Dell PowerConnect B-RX Configuration Manual

BigIron RX Series Configuration Guide v02.7.02

53-1001810-01
January 31, 2010
BigIron RX

Configuration Guide

Supporting Multi-Service IronWare v02.7.02

Summary of Contents for Dell PowerConnect B-RX

  • Page 1: Configuration Guide

    53-1001810-01 January 31, 2010 BigIron RX Configuration Guide Supporting Multi-Service IronWare v02.7.02 53-1001810-01 *53-1001810-01*...
  • Page 2 Trademarks used in this text: Dell, the DELL logo, Inspiron, Dell Precision, Dimension, OptiPlex, Latitude, PowerEdge, PowerVault, PowerApp, Dell OpenManage and the YOURS IS HERE logo are trademarks of Dell Inc.; Intel, Pentium, and Celeron are registered trademarks of Intel Corporation in the U.S.
  • Page 3: Table Of Contents

    Contents: About This Document; In this chapter (p. xli); Audience ...
  • Page 4 Logging on through the CLI (p. 1); On-line help (p. 2); Command completion ...
  • Page 5 Monitoring management module redundancy (p. 35); Determining management module status (p. 35); Displaying temperature information ...
  • Page 6 Configuring SSL security for the Web Management Interface (p. 78); Enabling the SSL server on the device (p. 78); Importing digital certificates and RSA private key files ...
  • Page 7 Configuring an interface as the source for all TFTP packets (p. 119); Configuring an interface as the source for Syslog packets (p. 120); Specifying a Simple Network Time Protocol (SNTP) server (p. 121); Setting the system clock ...
  • Page 8 Mirror ports for Policy-Based Routing (PBR) traffic (p. 143); About hardware-based PBR (p. 143); Configuring mirror ports for PBR traffic ...
  • Page 9 Configuring forwarding parameters (p. 186); Disabling ICMP messages (p. 188); Disabling ICMP redirect messages ...
  • Page 10 LLDP overview (p. 248); Benefits of LLDP ...
  • Page 11 VLAN configuration rules (p. 282); VLAN ID range (p. 282); Tagged VLANs ...
  • Page 12 Displaying VLAN information (p. 314); Displaying VLAN information (p. 314); Displaying VLAN information for specific ports ...
  • Page 13 Changes to port roles and states (p. 352); State machines (p. 352); Handshake mechanisms ...
  • Page 14 MRP CLI example (p. 407); Commands on switch A (master node) ...
  • Page 15 Configuring a topology group (p. 437); Displaying topology group information (p. 438); Displaying topology group information ...
  • Page 16 Marking (p. 468); Configuring DSCP classification by interface ...
  • Page 17 Configuring rate limiting policies (p. 498); Configuring a port-based rate limiting policy (p. 498); Configuring a port-and-priority-based rate limiting policy ...
  • Page 18 Displaying ACL definitions (p. 533); Displaying of TCP/UDP numbers in ACLs (p. 534); ACL logging ...
  • Page 19 Overview of IP multicasting (p. 571); Multicast terms (p. 572); Changing global IP multicast parameters ...
  • Page 20 PIM-SSMv4 (p. 620); Enabling SSM ...
  • Page 21 Configuring RIP parameters (p. 665); Enabling RIP (p. 666); Configuring metric parameters ...
  • Page 22 Configuring OSPF (p. 681); Configuration rules ...
  • Page 23 Overview of BGP4 (p. 738); Relationship between the BGP4 route table and the IP route table; How BGP4 selects a path for a route ...
  • Page 24 Configuring BGP4 neighbors (p. 769); Removing route dampening from suppressed neighbor’s routes (p. 773); Encryption of BGP4 MD5 authentication keys ...
  • Page 25 Chapter 27 Configuring MBGP: In this chapter (p. 855); Configuration considerations ...
  • Page 26 Globally configuring IS-IS on a device (p. 886); Setting the overload bit (p. 887); Configuring authentication ...
  • Page 27 Chapter 30 BiDirectional Forwarding Detection (BFD): In this chapter (p. 917); Configuring BFD parameters ...
  • Page 28 Chapter 32 Using the MAC Port Security Feature: In this chapter (p. 943); Overview of MAC port security ...
  • Page 29 Configuring 802.1x port security (p. 960); Configuring an authentication method list for 802.1x (p. 961); Setting RADIUS parameters ...
  • Page 30 Dynamic ARP inspection (p. 989); ARP attacks (p. 989); How DAI works ...
  • Page 31 Reading CDP packets (p. 1015); Enabling interception of CDP packets globally (p. 1016); Enabling interception of CDP packets on an interface ...
  • Page 32 Enabling IP multicast traffic reduction (p. 1050); Changing the IGMP mode (p. 1051); Modifying the query interval ...
  • Page 33 Configuring an IPv6 host address for a BigIron RX running a switch image (p. 1076); Configuring a global or site-local IPv6 address with a manually configured interface ID as the switch’s system-wide address (p. 1077); Configuring a global or site-local IPv6 address with an automatically computed EUI-64 interface ID as the switch’s system-wide address (p. 1077); Configuring a link-local IPv6 address as the switch’s system-wide...
  • Page 34 Displaying global IPv6 information (p. 1094); Displaying IPv6 cache information (p. 1094); Displaying IPv6 interface information ...
  • Page 35 Displaying BGP4+ information (p. 1133); Displaying the BGP4+ route table (p. 1133); Displaying BGP4+ route information ...
  • Page 36 Link state advertisement types for OSPFv3 (p. 1200); Configuring OSPFv3 (p. 1200); Enabling OSPFv3 ...
  • Page 37 Multicast Listener Discovery and source specific multicast protocols (MLDv2) (p. 1258); MLD version distinctions ...
  • Page 38 RFC compliance - IS-IS (p. 1302); RFC compliance - RIP (p. 1302); RFC compliance - IP Multicast ...
  • Page 39 Multicast (IP) (p. 1336); Multicast (L2) ...
  • Page 40 BigIron RX Series Configuration Guide 53-1001810-01...
  • Page 41: About This Document

    About This Document In this chapter • Audience (p. xli) •...
  • Page 42: List Of Supported Features

    List of supported features Features or options not listed in the Supported and unsupported features table or documented in this guide are not supported. TABLE 1 Supported and unsupported features Category Feature description System level features Cisco Discovery Protocol (CDP) Allows you to configure a Brocade device to intercept and display the contents of CDP packets.
  • Page 43 TABLE 1 Supported and unsupported features (Continued) Category Feature description 802.1d Spanning Tree Protocol (STP) Single Spanning Tree Protocol (SSTP) 802.1p Quality of Service (QoS) queue mapping 802.1q See VLANs, below 802.1s Multiple Spanning Tree Protocol (MSTP) 802.1w Rapid Spanning Tree Protocol (RSTP) 802.3ad Dynamic Link Aggregation on tagged and untagged trunks Jumbo packets...
  • Page 44: Unsupported Features

    TABLE 1 Supported and unsupported features (Continued) Category Feature description ACLs Standard, Extended and Super Inbound ACL logging ACL editing BGP routes BGP peers BGP dampening Graceful Restart Foundry Direct Routing IP Forwarding IPv4 Routing IPv6 Routing IP Static entries Routes ARPs Virtual interfaces...
  • Page 45: What's New In This Document

    • • Mirroring across VLANs • MPLS • • RARP • VLANs • VLAN translation • Subnet VLANs • Source IP Port Security What’s new in this document Enhancements and configuration notes in release 02.7.02 The following table provides a brief description of the enhancements added in this release and a reference to the specific chapter, and section in the BigIron RX Configuration Guide or the Brocade BigIron RX Series Installation Guide that contain a detailed description and operational details for the enhancement.
  • Page 46 Enhancements and configuration notes in release 02.7.01 TABLE 3 Summary of enhancements in release 02.7.01 Enhancement Description See page System features New 16x10G module The new 16 port 10GE oversubscribed module Book: Brocade BigIron RX provides 4:1 over-subscription on the network Series Installation Guide ports.
  • Page 47 TABLE 4 Summary of enhancements in release 02.7.00 (Continued) Enhancement Description See page Multicast, Broadcast, and This release introduces a new hardware (module) Book: BigIron RX Series Unknown Unicast Rate based Multicast/Broadcast/Unknown Unicast Configuration Guide Limiting per Module Rate-Limiting for both CPU based flooding and Chapter: “Configuring Hardware based flooding.
  • Page 48 Enhancements and configuration notes in release 02.6.00 TABLE 5 Summary of enhancements in release 02.6.00 Enhancement Description See page Layer 1 features Digital Optical Beginning with release 02.6.00, Digital Optical Monitoring Book: Brocade BigIron Monitoring will only support newly qualified 1Gigabit optics. Digital RX Series Installation Optical Monitoring for previous 1Gigabit optics that do not Guide...
  • Page 49 TABLE 5 Summary of enhancements in release 02.6.00 (Continued) Enhancement Description See page Multicast Layer 2 Filter Beginning with release 02.6.00, you can define multicast Book: BigIron RX Series boundaries on a per VLAN basis. Configuration Guide Chapter: “Configuring IP Multicast Protocols”...
  • Page 50: Enhancements And Configuration Notes In Patch Release 02.5.00c

    TABLE 5 Summary of enhancements in release 02.6.00 (Continued) Enhancement Description See page IGMP v3 Fast Leave In Release 02.6.00 of the Multi-Service IronWare software, Book: BigIron RX Series and Tracking you can configure a device running IGMP Snooping to Configuration Guide immediately remove a VLAN from the IP multicast group when Chapter:...
  • Page 51 Enhancements and configuration notes in patch release 02.5.00b TABLE 7 Summary of enhancements in release 02.5.00b Enhancement Description See page ACL-based Inbound sFlow With this patch release, the Multi-Service IronWare Book: BigIron RX Series software supports using an IPv4 ACL to select Configuration Guide packets that should be collected as special sFlow Chapter:...
  • Page 52 TABLE 8 Summary of enhancements in release 02.5.00 (Continued) Enhancement Description See page Multicast Starting release 02.5.00, low priority multicast Book: BigIron RX Series traffic is rate-limited to 1.8 Gbps per packet Configuration Guide processor. Chapter: “Configuring Quality of Service” Section: “Configuring multicast traffic...
  • Page 53: Summary Of Enhancements And Configuration Notes In Release 02.4.00

    Summary of enhancements and configuration notes in release 02.4.00 TABLE 10 Summary of enhancements in release 02.4.00 Enhancement Description See page US Daylight Saving Time The new Daylight Saving Time (DST) change that Book: BigIron RX Series scheme went into effect on March 11th, 2007 affects only Configuration Guide networks following the US time zones.
  • Page 54 TABLE 10 Summary of enhancements in release 02.4.00 (Continued) Enhancement Description See page New show OSPF neighbor by This feature allows OSPF to display the OSPF Book: BigIron RX Series area command neighbors existing in a particular area. Configuration Guide Chapter: “Configuring OSPF Version 2 (IPv4)”...
  • Page 55 TABLE 10 Summary of enhancements in release 02.4.00 (Continued) Enhancement Description See page Multicast Boundaries The Multicast Boundary feature is designed to Book: BigIron RX Series selectively allow or disallow multicast flows to Configuration Guide configured interfaces. Chapter: “Configuring IP Multicast Protocols”...
  • Page 56 TABLE 10 Summary of enhancements in release 02.4.00 (Continued) Enhancement Description See page ACL-Based Mirroring With this release, the Multi-Service IronWare Book: BigIron RX Series software supports using an ACL to select traffic for Configuration Guide mirroring from one port to another. Chapter:“Access Control List”...
  • Page 57: Summary Of Enhancements In Patch Release 02.3.00A

    Summary of enhancements in patch release 02.3.00a TABLE 11 Summary of enhancements in patch release 02.3.00a Enhancement Description See... Transparent Port Flooding When the Transparent Port Flooding feature is Book: BigIron RX Series enabled for a port, all MAC learning will be disabled Configuration Guide for that port.
  • Page 58: Summary Of Enhancements And Configuration Notes In Release 02.3.00

    Summary of enhancements and configuration notes in release 02.3.00 System enhancements TABLE 12 System enhancements Enhancement Description See... New Hardware The following new hardware is supported with the 02.3.00 Book: Brocade BigIron RX Support software release for the device: Series Installation Guide 10G-XFP-CX4 - part number 10G-XFP-CX4 , A new XFP Module is available for use in the BigIron RX Series and 10G Interface Modules with the following capabilities:...
  • Page 59 TABLE 12 System enhancements (Continued) Enhancement Description See... Enhanced Digital You can configure the BigIron RX to monitor XFPs and SFPs in Book: Brocade BigIron RX Optical Monitoring the system either globally or by specified port. Series Installation Guide Chapter: Connecting a BigIron RX Series Switch to a Network Device Section: Enhanced Digital...
  • Page 60 Layer 3 enhancements TABLE 14 Layer 3 enhancements Enhancement Description See... OSPF NBMA You can configure an interface to send OSPF Book: BigIron RX Series unicast packets rather than broadcast packets to Configuration Guide its neighbor by configuring non-broadcast Chapter: “Configuring multi-access (NBMA) networks.
  • Page 61 TABLE 14 Layer 3 enhancements (Continued) Enhancement Description See... Default Originate Route for BGP In this release, if a default route is not present in Book: BigIron RX Series the IP routing table, the user can configure a Configuration Guide major route to be used for forwarding packets to Chapter: “Configuring...
  • Page 62 TABLE 15 IP multicast enhancements (Continued) Enhancement Description See... MSDP Mesh Groups This release supports Multicast Source Book: BigIron RX Series Discovery Protocol (MSDP) Mesh Groups. This Configuration Guide feature allows you to connect several RPs to Chapter:“Configuring IP each other which reduces the forwarding of Multicast Protocols”...
  • Page 63: Network Management

    TABLE 16 IP service, security, and Layer 4 enhancements (Continued) Enhancement Description See... Port Security MAC Violation Limit This feature provides protection against Book: BigIron RX Series physical link instability. It allows a user to Configuration Guide configure it to keep a port in a down state in Chapter:“Using the MAC Port cases where the port has experienced some Security Feature”...
  • Page 64 Layer 2 enhancements TABLE 19 Layer 2 enhancements Enhancement Description See page VLAN Byte Accounting With this release, you can configure a VLAN to account Book: BigIron RX Series for the number of bytes received by all the member Configuration Guide ports.
  • Page 65 TABLE 20 Layer 3 enhancements (Continued) Enhancement Description See page OSPF point-to-point OSPF point-to-point eliminates the need for Book: BigIron RX Series Designated and Backup Designated routers, Configuration Guide allowing for faster convergence of the network. Chapter:“Configuring OSPF Version 2 (IPv4)” Section: “OSPF point-to-point links”...
  • Page 66 TABLE 22 Security enhancements (Continued) Enhancement Description See page Port Security MAC Deny With this release, you can configure deny mac Book: BigIron RX Series addresses on a global level or on a per port level. Configuration Guide Chapter:“Using the MAC Port Security Feature”...
  • Page 67: Summary Of Enhancements In Release 02.2.00G

    TABLE 22 Security enhancements (Continued) Enhancement Description See page Port Security Enhancements You can specify how many packets from denied MAC Book: BigIron RX Series addresses can be received on a port in a one-second Configuration Guide interval before the device shuts the port down. Chapter:“Using the MAC Port Security Feature”...
  • Page 68: Summary Of Enhancements And Configuration Notes In 02.2.00

    Summary of enhancements and configuration notes in 02.2.00 TABLE 25 Summary of enhancements in 02.2.00 Enhancement Description See page Quality of Service (QoS) QoS support on the device is different than for the BigIron Book: BigIron RX Series Support MG8. Configuration Guide Chapter:“Configuring Quality of Service”...
  • Page 69: Document Conventions

    Document conventions This section describes text formatting conventions and important notice formats used in this document. Text formatting The narrative-text formatting conventions that are used are as follows: bold text Identifies command names Identifies the names of user-manipulated GUI elements Identifies keywords Identifies text to enter at the GUI or CLI italic text...
  • Page 70: Notice To The Reader

    CAUTION A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data. DANGER A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
  • Page 71: Web Access

    Web access Go to kp.foundrynet.com and log in to the Knowledge Portal (KP) to obtain more information about a product, or to report documentation errors. To report errors, click on Cases > Create a New Ticket. Make sure you specify the document title in the ticket description. E-mail access Send an e-mail to: IPsupport@brocade.com Telephone access...
  • Page 72 lxxii BigIron RX Series Configuration Guide 53-1001810-01...
  • Page 73: Getting Started With The Command Line Interface

    Chapter Getting Started with the Command Line Interface In this chapter • Logging on through the CLI (p. 1) •...
  • Page 74: On-Line Help

    Logging on through the CLI On-line help To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed.
  • Page 75: Line Editing Commands

    EXEC commands Line editing commands The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command. TABLE 26 CLI line-editing commands Ctrl-key combination...
  • Page 76: Global Level

    CONFIG commands You reach this level by entering the enable [<password>] or enable <username> <password> at the User EXEC level. Example BigIron RX>enable BigIron RX>enable user1 mypassword After entering the enable command, you see the following prompt. BigIron RX>#. The prompt indicates that you are at the Privilege EXEC level. When you are at the Privilege EXEC level, you can enter commands that are available at that level.
  • Page 77 CONFIG commands Trunk level The trunk level allows you to change parameters for statically-configured trunk groups. You reach this level by entering a trunk command with the appropriate port parameters. Router RIP level The RIP level allows you to configure parameters for the RIP routing protocol. You reach this level by entering the router rip command at the global CONFIG level.
  • Page 78 CONFIG commands Route Map level The Route Map level allows you to configure parameters for a BGP4 route map. You reach this level by entering the route-map <name> command at the global CONFIG level. Router VRRP level The VRRP level allows you to configure parameters for the Virtual Router Redundancy Protocol (VRRP).
  • Page 79: Accessing The Cli

    Accessing the CLI MAC port security level The MAC port security level allows you to configure the port security feature. You reach this level by entering the global-port-security command at the Global or Interface levels. Accessing the CLI The CLI can be accessed through both serial and Telnet connections.
  • Page 80: Navigating Among Command Levels

    Accessing the CLI The CLI prompt will change at each level of the CONFIG command structure, to easily identify the current level. BigIron RX> User Level EXEC Command BigIron RX# Privileged Level EXEC Command BigIron RX(config)#Global Level CONFIG Command BigIron RX(config-if-e10000-5/1)#Interface Level CONFIG Command BigIron RX(config-lbif-1)#Loopback Interface CONFIG Command BigIron RX(config-ve-1)#Virtual Interface CONFIG Command BigIron RX(config-trunk-4/1-4/8)#Trunk group CONFIG Command...
  • Page 81: Searching And Filtering Output

    Searching and filtering output When an item is bracketed with “[ ]” symbols, the information requested is optional. Optional fields When two or more options are separated by a vertical bar, “| “, you must enter one of the options as part of the command.
  • Page 82 Searching and filtering output Searching and filtering output from show commands You can filter output from show commands to display lines containing a specified string, lines that do not contain a specified string, or output starting with a line containing a specified string. The search string is a regular expression consisting of a single character or string of characters.
  • Page 83 Searching and filtering output Syntax: <show-command> | begin <regular-expression> Searching and filtering output at the --More-- prompt The --More-- prompt is displayed when output extends beyond a single page. From this prompt, you can press the Space bar to display the next page, the Return or Enter key to display the next line, or Ctrl-C or Q to cancel the display.
  • Page 84: Using Special Characters In Regular Expressions

    Searching and filtering output To display lines containing only a specified search string (similar to the include option for show commands) press the plus sign key ( + ) at the --More-- prompt and then enter the search string. --More--, next page: Space, next line: Return key, quit: Control-c +telnet The filtered results are displayed.
  • Page 85 Searching and filtering output TABLE 27 Special characters for regular expressions (Continued) Character Operation The question mark matches on zero occurrences or one occurrence of a pattern. For example, the following regular expression matches output that contains "dg" or "deg": de?g NOTE: Normally when you type a question mark, the CLI lists the commands or options at that CLI level that begin with the character or string you entered.
  • Page 86: Allowable Characters For Lag Names

    Searching and filtering output Allowable characters for LAG names When creating a LAG name, you can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: “a long subdirectory name”.
  • Page 87 Searching and filtering output • Ensures that dependent or related configuration changes are all cut in at the same time. In all cases, if you want to make the changes permanent, you need to save the changes to flash using the write memory command. When you save the configuration changes to flash, this will become the configuration that is initiated and run at system boot.
  • Page 88 Searching and filtering output BigIron RX Series Configuration Guide 53-1001810-01...
  • Page 89: Getting Familiar With The Bigiron Rx Series Switch Management Applications

    Chapter Getting Familiar With the BigIron RX Series Switch Management Applications In this chapter • How to manage BigIron RX Series switch (p. 17) •...
  • Page 90: On-Line Help

    Logging on through the CLI • CONFIG – Lets you make configuration changes to the device. To save the changes across software reloads and system resets, you need to save them to the system-config file. The CONFIG level contains sub-levels for individual ports, for VLANs, for routing protocols, and other configuration areas.
  • Page 91: Line Editing Commands

    Logging on through the CLI default-vlan-id enable enable-acl-counter exit --More--, next page: Space, next line: Return key, quit: Control-c The software provides the following scrolling options: • Press the Space bar to display the next page (one screen at a time). •...
  • Page 92 Logging on through the CLI You can also filter output from show commands to display lines containing a specified string, lines that do not contain a specified string, or output starting with a line containing a specified string. The search string is a regular expression consisting of a single character or string of characters. You can use special characters to construct complex regular expressions.
  • Page 93 Logging on through the CLI Syntax: <show-command> | begin <regular-expression> Searching and filtering output at the --More-- prompt The --More-- prompt displays when output extends beyond a single page. From this prompt, you can press the Space bar to display the next page, the Return or Enter key to display the next line, or Ctrl-C to cancel the display.
  • Page 94 Logging on through the CLI The filtered results are displayed. filtering... telnet Telnet by name or IP address To display lines that do not contain a specified search string (similar to the exclude option for show commands) press the minus sign key ( - ) at the --More-- prompt and then enter the search string. --More--, next page: Space, next line: Return key, quit: Control-c -telnet The filtered results are displayed.
  • Page 95: Allowable Characters For Lag Names

    Logging on through the CLI TABLE 29 Special characters for regular expressions (Continued) Character Operation A caret (when not used within brackets) matches on the beginning of an input string. For example, the following regular expression matches output that begins with “deg”: ^deg A dollar sign matches on the end of an input string.
  • Page 96: Logging On Through The Web Management Interface

    Logging on through the Web Management Interface The following characters are valid in file names: • All upper and lowercase letters • All digits Any of the following special characters are valid: • • • • • • • • •...
  • Page 97: Web Management Interface

    Logging on through the Web Management Interface To log in, click on the Login link. Figure 2 shows the dialog box that displays. FIGURE 2 Web Management Interface login dialog box The login username and password you enter depends on whether your device is configured with AAA authentication for SNMP.
  • Page 98: Logging On Through Ironview Network Manager

    Logging on through IronView Network Manager Logging on through IronView Network Manager Refer to the IronView Network Management User’s Guide for information about using IronView Network Manager. BigIron RX Series Configuration Guide 53-1001810-01...
  • Page 99: Using A Redundant Management Module

    Chapter Using a Redundant Management Module In this chapter • How management module redundancy works (p. 27) • Management module redundancy configuration ...
  • Page 100: Management Module Switchover

    How management module redundancy works After the modules boot, the active module compares the standby module’s flash code and system-config file to its own. If differences exist, the active module synchronizes the standby module’s flash code and system-config file with its own. During normal operation, the active module handles tasks such as obtaining network topology and reachability information and determining the best paths to known destinations.
  • Page 101: Switchover Implications

    How management module redundancy works When the switchover occurs, the standby module becomes the active module. This section explains how management module redundancy is affected when you remove and replace an active or standby management module. Removal and replacement of an active management module If you remove the active management module, the standby module automatically assumes the role of the active module.
  • Page 102: Management Sessions

    How management module redundancy works Management sessions You can establish management sessions with the active management module’s management port. If a switchover occurs, the management port on the original active module shuts down and all open CLI, Web management interface, and IronView Network Manager sessions with that port close. You can open new sessions with the new active module, provided that the new active module has the same management port connections.
  • Page 103: Management Module Redundancy Configuration

    Management module redundancy configuration The interface modules are not reset, as they are with the previous cold-restart redundancy feature. The interface modules continue to forward traffic while the standby management module takes over operation of the system. The new now-active management module receives updates from the interface modules and sends verification information to the interface modules to ensure that they are synchronized.
  • Page 104: File Synchronization Between The Active And Standby Management

    Managing management module redundancy File synchronization between the active and standby management modules Each active and standby management module contains the following files that can be synchronized between the two modules: • Flash code – The flash code can include the following files: •...
  • Page 105 Managing management module redundancy Figure 4 shows how the files are synchronized between the active module and the standby module. FIGURE 4 Active and standby management module file synchronization Synchronized at startup Automatically synchronized Not synchronized or switchover at regular, user-configurable intervals Also can be immediately synchronized using the CLI...
  • Page 106: Manually Switching Over To The Standby Management Module

    Managing management module redundancy To compare and immediately synchronize files between the active and standby modules if differences exist, enter the following command at the Privileged EXEC level of the CLI. BigIron RX# sync-standby Syntax: sync-standby Synchronizing files without comparison You can synchronize the flash code, system-config file, and running-config file immediately without comparison.
  • Page 107: Monitoring Management Module Redundancy

    Monitoring management module redundancy The tftp keyword directs the BigIron RX Series Switch to boot from an RX Series IronWare image on a TFTP server located at <ip-address> with the specified <filename>. For example, to reboot the active and standby management modules, enter the following command at the Privileged EXEC level.
  • Page 108: Displaying Temperature Information

    Monitoring management module redundancy The Status column indicates the module status. The management modules can have one of the following status: • ACTIVE – The module is currently the active management module. • STANDBY – The module is the standby management module. The status of the standby module can be one of the following: •...
  • Page 109 Monitoring management module redundancy To view the redundancy parameter settings and statistics, enter the following command at any level of the CLI. BigIron RX# show redundancy === MP Redundancy Settings === Default Active Slot = 17 Running-Config Sync Period = 7 seconds === MP Redundancy Statistics === Current Active Session: Active Slot = 9,Standby Slot = 10 (Ready State),Switchover Cause = No Switchover...
  • Page 110: Flash Memory And Pcmcia Flash Card File Management Commands

    Flash memory and PCMCIA flash card file management commands Flash memory and PCMCIA flash card file management commands The BigIron RX Series system supports file systems in the following locations: • The management module’s flash memory. • A PCMCIA flash card inserted in the management module’s slots 1 or 2. Table 30 outlines the root directory for each file system.
  • Page 111: Management Focus

    Flash memory and PCMCIA flash card file management commands CAUTION Do not add or remove a flash card while a file operation involving the flash card’s slot is in progress. Doing so can result in corruption of the flash card. If this occurs, you may need to reformat the flash card to make it usable again.
  • Page 112: Pcmcia Flash Card File System

    Flash memory and PCMCIA flash card file management commands • All digits • Any of the following special characters: • • • • • • • • • • • • • • • • & PCMCIA flash card file system The PCMCIA flash card file system is hierarchical, which means that it supports subdirectories.
  • Page 113: Wildcards

    Flash memory and PCMCIA flash card file management commands • All upper and lowercase letters • All digits • Spaces • Any of the following special characters: • • • • • • • • • • • • • •...
  • Page 114: Formatting A Flash Card

    Flash memory and PCMCIA flash card file management commands Formatting a flash card The flash cards are not shipped with a management module. If you want to use a flash card, you must format it for the 16 FAT file system before you can store files on the card. CAUTION Make sure the flash card is empty or does not contain files you want to keep.
  • Page 115: Switching The Management Focus

    Flash memory and PCMCIA flash card file management commands Switching the management focus The effect of file management commands depends on the file system that has the current management focus. For example, if you enter a command to delete a file and do not specify the location of the file, the software attempts to delete the file from the location that currently has the management focus.
  • Page 116 Flash memory and PCMCIA flash card file management commands The software displays the directory of the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to list the files on the file system that does not currently have management focus.
  • Page 117: Displaying The Contents Of A File

    Flash memory and PCMCIA flash card file management commands For example, to display a directory of the files on the flash card in slot 2, if flash memory has the management focus, enter the following command. BigIron RX# dir /slot2/ Directory of /slot2/ 08/01/2003 18:25:28 3,092,508 PRIMARY...
  • Page 118: Displaying The Hexadecimal Output Of A File

    Flash memory and PCMCIA flash card file management commands For example, to display the contents of a file in flash memory, if flash memory has the current management focus, enter a command such as the following. BigIron RX# more cfg.cfg Syntax: more [/<directory>/]<file-name>...
  • Page 119 Flash memory and PCMCIA flash card file management commands The software attempts to create a subdirectory in the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to create a subdirectory in a file system that does not currently have management focus.
  • Page 120: Removing A Subdirectory

    Flash memory and PCMCIA flash card file management commands The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using uppercase letters. To verify successful creation of the subdirectory, enter a command such as the following to change to the new subdirectory level.
  • Page 121: Renaming A File

    Flash memory and PCMCIA flash card file management commands Renaming a file You can rename a file in the management module’s flash memory or on a flash card inserted in the management module’s slot 1 or slot 2 using the rename or mv command. The software attempts to rename the file in the file system that has the current management focus.
  • Page 122: Deleting A File

    Flash memory and PCMCIA flash card file management commands For example, to change the attribute of a file in slot2 to read-only, if flash memory has the management focus, enter a command such as the following. BigIron RX# attrib slot2 ro goodcfg.cfg Syntax: attrib [slot1 | slot2] ro | rw <file-name>...
  • Page 123: Recovering ("Undeleting") A File

    Flash memory and PCMCIA flash card file management commands For example, to delete all files with names that start with “test” from flash memory, if flash memory has the current management focus, enter a command such as the following. BigIron RX# delete test*.* For example, to delete all files on the flash card in slot 2, if flash memory has the current management focus, you can enter one of the following commands.
  • Page 124: Appending A File To Another File

    Flash memory and PCMCIA flash card file management commands Appending a file to another file You can append a file in flash memory or on a flash card to the end of another file in one of these file systems. The software attempts to append one file to another in the file system that has the current management focus.
  • Page 125 Flash memory and PCMCIA flash card file management commands NOTE The copy options require you to explicitly specify the flash card. Therefore, you can perform a copy regardless of the flash card that currently has the management focus. Copying files from one flash card to the other To copy a file from one flash card to the other, enter the following command.
  • Page 126 Flash memory and PCMCIA flash card file management commands Specify the optional standby keyword to copy the RX Series IronWare image from the secondary location in the active management module’s flash memory to the primary location in the standby module’s flash memory. To copy the RX Series IronWare image from the primary location in the active management module’s flash memory to the secondary location in the active module’s flash memory, enter the following command.
  • Page 127 Flash memory and PCMCIA flash card file management commands The command in this example copies a file from slot 1 to a TFTP server. In this case, the software uses the same name for the source file and for the destination file. Optionally, you can specify a different file name for the destination file.
  • Page 128 Flash memory and PCMCIA flash card file management commands To copy a startup-config file from a TFTP server to flash memory, enter a command such as the following. BigIron RX# copy tftp startup-config 10.10.10.1 test.cfg Syntax: copy tftp startup-config <ip-addr> [/<from-dir-path>]<from-name> Copying the running-config to a flash card or a TFTP server Use the following method to copy the BigIron RX Series Switch’s running-config to a flash card or a TFTP server.
  • Page 129: Copying Files Using The Cp Command

    Flash memory and PCMCIA flash card file management commands Copying files using the cp command Using the cp command, you can do the following: • Copy files from flash memory to flash memory. • Copy files from flash memory to a flash card or vice versa. •...
  • Page 130 Flash memory and PCMCIA flash card file management commands If you specify a source other than the primary location in flash memory and for some reason, the source or the RX Series IronWare image is unavailable, the system uses the primary location in flash memory as a default backup source.
  • Page 131: Saving Configuration Changes

    Flash memory and PCMCIA flash card file management commands Configuring the boot source for future reboots To change the RX Series IronWare image source from the primary location in flash memory to another source for future reboots, enter a command such as the following at the global CONFIG level of the CLI.
  • Page 132: File Management Messages

    Flash memory and PCMCIA flash card file management commands The first command in this example sets the device to save configuration changes to the file named “switch1.cfg” in the flash card in slot 1. The second command saves the running-config to the switch1.cfg file on the flash card in slot 1.
  • Page 133: Securing Access To Management Functions

    Chapter Securing Access to Management Functions In this chapter • Securing access methods........61 •...
  • Page 134 Securing access methods TABLE 33 Ways to secure management access to the device (Continued) Access method How the access method is Ways to secure the access method See page secured by default Telnet access Not secured Regulate Telnet access using ACLs page 64 Allow Telnet access only from specific page 67...
  • Page 135: Restricting Remote Access To Management Functions

    Restricting remote access to management functions TABLE 33 Ways to secure management access to the device (Continued) Access method How the access method is Ways to secure the access method See page secured by default SNMP (IronView Network SNMP read or read-write Regulate SNMP access using ACLs page 65 Manager) access...
  • Page 136: Using An Acl To Restrict Telnet Access

    Restricting remote access to management functions NOTE ACL filtering for remote management access is done in hardware. Using an ACL to restrict Telnet access To configure an ACL that restricts Telnet access to the device, enter commands such as the following.
  • Page 137 Restricting remote access to management functions NOTE In this example, the command ssh access-group 10 could have been used to apply the ACL configured in the example for Telnet access. You can use the same ACL multiple times. Using an ACL to restrict Web management access To configure an ACL that restricts Web management access to the device, enter commands such as the following.
  • Page 138: Restricting Remote Access To The Device To Specific Ip Addresses

    Restricting remote access to management functions NOTE The ro parameter indicates that the community string is for read-only (“get”) access. The rw parameter indicates the community string is for read-write (“set”) access. The <standard-acl-name> | <standard-acl-id> parameter specifies which ACL will be used to filter incoming SNMP packets.
  • Page 139 Restricting remote access to management functions The following examples show the CLI commands for restricting remote access. You can specify only one IP address with each command. However, you can enter each command ten times to specify up to ten IP addresses. NOTE You cannot restrict remote management access using the Web management interface.
  • Page 140: Specifying The Maximum Number Of Login Attempts For Telnet Access

    Restricting remote access to management functions Specifying the maximum number of login attempts for Telnet access If you are connecting to the device using Telnet, the device prompts you for a username and password. By default, you have up to 3 chances to enter a correct username and password. If you do not enter a correct username or password after 3 attempts, the device disconnects the Telnet session.
  • Page 141: Disabling Specific Access Methods

    Restricting remote access to management functions Restricting Web management access to a specific VLAN To allow Web management access only to clients in a specific VLAN, enter a command such as the following. BigIron RX(config)# web-management enable vlan 10 The command configures the device to allow Web management access only to clients connected to ports within port-based VLAN 10.
  • Page 142: Disabling Telnet Access

    Restricting remote access to management functions Disabling Telnet access Telnet access is enabled by default. You can use a Telnet client to access the CLI on the device over the network. If you do not plan to use the CLI over the network and want to disable Telnet access to prevent others from establishing CLI sessions with the device, enter the following command.
  • Page 143: Setting Passwords

    Setting passwords Enter the command to disable SNMP management of the device. BigIron RX(config)#no snmp-server enable Enter the command to later re-enable SNMP management of the device. BigIron RX(config)#snmp-server enable Syntax: [no] snmp-server enable Setting passwords Passwords can be used to secure the following access methods: •...
  • Page 144: Setting Passwords For Management Privilege Levels

    Setting passwords Setting passwords for management privilege levels You can set one password for each of the following management privilege levels: • Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
  • Page 145 Setting passwords NOTE If you forget your Super User level password, refer to “Recovering from a lost password” on page 74. Augmenting management privilege levels Each management privilege level provides access to specific areas of the CLI by default: • Super User level provides access to all commands and displays.
  • Page 146: Recovering From A Lost Password

    Setting passwords • tunnel-interface • vrrp-router indicates the number of the management privilege level you are <privilege-level> augmenting. You can specify one of the following: • 0 – Super User level (full read-write access) • 4 – Port Configuration level •...
  • Page 147: Specifying A Minimum Password Length

    Setting up local user accounts If you want to remove the password encryption, you can disable encryption by entering the following command. BigIron RX(config)# no service password-encryption Syntax: [no] service password-encryption Specifying a minimum password length By default, the Brocade device imposes no minimum length on the Line (Telnet), Enable, or Local passwords.
  • Page 148: Configuring A Local User Account

    Setting up local user accounts • Read Only level – Allows access to the Privileged EXEC mode and CONFIG mode but only with read access. Configuring a local user account To configure a local user account, enter a command such as the following at the global CONFIG level of the CLI.
  • Page 149 Setting up local user accounts Changing local user passwords This section shows how to change the password for an existing local user account. The device stores not only the current password configured for a local user, but the previous two passwords configured for the user as well.
  • Page 150: Configuring Ssl Security For The Web Management Interface

    Configuring SSL security for the Web Management Interface If necessary, select the management privilege level from the Privilege pulldown menu. By default, the system assigns privilege level 5 (Read-Only), which allows the user to display information but not to make configuration changes. 8.
  • Page 151: Importing Digital Certificates And Rsa Private Key Files

    Configuring SSL security for the Web Management Interface For example, the following command causes the device to use TCP port 334 for SSL communication. BigIron RX(config)# ip ssl port 334 Syntax: [no] ip ssl port <port-number> The default port for SSL communication is 443. Importing digital certificates and RSA private key files To allow a client to communicate with the other device using an SSL connection, you configure a set of digital certificates and RSA public-private key pairs on the device.
  • Page 152: Configuring Tacacs/Tacacs+ Security

    Configuring TACACS/TACACS+ security Configuring TACACS/TACACS+ security You can use the security protocol Terminal Access Controller Access Control System (TACACS) or TACACS+ to authenticate the following kinds of access to the device: • Telnet access • SSH access • Web Management access •...
  • Page 153: Tacacs Authentication

    Configuring TACACS/TACACS+ security NOTE By default, a user logging into the device through Telnet or SSH would first enter the User EXEC level. The user can enter the enable command to get to the Privileged EXEC level. A user that is successfully authenticated can be automatically placed at the Privileged EXEC level after login.
  • Page 154 Configuring TACACS/TACACS+ security • Command authorization consults a TACACS+ server to get authorization for commands entered by the user. When TACACS+ exec authorization takes place, the following events occur. 1. A user logs into the device using Telnet, SSH, or the Web Management Interface 2.
  • Page 155 Configuring TACACS/TACACS+ security AAA operations for TACACS/TACACS+ The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a device that has TACACS/TACACS+ security configured. User action Applicable AAA operations User attempts to gain access to the Enable authentication: Privileged EXEC and CONFIG levels of the...
  • Page 156: Tacacs/Tacacs+ Configuration Considerations

    Configuring TACACS/TACACS+ security User action Applicable AAA operations User enters other commands Command authorization (TACACS+): aaa authorization commands <privilege-level> default <method-list> Command accounting (TACACS+): aaa accounting commands <privilege-level> default start-stop <method-list> AAA security for commands pasted into the running configuration If AAA security is enabled on the device, commands pasted into the running configuration are subject to the same AAA operations as if they were entered manually.
  • Page 157: Enabling Snmp To Configure Tacacs/Tacacs

    Configuring TACACS/TACACS+ security 3. Set optional parameters. Refer to “Setting optional TACACS/TACACS+ parameters” on page 86. 4. Configure authentication-method lists. Refer to “Configuring authentication-method lists for TACACS/TACACS+” on page 88. 5. Optionally configure TACACS+ authorization. Refer to “Configuring TACACS+ authorization” on page 89.
  • Page 158: Specifying Different Servers For Individual Aaa Functions

    Configuring TACACS/TACACS+ security NOTE If you erase a tacacs-server command (by entering “no” followed by the command), make sure you also erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (Refer to “Configuring authentication-method lists for TACACS/TACACS+” on page 88.) Otherwise, when you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is TACACS/TACACS+ enabled and you will not be able to access the system.
  • Page 159 Configuring TACACS/TACACS+ security Setting the TACACS+ key The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they are sent over the network. The value for the key parameter on the device should match the one configured on the TACACS+ server.
  • Page 160: Configuring Authentication-Method Lists For Tacacs/Tacacs

    Configuring TACACS/TACACS+ security Setting the timeout parameter The timeout parameter specifies how many seconds the Brocade device waits for a response from the TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the authentication-method list.
  • Page 161: Configuring Tacacs+ Authorization

    Configuring TACACS/TACACS+ security Entering privileged EXEC mode after a Telnet or SSH login By default, a user enters User EXEC mode after a successful login through Telnet or SSH. Optionally, you can configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login.
  • Page 162 Configuring TACACS/TACACS+ security To configure TACACS+ exec authorization on the device, enter the following command. BigIron RX(config)# aaa authorization exec default tacacs+ Syntax: aaa authorization exec default tacacs+ | radius | none If you specify none, or omit the aaa authorization exec command from the device’s configuration, no exec authorization is performed.
  • Page 163 Configuring TACACS/TACACS+ security Example user=bob { default service = permit member admin # Global password global = cleartext "cat" service = exec { privlvl = 15 The attribute name in the A-V pair is not significant; the device uses the last one that has a numeric value.
  • Page 164: Configuring Tacacs+ Accounting

    Configuring TACACS/TACACS+ security You enable TACACS+ command authorization by specifying a privilege level whose commands require authorization. For example, to configure the device to perform authorization for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
  • Page 165 Configuring TACACS/TACACS+ security Configuring TACACS+ accounting for Telnet/SSH (Shell) access To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the device, and an Accounting Stop packet when the user logs out.
  • Page 166: Configuring An Interface As The Source For All Tacacs/Tacacs

    Configuring TACACS/TACACS+ security Configuring an interface as the source for all TACACS/TACACS+ packets You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all TACACS/TACACS+ packets from the device.
  • Page 167: Displaying Tacacs/Tacacs+ Statistics And Configuration Information

    Configuring TACACS/TACACS+ security Displaying TACACS/TACACS+ statistics and configuration information The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device. Example BigIron RX# show aaa Tacacs+ key: foundry Tacacs+ retries: 1 Tacacs+ timeout: 15 seconds Tacacs+ dead-time: 3 minutes Tacacs+ Server: 207.95.6.90 Port:49: opens=6 closes=3 timeouts=3 errors=0...
  • Page 168: Configuring Radius Security

    Configuring RADIUS security Example BigIron RX(config)#show web User Privilege IP address 192.168.1.234 Syntax: show web Configuring RADIUS security You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the device: •...
  • Page 169: Radius Authorization

    Configuring RADIUS security 5. The RADIUS server validates the device using a shared secret (the RADIUS key). 6. The RADIUS server looks up the username in its database. If the username is found in the database, the RADIUS server validates the password. 8.
  • Page 170 Configuring RADIUS security 3. If the event requires RADIUS accounting, the device sends a RADIUS Accounting Start packet to the RADIUS accounting server, containing information about the event. 4. The RADIUS accounting server acknowledges the Accounting Start packet. 5. The RADIUS accounting server records information about the event. 6.
  • Page 171: Radius Configuration Considerations

    Configuring RADIUS security User action Applicable AAA operations User enters other commands Command authorization: aaa authorization commands <privilege-level> default <method-list> Command accounting: aaa accounting commands <privilege-level> default start-stop <method-list> AAA security for commands pasted into the running configuration If AAA security is enabled on the device, commands pasted into the running configuration are subject to the same AAA operations as if they were entered manually.
  • Page 172 Configuring RADIUS security 4. Configure authentication-method lists. Refer to “Configuring authentication-method lists for RADIUS” on page 103. 5. Optionally configure RADIUS authorization. Refer to “Configuring RADIUS authorization” on page 104. 6. Optionally configure RADIUS accounting. Refer to “Configuring RADIUS accounting” on page 106. Configuring Brocade-specific attributes on the RADIUS server...
  • Page 173: Enabling Snmp To Configure Radius

    Configuring RADIUS security TABLE 36 Brocade vendor-specific attributes for RADIUS (Continued) Attribute name Attribute ID Data type Description foundry-command-string string Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured. The commands are delimited by semi-colons (;).
  • Page 174: Specifying Different Servers For Individual Aaa Functions

    Configuring RADIUS security Specifying different servers for individual AAA functions In a RADIUS configuration, you can designate a server to handle a specific AAA task. For example, you can designate one RADIUS server to handle authorization and another RADIUS server to handle accounting.
  • Page 175: Configuring Authentication-Method Lists For Radius

    Configuring RADIUS security Example BigIron RX(config)# radius-server key 1 abc BigIron RX(config)# write terminal radius-server host 1.2.3.5 radius key 1 $!2d NOTE Encryption of the RADIUS keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility. Setting the retransmission limit The retransmit parameter specifies the maximum number of retransmission attempts.
  • Page 176: Configuring Radius Authorization

    Configuring RADIUS security The commands above cause RADIUS to be the primary authentication method for securing Telnet access to the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead. To create an authentication-method list that specifies RADIUS as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI.
  • Page 177 Configuring RADIUS security Configuring Exec authorization NOTE Before you configure RADIUS exec authorization on the BigIron RX, make sure that the aaa authentication enable default radius command or the aaa authentication login privilege-mode command exist in the configuration. When RADIUS exec authorization is performed, the device consults a RADIUS server to determine the privilege level of the authenticated user.
  • Page 178: Configuring Radius Accounting

    Configuring RADIUS security NOTE RADIUS command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console. No authorization is performed for commands entered at the Web Management Interface or IronView Network Manager. NOTE Since RADIUS command authorization relies on the command list supplied by the RADIUS server during authentication, you cannot perform RADIUS authorization without RADIUS authentication.
  • Page 179: Configuring An Interface As The Source For All Radius Packets

    Configuring RADIUS security Configuring RADIUS accounting for CLI commands You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the device to perform RADIUS accounting for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
  • Page 180: Displaying Radius Configuration Information

    Configuring RADIUS security The software contains separate CLI commands for specifying the source interface for Telnet, TACACS/TACACS+, and RADIUS packets. You can configure a source interface for one or more of these types of packets. To specify an Ethernet or a loopback or virtual interface as the source for all RADIUS packets from the device, use the following CLI method.
  • Page 181: Configuring Authentication-Method Lists

    Configuring authentication-method lists TABLE 37 Output of the show aaa command for RADIUS Field Description Radius key The setting configured with the radius-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (..) is displayed instead of the text.
  • Page 182 Configuring authentication-method lists NOTE To authenticate Telnet access to the CLI, you also must enable the authentication by entering the enable telnet authentication command at the global CONFIG level of the CLI. You cannot enable Telnet authentication using the Web management interface. NOTE You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses.
  • Page 183: Examples Of Authentication-Method Lists

    Configuring authentication-method lists • If you configure an authentication-method list for Web management access and specify “local” as the primary authentication method, users who attempt to access the device using the Web management interface must supply a user name and password configured in one of the local user accounts on the device.
  • Page 184 Configuring authentication-method lists The snmp-server | web-server | enable | login | dot1x parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access. NOTE If you configure authentication for Web management access, authentication is performed each time a page is requested from the server.
  • Page 185: Configuring Basic Parameters

    Chapter Configuring Basic Parameters In this chapter • Entering system administration information ......114 • Configuring Simple Network Management Protocol(SNMP) traps ..114 •...
  • Page 186: Entering System Administration Information

    Entering system administration information Entering system administration information You can configure a system name, contact, and location for the device and save the information locally in the configuration file for future reference. The information is not required for system operation but is recommended. When you configure a system name, it replaces the default system name in the CLI command prompt.
  • Page 187: Specifying An Snmp Trap Receiver

    Configuring Simple Network Management Protocol (SNMP) traps Specifying an SNMP trap receiver You can specify a trap receiver to ensure that all SNMP traps sent by the device go to the same SNMP trap receiver or set of receivers, typically one or more host devices on the network. When you specify the host, you also specify a community string.
  • Page 188: Setting The Snmp Trap Holddown Time

    Configuring Simple Network Management Protocol (SNMP) traps • If you specify a loopback interface as the single source for SNMP traps, SNMP trap receivers can receive traps regardless of the states of individual links. Thus, if a link to the trap receiver becomes unavailable but the receiver can be reached through another link, the receiver still receives the trap, and the trap still has the source IP address of the loopback interface.
  • Page 189: Disabling Syslog Messages And Traps For Cli Access

    Configuring Simple Network Management Protocol (SNMP) traps You can selectively disable one or more of the following traps: • SNMP authentication key • Power supply failure • Fan failure • Cold start • Link up • Link down • Bridge new root •...
  • Page 190: Configuring An Interface As The Source For All Telnet Packets

    Configuring an interface as the source for all Telnet packets NOTE Messages for accessing the User EXEC level apply only to access through Telnet. The device does not authenticate initial access through serial connections but does authenticate serial access to the Privileged EXEC level.
  • Page 191: Cancelling An Outbound Telnet Session

    Configuring an interface as the source for all TFTP packets • If you specify a loopback interface as the single source for Telnet packets, Telnet servers can receive the packets regardless of the states of individual links. Thus, if a link to the Telnet server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
  • Page 192: Configuring An Interface As The Source For Syslog Packets

    Configuring an interface as the source for Syslog packets For example, to specify the lowest-numbered IP address configured on a virtual routing interface as the device’s source for all TFTP packets, enter commands such as the following. BigIron RX(config)# int ve 1 BigIron RX(config-vif-1)# ip address 10.0.0.3/24 BigIron RX(config-vif-1)# exit BigIron RX(config)# ip tftp source-interface ve 1...
  • Page 193: Specifying A Simple Network Time Protocol (Sntp) Server

    Specifying a Simple Network Time Protocol (SNTP) server Specifying a Simple Network Time Protocol (SNTP) server You can configure the device to consult SNTP servers for the current system time and date. NOTE The device does not retain time and date information across power cycles. Unless you want to reconfigure the system time counter each time the system is reset, Brocade recommends that you use the SNTP feature.
  • Page 194: Setting The System Clock

    Setting the system clock To display information about SNTP status, enter the following command. BigIron RX# show sntp status Clock is unsynchronized, stratum = 0, no reference clock precision is 2**0 reference time is 0 clock offset is 0.0 msec, root delay is 0.0 msec root dispersion is 0.0 msec, peer dispersion is 0.0...
  • Page 195 Setting the system clock By default, the device does not change the system time for daylight savings time. To enable daylight savings time, enter the following command. BigIron RX# clock summer-time Syntax: clock summer-time Although SNTP servers typically deliver the time and date in Greenwich Mean Time (GMT), you can configure the device to adjust the time for any one-hour offset from GMT or for one of the following U.S.
  • Page 196: New Daylight Saving Time (Dst)

    Configuring CLI banners • GMT time zones (gmt): gmt+12, gmt+11, gmt+10...gmt+01, gmt+00, gmt-01...gmt-10, gmt-11, gmt-12. New Daylight Saving Time (DST) The new Daylight Saving Time (DST) change that went into effect on March 11th, 2007 affects only networks following the US time zones. This software release supports the DST automatic feature, but to trigger the device to the correct time, the device must be configured to the US time zone, not the GMT offset.
  • Page 197: Setting A Privileged Exec Cli Level Banner

    Configuring CLI banners NOTE The banner <delimiting-character> command is equivalent to the banner motd <delimiting-character> command. When you access the Web Management Interface, the banner is displayed. Setting a privileged EXEC CLI level banner You can configure the device to display a message when a user enters the Privileged EXEC CLI level.
  • Page 198: Configuring Terminal Display

    Configuring terminal display When a user connects to the CLI using Telnet, the following message appears on the Console. Telnet from 209.157.22.63 Incoming Telnet Session!! Syntax: [no] banner incoming <delimiting-character> To remove the banner, enter the no banner incoming command. Configuring terminal display You can configure and display the number of lines displayed on a terminal screen during the current CLI session.
  • Page 199: Displaying And Modifying System Parameter Default Settings

    Displaying and modifying system parameter default settings • OSPF • • • VRRP • VRRPE By default, IP routing is enabled on the device. All other protocols are disabled, so you must enable them to configure and use them. NOTE The following protocols require a system reset before the protocol will be active on the system: PIM, DVMRP, RIP, FSRP.
  • Page 200 Displaying and modifying system parameter default settings NOTE Changing the table size for a parameter reconfigures the device’s memory. Whenever you reconfigure the memory on a device, you must save the change to the startup configuration file, then reload the software to place the change into effect. To display the configurable tables, their defaults and maximum values, enter the following command at any level of the CLI.
  • Page 201: Enabling Or Disabling Layer 2 Switching

    Enabling or disabling Layer 2 switching Syntax: show default values Information for the configurable tables appears under the columns shown in bold type. To simplify configuration, the command parameter you enter to configure the table is used for the table name. For example, to increase the capacity of the IP route table, enter the following commands.
  • Page 202: Cam Partitioning For The Bigiron Rx

    CAM partitioning for the BigIron RX To globally disable Layer 2 switching on the device, enter commands such as the following. BigIron RX(config)# route-only BigIron RX(config)# exit BigIron RX# write memory BigIron RX# reload To re-enable Layer 2 switching globally, enter the following. BigIron RX(config)# no route-only BigIron RX(config)# exit BigIron RX# write memory...
  • Page 203: Nexthop Table

    CAM partitioning for the BigIron RX The total amount of CAM entries available is 1024 for each packet processor. If you want to configure 600 for ACLs, 168 for PBR and Rate Limiters, and 256 for IPv6 multicast forwarding entries, enter commands such as the following. BigIron RX(config)#cam-partition rw session 768 BigIron RX(config)#cam-partition rw session rule-partition 600 If you want to configure 2 ACL entries and 2 IPv6 entries and 1020 Rate Limiting entries, enter a...
  • Page 204: Changing The Mac Age Time

    Changing the MAC age time As of release 02.4.00, the Nexthop table is user configurable. If the router is installed in a network where there are many directly connected hosts, then the size of one-path partition should be increased. To configure the partition, use a command such as the following. BigIron RX(config)# cam-partition next-hop 2048 1024 512 512 The above command partitions the next-hop table into 2048 one-path, 1024 two-path, 512 four-path and 512 eight-path entries.
  • Page 205: Configuring Interface Parameters

    Chapter Configuring Interface Parameters In this chapter • Assigning a port name ......... 133 •...
  • Page 206: Assigning An Ip Address To A Port

    Assigning an IP address to a port The <text> parameter is an alphanumeric string. The name can be up to 255 characters long on the device. The name can contain blanks. You do not need to use quotation marks around the string, even when it contains blanks.
  • Page 207: Disabling Or Re-Enabling A Port

    Disabling or re-enabling a port NOTE Brocade recommends using gig links or 24C’s links for switch uplinks when transmitting Layer 2 traffic in bidirectional patterns. NOTE To force the port to run at 1000 Mbps, set one of the link’s ports to be the master for the link. To set a port as a Gigabit master port, enter the following command at the interface configuration level for the port: NOTE...
  • Page 208: Changing The Default Gigabit Negotiation Mode

    Changing the default Gigabit negotiation mode Syntax: enable You also can disable or re-enable a virtual routing interface. To do so, enter commands such as the following. BigIron RX(config)# interface ve v1 BigIron RX(config-vif-1)# disable Syntax: disable To re-enable a virtual routing interface, enter the enable command at the Interface configuration level.
  • Page 209: Specifying Threshold Values For Flow Control

    Locking a port to restrict addresses To turn the feature back on. BigIron RX(config)# flow-control Syntax: [no] flow-control Specifying threshold values for flow control The 802.3x flow control specification provides a method for slowing traffic from a sender when a port is receiving more traffic than it can handle.
  • Page 210: Wait For All Cards Feature

    Wait for all cards feature During a system reload, an Interface module comes up after it completes its initialization process. After an Interface module is up, its ports can come up. Since 10G modules have more packet processors to initialize, 1G ports are up earlier than 10G ports.
  • Page 211 Port transition hold timer If the port flap state toggles (from down to up or from up to down) for a specified number of times within a specified period, the interface is physically disabled for the specified wait period. Once the wait period expires, the port’s link state is re-enabled.
  • Page 212: Modifying Port Priority (Qos)

    Modifying port priority (QoS) Enter commands such as the following on the primary port of a trunk. BigIron RX(config)# interface ethernet 2 BigIron RX(config-if-e100-2)#link-error-disable 10 3 10 Re-enabling a port disabled by port flap dampening A port disabled by port flap dampening is automatically re-enabled once the wait period expires; however, if the wait period is set to zero (0) seconds, you must re-enable the port by entering the following command on the disabled port.
  • Page 213: Configuration Guidelines For Monitoring Traffic

    Assigning a mirror port and monitor ports Configuration guidelines for monitoring traffic Use the following considerations when configuring mirroring for inbound and outbound traffic: • Any port can be mirrored and monitored except for the management port. • There can be only one mirror port per packet processor on a 24 X 1G module. •...
  • Page 214: Monitoring An Individual Trunk Port

    Monitoring an individual trunk port BigIron RX(config)# mirror-port ethernet 1/1 BigIron RX(config)# mirror-port ethernet 2/1 BigIron RX(config)# interface ethernet 3/1 BigIron RX(config-if-e1000-3/1)# monitor ethernet 1/1 both BigIron RX(config-if-e1000-3/1)# interface ethernet 3/2 BigIron RX(config-if-e1000-3/2)# monitor ethernet 2/1 both The above example configures two mirror ports 1/1 and 2/1 on different modules. Port 3/1 uses port 1/1 for inbound and outbound mirroring.
  • Page 215: Mirror Ports For Policy-Based Routing (Pbr) Traffic

    Mirror ports for Policy-Based Routing (PBR) traffic You can mirror traffic on ports that have policy-based routing (PBR) enabled. This feature is useful for monitoring traffic, debugging, and enabling application-specific mirroring. The PBR mirror interface feature allows continued hardware forwarding and, at the same time, enables you to determine exactly which traffic flows get routed using the policies defined by PBR.
  • Page 216: Displaying Mirror And Monitor Port Configuration

    Displaying mirror and monitor port configuration Syntax: set mirror-interface <slot number>/<port number> The <slot number> parameter specifies the port number on a device. The <port number> parameter specifies the mirror port number. You can specify up to 4 mirror ports for each PBR route map instance. To do so, enter the set mirror interface command for each mirror port.
  • Page 217: Configuring Ip

    Chapter Configuring IP In this chapter • Overview of configuring IP........145 •...
  • Page 218: The Ip Packet Flow

    The IP packet flow Figure 5 shows how an IP packet moves through a device. FIGURE 5 IP Packet flow through a device...
  • Page 219: Arp Cache Table

    The IP packet flow 4. If there is no match in the IP routing table and a default route is not configured, the packet is dropped. For an IP packet whose destination IP address is to a directly connected host, the first packet is forwarded to the CPU.
  • Page 220: Ip Route Table

    The IP packet flow To increase the size of the ARP cache and static ARP table, see the following: • For dynamic entries, refer to “Displaying and modifying system parameter default settings” page 127. The ip-arp parameter controls the ARP cache size. •...
  • Page 221: Ip Forwarding Cache

    Basic IP parameters and defaults IP forwarding cache The device maintains a software cache table for fast processing of IP packets that are forwarded or generated by the CPU. The cache also contains forwarding information that is normally contained in the IP routing table.
  • Page 222: Ip Global Parameters

    Basic IP parameters and defaults IP global parameters Table 41 lists the IP global parameters for the device, their default values, and where to find configuration information. TABLE 41 IP global parameters Parameter Description Default See page... IP state The Internet Protocol, version 4 Enabled NOTE: You cannot disable IP address and mask...
  • Page 223 Basic IP parameters and defaults TABLE 41 IP global parameters (Continued) Parameter Description Default See page... Time to Live (TTL) The maximum number of routers (hops) through which a packet 64 hops page 186 can pass before being discarded. Each router decreases a packet’s TTL by 1 before forwarding the packet.
  • Page 224: Ip Interface Parameters

    Basic IP parameters and defaults TABLE 41 IP global parameters (Continued) Parameter Description Default See page... IP load sharing A Brocade feature that enables the router to balance traffic to a Enabled page 201 specific destination across multiple equal-cost paths. Load sharing is based on a combination of destination MAC address, source MAC address, destination IP address, source IP address, and IP protocol.
  • Page 225: Configuring Ip Parameters

    Configuring IP parameters TABLE 42 IP interface parameters (Continued) Parameter Description Default See page... IP Maximum The maximum length (number of bytes) of an encapsulated IP 1500 for Ethernet II page 173 Transmission Unit datagram the router can forward. encapsulated packets (MTU) 1492 for SNAP encapsulated packets...
  • Page 226: Configuring Ip Addresses

    Configuring IP parameters Configuring IP addresses You can configure an IP address on the following types of the device interfaces: • Ethernet port • Virtual routing interface (also called a Virtual Ethernet or “VE”) • Loopback interface By default, you can configure up to 24 IP addresses on each interface. Also, the CAM can hold up to 256,000 IP address entries.
  • Page 227 Configuring IP parameters The ospf-ignore | ospf-passive parameters modify the device defaults for adjacency formation and interface advertisement. Use one of these parameters if you are configuring multiple IP subnet addresses on the interface but you want to prevent OSPF from running on some of the subnets: •...
  • Page 228: Changing The Network Mask Display To Prefix Format

    Configuring IP parameters NOTE The device uses the lowest MAC address on the device (the MAC address of port 1 or 1/1) as the MAC address for all ports within all virtual interfaces you configure on the device. To add a virtual interface to a VLAN and configure an IP address on the interface, enter commands such as the following.
  • Page 229: Configuring The Default Gateway

    Configuring IP parameters Configuring the default gateway To manage a device using Telnet or Secure Shell (SSH) CLI connections or the Web management interface, you must configure an IP address for the device. To configure a default gateway, first define an IP address using the following CLI command. BigIron RX(config)# ip address 192.45.6.110 255.255.255.0 Syntax: ip address <ip-addr>...
  • Page 230: Configuring A Tunnel Interface

    Configuring IP parameters NOTE The encapsulated packets sent on a GRE tunnel have the DF bit set. Setting a GRE tunnel MTU to be greater than 1476 will cause the encapsulated packet to be greater than 1500 bytes. This may cause the transit routers to drop the encapsulated packet if that transit router's IP MTU is 1500 bytes (a typical default MTU value), since transit routers cannot fragment a GRE packet.
  • Page 231 Configuring IP parameters NOTE Ensure a route to the tunnel destination exists on the tunnel source device. Create a static route if needed. Configuring a tunnel interface for GRE encapsulation To configure a specified tunnel interface for GRE encapsulation, enter the following command. BigIron RX(config)# interface tunnel 1 BigIron RX(config-tnif-1)# tunnel mode gre ip Syntax: tunnel mode gre ip...
  • Page 232 Configuring IP parameters Example of a GRE IP tunnel configuration In this example, a GRE IP Tunnel is configured between the device A switch and the device B switch. Traffic between networks 10.10.1.0/24 and 10.10.2.0/24 is encapsulated in a GRE IP packet sent through the tunnel on the 10.10.3.0 network.
  • Page 233 Configuring IP parameters Displaying GRE tunneling information You can display GRE tunneling information using the show ip interface, show ip route and show interface tunnel commands as shown in the following. BigIron RX# show ip interface tunnel 1 Interface IP-Address Method Status Protocol...
  • Page 234: Ipv6 Over Ipv4 Tunnels In Hardware

    Configuring IP parameters Tunnel mode gre ip Tunnel loopback is 1/3 No port name MTU 1476 Bytes Syntax: show interface tunnel <number> The <number> parameter indicates the tunnel interface number for which you want to display information. IPv6 over IPv4 tunnels in hardware To enable communication between the isolated IPv6 domains using the IPv4 infrastructure, you can configure IPv6 over IPv4 tunnels.
  • Page 235 Configuring IP parameters NOTE IPv6 over IPv4 tunnel will not work when used with transparent VLAN flooding mode. FIGURE 8 Manually configured tunnel. To configure a manual IPv6 tunnel, enter commands such as the following on a Layer 3 Switch running both IPv4 and IPv6 protocol stacks on each end of the tunnel.
  • Page 236 Configuring IP parameters Clearing IPv6 tunnel statistics You can clear all IPv6 tunnel statistics (reset all fields to zero) or statistics for a specified tunnel interface. For example, to clear statistics for tunnel 1, enter the following command at the Privileged EXEC level or any of the Config levels of the CLI.
  • Page 237 Configuring IP parameters This display shows the following information. TABLE 45 IPv6 tunnel interface information This field... Displays... Tunnel interface status The status of the tunnel interface can be one of the following: • up – The tunnel interface is functioning properly. •...
  • Page 238: Configuring Domain Name Server (Dns) Resolver

    Configuring IP parameters ipv6 address fe80::3:4:2 link-local ipv6 address 1011::1/64 ipv6 address 1001::1/64 ipv6 ospf area 0 Configuring Domain Name Server (DNS) resolver The DNS resolver lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a device and thereby recognize all hosts within that domain.
  • Page 239: Adding Host Names To The Dns Cache Table

    Configuring IP parameters The <domain-name> parameter specifies the domain name to be added to the list. The <sequence-number> parameter specifies a sequence number that is generated internally in steps of 10 starting with sequence number 5. The entries are tried in order of sequence number of entries.
  • Page 240 Configuring IP parameters Static cache entries You can manually add entries to the DNS cache table if you know a host’s complete, qualified name and its IP address. To add host names and their IP addresses to the DNS cache table, enter commands such as the following.
  • Page 241 Configuring IP parameters BigIron RX(config)#show ip dns cache-table 66.151.144.5 Host Flag TTL/min Address border2.pc0-0-bbnet1.sje.pnap.net (TMP,OK) 720 66.151.144.5 TABLE 46 The show ip dns cache-table output This field... Displays... Host The complete, qualified domain name of the host. Flag Indicates if the entry is dynamic or static and if the information for the domain is up to date: •...
  • Page 242 Configuring IP parameters Displaying the server list To display the current DNS server list configured for the device, enter the following command. BigIron RX#show ip dns server-list Total number of DNS Servers configured: 2 Server List: 10.51.17.30 10.51.17.29 Syntax: show ip dns server-list Debugging the DNS feature To debug the DNS feature enter the following command.
  • Page 243: Configuring Packet Parameters

    Configuring packet parameters After you enter the command, a message indicating that the DNS query is in process and the current gateway address (IP address of the domain name server) being queried appear on the screen. Type Control-c to abort Sending DNS Query to 209.157.22.199 Tracing Route to IP node 209.157.22.80 To ABORT Trace Route, Please use stop-traceroute command.
  • Page 244: Setting Maximum Frame Size Per Ppcr

    Configuring packet parameters • Ethernet SNAP (also called IEEE 802.3) The control portions of these packets differ slightly. All IP devices on an Ethernet network must use the same format. The device uses Ethernet II by default. You can change the IP encapsulation to Ethernet SNAP on individual ports if needed.
  • Page 245: Changing The Mtu

    Configuring packet parameters To configure the untagged max-frame-size on a VLAN, enter a command such as the following at the Interface Configuration level. BigIron RX(config-vlan-20)# BigIron RX(config-vlan-20)#max-frame-size 5000 Please reload system! BigIron RX(config-vlan-20)# Syntax: max-frame-size <bytes> The <frame-size> variable specifies the maximum frame size for each port that is connected to the same PPCR as described in Table 47.
  • Page 246: Changing The Router Id

    Changing the router ID Globally changing the IP MTU To globally enable jumbo support on all ports, enter commands such as the following. BigIron RX(config)# ip mtu 5000 BigIron RX(config)# write memory Syntax: [no] ip mtu <bytes> The <bytes> parameter specifies the maximum number of bytes an Ethernet frame can have in order to be forwarded on a port.
  • Page 247: Specifying A Single Source Interface For Telnet, Tacacs/Tacacs+, Or Radius Packets

    Specifying a single source interface for Telnet, TACACS/TACACS+, or RADIUS packets NOTE If you change the router ID, all current BGP4 sessions are cleared. By default, the router ID on a device is one of the following: • If the router has loopback interfaces, the default router ID is the IP address configured on the lowest numbered loopback interface configured on the device.
  • Page 248 Specifying a single source interface for Telnet, TACACS/TACACS+, or RADIUS packets • If you specify a loopback interface as the single source for Telnet, TACACS/TACACS+, or RADIUS packets, servers can receive the packets regardless of the states of individual links. Thus, if a link to the server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
  • Page 249: Configuring An Interface As The Source For Syslog Packets

    Configuring an interface as the source for Syslog packets RADIUS packets To specify the lowest-numbered IP address configured on a virtual interface as the device’s source for all RADIUS packets, enter commands such as the following. BigIron RX(config)# int ve 1 BigIron RX(config-vif-1)# ip address 10.0.0.3/24 BigIron RX(config-vif-1)# exit BigIron RX(config)# ip radius source-interface ve 1...
  • Page 250: Ip Fragmentation Protection

    Configuring an interface as the source for Syslog packets IP fragmentation protection Beginning with this release, IP packet filters on the device switches will drop undersized fragments and overlapping packet fragments to prevent tiny fragment attacks as explained in RFC 1858. When packets are fragmented on the network, the first fragment of a packet must be large enough to contain all the necessary header information.
  • Page 251: Configuring Arp Parameters

    Configuring ARP parameters Displaying IP receive access list To determine if IP receive access list has been configured on the device, enter the following command. BigIron RX# show access-list bindings L4 configuration: ip receive access-list 101 Configuring ARP parameters Address Resolution Protocol (ARP) is a standard IP protocol that enables the device to obtain the MAC address of another device’s interface when the device knows the IP address of the interface.
  • Page 252: Rate Limiting Arp Packets

    Configuring ARP parameters • If the ARP cache does not contain an entry for the destination IP address, the device broadcasts an ARP request out all its IP interfaces. The ARP request contains the IP address of the destination. If the device with the IP address is directly attached to the device, the device sends an ARP response containing its MAC address.
  • Page 253: Applying A Rate Limit To Arp Packets On An Interface

    Configuring ARP parameters Applying a rate limit to ARP packets on an interface To prevent the CPU from becoming flooded by ARP packets in a busy network, you can restrict the number of ARP packets an interface will accept each second. When ARP rate limit is configured on an interface, the interface will accept up to the maximum number of packets you specify, but drops additional ARP packets received during the one-second interval.
  • Page 254: Clearing The Rate Limit For Arp Packets

    Configuring ARP parameters The example above shows that the LP processed 50 packets every second and dropped any additional packets. Syntax: show ip traffic arp This column... Displays... Interface The interface on the device. Received Number of ARP packets received by the interface. Processed Number of ARP packets processed by the interface.
  • Page 255 Configuring ARP parameters NOTE An ARP request from one subnet can reach another subnet when both subnets are on the same physical segment (Ethernet cable), since MAC-layer broadcasts reach all the devices on the segment. Proxy ARP is disabled by default. To enable IP proxy ARP, enter the following command.
  • Page 256: Creating A Floating Static Arp Entry

    Configuring ARP parameters Changing the maximum number of entries the static ARP table can hold The default number of entries in the static ARP table on the device are as follows: • Default maximum: 8192 • Configurable maximum: 65536 NOTE You must save the configuration to the startup configuration file and reload the software after changing the static ARP table size to place the change into effect.
  • Page 257: Static Route Arp Validation Check

    Configuring ARP parameters Syntax: arp <ip-add> <mac-addr> The <ip-addr> parameter specifies the IP address of the device that has the MAC address of the entry. The <mac-addr> parameter specifies the MAC address of the entry. Static route ARP validation check Beginning with release 02.5.00, you can configure the device to perform validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
  • Page 258: Configuring Forwarding Parameters

    Configuring forwarding parameters Displaying the routes waiting for the next hop ARP to resolve Use the following command to display which routes are waiting for the nexthop ARP to be resolved. BigIron RX# show ip static route IP Static Routing Table - 2 entries: Type Codes: '*' - Installed, '+' - Waiting for ARP resolution IP Prefix Next Hop...
  • Page 259: Enabling Forwarding Of Directed Broadcasts

    Configuring forwarding parameters To modify the TTL threshold to 25, enter the following commands. BigIron RX(config)# ip ttl 25 Syntax: ip ttl <1-255> Enabling forwarding of directed broadcasts A directed broadcast is an IP broadcast to all devices within a single directly-attached network or subnet.
  • Page 260: Disabling Icmp Messages

    Configuring forwarding parameters • Loose source routing – requires that the packet pass through all of the listed routers but also allows the packet to travel through other routers, which are not listed in the packet. The device forwards both types of source-routed packets by default. You cannot enable or disable strict or loose source routing separately.
  • Page 261: Disabling Replies To Broadcast Ping Requests

    Configuring forwarding parameters • Destination Unreachable messages – If the device receives an IP packet that it cannot deliver to its destination, the device discards the packet and sends a message back to the device that sent the packet. The message informs the device that the destination cannot be reached by the device.
  • Page 262: Disabling Icmp Redirect Messages

    Configuring forwarding parameters To disable all ICMP Unreachable messages, enter the following command. BigIron RX(config)# no ip icmp unreachable Syntax: [no] ip icmp unreachable [network | host | protocol | administration | fragmentation-needed | port | source-route-fail] • If you enter the command without specifying a message type (as in the example above), all types of ICMP Unreachable messages listed above are disabled.
  • Page 263: Configuring Static Routes

    Configuring forwarding parameters To disable ICMP redirect messages globally, enter the following command at the global CONFIG level of the CLI. BigIron RX(config)# no ip icmp redirects Syntax: [no] ip icmp redirects To disable ICMP redirect messages on a specific interface, enter the following command at the configuration level for the interface.
  • Page 264 Configuring forwarding parameters Static IP route parameters When you configure a static IP route, you must specify the following parameters: • The IP address and network mask for the route’s destination network. • The route’s path, which can be one of the following: •...
  • Page 265 Configuring forwarding parameters This feature allows the device to adjust to changes in network topology. The device does not continue trying to use routes on unavailable paths but instead uses routes only when their paths are available. Figure 10 shows a network containing a static route. The static route is configured on Router A, as shown in the CLI following the figure.
  • Page 266 Configuring forwarding parameters To configure an IP static route that uses virtual interface 3 as its next hop, enter a command such as the following. BigIron RX(config)# ip route 192.128.2.71 255.255.255.0 ve 3 Syntax: ip route <dest-ip-addr> <dest-mask> | <dest-ip-addr>/<mask-bits> <next-hop-ip-addr>...
  • Page 267 Configuring forwarding parameters To configure a null static route to drop packets destined for network 209.157.22.x, enter the following commands. BigIron RX(config)# ip route 209.157.22.0 255.255.255.0 null0 BigIron RX(config)# write memory Syntax: ip route <ip-addr> <ip-mask> | <dest-ip-addr>/<mask-bits> null0 [<metric>] [tag <num>] [distance <num>] To display the maximum value for your device, enter the show default values command.
  • Page 268: Static Route Tagging

    Configuring forwarding parameters Configuring the device to drop traffic sent to the default IP route address in hardware causes the device to program 32-bit host CAM entries for each destination address using the default route, which could consume the CAM space. To prevent this from happening, you can enable the CAM Default Route Aggregation feature.
  • Page 269 Configuring forwarding parameters The steps for configuring the static routes are the same as described in the previous section. The following sections provide examples. To configure multiple static IP routes, enter commands such as the following. BigIron RX(config)# ip route 192.128.2.69 255.255.255.0 209.157.22.1 BigIron RX(config)# ip route 192.128.2.69 255.255.255.0 192.111.10.1 The commands in the example above configure two static IP routes.
  • Page 270 Configuring forwarding parameters Figure 11 shows an example of two static routes configured for the same destination network. One of the routes is a standard static route and has a metric of 1. The other static route is a null route and has a higher metric than the standard static route.
  • Page 271 Configuring forwarding parameters Figure 12 shows another example of two static routes. A standard static route and an interface-based static route are configured for destination network 192.168.6.0/24. The interface-based static route has a lower metric than the standard static route. As a result, the device always prefers the interface-based route when the route is available.
  • Page 272: Configuring A Default Network Route

    Configuring forwarding parameters The first command configured an interface-based static route through Ethernet port 1/1. The command assigns a metric of 1 to this route, causing the device to always prefer this route when it is available. If the route becomes unavailable, the device uses an alternate route through the next-hop gateway 192.168.8.11/24.
  • Page 273: Configuring Ip Load Sharing

    Configuring forwarding parameters Configuring a default network route You can configure up to four default network routes. To configure a default network route, enter commands such as the following. BigIron RX(config)# ip default-network 209.157.22.0 BigIron RX(config)# write memory Syntax: ip default-network <ip-addr> The <ip-addr>...
  • Page 274 Configuring forwarding parameters How multiple equal-cost paths enter the IP Route table IP load sharing applies to equal-cost paths in the IP route table. Routes eligible for load sharing can enter the table from the following sources: • IP static routes •...
  • Page 275 Configuring forwarding parameters Path cost The cost parameter provides a basis of comparison for selecting among paths to a given destination. Each path in the IP route table has a cost. When the IP route table contains multiple paths to a destination, the device chooses the path with the lowest cost. When the IP route table contains more than one path with the lowest cost to a destination, the device uses IP load sharing to select one of the lowest-cost paths.
  • Page 276: Default Route Ecmp

    Configuring forwarding parameters TABLE 48 Default load sharing parameters for route sources (Continued) Route source Default maximum number of paths Maximum number of paths See... OSPF page 204 BGP4 page 789 How IP load sharing works On the device, IP load sharing (also known as ECMP load sharing) is done by the hardware. If there is more than one path to a given destination, a hash is calculated based on the source MAC address, destination MAC address, source IP address, destination IP address, and IP protocol.
  • Page 277: Ip Receive Access List

    Configuring forwarding parameters NOTE This feature is currently not applicable to IPv6 traffic. To specify the ECMP default route, enter a command such as the following. BigIron RX(config)# ip load-sharing default-route Syntax: [no] ip load-sharing [<num> | <default-route>] The <num> parameter specifies the number of paths and can be from 2 – 8. The <default-router>...
  • Page 278: Configuring Irdp

    Configuring forwarding parameters Configuring IP receive access list IP receive access list is a global configuration command. Once it is applied, the command will be effective on all the management modules on the device. To configure the feature, do the following. 1.
  • Page 279: Enabling Irdp Globally

    Configuring forwarding parameters Some types of hosts use the Router Solicitation messages to discover their default gateway. When IRDP is enabled, the device responds to the Router Solicitation messages. Some clients interpret this response to mean that the device is the default gateway. If another router is actually the default gateway for these clients, leave IRDP disabled on the device.
  • Page 280: Configuring Udp Broadcast And Ip Helper Parameters

    Configuring forwarding parameters Syntax: [no] ip irdp [broadcast | multicast] [holdtime <seconds>] [maxadvertinterval <seconds>] [minadvertinterval <seconds>] [preference <number>] The broadcast | multicast parameter specifies the packet type the device uses to send Router Advertisement. • broadcast – The device sends Router Advertisement as IP broadcasts. This is the default. •...
  • Page 281 Configuring forwarding parameters • dns (port 53) • tftp (port 69) • time (port 37) • netbios-ns (port 137) • netbios-dgm (port 138) • tacacs (port 65) NOTE The application names are the names for these applications that the device recognizes, and might not match the names for these applications on some third-party devices.
  • Page 282 Configuring forwarding parameters • dns (port 53) • dnsix (port 90) • echo (port 7) • mobile-ip (port 434) • netbios-dgm (port 138) • netbios-ns (port 137) • ntp (port 123) • tacacs (port 65) • talk (port 517) • time (port 37) •...
  • Page 283: Configuring Bootp/Dhcp Forwarding Parameters

    Configuring forwarding parameters Configuring BootP/DHCP forwarding parameters Beginning with release 02.7.00, the DHCP relay will allow for IP address grants that do not match the subnets configured on the interface on which the DHCP request was received. A host on an IP network can use BootP/DHCP to obtain its IP address from a BootP/DHCP server.
  • Page 284 Configuring forwarding parameters Configuring an IP helper address The procedure for configuring a helper address for BootP/DHCP requests is the same as the procedure for configuring a helper address for other types of UDP broadcasts. Refer to “Configuring an IP helper address” on page 210 .
  • Page 285: Displaying Ip Information

    Displaying IP information Displaying IP information You can display the following IP configuration information and statistics: • Global IP parameter settings – refer to “Displaying global IP configuration information” on page 213. • IP interfaces – refer to “Displaying IP interface information” on page 215.
  • Page 286 Displaying IP information This display shows the following information. TABLE 49 CLI display of global IP configuration information This field... Displays... Global settings The Time-To-Live (TTL) for IP packets. The TTL specifies the maximum number of router hops a packet can travel before reaching the device. If the packet’s TTL value is higher than the value specified in this field, the Brocade router drops the packet.
  • Page 287: Displaying Ip Interface Information

    Displaying IP information TABLE 49 CLI display of global IP configuration information (Continued) This field... Displays... Destination The destination IP address the policy matches. Protocol The IP protocol the policy matches. The protocol can be one of the following: • ICMP •...
  • Page 288: Displaying Interface Name In Syslog

    Displaying IP information TABLE 50 CLI display of interface IP configuration information (Continued) This field... Displays... Status The link status of the interface. If you have disabled the interface with the disable command, the entry in the Status field will be “administratively down”.
  • Page 289: Displaying Arp Entries

    Displaying IP information Displaying ARP entries You can display the ARP cache and the static ARP table. The ARP cache contains entries for devices attached to the device. The static ARP table contains the user-configured ARP entries. An entry in the static ARP table enters the ARP cache when the entry’s interface comes up.
  • Page 290 Displaying IP information This display shows the following information. The number in the left column of the CLI display is the row number of the entry in the ARP cache. This number is not related to the number you assign to static MAC address entries in the static ARP table.
  • Page 291: Displaying The Forwarding Cache

    Displaying IP information TABLE 52 CLI display of static ARP table (Continued) This field... Displays... IP Address The IP address of the device. MAC Address The MAC address of the device. Port The port attached to the device the entry is for. Displaying the forwarding cache To display the IP Forwarding Cache for directly connected hosts, enter the following command.
  • Page 292: Displaying The Ip Route Table

    Displaying IP information The show ip cache and show ip network commands entered on the rconsole display the following information. TABLE 53 CLI display of IP forwarding cache This field... Displays... IP Address The IP address of the destination. Next Hop The IP address of the next-hop router to the destination.
  • Page 293 Displaying IP information Beginning with release 02.4.00, the show ip route command has been enhanced to include the elapsed time since an IP route was installed. BigIron RX(config)#show ip route Total number of IP routes: 2 Type Codes - B:BGP D:Connected I:ISIS S:Static R:RIP O:OSPF; Cost - Dist/Metric Uptime - Days:Hours:Minutes:Seconds Destination Gateway...
  • Page 294 Displaying IP information Here is an example of how to use the longer option. To display only the routes for a specified IP address and mask, enter a command such as the following. BigIron RX(config)# show ip route 209.159.0.0/16 longer Starting index: 1 B:BGP D:Directly-Connected R:RIP S:Static O:OSPF Destination NetMask Gateway Port Cost Type 52 209.159.38.0 255.255.255.0 207.95.6.101 1/1 1 S...
  • Page 295: Clearing Ip Routes

    Displaying IP information TABLE 54 CLI display of IP route table (Continued) This field... Displays... Type The route type, which can be one of the following: • B – The route was learned from BGP. • D – The destination is directly connected to this device. •...
  • Page 296 Displaying IP information BigIron RX> sh ip traffic IP Statistics 146806 total received, 72952 mp received, 6715542 sent, 0 forwarded 0 filtered, 0 fragmented, 0 bad header 0 failed reassembly, 0 reassembled, 0 reassembly required 0 no route, 0 unknown proto, 0 no buffer, 0 other errors, 0 rpf discard ARP Statistics 19022 total recv, 35761 req recv, 475 rep recv, 2803975 req sent, 1885 rep sent...
  • Page 297 Displaying IP information TABLE 55 CLI display of IP traffic statistics (Continued) This field... Displays... ICMP statistics The ICMP statistics are derived from RFC 792, “Internet Control Message Protocol”, RFC 950, “Internet Standard Subnetting Procedure”, and RFC 1256, “ICMP Router Discovery Messages”. Statistics are organized into Sent and Received.
  • Page 298: Displaying Tcp Traffic Statistics

    Displaying IP information TABLE 55 CLI display of IP traffic statistics (Continued) This field... Displays... input errors This information is used by Brocade customer support. in segments The number of TCP segments received by the device. out segments The number of TCP segments sent by the device. retransmission The number of segments that this device retransmitted because the retransmission timer for the segment had expired before the device at the...
  • Page 299 Displaying IP information This field... Displays... active opens Number of TCP connection requests from the local router, resulting in outbound TCP SYNC packets passive opens Number of TCP connection requests from remote routers or hosts, resulting in outbound TCP SYNC-ACK packets failed attempts Number of unsuccessful TCP connection requests from either local or remote active resets,...
  • Page 301: Link Aggregation

    Chapter Link Aggregation In this chapter • Link aggregation overview ........229 •...
  • Page 302: Lag Formation Rules

    LAG formation rules NOTE Refer to the Dynamic Link Aggregation chapter in the BigIron RX Series Configuration Guide - Versions 02.5.00 and earlier for information on how to configure LACP in previous versions of the Multi-Service IronWare software. LAG formation rules Given below are the LAG formation rules: •...
  • Page 303 LAG formation rules • All the ports in a trunk group must be connected to the same device at the other end. For example, if ports 1/4 and 1/5 in Device 1 are in the same trunk group, both ports must be connected to ports in Device 2 or in Device 3.
  • Page 304: Lag Load Sharing

    LAG load sharing Figure 15 shows an example of two devices connected over a 4 port LAG where the ports on each end of the LAG are on different interface modules. FIGURE 15 Examples of multi-slot, multi-port LAG...
  • Page 305: Migration From A Pre-02.6.00 Trunk Or Lacp Configuration

    Migration from a pre-02.6.00 trunk or LACP configuration • IPv4, non-TCP/UDP packets: source MAC address and destination MAC address, source IP address and destination IP address. • IPv4 TCP packets: source MAC address and destination MAC address, source IP address and destination IP address, and TCP source port and TCP destination port.
  • Page 306: Configuration Of A Lag

    Configuration of a LAG a. A dynamic LAG is created by grouping all ports in the original configuration having the same link-aggregation key. b. If link-aggregate active/passive is configured originally, the converted dynamic LAG will be configured as deployed. Otherwise it will not be converted because such ports were originally not operating under LACP.
  • Page 307: Creating A Link Aggregation Group (Lag)

    Configuration of a LAG Creating a Link Aggregation Group (LAG) Before setting-up ports or configuring any other aspects of a LAG, you must create it as shown in the following. BigIron RX(config)# lag blue static BigIron RX(config-lag-blue)# Syntax: [no] lag <lag-name> static | dynamic | keep-alive Refer to “Allowable characters for LAG names”...
  • Page 308 Configuration of a LAG Configuring the primary port for a LAG In previous versions of the Multi-Service IronWare software, the lowest number port was assigned as the primary port in a trunk or LACP configuration. In version 02.6.00 and later, the primary port must be explicitly assigned.
  • Page 309: Deploying A Lag

    Deploying a LAG Configuring LACP port priority In a dynamic or keep alive LAG, the port priority determines the active and standby links. The other ports (with lower priorities) become standby ports in the trunk group. BigIron RX(config)# lag blue dynamic BigIron RX(config-lag-blue)# lacp-port-priority 100000 Syntax: [no] lacp-port-priority <slot/port>...
  • Page 310: Commands Available Under Lag Once It Is Deployed

    Deploying a LAG When the deploy command is executed: For static and dynamic LAGs, the current trunk veto mechanism is invoked to make sure the trunk can be formed. If the trunk is not vetoed, a trunk is formed with all the ports in the LAG. For dynamic LAGs, LACP is activated on all LAG ports.
  • Page 311: Disabling Ports Within A Lag

    Deploying a LAG Disabling ports within a LAG You can disable an individual port within a LAG using the disable command within the LAG configuration as shown in the following. BigIron RX(config)# lag blue static BigIron RX(config-lag-blue)# deploy BigIron RX(config-lag-blue)# disable ethernet 3/1 Syntax: [no] disable ethernet [slot/port] | named [name] Use the ethernet option with the appropriate [slot/port] variable to specify an Ethernet port within the LAG that you want to disable.
  • Page 312: Assigning A Name To A Port Within A Lag

    Deploying a LAG Use the named-port-monitored option with the appropriate [slot/port] variable to specify a named port within the LAG that you want to monitor. The ethernet <slot/port> parameter specifies the port to which the traffic analyzer is attached. The input | output | both parameters specify the traffic direction to be monitored. NOTE Mirror (analyzer) ports cannot be assigned to the 16x10G card.
  • Page 313: Displaying Lag Information

    Deploying a LAG Use the ethernet option with the appropriate [slot/port] variable to specify the Ethernet port within the LAG that you want to configure the sampling rate for. Use the port-name option with the appropriate [text] variable to specify the named port within the LAG that you want to configure the sampling rate for.
  • Page 314 Deploying a LAG Deployment: Trunk ID 1 Port Link L2 State Dupl Speed Trunk Tag Priori MAC Name Forward Full 1G Yes level0 0004.80a0.402a Forward Full 1G Yes level0 0004.80a0.402a Forward Full 1G Yes level0 0004.80a0.402a Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope] Syntax: show lag <lag-name>...
  • Page 315 Deploying a LAG TABLE 56 Show LAG information (Continued) This field... Displays... Link The status of the link which can be one of the following: • • down L2 State The L2 state for the port. Dupl The duplex state of the port, which can be one of the following: •...
  • Page 316 Deploying a LAG TABLE 56 Show LAG information (Continued) This field... Displays... Indicates the synchronization state of the port. The state can be one of the following: • No – The port is out of sync with the remote port. The port does not understand the status of the LACPDU process and is not prepared to enter a trunk link.
  • Page 317: Displaying Lag Statistics

    Deploying a LAG Displaying LAG statistics You can display LAG statistics for a device switch in either a full or brief mode. Full mode is the default and is displayed when the show statistics lag command is executed without the brief option.
  • Page 319: Configuring Lldp

    Chapter Configuring LLDP In this chapter • Terms used in this chapter ........247 •...
  • Page 320: Lldp Overview

    LLDP overview LLDP overview LLDP enables a station attached to an IEEE 802 LAN or MAN to advertise its capabilities to, and to discover, other stations in the same 802 LAN segments. The information distributed through LLDP (the advertisement) is stored by the receiving device in a standard Management Information Base (MIB), accessible by a Network Management System (NMS) using a management protocol such as the Simple Network Management Protocol (SNMP).
  • Page 321: General Operating Principles

    General operating principles • System description can contain the device’s product name or model number, version of hardware type, and operating system • Provides device capability, such as switch, router, or WLAN access port • Network troubleshooting: • Information generated through LLDP can be used to detect speed and duplex mismatches •...
  • Page 322: Lldp Packets

    General operating principles LLDP packets LLDP agents transmit information about a sending device or port in packets called LLDP Data Units (LLDPDUs). All the LLDP information to be communicated by a device is contained within a single 1500 byte packet. A device receiving LLDP packets is not permitted to combine information from multiple packets.
  • Page 323 General operating principles • System capabilities • Management address • End of LLDPDU • Organizationally-specific TLVs are optional in LLDP implementations and are defined and encoded by individual organizations or vendors. These TLVs include support for, but are not limited to, the IEEE 802.1 and 802.3 standards and the TIA-1057 standard. Brocade devices support the following Organizationally-specific TLVs: •...
  • Page 324 General operating principles Brocade devices use chassis ID subtype 4, the base MAC address of the device. Other third party devices may use a chassis ID subtype other than 4. The chassis ID will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info).
  • Page 325: Mib Support

    MIB support The TTL value is automatically computed based on the LLDP configuration settings. The TTL value will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info). Time to live: 40 seconds •...
  • Page 326: Configuration Notes And Considerations

    Configuring LLDP TABLE 59 LLDP global configuration tasks and default behavior / value (Continued) Global task Default behavior / value when LLDP is enabled Specifying the maximum number of LLDP Automatically set to 4 neighbors per port neighbors per port Enabling SNMP notifications and Syslog messages Disabled Changing the minimum time between SNMP traps...
  • Page 327: Changing A Port's Lldp Operating Mode

    Configuring LLDP Changing a port’s LLDP operating mode LLDP packets are not exchanged until LLDP is enabled on a global basis. When LLDP is enabled on a global basis, by default, each port on the Brocade device will be capable of transmitting and receiving LLDP packets.
  • Page 328: Specifying The Maximum Number Of Lldp Neighbors

    Configuring LLDP Use the [no] form of the command to disable the receive only mode. You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
  • Page 329: Enabling Lldp Snmp Notifications And Syslog Messages

    Configuring LLDP where <value> is a number between 16 and 65536. The default number of LLDP neighbors per device is 392. Use the show lldp command to view the configuration. Per port You can change the maximum number of LLDP neighbors for which LLDP data will be retained for each port.
  • Page 330: Changing The Minimum Time Between Lldp Transmissions

    Configuring LLDP NOTE Because LLDP Syslog messages are rate limited, some LLDP information given by the system will not match the current LLDP statistics (as shown in the show lldp statistics command output). To change the minimum time interval between traps and Syslog messages, enter a command such as the following.
  • Page 331: Changing The Holdtime Multiplier For Transmit Ttl

    Configuring LLDP The above command causes the LLDP agent to transmit LLDP frames every 40 seconds. Syntax: [no] lldp transmit-interval <seconds> where <seconds> is a value from 5 to 32768. The default is 30 seconds. NOTE Setting the transmit interval or transmit holdtime multiplier to inappropriate values can cause the LLDP agent to transmit LLDPDUs with TTL values that are excessively high.
  • Page 332: Lldp Tlvs Advertised By The Brocade Device

    Configuring LLDP LLDP TLVs advertised by the Brocade device When LLDP is enabled on a global basis, the Brocade device will automatically advertise the following information, except for the features noted: General system information: • Management address • Port description •...
  • Page 333 Configuring LLDP If no IP address is configured, the port’s current MAC address will be advertised. The management address will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info). Management address (IPv4): 209.157.2.1 Port description The port description TLV identifies the port from which the LLDP agent transmitted the...
  • Page 334 Configuring LLDP Syntax: [no] lldp advertise system-capabilities ports ethernet <slotnum/portnum> | all You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
  • Page 335 Configuring LLDP By default, the system name is automatically advertised when LLDP is enabled on a global basis. To disable this advertisement, enter a command such as the following. FastIron(config)#no lldp advertise system-name ports e 2/4 to 2/12 The system name will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info).
  • Page 336 Configuring LLDP By default, the port VLAN ID is automatically advertised when LLDP is enabled on a global basis. To disable this advertisement, enter a command such as the following. FastIron(config)#no lldp advertise port-vlan-id ports e 2/4 to 2/12 The untagged VLAN ID will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info).
  • Page 337 Configuring LLDP MAC/PHY configuration status The MAC/PHY configuration and status TLV includes the following information: • Auto-negotiation capability and status • Speed and duplex mode • Flow control capabilities for auto-negotiation • Port speed down-shift and maximum port speed advertisement •...
  • Page 338: Displaying Lldp Statistics And Configuration Settings

    Configuring LLDP Syntax: [no] lldp advertise max-frame-size ports ethernet <slotnum/portnum> | all You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
  • Page 339: Lldp Statistics

    Configuring LLDP This field... Displays... LLDP reinitialize delay The minimum number of seconds the device will wait from when LLDP is disabled on a port, until a request to re-enable LLDP on that port will be honored. LLDP maximum The maximum number of LLDP neighbors for which LLDP data will be retained, per neighbors device.
  • Page 340: Lldp Neighbors

    Configuring LLDP This field... Displays... Neighbor entries The number of LLDP neighbors deleted since the last reboot or since the last time the deleted clear lldp statistics all command was issued. Neighbor entries aged The number of LLDP neighbors dropped on all ports after the time-to-live expired. Note that LLDP entries age out naturally when a port’s cable or module is disconnected or when a port becomes disabled.
  • Page 341: Lldp Neighbors Detail

    Configuring LLDP This field... Displays... Port ID The identifier for the port. Brocade devices use the permanent MAC address associated with the port as the port ID. Port The description for the port. Description Brocade devices use the ifDescr MIB object from MIB-II as the port description. System Name The administratively-assigned name for the system.
  • Page 342 Configuring LLDP FastIron#show lldp neighbors detail ports e 1/9 Local port: 1/9 Neighbor: 0800.0f18.cc03, TTL 101 seconds + Chassis ID (network address): 10.43.39.151 + Port ID (MAC address): 0800.0f18.cc03 + Time to live: 120 seconds + Port description : "LAN port" + System name : "regDN 1015,MITEL 5235 DM"...
  • Page 343: Lldp Configuration Details

    Configuring LLDP LLDP configuration details The show lldp local-info command displays the local information advertisements (TLVs) that will be transmitted by the LLDP agent. NOTE The show lldp local-info output will vary based on LLDP configuration settings. The following shows an example report. BigIron RX#show lldp local-info ports e 20/1 Local port: 20/1 + Chassis ID (MAC address): 0012.f233.e2c0...
  • Page 344: Resetting Lldp Statistics

    Resetting LLDP statistics Resetting LLDP statistics To reset LLDP statistics, enter the clear lldp statistics command at the Global CONFIG level of the CLI. The Brocade device will clear the global and per-port LLDP neighbor statistics on the device (refer to “LLDP statistics”...
  • Page 345: Configuring Uni-Directional Link Detection (Udld)

    Chapter Configuring Uni-Directional Link Detection (UDLD) In this chapter • Configuration considerations ........274 •...
  • Page 346: Configuration Considerations

    Configuration considerations Every time UDLD is enabled on a port, the port transitions into the suspended state to detect whether the other end (peer) supports UDLD. This includes the cases where: • A user enables UDLD on a port • A port that has UDLD enabled comes back up after a system reboot •...
  • Page 347: Changing The Keepalive Retries

    Displaying UDLD information Changing the keepalive retries You can change the maximum number of keepalive attempts to a value from 3 – 10. To change the maximum number of attempts, enter a command such as the following. BigIron RX(config)# link-keepalive retries 4 Syntax: [no] link-keepalive retries <num>...
  • Page 348 Displaying UDLD information In this example, the port has been brought down by UDLD. Notice that in addition to the information in the first line, the port state on the fourth line of the display is listed as DISABLED. BigIron RX(config)#sh link-keepalive Total link-keepalive enabled ports: 2 Keepalive Retries: 5 Keepalive Interval: 5 * 100 MilliSec.
  • Page 349: Displaying Information For A Single Port

    Displaying UDLD information The show link-keepalive command shows the following. BigIron RX(config)# show link-keepalive ethernet Current State : down Remote MAC Addr : 0000.0000.0000 Local Port : 1/1 Remote Port : n/a Local System ID : e0eb8e00 Remote System ID : 00000000 Packets sent Packets received : 0 Transitions...
  • Page 350: Clearing Udld Statistics

    Clearing UDLD statistics The show interface ethernet <slot>/<portnum> command also displays the UDLD state for an individual port. In addition, the line protocol state listed in the first line will say “down” if UDLD has brought the port down. Here is an example. BigIron RX(config)# show interface ethernet 1/1 GigabitEthernet2/1 is disabled, line protocol is down, link keepalive is enabled...
  • Page 351: Vlans

    Chapter VLANs In this chapter • Overview of Virtual Local Area Networks (VLANs) ....279 • VLAN configuration rules........282 •...
  • Page 352 Overview of Virtual Local Area Networks (VLANs) Tagged ports allow the device to add a four-byte 802.1q tag to the packet. 802.1q tagging is an IEEE standard that allows a networking device to add information to Layer 2 packets. This information identifies the VLAN membership of the packet, as well as the VLAN ID of the VLAN from which the packet is sent.
  • Page 353: Protocol-Based Vlans

    Overview of Virtual Local Area Networks (VLANs) Figure 22 shows an example of two devices that have the same Layer 2 port-based VLANs configured across them. Notice that only one of the VLANs requires tagging. FIGURE 22 VLANs configured across multiple devices User-configured port-based VLAN T = 802.1Q tagged port Segment 1...
  • Page 354: Vlan Configuration Rules

    VLAN configuration rules If there are ports in a port-based VLAN that you want to exclude from protocol-based VLANs, the protocol-based VLAN can be configured to explicitly exclude those ports. VLAN configuration rules To create any type of VLAN on a device, Layer 2 forwarding must be enabled. When Layer 2 forwarding is enabled, the device becomes a switch on all ports for all non-routable protocols.
  • Page 355: Multiple Vlan Membership Rules

    Configuring port-based VLANs Multiple VLAN membership rules Given below are the membership rules for multiple VLANs: • A port can belong to multiple, overlapping Layer 2 port-based VLANs only if the port is a tagged port. Packets sent out of a tagged port use an 802.1q-tagged frame. •...
  • Page 356: Vlan Byte Accounting

    Configuring port-based VLANs In addition to a VLAN number, you can assign a name to a VLAN by entering name <vlan-name>. Enter up to 32 characters for name. 2. Once an ID is assigned, the CLI directs you to the VLAN configuration level. At this level, you add ports to that VLAN and specify if the ports are tagged or untagged.
  • Page 357 Configuring port-based VLANs • On a given packet processor, the total number of VLANs with byte accounting enabled and the number of ACL-based and VLAN-based rate limiting policies is dependent on the interface module. Refer to Table 62 for details. •...
  • Page 358: Strictly Or Explicitly Tagging A Port

    Configuring port-based VLANs On a given packet processor (PPCR), the total of: Number of VLANs with byte accounting enabled Number of rate limiting policies based on ACLs and VLANs cannot exceed the maximum number of policies as specified in Table TABLE 62 Maximum # of rate limiting policies and VLANs w/ byte accounting permitted per-PPCR Module type...
  • Page 359: Assigning A Different Id To The Default Vlan

    Configuring protocol-based VLANs Assigning a different ID to the default VLAN As stated above, by default, all ports on a device belong to the default VLAN, which is VLAN 1, until they are assigned to a port-based VLAN. The default VLAN port membership is always untagged; however, if you want to use VLAN ID 1 as a configurable VLAN with tagged port members, you can assign a different VLAN ID as the default VLAN.
  • Page 360: Configuring An Mstp Instance

    Configuring virtual routing interfaces The static ethernet <slot-number>/<port-number> [to <slot-number>/<port-number>] parameter adds the specified ports within the port-based VLAN as static ports to the protocol-based VLAN. Packets of the specified protocol will be forwarded on these ports. The exclude ethernet <slot-number>/<port-number> [to <slot-number>/<port-number>] parameter excludes the specified ports from the protocol-based VLAN.
  • Page 361: Bridging And Routing The Same Protocol Simultaneously On The Same

    Configuring virtual routing interfaces BigIron RX(config)# vlan 2 BigIron RX(config-vlan-2)# tagged e 1/1 to 1/2 BigIron RX(config-vlan-2)# router-interface ve 2 BigIron RX(config-vlan-2)# exit BigIron RX(config)# interface ve 2 BigIron RX(config-ve-2)# ip address 10.1.1.1/24 Syntax: router-interface ve <ve-number> Enter 1 to the maximum number of virtual routing interfaces supported on the device for <ve-number>.
  • Page 362: Integrated Switch Routing (Isr)

    Configuring virtual routing interfaces Integrated Switch Routing (ISR) The Brocade Integrated Switch Routing (ISR) feature enables VLANs configured on the device to route Layer 3 traffic from one protocol-based VLAN to another instead of forwarding the traffic to an external router. The VLANs provide Layer 3 broadcast domains for the protocols, but do not in themselves provide routing services.
  • Page 363: Vlan Groups

    VLAN groups There is a separate STP domain for each port-based VLAN. Routing occurs independently across port-based VLANs or STP domains. You can define each end of each backbone link as a separate tagged port-based VLAN. Routing will occur independently across the port-based VLANs. Because each port-based VLAN’s STP domain is a single point-to-point backbone connection, you are guaranteed to never have an STP loop.
  • Page 364 VLAN groups NOTE The device’s memory must be configured to contain at least the number of VLANs you specify for the higher end of the range. For example, if you specify 2048 as the VLAN ID at the high end of the range, you first must increase the memory allocation for VLANs to 2048 or higher.
  • Page 365: Configuring Super Aggregated Vlans

    Configuring super aggregated VLANs The <group-id> specifies a VLAN group. If you do not use this parameter, the configuration information for all the configured VLAN groups is displayed. Configuring super aggregated VLANs A super aggregated VLAN allows multiple VLANs to be placed within another VLAN. This feature allows you to construct Layer 2 paths and channels.
  • Page 366 Configuring super aggregated VLANs Each client connected to the edge device is in its own port-based VLAN. All the clients’ VLANs are aggregated by the edge device into a single VLAN for connection to the core. The device that aggregates the VLANs forwards the aggregated VLAN traffic through the core. The core can consist of multiple devices that forward the aggregated VLAN traffic.
  • Page 367: Configuring Aggregated Vlans

    Configuring super aggregated VLANs This example shows a single link between the core devices. However, you can use a trunk group to add link-level redundancy. Configuring aggregated VLANs A maximum of 1526 bytes are supported on ports where super-aggregated VLANs are configured. This allows for an additional 8 bytes over the untagged port maximum to allow for support of two VLAN tags.
  • Page 368: Complete Cli Examples

    Configuring super aggregated VLANs • Enable VLAN aggregation. This support allows the core device to add an additional tag to each Ethernet frame that contains a VLAN packet from the edge device. The additional tag identifies the aggregate VLAN (the path). However, the additional tag can cause the frame to be longer than the maximum supported frame size.
  • Page 369 Configuring super aggregated VLANs Commands for device A BigIron RX-A(config)# vlan 101 BigIron RX-A(config-vlan-101)# tagged ethernet 2/1 BigIron RX-A(config-vlan-101)# untagged ethernet 1/1 BigIron RX-A(config-vlan-101)# exit BigIron RX-A(config)# vlan 102 BigIron RX-A(config-vlan-102)# tagged ethernet 2/1 BigIron RX-A(config-vlan-102)# untagged ethernet 1/2 BigIron RX-A(config-vlan-102)# exit BigIron RX-A(config)# vlan 103 BigIron RX-A(config-vlan-103)# tagged ethernet 2/1 BigIron RX-A(config-vlan-103)# untagged ethernet 1/3...
  • Page 370 Configuring super aggregated VLANs Commands for device C Since device C is aggregating channel VLANs from devices A and B into a single path, you need to change the tag type and enable VLAN aggregation. BigIron RX-C(config)# tag-type 9100 BigIron RX-C(config)# aggregated-vlan BigIron RX-C(config)# vlan 101 BigIron RX-C(config-vlan-101)# tagged ethernet 4/1 BigIron RX-C(config-vlan-101)# untagged ethernet 3/1...
  • Page 371: Configuring 802.1Q-In-Q Tagging

    Configuring 802.1q-in-q tagging BigIron RX-E(config-vlan-105)# tagged ethernet 2/1 BigIron RX-E(config-vlan-105)# untagged ethernet 1/5 BigIron RX-E(config-vlan-105)# exit BigIron RX-E(config)# write memory Commands for device F The commands for configuring device F are identical to the commands for configuring device E. In this example, since the port numbers on each side of the configuration in Figure 24 on page 294...
  • Page 372: Configuration Rules

    Configuring 802.1q-in-q tagging As shown in Figure 25, the ports to customer interfaces are untagged, whereas the uplink ports to the provider cloud are tagged, because multiple client VLANs share the uplink to the provider cloud. In this example, the device treats the customer’s private VLAN ID and 8100 tag type as normal payload, and adds the 9100 tag type to the packet when the packet is sent to the uplink and forwarded along the provider cloud.
  • Page 373 Configuring 802.1q-in-q tagging For example, in Figure 27, the 802.1Q tag on the untagged edge links (ports 11 and 12) is 9100, whereas the 802.1Q tag for incoming traffic is 8100. To configure 802.1Q-in-Q tagging as shown in Figure 27, enter commands such as the following on the untagged edge links of devices C and D.
  • Page 374: Example Configuration

    Configuring 802.1q tag-type translation Example configuration Figure 27 shows an example 802.1Q-in-Q configuration. FIGURE 27 Example 802.1Q-in-Q configuration
  • Page 375 Configuring 802.1q tag-type translation Figure 28 shows a basic example application of the 802.1q tag-type translation feature. FIGURE 28 802.1q tag-type translation configuration example 1
  • Page 376: Configuration Rules

    Configuring 802.1q tag-type translation Figure 29 shows a more complex example application in which some ports are untagged, not all tag-types between devices match, and the core devices have multiple tag-types. In this example, the tag-type translation feature integrates packets that have single and double tag-types. FIGURE 29 802.1q tag-type translation configuration example 2
  • Page 377: Enabling 802.1Q Tag-Type Translation

    Configuring 802.1q tag-type translation • Since the uplink (to the provider cloud) and the edge link (to the customer port) must have different 802.1q tag-types, make sure the uplink and edge link are in different port regions. • If you configure a port with an 802.1q tag-type, the device automatically applies the 802.1q tag-type to all ports within the same port region.
  • Page 378: Private Vlans

    Private VLANs • If you do not specify a port or range of ports, the 802.1q tag-type applies to all Ethernet ports on the device. Private VLANs A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also provides additional control over flooding packets on a VLAN.
  • Page 379: Implementation Notes

    Private VLANs • Secondary – Secondary private VLANs are secure VLANs that are separated from the rest of the network by the primary private VLAN. Every secondary private VLAN needs to be associated with a primary private VLAN. There are 2 different types of secondary private VLANs - 'community' and 'isolated' private VLANs: •...
  • Page 380: Configuring A Private Vlan

    Private VLANs • The BigIron RX forwards all known unicast traffic in hardware. This differs from the way the BigIron implements private VLANs, in that the BigIron uses the CPU to forward packets on the primary VLAN’s "promiscuous" port. In addition, on the BigIron, support for the hardware forwarding in this feature sometimes results in multiple MAC address entries for the same MAC address in the device’s MAC address table.
  • Page 381 Private VLANs • You can configure the primary VLAN before or after you configure the community or isolated VLANs. You are not required to configure a specific type of private VLAN before you can configure the other types. • The ports in all three types of private VLANs can be untagged. •...
  • Page 382: Private Vlan

    Private VLANs Syntax: [no] pvlan type community | isolated | primary Syntax: [no] pvlan mapping <vlan-id> ethernet <portnum> The untagged command adds the ports to the VLAN. The pvlan type command specifies that this port-based VLAN is a private VLAN. Specify primary as the type.
  • Page 383: Cli Example For Figure 30

    Other VLAN features CLI example for Figure 30 To configure the private VLANs shown in Figure 30 on page 306, enter the following commands. BigIron RX(config)# vlan 901 BigIron RX(config-vlan-901)# untagged ethernet 3/5 to 3/6 BigIron RX(config-vlan-901)# pvlan type community BigIron RX(config-vlan-901)# exit BigIron RX(config)# vlan 902 BigIron RX(config-vlan-902)# untagged ethernet 3/9 to 3/10...
  • Page 384: Unknown Unicast Flooding On Vlan Ports

    Other VLAN features By default, the device performs hardware flooding for Layer 2 multicast and broadcast packets. (Layer 2 multicast packets have a multicast address in the destination MAC address field.) However, if uplink VLANs or protocol-based VLANs are configured, this default behavior is overridden and software flooding is enabled.
  • Page 385: Flow Based Mac Learning

    Other VLAN features Flow based MAC learning In this release, the cpu-flooding command that disables hardware flooding of unknown unicast, multicast, and broadcast packets on all VLANs has been added. When using this command, unknown unicast packets will go to the CPU and will be CPU forwarded. Source MAC learning will be done by CPU.
  • Page 386: Configuring Control Protocols In Vlans

    Displaying VLAN information Syntax: [no] uplink-switch ethernet <port-number> [to <port-number> | ethernet <port-number>] In this example, 24 ports on a 10/100 module and two Gigabit ports on a Gigabit module are added to port-based VLAN 10. The two Gigabit ports are then configured as uplink ports. Configuring control protocols in VLANs You can configure the following protocols on a VLAN: •...
  • Page 387: Displaying Vlan Information For Specific Ports

    Displaying VLAN information The output shows the following information. TABLE 65 Output of show vlan This field... Displays... Configured PORT-VLAN entries Number of port-based VLANs in the configuration. Maximum PORT-VLAN entries: 4095 Maximum number of port-based VLANs that you can configure. Note however, IDs 4091 and 4092 are reserved for control purposes.
  • Page 388: Displaying Vlan Status And Port Types

    Displaying VLAN information Displaying VLAN status and port types To display detailed information about the state, port types, and port modes of a VLAN, as well as control protocols configured on the VLAN, enter the following command. BigIron RX# show vlan detail Untagged Ports : ethe 2/1 to 2/24 ethe 4/4 Tagged Ports...
  • Page 389: Displaying Vlan Group Information

    Transparent firewall mode TABLE 67 Output of show vlan detail (Continued) This field... Displays... Type Port type: physical or trunk Tag-Mode Tag mode of the port: untagged, tagged, or dual-mode Protocol Protocol configured on the VLAN. State Current state of the port such as disabled, blocking, forwarding, etc. Displaying VLAN group information To display information about VLAN groups, enter the following command.
  • Page 390 Transparent firewall mode To set the mode to routed, enter a command such as the following. BigIron RX(config-vlan-10)# no transparent-fw-mode Syntax: [no] transparent-fw-mode...
  • Page 391: Configuring Spanning Tree Protocol

    Chapter Configuring Spanning Tree Protocol In this chapter • IEEE 802.1D Spanning Tree Protocol (STP) ......319 •...
  • Page 392 IEEE 802.1D Spanning Tree Protocol (STP) • Individual VLAN – Affects all ports within the specified VLAN. When you enable or disable STP within a VLAN, the setting overrides the global setting. Thus, you can enable STP for the ports within a VLAN even when STP is globally disabled, or disable the ports within a port-based VLAN when STP is globally enabled.
  • Page 393: Default Stp Bridge And Port Parameters

    IEEE 802.1D Spanning Tree Protocol (STP) Default STP bridge and port parameters Table 70 lists the default STP bridge parameters. The bridge parameters affect the entire spanning tree. If you are using MSTP, the parameters affect the VLAN. If you are using SSTP, the parameters affect all VLANs that are members of the single spanning tree.
  • Page 394: Changing Stp Bridge Parameters

    IEEE 802.1D Spanning Tree Protocol (STP) Changing STP bridge parameters To change a BigIron RX’s STP bridge priority to the highest value, so as to make the device the root bridge, enter the following command. BigIron RX(config)# vlan 20 BigIron RX(config-vlan-20)# spanning-tree priority 0 To make this change in the default VLAN, enter the following commands.
  • Page 395 IEEE 802.1D Spanning Tree Protocol (STP) Root Guard should be configured on all ports where the root bridge should not appear. In this way, the core bridged network can be cut off from the user network by establishing a protective perimeter around it.
  • Page 396: Spanning Tree Protocol (Stp) Bpdu Guard

    IEEE 802.1D Spanning Tree Protocol (STP) Spanning Tree Protocol (STP) BPDU guard STP protection provides the ability to prohibit an end station from initiating or participating in an STP topology. The STP BPDU Guard is used to keep all active network topologies predictable. The spanning-tree protocol detects and eliminates logical loops in a redundant network by selectively blocking some data paths and allowing only some data paths to forward traffic.
  • Page 397 IEEE 802.1D Spanning Tree Protocol (STP) Displaying STP information for an entire device To display STP information, enter the following command at any level of the CLI. BigIron RX# show spanning-tree vlan 10 VLAN 10 - STP instance 1 -------------------------------------------------------------------- STP Bridge Parameters: Bridge Bridge Bridge Bridge Hold...
  • Page 398 IEEE 802.1D Spanning Tree Protocol (STP) TABLE 72 CLI display of STP information (Continued) This field... Displays... Bridge Identifier The ID assigned by STP to this bridge for this spanning tree in hexadecimal. NOTE: If this address is the same as the Root ID, then this device or VLAN is the root bridge for its spanning tree.
  • Page 399 IEEE 802.1D Spanning Tree Protocol (STP) TABLE 72 CLI display of STP information (Continued) This field... Displays... State The port’s STP state. The state can be one of the following: • BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop.
  • Page 400 IEEE 802.1D Spanning Tree Protocol (STP) Displaying detailed STP information for each interface To display the detailed STP information, enter the following command at any level of the CLI. BigIron RX# show spanning-tree detail vlan 10 VLAN 10 - STP instance 1 -------------------------------------------------------------------- STP Bridge Parameters: Bridge identifier - 0x8000000480a04000...
  • Page 401 IEEE 802.1D Spanning Tree Protocol (STP) TABLE 73 CLI display of detailed STP information for ports This field... Displays... VLAN ID The VLAN that contains the listed ports and the number of STP instances on this VLAN. The STP type can be one of the following: •...
  • Page 402: Ieee Single Spanning Tree (Sstp)

    IEEE Single Spanning Tree (SSTP) TABLE 73 CLI display of detailed STP information for ports (Continued) This field... Displays... STP port parameters Port number and STP state The internal port number and the port’s STP state. The internal port number is one of the following: •...
  • Page 403: Enabling Sstp

    IEEE Single Spanning Tree (SSTP) • To remove a VLAN from the single spanning tree, disable STP on that VLAN. When you enable SSTP, all the ports that are in port-based VLANs with STP enabled become members of a single spanning tree domain. Thus, the ports share a single BPDU broadcast domain.
  • Page 404: Displaying Sstp Information

    PVST/PVST+ compatibility For the parameter definitions and possible values, refer to “Default STP port parameters” on page 321. NOTE Both commands listed above are entered at the global CONFIG level. Also, you can use the rstp single command to control the topology for VLANs. Refer to “Enabling or disabling RSTP on a single spanning tree”...
  • Page 405: Overview Of Pvst And Pvst

    PVST/PVST+ compatibility Overview of PVST and PVST+ Per VLAN Spanning Tree (PVST) is a Cisco proprietary protocol that allows a Cisco device to have multiple spanning trees. The Cisco device can interoperate with spanning trees on other PVST devices but cannot interoperate with IEEE 802.1Q devices. An IEEE 802.1Q device has all its ports running a single spanning tree.
  • Page 406: Enabling Pvst+ Support

    PVST/PVST+ compatibility If you want to use tagged frames on VLAN 1, you can change the default VLAN ID to an ID other than 1. You also can specify the VLAN on which you want the port to send and receive untagged frames (the native VLAN).
  • Page 407: Configuration Examples

    PVST/PVST+ compatibility This command displays the following information. TABLE 74 CLI Display of PVST+ Information This field... Displays... Port The Brocade port number. NOTE: The command lists information only for the ports on which PVST+ support is enabled. Method The method by which PVST+ support was enabled on the port. The method can be one of the following: •...
  • Page 408 PVST/PVST+ compatibility Port 1/1 will process BPDUs as follows: • Process IEEE 802.1Q BPDUs for VLAN 1. • Process tagged PVST BPDUs for VLANs 2, 3, and 4. • Drop untagged PVST BPDUs for VLAN 1. Untagged port using VLAN 2 as port native VLAN In Figure 33, a port’s Port Native VLAN is not VLAN 1.
  • Page 409: Superspan

    SuperSpan™ BigIron RX(config-if-e10000-1/1)# exit BigIron RX(config)# interface ethernet 1/2 BigIron RX(config-if-e10000-1/2)# pvst-mode BigIron RX(config-if-e10000-1/2)# exit In the configuration above, all PVST BPDUs associated with VLAN 1 would be discarded. Since IEEE BPDUs associated with VLAN 1 are untagged, they are discarded because the ports in VLAN 1 are tagged.
  • Page 410: Customer Id

    SuperSpan™ Figure 34 shows an example SuperSpan implementation. In this example, an SP's network is connected to multiple customers. Each customer network is running its own instance of standard STP. The Brocade devices in the SP are running SuperSpan. FIGURE 34 SuperSpan example
  • Page 411 SuperSpan™ For example, if the customer's STP ID is 1, the destination MAC address of the customer's BPDUs is changed to the following: 03-80-c2-00-01-00. Each Brocade device that is configured for SuperSpan forwards the BPDU using the changed destination MAC address. At the other end of the tunnel, the Brocade device connected to the customer's network changes the destination MAC address back to the bridge group address (01-80-c2-00-00-00).
  • Page 412 SuperSpan™ Mixing single STP and multiple spanning trees You can use SuperSpan in any of the following combinations: • Customer and SP networks both use multiple spanning trees (a separate spanning tree in each VLAN). • Customer uses multiple spanning trees but SP uses Single STP (all STP-enabled VLANs are in the same spanning tree).
  • Page 413 SuperSpan™ In the above example, STP in VLAN 10 will select R10 as the root bridge and make 1/1 on R10 forwarding while blocking port 3/1 on R20. The opposite occurs for STP in VLAN 20. As a result, both links connecting the customer and SP regions are fully utilized and serve as backup links at the same time, providing loop-free, non-blocking connectivity.
  • Page 414 SuperSpan™ Customer uses single STP but SP uses multiple spanning trees Figure 38 shows an example of SuperSpan where the customer network uses Single STP while the SP uses multiple spanning trees. FIGURE 38 Customer using single STP and SP using Multiple Spanning Trees
  • Page 415: Configuring Superspan

    SuperSpan™ Customer and SP use single STP Figure 39 shows an example of SuperSpan where the customer network and SP both use Single STP. FIGURE 39 Customer and SP using single STP
  • Page 416 SuperSpan™ These commands configure two interfaces on the Brocade device as SuperSpan boundary interfaces. Interface 1/1 is a boundary interface with customer 1. Interface 1/2 is a boundary interface with customer 2. Each boundary interface is associated with a number, which is the SuperSpan ID.
  • Page 417 SuperSpan™ Displaying SuperSpan information To display the boundary interface configuration and BPDU statistics, enter the following command. BigIron RX(config)# show super-span CID 1 Boundary Ports: Port C-BPDU C-BPDU T-BPDU T-BPDU Rxed Txed Rxed Txed Total 1 CID 2 Boundary Ports: Port C-BPDU C-BPDU...
  • Page 419: Configuring Rapid Spanning Tree Protocol

    Chapter Configuring Rapid Spanning Tree Protocol In this chapter • Overview of Rapid Spanning Tree Protocol ......347 •...
  • Page 420: Assignment Of Port Roles

    Overview of Rapid Spanning Tree Protocol RSTP algorithm uses this information to determine if the RST BPDU received by a port is superior to the RST BPDU that the port transmits. The two values are compared in the order as given above, starting with the Root bridge ID.
  • Page 421: Ports On Switch 1

    Overview of Rapid Spanning Tree Protocol The topology in Figure 40 contains four bridges. Switch 1 is the root bridge since it has the lowest bridge priority. Switch 2 through Switch 4 are non-root bridges. FIGURE 40 Simple RSTP topology
  • Page 422: Ports Switch 4

    Edge ports and edge port roles Ports Switch 4 Switch 4 is not directly connected to the root bridge. It has two ports with superior incoming RST BPDUs from two separate LANs: Port3 and Port4. The RST BPDUs received on Port3 are superior to the RST BPDUs received on port 4;...
  • Page 423: Point-To-Point Ports

    Point-to-point ports Point-to-point ports To take advantage of the RSTP features, ports on an RSTP topology should be explicitly configured as point-to-point links. Shared media should not be configured as point-to-point links. NOTE Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops.
  • Page 424: Edge Port And Non-Edge Port States

    Edge port and non-edge port states Edge port and non-edge port states As soon as a port is configured as an Edge port, it goes into a forwarding state instantly (in less than 100 msec). When the link to a port comes up and RSTP detects that the port is an Edge port, that port instantly goes into a forwarding state.
  • Page 425: Handshake Mechanisms

    State machines • Port Timers – This state machine is responsible for triggering any of the state machines described above, based on expiration of specific port timers. In contrast to the 802.1D standard, the RSTP standard does not have any bridge specific timers. All timers in the CLI are applied on a per-port basis, even though they are configured under bridge parameters.
  • Page 426 State machines • If the RST BPDU that the port receives is superior to what it can transmit, the port assumes the role of a Root port. (Refer to “Bridges and bridge port roles” on page 347.) • If the RST BPDU that the port receives is inferior to what it can transmit, then the port is given the role of Designated port.
  • Page 427 State machines • Sync – Once the Root port is elected, it sets a sync signal on all the ports on the bridge. The signal tells the ports to synchronize their roles and states (Figure 44). Ports that are non-edge ports with a role of Designated port change into a discarding state.
  • Page 428 State machines • Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced. The Root port monitors the synced signals from all the bridge ports. Once all bridge ports assert a synced signal, the Root port asserts its own synced signal (Figure 45).
  • Page 429 State machines • Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state. When the peer Designated port receives the RST BPDU, it rapidly transitions into a forwarding state. FIGURE 46 Agree stage
  • Page 430 State machines Handshake when a root port has been elected If a non-root bridge already has a Root port, RSTP uses a different type of handshake. For example, in Figure 47, a new root bridge is added to the topology. FIGURE 47 Addition of a new root bridge
  • Page 431 State machines • Proposing and Proposed – The Designated port on the new root bridge (Port4/Switch 60) sends an RST BPDU that contains a proposing signal to Port4/Switch 200 to inform the port that it is ready to put itself in a forwarding state (Figure 48).
  • Page 432 State machines • Sync and Reroot – The Root port then asserts a sync and a reroot signal on all the ports on the bridge. The signal tells the ports that a new Root port has been assigned and they are to renegotiate their new roles and states.
  • Page 433 State machines • Sync and Rerooted – When the ports on Switch 200 have completed the reroot phase, they assert their rerooted signals and continue to assert their sync signals as they continue in their discarding states. They also continue to negotiate their roles and states with their peer ports (Figure 50).
  • Page 434 State machines • Synced and Agree – When all the ports on the bridge assert their synced signals, the new Root port asserts its own synced signal and sends an RST BPDU to Port4/Switch 60 that contains an agreed flag (Figure 50).
  • Page 435: Convergence In A Simple Topology

    Convergence in a simple topology The Designated port on Switch 60 goes into a forwarding state once it receives the RST BPDU with the agreed flag. FIGURE 52 Handshake completed after election of new root port
  • Page 436: Convergence At Start Up

    Convergence in a simple topology NOTE The rapid convergence will not occur on ports connected to shared media devices, such as hubs. To take advantage of the rapid convergence provided by RSTP, make sure to explicitly configure all point-to-point links in a topology. Convergence at start up In Figure 53, two bridges, Switch 2 and Switch 3, are powered up.
  • Page 437 Convergence in a simple topology Next, Switch 1 is powered up (Figure 54). FIGURE 54 Simple Layer 2 topology
  • Page 438: Convergence After A Link Failure

    Convergence in a simple topology The Port2/Switch 2 bridge also sends an RST BPDU with an agreed flag to Port2/Switch 1, indicating that Port2 is the new Root port. Both ports go into forwarding states. Now, Port3/Switch 3 is currently in a discarding state and is negotiating a port role. It received RST BPDUs from Port3/Switch 2.
  • Page 439: Convergence At Link Restoration

    Convergence in a simple topology For example, Port2/Switch, which is the port that connects Switch 2 to the root bridge (Switch 1), fails. Both Switch 2 and Switch 1 notice the topology change (Figure 56). FIGURE 56 Link failure in the topology
  • Page 440 Convergence in a simple topology When Port2/Switch 2 receives the RST BPDUs, the RSTP algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port. All the ports on Switch 2 are informed that a new Root port has been assigned which then signals all the ports to synchronize their roles and states.
  • Page 441: Convergence In A Complex Rstp Topology

    Convergence in a complex RSTP topology Convergence in a complex RSTP topology The following is an example of a complex RSTP topology. FIGURE 57 Complex RSTP topology
  • Page 442 Convergence in a complex RSTP topology Next, Switch 2 sends RST BPDUs with a proposal flag to Port3/Switch 4. Port3 becomes the Root port for the bridge; all other ports are given a Designated port role with discarding states. Port3/Switch 4 sends an RST BPDU with an agreed flag to Switch 2 to confirm that it is the new Root port.
  • Page 443: Propagation Of Topology Change

    Convergence in a complex RSTP topology After convergence is complete, Figure 58 shows the active Layer 2 path of the topology in Figure FIGURE 58 Active Layer 2 path in complex topology
  • Page 444 Convergence in a complex RSTP topology For example, Port3/Switch 2 in Figure 59 fails. Port4/Switch 3 becomes the new Root port. Port4/Switch 3 sends an RST BPDU with a TCN to Port4/Switch 4. To propagate the topology change, Port4/Switch 4 then starts a TCN timer on itself, on the bridge’s Root port, and on other ports on that bridge with a Designated role.
  • Page 445 Convergence in a complex RSTP topology • Port2/Switch 2 sends the TCN to Port2/Switch 1 FIGURE 60 Sending TCN to bridges connected to Switch 2
  • Page 446: Compatibility Of Rstp With 802.1D

    Compatibility of RSTP with 802.1D Then FRY1, Switch 5, and Switch 6 send RST BPDUs that contain the TCN to Switch 3 and Switch 4 to complete the TCN propagation (Figure 61). FIGURE 61 Completing the TCN propagation
  • Page 447: Configuring Rstp Parameters

    Configuring RSTP parameters For example, in Figure 62, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format to allow them to operate transparently with Switch 20. FIGURE 62 RSTP bridges with an 802.1D bridge
  • Page 448: Enabling Or Disabling Rstp On A Single Spanning Tree

    Configuring RSTP parameters To enable RSTP for all ports in a port-based VLAN, enter commands such as the following. BigIron RX(config)# vlan 10 BigIron RX(config-vlan-10)# rstp Syntax: [no] rstp Enabling or disabling RSTP on a single spanning tree To globally enable RSTP for all ports of a single spanning tree, enter the following command. BigIron RX(config)# rstp single Syntax: [no] rstp single Disabling or enabling RSTP on a port...
  • Page 449: Changing Port Parameters

    Configuring RSTP parameters The max-age <value> parameter specifies the amount of time the device waits to receive a hello packet before it initiates a topology change. Possible values: 6 – 40 seconds. The default is 20 seconds. The value of max-age must be greater than the value of forward-delay to ensure that the downstream bridges do not age out faster than the upstream bridges (those bridges that are closer to the root bridge).
  • Page 450: Fast Port Span

    Configuring RSTP parameters TABLE 76 Recommended path cost values of RSTP (Continued) Link speed Recommended (default) RSTP path Recommended RSTP path cost range cost values 1 Gigabit per second 20,000 2,000 – 200,000,000 10 Gigabits per second 2,000 200 – 20,000 100 Gigabits per second 20 –...
  • Page 451 Configuring RSTP parameters forwarding loops, they can safely go through the STP state changes (blocking to listening to learning to forwarding) more quickly than is allowed by the standard STP convergence time. Fast Port Span performs the convergence on these ports in four seconds (two seconds for listening and two seconds for learning).
  • Page 452 Configuring RSTP parameters NOTE The fast port-span command has additional parameters that let you exclude specific ports. These parameters are shown in the following section. To re-enable Fast Port Span, enter the following commands. BigIron RX(config)# fast port-span BigIron RX(config)# write memory Excluding specific ports from fast port span You can exclude individual ports from Fast Port Span while leaving Fast Port Span enabled globally.
  • Page 453: Fast Uplink Span

    Configuring RSTP parameters Fast uplink span The Fast Port Span feature described in the previous section enhances STP performance for end stations. The Fast Uplink feature enhances STP performance for wiring closet switches with redundant uplinks. Using the default value for the standard STP forward delay, convergence following a transition from an active link to a redundant link can take 30 seconds (15 seconds for listening and an additional 15 seconds for learning).
  • Page 454 Configuring RSTP parameters • When the original working trunk group comes back (partially or fully), the transition back to the original topology is accelerated if the conditions listed above are met. Configuring a fast uplink port group To enable Fast Uplink, use the following method. Using the CLI To configure a group of ports for Fast Uplink Span, enter the following commands.
  • Page 455: Displaying Rstp Information

    Displaying RSTP information Displaying RSTP information You can display a summary or details of the RSTP information. To display a summary of RSTP, use the following command. BigIron RX(config)#show rstp vlan 10 VLAN 10 - RSTP instance 0 -------------------------------------------------------------------- RSTP (IEEE 802.1w) Bridge Parameters: Bridge Bridge Bridge Bridge Force Identifier...
  • Page 456 Displaying RSTP information TABLE 77 CLI display of RSTP summary (Continued) This field... Displays... Root bridge parameters: Root Bridge Identifier ID of the Root bridge that is associated with this bridge Root Path Cost The cost to reach the root bridge from this bridge. If the bridge is the root bridge, then this parameter shows a value of zero.
  • Page 457 Displaying RSTP information TABLE 77 CLI display of RSTP summary (Continued) This field... Displays... Edge port Indicates if the port is configured as an operational Edge port: • T – The port is configured as an Edge port. • F – The port is not configured as an Edge port. This is the default. Role The current role of the port: •...
  • Page 458 Displaying RSTP information TABLE 78 The show rstp detail command output (Continued) This field... Displays... forceVersion The configured version of the bridge: • 0 – The bridge has been forced to operate in an STP compatible mode. • 2 – The bridge has been forced to operate in an RSTP mode. MigrateTime The number of seconds the bridge took to migrate from STP to RSTP mode.
  • Page 459: Metro Ring Protocol (Mrp) Phase 1 And 2

    Chapter Metro Ring Protocol (MRP) Phase 1 and 2 In this chapter • Metro Ring Protocol (MRP) phase 1 ....... 387 •...
  • Page 460 Metro Ring Protocol (MRP) phase 1 Figure 63 shows an MRP metro ring. FIGURE 63 Metro ring – normal state Customer A Member Node Switch B Master Member Switch A Switch C Node Node Customer A Customer A This interface blocks Layer 2 traffic to prevent a loop Switch D...
  • Page 461: Mrp Rings Without Shared Interfaces

    MRP rings without shared interfaces MRP rings without shared interfaces MRP Phase 1 allows you to configure multiple MRP rings, as shown in Figure 64, but the rings cannot share the same link. For example, you cannot configure ring 1 and ring 2 to each have interfaces 1/1 and 1/2.
  • Page 462: Ring Initialization

    Ring initialization Ring initialization The ring shown in Figure 63 shows the port states in a fully initialized ring without any broken links. Figure 65 shows the initial state of the ring, when MRP is first enabled on the ring’s switches. All ring interfaces on the master node and member nodes begin in the Preforwarding state (PF).
  • Page 463 Ring initialization • Forwarding (F) – The interface can forward data as well as RHPs. An interface changes from Preforwarding to Forwarding when the port’s preforwarding time expires. This occurs if the port does not receive an RHP from the Master, or if the forwarding bit in the RHPs received by the port is off.
  • Page 464 Ring initialization Figure 66 shows an example. FIGURE 66 Metro ring – from Preforwarding to Forwarding RHP 2 Customer A Forwarding bit is on. Each port changes from Preforwarding to Forwarding when it receives this RHP. Switch B Secondary port receives RHP 1 Master Switch A...
  • Page 465: How Ring Breaks Are Detected And Healed

    How ring breaks are detected and healed How ring breaks are detected and healed Figure 67 shows the ring forwarding state following a link break. MRP quickly heals the ring and preserves connectivity among the customer networks. FIGURE 67 Metro ring – ring break Customer A Switch B Master...
  • Page 466: Master Vlans And Customer Vlans In A Topology Group

    Master VLANs and customer VLANs in a topology group • If an RHP reaches the Master node’s secondary interface, the ring is intact. The secondary interface changes to Blocking. The Master node sets the forwarding bit on in the next RHP. When the restored interfaces receive this RHP, they immediately change state to Forwarding.
  • Page 467: Configuring Mrp

    Configuring MRP You can configure MRP separately on each customer VLAN. However, this is impractical if you have many customers. To simplify configuration when you have a lot of customers (and therefore a lot of VLANs), you can use a topology group. A topology group enables you to control forwarding in multiple VLANs using a single instance of a Layer 2 protocol such as MRP.
  • Page 468: Adding An Mrp Ring To A Vlan

    Configuring MRP NOTE When MRP and UDLD are running together, Brocade recommends keeping the MRP preforwarding interval slightly higher than the default (300ms), at 400 or 500ms, to prevent the possibility of a temporary loop of a few milliseconds. Adding an MRP ring to a VLAN NOTE If you plan to use a topology group to add VLANs to the ring, make sure you configure MRP on the topology group’s master VLAN.
  • Page 469: Changing The Hello And Preforwarding Times

    MRP phase 2 NOTE To take advantage of every interface in a Metro network, you can configure another MRP ring and either configure a different Master node for the ring or reverse the configuration of the primary and secondary interfaces on the Master node. Configuring multiple rings enables you to use all the ports in the ring.
  • Page 470 MRP phase 2 One node is configured as the master node of the MRP ring. One of the two interfaces on the master node is configured as the primary interface; the other is the secondary interface. The primary interface originates Ring Health Packets (RHPs), which are used to monitor the health of the ring.
  • Page 471: Ring Initialization For Shared Interfaces

    Ring initialization for shared interfaces With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN. Figure 69 shows examples of multiple MRP rings that share the same interface. FIGURE 70 Examples of multiple rings sharing the same interface - MRP phase 2 Example 1...
  • Page 472: How Ring Breaks Are Detected And Healed Between Shared Interfaces

    Ring initialization for shared interfaces For example, in Figure 71, the ID of all interfaces on all nodes on Ring 1 is 1 and all interfaces on all nodes on Ring 2 is 2. Port 1/1 on node S1 and Port 2/2 on S2 have the IDs of 1 and 2 since the interfaces are shared by Rings 1 and 2.
  • Page 473: Rhp Processing In Rings With Shared Interfaces

    Ring initialization for shared interfaces RHP processing in rings with shared interfaces Interfaces on an MRP ring have one of the following states: • Preforwarding (PF) – All ring interfaces are in this state when you enable MRP. • Forwarding (F) – An interface changes from Preforwarding to Forwarding when the port’s preforwarding time expires.
  • Page 474: Flow When A Link Breaks

    Ring initialization for shared interfaces Port 2/1 on Ring 1’s master node is the primary interface of the master node. The primary interface forwards an RHP packet on the ring. Since all the interfaces on Ring 1 are regular ports, the RHP packet is forwarded to all the interfaces until it reaches Port 2/2, the secondary interface of the master node.
  • Page 475: Configuring Mrp With Shared Interfaces

    Ring initialization for shared interfaces The packet then continues around Ring 1, through the interfaces on S1 to Ring 2 until it reaches Ring 2’s master node. Port 3/2, the secondary interface on Ring 2 changes to blocking mode since it received its own packet, then blocks the packet to prevent a loop.
  • Page 476: Using Mrp Diagnostics

    Using MRP diagnostics The <string> parameter specifies a name for the ring. The name is optional, but it can be up to 20 characters long and can include blank spaces. If you use a name that has blank spaces, enclose the name in double quotation marks (for example: “Customer A”). Syntax: [no] ring-interface ethernet The ethernet <primary-if>...
  • Page 477: Displaying Mrp Information

    Displaying MRP information This display shows the following information. TABLE 79 CLI display of MRP ring diagnostic information This field... Displays... Ring id The ring ID. Diag state The state of ring diagnostics. RHP average time The average round-trip time for an RHP packet on the ring. The calculated time has a granularity of 1 microsecond.
  • Page 478: Displaying Ring Information

    Displaying MRP information Displaying ring information To display ring information, enter the following command. BigIron RX(config)# show metro Metro Ring 2 ============= Ring State Ring Master Topo Hello Prefwing role vlan group time(ms) time(ms) enabled member not conf Ring interfaces Interface role Forwarding state Active interface...
  • Page 479: Mrp Cli Example

    MRP CLI example TABLE 80 CLI display of MRP ring information (Continued) This field... Displays... Prefwing time The number of milliseconds an MRP interface that has entered the Preforwarding state will wait before changing to the Forwarding state. If a member port in the Preforwarding state does not receive an RHP within the Preforwarding time (Prefwing time), the port assumes that a topology change has occurred and changes to the Forwarding state.
  • Page 480: Commands On Switch A (Master Node)

    MRP CLI example Commands on switch A (master node) The following commands configure a VLAN for the ring. The ring VLAN must contain both of the node’s interfaces with the ring. Add these interfaces as tagged interfaces, since the interfaces also must be in each of the customer VLANs configured on the node.
  • Page 481: Commands On Switch C

    MRP CLI example BigIron RX(config)# topology-group 1 BigIron RX(config-topo-group-1)# master-vlan 2 BigIron RX(config-topo-group-1)# member-vlan 30 BigIron RX(config-topo-group-1)# member-vlan 40 Commands on switch C BigIron RX(config)# vlan 2 BigIron RX(config-vlan-2)# tag ethernet 1/1 to 1/2 BigIron RX(config-vlan-2)# metro-ring 1 BigIron RX(config-vlan-2-mrp-1)# name “Metro A” BigIron RX(config-vlan-2-mrp-1)# ring-interface ethernet 1/1 ethernet 1/2 BigIron RX(config-vlan-2-mrp-1)# enable BigIron RX(config-vlan-2)# exit...
  • Page 482 MRP CLI example BigIron RX Series Configuration Guide 53-1001810-01...
  • Page 483: Overview Of Virtual Switch Redundancy Protocol (Vsrp)

    Chapter Virtual Switch Redundancy Protocol (VSRP) In this chapter • Overview of Virtual Switch Redundancy Protocol (VSRP) ....411 • Configuring basic VSRP parameters ......418 •...
  • Page 484 Overview of Virtual Switch Redundancy Protocol (VSRP) Figure 74 shows a VSRP configuration. FIGURE 74 VSRP mesh – redundant paths for Layer 2 and Layer 3 traffic VSRP VSRP Master Backup optional link VSRP VSRP VSRP Aware Aware Aware Hello packets In this example, two devices are configured as redundant paths for VRID 1.
  • Page 485: Layer 2 And Layer 3 Redundancy

    Overview of Virtual Switch Redundancy Protocol (VSRP) Layer 2 and Layer 3 redundancy You can configure VSRP to provide redundancy for Layer 2 only or both for Layer 2 and Layer 3: • Layer 2 only – The Layer 2 links are backed up but specific IP addresses are not backed up. •...
  • Page 486 Overview of Virtual Switch Redundancy Protocol (VSRP) VSRP priority calculation Each VSRP device has a VSRP priority for each VRID and its VLAN. The VRID is used during Master election for the VRID. By default, a device’s VSRP priority is the value configured on the device (which is 100 by default).
  • Page 487 Overview of Virtual Switch Redundancy Protocol (VSRP) However, if one of the VRID’s ports goes down on one of the Backups, that Backup’s priority is reduced. If the Master’s priority is reduced enough to make the priority lower than a Backup’s priority, the VRID fails over to the Backup.
  • Page 488 Overview of Virtual Switch Redundancy Protocol (VSRP) You can reduce the sensitivity of a VSRP device to failover by increasing its configured VSRP priority. For example, you can increase the configured priority of the VSRP device on the left in Figure 76 to 150.
  • Page 489 Overview of Virtual Switch Redundancy Protocol (VSRP) When you configure a track port, you assign a priority value to the port. If the port goes down, VSRP subtracts the track port’s priority value from the configured VSRP priority. For example, if you configure a track port with priority 20 and the configured VSRP priority is 100, the software subtracts 20 from 100 if the track port goes down, resulting in a VSRP priority of 80.
  • Page 490: Configuring Basic Vsrp Parameters

    Configuring basic VSRP parameters MAC address failover on VSRP-aware devices VSRP-aware devices maintain a record of each VRID and its VLAN. When the device has received a Hello message for a VRID in a given VLAN, the device creates a record for that VRID and VLAN and includes the port number in the record.
  • Page 491: Enabling Layer 3 Vsrp

    Enabling Layer 3 VSRP Syntax: [no] backup [priority <value>] [track-priority <value>] The backup command is required. In VSRP, all devices on which a VRID is configured are Backups. The Master is then elected based on the VSRP priority of each device. There is no “owner”...
  • Page 492: Configuring A Vrid Ip Address

    Configuring optional VSRP parameters • Simple – The interfaces use a simple text-string as a password in packets sent on the interface. If the interfaces use simple password authentication, the VRID configured on the interfaces must use the same authentication type and the same password. To configure a simple password, enter a command such as the following at the interface configuration level.
  • Page 493: Vsrp Fast Start

    Configuring optional VSRP parameters NOTE The VRID IP address must be in the same subnet as a real IP address configured on the VSRP interface, but cannot be the same as a real IP address configured on the interface. Also, an IP address cannot be configured for a virtual routing interface.
  • Page 494: Changing The Backup Priority

    Configuring optional VSRP parameters Displaying ports that have the VSRP fast start feature enabled The show vsrp vrid command shows the ports on which the VSRP fast start feature is enabled. BigIron RX(config-vlan-10-vsrp-1)#sh vsrp VLAN 10 Auth-type no authentication VRID 1 ======== State Administrative-status Advertise-backup Preempt-mode...
  • Page 495: Vsrp Slow Start

    Configuring optional VSRP parameters • Dead interval • Backup Hello interval • Hold-down interval Each Backup saves the configured timer values to its startup configuration file when you save the device’s configuration. NOTE The Backups always use the value of the timer scale received from the Master, regardless of whether the timer values that are saved in the configuration are the values configured on the Backup or the values received from the Master.
  • Page 496: Changing The Hello Interval

    Configuring optional VSRP parameters The <num> parameter specifies the TTL and can be from 1 – 255. The default TTL is 2. Changing the hello interval The Master periodically sends Hello messages to the Backups. To change the Hello interval, enter a command such as the following at the configuration level for the VRID.
  • Page 497: Changing The Hold-Down Interval

    Configuring optional VSRP parameters To change the Backup Hello interval, enter a command such as the following at the configuration level for the VRID. BigIron RX(config-vlan-200-vrid-1)# backup-hello-interval 180 Syntax: [no] backup-hello-interval <units> The <units> parameter specifies the message interval and can be from 60 – 3600 units (1 unit = 100 milliseconds).
  • Page 498: Specifying A Track Port

    Configuring optional VSRP parameters Specifying a track port You can configure the VRID on one interface to track the link state of another interface on the device. This capability is useful for tracking the state of the exit interface for the path for which the VRID is providing redundancy.
  • Page 499: Clearing Vsrp Information

    Clearing VSRP information NOTE All trunk ports must have the same delayed-link-down-event configuration. The following command will delay the sending of port "down" event for 100ms when a port state is detected "down". If the port state is detected "up" afterwards within 100ms, the delayed "down" event is cancelled;...
  • Page 500 VSRP and MRP signaling If a VSRP failover from master to backup occurs, VSRP needs to inform MRP of the topology change; otherwise, data from the host continues along the obsolete learned path and never reaches the VSRP-linked device, as shown in Figure FIGURE 81 VSRP on MRP rings that failed over...
  • Page 501: Displaying Vsrp Information

    Displaying VSRP information There are no CLI commands used to configure this process. Displaying VSRP information You can display the following VSRP information: • Configuration information and current parameter values for a VRID or VLAN • The interfaces on a VSRP-aware device that are active for the VRID Displaying VRID information To display detailed VSRP information, enter the show vsrp vrid or show vsrp vlan command.
  • Page 502 Displaying VSRP information TABLE 81 CLI display of VSRP VRID or VLAN information (Continued) This field... Displays... state This device’s VSRP state for the VRID. The state can be one of the following: • initialize – VSRP is not enabled on the VRID. If the state remains “initialize”...
  • Page 503: Displaying A Summary Of Vsrp Information

    Displaying VSRP information TABLE 81 CLI display of VSRP VRID or VLAN information (Continued) This field... Displays... dead-interval The configured value for the dead interval. The dead interval is the number of units a Backup waits for a Hello message from the Master for the VRID before determining that the Master is no longer active (1 unit = 100 milliseconds).
  • Page 504: Displaying Vsrp Packet Statistics For Vsrp

    Displaying VSRP information P Initia xxxx.1414.1404 20.20.20.4 20.20.20.100 P Initia xxxx.1e1e.1e01 30.30.30.1 30.30.30.100 Syntax: show vsrp brief This field... Displays... VLAN The VLAN on which VSRP is configured. VRID The VRID for which the following information is displayed. ConfPri The configured priority for the device’s preferability for becoming the Master for the VRID.
  • Page 505: Displaying The Active Interfaces For A Vrid

    Displaying VSRP information Displaying the active interfaces for a VRID On a VSRP-aware device, you can display VLAN and port information for the connections to the VSRP devices (Master and Backups) using the show vsrp aware command. The command shows the active interfaces for the VRID.
  • Page 506 Displaying VSRP information BigIron RX Series Configuration Guide 53-1001810-01...
  • Page 507: Topology Overview

    Chapter Topology Groups In this chapter • Topology overview ..........435 •...
  • Page 508: Master Vlans And Customer Vlans In Mrp

    Master VLANs and customer VLANs in MRP • Member VLANs – The member VLANs are additional VLANs that share ports with the master VLAN. The Layer 2 protocol settings for the ports in the master VLAN apply to the same ports in the member VLANs.
  • Page 509: Configuring A Topology Group

    Configuring a topology group • If you add a new master VLAN to a topology group that already has a master VLAN, the new master VLAN replaces the older master VLAN. All member VLANs and VLAN groups follow the Layer 2 protocol settings of the new master VLAN. •...
  • Page 510: Displaying Topology Group Information

    Displaying topology group information Displaying topology group information The following sections show how to display topology group information for VLANS. Displaying topology group information To display topology group information, enter the following command. BigIron RX(config)# show topology-group Topology Group 1 ================== Master VLAN Member VLAN...
  • Page 511: Overview Of Vrrp

    Chapter Configuring VRRP and VRRPE In this chapter • Overview of VRRP ..........439 •...
  • Page 512: Standard Vrrp

    Overview of VRRP Standard VRRP VRRP is an election protocol that provides redundancy to routers within a LAN. VRRP allows you to provide alternate router paths for a host without changing the IP address or MAC address by which the host knows its gateway. Consider the situation shown in Figure FIGURE 83 Router1 is Host1’s default gateway but is a single point of failure...
  • Page 513 Overview of VRRP If Router1 fails, you could configure Host1 to use Router2. Configuring one host with a different default gateway might not require too much extra administration. However, consider a more realistic network with dozens or even hundreds of hosts per subnet; reconfiguring the default gateways for all the hosts is impractical.
  • Page 514: Brocade Enhancements Of Vrrp

    Overview of VRRP Master router election Virtual routers use the VRRP priority values associated with each VRRP router to determine which router becomes the Master. When you configure an Owner router, the device automatically sets its VRRP priority to 255, the highest VRRP priority. The router in the virtual router with the highest priority becomes the Master.
  • Page 515 Overview of VRRP Suppose interface e2/4 goes down. Even if interface e1/6 is still up, Host1 is cut off from other networks. In conventional VRRP, Router1 would continue to be the Master router despite the unavailability of the exit interface for the path the router is supporting. However, if you configure interface e1/6 to track the state of interface e2/4, if e2/4 goes down, interface e1/6 responds by changing Router1’s VRRP priority to the value of the track priority.
  • Page 516: Overview Of Vrrpe

    Overview of VRRPE VRRP alongside RIP, OSPF, and BGP4 VRRP operation is independent of the RIP, OSPF, and BGP4 protocols. Their operation is unaffected when VRRP is enabled on a RIP, OSPF, or BGP4 interface. Overview of VRRPE VRRPE is Brocade’s proprietary version of VRRP that overcomes limitations in the standard protocol.
  • Page 517 Overview of VRRPE • Track ports and track priority: • VRRP changes the priority of the VRID to the track priority, which typically is lower than the VRID priority and lower than the VRID’s priorities configured on the Backups. For example, if the VRRP interface’s priority is 100 and a tracked interface with track priority 20 goes down, the software changes the VRRP interface’s priority to 20.
  • Page 518: Vrrp And Vrrpe Parameters

    VRRP and VRRPE parameters Router1 is the master for VRID 1 (backup priority = 110) and Router2 is the backup for VRID 1 (backup priority = 100). Router1 and Router2 both track the uplinks to the Internet. If an uplink failure occurs on Router1, its backup priority is decremented by 20 (track priority = 20), so that all traffic destined to the Internet is sent through Router2 instead.
  • Page 519 VRRP and VRRPE parameters TABLE 84 VRRP and VRRPE parameters (Continued) Parameter Description Default See page... Authentication type The type of authentication the VRRP or VRRPE routers use to No authentication page 443 validate VRRP or VRRPE packets. The authentication type must page 451 match the authentication type the VRID’s port uses with other routing protocols such as OSPF.
  • Page 520: Configuring Parameters Specific To Vrrp

    Configuring parameters specific to VRRP TABLE 84 VRRP and VRRPE parameters (Continued) Parameter Description Default See page... Track port Another device port or virtual interface whose link status is None page 442 tracked by the VRID’s interface. page 453 If the link for a tracked interface goes down, the VRRP or VRRPE priority of the VRID interface is changed, causing the devices to renegotiate for Master.
  • Page 521: Configuring Basic Vrrp Parameters

    Configuring parameters specific to VRRP Configuring basic VRRP parameters To implement a simple VRRP configuration using all the default values, enter commands such as the following. Configuring the owner Router1(config)# router vrrp Router1(config)# inter e 1/6 Router1(config-if-1/6)# ip address 192.53.5.1 Router1(config-if-1/6)# ip vrrp vrid 1 Router1(config-if-1/6-vrid-1)# owner Router1(config-if-1/6-vrid-1)# ip-address 192.53.5.1...
  • Page 522: Configuring Parameters Specific To Vrrpe

    Configuring parameters specific to VRRPE • The Dead interval must be set to the same value on both the Owner and Backups for the virtual router. • The track priority on a router must be lower than the router’s VRRP priority. Also, the track priority on the Owner must be higher than the track priority on the Backups.
  • Page 523: Configuring Additional Vrrp And Vrrpe Parameters

    Configuring additional VRRP and VRRPE parameters Configuring additional VRRP and VRRPE parameters You can modify the following VRRP and VRRPE parameters on each individual virtual router. These parameters apply to both protocols: • Authentication type (if the interfaces on which you configure the virtual router use authentication) •...
  • Page 524: Up Interface

    Configuring additional VRRP and VRRPE parameters The auth-type simple-text-auth <auth-data> parameter indicates that the virtual router and the interface it is configured on use a simple text password for authentication. The <auth-data> parameter is the password. If you use this parameter, make sure all interfaces on all the routers supporting this virtual router are configured for simple password authentication and use the same password.
  • Page 525: Dead Interval

    Configuring additional VRRP and VRRPE parameters Dead interval The Dead interval is the number of seconds a Backup waits for a Hello message from the Master before determining that the Master is dead. When Backups determine that the Master is dead, the Backup with the highest priority becomes the new Master.
  • Page 526: Track Priority

    Configuring additional VRRP and VRRPE parameters To configure 1/6 on Router1 to track interface 2/4, enter the following commands. Router1(config)# inter e 1/6 Router1(config-if-e10000-1/6)# ip vrrp vrid 1 Router1(config-if-e10000-1/6-vrid-1)# track-port e 2/4 Syntax: track-port ethernet <slot>/<portnum> ve <num> The syntax is the same for VRRP and VRRPE. Track priority If you configure a virtual router to track the link state of interfaces and one of the tracked interfaces goes down, the software changes the VRRP or VRRPE priority of the virtual router:...
  • Page 527: Master Router Abdication And Reinstatement

    Configuring additional VRRP and VRRPE parameters NOTE In VRRP, regardless of the setting for the preempt parameter, the Owner always returns to be the Master when it comes back online. To disable preemption on a Backup, enter commands such as the following. Router1(config)# inter e 1/6 Router1(config-if-e10000-1/6)# ip vrrp vrid 1 Router1(config-if-e10000-1/6-vrid-1)# non-preempt-mode...
  • Page 528: Displaying Vrrp And Vrrpe Information

    Displaying VRRP and VRRPE information Displaying VRRP and VRRPE information You can display the following information for VRRP or VRRPE: • Summary configuration and status information • Detailed configuration and status information • VRRP and VRRPE Statistics Displaying summary information To display summary information for a device, enter the following command at any level of the CLI.
  • Page 529: Displaying Detailed Information

    Displaying VRRP and VRRPE information TABLE 85 CLI display of VRRP or VRRPE summary information (Continued) This field... Displays... CurPri The current VRRP or VRRPE priority of this device for the virtual router. Whether the backup preempt mode is enabled. If the backup preempt mode is enabled, this field contains a “P”.
  • Page 530 Displaying VRRP and VRRPE information Syntax: show ip vrrp [brief | ethernet <slot>/<portnum> | ve <num> | stat] Syntax: show ip vrrp-extended [brief | ethernet <slot>/<portnum> | ve <num> | stat] The brief parameter displays summary information. Refer to “Displaying summary information” page 456.
  • Page 531 Displaying VRRP and VRRPE information TABLE 86 CLI display of VRRP or VRRPE detailed information (Continued) This field... Displays... mode Indicates whether the device is the Owner or a Backup for the virtual router. NOTE: If “incomplete” appears after the mode, configuration for this virtual router is incomplete.
  • Page 532: Displaying Statistics

    Displaying VRRP and VRRPE information TABLE 86 CLI display of VRRP or VRRPE detailed information (Continued) This field... Displays... preempt-mode Whether the backup preempt mode is enabled. NOTE: This field does not apply to VRRP Owners. virtual ip address The virtual IP addresses that this virtual router is backing up. backup router <ip-addr>...
  • Page 533: Clearing Vrrp Or Vrrpe Statistics

    Configuration examples . received packets with invalid type = 0 . received packets with invalid authentication type = 0 . received packets with authentication type mismatch = 0 . received packets with authentication failures = 0 . received packets dropped by owner = 0 .
  • Page 534: Vrrp Example

    Configuration examples VRRP example To implement the VRRP configuration shown in Figure 84 on page 441, enter the following commands. Configuring Router1 To configure VRRP Router1, enter the following commands. Router1(config)# router vrrp Router1(config)# inter e 1/6 Router1(config-if-e10000-1/6)# ip address 192.53.5.1 Router1(config-if-e10000-1/6)# ip vrrp vrid 1 Router1(config-if-e10000-1/6-vrid-1)# owner track-priority 20 Router1(config-if-e10000-1/6-vrid-1)# track-port ethernet 2/4...
  • Page 535: Vrrpe Example

    Configuration examples The activate command activates the virtual router configuration on this interface. The interface does not provide backup service for the virtual IP address until you activate the VRRP configuration. Syntax: router vrrp Syntax: ip vrrp vrid <vrid> Syntax: owner [track-priority <value>] Syntax: backup [priority <value>] [track-priority <value>] Syntax: track-port ethernet <slot>/<portnum>...
  • Page 536 Configuration examples Router1(config-if-e10000-5/1-vrid-1)# track-port ethernet 3/2 Router1(config-if-e10000-5/1-vrid-1)# ip-address 192.53.5.254 Router1(config-if-e10000-5/1-vrid-1)# activate Router1(config-if-e10000-5/1-vrid-1)# exit Router1(config)# interface ethernet 5/1 Router1(config-if-e10000-5/1)# ip vrrp-extended vrid 2 Router1(config-if-e10000-5/1-vrid-1)# backup priority 110 track-priority 20 Router1(config-if-e10000-5/1-vrid-1)# track-port ethernet 2/4 Router1(config-if-e10000-5/1-vrid-1)# ip-address 192.53.5.253 Router1(config-if-e10000-5/1-vrid-1)# activate The backup command specifies that this router is a VRRPE Backup for virtual router VRID1. The IP address entered with the ip-address command is the same IP address as the one entered when configuring Router1.
  • Page 537: Overview Of Quality Of Service (Qos)

    Chapter Configuring Quality of Service In this chapter • Overview of Quality of Service (QoS) ......465 •...
  • Page 538: Processing Of Classified Traffic

    Classification • Packet Source MAC address – A priority can be set for a specified MAC address by assigning a static MAC entry to a specific priority in the VLAN configuration. Note: This priority affects packets sourced by this MAC address and not packets destined for this MAC address. •...
  • Page 539 Classification Table 87 through Table 90 show the default QoS mappings on the device, which are used if the trust level for CoS or DSCP is enabled. TABLE 87 Default QoS mappings, columns 0 to 15 DSCP value 802.1p (COS) Value DSCP value Internal...
  • Page 540: Marking

    Marking The mapping between the internal forwarding priority and values received and forwarded can be changed as follows: • COS to DSCP Mapping – You can change the mapping between 802.1p (COS) values from the default values shown in Table 87 through Table 90.
  • Page 541: Configuring Port, Mac, And Vlan-Based Classification

    Marking Configuring port, MAC, and VLAN-based classification Assigning QoS priorities to traffic By default, traffic is forwarded using the best-effort queue (qosp0). However, traffic can be classified into different priorities, based on the following: • Incoming port (sometimes called the ingress port) •...
  • Page 542: Configuring Tos-Based Qos

    Configuring ToS-based QoS The <num> parameter can be from 0 – 7 and specifies the priority level equivalent to one of the four QoS queues. Assigning static MAC address entries to priority queues By default, all MAC address entries are in the best effort queue. When you configure a static MAC entry, you can assign the entry to a higher QoS level using the following method.
  • Page 543: Enabling Marking

    Configuring the QoS mappings The cos | dscp parameter specifies the trust level: • cos – The device uses the 802.1p (CoS) priority value in the packet’s Ethernet frame header to determine the packet’s internal forwarding priority. This is the default state and is in effect even Qos-ToS is enabled on a port.
  • Page 544: Changing The Dscp –> Dscp Mappings

    Configuring the QoS mappings This command configures the mappings displayed in the COS-DSCP map portion of the QoS information display. BigIron RX(config-if-e10000-1/1)# show qos-tos ...portions of table omitted for simplicity... COS-DSCP map: COS: --------------------------------------------------------- dscp: 0 33 25 Syntax: [no] qos-tos cos-dscp <dscp0> <dscp1> <dscp2> <dscp3> <dscp4> <dscp5> <dscp6> <dscp7>...
  • Page 545 Configuring the QoS mappings ...portions of table omitted for simplicity... DSCP-Priority map: (dscp = d1d2) -----+---------------------------------------- For information about the rest of this display, refer to “Displaying QoS configuration information” page 474. Syntax: [no] qos-tos map dscp-priority <dscp-value> [<dscp-value>...] to <priority> The <dscp-value>...
  • Page 546: Displaying Qos Configuration Information

    Displaying QoS configuration information The <prio0> through <prio7> parameters specify the COS values you are mapping the eight internal priorities to. You must enter CoS values for all eight internal priorities, in order from priority 0 – 7. Displaying QoS configuration information To display configuration information, enter the following command at any level of the CLI.
  • Page 547: Determining Packet Drop Priority Using Wred

    Determining packet drop priority using WRED This command shows the following information. TABLE 91 ToS-based QoS configuration information This field... Displays... Interface QoS, marking and trust level information The interface The state of ToS-based QoS on the interface. The state can be one of the following: •...
  • Page 548: How Wred Operates

    Determining packet drop priority using WRED • Min-Average-Q-Size – The average queue size below which all packets are accepted. This variable is user configured. • Max-Average-Q-Size – The average queue size above which all packets are dropped. This variable is user configured. •...
  • Page 549: Calculating Packets That Are Dropped

    Configuring packet drop priority using WRED Lower Wq values cause the avg-q-size to lean towards the statistical average queue size, reducing WRED's sensitivity to the current state of the queue and thus reducing WRED's effectiveness. On the other hand, higher Wq values cause the avg-q-size to lean towards the instantaneous queue size, which exposes WRED to any change in the instantaneous queue size and thus may cause WRED to overreact in cases of bursts.
  • Page 550: Setting The Averaging-Weight (Wq) Parameter

    Configuring packet drop priority using WRED The <queue-number> variable is the number of the forwarding queue that you want to enable WRED for. There are four forwarding queues on device. They are numbered 0 to 3 with zero as the lowest priority queue and three the highest.
  • Page 551 Configuring packet drop priority using WRED In addition, the maximum drop probability, the minimum and maximum average queue size, and the maximum packet size can be configured to apply selectively to packets with a specified queue type and DSCP/TOS value. The following sections describe how to set the following drop precedence parameters for each of the four DSCP/TOS values for each of the four queue types: •...
  • Page 552 Configuring packet drop priority using WRED Syntax: [no] qos queue-type <queue-type> wred drop-precedence <drop-precedence-value> max-avg-queue-size <max-size> To set the minimum average queue size to the maximum size of 16 Kbytes, use the following command. BigIron RX(config)#qos queue-type 1 wred drop-precedence 0 min-avg-queue-size 16 Syntax: [no] qos queue-type <queue-type>...
  • Page 553: Displaying The Wred Configuration

    Configuring packet drop priority using WRED Syntax: [no] qos queue-type <queue-number> default-params The <queue-number> variable is the number of the forwarding queue that you want to configure drop-precedence for. There are four forwarding queues on device Routers. They are numbered 0 to TABLE 93 WRED default settings Queue...
  • Page 554: Scheduling Traffic For Forwarding

    Scheduling traffic for forwarding Scheduling traffic for forwarding If the traffic being processed by a device is within the capacity of the switch, all traffic is forwarded as received. Once we reach the point where the switch is bandwidth constrained, it becomes subject to drop priority if configured as described in “Determining packet drop priority using WRED”...
  • Page 555 Scheduling traffic for forwarding Configuring strict priority-based traffic scheduling To configure strict priority-based scheduling use a command such as the following. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos scheduler strict Syntax: qos scheduler strict Configuring enhanced strict priority-based traffic scheduling To configure enhanced strict priority-based scheduling use a command such as the following.
  • Page 556 Scheduling traffic for forwarding To determine the weight of q3. Weight of q3 = ----------------------------------------- 5 + 10 + 15 + 20 The weight of q3 is 40%. Consequently, q3 will get 40% of the port’s total bandwidth. The values of the remaining queues are calculated to be the following. q2 = 30%, q1 = 20%, and q0 = 10% Configuring WFQ destination-based traffic scheduling To configure WFQ destination-based scheduling use a command such as the following.
  • Page 557 Scheduling traffic for forwarding Refer to “Calculating the values for WFQ source and destination-based traffic scheduling” information on assigning queue0-weight to queue3-weight values. Configuring maximum rate-based traffic scheduling To configure maximum rate-based scheduling use a command such as the following. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos max-rate 100 100 100 100 Syntax: qos scheduler max-rate <Queue0-rate>...
  • Page 558: Configuring Multicast Traffic Engineering

    Configuring multicast traffic engineering Displaying the scheduler configuration To view a Scheduler configuration, use the following command. BigIron RX#show qos scheduler Port | Scheduler Type Prio0 Prio1 Prio2 Prio3 | (Rates where specified are in Kbps) -------+-------------------------------------+---------+---------+--------- 13/1 | strict 13/2 | enhanced-strict Rate...
  • Page 559: Displaying The Multicast Traffic Engineering Configuration

    Configuring multicast traffic engineering NOTE Using the qos multicast best-effort rate command affects data-plane (non-control protocol) multicast, broadcast and unknown unicast flooded traffic, that prior to inclusion of the command there was a potential for this traffic to starve other traffic from accessing an egress queue. The limiting on a per traffic manager basis to 1.8 Gbps was best for the majority of environments.
  • Page 560: Qos For The Oversubscribed 16 X 10Ge Modules

    QoS for the oversubscribed 16 x 10GE modules 13/21 | 12000000 13/22 | 12000000 13/23 | 12000000 13/24 | 12000000 Syntax: show qos multicast [<portnum>] The <portnum> variable allows you to optionally limit the display to an individual port. QoS for the oversubscribed 16 x 10GE modules The 16-port 10 Gigabit Ethernet oversubscribed module plugs into any port slot of the device switch and is compatible with all previous generations of card on that switch.
  • Page 561: Setting The Server And Storage Modes

    QoS for the oversubscribed 16 x 10GE modules Setting the server and storage modes The default mode is qos rcv-scheduler fq-sp which is strict priority mode. This is used for the Server mode. This command sets the queues (TC) associated to the uplink ports. Each network port is assigned one low and high priority queue.
  • Page 562: Setting The Group Port Weights

    QoS for the oversubscribed 16 x 10GE modules TABLE 94 QOS profile table (Continued) 3 or 7 Low priority TC DP0 0 or 4 High priority TC DP1 1 or 5 High priority TC DP1 2 or 6 High priority TC DP1 3 or 7 High priority TC DP1 0 or 4...
  • Page 563: Egress Port Shaping

    QoS for the oversubscribed 16 x 10GE modules To determine the weight of w3. Weight of w3 = -------------------------------------------- 1 + 5 + 1 + 5 +1 + 5 + 1 + 5 The weight of w3 is 20.8%. Consequently, w3 (Port 2 High Priority) will get 20.83% of the group port's total bandwidth if equal amounts of traffic are received from all eight weights.
  • Page 564: Supported Acls

    QoS for the oversubscribed 16 x 10GE modules Supported ACLs The 16x10GE module supports standard, extended, named and numbered egress ACLs. Refer to Chapter 21, “Access Control List” for additional information. Configuring QoS for the 16 x 10G module New CLI commands have been added to allow alternating between server and storage modes on the 10 x 16GE module.
  • Page 565 QoS for the oversubscribed 16 x 10GE modules Use rcv-scheduler to change the receive scheduling parameters on the 16x10G card. Use scheduler to assign a scheduling mechanism to one or more ports. Use the no parameter to return to the default mode. (Server) Use the fq-sp parameter to set the 16x10G module to fair queuing strict priority mode.
  • Page 567: Traffic Policing On The Bigiron Rx Series

    Chapter Configuring Traffic Reduction In this chapter • Traffic policing on the BigIron RX Series ......495 •...
  • Page 568: Traffic Reduction Parameters And Algorithm

    Traffic reduction parameters and algorithm Traffic reduction parameters and algorithm A rate limiting policy specifies two parameters: requested rate and maximum burst. Requested rate The requested rate is the maximum number of bits a port is allowed to receive during a one-second interval.
  • Page 569: Configuration Considerations

    Configuration considerations The credit size is calculated using the following algorithm. Credit = (Average rate in bits per second)/(8*64453) One second is divided into 64,453 intervals. In each interval, the number of bytes equal to the credit size is added to the running total of the class. The running total of a class represents the number of bytes that can be allowed to pass through without being subject to rate limiting.
  • Page 570: Configuring Rate Limiting Policies

    Configuring rate limiting policies • ACL-based rate limiting policies consume entries based on the number of statements in an ACL. • See the limits in Table TABLE 96 Maximum # of rate limiting policies and VLANs w/ byte accounting permitted per-PPCR Module type PPCR number Port #...
  • Page 571: Configuring A Port-And-Priority-Based Rate Limiting Policy

    Configuring rate limiting policies Configuring a port-and-priority-based rate limiting policy 802.1p packet priority is used by default. The priority number specifies the IEEE 802.1 equivalent to one of the four Brocade QoS queues. You can configure port-and-priority-based rate limiting for each of the priority numbers 1 - 7 on a port.
  • Page 572: Configuring A Vlan-Group-Based Rate Limiting Policy

    Configuring rate limiting policies Configuring a VLAN-group-based rate limiting policy A rate limiting policy can be applied to a VLAN group. VLANs that are members of a VLAN group share the specified bandwidth defined in the rate limiting policy applied to that group. To configure a rate limiting policy for a VLAN group, do the following.
  • Page 573 Configuring rate limiting policies The priority <num> parameter specifies the 802.1p priority levels 0 - 7, equivalent to one of the four QoS queues. For information on the priority levels and the corresponding queue, refer “Assigning QoS priorities to traffic” on page 469.
  • Page 574: Configuring A Port-And-Ipv6 Acl-Based Traffic Reduction

    Configuring rate limiting policies These commands first configure access-list groups that contain the ACLs that will be used in the rate limiting policy. Use the permit condition for traffic that will be rate limited. Traffic that match the condition are not subject to rate limiting and allowed to pass through. Refer to “Configuring a port-and-IPv6 ACL-based traffic reduction”...
  • Page 575 NP based multicast, broadcast, and unknown-unicast rate limiting NP based multicast, broadcast, and unknown-unicast rate limiting NOTE Beginning with release 02.7.00, the multicast limit, broadcast limit, and the unknown-unicast limit commands have been superseded with the multicast rate-limit, broadcast rate-limit, and the unknown-unicast rate-limit commands.
  • Page 576: Displaying Traffic Reduction

    Displaying traffic reduction Displaying traffic reduction The show rate-limit command displays the rate limiting policies configured on the ports. For example.

    BigIron RX(config)# show rate-limit
    interface e 1/1
     rate-limit input 499321856 750000000
    interface e 1/3
     rate-limit input vlan-id 10 499321856 750000000
     rate-limit input vlan-id 20 97523712 200000000

    To display bytes forwarded and dropped, enter the following command.
  • Page 577: Filtering Based On Ethertype

    Chapter Layer 2 ACLs In this chapter • Filtering based on ethertype........505 •...
  • Page 578: Configuring Layer 2 Acls

    Configuring Layer 2 ACLs • The Layer 2 ACL feature cannot perform SNAP and LLC encapsulation type comparisons. • The device processes ACLs in hardware. • You can use Layer 2 ACLs to block management access to the device. For example, you can use a Layer 2 ACL clause to block a certain host from establishing a connection to the device through Telnet.
  • Page 579: Example Layer 2 Acl Clauses

    Configuring Layer 2 ACLs The permit | deny argument determines the action to be taken when a match occurs. The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using F’s and zeros.
  • Page 580: Inserting And Deleting Layer 2 Acl Clauses

    Viewing Layer 2 ACLs The following shows an example of a valid Layer 2 ACL clause. BigIron RX(config)# access-list 400 permit any any 100 etype ipv4 Inserting and deleting Layer 2 ACL clauses You can make changes to the Layer 2 ACL table definitions without unbinding and rebinding the table from an interface.
  • Page 581: Example Of Layer 2 Acl Deny By Mac Address

    Viewing Layer 2 ACLs Example of Layer 2 ACL deny by MAC address In the following example, an ACL is created that denies all traffic from the host with the MAC address 0012.3456.7890 being sent to the host with the MAC address 0011.2233.4455.

    BigIron RX(config)# access-list 401 deny 0012.3456.7890 ffff.ffff.ffff 0011.2233.4455 ffff.ffff.ffff
    BigIron RX(config)# access-list 401 permit any any...
  • Page 583: In This Chapter

    Chapter Access Control List In this chapter • How the device processes ACLs ........512 •...
  • Page 584: How The Device Processes Acls

    How the device processes ACLs How the device processes ACLs The device processes traffic that ACLs filter in hardware. The device creates an entry for each ACL in the Content Addressable Memory (CAM) at startup or when the ACL is created. The device uses these CAM entries to permit or deny packets in the hardware, without sending the packets to the CPU for processing.
  • Page 585: Default Acl Action

    Disabling or re-enabling Access Control Lists (ACLs) Disabling or re-enabling Access Control Lists (ACLs) The ACL feature is always enabled on device; it cannot be disabled. Default ACL action The default action when no ACLs are configured on a device is to permit all traffic. However, once you configure an ACL and apply it to a port, the default action for that port is to deny all traffic that is not explicitly permitted on the port: •...
  • Page 586: Enabling Support For Additional Acl Statements

    Enabling support for additional ACL statements • ACL entry – An ACL entry contains the filter commands associated with an ACL ID. These are also called “statements.” The maximum number of ACL entries you can configure is a system-wide parameter and depends on the device you are configuring. You can configure up to the maximum number of entries in any combination in different ACLs.
  • Page 587: Configuring Acl-Based Inbound Mirroring

    ACL-based inbound mirroring Configuring a common destination ACL mirror port for all ports of a PPCR All ports using the same PPCR must have a Common Destination ACL mirror Port when configuring ACL-based Inbound Mirroring. For Example, where ports 4/1 and 4/2 belong to the same PPCR, the following configuration that configures them with different destination ACL mirror ports will fail and generate an error message as shown.
  • Page 588 ACL-based inbound mirroring Specifying the destination mirror port for physical ports You must specify a destination port for traffic that has been selected by ACL-based Inbound Mirroring. This configuration is performed at the Interface Configuration of the port whose traffic you are mirroring.
  • Page 589 ACL-based inbound mirroring If you attempt to add a port that is configured for ACL-based Mirroring to a port, the following message will display: ACL port is configured on port 2/1, please remove it and try again. Trunk transaction failed: Trunk Config Vetoed •...
  • Page 590: Configuring Numbered And Named Acls

    Configuring numbered and named ACLs BigIron RX(config)# interface ethernet 4/3 BigIron RX(config-if-e10000-4/3)# acl-mirror-port ethernet 5/1 Configuring numbered and named ACLs When you configure ACLs, you can refer to the ACL by a numeric ID or by an alphanumeric name (except for super ACLs, which must be assigned numeric IDs). The commands to configure numbered ACLs are different from the commands to configure named ACLs: •...
  • Page 591 Configuring numbered and named ACLs Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log] Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log] Syntax: [no] access-list <num> deny | permit any [log] Syntax: [no] ip access-group <num> in The 16 x 10 GE module only supports the following standard ACLs.
  • Page 592: Configuring Extended Numbered Acls

    Configuring numbered and named ACLs host <source-ip> | Specify a host IP address or name. When you use this parameter, you do not need to <hostname> specify the mask. A mask of all zeros (0.0.0.0) is implied. Use this parameter to configure the policy to match on all host addresses. Configures the device to generate Syslog entries and SNMP traps for packets that are denied by the access policy.
  • Page 593 Configuring numbered and named ACLs To configure an extended access list that blocks all Telnet traffic received on port 1/1 from IP host 209.157.22.26, create the ACL with permit and deny rules, then bind the ACL to port 1/1 using the ip access-group command.
  • Page 594 Configuring numbered and named ACLs The first entry in this ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network. The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x network. The third entry denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network, if the TCP port number of the traffic is less than the well-known TCP port number for Telnet (23), and if the TCP port is not equal to 5.
  • Page 595 Configuring numbered and named ACLs [match-all <tcp-flags>] [match-any <tcp-flags>] [<icmp-type>] [established] [precedence <name> | <num>] General parameters for extended ACLs The following parameters apply to any extended ACL you are creating. <num> Enter 100 – 199 for a super ACL. deny | permit Enter deny if the packets that match the policy are to be dropped;...
  • Page 596 Configuring numbered and named ACLs first-fragment Enter this keyword if you want to filter only the first-fragmented packets. Refer to “Enabling ACL filtering of fragmented or non-fragmented packets” on page 557. fragment-offset <number> Enter this parameter if you want to filter a specific fragmented packets. Enter a value from 0 –...
  • Page 597 Configuring numbered and named ACLs <source-tcp/udp-port> Enter the source TCP or UDP port number. <destination-tcp/udp-port> Enter the destination TCP or UDP port number. match-all <tcp-flags> If you specified TCP for <ip-protocol>, you can specify which flags inside the TCP header need to be matched. Specify any of the following flags for <tcp-flags>: match-any <tcp-flags>...
  • Page 598 Configuring numbered and named ACLs <icmp-type> Enter one of the following values, depending on the software version the device is running: • any-icmp-type • echo • echo-reply • information-request • • mask-reply • mask-request • parameter-problem • redirect • source-quench •...
  • Page 599 Configuring numbered and named ACLs Using ACL QoS options to filter packets You can filter packets based on their QoS values by entering values for the following parameters: • tos <name> | <num> Specify the IP ToS name or number. You can specify one of the following: •...
  • Page 600 Configuring numbered and named ACLs The following occurs when you use these parameters: • Enter 0 – 63 for the dscp-marking <number> parameter. • The dscp-cos-mapping parameter takes the DSCP value you specified and compares it to an internal QoS table, which is indexed by DSCP values. The corresponding 802.1p priority, internal forwarding priority, and DSCP value is assigned to the packet.
  • Page 601: Configuring Standard Or Extended Named Acls

    Configuring numbered and named ACLs Configuring standard or extended named ACLs The commands for configuring named ACL entries are different from the commands for configuring numbered ACL entries. The command to configure a numbered ACL is access-list. The command for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry, you specify all the command parameters on the same command.
  • Page 602 Configuring numbered and named ACLs The <string> parameter is the ACL name. You can specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL for Net1”).
  • Page 603: Configuring Super Acls

    Configuring numbered and named ACLs [match-all <tcp-flags>] [match-any <tcp-flags>] [<icmp-type>] [established] [precedence <name> | <num>] Syntax: [no] ip access-list extended <string> | <num> deny | permit host <ip-protocol> any any [log] Syntax: [no] ip access-group <num> in The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring extended numbered ACLs”...
  • Page 604 Configuring numbered and named ACLs Super ACL syntax Syntax: [no] access-list <num> deny | permit | any | log | src-mac <src-mac> <mask> | dst-mac <dst-mac> <mask> | vlan-id <vlan-id> | ip-pkt-len <pkt-len> | ip-fragment-match {[fragment [fragment-offset <0 - 8191>]] | [non-fragment] | [first-fragment]} | ip-protocol <ip-protocol>...
  • Page 605: Displaying Acl Definitions

    Displaying ACL definitions ip-pkt-len <pkt-len> Specifies the IP packet length to be matched. ip-fragment-match Enables IP fragment matching. <ip-protocol> Specifies the IP protocols to be matched. <sip> Enables packet matching based on specific IP source addresses. <dip> Enables packet matching based on specified IP destination addresses. Enables packet matching based on specified source TCP/UDP port.
  • Page 606: Displaying Of Tcp/Udp Numbers In Acls

    Displaying ACL definitions Named ACL For a named ACL, enter a command such as the following. BigIron RX(config)#show access-list name entry Standard IP access list entry deny host 5.6.7.8 deny host 192.168.12.3 permit any Syntax: show access-list name <acl-name> Enter the ACL name for the <acl-name> parameter or the ACL number for <acl-number>. Displaying of TCP/UDP numbers in ACLs You can display the port numbers of TCP/UDP application information instead of their TCP/UDP well-known port name in the output of show commands and other commands that contain...
  • Page 607 Displaying ACL definitions TABLE 98 TCP/UDP port numbers and names (Continued) Port service Port name Description number Display Support Protocol Route Access Protocol Resource Location Protocol graphics Graphics nameserver Host Name Server nicname Who Is mpm-flags MPM FLAGS Protocol Message Processing Module [recv] mpm-snd MPM [default send] ni-ftp...
  • Page 608 Displaying ACL definitions TABLE 98 TCP/UDP port numbers and names (Continued) Port service Port name Description number mit-ml-dev1 MIT ML Device Common Trace Facility mit-ml-dev2 MIT ML Device mfcobol Micro Focus Cobol kerberos Kerberos su-mit-tg SU/MIT Telnet Gateway dnsix DNSIX Securit Attribute Token Map mit-dov MIT Dover Spooler Network Printing Protocol...
  • Page 609 Displaying ACL definitions TABLE 98 TCP/UDP port numbers and names (Continued) Port service Port name Description number nntp Network News Transfer Protocol cfdptkt CFDPTKT erpc Encore Expedited Remote Pro.Call smakynet SMAKYNET ansatrader ANSA REX Trader locus-map Locus PC-Interface Net Map Ser unitary NXEdit locus-con...
  • Page 610 Displaying ACL definitions TABLE 98 TCP/UDP port numbers and names (Continued) Port service Port name Description number knet-cmp KNET/VM Command/Message Protocol pcmail-srv PCMail Server nss-routing NSS-Routing sgmp-traps SGMP-TRAPS cmip-man CMIP/TCP Manager cmip-agent CMIP/TCP Agent xns-courier Xerox s-net Sirius Systems namp NAMP rsvd RSVD...
  • Page 611 Displaying ACL definitions TABLE 98 TCP/UDP port numbers and names (Continued) Port service Port name Description number Internet Relay Chat Protocol dn6-nlm-aud DNSIX Network Level Module Audit dn6-smm-red DNSIX Session Mgt Module Audit Redir Directory Location Service dls-mon Directory Location Service Monitor smux SMUX IBM System Resource Controller...
  • Page 612 Displaying ACL definitions TABLE 98 TCP/UDP port numbers and names (Continued) Port service Port name Description number zserv Zebra server fatserv Fatmen Server csi-sgwp Cabletron Management Protocol clearcase Clearcase ulistserv ListProcessor legent-1 Legent Corporation legent-2 Legent Corporation hassle Hassle Amiga Envoy Network Inquiry Protocol tnETOS NEC Corporation dsETOS...
  • Page 613 Displaying ACL definitions TABLE 98 TCP/UDP port numbers and names (Continued) Port service Port name Description number nced nced ncld ncld imsp Interactive Mail Support Protocol timbuktu Timbuktu prm-sm Prospero Resource Manager Sys. Man. prm-nm Prospero Resource Manager Node Man. decladebug DECLadebug Remote Debug Protocol Remote MT Protocol...
  • Page 614 Displaying ACL definitions TABLE 98 TCP/UDP port numbers and names (Continued) Port service Port name Description number sgcp sgcp decvms-sysmgt decvms-sysmgt cvc_hostd cvc_hostd http protocol over TLS/SSL snpp Simple Network Paging Protocol microsoft-ds Microsoft-DS ddm-rdb DDM-RDB ddm-dfm DDM-RFM ddm-byte DDM-BYTE as-servermap AS Server Mapper tserver...
  • Page 615 Displaying ACL definitions TABLE 98 TCP/UDP port numbers and names (Continued) Port service Port name Description number 9pfs plan 9 file service whoami whoami meter-570 demon meter-571 udemon ipcserver SUN ipc sERVER sift-uft Sender-Initiated or Unsolicited File Transfer npmp-trap npmp-trap npmp-local npmp-local npmp-gui...
  • Page 616: Acl Logging

    ACL logging TABLE 98 TCP/UDP port numbers and names (Continued) Port service Port name Description number cycleserv Cycle Server omserv Om Server webster webster phonebook phone cadlock-770 CADLOCK -770 rtip rtip cycleserv2 CYCLE Server submit SUBMIT rpasswd rpasswd entomb entomb wpages wpages wpgs...
  • Page 617: Enabling The New Logging Method

    Modifying ACLs NOTE BigIron RX does not support permit logging. NOTE Logging is not currently supported on management interfaces. Enabling the new logging method There are no new CLI commands to enable this new processing method; it takes effect automatically if the following items have been configured: •...
  • Page 618 Modifying ACLs You can use the CLI to reorder entries within an ACL by individually removing the ACL entries and then re-adding them. To use this method, enter “no” followed by the command for an ACL entry, and repeat this for each ACL entry in the ACL you want to edit. After removing all the ACL entries from the ACL, re-add them.
  • Page 619: Adding Or Deleting A Comment

    Modifying ACLs NOTE This command will be unsuccessful if you place any commands other than access-list and end (at the end only) in the file. These are the only commands that are valid in a file you load using the copy tftp running-config… command. To save the changes to the device’s startup-config file, enter the following command at the Privileged EXEC level of the CLI.
  • Page 620 Modifying ACLs NOTE An ACL remark is attached to each individual filter only, not to the entire ACL. Complete the syntax by specifying any options you want for the ACL entry. Options you can use to configure standard or extended numbered ACLs are discussed in “Configuring standard or extended named ACLs”...
  • Page 621: Deleting Acl Entries

    Deleting ACL entries • remark <string> - adds a comment to the ACL entry. The comment can contain up to 128 characters. Comments must be entered separately from actual ACL entries; that is, you cannot enter an ACL entry and an ACL comment with the same command. Also, in order for the remark to be displayed correctly in the output of show commands, a comment must be entered immediately before the ACL entry it describes.
  • Page 622: From Named Acls

    Deleting ACL entries The <acl-number> parameter specifies the ACL entry to be deleted. The <acl-num> parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 1 – 99 for standard ACLs, 100 – 199 for extended ACLs, or 500 – 599 for super ACLs. You must enter the complete deny or permit statement for the <entire-deny-or-permit-statement>...
  • Page 623: Applying Acls To Interfaces

    Applying ACLs to interfaces Applying ACLs to interfaces Configuration examples in the section “Configuring numbered and named ACLs” on page 518 show that you apply ACLs to interfaces using the ip access-group command. This section presents additional information about applying ACLs to interfaces. Configuration examples for super ACLs appear in the section “Configuring super ACLs”...
  • Page 624: Configuring The Layer 4 Session Log Timer

    Applying ACLs to interfaces NOTE Applying an ACL to a subset of physical interfaces under a virtual routing interface multiplies the amount of CAM used by the number of physical interfaces specified. An ACL that successfully functions over a whole virtual routing interface may fail if you attempt to apply it to a subset of physical interfaces.
  • Page 625: Qos Options For Ip Acls

    QoS options for IP ACLs When the first Syslog entry for a packet denied by an ACL is generated, the software starts an ACL timer. After this, the software sends Syslog messages every 1 to 10 minutes, depending on the value of the timer interval.
  • Page 626: Enabling Acl Duplication Check

    Enabling ACL duplication check Enabling ACL duplication check If desired, you can enable software checking for duplicate ACL entries. To do so, enter the following command at the Global CONFIG level of the CLI. BigIron RX(config)# acl-duplication-check-disable Syntax: [no] acl-duplication-check-disable This command is disabled by default.
  • Page 627: Displaying Accounting Statistics For All Acls

    ACL accounting Displaying accounting statistics for all ACLs To display a summary of the number of hits in all ACLs on a Multi-Service device, enter the following command. device(config)#show access-list accounting brief Collecting ACL accounting summary for VE 1 ... Completed successfully.
  • Page 628: Clearing The Acl Statistics

    ACL accounting The display shows the following information. This field... Displays... The IP multicast traffic snooping state The first line of the display indicates whether IP multicast traffic snooping is enabled or disabled. If enabled, it indicates if the feature is configured as passive or active.
  • Page 629: Enabling Acl Filtering Of Fragmented Or Non-Fragmented Packets

    Enabling ACL filtering of fragmented or non-fragmented packets Enabling ACL filtering of fragmented or non-fragmented packets By default, when an extended ACL is applied to a port, the port will use the ACL to permit or deny the first fragment of a fragmented packet, but forward subsequent fragments of the same packet in hardware.
  • Page 630: Acl Filtering For Traffic Switched Within A Virtual Routing Interface

    ACL filtering for traffic switched within a virtual routing interface NOTE The fragmented and non-fragmented parameters cannot be used together in an ACL entry. Complete the configuration by specifying options for the ACL entry. Options you can use are discussed in the appropriate sections for configuring ACLs in this chapter. ACL filtering for traffic switched within a virtual routing interface By default, a device does not filter traffic that is switched from one port to another within the same virtual routing interface, even if an ACL is applied to the interface.
  • Page 631: Named Acls

    ICMP filtering for extended ACLs Named ACLs For example, to deny the administratively-prohibited message type in a named ACL, enter commands such as the following. BigIron RX(config)# ip access-list extended entry BigIron RX(config-ext-nacl)# deny ICMP any any administratively-prohibited BigIron RX(config)# ip access-list extended entry BigIron RX(config-ext-nacl)#deny ICMP any any 3 13 Syntax: [no]ip access-list extended <acl-name>...
  • Page 632: Troubleshooting Acls

    Troubleshooting ACLs TABLE 99 ICMP message types and codes (Continued) ICMP message type Type Code mask-reply mask-request net-redirect net-tos-redirect net-tos-unreachable net-unreachable packet-too-big parameter-problem NOTE: This message includes all parameter problems port-unreachable precedence-cutoff protocol-unreachable reassembly-timeout redirect NOTE: This includes all redirects. router-advertisement router-solicitation source-host-isolated...
  • Page 633 Troubleshooting ACLs If you are using another feature that requires ACLs, use the same ACL entries for filtering and for the other feature.
  • Page 634 Troubleshooting ACLs
  • Page 635: Policy-Based Routing (Pbr)

    Chapter Policy-Based Routing In this chapter • Policy-Based Routing (PBR) ........563 •...
  • Page 636: Configuring A Pbr Policy

    Configuring a PBR policy • PBR ignores explicit or implicit deny ip any any ACL entries, to ensure that for route maps that use multiple ACLs, the traffic is compared to all the ACLs. PBR also ignores any deny clauses in an ACL.
  • Page 637 Configuring a PBR policy Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> Syntax: [no] access-list <num> deny | permit any The <num> parameter is the access list number and can be from 1 – 99. The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded).
  • Page 638: Configure The Route Map

    Configuring a PBR policy Configure the route map After you configure the ACLs, you can configure a PBR route map that matches based on the ACLs and sets routing information in the IP traffic. NOTE The match and set statements described in this section are the only route-map statements supported for PBR.
  • Page 639: Basic Example

    Configuration examples Enabling PBR globally To enable PBR globally, enter a command such as the following at the global CONFIG level. BigIron RX(config)# ip policy route-map test-route This command applies a route map named “test-route” to all interfaces on the device for PBR. Syntax: ip policy route-map <map-name>...
  • Page 640: Setting The Next Hop

    Configuration examples This command sets the next-hop IP address for traffic that matches a match statement in the route map. Setting the next hop The following commands configure the device to apply PBR to traffic from IP subnets 209.157.23.x, 209.157.24.x, and 209.157.25.x. In this example, route maps specify the next-hop gateway for packets from each of these subnets: •...
  • Page 641: Setting The Output Interface To The Null Interface

    Trunk formation Alternatively, you can enable PBR on specific interfaces, as shown in the following example. The commands in this example configure IP addresses in the three source subnets identified in ACLs 50, 51, and 52, then apply route map test-route to the interface. BigIron RX(config)# interface ve 1 BigIron RX(config-vif-1)# ip address 209.157.23.1/24 BigIron RX(config-vif-1)# ip address 209.157.24.1/24...
  • Page 642 Trunk formation
  • Page 643: Overview Of Ip Multicasting

    Chapter Configuring IP Multicast Protocols In this chapter • Overview of IP multicasting........571 •...
  • Page 644: Multicast Terms

    Multicast terms PIM and DVMRP are broadcast and pruning multicast protocols that deliver IP multicast datagrams. The protocols employ reverse path lookup check and pruning to allow source-specific multicast delivery trees to reach all group members. DVMRP and PIM build a different multicast tree for each source and destination host group.
  • Page 645: Defining The Maximum Number Of Dvmrp Cache Entries

    IP multicast boundaries Defining the maximum number of DVMRP cache entries The DVMRP cache system parameter defines the maximum number of repeated DVMRP traffic being sent from the same source address and being received by the same destination address. To define this maximum, enter a command such as the following.
  • Page 646: Configuring Multicast Boundaries

    Passive Multicast Route Insertion (PMRI) Configuring multicast boundaries To define boundaries for PIM enabled interfaces, enter a command such as the following. BigIron RX(config)#interface ve 40 BigIron RX(config-vif-40)#ip multicast-boundary MyFoundryAccessList Syntax: [no] ip multicast-boundary <acl-spec> <port-list> Use the acl-spec parameter to define the number or name identifying an access list that controls the range of group addresses affected by the boundary.
  • Page 647: Configuring Pmri

    Changing IGMP V1 and V2 parameters • If directly connected source passed source RPF check and completed data registration with RP or • If non directly connected source passed source RPF check. In PIM-DM • The route has no OIF and •...
  • Page 648: Modifying Igmp (V1 And V2) Query Interval Period

    Changing IGMP V1 and V2 parameters • IGMP group membership time – Specifies how many seconds an IP Multicast group can remain on a device interface in the absence of a group report. Possible values are 1 – 7200. The default is 260.
  • Page 649: Adding An Interface To A Multicast Group

    Adding an interface to a multicast group Adding an interface to a multicast group You can manually add an interface to a multicast group. This is useful in the following cases: • Hosts attached to the interface are unable to add themselves as members of the group using IGMP.
  • Page 650 IGMP v3 In contrast, IGMP V3 provides selective filtering of traffic based on traffic source. A router running IGMP V3 sends queries to every multicast enabled interface at the specified interval. These general queries determine if any interface wants to receive traffic from the router. The following are the three variants of the Query message: •...
  • Page 651: Default Igmp Version

    IGMP v3 Default IGMP version IGMP V3 is available for device Switches running software release 02.6.00 and later; however, these routers are shipped with IGMP V2-enabled. You must enable IGMP V3 globally or per interface. Also, you can specify what version of IGMP you want to run on a device globally, on each interface (physical port or virtual routing interface), and on each physical port within a virtual routing interface.
  • Page 652: Interface

    IGMP v3 Syntax: [no] ip igmp version <version-number> Enter 1, 2, or 3 for <version-number>. Version 2 is the default version. Enabling the IGMP version on a physical port within a virtual routing interface To specify the IGMP version recognized by a physical port that is a member of a virtual routing interface, enter a command such as the following.
  • Page 653: Setting The Query Interval

    IGMP v3 If a client sends a leave message, the client is immediately removed from the group. If a client does not send a report during the specified group membership time (the default is 140 seconds), that client is removed from the tracking list. To enable the tracking and fast leave feature, enter commands such as the following.
  • Page 654: Setting The Group Membership Time

    IGMP v3 Syntax: ip igmp query-interval <10-3600> The interval must be a little more than two times the group membership time. Setting the group membership time Group membership time defines how long a group will remain active on an interface in the absence of a group report.
  • Page 655 IGMP v3 To display the status of one IGMP multicast group, enter a command such as the following. BigIron RX# show ip igmp group 239.0.0.1 detail Display group 239.0.0.1 in all interfaces. Interface v18 : 1 groups group phy-port static querier life mode #_src 239.0.0.1 e4/20...
  • Page 656 IGMP v3 Table 0.1: This field Displays Mode Indicates current mode of the interface: Include or Exclude. If the interface is in Include mode, it admits traffic only from the source list. If an interface is in Exclude mode, it denies traffic from the source list and accepts the rest. #_src Identifies the source list that will be included or excluded on the interface.
  • Page 657 IGMP v3 Table 0.2: This field Displays Group membership time The number of seconds multicast groups can be members of this group before aging out. (details) The following is displayed for each interface: • The ID of the interface • The IGMP version that it is running (default IGMP V2 or configured IGMP V3) •...
  • Page 658: Clearing Igmp Statistics

    Configuring a static multicast route Table 0.3: This field Displays ToEX Number of times the interface mode changed from include to exclude. ALLOW Number of times that additional source addresses were allowed or denied on the interface. Number of times that sources were removed from an interface. Clearing IGMP statistics To clear statistics for IGMP traffic, enter the following command.
  • Page 659 Configuring a static multicast route NOTE In IP multicasting, a route is handled in terms of its source, rather than its destination. You can use the ethernet <slot>/<portnum> parameter to specify a physical port or the ve <num> parameter to specify a virtual interface. NOTE The ethernet <slot>/<portnum>...
  • Page 660: Next Hop Validation Check

    PIM dense Next hop validation check Beginning with release 02.6.00, you can configure the device to perform multicast validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC address. You can enable ARP validation check on a global basis. When the feature is enabled, the multicast route will only be installed when the next hop ARP has been resolved.
  • Page 661: Initiating Pim Multicasts On A Network

    PIM dense PIM was introduced to simplify some of the complexity of the routing protocol at the cost of additional overhead tied with a greater replication of forwarded multicast packets. PIM is similar to DVMRP in that PIM builds source-routed multicast delivery trees and employs reverse path check when forwarding multicast packets.
  • Page 662 PIM dense When a node on the multicast delivery tree has all of its downstream branches (downstream interfaces) in the prune state, a prune message is sent upstream. In the case of R4, if both R5 and R6 are in a prune state at the same time, R4 becomes a leaf node with no downstream interfaces and sends a prune message to R1.
  • Page 663: Grafts To A Multicast Tree

    PIM dense FIGURE 90 Pruning leaf nodes from a multicast tree Video Conferencing 229.225.0.1 Server Group Group (207.95.5.1, 229.225.0.1) Member Member (Source, Group) 229.225.0.1 Group Group Group Member Member Member Prune Message sent to upstream router (R4) Leaf Node (No Group Members) Group Group Group...
  • Page 664: Configuring Pim Dm

    PIM dense The primary difference between PIM DM V1 and V2 is the methods the protocols use for messaging: • PIM DM V1 – uses the IGMP to send messages. • PIM DM V2 – sends messages to the multicast address 224.0.0.13 (ALL-PIM-ROUTERS) with protocol number 103.
  • Page 665 PIM dense The behavior of the [no] router pim command was as follows: • Entering router pim command to enable PIM does not require a software reload. • Entering a no router pim command removes all configuration for PIM multicast on a device (router pim level) only.
  • Page 666 PIM dense Modifying hello timer This parameter defines the interval at which periodic hellos are sent out PIM interfaces. Routers use hello messages to inform neighboring routers of their presence. The default rate is 60 seconds. To apply a PIM hello timer of 120 seconds to all ports on the router operating with PIM, enter the following.
  • Page 667 PIM dense Viewing the prune wait time To view the prune wait time, enter the following command at any level of the CLI. BigIron RX(config)#show ip pim dense Global PIM Dense Mode Settings Hello interval: 60, Neighbor timeout: 180 Graft Retransmit interval: 180, Inactivity interval: 180 Route Expire interval: 200, Route Discard interval: 340 Prune age: 180, Prune wait: 3 Syntax: show ip pim dense...
  • Page 668: Failover Time In A Multi-Path Topology

    PIM Sparse Selection of shortest path back to source By default, when a multicast packet is received on a PIM-capable router interface in a multi-path topology, the interface checks its IP routing table to determine the shortest path back to the source.
  • Page 669: Pim Sparse Router Types

    PIM Sparse In a PIM Sparse network, a PIM Sparse router that is connected to a host that wants to receive information for a multicast group must explicitly send a join request on behalf of the receiver (host). PIM Sparse routers are organized into domains. A PIM Sparse domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary.
  • Page 670: Rp Paths And Spt Paths

    PIM Sparse Rendezvous Point (RP). To enhance overall network performance, the device uses the RP to forward only the first packet from a group source to the group’s receivers. After the first packet, the device calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver.
  • Page 671: Configuring Global Pim Sparse Parameters

    PIM Sparse • Identify the device as a candidate PIM Sparse Rendezvous Point (RP), if applicable. • Specify the IP address of the RP (if you want to statically select the RP). NOTE Brocade recommends that you configure the same device as both the BSR and the RP. Current limitations The implementation of PIM Sparse in the current software release has the following limitations: •...
  • Page 672 PIM Sparse The commands in this example add an IP interface to port 2/2, then enable PIM Sparse on the interface. If the interface is on the border of the PIM Sparse domain, you also must enter the following command. BigIron RX(config-if-e10000-2/2)# ip pim border Syntax: [no] ip pim border NOTE...
  • Page 673 PIM Sparse Configuring RPs Enter a command such as the following to configure the device as a candidate RP. BigIron RX(config-pim-router)# rp-candidate ethernet 2/2 Syntax: [no] rp-candidate ethernet <slot>/<portnum> | loopback <num> | ve <num> The ethernet <slot>/<portnum> | loopback <num> | ve <num> parameter specifies the interface. The device will advertise the specified interface’s IP address as a candidate RP.
  • Page 674 PIM Sparse Statically specifying the RP Brocade recommends that you use the PIM Sparse protocol’s RP election process so that a backup RP can automatically take over if the active RP router becomes unavailable. However, if you do not want the RP to be selected by the RP election process but instead you want to explicitly identify the RP by its IP address, use the rp-address command.
  • Page 675: Anycast Rp

    Anycast RP Use the ip address parameter to specify the IP address of the router you want to designate as an RP router. Use the acl name or id (optional) parameter to specify the name or ID of the ACL that specifies which multicast groups use this RP.
  • Page 676 Anycast RP This feature uses functionality that is already available on the device Router but re-purposes it to provide the benefits desired as described in RFC 3446. Configuring anycast RP To configure Anycast RP, you must do the following: • Configure a loopback interface with the anycast RP address on each of the RPs within the domain and enable PIM-SM on these interfaces.
  • Page 677 Anycast RP The configuration examples demonstrate the commands required to enable this application. FIGURE 92 Example of an anycast RP BigIron RX Common PIM Sparse Domain RP 1 RP 2 Loopback 1 Loopback 1 MSDP 10.0.0.1 10.0.0.1 Loopback 2 Loopback 2 10.1.1.2 10.1.1.1 Cost 5...
  • Page 678 Anycast RP RP1(config-pim-router)# exit RP1(config)# router msdp RP1(config-msdp-router)# msdp-peer 10.1.1.2 connect-source loopback 2 RP1(config-msdp-router)# originator-id loopback 2 RP 2 configuration The following commands provide the configuration for the RP 2 router in Figure RP2(config)#router ospf RP2(config-ospf-router)# area 0 RP2(config-ospf-router)# exit RP2(config)# interface loopback 1 RP2(config-lbif-1)# ip ospf area 0 RP2(config-lbif-1)# ip ospf passive...
  • Page 679: Route Selection Precedence For Multicast

    Anycast RP PIMR1(config-if-e1000-6/3)# ip pim-sparse PIMR1(config-if-e1000-6/3)# exit PIMR1(config)# router pim PIMR1(config-pim-router)# rp-address 10.0.0.1 PIMR1(config-pim-router)# exit PIMR2 configuration The following commands provide the configuration for the PIMR2 router in Figure PIMR2(config)#router ospf PIMR2(config-ospf-router)# area 0 PIMR2(config-ospf-router)# exit PIMR2(config)# interface ethernet 1/2 PIMR2(config-if-e1000-1/2)# ip ospf area 0 PIMR2(config-if-e1000-1/2)# ip ospf cost 5 PIMR2(config-if-e1000-1/2)# ip address 192.5.2.2/24...
  • Page 680: Displaying The Route Selection

    Anycast RP The none option may be used to fill up the precedence table in order to ignore certain types of routes. To use the unicast default route for multicast, enter commands such as the following. BigIron RX(config)# router pim BigIron RX(config-pim-router)#route-precedence mc-non-default mc-default uc-non-default none Syntax: [no] route-precedence {mc-non-default mc-default uc-non-default uc-default none}...
  • Page 681: Changing The Shortest Path Tree (Spt) Threshold

    Anycast RP ---------+----------------+----+---+----------------------+------+-------------+ v12 100.4.8.2 Itself 1 None v13 100.16.8.2 Itself 1 None v124 124.0.0.1 Itself 1 None v125 125.0.0.1 Itself 1 None v126 126.0.0.1 Itself 1 None v127 127.0.0.1 Itself 1 None l1 1.0.8.1 Itself 1 None Changing the Shortest Path Tree (SPT) threshold In a typical PIM Sparse domain, there may be two or more paths from a DR (designated router) for a multicast source to a PIM group receiver.
  • Page 682 Anycast RP NOTE Use the same Join/Prune message interval on all the PIM Sparse routers in the PIM Sparse domain. If the routers do not all use the same timer interval, the performance of PIM Sparse can be adversely affected. To change the Join/Prune interval, enter commands such as the following.
  • Page 683: Displaying Basic Pim Sparse Configuration Information

    Anycast RP Displaying basic PIM Sparse configuration information To display PIM Sparse configuration information, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim sparse Global PIM Sparse Mode Settings Hello interval: 60, Neighbor timeout: 180 Bootstrap Msg interval: 130, Candidate-RP Advertisement interval: 60 Join/Prune interval: 60, SPT Threshold: 1 Interface Ethernet e3/8 TTL Threshold: 1, Enabled...
  • Page 684: Displaying A List Of Multicast Groups

    Anycast RP This field... Displays... SPT Threshold The number of packets the device sends using the path through the RP before switching to using the SPT path. PIM Sparse interface information NOTE: You also can display IP multicast interface information using the show ip pim interface command. However, this command lists all IP multicast interfaces, including regular PIM (dense mode) and DVMRP interfaces.
  • Page 685: Displaying Bsr Information

    Anycast RP Displaying BSR information To display BSR information, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim bsr PIMv2 Bootstrap information This system is the elected Bootstrap Router (BSR) BSR address: 207.95.7.1 Uptime: 00:33:52, BSR priority: 5, Hash mask length: 32 Next bootstrap message in 00:00:20 Next Candidate-RP-advertisement in 00:00:10 RP: 207.95.7.1...
  • Page 686: Displaying Candidate Rp Information

    Anycast RP This field... Displays... Indicates the IP address of the Rendezvous Point (RP). NOTE: This field appears only if this device is a candidate BSR. group prefixes Indicates the multicast groups for which the RP listed by the previous field is a candidate RP.
  • Page 687: Displaying Rp Information For A Pim Sparse Group

    Anycast RP Displaying RP-to-group mappings To display RP-to-group-mappings, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim rp-map Number of group-to-RP mappings: 6 Group address RP address ------------------------------- 1 239.255.163.1 99.99.99.5 2 239.255.163.2 99.99.99.5 3 239.255.163.3 99.99.99.5 4 239.255.162.1 99.99.99.5...
  • Page 688: Displaying The Rp Set List

    Anycast RP Displaying the RP set list To display the RP set list, enter the following command at any CLI level. BigIron RX(config)#show ip pim rp-set Group address Static-RP-address Override --------------------------------------------------- Access-List 44 99.99.99.5 On Number of group prefixes Learnt from BSR: 1 Group prefix = 239.255.162.0/24 # RPs expected: 1 # RPs received: 1 RP 1: 43.43.43.1 priority=0 age=0...
  • Page 689: Displaying Information About An Upstream Neighbor Device

    Anycast RP Table 0.7: This field... Displays... Port The interface through which the device is connected to the neighbor. Neighbor The IP interface of the PIM neighbor interface. Holdtime sec Indicates how many seconds the neighbor wants this device to hold the entry for this neighbor in memory.
  • Page 690: Displaying The Pim Multicast Cache

    Anycast RP Displaying the PIM multicast cache To display the PIM multicast cache, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim mcache Total 6 entries 1 (10.161.32.200, 237.0.0.1) in v87 (tag e3/1), cnt=0 Sparse Mode, RPT=0 SPT=1 Reg=0 upstream neighbor=10.10.8.45 num_oifs = 1 v2 L3 (HW) 1: e4/24(VL2702)
  • Page 691 Anycast RP This display shows the following information. Table 0.8: This field... Displays... (<source>, <group>) The comma-separated values in parentheses is a source-group pair. The <source> is the PIM source for the multicast <group>. For example, the following entry means source 209.157.24.162 for group 239.255.162.1: (209.157.24.162,239.255.162.1) If the <source>...
  • Page 692: Pim-Ssmv4

    PIM-SSMv4 Displaying PIM traffic statistics To display PIM traffic statistics, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim traffic Port Hello Register RegStop Assert e3/8 Total 37 IGMP Statistics: Total Recv/Xmit 85/110 Total Discard/chksum Syntax: show ip pim traffic NOTE If you have configured interfaces for standard PIM (dense mode) on the device, statistics for these interfaces are listed first by the display.
  • Page 693: Enabling Ssm

    Configuring Multicast Source Discovery Protocol (MSDP) The amount of unwanted traffic in the network is reduced, but because each multicast group is associated with a particular host, different hosts can be assigned the same multicast address for different streams. This greatly increases the number of multicast groups that can be used in the network.
  • Page 694 Configuring Multicast Source Discovery Protocol (MSDP) Figure 93 shows an example of some PIM Sparse domains. For simplicity, this example shows only one Designated Router (DR), one group source, and one receiver for the group. Only one PIM Sparse router within each domain needs to run MSDP. FIGURE 93 PIM Sparse domains joined by MSDP routers PIM Sparse Domain 2...
  • Page 695: Peer Reverse Path Forwarding (Rpf) Flooding

    Configuring Multicast Source Discovery Protocol (MSDP) Figure 93 shows only one peer for the MSDP router (which is also the RP here) in domain 1, so the Source Active message goes to only that peer. When an MSDP router has multiple peers, it sends a Source Active message to each of those peers.
  • Page 696: Configuring Msdp

    Configuring Multicast Source Discovery Protocol (MSDP) Configuring MSDP To configure MSDP on a device, perform the following tasks: • Enable MSDP • Configure the MSDP peers NOTE The PIM Sparse Rendezvous Point (RP) is also an MSDP peer. Routers that run MSDP must also run BGP. Also, the source address used by the MSDP router must be the same source address used by BGP.
  • Page 697: Filtering Msdp Source-Group Pairs

    Configuring Multicast Source Discovery Protocol (MSDP) Designating an interface’s IP address as the RP’s IP address When an RP receives a Source Active message, it checks its PIM Sparse multicast group table for receivers for the group. If it finds a receiver, the RP sends a Join message for that receiver back to the RP that originated the Source Active message.
  • Page 698 Configuring Multicast Source Discovery Protocol (MSDP) Example The following commands configure an IP address on port 3/1. This is the port on which the MSDP neighbors will be configured. BigIron RX(config)# interface ethernet 3/1 BigIron RX(config-if-e1000-3/1)# ip address 2.2.2.98/24 BigIron RX(config-if-e1000-3/1)# exit The following commands configure a loopback interface.
  • Page 699: Filtering Advertised Source-Active Messages

    Configuring Multicast Source Discovery Protocol (MSDP) • sa-filter in 2.2.2.97 route-map msdp_map – This command ignores source-group pairs received from neighbor 2.2.2.97 if the pairs have source address 10.x.x.x and any group address. • sa-filter in 2.2.2.96 route-map msdp2_map rp-route-map msdp2_rp_map – This command accepts all source-group pairs except those associated with RP 2.2.42.3.
  • Page 700: Are Applied

    Configuring Multicast Source Discovery Protocol (MSDP) BigIron RX(config)# route-map msdp_map deny 1 BigIron RX(config-routemap msdp_map)# match ip address 123 BigIron RX(config-routemap msdp_map)# exit The following commands enable MSDP and configure MSDP neighbors on port 3/1. BigIron RX(config)# router msdp BigIron RX(config-msdp-router)# msdp-peer 2.2.2.99 connect-source loopback 1 BigIron RX(config-msdp-router)# msdp-peer 2.2.2.97 connect-source loopback 1 BigIron RX(config-if-3/1)# exit The following commands configure the Source-Active filter.
  • Page 701 Configuring Multicast Source Discovery Protocol (MSDP) 21 (117.1.0.65, 224.200.1.45), RP:2.2.2.2, Age:0 22 (117.1.0.38, 224.200.1.18), RP:2.2.2.2, Age:0 23 (117.1.0.52, 224.200.1.32), RP:2.2.2.2, Age:0 24 (117.1.0.25, 224.200.1.5), RP:2.2.2.2, Age:0 25 (117.1.0.66, 224.200.1.46), RP:2.2.2.2, Age:0 26 (117.1.0.39, 224.200.1.19), RP:2.2.2.2, Age:0 27 (117.1.0.53, 224.200.1.33), RP:2.2.2.2, Age:0 28 (117.1.0.26, 224.200.1.6), RP:2.2.2.2, Age:0 29 (117.1.0.67, 224.200.1.47), RP:2.2.2.2, Age:0 30 (117.1.0.40, 224.200.1.20), RP:2.2.2.2, Age:0...
  • Page 702: Configuring Msdp Mesh Groups

    Configuring MSDP mesh groups TABLE 100 MSDP source active cache (Continued) This field... Displays... Free The number of additional entries for which the cache has room. Index The cache entry number. SourceAddr The IP address of the multicast source. GroupAddr The IP multicast group to which the source is sending information.
  • Page 703: Configuring Msdp Mesh Group

    Configuring MSDP mesh groups Figure 94 shows an example of an MSDP mesh group. In a PIM-SM mesh group the RPs are configured to be peers of each other. They can also be peers of RPs in other domains. FIGURE 94 Example of MSDP mesh group PIM Sparse Domain 1 Mesh GroupA...
  • Page 704 Configuring MSDP mesh groups BigIron RX(config-msdp-router)# mesh-group GroupA 206.251.21.31 BigIron RX(config-msdp-router)# mesh-group GroupA 206.251.17.31 BigIron RX(config-msdp-router)# mesh-group GroupA 206.251.13.31 BigIron RX(config-msdp-router)# exit Syntax: [no] mesh-group <group-name> <peer-address> The sample configuration above reflects the configuration in Figure 94. On RP 206.251.21.31 you specify its peers within the same domain (206.251.21.31, 206.251.17.31, and 206.251.13.31).
  • Page 705 Configuring MSDP mesh groups Example In Figure 95, devices A, B, C, and D are in Mesh Group 1234. The example configuration following the figure shows how the devices are configured to be part of the MSDP mesh group. The example also shows the features that need to be enabled for the MSDP mesh group to work.
  • Page 706 Configuring MSDP mesh groups BigIron RX(config)# interface ethernet 2/1 BigIron RX(config-if-2/1)# ip address 12.12.12.1 255.255.255.0 BigIron RX(config-if-2/1)# ip pim-sparse BigIron RX(config-if-2/1)# exit BigIron RX(config)# interface ethernet 2/20 BigIron RX(config-if-2/20)# ip address 159.159.159.1 255.255.255.0 BigIron RX(config-if-2/20)# ip pim-sparse BigIron RX(config-if-2/20)# exit BigIron RX(config)# interface ethernet 4/1 BigIron RX(config-if-4/1)# ip address 31.31.31.1 255.255.255.0 BigIron RX(config-if-4/1)# ip pim-sparse...
  • Page 707 Configuring MSDP mesh groups BigIron RX(config)# interface ethernet 1/12 BigIron RX(config-if-1/12)# ip address 165.165.165.1 255.255.255.0 BigIron RX(config-if-1/12)# ip pim-sparse BigIron RX(config-if-1/12)# exit BigIron RX(config)# interface ethernet 1/24 BigIron RX(config-if-1/24)# ip address 168.72.2.2 255.255.255.0 BigIron RX(config-if-1/24)# exit BigIron RX(config)# interface ethernet 1/25 BigIron RX(config-if-1/25)# ip address 24.24.24.2 255.255.255.0 BigIron RX(config-if-1/25)# ip pim-sparse BigIron RX(config-if-1/24)# exit...
  • Page 708 Configuring MSDP mesh groups BigIron RX(config)# interface ethernet 10/8 BigIron RX(config-if-10/8)# ip address 35.35.35.3 255.255.255.0 BigIron RX(config-if-10/8)# ip pim-sparse BigIron RX(config-if-10/8)# ip pim border BigIron RX(config-if-10/8)# exit BigIron RX(config)# interface ethernet 12/2 BigIron RX(config-if-12/1)# ip address 34.34.34.3 255.255.255.0 BigIron RX(config-if-12/1)# ip pim-sparse BigIron RX(config-if-12/1)# exit BigIron RX(config)# interface ethernet 14/4 BigIron RX(config-if-14/4)# ip address 154.154.154.1 255.255.255.0...
  • Page 709 Configuring MSDP mesh groups BigIron RX(config)# interface ethernet 2/6 BigIron RX(config-if-)# ip address 156.156.156.1 255.255.255.0 BigIron RX(config-if-)# ip pim-sparse BigIron RX(config-if-)# exit BigIron RX(config)# interface ethernet 5/1 BigIron RX(config-if-)# ip address 34.34.34.4 255.255.255.0 BigIron RX(config-if-)# ip pim-sparse BigIron RX(config-if-)# exit BigIron RX(config)# interface ethernet 7/1 BigIron RX(config-if-)# ip address 14.14.14.4 255.255.255.0 BigIron RX(config-if-)# ip pim-sparse...
  • Page 710: Displaying Summary Information

    Configuring MSDP mesh groups Displaying summary information To display summary MSDP information, enter the following command at any level of the CLI. BigIron RX# show ip msdp summary MSDP Peer Status Summary KA: Keepalive SA:Source-Active NOT: Notification Peer Address State 206.251.17.30 ESTABLISH 206.251.17.41...
  • Page 711: Displaying Peer Information

    Configuring MSDP mesh groups Displaying peer information To display MSDP peer information, use the following CLI method. BigIron RX# show ip msdp peer Total number of MSDP Peers: 2 IP Address State 206.251.17.30 ESTABLISHED Keep Alive Time Hold Time Message Sent Message Received Keep Alive Notifications...
  • Page 712 Configuring MSDP mesh groups TABLE 102 MSDP peer information (Continued) This field... Displays... Keep Alive Message Received The number of Keep Alive messages the MSDP router has received from the peer. Notifications Sent The number of Notification messages the MSDP router has sent to the peer.
  • Page 713 Configuring MSDP mesh groups TABLE 102 MSDP peer information (Continued) This field... Displays... TCP connection state The state of the connection with the neighbor. The connection can have one of the following states: • LISTEN – Waiting for a connection request. •...
  • Page 714: Displaying Source Active Cache Information

    Clearing MSDP information TABLE 102 MSDP peer information (Continued) This field... Displays... RcvQue The number of sequence numbers in the receive queue. SendQue The number of sequence numbers in the send queue. Displaying source active cache information To display the Source Actives in the MSDP cache, use the following CLI method. BigIron RX# show ip msdp sa-cache Total Entry 4096, Used 1800 Free 2296 Index...
  • Page 715: Clearing Peer Information

    DVMRP overview Clearing peer information To clear MSDP peer information, enter the following command at the Privileged EXEC level of the CLI. BigIron RX# clear ip msdp peer 205.216.162.1 Remote connection closed Syntax: clear ip msdp peer <ip-addr> The command in this example clears the MSDP peer connection with MSDP router 205.216.162.1. The CLI displays a message to indicate when the connection has been successfully closed.
  • Page 716: Initiating DVMRP Multicasts On A Network

    DVMRP overview Initiating DVMRP multicasts on a network Once DVMRP is enabled on each router, a network user can begin a video conference multicast from the server on R1. Multicast Delivery Trees are initially formed by source-originated multicast packets that are propagated to downstream interfaces as seen in Figure 96.
  • Page 717 DVMRP overview In Figure 97, Router 5 is a leaf node with no group members in its local database. Consequently, Router 5 sends a prune message to its upstream router. This router will not receive any further multicast traffic until the prune age interval expires. FIGURE 96 Downstream broadcast of IP multicast packets from source host Video Conferencing...
  • Page 718: Grafts To A Multicast Tree

    DVMRP overview FIGURE 97 Pruning leaf nodes from a multicast tree Video Conferencing 229.225.0.1 Server Group Group (207.95.5.1, 229.225.0.1) Member Member (Source, Group) 229.225.0.1 Group Group Group Member Member Member Prune Message sent to upstream router (R4) Leaf Node (No Group Members) Group Group Group...
  • Page 719: Configuring DVMRP

    Configuring DVMRP Configuring DVMRP Enabling DVMRP globally and on an interface Suppose you want to initiate the use of desktop video for fellow users on a sprawling campus network. All destination workstations have the appropriate hardware and software but the devices that connect the various buildings need to be configured to support DVMRP multicasts from the designated video conference server as seen in Figure...
  • Page 720: Modifying Neighbor Timeout

    Configuring DVMRP • Route expire time • Route discard time • Prune age • Graft retransmit time • Probe interval • Report interval • Trigger interval • Default route Modifying neighbor timeout The neighbor timeout specifies the period of time that a router will wait before it defines an attached DVMRP neighbor router as down.
  • Page 721: Modifying Probe Interval

    Configuring DVMRP Modifying graft retransmit time The Graft Retransmit Time defines the initial period of time that a router sending a graft message will wait for a graft acknowledgement from an upstream router before re-transmitting that message. Subsequent retransmissions are sent at an interval twice that of the preceding interval. Possible values are from 5 –...
  • Page 722: Modifying DVMRP Interface Parameters

    Configuring DVMRP To define the default gateway for DVMRP, enter the following. BigIron RX(config-dvmrp-router)# default-gateway 192.35.4.1 Syntax: default-gateway <ip-addr> Modifying DVMRP interface parameters DVMRP global parameters come with preset values. The defaults work well in most networks, but you can modify the following interface parameters if you need to: •...
  • Page 723: Displaying Information About An Upstream Neighbor Device

    Configuring a static multicast route Displaying information about an upstream neighbor device You can view information about the upstream neighbor device for a given source IP address for IP PIM packets. The software uses the IP route table or multicast route table to lookup the upstream neighbor device.
  • Page 724: Configuring IP Multicast Traffic Reduction

    Configuring IP multicast traffic reduction NOTE Regardless of the administrative distances, the device Series router always prefers directly connected routes over other routes. FIGURE 98 Example multicast static routes PIM Router D 9.9.9.101 e6/14 Client Multicast group 239.255.162.1 e4/11 207.95.6.1 e1/2 PIM Router A PIM Router C...
  • Page 725: Enabling IP Multicast Traffic Reduction

    Configuring IP multicast traffic reduction When you enable IP Multicast Traffic Reduction, you also can configure the following features: • IGMP mode – When you enable IP Multicast Traffic Reduction, the device passively listens for IGMP Group Membership reports by default. If the multicast domain does not have a to send IGMP queries to elicit these Group Membership reports, you can enable the device to actively send the IGMP queries.
  • Page 726 Configuring IP multicast traffic reduction NOTE When one or more device devices are running Layer 2 IP Multicast Traffic reduction, configure one of the devices for active IGMP and leave the other devices configured for passive IGMP. However, if the IP multicast domain contains a multicast-capable, configure all the device devices for passive IGMP and allow the to actively send the IGMP queries.
  • Page 727 Configuring IP multicast traffic reduction • Passive – When passive IGMP mode is enabled, the switch listens for IGMP Group Membership reports on the VLAN instance specified but does not send IGMP queries. The passive mode is called “IGMP snooping”. Use this mode when another device in the VLAN instance is actively sending queries.
  • Page 728: Modifying The Query Interval

    Configuring IP multicast traffic reduction • Passive – When passive IGMP mode is enabled, the device listens for IGMP Group Membership reports but does not send IGMP queries. The passive mode is sometimes called “IGMP snooping”. Use this mode when another device in the network is actively sending queries.
  • Page 729: Layer 2 Multicast Filters

    Configuring IP multicast traffic reduction When the device starts up, it forwards all multicast groups even though multicast traffic filters are configured. This process continues until the device receives a group membership report. Once the group membership report is received, the device drops all multicast packets for groups other than the ones for which the device has received the group membership report.
  • Page 730: PIM SM Traffic Snooping

    Configuring IP multicast traffic reduction Use the port-list parameter to define the member ports on which the ACL is applied. The ACL will be applied to the multicast traffic arriving in both directions. Use the no multicast boundary command to remove the boundary on an IGMP enabled interface. NOTE The ACL, MyFoundryAccessList can be configured using standard ACL syntax which can be found in the ACL section.
  • Page 731: Application Examples

    Configuring IP multicast traffic reduction Application examples Figure 99 shows an example application of the PIM SM traffic snooping feature. In this example, a device is connected through an IP router to a PIM SM group source that is sending traffic for two PIM SM groups.
  • Page 732: Configuration Requirements

    Configuring IP multicast traffic reduction The device stops forwarding IP multicast traffic on a port for a group if the port receives a prune message for the group. Notice that the ports connected to the source and the receivers are all in the same port-based VLAN on the device.
  • Page 733 Configuring IP multicast traffic reduction • All the device ports connected to the source and receivers or routers must be in the same port-based VLAN. • The PIM SM snooping feature assumes that the group source and the device are in different subnets and communicate through a router.
  • Page 734: Static IGMP Membership

    Configuring IP multicast traffic reduction Configuring the PIM SM traffic snooping per VLAN instance If PIM SM Traffic snooping is not applied globally, you can apply it to individual VLANs instances within their configurations. In the following example, multicast traffic reduction is applied using PIM SM Traffic snooping to VLAN 2.
  • Page 735 Configuring IP multicast traffic reduction To configure the physical interface 10.43.3.12 to statically join a multicast group on port 2/4, enter commands such as the following. BigIron RX(config)# vlan 100 BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 To configure the snooping device to statically join a multicast stream with the source address of 10.43.1.12 in the include mode, enter commands such as the following.
  • Page 736 Configuring IP multicast traffic reduction The group-address parameter specifies the group multicast address. The include or exclude keyword indicates a filtering action. You can specify which source (for a group) to include or exclude. The include or exclude keyword is only supported on IGMPv3. The source-address parameter specifies the IP address of the multicast source.
  • Page 737: Overview Of Routing Information Protocol (RIP)

    Chapter Configuring RIP In this chapter • Overview of Routing Information Protocol (RIP)..... . 665 • Configuring RIP parameters ........665 •...
  • Page 738: Enabling RIP

    Configuring RIP parameters Enabling RIP RIP is disabled by default. To enable RIP, you must enable it globally and also on individual interfaces on which you want to advertise RIP. Globally enabling the protocol does not enable it on individual interfaces. You can enable the protocol on physical interfaces as well as virtual routing interfaces.
  • Page 739: Configuring Redistribution

    Configuring RIP parameters NOTE Refer to “Changing administrative distances” on page 765 for a list of the default distances for all route sources. To change the administrative distance for RIP routes, enter a command such as the following. BigIron RX(config-rip-router)# distance 140 The command changes the administrative distance to 140 for all RIP routes.
  • Page 740: Configuring Route Learning And Advertising Parameters

    Configuring RIP parameters • If a route does not match any match statements in the route map, the route is denied. This is the default action. To change the default action, configure the last match statement in the last instance of the route map to “permit any any”. •...
  • Page 741: Changing The Route Loop Prevention Method

    Configuring RIP parameters • Learning of standard RIP routes – By default, the device can learn RIP routes from all its RIP neighbors. You can configure RIP neighbor filters to explicitly permit or deny learning from specific neighbors. Enabling learning of RIP default routes By default, the device does not learn default RIP routes.
  • Page 742: Interface

    Configuring RIP parameters These loop prevention methods are configurable on a global basis as well as on an individual interface basis. One of the methods is always in effect on an interface enabled for RIP. Thus, if you disable one method, the other method is enabled. NOTE These methods are in addition to RIP’s maximum valid route cost of 15.
  • Page 743: Using Prefix Lists And Route Maps As Route Filters

    Configuring RIP parameters Using prefix lists and route maps as route filters You can configure prefix lists to permit or deny specific routes, then apply them globally or to individual interfaces and specify whether the lists apply to learned routes (in) or advertised routes (out).
  • Page 744: Setting RIP Timers

    Displaying RIP filters The commands apply route map map1 as route filters to routes learned from the RIP neighbor on port 1/2. Setting RIP timers You can set basic update timers for the RIP protocol. The protocol must be enabled in order to set the timers.
  • Page 745: Clearing The RIP Routes From The Routing Table

    Displaying RIP filters TABLE 104 CLI display of neighbor filter information (Continued) This field... Displays... OSPF metric Shows what OSPF route map has been applied. Neighbor filter table area Index The filter number. You assign this number when you configure the filter. Action The action the router takes for RIP route packets to or from the specified neighbor:...
  • Page 747: Overview Of OSPF (Open Shortest Path First)

    Chapter Configuring OSPF Version 2 (IPv4) In this chapter • Overview of OSPF (Open Shortest Path First) ..... . . 675 •...
  • Page 748: Designated Routers In Multi-Access Networks

    Overview of OSPF (Open Shortest Path First) An Autonomous System Boundary Router (ASBR) is a router that is running multiple protocols and serves as a gateway to routers outside an area and those operating with different protocols. The ASBR is able to import and translate different protocol routes into OSPF through a process known as redistribution.
  • Page 749: Designated Router Election In Multi-Access Networks

    Overview of OSPF (Open Shortest Path First) Designated router election in multi-access networks In a network with no designated router and no backup designated router, the neighboring router with the highest priority is elected as the DR, and the router with the next largest priority is elected as the BDR, as shown in Figure 102 FIGURE 102...
  • Page 750: OSPF RFC 1583 And 2328 Compliance

    Overview of OSPF (Open Shortest Path First) NOTE By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the BigIron RX does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device.
  • Page 751 Overview of OSPF (Open Shortest Path First) Figure 104 shows an example of the AS External LSA reduction feature. In this example, Routers D and E are OSPF ASBRs, and thus communicate route information between the OSPF AS, which contains Routers A, B, and C, and another routing domain, which contains Router F. The other routing domain is running another routing protocol, such as BGP4 or RIP.
  • Page 752: Support For OSPF RFC 2328 Appendix E

    Overview of OSPF (Open Shortest Path First) Algorithm for AS external LSA reduction Figure 104 shows an example in which the normal AS External LSA reduction feature is in effect. The behavior changes under the following conditions: • There is one ASBR advertising (originating) a route to the external destination, but one of the following happens: •...
  • Page 753: Dynamic OSPF Activation And Configuration

    Configuring OSPF When appendix E is supported, the router generates the link state ID for a network as follows. 1. Does an LSA with the network address as its ID already exist? • No – Use the network address as the ID. •...
  • Page 754: OSPF Parameters

    Configuring OSPF 4. Configure route map for route redistribution, if desired. 5. Enable redistribution, if desired. 6. Modify default global and port parameters as required. Modify OSPF standard compliance, if desired. Configuration rules • If a router is to operate as an ASBR, you must enable the ASBR capability at the system level. •...
  • Page 755: Enable OSPF On The Router

    Configuring OSPF • Modify the dead interval. • Modify MD5 authentication key parameters. • Modify the priority of the interface. • Modify the retransmit interval for the interface. • Modify the transit delay of the interface. NOTE You set global level parameters at the OSPF CONFIG Level of the CLI. To reach that level, enter router ospf…...
  • Page 756 Configuring OSPF An area can be normal, a stub, or a Not-So-Stubby Area (NSSA). • Normal – OSPF routers within a normal area can send and receive External Link State Advertisements (LSAs). • Stub – OSPF routers within a stub area cannot send or receive External LSAs. In addition, OSPF routers in a stub area must use a default route to the area’s Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) to send traffic out of the area.
  • Page 757 Configuring OSPF NOTE This feature applies only when the BigIron RX is configured as an Area Border Router (ABR) for the area. To completely prevent summary LSAs from being sent to the area, disable the summary LSAs on each OSPF router that is an ABR for the area. This feature does not apply to Not So Stubby Areas (NSSAs).
  • Page 758 Configuring OSPF Figure 105 shows an example of an OSPF network containing an NSSA. FIGURE 105 OSPF network containing an NSSA RIP Domain NSSA Area 1.1.1.1 OSPF Area 0 Backbone Internal ASBR OSPF ABR This example shows two routing domains, a RIP domain and an OSPF domain. The ASBR inside the NSSA imports external routes from RIP into the NSSA as Type-7 LSAs, which the ASBR floods throughout the NSSA.
  • Page 759: Assigning An Area Range (Optional)

    Configuring OSPF The nssa <cost> | default-information-originate parameter specifies that this is a Not-So-Stubby-Area (NSSA). The <cost> specifies an additional cost for using a route to or from this NSSA and can be from 1 – 16777215. There is no default. Normal areas do not use the cost parameter.
  • Page 760: Assigning Interfaces To An Area

    Configuring OSPF The <num> | <ip-addr> parameter specifies the area number, which can be in IP address format. The range <ip-addr> parameter specifies the IP address portion of the range. The software compares the address with the significant bits in the mask. All network addresses that match this comparison are summarized in a single route advertised by the router.
  • Page 761: OSPF Interface Parameters

    Configuring OSPF OSPF interface parameters The following parameters apply to OSPF interfaces Area Assigns an interface to a specific area. You can assign either an IP address or number to represent an OSPF Area ID. If you assign a number, it can be any value from 0 –...
  • Page 762 Configuring OSPF Passive When you configure an OSPF interface to be passive, that interface does not send or receive OSPF route updates. By default, all OSPF interfaces are active and thus can send and receive OSPF route information. Since a passive interface does not send or receive route information, the interface is in effect a stub network.
  • Page 763: Change The Timer For OSPF Authentication Changes

    Configuring OSPF Change the timer for OSPF authentication changes When you make an OSPF authentication change, the software uses the authentication-change timer to gracefully implement the change. The software implements the change in the following ways: • Outgoing OSPF packets – After you make the change, the software continues to use the old authentication to send packets, during the remainder of the current authentication-change interval.
  • Page 764: Assign Virtual Links

    Configuring OSPF NOTE You cannot block LSAs on virtual links. To apply a filter to an OSPF interface to block flooding of outbound LSAs on the interface, enter the following command at the Interface configuration level for that interface. BigIron RX(config-if-e10000-1/1)# ip ospf database-filter all out The command in this example blocks all outbound LSAs on the OSPF interface configured on port 1/1.
  • Page 765 Configuring OSPF NOTE When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link). FIGURE 106 Defining OSPF virtual links within a network OSPF Area 0 BigIronC Router ID 209.157.22.1 OSPF Area 1 OSPF Area 2 “transit area”...
  • Page 766: Modify Virtual Link Parameters

    Configuring OSPF <value> | [md5-authentication key-activation-wait-time <num> | key-id <num> [0 | 1] key <string>] The area <ip-addr> | <num> parameter specifies the transit area. The <router-id> parameter specifies the router ID of the OSPF router at the remote end of the virtual link.
  • Page 767: Configuring An OSPF Non-Broadcast Interface

    Configuring OSPF Virtual link parameter descriptions You can modify the following virtual link interface parameters. Authentication Key This parameter allows you to assign different authentication methods on a port-by-port basis. OSPF supports three methods of authentication for each interface—none, simple password, and MD5. Only one method of authentication can be active on an interface at a time.
  • Page 768 Configuring OSPF You configure NBMAs on an interface. The routers at the other end of that interface must have a non-broadcast neighbor configured. There is no restriction on the number of routers sharing a non-broadcast interface (for example, through a hub or switch). To configure NBMA on an interface, do the following.
  • Page 769: OSPF Point-To-Point Links

    Configuring OSPF OSPF point-to-point links In an OSPF point-to-point network, where a direct Layer 3 connection exists between a single pair of OSPF routers, there is no need for Designated and Backup Designated Routers, as is the case in OSPF multi-access networks. Without the need for Designated and Backup Designated routers, a point-to-point network establishes adjacency and converges faster.
  • Page 770 Configuring OSPF The <ip-addr> parameter displays the OSPF interface information for the specified IP address. The following table defines the highlighted fields shown in the above example output of the show ip ospf interface command. TABLE 105 Output of the show ip ospf interface command This field Displays IP Address...
  • Page 771 Configuring OSPF When encryption of the passwords or authentication strings is enabled, they are encrypted in the CLI regardless of the access level you are using. The encryption option can be omitted (the default) or can be one of the following: •...
  • Page 772: Define Redistribution Filters

    Configuring OSPF The default reference bandwidth is 100 Mbps. You can change the reference bandwidth to a value from 1 – 4294967. If a change to the reference bandwidth results in a cost change to an interface, the device sends a link-state update to update the costs of interfaces advertised by the device.
  • Page 773 Configuring OSPF NOTE The BigIron RX advertises the default route into OSPF even if redistribution is not enabled, and even if the default route is learned through an IBGP neighbor. IBGP routes (including the default route) are not redistributed into OSPF by OSPF redistribution (for example, by the OSPF redistribute command).
  • Page 774: Modify Default Metric For Redistribution

    Configuring OSPF For example, to enable redistribution of RIP and static IP routes into OSPF, enter the following commands. BigIron RX(config)# router ospf BigIron RX(config-ospf-router)# redistribution rip BigIron RX(config-ospf-router)# redistribution static BigIron RX(config-ospf-router)# write memory Modify default metric for redistribution The default metric is a global parameter that specifies the cost applied to all OSPF routes by default.
  • Page 775 Configuring OSPF The commands in this example configure some static IP routes, then configure a route map and use the route map for redistributing static IP routes into OSPF. The ip route commands configure the static IP routes. The route-map command begins configuration of a route map called “abc”.
  • Page 776: Disable Or Re-Enable Load Sharing

    Configuring OSPF NOTE For an external route that is redistributed into OSPF through a route map, the metric value of the route remains the same unless the metric is set by a set metric command inside the route map. The default-metric <num>...
  • Page 777: Configure External Route Summarization

    Configuring OSPF NOTE The BigIron RX is not source routing in these examples. The router is concerned only with the paths to the next-hop routers, not the entire paths to the destination hosts. OSPF load sharing is enabled by default when IP load sharing is enabled. To configure IP load sharing parameters, refer to “Configuring IP load sharing”...
  • Page 778: Configure Default Route Origination

    Configuring OSPF Syntax: summary-address <ip-addr> <ip-mask> The <ip-addr> parameter specifies the network address. The <ip-mask> parameter specifies the network mask. To display the configured summary addresses, enter the following command at any level of the CLI. BigIron RX(config-ospf-router)# show ip ospf config OSPF Redistribution Address Ranges currently defined: Range-Address Subnetmask...
  • Page 779: Configuring A Default Network Route

    Configuring OSPF Syntax: [no] default-information-originate [always] [metric <value>] [metric-type <type>] The always parameter advertises the default route regardless of whether the router has a default route. This option is disabled by default. The metric <value> parameter specifies a metric for the default route. If this option is not used, the default metric is used for the route.
  • Page 780: Modify SPF Timers

    Configuring OSPF To verify that the route is in the route table, enter the following command at any level of the CLI. BigIron RX(config)# show ip route Total number of IP routes: 2 Start index: 1 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default Destination Gateway...
  • Page 781: Modify Administrative Distance

    Configuring OSPF Syntax: metric-type type1 | type2 The default is type2. Modify administrative distance The device can learn about networks from various protocols, including Border Gateway Protocol version 4 (BGP4), RIP, ISIS, and OSPF. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned.
  • Page 782: OSPF ABR Type 3 LSA Filtering

    Configuring OSPF To reset the administrative distance to its system default (110), enter a command such as the following. BigIron RX(config-ospf-router)# no distance external 100 Configure OSPF group Link State Advertisement (LSA) pacing The device paces LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA’s refresh timer expires.
  • Page 783 Configuring OSPF • With this feature enabled in the “in” direction, all type 3 LSAs originated by the ABR to this area, based on information from all other areas, are filtered by the prefix list. Type 3 LSAs that were originated as a result of the area range command in another area are treated like any other type 3 LSA that was originated individually.
  • Page 784 Configuring OSPF Syntax: [no] area {<area-id> | <area_ip>} prefix-list {prefix-list-name in | out} The < prefix-list-name > parameter specifies the prefix list name. The {<area-id> | <area_ip>} parameter specifies the area id in different formats. The in keyword specifies that prefix list is applied to prefixes advertised to the specified area from other areas.
  • Page 785: Displaying The Configured OSPF Area Prefix List

    Configuring OSPF If you do not specify ge <ge-value> or le <le-value>, the prefix list matches only on the exact network prefix you specify with the <network-addr>/<mask-bits> parameter. Displaying the configured OSPF area prefix list To display the prefix-lists attached to the areas, enter the following command. BigIron RX(config)#show ip ospf config Router OSPF: Enabled Graceful Restart: Disabled, timer 120...
  • Page 786: Modifying OSPF Traps Generated

    Configuring OSPF Modifying OSPF traps generated OSPF traps as defined by RFC 1850 are supported on BigIron RX. You can enable or disable OSPF trap generation by doing the following. 1. Enabling SNMP traps for OSPF. (Refer to “Disabling and enabling SNMP traps for OSPF” on page 714.) 2.
  • Page 787 Configuring OSPF • neighbor-state-change-trap – [MIB object:ospfNbrStateChange] • virtual-neighbor-state-change-trap – [MIB object: ospfVirtNbrStateChange] • interface-config-error-trap – [MIB object: ospfIfConfigError] • virtual-interface-config-error-trap – [MIB object: ospfVirtIfConfigError] • interface-authentication-failure-trap – [MIB object: ospfIfAuthFailure] • virtual-interface-authentication-failure-trap – [MIB object: ospfVirtIfAuthFailure] • interface-receive-bad-packet-trap – [MIB object: ospfIfrxBadPacket] •...
  • Page 788: Modify Ospf Standard Compliance Setting

    Configuring OSPF Modify OSPF standard compliance setting The device is configured, by default, to be compliant with the RFC 1583 OSPF V2 specification. To configure a router to operate with the latest OSPF standard, RFC 2328, enter the following commands. BigIron RX(config)# router ospf BigIron RX(config-ospf-router)# no rfc1583-compatibility Syntax: [no] rfc1583-compatibility...
  • Page 789: Displaying Ospf Information

    Displaying OSPF information You can display the following OSPF information: • Trap, area, and interface information – refer to “Displaying general OSPF configuration information” on page 718. • CPU utilization statistics – refer to “Displaying CPU utilization and other OSPF tasks” on page 719.
  • Page 790: Displaying General Ospf Configuration Information

    Displaying OSPF information Displaying general OSPF configuration information To display general OSPF configuration information, enter the following command at any CLI level. BigIron RX> show ip ospf config Router OSPF: Enabled Redistribution: Disabled Default OSPF Metric: 10 OSPF Redistribution Metric: Type2 OSPF External LSA Limit: 1447047 OSPF Database Overflow Interval: 0 RFC 1583 Compatibility: Enabled...
  • Page 791: Displaying Cpu Utilization And Other Ospf Tasks

    Displaying OSPF information Displaying CPU utilization and other OSPF tasks You can display CPU utilization statistics for OSPF and other tasks. To display CPU utilization statistics, enter the following command. BigIron RX#show tasks Task Name State Stack Size CPU Usage(%) task id task vid ---------- -----...
  • Page 792: Displaying Ospf Area Information

    Displaying OSPF information The displayed information shows the following. TABLE 108 CLI display of show tasks This field... Displays... Task Name Name of task running on the BigIron RX. Priority of the task in comparison to other tasks State Current state of the task current instruction for the task Stack Stack location for the task...
  • Page 793: Displaying Ospf Neighbor Information

    Displaying OSPF information TABLE 109 CLI display of OSPF area information (Continued) This field... Displays... The LSA number. Chksum(Hex) The checksum for the LSA packet. The checksum is based on all the fields in the packet except the age field. The BigIron RX uses the checksum to verify that the packet is not corrupted.
  • Page 794 Displaying OSPF information TABLE 110 CLI display of OSPF neighbor information (Continued) Field Description State The state of the conversation between the BigIron RX and the neighbor. This field can have one of the following values: • Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor.
  • Page 795: Displaying Ospf Interface Information

    Displaying OSPF information Displaying OSPF interface information To display OSPF interface information, enter the following command at any CLI level. BigIron RX# show ip ospf interface 192.168.1.1 Ethernet 2/1,OSPF enabled IP Address 192.168.1.1, Area 0 OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1 Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40 Router ID 0.0.0.0 Interface Address 0.0.0.0...
  • Page 796 Displaying OSPF information TABLE 111 Output of the show ip ospf interface command (Continued) This field Displays Events OSPF Interface Event: • Interface_Up = 0x00 • Wait_Timer = 0x01 • Backup_Seen = 0x02 • Neighbor_Change = 0x03 • Loop_Indication = 0x04 •...
  • Page 797: Displaying Ospf Route Information

    Displaying OSPF information Displaying OSPF route information To display OSPF route information, enter the following command at any CLI level. BigIron RX>#show ip ospf route OSPF Area 0x00000000 ASBR Routes 1: Destination Mask Path_Cost Type2_Cost Path_Type 10.65.12.1 255.255.255.255 1 Intra Adv_Router Link_State Dest_Type State...
  • Page 798 Displaying OSPF information This display shows the following information. TABLE 112 CLI display of OSPF route information This field... Displays... Destination The IP address of the route's destination. Mask The network mask for the route. Path_Cost The cost of this route path. (A route can have multiple paths. Each path represents a different exit port for the BigIron RX.) Type2_Cost The type 2 cost of this path.
  • Page 799: Displaying Ospf External Link State Information

    Displaying OSPF information In this example, four routes have been redistributed. Three of the routes were redistributed from static IP routes and one route was redistributed from a directly connected IP route. Syntax: show ip ospf redistribute route [<ip-addr> <ip-mask>] The <ip-addr>...
  • Page 800: Displaying Ospf Database Link State Information

    Displaying OSPF information TABLE 113 CLI display of OSPF external link state information (Continued) This field... Displays... Router The router IP address. Netmask The subnet mask of the network. Metric The cost (value) of the route Flag State information for the route entry. This information is used by Brocade technical support.
  • Page 801: Displaying Ospf Abr And Asbr Information

    Displaying OSPF information The nssa option shows network information. The router-id <ip-addr> parameter shows the External LSAs for the specified OSPF router. The sequence-number <num(Hex)> parameter displays the External LSA entries for the specified hexadecimal LSA sequence number. The summary option shows summary information. TABLE 114 CLI display of OSPF database link state information This field...
  • Page 802: Displaying Ospf Trap Status

    Displaying OSPF information TABLE 115 CLI display of OSPF border routers (Continued) This field... Displays... Outgoing interface ID of the interface on the router for the outgoing route. Area ID of the OSPF area to which the OSPF router belongs Displaying OSPF trap status All traps are enabled by default when you enable OSPF.
  • Page 803 Displaying OSPF information router ospf area 2 area 1 area 1 virtual-link 131.1.1.10 FIGURE 109 OSPF virtual neighbor and virtual link example (network diagram not reproduced)
  • Page 804: Ospf Graceful Restart

    Displaying OSPF information Displaying OSPF virtual link information Use the show ip ospf virtual link command to display OSPF virtual link information. The output below represents the virtual links configured in Figure 109. BigIron RX#show ip ospf virtual link Indx Transit Area Router ID Transit(sec) Retrans(sec) Hello(sec) 131.1.1.10...
  • Page 805: Displaying Ospf Graceful Restart Information

    Displaying OSPF information Configuring OSPF graceful restart timer The OSPF graceful restart timer specifies the maximum amount of time an OSPF restarting router will take to re-establish OSPF adjacencies and relearn OSPF routes. This value will be sent to the neighboring routers in the grace LSA packets.
  • Page 806 Displaying OSPF information The show ip ospf neighbor command displays the following information during a restart event on a helper router. Note that the "<in graceful restart state...>" entry appears only during restart. It does not appear once restart is complete. BigIron RX#sh ip ospf neigh Port Address...
  • Page 807 Displaying OSPF information Use the show ip ospf neighbor command to display the state of the OSPF neighbors after enabling graceful restart. For example: BigIron RX 1# show ip ospf neigh Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 40.0.1.1 EXST/DR 40.0.1.3...
  • Page 809: In This Chapter

    Chapter Configuring BGP4 (IPv4 and IPv6) In this chapter • Overview of BGP4 (page 738) •...
  • Page 810: Overview Of Bgp4

    Overview of BGP4 • Using the IP default route as a valid next hop for a BGP4 route (page 781) • Enabling next-hop recursion (page 781) •...
  • Page 811 Overview of BGP4 Figure 111 on page 739 shows a simple example of two BGP4 ASs. Each AS contains three BGP4 routers. All of the BGP4 routers within an AS communicate using IBGP. BGP4 routers communicate with other ASs using EBGP. Notice that each of the routers also is running an Interior Gateway Protocol (IGP).
  • Page 812: How Bgp4 Selects A Path For A Route

    Overview of BGP4 NOTE The BigIron RX re-advertises a learned best BGP4 route to the BigIron RX’s neighbors even when the route table manager does not select that route for installation in the IP route table. This can happen if a route from another protocol, for example, OSPF, is preferred. The best BGP4 route is the route that BGP selects based on comparison of the BGP4 route path’s attributes.
  • Page 813: Bgp4 Message Types

    Overview of BGP4 • BigIron RX compares the MEDs of two otherwise equivalent paths if and only if the routes were learned from the same neighboring AS. This behavior is called deterministic MED. Deterministic MED is always enabled and cannot be disabled. In addition, you can enable the device to always compare the MEDs, regardless of the AS information in the paths.
  • Page 814 Overview of BGP4 • KEEPALIVE • NOTIFICATION • ROUTE REFRESH OPEN message After a BGP4 router establishes a TCP connection with a neighboring BGP4 router, the routers exchange OPEN messages. An OPEN message indicates the following: • BGP version – Indicates the version of the protocol that is in use on the router. BGP version 4 supports Classless Interdomain Routing (CIDR) and is the version most widely used in the Internet.
  • Page 815: Brocade Implementation Of Bgp4

    Brocade implementation of BGP4 • Path attributes – Parameters that indicate route-specific information such as path information, route preference, next hop values, and aggregation information. BGP4 uses the path attributes to make filtering and routing decisions. • Unreachable routes – A list of routes that have been in the sending router’s BGP4 table but are no longer feasible.
  • Page 816: Memory Considerations

    Memory considerations • RFC 2439 (Route Flap Dampening) • RFC 2796 (Route Reflection) • RFC 2842 and 3392 (Capability Advertisement) • RFC 3065 (BGP4 Confederations) • RFC 2858 (Multiprotocol Extensions) • RFC 2918 (Route Refresh Capability) • RFC 3392 (BGP Capability Advertisement) Memory considerations BGP4 handles a very large number of routes and therefore requires a lot of memory.
  • Page 817 Configuring BGP4 The address family command also requires you to select a sub-address family, which is the type of routes for the configuration. You specify multicast or unicast routes. FIGURE 112 BGP configuration levels address-family IPv6 unicast Commands for IPv6 BGP unicast routes Global commands for BGP router bgp...
  • Page 818: When Parameter Changes Take Effect

    Configuring BGP4 TABLE 116 IPv4 BGP commands at different configuration levels (Continued) Columns: Command | Global (IPv4 and IPv6) | IPv4 address family unicast | IPv4 address family multicast. default-local-preference: “Changing the default local preference” on page 764. default-metric: “Changing the default metric used for redistribution”...
  • Page 819 Configuring BGP4 Immediately The following parameter changes take effect immediately: • Enable or disable BGP. • Set or change the local AS. • Add neighbors. • Change the update timer for route changes. • Disable or enable fast external fallover. •...
  • Page 820: Activating And Disabling Bgp4

    Activating and disabling BGP4 After disabling and re-enabling redistribution The following parameter change takes effect only after you disable and then re-enable redistribution: • Change the default MED (metric). Activating and disabling BGP4 BGP4 is disabled by default. To enable BGP4 and place your BigIron RX into service as a BGP4 router, you must perform the following required steps.
  • Page 821: Entering And Exiting The Address Family Configuration Level

    Entering and exiting the address family configuration level The CLI displays a warning message such as the following. BigIron RX(config)# no router bgp router bgp mode now disabled. All bgp config data will be lost when writing to flash! The Web management interface does not display a warning message. If you are testing a BGP4 configuration and are likely to disable and re-enable the protocol, you might want to make a backup copy of the startup configuration file containing the protocol’s configuration information.
  • Page 822 Filtering specific IP addresses NOTE Once you define a filter, the default action for addresses that do not match a filter is “deny”. To change the default action to “permit”, configure the last filter as “permit any any”. Address filters can be referred to by a BGP neighbor's distribute list number as well as by match statements in a route map.
  • Page 823: Defining An As-Path Filter

    Defining an AS-path filter If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the filter regardless of whether the software is configured to display the masks in CIDR format.
  • Page 824: Configuring A Switch To Allow Routes With Its Own As Number

    Configuring a switch to allow routes with its own AS number NOTE If the filter is referred to by a route map’s match statement, the filter is applied in the order in which the filter is listed in the match statement. The permit | deny parameter indicates the action the router takes if the filter match is true.
  • Page 825: Bgp Null0 Routing

    BGP Null0 routing BGP can use the null0 route to resolve its next hop. Thus, a null0 route in the routing table (for example, a static route) is considered a valid route by BGP. If the next hop for BGP resolves into a null0 route, the BGP route is also installed as a null0 route in the routing table.
  • Page 826 BGP Null0 routing 5. On Router 6, redistribute the static routes into BGP, using route-map <route-map-name> (redistribute static route-map block user). 6. On Router 1, the router facing the internet, configure a null0 route matching the next-hop address in the route-map (ip route 199.199.1.1/32 null0). Repeat step 3 for all routers interfacing with the internet (edge corporate routers).
  • Page 827 BGP Null0 routing Router 2 The following configuration defines a null0 route to the specific next hop address. The next hop address 199.199.1.1 points to 128.178.1.101, which gets blocked. BigIron RX(config)#ip route 199.199.1.1/32 null0 BigIron RX(config)#router bgp BigIron RX(config-bgp-router)#local-as 100 BigIron RX(config-bgp-router)#neighbor <router1_int_ip address>...
  • Page 828 BGP Null0 routing Entering a show BGP route on Router 6 displays its routing table. Router-6# show ip bgp route Total number of BGP Routes: 126 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE Prefix Next Hop Metric LocPrf...
  • Page 829: Aggregating Routes Advertised To Bgp4 Neighbors

    Aggregating routes advertised to BGP4 neighbors Aggregating routes advertised to BGP4 neighbors By default, the device advertises individual routes for all the networks. The aggregation feature allows you to configure the device to aggregate routes in a range of networks into a single network prefix.
  • Page 830: Disabling Or Re-Enabling Comparison Of The As-Path Length

    Redistributing IBGP routes You can enable the device to always compare the MEDs, regardless of the AS information in the paths. For example, if the router receives UPDATES for the same route from neighbors in three ASs, the router would compare the MEDs of all the paths together, rather than comparing the MEDs for the paths in each AS individually.
  • Page 831: Disabling Or Re-Enabling Client-To-Client Route Reflection

    Disabling or re-enabling client-to-client route reflection To enable the device to redistribute BGP4 routes into OSPF, RIP, or ISIS, enter the following command. BigIron RX(config-bgp)# bgp-redistribute-internal Syntax: [no] bgp-redistribute-internal To disable redistribution of IBGP routes into RIP, ISIS, and OSPF, enter the following command. BigIron RX(config-bgp)# no bgp-redistribute-internal Disabling or re-enabling client-to-client route reflection By default, the clients of a route reflector are not required to be fully meshed;...
  • Page 832: Configuring Confederations

    Configuring confederations When router ID comparison is enabled, the path comparison algorithm compares the router IDs of the neighbors that sent the otherwise equal paths. • If BGP4 load sharing is disabled (maximum-paths 1), the device selects the path that came from the neighbor with the lower router ID.
  • Page 833: Configuring A Bgp Confederation

    Configuring confederations Figure 114 shows an example of a BGP4 confederation. FIGURE 114 Example BGP4 confederation AS 20 Confederation 10 Sub-AS 64512 IBGP Router B Router A EBGP EBGP Sub-AS 64513 This BGP4 router sees all traffic from Confederation 10 IBGP as traffic from AS 10.
  • Page 834 Configuring confederations • Configure the list of the sub-AS numbers that are members of the confederation. All the routers within the same sub-AS use IBGP to exchange router information. Routers in different sub-ASs within the confederation use EBGP to exchange router information. The procedures show how to implement the example confederation shown in Figure 26.3.
  • Page 835: Configuring Route Flap Dampening

    Configuring route flap dampening Commands for Router D BigIron RXD(config)# router bgp BigIron RXD(config-bgp)# local-as 64513 BigIron RXD(config-bgp)# confederation identifier 10 BigIron RXD(config-bgp)# confederation peers 64512 64513 BigIron RXD(config-bgp)# write memory Configuring route flap dampening Route Flap Dampening reduces the amount of change propagated by BGP due to routing state caused by unstable routes.
  • Page 836: Originating The Default Route

    Originating the default route Originating the default route By default, the device does not originate and advertise a default route using BGP4. A BGP4 default route is the IP address 0.0.0.0 and the route prefix 0 or network mask 0.0.0.0. For example, 0.0.0.0/0 is a default route.
  • Page 837: Changing The Default Metric Used For Redistribution

    Changing the default metric used for redistribution The device can redistribute directly connected routes, static IP routes, RIP routes, ISIS routes, and OSPF routes into BGP4. By default, BGP uses zero (0) for directly connected routes and the metric (MED) value of IGP routes in the IP route table.
  • Page 838: Requiring The First As To Be The Neighbor's As

    Requiring the first AS to be the neighbor’s AS • Unknown – 255 (the router will not use this route) Lower administrative distances are preferred over higher distances. For example, if the router receives routes for the same network from OSPF and from RIP, the router will prefer the OSPF route by default.
  • Page 839: Enabling Fast External Fallover

    Enabling fast external fallover For example, if you want a router to use AS 200 instead of 100 when peering with neighbor 11.11.11.2, enter commands such as the following. BigIron RX(config)#router bgp BigIron RX(config-bgp-router)#local-as 100 BigIron RX(config-bgp-router)#graceful-restart restart-time 30 BigIron RX(config-bgp-router)#graceful-restart BigIron RX(config-bgp-router)#neighbor 11.11.11.2 remote-as 101 BigIron RX(config-bgp-router)#neighbor 11.11.11.2 local-as 200 Syntax: [no] neighbor <ip-address>...
  • Page 840: Changing The Maximum Number Of Shared Bgp4 Paths

    Changing the maximum number of shared BGP4 paths The <num> parameter specifies the local AS number 1 – 65535. There is no default. AS numbers 64512 – 65535 are the well-known private BGP4 AS numbers and are not advertised to the Internet community.
  • Page 841: Customizing Bgp4 Load Sharing

    Customizing BGP4 load sharing Customizing BGP4 load sharing By default, when BGP4 load sharing is enabled, both IBGP and EBGP paths are eligible for load sharing, while paths from different neighboring ASs are not eligible. You can change load sharing to apply only to IBGP or EBGP paths, or to support load sharing among paths from different neighboring ASs.
  • Page 842 Configuring BGP4 neighbors NOTE When a route-map, prefix-list, or as-path ACL is modified, BGP will be notified. Outbound route policies will be updated automatically; the user is no longer required to manually clear neighbor soft-outbound. If the filter is used by BGP inbound route policies, a manual clear of a neighbor is still required.
  • Page 843 Configuring BGP4 neighbors For more information, refer to “Configuring cooperative BGP4 route filtering” on page 807. NOTE The current release supports cooperative filtering only for filters configured using IP prefix lists. default-originate [route-map <map-name>] configures the device to send the default route 0.0.0.0 to the neighbor.
  • Page 844 Configuring BGP4 neighbors • The <num> parameter specifies the maximum number. You can specify a value from 0 – 4294967295. The default is 0 (unlimited). • The <threshold> parameter specifies the percentage of the value you specified for the maximum-prefix <num>, at which you want the software to generate a Syslog message. You can specify a value from 1 (one percent) to 100 (100 percent).
  • Page 845 Configuring BGP4 neighbors NOTE The route map must already be configured. Refer to “Defining route maps” on page 798. route-reflector-client specifies that this neighbor is a route-reflector client of the router. Use the parameter only if this router is going to be a route reflector. For information, refer to “Configuring a route reflector”...
  • Page 846: Encryption Of Bgp4 Md5 Authentication Keys

    Configuring BGP4 neighbors In the example above, the aggregate-address command configures an aggregate address of 209.1.0.0 255.255.0.0, and the summary-only parameter prevents the device from advertising more specific routes contained within the aggregate route. Entering a show ip bgp route command for the aggregate address 209.1.0.0/16 shows that the more specific routes aggregated into 209.1.0.0/16 have been suppressed.
  • Page 847 Configuring BGP4 neighbors • show running-config (or write terminal) • show configuration • show ip bgp config When encryption of the authentication string is enabled, the string is encrypted in the CLI regardless of the access level you are using. In addition, when you save the configuration to the startup configuration file, the file contains the new BGP4 command syntax and encrypted passwords or strings.
  • Page 848: Configuring A Bgp4 Peer Group

    Configuring a BGP4 peer group • 1 – Assumes that the authentication string you enter is the encrypted form, and decrypts the value before using it. NOTE If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1.
  • Page 849: Peer Group Parameters

    Configuring a BGP4 peer group Peer group parameters You can set all neighbor parameters in a peer group. When you add a neighbor to the peer group, the neighbor receives all the parameter settings you set in the group, except parameter values you have explicitly configured for the neighbor.
  • Page 850 Configuring a BGP4 peer group • A distribute list for outbound traffic The software applies these parameters to each neighbor you add to the peer group. You can override the description parameter for individual neighbors. If you set the description parameter for an individual neighbor, the description overrides the description configured for the peer group.
  • Page 851: Specifying A List Of Networks To Advertise

    Specifying a list of networks to advertise The commands in this example add three neighbors to the peer group “PeerGroup1”. As members of the peer group, the neighbors automatically receive the neighbor parameter values configured for the peer group. You also can override the parameters on an individual neighbor basis. For neighbor parameters not specified for the peer group, the neighbors use the default values.
  • Page 852 Specifying a list of networks to advertise NOTE The exact route must exist in the IP route table before the BigIron RX can create a local BGP route. To configure the device to advertise network 209.157.22.0/24, enter the following command. BigIron RX(config-bgp)# network 209.157.22.0 255.255.255.0 Syntax: network <ip-addr>...
  • Page 853: Using The Ip Default Route As A Valid Next Hop For A Bgp4 Route

    Using the IP default route as a valid next hop for a BGP4 route Using the IP default route as a valid next hop for a BGP4 route By default, the device does not use a default route to resolve a BGP4 next-hop route. If the IP route lookup for the BGP4 next hop does not result in a valid IGP route (including static or direct routes), the BGP4 next hop is considered to be unreachable and the BGP4 route is not used.
  • Page 854 Enabling next-hop recursion Example when recursive route lookups are disabled Here is an example of the results of an unsuccessful next-hop lookup for a BGP route. In this case, next-hop recursive lookups are disabled. The example is for the BGP route to network 240.0.0.0/24.
  • Page 855 Enabling next-hop recursion Example when recursive route lookups are enabled When recursive next-hop lookups are enabled, the device recursively looks up the next-hop gateways along the route until the device finds an IGP route to the BGP route’s destination. Here is an example.
  • Page 856: Modifying Redistribution Parameters

    Modifying redistribution parameters This device can use this route because the device has an IP route to the next-hop gateway. Without recursive next-hop lookups, this route would not be in the IP route table. Enabling recursive next-hop lookups The recursive next-hop lookups feature is disabled by default. To enable recursive next-hop lookups, enter the following command at the BGP configuration level of the CLI.
  • Page 857: Redistributing Connected Routes

    Modifying redistribution parameters Redistributing connected routes To configure BGP4 to redistribute directly connected routes, enter the following command. BigIron RX(config-bgp)# redistribute connected Syntax: redistribute connected [metric <num>] [route-map <map-name>] The connected parameter indicates that you are redistributing routes to directly attached devices into BGP4.
  • Page 858: Redistributing Static Routes

    Modifying redistribution parameters NOTE If you do not enter a value for the match parameter, (for example, you enter redistribute ospf only) then only internal OSPF routes will be redistributed. The metric <num> parameter changes the metric. You can specify a value from 0 – 4294967295. The default is not assigned.
  • Page 859: Using A Table Map To Set The Tag Value

    Using a table map to set the tag value The route-map <map-name> parameter specifies a route map to be consulted before adding the static route to the BGP4 route table. The route map you specify must already be configured on the router. Refer to “Defining route maps”...
  • Page 860: Changing The Bgp4 Next-Hop Update Timer

    Changing the BGP4 next-hop update timer NOTE You can override the global Keep Alive Time and Hold Time on individual neighbors. Refer to “Configuring BGP4 neighbors” on page 769 and “Configuring a BGP4 peer group” on page 776. To change the Keep Alive Time to 30 and Hold Time to 90, enter the following command. BigIron RX(config-bgp)# timers keep-alive 30 hold-time 90 Syntax: timers keep-alive <num>...
  • Page 861: Adding A Loopback Interface

    Adding a loopback interface To change the router ID, enter a command such as the following. BigIron RX(config)# ip router-id 209.157.22.26 Syntax: ip router-id <ip-addr> The <ip-addr> can be any valid, unique IP address. NOTE You can specify an IP address used for an interface on the BigIron RX, but do not specify an IP address in use by another device.
  • Page 862: Configuring Route Reflection Parameters

    Configuring route reflection parameters NOTE The maximum number of BGP4 load sharing paths cannot be greater than the maximum number of IP load sharing paths. How load sharing affects route selection During evaluation of multiple paths to select the best path to a given destination for installment in the IP route table, the last comparison the device performs is a comparison of the internal paths.
  • Page 863 Configuring route reflection parameters • A route reflector client is an IGP router identified as a member of a cluster. You identify a router as a route reflector client on the router that is the route reflector, not on the client. The client itself requires no additional configuration.
  • Page 864: Filtering

    Filtering • If a device receives a route whose ORIGINATOR_ID attribute has the value of the BigIron RX’s own router ID, the BigIron RX discards the route and does not advertise it. By discarding the route, the device prevents a routing loop. •...
  • Page 865: Filtering As-Paths

    Filtering • “Using a table map to set the tag value” on page 787 • “Configuring cooperative BGP4 route filtering” on page 807 Filtering AS-paths You can filter updates received from BGP4 neighbors based on the contents of the AS-path list accompanying the updates.
  • Page 866: Special Characters

    Filtering The neighbor command uses the filter-list parameter to apply the AS-path ACL to the neighbor. Refer to “Configuring BGP4 neighbors” on page 769 and “Configuring a BGP4 peer group” on page 776. Using regular expressions You use a regular expression for the <as-path> parameter to specify a single character or multiple characters as a filter pattern.
  • Page 867: Filtering Communities

    Filtering TABLE 117 BGP4 special characters for regular expressions (Continued) Character Operation An underscore matches on one or more of the following: • , (comma) • { (left curly brace) • } (right curly brace) • ( (left parenthesis) • ) (right parenthesis) •...
  • Page 868 Filtering A community is an optional attribute that identifies the route as a member of a user-defined class of routes. Community names are arbitrary values made of two five-digit integers joined by a colon. You determine what the name means when you create the community name as one of a route’s attributes.
  • Page 869: Defining And Applying Ip Prefix Lists

    Filtering The deny | permit parameter specifies the action the software takes if a route’s community list matches a match statement in this ACL. To configure the community-list match statements in a route map, use the match community command. Refer to “Matching based on community ACL”...
  • Page 870: Defining Neighbor Distribute Lists

    Filtering The prefix-list matches only on this network unless you use the ge <ge-value> or le <le-value> parameters. (See below.) The <network-addr>/<mask-bits> parameter specifies the network number and the number of bits in the network mask. You can specify a range of prefix lengths for prefixes that are more specific than <network-addr>/<mask-bits>.
  • Page 871 Filtering Route maps can contain match statements and set statements. Each route map contains a “permit” or “deny” action for routes that match the match statements: • If the route map contains a permit action, a route that matches a match statement is permitted;...
  • Page 872 Filtering For example, when you configure parameters for redistributing routes into BGP, one of the optional parameters is a route map. If you specify a route map as one of the redistribution parameters, the router will match the route against the match statements in the route map. If a match is found and if the route map contains set statements, the router will set attributes in the route according to the set statements.
  • Page 873 Filtering Syntax: match [as-path <name>] | [address-filters | as-path-filters | community-filters <num,num,...>] | [community <acl> exact-match] | [ip address <acl> | prefix-list <string>] | [ip route-source <acl> | prefix <name>] [metric <num>] | [next-hop <address-filter-list>] | [route-type internal | external-type1 | external-type2] | [level-1 | level-2 | level-1-2] [tag <tag-value>] The as-path <num>...
  • Page 874 Filtering The route-type internal | external-type1 | external-type2 parameter applies only to OSPF routes. This parameter compares the route’s type to the specified value. The level-1 parameter compares ISIS routes only with routes within the same area. The level-2 parameter compares ISIS routes only with routes in different areas, but within a domain.
  • Page 875 Filtering Matching based on next-hop router You can use the results of an IP ACL or an IP prefix list as the match condition. To construct a route map that matches based on the next-hop router, enter commands such as the following.
  • Page 876 Filtering The <acl> parameter specifies the name of a community list ACL. You can specify up to five ACLs. Separate the ACL names or IDs with spaces. Here is another example. BigIron RX(config)# ip community-list standard std_2 permit 23:45 56:78 BigIron RX(config)# route-map bgp3 permit 1 BigIron RX(config-routemap bgp3)# match community std_1 std_2 exact-match These commands configure an additional community ACL, std_2, that contains community...
  • Page 877 Filtering The dampening [<half-life> <reuse> <suppress> <max-suppress-time>] parameter sets route dampening parameters for the route. The <half-life> parameter specifies the number of minutes after which the route’s penalty becomes half its value. The <reuse> parameter specifies how low a route’s penalty must become before the route becomes eligible for use again after being suppressed.
  • Page 878 Filtering BigIron RX(config)# access-list 1 permit 192.168.9.0 0.0.0.255 BigIron RX(config)# route-map bgp4 permit 1 BigIron RX(config-routemap bgp4)# match ip address 1 BigIron RX(config-routemap bgp4)# set metric-type internal The first command configures an ACL that matches on routes with destination network 192.168.9.0.
  • Page 879: Configuring Cooperative Bgp4 Route Filtering

    Filtering Configuring cooperative BGP4 route filtering By default, the device performs all filtering of incoming routes locally, on the device itself. You can use cooperative BGP4 route filtering to cause the filtering to be performed by a neighbor before it sends the routes to the device.
  • Page 880 Filtering Syntax: [no] neighbor <ip-addr> | <peer-group-name> capability orf prefixlist [send | receive] The <ip-addr> | <peer-group-name> parameter specifies the IP address of a neighbor or the name of a peer group of neighbors. The send | receive parameter specifies the support you are enabling: •...
  • Page 881: Configuring Route Flap Dampening

    Filtering Displaying cooperative filtering information You can display the following cooperative filtering information: • The cooperative filtering configuration on the device. • The ORFs received from neighbors. To display the cooperative filtering configuration on the device, enter a command such as the following.
  • Page 882 Filtering Route flap dampening is disabled by default. You can enable the feature globally or on an individual route basis using route maps. NOTE The BigIron RX applies route flap dampening only to routes learned from EBGP neighbors. The route flap dampening mechanism is based on penalties. When a route exceeds a configured penalty value, the device stops using that route and also stops advertising it to other routers.
  • Page 883 Filtering To configure address filters and a route map for dampening specific routes, enter commands such as the following. BigIron RX(config)# router bgp BigIron RX(config-bgp)# address-filter 9 permit 209.157.22.0 255.255.255.0 255.255.255.0 255.255.255.0 BigIron RX(config-bgp)# address-filter 10 permit 209.157.23.0 255.255.255.0 255.255.255.0 255.255.255.0 BigIron RX(config-bgp)# exit BigIron RX(config)# route-map DAMPENING_MAP permit 9 BigIron RX(config-routemap DAMPENING_MAP)# match address-filters 9...
  • Page 884: Displaying And Clearing Route Flap Dampening Statistics

    Filtering BigIron RX(config-routemap DAMPENING_MAP_NEIGHBOR_A)# exit BigIron RX(config)# router bgp BigIron RX(config-bgp)# dampening route-map DAMPENING_MAP_ENABLE BigIron RX(config-bgp)# neighbor 10.10.10.1 route-map in DAMPENING_MAP_NEIGHBOR_A In this example, the first command globally enables route flap dampening. This route map does not contain any match or set statements. At the BGP configuration level, the dampening route-map command refers to the DAMPENING_MAP_ENABLE route map created by the first command, thus enabling dampening globally.
  • Page 885 Filtering Displaying route flap dampening statistics To display route dampening statistics or all the dampened routes, enter the following command at any level of the CLI. BigIron RX# show ip bgp flap-statistics Total number of flapping routes: 414 Status Code >:best d:damped h:history *:valid Network From...
  • Page 886: Generating Traps For Bgp

    Filtering You also can display all the dampened routes by entering the following command. show ip bgp dampened-paths. Clearing route flap dampening statistics NOTE Clearing the dampening statistics for a route does not change the dampening status of the route. To clear all the route dampening statistics, enter the following command at any level of the CLI.
  • Page 887: Using Soft Reconfiguration

    Filtering You also can clear and reset the BGP4 routes that have been installed in the IP route table. Refer to “Clearing and resetting BGP4 routes in the IP route table” on page 820. Using soft reconfiguration The soft reconfiguration feature places policy changes into effect without resetting the BGP4 session.
  • Page 888 Filtering NOTE The syntax related to soft reconfiguration is shown. For complete command syntax, refer to “Dynamically refreshing routes” on page 818. Displaying the filtered routes received from the neighbor or peer group When you enable soft reconfiguration, the device saves all updates received from the specified neighbor or peer group.
  • Page 889 Filtering Displaying all the routes received from the neighbor To display all the route information received in route updates from a neighbor since you enabled soft reconfiguration, enter a command such as the following at any level of the CLI. BigIron RX# show ip bgp neighbor 192.168.4.106 routes There are 97345 received routes from neighbor 192.168.4.106...
  • Page 890 Filtering Dynamically refreshing routes The following sections describe how to dynamically refresh BGP4 routes to place new or changed filters into effect. To request a dynamic refresh of all routes from a neighbor, enter a command such as the following. BigIron RX(config-bgp)# clear ip bgp neighbor 192.168.1.170 soft in This command asks the neighbor to send its BGP4 table (Adj-RIB-Out) again.
  • Page 891 Filtering NOTE The device does not automatically update outbound routes using a new or changed outbound policy or filter when a session with the neighbor goes up or down. Instead, the device applies a new or changed policy or filter when a route is placed in the outbound queue (Adj-RIB-Out). To place a new or changed outbound policy or filter into effect, you must enter a clear ip bgp neighbor command regardless of whether the neighbor session is up or down.
  • Page 892: Clearing Traffic Counters

    Filtering Closing or resetting a neighbor session You can close a neighbor session or resend route updates to a neighbor. If you make changes to filters or route maps and the neighbor does not support dynamic route refresh, use these methods to ensure that neighbors contain only the routes you want them to contain.
  • Page 893: Clearing Route Flap Dampening Statistics

    Filtering To clear the BGP4 message counter for a specific neighbor, enter a command such as the following. BigIron RX# clear ip bgp neighbor 10.0.0.1 traffic To clear the BGP4 message counter for all neighbors within a peer group, enter a command such as the following.
  • Page 894: Clearing Diagnostic Buffers

    Displaying BGP4 information Clearing diagnostic buffers The device stores the following BGP4 diagnostic information in buffers: • The first 400 bytes of the last packet received that contained an error • The last NOTIFICATION message either sent or received by the device To display these buffers, use options with the show ip bgp neighbors command.
  • Page 895: Displaying Summary Bgp4 Information

    Displaying BGP4 information Displaying summary BGP4 information You can display the local AS number, the maximum number of routes and neighbors supported, and some BGP4 statistics. To view summary BGP4 information for the router, enter the following command at any CLI prompt. BigIron RX# show ip bgp summary BGP4 Summary Router ID: 101.0.0.1...
  • Page 896 Displaying BGP4 information TABLE 119 BGP4 summary information (Continued) This field... Displays... Number of Attribute Entries Installed The number of BGP4 route-attribute entries in the router’s route-attributes table. To display the route-attribute table, refer to “Displaying BGP4 route-attribute entries” on page 846. Neighbor Address The IP addresses of this router’s BGP4 neighbors.
  • Page 897: Displaying The Active Bgp4 Configuration

    Displaying BGP4 information TABLE 119 BGP4 summary information (Continued) This field... Displays... Sent The number of BGP4 routes that the BigIron RX has sent to the neighbor. ToSend The number of routes the BigIron RX has queued to send to this neighbor.
  • Page 898: Displaying Summary Neighbor Information

    Displaying BGP4 information Displaying summary neighbor information To display summary neighbor information, enter a command such as the following at any level of the CLI. BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 routes-summary IP Address: 192.168.4.211 Routes Accepted/Installed:1, Filtered/Kept:11, Filtered:11 Routes Selected as BEST Routes:1 BEST Routes not Installed in IP Forwarding Table:0 Unreachable Routes (no IGP Route for NEXTHOP):0...
  • Page 899: Displaying Bgp4 Neighbor Information

    Displaying BGP4 information TABLE 120 BGP4 route summary information for a neighbor (Continued) This field... Displays... NLRIs Received in Update Message The number of routes received in Network Layer Reachability (NLRI) format in UPDATE messages. • Withdraws – The number of withdrawn routes the BigIron RX has received.
  • Page 900 Displaying BGP4 information NOTE The display shows all the configured parameters for the neighbor. Only the parameters that have values different from their defaults are shown. BigIron RX(config-bgp)# show ip bgp neighbor 10.4.0.2 IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1 Description: neighbor 10.4.0.2 State: ESTABLISHED, Time: 0h1m0s, KeepAliveTime: 0, HoldTime: 0 PeerGroup: pg1...
  • Page 901 Displaying BGP4 information The <ip-addr> option lets you narrow the scope of the command to a specific neighbor. The advertised-routes option displays only the routes that the device has advertised to the neighbor during the current BGP4 neighbor session. The attribute-entries option shows the attribute-entries associated with routes received from the neighbor.
  • Page 902 Displaying BGP4 information TABLE 121 BGP4 neighbor information (Continued) This field... Displays... EBGP/IBGP Whether the neighbor session is an IBGP session, an EBGP session, or a confederation EBGP session. • EBGP – The neighbor is in another AS. • EBGP_Confed – The neighbor is a member of another sub-AS in the same confederation.
  • Page 903 Displaying BGP4 information TABLE 121 BGP4 neighbor information (Continued) This field... Displays... HoldTime The hold time, which specifies how many seconds the router will wait for a KEEPALIVE or UPDATE message from a BGP4 neighbor before deciding that the neighbor is dead. Refer to “Changing the keep alive time and hold time”...
  • Page 904 Displaying BGP4 information TABLE 121 BGP4 neighbor information (Continued) This field... Displays... Last Connection Reset Reason The reason the previous session with this neighbor ended. The reason can be one of the following: • Reasons described in the BGP specifications: •...
  • Page 905 Displaying BGP4 information TABLE 121 BGP4 neighbor information (Continued) This field... Displays... Notification Sent If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
  • Page 906 Displaying BGP4 information TABLE 121 BGP4 neighbor information (Continued) This field... Displays... TCP Connection state The state of the connection with the neighbor. The connection can have one of the following states: • LISTEN – Waiting for a connection request. •...
  • Page 907 Displaying BGP4 information TABLE 121 BGP4 neighbor information (Continued) This field... Displays... DupliRcv The number of duplicate sequence numbers received from the neighbor. RcvWnd The size of the receive window. SendQue The number of sequence numbers in the send queue. RcvQue The number of sequence numbers in the receive queue.
  • Page 908 Displaying BGP4 information This display shows the following information. TABLE 122 BGP4 route summary information for a neighbor This field... Displays... Routes Received How many routes the BigIron RX has received from the neighbor during the current BGP4 session. • Accepted/Installed –...
  • Page 909 Displaying BGP4 information TABLE 122 BGP4 route summary information for a neighbor (Continued) This field... Displays... NLRIs Sent in Update Message The number of NLRIs for new routes the BigIron RX has sent to this neighbor in UPDATE messages. • Withdraws –...
  • Page 910: Displaying Peer Group Information

    Displaying BGP4 information Displaying the adj-RIB-out for a neighbor To display the BigIron RX’s current BGP4 Routing Information Base (Adj-RIB-Out) for a specific neighbor and a specific destination network, enter a command such as the following at any level of the CLI.
  • Page 911: Displaying The Bgp4 Route Table

    Displaying BGP4 information This display shows the following information. TABLE 123 BGP4 summary route information This field... Displays... Total number of BGP routes (NLRIs) The number of BGP4 routes the BigIron RX has installed in the BGP4 Installed route table. Distinct BGP destination networks The number of destination networks the installed routes represent.
  • Page 912 Displaying BGP4 information Syntax: show ip bgp routes [[network] <ip-addr>] | <num> | [age <secs>] | [as-path-access-list <num>] | [best] | [cidr-only] | [community <num> | no-export | no-advertise | internet | local-as] | [community-access-list <num>] | [community-list <num> | [detail <option>] | [filter-list <num, num,...>] | [next-hop <ip-addr>] | [no-best] | [not-installed-best] | [prefix-list <string>] | [regular-expression <regular-expression>] | [route-map <map-name>] | [summary] |...
  • Page 913 Displaying BGP4 information The unreachable option displays the routes that are unreachable because the device does not have a valid RIP, OSPF, or static route to the next hop. Displaying the best BGP4 routes To display all the BGP4 routes in the BigIron RX’s BGP4 route table that are the best routes to their destinations, enter a command such as the following at any level of the CLI.
  • Page 914 Displaying BGP4 information Displaying information for a specific route To display BGP4 network information by specifying an IP address within the network, enter a command such as the following at any level of the CLI. BigIron RX(config-bgp)# show ip bgp 9.3.4.0 Number of BGP Routes matching display condition : 1 Status codes: s suppressed, d damped, h history, * valid, >...
  • Page 915 Displaying BGP4 information TABLE 124 BGP4 network information (Continued) This field... Displays... Weight The value that this router associates with routes from a specific neighbor. For example, if the router receives routes to the same destination from two BGP4 neighbors, the router prefers the route from the neighbor with the larger weight.
  • Page 916 Displaying BGP4 information Displaying route details Here is an example of the information displayed when you use the detail option. In this example, the information for one route is shown. BigIron RX# show ip bgp routes detail Total number of BGP Routes: 2 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED Prefix: 10.5.0.0/24,...
  • Page 917 Displaying BGP4 information TABLE 125 BGP4 route information (Continued) This field... Displays... The last time an update occurred. Next_Hop The next-hop router for reaching the network from the BigIron RX. Learned from Peer The IP address of the neighbor that sent this route. Local_Pref The degree of preference for this route relative to other routes in the local AS.
  • Page 918: Displaying Bgp4 Route-Attribute Entries

    Displaying BGP4 information Displaying BGP4 route-attribute entries The route-attribute entries table lists the sets of BGP4 attributes stored in the router’s memory. Each set of attributes is unique and can be associated with one or more routes. In fact, the router typically has fewer route attribute entries than routes.
  • Page 919: Displaying The Routes Bgp4 Has Placed In The Ip Route Table

    Displaying BGP4 information TABLE 126 BGP4 route-attribute entries information (Continued) This field... Displays... Aggregator Aggregator information: • AS Number shows the AS in which the network information in the attribute set was aggregated. This value applies only to aggregated routes and is otherwise 0. •...
  • Page 920: Displaying Route Flap Dampening Statistics

    Displaying BGP4 information Displaying route flap dampening statistics To display route dampening statistics or all the dampened routes, enter the following command at any level of the CLI. BigIron RX# show ip bgp flap-statistics Total number of flapping routes: 414 Status Code >:best d:damped h:history *:valid Network...
  • Page 921: Displaying The Active Route Map Configuration

    Displaying BGP4 information TABLE 127 Route flap dampening statistics This field... Displays... Reuse The amount of time remaining until this route will be un-suppressed and thus be usable again. Path Shows the AS-path information for the route. You also can display all the dampened routes by entering the following command. show ip bgp dampened-paths.
  • Page 922 Displaying BGP4 information significantly and limit the availability of network resources. BGP graceful restart dampens the network topology changes and limits route flapping by allowing routes to remain available between routers during a restart. BGP Graceful restart operates between a router and its peers and must be configured on both the router and its peers.
  • Page 923 Displaying BGP4 information BigIron RX(config-bgp)#graceful-restart stale-routes-time 30 Syntax: graceful-restart stale-routes-time <seconds> The <seconds> variable sets the number of seconds that a helper router will wait for an end-of-RIB (restart complete) message from a restarting router. Enter 10 – 3600 seconds. The default value is 360 seconds.
  • Page 924: Generalized Ttl Security Mechanism Support

    Generalized TTL security mechanism support Displaying BGP graceful restart information You can display the BGP Graceful Restart configuration by entering the following command. BigIron RX# show ip bgp neighbor 11.11.11.2 1 IP Address: 11.11.11.2, Remote AS: 101 (EBGP), RouterID: 101.101.101.1 Local AS: 200 State: ESTABLISHED, Time: 0h18m15s, KeepAliveTime: 60, HoldTime: 180 KeepAliveTimer Expire in 44 seconds, HoldTimer Expire in 167 seconds...
  • Page 925 Generalized TTL security mechanism support To enable GTSM protection for neighbor 192.168.9.210, enter the following command. BigIron RX(config-bgp-router)# neighbor 192.168.9.210 ebgp-btsh Syntax: [no] neighbor <ip-addr> | <peer-group-name> ebgp-btsh NOTE For GTSM protection to work properly, it must be enabled on both the Brocade device and the neighbor.
  • Page 926 Generalized TTL security mechanism support BigIron RX Series Configuration Guide 53-1001810-01...
  • Page 927: In This Chapter

    Chapter Configuring MBGP In this chapter • Configuration considerations ........856 •...
  • Page 928: Configuring Mbgp

    Configuration considerations • Directly-connected multicast routes redistributed into MBGP. You can configure an aggregate address to aggregate network prefixes into a single, more general prefix for advertisement. MBGP is described in detail in RFC 2858. Configuration considerations • MBGP does not redistribute DVMRP routes. It redistributes static routes only. •...
  • Page 929: Enabling Mbgp

    Configuring MBGP These commands increase the maximum number of multicast routes supported, save the configuration change to the startup-config file, and reload the software to place the change into effect. Syntax: [no] system-max multicast-route <num> The <num> parameter specifies the number of multicast routes and can be from 1024 – 153,600. Enabling MBGP To enable MBGP4, you must enable PIM SM or DM and BGP4.
  • Page 930: Optional Configuration Tasks

    Configuring MBGP Syntax: [no] neighbor <ip-addr> | <peer-group-name> [advertisement-interval <num>] [default-originate [route-map <map-name>]] [description <string>] [distribute-list in | out <num,num,...> | <acl-num> in | out] [ebgp-multihop [<num>]] [filter-list in | out <num,num,...> | <acl-num> in | out | weight] [maximum-prefix <num> [<threshold>] [teardown]] [next-hop-self] [password [0 | 1] <string>] [prefix-list <string>...
  • Page 931 Configuring MBGP • For indirectly-connected routes: • Configure static IP multicast routes. The corresponding IP route must be present in the IP multicast table. • Explicitly configure network prefixes to advertise (network command). NOTE You can configure the device to advertise directly-connected networks into MBGP using the network command.
  • Page 932 Configuring MBGP The connected parameter indicates that you are redistributing routes to directly attached devices into MBGP. The static parameter indicates that you are redistributing static mroutes into MBGP. The metric <num> parameter changes the metric. You can specify a value from 0 – 4294967295. The default is 0.
  • Page 933: Displaying Mbgp Information

    Displaying MBGP information Aggregating routes advertised to BGP4 neighbors By default, the device advertises individual MBGP routes for all the multicast networks. The aggregation feature allows you to configure the device to aggregate routes in a range of networks into a single CIDR number. For example, without aggregation, the device will individually advertise routes for networks 207.95.10.0/24, 207.95.20.0/24, and 207.95.30.0/24.
  • Page 934: Displaying Summary Mbgp Information

    Displaying MBGP information TABLE 128 MBGP Show commands (Continued) Command Description show ip mbgp <ip-addr>[/<prefix>] Displays a specific MBGP route. show ip mbgp attribute-entries Displays MBGP route attributes. show ip mbgp dampened-paths Displays MBGP paths that have been dampened by route flap dampening.
  • Page 935: Displaying The Active Mbgp Configuration

    Displaying MBGP information Displaying the active MBGP configuration To display the active MBGP configuration information contained in the running-config without displaying the entire running-config, enter the following command at any level of the CLI. BigIron RX# show ip mbgp config Current BGP configuration: router bgp local-as 200...
  • Page 936 Displaying MBGP information BigIron RX # show ip mbgp neighbor 7.7.7.2 Total number of BGP Neighbors: 1 IP Address: 166.1.1.2, Remote AS: 200 (IBGP), RouterID: 8.8.8.1 State: ESTABLISHED, Time: 0h33m26s, KeepAliveTime: 60, HoldTime: 180 KeepAliveTimer Expire in 9 seconds, HoldTimer Expire in 161 seconds PeerGroup: mbgp-mesh MD5 Password: $Gsig@U\ NextHopSelf: yes...
  • Page 937: Displaying Mbgp Routes

    Displaying MBGP information Displaying MBGP routes To display the MBGP route table, enter the following command. BigIron RX#show ip mbgp route Total number of BGP Routes: 2 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE Prefix Next Hop Metric...
  • Page 938 Displaying MBGP information BigIron RX Series Configuration Guide 53-1001810-01...
  • Page 939: Overview Of Secure Shell (Ssh)

    Chapter Configuring Secure Shell In this chapter • Overview of Secure Shell (SSH) ........867 •...
  • Page 940: Supported Features

    Overview of Secure Shell (SSH) • SCP/SFTP/SSH URI Format If you are using redundant management modules, you can synchronize the DSA host key pair between the active and standby modules by entering the sync-standby command at the Privileged EXEC level of the CLI. Tested SSHv2 clients The following SSH clients have been tested with SSHv2: •...
  • Page 941: Configuring Ssh

    Configuring SSH Configuring SSH Brocade’s implementation of SSH supports two kinds of user authentication: • DSA challenge-response authentication, where a collection of public keys are stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
  • Page 942: Configuring Dsa Challenge-Response Authentication

    Configuring SSH The generate keyword places a DSA host key pair in the flash memory and enables SSH on the device. The zeroize keyword deletes the DSA host key pair from the flash memory and disables SSH on the device. By default, public keys are hidden in the running configuration.
  • Page 943 Configuring SSH The device compares the decrypted bytes to the original bytes it sent to the client. If the two sets of bytes match, it means that the client’s private key corresponds to an authorized public key, and the client is authenticated. Setting up DSA challenge-response authentication consists of the following steps.
  • Page 944: Setting The Number Of Ssh Authentication Retries

    Configuring SSH The <filename> variable is the name of the DSA public key file that you want to import into the Brocade device. The remove parameter deletes the key from the system. To display the currently loaded public keys, enter the following command. BigIron RX# show ip client-pub-key ---- BEGIN SSH2 PUBLIC KEY ---- Comment: DSA Public Key...
  • Page 945: Deactivating User Authentication

    Configuring SSH Deactivating user authentication After the SSH server on the device negotiates a session key and encryption method with the connecting client, user authentication takes place. Brocade’s implementation of SSH supports DSA challenge-response authentication and password authentication. With DSA challenge-response authentication, a collection of clients’ public keys are stored on the device.
  • Page 946 Configuring SSH Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port. Also, you should be careful not to assign SSH to a port that is used by another service.
  • Page 947: Disabling 3-Des

    Displaying SSH connection information Syntax: ip ssh idle-time <minutes> If an established SSH session has no activity for the specified number of minutes, the device closes it. An idle time of 0 minutes (the default value) means that SSH sessions never time out. The maximum idle time for SSH sessions is 240 minutes.
  • Page 948: Using Secure Copy

    Using secure copy TABLE 129 SSH connection information (Continued) This field... Displays... Encryption The encryption method used for the connection. Username The user name for the connection. The show who command also displays information about SSH connections. For example. BigIron RX#show who Console connections: established, monitor enabled, in config mode 2 minutes 17 seconds in idle...
  • Page 949 Using secure copy NOTE If you disable SSH, SCP is also disabled. The following are examples of using SCP to transfer files from and to a BigIron RX. NOTE When using SCP, you enter the scp commands on the SCP-enabled client, rather than the console on the BigIron RX.
  • Page 950 Using secure copy BigIron RX Series Configuration Guide 53-1001810-01...
  • Page 951: In This Chapter

    Chapter Configuring IS-IS (IPv4) In this chapter • IS-IS CLI levels ..........884 •...
  • Page 952: Relationship To Ip Route Table

    In this chapter Relationship to IP route table The IS-IS protocol has the same relationship to the device’s IP route table that OSPF has to the IP route table. The IS-IS routes are calculated and first placed in the IS-IS route table. The routes are then transferred to the IP route table.
  • Page 953: Domain And Areas

    In this chapter Figure 117 shows an example of an IS-IS network. FIGURE 117 An IS-IS network contains Intermediate Systems (ISs) and host systems IS-IS Routing Domain IS-IS Area 1 IS-IS Area 2 Router A Router B Router C Router D BGP4 Host Host...
  • Page 954: Neighbors And Adjacencies

    In this chapter Figure 117 on page 881, Routers A and B are Level-1s only. Routers C and D are Level-1 and Level-2 ISs. Router E is a Level-1 IS only. Neighbors and adjacencies A BigIron RX configured for IS-IS forms an adjacency with each of the IS-IS devices to which it is directly connected.
  • Page 955 In this chapter Figure 118 shows an example of the results of Designated IS elections. For simplicity, this example shows four of the five routers in Figure 117 on page 881, with the same domain and areas. FIGURE 118 Each broadcast network has a Level-1 designated IS and a Level-2 designated IS Broadcast Broadcast Broadcast...
  • Page 956: Is-Is Cli Levels

    IS-IS CLI levels IS-IS CLI levels The CLI includes various levels of commands for IS-IS. Figure 119 diagrams these levels. FIGURE 119 IS-IS CLI levels IPv6 address-family level unicast sub-family Global commands for IS-IS router isis and all address families IPv4 address-family level configure terminal unicast sub-family...
  • Page 957: Interface Level

    Configuring IPv4 IS-IS Under the address family level, Brocade currently supports the unicast address family configuration level only. The device enters the IPv4 IS-IS unicast address family configuration level when you enter the following command while at the global IS-IS configuration level. BigIron RX(config-isis-router)# address-family ipv4 unicast BigIron RX(config-isis-router-ipv4u)# Syntax: address-family ipv4 unicast...
  • Page 958: Globally Configuring Is-Is On A Device

    Globally configuring IS-IS on a device 2. If you have not already configured a NET for IS-IS, enter commands such as the following. BigIron RX(config-isis-router)# net 49.2211.aaaa.bbbb.cccc.00 BigIron RX(config-isis-router)# The commands in the example above configure a NET that has the area ID 49.2211, the system ID aaaa.bbbb.cccc (the device’s base MAC address), and SEL value 00.
  • Page 959: Setting The Overload Bit

    Globally configuring IS-IS on a device Setting the overload bit If an IS’s resources are overloaded and are preventing the IS from properly performing IS-IS routing, the IS can inform other ISs of this condition by setting the overload bit in LSPDUs sent to other ISs from 0 (off) to 1 (on).
  • Page 960: Configuring Authentication

    Globally configuring IS-IS on a device Configuring authentication By default, the device does not authenticate packets sent to or received from ESs or other ISs. You can configure the following types of passwords for IS-IS globally. TABLE 130 IS-IS passwords Password type Scope Where used...
  • Page 961: Disabling Or Re-Enabling Display Of Hostname

    Globally configuring IS-IS on a device Syntax: [no] is-type level-1 | level-1-2 | level-2 The level-1 | level-1-2 | level-2 parameter specifies the IS-IS type. If you want to re-enable support for both IS-IS types, re-enter the command you entered to change the IS-IS type, and use “no” in front of the command.
  • Page 962: Changing The Maximum LSP Lifetime

    Globally configuring IS-IS on a device NOTE Although the command name is csnp-interval, the interval also applies to PSNPs. Changing the maximum LSP lifetime The maximum LSP lifetime is the maximum number of seconds an un-refreshed LSP can remain in the BigIron RX’s LSP database.
  • Page 963: Changing The LSP Interval And Retransmit Interval

    Globally configuring IS-IS on a device Changing the LSP interval and retransmit interval The LSP interval is the rate of transmission, in milliseconds, of the LSPs. The retransmit interval is the time the device waits before it retransmits LSPs. To define an LSP interval, enter a command such as the following.
  • Page 964: Logging Adjacency Changes

    Configuring IPv4 address family route parameters If you need to disable padding, you can do so globally or on individual interfaces. Generally, you do not need to disable padding unless a link is experiencing slow performance. If you enable or disable padding on an interface, the interface setting overrides the global setting.
  • Page 965: Changing The Metric Style

    Configuring IPv4 address family route parameters Changing the metric style The metric style specifies the Types, Lengths, and Values (TLVs) an IS-IS LSP can have. The TLVs specify the types of data, the maximum length of the data, and the valid values for the data. One of the types of data the TLVs control is a route’s default-metric.
  • Page 966: Changing The Administrative Distance For IPv4 IS-IS

    Configuring IPv4 address family route parameters This command enables the device to advertise a default route into the IPv4 IS-IS area to which the device is attached. Syntax: [no] default-information-originate [route-map <name>] The route-map <name> parameter allows you to specify the level on which to advertise the default route.
  • Page 967: Configuring Summary Addresses

    Configuring IPv4 address family route parameters • OSPF – 110 • IPv4 IS-IS – 115 • RIP – 120 • IBGP – 200 • Local BGP – 200 • Unknown – 255 (the device will not use this route) Lower administrative distances are preferred over higher distances. For example, if the device receives routes for the same network from IPv4 IS-IS and from RIP, it will prefer the IPv4 IS-IS route by default.
  • Page 968: Changing The Default Redistribution Metric

    Configuring IPv4 address family route parameters The device can redistribute routes from the following route sources into IPv4 IS-IS: • BGP4+. • RIP. • OSPF. • Static IPv4 routes. • IPv4 routes learned from directly connected networks. The device can also redistribute Level-1 IPv4 IS-IS routes into Level-2 IPv4 IS-IS routes, and Level-2 IPv4 IS-IS routes into Level-1 IPv4 IS-IS routes.
  • Page 969: Redistributing Directly Connected Routes Into IPv4 IS-IS

    Configuring IPv4 address family route parameters This command configures the device to redistribute all static IPv4 routes into Level-2 IS-IS routes. Syntax: [no] redistribute static [level-1 | level-1-2 | level-2] | metric <number> | metric-type [external | internal] | route-map <name> The level-1, level-1-2, and level-2 keywords restrict redistribution to the specified IPv4 IS-IS level.
  • Page 970: Redistributing OSPF Routes Into IPv4 IS-IS

    Configuring IPv4 address family route parameters Redistributing OSPF routes into IPv4 IS-IS To redistribute OSPF routes into IPv4 IS-IS, enter the following command at the IPv4 IS-IS unicast address family configuration level. BigIron RX(config-isis-router-ipv4u)# redistribute ospf This command configures the BigIron RX to redistribute all OSPF routes into Level-2 IPv4 IS-IS. Syntax: [no] redistribute ospf [level-1 | level-1-2 | level-2] | match [external1 | external2 | internal] | metric <number>...
  • Page 971: Configuring ISIS Properties On An Interface

    Configuring ISIS properties on an interface The level-1 into level-2 | level-2 into level-1 parameter specifies the direction of the redistribution: • level-1 into level-2 – Redistributes Level 1 routes into Level 2. This is the default. • level-2 into level-1 – Redistributes Level 2 routes into Level 1. The prefix-list <name>...
  • Page 972: Setting The Priority For Designated Is Election

    Configuring ISIS properties on an interface Setting the priority for designated IS election The priority of an IS-IS interface determines the priority of the interface for being elected as a Designated IS. Level-1 has a Designated IS and Level-2 has a Designated IS. The Level-1 and Level-2 Designated ISs are independent, although the same device can become both the Level-1 Designated IS and the Level-2 Designated IS.
  • Page 973: Disabling And Enabling Hello Padding On An Interface

    Configuring ISIS properties on an interface NOTE If you change the IS-IS type on an individual interface, the type you specify must also be specified globally. For example, if you globally set the type to Level-2 only, you cannot set the type on an individual interface to Level-1.
  • Page 974: Changing The Metric Added To Advertised Routes

    Displaying IPv4 IS-IS information To change the hello multiplier for Ethernet interface 2/8, enter commands such as the following. BigIron RX(config)# interface ethernet 2/8 BigIron RX(config-if-e1000-2/8)# isis hello-multiplier 50 This command changes the hello interval to 50. By default, the change applies to both Level-1 and Level-2.
  • Page 975: Displaying The IS-IS Configuration In The Running-Config

    Displaying IPv4 IS-IS information • Neighbor information – “Displaying neighbor information” on page 904 • Neighbor adjacency changes – “Displaying IS-IS Syslog messages” on page 905 • Interface information – “Displaying interface information” on page 906 • Route information – “Displaying route information”...
  • Page 976: Displaying Neighbor Information

    Displaying IPv4 IS-IS information NOTE Name mapping is enabled by default. When name mapping is enabled, the output of the show isis database, show isis interface, and show isis neighbor commands uses the host name instead of the system ID. To disable mapping so that these displays use the system ID instead, refer to “Disabling or re-enabling display of hostname”...
  • Page 977: Displaying IS-IS Syslog Messages

    Displaying IPv4 IS-IS information Displaying IS-IS Syslog messages When logging is enabled, the device generates Syslog messages and SNMP traps for the following IS-IS events: • Overload state (the device entering or leaving the overload state) • Memory overrun (IS-IS is demanding more memory than is available) You also can enable the device to generate Syslog messages and SNMP traps when an adjacency with a neighbor comes up or goes down.
  • Page 978: Displaying Interface Information

    Displaying IPv4 IS-IS information TABLE 132 IS-IS Syslog messages (Continued) Message level Message Explanation Notification ISIS L2 ADJACENCY UP <system-id> on The BigIron RX’s adjacency with this Level-2 interface <interface-id> IS has come up. The <system-id> is the system ID of the IS. The <interface-id>...
  • Page 979 Displaying IPv4 IS-IS information This display shows the following information. TABLE 133 IS-IS Interface information This field... Displays... Total number of IS-IS interfaces The number of interfaces on which IS-IS is enabled. Interface The port or virtual interface number to which the information listed below applies.
  • Page 980: Displaying Route Information

    Displaying IPv4 IS-IS information TABLE 133 IS-IS Interface information (Continued) This field... Displays... Level-2 Designated IS The NET of the Level-2 Designated IS. Level-2 DIS Changes The number of times the NET of the Level-2 Designated IS has changed. Next IS-IS LAN Level-1 Hello Number of seconds before next Level-1 Hello PDU will be transmitted by the BigIron RX.
  • Page 981: Displaying LSP Database Entries

    Displaying IPv4 IS-IS information You may enter ip-address <subnet-mask> or ip-address/prefix if you want information for a specific route. For example: BigIron RX# show isis routes 1.0.111.0 255.255.255.0 1.0.111.0 255.255.255.0 00000000 00000242 Path: 1 Next Hop IP: 4.1.1.1 Interface: 7/1 This display shows the following information.
  • Page 982 Displaying IPv4 IS-IS information Displaying summary information To display summary information for all the LSPs in the BigIron RX’s LSP databases, enter the following command at any level of the CLI. BigIron RX)# show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum...
  • Page 983 Displaying IPv4 IS-IS information TABLE 135 IS-IS summary LSP database information (Continued) This field... Displays... The value in the Partition option field of the LSP. The field can have one of the following values: • 0 – The IS that sent the LSP does not support partition repair. •...
  • Page 984: Displaying Traffic Statistics

    Displaying IPv4 IS-IS information TABLE 136 IS-IS detailed LSP database information (Continued) This field... Displays... IP address The IP address of the interface that sent the LSP. The BigIron RX can use this address as the next hop in routes to the addresses listed in the rows below.
  • Page 985: Displaying Error Statistics

    Displaying IPv4 IS-IS information TABLE 137 IS-IS traffic statistics (Continued) This field... Displays... Level-2 LSP The number of Level-2 link-state PDUs sent and received by the BigIron RX. Level-1 CSNP The number of Level-1 Complete Sequence Number PDUs (CSNPs) sent and received by the BigIron RX. Level-2 CSNP The number of Level-2 CSNPs sent and received by the BigIron RX.
  • Page 986: Clearing IS-IS Information

    Clearing IS-IS information TABLE 138 IS-IS error statistics (Continued) This field... Displays... Level-1 Database Overload The number of times the Level-1 state on the BigIron RX changed from Waiting to On or from On to Waiting. • Waiting to On – This change can occur when the BigIron RX recovers from a previous Level-1 LSP database overload and is again ready to receive new LSPs.
  • Page 987 Clearing IS-IS information NOTE The traffic option also clears the values displayed in the show isis interface command’s Control Messages Sent and Control Messages Received fields.
  • Page 988 Clearing IS-IS information
  • Page 989: In This Chapter

    Chapter BiDirectional Forwarding Detection (BFD) In this chapter • Configuring BFD parameters, page 918 •...
  • Page 990: Configuring BFD Parameters

    Configuring BFD parameters When you configure BFD you must set timing and interval parameters. These are configured on each interface. When two adjacent interfaces with BFD are configured, they negotiate the conditions for determining if the connection between them is still active. The following command is used to set the BFD parameters.
  • Page 991: Displaying Bidirectional Forwarding Detection Information

    Displaying Bidirectional Forwarding Detection information You can display Bidirectional Forwarding Detection (BFD) information for the router you are logged in to and for BFD-configured neighbors as described in the following sections. Displaying BFD information on a router The following example illustrates the output from the show bfd command.
  • Page 992 Displaying Bidirectional Forwarding Detection information TABLE 139 Display of BFD information (Continued) This field... Displays... Sessions The number of BFD sessions currently operating on the specified Interface module. BFD Enabled ports count The number of ports on the router that have been enabled for BFD. Port The port that BFD is enabled on.
  • Page 993 Displaying Bidirectional Forwarding Detection information This display shows the following information. TABLE 141 Display of BFD information This field... Displays... Total number of Neighbor entries The number of neighbors that have established BFD sessions with ports on this router. NeighborAddress The IPv4 or IPv6 address of the remote peer.
  • Page 994 Displaying Bidirectional Forwarding Detection information TABLE 142 Display of BFD neighbor detail information (Continued) This field... Displays... Holddown The interval after which the session will transition to the down state if no message is received. Interval The interval at which the local router sends BFD messages to the remote peer.
  • Page 995: Clearing BFD Neighbor Sessions

    Configuring BFD for the specified protocol TABLE 142 Display of BFD neighbor detail information (Continued) This field... Displays... Session Uptime The amount of time the session has been in the UP state. LastSessionDownTimestamp The system time at which the session last transitioned from the UP state to some other state.
  • Page 996: Configuring BFD For OSPFv3

    Configuring BFD for the specified protocol While this command configures BFD for OSPFv2 on all of a router’s OSPFv2 enabled interfaces, it is not required that it be configured if you use the ip ospf bfd command to configure specific interfaces.
  • Page 997 Configuring BFD for the specified protocol Syntax: [no] bfd all-interfaces While this command configures BFD for IS-IS on all of a router’s IS-IS enabled interfaces, it is not required that it be configured if you use the isis bfd command to configure specific interfaces. It can be used independently or together with that command.
  • Page 998 Configuring BFD for the specified protocol
  • Page 999: How Multi-Device Port Authentication Works

    Chapter Configuring Multi-Device Port Authentication In this chapter • How multi-device port authentication works, page 927 • Configuring multi-device port authentication
  • Page 1000: Authentication-Failure Actions

    How multi-device port authentication works traffic from this MAC address is encountered on a MAC-authentication-enabled interface, the device sends the RADIUS server an Access-Request message with 0007e90feaa1 as both the username and password. The format of the MAC address sent to the RADIUS server is configurable through the CLI.

This manual is also suitable for:

Brocade dcx-4s, Brocade dcx
