255.0.0    10.1.

Here is an example of how to use the static option. To display only the static IP routes, enter the following command.

TurboIron#show ip route static
Start index: 1 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
Destination      NetMask          Gateway         Port   Cost   Type
192.144.33.11    255.255.255.0    10.157.22.12    1      2      S

Notice that the route displayed in this example has “S” in the Type field, indicating the route is static.
TABLE 80 CLI display of IP route table
This field... Displays...
  Destination – The destination network of the route.
  NetMask – The network mask of the destination address.
  Gateway – The next-hop router.
  Port – The port through which this router sends packets to reach the route's destination.
  Cost – The route's cost.
  Type – The route type, which can be one of the following:
    • B – The route was learned from BGP.
TurboIron#show ip traffic
IP Statistics
  139 received, 145 sent, 0 forwarded
  0 filtered, 0 fragmented, 0 reassembled, 0 bad header
  0 no route, 0 unknown proto, 0 no buffer, 0 other errors
ICMP Statistics
Received:
  0 total, 0 errors, 0 unreachable, 0 time exceed
  0 parameter, 0 source quench, 0 redirect, 0 echo,
  0 echo reply, 0 timestamp, 0 timestamp reply, 0 addr mask
  0 addr mask reply, 0 irdp advertisement, 0 irdp solicitation
Sent:
  0 total, 0 errors, 0
TABLE 81 CLI display of IP traffic statistics – Layer 3 Switch (Continued)
This field... Displays...
  ICMP statistics – The ICMP statistics are derived from RFC 792, “Internet Control Message Protocol”, RFC 950, “Internet Standard Subnetting Procedure”, and RFC 1256, “ICMP Router Discovery Messages”. Statistics are organized into Sent and Received. The field descriptions below apply to each.
  out segments – The number of TCP segments sent by the device.
  retransmission – The number of segments that this device retransmitted because the retransmission timer for the segment had expired before the device at the other end of the connection had acknowledged receipt of the segment.
TurboIron#show ip
Switch IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default router address: 192.168.1.1
TFTP server address: None
Configuration filename: None
Image filename: None

Syntax: show ip

This display shows the following information.

TABLE 82 CLI display of global IP configuration information – Layer 2 Switch
This field...         Displays...
IP configuration
Switch IP address     The management IP address configured on the Layer 2 Switch.
TABLE 83 CLI display of ARP cache
This field...   Displays...
IP              The IP address of the device.
Mac             The MAC address of the device.
                NOTE: If the MAC address is all zeros, the entry is for the default gateway, but the Layer 2 Switch does not have a link to the gateway.
Port            The port on which the entry was learned.
Age             The number of minutes the entry has remained unused.
TABLE 84 CLI display of IP traffic statistics – Layer 2 Switch
This field...   Displays...
IP statistics
received        The total number of IP packets received by the device.
sent            The total number of IP packets originated and sent by the device.
fragmented      The total number of IP packets fragmented by this device to accommodate the MTU of this device or of another device.
TABLE 84 CLI display of IP traffic statistics – Layer 2 Switch (Continued)
This field...          Displays...
input errors           This information is used by Brocade customer support.
TCP statistics         The TCP statistics are derived from RFC 793, “Transmission Control Protocol”.
current active tcbs    The number of TCP Control Blocks (TCBs) that are currently active.
tcbs allocated         The number of TCBs that have been allocated.
Chapter 21 Configuring Spanning Tree Protocol (STP) Related Features

In this chapter
• STP overview
• Configuring standard STP parameters
• Configuring STP related features
• PVST/PVST+ compatibility
Configuring standard STP parameters

STP parameters and defaults
Table 85 lists the default STP states.

TABLE 85 Default STP states
Device type      Default STP type   Default STP state   Default STP state of new VLANs (1)
Layer 2 Switch   MSTP (2)           Enabled             Enabled
Layer 3 Switch   MSTP               Disabled            Disabled

1. When you create a port-based VLAN, the new VLAN STP state is the same as the default STP state on the device. The new VLAN does not inherit the STP state of the default VLAN.
2.
TABLE 87 Default STP port parameters

Parameter: Priority
Description: The preference that STP gives this port relative to other ports for forwarding traffic out of the spanning tree. A higher numerical value means a lower priority.
Default and valid values: 128; possible values are configurable in increments of 16.

Parameter: Path Cost
Description: The cost of using the port to reach the root bridge.
Enabling or disabling STP in a port-based VLAN
Use the following procedure to disable or enable STP on a device on which you have configured a port-based VLAN. Changing the STP state in a VLAN affects only that VLAN. To enable STP for all ports in a port-based VLAN, enter commands such as the following.
TurboIron(config)#vlan 1
TurboIron(config-vlan-1)#spanning-tree priority 0

Syntax: [no] spanning-tree [forward-delay ] | [hello-time ] | [maximum-age ] | [priority ]

The forward-delay parameter specifies the forward delay and can be a value from 4 – 30 seconds. The default is 15 seconds.

NOTE
You can configure a device for faster convergence (including a shorter forward delay) using Fast Span.
STP protection enhancement
STP protection provides the ability to prohibit an end station from initiating or participating in an STP topology change. The 802.1W Spanning Tree Protocol (STP) detects and eliminates logical loops in a redundant network by selectively blocking some data paths (ports) and allowing only the best data paths to forward traffic.
You can view the STP Protection configuration for all ports on a device, or for a specific port only. The show stp-protect command output shows the port number on which STP Protection is enabled, and the number of BPDUs dropped by each port. To view the STP Protection configuration for all ports on the device, enter the following command at any level of the CLI.
TurboIron#show span
VLAN 1 BPDU cam_index is 3 and the Master DMA Are(HEX)
STP instance owned by VLAN 1
Global STP (IEEE 802.
TABLE 88 CLI display of STP information (Continued)
This field...   Displays...
Root Cost       The cumulative cost from this bridge to the root bridge. If this device is the root bridge, then the root cost is 0.
Root Port       The port on this device that connects to the root bridge. If this device is the root bridge, then the value is “Root” instead of a port number.
Priority Hex    This device or VLAN STP priority. The value is shown in hexadecimal format.
TABLE 88 CLI display of STP information (Continued)
This field...     Displays...
Design Cost       The cost to the root bridge as advertised by the designated bridge that is connected to this port. If the designated bridge is the root bridge itself, then the cost is 0. The identity of the designated bridge is shown in the Design Bridge field.
Designated Root   The root bridge as recognized on this port. The value is the same as the root bridge ID listed in the Root ID field.
TurboIron#show span detail
======================================================================
VLAN 1 - MULTIPLE SPANNING TREE (MSTP) ACTIVE
======================================================================
Bridge identifier    - 0x80000000804d4a00
Active global timers - Hello: 0
Port 1 is FORWARDING
  Port       - Path cost: 19, Priority: 128, Root: 0x8000000000a9bb00
  Designated - Bridge: 0x8000000000a9bb00, Interface: 1, Path cost: 0
  Active Timers - None
  BPDUs - Sent: 11,
TABLE 89 CLI display of detailed STP information for ports (Continued)
This field...          Displays...
Active global timers   The global STP timers that are currently active, and their current values. The following timers can be listed:
                       • Hello – The interval between Hello packets. This timer applies only to the root bridge.
                       • Topology Change (TC) – The amount of time during which the topology change flag in Hello packets will be marked, indicating a topology change.
TABLE 89 CLI display of detailed STP information for ports (Continued)
This field...   Displays...
Active Timers   The current values for the following timers, if active:
                • Message age – The number of seconds this port has been waiting for a hello message from the root bridge.
                • Forward delay – The number of seconds that have passed since the last topology change and consequent reconvergence.
Configuring STP related features

TurboIron#show interface ethernet 11
FastEthernet11 is up, line protocol is up
  Hardware is FastEthernet, address is 00e0.52a9.bb49 (bia 00e0.52a9.
802.1W Rapid Spanning Tree (RSTP)
Rapid Spanning Tree Protocol (RSTP), which was 802.1W Draft 3, provided only a subset of the IEEE 802.1W standard, whereas the 802.1W RSTP feature provides the full standard. The implementation of 802.1W Draft 3 is referred to as RSTP Draft 3. RSTP Draft 3 will continue to be supported on devices for backward compatibility. However, customers who are currently using RSTP Draft 3 should migrate to 802.1W. The 802.
The 802.1W algorithm uses this information to determine if the RST BPDU received by a port is superior to the RST BPDU that the port transmits. The two values are compared in the order as given above, starting with the Root bridge ID. The RST BPDU with a lower value is considered superior. The superiority and inferiority of the RST BPDU is used to assign a role to a port.
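As an added illustration (not code from the Brocade guide), the following Python compares RST BPDU fields in the order 802.1W uses and derives port roles from the best BPDU heard on each port. The bridge and root IDs are the hexadecimal values printed by show span detail above; the port-ID encoding, the per-port costs and the third bridge (OTHER) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not Brocade code. Bridge IDs are 64-bit values (16-bit priority
# followed by the 48-bit MAC), the form the CLI prints: 0x80000000804d4a00 is
# priority 0x8000 with MAC 0000.804d.4a00.


@dataclass(frozen=True)
class PriorityVector:
    """RST BPDU fields, listed in the order 802.1W compares them."""
    root_id: int
    root_path_cost: int
    designated_bridge_id: int
    designated_port_id: int

    def key(self) -> Tuple[int, int, int, int]:
        return (self.root_id, self.root_path_cost,
                self.designated_bridge_id, self.designated_port_id)


def is_superior(received: PriorityVector, own: PriorityVector) -> bool:
    """True when the received BPDU beats the one the port would transmit.

    Tuples compare element by element from the left, so the root bridge ID
    decides first, then the root path cost, and so on; the lower value wins.
    """
    return received.key() < own.key()


def port_id(priority: int, number: int) -> int:
    """16-bit port ID: the 4-bit priority (steps of 16, default 128) in the high
    nibble and a 12-bit port number below it (assumed encoding)."""
    return ((priority & 0xF0) << 8) | (number & 0x0FFF)


@dataclass(frozen=True)
class PortInfo:
    path_cost: int                      # cost of the link on this port
    received: Optional[PriorityVector]  # best RST BPDU heard on the port, None if silent


def select_roles(bridge_id: int, ports: Dict[int, PortInfo]) -> Tuple[Dict[int, str], PriorityVector]:
    """Pick the Root port and give every other port a Designated, Alternate or
    Backup role (simplified 802.1W role selection; Edge handling omitted).
    Returns the roles and the root priority vector this bridge will advertise."""
    best = PriorityVector(bridge_id, 0, bridge_id, 0)   # "I am the root" until told otherwise
    root_port = None
    # Walk ports in ascending order so an exact tie goes to the lower port number,
    # which is what the receiving-port-ID tie-breaker in 802.1W would choose.
    for number, info in sorted(ports.items()):
        if info.received is None or info.received.designated_bridge_id == bridge_id:
            continue                    # nothing heard, or our own BPDU echoed back
        candidate = PriorityVector(
            info.received.root_id,
            info.received.root_path_cost + info.path_cost,   # add this link's cost
            info.received.designated_bridge_id,
            info.received.designated_port_id,
        )
        if candidate.key() < best.key():
            best, root_port = candidate, number

    roles: Dict[int, str] = {}
    for number, info in ports.items():
        if number == root_port:
            roles[number] = "Root"
            continue
        # What this port would send if it were the Designated port for its segment.
        own = PriorityVector(best.root_id, best.root_path_cost, bridge_id, port_id(128, number))
        if info.received is not None and is_superior(info.received, own):
            # A better bridge already serves the segment; if that bridge is us
            # (our BPDU heard back on a shared segment) the role is Backup.
            roles[number] = "Backup" if info.received.designated_bridge_id == bridge_id else "Alternate"
        else:
            roles[number] = "Designated"
    return roles, best


ROOT = 0x8000000000a9bb00   # root bridge ID from the show span detail output
ME = 0x80000000804d4a00     # this bridge's identifier from the same output
OTHER = 0x8000000000c0ffee  # constructed: a third, non-root bridge


def demo() -> Tuple[Dict[int, str], PriorityVector]:
    """Constructed scenario: port 1 hears the root directly at link cost 19,
    port 2 hears OTHER, which also reaches the root at cost 19, port 3 is silent."""
    ports = {
        1: PortInfo(19, PriorityVector(ROOT, 0, ROOT, port_id(128, 1))),
        2: PortInfo(19, PriorityVector(ROOT, 19, OTHER, port_id(128, 1))),
        3: PortInfo(19, None),
    }
    return select_roles(ME, ports)
```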
The topology in Figure 64 contains four bridges. Switch 1 is the root bridge since it has the lowest bridge priority. Switch 2 through Switch 4 are non-root bridges.

FIGURE 64 Simple 802.
Edge ports and edge port roles
The Brocade implementation of 802.1W allows ports that are configured as Edge ports to be present in an 802.1W topology (Figure 65). Edge ports are ports of a bridge that connect to workstations or computers. Edge ports do not register any incoming BPDU activities. Edge ports assume Designated port roles. Port flapping does not cause any topology change events on Edge ports since 802.
NOTE
Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops. The topology in Figure 66 is an example of shared media that should not be configured as point-to-point links. In Figure 66, a port on a bridge communicates or is connected to at least two ports.

FIGURE 66 Example of shared media

Bridge port states
Port roles can have one of the following states:
• Forwarding – 802.
A port on a non-root bridge with a Designated role starts in the discarding state. When that port becomes elected to the Root port role, 802.1W quickly places it into a forwarding state. However, if the Designated port is an Edge port, then the port starts and stays in a forwarding state and it cannot be elected as a Root port. A port with an Alternate or Backup role is always in a discarding state.
• Port Protocol Migration – This state machine deals with compatibility with 802.1D bridges. When a legacy BPDU is detected on a port, this state machine configures the port to transmit and receive legacy BPDUs and operate in the legacy mode.
• Topology Change – This state machine detects, generates, and propagates topology change notifications. It acknowledges Topology Change Notice (TCN) messages when operating in 802.1D mode.
• Proposing – The Designated port on the root bridge sends an RST BPDU packet to its peer port that contains a proposal flag. The proposal flag is a signal that indicates that the Designated port is ready to put itself in a forwarding state (Figure 67). The Designated port continues to send this flag in its RST BPDU until it is placed in a forwarding state (Figure 70) or is forced to operate in 802.1D mode. (Refer to “Compatibility of 802.1W with 802.1D” on page 552).
• Sync – Once the Root port is elected, it sets a sync signal on all the ports on the bridge. The signal tells the ports to synchronize their roles and states (Figure 68). Ports that are non-edge ports with a role of Designated port change into a discarding state. These ports have to negotiate with their peer ports to establish their new roles and states.
• Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced. The Root port monitors the synced signals from all the bridge ports. Once all bridge ports assert a synced signal, the Root port asserts its own synced signal (Figure 69).
• Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state. When the peer Designated port receives the RST BPDU, it rapidly transitions into a forwarding state.
Handshake when a root port has been elected
If a non-root bridge already has a Root port, 802.1W uses a different type of handshake. For example, in Figure 71, a new root bridge is added to the topology.
• Proposing and Proposed – The Designated port on the new root bridge (Port4/Switch 60) sends an RST BPDU that contains a proposing signal to Port4/Switch 200 to inform the port that it is ready to put itself in a forwarding state (Figure 72). The 802.1W algorithm determines that the RST BPDU that Port4/Switch 200 received is superior to what it can generate, so Port4/Switch 200 assumes a Root port role.
• Sync and Reroot – The Root port then asserts a sync and a reroot signal on all the ports on the bridge. The signal tells the ports that a new Root port has been assigned and they are to renegotiate their new roles and states. The other ports on the bridge assert their sync and reroot signals. Information about the old Root port is discarded from all ports. Designated ports change into discarding states (Figure 73).
• Sync and Rerooted – When the ports on Switch 200 have completed the reroot phase, they assert their rerooted signals and continue to assert their sync signals as they continue in their discarding states. They also continue to negotiate their roles and states with their peer ports (Figure 74).
• Synced and Agree – When all the ports on the bridge assert their synced signals, the new Root port asserts its own synced signal and sends an RST BPDU to Port4/Switch 60 that contains an agreed flag (Figure 74). The Root port also moves into a forwarding state.
The Designated port on Switch 60 goes into a forwarding state once it receives the RST BPDU with the agreed flag.
Convergence at start up
In Figure 77, two bridges, Switch 2 and Switch 3, are powered up. There are point-to-point connections between Port3/Switch 2 and Port3/Switch 3.

FIGURE 77 Convergence between two bridges (Switch 2, bridge priority = 1500, Port3 as Designated port; Switch 3, bridge priority = 2000, Port3 as Root port)

At power up, all ports on Switch 2 and Switch 3 assume Designated port roles and are at discarding states before they receive any RST BPDU.
Next, Switch 1 is powered up (Figure 78).
The Port2/Switch 2 bridge also sends an RST BPDU with an agreed flag to Port2/Switch 1, confirming that Port2 is the new Root port. Both ports go into forwarding states. Now, Port3/Switch 3 is in a discarding state and is negotiating a port role. It received RST BPDUs from Port3/Switch 2. The 802.
For example, Port2/Switch 2, which is the port that connects Switch 2 to the root bridge (Switch 1), fails. Both Switch 2 and Switch 1 notice the topology change (Figure 80).

FIGURE 80 Link failure in the topology (Switch 1, bridge priority = 1000; Switch 2, bridge priority = 1500; Switch 3, bridge priority = 2000; ports Port2 through Port5 shown)

Switch 1 sets its Port2 into a discarding state.
When Port2/Switch 2 receives the RST BPDUs, the 802.1W algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port. All the ports on Switch 2 are informed that a new Root port has been assigned, which then signals all the ports to synchronize their roles and states.
Convergence in a complex 802.1W topology
The following is an example of a complex 802.1W topology.

FIGURE 81 Complex 802.
Next, Switch 2 sends RST BPDUs with a proposal flag to Port3/Switch 4. Port3 becomes the Root port for the bridge; all other ports are given a Designated port role with discarding states. Port3/Switch 4 sends an RST BPDU with an agreed flag to Switch 2 to confirm that it is the new Root port. The port then goes into a forwarding state. Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit.
After convergence is complete, Figure 82 shows the active Layer 2 path of the topology in Figure 81.
For example, Port3/Switch 2 in Figure 83 fails. Port4/Switch 3 becomes the new Root port. Port4/Switch 3 sends an RST BPDU with a TCN to Port4/Switch 4. To propagate the topology change, Port4/Switch 4 then starts a TCN timer on itself, on the bridge Root port, and on other ports on that bridge with a Designated role. Then Port3/Switch 4 sends an RST BPDU with the TCN to Port4/Switch 2. (Note the new active Layer 2 path in Figure 83.
• Port2/Switch 2 sends the TCN to Port2/Switch 1

FIGURE 84 Sending TCN to bridges connected to Switch 2 (Switch 1 through Switch 6 with their bridge priorities and port numbers; the legend marks the active Layer 2 path)
Then Switch 1, Switch 5, and Switch 6 send RST BPDUs that contain the TCN to Switch 3 and Switch 4 to complete the TCN propagation (Figure 85).
For example, in Figure 86, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format to allow them to operate transparently with Switch 20.

FIGURE 86 802.1W bridges with an 802.1D bridge (Switch 10, 802.1W; Switch 20, 802.1D; Switch 30, 802.1W)

Once Switch 20 is removed from the LAN, Switch 10 and Switch 30 receive and transmit BPDUs in the STP format to and from each other.
To enable 802.1W for all ports in a port-based VLAN, enter commands such as the following.

TurboIron(config)#vlan 10
TurboIron(config-vlan-10)#spanning-tree 802-1w

Syntax: [no] spanning-tree 802-1w

Note regarding pasting 802.1W settings into the running configuration
If you paste 802.1W settings into the running configuration, and the pasted configuration includes ports that are already up, the ports will initially operate in STP legacy mode before operating in 802.
NOTE
If you change the 802.1W state of the primary port in a trunk group, the change affects all ports in that trunk group.

To disable or enable 802.1W on an individual port, enter commands such as the following.

TurboIron(config)#interface e 1
TurboIron(config-if-e10000-1)#no spanning-tree

Syntax: [no] spanning-tree

Changing 802.1W bridge parameters
When you make changes to 802.1W bridge parameters, the changes are applied to individual ports on the bridge.
The priority parameter specifies the priority of the bridge. You can enter a value from 0 – 65535. A lower numerical value means the bridge has a higher priority. Thus, the highest priority is 0. The default is 32768. You can specify some or all of these parameters on the same command line. If you specify more than one parameter, you must specify them in the order shown above, from left to right.

Changing port parameters
The 802.
Set the admin-pt2pt-mac to enabled or disabled. If set to enabled, then a port is connected to another port through a point-to-point link. The point-to-point link increases the speed of convergence. This parameter, however, does not auto-detect whether or not the link is a physical point-to-point link. The force-migration-check parameter forces the specified port to send one RST BPDU.
TABLE 91 CLI display of 802.1W summary (Continued)
This field...                   Displays...
Bridge IEEE 802.1W parameters
Bridge Identifier               The ID of the bridge.
Bridge Max Age                  The configured max age for this bridge. The default is 20.
Bridge Hello                    The configured hello time for this bridge. The default is 2.
Bridge FwdDly                   The configured forward delay time for this bridge. The default is 15.
Force-Version                   The configured force version value.
TABLE 91 CLI display of 802.1W summary (Continued)
This field...                 Displays...
Hello                         The hello value derived from the Root port. It is the number of seconds between two Hello packets.
Port IEEE 802.1W parameters
Port Num                      The port number shown in a port# format.
Pri                           The configured priority of the port. The default is 128 or 0x80.
Port Path Cost                The configured path cost on a link connected to this port.
TurboIron#show 802-1w detail
======================================================================
VLAN 1 - MULTIPLE SPANNING TREE (MSTP - IEEE 802.
TABLE 92 CLI display of show spanning-tree 802.1W (Continued)
This field...   Displays...
State           The port current 802.1W state. A port can have one of the following states:
                • Forwarding
                • Discarding
                • Learning
                • Disabled
                Refer to “Bridge port states” on page 529 and “Edge port and non-edge port states” on page 530.
Path Cost       The configured path cost on a link connected to this port.
Priority        The configured priority of the port. The default is 128 or 0x80.
TABLE 92 CLI display of show spanning-tree 802.1W (Continued)
This field...    Displays...
Machine States   The current states of the various state machines on the port:
                 PIM – State of the Port Information state machine.
                 PRT – State of the Port Role Transition state machine.
                 PST – State of the Port State Transition state machine.
                 TCM – State of the Topology Change state machine.
                 PPM – State of the Port Protocol Migration state machine.
                 PTX – State of the Port Transmit state machine.
FIGURE 87 802.
FIGURE 88 802.
Once a failover occurs, the Switch no longer has an alternate root port. If the port that was an alternate port but became the root port fails, standard STP is used to reconverge with the network. You can minimize the reconvergence delay in this case by setting the forwarding delay on the root bridge to a lower value. For example, if the forwarding delay is set to 15 seconds (the default), change the forwarding delay to a value from 3 – 10 seconds. During failover, 802.
Enabling 802.1W Draft 3
802.1W Draft 3 is disabled by default. The procedure for enabling the feature differs depending on whether single STP is enabled on the device.

NOTE
STP must be enabled before you can enable 802.1W Draft 3.

Enabling 802.1W Draft 3 when single STP is not enabled
By default, each port-based VLAN on the device has its own spanning tree. To enable 802.1W Draft 3 in a port-based VLAN, enter commands such as the following.
SSTP uses the same parameters, with the same value ranges and defaults, as the default STP support on devices. Refer to “STP parameters and defaults” on page 512.

SSTP defaults
SSTP is disabled by default. When you enable the feature, all VLANs on which STP is enabled become members of a single spanning tree. All VLANs on which STP is disabled are excluded from the single spanning tree. To add a VLAN to the single spanning tree, enable STP on that VLAN.
PVST/PVST+ compatibility

TurboIron(config)#spanning-tree single ethernet 1 priority 10

The commands shown above override the global setting for STP priority and set the priority to 10 for port 1.

Here is the syntax for the global STP parameters.

Syntax: [no] spanning-tree single [forward-delay ] [hello-time ] | [maximum-age
Support for Cisco's Per VLAN Spanning Tree plus (PVST+) allows a device to run multiple spanning trees (MSTP) while also interoperating with IEEE 802.1Q devices. The device ports automatically detect PVST+ BPDUs and enable support for the BPDUs once detected.
FIGURE 89 Interaction of IEEE 802.1Q, PVST, and PVST+ regions (labels: PVST Region; two PVST+ Regions; IEEE 802.1Q Region; dual mode ports; 802.1D BPDUs; PVST BPDUs (over ISL trunks); PVST BPDUs tunneled through the IEEE 802.1Q region; Do not connect)

VLAN tags and dual mode
The dual-mode feature enables a port to send and receive both tagged and untagged frames.
Configuring PVST+ support
PVST+ support is automatically enabled when the port receives a PVST BPDU. You can manually enable the support at any time or disable the support if desired. If you want a tagged port to also support IEEE 802.1Q BPDUs, you need to enable the dual-mode feature on the port. The dual-mode feature is disabled by default and must be enabled manually.
TurboIron#show span pvst-mode
PVST+ Enabled on:
Port   Method
1      Set by configuration
2      Set by configuration
10     Set by auto-detect
12     Set by configuration
24     Set by auto-detect

Syntax: show span pvst-mode

This command displays the following information.

TABLE 93 CLI display of PVST+ information
This field...   Displays...
Port            The port number.
                NOTE: The command lists information only for the ports on which PVST+ support is enabled.
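Because PVST+ support switches itself on as soon as a port receives a PVST BPDU, an operator reviewing this output will want to know which ports got there by auto-detect rather than by configuration. The following Python, an added example and not Brocade code, parses the show span pvst-mode output shown above and reports auto-detected ports that are not on an operator-supplied list of ports expected to face PVST/PVST+ switches (the sample output and the expected-port list are constructed for the example).

```python
import re
from typing import Dict, List

# Added example, not Brocade code: audit the show span pvst-mode output.

# Constructed sample, copied from the CLI output shown above.
SAMPLE_OUTPUT = """\
TurboIron#show span pvst-mode
PVST+ Enabled on:
Port   Method
1      Set by configuration
2      Set by configuration
10     Set by auto-detect
12     Set by configuration
24     Set by auto-detect
"""

# One table row: a port number followed by the method column.
_ROW = re.compile(r"^\s*(\d+)\s+Set by (configuration|auto-detect)\s*$")


def parse_pvst_mode(output: str) -> Dict[int, str]:
    """Map port number -> 'configuration' or 'auto-detect' for each listed port.
    The prompt, the heading lines and anything else that is not a row are ignored."""
    ports: Dict[int, str] = {}
    for line in output.splitlines():
        match = _ROW.match(line)
        if match:
            ports[int(match.group(1))] = match.group(2)
    return ports


def unexpected_autodetect(output: str, expected_pvst_ports: List[int]) -> List[int]:
    """Ports that enabled PVST+ on their own and are not expected to see PVST BPDUs.

    A port in this list learned the mode from whatever device sent it a PVST
    BPDU, so the attached device is worth verifying before leaving it in place.
    """
    parsed = parse_pvst_mode(output)
    return sorted(port for port, method in parsed.items()
                  if method == "auto-detect" and port not in expected_pvst_ports)
```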
Commands on the device

TurboIron(config)#vlan-group 1 vlan 2 to 4
TurboIron(config-vlan-group-1)#tagged ethernet 1
TurboIron(config-vlan-group-1)#exit
TurboIron(config)#interface ethernet 1
TurboIron(config-if-1)#dual-mode
TurboIron(config-if-1)#pvst-mode

These commands configure a VLAN group containing VLANs 2, 3, and 4, add port 1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port.
These commands change the default VLAN ID, configure port 1 as a tagged member of VLANs 1 and 2, and enable the dual-mode feature and PVST+ support on port 1. Since VLAN 1 is tagged in this configuration, the default VLAN ID must be changed from VLAN 1 to another VLAN ID. Changing the default VLAN ID from 1 allows the port to process tagged frames for VLAN 1. VLAN 2 is specified with the dual-mode command, which makes VLAN 2 the Port Native VLAN of the port.
PVRST compatibility

PVRST, the "rapid" version of per-VLAN spanning tree (PVST), is a Cisco proprietary protocol. PVRST corresponds to the Brocade full implementation of IEEE 802.1w (RSTP). Likewise, PVST, also a Cisco proprietary protocol, corresponds to the Brocade implementation of IEEE 802.1D (STP). TurboIron X Series devices also support PVRST compatibility. When it receives PVRST BPDUs on a port configured to run 802.
BPDU guard

Re-enabling ports disabled by BPDU guard
When a BPDU Guard-enabled port is disabled by BPDU Guard, the device will place the port in errdisable state and display a message on the console indicating that the port is errdisabled (refer to “Example console messages” on page 577). In addition, the show interface command output will indicate that the port is errdisabled.
Root guard

  300 second input rate: 8 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 256 bits/sec, 0 packets/sec, 0.
802.1s Multiple Spanning Tree Protocol

NOTE
Root guard may prevent network connectivity if it is improperly configured. Root guard must be configured on the perimeter of the network rather than the core.

NOTE
Root guard is not supported when MSTP is enabled.

Enabling STP root guard
An STP root guard is configured on an interface by entering commands similar to the following.
For example, in Figure 92 a network is configured with two regions: Region 1 and Region 2. The entire network is running an instance of CST. Each of the regions is running an instance of IST. In addition, this network contains Switch 1 running MSTP that is not configured in a region and consequently is running in the CIST instance. In this configuration, the regions are each regarded as a single bridge to the rest of the network, as is Switch 1.
MSTP Region – These are clusters of bridges that run multiple instances of the MSTP protocol. Multiple bridges detect that they are in the same region by exchanging their configuration (instance to VLAN mapping), name, and revision-level. Therefore, if you need to have two bridges in the same region, the two bridges must have identical configurations, names, and revision-levels.
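To make the region test concrete, the following Python (an added example, not Brocade code) builds the MST configuration identifier a bridge advertises, name, revision and a digest of the instance-to-VLAN mapping, and compares two bridges' identifiers; a mismatch in any one of the three puts them in different regions. The digest is the HMAC-MD5 defined by IEEE 802.1Q over the 4096-entry VID-to-MSTID table; the name Reg1 and revision 1 are the values from the show mstp conf output later in this chapter, while the VLAN mappings are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Added example, not Brocade code: MST configuration identifier and region comparison.

# HMAC-MD5 key that IEEE 802.1Q specifies for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_instance: Dict[int, int]) -> bytes:
    """Digest of the instance-to-VLAN mapping.

    The input is a table of 4096 two-octet MSTIDs, one per VID 0..4095 in
    order, most significant octet first. VLANs not listed stay in the CIST
    (instance 0), so an empty mapping is the default configuration.
    """
    table = bytearray(4096 * 2)
    for vid, mstid in vlan_to_instance.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} out of range")    # VIDs 0 and 4095 are fixed to the CIST
        if not 0 <= mstid <= 4094:
            raise ValueError(f"MSTID {mstid} out of range")
        table[2 * vid:2 * vid + 2] = mstid.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).digest()


def config_identifier(name: str, revision: int,
                      vlan_to_instance: Dict[int, int]) -> Tuple[str, int, str]:
    """The three values two bridges exchange and must match to share a region."""
    return (name, revision, mst_config_digest(vlan_to_instance).hex().upper())


def same_region(a: Tuple[str, int, Dict[int, int]],
                b: Tuple[str, int, Dict[int, int]]) -> bool:
    """True when bridges a and b (each given as name, revision, mapping) would
    recognise each other as members of the same MSTP region."""
    return config_identifier(*a) == config_identifier(*b)


# Constructed bridge configurations: Reg1 / revision 1 as in show mstp conf,
# VLANs 10 and 20 in instance 1, VLAN 30 in instance 2.
BRIDGE_A = ("Reg1", 1, {10: 1, 20: 1, 30: 2})
BRIDGE_B = ("Reg1", 1, {30: 2, 10: 1, 20: 1})   # same mapping, entered in a different order
BRIDGE_C = ("Reg1", 1, {10: 1, 20: 1})          # VLAN 30 left in the CIST: a different region
```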
NOTE
MSTP is not operational, however, until the mstp start command is issued as described in “Activating MSTP on a switch” on page 585.

Once the system is configured into MSTP mode, CIST (sometimes referred to as “instance 0”) is created and all existing VLANs inside the MSTP scope are controlled by CIST. In addition, whenever you create a new VLAN inside MSTP scope, it is put under CIST control by default.
TurboIron(config)#mstp name TurboIron

Syntax: [no] mstp name

The parameter defines an ASCII name for the MSTP configuration. By default, the name is blank.

Setting the MSTP revision number
Each switch that is running MSTP is configured with a revision number. It applies to the switch, which can have many different VLANs that can belong to many different MSTP regions.
Configuring bridge priority for an MSTP instance
Priority can be configured for a specified instance. To configure priority for an MSTP instance, use a command such as the following at the Global Configuration level.

TurboIron(config)#mstp instance 1 priority 8192

Syntax: [no] mstp instance priority

The variable is the number for the instance of MSTP that you are configuring.
Setting ports to be operational edge ports
You can define specific ports as edge ports for the region in which they are configured to connect to devices (such as a host) that are not running STP, RSTP, or MSTP. If a port is connected to an end device such as a PC, the port can be configured as an edge port. To configure ports as operational edge ports, enter a command such as the following.
Forcing ports to transmit an MSTP BPDU
To force a port to transmit an MSTP BPDU, use a command such as the following at the Global Configuration level.

TurboIron(config)#mstp force-migration-check ethernet 1

Syntax: [no] mstp force-migration-check ethernet

The variable specifies the port or ports from which you want to transmit an MSTP BPDU.
TABLE 94 Output from Show MSTP
This field...        Displays...
MSTP Instance        The ID of the MSTP instance whose statistics are being displayed. For the CIST, this number is 0.
VLANs                The number of VLANs that are included in this instance of MSTP. For the CIST this number will always be 1.
Bridge Identifier    The MAC address of the bridge.
Bridge MaxAge sec    Displays the configured Max Age.
Bridge Hello sec     Displays the configured Hello variable.
TABLE 94 Output from Show MSTP (Continued)
This field...      Displays...
State              The port current spanning tree state. A port can have one of the following states:
                   • Forwarding
                   • Discarding
                   • Learning
                   • Disabled
Designated Cost    Port path cost to the root bridge.
Max Hop cnt        The maximum hop count configured for this instance.
Root Hop cnt       Hop count from the root bridge.
TurboIron#show mstp conf
MSTP CONFIGURATION
------------------
Name     : Reg1
Revision : 1
Version  : 3 (MSTP mode)
Status   : Started

Instance   VLANs
--------   -----------------------------------------------------
0          4093

To display details about the MSTP that is configured on the device, enter the following command.
Chapter 22 Configuring RIP

In this chapter
• RIP overview
• RIP parameters and defaults
• Configuring RIP parameters
• Displaying RIP filters
RIP parameters and defaults
The following tables list the RIP parameters, their default values, and where to find configuration information.
RIP global parameters
Table 95 lists the global RIP parameters and their default values, and indicates where you can find configuration information.
TABLE 95 RIP global parameters
Parameter | Description | Default | See page...
Configuring RIP parameters
RIP interface parameters
Table 96 lists the interface-level RIP parameters and their default values, and indicates where you can find configuration information.
TABLE 96 RIP interface parameters
Parameter | Description | Default | See page...
RIP state and version: The state of the protocol and the version that is supported on the interface.
Configuring RIP parameters
After globally enabling the protocol, you must enable it on individual interfaces. You can enable the protocol on physical interfaces as well as virtual routing interfaces. To enable RIP on an interface, enter commands such as the following.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-1)#ip rip v1-only
Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only
NOTE You must specify the RIP version.
Configuring RIP parameters • The type and number of a specific port to which the offset list applies (optional). The software adds the offset value to the routing metric (cost) of the routes that match the ACL. If a route matches both a global offset list and an interface-based offset list, the interface-based offset list takes precedence. The interface-based offset list metric is added to the route in this case.
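The precedence rule above (an interface-based offset list wins over a global one, and only one offset is added) is easy to get wrong when both lists match the same route. The following Python model is an added example, not code from the guide or from the FastIron software; the ACL representation, the `OffsetList` class, the sample lists and the cap at the RIP "unreachable" metric of 16 are all constructed assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# RIP metric meaning "unreachable"; capping the sum here is an assumption,
# the guide only says the offset is added to the metric.
RIP_INFINITY = 16

# One ACL entry in the CLI's wildcard convention: (network, wildcard mask).
AclEntry = Tuple[str, str]


def acl_matches(acl: Sequence[AclEntry], network: str) -> bool:
    """True if the route's network matches any entry.

    A 0 bit in the wildcard must match exactly; a 1 bit is "don't care".
    """
    addr = int(ipaddress.IPv4Address(network))
    for net, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.IPv4Address(net)) & care):
            return True
    return False


@dataclass
class OffsetList:
    """Hypothetical model of one offset list (constructed for this example)."""
    acl: Sequence[AclEntry]
    offset: int
    port: Optional[str] = None  # None = global list; otherwise the port it is bound to


def apply_offset(network: str, metric: int, port: str,
                 offset_lists: Sequence[OffsetList]) -> int:
    """Return the route metric after applying the guide's offset-list rule.

    Only one offset is ever added: an interface-based list bound to `port`
    that matches the route takes precedence over any matching global list.
    """
    global_hit = next((ol for ol in offset_lists
                       if ol.port is None and acl_matches(ol.acl, network)), None)
    iface_hit = next((ol for ol in offset_lists
                      if ol.port == port and acl_matches(ol.acl, network)), None)
    chosen = iface_hit or global_hit
    if chosen is None:
        return metric
    return min(metric + chosen.offset, RIP_INFINITY)


# Constructed sample: a global list adding 2 to anything in 10.0.0.0/8 and an
# interface list on ethernet 1 adding 5 to anything in 10.10.0.0/16.
SAMPLE_LISTS = [
    OffsetList([("10.0.0.0", "0.255.255.255")], 2),
    OffsetList([("10.10.0.0", "0.0.255.255")], 5, port="ethernet 1"),
]


def demo() -> dict:
    """Metrics for a few constructed routes learned with metric 3."""
    return {
        "10.10.10.0 on ethernet 1": apply_offset("10.10.10.0", 3, "ethernet 1", SAMPLE_LISTS),
        "10.10.10.0 on ethernet 2": apply_offset("10.10.10.0", 3, "ethernet 2", SAMPLE_LISTS),
        "10.20.0.0 on ethernet 1": apply_offset("10.20.0.0", 3, "ethernet 1", SAMPLE_LISTS),
        "192.168.1.0 on ethernet 1": apply_offset("192.168.1.0", 3, "ethernet 1", SAMPLE_LISTS),
    }


if __name__ == "__main__":
    for route, metric in demo().items():
        print(f"{route}: metric {metric}")
```

The route 10.10.10.0 matches both lists, so on ethernet 1 it gets only the interface offset (3 + 5 = 8), while on ethernet 2, where no interface list is bound, the global offset applies (3 + 2 = 5).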
Configuring RIP parameters
• Change the default redistribution metric (optional). The Layer 3 Switch assigns a RIP metric of one to each redistributed route by default. You can change the default metric to a value up to 16.
• Enable redistribution.
NOTE Do not enable redistribution until you configure the other redistribution parameters.
Configuring redistribution filters
RIP redistribution filters apply to all interfaces.
Configuring RIP parameters
The following command denies redistribution for all OSPF routes that have a metric of 10.
TurboIron(config-rip-router)#deny redistribute 3 ospf address 10.92.0.0 255.255.0.0 match-metric 10
The following commands deny redistribution of all routes except routes for 10.10.10.x and 10.20.20.x.
TurboIron(config-rip-router)#deny redistribute 64 static address 255.255.255.255 255.255.255.255
TurboIron(config-rip-router)#permit redistribute 1 static address 10.10.10.0 255.255.255.
Configuring RIP parameters
TurboIron(config-rip-router)#no deny redistribute 2 all address 10.92.0.0 255.255.0.0
TurboIron(config-rip-router)#no redistribution
TurboIron(config-rip-router)#redistribution
Configuring route learning and advertising parameters
By default, a Layer 3 Switch learns routes from all its RIP neighbors and advertises RIP routes to those neighbors.
Configuring RIP parameters
Configuring a RIP neighbor filter
By default, a Layer 3 Switch learns RIP routes from all its RIP neighbors. Neighbor filters allow you to specify the neighbor routers from which the device can receive RIP routes. Neighbor filters apply globally to all ports. To configure a RIP neighbor filter, enter a command such as the following.
Configuring RIP parameters Suppressing RIP route advertisement on a VRRP or VRRPE backup interface NOTE This section applies only if you configure the Layer 3 Switch for Virtual Router Redundancy Protocol (VRRP) or VRRP Extended (VRRPE). Refer to Chapter 27, “Configuring VRRP and VRRPE”. Normally, a VRRP or VRRPE Backup includes route information for the virtual IP address (the backed up interface) in RIP advertisements.
Displaying RIP filters Applying a RIP route filter to an interface Once you define RIP route filters, you must assign them to individual interfaces. The filters do not take effect until you apply them to interfaces. When you apply a RIP route filter, you also specify whether the filter applies to learned routes or advertised routes: • Out filters apply to routes the Layer 3 Switch advertises to its neighbor on the interface.
Displaying CPU utilization statistics
TABLE 97 CLI display of RIP filter information (Continued)
This field... Displays...
Subnet Mask: The network mask for the IP address.
Neighbor filters: The rows underneath “RIP Neighbor Filter Table” list the RIP neighbor filters. If no RIP neighbor filters are configured on the device, the following message is displayed instead: “No Filters are configured in RIP Neighbor Filter Table”.
Index: The filter number.
Action
Neighbor IP Address
Displaying CPU utilization statistics
TurboIron#show process cpu
The system has only been up for 6 seconds.
Process Name  5Sec(%)  1Min(%)  5Min(%)  15Min(%)  Runtime(ms)
ARP           0.01     0.00     0.00     0.00      0
BGP           0.00     0.00     0.00     0.00      0
ICMP          0.01     0.00     0.00     0.00      1
IP            0.00     0.00     0.00     0.00      0
OSPF          0.00     0.00     0.00     0.00      0
RIP           0.00     0.00     0.00     0.00      0
STP           0.00     0.00     0.00     0.00      0
VRRP          0.00     0.00     0.00     0.00      0
To display utilization statistics for a specific number of seconds, enter a command such as the following.
Chapter 23 Configuring OSPF Version 2 (IPv4)
In this chapter
• Overview of OSPF
• Configuring OSPF
• Clearing OSPF information
• Displaying OSPF information
Overview of OSPF
You can further limit the broadcast area of flooding by defining an area range. The area range allows you to assign an aggregate value to a range of IP addresses. This aggregate value becomes the address that is advertised instead of all the individual addresses it represents. You can assign up to 32 ranges in an OSPF area. An OSPF router can be a member of multiple areas. Routers with membership in multiple areas are known as Area Border Routers (ABRs).
Overview of OSPF OSPF point-to-point Links One important OSPF process is Adjacency. Adjacency occurs when a relationship is formed between neighboring routers for the purpose of exchanging routing information. Adjacent OSPF neighbor routers go beyond the simple Hello packet exchange; they exchange database information.
Overview of OSPF In an OSPF point-to-point network, where a direct Layer 3 connection exists between a single pair of OSPF routers, there is no need for Designated and Backup Designated Routers, as is the case in OSPF multi-access networks. Without the need for Designated and Backup Designated routers, a point-to-point network establishes adjacency and converges faster. The neighboring routers become adjacent whenever they can communicate directly.
Overview of OSPF
NOTE Priority is a configurable option at the interface level. You can use this parameter to help bias one router as the DR.
FIGURE 96 Backup designated router becomes designated router (figure labels: Router A, Router B, Router C; Designated Router, priority 10; Designated Backup Router, priority 5; priority 20; the failed router is marked X)
If two neighbors share the same priority, the router with the highest router ID is designated as the DR. The router with the next highest router ID is designated as the BDR.
Overview of OSPF NOTE For details on how to configure the system to operate with the RFC 2178, refer to “Modify OSPF standard compliance setting” on page 643. Reduction of equivalent AS External LSAs An OSPF ASBR uses AS External link advertisements (AS External LSAs) to originate advertisements of a route to another routing domain, such as a BGP4 or RIP domain.
Overview of OSPF
FIGURE 97 AS External LSA reduction
Notice that both Router D and Router E have a route to the other routing domain through Router F. In earlier releases, if Routers D and E have equal-cost routes to Router F, then both Router D and Router E flood AS External LSAs to Routers A, B, and C advertising the route to Router F. Since both routers are flooding equivalent routes, Routers A, B, and C receive multiple routes with the same cost to the same destination (Router F).
Overview of OSPF
Algorithm for AS External LSA reduction
Figure 97 shows an example in which the normal AS External LSA reduction feature is in effect. The behavior changes under the following conditions:
• There is one ASBR advertising (originating) a route to the external destination, but one of the following happens:
  • A second ASBR comes on-line
  • A second ASBR that is already on-line begins advertising an equivalent route to the same destination.
Configuring OSPF
When appendix E is supported, the router generates the link state ID for a network as follows.
1. Does an LSA with the network address as its ID already exist?
• No – Use the network address as the ID.
• Yes – Go to step 2.
2. Compare the networks that have the same network address, to determine which network is more specific. The more specific network is the one that has more contiguous one bits in its network mask. For example, network 10.0.0.0 255.255.0.
Configuring OSPF
1. Enable OSPF on the router.
2. Assign the areas to which the router will be attached.
3. Assign individual interfaces to the OSPF areas.
4. Define redistribution filters, if desired.
5. Enable redistribution, if you defined redistribution filters.
6. Modify default global and port parameters as required.
7. Modify OSPF standard compliance, if desired.
NOTE OSPF is automatically enabled without a system reset.
Configuring OSPF
Interface parameters:
• Assign interfaces to an area.
• Define the authentication key for the interface.
• Change the authentication-change interval.
• Modify the cost for a link.
• Modify the dead interval.
• Modify MD5 authentication key parameters.
• Modify the priority of the interface.
• Modify the retransmit interval for the interface.
• Modify the transit delay of the interface.
NOTE When using the CLI, you set global level parameters at the OSPF CONFIG Level of the CLI.
Configuring OSPF If you are testing an OSPF configuration and are likely to disable and re-enable the protocol, you might want to make a backup copy of the startup-config file containing the protocol configuration information. This way, if you remove the configuration information by saving the configuration after disabling the protocol, you can restore the configuration by copying the backup copy of the startup-config file onto the flash memory.
Configuring OSPF
LSA translation for NSSA. OSPF elects the ABR with the highest router ID. If the elected ABR becomes unavailable, OSPF automatically elects the ABR with the next highest router ID to take over translation of LSAs for the NSSA. The election process for NSSA ABRs is automatic.
Example
To set up the OSPF areas shown in Figure 94 on page 606, enter the following commands.
TurboIron(config-ospf-router)#area 10.192.5.1
TurboIron(config-ospf-router)#area 10.200.5.
Configuring OSPF The no-summary parameter applies only to stub areas and disables summary LSAs from being sent into the area. NOTE You can assign one area on a router interface. For example, if the system or chassis module has 16 ports, 16 areas are supported on the chassis or module. Assign a Not-So-Stubby Area (NSSA) The OSPF Not So Stubby Area (NSSA) feature enables you to configure OSPF areas that provide the benefits of stub areas, but that also are capable of importing external route information.
Configuring OSPF This example shows two routing domains, a RIP domain and an OSPF domain. The ASBR inside the NSSA imports external routes from RIP into the NSSA as Type-7 LSAs, which the ASBR floods throughout the NSSA. The ABR translates the Type-7 LSAs into Type-5 LSAs. If an area range is configured for the NSSA, the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type-5 LSAs into the backbone.
Configuring OSPF The parameter specifies the IP address portion of the range. The software compares the address with the significant bits in the mask. All network addresses that match this comparison are summarized in a single route advertised by the router. The parameter specifies the portions of the IP address that a route must contain to be summarized in the summary route. In the example above, all networks that begin with 10.157 are summarized into a single route.
Configuring OSPF
• ip ospf auth-change-wait-time
• ip ospf authentication-key [0 | 1]
• ip ospf cost
• ip ospf dead-interval
• ip ospf hello-interval
• ip ospf md5-authentication key-activation-wait-time | key-id [0 | 1] key
• ip ospf passive
• ip ospf priority
• ip ospf retransmit-interval
• ip ospf transmit-delay
For a complete description of these parameters, see the summary of OSPF port parameters in the next section.
Configuring OSPF Hello-interval: Represents the length of time between the transmission of hello packets. The value can be from 1 – 65535 seconds. The default is 10 seconds. MD5-authentication activation wait time: The number of seconds the Layer 3 Switch waits until placing a new MD5 key into effect. The wait time provides a way to gracefully transition from one MD5 key to another without disturbing the network. The wait time can be from 0 – 14400 seconds. The default is 300 seconds (5 minutes).
Configuring OSPF NOTE If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior. If you specify encryption option 1, the software assumes that you are entering the encrypted form of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication.
Configuring OSPF Block flooding of outbound LSAs on specific OSPF interfaces By default, the Layer 3 Switch floods all outbound LSAs on all the OSPF interfaces within an area. You can configure a filter to block outbound LSAs on an OSPF interface. This feature is particularly useful when you want to block LSAs from some, but not all, of the interfaces attached to the area. After you apply filters to block the outbound LSAs, the filtering occurs during the database synchronization and flooding.
Configuring OSPF
NOTE When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link).
FIGURE 99 Defining OSPF virtual links within a network
Example
Figure 99 shows an OSPF area border router, DeviceA, that is cut off from the backbone area (area 0). To provide backbone access to DeviceA, you can add a virtual link between DeviceA and DeviceC using area 1 as a transit area.
Configuring OSPF
TurboIronC(config-ospf-router)#area 1 virtual-link 10.0.0.1
TurboIronC(config-ospf-router)#write memory
Syntax: area | virtual-link [authentication-key | dead-interval | hello-interval | retransmit-interval | transmit-delay ]
The area | parameter specifies the transit area. The parameter specifies the router ID of the OSPF router at the remote end of the virtual link.
Configuring OSPF MD5 Authentication Wait Time: This parameter determines when a newly configured MD5 authentication key is valid. This parameter provides a graceful transition from one MD5 key to another without disturbing the network. All new packets transmitted after the key activation wait time interval use the newly configured MD5 Key. OSPF packets that contain the old MD5 key are accepted for up to five minutes after the new MD5 key is in operation.
Configuring OSPF
• 10 Mbps port cost = 10000/10 = 1000
• 100 Mbps port cost = 10000/100 = 100
• 1000 Mbps port cost = 10000/1000 = 10
• 10000 Mbps port cost = 10000/10000 = 1
The bandwidth for interfaces that consist of more than one physical port is calculated as follows:
• Trunk group – The combined bandwidth of all the ports.
• Virtual interface – The combined bandwidth of all the ports in the port-based VLAN that contains the virtual interface.
The default reference bandwidth is 100 Mbps.
Configuring OSPF
The parameter specifies the reference bandwidth and can be a value from 1 – 4294967. The default is 100. For 10 Gbps OSPF interfaces, in order to differentiate the costs between 100 Mbps, 1000 Mbps, and 10,000 Mbps interfaces, set the auto-cost reference bandwidth to 10000, whereby each slower link is given a higher cost. To restore the reference bandwidth to its default value and thus restore the default costs of interfaces to their default values, enter the following command.
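The cost rule above (reference bandwidth divided by interface bandwidth, with trunk groups and virtual interfaces using the combined bandwidth of their member ports) is worth seeing side by side at the default reference of 100 and at the 10000 the guide recommends for 10 Gbps links. The following Python functions are an added example, not code from the guide or the FastIron software; round-down integer division and the floor of 1 are assumptions, since the guide's worked values all divide evenly and it does not state a rounding rule.

```python
from typing import Dict, Sequence

DEFAULT_REFERENCE_BW_MBPS = 100   # default reference bandwidth per the guide
MAX_REFERENCE_BW_MBPS = 4294967   # upper end of the configurable range per the guide


def ospf_port_cost(port_bw_mbps: int,
                   reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """Cost = reference bandwidth / port bandwidth, never below 1.

    Round-down division and the floor of 1 are assumptions for this example.
    """
    if not 1 <= reference_bw_mbps <= MAX_REFERENCE_BW_MBPS:
        raise ValueError("reference bandwidth out of the 1 - 4294967 range")
    if port_bw_mbps <= 0:
        raise ValueError("port bandwidth must be positive")
    return max(1, reference_bw_mbps // port_bw_mbps)


def aggregate_cost(member_bw_mbps: Sequence[int],
                   reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """Trunk group or virtual interface: combined bandwidth of all member ports."""
    return ospf_port_cost(sum(member_bw_mbps), reference_bw_mbps)


def cost_table(reference_bw_mbps: int) -> Dict[int, int]:
    """Costs for the four port speeds the guide lists, at one reference bandwidth."""
    return {bw: ospf_port_cost(bw, reference_bw_mbps) for bw in (10, 100, 1000, 10000)}


if __name__ == "__main__":
    # Constructed comparison: default reference versus the recommended 10000.
    for ref in (DEFAULT_REFERENCE_BW_MBPS, 10000):
        print(f"reference {ref} Mbps: {cost_table(ref)}")
    # A constructed 4 x 1 Gbps trunk group at reference 10000.
    print("4 x 1000 Mbps trunk:", aggregate_cost([1000] * 4, 10000))
```

At the default reference of 100, the 100 Mbps, 1000 Mbps and 10000 Mbps ports all cost 1, so SPF cannot prefer the faster link; at 10000 the table reproduces the guide's values (1000, 100, 10, 1).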
Configuring OSPF
NOTE Do not enable redistribution until you have configured the redistribution filters. If you enable redistribution before you configure the redistribution filters, the filters will not take effect and all routes will be distributed.
Configuring OSPF Example To redistribute RIP, static, and BGP4 routes into OSPF, enter the following commands on the Layer 3 Switch acting as an ASBR.
Configuring OSPF
To configure an OSPF distribution list:
• Configure a standard or extended ACL that identifies the routes you want to deny. Using a standard ACL lets you deny routes based on the destination network, but does not filter based on the network mask. To also filter based on the destination network mask, use an extended ACL.
• Configure an OSPF distribution list that uses the ACL as input.
Configuring OSPF The parameter specifies the source address for the policy. Since this ACL is input to an OSPF distribution list, the parameter actually is specifying the destination network of the route. The parameter specifies the portion of the source address to match against. The is in dotted-decimal notation (IP address format). It is a four-part value, where each part is 8 bits (one byte) separated by dots, and each bit is a one or a zero.
Configuring OSPF The | parameter specifies the ACL name or ID. The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded. The parameter indicates the type of IP packet you are filtering. When using an extended ACL as input for an OSPF distribution list, specify ip. Since this ACL is input to an OSPF distribution list, the parameter actually specifies the destination network of the route.
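The two points made above (the ACL "source" field really matches the route's destination network, and only an extended ACL can also match the route's network mask) are shown here with a small matcher for both ACL kinds. This is an added Python example, not code from the guide or the FastIron software; the `AclEntry`/`Route` classes, the implicit deny at the end of the ACL and the sample policy are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """CLI wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is "don't care" (0.0.0.0 = exact match, 255.255.255.255 = any)."""
    v = int(ipaddress.IPv4Address(value))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (v & care) == (p & care)


@dataclass
class AclEntry:
    """One ACL line as used by a distribution list (constructed model)."""
    action: str                  # "permit" or "deny"
    network: str                 # the ACL "source": the route's destination network
    network_wildcard: str
    mask: Optional[str] = None   # extended ACL "destination": the route's network mask
    mask_wildcard: Optional[str] = None

    @property
    def is_extended(self) -> bool:
        return self.mask is not None


@dataclass
class Route:
    network: str
    mask: str


def acl_action(acl: List[AclEntry], route: Route) -> str:
    """First matching entry wins; an ACL ends with an implicit deny (assumption)."""
    for entry in acl:
        if not wildcard_match(route.network, entry.network, entry.network_wildcard):
            continue
        if entry.is_extended and not wildcard_match(route.mask, entry.mask, entry.mask_wildcard):
            continue
        return entry.action
    return "deny"


def distribution_list_filter(acl: List[AclEntry], routes: List[Route]) -> List[Route]:
    """Return the routes the distribution list lets through."""
    return [r for r in routes if acl_action(acl, r) == "permit"]


# Constructed sample policy: drop the 10.4.0.0/16 aggregate, keep everything else.
# The standard ACL cannot tell the /16 from its /24 subnets; the extended one can.
STANDARD_ACL = [
    AclEntry("deny", "10.4.0.0", "0.0.255.255"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255"),
]
EXTENDED_ACL = [
    AclEntry("deny", "10.4.0.0", "0.0.255.255", "255.255.0.0", "0.0.0.0"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
SAMPLE_ROUTES = [
    Route("10.4.0.0", "255.255.0.0"),
    Route("10.4.1.0", "255.255.255.0"),
    Route("10.5.0.0", "255.255.0.0"),
]

if __name__ == "__main__":
    for name, acl in (("standard", STANDARD_ACL), ("extended", EXTENDED_ACL)):
        kept = [f"{r.network}/{r.mask}" for r in distribution_list_filter(acl, SAMPLE_ROUTES)]
        print(f"{name} ACL keeps: {kept}")
```

With the standard ACL, 10.4.1.0/24 is denied along with 10.4.0.0/16 because only the network is compared; the extended ACL's second field pins the mask to exactly 255.255.0.0, so the /24 survives.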
Configuring OSPF
TurboIron(config)#router ospf
TurboIron(config-ospf-router)#default-metric 4
Syntax: default-metric
The can be from 1 – 16,777,215. The default is 10.
Enable route redistribution
To enable route redistribution, use one of the following methods.
NOTE Do not enable redistribution until you have configured the redistribution filters. Otherwise, you might accidentally overload the network with routes you did not intend to redistribute.
Configuring OSPF The following command shows the result of the redistribution filter. Since only one of the static IP routes configured above matches the route map, only one route is redistributed. Notice that the route metric is 5 before redistribution but is 8 after redistribution. TurboIron#show ip ospf database external extensive Index Aging 1 2 LS ID 10.4.4.0 Router 10.10.10.
Configuring OSPF
The router software can use the route information it learns through OSPF to determine the paths and costs.
Figure: Example OSPF network with four equal-cost paths (figure labels: OSPF Area 0; Device; R1, R3, R4, R5, R6; hosts H1, H2, H3, H4)
In the example in Figure , the switch has four paths to R1:
• Device->R3
• Device->R4
• Device->R5
• Device->R6
Normally, the switch will choose the path to R1 with the lower metric. For example, if the R3 metric is 1400 and the R4 metric is 600, the switch will always choose R4.
Configuring OSPF When you configure an address range, the range takes effect immediately. All the imported routes are summarized according to the configured address range. Imported routes that have already been advertised and that fall within the range are flushed out of the AS and a single route corresponding to the range is advertised.
Configuring OSPF Configure default route origination When the Layer 3 Switch is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to automatically generate a default external route into an OSPF routing domain. This feature is called “default route origination” or “default information origination”. By default, Layer 3 Switches do not advertise the default route into the OSPF domain.
Configuring OSPF If you do not use this option, the default redistribution metric type is used for the route type. NOTE If you specify a metric and metric type, the values you specify are used even if you do not use the always option. Modify SPF timers The Layer 3 Switch uses the following timers when calculating the shortest path for OSPF routes: • SPF delay – When the Layer 3 Switch receives a topology change, the software waits before it starts a Shortest Path First (SPF) calculation.
Configuring OSPF Modify administrative distance Layer 3 Switches can learn about networks from various protocols, including Border Gateway Protocol version 4 (BGP4), RIP, and OSPF. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. The default administrative distance for OSPF routes is 110. Refer to “Changing administrative distances” on page 691 for a list of the default distances for all route sources.
Configuring OSPF Configure OSPF group Link State Advertisement (LSA) pacing The Layer 3 Switch paces LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA refresh timer expires. The accumulated LSAs constitute a group, which the Layer 3 Switch refreshes and sends out together in one or more packets.
Configuring OSPF
• virtual-neighbor-state-change-trap – [MIB object: ospfVirtNbrStateChange]
• interface-config-error-trap – [MIB object: ospfIfConfigError]
• virtual-interface-config-error-trap – [MIB object: ospfVirtIfConfigError]
• interface-authentication-failure-trap – [MIB object: ospfIfAuthFailure]
• virtual-interface-authentication-failure-trap – [MIB object: ospfVirtIfAuthFailure]
• interface-receive-bad-packet-trap – [MIB object: ospfIfrxBadPacket]
• virtual-interface-receive-bad-pac
Clearing OSPF information Syntax: database-overflow-interval The can be from 0 – 86400 seconds. The default is 0 seconds. Specifying the types of OSPF Syslog messages to log You can specify which kinds of OSPF-related Syslog messages are logged. By default, the only OSPF messages that are logged are those indicating possible system errors. If you want other kinds of OSPF messages to be logged, you can configure the device to log them.
Clearing OSPF information
TurboIron#clear ip ospf neighbor
Syntax: clear ip ospf neighbor [ip | id ]
This command clears all OSPF neighbors and the OSPF routes exchanged with the neighbors in the OSPF link state database. After this information is cleared, adjacencies with all neighbors are re-established, and routes are exchanged with these neighbors again. To clear information on the device about OSPF neighbor 10.10.10.1, enter the following command.
Displaying OSPF information
This command clears all OSPF areas, all OSPF neighbors, and the entire OSPF routing table. After this information has been cleared, adjacencies with all neighbors are re-established, and all OSPF routes are re-learned. To clear information on the device about OSPF area 1, enter the following command.
TurboIron#clear ip ospf area 1
This command clears information about the specified area ID. Information about other OSPF areas is not affected.
Displaying OSPF information
TurboIron#show ip ospf config
Router OSPF: Enabled
Redistribution: Disabled
Default OSPF Metric: 10
OSPF Redistribution Metric: Type2
OSPF External LSA Limit: 25000
OSPF Database Overflow Interval: 0
RFC 1583 Compatibility: Enabled
Router id: 10.95.11.
Displaying OSPF information
TurboIron#show process cpu
Process Name  5Sec(%)  1Min(%)  5Min(%)  15Min(%)  Runtime(ms)
ARP           0.01     0.03     0.09     0.22      9
BGP           0.04     0.06     0.08     0.14      13
ICMP          0.00     0.00     0.00     0.00      0
IP            0.00     0.00     0.00     0.00      0
OSPF          0.03     0.06     0.09     0.12      11
RIP           0.00     0.00     0.00     0.00      0
STP           0.00     0.00     0.00     0.00      0
VRRP          0.00     0.00     0.00     0.00      0
If the software has been running less than 15 minutes (the maximum interval for utilization statistics), the command indicates how long the software has been running.
Displaying OSPF information
Displaying OSPF area information
To display OSPF area information, enter the following command at any CLI level.
TurboIron#show ip ospf area
Indx  Area         Type    Cost  SPFR  ABR  ASBR  LSA  Chksum(Hex)
1     0.0.0.0      normal  0     1     0    0     1    0000781f
2     10.147.60.0  normal  0     1     0    0     1    0000fee6
3     10.147.80.0  stub    1     1     0    0     2    000181cd
Syntax: show ip ospf area [] | []
The parameter shows information for the specified area.
Displaying OSPF information
TurboIron#show ip ospf neighbor detail
Port  Address    Pri  State     Neigh Address  Neigh ID     Ev  Op  Cnt
1     10.20.2.2  1    FULL/DR   10.20.2.1      10.2.2.2     6   2   0
      Second-to-dead:39
1     10.20.3.2  1    FULL/BDR  10.20.3.1      10.3.3.3     5   2   0
      Second-to-dead:36
1-8   10.23.5.1  1    FULL/DR   10.23.5.2      10.16.16.16  6   2   0
      Second-to-dead:33
1-2   10.23.2.1  1    FULL/DR   10.23.2.2      10.15.15.
      Second-to-dead:33
Displaying OSPF information
TABLE 99 CLI display of OSPF neighbor information (Continued)
Field Description
State: The state of the conversation between the Layer 3 Switch and the neighbor. This field can have one of the following values:
• Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor.
• Attempt – This state is only valid for neighbors attached to non-broadcast networks.
Displaying OSPF information
TurboIron#show ip ospf interface 10.168.1.1
Ethernet 1,OSPF enabled
IP Address 10.168.1.1, Area 0
OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1
Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
DR: Router ID 0.0.0.0 Interface Address 0.0.0.0
BDR: Router ID 0.0.0.0 Interface Address 0.0.0.0
Neighbor Count = 0, Adjacent Neighbor Count= 1
Neighbor: 10.2.2.
Displaying OSPF information
TABLE 100 Output of the show ip ospf interface command (Continued)
This field Displays
Events: OSPF Interface Event:
• Interface_Up = 0x00
• Wait_Timer = 0x01
• Backup_Seen = 0x02
• Neighbor_Change = 0x03
• Loop_Indication = 0x04
• Unloop_Indication = 0x05
• Interface_Down = 0x06
• Interface_Passive = 0x07
Adjacent Neighbor Count: The number of adjacent neighbor routers.
Neighbor: The neighbor router ID.
Displaying OSPF information
TABLE 101 CLI Display of OSPF route information (Continued)
This field... Displays...
Path_Type: The type of path, which can be one of the following:
• Inter – The path to the destination passes into another area.
• Intra – The path to the destination is entirely within the local area.
• External1 – The path to the destination is a type 1 external route.
• External2 – The path to the destination is a type 2 external route.
Displaying OSPF information
TurboIron#show ip ospf redistribute route 10.1.0.0 255.255.0.0
10.1.0.0 255.255.0.0 static
Displaying OSPF external link state information
To display external link state information, enter the following command at any CLI level.
TurboIron#show ip ospf database external-link-state
Index  Aging  LS ID        Router     Netmask
1      1794   10.1.168.64  10.85.0.3  ffffe000
2      1794   10.3.215.0   10.85.0.3  ffff0000
3      1794   10.1.27.250  10.85.0.3  fffffe00
4      1794   10.1.24.23   10.85.0.3  ffffff00
5      1794   10.1.21.
Displaying OSPF information TABLE 102 CLI display of OSPF external link state information (Continued) This field... Displays... Seq(hex) The sequence number of the LSA. The OSPF neighbor that sent the LSA stamps it with a sequence number to enable the Layer 3 Switch and other OSPF routers to determine which LSA for a given route is the most recent. Chksum A checksum for the LSA packet, which is based on all the fields in the packet except the age field.
Displaying OSPF information
Index  Aging  LS ID        Router     Netmask   Metric    Flag
3      619    10.27.250.0  10.85.0.3  fffffe00  000003e8  b500  0.0.0.0
LSA Header: age: 619, options: 0x02, seq-nbr: 0x80000003, length: 36
NetworkMask: 255.255.254.0
TOS 0: metric_type: 1, metric: 1000
forwarding_address: 0.0.0.
Displaying OSPF information Syntax: show ip ospf border-routers [] The parameter displays the ABR and ASBR entries for the specified IP address. Displaying OSPF trap status All traps are enabled by default when you enable OSPF. To disable or re-enable an OSPF trap, refer to “Modify OSPF traps generated” on page 642. To display the state of each OSPF trap, enter the following command at any CLI level.
Chapter 24 Configuring BGP4 In this chapter • Overview of BGP4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Basic configuration and activation for BGP4. . . . . . . . . . . . . . . . . . . . . . . . • BGP4 parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Memory considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Basic configuration tasks . . . . . . . . . . . .
Overview of BGP4 NOTE Devices support up to 12,000 BGP routes. Overview of BGP4 BGP4 is the standard Exterior Gateway Protocol (EGP) used on the Internet to route traffic between Autonomous Systems (AS) and to maintain loop-free routing. An autonomous system is a collection of networks that share the same routing and administration characteristics. For example, a corporate intranet consisting of several networks under common administrative control might be considered an AS.
Overview of BGP4 Although a Layer 3 Switch BGP4 route table can have multiple routes to the same destination, the BGP4 protocol evaluates the routes and chooses only one of the routes to send to the IP route table. The route that BGP4 chooses and sends to the IP route table is the preferred route and will be used by the Layer 3 Switch. If the preferred route goes down, BGP4 updates the route information in the IP route table with a new BGP4 preferred route.
Overview of BGP4
3. If the weights are the same, prefer the route with the largest local preference.
4. If the routes have the same local preference, prefer the route that was originated locally (by this BGP4 Layer 3 Switch).
5. If the local preferences are the same, prefer the route with the shortest AS-path. An AS-SET counts as 1. A confederation path length, if present, is not counted as part of the path length.
6. If the AS-path lengths are the same, prefer the route with the lowest origin type.
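The selection steps above are easiest to check against concrete paths, in particular the two details that are often mis-implemented: an AS-SET counts as a single hop, and a confederation segment is not counted at all. The following Python comparator is an added example, not code from the guide or the FastIron software. It assumes that the weight comparison preceding step 3 prefers the larger weight (the page only says "if the weights are the same"), that origin types rank IGP before EGP before INCOMPLETE, and that a path still tied after step 6 is left to the later steps, which this example does not model.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Union

# Origin type ranking, lower is preferred: IGP < EGP < INCOMPLETE.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

# An AS_PATH element is either a single AS number or an AS_SET (a frozenset).
ASSegment = Union[int, frozenset]


@dataclass
class BgpPath:
    """Hypothetical model of one candidate path (constructed for this example)."""
    prefix: str
    next_hop: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: Sequence[ASSegment] = ()   # AS numbers and AS_SETs, in order
    confed_path: Sequence[int] = ()     # confederation segments, never counted
    origin: str = "igp"


def as_path_length(path: BgpPath) -> int:
    """Each AS number counts 1 and an AS_SET counts 1 regardless of its size;
    the confederation path is kept separately and ignored."""
    return len(path.as_path)


def better_path(a: BgpPath, b: BgpPath) -> Optional[BgpPath]:
    """Apply the guide's steps 3 to 6 (with the preceding weight check).

    Returns the preferred path, or None when the two are still tied and a
    later step (not shown here) would have to decide.
    """
    if a.weight != b.weight:                       # larger weight wins (assumption)
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:               # step 3: largest local preference
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:  # step 4: locally originated
        return a if a.locally_originated else b
    la, lb = as_path_length(a), as_path_length(b)
    if la != lb:                                   # step 5: shortest AS-path
        return a if la < lb else b
    ra, rb = ORIGIN_RANK[a.origin], ORIGIN_RANK[b.origin]
    if ra != rb:                                   # step 6: lowest origin type
        return a if ra < rb else b
    return None


def select_best(paths: Sequence[BgpPath]) -> BgpPath:
    """Fold the comparator over all candidates; a tie keeps the current best."""
    best = paths[0]
    for candidate in paths[1:]:
        winner = better_path(best, candidate)
        if winner is not None:
            best = winner
    return best


if __name__ == "__main__":
    # Constructed candidates for one prefix.
    long_but_preferred = BgpPath("10.0.0.0/8", "192.0.2.1", local_pref=200,
                                 as_path=(65001, 65002, 65003))
    short = BgpPath("10.0.0.0/8", "192.0.2.2", as_path=(65001,))
    with_set = BgpPath("10.0.0.0/8", "192.0.2.3",
                       as_path=(65001, frozenset({65002, 65003})))
    print("best next hop:", select_best([short, long_but_preferred, with_set]).next_hop)
    print("AS-SET path length:", as_path_length(with_set))
```

Local preference 200 beats a one-hop path at the default local preference, which is the intended behaviour: the AS-path length is consulted only once the earlier steps tie.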
Overview of BGP4 NOTE Layer 3 Switches support BGP4 load sharing among multiple equal-cost paths. BGP4 load sharing enables the Layer 3 Switch to balance the traffic across the multiple paths instead of choosing just one path based on router ID. For EBGP routes, load sharing applies only when the paths are from neighbors within the same remote AS. EBGP paths from neighbors in different ASs are not compared.
Overview of BGP4 UPDATE message After BGP4 neighbors establish a BGP4 connection over TCP and exchange their BGP4 routing tables, they do not send periodic routing updates. Instead, a BGP4 neighbor sends an update to its neighbor when it has a new route to advertise or routes have changed or become unfeasible. An UPDATE message can contain the following information: • Network Layer Reachability Information (NLRI) – The mechanism by which BGP4 supports Classless Interdomain Routing (CIDR).
Basic configuration and activation for BGP4
BGP4 is disabled by default. Follow the steps given below to enable BGP4 and place your Layer 3 Switch into service as a BGP4 router.
1. Enable the BGP4 protocol.
2. Set the local AS number.
NOTE You must specify the local AS number for BGP4 to become functional.
3. Add each BGP4 neighbor (peer BGP4 router) and identify the AS the neighbor is in.
4.
BGP4 parameters
NOTE To disable BGP4 without losing the BGP4 configuration information, remove the local AS (for example, by entering the no local-as command). In this case, BGP4 retains the other configuration information but is not operational until you set the local AS again.
BGP4 parameters
You can modify or set the following BGP4 parameters:
• Optional – Define the router ID. (The same router ID also is used by OSPF.
• Optional – Define neighbor distribute lists.
• Optional – Define BGP4 route maps for filtering routes redistributed into RIP and OSPF.
• Optional – Define route flap dampening parameters.
NOTE When using the CLI, you set global level parameters at the BGP CONFIG level of the CLI. You can reach the BGP CONFIG level by entering router bgp… at the global CONFIG level.
• Add, change, or negate route maps (when used by the network command or a redistribution command).
After resetting neighbor sessions
The following parameter changes take effect only after the router's BGP4 sessions are cleared, or reset using the “soft” clear option. (Refer to “Closing or resetting a neighbor session” on page 764.) The parameters are as follows:
• Change the Hold Time or Keep Alive Time.
• Aggregate routes.
• Add, change, or negate filter tables.
Basic configuration tasks Memory configuration options obsoleted by dynamic memory Devices that support dynamic BGP4 memory allocation do not require or even support static configuration of memory for BGP4 neighbors, routes, or route attributes.
NOTE Layer 3 Switches use the same router ID for both OSPF and BGP4. If the router is already configured for OSPF, you may want to use the router ID that is already in use on the router rather than set a new one, because changing it affects both protocols. To display the router ID, enter the show ip CLI command at any CLI level. To change the router ID, enter a command such as the following.
TurboIron(config)#ip router-id 10.157.22.26
Syntax: ip router-id <ip-addr>
The ip-addr parameter can be any valid, unique IP address.
TurboIron(config-bgp-router)#exit
TurboIron(config)#int loopback 1
TurboIron(config-lbif-1)#ip address 10.0.0.1/24
Syntax: interface loopback <num>
The num value can be from 1 – 8 on Chassis Layer 3 Switches. The value can be from 1 – 4 on the Compact Layer 3 Switch.
Adding BGP4 neighbors
The BGP4 protocol does not contain a peer discovery process.
[send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive hold-time ] [unsuppress-map ] [update-source | ethernet | loopback | ve ] [weight ]
The <ip-addr> | <peer-group-name> parameter indicates whether you are configuring an individual neighbor or a peer group. If you specify a neighbor IP address, you are configuring that individual neighbor.
NOTE By default, if a route does not match any of the filters, the Layer 3 Switch denies the route. To change the default behavior, configure the last filter as “permit any any”.
NOTE The address filter must already be configured. Refer to “Filtering specific IP addresses” on page 702.
ebgp-multihop [] specifies that the neighbor is more than one hop away and that the session type with the neighbor is thus EBGP-multihop. This option is disabled by default.
password [0 | 1] <string> specifies an MD5 password for securing sessions between the Layer 3 Switch and the neighbor. Both ends of the session must be configured with the same string, or the session will not be authenticated. You can enter a string up to 80 characters long. The string can contain any alphanumeric characters, but the first character cannot be a number. If the password contains a number, do not enter a space following the number.
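For the password option, the following is an added example (Python written for this page, not Brocade code). The standard mechanism behind a BGP session password is the TCP MD5 Signature Option (RFC 2385); the example assumes that is what the device implements, reproduces the digest over a KEEPALIVE segment constructed here, and checks a candidate string against the rules above. Addresses, ports and sequence numbers are made up for the example.

```python
"""TCP MD5 signature for a BGP4 segment, plus the page's password rules.

Added example, not Brocade code. Assumes the neighbor password is used as
the key of the TCP MD5 Signature Option (RFC 2385). The segment below is
constructed here so the digest can be recomputed offline, for example to
check a capture against the string configured on both peers.
"""
import hashlib
import ipaddress
import struct

# BGP KEEPALIVE: 16-byte marker of 0xff, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def validate_bgp_password(pw: str) -> str:
    """Enforce the page's rules: 1 to 80 characters, first character not a
    digit, and no space directly after a digit."""
    if not 1 <= len(pw) <= 80:
        raise ValueError("password must be 1 to 80 characters")
    if pw[0].isdigit():
        raise ValueError("first character cannot be a number")
    for prev, cur in zip(pw, pw[1:]):
        if prev.isdigit() and cur == " ":
            raise ValueError("a space may not follow a number")
    return pw


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int, options: bytes = b"") -> bytes:
    """Fixed 20-byte header followed by options padded to a 4-byte boundary.
    The checksum is left as zero here; a real stack fills it in later."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(options) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    return fixed + options


def tcp_md5_digest(src: str, dst: str, tcp_header: bytes, payload: bytes,
                   password: str) -> bytes:
    """RFC 2385 section 2: MD5 over the pseudo-header, the 20-byte TCP header
    with the checksum zeroed and options excluded, the data, then the key."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset != len(tcp_header):
        raise ValueError("header length does not match data offset")
    seg_len = len(tcp_header) + len(payload)        # options do count here
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, seg_len))  # zero, protocol TCP, length
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                      # checksum assumed zero
    h = hashlib.md5()
    h.update(pseudo)
    h.update(bytes(fixed))
    h.update(payload)
    h.update(password.encode("ascii"))
    return h.digest()


def signed_keepalive(src: str, dst: str, password: str) -> bytes:
    """Constructed example segment: a KEEPALIVE from src to dst on port 179
    carrying the MD5 option (kind 19, length 18) with the digest filled in."""
    placeholder = b"\x13\x12" + b"\x00" * 16
    header = build_tcp_header(40000, 179, 1000, 2000, 0x18, 65535, placeholder)
    digest = tcp_md5_digest(src, dst, header, BGP_KEEPALIVE,
                            validate_bgp_password(password))
    # Splice the digest into the option (offset 20 for the fixed header,
    # plus 2 for kind and length).
    return header[:22] + digest + header[22 + 16:] + BGP_KEEPALIVE
```

Because the digest covers the segment and the secret but the option itself is excluded, a receiver that holds a different string computes a different digest and discards the segment, which is why a mismatched string (including the option 1 mistake described below) shows up as a session that never establishes rather than as an explicit error.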
shutdown administratively shuts down the session with this neighbor. Shutting down the session allows you to completely configure the neighbor and save the configuration without actually establishing a session with the neighbor. This option is disabled by default.
soft-reconfiguration inbound enables the soft reconfiguration feature, which stores all the route updates received from the neighbor.
Encryption example
The following commands configure a BGP4 neighbor and a peer group, and specify MD5 authentication strings (passwords) for authenticating packets exchanged with the neighbor or peer group.
TurboIron(config-bgp-router)#local-as 2
TurboIron(config-bgp-router)#neighbor xyz peer-group
TurboIron(config-bgp-router)#neighbor xyz password abc
TurboIron(config-bgp-router)#neighbor 10.10.200.102 peer-group xyz
TurboIron(config-bgp-router)#neighbor 10.10.200.
of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication. If you accidentally enter option 1 followed by the clear-text version of the password or string, authentication will fail because the value used by the software will not match the value you intended to use.
Displaying the authentication string
If you want to display the authentication string, enter the following commands.
• If you remove a parameter from a peer group, the value for that parameter is reset to the default for all the neighbors within the peer group, unless you have explicitly set that parameter on individual neighbors. In this case, the value you set on the individual neighbors applies to those neighbors, while the default value applies to neighbors for which you have not explicitly set the value.
• If you do not specify a parameter for an individual neighbor, the neighbor uses the value in the peer group.
• If you set the parameter for the individual neighbor, that value overrides the value you set in the peer group.
• If you add a parameter to a peer group that already contains neighbors, the parameter value is applied to neighbors that do not already have the parameter explicitly set.
[remote-as ] [remove-private-as] [route-map in | out ] [route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive hold-time ] [update-source loopback ] [weight ]
The <ip-addr> | <peer-group-name> parameter indicates whether you are configuring a peer group or an individual neighbor. You can specify a peer group name or IP address with the neighbor command.
When you apply the new option to shut down a neighbor, the option takes effect immediately and remains in effect until you remove the option. If you save the configuration to the startup-config file, the shutdown option remains in effect even after a software reload.
NOTE The software also contains an option to end the session with a BGP4 neighbor and thus clear the routes learned from the neighbor.
For each keyword, the value indicates the number of seconds. The Keep Alive Time can be 0 – 65535. The Hold Time can be 0 or 3 – 65535 (1 and 2 are not allowed). If you set the Hold Time to 0, the router waits indefinitely for messages from a neighbor without concluding that the neighbor is dead, so a failed neighbor is never detected by the hold timer.
Changing the BGP4 next-hop update timer
By default, the Layer 3 Switch updates its BGP4 next-hop tables and affected BGP4 routes five seconds after IGP route changes.
Optional configuration tasks Changing the maximum number of paths for BGP4 load sharing Load sharing enables the Layer 3 Switch to balance traffic to a route across multiple equal-cost paths of the same type (EBGP or IBGP) for the route. To configure the Layer 3 Switch to perform BGP4 load sharing: • Enable IP load sharing if it is disabled. • Set the maximum number of paths. The default maximum number of BGP4 load sharing paths is 1, which means no BGP4 load sharing takes place by default.
Optional configuration tasks If an IGP path used by a BGP4 next-hop route path installed in the IP route table changes, then the BGP4 paths and IP paths are adjusted accordingly. For example, if one of the OSPF paths to reach the BGP4 next hop goes down, the software removes this path from the BGP4 route table and the IP route table.
• multi-as – Load sharing is enabled for paths from different ASs.
By default, load sharing applies to EBGP and IBGP paths, and does not apply to paths from different neighboring ASs.
Specifying a list of networks to advertise
By default, the router sends BGP4 routes only for the networks you identify using the network command or that are redistributed into BGP4 from RIP or OSPF. You can specify up to 600 networks.
To configure a route map, and use it to set or change route attributes for a network you define for BGP4 to advertise, enter commands such as the following.
TurboIron(config)#route-map set_net permit 1
TurboIron(config-routemap set_net)#set community no-export
TurboIron(config-routemap set_net)#exit
TurboIron(config)#router bgp
TurboIron(config-bgp-router)#network 10.100.1.
Optional configuration tasks Using the IP default route as a valid next hop for a BGP4 route By default, the Layer 3 Switch does not use a default route to resolve a BGP4 next-hop route. If the IP route lookup for the BGP4 next hop does not result in a valid IGP route (including static or direct routes), the BGP4 next hop is considered to be unreachable and the BGP4 route is not used.
Optional configuration tasks Enabling next-hop recursion For each BGP4 route a Layer 3 Switch learns, the Layer 3 Switch performs a route lookup to obtain the IP address of the route next hop. A BGP4 route becomes eligible for installation into the IP route table only if the following conditions are true: • The lookup succeeds in obtaining a valid next-hop IP address for the route. • The path to the next-hop IP address is an Interior Gateway Protocol (IGP) path or a static route path.
TurboIron#show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix             Next Hop        Metric    LocPrf    Weight  Status
1   0.0.0.0/0          10.1.0.2        0         100       0       BI
    AS_PATH: 65001 4355 701 80
2   10.2.0.0/24        10.0.0.1        1         100       0       BI
    AS_PATH: 65001 4355 1
3   10.4.0.0/24        10.1.0.2        0         100       0       BI
    AS_PATH: 65001 4355 701 1 189
4   10.240.0.0/24      10.102.0.1      1         100       0       I
    AS_PATH: 65001 4355 3356 7170 1455
5   10.250.
TurboIron#show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix             Next Hop        Metric    LocPrf    Weight  Status
1   0.0.0.0/0          10.1.0.2        0         100       0       BI
    AS_PATH: 65001 4355 701 80
2   10.102.0.0/24      10.0.0.1        1         100       0       BI
    AS_PATH: 65001 4355 1
3   10.104.0.0/24      10.1.0.2        0         100       0       BI
    AS_PATH: 65001 4355 701 1 189
4   10.240.0.0/24      10.102.0.
This Layer 3 Switch can use this route because the Layer 3 Switch has an IP route to the next-hop gateway. Without recursive next-hop lookups, this route would not be in the IP route table.
Enabling recursive next-hop lookups
The recursive next-hop lookups feature is disabled by default. To enable recursive next-hop lookups, enter the following command at the BGP configuration level of the CLI.
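The resolution rule from the preceding pages (next hop must resolve to an IGP, static or direct route; the default route is not used unless that option is enabled; with recursion a BGP4 route may be followed to reach one), as an added example written for this page in Python, not Brocade code. The route table is built from the prefixes in the show ip bgp route output above; which protocol owns each entry is an assumption made for the example.

```python
"""BGP4 next-hop resolution, with and without recursion and the default route.

Added example, not Brocade code. A BGP4 route is installable only when its
next hop resolves to an IGP, static or direct route; with recursive lookups
enabled a BGP4 route may be followed to reach one. Protocol labels in the
example table are assumptions.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str, Optional[str]]     # (prefix, protocol, next hop or None)
IGP_LIKE = {"direct", "static", "ospf", "rip"}


class RouteTable:
    def __init__(self, routes: List[Route]):
        self.routes = [(ipaddress.ip_network(p), proto, nh) for p, proto, nh in routes]

    def lookup(self, ip: str, use_default: bool = False):
        """Longest-prefix match. The 0.0.0.0/0 entry is only considered when
        use_default is set, matching the page's default of not resolving a
        BGP4 next hop through the IP default route."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, proto, nh in self.routes:
            if net.prefixlen == 0 and not use_default:
                continue
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, proto, nh)
        return best


def resolve_next_hop(table: RouteTable, next_hop: str, recursion: bool = False,
                     use_default: bool = False, max_depth: int = 8) -> Optional[str]:
    """Return the protocol of the route that finally reaches next_hop, or
    None when the BGP4 route must stay out of the IP route table."""
    hop = next_hop
    for _ in range(max_depth):                  # bounded: a next-hop loop resolves to None
        match = table.lookup(hop, use_default)
        if match is None:
            return None
        _net, proto, via = match
        if proto in IGP_LIKE:
            return proto
        if proto == "bgp" and recursion and via is not None:
            hop = via                           # follow the BGP4 route's own next hop
            continue
        return None
    return None


def installable(table: RouteTable, bgp_next_hop: str, **opts) -> bool:
    return resolve_next_hop(table, bgp_next_hop, **opts) is not None


# Constructed table (protocols assumed): two connected subnets, the BGP4
# route 10.102.0.0/24 learned via 10.0.0.1, and a static default via 10.1.0.2.
EXAMPLE_TABLE = RouteTable([
    ("10.0.0.0/24", "direct", None),
    ("10.1.0.0/24", "direct", None),
    ("10.102.0.0/24", "bgp", "10.0.0.1"),
    ("0.0.0.0/0", "static", "10.1.0.2"),
])
```

Run against EXAMPLE_TABLE, the 10.240.0.0/24 route with next hop 10.102.0.1 is not installable by default (its next hop is covered only by a BGP4 route, which is the status I rather than BI shown above) and becomes installable once recursion is on, because 10.102.0.0/24 leads to 10.0.0.1 on a connected subnet.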
Optional configuration tasks Lower administrative distances are preferred over higher distances. For example, if the router receives routes for the same network from OSPF and from RIP, the router will prefer the OSPF route by default. The administrative distances are configured in different places in the software.
This command disables comparison of the AS-Path lengths of otherwise equal paths. When you disable AS-Path length comparison, the BGP4 algorithm shown in “How BGP4 selects a path for a route” on page 661 skips from Step 4 to Step 6.
Syntax: [no] as-path-ignore
Enabling or disabling comparison of the router IDs
Router ID comparison is Step 10 in the algorithm BGP4 uses to select the best path for a route.
You can enable the Layer 3 Switch to always compare the MEDs, regardless of the AS information in the paths. For example, if the router receives UPDATE messages for the same route from neighbors in three ASs, the router would compare the MEDs of all the paths together, rather than comparing the MEDs for the paths in each AS individually.
NOTE By default, the value 0 (most favorable) is used in MED comparison when the MED attribute is not present, so a path that carries no MED is preferred over any path that carries a non-zero one.
• A cluster is a group of IBGP routers organized into route reflectors and route reflector clients. You configure the cluster by assigning a cluster ID on the route reflector and identifying the IBGP neighbors that are members of that cluster. All the configuration for route reflection takes place on the route reflectors. The clients are unaware that they are members of a route reflection cluster. All members of the cluster must be in the same AS.
AS1 contains a cluster with two route reflectors and two clients. The route reflectors are fully meshed with other BGP4 routers, but the clients are not fully meshed. They rely on the route reflectors to propagate BGP4 route updates.
FIGURE 102 Example of a route reflector configuration
(Figure: AS 1 contains Cluster 1, made up of Route Reflector 1, Route Reflector 2, Route Reflector Client 1 and Route Reflector Client 2 joined by IBGP sessions; an EBGP session connects a route reflector to a switch in AS 2; the client networks are labelled 10.0.1.0 and 10.0.2.)
Optional configuration tasks • The Layer 3 Switch adds the attributes only if it is a route reflector, and only when advertising IBGP route information to other IBGP neighbors. The attributes are not used when communicating with EBGP neighbors. • A Layer 3 Switch configured as a route reflector sets the ORIGINATOR_ID attribute to the router ID of the router that originated the route.
Optional configuration tasks By default, the clients of a route reflector are not required to be fully meshed; the routes from a client are reflected to other clients. However, if the clients are fully meshed, route reflection is not required between clients. If you need to disable route reflection between clients, enter the following command. When the feature is disabled, route reflection does not occur between clients but reflection does still occur between clients and non-clients.
Modifying redistribution parameters The attribute-map parameter configures the router to set attributes for the aggregate routes based on the specified route map. NOTE For the suppress-map, advertise-map, and attribute-map parameters, the route map must already be defined. Refer to “Defining route maps” on page 711 for information on defining a route map.
Modifying redistribution parameters The metric parameter changes the metric. You can specify a value from 0 – 4294967295. The default is 0. The route-map parameter specifies a route map to be consulted before adding the RIP route to the BGP4 route table. NOTE The route map you specify must already be configured on the switch. Refer to “Defining route maps” on page 711 for information about defining route maps.
Modifying redistribution parameters NOTE The route map you specify must already be configured on the switch. Refer to “Defining route maps” on page 711 for information about defining route maps. NOTE If you use both the redistribute ospf route-map command and the redistribute ospf match internal | external1 | external2 command, the software uses only the route map for filtering.
To enable the Layer 3 Switch to redistribute IBGP routes into OSPF and RIP, enter the following command.
TurboIron(config-bgp-router)#bgp-redistribute-internal
Syntax: [no] bgp-redistribute-internal
To disable redistribution of IBGP routes into RIP and OSPF, enter the following command.
TurboIron(config-bgp-router)#address-filter 1 deny 10.157.0.0 255.255.0.0
Syntax: address-filter permit | deny
The first parameter is the filter number. The permit | deny parameter indicates the action the Layer 3 Switch takes if the filter match is true.
• If you specify permit, the Layer 3 Switch permits the route into the BGP4 table if the filter match is true.
NOTE The Layer 3 Switch cannot actively support AS-path filters and AS-path ACLs at the same time. Use one method or the other but do not mix methods.
NOTE Once you define a filter or ACL, the default action for updates that do not match a filter is “deny”. To change the default action to “permit”, configure the last filter or ACL as “permit any any”.
AS-path filters or AS-path ACLs can be referred to by a BGP neighbor's filter list number as well as by match statements in a route map.
Filtering The seq parameter is optional and specifies the AS-path list sequence number. You can configure up to 199 entries in an AS-path list. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with number 5. The software interprets the entries in an AS-path list in numerical order, beginning with the lowest sequence number.
TABLE 103 BGP4 special characters for regular expressions (Continued)
Character   Operation
+           The plus sign matches on one or more sequences of a pattern. For example, the following regular expression matches on an AS-path that contains a sequence of “g”s, such as “deg”, “degg”, “deggg”, and so on: deg+
?           The question mark matches on zero occurrences or one occurrence of a pattern.
If you want to filter for a special character instead of using the special character, enter “\” (backslash) in front of the character. For example, to filter on AS-path strings containing an asterisk, enter the asterisk portion of the regular expression as “\*”.
TurboIron(config-bgp-router)#as-path-filter 2 deny \*
To use the backslash itself as a string character, enter two backslashes (“\\”).
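The AS-path filter behaviour described on the preceding pages (entries tried in ascending sequence order with unnumbered entries given 5, 10, 15 and so on; first matching regular expression decides; anything matching no entry is denied; backslash escapes a special character), as an added example in Python written for this page, not Brocade code. Only the + and ? rows of Table 103 are visible here; the underscore handling in the example (match at start, end, space, comma or brace) is the Cisco-style convention and is an assumption.

```python
"""AS-path filter evaluation: sequence numbers, first match wins, default deny.

Added example, not Brocade code. Models the page's AS-path filter rules:
entries are tried in ascending sequence order, unnumbered entries get
5, 10, 15 and so on, the first regular expression that matches decides,
and an update matching nothing is denied. A backslash escapes a special
character; two backslashes match a literal backslash. The '_' translation
is the Cisco-style convention and an assumption here.
"""
import re
from typing import List, Optional, Tuple

Entry = Tuple[int, str, re.Pattern, str]     # seq, action, compiled, raw pattern


def translate(pattern: str) -> str:
    """Turn an AS-path regular expression into a Python one."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))   # \* -> literal *, \\ -> literal \
            i += 2
            continue
        out.append(r"(?:^|$|[ ,{}])" if c == "_" else c)   # assumed '_' semantics
        i += 1
    return "".join(out)


class AsPathFilterList:
    MAX_ENTRIES = 199                                # page: up to 199 entries

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def add(self, action: str, pattern: str, seq: Optional[int] = None) -> int:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if len(self.entries) >= self.MAX_ENTRIES:
            raise ValueError("AS-path list is full")
        if seq is None:
            top = max((s for s, *_ in self.entries), default=0)
            seq = (top // 5 + 1) * 5                 # next multiple of 5 above the highest
        if any(s == seq for s, *_ in self.entries):
            raise ValueError(f"sequence {seq} already used")
        self.entries.append((seq, action, re.compile(translate(pattern)), pattern))
        self.entries.sort(key=lambda e: e[0])
        return seq

    def sequence_numbers(self) -> List[int]:
        return [s for s, *_ in self.entries]

    def evaluate(self, as_path: str) -> str:
        """as_path is the space-separated form, e.g. "65001 4355 701 80"."""
        for _seq, action, rx, _raw in self.entries:
            if rx.search(as_path):
                return action
        return "deny"                                # page: no match means deny
```

The ordering matters for security: a deny placed at a low sequence number wins over a broader permit later in the list, and a list with no catch-all permit silently drops every update it was not written to match, which is the page's "deny" default.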
Filtering NOTE If the filter is referred to by a route map match statement, the filter is applied in the order in which the filter is listed in the match statement. The permit | deny parameter indicates the action the router takes if the filter match is true. • If you specify permit, the router permits the route into the BGP4 table if the filter match is true. • If you specify deny, the router denies the route from entering the BGP4 table if the filter match is true.
Filtering The seq parameter is optional and specifies the community list sequence number. You can configure up to 199 entries in a community list. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with number 5. The software interprets the entries in a community list in numerical order, beginning with the lowest sequence number.
Filtering The seq parameter is optional and specifies the IP prefix list sequence number. You can configure up to 100 prefix list entries. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with prefix list entry 5. The software interprets the prefix list entries in numerical order, beginning with the lowest sequence number. The deny | permit parameter specifies the action the software takes if a neighbor route is in this prefix list.
Defining route maps
A route map is a named set of match conditions and parameter settings that the router can use to modify route attributes and to control redistribution of the routes into other protocols. A route map consists of a sequence of up to 50 instances. If you think of a route map as a table, an instance is a row in that table. The router evaluates a route against the route map's instances in ascending numerical order.
• Set the MED (metric).
• Set the IP address of the next hop router.
• Set the origin to IGP or INCOMPLETE.
• Set the weight.
For example, when you configure parameters for redistributing routes into RIP, one of the optional parameters is a route map. If you specify a route map as one of the redistribution parameters, the router will match the route against the match statements in the route map.
Filtering Specifying the match conditions Use the following command to define the match conditions for instance 1 of the route map GET_ONE. This instance compares the route updates against BGP4 address filter 11. TurboIron(config-routemap GET_ONE)#match address-filters 11 Syntax: match [as-path ] | [address-filters | as-path-filters | community-filters
Filtering NOTE By default, route maps apply to both unicast and multicast traffic. The route-type internal | external-type1 | external-type2 parameter applies only to OSPF routes. This parameter compares the route type to the specified value. The tag parameter compares the route tag to the specified value. Match examples using ACLs The following sections show some detailed examples of how to configure route maps that include match statements that match on ACLs.
Filtering Matching based on next-hop router To construct match statements for a route map that match based on the IP address of the next-hop router, use either of the following methods. You can use the results of an IP ACL or an IP prefix list as the match condition. To construct a route map that matches based on the next-hop router, enter commands such as the following.
Syntax: match community exact-match
The list parameter specifies the name of a community list ACL. You can specify up to five ACLs. Separate the ACL names or IDs with spaces. Here is another example.
TurboIron(config)#ip community-list standard std_2 permit 23:45 56:78
TurboIron(config)#route-map bgp3 permit 1
TurboIron(config-routemap bgp3)#match community std_1 std_2 exact-match
These commands configure an additional community ACL, std_2, that contains community numbers 23:45 and 56:78.
Filtering The [default] interface null0 parameter redirects the traffic to the specified interface. You can send the traffic to the null0 interface, which is the same as dropping the traffic. You can specify more than one interface, in which case the Layer 3 Switch uses the first available port. If the first port is unavailable, the Layer 3 Switch sends the traffic to the next port in the list.
The weight parameter sets the weight for the route. You can specify a weight value from 0 – 4294967295.
Setting a BGP4 route MED to the same value as the IGP metric of the next-hop route
To set a route's MED to the same value as the IGP metric of the BGP4 next-hop route, when advertising the route to a neighbor, enter commands such as the following.
TurboIron(config)#access-list 1 permit 10.192.168.9 0.0.0.
Filtering The first command configures a community ACL containing community numbers 12:99 and 12:86. The remaining commands configure a route map that matches on routes whose destination network is specified in ACL 1, and deletes communities 12:99 and 12:86 from those routes. The route does not need to contain all the specified communities in order for them to be deleted. For example, if a route contains communities 12:86, 33:44, and 66:77, community 12:86 is deleted.
Filtering When you enable cooperative filtering, the Layer 3 Switch advertises this capability in its Open message to the neighbor when initiating the neighbor session. The Open message also indicates whether the Layer 3 Switch is configured to send filters, receive filters or both, and the types of filters it can send or receive. The Layer 3 Switch sends the filters as Outbound Route Filters (ORFs) in Route Refresh messages.
If you do not specify the capability, both capabilities are enabled. The prefixlist parameter specifies the type of filter you want to send to the neighbor.
NOTE The current release supports cooperative filtering only for filters configured using IP prefix lists.
Sending and receiving ORFs
Cooperative filtering affects neighbor sessions that start after the filtering is enabled, but does not affect sessions that are already established.
Configuring route flap dampening TurboIron#show ip bgp neighbor 10.10.10.1 1 IP Address: 10.10.10.1, AS: 65200 (IBGP), RouterID: 10.10.10.
The route flap dampening mechanism is based on penalties. When a route exceeds a configured penalty value, the Layer 3 Switch stops using that route and also stops advertising it to other routers. The mechanism also allows a route's penalty to decrease over time if the route's stability improves. The route flap dampening mechanism uses the following parameters:
• Suppression threshold – Specifies the penalty value at which the Layer 3 Switch stops using the route.
Configuring route flap dampening The parameter specifies the maximum number of minutes that a route can be suppressed regardless of how unstable it is. You can set the maximum suppression time to a value from 1 – 20000 minutes. The default is four times the half-life setting. Thus, if you use the default half-life of 15 minutes, the maximum suppression time is 60 minutes. The following example shows how to change the dampening parameters.
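The penalty mechanism described above, worked through as an added example in Python written for this page, not Brocade code. The 15-minute half-life and the default maximum suppression time of four half-lives are from the page; the per-flap penalty (1000), suppression threshold (2000) and reuse threshold (750) are values assumed for the example, and the penalty ceiling that enforces the maximum suppression time is the RFC 2439 construction (the largest penalty that can decay to the reuse threshold within max-suppress-time).

```python
"""Route flap dampening penalty model, added example (not Brocade code).

Half-life of 15 minutes and a maximum suppression time of four half-lives
come from the page. The per-flap penalty (1000), suppress threshold (2000)
and reuse threshold (750) are assumed values chosen for the example, and
the ceiling is the RFC 2439 construction: the largest penalty that can
decay to the reuse threshold within max-suppress-time.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DampeningConfig:
    half_life: float = 15.0                 # minutes for the penalty to halve
    reuse: float = 750.0                    # at or below this the route is used again
    suppress: float = 2000.0                # above this the route is suppressed
    max_suppress: Optional[float] = None    # minutes; default 4 x half_life
    flap_penalty: float = 1000.0            # penalty added per flap (assumed)

    def __post_init__(self) -> None:
        if self.max_suppress is None:
            self.max_suppress = 4 * self.half_life
        if not 1 <= self.max_suppress <= 20000:      # page: 1 - 20000 minutes
            raise ValueError("max suppression time must be 1 to 20000 minutes")
        self.ceiling = self.reuse * 2 ** (self.max_suppress / self.half_life)

    def decay(self, penalty: float, minutes: float) -> float:
        """Exponential decay: the penalty halves every half_life minutes."""
        return penalty * 2 ** (-minutes / self.half_life)


class DampenedRoute:
    """Penalty and suppression state of one prefix over simulated time
    (times are minutes and must not go backwards)."""

    def __init__(self, cfg: DampeningConfig) -> None:
        self.cfg = cfg
        self.penalty = 0.0
        self.last = 0.0
        self.suppressed = False

    def _advance(self, now: float) -> None:
        self.penalty = self.cfg.decay(self.penalty, now - self.last)
        self.last = now
        if self.suppressed and self.penalty <= self.cfg.reuse:
            self.suppressed = False             # stable long enough: reuse it

    def flap(self, now: float) -> None:
        """Record a withdraw/re-advertise at time now."""
        self._advance(now)
        self.penalty = min(self.penalty + self.cfg.flap_penalty, self.cfg.ceiling)
        if self.penalty > self.cfg.suppress:
            self.suppressed = True

    def usable(self, now: float) -> bool:
        self._advance(now)
        return not self.suppressed
```

With these values three flaps in quick succession push the penalty to 3000, above the suppression threshold; it takes two half-lives (30 minutes) to decay back to the reuse threshold. However many times a route flaps, the ceiling of 12000 means it is never suppressed for more than the 60-minute maximum the page's defaults give.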
Configuring route flap dampening Using a route map to configure route flap dampening for a specific neighbor You can use a route map to configure route flap dampening for a specific neighbor by performing the following tasks: • Configure an empty route map with no match or set statements. This route map does not specify particular routes for dampening but does allow you to enable dampening globally when you refer to this route map from within the BGP configuration level.
Removing route dampening from a route
You can un-suppress routes by removing route flap dampening from the routes. The Layer 3 Switch allows you to un-suppress all routes at once or un-suppress individual routes. To un-suppress all the suppressed routes, enter the following command at the Privileged EXEC level of the CLI.
TurboIron#clear ip bgp damping
Syntax: clear ip bgp damping [ ]
The optional parameter specifies a particular network.
If you want to override the summary-only parameter and allow a specific route to be advertised to a neighbor, enter commands such as the following.
TurboIron(config)#ip prefix-list Unsuppress1 permit 10.1.44.0/24
TurboIron(config)#route-map RouteMap1 permit 1
TurboIron(config-routemap RouteMap1)#match prefix-list Unsuppress1
TurboIron(config-routemap RouteMap1)#exit
TurboIron(config)#router bgp
TurboIron(config-bgp-router)#neighbor 10.1.0.
Configuring route flap dampening The regular-expression parameter is a regular expression. The regular expressions are the same ones supported for BGP4 AS-path filters. Refer to “Using regular expressions” on page 705. The parameter specifies a particular route. If you also use the optional longer-prefixes parameter, then all statistics for routes that match the specified route or have a longer prefix than the specified route are displayed.
Generating traps for BGP The parameters are the same as those for the show ip bgp flap-statistics command (except the longer-prefixes option is not supported). Refer to “Displaying route flap dampening statistics” on page 727. NOTE The clear ip bgp damping command not only clears statistics but also un-suppresses the routes. Refer to “Displaying route flap dampening statistics” on page 727. Generating traps for BGP You can enable and disable SNMP traps for BGP. BGP traps are enabled by default.
TurboIron#show ip bgp summary
  BGP4 Summary
  Router ID: 10.101.0.0   Local AS Number : 4
  Confederation Identifier : not configured
  Confederation Peers: 4 5
  Maximum Number of Paths Supported for Load Sharing : 1
  Number of Neighbors Configured : 11
  Number of Routes Installed : 2
  Number of Routes Advertising to All Neighbors : 8
  Number of Attribute Entries Installed : 6
  Neighbor Address   AS#    State    Time       Rt:Accepted  Filtered  Sent
  10.2.3.4           200    ADMDN    0h44m56s   0            0         0
  10.0.0.
Displaying BGP4 information TABLE 105 BGP4 summary information (Continued) This field... Displays... State The state of this router neighbor session with each neighbor. The states are from this router perspective of the session, not the neighbor perspective. The state values are based on the BGP4 state machine values described in RFC 1771 and can be one of the following for each router: • IDLE – The BGP4 process is waiting to be started.
TurboIron#show ip bgp config
Current BGP configuration:
router bgp
 address-filter 1 deny any any
 as-path-filter 1 permit ^65001$
 local-as 65002
 maximum-paths 4
 neighbor pg1 peer-group
 neighbor pg1 remote-as 65001
 neighbor pg1 description "TurboIron group 1"
 neighbor pg1 distribute-list out 1
 neighbor 10.192.169.100 peer-group pg1
 neighbor 10.192.169.101 peer-group pg1
 neighbor 10.192.169.102 peer-group pg1
 neighbor 10.192.169.201 remote-as 65101
 neighbor 10.192.169.
TurboIron#show process cpu
The system has only been up for 6 seconds.
Process Name   5Sec(%)   1Min(%)   5Min(%)   15Min(%)   Runtime(ms)
ARP            0.01      0.00      0.00      0.00       0
BGP            0.00      0.00      0.00      0.00       0
ICMP           0.01      0.00      0.00      0.00       1
IP             0.00      0.00      0.00      0.00       0
OSPF           0.00      0.00      0.00      0.00       0
RIP            0.00      0.00      0.00      0.00       0
STP            0.00      0.00      0.00      0.00       0
VRRP           0.00      0.00      0.00      0.00       0
To display utilization statistics for a specific number of seconds, enter a command such as the following.
TurboIron#show ip bgp neighbor 10.168.4.211 routes-summary
1   IP Address: 10.168.4.211
Routes Accepted/Installed:1, Filtered/Kept:11, Filtered:11
    Routes Selected as BEST Routes:1
    BEST Routes not Installed in IP Forwarding Table:0
    Unreachable Routes (no IGP Route for NEXTHOP):0
    History Routes:0
NLRIs Received in Update Message:24, Withdraws:0 (0), Replacements:1
    NLRIs Discarded due to Maximum Prefix Limit:0, AS Loop:0
    Invalid Nexthop:0, Invalid Nexthop Address:0.0.0.
Displaying BGP4 information TABLE 106 BGP4 route summary information for a neighbor (Continued) This field... Displays... NLRIs Discarded due to Indicates the number of times the Layer 3 Switch discarded an NLRI for the neighbor due to the following reasons: • Maximum Prefix Limit – The Layer 3 Switch configured maximum prefix amount had been reached. • AS Loop – An AS loop occurred. An AS loop occurs when the BGP4 AS-path attribute contains the local AS number.
Displaying BGP4 information TurboIron#show ip bgp neighbor 10.4.0.2 1 IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 10.0.0.1 Description: neighbor 10.4.0.
Displaying BGP4 information The attribute-entries option shows the attribute-entries associated with routes received from the neighbor. The flap-statistics option shows the route flap statistics for routes received from or sent to the neighbor. The last-packet-with-error option displays the last packet from the neighbor that contained an error. The packet's contents are displayed in decoded (human-readable) format.
Displaying BGP4 information TABLE 107 BGP4 neighbor information (Continued) This field... Displays... RouterID The neighbor router ID. Description The description you gave the neighbor when you configured it on the Layer 3 Switch. State The state of the router session with the neighbor. The states are from this router perspective of the session, not the neighbor perspective.
TABLE 107 BGP4 neighbor information (Continued)
This field... Displays...
RemovePrivateAs Whether this option is enabled for the neighbor.
RefreshCapability Whether this Layer 3 Switch has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability.
CooperativeFilteringCapability Whether the neighbor is enabled for cooperative route filtering.
Distribute-list Lists the distribute list parameters, if configured.
TABLE 107 BGP4 neighbor information (Continued)
This field... Displays...
Last Connection Reset Reason The reason the previous session with this neighbor ended. The reason can be one of the following.
Displaying BGP4 information TABLE 107 BGP4 neighbor information (Continued) This field... Displays... Notification Sent If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
TABLE 107 BGP4 neighbor information (Continued)
This field... Displays...
TCP Connection state The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
Displaying BGP4 information TABLE 107 BGP4 neighbor information (Continued) This field... Displays... RcvWnd The size of the receive window. SendQue The number of sequence numbers in the send queue. RcvQue The number of sequence numbers in the receive queue. CngstWnd The number of times the window has changed. Displaying route information for a neighbor You can display routes based on the following criteria: • A summary of the routes for a specific neighbor.
Displaying BGP4 information TABLE 108 BGP4 route summary information for a neighbor This field... Displays... Routes Received How many routes the Layer 3 Switch has received from the neighbor during the current BGP4 session: • Accepted/Installed – Indicates how many of the received routes the Layer 3 Switch accepted and installed in the BGP4 route table.
Displaying BGP4 information TABLE 108 BGP4 route summary information for a neighbor (Continued) This field... Displays... NLRIs Sent in Update Message The number of NLRIs for new routes the Layer 3 Switch has sent to this neighbor in UPDATE messages: • Withdraws – The number of routes the Layer 3 Switch has sent to the neighbor to withdraw. • Replacements – The number of routes the Layer 3 Switch has sent to the neighbor to replace routes the neighbor already has.
Displaying the best routes that were nonetheless not installed in the IP route table
To display the BGP4 routes received from a specific neighbor that are the “best” routes to their destinations but are not installed in the Layer 3 Switch IP route table, enter a command such as the following at any level of the CLI.
TurboIron#show ip bgp neighbor 10.192.168.
TurboIron#show ip bgp peer-group pg1
1 BGP peer-group is pg
Description: peer group abc
SendCommunity: yes
NextHopSelf: yes
DefaultOriginate: yes
Members:
IP Address: 10.192.168.10, AS: 65111
Syntax: show ip bgp peer-group []
Only the parameters that have values different from their defaults are listed.
TABLE 109 BGP4 summary route information (Continued)
This field... Displays...
IBGP routes selected as best routes The number of “best” routes in the BGP4 route table that are IBGP routes.
EBGP routes selected as best routes The number of “best” routes in the BGP4 route table that are EBGP routes.
The community option lets you display routes for a specific community. You can specify local-as, no-export, no-advertise, internet, or a private community number. You can specify the community number either as two integer values, each in the range 1 – 65535, separated by a colon (for example, 12345:6789), or as a single long integer value. The community-access-list parameter filters the display using the specified community ACL.
For information about the fields in this display, refer to Table 110 on page 751. The fields in this display also appear in the show ip bgp display.
Displaying information for a specific route
To display BGP4 network information by specifying an IP address within the network, enter a command such as the following at any level of the CLI.
TurboIron#show ip bgp 10.3.4.0
Number of BGP Routes matching display condition : 1
Status codes: s suppressed, d damped, h history, * valid, >
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight
*> 10.3.4.0/24 10.168.4.
TABLE 110 BGP4 network information (Continued)
This field... Displays...
Weight The value that this router associates with routes from a specific neighbor. For example, if the router receives routes to the same destination from two BGP4 neighbors, the router prefers the route from the neighbor with the larger weight.
Path The route AS path.
NOTE: This field appears only if you do not enter the route option.
These displays show the following information.
TABLE 111 BGP4 route information
This field... Displays...
Total number of BGP Routes The number of BGP4 routes.
Status codes A list of the characters the display uses to indicate the route status. The status code appears in the left column of the display, to the left of each route. The status codes are described in the command output.
Prefix The network prefix and mask length.
Weight The value that this router associates with routes from a specific neighbor. For example, if the router receives routes to the same destination from two BGP4 neighbors, the router prefers the route from the neighbor with the larger weight.
Atomic Whether network information in this route has been aggregated and this aggregation has resulted in information loss.
TABLE 112 BGP4 route-attribute entries information
This field... Displays...
Total number of BGP Attribute Entries The number of routes contained in this router's BGP4 route table.
Next Hop The IP address of the next hop router for routes that have this set of attributes.
Metric The cost of the routes that have this set of attributes.
Origin The source of the route information.
TurboIron#show ip route
Total number of IP routes: 50834
B:BGP D:Directly-Connected O:OSPF R:RIP S:Static
Network Address NetMask Gateway Port Cost Type
10.3.0.0 255.0.0.0 192.168.13.2 1 0 B
10.4.0.0 255.0.0.0 192.168.13.2 1 0 B
10.9.20.0 255.255.128.0 192.168.13.2 1 0 B
10.1.0.0 255.255.0.0 0.0.0.0 0 1 1 D
10.10.11.0 255.255.255.0 0.0.0.0 0 24 1 D
10.12.2.97 255.255.255.0 192.168.13.2 1 0 B
10.12.3.63 255.255.255.0 192.168.13.2 1 0 B
10.12.3.123 255.255.255.0 192.168.13.
TABLE 113 Route flap dampening statistics
This field... Displays...
Total number of flapping routes The total number of routes in the Layer 3 Switch BGP4 route table that have changed state and thus have been marked as flapping routes.
Status code Indicates the dampening status of the route, which can be one of the following:
• > – This is the best route among those in the BGP4 route table to the route destination.
• d – This route is currently dampened, and thus unusable.
This example shows the active configuration for a route map called “setcomm“.
Syntax: show route-map []

Updating route information and resetting a neighbor session
The following sections describe ways to update route information with a neighbor, reset the session with a neighbor, and close a session with a neighbor.
Use the following CLI methods to configure soft reconfiguration, apply policy changes, and display information for the updates that are filtered out by the policies.
Enabling soft reconfiguration
To configure a neighbor for soft reconfiguration, enter a command such as the following.
TurboIron(config-bgp-router)#neighbor 10.10.200.102 soft-reconfiguration inbound
This command enables soft reconfiguration for updates received from 10.10.200.102.
TurboIron#show ip bgp filtered-routes
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
Prefix Next Hop Metric LocPrf Weight Status
1 10.3.0.0/8 10.168.4.106 100 0 EF
AS_PATH: 65001 4355 701 80
2 10.4.0.0/8 10.168.4.106 100 0 EF
AS_PATH: 65001 4355 1
3 10.4.60.212/22 10.168.4.
The detail parameter displays detailed information for the routes. The example above shows summary information.
NOTE
The syntax for displaying received routes is shown. For complete command syntax, refer to “Displaying BGP4 neighbor information” on page 735.
NOTE
The show ip bgp neighbor received-routes syntax supported in previous software releases is changed to the following syntax: show ip bgp neighbor routes.
TurboIron(config-bgp-router)#clear ip bgp neighbor 10.168.1.170 soft in
This command asks the neighbor to send its BGP4 table (Adj-RIB-Out) again. The Layer 3 Switch applies its filters to the incoming routes and adds, modifies, or removes BGP4 routes as necessary.
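The following is an added example, not code from this guide or from Brocade, that shows what the soft reconfiguration and filtered-routes mechanics above amount to: it parses route lines in the format of the show ip bgp filtered-routes display (index, prefix, next hop, metric/LocPrf/weight columns, status letters, then an AS_PATH line), keeps them as the stored Adj-RIB-In copy, and re-runs an inbound policy over that copy without any interaction with the neighbor, which is exactly what a soft inbound reset does for a policy change. The sample output is constructed in that format, and the local AS number, prefix-length limit and expected-origin table are assumptions chosen for the example; the origin check stands in for whatever ROA or IRR data a deployment actually validates against.

```python
"""Parse FastIron-style 'show ip bgp' route output and re-evaluate an inbound
policy against the stored routes, the way soft reconfiguration inbound lets a
policy change take effect without resetting the neighbor session.

Added example for this guide, not Brocade code. The sample output is
constructed to follow the display format (index, prefix, next hop,
metric/LocPrf/weight, status letters, AS_PATH line); the local AS,
prefix-length limit and expected-origin table are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Status letters, as listed in the legend line of the display.
STATUS_LEGEND = {
    "A": "AGGREGATE", "B": "BEST", "b": "NOT-INSTALLED-BEST", "C": "CONFED_EBGP",
    "D": "DAMPED", "E": "EBGP", "H": "HISTORY", "I": "IBGP", "L": "LOCAL",
    "M": "MULTIPATH", "S": "SUPPRESSED", "F": "FILTERED",
}

ROUTE_RE = re.compile(r"^\s*\d+\s+(\S+/\d+)\s+(\S+)\s+(?:\d+\s+)*([A-Za-z]+)\s*$")
AS_PATH_RE = re.compile(r"^\s*AS_PATH:\s*([\d\s]*)$")


@dataclass
class BgpRoute:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    status: set
    as_path: list = field(default_factory=list)

    @property
    def origin_as(self):
        """The last AS in the path is the AS that originated the prefix."""
        return self.as_path[-1] if self.as_path else None


def parse_show_ip_bgp(text):
    """Turn route lines and their AS_PATH lines into BgpRoute records."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix, next_hop, flags = m.groups()
            routes.append(BgpRoute(ipaddress.ip_network(prefix),
                                   ipaddress.ip_address(next_hop),
                                   {STATUS_LEGEND.get(c, c) for c in flags}))
            continue
        m = AS_PATH_RE.match(line)
        if m and routes:
            routes[-1].as_path = [int(a) for a in m.group(1).split()]
    return routes


@dataclass
class InboundPolicy:
    local_as: int
    max_prefix_len: int = 24
    # prefix -> AS expected to originate it (assumed stand-in for ROA/IRR data)
    expected_origin: dict = field(default_factory=dict)


def evaluate(route, policy):
    """Return None if the route is accepted, else the reason it is filtered."""
    if route.prefix.prefixlen > policy.max_prefix_len:
        return "prefix more specific than /%d" % policy.max_prefix_len
    if policy.local_as in route.as_path:
        return "local AS %d in AS path" % policy.local_as
    expected = policy.expected_origin.get(route.prefix)
    if expected is not None and route.origin_as != expected:
        return "origin AS %s, expected %d" % (route.origin_as, expected)
    return None


def soft_reconfigure(adj_rib_in, policy):
    """Re-run the inbound policy over the stored Adj-RIB-In copy.

    Nothing is sent to the neighbor and the session stays up; the stored
    routes are simply re-classified as accepted or filtered.
    """
    accepted, filtered = [], []
    for route in adj_rib_in:
        reason = evaluate(route, policy)
        (filtered if reason else accepted).append((route, reason))
    return accepted, filtered


# Constructed sample in the display's format (not captured switch output).
SAMPLE_OUTPUT = """\
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST E:EBGP I:IBGP F:FILTERED
       Prefix            Next Hop         Metric  LocPrf  Weight  Status
1      10.3.0.0/16       10.168.4.106             100     0       BE
       AS_PATH: 65001 4355 701 80
2      10.4.0.0/16       10.168.4.106             100     0       BE
       AS_PATH: 65001 4355 1
3      10.4.60.0/22      10.168.4.106             100     0       E
       AS_PATH: 65001 4355 701
4      10.9.20.128/25    10.168.4.106             100     0       E
       AS_PATH: 65001 4355 701 80
5      10.12.0.0/16      10.168.4.106             100     0       E
       AS_PATH: 65001 65000 701
"""

# Assumed policy: this router is AS 65000 and expects AS 80 to originate
# 10.3.0.0/16 and 10.4.0.0/16.
POLICY = InboundPolicy(
    local_as=65000,
    max_prefix_len=24,
    expected_origin={ipaddress.ip_network("10.3.0.0/16"): 80,
                     ipaddress.ip_network("10.4.0.0/16"): 80},
)

if __name__ == "__main__":
    accepted, filtered = soft_reconfigure(parse_show_ip_bgp(SAMPLE_OUTPUT), POLICY)
    for route, reason in filtered:
        print("filtered %-16s %s" % (route.prefix, reason))
```

Run as a script it prints the three filtered prefixes with their reasons; the point to take from it is that a policy change can be verified against the stored copy and then applied without the route churn a hard reset causes, which is why soft-reconfiguration inbound is worth its memory cost on any session whose inbound filters you expect to tune.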
To place a new or changed outbound policy or filter into effect, you must enter a clear ip bgp neighbor command regardless of whether the neighbor session is up or down. You can enter the command without optional parameters or with the soft out or soft-outbound option. Either way, you must specify a parameter for the neighbor (, , , or all).
Closing or resetting a neighbor session
You can close a neighbor session or resend route updates to a neighbor. If you make changes to filters or route maps and the neighbor does not support dynamic route refresh, use the following methods to ensure that neighbors contain only the routes you want them to contain:
• If you close a neighbor session, the Layer 3 Switch and the neighbor clear all the routes they learned from each other.
Clearing traffic counters
You can clear the counters (reset them to 0) for BGP4 messages. To do so, use one of the following methods.
To clear the BGP4 message counter for all neighbors, enter the following command.
TurboIron#clear ip bgp traffic
Syntax: clear ip bgp traffic
To clear the BGP4 message counter for a specific neighbor, enter a command such as the following.
TurboIron#clear ip bgp neighbor 10.0.0.
To un-suppress all the suppressed routes, enter the following command at the Privileged EXEC level of the CLI.
TurboIron#clear ip bgp damping
Syntax: clear ip bgp damping [ ]
The parameter specifies a particular network. The parameter specifies the network mask.
To un-suppress a specific route, enter a command such as the following.
TurboIron#clear ip bgp damping 10.157.22.0 255.255.255.
Chapter 25 Configuring IP Multicast Traffic Reduction
In this chapter
• IGMP snooping overview
• PIM SM traffic snooping overview
• Configuring IGMP snooping
• Configuring PIM SM snooping
• IGMP snooping show commands
• Filter-mode-change record. If the interface state changes from IS_IN to IS_EX, a TO_EX record is included in the membership report. Likewise, if the interface state changes from IS_EX to IS_IN, a TO_IN record appears in the membership report.
• An IGMP V2 leave report is equivalent to a TO_IN (empty) record in IGMP V3. This record means that no traffic from this group will be received regardless of the source.
When multiple devices are configured as queriers, after these devices exchange queries, all except the winner stop sending queries. The device with the lowest address becomes the querier. Although the system works when multiple devices are configured as queriers, Brocade recommends that only one device (preferably the one with the traffic source) be configured as a querier.
• Hardware resources are installed only when there is data traffic. If a VLAN is configured for IGMPv3, the hardware matches (S, G); otherwise it matches (*, G).
• A user can configure the maximum numbers of groups and hardware-switched data streams.
• The device supports static groups that apply to the entire VLAN, or to just a few ports. The device acts as a proxy to send IGMP reports for the static groups when receiving queries.
PIM SM traffic snooping overview
With IGMP snooping alone, when multiple PIM sparse routers connect through the device, the device forwards multicast traffic to all of these routers. For example, PIM sparse routers R1, R2 and R3 connect through a device. Assume R2 needs traffic, and R1 sends it to the device, which forwards it to both R2 and R3, even though R3 does not need it.
With PIM SM snooping, the device stops forwarding IP multicast traffic on a port for a group if the port receives a prune message for the group. Notice that the ports connected to the source and the receivers are all in the same port-based VLAN on the device. This is required for the PIM SM snooping feature. The devices on the edge of the Global Ethernet cloud are configured for IGMP snooping and PIM SM traffic snooping.
Configuration notes and limitations
• PIM SM snooping applies only to PIM SM version 2 (PIM SM V2).
• Devices support PIM SM traffic snooping in the Layer 2 code.
• IGMP snooping must be enabled on the device that will be running PIM SM snooping. The PIM SM traffic snooping feature requires IGMP snooping.
NOTE
Use the passive mode of IGMP snooping instead of the active mode.
• “Modifying the maximum response time”
• “Configuring report control” (rate limiting)
• “Modifying the wait time before stopping traffic when receiving a leave message”
• “Modifying the multicast cache age time”
• “Enabling or disabling error and warning messages”
VLAN-specific tasks
Perform the following VLAN-specific tasks:
• “Configuring the IGMP mode for a VLAN” (active or passive)
• “Disabling IGMP snooping on a VLAN”
• “Configuring the IGMP version for a VLAN”
Setting the maximum number of IGMP group addresses
When IGMP snooping is enabled, devices support up to 4K (4096) IGMP group addresses by default; the configurable range is 4096 – 8192. The configured number is the upper limit of an expandable database. Client memberships exceeding the group limit are not processed. Enter a command such as the following to define the maximum number of IGMP group addresses.
Configuring the IGMP mode for a VLAN
If you specify an IGMP mode for a VLAN, it overrides the global setting. To set the IGMP mode for VLAN 20 to active, enter the following commands.
TurboIron(config)#vlan 20
TurboIron(config-vlan-20)#multicast active
Syntax: [no] multicast active | passive
Configuring the IGMP version
Configuring the global IGMP version
When you globally enable IGMP snooping, you can specify IGMP V2 or IGMP V3 for the device.
Syntax: [no] multicast disable-multicast-snoop
Disabling transmission and receipt of IGMP packets on a port
When a VLAN is snooping-enabled, all IGMP packets are trapped to the CPU without hardware VLAN flooding. The CPU can block IGMP packets to and from a multicast-disabled port, and does not add that port to the output interfaces of hardware resources. This prevents the disabled port from receiving multicast traffic.
The parameter specifies the time between queries. You can specify a value from 10 – 3600 seconds. The default is 125 seconds.
Modifying the maximum response time
The maximum response time is the number of seconds that a client can wait before responding to a query sent by the switch. The default maximum response time is 10 seconds.
Modifying the multicast cache age time
You can set the time for an mcache to age out when it does not receive traffic. The traffic is hardware switched. One minute before an mcache would age out, the device mirrors a packet of this mcache to the CPU to reset the age. If no data traffic arrives within that minute, the mcache is deleted. A lower value quickly removes resources consumed by idle streams, but it mirrors packets to the CPU more often.
IGMP V3 membership tracking and fast leave
IGMP V3 gives clients membership tracking and fast leave capability. In IGMP V2, only one client on an interface needs to respond to a router's queries. This can leave some clients invisible to the router, making it impossible to track the membership of all clients in a group.
Syntax: [no] multicast fast-leave-v2
Fast convergence
In addition to sending periodic general queries, an active device sends general queries when it detects a new port. However, because the device does not recognize the other device's port up event, multicast traffic might still require up to the query-interval time to resume after a topology change.
NOTE
The device must be in passive mode before it can be configured for PIM SM snooping.
To disable the feature, enter the following command.
TurboIron(config)#no ip pimsm-snooping
If you also want to disable IP multicast traffic reduction, enter the following command.
TurboIron(config)#no ip multicast
Syntax: [no] ip pimsm-snooping
Enabling PIM SM snooping on a VLAN
You can enable PIM SM snooping for a specific VLAN.
TurboIron#show ip multicast
Summary of all vlans. Please use "sh ip mu vlan vlan-id" for details
Version=2, Intervals: Query=125, Group Age=260, Max Resp=10, Other Qr=260
VL10: cfg V3, vlan cfg passive, , pimsm (vlan cfg), 1 grp, 0 (SG) cache, no rtr port
To display the IGMP snooping information for a specific VLAN (release 04.1.00 or later), enter a command such as the following.
Syntax: show ip multicast error
The following table describes the output from the show ip multicast error command.
Table 0.4:
This field Displays
SW processed pkt The number of multicast packets processed by IGMP snooping.
up-time The time since IGMP snooping was enabled.
Displaying IGMP group information
To display information about IGMP groups, enter the following command.
If you want a report for a specific multicast group, enter that group's address for group-address. Enter detail to display the source list of a specific VLAN. Enter tracking for information on interfaces that have tracking enabled. The following table describes the information displayed by the show ip multicast group command.
Table 0.5:
This field... Displays...
group The address of the group (destination address in this case, 224.1.1.
Table 0.6:
This field... Displays...
age The mcache age. The age is reset to 0 if traffic continues to arrive; otherwise the mcache is aged out when it reaches the time defined by the ip multicast mcache-age command.
uptime The up time of this mcache in seconds.
vidx The output port list index. The range is from 4096 to 8191.
ref-cnt The reference count of the vidx. The vidx is shared among mcaches having the same output interfaces.
Displaying the status of IGMP snooping traffic
To display status information for IGMP snooping traffic, enter the following command.
PIM SM snooping show commands
This section shows how to display information about PIM SM snooping, including:
• “Displaying PIM SM snooping information”
• “Displaying PIM SM snooping information on a Layer 2 switch”
• “Displaying PIM SM snooping information for a specific group or source group pair”
Displaying PIM SM snooping information
To display PIM SM snooping information, enter the following command.
TurboIron#show ip multicast pimsm-snooping
vlan 1, has 2 caches.
Syntax: show ip multicast pimsm-snooping vlan
Enter the ID of the VLAN for the vlan parameter.
If you want to display PIM SM snooping information for one source or one group, enter a command as in the following example. The command also displays the (source, port) list of the group.
TurboIron#show ip multicast pimsm-snooping 239.255.163.2
Show pimsm snooping group 239.255.163.2 in all vlan
VLAN ID 100
Group: 239.255.163.
TurboIron#show ip multicast pimsm-snooping 230.1.1.1
Show pimsm snooping group 230.1.1.1 in all vlans
vlan 10,has 2 caches.
1 (*230.1.1.1) has 1 pim join ports out of 1 OIF
1(age=120)
1 has 1 src:10.20.20.66(120)
To display PIM SM snooping information for a specific (source, group) pair, enter a command such as the following at any level of the CLI.
TurboIron#show ip multicast pimsm-snooping 230.2.2.2 10.20.20.66
Show pimsm snooping source 10.20.20.66, group 230.2.2.
The parameter specifies the VLAN whose cache to clear.
Clearing traffic on a specific VLAN
To clear the traffic counters on a specific VLAN, enter the following command.
TurboIron#clear ip multicast vlan 10 traffic
Syntax: clear ip multicast vlan traffic
The parameter specifies the VLAN on which to clear the traffic counters.
Chapter 26 Configuring IP Multicast Protocols
In this chapter
• Overview of IP multicasting
• Changing global IP multicast parameters
• PIM Dense
• PIM Sparse
IPv4 multicast group addresses
In IPv4 multicast, host groups are identified by Class D addresses, that is, those with “1110” as their high-order four bits. In Internet standard "dotted decimal" notation, these group addresses range from 224.0.0.0 to 239.255.255.255. However, the IANA IPv4 Multicast Address Registry (referencing RFC 3171) stipulates that the range 224.0.0.0 through 224.0.0.255 should not be used for regular multicasting applications.
• Root Node: The node that initiates the tree building process. It is also the router that sends the multicast packets down the multicast delivery tree.
• Upstream: Represents the direction from which a router receives multicast data packets. An upstream router is a node that sends multicast packets.
• Downstream: Represents the direction to which a router forwards multicast data packets.
Defining the maximum number of PIM cache entries
The PIM cache system parameter defines the maximum number of PIM multicast cache entries; each entry tracks traffic sent from one source address to one destination (group) address. To define this maximum, enter a command such as the following.
TurboIron(config)#system-max pim-mcache 999
Syntax: system-max pim-mcache
The parameter specifies the maximum number of multicast cache entries for PIM.
Modifying IGMP (V1 and V2) membership time
Group membership time defines how long a group remains active on an interface in the absence of a group report. Possible values are from 1 – 7200 seconds and the default value is 140 seconds. To define an IGMP (V1 and V2) membership time of 240 seconds, enter the following.
The ethernet parameter specifies the port number. Use this parameter if the port is a member of a virtual routing interface, and you are entering this command at the configuration level for the virtual routing interface.
Manually added groups are included in the group information displayed by the following commands:
• show ip igmp group
• show ip pim group
PIM Dense
NOTE
This section describes the “dense” mode of PIM, described in RFC 1075.
Pruning a multicast tree
As multicast packets reach these leaf routers, the routers check their IGMP databases for the group. If the group is not in a router's IGMP database, the router discards the packet and sends a prune message to the upstream router. The router that discarded the packet also maintains the prune state for the source, group (S,G) pair. The branch is then pruned (removed) from the multicast tree.
FIGURE 104 Transmission of multicast packets from the source to host group members
FIGURE 105 Pruning leaf nodes from a multicast tree
Grafts to a multicast tree
A PIM switch restores pruned branches to a multicast tree by sending graft messages towards the upstream switch. Graft messages start at the leaf node and travel up the tree, first sending the message to its neighbor upstream switch. In the example above, if a new 229.255.0.1 group member joins on switch S6, which was previously pruned, a graft is sent upstream to S4.
PIM DM versions
Devices support PIM DM V1 and V2. The default is V2. You can specify the version on an individual interface basis. The primary difference between PIM DM V1 and V2 is the method the protocols use for messaging:
• PIM DM V1 – uses the Internet Group Management Protocol (IGMP) to send messages
• PIM DM V2 – sends messages to the multicast address 224.0.0.13 (ALL-PIM-ROUTERS) with protocol number 103
The CLI commands for configuring and managing PIM DM are the same for V1 and V2.
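The following is an added example, not code from this guide or from Brocade, that makes the PIM DM V2 messaging concrete: PIM V2 messages (Hello, Join/Prune, Graft, Bootstrap and so on) travel directly over IP protocol 103, and link-local ones such as Hello go to 224.0.0.13, so anything that wants to inspect or validate them, for instance a capture filter looking for Hellos from ports where no PIM neighbor should exist, has to decode the PIM header itself. The code builds and parses the 4-byte PIM V2 header and the TLV options of a Hello (holdtime, DR priority, generation ID) following the RFC 4601 layout, verifies the one's-complement checksum, and rejects truncated or mis-versioned input instead of guessing. The packet bytes are constructed for the example; no transport code is included, since sending raw protocol-103 datagrams needs a raw socket and root, which is outside what the passage is about.

```python
"""Parse a PIM version 2 message and verify its checksum.

Added example for this guide, not Brocade code. PIM DM V2 (and PIM Sparse)
send messages directly over IP protocol 103; link-local messages such as
Hello go to 224.0.0.13 (ALL-PIM-ROUTERS). The 4-byte header (4-bit version,
4-bit type, 8 reserved bits, 16-bit one's-complement checksum), the type
numbers and the Hello option codes follow RFC 4601. The packet bytes below
are constructed for the example.
"""
import struct

PIM_PROTOCOL = 103
ALL_PIM_ROUTERS = "224.0.0.13"

PIM_TYPES = {
    0: "Hello", 1: "Register", 2: "Register-Stop", 3: "Join/Prune",
    4: "Bootstrap", 5: "Assert", 6: "Graft", 7: "Graft-Ack",
    8: "Candidate-RP-Advertisement",
}

# Hello option codes: holdtime (1), DR priority (19), generation ID (20).
HELLO_OPTIONS = {1: ("holdtime", "!H"), 19: ("dr_priority", "!I"),
                 20: ("generation_id", "!I")}


def ones_complement_checksum(data):
    """Internet checksum (RFC 1071). Over a valid message it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_pim(msg_type, payload=b""):
    """Build a PIM V2 message with a correct checksum."""
    first = (2 << 4) | (msg_type & 0x0F)
    csum = ones_complement_checksum(struct.pack("!BBH", first, 0, 0) + payload)
    return struct.pack("!BBH", first, 0, csum) + payload


def build_hello(holdtime, dr_priority=1, generation_id=0x1234ABCD):
    """Hello with the three options a neighbor relies on for timeouts and DR election."""
    opts = (struct.pack("!HHH", 1, 2, holdtime)
            + struct.pack("!HHI", 19, 4, dr_priority)
            + struct.pack("!HHI", 20, 4, generation_id))
    return build_pim(0, opts)


def parse_hello_options(payload):
    """Walk the TLV options of a Hello; unknown options are recorded, not fatal."""
    opts = {"unknown": []}
    pos = 0
    while pos + 4 <= len(payload):
        otype, olen = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + olen]
        if len(value) != olen:
            raise ValueError("truncated Hello option %d" % otype)
        known = HELLO_OPTIONS.get(otype)
        if known and struct.calcsize(known[1]) == olen:
            opts[known[0]] = struct.unpack(known[1], value)[0]
        else:
            opts["unknown"].append(otype)
        pos += 4 + olen
    if pos != len(payload):
        raise ValueError("trailing bytes after Hello options")
    return opts


def parse_pim(packet):
    """Return a dict describing the message; raise ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("truncated PIM header")
    first, _reserved, _csum = struct.unpack("!BBH", packet[:4])
    version, msg_type = first >> 4, first & 0x0F
    if version != 2:
        raise ValueError("unsupported PIM version %d" % version)
    # Register messages checksum only their first 8 bytes (RFC 4601 4.9);
    # every other type checksums the whole message.
    covered = packet[:8] if msg_type == 1 else packet
    info = {
        "version": version,
        "type": msg_type,
        "type_name": PIM_TYPES.get(msg_type, "Unknown"),
        "checksum_ok": ones_complement_checksum(bytes(covered)) == 0,
        "payload": packet[4:],
    }
    if msg_type == 0 and info["checksum_ok"]:
        info["options"] = parse_hello_options(packet[4:])
    return info


# Constructed sample: a Hello advertising a 105-second holdtime, and the same
# packet with one payload bit flipped, which must fail checksum verification.
SAMPLE_HELLO = build_hello(holdtime=105)
CORRUPTED_HELLO = SAMPLE_HELLO[:-1] + bytes([SAMPLE_HELLO[-1] ^ 0x01])

if __name__ == "__main__":
    for name, pkt in (("good", SAMPLE_HELLO), ("corrupted", CORRUPTED_HELLO)):
        print(name, parse_pim(pkt))
```

The holdtime option is what the neighbor timeout described later in this chapter is measured against: a router that stops hearing Hellos within the holdtime (or the configured neighbor timeout) declares the neighbor absent, so a decoder like this is also what you would use to confirm which holdtime a neighbor is actually advertising.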
Globally enabling and disabling PIM
To globally enable PIM, enter the following command.
TurboIron(config)#router pim
Syntax: [no] router pim
The behavior of the [no] router pim command is as follows:
• Entering the router pim command to enable PIM does not require a software reload.
• Entering the no router pim command removes all configuration for PIM multicast on a Layer 3 Switch (router pim level) only.
• Graft retransmit timer
• Inactivity timer
Modifying neighbor timeout
Neighbor timeout is the interval after which a PIM router considers a neighbor to be absent. Absence of PIM hello messages from a neighboring router indicates that the neighbor is not present. The default value is 180 seconds. To apply a PIM neighbor timeout value of 360 seconds to all ports on the router operating with PIM, enter the following.
A prune wait value of zero causes the PIM router to stop traffic immediately upon receiving a prune message. If there are two or more neighbors on the physical port, the prune-wait command should not be used, because one neighbor may send a prune message while the other sends a join message at the same time or within less than three seconds. To set the prune wait time to zero, enter the following commands.
Failover time in a multi-path topology
When a port in a multi-path topology fails, and the failed port is the input port of the downstream router, a new path is re-established within a few seconds, depending on the routing protocol being used. No configuration is required for this feature.
Modifying the TTL
The TTL defines the minimum value required in a packet for it to be forwarded out of the interface.
PIM Sparse switch types
Switches that are configured with PIM Sparse interfaces also can be configured to fill one or more of the following roles:
• PMBR – A PIM switch that has some interfaces within the PIM domain and other interfaces outside the PIM domain. PMBRs connect the PIM domain to the Internet.
NOTE
You cannot configure a routing interface as a PMBR interface for PIM Sparse in the current software release.
To enhance overall network performance, Layer 3 Switches use the RP to forward only the first packet from a group source to the group receivers. After the first packet, the Layer 3 Switch calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver. The Layer 3 Switch calculates a separate SPT for each source-receiver pair.
NOTE
Brocade recommends that you configure the same Layer 3 Switch as both the BSR and the RP.
Limitations in this release
The implementation of PIM Sparse in the current software release has the following limitations:
• PIM Border Routers (PMBRs) are not supported. Thus, you cannot configure a routing interface as a PMBR interface for PIM Sparse.
• PIM Sparse and regular PIM (dense mode) cannot be used on the same interface.
To enable PIM Sparse mode on an interface, enter commands such as the following.
TurboIron(config)#interface ethernet 2
TurboIron(config-if-2)#ip address 10.95.7.1 255.255.255.0
TurboIron(config-if-2)#ip pim-sparse
Syntax: [no] ip pim-sparse
The commands in this example add an IP interface to port 2, then enable PIM Sparse on the interface. If the interface is on the border of the PIM Sparse domain, you also must enter the following command.
NOTE
Brocade recommends you specify 30 for IP version 4 (IPv4) networks.
The parameter specifies the BSR priority. You can specify a value from 0 – 255. When the election process for BSR takes place, the candidate BSR with the highest priority becomes the BSR. The default is 0.
Configuring RPs
Enter a command such as the following to configure the Layer 3 Switch as a candidate RP.
The clear pim rp-map command allows you to update the entries in the static multicast forwarding table immediately after making RP configuration changes. This command is meant to be used with the rp-address command. To update the entries in a PIM sparse static multicast forwarding table with new RP configuration, enter the following command at the privileged EXEC level of the CLI.
After the Layer 3 Switch receives a packet for a given source-group pair, the Layer 3 Switch starts a PIM data timer for that source-group pair. If the Layer 3 Switch does not receive another packet for the source-group pair before the timer expires, it reverts to using the RP for the next packet received for the source-group pair. In accordance with the PIM Sparse RFC recommendation, the timer is 210 seconds and is not configurable.
RP1(config-lbif-1)#ip ospf passive
RP1(config-lbif-1)#ip address 10.0.0.1/32
RP1(config-lbif-1)#ip pim-sparse
RP1(config-lbif-1)#exit
RP1(config)#interface loopback 2
RP1(config-lbif-2)#ip ospf area 0
RP1(config-lbif-2)#ip ospf passive
RP1(config-lbif-2)#ip address 10.1.1.1/32
RP1(config-lbif-2)#exit
RP1(config)#interface ethernet 1
RP1(config-if-e10000-1)#ip ospf area 0
RP1(config-if-e10000-1)#ip address 10.192.1.
RP2(config-pim-router)#rp-candidate loopback 1
RP2(config-pim-router)#exit
RP2(config)#router msdp
RP2(config-msdp-router)#msdp-peer 10.1.1.1 connect-source loopback 2
RP2(config-msdp-router)#originator-id loopback 2
RP2(config)#ip router-id 10.1.1.2
The example shown in Figure 107 is an anycast-enabled network with three RPs connected in a triangular mesh topology. Loopback 2 in RP 1, RP 2, and RP 3 have the same IP address, which is the anycast RP address.
RP1(config-lbif-1)#ip ospf area 0
RP1(config-lbif-1)#ip ospf passive
RP1(config-lbif-1)#ip address 10.1.1.1/32
RP1(config-lbif-1)#exit
RP1(config)#interface loopback 2
RP1(config-lbif-2)#ip ospf area 0
RP1(config-lbif-2)#ip ospf passive
RP1(config-lbif-2)#ip pim-sparse
RP1(config-lbif-2)#ip address 10.2.1.1/32
RP1(config-lbif-2)#exit
RP1(config)#interface ethernet 1
RP1(config-if-e10000-1)#ip ospf area 0
RP1(config-if-e10000-1)#ip ospf cost 2
RP1(config-if-e10000-1)#ip address 10.192.1.
RP2(config-pim-router)#rp-address 10.2.1.1
RP2(config-pim-router)#exit
RP2(config)#router msdp
RP2(config-msdp-router)#msdp-peer 10.1.1.1 connect-source loopback 1
RP2(config-msdp-router)#msdp-peer 10.1.1.3 connect-source loopback 1
RP2(config-msdp-router)#mesh-group mesh1 10.1.1.1
RP2(config-msdp-router)#mesh-group mesh1 10.1.1.3
RP2(config-msdp-router)#originator-id loopback 1
RP2(config-msdp-router)#exit
RP2(config)#ip router-id 10.1.1.
PIM Sparse • • • • • • • • • • Group information BSR information Candidate RP information RP-to-group mappings RP information for a PIM Sparse group RP set list PIM Neighbor information The PIM flow cache The PIM multicast cache PIM traffic statistics Displaying basic PIM Sparse configuration information To display basic configuration information for PIM Sparse, enter the following command at any CLI level.
PIM Sparse TABLE 117 Output of show ip pim sparse (Continued) This field... Displays... Bootstrap Msg interval How frequently the BSR configured on the Layer 3 Switch sends the RP set to the RPs within the PIM Sparse domain. The RP set is a list of candidate RPs and their group prefixes. A candidate RP group prefix indicates the range of PIM Sparse group numbers for which it can be an RP. NOTE: This field contains a value only if an interface on the Layer 3 Switch is elected to be the BSR.
PIM Sparse This display shows the following information. TABLE 118 Output of show ip pim group This field... Displays... Total number of Groups Lists the total number of IP multicast groups the Layer 3 Switch is forwarding. NOTE: This list can include groups that are not PIM Sparse groups. If interfaces on the Layer 3 Switch are configured for regular PIM (dense mode), these groups are listed too. Index The index number of the table entry in the display.
PIM Sparse TABLE 119 Output of show ip pim bsr (Continued) This field... Displays... BSR priority or local BSR priority The priority assigned to the interface for use during the BSR election process. During BSR election, the priorities of the candidate BSRs are compared and the interface with the highest BSR priority becomes the BSR. NOTE: If the word “local” does not appear in the field, this Layer 3 Switch is the BSR. If the word “local” does appear, this Layer 3 Switch is not the BSR.
TurboIron#show ip pim resource
                       alloc   in-use
NBR list               64      0
timer                  256     0
pimsm J/P elem         0       0
pimsm group2rp         0       0
pimsm L2 reg xmt       64      0
mcache                 256     0
mcache hash link       997     0
mcache 2nd hash        9       0
graft if no mcache     197     0
pim/dvm global group   256     0
pim/dvmrp prune        128     0
Output intf-vlan       2000    0
group hash link        97      0
2D vlan for nbr, glb   2000    0
Output intf.           1024    0
2D for glb grp         1024    0
pim/dvm config.
PIM Sparse TABLE 120 Output of show ip pim resource command (Continued) This field... Displays... size Size of each element init Number of elements allocated for the pool at the bootup #of PIM ports Total number of PIM ports, by port type, on the device Total, allocated, and available Mils In Layer 3 multicast, this refers to the Multicast Linked List that contains information on where (S,G) gets forwarded.
TurboIron#show ip pim rp-map
Number of group-to-RP mappings: 6
   Group address    RP address
   ------------------------------
1  239.255.163.1    10.99.99.5
2  239.255.163.2    10.99.99.5
3  239.255.163.3    10.99.99.5
4  239.255.162.1    10.99.99.5
5  239.255.162.2    10.43.43.1
6  239.255.162.3    10.99.99.5
Syntax: show ip pim rp-map
This display shows the following information.
TABLE 122 Output of show ip pim rp-map command
This field... Displays...
TurboIron#show ip pim rp-set
Group address     Static-RP-address    Override
--------------------------------------------------
Access-List 44    10.99.99.5           On
Number of group prefixes Learnt from BSR: 1
Group prefix = 239.255.162.0/24    #RPs expected: 1    #RPs received: 1
  RP 1: 10.43.43.1    priority=0    age=0
Syntax: show ip pim rp-set
This display shows the following information.
TABLE 124 Output of show ip pim rp-set command
This field... Displays...
PIM Sparse TABLE 125 Output of show ip pim nbr command (Continued) This field... Displays... Holdtime sec Indicates how many seconds the neighbor wants this Layer 3 Switch to hold the entry for this neighbor in memory. The neighbor sends the Hold Time in its Hello packets: • If the Layer 3 Switch receives a new Hello packet before the Hold Time received in the previous packet expires, the Layer 3 Switch updates its table entry for the neighbor.
TABLE 126 Output of show ip pim flowcache command
This field... Displays...
Source Indicates the source of the PIM Sparse group.
Group Indicates the PIM Sparse group.
Parent Indicates the port or virtual interface from which the Layer 3 Switch receives packets from the group source.
CamFlags This field is used by Brocade technical support for troubleshooting.
CamIndex This field is used by Brocade technical support for troubleshooting.
TABLE 127 Output of show ip pim mcache command (Continued)
This field... Displays...
RPT Indicates whether the cache entry uses the RP path or the SPT path. The RPT flag can have one of the following values:
• 0 – The SPT path is used instead of the RP path.
• 1 – The RP path is used instead of the SPT path.
NOTE: The values of the RPT and SPT flags are always opposite (one is set to 0 and the other is set to 1).
SPT Indicates whether the cache entry uses the RP path or the SPT path.
PIM Sparse TurboIron#show ip pim traffic Port e8 Port v1 Hello [Rx 19 [Rx 32 Hello [Rx Tx] 18 19 [Rx 0 Port v2 J/P Tx] 19 RegStop [Rx Tx] 37 0 [Rx 0 Assert Tx] 0 Tx] 20 Register [Rx Tx] 0 0 RegStop [Rx Tx] 0 0 [Rx 0 Assert Tx] 0 Tx] 0 Register [Rx Tx] 0 16 RegStop [Rx Tx] 0 0 [Rx 0 Assert Tx] 0 0 J/P Hello [Rx 0 Register [Rx Tx] 0 0 Tx] J/P Tx] 19 [Rx 0 Total 37 57 32 IGMP Statistics: Total Recv/Xmit 85/110 Total Discard/chksum 0/0 0 0 0 0 0 0 0 Syntax: show ip pim traffi
Passive multicast route insertion This command displays the number of warnings and non-zero PIM errors on the device. This count can increase during transition periods such as reboots and topology changes; however, if the device is stable, the number of errors should not increase. If warnings keep increasing in a stable topology, then there may be a configuration error or problems on the device. To clear the counter for PIM errors, enter the following command.
Multicast Source Discovery Protocol (MSDP)
MSDP lets the Rendezvous Point (RP) of one PIM Sparse domain learn about active multicast sources in other PIM Sparse domains. A source registers with the RP of its own domain through PIM; RPs that run MSDP then exchange that source information with their MSDP peers, so receivers in one domain can join a source located in another. Figure 108 shows an example of some PIM Sparse domains. For simplicity, this example shows only one Designated Router (DR), one group source, and one receiver for the group. Only one PIM Sparse router within each domain needs to run MSDP.
Multicast Source Discovery Protocol (MSDP) The RP sends the source information to each of its peers by sending a Source Active message. The message contains the IP address of the source, the group address to which the source is sending, and the IP address of the RP interface with its peer. By default, the IP address included in the RP address field of the SA message is the IP address of the originating RP.
Some MSDP routers that are also RPs can cache Source Active messages. An RP that caches Source Active messages keeps the source and group information it receives, so when a receiver later joins the group the RP can send a Join message toward the source without waiting for the next Source Active message. An RP that does not cache sends a Join message only if it already has a receiver that wants to join the group; otherwise it forwards the Source Active message to its peers and does not remember the information the message contained.
Multicast Source Discovery Protocol (MSDP) The connect-source loopback parameter specifies the loopback interface you want to use as the source for sessions with the neighbor. NOTE It is strongly recommended that you use the connect-source loopback parameter when issuing the msdp-peer command. If you do not use this parameter, the Layer 3 Switch uses the subnet interface configured on the port.
Filtering MSDP source-group pairs
The following commands allow you to filter individual source-group pairs in MSDP Source-Active messages:
• sa-filter in – Filters source-group pairs received in Source-Active messages from an MSDP neighbor
• sa-filter originate – Filters source-group pairs in Source-Active messages in advertisements to an MSDP neighbor
Filtering incoming source-active messages
The following example configures filters for incoming Source-Active
TurboIron(config)#router msdp
TurboIron(config-msdp-router)#msdp-peer 2.2.2.99 connect-source loopback 1
TurboIron(config-msdp-router)#msdp-peer 2.2.2.97 connect-source loopback 1
TurboIron(config-msdp-router)#msdp-peer 2.2.2.96 connect-source loopback 1
TurboIron(config-msdp-router)#exit
The following commands configure the Source-Active filters.
TurboIron(config)#router msdp
TurboIron(config-msdp-router)#sa-filter in 2.2.2.
Multicast Source Discovery Protocol (MSDP) Example The following commands configure an IP address on port 3/1. This is the port on which the MSDP neighbors will be configured. TurboIron(config)#interface ethernet 3/1 TurboIron(config-if-3/1)#ip address 2.2.2.98/24 TurboIron(config-if-3/1)#exit The following commands configure a loopback interface. The Layer 3 Switch will use this interface as the source address for communicating with the MSDP neighbors.
MSDP mesh groups
A PIM Sparse domain can have several RPs that are connected to each other to form an MSDP mesh group. To qualify as a mesh group, the RPs have to be fully meshed; that is, each RP must be connected to all peer RPs in a domain. (See Figure 109.) A mesh group reduces the forwarding of SA messages within a domain. Because every member has a direct peering with every other member, an SA message received from a mesh-group peer is not forwarded to the other members of the same mesh group; only the RP that receives an SA message from outside the group forwards it to the group members.
Example configuration
In Figure 109, devices A, B, C, and D are in Mesh Group 1234. The example configuration following the figure shows how the devices are configured to be part of the MSDP mesh group. The example also shows the features that need to be enabled for the MSDP mesh group to work.
FIGURE 109 MSDP mesh group 1234
TurboIron(config)#interface loopback 1
TurboIron(config-lbif-1)#ip address 10.1.1.1 255.255.255.0
TurboIron(config-lbif-1)#ip pim-sparse
TurboIron(config-lbif-1)#exit
TurboIron(config)#interface ethernet 1/1
TurboIron(config-if-1/1)#ip address 10.14.14.1 255.255.255.0
TurboIron(config-if-1/1)#ip pim-sparse
TurboIron(config-if-1/1)#exit
TurboIron(config)#interface ethernet 2/1
TurboIron(config-if-2/1)#ip address 10.12.12.1 255.255.255.
TurboIron(config)#router msdp
TurboIron(config-msdp-router)#msdp-peer 10.1.3.1 connect-source loopback 1
TurboIron(config-msdp-router)#msdp-peer 10.1.1.1 connect-source loopback 1
TurboIron(config-msdp-router)#msdp-peer 10.1.4.1 connect-source loopback 1
TurboIron(config-msdp-router)#mesh-group 1234 10.1.1.1
TurboIron(config-msdp-router)#mesh-group 1234 10.1.3.1
TurboIron(config-msdp-router)#mesh-group 1234 10.1.4.
Multicast Source Discovery Protocol (MSDP) Configuration for Device C The following set of commands configure the MSDP peers of Device C (10.1.3.1) that are inside and outside MSDP mesh group 1234. Device C peers inside the mesh group 1234 are 10.1.1.1, 10.1.2.1, and 10.1.4.1. Device 10.35.35.5 is a peer of Device C, but is outside mesh group 1234. Multicast is enabled on Device C interfaces. PIM and BGP are also enabled.
TurboIron(config-bgp-router)#neighbor 10.32.32.2 remote-as 222
TurboIron(config-bgp-router)#neighbor 10.32.32.2 next-hop-self
TurboIron(config-bgp-router)#neighbor 10.34.34.4 remote-as 444
TurboIron(config-bgp-router)#neighbor 10.34.34.4 next-hop-self
TurboIron(config-bgp-router)#neighbor 10.31.31.1 remote-as 111
TurboIron(config-bgp-router)#neighbor 10.31.31.
TurboIron(config)#router pim
TurboIron(config-pim-router)#bsr-candidate loopback 1 14 34
TurboIron(config-pim-router)#rp-candidate loopback 1
TurboIron(config-pim-router)#exit
TurboIron(config)#router bgp
TurboIron(config-bgp-router)#local-as 444
TurboIron(config-bgp-router)#neighbor 10.34.34.3 remote-as 333
TurboIron(config-bgp-router)#neighbor 10.34.34.3 next-hop-self
TurboIron(config-bgp-router)#neighbor 10.14.14.
Multicast Source Discovery Protocol (MSDP) TABLE 129 MSDP summary information This field... Displays... Peer Address The IP address of the peer interface with the Layer 3 Switch State The state of the MSDP router connection with the peer. The state can be one of the following: • CONNECT – The session is in the active open state. • ESTABLISH – The MSDP session is fully up. • IDLE– The session is idle or inactive. • LISTEN – The session is in the passive open state.
This display shows the following information.
TABLE 130 MSDP peer information
This field... Displays...
Total number of MSDP peers The number of MSDP peers configured on the Layer 3 Switch
IP Address The IP address of the peer interface with the Layer 3 Switch
State The state of the MSDP router connection with the peer. The state can be one of the following:
• CONNECT – The session is in the active open state.
Multicast Source Discovery Protocol (MSDP) TABLE 130 MSDP peer information (Continued) This field... Displays... Notification Message Error SubCode Transmitted See above. TCP Statistics TCP connection state The state of the connection with the neighbor. The connection can have one of the following states: • LISTEN – Waiting for a connection request. • SYN-SENT – Waiting for a matching connection request after having sent a connection request.
Multicast Source Discovery Protocol (MSDP) TABLE 130 MSDP peer information (Continued) This field... Displays... RcvQue The number of sequence numbers in the receive queue. SendQue The number of sequence numbers in the send queue. Displaying source active cache information To display the Source Actives in the MSDP cache, use the following CLI method. TurboIron(config-msdp-router)#show ip msdp sa-cache Total Index 1 2 3 4 5 6 7 8 9 10 Entry 4096, Used 1800 Free 2296 SourceAddr GroupAddr Age (10.
Using ACLs to control multicast features Clearing peer information To clear MSDP peer information, enter the following command at the Privileged EXEC level of the CLI: TurboIron#clear ip msdp peer 10.216.162.1 Remote connection closed Syntax: clear ip msdp peer The command in this example clears the MSDP peer connection with MSDP router 10.216.162.1. The CLI displays a message to indicate when the connection has been successfully closed.
To configure an RP that covers multicast groups in 239.255.162.x, enter commands such as the following.
TurboIron(config)#access-list 2 permit 239.255.162.0 0.0.0.255
TurboIron(config)#router pim
TurboIron(config-pim-router)#rp-address 10.43.43.1 2
To configure an RP that covers multicast groups in the 239.255.162.x range, except the 239.255.162.2 group, enter commands such as the following.
TurboIron(config)#access-list 5 deny host 239.255.162.
TurboIron#show ip pim rp-map
Number of group-to-RP mappings: 6
   Group address    RP address
   ------------------------------
1  239.255.163.1    10.43.43.1
2  239.255.163.2    10.43.43.1
3  239.255.163.3    10.43.43.1
4  239.255.162.1    10.99.99.5
5  239.255.162.2    10.99.99.5
6  239.255.162.3    10.99.99.5
The display shows the multicast group addresses covered by the RP candidate and the IP address of the RP for the listed multicast group.
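The following Python is an added example, not Brocade code and not part of this guide. It models how the standard numbered ACL forms used above (`access-list N permit|deny A.B.C.D W.W.W.W` and `access-list N permit|deny host A.B.C.D`) are evaluated against a group address, first match wins with an implicit deny at the end, and how a static rp-address whose group-list permits a group overrides the RP learnt from the BSR for that group (the "Override On" the rp-set display reports). The BSR prefixes, RP addresses and group addresses in the sample scenario are constructed; the real device also hashes among several candidate RPs for one prefix, which is not modelled here.

```python
"""How a group-list ACL selects the RP for a multicast group (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    address: int
    wildcard: int      # wildcard mask as on the page: a 1 bit means "don't care"

    def matches(self, group: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return group & care == self.address & care


@dataclass
class StandardAcl:
    number: int
    entries: List[AclEntry] = field(default_factory=list)

    def add(self, line: str) -> "StandardAcl":
        """Parse one `access-list <number> permit|deny ...` line, in the order entered."""
        tok = line.split()
        if tok[:2] != ["access-list", str(self.number)] or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not an access-list {self.number} line: {line!r}")
        if tok[3] == "host":
            self.entries.append(AclEntry(tok[2], _u32(tok[4]), 0))          # exact host match
        else:
            self.entries.append(AclEntry(tok[2], _u32(tok[3]), _u32(tok[4])))
        return self

    def permits(self, group: str) -> bool:
        g = _u32(group)
        for e in self.entries:          # entries are tested in order; the first match decides
            if e.matches(g):
                return e.action == "permit"
        return False                    # implicit deny at the end of every ACL


def rp_for_group(group: str, bsr_map: Dict[str, str],
                 static_rps: List[Tuple[str, Optional[StandardAcl]]]) -> Optional[str]:
    """Static RPs (rp-address [group-list]) are consulted first and override the BSR;
    a static RP with no group-list covers every group. Otherwise the longest
    BSR-learnt group prefix containing the group picks the RP."""
    for rp, acl in static_rps:
        if acl is None or acl.permits(group):
            return rp
    g = ipaddress.IPv4Address(group)
    covering = [(ipaddress.IPv4Network(p).prefixlen, rp) for p, rp in bsr_map.items()
                if g in ipaddress.IPv4Network(p)]
    return max(covering)[1] if covering else None


def build_rp_map(groups: List[str], bsr_map: Dict[str, str],
                 static_rps: List[Tuple[str, Optional[StandardAcl]]]) -> Dict[str, Optional[str]]:
    """The equivalent of `show ip pim rp-map` for the given groups."""
    return {g: rp_for_group(g, bsr_map, static_rps) for g in groups}


if __name__ == "__main__":
    # Constructed scenario: the BSR advertised 10.99.99.5 for 239.255.0.0/16, and a static
    # RP 10.43.43.1 is configured with group-list 5 covering 239.255.162.x except .162.2.
    acl5 = (StandardAcl(5)
            .add("access-list 5 deny host 239.255.162.2")
            .add("access-list 5 permit 239.255.162.0 0.0.0.255"))
    rp_map = build_rp_map(["239.255.162.1", "239.255.162.2", "239.255.162.3", "239.255.163.1"],
                          {"239.255.0.0/16": "10.99.99.5"}, [("10.43.43.1", acl5)])
    for grp, rp in rp_map.items():
        print(f"{grp:16} {rp}")
```

Group 239.255.162.2 is denied by the static RP's group-list, so it falls through to the BSR-learnt RP while the rest of 239.255.162.x stays with the static RP; a group no RP covers maps to nothing, which is the case to check when a group-list is edited.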
Tracing a multicast route
TurboIron(config)#router pim
TurboIron(config-pim-router)#bsr-candidate loopback 1 32 100
TurboIron(config-pim-router)#rp-candidate loopback 1 group-list 5
Syntax: [no] rp-candidate ethernet | loopback | ve [group-list ]
The | loopback | ve parameter specifies the interface.
Displaying the multicast configuration for another multicast router The command example above indicates that the source address 10.157.24.62 is three hops (three PIM switches) away from PIM Switch A. In PIM terms, each of the three switches has a forwarding state for the specified source address and multicast group. The value following “Thresh” in some of the lines indicates the TTL threshold. The threshold 0 means that all multicast packets are forwarded on the interface.
IGMP V3
NOTE
This display shows the PIM interface configuration information, but does not show the link states for the interfaces.
The information in brackets indicates the following:
• The multicast interface type (always PIM)
• The Time-to-Live (TTL) for the interface.
• Source-List-Change Record. If the interface wants to add or remove traffic sources from its membership report, the membership report can have an ALLOW record, which contains a list of new sources from which the interface wishes to receive traffic. It can also contain a BLOCK record, which lists current traffic sources from which the interface wants to stop receiving traffic.
IGMP V3 Globally enabling the IGMP version Using the CLI To globally identify the IGMP version on a device, enter the following command. TurboIron(config)#ip igmp version 3 Syntax: ip igmp version Enter 1, 2, or 3 for . Version 2 is the default version. Enabling the IGMP version per interface setting To specify the IGMP version for a physical port, enter a command such as the following.
Enabling membership tracking and fast leave
IGMP V3 provides membership tracking and fast leave to clients. In IGMP V2, only one client on an interface needs to respond to the router's queries; therefore, some of the clients may be invisible to the router, making it impossible for the router to track the membership of all clients in a group.
IGMP V3 Setting the group membership time Group membership time defines how long a group will remain active on an interface in the absence of a group report. Possible values are from 20 – 7200 seconds and the default value is 140 seconds. To define an IGMP membership time of 240 seconds, enter the following.
IGMP V3 TurboIron#show ip igmp group 239.0.0.1 detail Display group 239.0.0.1 in all interfaces. Interface v18 : 1 groups group phy-port static querier life mode #_src 1 239.0.0.1 e20 no yes include 19 group: 239.0.0.1, include, permit 19 (source, life): (10.3.3.1 40) (10.3.3.2 40) (10.3.3.3 40) (10.3.3.4 40) (10.3.3.5 40) (10.3.3.6 40) (10.3.3.7 40) (10.3.3.8 40) (10.3.3.9 40) (10.3.3.10 40) (10.3.3.11 40) (10.3.3.12 40) (10.3.3.13 40) (10.3.3.14 40) (10.3.3.15 40) (10.3.3.16 40) (10.3.3.17 40) (10.3.3.
IGMP V3 TABLE 132 Output of show ip igmp group (Continued) This field Displays Mode Indicates current mode of the interface: Include or Exclude. If the interface is in Include mode, it admits traffic only from the source list. If an interface is in Exclude mode, it denies traffic from the source list and accepts the rest. #_src Identifies the source list that will be included or excluded on the interface.
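As an added example that is not part of this guide, the following Python implements the router-side IGMPv3 group state the table describes: Include and Exclude filter modes with a per-source list, the ALLOW/BLOCK source-list changes and TO_IN/TO_EX mode changes, the page's default group membership time of 140 seconds as the source and group timer value, and the ToIN/ToEX/ALLOW/BLK counters reported by show ip igmp traffic. The transitions follow RFC 3376 section 6.4; the group-and-source specific queries a router would send after a BLOCK or TO_EX are omitted, and the source addresses in the demonstration are constructed.

```python
"""Router-side IGMPv3 state for one (interface, group) pair (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable

GMI = 140.0  # Group Membership Interval: the page's default "group membership time", seconds


@dataclass
class GroupState:
    mode: str = "include"                                   # "include" or "exclude"
    timers: Dict[str, float] = field(default_factory=dict)  # source -> absolute expiry; 0 marks an excluded source
    group_timer: float = 0.0                                # meaningful in exclude mode only
    counters: Dict[str, int] = field(
        default_factory=lambda: {"ToIN": 0, "ToEX": 0, "ALLOW": 0, "BLK": 0})

    def _x(self) -> set:   # "requested" sources: timer running
        return {s for s, t in self.timers.items() if t > 0}

    def _y(self) -> set:   # "excluded" sources: zero timer, never forwarded
        return {s for s, t in self.timers.items() if t == 0}

    def report(self, rtype: str, sources: Iterable[str], now: float) -> None:
        """Apply one group record: IS_IN, IS_EX, TO_IN, TO_EX, ALLOW or BLOCK."""
        a, exp = set(sources), now + GMI
        if rtype in ("IS_IN", "TO_IN", "ALLOW"):
            # INCLUDE(A)+... -> INCLUDE(A+B); EXCLUDE(X,Y)+... -> EXCLUDE(X+B, Y-B); (B)=GMI
            for s in a:
                self.timers[s] = exp
        elif rtype in ("IS_EX", "TO_EX"):
            x, y = self._x(), self._y()
            if self.mode == "include":
                # INCLUDE(A)+IS_EX/TO_EX(B) -> EXCLUDE(A*B, B-A): B-A excluded, A-B deleted
                new = {s: (self.timers[s] if s in x else 0.0) for s in a}
            else:
                # EXCLUDE(X,Y)+IS_EX/TO_EX(A) -> EXCLUDE(A-Y, Y*A); new sources get GMI (IS_EX)
                # or the current group timer (TO_EX); X-A and Y-A are deleted
                fresh = exp if rtype == "IS_EX" else self.group_timer
                new = {s: (self.timers[s] if s in x | y else fresh) for s in a}
            self.timers, self.mode, self.group_timer = new, "exclude", exp
        elif rtype == "BLOCK":
            if self.mode == "exclude":
                # EXCLUDE(X,Y)+BLOCK(A) -> EXCLUDE(X+(A-Y), Y): unknown sources join X with the group timer
                for s in a - self._x() - self._y():
                    self.timers[s] = self.group_timer
            # INCLUDE(A)+BLOCK(B): no state change; the router would query Q(G, A*B) instead
        else:
            raise ValueError(f"unknown record type {rtype}")
        key = {"TO_IN": "ToIN", "TO_EX": "ToEX", "ALLOW": "ALLOW", "BLOCK": "BLK"}.get(rtype)
        if key:
            self.counters[key] += 1

    def forwards(self, source: str, now: float) -> bool:
        """Would traffic from `source` be forwarded on this interface right now?"""
        t = self.timers.get(source)
        if self.mode == "include":
            return t is not None and t > now          # only listed, unexpired sources
        return t is None or t > now                   # everything except Y and timed-out X sources

    def expire(self, now: float) -> None:
        """Age out state, as the membership time does on the device."""
        if self.mode == "include":
            self.timers = {s: t for s, t in self.timers.items() if t > now}   # drop the source record
        elif self.group_timer <= now:
            self.mode = "include"                                              # EXCLUDE(X,Y) -> INCLUDE(X)
            self.timers = {s: t for s, t in self.timers.items() if t > now}
        else:
            self.timers = {s: (t if t > now else 0.0) for s, t in self.timers.items()}  # expired X -> Y


if __name__ == "__main__":
    # Constructed walk-through: a host reports two sources, blocks one, then switches to exclude mode.
    g = GroupState()
    g.report("IS_IN", ["10.3.3.1", "10.3.3.2"], now=0)
    g.report("BLOCK", ["10.3.3.2"], now=20)
    g.report("TO_EX", ["10.3.3.2", "10.3.3.5"], now=40)
    for src in ("10.3.3.1", "10.3.3.2", "10.3.3.5"):
        print(f"{g.mode:8} {src:10} forward={g.forwards(src, 50)}")
    print(g.counters)
```

The walk-through shows the point the table makes about modes: after the TO_EX record the interface is in Exclude mode, so 10.3.3.1, which was never mentioned in that record, is now forwarded, while 10.3.3.5 in the exclude list is not.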
TABLE 133 Output of show ip igmp interface
This field Displays
Query interval How often the querier sends a general query on the interface.
Max response The maximum number of seconds a client can wait before it replies to the query.
Group membership time The number of seconds a group remains active on the interface without a membership report before it ages out.
IGMP V3 TABLE 134 Output of show ip igmp traffic (Continued) This field Displays ToIN Number of times the interface mode changed from exclude to include. ToEX Number of times the interface mode changed from include to exclude. ALLOW Number of times that additional source addresses were allowed or denied on the interface. BLK Number of times that sources were removed from an interface. Clearing IGMP statistics To clear statistics for IGMP traffic, enter the following command.
Chapter 27
Configuring VRRP and VRRPE
In this chapter
• Overview
• Comparison of VRRP and VRRPE
• VRRP and VRRPE parameters
• Configuring basic VRRP parameters
• Configuring basic VRRPE parameters
Overview
Overview of VRRP
NOTE
VRRP support in the base Layer 3 code is the same as in the full Layer 3 code.
VRRP is a protocol that provides redundancy to routers within a LAN. VRRP allows you to provide alternate router paths for a host without changing the IP address or MAC address by which the host knows its gateway. Consider the situation shown in Figure 111.
FIGURE 111 Switch 1 is Host1's default gateway but is a single point of failure
Overview The dashed box in Figure 112 represents a VRRP virtual router. When you configure a virtual router, one of the configuration parameters is the virtual router ID (VRID), which can be a number from 1 – 255. In this example, the VRID is 1. NOTE You can provide more redundancy by also configuring a second VRID with Switch 2 as the Owner and Switch 1 as the Backup. This type of configuration is sometimes called Multigroup VRRP.
Overview When you configure a VRID, the software automatically assigns its MAC address. When a VRID becomes active, the Master router broadcasts a gratuitous ARP request containing the virtual router MAC address for each IP address associated with the virtual router. In Figure 112, Switch 1 sends a gratuitous ARP with MAC address 00-00-00-00-01-01 and IP address 10.53.5.1. Hosts use the virtual router MAC address in routed traffic they send to their default IP gateway (in this example, 10.53.5.1).
Overview Hello messages VRRP routers use Hello messages for negotiation to determine the Master router. VRRP routers send Hello messages to IP Multicast address 224.0.0.18. The frequency with which the Master sends Hello messages is the Hello Interval. Only the Master sends Hello messages. However, a Backup uses the Hello interval you configure for the Backup if it becomes the Master. The Backup routers wait for a period of time called the Dead Interval for a Hello message from the Master.
Overview the track priorities are always lower than the VRRP priorities. The default track priority for the router that owns the VRID IP addresses is 2. The default track priority for Backup routers is 1. If you change the track port priorities, make sure you assign a higher track priority to the Owner of the IP addresses than the track priority you assign on the Backup routers.
Overview • VRRPE does not use Owners. All routers are Backups for a given VRID. The router with the highest priority becomes Master. If there is a tie for highest priority, the router with the highest IP address becomes Master. The elected Master owns the virtual IP address and answers ping and ARP requests and so on. • VRID's IP address: • VRRP requires that the VRID also be a real IP address configured on the VRID's interface on the Owner.
Overview In this example, Switch 1 and Switch 2 use VRRPE to load share as well as provide redundancy to the hosts. The load sharing is accomplished by creating two VRRPE groups. Each group has its own virtual IP addresses. Half of the clients point to VRID 1's virtual IP address as their default gateway and the other half point to VRID 2's virtual IP address as their default gateway. This will enable some of the outbound Internet traffic to go through Switch 1 and the rest to go through Switch 2.
Comparison of VRRP and VRRPE
Configuration note
VRRP-E is supported in the full Layer 3 code only. It is not supported in the Base Layer 3 code.
Comparison of VRRP and VRRPE
This section compares the two router redundancy protocols.
VRRP
VRRP is a standards-based protocol, described in RFC 2338. The Brocade VRRP implementation supports the features defined in RFC 2338.
VRRP and VRRPE parameters Virtual router IP address (the address you are backing up) • VRRP – The virtual router IP address is the same as an IP address or virtual interface configured on one of the Layer 3 Switches, which is the “Owner” and becomes the default Master. • VRRPE – The virtual router IP address is the gateway address you want to backup, but does not need to be an IP interface configured on one of the Layer 3 Switch ports or a virtual interface.
VRRP and VRRPE parameters TABLE 135 VRRP and VRRPE parameters (Continued) Parameter Description Default See page... VRID MAC address The source MAC address in VRRP or VRRPE packets sent from the VRID interface, and the destination for packets sent to the VRID: • VRRP – A virtual MAC address defined as 00-00-00-00-01-. The Master owns the Virtual MAC address.
Configuring basic VRRP parameters TABLE 135 VRRP and VRRPE parameters (Continued) Parameter Description Default See page... Dead interval The number of seconds a Backup waits for a Hello message from the Master for the VRID before determining that the Master is no longer active. If the Master does not send a Hello message before the dead interval expires, the Backups negotiate (compare priorities) to select a new Master for the VRID.
Configuring basic VRRPE parameters
Configuring the Owner
Router1(config)#router vrrp
Router1(config)#inter e 6
Router1(config-if-6)#ip address 10.53.5.1
Router1(config-if-6)#ip vrrp vrid 1
Router1(config-if-6-vrid-1)#owner
Router1(config-if-6-vrid-1)#ip-address 10.53.5.1
Router1(config-if-6-vrid-1)#activate
Configuring a Backup
Router2(config)#router vrrp
Router2(config)#inter e 5
Router2(config-if-5)#ip address 10.53.5.
Note regarding disabling VRRP or VRRPE
Configuration rules for VRRPE
• The interfaces of all routers in a VRID must be in the same IP subnet.
• The IP address associated with the VRID cannot be configured on any of the Layer 3 Switches.
• The Hello interval must be set to the same value on all the Layer 3 Switches.
• The Dead interval must be set to the same value on all the Layer 3 Switches.
• The track priority for a VRID must be lower than the VRRPE priority.
Configuring additional VRRP and VRRPE parameters
• Backup Hello messages and message timer (Backup advertisement)
• Track port
• Track priority
• Backup preempt mode
• Timer scale
• VRRP-E slow start timer
For information about the fields, see the parameter descriptions in the following sections. Refer to “VRRP and VRRPE parameters” on page 872 for a summary of the parameters and their defaults.
Configuring additional VRRP and VRRPE parameters Router type A VRRP interface is either an Owner or a Backup for a given VRID. By default, the Owner becomes the Master following the negotiation. A Backup becomes the Master only if the Master becomes unavailable. A VRRPE interface is always a Backup for its VRID. The Backup with the highest VRRP priority becomes the Master.
Configuring additional VRRP and VRRPE parameters The priority parameter specifies the VRRP priority for this interface and VRID. You can specify a value from 3 – 254. The default is 100. The track-priority parameter is the same as above. VRRPE syntax Syntax: backup [priority ] [track-priority ] The software requires you to identify a VRRPE interface as a Backup for its VRID before you can activate the interface for the VRID.
Configuring additional VRRP and VRRPE parameters Dead interval The Dead interval is the number of seconds a Backup waits for a Hello message from the Master before determining that the Master is dead. When Backups determine that the Master is dead, the Backup with the highest priority becomes the new Master. The Dead interval can be from 1 – 84 seconds. The default is 3.5 seconds. This is three times the default Hello interval (1 second) plus one-half second added by the router software.
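The following Python is an added example, not Brocade code and not from this guide. It builds and verifies a VRRPv2 advertisement (the chapter's Hello message, sent to 224.0.0.18) using the RFC 3768 layout and checksum, and runs a Backup through the election this chapter describes: the highest priority wins, a tie goes to the highest IP address, the Owner's priority 255 always wins, a Backup with non-preempt-mode does not take over from a live lower-priority Master, and a Master is declared dead when no Hello arrives within 3 × Hello interval + 0.5 s. Track ports and the virtual MAC address are not modelled; the VRID and addresses are the ones used in this chapter's examples, and the timings are constructed.

```python
"""VRRPv2 advertisement handling and Master election (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

VRRP_GROUP = "224.0.0.18"   # every advertisement (the chapter's "Hello message") is sent here


def ip2int(ip: str) -> int:
    return int.from_bytes(bytes(map(int, ip.split("."))), "big")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; verifying a packet that carries its own checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int          # 255 = the Owner; 0 = the Master has stopped participating
    adver_int: int         # Hello interval, seconds
    addrs: List[str]       # virtual IP addresses backed up by this VRID
    auth_type: int = 0     # 0 = "no authentication", as the chapter's show output reports

    def pack(self) -> bytes:
        head = struct.pack("!BBBBBBH", 0x21, self.vrid, self.priority, len(self.addrs),
                           self.auth_type, self.adver_int, 0)              # 0x21: version 2, type 1
        body = b"".join(ip2int(a).to_bytes(4, "big") for a in self.addrs) + bytes(8)  # 8 auth bytes
        return head[:6] + struct.pack("!H", inet_checksum(head + body)) + body

    @classmethod
    def unpack(cls, pkt: bytes) -> "Advertisement":
        if len(pkt) < 16 or pkt[0] != 0x21:
            raise ValueError("not a VRRPv2 advertisement")
        if inet_checksum(pkt) != 0:
            raise ValueError("bad checksum")
        vrid, prio, count, auth, adv = struct.unpack("!BBBBB", pkt[1:6])
        if len(pkt) != 16 + 4 * count:
            raise ValueError("length does not match the address count")
        addrs = [".".join(map(str, pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
        return cls(vrid, prio, adv, addrs, auth)


def dead_interval(hello_sec: float) -> float:
    """Chapter: Dead interval = 3 x Hello interval + 0.5 s, so 3.5 s for the default 1 s Hello."""
    return 3 * hello_sec + 0.5


@dataclass
class VrrpRouter:
    """Backup-side state machine for one VRID on one interface (enough to show the election)."""
    vrid: int
    my_ip: str
    priority: int
    hello_sec: float = 1.0
    preempt: bool = True            # the chapter's non-preempt-mode sets this False on a Backup
    state: str = "backup"
    master: Optional[str] = None
    last_adv: Optional[float] = None

    def _beats(self, ip: str, prio: int) -> bool:
        # Highest priority wins; a tie goes to the highest IP address (chapter, and RFC 3768).
        return (self.priority, ip2int(self.my_ip)) > (prio, ip2int(ip))

    def receive(self, adv: Advertisement, from_ip: str, now: float) -> str:
        if adv.vrid != self.vrid:
            raise ValueError("vrid not found")   # what the chapter's "rxed vrrp vrid not found" counter counts
        if self.state == "master" and self._beats(from_ip, adv.priority):
            return self.state                    # a lower-priority peer is advertising: stay Master
        self.state, self.master, self.last_adv = "backup", from_ip, now
        if adv.priority == 0 or (self.preempt and self._beats(from_ip, adv.priority)):
            self.state, self.master = "master", self.my_ip   # Master gave up the VRID, or we preempt it
        return self.state

    def tick(self, now: float) -> str:
        """Call periodically: the Master is dead once no Hello arrives within the Dead interval."""
        if (self.state == "backup" and self.last_adv is not None
                and now - self.last_adv >= dead_interval(self.hello_sec)):
            self.state, self.master = "master", self.my_ip
        return self.state


if __name__ == "__main__":
    # Constructed timeline for the chapter's Figure 112 pair: Owner 10.53.5.1, Backup 10.53.5.3.
    owner_hello = Advertisement(vrid=1, priority=255, adver_int=1, addrs=["10.53.5.1"])
    backup = VrrpRouter(vrid=1, my_ip="10.53.5.3", priority=100)
    print("t=0.0 ", backup.receive(Advertisement.unpack(owner_hello.pack()), "10.53.5.1", 0.0))
    print("t=3.6 ", backup.tick(3.6))                            # no Hello for 3.5 s: take over
    print("t=4.0 ", backup.receive(owner_hello, "10.53.5.1", 4.0))  # Owner is back and preempts
```

The checksum check is what stops a corrupted or truncated advertisement from influencing the election; the VRID check corresponds to the "vrid not found" error counter the chapter lists under show ip vrrp statistics.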
Configuring additional VRRP and VRRPE parameters Syntax: track-port ethernet | ve The syntax is the same for VRRP and VRRPE.
Configuring additional VRRP and VRRPE parameters To disable preemption on a Backup, enter commands such as the following. Router1(config)#inter e 6 Router1(config-if-6)#ip vrrp vrid 1 Router1(config-if-6-vrid-1)#non-preempt-mode Syntax: non-preempt-mode The syntax is the same for VRRP and VRRPE. Changing the timer scale To achieve sub-second failover times, you can shorten the duration of all scale timers for VSRP, VRRP, and VRRP-E by adjusting the timer scale.
Forcing a Master router to abdicate to a standby router VRRP-E slow start timer In a VRRP-E configuration, if a Master router goes down, the Backup router with the highest priority takes over. When the Master comes back up again, it takes over from the Backup. By default, this transition from Backup back to Master takes place immediately.
Displaying VRRP and VRRPE information When you press Enter, the software changes the priority of the Master to the specified priority. If the new priority is lower than at least one Backup priority for the same VRID, the Backup takes over and becomes the new Master until the next software reload or system reset. To verify the change, enter the following command from any level of the CLI.
TurboIron#show ip vrrp-extended brief
Total number of VRRP-Extended routers defined: 1
Interface  VRID  CurPri  P  State  Master addr  Backup addr  VIP
6          1     255     P  Init   10.53.5.2    10.53.5.3    10.53.5.254
Syntax: show ip vrrp brief | ethernet | ve | stat
Syntax: show ip vrrp-extended brief | ethernet | ve | stat
The brief parameter displays the summary information. If you do not use this parameter, detailed information is displayed instead.
Displaying detailed information
To display detailed VRRP or VRRPE information, enter the following command at any level of the CLI.
TurboIron#show ip vrrp
Total number of VRRP routers defined: 1
Interface ethernet 6
 auth-type no authentication
 VRID 1
  state master
  administrative-status enabled
  mode owner
  priority 255
  current priority 255
  hello-interval 10000 msec
  advertise backup: disabled
  track-port 4
This example is for a VRRP Owner.
TurboIron#show ip vrrp-extended
Total number of VRRP-Extended routers defined: 1
Interface ethernet 6
 auth-type no authentication
 VRID 1
  state master
  administrative-status enabled
  priority 200
  current priority 200
  hello-interval 10000 msec
  dead-interval 30000 msec
  current dead-interval 30000 msec
  preempt-mode true
  virtual ip address 10.53.5.254
  advertise backup: enabled
  master router 10.53.5.2 expires in 00:00:03.
Displaying VRRP and VRRPE information TABLE 137 CLI display of VRRP or VRRPE detailed information (Continued) This field... Displays... state This Layer 3 Switch VRRP or VRRPE state for the VRID. The state can be one of the following: • initialize – The VRID is not enabled (activated). If the state remains “initialize” after you activate the VRID, make sure that the VRID is also configured on the other routers and that the routers can communicate with each other.
Displaying VRRP and VRRPE information TABLE 137 CLI display of VRRP or VRRPE detailed information (Continued) This field... preempt-mode Displays... Whether the backup preempt mode is enabled. NOTE: This field does not apply to VRRP Owners. virtual ip address The virtual IP addresses that this VRID is backing up. advertise backup The IP addresses of Backups that have advertised themselves to this Layer 3 Switch by sending Hello messages. NOTE: Hello messages from Backups are disabled by default.
TurboIron#show ip vrrp vrid 1
VRID 1
 Interface ethernet 11
  state initialize
  administrative-status disabled
  mode non-owner(backup)incomplete
  priority 12
  current priority 12
  track-priority 22
  hello-interval 1 sec
  dead-interval 0 sec
  current dead-interval 3.900 sec
  preempt-mode true
  advertise backup: disabled
Syntax: show ip vrrp vrid [ethernet | ve ]
The parameter specifies the VRID.
Displaying VRRP and VRRPE information Displaying statistics To display statistics on most devices, enter a command such as the following at any level of the CLI.
Displaying VRRP and VRRPE information TABLE 139 CLI display of VRRP or VRRPE statistics (Continued) This field... Displays... rxed vrrp vrid not found error count The number of VRRP or VRRPE packets received by the interface that contained a VRID that is not configured on this interface. VRID statistics rxed arp packet drop count The number of ARP packets addressed to the VRID that were dropped. rxed ip packet drop count The number of IP packets addressed to the VRID that were dropped.
Displaying VRRP and VRRPE information TurboIron#show process cpu Process Name 5Sec(%) 1Min(%) ARP 0.01 0.03 BGP 0.04 0.06 ICMP 0.00 0.00 IP 0.00 0.00 OSPF 0.00 0.00 RIP 0.00 0.00 STP 0.00 0.00 VRRP 0.03 0.07 5Min(%) 0.09 0.08 0.00 0.00 0.00 0.00 0.00 0.09 15Min(%) 0.22 0.14 0.00 0.00 0.00 0.00 0.00 0.10 Runtime(ms) 9 13 0 0 0 0 0 8 If the software has been running less than 15 minutes (the maximum interval for utilization statistics), the command indicates how long the software has been running.
Configuration examples

The following sections contain the CLI commands for implementing the VRRP and VRRPE configurations shown in Figure 112 on page 864 and Figure 113 on page 869.

VRRP example
To implement the VRRP configuration shown in Figure 112 on page 864, use the following method.

Configuring Router1
To configure VRRP Router1, enter the following commands.
Router1(config)#router vrrp
Router1(config)#inter e 6
Router1(config-if-6)#ip address 10.53.5.

NOTE
When you configure a Backup router, the router interface on which you are configuring the VRID must have a real IP address that is in the same subnet as the address associated with the VRID by the Owner. However, the address cannot be the same. The priority parameter establishes the router VRRP priority in relation to the other VRRP routers in this virtual router.

Configuring Router2
To configure Router2, enter the following commands.
Router1(config)#router vrrp-extended
Router1(config)#interface ethernet 5
Router1(config-if-5)#ip address 10.53.5.3/24
Router1(config-if-5)#ip vrrp-extended vrid 1
Router1(config-if-5-vrid-1)#backup priority 100 track-priority 20
Router1(config-if-5-vrid-1)#track-port ethernet 2
Router1(config-if-5-vrid-1)#ip-address 10.53.5.
Chapter 28 Configuring Rule-Based IP Access Control Lists

In this chapter
• ACL overview . . . . . . . . . . 897
• How hardware-based ACLs work . . . . . . . . . . 899
• Configuration considerations . . . . . . . . . . 900
• Configuring standard numbered ACLs . . . . . . . . . .
ACL overview Rule-based ACLs program the ACL entries you assign to an interface into Content Addressable Memory (CAM) space allocated for the ports. The ACLs are programmed into hardware at startup (or as new ACLs are entered and bound to ports). Devices that use rule-based ACLs program the ACLs into the CAM entries and use these entries to permit or deny packets in the hardware, without sending the packets to the CPU for processing.
How hardware-based ACLs work You configure ACLs on a global basis, then apply them to the incoming traffic on specific ports. The software applies the entries within an ACL in the order they appear in the ACL configuration. As soon as a match is found, the software takes the action specified in the ACL entry (permit or deny the packet) and stops further comparison for that packet. Numbered and named ACLs When you configure an ACL, you can refer to the ACL by a numeric ID or by an alphanumeric name.
Configuration considerations • The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled the same way as non-fragmented packets, since the first fragment contains the Layer 4 source and destination application port numbers. The device uses the Layer 4 CAM entry if one is programmed, or applies the interface's ACL entries to the packet and permits or denies the packet according to the first matching ACL.
• Devices support MAC filters instead of Layer 2 ACLs.
• You can apply an ACL to a port that has TCP SYN protection or ICMP smurf protection, or both, enabled.

NOTE
TurboIron X Series devices do not support ACLs on Group VEs, even though the CLI contains commands for this action.

Configuring standard numbered ACLs
This section describes how to configure standard numbered ACLs with numeric IDs and provides configuration examples.

If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “10.157.22.26 0.0.0.255” as “10.157.22.26/24”. The CLI automatically converts the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and changes the non-significant portion of the IP address into ones.
Configuring standard named ACLs
This section describes how to configure standard named ACLs with alphanumeric IDs. This section also provides configuration examples. Standard ACLs permit or deny packets based on source IP address. You can configure up to 99 standard named ACLs. There is no limit to the number of ACL entries an ACL can contain except for the system-wide limitation.

NOTE
To specify the host name instead of the IP address, the host name must be configured using the DNS resolver on the device. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI. The parameter specifies the mask value to compare against the host address specified by the parameter. The is in dotted-decimal notation (IP address format).
TurboIron(config)#ip access-list standard Net1
TurboIron(config-std-nACL)#deny host 10.157.22.26 log
TurboIron(config-std-nACL)#deny 10.157.29.12 log
TurboIron(config-std-nACL)#deny host IPHost1 log
TurboIron(config-std-nACL)#permit any
TurboIron(config-std-nACL)#exit
TurboIron(config)#int eth 1
TurboIron(config-if-e10000-1)#ip access-group Net1 in
The commands in this example configure a standard ACL named “Net1”.

Configuring extended numbered ACLs

Extended numbered ACL syntax
Syntax: [no] access-list deny | permit | [/] | [| ] [ /] [dscp-marking <0-63> [802.1p-priority-marking <0 –7...

The | parameter specifies the ICMP protocol type:
• This parameter applies only if you specified icmp as the value.
• If you use this parameter, the ACL entry is sent to the CPU for processing.
• If you do not specify a message type, the ACL applies to all types of ICMP messages.
The parameter can be a value from 0 – 255.

• range – The policy applies to all TCP or UDP port numbers that are between the first TCP or UDP port name or number and the second one you enter following the range parameter. The range includes the port names or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS), enter the following: range 23 53. The first port number in the range must be lower than the last number in the range.

NOTE
This value is not supported on 10 Gbps Ethernet modules.
• normal or 0 – The ACL matches packets that have the normal ToS. The decimal value for this option is 0.
• – A number from 0 – 15 that is the sum of the numeric values of the options you want. The ToS field is a four-bit field following the Precedence field in the IP header. You can specify one or more of the following.

The second entry denies IGMP traffic from the host device named “rkwong” to the 10.157.21.x network. The third entry denies IGMP traffic from the 10.157.21.x network to the host device named “rkwong”. The fourth entry denies all IP traffic from host 10.157.21.100 to host 10.157.22.1 and generates Syslog entries for packets that are denied by this entry. The fifth entry denies all OSPF traffic and generates Syslog entries for denied traffic.
Configuring extended named ACLs
The commands for configuring named ACL entries are different from the commands for configuring numbered ACL entries. The command to configure a numbered ACL is access-list. The command for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry, you specify all the command parameters on the same command.

The parameter indicates the type of IP packet you are filtering. You can specify a well-known name for any protocol whose number is less than 255. For other protocols, you must enter the number. Enter “?” instead of a protocol to list the well-known names recognized by the CLI. The | parameter specifies the source IP host for the policy. If you want the policy to match on all source addresses, enter any.

• mask-request
• parameter-problem
• redirect
• source-quench
• time-exceeded
• timestamp-reply
• timestamp-request
• traffic policy
• unreachable
The parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http.
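The following Python model is an added example, not Brocade code or CLI output from this guide. It implements the first-match evaluation described under “How hardware-based ACLs work” (entries compared in configured order, comparison stops at the first match, no match means the packet is denied), the CIDR-to-wildcard conversion from “Configuring standard numbered ACLs”, and the TCP/UDP port comparison operators of this section including the inclusive range form, so that an ACL can be checked against sample packets before it is bound to a port. The entries, addresses, ports and packets below are constructed for illustration and do not come from the guide.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

Match = Tuple[IPv4Address, IPv4Address]        # (address, wildcard mask)
ANY: Match = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))


def host(ip: str) -> Match:
    """'host 10.157.22.26' is shorthand for a wildcard of 0.0.0.0 (every bit matters)."""
    return IPv4Address(ip), IPv4Address("0.0.0.0")


def cidr_to_wildcard(prefix: str) -> Match:
    """Convert '10.157.22.26/24' to the ACL form '10.157.22.26 0.0.0.255': the CIDR
    length becomes an inverted mask in which set bits are don't-care bits."""
    addr, _, bits = prefix.partition("/")
    length = int(bits) if bits else 32
    netmask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return IPv4Address(addr), IPv4Address(netmask ^ 0xFFFFFFFF)


def addr_matches(packet_ip: str, acl_ip: IPv4Address, wildcard: IPv4Address) -> bool:
    """Wildcard comparison: only the bits that are zero in the wildcard are compared."""
    care = int(wildcard) ^ 0xFFFFFFFF
    return (int(IPv4Address(packet_ip)) & care) == (int(acl_ip) & care)


def port_matches(op: Optional[str], args: tuple, port: Optional[int]) -> bool:
    """TCP/UDP port comparison operators; 'range 23 53' is inclusive at both ends."""
    if op is None:
        return True
    if port is None:
        return False
    if op == "eq":
        return port == args[0]
    if op == "neq":
        return port != args[0]
    if op == "lt":
        return port < args[0]
    if op == "gt":
        return port > args[0]
    if op == "range":
        low, high = args
        if low >= high:
            raise ValueError("first port in a range must be lower than the last")
        return low <= port <= high
    raise ValueError(f"unknown port operator {op!r}")


@dataclass
class AclEntry:
    action: str                                      # "permit" or "deny"
    proto: str                                       # "ip" matches any IP protocol
    src: Match
    dst: Match
    dport: Tuple[Optional[str], tuple] = (None, ())  # (operator, operands)
    log: bool = False


def evaluate(acl, proto: str, src_ip: str, dst_ip: str, dport: Optional[int] = None):
    """Walk the entries in configured order. The first match decides the action and
    stops further comparison; if nothing matches the packet is denied (implicit
    deny) and the returned entry index is None."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not addr_matches(src_ip, *e.src) or not addr_matches(dst_ip, *e.dst):
            continue
        if e.proto in ("tcp", "udp") and not port_matches(e.dport[0], e.dport[1], dport):
            continue
        return e.action, idx, e.log
    return "deny", None, False


# Constructed sample ACL (not from the guide): deny and log Telnet from one host,
# let the 10.157.21.x network reach TCP ports 23 through 53, allow DNS over UDP.
SAMPLE_ACL = [
    AclEntry("deny", "tcp", host("10.157.22.26"), ANY, ("eq", (23,)), log=True),
    AclEntry("permit", "tcp", cidr_to_wildcard("10.157.21.0/24"), ANY, ("range", (23, 53))),
    AclEntry("permit", "udp", ANY, ANY, ("eq", (53,))),
]

if __name__ == "__main__":
    print(cidr_to_wildcard("10.157.22.26/24"))
    print(evaluate(SAMPLE_ACL, "tcp", "10.157.22.26", "10.1.1.1", 23))
    print(evaluate(SAMPLE_ACL, "tcp", "10.157.21.7", "10.1.1.1", 80))
```

The third call above returns an implicit deny: no entry matches TCP port 80, which is the behaviour the guide warns about when a closing permit entry is omitted.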
The precedence | parameter of the ip access-list command specifies the IP precedence. The precedence of an IP packet is set in a three-bit field following the four-bit header-length field of the packet’s header. You can specify one of the following:
• critical or 5 – The ACL matches packets that have the critical precedence. If you specify the option number instead of the name, specify number 5.
Preserving user input for ACL TCP/UDP port numbers • You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or filter. The software replaces the ACL or filter command with the new one. The new ACL or filter, with logging enabled, takes effect immediately.
Managing ACL comment text
ACL comment text describes entries in an ACL. The comment text appears in the output of show commands that display ACL information. This section describes how to add ACL comments.

Adding a comment to an entry in a numbered ACL
To add comments to entries in a numbered ACL, enter commands such as the following.
Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN
By default, when you apply an ACL to a virtual interface in a protocol-based or subnet-based VLAN, the ACL takes effect on all protocol or subnet VLANs to which the untagged port belongs.
Enabling ACL logging If no ACL entries explicitly deny packets during an entire five-minute timer interval, the timer stops. The timer restarts when an ACL entry explicitly denies a packet. NOTE The timer for logging packets denied by Layer 2 filters is a different timer than the ACL logging timer. Configuration notes Note the following before configuring ACL logging: • You can enable ACL logging on physical and virtual interfaces. • ACL logging logs denied packets only.
Enabling strict control of ACL filtering of fragmented packets Displaying ACL Log Entries The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap. Messages for packets permitted or denied by ACLs are at the warning level of the Syslog. When the first Syslog entry for a packet permitted or denied by an ACL is generated, the software starts an ACL timer.
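The following Python model is an added example, not device software or log output from this guide. It simulates the ACL logging timer described in the two passages above for one ACL: the first denied packet produces a warning-level message (and, on the device, an SNMP trap) immediately and starts the timer; further denies are only counted; if a whole interval passes with nothing denied the timer stops, and the next denied packet is again reported at once. What the device reports when an interval ends is not stated in the text above, so the per-entry count emitted here is this example's own assumption, and the event sequence is constructed.

```python
from typing import Dict, List, Optional

ACL_LOG_INTERVAL = 300   # the five-minute ACL logging timer, in seconds


class AclLogTimer:
    """Rate limits ACL deny messages for one ACL. The first denied packet is logged
    at once and starts the timer; later denies are counted until the interval ends;
    an interval with no denies stops the timer. The summary line written at the end
    of an interval is this example's assumption, not text from the guide."""

    def __init__(self, interval: int = ACL_LOG_INTERVAL):
        self.interval = interval
        self.started: Optional[int] = None       # None means the timer is stopped
        self.counts: Dict[str, int] = {}
        self.messages: List[str] = []

    def tick(self, now: int) -> None:
        """Expire every interval that has elapsed by time 'now'."""
        while self.started is not None and now >= self.started + self.interval:
            end = self.started + self.interval
            if self.counts:
                for entry, n in sorted(self.counts.items()):
                    self.messages.append(
                        f"t={end} warning: ACL entry {entry} denied {n} further packet(s) "
                        f"during the last {self.interval}s")
                self.counts = {}
                self.started = end               # packets were denied: keep timing
            else:
                self.started = None              # nothing denied: the timer stops

    def denied(self, entry: str, src: str, dst: str, now: int) -> bool:
        """Record a denied packet; returns True when a message was emitted at once."""
        self.tick(now)
        if self.started is None:
            self.started = now
            self.messages.append(
                f"t={now} warning: ACL entry {entry} denied {src} -> {dst} (SNMP trap sent)")
            return True
        self.counts[entry] = self.counts.get(entry, 0) + 1
        return False


# Constructed deny events (seconds, ACL entry, source, destination); not real device logs.
SAMPLE_EVENTS = [
    (0, "Net1/1", "10.157.22.26", "10.1.1.1"),
    (10, "Net1/1", "10.157.22.26", "10.1.1.1"),
    (20, "Net1/2", "10.157.29.12", "10.1.1.1"),
    (700, "Net1/1", "10.157.22.26", "10.1.1.1"),
]


def run(events=SAMPLE_EVENTS, interval: int = ACL_LOG_INTERVAL) -> List[str]:
    """Replay the events and return the messages the timer would have produced."""
    timer = AclLogTimer(interval)
    for now, entry, src, dst in events:
        timer.denied(entry, src, dst, now)
    timer.tick(events[-1][0] + interval)          # flush the final interval
    return timer.messages


if __name__ == "__main__":
    for line in run():
        print(line)
```

With the constructed events, the denies at 10 s and 20 s are only counted, the interval ending at 300 s reports those counts, the empty interval ending at 600 s stops the timer, and the deny at 700 s is reported immediately again, so four messages result from four denied packets spread over almost twelve minutes.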
Enabling ACL support for switched traffic in the router image The fragments are forwarded even if the first fragment, which contains the Layer 4 information, was denied. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet. For tighter control, you can configure the port to drop all packet fragments. To do so, enter commands such as the following.
Enabling ACL filtering based on VLAN membership or VE port membership By default, this feature support is disabled. To enable it, enter the following commands at the Global CONFIG level of the CLI.
Filtering on IP precedence and ToS values The parameter is the access list name or number. Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only) You can apply an IPv4 ACL to a virtual routing interface. The virtual interface is used for routing between VLANs and contains all the ports within the VLAN. The IPv4 ACL applies to all the ports on the virtual routing interface.
QoS options for IP ACLs The second entry denies all FTP traffic from the 10.157.21.x network to the 10.157.22.x network, if the traffic has the IP precedence value “6” (equivalent to “internet”). The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL. To configure an IP ACL that matches based on ToS, enter commands such as the following.
TurboIron(config)#acc 104 per ip any any 802.1p-and-internal-marking 1
Syntax: access-list permit ip any any 802.1p-and-internal-marking
For TCP
TurboIron(config)#acc 105 per tcp any any 802.1p-and-internal-marking 1
Syntax: access-list permit tcp any any 802.1p-and-internal-marking
For UDP
TurboIron(config)#acc 105 per udp any any 802.
ACL-based rate limiting To configure an ACL that matches on a packet with DSCP value 29, enter a command such as the following. TurboIron(config)#access-list 112 permit ip 10.1.1.0 0.0.0.255 10.2.2.x 0.0.0.255 dscp-matching 29 The complete CLI syntax for this feature is shown in “Configuring extended numbered ACLs” on page 905 and “Configuring extended named ACLs” on page 911. The following shows the syntax specific to this feature. Syntax: ...
Displaying ACL information • If the ACL contains filters with Layer 4 source or destination port ranges and the ACL is not attached to any port or VLAN, then the minimum and maximum number of estimated TCAM usage per filter is displayed in ‘x or y’ format where ‘x’ is the minimum number and ‘y’ is the maximum number of estimated TCAM entries. • Whenever the ACL is attached to a different VLAN (on the same or another port), the TCAM usage count is incremented to reflect the current usage.
Troubleshooting ACLs
If you are using another feature that requires ACLs, either use the same ACL entries for filtering and for the other feature, or change to flow-based ACLs
Chapter 29 Configuring Traffic Policies

In this chapter
• About traffic policies . . . . . . . . . .
• Configuration notes and feature limitations . . . . . . . . . .
• Maximum number of traffic policies supported on a device . . . . . . . . . .
• ACL-based rate limiting using traffic policies . . . . . . . . . .
• ACL and rate limit counting . . . . . . . . . .
Configuration notes and feature limitations
Note the following when configuring traffic policies:
• Traffic policies are supported.
• This feature is supported in the Layer 2 and Layer 3 code.
• This feature applies to IP ACLs only.
• The maximum number of supported active TPDs is a system-wide parameter and depends on the device you are configuring. The total number of active TPDs cannot exceed the system maximum.

Maximum number of traffic policies supported on a device
The maximum number of supported active traffic policies is a system-wide parameter and depends on the device you are configuring, as follows:
• By default, up to 1024 active traffic policies are supported on Layer 2 and on Layer 3 switches. This value is fixed on Layer 2 switches and cannot be modified.
ACL-based rate limiting using traffic policies
You can configure ACL-based rate limiting on the following interface types:
• physical Ethernet interfaces
• virtual interfaces
• trunk ports
• specific VLAN members on a port (New in 02.3.03 – refer to “Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)” on page 921)
• a subset of ports on a virtual interface (New in 02.3.
The above commands configure a fixed rate limiting policy that allows port e5 to receive a maximum traffic rate of 100 kbps. If the port receives additional bits during a given one-second interval, the port drops the additional inbound packets that are received within that one-second interval.
Syntax: [no] traffic-policy rate-limit fixed exceed-action [count]
Syntax: access-list permit | deny....

TABLE 143 ACL-Based adaptive rate limiting parameters (Continued)
Parameter – Definition
Peak Information Rate (PIR) – The peak maximum kilobit rate for inbound traffic on a port. The PIR must be equal to or greater than the CIR.
Peak Burst Size (PBS) – The number of bytes per second allowed in a burst before all packets will exceed the peak information rate. The PBS must be a value greater than zero (0).

is the name of the traffic policy definition. This value can be 8 or fewer alphanumeric characters. rate-limit adaptive specifies that the policy will enforce a flexible bandwidth limit that allows for bursts above the limit. is the committed information rate in kbps. Refer to Table 143. is the committed burst size in bytes. Refer to Table 143. is the peak information rate in kbps. Refer to Table 143.
ACL and rate limit counting Syntax: traffic-policy rate-limit adaptive cir cbs pir pbs exceed-action drop Permitting packets that exceed the limit This section shows some example configurations and provides the CLI syntax for configuring a port to permit packets that exceed the configured limit for rate limiting. Example The following shows an example fixed rate limiting configuration.
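The following Python model is an added example, not Brocade code or CLI output. It shows the two behaviours described in the preceding passages side by side: the fixed policy, which admits at most the configured number of kilobits per one-second interval and drops everything beyond that within the same second, and the adaptive policy, which meters against a committed rate and burst (CIR, CBS) and a peak rate and burst (PIR, PBS) with exceed-action drop applied to traffic above the peak. The guide does not state which metering algorithm the hardware implements, so the two-bucket scheme used here (the colour-blind marker of RFC 2698) is an assumption of this example; the packet sizes and timings are constructed, and the CIR/CBS/PIR/PBS values are those shown later in the show traffic-policy t_voip output.

```python
class FixedRateLimiter:
    """'rate-limit fixed <rate> exceed-action drop': at most rate_kbps kilobits are
    admitted in any one-second interval; further packets in the same second are
    dropped and the budget resets when the next second starts."""

    def __init__(self, rate_kbps: int):
        self.limit_bits = rate_kbps * 1000
        self.window = None
        self.used_bits = 0

    def admit(self, size_bytes: int, now: float) -> bool:
        window = int(now)                        # one-second interval index
        if window != self.window:
            self.window, self.used_bits = window, 0
        if self.used_bits + size_bytes * 8 > self.limit_bits:
            return False                         # exceed-action drop
        self.used_bits += size_bytes * 8
        return True


class AdaptiveRateMeter:
    """Two-rate, two-bucket meter for 'rate-limit adaptive cir cbs pir pbs'.
    The committed bucket holds up to CBS bytes and refills at CIR; the peak bucket
    holds up to PBS bytes and refills at PIR. A packet 'conforms' if both buckets
    can pay for it, 'exceeds' if only the peak bucket can, and 'violates' (dropped
    with exceed-action drop) if even the peak bucket cannot. This is the RFC 2698
    colour-blind algorithm and is an assumption of this example."""

    def __init__(self, cir_kbps: int, cbs_bytes: int, pir_kbps: int, pbs_bytes: int):
        if pir_kbps < cir_kbps or cbs_bytes <= 0 or pbs_bytes <= 0:
            raise ValueError("PIR must be >= CIR and both burst sizes must be > 0")
        self.cir = cir_kbps * 1000 / 8           # bytes per second
        self.pir = pir_kbps * 1000 / 8
        self.cbs, self.pbs = cbs_bytes, pbs_bytes
        self.tc, self.tp = float(cbs_bytes), float(pbs_bytes)   # buckets start full
        self.last = 0.0

    def meter(self, size_bytes: int, now: float) -> str:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if size_bytes > self.tp:
            return "violate"
        self.tp -= size_bytes
        if size_bytes > self.tc:
            return "exceed"
        self.tc -= size_bytes
        return "conform"


def run_fixed(rate_kbps: int = 100, sizes=(1500,) * 9, start: float = 0.0):
    """Nine constructed 1500-byte packets inside one second against a 100 kbps policy."""
    limiter = FixedRateLimiter(rate_kbps)
    return [limiter.admit(size, start + 0.1 * i) for i, size in enumerate(sizes)]


def run_adaptive(packets=((1500, 0.0), (1500, 0.0), (1500, 0.0), (1500, 1.0))):
    """Constructed burst against cir 100 kbps, cbs 2000 bytes, pir 200 kbps, pbs 4000 bytes."""
    meter = AdaptiveRateMeter(100, 2000, 200, 4000)
    return [meter.meter(size, t) for size, t in packets]


if __name__ == "__main__":
    print(run_fixed())      # eight packets admitted, the ninth dropped
    print(run_adaptive())   # conform, exceed, violate, then conform after a 1 s refill
```

At 100 kbps the fixed policy has 100 000 bits per second to spend, so eight 1500-byte packets (96 000 bits) fit and the ninth does not; the adaptive meter lets a 2000-byte committed burst through, tolerates a further 1500 bytes from the 4000-byte peak burst, drops the next packet, and has refilled both buckets after one second at the configured rates.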
Enabling ACL statistics

NOTE
ACL statistics and ACL counting are used interchangeably throughout this chapter and mean the same thing.

Use the procedures in this section to configure ACL statistics. Before configuring this feature, see what to consider in “Configuration notes and feature limitations” on page 930. You also can enable ACL statistics when you create a traffic policy for rate limiting.

Enabling ACL statistics with rate limiting traffic policies
The configuration example in the section “Enabling ACL statistics” on page 937 shows how to enable ACL counting without having to configure parameters for rate limiting. You also can enable ACL counting while defining a rate limiting traffic policy, as illustrated in the following configuration examples.
Viewing traffic policies Syntax: show statistics traffic-policy [] Table 144 explains the output of the show access-list accounting and show statistics traffic-policy commands. TABLE 144 ACL and rate limit counting statistics This line... Displays... Traffic Policy The name of the traffic policy. General Counters Port Region # The port region to which the active traffic policy applies. Byte Count The number of bytes that were filtered (matched ACL clauses).
TurboIron#show traffic-policy t_voip
Traffic Policy - t_voip:
Metering Enabled, Parameters:
 Mode: Adaptive Rate-Limiting
 cir: 100 kbps, cbs: 2000 bytes, pir: 200 kbps, pbs: 4000 bytes
Counting Not Enabled
Number of References/Bindings:1
Syntax: show traffic-policy []
To display all traffic policies, enter the show traffic-policy command without entering a .
TABLE 145 Traffic policy information
This line... Displays...
Chapter 30 Configuring 802.1X Port Security

In this chapter
• IETF RFC support . . . . . . . . . . 941
• How 802.1X port security works . . . . . . . . . . 941
• Configuring 802.1X port security . . . . . . . . . . 950
• Displaying 802.1X information . . . . . . . . . . 969
• Sample 802.
How 802.1X port security works
Figure 114 illustrates these roles.
FIGURE 114 Authenticator, client/supplicant, and authentication server in an 802.1X configuration
[Figure labels: RADIUS Server (Authentication Server); Switch (Authenticator); Client/Supplicant]
Authenticator – The device that controls access to the network. In an 802.1X configuration, the device serves as the Authenticator. The Authenticator passes messages between the Client and the Authentication Server.

EAPOL messages are passed between the Port Access Entity (PAE) on the Supplicant and the Authenticator. Figure 115 shows the relationship between the Authenticator PAE and the Supplicant PAE.
FIGURE 115 Authenticator PAE and supplicant PAE
[Figure labels: Switch (Authenticator); Authentication Server; RADIUS Messages; Authenticator PAE; 802.

Controlled and uncontrolled ports
A physical port on the device used with 802.1X port security has two virtual access points: a controlled port and an uncontrolled port. The controlled port provides full access to the network. The uncontrolled port provides access only for EAPOL traffic between the Client and the Authentication Server. When a Client is successfully authenticated, the controlled port is opened to the Client. Figure 116 illustrates this concept.

Message exchange during authentication
Figure 117 illustrates a sample exchange of messages between an 802.1X-enabled Client, a switch acting as Authenticator, and a RADIUS server acting as an Authentication Server.

• EAP-TLS (RFC 2716) – EAP Transport Level Security (TLS) provides strong security by requiring both client and authentication server to be identified and validated through the use of public key infrastructure (PKI) digital certificates. EAP-TLS establishes a tunnel between the client and the authentication server to protect messages from unauthorized users’ eavesdropping activities.

Authenticating multiple hosts connected to the same port
Devices support 802.1X authentication for ports with more than one host connected to them. Figure 118 illustrates a sample configuration where multiple hosts are connected to a single 802.1X port.
FIGURE 118 Multiple hosts connected to a single 802.1X-enabled port
By default, traffic from hosts that cannot be authenticated by the RADIUS server is dropped in hardware.

How 802.1X Multiple-host authentication works
When multiple hosts are connected to a single 802.1X-enabled port on a device (as in Figure 118), 802.1X authentication is performed in the following way.
1. One of the 802.1X-enabled Clients attempts to log into a network in which a device serves as an Authenticator.
2. The device creates an internal session (called a dot1x-mac-session) for the Client.

• When a Client has been denied access to the network, its dot1x-mac-session is aged out if no traffic is received from the Client MAC address over a fixed hardware aging period (70 seconds), plus a configurable software aging period. You can optionally change the software aging period for dot1x-mac-sessions or disable aging altogether. After the denied Client dot1x-mac-session is aged out, traffic from that Client is no longer blocked, and the Client can be re-authenticated.
Configuring 802.1X port security 802.1X port security and sFlow sFlow is a standards-based protocol that allows network traffic to be sampled at a user-defined rate for the purpose of monitoring traffic flow patterns and identifying packet transfer rates on user-specified interfaces. When you enable sFlow forwarding on an 802.1X-enabled interface, the samples taken from the interface include the user name string at the inbound or outbound port, or both, if that information is available.
For the , enter at least one of the following authentication methods:
radius – Use the list of all RADIUS servers that support 802.1X for authentication.
none – Use no authentication. The Client is automatically authenticated without the device using information supplied by the Client.

NOTE
If you specify both radius and none, make sure radius comes before none in the method list.

• Tunnel-Type (64) – RFC 2868
• Tunnel-Medium-Type (65) – RFC 2868
• EAP Message (79) – RFC 2579
• Message-Authenticator (80) – RFC 3579
• Tunnel-Private-Group-Id (81) – RFC 2868
• NAS-Port-id (87) – RFC 2869

Specifying the RADIUS timeout action
A RADIUS timeout occurs when the device does not receive a response from a RADIUS server within a specified time limit and after a certain number of retries.

Syntax: [no] dot1x auth-timeout-action failure
Once the failure timeout action is enabled, use the no form of the command to reset the RADIUS timeout behavior to retry.

NOTE
If restrict-vlan is configured along with auth-timeout-action failure, the user will be placed into a VLAN with restricted or limited access. Refer to “Allow user access to a restricted VLAN after a RADIUS timeout” on page 953.

Enable 802.1X VLAN ID support by adding the following attributes to a user profile on the RADIUS server.
Table 5:
Attribute name            Type   Value
Tunnel-Type               064    13 (decimal) – VLAN
Tunnel-Medium-Type        065    6 (decimal) – 802
Tunnel-Private-Group-ID   081    (string) – either the name or the number of a VLAN configured on the device.
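The following Python code is an added example, not Brocade code or a capture from a real RADIUS server. It builds the three attributes from the table above as they travel inside a RADIUS Access-Accept (type, length, value; the tunnel attributes carry a leading tag octet as defined in RFC 2868) and shows the check a receiving switch has to make before acting on them: Tunnel-Type must be 13 (VLAN), Tunnel-Medium-Type must be 6 (802), and Tunnel-Private-Group-ID names or numbers the VLAN. Treating an inconsistent or incomplete set as “no VLAN assignment” is this example's assumption; the attribute values and VLAN names are constructed.

```python
from typing import List, Optional, Tuple, Union

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6          # Tunnel-Medium-Type value meaning "802"


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: one octet type, one octet total length, then the value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type: int, tag: int, n: int) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type: a tag octet followed by a 3-octet integer."""
    return attr(attr_type, bytes([tag]) + n.to_bytes(3, "big"))


def vlan_attributes(group: str, tag: int = 0) -> bytes:
    """The three attributes a RADIUS user profile needs for dynamic VLAN assignment."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group.encode("ascii")))


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def dynamic_vlan(access_accept_attrs: bytes) -> Optional[Union[int, str]]:
    """Return the VLAN number or name the server asks for, or None when the three
    attributes are missing or inconsistent (assumed here to mean no assignment)."""
    found = {}
    for attr_type, value in parse_attrs(access_accept_attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            found[attr_type] = int.from_bytes(value[1:], "big")   # skip the tag octet
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet of 0x00..0x1F is a tag, anything larger is text
            found[attr_type] = value[1:] if value and value[0] <= 0x1F else value
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802
            or TUNNEL_PRIVATE_GROUP_ID not in found):
        return None
    group = found[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
    return int(group) if group.isdigit() else group


if __name__ == "__main__":
    print(vlan_attributes("10").hex())
    print(dynamic_vlan(vlan_attributes("10")))           # 10
    print(dynamic_vlan(vlan_attributes("marketing")))    # marketing
```

A profile that sends Tunnel-Type 13 with a Tunnel-Medium-Type other than 6 yields None, which is the case to look for when a client lands in the default VLAN instead of the one configured on the server.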
When the RADIUS server specifies an untagged VLAN ID, the port default VLAN ID (or PVID) is changed from the system DEFAULT-VLAN (VLAN 1) to the specified VLAN ID. The port transmits only untagged traffic on its PVID. In this example, the port PVID is changed from VLAN 1 (the DEFAULT-VLAN) to VLAN 10 or the VLAN named "marketing". The PVID for a port can be changed only once through RADIUS authentication.

By default, the dynamic VLAN assignments are not saved to the running-config file. Entering the show running-config command does not display dynamic VLAN assignments, although they can be displayed with the show vlan and show authenticated-mac-address detail commands.

NOTE
When this feature is enabled, issuing the command write mem will save any dynamic VLAN assignments to the startup configuration file.

Considerations for dynamic VLAN assignment in an 802.

Example
TurboIron(config)#int e 2
TurboIron(config-if-e10000-2)#port security
TurboIron(config-port-security-e10000-2)#maximum 2
TurboIron(config-port-security-e10000-2)#exit
Refer to Chapter 31, “Using the MAC Port Security Feature” for more information.

Dynamically applying IP ACLs and MAC filters to 802.1X ports
The Brocade 802.

Disabling and enabling strict security mode for dynamic filter assignment
By default, 802.1X dynamic filter assignment operates in strict security mode. When strict security mode is enabled, 802.1X authentication for a port fails if the Filter-ID attribute contains invalid information, or if insufficient system resources are available to implement the per-user IP ACLs or MAC address filters specified in the Vendor-Specific attribute.

Syntax: [no] dot1x disable-filter-strict-security
The output of the show dot1x and show dot1x config commands has been enhanced to indicate whether strict security mode is enabled or disabled globally and on an interface. Refer to “Displaying 802.1X multiple-host authentication information” on page 975.

Dynamically applying existing ACLs or MAC address filters
When a port is authenticated using 802.

• Dynamically assigned IP ACLs and MAC address filters are subject to the same configuration restrictions as non-dynamically assigned IP ACLs and MAC address filters.

Configuring per-user IP ACLs or MAC address filters
Per-user IP ACLs and MAC address filters make use of the Vendor-Specific (type 26) attribute to dynamically apply filters to ports. Defined in the Vendor-Specific attribute are Brocade ACL or MAC address filter statements.

For example, to enable 802.1X port security on all interfaces on the device, enter the following command.
TurboIron(config-dot1x)#enable all
Syntax: [no] enable all
To enable 802.1X port security on interface 11, enter the following command.
TurboIron(config-dot1x)#enable ethernet 11
Syntax: [no] enable ethernet
The parameter is a valid port number. To enable 802.1X port security on interfaces 11 through 16, enter the following command.

auto – The controlled port is unauthorized until authentication takes place between the Client and Authentication Server. Once the Client passes authentication, the port becomes authorized. This activates authentication on an 802.1X-enabled interface.

NOTE
You cannot enable 802.

Setting the quiet period
If the device is unable to authenticate the Client, the device waits a specified amount of time before trying again. The amount of time the device waits is specified with the quiet-period parameter. The quiet-period parameter can be from 1 – 4294967295 seconds. The default is 60 seconds. For example, to set the quiet period to 30 seconds, enter the following command.

Syntax: auth-max
is a number from 1 – 10. The default is 2.

Specifying the wait interval and number of EAP-request/identity frame retransmissions from the RADIUS server
Acting as an intermediary between the RADIUS Authentication Server and the Client, the device receives RADIUS messages from the RADIUS server, encapsulates them as EAPOL frames, and sends them to the Client.

Specifying a timeout for retransmission of messages to the authentication server
When performing authentication, the device receives EAPOL frames from the Client and passes the messages on to the RADIUS server. The device expects a response from the RADIUS server within 30 seconds. If the RADIUS server does not send a response within 30 seconds, the device retransmits the message to the RADIUS server.

TurboIron(config)#dot1x-enable
TurboIron(config-dot1x)#auth-fail-action restricted-vlan
Syntax: [no] auth-fail-action restricted-vlan
To specify the ID of the restricted VLAN as VLAN 300, enter the following command.

As a shortcut, use the command [no] mac-session-aging to enable or disable aging for permitted and denied sessions.

Specifying the aging time for blocked clients
When the device is configured to drop traffic from non-authenticated Clients, traffic from the blocked Clients is dropped in hardware, without being sent to the CPU. A Layer 2 CAM entry is created that drops traffic from the blocked Client MAC address in hardware.
Displaying 802.1X information Once the success timeout action is enabled, use the no form of the command to reset the RADIUS timeout behavior to retry. Syntax: timeout restrict-fwd-period The parameter is a value from 0 to 32767. The default value is 10. Configuring a timeout action to cancel 802.1X authentication for Non-802.1x clients Normally, the Brocade-specific attribute obtained from the RADIUS server identifies a client as not 802.1X-capable and tells the switch not to perform 802.
Displaying 802.1X information Displaying 802.1X configuration information To display information about the 802.1X configuration on the device, enter the following command.
Displaying 802.1X information TABLE 146 Output from the show dot1x command (Continued) This field... Displays... max-req The number of times the device retransmits an EAP-request/identity frame if it does not receive an EAP-response/identity frame from a Client (default 2 times). Refer to “Setting the maximum number of EAP frame retransmissions” on page 964 for information on how to change this setting.
Displaying 802.1X information TABLE 147 Output from the show dot1x config command for an interface (Continued) This field... Displays... AdminControlledDirections Indicates whether an unauthorized controlled port exerts control over communication in both directions (disabling both reception of incoming frames and transmission of outgoing frames), or just in the incoming direction (disabling only reception of incoming frames). On devices, this parameter is set to BOTH.
Displaying 802.1X information TABLE 148 Output from the show dot1x statistics command This field... Displays... RX EAPOL Start The number of EAPOL-Start frames received on the port. RX EAPOL Logoff The number of EAPOL-Logoff frames received on the port. RX EAPOL Invalid The number of invalid EAPOL frames received on the port. RX EAPOL Total The total number of EAPOL frames received on the port.
Displaying 802.1X information
TurboIron#show interface e 2
FastEthernet2 is up, line protocol is up
Hardware is FastEthernet, address is 0000.00a0.4681 (bia 0000.00a0.
Displaying 802.1X information
TurboIron#show dot1x ip-ACL
Port 3 (User defined IP ACLs):
Extended IP access list Port_3_E_IN
permit udp any any
Extended IP access list Port_3_E_OUT
permit udp any any
Syntax: show dot1x ip-ACL
Displaying dynamically applied MAC filters and IP ACLs
To display the dynamically applied MAC address filters active on an interface, enter a command such as the following.
TurboIron#show dot1x mac-address-filter e 3
Port 3 MAC Address Filter information:
802.
Displaying 802.1X information • The number of users connected on each port in a 802.1X multiple-host configuration Displaying 802.1X multiple-host configuration information The output of the show dot1x and show dot1x config commands displays information related to 802.1X multiple-host authentication. The following is an example of the output of the show dot1x command. The information related to multiple-host authentication is highlighted in bold.
Displaying 802.1X information
TurboIron#show dot1x config e 1
Port-Control           : control-auto
filter strict security : Enable
PVID State             : Restricted (10)
Original PVID          : 10
PVID mac total         : 1
PVID mac authorized    : 0
num mac sessions       : 1
num mac authorized     : 0
Syntax: show dot1x config ethernet
The parameter is a valid port number. The following table lists the fields in the display.
TABLE 150 Output from the show dot1x config command
This field... Displays...
Displaying 802.1X information
Example
TurboIron#show dot1x mac-session
Port  MAC/(username)       Vlan  Auth State  ACL   Age  PAE State
----------------------------------------------------------------------------
1     0000.0098.24f7 :User  10    permit      none  S20  AUTHENTICATED
Syntax: show dot1x mac-session
Table 151 lists the new fields in the display.
TABLE 151 Output from the show dot1x mac-session command
This field... Displays...
Port The port on which the dot1x-mac-session exists.
Sample 802.1X configurations
[Remaining rows of the show dot1x mac-session brief output, for ports 7 through 16: each shows 0 in both numeric columns and no in the three yes/no columns.]
Syntax: show dot1x mac-session brief
The following table describes the information displayed by the show dot1x mac-session brief command.
TABLE 152 Output from the show dot1x mac-session brief command
This field... Displays...
Port Information about the users connected to each port.
Sample 802.1X configurations
The following commands configure the device in Figure 120.
TurboIron(config)#aaa authentication dot1x default radius
TurboIron(config)#radius-server host 192.168.9.
Sample 802.1X configurations
TurboIron(config)#interface e 3
TurboIron(config-if-e10000-3)#dot1x port-control auto
TurboIron(config-if-e10000-3)#exit
Hub configuration
Figure 121 illustrates a configuration where three 802.1X-enabled Clients are connected to a hub, which is connected to a port on the device. The configuration is similar to that in Figure 120, except that 802.1X port security is enabled on only one port, and the multiple-hosts command is used to allow multiple Clients on the port.
Sample 802.1X configurations
The following commands configure the device in Figure 121.
TurboIron(config)#aaa authentication dot1x default radius
TurboIron(config)#radius-server host 192.168.9.
Sample 802.1X configurations
TurboIron(config)#interface e 1
TurboIron(config-if-e10000-1)#dot1x port-control auto
TurboIron(config-if-e10000-1)#dot1x multiple-hosts
TurboIron(config-if-e10000-1)#exit
802.1X Authentication with dynamic VLAN assignment
Figure 122 illustrates 802.1X authentication with dynamic VLAN assignment. In this configuration, two user PCs are connected to a hub, which is connected to port e2. Port e2 is configured as a dual-mode port. Both PCs transmit untagged traffic.
Using multi-device port authentication and 802.1X security on the same port In this example, the PVID for port e2 would be changed based on the first host to be successfully authenticated. If User 1 is authenticated first, then the PVID for port e2 is changed to VLAN 3. If User 2 is authenticated first, then the PVID for port e2 is changed to VLAN 20.
Using multi-device port authentication and 802.1X security on the same port When both of these features are enabled on the same port, multi-device port authentication is performed prior to 802.1X authentication. If multi-device port authentication is successful, 802.1X authentication may be performed, based on the configuration of a vendor-specific attribute (VSA) in the profile for the MAC address on the RADIUS server.
Using multi-device port authentication and 802.1X security on the same port TABLE 153 Brocade vendor-specific attributes for RADIUS Attribute Name Attribute ID Data Type Description Foundry-802_1x-enable 6 integer Specifies whether 802.1X authentication is performed when multi-device port authentication is successful for a device. This attribute can be set to one of the following: 0 Do not perform 802.1X authentication on a device that passes multi-device port authentication.
Using multi-device port authentication and 802.1X security on the same port NOTE This example assumes that the IP phone initially transmits untagged packets (for example, CDP or DHCP packets), which trigger the authentication process on the device and client lookup on the RADIUS server. If the phone sends only tagged packets and the port (e 3) is not a member of that VLAN, authentication would not occur. In this case, port e 3 must be added to that VLAN prior to authentication.
Using multi-device port authentication and 802.1X security on the same port When the PC MAC address is authenticated, the Access-Accept message from the RADIUS server specifies that the PVID for the PC port be changed to the VLAN named “Login-VLAN”, which is VLAN 1024. The Foundry-802_1x-enable attribute is set to 1, meaning that 802.1X authentication is required for this MAC address. The PVID of the port 3 is temporarily changed to VLAN 1024, pending 802.1X authentication.
Using multi-device port authentication and 802.1X security on the same port Multi-device port authentication is initially performed for both devices. The IP phone MAC address has a profile on the RADIUS server. This profile indicates that 802.1X authentication should be skipped for this device, and that the device port be placed into the VLAN named “IP-Phone-VLAN”. Since there is no profile for the PC MAC address on the RADIUS server, multi-device port authentication for this MAC address fails.
Chapter 31 Using the MAC Port Security Feature
In this chapter
• Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Configuring the MAC port security feature. . . . . . . . . . . . . . . . . . . . . . . . . .
• Clearing port security statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Displaying port security information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the MAC port security feature Besides the maximum of 64 local resources available to an interface, there are additional global resources. Depending on flash memory size, a device can have 1024, 2048, or 4096 global resources available. When an interface has secured enough MAC addresses to reach its limit for local resources, it can secure additional MAC addresses by using global resources. Global resources are shared among all the interfaces on a first-come, first-served basis.
Configuring the MAC port security feature
TurboIron(config)#port security
TurboIron(config-port-security)#no enable
To enable the feature on a specific interface, enter the following commands.
TurboIron(config)#int e 11
TurboIron(config-if-e10000-11)#port security
TurboIron(config-port-security-e10000-11)#enable
Syntax: port security
Syntax: [no] enable
Setting the maximum number of secure MAC addresses for an interface
When port security is enabled, an interface can store one secure MAC address.
Configuring the MAC port security feature
On an untagged interface
To specify a secure MAC address on an untagged interface, enter commands such as the following.
TurboIron(config)#int e 11
TurboIron(config-if-e10000-11)#port security
TurboIron(config-port-security-e10000-11)#secure-mac-address 0000.0018.747C
Syntax: [no] secure-mac-address
On a tagged interface
When specifying a secure MAC address on a tagged interface, you must also specify the VLAN ID.
Configuring the MAC port security feature Specifying the action taken when a security violation occurs A security violation can occur when a user tries to connect to a port where a MAC address is already locked, or the maximum number of secure MAC addresses has been exceeded. When a security violation occurs, an SNMP trap and Syslog message are generated.
Clearing port security statistics
TurboIron(config)#int e 11
TurboIron(config-if-e10000-11)#port security
TurboIron(config-port-security-e10000-11)#violation shutdown 5
Syntax: violation shutdown
You can specify from 0 – 1440 minutes. Specifying 0 shuts down the port permanently when a security violation occurs.
Clearing port security statistics
You can clear restricted MAC addresses and violation statistics from ports globally (on all ports) or on individual ports.
Displaying port security information
Displaying port security settings
You can display the port security settings for an individual port or for all the ports on a specified module. For example, to display the port security settings for port 11, enter the following command.
TurboIron#show port security e 11
Port   Security  Violation  Shutdown-Time  Age-Time  Max-MAC
-----  --------  ---------  -------------  --------  -------
11     disabled  shutdown   10             10        1
Syntax: show port security ethernet
Displaying port security information Displaying port security statistics You can display port security statistics for an interface or for a module. For example, to display port security statistics for interface 11, enter the following command.
Chapter 32 Configuring Multi-Device Port Authentication
In this chapter
• How multi-device port authentication works . . . . . . . . . . . . . . . . . . . . . . . . 999
• Using multi-device port authentication and 802.1X security on the same port 1001
• Configuring multi-device port authentication . . . . . . . . . . . . . . . . . . . . . 1003
• Displaying multi-device port authentication information . . . . . . . . . . . . .
How multi-device port authentication works The RADIUS server is configured with the usernames and passwords of authenticated users. For multi-device port authentication, the username and password are the MAC address itself; that is, the device uses the MAC address for both the username and the password in the request sent to the RADIUS server. For example, given a MAC address of 0007e90feaa1, the users file on the RADIUS server would be configured with a username and password both set to 0007e90feaa1.
Using multi-device port authentication and 802.1X security on the same port Support for dynamic VLAN assignment The multi-device port authentication feature supports dynamic VLAN assignment, where a port can be placed in one or more VLANs based on the MAC address learned on that interface. For details about this feature, refer to “Configuring the RADIUS server to support dynamic VLAN assignment” on page 1007.
Using multi-device port authentication and 802.1X security on the same port 4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message, and is set to 0, then 802.1X authentication is skipped. The device is authenticated, and any dynamic VLANs specified in the Access-Accept message returned during multi-device port authentication are applied to the port. 5. If 802.
Configuring multi-device port authentication If neither of these VSAs exist in a device profile on the RADIUS server, then by default the device is subject to multi-device port authentication (if configured), then 802.1X authentication (if configured). The RADIUS record can be used for both multi-device port authentication and 802.1X authentication.
Configuring multi-device port authentication
Example
TurboIron(config)#interface e 1
TurboIron(config-if-e10000-1)#mac-authentication enable
Syntax: [no] mac-authentication enable
You can also configure multi-device port authentication commands on a range of interfaces.
Configuring multi-device port authentication Note that the restricted VLAN must already exist on the device. You cannot configure the restricted VLAN to be a non-existent VLAN. If the port is a tagged or dual-mode port, you cannot use a restricted VLAN as the authentication-failure action. To configure the device to drop traffic from non-authenticated MAC addresses in hardware, enter commands such as the following.
Configuring multi-device port authentication Configuring dynamic VLAN assignment An interface can be dynamically assigned to one or more VLANs based on the MAC address learned on that interface. When a MAC address is successfully authenticated, the RADIUS server sends the device a RADIUS Access-Accept message that allows the device to forward traffic from that MAC address. The RADIUS Access-Accept message can also contain attributes set for the MAC address in its access profile on the RADIUS server.
Configuring multi-device port authentication • For tagged or dual-mode ports, if the VLAN ID provided by the RADIUS server does not match the VLAN ID in the tagged packet that contains the authenticated MAC address as its source address, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.
Configuring multi-device port authentication You can optionally specify an alternate VLAN to which to move the port when the MAC session for the address is deleted. For example, to place the port in the restricted VLAN, enter commands such as the following.
Configuring multi-device port authentication The dynamic IP ACL is active as long as the client is connected to the network. When the client disconnects from the network, the IP ACL is no longer applied to the port. If an IP ACL had been applied to the port prior to multi-device port authentication, it is re-applied to the port. The device uses information in the Filter ID to apply an IP ACL on a per-user basis.
Configuring multi-device port authentication Configuring the RADIUS server to support dynamic IP ACLs When a port is authenticated using multi-device port authentication, an IP ACL filter that exists in the running-config file on the device can be dynamically applied to the port. To do this, you configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the IP ACL.
Configuring multi-device port authentication
TurboIron(config)#interface e 1
TurboIron(config-if-e10000-1)#mac-authentication dos-protection enable
To specify a maximum rate for RADIUS authentication attempts, enter commands such as the following.
TurboIron(config)#interface e 1
TurboIron(config-if-e10000-1)#mac-authentication dos-protection mac-limit 256
Syntax: [no] mac-authentication dos-protection mac-limit
You can specify a rate from 1 – 65535 authentication attempts per second.
Configuring multi-device port authentication You can optionally disable aging for MAC addresses subject to authentication, either for all MAC addresses or for those learned on a specified interface. Globally disabling aging of MAC addresses On most devices, you can disable aging for all MAC addresses on all interfaces where multi-device port authentication has been enabled by entering the following command.
Configuring multi-device port authentication Specifying the aging time for blocked MAC addresses When the device is configured to drop traffic from non-authenticated MAC addresses, traffic from the blocked MAC addresses is dropped in hardware, without being sent to the CPU. A Layer 2 CAM entry is created that drops traffic from the blocked MAC address in hardware. If no traffic is received from the blocked MAC address for a certain amount of time, this Layer 2 CAM entry is aged out.
Configuring multi-device port authentication Deny User access to the network after a RADIUS timeout To set the RADIUS timeout behavior to bypass multi-device port authentication and block user access to the network, enter commands such as the following.
Displaying multi-device port authentication information Limiting the number of authenticated MAC addresses You cannot enable MAC port security on the same port that has multi-device port authentication enabled. To simulate the function of MAC port security, you can enter a command such as the following.
Displaying multi-device port authentication information Displaying multi-device port authentication configuration information To display information about the multi-device port authentication configuration, enter the following command.
Displaying multi-device port authentication information The parameter is a valid port number. The following table describes the information displayed by the show authenticated-mac-address command for a specified MAC address or port. TABLE 161 Output from the show authenticated-mac-address address command This field... Displays... MAC/IP Address The MAC address for which information is displayed.
Displaying multi-device port authentication information
Displaying multi-device port authentication information for a port
To display a summary of Multi-Device Port Authentication for ports on a device, enter the following command.
TurboIron#show auth-mac-addresses ethernet 1
------------------------------------------------------------------------------
MAC Address  Port  Vlan  Authenticated  Time  Age  Dot1x
------------------------------------------------------------------------------
0000.0000.
Displaying multi-device port authentication information
TurboIron#show auth-mac-addresses detailed ethernet 23
Port                        : 23
Dynamic-Vlan Assignment     : Enabled
RADIUS failure action       : Block Traffic
Failure restrict use dot1x  : No
Override-restrict-vlan      : Yes
Port Default VLAN           : 101 ( RADIUS assigned: No) (101)
Port Vlan State             : DEFAULT
802.
Displaying multi-device port authentication information TABLE 163 Output from the show auth-mac-addresses detailed command (Continued) This field... Displays... Port VLAN state Indicates the state of the port VLAN. The State can be one of the following: “Default”, “RADIUS Assigned” or “Restricted”. 802.1X override Dynamic PVID Indicates if 802.1X can dynamically assign a Port VLAN ID (PVID).
Displaying multi-device port authentication information TABLE 163 Output from the show auth-mac-addresses detailed command (Continued) This field... Displays... RADIUS Server The IP address of the RADIUS server used for authenticating the MAC addresses. Authenticated Whether the MAC address has been authenticated by the RADIUS server. Time The time at which the MAC address was authenticated. If the clock is set on the device, then the actual date and time are displayed.
Chapter 33 Protecting Against Denial of Service Attacks In this chapter • Protecting against Smurf attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1023 • Protecting against TCP SYN attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1025 Protecting against Smurf attacks This chapter explains how to protect your devices from Denial of Service (DoS) attacks. In a Denial of Service (DoS) attack, a router is flooded with useless packets, hindering normal operation.
Protecting against Smurf attacks Avoiding being a victim in a Smurf attack You can configure the device to drop ICMP packets when excessive numbers are encountered, as is the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP packets that are targeted at the router itself or passing through an interface, and drop them when the thresholds are exceeded. Protection against ICMP attacks The ICMP flood attack protection is implemented in hardware on devices.
Protecting against TCP SYN attacks Protecting against TCP SYN attacks TCP SYN attacks exploit the process of how TCP connections are established in order to disrupt normal traffic flow. When a TCP connection starts, the connecting host first sends a TCP SYN packet to the destination host. The destination host responds with a SYN ACK packet, and the connecting host sends back an ACK packet. This process, known as a “TCP three-way handshake”, establishes the TCP connection.
Protecting against TCP SYN attacks The device supports the following burst-normal, burst-max, and lockup values. The number of incoming TCP SYN packets per second is measured and compared to the threshold values as follows: • If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped. • If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of seconds specified by the lockup value.
Protecting against TCP SYN attacks • If the RST bit is set and the sequence number is outside the expected window, the device silently drops the segment. • If the RST bit is set and the sequence number is exactly the next expected sequence number, the device resets the connection. • If the RST bit is set and the sequence number does not exactly match the next expected sequence value, but is within the acceptable window, the device sends an acknowledgement.
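The two protections described above, the per-second SYN thresholds (burst-normal, burst-max, lockup) and the three RST sequence-number rules, modelled in Python. This is an added example, not Brocade code; the threshold values, the sample per-second SYN counts and the receive window are constructed. The text does not say whether the second that crosses burst-max is itself counted among the lockup seconds, so the model assumes it is; the 32-bit wrap-around arithmetic for sequence numbers is standard TCP behaviour, not something the page states.

```python
"""Added example: TCP SYN burst thresholds and RST sequence checks.

Not Brocade code. Models the behaviour described in the text.
"""
from typing import List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


class SynGuard:
    """Per-second SYN accounting with burst-normal, burst-max and lockup.

    Assumption (the text does not say): a second whose SYN count exceeds
    burst-max is fully dropped and counts as the first of the `lockup`
    locked seconds.
    """

    def __init__(self, burst_normal: int, burst_max: int, lockup: int):
        if not 0 < burst_normal <= burst_max:
            raise ValueError("need 0 < burst-normal <= burst-max")
        self.burst_normal = burst_normal
        self.burst_max = burst_max
        self.lockup = lockup
        self.locked_seconds_left = 0

    def process_second(self, syn_count: int) -> Tuple[int, int]:
        """Return (accepted, dropped) SYN counts for one one-second interval."""
        if self.locked_seconds_left > 0:
            # Still inside a lockup: every SYN is dropped.
            self.locked_seconds_left -= 1
            return 0, syn_count
        if syn_count > self.burst_max:
            # Crossing burst-max starts a lockup that includes this second.
            self.locked_seconds_left = max(self.lockup - 1, 0)
            return 0, syn_count
        if syn_count > self.burst_normal:
            # Between the thresholds only the excess over burst-normal is dropped.
            return self.burst_normal, syn_count - self.burst_normal
        return syn_count, 0


def simulate(counts: List[int], burst_normal: int = 20,
             burst_max: int = 100, lockup: int = 3):
    """Run a list of per-second SYN counts through a SynGuard."""
    guard = SynGuard(burst_normal, burst_max, lockup)
    per_second = [guard.process_second(c) for c in counts]
    accepted = sum(a for a, _ in per_second)
    dropped = sum(d for _, d in per_second)
    return per_second, accepted, dropped


def classify_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Apply the three RST rules to a segment with the RST bit set.

    Returns "reset" (exact match), "ack" (inside the window but not the
    next expected value) or "drop" (outside the window).
    """
    offset = (seq - rcv_nxt) % SEQ_MOD  # distance from the next expected byte
    if offset == 0:
        return "reset"
    if offset < rcv_wnd:
        return "ack"
    return "drop"


if __name__ == "__main__":
    # Constructed sample: a quiet second, a mild burst, a flood, then recovery.
    print(simulate([10, 25, 150, 5, 5, 5, 30]))
    print(classify_rst(1200, 1000, 500), classify_rst(50, 2**32 - 100, 500))
```

The `ack` branch is what makes blind RST injection expensive for an attacker: a guessed in-window sequence number does not tear the connection down, and the acknowledgement the device sends lets a legitimate peer re-send a RST with the exact sequence number.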
Protecting against TCP SYN attacks Displaying statistics about packets dropped due to DoS attacks To display information about ICMP and TCP SYN packets dropped because burst thresholds were exceeded, enter the following command.
Chapter 34 Configuring Rate Limiting and Rate Shaping
In this chapter
• Rate limiting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
• Rate limiting in hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
• Rate shaping overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
Rate limiting overview
This chapter describes how to configure rate limiting and rate shaping.
Rate limiting in hardware How Fixed Rate Limiting works Fixed Rate Limiting counts the number of kilobits that a port receives, in one second intervals. If the number exceeds the maximum number you specify when you configure the rate, the port drops all further inbound packets for the duration of the one-second interval. Once the one-second interval is complete, the port clears the counter and re-enables traffic. Figure 126 shows an example of how Fixed Rate Limiting works.
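The one-second counting behaviour described above, as an added example in Python (not Brocade code). It assumes 1 kilobit = 1024 bits, so a 64 kbps policy admits 65536 bits, or 8192 bytes, per interval; that intervals are aligned to whole seconds starting at t = 0; and that the packet which first pushes the counter over the limit is still received, with everything after it in that interval dropped. The packet trace is constructed.

```python
"""Added example: Fixed Rate Limiting as a per-second counter.

Not Brocade code. Assumptions: 1 kilobit = 1024 bits, one-second
intervals aligned to whole seconds, and the packet that crosses the
limit is still forwarded while later packets in the interval are dropped.
"""
import math
from typing import List, Tuple

KILOBIT = 1024  # assumption: binary kilobit


def bytes_per_interval(rate_kbps: int) -> int:
    """Bytes admitted per one-second interval for a given rate in kbps."""
    return rate_kbps * KILOBIT // 8


class FixedRateLimiter:
    def __init__(self, rate_kbps: int):
        self.limit_bits = rate_kbps * KILOBIT
        self.interval = -1       # index of the current one-second interval
        self.counter_bits = 0    # bits received so far in that interval

    def receive(self, timestamp: float, length_bytes: int) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        interval = math.floor(timestamp)
        if interval != self.interval:
            # New one-second interval: clear the counter and re-enable traffic.
            self.interval = interval
            self.counter_bits = 0
        if self.counter_bits > self.limit_bits:
            # Limit already exceeded earlier in this interval: drop.
            return False
        self.counter_bits += length_bytes * 8
        return True


def run(packets: List[Tuple[float, int]], rate_kbps: int = 64):
    """Apply the limiter to (timestamp, length_bytes) pairs."""
    limiter = FixedRateLimiter(rate_kbps)
    decisions = [limiter.receive(t, n) for t, n in packets]
    return decisions, decisions.count(True), decisions.count(False)


# Constructed trace: seven 1500-byte frames in the first second, one in the next.
SAMPLE = [(0.1, 1500), (0.2, 1500), (0.3, 1500), (0.4, 1500),
          (0.5, 1500), (0.6, 1500), (0.7, 1500), (1.2, 1500)]

if __name__ == "__main__":
    print(bytes_per_interval(64), run(SAMPLE))
```

Because the counter is cleared at each interval boundary rather than refilled gradually, a source that front-loads its traffic can consume the whole allowance in the first milliseconds of every second; the policy bounds average throughput, not burstiness within the second.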
Rate limiting in hardware
Configuring a port-based rate limiting policy
To configure rate limiting on a TurboIron port, enter commands such as the following.
TurboIron(config)#interface ethernet 24
TurboIron(config-if-e10000-24)#rate input fixed 64
These commands configure a fixed rate limiting policy that allows port 24 to receive a maximum of 64 kilobits per second (65536 bytes per second).
Rate shaping overview Syntax: show rate-limit fixed The command lists the ports on which fixed rate limiting is configured, and provides the information listed in Table 165 for each of the ports. TABLE 165 CLI display of Fixed Rate Limiting information This field... Displays... Total rate-limited interface count The total number of ports that are configured for Fixed Rate Limiting. Port The port number. Configured Input Rate The maximum rate requested for inbound traffic.
Rate shaping overview
Configuring outbound rate shaping for a port
To configure the maximum rate at which outbound traffic is sent out on a port, enter commands such as the following.
TurboIron(config)#interface e 2
TurboIron(config-if-e10000-2)#rate-limit output shaping 1300
• The configured 1300 Kbps outbound rate shaping on port 2 is rounded up to the nearest value programmable by the hardware, which is 1344 Kbps. This value is the actual limit on the port for outbound traffic.
Rate shaping overview
TurboIron#show rate-limit output-shaping
Outbound Rate Shaping Limits in Kbps:
Port PortMax Prio0 Prio1 Prio2 Prio3 Prio4 Prio5 Prio6 Prio7
[row values for ports 1 and 2 as extracted, column order lost: 1 2 1302 15 651 - - - - - 651 -]
The display lists the ports on a device, the configured outbound rate shaper on a port and for a priority for a port.
Chapter 35 Configuring Quality of Service
In this chapter
• Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• QoS queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Configuring DSCP-based QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Classification • Layer 3 Differentiated Service codepoint (DSCP) – This is the value in the six most significant bits of the IP packet header 8-bit DSCP field. It can be a value from 0 – 63. These values are described in RFCs 2472 and 2475. The DSCP value is sometimes called the DiffServ value. The device automatically maps a packet's DSCP value to a hardware forwarding queue. Refer to “Viewing QoS settings” on page 1049.
Classification
[Figure: packet classification flowchart. A packet received on an ingress port is checked in order: does it match an ACL that defines a priority? (yes: trust the DSCP/CoS mapping or the DSCP marking); does the port have trust DSCP enabled? (yes: trust the DSCP/ToS value); is the packet tagged? (yes: trust the 802. … value; remainder truncated in extraction).]
Classification Once a packet is classified by one of the procedures mentioned, it is mapped to an internal forwarding queue. There are eight queues designated as 0 to 7. The internal forwarding priority maps to one of these eight queues as shown in Table 166 through Table 169. The mapping between the internal priority and the forwarding queue cannot be changed. Table 166 through Table 169 show the default QoS mappings that are used if the trust level for CoS or DSCP is enabled.
QoS queues
TABLE 169 Default QoS mappings, columns 48 to 63 (Continued)
DSCP value 48 – 55: Internal Forwarding Priority 6, Forwarding Queue 6
DSCP value 56 – 63: Internal Forwarding Priority 7, Forwarding Queue 7
Mapping between DSCP value and Forwarding Queue cannot be changed.
QoS queues The following sections describe how to change the priority for each of the items listed above. Although it is possible for a packet to qualify for an adjusted QoS priority based on more than one of the criteria listed in the section above, the system always gives a packet the highest priority for which it qualifies.
Marking Buffer allocation/threshold for QoS queues By default, Ironware software allocates a certain number of buffers to the outbound transport queue for each port based on QoS priority. The buffers control the total number of packets permitted in the outbound queue for the port. If desired, you can increase or decrease the maximum number of outbound transmit buffers allocated to all QoS queues, or to specific QoS queues on a port or group of ports.
Configuring the QoS mappings Application notes • DSCP-based QoS is not automatically honored for routed and switched traffic. The default is 802.1p to CoS mapping. To honor DSCP-based QoS, you must change the priority mapping to DSCP to CoS mapping. Refer to “Using ACLs to honor DSCP-based QoS” on page 1042. • When DSCP marking is enabled, the device changes the contents of the inbound packet ToS field to match the DSCP-based QoS value.
Configuring the QoS mappings TABLE 171 Default DSCP to internal forwarding priority mappings (Continued) Internal forwarding priority DSCP value 6 48 – 55 7 (highest priority queue) 56 – 63 Notice that DSCP values range from 0 – 63, whereas the internal forwarding priority values range from 0 – 7. Any DSCP value within a given range is mapped to the same internal forwarding priority value. For example, any DSCP value from 8 – 15 maps to priority 1.
Configuring the QoS mappings These commands configure the mappings displayed in the DSCP to forwarding priority portion of the QoS information display. To read this part of the display, select the first part of the DSCP value from the d1 column and select the second part of the DSCP value from the d2 row. For example, to read the DSCP to forwarding priority mapping for DSCP value 24, select 2 from the d1 column and select 4 from the d2 row.
Scheduling
• qosp3
• qosp2
• qosp1
• qosp0
Scheduling
Scheduling is the process of mapping a packet to an internal forwarding queue based on its QoS information, and servicing the queues according to a mechanism.
QoS Queuing methods
The following QoS queuing methods are supported.
• Weighted round robin (WRR) – WRR ensures that all queues are serviced during each cycle. A weighted fair queuing algorithm is used to rotate service among the eight queues on the devices.
Scheduling By default, when you specify the combined SP and WRR queuing method, the system balances the traffic among the queues as shown in Table 173. If desired, you can change the default bandwidth values as instructed in the section “Changing the bandwidth allocations of the hybrid WRR and SP queues” on page 1048.
Scheduling Syntax: qos name The parameter specifies the name of the queue before the change. The parameter specifies the new name of the queue. You can specify an alphanumeric string up to 32 characters long.
Scheduling
TurboIron(config)#qos profile qosp7 25 qosp6 15 qosp5 12 qosp4 12 qosp3 10 qosp2 10 qosp1 10 qosp0 6
Profile qosp7 : Priority7 bandwidth requested 25%
Profile qosp6 : Priority6 bandwidth requested 15%
Profile qosp5 : Priority5 bandwidth requested 12%
Profile qosp4 : Priority4 bandwidth requested 12%
Profile qosp3 : Priority3 bandwidth requested 10%
Profile qosp2 : Priority2 bandwidth requested 10%
Profile qosp1 : Priority1 bandwidth requested 10%
Profile qosp0 : Priority0 bandwidth requested 6%
calc
Viewing QoS settings NOTE The percentages must add up to 100. The device does not adjust the bandwidth percentages you enter. In contrast, the BigIron QoS does adjust the bandwidth percentages to ensure that each queue has at least its required minimum bandwidth percentage. Viewing QoS settings To display the QoS settings for all of the queues, enter the show qos-profiles command.
Viewing DSCP-based QoS settings

TurboIron#show qos-tos
DSCP-->Traffic-Class map: (DSCP = d1d2: 00, 01...63)
     d2|  0  1  2  3  4  5  6  7  8  9
 d1    |
-----+---------------------------------------
     0 |  0  0  0  0  0  0  0  0  1  1
     1 |  1  1  1  1  1  1  2  2  2  2
     2 |  2  2  2  2  3  3  3  3  3  3
     3 |  3  3  4  4  4  4  4  4  4  4
     4 |  5  5  5  5  5  5  5  5  6  6
     5 |  6  6  6  6  6  6  7  7  7  7
     6 |  7  7  7  7
Traffic-Class-->802.1p-Priority map (use to derive DSCP--802.1p-Priority):
Traffic | 802.
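The d1/d2 reading rule from “Configuring the QoS mappings” and the DSCP-->Traffic-Class map above, as an added example that is not Brocade's code: it parses a constructed copy of the map portion of the show qos-tos output, looks up an entry the way the text describes (d1 row, d2 column), and checks every entry against the rule the map encodes (traffic class = DSCP // 8, i.e. the high three bits). The sample text and all function names are this example's own.

```python
import re

# Constructed copy of the DSCP-->Traffic-Class portion of "show qos-tos"
# as printed above; it is sample input for this example, not a capture.
SAMPLE_SHOW_QOS_TOS = """\
DSCP-->Traffic-Class map: (DSCP = d1d2: 00, 01...63)
     d2|  0  1  2  3  4  5  6  7  8  9
 d1    |
-----+---------------------------------------
     0 |  0  0  0  0  0  0  0  0  1  1
     1 |  1  1  1  1  1  1  2  2  2  2
     2 |  2  2  2  2  3  3  3  3  3  3
     3 |  3  3  4  4  4  4  4  4  4  4
     4 |  5  5  5  5  5  5  5  5  6  6
     5 |  6  6  6  6  6  6  7  7  7  7
     6 |  7  7  7  7
"""

# A map row: the d1 digit, a bar, then one traffic class per d2 column.
ROW = re.compile(r"^\s*(\d)\s*\|\s*((?:\d\s*)+)$")

def parse_dscp_map(text):
    """Return {dscp: traffic_class} built from the d1 rows and d2 columns."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:            # header, separator and other lines are skipped
            continue
        d1 = int(m.group(1))
        for d2, tc in enumerate(m.group(2).split()):
            table[d1 * 10 + d2] = int(tc)   # DSCP value is the decimal d1d2
    return table

def lookup(table, dscp):
    """Read one entry the way the text describes: d1 selects the row,
    d2 the column (e.g. DSCP 24 -> row 2, column 4)."""
    d1, d2 = divmod(dscp, 10)
    return table[d1 * 10 + d2]

def matches_default_rule(table):
    """True when all 64 entries equal DSCP // 8, the rule the map above
    encodes (DSCP 0-7 -> class 0, 8-15 -> class 1, ..., 56-63 -> class 7)."""
    return all(table.get(d) == d // 8 for d in range(64))
```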
Appendix A Syslog messages

Table 176 lists all of the Syslog messages. Note that some of the messages apply only to Layer 3 Switches. The messages are listed by message level, in the following order, then by message type:
• Emergencies (none)
• Alerts
• Critical
• Errors
• Warnings
• Notifications
• Informational
• Debugging

NOTE This appendix does not list Syslog messages that can be displayed when a debug option is enabled.
TABLE 176 Brocade Syslog messages (Continued)

Message level: Alert
Message: MAC Authentication failed for on (No VLAN Info received from RADIUS server)
Explanation: RADIUS authentication was successful for the specified on the specified ; however, dynamic VLAN assignment was enabled for the port, but the RADIUS Access-Accept message did not include VLAN information. This is treated as an authentication failure.
Message level: Alert
Message: System: No Free Tcam Entry available. System will be unstable
Explanation: The limit for the TCAM routing entries has been reached. You must reboot the device.

Message level: Alert
Message: System: Temperature is over shutdown level, system is going to be reset in seconds
Explanation: The chassis temperature has risen above shutdown level. The system will be shut down in the amount of time indicated.
Message level: Informational
Message: MAC Filter removed from port by from (filter id= )
Explanation: Indicates a MAC filter was removed from the specified port by the specified user during the specified session. The session type can be console, telnet, ssh, web, or snmp. The filter id is a list of the MAC filters that were removed.
Message level: Informational
Message: Bridge topology change, vlan , interface , changed state to
Explanation: A Spanning Tree Protocol (STP) topology change has occurred on a port. The vlan value is the ID of the VLAN in which the STP topology change occurred. The interface value is the port number.
Message level: Informational
Message: DOT1X Port is unauthorized because system resource is not enough or the invalid information to set the dynamic assigned IP ACLs or MAC address filters
Explanation: 802.1X authentication could not take place on the port.
Message level: Informational
Message: MAC Based Vlan Disabled on port
Explanation: A MAC Based VLAN has been disabled on a port.

Message level: Informational
Message: MAC Based Vlan Enabled on port
Explanation: A MAC Based VLAN has been enabled on a port.
Message level: Informational
Message: SSH | telnet server enabled | disabled from console | telnet | ssh | web | snmp session [by user ]
Explanation: A user enabled or disabled an SSH or Telnet session, or changed the SSH enable/disable configuration through the Web, SNMP, console, SSH, or Telnet session.
Message level: Informational
Message: System: Static Mac entry with Mac Address is added to ethe / to / on
Explanation: A MAC address is added to a range of interfaces, which are members of the specified VLAN.
Message level: Informational
Message: vlan Bridge is RootBridge (MsgAgeExpiry)
Explanation: The message age expired on the Root port, so 802.1W changed the current bridge to be the root bridge of the topology.

Message level: Informational
Message: vlan interface Bridge TC Event (DOT1wTransition)
Explanation: 802.1W recognized a topology change event in the bridge.
Message level: Notification
Message: Authentication Enabled on
Explanation: The multi-device port authentication feature was enabled on the specified port.

Message level: Notification
Message: BGP Peer DOWN (IDLE)
Explanation: Indicates that a BGP4 neighbor has gone down. The address shown is the IP address of the neighbor BGP4 interface with the device.
Message level: Notification
Message: Local ICMP exceeds burst packets, stopping for seconds!!
Explanation: The number of ICMP packets exceeds the threshold set by the ip icmp burst command. The device may be the victim of a Denial of Service (DoS) attack. All ICMP packets will be dropped for the number of seconds specified by the configured value.
Message level: Notification
Message: OSPF intf authen failure, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF interface authentication failure has occurred. The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.
Message level: Notification
Message: OSPF intf config error, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF interface configuration error has occurred. The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.
Message level: Notification
Message: OSPF intf rcvd bad pkt: Bad Checksum, rid , intf addr , pkt size , checksum , pkt src addr , pkt type
Explanation: The device received an OSPF packet that had an invalid checksum. The rid is the router ID. The intf addr is the IP address of the interface that received the packet. The pkt size is the number of bytes in the packet.
Message level: Notification
Message: OSPF intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid
Explanation: An OSPF interface on the device has retransmitted a Link State Advertisement (LSA). The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.
Message level: Notification
Message: OSPF nbr state changed, rid , nbr addr , nbr rid , state
Explanation: Indicates that the state of an OSPF neighbor has changed. The rid is the router ID of the device. The nbr addr is the IP address of the neighbor. The nbr rid is the router ID of the neighbor.
Message level: Notification
Message: OSPF virtual intf authen failure, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF virtual routing interface authentication failure has occurred. The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.
Message level: Notification
Message: OSPF virtual intf config error, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF virtual routing interface configuration error has occurred. The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.
Message level: Notification
Message: OSPF virtual intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid
Explanation: An OSPF virtual interface on the device has retransmitted a Link State Advertisement (LSA). The rid is the router ID of the device. The intf addr is the IP address of the interface on the device.
Message level: Notification
Message: OSPF virtual nbr state changed, rid , nbr addr , nbr rid , state
Explanation: Indicates that the state of an OSPF virtual neighbor has changed. The rid is the router ID of the device. The nbr addr is the IP address of the neighbor. The nbr rid is the router ID of the neighbor.
Message level: Notification
Message: VRRP intf state changed, intf , vrid , state
Explanation: A state change has occurred in a Virtual Router Redundancy Protocol (VRRP) interface. The intf is the port. The vrid is the virtual router ID (VRID) configured on the interface.
Message level: Warning
Message: list denied () (Ethernet ) -> (), 1 event(s)
Explanation: Indicates that an Access Control List (ACL) denied (dropped) packets. The list value indicates the ACL number. Numbers 1 – 99 indicate standard ACLs. Numbers 100 – 199 indicate extended ACLs.
Message level: Warning
Message: No global IP! cannot send IGMP msg.
Explanation: The device is configured for ip multicast active but there is no configured IP address and the device cannot send out IGMP queries.

Message level: Warning
Message: No of prefixes received from BGP peer exceeds warning limit
Explanation: The Layer 3 Switch has received more than the allowed percentage of prefixes from the neighbor.
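Three of the Table 176 messages worth alerting on (the ACL deny warning, the ICMP burst notification that the table ties to a possible DoS, and the OSPF interface authentication failure) turned into matching rules, as an added example that is not Brocade's code: the regexes are built from the fixed wording of the messages, the named groups stand in for the field placeholders in the table (group names are this example's own), and the sample messages are constructed, with every address, port, MAC and number made up.

```python
import re
from collections import Counter

# Rules built from the fixed wording of three Table 176 messages; the named
# groups stand in for the table's field placeholders (names are my own).
RULES = [
    ("acl_deny", re.compile(
        r"^list (?P<acl>\d+) denied .+ -> .+, (?P<events>\d+) event\(s\)$")),
    ("icmp_burst", re.compile(
        r"^Local ICMP exceeds (?P<burst>\d+) burst packets, "
        r"stopping for (?P<secs>\d+) seconds!!$")),
    ("ospf_auth_failure", re.compile(
        r"^OSPF (?:virtual )?intf authen failure, rid (?P<rid>\S+), "
        r"intf addr (?P<intf>\S+), pkt src addr (?P<src>\S+), "
        r"error type (?P<err>\S+), pkt type (?P<pkt>\S+)$")),
]

def classify(message):
    """Return (rule name, captured fields), or (None, {}) if no rule matches."""
    for name, rx in RULES:
        m = rx.match(message)
        if m:
            return name, m.groupdict()
    return None, {}

def acl_kind(acl_number):
    """Table 176: numbers 1-99 are standard ACLs, 100-199 are extended ACLs."""
    n = int(acl_number)
    return "standard" if 1 <= n <= 99 else "extended" if 100 <= n <= 199 else "other"

def summarize(messages):
    """Count matches per rule; ACL denies are additionally counted per ACL kind."""
    counts = Counter()
    for msg in messages:
        name, fields = classify(msg)
        if name is None:          # messages not covered by a rule are ignored
            continue
        counts[name] += 1
        if name == "acl_deny":
            counts["acl_deny_" + acl_kind(fields["acl"])] += 1
    return counts

# Constructed sample messages in the Table 176 formats; all values are made up.
SAMPLE_MESSAGES = [
    "list 101 denied tcp 192.0.2.10(4321)(Ethernet 1/3 0000.0000.0001) -> 198.51.100.5(22), 1 event(s)",
    "list 10 denied 192.0.2.44(Ethernet 1/4 0000.0000.0002) -> 198.51.100.9, 1 event(s)",
    "Local ICMP exceeds 5 burst packets, stopping for 10 seconds!!",
    "OSPF intf authen failure, rid 10.0.0.1, intf addr 192.0.2.1, pkt src addr 192.0.2.9, error type 2, pkt type 1",
    "MAC Based Vlan Enabled on port 1/7",
]
```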
Appendix B Software Specifications

In this appendix
• IEEE compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1075
• RFC support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1075
• Internet drafts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080

IEEE compliance

Brocade devices support the following standards.
RFC support

NOTE Some devices support only a subset of the RFCs. For example, Layer 2 Switches do not support router-specific RFCs. For a list of features supported on your device, refer to the data sheet or the software release notes for the version of software running on your device.
TABLE 178 Brocade RFC support (Continued)
RFC number | Protocol or Standard | TurboIron X Series
1493 | Bridge MIB (excluding filtering of objects) | Yes
1516 | Repeater MIB | Yes
1519 | Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy | Yes
1541 | Dynamic Host Configuration Protocol (DHCP) | Yes
1542 | BootP Extensions | Yes
1573 | SNMP MIB II | Yes
1591 | Domain Name System (DNS) Structure and Delegation | Yes
1643 | Ethernet Interface MIB | Yes
1757 | Remote Moni
2570 | Introduction to version 3 of the Internet-standard Network Management Framework | Yes
2571 | An Architecture for Describing SNMP Management Frameworks | Yes
2572 | Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) | Yes
2573 | SNMP version 3 Applications | Yes
2574 | User-based Security (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
3413 | Simple Network Management Protocol (SNMP) Applications | Yes
3414 | User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMP V3) | Yes
3415 | View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) | Yes
3416 | Version 2 of the Protocol Operations for the SNMP | Yes
3418 | Management Information Base (MIB) for the Simple Networ
SSH V 1.5 | Yes
SSH V 2 | Yes
SNMP V1, V2c, and V3 | Yes
TACACS/TACACS+ | Yes
TELNET and SSH V1 | Yes
UDLD | Yes
Username or Password (challenge and response) | Yes

Internet drafts

In addition to the RFCs listed in “RFC support” on page 1075, Brocade devices support the following Internet drafts:
• draft-ietf-magma-igmp-proxy.txt
• TACACS+ Protocol version 1.
Appendix C NIAP-CCEVS Certification

In this appendix
• NIAP-CCEVS certified TurboIron X Series equipment and Ironware releases 1081
• Local user password changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082

TurboIron X Series devices have passed the Common Criteria (CC) certification testing.
Local user password changes

Please note that if existing usernames and passwords have been configured on a device with specific privilege levels (super-user, read-only, port-config), and if you attempt to change a user's password by executing the following syntax:

Brocade-Device(config)#user fdryreadonly password value

the privilege level of this particular user will be changed from its current value to "super-user".
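A pre-change review check for the side effect just described, as an added example that is not Brocade's code: given an inventory of existing local users and their current levels, it flags every "user <name> password <value>" command (the form shown above) that would move a user currently at read-only or port-config to super-user. The inventory, the user names other than fdryreadonly, the change set and the regex are this example's own assumptions, not device output.

```python
import re

# Constructed inventory of existing local users and their privilege levels
# (the three level names are the ones the appendix lists); this is sample
# data for the example, not output from a device.
EXISTING_USERS = {
    "fdryreadonly": "read-only",
    "netops": "port-config",
    "admin": "super-user",
}

# The password-change form shown in the appendix: user <name> password <value>
USER_PASSWORD_CMD = re.compile(r"^\s*user\s+(\S+)\s+password\s+\S+\s*$")

def privilege_reset_risks(existing_users, commands):
    """Return (name, current level, resulting level) for each command that
    would raise an existing user's privilege level.

    Per the appendix, running "user <name> password <value>" on an existing
    user changes that user's level to super-user, so any such command for a
    user currently at a lower level is reported before the change is applied."""
    findings = []
    for cmd in commands:
        m = USER_PASSWORD_CMD.match(cmd)
        if not m:
            continue
        name = m.group(1)
        level = existing_users.get(name)
        if level is not None and level != "super-user":
            findings.append((name, level, "super-user"))
    return findings

# Constructed change set to review: the first command is the appendix's case,
# the second targets a user who is already super-user, and the third names a
# user not in the inventory, so the appendix's statement does not apply to it.
PROPOSED_COMMANDS = [
    "user fdryreadonly password value",
    "user admin password value2",
    "user newuser password value3",
]
```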