Dell PowerConnect B-RX Configuration Manual

53-1002253-01
®
20 May 2011
BigIron RX Series

Configuration Guide

Supporting Multi-Service IronWare v02.8.00

Summary of Contents for Dell PowerConnect B-RX

  • Page 1: Configuration Guide

    53-1002253-01 ® 20 May 2011 BigIron RX Series Configuration Guide Supporting Multi-Service IronWare v02.8.00...
  • Page 2 Copyright © 2011 Brocade Communications Systems, Inc. All Rights Reserved Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCS, and VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
  • Page 3: Table Of Contents

    Contents Contents About This Document Audience ..........xli Supported hardware and software .
  • Page 4 EXEC commands ......... . 3 Global level .
  • Page 5 Flash memory and PCMCIA flash card file management commands..........36 Management focus .
  • Page 6 Configuring TACACS and TACACS+ security ....82 How TACACS+ differs from TACACS ..... . . 83 TACACS and TACACS+ authentication, authorization, and accounting .
  • Page 7 Configuring an interface as the source for Syslog packets ..123 Specifying a Simple Network Time Protocol (SNTP) server ..124 Setting the system clock........126 New Daylight Saving Time (DST) .
  • Page 8 Displaying mirror and monitor port configuration....150 Enabling WAN PHY mode support ......151 Chapter 7 Configuring IP Overview of configuring IP .
  • Page 9 Configuring forwarding parameters ......194 Disabling ICMP messages ......196 Disabling ICMP redirect messages .
  • Page 10 General operating principles ......255 Operating modes ........255 LLDP packets .
  • Page 11 VLAN configuration rules ....... . .290 VLAN ID range ........290 Tagged VLANs.
  • Page 12 Displaying VLAN information ......321 Displaying VLAN information ......322 Displaying VLAN information for specific ports .
  • Page 13 State machines .........362 Handshake mechanisms.
  • Page 14 MRP CLI example ........421 Commands on switch A (master node).
  • Page 15 Displaying topology group information ..... .449 Displaying topology group information ....449 Chapter 17 Configuring VRRP and VRRPE Overview of VRRP .
  • Page 16 Configuring ToS-based QoS .......482 Enabling ToS-based QoS ......482 Specifying trust level .
  • Page 17 Configuring rate limiting policies ......508 Configuring a port-based rate limiting policy ....508 Configuring a port-and-priority-based rate limiting policy .
  • Page 18 Displaying ACL definitions ....... .544 Displaying of TCP/UDP numbers in ACLs ....545 ACL logging .
  • Page 19 Chapter 23 Configuring IP Multicast Protocols Overview of IP multicasting .......581 Multicast terms .
  • Page 20 Changing the Shortest Path Tree (SPT) threshold ... . .614 Changing the PIM join and prune message interval ..615 MLL optimization ........615 Displaying PIM Sparse configuration information and statistics.
  • Page 21 Configuring DVMRP........651 Enabling DVMRP globally and on an interface... . .651 Modifying DVMRP global parameters .
  • Page 22 Configuring OSPF ........685 Configuration rules .
  • Page 23 Chapter 26 Configuring BGP4 (IPv4 and IPv6) Overview of BGP4 ........739 Relationship between the BGP4 route table and the IP route table .
  • Page 24 Configuring BGP4 neighbors ......771 Removing route dampening from suppressed neighbor routes ........775 Encryption of BGP4 MD5 authentication keys.
  • Page 25 Chapter 27 Configuring MBGP Configuration considerations ......858 Configuring MBGP ........858 Setting the maximum number of multicast routes supported .
  • Page 26 Configuring IPv4 address family route parameters ... .880 Changing the metric style ......880 Changing the maximum number of load sharing paths .
  • Page 27 Chapter 30 Configuring Secure Shell In this chapter ......... .913 Overview of Secure Shell (SSH) .
  • Page 28 Example configurations ........940 Multi-device port authentication with dynamic VLAN assignment .
  • Page 29 How 802.1x port security works......963 Device roles in an 802.1x configuration ....963 Communication between the devices .
  • Page 30 Chapter 34 Protecting Against Denial of Service Attacks Protecting against Smurf attacks......995 Avoiding being an intermediary in a Smurf attack..996 ACL-based DOS-attack prevention .
  • Page 31 Chapter 37 Enabling the Foundry Discovery Protocol (FDP) and Reading Cisco Discovery Protocol (CDP) Packets Using FDP ......... . . 1023 Configuring FDP .
  • Page 32 Chapter 40 Multiple Spanning Tree Protocol (MSTP) 802.1s 802.1s Multiple Spanning Tree Protocol ....1051 Multiple spanning-tree regions ......1051 Configuring MSTP.
  • Page 33 Configuring IPv6 on each router interface....1083 Configuring a global or site-local IPv6 address ..1084 Configuring a link-local IPv6 address .
  • Page 34 Configuring IPv6 neighbor discovery ..... . 1096 Neighbor solicitation and advertisement messages ..1097 Router advertisement and solicitation messages ..1098 Neighbor redirect messages .
  • Page 35 Configuring BGP4+ ........1130 Enabling BGP4+ ........1131 Configuring BGP4+ neighbors using global or site-local IPv6 addresses.
  • Page 36 Using IPv6 ACLs as input to other features ....1198 Configuring an IPv6 ACL ....... . 1198 Example configurations .
  • Page 37 Chapter 49 Configuring IPv6 Multicast Features IPv6 PIM sparse ........1249 PIM sparse router types.
  • Page 38 Configuring the Syslog service ......1291 Displaying the Syslog configuration ....1291 Disabling or re-enabling Syslog.
  • Page 39 FDP/CDP ..........1338 IP .
  • Page 40 SSH..........1374 sFlow .
  • Page 41: About This Document

    About This Document Audience This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network –...
  • Page 42 TABLE 1 Supported features (Continued) Category Feature description Management Options Serial and Telnet access to industry-standard Command Line Interface (CLI) SSHv2 TFTP Web-based GUI SNMP versions 1, 2, and 3 IronView Network Manager or Brocade Network Advisor Security AAA Authentication Local passwords RADIUS Secure Shell (SSH) version 2...
  • Page 43 TABLE 1 Supported features (Continued) Category Feature description Rate Limiting Port-based, port-and-priority based, port-and-vlan-based, and port-and-ACL-based rate limiting on inbound ports are supported. SuperSpan A Brocade STP enhancement that allows Service Providers (SPs) to use STP in both SP networks and customer networks. Topology Groups A named set of VLANs that share a Layer 2 topology.
  • Page 44: Unsupported Features

    TABLE 1 Supported features (Continued) Category Feature description Multicast Routing Multicast cache L2 IGMP table DVMRP routes PIM-DM PIM-SM PIM-SSM PIM Snooping OSPF OSPF routes OSPF adjacencies - Dynamic OSPF LSAs OSPF filtering of advertised routes Policy Based Routing RIP versions 1 and 2 RIP routes VRRP and VRRPE Virtual Router Redundancy Protocol (VRRP)
  • Page 45: What's New In This Document

    What’s new in this document The following tables provide brief descriptions of the enhancements added in each BigIron RX software release and a reference to the specific chapter, and section in the BigIron RX Series Configuration Guide or the Brocade BigIron RX Series Installation Guide that contain a detailed description and operational details for the enhancement.
  • Page 46: Enhancements In Release 02.8.00

    Enhancements in release 02.8.00. TABLE 2 Summary of enhancements in release 02.8.00. Enhancement: Multi-device Port Authentication. Description: Multi-device port authentication is now supported on the BigIron RX tagged ports. See page: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring Multi-Device Port Authentication”; Section: “How multi-device port authentication works”...
  • Page 47: Enhancements In Release 02.7.03

    Enhancements in release 02.7.03. TABLE 3 Summary of enhancements in release 02.7.03. Enhancement: System Monitoring Service (SYSMON). Description: This feature was introduced in the 02.6.00c patch release. It monitors the hardware in the system to detect, report, and in some cases... See page: Book: BigIron RX Series Configuration Guide; Chapter: “Using a Redundant...
  • Page 48 TABLE 3 Summary of enhancements in release 02.7.03. Enhancement: MAC Port Security. Description: The MAC Port Security feature has been updated for the 02.7.03 release. See page: Book: BigIron RX Configuration Guide; Chapter: “Using the MAC Port Security Feature and Transparent Port Flooding”...
  • Page 49 Enhancements in release 02.7.01 TABLE 5 Summary of enhancements in release 02.7.01 (Continued) Enhancement Description See page True Remote Console The new rconsole feature provides a true connection to the MP/LP console port. While the old session-based rconsole is a remote X-Window which is connected to one of the windows on the target system, the new rconsole is a remote desktop.
  • Page 50 Enhancements in release 02.7.00 TABLE 6 Summary of enhancements in release 02.7.00 Enhancement Description See page True Remote Console The new rconsole feature provides a true connection to the MP/LP console port. While the old session-based rconsole is a remote X-Window which is connected to one of the windows on the target system, the new rconsole is a remote desktop.
  • Page 51 TABLE 6 Summary of enhancements in release 02.7.00 (Continued). Enhancement: CLI Change. Description: To globally enable MAC port security, the global-port-security command has been added. The port security command is now only used when configuring MAC port security on specific interfaces. See page: Book: BigIron RX Series Configuration Guide; Chapter: “Using the MAC...
  • Page 52 TABLE 7 Summary of enhancements in release 02.6.00 (Continued). Enhancement: Digital Optical Monitoring. Description: Beginning with release 02.6.00, Digital Optical Monitoring will only support newly qualified 1Gigabit optics. Digital Optical Monitoring for previous 1Gigabit optics that do not include "OM"... See page: Book: Brocade BigIron RX Series Installation Guide; Chapter: Connecting a...
  • Page 53 TABLE 7 Summary of enhancements in release 02.6.00 (Continued). Enhancement: IPv6 PIM-SM. Description: In Release 02.6.00 of the Multi-Service IronWare software, the BigIron RX supports IPv6 Protocol Independent Multicast (PIM) Sparse. IPv6 PIM Sparse provides multicasting that is especially... See page: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring IPv6...
  • Page 54: Enhancements In Patch Release 02.5.00C

    TABLE 7 Summary of enhancements in release 02.6.00 (Continued). Enhancement: Static Route ARP Validate Next Hop. Description: Beginning with release 02.6.00, you can configure the BigIron RX to perform multicast validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC... See page: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring IP...
  • Page 55: Enhancements In Patch Release 02.5.00B

    TABLE 8 Summary of enhancements in release 02.5.00c (Continued). Enhancement: Limited/Fixed Boot Code. See page: Book: Foundry BigIron RX Configuration Guide; Chapter: ; Section: . Enhancement: Super ACLs. Description: With this patch release, the Multi-Service IronWare software supports Super ACLs that can match on fields in a Layer 2 or Layer 4 packet header. See page: Book: BigIron RX Series Configuration Guide.
  • Page 56 TABLE 10 Summary of enhancements in release 02.5.00 (Continued). Enhancement: BigIron RX-32. Description: Release 02.5.00 introduces the BigIron RX-32 device, which runs the same Multi-Service IronWare software as other devices in the BigIron RX series. The new BigIron RX-32 device provides support for up to 32 interface modules. See page: Book: Brocade BigIron RX Series Installation Guide.
  • Page 57: Enhancements In Patch Release 02.4.00C

    TABLE 10 Summary of enhancements in release 02.5.00 (Continued). Enhancement: Changes to the copy tftp Image command. Description: In Release 02.5.00 of the Multi-Service IronWare software, new options have been added to the copy... See page: Book: Release Notes for BigIron RX –...
  • Page 58: Enhancements In Release 02.4.00

    Enhancements in release 02.4.00 TABLE 12 Summary of enhancements in release 02.4.00 Enhancement Description See page True Remote Console The new rconsole feature provides a true connection to the MP/LP console port. While the old session-based rconsole is a remote X-Window which is connected to one of the windows on the target system, the new rconsole is a remote desktop.
  • Page 59 TABLE 12 Summary of enhancements in release 02.4.00 (Continued). Enhancement: Increase Global Static ARP Entries. Description: The system max value for ip-static-arp can be configured to values up to 16,384 beginning with version 02.4.00 of the BigIron RX Multi-Service... See page: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring IP”...
  • Page 60 TABLE 12 Summary of enhancements in release 02.4.00 (Continued). Enhancement: IPv6 Load Sharing over ECMP and Trunks. Description: When the device receives traffic for a destination, and the IPv6 route table contains multiple, equal-cost paths to that destination, the packets... See page: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring...
  • Page 61 TABLE 12 Summary of enhancements in release 02.4.00 (Continued). Enhancement: Passive Multicast Route Insertion (PMRI). Description: This new feature prevents unwanted multicast traffic from being sent to the CPU by conditionally dropping unwanted multicast traffic in hardware. See page: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring IP Multicast Protocols”...
  • Page 62: Enhancements In Patch Release 02.3.00A

    TABLE 12 Summary of enhancements in release 02.4.00 (Continued). Enhancement: CLI Logging. Description: This feature provides the logging of all valid CLI commands from each user session into the system log. See page: Book: BigIron RX Series Configuration Guide; Chapter: “Using Syslog”...
  • Page 63: Enhancements In Release 02.3.00

    Enhancements in release 02.3.00. System enhancements. TABLE 14 System enhancements. Enhancement: New Hardware Support. Description: The following new hardware is supported with the 02.3.00 software release for the BigIron RX: 10G-XFP-CX4 - part number 10G-XFP-CX4, A new XFP Module is available for use in the BigIron RX Series and 10G Interface Modules with the following capabilities: •... See: Book: Brocade BigIron RX Series Installation Guide.
  • Page 64 TABLE 14 System enhancements (Continued). Enhancement: Enhanced Digital Optical Monitoring. Description: You can configure the BigIron RX to monitor XFPs and SFPs in the system either globally or by specified port. See: Book: Brocade BigIron RX Series Installation Guide; Chapter: Connecting a BigIron RX Series Switch to a Network Device; Section: Enhanced Digital...
  • Page 65 Layer 3 enhancements. TABLE 16 Layer 3 enhancements. Enhancement: OSPF NBMA. Description: You can configure an interface to send OSPF unicast packets rather than broadcast packets to its neighbor by configuring non-broadcast multi-access (NBMA) networks. See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring...
  • Page 66 TABLE 16 Layer 3 enhancements (Continued). Enhancement: ACL Duplication Check. Description: The acl-duplication-check command has been changed to acl-duplication-check-disable. With this command, software checking for duplicate ACL entries will be disabled after an upgrade. See: Book: BigIron RX Series Configuration Guide; Chapter: “Access Control List”...
  • Page 67 IP multicast enhancements. TABLE 17 IP multicast enhancements. Enhancement: MBGP. Description: Multiprotocol BGP, which allows information other than IPv4 routes to be carried in BGP packets, is available in this release. See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring MBGP”...
  • Page 68 TABLE 17 IP multicast enhancements (Continued) Enhancement Description See... IPv6 Embedded RP Embedded RP allows the router to learn RP information using the multicast group destination address instead of the statically configured RP. IPv6 PIM SM IPv6 PIM SM provides the Multicast IP Sparse Mode protocol for routing multicast packets to multicast groups.
  • Page 69: Enhancements In Release 02.2.01

    Network management. TABLE 19 Network management. Enhancement: IPv6 Management TFTP, SSH, Telnet, AAA, and WEB. Description: You can perform system management tasks for the BigIron RX using the TFTP, telnet, AAA, and Secure Shell (SSH). See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring Basic IPv6 Connectivity”...
  • Page 70 Layer 3 enhancements. TABLE 22 Layer 3 enhancements. Enhancement: Graceful Restart. Description: With this release, you can enable Graceful Restart for OSPF and BGP. See page: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring OSPF Version 2 (IPv4)”, “Configuring BGP4 (IPv4 and IPv6)”; Section: “OSPF graceful restart”...
  • Page 71 Multicast enhancement. TABLE 23 Multicast enhancement. Enhancement: IGMP Snooping. Description: The BigIron RX supports IGMP snooping. See page: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring IP Multicast Traffic Reduction”; Section: “Enabling IP multicast traffic reduction”. Security enhancements. TABLE 24 Security enhancements (Enhancement / Description / See page)...
  • Page 72 TABLE 24 Security enhancements (Continued). Enhancement: MTU enhancements for IPv4. Description: In this release, you can configure IPv4 MTU to be greater than 1500 bytes. See page: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring Quality of Service”; Section: “Changing the MTU”. Enhancement: Enhancements to passwords. Description: The following have been implemented to enhance the... See page: Book: Brocade BigIron RX...
  • Page 73: Enhancements In Release 02.2.00G

    Enhancements in release 02.2.00g. TABLE 26 Summary of enhancements in 02.2.00g. Enhancement: New Hardware Support. Description: The following new hardware is supported with the 02.2.01 software release for the BigIron RX: •... See page: Book: Brocade BigIron RX Series Installation Guide.
  • Page 74: Document Conventions

    TABLE 27 Summary of enhancements in 02.2.00 (Continued). Enhancement: Multicast Entry Limit. Description: Multicast entries are limited to 1542 IPv4 entries, provided every group has only one destination. Enhancement: WAN PHY Mode Support. Description: This release supports WAN PHY Mode per 10 GB Ethernet port. See page: Book: BigIron RX Series...
  • Page 75: Notes, Cautions, And Danger Notices

    variable Variables are printed in italics enclosed in angled brackets < >. Repeat the previous element, for example “member[;member...]” Choose from one of the parameters. Notes, cautions, and danger notices The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
  • Page 76: Getting Technical Help Or Reporting Errors

    NOTE The latest version of these guides is posted at http://www.brocade.com/ethernetproducts. Getting technical help or reporting errors E-mail and telephone access Go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information. lxxvi BigIron RX Series Configuration Guide 53-1002253-01...
  • Page 77: Getting Started With The Command Line Interface

    Chapter Getting Started with the Command Line Interface In this chapter • Logging on through the CLI ........1 •...
  • Page 78: On-Line Help

    Logging on through the CLI On-line help To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed.
  • Page 79: Line Editing Commands

    EXEC commands Line editing commands The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command. TABLE 28 CLI line-editing commands Ctrl-key combination...
  • Page 80: Global Level

    CONFIG commands You reach this level by entering enable [<password>] or enable <username> <password> at the User EXEC level, for example BigIron RX>enable or BigIron RX>enable user1 mypassword. After entering the enable command, you see the prompt BigIron RX#, which indicates that you are at the Privileged EXEC level. When you are at the Privileged EXEC level, you can enter commands that are available at that level.
  • Page 81 CONFIG commands Trunk level The trunk level allows you to change parameters for statically-configured trunk groups. You reach this level by entering a trunk command with the appropriate port parameters. Router RIP level The RIP level allows you to configure parameters for the RIP routing protocol. You reach this level by entering the router rip command at the global CONFIG level.
  • Page 82 CONFIG commands Route Map level The Route Map level allows you to configure parameters for a BGP4 route map. You reach this level by entering the route-map <name> command at the global CONFIG level. Router VRRP level The VRRP level allows you to configure parameters for the Virtual Router Redundancy Protocol (VRRP).
  • Page 83: Accessing The Cli

    Accessing the CLI MAC port security level The MAC port security level allows you to configure the port security feature. You reach this level by entering the global-port-security command at the Global or Interface levels. Accessing the CLI The CLI can be accessed through both serial and Telnet connections.
  • Page 84: Navigating Among Command Levels

    Accessing the CLI
    BigIron RX>  User Level EXEC Command
    BigIron RX#  Privileged Level EXEC Command
    BigIron RX(config)#  Global Level CONFIG Command
    BigIron RX(config-if-e10000-5/1)#  Interface Level CONFIG Command
    BigIron RX(config-lbif-1)#  Loopback Interface CONFIG Command
    BigIron RX(config-ve-1)#  Virtual Interface CONFIG Command
    BigIron RX(config-trunk-4/1-4/8)#  Trunk group CONFIG Command
    BigIron RX(config-if-e10000-tunnel)#  IP Tunnel Level CONFIG Command
    BigIron RX(config-bgp-router)#  BGP Level CONFIG Command
    BigIron RX(config-dvmrp-router)#  DVMRP Level CONFIG Command...
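    The prompt forms listed above encode the command level, and anything that drives the CLI over a serial or Telnet session (an expect script, a config-push tool) has to recognise the level before it sends a command. The following Python example is added here and is not from the configuration guide: it classifies a captured prompt string into its level using only the prompt shapes shown above. The hostname BigIron RX, the level names, and the class and function names are this example's own choices.

```python
"""Classify a BigIron RX CLI prompt into its command level.

Added example, not from the configuration guide. The prompt shapes are the
ones the guide lists; level names, class and function names are this
example's own, and the hostname "BigIron RX" is assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Fixed (config-...) sub-levels from the guide's prompt list.
FIXED_SUBLEVELS = {
    "config": "Global Level CONFIG",
    "config-if-e10000-tunnel": "IP Tunnel Level CONFIG",
    "config-bgp-router": "BGP Level CONFIG",
    "config-dvmrp-router": "DVMRP Level CONFIG",
}

# Sub-levels that carry an identifier (port, loopback, VE, trunk range);
# the single capture group is that identifier.
PARAMETRIC_SUBLEVELS = [
    (re.compile(r"^config-if-e\d+-(\d+/\d+)$"), "Interface Level CONFIG"),
    (re.compile(r"^config-lbif-(\d+)$"), "Loopback Interface CONFIG"),
    (re.compile(r"^config-ve-(\d+)$"), "Virtual Interface CONFIG"),
    (re.compile(r"^config-trunk-(\d+/\d+-\d+/\d+)$"), "Trunk group CONFIG"),
]

# hostname, optional "(sub-level)", then ">" (User EXEC) or "#" (all others)
PROMPT_RE = re.compile(r"^(?P<host>.*?)(?:\((?P<sub>[^()]*)\))?(?P<end>[>#])\s*$")


@dataclass(frozen=True)
class PromptInfo:
    hostname: str
    level: str
    target: Optional[str]  # interface/loopback/VE/trunk identifier, if any


def classify_prompt(prompt: str) -> PromptInfo:
    """Map a captured prompt to its CLI level; raises on unknown shapes."""
    m = PROMPT_RE.match(prompt)
    if not m:
        raise ValueError(f"not a BigIron RX style prompt: {prompt!r}")
    host, sub, end = m.group("host"), m.group("sub"), m.group("end")
    if sub is None:  # EXEC levels: ">" is User EXEC, "#" is Privileged EXEC
        level = "User Level EXEC" if end == ">" else "Privileged Level EXEC"
        return PromptInfo(host, level, None)
    if end != "#":
        raise ValueError(f"CONFIG prompts end in '#', got {prompt!r}")
    if sub in FIXED_SUBLEVELS:
        return PromptInfo(host, FIXED_SUBLEVELS[sub], None)
    for pattern, level in PARAMETRIC_SUBLEVELS:
        pm = pattern.match(sub)
        if pm:
            return PromptInfo(host, level, pm.group(1))
    raise ValueError(f"unrecognised CONFIG sub-level {sub!r}")


def is_privileged(prompt: str) -> bool:
    """True once the session is past User EXEC, i.e. it can run privileged
    EXEC commands or change configuration."""
    return classify_prompt(prompt).level != "User Level EXEC"


if __name__ == "__main__":
    for p in ("BigIron RX>", "BigIron RX#", "BigIron RX(config)#",
              "BigIron RX(config-if-e10000-5/1)#", "BigIron RX(config-trunk-4/1-4/8)#"):
        print(f"{p:40} -> {classify_prompt(p)}")
```

    An automation script would call classify_prompt on each prompt it reads back and refuse to send a CONFIG command unless the level matches the one it expects; is_privileged is the check to run right after connecting, because on a device still at the defaults described later in this guide a Telnet session can land past User EXEC without ever being asked for a password.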
  • Page 85: Searching And Filtering Output

    Searching and filtering output Optional fields When two or more options are separated by a vertical bar, “| “, you must enter one of the options as part of the command. Syntax: priority normal | high For example, the "normal | high" entry in the Syntax above means that priority can be either priority normal or priority high.
  • Page 86 Searching and filtering output Displaying lines containing a specified string The following command filters the output of the show interface command for port 3/11 so it displays only lines containing the word “Internet”. This command can be used to display the IP address of the interface.
  • Page 87 Searching and filtering output BigIron RX# ? append Append one file to another attrib Change file attribute boot Boot system from bootp/tftp server/flash image Change current working directory chdir Change current working directory clear Clear table/statistics/keys clock Set clock configure Enter configuration mode copy Copy between flash, tftp, config/code...
  • Page 88: Using Special Characters In Regular Expressions

    Searching and filtering output --More--, next page: Space, next line: Return key, quit: Control-c -telnet The filtered results are displayed. filtering... sync-standby Sync active flash (pri/sec/mon/startup config/lp images) to standby if different terminal Change terminal settings traceroute TraceRoute to IP node undelete Recover deleted file whois...
  • Page 89: Allowable Characters For Lag Names

    Searching and filtering output TABLE 29 Special characters for regular expressions (Continued) Character Operation A dollar sign matches on the end of an input string. For example, the following regular expression matches output that ends with “deg”: deg$ An underscore matches on one or more of the following: •...
  • Page 90: Syntax Shortcuts

    Searching and filtering output • All digits Any of the following special characters are valid: • • • • • • • • • • • • • • • • & Syntax shortcuts A command or parameter can be abbreviated as long as enough text is entered to distinguish it from other commands at that level.
  • Page 91: Getting Familiar With The Bigiron Rx Series Switch Management Applications

    Chapter Getting Familiar With the BigIron RX Series Switch Management Applications How to manage BigIron RX Series switch This chapter describes the different applications you can use to manage the BigIron RX Series Switch. The BigIron RX Series Switch supports the same management applications as other Brocade devices.
  • Page 92: On-Line Help

    Logging on through the CLI NOTE By default, any user who can open a direct or Telnet connection to a BigIron RX Series Switch can access all these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can configure the device to use a RADIUS, TACACS, or TACACS+ server for authentication.
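    The note above describes an unauthenticated default and the three controls that close it. The following Python audit is added here and is not part of the guide: it scans a running-config for those controls and reports what is missing. The IronWare command spellings it matches (enable super-user-password, username ... password, aaa authentication login default ..., radius-server host, tacacs-server host, enable telnet authentication) are as the author knows them from the IronWare CLI and are not confirmed by this page; the two sample configurations are constructed for the example.

```python
"""Audit a BigIron RX running-config for the unauthenticated-access default.

Added example, not from the configuration guide. It checks for the three
controls the note names: Enable passwords, local user accounts, and AAA
against a RADIUS/TACACS/TACACS+ server. The IronWare command spellings it
matches are as the author knows them and are not confirmed by this page;
both sample configurations are constructed.
"""
import re
from typing import List

# Constructed: management IP configured, nothing protecting the CLI.
CONSTRUCTED_CONFIG_WEAK = """\
ver V2.8.0
hostname BigIron RX
interface management 1
 ip address 192.0.2.5/24
end
"""

# Constructed: Enable password, a local account, TACACS+ with local fallback.
CONSTRUCTED_CONFIG_HARDENED = """\
ver V2.8.0
hostname BigIron RX
enable super-user-password 8 $1$exampleHash
username netops privilege 0 password 8 $1$exampleHash
tacacs-server host 192.0.2.250
tacacs-server key 8 $1$exampleKey
aaa authentication login default tacacs+ local
aaa authentication enable default tacacs+ local
enable telnet authentication
interface management 1
 ip address 192.0.2.5/24
end
"""


def audit_access_controls(config: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines()]

    def present(pattern: str) -> bool:
        rx = re.compile(pattern)
        return any(rx.match(ln) for ln in lines)

    def first(pattern: str) -> str:
        rx = re.compile(pattern)
        return next((ln for ln in lines if rx.match(ln)), "")

    findings: List[str] = []
    enable_pw = present(r"^enable (super-user|port-config|read-only)-password\b")
    local_users = present(r"^username \S+ .*\bpassword\b")
    aaa_login = first(r"^aaa authentication login default\b")

    # The default the guide's note describes: nothing gates any CLI level.
    if not (enable_pw or local_users or aaa_login):
        findings.append("no Enable password, local user account, or AAA login "
                        "method: any console or Telnet session reaches every CLI level")

    # Assumption: local accounts are only enforced on Telnet logins once
    # 'enable telnet authentication' is set.
    if local_users and not aaa_login and not present(r"^enable telnet authentication$"):
        findings.append("local user accounts exist but 'enable telnet authentication' "
                        "is missing, so Telnet logins do not use them")

    if aaa_login:
        methods = aaa_login.split()[4:]  # tokens after 'aaa authentication login default'
        if "radius" in methods and not present(r"^radius-server host\b"):
            findings.append("AAA method 'radius' listed but no radius-server host configured")
        if {"tacacs", "tacacs+"} & set(methods) and not present(r"^tacacs-server host\b"):
            findings.append("AAA method 'tacacs/tacacs+' listed but no tacacs-server host configured")
        if "local" not in methods and "enable" not in methods:
            findings.append("no local or enable fallback in the AAA login method list: "
                            "an unreachable server locks administrators out")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", CONSTRUCTED_CONFIG_WEAK), ("hardened", CONSTRUCTED_CONFIG_HARDENED)):
        print(name, audit_access_controls(cfg) or ["no findings"])
```

    Run it against the output of show running-config captured from each device; the weak sample produces exactly the finding the note warns about, the hardened sample produces none, and the fallback check catches the operational failure mode of pointing AAA at a server with no local method behind it.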
  • Page 93: Line Editing Commands

    Logging on through the CLI • Press Ctrl-C to cancel the display. Line editing commands The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command.
  • Page 94 Logging on through the CLI NOTE The vertical bar ( | ) is part of the command. NOTE The regular expression specified as the search string is case sensitive. In the example above, a search string of “Internet” would match the line containing the IP address, but a search string of “internet”...
  • Page 95 Logging on through the CLI BigIron RX# ? append Append one file to another attrib Change file attribute boot Boot system from bootp/tftp server/flash image Change current working directory chdir Change current working directory clear Clear table/statistics/keys clock Set clock configure Enter configuration mode copy...
  • Page 96 Logging on through the CLI --More--, next page: Space, next line: Return key, quit: Control-c -telnet The filtered results are displayed: filtering... sync-standby Sync active flash (pri/sec/mon/startup config/lp images) to standby if different terminal Change terminal settings traceroute TraceRoute to IP node undelete Recover deleted file whois...
  • Page 97: Allowable Characters For Lag Names

    Logging on through the CLI TABLE 31 Special characters for regular expressions (Continued) Character Operation An underscore matches on one or more of the following: • , (comma) • { (left curly brace) • } (right curly brace) • ( (left parenthesis) •...
  • Page 98: Logging On Through The Web Management Interface

    Logging on through the Web Management Interface • • • • • • • • • • • • • • • & Logging on through the Web Management Interface To use the Web Management Interface, open a Web browser and enter the IP address of a BigIron RX Series Switch’s management port in the Location or Address field.
  • Page 99: Web Management Interface

    Logging on through the Web Management Interface FIGURE 2 Web Management Interface login dialog box The login username and password you enter depends on whether your device is configured with AAA authentication for SNMP. If AAA authentication for SNMP is not configured, you can use the user name “get”...
  • Page 101: Using A Redundant Management Module

    Chapter Using a Redundant Management Module How management module redundancy works You can install a redundant management module in slot M1 or M2 of the BigIron RX Series devices. By default, the system considers the module installed in slot M1 to be the active management module and the module installed in slot M2 to be the redundant or standby module.
  • Page 102: Management Module Switchover

    How management module redundancy works The interface modules are not reset, as they are with the previous cold-restart redundancy feature. The interface modules continue to forward traffic while the standby management module takes over operation of the system. The newly active management module receives updates from the interface modules and sends verification information to the interface modules to ensure that they are synchronized.
  • Page 103: Switchover Implications

    How management module redundancy works • The active management module’s flash memory. • A PCMCIA flash card inserted in one of the PCMCIA slots in the active management module’s front panel. After the replacement module boots, the active module compares the standby module’s flash code and system-config file to its own.
  • Page 104 How management module redundancy works Syslog and SNMP traps When a switchover occurs, the BigIron RX system sends a Syslog message to the local Syslog buffer and also to the Syslog server, if you have configured the system to use one. In addition, if you have configured an SNMP trap receiver, the system sends an SNMP trap to the receiver.
  • Page 105: Management Module Redundancy Configuration

    Management module redundancy configuration Management module redundancy configuration Configuring management module redundancy consists of performing one optional task (changing the default active slot). This section explains how to perform this task. Changing the default active slot By default, the BigIron RX Series system considers the module installed in slot M1 to be the active management module.
  • Page 106 Managing management module redundancy A BigIron RX Multi-Service IronWare image contains the layer 1 – 3 software run by the management module. During startup or switchover, the active module compares the standby module’s flash code to its own. If differences exist, the active module synchronizes the standby module’s flash code with its own.
  • Page 107 Managing management module redundancy FIGURE 4 Active and standby management module file synchronization (figure legend; the figure groups files into three columns: Synchronized at startup or switchover; Automatically synchronized at regular, user-configurable intervals; Not synchronized. Notes in the figure: Also can be immediately synchronized using the CLI (appears twice); Startup-config also automatically updated with write memory)...
  • Page 108: Manually Switching Over To The Standby Management

    Managing management module redundancy To compare and immediately synchronize files between the active and standby modules if differences exist, enter the following command at the Privileged EXEC level of the CLI. BigIron RX# sync-standby Syntax: sync-standby Synchronizing files without comparison You can synchronize the flash code, system-config file, and running-config file immediately without comparison.
  • Page 109: Monitoring Management Module Redundancy

    Monitoring management module redundancy BigIron RX# boot system flash primary Syntax: boot system bootp | [flash primary | flash secondary] | slot <number> <filename> | tftp <ip-address> <filename> The flash primary keyword specifies the primary BigIron RX Series Multi-Service IronWare image in the management module’s flash memory, while the flash secondary keyword specifies the secondary BigIron RX Series Multi-Service IronWare image in the flash memory. The bootp and tftp options fetch the image over protocols that provide no authentication or integrity protection, so use them only from a trusted management network.
  • Page 110: Displaying Temperature Information

    Monitoring management module redundancy
    You can also observe the Pwr LED on each module. If this LED is on (green), the module is receiving power. If this LED is off, the module is not receiving power. (A module without power will not function as the active or standby module.)
    Software
    To display the status of the management modules, enter the following command at any CLI level.
  • Page 111 Monitoring management module redundancy
    • Redundancy parameter settings and statistics, which include the number of switchovers that have occurred.
    • System log or the traps logged on an SNMP trap receiver, which includes information about whether a switchover has occurred.
    To view the redundancy parameter settings and statistics, enter the following command at any level of the CLI.
  • Page 112: Flash Memory And Pcmcia Flash Card File Management

    Flash memory and PCMCIA flash card file management commands
    BigIron RX# show log
    Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 24 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
    Static Log Buffer:
    Sep 28 11:31:25:A:Power Supply 1, 1st left, not installed
    Sep 28 11:31:25:A:Power Supply 3, middle left, not installed...
  • Page 113: Management Focus

    Flash memory and PCMCIA flash card file management commands
    • Create a subdirectory.
    • Remove a subdirectory.
    • Rename a file.
    • Change the read-write attribute of a file.
    • Delete a file.
    • Recover or “undelete” a file.
    • Append one file to another (join two files).
  • Page 114: Flash Memory File System

    Flash memory and PCMCIA flash card file management commands For example, if you want to display a directory of files in flash memory and flash memory has the current management focus, you do not need to specify the flash keyword. However, if you want to display a directory of files for slot 1 and flash memory has the current focus, you must specify the slot1 keyword.
  • Page 115: Pcmcia Flash Card File System

    Flash memory and PCMCIA flash card file management commands PCMCIA flash card file system The PCMCIA flash card file system is hierarchical, which means that it supports subdirectories. Therefore, you can create or delete subdirectories in this file system using the md or mkdir and rd or rmdir commands, respectively.
  • Page 116: Wildcards

    Flash memory and PCMCIA flash card file management commands
    • &
    You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: “a long subdirectory name”.
  • Page 117: Determining The Current Management Focus

    Flash memory and PCMCIA flash card file management commands
    2048 bytes in each allocation unit.
    39458 allocation units available on card.
    Syntax: format slot1 | slot2
    The slot1 | slot2 keyword specifies the PCMCIA slot that contains the flash card you are formatting.
    Determining the current management focus
    For conceptual information about management focus, refer to “Management focus”...
  • Page 118: Displaying A Directory Of The Files

    Flash memory and PCMCIA flash card file management commands For the <directory-pathname> parameter for both cd and chdir commands, you can specify /slot1 or /slot2 to switch the focus to slot 1 or slot 2, respectively. Specify /flash to switch the focus to flash memory.
  • Page 119 Flash memory and PCMCIA flash card file management commands
    BigIron RX# dir
    Directory of /flash/
    07/28/2003 15:57:45 3,077,697 1060.tmp
    07/28/2003 15:56:10 3,077,697 14082.tmp
    07/28/2003 16:00:08 3,077,697 2084.tmp
    07/25/2003 18:00:23 292,701 boot
    00/00/0 00:00:00 12 boot.ini
    07/28/2003 14:40:19 840,007 lp-primary-0
    07/28/2003 15:18:18 840,007 lp-secondary-0
    07/28/2003 09:56:16 391,524 monitor...
  • Page 120: Displaying The Contents Of A File

    Flash memory and PCMCIA flash card file management commands
    BigIron RX# dir /slot2/
    Directory of /slot2/
    08/01/2003 18:25:28 3,092,508 PRIMARY
    08/01/2003 18:28:06 3,092,508 primary.1234
    08/01/2003 18:28:24 389,696 MONITOR
    08/01/2003 18:28:30 389,696 MONITOR1
    08/01/2003 18:28:01 389,696 MONITOR2
    08/01/2003 18:28:03 389,696 MONITOR3
    08/01/2003 18:29:04 389,696 MONITOR4
    08/01/2003 18:29:12...
  • Page 121: Displaying The Hexadecimal Output Of A File

    Flash memory and PCMCIA flash card file management commands
    For example, to display the contents of a file in flash memory, if flash memory has the current management focus, enter a command such as the following.
    BigIron RX# more cfg.cfg
    Syntax: more [/<directory>/]<file-name>...
  • Page 122 Flash memory and PCMCIA flash card file management commands The software attempts to create a subdirectory in the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to create a subdirectory in a file system that does not currently have management focus.
  • Page 123: Removing A Subdirectory

    Flash memory and PCMCIA flash card file management commands The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using uppercase letters. To verify successful creation of the subdirectory, enter a command such as the following to change to the new subdirectory level.
  • Page 124: Renaming A File

    Flash memory and PCMCIA flash card file management commands Renaming a file You can rename a file in the management module’s flash memory or on a flash card inserted in the management module’s slot 1 or slot 2 using the rename or mv command. The software attempts to rename the file in the file system that has the current management focus.
  • Page 125: Deleting A File

    Flash memory and PCMCIA flash card file management commands
    For example, to change the attribute of a file in slot2 to read-only, if flash memory has the management focus, enter a command such as the following.
    BigIron RX# attrib slot2 ro goodcfg.cfg
    Syntax: attrib [slot1 | slot2] ro | rw <file-name>...
  • Page 126: Recovering ("Undeleting") A File

    Flash memory and PCMCIA flash card file management commands
    For example, to delete all files with names that start with “test” from flash memory, if flash memory has the current management focus, enter a command such as the following.
    BigIron RX# delete test*.*
    For example, to delete all files on the flash card in slot 2, if flash memory has the current management focus, you can enter one of the following commands.
  • Page 127: Appending A File To Another File

    Flash memory and PCMCIA flash card file management commands Appending a file to another file You can append a file in flash memory or on a flash card to the end of another file in one of these file systems. The software attempts to append one file to another in the file system that has the current management focus.
  • Page 128 Flash memory and PCMCIA flash card file management commands
    • Load a running-config from a flash card or TFTP server into the device’s running-config (loading ACLs only)
    NOTE
    The copy options require you to explicitly specify the flash card. Therefore, you can perform a copy regardless of the flash card that currently has the management focus.
  • Page 129 Flash memory and PCMCIA flash card file management commands
    Copying software images between active and standby management modules
    To copy the monitor image from flash memory of the active management module to flash memory of the standby module, enter the following command.
    BigIron RX# copy flash flash monitor standby
    Syntax: copy flash flash monitor standby
    To copy the BigIron RX Series Multi-Service IronWare image from the secondary location in the...
  • Page 130 Flash memory and PCMCIA flash card file management commands
    BigIron RX# copy flash tftp 10.10.10.1 secondary.bak secondary
    Syntax: copy flash tftp <ip-addr> <dest-file-name> primary | secondary
    Copying files between a flash card and a TFTP server
    You can use the following methods to copy files between a flash card and a TFTP server.
    NOTE
    The BigIron RX Series system must have network access to the TFTP server.
  • Page 131 Flash memory and PCMCIA flash card file management commands This command copies the startup configuration from the device’s flash memory to a flash card in slot 1 and names the file mfgtest.cfg. Copying the startup-config file between flash memory and a TFTP server Use the following methods to copy a startup-config between flash memory and a TFTP server to which the BigIron RX Series system has access.
  • Page 132: Copying Files Using The Cp Command

    Flash memory and PCMCIA flash card file management commands
    Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> running
    The command in this example changes the device’s active configuration based on the information in the file. To copy a running-config from a TFTP server, enter a command such as the following.
    BigIron RX# copy tftp running-config 10.10.10.1 run.cfg overwrite
    Syntax: copy tftp running-config <ip-addr>...
  • Page 133: Loading The Software

    Flash memory and PCMCIA flash card file management commands Loading the software By default, the management module loads its BigIron RX Series Multi-Service IronWare image from the primary location in flash memory. You can change the system’s BigIron RX Series Multi-Service IronWare image source to one of the following sources for one reboot or for all future reboots: •...
  • Page 134: Saving Configuration Changes

    Flash memory and PCMCIA flash card file management commands
    To reboot the system from a BOOTP server, enter the following command.
    BigIron RX# boot system bootp
    Syntax: boot system bootp
    Configuring the boot source for future reboots
    To change the BigIron RX Series Multi-Service IronWare image source from the primary location in flash memory to another source for future reboots, enter a command such as the following at the global CONFIG level of the CLI.
  • Page 135: File Management Messages

    Flash memory and PCMCIA flash card file management commands
    BigIron RX# locate startup-config slot1 switch1.cfg
    BigIron RX# write memory
    The first command in this example sets the device to save configuration changes to the file named “switch1.cfg” in the flash card in slot 1. The second command saves the running-config to the switch1.cfg file on the flash card in slot 1.
  • Page 136 Flash memory and PCMCIA flash card file management commands
    TABLE 34 Flash card file management messages (Continued)
    This message... | Means...
    Invalid DOS file name | A filename you entered contains an invalid character (for example, “:” or “\”).
    File recovered successfully and named | A file you tried to recover was successfully recovered under the name <file-name>...
  • Page 137: Securing Access To Management Functions

    Chapter Securing Access to Management Functions
    Securing access methods
    This chapter explains how to secure access to management functions on the device.
    NOTE
    For the device, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.
    The following table lists the management access methods available on the device, how they are secured by default, and the ways in which they can be secured.
  • Page 138 Securing access methods
    TABLE 35 Ways to secure management access to the device (Continued)
    Access method | How the access method is secured by default | Ways to secure the access method | See page
    Secure Shell (SSH) access | Not configured | Configure SSH | page 913
    | | Regulate SSH access using ACLs | page 64...
  • Page 139: Restricting Remote Access To Management Functions

    Restricting remote access to management functions Restricting remote access to management functions You can restrict access to management functions from remote sources, including Telnet, the Web management interface, and SNMP. The following methods for restricting remote access are supported: • Using ACLs to restrict Telnet, Web management interface, or SNMP access •...
  • Page 140 Restricting remote access to management functions
    The ipv6 <ipv6-access-list-name> parameter specifies the IPv6 access list. To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL. For example:
    BigIron RX(config)# access-list 10 permit host 209.157.22.32
    BigIron RX(config)# access-list 10 permit 209.157.23.0 0.0.0.255
    BigIron RX(config)# access-list 10 permit 209.157.24.0 0.0.0.255
    BigIron RX(config)# access-list 10 permit 209.157.25.0/24...
  • Page 141 Restricting remote access to management functions The <num> parameter specifies the number of a standard ACL, 1 – 99. The <name> parameter specifies the standard access list name. The ipv6 <ipv6-access-list-name> parameter specifies the IPv6 access list. These commands configure ACL 12, then apply the ACL as the access list for Web management access.
  • Page 142: Restricting Remote Access To The Device To Specific

    Restricting remote access to management functions
    Configuring hardware-based remote access filtering on the device
    The following is an example of configuring the device to perform hardware filtering for Telnet access.
    BigIron RX(config)# vlan 3 by port
    BigIron RX(config-vlan-3)# untagged ethe 3/1 to 3/5
    BigIron RX(config-vlan-3)# router-interface ve 3
    BigIron RX(config-vlan-3)# exit
    BigIron RX(config)# interface ve 3...
  • Page 143: Specifying The Maximum Number Of Login Attempts For Telnet Access

    Restricting remote access to management functions
    Restricting SSH access to a specific IP address
    To allow SSH access to the device only to the host with IP address 209.157.22.39, enter the following command.
    BigIron RX(config)# ip ssh client 209.157.22.39
    Syntax: [no] ip ssh client <ip-addr> | ipv6 <ipv6-addr>
    Restricting Web Management access to a specific IP address
    To allow Web Management access to the device only to the host with IP address 209.157.22.26, enter the following command.
  • Page 144: Restricting Remote Access To The Device To Specific Vlan Ids

    Restricting remote access to management functions Restricting remote access to the device to specific VLAN IDs You can restrict management access to a device to ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods: •...
  • Page 145: Disabling Specific Access Methods

    Restricting remote access to management functions
    Restricting TFTP access to a specific VLAN
    To allow TFTP access only to clients in a specific VLAN, enter a command such as the following.
    BigIron RX(config)# tftp client enable vlan 40
    The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40.
  • Page 146: Setting Passwords

    Setting passwords
    BigIron RX(config)# web-management
    Syntax: [no] web-management
    Disabling Web management access by HP ProCurve Manager
    By default, TCP port 80 is enabled on the Brocade device. TCP port 80 (HTTP) allows access to the device’s Web management interface. By default, TCP port 280 for HP Top tools is disabled. This tool allows access to the device by HP ProCurve Manager.
  • Page 147: Setting A Telnet Password

    Setting passwords Setting a Telnet password By default, the device does not require a user name or password when you log in to the CLI using Telnet. To set the password “letmein” for Telnet access to the CLI, enter the following command at the global CONFIG level.
  • Page 148 Setting passwords
    1. At the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode.
    BigIron RX> enable
    BigIron RX#
    2. Access the CONFIG level of the CLI by entering the following command.
    BigIron RX# configure terminal
    BigIron RX(config)#
    3.
  • Page 149: Recovering From A Lost Password

    Setting passwords
    BigIron RX(config)# privilege configure level 4 ip
    In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration).
  • Page 150: Displaying The Snmp Community String

    Setting up local user accounts
    4. Enter no password at the prompt. (You cannot abbreviate this command.) This command will cause the device to bypass the system password check.
    5. Enter boot system flash primary at the prompt.
    6. After the console prompt reappears, assign a new password.
    Displaying the SNMP community string
    If you want to display the SNMP community string, enter the following commands.
  • Page 151: Configuring A Local User Account

    Setting up local user accounts • Web Management access • SNMP access Local user accounts provide greater flexibility for controlling management access to the device than do management privilege level passwords and SNMP community strings of SNMP versions 1 and 2. You can continue to use the privilege level passwords and the SNMP community strings as additional means of access authentication.
  • Page 152 Setting up local user accounts
    The privilege parameter specifies the privilege level for the account. You can specify one of the following:
    • 0 – Super User level (full read-write access)
    • 4 – Port Configuration level
    • 5 – Read Only level
    The default privilege level is 0.
  • Page 153: Username, Password And Login Rules

    Setting up local user accounts
    Using the Web Management Interface
    To change a local user password using the Web Management Interface, you must first delete the user account, then re-add it with the new password. Use the following procedure.
    NOTE
    Before you can change a local user account using the Web Management Interface, you must enable this capability by entering the CLI command "password-change any"...
  • Page 154: Configuring The Strict Password Feature

    Setting up local user accounts
    • Users must accept the message of the day when they log in.
    • Users are locked out (disabled) if they fail to log in within three login attempts.
    • The last 15 passwords are stored in the CLI.
    •...
  • Page 155 Setting up local user accounts Enter a password such as TesT12$! that contains the required character combination. Once the enable strict-password-enforcement command is enabled, you can configure the features discussed in the following sections: • “Requiring users to accept the message of the day” on page 79 •...
  • Page 156 Setting up local user accounts The <days> variable specifies the number of days before the password expires. Enter 1 – 365 days. The default is 90 days. NOTE The enable strict-password-enforcement command must be enabled before this command is configured. Otherwise, the following message is displayed: "Password expire time is enabled only if strict-password-enforcement is set".
  • Page 157: Configuring Ssl Security For The Web Management Interface

    Configuring SSL security for the Web Management Interface Configuring SSL security for the Web Management Interface When enabled, the SSL protocol uses digital certificates and public-private key pairs to establish a secure connection to the device. Digital certificates serve to prove the identity of a connecting client, and public-private key pairs provide a means to encrypt data sent between the device and the client.
  • Page 158: Generating An Ssl Certificate

    Configuring TACACS and TACACS+ security
    Syntax: [no] ip ssl certificate-data-file tftp <ip-addr> <certificate-filename>
    NOTE
    If you import a digital certificate from a client, it can be no larger than 2048 bytes.
    To import an RSA private key from a client using TFTP, enter a command such as the following.
    BigIron RX(config)# ip ssl private-key-file tftp 192.168.9.210 keyfile
    Syntax: [no] ip ssl private-key-file tftp <ip-addr>...
  • Page 159: How Tacacs+ Differs From Tacacs

    Configuring TACACS and TACACS+ security How TACACS+ differs from TACACS TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is an enhancement to TACACS and uses TCP to ensure reliable delivery. TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by separating the functions of authentication, authorization, and accounting (AAA) and by encrypting all traffic between the device and the TACACS+ server.
  • Page 160 Configuring TACACS and TACACS+ security
    4. The device sends a request containing the username and password to the TACACS server.
    5. The username and password are validated in the TACACS server’s database.
    6. If the password is valid, the user is authenticated.
    TACACS+ authentication
    When TACACS+ authentication takes place, the following events occur.
  • Page 161 Configuring TACACS and TACACS+ security
    4. If the user is authorized to use the command, the command is executed.
    TACACS+ accounting
    TACACS+ accounting works as follows.
    1. One of the following events occurs on the device:
    • A user logs into the management interface using Telnet or SSH
    •...
  • Page 162: Tacacs And Tacacs+ Configuration Considerations

    Configuring TACACS and TACACS+ security
    User action | Applicable AAA operations
    User logs out of Telnet/SSH session | Command accounting (TACACS+): aaa accounting commands <privilege-level> default start-stop <method-list>; EXEC accounting stop (TACACS+): aaa accounting exec default start-stop <method-list>
    User enters system commands (for example, reload, boot system) | Command authorization (TACACS+): aaa authorization commands <privilege-level>...
  • Page 163: Enabling Snmp To Configure Tacacs And Tacacs

    Configuring TACACS and TACACS+ security • You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select TACACS+ as the primary authentication method for Telnet CLI access, but you cannot also select RADIUS authentication as a primary method for the same type of access.
  • Page 164: Identifying The Tacacs And Tacacs+ Servers

    Configuring TACACS and TACACS+ security
    Identifying the TACACS and TACACS+ servers
    To use TACACS and TACACS+ servers to authenticate access to a device, you must identify the servers to the device. For example, to identify three TACACS and TACACS+ servers, enter commands such as the following.
  • Page 165: Setting Optional Tacacs And Tacacs+ Parameters

    Configuring TACACS and TACACS+ security
    BigIron RX(config)# tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc
    BigIron RX(config)# tacacs-server host 1.2.3.5 auth-port 49 authorization-only key def
    BigIron RX(config)# tacacs-server host 1.2.3.6 auth-port 49 accounting-only key ghi
    Syntax: tacacs-server host <ip-addr> | ipv6 <ipv6-addr> | <server-name> [auth-port <number> [authentication-only | authorization-only | accounting-only | default] [key <string>]]
    The default parameter causes the server to be used for all AAA functions.
  • Page 166: Configuring Authentication-Method Lists For Tacacs

    Configuring TACACS and TACACS+ security
    When you display the configuration of the device, the TACACS+ keys are encrypted.
    BigIron RX(config)# tacacs-server key 1 abc
    BigIron RX(config)# write terminal
    tacacs-server host 1.2.3.5 auth-port 49
    tacacs key 1 $!2d
    NOTE
    Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required;...
  • Page 167 Configuring TACACS and TACACS+ security Within the authentication-method list, TACACS and TACACS+ is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If TACACS and TACACS+ authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.
  • Page 168: Configuring Tacacs+ Authorization

    Configuring TACACS and TACACS+ security
    BigIron RX(config)# aaa authentication enable implicit-user
    Syntax: [no] aaa authentication enable implicit-user
    Telnet/SSH prompts when the TACACS+ server is unavailable
    When TACACS+ is the first method in the authentication method list, the device displays the login prompt received from the TACACS+ server.
  • Page 169 Configuring TACACS and TACACS+ security Also note that in order for the aaa authorization exec default tacacs+ command to work, either the aaa authentication enable default tacacs+ command, or the aaa authentication login privilege-mode command must also exist in the configuration. Configuring an Attribute-Value pair on the TACACS+ server During TACACS+ exec authorization, the Brocade device expects the TACACS+ server to send a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user.
  • Page 170 Configuring TACACS and TACACS+ security
    In the example above, the A-V pair configured for the Exec service is privlvl = 15. The BigIron RX uses the value in this A-V pair to set the user’s privilege level to 0 (super-user), granting the user full read-write access.
  • Page 171: Configuring Tacacs+ Accounting

    Configuring TACACS and TACACS+ security
    AAA support for console commands
    To enable AAA support for commands entered at the console, enter the following command.
    BigIron RX(config)# enable aaa console
    Syntax: [no] enable aaa console
    NOTES: AAA support for commands entered at the console can include the following:
    •...
  • Page 172: Configuring An Interface As The Source For All Tacacs And Tacacs+ Packets

    Configuring TACACS and TACACS+ security
    • 4 – Records commands available at the Port Configuration level (port-config and read-only commands)
    • 5 – Records commands available at the Read Only level (read-only commands)
    Configuring TACACS+ accounting for system events
    You can configure TACACS+ accounting to record when system events occur on the BigIron RX. System events include rebooting and when changes to the active configuration are made.
  • Page 173: Displaying Tacacs And Tacacs+ Statistics And Configuration Information

    Configuring TACACS and TACACS+ security
    Syntax: ip tacacs source-interface ethernet <portnum> | loopback <num> | ve <num>
    The <num> parameter is a loopback interface or virtual interface number. If you specify an Ethernet port, <portnum> is the port’s number (including the slot number, if you are configuring a device).
  • Page 174: Configuring Radius Security

    Configuring RADIUS security
    TABLE 37 Output of the show aaa command for TACACS and TACACS+ (Continued)
    Field | Description
    Tacacs+ Server | For each TACACS and TACACS+ server, the IP address, port, and the following statistics are displayed:
      opens: Number of times the port was opened for communication with the server
      closes: Number of times the port was closed normally
      timeouts: Number of times port was closed due to a timeout
      errors: Number of times an error occurred while opening the port...
  • Page 175: Radius Authentication

    Configuring RADIUS security
    RADIUS authentication
    When RADIUS authentication takes place, the following events occur.
    1. A user attempts to gain access to the BigIron RX by doing one of the following:
    • Logging into the device using Telnet, SSH, or the Web management interface
    •...
  • Page 176: Radius Accounting

    Configuring RADIUS security
    4. If the command list indicates that the user is authorized to use the command, the command is executed.
    RADIUS accounting
    RADIUS accounting works as follows.
    1. One of the following events occurs on the BigIron RX:
    •...
  • Page 177: Radius Configuration Considerations

    Configuring RADIUS security
    User action | Applicable AAA operations
    User enters system commands (for example, reload, boot system) | Command authorization: aaa authorization commands <privilege-level> default <method-list>; Command accounting: aaa accounting commands <privilege-level> default start-stop <method-list>; System accounting stop: aaa accounting system default start-stop <method-list>
    User enters the command: [no] aaa accounting system default... | Command authorization:
  • Page 178: Radius Configuration Procedure

    Configuring RADIUS security • You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access.
  • Page 179: Enabling Snmp To Configure Radius

    Configuring RADIUS security
    TABLE 38 Brocade vendor-specific attributes for RADIUS
    Attribute name | Attribute ID | Data type | Description
    brocade-privilege-level | | integer | Specifies the privilege level for the user. This attribute can be set to one of the following: Super User level – Allows complete read-and-write access to the system.
  • Page 180: Identifying The Radius Server To The Bigiron Rx

    Configuring RADIUS security
    Identifying the RADIUS server to the BigIron RX
    To use a RADIUS server to authenticate access to a BigIron RX, you must identify the server to the BigIron RX.
    BigIron RX(config)# radius-server host 209.157.22.99
    Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number> acct-port <number>]
    The host <ip-addr> | ipv6 <ipv6-addr>...
  • Page 181: Configuring Authentication-Method Lists For Radius

    Configuring RADIUS security Setting the RADIUS key The key parameter in the radius-server command is used to encrypt RADIUS packets before they are sent over the network. The value for the key parameter on the BigIron RX should match the one configured on the RADIUS server.
  • Page 182 Configuring RADIUS security Within the authentication-method list, RADIUS is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If RADIUS authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.
  • Page 183: Configuring Radius Authorization

    Configuring RADIUS security
    BigIron RX(config)# aaa authentication enable implicit-user
    Syntax: [no] aaa authentication enable implicit-user
    Configuring RADIUS authorization
    The device supports RADIUS authorization for controlling access to management functions in the CLI. Two kinds of RADIUS authorization are supported:
    • Exec authorization determines a user’s privilege level when they are authenticated
    •...
  • Page 184 Configuring RADIUS security
    Syntax: aaa authorization commands <privilege-level> default radius | tacacs+ | none
    The <privilege-level> parameter can be one of the following:
    • 0 – Authorization is performed (that is, the BigIron RX looks at the command list) for commands available at the Super User level (all commands)
    •...
  • Page 185: Configuring Radius Accounting

    Configuring RADIUS security
    Configuring RADIUS accounting
    The device supports RADIUS accounting for recording information about user activity and system events. When you configure RADIUS accounting on the device, information is sent to a RADIUS accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
  • Page 186: Configuring An Interface As The Source For All Radius

    Configuring RADIUS security
    Configuring an interface as the source for all RADIUS packets
    You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all RADIUS packets from the device. Identifying a single source IP address for RADIUS packets provides the following benefits:
    •...
  • Page 187 Configuring RADIUS security
    BigIron RX# show aaa
    Tacacs+ key: brocade
    Tacacs+ retries: 1
    Tacacs+ timeout: 15 seconds
    Tacacs+ dead-time: 3 minutes
    Tacacs+ Server: 207.95.6.90 Port:49:
      opens=6 closes=3 timeouts=3 errors=0
      packets in=4 packets out=4
      no connection
    Radius key: networks
    Radius retries: 3
    Radius timeout: 3 seconds
    Radius dead-time: 3 minutes
    Radius Server:...
  • Page 188: Configuring Authentication-Method Lists

    Configuring authentication-method lists Configuring authentication-method lists To implement one or more authentication methods for securing access to the device, you configure authentication-method lists that set the order in which the authentication methods are consulted. In an authentication-method list, you specify the access method (Telnet, Web, SNMP, and so on) and the order in which the device tries one or more of the following authentication methods: •...
  • Page 189: Configuration Considerations For Authentication

    Configuring authentication-method lists Configuration considerations for authentication-method lists Consider the following before configuring authentication-method lists: • For CLI access, you must configure authentication-method lists if you want the device to authenticate access using local user accounts or a RADIUS server. Otherwise, the device will authenticate using only the locally based password for the Super User privilege level.
  • Page 190 Configuring authentication-method lists To configure an authentication-method list for the Privileged EXEC and CONFIG levels of the CLI, enter the following command. BigIron RX(config)# aaa authentication enable default local This command configures the device to use the local user accounts to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI.
  • Page 191 Configuring authentication-method lists TABLE 40 Authentication method values (Continued) Method parameter Description radius Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command. none Do not use any authentication method. The device automatically permits access.
  • Page 193: Configuring Basic Parameters

    Chapter Configuring Basic Parameters This chapter describes how to configure basic system parameters. The software comes with default parameters to allow you to begin using the basic features of the system immediately. However, many advanced features, such as VLANs or routing protocols for the router, must first be enabled at the system (global) level before they can be configured.
  • Page 194: Configuring Simple Network Management Protocol Traps

    Configuring Simple Network Management Protocol traps Configuring Simple Network Management Protocol traps This section explains how to do the following: • Specify an SNMP trap receiver. • Specify a source address and community string for all traps that the device sends. •...
  • Page 195: Specifying A Single Trap Source

    Configuring Simple Network Management Protocol traps The port <value> parameter specifies the UDP port that will be used to receive traps. This parameter allows you to configure several trap receivers in a system. With this parameter, IronView Network Manager and another network management application can coexist in the same system. The device can be configured to send copies of traps to more than one network management application.
  • Page 196: Disabling Snmp Traps

    Configuring Simple Network Management Protocol traps You can change the holddown time to a value from one second to ten minutes. To change the holddown time for SNMP traps, enter a command such as the following at the global CONFIG level of the CLI. BigIron RX(config)# snmp-server enable traps holddown-time 30 The command changes the holddown time for SNMP traps to 30 seconds.
  • Page 197: Disabling Syslog Messages And Traps For Cli Access

    Configuring Simple Network Management Protocol traps Disabling Syslog messages and traps for CLI access The device sends Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI. The feature, enabled by default, applies to users whose access is authenticated by an authentication-method list based on a local user account, RADIUS server, or TACACS and TACACS+ server.
  • Page 198: Configuring An Interface As Source For All Telnet Packets

    Configuring an interface as source for all Telnet packets The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.
  • Page 199: Cancelling An Outbound Telnet Session

    Configuring an interface as the source for all TFTP packets BigIron RX(config)# interface ethernet 1/4 BigIron RX(config-if-e10000-1/4)# ip address 209.157.22.110/24 BigIron RX(config-if-e10000-1/4)# exit BigIron RX(config)# ip telnet source-interface ethernet 1/4 Cancelling an outbound Telnet session If you want to cancel a Telnet session from the console to a remote Telnet server (for example, if the connection is frozen), you can terminate the Telnet session by doing the following.
  • Page 200: Specifying A Simple Network Time Protocol (Sntp) Server

    Specifying a Simple Network Time Protocol (SNTP) server The commands in this example configure virtual interface 1, assign IP address 10.0.0.4/24 to the interface, then designate the interface's address as the source address for all Syslog packets. Syntax: [no] ip syslog source-interface ethernet [<slotnum>/]<portnum> | loopback <num> | ve <num>...
  • Page 201 Specifying a Simple Network Time Protocol (SNTP) server TABLE 41 Output from the show sntp associations command This field... Displays... (leading character) One or both of the following: Synchronized to this peer Peer is statically configured address IP address of the peer ref clock IP address of the peer’s reference clock NTP stratum level of the peer...
  • Page 202: Setting The System Clock

    Setting the system clock Setting the system clock In addition to SNTP support, the device also allows you to set the system time counter. It starts the system time and date clock with the time and date you specify. The time counter setting is not retained across power cycles and is not automatically synchronized with an SNTP server.
  • Page 203: New Daylight Saving Time (Dst)

    Configuring CLI banners • GMT + 10:30 • GMT + 09:30 • GMT + 06:30 • GMT + 05:30 • GMT + 04:30 • GMT + 03:30 • GMT - 03:30 • GMT - 08:30 • GMT - 09:30 To change the time zone to Australian East Coast time (which is normally 10 hours ahead of GMT), enter the following command.
  • Page 204: Setting A Message Of The Day Banner

    Configuring CLI banners Setting a message of the day banner You can configure the device to display a message on a user’s terminal when he or she establishes a Telnet CLI session. For example, to display the message “Welcome to BigIron RX!” when a Telnet CLI session is established.
  • Page 205: Displaying A Message On The Console When An Incoming Telnet Session Is Detected

    Configuring terminal display As with the banner motd command, you begin and end the message with a delimiting character; in this example, the delimiting character is # (pound sign). To remove the banner, enter the no banner exec_mode command. Syntax: [no] banner exec_mode <delimiting-character> Displaying a message on the console when an incoming Telnet session is detected You can configure the device to display a message on the Console when a user establishes a Telnet...
  • Page 206: Enabling Or Disabling Routing Protocols

    Enabling or disabling routing protocols BigIron RX(config)# show terminal Length: 24 lines Page display mode (session): enabled Page display mode (global): enabled Syntax: show terminal Enabling or disabling routing protocols The BigIron RX supports the following protocols: • BGP4 • DVMRP •...
  • Page 207 Displaying and modifying system parameter default settings • ARP entries • IP routes • IP route filters • IP subnets per port and per device • Static routes The tables you can configure, as well as the defaults and valid ranges for each table, differ depending on the device you are configuring.
  • Page 208 Displaying and modifying system parameter default settings BigIron RX# show default values telnet@ro(config)#show default values sys log buffers:50 mac age time:300 sec telnet sessions:5 ip arp age:10 min bootp relay max hops:4 ip ttl:64 hops ip addr per intf:24 when multicast enabled : igmp group memb.:140 sec igmp query:60 sec when ospf enabled :...
  • Page 209: Enabling Or Disabling Layer 2 Switching

    Enabling or disabling Layer 2 switching Information for the configurable tables appears under the columns shown in bold type. To simplify configuration, the command parameter you enter to configure the table is used for the table name. For example, to increase the capacity of the IP route table, enter the following commands. BigIron RX(config)# system-max ip-route 120000 BigIron RX(config)# write memory BigIron RX(config)# exit...
  • Page 210: Cam Partitioning For The Bigiron Rx

    CAM partitioning for the BigIron RX To globally disable Layer 2 switching on the device, enter commands such as the following. BigIron RX(config)# route-only BigIron RX(config)# exit BigIron RX# write memory BigIron RX# reload To re-enable Layer 2 switching globally, enter the following. BigIron RX(config)# no route-only BigIron RX(config)# exit BigIron RX# write memory...
  • Page 211: Nexthop Table

    CAM partitioning for the BigIron RX The total amount of CAM entries available is 1024 for each packet processor. If you want to configure 600 for ACLs, 168 for PBR and Rate Limiters, and 256 for IPv6 multicast forwarding entries, enter commands such as the following. BigIron RX(config)#cam-partition rw session 768 BigIron RX(config)#cam-partition rw session rule-partition 600 If you want to configure 2 ACL entries and 2 IPv6 entries and 1020 Rate Limiting entries, enter a...
  • Page 212: Changing The Mac Age Time

    Changing the MAC age time As of release 02.4.00, the Nexthop table is user configurable. If the router is installed in a network where there are many directly connected hosts, then the size of one-path partition should be increased. To configure the partition, use a command such as the following. BigIron RX(config)# cam-partition next-hop 2048 1024 512 512 The above command partitions the next-hop table into 2048 one-path, 1024 two-path, 512 four-path and 512 eight-path entries.
  • Page 213: Pinging An Ipv4 Address

    Pinging an IPv4 address Pinging an IPv4 address To verify that a BigIron RX device can reach another device through the network, enter a command such as the following at any level of the CLI on the BigIron RX device: BigIron RX>...
  • Page 214 Pinging an IPv4 address U = Indicates that a destination unreachable error PDU was received. I = Indicates that the user interrupted ping. NOTE The number of ! characters displayed may not correspond to the number of successful replies by the ping command.
  • Page 215: Configuring Interface Parameters

    Chapter Configuring Interface Parameters Assigning a port name NOTE To modify Layer 2, Layer 3, or Layer 4 features on a port, refer to the appropriate section in this chapter or other chapters. For example, to modify Spanning Tree Protocol (STP) parameters for a port, refer to “Changing STP port parameters”...
  • Page 216: Speed/Duplex Negotiation

    Speed/Duplex negotiation Speed/Duplex negotiation Speed/Duplex Negotiation detects the speed (10 Mbps, 100 Mbps, 1000 Mbps) and duplex (half-duplex or full-duplex) settings of the device on the other end of the wire and subsequently adjusts to match those settings. Each of the 10/100/1000BaseTX ports is designed to auto-sense and auto-negotiate the speed and mode of the connected device.
  • Page 217: Disabling Or Re-Enabling A Port

    Disabling or re-enabling a port BigIron RX(config)#interface ethernet 2/4 BigIron RX(config-if-e10000-2/4)#speed-duplex 1000-slave Syntax: [no] speed-duplex {auto |1000-master |1000-slave |1000-full | 100-full | 100-half | 10-full | 10-half} auto - Autonegotiation 1000-master - Forces 1000 Mbps master port 1000-slave - Forces 1000 Mbps slave port 1000-full - Forces 1000 Mbps full-duplex operation 1000-half - Forces 100 Mbps half-duplex operation 100-full - Forces 100 Mbps full-duplex operation...
  • Page 218: Changing The Negotiation Mode

    Disabling or re-enabling flow control • neg-full-auto – The port first tries to perform a negotiation with its peer port to exchange capability information. If the other port does not respond, the port reverts to the Negotiation-off state. • auto-gig – The port tries to perform a negotiation with its peer port to exchange capability information.
  • Page 219: Locking A Port To Restrict Addresses

    Locking a port to restrict addresses The device generates 802.3x PAUSE frames when the number of buffers available to a module's Buffer Manager (BM) drops below a threshold value. A module's BM can start running out of buffers when a port receives more traffic than it can handle. In addition, the device drops the lowest priority traffic when the number of available buffers drops below a second threshold.
  • Page 220: Port Transition Hold Timer

    Port transition hold timer NOTE With the wait-for-all-cards command enabled, 10G ports will come up before 1G ports because Multi-Service IronWare software processes 10G port state changes first. Port transition hold timer Using the delay-link-event command will delay the sending of port "up" or "down" events to Layer 2 protocols.
  • Page 221 Port transition hold timer • The sampling time or window (the time during which the specified toggle threshold can occur before the wait period is activated) is triggered when the first "up to down" transition occurs. • "Up to down" transitions include UDLD-based toggles, as well as the physical link state. Configuring port flap dampening on an interface This feature is configured at the interface level.
  • Page 222: Modifying Port Priority (Qos)

    Modifying port priority (QoS) Modifying port priority (QoS) You can give preference to the inbound traffic on specific ports by changing the Quality of Service (QoS) level on those ports. For information and procedures, refer to Chapter 18, “Configuring Quality of Service”.
  • Page 223 Assigning a mirror port and monitor ports NOTE You cannot monitor outbound traffic from one-armed router traffic. NOTE Mirror (analyzer) ports cannot be assigned to the 16x10 card. You can monitor traffic on 16x10 ports.
  • Page 224: Monitoring An Individual Trunk Port

    Monitoring an individual trunk port The following example configures two mirror ports on the same module and one mirror port on another module. It will illustrate how inbound traffic is mirrored to the two mirror ports on the same module even if the traffic is configured to be mirrored to only one mirror port on the module. BigIron RX(config)# mirror-port ethernet 1/1 BigIron RX(config)# mirror-port ethernet 1/2 BigIron RX(config)# mirror-port ethernet 2/1...
  • Page 225: Mirror Ports For Policy-Based Routing (Pbr) Traffic

    Mirror ports for Policy-Based Routing (PBR) traffic BigIron RX(config)# mirror ethernet 2/1 BigIron RX(config)# trunk switch ethernet 4/1 to 4/8 BigIron RX(config-trunk-4/1-4/8)# config-trunk-ind BigIron RX(config-trunk-4/1-4/8)# monitor ethe-port-monitored 4/5 ethernet 2/1 in Syntax: [no] config-trunk-ind Syntax: [no] monitor ethe-port-monitored <portnum> | named-port-monitored <portname> ethernet <slot>/<portnum>...
  • Page 226: Configuring Mirror Ports For Pbr Traffic

    Displaying mirror and monitor port configuration Configuring mirror ports for PBR traffic When you configure a physical or virtual port to act as a mirror port for PBR traffic, outgoing packets that match the permit Access Control List (ACL) clause in the route map are copied to the mirror ports that you specify.
  • Page 227: Enabling Wan Phy Mode Support

    Enabling WAN PHY mode support Syntax: show monitor config This output does not display the input traffic mirrored to mirror port 1/2 from port 3/1 and mirrored to mirror port 1/1 from port 4/1 because the mirroring of this traffic is not explicitly configured.
  • Page 229: Configuring Ip

    Chapter Configuring IP Overview of configuring IP The Internet Protocol (IP) is enabled by default. This chapter describes how to configure IP parameters on the device. The IP packet flow Figure 5 shows how an IP packet moves through a device. FIGURE 5 IP Packet flow through a device Static ARP...
  • Page 230: Arp Cache Table

    The IP packet flow 1. When the device receives an IP packet, the device checks for IP ACL filters on the receiving interface. If a deny filter on the interface denies the packet, the device discards the packet and performs no further processing. If logging is enabled for the filter, then the device generates a Syslog entry and SNMP trap message.
  • Page 231: Ip Route Table

    The IP packet flow The software places an entry from the static ARP table into the ARP cache when the entry’s interface comes up. Here is an example of a static ARP entry. Index IP Address MAC Address Port 207.95.6.111 0800.093b.d210 Each entry lists the information you specified when you created the entry.
  • Page 232: Ip Forwarding Cache

    Basic IP parameters and defaults To configure a static IP route, refer to “Configuring static routes” on page 198. To clear a route from the IP route table, refer to “Clearing IP routes” on page 231. To increase the size of the IP route table for learned and static routes, refer to “Displaying and modifying system parameter default settings”...
  • Page 233: When Parameter Changes Take Effect

    Basic IP parameters and defaults When parameter changes take effect Most IP parameters described in this chapter are dynamic. They take effect immediately, as soon as you enter the CLI command. You can verify that a dynamic change has taken effect by displaying the running configuration.
  • Page 234 Basic IP parameters and defaults TABLE 43 IP global parameters (Continued) Parameter Description Default See page... ARP rate limiting Lets you specify a maximum number of ARP packets the device Disabled page 188 will accept each second. If the device receives more ARP packets than you specify, the device drops additional ARP packets for the remainder of the one-second interval.
  • Page 235 Basic IP parameters and defaults TABLE 43 IP global parameters (Continued) Parameter Description Default See page... ICMP Router An IP protocol a router can use to advertise the IP addresses of its Disabled page 214 Discovery Protocol router interfaces to directly attached hosts. You can enable or (IRDP) disable the protocol, and change the following protocol parameters:...
  • Page 236: Ip Interface Parameters

    Basic IP parameters and defaults TABLE 43 IP global parameters (Continued) Parameter Description Default See page... Static route An IP route you place in the IP route table. No entries page 198 Source interface The IP address the router uses as the source address for Telnet, The lowest-numbered IP page 183 RADIUS, or TACACS and TACACS+ packets originated by the router.
  • Page 237: Configuring Ip Parameters

    Configuring IP parameters TABLE 44 IP interface parameters (Continued) Parameter Description Default See page... DHCP gateway stamp The router can assist DHCP/BootP Discovery packets from one The lowest-numbered IP page 220 subnet to reach DHCP/BootP servers on a different subnet by address on the interface that placing the IP address of the router interface that receives the receives the request...
  • Page 238 Configuring IP parameters NOTE Once you configure a virtual routing interface on a VLAN, you cannot configure Layer 3 interface parameters on individual ports in the VLAN. Instead, you must configure the parameters on the virtual routing interface itself. Also, once an IP address is configured on an interface, the hardware is programmed to route all IP packets that are received on the interface.
  • Page 239 Configuring IP parameters Assigning an IP address to a loopback interface Loopback interfaces are always up, regardless of the states of physical interfaces. They can add stability to the network because they are not subject to route flap problems that can occur due to unstable links between a device and other devices.
  • Page 240: Changing The Network Mask Display To Prefix Format

    Configuring IP parameters Syntax: interface ve <num> The <num> parameter specifies the virtual interface number. You can specify from 1 to the maximum number of virtual interfaces supported on the device. To display the maximum number of virtual interfaces supported on the device, enter the show default values command. The maximum is listed in the System Parameters section, in the Current column of the virtual-interface row.
  • Page 241: Gre Ip Tunnel

    Configuring IP parameters GRE IP tunnel The BigIron RX allows the tunneling of packets of the following protocols over an IP network using the Generic Routing Encapsulation (GRE) mechanism as described in RFC 2784: • OSPF • IS-IS point-to-point Using this feature, packets of these protocols can be encapsulated inside a transport protocol packet at a tunnel source and delivered to a tunnel destination where they are unpacked and made available for delivery.
  • Page 242: Configuring A Tunnel Interface

    Configuring IP parameters • GRE Encapsulation • Loopback address for the Tunnel (required for de-encapsulation) • IP address for the Tunnel NOTE Sustained rates of small packet sizes may affect the ability of a 10 gigabit Ethernet port to maintain line rate GRE encapsulation and de-encapsulation performance.
  • Page 243 Configuring IP parameters Configuring a loopback port for a tunnel interface On the device, a loopback port is required for de-encapsulating a packet exiting the tunnel. Fiber-optic components must be present on the interface module for the loopback port to work. Therefore, consider the following configuration rules for a loopback port: •...
  • Page 244 Configuring IP parameters FIGURE 7 GRE IP tunnel configuration example (figure not reproduced; it shows BigIron RX A, port 3/1, 36.0.8.108, and BigIron RX B, port 5/1, 131.108.5.2, connected across the Internet between networks 10.10.1.0/24 and 10.10.2.0/24) Configuration example for BigIron RX A BigIron RX (config)# interface ethernet 3/1 BigIron RX (config-if-e1000-3/1)# ip address 36.0.8.108/24 BigIron RX (config)# exit BigIron RX (config)# interface tunnel 1 BigIron RX(config-tnif-1)# tunnel loopback 4/1...
  • Page 245 Configuring IP parameters Syntax: show ip interface tunnel <tunnel-no> This display shows the following information. TABLE 45 CLI display of interface IP configuration information This field... Displays... Interface The tunnel and tunnel number. The IP address of the tunnel interface. IP-Address Whether the IP address has been configured on the tunnel interface.
  • Page 246: Ipv6 Over Ipv4 Tunnels In Hardware

    Configuring IP parameters IPv6 over IPv4 tunnels in hardware To enable communication between the isolated IPv6 domains using the IPv4 infrastructure, you can configure IPv6 over IPv4 tunnels. Brocade supports the following IPv6 over IPv4 tunneling in hardware mechanisms: • Manually configured tunnels In general, a manually configured tunnel establishes a permanent link between routers in IPv6 domains.
  • Page 247 Configuring IP parameters BigIron RX(config)# interface tunnel 1 BigIron RX(config-tnif-1)#tunnel source ethernet 3/1 BigIron RX(config-tnif-1)#tunnel destination 198.162.100.1 BigIron RX(config-tnif-1)#tunnel mode ipv6ip BigIron RX(config-tnif-1)#ipv6 address 2001:b78:384d:34::/64 eui-64 This example creates tunnel interface 1 and assigns a global IPv6 address with an automatically computed EUI-64 interface ID to it.
  • Page 248 Configuring IP parameters BigIron RX# show ipv6 tunnel IP6 Tunnels Tunnel Mode Packet Received Packet Sent configured configured 22419 Syntax: show ipv6 tunnel This display shows the following information. TABLE 46 IPv6 tunnel information This field... Displays... Tunnel The tunnel interface number. Mode The tunnel mode.
  • Page 249 Configuring IP parameters TABLE 47 IPv6 tunnel interface information (Continued) This field... Displays... Tunnel source The tunnel source can be one of the following: • An IPv4 address • The IPv4 address associated with an interface or port. Tunnel destination The tunnel destination can be an IPv4 address.
  • Page 250: Configuring Domain Name Server (Dns) Resolver

    Configuring IP parameters Configuring Domain Name Server (DNS) resolver The DNS resolver lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a device and thereby recognize all hosts within that domain. After you define a domain name, the device automatically appends the appropriate domain to the host and forwards it to the domain name server.
  • Page 251: Adding Host Names To The Dns Cache Table

    Configuring IP parameters Use the no form of the command to remove a domain name from the domain-list. Displaying the domain name list To determine what domain names have been configured in the domain list, enter the following command. BigIron RX(config)#show ip dns domain-list Total number of entries : 3 Primary Domain Name: Domain Name List:...
  • Page 252 Configuring IP parameters Static cache entries You can manually add entries to the DNS cache table if you know a host’s complete, qualified name and its IP address. To add host names and their IP addresses to the DNS cache table, enter commands such as the following.
  • Page 253 Configuring IP parameters TABLE 48 The show ip dns cache-table output This field... Displays... Host The complete, qualified domain name of the host. Flag Indicates if the entry is dynamic or static and if the information for the domain is up to date: •...
  • Page 254 Configuring IP parameters Syntax: show ip dns server-list Debugging the DNS feature To debug the DNS feature enter the following command. BigIron RX#debug ip dns IP: dns debugging is on Syntax: debug ip dns Using a DNS name to initiate a trace route Suppose you want to trace the route from a device to a remote server identified as NYC02 on domain newyork.com.
  • Page 255: Configuring Packet Parameters

    Configuring packet parameters Type Control-c to abort Sending DNS Query to 209.157.22.199 Tracing Route to IP node 209.157.22.80 To ABORT Trace Route, Please use stop-traceroute command. Traced route to target IP node 209.157.22.80: IP Address Round Trip Time1 Round Trip Time2 207.95.6.30 93 msec 121 msec...
  • Page 256: Setting Maximum Frame Size Per Ppcr

    Configuring packet parameters The control portions of these packets differ slightly. All IP devices on an Ethernet network must use the same format. The device uses Ethernet II by default. You can change the IP encapsulation to Ethernet SNAP on individual ports if needed. NOTE All devices connected to the device port must use the same encapsulation type.
  • Page 257: Changing The Mtu

    Configuring packet parameters To configure the untagged max-frame-size on a VLAN, enter a command such as the following at the Interface Configuration level. BigIron RX(config-vlan-20)# BigIron RX(config-vlan-20)#max-frame-size 5000 Please reload system! BigIron RX(config-vlan-20)# Syntax: max-frame-size <bytes> The <frame-size> variable specifies the maximum frame size for each port that is connected to the same PPCR as described in Table 49.
  • Page 258: Changing The Router Id

    Changing the router ID Globally changing the IP MTU To globally enable jumbo support on all ports, enter commands such as the following. BigIron RX(config)# ip mtu 5000 BigIron RX(config)# write memory Syntax: [no] ip mtu <bytes> The <bytes> parameter specifies the maximum number of bytes an Ethernet frame can have in order to be forwarded on a port.
  • Page 259: Specifying A Single Source Interface For Telnet, Tacacs, Tacacs+, Or Radius Packets

    Specifying a single source interface for Telnet, TACACS, TACACS+, or RADIUS packets NOTE If you change the router ID, all current BGP4 sessions are cleared. By default, the router ID on a device is one of the following: • If the router has loopback interfaces, the default router ID is the IP address configured on the lowest numbered loopback interface configured on the device.
  • Page 260 Specifying a single source interface for Telnet, TACACS, TACACS+, or RADIUS packets • If you specify a loopback interface as the single source for Telnet, TACACS, TACACS+, or RADIUS packets, servers can receive the packets regardless of the states of individual links. Thus, if a link to the server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
  • Page 261: Configuring An Interface As The Source For Syslog Packets

    Configuring an interface as the source for Syslog packets RADIUS packets To specify the lowest-numbered IP address configured on a virtual interface as the device’s source for all RADIUS packets, enter commands such as the following. BigIron RX(config)# int ve 1 BigIron RX(config-vif-1)# ip address 10.0.0.3/24 BigIron RX(config-vif-1)# exit BigIron RX(config)# ip radius source-interface ve 1...
  • Page 262: Ip Option Attack Protection

    Configuring an interface as the source for Syslog packets IP option attack protection An attack on the network could be accomplished using the options field of an IP packet header. For example, the source routing option makes it possible for the sender to specify a route to follow. To protect against attacks contained in the option field, devices drop any IP packet that contains an option in its header, except for packets.
  • Page 263: Configuring Arp Parameters

    Configuring ARP parameters Configuring ARP parameters Address Resolution Protocol (ARP) is a standard IP protocol that enables the device to obtain the MAC address of another device’s interface when the device knows the IP address of the interface. ARP is enabled by default and cannot be disabled. How ARP works The device needs to know a destination’s MAC address when forwarding traffic, because the device encapsulates the IP packet in a Layer 2 packet (MAC layer packet) and sends the Layer 2 packet to...
  • Page 264: Rate Limiting Arp Packets

    Configuring ARP parameters NOTE The ARP request broadcast is a MAC broadcast, which means the broadcast goes only to devices that are directly attached to the device. A MAC broadcast is not routed to other networks. However, some routers, including the device, can be configured to reply to ARP requests from one network on behalf of devices on another network.
  • Page 265 Configuring ARP parameters • The interface level configuration overrides the global configuration for a specific port. • The command is supported on Layer 3 Switches only. • There is no default value for <rate>. Enter 0–30,000. • If the value of <rate> is entered as 0, the interface will stop processing ARP packets immediately.
  • Page 266: Clearing The Rate Limit For Arp Packets

    Configuring ARP parameters Clearing the rate limit for ARP packets To clear the ARP port rate limit data on every port of the LP, enter a command such as the following. LP-1# clear ip traffic arp Changing the ARP aging period When the device places an entry in the ARP cache, the device also starts an aging timer for the entry.
  • Page 267 Configuring ARP parameters Syntax: [no] ip proxy-arp Creating static ARP entries The device has a static ARP table, in addition to the regular ARP cache. The static ARP table contains entries that you configure. Static entries are useful in cases where you want to pre-configure an entry for a device that is not connected to the device, or you want to prevent a particular entry from aging out.
  • Page 268: Creating A Floating Static Arp Entry

    Configuring ARP parameters To increase the maximum number of entries in the static ARP table you can configure, enter commands such as the following at the global CONFIG level of the CLI. BigIron RX(config)# system-max ip-static-arp 4000 BigIron RX(config)# write memory BigIron RX(config)# end BigIron RX# reload Syntax: system-max ip-static-arp <num>...
  • Page 269 Configuring ARP parameters BigIron RX(config)#ip route validate-nexthop-arp Syntax: [no] ip route validate-nexthop-arp Use the no form of the command to disable the ARP validation feature. When ARP validation is disabled, the static route will be installed without checking the validity of the next hop. Enabling the next hop validate ARP timer The next hop validate ARP timer works only on the ARP entries created when the ARP validation check feature has been enabled.
  • Page 270: Configuring Forwarding Parameters

    Configuring forwarding parameters For additional information on the command syntax, refer to the syntax of the show arp command under “Displaying the ARP cache” on page 224. Configuring forwarding parameters The following configurable parameters control the forwarding behavior of the device: •...
  • Page 271 Configuring forwarding parameters To disable the directed broadcasts, enter the following command in the CONFIG mode. BigIron RX(config)# no ip directed-broadcast To enable directed broadcasts on an individual interface instead of globally for all interfaces, enter commands such as the following. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e10000-1/1)# ip directed-broadcast Syntax: [no] ip directed-broadcast...
  • Page 272: Disabling Icmp Messages

    Configuring forwarding parameters NOTE When you enable the device for zero-based subnet broadcasts, the device still treats IP packets with all ones in the host portion as IP subnet broadcasts too. Thus, the device can be configured to support all ones only (the default) or all ones and all zeroes. NOTE This feature applies only to IP subnet broadcasts, not to local network broadcasts.
  • Page 273 Configuring forwarding parameters • Host – The destination network or subnet of the packet is directly connected to the device, but the host specified in the destination IP address of the packet is not on the network. • Network – The device cannot reach the network specified in the destination IP address of the packet.
  • Page 274: Disabling Icmp Redirect Messages

    Configuring forwarding parameters BigIron RX(config)# ip icmp unreachable host BigIron RX(config)# ip icmp unreachable network The commands shown above re-enable ICMP Unreachable Host messages and ICMP Network Unreachable messages. Disabling ICMP redirect messages You can disable or re-enable ICMP redirect messages. By default, the device sends an ICMP redirect message to the source of a misdirected packet in addition to forwarding the packet to the appropriate router.
  • Page 275: Static Route Types

    Configuring forwarding parameters Static route types You can configure the following types of static IP routes: • Standard – the static route consists of the destination network address and network mask, and the IP address of the next-hop gateway. You can configure multiple standard static routes with the same metric for load sharing or with different metrics to provide a primary route and backup routes.
  • Page 276 Configuring forwarding parameters • Path redundancy – When you add multiple static IP routes for the same destination, but give the routes different metrics or administrative distances, the device uses the route with the lowest administrative distance by default, but uses another route to the same destination if the first route becomes unavailable.
  • Page 277 Configuring forwarding parameters Configuring a static IP route To configure an IP static route with a destination address of 192.0.0.0 255.0.0.0 and a next-hop router IP address of 195.1.1.1, enter the following. BigIron RX(config)# ip route 192.0.0.0 255.0.0.0 195.1.1.1 To configure a default route, enter the following. BigIron RX(config)# ip route 0.0.0.0 0.0.0.0 To configure a static IP route with an Ethernet port instead of a next-hop address, enter a command such as the following.
  • Page 278 Configuring forwarding parameters The distance <num> parameter specifies the administrative distance of the route. When comparing otherwise equal routes to a destination, the device prefers lower administrative distances over higher ones, so make sure you use a low value for your default route. Possible values: 1 - 255.
  • Page 279: Static Route Tagging

    Configuring forwarding parameters Dropping traffic sent to the null0 interface in hardware Traffic sent to the null0 interface is dropped in hardware; that is, the CAM is programmed to discard traffic sent to the null0 interface. This improves forwarding efficiency and reduces the burden on the device’s CPU.
  • Page 280 Configuring forwarding parameters • IP load sharing – If you configure more than one static route to the same destination, and the routes have different next-hop gateways but have the same metrics, the device load balances among the routes using basic round-robin. For example, if you configure two static routes with the same metrics but to different gateways, the device alternates between the two routes.
  • Page 281 Configuring forwarding parameters When the device has multiple routes to the same destination, the device always prefers the route with the lowest metric. Generally, when you configure a static route to a destination network, you assign the route a low metric so that the device prefers the static route over other routes to the destination.
  • Page 282 Configuring forwarding parameters FIGURE 11 Standard and null static routes to the same destination network. Two static routes to 192.168.7.0/24: a standard static route through gateway 192.168.6.157 with metric 1, and a null route with metric 2. [Figure shows Router A (192.168.6.188/24) and Router B (192.168.6.157/24, 192.168.7.7/24).] When the standard static route is good, Router A uses that...
  • Page 283 Configuring forwarding parameters FIGURE 12 Standard and interface routes to the same destination network. Two static routes to 192.168.7.0/24: an interface-based route through port 1/1 with metric 1, and a standard static route through gateway 192.168.8.11 with metric 3. [Figure shows Router A (192.168.6.188/24, port 1/1 at 192.168.6.69/24, and 192.168.8.12/24).] When the route through interface 1/1 is available, Router A always...
  • Page 284: Configuring A Default Network Route

    Configuring forwarding parameters Configuring a default network route The device enables you to specify a candidate default route without the need to specify the next hop gateway. If the IP route table does not contain an explicit default route (for example, 0.0.0.0/0) or propagate an explicit default route through routing protocols, the software can use the default network route as a default route instead.
  • Page 285: Configuring Ip Load Sharing

    Configuring forwarding parameters BigIron RX(config)# show ip route Total number of IP routes: 2 Start index: 1 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default Destination Gateway Port Cost Type 209.157.20.0 0.0.0.0 209.157.22.0 0.0.0.0 4/11 This example shows two routes. Both of the routes are directly attached, as indicated in the Type column.
  • Page 286 Configuring forwarding parameters Administrative distance The administrative distance is a unique value associated with each type (source) of IP route. Each path has an administrative distance. It is used when evaluating multiple equal-cost paths to the same destination from different sources, such as RIP, OSPF and so on, but not used when performing IP load sharing.
  • Page 287 Configuring forwarding parameters • OSPF – The Path Cost associated with the path. The paths can come from any combination of inter-area, intra-area, and external Link State Advertisements (LSAs). • BGP4 – The path’s Multi-Exit Discriminator (MED) value. NOTE If the path is redistributed between two or more of the above sources before entering the IP route table, the cost can increase during the redistribution due to settings in redistribution filters.
  • Page 288: Default Route Ecmp

    Configuring forwarding parameters Changing the maximum number of load sharing paths By default, IP load sharing allows IP traffic to be balanced across up to four equal-cost paths. You can change the maximum number of paths that the device supports to a value of 2 – 8. For optimal results, set the maximum number of paths to a value equal to or greater than the maximum number of equal-cost paths that your network typically contains.
  • Page 289: Ip Receive Access List

    Configuring forwarding parameters Displaying the ECMP load sharing Use the show run command to display the ECMP load sharing. BigIron RX(config)#show run ========show run ===================== logging console hostname RW ip route 0.0.0.0/0 100.1.1.2 ip route 0.0.0.0/0 100.1.2.2 ip route 0.0.0.0/0 100.1.3.2 ip route 0.0.0.0/0 100.1.4.2 ip route 10.0.0.0/8 10.43.2.1 ip route 40.0.0.0/24 100.1.1.2...
  • Page 290: Configuring Irdp

    Configuring forwarding parameters BigIron RX(config)# ip receive access-list 10 Syntax: [no] ip receive access-list <num> Specify an access list number for <num>. The IP receive ACL is applied globally to all interfaces on the device. Displaying IP receive access list To determine if IP receive access list has been configured on the device, enter the following command.
  • Page 291: Enabling Irdp Globally

    Configuring forwarding parameters • Hold time – Each Router Advertisement message contains a hold time value. This value specifies the maximum amount of time the host should consider an advertisement to be valid until a newer advertisement arrives. When a new advertisement arrives, the hold time is reset. The hold time is always longer than the maximum advertisement interval.
  • Page 292: Configuring Udp Broadcast And Ip Helper Parameters

    Configuring forwarding parameters The maxadvertinterval parameter specifies the maximum amount of time the device waits between sending Router Advertisements. You can specify a value from 1 to the current value of the holdtime parameter. The default is 600 seconds. The minadvertinterval parameter specifies the minimum amount of time the device can wait between sending Router Advertisements.
  • Page 293 Configuring forwarding parameters NOTE As shown above, forwarding support for BootP/DHCP is enabled by default. If you are configuring the device to forward BootP/DHCP requests, refer to “Configuring BootP/DHCP forwarding parameters” on page 218. You can enable forwarding for other applications by specifying the application port number. You also can disable forwarding for an application.
  • Page 294: Configuring Bootp/Dhcp Forwarding Parameters

    Configuring forwarding parameters • tftp (port 69) In addition, you can specify any UDP application by using the application’s UDP port number. The <udp-port-num> parameter specifies the UDP application port number. If the application you want to enable is not listed above, enter the application port number. You also can list the port number for any of the applications listed above.
  • Page 295 Configuring forwarding parameters You can configure the device to forward BootP/DHCP requests. To do so, configure a helper address on the interface that receives the client requests, and specify the BootP/DHCP server’s IP address as the address you are helping the BootP/DHCP requests to reach. Instead of the server’s IP address, you can specify the subnet directed broadcast address of the IP subnet the server is in.
  • Page 296: Displaying Ip Information

    Displaying IP information BigIron RX(config)# int e 1/1 BigIron RX(config-if-e1000-1/1)# ip bootp-gateway 109.157.22.26 These commands change the CLI to the configuration level for port 1/1, then change the BootP/DHCP stamp address for requests received on port 1/1 to 192.157.22.26. The device will place this IP address in the Gateway Address field of BootP/DHCP requests that the device receives on port 1/1 and forwards to the BootP/DHCP server.
  • Page 297 Displaying IP information • OSPF information – refer to “Displaying OSPF information” on page 720. • BGP4 information – refer to “Displaying BGP4 information” on page 824. • DVMRP information – refer to “Displaying information about an upstream neighbor device” on page 655 •...
  • Page 298 Displaying IP information TABLE 51 CLI display of global IP configuration information (Continued) This field... Displays... bootp-relay-max-hops The maximum number of hops away a BootP server can be located from the Brocade router and still be used by the router’s clients for network booting. To change this value, refer to “Changing the maximum number of hops to a BootP relay server”...
  • Page 299: Displaying Ip Interface Information

    Displaying IP information TABLE 51 CLI display of global IP configuration information (Continued) This field... Displays... Port The Layer 4 TCP or UDP port the policy checks for in packets. The port can be displayed by its number or, for port types the router recognizes, by the well-known name.
  • Page 300: Displaying Interface Name In Syslog

    Displaying IP information BigIron RX# show ip interface ethernet 1/1 Interface Ethernet 1/1 port state: UP ip address: 192.168.9.51 subnet mask: 255.255.255.0 encapsulation: ETHERNET, mtu: 1500, metric: 1 directed-broadcast-forwarding: disabled proxy-arp: disabled ip arp-age: 10 minutes Ip Flow switching is disabled No Helper Addresses are configured.
  • Page 301 Displaying IP information BigIron RX# show arp Total number of ARP entries: 5 IP Address MAC Address Type Port 207.95.6.102 0800.5afc.ea21 Dynamic 207.95.6.18 00a0.24d2.04ed Dynamic 207.95.6.54 00a0.24ab.cd2b Dynamic 207.95.6.101 0800.207c.a7fa Dynamic 207.95.6.211 00c0.2638.ac9c Dynamic Syntax: show arp [ve <decimal> | ethernet <slot/port> | mac-address <xxxx.xxxx.xxxx> [<mask>] | <ip-addr>...
  • Page 302: Displaying The Forwarding Cache

    Displaying IP information TABLE 53 CLI display of ARP cache (Continued) This field... Displays... The number of minutes the entry has remained unused. If this value reaches the ARP aging period, the entry is removed from the table. To display the ARP aging period, refer to “Displaying global IP configuration information”...
  • Page 303 Displaying IP information BigIron RX> show ip cache Cache Entry Usage on LPs: Module Host Network Free Total 204788 204800 Syntax: show ip cache [<ip-addr>] [| begin <expression> | exclude <expression> | include <expression>] The <ip-addr> parameter displays the cache entry for the specified IP address. The show ip cache command shows the forwarding cache usage on each interface module CPU.
  • Page 304: Displaying The Ip Route Table

    Displaying IP information TABLE 55 CLI display of IP forwarding cache (Continued) This field... Displays... Type The type of host entry, which can be one or more of the following: • D – Dynamic • P – Permanent • F – Forward •...
  • Page 305 Displaying IP information The <num> option displays the route table entry whose row number corresponds to the number you specify. For example, if you want to display the tenth row in the table, enter “10”. The <ip-addr> parameter displays the route to the specified IP address. The <ip-mask>...
  • Page 306 Displaying IP information BigIron RX(config)# show ip route 209.159.0.0/16 longer Starting index: 1 B:BGP D:Directly-Connected R:RIP S:Static O:OSPF Destination NetMask Gateway Port Cost Type 52 209.159.38.0 255.255.255.0 207.95.6.101 1/1 1 S 53 209.159.39.0 255.255.255.0 207.95.6.101 1/1 1 S 54 209.159.40.0 255.255.255.0 207.95.6.101 1/1 1 S 55 209.159.41.0 255.255.255.0 207.95.6.101 1/1 1 S 56 209.159.42.0 255.255.255.0 207.95.6.101 1/1 1 S 57 209.159.43.0 255.255.255.0 207.95.6.101 1/1 1 S...
  • Page 307: Clearing Ip Routes

    Displaying IP information TABLE 56 CLI display of IP route table (Continued) This field... Displays... Type The route type, which can be one of the following: • B – The route was learned from BGP. • D – The destination is directly connected to this device. •...
  • Page 308 Displaying IP information BigIron RX> sh ip traffic IP Statistics 146806 total received, 72952 mp received, 6715542 sent, 0 forwarded 0 filtered, 0 fragmented, 0 bad header 0 failed reassembly, 0 reassembled, 0 reassembly required 0 no route, 0 unknown proto, 0 no buffer, 0 other errors, 0 rpf discard ARP Statistics 19022 total recv, 35761 req recv, 475 rep recv, 2803975 req sent, 1885 rep sent...
  • Page 309 Displaying IP information TABLE 57 CLI display of IP traffic statistics (Continued) This field... Displays... ICMP statistics The ICMP statistics are derived from RFC 792, “Internet Control Message Protocol”, RFC 950, “Internet Standard Subnetting Procedure”, and RFC 1256, “ICMP Router Discovery Messages”. Statistics are organized into Sent and Received.
  • Page 310: Displaying Tcp Traffic Statistics

    Displaying IP information TABLE 57 CLI display of IP traffic statistics (Continued) This field... Displays... input errors This information is used by Brocade customer support. in segments The number of TCP segments received by the device. out segments The number of TCP segments sent by the device. retransmission The number of segments that this device retransmitted because the retransmission timer for the segment had expired before the device at the...
  • Page 311 Displaying IP information This field... Displays... active opens Number of TCP connection requests from the local router, resulting in outbound TCP SYN packets passive opens Number of TCP connection requests from remote routers or hosts, resulting in outbound TCP SYN-ACK packets failed attempts Number of unsuccessful TCP connection requests from either local or remote active resets,...
  • Page 313: Link Aggregation

    Chapter Link Aggregation Link aggregation overview This chapter describes how to configure Link Aggregation Groups (LAG). You can use a single interface to configure any of the following LAG types: • Static LAGs – These trunk groups are manually-configured aggregate links containing multiple ports.
  • Page 314 LAG formation rules • do not share the same SuperSpan customer id (or cid). • do not share the same vlan membership • do not share the same uplink vlan membership • do not share the same protocol-vlan configuration • are configured as marble primary and secondary interfaces •...
  • Page 315 LAG formation rules FIGURE 13 Example of a 1-port keep alive LAG [Figure shows ports 1/1 through 1/8 on each of two devices.] Figure 14 shows an example of a valid 2-port LAG link between devices where the ports on each end are on the same interface module.
  • Page 316: Lag Load Sharing

    LAG load sharing LAG load sharing Traffic on BigIron RX switches is load balanced over a LAG by using the Hash Based Load Sharing method. The Hash Based Load Sharing method is based on the packet type and cannot be changed.
  • Page 317: Configuration Of A Lag

    Configuration of a LAG Configuration of a LAG The following configuration procedures are used to configure a LAG. Depending upon whether you are configuring a static, dynamic or keep-alive LAG, the configuration procedures may or may not apply as described: •...
  • Page 318 Configuration of a LAG The ports added to a LAG are ethernet as specified for the slot/port where they reside. The ports can be added to the LAG sequentially as shown in the following example. BigIron RX(config-lag-blue)# ports ethernet 3/1 ethernet 7/2 ethernet 4/3 ethernet A range of ports from a single interface module can be specified.
  • Page 319 Configuration of a LAG Syntax: trunk-threshold <number> You can specify a threshold from 1 (the default) up to the number of ports in the trunk group. When a LAG is shut down because the number of ports drops below the configured threshold, the LAG is kept intact and it is re-enabled if enough ports become active to reach the threshold.
  • Page 320: Deploying A Lag

    Deploying a LAG Deploying a LAG After configuring a LAG, you must explicitly enable it before it begins aggregating traffic. This is accomplished using the deploy command within the LAG configuration. Once the deploy command is executed, the LAG is in the aggregating mode. Only the primary port within the LAG is available at the individual interface level.
  • Page 321: Configuring Acl-Based Mirroring

    Deploying a LAG Configuring ACL-based mirroring ACL-based mirroring can be configured for an individual port within a LAG using the acl-mirror-port command, as shown in the following. BigIron RX(config)# lag blue static BigIron RX(config-lag-blue)# deploy BigIron RX(config-lag-blue)# acl-mirror-port ethe-port-monitored 3/1 Syntax: [no] acl-mirror-port ethe-port-monitored [slot/port] | named-port-monitored [name] Use the ethe-port-monitored option with the appropriate [slot/port] variable to specify an Ethernet port that you want to provide ACL mirroring for.
  • Page 322: Monitoring An Individual Lag Port

    Deploying a LAG Monitoring an individual LAG port By default, when you monitor the primary port in a LAG group, aggregated traffic for all the ports in the LAG is copied to the mirror port. You can configure the device to monitor individual ports in a LAG including Ethernet, or Named ports.
  • Page 323: Setting The Sflow Sampling Rate For A Port Within A Lag

    Deploying a LAG BigIron RX(config)# lag blue static BigIron RX(config-lag-blue)# deploy BigIron RX(config-lag-blue)# sflow-forwarding ethernet 3/1 Syntax: [no] sflow-forwarding ethernet [slot/port] | port-name [text] Use the ethernet option with the appropriate [slot/port] variable to specify an Ethernet port within the LAG that you want to enable sFlow forwarding for. Use the port-name option with the appropriate [text] variable to specify a named port within the LAG that you want to enable sFlow forwarding for.
  • Page 324 Deploying a LAG === LAG "d1" (dynamic Deployed) === LAG Configuration: Ports: ethe 13/2 to 13/3 ethe 32/2 Primary Port: 32/2 LACP Key: Deployment: Trunk ID 3 Port Link L2 State Dupl Speed Trunk Tag Priori MAC Name Forward Full 10G Yes level0 0004.80a0.44d9 13/3 Forward...
  • Page 325 Deploying a LAG TABLE 58 Show LAG information (Continued) This field... Displays... Type The configured type of the LAG: static, dynamic, or keep-alive Deploy Status of LAG deployment: Y – yes, LAG is deployed. N – no, LAG is not deployed. Trunk The trunk ID number.
  • Page 326 Deploying a LAG TABLE 58 Show LAG information (Continued) This field... Displays... Indicates the link aggregation mode, which can be one of the following: • No – The mode is passive on the port. If link aggregation is enabled (and the mode is passive), the port can send and receive LACPDU messages to participate in negotiation of an aggregate link initiated by another port, but cannot search for a link aggregation port or initiate negotiation of...
  • Page 327: Displaying Lag Statistics

    Deploying a LAG TABLE 58 Show LAG information (Continued) This field... Displays... Indicates whether the port is using default link aggregation values. The port uses default values if it has not received link aggregation information through LACP from the port at the remote end of the link. This field can have one of the following values: •...
  • Page 328 Deploying a LAG GiantPkts ShortPkts InBitsPerSec OutBitsPerSec InPktsPerSec OutPktsPerSec InUtilization 0.0% OutUtilization 0.0% Syntax: show statistics [brief] lag [<lag-name>]
  • Page 329: Configuring Lldp

    Chapter Configuring LLDP Terms used in this chapter Link Layer Discovery Protocol (LLDP) – The Layer 2 network discovery protocol described in the IEEE 802.1AB standard, Station and Media Access Control Connectivity Discovery. This protocol enables a station to advertise its capabilities to, and to discover, other LLDP-enabled stations in the same 802 LAN segments.
  • Page 330: Benefits Of Lldp

    LLDP overview Figure 16 illustrates LLDP connectivity. FIGURE 16 LLDP Connectivity [Figure shows switches, a PBX, an IP phone and a PC exchanging port and device information over LLDP, each announcing its identity (“I’m a switch”, “I’m a PBX”, “I’m an IP Phone”, “I’m a PC”).]
  • Page 331: General Operating Principles

    General operating principles • Can discover devices with misconfigured or unreachable IP addresses General operating principles LLDP uses the services of the Data Link sublayers, Logical Link Control and Media Access Control, to transmit and receive information to and from other LLDP Agents (protocol entities that implement LLDP).
  • Page 332: Tlv Support

    General operating principles As shown in Figure 17, each LLDPDU has three mandatory TLVs, an End of LLDPDU TLV, plus optional TLVs as selected by network management. FIGURE 17 LLDPDU packet format [Figure shows the TLV sequence: Chassis ID TLV, Port ID TLV, Time to Live TLV, optional TLVs, End of LLDPDU TLV.]
  • Page 333 General operating principles • Organizationally-specific TLVs are optional in LLDP implementations and are defined and encoded by individual organizations or vendors. These TLVs include support for, but are not limited to, the IEEE 802.1 and 802.3 standards and the TIA-1057 standard. Brocade devices support the following Organizationally-specific TLVs: •...
  • Page 334 General operating principles Chassis ID (MAC address): 0012.f233.e2c0 The Chassis ID TLV is always the first TLV in the LLDPDU. Port ID The Port ID identifies the port from which LLDP packets were sent. There are several ways in which a port may be identified, as shown in Table 60.
  • Page 335: Mib Support

    MIB support • If the TTL field has a value other than zero, the receiving LLDP agent is notified to completely replace all information associated with the LLDP agent or port with the information in the received LLDPDU. • If the TTL field value is zero, the receiving LLDP agent is notified that all system information associated with the LLDP agent or port is to be deleted.
  • Page 336: Configuration Notes And Considerations

    Configuring LLDP TABLE 61 LLDP global configuration tasks and default behavior / value. Global task | Default behavior / value when LLDP is enabled: Enabling LLDP on a global basis | Disabled; Specifying the maximum number of LLDP neighbors per device | Automatically set to 392 neighbors per device; Specifying the maximum number of LLDP neighbors per port | Automatically set to 4 neighbors per port...
  • Page 337: Enabling And Disabling Lldp

    Configuring LLDP Enabling and disabling LLDP LLDP is enabled by default on individual ports. However, to run LLDP, you must first enable it on a global basis (on the entire device). To enable LLDP globally, enter the following command at the global CONFIG level of the CLI. BigIron RX(config)#lldp run Syntax: [no] lldp run Changing a port’s LLDP operating mode...
  • Page 338: Specifying The Maximum Number Of Lldp Neighbors

    Configuring LLDP To change a port’s LLDP operating mode from transmit only to receive only, first disable the transmit only mode, then enable the receive only mode. Enter commands such as the following. BigIron RX(config)#no lldp enable transmit ports e 2/7 e 2/8 e 2/9 BigIron RX(config)#lldp enable receive ports e 2/7 e 2/8 e 2/9 The above commands change the LLDP operating mode on ports 2/7, 2/8, and 2/9, from transmit only to receive only.
  • Page 339: Enabling Lldp Snmp Notifications And Syslog Messages

    Configuring LLDP Per device You can change the maximum number of neighbors for which LLDP data will be retained for the entire system. For example, to change the maximum number of LLDP neighbors for the entire device to 26, enter the following command.
  • Page 340: Specifying The Minimum Time Between Snmp Traps And Syslog Messages

    Configuring LLDP You can list all of the ports individually, use the keyword “to” to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
  • Page 341: Changing The Interval Between Regular Lldp Transmissions

    Configuring LLDP where <seconds> is a value between 1 and 8192. The default is two seconds. Note that this value must not be greater than one quarter of the LLDP transmission interval (CLI command lldp transmit-interval). Changing the interval between regular LLDP transmissions The LLDP transmit interval specifies the number of seconds between regular LLDP packet transmissions.
  • Page 342: Changing The Minimum Time Between Port Reinitializations

    Configuring LLDP Changing the minimum time between port reinitializations The LLDP re-initialization delay timer specifies the minimum number of seconds the device will wait from when LLDP is disabled on a port, until it will honor a request to re-enable LLDP on that port. When you enable LLDP, the system sets the re-initialization delay timer to two seconds.
  • Page 343: General System Information

    Configuring LLDP • MAC/PHY configuration and status • Maximum frame size The above TLVs are described in detail in the following sections. NOTE The system description, VLAN name, and power-via-MDI information TLVs are not automatically enabled. The following sections show how to enable these advertisements. General system information Except for the system description, the Brocade device will advertise the following system information when LLDP is enabled on a global basis:...
  • Page 344 Configuring LLDP Port description The port description TLV identifies the port from which the LLDP agent transmitted the advertisement. The port description is taken from the ifDescr MIB object from MIB-II. By default, the port description is automatically advertised when LLDP is enabled on a global basis. To disable advertisement of the port description, enter a command such as the following.
  • Page 345 Configuring LLDP You can list all of the ports individually, use the keyword “to” to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
  • Page 346 Configuring LLDP The system name will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info). System name: “BigIron RX” Syntax: [no] lldp advertise system-name ports ethernet <slotnum/portnum> | all You can list all of the ports individually, use the keyword “to” to specify ranges of ports, or a combination of both.
  • Page 347 Configuring LLDP BigIron RX(config)#lldp advertise port-protocol-vlan-id none ports e 2/4 to 2/12 The port and protocol VLAN ID advertisement will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info): Port-Protocol VLAN ID: not supported Syntax: [no] lldp advertise port-protocol-vlan-id none ports ethernet <port list>...
  • Page 348 Configuring LLDP The link-aggregation TLV indicates the following: • Whether the link is capable of being aggregated • Whether the link is currently aggregated • The primary trunk port Brocade devices advertise link aggregation information about standard link aggregation (LACP) as well as static trunk configuration.
  • Page 349: Displaying Lldp Statistics And Configuration Settings

    Configuring LLDP + 802.3 MAC/PHY : auto-negotiation enabled Advertised capabilities: 10baseT-HD, 10baseT-FD, 100baseTX-HD, 100baseTX-FD, fdxSPause, fdxBPause, 1000baseT-HD, 1000baseT-FD Operational MAU type: 100BaseTX-FD Syntax: [no] lldp advertise mac-phy-config-status ports ethernet <slotnum/portnum> | all You can list all of the ports individually, use the keyword “to” to specify ranges of ports, or a combination of both.
  • Page 350: Lldp Configuration Summary

    Configuring LLDP The show commands listed above are described in this section. LLDP configuration summary To display a summary of the LLDP configuration settings on the device, enter the show lldp command at any level of the CLI. The following shows an example report. BigIron RX#show lldp LLDP transmit interval : 10 seconds...
  • Page 351 Configuring LLDP BigIron RX#show lldp statistics Last neighbor change time: 23 hours 50 minutes 40 seconds ago Neighbor entries added : 14 Neighbor entries deleted Neighbor entries aged out Neighbor advertisements dropped : 0 Port Tx Pkts Rx Pkts Rx Pkts Rx Pkts Rx TLVs Rx TLVs Neighbors...
  • Page 352: Lldp Neighbors

    Configuring LLDP This field... Displays... Rx Pkts Total The number of LLDP packets the port received. Rx Pkts w/Errors The number of LLDP packets the port received that have one or more detectable errors. Rx Pkts Discarded The number of LLDP packets the port received then discarded. Rx TLVs Unrecognz The number of TLVs the port received that were not recognized by the LLDP local agent.
  • Page 353: Lldp Neighbors Detail

    Configuring LLDP LLDP neighbors detail The show lldp neighbors detail command displays the LLDP advertisements received from LLDP neighbors. The following shows an example show lldp neighbors detail report. NOTE The show lldp neighbors detail output will vary depending on the data received. Also, values that are not recognized or do not have a recognizable format, may be displayed in hexadecimal binary form.
  • Page 354: Lldp Configuration Details

    Configuring LLDP This field... Displays... Neighbor The source MAC address from which the packet was received, and the remaining TTL for the neighbor entry. Syntax: show lldp neighbors detail [ports ethernet <slotnum/portnum> | all] If you do not specify any ports or use the keyword all, by default, the report will show the LLDP neighbor details for all ports.
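The TLV handling that the LLDP statistics and neighbor-detail sections above describe, as an added example in Python (not Brocade code or device output): it walks an LLDPDU TLV by TLV, counts the TLVs a local agent would not recognize (the Rx TLVs Unrecognz counter), flags truncated or malformed PDUs the way a packet would be counted under Rx Pkts w/Errors, checks that the three mandatory TLVs lead the PDU, and renders known values as text and unknown ones in hexadecimal, as the note on show lldp neighbors detail says the device does. The sample PDU, its MAC address and its port name are constructed for the example.

```python
"""Added example (not Brocade's code): a minimal LLDPDU TLV parser that
mirrors the per-port counters and the neighbor-detail rendering described
in the guide.  An LLDP TLV is a 2-byte header (7-bit type, 9-bit length)
followed by the value; type 0 terminates the PDU.  The sample PDU at the
bottom is constructed; its MAC address and port name are made up."""
import struct

# Basic TLV types defined by IEEE 802.1AB; anything else (other than the
# organizationally specific type 127) counts as "unrecognized".
TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
    4: "Port Description", 5: "System Name", 6: "System Description",
    7: "System Capabilities", 8: "Management Address",
    127: "Organizationally Specific",
}


def parse_lldpdu(pdu: bytes):
    """Return (tlvs, stats).  tlvs is a list of (type, value); stats follows
    the meaning of the show lldp statistics columns: TLVs received, TLVs not
    recognized by the local agent, and whether the PDU had a detectable error."""
    tlvs = []
    stats = {"rx_tlvs_total": 0, "rx_tlvs_unrecognized": 0, "error": None}
    off = 0
    while off + 2 <= len(pdu):
        hdr, = struct.unpack_from("!H", pdu, off)
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlen > len(pdu):
            stats["error"] = "TLV length runs past the end of the PDU"
            break
        value = pdu[off:off + tlen]
        off += tlen
        stats["rx_tlvs_total"] += 1
        if ttype == 0:
            if tlen != 0:
                stats["error"] = "End of LLDPDU TLV with non-zero length"
            break
        if ttype not in TLV_NAMES:
            stats["rx_tlvs_unrecognized"] += 1
        tlvs.append((ttype, value))
    else:
        stats["error"] = "PDU ended without an End of LLDPDU TLV"
    # Chassis ID, Port ID and TTL are mandatory and must come first, in that order.
    if stats["error"] is None and [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        stats["error"] = "mandatory Chassis ID, Port ID and TTL TLVs missing or out of order"
    return tlvs, stats


def describe(tlvs):
    """Render TLVs the way show lldp neighbors detail does: text for the
    string-valued TLVs, seconds for TTL, hex for anything else or unknown."""
    lines = []
    for ttype, value in tlvs:
        name = TLV_NAMES.get(ttype, f"Unknown TLV type {ttype}")
        if ttype in (4, 5, 6):
            lines.append(f'{name}: "{value.decode("ascii", "replace")}"')
        elif ttype == 3 and len(value) == 2:
            lines.append(f"{name}: {struct.unpack('!H', value)[0]} seconds")
        else:
            lines.append(f"{name}: {value.hex()}")
    return lines


def tlv(ttype: int, value: bytes) -> bytes:
    """Encode one TLV (used only to build the constructed sample below)."""
    return struct.pack("!H", (ttype << 9) | len(value)) + value


# Constructed sample: chassis ID subtype 4 (MAC address), port ID subtype 5
# (interface name), TTL 120 s, a system name, and one reserved (unrecognized) TLV.
SAMPLE_PDU = (
    tlv(1, b"\x04" + bytes.fromhex("000480a04000"))
    + tlv(2, b"\x05" + b"ethernet 1/1")
    + tlv(3, struct.pack("!H", 120))
    + tlv(5, b"BigIron RX")
    + tlv(42, b"\xde\xad")
    + tlv(0, b"")
)

if __name__ == "__main__":
    parsed, counters = parse_lldpdu(SAMPLE_PDU)
    print("\n".join(describe(parsed)))
    print(counters)
```

The parser stops at the first malformed TLV instead of guessing at the rest: a neighbor whose TLV length runs past the PDU belongs in the error counter, not in the neighbor table, and its advertised system name should not be trusted as a topology fact.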
  • Page 355: Resetting Lldp Statistics

    Resetting LLDP statistics Resetting LLDP statistics To reset LLDP statistics, enter the clear lldp statistics command at the Global CONFIG level of the CLI. The Brocade device will clear the global and per-port LLDP neighbor statistics on the device (refer to “LLDP statistics”...
  • Page 356 Resetting LLDP statistics BigIron RX Series Configuration Guide 53-1002253-01...
  • Page 357: Configuring Uni-Directional Link Detection (Udld)

    Chapter Configuring Uni-Directional Link Detection (UDLD) This chapter describes configuring Uni-Directional Link Detection. Uni-directional Link Detection (UDLD) monitors a link between two BigIron RX devices and provides fast detection of link failures. UDLD brings the ports on both ends of the link down if the link goes down at any point between the two devices.
  • Page 358: Configuration Considerations

    Configuration considerations Configuration considerations • The feature is supported only on Ethernet ports. • To configure UDLD on a trunk group, you must configure the feature on each port of the group individually. Configuring UDLD on a trunk group’s primary port enables the feature on that port only.
  • Page 359: Displaying Udld Information

    Displaying UDLD information When UDLD is enabled on a port, UDLD starts sending keep-alive messages at a preconfigured interval. In the current implementation, if no keep-alive is received from the other end of the link after 3 retries, the port is set to logical link down. With the new design, after UDLD is enabled on a port, UDLD is kept in a newly created suspended state until it receives the first keep-alive message from the other end.
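The keep-alive behaviour described above (suspended until the first keep-alive is heard, logically down after three missed retries) as an added example in Python, not Brocade code: two modelled ports run over a link whose two directions can fail independently, and the counters mirror the show link-keepalive fields (packets sent, packets received, transitions). The system IDs and port numbers are constructed. That a port declared down stops transmitting keep-alives (which is how the far end is also brought down) and comes back up when keep-alives resume are assumptions of this model, not statements from the guide.

```python
"""Added example (not Brocade's code): a model of the UDLD / link-keepalive
behaviour described in the guide.  A port starts suspended, goes up on the
first keepalive heard from the peer, and is declared logically down after
`retries` consecutive intervals with no keepalive.  System IDs and port
names are made up; that a down port stops transmitting and recovers when
keepalives resume are assumptions of this model."""
from dataclasses import dataclass

A_SYSTEM_ID = "e0927400"   # constructed, in the style of show link-keepalive
B_SYSTEM_ID = "e0d25100"


@dataclass
class UdldPort:
    name: str
    retries: int = 3            # Keepalive Retries: checks before declaring down
    state: str = "suspended"    # suspended -> up -> down (-> up on recovery)
    missed: int = 0             # consecutive intervals without a keepalive
    sent: int = 0
    received: int = 0
    transitions: int = 0
    remote_system_id: str = ""

    def _set_state(self, new_state: str) -> None:
        if new_state != self.state:
            self.state = new_state
            self.transitions += 1

    def tick(self) -> bool:
        """One keepalive interval elapsed.  Count a miss if the port is up and
        declare it down after `retries` misses; a suspended port never counts
        misses because it has never heard the peer.  Returns True if this port
        transmits a keepalive this interval (assumed: down ports do not)."""
        if self.state == "up":
            self.missed += 1
            if self.missed >= self.retries:
                self._set_state("down")
        if self.state == "down":
            return False
        self.sent += 1
        return True

    def receive(self, remote_system_id: str) -> None:
        """A keepalive arrived from the far end: reset the miss counter and
        bring the port up (the first keepalive ends the suspended state)."""
        self.received += 1
        self.remote_system_id = remote_system_id
        self.missed = 0
        self._set_state("up")

    def show(self) -> str:
        """Output in the spirit of show link-keepalive ethernet <port>."""
        return (f"Port {self.name}  Current State : {self.state}  "
                f"Remote System ID : {self.remote_system_id or '-'}\n"
                f"Packets sent : {self.sent}  Packets received : {self.received}  "
                f"Transitions : {self.transitions}")


def simulate(schedule):
    """Run ports A (4/1) and B (2/1) over a link for len(schedule) intervals.
    Each schedule entry is (a_to_b, b_to_a): whether keepalives get through
    in that direction during the interval.  Returns the two UdldPort objects."""
    a, b = UdldPort("4/1"), UdldPort("2/1")
    for a_to_b, b_to_a in schedule:
        a_sent = a.tick()
        b_sent = b.tick()
        if a_to_b and a_sent:
            b.receive(A_SYSTEM_ID)
        if b_to_a and b_sent:
            a.receive(B_SYSTEM_ID)
    return a, b


if __name__ == "__main__":
    # Healthy for two intervals, then B's keepalives stop reaching A.
    port_a, port_b = simulate([(True, True)] * 2 + [(True, False)] * 5)
    print(port_a.show())
    print(port_b.show())
```

The third scenario in the test is the one the chapter is about: a link that is up at the physical layer but passes traffic in only one direction. A never goes down on its own (it has never heard B, so it stays suspended and never forwards), while B, which does hear A, comes up; the suspended state is what keeps the half-working link from being used.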
  • Page 360: Displaying Information For A Single Port

    Displaying UDLD information TABLE 62 CLI display of UDLD information This field... Displays... Total link-keepalive enabled ports The total number of ports on which UDLD is enabled. Keepalive Retries The number of times a port will attempt the health check before concluding that the link is down.
  • Page 361 Displaying UDLD information BigIron RX(config)# show link-keepalive ethernet 4/1 Current State : up Remote MAC Addr : 00e0.52d2.5100 Local Port : 4/1 Remote Port : 2/1 Local System ID : e0927400 Remote System ID : e0d25100 Packets sent : 254 Packets received : 255 Transitions TABLE 63...
  • Page 362: Clearing Udld Statistics

    Clearing UDLD statistics The show interface ethernet <slot>/<portnum> command also displays the UDLD state for an individual port. In addition, the line protocol state listed in the first line will say “down” if UDLD has brought the port down. Here is an example: BigIron RX(config)# show interface ethernet 1/1 GigabitEthernet2/1 is disabled, line protocol is down, link keepalive is enabled...
  • Page 363: Vlans

    Chapter VLANs Overview of Virtual Local Area Networks (VLANs) Virtual Local Area Networks (VLANs) allow you to segment traffic in a network by placing ports and interfaces into separate broadcast domains. Each broadcast domain is uniquely identified by VLAN IDs. These broadcast domains can span multiple devices. The device supports two types of VLANs: port-based VLANs and protocol-based VLANs.
  • Page 364 Overview of Virtual Local Area Networks (VLANs) FIGURE 21 Packet containing Brocade's 802.1Q VLAN tag (figure: the untagged Ethernet II packet format, with a 6-byte destination address, a 6-byte source address, a 2-byte type field, a data field of up to 1500 bytes and a 4-byte trailing field, followed by the tagged format, in which a 4-byte 802.1Q tag field sits between the source address and the type field)...
  • Page 365: Protocol-Based Vlans

    Overview of Virtual Local Area Networks (VLANs) FIGURE 22 VLANs configured across multiple devices (figure: user-configured port-based VLANs spanning Segment 1 and Segment 2; T = 802.1Q tagged port). Tagging is required for the ports on Segment 1 because the ports are in multiple port-based VLANs. Tagging is not required for the ports on Segment 2 because each port is...
  • Page 366: Vlan Configuration Rules

    VLAN configuration rules If there are ports in a port-based VLAN that you want to exclude from protocol-based VLANs, the protocol-based VLAN can be configured to explicitly exclude those ports. VLAN configuration rules To create any type of VLAN on a device, Layer 2 forwarding must be enabled. When Layer 2 forwarding is enabled, the device becomes a switch on all ports for all non-routable protocols.
  • Page 367: Layer 2 Control Protocols On Vlans

    Configuring port-based VLANs • A port can belong to multiple, overlapping Layer 2 port-based VLANs only if the port is a tagged port. Packets sent out of a tagged port use an 802.1q-tagged frame. • A port can belong to multiple, unique, overlapping Layer 3 protocol-based VLANs. •...
  • Page 368: Vlan Byte Accounting

    Configuring port-based VLANs 2. Once an ID is assigned, the CLI directs you to the VLAN configuration level. At this level, you add ports to that VLAN and specify if the ports are tagged or untagged. BigIron RX(config-vlan-2)# untag e 1/9 to 1/16 BigIron RX(config-vlan-2)# tagged e 1/1 to 1/8 The example above configures a port-based VLAN, VLAN 2.
  • Page 369 Configuring port-based VLANs • If a port's VLAN has byte accounting enabled, you cannot enable rate limiting on that port. Similarly, if a port has rate limiting enabled, you cannot enable VLAN byte accounting on that port's VLAN. • Clearing the rate limiting counters using clear rate-limit counters will also clear VLAN byte-accounting counters.
  • Page 370: Strictly Or Explicitly Tagging A Port

    Configuring port-based VLANs TABLE 64 Maximum # of rate limiting policies and VLANs w/ byte accounting permitted per-PPCR Module type PPCR number Port # Max # of rate limiting policies based on ACLs and VLANs + number of VLANs w/ byte accounting enabled 24 x 1G PPCR 1 1 - 12...
  • Page 371: Configuring Protocol-Based Vlans

    Configuring protocol-based VLANs You must specify a VLAN ID that is not already in use. For example, if VLAN 10 exists, do not use “10” as the new VLAN ID for the default VLAN. Valid VLAN IDs are from 1 – 4089; however, do not use VLANs 4090 –...
  • Page 372: Configuring An Mstp Instance

    Configuring virtual routing interfaces Configuring an MSTP instance An MSTP instance is configured with an MSTP ID for each region. Each region can contain one or more VLANs. To configure an MSTP instance and assign a range of VLANs, use a command such as the following at the Global Configuration level.
  • Page 373: Bridging And Routing The Same Protocol Simultaneously On The Same Device

    Configuring virtual routing interfaces Enter 1 to the maximum number of virtual routing interfaces supported on the device for <ve-number>. Bridging and routing the same protocol simultaneously on the same device Some configurations may require simultaneous switching and routing of the same single protocol across different sets of ports on the same router.
  • Page 374: Integrated Switch Routing (Isr)

    Configuring virtual routing interfaces Integrated Switch Routing (ISR) The Brocade Integrated Switch Routing (ISR) feature enables VLANs configured on the device to route Layer 3 traffic from one protocol-based VLAN to another instead of forwarding the traffic to an external router. The VLANs provide Layer 3 broadcast domains for the protocols, but do not in themselves provide routing services.
  • Page 375: Vlan Groups

    VLAN groups There is a separate STP domain for each port-based VLAN. Routing occurs independently across port-based VLANs or STP domains. You can define each end of each backbone link as a separate tagged port-based VLAN. Routing will occur independently across the port-based VLANs. Because each port-based VLAN’s STP domain is a single point-to-point backbone connection, you are guaranteed to never have an STP loop.
  • Page 376 VLAN groups NOTE The device’s memory must be configured to contain at least the number of VLANs you specify for the higher end of the range. For example, if you specify 2048 as the VLAN ID at the high end of the range, you first must increase the memory allocation for VLANs to 2048 or higher.
  • Page 377: Configuring Super Aggregated Vlans

    Configuring super aggregated VLANs The <group-id> specifies a VLAN group. If you do not use this parameter, the configuration information for all the configured VLAN groups is displayed. Configuring super aggregated VLANs A super aggregated VLAN allows multiple VLANs to be placed within another VLAN. This feature allows you to construct Layer 2 paths and channels.
  • Page 378 Configuring super aggregated VLANs Each client connected to the edge device is in its own port-based VLAN. All the clients’ VLANs are aggregated by the edge device into a single VLAN for connection to the core. The device that aggregates the VLANs forwards the aggregated VLAN traffic through the core. The core can consist of multiple devices that forward the aggregated VLAN traffic.
  • Page 379: Configuring Aggregated Vlans

    Configuring super aggregated VLANs This example shows a single link between the core devices. However, you can use a trunk group to add link-level redundancy. Configuring aggregated VLANs A maximum of 1526 bytes are supported on ports where super-aggregated VLANs are configured. This allows for an additional 8 bytes over the untagged port maximum to allow for support of two VLAN tags.
  • Page 380: Complete Cli Examples

    Configuring super aggregated VLANs • Enable VLAN aggregation. This support allows the core device to add an additional tag to each Ethernet frame that contains a VLAN packet from the edge device. The additional tag identifies the aggregate VLAN (the path). However, the additional tag can cause the frame to be longer than the maximum supported frame size.
  • Page 381 Configuring super aggregated VLANs Commands for device A BigIron RX-A(config)# vlan 101 BigIron RX-A(config-vlan-101)# tagged ethernet 2/1 BigIron RX-A(config-vlan-101)# untagged ethernet 1/1 BigIron RX-A(config-vlan-101)# exit BigIron RX-A(config)# vlan 102 BigIron RX-A(config-vlan-102)# tagged ethernet 2/1 BigIron RX-A(config-vlan-102)# untagged ethernet 1/2 BigIron RX-A(config-vlan-102)# exit BigIron RX-A(config)# vlan 103 BigIron RX-A(config-vlan-103)# tagged ethernet 2/1 BigIron RX-A(config-vlan-103)# untagged ethernet 1/3...
  • Page 382 Configuring super aggregated VLANs BigIron RX-C(config)# tag-type 9100 BigIron RX-C(config)# aggregated-vlan BigIron RX-C(config)# vlan 101 BigIron RX-C(config-vlan-101)# tagged ethernet 4/1 BigIron RX-C(config-vlan-101)# untagged ethernet 3/1 BigIron RX-C(config-vlan-101)# exit BigIron RX-C(config)# vlan 102 BigIron RX-C(config-vlan-102)# tagged ethernet 4/1 BigIron RX-C(config-vlan-102)# untagged ethernet 3/2 BigIron RX-C(config-vlan-102)# exit BigIron RX-C(config)# write memory Commands for device D...
  • Page 383: Configuring 802.1Q-In-Q Tagging

    Configuring 802.1q-in-q tagging Commands for device F The commands for configuring device F are identical to the commands for configuring device E. In this example, since the port numbers on each side of the configuration in Figure 24 on page 302 are symmetrical, the configuration of device F is also identical to the configuration of device A and device B.
  • Page 384: Configuration Rules

    Configuring 802.1q-in-q tagging As shown in Figure 25, the ports to customer interfaces are untagged, whereas the uplink ports to the provider cloud are tagged, because multiple client VLANs share the uplink to the provider cloud. In this example, the device treats the customer’s private VLAN ID and 8100 tag type as normal payload, and adds the 9100 tag type to the packet when the packet is sent to the uplink and forwarded along the provider cloud.
  • Page 385: Enabling 802.1Q-In-Q Tagging

    Configuring 802.1q-in-q tagging Enabling 802.1Q-in-Q tagging To enable the 802.1Q-in-Q feature, configure an 802.1Q tag type on the untagged edge links (the customer ports) to any value other than the 802.1Q tag for incoming traffic. For example, in Figure 27, the 802.1Q tag on the untagged edge links (ports 11 and 12) is 9100, whereas, the 802.1Q tag for incoming traffic is 8100.
  • Page 386: Configuring 802.1Q Tag-Type Translation

    Configuring 802.1q tag-type translation FIGURE 27 Example 802.1Q-in-Q configuration (figure: Clients 1, 3, 5, 6, 8 and 10 attached to ports 1/1, 1/3 and 1/5 of the edge devices and placed in VLANs 101, 103 and 105)...
  • Page 387 Configuring 802.1q tag-type translation FIGURE 28 802.1q tag-type translation configuration example 1 (figure: Customer Edge Switch 1 and Customer Edge Switch 2 connected across the Network Core through Provider Core Switch 1 and Provider Core Switch 2; the links between the customer edge and provider core switches are tagged with tag-type 8100, and the link between the two provider core switches is tagged with tag-type 9100)...
  • Page 388: Configuration Rules

    Configuring 802.1q tag-type translation FIGURE 29 802.1q tag-type translation configuration example 2 (figure: Edge Switch 2 and Edge Switch 3, each with a global 802.1Q tag-type of 8200, connected to devices that carry multiple 802.1Q tag-types, among them 8500)...
  • Page 389: Enabling 802.1Q Tag-Type Translation

    Configuring 802.1q tag-type translation • If you configure a port with an 802.1q tag-type, the device automatically applies the 802.1q tag-type to all ports within the same port region. • If you remove the 802.1q tag-type from a port, the device automatically removes the 802.1q tag-type from all ports within the same port region.
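The byte-level view of the three mechanisms described above (the super aggregated VLAN sections, 802.1Q-in-Q tagging and 802.1q tag-type translation) as an added example in Python, not Brocade code: a customer frame carrying its own 8100 tag arrives at an untagged customer port whose tag-type is 9100, is treated as untagged and classified into the port's VLAN, gets the 9100 aggregate tag on the tagged uplink, and has that tag stripped again at the remote edge, with the guide's 1518/1526-byte limits enforced; a separate function rewrites only the outer tag-type, which is what tag-type translation does. The MAC addresses, VLAN IDs and payload are constructed, and the FCS is carried as four placeholder bytes rather than recomputed.

```python
"""Added example (not Brocade's code): byte-level model of the tagging used
by super aggregated VLANs, 802.1Q-in-Q and 802.1q tag-type translation.
MAC addresses and VLAN IDs are made up; the sizes come from the guide
(1518-byte untagged maximum, 1526 bytes on super-aggregated VLAN ports).
The FCS is carried as four trailing placeholder bytes and not recomputed."""
import struct

ETH_UNTAGGED_MAX = 1518         # 6 DA + 6 SA + 2 type + 1500 data + 4 FCS
SAV_MAX = ETH_UNTAGGED_MAX + 8  # room for two 4-byte tags, as the guide states

DST = bytes.fromhex("000480a04000")   # constructed addresses
SRC = bytes.fromhex("000cdbf5ee00")


def build_frame(dst: bytes, src: bytes, ethertype: int, data: bytes) -> bytes:
    """Ethernet II frame with a placeholder 4-byte FCS appended."""
    return dst + src + struct.pack("!H", ethertype) + data + b"\0\0\0\0"


def push_tag(frame: bytes, tag_type: int, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a VLAN tag after the source MAC.  tag_type is the port's configured
    802.1Q tag-type (8100 by default, 9100 in the guide's provider examples)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} out of range")
    return frame[:12] + struct.pack("!HH", tag_type, (pcp << 13) | vlan_id) + frame[12:]


def pop_tag(frame: bytes, tag_type: int):
    """Strip the outermost tag, which must be of the given tag-type.
    Returns (vlan_id, frame_without_that_tag)."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != tag_type:
        raise ValueError(f"outer tag-type {tpid:04x} is not {tag_type:04x}")
    return tci & 0xFFF, frame[:12] + frame[16:]


def tag_stack(frame: bytes, tag_types=(0x8100, 0x9100)):
    """All tags from the outside in, as a capture tool would list them."""
    tags, off = [], 12
    while True:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in tag_types:
            return tags
        tags.append((tpid, tci & 0xFFF))
        off += 4


def edge_ingress(frame: bytes, port_tag_type: int, port_vlan: int):
    """Customer-facing port of a device whose tag-type is port_tag_type.  Only
    a tag of that type is a VLAN tag; the customer's 8100 tag is ordinary
    payload, so the frame counts as untagged and lands in the port's VLAN.
    Returns (vlan_id, frame_to_forward)."""
    tpid, = struct.unpack_from("!H", frame, 12)
    if tpid == port_tag_type:
        return pop_tag(frame, port_tag_type)
    return port_vlan, frame


def uplink_egress(frame: bytes, port_tag_type: int, vlan_id: int) -> bytes:
    """Tagged uplink: add the aggregate (provider) tag and enforce the
    super-aggregated VLAN frame size limit."""
    out = push_tag(frame, port_tag_type, vlan_id)
    if len(out) > SAV_MAX:
        raise ValueError(f"{len(out)}-byte frame exceeds the {SAV_MAX}-byte maximum")
    return out


def translate_tag_type(frame: bytes, from_type: int, to_type: int) -> bytes:
    """802.1q tag-type translation: rewrite only the outer tag's tag-type,
    leaving the VLAN ID alone (8100 on the customer edge to 9100 in the
    provider core, as in Figure 28)."""
    tpid, = struct.unpack_from("!H", frame, 12)
    if tpid != from_type:
        raise ValueError(f"outer tag-type {tpid:04x} is not {from_type:04x}")
    return frame[:12] + struct.pack("!H", to_type) + frame[14:]


def customer_frame(customer_vid: int, data_len: int = 1500) -> bytes:
    """Constructed maximum-size customer frame carrying its own 8100 tag."""
    return push_tag(build_frame(DST, SRC, 0x0800, bytes(data_len)), 0x8100, customer_vid)


def q_in_q_path(customer_vid: int = 10, provider_vid: int = 101) -> dict:
    """Walk a frame from device A's customer port (tag-type 9100, member of
    provider_vid) over the tagged uplink, through the core, to the remote
    edge's untagged customer port, and report what each hop saw."""
    original = customer_frame(customer_vid)
    vid, inner = edge_ingress(original, 0x9100, provider_vid)
    on_core = uplink_egress(inner, 0x9100, vid)
    core_vid, delivered = pop_tag(on_core, 0x9100)   # remote edge, untagged port
    return {
        "customer_len": len(original),
        "classified_vlan": vid,
        "core_len": len(on_core),
        "core_tags": tag_stack(on_core),
        "core_vlan": core_vid,
        "delivered_unchanged": delivered == original,
    }


if __name__ == "__main__":
    print(q_in_q_path())
```

The classification in edge_ingress is the security-relevant point of the tag-type scheme: because the customer port only recognizes tag-type 9100, a customer cannot pick its own provider VLAN by sending frames tagged with the provider's VLAN IDs under 8100; those tags are opaque payload. The same function shows the converse, which is why the guide insists the edge tag-type differ from the customer's: a customer frame carrying a 9100 tag would be accepted as tagged and placed in whatever VLAN it names.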
  • Page 390: Private Vlans

    Private VLANs Private VLANs A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also provides additional control over flooding packets on a VLAN. Figure 30 shows an example of an application using a private VLAN. FIGURE 30 Private VLAN used to secure communication between a workstation and servers A private VLAN secures traffic...
  • Page 391: Implementation Notes

    Private VLANs • Isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN. • Community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.
  • Page 392: Configuring A Private Vlan

    Private VLANs • A primary VLAN can have multiple ports. All these ports are active, but which ports are used depends on the private VLAN mappings. Also, secondary VLANs (isolated and community VLANs) can be mapped to multiple primary VLAN ports. For example: pvlan mapping 901 ethernet 1/2 pvlan mapping 901 ethernet 2/2 pvlan mapping 901 ethernet 3/2...
  • Page 393 Private VLANs BigIron RX(config)# vlan 901 BigIron RX(config-vlan-901)# untagged ethernet 3/5 to 3/6 BigIron RX(config-vlan-901)# pvlan type community These commands create port-based VLAN 901, add ports 3/5 and 3/6 to the VLAN as untagged ports, then specify that the VLAN is a community private VLAN. Syntax: untagged ethernet [to <portnum>...
  • Page 394: Private Vlan

    Private VLANs Enabling broadcast, multicast or unknown unicast traffic to the private VLAN To enhance private VLAN security, the primary private VLAN does not forward broadcast or unknown unicast packets to its community and isolated VLANs. For example, if port 3/2 in Figure 30 on page 314 receives a broadcast packet from the firewall, the port does not forward the packet to the other private VLAN ports (3/5, 3/6, 3/9, and 3/10).
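The flooding rules the private VLAN sections above lay out (isolated ports flood only to the primary port, community ports flood to the primary port and their own community, and the primary port does not flood to its secondary VLANs unless that is enabled) as an added example in Python, not Brocade code. The port layout follows the guide's example (primary port 3/2, community VLAN 901 on 3/5 and 3/6); that 3/9 and 3/10 form an isolated VLAN numbered 902 is an assumption of this example. The cross_secondary_leaks check enumerates every ingress port and reports any pair of secondary ports that would see each other's flooded traffic, which is the property a private VLAN is deployed to guarantee.

```python
"""Added example (not Brocade's code): a model of where a private VLAN
delivers broadcast and unknown-unicast traffic, following the guide's rules.
Primary port 3/2 and community VLAN 901 (ports 3/5, 3/6) are from the guide's
example; isolated VLAN 902 on 3/9 and 3/10 is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class PrivateVlan:
    primary_port: str
    community: Dict[int, Set[str]] = field(default_factory=dict)   # VLAN ID -> ports
    isolated: Dict[int, Set[str]] = field(default_factory=dict)
    # Per the guide, the primary VLAN does not forward broadcasts or unknown
    # unicasts to its community and isolated VLANs unless explicitly enabled.
    primary_floods_to_secondaries: bool = False

    def role(self, port: str) -> Tuple[str, int]:
        """('primary', 0), ('community', vid) or ('isolated', vid)."""
        if port == self.primary_port:
            return "primary", 0
        for vid, ports in self.community.items():
            if port in ports:
                return "community", vid
        for vid, ports in self.isolated.items():
            if port in ports:
                return "isolated", vid
        raise KeyError(f"{port} is not in this private VLAN")

    def secondary_ports(self) -> Set[str]:
        return set().union(*self.community.values(), *self.isolated.values())

    def flood_targets(self, ingress: str) -> Set[str]:
        """Ports that receive a broadcast or unknown-unicast frame which
        arrived on `ingress`."""
        kind, vid = self.role(ingress)
        if kind == "isolated":
            return {self.primary_port}                       # only the primary
        if kind == "community":
            return {self.primary_port} | (self.community[vid] - {ingress})
        if self.primary_floods_to_secondaries:
            return self.secondary_ports()
        return set()

    def flood_matrix(self) -> Dict[str, Set[str]]:
        """ingress port -> ports that see its flooded traffic."""
        ports = [self.primary_port] + sorted(self.secondary_ports())
        return {p: self.flood_targets(p) for p in ports}


def cross_secondary_leaks(pvlan: PrivateVlan) -> Set[Tuple[str, str]]:
    """Pairs (src, dst) of secondary ports in different secondary VLANs, or two
    isolated ports, that would see each other's flooded traffic.  An empty
    set means the isolation the private VLAN is meant to provide holds."""
    leaks = set()
    for src, targets in pvlan.flood_matrix().items():
        src_role = pvlan.role(src)
        if src_role[0] == "primary":
            continue
        for dst in targets:
            dst_role = pvlan.role(dst)
            if dst_role[0] == "primary":
                continue
            if src_role != dst_role or src_role[0] == "isolated":
                leaks.add((src, dst))
    return leaks


# Constructed layout based on Figure 30 and VLAN 901 in the guide.
EXAMPLE = PrivateVlan(
    primary_port="3/2",
    community={901: {"3/5", "3/6"}},
    isolated={902: {"3/9", "3/10"}},   # assumed isolated VLAN ID and ports
)

if __name__ == "__main__":
    for port, targets in EXAMPLE.flood_matrix().items():
        print(f"flood from {port:>4} -> {sorted(targets)}")
    print("leaks:", cross_secondary_leaks(EXAMPLE))
```

Run the matrix after any change to the mappings: it is the quickest way to confirm that enabling primary-to-secondary flooding (for a firewall that needs to ARP for its hosts, say) has not also put two isolated hosts in each other's broadcast domain. In this model it cannot, since isolated ports only ever deliver to the primary port, but the check is cheap and the configuration it guards is easy to get wrong.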
  • Page 395: Other Vlan Features

    Other VLAN features Other VLAN features Allocating memory for more VLANs or virtual routing interfaces By default, you can configure up to 512 VLANs and virtual routing interfaces on the device. Although this is the default maximum, the device can support up to 4089 VLANs and 4095 virtual routing interfaces.
  • Page 396: Unknown Unicast Flooding On Vlan Ports

    Other VLAN features • You cannot enable this feature on the designated management VLAN for the device. • If you enable this feature on a VLAN that includes a trunk group, hardware flooding for Layer 2 multicast and broadcast packets occurs only on the trunk group’s primary port.
  • Page 397: Configuring Uplink Ports Within A Port-Based Vlan

    Displaying VLAN information Use the unknown-unicast parameter to specify CPU flooding for unknown unicast packets only. NOTE This command does not erase any multicast or unknown-unicast flooding configuration. If this command is enabled, then it supersedes the per-vlan configuration. Configuring uplink ports within a port-based VLAN You can configure a subset of the ports in a port-based VLAN as uplink ports.
  • Page 398: Displaying Vlan Information

    Displaying VLAN information Displaying VLAN information Enter the following command at any CLI level. BigIron RX# show vlan Configured PORT-VLAN entries: 3 Maximum PORT-VLAN entries: 4095 Default PORT-VLAN id: 1 PORT-VLAN 1, Name DEFAULT-VLAN, Priority Level0 L2 protocols : NONE Untagged Ports : ethe 2/1 to 2/24 ethe 3/1 to 3/24 eth PORT-VLAN 2, Name [None], Priority Level0 L2 protocols...
  • Page 399: Displaying Vlan Status And Port Types

    Displaying VLAN information The ethernet <slot-number>/<port-number> parameter specifies a port. The command lists all the VLAN memberships for the port. The output shows the following information. TABLE 68 Output of show vlan ethernet This field... Displays... Port <slot-number>/<port-number> is a member of # VLANs: The number of VLANs the port is a member of. VLANs: The IDs of the VLANs that the port is a member of.
  • Page 400: Displaying Vlan Group Information

    Displaying VLAN information TABLE 69 Output of show vlan detail This field... Displays... Untagged Ports This line appears if you do not specify a VLAN. It lists all the ports that are configured as untagged ports in all the VLANs on the device. Tagged Ports This line appears if you do not specify a VLAN.
  • Page 401: Transparent Firewall Mode

    Transparent firewall mode Transparent firewall mode The Transparent Firewall mode allows the device to switch self-originated control packets. By default, Brocade devices drop control packets received with the device's own MAC address as the packet's source MAC address (that is, packets that appear to have been originated by the switch or router itself). Under the Transparent Firewall mode, switching of self-originated packets is allowed, so frames that carry the device's own MAC address as their source are no longer discarded on that basis.
  • Page 403: Configuring Spanning Tree Protocol

    Chapter Configuring Spanning Tree Protocol IEEE 802.1D Spanning Tree Protocol (STP) The BigIron RX supports Spanning Tree Protocol (STP) as described in the IEEE 802.1D-1998 specification. STP eliminates Layer 2 loops in networks, by selectively blocking some ports and allowing other ports to forward traffic, based on configurable bridge and port parameters. STP also ensures that the least cost path is taken when multiple paths exist between ports or VLANs.
  • Page 404: Default Stp Bridge And Port Parameters

    IEEE 802.1D Spanning Tree Protocol (STP) NOTE When you configure a VLAN, the VLAN inherits the global STP settings. However, once you begin to define a VLAN, you can no longer configure standard STP parameters globally using the CLI. From that point on, you can configure STP only within individual VLANs.
  • Page 405: Changing Stp Bridge Parameters

    IEEE 802.1D Spanning Tree Protocol (STP) TABLE 72 Default STP bridge parameters (Continued) Parameter / Description / Default and valid values. Hello Time: The interval of time between each configuration BPDU sent by the root bridge. Default 2 seconds; possible values: 1 – 10 seconds. Priority: A parameter used to identify the root bridge in a spanning...
  • Page 406: Changing Stp Port Parameters

    IEEE 802.1D Spanning Tree Protocol (STP) NOTE The hello-time <value> parameter applies only when the device or VLAN is the root bridge for its spanning tree. Changing STP port parameters To change the path and priority costs for a port, enter commands such as the following. BigIron RX(config)# vlan 10 BigIron RX(config-vlan-10)# spanning-tree ethernet 1/5 path-cost 15 priority 64 Syntax: spanning-tree ethernet <slot>/<portnum>...
  • Page 407: Spanning Tree Protocol (Stp) Bpdu Guard

    IEEE 802.1D Spanning Tree Protocol (STP) Syntax: [no] spanning-tree root-protect Enter the no form of the command to disable STP Root Guard on the port. Setting the STP root guard timeout period To configure the STP Root protect timeout period globally, enter a command such as the following. BigIron RX(config)# spanning-tree root-protect timeout 120 Syntax: spanning-tree root-protect timeout <timeout in seconds>...
  • Page 408: Displaying Stp Information

    IEEE 802.1D Spanning Tree Protocol (STP) To prevent an end station from initiating or participating in STP topology changes, enter the following command at the interface level of the CLI. BigIron RX(config)# interface ethe 2/1 BigIron RX(config-if-e1000-2/1)# spanning-tree protect This command causes the port to drop STP BPDUs sent from the device on the other end of the link.
  • Page 409 IEEE 802.1D Spanning Tree Protocol (STP) BigIron RX# show spanning-tree vlan 10 VLAN 10 - STP instance 1 -------------------------------------------------------------------- STP Bridge Parameters: Bridge Bridge Bridge Bridge Hold LastTopology Topology Identifier MaxAge Hello FwdDly Time Change Change 8000000480a04000 20 RootBridge RootPath DesignatedBridge Root Max Hel Fwd Identifier...
  • Page 410 IEEE 802.1D Spanning Tree Protocol (STP) TABLE 74 CLI display of STP information (Continued) This field... Displays... Bridge Identifier The ID assigned by STP to this bridge for this spanning tree in hexadecimal. NOTE: If this address is the same as the Root ID, then this device or VLAN is the root bridge for its spanning tree.
  • Page 411 IEEE 802.1D Spanning Tree Protocol (STP) TABLE 74 CLI display of STP information (Continued) This field... Displays... State The port’s STP state. The state can be one of the following: • BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop.
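The bridge identifiers in the show spanning-tree output above (priority followed by the bridge MAC, e.g. 8000000480a04000) and the two per-port protections from the preceding pages (spanning-tree protect, which drops every BPDU from the far end, and spanning-tree root-protect) as an added example in Python, not Brocade code: it packs and parses IEEE 802.1D configuration BPDUs, compares them the way STP does (root ID, then root path cost, then sender ID, then port ID), extracts a BPDU from a frame addressed to the bridge group address 01-80-c2-00-00-00, and decides what a protected port does with it. The root identifier comes from the guide's sample output; the rogue bridge's identifier and the source MACs are constructed. That root-protect blocks the port when a BPDU claims a better root is the usual root-guard behaviour and is an assumption here; the guide only shows its timeout being configured.

```python
"""Added example (not Brocade's code): decoding IEEE 802.1D configuration
BPDUs and show spanning-tree bridge identifiers, comparing them as STP does,
and modelling spanning-tree protect (BPDU guard) and root-protect on a port.
The root ID is from the guide's sample output; the rogue bridge ID and the
source MACs are made up.  Blocking on a superior BPDU is an assumption."""
import struct
from dataclasses import dataclass

BRIDGE_GROUP_ADDRESS = bytes.fromhex("0180c2000000")   # 01-80-c2-00-00-00


@dataclass(frozen=True, order=True)
class BridgeId:
    """16-bit priority then the bridge MAC; lower compares as better, which is
    why the field order (priority, mac) matters for the generated ordering."""
    priority: int
    mac: bytes

    @classmethod
    def from_hex(cls, text: str) -> "BridgeId":
        raw = bytes.fromhex(text)          # e.g. "8000000480a04000"
        return cls(struct.unpack("!H", raw[:2])[0], raw[2:8])

    def pack(self) -> bytes:
        return struct.pack("!H", self.priority) + self.mac

    def __str__(self) -> str:
        return self.pack().hex()


@dataclass
class ConfigBpdu:
    flags: int
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    message_age: int       # seconds; on the wire these are units of 1/256 s
    max_age: int
    hello_time: int
    forward_delay: int

    def pack(self) -> bytes:
        return (struct.pack("!HBBB", 0, 0, 0, self.flags) + self.root.pack()
                + struct.pack("!I", self.root_path_cost) + self.bridge.pack()
                + struct.pack("!HHHHH", self.port_id, self.message_age * 256,
                              self.max_age * 256, self.hello_time * 256,
                              self.forward_delay * 256))

    @classmethod
    def unpack(cls, data: bytes) -> "ConfigBpdu":
        proto, _version, bpdu_type, flags = struct.unpack_from("!HBBB", data, 0)
        if proto != 0 or bpdu_type != 0:
            raise ValueError(f"not a configuration BPDU (type 0x{bpdu_type:02x})")
        root = BridgeId(struct.unpack_from("!H", data, 5)[0], data[7:13])
        cost, = struct.unpack_from("!I", data, 13)
        bridge = BridgeId(struct.unpack_from("!H", data, 17)[0], data[19:25])
        port_id, age, max_age, hello, fwd = struct.unpack_from("!HHHHH", data, 25)
        return cls(flags, root, cost, bridge, port_id,
                   age // 256, max_age // 256, hello // 256, fwd // 256)

    def priority_vector(self):
        """What 802.1D compares: root ID, then cost, then sender, then port."""
        return (self.root, self.root_path_cost, self.bridge, self.port_id)


def is_superior(a: ConfigBpdu, b: ConfigBpdu) -> bool:
    return a.priority_vector() < b.priority_vector()


def make_frame(bpdu: ConfigBpdu, src_mac: bytes) -> bytes:
    """802.3 frame: bridge group address, LLC DSAP/SSAP 0x42, control 0x03."""
    body = b"\x42\x42\x03" + bpdu.pack()
    return BRIDGE_GROUP_ADDRESS + src_mac + struct.pack("!H", len(body)) + body


def bpdu_from_frame(frame: bytes) -> ConfigBpdu:
    if frame[:6] != BRIDGE_GROUP_ADDRESS:
        raise ValueError("not addressed to the bridge group address")
    if frame[14:17] != b"\x42\x42\x03":
        raise ValueError("not an STP LLC header")
    return ConfigBpdu.unpack(frame[17:])


def port_action(frame: bytes, current_root: BridgeId, *,
                bpdu_protect: bool = False, root_protect: bool = False) -> str:
    """'drop' when spanning-tree protect is set (every BPDU from the far end is
    discarded, nothing is parsed); 'block' when root-protect is set and the
    BPDU claims a root better than the one we know (assumed: held for the
    configured root-protect timeout); otherwise 'accept'."""
    if bpdu_protect:
        return "drop"
    bpdu = bpdu_from_frame(frame)
    if root_protect and bpdu.root < current_root:
        return "block"
    return "accept"


OUR_ROOT = BridgeId.from_hex("8000000480a04000")   # from the guide's show spanning-tree
ROGUE = BridgeId.from_hex("1000000000000001")       # constructed: priority 0x1000 beats 0x8000

if __name__ == "__main__":
    rogue = make_frame(ConfigBpdu(0, ROGUE, 0, ROGUE, 0x8001, 0, 20, 2, 15),
                       bytes.fromhex("000000000001"))
    for guard in ({}, {"root_protect": True}, {"bpdu_protect": True}):
        print(guard, "->", port_action(rogue, OUR_ROOT, **guard))
```

The two guards answer different threats, which is why the guide offers both: spanning-tree protect belongs on edge ports facing end stations, where no BPDU is ever legitimate, while root-protect belongs on ports facing other bridges that are allowed to participate but must never win the root election. A host that can send the rogue BPDU above with no guard in place becomes the root and pulls traffic through itself; the example shows the same frame accepted, blocked, and dropped depending on the port's setting.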
  • Page 412 IEEE 802.1D Spanning Tree Protocol (STP) BigIron RX# show spanning-tree detail vlan 10 VLAN 10 - STP instance 1 -------------------------------------------------------------------- STP Bridge Parameters: Bridge identifier - 0x8000000480a04000 Root bridge - 0x8000000480a04000 Control ports - ethe 1/3 ethe 1/13 Active global timers - None STP Port Parameters: Port 1/3 - DISABLED Port 1/13 - DISABLED...
  • Page 413 IEEE 802.1D Spanning Tree Protocol (STP) TABLE 75 CLI display of detailed STP information for ports This field... Displays... VLAN ID The VLAN that contains the listed ports and the number of STP instances on this VLAN. The STP type can be one of the following: •...
  • Page 414 IEEE 802.1D Spanning Tree Protocol (STP) TABLE 75 CLI display of detailed STP information for ports (Continued) This field... Displays... STP port parameters Port number and STP state The internal port number and the port’s STP state. The internal port number is one of the following: •...
  • Page 415 IEEE 802.1D Spanning Tree Protocol (STP) BigIron RX# show xstp Ethernet 3/1 STP information: -------------------------------------------------------------------- STP Port Parameters: VLAN ID: 11 Port Prio Path State Designat- Designated Designated rity Cost ed Cost Root Bridge FORWARDING 0 8000000cdbf5ee00 8000000cdbf5ee00 STP Port Parameters: VLAN ID: 12 Port Prio Path...
  • Page 416: Ieee Single Spanning Tree (Sstp)

    IEEE Single Spanning Tree (SSTP) TABLE 76 CLI display of STP information for the specified Ethernet interface This field... Displays... <slot/port> The STP/RSTP/MSTP protocol information for the specified ethernet interface. NOTE: If the Ethernet interface is not added to any STP enabled VLANs, the command displays the following message instead: "No STP-configured VLANs for the port <slot/port>”.
  • Page 417: Sstp Defaults

    IEEE Single Spanning Tree (SSTP) SSTP uses the same parameters, with the same value ranges and defaults, as the default STP supported on the device. Refer to “Default STP bridge and port parameters” on page 328. SSTP defaults SSTP is disabled by default. When you enable the feature, all VLANs on which STP is enabled become members of a single spanning tree.
  • Page 418: Displaying Sstp Information

    IEEE Single Spanning Tree (SSTP) The commands shown above override the global setting for STP priority and set the priority to 10 for port 1/1. Here is the syntax for the global STP parameters. Syntax: [no] spanning-tree single [forward-delay <value>] [hello-time <value>] | [maximum-age <time>] | [priority <value>] Here is the syntax for the STP port parameters.
  • Page 419: Pvst/Pvst+ Compatibility

    PVST/PVST+ compatibility PVST/PVST+ compatibility Brocade's support for Cisco's Per VLAN Spanning Tree plus (PVST+) allows the device to run multiple spanning trees (MSTP) while also interoperating with IEEE 802.1Q devices. Brocade ports automatically detect PVST+ BPDUs and enable support for the BPDUs once detected. When it is configured for MSTP, the device can interoperate with PVST.
  • Page 420: Enabling Pvst+ Support

    PVST/PVST+ compatibility For the port to also support the other VLANs (the PVST+ VLANs) in tagged mode, the port must be a dual-mode port. The untagged frames are supported on the port's native VLAN. By default, the native VLAN is the same as the device's default VLAN, which by default is VLAN 1.
  • Page 421: Configuration Examples

    PVST/PVST+ compatibility BigIron RX(config)# show span pvst-mode PVST+ Enabled on: Port Method Set by configuration Set by configuration 2/10 Set by auto-detect 3/12 Set by configuration 4/24 Set by auto-detect Syntax: show span pvst-mode This command displays the following information. TABLE 77 CLI Display of PVST+ Information This field...
  • Page 422 PVST/PVST+ compatibility These commands configure a VLAN group containing VLANs 2, 3, and 4, add port 1/1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port. The dual-mode feature allows the port to send and receive untagged frames for the default VLAN (VLAN 1 in this case) in addition to tagged frames for VLANs 2, 3, and 4.
  • Page 423: Superspan

    SuperSpan™ • Drop tagged PVST BPDUs for VLAN 1. Note that when VLAN 1 is not the default VLAN, the ports must have an untagged VLAN enabled in order to process IEEE 802.1Q BPDUs. For example, the following configuration is incorrect. BigIron RX(config)# default-vlan-id 1000 BigIron RX(config)# vlan 1 BigIron RX(config-vlan-1)# tagged ethernet 1/1 to 1/2...
  • Page 424: Customer Id

    SuperSpan™ FIGURE 34 SuperSpan example (figure: the SuperSpan root bridge and SP devices SP 1 and SP 2, connected to customer networks Cust 1 and Cust 2 over ports 1/1, 1/2, 2/1 and 2/2). In this example, the SP network contains two devices that are running SuperSpan. The SP is connected to two customer networks.
  • Page 425 SuperSpan™ Each Brocade device that is configured for SuperSpan forwards the BPDU using the changed destination MAC address. At the other end of the tunnel, the Brocade device connected to the customer's network changes the destination MAC address back to the bridge group address (01-80-c2-00-00-00).
  • Page 426 SuperSpan™ Mixing single STP and multiple spanning trees You can use SuperSpan in any of the following combinations: • Customer and SP networks both use multiple spanning trees (a separate spanning tree in each VLAN). • Customer uses multiple spanning trees but SP uses Single STP (all STP-enabled VLANs are in the same spanning tree).
  • Page 427 SuperSpan™ In the above example, STP in VLAN 10 will select R10 as the root bridge and make 1/1 on R10 forwarding while blocking port 3/1 on R20. The opposite occurs for STP in VLAN 20. As a result, both links connecting the customer and SP regions are fully utilized and serve as backup links at the same time, providing loop-free, non-blocking connectivity.
  • Page 428 SuperSpan™ Customer uses single STP but SP uses multiple spanning trees Figure 38 shows an example of SuperSpan where the customer network uses Single STP while the SP uses multiple spanning trees. FIGURE 38 Customer using single STP and SP using Multiple Spanning Trees single span Customer...
  • Page 429: Configuring Superspan

    SuperSpan™ FIGURE 39 Customer and SP using single STP (figure: a single-span Customer Region and a single-span Provider Region; the customer side is tagged to multiple VLANs and holds the root bridge for VLAN xx, and the stp-boundary port is untagged to VLAN 100, the Super Aggregated VLAN). In this setup, both the customer and SP networks are running a single spanning tree at Layer 2. The traffic from VLAN 10 and 20 will be carried, or aggregated by VLAN 100 at the SP network as in the previous scenario.
  • Page 430 SuperSpan™ These commands configure two interfaces on the Brocade device as SuperSpan boundary interfaces. Interface 1/1 is a boundary interface with customer 1. Interface 1/2 is a boundary interface with customer 2. Each boundary interface is associated with a number, which is the SuperSpan ID.
  • Page 431 SuperSpan™ BigIron RX(config)# show super-span CID 1 Boundary Ports: Port C-BPDU C-BPDU T-BPDU T-BPDU Rxed Txed Rxed Txed Total 1 CID 2 Boundary Ports: Port C-BPDU C-BPDU T-BPDU T-BPDU Rxed Txed Rxed Txed Total 0 In this example, the device has two SuperSpan customer IDs. Syntax: show superspan [cid <num>] The cid <num>...
  • Page 433: Configuring Rapid Spanning Tree Protocol

    Chapter Configuring Rapid Spanning Tree Protocol Overview of Rapid Spanning Tree Protocol RSTP provides rapid convergence and takes advantage of point-to-point wiring of the spanning tree. Failure in one forwarding path does not affect other forwarding paths. RSTP improves the operation of the spanning tree while maintaining backward compatibility.
  • Page 434: Assignment Of Port Roles

    Overview of Rapid Spanning Tree Protocol Assignment of port roles At system start-up, all RSTP-enabled bridge ports assume a Designated role. Once start-up is complete, the RSTP algorithm calculates the superiority or inferiority of the RST BPDU that is received and transmitted on a port. On a root bridge, each port is assigned a Designated port role, except for ports on the same bridge that are physically connected together.
  • Page 435: Ports On Switch 1

    Overview of Rapid Spanning Tree Protocol FIGURE 40 Simple RSTP topology (figure labels: Switch 1, Switch 2, Switch 3 and Switch 4 with bridge priorities 200, 100, 300 and 400; ports Port2, Port3, Port4, Port7 and Port8)...
  • Page 436: Ports Switch 4

    Edge ports and edge port roles Ports Switch 4 Switch 4 is not directly connected to the root bridge. It has two ports with superior incoming RST BPDUs from two separate LANs: Port3 and Port4. The RST BPDUs received on Port3 are superior to the RST BPDUs received on port 4;...
  • Page 437: Point-To-Point Ports

    Point-to-point ports Point-to-point ports To take advantage of the RSTP features, ports on an RSTP topology should be explicitly configured as point-to-point links. Shared media should not be configured as point-to-point links. NOTE Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops.
  • Page 438: Edge Port And Non-Edge Port States

    Edge port and non-edge port states If a port on one bridge has a Designated role and that port is connected to a port on another bridge that has an Alternate or Backup role, the port with a Designated role cannot be given a Root port role until two instances of the forward delay timer expire on that port.
  • Page 439: Handshake Mechanisms

    State machines • Topology Change – This state machine detects, generates, and propagates topology change notifications. It acknowledges Topology Change Notice (TCN) messages when operating in 802.1D mode. It also flushes the MAC table when a topology change event takes place. •...
  • Page 440 State machines • Proposing – The Designated port on the root bridge sends an RST BPDU packet to its peer port that contains a proposal flag. The proposal flag is a signal that indicates that the Designated port is ready to put itself in a forwarding state (Figure 43).
  • Page 441 State machines FIGURE 44 Sync stage (figure labels: Switch 100, root bridge, Port1 Designated port; Switch 200, Port1 Root port; Port2 and Port3 Sync, Discarding; Switch 300, Switch 400; arrows indicate a signal) • Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced.
  • Page 442 State machines FIGURE 45 Synced stage (figure labels: Switch 100, root bridge, Port1 Designated port; Switch 200, Port1 Root port, Synced; Port2 and Port3 Synced, Discarding; Switch 300, Switch 400; arrows indicate a signal) • Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state.
  • Page 443 State machines FIGURE 46 Agree stage (figure labels: Switch 100, root bridge, Port1 Designated port, Forwarding; RST BPDU sent with an Agreed flag; Switch 200, Port1 Root port, Synced, Forwarding; Port2 and Port3 Synced, Discarding; Switch 300, Switch 400; arrows indicate a signal) At this point, the handshake mechanism is complete between Switch 100, the root bridge, and Switch 200.
  • Page 444 State machines FIGURE 47 Addition of a new root bridge (figure labels: Switch 100, Port2 Designated port; Switch 60, Port2, Port4 and Port1 Designated ports; Switch 200, Port1 Root port, Port4, Port2, Port3; Switch 300, Switch 400) The handshake that occurs between Switch 60 and Switch 100 follows the one described in the previous section (“Handshake when no root port is elected”...
  • Page 445 State machines FIGURE 48 New root bridge sending a proposal flag (figure labels: Switch 100, Port2 Designated port, handshake completed; Switch 60, Port2 Root port, Port4 and Port1 Designated ports, Proposing; RST BPDU sent with a Proposing flag; Switch 200, Port1 Root port, Forwarding, Port4 Designated port...
  • Page 446 State machines FIGURE 49 Sync and reroot (figure labels: Switch 100, Port2 Designated port; Switch 60, Port2 Root port, Port4 and Port1 Designated ports, Proposing; Switch 200, Port1 Root port, Sync, Reroot, Forwarding; Port4 Root port, Sync, Reroot; Port2 Discarding; Port3 Sync, Reroot...
  • Page 447 State machines FIGURE 50 Sync and rerooted (figure labels: Switch 100, Port2 Designated port; Switch 60, Port2 Root port, Port4 and Port1 Designated ports, Proposing; Switch 200, Port1 Designated port, Sync, Rerooted, Discarding; Port4 Root port, Sync, Rerooted; Port2 Discarding; Port3 Sync, Rerooted...
  • Page 448 State machines FIGURE 51 Rerooted, synced, and agreed (figure labels: Switch 100, Port2 Designated port; Switch 60, Port 2 Root port, Port4 and Port1 Designated ports, Forwarding, Proposing; RST BPDU sent with an Agreed flag; Switch 200, Port1 Rerooted, Synced, Discarding; Port4 Root port, Rerooted, Synced; Port2...
  • Page 449: Convergence In A Simple Topology

    Convergence in a simple topology FIGURE 52 Handshake completed after election of new root port (figure labels: Switch 100, Port2 Designated port; Switch 60, Port2 Root port, Port4 and Port1 Designated ports, Proposing; Switch 200, Port1 Alternate port, Port4 Root port, Port2 and Port3 Proposing...
  • Page 450: Convergence At Start Up

    Convergence in a simple topology NOTE The rapid convergence will not occur on ports connected to shared media devices, such as hubs. To take advantage of the rapid convergence provided by RSTP, make sure to explicitly configure all point-to-point links in a topology. Convergence at start up In Figure 53, two bridges, Switch 2 and Switch 3, are powered up.
  • Page 451 Convergence in a simple topology FIGURE 54 Simple Layer 2 topology (figure labels: Switch 1, bridge priority 1500; Switch 2, bridge priority 1000; Port2, Port3, Port4 and Port5 with Designated, Root, Backup and Alternate port roles...
  • Page 452: Convergence After A Link Failure

    Convergence in a simple topology The Port2/Switch 2 bridge also sends an RST BPDU with an agreed flag to Port2/Switch 1, confirming that Port2 is the new Root port. Both ports go into forwarding states. Port3/Switch 3 is now in a discarding state and is negotiating a port role. It received RST BPDUs from Port3/Switch 2.
  • Page 453: Convergence At Link Restoration

    Convergence in a simple topology FIGURE 56 Link failure in the topology (figure labels: Switch 1, bridge priority 1500; Switch 2, bridge priority 1000; Switch 3, bridge priority 2000; Port2, Port3, Port4 and Port5) Switch 1 sets its Port2 into a discarding state. At the same time, Switch 2 assumes the role of a root bridge since its root port failed and it has no operational Alternate port.
  • Page 454: Convergence In A Complex Rstp Topology

    Convergence in a complex RSTP topology When Port2/Switch 2 receives the RST BPDUs, the RSTP algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port. All the ports on Switch 2 are informed that a new Root port has been assigned, which then signals all the ports to synchronize their roles and states.
  • Page 455 Convergence in a complex RSTP topology FIGURE 57 Complex RSTP topology (figure labels: Switch 1, bridge priority 1000; Switch 2, bridge priority 200; Switch 5, bridge priority 60; ports Port2 through Port8)...
  • Page 456 Convergence in a complex RSTP topology Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is then given an Alternate port role, and remains in discarding state. Likewise, Port5/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is also given an Alternate port role, and remains in discarding state.
  • Page 457: Propagation Of Topology Change

    Convergence in a complex RSTP topology FIGURE 58 Active Layer 2 path in complex topology (figure labels: Switch 1, bridge priority 1000; Switch 2, bridge priority 200; Switch 5, bridge priority 60; ports Port2 through Port8)...
  • Page 458 Convergence in a complex RSTP topology FIGURE 59 Beginning of topology change notice (figure labels: Switch 1, bridge priority 1000; Switch 2, bridge priority 200; Switch 5, bridge priority 60; ports Port2 through Port8)...
  • Page 459 Convergence in a complex RSTP topology FIGURE 60 Sending TCN to bridges connected to Switch 2 (figure labels: Switch 1, bridge priority 1000; Switch 2, bridge priority 200; Switch 5, bridge priority 60; ports Port2 through Port8)...
  • Page 460: Compatibility Of Rstp With 802.1D

    Compatibility of RSTP with 802.1D FIGURE 61 Completing the TCN propagation (figure labels: Switch 1, bridge priority 1000; Switch 2, bridge priority 200; Switch 5, bridge priority 60; ports Port2 through Port8)...
  • Page 461: Configuring Rstp Parameters

    Configuring RSTP parameters For example, in Figure 62, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format to allow them to operate transparently with Switch 20. FIGURE 62 RSTP bridges with an 802.1D bridge Switch 10...
  • Page 462: Enabling Or Disabling Rstp On A Single Spanning Tree

    Configuring RSTP parameters BigIron RX(config)# vlan 10 BigIron RX(config-vlan-10)# rstp Syntax: [no] rstp Enabling or disabling RSTP on a single spanning tree To globally enable RSTP for all ports of a single spanning tree, enter the following command. BigIron RX(config)# rstp single Syntax: [no] rstp single Disabling or enabling RSTP on a port The rstp command must be used to initially enable RSTP on ports.
  • Page 463: Changing Port Parameters

    Configuring RSTP parameters The max-age <value> parameter specifies the amount of time the device waits to receive a hello packet before it initiates a topology change. Possible values: 6 – 40 seconds. The default is 20 seconds. The value of max-age must be greater than the value of forward-delay to ensure that the downstream bridges do not age out faster than the upstream bridges (those bridges that are closer to the root bridge).
  • Page 464: Fast Port Span

    Configuring RSTP parameters TABLE 79 Recommended path cost values of RSTP (Continued) Columns: Link speed; Recommended (default) RSTP path cost values; Recommended RSTP path cost range. 1 Gigabit per second: default 20,000; range 2,000 – 200,000,000. 10 Gigabits per second: default 2,000; range 200 – 20,000. 100 Gigabits per second: 20 –...
  • Page 465 Configuring RSTP parameters In addition, Fast Port Span enhances overall network performance in the following ways: • Fast Port Span reduces the number of STP topology change notifications on the network. When an end station attached to a Fast Span port comes up or down, the Brocade device does not generate a topology change notification for the port.
  • Page 466: Fast Uplink Span

    Configuring RSTP parameters BigIron RX(config)# fast port-span BigIron RX(config)# write memory Excluding specific ports from fast port span You can exclude individual ports from Fast Port Span while leaving Fast Port Span enabled globally. To do so, use the following method. Using the CLI To exclude a port from Fast Port Span, enter commands such as the following.
  • Page 467 Configuring RSTP parameters You can use the Fast Uplink feature on a Brocade device deployed as a wiring closet switch to decrease the convergence time for the uplink ports to another device to just four seconds (two seconds for listening and two seconds for learning). The wiring closet switch must be a Brocade device but the device at the other end of the link can be a Brocade device or another vendor’s switch.
  • Page 468: Displaying Rstp Information

    Displaying RSTP information Using the CLI To configure a group of ports for Fast Uplink Span, enter the following commands. BigIron RX(config)# fast uplink-span ethernet 4/1 to 4/4 BigIron RX(config)# write memory Syntax: [no] fast uplink-span [ethernet <portnum> [ethernet <portnum>… | to <portnum>]] This example configures four ports, 4/1 –...
  • Page 469 Displaying RSTP information BigIron RX(config)#show rstp vlan 10 VLAN 10 - RSTP instance 0 -------------------------------------------------------------------- RSTP (IEEE 802.1w) Bridge Parameters: Bridge Bridge Bridge Bridge Force Identifier MaxAge Hello FwdDly Version Hold 0001000480a04000 20 Default RootBridge RootPath DesignatedBridge Root Max Hel Fwd Identifier Cost Identifier...
  • Page 470 Displaying RSTP information TABLE 80 CLI display of RSTP summary (Continued) This field... Displays... Designated Bridge Identifier The bridge from where the root information was received. It can be from the root bridge itself, but it could also be from another bridge. Root Port The port on which the root information was received.
  • Page 471 Displaying RSTP information TABLE 80 CLI display of RSTP summary (Continued) This field... Displays... Role The current role of the port: • Root • Designated • Alternate • Backup • Disabled Refer to “Bridges and bridge port roles” on page 357 for definitions of the roles.
  • Page 472 Displaying RSTP information TABLE 81 The show rstp detail command output (Continued) This field... Displays... forceVersion the configured version of the bridge: • 0 – The bridge has been forced to operate in an STP compatible mode. • 2 – The bridge has been forced to operate in an RSTP mode. MigrateTime The number of seconds the bridge took to migrate from STP to RSTP mode.
  • Page 473 Displaying RSTP information TABLE 81 The show rstp detail command output (Continued) This field... Displays... ActiveTimers Shows what timers are currently active on this port and the number of seconds they have before they expire: • rrWhile – Recent root timer. A non-zero value means that the port has recently been a Root port.
  • Page 474 Displaying RSTP information BigIron RX# show xstp Ethernet 3/1 STP information: -------------------------------------------------------------------- No STP-configured VLANs for the port 3/1 RSTP information: ---------------------------------------------------------------------------- RSTP (IEEE 802.1w)Port Parameters: VLAN ID: 11 <--- Config Params ---> | <--- Current state ---> Port Pri PortPath P2P Edge Role State Designa-...
  • Page 475 Displaying RSTP information This field... Displays... P2P Mac Indicates if the point-to-point-mac parameter is configured to be a point-to-point link: • T – The link is configured as a point-to-point link. • F – The link is not configured as a point-to-point link. This is the default.
  • Page 476 Displaying RSTP information This field... Displays... Designated Cost The cost to the root bridge as advertised by the designated bridge that is connected to this port. If the designated bridge is the root bridge itself, then the cost is 0. The identity of the designated bridge is shown in the Design Bridge field.
  • Page 477: Metro Ring Protocol (Mrp) Phase 1 And 2

    Chapter Metro Ring Protocol (MRP) Phase 1 and 2 Metro Ring Protocol (MRP) phase 1 MRP Phase 1 is a Brocade proprietary protocol that prevents Layer 2 loops and provides fast reconvergence in Layer 2 ring topologies. It is an alternative to STP and is especially useful in Metropolitan Area Networks (MANs) where using STP has the following drawbacks: •...
  • Page 478: Mrp Rings Without Shared Interfaces

    MRP rings without shared interfaces The ring in this example consists of four MRP nodes (Brocade switches). Each node has two interfaces with the ring. Each node also is connected to a separate customer network. The nodes forward Layer 2 traffic to and from the customer networks through the ring. The ring interfaces are all in one port-based VLAN.
  • Page 479: Ring Initialization

    Ring initialization FIGURE 64 Metro ring – multiple rings (figure labels: Master node; port1/1, port1/2, port4/1, port4/2; Ring 1, Ring 2, Ring 3) In this example, two nodes are each configured with two MRP rings. Any node in a ring can be the master for its ring.
  • Page 480 Ring initialization FIGURE 65 Metro ring – initial state (figure labels: Switch A, Master node; Switch B, Switch C and Switch D, each connected to a Customer A network; all ports start in Preforwarding state; the primary port on the Master node sends RHP 1) MRP uses Ring Health Packets (RHPs) to monitor the health of the ring.
  • Page 481 Ring initialization When MRP is enabled, all ports begin in the Preforwarding state. The primary interface on the Master node, although it is in the Preforwarding state like the other ports, immediately sends an RHP onto the ring. The secondary port on the Master node listens for the RHP. •...
  • Page 482: How Ring Breaks Are Detected And Healed

    How ring breaks are detected and healed How ring breaks are detected and healed Figure 67 shows the ring forwarding state following a link break. MRP quickly heals the ring and preserves connectivity among the customer networks. FIGURE 67 Metro ring – ring break (figure labels: Customer A, Switch B, Master...
  • Page 483 How ring breaks are detected and healed When the broken link is repaired, the link’s interfaces come up in the Preforwarding state, which allows RHPs to travel through the restored interfaces and reach the secondary interface on the Master node. •...
  • Page 484: Master Vlans And Customer Vlans In A Topology Group

    Master VLANs and customer VLANs in a topology group 5. RHP packets continue to be sent on the primary interface by Switch A to detect if the ring has been healed. From a user perspective, there is no difference in the behavior of the ring. The only noticeable difference is a rapid convergence in the event of ring failure.
  • Page 485 Master VLANs and customer VLANs in a topology group FIGURE 69 Metro ring – ring VLAN and customer VLANs (figure labels: Customer A, VLAN 30; Customer B, VLAN 40; Switch B: ring 1 interfaces 1/1, 1/2; port4/1, port2/1; topology group 2; master VLAN 2 (1/1, 1/2); member VLAN 30 (1/1, 1/2, 2/1); port1/2...
  • Page 486: Configuring Mrp

    Configuring MRP If you use a topology group: • The master VLAN must contain the ring interfaces. The ports must be tagged, since they will be shared by multiple VLANs. • The member VLAN for a customer must contain the two ring interfaces and the interfaces for the customer.
  • Page 487: Adding An Mrp Ring To A Vlan

    Configuring MRP Adding an MRP ring to a VLAN NOTE If you plan to use a topology group to add VLANs to the ring, make sure you configure MRP on the topology group’s master VLAN. To add an MRP ring to a VLAN, enter commands such as the following. BigIron RX(config)# vlan 2 BigIron RX(config-vlan-2)# metro-ring 1 BigIron RX(config-vlan-2-mrp-1)# name CustomerA...
  • Page 488: Changing The Hello And Preforwarding Times

    MRP phase 2 Changing the hello and preforwarding times You also can change the RHP hello time and preforwarding time. To do so, enter commands such as the following. BigIron RX(config-vlan-2-mrp-1)# hello-time 200 BigIron RX(config-vlan-2-mrp-1)# preforwarding-time 400 These commands change the hello time to 200 ms and change the preforwarding time to 400 ms. NOTE The preforwarding time must be at least twice the value of the hello time and must be a multiple of the hello time.
  • Page 489 MRP phase 2 FIGURE 70 Multiple MRP rings - MRP Phase 1 (figure labels: Master node; port1/1, port1/2, port4/1, port4/2; Ring 1, Ring 2, Ring 3) With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN.
  • Page 490: Ring Initialization For Shared Interfaces

    Ring initialization for shared interfaces Ring initialization for shared interfaces FIGURE 72 Interface IDs and types (figure labels: port1/1 with interface IDs 1,2; Ring 1, Ring 2; port2/2; C = customer port) For example, in Figure 72, the ID of all interfaces on all nodes on Ring 1 is 1 and all interfaces on all nodes on Ring 2 is 2.
  • Page 491: Selection Of Master Node

    Ring initialization for shared interfaces node, the packet is forwarded through the secondary interface since it is currently in a preforwarding state. A secondary interface in preforwarding mode ignores any RHP packet that is not from its ring. The secondary interface changes to blocking mode only when the RHP packet forwarded by its primary interface is returned.
  • Page 492: Normal Flow

    Ring initialization for shared interfaces Normal flow Figure 73 shows an example of how RHP packets are processed normally in MRP rings with shared interfaces. FIGURE 73 Flow of RHP packets on MRP rings with shared interfaces (figure labels: port2/2 and port3/2, secondary interfaces; Master node; Ring 1...
  • Page 493: Flow When A Link Breaks

    Ring initialization for shared interfaces Flow when a link breaks If the link between shared interfaces breaks (Figure 74), the secondary interface on Ring 1’s master node changes to a preforwarding state. The RHP packet sent by port 3/1 on Ring 2 is forwarded through the interfaces on S4, then to S2.
  • Page 494: Using Mrp Diagnostics

    Using MRP diagnostics BigIron RX(config)# vlan 2 BigIron RX(config-vlan-2)# metro-ring 1 BigIron RX(config-vlan-2-mrp-1)# name CustomerA BigIron RX(config-vlan-2-mrp-1)# ring-interface ethernet 1/1 ethernet 1/2 BigIron RX(config-vlan-2-mrp-1)# enable BigIron RX(config-vlan-2-mrp-1)# metro-ring 2 BigIron RX(config-vlan-2-mrp-2)# name CustomerB BigIron RX(config-vlan-2-mrp-2)# ring-interface ethernet 1/1 ethernet 1/2 BigIron RX(config-vlan-2-mrp-2)# enable Syntax: [no] metro-ring <ring-id>...
  • Page 495: Displaying Mrp Diagnostics

    Displaying MRP information Displaying MRP diagnostics To display MRP diagnostics results, enter the following command on the Master node. BigIron RX(config)# show metro 2 diag Metro Ring 2 - CustomerA ============= diagnostics results Ring Diag RHP average Recommended Recommended state time(microsec) hello time(ms) Prefwing time(ms)
  • Page 496: Displaying Ring Information

    Displaying MRP information Displaying ring information To display ring information, enter the following command. BigIron RX(config)# show metro Metro Ring 2 ============= Ring State Ring Master Topo Hello Prefwing role vlan group time(ms) time(ms) enabled member not conf Ring interfaces Interface role Forwarding state Active interface...
  • Page 497: Mrp Cli Example

    MRP CLI example TABLE 84 CLI display of MRP ring information (Continued) This field... Displays... Prefwing time The number of milliseconds an MRP interface that has entered the Preforwarding state will wait before changing to the Forwarding state. If a member port in the Preforwarding state does not receive an RHP within the Preforwarding time (Prefwing time), the port assumes that a topology change has occurred and changes to the Forwarding state.
  • Page 498: Commands On Switch A (Master Node)

    MRP CLI example Commands on switch A (master node) The following commands configure a VLAN for the ring. The ring VLAN must contain both of the node’s interfaces with the ring. Add these interfaces as tagged interfaces, since the interfaces also must be in each of the customer VLANs configured on the node.
  • Page 499: Commands On Switch C

    MRP CLI example BigIron RX(config)# topology-group 1 BigIron RX(config-topo-group-1)# master-vlan 2 BigIron RX(config-topo-group-1)# member-vlan 30 BigIron RX(config-topo-group-1)# member-vlan 40 Commands on switch C BigIron RX(config)# vlan 2 BigIron RX(config-vlan-2)# tag ethernet 1/1 to 1/2 BigIron RX(config-vlan-2)# metro-ring 1 BigIron RX(config-vlan-2-mrp-1)# name “Metro A” BigIron RX(config-vlan-2-mrp-1)# ring-interface ethernet 1/1 ethernet 1/2 BigIron RX(config-vlan-2-mrp-1)# enable BigIron RX(config-vlan-2)# exit...
  • Page 501: Overview Of Virtual Switch Redundancy Protocol (Vsrp)

    Chapter Virtual Switch Redundancy Protocol (VSRP) Overview of Virtual Switch Redundancy Protocol (VSRP) VSRP is a Brocade proprietary protocol that provides redundancy and sub-second failover in Layer 2 and Layer 3 mesh topologies. Based on Brocade’s proprietary Virtual Router Redundancy Protocol Extended (VRRPE), VSRP provides one or more backups for the device.
  • Page 502: Layer 2 And Layer 3 Redundancy

    Overview of Virtual Switch Redundancy Protocol (VSRP) Following Master election (described below), one of the Brocade devices becomes the Master for the VRID and sets the state of all the VLAN’s ports to Forwarding. The other device is a Backup and sets all the ports in its VRID VLAN to Blocking.
  • Page 503 Overview of Virtual Switch Redundancy Protocol (VSRP) Each Backup waits for a specific period of time, the Dead Interval, to receive a new Hello message from the Master. If the Backup does not receive a Hello message from the Master by the time the Dead Interval expires, the Backup sends a Hello message of its own, which includes the Backup's VSRP priority, to advertise the Backup's intent to become the Master.
  • Page 504 Overview of Virtual Switch Redundancy Protocol (VSRP) FIGURE 77 VSRP priority recalculation (figure labels: Internet; enterprise Intranet; Router 1 = Master and Router 2 = Backup for VRID1; interfaces e 2/4, e 3/2, e 1/5, e 1/6; addresses 192.53.5.1 and 192.53.5.3; IP address = 192.53.5.1 on both; Owner...
  • Page 505 Overview of Virtual Switch Redundancy Protocol (VSRP) FIGURE 78 VSRP priority bias (figure labels: VSRP Master with configured priority = 150 and actual priority = 150 * (2/3) = 100, one link down; VSRP Backup with configured priority = 100 and actual priority = 100 * (3/3) = 100; optional link; VSRP...
  • Page 506 Overview of Virtual Switch Redundancy Protocol (VSRP) FIGURE 79 Track port priority (figure labels: configured priority = 100 on both devices; track priority 20; actual priority = 100 * (3/3) = 100; actual priority = (100 - 0) * (3/3) = 100; VSRP Master...
  • Page 507: Configuring Basic Vsrp Parameters

    Configuring basic VSRP parameters • If the port number is the same as the port that previously received a Hello message, the VSRP-aware device assumes that the message came from the same VSRP Master that sent the previous message. • If the port number does not match, the VSRP-aware device assumes that a VSRP failover has occurred to a new Master, and moves the MAC addresses learned on the previous port to the new port.
  • Page 508: Enabling Layer 3 Vsrp

    Enabling Layer 3 VSRP BigIron RX(config-vlan-200-vrid-1)# enable Syntax: [no] enable Syntax: [no] activate For information about the command’s optional parameters, see the following: • “Changing the backup priority” on page 435 • “Changing the default track priority” on page 438 Enabling Layer 3 VSRP Layer 2 VSRP is enabled globally by default on the device;...
  • Page 509: Configuring A Vrid Ip Address

    Configuring optional VSRP parameters Syntax: [no] ip vsrp auth-type no-auth | simple-text-auth <auth-data> The auth-type no-auth parameter indicates that the VRID and the interface it is configured on do not use authentication. The auth-type simple-text-auth <auth-data> parameter indicates that the VRID and the interface it is configured on use a simple text password for authentication.
  • Page 510: Vsrp Fast Start

    Configuring optional VSRP parameters BigIron RX(config-vlan-200-vrid-1)# ip-address 10.10.10.1 Syntax: [no] ip-address <ip-addr> VSRP fast start VSRP fast start allows non-Brocade or non-VSRP-aware devices that are connected to a Brocade device that is the VSRP Master to quickly switch over to the new Master when a VSRP failover occurs. This feature causes the port on a VSRP Master to restart when a VSRP failover occurs.
  • Page 511: Changing The Backup Priority

    Configuring optional VSRP parameters BigIron RX(config-vlan-10-vsrp-1)#sh vsrp VLAN 10 Auth-type no authentication VRID 1 ======== State Administrative-status Advertise-backup Preempt-mode Link-Redundancy Backup Enabled Disabled True Disabled Parameter Configured Current Unit/Formula Priority (100-0)*(4.0/4.0) Hello-interval sec/10 Hold-interval sec/10 Initial-ttl hops Master router 219.218.18.52 or MAC xxxx.dbda.1234 expires in 00:00:02 Member ports: ethe 19/1 to 19/2 ethe 19/4 to 19/5 Operational ports: ethe 19/1 to 19/2 ethe 19/4 to 19/5...
  • Page 512: Vsrp Slow Start

    Configuring optional VSRP parameters • Backup Hello interval • Hold-down interval Each Backup saves the configured timer values to its startup configuration file when you save the device’s configuration. NOTE The Backups always use the value of the timer scale received from the Master, regardless of whether the timer values that are saved in the configuration are the values configured on the Backup or the values received from the Master.
  • Page 513: Changing The Hello Interval

    Configuring optional VSRP parameters Changing the hello interval The Master periodically sends Hello messages to the Backups. To change the Hello interval, enter a command such as the following at the configuration level for the VRID. BigIron RX(config-vlan-200-vrid-1)# hello-interval 10 Syntax: [no] hello-interval <units>...
  • Page 514: Changing The Hold-Down Interval

    Configuring optional VSRP parameters Syntax: [no] backup-hello-interval <units> The <units> parameter specifies the message interval and can be from 60 – 3600 units (1 unit = 100 milliseconds). The default is 60 units (6000 milliseconds or 6 seconds). NOTE If you change the timer scale, the change affects the actual number of seconds. Changing the hold-down interval The hold-down interval prevents Layer 2 loops from occurring during failover, by delaying the new Master from forwarding traffic long enough to ensure that the failed Master is really unavailable.
  • Page 515: Specifying A Track Port

    Configuring optional VSRP parameters Specifying a track port You can configure the VRID on one interface to track the link state of another interface on the device. This capability is useful for tracking the state of the exit interface for the path for which the VRID is providing redundancy.
  • Page 516: Clearing Vsrp Information

    Clearing VSRP information NOTE All trunk ports must have the same delayed-link-down-event configuration. The following command will delay the sending of a port "down" event for 100ms when a port state is detected "down". If the port state is detected "up" afterwards within 100ms, the delayed "down" event is cancelled;...
  • Page 517 VSRP and MRP signaling If a VSRP failover from master to backup occurs, VSRP needs to inform MRP of the topology change; otherwise, data from the host continues along the obsolete learned path and never reaches the VSRP-linked device, as shown in Figure 82. FIGURE 82 VSRP on MRP rings that failed over...
  • Page 518: Displaying Vsrp Information

    Displaying VSRP information FIGURE 83 New path established (figure labels: Path 1, Path 2; Host; MRP Master and MRP Member nodes; VSRP Master and VSRP Backup; Device 1) There are no CLI commands used to configure this process.
  • Page 519 Displaying VSRP information This display shows the following information when you use the vrid <num> or vlan <vlan-id> parameter. For information about the display when you use the aware parameter, refer to “Displaying the active interfaces for a VRID” on page 446. TABLE 85 CLI display of VSRP VRID or VLAN information This field...
  • Page 520: Displaying A Summary Of Vsrp Information

    Displaying VSRP information TABLE 85 CLI display of VSRP VRID or VLAN information (Continued) This field... Displays... priority The device’s preferability for becoming the Master for the VRID. During negotiation, the Backup with the highest priority becomes the Master. If two or more Backups are tied with the highest priority, the Backup interface with the highest IP address becomes the Master for the VRID.
  • Page 521: Displaying Vsrp Packet Statistics For Vsrp

    Displaying VSRP information BigIron RX# show vsrp brief VLAN VRID ConfPri CurPri P State PeerMacAddr or IpAddress 80 P Master Unknown Unknown None When the command is entered on a Layer 3 VSRP, it displays the following information. BigIron RX# show vsrp brief VLAN VRID ConfPri CurPri P State PeerMacAddr or IpAddress P Initia xxxx.1414.1404 20.20.20.4...
  • Page 522: Displaying The Active Interfaces For A Vrid

    Displaying VSRP information Displaying the active interfaces for a VRID On a VSRP-aware device, you can display VLAN and port information for the connections to the VSRP devices (Master and Backups) using the show vsrp aware command. The command shows the active interfaces for the VRID.
  • Page 523: Topology Overview

    Chapter Topology Groups Topology overview This chapter describes the different types of topology groups and how to configure them. A topology group is a named set of VLANs that share a Layer 2 control protocol. Topology groups simplify configuration and enhance scalability of Layer 2 protocols by allowing you to run a single instance of a Layer 2 protocol on multiple VLANs.
  • Page 524: Master Vlans And Customer Vlans In Mrp

    Master VLANs and customer VLANs in MRP Master VLANs and customer VLANs in MRP A topology group enables you to control forwarding in multiple VLANs using a single instance of a Layer 2 protocol such as MRP. For more information on topology group and MRP, refer to “Master VLANs and customer VLANs in a topology group”...
  • Page 525: Configuring A Topology Group

    Configuring a topology group If you remove a member VLAN or VLAN group from a topology group, you will need to reconfigure the Layer 2 protocol information in the VLAN or VLAN group. Configuring a topology group To configure a topology group, enter commands such as the following. BigIron RX(config)# topology-group 2 BigIron RX(config-topo-group-2)# master-vlan 2 BigIron RX(config-topo-group-2)# member-vlan 3...
  • Page 526 Displaying topology group information BigIron RX(config)# show topology-group Topology Group 1 ================== Master VLAN Member VLAN : 10 20 30 Member Group : None Control Ports : ethe 2/2 ethe 3/18 ethe 4/1 to 4/2 Free Ports : Topology Group 2 ================== Master VLAN Member VLAN...
  • Page 527: Overview Of Vrrp

    Chapter Configuring VRRP and VRRPE Overview of VRRP This chapter describes how to configure the following router redundancy protocols: • Virtual Router Redundancy Protocol (VRRP) – The standard router redundancy protocol described in RFC 3768. • VRRP Extended (VRRPE) – A Brocade proprietary version of VRRP that overcomes limitations in the standard protocol.
  • Page 528 Overview of VRRP As shown in this example, Host1 uses 192.53.5.1 on Router1 as the host’s default gateway out of the subnet. If this interface goes down, Host1 is cut off from the rest of the network. Router1 is thus a single point of failure for Host1’s access to other networks. If Router1 fails, you could configure Host1 to use Router2.
  • Page 529: Brocade Enhancements Of Vrrp

    Overview of VRRP NOTE You can provide more redundancy by also configuring a second VRID with Router2 as the Owner and Router1 as the Backup. This type of configuration is sometimes called Multigroup VRRP. Master router election Virtual routers use the VRRP priority values associated with each VRRP router to determine which router becomes the Master.
  • Page 530 Overview of VRRP Track ports and track priority Brocade enhanced VRRP by giving a VRRP router the capability to monitor the state of the interfaces on the other end of the route path through the router. For example, in Figure 85 on page 452, interface e1/6 on Router1 owns the IP address to which Host1 directs route traffic on its default gateway.
  • Page 531: Overview Of Vrrpe

    Overview of VRRPE Forcing a master router to abdicate to a standby router You can force a VRRP Master to abdicate (give away control) of a virtual router to a Backup by temporarily changing the Master’s priority to a value less than the Backup’s. When you change a VRRP Owner’s priority, the change takes effect only for the current power cycle.
  • Page 532 Overview of VRRPE • VRRPE uses UDP to send Hello messages in IP multicast messages. The Hello packets use the interface’s actual MAC address and IP address as the source addresses. The destination MAC address is 01-00-5E-00-00-02, and the destination IP address is 224.0.0.2 (the well-known IP multicast address for “all routers”).
  • Page 533 Overview of VRRPE FIGURE 86 Router1 and Router2 are configured to provide dual redundant network access for the host [figure labels: Internet; interfaces e 2/4 and e 3/2; VRID 1 with Router A = Master and Router B = Backup; virtual IP address 192.53.5.254 on both routers; Router1 priority = 100 (default)]
  • Page 534: Vrrp And Vrrpe Parameters

    VRRP and VRRPE parameters VRRP and VRRPE parameters Table 88 lists the VRRP and VRRPE parameters. Most of the parameters and default values are the same for both protocols. The exceptions are noted in the table. TABLE 88 VRRP and VRRPE parameters Parameter Description Default...
  • Page 535 VRRP and VRRPE parameters TABLE 88 VRRP and VRRPE parameters (Continued) Parameter Description Default See page... Router type Whether the router is an Owner or a Backup. VRRP – The Owner is always page 460 • the router that has the real IP Owner (VRRP only) –...
  • Page 536: Configuring Parameters Specific To Vrrp

    Configuring parameters specific to VRRP TABLE 88 VRRP and VRRPE parameters (Continued) Parameter Description Default See page... Track priority A VRRP or VRRPE priority value assigned to the tracked ports. If a VRRP – 2 page 454 tracked port’s link goes down, the VRID port’s VRRP or VRRPE VRRPE –...
  • Page 537: Configuring The Owner

    Configuring parameters specific to VRRP Configuring the owner Router1(config)# router vrrp Router1(config)# inter e 1/6 Router1(config-if-1/6)# ip address 192.53.5.1 Router1(config-if-1/6)# ip vrrp vrid 1 Router1(config-if-1/6-vrid-1)# owner Router1(config-if-1/6-vrid-1)# ip-address 192.53.5.1 Router1(config-if-1/6-vrid-1)# activate Configuring a backup To configure the VRRP Backup router, enter the following commands. Router2(config)# router vrrp Router2(config)# inter e 1/5 Router2(config-if-e10000-1/5)# ip address 192.53.5.3...
  • Page 538: Configuring Parameters Specific To Vrrpe

    Configuring parameters specific to VRRPE Configuring parameters specific to VRRPE VRRPE is configured at the interface level. To implement a simple VRRPE configuration using all the default values, enter commands such as the following on each BigIron RX. BigIron RX(config)# router vrrp-extended BigIron RX(config)# inter e 1/5 BigIron RX(config-if-e10000-1/5)# ip address 192.53.5.3 BigIron RX(config-if-e10000-1/5)# ip vrrp-extended vrid 1...
  • Page 539: Authentication Type

    Configuring additional VRRP and VRRPE parameters • Backup priority • Suppression of RIP advertisements on Backup routes for the backed up interface • Hello interval • Dead interval • Backup Hello messages and message timer (Backup advertisement) • Track port •...
  • Page 540: For The Backed-Up Interface

    Configuring additional VRRP and VRRPE parameters Suppression of RIP advertisements on backup routers for the backed-up interface Normally, a VRRP or VRRPE Backup includes route information for the virtual IP address in RIP advertisements. As a result, other routers receive multiple paths for the Backup router and might sometimes unsuccessfully use the path to the Backup router rather than the path to the Master.
  • Page 541: Backup Hello Message State And Interval

    Configuring additional VRRP and VRRPE parameters Syntax: dead-interval <value> The Dead interval can be from 1 – 84 seconds. The default is 3.5 seconds. The syntax is the same for VRRP and VRRPE. Backup hello message state and interval By default, Backups do not send Hello messages to advertise themselves to the Master. You can enable these messages if desired and also change the message interval.
  • Page 542: Backup Preempt

    Configuring additional VRRP and VRRPE parameters • For VRRP, the software changes the priority of the virtual router to a track priority that is lower than that of the virtual router priority and lower than the priorities configured on the Backups. For example, if the virtual router priority is 100 and a tracked interface with track priority 60 goes down, the software changes the virtual router priority to 60.
  • Page 543: Displaying Vrrp And Vrrpe Information

    Displaying VRRP and VRRPE information BigIron RX(config)# ip int eth 1/6 BigIron RX(config-if-e10000-1/6)# ip vrrp vrid 1 BigIron RX(config-if-e10000-1/6-vrid-1)# owner priority 99 Syntax: [no] owner priority | track-priority <num> The <num> parameter specifies the new priority and can be a number from 1 – 254. When you press Enter, the software changes the priority of the Master to the specified priority.
  • Page 544 Displaying VRRP and VRRPE information BigIron RX(config)# show ip vrrp-extended brief Total number of VRRP-Extended routers defined: 41 Inte- VRID Current State Master IP Backup IP Virtual IP rface Priority Address Address Address ----------------------------------------------------------------------------- Backup 172.16.51.2 Local 172.16.51.1 Backup 172.16.52.2 Local 172.16.52.1 Backup...
  • Page 545: Displaying Detailed Information

    Displaying VRRP and VRRPE information TABLE 89 CLI display of VRRP or VRRPE summary information (Continued) This field... Displays... State This device’s VRRP or VRRPE state for the virtual router. The state can be one of the following: • Init – The virtual router is not enabled (activated). If the state remains Init after you activate the virtual router, make sure that the virtual router is also configured on the other routers and that the routers can communicate with each other.
  • Page 546 Displaying VRRP and VRRPE information The brief parameter displays summary information. Refer to “Displaying summary information” on page 467. The ethernet <slot>/<portnum> parameter specifies an Ethernet port. If you use this parameter, the command displays VRRP or VRRPE information only for the specified port. The ve <num>...
  • Page 547 Displaying VRRP and VRRPE information TABLE 90 CLI display of VRRP or VRRPE detailed information (Continued) This field... Displays... priority The device’s preferability for becoming the Master for the virtual router. During negotiation, the router with the highest priority becomes the Master.
  • Page 548: Displaying Statistics

    Displaying VRRP and VRRPE information TABLE 90 CLI display of VRRP or VRRPE detailed information (Continued) This field... Displays... backup router <ip-addr> expires in The IP addresses of Backups that have advertised themselves to this <time> Master by sending Hello messages. The <time>...
  • Page 549: Clearing Vrrp Or Vrrpe Statistics

    Configuration examples . received packets dropped by owner = 0 . received packets with ip ttl errors = 0 . received packets with ip address mismatch = 0 . received packets with advertisement interval mismatch = 0 . received packets with invalid length = 0 - total number of vrrp-extended packets sent = 2004 .
  • Page 550 Configuration examples Configuring Router1 To configure VRRP Router1, enter the following commands. Router1(config)# router vrrp Router1(config)# inter e 1/6 Router1(config-if-e10000-1/6)# ip address 192.53.5.1 Router1(config-if-e10000-1/6)# ip vrrp vrid 1 Router1(config-if-e10000-1/6-vrid-1)# owner track-priority 20 Router1(config-if-e10000-1/6-vrid-1)# track-port ethernet 2/4 Router1(config-if-e10000-1/6-vrid-1)# ip-address 192.53.5.1 Router1(config-if-e10000-1/6-vrid-1)# activate NOTE When you configure the Master (Owner), the address you enter with the ip-address command must already be configured on the interface.
  • Page 551: Vrrpe Example

    Configuration examples The activate command activates the virtual router configuration on this interface. The interface does not provide backup service for the virtual IP address until you activate the VRRP configuration. Syntax: router vrrp Syntax: ip vrrp vrid <vrid> Syntax: owner [track-priority <value>] Syntax: backup [priority <value>] [track-priority <value>] Syntax: track-port ethernet <slot>/<portnum>...
  • Page 552 Configuration examples Router1(config-if-e10000-5/1-vrid-1)# track-port ethernet 3/2 Router1(config-if-e10000-5/1-vrid-1)# ip-address 192.53.5.254 Router1(config-if-e10000-5/1-vrid-1)# activate Router1(config-if-e10000-5/1-vrid-1)# exit Router1(config)# interface ethernet 5/1 Router1(config-if-e10000-5/1)# ip vrrp-extended vrid 2 Router1(config-if-e10000-5/1-vrid-1)# backup priority 110 track-priority 20 Router1(config-if-e10000-5/1-vrid-1)# track-port ethernet 2/4 Router1(config-if-e10000-5/1-vrid-1)# ip-address 192.53.5.253 Router1(config-if-e10000-5/1-vrid-1)# activate The backup command specifies that this router is a VRRPE Backup for virtual router VRID1. The IP address entered with the ip-address command is the same IP address as the one entered when configuring Router1.
  • Page 553: Overview Of Quality Of Service (Qos)

    Chapter Configuring Quality of Service Overview of Quality of Service (QoS) Quality of Service (QoS) features are used to prioritize the use of bandwidth in a switch. When QoS features are enabled, traffic is classified as it arrives at the switch and is processed on the basis of the configured priorities.
  • Page 554 Classification FIGURE 87 Priority resolution [figure: the 802.1p priority and DSCP priority inputs are resolved according to the trust level (set to CoS, set to DSCP, or set to the higher of both inputs; CoS is the default), together with port-based, MAC-based, and port-based VLAN classification] As shown in the figure, the first criteria considered are port-based, MAC-based, and port-based VLAN classifications.
  • Page 555 Classification TABLE 92 Default QoS mappings, columns 16 to 31 DSCP value 802.1p (COS) Value DSCP value Internal Forwarding Priority Forwarding Queue TABLE 93 Default QoS mappings, columns 32 to 47 DSCP value 802.1p (COS) Value DSCP value Internal Forwarding Priority Forwarding Queue...
  • Page 556: Marking

    Marking • COS to Internal Forwarding Priority Mapping – You can change the mapping between 802.1p (COS) values and the Internal Forwarding priority value from the default values shown in Table 91 through Table 94. This mapping is used for COS marking and determining the internal priority when the trust level is COS.
  • Page 557 Marking When you apply a QoS priority to one of the items listed above, you specify a number from 0 – 7. The priority number specifies the IEEE 802.1p equivalent to one of the four Brocade QoS queues. The numbers correspond to the queues as follows. Priority level QoS forwarding queue 6, 7...
  • Page 558: Configuring Tos-Based Qos

    Configuring ToS-based QoS Configuring ToS-based QoS To configure ToS-based QoS, perform the following tasks: • Enable ToS-based QoS on an interface. Once you enable the feature on an individual interface, you can configure the trust level and marking for traffic that is received on that interface as described: •...
  • Page 559: Configuring The Qos Mappings

    Configuring the QoS mappings Configuring the QoS mappings The Brocade device maps a packet’s 802.1p or DSCP value to an internal forwarding priority. The default mappings are listed in Table 91 through Table 94. You can change the following mappings as described in this section: •...
  • Page 560: Mappings

    Configuring the QoS mappings BigIron RX(config)# qos-tos map dscp-dscp 0 to 10 This command changes the mapping of DSCP value 0 to 10. Syntax: [no] qos-tos map dscp-dscp <old-dscp-value> [<old-dscp-value>...] to <new-dscp-value> You can change up to seven DSCP values in the same command. Changing the DSCP –>...
  • Page 561: Displaying Qos Configuration Information

    Displaying QoS configuration information The <priority> parameter specifies the internal forwarding priority. Changing the CoS –> internal forwarding priority mappings This mapping is used when the trust level is set to CoS. In addition to determining the internal-forwarding priority of a packet, the value also determines the outbound 802.1p value if CoS marking is enabled.
  • Page 562 Displaying QoS configuration information BigIron RX# show qos-tos Interface QoS , Marking and Trust Level: | QoS | Mark Trust-Level -------+-----+----------+--------------- | Yes | Layer 2 CoS | No Layer 2 CoS | No Layer 2 CoS | No Layer 2 CoS ve20 | No Layer 2 CoS...
  • Page 563: Determining Packet Drop Priority Using Wred

    Determining packet drop priority using WRED TABLE 95 ToS-based QoS configuration information (Continued) This field... Displays... Mark The marking type enabled on the interface. The marking type can be any of the following: • COS – CoS marking is enabled. •...
  • Page 564: How Wred Operates

    Determining packet drop priority using WRED How WRED Operates The graph in Figure 88 describes the interaction of the previously described variables in the operation of WRED. When a packet arrives at a switch, the average queue size (q-size) is calculated (note that this is not the statistical average queue size; refer to “Calculating avg-q-size”...
  • Page 565: Using Wred With Rate Limiting

    Configuring packet drop priority using WRED Pdrop = (pkt-size / pkt-size-max) * Pmax * ((avg-q-size - min-avg-q-size) / (max-avg-q-size - min-avg-q-size)) Using WRED with rate limiting When rate limiting is configured on a device, it directs the switch to drop traffic indiscriminately when the configured average-rate and maximum-burst thresholds are exceeded.
  • Page 566 Configuring packet drop priority using WRED TABLE 96 Possible Wq values (Continued) Averaging weight Wq value as a percentage setting 12.5% 6.2% 3.12% 1.56% 0.78% 0.4% 0.2% 0.09% 0.05% 0.02% 0.01% To set the wq parameter for queues with a queue type of 1 to 25%, use the following command. BigIron RX(config)#qos queue-type 1 wred averaging-weight 25% This gives the current queue size a weight of 25% over the statistical average queue size.
  • Page 567 Configuring packet drop priority using WRED Setting the maximum drop probability To set the maximum drop probability when the queue size reaches the Max-average-q-size value to 20% use the following command. BigIron RX(config)#qos queue-type 1 wred drop-precedence 0 drop-probability-max Syntax: [no] qos queue-type <queue-number> wred drop-precedence <policing-status> drop-probability-max <p-max%>...
  • Page 568 Configuring packet drop priority using WRED The <queue-type> variable is the number of the forwarding queue type that you want to configure drop-precedence for. There are eight forwarding queue types on BigIron RX Routers. They are numbered 0 to 3. The <drop-precedence-value>...
  • Page 569: Displaying The Wred Configuration

    Configuring packet drop priority using WRED TABLE 97 WRED default settings Queue Drop Minimum Maximum Maximum Maximum Maximum Average type precedence average average packet size drop instantaneous weight queue size queue size (Byte) probability queue size (KByte) (KByte) 1024 16384 1024 0.2% 1024...
  • Page 570: Scheduling Traffic For Forwarding

    Scheduling traffic for forwarding Scheduling traffic for forwarding If the traffic being processed by a device is within the capacity of the switch, all traffic is forwarded as received. Once we reach the point where the switch is bandwidth constrained, it becomes subject to drop priority if configured as described in “Determining packet drop priority using WRED”...
  • Page 571 Scheduling traffic for forwarding Configuring strict priority-based traffic scheduling To configure strict priority-based scheduling use a command such as the following. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos scheduler strict Syntax: qos scheduler strict Configuring enhanced strict priority-based traffic scheduling To configure enhanced strict priority-based scheduling use a command such as the following.
  • Page 572 Scheduling traffic for forwarding The values of the remaining queues are calculated to be the following. q2 = 30%, q1 = 20%, and q0 = 10% Configuring WFQ destination-based traffic scheduling To configure WFQ destination-based scheduling use a command such as the following. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos scheduler destination-weighted 5 10 15 20 Syntax: qos scheduler destination-weighted <queue0-weight>...
  • Page 573 Scheduling traffic for forwarding Syntax: qos scheduler max-rate <Queue0-rate> <Queue1-rate> <Queue2-rate> <Queue3-rate> The <Queue0-rate> variable defines the maximum bandwidth allocated to forwarding queue 0 in Kbps. The <Queue1-rate> variable defines the maximum bandwidth allocated to forwarding queue 1 in Kbps. The <Queue2-rate>...
  • Page 574: Configuring Multicast Traffic Engineering

    Configuring multicast traffic engineering BigIron RX#show qos scheduler Port | Scheduler Type Prio0 Prio1 Prio2 Prio3 | (Rates where specified are in Kbps) -------+-------------------------------------+---------+---------+--------- 13/1 | strict 13/2 | enhanced-strict Rate 100000 200000 300000 Remaining 13/3 | min-rate Rate 102400 204800 307200 409600...
  • Page 575: Displaying The Multicast Traffic Engineering Configuration

    Configuring multicast traffic engineering To limit the multicast traffic through the packet processor that includes port 1/1 to 10 Mbps, use the following command. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos multicast best-effort rate 10000 Syntax: qos multicast best-effort rate <rate> The <rate>...
  • Page 576: Qos Profiles

    Configuring multicast traffic engineering • Virtual interface subsets are not supported for egress ACLs. • The egress filtering of the 16x10 module only compares 3 bits of the TOS field (delay, throughput, reliability). • The 16x10 GE module consists of 4 port groups of 4 ports each: Port group 1: ports 1,5,9,13 •...
  • Page 577: Scheduling

    Configuring multicast traffic engineering Setting the averaging-fair-weight (wfq) parameter The wfq parameter is configured as the averaging-fair-weight parameter. In this implementation, you can set one of 13 (1 - 13) possible values. These values represent a wfq value as described in Table 99. Calculating the values for WFQ storage mode traffic scheduling...
  • Page 578: Mirroring Ports

    Configuring multicast traffic engineering Table 99 identifies the profile used for network control traffic which is identified using an independent flag. TABLE 99 QOS profile index Qos profile QOS profile index (depending Comments on network port) Low priority DP1 0,1,2,3 Low priority DP1 0,1,2,3 Low priority DP1...
  • Page 579 Configuring multicast traffic engineering NOTE The configurations for group port 1 will now be associated with s/1,s/5,s/9,s/13 3. To set the group port 2 weight, low priority traffic, BigIron RX(config-if-e10000-4/1)#qos rcv-scheduler wfq 1 2 1 4. To set the group port 2 weight, high priority traffic, BigIron RX(config-if-e10000-4/1)#qos rcv-scheduler wfq 1 2 1 2 NOTE The configurations for group port 2 will now be associated with s/2,s/6,s/10,s/14...
  • Page 580 Configuring multicast traffic engineering BigIron RX Series Configuration Guide 53-1002253-01...
  • Page 581: Traffic Policing On The Bigiron Rx Series

    Chapter Configuring Traffic Reduction In this chapter • Traffic policing on the BigIron RX Series ......505 •...
  • Page 582: Traffic Reduction Parameters And Algorithm

    Traffic reduction parameters and algorithm Traffic reduction parameters and algorithm A rate limiting policy specifies two parameters: requested rate and maximum burst. Requested rate The requested rate is the maximum number of bits a port is allowed to receive during a one-second interval.
  • Page 583: Configuration Considerations

    Configuration considerations The credit size is calculated using the following algorithm. Credit = (Average rate in bits per second)/(8*64453) One second is divided into 64,453 intervals. In each interval, the number of bytes equal to the credit size is added to the running total of the class. The running total of a class represents the number of bytes that can be allowed to pass through without being subject to rate limiting.
  • Page 584: Configuring Rate Limiting Policies

    Configuring rate limiting policies • ACL-based rate limiting policies consume entries based on the number of statements in an ACL. • See the limits in Table 100. TABLE 100 Maximum # of rate limiting policies and VLANs w/ byte accounting permitted per-PPCR Module type PPCR number...
  • Page 585: Configuring A Port-And-Priority-Based Rate Limiting Policy

    Configuring rate limiting policies The <requested-rate> parameter specifies the maximum rate allowed on a port during a one-second interval. The minimum configurable requested rate is 20,345 bps. The maximum configurable rate limiting rate is near line-rate. Refer to “Requested rate” on page 506 for more details.
  • Page 586: Configuring A Vlan-Group-Based Rate Limiting Policy

    Configuring rate limiting policies The vlan <vlan-number> parameter specifies the VLAN ID to which the policy applies. Refer to “Configuration considerations” on page 507 to determine the number of rate limiting policies that can be configured on a device. For information on the other parameters, refer to “Configuring a port-based rate limiting policy”...
  • Page 587 Configuring rate limiting policies The command applies the rate limiting policy for rate limiting VLAN group 10. This policy limits all traffic tagged with VLANs 3, 5, 6, or 7 on hardware forwarding queues 2 and 3 to a rate of 500 Mbps with a maximum burst size of 750 Mbits.
  • Page 588: Configuring A Port-And-Ipv6 Acl-Based Traffic Reduction

    Configuring rate limiting policies Average rate is adjusted to 499321856 bits per second BigIron RX(config-if-e1000-1/5)# rate-limit in access-group 60 100000000 200000000 Average rate is adjusted to 97523712 bits per second These commands first configure access-list groups that contain the ACLs that will be used in the rate limiting policy.
  • Page 589: Rate Limiting

    NP based multicast, broadcast, and unknown-unicast rate limiting The ipv6-named-access-group <name> parameter identifies the IPv6 ACL used to permit or deny traffic on a port. Permitted traffic is subject to rate limiting. Denied traffic is forwarded on the port. For information on the other parameters, refer to “Configuring a port-based rate limiting policy”...
  • Page 590: Displaying Traffic Reduction

    Displaying traffic reduction Displaying traffic reduction The show rate-limit command displays the rate limiting policies configured on the ports. For example. BigIron RX(config)# show rate-limit interface e 1/1 rate-limit input 499321856 750000000 interface e 1/3 rate-limit input vlan-id 10 499321856 750000000 rate-limit input vlan-id 20 97523712 200000000 To display bytes forwarded and dropped, enter the following command.
  • Page 593: Filtering Based On Ethertype

    Chapter Layer 2 ACLs This chapter presents information to configure and view Layer 2 ACLs. Layer 2 Access Control Lists (ACLs) filter incoming traffic based on Layer 2 MAC header fields in the Ethernet/IEEE 802.3 frame. Specifically, Layer 2 ACLs filter incoming traffic based on any of the following Layer 2 fields in the MAC header: •...
  • Page 594: Configuring Layer 2 Acls

    Configuring Layer 2 ACLs • You cannot add remarks to a Layer 2 ACL clause. Configuring Layer 2 ACLs Configuring a Layer 2 ACL is similar to configuring standard and extended ACLs. Layer 2 ACL table IDs range from 400 to 499, for a maximum of 100 configurable Layer 2 ACL tables. Within each Layer 2 ACL table, you can configure from 64 (default) to 256 clauses.
  • Page 595: Example Layer 2 Acl Clauses

    Configuring Layer 2 ACLs The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using F’s and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000.
  • Page 596: Inserting And Deleting Layer 2 Acl Clauses

    Viewing Layer 2 ACLs Inserting and deleting Layer 2 ACL clauses You can make changes to the Layer 2 ACL table definitions without unbinding and rebinding the table from an interface. For example, you can add a new clause to the ACL table, delete a clause from the table, delete the ACL table, etc.
  • Page 597: Example Of Layer 2 Acl Deny By Mac Address

    Viewing Layer 2 ACLs Example of Layer 2 ACL deny by MAC address In the following example, an ACL is created that denies all traffic from the host with the MAC address 0012.3456.7890 being sent to the host with the MAC address 0011.2233.4455. BigIron RX(config)# access-list 401 deny 0012.3456.7890 ffff.ffff.ffff 0011.2233.4455 ffff.ffff.ffff BigIron RX(config)# access-list 401 permit any any...
  • Page 599: How The Bigiron Rx Processes Acls

    Chapter Access Control List This chapter describes the IP Access Control List (ACL) feature, which enables you to filter traffic based on the information in the IP packet header. For details on Layer 2 ACLs, refer to “Types of IP ACLs”...
  • Page 600: Disabling Or Re-Enabling Access Control Lists (Acls)

    Disabling or re-enabling Access Control Lists (ACLs) RX-BI-16XG (16 x 10GE) Module EGRESS ACL Configuration Guidelines • The RX-BI-16XG 16 x 10GE module only supports standard, extended, named, and numbered ACLs for outbound (access-group) ACL applications. • Egress filtering on a subset of the ports of a VE is not supported; matching must apply to all VE ports.
  • Page 601: Acl Ids And Entries

    ACL IDs and entries Standard or extended ACLs can be numbered or named. Standard ACLs are numbered from 1 – 99, extended ACLs are numbered 100 – 199. Super ACLs may be assigned numbered IDs only, from 500 – 599. IDs for standard or extended ACLs can also be a character string (named). In this document, an ACL with a string ID is called a named ACL.
  • Page 602: Acl-Based Inbound Mirroring

    ACL-based inbound mirroring ACL-based inbound mirroring ACLs can be used to select traffic for mirroring from one port to another. Using this feature, you can monitor traffic in the mirrored port using a protocol analyzer. Considerations when configuring ACL-based inbound mirroring The following must be considered when configuring ACL-based Inbound Mirroring: •...
  • Page 603: Applying The Acl To An Interface

    ACL-based inbound mirroring The mirror parameter directs selected traffic to the mirrored port. Traffic can only be selected using the permit clause. The mirror parameter is supported on rACLs. Applying the ACL to an interface You must apply the ACL to an interface using the ip access-group command as shown in the following.
  • Page 604 ACL-based inbound mirroring BigIron RX(config)# trunk switch ethernet 1/1 to 1/2 BigIron RX(config-trunk-1/1-1/2)# config-trunk-ind BigIron RX(config-trunk-1/1-1/2)# acl-mirror-port ethe-port-monitored 1/1 ethernet 1/3 The following considerations apply when configuring ACL-based mirroring with trunks: • You must configure ACL-mirroring for a trunk within the trunk configuration as shown in the examples.
  • Page 605: Interfaces

    Configuring numbered and named ACLs Configuring ACL-based mirroring for ACLs bound to virtual interfaces For configurations that have an ACL bound to a virtual interface, you must configure the acl-mirror-port command on a port for each PPCR that is a member of the virtual interface. For example, in the following configuration ports 4/1 and 4/2 share the same PPCR while port 4/3 uses another PPCR.
  • Page 606 Configuring numbered and named ACLs Standard ACLs permit or deny packets based on source IP addresses. You can configure up to 99 standard ACLs. There is no limit to the number of ACL entries an ACL can contain, except for the system-wide limitation.
  • Page 607: Configuring Extended Numbered Acls

    Configuring numbered and named ACLs <wildcard> Specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>.
  • Page 608 Configuring numbered and named ACLs • Destination TCP or UDP port (if the IP protocol is TCP or UDP) The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255: • Internet Control Message Protocol (ICMP) •...
  • Page 609: Extended Acl Syntax

    Configuring numbered and named ACLs The following commands apply ACL 102 to the incoming and outgoing traffic on port 1/2 and to the incoming traffic on port 4/3. BigIron RX(config)# int eth 1/2 BigIron RX(config-if-e10000-1/2)# ip access-group 102 in BigIron RX(config-if-e10000-1/2)# exit BigIron RX(config)# int eth 4/3 BigIron RX(config-if-e10000-4/3)# ip access-group 102 in BigIron RX(config)# write memory...
  • Page 610 Configuring numbered and named ACLs [<operator> <destination-tcp/udp-port>] [match-all <tcp-flags>] [match-any <tcp-flags>] [<icmp-type>] [established] [precedence <name> | <num>] [tos <number>] [dscp-matching <number>] [802.1p-priority-matching <number>] [dscp-marking <number> 802.1p-priority-marking <number> internal-priority-marking <number>] | [dscp-marking <number> dscp-cos-mapping] | [dscp-cos-mapping] [fragment] [non-fragment] [first-fragment] [fragment-offset <number>] [spi <00000000 - ffffffff>] [log] Syntax: [no] access-list <num>...
  • Page 611 Configuring numbered and named ACLs <wildcard> Specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>.
  • Page 612 Configuring numbered and named ACLs <operator> Specifies a comparison operator for the TCP or UDP port number. You can enter one of the following operators: • eq – The policy applies to the TCP or UDP port name or number you enter after •...
  • Page 613 Configuring numbered and named ACLs <icmp-type> Enter one of the following values, depending on the software version the device is running: • any-icmp-type • echo • echo-reply • information-request • • mask-reply • mask-request • parameter-problem • redirect • source-quench •...
  • Page 614 Configuring numbered and named ACLs • tos <name> | <num> Specify the IP ToS name or number. You can specify one of the following: • max-reliability or 2 – The ACL matches packets that have the maximum reliability ToS. The decimal value for this option is 2. •...
  • Page 615: Configuring Standard Or Extended Named Acls

    Configuring numbered and named ACLs • The dscp-cos-mapping parameter takes the DSCP value you specified and compares it to an internal QoS table, which is indexed by DSCP values. The corresponding 802.1p priority, internal forwarding priority, and DSCP value is assigned to the packet. For example, if you enter dscp-marking 7 and the internal QoS table is configured as shown in Table...
  • Page 616 Configuring numbered and named ACLs The following examples show how to configure a named standard ACL entry and a named extended ACL entry. Configuration example for standard ACL To configure a named standard ACL entry, enter commands such as the following. BigIron RX(config)# ip access-list standard Net1 BigIron RX(config-std-nacl)# deny host 209.157.22.26 log BigIron RX(config-std-nacl)# deny 209.157.29.12 log...
  • Page 617 Configuring numbered and named ACLs NOTE For convenience, the software allows you to configure numbered ACLs using the syntax for named ACLs. The software also still supports the older syntax for numbered ACLs. Although the software allows both methods for configuring numbered ACLs, numbered ACLs are always formatted in the startup-config and running-config files in using the older syntax, as follows.
  • Page 618: Configuring Super Acls

    Configuring numbered and named ACLs Syntax: [no] ip access-group <num> in The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring extended numbered ACLs” on page 531.
  • Page 619 Configuring numbered and named ACLs vlan-id <vlan-id> | ip-pkt-len <pkt-len> | ip-fragment-match {[fragment [fragment-offset <0 - 8191>]] | [non-fragment] | [first-fragment]} | ip-protocol <ip-protocol> | sip {<source-ip>/<source-ip-mask-len> | host <hostname>} | dip {<destination-ip>/<destination-ip-len> | host <hostname>} | sp <operator> <source-tcp/udp-port> | dp <operator>...
  • Page 620: Displaying Acl Definitions

    Displaying ACL definitions Enables packet matching based on the specified source TCP/UDP port. Enables packet matching based on the specified destination TCP/UDP port. icmp-detail Enables packet matching based on ICMP information. 802.1p-priority-matching Enables packet matching based on the specified 802.1p priority value. Valid range is 0-7.
  • Page 621: Displaying Of Tcp/Udp Numbers In Acls

    Displaying ACL definitions BigIron RX(config)#show access-list name entry Standard IP access list entry deny host 5.6.7.8 deny host 192.168.12.3 permit any Syntax: show access-list name <acl-name> Enter the ACL name for the <acl-name> parameter or the ACL number for <acl-number>. Displaying of TCP/UDP numbers in ACLs You can display the port numbers of TCP/UDP application information instead of their TCP/UDP well-known port name in the output of show commands and other commands that contain...
  • Page 622 Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service Port name Description number Resource Location Protocol graphics Graphics nameserver Host Name Server nicname Who Is mpm-flags MPM FLAGS Protocol Message Processing Module [recv] mpm-snd MPM [default send] ni-ftp NI FTP auditd...
  • Page 623 Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service Port name Description number mit-ml-dev2 MIT ML Device mfcobol Micro Focus Cobol kerberos Kerberos su-mit-tg SU/MIT Telnet Gateway dnsix DNSIX Securit Attribute Token Map mit-dov MIT Dover Spooler Network Printing Protocol Device Control Protocol objcall...
  • Page 624 Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service Port name Description number erpc Encore Expedited Remote Pro.Call smakynet SMAKYNET ansatrader ANSA REX Trader locus-map Locus PC-Interface Net Map Ser unitary NXEdit locus-con Locus PC-Interface Conn Server gss-xlicen GSS X License Verification pwdgen...
  • Page 625 Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service Port name Description number nss-routing NSS-Routing sgmp-traps SGMP-TRAPS cmip-man CMIP/TCP Manager cmip-agent CMIP/TCP Agent xns-courier Xerox s-net Sirius Systems namp NAMP rsvd RSVD send SEND print-srv Network PostScript multiplex Network Innovations Multiplex cl/1...
  • Page 626 Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service Port name Description number dn6-smm-red DNSIX Session Mgt Module Audit Redir Directory Location Service dls-mon Directory Location Service Monitor smux SMUX IBM System Resource Controller at-rtmp AppleTalk Routing Maintenance at-nbp AppleTalk Name Binding at-3...
  • Page 627 Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service Port name Description number csi-sgwp Cabletron Management Protocol clearcase Clearcase ulistserv ListProcessor legent-1 Legent Corporation legent-2 Legent Corporation hassle Hassle Amiga Envoy Network Inquiry Protocol tnETOS NEC Corporation dsETOS NEC Corporation is99c...
  • Page 628 Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service Port name Description number imsp Interactive Mail Support Protocol timbuktu Timbuktu prm-sm Prospero Resource Manager Sys. Man. prm-nm Prospero Resource Manager Node Man. decladebug DECLadebug Remote Debug Protocol Remote MT Protocol synoptics-trap Trap Convention Port...
  • Page 629 Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service Port name Description number cvc_hostd cvc_hostd http protocol over TLS/SSL snpp Simple Network Paging Protocol microsoft-ds Microsoft-DS ddm-rdb DDM-RDB ddm-dfm DDM-RFM ddm-byte DDM-BYTE as-servermap AS Server Mapper tserver Computer Supported Telecomunication Applications...
  • Page 630 Displaying ACL definitions TABLE 102 TCP/UDP port numbers and names (Continued) Port service Port name Description number meter-570 demon meter-571 udemon ipcserver SUN ipc sERVER sift-uft Sender-Initiated or Unsolicited File Transfer npmp-trap npmp-trap npmp-local npmp-local npmp-gui npmp-gui ginad ginad mdqs mdqs doom doom ID software...
  • Page 631: Acl Logging

    ACL logging TABLE 102 TCP/UDP port numbers and names (Continued) Port service Port name Description number webster webster phonebook phone cadlock-770 CADLOCK -770 rtip rtip cycleserv2 CYCLE Server submit SUBMIT rpasswd rpasswd entomb entomb wpages wpages wpgs wpgs concert concert mdbs_daemon mdbs_daemon device...
  • Page 632: Enabling The New Logging Method

    Modifying ACLs NOTE Logging is not currently supported on management interfaces. Enabling the new logging method There are no new CLI commands to enable this new processing method; it takes effect automatically if the following items have been configured: • Syslog logging is enabled.
  • Page 633 Modifying ACLs You can use the CLI to reorder entries within an ACL by individually removing the ACL entries and then re-adding them. To use this method, enter “no” followed by the command for an ACL entry, and repeat this for each ACL entry in the ACL you want to edit. After removing all the ACL entries from the ACL, re-add them.
  • Page 634: Adding Or Deleting A Comment

    Modifying ACLs NOTE This command will be unsuccessful if you place any commands other than access-list and end (at the end only) in the file. These are the only commands that are valid in a file you load using the copy tftp running-config… command. To save the changes to the device’s startup-config file, enter the following command at the Privileged EXEC level of the CLI.
  • Page 635 Modifying ACLs NOTE An ACL remark is attached to each individual filter only, not to the entire ACL. Complete the syntax by specifying any options you want for the ACL entry. Options you can use to configure standard or extended numbered ACLs are discussed in “Configuring standard or extended named ACLs”...
  • Page 636: Deleting Acl Entries

    Deleting ACL entries • remark <string> - adds a comment to the ACL entry. The comment can contain up to 255 characters. Comments must be entered separately from actual ACL entries; that is, you cannot enter an ACL entry and an ACL comment with the same command. Also, in order for the remark to be displayed correctly in the output of show commands, a comment must be entered immediately before the ACL entry it describes.
  • Page 637: From Named Acls

    Deleting ACL entries The <acl-number> parameter specifies the ACL entry to be deleted. The <acl-num> parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 1 – 99 for standard ACLs, 100 – 199 for extended ACLs, or 500 – 599 for super ACLs. You must enter the complete deny or permit statement for the <entire-deny-or-permit-statement>...
  • Page 638: Applying Acls To Interfaces

    Applying ACLs to interfaces Applying ACLs to interfaces Configuration examples in the section “Configuring numbered and named ACLs” on page 529 show that you apply ACLs to interfaces using the ip access-group command. This section presents additional information about applying ACLs to interfaces. Configuration examples for super ACLs appear in the section “Configuring super ACLs”...
  • Page 639: Configuring The Layer 4 Session Log Timer

    Applying ACLs to interfaces NOTE Applying an ACL to a subset of physical interfaces under a virtual routing interface multiplies the amount of CAM used by the number of physical interfaces specified. An ACL that successfully functions over a whole virtual routing interface may fail if you attempt to apply it to a subset of physical interfaces.
  • Page 640: Qos Options For Ip Acls

    QoS options for IP ACLs When the first Syslog entry for a packet denied by an ACL is generated, the software starts an ACL timer. After this, the software sends Syslog messages every 1 to 10 minutes, depending on the value of the timer interval.
  • Page 641: Enabling Acl Duplication Check

    Enabling ACL duplication check Enabling ACL duplication check If desired, you can enable software checking for duplicate ACL entries. To do so, enter the following command at the Global CONFIG level of the CLI. BigIron RX(config)# acl-duplication-check-disable Syntax: [no] acl-duplication-check-disable This command is disabled by default.
  • Page 642: Displaying Statistics For An Interface

    ACL accounting BigIron RX(config)#show access-list accounting brief Collecting ACL accounting summary for VE 1 ... Completed successfully. ACL Accounting Summary: (ac = accumulated since accounting started) In ACL Total In Hit VE 1 473963(1s) 25540391(1m) 87014178(5m) 112554569(ac) The display shows the following information. This field...
  • Page 643: Clearing The Acl Statistics

    ACL accounting This field... Displays... The IP multicast traffic snooping state The first line of the display indicates whether IP multicast traffic snooping is enabled or disabled. If enabled, it indicates if the feature is configured as passive or active. Collecting ACL accounting summary for Shows the interface included in the report and whether or not the <interface>...
  • Page 644: Packets

    Enabling ACL filtering of fragmented or non-fragmented packets Enabling ACL filtering of fragmented or non-fragmented packets By default, when an extended ACL is applied to a port, the port will use the ACL to permit or deny the first fragment of a fragmented packet, but forward subsequent fragments of the same packet in hardware.
  • Page 645: Interface

    ACL filtering for traffic switched within a virtual routing interface Enter the fragment parameter to allow the ACL to filter fragmented packets. Use the non-fragmented parameter to filter non-fragmented packets. NOTE The fragmented and non-fragmented parameters cannot be used together in an ACL entry. Complete the configuration by specifying options for the ACL entry.
  • Page 646: Named Acls

    ICMP filtering for extended ACLs Named ACLs For example, to deny the administratively-prohibited message type in a named ACL, enter commands such as the following. BigIron RX(config)# ip access-list extended entry BigIron RX(config-ext-nacl)# deny ICMP any any administratively-prohibited BigIron RX(config)# ip access-list extended entry BigIron RX(config-ext-nacl)# deny ICMP any any 3 13 Syntax: [no] ip access-list extended <acl-name>...
  • Page 647: Troubleshooting Acls

    Troubleshooting ACLs TABLE 103 ICMP message types and codes (Continued) ICMP message type Type Code Information-reply mask-reply mask-request net-redirect net-tos-redirect net-tos-unreachable net-unreachable packet-too-big parameter-problem NOTE: This message includes all parameter problems port-unreachable precedence-cutoff protocol-unreachable reassembly-timeout redirect NOTE: This includes all redirects. router-advertisement router-solicitation source-host-isolated...
  • Page 648 Troubleshooting ACLs • To determine whether the issue is specific to fragmentation, remove the Layer 4 information (TCP or UDP application ports) from the ACL, then reapply the ACL. If you are using another feature that requires ACLs, use the same ACL entries for filtering and for the other feature.
  • Page 649: Policy-Based Routing (Pbr)

    Chapter Policy-Based Routing Policy-Based Routing (PBR) Policy-Based Routing (PBR) allows you to use ACLs and route maps to selectively modify and route IP packets in hardware. The ACLs classify the traffic. Route maps that match on the ACLs set routing attributes for the traffic. A PBR policy specifies the next hop for traffic that matches the policy.
  • Page 650: Configuring A Pbr Policy

    Configuring a PBR policy • ACL – 416 entries • Rate Limiting – 416, entries shared with PBR Configuring a PBR policy To configure PBR, you define the policies using IP ACLs and route maps, then enable PBR globally or on individual interfaces. The device programs the ACLs into the Layer 4 CAM on the interfaces and routes traffic that matches the ACLs according to the instructions in the route maps.
  • Page 651: Configure The Route Map

    Configuring a PBR policy NOTE To specify the host name instead of the IP address, the host name must be configured using the Brocade device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI. The <wildcard>...
  • Page 652: Enabling Pbr

    Configuring a PBR policy BigIron RX(config)# route-map test-route permit 99 BigIron RX(config-routemap test-route)# match ip address 99 BigIron RX(config-routemap test-route)# set ip next-hop 192.168.2.1 BigIron RX(config-routemap test-route)# exit The commands in this example configure an entry in a route map named “test-route”. The match statement matches on IP information in ACL 99.
  • Page 653: Basic Example

    Configuration examples Enabling PBR locally To enable PBR locally, enter commands such as the following. BigIron RX(config)# interface ve 1 BigIron RX(config-vif-1)# ip policy route-map test-route The commands in this example change the CLI to the Interface level for virtual interface 1, then apply the “test-route”...
  • Page 654: Setting The Next Hop

    Configuration examples Setting the next hop The following commands configure the device to apply PBR to traffic from IP subnets 209.157.23.x, 209.157.24.x, and 209.157.25.x. In this example, route maps specify the next-hop gateway for packets from each of these subnets: •...
  • Page 655: Setting The Output Interface To The Null Interface

    Trunk formation Setting the output interface to the null interface The following commands configure a PBR to send all traffic from 192.168.1.204/32 to the null interface, thus dropping the traffic instead of forwarding it. BigIron RX(config)# access-list 56 permit 209.168.1.204 0.0.0.0 The following commands configure an entry in a route map called “file-13”.
  • Page 656 Trunk formation BigIron RX Series Configuration Guide 53-1002253-01...
  • Page 657: Overview Of Ip Multicasting

    Chapter Configuring IP Multicast Protocols Overview of IP multicasting Multicast protocols allow a group or channel to be accessed over different networks by multiple stations (clients) for receiving and transmitting multicast data. Distribution of stock quotes, video transmissions such as news services and remote classrooms, and video conferencing are all examples of applications that use multicast routing.
  • Page 658: Changing Global Ip Multicast Parameters

    Changing global IP multicast parameters Leaf Nodes: Routers that do not have any downstream routers. Multicast Tree: A unique tree is built for each source group (S,G) pair. A multicast tree is comprised of a root node and one or more nodes that are leaf or intermediate nodes. NOTE Multicast protocols can only be applied to 1 physical interface.
  • Page 659: Configuring Multicast Boundaries

    IP multicast boundaries Configuration considerations • Normal ACL restrictions apply as to how many software ACLs can be created, but there are no hardware restrictions on ACLs with this feature. • Creation of a static IGMP client is allowed for a group on a port that may be prevented from participation in the group on account of an ACL bound to the port’s interface.
  • Page 660: Passive Multicast Route Insertion (Pmri)

    Passive Multicast Route Insertion (PMRI) Passive Multicast Route Insertion (PMRI) To prevent unwanted multicast traffic from being sent to the CPU, Passive Multicast Route Insertion (PMRI) can be used to ensure that multicast streams are only forwarded out ports with interested receivers and that unwanted traffic is dropped in hardware on Layer 3 Switches.
  • Page 661: Changing Igmp V1 And V2 Parameters

    Changing IGMP V1 and V2 parameters Changing IGMP V1 and V2 parameters IGMP allows Brocade routers to limit the multicast of IGMP packets to only those ports on the router that are identified as IP Multicast members. The router actively sends out host queries to identify IP Multicast groups on the network. The following IGMP V1 and V2 parameters apply to PIM and DVMRP: •...
  • Page 662: Modifying Igmp (V1 And V2) Maximum Response Time

    Adding an interface to a multicast group Modifying IGMP (V1 and V2) maximum response time Maximum response time defines how long the device will wait for an IGMP (V1 and V2) response from an interface before concluding that the group member on that interface is down and removing the interface from the group.
  • Page 663 IGMP v3 IGMP v3 The Internet Group Management Protocol (IGMP) allows an IPV4 system to communicate IP Multicast group membership information to its neighboring routers. The routers in turn limit the multicast of IP packets with multicast destination addresses to only those interfaces on the router that are identified as IP Multicast group members.
  • Page 664: Default Igmp Version

    IGMP v3 In response to membership reports from the interfaces, the router sends a Group-Specific or a Group-and-Source Specific query to the multicast interfaces. For example, a router receives a membership report with a Source-List-Change record to block old sources from an interface. The router sends Group-and-Source Specific Queries to the source and group (S,G) identified in the record.
  • Page 665: Enabling The Igmp Version Per Interface Setting

    IGMP v3 Enabling the IGMP version per interface setting To specify the IGMP version for a physical port, enter a command such as the following. BigIron RX(config)# interface eth 1/5 BigIron RX(config-if-1/5)# ip igmp version 3 To specify the IGMP version for a virtual routing interface on a physical port, enter a command such as the following.
  • Page 666 IGMP v3 • No other client on the interface is receiving traffic from the group to which the client belongs. Every group on the physical interface of a virtual routing interface keeps its own tracking record. It can track by (source, group). For example, two clients (Client A and Client B) belong to group1 but each is receiving traffic streams from different sources.
  • Page 667: Setting The Query Interval

    IGMP v3 Setting the query interval The IGMP query interval period defines how often a switch will query an interface for group membership. Possible values are 10 – 3,600 seconds and the default value is 125 seconds, but the value you enter must be a little more than twice the group membership time. To modify the default value for the IGMP query interval, enter the following.
  • Page 668 IGMP v3 BigIron RX# show ip igmp group Interface v18 : 1 groups group phy-port static querier life mode #_src 239.0.0.1 e4/20 include 19 Interface v110 : 3 groups group phy-port static querier life mode #_src 239.0.0.1 e4/5 include 10 239.0.0.1 e4/6 exclude 13...
  • Page 669 IGMP v3 This field Displays Static A “yes” entry in this column indicates that the multicast group was configured as a static group; “No” means it was not. Static multicast groups can be configured in IGMP V2 using the ip igmp static command. In IGMP V3, static sources cannot be configured in static groups.
  • Page 670 IGMP v3 Entering an address for <group-address> displays information for a specified group on the specified interface. The report shows the following information. This field Displays Query interval Displays how often a querier sends a general query on the interface. Max response The maximum number of seconds a client can wait before it replies to the query.
  • Page 671: Clearing Igmp Statistics

    Configuring a static multicast route This field Displays Leave Number of IGMP V2 “leave” messages on the interface. (See ToEx for IGMP V3.) IsIN Number of source addresses that were included in the traffic. IsEX Number of source addresses that were excluded in the traffic. ToIN Number of times the interface mode changed from exclude to include.
  • Page 672 Configuring a static multicast route Syntax: ip mroute <ip-addr> interface ethernet <slot>/<portnum> | ve <num> [distance <num>] Syntax: ip mroute <ip-addr> rpf_address <rpf-num> The <ip-addr> command specifies the PIM source for the route. NOTE In IP multicasting, a route is handled in terms of its source, rather than its destination. You can use the ethernet <slot>/<portnum>...
  • Page 673: Next Hop Validation Check

    PIM dense To add a static route to a virtual interface, enter commands such as the following. BigIron RX(config)# ip mroute 0.0.0.0 0.0.0.0 int ve 1 distance 1 BigIron RX(config)# write memory Next hop validation check You can configure the BigIron RX to perform multicast validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
  • Page 674: Initiating Pim Multicasts On A Network

    PIM dense NOTE Multicast protocols can only be applied to 1 physical interface. You must create multiple VLANs with individual untagged ports and ve’s under which you configure PIM. PIM was introduced to simplify some of the complexity of the routing protocol at the cost of additional overhead tied with a greater replication of forwarded multicast packets.
  • Page 675 PIM dense When a node on the multicast delivery tree has all of its downstream branches (downstream interfaces) in the prune state, a prune message is sent upstream. In the case of R4, if both R5 and R6 are in a prune state at the same time, R4 becomes a leaf node with no downstream interfaces and sends a prune message to R1.
  • Page 676: Grafts To A Multicast Tree

    PIM dense FIGURE 91 Pruning leaf nodes from a multicast tree [figure: a video conferencing server is the source for group 229.225.0.1, i.e. (Source, Group) = (207.95.5.1, 229.225.0.1); a leaf node with no group members sends a prune message to its upstream router (R4)]...
  • Page 677: Configuring Pim Dm

    PIM dense The primary difference between PIM DM V1 and V2 is the methods the protocols use for messaging: • PIM DM V1 – uses the IGMP to send messages. • PIM DM V2 – sends messages to the multicast address 224.0.0.13 (ALL-PIM-ROUTERS) with protocol number 103.
  • Page 678 PIM dense • Entering router pim command to enable PIM does not require a software reload. • Entering a no router pim command removes all configuration for PIM multicast on a BigIron RX (router pim level) only. Enabling a PIM version To enable PIM on an interface, globally enable PIM, then enable PIM on interface 1/3, enter the following commands.
  • Page 679 PIM dense Modifying hello timer This parameter defines the interval at which periodic hellos are sent out PIM interfaces. Routers use hello messages to inform neighboring routers of their presence. The default rate is 60 seconds. To apply a PIM hello timer of 120 seconds to all ports on the router operating with PIM, enter the following.
  • Page 680 PIM dense BigIron RX(config)#show ip pim dense Global PIM Dense Mode Settings Hello interval: 60, Neighbor timeout: 180 Graft Retransmit interval: 180, Inactivity interval: 180 Route Expire interval: 200, Route Discard interval: 340 Prune age: 180, Prune wait: 3 Syntax: show ip pim dense Modifying graft retransmit timer The Graft Retransmit Timer defines the interval between the transmission of graft messages.
  • Page 681: Failover Time In A Multi-Path Topology

    PIM Sparse Total number of IP routes: 19 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default Destination NetMask Gateway Port Cost Type 172.17.41.4 255.255.255.252*137.80.127.3 172.17.41.4 255.255.255.252 137.80.126.3 172.17.41.4 255.255.255.252 137.80.129.1 172.17.41.4 255.255.255.252 137.80.128.3 172.17.41.8 255.255.255.252 0.0.0.0 Failover time in a multi-path topology Previously, when a port in a multi-path topology failed, multicast routers, depending on the routing protocol being used, took a few seconds to establish a new path if the failed port was the input port of the downstream router.
  • Page 682: Pim Sparse Router Types

    PIM Sparse FIGURE 92 Example PIM Sparse domain [figure: PIM Sparse router B, whose interface is also the Bootstrap Router (BR) for this PIM Sparse domain and the Rendezvous Point (RP) for the PIM Sparse groups in this domain; Port2/1 207.95.8.10, Port2/2 207.95.7.1; Rendezvous Point (RP) path]...
  • Page 683: Rp Paths And Spt Paths

    PIM Sparse from a group source to the group’s receivers. After the first packet, the BigIron RX calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver. The BigIron RX calculates a separate SPT for each source-receiver pair.
  • Page 684: Configuring Global Pim Sparse Parameters

    PIM Sparse NOTE Brocade recommends that you configure the same BigIron RX as both the BSR and the RP. Current limitations The implementation of PIM Sparse in the current software release has the following limitations: • PIM Sparse and regular PIM (dense mode) cannot be used on the same interface. •...
  • Page 685 PIM Sparse If the interface is on the border of the PIM Sparse domain, you also must enter the following command. BigIron RX(config-if-e10000-2/2)# ip pim border Syntax: [no] ip pim border NOTE You cannot configure a Brocade routing interface as a PMBR interface for PIM Sparse in the current software release.
  • Page 686 PIM Sparse The ethernet <slot>/<portnum> | loopback <num> | ve <num> parameter specifies the interface. The BigIron RX will advertise the specified interface’s IP address as a candidate RP. • Enter ethernet <slot>/<portnum> for a physical interface (port). • Enter ve <num> for a virtual interface. •...
  • Page 687 PIM Sparse If you explicitly specify the RP, the BigIron RX uses the specified RP for all group-to-RP mappings and overrides the set of candidate RPs supplied by the BSR. NOTE Specify the same IP address as the RP on all PIM Sparse routers within the PIM Sparse domain. Make sure the router is on the backbone or is otherwise well connected to the rest of the network.
  • Page 688: Route Selection Precedence For Multicast

    Route selection precedence for multicast Displaying the static RP Use the show ip pim rp-set command to display static RP and the associated group ranges. BigIron RX(config)# show ip pim rp-set Static RP and associated group ranges ------------------------------------- Static RP count: 4 130.1.1.1 permit 238.1.1.0/24 permit 239.1.0.0/16...
  • Page 689: Displaying The Route Selection

    Route selection precedence for multicast To specify a non-default route from the mRTM, then a non-default route from the uRTM, then a default route from the mRTM, and then a default route from the uRTM, enter commands such as the following. BigIron RX(config)# router pim BigIron RX(config-pim-router)# route-precedence mc-non-default uc-non-default mc-default uc-default...
  • Page 690: Changing The Shortest Path Tree (Spt) Threshold

    Changing the Shortest Path Tree (SPT) threshold BigIron RX(config-pim-router)#show ip pim sparse Global PIM Sparse Mode Settings Hello interval : 30 Neighbor timeout : 105 Bootstrap Msg interval: 60 Candidate-RP Advertisement interval: 60 Join/Prune interval : 60 SPT Threshold : 1 Inactivity interval : 180 SSM Enabled : No Hardware Drop Enabled : Yes Route Selection : mc-non-default uc-non-default mc-default uc-default...
  • Page 691: Changing The Pim Join And Prune Message Interval

    Displaying PIM Sparse configuration information and statistics The infinity | <num> parameter specifies the number of packets. If you specify infinity, the BigIron RX sends packets using the RP indefinitely and does not switch over to the SPT. If you enter a specific number of packets, the BigIron RX does not switch over to using the SPT until it has sent the number of packets you specify using the RP.
  • Page 692: Displaying Basic Pim Sparse Configuration Information

    Displaying PIM Sparse configuration information and statistics • The PIM flow cache • The PIM multicast cache • PIM traffic statistics Displaying basic PIM Sparse configuration information To display PIM Sparse configuration information, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim sparse Global PIM Sparse Mode Settings Hello interval: 60, Neighbor timeout: 180...
  • Page 693: Displaying A List Of Multicast Groups

    Displaying PIM Sparse configuration information and statistics This field... Displays... Join/Prune interval How frequently the BigIron RX sends PIM Sparse Join/Prune messages for the multicast groups it is forwarding. This field shows the number of seconds between Join/Prune messages. The BigIron RX sends Join/Prune messages on behalf of multicast receivers who want to join or leave a PIM Sparse group.
  • Page 694: Displaying Bsr Information

    Displaying PIM Sparse configuration information and statistics This field... Displays... Group The multicast group address Ports The BigIron RX ports connected to the receivers of the groups. Displaying BSR information To display BSR information, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim bsr PIMv2 Bootstrap information This system is the elected Bootstrap Router (BSR)
  • Page 695: Displaying Candidate Rp Information

    Displaying PIM Sparse configuration information and statistics This field... Displays... Next bootstrap message in Indicates how many seconds will pass before the BSR sends its next Bootstrap message. NOTE: This field appears only if this BigIron RX is the BSR. Next Candidate-RP-advertisement message in Indicates how many seconds will pass before the BSR sends its next...
  • Page 696: Displaying Rp-To-Group Mappings

    Displaying PIM Sparse configuration information and statistics This field... Displays... group prefixes Indicates the multicast groups for which the RP listed by the previous field is a candidate RP. NOTE: This field appears only if this BigIron RX is a candidate RP. Candidate-RP-advertisement period Indicates how frequently the BSR sends candidate RP advertisement messages.
  • Page 697: Displaying The Rp Set List

    Displaying PIM Sparse configuration information and statistics This field... Displays... Indicates the IP address of the Rendezvous Point (RP) for the specified PIM Sparse group. Following the IP address is the port or virtual interface through which this BigIron RX learned the identity of the RP. Info source Indicates the IP address on which the RP information was received.
  • Page 698: Displaying Information About An Upstream Neighbor Device

    Displaying PIM Sparse configuration information and statistics BigIron RX(config-pim-router)# show ip pim nbr Port Neighbor Holdtime UpTime e3/8 207.95.8.10 Port Neighbor Holdtime UpTime 207.95.6.2 Syntax: show ip pim nbr This display shows the following information. This field... Displays... Port The interface through which the BigIron RX is connected to the neighbor. Neighbor The IP interface of the PIM neighbor interface.
  • Page 699: Displaying The Pim Multicast Cache

    Displaying PIM Sparse configuration information and statistics BigIron RX# show ip pim rpf 1.2.3.4 no route BigIron RX# show ip pim rpf 1.10.10.24 upstream neighbor=1.1.20.1 on v21 using ip route Syntax: show ip pim | dvmrp rpf <IP address> Where <IP address> is a valid source IP address Displaying the PIM multicast cache To display the PIM multicast cache, enter the following command at any CLI level.
  • Page 700 Displaying PIM Sparse configuration information and statistics This field... Displays... (<source>, <group>) The comma-separated values in parentheses is a source-group pair. The <source> is the PIM source for the multicast <group>. For example, the following entry means source 209.157.24.162 for group 239.255.162.1: (209.157.24.162,239.255.162.1) If the <source>...
  • Page 701: Displaying Pim Traffic Statistics

    PIM-SSMv4 Displaying PIM traffic statistics To display PIM traffic statistics, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim traffic Port Hello Register RegStop Assert e3/8 Total 37 IGMP Statistics: Total Recv/Xmit 85/110 Total Discard/chksum Syntax: show ip pim traffic NOTE If you have configured interfaces for standard PIM (dense mode) on the BigIron RX, statistics for these interfaces are listed first by the display.
  • Page 702: Enabling Ssm

    Configuring Multicast Source Discovery Protocol (MSDP) The amount of unwanted traffic in the network is reduced, but because each multicast group is associated with a particular host, different hosts can be assigned the same multicast address for different streams. This greatly increases the number of multicast groups that can be used in the network.
  • Page 703 Configuring Multicast Source Discovery Protocol (MSDP) FIGURE 93 PIM Sparse domains joined by MSDP routers (figure labels: PIM Sparse Domain 1, PIM Sparse Domain 2, Designated Router (DR), Rendezvous Point (RP); step 2: RP sends SA message through MSDP to its MSDP peers in other PIM Sparse domains).
  • Page 704: Peer Reverse Path Forwarding (Rpf) Flooding

    Configuring Multicast Source Discovery Protocol (MSDP) Peer Reverse Path Forwarding (RPF) flooding When the MSDP router (also the RP) in domain 2 receives the Source Active message from its peer in domain 1, the MSDP router in domain 2 forwards the message to all its other peers. The propagation process is sometimes called “peer Reverse Path Forwarding (RPF) flooding”.
  • Page 705: Enabling Msdp

    Configuring Multicast Source Discovery Protocol (MSDP) • Configure the MSDP peers NOTE The PIM Sparse Rendezvous Point (RP) is also an MSDP peer. Routers that run MSDP must also run BGP. Also, the source address used by the MSDP router must be the same source address used by BGP.
  • Page 706: Ip Address

    Configuring Multicast Source Discovery Protocol (MSDP) Designating an interface’s IP address as the RP’s IP address When an RP receives a Source Active message, it checks its PIM Sparse multicast group table for receivers for the group. If it finds a receiver, the RP sends a Join message for that receiver back to the RP that originated the Source Active message.
  • Page 707 Configuring Multicast Source Discovery Protocol (MSDP) The following commands configure an IP address on port 3/1. This is the port on which the MSDP neighbors will be configured. BigIron RX(config)# interface ethernet 3/1 BigIron RX(config-if-e1000-3/1)# ip address 2.2.2.98/24 BigIron RX(config-if-e1000-3/1)# exit The following commands configure a loopback interface.
  • Page 708: Filtering Advertised Source-Active Messages

    Configuring Multicast Source Discovery Protocol (MSDP) • sa-filter in 2.2.2.97 route-map msdp_map – This command ignores source-group pairs received from neighbor 2.2.2.97 if the pairs have source address 10.x.x.x and any group address. • sa-filter in 2.2.2.96 route-map msdp2_map rp-route-map msdp2_rp_map – This command accepts all source-group pairs except those associated with RP 2.2.42.3.
  • Page 709: Filters Are Applied

    Configuring Multicast Source Discovery Protocol (MSDP) The following commands enable MSDP and configure MSDP neighbors on port 3/1. BigIron RX(config)# router msdp BigIron RX(config-msdp-router)# msdp-peer 2.2.2.99 connect-source loopback 1 BigIron RX(config-msdp-router)# msdp-peer 2.2.2.97 connect-source loopback 1 BigIron RX(config-if-3/1)# exit The following commands configure the Source-Active filter. BigIron RX(config)# router msdp BigIron RX(config-msdp-router)# sa-filter originate route-map msdp_map This filter removes source-group pairs that match route map msdp_map from Source-Active...
  • Page 711: Configuring Msdp Mesh Groups

    Configuring MSDP mesh groups TABLE 104 MSDP source active cache (Continued) This field... Displays... SourceAddr The IP address of the multicast source. GroupAddr The IP multicast group to which the source is sending information. RP The RP through which receivers can access the group traffic from the source. Age The number of seconds the entry has been in the cache. Configuring MSDP mesh groups...
  • Page 712: Configuring Msdp Mesh Group

    Configuring MSDP mesh groups FIGURE 94 Example of MSDP mesh group (figure labels: PIM Sparse Domain 1, Mesh Group A, Designated Router (DR); step 2: RP sends an SA message to its peers within the domain; step 3: RPs within the domain receive the SA message and flood it to their peers in other PIM Sparse domains).
  • Page 713 Configuring MSDP mesh groups Syntax: [no] mesh-group <group-name> <peer-address> The sample configuration above reflects the configuration in Figure 94. On RP 206.251.21.31 you specify its peers within the same domain (206.251.21.31, 206.251.17.31, and 206.251.13.31). You first configure the MSDP peers using the msdp-peer command to assign their IP addresses and the loopback interfaces.
  • Page 714 Configuring MSDP mesh groups Configuration for Device A The following set of commands configure the MSDP peers of Device A (1.1.1.1) that are inside and outside MSDP mesh group 1234. Device A’s peers inside the mesh group 1234 are 1.1.2.1, 1.1.3.1, and 1.1.4.1.
  • Page 715 Configuring MSDP mesh groups The following set of commands configure the MSDP peers of Device B. All Device B’s peers (1.1.1.1, 1.1.3.1, and 1.1.4.1) are in the MSDP mesh group 1234. Multicast is enabled on Device B’s interfaces. PIM and BGP are also enabled. BigIron RX(config)# router pim BigIron RX(config)# router msdp BigIron RX(config-msdp-router)# msdp-peer 1.1.3.1 connect-source loopback 1...
  • Page 716 Configuring MSDP mesh groups BigIron RX(config)# router pim BigIron RX(config)# router msdp BigIron RX(config-msdp-router)# msdp-peer 35.35.35.5 BigIron RX(config-msdp-router)# msdp-peer 1.1.2.1 connect-source loopback 1 BigIron RX(config-msdp-router)# msdp-peer 1.1.4.1 connect-source loopback 1 BigIron RX(config-msdp-router)# msdp-peer 1.1.1.1 connect-source loopback 1 BigIron RX(config-msdp-router)# mesh-group 1234 1.1.2.1 BigIron RX(config-msdp-router)# mesh-group 1234 1.1.1.1 BigIron RX(config-msdp-router)# mesh-group 1234 1.1.4.1 BigIron RX(config-msdp-router)# exit...
  • Page 717 Configuring MSDP mesh groups BigIron RX(config)# router pim BigIron RX(config)# router msdp BigIron RX(config-msdp-router)# msdp-peer 1.1.3.1 connect-source loopback 1 BigIron RX(config-msdp-router)# msdp-peer 1.1.1.1 connect-source loopback 1 BigIron RX(config-msdp-router)# msdp-peer 1.1.2.1 connect-source loopback 1 BigIron RX(config-msdp-router)# msdp-peer 48.48.48.8 BigIron RX(config-msdp-router)# msdp-peer 134.134.134.13 BigIron RX(config-msdp-router)# mesh-group 1234 1.1.1.1 BigIron RX(config-msdp-router)# mesh-group 1234 1.1.3.1 BigIron RX(config-msdp-router)# mesh-group 1234 1.1.2.1...
  • Page 718: Displaying Summary Information

    Configuring MSDP mesh groups Displaying MSDP information You can display the following MSDP information: • Summary information – the IP addresses of the peers, the state of the BigIron RX’s MSDP session with each peer, and statistics for Keepalive, Source Active, and Notification messages sent to and received from each of the peers.
  • Page 719: Displaying Peer Information

    Configuring MSDP mesh groups Displaying peer information To display MSDP peer information, use the following CLI method. BigIron RX# show ip msdp peer Total number of MSDP Peers: 2 IP Address State 206.251.17.30 ESTABLISHED Keep Alive Time Hold Time Message Sent Message Received Keep Alive Notifications...
  • Page 720 Configuring MSDP mesh groups TABLE 106 MSDP peer information (Continued) This field... Displays... Keep Alive Message Received The number of Keep Alive messages the MSDP router has received from the peer. Notifications Sent The number of Notification messages the MSDP router has sent to the peer.
  • Page 721 Configuring MSDP mesh groups TABLE 106 MSDP peer information (Continued) This field... Displays... TCP connection state The state of the connection with the neighbor. The connection can have one of the following states: • LISTEN – Waiting for a connection request. •...
  • Page 722: Displaying Source Active Cache Information

    Clearing MSDP information Displaying source active cache information To display the Source Actives in the MSDP cache, use the following CLI method. BigIron RX# show ip msdp sa-cache Total Entry 4096, Used 1800 Free 2296 Index SourceAddr GroupAddr (100.100.1.254, 232.1.0.95), RP:206.251.17.41, Age:0 (100.100.1.254, 237.1.0.98), RP:206.251.17.41, Age:30 (100.100.1.254, 234.1.0.48), RP:206.251.17.41, Age:30 (100.100.1.254, 239.1.0.51), RP:206.251.17.41, Age:30...
  • Page 723: Clearing The Source Active Cache

    DVMRP overview BigIron RX# clear ip msdp peer 205.216.162.1 Remote connection closed Syntax: clear ip msdp peer <ip-addr> The command in this example clears the MSDP peer connection with MSDP router 205.216.162.1. The CLI displays a message to indicate when the connection has been successfully closed. Clearing the source active cache To clear the entries from the Source Active cache, enter the following command at the Privileged EXEC level of the CLI.
  • Page 724: Initiating Dvmrp Multicasts On A Network

    DVMRP overview Initiating DVMRP multicasts on a network Once DVMRP is enabled on each router, a network user can begin a video conference multicast from the server on R1. Multicast Delivery Trees are initially formed by source-originated multicast packets that are propagated to downstream interfaces as seen in Figure 96.
  • Page 725 DVMRP overview FIGURE 96 Downstream broadcast of IP multicast packets from source host Video Conferencing 229.225.0.1 Server Group Group (207.95.5.1, 229.225.0.1) Member Member (Source, Group) 229.225.0.1 Group Group Group Member Member Member Leaf Node Leaf Node Leaf Node (No Group Members) Group Group Group...
  • Page 726: Grafts To A Multicast Tree

    DVMRP overview FIGURE 97 Pruning leaf nodes from a multicast tree (figure labels: Video Conferencing Server, (Source, Group) = (207.95.5.1, 229.225.0.1), group 229.225.0.1, Group Members, Leaf Node with no group members, Prune Message sent to upstream router (R4)).
  • Page 727: Configuring Dvmrp

    Configuring DVMRP Configuring DVMRP Enabling DVMRP globally and on an interface Suppose you want to initiate the use of desktop video for fellow users on a sprawling campus network. All destination workstations have the appropriate hardware and software but the BigIron RXes that connect the various buildings need to be configured to support DVMRP multicasts from the designated video conference server as seen in Figure...
  • Page 728: Modifying Neighbor Timeout

    Configuring DVMRP • Route expire time • Route discard time • Prune age • Graft retransmit time • Probe interval • Report interval • Trigger interval • Default route Modifying neighbor timeout The neighbor timeout specifies the period of time that a router will wait before it defines an attached DVMRP neighbor router as down.
  • Page 729: Modifying Probe Interval

    Configuring DVMRP Modifying graft retransmit time The Graft Retransmit Time defines the initial period of time that a router sending a graft message will wait for a graft acknowledgement from an upstream router before re-transmitting that message. Subsequent retransmissions are sent at an interval twice that of the preceding interval. Possible values are from 5 –...
  • Page 730: Modifying Dvmrp Interface Parameters

    Configuring DVMRP BigIron RX(config-dvmrp-router)# default-gateway 192.35.4.1 Syntax: default-gateway <ip-addr> Modifying DVMRP interface parameters DVMRP global parameters come with preset values. The defaults work well in most networks, but you can modify the following interface parameters if you need to:...
  • Page 731: Device

    Configuring a static multicast route Displaying information about an upstream neighbor device You can view information about the upstream neighbor device for a given source IP address for IP PIM packets. The software uses the IP route table or multicast route table to lookup the upstream neighbor device.
  • Page 732: Configuring Ip Multicast Traffic Reduction

    Configuring IP multicast traffic reduction NOTE Regardless of the administrative distances, the BigIron RX Series router always prefers directly connected routes over other routes. FIGURE 98 Example multicast static routes (figure labels: PIM Router A, PIM Router D 9.9.9.101, ports e6/14, e4/11 207.95.6.1, e1/2, Client in multicast group 239.255.162.1)...
  • Page 733: Enabling Ip Multicast Traffic Reduction

    Configuring IP multicast traffic reduction When you enable IP Multicast Traffic Reduction, you also can configure the following features: • IGMP mode – When you enable IP Multicast Traffic Reduction, the device passively listens for IGMP Group Membership reports by default. If the multicast domain does not have a router to send IGMP queries to elicit these Group Membership reports, you can enable the device to actively send the IGMP queries.
  • Page 734 Configuring IP multicast traffic reduction NOTE When one or more BigIron RX devices are running Layer 2 IP Multicast Traffic Reduction, configure one of the devices for active IGMP and leave the other devices configured for passive IGMP. However, if the IP multicast domain contains a multicast-capable router, configure all the BigIron RX devices for passive IGMP and allow the router to actively send the IGMP queries.
  • Page 735 Configuring IP multicast traffic reduction Syntax: Passive – When passive IGMP mode is enabled, the switch listens for IGMP Group Membership reports on the VLAN instance specified but does not send IGMP queries. The passive mode is called “IGMP snooping”. Use this mode when another device in the VLAN instance is actively sending queries.
  • Page 736 Configuring IP multicast traffic reduction • Passive – When passive IGMP mode is enabled, the device listens for IGMP Group Membership reports but does not send IGMP queries. The passive mode is sometimes called “IGMP snooping”. Use this mode when another device in the network is actively sending queries.
  • Page 737: Layer 2 Multicast Filters

    Configuring IP multicast traffic reduction When the device starts up, it forwards all multicast groups even though multicast traffic filters are configured. This process continues until the device receives a group membership report. Once the group membership report is received, the device drops all multicast packets for groups other than the ones for which the device has received the group membership report.
  • Page 738: Pim Sm Traffic Snooping

    Configuring IP multicast traffic reduction Use the port-list parameter to define the member ports on which the ACL is applied. The ACL will be applied to the multicast traffic arriving in both directions. Use the no multicast boundary command to remove the boundary on an IGMP-enabled interface. NOTE The ACL MyBrocadeAccessList can be configured using standard ACL syntax, which can be found in the ACL section.
  • Page 739 Configuring IP multicast traffic reduction FIGURE 99 PIM SM traffic reduction in enterprise network (figure: the switch snoops for PIM SM join and prune messages; it detects a source for group 239.255.162.1 on port 1/1 and a receiver for that source's group on port 5/1, then forwards multicast data from the source on port 1/1)...
  • Page 740 Configuring IP multicast traffic reduction Notice that the ports connected to the source and the receivers are all in the same port-based VLAN on the device. This is required for the PIM SM snooping feature. The feature also requires the source and the downstream router to be on different IP subnets, as shown in Figure . Figure 100 shows another example application for PIM SM traffic snooping.
  • Page 741 Configuring IP multicast traffic reduction • The PIM SM snooping feature assumes that the group source and the device are in different subnets and communicate through a router. The source must be in a different IP subnet than the receivers. A PIM SM router sends PIM join and prune messages on behalf of a multicast group receiver only when the router and the source are in different subnets.
  • Page 742: Static Igmp Membership

    Configuring IP multicast traffic reduction Syntax: [no] multicast pimsm-snooping Configuring PIM proxy per VLAN instance Using the PIM proxy function, multicast traffic can be reduced by configuring a BigIron RX switch to issue PIM join and prune messages on behalf of hosts that the configured switch discovers through standard PIM interfaces.
  • Page 743 Configuring IP multicast traffic reduction BigIron RX(config)# vlan 100 BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 include 10.43.1.12 uplink To configure the snooping device to statically join all multicast streams on the uplink interface excluding the stream with source address 10.43.1.12, enter commands such as the following. BigIron RX(config)# vlan 100 BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 exclude 10.43.1.12 uplink...
  • Page 744 Configuring IP multicast traffic reduction The uplink parameter specifies the port as an uplink port that can receive multicast data for the configured multicast groups. Upstream traffic will be sent to the switch and will not use a port. The port-list parameter specifies the range of ports to include in the configuration. The no form of this command removes the static multicast definition.
  • Page 745: Overview Of Routing Information Protocol (Rip)

    Chapter Configuring RIP Overview of Routing Information Protocol (RIP) Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing distance) to measure the cost of a given route. The cost is a distance vector because the cost often is equivalent to the number of router hops between the device and the destination network.
  • Page 746: Configuring Metric Parameters

    Configuring RIP parameters BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# ip rip v1-only Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only Configuring metric parameters By default, a device port increases the cost of a RIP route that is learned or advertised on the port by one.
  • Page 747: Configuring Redistribution

    Configuring RIP parameters Configuring redistribution You can configure the device to redistribute routes learned through OSPF or BGP4, connected routes, or static routes into RIP. When you redistribute a route from one of these other protocols into RIP, the device can use RIP to advertise the route to its RIP neighbors. To configure redistribution, perform the following tasks: •...
  • Page 748: Configuring Route Learning And Advertising Parameters

    Configuring RIP parameters Syntax: redistribute connected | bgp | ospf | static [metric <value> | route-map <name>] The connected parameter applies redistribution to connected types. The bgp parameter applies redistribution to BGP4 routes. The ospf parameter applies redistribution to OSPF routes. The static parameter applies redistribution to IP static routes.
  • Page 749: Changing The Route Loop Prevention Method

    Configuring RIP parameters Syntax: [no] ip rip learn-default Configuring a RIP neighbor filter By default, a device learns RIP routes from all its RIP neighbors. Neighbor filters allow you to specify the neighbor routers from which the device can receive RIP routes. Neighbor filters apply globally to all ports.
  • Page 750: Backup Interface

    Configuring RIP parameters To disable split horizon and enable poison reverse on an interface, enter the command such as the following. BigIron RX(config-if-e10000-1/1)# ip rip poison-reverse You can configure the device to avoid routing loops by advertising local RIP routes with a cost of 16 (“infinite”...
  • Page 751: Setting Rip Timers

    Configuring RIP parameters BigIron RX(config)# ip prefix-list list1 permit 192.53.4.1 255.255.255.0 BigIron RX(config)# ip prefix-list list2 permit 192.53.5.1 255.255.255.0 BigIron RX(config)# ip prefix-list list3 permit 192.53.6.1 255.255.255.0 BigIron RX(config)# ip prefix-list list4 deny 192.53.7.1 255.255.255.0 The prefix lists permit routes to three networks, and deny the route to one network. Since the default action is permit, all other routes (routes not explicitly permitted or denied by the filters) can be learned or advertised.
  • Page 752: Displaying Rip Filters

    Displaying RIP filters Displaying RIP filters To display RIP filters, enter the following command at any CLI level. BigIron RX> show ip rip RIP Summary Default port 520 Administrative distance is 120 updates every 30 seconds, expire after 180 Holddown lasts 180 seconds, garbage collect after 120 Last broadcast 30, Next Update 29 Need trigger update 0, next trigger broadcast 1 Minimum update interval 25, Max update offset 5...
  • Page 753: Clearing The Rip Routes From The Routing Table

    Displaying RIP filters Clearing the RIP routes from the routing table Clearing all the routes from the routing table To clear RIP local routes, enter a command such as the following. BigIron RX(config)#clear ip rip local routes Syntax: clear ip rip local routes To clear the RIP routes from the RIP database, enter a command such as the following.
  • Page 755: Overview Of Ospf (Open Shortest Path First)

    Chapter Configuring OSPF Version 2 (IPv4) Overview of OSPF (Open Shortest Path First) OSPF is a link-state routing protocol. The protocol uses link-state advertisements (LSA) to update neighboring routers regarding its interfaces and information on those interfaces. The router floods these LSAs to all neighboring routers to update them regarding the interfaces.
  • Page 756: Designated Routers In Multi-Access Networks

    Overview of OSPF (Open Shortest Path First) FIGURE 101 OSPF operating in a network (figure labels: Area 0.0.0.0 Backbone, Area 200.5.0.0, Area 192.5.1.0, Virtual Link, Router A 206.5.1.1, Router D 208.5.1.1, Routers B, C, E and F, Area Border Router (ABR), Autonomous System)...
  • Page 757 Overview of OSPF (Open Shortest Path First) FIGURE 102 Designated and backup router election (figure labels: Router A, Router B, Router C with priorities 10, 5 and 20; Designated Router; Backup Designated Router) If the DR goes off-line, the BDR automatically becomes the DR. The router with the next highest priority becomes the new BDR.
  • Page 758: Ospf Rfc 1583 And 2328 Compliance

    Overview of OSPF (Open Shortest Path First) NOTE By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device.
  • Page 759 Overview of OSPF (Open Shortest Path First) FIGURE 104 AS external LSA reduction (figure labels: OSPF Autonomous System (AS) with Router A, Router B, Router D and Router F; Routers D, E, and F are OSPF ASBRs and EBGP routers; another routing domain (such as BGP4 or RIP); Router ID: 2.2.2.2)...
  • Page 760: Support For Ospf Rfc 2328 Appendix E

    Overview of OSPF (Open Shortest Path First) • A second ASBR comes on-line • A second ASBR that is already on-line begins advertising an equivalent route to the same destination. In either case above, the router with the higher router ID floods the AS External LSAs and the other router flushes its equivalent AS External LSAs.
  • Page 761: Dynamic Ospf Activation And Configuration

    Configuring OSPF 2. Compare the networks that have the same network address, to determine which network is more specific. The more specific network is the one that has more contiguous one bits in its network mask. For example, network 10.0.0.0 255.255.0.0 is more specific than network 10.0.0.0 255.0.0.0, because the first network has 16 one bits (255.255.0.0) whereas the second network has only 8 one bits (255.0.0.0).
  • Page 762: Ospf Parameters

    Configuring OSPF Configuration rules • If a router is to operate as an ASBR, you must enable the ASBR capability at the system level. • Redistribution must be enabled on routers configured to operate as ASBRs. • All router ports must be assigned to one of the defined areas on an OSPF router. When a port is assigned to an area, all corresponding subnets on that port are automatically included in the assignment.
  • Page 763: Enable Ospf On The Router

    Configuring OSPF NOTE You set global level parameters at the OSPF CONFIG Level of the CLI. To reach that level, enter router ospf… at the global CONFIG Level. Interface parameters for OSPF are set at the interface CONFIG Level using the CLI command, ip ospf… Enable OSPF on the router When you enable OSPF on the router, the protocol is automatically activated.
  • Page 764 Configuring OSPF • ASBRs redistribute (import) external routes into the NSSA as type 7 LSAs. Type-7 External LSAs are a special type of LSA generated only by ASBRs within an NSSA, and are flooded to all the routers within only that NSSA. •...
  • Page 765 Configuring OSPF The stub <cost> parameter specifies an additional cost for using a route to or from this area and can be from 1 – 16777215. There is no default. Normal areas do not use the cost parameter. The no-summary parameter applies only to stub areas and disables summary LSAs from being sent into the area.
  • Page 766 Configuring OSPF The ABR translates the Type-7 LSAs into Type-5 LSAs. If an area range is configured for the NSSA, the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type-5 LSAs into the backbone. Since the NSSA is partially “stubby” the ABR does not flood external LSAs from the backbone into the NSSA.
  • Page 767: Assigning An Area Range (Optional)

    Configuring OSPF The advertise | not-advertise parameter specifies whether you want the device to send type 3 LSAs for the specified range in this area. The default is advertise. Assigning an area range (optional) You can assign a range for an area, but it is not required. Ranges allow a specific IP address and mask to represent a range of IP addresses within an area, so that only that reference range address is advertised to the network, instead of all the addresses within that range.
  • Page 768: Ospf Interface Parameters

    Configuring OSPF • ip ospf hello-interval <value> • ip ospf md5-authentication key-activation-wait-time <num> | key-id <num> [0 | 1] key <string> • ip ospf passive • ip ospf priority <value> • ip ospf retransmit-interval <value> • ip ospf transmit-delay <value> For a complete description of these parameters, see the summary of OSPF port parameters in the next section.
  • Page 769 Configuring OSPF MD5-authentication activation wait time: The number of seconds the device waits until placing a new MD5 key into effect. The wait time provides a way to gracefully transition from one MD5 key to another without disturbing the network. The wait time can be from 0 –...
  • Page 770: Change The Timer For Ospf Authentication Changes

    Configuring OSPF NOTE If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior.
  • Page 771: Assign Virtual Links

    Configuring OSPF Block flooding of outbound LSAs on specific OSPF interfaces By default, the device floods all outbound LSAs on all the OSPF interfaces within an area. You can configure a filter to block outbound LSAs on an OSPF interface. This feature is particularly useful when you want to block LSAs from some, but not all, of the interfaces attached to the area.
  • Page 772 Configuring OSPF NOTE When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link). FIGURE 106 Defining OSPF virtual links within a network OSPF Area 0 BigIronC Router ID 209.157.22.1 OSPF Area 1 OSPF Area 2 “transit area”...
  • Page 773: Modify Virtual Link Parameters

    Configuring OSPF The area <ip-addr> | <num> parameter specifies the transit area. The <router-id> parameter specifies the router ID of the OSPF router at the remote end of the virtual link. To display the router ID on a device, enter the show ip command. Refer to “Modify virtual link parameters”...
  • Page 774: Configuring An Ospf Non-Broadcast Interface

    Configuring OSPF MD5 Authentication Wait Time This parameter determines when a newly configured MD5 authentication key is valid. This parameter provides a graceful transition from one MD5 key to another without disturbing the network. All new packets transmitted after the key activation wait time interval use the newly configured MD5 Key.
  • Page 775: Ospf Point-To-Point Links

    Configuring OSPF For example, to configure the feature in a network with three routers connected by a hub or switch, each router must have the linking interface configured as a non-broadcast interface, and both of the other routers must be specified as neighbors. The output of the show ip ospf interface command has been enhanced to display information about non-broadcast interfaces and neighbors that are configured in the same sub-net.
  • Page 776 Configuring OSPF BigIron RX(config)# interface eth 1/5 BigIron RX(config-if-1/5)# ip ospf network point-to-point This command configures an OSPF point-to-point link on Interface 5 in slot 1. Syntax: [no] ip ospf network point-to-point Viewing configured OSPF point-to-point links You can use the show ip ospf interface command to display OSPF point-to-point information. Enter the following command at any CLI level.
  • Page 777 Configuring OSPF TABLE 109 Output of the show ip ospf interface command This field Displays Type The area type, which can be one of the following: • Broadcast = 0x01 • NBMA = 0x02 • Point to Point = 0x03 •...
  • Page 778: Interfaces

    Configuring OSPF Changing the reference bandwidth for the cost on OSPF interfaces Each interface on which OSPF is enabled has a cost associated with it. The device advertises its interfaces and their costs to OSPF neighbors. For example, if an interface has an OSPF cost of ten, the device advertises the interface with a cost of ten to other OSPF routers.
  • Page 779: Define Redistribution Filters

    Configuring OSPF Changing the reference bandwidth To change the reference bandwidth, enter a command such as the following at the OSPF configuration level of the CLI: BigIron RX(config-ospf-router)# auto-cost reference-bandwidth 500 The reference bandwidth specified in this example results in the following costs: •...
  • Page 780: Modify Default Metric For Redistribution

    Configuring OSPF FIGURE 107 Redistributing OSPF and static routes to RIP routes RIP Domain ASBR (Autonomous System Border Router) OSPF Domain You also have the option of specifying import of just ISIS, RIP, OSPF, BGP4, or static routes, as well as specifying that only routes for a specific network or with a specific cost (metric) be imported, as shown in the command syntax below: Syntax: [no] redistribution bgp | connected | rip | static [route-map <map-name>]...
  • Page 781: Enable Route Redistribution

    Configuring OSPF NOTE You also can define the cost on individual interfaces. The interface cost overrides the default cost. To assign a default metric of 4 to all routes imported into OSPF, enter the following commands. BigIron RX(config)# router ospf BigIron RX(config-ospf-router)# default-metric 4 Syntax: default-metric <value>...
  • Page 782: Disable Or Re-Enable Load Sharing

    Configuring OSPF The redistribute static command enables redistribution of static IP routes into OSPF, and uses route map “abc“to control the routes that are redistributed. In this example, the route map allows a static IP route to be redistributed into OSPF only if the route has a metric of 5, and changes the metric to 8 before placing the route into the OSPF route table.
  • Page 783 Configuring OSPF The router software can use the route information it learns through OSPF to determine the paths and costs. Figure 108 shows an example of an OSPF network containing multiple paths to a destination (in this case, R1). FIGURE 108 Example OSPF network with four equal-cost paths OSPF Area 0 BigIron RX...
  • Page 784: Configure External Route Summarization

    Configuring OSPF Configure external route summarization When the BigIron RX is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to advertise one external route as an aggregate for all redistributed routes that are covered by a specified address range. When you configure an address range, the range takes effect immediately.
  • Page 785: Configure Default Route Origination

    Configuring OSPF Range-Address / Subnetmask: 1.0.0.0 / 255.0.0.0; 1.0.1.0 / 255.255.255.0; 1.0.2.0 / 255.255.255.0 Syntax: show ip ospf config Configure default route origination When the BigIron RX is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to automatically generate a default external route into an OSPF routing domain. This feature is called “default route origination”...
  • Page 786: Configuring A Default Network Route

    Configuring OSPF The metric-type <type> parameter specifies the external link type associated with the default route advertised into the OSPF routing domain. The <type> can be one of the following: • 1 – Type 1 external route • 2 – Type 2 external route If you do not use this option, the default redistribution metric type is used for the route type.
  • Page 787: Modify Spf Timers

    Configuring OSPF This example shows two routes. Both of the routes are directly attached, as indicated in the Type column. However, one of the routes is shown as type “*D”, with an asterisk (*). The asterisk indicates that this route is a candidate default network route. Modify SPF timers The BigIron RX uses the following timers when calculating the shortest path for OSPF routes: •...
  • Page 788: Modify Administrative Distance

    Configuring OSPF Modify administrative distance The BigIron RX can learn about networks from various protocols, including Border Gateway Protocol version 4 (BGP4), RIP, ISIS, and OSPF. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. The default administrative distance for OSPF routes is 110.
  • Page 789: Configure Ospf Group Link State Advertisement Pacing

    Configuring OSPF Configure OSPF group Link State Advertisement pacing The BigIron RX paces LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA’s refresh timer expires. The accumulated LSAs constitute a group, which the BigIron RX refreshes and sends out together in one or more packets.
  • Page 790 Configuring OSPF • With this feature enabled in the “out” direction, all type 3 LSAs advertised by the ABR, based on information from this area to all other areas, are filtered by the prefix list. If the area range command has been configured for this area, Type 3 LSAs that correspond to the area range command are treated like any other type 3 LSA.
  • Page 791 Configuring OSPF The in keyword specifies that the prefix list is applied to prefixes advertised to the specified area from other areas. The out keyword specifies that the prefix list is applied to prefixes advertised out of the specified area to other areas. Defining and applying IP prefix lists An IP prefix list specifies a list of networks.
  • Page 792: Displaying The Configured Ospf Area Prefix List

    Configuring OSPF Displaying the configured OSPF area prefix list To display the prefix-lists attached to the areas, enter the following command. BigIron RX(config)#show ip ospf config Router OSPF: Enabled Graceful Restart: Disabled, timer 120 Graceful Restart Helper: Enabled Redistribution: Disabled Default OSPF Metric: 10 OSPF Auto-cost Reference Bandwidth: Disabled OSPF Redistribution Metric: Type2...
  • Page 793 Configuring OSPF 1. Enable SNMP traps for OSPF. (Refer to “Disabling and enabling SNMP traps for OSPF” on page 717.) 2. Enable OSPF logging. (Refer to “Enabling OSPF logging” on page 718.) Refer to Table 111 on page 717 for the list of the default settings for OSPF traps. TABLE 111 Default settings for OSPF traps Trap name...
  • Page 794: Modify Ospf Standard Compliance Setting

    Configuring OSPF • virtual-interface-config-error-trap – [MIB object: ospfVirtIfConfigError] • interface-authentication-failure-trap – [MIB object: ospfIfAuthFailure] • virtual-interface-authentication-failure-trap – [MIB object: ospfVirtIfAuthFailure] • interface-receive-bad-packet-trap – [MIB object: ospfIfrxBadPacket] • virtual-interface-receive-bad-packet-trap – [MIB object: ospfVirtIfRxBadPacket] The following traps are disabled by default: • interface-retransmit-packet-trap –...
  • Page 795: Modify Exit Overflow Interval

    Configuring OSPF To configure a router to operate with the latest OSPF standard, RFC 2328, enter the following commands. BigIron RX(config)# router ospf BigIron RX(config-ospf-router)# no rfc1583-compatibility Syntax: [no] rfc1583-compatibility Modify exit overflow interval If a database overflow condition occurs on a router, the router eliminates the condition by removing entries that originated on the router.
  • Page 796: Displaying Ospf Information

    Displaying OSPF information Displaying OSPF information You can display the following OSPF information: • Trap, area, and interface information – refer to “Displaying general OSPF configuration information” on page 720. • CPU utilization statistics – refer to “Displaying CPU utilization and other OSPF tasks” on page 721.
  • Page 797: Displaying Cpu Utilization And Other Ospf Tasks

    Displaying OSPF information BigIron RX> show ip ospf config Router OSPF: Enabled Redistribution: Disabled Default OSPF Metric: 10 OSPF Redistribution Metric: Type2 OSPF External LSA Limit: 1447047 OSPF Database Overflow Interval: 0 RFC 1583 Compatibility: Enabled Router id: 207.95.11.128 Interface State Change Trap: Enabled Virtual Interface State Change Trap: Enabled...
  • Page 798 Displaying OSPF information BigIron RX#show tasks Task Name State Stack Size CPU Usage(%) task id task vid ---------- ----- --------- -------- ----- --------- ------ ------- idle 0 ready 00001904 04058fa0 4096 monitor 20 wait 0000d89c 0404bd80 8192 int 16 wait 0000d89c 04053f90 16384...
  • Page 799: Displaying Ospf Area Information

    Displaying OSPF information TABLE 112 CLI display of show tasks (Continued) This field... Displays... current instruction for the task Stack Stack location for the task Size Stack size of the task CPU Usage(%) Percentage of the CPU being used by the task task id Task’s ID number assigned by the operating system.
  • Page 800: Displaying Ospf Neighbor Information

    Displaying OSPF information Displaying OSPF neighbor information To display OSPF neighbor information, enter the following command at any CLI level. BigIron RX# show ip ospf neighbor Port Address State Neigh Address Neigh ID Ev Op Cnt 10.1.10.1 FULL/DR 10.1.10.2 10.65.12.1 10.1.11.1 FULL/DR 10.1.11.2...
  • Page 801: Displaying Ospf Interface Information

    Displaying OSPF information TABLE 114 CLI display of OSPF neighbor information (Continued) Field Description State The state of the conversation between the device and the neighbor. This field can have one of the following values: • Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor.
  • Page 802 Displaying OSPF information BigIron RX# show ip ospf interface 192.168.1.1 Ethernet 2/1,OSPF enabled IP Address 192.168.1.1, Area 0 OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1 Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40 Router ID 0.0.0.0 Interface Address 0.0.0.0 BDR: Router ID 0.0.0.0...
  • Page 803: Displaying Ospf Route Information

    Displaying OSPF information TABLE 115 Output of the show ip ospf interface command (Continued) This field Displays Adjacent Neighbor Count The number of adjacent neighbor routers. Neighbor The neighbor router’s ID. Displaying OSPF route information To display OSPF route information, enter the following command at any CLI level. BigIron RX>#show ip ospf route OSPF Area 0x00000000 ASBR Routes 1: Destination...
  • Page 804 Displaying OSPF information Syntax: show ip ospf routes [<ip-addr>] The <ip-addr> parameter specifies a destination IP address. If you use this parameter, only the route entries for that destination are shown. This display shows the following information. TABLE 116 CLI display of OSPF route information This field...
  • Page 805: Displaying Ospf External Link State Information

    Displaying OSPF information BigIron RX# show ip ospf redistribute route 4.3.0.0 255.255.0.0 static 3.1.0.0 255.255.0.0 static 10.11.61.0 255.255.255.0 connected 4.1.0.0 255.255.0.0 static In this example, four routes have been redistributed. Three of the routes were redistributed from static IP routes and one route was redistributed from a directly connected IP route. Syntax: show ip ospf redistribute route [<ip-addr>...
  • Page 806: Displaying Ospf Database Link State Information

    Displaying OSPF information TABLE 117 CLI display of OSPF external link state information This field... Displays... Index ID of the entry Aging The age of the LSA, in seconds. LS ID The ID of the link-state advertisement from which the device learned this route.
  • Page 807: Displaying Ospf Abr And Asbr Information

    Displaying OSPF information NOTE You cannot use the extensive option in combination with other display options. The entire database is displayed. The link-state-id <ip-addr> parameter displays the External LSAs for the LSA source specified by <IP-addr>. The network option shows network information. The nssa option shows network information.
  • Page 808: Displaying Ospf Trap Status

    Displaying OSPF information TABLE 119 CLI display of OSPF border routers This field... Displays... (Index) Displayed index number of the border router. Router ID ID of the OSPF router Router type Type of OSPF router: ABR or ASBR Next hop router ID of the next hop router Outgoing interface ID of the interface on the router for the outgoing route.
  • Page 809 Displaying OSPF information vlan 1 name DEFAULT-VLAN clock summer-time clock timezone us Pacific hostname R11-RX8 router ospf area 2 area 1 area 1 virtual-link 131.1.1.10 FIGURE 109 OSPF virtual neighbor and virtual link example Area 0 131.1.1.10/16 DeviceA R10-MG8 192.168.148.10 135.14.1.10/16 Area 1 Area 2...
  • Page 810: Ospf Graceful Restart

    Displaying OSPF information Displaying OSPF virtual link information Use the show ip ospf virtual link command to display OSPF virtual link information. The output below represents the virtual links configured in Figure 109. BigIron RX#show ip ospf virtual link Indx Transit Area Router ID Transit(sec) Retrans(sec) Hello(sec) 131.1.1.10...
  • Page 811: Displaying Ospf Graceful Restart Information

    Displaying OSPF information Configuring OSPF graceful restart timer The OSPF graceful restart timer specifies the maximum amount of time an OSPF restarting router will take to re-establish OSPF adjacencies and relearn OSPF routes. This value will be sent to the neighboring routers in the grace LSA packets.
  • Page 812 Displaying OSPF information BigIron RX#sh ip ospf neigh Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 30.1.0.5 FULL/OTHER 30.1.0.13 30.0.0.13 3/27 25.27.0.8 FULL/DR 25.27.0.14 12.1.0.14 20 2 < in graceful restart state, helping 1, timer 104 sec > 21.23.0.5 FULL/DR 21.23.0.14...
  • Page 813 Displaying OSPF information BigIron RX 1# show ip ospf neigh Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 40.0.1.1 EXST/DR 40.0.1.3 9.0.1.24 24 2 < in graceful restart state, helping 1, timer 112 sec > BigIron RX 3# show ip ospf neighbor Port Address Pri State...
  • Page 815: Overview Of Bgp4

    Chapter Configuring BGP4 (IPv4 and IPv6) Overview of BGP4 BGP4 is the standard Exterior Gateway Protocol (EGP) used on the Internet to route traffic between Autonomous Systems (AS) and to maintain loop-free routing. An autonomous system is a collection of networks that share the same routing and administration characteristics. For example, a corporate Intranet consisting of several networks under common administrative control might be considered an AS.
  • Page 816: Table

    Overview of BGP4 Relationship between the BGP4 route table and the IP route table The device’s BGP4 route table can have multiple routes or paths to the same destination, which are learned from different BGP4 neighbors. A BGP4 neighbor is another router that also is running BGP4.
  • Page 817 Overview of BGP4 1. Is the next hop accessible through an Interior Gateway Protocol (IGP) route? If not, ignore the path. NOTE By default, the device does not use the default route to resolve BGP4 next hop. Also refer to “Enabling next-hop recursion”...
  • Page 818: Bgp4 Message Types

    Overview of BGP4 9. If all the comparisons above are equal, prefer the route with the lowest IGP metric to the BGP4 next hop. This is the closest internal path inside the AS to reach the destination. 10. If the internal paths also are the same and BGP4 load sharing is enabled, load share among the paths; otherwise, go to Step 11.
  • Page 819 Overview of BGP4 neighbors to always be up. For directly-attached neighbors, you can configure the BigIron RX to immediately close the TCP connection to the neighbor and clear entries learned from an EBGP neighbor if the interface to that neighbor goes down. This capability is provided by the fast external fallover feature, which is disabled by default.
  • Page 820: Brocade Implementation Of Bgp4

    Brocade implementation of BGP4 BGP4 Router A sends a Hold Time of 5 seconds and BGP4 Router B sends a Hold Time of 4 seconds, both routers use 4 seconds as the Hold Time for their BGP4 session. The default Hold Time is 180 seconds.
  • Page 821: Configuring Bgp4

    Configuring BGP4 As a guideline, BigIron RX switches with a 2 GB Management 4 module can accommodate 150 – 200 neighbors, with the assumption that the BigIron RX receives about one million routes total from all neighbors and sends about eight million routes total to neighbors. For each additional one million incoming routes, the capacity for outgoing routes decreases by around two million.
  • Page 822 Configuring BGP4 TABLE 120 IPv4 BGP commands at different configuration levels (Continued). Columns: Command; Global (IPv4 and IPv6); IPv4 address family unicast; IPv4 address family multicast. as-path-ignore – “Disabling or re-enabling comparison of the AS-path length” on page 760; bgp-redistribute-internal – “Redistributing IBGP routes” on page 760; client-to-client-reflection – “Disabling or re-enabling client-to-client route...
  • Page 823 Configuring BGP4 TABLE 120 IPv4 BGP commands at different configuration levels (Continued). Columns: Command; Global (IPv4 and IPv6); IPv4 address family unicast; IPv4 address family multicast. redistribute – “Modifying redistribution parameters” on page 786; show – “Displaying BGP4 information” on page 824; table-map – “Using a table map to set the tag value” on page 789; timers – “Changing the keep alive time and hold time”...
  • Page 824 Configuring BGP4 TABLE 121 IPv4 and IPv6 BGP Commands at Different Configuration Levels (Continued). Columns: Command; Global (IPv4 and IPv6); IPv4 Address Family Unicast; IPv4 Address Family Multicast; IPv6 Address Family Unicast. default-information-originate – “Originating the default route” on page 765; default-local-preference – “Changing the default local preference”...
  • Page 825: When Parameter Changes Take Effect

    Configuring BGP4 When parameter changes take effect Some parameter changes take effect immediately while others do not take full effect until the router’s sessions with its neighbors are reset. Immediately The following parameter changes take effect immediately: • Enable or disable BGP. •...
  • Page 826: Activating And Disabling Bgp4

    Activating and disabling BGP4 After disabling and re-enabling redistribution The following parameter change takes effect only after you disable and then re-enable redistribution: • Change the default MED (metric). Activating and disabling BGP4 BGP4 is disabled by default. To enable BGP4 and place your BigIron RX into service as a BGP4 router, you must perform the following required steps.
  • Page 827: Entering And Exiting The Address Family Configuration Level

    Entering and exiting the address family configuration level The CLI displays a warning message such as the following. BigIron RX(config)# no router bgp router bgp mode now disabled. All bgp config data will be lost when writing to flash! The Web management interface does not display a warning message. If you are testing a BGP4 configuration and are likely to disable and re-enable the protocol, you might want to make a backup copy of the startup configuration file containing the protocol’s configuration information.
  • Page 828 Filtering specific IP addresses NOTE Once you define a filter, the default action for addresses that do not match a filter is “deny”. To change the default action to “permit”, configure the last filter as “permit any any”. Address filters can be referred to by a BGP neighbor's distribute list number as well as by match statements in a route map.
  • Page 829: Defining An As-Path Filter

    Defining an AS-path filter If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the filter regardless of whether the software is configured to display the masks in CIDR format.
  • Page 830: Configuring A Switch To Allow Routes With Its Own As Number

    Configuring a switch to allow routes with its own AS number NOTE If the filter is referred to by a route map’s match statement, the filter is applied in the order in which the filter is listed in the match statement. The permit | deny parameter indicates the action the router takes if the filter match is true.
  • Page 831: Bgp Null0 Routing

    BGP Null0 routing BGP Null0 routing BGP can use the null0 route to resolve its next hop. Thus, a null0 route in the routing table (for example, a static route) is considered a valid route by BGP. If the next hop for BGP resolves into a null0 route, the BGP route is also installed as a null0 route in the routing table.
  • Page 832 BGP Null0 routing 5. On Router 6, redistribute the static routes into BGP, using route-map <route-map-name> (redistribute static route-map block user). 6. On Router 1, the router facing the internet, configure a null0 route matching the next-hop address in the route-map (ip route 199.199.1.1/32 null0). Repeat step 3 for all routers interfacing with the internet (edge corporate routers).
  • Page 833 BGP Null0 routing Router 2 The following configuration defines a null0 route to the specific next hop address. The next hop address 199.199.1.1 points to 128.178.1.101, which gets blocked. BigIron RX(config)#ip route 199.199.1.1/32 null0 BigIron RX(config)#router bgp BigIron RX(config-bgp-router)#local-as 100 BigIron RX(config-bgp-router)#neighbor <router1_int_ip address>...
  • Page 834 BGP Null0 routing Router-6# show ip bgp route Total number of BGP Routes: 126 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE Prefix Next Hop Metric LocPrf Weight Status 30.0.1.0/24 40.0.1.3 AS_PATH: 110.0.0.16/30 90.0.1.3 AS_PATH: 85 110.0.0.40/29 192.168.0.1 1000000 32768...
  • Page 835: Aggregating Routes Advertised To Bgp4 Neighbors

    Aggregating routes advertised to BGP4 neighbors Aggregating routes advertised to BGP4 neighbors By default, the BigIron RX advertises individual routes for all the networks. The aggregation feature allows you to configure the device to aggregate routes in a range of networks into a single network prefix.
  • Page 836: Disabling Or Re-Enabling Comparison Of The As-Path Length

    Redistributing IBGP routes You can enable the device to always compare the MEDs, regardless of the AS information in the paths. For example, if the router receives UPDATES for the same route from neighbors in three ASs, the router would compare the MEDs of all the paths together, rather than comparing the MEDs for the paths in each AS individually.
  • Page 837: Disabling Or Re-Enabling Client-To-Client Route Reflection

    Disabling or re-enabling client-to-client route reflection BigIron RX(config-bgp)# bgp-redistribute-internal Syntax: [no] bgp-redistribute-internal To disable redistribution of IBGP routes into RIP, ISIS, and OSPF, enter the following command. BigIron RX(config-bgp)# no bgp-redistribute-internal Disabling or re-enabling client-to-client route reflection By default, the clients of a route reflector are not required to be fully meshed; the routes from a client are reflected to other clients.
  • Page 838: Configuring Confederations

    Configuring confederations • If BGP4 load sharing is disabled (maximum-paths 1), the device selects the path that came from the neighbor with the lower router ID. • If BGP4 load sharing is enabled, the device load shares among the remaining paths. In this case, the router ID is not used to select a path.
  • Page 839: Configuring A Bgp Confederation

    Configuring confederations FIGURE 114 Example BGP4 confederation AS 20 Confederation 10 Sub-AS 64512 IBGP Router B Router A EBGP EBGP Sub-AS 64513 This BGP4 router sees all traffic from Confederation 10 as traffic from AS 10. IBGP Routers outside the confederation do not know or care that the routers Router C are subdivided into sub-ASs within a...
  • Page 840 Configuring confederations The procedures show how to implement the example confederation shown in Figure 26.3. To configure four devices to be a member of confederation 10, consisting of two sub-ASs (64512 and 64513), enter commands such as the following. Commands for Router A BigIron RXA(config)# router bgp BigIron RXA(config-bgp)# local-as 64512 BigIron RXA(config-bgp)# confederation identifier 10...
  • Page 841: Configuring Route Flap Dampening

    Configuring route flap dampening Configuring route flap dampening Route Flap Dampening reduces the amount of change propagated by BGP due to routing state changes caused by unstable routes. Reducing change propagation helps reduce processing requirements. To enable route flap dampening using the default values, enter the following command. BigIron RX(config-bgp)# dampening Syntax: dampening [<half-life>...
  • Page 842: Changing The Default Local Preference

    Changing the default local preference BigIron RX(config-bgp)# default-information-originate Syntax: [no] default-information-originate Changing the default local preference When the router uses the BGP4 algorithm to select a route to send to the IP route table, one of the parameters the algorithm uses is the local preference. Local preference is an attribute that indicates a degree of preference for a route relative to other routes.
  • Page 843: Changing Administrative Distances

    Changing administrative distances Changing administrative distances The BigIron RX can learn about networks from various protocols, including the EBGP portion of BGP4 and IGPs such as OSPF, ISIS, and RIP. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. To select one route over another based on the source of the route information, the device can use the administrative distances assigned to the sources.
  • Page 844: Requiring The First As To Be The Neighbor's As

    Requiring the first AS to be the neighbor’s AS The <external-distance> sets the EBGP distance and can be a value from 1 – 255. The <internal-distance> sets the IBGP distance and can be a value from 1 – 255. The <local-distance> sets the Local BGP distance and can be a value from 1 – 255. Requiring the first AS to be the neighbor’s AS By default, the BigIron RX does not require the first AS listed in the AS_SEQUENCE field of an AS path Update from an EBGP neighbor to be the AS that the neighbor who sent the Update is in.
  • Page 845: Setting The Local As Number

    Setting the local AS number The router waits for the Hold Time to expire before ending the connection to a directly-attached BGP4 neighbor that dies. For directly attached neighbors, the router immediately senses loss of a connection to the neighbor from a change of state of the port or interface that connects the router to its neighbor.
  • Page 846: Treating Missing Meds As The Worst Meds

    Treating missing MEDs as the worst MEDs Syntax: [no] maximum-paths <number> The <number> parameter specifies the maximum number of paths across which the BigIron RX can balance traffic to a given BGP4 destination. You can change the maximum number of paths to a value from 2 –...
  • Page 847: Configuring Bgp4 Neighbors

    Configuring BGP4 neighbors By default, load sharing applies to EBGP and IBGP paths, and does not apply to paths from different neighboring ASs. Configuring BGP4 neighbors The BGP4 protocol does not contain a peer discovery process. Therefore, for each of the router’s BGP4 neighbors (peers), you must indicate the neighbor’s IP address and the AS each neighbor is in.
  • Page 848 Configuring BGP4 neighbors [remove-private-as] [route-map in | out <map-name>] [route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive <num> hold-time <num>] [unsuppress-map <map-name>] [update-source <ip-addr> | ethernet <slot>/<portnum> | loopback <num> | ve <num>] [weight <num>] The <ip-addr> | <peer-group-name> parameter indicates whether you are configuring an individual neighbor or a peer group.
  • Page 849 Configuring BGP4 neighbors NOTE The address filter must already be configured. Refer to “Filtering specific IP addresses” on page 751. ebgp-multihop [<num>] specifies that the neighbor is more than one hop away and that the session type with the neighbor is thus EBGP-multihop. This option is disabled by default. The <num>...
  • Page 850 Configuring BGP4 neighbors • 0 – Disables encryption for the authentication string you specify with the command. The password or string is shown as clear text in the output of commands that display neighbor or peer group configuration information. • 1 –...
  • Page 851: Neighbor Routes

    Configuring BGP4 neighbors timers keep-alive <num> hold-time <num> overrides the global settings for the Keep Alive Time and Hold Time. For the Keep Alive Time, you can specify from 0 – 65535 seconds. For the Hold Time, you can specify 0 or 3 –...
  • Page 852: Encryption Of Bgp4 Md5 Authentication Keys

    Configuring BGP4 neighbors If you want to override the summary-only parameter and allow a specific route to be advertised to a neighbor, enter commands such as the following. BigIron RX(config)# ip prefix-list Unsuppress1 permit 209.1.44.0/24 BigIron RX(config)# route-map RouteMap1 permit 1 BigIron RX(config-routemap RouteMap1)# match prefix-list Unsuppress1 BigIron RX(config-routemap RouteMap1)# exit BigIron RX(config)# router bgp...
  • Page 853 Configuring BGP4 neighbors Encryption example The following commands configure a BGP4 neighbor and a peer group, and specify MD5 authentication strings (passwords) for authenticating packets exchanged with the neighbor or peer group. BigIron RX(config-bgp)# local-as 2 BigIron RX(config-bgp)# neighbor xyz peer-group BigIron RX(config-bgp)# neighbor xyz password abc BigIron RX(config-bgp)# neighbor 10.10.200.102 peer-group xyz BigIron RX(config-bgp)# neighbor 10.10.200.102 password test...
  • Page 854: Configuring A Bgp4 Peer Group

    Configuring a BGP4 peer group of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication. If you accidentally enter option 1 followed by the clear-text version of the password or string, authentication will fail because the value used by the software will not match the value you intended to use.
  • Page 855 Configuring a BGP4 peer group • You must configure a peer group before you can add neighbors to the peer group. • If you remove a parameter from a peer group, the value for that parameter is reset to the default for all the neighbors within the peer group, unless you have explicitly set that parameter on individual neighbors.
  • Page 856 Configuring a BGP4 peer group The <peer-group-name> parameter specifies the name of the group and can be up to 80 characters long. The name can contain special characters and internal blanks. If you use internal blanks, you must use quotation marks around the name. For example, the command neighbor “My Three Peers”...
  • Page 857: Specifying A List Of Networks To Advertise

    Specifying a list of networks to advertise The <ip-addr> parameter specifies the IP address of the neighbor. The <peer-group-name> parameter specifies the peer group name. NOTE You must add the peer group before you can add neighbors to it. Administratively shutting down a session with a BGP4 neighbor You can prevent the device from starting a BGP4 session with a neighbor by administratively shutting down the neighbor.
  • Page 858: Using The Ip Default Route As A Valid Next Hop For A Bgp4 Route

    Using the IP default route as a valid next hop for a BGP4 route The <ip-addr> is the network number and the <ip-mask> specifies the network mask. The route-map <map-name> parameter specifies the name of the route map you want to use to set or change BGP4 attributes for the network you are advertising.
  • Page 859: Enabling Next-Hop Recursion

    Enabling next-hop recursion BigIron RX(config-bgp)# next-hop-enable-default Syntax: [no] next-hop-enable-default Enabling next-hop recursion For each BGP4 route a BigIron RX learns, the device performs a route lookup to obtain the IP address of the route’s next hop. A BGP4 route becomes eligible for installation into the IP route table only if the following conditions are true: •...
  • Page 860 Enabling next-hop recursion BigIron RX# show ip bgp route Total number of BGP Routes: 5 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED Prefix Next Hop Metric LocPrf Weight Status 0.0.0.0/0 10.1.0.2 AS_PATH: 65001 4355 701 80 102.0.0.0/24 10.0.0.1 AS_PATH: 65001 4355 1...
  • Page 861 Enabling next-hop recursion BigIron RX# show ip bgp route Total number of BGP Routes: 5 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED Prefix Next Hop Metric LocPrf Weight Status 0.0.0.0/0 10.1.0.2 AS_PATH: 65001 4355 701 80 102.0.0.0/24 10.0.0.1 AS_PATH: 65001 4355 1...
  • Page 862: Modifying Redistribution Parameters

    Modifying redistribution parameters BigIron RX# show ip route 240.0.0.0/24 Total number of IP routes: 38 Network Address Gateway Port Cost Type 240.0.0.0 10.0.0.1 AS_PATH: 65001 4355 1 This BigIron RX can use this route because the device has an IP route to the next-hop gateway. Without recursive next-hop lookups, this route would not be in the IP route table.
  • Page 863: Redistributing Connected Routes

    Modifying redistribution parameters The static parameter indicates that you are redistributing static routes into BGP. Redistributing connected routes To configure BGP4 to redistribute directly connected routes, enter the following command. BigIron RX(config-bgp)# redistribute connected Syntax: redistribute connected [metric <num>] [route-map <map-name>] The connected parameter indicates that you are redistributing routes to directly attached devices into BGP4.
  • Page 864: Redistributing Static Routes

    Modifying redistribution parameters The match internal | external1 | external2 parameter applies only to OSPF. This parameter specifies the types of OSPF routes to be redistributed into BGP4. The default is internal. NOTE If you do not enter a value for the match parameter, (for example, you enter redistribute ospf only) then only internal OSPF routes will be redistributed.
  • Page 865: Using A Table Map To Set The Tag Value

    Using a table map to set the tag value The metric <num> parameter changes the metric. You can specify a value from 0 – 4294967295. The default is 0. The route-map <map-name> parameter specifies a route map to be consulted before adding the static route to the BGP4 route table.
  • Page 866: Changing The Bgp4 Next-Hop Update Timer

    Changing the BGP4 next-hop update timer NOTE Generally, you should set the Hold Time to three times the value of the Keep Alive Time. NOTE You can override the global Keep Alive Time and Hold Time on individual neighbors. Refer to “Configuring BGP4 neighbors”...
  • Page 867: Adding A Loopback Interface

    Adding a loopback interface NOTE A BigIron RX uses the same router ID for both OSPF and BGP4. If the router is already configured for OSPF, you may want to use the router ID that is already in use on the router rather than set a new one.
  • Page 868: Configuring Route Reflection Parameters

    Configuring route reflection parameters • Set the maximum number of paths. The default maximum number of BGP4 load sharing paths is 1, which means no BGP4 load sharing takes place by default. Refer to “Changing the maximum number of shared BGP4 paths” on page 769.
  • Page 869 Configuring route reflection parameters • A route reflector client is an IGP router identified as a member of a cluster. You identify a router as a route reflector client on the router that is the route reflector, not on the client. The client itself requires no additional configuration.
  • Page 870: Filtering

    Filtering • If a device receives a route whose ORIGINATOR_ID attribute has the value of the device’s own router ID, the device discards the route and does not advertise it. By discarding the route, the device prevents a routing loop. •...
  • Page 871: Filtering As-Paths

    Filtering • “Using a table map to set the tag value” on page 789 • “Configuring cooperative BGP4 route filtering” on page 809 Filtering AS-paths You can filter updates received from BGP4 neighbors based on the contents of the AS-path list accompanying the updates.
  • Page 872: Special Characters

    Filtering The neighbor command uses the filter-list parameter to apply the AS-path ACL to the neighbor. Refer to “Configuring BGP4 neighbors” on page 771 and “Configuring a BGP4 peer group” on page 778. Using regular expressions You use a regular expression for the <as-path> parameter to specify a single character or multiple characters as a filter pattern.
  • Page 873 Filtering TABLE 122 BGP4 special characters for regular expressions (Continued) Character Operation An underscore matches on one or more of the following: • , (comma) • { (left curly brace) • } (right curly brace) • ( (left parenthesis) • ) (right parenthesis) •...
  • Page 874: Filtering Communities

    Filtering Filtering communities You can filter routes received from BGP4 neighbors based on community names. A community is an optional attribute that identifies the route as a member of a user-defined class of routes. Community names are arbitrary values made of two five-digit integers joined by a colon. You determine what the name means when you create the community name as one of a route’s attributes.
  • Page 875: Defining And Applying Ip Prefix Lists

    Filtering The seq <seq-value> parameter is optional and specifies the community list’s sequence number. You can configure up to 199 entries in a community list. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with number 5. The software interprets the entries in a community list in numerical order, beginning with the lowest sequence number.
  • Page 876: Defining Neighbor Distribute Lists

    Filtering The seq <seq-value> parameter is optional and specifies the IP prefix list’s sequence number. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with prefix list entry 5. The software interprets the prefix list entries in numerical order, beginning with the lowest sequence number.
  • Page 877: Defining Route Maps

    Filtering Defining route maps A route map is a named set of match conditions and parameter settings that the router can use to modify route attributes and to control redistribution of the routes into other protocols. A route map consists of a sequence of instances. If you think of a route map as a table, an instance is a row in that table.
  • Page 878 Filtering • Set the MED (metric). • Set the IP address of the next hop router. • Set the origin to IGP or INCOMPLETE. • Set the weight. For example, when you configure parameters for redistributing routes into BGP, one of the optional parameters is a route map.
  • Page 879 Filtering Specifying the match conditions Use the following command to define the match conditions for instance 1 of the route map GET_ONE. This instance compares the route updates against BGP4 address filter 11. BigIron RX(config-routemap GET_ONE)# match address-filters 11 Syntax: match [as-path <name>] | [address-filters | as-path-filters | community-filters <num,num,...>] | [community <acl>...
  • Page 880 Filtering The next-hop <address-filter-list> parameter compares the IP address of the route’s next hop to the specified IP address filters. The filters must already be configured. The route-type internal | external-type1 | external-type2 parameter applies only to OSPF routes. This parameter compares the route’s type to the specified value. The level-1 parameter compares ISIS routes only with routes within the same area.
  • Page 881 Filtering Matching based on next-hop router You can use the results of an IP ACL or an IP prefix list as the match condition. To construct a route map that matches based on the next-hop router, enter commands such as the following.
  • Page 882 Filtering The <acl> parameter specifies the name of a community list ACL. You can specify up to five ACLs. Separate the ACL names or IDs with spaces. Here is another example. BigIron RX(config)# ip community-list standard std_2 permit 23:45 56:78 BigIron RX(config)# route-map bgp3 permit 1 BigIron RX(config-routemap bgp3)# match community std_1 std_2 exact-match These commands configure an additional community ACL, std_2, that contains community...
  • Page 883 Filtering The dampening [<half-life> <reuse> <suppress> <max-suppress-time>] parameter sets route dampening parameters for the route. The <half-life> parameter specifies the number of minutes after which the route’s penalty becomes half its value. The <reuse> parameter specifies how low a route’s penalty must become before the route becomes eligible for use again after being suppressed.
  • Page 884 Filtering BigIron RX(config)# access-list 1 permit 192.168.9.0 0.0.0.255 BigIron RX(config)# route-map bgp4 permit 1 BigIron RX(config-routemap bgp4)# match ip address 1 BigIron RX(config-routemap bgp4)# set metric-type internal The first command configures an ACL that matches on routes with destination network 192.168.9.0.
  • Page 885: Configuring Cooperative Bgp4 Route Filtering

    Filtering Configuring cooperative BGP4 route filtering By default, the device performs all filtering of incoming routes locally, on the device itself. You can use cooperative BGP4 route filtering to cause the filtering to be performed by a neighbor before it sends the routes to the device.
  • Page 886 Filtering Syntax: [no] neighbor <ip-addr> | <peer-group-name> capability orf prefixlist [send | receive] The <ip-addr> | <peer-group-name> parameter specifies the IP address of a neighbor or the name of a peer group of neighbors. The send | receive parameter specifies the support you are enabling: •...
  • Page 887: Configuring Route Flap Dampening

    Filtering • The cooperative filtering configuration on the device. • The ORFs received from neighbors. To display the cooperative filtering configuration on the device, enter a command such as the following. The line shown in bold type shows the cooperative filtering status. BigIron RX# show ip bgp neighbor 10.10.10.1 IP Address: 10.10.10.1, AS: 65200 (IBGP), RouterID: 10.10.10.1 State: ESTABLISHED, Time: 0h0m7s, KeepAliveTime: 60, HoldTime: 180...
  • Page 888 Filtering NOTE The BigIron RX applies route flap dampening only to routes learned from EBGP neighbors. The route flap dampening mechanism is based on penalties. When a route exceeds a configured penalty value, the device stops using that route and also stops advertising it to other routers. The mechanism also allows a route’s penalties to reduce over time if the route’s stability improves.
  • Page 889 Filtering BigIron RX(config)# router bgp BigIron RX(config-bgp)# address-filter 9 permit 209.157.22.0 255.255.255.0 255.255.255.0 255.255.255.0 BigIron RX(config-bgp)# address-filter 10 permit 209.157.23.0 255.255.255.0 255.255.255.0 255.255.255.0 BigIron RX(config-bgp)# exit BigIron RX(config)# route-map DAMPENING_MAP permit 9 BigIron RX(config-routemap DAMPENING_MAP)# match address-filters 9 BigIron RX(config-routemap DAMPENING_MAP)# set dampening 10 200 2500 40 BigIron RX(config-routemap DAMPENING_MAP)# exit BigIron RX(config)# route-map DAMPENING_MAP permit 10 BigIron RX(config-routemap DAMPENING_MAP)# match address-filters 10...
  • Page 890: Displaying And Clearing Route Flap Dampening Statistics

    Filtering BigIron RX(config-routemap DAMPENING_MAP_NEIGHBOR_A)# exit BigIron RX(config)# router bgp BigIron RX(config-bgp)# dampening route-map DAMPENING_MAP_ENABLE BigIron RX(config-bgp)# neighbor 10.10.10.1 route-map in DAMPENING_MAP_NEIGHBOR_A In this example, the first command globally enables route flap dampening. This route map does not contain any match or set statements. At the BGP configuration level, the dampening route-map command refers to the DAMPENING_MAP_ENABLE route map created by the first command, thus enabling dampening globally.
  • Page 891 Filtering BigIron RX# show ip bgp flap-statistics Total number of flapping routes: 414 Status Code >:best d:damped h:history *:valid Network From Flaps Since Reuse Path h> 192.50.206.0/23 166.90.213.77 0 :0 :13 0 :0 :0 65001 4355 1 701 h> 203.255.192.0/20 166.90.213.77 0 :0 :13 0 :0 :0 65001 4355 1 7018...
  • Page 892: Generating Traps For Bgp

    Filtering Clearing route flap dampening statistics NOTE Clearing the dampening statistics for a route does not change the dampening status of the route. To clear all the route dampening statistics, enter the following command at any level of the CLI. BigIron RX# clear ip bgp flap-statistics Syntax: clear ip bgp flap-statistics [regular-expression <regular-expression>...
  • Page 893: Using Soft Reconfiguration

    Filtering Using soft reconfiguration The soft reconfiguration feature places policy changes into effect without resetting the BGP4 session. Soft reconfiguration does not request the neighbor or group to send its entire BGP4 table, nor does the feature reset the session with the neighbor or group. Instead, the soft reconfiguration feature stores all the route updates received from the neighbor or group.
  • Page 894 Filtering NOTE The syntax related to soft reconfiguration is shown. For complete command syntax, refer to “Dynamically refreshing routes” on page 819. Displaying the filtered routes received from the neighbor or peer group When you enable soft reconfiguration, the device saves all updates received from the specified neighbor or peer group.
  • Page 895 Filtering BigIron RX# show ip bgp neighbor 192.168.4.106 routes There are 97345 received routes from neighbor 192.168.4.106 Searching for matching routes, use ^C to quit... Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED Prefix Next Hop Metric LocPrf Weight Status...
  • Page 896 Filtering To request a dynamic refresh of all routes from a neighbor, enter a command such as the following. BigIron RX(config-bgp)# clear ip bgp neighbor 192.168.1.170 soft in This command asks the neighbor to send its BGP4 table (Adj-RIB-Out) again. The device applies its filters to the incoming routes and adds, modifies, or removes BGP4 routes as necessary.
  • Page 897: Closing Or Resetting A Neighbor Session

    Filtering To place a new or changed outbound policy or filter into effect, you must enter a clear ip bgp neighbor command regardless of whether the neighbor session is up or down. You can enter the command without optional parameters or with the soft out or soft-outbound option. Either way, you must specify a parameter for the neighbor (<ip-addr>, <as-num>, <peer-group-name>, or all).
  • Page 898: Clearing Traffic Counters

    Filtering If you make changes to filters or route maps and the neighbor does not support dynamic route refresh, use these methods to ensure that neighbors contain only the routes you want them to contain. • If you close a neighbor session, the device and the neighbor clear all the routes they learned from each other.
  • Page 899: Clearing Route Flap Dampening Statistics

    Filtering BigIron RX# clear ip bgp neighbor 10.0.0.1 traffic To clear the BGP4 message counter for all neighbors within a peer group, enter a command such as the following. BigIron RX# clear ip bgp neighbor PeerGroup1 traffic Syntax: clear ip bgp neighbor all | <ip-addr> | <peer-group-name> | <as-num> traffic The all | <ip-addr>...
  • Page 900: Clearing Diagnostic Buffers

    Displaying BGP4 information Clearing diagnostic buffers The BigIron RX stores the following BGP4 diagnostic information in buffers: • The first 400 bytes of the last packet received that contained an error • The last NOTIFICATION message either sent or received by the device To display these buffers, use options with the show ip bgp neighbors command.
  • Page 901: Displaying Summary Bgp4 Information

    Displaying BGP4 information Displaying summary BGP4 information You can display the local AS number, the maximum number of routes and neighbors supported, and some BGP4 statistics. To view summary BGP4 information for the router, enter the following command at any CLI prompt. BigIron RX# show ip bgp summary BGP4 Summary Router ID: 101.0.0.1...
  • Page 902 Displaying BGP4 information TABLE 124 BGP4 summary information (Continued) This field... Displays... Number of Attribute Entries Installed The number of BGP4 route-attribute entries in the router’s route-attributes table. To display the route-attribute table, refer to “Displaying BGP4 route-attribute entries” on page 847. Neighbor Address The IP addresses of this router’s BGP4 neighbors.
  • Page 903: Displaying The Active Bgp4 Configuration

    Displaying BGP4 information TABLE 124 BGP4 summary information (Continued) This field... Displays... Sent The number of BGP4 routes that the device has sent to the neighbor. ToSend The number of routes the device has queued to send to this neighbor. Displaying the active BGP4 configuration To view the active BGP4 configuration information contained in the running configuration without displaying the entire running configuration, enter the following command at any level of the CLI.
  • Page 904 Displaying BGP4 information BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 routes-summary IP Address: 192.168.4.211 Routes Accepted/Installed:1, Filtered/Kept:11, Filtered:11 Routes Selected as BEST Routes:1 BEST Routes not Installed in IP Forwarding Table:0 Unreachable Routes (no IGP Route for NEXTHOP):0 History Routes:0 NLRIs Received in Update Message:24, Withdraws:0 (0), Replacements:1...
  • Page 905: Displaying Bgp4 Neighbor Information

    Displaying BGP4 information TABLE 125 BGP4 route summary information for a neighbor (Continued) This field... Displays... NLRIs Discarded due to Indicates the number of times the device discarded an NLRI for the neighbor due to the following reasons: • Maximum Prefix Limit – The device’s configured maximum prefix amount had been reached.
  • Page 906 Displaying BGP4 information BigIron RX(config-bgp)# show ip bgp neighbor 10.4.0.2 IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1 Description: neighbor 10.4.0.2 State: ESTABLISHED, Time: 0h1m0s, KeepAliveTime: 0, HoldTime: 0 PeerGroup: pg1 Multihop-EBGP: yes, ttl: 1 RouteReflectorClient: yes SendCommunity: yes NextHopSelf: yes DefaultOriginate: yes (default sent) MaximumPrefixLimit: 90000 RemovePrivateAs: : yes...
  • Page 907 Displaying BGP4 information The attribute-entries option shows the attribute-entries associated with routes received from the neighbor. The flap-statistics option shows the route flap statistics for routes received from or sent to the neighbor. The last-packet-with-error option displays the last packet from the neighbor that contained an error. The packet's contents are displayed in decoded (human-readable) format.
  • Page 908 Displaying BGP4 information TABLE 126 BGP4 neighbor information (Continued) This field... Displays... Description The description you gave the neighbor when you configured it on the device. State The state of the router’s session with the neighbor. The states are from this router’s perspective of the session, not the neighbor’s perspective.
  • Page 909 Displaying BGP4 information TABLE 126 BGP4 neighbor information (Continued) This field... Displays... DefaultOriginate Whether this option is enabled for the neighbor. MaximumPrefixLimit Lists the maximum number of prefixes the device will accept from this neighbor. RemovePrivateAs Whether this option is enabled for the neighbor. RefreshCapability Whether this device has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability.
  • Page 910 Displaying BGP4 information TABLE 126 BGP4 neighbor information (Continued) This field... Displays... Last Connection Reset Reason The reason the previous session with this neighbor ended. The reason can be one of the following: • Reasons described in the BGP specifications: •...
  • Page 911 Displaying BGP4 information TABLE 126 BGP4 neighbor information (Continued) This field... Displays... Notification Sent If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
  • Page 912 Displaying BGP4 information TABLE 126 BGP4 neighbor information (Continued) This field... Displays... TCP Connection state The state of the connection with the neighbor. The connection can have one of the following states: • LISTEN – Waiting for a connection request. •...
  • Page 913 Displaying BGP4 information TABLE 126 BGP4 neighbor information (Continued) This field... Displays... TotalRcv The number of sequence numbers received from the neighbor. DupliRcv The number of duplicate sequence numbers received from the neighbor. RcvWnd The size of the receive window. SendQue The number of sequence numbers in the send queue.
  • Page 914 Displaying BGP4 information This display shows the following information. TABLE 127 BGP4 route summary information for a neighbor This field... Displays... Routes Received How many routes the device has received from the neighbor during the current BGP4 session. • Accepted/Installed – Indicates how many of the received routes the device accepted and installed in the BGP4 route table.
  • Page 915 Displaying BGP4 information TABLE 127 BGP4 route summary information for a neighbor (Continued) This field... Displays... NLRIs Sent in Update Message The number of NLRIs for new routes the device has sent to this neighbor in UPDATE messages. • Withdraws – The number of routes the device has sent to the neighbor to withdraw.
  • Page 916: Displaying Peer Group Information

    Displaying BGP4 information Displaying the adj-RIB-out for a neighbor To display the device’s current BGP4 Routing Information Base (Adj-RIB-Out) for a specific neighbor and a specific destination network, enter a command such as the following at any level of the CLI. BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 rib-out-routes 192.168.1.0/24 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST I:IBGP L:LOCAL...
  • Page 917: Displaying The Bgp4 Route Table

    Displaying BGP4 information This display shows the following information. TABLE 128 BGP4 summary route information This field... Displays... Total number of BGP routes (NLRIs) Installed The number of BGP4 routes the device has installed in the BGP4 route table. Distinct BGP destination networks The number of destination networks the installed routes represent.
  • Page 918 Displaying BGP4 information Syntax: show ip bgp routes [[network] <ip-addr>] | <num> | [age <secs>] | [as-path-access-list <num>] | [best] | [cidr-only] | [community <num> | no-export | no-advertise | internet | local-as] | [community-access-list <num>] | [community-list <num> | [detail <option>] | [filter-list <num, num,...>] | [next-hop <ip-addr>] | [no-best] | [not-installed-best] | [prefix-list <string>] | [regular-expression <regular-expression>] | [route-map <map-name>] | [summary] |...
  • Page 919 Displaying BGP4 information The unreachable option displays the routes that are unreachable because the device does not have a valid RIP, OSPF, or static route to the next hop. Displaying the best BGP4 routes To display all the BGP4 routes in the device’s BGP4 route table that are the best routes to their destinations, enter a command such as the following at any level of the CLI.
  • Page 920 Displaying BGP4 information BigIron RX(config-bgp)# show ip bgp 9.3.4.0 Number of BGP Routes matching display condition : 1 Status codes: s suppressed, d damped, h history, * valid, > best, i internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path...
  • Page 921 Displaying BGP4 information TABLE 129 BGP4 network information (Continued) This field... Displays... Path The route’s AS path. NOTE: This field appears only if you do not enter the route option. Origin code A character the display uses to indicate the route’s origin. The origin code appears to the right of the AS path (Path field).
  • Page 922 Displaying BGP4 information These displays show the following information. TABLE 130 BGP4 route information This field... Displays... Total number of BGP Routes The number of BGP4 routes. Status codes A list of the characters the display uses to indicate the route’s status. The status code appears in the left column of the display, to the left of each route.
  • Page 923: Displaying Bgp4 Route-Attribute Entries

    Displaying BGP4 information TABLE 130 BGP4 route information (Continued) This field... Displays... Origin The source of the route information. The origin can be one of the following: • EGP – The routes with this set of attributes came to BGP through EGP.
  • Page 924 Displaying BGP4 information BigIron RX# show ip bgp attribute-entries Total number of BGP Attribute Entries: 7753 Next Hop :192.168.11.1 Metric Origin:IGP Originator:0.0.0.0 Cluster List:None Aggregator:AS Number :0 Router-ID:0.0.0.0 Atomic:FALSE Local Pref:100 Communities:Internet AS Path :(65002) 65001 4355 2548 3561 5400 6669 5548 Next Hop :192.168.11.1 Metric...
  • Page 925: Displaying Route Flap Dampening Statistics

    Displaying BGP4 information TABLE 131 BGP4 route-attribute entries information (Continued) This field... Displays... Communities The communities that routes with this set of attributes are in. AS Path The ASs through which routes with this set of attributes have passed. The local AS is shown in parentheses. Displaying the routes BGP4 has placed in the IP route table The IP route table indicates the routes it has received from BGP4 by listing “BGP”...
  • Page 926: Displaying The Active Route Map Configuration

    Displaying BGP4 information The <address> <mask> parameter specifies a particular route. If you also use the optional longer-prefixes parameter, then all statistics for routes that match the specified route or have a longer prefix than the specified route are displayed. For example, if you specify 209.157.0.0 longer, then all routes with the prefix 209.157 or that have a longer prefix (such as 209.157.22) are displayed.
  • Page 927 Displaying BGP4 information match address-filters 11 set community 11:12 no-export route-map permit1122 permit 12 match ip address 11 route-map permit1122 permit 13 match ip address std_22 This example shows that the running configuration contains six route maps. Notice that the match and set statements within each route map are listed beneath the command for the route map itself.
  • Page 928 Displaying BGP4 information NOTE After configuring BGP Graceful Restart, you need to reset the neighbor session, whether or not the neighbor session is up, to enable BGP graceful restart. Use the clear ip bgp neighbor command to clear and re-establish neighbor sessions. Configuring BGP graceful restart on a router Use the following command to enable the BGP graceful restart feature on a BigIron RX device.
  • Page 929 Displaying BGP4 information Router 1 BigIron RX(config)#router bgp BigIron RX(config-bgp)#local-as 100 BigIron RX(config-bgp)#graceful-restart BigIron RX(config-bgp)#neighbor 12.2.0.14 remote-as 200 BigIron RX(config-bgp)#write memory Router 2 BigIron RX(config)#router bgp BigIron RX(config-bgp)#local-as 200 BigIron RX(config-bgp)#graceful-restart BigIron RX(config-bgp)#neighbor 12.1.0.14 remote-as 100 BigIron RX(config-bgp)#neighbor 12.3.0.14 remote-as 300 BigIron RX(config-bgp)#write memory Router 3 BigIron RX(config)#router bgp...
  • Page 930: Generalized Ttl Security Mechanism Support

    Generalized TTL security mechanism support BigIron RX# show ip bgp neighbor 11.11.11.2 1 IP Address: 11.11.11.2, Remote AS: 101 (EBGP), RouterID: 101.101.101.1 Local AS: 200 State: ESTABLISHED, Time: 0h18m15s, KeepAliveTime: 60, HoldTime: 180 KeepAliveTimer Expire in 44 seconds, HoldTimer Expire in 167 seconds RefreshCapability: Received GracefulRestartCapability: Received Restart Time 120 sec, Restart bit 0...
  • Page 931 Generalized TTL security mechanism support Syntax: [no] neighbor <ip-addr> | <peer-group-name> ebgp-btsh NOTE For GTSM protection to work properly, it must be enabled on both the Brocade device and the neighbor. BigIron RX Series Configuration Guide 53-1002253-01...
  • Page 933: Configuring Mbgp

    Chapter Configuring MBGP This chapter provides details on how to configure Multi-protocol Border Gateway Protocol (MBGP). MBGP is an extension to BGP that allows a router to support separate unicast and multicast topologies. BGP4 cannot support a multicast network topology that differs from the network’s unicast topology.
  • Page 934: Configuring Mbgp

    Configuration considerations Configuration considerations • MBGP does not redistribute DVMRP routes. It redistributes static routes only. • You cannot redistribute MBGP routes into BGP4. • The BigIron RX supports 8192 multicast routes by default. You may need to increase the maximum number of multicast routes for MBGP.
  • Page 935: Enabling Mbgp

    Configuring MBGP Enabling MBGP To enable MBGP4, you must enable PIM SM or DM and BGP4. Enter commands such as the following. BigIron RX> enable BigIron RX# configure terminal BigIron RX(config)# router pim BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-1/1)# ip address 1.1.1.1/24 BigIron RX(config-if-1/1)# ip pim BigIron RX(config-if-1/1)# exit BigIron RX(config)# router bgp...
  • Page 936: Optional Configuration Tasks

    Configuring MBGP [password [0 | 1] <string>] [prefix-list <string> in | out] [remote-as <as-number>] [remove-private-as] [route-map in | out <map-name>] [route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive <num> hold-time <num>] [update-source loopback <num>] [weight <num>] The <ip-addr> | <peer-group-name> parameter indicates whether you are configuring an individual neighbor or a peer group.
  • Page 937 Configuring MBGP Configuring a network prefix to advertise By default, the BigIron RX advertises MBGP routes only for the networks you identify using the network command or that are redistributed into MBGP from IP multicast route tables. NOTE The exact route must exist in the IP multicast route table so that the device can create a local MBGP route.
  • Page 938 Configuring MBGP NOTE The route map you specify must already be configured. Configuring static IP multicast routes To configure static IP multicast routes, enter commands such as the following. BigIron RX(config)# ip mroute 207.95.10.0 255.255.255.0 interface ethernet 1/2 BigIron RX(config)# ip mroute 0.0.0.0 0.0.0.0 interface ethernet 2/3 The commands in this example configure two static multicast routes.
  • Page 939: Displaying Mbgp Information

    Displaying MBGP information The <ip-addr> and <ip-mask> parameters specify the aggregate value for the networks. The as-set parameter causes the router to aggregate AS-path information for all the routes in the aggregate address into a single AS-path. The summary-only parameter prevents the router from advertising more specific routes contained within the aggregate route.
  • Page 940: Displaying The Active Mbgp Configuration

    Displaying MBGP information BigIron RX# show ip mbgp summary BGP4 Summary Router ID: 9.9.9.1 Local AS Number : 200 Confederation Identifier : not configured Confederation Peers: Maximum Number of Paths Supported for Load Sharing : 1 Number of Neighbors Configured : 1, UP: 1 Number of Routes Installed : 5677 Number of Routes Advertising to All Neighbors : 5673 Number of Attribute Entries Installed : 3...
  • Page 941: Displaying Mbgp Neighbors

    Displaying MBGP information Displaying MBGP neighbors To view MBGP neighbor information including the values for all the configured parameters, enter the following command. This display is similar to the show ip bgp neighbor display but has additional fields that apply only to MBGP. These fields are shown in bold type in the example and are explained below.
  • Page 942: Displaying Mbgp Routes

    Displaying MBGP information The <ip-addr> parameter specifies the neighbor’s IP address. Displaying MBGP routes To display the MBGP route table, enter the following command. BigIron RX#show ip mbgp route Total number of BGP Routes: 2 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE Prefix Next Hop...
  • Page 943: Relationship To Ip Route Table

    Chapter Configuring IS-IS (IPv4) The Intermediate System to Intermediate System (IS-IS) protocol is a link-state Interior Gateway Protocol (IGP) that is based on the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Open Systems Interconnection (OSI) model. In IS-IS, an intermediate system (router) is designated as either a Level 1 or Level 2 router.
  • Page 944: Intermediate Systems And End Systems

    Configuring IS-IS (IPv4) • If the path provided by IS-IS has the lowest administrative distance, then the CPU places that IS-IS path in the IP route table. • If a path to the same destination supplied by another protocol has a lower administrative distance, the CPU installs the other protocol’s path in the IP route table instead.
  • Page 945: Domain And Areas

    Configuring IS-IS (IPv4) NOTE Since the Brocade implementation of IS-IS does not route OSI traffic but instead routes IP traffic, IP hosts are shown instead of ESs. The other basic IS-IS concepts illustrated in this figure are explained in the following sections. Domain and areas IS-IS is an IGP, and thus applies only to routes within a single routing domain.
  • Page 946 Configuring IS-IS (IPv4) The Designated IS is elected based on the priority of each IS in the broadcast network. When an IS becomes operational, it sends a Level-1 or Level-2 Hello PDU to advertise itself to other ISs. If the IS is configured to be both a Level-1 and a Level-2 IS, the IS sends a separate advertisement for each level.
  • Page 947: Is-Is Cli Levels

    IS-IS CLI levels Route calculation and selection The Designated IS uses a Shortest Path First (SPF) algorithm to calculate paths to destination ISs and ESs. The SPF algorithm uses Link State PDUs (LSPDUs) received from other ISs as input, and creates the paths as output.
  • Page 948: Address Family Configuration Level

    IS-IS CLI levels BigIron RX(config)#router isis BigIron RX(config-isis-router)# Syntax: [no] router isis The (config-isis-router)# prompt indicates that you are at the global level for IS-IS. Configurations you enter at this level apply to both IS-IS IPv4 and IS-IS IPv6. Address family configuration level The BigIron RX implementation of IS-IS includes the address family configuration level.
  • Page 949: Configuring Ipv4 Is-Is

    Configuring IPv4 IS-IS Configuring IPv4 IS-IS Enabling IS-IS globally To configure IPv4 IS-IS, do the following. 1. Globally enable IS-IS by entering the following command. BigIron RX(config)# router isis ISIS: Please configure NET! Once you enter router isis, the device enters the IS-IS router configuration level. Syntax: [no] router isis To disable IS-IS, use the no form of this command.
  • Page 950: Globally Configuring Is-Is On A Device

    Globally configuring IS-IS on a device • Change the default metric. • Add, change, or negate route redistribution parameters. Some IS-IS parameter changes take effect immediately while others do not take full effect until you disable, then re-enable route redistribution. Globally configuring IS-IS on a device This section describes how to change the global IS-IS parameters.
  • Page 951: Configuring Authentication

    Globally configuring IS-IS on a device The on-startup <secs> parameter specifies the number of seconds following a reload to set the overload bit on. You can specify 0 or a number from 5 – 86400 (24 hours). The default is 0, which means the device starts performing IS-IS routing immediately following a successful software reload.
  • Page 952: Changing The Is-Is Level Globally

    Globally configuring IS-IS on a device Changing the IS-IS Level globally By default, a BigIron RX can operate as both an IS-IS Level-1 and Level-2 router. To globally change the level supported from Level-1 and Level-2 to Level-1 only, enter the following command. BigIron RX(config-isis-router)# is-type level-1 Syntax: [no] is-type level-1 | level-1-2 | level-2 The level-1 | level-1-2 | level-2 parameter specifies the IS-IS type.
  • Page 953: Changing The Maximum Lsp Lifetime

    Globally configuring IS-IS on a device BigIron RX(config-isis-router)# csnp-interval 15 Syntax: [no] csnp-interval <secs> The <secs> parameter specifies the interval and can be from 0 – 65535 seconds. The default is 10 seconds. NOTE Although the command name is csnp-interval, the interval also applies to PSNPs. Changing the maximum LSP lifetime The maximum LSP lifetime is the maximum number of seconds an un-refreshed LSP can remain in the device’s LSP database.
  • Page 954: Changing The Lsp Interval And Retransmit Interval

    Globally configuring IS-IS on a device The <secs> parameter specifies the minimum refresh interval and can be from 1 – 120 seconds. The default is 10 seconds. Changing the LSP interval and retransmit interval The LSP interval is the rate of transmission of the LSPs, in milliseconds. The retransmit interval is the time the device waits before it retransmits LSPs.
  • Page 955: Logging Adjacency Changes

    Globally configuring IS-IS on a device The padding consists of arbitrarily valued octets. A padded hello PDU indicates the largest PDU that the device can receive. Other ISs that receive a padded hello PDU from the device can therefore ensure that the IS-IS PDUs they send the device. Similarly, if the device receives a padded hello PDU from a neighbor IS, the device knows the maximum size PDU that the device can send to the neighbor.
  • Page 956: Configuring Ipv4 Address Family Route Parameters

    Configuring IPv4 address family route parameters Configuring IPv4 address family route parameters This section describes how to modify the IS-IS parameters for the IS-IS IPv4 unicast address family. To enter the IPv4 unicast address family, refer to “Address family configuration level” on page 872.
  • Page 957: Changing The Administrative Distance For Ipv4 Is-Is

    Configuring IPv4 address family route parameters NOTE This feature requires the presence of a default route in the IPv4 route table. To enable the device to advertise a default route that is originated at Level 2, enter the following command at the IPv4 IS-IS unicast address family configuration level. BigIron RX(config-isis-router-ipv4u)# default-information-originate This command enables the device to advertise a default route into the IPv4 IS-IS area to which the device is attached.
  • Page 958: Configuring Summary Addresses

    Configuring IPv4 address family route parameters For example, if the router has a path from RIP, from OSPF, and IPv4 IS-IS to the same destination, and all the paths are using their protocols’ default administrative distances, the router selects the OSPF path, because that path has a lower administrative distance than the RIP and IPv4 IS-IS paths.
  • Page 959: Redistributing Routes Into Ipv4 Is-Is

    Configuring IPv4 address family route parameters The level-1 | level-1-2 | level-2 parameter specifies the route types to which the aggregate route applies. The default is level-2. Redistributing routes into IPv4 IS-IS To redistribute routes into IPv4 IS-IS, you can perform the following configuration tasks: •...
  • Page 960: Redistributing Static Ipv4 Routes Into Ipv4 Is-Is

    Configuring IPv4 address family route parameters The <value> parameter specifies the default metric. You can specify a value from 0 – 65535. The default is 0. To restore the default value for the default metric, enter the no form of this command. Redistributing static IPv4 routes into IPv4 IS-IS To redistribute static IPv4 routes from the IPv4 static route table into IPv4 IS-IS routes, enter the following command at the IPv4 IS-IS unicast address family configuration level.
  • Page 961: Redistributing Rip Routes Into Ipv4 Is-Is

    Configuring IPv4 address family route parameters Redistributing RIP routes into IPv4 IS-IS To redistribute RIP routes into IPv4 IS-IS, enter the following command at the IPv4 IS-IS unicast address family configuration level. BigIron RX(config-isis-router-ipv4u)# redistribute rip This command configures the device to redistribute all RIP routes into Level-2 IS-IS. Syntax: [no] redistribute rip [level-1 | level-1-2 | level-2] | metric <number>...
  • Page 962: Redistributing Ipv4 Is-Is Routes Within Ipv4 Is-Is

    Configuring ISIS properties on an interface Redistributing IPv4 IS-IS routes within IPv4 IS-IS In addition to redistributing routes from other route sources into IPv4 IS-IS, the BigIron RX can redistribute Level 1 IPv4 IS-IS routes into Level 2 IPv4 IS-IS routes, and Level 2 IPv4 IS-IS routes into Level 1 IPv4 IS-IS routes.
  • Page 963: Setting The Priority For Designated Is Election

    Configuring ISIS properties on an interface NOTE The BigIron RX advertises an IS-IS interface to its area regardless of whether adjacency formation is enabled. To disable IS-IS adjacency formation on an interface, enter commands such as the following. BigIron RX(config)# interface ethernet 2/8 BigIron RX(config-if-e1000-2/8)# isis passive This command disables IS-IS adjacency formation on port 2/8.
  • Page 964: Changing The Is-Is Level On An Interface

    Configuring ISIS properties on an interface The <string> parameter specifies the password. You can enter an alphanumeric string up to 80 characters long. The password can contain blank spaces. If you use a blank space in the password, you must use quotation marks (" ") around the entire password; for example, isis password "admin 2".
  • Page 965: Changing The Hello Multiplier

    Configuring ISIS properties on an interface The <num> parameter specifies the interval, and can be from 1 – 65535 seconds. The default is 10 seconds. The level-1 | level-2 parameter applies the change to only the level you specify. If you do not use this parameter, the change applies to both levels.
  • Page 966: Displaying Ipv4 Is-Is Information

    Displaying IPv4 IS-IS information The level-1 | level-2 parameter applies the change to only the level you specify. If you do not use this parameter, the change applies to both levels. Displaying IPv4 IS-IS information You can display the following information: •...
  • Page 967: Displaying Neighbor Information

    Displaying IPv4 IS-IS information BigIron RX# show isis hostname Total number of entries in IS-IS Hostname Table: 1 System ID Hostname * = local IS * bbbb.cccc.dddd Syntax: show isis hostname The table in this example contains one mapping, for this device. The device’s IS-IS system ID is “bbbb.cccc.dddd”...
  • Page 968: Displaying Is-Is Syslog Messages

    Displaying IPv4 IS-IS information TABLE 135 IS-IS neighbor information (Continued) This field... Displays... Type The IS-IS type of the adjacency. The type can be one of the following: • ISL1 – Level-1 IS • ISL2 – Level-2 IS • ES – ES NOTE: The device forms a separate adjacency for each IS-IS type.
  • Page 969: Displaying Interface Information

    Displaying IPv4 IS-IS information TABLE 136 IS-IS Syslog messages Message level Message Explanation Alert ISIS MEMORY USE EXCEEDED IS-IS is requesting more memory than is available. Notification ISIS L1 ADJACENCY DOWN <system-id> on The device’s adjacency with this Level-1 IS interface <interface-id>...
  • Page 970 Displaying IPv4 IS-IS information BigIron RX# show isis interface Total number of IS-IS Interfaces: 1 Interface: Eth 7/1 Circuit State: UP Circuit Mode: LEVEL-1-2 Circuit Type: BCAST Passive State: FALSE Circuit Number: 0x01, MTU: 1497 Authentication password: None Level-1 Metric: 10, Level-1 Priority: 64 Level-1 Hello Interval: 10 Level-1 Hello Multiplier: 3 Level-1 Designated IS: RX-01 Level-1 DIS Changes: 8 Level-2 Metric: 10, Level-2 Priority: 64...
  • Page 971 Displaying IPv4 IS-IS information TABLE 137 IS-IS Interface information (Continued) This field... Displays... Passive State The passive state determines whether the interface is allowed to form an IS-IS adjacency with the IS at the other end of the circuit. The state can be one of the following: •...
  • Page 972: Displaying Route Information

    Displaying IPv4 IS-IS information TABLE 137 IS-IS Interface information (Continued) This field... Displays... Bad LSP The number of times the interface received a bad LSP from an IS at the other end of the circuit. The following conditions can cause an LSP to be bad: •...
  • Page 973: Displaying Lsp Database Entries

    Displaying IPv4 IS-IS information TABLE 138 IS-IS route information (Continued) This field... Displays... Cost The IS-IS default metric for the route, which is the cost of using this route to reach the next-hop router to this destination. Type The route type, which can be one of the following: •...
  • Page 974 Displaying IPv4 IS-IS information The <lsp-id> parameter displays summary information about a particular LSP. Specify an LSPID for which you want to display information in HHHH.HHHH.HHHH.HH-HH format, for example, 3333.3333.3333.00-00. You can also enter name.HH-HH, for example, RX.00-00. The detail parameter displays detailed information about the LSPs. Refer to “Displaying detailed information”...
  • Page 975 Displaying IPv4 IS-IS information BigIron RX# show isis database detail IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL RX.00-00* 0x0000000b 0x23fb 1/0/0 Area Address: NLPID: CC(IP) Hostname: Metric: IP-Internal 4.1.1.0/24 Up-bit: 0 Metric: IS RX.01 IS-IS Level-2 Link State Database LSPID LSP Seq Num...
  • Page 976: Displaying Traffic Statistics

    Displaying IPv4 IS-IS information TABLE 140 IS-IS detailed LSP database information (Continued) This field... Displays... IP address The IP address of the interface that sent the LSP. The device can use this address as the next hop in routes to the addresses listed in the rows below.
  • Page 977: Displaying Error Statistics

    Displaying IPv4 IS-IS information TABLE 141 IS-IS traffic statistics This field... Displays... Level-1 Hellos The number of Level-1 hello PDUs sent and received by the device. Level-2 Hellos The number of Level-2 hello PDUs sent and received by the device. Level-1 LSP The number of Level-1 link-state PDUs sent and received by the device.
  • Page 978: Clearing Is-Is Information

    Clearing IS-IS information TABLE 142 IS-IS error statistics (Continued) This field... Displays... LSP Sequence Number Skipped The number of times the device received an LSP with a sequence number that was more than 1 higher than the sequence number of the previous LSP received from the same neighbor.
  • Page 979 Clearing IS-IS information The neighbor parameter closes the device’s adjacencies with its IS-IS neighbors and clears the neighbor statistics. The route [<ip-address> <subnet-mask> | <ip-address>/<prefix> ] parameter clears the IS-IS route table or the specified matching route. The traffic parameter clears the PDU statistics. NOTE The traffic option also clears the values displayed in the show isis interface command’s Control Messages Sent and Control Messages Received fields.
  • Page 981: Configuring Bfd Parameters

    Chapter Bidirectional Forwarding Detection (BFD) The BigIron RX provides support for Bidirectional Forwarding Detection (BFD), which defines a method of rapidly detecting the failure of a forwarding path by checking that the next-hop router is alive. Without BFD enabled, it can take from 3 to 30 seconds to detect that a neighboring router is not operational, causing packet loss due to incorrect routing information at a level unacceptable for real-time applications such as VoIP and video over IP.
  • Page 982: Number Of Bfd Sessions Supported

    Displaying Bidirectional Forwarding Detection information BigIron RX(config-if-e1000-3/1)# bfd interval 100 min-rx 100 multiplier 3 Syntax: [no] bfd interval <transmit-time> min-rx <receive-time> multiplier <number> The <transmit-time> variable is the interval, specified in milliseconds, at which this router sends a BFD message to its peer to inform it that it is still operational.
  • Page 983 Displaying Bidirectional Forwarding Detection information BigIron RX# show bfd BFD State: ENABLED Version: 1 Current Registered Protocols: ospf ospf6 All Sessions: Current: 2 Maximum Allowed: 100 Maximum Exceeded Count: 0 LP Sessions: Maximum Allowed on LP: 20 Maximum Exceeded Count for LPs: 0 LP Sessions LP Sessions LP Sessions LP Sessions 10 0 11 0...
  • Page 984 Displaying Bidirectional Forwarding Detection information TABLE 143 Display of BFD information (Continued) This field... Displays... Mult The number of times that the router will wait for the MinRx time on this port before it determines that its peer router is non-operational. Sessions The number of BFD sessions originating on this port.
  • Page 985 Displaying Bidirectional Forwarding Detection information TABLE 145 Display of BFD information (Continued) This field... Displays... Interface The logical port (physical or virtual port) on which the peer is known. The physical port can be either Ethernet or POS. Holddown The interval after which the session will transition to the down state if no message is received.
  • Page 986: Clearing Bfd Neighbor Sessions

    Displaying Bidirectional Forwarding Detection information TABLE 146 Display of BFD neighbor detail information (Continued) This field... Displays... Diag Value of the “diagnostic” field in the BFD Control Message as used by the local router in the last message sent. Demand Value of the “demand”...
  • Page 987: Configuring Bfd For The Specified Protocol

    Configuring BFD for the specified protocol BigIron RX# clear bfd neighbor Syntax: clear bfd neighbor [<IP-Address> | <IPv6-address>] The <IP-Address> variable specifies the IPv4 address of a particular neighbor whose BFD session you want to clear. The <IPv6-Address> variable specifies the IPv6 address of a particular neighbor whose BFD session you want to clear.
  • Page 988: Configuring Bfd For Is-Is

    Configuring BFD for the specified protocol Enabling BFD for OSPFv3 for all interfaces You can configure BFD for OSPFv3 on all of a router’s OSPFv3 enabled interfaces using the command shown in the following. BigIron RX(config)# ipv6 router ospf BigIron RX(config-ospf6-router)# bfd all-interfaces Syntax: [no] bfd all-interfaces While this command configures BFD for OSPFv3 on all of a router’s OSPFv3 enabled interfaces, it is not required that it be configured if you use the ipv6 ospf bfd command to configure specific...
  • Page 989: Overview Of Secure Shell (Ssh)

    Chapter Configuring Secure Shell In this chapter • Overview of Secure Shell (SSH) ........913 •...
  • Page 990: Supported Features

    Configuring SSH • SCP/SFTP/SSH URI Format If you are using redundant management modules, you can synchronize the DSA host key pair between the active and standby modules by entering the sync-standby command at the Privileged EXEC level of the CLI. Tested SSHv2 clients The following SSH clients have been tested with SSHv2: •...
  • Page 991: Generating A Host Key Pair

    Configuring SSH • DSA challenge-response authentication, where a collection of public keys are stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH. •...
  • Page 992: Configuring Dsa Challenge-Response Authentication

    Configuring SSH By default, public keys are hidden in the running configuration. You can optionally configure the device to display the DSA host key pair in the running configuration file by entering the following command. BigIron RX# ssh show-host-keys Syntax: ssh show-host-keys To hide the public keys in the running configuration file, enter the following command.
  • Page 993 Configuring SSH 1. Importing authorized public keys into the device. 2. Enabling DSA challenge-response authentication. Importing authorized public keys into the device SSH clients that support DSA authentication normally provide a utility to generate a DSA key pair. The private key is usually stored in a password-protected file on the local host; the public key is stored in another file and is not protected.
  • Page 994: Setting The Number Of Ssh Authentication Retries

    Configuring SSH BigIron RX# show ip client-pub-key ---- BEGIN SSH2 PUBLIC KEY ---- Comment: DSA Public Key ---- END SSH2 PUBLIC KEY ---- Syntax: show ip client-pub-key [| begin <expression> | exclude <expression> | include <expression>] To clear the public keys from the buffers, enter the following command.
  • Page 995: Enabling Empty Password Logins

    Configuring SSH With DSA challenge-response authentication, a collection of clients’ public keys is stored on the device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH. With password authentication, users are prompted for a password when they attempt to log into the device (provided empty password logins are not allowed;...
  • Page 996 Configuring SSH Setting the SSH login timeout value When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects.
  • Page 997: Disabling 3-Des

    Displaying SSH connection information Filtering SSH access using ACLs You can permit or deny SSH access to the device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL or a named standard IPv4 ACL. Then enter the following command.
  • Page 998: Using Secure Copy

    Using secure copy BigIron RX#show who Console connections: established, monitor enabled, in config mode 2 minutes 17 seconds in idle Telnet connections (inbound): 1 closed 2 closed 3 closed 4 closed 5 closed Telnet connection (outbound): 6 closed SSH connections: 1 established, client ip address 192.168.144.241, user is hanuma 1 minutes 16 seconds in idle 2 established, client ip address 192.168.144.241, user is Mikaila...
  • Page 999 Using secure copy NOTE When using SCP, you enter the scp commands on the SCP-enabled client, rather than the console on the device. NOTE Certain SCP client options, including -p and -r, are ignored by the SCP server on the device. If an option is ignored, the client is notified.