Dell PowerConnect B-RX Configuration Manual

BigIron RX Series, Supporting Multi-Service IronWare v02.7.03

53-1001986-01
31 August 2010
BigIron RX Series

Configuration Guide

Supporting Multi-Service IronWare v02.7.03


Summary of Contents for Dell PowerConnect B-RX

  • Page 1: Configuration Guide

    53-1001986-01, 31 August 2010. BigIron RX Series Configuration Guide, Supporting Multi-Service IronWare v02.7.03...
  • Page 2 Copyright © 2010 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
  • Page 3: Table Of Contents

    Contents About This Document Audience ..........xli Supported hardware and software .
  • Page 4 CONFIG commands........4 Accessing the CLI .
  • Page 5 Flash memory and PCMCIA flash card file management commands..........36 Management focus .
  • Page 6 Configuring SSL security for the Web Management Interface ..82 Enabling the SSL server on the device....83 Importing digital certificates and RSA private key files.
  • Page 7 Configuring an interface as source for all Telnet packets ..122 Cancelling an outbound Telnet session ....123 Configuring an interface as the source for all TFTP packets ..123 Configuring an interface as the source for Syslog packets .
  • Page 8 Monitoring an individual trunk port ......147 Mirror ports for Policy-Based Routing (PBR) traffic... . .148 About hardware-based PBR .
  • Page 9 Configuring forwarding parameters ......192 Disabling ICMP messages ......194 Disabling ICMP redirect messages .
  • Page 10 General operating principles ......255 Operating modes ........255 LLDP packets .
  • Page 11 VLAN configuration rules ....... . .288 VLAN ID range ........288 Tagged VLANs.
  • Page 12 Displaying VLAN information ......320 Displaying VLAN information ......320 Displaying VLAN information for specific ports .
  • Page 13 State machines .........358 Handshake mechanisms.
  • Page 14 MRP CLI example ........413 Commands on switch A (master node).
  • Page 15 Displaying topology group information ..... .441 Displaying topology group information ....441 Chapter 17 Configuring VRRP and VRRPE Overview of VRRP .
  • Page 16 Configuring ToS-based QoS ....... 474 Enabling ToS-based QoS ......474 Specifying trust level .
  • Page 17 Configuring rate limiting policies ......502 Configuring a port-based rate limiting policy ....502 Configuring a port-and-priority-based rate limiting policy .
  • Page 18 Displaying ACL definitions ....... .536 Displaying of TCP/UDP numbers in ACLs ....537 ACL logging .
  • Page 19 Chapter 23 Configuring IP Multicast Protocols Overview of IP multicasting .......573 Multicast terms .
  • Page 20 Changing the Shortest Path Tree (SPT) threshold ... . .606 Changing the PIM join and prune message interval ..607 MLL optimization ........607 Displaying PIM Sparse configuration information and statistics.
  • Page 21 Configuring DVMRP........643 Enabling DVMRP globally and on an interface... . .643 Modifying DVMRP global parameters .
  • Page 22 Configuring OSPF ........677 Configuration rules .
  • Page 23 Chapter 26 Configuring BGP4 (IPv4 and IPv6) Overview of BGP4 ........731 Relationship between the BGP4 route table and the IP route table .
  • Page 24 Configuring BGP4 neighbors ......761 Removing route dampening from suppressed neighbor routes ........765 Encryption of BGP4 MD5 authentication keys.
  • Page 25 Chapter 27 Configuring MBGP Configuration considerations ......848 Configuring MBGP ........848 Setting the maximum number of multicast routes supported .
  • Page 26 Configuring IPv4 address family route parameters ... .870 Changing the metric style ......870 Changing the maximum number of load sharing paths .
  • Page 27 Chapter 30 Configuring Secure Shell Overview of Secure Shell (SSH) ......905 SSH version 2 support....... .905 Supported features .
  • Page 28 Chapter 32 Using the MAC Port Security Feature and Transparent Port Flooding MAC Port Security ........931 Violation actions.
  • Page 29 Configuring 802.1x port security ......954 Configuring an authentication method list for 802.1x ..955 Setting RADIUS parameters .
  • Page 30 Chapter 35 Inspecting and Tracking DHCP Packets Dynamic ARP inspection........983 ARP attacks .
  • Page 31 Reading CDP packets ........1010 Enabling interception of CDP packets globally ...1010 Enabling interception of CDP packets on an interface .
  • Page 32 Chapter 41 Configuring IP Multicast Traffic Reduction Enabling IP multicast traffic reduction ....1046 Changing the IGMP mode ......1047 Modifying the query interval .
  • Page 33 Configuring an IPv6 host address for a BigIron RX running a switch image 1068 Configuring a global or site-local IPv6 address with a manually configured interface ID as the switch’s system-wide address ....... 1068 Configuring a global or site-local IPv6 address with an automatically computed EUI-64 interface ID as the switch’s system-wide address.
  • Page 34 Clearing global IPv6 information ......1084 Clearing the IPv6 cache......1084 Clearing IPv6 neighbor information .
  • Page 35 Clearing BGP4+ information......1118 Removing route flap dampening..... . 1118 Clearing route flap dampening statistics .
  • Page 36 Chapter 48 Configuring OSPF Version 3 OSPF version 3 ........1189 Link state advertisement types for OSPFv3 .
  • Page 37 Multicast Listener Discovery and source specific multicast protocols (MLDv2) ........1247 MLD version distinctions .
  • Page 38 RFC compliance ........1291 RFC compliance - BGPv4 .
  • Page 39 Multicast (IP) ......... 1325 Multicast (L2) .
  • Page 41: About This Document

    About This Document Audience This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network –...
  • Page 42 TABLE 1 Supported features (Continued) Category Feature description Management Options Serial and Telnet access to industry-standard Command Line Interface (CLI) SSHv2 TFTP Web-based GUI SNMP versions 1, 2, and 3 IronView Network Manager . Security AAA Authentication Local passwords RADIUS Secure Shell (SSH) version 2 Secure Copy (SCP) TACACS and TACACS+...
  • Page 43 TABLE 1 Supported features (Continued) Category Feature description Rate Limiting Port-based, port-and-priority based, port-and-vlan-based, and port-and-ACL-based rate limiting on inbound ports are supported. SuperSpan A Brocade STP enhancement that allows Service Providers (SPs) to use STP in both SP networks and customer networks. Topology Groups A named set of VLANs that share a Layer 2 topology.
  • Page 44: Unsupported Features

    TABLE 1 Supported features (Continued) Category Feature description Multicast Routing Multicast cache L2 IGMP table DVMRP routes PIM-DM PIM-SM PIM-SSM PIM Snooping OSPF OSPF routes OSPF adjacencies - Dynamic OSPF LSAs OSPF filtering of advertised routes Policy Based Routing (Release 02.2.01 and later) RIP versions 1 and 2 RIP routes VRRP and VRRPE...
  • Page 45: What's New In This Document

    What’s new in this document The following tables provide brief descriptions of the enhancements added in each BigIron RX software release, together with a reference to the specific chapter and section in the BigIron RX Configuration Guide or the Brocade BigIron RX Series Installation Guide that contains a detailed description and operational details for the enhancement.
  • Page 46: Enhancements In Release 02.7.02

    TABLE 2 Summary of enhancements in release 02.7.03. Enhancement: MAC Port Security. Description: The MAC Port Security feature has been updated for the 02.7.03 release. See: Book: BigIron RX Configuration Guide; Chapter: “Using the MAC Port Security Feature and Transparent Port Flooding”...
  • Page 47: Enhancements In Release 02.6.00

    Enhancements in release 02.7.01 TABLE 4 Summary of enhancements in release 02.7.01 (Continued). Enhancement: Network management: 128-bit AES encryption support for SNMP V3. Description: The Advanced Encryption Standard (AES) provides one of the most advanced encryption capabilities available today. See: Book: BigIron RX Series Configuration Guide.
  • Page 48 TABLE 5 Summary of enhancements in release 02.7.00 (Continued). Enhancement: Network management: DHCP Relay Enhancement. Description: Beginning with this release, the IP subnet configured on the port which is directly connected to the device sending a BootP/DHCP request, does... See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring IP”...
  • Page 49 TABLE 6 Summary of enhancements in release 02.6.00 (Continued). Enhancement: VSRP Fast Start. Description: Non-Brocade or non-VSRP aware devices connected to a VSRP master can now quickly switch over to the new master when a VSRP failover occurs. See: Book: BigIron RX Series Configuration Guide; Chapter: “Virtual Switch...
  • Page 50 TABLE 6 Summary of enhancements in release 02.6.00 (Continued). Enhancement: IGMPv3 and IGMP Snooping. Description: In Release 02.6.00 of the Multi-Service IronWare software, creating an IGMP static-group allows the BigIron RX switch having L2 interfaces configured with snooping to pull traffic from upstream sources... See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring IP...
  • Page 51: Enhancements In Patch Release 02.5.00C

    Enhancements in patch release 02.5.00c TABLE 7 Summary of enhancements in release 02.5.00c. Enhancement: Super ACLs. Description: With this patch release, the Multi-Service IronWare software supports Super ACLs that can match on fields in a Layer 2 or Layer 4 packet header. See: Book: BigIron RX Series Configuration Guide.
  • Page 52: Enhancements In Patch Release 02.4.00C

    TABLE 9 Summary of enhancements in release 02.5.00 (Continued). Enhancement: Static Route ARP Validate Next... Description: Beginning with release 02.5.00, you can configure the BigIron RX to perform validation checks on the destination MAC address, the sender and target IP... See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring IP”...
  • Page 53: Enhancements In Release 02.4.00

    Enhancements in release 02.4.00 TABLE 11 Summary of enhancements in release 02.4.00. Enhancement: US Daylight Saving Time scheme. Description: The new Daylight Saving Time (DST) change that went into effect on March 11th, 2007 affects only networks following the US time zones. See: Book: BigIron RX Series Configuration Guide.
  • Page 54 TABLE 11 Summary of enhancements in release 02.4.00 (Continued). Enhancement: New show OSPF neighbor by area command. Description: This feature allows OSPF to display the OSPF neighbors existing in a particular area. See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring OSPF Version 2 (IPv4)”...
  • Page 55 TABLE 11 Summary of enhancements in release 02.4.00 (Continued). Enhancement: Multicast Boundaries. Description: The Multicast Boundary feature is designed to selectively allow or disallow multicast flows to configured interfaces. See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring IP Multicast Protocols”...
  • Page 56 TABLE 11 Summary of enhancements in release 02.4.00 (Continued). Enhancement: ACL-Based Mirroring. Description: With this release, the Multi-Service IronWare software supports using an ACL to select traffic for mirroring from one port to another. See: Book: BigIron RX Series Configuration Guide; Chapter: “Access Control List”...
  • Page 57: Enhancements In Patch Release 02.3.00A

    Enhancements in patch release 02.3.00a TABLE 12 Summary of enhancements in patch release 02.3.00a. Enhancement: Transparent Port Flooding. Description: When the Transparent Port Flooding feature is enabled for a port, all MAC learning will be disabled for that port. See: Book: BigIron RX Series Configuration Guide.
  • Page 58: Enhancements In Release 02.3.00

    Enhancements in release 02.3.00 System enhancements TABLE 13 System enhancements. Enhancement: New Hardware Support. Description: The following new hardware is supported with the 02.3.00 software release for the BigIron RX: 10G-XFP-CX4 - part number 10G-XFP-CX4, A new XFP Module is available for use in the BigIron RX Series and 10G Interface Modules with the following capabilities: •... See: Book: Brocade BigIron RX Series Installation Guide.
  • Page 59 TABLE 13 System enhancements (Continued). Enhancement: Enhanced Digital Optical Monitoring. Description: You can configure the BigIron RX to monitor XFPs and SFPs in the system either globally or by specified port. See: Book: Brocade BigIron RX Series Installation Guide; Chapter: Connecting a BigIron RX Series Switch to a Network Device; Section: Enhanced Digital...
  • Page 60 Layer 3 enhancements TABLE 15 Layer 3 enhancements. Enhancement: OSPF NBMA. Description: You can configure an interface to send OSPF unicast packets rather than broadcast packets to its neighbor by configuring non-broadcast multi-access (NBMA) networks. See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring...
  • Page 61 TABLE 15 Layer 3 enhancements (Continued). Enhancement: Default Originate Route for BGP. Description: In this release, if a default route is not present in the IP routing table, the user can configure a major route to be used for forwarding packets to... See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring...
  • Page 62 TABLE 16 IP multicast enhancements (Continued). Enhancement: MSDP Mesh Groups. Description: This release supports Multicast Source Discovery Protocol (MSDP) Mesh Groups. This feature allows you to connect several RPs to each other which reduces the forwarding of... See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring IP Multicast Protocols”...
  • Page 63: Network Management

    TABLE 17 IP service, security, and Layer 4 enhancements (Continued). Enhancement: Port Security MAC Violation Limit. Description: This feature provides protection against physical link instability. It allows a user to configure it to keep a port in a down state in cases where the port has experienced some... See: Book: BigIron RX Series Configuration Guide; Chapter: “Using the MAC Port Security Feature and...
  • Page 64 Layer 2 enhancements TABLE 20 Layer 2 enhancements. Enhancement: VLAN Byte Accounting. Description: With this release, you can configure a VLAN to account for the number of bytes received by all the member ports. See: Book: BigIron RX Series Configuration Guide.
  • Page 65 TABLE 21 Layer 3 enhancements (Continued). Enhancement: OSPF point-to-point. Description: OSPF point-to-point eliminates the need for Designated and Backup Designated routers, allowing for faster convergence of the network. See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring OSPF Version 2 (IPv4)”; Section: “OSPF point-to-point links”...
  • Page 66 TABLE 23 Security enhancements (Continued). Enhancement: Port Security MAC Deny. Description: With this release, you can configure deny mac addresses on a global level or on a per port level. See: Book: BigIron RX Series Configuration Guide; Chapter: “Using the MAC Port Security Feature and Transparent Port Flooding”...
  • Page 67: Enhancements In Release 02.2.00G

    TABLE 23 Security enhancements (Continued). Enhancement: Port Security Enhancements. Description: You can specify how many packets from denied MAC addresses can be received on a port in a one-second interval before the BigIron RX shuts the port down. See: Book: BigIron RX Series Configuration Guide; Chapter: “Using the MAC Port Security Feature and Transparent Port Flooding”...
  • Page 68 Enhancements in release 02.2.00 TABLE 26 Summary of enhancements in 02.2.00. Enhancement: Quality of Service (QoS) Support. Description: QoS support on the BigIron RX is different than for the BigIron MG8. See: Book: BigIron RX Series Configuration Guide; Chapter: “Configuring Quality of Service”...
  • Page 69: Document Conventions

    Document conventions This section describes text formatting conventions and important notice formats used in this document. Text formatting The narrative-text formatting conventions that are used are as follows: bold text Identifies command names Identifies the names of user-manipulated GUI elements Identifies keywords Identifies text to enter at the GUI or CLI italic text...
  • Page 70: Notice To The Reader

    CAUTION A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data. DANGER A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
  • Page 71: Web Access

    Web access The Knowledge Portal (KP) contains the latest version of this guide and other user guides for the product. You can also report errors on the KP. Log in to my.Brocade.com, click the Product Documentation tab, then click on the link to the Knowledge Portal (KP).
  • Page 73: Getting Started With The Command Line Interface

    Chapter Getting Started with the Command Line Interface In this chapter • Logging on through the CLI ........1 •...
  • Page 74: On-Line Help

    Logging on through the CLI On-line help To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed.
  • Page 75: Line Editing Commands

    EXEC commands Line editing commands The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command. TABLE 27 CLI line-editing commands Ctrl-key combination...
  • Page 76: Global Level

    CONFIG commands You reach this level by entering enable [<password>] or enable <username> <password> at the User EXEC level. BigIron RX>enable BigIron RX>enable user1 mypassword After entering the enable command, you see the following prompt: BigIron RX#. The prompt indicates that you are at the Privileged EXEC level. When you are at the Privileged EXEC level, you can enter commands that are available at that level.
  • Page 77 CONFIG commands Trunk level The trunk level allows you to change parameters for statically-configured trunk groups. You reach this level by entering a trunk command with the appropriate port parameters. Router RIP level The RIP level allows you to configure parameters for the RIP routing protocol. You reach this level by entering the router rip command at the global CONFIG level.
  • Page 78 CONFIG commands Route Map level The Route Map level allows you to configure parameters for a BGP4 route map. You reach this level by entering the route-map <name> command at the global CONFIG level. Router VRRP level The VRRP level allows you to configure parameters for the Virtual Router Redundancy Protocol (VRRP).
  • Page 79: Accessing The Cli

    Accessing the CLI MAC port security level The MAC port security level allows you to configure the port security feature. You reach this level by entering the global-port-security command at the Global or Interface levels. Accessing the CLI The CLI can be accessed through both serial and Telnet connections.
  • Page 80: Navigating Among Command Levels

    Accessing the CLI. Prompts and their command levels: BigIron RX> (User Level EXEC Command); BigIron RX# (Privileged Level EXEC Command); BigIron RX(config)# (Global Level CONFIG Command); BigIron RX(config-if-e10000-5/1)# (Interface Level CONFIG Command); BigIron RX(config-lbif-1)# (Loopback Interface CONFIG Command); BigIron RX(config-ve-1)# (Virtual Interface CONFIG Command); BigIron RX(config-trunk-4/1-4/8)# (Trunk group CONFIG Command); BigIron RX(config-if-e10000-tunnel)# (IP Tunnel Level CONFIG Command); BigIron RX(config-bgp-router)# (BGP Level CONFIG Command); BigIron RX(config-dvmrp-router)# (DVMRP Level CONFIG Command)...
  • Page 81: Searching And Filtering Output

    Searching and filtering output Optional fields When two or more options are separated by a vertical bar, “|”, you must enter one of the options as part of the command. Syntax: priority normal | high For example, the "normal | high" entry in the Syntax above means that priority can be either priority normal or priority high.
  • Page 82 Searching and filtering output Displaying lines containing a specified string The following command filters the output of the show interface command for port 3/11 so it displays only lines containing the word “Internet”. This command can be used to display the IP address of the interface.
  • Page 83 Searching and filtering output BigIron RX# ? append Append one file to another attrib Change file attribute boot Boot system from bootp/tftp server/flash image Change current working directory chdir Change current working directory clear Clear table/statistics/keys clock Set clock configure Enter configuration mode copy Copy between flash, tftp, config/code...
  • Page 84: Using Special Characters In Regular Expressions

    Searching and filtering output --More--, next page: Space, next line: Return key, quit: Control-c -telnet The filtered results are displayed. filtering... sync-standby Sync active flash (pri/sec/mon/startup config/lp images) to standby if different terminal Change terminal settings traceroute TraceRoute to IP node undelete Recover deleted file whois...
  • Page 85: Allowable Characters For Lag Names

    Searching and filtering output TABLE 28 Special characters for regular expressions (Continued) Character Operation A dollar sign matches on the end of an input string. For example, the following regular expression matches output that ends with “deg”: deg$ An underscore matches on one or more of the following: •...
  • Page 86: Syntax Shortcuts

    Searching and filtering output • All digits • Any of the following special characters are valid: ... & Syntax shortcuts A command or parameter can be abbreviated as long as enough text is entered to distinguish it from other commands at that level.
  • Page 87: Getting Familiar With The Bigiron Rx Series Switch Management Applications

    Chapter Getting Familiar With the BigIron RX Series Switch Management Applications How to manage BigIron RX Series switch This chapter describes the different applications you can use to manage the BigIron RX Series Switch. The BigIron RX Series Switch supports the same management applications as other Brocade devices.
  • Page 88: On-Line Help

    Logging on through the CLI On-line help To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed.
  • Page 89: Searching And Filtering Output From Cli Commands

    Logging on through the CLI TABLE 29 CLI line editing commands Ctrl-key combination Description Ctrl-A Moves to the first character on the command line. Ctrl-B Moves the cursor back one character. Ctrl-C Escapes and terminates command prompts and ongoing tasks (such as lengthy displays), and displays a fresh command prompt.
  • Page 90 Logging on through the CLI NOTE The regular expression specified as the search string is case sensitive. In the example above, a search string of “Internet” would match the line containing the IP address, but a search string of “internet” would not. Displaying lines that do not contain a specified string The following command filters the output of the show who command so it displays only lines that do not contain the word “closed”.
  • Page 91 Logging on through the CLI BigIron RX# ? append Append one file to another attrib Change file attribute boot Boot system from bootp/tftp server/flash image Change current working directory chdir Change current working directory clear Clear table/statistics/keys clock Set clock configure Enter configuration mode copy...
  • Page 92 Logging on through the CLI --More--, next page: Space, next line: Return key, quit: Control-c -telnet The filtered results are displayed: filtering... sync-standby Sync active flash (pri/sec/mon/startup config/lp images) to standby if different terminal Change terminal settings traceroute TraceRoute to IP node undelete Recover deleted file whois...
  • Page 93: Allowable Characters For Lag Names

    Logging on through the CLI TABLE 30 Special characters for regular expressions (Continued) Character Operation An underscore matches on one or more of the following: • , (comma) • { (left curly brace) • } (right curly brace) • ( (left parenthesis) •...
  • Page 94: Logging On Through The Web Management Interface

    Logging on through the Web Management Interface ... & Logging on through the Web Management Interface To use the Web Management Interface, open a Web browser and enter the IP address of a BigIron RX Series Switch’s management port in the Location or Address field.
  • Page 95: Web Management Interface

    Logging on through the Web Management Interface FIGURE 2 Web Management Interface login dialog box The login username and password you enter depends on whether your device is configured with AAA authentication for SNMP. If AAA authentication for SNMP is not configured, you can use the user name “get”...
  • Page 96: Logging On Through Ironview Network Manager

    Logging on through IronView Network Manager Refer to the IronView Network Management User’s Guide for information about using IronView Network Manager.
  • Page 97: Using A Redundant Management Module

    Chapter Using a Redundant Management Module How management module redundancy works You can install a redundant management module in slot M1 or M2 of the BigIron RX Series chassis. By default, the system considers the module installed in slot M1 to be the active management module and the module installed in slot M2 to be the redundant or standby module.
  • Page 98: Management Module Switchover

    How management module redundancy works The interface modules are not reset, as they are with the previous cold-restart redundancy feature. The interface modules continue to forward traffic while the standby management module takes over operation of the system. The new now-active management module receives updates from the interface modules and sends verification information to the interface modules to ensure that they are synchronized.
  • Page 99: Switchover Implications

    How management module redundancy works • The active management module’s flash memory. • A PCMCIA flash card inserted in one of the PCMCIA slots in the active management module’s front panel. After the replacement module boots, the active module compares the standby module’s flash code and system-config file to its own.
  • Page 100 How management module redundancy works Syslog and SNMP traps When a switchover occurs, the BigIron RX system sends a Syslog message to the local Syslog buffer and also to the Syslog server, if you have configured the system to use one. In addition, if you have configured an SNMP trap receiver, the system sends an SNMP trap to the receiver.
  • Page 101: Management Module Redundancy Configuration

    Management module redundancy configuration Configuring management module redundancy consists of performing one optional task (changing the default active chassis slot). This section explains how to perform this task. Changing the default active chassis slot By default, the BigIron RX Series system considers the module installed in slot M1 to be the active management module.
  • Page 102 Managing management module redundancy During startup or switchover, the active module compares the standby module’s flash code to its own. If differences exist, the active module synchronizes the standby module’s flash code with its own. If you update the flash code on the active module, the active module automatically synchronizes (without comparison) the standby module’s flash code with its own.
  • Page 103 Managing management module redundancy FIGURE 4 Active and standby management module file synchronization Synchronized at startup Automatically synchronized Not synchronized or switchover at regular, user-configurable intervals Also can be immediately synchronized using the CLI Also can be immediately synchronized using the CLI Startup-config also automatically updated with write memory...
  • Page 104: Manually Switching Over To The Standby Management

    Managing management module redundancy To compare and immediately synchronize files between the active and standby modules if differences exist, enter the following command at the Privileged EXEC level of the CLI. BigIron RX# sync-standby Syntax: sync-standby Synchronizing files without comparison You can synchronize the flash code, system-config file, and running-config file immediately without comparison.
  • Page 105: Monitoring Management Module Redundancy

    Monitoring management module redundancy BigIron RX# boot system flash primary Syntax: boot system bootp | [flash primary | flash secondary] | slot <number> <filename> | tftp <ip-address> <filename> The flash primary keyword specifies the primary RX Series IronWare image in the management module’s flash memory, while the flash secondary keyword specifies the secondary RX Series IronWare image in the flash memory.
  • Page 106: Displaying Temperature Information

    Monitoring management module redundancy Software To display the status of the management modules, enter the following command at any CLI level. BigIron RX# show module Module Status Ports Starting MAC M1 (upper): BigIron BI-RX Management Module Active M2 (lower): BigIron BI-RX Management Module Standby (Ready) Syntax: show module The Status column indicates the module status.
  • Page 107 Monitoring management module redundancy To view the redundancy parameter settings and statistics, enter the following command at any level of the CLI. BigIron RX# show redundancy === MP Redundancy Settings === Default Active Slot = 17 Running-Config Sync Period = 7 seconds === MP Redundancy Statistics === Current Active Session: Active Slot = 9,Standby Slot = 10 (Ready State),Switchover Cause = No Switchover...
  • Page 108: Flash Memory And Pcmcia Flash Card File Management

    Flash memory and PCMCIA flash card file management commands BigIron RX# show log Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns) Buffer logging: level ACDMEINW, 24 messages logged level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning Static Log Buffer: Sep 28 11:31:25:A:Power Supply 1, 1st left, not installed Sep 28 11:31:25:A:Power Supply 3, middle left, not installed...
  • Page 109: Management Focus

    Flash memory and PCMCIA flash card file management commands • Create a subdirectory. • Remove a subdirectory. • Rename a file. • Change the read-write attribute of a file. • Delete a file. • Recover or “undelete” a file. • Append one file to another (join two files).
  • Page 110: Flash Memory File System

    Flash memory and PCMCIA flash card file management commands For example, if you want to display a directory of files in flash memory and flash memory has the current management focus, you do not need to specify the flash keyword. However, if you want to display a directory of files for slot 1 and flash memory has the current focus, you must specify the slot1 keyword.
  • Page 111: Pcmcia Flash Card File System

    Flash memory and PCMCIA flash card file management commands PCMCIA flash card file system The PCMCIA flash card file system is hierarchical, which means that it supports subdirectories. Therefore, you can create or delete subdirectories in this file system using the md or mkdir and rd or rmdir commands, respectively.
  • Page 112: Wildcards

    Flash memory and PCMCIA flash card file management commands • & You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: “a long subdirectory name”.
  • Page 113: Determining The Current Management Focus

    Flash memory and PCMCIA flash card file management commands 2048 bytes in each allocation unit. 39458 allocation units available on card. Syntax: format slot1 | slot2 The slot1 | slot2 keyword specifies the PCMCIA slot that contains the flash card you are formatting. Determining the current management focus For conceptual information about management focus, refer to “Management focus”...
  • Page 114: Displaying A Directory Of The Files

    Flash memory and PCMCIA flash card file management commands For the <directory-pathname> parameter for both cd and chdir commands, you can specify /slot1 or /slot2 to switch the focus to slot 1 or slot 2, respectively. Specify /flash to switch the focus to flash memory.
  • Page 115 Flash memory and PCMCIA flash card file management commands BigIron RX# dir Directory of /flash/ 07/28/2003 15:57:45 3,077,697 1060.tmp 07/28/2003 15:56:10 3,077,697 14082.tmp 07/28/2003 16:00:08 3,077,697 2084.tmp 07/25/2003 18:00:23 292,701 boot 00/00/0 00:00:00 12 boot.ini 07/28/2003 14:40:19 840,007 lp-primary-0 07/28/2003 15:18:18 840,007 lp-secondary-0 07/28/2003 09:56:16 391,524 monitor...
  • Page 116: Displaying The Contents Of A File

    Flash memory and PCMCIA flash card file management commands BigIron RX# dir /slot2/ Directory of /slot2/ 08/01/2003 18:25:28 3,092,508 PRIMARY 08/01/2003 18:28:06 3,092,508 primary.1234 08/01/2003 18:28:24 389,696 MONITOR 08/01/2003 18:28:30 389,696 MONITOR1 08/01/2003 18:28:01 389,696 MONITOR2 08/01/2003 18:28:03 389,696 MONITOR3 08/01/2003 18:29:04 389,696 MONITOR4 08/01/2003 18:29:12...
  • Page 117: Displaying The Hexadecimal Output Of A File

    Flash memory and PCMCIA flash card file management commands For example, to display the contents of a file in flash memory, if flash memory has the current management focus, enter a command such as the following. BigIron RX# more cfg.cfg Syntax: more [/<directory>/]<file-name>...
  • Page 118 Flash memory and PCMCIA flash card file management commands The software attempts to create a subdirectory in the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to create a subdirectory in a file system that does not currently have management focus.
  • Page 119: Removing A Subdirectory

    Flash memory and PCMCIA flash card file management commands The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using uppercase letters. To verify successful creation of the subdirectory, enter a command such as the following to change to the new subdirectory level.
  • Page 120: Renaming A File

    Flash memory and PCMCIA flash card file management commands Renaming a file You can rename a file in the management module’s flash memory or on a flash card inserted in the management module’s slot 1 or slot 2 using the rename or mv command. The software attempts to rename the file in the file system that has the current management focus.
  • Page 121: Deleting A File

    Flash memory and PCMCIA flash card file management commands For example, to change the attribute of a file in slot2 to read-only, if flash memory has the management focus, enter a command such as the following. BigIron RX# attrib slot2 ro goodcfg.cfg Syntax: attrib [slot1 | slot2] ro | rw <file-name>...
  • Page 122: Recovering ("Undeleting") A File

    Flash memory and PCMCIA flash card file management commands For example, to delete all files with names that start with “test” from flash memory, if flash memory has the current management focus, enter a command such as the following. BigIron RX# delete test*.* For example, to delete all files on the flash card in slot 2, if flash memory has the current management focus, you can enter one of the following commands.
  • Page 123: Appending A File To Another File

    Flash memory and PCMCIA flash card file management commands Appending a file to another file You can append a file in flash memory or on a flash card to the end of another file in one of these file systems. The software attempts to append one file to another in the file system that has the current management focus.
  • Page 124 Flash memory and PCMCIA flash card file management commands NOTE The copy options require you to explicitly specify the flash card. Therefore, you can perform a copy regardless of the flash card that currently has the management focus. Copying files from one flash card to the other To copy a file from one flash card to the other, enter the following command.
  • Page 125 Flash memory and PCMCIA flash card file management commands Specify the optional standby keyword to copy the RX Series IronWare image from the secondary location in the active management module’s flash memory to the primary location in the standby module’s flash memory. To copy the RX Series IronWare image from the primary location in the active management module’s flash memory to the secondary location in the active module’s flash memory, enter the following command.
  • Page 126 Flash memory and PCMCIA flash card file management commands The command in this example copies a file from slot 1 to a TFTP server. In this case, the software uses the same name for the source file and for the destination file. Optionally, you can specify a different file name for the destination file.
  • Page 127: Copying Files Using The Cp Command

    Flash memory and PCMCIA flash card file management commands To copy a startup-config file from a TFTP server to flash memory, enter a command such as the following. BigIron RX# copy tftp startup-config 10.10.10.1 test.cfg Syntax: copy tftp startup-config <ip-addr> [/<from-dir-path>]<from-name> Copying the running-config to a flash card or a TFTP server Use the following method to copy the BigIron RX Series Switch’s running-config to a flash card or a TFTP server.
  • Page 128: Loading The Software

    Flash memory and PCMCIA flash card file management commands • Copy files from flash memory to flash memory. • Copy files from flash memory to a flash card or vice versa. • Copy files from one flash card to another flash card. The software attempts to copy a file in a file system to another location in the file system that has the current management focus.
  • Page 129 Flash memory and PCMCIA flash card file management commands Rebooting from the system To use another source instead of the RX Series IronWare image in the primary location in flash memory for one reboot, enter a command such as the following at the Privileged EXEC level of the CLI.
  • Page 130: Saving Configuration Changes

    Flash memory and PCMCIA flash card file management commands Syntax: boot system slot1 <file-name> | slot2 <file-name> | flash secondary | tftp <ip-address> <file-name> | bootp NOTE The command syntax is the same for immediately reloading and for changing the primary source, except the <file-name>...
  • Page 131: File Management Messages

    System Monitoring Service Specify the <dir-path-name> parameter if you want to save the configuration changes to a directory other than the root directory of a flash card file system. The <file-name> parameter indicates the name of the saved configuration file. To change the save location back to flash memory, enter a command such as the following.
  • Page 132 System Monitoring Service • The DRAM CRC detection feature has two methods to detect errors; an interrupt routine is used to detect these errors quickly then triggers a shutdown of the failed Traffic Manager (TM). Long term polling detects low rate CRC errors which will be repothe egress port. This process generates a Syslog message.
  • Page 133 System Monitoring Service TABLE 34 Syslog messages generated by SYSMON. Columns: Syslog message examples; Event; Description. Row 1: "Sep 13 15:01:29:E:System: ALARM: Read-Write Test Error: SNM4/FE1 Reg 0x14, Read 0x48000000 != Written 0x0"; FE Switch fabric element read/write error; A failure has occurred on the specified switch fabric module. Row 2: "Sep 13 15:01:29:E:System: ALARM: TM ingress DRAM CRC error"; A failure was detected on the ingress DRAM.
  • Page 134 System Monitoring Service BigIron RX Series Configuration Guide 53-1001986-01...
  • Page 135: Securing Access To Management Functions

    Chapter Securing Access to Management Functions Securing access methods This chapter explains how to secure access to management functions on the device. NOTE For the device, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication. The following table lists the management access methods available on the device, how they are secured by default, and the ways in which they can be secured.
  • Page 136 Securing access methods TABLE 35 Ways to secure management access to the device (Continued). Columns: Access method; How the access method is secured by default; Ways to secure the access method; See page. Row: Secure Shell (SSH) access; Not configured; Configure SSH, page 905; Regulate SSH access using ACLs, page 66...
  • Page 137: Restricting Remote Access To Management Functions

    Restricting remote access to management functions Restricting remote access to management functions You can restrict access to management functions from remote sources, including Telnet, the Web management interface, and SNMP. The following methods for restricting remote access are supported: • Using ACLs to restrict Telnet, Web management interface, or SNMP access •...
  • Page 138 Restricting remote access to management functions To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL. For example: BigIron RX(config)# access-list 10 permit host 209.157.22.32 BigIron RX(config)# access-list 10 permit 209.157.23.0 0.0.0.255 BigIron RX(config)# access-list 10 permit 209.157.24.0 0.0.0.255 BigIron RX(config)# access-list 10 permit 209.157.25.0/24 BigIron RX(config)# telnet access-group 10...
  • Page 139 Restricting remote access to management functions These commands configure ACL 12, then apply the ACL as the access list for Web management access. The device denies Web management access from the IP addresses listed in ACL 12 and permits Web management access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny Web management access from all IP addresses.
  • Page 140: Restricting Remote Access To The Device To Specific

    Restricting remote access to management functions BigIron RX(config)# vlan 3 by port BigIron RX(config-vlan-3)# untagged ethe 3/1 to 3/5 BigIron RX(config-vlan-3)# router-interface ve 3 BigIron RX(config-vlan-3)# exit BigIron RX(config)# interface ve 3 BigIron RX(config-ve-1)# ip address 10.10.11.1 255.255.255.0 BigIron RX(config-ve-1)# exit BigIron RX(config)# access-list 10 permit host 10.10.11.254 BigIron RX(config)# access-list 10 permit host 192.168.2.254 BigIron RX(config)# access-list 10 permit host 192.168.12.254...
  • Page 141: Specifying The Maximum Number Of Login Attempts For Telnet Access

    Restricting remote access to management functions BigIron RX(config)# ip ssh client 209.157.22.39 Syntax: [no] ip ssh client <ip-addr> Restricting Web Management access to a specific IP address To allow Web Management access to the device only to the host with IP address 209.157.22.26, enter the following command.
  • Page 142 Restricting remote access to management functions • Web management access • SNMP access • TFTP access By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given access method based on VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN.
  • Page 143: Disabling Specific Access Methods

    Restricting remote access to management functions The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
  • Page 144: Setting Passwords

    Setting passwords Disabling Web management access by HP ProCurve Manager By default, TCP port 80 is enabled on the Brocade device. TCP port 80 (HTTP) allows access to the device’s Web management interface. By default, TCP port 280 for HP Top Tools is disabled. This tool allows access to the device by HP ProCurve Manager.
  • Page 145: Setting Passwords For Management Privilege Levels

    Setting passwords To set the password “letmein” for Telnet access to the CLI, enter the following command at the global CONFIG level. BigIron RX(config)# enable telnet password letmein Syntax: [no] enable telnet password <string> Suppressing Telnet connection rejection messages By default, if a device denies Telnet management access to the device, the software sends a message to the denied Telnet client.
  • Page 146 Setting passwords 3. Enter the following command to set the Super User level password. BigIron RX(config)# enable super-user-password <text> NOTE You must set the Super User level password before you can set other types of passwords. The Super User level password can be an alphanumeric string, but cannot begin with a number. 4.
  • Page 147: Recovering From A Lost Password

    Setting passwords The <cli-level> parameter specifies the CLI level and can be one of the following values: • exec – EXEC level; for example, BigIron RX> or BigIron RX# • configure – CONFIG level; for example, BigIron RX (config)# • interface – Interface level; for example, BigIron RX (config-if-e10000-6)# •...
  • Page 148: Disabling Password Encryption

    Setting up local user accounts BigIron RX(config)# enable password-display BigIron RX(config)# show snmp server The enable password-display command enables display of the community string, but only in the output of the show snmp server command. Display of the string is still encrypted in the startup configuration file and running configuration.
  • Page 149: Configuring A Local User Account

    Setting up local user accounts If you configure local user accounts, you also need to configure an authentication-method list for Telnet access, Web management access, and SNMP access. Refer to “Configuring authentication-method lists” on page 113. For each local user account, you specify a user name which can have up to 255 characters. You also can specify the following parameters: •...
  • Page 150 Setting up local user accounts NOTE You must be logged on with Super User access (privilege level 0) to add user accounts or configure other access parameters. To display user account information, enter the following command. BigIron RX(config)# show users Syntax: show users Changing local user passwords This section shows how to change the password for an existing local user account.
  • Page 151: Username, Password And Login Rules

    Setting up local user accounts 3. User account information is listed in a table. Click on the Delete button next to the user account whose password you wish to change. 4. Click on Add User Account. 5. Enter the user name in the Username field. The name cannot contain blanks. 6.
  • Page 152: Configuring The Strict Password Feature

    Setting up local user accounts • At least two upper case characters • At least two lower case characters • At least two numeric characters • At least two special characters NOTE Password minimum and combination requirements are strictly enforced. Configuring the strict password feature Use the enable strict-password-enforcement command to enable the password security feature.
  • Page 153 Setting up local user accounts Requiring users to accept the message of the day If a message of the day (MOTD) is configured, a user can be required to press the "Enter" key before he or she can login. To enable this requirement, enter the command as shown. BigIron RX(config)# banner motd require-enter-key Syntax: [no] banner motd require-enter-key Locking out user accounts after three login attempts...
  • Page 154: Configuring Ssl Security For The Web Management Interface

    Configuring SSL security for the Web Management Interface BigIron RX(config)# user sandy enable NetIron(config)# show user Username Password Encrypt Priv Status Expire Time ============================================================================== sandy $1$Gz...uX/$wQ44fVGtsqbKWkQknzAZ6. enabled enabled 90 days Syntax: [no] username <name> enable Creating an encrypted all-numeric password To create a password that is made up of all numeric values, use the command "username <user-string>...
  • Page 155: Enabling The Ssl Server On The Device

    Configuring SSL security for the Web Management Interface Enabling the SSL server on the device To enable the SSL server on the device, enter the following command. BigIron RX(config)# web-management https Syntax: [no] web-management http | https You can enable either the HTTP or HTTPs servers with this command. You can disable both the HTTP and HTTPs servers by entering the following command.
  • Page 156: Generating An Ssl Certificate

    Configuring TACACS and TACACS+ security Generating an SSL certificate If you did not already import a digital certificate from a client, the device can create a default certificate. To do this, enter the following command. BigIron RX(config)# crypto-ssl certificate generate Syntax: [no] crypto-ssl certificate generate Deleting the SSL certificate To delete the SSL certificate, enter the following command.
  • Page 157: Tacacs And Tacacs+ Authentication, Authorization, And Accounting

    Configuring TACACS and TACACS+ security TACACS and TACACS+ authentication, authorization, and accounting When you configure a device to use a TACACS and TACACS+ server for authentication, the device prompts users who are trying to access the CLI for a user name and password, then verifies the password with the TACACS and TACACS+ server.
  • Page 158 Configuring TACACS and TACACS+ security 5. The user is prompted for a password. 6. The user enters a password. The device sends the password to the TACACS+ server. 8. The password is validated in the TACACS+ server’s database. 9. If the password is valid, the user is authenticated. TACACS+ authorization The device supports two kinds of TACACS+ authorization: •...
  • Page 159 Configuring TACACS and TACACS+ security 5. The TACACS+ accounting server records information about the event. 6. When the event is concluded, the device sends an Accounting Stop packet to the TACACS+ accounting server. The TACACS+ accounting server acknowledges the Accounting Stop packet. AAA operations for TACACS and TACACS+ The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a device that has TACACS and TACACS+ security...
  • Page 160: Tacacs And Tacacs+ Configuration Considerations

    Configuring TACACS and TACACS+ security Columns: User action; Applicable AAA operations. Row: User enters the command: [no] aaa accounting system default start-stop <method-list>; Command authorization (TACACS+): aaa authorization commands <privilege-level> default <method-list>; Command accounting (TACACS+): aaa accounting commands <privilege-level> default start-stop <method-list>; System accounting start (TACACS+): aaa accounting system default start-stop <method-list>...
  • Page 161: Enabling Snmp To Configure Tacacs And Tacacs

    Configuring TACACS and TACACS+ security 3. Configure authentication-method lists. Refer to “Configuring authentication-method lists for TACACS and TACACS+” on page 92. TACACS+ configuration procedure For TACACS+ configurations, use the following procedure. 1. Enable TACACS; refer to “Enabling SNMP to configure TACACS and TACACS” on page 89. 2.
  • Page 162: Specifying Different Servers For Individual Aaa Functions

    Configuring TACACS and TACACS+ security If you add multiple TACACS and TACACS+ authentication servers to the device, the device tries to reach them in the order you add them. For example, if you add three servers in the following order, the software tries the servers in the same order.
  • Page 163 Configuring TACACS and TACACS+ security • Retransmit interval – This parameter specifies how many times the Brocade device will resend an authentication request when the TACACS and TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times. •...
  • Page 164: Configuring Authentication-Method Lists For Tacacs

    Configuring TACACS and TACACS+ security Setting the dead time parameter The dead-time parameter specifies how long the device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 –...
  • Page 165 Configuring TACACS and TACACS+ security The command above causes TACACS and TACACS+ to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If TACACS and TACACS+ authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used;...
  • Page 166: Configuring Tacacs+ Authorization

    Configuring TACACS and TACACS+ security Configuring TACACS+ authorization The device supports TACACS+ authorization for controlling access to management functions in the CLI. Two kinds of TACACS+ authorization are supported: • Exec authorization determines a user’s privilege level when they are authenticated •...
  • Page 167 Configuring TACACS and TACACS+ security service = exec { foundry-privlvl = 0 In this example, the A-V pair grants the user full read-write access. The foundry-privlvl = 0 value in the foundry-privlvl A-V pair is an integer that indicates the privilege level of the user. Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level.
  • Page 168 Configuring TACACS and TACACS+ security If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5 (read-only) is used. Configuring command authorization When TACACS+ command authorization is enabled, the BigIron RX consults a TACACS+ server to get authorization for commands entered by the user.
  • Page 169: Configuring Tacacs+ Accounting

    Configuring TACACS and TACACS+ security Configuring TACACS+ accounting The device supports TACACS+ accounting for recording information about user activity and system events. When you configure TACACS+ accounting on a device, information is sent to a TACACS+ accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
  • Page 170: Configuring An Interface As The Source For All Tacacs And Tacacs+ Packets

    Configuring TACACS and TACACS+ security Configuring an interface as the source for all TACACS and TACACS+ packets You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all TACACS and TACACS+ packets from the device.
  • Page 171 Configuring TACACS and TACACS+ security BigIron RX# show aaa Tacacs+ key: brocade Tacacs+ retries: 1 Tacacs+ timeout: 15 seconds Tacacs+ dead-time: 3 minutes Tacacs+ Server: 207.95.6.90 Port:49: opens=6 closes=3 timeouts=3 errors=0 packets in=4 packets out=4 no connection Radius key: networks Radius retries: 3 Radius timeout: 3 seconds Radius dead-time: 3 minutes...
  • Page 172: Configuring Radius Security

    Configuring RADIUS security Configuring RADIUS security You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the device: • Telnet access • SSH access • Web management access • Access to the Privileged EXEC level and CONFIG levels of the CLI NOTE The BigIron RX does not support RADIUS security for SNMP (IronView Network Manager) access.
  • Page 173: Radius Authorization

    Configuring RADIUS security • A list of commands • Whether the user is allowed or denied usage of the commands in the list The last two attributes are used with RADIUS authorization, if configured. 9. The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on the BigIron RX.
  • Page 174 Configuring RADIUS security AAA operations for RADIUS The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a BigIron RX that has RADIUS security configured. Columns: User action; Applicable AAA operations. Row: User attempts to gain access to the Privileged EXEC and CONFIG levels of the...; Enable authentication:
  • Page 175: Radius Configuration Considerations

    Configuring RADIUS security AAA security for commands pasted into the running configuration If AAA security is enabled on the device, commands pasted into the running configuration are subject to the same AAA operations as if they were entered manually. When you paste commands into the running configuration, and AAA command authorization or accounting is configured on the device, AAA operations are performed on the pasted commands.
  • Page 176: Configuring Brocade-Specific Attributes On The Radius Server

    Configuring RADIUS security Configuring Brocade-specific attributes on the RADIUS server NOTE For the BigIron RX, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the device, authenticating the user.
  • Page 177: Enabling Snmp To Configure Radius

    Configuring RADIUS security TABLE 38 Brocade vendor-specific attributes for RADIUS (Continued). Columns: Attribute name; Attribute ID; Data type; Description. Row: brocade-command-string; (ID not shown); string; Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured. The commands are delimited by semi-colons (;).
  • Page 178: Specifying Different Servers For Individual Aaa Functions

    Configuring RADIUS security Specifying different servers for individual AAA functions In a RADIUS configuration, you can designate a server to handle a specific AAA task. For example, you can designate one RADIUS server to handle authorization and another RADIUS server to handle accounting.
  • Page 179: Configuring Authentication-Method Lists For Radius

    Configuring RADIUS security NOTE Encryption of the RADIUS keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility. Setting the retransmission limit The retransmit parameter specifies the maximum number of retransmission attempts. When an authentication request times out, the Brocade software will retransmit the request up to the maximum number of retransmissions configured.
  • Page 180: Configuring Radius Authorization

    Configuring RADIUS security BigIron RX(config)# aaa authentication enable default radius local none The command above causes RADIUS to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead.
  • Page 181 Configuring RADIUS security Configuring Exec authorization NOTE Before you configure RADIUS exec authorization on the BigIron RX, make sure that the aaa authentication enable default radius command or the aaa authentication login privilege-mode command exist in the configuration. When RADIUS exec authorization is performed, the BigIron RX consults a RADIUS server to determine the privilege level of the authenticated user.
  • Page 182: Configuring Radius Accounting

    Configuring RADIUS security NOTE RADIUS command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console. No authorization is performed for commands entered at the Web Management Interface or IronView Network Manager. NOTE Since RADIUS command authorization relies on the command list supplied by the RADIUS server during authentication, you cannot perform RADIUS authorization without RADIUS authentication.
  • Page 183: Configuring An Interface As The Source For All Radius

    Configuring RADIUS security Configuring RADIUS accounting for CLI commands You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the BigIron RX to perform RADIUS accounting for the commands available at the Super User privilege level (that is; all commands on the device), enter the following command.
  • Page 184: Displaying Radius Configuration Information

    Configuring RADIUS security • If you specify a loopback interface as the single source for RADIUS packets, RADIUS servers can receive the packets regardless of the states of individual links. Thus, if a link to the RADIUS server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
  • Page 185: Configuring Authentication-Method Lists

    Configuring authentication-method lists TABLE 39 Output of the show aaa command for RADIUS. Columns: Field; Description. Row: Radius key; The setting configured with the radius-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (..) is displayed instead of the text.
  • Page 186: Configuration Considerations For Authentication

    Configuring authentication-method lists NOTE To authenticate Telnet access to the CLI, you also must enable the authentication by entering the enable telnet authentication command at the global CONFIG level of the CLI. You cannot enable Telnet authentication using the Web management interface. NOTE You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses.
  • Page 187: Examples Of Authentication-Method Lists

    Configuring authentication-method lists • If you configure an authentication-method list for Web management access and specify “local” as the primary authentication method, users who attempt to access the device using the Web management interface must supply a user name and password configured in one of the local user accounts on the device.
  • Page 188 Configuring authentication-method lists NOTE If you configure authentication for Web management access, authentication is performed each time a page is requested from the server. When frames are enabled on the Web management interface, the browser sends an HTTP request for each frame. The Brocade device authenticates each HTTP request from the browser.
  • Page 189: Configuring Basic Parameters

    Chapter Configuring Basic Parameters This chapter describes how to configure basic system parameters. The software comes with default parameters to allow you to begin using the basic features of the system immediately. However, many advanced features, such as VLANs or routing protocols for the router, must first be enabled at the system (global) level before they can be configured.
  • Page 190: Configuring Simple Network Management Protocol Traps

    Configuring Simple Network Management Protocol traps Configuring Simple Network Management Protocol traps This section explains how to do the following: • Specify an SNMP trap receiver. • Specify a source address and community string for all traps that the device sends. •...
  • Page 191: Specifying A Single Trap Source

    Configuring Simple Network Management Protocol traps The port <value> parameter specifies the UDP port that will be used to receive traps. This parameter allows you to configure several trap receivers in a system. With this parameter, IronView Network Manager and another network management application can coexist in the same system. The device can be configured to send copies of traps to more than one network management application.
  • Page 192: Disabling Snmp Traps

    Configuring Simple Network Management Protocol traps You can change the holddown time to a value from one second to ten minutes. To change the holddown time for SNMP traps, enter a command such as the following at the global CONFIG level of the CLI. BigIron RX(config)# snmp-server enable traps holddown-time 30 The command changes the holddown time for SNMP traps to 30 seconds.
  • Page 193: Disabling Syslog Messages And Traps For Cli Access

    Configuring Simple Network Management Protocol traps Disabling Syslog messages and traps for CLI access The device sends Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI. The feature, enabled by default, applies to users whose access is authenticated by an authentication-method list based on a local user account, RADIUS server, or TACACS and TACACS+ server.
  • Page 194: Configuring An Interface As Source For All Telnet Packets

    Configuring an interface as source for all Telnet packets The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.
  • Page 195: Cancelling An Outbound Telnet Session

    Configuring an interface as the source for all TFTP packets BigIron RX(config)# interface ethernet 1/4 BigIron RX(config-if-e10000-1/4)# ip address 209.157.22.110/24 BigIron RX(config-if-e10000-1/4)# exit BigIron RX(config)# ip telnet source-interface ethernet 1/4 Cancelling an outbound Telnet session If you want to cancel a Telnet session from the console to a remote Telnet server (for example, if the connection is frozen), you can terminate the Telnet session by doing the following.
  • Page 196: Specifying A Simple Network Time Protocol (Sntp) Server

    Specifying a Simple Network Time Protocol (SNTP) server The commands in this example configure virtual interface 1, assign IP address 10.0.0.4/24 to the interface, then designate the interface's address as the source address for all Syslog packets. Syntax: [no] ip syslog source-interface ethernet [<slotnum>/]<portnum> | loopback <num> | ve <num>...
  • Page 197 Specifying a Simple Network Time Protocol (SNTP) server The following table describes the information displayed by the show sntp associations command. TABLE 41 Output from the show sntp associations command This field... Displays... (leading character) One or both of the following: Synchronized to this peer Peer is statically configured address...
  • Page 198: Setting The System Clock

    Setting the system clock Setting the system clock In addition to SNTP support, the device also allows you to set the system time counter. It starts the system time and date clock with the time and date you specify. The time counter setting is not retained across power cycles and is not automatically synchronized with an SNTP server.
  • Page 199: New Daylight Saving Time (Dst)

    Setting the system clock • GMT + 10:30 • GMT + 09:30 • GMT + 06:30 • GMT + 05:30 • GMT + 04:30 • GMT + 03:30 • GMT - 03:30 • GMT - 08:30 • GMT - 09:30 Beginning with the Multi-Service IronWare 02.8.01 release, you can now set the system time clock for countries like India that fall in the ½...
  • Page 200: Configuring Cli Banners

    Configuring CLI banners To verify the change, run a show clock command. BigIron RX(config)#show clock Syntax: show clock Refer to October 19, 2006 - Daylight Savings Time 2007 Advisory, posted on kp.foundrynet.com for more information. Configuring CLI banners The device can be configured to display a greeting message on users’ terminals when they enter the Privileged EXEC CLI level or access the device through Telnet.
  • Page 201: Setting A Privileged Exec Cli Level Banner

    Configuring CLI banners Setting a privileged EXEC CLI level banner You can configure the device to display a message when a user enters the Privileged EXEC CLI level. BigIron RX(config)# banner exec_mode # (Press Return) Enter TEXT message, End with the character '#'. You are entering Privileged EXEC level Don’t foul anything up! # As with the banner motd command, you begin and end the message with a delimiting character;...
  • Page 202: Configuring Terminal Display

    Configuring terminal display Configuring terminal display You can configure and display the number of lines displayed on a terminal screen during the current CLI session. The terminal length command allows you to determine how many lines will be displayed on the screen during the current CLI session.
  • Page 203: Displaying And Modifying System Parameter Default Settings

    Displaying and modifying system parameter default settings NOTE The following protocols require a system reset before the protocol will be active on the system: PIM, DVMRP, RIP, FSRP. To reset a system, enter the reload command at the privileged level of the CLI. To enable a protocol on a device, enter router at the global CONFIG level, followed by the protocol to be enabled.
  • Page 204 Displaying and modifying system parameter default settings BigIron RX# show default values telnet@ro(config)#show default values sys log buffers:50 mac age time:300 sec telnet sessions:5 ip arp age:10 min bootp relay max hops:4 ip ttl:64 hops ip addr per intf:24 when multicast enabled : igmp group memb.:140 sec igmp query:60 sec when ospf enabled :...
  • Page 205: Enabling Or Disabling Layer 2 Switching

    Enabling or disabling Layer 2 switching Information for the configurable tables appears under the columns shown in bold type. To simplify configuration, the command parameter you enter to configure the table is used for the table name. For example, to increase the capacity of the IP route table, enter the following commands. BigIron RX(config)# system-max ip-route 120000 BigIron RX(config)# write memory BigIron RX(config)# exit...
  • Page 206: Cam Partitioning For The Bigiron Rx

    CAM partitioning for the BigIron RX To globally disable Layer 2 switching on the device, enter commands such as the following. BigIron RX(config)# route-only BigIron RX(config)# exit BigIron RX# write memory BigIron RX# reload To re-enable Layer 2 switching globally, enter the following. BigIron RX(config)# no route-only BigIron RX(config)# exit BigIron RX# write memory...
  • Page 207: Nexthop Table

    CAM partitioning for the BigIron RX The total number of CAM entries available is 1024 for each packet processor. If you want to configure 600 for ACLs, 168 for PBR and Rate Limiters, and 256 for IPv6 multicast forwarding entries, enter commands such as the following. BigIron RX(config)#cam-partition rw session 768 BigIron RX(config)#cam-partition rw session rule-partition 600 If you want to configure 2 ACL entries and 2 IPv6 entries and 1020 Rate Limiting entries, enter a...
  • Page 208: Changing The Mac Age Time

    Changing the MAC age time As of release 02.4.00, the Nexthop table is user configurable. If the router is installed in a network where there are many directly connected hosts, then the size of the one-path partition should be increased. To configure the partition, use a command such as the following. BigIron RX(config)# cam-partition next-hop 2048 1024 512 512 The above command partitions the next-hop table into 2048 one-path, 1024 two-path, 512 four-path and 512 eight-path entries.
  • Page 209: Pinging An Ipv4 Address

    Pinging an IPv4 address Pinging an IPv4 address To verify that a Brocade device can reach another device through the network, enter a command such as the following at any level of the CLI on the Brocade device: BigIron RX> ping 192.33.4.7 Syntax: ping <ip addr>...
  • Page 210 Pinging an IPv4 address U = Indicates that a destination unreachable error PDU was received. I = Indicates that the user interrupted ping. NOTE The number of ! characters displayed may not correspond to the number of successful replies by the ping command.
  • Page 211: Configuring Interface Parameters

    Chapter Configuring Interface Parameters Assigning a port name NOTE To modify Layer 2, Layer 3, or Layer 4 features on a port, refer to the appropriate section in this chapter or other chapters. For example, to modify Spanning Tree Protocol (STP) parameters for a port, refer to “Changing STP port parameters”...
  • Page 212: Speed/Duplex Negotiation

    Speed/Duplex negotiation Speed/Duplex negotiation Speed/Duplex Negotiation detects the speed (10 Mbps, 100 Mbps, 1000 Mbps) and duplex (half-duplex or full-duplex) settings of the device on the other end of the wire and subsequently adjusts to match those settings. Each of the 10/100/1000BaseTX ports is designed to auto-sense and auto-negotiate the speed and mode of the connected device.
  • Page 213: Disabling Or Re-Enabling A Port

    Disabling or re-enabling a port BigIron RX(config)#interface ethernet 2/4 BigIron RX(config-if-e10000-2/4)#speed-duplex 1000-slave Syntax: [no] speed-duplex {auto |1000-master |1000-slave |1000-full | 100-full | 100-half | 10-full | 10-half} auto - Autonegotiation 1000-master - Forces 1000 Mbps master port 1000-slave - Forces 1000 Mbps slave port 1000-full - Forces 1000 Mbps full-duplex operation 1000-half - Forces 100 Mbps half-duplex operation 100-full - Forces 100 Mbps full-duplex operation...
  • Page 214: Changing The Negotiation Mode

    Disabling or re-enabling flow control • auto-gig – The port tries to perform a negotiation with its peer port to exchange capability information. This is the default state. • neg-off – The port does not try to perform a negotiation with its peer port. Unless the ports at both ends of a Gigabit Ethernet link use the same mode (either auto-gig or neg-off), the ports cannot establish a link.
  • Page 215: Locking A Port To Restrict Addresses

    Locking a port to restrict addresses NOTE To use this feature, 802.3x flow control must be enabled globally on the device. By default, 802.3x flow control is enabled on the device, but can be disabled with the no flow-control command. To specify threshold values for flow control, enter the following command.
  • Page 216: Port Transition Hold Timer

    Port transition hold timer Port transition hold timer Using the delay-link-event command will delay the sending of port "up" or "down" events to Layer 2 protocols. While link down events are reported immediately in syslog, their effect on higher level protocols such as OSPF is delayed according to how the delay-link-event is configured.
  • Page 217: Modifying Port Priority (Qos)

    Modifying port priority (QoS) Configuring port flap dampening on an interface This feature is configured at the interface level. BigIron RX(config)# interface ethernet 2 BigIron RX(config-if-e100-2)# link-error-disable 10 3 10 Syntax: [no] link-error-disable <toggle-threshold> <sampling-time-in-sec> <wait-time-in-sec> The <toggle-threshold> is the number of times a port’s link state goes from up to down and down to up before the wait period is activated.
  • Page 218: Assigning A Mirror Port And Monitor Ports

    Assigning a mirror port and monitor ports Assigning a mirror port and monitor ports You can monitor traffic on Brocade ports by configuring another port to “mirror” the traffic on the ports you want to monitor. By attaching a protocol analyzer to the mirror port, you can observe the traffic on the monitored ports.
  • Page 219: Monitoring An Individual Trunk Port

    Monitoring an individual trunk port The following example configures two mirror ports on the same module and one mirror port on another module. It will illustrate how inbound traffic is mirrored to the two mirror ports on the same module even if the traffic is configured to be mirrored to only one mirror port on the module. BigIron RX(config)# mirror-port ethernet 1/1 BigIron RX(config)# mirror-port ethernet 1/2 BigIron RX(config)# mirror-port ethernet 2/1...
  • Page 220: Mirror Ports For Policy-Based Routing (Pbr) Traffic

    Mirror ports for Policy-Based Routing (PBR) traffic BigIron RX(config)# mirror ethernet 2/1 BigIron RX(config)# trunk switch ethernet 4/1 to 4/8 BigIron RX(config-trunk-4/1-4/8)# config-trunk-ind BigIron RX(config-trunk-4/1-4/8)# monitor ethe-port-monitored 4/5 ethernet 2/1 in Syntax: [no] config-trunk-ind Syntax: [no] monitor ethe-port-monitored <portnum> | named-port-monitored <portname> ethernet <slot>/<portnum>...
  • Page 221: Configuring Mirror Ports For Pbr Traffic

    Displaying mirror and monitor port configuration Configuring mirror ports for PBR traffic When you configure a physical or virtual port to act as a mirror port for PBR traffic, outgoing packets that match the permit Access Control List (ACL) clause in the route map are copied to the mirror ports that you specify.
  • Page 222: Enabling Wan Phy Mode Support

    Enabling WAN PHY mode support Syntax: show monitor config This output does not display the input traffic mirrored to mirror port 1/2 from port 3/1 and mirrored to mirror port 1/1 from port 4/1 because the mirroring of this traffic is not explicitly configured.
  • Page 223: Configuring Ip

    Chapter Configuring IP Overview of configuring IP The Internet Protocol (IP) is enabled by default. This chapter describes how to configure IP parameters on the device. The IP packet flow Figure 5 shows how an IP packet moves through a device. FIGURE 5 IP Packet flow through a device Static ARP...
  • Page 224: Arp Cache Table

    The IP packet flow 1. When the device receives an IP packet, the device checks for IP ACL filters on the receiving interface. If a deny filter on the interface denies the packet, the device discards the packet and performs no further processing. If logging is enabled for the filter, then the device generates a Syslog entry and SNMP trap message.
  • Page 225: Ip Route Table

    The IP packet flow The software places an entry from the static ARP table into the ARP cache when the entry’s interface comes up. Here is an example of a static ARP entry. Index IP Address MAC Address Port 207.95.6.111 0800.093b.d210 Each entry lists the information you specified when you created the entry.
  • Page 226: Ip Forwarding Cache

    Basic IP parameters and defaults To configure a static IP route, refer to “Configuring static routes” on page 197. To clear a route from the IP route table, refer to “Clearing IP routes” on page 229. To increase the size of the IP route table for learned and static routes, refer to “Displaying and modifying system parameter default settings”...
  • Page 227: When Parameter Changes Take Effect

    Basic IP parameters and defaults When parameter changes take effect Most IP parameters described in this chapter are dynamic. They take effect immediately, as soon as you enter the CLI command. You can verify that a dynamic change has taken effect by displaying the running configuration.
  • Page 228 Basic IP parameters and defaults TABLE 43 IP global parameters (Continued) Parameter: ARP rate limiting. Description: Lets you specify a maximum number of ARP packets the device will accept each second. If the device receives more ARP packets than you specify, the device drops additional ARP packets for the remainder of the one-second interval. Default: Disabled. See page 186.
  • Page 229 Basic IP parameters and defaults TABLE 43 IP global parameters (Continued) Parameter: ICMP Router Discovery Protocol (IRDP). Description: An IP protocol a router can use to advertise the IP addresses of its router interfaces to directly attached hosts. You can enable or disable the protocol, and change the following protocol parameters:... Default: Disabled. See page 212.
  • Page 230: Ip Interface Parameters

    Basic IP parameters and defaults TABLE 43 IP global parameters (Continued) Parameter: Static route. Description: An IP route you place in the IP route table. Default: No entries. See page 197. Parameter: Source interface. Description: The IP address the router uses as the source address for Telnet, RADIUS, or TACACS and TACACS+ packets originated by the router. Default: The lowest-numbered IP... See page 181.
  • Page 231: Configuring Ip Parameters

    Configuring IP parameters TABLE 44 IP interface parameters (Continued) Parameter: DHCP gateway stamp. Description: The router can assist DHCP/BootP Discovery packets from one subnet to reach DHCP/BootP servers on a different subnet by placing the IP address of the router interface that receives the... Default: The lowest-numbered IP address on the interface that receives the request. See page 218.
  • Page 232 Configuring IP parameters NOTE Once you configure a virtual routing interface on a VLAN, you cannot configure Layer 3 interface parameters on individual ports in the VLAN. Instead, you must configure the parameters on the virtual routing interface itself. Also, once an IP address is configured on an interface, the hardware is programmed to route all IP packets that are received on the interface.
  • Page 233 Configuring IP parameters Assigning an IP address to a loopback interface Loopback interfaces are always up, regardless of the states of physical interfaces. They can add stability to the network because they are not subject to route flap problems that can occur due to unstable links between a device and other devices.
  • Page 234: Changing The Network Mask Display To Prefix Format

    Configuring IP parameters Syntax: interface ve <num> The <num> parameter specifies the virtual interface number. You can specify from 1 to the maximum number of virtual interfaces supported on the device. To display the maximum number of virtual interfaces supported on the device, enter the show default values command. The maximum is listed in the System Parameters section, in the Current column of the virtual-interface row.
  • Page 235: Gre Ip Tunnel

    Configuring IP parameters GRE IP tunnel The BigIron RX allows the tunneling of packets of the following protocols over an IP network using the Generic Router Encapsulation (GRE) mechanism as described in RFC 2784: • OSPF • • IS-IS point-to-point Using this feature, packets of these protocols can be encapsulated inside a transport protocol packet at a tunnel source and delivered to a tunnel destination where it is unpacked and made available for delivery.
  • Page 236: Configuring A Tunnel Interface

    Configuring IP parameters • GRE Encapsulation • Loopback address for the Tunnel (required for de-encapsulation) • IP address for the Tunnel NOTE Sustained rates of small packet sizes may affect the ability of a 10 gigabit Ethernet port to maintain line rate GRE encapsulation and de-encapsulation performance.
  • Page 237 Configuring IP parameters Configuring a loopback port for a tunnel interface On the device, a loopback port is required for de-encapsulating a packet exiting the tunnel. Fiber-optic components must be present on the interface module for the loopback port to work. Therefore, consider the following configuration rules for a loopback port: •...
  • Page 238 Configuring IP parameters FIGURE 7 GRE IP tunnel configuration example [figure labels: BigIron RX A, port3/1, 36.0.8.108, 10.10.1.0/24, 10.10.3.1, Internet, 10.10.3.0, 10.10.3.2, 10.10.2.0/24, port5/1, 131.108.5.2, BigIron RX B] Configuration example for BigIron RX A BigIron RX (config)# interface ethernet 3/1 BigIron RX (config-if-e1000-3/1)# ip address 36.0.8.108/24 BigIron RX (config)# exit BigIron RX (config)# interface tunnel 1 BigIron RX(config-tnif-1)# tunnel loopback 4/1...
  • Page 239 Configuring IP parameters Syntax: show ip interface tunnel <tunnel-no> This display shows the following information. TABLE 45 CLI display of interface IP configuration information This field... Displays... Interface The tunnel and tunnel number. The IP address of the tunnel interface. IP-Address Whether the IP address has been configured on the tunnel interface.
  • Page 240: Ipv6 Over Ipv4 Tunnels In Hardware

    Configuring IP parameters IPv6 over IPv4 tunnels in hardware To enable communication between the isolated IPv6 domains using the IPv4 infrastructure, you can configure IPv6 over IPv4 tunnels. Brocade supports the following IPv6 over IPv4 tunneling mechanisms in hardware: • Manually configured tunnels In general, a manually configured tunnel establishes a permanent link between routers in IPv6 domains.
  • Page 241 Configuring IP parameters BigIron RX(config)# interface tunnel 1 BigIron RX(config-tnif-1)#tunnel source ethernet 3/1 BigIron RX(config-tnif-1)#tunnel destination 198.162.100.1 BigIron RX(config-tnif-1)#tunnel mode ipv6ip BigIron RX(config-tnif-1)#ipv6 address 2001:b78:384d:34::/64 eui-64 This example creates tunnel interface 1 and assigns a global IPv6 address with an automatically computed EUI-64 interface ID to it.
  • Page 242 Configuring IP parameters BigIron RX# show ipv6 tunnel IP6 Tunnels Tunnel Mode Packet Received Packet Sent configured configured 22419 Syntax: show ipv6 tunnel This display shows the following information. TABLE 46 IPv6 tunnel information This field... Displays... Tunnel The tunnel interface number. Mode The tunnel mode.
  • Page 243 Configuring IP parameters TABLE 47 IPv6 tunnel interface information (Continued) This field... Displays... Tunnel source The tunnel source can be one of the following: • An IPv4 address • The IPv4 address associated with an interface or port. Tunnel destination The tunnel destination can be an IPv4 address.
  • Page 244: Configuring Domain Name Server (Dns) Resolver

    Configuring IP parameters Configuring Domain Name Server (DNS) resolver The DNS resolver lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a device and thereby recognize all hosts within that domain. After you define a domain name, the device automatically appends the appropriate domain to the host and forwards it to the domain name server.
  • Page 245: Adding Host Names To The Dns Cache Table

    Configuring IP parameters Use the no form of the command to remove a domain name from the domain-list. Displaying the domain name list To determine what domain names have been configured in the domain list, enter the following command. BigIron RX(config)#show ip dns domain-list Total number of entries : 3 Primary Domain Name: Domain Name List:...
  • Page 246 Configuring IP parameters Static cache entries You can manually add entries to the DNS cache table if you know a host’s complete, qualified name and its IP address. To add host names and their IP addresses to the DNS cache table, enter commands such as the following.
  • Page 247 Configuring IP parameters TABLE 48 The show ip dns cache-table output This field... Displays... Host The complete, qualified domain name of the host. Flag Indicates if the entry is dynamic or static and if the information for the domain is up to date: •...
  • Page 248 Configuring IP parameters Syntax: show ip dns server-list Debugging the DNS feature To debug the DNS feature enter the following command. BigIron RX#debug ip dns IP: dns debugging is on Syntax: debug ip dns Using a DNS name to initiate a trace route Suppose you want to trace the route from a device to a remote server identified as NYC02 on domain newyork.com.
  • Page 249: Configuring Packet Parameters

    Configuring packet parameters Type Control-c to abort Sending DNS Query to 209.157.22.199 Tracing Route to IP node 209.157.22.80 To ABORT Trace Route, Please use stop-traceroute command. Traced route to target IP node 209.157.22.80: IP Address Round Trip Time1 Round Trip Time2 207.95.6.30 93 msec 121 msec...
  • Page 250: Setting Maximum Frame Size Per Ppcr

    Configuring packet parameters The control portions of these packets differ slightly. All IP devices on an Ethernet network must use the same format. The device uses Ethernet II by default. You can change the IP encapsulation to Ethernet SNAP on individual ports if needed. NOTE All devices connected to the device port must use the same encapsulation type.
  • Page 251: Changing The Mtu

    Configuring packet parameters To configure the untagged max-frame-size on a VLAN, enter a command such as the following at the Interface Configuration level. BigIron RX(config-vlan-20)# BigIron RX(config-vlan-20)#max-frame-size 5000 Please reload system! BigIron RX(config-vlan-20)# Syntax: max-frame-size <bytes> The <bytes> variable specifies the maximum frame size for each port that is connected to the same PPCR as described in Table 49.
  • Page 252: Changing The Router Id

    Changing the router ID Globally changing the IP MTU To globally enable jumbo support on all ports, enter commands such as the following. BigIron RX(config)# ip mtu 5000 BigIron RX(config)# write memory Syntax: [no] ip mtu <bytes> The <bytes> parameter specifies the maximum number of bytes an Ethernet frame can have in order to be forwarded on a port.
  • Page 253: Specifying A Single Source Interface For Telnet, Tacacs, Tacacs+, Or Radius Packets

    Specifying a single source interface for Telnet, TACACS, TACACS+, or RADIUS packets NOTE If you change the router ID, all current BGP4 sessions are cleared. By default, the router ID on a device is one of the following: • If the router has loopback interfaces, the default router ID is the IP address configured on the lowest numbered loopback interface configured on the device.
  • Page 254 Specifying a single source interface for Telnet, TACACS, TACACS+, or RADIUS packets • If you specify a loopback interface as the single source for Telnet, TACACS, TACACS+, or RADIUS packets, servers can receive the packets regardless of the states of individual links. Thus, if a link to the server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
  • Page 255: Configuring An Interface As The Source For Syslog Packets

    Configuring an interface as the source for Syslog packets RADIUS packets To specify the lowest-numbered IP address configured on a virtual interface as the device’s source for all RADIUS packets, enter commands such as the following. BigIron RX(config)# int ve 1 BigIron RX(config-vif-1)# ip address 10.0.0.3/24 BigIron RX(config-vif-1)# exit BigIron RX(config)# ip radius source-interface ve 1...
  • Page 256: Ip Fragmentation Protection

    Configuring an interface as the source for Syslog packets IP fragmentation protection Beginning with this release, IP packet filters on the device switches will drop undersized fragments and overlapping packet fragments to prevent tiny fragment attacks as explained in RFC 1858. When packets are fragmented on the network, the first fragment of a packet must be large enough to contain all the necessary header information.
  • Page 257: Configuring Arp Parameters

    Configuring ARP parameters Displaying IP receive access list To determine if an IP receive access list has been configured on the device, enter the following command. BigIron RX# show access-list bindings L4 configuration: ip receive access-list 101 Configuring ARP parameters Address Resolution Protocol (ARP) is a standard IP protocol that enables the device to obtain the MAC address of another device’s interface when the device knows the IP address of the interface.
  • Page 258: Rate Limiting Arp Packets

    Configuring ARP parameters • If the ARP cache does not contain an entry for the destination IP address, the device broadcasts an ARP request out all its IP interfaces. The ARP request contains the IP address of the destination. If the device with the IP address is directly attached to the device, the device sends an ARP response containing its MAC address.
  • Page 259: Applying A Rate Limit To Arp Packets On An Interface

    Configuring ARP parameters Applying a rate limit to ARP packets on an interface To prevent the CPU from becoming flooded by ARP packets in a busy network, you can restrict the number of ARP packets an interface will accept each second. When an ARP rate limit is configured on an interface, the interface accepts up to the maximum number of packets you specify, but drops additional ARP packets received during the one-second interval.
  • Page 260: Clearing The Rate Limit For Arp Packets

    Configuring ARP parameters LP-1#show ip traffic arp ARP Statistics 1400 total recv, 1400 req recv, 0 req sent 0 pending drop, 0 invalid source, 0 invalid dest ARP Rate Limiting Statistics Interface Received Processed Dropped(Rate-limted) ethernet1/1 184200 183500 ethernet1/2 ethernet1/3 ethernet1/4 184200 183500...
  • Page 261 Configuring ARP parameters Enabling proxy ARP Proxy ARP allows the device to answer ARP requests from devices on one network on behalf of devices in another network. Since ARP requests are MAC-layer broadcasts, they reach only the devices that are directly connected to the sender of the ARP request. Thus, ARP requests do not cross routers.
  • Page 262: Creating A Floating Static Arp Entry

    Configuring ARP parameters The <mac-addr> parameter specifies the MAC address of the entry. The ethernet <slot/port> command specifies the port number attached to the device that has the MAC address of the entry. The arp command allows you to specify only one port number. To create a static ARP entry for a static MAC entry that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static MAC entry.
  • Page 263: Static Route Arp Validation Check

    Configuring ARP parameters When an ARP entry is deleted from the ARP Inspection table, the corresponding entry in the static ARP table will also be deleted. To create a floating static ARP entry for a static MAC entry, enter a command such as the following. BigIron RX(config)# arp 192.53.4.2 1245.7654.2348 The command adds a floating static ARP entry that maps IP address 192.53.4.2 to MAC address 1245.7654.2348.
  • Page 264: Configuring Forwarding Parameters

    Configuring forwarding parameters Displaying the routes waiting for the next hop ARP to resolve Use the following command to display which routes are waiting for the nexthop ARP to be resolved. BigIron RX# show ip static route IP Static Routing Table - 2 entries: Type Codes: '*' - Installed, '+' - Waiting for ARP resolution IP Prefix Next Hop...
  • Page 265: Enabling Forwarding Of Directed Broadcasts

    Configuring forwarding parameters To modify the TTL threshold to 25, enter the following commands. BigIron RX(config)# ip ttl 25 Syntax: ip ttl <1-255> Enabling forwarding of directed broadcasts A directed broadcast is an IP broadcast to all devices within a single directly-attached network or subnet.
  • Page 266: Disabling Icmp Messages

    Configuring forwarding parameters • Loose source routing – requires that the packet pass through all of the listed routers but also allows the packet to travel through other routers, which are not listed in the packet. The device forwards both types of source-routed packets by default. You cannot enable or disable strict or loose source routing separately.
  • Page 267: Disabling Replies To Broadcast Ping Requests

    Configuring forwarding parameters • Destination Unreachable messages – If the device receives an IP packet that it cannot deliver to its destination, the device discards the packet and sends a message back to the device that sent the packet. The message informs the device that the destination cannot be reached by the device.
  • Page 268: Disabling Icmp Redirect Messages

    Configuring forwarding parameters Syntax: [no] ip icmp unreachable [network | host | protocol | administration | fragmentation-needed | port | source-route-fail] • If you enter the command without specifying a message type (as in the example above), all types of ICMP Unreachable messages listed above are disabled. If you want to disable only specific types of ICMP Unreachable messages, you can specify the message type.
  • Page 269: Configuring Static Routes

    Configuring forwarding parameters BigIron RX(config)# int e 3/11 BigIron RX(config-if-e100-3/11)# no ip redirect Syntax: [no] ip redirect Configuring static routes The IP route table can receive routes from the following sources: • Directly-connected networks – When you add an IP interface, the device automatically creates a route for the network the interface is in.
  • Page 270 Configuring forwarding parameters • A “null” interface. The device drops traffic forwarded to the null interface. The following parameters are optional: • The route’s metric – The value the device uses when comparing this route to other routes in the IP route table to the same destination. The metric applies only to routes that the device has already placed in the IP route table.
  • Page 271 Configuring forwarding parameters FIGURE 10 Example of a static route (figure: Router A and Router B, with interface addresses 207.95.6.157/24, 207.95.6.188/24, 207.95.7.7/24 on e 1/2, and 207.95.7.69/24) The following command configures a static route to 207.95.7.0, using 207.95.6.157 as the next-hop gateway. BigIron RX(config)# ip route 207.95.7.0/24 207.95.6.157 When you configure a static IP route, you specify the destination address for the route and the next-hop gateway or device interface through which the device can reach the route.
  • Page 272 Configuring forwarding parameters The <dest-ip-addr> is the route’s destination. The <dest-mask> is the network mask for the route’s destination IP address. Alternatively, you can specify the network mask information by entering / followed by the number of bits in the network mask. For example, you can enter 192.0.0.0 255.255.255.0 as 192.0.0.0/.24.
  • Page 273: Static Route Tagging

    Configuring forwarding parameters To display the maximum value for your device, enter the show default values command. The maximum number of static IP routes the system can hold is listed in the ip-static-route row in the System Parameters section of the display. To change the maximum value, use the system-max ip-static-route <num>...
  • Page 274 Configuring forwarding parameters To add a tag value to a static route, enter commands such as the following: BigIron RX(config)#ip route 192.122.12.1 255.255.255.0 192.122.1.1 tag 20 Syntax: ip route <dest-ip-addr> <dest-mask> | <dest-ip-addr>/<dest-mask> <next-hop-ip-address> tag <value> The <dest-ip-addr> is the route’s destination. The <dest-mask> is the network mask for the route’s destination IP address.
  • Page 275 Configuring forwarding parameters The following commands configure static IP routes to the same destination, but with different metrics. The route with the lowest metric is used by default. The other routes are backups in case the first route becomes unavailable. The device uses the route with the lowest metric if the route is available.
  • Page 276 Configuring forwarding parameters FIGURE 11 Standard and null static routes to the same destination network (figure: two static routes to 192.168.7.0/24, a standard static route through gateway 192.168.6.157 with metric 1 and a null route with metric 2; Router A and Router B with addresses 192.168.6.188/24, 192.168.6.157/24 and 192.168.7.7/24; when the standard static route is good, Router A uses that...)
  • Page 277 Configuring forwarding parameters FIGURE 12 Standard and interface routes to the same destination network (figure: two static routes to 192.168.7.0/24, an interface-based route through port 1/1 with metric 1 and a standard static route through gateway 192.168.8.11 with metric 3; Router A with addresses 192.168.6.188/24, Port1/1 192.168.6.69/24 and 192.168.8.12/24; when the route through interface 1/1 is available, Router A always...)
  • Page 278: Configuring A Default Network Route

    Configuring forwarding parameters Configuring a default network route The device enables you to specify a candidate default route without the need to specify the next hop gateway. If the IP route table does not contain an explicit default route (for example, 0.0.0.0/0) or propagate an explicit default route through routing protocols, the software can use the default network route as a default route instead.
  • Page 279: Configuring Ip Load Sharing

    Configuring forwarding parameters BigIron RX(config)# show ip route Total number of IP routes: 2 Start index: 1 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default Destination Gateway Port Cost Type 209.157.20.0 0.0.0.0 209.157.22.0 0.0.0.0 4/11 This example shows two routes. Both of the routes are directly attached, as indicated in the Type column.
  • Page 280 Configuring forwarding parameters Administrative distance The administrative distance is a unique value associated with each type (source) of IP route. Each path has an administrative distance. It is used when evaluating multiple equal-cost paths to the same destination from different sources, such as RIP, OSPF and so on, but not used when performing IP load sharing.
  • Page 281 Configuring forwarding parameters • OSPF – The Path Cost associated with the path. The paths can come from any combination of inter-area, intra-area, and external Link State Advertisements (LSAs). • BGP4 – The path’s Multi-Exit Discriminator (MED) value. NOTE If the path is redistributed between two or more of the above sources before entering the IP route table, the cost can increase during the redistribution due to settings in redistribution filters.
  • Page 282: Default Route Ecmp

    Configuring forwarding parameters Changing the maximum number of load sharing paths By default, IP load sharing allows IP traffic to be balanced across up to four equal paths. You can change the maximum number of paths that the device supports to a value of 2 – 8. For optimal results, set the maximum number of paths to a value equal to or greater than the maximum number of equal-cost paths that your network typically contains.
  • Page 283: Ip Receive Access List

    Configuring forwarding parameters Displaying the ECMP load sharing Use the show run command to display the ECMP load sharing. BigIron RX(config)#show run ========show run ===================== logging console hostname RW ip route 0.0.0.0/0 100.1.1.2 ip route 0.0.0.0/0 100.1.2.2 ip route 0.0.0.0/0 100.1.3.2 ip route 0.0.0.0/0 100.1.4.2 ip route 10.0.0.0/8 10.43.2.1 ip route 40.0.0.0/24 100.1.1.2...
  • Page 284: Configuring Irdp

    Configuring forwarding parameters BigIron RX(config)# ip receive access-list 10 Syntax: [no] ip receive access-list <num> Specify an access list number for <num>. The IP receive ACL is applied globally to all interfaces on the device. Displaying IP receive access list To determine if IP receive access list has been configured on the device, enter the following command.
  • Page 285: Enabling Irdp Globally

    Configuring forwarding parameters • Hold time – Each Router Advertisement message contains a hold time value. This value specifies the maximum amount of time the host should consider an advertisement to be valid until a newer advertisement arrives. When a new advertisement arrives, the hold time is reset. The hold time is always longer than the maximum advertisement interval.
  • Page 286: Configuring Udp Broadcast And Ip Helper Parameters

    Configuring forwarding parameters The maxadvertinterval parameter specifies the maximum amount of time the device waits between sending Router Advertisements. You can specify a value from 1 to the current value of the holdtime parameter. The default is 600 seconds. The minadvertinterval parameter specifies the minimum amount of time the device can wait between sending Router Advertisements.
  • Page 287 Configuring forwarding parameters NOTE As shown above, forwarding support for BootP/DHCP is enabled by default. If you are configuring the device to forward BootP/DHCP requests, refer to “Configuring BootP/DHCP forwarding parameters” on page 216. You can enable forwarding for other applications by specifying the application port number. You also can disable forwarding for an application.
  • Page 288: Configuring Bootp/Dhcp Forwarding Parameters

    Configuring forwarding parameters • tftp (port 69) In addition, you can specify any UDP application by using the application’s UDP port number. The <udp-port-num> parameter specifies the UDP application port number. If the application you want to enable is not listed above, enter the application port number. You also can list the port number for any of the applications listed above.
  • Page 289 Configuring forwarding parameters You can configure the device to forward BootP/DHCP requests. To do so, configure a helper address on the interface that receives the client requests, and specify the BootP/DHCP server’s IP address as the address you are helping the BootP/DHCP requests to reach. Instead of the server’s IP address, you can specify the subnet directed broadcast address of the IP subnet the server is in.
  • Page 290: Displaying Ip Information

    Displaying IP information BigIron RX(config)# int e 1/1 BigIron RX(config-if-e1000-1/1)# ip bootp-gateway 109.157.22.26 These commands change the CLI to the configuration level for port 1/1, then change the BootP/DHCP stamp address for requests received on port 1/1 to 192.157.22.26. The device will place this IP address in the Gateway Address field of BootP/DHCP requests that the device receives on port 1/1 and forwards to the BootP/DHCP server.
  • Page 291 Displaying IP information • OSPF information – refer to “Displaying OSPF information” on page 712. • BGP4 information – refer to “Displaying BGP4 information” on page 814. • DVMRP information – refer to “Displaying information about an upstream neighbor device” page 647 •...
  • Page 292 Displaying IP information TABLE 51 CLI display of global IP configuration information (Continued) This field... Displays... bootp-relay-max-hops The maximum number of hops away a BootP server can be located from the Brocade router and still be used by the router’s clients for network booting. To change this value, refer to “Changing the maximum number of hops to a BootP relay server”...
  • Page 293: Displaying Ip Interface Information

    Displaying IP information TABLE 51 CLI display of global IP configuration information (Continued) This field... Displays... Port The Layer 4 TCP or UDP port the policy checks for in packets. The port can be displayed by its number or, for port types the router recognizes, by the well-known name.
  • Page 294: Displaying Interface Name In Syslog

    Displaying IP information BigIron RX# show ip interface ethernet 1/1 Interface Ethernet 1/1 port state: UP ip address: 192.168.9.51 subnet mask: 255.255.255.0 encapsulation: ETHERNET, mtu: 1500, metric: 1 directed-broadcast-forwarding: disabled proxy-arp: disabled ip arp-age: 10 minutes Ip Flow switching is disabled No Helper Addresses are configured.
  • Page 295 Displaying IP information BigIron RX# show arp Total number of ARP entries: 5 IP Address MAC Address Type Port 207.95.6.102 0800.5afc.ea21 Dynamic 207.95.6.18 00a0.24d2.04ed Dynamic 207.95.6.54 00a0.24ab.cd2b Dynamic 207.95.6.101 0800.207c.a7fa Dynamic 207.95.6.211 00c0.2638.ac9c Dynamic Syntax: show arp [ethernet <slot/port> | mac-address <xxxx.xxxx.xxxx> [<mask>] | <ip-addr> [<ip-mask>]] [<num>] [| begin <expression>...
  • Page 296: Displaying The Forwarding Cache

    Displaying IP information TABLE 53 CLI display of ARP cache (Continued) This field... Displays... The number of minutes the entry has remained unused. If this value reaches the ARP aging period, the entry is removed from the table. To display the ARP aging period, refer to “Displaying global IP configuration information”...
  • Page 297 Displaying IP information BigIron RX> show ip cache Cache Entry Usage on LPs: Module Host Network Free Total 204788 204800 Syntax: show ip cache [<ip-addr>] [| begin <expression> | exclude <expression> | include <expression>] The <ip-addr> parameter displays the cache entry for the specified IP address. The show ip cache command shows the forwarding cache usage on each interface module CPU.
  • Page 298: Displaying The Ip Route Table

    Displaying IP information TABLE 55 CLI display of IP forwarding cache (Continued) This field... Displays... Type The type of host entry, which can be one or more of the following: • D – Dynamic • P – Permanent • F – Forward •...
  • Page 299 Displaying IP information The <num> option displays the route table entry whose row number corresponds to the number you specify. For example, if you want to display the tenth row in the table, enter “10”. The <ip-addr> parameter displays the route to the specified IP address. The <ip-mask>...
  • Page 300 Displaying IP information BigIron RX(config)# show ip route 209.159.0.0/16 longer Starting index: 1 B:BGP D:Directly-Connected R:RIP S:Static O:OSPF Destination NetMask Gateway Port Cost Type 52 209.159.38.0 255.255.255.0 207.95.6.101 1/1 1 S 53 209.159.39.0 255.255.255.0 207.95.6.101 1/1 1 S 54 209.159.40.0 255.255.255.0 207.95.6.101 1/1 1 S 55 209.159.41.0 255.255.255.0 207.95.6.101 1/1 1 S 56 209.159.42.0 255.255.255.0 207.95.6.101 1/1 1 S 57 209.159.43.0 255.255.255.0 207.95.6.101 1/1 1 S...
  • Page 301: Clearing Ip Routes

    Displaying IP information TABLE 56 CLI display of IP route table (Continued) This field... Displays... Type The route type, which can be one of the following: • B – The route was learned from BGP. • D – The destination is directly connected to this device. •...
  • Page 302 Displaying IP information BigIron RX> sh ip traffic IP Statistics 146806 total received, 72952 mp received, 6715542 sent, 0 forwarded 0 filtered, 0 fragmented, 0 bad header 0 failed reassembly, 0 reassembled, 0 reassembly required 0 no route, 0 unknown proto, 0 no buffer, 0 other errors, 0 rpf discard ARP Statistics 19022 total recv, 35761 req recv, 475 rep recv, 2803975 req sent, 1885 rep sent...
  • Page 303 Displaying IP information TABLE 57 CLI display of IP traffic statistics (Continued) This field... Displays... ICMP statistics The ICMP statistics are derived from RFC 792, “Internet Control Message Protocol”, RFC 950, “Internet Standard Subnetting Procedure”, and RFC 1256, “ICMP Router Discovery Messages”. Statistics are organized into Sent and Received.
  • Page 304: Displaying Tcp Traffic Statistics

    Displaying IP information TABLE 57 CLI display of IP traffic statistics (Continued) This field... Displays... input errors This information is used by Brocade customer support. in segments The number of TCP segments received by the device. out segments The number of TCP segments sent by the device. retransmission The number of segments that this device retransmitted because the retransmission timer for the segment had expired before the device at the...
  • Page 305 Displaying IP information This field... Displays... active opens Number of TCP connection requests from the local router, resulting in outbound TCP SYNC packets passive opens Number of TCP connection requests from remote routers or hosts, resulting in outbound TCP SYNC-ACK packets failed attempts Number of unsuccessful TCP connection requests from either local or remote active resets,...
  • Page 307: Link Aggregation

    Chapter Link Aggregation Link aggregation overview This chapter describes how to configure Link Aggregation Groups (LAG). Beginning with release 02.6.00 of the Multi-Service IronWare software, you can use a single interface to configure any of the following LAG types: • Static LAGs –...
  • Page 308 LAG formation rules • Any number or combination of ports between 1 and 8 within the same chassis can be used to configure a LAG. The maximum number of LAG ports is checked when adding ports to a LAG. • All ports configured in a LAG must be of equal bandwidth.
  • Page 309 LAG formation rules To change port parameters, you must change them on the primary port. The software automatically applies the changes to the other ports in the LAG. • Make sure the device on the other end of the trunk link can support the same number of ports in the link.
  • Page 310: Lag Load Sharing

    LAG load sharing FIGURE 15 Examples of multi-slot, multi-port LAG (figure: ports 1/1 through 1/8 and 2/1 through 2/8 paired across the two ends of the LAG) LAG load sharing...
  • Page 311: Migration From A Pre-02.6.00 Trunk Or Lacp Configuration

    Migration from a pre-02.6.00 trunk or LACP configuration • IPv4 TCP packets: source MAC address and destination MAC address, source IP address and destination IP address, and TCP source port and TCP destination port. • IPv4 UDP packets: source MAC address and destination MAC address, source IP address and destination IP address, and UDP source port and UDP destination port.
  • Page 312: Configuration Of A Lag

    Configuration of a LAG If the original mode is passive, the converted dynamic LAG will be configured as deploy passive. Otherwise active mode is the default. d. The timeout configuration set by the command link-aggregate configure timeout will be converted to the lacp-timeout command. e.
  • Page 313 Configuration of a LAG Syntax: [no] lag <lag-name> static | dynamic | keep-alive Refer to “Allowable characters for LAG names” on page 13 for guidelines on LAG naming conventions. The static option specifies that the LAG with the name specified by the <lag-name> variable will be configured as a static LAG.
  • Page 314 Configuration of a LAG Syntax: [no] primary port <slot/port> Once a primary port has been configured for a LAG, all configurations that apply to the primary port are applied to the other ports in the LAG. NOTE This configuration is only applicable for configuration of a static or dynamic LAGs. Specifying the trunk threshold for a trunk Group You can configure the BigIron RX switch to disable all of the ports in a trunk group when the number of active member ports drops below a specified threshold value.
  • Page 315: Deploying A Lag

    Deploying a LAG Configuring an LACP timeout In a dynamic or keep-alive LAG, a port's timeout can be configured as short or long. Once a port is configured with a timeout option, it will remain in that timeout mode whether it's up or down, or part of a trunk or not.
  • Page 316: Commands Available Under Lag Once It Is Deployed

    Deploying a LAG If the no deploy command is issued and more than 1 LAG port is not disabled the command is aborted and the following error message is displayed: “Error 2 or more ports in the LAG are not disabled, un-deploy this LAG may form a loop - aborted.”...
  • Page 317: Enabling Ports Within A Lag

    Deploying a LAG Use the named option with the appropriate [slot/port] variable to specify a named port within the LAG that you want to disable. Enabling ports within a LAG You can enable an individual port within a trunk using the enable command within the LAG configuration as shown in the following.
  • Page 318: Assigning A Name To A Port Within A Lag

    Deploying a LAG Assigning a name to a port within a LAG You can assign a name to an individual port within a LAG using the port-name command within the LAG configuration as shown in the following. BigIron RX(config)# lag blue static BigIron RX(config-lag-blue)# deploy BigIron RX(config-lag-blue)# port-name orange ethernet 3/1 Syntax: [no] port-name <text>...
  • Page 319: Displaying Lag Information

    Deploying a LAG Displaying LAG information You can display LAG information for a BigIron RX switch in either a full or brief mode. The examples below show both options of the show lag command. BigIron RX# show lag brief Total number of LAGs: Total number of deployed LAGs: 3 Total number of trunks created:3 (31 available) LACP System Priority / ID:...
  • Page 320 Deploying a LAG Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope] Syntax: show lag <lag-name> [brief] [deployed] [dynamic] [keep-alive] [static] Table 58 describes the information displayed by the show lag command. TABLE 58 Show LAG information This field... Displays... Total number of LAGS The total number of LAGs that have been configured on the switch.
  • Page 321 Deploying a LAG TABLE 58 Show LAG information (Continued) This field... Displays... Dupl The duplex state of the port, which can be one of the following: • Full • Half • None Speed The bandwidth of the interface. Trunk The Trunk ID of the port. Indicates whether the ports have 802.1q VLAN tagging.
  • Page 322: Displaying Lag Statistics

    Deploying a LAG TABLE 58 Show LAG information (Continued) This field... Displays... Indicates the synchronization state of the port. The state can be one of the following: • No – The port is out of sync with the remote port. The port does not understand the status of the LACPDU process and is not prepared to enter a trunk link.
  • Page 323 Deploying a LAG BigIron RX# show statistics brief lag Packets Collisions Errors [Receive Transmit] [Recv Txmit] [InErr OutErr] LAG d1 1173 1018 LAG e 1268 1277 BigIron RX# show statistics lag LAG d1 Counters: InOctets 127986 OutOctets 107753 InPkts 1149 OutPkts InBroadcastPkts OutBroadcastPkts...
  • Page 325: Configuring Lldp

    Chapter Configuring LLDP Terms used in this chapter Link Layer Discovery Protocol (LLDP) – The Layer 2 network discovery protocol described in the IEEE 802.1AB standard, Station and Media Access Control Connectivity Discovery. This protocol enables a station to advertise its capabilities to, and to discover, other LLDP-enabled stations in the same 802 LAN segments.
  • Page 326: Benefits Of Lldp

    LLDP overview FIGURE 16 LLDP Connectivity (figure: switches, an IP-PBX, an IP phone and a PC exchanging port and device information, each announcing its identity, for example “I’m a switch”, “I’m a PBX”, “I’m an IP Phone”, “I’m a PC”) Benefits of LLDP LLDP provides the following benefits:...
  • Page 327: General Operating Principles

    General operating principles General operating principles LLDP uses the services of the Data Link sublayers, Logical Link Control and Media Access Control, to transmit and receive information to and from other LLDP Agents (protocol entities that implement LLDP). LLDP is a one-way protocol. An LLDP agent can transmit and receive information to and from another LLDP agent located on an adjacent device, but it cannot solicit information from another LLDP agent, nor can it acknowledge information received from another LLDP agent.
  • Page 328: Tlv Support

    General operating principles FIGURE 17 LLDPDU packet format (figure: Chassis ID TLV, Port ID TLV, Time to Live TLV, optional TLVs, End of LLDPDU TLV; M = mandatory TLV, required for all LLDPDUs) Each LLDPDU consists of an untagged Ethernet header and a sequence of short, variable length information elements known as TLVs.
  • Page 329 General operating principles • 802.1 organizationally-specific TLVs Port VLAN ID VLAN name TLV • 802.3 organizationally-specific TLVs MAC/PHY configuration/status Link aggregation Maximum frame size Mandatory TLVs When an LLDP agent transmits LLDP packets to other agents in the same 802 LAN segments, the following mandatory TLVs are always included: •...
  • Page 330 General operating principles There are several ways in which a port may be identified, as shown in Table 60. A port ID subtype, included in the TLV, indicates how the port is being referenced in the Port ID field. TABLE 60 Port ID subtypes ID Subtype Description...
  • Page 331: Mib Support

    MIB support • If the TTL field value is zero, the receiving LLDP agent is notified that all system information associated with the LLDP agent or port is to be deleted. This TLV may be used, for example, to signal that the sending port has initiated a port shutdown procedure. The LLDPDU format is shown in “LLDPDU packet format”...
  • Page 332: Configuration Notes And Considerations

    Configuring LLDP TABLE 61 LLDP global configuration tasks and default behavior / value (Continued) Global task Default behavior / value when LLDP is enabled Enabling and disabling TLV advertisements When LLDP transmit is enabled, by default, the Brocade device will automatically advertise LLDP capabilities, except for the system description, VLAN name, and power-via-MDI information, which may be configured by the system administrator.
  • Page 333: Changing A Port's Lldp Operating Mode

    Configuring LLDP Changing a port’s LLDP operating mode LLDP packets are not exchanged until LLDP is enabled on a global basis. When LLDP is enabled on a global basis, by default, each port on the Brocade device will be capable of transmitting and receiving LLDP packets.
  • Page 334: Specifying The Maximum Number Of Lldp Neighbors

    Configuring LLDP Use the [no] form of the command to disable the receive only mode. You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
  • Page 335: Enabling Lldp Snmp Notifications And Syslog Messages

    Configuring LLDP where <value> is a number between 16 and 65536. The default number of LLDP neighbors per device is 392. Use the show lldp command to view the configuration. Per port You can change the maximum number of LLDP neighbors for which LLDP data will be retained for each port.
  • Page 336: Changing The Minimum Time Between Lldp Transmissions

    Configuring LLDP NOTE Because LLDP Syslog messages are rate limited, some LLDP information given by the system will not match the current LLDP statistics (as shown in the show lldp statistics command output). To change the minimum time interval between traps and Syslog messages, enter a command such as the following.
  • Page 337: Changing The Holdtime Multiplier For Transmit Ttl

    Configuring LLDP The above command causes the LLDP agent to transmit LLDP frames every 40 seconds. Syntax: [no] lldp transmit-interval <seconds> where <seconds> is a value from 5 to 32768. The default is 30 seconds. NOTE Setting the transmit interval or transmit holdtime multiplier to inappropriate values can cause the LLDP agent to transmit LLDPDUs with TTL values that are excessively high.
  • Page 338: Lldp Tlvs Advertised By The Brocade Device

    Configuring LLDP Brocade LLDP TLVs advertised by the device When LLDP is enabled on a global basis, the Brocade device will automatically advertise the following information, except for the features noted: General system information: • Management address • Port description •...
  • Page 339 Configuring LLDP If no IP address is configured, the port’s current MAC address will be advertised. The management address will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info). Management address (IPv4): 209.157.2.1 Port description The port description TLV identifies the port from which the LLDP agent transmitted the...
  • Page 340 Configuring LLDP Syntax: [no] lldp advertise system-capabilities ports ethernet <slotnum/portnum> | all You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
  • Page 341 Configuring LLDP FastIron(config)#no lldp advertise system-name ports e 2/4 to 2/12 The system name will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info). System name: “BigIron RX” Syntax: [no] lldp advertise system-name ports ethernet <slotnum/portnum>...
  • Page 342 Configuring LLDP The untagged VLAN ID will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info). Port VLAN ID: 99 Syntax: [no] lldp advertise port-vlan-id ports ethernet <slotnum/portnum> | all You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both.
  • Page 343 Configuring LLDP • Auto-negotiation capability and status • Speed and duplex mode • Flow control capabilities for auto-negotiation • Port speed down-shift and maximum port speed advertisement • If applicable, indicates if the above settings are the result of auto-negotiation during link initiation or of a manual set override action The advertisement reflects the effects of the following CLI commands: •...
  • Page 344: Displaying Lldp Statistics And Configuration Settings

    Configuring LLDP You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
  • Page 345: Lldp Statistics

    Configuring LLDP This field... Displays... LLDP reinitialize delay The minimum number of seconds the device will wait from when LLDP is disabled on a port, until a request to re-enable LLDP on that port will be honored. LLDP maximum The maximum number of LLDP neighbors for which LLDP data will be retained, per neighbors device.
  • Page 346: Lldp Neighbors

    Configuring LLDP This field... Displays... Last neighbor change The elapsed time (in hours, minutes, and seconds) since a neighbor last advertised time information. For example, the elapsed time since a neighbor was last added, deleted, or its advertised information changed. Neighbor entries added The number of new LLDP neighbors detected since the last reboot or since the last time the clear lldp statistics all command was issued.
  • Page 347: Lldp Neighbors Detail

    Configuring LLDP This field... Displays... Lcl Port The local LLDP port number. Chassis ID The identifier for the chassis. Brocade devices use the base MAC address of the device as the Chassis ID. Port ID The identifier for the port. Brocade devices use the permanent MAC address associated with the port as the port ID.
  • Page 348 Configuring LLDP FastIron#show lldp neighbors detail ports e 1/9 Local port: 1/9 Neighbor: 0800.0f18.cc03, TTL 101 seconds + Chassis ID (network address): 10.43.39.151 + Port ID (MAC address): 0800.0f18.cc03 + Time to live: 120 seconds + Port description : "LAN port" + System name : "regDN 1015,MITEL 5235 DM"...
  • Page 349: Lldp Configuration Details

    Resetting LLDP statistics LLDP configuration details The show lldp local-info command displays the local information advertisements (TLVs) that will be transmitted by the LLDP agent. NOTE The show lldp local-info output will vary based on LLDP configuration settings. The following shows an example report. BigIron RX#show lldp local-info ports ethernet 4/1 Local port: 4/1 + Chassis ID (MAC address): 000c.dbfa.f900...
  • Page 351: Configuring Uni-Directional Link Detection (Udld)

    Chapter Configuring Uni-Directional Link Detection (UDLD) This chapter describes configuring Uni-Directional Link Detection. Uni-Directional Link Detection (UDLD) monitors a link between two BigIron RX devices and provides fast detection of link failures. UDLD brings the ports on both ends of the link down if the link goes down at any point between the two devices.
  • Page 352: Configuration Considerations

    Configuration considerations • The feature is supported only on Ethernet ports. • To configure UDLD on a trunk group, you must configure the feature on each port of the group individually. Configuring UDLD on a trunk group’s primary port enables the feature on that port only.
  • Page 353: Displaying Udld Information

    Displaying UDLD information When UDLD is enabled on a port, UDLD starts sending keep-alive messages at a preconfigured interval. In the current implementation, if no keep-alive is received from the other end of the link after 3 retries, the port is set to logical link down. With the new design, after UDLD is enabled on a port, UDLD is kept in a newly created suspended state until it receives the first keep-alive message from the other end.
  • Page 354: Displaying Information For A Single Port

    Displaying UDLD information TABLE 62 CLI display of UDLD information This field... Displays... Total link-keepalive enabled ports The total number of ports on which UDLD is enabled. Keepalive Retries The number of times a port will attempt the health check before concluding that the link is down.
  • Page 355 Displaying UDLD information BigIron RX(config)# show link-keepalive ethernet 4/1 Current State : up Remote MAC Addr : 00e0.52d2.5100 Local Port : 4/1 Remote Port : 2/1 Local System ID : e0927400 Remote System ID : e0d25100 Packets sent : 254 Packets received : 255 Transitions TABLE 63...
  • Page 356: Clearing Udld Statistics

    Clearing UDLD statistics The show interface ethernet <slot>/<portnum> command also displays the UDLD state for an individual port. In addition, the line protocol state listed in the first line will say “down” if UDLD has brought the port down. Here is an example: BigIron RX(config)# show interface ethernet 1/1 GigabitEthernet2/1 is disabled, line protocol is down, link keepalive is enabled...
  • Page 357: Vlans

    Chapter VLANs Overview of Virtual Local Area Networks (VLANs) Virtual Local Area Networks (VLANs) allow you to segment traffic in a network by placing ports and interfaces into separate broadcast domains. Each broadcast domain is uniquely identified by VLAN IDs. These broadcast domains can span multiple devices. The device supports two types of VLANs: port-based VLANs and protocol-based VLANs.
  • Page 358 Overview of Virtual Local Area Networks (VLANs) FIGURE 21 Packet containing Brocade’s 802.1Q VLAN tag (untagged Ethernet II packet format: Destination Address, 6 bytes; Source Address, 6 bytes; Type Field, 2 bytes; Data Field, up to 1500 bytes; trailing field, 4 bytes; tagged packet format: 6 bytes, 6 bytes, 2 bytes, 4 bytes ...)
  • Page 359: Protocol-Based Vlans

    Overview of Virtual Local Area Networks (VLANs) FIGURE 22 VLANs configured across multiple devices (user-configured port-based VLANs; T = 802.1Q tagged port; Segment 1 and Segment 2). Tagging is required for the ports on Segment 1 because the ports are in multiple port-based VLANs. Tagging is not required for the ports on Segment 2 because each port is...
  • Page 360: Vlan Configuration Rules

    VLAN configuration rules If there are ports in a port-based VLAN that you want to exclude from protocol-based VLANs, the protocol-based VLAN can be configured to explicitly exclude those ports. VLAN configuration rules To create any type of VLAN on a device, Layer 2 forwarding must be enabled. When Layer 2 forwarding is enabled, the device becomes a switch on all ports for all non-routable protocols.
  • Page 361: Layer 2 Control Protocols On Vlans

    Configuring port-based VLANs • A port can belong to multiple, overlapping Layer 2 port-based VLANs only if the port is a tagged port. Packets sent out of a tagged port use an 802.1q-tagged frame. • A port can belong to multiple, unique, overlapping Layer 3 protocol-based VLANs. •...
  • Page 362: Vlan Byte Accounting

    Configuring port-based VLANs 2. Once an ID is assigned, the CLI directs you to the VLAN configuration level. At this level, you add ports to that VLAN and specify if the ports are tagged or untagged. BigIron RX(config-vlan-2)# untag e 1/9 to 1/16 BigIron RX(config-vlan-2)# tagged e 1/1 to 1/8 The example above configures a port-based VLAN, VLAN 2.
  • Page 363 Configuring port-based VLANs • If a port's VLAN has byte accounting enabled, you cannot enable rate limiting on that port. Similarly, if a port has rate limiting enabled, you cannot enable VLAN byte accounting on that port's VLAN. • Clearing the rate limiting counters using clear rate-limit counters will also clear VLAN byte-accounting counters.
  • Page 364: Strictly Or Explicitly Tagging A Port

    Configuring port-based VLANs TABLE 64 Maximum # of rate limiting policies and VLANs w/ byte accounting permitted per-PPCR. Columns: Module type; PPCR number; Port #; Max # of rate limiting policies based on ACLs and VLANs + number of VLANs w/ byte accounting enabled. First row: 24 x 1G, PPCR 1, ports 1 - 12...
  • Page 365: Configuring Protocol-Based Vlans

    Configuring protocol-based VLANs You must specify a VLAN ID that is not already in use. For example, if VLAN 10 exists, do not use “10” as the new VLAN ID for the default VLAN. Valid VLAN IDs are from 1 – 4089; however, do not use VLANs 4090 –...
  • Page 366: Configuring An Mstp Instance

    Configuring virtual routing interfaces Configuring an MSTP instance An MSTP instance is configured with an MSTP ID for each region. Each region can contain one or more VLANs. To configure an MSTP instance and assign a range of VLANs, use a command such as the following at the Global Configuration level.
  • Page 367: Bridging And Routing The Same Protocol Simultaneously On The Same Device

    Configuring virtual routing interfaces Enter 1 to the maximum number of virtual routing interfaces supported on the device for <ve-number>. Bridging and routing the same protocol simultaneously on the same device Some configurations may require simultaneous switching and routing of the same single protocol across different sets of ports on the same router.
  • Page 368: Integrated Switch Routing (Isr)

    Configuring virtual routing interfaces Integrated Switch Routing (ISR) Brocade Integrated Switch Routing (ISR) feature enables VLANs configured on the device to route Layer 3 traffic from one protocol-based VLAN to another instead of forwarding the traffic to an external router. The VLANs provide Layer 3 broadcast domains for the protocols, but do not in themselves provide routing services.
  • Page 369: Vlan Groups

    VLAN groups There is a separate STP domain for each port-based VLAN. Routing occurs independently across port-based VLANs or STP domains. You can define each end of each backbone link as a separate tagged port-based VLAN. Routing will occur independently across the port-based VLANs. Because each port-based VLAN’s STP domain is a single point-to-point backbone connection, you are guaranteed to never have an STP loop.
  • Page 370 VLAN groups NOTE The device’s memory must be configured to contain at least the number of VLANs you specify for the higher end of the range. For example, if you specify 2048 as the VLAN ID at the high end of the range, you first must increase the memory allocation for VLANs to 2048 or higher.
  • Page 371: Configuring Super Aggregated Vlans

    Configuring super aggregated VLANs The <group-id> specifies a VLAN group. If you do not use this parameter, the configuration information for all the configured VLAN groups is displayed. Configuring super aggregated VLANs A super aggregated VLAN allows multiple VLANs to be placed within another VLAN. This feature allows you to construct Layer 2 paths and channels.
  • Page 372 Configuring super aggregated VLANs Each client connected to the edge device is in its own port-based VLAN. All the clients’ VLANs are aggregated by the edge device into a single VLAN for connection to the core. The device that aggregates the VLANs forwards the aggregated VLAN traffic through the core. The core can consist of multiple devices that forward the aggregated VLAN traffic.
  • Page 373: Configuring Aggregated Vlans

    Configuring super aggregated VLANs This example shows a single link between the core devices. However, you can use a trunk group to add link-level redundancy. Configuring aggregated VLANs A maximum frame size of 1526 bytes is supported on ports where super-aggregated VLANs are configured. This allows an additional 8 bytes over the untagged-port maximum, enough to carry two VLAN tags.
  • Page 374: Complete Cli Examples

    Configuring super aggregated VLANs • Enable VLAN aggregation. This support allows the core device to add an additional tag to each Ethernet frame that contains a VLAN packet from the edge device. The additional tag identifies the aggregate VLAN (the path). However, the additional tag can cause the frame to be longer than the maximum supported frame size.
  • Page 375 Configuring super aggregated VLANs Commands for device A BigIron RX-A(config)# vlan 101 BigIron RX-A(config-vlan-101)# tagged ethernet 2/1 BigIron RX-A(config-vlan-101)# untagged ethernet 1/1 BigIron RX-A(config-vlan-101)# exit BigIron RX-A(config)# vlan 102 BigIron RX-A(config-vlan-102)# tagged ethernet 2/1 BigIron RX-A(config-vlan-102)# untagged ethernet 1/2 BigIron RX-A(config-vlan-102)# exit BigIron RX-A(config)# vlan 103 BigIron RX-A(config-vlan-103)# tagged ethernet 2/1 BigIron RX-A(config-vlan-103)# untagged ethernet 1/3...
  • Page 376 Configuring super aggregated VLANs BigIron RX-C(config)# tag-type 9100 BigIron RX-C(config)# aggregated-vlan BigIron RX-C(config)# vlan 101 BigIron RX-C(config-vlan-101)# tagged ethernet 4/1 BigIron RX-C(config-vlan-101)# untagged ethernet 3/1 BigIron RX-C(config-vlan-101)# exit BigIron RX-C(config)# vlan 102 BigIron RX-C(config-vlan-102)# tagged ethernet 4/1 BigIron RX-C(config-vlan-102)# untagged ethernet 3/2 BigIron RX-C(config-vlan-102)# exit BigIron RX-C(config)# write memory Commands for device D...
  • Page 377: Configuring 802.1Q-In-Q Tagging

    Configuring 802.1q-in-q tagging Commands for device F The commands for configuring device F are identical to the commands for configuring device E. In this example, since the port numbers on each side of the configuration in Figure 24 on page 300 are symmetrical, the configuration of device F is also identical to the configuration of device A and device B.
  • Page 378: Configuration Rules

    Configuring 802.1q-in-q tagging As shown in Figure 25, the ports to customer interfaces are untagged, whereas the uplink ports to the provider cloud are tagged, because multiple client VLANs share the uplink to the provider cloud. In this example, the device treats the customer’s private VLAN ID and 8100 tag type as normal payload, and adds the 9100 tag type to the packet when the packet is sent to the uplink and forwarded along the provider cloud.
  • Page 379: Enabling 802.1Q-In-Q Tagging

    Configuring 802.1q-in-q tagging Enabling 802.1Q-in-Q tagging To enable the 802.1Q-in-Q feature, configure an 802.1Q tag type on the untagged edge links (the customer ports) to any value other than the 802.1Q tag for incoming traffic. For example, in Figure 27, the 802.1Q tag on the untagged edge links (ports 11 and 12) is 9100, whereas the 802.1Q tag for incoming traffic is 8100.
  • Page 380: Configuring 802.1Q Tag-Type Translation

    Configuring 802.1q tag-type translation FIGURE 27 Example 802.1Q-in-Q configuration (Client 1 through Client 10 attached to ports such as Port1/1, Port1/3 and Port1/5 on each side; VLAN 101, VLAN 103, VLAN 105 ...)
  • Page 381 Configuring 802.1q tag-type translation FIGURE 28 802.1q tag-type translation configuration example 1 (Customer Edge Switch 1, Provider Core Switch 1, Provider Core Switch 2 and Customer Edge Switch 2 across the Network Core; tagged links carrying tag-types 8100 and 9100) Customer...
  • Page 382: Configuration Rules

    Configuring 802.1q tag-type translation FIGURE 29 802.1q tag-type translation configuration example 2 (Edge Switch 2 and Edge Switch 3, each with a global 802.1Q tag-type of 8200 and multiple 802.1Q tag-types; tag-type 8500 ...)
  • Page 383: Enabling 802.1Q Tag-Type Translation

    Configuring 802.1q tag-type translation • If you configure a port with an 802.1q tag-type, the device automatically applies the 802.1q tag-type to all ports within the same port region. • If you remove the 802.1q tag-type from a port, the device automatically removes the 802.1q tag-type from all ports within the same port region.
  • Page 384: Private Vlans

    Private VLANs Private VLANs A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also provides additional control over flooding packets on a VLAN. Figure 30 shows an example of an application using a private VLAN. FIGURE 30 Private VLAN used to secure communication between a workstation and servers A private VLAN secures traffic...
  • Page 385: Implementation Notes

    Private VLANs • Isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN. • Community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.
  • Page 386: Configuring A Private Vlan

    Private VLANs • There is currently no support for IGMP Snooping within Private VLANs. In order to let clients in Private VLANs get multicast traffic, IGMP Snooping must be disabled, so that all multicast packets are treated as unregistered multicast packets and get flooded in software to all the ports.
  • Page 387 Private VLANs Configuring an isolated or community private VLAN To configure an isolated or a community private VLAN, use the following CLI methods. Using the CLI To configure a community private VLAN, enter commands such as the following. BigIron RX(config)# vlan 901 BigIron RX(config-vlan-901)# untagged ethernet 3/5 to 3/6 BigIron RX(config-vlan-901)# pvlan type community These commands create port-based VLAN 901, add ports 3/5 and 3/6 to the VLAN as untagged...
  • Page 388: Private Vlan

    Private VLANs The pvlan mapping command identifies the other private VLANs for which this VLAN is the primary. The command also specifies the primary VLAN ports to which you are mapping the other private VLANs. • The <vlan-id> parameter specifies another private VLAN. The other private VLAN you want to specify must already be configured.
  • Page 389: Other Vlan Features

    Other VLAN features BigIron RX(config-vlan-903)# untagged ethernet 3/5 to 3/6 BigIron RX(config-vlan-903)# pvlan type community BigIron RX(config-vlan-903)# exit BigIron RX(config)# vlan 7 BigIron RX(config-vlan-7)# untagged ethernet 3/2 BigIron RX(config-vlan-7)# pvlan type primary BigIron RX(config-vlan-7)# pvlan mapping 901 ethernet 3/2 BigIron RX(config-vlan-7)# pvlan mapping 902 ethernet 3/2 BigIron RX(config-vlan-7)# pvlan mapping 903 ethernet 3/2 Other VLAN features Allocating memory for more VLANs or virtual routing...
  • Page 390: Unknown Unicast Flooding On Vlan Ports

    Other VLAN features Syntax: [no] multicast-flooding NOTES: • This feature is supported on the 10 Gigabit Ethernet module. • This feature cannot be enabled on an empty VLAN; the VLAN must already have ports assigned to it prior to enabling this feature. •...
  • Page 391: Configuring Uplink Ports Within A Port-Based Vlan

    Other VLAN features To enable flow based MAC learning and CPU flooding for unknown unicast packets only, enter the following command at the global configuration level. BigIron RX(config)# cpu-flooding unknown-unicast To enable CPU based flooding for broadcast and multicast packets, enter the following command at the global configuration level.
  • Page 392: Other Configuration Options

    Displaying VLAN information Other configuration options You can also configure the following on a VLAN: • “Configuring static ARP entries” on page 136 • “Setting maximum frame size per PPCR” on page 178 Displaying VLAN information After you configure the VLANs, you can view and verify the configuration. Displaying VLAN information Enter the following command at any CLI level.
  • Page 393: Displaying Vlan Information For Specific Ports

    Displaying VLAN information TABLE 67 Output of show vlan (Continued) This field... Displays... Untagged/Tagged Ports ID of the untagged or tagged ports that are members of the VLAN (protocol-based VLANs) If protocol based VLANs are configured, their type and name appear after the list of ports.
  • Page 394 Displaying VLAN information BigIron RX# show vlan detail Untagged Ports : ethe 2/1 to 2/24 ethe 4/4 Tagged Ports : None Dual-mode Ports : ethe 3/1 to 3/24 ethe 4/1 to 4/3 Default VLAN Control VLAN : 4095 VLAN Tag-type : 0x8100 PORT-VLAN 1, Name DEFAULT-VLAN, Priority Level0 ----------------------------------------------------------...
  • Page 395: Displaying Vlan Group Information

    Transparent firewall mode TABLE 69 Output of show vlan detail (Continued) This field... Displays... Protocol Protocol configured on the VLAN. State Current state of the port such as disabled, blocking, forwarding, etc. Displaying VLAN group information To display information about VLAN groups, enter the following command. BigIron RX# show vlan-group 10 Configured VLAN-Group entries: 1 Maximum VLAN-Group entries : 32...
  • Page 397: Configuring Spanning Tree Protocol

    Chapter Configuring Spanning Tree Protocol IEEE 802.1D Spanning Tree Protocol (STP) The BigIron RX supports Spanning Tree Protocol (STP) as described in the IEEE 802.1D-1998 specification. STP eliminates Layer 2 loops in networks by selectively blocking some ports and allowing other ports to forward traffic, based on configurable bridge and port parameters. STP also ensures that the least-cost path is taken when multiple paths exist between ports or VLANs.
  • Page 398: Default Stp Bridge And Port Parameters

    IEEE 802.1D Spanning Tree Protocol (STP) NOTE When you configure a VLAN, the VLAN inherits the global STP settings. However, once you begin to define a VLAN, you can no longer configure standard STP parameters globally using the CLI. From that point on, you can configure STP only within individual VLANs.
  • Page 399: Changing Stp Bridge Parameters

    IEEE 802.1D Spanning Tree Protocol (STP) TABLE 72 Default STP bridge parameters (Continued) Parameter / Description / Default and valid values. Hello Time: The interval of time between each configuration BPDU sent by the root bridge. Default: 2 seconds. Possible values: 1 – 10 seconds. Priority: A parameter used to identify the root bridge in a spanning...
  • Page 400: Changing Stp Port Parameters

    IEEE 802.1D Spanning Tree Protocol (STP) NOTE The hello-time <value> parameter applies only when the device or VLAN is the root bridge for its spanning tree. Changing STP port parameters To change the path and priority costs for a port, enter commands such as the following. BigIron RX(config)# vlan 10 BigIron RX(config-vlan-10)# spanning-tree ethernet 1/5 path-cost 15 priority 64 Syntax: spanning-tree ethernet <slot>/<portnum>...
  • Page 401: Spanning Tree Protocol (Stp) Bpdu Guard

    IEEE 802.1D Spanning Tree Protocol (STP) Syntax: [no] spanning-tree root-protect Enter the no form of the command to disable STP Root Guard on the port. Setting the STP root guard timeout period To configure the STP Root protect timeout period globally, enter a command such as the following. BigIron RX(config)# spanning-tree root-protect timeout 120 Syntax: spanning-tree root-protect timeout <timeout in seconds>...
  • Page 402: Displaying Stp Information

    IEEE 802.1D Spanning Tree Protocol (STP) To prevent an end station from initiating or participating in STP topology changes, enter the following command at the interface level of the CLI. BigIron RX(config)# interface ethe 2/1 BigIron RX(config-if-e1000-2/1)# spanning-tree protect This command causes the port to drop STP BPDUs sent from the device on the other end of the link.
  • Page 403 IEEE 802.1D Spanning Tree Protocol (STP) BigIron RX# show spanning-tree vlan 10 VLAN 10 - STP instance 1 -------------------------------------------------------------------- STP Bridge Parameters: Bridge Bridge Bridge Bridge Hold LastTopology Topology Identifier MaxAge Hello FwdDly Time Change Change 8000000480a04000 20 RootBridge RootPath DesignatedBridge Root Max Hel Fwd Identifier...
  • Page 404 IEEE 802.1D Spanning Tree Protocol (STP) TABLE 74 CLI display of STP information (Continued) This field... Displays... Bridge Identifier The ID assigned by STP to this bridge for this spanning tree in hexadecimal. NOTE: If this address is the same as the Root ID, then this device or VLAN is the root bridge for its spanning tree.
  • Page 405 IEEE 802.1D Spanning Tree Protocol (STP) TABLE 74 CLI display of STP information (Continued) This field... Displays... State The port’s STP state. The state can be one of the following: • BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop.
  • Page 406 IEEE 802.1D Spanning Tree Protocol (STP) BigIron RX# show spanning-tree detail vlan 10 VLAN 10 - STP instance 1 -------------------------------------------------------------------- STP Bridge Parameters: Bridge identifier - 0x8000000480a04000 Root bridge - 0x8000000480a04000 Control ports - ethe 1/3 ethe 1/13 Active global timers - None STP Port Parameters: Port 1/3 - DISABLED Port 1/13 - DISABLED...
  • Page 407 IEEE 802.1D Spanning Tree Protocol (STP) TABLE 75 CLI display of detailed STP information for ports This field... Displays... VLAN ID The VLAN that contains the listed ports and the number of STP instances on this VLAN. The STP type can be one of the following: •...
  • Page 408: Ieee Single Spanning Tree (Sstp)

    IEEE Single Spanning Tree (SSTP) TABLE 75 CLI display of detailed STP information for ports (Continued) This field... Displays... STP port parameters Port number and STP state The internal port number and the port’s STP state. The internal port number is one of the following: •...
  • Page 409: Enabling Sstp

    IEEE Single Spanning Tree (SSTP) • To remove a VLAN from the single spanning tree, disable STP on that VLAN. When you enable SSTP, all the ports that are in port-based VLANs with STP enabled become members of a single spanning tree domain. Thus, the ports share a single BPDU broadcast domain.
  • Page 410: Displaying Sstp Information

    PVST/PVST+ compatibility For the parameter definitions and possible values, refer to “Default STP port parameters” page 327. NOTE Both commands listed above are entered at the global CONFIG level. Also, you can use the rstp single command to control the topology for VLANs. Refer to “Enabling or disabling RSTP on a single spanning tree”...
  • Page 411: Overview Of Pvst And Pvst

    PVST/PVST+ compatibility Overview of PVST and PVST+ Per VLAN Spanning Tree (PVST) is a Cisco proprietary protocol that allows a Cisco device to have multiple spanning trees. The Cisco device can interoperate with spanning trees on other PVST devices but cannot interoperate with IEEE 802.1Q devices. An IEEE 802.1Q device has all its ports running a single spanning tree.
  • Page 412: Enabling Pvst+ Support

    PVST/PVST+ compatibility If you want to use tagged frames on VLAN 1, you can change the default VLAN ID to an ID other than 1. You also can specify the VLAN on which you want the port to send and receive untagged frames (the native VLAN).
  • Page 413: Configuration Examples

    PVST/PVST+ compatibility BigIron RX(config)# show span pvst-mode PVST+ Enabled on: Port Method Set by configuration Set by configuration 2/10 Set by auto-detect 3/12 Set by configuration 4/24 Set by auto-detect Syntax: show span pvst-mode This command displays the following information. TABLE 76 CLI Display of PVST+ Information This field...
  • Page 414 PVST/PVST+ compatibility These commands configure a VLAN group containing VLANs 2, 3, and 4, add port 1/1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port. The dual-mode feature allows the port to send and receive untagged frames for the default VLAN (VLAN 1 in this case) in addition to tagged frames for VLANs 2, 3, and 4.
  • Page 415: Superspan

    SuperSpan™ • Drop tagged PVST BPDUs for VLAN 1. Note that when VLAN 1 is not the default VLAN, the ports must have an untagged VLAN enabled in order to process IEEE 802.1Q BPDUs. For example, the following configuration is incorrect. BigIron RX(config)# default-vlan-id 1000 BigIron RX(config)# vlan 1 BigIron RX(config-vlan-1)# tagged ethernet 1/1 to 1/2...
  • Page 416: Customer Id

    SuperSpan™ FIGURE 34 SuperSpan example (SuperSpan root bridge; SP 1 and SP 2 connected to Cust 1 and Cust 2 over ports Port1/1, Port1/2, Port2/1 and Port2/2) In this example, the SP network contains two devices that are running SuperSpan. The SP is connected to two customer networks.
  • Page 417 SuperSpan™ Each Brocade device that is configured for SuperSpan forwards the BPDU using the changed destination MAC address. At the other end of the tunnel, the Brocade device connected to the customer's network changes the destination MAC address back to the bridge group address (01-80-c2-00-00-00).
  • Page 418 SuperSpan™ Mixing single STP and multiple spanning trees You can use SuperSpan in any of the following combinations: • Customer and SP networks both use multiple spanning trees (a separate spanning tree in each VLAN). • Customer uses multiple spanning trees but SP uses Single STP (all STP-enabled VLANs are in the same spanning tree).
  • Page 419 SuperSpan™ In the above example, STP in VLAN 10 will select R10 as the root bridge and make 1/1 on R10 forwarding while blocking port 3/1 on R20. The opposite occurs for STP in VLAN 20. As a result, both links connecting the customer and SP regions are fully utilized and serve as backup links at the same time, providing loop-free, non-blocking connectivity.
  • Page 420 SuperSpan™ Customer uses single STP but SP uses multiple spanning trees Figure 38 shows an example of SuperSpan where the customer network uses Single STP while the SP uses multiple spanning trees. FIGURE 38 Customer using single STP and SP using Multiple Spanning Trees single span Customer...
  • Page 421: Configuring Superspan

    SuperSpan™ FIGURE 39 Customer and SP using single STP (single span in both the Customer Region and the Provider Region; root bridge for VLAN xx; stp-boundary port, tagged to multiple VLANs and untagged to VLAN 100, the super aggregated VLAN) In this setup, both the customer and SP networks are running a single spanning tree at Layer 2. The traffic from VLAN 10 and 20 will be carried, or aggregated, by VLAN 100 at the SP network as in the previous scenario.
  • Page 422 SuperSpan™ These commands configure two interfaces on the Brocade device as SuperSpan boundary interfaces. Interface 1/1 is a boundary interface with customer 1. Interface 1/2 is a boundary interface with customer 2. Each boundary interface is associated with a number, which is the SuperSpan ID.
  • Page 423 SuperSpan™ BigIron RX(config)# show super-span CID 1 Boundary Ports: Port C-BPDU C-BPDU T-BPDU T-BPDU Rxed Txed Rxed Txed Total 1 CID 2 Boundary Ports: Port C-BPDU C-BPDU T-BPDU T-BPDU Rxed Txed Rxed Txed Total 0 In this example, the device has two SuperSpan customer IDs. Syntax: show superspan [cid <num>] The cid <num>...
  • Page 425: Configuring Rapid Spanning Tree Protocol

    Chapter Configuring Rapid Spanning Tree Protocol Overview of Rapid Spanning Tree Protocol RSTP provides rapid convergence and takes advantage of point-to-point wiring of the spanning tree. Failure in one forwarding path does not affect other forwarding paths. RSTP improves the operation of the spanning tree while maintaining backward compatibility.
  • Page 426: Assignment Of Port Roles

    Overview of Rapid Spanning Tree Protocol Assignment of port roles At system start-up, all RSTP-enabled bridge ports assume a Designated role. Once start-up is complete, the RSTP algorithm calculates the superiority or inferiority of the RST BPDU that is received and transmitted on a port. On a root bridge, each port is assigned a Designated port role, except for ports on the same bridge that are physically connected together.
  • Page 427: Ports On Switch 1

    Overview of Rapid Spanning Tree Protocol FIGURE 40 Simple RSTP topology (Switch 1, bridge priority = 200; Switch 2, bridge priority = 100; Switch 3, bridge priority = 300; Switch 4, bridge priority = 400; interconnected through ports Port2 through Port8)
  • Page 428: Ports Switch 4

    Edge ports and edge port roles Ports Switch 4 Switch 4 is not directly connected to the root bridge. It has two ports with superior incoming RST BPDUs from two separate LANs: Port3 and Port4. The RST BPDUs received on Port3 are superior to the RST BPDUs received on port 4;...
  • Page 429: Point-To-Point Ports

    Point-to-point ports Point-to-point ports To take advantage of the RSTP features, ports on an RSTP topology should be explicitly configured as point-to-point links. Shared media should not be configured as point-to-point links. NOTE Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops.
  • Page 430: Edge Port And Non-Edge Port States

    Edge port and non-edge port states If a port on one bridge has a Designated role and that port is connected to a port on another bridge that has an Alternate or Backup role, the port with the Designated role cannot be given a Root port role until two instances of the forward delay timer expire on that port.
  • Page 431: Handshake Mechanisms

    State machines • Topology Change – This state machine detects, generates, and propagates topology change notifications. It acknowledges Topology Change Notice (TCN) messages when operating in 802.1D mode. It also flushes the MAC table when a topology change event takes place. •...
  • Page 432 State machines • Proposing – The Designated port on the root bridge sends an RST BPDU packet to its peer port that contains a proposal flag. The proposal flag is a signal that indicates that the Designated port is ready to put itself in a forwarding state (Figure 43).
  • Page 433 State machines FIGURE 44 Sync stage Switch 100 Root Bridge Port1 Designated port Port1 Root port Sync BigIron Switch 200 Port3 Port2 Sync Sync Discarding Discarding Port2 Port3 Switch 300 Switch 400 Indicates a signal • Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced.
  • Page 434 State machines FIGURE 45 Synced stage Switch 100 Root Bridge Port1 Designated port Port1 Root port Synced BigIron Switch 200 Port2 Port3 Synced Synced Discarding Discarding Port2 Port3 Switch 400 Switch 300 Indicates a signal • Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state.
  • Page 435 State machines FIGURE 46 Agree stage Switch 100 Root Bridge Port1 Designated port Forwarding RST BPDU Port1 sent with Root port an Agreed Synced flag Forwarding BigIron Switch 200 Port2 Port3 Synced Synced Discarding Discarding Port2 Port3 Switch 300 Switch 400 Indicates a signal At this point, the handshake mechanism is complete between Switch 100, the root bridge, and Switch 200.
  • Page 436 State machines [Figure 47: Addition of a new root bridge] The handshake that occurs between Switch 60 and Switch 100 follows the one described in the previous section (“Handshake when no root port is elected”...
  • Page 437 State machines [Figure 48: New root bridge sending a proposal flag]...
  • Page 438 State machines [Figure 49: Sync and reroot]...
  • Page 439 State machines [Figure 50: Sync and rerooted]...
  • Page 440 State machines [Figure 51: Rerooted, synced, and agreed]...
  • Page 441: Convergence In A Simple Topology

    Convergence in a simple topology [Figure 52: Handshake completed after election of new root port]...
  • Page 442: Convergence At Start Up

    Convergence in a simple topology NOTE The rapid convergence will not occur on ports connected to shared media devices, such as hubs. To take advantage of the rapid convergence provided by RSTP, make sure to explicitly configure all point-to-point links in a topology. Convergence at start up In Figure 53, two bridges, Switch 2 and Switch 3, are powered up.
  • Page 443 Convergence in a simple topology [Figure 54: Simple Layer 2 topology]...
  • Page 444: Convergence After A Link Failure

    Convergence in a simple topology The Port2/Switch 2 bridge also sends an RST BPDU with an agreed flag to Port2/Switch 1, indicating that Port2 is the new Root port. Both ports go into forwarding states. Port3/Switch 3 is now in a discarding state and is negotiating a port role. It received RST BPDUs from Port3/Switch 2.
  • Page 445: Convergence At Link Restoration

    Convergence in a simple topology [Figure 56: Link failure in the topology] Switch 1 sets its Port2 into a discarding state. At the same time, Switch 2 assumes the role of a root bridge since its root port failed and it has no operational Alternate port.
  • Page 446: Convergence In A Complex Rstp Topology

    Convergence in a complex RSTP topology When Port2/Switch 2 receives the RST BPDUs, the RSTP algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port. All the ports on Switch 2 are informed that a new Root port has been assigned, which signals all the ports to synchronize their roles and states.
  • Page 447 Convergence in a complex RSTP topology [Figure 57: Complex RSTP topology]...
  • Page 448 Convergence in a complex RSTP topology Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is then given an Alternate port role, and remains in discarding state. Likewise, Port5/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is also given an Alternate port role, and remains in discarding state.
  • Page 449: Propagation Of Topology Change

    Convergence in a complex RSTP topology [Figure 58: Active Layer 2 path in complex topology]...
  • Page 450 Convergence in a complex RSTP topology [Figure 59: Beginning of topology change notice]...
  • Page 451 Convergence in a complex RSTP topology [Figure 60: Sending TCN to bridges connected to Switch 2]...
  • Page 452: Compatibility Of Rstp With 802.1D

    Compatibility of RSTP with 802.1D [Figure 61: Completing the TCN propagation]...
  • Page 453: Configuring Rstp Parameters

    Configuring RSTP parameters For example, in Figure 62, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format to allow them to operate transparently with Switch 20. [Figure 62: RSTP bridges with an 802.1D bridge]...
  • Page 454: Enabling Or Disabling Rstp On A Single Spanning Tree

    Configuring RSTP parameters BigIron RX(config)# vlan 10 BigIron RX(config-vlan-10)# rstp Syntax: [no] rstp Enabling or disabling RSTP on a single spanning tree To globally enable RSTP for all ports of a single spanning tree, enter the following command. BigIron RX(config)# rstp single Syntax: [no] rstp single Disabling or enabling RSTP on a port The rstp command must be used to initially enable RSTP on ports.
  • Page 455: Changing Port Parameters

    Configuring RSTP parameters The max-age <value> parameter specifies the amount of time the device waits to receive a hello packet before it initiates a topology change. Possible values: 6 – 40 seconds. The default is 20 seconds. The value of max-age must be greater than the value of forward-delay to ensure that the downstream bridges do not age out faster than the upstream bridges (those bridges that are closer to the root bridge).
  • Page 456: Fast Port Span

    Configuring RSTP parameters TABLE 78 Recommended path cost values of RSTP (Continued). Columns: Link speed; Recommended (default) RSTP path cost values; Recommended RSTP path cost range. 1 Gigabit per second: 20,000; 2,000 – 200,000,000. 10 Gigabits per second: 2,000; 200 – 20,000. 100 Gigabits per second: 20 –...
  • Page 457 Configuring RSTP parameters In addition, Fast Port Span enhances overall network performance in the following ways: • Fast Port Span reduces the number of STP topology change notifications on the network. When an end station attached to a Fast Span port comes up or down, the Brocade device does not generate a topology change notification for the port.
  • Page 458: Fast Uplink Span

    Configuring RSTP parameters BigIron RX(config)# fast port-span BigIron RX(config)# write memory Excluding specific ports from fast port span You can exclude individual ports from Fast Port Span while leaving Fast Port Span enabled globally. To do so, use the following method. Using the CLI To exclude a port from Fast Port Span, enter commands such as the following.
  • Page 459 Configuring RSTP parameters You can use the Fast Uplink feature on a Brocade device deployed as a wiring closet switch to decrease the convergence time for the uplink ports to another device to just four seconds (two seconds for listening and two seconds for learning). The wiring closet switch must be a Brocade device but the device at the other end of the link can be a Brocade device or another vendor’s switch.
  • Page 460: Displaying Rstp Information

    Displaying RSTP information Using the CLI To configure a group of ports for Fast Uplink Span, enter the following commands. BigIron RX(config)# fast uplink-span ethernet 4/1 to 4/4 BigIron RX(config)# write memory Syntax: [no] fast uplink-span [ethernet <portnum> [ethernet <portnum>… | to <portnum>]] This example configures four ports, 4/1 –...
  • Page 461 Displaying RSTP information BigIron RX(config)#show rstp vlan 10 VLAN 10 - RSTP instance 0 -------------------------------------------------------------------- RSTP (IEEE 802.1w) Bridge Parameters: Bridge Bridge Bridge Bridge Force Identifier MaxAge Hello FwdDly Version Hold 0001000480a04000 20 Default RootBridge RootPath DesignatedBridge Root Max Hel Fwd Identifier Cost Identifier...
  • Page 462 Displaying RSTP information TABLE 79 CLI display of RSTP summary (Continued) This field... Displays... Designated Bridge Identifier The bridge from where the root information was received. It can be from the root bridge itself, but it could also be from another bridge. Root Port The port on which the root information was received.
  • Page 463 Displaying RSTP information TABLE 79 CLI display of RSTP summary (Continued) This field... Displays... Role The current role of the port: • Root • Designated • Alternate • Backup • Disabled Refer to “Bridges and bridge port roles” on page 353 for definitions of the roles.
  • Page 464 Displaying RSTP information TABLE 80 The show rstp detail command output (Continued) This field... Displays... forceVersion the configured version of the bridge: • 0 – The bridge has been forced to operate in an STP compatible mode. • 2 – The bridge has been forced to operate in an RSTP mode. MigrateTime The number of seconds the bridge took to migrate from STP to RSTP mode.
  • Page 465: Metro Ring Protocol (Mrp) Phase 1 And 2

    Chapter Metro Ring Protocol (MRP) Phase 1 and 2 Metro Ring Protocol (MRP) phase 1 MRP Phase 1 is a Brocade proprietary protocol that prevents Layer 2 loops and provides fast reconvergence in Layer 2 ring topologies. It is an alternative to STP and is especially useful in Metropolitan Area Networks (MANs) where using STP has the following drawbacks: •...
  • Page 466: Mrp Rings Without Shared Interfaces

    MRP rings without shared interfaces The ring in this example consists of four MRP nodes (Brocade switches). Each node has two interfaces with the ring. Each node also is connected to a separate customer network. The nodes forward Layer 2 traffic to and from the customer networks through the ring. The ring interfaces are all in one port-based VLAN.
  • Page 467: Ring Initialization

    Ring initialization [Figure 64: Metro ring – multiple rings] In this example, two nodes are each configured with two MRP rings. Any node in a ring can be the master for its ring.
  • Page 468 Ring initialization [Figure 65: Metro ring – initial state; all ports start in Preforwarding state, and the primary port on the Master node sends RHP 1] MRP uses Ring Health Packets (RHPs) to monitor the health of the ring.
  • Page 469 Ring initialization When MRP is enabled, all ports begin in the Preforwarding state. The primary interface on the Master node, although it is in the Preforwarding state like the other ports, immediately sends an RHP onto the ring. The secondary port on the Master node listens for the RHP. •...
  • Page 470: How Ring Breaks Are Detected And Healed

    How ring breaks are detected and healed Figure 67 shows the ring forwarding state following a link break. MRP quickly heals the ring and preserves connectivity among the customer networks. [Figure 67: Metro ring – ring break]...
  • Page 471 How ring breaks are detected and healed When the broken link is repaired, the link’s interfaces come up in the Preforwarding state, which allows RHPs to travel through the restored interfaces and reach the secondary interface on the Master node. •...
  • Page 472: Master Vlans And Customer Vlans In A Topology Group

    Master VLANs and customer VLANs in a topology group 5. RHP packets continue to be sent on the primary interface by Switch A to detect if the ring has been healed. From a user perspective, there is no difference in the behavior of the ring. The only noticeable difference is a rapid convergence in the event of ring failure.
  • Page 473 Master VLANs and customer VLANs in a topology group [Figure 69: Metro ring – ring VLAN and customer VLANs (Switch B: ring 1 interfaces 1/1, 1/2; topology group 2 with master VLAN 2 (1/1, 1/2) and member VLAN 30 (1/1, 1/2, 2/1))]...
  • Page 474: Configuring Mrp

    Configuring MRP If you use a topology group: • The master VLAN must contain the ring interfaces. The ports must be tagged, since they will be shared by multiple VLANs. • The member VLAN for a customer must contain the two ring interfaces and the interfaces for the customer.
  • Page 475: Adding An Mrp Ring To A Vlan

    Configuring MRP Adding an MRP ring to a VLAN NOTE If you plan to use a topology group to add VLANs to the ring, make sure you configure MRP on the topology group’s master VLAN. To add an MRP ring to a VLAN, enter commands such as the following. BigIron RX(config)# vlan 2 BigIron RX(config-vlan-2)# metro-ring 1 BigIron RX(config-vlan-2-mrp-1)# name CustomerA...
  • Page 476: Changing The Hello And Preforwarding Times

    MRP phase 2 Changing the hello and preforwarding times You also can change the RHP hello time and preforwarding time. To do so, enter commands such as the following. BigIron RX(config-vlan-2-mrp-1)# hello-time 200 BigIron RX(config-vlan-2-mrp-1)# preforwarding-time 400 These commands change the hello time to 200 ms and change the preforwarding time to 400 ms. NOTE The preforwarding time must be at least twice the value of the hello time and must be a multiple of the hello time.
  • Page 477 MRP phase 2 [Figure 70: Multiple MRP rings - MRP Phase 1] With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN.
  • Page 478: Ring Initialization For Shared Interfaces

    Ring initialization for shared interfaces [Figure 72: Interface IDs and types (C = customer port)] For example, in Figure 72, the ID of all interfaces on all nodes on Ring 1 is 1, and the ID of all interfaces on all nodes on Ring 2 is 2.
  • Page 479: Selection Of Master Node

    Ring initialization for shared interfaces node, the packet is forwarded through the secondary interface since it is currently in a preforwarding state. A secondary interface in preforwarding mode ignores any RHP packet that is not from its ring. The secondary interface changes to blocking mode only when the RHP packet forwarded by its primary interface is returned.
  • Page 480: Normal Flow

    Ring initialization for shared interfaces Normal flow Figure 73 shows an example of how RHP packets are processed normally in MRP rings with shared interfaces. [Figure 73: Flow of RHP packets on MRP rings with shared interfaces]...
  • Page 481: Flow When A Link Breaks

    Ring initialization for shared interfaces Flow when a link breaks If the link between shared interfaces breaks (Figure 74), the secondary interface on Ring 1’s master node changes to a preforwarding state. The RHP packet sent by port 3/1 on Ring 2 is forwarded through the interfaces on S4, then to S2.
  • Page 482: Using Mrp Diagnostics

    Using MRP diagnostics BigIron RX(config)# vlan 2 BigIron RX(config-vlan-2)# metro-ring 1 BigIron RX(config-vlan-2-mrp-1)# name CustomerA BigIron RX(config-vlan-2-mrp-1)# ring-interface ethernet 1/1 ethernet 1/2 BigIron RX(config-vlan-2-mrp-1)# enable BigIron RX(config-vlan-2-mrp-1)# metro-ring 2 BigIron RX(config-vlan-2-mrp-2)# name CustomerB BigIron RX(config-vlan-2-mrp-2)# ring-interface ethernet 1/1 ethernet 1/2 BigIron RX(config-vlan-2-mrp-2)# enable Syntax: [no] metro-ring <ring-id>...
  • Page 483: Displaying Mrp Diagnostics

    Displaying MRP information Displaying MRP diagnostics To display MRP diagnostics results, enter the following command on the Master node. BigIron RX(config)# show metro 2 diag Metro Ring 2 - CustomerA ============= diagnostics results Ring Diag RHP average Recommended Recommended state time(microsec) hello time(ms) Prefwing time(ms)
  • Page 484: Displaying Ring Information

    Displaying MRP information Displaying ring information To display ring information, enter the following command. BigIron RX(config)# show metro Metro Ring 2 ============= Ring State Ring Master Topo Hello Prefwing role vlan group time(ms) time(ms) enabled member not conf Ring interfaces Interface role Forwarding state Active interface...
  • Page 485: Mrp Cli Example

    MRP CLI example TABLE 82 CLI display of MRP ring information (Continued) This field... Displays... Prefwing time The number of milliseconds an MRP interface that has entered the Preforwarding state will wait before changing to the Forwarding state. If a member port in the Preforwarding state does not receive an RHP within the Preforwarding time (Prefwing time), the port assumes that a topology change has occurred and changes to the Forwarding state.
  • Page 486: Commands On Switch A (Master Node)

    MRP CLI example Commands on switch A (master node) The following commands configure a VLAN for the ring. The ring VLAN must contain both of the node’s interfaces with the ring. Add these interfaces as tagged interfaces, since the interfaces also must be in each of the customer VLANs configured on the node.
  • Page 487: Commands On Switch C

    MRP CLI example BigIron RX(config)# topology-group 1 BigIron RX(config-topo-group-1)# master-vlan 2 BigIron RX(config-topo-group-1)# member-vlan 30 BigIron RX(config-topo-group-1)# member-vlan 40 Commands on switch C BigIron RX(config)# vlan 2 BigIron RX(config-vlan-2)# tag ethernet 1/1 to 1/2 BigIron RX(config-vlan-2)# metro-ring 1 BigIron RX(config-vlan-2-mrp-1)# name “Metro A” BigIron RX(config-vlan-2-mrp-1)# ring-interface ethernet 1/1 ethernet 1/2 BigIron RX(config-vlan-2-mrp-1)# enable BigIron RX(config-vlan-2)# exit...
  • Page 489: Overview Of Virtual Switch Redundancy Protocol (Vsrp)

    Chapter Virtual Switch Redundancy Protocol (VSRP) Overview of Virtual Switch Redundancy Protocol (VSRP) VSRP is a Brocade proprietary protocol that provides redundancy and sub-second failover in Layer 2 and Layer 3 mesh topologies. Based on Brocade’s proprietary Virtual Router Redundancy Protocol Extended (VRRPE), VSRP provides one or more backups for the device.
  • Page 490: Layer 2 And Layer 3 Redundancy

    Overview of Virtual Switch Redundancy Protocol (VSRP) Following Master election (described below), one of the Brocade devices becomes the Master for the VRID and sets the state of all the VLAN’s ports to Forwarding. The other device is a Backup and sets all the ports in its VRID VLAN to Blocking.
  • Page 491 Overview of Virtual Switch Redundancy Protocol (VSRP) Each Backup waits for a specific period of time, the Dead Interval, to receive a new Hello message from the Master. If the Backup does not receive a Hello message from the Master by the time the Dead Interval expires, the Backup sends a Hello message of its own, which includes the Backup's VSRP priority, to advertise the Backup's intent to become the Master.
  • Page 492 Overview of Virtual Switch Redundancy Protocol (VSRP) [Figure 77: VSRP priority recalculation]...
  • Page 493 Overview of Virtual Switch Redundancy Protocol (VSRP) [Figure 78: VSRP priority bias; configured priority 150 gives actual priority 150 * (2/3) = 100 with one link down, and configured priority 100 gives actual priority 100 * (3/3) = 100]...
  • Page 494 Overview of Virtual Switch Redundancy Protocol (VSRP) [Figure 79: Track port priority; configured priority 100 with track priority 20 gives actual priority 100 * (3/3) = 100 and (100 - 0) * (3/3) = 100 while all tracked links are up]...
  • Page 495: Configuring Basic Vsrp Parameters

    Configuring basic VSRP parameters • If the port number is the same as the port that previously received a Hello message, the VSRP-aware device assumes that the message came from the same VSRP Master that sent the previous message. • If the port number does not match, the VSRP-aware device assumes that a VSRP failover has occurred to a new Master, and moves the MAC addresses learned on the previous port to the new port.
  • Page 496: Enabling Layer 3 Vsrp

    Enabling Layer 3 VSRP BigIron RX(config-vlan-200-vrid-1)# enable Syntax: [no] enable Syntax: [no] activate For information about the command’s optional parameters, see the following: • “Changing the backup priority” on page 427 • “Changing the default track priority” on page 430 Enabling Layer 3 VSRP Layer 2 VSRP is enabled globally by default on the device;...
  • Page 497: Configuring A Vrid Ip Address

    Configuring optional VSRP parameters Syntax: [no] ip vsrp auth-type no-auth | simple-text-auth <auth-data> The auth-type no-auth parameter indicates that the VRID and the interface it is configured on do not use authentication. The auth-type simple-text-auth <auth-data> parameter indicates that the VRID and the interface it is configured on use a simple text password for authentication.
  • Page 498: Vsrp Fast Start

    Configuring optional VSRP parameters BigIron RX(config-vlan-200-vrid-1)# ip-address 10.10.10.1 Syntax: [no] ip-address <ip-addr> VSRP fast start VSRP fast start allows non-Brocade or non-VSRP-aware devices that are connected to a Brocade device that is the VSRP Master to quickly switch over to the new Master when a VSRP failover occurs. This feature causes the port on a VSRP Master to restart when a VSRP failover occurs.
  • Page 499: Changing The Backup Priority

    Configuring optional VSRP parameters BigIron RX(config-vlan-10-vsrp-1)#sh vsrp VLAN 10 Auth-type no authentication VRID 1 ======== State Administrative-status Advertise-backup Preempt-mode Link-Redundancy Backup Enabled Disabled True Disabled Parameter Configured Current Unit/Formula Priority (100-0)*(4.0/4.0) Hello-interval sec/10 Hold-interval sec/10 Initial-ttl hops Master router 219.218.18.52 or MAC xxxx.dbda.1234 expires in 00:00:02 Member ports: ethe 19/1 to 19/2 ethe 19/4 to 19/5 Operational ports: ethe 19/1 to 19/2 ethe 19/4 to 19/5...
  • Page 500: Vsrp Slow Start

    Configuring optional VSRP parameters • Backup Hello interval • Hold-down interval Each Backup saves the configured timer values to its startup configuration file when you save the device’s configuration. NOTE The Backups always use the value of the timer scale received from the Master, regardless of whether the timer values that are saved in the configuration are the values configured on the Backup or the values received from the Master.
  • Page 501: Changing The Hello Interval

    Configuring optional VSRP parameters Changing the hello interval The Master periodically sends Hello messages to the Backups. To change the Hello interval, enter a command such as the following at the configuration level for the VRID. BigIron RX(config-vlan-200-vrid-1)# hello-interval 10 Syntax: [no] hello-interval <units>...
  • Page 502: Changing The Hold-Down Interval

    Configuring optional VSRP parameters Syntax: [no] backup-hello-interval <units> The <units> parameter specifies the message interval and can be from 60 – 3600 units (1 unit = 100 milliseconds). The default is 60 units (6000 milliseconds or 6 seconds). NOTE If you change the timer scale, the change affects the actual number of seconds. Changing the hold-down interval The hold-down interval prevents Layer 2 loops from occurring during failover, by delaying the new Master from forwarding traffic long enough to ensure that the failed Master is really unavailable.
  • Page 503: Specifying A Track Port

    Configuring optional VSRP parameters Specifying a track port You can configure the VRID on one interface to track the link state of another interface on the device. This capability is useful for tracking the state of the exit interface for the path for which the VRID is providing redundancy.
  • Page 504: Clearing Vsrp Information

    Clearing VSRP information NOTE All trunk ports must have the same delayed-link-down-event configuration. The following command delays the sending of the port "down" event for 100 ms when a port state is detected as "down". If the port state is detected as "up" within 100 ms afterwards, the delayed "down" event is cancelled;...
  • Page 505 VSRP and MRP signaling If a VSRP failover from master to backup occurs, VSRP needs to inform MRP of the topology change; otherwise, data from the host continues along the obsolete learned path and never reaches the VSRP-linked device, as shown in Figure 82. [Figure 82: VSRP on MRP rings that failed over]...
  • Page 506: Displaying Vsrp Information

    Displaying VSRP information [Figure 83: New path established] There are no CLI commands used to configure this process.
  • Page 507 Displaying VSRP information This display shows the following information when you use the vrid <num> or vlan <vlan-id> parameter. For information about the display when you use the aware parameter, refer to “Displaying the active interfaces for a VRID” on page 438. TABLE 83 CLI display of VSRP VRID or VLAN information This field...
  • Page 508: Displaying A Summary Of Vsrp Information

    Displaying VSRP information TABLE 83 CLI display of VSRP VRID or VLAN information (Continued) This field... Displays... priority The device’s preferability for becoming the Master for the VRID. During negotiation, the Backup with the highest priority becomes the Master. If two or more Backups are tied with the highest priority, the Backup interface with the highest IP address becomes the Master for the VRID.
  • Page 509: Displaying Vsrp Packet Statistics For Vsrp

    Displaying VSRP information BigIron RX# show vsrp brief VLAN VRID ConfPri CurPri P State PeerMacAddr or IpAddress 80 P Master Unknown Unknown None When the command is entered on a Layer 3 VSRP, it displays the following information. BigIron RX# show vsrp brief VLAN VRID ConfPri CurPri P State PeerMacAddr or IpAddress P Initia xxxx.1414.1404 20.20.20.4...
  • Page 510: Displaying The Active Interfaces For A Vrid

    Displaying VSRP information Displaying the active interfaces for a VRID On a VSRP-aware device, you can display VLAN and port information for the connections to the VSRP devices (Master and Backups) using the show vsrp aware command. The command shows the active interfaces for the VRID.
  • Page 511: Topology Overview

    Chapter Topology Groups Topology overview This chapter describes the different types of topology groups and how to configure them. A topology group is a named set of VLANs that share a Layer 2 control protocol. Topology groups simplify configuration and enhance scalability of Layer 2 protocols by allowing you to run a single instance of a Layer 2 protocol on multiple VLANs.
  • Page 512: Master Vlans And Customer Vlans In Mrp

    Master VLANs and customer VLANs in MRP Master VLANs and customer VLANs in MRP A topology group enables you to control forwarding in multiple VLANs using a single instance of a Layer 2 protocol such as MRP. For more information on topology group and MRP, refer to “Master VLANs and customer VLANs in a topology group”...
  • Page 513: Configuring A Topology Group

    Configuring a topology group If you remove a member VLAN or VLAN group from a topology group, you will need to reconfigure the Layer 2 protocol information in the VLAN or VLAN group. Configuring a topology group To configure a topology group, enter commands such as the following. BigIron RX(config)# topology-group 2 BigIron RX(config-topo-group-2)# master-vlan 2 BigIron RX(config-topo-group-2)# member-vlan 3...
  • Page 514 Displaying topology group information BigIron RX(config)# show topology-group Topology Group 1 ================== Master VLAN Member VLAN : 10 20 30 Member Group : None Control Ports : ethe 2/2 ethe 3/18 ethe 4/1 to 4/2 Free Ports : Topology Group 2 ================== Master VLAN Member VLAN...
  • Page 515: Overview Of Vrrp

    Chapter Configuring VRRP and VRRPE Overview of VRRP This chapter describes how to configure the following router redundancy protocols: • Virtual Router Redundancy Protocol (VRRP) – The standard router redundancy protocol described in RFC 3768. • VRRP Extended (VRRPE) – A Brocade proprietary version of VRRP that overcomes limitations in the standard protocol.
  • Page 516 Overview of VRRP As shown in this example, Host1 uses 192.53.5.1 on Router1 as the host’s default gateway out of the subnet. If this interface goes down, Host1 is cut off from the rest of the network. Router1 is thus a single point of failure for Host1’s access to other networks. If Router1 fails, you could configure Host1 to use Router2.
  • Page 517: Brocade Enhancements Of Vrrp

    Overview of VRRP NOTE You can provide more redundancy by also configuring a second VRID with Router2 as the Owner and Router1 as the Backup. This type of configuration is sometimes called Multigroup VRRP. Master router election Virtual routers use the VRRP priority values associated with each VRRP router to determine which router becomes the Master.
  • Page 518 Overview of VRRP Track ports and track priority Brocade enhanced VRRP by giving a VRRP router the capability to monitor the state of the interfaces on the other end of the route path through the router. For example, in Figure 85 on page 444, interface e1/6 on Router1 owns the IP address to which Host1 directs route traffic on its default gateway.
  • Page 519: Overview Of Vrrpe

    Overview of VRRPE Forcing a master router to abdicate to a standby router You can force a VRRP Master to abdicate (give away control) of a virtual router to a Backup by temporarily changing the Master’s priority to a value less than the Backup’s. When you change a VRRP Owner’s priority, the change takes effect only for the current power cycle.
  • Page 520 Overview of VRRPE • VRRPE uses UDP to send Hello messages in IP multicast messages. The Hello packets use the interface’s actual MAC address and IP address as the source addresses. The destination MAC address is 01-00-5E-00-00-02, and the destination IP address is 224.0.0.2 (the well-known IP multicast address for “all routers”).
  • Page 521 Overview of VRRPE [Figure 86: Router1 and Router2 are configured to provide dual redundant network access for the host; Router A = Master, Router B = Backup, virtual IP address 192.53.5.254, Router1 priority = 100 (default)]
  • Page 522: Vrrp And Vrrpe Parameters

    VRRP and VRRPE parameters VRRP and VRRPE parameters Table 86 lists the VRRP and VRRPE parameters. Most of the parameters and default values are the same for both protocols. The exceptions are noted in the table. TABLE 86 VRRP and VRRPE parameters Parameter Description Default...
  • Page 523 VRRP and VRRPE parameters TABLE 86 VRRP and VRRPE parameters (Continued) Parameter | Description | Default | See page... Router type | Whether the router is an Owner or a Backup. VRRP – the Owner is always the router that has the real IP... | Owner (VRRP only) – ... | page 452
  • Page 524: Configuring Parameters Specific To Vrrp

    Configuring parameters specific to VRRP TABLE 86 VRRP and VRRPE parameters (Continued) Parameter | Description | Default | See page... Track priority | A VRRP or VRRPE priority value assigned to the tracked ports. If a tracked port's link goes down, the VRID port's VRRP or VRRPE ... | VRRP – 2; VRRPE – ... | page 446
  • Page 525: Configuring The Owner

    Configuring parameters specific to VRRP Configuring the owner Router1(config)# router vrrp Router1(config)# inter e 1/6 Router1(config-if-1/6)# ip address 192.53.5.1 Router1(config-if-1/6)# ip vrrp vrid 1 Router1(config-if-1/6-vrid-1)# owner Router1(config-if-1/6-vrid-1)# ip-address 192.53.5.1 Router1(config-if-1/6-vrid-1)# activate Configuring a backup To configure the VRRP Backup router, enter the following commands. Router2(config)# router vrrp Router2(config)# inter e 1/5 Router2(config-if-e10000-1/5)# ip address 192.53.5.3...
  • Page 526: Configuring Parameters Specific To Vrrpe

    Configuring parameters specific to VRRPE Configuring parameters specific to VRRPE VRRPE is configured at the interface level. To implement a simple VRRPE configuration using all the default values, enter commands such as the following on each BigIron RX. BigIron RX(config)# router vrrp-extended BigIron RX(config)# inter e 1/5 BigIron RX(config-if-e10000-1/5)# ip address 192.53.5.3 BigIron RX(config-if-e10000-1/5)# ip vrrp-extended vrid 1...
  • Page 527: Authentication Type

    Configuring additional VRRP and VRRPE parameters • Backup priority • Suppression of RIP advertisements on Backup routers for the backed-up interface • Hello interval • Dead interval • Backup Hello messages and message timer (Backup advertisement) • Track port •...
  • Page 528: For The Backed-Up Interface

    Configuring additional VRRP and VRRPE parameters Suppression of RIP advertisements on Backup routers for the backed-up interface Normally, a VRRP or VRRPE Backup includes route information for the virtual IP address in RIP advertisements. As a result, other routers receive multiple paths to the virtual address and might sometimes unsuccessfully use the path to the Backup router rather than the path to the Master.
  • Page 529: Backup Hello Message State And Interval

    Configuring additional VRRP and VRRPE parameters Syntax: dead-interval <value> The Dead interval can be from 1 – 84 seconds. The default is 3.5 seconds. The syntax is the same for VRRP and VRRPE. Backup hello message state and interval By default, Backups do not send Hello messages to advertise themselves to the Master. You can enable these messages if desired and also change the message interval.
  • Page 530: Backup Preempt

    Configuring additional VRRP and VRRPE parameters • For VRRP, the software changes the priority of the virtual router to a track priority that is lower than that of the virtual router priority and lower than the priorities configured on the Backups. For example, if the virtual router priority is 100 and a tracked interface with track priority 60 goes down, the software changes the virtual router priority to 60.
  • Page 531: Displaying Vrrp And Vrrpe Information

    Displaying VRRP and VRRPE information BigIron RX(config)# interface ethernet 1/6 BigIron RX(config-if-e10000-1/6)# ip vrrp vrid 1 BigIron RX(config-if-e10000-1/6-vrid-1)# owner priority 99 Syntax: [no] owner priority | track-priority <num> The <num> parameter specifies the new priority and can be a number from 1 – 254. When you press Enter, the software changes the priority of the Master to the specified priority.
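    The election rules above (highest priority wins, a tracked port failure replaces a VRRP router's priority with its track priority, and an Owner abdicates when its priority is set below the Backup's) can be checked with the following simulation. This is an added example, not configuration or code from the BigIron RX guide: the router model, the port names and the link events are constructed, and the tie-break on the higher interface IP address is taken from RFC 3768 rather than from this page.

```python
"""VRRP Master election with Brocade-style track ports and forced abdication.

Added example, not code from the BigIron RX guide. It models only the rules
stated on this page: highest priority wins (Owner default 255, Backup default
100); when a tracked port goes down a VRRP router's priority is replaced by
its track priority; the Owner can be made to abdicate by setting its priority
below the Backup's (configurable range 1-254). The tie-break on higher
interface IP address is an assumption taken from RFC 3768.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

OWNER_DEFAULT_PRIORITY = 255
BACKUP_DEFAULT_PRIORITY = 100
VRRP_DEFAULT_TRACK_PRIORITY = 2   # VRRP default listed in Table 86


@dataclass
class VrrpRouter:
    name: str
    ip: str                                   # real interface address (tie-break)
    owner: bool = False
    priority: Optional[int] = None            # None -> protocol default
    track_priority: int = VRRP_DEFAULT_TRACK_PRIORITY
    track_ports: Dict[str, bool] = field(default_factory=dict)  # port -> link up?

    def __post_init__(self) -> None:
        if self.priority is None:
            self.priority = (OWNER_DEFAULT_PRIORITY if self.owner
                             else BACKUP_DEFAULT_PRIORITY)

    def effective_priority(self) -> int:
        """VRRP rule from the page: any tracked port down -> use track priority."""
        if any(not up for up in self.track_ports.values()):
            return self.track_priority
        return self.priority


def set_priority(router: VrrpRouter, value: int) -> None:
    """Mirror `owner priority <num>` / `backup priority <num>` (1-254 only)."""
    if not 1 <= value <= 254:
        raise ValueError("configurable VRRP priority must be 1-254")
    router.priority = value


def elect_master(routers: List[VrrpRouter]) -> str:
    """Return the name of the router that wins the election."""
    def ip_key(ip: str):
        return tuple(int(octet) for octet in ip.split("."))
    winner = max(routers, key=lambda r: (r.effective_priority(), ip_key(r.ip)))
    return winner.name


def scenario() -> Dict[str, str]:
    """Replay the page's Router1/Router2 example and record the Master after
    each event. The port name and link events are constructed."""
    r1 = VrrpRouter("Router1", "192.53.5.1", owner=True,
                    track_priority=20, track_ports={"e2/4": True})
    r2 = VrrpRouter("Router2", "192.53.5.3")
    fleet = [r1, r2]
    result = {}
    result["steady_state"] = elect_master(fleet)       # 255 vs 100 -> Router1
    r1.track_ports["e2/4"] = False                     # Router1 uplink fails
    result["uplink_down"] = elect_master(fleet)        # 20 vs 100 -> Router2
    r1.track_ports["e2/4"] = True                      # uplink restored
    set_priority(r1, 99)                               # `owner priority 99`
    result["owner_priority_99"] = elect_master(fleet)  # 99 vs 100 -> Router2
    return result


if __name__ == "__main__":
    for event, master in scenario().items():
        print(f"{event:>18}: Master = {master}")
```

    Note that the Owner's 255 only wins while its tracked uplink is up; with track-priority 20 a single upstream link failure is enough to hand the gateway address to the Backup, which is the intended behaviour of track ports.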
  • Page 532 Displaying VRRP and VRRPE information BigIron RX(config)# show ip vrrp-extended brief Total number of VRRP-Extended routers defined: 41 Interface | VRID | Current Priority | State | Master IP Address | Backup IP Address | Virtual IP Address ----------------------------------------------------------------------------- ... | Backup | 172.16.51.2 | Local | 172.16.51.1 ... | Backup | 172.16.52.2 | Local | 172.16.52.1 ... | Backup...
  • Page 533: Displaying Detailed Information

    Displaying VRRP and VRRPE information TABLE 87 CLI display of VRRP or VRRPE summary information (Continued) This field... Displays... State This device’s VRRP or VRRPE state for the virtual router. The state can be one of the following: • Init – The virtual router is not enabled (activated). If the state remains Init after you activate the virtual router, make sure that the virtual router is also configured on the other routers and that the routers can communicate with each other.
  • Page 534 Displaying VRRP and VRRPE information The brief parameter displays summary information. Refer to “Displaying summary information” page 459. The ethernet <slot>/<portnum> parameter specifies an Ethernet port. If you use this parameter, the command displays VRRP or VRRPE information only for the specified port. The ve <num>...
  • Page 535 Displaying VRRP and VRRPE information TABLE 88 CLI display of VRRP or VRRPE detailed information (Continued) This field... Displays... priority The device’s preferability for becoming the Master for the virtual router. During negotiation, the router with the highest priority becomes the Master.
  • Page 536: Displaying Statistics

    Displaying VRRP and VRRPE information TABLE 88 CLI display of VRRP or VRRPE detailed information (Continued) This field... Displays... backup router <ip-addr> expires in <time> The IP addresses of Backups that have advertised themselves to this Master by sending Hello messages. The <time>...
  • Page 537: Clearing Vrrp Or Vrrpe Statistics

    Configuration examples . received packets dropped by owner = 0 . received packets with ip ttl errors = 0 . received packets with ip address mismatch = 0 . received packets with advertisement interval mismatch = 0 . received packets with invalid length = 0 - total number of vrrp-extended packets sent = 2004 .
  • Page 538 Configuration examples Configuring Router1 To configure VRRP Router1, enter the following commands. Router1(config)# router vrrp Router1(config)# inter e 1/6 Router1(config-if-e10000-1/6)# ip address 192.53.5.1 Router1(config-if-e10000-1/6)# ip vrrp vrid 1 Router1(config-if-e10000-1/6-vrid-1)# owner track-priority 20 Router1(config-if-e10000-1/6-vrid-1)# track-port ethernet 2/4 Router1(config-if-e10000-1/6-vrid-1)# ip-address 192.53.5.1 Router1(config-if-e10000-1/6-vrid-1)# activate NOTE When you configure the Master (Owner), the address you enter with the ip-address command must already be configured on the interface.
  • Page 539: Vrrpe Example

    Configuration examples The activate command activates the virtual router configuration on this interface. The interface does not provide backup service for the virtual IP address until you activate the VRRP configuration. Syntax: router vrrp Syntax: ip vrrp vrid <vrid> Syntax: owner [track-priority <value>] Syntax: backup [priority <value>] [track-priority <value>] Syntax: track-port ethernet <slot>/<portnum>...
  • Page 540 Configuration examples Router1(config-if-e10000-5/1-vrid-1)# track-port ethernet 3/2 Router1(config-if-e10000-5/1-vrid-1)# ip-address 192.53.5.254 Router1(config-if-e10000-5/1-vrid-1)# activate Router1(config-if-e10000-5/1-vrid-1)# exit Router1(config)# interface ethernet 5/1 Router1(config-if-e10000-5/1)# ip vrrp-extended vrid 2 Router1(config-if-e10000-5/1-vrid-2)# backup priority 110 track-priority 20 Router1(config-if-e10000-5/1-vrid-2)# track-port ethernet 2/4 Router1(config-if-e10000-5/1-vrid-2)# ip-address 192.53.5.253 Router1(config-if-e10000-5/1-vrid-2)# activate The backup command specifies that this router is a VRRPE Backup for virtual router VRID1. The IP address entered with the ip-address command is the same IP address as the one entered when configuring Router1.
  • Page 541: Overview Of Quality Of Service (Qos)

    Chapter Configuring Quality of Service Overview of Quality of Service (QoS) Quality of Service (QoS) features are used to prioritize the use of bandwidth in a switch. When QoS features are enabled, traffic is classified as it arrives at the switch and processed on the basis of configured priorities.
  • Page 542 Classification FIGURE 87 Priority resolution (flowchart: the 802.1p priority and DSCP priority inputs are resolved according to the trust level: trust level set to CoS (default), trust level set to DSCP, or classification set to the higher of both inputs; port-based, MAC-based and port-based VLAN classifications are the remaining inputs) As shown in the figure, the first criteria considered are port-based, MAC-based, and port-based VLAN classifications.
  • Page 543 Classification TABLE 90 Default QoS mappings, columns 16 to 31 (columns: DSCP value | 802.1p (COS) value | DSCP value | internal forwarding priority | forwarding queue) TABLE 91 Default QoS mappings, columns 32 to 47 (same columns)...
  • Page 544: Marking

    Marking • COS to Internal Forwarding Priority Mapping – You can change the mapping between 802.1p (COS) values and the Internal Forwarding priority value from the default values shown in Table 89 through Table 92. This mapping is used for COS marking and determining the internal priority when the trust level is COS.
  • Page 545 Marking When you apply a QoS priority to one of the items listed above, you specify a number from 0 – 7. The priority number specifies the IEEE 802.1p equivalent to one of the four Brocade QoS queues. The numbers correspond to the queues as follows. Priority level → QoS forwarding queue: 6, 7 → ...
  • Page 546: Configuring Tos-Based Qos

    Configuring ToS-based QoS Configuring ToS-based QoS To configure ToS-based QoS, perform the following tasks: • Enable ToS-based QoS on an interface. Once you enable the feature on an individual interface, you can configure the trust level and marking for traffic that is received on that interface as described: •...
  • Page 547: Configuring The Qos Mappings

    Configuring the QoS mappings Configuring the QoS mappings The Brocade device maps a packet’s 802.1p or DSCP value to an internal forwarding priority. The default mappings are listed in Table 89 through Table 92. You can change the following mappings as described in this section: •...
  • Page 548: Mappings

    Configuring the QoS mappings BigIron RX(config)# qos-tos map dscp-dscp 0 to 10 This command changes the mapping of DSCP value 0 to 10. Syntax: [no] qos-tos map dscp-dscp <old-dscp-value> [<old-dscp-value>...] to <new-dscp-value> You can change up to seven DSCP values in the same command. Changing the DSCP –>...
  • Page 549: Displaying Qos Configuration Information

    Displaying QoS configuration information The <priority> parameter specifies the internal forwarding priority. Changing the CoS –> internal forwarding priority mappings This mapping is used when the trust level is set to CoS. In addition to determining the internal-forwarding priority of a packet, the value also determines the outbound 802.1p value if CoS marking is enabled.
  • Page 550 Displaying QoS configuration information BigIron RX# show qos-tos Interface QoS, Marking and Trust Level: Port | QoS | Mark | Trust-Level -------+-----+----------+--------------- | Yes | Layer 2 CoS | No Layer 2 CoS | No Layer 2 CoS | No Layer 2 CoS ve20 | No Layer 2 CoS...
  • Page 551: Determining Packet Drop Priority Using Wred

    Determining packet drop priority using WRED TABLE 93 ToS-based QoS configuration information (Continued) This field... Displays... Mark The marking type enabled on the interface. The marking type can be any of the following: • COS – CoS marking is enabled. •...
  • Page 552: How Wred Operates

    Determining packet drop priority using WRED How WRED Operates The graph in Figure 88 describes the interaction of the previously described variables in the operation of WRED. When a packet arrives at a switch, the average queue size (q-size) is calculated (note that this is not the statistical average queue size - (refer to “Calculating avg-q-size”...
  • Page 553: Using Wred With Rate Limiting

    Configuring packet drop priority using WRED Pdrop = (pkt-size / pkt-size-max) * Pmax * ((avg-q-size - min-avg-q-size) / (max-avg-q-size - min-avg-q-size)) Using WRED with rate limiting When rate limiting is configured on a device, it directs the switch to drop traffic indiscriminately when the configured average-rate and maximum-burst thresholds are exceeded.
  • Page 554 Configuring packet drop priority using WRED TABLE 94 Possible Wq values (Continued) Averaging weight setting | Wq value as a percentage: ... 12.5%, 6.2%, 3.12%, 1.56%, 0.78%, 0.4%, 0.2%, 0.09%, 0.05%, 0.02%, 0.01% To set the wq parameter for queues with a queue type of 1 to 25%, use the following command. BigIron RX(config)#qos queue-type 1 wred averaging-weight 25% This gives the current queue size a weight of 25% over the statistical average queue size.
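    The drop-probability formula and the averaging weight are worked through in the following Python example, which is added here and is not part of the guide. Wq = 25% and Pmax = 20% are the values used in the page's own commands; the queue thresholds, packet size and burst pattern are constructed, and the tail-drop behaviour above the maximum average queue size is an assumption taken from standard RED, since the page does not state it.

```python
"""WRED arithmetic from this page: the drop-probability formula and the
averaging weight (Wq) that produces the average queue size.

Added example, not from the BigIron RX guide. The tail-drop behaviour above
max-avg-q-size and the thresholds used in the demo are assumptions (the
page's default-settings table is truncated); Wq = 25% and Pmax = 20% are
the values in the page's own command examples.
"""
from typing import List, Tuple


def avg_queue_size(prev_avg: float, current: float, wq: float) -> float:
    """Exponentially weighted average: the current instantaneous queue size
    gets weight wq (0.25 for `wred averaging-weight 25%`), the running
    average gets 1 - wq."""
    return (1.0 - wq) * prev_avg + wq * current


def drop_probability(pkt_size: float, pkt_size_max: float, avg_q: float,
                     min_avg_q: float, max_avg_q: float, p_max: float) -> float:
    """Pdrop = (pkt-size / pkt-size-max) * Pmax
              * (avg-q-size - min-avg-q-size) / (max-avg-q-size - min-avg-q-size)

    Below min-avg-q-size WRED drops nothing; above max-avg-q-size every
    packet is dropped (standard RED tail-drop, assumed here)."""
    if avg_q < min_avg_q:
        return 0.0
    if avg_q > max_avg_q:
        return 1.0
    size_factor = min(pkt_size, pkt_size_max) / pkt_size_max
    fill = (avg_q - min_avg_q) / (max_avg_q - min_avg_q)
    return size_factor * p_max * fill


def simulate(instantaneous_sizes: List[float], wq: float, pkt_size: float,
             pkt_size_max: float, min_avg_q: float, max_avg_q: float,
             p_max: float) -> List[Tuple[float, float]]:
    """Feed a sequence of instantaneous queue sizes through the averager and
    return (avg-q-size, Pdrop) per step. A short burst above max-avg-q-size
    does not immediately cause drops because the average lags behind."""
    out, avg = [], 0.0
    for size in instantaneous_sizes:
        avg = avg_queue_size(avg, size, wq)
        out.append((avg, drop_probability(pkt_size, pkt_size_max, avg,
                                          min_avg_q, max_avg_q, p_max)))
    return out


# Constructed demo parameters (KByte for queue sizes, bytes for packets).
MIN_AVG_Q, MAX_AVG_Q = 1024.0, 16384.0
PKT_MAX = 1024.0
P_MAX = 0.20      # `drop-probability-max 20`
WQ = 0.25         # `averaging-weight 25%`

if __name__ == "__main__":
    burst = [0.0] * 3 + [20000.0] * 4 + [0.0] * 3   # idle, burst, idle
    for step, (avg, p) in enumerate(simulate(burst, WQ, PKT_MAX, PKT_MAX,
                                             MIN_AVG_Q, MAX_AVG_Q, P_MAX)):
        print(f"t={step}: avg-q-size={avg:8.1f} KB  Pdrop={p:.4f}")
```

    The size factor is why a larger Wq (a more reactive average) combined with a small maximum packet size makes WRED fall on small packets less aggressively than on full-size ones; the burst run in the demo shows the average climbing only about a quarter of the way toward the instantaneous size per step.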
  • Page 555 Configuring packet drop priority using WRED Setting the maximum drop probability To set the maximum drop probability when the queue size reaches the Max-average-q-size value to 20% use the following command. BigIron RX(config)#qos queue-type 1 wred drop-precedence 0 drop-probability-max 20 Syntax: [no] qos queue-type <queue-number> wred drop-precedence <policing-status> drop-probability-max <p-max%>...
  • Page 556 Configuring packet drop priority using WRED The <queue-type> variable is the number of the forwarding queue type that you want to configure drop-precedence for. There are four forwarding queue types on BigIron RX Routers, numbered 0 to 3. The <drop-precedence-value>...
  • Page 557: Displaying The Wred Configuration

    Configuring packet drop priority using WRED TABLE 95 WRED default settings Queue type | Drop precedence | Minimum average queue size (KByte) | Maximum average queue size (KByte) | Maximum packet size (Byte) | Maximum drop probability | Maximum instantaneous queue size | Averaging weight ... 1024 | 16384 | 1024 | 0.2% | 1024...
  • Page 558: Scheduling Traffic For Forwarding

    Scheduling traffic for forwarding Scheduling traffic for forwarding If the traffic being processed by a device is within the capacity of the switch, all traffic is forwarded as received. Once the switch becomes bandwidth constrained, traffic is subject to drop priority if configured as described in “Determining packet drop priority using WRED”...
  • Page 559 Scheduling traffic for forwarding Configuring strict priority-based traffic scheduling To configure strict priority-based scheduling use a command such as the following. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos scheduler strict Syntax: qos scheduler strict Configuring enhanced strict priority-based traffic scheduling To configure enhanced strict priority-based scheduling use a command such as the following.
  • Page 560 Scheduling traffic for forwarding The values of the remaining queues are calculated to be the following. q2 = 30%, q1 = 20%, and q0 = 10% Configuring WFQ destination-based traffic scheduling To configure WFQ destination-based scheduling use a command such as the following. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos scheduler destination-weighted 5 10 15 20 Syntax: qos scheduler destination-weighted <queue0-weight>...
  • Page 561 Scheduling traffic for forwarding Syntax: qos scheduler max-rate <Queue0-rate> <Queue1-rate> <Queue2-rate> <Queue3-rate> The <Queue0-rate> variable defines the maximum bandwidth allocated to forwarding queue 0 in Kbps. The <Queue1-rate> variable defines the maximum bandwidth allocated to forwarding queue 1 in Kbps. The <Queue2-rate>...
  • Page 562: Configuring Multicast Traffic Engineering

    Configuring multicast traffic engineering BigIron RX#show qos scheduler Port | Scheduler Type | Prio0 | Prio1 | Prio2 | Prio3 (rates where specified are in Kbps) 13/1 | strict 13/2 | enhanced-strict | Rate 100000 | 200000 | 300000 | Remaining 13/3 | min-rate | Rate 102400 | 204800 | 307200 | 409600...
  • Page 563: Displaying The Multicast Traffic Engineering Configuration

    Configuring multicast traffic engineering To limit the multicast traffic through the packet processor that includes port 1/1 to 10 Mbps, use the following command. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos multicast best-effort rate 10000 Syntax: qos multicast best-effort rate <rate> The <rate>...
  • Page 564: Qos For The Oversubscribed 16 X 10Ge Modules

    QoS for the oversubscribed 16 x 10GE modules QoS for the oversubscribed 16 x 10GE modules The 16-port 10 Gigabit Ethernet oversubscribed module plugs into any port slot of the BigIron RX switch and is compatible with all previous generations of card on that switch. It provides interfaces to 16 X 10GE ports.
  • Page 565: Switching Between Server And Storage Modes

    QoS for the oversubscribed 16 x 10GE modules In both Server and Storage modes, network control traffic uses Drop Precedence 0 (DP0). Incoming network control traffic is assigned DP0 and all other traffic is assigned DP1, which allows the module to prefer network control during congestion.
  • Page 566: Setting The Group Port Weights

    QoS for the oversubscribed 16 x 10GE modules TABLE 96 QOS profile table (Continued) 0 or 4 | High priority TC | DP0 (Network control) 1 or 5 | High priority TC | DP0 (Network control) 2 or 6 | High priority TC | DP0 (Network control) 3 or 7 | High priority TC | DP0 (Network control) Setting the group port weights...
  • Page 567: Egress Port Shaping

    QoS for the oversubscribed 16 x 10GE modules The values of the remaining weights are calculated to be the following: w0 = 4.17%, w1 = 20.83%, w2 = 4.17%, w4 = 4.17%, w5 = 20.83%, w6 = 4.17%, and w7 = 20.83% Egress port shaping The 16x10GE module is designed to provide port fairness, but the cost is a smaller number of usable queues per input port (on egress).
  • Page 568: Configuring Qos For The 16 X 10G Module

    QoS for the oversubscribed 16 x 10GE modules Configuring QoS for the 16 x 10G module New CLI commands have been added to allow alternating between server and storage modes on the 16 x 10GE module. The new commands are part of the qos group, and configured at the interface level.
  • Page 569 QoS for the oversubscribed 16 x 10GE modules Use the wfq parameter to set the 16x10G module to weighted fair queuing mode. Use the num parameter to set the port weight. Refer to Table 97 on page 495 for additional information on possible values.
  • Page 571: Traffic Policing On The Bigiron Rx Series

    Chapter Configuring Traffic Reduction Traffic policing on the BigIron RX Series The BigIron RX Series Router provides line-rate traffic policing in hardware on inbound ports and outbound ports. You can configure a BigIron RX Series Router to use one of the following modes of traffic policing policies: •...
  • Page 572: Maximum Burst

    Traffic reduction parameters and algorithm The requested rate represents a percentage of an interface's line rate (bandwidth), expressed in bits per second (bps). The requested rate must be entered in multiples of 515,624 bps. If you enter a number that is not a multiple of 515,624, the software rounds the rate down to the nearest multiple so that the credit calculation does not leave a partial credit.
  • Page 573: Configuration Considerations

    Configuration considerations The running total can never exceed the maximum credit total. When packets arrive at the port, a class is assigned to the packet, based on the rate limiting policies. If the running total of the class is less than the size of the packet, then the packet is dropped. Otherwise, the size of the packet is subtracted from the running total and the packet is forwarded.
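    The following example models the credit algorithm described above, including the rounding of the requested rate to a multiple of 515,624 bps. It is an added example, not the BigIron RX hardware algorithm or any code from the guide: the 1 ms credit interval, a single traffic class, and the choice of one interval's credit plus the maximum burst as the maximum credit total are assumptions made for the illustration.

```python
"""Credit-based rate limiting as described on this page.

Added example, not the BigIron RX hardware algorithm. From the page: the
requested rate is rounded down to a multiple of 515,624 bps; credits
accumulate into a running total that can never exceed a maximum credit
total; a packet larger than the running total is dropped, otherwise its size
is deducted and it is forwarded. Assumptions (mine): a 1 ms credit interval,
one traffic class, and a maximum credit total equal to one interval's credit
plus the configured maximum burst.
"""
from typing import List, Tuple

RATE_GRANULARITY_BPS = 515_624


def normalize_requested_rate(requested_bps: int) -> int:
    """Round a requested rate down to the nearest multiple of 515,624 bps."""
    if requested_bps < RATE_GRANULARITY_BPS:
        raise ValueError("requested rate is below the 515,624 bps granularity")
    return (requested_bps // RATE_GRANULARITY_BPS) * RATE_GRANULARITY_BPS


class CreditPolicer:
    """One rate limiting class: running credit total kept in bits."""

    def __init__(self, requested_bps: int, max_burst_bits: int, interval_ms: int = 1):
        self.rate_bps = normalize_requested_rate(requested_bps)
        self.credit_per_interval = self.rate_bps * interval_ms // 1000
        self.max_credit = self.credit_per_interval + max_burst_bits   # assumption
        self.credits = self.max_credit                                # start full
        self.fwd_bits = 0
        self.drop_bits = 0

    def tick(self) -> None:
        """Each interval adds one credit quantum, capped at the maximum total."""
        self.credits = min(self.max_credit, self.credits + self.credit_per_interval)

    def offer(self, pkt_bits: int) -> bool:
        """Forward (True) or drop (False) one packet against the running total."""
        if self.credits < pkt_bits:
            self.drop_bits += pkt_bits
            return False
        self.credits -= pkt_bits
        self.fwd_bits += pkt_bits
        return True


def run(policer: CreditPolicer, arrivals: List[List[int]]) -> Tuple[int, int]:
    """arrivals[i] = packet sizes (bits) arriving in interval i.
    Returns (bits forwarded, bits dropped), like `show rate-limit counters`."""
    for packets in arrivals:
        policer.tick()
        for pkt in packets:
            policer.offer(pkt)
    return policer.fwd_bits, policer.drop_bits


if __name__ == "__main__":
    # 500 Mbps requested -> 499,639,656 bps after rounding down; 750 Mbit burst
    p = CreditPolicer(500_000_000, 750_000_000)
    print("configured rate:", p.rate_bps, "bps")
    # constructed arrivals: two 1 ms intervals of 12,000-bit frames
    print("fwd/drop bits:", run(p, [[12_000] * 40, [12_000] * 60]))
```

    Because a packet is dropped outright when it exceeds the running total (rather than being queued), a burst arriving before credits have accumulated is lost even if the long-term rate is below the limit; the maximum burst is what absorbs that.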
  • Page 574: Configuring Rate Limiting Policies

    Configuring rate limiting policies TABLE 98 Maximum # of rate limiting policies and VLANs w/ byte accounting permitted per-PPCR Module type | PPCR number | Port # | Max # of rate limiting policies based on ACLs and VLANs + number of VLANs w/ byte accounting enabled 4 x 10G | PPCR 1 | ...
  • Page 575: Configuring A Port-And-Priority-Based Rate Limiting Policy

    Configuring rate limiting policies The <maximum-burst> parameter specifies the extra bits above the requested rate that traffic can have. Refer to “Maximum burst” on page 500 for more details. Configuring a port-and-priority-based rate limiting policy 802.1p packet priority is used by default. The priority number specifies the IEEE 802.1p equivalent to one of the four Brocade QoS queues.
  • Page 576: Configuring A Vlan-Group-Based Rate Limiting Policy

    Configuring rate limiting policies Configuring a VLAN-group-based rate limiting policy A rate limiting policy can be applied to a VLAN group. VLANs that are members of a VLAN group share the specified bandwidth defined in the rate limiting policy applied to that group. To configure a rate limiting policy for a VLAN group, do the following.
  • Page 577 Configuring rate limiting policies The priority <num> parameter specifies the 802.1p priority levels 0 - 7, equivalent to one of the four QoS queues. For information on the priority levels and the corresponding queue, refer “Assigning QoS priorities to traffic” on page 472.
  • Page 578: Configuring A Port-And-Ipv6 Acl-Based Traffic Reduction

    Configuring rate limiting policies These commands first configure access-list groups that contain the ACLs that will be used in the rate limiting policy. Use the permit condition for traffic that will be rate limited. Traffic that matches a deny condition is not subject to rate limiting and is allowed to pass through. Refer to “Configuring a port-and-IPv6 ACL-based traffic reduction”...
  • Page 579: Rate Limiting

    NP based multicast, broadcast, and unknown-unicast rate limiting NP based multicast, broadcast, and unknown-unicast rate limiting NOTE Beginning with release 02.7.00, the multicast limit, broadcast limit, and unknown-unicast limit commands have been superseded by the multicast rate-limit, broadcast rate-limit, and unknown-unicast rate-limit commands.
  • Page 580 Displaying traffic reduction BigIron RX(config)# show rate-limit interface e 1/1 rate-limit input 499321856 750000000 interface e 1/3 rate-limit input vlan-id 10 499321856 750000000 rate-limit input vlan-id 20 97523712 200000000 To display bytes forwarded and dropped, enter the following command. BigIron RX(config)# show rate-limit counters interface e 1/1 rate-limit input 499321856 750000000 Bytes fwd: 440 Bytes drop: 20 Total: 460...
  • Page 581: Filtering Based On Ethertype

    Chapter Layer 2 ACLs This chapter presents information to configure and view Layer 2 ACLs. Layer 2 Access Control Lists (ACLs) filter incoming traffic based on Layer 2 MAC header fields in the Ethernet/IEEE 802.3 frame. Specifically, Layer 2 ACLs filter incoming traffic based on any of the following Layer 2 fields in the MAC header: •...
  • Page 582: Configuring Layer 2 Acls

    Configuring Layer 2 ACLs • You cannot add remarks to a Layer 2 ACL clause. Configuring Layer 2 ACLs Configuring a Layer 2 ACL is similar to configuring standard and extended ACLs. Layer 2 ACL table IDs range from 400 to 499, for a maximum of 100 configurable Layer 2 ACL tables. Within each Layer 2 ACL table, you can configure from 64 (default) to 256 clauses.
  • Page 583: Example Layer 2 Acl Clauses

    Configuring Layer 2 ACLs The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using F’s and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000.
  • Page 584: Inserting And Deleting Layer 2 Acl Clauses

    Viewing Layer 2 ACLs Inserting and deleting Layer 2 ACL clauses You can make changes to the Layer 2 ACL table definitions without unbinding and rebinding the table from an interface. For example, you can add a new clause to the ACL table, delete a clause from the table, delete the ACL table, etc.
  • Page 585: Example Of Layer 2 Acl Deny By Mac Address

    Viewing Layer 2 ACLs Example of Layer 2 ACL deny by MAC address In the following example, an ACL is created that denies all traffic from the host with the MAC address 0012.3456.7890 being sent to the host with the MAC address 0011.2233.4455. BigIron RX(config)# access-list 401 deny 0012.3456.7890 ffff.ffff.ffff 0011.2233.4455 ffff.ffff.ffff BigIron RX(config)# access-list 401 permit any any...
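    The mask semantics described above (F nibbles must match, 0 nibbles are wildcards) and the access-list 401 example can be exercised with the following evaluator. It is an added example rather than code from the guide; the VLAN and ethertype options are not modelled, the implicit deny for frames that match no clause is an assumption, and the test frames are constructed.

```python
"""Layer 2 ACL matching as this page describes it.

Added example, not code from the BigIron RX guide. From the page: a clause
names an action, a source MAC with a comparison mask and a destination MAC
with a mask (or `any`); F nibbles in the mask must match and 0 nibbles are
wildcards, so aabb.ccdd.eeff ffff.0000.0000 matches on the first two bytes;
clauses are checked in order and the first match decides. The implicit deny
for unmatched frames is an assumption; the frames fed in are constructed.
"""
from typing import List, NamedTuple, Optional


def mac_to_int(mac: str) -> int:
    """Accept aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


class L2Clause(NamedTuple):
    action: str            # "permit" or "deny"
    src: Optional[int]     # None means `any`
    src_mask: int
    dst: Optional[int]
    dst_mask: int


def parse_clause(text: str) -> L2Clause:
    """Parse 'deny 0012.3456.7890 ffff.ffff.ffff 0011.2233.4455 ffff.ffff.ffff'
    or 'permit any any' (trailing VLAN/ethertype options are not modelled)."""
    toks = text.split()
    action = toks.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")

    def take_addr():
        if toks[0] == "any":
            toks.pop(0)
            return None, 0
        addr, mask = toks.pop(0), toks.pop(0)
        return mac_to_int(addr), mac_to_int(mask)

    src, src_mask = take_addr()
    dst, dst_mask = take_addr()
    return L2Clause(action, src, src_mask, dst, dst_mask)


def field_matches(value: int, pattern: Optional[int], mask: int) -> bool:
    """Only the masked bits are compared; `any` always matches."""
    return pattern is None or (value & mask) == (pattern & mask)


def evaluate(acl: List[L2Clause], src_mac: str, dst_mac: str) -> str:
    """First matching clause wins; no match -> implicit deny (assumed)."""
    s, d = mac_to_int(src_mac), mac_to_int(dst_mac)
    for clause in acl:
        if (field_matches(s, clause.src, clause.src_mask)
                and field_matches(d, clause.dst, clause.dst_mask)):
            return clause.action
    return "deny"


# The page's access-list 401, parsed from the same clause text.
ACL_401 = [
    parse_clause("deny 0012.3456.7890 ffff.ffff.ffff 0011.2233.4455 ffff.ffff.ffff"),
    parse_clause("permit any any"),
]

if __name__ == "__main__":
    for src, dst in [("0012.3456.7890", "0011.2233.4455"),
                     ("0012.3456.7890", "0011.2233.4456")]:
        print(src, "->", dst, ":", evaluate(ACL_401, src, dst))
```

    A clause with mask ffff.0000.0000 and no destination constraint is the usual way to block or admit a whole OUI; the evaluator shows that a one-bit difference inside the masked bytes is enough to fall through to the next clause.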
  • Page 587: How The Bigiron Rx Processes Acls

    Chapter Access Control List This chapter describes the IP Access Control List (ACL) feature, which enables you to filter traffic based on the information in the IP packet header. For details on Layer 2 ACLs, refer to “Types of IP ACLs”...
  • Page 588: Disabling Or Re-Enabling Access Control Lists (Acls)

    Disabling or re-enabling Access Control Lists (ACLs) RX-BI-16XG (16 x 10GE) Module EGRESS ACL Configuration Guidelines • The RX-BI-16XG 16 x 10GE module supports only standard, extended, named, and numbered ACLs for outbound access-group applications. • Egress filtering on a subset of the ports of a VE is not supported; matching must apply to all VE ports.
  • Page 589: Acl Ids And Entries

    ACL IDs and entries Standard or extended ACLs can be numbered or named. Standard ACLs are numbered from 1 – 99, extended ACLs are numbered 100 – 199. Super ACLs may be assigned numbered IDs only, from 500 - 599. IDs for standard or extended ACLs can also be a character string (named). In this document, an ACL with a string ID is called a named ACL.
  • Page 590: Acl-Based Inbound Mirroring

    ACL-based inbound mirroring ACL-based inbound mirroring With IronWare Release 02.4.00, the Multi-Service IronWare software supports using an ACL to select traffic for mirroring from one port to another. Using this feature, you can monitor traffic in the mirrored port using a protocol analyzer. Considerations when configuring ACL-based inbound mirroring The following must be considered when configuring ACL-based Inbound Mirroring:...
  • Page 591: Applying The Acl To An Interface

    ACL-based inbound mirroring BigIron RX(config)#access-list 101 permit ip any any mirror The mirror parameter directs selected traffic to the mirrored port. Traffic can only be selected using the permit clause. The mirror parameter is supported on rACLs. Applying the ACL to an interface You must apply the ACL to an interface using the ip access-group command as shown in the following.
  • Page 592 ACL-based inbound mirroring BigIron RX(config)# trunk switch ethernet 1/1 to 1/2 BigIron RX(config-trunk-1/1-1/2)# config-trunk-ind BigIron RX(config-trunk-1/1-1/2)# acl-mirror-port ethe-port-monitored 1/1 ethernet 1/3 The following considerations apply when configuring ACL-based mirroring with trunks: • You must configure ACL-mirroring for a trunk within the trunk configuration as shown in the examples.
  • Page 593: Interfaces

    Configuring numbered and named ACLs Configuring ACL-based mirroring for ACLs bound to virtual interfaces For configurations that have an ACL bound to a virtual interface, you must configure the acl-mirror-port command on a port for each PPCR that is a member of the virtual interface. For example, in the following configuration ports 4/1 and 4/2 share the same PPCR while port 4/3 uses another PPCR.
  • Page 594 Configuring numbered and named ACLs Standard ACLs permit or deny packets based on source IP addresses. You can configure up to 99 standard ACLs. There is no limit to the number of ACL entries an ACL can contain, except for the system-wide limitation.
  • Page 595: Configuring Extended Numbered Acls

    Configuring numbered and named ACLs <wildcard> Specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>.
  • Page 596 Configuring numbered and named ACLs • Destination TCP or UDP port (if the IP protocol is TCP or UDP) The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255: • Internet Control Message Protocol (ICMP) •...
  • Page 597: Extended Acl Syntax

    Configuring numbered and named ACLs The following commands apply ACL 102 to the incoming traffic on port 1/2 and to the incoming traffic on port 4/3. BigIron RX(config)# int eth 1/2 BigIron RX(config-if-e10000-1/2)# ip access-group 102 in BigIron RX(config-if-e10000-1/2)# exit BigIron RX(config)# int eth 4/3 BigIron RX(config-if-e10000-4/3)# ip access-group 102 in BigIron RX(config)# write memory...
  • Page 598 Configuring numbered and named ACLs [<operator> <destination-tcp/udp-port>] [match-all <tcp-flags>] [match-any <tcp-flags>] [<icmp-type>] [established] [precedence <name> | <num>] [tos <number>] [dscp-matching <number>] [802.1p-priority-matching <number>] [dscp-marking <number> 802.1p-priority-marking <number> internal-priority-marking <number>] | [dscp-marking <number> dscp-cos-mapping] | [dscp-cos-mapping] [fragment] [non-fragment] [first-fragment] [fragment-offset <number>] [spi <00000000 - ffffffff>] [log] Syntax: [no] access-list <num>...
  • Page 599 Configuring numbered and named ACLs <wildcard> Specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>.
  • Page 600 Configuring numbered and named ACLs <operator> Specifies a comparison operator for the TCP or UDP port number. You can enter one of the following operators: • eq – The policy applies to the TCP or UDP port name or number you enter after •...
  • Page 601 Configuring numbered and named ACLs <icmp-type> Enter one of the following values, depending on the software version the device is running: • any-icmp-type • echo • echo-reply • information-request • mask-reply • mask-request • parameter-problem • redirect • source-quench •...
  • Page 602 Configuring numbered and named ACLs • tos <name> | <num> Specify the IP ToS name or number. You can specify one of the following: • max-reliability or 2 – The ACL matches packets that have the maximum reliability ToS. The decimal value for this option is 2. •...
  • Page 603: Configuring Standard Or Extended Named Acls

    Configuring numbered and named ACLs • The dscp-cos-mapping parameter takes the DSCP value you specified and compares it to an internal QoS table, which is indexed by DSCP values. The corresponding 802.1p priority, internal forwarding priority, and DSCP value is assigned to the packet. For example, if you enter dscp-marking 7 and the internal QoS table is configured as shown in Table...
  • Page 604 Configuring numbered and named ACLs The following examples show how to configure a named standard ACL entry and a named extended ACL entry. Configuration example for standard ACL To configure a named standard ACL entry, enter commands such as the following. BigIron RX(config)# ip access-list standard Net1 BigIron RX(config-std-nacl)# deny host 209.157.22.26 log BigIron RX(config-std-nacl)# deny 209.157.29.12 log...
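    The wildcard semantics described under “Configuring extended numbered ACLs” (zeros mark the bits that must match, ones are don't-care) and the Net1 standard ACL above are worked through in the following evaluator, added here and not taken from the guide. It assumes an implicit deny at the end of every ACL and a closing permit any for Net1 (the listing on this page is cut off), and the sample source addresses are constructed. The last call shows the classic mistake of typing a subnet mask where a wildcard belongs: 255.255.255.0 matches any address whose last octet is 0, not the 209.157.22.0/24 network.

```python
"""Standard IP ACL matching with wildcard masks, as this page describes.

Added example, not code from the BigIron RX guide. From the page: the
wildcard is dotted-decimal; 0 bits mean the packet's source must match the
configured address and 1 bits are don't-care (the inverse of a subnet
mask); a bare address, `host X` and `X 0.0.0.0` are equivalent; named
standard ACL Net1 denies 209.157.22.26 and 209.157.29.12 with `log`.
Assumptions: an implicit deny at the end, a `permit any` closing Net1 (the
page's listing is cut off), and the constructed sample sources.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

MASK32 = 0xFFFFFFFF


class StdClause(NamedTuple):
    action: str
    addr: int
    wildcard: int
    log: bool


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_for_prefix(prefix_len: int) -> str:
    """/24 -> 0.0.0.255: the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def parse_std_clause(text: str) -> StdClause:
    """'deny host 209.157.22.26 log' | 'deny 209.157.29.12 log' |
    'permit 209.157.22.0 0.0.0.255' | 'permit any'"""
    toks = text.split()
    action = toks.pop(0)
    log = toks[-1] == "log"
    if log:
        toks.pop()
    if toks[0] == "any":
        addr, wildcard = 0, MASK32
    elif toks[0] == "host":
        addr, wildcard = to_int(toks[1]), 0
    else:
        addr = to_int(toks[0])
        wildcard = to_int(toks[1]) if len(toks) > 1 else 0   # bare address -> 0.0.0.0
    return StdClause(action, addr, wildcard, log)


def lookup(acl: List[StdClause], src: str) -> Tuple[str, Optional[int], bool]:
    """Return (action, index of matching clause, log flag); implicit deny if none."""
    s = to_int(src)
    for idx, c in enumerate(acl):
        care = ~c.wildcard & MASK32        # bits that must match
        if (s & care) == (c.addr & care):
            return c.action, idx, c.log
    return "deny", None, False


NET1 = [
    parse_std_clause("deny host 209.157.22.26 log"),
    parse_std_clause("deny 209.157.29.12 log"),
    parse_std_clause("permit any"),           # assumed closing clause
]

if __name__ == "__main__":
    for src in ["209.157.22.26", "209.157.29.12", "209.157.29.13"]:
        print(src, lookup(NET1, src))
    # A subnet mask typed where a wildcard belongs inverts the intent:
    print(lookup([parse_std_clause("permit 209.157.22.0 255.255.255.0")], "10.0.0.0"))
```

    The returned clause index and log flag are what a reviewer needs to confirm which entry produced a hit in the logs; the order of the two deny entries in Net1 does not matter because they cover disjoint hosts, but a permit placed above them would shadow both.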
  • Page 605 Configuring numbered and named ACLs NOTE For convenience, the software allows you to configure numbered ACLs using the syntax for named ACLs. The software also still supports the older syntax for numbered ACLs. Although the software allows both methods for configuring numbered ACLs, numbered ACLs are always formatted in the startup-config and running-config files using the older syntax, as follows.
  • Page 606: Configuring Super Acls

    Configuring numbered and named ACLs Syntax: [no] ip access-group <num> in The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring extended numbered ACLs” on page 523.
  • Page 607 Configuring numbered and named ACLs vlan-id <vlan-id> | ip-pkt-len <pkt-len> | ip-fragment-match {[fragment [fragment-offset <0 - 8191>]] | [non-fragment] | [first-fragment]} | ip-protocol <ip-protocol> | sip {<source-ip>/<source-ip-mask-len> | host <hostname>} | dip {<destination-ip>/<destination-ip-len> | host <hostname>} | sp <operator> <source-tcp/udp-port> | dp <operator>...
  • Page 608: Displaying Acl Definitions

    Displaying ACL definitions Enables packet matching based on specified source TCP/UDP port. Enables packet matching based on specified destination TCP/UDP port. icmp-detail Enables packet matching based on ICMP information. 801.2-priority-matching Enables packet matching based on the specified 802.1p priority value. Valid range is 0-7.
  • Page 609: Displaying Of Tcp/Udp Numbers In Acls

    Displaying ACL definitions BigIron RX(config)#show access-list name entry Standard IP access list entry deny host 5.6.7.8 deny host 192.168.12.3 permit any Syntax: show access-list name <acl-name> Enter the ACL name for the <acl-name> parameter or the ACL number for <acl-number>. Displaying of TCP/UDP numbers in ACLs You can display the port numbers of TCP/UDP application information instead of their TCP/UDP well-known port name in the output of show commands and other commands that contain...
  • Page 610 Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number Resource Location Protocol graphics Graphics nameserver Host Name Server nicname Who Is mpm-flags MPM FLAGS Protocol Message Processing Module [recv] mpm-snd MPM [default send] ni-ftp NI FTP auditd...
  • Page 611 Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number mit-ml-dev2 MIT ML Device mfcobol Micro Focus Cobol kerberos Kerberos su-mit-tg SU/MIT Telnet Gateway dnsix DNSIX Securit Attribute Token Map mit-dov MIT Dover Spooler Network Printing Protocol Device Control Protocol objcall...
  • Page 612 Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number erpc Encore Expedited Remote Pro.Call smakynet SMAKYNET ansatrader ANSA REX Trader locus-map Locus PC-Interface Net Map Ser unitary NXEdit locus-con Locus PC-Interface Conn Server gss-xlicen GSS X License Verification pwdgen...
  • Page 613 Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number nss-routing NSS-Routing sgmp-traps SGMP-TRAPS cmip-man CMIP/TCP Manager cmip-agent CMIP/TCP Agent xns-courier Xerox s-net Sirius Systems namp NAMP rsvd RSVD send SEND print-srv Network PostScript multiplex Network Innovations Multiplex cl/1...
  • Page 614 Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number dn6-smm-red DNSIX Session Mgt Module Audit Redir Directory Location Service dls-mon Directory Location Service Monitor smux SMUX IBM System Resource Controller at-rtmp AppleTalk Routing Maintenance at-nbp AppleTalk Name Binding at-3...
  • Page 615 Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number csi-sgwp Cabletron Management Protocol clearcase Clearcase ulistserv ListProcessor legent-1 Legent Corporation legent-2 Legent Corporation hassle Hassle Amiga Envoy Network Inquiry Protocol tnETOS NEC Corporation dsETOS NEC Corporation is99c...
  • Page 616 Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number imsp Interactive Mail Support Protocol timbuktu Timbuktu prm-sm Prospero Resource Manager Sys. Man. prm-nm Prospero Resource Manager Node Man. decladebug DECLadebug Remote Debug Protocol Remote MT Protocol synoptics-trap Trap Convention Port...
  • Page 617 Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number cvc_hostd cvc_hostd http protocol over TLS/SSL snpp Simple Network Paging Protocol microsoft-ds Microsoft-DS ddm-rdb DDM-RDB ddm-dfm DDM-RFM ddm-byte DDM-BYTE as-servermap AS Server Mapper tserver Computer Supported Telecomunication Applications...
  • Page 618 Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number meter-570 demon meter-571 udemon ipcserver SUN ipc sERVER sift-uft Sender-Initiated or Unsolicited File Transfer npmp-trap npmp-trap npmp-local npmp-local npmp-gui npmp-gui ginad ginad mdqs mdqs doom doom ID software...
  • Page 619: Acl Logging

    ACL logging TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number webster webster phonebook phone cadlock-770 CADLOCK -770 rtip rtip cycleserv2 CYCLE Server submit SUBMIT rpasswd rpasswd entomb entomb wpages wpages wpgs wpgs concert concert mdbs_daemon mdbs_daemon device...
  • Page 620: Enabling The New Logging Method

    Modifying ACLs NOTE Logging is not currently supported on management interfaces. Enabling the new logging method There are no new CLI commands to enable this new processing method; it takes effect automatically if the following items have been configured: • Syslog logging is enabled.
  • Page 621 Modifying ACLs You can use the CLI to reorder entries within an ACL by individually removing the ACL entries and then re-adding them. To use this method, enter “no” followed by the command for an ACL entry, and repeat this for each ACL entry in the ACL you want to edit. After removing all the ACL entries from the ACL, re-add them.
  • Page 622: Adding Or Deleting A Comment

    Modifying ACLs NOTE This command will be unsuccessful if you place any commands other than access-list and end (at the end only) in the file. These are the only commands that are valid in a file you load using the copy tftp running-config… command. To save the changes to the device’s startup-config file, enter the following command at the Privileged EXEC level of the CLI.
  • Page 623 Modifying ACLs NOTE An ACL remark is attached to each individual filter only, not to the entire ACL. Complete the syntax by specifying any options you want for the ACL entry. Options you can use to configure standard or extended numbered ACLs are discussed in “Configuring standard or extended named ACLs”...
  • Page 624: Deleting Acl Entries

    Deleting ACL entries • remark <string> - adds a comment to the ACL entry. The comment can contain up to 128 characters. Comments must be entered separately from actual ACL entries; that is, you cannot enter an ACL entry and an ACL comment with the same command. Also, in order for the remark to be displayed correctly in the output of show commands, a comment must be entered immediately before the ACL entry it describes.
  • Page 625: From Named Acls

    Deleting ACL entries The <acl-number> parameter specifies the ACL entry to be deleted. The <acl-num> parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 1 – 99 for standard ACLs, 100 – 199 for extended ACLs, or 500 – 599 for super ACLs. You must enter the complete deny or permit statement for the <entire-deny-or-permit-statement>...
  • Page 626: Applying Acls To Interfaces

    Applying ACLs to interfaces Applying ACLs to interfaces Configuration examples in the section “Configuring numbered and named ACLs” on page 521 show that you apply ACLs to interfaces using the ip access-group command. This section presents additional information about applying ACLs to interfaces. Configuration examples for super ACLs appear in the section “Configuring super ACLs”...
  • Page 627: Configuring The Layer 4 Session Log Timer

    Applying ACLs to interfaces NOTE Applying an ACL to a subset of physical interfaces under a virtual routing interface multiplies the amount of CAM used by the number of physical interfaces specified. An ACL that successfully functions over a whole virtual routing interface may fail if you attempt to apply it to a subset of physical interfaces.
  • Page 628: Qos Options For Ip Acls

    QoS options for IP ACLs When the first Syslog entry for a packet denied by an ACL is generated, the software starts an ACL timer. After this, the software sends Syslog messages every 1 to 10 minutes, depending on the value of the timer interval.
  • Page 629: Enabling Acl Duplication Check

    Enabling ACL duplication check Enabling ACL duplication check If desired, you can enable software checking for duplicate ACL entries. To do so, enter the following command at the Global CONFIG level of the CLI. BigIron RX(config)# acl-duplication-check-disable Syntax: [no] acl-duplication-check-disable This command is disabled by default.
  • Page 630: Displaying Statistics For An Interface

    ACL accounting BigIron RX(config)#show access-list accounting brief Collecting ACL accounting summary for VE 1 ... Completed successfully. ACL Accounting Summary: (ac = accumulated since accounting started) In ACL Total In Hit VE 1 473963(1s) 25540391(1m) 87014178(5m) 112554569(ac) The display shows the following information. This field...
  • Page 631: Clearing The Acl Statistics

    ACL accounting This field... Displays... The IP multicast traffic snooping state The first line of the display indicates whether IP multicast traffic snooping is enabled or disabled. If enabled, it indicates if the feature is configured as passive or active. Collecting ACL accounting summary for Shows the interface included in the report and whether or not the <interface>...
  • Page 632: Packets

    Enabling ACL filtering of fragmented or non-fragmented packets Enabling ACL filtering of fragmented or non-fragmented packets By default, when an extended ACL is applied to a port, the port will use the ACL to permit or deny the first fragment of a fragmented packet, but forward subsequent fragments of the same packet in hardware.
  • Page 633: Interface

    ACL filtering for traffic switched within a virtual routing interface Enter the fragment parameter to allow the ACL to filter fragmented packets. Use the non-fragmented parameter to filter non-fragmented packets. NOTE The fragmented and non-fragmented parameters cannot be used together in an ACL entry. Complete the configuration by specifying options for the ACL entry.
  • Page 634: Named Acls

    ICMP filtering for extended ACLs Named ACLs For example, to deny the administratively-prohibited message type in a named ACL, enter commands such as the following. BigIron RX(config)# ip access-list extended entry BigIron RX(config-ext-nacl)# deny ICMP any any administratively-prohibited BigIron RX(config)# ip access-list extended entry BigIron RX(config-ext-nacl)# deny ICMP any any 3 13 Syntax: [no] ip access-list extended <acl-name>...
  • Page 635: Troubleshooting Acls

    Troubleshooting ACLs TABLE 101 ICMP message types and codes (Continued) ICMP message type Type Code Information-reply mask-reply mask-request net-redirect net-tos-redirect net-tos-unreachable net-unreachable packet-too-big parameter-problem NOTE: This message includes all parameter problems port-unreachable precedence-cutoff protocol-unreachable reassembly-timeout redirect NOTE: This includes all redirects. router-advertisement router-solicitation source-host-isolated...
  • Page 636 Troubleshooting ACLs • To determine whether the issue is specific to fragmentation, remove the Layer 4 information (TCP or UDP application ports) from the ACL, then reapply the ACL. If you are using another feature that requires ACLs, use the same ACL entries for filtering and for the other feature.
  • Page 637: Policy-Based Routing (Pbr)

    Chapter Policy-Based Routing Policy-Based Routing (PBR) Policy-Based Routing (PBR) allows you to use ACLs and route maps to selectively modify and route IP packets in hardware. The ACLs classify the traffic. Route maps that match on the ACLs set routing attributes for the traffic. A PBR policy specifies the next hop for traffic that matches the policy.
  • Page 638: Configuring A Pbr Policy

    Configuring a PBR policy • ACL – 416 entries • Rate Limiting – 416 entries, shared with PBR Configuring a PBR policy To configure PBR, you define the policies using IP ACLs and route maps, then enable PBR globally or on individual interfaces. The device programs the ACLs into the Layer 4 CAM on the interfaces and routes traffic that matches the ACLs according to the instructions in the route maps.
  • Page 639: Configure The Route Map

    Configuring a PBR policy NOTE To specify the host name instead of the IP address, the host name must be configured using the Brocade device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI. The <wildcard>...
  • Page 640: Enabling Pbr

    Configuring a PBR policy BigIron RX(config)# route-map test-route permit 99 BigIron RX(config-routemap test-route)# match ip address 99 BigIron RX(config-routemap test-route)# set ip next-hop 192.168.2.1 BigIron RX(config-routemap test-route)# exit The commands in this example configure an entry in a route map named “test-route”. The match statement matches on IP information in ACL 99.
  • Page 641: Basic Example

    Configuration examples Enabling PBR locally To enable PBR locally, enter commands such as the following. BigIron RX(config)# interface ve 1 BigIron RX(config-vif-1)# ip policy route-map test-route The commands in this example change the CLI to the Interface level for virtual interface 1, then apply the “test-route”...
  • Page 642: Setting The Next Hop

    Configuration examples Setting the next hop The following commands configure the device to apply PBR to traffic from IP subnets 209.157.23.x, 209.157.24.x, and 209.157.25.x. In this example, route maps specify the next-hop gateway for packets from each of these subnets: •...
  • Page 643: Setting The Output Interface To The Null Interface

    Trunk formation Setting the output interface to the null interface The following commands configure a PBR to send all traffic from 192.168.1.204/32 to the null interface, thus dropping the traffic instead of forwarding it. BigIron RX(config)# access-list 56 permit 209.168.1.204 0.0.0.0 The following commands configure an entry in a route map called “file-13”.
  • Page 645: Overview Of Ip Multicasting

    Chapter Configuring IP Multicast Protocols Overview of IP multicasting Multicast protocols allow a group or channel to be accessed over different networks by multiple stations (clients) for the receipt and transmission of multicast data. Distribution of stock quotes, video transmissions such as news services and remote classrooms, and video conferencing are all examples of applications that use multicast routing.
  • Page 646: Changing Global Ip Multicast Parameters

    Changing global IP multicast parameters Leaf Nodes: Routers that do not have any downstream routers. Multicast Tree: A unique tree is built for each source group (S,G) pair. A multicast tree is comprised of a root node and one or more nodes that are leaf or intermediate nodes. NOTE Multicast protocols can only be applied to 1 physical interface.
  • Page 647: Configuring Multicast Boundaries

    IP multicast boundaries Configuration considerations • Normal ACL restrictions apply as to how many software ACLs can be created, but there are no hardware restrictions on ACLs with this feature. • Creation of a static IGMP client is allowed for a group on a port that may be prevented from participation in the group on account of an ACL bound to the port’s interface.
  • Page 648: Passive Multicast Route Insertion (Pmri)

    Passive Multicast Route Insertion (PMRI) Passive Multicast Route Insertion (PMRI) To prevent unwanted multicast traffic from being sent to the CPU, Passive Multicast Route Insertion (PMRI) can be used to ensure that multicast streams are only forwarded out ports with interested receivers and that unwanted traffic is dropped in hardware on Layer 3 Switches running software release 02.4.00 and later.
  • Page 649: Changing Igmp V1 And V2 Parameters

    Changing IGMP V1 and V2 parameters Changing IGMP V1 and V2 parameters IGMP allows Brocade routers to limit the multicast of IGMP packets to only those ports on the router that are identified as IP Multicast members. The router actively sends out host queries to identify IP Multicast groups on the network. The following IGMP V1 and V2 parameters apply to PIM and DVMRP: •...
  • Page 650: Modifying Igmp (V1 And V2) Maximum Response Time

    Adding an interface to a multicast group Modifying IGMP (V1 and V2) maximum response time Maximum response time defines how long the device will wait for an IGMP (V1 and V2) response from an interface before concluding that the group member on that interface is down and removing the interface from the group.
  • Page 651 IGMP v3 IGMP v3 The Internet Group Management Protocol (IGMP) allows an IPV4 system to communicate IP Multicast group membership information to its neighboring routers. The routers in turn limit the multicast of IP packets with multicast destination addresses to only those interfaces on the router that are identified as IP Multicast group members.
  • Page 652: Default Igmp Version

    IGMP v3 In response to membership reports from the interfaces, the router sends a Group-Specific or a Group-and-Source Specific query to the multicast interfaces. For example, a router receives a membership report with a Source-List-Change record to block old sources from an interface. The router sends Group-and-Source Specific Queries to the source and group (S,G) identified in the record.
  • Page 653: Enabling The Igmp Version Per Interface Setting

    IGMP v3 Enter 1, 2, or 3 for <version-number>. Version 2 is the default version. Enabling the IGMP version per interface setting To specify the IGMP version for a physical port, enter a command such as the following. BigIron RX(config)# interface eth 1/5 BigIron RX(config-if-1/5)# ip igmp version 3 To specify the IGMP version for a virtual routing interface on a physical port, enter a command such as the following.
  • Page 654 IGMP v3 • If the interface, to which the client belongs, has IGMP V3 clients only. Therefore, all physical ports on a virtual routing interface must have IGMP V3 enabled and no IGMP V1 or V2 clients can be on the interface. (Although IGMP V3 can handle V1 and V2 clients, these two clients cannot be on the interface in order for fast leave to take effect.) •...
  • Page 655: Setting The Query Interval

    IGMP v3 NOTE Static IGMP groups are supported only in Layer 3 mode. Setting the query interval The IGMP query interval period defines how often a switch will query an interface for group membership. Possible values are 10 – 3,600 seconds and the default value is 125 seconds, but the value you enter must be a little more than twice the group membership time.
  • Page 656 IGMP v3 BigIron RX# show ip igmp group Interface v18 : 1 groups group phy-port static querier life mode #_src 239.0.0.1 e4/20 include 19 Interface v110 : 3 groups group phy-port static querier life mode #_src 239.0.0.1 e4/5 include 10 239.0.0.1 e4/6 exclude 13...
  • Page 657 IGMP v3 This field Displays Static A “yes” entry in this column indicates that the multicast group was configured as a static group; “No” means it was not. Static multicast groups can be configured in IGMP V2 using the ip igmp static command. In IGMP V3, static sources cannot be configured in static groups.
  • Page 658 IGMP v3 Entering an address for <group-address> displays information for a specified group on the specified interface. The report shows the following information. This field Displays Query interval Displays how often a querier sends a general query on the interface. Max response The maximum number of seconds a client can wait before it replies to the query.
  • Page 659: Clearing Igmp Statistics

    Configuring a static multicast route This field Displays Leave Number of IGMP V2 “leave” messages on the interface. (See ToEx for IGMP V3.) IsIN Number of source addresses that were included in the traffic. IsEX Number of source addresses that were excluded in the traffic. ToIN Number of times the interface mode changed from exclude to include.
  • Page 660 Configuring a static multicast route Syntax: ip mroute <ip-addr> interface ethernet <slot>/<portnum> | ve <num> [distance <num>] Syntax: ip mroute <ip-addr> rpf_address <rpf-num> The <ip-addr> command specifies the PIM source for the route. NOTE In IP multicasting, a route is handled in terms of its source, rather than its destination. You can use the ethernet <slot>/<portnum>...
  • Page 661: Next Hop Validation Check

    PIM dense To add a static route to a virtual interface, enter commands such as the following. BigIron RX(config)# ip mroute 0.0.0.0 0.0.0.0 int ve 1 distance 1 BigIron RX(config)# write memory Next hop validation check Beginning with release 02.6.00, you can configure the BigIron RX to perform multicast validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
  • Page 662: Initiating Pim Multicasts On A Network

    PIM dense NOTE Multicast protocols can only be applied to 1 physical interface. You must create multiple VLANs with individual untagged ports and ve’s under which you configure PIM. PIM was introduced to simplify some of the complexity of the routing protocol at the cost of additional overhead tied with a greater replication of forwarded multicast packets.
  • Page 663 PIM dense When a node on the multicast delivery tree has all of its downstream branches (downstream interfaces) in the prune state, a prune message is sent upstream. In the case of R4, if both R5 and R6 are in a prune state at the same time, R4 becomes a leaf node with no downstream interfaces and sends a prune message to R1.
  • Page 664: Grafts To A Multicast Tree

    PIM dense FIGURE 91 Pruning leaf nodes from a multicast tree Video Conferencing 229.225.0.1 Server Group Group (207.95.5.1, 229.225.0.1) Member Member (Source, Group) 229.225.0.1 Group Group Group Member Member Member Prune Message sent to upstream router (R4) Leaf Node (No Group Members) Group Group Group...
  • Page 665: Configuring Pim Dm

    PIM dense The primary difference between PIM DM V1 and V2 is the methods the protocols use for messaging: • PIM DM V1 – uses the IGMP to send messages. • PIM DM V2 – sends messages to the multicast address 224.0.0.13 (ALL-PIM-ROUTERS) with protocol number 103.
  • Page 666 PIM dense • Entering the router pim command to enable PIM does not require a software reload. • Entering the no router pim command removes all configuration for PIM multicast on a BigIron RX (router pim level) only. Enabling a PIM version To enable PIM on an interface, first enable PIM globally, then enable PIM on the interface. For example, to enable PIM on interface 1/3, enter the following commands.
  • Page 667 PIM dense Modifying hello timer This parameter defines the interval at which periodic hellos are sent out PIM interfaces. Routers use hello messages to inform neighboring routers of their presence. The default rate is 60 seconds. To apply a PIM hello timer of 120 seconds to all ports on the router operating with PIM, enter the following.
  • Page 668 PIM dense BigIron RX(config)#show ip pim dense Global PIM Dense Mode Settings Hello interval: 60, Neighbor timeout: 180 Graft Retransmit interval: 180, Inactivity interval: 180 Route Expire interval: 200, Route Discard interval: 340 Prune age: 180, Prune wait: 3 Syntax: show ip pim dense Modifying graft retransmit timer The Graft Retransmit Timer defines the interval between the transmission of graft messages.
  • Page 669: Failover Time In A Multi-Path Topology

    PIM Sparse Total number of IP routes: 19 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default Destination NetMask Gateway Port Cost Type 172.17.41.4 255.255.255.252*137.80.127.3 172.17.41.4 255.255.255.252 137.80.126.3 172.17.41.4 255.255.255.252 137.80.129.1 172.17.41.4 255.255.255.252 137.80.128.3 172.17.41.8 255.255.255.252 0.0.0.0 Failover time in a multi-path topology Previously, when a port in a multi-path topology fails, multicast routers, depending on the routing protocol being used, take a few seconds to establish a new path, if the failed port is the input port of the downstream router.
  • Page 670: Pim Sparse Router Types

    PIM Sparse FIGURE 92 Example PIM Sparse domain This interface is also the PIM Sparse router B Bootstrap Router (BR) for this PIM Sparse domain, and the Rendezvous Point (RP) for the PIM Sparse groups in this domain. Port2/1 Port2/2 207.95.8.10 207.95.7.1 Rendezvous Point (RP) path...
  • Page 671: Rp Paths And Spt Paths

    PIM Sparse from a group source to the group’s receivers. After the first packet, the BigIron RX calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver. The BigIron RX calculates a separate SPT for each source-receiver pair.
  • Page 672: Configuring Global Pim Sparse Parameters

    PIM Sparse NOTE Brocade recommends that you configure the same BigIron RX as both the BSR and the RP. Current limitations The implementation of PIM Sparse in the current software release has the following limitations: • PIM Sparse and regular PIM (dense mode) cannot be used on the same interface. •...
  • Page 673 PIM Sparse If the interface is on the border of the PIM Sparse domain, you also must enter the following command. BigIron RX(config-if-e10000-2/2)# ip pim border Syntax: [no] ip pim border NOTE You cannot configure a Brocade routing interface as a PMBR interface for PIM Sparse in the current software release.
  • Page 674 PIM Sparse The ethernet <slot>/<portnum> | loopback <num> | ve <num> parameter specifies the interface. The BigIron RX will advertise the specified interface’s IP address as a candidate RP. • Enter ethernet <slot>/<portnum> for a physical interface (port). • Enter ve <num> for a virtual interface. •...
  • Page 675 PIM Sparse If you explicitly specify the RP, the BigIron RX uses the specified RP for all group-to-RP mappings and overrides the set of candidate RPs supplied by the BSR. NOTE Specify the same IP address as the RP on all PIM Sparse routers within the PIM Sparse domain. Make sure the router is on the backbone or is otherwise well connected to the rest of the network.
  • Page 676: Route Selection Precedence For Multicast

    Route selection precedence for multicast Displaying the static RP Use the show ip pim rp-set command to display static RP and the associated group ranges. BigIron RX(config)# show ip pim rp-set Static RP and associated group ranges ------------------------------------- Static RP count: 4 130.1.1.1 permit 238.1.1.0/24 permit 239.1.0.0/16...
  • Page 677: Displaying The Route Selection

    Route selection precedence for multicast To specify a non-default route from the mRTM, then a non-default route from the uRTM, then a default route from the mRTM, and then a default route from the uRTM, enter commands such as the following. BigIron RX(config)# router pim BigIron RX(config-pim-router)# route-precedence mc-non-default uc-non-default mcdefault uc-default...
  • Page 678: Changing The Shortest Path Tree (Spt) Threshold

    Changing the Shortest Path Tree (SPT) threshold BigIron RX(config-pim-router)#show ip pim sparse Global PIM Sparse Mode Settings Hello interval : 30 Neighbor timeout : 105 Bootstrap Msg interval: 60 Candidate-RP Advertisement interval: 60 Join/Prune interval : 60 SPT Threshold : 1 Inactivity interval : 180 SSM Enabled : No Hardware Drop Enabled : Yes Route Selection : mc-non-default uc-non-default mc-default uc-default...
  • Page 679: Changing The Pim Join And Prune Message Interval

    Displaying PIM Sparse configuration information and statistics The infinity | <num> parameter specifies the number of packets. If you specify infinity, the BigIron RX sends packets using the RP indefinitely and does not switch over to the SPT. If you enter a specific number of packets, the BigIron RX does not switch over to using the SPT until it has sent the number of packets you specify using the RP.
  • Page 680: Displaying Basic Pim Sparse Configuration Information

    Displaying PIM Sparse configuration information and statistics • The PIM flow cache • The PIM multicast cache • PIM traffic statistics Displaying basic PIM Sparse configuration information To display PIM Sparse configuration information, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim sparse Global PIM Sparse Mode Settings Hello interval: 60, Neighbor timeout: 180...
  • Page 681: Displaying A List Of Multicast Groups

    Displaying PIM Sparse configuration information and statistics This field... Displays... Join/Prune interval How frequently the BigIron RX sends PIM Sparse Join/Prune messages for the multicast groups it is forwarding. This field shows the number of seconds between Join/Prune messages. The BigIron RX sends Join/Prune messages on behalf of multicast receivers who want to join or leave a PIM Sparse group.
  • Page 682: Displaying Bsr Information

    Displaying PIM Sparse configuration information and statistics This field... Displays... Group The multicast group address Ports The BigIron RX ports connected to the receivers of the groups. Displaying BSR information To display BSR information, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim bsr PIMv2 Bootstrap information This system is the elected Bootstrap Router (BSR)
  • Page 683: Displaying Candidate Rp Information

    Displaying PIM Sparse configuration information and statistics This field... Displays... Next bootstrap message in NOTE: Indicates how many seconds will pass before the BSR sends its next Bootstrap message. NOTE: This field appears only if this BigIron RX is the BSR. Next Candidate-RP-advertisement Indicates how many seconds will pass before the BSR sends its next message in...
  • Page 684: Displaying Rp-To-Group Mappings

    Displaying PIM Sparse configuration information and statistics This field... Displays... group prefixes Indicates the multicast groups for which the RP listed by the previous field is a candidate RP. NOTE: This field appears only if this BigIron RX is a candidate RP. Candidate-RP-advertisement period Indicates how frequently the BSR sends candidate RP advertisement messages.
  • Page 685: Displaying The Rp Set List

    Displaying PIM Sparse configuration information and statistics This field... Displays... Indicates the IP address of the Rendezvous Point (RP) for the specified PIM Sparse group. Following the IP address is the port or virtual interface through which this BigIron RX learned the identity of the RP. Info source Indicates the IP address on which the RP information was received.
  • Page 686: Displaying Information About An Upstream Neighbor Device

    Displaying PIM Sparse configuration information and statistics BigIron RX(config-pim-router)# show ip pim nbr Port Neighbor Holdtime UpTime e3/8 207.95.8.10 Port Neighbor Holdtime UpTime 207.95.6.2 Syntax: show ip pim nbr This display shows the following information. This field... Displays... Port The interface through which the BigIron RX is connected to the neighbor. Neighbor The IP interface of the PIM neighbor interface.
  • Page 687: Displaying the PIM Multicast Cache

    Displaying PIM Sparse configuration information and statistics
    BigIron RX# show ip pim rpf 1.2.3.4
    no route
    BigIron RX# show ip pim rpf 1.10.10.24
    upstream neighbor=1.1.20.1 on v21 using ip route
    Syntax: show ip pim | dvmrp rpf <IP address>
    Where <IP address> is a valid source IP address
    Displaying the PIM multicast cache
    To display the PIM multicast cache, enter the following command at any CLI level.
  • Page 688

    Displaying PIM Sparse configuration information and statistics
    This field...          Displays...
    (<source>, <group>)    The comma-separated values in parentheses are a source-group pair. The <source> is the PIM source for the multicast <group>. For example, the following entry means source 209.157.24.162 for group 239.255.162.1: (209.157.24.162,239.255.162.1) If the <source>...
  • Page 689: Displaying PIM Traffic Statistics

    PIM-SSMv4
    Displaying PIM traffic statistics
    To display PIM traffic statistics, enter the following command at any CLI level.
    BigIron RX(config-pim-router)# show ip pim traffic
    Port    Hello   Register   RegStop   Assert
    e3/8
    Total   37
    IGMP Statistics:
    Total Recv/Xmit        85/110
    Total Discard/chksum
    Syntax: show ip pim traffic
    NOTE
    If you have configured interfaces for standard PIM (dense mode) on the BigIron RX, statistics for these interfaces are listed first by the display.
  • Page 690: Enabling SSM

    Configuring Multicast Source Discovery Protocol (MSDP) The amount of unwanted traffic in the network is reduced, but because each multicast group is associated with a particular host, different hosts can be assigned the same multicast address for different streams. This greatly increases the number of multicast groups that can be used in the network.
  • Page 691

    Configuring Multicast Source Discovery Protocol (MSDP)
    FIGURE 93 PIM Sparse domains joined by MSDP routers
    (figure labels: PIM Sparse Domain 1, PIM Sparse Domain 2, Designated Router (DR), Rendezvous Point (RP))
    2. RP sends SA message through MSDP to its MSDP peers in other PIM Sparse domains.
  • Page 692: Peer Reverse Path Forwarding (RPF) Flooding

    Configuring Multicast Source Discovery Protocol (MSDP) Peer Reverse Path Forwarding (RPF) flooding When the MSDP router (also the RP) in domain 2 receives the Source Active message from its peer in domain 1, the MSDP router in domain 2 forwards the message to all its other peers. The propagation process is sometimes called “peer Reverse Path Forwarding (RPF) flooding”.
  • Page 693: Enabling MSDP

    Configuring Multicast Source Discovery Protocol (MSDP)
    • Configure the MSDP peers
    NOTE
    The PIM Sparse Rendezvous Point (RP) is also an MSDP peer. Routers that run MSDP must also run BGP. Also, the source address used by the MSDP router must be the same source address used by BGP.
  • Page 694: IP Address

    Configuring Multicast Source Discovery Protocol (MSDP) Designating an interface’s IP address as the RP’s IP address When an RP receives a Source Active message, it checks its PIM Sparse multicast group table for receivers for the group. If it finds a receiver, the RP sends a Join message for that receiver back to the RP that originated the Source Active message.
  • Page 695

    Configuring Multicast Source Discovery Protocol (MSDP)
    The following commands configure an IP address on port 3/1. This is the port on which the MSDP neighbors will be configured.
    BigIron RX(config)# interface ethernet 3/1
    BigIron RX(config-if-e1000-3/1)# ip address 2.2.2.98/24
    BigIron RX(config-if-e1000-3/1)# exit
    The following commands configure a loopback interface.
  • Page 696: Filtering Advertised Source-Active Messages

    Configuring Multicast Source Discovery Protocol (MSDP)
    • sa-filter in 2.2.2.97 route-map msdp_map – This command ignores source-group pairs received from neighbor 2.2.2.97 if the pairs have source address 10.x.x.x and any group address.
    • sa-filter in 2.2.2.96 route-map msdp2_map rp-route-map msdp2_rp_map – This command accepts all source-group pairs except those associated with RP 2.2.42.3.
  • Page 697: Filters Are Applied

    Configuring Multicast Source Discovery Protocol (MSDP)
    The following commands enable MSDP and configure MSDP neighbors on port 3/1.
    BigIron RX(config)# router msdp
    BigIron RX(config-msdp-router)# msdp-peer 2.2.2.99 connect-source loopback 1
    BigIron RX(config-msdp-router)# msdp-peer 2.2.2.97 connect-source loopback 1
    BigIron RX(config-if-3/1)# exit
    The following commands configure the Source-Active filter.
    BigIron RX(config)# router msdp
    BigIron RX(config-msdp-router)# sa-filter originate route-map msdp_map
    This filter removes source-group pairs that match route map msdp_map from Source-Active...
  • Page 698

    Configuring Multicast Source Discovery Protocol (MSDP)
    24   (117.1.0.25, 224.200.1.5), RP:2.2.2.2, Age:0
    25   (117.1.0.66, 224.200.1.46), RP:2.2.2.2, Age:0
    26   (117.1.0.39, 224.200.1.19), RP:2.2.2.2, Age:0
    27   (117.1.0.53, 224.200.1.33), RP:2.2.2.2, Age:0
    28   (117.1.0.26, 224.200.1.6), RP:2.2.2.2, Age:0
    29   (117.1.0.67, 224.200.1.47), RP:2.2.2.2, Age:0
    30   (117.1.0.40, 224.200.1.20), RP:2.2.2.2, Age:0
    31   (117.1.0.54, 224.200.1.34), RP:2.2.2.2, Age:0
    32   (117.1.0.27, 224.200.1.7), RP:2.2.2.2, Age:0
    33   (117.1.0.68, 224.200.1.48), RP:2.2.2.2, Age:0...
  • Page 699: Configuring MSDP Mesh Groups

    Configuring MSDP mesh groups
    TABLE 102 MSDP source active cache (Continued)
    This field...   Displays...
    SourceAddr      The IP address of the multicast source.
    GroupAddr       The IP multicast group to which the source is sending information.
                    The RP through which receivers can access the group traffic from the source
                    The number of seconds the entry has been in the cache
    Configuring MSDP mesh groups...
  • Page 700: Configuring MSDP Mesh Group

    Configuring MSDP mesh groups
    FIGURE 94 Example of MSDP mesh group
    (figure labels: PIM Sparse Domain 1, Mesh GroupA, Designated Router (DR))
    2. RP sends an SA message to its peers within the domain
    3. RPs within the domain receive the SA message and flood the SA message to their peers in other PIM Sparse domains
  • Page 701

    Configuring MSDP mesh groups
    Syntax: [no] mesh-group <group-name> <peer-address>
    The sample configuration above reflects the configuration in Figure 94. On RP 206.251.21.31 you specify its peers within the same domain (206.251.21.31, 206.251.17.31, and 206.251.13.31). You first configure the MSDP peers using the msdp-peer command to assign their IP addresses and the loopback interfaces.
  • Page 702

    Configuring MSDP mesh groups
    Configuration for Device A
    The following set of commands configures the MSDP peers of Device A (1.1.1.1) that are inside and outside MSDP mesh group 1234. Device A’s peers inside the mesh group 1234 are 1.1.2.1, 1.1.3.1, and 1.1.4.1.
  • Page 703

    Configuring MSDP mesh groups
    The following set of commands configures the MSDP peers of Device B. All Device B’s peers (1.1.1.1, 1.1.3.1, and 1.1.4.1) are in the MSDP mesh group 1234. Multicast is enabled on Device B’s interfaces. PIM and BGP are also enabled.
    BigIron RX(config)# router pim
    BigIron RX(config)# router msdp
    BigIron RX(config-msdp-router)# msdp-peer 1.1.3.1 connect-source loopback 1...
  • Page 704

    Configuring MSDP mesh groups
    BigIron RX(config)# router pim
    BigIron RX(config)# router msdp
    BigIron RX(config-msdp-router)# msdp-peer 35.35.35.5
    BigIron RX(config-msdp-router)# msdp-peer 1.1.2.1 connect-source loopback 1
    BigIron RX(config-msdp-router)# msdp-peer 1.1.4.1 connect-source loopback 1
    BigIron RX(config-msdp-router)# msdp-peer 1.1.1.1 connect-source loopback 1
    BigIron RX(config-msdp-router)# mesh-group 1234 1.1.2.1
    BigIron RX(config-msdp-router)# mesh-group 1234 1.1.1.1
    BigIron RX(config-msdp-router)# mesh-group 1234 1.1.4.1
    BigIron RX(config-msdp-router)# exit...
  • Page 705

    Configuring MSDP mesh groups
    BigIron RX(config)# router pim
    BigIron RX(config)# router msdp
    BigIron RX(config-msdp-router)# msdp-peer 1.1.3.1 connect-source loopback 1
    BigIron RX(config-msdp-router)# msdp-peer 1.1.1.1 connect-source loopback 1
    BigIron RX(config-msdp-router)# msdp-peer 1.1.2.1 connect-source loopback 1
    BigIron RX(config-msdp-router)# msdp-peer 48.48.48.8
    BigIron RX(config-msdp-router)# msdp-peer 134.134.134.13
    BigIron RX(config-msdp-router)# mesh-group 1234 1.1.1.1
    BigIron RX(config-msdp-router)# mesh-group 1234 1.1.3.1
    BigIron RX(config-msdp-router)# mesh-group 1234 1.1.2.1...
  • Page 706: Displaying Summary Information

    Configuring MSDP mesh groups
    Displaying MSDP information
    You can display the following MSDP information:
    • Summary information – the IP addresses of the peers, the state of the BigIron RX’s MSDP session with each peer, and statistics for Keepalive, Source Active, and Notification messages sent to and received from each of the peers.
  • Page 707: Displaying Peer Information

    Configuring MSDP mesh groups
    Displaying peer information
    To display MSDP peer information, use the following CLI method.
    BigIron RX# show ip msdp peer
    Total number of MSDP Peers: 2
    IP Address      State
    206.251.17.30   ESTABLISHED
    Keep Alive Time   Hold Time
    Message Sent   Message Received
    Keep Alive
    Notifications...
  • Page 708

    Configuring MSDP mesh groups
    TABLE 104 MSDP peer information (Continued)
    This field...                 Displays...
    Keep Alive Message Received   The number of Keep Alive messages the MSDP router has received from the peer.
    Notifications Sent            The number of Notification messages the MSDP router has sent to the peer.
  • Page 709

    Configuring MSDP mesh groups
    TABLE 104 MSDP peer information (Continued)
    This field...          Displays...
    TCP connection state   The state of the connection with the neighbor. The connection can have one of the following states:
                           • LISTEN – Waiting for a connection request.
                           •...
  • Page 710: Displaying Source Active Cache Information

    Clearing MSDP information
    Displaying source active cache information
    To display the Source Actives in the MSDP cache, use the following CLI method.
    BigIron RX# show ip msdp sa-cache
    Total Entry 4096, Used 1800 Free 2296
    Index   SourceAddr   GroupAddr
    (100.100.1.254, 232.1.0.95), RP:206.251.17.41, Age:0
    (100.100.1.254, 237.1.0.98), RP:206.251.17.41, Age:30
    (100.100.1.254, 234.1.0.48), RP:206.251.17.41, Age:30
    (100.100.1.254, 239.1.0.51), RP:206.251.17.41, Age:30...
  • Page 711: Clearing the Source Active Cache

    DVMRP overview
    BigIron RX# clear ip msdp peer 205.216.162.1
    Remote connection closed
    Syntax: clear ip msdp peer <ip-addr>
    The command in this example clears the MSDP peer connection with MSDP router 205.216.162.1. The CLI displays a message to indicate when the connection has been successfully closed.
    Clearing the source active cache
    To clear the entries from the Source Active cache, enter the following command at the Privileged EXEC level of the CLI.
  • Page 712: Initiating DVMRP Multicasts on a Network

    DVMRP overview Initiating DVMRP multicasts on a network Once DVMRP is enabled on each router, a network user can begin a video conference multicast from the server on R1. Multicast Delivery Trees are initially formed by source-originated multicast packets that are propagated to downstream interfaces as seen in Figure 96.
  • Page 713

    DVMRP overview
    FIGURE 96 Downstream broadcast of IP multicast packets from source host
    (figure labels: Video Conferencing Server, (207.95.5.1, 229.225.0.1) (Source, Group), 229.225.0.1, Group Member, Leaf Node (No Group Members))
  • Page 714: Grafts to a Multicast Tree

    DVMRP overview
    FIGURE 97 Pruning leaf nodes from a multicast tree
    (figure labels: Video Conferencing Server, (207.95.5.1, 229.225.0.1) (Source, Group), 229.225.0.1, Group Member, Leaf Node (No Group Members), Prune Message sent to upstream router (R4))
  • Page 715: Configuring DVMRP

    Configuring DVMRP
    Enabling DVMRP globally and on an interface
    Suppose you want to initiate the use of desktop video for fellow users on a sprawling campus network. All destination workstations have the appropriate hardware and software but the BigIron RXes that connect the various buildings need to be configured to support DVMRP multicasts from the designated video conference server as seen in Figure...
  • Page 716: Modifying Neighbor Timeout

    Configuring DVMRP
    • Route expire time
    • Route discard time
    • Prune age
    • Graft retransmit time
    • Probe interval
    • Report interval
    • Trigger interval
    • Default route
    Modifying neighbor timeout
    The neighbor timeout specifies the period of time that a router will wait before it defines an attached DVMRP neighbor router as down.
  • Page 717: Modifying Probe Interval

    Configuring DVMRP Modifying graft retransmit time The Graft Retransmit Time defines the initial period of time that a router sending a graft message will wait for a graft acknowledgement from an upstream router before re-transmitting that message. Subsequent retransmissions are sent at an interval twice that of the preceding interval. Possible values are from 5 –...
  • Page 718: Modifying DVMRP Interface Parameters

    Configuring DVMRP
    BigIron RX(config-dvmrp-router)# default-gateway 192.35.4.1
    Syntax: default-gateway <ip-addr>
    Modifying DVMRP interface parameters
    DVMRP global parameters come with preset values. The defaults work well in most networks, but you can modify the following interface parameters if you need to:
    •
    •...
  • Page 719: Device

    Configuring a static multicast route
    Displaying information about an upstream neighbor device
    You can view information about the upstream neighbor device for a given source IP address for IP PIM packets. The software uses the IP route table or multicast route table to look up the upstream neighbor device.
  • Page 720: Configuring IP Multicast Traffic Reduction

    Configuring IP multicast traffic reduction
    NOTE
    Regardless of the administrative distances, the BigIron RX Series router always prefers directly connected routes over other routes.
    FIGURE 98 Example multicast static routes
    (figure labels: PIM Router D 9.9.9.101, e6/14, Client, Multicast group 239.255.162.1, e4/11, 207.95.6.1, e1/2, PIM Router A...)
  • Page 721: Enabling IP Multicast Traffic Reduction

    Configuring IP multicast traffic reduction
    When you enable IP Multicast Traffic Reduction, you also can configure the following features:
    • IGMP mode – When you enable IP Multicast Traffic Reduction, the device passively listens for IGMP Group Membership reports by default. If the multicast domain does not have a router to send IGMP queries to elicit these Group Membership reports, you can enable the device to actively send the IGMP queries.
  • Page 722

    Configuring IP multicast traffic reduction
    NOTE
    When one or more BigIron RX devices are running Layer 2 IP Multicast Traffic reduction, configure one of the devices for active IGMP and leave the other devices configured for passive IGMP. However, if the IP multicast domain contains a multicast-capable router, configure all the BigIron RX devices for passive IGMP and allow the router to actively send the IGMP queries.
  • Page 723 Configuring IP multicast traffic reduction Syntax: Passive – When passive IGMP mode is enabled, the switch listens for IGMP Group Membership reports on the VLAN instance specified but does not send IGMP queries. The passive mode is called “IGMP snooping”. Use this mode when another device in the VLAN instance is actively sending queries.
  • Page 724 Configuring IP multicast traffic reduction • Passive – When passive IGMP mode is enabled, the device listens for IGMP Group Membership reports but does not send IGMP queries. The passive mode is sometimes called “IGMP snooping”. Use this mode when another device in the network is actively sending queries.
  • Page 725: Layer 2 Multicast Filters

    Configuring IP multicast traffic reduction When the device starts up, it forwards all multicast groups even though multicast traffic filters are configured. This process continues until the device receives a group membership report. Once the group membership report is received, the device drops all multicast packets for groups other than the ones for which the device has received the group membership report.
  • Page 726: PIM SM Traffic Snooping

    Configuring IP multicast traffic reduction
    Use the port-list parameter to define the member ports on which the ACL is applied. The ACL will be applied to the multicast traffic arriving in both directions. Use the no multicast boundary command to remove the boundary on an IGMP enabled interface.
    NOTE
    The ACL MyBrocadeAccessList can be configured using standard ACL syntax, which can be found in the ACL section.
  • Page 727

    Configuring IP multicast traffic reduction
    FIGURE 99 PIM SM traffic reduction in enterprise network
    (figure labels: Source for Groups, 239.255.162.1)
    The switch snoops for PIM SM join and prune messages. The switch detects a source on port1/1 and a receiver for that source’s group on port5/1. It then forwards multicast data from the source on port1/1...
  • Page 728 Configuring IP multicast traffic reduction Notice that the ports connected to the source and the receivers are all in the same port-based VLAN on the device. This is required for the PIM SM snooping feature. The feature also requires the source and the downstream router to be on different IP subnets, as shown in Figure Figure 100 shows another example application for PIM SM traffic snooping.
  • Page 729 Configuring IP multicast traffic reduction • The PIM SM snooping feature assumes that the group source and the device are in different subnets and communicate through a router. The source must be in a different IP subnet than the receivers. A PIM SM router sends PIM join and prune messages on behalf of a multicast group receiver only when the router and the source are in different subnets.
  • Page 730: Static IGMP Membership

    Configuring IP multicast traffic reduction
    Syntax: [no] multicast pimsm-snooping
    Configuring PIM proxy per VLAN instance
    Using the PIM proxy function, multicast traffic can be reduced by configuring a BigIron RX switch to issue PIM join and prune messages on behalf of hosts that the configured switch discovers through standard PIM interfaces.
  • Page 731

    Configuring IP multicast traffic reduction
    BigIron RX(config)# vlan 100
    BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 include 10.43.1.12 uplink
    To configure the snooping device to statically join all multicast streams on the uplink interface excluding the stream with source address 10.43.1.12, enter commands such as the following.
    BigIron RX(config)# vlan 100
    BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 exclude 10.43.1.12 uplink...
  • Page 732 Configuring IP multicast traffic reduction The uplink parameter specifies the port as an uplink port that can receive multicast data for the configured multicast groups. Upstream traffic will be sent to the switch and will not use a port. The port-list parameter specifies the range of ports to include in the configuration. The no form of this command removes the static multicast definition.
  • Page 733: Overview of Routing Information Protocol (RIP)

    Chapter Configuring RIP
    Overview of Routing Information Protocol (RIP)
    Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing distance) to measure the cost of a given route. The cost is a distance vector because the cost often is equivalent to the number of router hops between the device and the destination network.
  • Page 734: Configuring Metric Parameters

    Configuring RIP parameters
    BigIron RX(config)# interface ethernet 1/1
    BigIron RX(config-if-e1000-1/1)# ip rip v1-only
    Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only
    Configuring metric parameters
    By default, a device port increases the cost of a RIP route that is learned or advertised on the port by one.
  • Page 735: Configuring Redistribution

    Configuring RIP parameters
    Configuring redistribution
    You can configure the device to redistribute routes learned through OSPF or BGP4, connected routes, or static routes into RIP. When you redistribute a route from one of these other protocols into RIP, the device can use RIP to advertise the route to its RIP neighbors. To configure redistribution, perform the following tasks:
    •...
  • Page 736: Configuring Route Learning and Advertising Parameters

    Configuring RIP parameters
    Syntax: redistribute connected | bgp | ospf | static [metric <value> | route-map <name>]
    The connected parameter applies redistribution to connected types. The bgp parameter applies redistribution to BGP4 routes. The ospf parameter applies redistribution to OSPF routes. The static parameter applies redistribution to IP static routes.
  • Page 737: Changing the Route Loop Prevention Method

    Configuring RIP parameters
    Syntax: [no] ip rip learn-default
    Configuring a RIP neighbor filter
    By default, a device learns RIP routes from all its RIP neighbors. Neighbor filters allow you to specify the neighbor routers from which the device can receive RIP routes. Neighbor filters apply globally to all ports.
  • Page 738: Backup Interface

    Configuring RIP parameters
    To disable split horizon and enable poison reverse on an interface, enter a command such as the following.
    BigIron RX(config-if-e10000-1/1)# ip rip poison-reverse
    You can configure the device to avoid routing loops by advertising local RIP routes with a cost of 16 (“infinite”...
  • Page 739: Setting Rip Timers

    Configuring RIP parameters
    BigIron RX(config)# ip prefix-list list1 permit 192.53.4.1 255.255.255.0
    BigIron RX(config)# ip prefix-list list2 permit 192.53.5.1 255.255.255.0
    BigIron RX(config)# ip prefix-list list3 permit 192.53.6.1 255.255.255.0
    BigIron RX(config)# ip prefix-list list4 deny 192.53.7.1 255.255.255.0
    The prefix lists permit routes to three networks, and deny the route to one network. Since the default action is permit, all other routes (routes not explicitly permitted or denied by the filters) can be learned or advertised.
  • Page 740: Displaying Rip Filters

    Displaying RIP filters
    Displaying RIP filters
    To display RIP filters, enter the following command at any CLI level.
    BigIron RX> show ip rip
    RIP Summary
    Default port 520
    Administrative distance is 120
    updates every 30 seconds, expire after 180
    Holddown lasts 180 seconds, garbage collect after 120
    Last broadcast 30, Next Update 29
    Need trigger update 0, next trigger broadcast 1
    Minimum update interval 25, Max update offset 5...
  • Page 741: Clearing the RIP Routes from the Routing Table

    Displaying RIP filters
    Clearing the RIP routes from the routing table
    Clearing all the routes from the routing table
    To clear RIP local routes, enter a command such as the following.
    BigIron(config)#clear ip rip local routes
    Syntax: clear ip rip local routes
    To clear the RIP routes from the RIP database, enter a command such as the following.
  • Page 743: Overview of OSPF (Open Shortest Path First)

    Chapter Configuring OSPF Version 2 (IPv4)
    Overview of OSPF (Open Shortest Path First)
    OSPF is a link-state routing protocol. The protocol uses link-state advertisements (LSA) to update neighboring routers regarding its interfaces and information on those interfaces. The router floods these LSAs to all neighboring routers to update them regarding the interfaces.
  • Page 744: Designated Routers In Multi-Access Networks

    Overview of OSPF (Open Shortest Path First)
    FIGURE 101 OSPF operating in a network
    (figure labels: Area 0.0.0.0 Backbone Area, Area 200.5.0.0, Router D 208.5.1.1, Area Border Router (ABR), Area 192.5.1.0, Virtual Link, Router A 206.5.1.1, Router E, Router B, Area Border Router (ABR), Router F, Router C, Autonomous System...)
  • Page 745

    Overview of OSPF (Open Shortest Path First)
    FIGURE 102 Designated and backup router election
    (figure labels: Designated Router, Backup Designated Router, Router A, Router B, Router C, priority 10, priority 5, priority 20)
    If the DR goes off-line, the BDR automatically becomes the DR. The router with the next highest priority becomes the new BDR.
  • Page 746: OSPF RFC 1583 and 2328 Compliance

    Overview of OSPF (Open Shortest Path First)
    NOTE
    By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device.
  • Page 747

    Overview of OSPF (Open Shortest Path First)
    FIGURE 104 AS external LSA reduction
    (figure labels: OSPF Autonomous System (AS), Another routing domain (such as BGP4 or RIP), Routers D, E, and F are OSPF ASBRs and EBGP routers, Router A, Router B, Router D Router ID: 2.2.2.2, Router F...)
  • Page 748: Support for OSPF RFC 2328 Appendix E

    Overview of OSPF (Open Shortest Path First)
    • A second ASBR comes on-line
    • A second ASBR that is already on-line begins advertising an equivalent route to the same destination.
    In either case above, the router with the higher router ID floods the AS External LSAs and the other router flushes its equivalent AS External LSAs.
  • Page 749: Dynamic OSPF Activation and Configuration

    Configuring OSPF
    2. Compare the networks that have the same network address, to determine which network is more specific. The more specific network is the one that has more contiguous one bits in its network mask. For example, network 10.0.0.0 255.255.0.0 is more specific than network 10.0.0.0 255.0.0.0, because the first network has 16 one bits (255.255.0.0) whereas the second network has only 8 one bits (255.0.0.0).
  • Page 750: OSPF Parameters

    Configuring OSPF
    Configuration rules
    • If a router is to operate as an ASBR, you must enable the ASBR capability at the system level.
    • Redistribution must be enabled on routers configured to operate as ASBRs.
    • All router ports must be assigned to one of the defined areas on an OSPF router. When a port is assigned to an area, all corresponding subnets on that port are automatically included in the assignment.
  • Page 751: Enable OSPF on the Router

    Configuring OSPF
    NOTE
    You set global level parameters at the OSPF CONFIG Level of the CLI. To reach that level, enter router ospf… at the global CONFIG Level. Interface parameters for OSPF are set at the interface CONFIG Level using the CLI command, ip ospf…
    Enable OSPF on the router
    When you enable OSPF on the router, the protocol is automatically activated.
  • Page 752

    Configuring OSPF
    • ASBRs redistribute (import) external routes into the NSSA as type 7 LSAs. Type-7 External LSAs are a special type of LSA generated only by ASBRs within an NSSA, and are flooded to all the routers within only that NSSA.
    •...
  • Page 753 Configuring OSPF The stub <cost> parameter specifies an additional cost for using a route to or from this area and can be from 1 – 16777215. There is no default. Normal areas do not use the cost parameter. The no-summary parameter applies only to stub areas and disables summary LSAs from being sent into the area.
  • Page 754 Configuring OSPF The ABR translates the Type-7 LSAs into Type-5 LSAs. If an area range is configured for the NSSA, the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type-5 LSAs into the backbone. Since the NSSA is partially “stubby” the ABR does not flood external LSAs from the backbone into the NSSA.
  • Page 755: Assigning an Area Range (Optional)

    Configuring OSPF The advertise | not-advertise parameter specifies whether you want the device to send type 3 LSAs for the specified range in this area. The default is advertise. Assigning an area range (optional) You can assign a range for an area, but it is not required. Ranges allow a specific IP address and mask to represent a range of IP addresses within an area, so that only that reference range address is advertised to the network, instead of all the addresses within that range.
  • Page 756: OSPF Interface Parameters

    Configuring OSPF
    • ip ospf hello-interval <value>
    • ip ospf md5-authentication key-activation-wait-time <num> | key-id <num> [0 | 1] key <string>
    • ip ospf passive
    • ip ospf priority <value>
    • ip ospf retransmit-interval <value>
    • ip ospf transmit-delay <value>
    For a complete description of these parameters, see the summary of OSPF port parameters in the next section.
  • Page 757

    Configuring OSPF
    MD5-authentication activation wait time   The number of seconds the device waits until placing a new MD5 key into effect. The wait time provides a way to gracefully transition from one MD5 key to another without disturbing the network. The wait time can be from 0 –...
  • Page 758: Change the Timer for OSPF Authentication Changes

    Configuring OSPF
    NOTE
    If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior.
  • Page 759: Assign Virtual Links

    Configuring OSPF Block flooding of outbound LSAs on specific OSPF interfaces By default, the device floods all outbound LSAs on all the OSPF interfaces within an area. You can configure a filter to block outbound LSAs on an OSPF interface. This feature is particularly useful when you want to block LSAs from some, but not all, of the interfaces attached to the area.
  • Page 760

    Configuring OSPF
    NOTE
    When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link).
    FIGURE 106 Defining OSPF virtual links within a network
    (figure labels: OSPF Area 0, BigIronC Router ID 209.157.22.1, OSPF Area 1, OSPF Area 2 “transit area”...)
  • Page 761: Modify Virtual Link Parameters

    Configuring OSPF The area <ip-addr> | <num> parameter specifies the transit area. The <router-id> parameter specifies the router ID of the OSPF router at the remote end of the virtual link. To display the router ID on a device, enter the show ip command. Refer to “Modify virtual link parameters”...
  • Page 762: Configuring an OSPF Non-Broadcast Interface

    Configuring OSPF MD5 Authentication Wait Time This parameter determines when a newly configured MD5 authentication key is valid. This parameter provides a graceful transition from one MD5 key to another without disturbing the network. All new packets transmitted after the key activation wait time interval use the newly configured MD5 Key.
  • Page 763: OSPF Point-to-Point Links

    Configuring OSPF For example, to configure the feature in a network with three routers connected by a hub or switch, each router must have the linking interface configured as a non-broadcast interface, and both of the other routers must be specified as neighbors. The output of the show ip ospf interface command has been enhanced to display information about non-broadcast interfaces and neighbors that are configured in the same sub-net.
  • Page 764

    Configuring OSPF
    Configuring an OSPF point-to-point link
    To configure an OSPF point-to-point link, enter commands such as the following.
    BigIron RX(config)# interface eth 1/5
    BigIron RX(config-if-1/5)# ip ospf network point-to-point
    This command configures an OSPF point-to-point link on Interface 5 in slot 1.
    Syntax: [no] ip ospf network point-to-point
    Viewing configured OSPF point-to-point links
    You can use the show ip ospf interface command to display OSPF point-to-point information.
  • Page 765

    Configuring OSPF
    TABLE 107 Output of the show ip ospf interface command
    This field   Displays
    Type         The area type, which can be one of the following:
                 • Broadcast = 0x01
                 • NBMA = 0x02
                 • Point to Point = 0x03
                 •...
  • Page 766: Interfaces

    Configuring OSPF Changing the reference bandwidth for the cost on OSPF interfaces Each interface on which OSPF is enabled has a cost associated with it. The device advertises its interfaces and their costs to OSPF neighbors. For example, if an interface has an OSPF cost of ten, the device advertises the interface with a cost of ten to other OSPF routers.
  • Page 767: Define Redistribution Filters

    Configuring OSPF Changing the reference bandwidth To change the reference bandwidth, enter a command such as the following at the OSPF configuration level of the CLI: BigIron RX(config-ospf-router)# auto-cost reference-bandwidth 500 The reference bandwidth specified in this example results in the following costs: •...
  • Page 768: Modify Default Metric For Redistribution

    Configuring OSPF FIGURE 107 Redistributing OSPF and static routes to RIP routes RIP Domain ASBR (Autonomous System Border Router) OSPF Domain You also have the option of specifying import of just ISIS, RIP, OSPF, BGP4, or static routes, as well as specifying that only routes for a specific network or with a specific cost (metric) be imported, as shown in the command syntax below: Syntax: [no] redistribution bgp | connected | rip | static [route-map <map-name>]...
  • Page 769: Enable Route Redistribution

    Configuring OSPF NOTE You also can define the cost on individual interfaces. The interface cost overrides the default cost. To assign a default metric of 4 to all routes imported into OSPF, enter the following commands. BigIron RX(config)# router ospf BigIron RX(config-ospf-router)# default-metric 4 Syntax: default-metric <value>...
  • Page 770: Disable Or Re-Enable Load Sharing

    Configuring OSPF The redistribute static command enables redistribution of static IP routes into OSPF, and uses route map “abc” to control the routes that are redistributed. In this example, the route map allows a static IP route to be redistributed into OSPF only if the route has a metric of 5, and changes the metric to 8 before placing the route into the OSPF route table.
  • Page 771 Configuring OSPF The router software can use the route information it learns through OSPF to determine the paths and costs. Figure 108 shows an example of an OSPF network containing multiple paths to a destination (in this case, R1). FIGURE 108 Example OSPF network with four equal-cost paths OSPF Area 0 BigIron RX...
  • Page 772: Configure External Route Summarization

    Configuring OSPF Configure external route summarization When the BigIron RX is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to advertise one external route as an aggregate for all redistributed routes that are covered by a specified address range. When you configure an address range, the range takes effect immediately.
  • Page 773: Configure Default Route Origination

    Configuring OSPF Range-Address Subnetmask 1.0.0.0 255.0.0.0 1.0.1.0 255.255.255.0 1.0.2.0 255.255.255.0 Syntax: show ip ospf config Configure default route origination When the BigIron RX is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to automatically generate a default external route into an OSPF routing domain. This feature is called “default route origination”...
  • Page 774: Configuring A Default Network Route

    Configuring OSPF The metric-type <type> parameter specifies the external link type associated with the default route advertised into the OSPF routing domain. The <type> can be one of the following: • 1 – Type 1 external route • 2 – Type 2 external route If you do not use this option, the default redistribution metric type is used for the route type.
  • Page 775: Modify Spf Timers

    Configuring OSPF This example shows two routes. Both of the routes are directly attached, as indicated in the Type column. However, one of the routes is shown as type “*D”, with an asterisk (*). The asterisk indicates that this route is a candidate default network route. Modify SPF timers The BigIron RX uses the following timers when calculating the shortest path for OSPF routes: •...
  • Page 776: Modify Administrative Distance

    Configuring OSPF Modify administrative distance The BigIron RX can learn about networks from various protocols, including Border Gateway Protocol version 4 (BGP4), RIP, ISIS, and OSPF. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. The default administrative distance for OSPF routes is 110.
  • Page 777: Configure Ospf Group Link State Advertisement Pacing

    Configuring OSPF Configure OSPF group Link State Advertisement pacing The BigIron RX paces LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA’s refresh timer expires. The accumulated LSAs constitute a group, which the BigIron RX refreshes and sends out together in one or more packets.
  • Page 778 Configuring OSPF • With this feature enabled in the “out” direction, all type 3 LSAs advertised by the ABR, based on information from this area to all other areas, are filtered by the prefix list. If the area range command has been configured for this area, Type 3 LSAs that correspond to the area range command are treated like any other type 3 LSA.
  • Page 779 Configuring OSPF The in keyword specifies that the prefix list is applied to prefixes advertised to the specified area from other areas. The out keyword specifies that the prefix list is applied to prefixes advertised out of the specified area to other areas. Defining and applying IP prefix lists An IP prefix list specifies a list of networks.
  • Page 780: Displaying The Configured Ospf Area Prefix List

    Configuring OSPF Displaying the configured OSPF area prefix list To display the prefix-lists attached to the areas, enter the following command. BigIron RX(config)#show ip ospf config Router OSPF: Enabled Graceful Restart: Disabled, timer 120 Graceful Restart Helper: Enabled Redistribution: Disabled Default OSPF Metric: 10 OSPF Auto-cost Reference Bandwidth: Disabled OSPF Redistribution Metric: Type2...
  • Page 781 Configuring OSPF 1. Enable SNMP traps for OSPF. (Refer to “Disabling and enabling SNMP traps for OSPF” on page 709.) 2. Enable OSPF logging. (Refer to “Enabling OSPF logging” on page 710.) Refer to Table 109 on page 709 for the list of the default settings for OSPF traps. TABLE 109 Default settings for OSPF traps Trap name...
  • Page 782: Modify Ospf Standard Compliance Setting

    Configuring OSPF • virtual-interface-config-error-trap – [MIB object: ospfVirtIfConfigError] • interface-authentication-failure-trap – [MIB object: ospfIfAuthFailure] • virtual-interface-authentication-failure-trap – [MIB object: ospfVirtIfAuthFailure] • interface-receive-bad-packet-trap – [MIB object: ospfIfrxBadPacket] • virtual-interface-receive-bad-packet-trap – [MIB object: ospfVirtIfRxBadPacket] The following traps are disabled by default: • interface-retransmit-packet-trap –...
  • Page 783: Modify Exit Overflow Interval

    Configuring OSPF To configure a router to operate with the latest OSPF standard, RFC 2328, enter the following commands. BigIron RX(config)# router ospf BigIron RX(config-ospf-router)# no rfc1583-compatibility Syntax: [no] rfc1583-compatibility Modify exit overflow interval If a database overflow condition occurs on a router, the router eliminates the condition by removing entries that originated on the router.
  • Page 784: Displaying Ospf Information

    Displaying OSPF information Displaying OSPF information You can display the following OSPF information: • Trap, area, and interface information – refer to “Displaying general OSPF configuration information” on page 712. • CPU utilization statistics – refer to “Displaying CPU utilization and other OSPF tasks” on page 713.
  • Page 785: Displaying Cpu Utilization And Other Ospf Tasks

    Displaying OSPF information BigIron RX> show ip ospf config Router OSPF: Enabled Redistribution: Disabled Default OSPF Metric: 10 OSPF Redistribution Metric: Type2 OSPF External LSA Limit: 1447047 OSPF Database Overflow Interval: 0 RFC 1583 Compatibility: Enabled Router id: 207.95.11.128 Interface State Change Trap: Enabled Virtual Interface State Change Trap: Enabled...
  • Page 786 Displaying OSPF information BigIron RX#show tasks Task Name State Stack Size CPU Usage(%) task id task vid ---------- ----- --------- -------- ----- --------- ------ ------- idle 0 ready 00001904 04058fa0 4096 monitor 20 wait 0000d89c 0404bd80 8192 int 16 wait 0000d89c 04053f90 16384...
  • Page 787: Displaying Ospf Area Information

    Displaying OSPF information TABLE 110 CLI display of show tasks (Continued) This field... Displays... current instruction for the task Stack Stack location for the task Size Stack size of the task CPU Usage(%) Percentage of the CPU being used by the task task id Task’s ID number assigned by the operating system.
  • Page 788: Displaying Ospf Neighbor Information

    Displaying OSPF information Displaying OSPF neighbor information To display OSPF neighbor information, enter the following command at any CLI level. BigIron RX# show ip ospf neighbor Port Address State Neigh Address Neigh ID Ev Op Cnt 10.1.10.1 FULL/DR 10.1.10.2 10.65.12.1 10.1.11.1 FULL/DR 10.1.11.2...
  • Page 789: Displaying Ospf Interface Information

    Displaying OSPF information TABLE 112 CLI display of OSPF neighbor information (Continued) Field Description State The state of the conversation between the device and the neighbor. This field can have one of the following values: • Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor.
  • Page 790 Displaying OSPF information BigIron RX# show ip ospf interface 192.168.1.1 Ethernet 2/1,OSPF enabled IP Address 192.168.1.1, Area 0 OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1 Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40 Router ID 0.0.0.0 Interface Address 0.0.0.0 BDR: Router ID 0.0.0.0...
  • Page 791: Displaying Ospf Route Information

    Displaying OSPF information TABLE 113 Output of the show ip ospf interface command (Continued) This field Displays Adjacent Neighbor Count The number of adjacent neighbor routers. Neighbor The neighbor router’s ID. Displaying OSPF route information To display OSPF route information, enter the following command at any CLI level. BigIron RX>#show ip ospf route OSPF Area 0x00000000 ASBR Routes 1: Destination...
  • Page 792 Displaying OSPF information Syntax: show ip ospf routes [<ip-addr>] The <ip-addr> parameter specifies a destination IP address. If you use this parameter, only the route entries for that destination are shown. This display shows the following information. TABLE 114 CLI display of OSPF route information This field...
  • Page 793: Displaying Ospf External Link State Information

    Displaying OSPF information BigIron RX# show ip ospf redistribute route 4.3.0.0 255.255.0.0 static 3.1.0.0 255.255.0.0 static 10.11.61.0 255.255.255.0 connected 4.1.0.0 255.255.0.0 static In this example, four routes have been redistributed. Three of the routes were redistributed from static IP routes and one route was redistributed from a directly connected IP route. Syntax: show ip ospf redistribute route [<ip-addr>...
  • Page 794: Displaying Ospf Database Link State Information

    Displaying OSPF information TABLE 115 CLI display of OSPF external link state information This field... Displays... Index ID of the entry Aging The age of the LSA, in seconds. LS ID The ID of the link-state advertisement from which the device learned this route.
  • Page 795: Displaying Ospf Abr And Asbr Information

    Displaying OSPF information NOTE You cannot use the extensive option in combination with other display options. The entire database is displayed. The link-state-id <ip-addr> parameter displays the External LSAs for the LSA source specified by <IP-addr>. The network option shows network information. The nssa option shows network information.
  • Page 796: Displaying Ospf Trap Status

    Displaying OSPF information TABLE 117 CLI display of OSPF border routers This field... Displays... (Index) Displayed index number of the border router. Router ID ID of the OSPF router Router type Type of OSPF router: ABR or ASBR Next hop router ID of the next hop router Outgoing interface ID of the interface on the router for the outgoing route.
  • Page 797 Displaying OSPF information vlan 1 name DEFAULT-VLAN clock summer-time clock timezone us Pacific hostname R11-RX8 router ospf area 2 area 1 area 1 virtual-link 131.1.1.10 FIGURE 109 OSPF virtual neighbor and virtual link example Area 0 131.1.1.10/16 DeviceA R10-MG8 192.168.148.10 135.14.1.10/16 Area 1 Area 2...
  • Page 798: Ospf Graceful Restart

    Displaying OSPF information Displaying OSPF virtual link information Use the show ip ospf virtual link command to display OSPF virtual link information. The output below represents the virtual links configured in Figure 109. BigIron RX#show ip ospf virtual link Indx Transit Area Router ID Transit(sec) Retrans(sec) Hello(sec) 131.1.1.10...
  • Page 799: Displaying Ospf Graceful Restart Information

    Displaying OSPF information Configuring OSPF graceful restart timer The OSPF graceful restart timer specifies the maximum amount of time an OSPF restarting router will take to re-establish OSPF adjacencies and relearn OSPF routes. This value will be sent to the neighboring routers in the grace LSA packets.
  • Page 800 Displaying OSPF information BigIron RX#sh ip ospf neigh Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 30.1.0.5 FULL/OTHER 30.1.0.13 30.0.0.13 3/27 25.27.0.8 FULL/DR 25.27.0.14 12.1.0.14 20 2 < in graceful restart state, helping 1, timer 104 sec > 21.23.0.5 FULL/DR 21.23.0.14...
  • Page 801 Displaying OSPF information BigIron RX 1# show ip ospf neigh Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 40.0.1.1 EXST/DR 40.0.1.3 9.0.1.24 24 2 < in graceful restart state, helping 1, timer 112 sec > BigIron RX 3# show ip ospf neighbor Port Address Pri State...
  • Page 803: Overview Of Bgp4

    Chapter Configuring BGP4 (IPv4 and IPv6) Overview of BGP4 BGP4 is the standard Exterior Gateway Protocol (EGP) used on the Internet to route traffic between Autonomous Systems (AS) and to maintain loop-free routing. An autonomous system is a collection of networks that share the same routing and administration characteristics. For example, a corporate Intranet consisting of several networks under common administrative control might be considered an AS.
  • Page 804: Table

    Overview of BGP4 Relationship between the BGP4 route table and the IP route table The device’s BGP4 route table can have multiple routes or paths to the same destination, which are learned from different BGP4 neighbors. A BGP4 neighbor is another router that also is running BGP4.
  • Page 805 Overview of BGP4 1. Is the next hop accessible through an Interior Gateway Protocol (IGP) route? If not, ignore the path. NOTE By default, the device does not use the default route to resolve the BGP4 next hop. Also refer to “Enabling next-hop recursion”...
  • Page 806: Bgp4 Message Types

    Overview of BGP4 9. If all the comparisons above are equal, prefer the route with the lowest IGP metric to the BGP4 next hop. This is the closest internal path inside the AS to reach the destination. 10. If the internal paths also are the same and BGP4 load sharing is enabled, load share among the paths; otherwise, go to Step 11.
  • Page 807 Overview of BGP4 neighbors to always be up. For directly-attached neighbors, you can configure the BigIron RX to immediately close the TCP connection to the neighbor and clear entries learned from an EBGP neighbor if the interface to that neighbor goes down. This capability is provided by the fast external fallover feature, which is disabled by default.
  • Page 808: Brocade Implementation Of Bgp4

    Brocade implementation of BGP4 BGP4 Router A sends a Hold Time of 5 seconds and BGP4 Router B sends a Hold Time of 4 seconds, both routers use 4 seconds as the Hold Time for their BGP4 session. The default Hold Time is 180 seconds.
  • Page 809: Configuring Bgp4

    Configuring BGP4 As a guideline, BigIron RX switches with a 2 GB Management 4 module can accommodate 150 – 200 neighbors, with the assumption that the BigIron RX receives about one million routes total from all neighbors and sends about eight million routes total to neighbors. For each additional one million incoming routes, the capacity for outgoing routes decreases by around two million.
  • Page 810 Configuring BGP4 TABLE 118 IPv4 BGP commands at different configuration levels (Continued) Command Global (IPv4 and IPv6) IPv4 address family unicast IPv4 address family multicast as-path-ignore “Disabling or re-enabling comparison of the AS-path length” on page 750 bgp-redistribute-internal “Redistributing IBGP routes” on page 750 client-to-client-reflection “Disabling or re-enabling client-to-client route...
  • Page 811: When Parameter Changes Take Effect

    Configuring BGP4 TABLE 118 IPv4 BGP commands at different configuration levels (Continued) Command Global (IPv4 and IPv6) IPv4 address family unicast IPv4 address family multicast redistribute “Modifying redistribution parameters” on page 776 show “Displaying BGP4 information” on page 814 table-map “Using a table map to set the tag value” on page 779 timers “Changing the keep alive time and hold time”...
  • Page 812: Activating And Disabling Bgp4

    Activating and disabling BGP4 • Change other load-sharing parameters. • Define route flap dampening parameters. • Add, change, or negate redistribution parameters (except changing the default MED; see below). • Add, change, or negate route maps (when used by the network command or a redistribution command).
  • Page 813: Note Regarding Disabling Bgp4

    Entering and exiting the address family configuration level NOTE By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP interface address configured on the device.
  • Page 814: Filtering Specific Ip Addresses

    Filtering specific IP addresses The default is the ipv4 unicast address family level. To exit an address family configuration level, enter the following command. BigIron RX(config-bgp-ipv6u)# exit-address-family BigIron RX(config-bgp)# Syntax: exit-address-family Filtering specific IP addresses You can configure the router to explicitly permit or deny specific IP addresses received in updates from BGP4 neighbors by defining IP address filters.
  • Page 815: Defining An As-Path Filter

    Defining an AS-path filter The <wildcard> parameter specifies the portion of the IP address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches.
  • Page 816: Defining A Community Filter

    Defining a community filter Defining a community filter To define filter 3 to permit routes that have the NO_ADVERTISE community, enter the following command. BigIron RX(config-bgp)# community-filter 3 permit no-advertise Syntax: [no] community-filter <num> permit | deny <num>:<num> | internet | local-as | no-advertise | no-export The <num>...
  • Page 817: Bgp Null0 Routing

    BGP Null0 routing To configure a switch to disable the AS_PATH check function for routes sent to it by its BGP neighbor for a maximum limit of 3 occurrences of the route, enter the following command at the BGP configuration level. BigIron RX(config-bgp-ipv4u)# neighbor 33.33.36.2 allowas-in 3 Syntax: neighbor <IPaddress>...
  • Page 818: Configuration Steps

    BGP Null0 routing The following steps configure a null0 routing application for stopping denial of service attacks from remote hosts on the internet. Configuration steps 1. Select one router, Router 6, to distribute null0 routes throughout the BGP network. 2. Configure a route-map to match a particular tag (50) and set the next-hop address to an unused network address (199.199.1.1).
  • Page 819 BGP Null0 routing Router 1 The following configuration defines the null0 route to the specific next hop address. The next hop address 199.199.1.1 points to 128.178.1.101, which gets blocked. BigIron RX(config)# ip route 199.199.1.1/32 null0 BigIron RX(config)#router bgp local-as 100 BigIron RX(config-bgp-router)#neighbor <router2_int_ip address>...
  • Page 820 BGP Null0 routing Router-6# show ip bgp route Total number of BGP Routes: 126 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE Prefix Next Hop Metric LocPrf Weight Status 30.0.1.0/24 40.0.1.3 AS_PATH: 110.0.0.16/30 90.0.1.3 AS_PATH: 85 110.0.0.40/29 192.168.0.1 1000000 32768...
  • Page 821: Aggregating Routes Advertised To Bgp4 Neighbors

    Aggregating routes advertised to BGP4 neighbors Aggregating routes advertised to BGP4 neighbors By default, the BigIron RX advertises individual routes for all the networks. The aggregation feature allows you to configure the device to aggregate routes in a range of networks into a single network prefix.
  • Page 822: Disabling Or Re-Enabling Comparison Of The As-Path Length

    Redistributing IBGP routes You can enable the device to always compare the MEDs, regardless of the AS information in the paths. For example, if the router receives UPDATES for the same route from neighbors in three ASs, the router would compare the MEDs of all the paths together, rather than comparing the MEDs for the paths in each AS individually.
  • Page 823: Disabling Or Re-Enabling Client-To-Client Route Reflection

    Disabling or re-enabling client-to-client route reflection To enable the device to redistribute BGP4 routes into OSPF, RIP, or ISIS, enter the following command. BigIron RX(config-bgp)# bgp-redistribute-internal Syntax: [no] bgp-redistribute-internal To disable redistribution of IBGP routes into RIP, ISIS, and OSPF, enter the following command. BigIron RX(config-bgp)# no bgp-redistribute-internal Disabling or re-enabling client-to-client route reflection By default, the clients of a route reflector are not required to be fully meshed;...
  • Page 824: Configuring Confederations

    Configuring confederations When router ID comparison is enabled, the path comparison algorithm compares the router IDs of the neighbors that sent the otherwise equal paths. • If BGP4 load sharing is disabled (maximum-paths 1), the device selects the path that came from the neighbor with the lower router ID.
  • Page 825: Configuring A Bgp Confederation

    Configuring confederations FIGURE 114 Example BGP4 confederation AS 20 Confederation 10 Sub-AS 64512 IBGP Router B Router A EBGP EBGP Sub-AS 64513 This BGP4 router sees all traffic from Confederation 10 as traffic from AS 10. IBGP Routers outside the confederation do not know or care that the routers Router C are subdivided into sub-ASs within a...
  • Page 826 Configuring confederations The procedures show how to implement the example confederation shown in Figure 26.3. To configure four devices to be a member of confederation 10, consisting of two sub-ASs (64512 and 64513), enter commands such as the following. Commands for Router A BigIron RXA(config)# router bgp BigIron RXA(config-bgp)# local-as 64512 BigIron RXA(config-bgp)# confederation identifier 10...
  • Page 827: Configuring Route Flap Dampening

    Configuring route flap dampening Configuring route flap dampening Route Flap Dampening reduces the amount of change propagated by BGP due to routing state caused by unstable routes. Reducing change propagation will help reduce processing requirements. To enable route flap dampening using the default values, enter the following command. BigIron RX(config-bgp)# dampening Syntax: dampening [<half-life>...
  • Page 828: Changing The Default Local Preference

    Changing the default local preference BigIron RX(config-bgp)# default-information-originate Syntax: [no] default-information-originate Changing the default local preference When the router uses the BGP4 algorithm to select a route to send to the IP route table, one of the parameters the algorithm uses is the local preference. Local preference is an attribute that indicates a degree of preference for a route relative to other routes.
  • Page 829: Changing Administrative Distances

    Changing administrative distances Changing administrative distances The BigIron RX can learn about networks from various protocols, including the EBGP portion of BGP4 and IGPs such as OSPF, ISIS, and RIP. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. To select one route over another based on the source of the route information, the device can use the administrative distances assigned to the sources.
  • Page 830: Requiring The First As To Be The Neighbor's As

    Requiring the first AS to be the neighbor’s AS The <external-distance> sets the EBGP distance and can be a value from 1 – 255. The <internal-distance> sets the IBGP distance and can be a value from 1 – 255. The <local-distance> sets the Local BGP distance and can be a value from 1 – 255. Requiring the first AS to be the neighbor’s AS By default, the BigIron RX does not require the first AS listed in the AS_SEQUENCE field of an AS path Update from an EBGP neighbor to be the AS that the neighbor who sent the Update is in.
  • Page 831: Setting The Local As Number

    Setting the local AS number The router waits for the Hold Time to expire before ending the connection to a directly-attached BGP4 neighbor that dies. For directly attached neighbors, the router immediately senses loss of a connection to the neighbor from a change of state of the port or interface that connects the router to its neighbor.
  • Page 832: Treating Missing Meds As The Worst Meds

    Treating missing MEDs as the worst MEDs Syntax: [no] maximum-paths <number> The <num> parameter specifies the maximum number of paths across which the BigIron RX can balance traffic to a given BGP4 destination. You can change the maximum number of paths to a value from 2 –...
  • Page 833: Configuring Bgp4 Neighbors

    Configuring BGP4 neighbors By default, load sharing applies to EBGP and IBGP paths, and does not apply to paths from different neighboring ASs. Configuring BGP4 neighbors The BGP4 protocol does not contain a peer discovery process. Therefore, for each of the router’s BGP4 neighbors (peers), you must indicate the neighbor’s IP address and the AS each neighbor is in.
  • Page 834 Configuring BGP4 neighbors [remove-private-as] [route-map in | out <map-name>] [route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive <num> hold-time <num>] [unsuppress-map <map-name>] [update-source <ip-addr> | ethernet <slot>/<portnum> | loopback <num> | ve <num>] [weight <num>] The <ip-addr> | <peer-group-name> parameter indicates whether you are configuring an individual neighbor or a peer group.
  • Page 835 Configuring BGP4 neighbors ebgp-multihop [<num>] specifies that the neighbor is more than one hop away and that the session type with the neighbor is thus EBGP-multihop. This option is disabled by default. The <num> parameter specifies the TTL you are adding for the neighbor. You can specify a number from 0 –...
  • Page 836 Configuring BGP4 neighbors NOTE If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior.
  • Page 837: Neighbor Routes

    Configuring BGP4 neighbors unsuppress-map <map-name> removes route suppression from a neighbor’s routes when those routes have been suppressed due to aggregation. Refer to “Removing route dampening from suppressed neighbor routes” on page 765. update-source <ip-addr> | ethernet <slot>/<portnum> | loopback <num> | ve <num> configures the router to communicate with the neighbor through the specified interface.
  • Page 838: Encryption Of Bgp4 Md5 Authentication Keys

    Configuring BGP4 neighbors BigIron RX(config)# ip prefix-list Unsuppress1 permit 209.1.44.0/24 BigIron RX(config)# route-map RouteMap1 permit 1 BigIron RX(config-routemap RouteMap1)# match prefix-list Unsuppress1 BigIron RX(config-routemap RouteMap1)# exit BigIron RX(config)# router bgp BigIron RX(config-bgp)# neighbor 10.1.0.2 unsuppress-map RouteMap1 BigIron RX(config-bgp)# clear ip bgp neighbor 10.1.0.2 soft-out The ip prefix-list command configures an IP prefix list for network 209.1.44.0/24, which is the route you want to unsuppress.
  • Page 839 Configuring BGP4 neighbors Encryption example The following commands configure a BGP4 neighbor and a peer group, and specify MD5 authentication strings (passwords) for authenticating packets exchanged with the neighbor or peer group. BigIron RX(config-bgp)# local-as 2 BigIron RX(config-bgp)# neighbor xyz peer-group BigIron RX(config-bgp)# neighbor xyz password abc BigIron RX(config-bgp)# neighbor 10.10.200.102 peer-group xyz BigIron RX(config-bgp)# neighbor 10.10.200.102 password test...
  • Page 840: Configuring A Bgp4 Peer Group

    Configuring a BGP4 peer group of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication. If you accidentally enter option 1 followed by the clear-text version of the password or string, authentication will fail because the value used by the software will not match the value you intended to use.
  • Page 841 Configuring a BGP4 peer group • You must configure a peer group before you can add neighbors to the peer group. • If you remove a parameter from a peer group, the value for that parameter is reset to the default for all the neighbors within the peer group, unless you have explicitly set that parameter on individual neighbors.
  • Page 842 Configuring a BGP4 peer group The <peer-group-name> parameter specifies the name of the group and can be up to 80 characters long. The name can contain special characters and internal blanks. If you use internal blanks, you must use quotation marks around the name. For example, the command neighbor “My Three Peers”...
  • Page 843: Specifying A List Of Networks To Advertise

    Specifying a list of networks to advertise The <ip-addr> parameter specifies the IP address of the neighbor. The <peer-group-name> parameter specifies the peer group name. NOTE You must add the peer group before you can add neighbors to it. Administratively shutting down a session with a BGP4 neighbor You can prevent the device from starting a BGP4 session with a neighbor by administratively shutting down the neighbor.
  • Page 844: Using The Ip Default Route As A Valid Next Hop For A Bgp4 Route

    Using the IP default route as a valid next hop for a BGP4 route The <ip-addr> is the network number and the <ip-mask> specifies the network mask. The route-map <map-name> parameter specifies the name of the route map you want to use to set or change BGP4 attributes for the network you are advertising.
  • Page 845: Enabling Next-Hop Recursion

    Enabling next-hop recursion BigIron RX(config-bgp)# next-hop-enable-default Syntax: [no] next-hop-enable-default Enabling next-hop recursion For each BGP4 route a BigIron RX learns, the device performs a route lookup to obtain the IP address of the route’s next hop. A BGP4 route becomes eligible for installation into the IP route table only if the following conditions are true: •...
  • Page 846 Enabling next-hop recursion BigIron RX# show ip bgp route Total number of BGP Routes: 5 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED Prefix Next Hop Metric LocPrf Weight Status 0.0.0.0/0 10.1.0.2 AS_PATH: 65001 4355 701 80 102.0.0.0/24 10.0.0.1 AS_PATH: 65001 4355 1...
  • Page 847 Enabling next-hop recursion BigIron RX# show ip bgp route Total number of BGP Routes: 5 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED Prefix Next Hop Metric LocPrf Weight Status 0.0.0.0/0 10.1.0.2 AS_PATH: 65001 4355 701 80 102.0.0.0/24 10.0.0.1 AS_PATH: 65001 4355 1...
  • Page 848: Modifying Redistribution Parameters

    Modifying redistribution parameters BigIron RX# show ip route 240.0.0.0/24 Total number of IP routes: 38 Network Address Gateway Port Cost Type 240.0.0.0 10.0.0.1 AS_PATH: 65001 4355 1 This BigIron RX can use this route because the device has an IP route to the next-hop gateway. Without recursive next-hop lookups, this route would not be in the IP route table.
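The recursive lookup that pages 845 through 848 describe, as an added Python example (this is not code from the guide): a BGP4 route is eligible for the IP route table only when its next hop resolves to an egress interface, and next-hop recursion lets that resolution pass through another BGP route (such as the BGP default route shown on page 846) before it reaches a connected route. The route table below is constructed for illustration, the allow_default flag stands in for the next-hop-enable-default command on page 845, and the loop guard is the author's own; the guide says nothing about the device's internal data structures.

```python
import ipaddress

# Constructed route table modelled on the page's example (not copied from it):
# (prefix, next_hop, egress_port, protocol). Routes with a port are already
# resolved (connected/static/IGP); BGP routes carry only a next-hop address.
ROUTE_TABLE = [
    ("10.1.0.0/24", None, "eth1/1", "connected"),
    ("0.0.0.0/0", "10.1.0.2", None, "bgp"),        # BGP default via a connected peer
    ("240.0.0.0/24", "10.0.0.1", None, "bgp"),     # next hop reachable only via the default
    ("172.16.0.0/16", "172.16.0.1", None, "bgp"),  # next hop lies inside its own prefix: loop
]

def lookup(ip, table, allow_default):
    """Longest-prefix match. The default route only counts when allow_default
    is set, mirroring next-hop-enable-default."""
    addr = ipaddress.ip_address(ip)
    best = None
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or
                            net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = entry
    return best

def resolve_next_hop(next_hop, table=ROUTE_TABLE, recursive=True,
                     allow_default=False, max_depth=8):
    """Return the egress port a BGP next hop resolves to, or None when the
    BGP route is not eligible for the IP route table."""
    seen = set()
    hop = next_hop
    for _ in range(max_depth):
        if hop in seen:            # next-hop loop: never eligible
            return None
        seen.add(hop)
        route = lookup(hop, table, allow_default)
        if route is None:          # no route to the next hop at all
            return None
        _, nh, port, _ = route
        if port is not None:       # resolved to an interface
            return port
        if not recursive:          # without recursion a BGP route cannot resolve a next hop
            return None
        hop = nh                   # recurse through the BGP route's own next hop

def eligible_bgp_routes(table=ROUTE_TABLE, recursive=True, allow_default=False):
    """Map each BGP prefix to its resolved egress port (None = not installed)."""
    return {prefix: resolve_next_hop(nh, table, recursive, allow_default)
            for prefix, nh, port, proto in table if proto == "bgp"}
```

With recursion and the default route allowed, 240.0.0.0/24 resolves through the BGP default to eth1/1, which is the situation the page-848 output shows; with either switch off it stays out of the IP route table.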
  • Page 849: Redistributing Connected Routes

    Modifying redistribution parameters The static parameter indicates that you are redistributing static routes into BGP. Redistributing connected routes To configure BGP4 to redistribute directly connected routes, enter the following command. BigIron RX(config-bgp)# redistribute connected Syntax: redistribute connected [metric <num>] [route-map <map-name>] The connected parameter indicates that you are redistributing routes to directly attached devices into BGP4.
  • Page 850: Redistributing Static Routes

    Modifying redistribution parameters The match internal | external1 | external2 parameter applies only to OSPF. This parameter specifies the types of OSPF routes to be redistributed into BGP4. The default is internal. NOTE If you do not enter a value for the match parameter (for example, if you enter redistribute ospf only), then only internal OSPF routes are redistributed.
  • Page 851: Using A Table Map To Set The Tag Value

    Using a table map to set the tag value The metric <num> parameter changes the metric. You can specify a value from 0 – 4294967295. The default is 0. The route-map <map-name> parameter specifies a route map to be consulted before adding the static route to the BGP4 route table.
  • Page 852: Changing The Bgp4 Next-Hop Update Timer

    Changing the BGP4 next-hop update timer NOTE Generally, you should set the Hold Time to three times the value of the Keep Alive Time. NOTE You can override the global Keep Alive Time and Hold Time on individual neighbors. Refer to “Configuring BGP4 neighbors”...
  • Page 853: Adding A Loopback Interface

    Adding a loopback interface NOTE A BigIron RX uses the same router ID for both OSPF and BGP4. If the router is already configured for OSPF, you may want to use the router ID that is already in use on the router rather than set a new one.
  • Page 854: Configuring Route Reflection Parameters

    Configuring route reflection parameters • Set the maximum number of paths. The default maximum number of BGP4 load sharing paths is 1, which means no BGP4 load sharing takes place by default. Refer to “Changing the maximum number of shared BGP4 paths” on page 759.
  • Page 855 Configuring route reflection parameters • A route reflector client is an IBGP neighbor identified as a member of a cluster. You identify a router as a route reflector client on the router that is the route reflector, not on the client. The client itself requires no additional configuration.
  • Page 856: Filtering

    Filtering • If a device receives a route whose ORIGINATOR_ID attribute has the value of the device’s own router ID, the device discards the route and does not advertise it. By discarding the route, the device prevents a routing loop. •...
  • Page 857: Filtering As-Paths

    Filtering • “Using a table map to set the tag value” on page 779 • “Configuring cooperative BGP4 route filtering” on page 799 Filtering AS-paths You can filter updates received from BGP4 neighbors based on the contents of the AS-path list accompanying the updates.
  • Page 858: Special Characters

    Filtering The neighbor command uses the filter-list parameter to apply the AS-path ACL to the neighbor. Refer to “Configuring BGP4 neighbors” on page 761 and “Configuring a BGP4 peer group” page 768. Using regular expressions You use a regular expression for the <as-path> parameter to specify a single character or multiple characters as a filter pattern.
  • Page 859 Filtering TABLE 119 BGP4 special characters for regular expressions (Continued) Character Operation An underscore matches on one or more of the following: • , (comma) • { (left curly brace) • } (right curly brace) • ( (left parenthesis) • ) (right parenthesis) •...
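The underscore rule in Table 119 is where AS-path filters most often go wrong: the pattern 4355 also matches AS 43551, while _4355_ matches only the whole AS number. The following added Python example (not code from the guide) translates an AS-path regular expression into a Python one by expanding each underscore into the alternatives the table lists, then applies an ordered filter list with the first-match-wins, implicit-deny behaviour of an AS-path ACL. The sample ACL and updates are constructed for illustration.

```python
import re

# An AS-path regex underscore matches a comma, brace, parenthesis, space,
# or the start or end of the path; everything else is ordinary regex syntax.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"

def aspath_regex_to_python(pattern):
    """Translate an AS-path regular expression into a Python regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # keep escapes such as \( intact
            out.append(pattern[i:i + 2])
            i += 2
            continue
        out.append(_UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)

def match_as_path(pattern, as_path):
    """True if the AS path (as printed by show ip bgp route) matches the pattern."""
    return re.search(aspath_regex_to_python(pattern), as_path) is not None

def apply_filter_list(acl, updates):
    """acl: ordered (action, pattern) entries, first match wins, implicit deny.
    updates: (prefix, as_path) pairs. Returns the prefixes that are accepted."""
    accepted = []
    for prefix, as_path in updates:
        for action, pattern in acl:
            if match_as_path(pattern, as_path):
                if action == "permit":
                    accepted.append(prefix)
                break
    return accepted

# Constructed sample data (not from the guide): drop anything that transited
# AS 701, then permit only paths that start with our upstream 65001.
SAMPLE_ACL = [("deny", "_701_"), ("permit", "^65001_")]
SAMPLE_UPDATES = [
    ("102.0.0.0/24", "65001 4355 1"),
    ("192.50.206.0/23", "65001 43551 701"),
    ("10.9.0.0/16", "65001 (4355) 2548"),      # confederation segment in parentheses
    ("203.0.113.0/24", "64512 65001"),
]
```

The third update shows why parentheses are part of the underscore class: a confederation segment such as (4355) still matches _4355_ at the segment boundaries.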
  • Page 860: Filtering Communities

    Filtering Filtering communities You can filter routes received from BGP4 neighbors based on community names. A community is an optional attribute that identifies the route as a member of a user-defined class of routes. A community name is a 32-bit value written as two 16-bit integers (each from 0 through 65535) joined by a colon, conventionally the AS number followed by a locally chosen value. You determine what the name means when you create the community name as one of a route’s attributes.
  • Page 861: Defining And Applying Ip Prefix Lists

    Filtering The seq <seq-value> parameter is optional and specifies the community list’s sequence number. You can configure up to 199 entries in a community list. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with number 5. The software interprets the entries in a community list in numerical order, beginning with the lowest sequence number.
  • Page 862: Defining Neighbor Distribute Lists

    Filtering The seq <seq-value> parameter is optional and specifies the IP prefix list’s sequence number. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with prefix list entry 5. The software interprets the prefix list entries in numerical order, beginning with the lowest sequence number.
  • Page 863: Defining Route Maps

    Filtering Defining route maps A route map is a named set of match conditions and parameter settings that the router can use to modify route attributes and to control redistribution of the routes into other protocols. A route map consists of a sequence of instances. If you think of a route map as a table, an instance is a row in that table.
  • Page 864 Filtering • Set the MED (metric). • Set the IP address of the next hop router. • Set the origin to IGP or INCOMPLETE. • Set the weight. For example, when you configure parameters for redistributing routes into BGP, one of the optional parameters is a route map.
  • Page 865 Filtering Specifying the match conditions Use the following command to define the match conditions for instance 1 of the route map GET_ONE. This instance compares the route updates against BGP4 address filter 11. BigIron RX(config-routemap GET_ONE)# match address-filters 11 Syntax: match [as-path <name>] | [address-filters | as-path-filters | community-filters <num,num,...>] | [community <acl>...
  • Page 866 Filtering The next-hop <address-filter-list> parameter compares the IP address of the route’s next hop to the specified IP address filters. The filters must already be configured. The route-type internal | external-type1 | external-type2 parameter applies only to OSPF routes. This parameter compares the route’s type to the specified value. The level-1 parameter compares ISIS routes only with routes within the same area.
  • Page 867 Filtering Matching based on next-hop router You can use the results of an IP ACL or an IP prefix list as the match condition. To construct a route map that matches based on the next-hop router, enter commands such as the following.
  • Page 868 Filtering The <acl> parameter specifies the name of a community list ACL. You can specify up to five ACLs. Separate the ACL names or IDs with spaces. Here is another example. BigIron RX(config)# ip community-list standard std_2 permit 23:45 56:78 BigIron RX(config)# route-map bgp3 permit 1 BigIron RX(config-routemap bgp3)# match community std_1 std_2 exact-match These commands configure an additional community ACL, std_2, that contains community...
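The community encoding described on page 860 and the exact-match behaviour shown on page 868, as one added Python example (not code from the guide). It packs AS:value names into the 32-bit attribute value, recognises the well-known communities by their RFC 1997 values, and models a standard community list in which an entry matches when the route carries all of the entry's communities (subset match) unless exact-match is requested, in which case the sets must be equal. The assumption that match community with several lists succeeds if any one list matches, and the sample routes, are the author's; the "internet" keyword that matches every route is not modelled.

```python
# Well-known community values from RFC 1997 (local-as is NO_EXPORT_SUBCONFED).
WELL_KNOWN = {
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-as": 0xFFFFFF03,
}

def parse_community(text):
    """'AS:value' (two 16-bit numbers) or a well-known name -> 32-bit int."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    asn, _, value = text.partition(":")
    asn, value = int(asn), int(value)
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError("community halves must be 0..65535: %s" % text)
    return (asn << 16) | value

def is_valid_community(text):
    try:
        parse_community(text)
        return True
    except ValueError:
        return False

def format_community(value):
    """32-bit int -> well-known name or 'AS:value'."""
    for name, known in WELL_KNOWN.items():
        if known == value:
            return name
    return "%d:%d" % (value >> 16, value & 0xFFFF)

class CommunityList:
    """Standard community list: ordered (action, set-of-communities) entries,
    first matching entry decides, implicit deny at the end."""
    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, action, *communities):
        self.entries.append((action, frozenset(parse_community(c) for c in communities)))
        return self

    def matches(self, route_communities, exact=False):
        rc = frozenset(route_communities)
        for action, wanted in self.entries:
            hit = (rc == wanted) if exact else wanted <= rc
            if hit:
                return action == "permit"
        return False

def match_community(lists, route_communities, exact=False):
    """route-map 'match community <list> ...': assumed to succeed if any list matches."""
    return any(lst.matches(route_communities, exact) for lst in lists)
```

With a route carrying 23:45, 56:78 and 11:12, the list permit 23:45 56:78 matches normally but fails under exact-match, which is the distinction the page-868 example relies on.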
  • Page 869 Filtering The dampening [<half-life> <reuse> <suppress> <max-suppress-time>] parameter sets route dampening parameters for the route. The <half-life> parameter specifies the number of minutes after which the route’s penalty becomes half its value. The <reuse> parameter specifies how low a route’s penalty must become before the route becomes eligible for use again after being suppressed.
  • Page 870 Filtering BigIron RX(config)# access-list 1 permit 192.168.9.0 0.0.0.255 BigIron RX(config)# route-map bgp4 permit 1 BigIron RX(config-routemap bgp4)# match ip address 1 BigIron RX(config-routemap bgp4)# set metric-type internal The first command configures an ACL that matches on routes with destination network 192.168.9.0.
  • Page 871: Configuring Cooperative Bgp4 Route Filtering

    Filtering Configuring cooperative BGP4 route filtering By default, the device performs all filtering of incoming routes locally, on the device itself. You can use cooperative BGP4 route filtering to cause the filtering to be performed by a neighbor before it sends the routes to the device.
  • Page 872 Filtering Syntax: [no] neighbor <ip-addr> | <peer-group-name> capability orf prefixlist [send | receive] The <ip-addr> | <peer-group-name> parameter specifies the IP address of a neighbor or the name of a peer group of neighbors. The send | receive parameter specifies the support you are enabling: •...
  • Page 873: Configuring Route Flap Dampening

    Filtering • The cooperative filtering configuration on the device. • The ORFs received from neighbors. To display the cooperative filtering configuration on the device, enter a command such as the following. The line shown in bold type shows the cooperative filtering status. BigIron RX# show ip bgp neighbor 10.10.10.1 IP Address: 10.10.10.1, AS: 65200 (IBGP), RouterID: 10.10.10.1 State: ESTABLISHED, Time: 0h0m7s, KeepAliveTime: 60, HoldTime: 180...
  • Page 874 Filtering NOTE The BigIron RX applies route flap dampening only to routes learned from EBGP neighbors. The route flap dampening mechanism is based on penalties. When a route exceeds a configured penalty value, the device stops using that route and also stops advertising it to other routers. The mechanism also allows a route’s penalties to reduce over time if the route’s stability improves.
  • Page 875 Filtering BigIron RX(config)# router bgp BigIron RX(config-bgp)# address-filter 9 permit 209.157.22.0 255.255.255.0 255.255.255.0 255.255.255.0 BigIron RX(config-bgp)# address-filter 10 permit 209.157.23.0 255.255.255.0 255.255.255.0 255.255.255.0 BigIron RX(config-bgp)# exit BigIron RX(config)# route-map DAMPENING_MAP permit 9 BigIron RX(config-routemap DAMPENING_MAP)# match address-filters 9 BigIron RX(config-routemap DAMPENING_MAP)# set dampening 10 200 2500 40 BigIron RX(config-routemap DAMPENING_MAP)# exit BigIron RX(config)# route-map DAMPENING_MAP permit 10 BigIron RX(config-routemap DAMPENING_MAP)# match address-filters 10...
  • Page 876: Displaying And Clearing Route Flap Dampening Statistics

    Filtering BigIron RX(config-routemap DAMPENING_MAP_NEIGHBOR_A)# exit BigIron RX(config)# router bgp BigIron RX(config-bgp)# dampening route-map DAMPENING_MAP_ENABLE BigIron RX(config-bgp)# neighbor 10.10.10.1 route-map in DAMPENING_MAP_NEIGHBOR_A In this example, the first command globally enables route flap dampening. This route map does not contain any match or set statements. At the BGP configuration level, the dampening route-map command refers to the DAMPENING_MAP_ENABLE route map created by the first command, thus enabling dampening globally.
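A model of the penalty mechanism described on page 874, run with the page-875 values set dampening 10 200 2500 40 (half-life 10 minutes, reuse 200, suppress 2500, max-suppress 40 minutes). This is an added Python example, not code from the guide: the 1000-point penalty per flap and the penalty ceiling derived from max-suppress are assumptions borrowed from common implementations, and the guide states that the device applies dampening only to routes learned from EBGP neighbors.

```python
import math

class Dampening:
    FLAP_PENALTY = 1000   # assumed per-flap penalty, as in common implementations

    def __init__(self, half_life, reuse, suppress, max_suppress):
        self.half_life = half_life        # minutes for the penalty to halve
        self.reuse = reuse                # below this the route is usable again
        self.suppress = suppress          # above this the route is suppressed
        self.max_suppress = max_suppress  # minutes, upper bound on suppression
        # Assumed ceiling: a penalty that would take longer than max_suppress
        # to decay below reuse is clamped, so suppression never exceeds it.
        self.max_penalty = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last = 0.0
        self.suppressed = False

    def _decay(self, now):
        """Exponential decay of the penalty since the last event."""
        self.penalty *= 0.5 ** ((now - self.last) / self.half_life)
        self.last = now

    def flap(self, now):
        """Record a withdraw/re-advertise at minute 'now'; returns suppressed state."""
        self._decay(now)
        self.penalty = min(self.penalty + self.FLAP_PENALTY, self.max_penalty)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def usable(self, now):
        """Is the route eligible for use (and advertisement) at minute 'now'?"""
        self._decay(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return not self.suppressed

    def reuse_in(self, now):
        """Minutes until a suppressed route becomes eligible again."""
        self._decay(now)
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)
```

Three flaps in quick succession push the penalty to 3000, above the 2500 suppress threshold, and the route stays unusable for 10 * log2(3000 / 200), about 39 minutes; five flaps hit the ceiling of 3200 and are released at exactly the 40-minute max-suppress time.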
  • Page 877 Filtering BigIron RX# show ip bgp flap-statistics Total number of flapping routes: 414 Status Code >:best d:damped h:history *:valid Network From Flaps Since Reuse Path h> 192.50.206.0/23 166.90.213.77 0 :0 :13 0 :0 :0 65001 4355 1 701 h> 203.255.192.0/20 166.90.213.77 0 :0 :13 0 :0 :0 65001 4355 1 7018...
  • Page 878: Generating Traps For Bgp

    Filtering Clearing route flap dampening statistics NOTE Clearing the dampening statistics for a route does not change the dampening status of the route. To clear all the route dampening statistics, enter the following command at any level of the CLI. BigIron RX# clear ip bgp flap-statistics Syntax: clear ip bgp flap-statistics [regular-expression <regular-expression>...
  • Page 879: Using Soft Reconfiguration

    Filtering Using soft reconfiguration The soft reconfiguration feature places policy changes into effect without resetting the BGP4 session. Soft reconfiguration does not request the neighbor or group to send its entire BGP4 table, nor does the feature reset the session with the neighbor or group. Instead, the soft reconfiguration feature stores all the route updates received from the neighbor or group.
  • Page 880 Filtering NOTE The syntax related to soft reconfiguration is shown. For complete command syntax, refer to “Dynamically refreshing routes” on page 809. Displaying the filtered routes received from the neighbor or peer group When you enable soft reconfiguration, the device saves all updates received from the specified neighbor or peer group.
  • Page 881 Filtering BigIron RX# show ip bgp neighbor 192.168.4.106 routes There are 97345 received routes from neighbor 192.168.4.106 Searching for matching routes, use ^C to quit... Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED Prefix Next Hop Metric LocPrf Weight Status...
  • Page 882 Filtering To request a dynamic refresh of all routes from a neighbor, enter a command such as the following. BigIron RX(config-bgp)# clear ip bgp neighbor 192.168.1.170 soft in This command asks the neighbor to send its BGP4 table (Adj-RIB-Out) again. The device applies its filters to the incoming routes and adds, modifies, or removes BGP4 routes as necessary.
  • Page 883: Closing Or Resetting A Neighbor Session

    Filtering To place a new or changed outbound policy or filter into effect, you must enter a clear ip bgp neighbor command regardless of whether the neighbor session is up or down. You can enter the command without optional parameters or with the soft out or soft-outbound option. Either way, you must specify a parameter for the neighbor (<ip-addr>, <as-num>, <peer-group-name>, or all).
  • Page 884: Clearing Traffic Counters

    Filtering If you make changes to filters or route maps and the neighbor does not support dynamic route refresh, use these methods to ensure that neighbors contain only the routes you want them to contain. • If you close a neighbor session, the device and the neighbor clear all the routes they learned from each other.
  • Page 885: Clearing Route Flap Dampening Statistics

    Filtering BigIron RX# clear ip bgp neighbor 10.0.0.1 traffic To clear the BGP4 message counter for all neighbors within a peer group, enter a command such as the following. BigIron RX# clear ip bgp neighbor PeerGroup1 traffic Syntax: clear ip bgp neighbor all | <ip-addr> | <peer-group-name> | <as-num> traffic The all | <ip-addr>...
  • Page 886: Clearing Diagnostic Buffers

    Displaying BGP4 information Clearing diagnostic buffers The BigIron RX stores the following BGP4 diagnostic information in buffers: • The first 400 bytes of the last packet received that contained an error • The last NOTIFICATION message either sent or received by the device To display these buffers, use options with the show ip bgp neighbors command.
  • Page 887: Displaying Summary Bgp4 Information

    Displaying BGP4 information Displaying summary BGP4 information You can display the local AS number, the maximum number of routes and neighbors supported, and some BGP4 statistics. To view summary BGP4 information for the router, enter the following command at any CLI prompt. BigIron RX# show ip bgp summary BGP4 Summary Router ID: 101.0.0.1...
  • Page 888 Displaying BGP4 information TABLE 121 BGP4 summary information (Continued) This field... Displays... Number of Attribute Entries Installed The number of BGP4 route-attribute entries in the router’s route-attributes table. To display the route-attribute table, refer to “Displaying BGP4 route-attribute entries” on page 837. Neighbor Address The IP addresses of this router’s BGP4 neighbors.
  • Page 889: Displaying The Active Bgp4 Configuration

    Displaying BGP4 information TABLE 121 BGP4 summary information (Continued) This field... Displays... Sent The number of BGP4 routes that the device has sent to the neighbor. ToSend The number of routes the device has queued to send to this neighbor. Displaying the active BGP4 configuration To view the active BGP4 configuration information contained in the running configuration without displaying the entire running configuration, enter the following command at any level of the CLI.
  • Page 890 Displaying BGP4 information BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 routes-summary IP Address: 192.168.4.211 Routes Accepted/Installed:1, Filtered/Kept:11, Filtered:11 Routes Selected as BEST Routes:1 BEST Routes not Installed in IP Forwarding Table:0 Unreachable Routes (no IGP Route for NEXTHOP):0 History Routes:0 NLRIs Received in Update Message:24, Withdraws:0 (0), Replacements:1...
  • Page 891: Displaying Bgp4 Neighbor Information

    Displaying BGP4 information TABLE 122 BGP4 route summary information for a neighbor (Continued) This field... Displays... NLRIs Discarded due to Indicates the number of times the device discarded an NLRI for the neighbor due to the following reasons: • Maximum Prefix Limit – The device’s configured maximum prefix amount had been reached.
  • Page 892 Displaying BGP4 information BigIron RX(config-bgp)# show ip bgp neighbor 10.4.0.2 IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1 Description: neighbor 10.4.0.2 State: ESTABLISHED, Time: 0h1m0s, KeepAliveTime: 0, HoldTime: 0 PeerGroup: pg1 Multihop-EBGP: yes, ttl: 1 RouteReflectorClient: yes SendCommunity: yes NextHopSelf: yes DefaultOriginate: yes (default sent) MaximumPrefixLimit: 90000 RemovePrivateAs: yes...
  • Page 893 Displaying BGP4 information The attribute-entries option shows the attribute-entries associated with routes received from the neighbor. The flap-statistics option shows the route flap statistics for routes received from or sent to the neighbor. The last-packet-with-error option displays the last packet from the neighbor that contained an error. The packet's contents are displayed in decoded (human-readable) format.
  • Page 894 Displaying BGP4 information TABLE 123 BGP4 neighbor information (Continued) This field... Displays... Description The description you gave the neighbor when you configured it on the device. State The state of the router’s session with the neighbor. The states are from this router’s perspective of the session, not the neighbor’s perspective.
  • Page 895 Displaying BGP4 information TABLE 123 BGP4 neighbor information (Continued) This field... Displays... DefaultOriginate Whether this option is enabled for the neighbor. MaximumPrefixLimit Lists the maximum number of prefixes the device will accept from this neighbor. RemovePrivateAs Whether this option is enabled for the neighbor. RefreshCapability Whether this device has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability.
  • Page 896 Displaying BGP4 information TABLE 123 BGP4 neighbor information (Continued) This field... Displays... Last Connection Reset Reason The reason the previous session with this neighbor ended. The reason can be one of the following: • Reasons described in the BGP specifications: •...
  • Page 897 Displaying BGP4 information TABLE 123 BGP4 neighbor information (Continued) This field... Displays... Notification Sent If the router has sent a NOTIFICATION message to the neighbor, this field shows the error code of that message, corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
  • Page 898 Displaying BGP4 information TABLE 123 BGP4 neighbor information (Continued) This field... Displays... TCP Connection state The state of the connection with the neighbor. The connection can have one of the following states: • LISTEN – Waiting for a connection request. •...
  • Page 899 Displaying BGP4 information TABLE 123 BGP4 neighbor information (Continued) This field... Displays... TotalRcv The number of sequence numbers received from the neighbor. DupliRcv The number of duplicate sequence numbers received from the neighbor. RcvWnd The size of the receive window. SendQue The number of sequence numbers in the send queue.
  • Page 900 Displaying BGP4 information This display shows the following information. TABLE 124 BGP4 route summary information for a neighbor This field... Displays... Routes Received How many routes the device has received from the neighbor during the current BGP4 session. • Accepted/Installed – Indicates how many of the received routes the device accepted and installed in the BGP4 route table.
  • Page 901 Displaying BGP4 information TABLE 124 BGP4 route summary information for a neighbor (Continued) This field... Displays... NLRIs Sent in Update Message The number of NLRIs for new routes the device has sent to this neighbor in UPDATE messages. • Withdraws – The number of routes the device has sent to the neighbor to withdraw.
  • Page 902: Displaying Peer Group Information

    Displaying BGP4 information Displaying the adj-RIB-out for a neighbor To display the device’s current BGP4 Routing Information Base (Adj-RIB-Out) for a specific neighbor and a specific destination network, enter a command such as the following at any level of the CLI. BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 rib-out-routes 192.168.1.0/24 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST I:IBGP L:LOCAL...
  • Page 903: Displaying The Bgp4 Route Table

    Displaying BGP4 information This display shows the following information. TABLE 125 BGP4 summary route information This field... Displays... Total number of BGP routes (NLRIs) Installed The number of BGP4 routes the device has installed in the BGP4 route table. Distinct BGP destination networks The number of destination networks the installed routes represent.
  • Page 904 Displaying BGP4 information Syntax: show ip bgp routes [[network] <ip-addr>] | <num> | [age <secs>] | [as-path-access-list <num>] | [best] | [cidr-only] | [community <num> | no-export | no-advertise | internet | local-as] | [community-access-list <num>] | [community-list <num> | [detail <option>] | [filter-list <num, num,...>] | [next-hop <ip-addr>] | [no-best] | [not-installed-best] | [prefix-list <string>] | [regular-expression <regular-expression>] | [route-map <map-name>] | [summary] |...
  • Page 905 Displaying BGP4 information The unreachable option displays the routes that are unreachable because the device does not have a valid RIP, OSPF, or static route to the next hop. Displaying the best BGP4 routes To display all the BGP4 routes in the device’s BGP4 route table that are the best routes to their destinations, enter a command such as the following at any level of the CLI.
  • Page 906 Displaying BGP4 information BigIron RX(config-bgp)# show ip bgp 9.3.4.0 Number of BGP Routes matching display condition : 1 Status codes: s suppressed, d damped, h history, * valid, > best, i internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path...
  • Page 907 Displaying BGP4 information TABLE 126 BGP4 network information (Continued) This field... Displays... Path The route’s AS path. NOTE: This field appears only if you do not enter the route option. Origin code A character the display uses to indicate the route’s origin. The origin code appears to the right of the AS path (Path field).
  • Page 908 Displaying BGP4 information These displays show the following information. TABLE 127 BGP4 route information This field... Displays... Total number of BGP Routes The number of BGP4 routes. Status codes A list of the characters the display uses to indicate the route’s status. The status code appears in the left column of the display, to the left of each route.
  • Page 909: Displaying Bgp4 Route-Attribute Entries

    Displaying BGP4 information TABLE 127 BGP4 route information (Continued) This field... Displays... Origin The source of the route information. The origin can be one of the following: • EGP – The routes with this set of attributes came to BGP through EGP.
  • Page 910 Displaying BGP4 information BigIron RX# show ip bgp attribute-entries Total number of BGP Attribute Entries: 7753 Next Hop :192.168.11.1 Metric Origin:IGP Originator:0.0.0.0 Cluster List:None Aggregator:AS Number :0 Router-ID:0.0.0.0 Atomic:FALSE Local Pref:100 Communities:Internet AS Path :(65002) 65001 4355 2548 3561 5400 6669 5548 Next Hop :192.168.11.1 Metric...
  • Page 911: Displaying Route Flap Dampening Statistics

    Displaying BGP4 information TABLE 128 BGP4 route-attribute entries information (Continued) This field... Displays... Communities The communities that routes with this set of attributes are in. AS Path The ASs through which routes with this set of attributes have passed. The local AS is shown in parentheses. Displaying the routes BGP4 has placed in the IP route table The IP route table indicates the routes it has received from BGP4 by listing “BGP”...
  • Page 912: Displaying The Active Route Map Configuration

    Displaying BGP4 information The <address> <mask> parameter specifies a particular route. If you also use the optional longer-prefixes parameter, then all statistics for routes that match the specified route or have a longer prefix than the specified route are displayed. For example, if you specify 209.157.0.0 longer, then all routes with the prefix 209.157 or that have a longer prefix (such as 209.157.22) are displayed.
  • Page 913 Displaying BGP4 information match address-filters 11 set community 11:12 no-export route-map permit1122 permit 12 match ip address 11 route-map permit1122 permit 13 match ip address std_22 This example shows that the running configuration contains six route maps. Notice that the match and set statements within each route map are listed beneath the command for the route map itself.
  • Page 914 Displaying BGP4 information NOTE After configuring BGP graceful restart, you must reset the neighbor session, whether or not it is currently up, for graceful restart to take effect. Use the clear ip bgp neighbor command to clear and re-establish neighbor sessions. Configuring BGP graceful restart on a router Use the following command to enable the BGP graceful restart feature on a BigIron RX Switch.
  • Page 915 Displaying BGP4 information Router 1 BigIron RX(config)#router bgp BigIron RX(config-bgp)#local-as 100 BigIron RX(config-bgp)#graceful-restart BigIron RX(config-bgp)#neighbor 12.2.0.14 remote-as 200 BigIron RX(config-bgp)#write memory Router 2 BigIron RX(config)#router bgp BigIron RX(config-bgp)#local-as 200 BigIron RX(config-bgp)#graceful-restart BigIron RX(config-bgp)#neighbor 12.1.0.14 remote-as 100 BigIron RX(config-bgp)#neighbor 12.3.0.14 remote-as 300 BigIron RX(config-bgp)#write memory Router 3 BigIron RX(config)#router bgp...
  • Page 916: Generalized Ttl Security Mechanism Support

    Generalized TTL security mechanism support BigIron RX# show ip bgp neighbor 11.11.11.2 1 IP Address: 11.11.11.2, Remote AS: 101 (EBGP), RouterID: 101.101.101.1 Local AS: 200 State: ESTABLISHED, Time: 0h18m15s, KeepAliveTime: 60, HoldTime: 180 KeepAliveTimer Expire in 44 seconds, HoldTimer Expire in 167 seconds RefreshCapability: Received GracefulRestartCapability: Received Restart Time 120 sec, Restart bit 0...
  • Page 917 Generalized TTL security mechanism support Syntax: [no] neighbor <ip-addr> | <peer-group-name> ebgp-btsh NOTE For GTSM protection to work properly, it must be enabled on both the Brocade device and the neighbor. BigIron RX Series Configuration Guide 53-1001986-01...
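The check that ebgp-btsh turns on, as an added Python example (not code from the guide, and not a description of the device's implementation). GTSM (RFC 5082) relies on the fact that a router's own packets leave with TTL 255 and lose exactly one per hop, so a segment from a directly connected neighbor must arrive with TTL 255 and one from a neighbor N hops away with at least 255 - (N - 1); anything lower was forwarded further than the real peer could be and is dropped before BGP sees it. The neighbor table and packets are constructed for illustration. The last sample packet shows why the note above says both sides must enable it: a neighbor without GTSM sends ordinary EBGP packets with TTL 1, which this check rejects, so the session never comes up.

```python
# Constructed neighbor table (not from the guide): address -> GTSM flag and hop count.
NEIGHBORS = {
    "11.11.11.2": {"ebgp_btsh": True, "hops": 1},    # directly connected, GTSM on
    "10.4.0.2":   {"ebgp_btsh": True, "hops": 3},    # multihop EBGP, GTSM on
    "10.10.10.1": {"ebgp_btsh": False, "hops": 1},   # legacy neighbor, no GTSM
}

def min_accepted_ttl(hops):
    """A packet that truly travelled 'hops' routers arrives with 255 - (hops - 1)."""
    return 255 - (hops - 1)

def sending_ttl(neighbor, neighbors=NEIGHBORS):
    """TTL we put on our own packets: 255 with GTSM, otherwise just the hop count."""
    n = neighbors[neighbor]
    return 255 if n["ebgp_btsh"] else n["hops"]

def accept_bgp_packet(src, ttl, neighbors=NEIGHBORS):
    """Decide whether an inbound BGP segment passes the neighbor's TTL check."""
    n = neighbors.get(src)
    if n is None:
        return False                          # not a configured neighbor at all
    if not n["ebgp_btsh"]:
        return ttl >= 1                       # no GTSM: any deliverable packet is accepted
    return ttl >= min_accepted_ttl(n["hops"])

def evaluate(packets, neighbors=NEIGHBORS):
    """Annotate (src, ttl) pairs with the accept/reject decision."""
    return [(src, ttl, accept_bgp_packet(src, ttl, neighbors)) for src, ttl in packets]

# Constructed sample traffic (not from the guide).
SAMPLE_PACKETS = [
    ("11.11.11.2", 255),   # genuine directly connected neighbor
    ("11.11.11.2", 250),   # spoofed source address from about six hops away
    ("10.4.0.2", 253),     # genuine three-hop neighbor
    ("10.4.0.2", 252),     # one hop too far for a three-hop neighbor
    ("10.10.10.1", 64),    # neighbor without GTSM: accepted regardless of TTL
    ("11.11.11.2", 1),     # neighbor that did not enable GTSM: rejected, session fails
]
```

The multihop case shows the trade-off: each extra configured hop widens the accepted TTL window by one, so an attacker that close to the peer is no longer excluded.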
  • Page 919: Configuring Mbgp

    Chapter Configuring MBGP This chapter provides details on how to configure Multi-protocol Border Gateway Protocol (MBGP). MBGP is an extension to BGP that allows a router to support separate unicast and multicast topologies. BGP4 cannot support a multicast network topology that differs from the network’s unicast topology.
  • Page 920: Configuring Mbgp

    Configuration considerations Configuration considerations • MBGP does not redistribute DVMRP routes. It redistributes static routes only. • You cannot redistribute MBGP routes into BGP4. • The BigIron RX supports 8192 multicast routes by default. You may need to increase the maximum number of multicast routes for MBGP.
  • Page 921: Enabling Mbgp

    Configuring MBGP Enabling MBGP To enable MBGP4, you must enable PIM SM or DM and BGP4. Enter commands such as the following. BigIron RX> enable BigIron RX# configure terminal BigIron RX(config)# router pim BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-1/1)# ip address 1.1.1.1/24 BigIron RX(config-if-1/1)# ip pim BigIron RX(config-if-1/1)# exit BigIron RX(config)# router bgp...
  • Page 922: Optional Configuration Tasks

    Configuring MBGP [password [0 | 1] <string>] [prefix-list <string> in | out] [remote-as <as-number>] [remove-private-as] [route-map in | out <map-name>] [route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive <num> hold-time <num>] [update-source loopback <num>] [weight <num>] The <ip-addr> | <peer-group-name> parameter indicates whether you are configuring an individual neighbor or a peer group.
  • Page 923 Configuring MBGP Configuring a network prefix to advertise By default, the BigIron RX advertises MBGP routes only for the networks you identify using the network command or that are redistributed into MBGP from IP multicast route tables. NOTE The exact route must exist in the IP multicast route table so that the device can create a local MBGP route.
  • Page 924 Configuring MBGP NOTE The route map you specify must already be configured. Configuring static IP multicast routes To configure static IP multicast routes, enter commands such as the following. BigIron RX(config)# ip mroute 207.95.10.0 255.255.255.0 interface ethernet 1/2 BigIron RX(config)# ip mroute 0.0.0.0 0.0.0.0 interface ethernet 2/3 The commands in this example configure two static multicast routes.
  • Page 925: Displaying Mbgp Information

    Displaying MBGP information The <ip-addr> and <ip-mask> parameters specify the aggregate value for the networks. The as-set parameter causes the router to aggregate AS-path information for all the routes in the aggregate address into a single AS-path. The summary-only parameter prevents the router from advertising more specific routes contained within the aggregate route.
  • Page 926: Displaying The Active Mbgp Configuration

    Displaying MBGP information BigIron RX# show ip mbgp summary BGP4 Summary Router ID: 9.9.9.1 Local AS Number : 200 Confederation Identifier : not configured Confederation Peers: Maximum Number of Paths Supported for Load Sharing : 1 Number of Neighbors Configured : 1, UP: 1 Number of Routes Installed : 5677 Number of Routes Advertising to All Neighbors : 5673 Number of Attribute Entries Installed : 3...
  • Page 927: Displaying Mbgp Neighbors

    Displaying MBGP information Displaying MBGP neighbors To view MBGP neighbor information including the values for all the configured parameters, enter the following command. This display is similar to the show ip bgp neighbor display but has additional fields that apply only to MBGP. These fields are shown in bold type in the example and are explained below.
  • Page 928: Displaying Mbgp Routes

    Displaying MBGP information The <ip-addr> parameter specifies the neighbor’s IP address. Displaying MBGP routes To display the MBGP route table, enter the following command. BigIron RX#show ip mbgp route Total number of BGP Routes: 2 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE Prefix Next Hop...
  • Page 929: Relationship To Ip Route Table

    Chapter Configuring IS-IS (IPv4) The Intermediate System to Intermediate System (IS-IS) protocol is a link-state Interior Gateway Protocol (IGP) based on the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Open Systems Interconnection (OSI) model. In IS-IS, an intermediate system (router) is designated as either a Level 1 or Level 2 router.
  • Page 930: Intermediate Systems And End Systems

    Configuring IS-IS (IPv4) • If the path provided by IS-IS has the lowest administrative distance, then the CPU places that IS-IS path in the IP route table. • If a path to the same destination supplied by another protocol has a lower administrative distance, the CPU installs the other protocol’s path in the IP route table instead.
  • Page 931: Domain And Areas

    Configuring IS-IS (IPv4) NOTE Since the Brocade implementation of IS-IS does not route OSI traffic but instead routes IP traffic, IP hosts are shown instead of ESs. The other basic IS-IS concepts illustrated in this figure are explained in the following sections. Domain and areas IS-IS is an IGP, and thus applies only to routes within a single routing domain.
  • Page 932 Configuring IS-IS (IPv4) The Designated IS is elected based on the priority of each IS in the broadcast network. When an IS becomes operational, it sends a Level-1 or Level-2 Hello PDU to advertise itself to other ISs. If the IS is configured to be both a Level-1 and a Level-2 IS, the IS sends a separate advertisement for each level.
  • Page 933: Is-Is Cli Levels

    IS-IS CLI levels Route calculation and selection Each IS (not only the Designated IS) runs a Shortest Path First (SPF) algorithm over its own link-state database to calculate paths to destination ISs and ESs. The SPF algorithm takes the Link State PDUs (LSPDUs) received from other ISs as input and produces the paths as output.
  • Page 934: Address Family Configuration Level

    IS-IS CLI levels BigIron RX(config)#router isis BigIron RX(config-isis-router)# Syntax: [no] router isis The (config-isis-router)# prompt indicates that you are at the global level for IS-IS. Configurations you enter at this level apply to both IS-IS IPv4 and IS-IS IPv6. Address family configuration level The BigIron RX implementation of IS-IS includes the address family configuration level.
  • Page 935: Configuring Ipv4 Is-Is

    Configuring IPv4 IS-IS Configuring IPv4 IS-IS Enabling IS-IS globally To configure IPv4 IS-IS, do the following. 1. Globally enable IS-IS by entering the following command. BigIron RX(config)# router isis ISIS: Please configure NET! Once you enter router isis, the device enters the IS-IS router configuration level. Syntax: [no] router isis To disable IS-IS, use the no form of this command.
  • Page 936: Globally Configuring Is-Is On A Device

    Globally configuring IS-IS on a device • Change the default metric. • Add, change, or negate route redistribution parameters. Some IS-IS parameter changes take effect immediately while others do not take full effect until you disable, then re-enable route redistribution. Globally configuring IS-IS on a device This section describes how to change the global IS-IS parameters.
  • Page 937: Configuring Authentication

    Globally configuring IS-IS on a device The on-startup <secs> parameter specifies the number of seconds following a reload to set the overload bit on. You can specify 0 or a number from 5 – 86400 (24 hours). The default is 0, which means the device starts performing IS-IS routing immediately following a successful software reload.
  • Page 938: Changing The Is-Is Level Globally

    Globally configuring IS-IS on a device Changing the IS-IS Level globally By default, a BigIron RX can operate as both a Level-1 and IS-IS Level-2 router. To globally change the level supported from Level-1 and Level-2 to Level-1 only, enter the following command. BigIron RX(config-isis-router)# is-type level-1 Syntax: [no] is-type level-1 | level-1-2 | level-2 The level-1 | level-1-2 | level-2 parameter specifies the IS-IS type.
  • Page 939: Changing The Maximum Lsp Lifetime

    Globally configuring IS-IS on a device BigIron RX(config-isis-router)# csnp-interval 15 Syntax: [no] csnp-interval <secs> The <secs> parameter specifies the interval and can be from 0 – 65535 seconds. The default is 10 seconds. NOTE Although the command name is csnp-interval, the interval also applies to PSNPs. Changing the maximum LSP lifetime The maximum LSP lifetime is the maximum number of seconds an un-refreshed LSP can remain in the device’s LSP database.
  • Page 940: Changing The Lsp Interval And Retransmit Interval

    Globally configuring IS-IS on a device The <secs> parameter specifies the minimum refresh interval and can be from 1 – 120 seconds. The default is 10 seconds. Changing the LSP interval and retransmit interval The LSP interval is the rate, in milliseconds, at which the device transmits LSPs. The retransmit interval is the time the device waits before it retransmits LSPs.
  • Page 941: Logging Adjacency Changes

    Globally configuring IS-IS on a device The padding consists of arbitrarily valued octets. A padded hello PDU indicates the largest PDU that the device can receive. Other ISs that receive a padded hello PDU from the device can therefore ensure that the IS-IS PDUs they send to the device do not exceed that size. Similarly, if the device receives a padded hello PDU from a neighbor IS, the device knows the maximum size PDU that it can send to the neighbor.
  • Page 942: Configuring Ipv4 Address Family Route Parameters

    Configuring IPv4 address family route parameters Configuring IPv4 address family route parameters This section describes how to modify the IS-IS parameters for the IS-IS IPv4 unicast address family. To enter the IPv4 unicast address family, refer to “Address family configuration level” on page 862.
  • Page 943: Changing The Administrative Distance For Ipv4 Is-Is

    Configuring IPv4 address family route parameters NOTE This feature requires the presence of a default route in the IPv4 route table. To enable the device to advertise a default route originated at Level 2, enter the following command at the IPv4 IS-IS unicast address family configuration level. BigIron RX(config-isis-router-ipv4u)# default-information-originate This command enables the device to advertise a default route into the IPv4 IS-IS area to which the device is attached.
  • Page 944: Configuring Summary Addresses

    Configuring IPv4 address family route parameters For example, if the router has a path from RIP, from OSPF, and IPv4 IS-IS to the same destination, and all the paths are using their protocols’ default administrative distances, the router selects the OSPF path, because that path has a lower administrative distance than the RIP and IPv4 IS-IS paths.
  • Page 945: Redistributing Routes Into Ipv4 Is-Is

    Configuring IPv4 address family route parameters The level-1 | level-1-2 | level-2 parameter specifies the route types to which the aggregate route applies. The default is level-2. Redistributing routes into IPv4 IS-IS To redistribute routes into IPv4 IS-IS, you can perform the following configuration tasks: •...
  • Page 946: Redistributing Static Ipv4 Routes Into Ipv4 Is-Is

    Configuring IPv4 address family route parameters The <value> parameter specifies the default metric. You can specify a value from 0 – 65535. The default is 0. To restore the default value for the default metric, enter the no form of this command. Redistributing static IPv4 routes into IPv4 IS-IS To redistribute static IPv4 routes from the IPv4 static route table into IPv4 IS-IS routes, enter the following command at the IPv4 IS-IS unicast address family configuration level.
  • Page 947: Redistributing Rip Routes Into Ipv4 Is-Is

    Configuring IPv4 address family route parameters Redistributing RIP routes into IPv4 IS-IS To redistribute RIP routes into IPv4 IS-IS, enter the following command at the IPv4 IS-IS unicast address family configuration level. BigIron RX(config-isis-router-ipv4u)# redistribute rip This command configures the device to redistribute all RIP routes into Level-2 IS-IS. Syntax: [no] redistribute rip [level-1 | level-1-2 | level-2] | metric <number>...
  • Page 948: Redistributing Ipv4 Is-Is Routes Within Ipv4 Is-Is

    Configuring ISIS properties on an interface Redistributing IPv4 IS-IS routes within IPv4 IS-IS In addition to redistributing routes from other route sources into IPv4 IS-IS, the BigIron RX can redistribute Level 1 IPv4 IS-IS routes into Level 2 IPv4 IS-IS routes, and Level 2 IPv4 IS-IS routes into Level 1 IPv4 IS-IS routes.
  • Page 949: Setting The Priority For Designated Is Election

    Configuring ISIS properties on an interface NOTE The BigIron RX advertises an IS-IS interface to its area regardless of whether adjacency formation is enabled. To disable IS-IS adjacency formation on an interface, enter commands such as the following. BigIron RX(config)# interface ethernet 2/8 BigIron RX(config-if-e1000-2/8)# isis passive This command disables IS-IS adjacency formation on port 2/8.
  • Page 950: Changing The Is-Is Level On An Interface

    Configuring ISIS properties on an interface The <string> parameter specifies the password. You can enter an alphanumeric string up to 80 characters long. The password can contain blank spaces. If you use a blank space in the password, you must use quotation marks (“ “) around the entire password; for example, isis password “admin 2”.
  • Page 951: Changing The Hello Multiplier

    Configuring ISIS properties on an interface The <num> parameter specifies the interval, and can be from 1 – 65535 seconds. The default is 10 seconds. The level-1 | level-2 parameter applies the change to only the level you specify. If you do not use this parameter, the change applies to both levels.
  • Page 952: Displaying Ipv4 Is-Is Information

    Displaying IPv4 IS-IS information The level-1 | level-2 parameter applies the change to only the level you specify. If you do not use this parameter, the change applies to both levels. Displaying IPv4 IS-IS information You can display the following information: •...
  • Page 953: Displaying Neighbor Information

    Displaying IPv4 IS-IS information BigIron RX# show isis hostname Total number of entries in IS-IS Hostname Table: 1 System ID Hostname * = local IS * bbbb.cccc.dddd Syntax: show isis hostname The table in this example contains one mapping, for this device. The device’s IS-IS system ID is “bbbb.cccc.dddd“...
  • Page 954: Displaying Is-Is Syslog Messages

    Displaying IPv4 IS-IS information TABLE 132 IS-IS neighbor information (Continued) This field... Displays... Type The IS-IS type of the adjacency. The type can be one of the following: • ISL1 – Level-1 IS • ISL2 – Level-2 IS • ES – ES NOTE: The device forms a separate adjacency for each IS-IS type.
  • Page 955: Displaying Interface Information

    Displaying IPv4 IS-IS information TABLE 133 IS-IS Syslog messages Message level Message Explanation Alert ISIS MEMORY USE EXCEEDED IS-IS is requesting more memory than is available. Notification ISIS L1 ADJACENCY DOWN <system-id> on The device’s adjacency with this Level-1 IS interface <interface-id>...
  • Page 956 Displaying IPv4 IS-IS information BigIron RX# show isis interface Total number of IS-IS Interfaces: 1 Interface: Eth 7/1 Circuit State: UP Circuit Mode: LEVEL-1-2 Circuit Type: BCAST Passive State: FALSE Circuit Number: 0x01, MTU: 1497 Authentication password: None Level-1 Metric: 10, Level-1 Priority: 64 Level-1 Hello Interval: 10 Level-1 Hello Multiplier: 3 Level-1 Designated IS: RX-01 Level-1 DIS Changes: 8 Level-2 Metric: 10, Level-2 Priority: 64...
  • Page 957 Displaying IPv4 IS-IS information TABLE 134 IS-IS Interface information (Continued) This field... Displays... Passive State The passive state determines whether the interface is allowed to form an IS-IS adjacency with the IS at the other end of the circuit. The state can be one of the following: •...
  • Page 958: Displaying Route Information

    Displaying IPv4 IS-IS information TABLE 134 IS-IS Interface information (Continued) This field... Displays... Bad LSP The number of times the interface received a bad LSP from an IS at the other end of the circuit. The following conditions can cause an LSP to be bad: •...
  • Page 959: Displaying Lsp Database Entries

    Displaying IPv4 IS-IS information TABLE 135 IS-IS route information (Continued) This field... Displays... Cost The IS-IS default metric for the route, which is the cost of using this route to reach the next-hop router to this destination. Type The route type, which can be one of the following: •...
  • Page 960 Displaying IPv4 IS-IS information The <lsp-id> parameter displays summary information about a particular LSP. Specify an LSPID for which you want to display information in HHHH.HHHH.HHHH.HH-HH format, for example, 3333.3333.3333.00-00. You can also enter name.HH-HH, for example, RX.00-00. The detail parameter displays detailed information about the LSPs. Refer to “Displaying detailed information”...
  • Page 961 Displaying IPv4 IS-IS information BigIron RX# show isis database detail IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL RX.00-00* 0x0000000b 0x23fb 1/0/0 Area Address: NLPID: CC(IP) Hostname: Metric: IP-Internal 4.1.1.0/24 Up-bit: 0 Metric: IS RX.01 IS-IS Level-2 Link State Database LSPID LSP Seq Num...
  • Page 962: Displaying Traffic Statistics

    Displaying IPv4 IS-IS information TABLE 137 IS-IS detailed LSP database information (Continued) This field... Displays... IP address The IP address of the interface that sent the LSP. The device can use this address as the next hop in routes to the addresses listed in the rows below.
  • Page 963: Displaying Error Statistics

    Displaying IPv4 IS-IS information TABLE 138 IS-IS traffic statistics This field... Displays... Level-1 Hellos The number of Level-1 hello PDUs sent and received by the device. Level-2 Hellos The number of Level-2 hello PDUs sent and received by the device. Level-1 LSP The number of Level-1 link-state PDUs sent and received by the device.
  • Page 964: Clearing Is-Is Information

    Clearing IS-IS information TABLE 139 IS-IS error statistics (Continued) This field... Displays... LSP Sequence Number Skipped The number of times the device received an LSP with a sequence number that was more than 1 higher than the sequence number of the previous LSP received from the same neighbor.
  • Page 965 Clearing IS-IS information The neighbor parameter closes the device’s adjacencies with its IS-IS neighbors and clears the neighbor statistics. The route [<ip-address> <subnet-mask> | <ip-address>/<prefix> ] parameter clears the IS-IS route table or the specified matching route. The traffic parameter clears the PDU statistics. NOTE The traffic option also clears the values displayed in the show isis interface command’s Control Messages Sent and Control Messages Received fields.
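The two LSP ID forms accepted by show isis database (HHHH.HHHH.HHHH.HH-HH, or name.HH-HH resolved through the IS-IS hostname table) and the "LSP Sequence Number Skipped" error counter both come down to the same parsing and bookkeeping. The following Python is an added example, not code from this guide or from the IronWare software: it parses both LSP ID forms into their system ID, pseudonode ID and fragment number, and classifies each received LSP by its 32-bit sequence number relative to the last copy seen, counting jumps of more than one the way the error statistic does. The hostname table and the LSP stream it is exercised with are constructed.

```python
"""Parse IS-IS LSP IDs in the two forms the show isis database command accepts
(HHHH.HHHH.HHHH.HH-HH or name.HH-HH) and track per-LSP sequence numbers the way
the 'LSP Sequence Number Skipped' error counter does.

Added example, not code from the guide. The hostname table and LSP stream used
at the bottom are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

_SYSID = re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$", re.I)
_LSPID = re.compile(r"^(.+)\.([0-9a-f]{2})-([0-9a-f]{2})$", re.I)


@dataclass(frozen=True)
class LspId:
    system_id: bytes  # 6-byte system ID of the originating IS
    pseudonode: int   # 0 for the IS itself, non-zero for a DIS pseudonode LSP
    fragment: int     # LSP number (fragment) within that source

    def __str__(self) -> str:
        h = self.system_id.hex()
        return f"{h[:4]}.{h[4:8]}.{h[8:]}.{self.pseudonode:02x}-{self.fragment:02x}"


def parse_lspid(text: str, hostnames: Optional[Dict[str, str]] = None) -> LspId:
    """Accept '3333.3333.3333.00-00' or 'RX.00-00' (a trailing '*' marking the
    local IS is ignored); names are resolved through the IS-IS hostname table,
    given here as a dict of hostname -> dotted system ID."""
    m = _LSPID.match(text.strip().rstrip("*"))
    if not m:
        raise ValueError(f"not an LSP ID: {text!r}")
    source, pn, frag = m.groups()
    if not _SYSID.match(source):
        if not hostnames or source not in hostnames:
            raise ValueError(f"unknown hostname {source!r}")
        source = hostnames[source]
    sysid = bytes.fromhex(source.replace(".", ""))
    return LspId(sysid, int(pn, 16), int(frag, 16))


class LspTracker:
    """Classify each received LSP by its 32-bit sequence number relative to the
    last one seen for the same LSP ID, mirroring the error-statistics counter."""

    def __init__(self) -> None:
        self.last_seq: Dict[str, int] = {}
        self.sequence_skipped = 0

    def observe(self, lspid: LspId, seq: int) -> str:
        if not 0 <= seq <= 0xFFFFFFFF:
            raise ValueError("LSP sequence numbers are 32-bit")
        key = str(lspid)
        prev = self.last_seq.get(key)
        if prev is None:
            verdict = "new"
        elif seq == prev:
            verdict = "duplicate"
        elif seq < prev:
            verdict = "old"        # stale copy; our newer LSP should be sent back
        elif seq == prev + 1:
            verdict = "refresh"
        else:
            verdict = "skipped"    # jump of more than one: counted as an error
            self.sequence_skipped += 1
        if prev is None or seq > prev:
            self.last_seq[key] = seq
        return verdict


if __name__ == "__main__":
    hosts = {"RX": "bbbb.cccc.dddd"}            # constructed hostname table
    tracker = LspTracker()
    own = parse_lspid("RX.00-00*", hosts)
    for seq in (0xB, 0xC, 0x10, 0xF):            # constructed sequence of receipts
        print(own, hex(seq), tracker.observe(own, seq))
    print("sequence numbers skipped:", tracker.sequence_skipped)
```

A sudden jump of several sequence numbers from one neighbor is usually a restart of that IS, but it is also what an injected LSP with a high sequence number looks like, which is why it is worth counting separately from ordinary refreshes.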
  • Page 966 Clearing IS-IS information BigIron RX Series Configuration Guide 53-1001986-01...
  • Page 967 Chapter BiDirectional Forwarding Detection (BFD) The BigIron RX supports Bidirectional Forwarding Detection (BFD) as of Version 02.6.00 of the Multi-Service IronWare software. BFD defines a method for rapidly detecting the failure of a forwarding path by checking that the next-hop router is alive. Without BFD, detecting that a neighboring router is no longer operational can take from 3 to 30 seconds, during which packets are lost because of stale routing information, a level unacceptable for real-time applications such as VoIP and video over IP.
  • Page 968: Configuring Bfd Parameters

    Configuring BFD parameters Configuring BFD parameters When you configure BFD you must set timing and interval parameters. These are configured on each interface. When BFD is configured on two adjacent interfaces, they negotiate the conditions for determining whether the connection between them is still active. The following command is used to set the BFD parameters.
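The negotiation described above follows RFC 5880: each end advertises a desired minimum transmit interval, a required minimum receive interval and a detect multiplier; a sender may never transmit faster than its peer can receive, and each side declares the session down after the peer's multiplier times the interval the peer is actually sending at. The following Python is an added example, not code from this guide or from the IronWare software, showing how the two sides' parameters combine into the effective transmit intervals and detection times, and replaying a constructed set of receive timestamps to show when a failure would be declared. All timer values are constructed.

```python
"""BFD timer negotiation and detection time (RFC 5880, asynchronous mode).

Added example: the timer values below are constructed, not taken from a device."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BfdTimers:
    """What one end advertises in its control packets, in milliseconds."""
    min_tx: int      # Desired Min TX Interval
    min_rx: int      # Required Min RX Interval
    multiplier: int  # Detect Mult


def transmit_interval(sender: BfdTimers, receiver: BfdTimers) -> int:
    """Rate at which `sender` actually transmits: it may not send faster than the
    receiver can accept, so the slower of the two intervals wins (RFC 5880 6.8.7)."""
    return max(sender.min_tx, receiver.min_rx)


def detection_time(local: BfdTimers, remote: BfdTimers) -> int:
    """Milliseconds of silence after which `local` declares the session Down:
    the remote's Detect Mult times the interval the remote is sending at."""
    return remote.multiplier * transmit_interval(remote, local)


def time_of_failure_detection(local: BfdTimers, remote: BfdTimers,
                              rx_times_ms: List[int]) -> Optional[int]:
    """Replay the timestamps at which `local` received control packets and return
    the instant the detection timer would expire, or None if the session stayed up."""
    if not rx_times_ms:
        return None
    limit = detection_time(local, remote)
    last = rx_times_ms[0]
    for t in rx_times_ms[1:]:
        if t - last > limit:
            return last + limit
        last = t
    return None


if __name__ == "__main__":
    a = BfdTimers(min_tx=50, min_rx=100, multiplier=3)    # constructed
    b = BfdTimers(min_tx=300, min_rx=50, multiplier=5)    # constructed
    print("A sends every", transmit_interval(a, b), "ms; B sends every",
          transmit_interval(b, a), "ms")
    print("A detects a dead B in", detection_time(a, b), "ms; B detects a dead A in",
          detection_time(b, a), "ms (versus 3 to 30 s without BFD)")
    print("A declares Down at t =", time_of_failure_detection(a, b, [0, 300, 600, 900, 3000]))
```

Note the asymmetry: because B is slow to send, A needs 1500 ms to notice B's silence while B notices A's silence in 150 ms; lowering one side's timers alone does not shorten detection on the other side.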
  • Page 969: Displaying Bidirectional Forwarding Detection Information

    Displaying Bidirectional Forwarding Detection information Displaying Bidirectional Forwarding Detection information You can display Bidirectional Forwarding Detection (BFD) information for the router you are logged-in to and for BFD configured neighbors as described in the following sections. Displaying BFD information on a router The following example illustrates the output from the show bfd command.
  • Page 970 Displaying Bidirectional Forwarding Detection information TABLE 140 Display of BFD information (Continued) This field... Displays... BFD Enabled ports count The number of ports on the router that have been enabled for BFD. Port The port that BFD is enabled on. MinTx The interval in milliseconds between which the router desires to send a BFD message from this port to its peer.
  • Page 971 Displaying Bidirectional Forwarding Detection information TABLE 142 Display of BFD information This field... Displays... Total number of Neighbor entries The number of neighbors that have established BFD sessions with ports on this router. NeighborAddress The IPv4 or IPv6 address of the remote peer. State The current state of the BFD session.
  • Page 972 Displaying Bidirectional Forwarding Detection information TABLE 143 Display of BFD neighbor detail information (Continued) This field... Displays... Interval The interval at which the local router sends BFD messages to the remote peer. Heard from remote. Registered Protocols Specifies which protocols are registered to use BFD on this port. Local Disc Value of the “local discriminator”...
  • Page 973: Clearing Bfd Neighbor Sessions

    Configuring BFD for the specified protocol TABLE 143 Display of BFD neighbor detail information (Continued) This field... Displays... LastSessionDownTimestamp The system time at which the session last transitioned from the UP state to some other state. Physical Port The physical port on which the peer is known. Vlan Id The VLAN ID of the VLAN that the physical port is resident on.
  • Page 974: Configuring Bfd For Ospfv3

    Configuring BFD for the specified protocol Enabling or disabling BFD for OSPFv2 for a specific interface You can selectively enable or disable BFD on any OSPFv2 interface as shown in the following. BigIron RX(config-if-e1000-3/1)# ip ospf bfd Syntax: ip ospf bfd [disable] The disable option disables BFD for OSPFv2 on the interface.
  • Page 975 Configuring BFD for the specified protocol Enabling or disabling BFD for IS-IS for a specific interface You can selectively enable or disable BFD on any IS-IS interface as shown in the following. BigIron RX(config-if-e1000-3/1)# isis bfd Syntax: isis bfd [disable] The disable option disables BFD for IS-IS on the interface.
  • Page 977: Overview Of Secure Shell (Ssh)

    Chapter Configuring Secure Shell Overview of Secure Shell (SSH) Secure Shell (SSH) is a mechanism for allowing secure remote access to management functions on a BigIron RX. SSH provides a function similar to Telnet. Users can log into and configure the device using a publicly or commercially available SSH client program, just as they can with Telnet.
  • Page 978: Supported Features

    Configuring SSH • Van Dyke SecureCRT 4.0 and 4.1 • F-Secure SSH Client 5.3 and 6.0 • PuTTY 0.54 and 0.56 • OpenSSH 3.5_p1 and 3.6.1p2 • Solaris Sun-SSH-1.0 Supported features The SSH server allows secure remote access to management functions on a device. SSH provides a function that is similar to Telnet, but unlike Telnet, SSH provides a secure, encrypted connection.
  • Page 979: Generating A Host Key Pair

    Configuring SSH 1. Generate a host DSA public and private key pair for the device. 2. Configure DSA challenge-response authentication. 3. Set optional parameters. You can also view information about active SSH connections on the device as well as terminate them.
  • Page 980: Configuring Dsa Challenge-Response Authentication

    Configuring SSH Providing the public key to clients If you are using SSH to connect to a device from a UNIX system, you may need to add the device’s public key to a “known hosts” file; for example, $HOME/.ssh/known_hosts. The following is an example of an entry in a known hosts file.
  • Page 981 Configuring SSH ---- BEGIN SSH2 PUBLIC KEY ---- Comment: DSA Public Key AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET W6ToHv8D1UJ/ z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH YI14Om 1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY+KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO+JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5 sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV ---- END SSH2 PUBLIC KEY ---- You can import the authorized public keys into the active configuration by loading them from a file on a TFTP server; the keys are then saved on the EEPROM of the chassis.
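The key block above is in the RFC 4716 "SSH2 PUBLIC KEY" format, while the known_hosts entry mentioned on the previous page is OpenSSH's one-line form; both wrap the same base64 wire blob, which for a DSA key holds the type string "ssh-dss" followed by the mpints p, q, g and y. The following Python is an added example, not code from this guide or from the IronWare software: it converts between the two formats, decodes the blob, and computes the SHA256 fingerprint an operator would compare out of band before accepting the device's host key. The DSA parameters it uses are tiny constructed values so that it runs offline; they are not a usable key. The strict base64 check matters in practice: a wrapped key pasted with stray spaces in it (as the copy above has) should be rejected rather than silently truncated.

```python
"""Convert between the RFC 4716 '---- BEGIN SSH2 PUBLIC KEY ----' format the
guide shows and the one-line form OpenSSH uses in known_hosts/authorized_keys,
and decode the ssh-dss wire blob inside. Added example, not code from the
guide; the DSA parameters below are tiny constructed values, not a usable key."""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint': two's-complement big-endian, so a leading 0x00 byte is
    added when the top bit of the magnitude is set."""
    if n < 0:
        raise ValueError("negative mpint not supported")
    raw = b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _string(raw)


def build_dss_blob(p: int, q: int, g: int, y: int) -> bytes:
    """Wire form of an ssh-dss public key (RFC 4253 6.6)."""
    return _string(b"ssh-dss") + b"".join(_mpint(v) for v in (p, q, g, y))


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def parse_blob(blob: bytes) -> Tuple[str, List[int]]:
    """Return (key type, integer fields); for ssh-dss the fields are [p, q, g, y]."""
    ktype, off = _read_string(blob, 0)
    fields = []
    while off < len(blob):
        raw, off = _read_string(blob, off)
        fields.append(int.from_bytes(raw, "big"))
    return ktype.decode("ascii"), fields


def to_rfc4716(blob: bytes, comment: str) -> str:
    b64 = base64.b64encode(blob).decode("ascii")
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, f"Comment: {comment}"] + body + [END]) + "\n"


def from_rfc4716(text: str) -> Tuple[bytes, Dict[str, str]]:
    """Strict parse: the markers must be present and the body must be valid
    base64 (validate=True rejects stray characters such as spaces)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 markers")
    headers: Dict[str, str] = {}
    body: List[str] = []
    for ln in lines[1:-1]:
        if ":" in ln and not body:          # header lines precede the body
            key, _, value = ln.partition(":")
            headers[key.strip()] = value.strip()
        else:
            body.append(ln)
    return base64.b64decode("".join(body), validate=True), headers


def to_openssh(blob: bytes, comment: str = "") -> str:
    ktype, _ = parse_blob(blob)
    return f"{ktype} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


def known_hosts_line(host: str, blob: bytes) -> str:
    """Entry for $HOME/.ssh/known_hosts pinning this device's host key."""
    return f"{host} {to_openssh(blob)}"


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of the wire blob, for out-of-band checks."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# Constructed toy parameters (far too small for real use) so the example runs offline.
DEMO_P, DEMO_Q, DEMO_G, DEMO_Y = 0xE93D54A1C3F7, 0x8B3F, 0x2A47D19B, 0x91C2E05F8D21
DEMO_BLOB = build_dss_blob(DEMO_P, DEMO_Q, DEMO_G, DEMO_Y)

if __name__ == "__main__":
    text = to_rfc4716(DEMO_BLOB, "DSA Public Key")
    print(text)
    print(known_hosts_line("192.168.144.1", from_rfc4716(text)[0]))   # constructed address
    print(fingerprint(DEMO_BLOB))
```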
  • Page 982: Setting The Number Of Ssh Authentication Retries

    Configuring SSH BigIron RX# show ip client-pub-key ---- BEGIN SSH2 PUBLIC KEY ---- Comment: DSA Public Key AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET W6ToHv8D1UJ/ z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH YI14Om 1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY+KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO+JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5 sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV ---- END SSH2 PUBLIC KEY ---- Syntax: show ip client-pub-key [| begin<expression> | exclude <expression> | include <expression>] To clear the public keys from the buffers, enter the following command.
  • Page 983: Enabling Empty Password Logins

    Configuring SSH With DSA challenge-response authentication, a collection of clients’ public keys are stored on the device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH. With password authentication, users are prompted for a password when they attempt to log into the device (provided empty password logins are not allowed;...
  • Page 984 Configuring SSH Setting the SSH login timeout value When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects.
  • Page 985: Disabling 3-Des

    Displaying SSH connection information Filtering SSH access using ACLs You can permit or deny SSH access to the device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL or a named standard IPv4 ACL. Then enter the following command.
  • Page 986: Using Secure Copy

    Using secure copy BigIron RX#show who Console connections: established, monitor enabled, in config mode 2 minutes 17 seconds in idle Telnet connections (inbound): 1 closed 2 closed 3 closed 4 closed 5 closed Telnet connection (outbound): 6 closed SSH connections: 1 established, client ip address 192.168.144.241, user is hanuma 1 minutes 16 seconds in idle 2 established, client ip address 192.168.144.241, user is Mikaila...
  • Page 987 Using secure copy NOTE When using SCP, you enter the scp commands on the SCP-enabled client, rather than the console on the device. NOTE Certain SCP client options, including -p and -r, are ignored by the SCP server on the device. If an option is ignored, the client is notified.
  • Page 989: How Multi-Device Port Authentication Works

    Chapter Configuring Multi-Device Port Authentication How multi-device port authentication works Multi-device port authentication is a way to configure a BigIron RX to forward or block traffic from a MAC address based on information received from a RADIUS server. Multi-device port authentication is supported in the device software release 02.2.01 and later.
  • Page 990: Authentication-Failure Actions

    How multi-device port authentication works Authentication-failure actions If the MAC address does not match the username and password of an entry in the users database on the RADIUS server, then the RADIUS server returns an Access-Reject message. When this happens, it is considered an authentication failure for the MAC address. When an authentication failure occurs, the device can either drop traffic from the MAC address in hardware (the default), or move the port on which the traffic was received to a restricted VLAN.
  • Page 991: On An Interface

    Configuring multi-device port authentication Support for authenticating multiple MAC addresses on an interface The multi-device port authentication feature allows multiple MAC addresses to be authenticated or denied authentication on each interface. The maximum number of MAC addresses that can be authenticated on each interface is 256.
  • Page 992: Configuring An Authentication Method List For 802.1X

    Configuring multi-device port authentication You can enable the feature on an interface at the interface CONFIG level. Configuring an authentication method list for 802.1x To use 802.1x port security, you must specify an authentication method to be used to authenticate Clients.
  • Page 993: Specifying The Authentication-Failure Action

    Configuring multi-device port authentication • FilterId (11) – RFC 2865 • Vendor-Specific Attributes (26) – RFC 2865 • Tunnel-Type (64) – RFC 2868 • Tunnel-Medium-Type (65) – RFC 2868 • EAP-Message (79) – RFC 2869 • Tunnel-Private-Group-Id (81) – RFC 2868 Specifying the format of the MAC addresses sent to the RADIUS server When multi-device port authentication is configured, the device authenticates MAC addresses by...
  • Page 994: Defining Mac Address Filters

    Configuring multi-device port authentication BigIron RX(config)# interface e 3/1 BigIron RX(config-if-e100-3/1)# mac-authentication auth-fail-action block-traffic Syntax: [no] mac-authentication auth-fail-action block-traffic Dropping traffic from non-authenticated MAC addresses is the default behavior when multi-device port authentication is enabled. Defining MAC address filters You can specify MAC addresses that do not have to go through multi-device port authentication. These MAC addresses are considered pre-authenticated, and are not subject to RADIUS authentication.
  • Page 995: Specifying To Which Vlan A Port Is Moved After Its Radius-Specified Vlan Assignment Expires

    Configuring multi-device port authentication If a previous authentication attempt for a MAC address failed, and as a result the port was placed in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS Access-Accept message may specify a VLAN for the port. By default, the device moves the port out of the restricted VLAN and into the RADIUS-specified VLAN.
  • Page 996: Configuration File

    Configuring multi-device port authentication BigIron RX(config)# interface e 3/1 BigIron RX(config-if-e100-3/1)# mac-auth move-back-to-old-vlan port-restrict-vlan Syntax: [no] mac-authentication move-back-to-old-vlan disable | port-configured-vlan | port-restrict-vlan | system-default-vlan The disable keyword disables moving the port back to its original VLAN. The port would stay in its RADIUS-assigned VLAN.
  • Page 997: Disabling Aging For Authenticated Mac Addresses

    Configuring multi-device port authentication This command removes the Layer 2 CAM entry created for the specified MAC address. If the device receives traffic from the MAC address again, the MAC address is authenticated again. Disabling aging for authenticated MAC addresses MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no traffic is received from the MAC address for a certain period of time.
  • Page 998: Displaying Multi-Device Port Authentication Information

    Displaying multi-device port authentication information To change the length of the software aging period for blocked MAC addresses, enter a command such as the following. BigIron RX(config)# mac-authentication max-age 180 Syntax: [no] mac-authentication max-age <seconds> You can specify from 1 – 65535 seconds. The default is 120 seconds. Displaying multi-device port authentication information You can display the following information about the multi-device port authentication configuration: •...
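The pages above describe one decision procedure: the MAC is sent to RADIUS as both username and password in the configured format (xxxx.xxxx.xxxx by default), an Access-Accept may carry a VLAN, an Access-Reject triggers the auth-fail-action (drop in hardware by default, or move the port to the restricted VLAN), MAC filters mark addresses as pre-authenticated so they never reach RADIUS, a later successful authentication lifts the port out of the restricted VLAN, and entries age out after max-age. The following Python is an added example, not code from this guide or from the IronWare software, that models that procedure end to end so the interactions can be checked; the RADIUS user database, filter list, ports and frames are constructed. The 256-MAC per-interface limit and the 120-second default max-age are the figures the guide gives; what the device does when the table is full, and any MAC format other than xxxx.xxxx.xxxx, are assumptions.

```python
"""Decision logic of multi-device port authentication as the guide describes it.

Added example, not device code. The RADIUS user database, filter list and
frames below are constructed; the per-port limit of 256 MACs and the 120 s
default max-age are the values the guide states, the behaviour when the table
is full and the non-default MAC formats are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


def format_mac(mac: str, style: str = "xxxx.xxxx.xxxx") -> str:
    """Render a MAC in the username/password format sent to RADIUS: each 'x' in
    the style string takes the next hex digit, other characters are kept."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12 or style.count("x") != 12:
        raise ValueError(f"bad MAC {mac!r} or style {style!r}")
    it = iter(digits)
    return "".join(next(it) if c == "x" else c for c in style)


@dataclass
class Entry:
    verdict: str          # "permit", "restricted" or "deny"
    last_seen: float
    vlan: Optional[int] = None


@dataclass
class Port:
    name: str
    configured_vlan: int
    restrict_vlan: Optional[int] = None
    auth_fail_action: str = "block-traffic"   # default; or "restrict-vlan"
    current_vlan: Optional[int] = None
    in_restricted: bool = False
    entries: Dict[str, Entry] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.current_vlan is None:
            self.current_vlan = self.configured_vlan


class MacAuthSwitch:
    MAX_MACS_PER_PORT = 256

    def __init__(self, radius_users: Dict[str, dict], filters: Iterable[str] = (),
                 max_age: float = 120.0, mac_format: str = "xxxx.xxxx.xxxx") -> None:
        self.radius_users = radius_users      # formatted MAC -> {"password": ..., "vlan": ...}
        self.filters = {format_mac(m, mac_format) for m in filters}
        self.max_age = max_age
        self.mac_format = mac_format
        self.radius_requests = 0

    def _radius(self, username: str) -> Optional[dict]:
        """Stand-in for the Access-Request: Accept only when the user exists and
        its password equals the formatted MAC, otherwise Reject (None)."""
        self.radius_requests += 1
        rec = self.radius_users.get(username)
        return rec if rec and rec.get("password") == username else None

    def frame(self, port: Port, mac: str, now: float) -> str:
        user = format_mac(mac, self.mac_format)
        if user in self.filters:                  # pre-authenticated, never sent to RADIUS
            return "permit"
        entry = port.entries.get(user)
        if entry and now - entry.last_seen > self.max_age:
            del port.entries[user]                # aged out: next frame re-authenticates
            entry = None
        if entry:
            entry.last_seen = now
            return entry.verdict
        if len(port.entries) >= self.MAX_MACS_PER_PORT:
            return "deny"                         # table full (assumed behaviour)
        rec = self._radius(user)
        if rec is not None:                       # Access-Accept
            vlan = rec.get("vlan")                # Tunnel-Private-Group-Id, if present
            if vlan is not None:
                port.current_vlan = vlan          # also lifts the port out of the restricted VLAN
                port.in_restricted = False
            port.entries[user] = Entry("permit", now, vlan)
            return "permit"
        if port.auth_fail_action == "restrict-vlan" and port.restrict_vlan is not None:
            port.current_vlan = port.restrict_vlan
            port.in_restricted = True
            port.entries[user] = Entry("restricted", now, port.restrict_vlan)
            return "restricted"
        port.entries[user] = Entry("deny", now)   # dropped in hardware (default action)
        return "deny"
```

Two points the simulation makes visible: a failed MAC is not re-queried on every frame but only after max-age expires (the cached deny is what protects the RADIUS server from a flood of random source MACs), and with the restrict-vlan action a single unknown MAC moves the whole port, and every other device on it, into the restricted VLAN.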
  • Page 999: Information

    Displaying multi-device port authentication information Displaying multi-device port authentication configuration information To display a summary of multi-device port authentication that have been configured on the device, enter the following command. BigIron RX# show auth-mac configuration Feature enabled : Yes Global Fail-VLAN Id : None Username/Password format : xxxx.xxxx.xxxx...
  • Page 1000 Displaying multi-device port authentication information TABLE 146 Output from the show auth-mac-address configuration command (Continued) This field... Displays... Override Restricted Whether or not a port in a restricted VLAN (due to a failed authentication) is removed from the restricted VLAN on a subsequent successful authentication on the port.