Configuring SSL security for the Web Management Interface ... 82
Enabling the SSL server on the device ... 83
Importing digital certificates and RSA private key files
Configuring an interface as source for all Telnet packets ... 122
Cancelling an outbound Telnet session ... 123
Configuring an interface as the source for all TFTP packets ... 123
Configuring an interface as the source for Syslog packets
Monitoring an individual trunk port ... 147
Mirror ports for Policy-Based Routing (PBR) traffic ... 148
About hardware-based PBR
VLAN configuration rules ... 288
VLAN ID range ... 288
Tagged VLANs
Displaying VLAN information ... 320
Displaying VLAN information ... 320
Displaying VLAN information for specific ports
State machines ... 358
Handshake mechanisms
MRP CLI example ... 413
Commands on switch A (master node)
Displaying topology group information ... 441
Displaying topology group information ... 441
Chapter 17 Configuring VRRP and VRRPE
Overview of VRRP
Chapter 26 Configuring BGP4 (IPv4 and IPv6)
Overview of BGP4 ... 731
Relationship between the BGP4 route table and the IP route table
Configuring BGP4 neighbors ... 761
Removing route dampening from suppressed neighbor routes ... 765
Encryption of BGP4 MD5 authentication keys
Chapter 27 Configuring MBGP
Configuration considerations ... 848
Configuring MBGP ... 848
Setting the maximum number of multicast routes supported
Configuring IPv4 address family route parameters ... 870
Changing the metric style ... 870
Changing the maximum number of load sharing paths
Chapter 30 Configuring Secure Shell
Overview of Secure Shell (SSH) ... 905
SSH version 2 support ... 905
Supported features
Chapter 32 Using the MAC Port Security Feature and Transparent Port Flooding
MAC Port Security ... 931
Violation actions
Configuring 802.1x port security ... 954
Configuring an authentication method list for 802.1x ... 955
Setting RADIUS parameters
Reading CDP packets ... 1010
Enabling interception of CDP packets globally ... 1010
Enabling interception of CDP packets on an interface
Chapter 41 Configuring IP Multicast Traffic Reduction
Enabling IP multicast traffic reduction ... 1046
Changing the IGMP mode ... 1047
Modifying the query interval
Configuring an IPv6 host address for a BigIron RX running a switch image ... 1068
Configuring a global or site-local IPv6 address with a manually configured interface ID as the switch’s system-wide address ... 1068
Configuring a global or site-local IPv6 address with an automatically computed EUI-64 interface ID as the switch’s system-wide address
Clearing global IPv6 information ... 1084
Clearing the IPv6 cache ... 1084
Clearing IPv6 neighbor information
About This Document
Audience
This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network –...
TABLE 1 Supported features (Continued)
Category: Feature description
Management Options: Serial and Telnet access to industry-standard Command Line Interface (CLI); SSHv2; TFTP; Web-based GUI; SNMP versions 1, 2, and 3; IronView Network Manager.
Security: AAA Authentication; Local passwords; RADIUS; Secure Shell (SSH) version 2; Secure Copy (SCP); TACACS and TACACS+...
Rate Limiting: Port-based, port-and-priority based, port-and-vlan-based, and port-and-ACL-based rate limiting on inbound ports are supported.
SuperSpan: A Brocade STP enhancement that allows Service Providers (SPs) to use STP in both SP networks and customer networks.
Topology Groups: A named set of VLANs that share a Layer 2 topology.
What’s new in this document
The following tables provide brief descriptions of the enhancements added in each BigIron RX software release, together with a reference to the specific chapter and section in the BigIron RX Configuration Guide or the Brocade BigIron RX Series Installation Guide that contains a detailed description and operational details for the enhancement.
TABLE 2 Summary of enhancements in release 02.7.03
Enhancement: MAC Port Security. Description: The MAC Port Security feature has been updated for the 02.7.03 release. See: Book: BigIron RX Configuration Guide, Chapter: “Using the MAC Port Security Feature and Transparent Port Flooding”...
Enhancements in release 02.7.01
TABLE 4 Summary of enhancements in release 02.7.01 (Continued)
Network management
Enhancement: 128-bit AES encryption support for SNMP V3. Description: The Advanced Encryption Standard (AES) provides one of the most advanced encryption capabilities available today. See: Book: BigIron RX Series Configuration Guide.
TABLE 5 Summary of enhancements in release 02.7.00 (Continued)
Network management
Enhancement: DHCP Relay Enhancement. Description: Beginning with this release, the IP subnet configured on the port which is directly connected to the device sending a BootP/DHCP request, does... See: Book: BigIron RX Series Configuration Guide, Chapter: “Configuring IP”...
TABLE 6 Summary of enhancements in release 02.6.00 (Continued)
Enhancement: VSRP Fast Start. Description: Non-Brocade or non-VSRP aware devices connected to a VSRP master can now quickly switch over to the new master when a VSRP failover occurs. See: Book: BigIron RX Series Configuration Guide, Chapter: “Virtual Switch...
Enhancement: IGMPv3 and IGMP Snooping. Description: In Release 02.6.00 of the Multi-Service IronWare software, creating an IGMP static-group allows the BigIron RX switch having L2 interfaces configured with snooping to pull traffic from upstream sources... See: Book: BigIron RX Series Configuration Guide, Chapter: “Configuring IP...
Enhancements in patch release 02.5.00c
TABLE 7 Summary of enhancements in release 02.5.00c
Enhancement: Super ACLs. Description: With this patch release, the Multi-Service IronWare software supports Super ACLs that can match on fields in a Layer 2 or Layer 4 packet header. See: Book: BigIron RX Series Configuration Guide.
TABLE 9 Summary of enhancements in release 02.5.00 (Continued)
Enhancement: Static Route ARP Validate Next. Description: Beginning with release 02.5.00, you can configure the BigIron RX to perform validation checks on the destination MAC address, the sender and target IP... See: Book: BigIron RX Series Configuration Guide, Chapter: “Configuring IP”...
Enhancements in release 02.4.00
TABLE 11 Summary of enhancements in release 02.4.00
Enhancement: US Daylight Saving Time scheme. Description: The new Daylight Saving Time (DST) change that went into effect on March 11th, 2007 affects only networks following the US time zones. See: Book: BigIron RX Series Configuration Guide.
TABLE 11 Summary of enhancements in release 02.4.00 (Continued)
Enhancement: New show OSPF neighbor by area command. Description: This feature allows OSPF to display the OSPF neighbors existing in a particular area. See: Book: BigIron RX Series Configuration Guide, Chapter: “Configuring OSPF Version 2 (IPv4)”...
Enhancement: Multicast Boundaries. Description: The Multicast Boundary feature is designed to selectively allow or disallow multicast flows to configured interfaces. See: Book: BigIron RX Series Configuration Guide, Chapter: “Configuring IP Multicast Protocols”...
Enhancement: ACL-Based Mirroring. Description: With this release, the Multi-Service IronWare software supports using an ACL to select traffic for mirroring from one port to another. See: Book: BigIron RX Series Configuration Guide, Chapter: “Access Control List”...
Enhancements in patch release 02.3.00a
TABLE 12 Summary of enhancements in patch release 02.3.00a
Enhancement: Transparent Port Flooding. Description: When the Transparent Port Flooding feature is enabled for a port, all MAC learning will be disabled for that port. See: Book: BigIron RX Series Configuration Guide.
Enhancements in release 02.3.00
System enhancements
TABLE 13 System enhancements
Enhancement: New Hardware Support. Description: The following new hardware is supported with the 02.3.00 software release for the BigIron RX: 10G-XFP-CX4 (part number 10G-XFP-CX4), a new XFP Module available for use in the BigIron RX Series and 10G Interface Modules with the following capabilities: •... See: Book: Brocade BigIron RX Series Installation Guide.
TABLE 13 System enhancements (Continued)
Enhancement: Enhanced Digital Optical Monitoring. Description: You can configure the BigIron RX to monitor XFPs and SFPs in the system either globally or by specified port. See: Book: Brocade BigIron RX Series Installation Guide, Chapter: Connecting a BigIron RX Series Switch to a Network Device, Section: Enhanced Digital...
Layer 3 enhancements
TABLE 15 Layer 3 enhancements
Enhancement: OSPF NBMA. Description: You can configure an interface to send OSPF unicast packets rather than broadcast packets to its neighbor by configuring non-broadcast multi-access (NBMA) networks. See: Book: BigIron RX Series Configuration Guide, Chapter: “Configuring...
Enhancement: Default Originate Route for BGP. Description: In this release, if a default route is not present in the IP routing table, the user can configure a major route to be used for forwarding packets to... See: Book: BigIron RX Series Configuration Guide, Chapter: “Configuring...
TABLE 16 IP multicast enhancements (Continued)
Enhancement: MSDP Mesh Groups. Description: This release supports Multicast Source Discovery Protocol (MSDP) Mesh Groups. This feature allows you to connect several RPs to each other, which reduces the forwarding of... See: Book: BigIron RX Series Configuration Guide, Chapter: “Configuring IP Multicast Protocols”...
TABLE 17 IP service, security, and Layer 4 enhancements (Continued)
Enhancement: Port Security MAC Violation Limit. Description: This feature provides protection against physical link instability. It allows a user to configure it to keep a port in a down state in cases where the port has experienced some... See: Book: BigIron RX Series Configuration Guide, Chapter: “Using the MAC Port Security Feature and...
Layer 2 enhancements
TABLE 20 Layer 2 enhancements
Enhancement: VLAN Byte Accounting. Description: With this release, you can configure a VLAN to account for the number of bytes received by all the member ports. See: Book: BigIron RX Series Configuration Guide.
TABLE 21 Layer 3 enhancements (Continued)
Enhancement: OSPF point-to-point. Description: OSPF point-to-point eliminates the need for Designated and Backup Designated routers, allowing for faster convergence of the network. See: Book: BigIron RX Series Configuration Guide, Chapter: “Configuring OSPF Version 2 (IPv4)”, Section: “OSPF point-to-point links”...
TABLE 23 Security enhancements (Continued)
Enhancement: Port Security MAC Deny. Description: With this release, you can configure deny mac addresses on a global level or on a per port level. See: Book: BigIron RX Series Configuration Guide, Chapter: “Using the MAC Port Security Feature and Transparent Port Flooding”...
Enhancement: Port Security Enhancements. Description: You can specify how many packets from denied MAC addresses can be received on a port in a one-second interval before the BigIron RX shuts the port down. See: Book: BigIron RX Series Configuration Guide, Chapter: “Using the MAC Port Security Feature and Transparent Port Flooding”...
Enhancements in release 02.2.00
TABLE 26 Summary of enhancements in 02.2.00
Enhancement: Quality of Service (QoS) Support. Description: QoS support on the BigIron RX is different than for the BigIron MG8. See: Book: BigIron RX Series Configuration Guide, Chapter: “Configuring Quality of Service”...
Document conventions
This section describes text formatting conventions and important notice formats used in this document.
Text formatting
The narrative-text formatting conventions that are used are as follows:
bold text
Identifies command names
Identifies the names of user-manipulated GUI elements
Identifies keywords
Identifies text to enter at the GUI or CLI
italic text...
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
Web access
The Knowledge Portal (KP) contains the latest version of this guide and other user guides for the product. You can also report errors on the KP. Log in to my.Brocade.com, click the Product Documentation tab, then click on the link to the Knowledge Portal (KP).
lxxii BigIron RX Series Configuration Guide 53-1001986-01...
Logging on through the CLI
On-line help
To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed.
Line editing commands
The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command.
TABLE 27 CLI line-editing commands
Ctrl-key combination...
You reach this level by entering the enable [<password>] or enable <username> <password> command at the User EXEC level.
BigIron RX>enable
BigIron RX>enable user1 mypassword
After entering the enable command, you see the following prompt.
BigIron RX#
The prompt indicates that you are at the Privileged EXEC level. When you are at the Privileged EXEC level, you can enter commands that are available at that level.
CONFIG commands
Trunk level
The trunk level allows you to change parameters for statically-configured trunk groups. You reach this level by entering a trunk command with the appropriate port parameters.
Router RIP level
The RIP level allows you to configure parameters for the RIP routing protocol. You reach this level by entering the router rip command at the global CONFIG level.
Route Map level
The Route Map level allows you to configure parameters for a BGP4 route map. You reach this level by entering the route-map <name> command at the global CONFIG level.
Router VRRP level
The VRRP level allows you to configure parameters for the Virtual Router Redundancy Protocol (VRRP).
MAC port security level
The MAC port security level allows you to configure the port security feature. You reach this level by entering the global-port-security command at the Global or Interface levels.
Accessing the CLI
The CLI can be accessed through both serial and Telnet connections.
Optional fields
When two or more options are separated by a vertical bar, “|”, you must enter one of the options as part of the command.
Syntax: priority normal | high
For example, the "normal | high" entry in the Syntax above means that priority can be either priority normal or priority high.
Searching and filtering output
Displaying lines containing a specified string
The following command filters the output of the show interface command for port 3/11 so it displays only lines containing the word “Internet”. This command can be used to display the IP address of the interface.
BigIron RX# ?
append        Append one file to another
attrib        Change file attribute
boot          Boot system from bootp/tftp server/flash image
cd            Change current working directory
chdir         Change current working directory
clear         Clear table/statistics/keys
clock         Set clock
configure     Enter configuration mode
copy          Copy between flash, tftp, config/code...
--More--, next page: Space, next line: Return key, quit: Control-c
-telnet
The filtered results are displayed.
filtering...
sync-standby  Sync active flash (pri/sec/mon/startup config/lp images) to standby if different
terminal      Change terminal settings
traceroute    TraceRoute to IP node
undelete      Recover deleted file
whois...
TABLE 28 Special characters for regular expressions (Continued)
Character: Operation
$: A dollar sign matches on the end of an input string. For example, the following regular expression matches output that ends with “deg”: deg$
_: An underscore matches on one or more of the following:
• ...
• All digits
• Any of the following special characters are valid: ... &
Syntax shortcuts
A command or parameter can be abbreviated as long as enough text is entered to distinguish it from other commands at that level.
Chapter
Getting Familiar With the BigIron RX Series Switch Management Applications
How to manage BigIron RX Series switch
This chapter describes the different applications you can use to manage the BigIron RX Series Switch. The BigIron RX Series Switch supports the same management applications as other Brocade devices.
TABLE 29 CLI line editing commands
Ctrl-key combination: Description
Ctrl-A: Moves to the first character on the command line.
Ctrl-B: Moves the cursor back one character.
Ctrl-C: Escapes and terminates command prompts and ongoing tasks (such as lengthy displays), and displays a fresh command prompt.
NOTE
The regular expression specified as the search string is case sensitive. In the example above, a search string of “Internet” would match the line containing the IP address, but a search string of “internet” would not.
Displaying lines that do not contain a specified string
The following command filters the output of the show who command so it displays only lines that do not contain the word “closed”.
TABLE 30 Special characters for regular expressions (Continued)
Character: Operation
_: An underscore matches on one or more of the following:
• , (comma)
• { (left curly brace)
• } (right curly brace)
• ( (left parenthesis)
• ...
• &
Logging on through the Web Management Interface
To use the Web Management Interface, open a Web browser and enter the IP address of a BigIron RX Series Switch’s management port in the Location or Address field.
FIGURE 2 Web Management Interface login dialog box
The login username and password you enter depends on whether your device is configured with AAA authentication for SNMP. If AAA authentication for SNMP is not configured, you can use the user name “get”...
Logging on through IronView Network Manager
Refer to the IronView Network Management User’s Guide for information about using IronView Network Manager.
Chapter
Using a Redundant Management Module
How management module redundancy works
You can install a redundant management module in slot M1 or M2 of the BigIron RX Series chassis. By default, the system considers the module installed in slot M1 to be the active management module and the module installed in slot M2 to be the redundant or standby module.
The interface modules are not reset, as they are with the previous cold-restart redundancy feature. The interface modules continue to forward traffic while the standby management module takes over operation of the system. The new now-active management module receives updates from the interface modules and sends verification information to the interface modules to ensure that they are synchronized.
• The active management module’s flash memory.
• A PCMCIA flash card inserted in one of the PCMCIA slots in the active management module’s front panel.
After the replacement module boots, the active module compares the standby module’s flash code and system-config file to its own.
Syslog and SNMP traps
When a switchover occurs, the BigIron RX system sends a Syslog message to the local Syslog buffer and also to the Syslog server, if you have configured the system to use one. In addition, if you have configured an SNMP trap receiver, the system sends an SNMP trap to the receiver.
Management module redundancy configuration
Configuring management module redundancy consists of performing one optional task (changing the default active chassis slot). This section explains how to perform this task.
Changing the default active chassis slot
By default, the BigIron RX Series system considers the module installed in slot M1 to be the active management module.
Managing management module redundancy
During startup or switchover, the active module compares the standby module’s flash code to its own. If differences exist, the active module synchronizes the standby module’s flash code with its own. If you update the flash code on the active module, the active module automatically synchronizes (without comparison) the standby module’s flash code with its own.
FIGURE 4 Active and standby management module file synchronization (figure columns: “Synchronized at startup or switchover”, “Automatically synchronized at regular, user-configurable intervals”, “Not synchronized”; figure notes: “Also can be immediately synchronized using the CLI”, “Startup-config also automatically updated with write memory”)
To compare and immediately synchronize files between the active and standby modules if differences exist, enter the following command at the Privileged EXEC level of the CLI.
BigIron RX# sync-standby
Syntax: sync-standby
Synchronizing files without comparison
You can synchronize the flash code, system-config file, and running-config file immediately without comparison.
Monitoring management module redundancy
BigIron RX# boot system flash primary
Syntax: boot system bootp | [flash primary | flash secondary] | slot <number> <filename> | tftp <ip-address> <filename>
The flash primary keyword specifies the primary RX Series IronWare image in the management module’s flash memory, while the flash secondary keyword specifies the secondary RX Series IronWare image in the flash memory.
Software
To display the status of the management modules, enter the following command at any CLI level.
BigIron RX# show module
Module                                        Status           Ports  Starting MAC
M1 (upper): BigIron BI-RX Management Module   Active
M2 (lower): BigIron BI-RX Management Module   Standby (Ready)
Syntax: show module
The Status column indicates the module status.
To view the redundancy parameter settings and statistics, enter the following command at any level of the CLI.
BigIron RX# show redundancy
=== MP Redundancy Settings ===
Default Active Slot = 17
Running-Config Sync Period = 7 seconds
=== MP Redundancy Statistics ===
Current Active Session:
Active Slot = 9, Standby Slot = 10 (Ready State), Switchover Cause = No Switchover...
Flash memory and PCMCIA flash card file management commands
• Create a subdirectory.
• Remove a subdirectory.
• Rename a file.
• Change the read-write attribute of a file.
• Delete a file.
• Recover or “undelete” a file.
• Append one file to another (join two files).
For example, if you want to display a directory of files in flash memory and flash memory has the current management focus, you do not need to specify the flash keyword. However, if you want to display a directory of files for slot 1 and flash memory has the current focus, you must specify the slot1 keyword.
PCMCIA flash card file system
The PCMCIA flash card file system is hierarchical, which means that it supports subdirectories. Therefore, you can create or delete subdirectories in this file system using the md or mkdir and rd or rmdir commands, respectively.
• &
You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: “a long subdirectory name”.
2048 bytes in each allocation unit.
39458 allocation units available on card.
Syntax: format slot1 | slot2
The slot1 | slot2 keyword specifies the PCMCIA slot that contains the flash card you are formatting.
Determining the current management focus
For conceptual information about management focus, refer to “Management focus”...
For the <directory-pathname> parameter for both cd and chdir commands, you can specify /slot1 or /slot2 to switch the focus to slot 1 or slot 2, respectively. Specify /flash to switch the focus to flash memory.
For example, to display the contents of a file in flash memory, if flash memory has the current management focus, enter a command such as the following.
BigIron RX# more cfg.cfg
Syntax: more [/<directory>/]<file-name>...
The software attempts to create a subdirectory in the file system that has the current management focus. By default, flash memory has the management focus. However, you do not need to change the focus to create a subdirectory in a file system that does not currently have management focus.
The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using uppercase letters. To verify successful creation of the subdirectory, enter a command such as the following to change to the new subdirectory level.
Renaming a file
You can rename a file in the management module’s flash memory or on a flash card inserted in the management module’s slot 1 or slot 2 using the rename or mv command. The software attempts to rename the file in the file system that has the current management focus.
For example, to change the attribute of a file in slot2 to read-only, if flash memory has the management focus, enter a command such as the following.
BigIron RX# attrib slot2 ro goodcfg.cfg
Syntax: attrib [slot1 | slot2] ro | rw <file-name>...
For example, to delete all files with names that start with “test” from flash memory, if flash memory has the current management focus, enter a command such as the following.
BigIron RX# delete test*.*
For example, to delete all files on the flash card in slot 2, if flash memory has the current management focus, you can enter one of the following commands.
Appending a file to another file
You can append a file in flash memory or on a flash card to the end of another file in one of these file systems. The software attempts to append one file to another in the file system that has the current management focus.
NOTE
The copy options require you to explicitly specify the flash card. Therefore, you can perform a copy regardless of the flash card that currently has the management focus.
Copying files from one flash card to the other
To copy a file from one flash card to the other, enter the following command.
Specify the optional standby keyword to copy the RX Series IronWare image from the secondary location in the active management module’s flash memory to the primary location in the standby module’s flash memory. To copy the RX Series IronWare image from the primary location in the active management module’s flash memory to the secondary location in the active module’s flash memory, enter the following command.
The command in this example copies a file from slot 1 to a TFTP server. In this case, the software uses the same name for the source file and for the destination file. Optionally, you can specify a different file name for the destination file.
To copy a startup-config file from a TFTP server to flash memory, enter a command such as the following.
BigIron RX# copy tftp startup-config 10.10.10.1 test.cfg
Syntax: copy tftp startup-config <ip-addr> [/<from-dir-path>]<from-name>
Copying the running-config to a flash card or a TFTP server
Use the following method to copy the BigIron RX Series Switch’s running-config to a flash card or a TFTP server.
• Copy files from flash memory to flash memory.
• Copy files from flash memory to a flash card or vice versa.
• Copy files from one flash card to another flash card.
The software attempts to copy a file in a file system to another location in the file system that has the current management focus.
Rebooting from the system
To use another source instead of the RX Series IronWare image in the primary location in flash memory for one reboot, enter a command such as the following at the Privileged EXEC level of the CLI.
Syntax: boot system slot1 <file-name> | slot2 <file-name> | flash secondary | tftp <ip-address> <file-name> | bootp
NOTE
The command syntax is the same for immediately reloading and for changing the primary source, except the <file-name>...
System Monitoring Service
Specify the <dir-path-name> parameter if you want to save the configuration changes to a directory other than the root directory of a flash card file system. The <file-name> parameter indicates the name of the saved configuration file. To change the save location back to flash memory, enter a command such as the following.
• The DRAM CRC detection feature has two methods to detect errors: an interrupt routine is used to detect these errors quickly and then triggers a shutdown of the failed Traffic Manager (TM). Long-term polling detects low-rate CRC errors, which will be repo... the egress port. This process generates a Syslog message.
TABLE 34 Syslog messages generated by SYSMON

Syslog message example: Sep 13 15:01:29:E:System: ALARM:FE Switch fabric element Read-Write Test Error: SNM4/FE1 Reg 0x14, Read 0x48000000 != Written 0x0
Event: FE switch fabric element read/write error
Description: A failure has occurred on the specified switch fabric module.

Syslog message example: Sep 13 15:01:29:E:System: ALARM: TM ingress DRAM CRC error
Event: TM ingress DRAM CRC error
Description: A failure was detected on the ingress DRAM.
System Monitoring Service BigIron RX Series Configuration Guide 53-1001986-01...
Chapter Securing Access to Management Functions

Securing access methods
This chapter explains how to secure access to management functions on the device.

NOTE For the device, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.

The following table lists the management access methods available on the device, how they are secured by default, and the ways in which they can be secured.
TABLE 35 Ways to secure management access to the device (Continued)

Access method: Secure Shell (SSH) access
How the access method is secured by default: Not configured
Ways to secure the access method: Configure SSH (see page 905); Regulate SSH access using ACLs (see page 66)...
Restricting remote access to management functions
You can restrict access to management functions from remote sources, including Telnet, the Web management interface, and SNMP. The following methods for restricting remote access are supported:
• Using ACLs to restrict Telnet, Web management interface, or SNMP access
•...
To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL. For example:

BigIron RX(config)# access-list 10 permit host 209.157.22.32
BigIron RX(config)# access-list 10 permit 209.157.23.0 0.0.0.255
BigIron RX(config)# access-list 10 permit 209.157.24.0 0.0.0.255
BigIron RX(config)# access-list 10 permit 209.157.25.0/24
BigIron RX(config)# telnet access-group 10...
Restricting remote access to management functions These commands configure ACL 12, then apply the ACL as the access list for Web management access. The device denies Web management access from the IP addresses listed in ACL 12 and permits Web management access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny Web management access from all IP addresses.
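The first-match and implicit-deny behaviour described above, as an added worked example that is not part of the Brocade guide: a small Python evaluator that parses numbered ACL lines in the forms the guide uses (host, wildcard mask, prefix length and any) and reports whether a given source address would be permitted. The ACL contents are constructed for illustration, modelled on ACLs 10 and 12 above, and the wildcard masks are assumed to be contiguous.

```python
import ipaddress

# Constructed sample configuration modelled on the page's examples. ACL 10 has
# no trailing "permit any"; ACL 12 denies two hosts and then permits everyone.
SAMPLE_CONFIG = """
access-list 10 permit host 209.157.22.32
access-list 10 permit 209.157.23.0 0.0.0.255
access-list 10 permit 209.157.24.0 0.0.0.255
access-list 10 permit 209.157.25.0/24
access-list 12 deny host 209.157.22.98
access-list 12 deny host 209.157.22.99
access-list 12 permit any
"""


def _source_network(tokens):
    """Convert the source part of an ACL entry into an IPv4Network.

    Accepts "any", "host A.B.C.D", "A.B.C.D/len" and "A.B.C.D W.W.W.W"
    (wildcard mask, where 1 bits are don't-care). Assumes the wildcard mask
    is contiguous; IPv4Network rejects non-contiguous masks.
    """
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32")
    if "/" in tokens[0]:
        return ipaddress.IPv4Network(tokens[0], strict=False)
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(tokens[0] + "/" + str(netmask), strict=False)


def parse_acls(config):
    """Return {acl_id: [(action, network), ...]} in configuration order."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        acl_id, action, source = tokens[1], tokens[2], tokens[3:]
        if action not in ("permit", "deny"):
            raise ValueError("unknown action in: " + line)
        acls.setdefault(acl_id, []).append((action, _source_network(source)))
    return acls


def evaluate(entries, src_ip):
    """First matching entry wins; an ACL with no matching entry denies."""
    ip = ipaddress.IPv4Address(src_ip)
    for action, network in entries:
        if ip in network:
            return action
    return "deny"


def demo():
    acls = parse_acls(SAMPLE_CONFIG)
    # ACL 12 with its final "permit any" removed, to show the implicit deny.
    without_permit_any = [e for e in acls["12"] if e[1].prefixlen != 0]
    return {
        "acl10 listed host": evaluate(acls["10"], "209.157.22.32"),
        "acl10 wildcard net": evaluate(acls["10"], "209.157.24.200"),
        "acl10 other host": evaluate(acls["10"], "10.1.1.1"),
        "acl12 denied host": evaluate(acls["12"], "209.157.22.98"),
        "acl12 other host": evaluate(acls["12"], "10.1.1.1"),
        "acl12 no permit any": evaluate(without_permit_any, "10.1.1.1"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The last two results are the point of the passage: ACL 12 as written permits an unlisted host because of its final permit any entry, and the same ACL without that entry denies everyone who is not explicitly matched.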
BigIron RX(config)# ip ssh client 209.157.22.39

Syntax: [no] ip ssh client <ip-addr>

Restricting Web Management access to a specific IP address
To allow Web Management access to the device only to the host with IP address 209.157.22.26, enter the following command.
Restricting remote access to management functions • Web management access • SNMP access • TFTP access By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given access method based on VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN.
Restricting remote access to management functions The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
Disabling Web management access by HP ProCurve Manager
By default, TCP port 80 is enabled on the Brocade device. TCP port 80 (HTTP) allows access to the device's Web management interface. By default, TCP port 280 for HP Top tools is disabled. This tool allows access to the device by HP ProCurve Manager.
To set the password "letmein" for Telnet access to the CLI, enter the following command at the global CONFIG level.

BigIron RX(config)# enable telnet password letmein

Syntax: [no] enable telnet password <string>

Suppressing Telnet connection rejection messages
By default, if a device denies Telnet management access to the device, the software sends a message to the denied Telnet client.
3. Enter the following command to set the Super User level password.

BigIron RX(config)# enable super-user-password <text>

NOTE You must set the Super User level password before you can set other types of passwords. The Super User level password can be an alphanumeric string, but cannot begin with a number.
4.
The <cli-level> parameter specifies the CLI level and can be one of the following values:
• exec – EXEC level; for example, BigIron RX> or BigIron RX#
• configure – CONFIG level; for example, BigIron RX(config)#
• interface – Interface level; for example, BigIron RX(config-if-e10000-6)#
•...
BigIron RX(config)# enable password-display
BigIron RX(config)# show snmp server

The enable password-display command enables display of the community string, but only in the output of the show snmp server command. The string is still shown encrypted in the startup configuration file and the running configuration.
Setting up local user accounts If you configure local user accounts, you also need to configure an authentication-method list for Telnet access, Web management access, and SNMP access. Refer to “Configuring authentication-method lists” on page 113. For each local user account, you specify a user name which can have up to 255 characters. You also can specify the following parameters: •...
NOTE You must be logged on with Super User access (privilege level 0) to add user accounts or configure other access parameters.

To display user account information, enter the following command.

BigIron RX(config)# show users

Syntax: show users

Changing local user passwords
This section shows how to change the password for an existing local user account.
Setting up local user accounts 3. User account information is listed in a table. Click on the Delete button next to the user account whose password you wish to change. 4. Click on Add User Account. 5. Enter the user name in the Username field. The name cannot contain blanks. 6.
• At least two upper case characters
• At least two lower case characters
• At least two numeric characters
• At least two special characters

NOTE Password minimum and combination requirements are strictly enforced.

Configuring the strict password feature
Use the enable strict-password-enforcement command to enable the password security feature.
Requiring users to accept the message of the day
If a message of the day (MOTD) is configured, a user can be required to press the Enter key before he or she can log in. To enable this requirement, enter the command as shown.

BigIron RX(config)# banner motd require-enter-key

Syntax: [no] banner motd require-enter-key

Locking out user accounts after three login attempts...
BigIron RX(config)# user sandy enable
NetIron(config)# show user
Username   Password                                 Encrypt   Priv   Status    Expire Time
==============================================================================
sandy      $1$Gz...uX/$wQ44fVGtsqbKWkQknzAZ6.      enabled          enabled   90 days

Syntax: [no] username <name> enable

Creating an encrypted all-numeric password
To create a password that is made up of all numeric values, use the command "username <user-string>...
Enabling the SSL server on the device
To enable the SSL server on the device, enter the following command.

BigIron RX(config)# web-management https

Syntax: [no] web-management http | https

You can enable either the HTTP or the HTTPS server with this command. You can disable both the HTTP and HTTPS servers by entering the following command.
Generating an SSL certificate
If you did not already import a digital certificate from a client, the device can create a default certificate. To do this, enter the following command.

BigIron RX(config)# crypto-ssl certificate generate

Syntax: [no] crypto-ssl certificate generate

Deleting the SSL certificate
To delete the SSL certificate, enter the following command.
Configuring TACACS and TACACS+ security TACACS and TACACS+ authentication, authorization, and accounting When you configure a device to use a TACACS and TACACS+ server for authentication, the device prompts users who are trying to access the CLI for a user name and password, then verifies the password with the TACACS and TACACS+ server.
5. The user is prompted for a password.
6. The user enters a password.
7. The device sends the password to the TACACS+ server.
8. The password is validated in the TACACS+ server's database.
9. If the password is valid, the user is authenticated.

TACACS+ authorization
The device supports two kinds of TACACS+ authorization:
•...
Configuring TACACS and TACACS+ security 5. The TACACS+ accounting server records information about the event. 6. When the event is concluded, the device sends an Accounting Stop packet to the TACACS+ accounting server. The TACACS+ accounting server acknowledges the Accounting Stop packet. AAA operations for TACACS and TACACS+ The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a device that has TACACS and TACACS+ security...
Configuring TACACS and TACACS+ security 3. Configure authentication-method lists. Refer to “Configuring authentication-method lists for TACACS and TACACS+” on page 92. TACACS+ configuration procedure For TACACS+ configurations, use the following procedure. 1. Enable TACACS, refer to “Enabling SNMP to configure TACACS and TACACS” on page 89 2.
Configuring TACACS and TACACS+ security If you add multiple TACACS and TACACS+ authentication servers to the device, the device tries to reach them in the order you add them. For example, if you add three servers in the following order, the software tries the servers in the same order.
Configuring TACACS and TACACS+ security • Retransmit interval – This parameter specifies how many times the Brocade device will resend an authentication request when the TACACS and TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times. •...
Configuring TACACS and TACACS+ security Setting the dead time parameter The dead-time parameter specifies how long the device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 –...
Configuring TACACS and TACACS+ security The command above causes TACACS and TACACS+ to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If TACACS and TACACS+ authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used;...
Configuring TACACS and TACACS+ security Configuring TACACS+ authorization The device supports TACACS+ authorization for controlling access to management functions in the CLI. Two kinds of TACACS+ authorization are supported: • Exec authorization determines a user’s privilege level when they are authenticated •...
service = exec {
    foundry-privlvl = 0
}

In this example, the A-V pair grants the user full read-write access. The foundry-privlvl = 0 value in the foundry-privlvl A-V pair is an integer that indicates the privilege level of the user. Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level.
Configuring TACACS and TACACS+ security If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5 (read-only) is used. Configuring command authorization When TACACS+ command authorization is enabled, the BigIron RX consults a TACACS+ server to get authorization for commands entered by the user.
Configuring TACACS and TACACS+ security Configuring TACACS+ accounting The device supports TACACS+ accounting for recording information about user activity and system events. When you configure TACACS+ accounting on a device, information is sent to a TACACS+ accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring an interface as the source for all TACACS and TACACS+ packets
You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all TACACS and TACACS+ packets from the device.
Configuring RADIUS security
You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the device:
• Telnet access
• SSH access
• Web management access
• Access to the Privileged EXEC level and CONFIG levels of the CLI

NOTE The BigIron RX does not support RADIUS security for SNMP (IronView Network Manager) access.
Configuring RADIUS security • A list of commands • Whether the user is allowed or denied usage of the commands in the list The last two attributes are used with RADIUS authorization, if configured. 9. The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on the BigIron RX.
Configuring RADIUS security AAA operations for RADIUS The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a BigIron RX that has RADIUS security configured. User action Applicable AAA operations User attempts to gain access to the Enable authentication: Privileged EXEC and CONFIG levels of the...
Configuring RADIUS security AAA security for commands pasted into the running configuration If AAA security is enabled on the device, commands pasted into the running configuration are subject to the same AAA operations as if they were entered manually. When you paste commands into the running configuration, and AAA command authorization or accounting is configured on the device, AAA operations are performed on the pasted commands.
Configuring Brocade-specific attributes on the RADIUS server

NOTE For the BigIron RX, RADIUS Challenge is supported for 802.1x authentication but not for login authentication.

During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the device, authenticating the user.
TABLE 38 Brocade vendor-specific attributes for RADIUS (Continued)

Attribute name: brocade-command-string
Data type: string
Description: Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured. The commands are delimited by semi-colons (;).
Configuring RADIUS security Specifying different servers for individual AAA functions In a RADIUS configuration, you can designate a server to handle a specific AAA task. For example, you can designate one RADIUS server to handle authorization and another RADIUS server to handle accounting.
Configuring RADIUS security NOTE Encryption of the RADIUS keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility. Setting the retransmission limit The retransmit parameter specifies the maximum number of retransmission attempts. When an authentication request times out, the Brocade software will retransmit the request up to the maximum number of retransmissions configured.
BigIron RX(config)# aaa authentication enable default radius local none

The command above causes RADIUS to be the primary authentication method for securing access to the Privileged EXEC level and CONFIG levels of the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead.
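The fallback behaviour of an authentication-method list, as described for the TACACS+ form of this command earlier and for the RADIUS form just above, as an added worked example that is not part of the Brocade guide: a Python model of a "radius local none" list walked left to right. The backends are constructed stand-ins, not a RADIUS client; the rule that a server error hands over to the next method while a definite reject ends the attempt is an assumption drawn from the wording above, and treating an empty local user database as an error rather than a reject is also an assumption.

```python
ACCEPT, REJECT, ERROR = "accept", "reject", "error"


def make_server(reachable, users):
    """Constructed RADIUS/TACACS+ stand-in. ERROR models an unreachable
    server; REJECT models a wrong password or unknown user."""
    def method(user, password):
        if not reachable:
            return ERROR
        return ACCEPT if users.get(user) == password else REJECT
    return method


def make_local(users):
    """Local user accounts. With no accounts configured there is nothing to
    check against, which is treated as ERROR (assumption) rather than REJECT."""
    def method(user, password):
        if not users:
            return ERROR
        return ACCEPT if users.get(user) == password else REJECT
    return method


def none_method(user, password):
    """The 'none' method performs no authentication at all."""
    return ACCEPT


def authenticate(method_list, backends, user, password):
    """Walk the method list in order.

    Assumption: a method that returns ERROR (server unreachable, nothing to
    consult) hands over to the next method; a definite REJECT ends the
    attempt. Returns (granted, trace) where trace lists each method's result.
    """
    trace = []
    for name in method_list:
        result = backends[name](user, password)
        trace.append((name, result))
        if result == ACCEPT:
            return True, trace
        if result == REJECT:
            return False, trace
    return False, trace  # every method errored and the list was exhausted


def scenarios():
    """Constructed scenarios for 'aaa authentication enable default radius local none'."""
    radius_users = {"ops": "correct-horse"}
    server_up = {"radius": make_server(True, radius_users),
                 "local": make_local({}), "none": none_method}
    outage_no_local = {"radius": make_server(False, radius_users),
                       "local": make_local({}), "none": none_method}
    outage_with_local = {"radius": make_server(False, radius_users),
                         "local": make_local({"ops": "local-pw"}), "none": none_method}
    full = ["radius", "local", "none"]
    return {
        "server up, good password": authenticate(full, server_up, "ops", "correct-horse"),
        "server up, bad password": authenticate(full, server_up, "ops", "wrong"),
        "server down, local account": authenticate(full, outage_with_local, "ops", "local-pw"),
        "server down, no local accounts": authenticate(full, outage_no_local, "ops", "anything"),
        "same outage without 'none'": authenticate(full[:2], outage_no_local, "ops", "anything"),
    }


if __name__ == "__main__":
    for label, (granted, trace) in scenarios().items():
        print(f"{label}: {'GRANTED' if granted else 'DENIED'} via {trace}")
```

The fourth scenario is the one to check before leaving "none" at the end of a list: a server outage combined with an empty local user database grants Privileged EXEC access with no credential checked at all, and the trace shows exactly which methods were skipped on the way there.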
Configuring RADIUS security Configuring Exec authorization NOTE Before you configure RADIUS exec authorization on the BigIron RX, make sure that the aaa authentication enable default radius command or the aaa authentication login privilege-mode command exist in the configuration. When RADIUS exec authorization is performed, the BigIron RX consults a RADIUS server to determine the privilege level of the authenticated user.
NOTE RADIUS command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console. No authorization is performed for commands entered at the Web Management Interface or IronView Network Manager.

NOTE Since RADIUS command authorization relies on the command list supplied by the RADIUS server during authentication, you cannot perform RADIUS authorization without RADIUS authentication.
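The two authorization decisions the guide describes, the exec privilege level taken from the foundry-privlvl A-V pair (TACACS+ section above) and the per-command check against the semicolon-delimited brocade-command-string list (RADIUS section here), as an added worked example that is not part of the Brocade guide. The tac_plus-style stanzas are constructed; the allow/deny flag is modelled as a plain argument because the guide says such a flag exists but does not name the attribute in the text above; and whole-word prefix matching of list entries against the typed command is an assumption, not documented device behaviour.

```python
import re

# Privilege levels the page lists for the foundry-privlvl A-V pair.
PRIV_LEVELS = {0: "super-user", 4: "port-config", 5: "read-only"}
DEFAULT_PRIV = 5  # used when the server returns no A-V pair for the exec service

# Constructed tac_plus-style exec service stanzas in the form the page shows.
SAMPLE_STANZAS = {
    "alice": "service = exec {\n    foundry-privlvl = 0\n}",
    "bob": "service = exec {\n    foundry-privlvl = 4\n}",
    "carol": "service = exec {\n}",
}

_PRIVLVL = re.compile(r"foundry-privlvl\s*=\s*(\d+)")


def exec_privilege(stanza):
    """Privilege level granted by a 'service = exec' stanza (default 5)."""
    match = _PRIVLVL.search(stanza)
    if match is None:
        return DEFAULT_PRIV
    level = int(match.group(1))
    if level not in PRIV_LEVELS:
        raise ValueError("unexpected foundry-privlvl %d" % level)
    return level


def authorize_command(command, command_string, mode):
    """Decide whether a typed command is allowed.

    command_string is the semicolon-delimited list from brocade-command-string.
    mode is "permit" (the list is what the user may run) or "deny" (the list
    is what the user may not run). Assumption: a list entry matches when it is
    a whole-word prefix of the command, so "show" matches "show version" but
    not "showme".
    """
    if mode not in ("permit", "deny"):
        raise ValueError("mode must be permit or deny")
    entries = [e.split() for e in command_string.split(";") if e.strip()]
    words = command.split()
    matched = any(words[:len(entry)] == entry for entry in entries)
    return matched if mode == "permit" else not matched


def demo():
    allow = "show;ping;traceroute"
    block = "configure terminal;write memory;reload"
    return {
        "alice level": exec_privilege(SAMPLE_STANZAS["alice"]),
        "carol level": exec_privilege(SAMPLE_STANZAS["carol"]),
        "show version vs allow-list": authorize_command("show version", allow, "permit"),
        "configure vs allow-list": authorize_command("configure terminal", allow, "permit"),
        "showme vs allow-list": authorize_command("showme", allow, "permit"),
        "show run vs deny-list": authorize_command("show running-config", block, "deny"),
        "reload vs deny-list": authorize_command("reload", block, "deny"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Two details matter in practice: a server entry with no A-V pair silently lands the user at read-only (level 5), which is the safe default but a common cause of "my admin cannot configure anything" tickets, and matching must be done on whole words so that a list entry such as "show" cannot be stretched into unrelated commands that merely start with the same letters.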
Configuring RADIUS security Configuring RADIUS accounting for CLI commands You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the BigIron RX to perform RADIUS accounting for the commands available at the Super User privilege level (that is; all commands on the device), enter the following command.
Configuring RADIUS security • If you specify a loopback interface as the single source for RADIUS packets, RADIUS servers can receive the packets regardless of the states of individual links. Thus, if a link to the RADIUS server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
Configuring authentication-method lists TABLE 39 Output of the show aaa command for RADIUS Field Description Radius key The setting configured with the radius-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (..) is displayed instead of the text.
Configuring authentication-method lists NOTE To authenticate Telnet access to the CLI, you also must enable the authentication by entering the enable telnet authentication command at the global CONFIG level of the CLI. You cannot enable Telnet authentication using the Web management interface. NOTE You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses.
Configuring authentication-method lists • If you configure an authentication-method list for Web management access and specify “local” as the primary authentication method, users who attempt to access the device using the Web management interface must supply a user name and password configured in one of the local user accounts on the device.
Configuring authentication-method lists NOTE If you configure authentication for Web management access, authentication is performed each time a page is requested from the server. When frames are enabled on the Web management interface, the browser sends an HTTP request for each frame. The Brocade device authenticates each HTTP request from the browser.
Chapter Configuring Basic Parameters This chapter describes how to configure basic system parameters. The software comes with default parameters to allow you to begin using the basic features of the system immediately. However, many advanced features, such as VLANs or routing protocols for the router, must first be enabled at the system (global) level before they can be configured.
Configuring Simple Network Management Protocol traps
This section explains how to do the following:
• Specify an SNMP trap receiver.
• Specify a source address and community string for all traps that the device sends.
•...
Configuring Simple Network Management Protocol traps The port <value> parameter specifies the UDP port that will be used to receive traps. This parameter allows you to configure several trap receivers in a system. With this parameter, IronView Network Manager and another network management application can coexist in the same system. The device can be configured to send copies of traps to more than one network management application.
You can change the holddown time to a value from one second to ten minutes. To change the holddown time for SNMP traps, enter a command such as the following at the global CONFIG level of the CLI.

BigIron RX(config)# snmp-server enable traps holddown-time 30

The command changes the holddown time for SNMP traps to 30 seconds.
Configuring Simple Network Management Protocol traps Disabling Syslog messages and traps for CLI access The device sends Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI. The feature, enabled by default, applies to users whose access is authenticated by an authentication-method list based on a local user account, RADIUS server, or TACACS and TACACS+ server.
Configuring an interface as source for all Telnet packets The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.
BigIron RX(config)# interface ethernet 1/4
BigIron RX(config-if-e10000-1/4)# ip address 209.157.22.110/24
BigIron RX(config-if-e10000-1/4)# exit
BigIron RX(config)# ip telnet source-interface ethernet 1/4

Cancelling an outbound Telnet session
If you want to cancel a Telnet session from the console to a remote Telnet server (for example, if the connection is frozen), you can terminate the Telnet session by doing the following.
Specifying a Simple Network Time Protocol (SNTP) server The commands in this example configure virtual interface 1, assign IP address 10.0.0.4/24 to the interface, then designate the interface's address as the source address for all Syslog packets. Syntax: [no] ip syslog source-interface ethernet [<slotnum>/]<portnum> | loopback <num> | ve <num>...
Specifying a Simple Network Time Protocol (SNTP) server The following table describes the information displayed by the show sntp associations command. TABLE 41 Output from the show sntp associations command This field... Displays... (leading character) One or both of the following: Synchronized to this peer Peer is statically configured address...
Setting the system clock
In addition to SNTP support, the device also allows you to set the system time counter. It starts the system time and date clock with the time and date you specify. The time counter setting is not retained across power cycles and is not automatically synchronized with an SNTP server.
Setting the system clock • GMT + 10:30 • GMT + 09:30 • GMT + 06:30 • GMT + 05:30 • GMT + 04:30 • GMT + 03:30 • GMT - 03:30 • GMT - 08:30 • GMT - 09:30 Beginning with the Multi-Service IronWare 02.8.01 release, you can now set the system time clock for countries like India that fall in the ½...
To verify the change, run a show clock command.

BigIron RX(config)# show clock

Syntax: show clock

Refer to October 19, 2006 - Daylight Savings Time 2007 Advisory, posted on kp.foundrynet.com, for more information.

Configuring CLI banners
The device can be configured to display a greeting message on users' terminals when they enter the Privileged EXEC CLI level or access the device through Telnet.
Setting a privileged EXEC CLI level banner
You can configure the device to display a message when a user enters the Privileged EXEC CLI level.

BigIron RX(config)# banner exec_mode # (Press Return)
Enter TEXT message, End with the character '#'.
You are entering Privileged EXEC level
Don't foul anything up! #

As with the banner motd command, you begin and end the message with a delimiting character;...
Configuring terminal display
You can configure and display the number of lines displayed on a terminal screen during the current CLI session. The terminal length command allows you to determine how many lines will be displayed on the screen during the current CLI session.
Displaying and modifying system parameter default settings NOTE The following protocols require a system reset before the protocol will be active on the system: PIM, DVMRP, RIP, FSRP. To reset a system, enter the reload command at the privileged level of the CLI. To enable a protocol on a device, enter router at the global CONFIG level, followed by the protocol to be enabled.
BigIron RX# show default values
sys log buffers:50          mac age time:300 sec        telnet sessions:5
ip arp age:10 min           bootp relay max hops:4      ip ttl:64 hops
ip addr per intf:24
when multicast enabled :
igmp group memb.:140 sec    igmp query:60 sec
when ospf enabled :...
Information for the configurable tables appears under the columns shown in bold type. To simplify configuration, the command parameter you enter to configure the table is used for the table name. For example, to increase the capacity of the IP route table, enter the following commands.

BigIron RX(config)# system-max ip-route 120000
BigIron RX(config)# write memory
BigIron RX(config)# exit...
To globally disable Layer 2 switching on the device, enter commands such as the following.

BigIron RX(config)# route-only
BigIron RX(config)# exit
BigIron RX# write memory
BigIron RX# reload

To re-enable Layer 2 switching globally, enter the following.

BigIron RX(config)# no route-only
BigIron RX(config)# exit
BigIron RX# write memory...
The total number of CAM entries available is 1024 for each packet processor. If you want to configure 600 for ACLs, 168 for PBR and Rate Limiters, and 256 for IPv6 multicast forwarding entries, enter commands such as the following.

BigIron RX(config)# cam-partition rw session 768
BigIron RX(config)# cam-partition rw session rule-partition 600

The 768 rw session entries cover the 600 ACL entries and the 168 PBR and Rate Limiter entries together, leaving the remaining 256 of the 1024 for IPv6 multicast forwarding.

If you want to configure 2 ACL entries and 2 IPv6 entries and 1020 Rate Limiting entries, enter a...
As of release 02.4.00, the Nexthop table is user configurable. If the router is installed in a network where there are many directly connected hosts, then the size of the one-path partition should be increased. To configure the partition, use a command such as the following.

BigIron RX(config)# cam-partition next-hop 2048 1024 512 512

The above command partitions the next-hop table into 2048 one-path, 1024 two-path, 512 four-path and 512 eight-path entries.
Pinging an IPv4 address
To verify that a Brocade device can reach another device through the network, enter a command such as the following at any level of the CLI on the Brocade device:

BigIron RX> ping 192.33.4.7

Syntax: ping <ip addr>...
Pinging an IPv4 address U = Indicates that a destination unreachable error PDU was received. I = Indicates that the user interrupted ping. NOTE The number of ! characters displayed may not correspond to the number of successful replies by the ping command.
Chapter Configuring Interface Parameters Assigning a port name NOTE To modify Layer 2, Layer 3, or Layer 4 features on a port, refer to the appropriate section in this chapter or other chapters. For example, to modify Spanning Tree Protocol (STP) parameters for a port, refer to “Changing STP port parameters”...
Speed/Duplex negotiation
Speed/Duplex negotiation detects the speed (10 Mbps, 100 Mbps, 1000 Mbps) and duplex (half-duplex or full-duplex) settings of the device on the other end of the wire and subsequently adjusts to match those settings. Each of the 10/100/1000BaseTX ports is designed to auto-sense and auto-negotiate the speed and mode of the connected device.
• auto-gig – The port tries to perform a negotiation with its peer port to exchange capability information. This is the default state.
• neg-off – The port does not try to perform a negotiation with its peer port.
Unless the ports at both ends of a Gigabit Ethernet link use the same mode (either auto-gig or neg-off), the ports cannot establish a link.
Locking a port to restrict addresses NOTE To use this feature, 802.3x flow control must be enabled globally on the device. By default, 802.3x flow control is enabled on the device, but can be disabled with the no flow-control command. To specify threshold values for flow control, enter the following command.
Port transition hold timer
The delay-link-event command delays the sending of port "up" or "down" events to Layer 2 protocols. While link down events are reported immediately in syslog, their effect on higher-level protocols such as OSPF is delayed according to how delay-link-event is configured.
Configuring port flap dampening on an interface
This feature is configured at the interface level.

BigIron RX(config)# interface ethernet 2
BigIron RX(config-if-e100-2)# link-error-disable 10 3 10

Syntax: [no] link-error-disable <toggle-threshold> <sampling-time-in-sec> <wait-time-in-sec>

The <toggle-threshold> is the number of times a port's link state goes from up to down and down to up before the wait period is activated.
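The three link-error-disable parameters in action, as an added simulation that is not part of the Brocade guide and not device code: a Python model of a port fed constructed link events, using the 10 3 10 values from the example above. The guide gives the parameters but not the counting details, so the following are assumptions: every up-to-down or down-to-up transition is one toggle, toggles are counted over a sliding window of <sampling-time-in-sec>, and once the threshold is reached the port is error-disabled for <wait-time-in-sec> with link events during that time ignored.

```python
from collections import deque


class FlapDampener:
    """Simulation of 'link-error-disable <toggle-threshold> <sampling-time> <wait-time>'.

    Assumptions (the page gives the parameters, not the counting details):
    every up->down or down->up transition is one toggle; toggles are counted
    over a sliding window of sampling_time seconds; when the count reaches
    toggle_threshold the port is error-disabled for wait_time seconds and
    link events during that time are ignored. Time is in seconds.
    """

    def __init__(self, toggle_threshold, sampling_time, wait_time):
        self.threshold = toggle_threshold
        self.sampling = sampling_time
        self.wait = wait_time
        self.link = "down"
        self.toggles = deque()
        self.disabled_until = None
        self.events = []  # (time, message) log of dampening actions

    def link_event(self, now, link):
        """Feed one link event; return the port state after it."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "err-disabled"
            self.disabled_until = None
            self.events.append((now, "wait period over, port re-enabled"))
        if link == self.link:
            return self.link  # no transition, nothing to count
        self.link = link
        self.toggles.append(now)
        while self.toggles and now - self.toggles[0] > self.sampling:
            self.toggles.popleft()
        if len(self.toggles) >= self.threshold:
            self.disabled_until = now + self.wait
            self.toggles.clear()
            self.events.append((now, "threshold reached, port error-disabled"))
            return "err-disabled"
        return self.link


def simulate(dampener, spacing, count):
    """Alternate up/down every `spacing` seconds, `count` times; return the states."""
    return [dampener.link_event(i * spacing, "up" if i % 2 == 0 else "down")
            for i in range(count)]


def demo():
    # Parameters from the page's example: 10 toggles within 3 s -> disable for 10 s.
    fast = FlapDampener(10, 3, 10)
    fast_states = simulate(fast, 0.2, 10)        # 10 toggles in 1.8 s
    still_disabled = fast.link_event(5.0, "up")  # inside the 10 s wait
    recovered = fast.link_event(12.0, "up")      # after the wait
    slow = FlapDampener(10, 3, 10)
    slow_states = simulate(slow, 1.0, 10)        # at most 4 toggles per 3 s window
    return {
        "fast states": fast_states,
        "still disabled": still_disabled,
        "recovered": recovered,
        "slow disabled": "err-disabled" in slow_states,
        "log": fast.events,
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The contrast between the two runs is what the sampling window buys you: a port toggling ten times in under two seconds is taken out of service on the tenth transition, while a port toggling once a second never accumulates ten toggles inside any three-second window and stays up, so a flapping link cannot keep re-triggering topology changes in the Layer 2 protocols that sit above it.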
Assigning a mirror port and monitor ports
You can monitor traffic on Brocade ports by configuring another port to "mirror" the traffic on the ports you want to monitor. By attaching a protocol analyzer to the mirror port, you can observe the traffic on the monitored ports.
The following example configures two mirror ports on the same module and one mirror port on another module. It illustrates how inbound traffic is mirrored to the two mirror ports on the same module even if the traffic is configured to be mirrored to only one mirror port on the module.

BigIron RX(config)# mirror-port ethernet 1/1
BigIron RX(config)# mirror-port ethernet 1/2
BigIron RX(config)# mirror-port ethernet 2/1...
Displaying mirror and monitor port configuration Configuring mirror ports for PBR traffic When you configure a physical or virtual port to act as a mirror port for PBR traffic, outgoing packets that match the permit Access Control List (ACL) clause in the route map are copied to the mirror ports that you specify.
Enabling WAN PHY mode support Syntax: show monitor config This output does not display the input traffic mirrored to mirror port 1/2 from port 3/1 and mirrored to mirror port 1/1 from port 4/1 because the mirroring of this traffic is not explicitly configured.
Chapter Configuring IP

Overview of configuring IP
The Internet Protocol (IP) is enabled by default. This chapter describes how to configure IP parameters on the device.

The IP packet flow
Figure 5 shows how an IP packet moves through a device.

FIGURE 5 IP packet flow through a device (figure labels: Static ARP...)
The IP packet flow 1. When the device receives an IP packet, the device checks for IP ACL filters on the receiving interface. If a deny filter on the interface denies the packet, the device discards the packet and performs no further processing. If logging is enabled for the filter, then the device generates a Syslog entry and SNMP trap message.
The software places an entry from the static ARP table into the ARP cache when the entry’s interface comes up. Here is an example of a static ARP entry.
Index   IP Address     MAC Address      Port
        207.95.6.111   0800.093b.d210
Each entry lists the information you specified when you created the entry.
Basic IP parameters and defaults To configure a static IP route, refer to “Configuring static routes” on page 197. To clear a route from the IP route table, refer to “Clearing IP routes” on page 229. To increase the size of the IP route table for learned and static routes, refer to “Displaying and modifying system parameter default settings”...
Basic IP parameters and defaults When parameter changes take effect Most IP parameters described in this chapter are dynamic. They take effect immediately, as soon as you enter the CLI command. You can verify that a dynamic change has taken effect by displaying the running configuration.
Basic IP parameters and defaults TABLE 43 IP global parameters (Continued)
Parameter: ARP rate limiting
Description: Lets you specify a maximum number of ARP packets the device will accept each second. If the device receives more ARP packets than you specify, the device drops additional ARP packets for the remainder of the one-second interval.
Default: Disabled
See page: 186
TABLE 43 IP global parameters (Continued)
Parameter: ICMP Router Discovery Protocol (IRDP)
Description: An IP protocol a router can use to advertise the IP addresses of its router interfaces to directly attached hosts. You can enable or disable the protocol, and change the following protocol parameters:...
Default: Disabled
See page: 212
TABLE 43 IP global parameters (Continued)
Parameter: Static route
Description: An IP route you place in the IP route table.
Default: No entries
See page: 197
Parameter: Source interface
Description: The IP address the router uses as the source address for Telnet, RADIUS, or TACACS and TACACS+ packets originated by the router.
Default: The lowest-numbered IP
See page: 181
Configuring IP parameters TABLE 44 IP interface parameters (Continued)
Parameter: DHCP gateway stamp
Description: The router can assist DHCP/BootP Discovery packets from one subnet to reach DHCP/BootP servers on a different subnet by placing the IP address of the router interface that receives the...
Default: The lowest-numbered IP address on the interface that receives the request
See page: 218
Configuring IP parameters NOTE Once you configure a virtual routing interface on a VLAN, you cannot configure Layer 3 interface parameters on individual ports in the VLAN. Instead, you must configure the parameters on the virtual routing interface itself. Also, once an IP address is configured on an interface, the hardware is programmed to route all IP packets that are received on the interface.
Configuring IP parameters Assigning an IP address to a loopback interface Loopback interfaces are always up, regardless of the states of physical interfaces. They can add stability to the network because they are not subject to route flap problems that can occur due to unstable links between a device and other devices.
Configuring IP parameters Syntax: interface ve <num> The <num> parameter specifies the virtual interface number. You can specify from 1 to the maximum number of virtual interfaces supported on the device. To display the maximum number of virtual interfaces supported on the device, enter the show default values command. The maximum is listed in the System Parameters section, in the Current column of the virtual-interface row.
Configuring IP parameters GRE IP tunnel The BigIron RX allows the tunneling of packets of the following protocols over an IP network using the Generic Router Encapsulation (GRE) mechanism as described in RFC 2784:
• OSPF
• IS-IS point-to-point
Using this feature, packets of these protocols can be encapsulated inside a transport protocol packet at a tunnel source and delivered to a tunnel destination, where they are unpacked and made available for delivery.
Configuring IP parameters • GRE Encapsulation • Loopback address for the Tunnel (required for de-encapsulation) • IP address for the Tunnel NOTE Sustained rates of small packet sizes may affect the ability of a 10 gigabit Ethernet port to maintain line rate GRE encapsulation and de-encapsulation performance.
Configuring IP parameters Configuring a loopback port for a tunnel interface On the device, a loopback port is required for de-encapsulating a packet exiting the tunnel. Fiber-optic components must be present on the interface module for the loopback port to work. Therefore, consider the following configuration rules for a loopback port: •...
Configuring IP parameters FIGURE 7 GRE IP tunnel configuration example [figure: BigIron RX A, port 3/1 (36.0.8.108), 10.10.1.0/24; tunnel endpoints 10.10.3.1 and 10.10.3.2 across the Internet (10.10.3.0); BigIron RX B, port 5/1 (131.108.5.2), 10.10.2.0/24]
Configuration example for BigIron RX A
BigIron RX(config)# interface ethernet 3/1
BigIron RX(config-if-e1000-3/1)# ip address 36.0.8.108/24
BigIron RX(config-if-e1000-3/1)# exit
BigIron RX(config)# interface tunnel 1
BigIron RX(config-tnif-1)# tunnel loopback 4/1...
Configuring IP parameters Syntax: show ip interface tunnel <tunnel-no> This display shows the following information.
TABLE 45 CLI display of interface IP configuration information
This field... Displays...
Interface: The tunnel and tunnel number.
IP-Address: The IP address of the tunnel interface.
…: Whether the IP address has been configured on the tunnel interface.
Configuring IP parameters IPv6 over IPv4 tunnels in hardware To enable communication between the isolated IPv6 domains using the IPv4 infrastructure, you can configure IPv6 over IPv4 tunnels. Brocade supports the following IPv6 over IPv4 tunneling in hardware mechanisms: • Manually configured tunnels In general, a manually configured tunnel establishes a permanent link between routers in IPv6 domains.
Configuring IP parameters
BigIron RX(config)# interface tunnel 1
BigIron RX(config-tnif-1)# tunnel source ethernet 3/1
BigIron RX(config-tnif-1)# tunnel destination 198.162.100.1
BigIron RX(config-tnif-1)# tunnel mode ipv6ip
BigIron RX(config-tnif-1)# ipv6 address 2001:b78:384d:34::/64 eui-64
This example creates tunnel interface 1 and assigns a global IPv6 address with an automatically computed EUI-64 interface ID to it.
Configuring IP parameters
BigIron RX# show ipv6 tunnel
IP6 Tunnels
Tunnel   Mode         Packet Received   Packet Sent
         configured   configured        22419
Syntax: show ipv6 tunnel This display shows the following information.
TABLE 46 IPv6 tunnel information
This field... Displays...
Tunnel: The tunnel interface number.
Mode: The tunnel mode.
Configuring IP parameters TABLE 47 IPv6 tunnel interface information (Continued) This field... Displays... Tunnel source The tunnel source can be one of the following: • An IPv4 address • The IPv4 address associated with an interface or port. Tunnel destination The tunnel destination can be an IPv4 address.
Configuring IP parameters Configuring Domain Name Server (DNS) resolver The DNS resolver lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a device and thereby recognize all hosts within that domain. After you define a domain name, the device automatically appends the appropriate domain to the host and forwards it to the domain name server.
Configuring IP parameters Use the no form of the command to remove a domain name from the domain-list. Displaying the domain name list To determine what domain names have been configured in the domain list, enter the following command. BigIron RX(config)#show ip dns domain-list Total number of entries : 3 Primary Domain Name: Domain Name List:...
Configuring IP parameters Static cache entries You can manually add entries to the DNS cache table if you know a host’s complete, qualified name and its IP address. To add host names and their IP addresses to the DNS cache table, enter commands such as the following.
Configuring IP parameters TABLE 48 The show ip dns cache-table output This field... Displays... Host The complete, qualified domain name of the host. Flag Indicates if the entry is dynamic or static and if the information for the domain is up to date: •...
Configuring IP parameters Syntax: show ip dns server-list Debugging the DNS feature To debug the DNS feature, enter the following command.
BigIron RX#debug ip dns
IP: dns debugging is on
Syntax: debug ip dns Using a DNS name to initiate a trace route Suppose you want to trace the route from a device to a remote server identified as NYC02 on domain newyork.com.
Configuring packet parameters
Type Control-c to abort
Sending DNS Query to 209.157.22.199
Tracing Route to IP node 209.157.22.80
To ABORT Trace Route, Please use stop-traceroute command.
Traced route to target IP node 209.157.22.80:
IP Address       Round Trip Time1   Round Trip Time2
207.95.6.30      93 msec            121 msec...
Configuring packet parameters The control portions of these packets differ slightly. All IP devices on an Ethernet network must use the same format. The device uses Ethernet II by default. You can change the IP encapsulation to Ethernet SNAP on individual ports if needed. NOTE All devices connected to the device port must use the same encapsulation type.
Configuring packet parameters To configure the untagged max-frame-size on a VLAN, enter a command such as the following at the Interface Configuration level.
BigIron RX(config-vlan-20)#
BigIron RX(config-vlan-20)#max-frame-size 5000
Please reload system!
BigIron RX(config-vlan-20)#
Syntax: max-frame-size <bytes> The <bytes> variable specifies the maximum frame size for each port that is connected to the same PPCR, as described in Table 49.
Changing the router ID Globally changing the IP MTU To globally enable jumbo support on all ports, enter commands such as the following. BigIron RX(config)# ip mtu 5000 BigIron RX(config)# write memory Syntax: [no] ip mtu <bytes> The <bytes> parameter specifies the maximum number of bytes an Ethernet frame can have in order to be forwarded on a port.
Specifying a single source interface for Telnet, TACACS, TACACS+, or RADIUS packets NOTE If you change the router ID, all current BGP4 sessions are cleared. By default, the router ID on a device is one of the following: • If the router has loopback interfaces, the default router ID is the IP address configured on the lowest numbered loopback interface configured on the device.
Specifying a single source interface for Telnet, TACACS, TACACS+, or RADIUS packets • If you specify a loopback interface as the single source for Telnet, TACACS, TACACS+, or RADIUS packets, servers can receive the packets regardless of the states of individual links. Thus, if a link to the server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
Configuring an interface as the source for Syslog packets RADIUS packets To specify the lowest-numbered IP address configured on a virtual interface as the device’s source for all RADIUS packets, enter commands such as the following.
BigIron RX(config)# int ve 1
BigIron RX(config-vif-1)# ip address 10.0.0.3/24
BigIron RX(config-vif-1)# exit
BigIron RX(config)# ip radius source-interface ve 1...
Configuring an interface as the source for Syslog packets IP fragmentation protection Beginning with this release, IP packet filters on the device switches will drop undersized fragments and overlapping packet fragments to prevent tiny fragment attacks as explained in RFC 1858. When packets are fragmented on the network, the first fragment of a packet must be large enough to contain all the necessary header information.
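The passage above describes two RFC 1858 checks: a first fragment that is too small to carry the whole transport header, and a fragment whose offset lets it overwrite header bytes of an earlier fragment. The Python below is an added illustration of those checks, not code from the guide or from Brocade; the packet builder, the 16-byte TMIN threshold (the value RFC 1858 suggests for TCP) and the overlap tracker are assumptions made for the example, and all packets are constructed inline.

```python
import struct

TCP = 6
TMIN = 16  # assumed: bytes of TCP header a first fragment must carry (RFC 1858 suggests 16)


def build_ipv4(src, dst, proto, ident, frag_off, more_frags, payload):
    """Build a minimal IPv4 packet (no options, zero checksum) for constructed test traffic.
    frag_off is in 8-byte units, as carried on the wire."""
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if more_frags else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, 64,
                      proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def parse_ipv4(pkt):
    """Return the fields the fragment checks need from a raw IPv4 packet."""
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst) = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_frag & 0x2000), "offset": flags_frag & 0x1FFF,
            "payload": pkt[ihl:total_len]}


def check_fragment(pkt):
    """Stateless RFC 1858 checks on one packet. Returns (decision, reason)."""
    f = parse_ipv4(pkt)
    if f["proto"] != TCP or (not f["mf"] and f["offset"] == 0):
        return ("accept", "not a TCP fragment")
    # Tiny-fragment rule: a first fragment must carry the transport header.
    if f["offset"] == 0 and len(f["payload"]) < TMIN:
        return ("drop", "tiny first fragment")
    # Overlap rule: offset 1 (byte 8) would let this fragment rewrite the TCP flags.
    if f["offset"] == 1:
        return ("drop", "fragment offset 1 would overwrite TCP flags")
    return ("accept", "ok")


class OverlapTracker:
    """Stateful generalisation (assumed design): remember the byte ranges seen per
    datagram and drop any fragment that overlaps data already received."""

    def __init__(self):
        self.seen = {}

    def check(self, pkt):
        f = parse_ipv4(pkt)
        key = (f["src"], f["dst"], f["id"], f["proto"])
        start = f["offset"] * 8
        end = start + len(f["payload"])
        ranges = self.seen.setdefault(key, [])
        for s, e in ranges:
            if start < e and s < end:
                return ("drop", "overlapping fragment")
        ranges.append((start, end))
        if not f["mf"]:            # last fragment: datagram complete, forget it
            self.seen.pop(key, None)
        return ("accept", "ok")


def demo():
    """Constructed fragments exercising each rule."""
    good = build_ipv4("10.0.0.1", "10.0.0.2", TCP, 1, 0, True, b"\x00" * 24)
    tiny = build_ipv4("10.0.0.1", "10.0.0.2", TCP, 2, 0, True, b"\x00" * 8)
    off1 = build_ipv4("10.0.0.1", "10.0.0.2", TCP, 3, 1, True, b"\x00" * 8)
    whole = build_ipv4("10.0.0.1", "10.0.0.2", TCP, 4, 0, False, b"\x00" * 8)
    tracker = OverlapTracker()
    first = tracker.check(good)
    overlap = tracker.check(build_ipv4("10.0.0.1", "10.0.0.2", TCP, 1, 2, True, b"\x00" * 8))
    return {"good": check_fragment(good), "tiny": check_fragment(tiny),
            "off1": check_fragment(off1), "whole": check_fragment(whole),
            "first": first, "overlap": overlap}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8} {result[0]:6} {result[1]}")
```

The stateless rules are what a packet filter can apply per packet; the overlap tracker needs per-datagram state and is how a reassembling device would catch overlaps that do not start at offset 1.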
Configuring ARP parameters Displaying IP receive access list To determine if IP receive access list has been configured on the device, enter the following command.
BigIron RX# show access-list bindings
L4 configuration:
ip receive access-list 101
Configuring ARP parameters Address Resolution Protocol (ARP) is a standard IP protocol that enables the device to obtain the MAC address of another device’s interface when the device knows the IP address of the interface.
Configuring ARP parameters • If the ARP cache does not contain an entry for the destination IP address, the device broadcasts an ARP request out all its IP interfaces. The ARP request contains the IP address of the destination. If the device with the IP address is directly attached to the device, the device sends an ARP response containing its MAC address.
Configuring ARP parameters Applying a rate limit to ARP packets on an interface To prevent the CPU from becoming flooded by ARP packets in a busy network, you can restrict the number of ARP packets an interface will accept each second. When ARP rate limit is configured on an interface, the interface will accept up to the maximum number of packets you specify, but drops additional ARP packets received during the one-second interval.
Configuring ARP parameters
LP-1#show ip traffic arp
ARP Statistics
1400 total recv, 1400 req recv, 0 req sent
0 pending drop, 0 invalid source, 0 invalid dest
ARP Rate Limiting Statistics
Interface     Received   Processed   Dropped(Rate-limted)
ethernet1/1   184200     183500
ethernet1/2
ethernet1/3
ethernet1/4   184200     183500...
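The rate limit described above accepts up to a configured number of ARP packets per interface in each one-second interval and drops the rest until the next interval begins. The following Python simulation is an added example, not code from the guide or from Brocade; it models that behaviour with constructed arrival times and renders per-interface counters in the style of the ARP Rate Limiting Statistics table above. The class and function names are assumptions made for the example.

```python
from collections import defaultdict


class ArpRateLimiter:
    """Per-interface limiter: accept up to max_pps ARP packets in each one-second
    interval, drop the remainder of that interval (assumed model of the feature)."""

    def __init__(self, max_pps):
        self.max_pps = max_pps
        self.counts = defaultdict(lambda: {"received": 0, "processed": 0, "dropped": 0})
        self.window = {}  # interface -> (second, packets accepted in that second)

    def offer(self, interface, ts):
        """Offer one ARP packet arriving on interface at time ts (seconds).
        Returns True if the packet is processed, False if it is rate-limited."""
        stats = self.counts[interface]
        stats["received"] += 1
        sec = int(ts)
        w_sec, n = self.window.get(interface, (sec, 0))
        if w_sec != sec:             # new one-second interval: counter restarts
            w_sec, n = sec, 0
        if n < self.max_pps:
            self.window[interface] = (w_sec, n + 1)
            stats["processed"] += 1
            return True
        self.window[interface] = (w_sec, n)
        stats["dropped"] += 1
        return False

    def report(self):
        """Render counters like the ARP Rate Limiting Statistics table."""
        lines = ["Interface     Received   Processed   Dropped(Rate-limited)"]
        for iface in sorted(self.counts):
            s = self.counts[iface]
            lines.append(f"{iface:<13} {s['received']:>8} {s['processed']:>11} {s['dropped']:>21}")
        return "\n".join(lines)


def run_sample(max_pps=5):
    """Constructed traffic: a burst of 8 ARP packets on ethernet1/1 inside second 0,
    3 more in second 1, and 2 on ethernet1/2 (limited independently)."""
    lim = ArpRateLimiter(max_pps)
    for i in range(8):
        lim.offer("ethernet1/1", 0.1 * i)
    for i in range(3):
        lim.offer("ethernet1/1", 1.0 + 0.1 * i)
    for i in range(2):
        lim.offer("ethernet1/2", 0.1 * i)
    return {iface: dict(s) for iface, s in lim.counts.items()}, lim.report()


if __name__ == "__main__":
    counts, table = run_sample()
    print(table)
```

With the sample limit of 5 packets per second, the burst on ethernet1/1 yields 11 received, 8 processed and 3 dropped, while ethernet1/2 is unaffected because the limit is per interface.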
Configuring ARP parameters Enabling proxy ARP Proxy ARP allows the device to answer ARP requests from devices on one network on behalf of devices in another network. Since ARP requests are MAC-layer broadcasts, they reach only the devices that are directly connected to the sender of the ARP request. Thus, ARP requests do not cross routers.
Configuring ARP parameters The <mac-addr> parameter specifies the MAC address of the entry. The ethernet <slot/port> command specifies the port number attached to the device that has the MAC address of the entry. The arp command allows you to specify only one port number. To create a static ARP entry for a static MAC entry that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static MAC entry.
Configuring ARP parameters When an ARP entry is deleted from the ARP Inspection table, the corresponding entry in the static ARP table is also deleted. To create a floating static ARP entry for a static MAC entry, enter a command such as the following.
BigIron RX(config)# arp 192.53.4.2 1245.7654.2348
The command adds a floating static ARP entry that maps IP address 192.53.4.2 to MAC address 1245.7654.2348.
Configuring forwarding parameters Displaying the routes waiting for the next hop ARP to resolve Use the following command to display which routes are waiting for the next-hop ARP to be resolved.
BigIron RX# show ip static route
IP Static Routing Table - 2 entries:
Type Codes: '*' - Installed, '+' - Waiting for ARP resolution
IP Prefix   Next Hop...
Configuring forwarding parameters To modify the TTL threshold to 25, enter the following commands. BigIron RX(config)# ip ttl 25 Syntax: ip ttl <1-255> Enabling forwarding of directed broadcasts A directed broadcast is an IP broadcast to all devices within a single directly-attached network or subnet.
Configuring forwarding parameters • Loose source routing – requires that the packet pass through all of the listed routers but also allows the packet to travel through other routers, which are not listed in the packet. The device forwards both types of source-routed packets by default. You cannot enable or disable strict or loose source routing separately.
Configuring forwarding parameters • Destination Unreachable messages – If the device receives an IP packet that it cannot deliver to its destination, the device discards the packet and sends a message back to the device that sent the packet. The message informs the device that the destination cannot be reached by the device.
Configuring forwarding parameters Syntax: [no] ip icmp unreachable [network | host | protocol | administration | fragmentation-needed | port | source-route-fail] • If you enter the command without specifying a message type (as in the example above), all types of ICMP Unreachable messages listed above are disabled. If you want to disable only specific types of ICMP Unreachable messages, you can specify the message type.
Configuring forwarding parameters
BigIron RX(config)# int e 3/11
BigIron RX(config-if-e100-3/11)# no ip redirect
Syntax: [no] ip redirect Configuring static routes The IP route table can receive routes from the following sources: • Directly-connected networks – When you add an IP interface, the device automatically creates a route for the network the interface is in.
Configuring forwarding parameters • A “null” interface. The device drops traffic forwarded to the null interface. The following parameters are optional: • The route’s metric – The value the device uses when comparing this route to other routes in the IP route table to the same destination. The metric applies only to routes that the device has already placed in the IP route table.
Configuring forwarding parameters FIGURE 10 Example of a static route [figure: Router A and Router B; addresses shown: 207.95.6.157/24, 207.95.6.188/24, 207.95.7.7/24, e 1/2, 207.95.7.69/24] The following command configures a static route to 207.95.7.0, using 207.95.6.157 as the next-hop gateway.
BigIron RX(config)# ip route 207.95.7.0/24 207.95.6.157
When you configure a static IP route, you specify the destination address for the route and the next-hop gateway or device interface through which the device can reach the route.
Configuring forwarding parameters The <dest-ip-addr> is the route’s destination. The <dest-mask> is the network mask for the route’s destination IP address. Alternatively, you can specify the network mask information by entering / followed by the number of bits in the network mask. For example, you can enter 192.0.0.0 255.255.255.0 as 192.0.0.0/24.
Configuring forwarding parameters To display the maximum value for your device, enter the show default values command. The maximum number of static IP routes the system can hold is listed in the ip-static-route row in the System Parameters section of the display. To change the maximum value, use the system-max ip-static-route <num>...
Configuring forwarding parameters To add a tag value to a static route, enter commands such as the following: BigIron RX(config)#ip route 192.122.12.1 255.255.255.0 192.122.1.1 tag 20 Syntax: ip route <dest-ip-addr> <dest-mask> | <dest-ip-addr>/<dest-mask> <next-hop-ip-address> tag <value> The <dest-ip-addr> is the route’s destination. The <dest-mask> is the network mask for the route’s destination IP address.
Configuring forwarding parameters The following commands configure static IP routes to the same destination, but with different metrics. The route with the lowest metric is used by default. The other routes are backups in case the first route becomes unavailable. The device uses the route with the lowest metric if the route is available.
Configuring forwarding parameters FIGURE 11 Standard and null static routes to the same destination network [figure: Router A 192.168.6.188/24; Router B 192.168.6.157/24 and 192.168.7.7/24] Two static routes to 192.168.7.0/24:
-- Standard static route through gateway 192.168.6.157, with metric 1
-- Null route, with metric 2
When standard static route is good, Router A uses that...
Configuring forwarding parameters FIGURE 12 Standard and interface routes to the same destination network [figure: Router A 192.168.6.188/24, Port1/1 192.168.6.69/24, 192.168.8.12/24] Two static routes to 192.168.7.0/24:
-- Interface-based route through port1/1, with metric 1.
-- Standard static route through gateway 192.168.8.11, with metric 3.
When route through interface 1/1 is available, Router A always...
Configuring forwarding parameters Configuring a default network route The device enables you to specify a candidate default route without the need to specify the next hop gateway. If the IP route table does not contain an explicit default route (for example, 0.0.0.0/0) or propagate an explicit default route through routing protocols, the software can use the default network route as a default route instead.
Configuring forwarding parameters
BigIron RX(config)# show ip route
Total number of IP routes: 2
Start index: 1 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
Destination    Gateway   Port   Cost   Type
209.157.20.0   0.0.0.0
209.157.22.0   0.0.0.0   4/11
This example shows two routes. Both of the routes are directly attached, as indicated in the Type column.
Configuring forwarding parameters Administrative distance The administrative distance is a unique value associated with each type (source) of IP route. Each path has an administrative distance. It is used when evaluating multiple equal-cost paths to the same destination from different sources, such as RIP, OSPF and so on, but not used when performing IP load sharing.
Configuring forwarding parameters • OSPF – The Path Cost associated with the path. The paths can come from any combination of inter-area, intra-area, and external Link State Advertisements (LSAs). • BGP4 – The path’s Multi-Exit Discriminator (MED) value. NOTE If the path is redistributed between two or more of the above sources before entering the IP route table, the cost can increase during the redistribution due to settings in redistribution filters.
Configuring forwarding parameters Changing the maximum number of load sharing paths By default, IP load sharing allows IP traffic to be balanced across up to four equal-cost paths. You can change the maximum number of paths that the device supports to a value of 2 – 8. For optimal results, set the maximum number of paths to a value equal to or greater than the maximum number of equal-cost paths that your network typically contains.
Configuring forwarding parameters Displaying the ECMP load sharing Use the show run command to display the ECMP load sharing.
BigIron RX(config)#show run
========show run =====================
logging console
hostname RW
ip route 0.0.0.0/0 100.1.1.2
ip route 0.0.0.0/0 100.1.2.2
ip route 0.0.0.0/0 100.1.3.2
ip route 0.0.0.0/0 100.1.4.2
ip route 10.0.0.0/8 10.43.2.1
ip route 40.0.0.0/24 100.1.1.2...
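The static-route passages above (routes with different metrics and a null backup, administrative distance between route sources, and the cap on equal-cost load-sharing paths) describe one selection process: longest prefix first, then lowest administrative distance, then lowest metric, with ties shared across at most the configured number of paths. The Python below is an added example of that process, not the device's forwarding code; the RouteTable class, the assumed administrative-distance values (the guide gives none here), and the sample routes (taken from the show run output above plus the two-route example of Figure 11) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed administrative distances (lower wins). The guide does not list the
# platform's values; these are placeholders for the example.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "bgp": 20, "ospf": 110, "rip": 120}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # gateway IP, interface name, or "null" to drop traffic
    source: str            # key into ADMIN_DISTANCE
    metric: int = 1
    available: bool = True


class RouteTable:
    """Minimal IP route table with ECMP limited to max_paths next hops."""

    def __init__(self, max_paths=4):
        self.max_paths = max_paths
        self.routes = []

    def add(self, prefix, next_hop, source="static", metric=1):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, source, metric))

    def set_available(self, next_hop, up):
        """Mark every route through next_hop as usable or not (e.g. gateway ARP failed)."""
        for r in self.routes:
            if r.next_hop == next_hop:
                r.available = up

    def lookup(self, dst):
        """Return the next hops used for dst: longest prefix, then lowest admin
        distance, then lowest metric; equal survivors are load-shared up to max_paths."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if r.available and addr in r.prefix]
        if not cands:
            return []
        longest = max(r.prefix.prefixlen for r in cands)
        cands = [r for r in cands if r.prefix.prefixlen == longest]
        cands.sort(key=lambda r: (ADMIN_DISTANCE[r.source], r.metric))
        best = cands[0]
        equal = [r for r in cands
                 if ADMIN_DISTANCE[r.source] == ADMIN_DISTANCE[best.source]
                 and r.metric == best.metric]
        return [r.next_hop for r in equal[:self.max_paths]]


def build_sample(max_paths=4):
    """Constructed table: four ECMP default routes and the 10.0.0.0/8 route from the
    show run output, plus the standard/null pair of Figure 11."""
    t = RouteTable(max_paths)
    for gw in ("100.1.1.2", "100.1.2.2", "100.1.3.2", "100.1.4.2"):
        t.add("0.0.0.0/0", gw)
    t.add("10.0.0.0/8", "10.43.2.1")
    t.add("192.168.7.0/24", "192.168.6.157", metric=1)
    t.add("192.168.7.0/24", "null", metric=2)
    return t


if __name__ == "__main__":
    t = build_sample()
    print("192.168.7.7 ->", t.lookup("192.168.7.7"))
    t.set_available("192.168.6.157", False)
    print("192.168.7.7 (gateway down) ->", t.lookup("192.168.7.7"))
    print("8.8.8.8 ->", t.lookup("8.8.8.8"))
```

When the gateway 192.168.6.157 is unavailable the metric-2 null route takes over and traffic for 192.168.7.0/24 is dropped rather than following the default route, which is the behaviour Figure 11 illustrates; a lower max_paths value trims the four default-route next hops to that count.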
Configuring forwarding parameters BigIron RX(config)# ip receive access-list 10 Syntax: [no] ip receive access-list <num> Specify an access list number for <num>. The IP receive ACL is applied globally to all interfaces on the device. Displaying IP receive access list To determine if IP receive access list has been configured on the device, enter the following command.
Configuring forwarding parameters • Hold time – Each Router Advertisement message contains a hold time value. This value specifies the maximum amount of time the host should consider an advertisement to be valid until a newer advertisement arrives. When a new advertisement arrives, the hold time is reset. The hold time is always longer than the maximum advertisement interval.
Configuring forwarding parameters The maxadvertinterval parameter specifies the maximum amount of time the device waits between sending Router Advertisements. You can specify a value from 1 to the current value of the holdtime parameter. The default is 600 seconds. The minadvertinterval parameter specifies the minimum amount of time the device can wait between sending Router Advertisements.
Configuring forwarding parameters NOTE As shown above, forwarding support for BootP/DHCP is enabled by default. If you are configuring the device to forward BootP/DHCP requests, refer to “Configuring BootP/DHCP forwarding parameters” on page 216. You can enable forwarding for other applications by specifying the application port number. You also can disable forwarding for an application.
Configuring forwarding parameters • tftp (port 69) In addition, you can specify any UDP application by using the application’s UDP port number. The <udp-port-num> parameter specifies the UDP application port number. If the application you want to enable is not listed above, enter the application port number. You also can list the port number for any of the applications listed above.
Configuring forwarding parameters You can configure the device to forward BootP/DHCP requests. To do so, configure a helper address on the interface that receives the client requests, and specify the BootP/DHCP server’s IP address as the address you are helping the BootP/DHCP requests to reach. Instead of the server’s IP address, you can specify the subnet directed broadcast address of the IP subnet the server is in.
Displaying IP information
BigIron RX(config)# int e 1/1
BigIron RX(config-if-e1000-1/1)# ip bootp-gateway 109.157.22.26
These commands change the CLI to the configuration level for port 1/1, then change the BootP/DHCP stamp address for requests received on port 1/1 to 192.157.22.26. The device will place this IP address in the Gateway Address field of BootP/DHCP requests that the device receives on port 1/1 and forwards to the BootP/DHCP server.
Displaying IP information • OSPF information – refer to “Displaying OSPF information” on page 712. • BGP4 information – refer to “Displaying BGP4 information” on page 814. • DVMRP information – refer to “Displaying information about an upstream neighbor device” page 647 •...
Displaying IP information TABLE 51 CLI display of global IP configuration information (Continued) This field... Displays... bootp-relay-max-hops The maximum number of hops away a BootP server can be located from the Brocade router and still be used by the router’s clients for network booting. To change this value, refer to “Changing the maximum number of hops to a BootP relay server”...
Displaying IP information TABLE 51 CLI display of global IP configuration information (Continued) This field... Displays... Port The Layer 4 TCP or UDP port the policy checks for in packets. The port can be displayed by its number or, for port types the router recognizes, by the well-known name.
Displaying IP information
BigIron RX# show ip interface ethernet 1/1
Interface Ethernet 1/1
port state: UP
ip address: 192.168.9.51
subnet mask: 255.255.255.0
encapsulation: ETHERNET, mtu: 1500, metric: 1
directed-broadcast-forwarding: disabled
proxy-arp: disabled
ip arp-age: 10 minutes
Ip Flow switching is disabled
No Helper Addresses are configured.
Displaying IP information
BigIron RX# show arp
Total number of ARP entries: 5
IP Address     MAC Address      Type      Port
207.95.6.102   0800.5afc.ea21   Dynamic
207.95.6.18    00a0.24d2.04ed   Dynamic
207.95.6.54    00a0.24ab.cd2b   Dynamic
207.95.6.101   0800.207c.a7fa   Dynamic
207.95.6.211   00c0.2638.ac9c   Dynamic
Syntax: show arp [ethernet <slot/port> | mac-address <xxxx.xxxx.xxxx> [<mask>] | <ip-addr> [<ip-mask>]] [<num>] [| begin <expression>...
Displaying IP information TABLE 53 CLI display of ARP cache (Continued) This field... Displays... The number of minutes the entry has remained unused. If this value reaches the ARP aging period, the entry is removed from the table. To display the ARP aging period, refer to “Displaying global IP configuration information”...
Displaying IP information
BigIron RX> show ip cache
Cache Entry Usage on LPs:
Module   Host   Network   Free     Total
                          204788   204800
Syntax: show ip cache [<ip-addr>] [| begin <expression> | exclude <expression> | include <expression>] The <ip-addr> parameter displays the cache entry for the specified IP address. The show ip cache command shows the forwarding cache usage on each interface module CPU.
Displaying IP information TABLE 55 CLI display of IP forwarding cache (Continued) This field... Displays... Type The type of host entry, which can be one or more of the following: • D – Dynamic • P – Permanent • F – Forward •...
Displaying IP information The <num> option displays the route table entry whose row number corresponds to the number you specify. For example, to display the tenth row in the table, enter “10”. The <ip-addr> parameter displays the route to the specified IP address. The <ip-mask>...
Displaying IP information
BigIron RX(config)# show ip route 209.159.0.0/16 longer
Starting index: 1 B:BGP D:Directly-Connected R:RIP S:Static O:OSPF
   Destination    NetMask         Gateway        Port   Cost   Type
52 209.159.38.0   255.255.255.0   207.95.6.101   1/1    1      S
53 209.159.39.0   255.255.255.0   207.95.6.101   1/1    1      S
54 209.159.40.0   255.255.255.0   207.95.6.101   1/1    1      S
55 209.159.41.0   255.255.255.0   207.95.6.101   1/1    1      S
56 209.159.42.0   255.255.255.0   207.95.6.101   1/1    1      S
57 209.159.43.0   255.255.255.0   207.95.6.101   1/1    1      S...
Displaying IP information TABLE 56 CLI display of IP route table (Continued) This field... Displays... Type The route type, which can be one of the following: • B – The route was learned from BGP. • D – The destination is directly connected to this device. •...
Displaying IP information
BigIron RX> sh ip traffic
IP Statistics
146806 total received, 72952 mp received, 6715542 sent, 0 forwarded
0 filtered, 0 fragmented, 0 bad header
0 failed reassembly, 0 reassembled, 0 reassembly required
0 no route, 0 unknown proto, 0 no buffer, 0 other errors, 0 rpf discard
ARP Statistics
19022 total recv, 35761 req recv, 475 rep recv, 2803975 req sent, 1885 rep sent...
Displaying IP information TABLE 57 CLI display of IP traffic statistics (Continued) This field... Displays... ICMP statistics The ICMP statistics are derived from RFC 792, “Internet Control Message Protocol”, RFC 950, “Internet Standard Subnetting Procedure”, and RFC 1256, “ICMP Router Discovery Messages”. Statistics are organized into Sent and Received.
Displaying IP information TABLE 57 CLI display of IP traffic statistics (Continued) This field... Displays... input errors This information is used by Brocade customer support. in segments The number of TCP segments received by the device. out segments The number of TCP segments sent by the device. retransmission The number of segments that this device retransmitted because the retransmission timer for the segment had expired before the device at the...
Displaying IP information This field... Displays... active opens Number of TCP connection requests from the local router, resulting in outbound TCP SYN packets. passive opens Number of TCP connection requests from remote routers or hosts, resulting in outbound TCP SYN-ACK packets. failed attempts Number of unsuccessful TCP connection requests from either local or remote active resets,...
Displaying IP information BigIron RX Series Configuration Guide 53-1001986-01...
Chapter Link Aggregation Link aggregation overview This chapter describes how to configure Link Aggregation Groups (LAG). Beginning with release 02.6.00 of the Multi-Service IronWare software, you can use a single interface to configure any of the following LAG types: • Static LAGs –...
LAG formation rules • Any number or combination of ports between 1 and 8 within the same chassis can be used to configure a LAG. The maximum number of LAG ports is checked when adding ports to a LAG. • All ports configured in a LAG must be of equal bandwidth.
LAG formation rules To change port parameters, you must change them on the primary port. The software automatically applies the changes to the other ports in the LAG. • Make sure the device on the other end of the trunk link can support the same number of ports in the link.
Migration from a pre-02.6.00 trunk or LACP configuration • IPv4 TCP packets: source MAC address and destination MAC address, source IP address and destination IP address, and TCP source port and TCP destination port. • IPv4 UDP packets: source MAC address and destination MAC address, source IP address and destination IP address, and UDP source port and UDP destination port.
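The list above names the packet fields that feed the LAG load-balancing hash: the MAC pair for every frame, the IP pair for IPv4, and the L4 port pair for TCP and UDP. The Python below is an added example showing how such a field-based hash pins a flow to one member port while spreading different flows across the LAG; it is not Brocade's hashing algorithm (the real hash function and field widths are not given on the page). The Flow class, the SHA-256-based selector and the MAC-only fallback for non-IP frames are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None      # "tcp", "udp" or None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def hash_fields(flow):
    """Fields fed to the hash, following the page's list: MACs for every frame,
    IPs for IPv4, and the L4 ports for TCP/UDP. Assumed: non-IP frames use MACs only."""
    fields = [flow.src_mac, flow.dst_mac]
    if flow.src_ip and flow.dst_ip:
        fields += [flow.src_ip, flow.dst_ip]
        if flow.proto in ("tcp", "udp"):
            fields += [flow.proto, str(flow.src_port), str(flow.dst_port)]
    return fields


def select_member(flow, member_ports):
    """Pick one LAG member for a flow. Same fields -> same port, so a flow never
    reorders across members; the hash here is an illustrative stand-in."""
    digest = hashlib.sha256("|".join(hash_fields(flow)).encode()).digest()
    return member_ports[int.from_bytes(digest[:4], "big") % len(member_ports)]


def distribution(member_ports, n_flows=1000):
    """Constructed workload: n_flows TCP flows between two hosts that differ only in
    source port, counted per member port."""
    counts = {p: 0 for p in member_ports}
    for sport in range(10000, 10000 + n_flows):
        f = Flow("0000.1111.2222", "0000.3333.4444", "10.1.1.10", "10.2.2.20",
                 "tcp", sport, 443)
        counts[select_member(f, member_ports)] += 1
    return counts


if __name__ == "__main__":
    print(distribution(["1/1", "1/2", "1/3", "1/4"]))
```

Because the L4 ports are part of the hash, many connections between the same two hosts still spread over all members, whereas a non-IP frame between those hosts always lands on one member regardless of its payload.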
Configuration of a LAG If the original mode is passive, the converted dynamic LAG will be configured as deploy passive. Otherwise active mode is the default. d. The timeout configuration set by the command link-aggregate configure timeout will be converted to the lacp-timeout command. e.
Page 313
Configuration of a LAG Syntax: [no] lag <lag-name> static | dynamic | keep-alive Refer to “Allowable characters for LAG names” on page 13 for guidelines on LAG naming conventions. The static option specifies that the LAG with the name specified by the <lag-name> variable will be configured as a static LAG.
Page 314
Configuration of a LAG Syntax: [no] primary port <slot/port> Once a primary port has been configured for a LAG, all configurations that apply to the primary port are applied to the other ports in the LAG. NOTE This configuration is only applicable to static or dynamic LAGs. Specifying the trunk threshold for a trunk group You can configure the BigIron RX switch to disable all of the ports in a trunk group when the number of active member ports drops below a specified threshold value.
Deploying a LAG Configuring an LACP timeout In a dynamic or keep-alive LAG, a port's timeout can be configured as short or long. Once a port is configured with a timeout option, it will remain in that timeout mode whether it's up or down, or part of a trunk or not.
Deploying a LAG If the no deploy command is issued and more than one LAG port is not disabled, the command is aborted and the following error message is displayed: “Error 2 or more ports in the LAG are not disabled, un-deploy this LAG may form a loop - aborted.”...
Deploying a LAG Use the named option with the appropriate [slot/port] variable to specify a named port within the LAG that you want to disable. Enabling ports within a LAG You can enable an individual port within a trunk using the enable command within the LAG configuration as shown in the following.
Deploying a LAG Assigning a name to a port within a LAG You can assign a name to an individual port within a LAG using the port-name command within the LAG configuration as shown in the following. BigIron RX(config)# lag blue static BigIron RX(config-lag-blue)# deploy BigIron RX(config-lag-blue)# port-name orange ethernet 3/1 Syntax: [no] port-name <text>...
Deploying a LAG Displaying LAG information You can display LAG information for a BigIron RX switch in either a full or brief mode. The examples below show both options of the show lag command. BigIron RX# show lag brief Total number of LAGs: Total number of deployed LAGs: 3 Total number of trunks created:3 (31 available) LACP System Priority / ID:...
Page 320
Deploying a LAG Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope] Syntax: show lag <lag-name> [brief] [deployed] [dynamic] [keep-alive] [static] Table 58 describes the information displayed by the show lag command. TABLE 58 Show LAG information This field... Displays... Total number of LAGS The total number of LAGs that have been configured on the switch.
Page 321
Deploying a LAG TABLE 58 Show LAG information (Continued) This field... Displays... Dupl The duplex state of the port, which can be one of the following: • Full • Half • None Speed The bandwidth of the interface. Trunk The Trunk ID of the port. Indicates whether the ports have 802.1q VLAN tagging.
Deploying a LAG TABLE 58 Show LAG information (Continued) This field... Displays... Indicates the synchronization state of the port. The state can be one of the following: • No – The port is out of sync with the remote port. The port does not understand the status of the LACPDU process and is not prepared to enter a trunk link.
Page 323
Deploying a LAG BigIron RX# show statistics brief lag Packets Collisions Errors [Receive Transmit] [Recv Txmit] [InErr OutErr] LAG d1 1173 1018 LAG e 1268 1277 BigIron RX# show statistics lag LAG d1 Counters: InOctets 127986 OutOctets 107753 InPkts 1149 OutPkts InBroadcastPkts OutBroadcastPkts...
Page 324
Chapter Configuring LLDP Terms used in this chapter Link Layer Discovery Protocol (LLDP) – The Layer 2 network discovery protocol described in the IEEE 802.1AB standard, Station and Media Access Control Connectivity Discovery. This protocol enables a station to advertise its capabilities to, and to discover, other LLDP-enabled stations in the same 802 LAN segments.
LLDP overview FIGURE 16 LLDP Connectivity (figure: switches, an IP PBX, an IP phone and a PC exchanging port and device information over LLDP, each advertising what it is, for example “I’m a switch” or “I’m an IP Phone”) Benefits of LLDP LLDP provides the following benefits:...
General operating principles General operating principles LLDP uses the services of the Data Link sublayers, Logical Link Control and Media Access Control, to transmit and receive information to and from other LLDP Agents (protocol entities that implement LLDP). LLDP is a one-way protocol. An LLDP agent can transmit and receive information to and from another LLDP agent located on an adjacent device, but it cannot solicit information from another LLDP agent, nor can it acknowledge information received from another LLDP agent.
General operating principles FIGURE 17 LLDPDU packet format (figure: Chassis ID TLV, Port ID TLV, Time to Live TLV, optional TLVs, End of LLDPDU TLV; M = mandatory TLV, required for all LLDPDUs) Each LLDPDU consists of an untagged Ethernet header and a sequence of short, variable length information elements known as TLVs.
Page 329
General operating principles • 802.1 organizationally-specific TLVs Port VLAN ID VLAN name TLV • 802.3 organizationally-specific TLVs MAC/PHY configuration/status Link aggregation Maximum frame size Mandatory TLVs When an LLDP agent transmits LLDP packets to other agents in the same 802 LAN segments, the following mandatory TLVs are always included: •...
Page 330
General operating principles There are several ways in which a port may be identified, as shown in Table 60. A port ID subtype, included in the TLV, indicates how the port is being referenced in the Port ID field. TABLE 60 Port ID subtypes ID Subtype Description...
MIB support • If the TTL field value is zero, the receiving LLDP agent is notified that all system information associated with the LLDP agent or port is to be deleted. This TLV may be used, for example, to signal that the sending port has initiated a port shutdown procedure. The LLDPDU format is shown in “LLDPDU packet format”...
Configuring LLDP TABLE 61 LLDP global configuration tasks and default behavior / value (Continued) Global task Default behavior / value when LLDP is enabled Enabling and disabling TLV advertisements When LLDP transmit is enabled, by default, the Brocade device will automatically advertise LLDP capabilities, except for the system description, VLAN name, and power-via-MDI information, which may be configured by the system administrator.
Configuring LLDP Changing a port’s LLDP operating mode LLDP packets are not exchanged until LLDP is enabled on a global basis. When LLDP is enabled on a global basis, by default, each port on the Brocade device will be capable of transmitting and receiving LLDP packets.
Configuring LLDP Use the [no] form of the command to disable the receive only mode. You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
Configuring LLDP where <value> is a number between 16 and 65536. The default number of LLDP neighbors per device is 392. Use the show lldp command to view the configuration. Per port You can change the maximum number of LLDP neighbors for which LLDP data will be retained for each port.
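The following is an added example, not Brocade code: a parser for the LLDPDU TLV sequence described under “General operating principles”, plus a small neighbor cache that applies the two rules the text gives for received data (a TTL of zero deletes the sender’s information; a per-port maximum bounds how many neighbors are retained). TLV type and subtype numbers are taken from IEEE 802.1AB; the frame is constructed to resemble the neighbor in the later `show lldp neighbors detail` output, and the per-port cap of 1 is an assumption chosen to show the rejection path.

```python
"""Parse IEEE 802.1AB LLDPDUs and keep a per-port neighbor cache (added example)."""
import struct
import time
from dataclasses import dataclass
from typing import Any, Dict, Tuple

# TLV types from IEEE 802.1AB; Chassis ID, Port ID, TTL and End of LLDPDU are mandatory.
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESCRIPTION, SYSTEM_NAME = 4, 5

# Chassis ID and Port ID subtypes (IEEE 802.1AB-2005); the page's Table 60 lists the latter.
CHASSIS_SUBTYPES = {1: "chassis component", 2: "interface alias", 3: "port component",
                    4: "MAC address", 5: "network address", 6: "interface name",
                    7: "locally assigned"}
PORT_SUBTYPES = {1: "interface alias", 2: "port component", 3: "MAC address",
                 4: "network address", 5: "interface name", 6: "agent circuit ID",
                 7: "locally assigned"}


@dataclass
class Neighbor:
    chassis_id: str
    port_id: str
    ttl: int
    port_description: str = ""
    system_name: str = ""


def _fmt_mac(raw: bytes) -> str:
    """Dotted MAC in the style of the CLI output, e.g. 0800.0f18.cc03."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def _decode_id(subtype: int, value: bytes, names: Dict[int, str]) -> str:
    kind = names.get(subtype, f"subtype {subtype}")
    if kind == "MAC address" and len(value) == 6:
        return f"{kind}: {_fmt_mac(value)}"
    if kind == "network address" and value[:1] == b"\x01" and len(value) == 5:
        return f"{kind}: {'.'.join(str(b) for b in value[1:])}"  # IANA family 1 = IPv4
    return f"{kind}: {value.decode('ascii', 'replace')}"


def parse_lldpdu(pdu: bytes) -> Neighbor:
    """Walk the TLV sequence; raise ValueError on a truncated or incomplete LLDPDU."""
    fields: Dict[str, Any] = {}
    off = 0
    while off + 2 <= len(pdu):
        (hdr,) = struct.unpack("!H", pdu[off:off + 2])
        tlv_type, length = hdr >> 9, hdr & 0x1FF  # 7-bit type, 9-bit length
        value = pdu[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past end of LLDPDU")
        off += 2 + length
        if tlv_type == END_OF_LLDPDU:
            break
        if tlv_type == CHASSIS_ID:
            fields["chassis_id"] = _decode_id(value[0], value[1:], CHASSIS_SUBTYPES)
        elif tlv_type == PORT_ID:
            fields["port_id"] = _decode_id(value[0], value[1:], PORT_SUBTYPES)
        elif tlv_type == TTL:
            fields["ttl"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == PORT_DESCRIPTION:
            fields["port_description"] = value.decode("ascii", "replace")
        elif tlv_type == SYSTEM_NAME:
            fields["system_name"] = value.decode("ascii", "replace")
        # other optional and organizationally specific TLVs are ignored here
    for req in ("chassis_id", "port_id", "ttl"):
        if req not in fields:
            raise ValueError(f"mandatory {req} TLV missing")
    return Neighbor(**fields)


class NeighborTable:
    """Per-port neighbor cache honoring TTL expiry, TTL 0 deletion and a neighbor cap."""

    def __init__(self, max_per_port: int):
        self.max_per_port = max_per_port  # assumed cap; the device default is per config
        self.entries: Dict[Tuple[str, str, str], Tuple[Neighbor, float]] = {}

    def update(self, local_port: str, nb: Neighbor, now: float) -> str:
        key = (local_port, nb.chassis_id, nb.port_id)
        if nb.ttl == 0:  # sender asks the receiver to delete all its information
            return "deleted" if self.entries.pop(key, None) else "absent"
        on_port = sum(1 for k in self.entries if k[0] == local_port)
        if key not in self.entries and on_port >= self.max_per_port:
            return "rejected"  # beyond the maximum neighbors retained for this port
        self.entries[key] = (nb, now + nb.ttl)
        return "stored"

    def expire(self, now: float) -> int:
        dead = [k for k, (_, exp) in self.entries.items() if exp <= now]
        for k in dead:
            del self.entries[k]
        return len(dead)


def tlv(t: int, value: bytes) -> bytes:
    return struct.pack("!H", (t << 9) | len(value)) + value


# Constructed LLDPDU (not a capture) resembling the page's sample neighbor.
SAMPLE_PDU = (tlv(CHASSIS_ID, b"\x05\x01" + bytes([10, 43, 39, 151]))  # network address, IPv4
              + tlv(PORT_ID, b"\x03" + bytes.fromhex("08000f18cc03"))  # MAC address
              + tlv(TTL, struct.pack("!H", 120))
              + tlv(PORT_DESCRIPTION, b"LAN port")
              + tlv(SYSTEM_NAME, b"regDN 1015,MITEL 5235 DM")
              + tlv(END_OF_LLDPDU, b""))
# Same sender announcing shutdown: TTL 0 means "delete what you hold about me".
SHUTDOWN_PDU = (tlv(CHASSIS_ID, b"\x05\x01" + bytes([10, 43, 39, 151]))
                + tlv(PORT_ID, b"\x03" + bytes.fromhex("08000f18cc03"))
                + tlv(TTL, b"\x00\x00") + tlv(END_OF_LLDPDU, b""))

if __name__ == "__main__":
    table = NeighborTable(max_per_port=1)
    print(table.update("1/9", parse_lldpdu(SAMPLE_PDU), time.time()), parse_lldpdu(SAMPLE_PDU))
    print(table.update("1/9", parse_lldpdu(SHUTDOWN_PDU), time.time()))
```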
Configuring LLDP NOTE Because LLDP Syslog messages are rate limited, some LLDP information given by the system will not match the current LLDP statistics (as shown in the show lldp statistics command output). To change the minimum time interval between traps and Syslog messages, enter a command such as the following.
Configuring LLDP The above command causes the LLDP agent to transmit LLDP frames every 40 seconds. Syntax: [no] lldp transmit-interval <seconds> where <seconds> is a value from 5 to 32768. The default is 30 seconds. NOTE Setting the transmit interval or transmit holdtime multiplier to inappropriate values can cause the LLDP agent to transmit LLDPDUs with TTL values that are excessively high.
Configuring LLDP Brocade LLDP TLVs advertised by the device When LLDP is enabled on a global basis, the Brocade device will automatically advertise the following information, except for the features noted: General system information: • Management address • Port description •...
Page 339
Configuring LLDP If no IP address is configured, the port’s current MAC address will be advertised. The management address will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info). Management address (IPv4): 209.157.2.1 Port description The port description TLV identifies the port from which the LLDP agent transmitted the...
Page 340
Configuring LLDP Syntax: [no] lldp advertise system-capabilities ports ethernet <slotnum/portnum> | all You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
Page 341
Configuring LLDP FastIron(config)#no lldp advertise system-name ports e 2/4 to 2/12 The system name will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info). System name: “BigIron RX” Syntax: [no] lldp advertise system-name ports ethernet <slotnum/portnum>...
Page 342
Configuring LLDP The untagged VLAN ID will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info). Port VLAN ID: 99 Syntax: [no] lldp advertise port-vlan-id ports ethernet <slotnum/portnum> | all You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both.
Page 343
Configuring LLDP • Auto-negotiation capability and status • Speed and duplex mode • Flow control capabilities for auto-negotiation • Port speed down-shift and maximum port speed advertisement • If applicable, indicates if the above settings are the result of auto-negotiation during link initiation or of a manual set override action The advertisement reflects the effects of the following CLI commands: •...
Configuring LLDP You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
Configuring LLDP This field... Displays... LLDP reinitialize delay The minimum number of seconds the device will wait from when LLDP is disabled on a port, until a request to re-enable LLDP on that port will be honored. LLDP maximum neighbors The maximum number of LLDP neighbors for which LLDP data will be retained, per device.
Configuring LLDP This field... Displays... Last neighbor change time The elapsed time (in hours, minutes, and seconds) since a neighbor last advertised information. For example, the elapsed time since a neighbor was last added, deleted, or its advertised information changed. Neighbor entries added The number of new LLDP neighbors detected since the last reboot or since the last time the clear lldp statistics all command was issued.
Configuring LLDP This field... Displays... Lcl Port The local LLDP port number. Chassis ID The identifier for the chassis. Brocade devices use the base MAC address of the device as the Chassis ID. Port ID The identifier for the port. Brocade devices use the permanent MAC address associated with the port as the port ID.
Page 348
Configuring LLDP FastIron#show lldp neighbors detail ports e 1/9 Local port: 1/9 Neighbor: 0800.0f18.cc03, TTL 101 seconds + Chassis ID (network address): 10.43.39.151 + Port ID (MAC address): 0800.0f18.cc03 + Time to live: 120 seconds + Port description : "LAN port" + System name : "regDN 1015,MITEL 5235 DM"...
Resetting LLDP statistics LLDP configuration details The show lldp local-info command displays the local information advertisements (TLVs) that will be transmitted by the LLDP agent. NOTE The show lldp local-info output will vary based on LLDP configuration settings. The following shows an example report. BigIron RX#show lldp local-info ports ethernet 4/1 Local port: 4/1 + Chassis ID (MAC address): 000c.dbfa.f900...
Chapter Configuring Uni-Directional Link Detection (UDLD) This chapter describes configuring Uni-Directional Link Detection. Uni-Directional Link Detection (UDLD) monitors a link between two BigIron RX devices and provides a fast detection of link failures. UDLD brings the ports on both ends of the link down if the link goes down at any point between the two devices.
Configuration considerations Configuration considerations • The feature is supported only on Ethernet ports. • To configure UDLD on a trunk group, you must configure the feature on each port of the group individually. Configuring UDLD on a trunk group’s primary port enables the feature on that port only.
Displaying UDLD information When UDLD is enabled on a port, UDLD starts sending keep-alive messages at a preconfigured interval. In the current implementation, if no keep-alive is received from the other end of the link after 3 retries, the port is set to logical link down. With the new design, after UDLD is enabled on a port, UDLD is kept in a newly created suspended state until it receives the first keep-alive message from the other end.
Displaying UDLD information TABLE 62 CLI display of UDLD information This field... Displays... Total link-keepalive enabled ports The total number of ports on which UDLD is enabled. Keepalive Retries The number of times a port will attempt the health check before concluding that the link is down.
Page 355
Displaying UDLD information BigIron RX(config)# show link-keepalive ethernet 4/1 Current State : up Remote MAC Addr : 00e0.52d2.5100 Local Port : 4/1 Remote Port : 2/1 Local System ID : e0927400 Remote System ID : e0d25100 Packets sent : 254 Packets received : 255 Transitions TABLE 63...
Clearing UDLD statistics The show interface ethernet <slot>/<portnum> command also displays the UDLD state for an individual port. In addition, the line protocol state listed in the first line will say “down” if UDLD has brought the port down. Here is an example: BigIron RX(config)# show interface ethernet 1/1 GigabitEthernet2/1 is disabled, line protocol is down, link keepalive is enabled...
Chapter VLANs Overview of Virtual Local Area Networks (VLANs) Virtual Local Area Networks (VLANs) allow you to segment traffic in a network by placing ports and interfaces into separate broadcast domains. Each broadcast domain is uniquely identified by VLAN IDs. These broadcast domains can span multiple devices. The device supports two types of VLANs: port-based VLANs and protocol-based VLANs.
Page 358
Overview of Virtual Local Area Networks (VLANs) FIGURE 21 Packet containing Brocade’s 802.1Q VLAN tag (figure: untagged Ethernet II packet format with Destination Address 6 bytes, Source Address 6 bytes, Type Field 2 bytes, Data Field up to 1500 bytes and a trailing 4 bytes, followed by the tagged format with an additional 4-byte field)...
Overview of Virtual Local Area Networks (VLANs) FIGURE 22 VLANs configured across multiple devices (figure: user-configured port-based VLANs spanning two devices, each with Segment 1 and Segment 2; T = 802.1Q tagged port) Callouts: Tagging is required for the ports on Segment 1 because the ports are in multiple port-based VLANs. Tagging is not required for the ports on Segment 2 because each port is...
VLAN configuration rules If there are ports in a port-based VLAN that you want to exclude from protocol-based VLANs, the protocol-based VLAN can be configured to explicitly exclude those ports. VLAN configuration rules To create any type of VLAN on a device, Layer 2 forwarding must be enabled. When Layer 2 forwarding is enabled, the device becomes a switch on all ports for all non-routable protocols.
Configuring port-based VLANs • A port can belong to multiple, overlapping Layer 2 port-based VLANs only if the port is a tagged port. Packets sent out of a tagged port use an 802.1q-tagged frame. • A port can belong to multiple, unique, overlapping Layer 3 protocol-based VLANs. •...
Configuring port-based VLANs 2. Once an ID is assigned, the CLI directs you to the VLAN configuration level. At this level, you add ports to that VLAN and specify if the ports are tagged or untagged. BigIron RX(config-vlan-2)# untag e 1/9 to 1/16 BigIron RX(config-vlan-2)# tagged e 1/1 to 1/8 The example above configures a port-based VLAN, VLAN 2.
Page 363
Configuring port-based VLANs • If a port's VLAN has byte accounting enabled, you cannot enable rate limiting on that port. Similarly, if a port has rate limiting enabled, you cannot enable VLAN byte accounting on that port's VLAN. • Clearing the rate limiting counters using clear rate-limit counters will also clear VLAN byte-accounting counters.
Configuring port-based VLANs TABLE 64 Maximum # of rate limiting policies and VLANs w/ byte accounting permitted per-PPCR Module type PPCR number Port # Max # of rate limiting policies based on ACLs and VLANs + number of VLANs w/ byte accounting enabled 24 x 1G PPCR 1 1 - 12...
Configuring protocol-based VLANs You must specify a VLAN ID that is not already in use. For example, if VLAN 10 exists, do not use “10” as the new VLAN ID for the default VLAN. Valid VLAN IDs are from 1 – 4089; however, do not use VLANs 4090 –...
Configuring virtual routing interfaces Configuring an MSTP instance An MSTP instance is configured with an MSTP ID for each region. Each region can contain one or more VLANs. To configure an MSTP instance and assign a range of VLANs, use a command such as the following at the Global Configuration level.
Configuring virtual routing interfaces Enter 1 to the maximum number of virtual routing interfaces supported on the device for <ve-number>. Bridging and routing the same protocol simultaneously on the same device Some configurations may require simultaneous switching and routing of the same single protocol across different sets of ports on the same router.
Configuring virtual routing interfaces Integrated Switch Routing (ISR) The Brocade Integrated Switch Routing (ISR) feature enables VLANs configured on the device to route Layer 3 traffic from one protocol-based VLAN to another instead of forwarding the traffic to an external router. The VLANs provide Layer 3 broadcast domains for the protocols, but do not in themselves provide routing services.
VLAN groups There is a separate STP domain for each port-based VLAN. Routing occurs independently across port-based VLANs or STP domains. You can define each end of each backbone link as a separate tagged port-based VLAN. Routing will occur independently across the port-based VLANs. Because each port-based VLAN’s STP domain is a single point-to-point backbone connection, you are guaranteed to never have an STP loop.
Page 370
VLAN groups NOTE The device’s memory must be configured to contain at least the number of VLANs you specify for the higher end of the range. For example, if you specify 2048 as the VLAN ID at the high end of the range, you first must increase the memory allocation for VLANs to 2048 or higher.
Configuring super aggregated VLANs The <group-id> specifies a VLAN group. If you do not use this parameter, the configuration information for all the configured VLAN groups is displayed. Configuring super aggregated VLANs A super aggregated VLAN allows multiple VLANs to be placed within another VLAN. This feature allows you to construct Layer 2 paths and channels.
Page 372
Configuring super aggregated VLANs Each client connected to the edge device is in its own port-based VLAN. All the clients’ VLANs are aggregated by the edge device into a single VLAN for connection to the core. The device that aggregates the VLANs forwards the aggregated VLAN traffic through the core. The core can consist of multiple devices that forward the aggregated VLAN traffic.
Configuring super aggregated VLANs This example shows a single link between the core devices. However, you can use a trunk group to add link-level redundancy. Configuring aggregated VLANs A maximum frame size of 1526 bytes is supported on ports where super-aggregated VLANs are configured. This allows an additional 8 bytes over the untagged port maximum to support two VLAN tags.
Configuring super aggregated VLANs • Enable VLAN aggregation. This support allows the core device to add an additional tag to each Ethernet frame that contains a VLAN packet from the edge device. The additional tag identifies the aggregate VLAN (the path). However, the additional tag can cause the frame to be longer than the maximum supported frame size.
Configuring 802.1q-in-q tagging Commands for device F The commands for configuring device F are identical to the commands for configuring device E. In this example, since the port numbers on each side of the configuration in Figure 24 on page 300 are symmetrical, the configuration of device F is also identical to the configuration of device A and device B.
Configuring 802.1q-in-q tagging As shown in Figure 25, the ports to customer interfaces are untagged, whereas the uplink ports to the provider cloud are tagged, because multiple client VLANs share the uplink to the provider cloud. In this example, the device treats the customer’s private VLAN ID and 8100 tag type as normal payload, and adds the 9100 tag type to the packet when the packet is sent to the uplink and forwarded along the provider cloud.
Configuring 802.1q-in-q tagging Enabling 802.1Q-in-Q tagging To enable the 802.1Q-in-Q feature, configure an 802.1Q tag type on the untagged edge links (the customer ports) to any value other than the 802.1Q tag for incoming traffic. For example, in Figure 27, the 802.1Q tag on the untagged edge links (ports 11 and 12) is 9100, whereas, the 802.1Q tag for incoming traffic is 8100.
Configuring 802.1q tag-type translation • If you configure a port with an 802.1q tag-type, the device automatically applies the 802.1q tag-type to all ports within the same port region. • If you remove the 802.1q tag-type from a port, the device automatically removes the 802.1q tag-type from all ports within the same port region.
Private VLANs Private VLANs A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also provides additional control over flooding packets on a VLAN. Figure 30 shows an example of an application using a private VLAN. FIGURE 30 Private VLAN used to secure communication between a workstation and servers A private VLAN secures traffic...
Private VLANs • Isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN. • Community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.
Private VLANs • There is currently no support for IGMP Snooping within Private VLANs. In order to let clients in Private VLANs get multicast traffic, IGMP Snooping must be disabled, so that all multicast packets are treated as unregistered multicast packets and get flooded in software to all the ports.
Page 387
Private VLANs Configuring an isolated or community private VLAN To configure an isolated or a community private VLAN, use the following CLI methods. Using the CLI To configure a community private VLAN, enter commands such as the following. BigIron RX(config)# vlan 901 BigIron RX(config-vlan-901)# untagged ethernet 3/5 to 3/6 BigIron RX(config-vlan-901)# pvlan type community These commands create port-based VLAN 901, add ports 3/5 and 3/6 to the VLAN as untagged...
Private VLANs The pvlan mapping command identifies the other private VLANs for which this VLAN is the primary. The command also specifies the primary VLAN ports to which you are mapping the other private VLANs. • The <vlan-id> parameter specifies another private VLAN. The other private VLAN you want to specify must already be configured.
Other VLAN features Syntax: [no] multicast-flooding NOTES: • This feature is supported on the 10 Gigabit Ethernet module. • This feature cannot be enabled on an empty VLAN; the VLAN must already have ports assigned to it prior to enabling this feature. •...
Other VLAN features To enable flow based MAC learning and CPU flooding for unknown unicast packets only, enter the following command at the global configuration level. BigIron RX(config)# cpu-flooding unknown-unicast To enable CPU based flooding for broadcast and multicast packets, enter the following command at the global configuration level.
Displaying VLAN information Other configuration options You can also configure the following on a VLAN: • “Configuring static ARP entries” on page 136 • “Setting maximum frame size per PPCR” on page 178 Displaying VLAN information After you configure the VLANs, you can view and verify the configuration. Displaying VLAN information Enter the following command at any CLI level.
Displaying VLAN information TABLE 67 Output of show vlan (Continued) This field... Displays... Untagged/Tagged Ports ID of the untagged or tagged ports that are members of the VLAN (protocol-based VLANs) If protocol based VLANs are configured, their type and name appear after the list of ports.
Page 394
Displaying VLAN information BigIron RX# show vlan detail Untagged Ports : ethe 2/1 to 2/24 ethe 4/4 Tagged Ports : None Dual-mode Ports : ethe 3/1 to 3/24 ethe 4/1 to 4/3 Default VLAN Control VLAN : 4095 VLAN Tag-type : 0x8100 PORT-VLAN 1, Name DEFAULT-VLAN, Priority Level0 ----------------------------------------------------------...
Transparent firewall mode TABLE 69 Output of show vlan detail (Continued) This field... Displays... Protocol Protocol configured on the VLAN. State Current state of the port such as disabled, blocking, forwarding, etc. Displaying VLAN group information To display information about VLAN groups, enter the following command. BigIron RX# show vlan-group 10 Configured VLAN-Group entries: 1 Maximum VLAN-Group entries : 32...
Chapter Configuring Spanning Tree Protocol IEEE 802.1D Spanning Tree Protocol (STP) The BigIron RX supports Spanning Tree Protocol (STP) as described in the IEEE 802.1D-1998 specification. STP eliminates Layer 2 loops in networks by selectively blocking some ports and allowing other ports to forward traffic, based on configurable bridge and port parameters. STP also ensures that the least cost path is taken when multiple paths exist between ports or VLANs.
IEEE 802.1D Spanning Tree Protocol (STP) NOTE When you configure a VLAN, the VLAN inherits the global STP settings. However, once you begin to define a VLAN, you can no longer configure standard STP parameters globally using the CLI. From that point on, you can configure STP only within individual VLANs.
IEEE 802.1D Spanning Tree Protocol (STP) TABLE 72 Default STP bridge parameters (Continued) Parameter Description Default and valid values Hello Time The interval of time between each configuration BPDU sent by the root bridge. Default: 2 seconds. Possible values: 1 – 10 seconds Priority A parameter used to identify the root bridge in a spanning...
IEEE 802.1D Spanning Tree Protocol (STP) NOTE The hello-time <value> parameter applies only when the device or VLAN is the root bridge for its spanning tree. Changing STP port parameters To change the path and priority costs for a port, enter commands such as the following. BigIron RX(config)# vlan 10 BigIron RX(config-vlan-10)# spanning-tree ethernet 1/5 path-cost 15 priority 64 Syntax: spanning-tree ethernet <slot>/<portnum>...
IEEE 802.1D Spanning Tree Protocol (STP) Syntax: [no] spanning-tree root-protect Enter the no form of the command to disable STP Root Guard on the port. Setting the STP root guard timeout period To configure the STP Root protect timeout period globally, enter a command such as the following. BigIron RX(config)# spanning-tree root-protect timeout 120 Syntax: spanning-tree root-protect timeout <timeout in seconds>...
IEEE 802.1D Spanning Tree Protocol (STP) To prevent an end station from initiating or participating in STP topology changes, enter the following command at the interface level of the CLI. BigIron RX(config)# interface ethe 2/1 BigIron RX(config-if-e1000-2/1)# spanning-tree protect This command causes the port to drop STP BPDUs sent from the device on the other end of the link.
Page 403
IEEE 802.1D Spanning Tree Protocol (STP) BigIron RX# show spanning-tree vlan 10 VLAN 10 - STP instance 1 -------------------------------------------------------------------- STP Bridge Parameters: Bridge Bridge Bridge Bridge Hold LastTopology Topology Identifier MaxAge Hello FwdDly Time Change Change 8000000480a04000 20 RootBridge RootPath DesignatedBridge Root Max Hel Fwd Identifier...
Page 404
IEEE 802.1D Spanning Tree Protocol (STP) TABLE 74 CLI display of STP information (Continued) This field... Displays... Bridge Identifier The ID assigned by STP to this bridge for this spanning tree in hexadecimal. NOTE: If this address is the same as the Root ID, then this device or VLAN is the root bridge for its spanning tree.
Page 405
IEEE 802.1D Spanning Tree Protocol (STP) TABLE 74 CLI display of STP information (Continued) This field... Displays... State The port’s STP state. The state can be one of the following: • BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop.
Page 406
IEEE 802.1D Spanning Tree Protocol (STP) BigIron RX# show spanning-tree detail vlan 10 VLAN 10 - STP instance 1 -------------------------------------------------------------------- STP Bridge Parameters: Bridge identifier - 0x8000000480a04000 Root bridge - 0x8000000480a04000 Control ports - ethe 1/3 ethe 1/13 Active global timers - None STP Port Parameters: Port 1/3 - DISABLED Port 1/13 - DISABLED...
Page 407
IEEE 802.1D Spanning Tree Protocol (STP) TABLE 75 CLI display of detailed STP information for ports This field... Displays... VLAN ID The VLAN that contains the listed ports and the number of STP instances on this VLAN. The STP type can be one of the following: •...
IEEE Single Spanning Tree (SSTP) TABLE 75 CLI display of detailed STP information for ports (Continued) This field... Displays... STP port parameters Port number and STP state The internal port number and the port’s STP state. The internal port number is one of the following: •...
IEEE Single Spanning Tree (SSTP) • To remove a VLAN from the single spanning tree, disable STP on that VLAN. When you enable SSTP, all the ports that are in port-based VLANs with STP enabled become members of a single spanning tree domain. Thus, the ports share a single BPDU broadcast domain.
PVST/PVST+ compatibility For the parameter definitions and possible values, refer to “Default STP port parameters” page 327. NOTE Both commands listed above are entered at the global CONFIG level. Also, you can use the rstp single command to control the topology for VLANs. Refer to “Enabling or disabling RSTP on a single spanning tree”...
PVST/PVST+ compatibility Overview of PVST and PVST+ Per VLAN Spanning Tree (PVST) is a Cisco proprietary protocol that allows a Cisco device to have multiple spanning trees. The Cisco device can interoperate with spanning trees on other PVST devices but cannot interoperate with IEEE 802.1Q devices. An IEEE 802.1Q device has all its ports running a single spanning tree.
PVST/PVST+ compatibility If you want to use tagged frames on VLAN 1, you can change the default VLAN ID to an ID other than 1. You also can specify the VLAN on which you want the port to send and receive untagged frames (the native VLAN).
PVST/PVST+ compatibility BigIron RX(config)# show span pvst-mode PVST+ Enabled on: Port Method Set by configuration Set by configuration 2/10 Set by auto-detect 3/12 Set by configuration 4/24 Set by auto-detect Syntax: show span pvst-mode This command displays the following information. TABLE 76 CLI Display of PVST+ Information This field...
PVST/PVST+ compatibility These commands configure a VLAN group containing VLANs 2, 3, and 4, add port 1/1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port. The dual-mode feature allows the port to send and receive untagged frames for the default VLAN (VLAN 1 in this case) in addition to tagged frames for VLANs 2, 3, and 4.
SuperSpan™ • Drop tagged PVST BPDUs for VLAN 1. Note that when VLAN 1 is not the default VLAN, the ports must have an untagged VLAN enabled in order to process IEEE 802.1Q BPDUs. For example, the following configuration is incorrect. BigIron RX(config)# default-vlan-id 1000 BigIron RX(config)# vlan 1 BigIron RX(config-vlan-1)# tagged ethernet 1/1 to 1/2...
SuperSpan™ FIGURE 34 SuperSpan example (figure: SuperSpan root bridge; customer networks Cust 1 and Cust 2 attached to service provider devices SP 1 and SP 2 through ports 1/1, 1/2, 2/1 and 2/2) In this example, the SP network contains two devices that are running SuperSpan. The SP is connected to two customer networks.
SuperSpan™ Each Brocade device that is configured for SuperSpan forwards the BPDU using the changed destination MAC address. At the other end of the tunnel, the Brocade device connected to the customer's network changes the destination MAC address back to the bridge group address (01-80-c2-00-00-00).
SuperSpan™ Mixing single STP and multiple spanning trees You can use SuperSpan in any of the following combinations: • Customer and SP networks both use multiple spanning trees (a separate spanning tree in each VLAN). • Customer uses multiple spanning trees but SP uses Single STP (all STP-enabled VLANs are in the same spanning tree).
SuperSpan™ In the above example, STP in VLAN 10 will select R10 as the root bridge and make 1/1 on R10 forwarding while blocking port 3/1 on R20. The opposite occurs for STP in VLAN 20. As a result, both links connecting the customer and SP regions are fully utilized and serve as backup links at the same time, providing loop-free, non-blocking connectivity.
SuperSpan™ Customer uses single STP but SP uses multiple spanning trees Figure 38 shows an example of SuperSpan where the customer network uses Single STP while the SP uses multiple spanning trees. FIGURE 38 Customer using single STP and SP using Multiple Spanning Trees single span Customer...
SuperSpan™ FIGURE 39 Customer and SP using single STP (figure: a Customer Region and a Provider Region, each running single span; ports tagged to multiple VLANs with the root bridge for VLAN xx; the stp-boundary port untagged to VLAN 100, the Super Aggregated VLAN) In this setup, both the customer and SP networks are running a single spanning tree at Layer 2. The traffic from VLANs 10 and 20 will be carried, or aggregated, by VLAN 100 at the SP network as in the previous scenario.
SuperSpan™ These commands configure two interfaces on the Brocade device as SuperSpan boundary interfaces. Interface 1/1 is a boundary interface with customer 1. Interface 1/2 is a boundary interface with customer 2. Each boundary interface is associated with a number, which is the SuperSpan ID.
SuperSpan™ BigIron RX(config)# show super-span CID 1 Boundary Ports: Port C-BPDU C-BPDU T-BPDU T-BPDU Rxed Txed Rxed Txed Total 1 CID 2 Boundary Ports: Port C-BPDU C-BPDU T-BPDU T-BPDU Rxed Txed Rxed Txed Total 0 In this example, the device has two SuperSpan customer IDs. Syntax: show superspan [cid <num>] The cid <num>...
SuperSpan™ BigIron RX Series Configuration Guide 53-1001986-01...
Chapter Configuring Rapid Spanning Tree Protocol Overview of Rapid Spanning Tree Protocol RSTP provides rapid convergence and takes advantage of point-to-point wiring of the spanning tree. Failure in one forwarding path does not affect other forwarding paths. RSTP improves the operation of the spanning tree while maintaining backward compatibility.
Overview of Rapid Spanning Tree Protocol Assignment of port roles At system start-up, all RSTP-enabled bridge ports assume a Designated role. Once start-up is complete, the RSTP algorithm calculates the superiority or inferiority of the RST BPDU that is received and transmitted on a port. On a root bridge, each port is assigned a Designated port role, except for ports on the same bridge that are physically connected together.
Edge ports and edge port roles Switch 4: Switch 4 is not directly connected to the root bridge. It has two ports with superior incoming RST BPDUs from two separate LANs: Port3 and Port4. The RST BPDUs received on Port3 are superior to the RST BPDUs received on Port4;...
Point-to-point ports Point-to-point ports To take advantage of the RSTP features, ports on an RSTP topology should be explicitly configured as point-to-point links. Shared media should not be configured as point-to-point links. NOTE Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops.
Edge port and non-edge port states If a port on one bridge has a Designated role and that port is connected to a port on another bridge that has an Alternate or Backup role, the port with a Designated role cannot be given a Root port role until two instances of the forward delay timer expire on that port.
State machines • Topology Change – This state machine detects, generates, and propagates topology change notifications. It acknowledges Topology Change Notice (TCN) messages when operating in 802.1D mode. It also flushes the MAC table when a topology change event takes place. •...
State machines • Proposing – The Designated port on the root bridge sends an RST BPDU packet to its peer port that contains a proposal flag. The proposal flag is a signal that indicates that the Designated port is ready to put itself in a forwarding state (Figure 43).
State machines FIGURE 44 Sync stage (figure: Switch 100, the root bridge, with Designated port Port1 facing Root port Port1 on Switch 200; Port2 and Port3 on Switch 200, facing Switch 300 and Switch 400, receive a Sync signal and are Discarding) • Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced.
State machines FIGURE 45 Synced stage (figure: same topology as Figure 44; Port2 and Port3 on Switch 200 are Discarding and assert a Synced signal toward Root port Port1) • Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state.
State machines FIGURE 46 Agree stage (figure: Root port Port1 on Switch 200 sends an RST BPDU with an Agreed flag to the Designated port Port1 on Switch 100, the root bridge; both ports are Forwarding while Port2 and Port3 on Switch 200 remain Synced and Discarding toward Switch 300 and Switch 400) At this point, the handshake mechanism is complete between Switch 100, the root bridge, and Switch 200.
State machines FIGURE 47 Addition of a new root bridge (figure: Switch 60 is attached through its Port2 to Designated port Port2 on Switch 100; Designated port Port1 on Switch 100 faces Root port Port1 on Switch 200, whose Port2 and Port3 connect Switch 300 and Switch 400) The handshake that occurs between Switch 60 and Switch 100 follows the one described in the previous section (“Handshake when no root port is elected”...
State machines FIGURE 48 New root bridge sending a proposal flag (figure: the handshake between Switch 60 and Switch 100 is completed and Port2 on Switch 100 is now a Root port; Designated port Port1 on Switch 100 is Proposing, sending an RST BPDU with a Proposing flag to Root port Port1 on Switch 200, which is Forwarding)...
State machines FIGURE 49 Sync and reroot (figure: Designated port Port1 on Switch 100 is Proposing; Root port Port1 on Switch 200 signals Sync and Reroot while Forwarding, and Port2 and Port3 on Switch 200 are signalled Sync and Reroot and go Discarding)...
State machines FIGURE 50 Sync and rerooted (figure: Designated port Port1 on Switch 100 is still Proposing; the ports on Switch 200 signal Sync and Rerooted and are Discarding)...
State machines FIGURE 51 Rerooted, synced, and agreed (figure: Root port Port1 on Switch 200, Rerooted and Synced, sends an RST BPDU with an Agreed flag back to Designated port Port1 on Switch 100 and moves to Forwarding; Port2 on Switch 200 is Rerooted, Synced and Discarding)...
Convergence in a simple topology FIGURE 52 Handshake completed after election of new root port (figure: Root port Port2 on Switch 60 faces Designated port Port2 on Switch 100; Designated port Port1 on Switch 100 is Proposing toward Switch 200, where Port1 is now an Alternate port and Port4 the Root port; Port2 and Port3 on Switch 200 are Proposing toward the downstream switches)...
Convergence in a simple topology NOTE The rapid convergence will not occur on ports connected to shared media devices, such as hubs. To take advantage of the rapid convergence provided by RSTP, make sure to explicitly configure all point-to-point links in a topology. Convergence at start up In Figure 53, two bridges, Switch 2 and Switch 3, are powered up.
Convergence in a simple topology FIGURE 54 Simple Layer 2 topology (figure: Switch 1 with bridge priority 1500 and Switch 2 with bridge priority 1000 are linked through their Port2 interfaces, Port2 on Switch 2 being the Root port; Designated, Backup and Alternate roles appear on Port3, Port4 and Port5 toward a third switch)...
Convergence in a simple topology The Port2/Switch 2 bridge also sends an RST BPDU with an agreed flag to Port2/Switch 1, indicating that Port2 is the new Root port. Both ports go into forwarding states. Now, Port3/Switch 3 is currently in a discarding state and is negotiating a port role. It received RST BPDUs from Port3/Switch 2.
Convergence in a simple topology FIGURE 56 Link failure in the topology (figure: Switch 1 with bridge priority 1500, Switch 2 with bridge priority 1000 and Switch 3 with bridge priority 2000, interconnected through Port2, Port3, Port4 and Port5) Switch 1 sets its Port2 into a discarding state. At the same time, Switch 2 assumes the role of a root bridge since its root port failed and it has no operational Alternate port.
Convergence in a complex RSTP topology When Port2/Switch 2 receives the RST BPDUs, the RSTP algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port. All the ports on Switch 2 are informed that a new Root port has been assigned, which then signals all the ports to synchronize their roles and states.
Convergence in a complex RSTP topology Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is then given an Alternate port role, and remains in discarding state. Likewise, Port5/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is also given an Alternate port role, and remains in discarding state.
Configuring RSTP parameters For example, in Figure 62, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format to allow them to operate transparently with Switch 20. FIGURE 62 RSTP bridges with an 802.1D bridge Switch 10...
Configuring RSTP parameters BigIron RX(config)# vlan 10 BigIron RX(config-vlan-10)# rstp Syntax: [no] rstp Enabling or disabling RSTP on a single spanning tree To globally enable RSTP for all ports of a single spanning tree, enter the following command. BigIron RX(config)# rstp single Syntax: [no] rstp single Disabling or enabling RSTP on a port The rstp command must be used to initially enable RSTP on ports.
Configuring RSTP parameters The max-age <value> parameter specifies the amount of time the device waits to receive a hello packet before it initiates a topology change. Possible values: 6 – 40 seconds. The default is 20 seconds. The value of max-age must be greater than the value of forward-delay to ensure that the downstream bridges do not age out faster than the upstream bridges (those bridges that are closer to the root bridge).
Configuring RSTP parameters TABLE 78 Recommended path cost values of RSTP (Continued)
Link speed | Recommended (default) RSTP path cost values | Recommended RSTP path cost range
1 Gigabit per second | 20,000 | 2,000 – 200,000,000
10 Gigabits per second | 2,000 | 200 – 20,000
100 Gigabits per second | 20 –...
Configuring RSTP parameters In addition, Fast Port Span enhances overall network performance in the following ways: • Fast Port Span reduces the number of STP topology change notifications on the network. When an end station attached to a Fast Span port comes up or down, the Brocade device does not generate a topology change notification for the port.
Configuring RSTP parameters BigIron RX(config)# fast port-span BigIron RX(config)# write memory Excluding specific ports from fast port span You can exclude individual ports from Fast Port Span while leaving Fast Port Span enabled globally. To do so, use the following method. Using the CLI To exclude a port from Fast Port Span, enter commands such as the following.
Configuring RSTP parameters You can use the Fast Uplink feature on a Brocade device deployed as a wiring closet switch to decrease the convergence time for the uplink ports to another device to just four seconds (two seconds for listening and two seconds for learning). The wiring closet switch must be a Brocade device but the device at the other end of the link can be a Brocade device or another vendor’s switch.
Displaying RSTP information Using the CLI To configure a group of ports for Fast Uplink Span, enter the following commands. BigIron RX(config)# fast uplink-span ethernet 4/1 to 4/4 BigIron RX(config)# write memory Syntax: [no] fast uplink-span [ethernet <portnum> [ethernet <portnum>… | to <portnum>]] This example configures four ports, 4/1 –...
Displaying RSTP information BigIron RX(config)#show rstp vlan 10 VLAN 10 - RSTP instance 0 -------------------------------------------------------------------- RSTP (IEEE 802.1w) Bridge Parameters: Bridge Bridge Bridge Bridge Force Identifier MaxAge Hello FwdDly Version Hold 0001000480a04000 20 Default RootBridge RootPath DesignatedBridge Root Max Hel Fwd Identifier Cost Identifier...
Displaying RSTP information TABLE 79 CLI display of RSTP summary (Continued) This field... Displays... Designated Bridge Identifier The bridge from where the root information was received. It can be from the root bridge itself, but it could also be from another bridge. Root Port The port on which the root information was received.
Displaying RSTP information TABLE 79 CLI display of RSTP summary (Continued) This field... Displays... Role The current role of the port: • Root • Designated • Alternate • Backup • Disabled Refer to “Bridges and bridge port roles” on page 353 for definitions of the roles.
Displaying RSTP information TABLE 80 The show rstp detail command output (Continued) This field... Displays... forceVersion The configured version of the bridge: • 0 – The bridge has been forced to operate in an STP compatible mode. • 2 – The bridge has been forced to operate in an RSTP mode. MigrateTime The number of seconds the bridge took to migrate from STP to RSTP mode.
Chapter Metro Ring Protocol (MRP) Phase 1 and 2 Metro Ring Protocol (MRP) phase 1 MRP Phase 1 is a Brocade proprietary protocol that prevents Layer 2 loops and provides fast reconvergence in Layer 2 ring topologies. It is an alternative to STP and is especially useful in Metropolitan Area Networks (MANs) where using STP has the following drawbacks: •...
MRP rings without shared interfaces The ring in this example consists of four MRP nodes (Brocade switches). Each node has two interfaces with the ring. Each node also is connected to a separate customer network. The nodes forward Layer 2 traffic to and from the customer networks through the ring. The ring interfaces are all in one port-based VLAN.
Ring initialization FIGURE 64 Metro ring – multiple rings (figure: Ring 1, Ring 2 and Ring 3; two Master nodes, one using port1/1 and port1/2 and the other using port4/1 and port4/2) In this example, two nodes are each configured with two MRP rings. Any node in a ring can be the master for its ring.
Ring initialization FIGURE 65 Metro ring – initial state (figure: Switch A, the Master node, and Switches B, C and D form the ring, each attached to a Customer A network; all ports start in Preforwarding state and the primary port on the Master node sends RHP 1) MRP uses Ring Health Packets (RHPs) to monitor the health of the ring.
Ring initialization When MRP is enabled, all ports begin in the Preforwarding state. The primary interface on the Master node, although it is in the Preforwarding state like the other ports, immediately sends an RHP onto the ring. The secondary port on the Master node listens for the RHP. •...
How ring breaks are detected and healed How ring breaks are detected and healed Figure 67 shows the ring forwarding state following a link break. MRP quickly heals the ring and preserves connectivity among the customer networks. FIGURE 67 Metro ring – ring break (figure: Switch B and the Master node, each attached to a Customer A network...
How ring breaks are detected and healed When the broken link is repaired, the link’s interfaces come up in the Preforwarding state, which allows RHPs to travel through the restored interfaces and reach the secondary interface on the Master node. •...
Master VLANs and customer VLANs in a topology group 5. RHP packets continue to be sent on the primary interface by Switch A to detect if the ring has been healed. From a user perspective, there is no difference in the behavior of the ring. The only noticeable difference is a rapid convergence in the event of ring failure.
Master VLANs and customer VLANs in a topology group FIGURE 69 Metro ring – ring VLAN and customer VLANs (figure: Customer A on VLAN 30 and Customer B on VLAN 40 attached to Switch B; ring 1 interfaces 1/1 and 1/2, customer ports 4/1 and 2/1; topology group 2 with master VLAN 2 on interfaces 1/1 and 1/2 and member VLAN 30 on interfaces 1/1, 1/2 and 2/1; port1/2...
Configuring MRP If you use a topology group: • The master VLAN must contain the ring interfaces. The ports must be tagged, since they will be shared by multiple VLANs. • The member VLAN for a customer must contain the two ring interfaces and the interfaces for the customer.
Configuring MRP Adding an MRP ring to a VLAN NOTE If you plan to use a topology group to add VLANs to the ring, make sure you configure MRP on the topology group’s master VLAN. To add an MRP ring to a VLAN, enter commands such as the following. BigIron RX(config)# vlan 2 BigIron RX(config-vlan-2)# metro-ring 1 BigIron RX(config-vlan-2-mrp-1)# name CustomerA...
MRP phase 2 Changing the hello and preforwarding times You also can change the RHP hello time and preforwarding time. To do so, enter commands such as the following. BigIron RX(config-vlan-2-mrp-1)# hello-time 200 BigIron RX(config-vlan-2-mrp-1)# preforwarding-time 400 These commands change the hello time to 200 ms and change the preforwarding time to 400 ms. NOTE The preforwarding time must be at least twice the value of the hello time and must be a multiple of the hello time.
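The two timer rules this guide states (STP max-age, 6 to 40 seconds, must be greater than forward-delay; the MRP preforwarding time must be at least twice the hello time and a multiple of it) are easy to get wrong by hand, so here is an added example, not code from the guide, that parses constructed CLI-style lines and reports each violation; the keyword layout of the sample and the context names are assumptions of the example.

```python
"""Timer sanity checks for the STP and MRP timers discussed in this guide.

Added example, not code from the configuration guide. It parses constructed
CLI-style lines and applies two rules the guide states:
  * STP: max-age (6-40 s) must be greater than forward-delay.
  * MRP: preforwarding-time must be at least twice hello-time and a whole
    multiple of hello-time (both in milliseconds).
The exact line layout of the sample is an assumption for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: two VLANs running STP and two VLANs carrying MRP rings.
SAMPLE_CONFIG = """\
vlan 10
 max-age 20 forward-delay 15
vlan 2
 metro-ring 1
  hello-time 200
  preforwarding-time 500
vlan 3
 metro-ring 2
  hello-time 300
  preforwarding-time 600
vlan 20
 max-age 10 forward-delay 15
"""

TIMER_RE = re.compile(r"\b(max-age|forward-delay|hello-time|preforwarding-time)\s+(\d+)\b")
VLAN_RE = re.compile(r"^\s*vlan\s+(\d+)\b")
RING_RE = re.compile(r"^\s*metro-ring\s+(\d+)\b")

Finding = Tuple[str, str]  # (context, problem)


def parse_timers(config: str) -> Dict[str, Dict[str, int]]:
    """Group timer keywords by context: 'vlan N' or 'vlan N ring M'."""
    timers: Dict[str, Dict[str, int]] = {}
    vlan = ring = None
    for line in config.splitlines():
        m = VLAN_RE.match(line)
        if m:
            vlan, ring = m.group(1), None   # a new VLAN block closes any ring
            continue
        m = RING_RE.match(line)
        if m and vlan is not None:
            ring = m.group(1)
            continue
        if vlan is None:
            continue                        # timers outside a VLAN are ignored
        ctx = f"vlan {vlan}" + (f" ring {ring}" if ring else "")
        for key, val in TIMER_RE.findall(line):
            timers.setdefault(ctx, {})[key] = int(val)
    return timers


def check_timers(timers: Dict[str, Dict[str, int]]) -> List[Finding]:
    """Apply the STP and MRP timer rules; return one finding per violation."""
    findings: List[Finding] = []
    for ctx, t in timers.items():
        if "max-age" in t:
            max_age = t["max-age"]
            if not 6 <= max_age <= 40:
                findings.append((ctx, f"max-age {max_age} outside 6-40 s"))
            fwd = t.get("forward-delay")
            if fwd is not None and max_age <= fwd:
                # downstream bridges would age out faster than upstream ones
                findings.append((ctx, f"max-age {max_age} must exceed forward-delay {fwd}"))
        if "hello-time" in t and "preforwarding-time" in t:
            hello, pre = t["hello-time"], t["preforwarding-time"]
            if pre < 2 * hello:
                findings.append((ctx, f"preforwarding-time {pre} below 2 x hello-time {hello}"))
            elif pre % hello:
                findings.append((ctx, f"preforwarding-time {pre} not a multiple of hello-time {hello}"))
    return findings


if __name__ == "__main__":
    for ctx, problem in check_timers(parse_timers(SAMPLE_CONFIG)):
        print(f"{ctx}: {problem}")
```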
MRP phase 2 FIGURE 70 Multiple MRP rings - MRP Phase 1 (figure: Ring 1, Ring 2 and Ring 3 with two Master nodes, using port1/1, port1/2, port4/1 and port4/2) With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN.
Ring initialization for shared interfaces Ring initialization for shared interfaces FIGURE 72 Interface IDs and types (figure: Ring 1 and Ring 2 sharing a node; interface IDs 1 and 2 shown on port1/1 and port2/2; C = customer port) For example, in Figure 72, the ID of all interfaces on all nodes on Ring 1 is 1 and all interfaces on all nodes on Ring 2 is 2.
Ring initialization for shared interfaces node, the packet is forwarded through the secondary interface since it is currently in a preforwarding state. A secondary interface in preforwarding mode ignores any RHP packet that is not from its ring. The secondary interface changes to blocking mode only when the RHP packet forwarded by its primary interface is returned.
Ring initialization for shared interfaces Normal flow Figure 73 shows an example of how RHP packets are processed normally in MRP rings with shared interfaces. FIGURE 73 Flow of RHP packets on MRP rings with shared interfaces (figure: secondary interfaces port2/2 and port3/2; Master node of Ring 1...
Ring initialization for shared interfaces Flow when a link breaks If the link between shared interfaces breaks (Figure 74), the secondary interface on Ring 1’s master node changes to a preforwarding state. The RHP packet sent by port 3/1 on Ring 2 is forwarded through the interfaces on S4, then to S2.
Displaying MRP information Displaying MRP diagnostics To display MRP diagnostics results, enter the following command on the Master node. BigIron RX(config)# show metro 2 diag Metro Ring 2 - CustomerA ============= diagnostics results Ring Diag RHP average Recommended Recommended state time(microsec) hello time(ms) Prefwing time(ms)
Displaying MRP information Displaying ring information To display ring information, enter the following command. BigIron RX(config)# show metro Metro Ring 2 ============= Ring State Ring Master Topo Hello Prefwing role vlan group time(ms) time(ms) enabled member not conf Ring interfaces Interface role Forwarding state Active interface...
MRP CLI example TABLE 82 CLI display of MRP ring information (Continued) This field... Displays... Prefwing time The number of milliseconds an MRP interface that has entered the Preforwarding state will wait before changing to the Forwarding state. If a member port in the Preforwarding state does not receive an RHP within the Preforwarding time (Prefwing time), the port assumes that a topology change has occurred and changes to the Forwarding state.
MRP CLI example Commands on switch A (master node) The following commands configure a VLAN for the ring. The ring VLAN must contain both of the node’s interfaces with the ring. Add these interfaces as tagged interfaces, since the interfaces also must be in each of the customer VLANs configured on the node.
Chapter Virtual Switch Redundancy Protocol (VSRP) Overview of Virtual Switch Redundancy Protocol (VSRP) VSRP is a Brocade proprietary protocol that provides redundancy and sub-second failover in Layer 2 and Layer 3 mesh topologies. Based on Brocade's proprietary Virtual Router Redundancy Protocol Extended (VRRPE), VSRP provides one or more backups for the device.
Overview of Virtual Switch Redundancy Protocol (VSRP) Following Master election (described below), one of the Brocade devices becomes the Master for the VRID and sets the state of all the VLAN’s ports to Forwarding. The other device is a Backup and sets all the ports in its VRID VLAN to Blocking.
Overview of Virtual Switch Redundancy Protocol (VSRP) Each Backup waits for a specific period of time, the Dead Interval, to receive a new Hello message from the Master. If the Backup does not receive a Hello message from the Master by the time the Dead Interval expires, the Backup sends a Hello message of its own, which includes the Backup's VSRP priority, to advertise the Backup's intent to become the Master.
Overview of Virtual Switch Redundancy Protocol (VSRP) FIGURE 77 VSRP priority recalculation (figure: Router 1 and Router 2 sit between the Internet and the enterprise intranet on interfaces e 2/4, e 3/2, e 1/5 and e 1/6; both belong to VRID1 with IP address 192.53.5.1, Router1 being the Master and Owner at 192.53.5.1 and Router2 the Backup at 192.53.5.3...
Overview of Virtual Switch Redundancy Protocol (VSRP) FIGURE 78 VSRP priority bias (figure: the VSRP Master has configured priority 150 and one of its three links down, giving actual priority 150 * (2/3) = 100; the VSRP Backup has configured priority 100 and all three links up, giving actual priority 100 * (3/3) = 100; an optional link joins the two devices...
Configuring basic VSRP parameters • If the port number is the same as the port that previously received a Hello message, the VSRP-aware device assumes that the message came from the same VSRP Master that sent the previous message. • If the port number does not match, the VSRP-aware device assumes that a VSRP failover has occurred to a new Master, and moves the MAC addresses learned on the previous port to the new port.
Enabling Layer 3 VSRP BigIron RX(config-vlan-200-vrid-1)# enable Syntax: [no] enable Syntax: [no] activate For information about the command’s optional parameters, see the following: • “Changing the backup priority” on page 427 • “Changing the default track priority” on page 430 Enabling Layer 3 VSRP Layer 2 VSRP is enabled globally by default on the device;...
Configuring optional VSRP parameters Syntax: [no] ip vsrp auth-type no-auth | simple-text-auth <auth-data> The auth-type no-auth parameter indicates that the VRID and the interface it is configured on do not use authentication. The auth-type simple-text-auth <auth-data> parameter indicates that the VRID and the interface it is configured on use a simple text password for authentication.
Configuring optional VSRP parameters BigIron RX(config-vlan-200-vrid-1)# ip-address 10.10.10.1 Syntax: [no] ip-address <ip-addr> VSRP fast start VSRP fast start allows non-Brocade or non-VSRP-aware devices that are connected to a Brocade device that is the VSRP Master to quickly switch over to the new Master when a VSRP failover occurs. This feature causes the port on a VSRP Master to restart when a VSRP failover occurs.
Configuring optional VSRP parameters • Backup Hello interval • Hold-down interval Each Backup saves the configured timer values to its startup configuration file when you save the device’s configuration. NOTE The Backups always use the value of the timer scale received from the Master, regardless of whether the timer values that are saved in the configuration are the values configured on the Backup or the values received from the Master.
Configuring optional VSRP parameters Changing the hello interval The Master periodically sends Hello messages to the Backups. To change the Hello interval, enter a command such as the following at the configuration level for the VRID. BigIron RX(config-vlan-200-vrid-1)# hello-interval 10 Syntax: [no] hello-interval <units>...
Configuring optional VSRP parameters Syntax: [no] backup-hello-interval <units> The <units> parameter specifies the message interval and can be from 60 – 3600 units (1 unit = 100 milliseconds). The default is 60 units (6000 milliseconds or 6 seconds). NOTE If you change the timer scale, the change affects the actual number of seconds. Changing the hold-down interval The hold-down interval prevents Layer 2 loops from occurring during failover, by delaying the new Master from forwarding traffic long enough to ensure that the failed Master is really unavailable.
Configuring optional VSRP parameters Specifying a track port You can configure the VRID on one interface to track the link state of another interface on the device. This capability is useful for tracking the state of the exit interface for the path for which the VRID is providing redundancy.
Clearing VSRP information NOTE All trunk ports must have the same delayed-link-down-event configuration. The following command delays the sending of the port "down" event by 100 ms when a port is detected as "down". If the port is detected as "up" again within those 100 ms, the delayed "down" event is cancelled;...
VSRP and MRP signaling If a VSRP failover from master to backup occurs, VSRP needs to inform MRP of the topology change; otherwise, data from the host continues along the obsolete learned path and never reaches the VSRP-linked device, as shown in Figure 82. FIGURE 82 VSRP on MRP rings that failed over...
Displaying VSRP information FIGURE 83 New path established (figure: Path 1 and Path 2 lead from the Host through MRP Member nodes to the MRP Master; each path carries a VSRP Master and a VSRP Backup, labelled Device 1) There are no CLI commands used to configure this process.
Displaying VSRP information This display shows the following information when you use the vrid <num> or vlan <vlan-id> parameter. For information about the display when you use the aware parameter, refer to “Displaying the active interfaces for a VRID” on page 438. TABLE 83 CLI display of VSRP VRID or VLAN information This field...
Displaying VSRP information TABLE 83 CLI display of VSRP VRID or VLAN information (Continued) This field... Displays... priority The device’s preferability for becoming the Master for the VRID. During negotiation, the Backup with the highest priority becomes the Master. If two or more Backups are tied with the highest priority, the Backup interface with the highest IP address becomes the Master for the VRID.
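The priority bias in Figure 78 and the tie-break rule in Table 83 interact: one failed link can drop a Master's priority into a tie, after which the highest IP address decides. The following added example, not code from the guide, models that election; representing each device as a configured priority plus a count of up links, and truncating the biased priority to an integer, are assumptions of the example.

```python
"""VSRP priority bias and Master election (added example, not the guide's code).

The guide's Figure 78 shows actual priority = configured priority * (links up /
links total): 150 * (2/3) = 100 and 100 * (3/3) = 100.  Table 83 says the
Backup with the highest priority becomes Master and that a tie is broken by
the highest IP address.  Treating each device as a configured priority plus a
count of up links, and truncating the product to an integer, are assumptions
of this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple


@dataclass
class VsrpDevice:
    name: str
    ip: str                  # interface address used for the tie-break
    configured_priority: int
    links_up: int
    links_total: int

    def actual_priority(self) -> int:
        """Bias the configured priority by the fraction of links that are up."""
        if self.links_total <= 0:
            raise ValueError("links_total must be positive")
        return self.configured_priority * self.links_up // self.links_total


def elect_master(devices: List[VsrpDevice]) -> str:
    """Return the name of the device VSRP would elect as Master."""
    # highest biased priority wins; among equals, the highest IP address wins
    best = max(devices, key=lambda d: (d.actual_priority(), int(IPv4Address(d.ip))))
    return best.name


def failover_report(devices: List[VsrpDevice]) -> List[Tuple[str, int]]:
    """List (name, actual priority) so an operator can see why an election went as it did."""
    return [(d.name, d.actual_priority()) for d in devices]


if __name__ == "__main__":
    # Constructed scenario reusing the addresses shown in Figure 77.
    router1 = VsrpDevice("Router1", "192.53.5.1", 150, 3, 3)
    router2 = VsrpDevice("Router2", "192.53.5.3", 100, 3, 3)
    print("all links up:", failover_report([router1, router2]),
          "->", elect_master([router1, router2]))
    router1.links_up = 2          # one of Router1's three links goes down
    print("one link down:", failover_report([router1, router2]),
          "->", elect_master([router1, router2]))
```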
Displaying VSRP information BigIron RX# show vsrp brief VLAN VRID ConfPri CurPri P State PeerMacAddr or IpAddress 80 P Master Unknown Unknown None When the command is entered on a Layer 3 VSRP, it displays the following information. BigIron RX# show vsrp brief VLAN VRID ConfPri CurPri P State PeerMacAddr or IpAddress P Initia xxxx.1414.1404 20.20.20.4...
Displaying VSRP information Displaying the active interfaces for a VRID On a VSRP-aware device, you can display VLAN and port information for the connections to the VSRP devices (Master and Backups) using the show vsrp aware command. The command shows the active interfaces for the VRID.
Chapter Topology Groups Topology overview This chapter describes the different types of topology groups and how to configure them. A topology group is a named set of VLANs that share a Layer 2 control protocol. Topology groups simplify configuration and enhance scalability of Layer 2 protocols by allowing you to run a single instance of a Layer 2 protocol on multiple VLANs.
Master VLANs and customer VLANs in MRP Master VLANs and customer VLANs in MRP A topology group enables you to control forwarding in multiple VLANs using a single instance of a Layer 2 protocol such as MRP. For more information on topology group and MRP, refer to “Master VLANs and customer VLANs in a topology group”...
Configuring a topology group If you remove a member VLAN or VLAN group from a topology group, you will need to reconfigure the Layer 2 protocol information in the VLAN or VLAN group. Configuring a topology group To configure a topology group, enter commands such as the following. BigIron RX(config)# topology-group 2 BigIron RX(config-topo-group-2)# master-vlan 2 BigIron RX(config-topo-group-2)# member-vlan 3...
Displaying topology group information BigIron RX(config)# show topology-group Topology Group 1 ================== Master VLAN Member VLAN : 10 20 30 Member Group : None Control Ports : ethe 2/2 ethe 3/18 ethe 4/1 to 4/2 Free Ports : Topology Group 2 ================== Master VLAN Member VLAN...
Chapter Configuring VRRP and VRRPE Overview of VRRP This chapter describes how to configure the following router redundancy protocols: • Virtual Router Redundancy Protocol (VRRP) – The standard router redundancy protocol described in RFC 3768. • VRRP Extended (VRRPE) – A Brocade proprietary version of VRRP that overcomes limitations in the standard protocol.
Overview of VRRP As shown in this example, Host1 uses 192.53.5.1 on Router1 as the host’s default gateway out of the subnet. If this interface goes down, Host1 is cut off from the rest of the network. Router1 is thus a single point of failure for Host1’s access to other networks. If Router1 fails, you could configure Host1 to use Router2.
Overview of VRRP NOTE You can provide more redundancy by also configuring a second VRID with Router2 as the Owner and Router1 as the Backup. This type of configuration is sometimes called Multigroup VRRP. Master router election Virtual routers use the VRRP priority values associated with each VRRP router to determine which router becomes the Master.
Overview of VRRP Track ports and track priority Brocade enhanced VRRP by giving a VRRP router the capability to monitor the state of the interfaces on the other end of the route path through the router. For example, in Figure 85 page 444, interface e1/6 on Router1 owns the IP address to which Host1 directs route traffic on its default gateway.
Overview of VRRPE Forcing a master router to abdicate to a standby router You can force a VRRP Master to abdicate (give away control) of a virtual router to a Backup by temporarily changing the Master’s priority to a value less than the Backup’s. When you change a VRRP Owner’s priority, the change takes effect only for the current power cycle.
Overview of VRRPE • VRRPE uses UDP to send Hello messages in IP multicast messages. The Hello packets use the interface’s actual MAC address and IP address as the source addresses. The destination MAC address is 01-00-5E-00-00-02, and the destination IP address is 224.0.0.2 (the well-known IP multicast address for “all routers”).
Overview of VRRPE FIGURE 86 Router1 and Router2 are configured to provide dual redundant network access for the host [Figure: Router A = Master and Router B = Backup for VRID 1, both with virtual IP address 192.53.5.254; Router1 priority = 100 (default); uplinks e 2/4 and e 3/2 to the Internet]
VRRP and VRRPE parameters VRRP and VRRPE parameters Table 86 lists the VRRP and VRRPE parameters. Most of the parameters and default values are the same for both protocols. The exceptions are noted in the table. TABLE 86 VRRP and VRRPE parameters Parameter Description Default...
VRRP and VRRPE parameters TABLE 86 VRRP and VRRPE parameters (Continued) Parameter Description Default See page... Router type Whether the router is an Owner or a Backup. VRRP – The Owner is always page 452 • the router that has the real IP Owner (VRRP only) –...
Configuring parameters specific to VRRP TABLE 86 VRRP and VRRPE parameters (Continued) Parameter Description Default See page... Track priority A VRRP or VRRPE priority value assigned to the tracked ports. If a VRRP – 2 page 446 tracked port’s link goes down, the VRID port’s VRRP or VRRPE VRRPE –...
Configuring parameters specific to VRRP Configuring the owner Router1(config)# router vrrp Router1(config)# inter e 1/6 Router1(config-if-1/6)# ip address 192.53.5.1 Router1(config-if-1/6)# ip vrrp vrid 1 Router1(config-if-1/6-vrid-1)# owner Router1(config-if-1/6-vrid-1)# ip-address 192.53.5.1 Router1(config-if-1/6-vrid-1)# activate Configuring a backup To configure the VRRP Backup router, enter the following commands. Router2(config)# router vrrp Router2(config)# inter e 1/5 Router2(config-if-e10000-1/5)# ip address 192.53.5.3...
Configuring parameters specific to VRRPE Configuring parameters specific to VRRPE VRRPE is configured at the interface level. To implement a simple VRRPE configuration using all the default values, enter commands such as the following on each BigIron RX. BigIron RX(config)# router vrrp-extended BigIron RX(config)# inter e 1/5 BigIron RX(config-if-e10000-1/5)# ip address 192.53.5.3 BigIron RX(config-if-e10000-1/5)# ip vrrp-extended vrid 1...
Configuring additional VRRP and VRRPE parameters • Backup priority • Suppression of RIP advertisements on Backup routes for the backed up interface • Hello interval • Dead interval • Backup Hello messages and message timer (Backup advertisement) • Track port •...
Configuring additional VRRP and VRRPE parameters Suppression of RIP advertisements on Backup routers for the backed up interface Normally, a VRRP or VRRPE Backup includes route information for the virtual IP address in RIP advertisements. As a result, other routers receive multiple paths for the Backup router and might sometimes unsuccessfully use the path to the Backup router rather than the path to the Master.
Configuring additional VRRP and VRRPE parameters Syntax: dead-interval <value> The Dead interval can be from 1 – 84 seconds. The default is 3.5 seconds. The syntax is the same for VRRP and VRRPE. Backup hello message state and interval By default, Backups do not send Hello messages to advertise themselves to the Master. You can enable these messages if desired and also change the message interval.
Configuring additional VRRP and VRRPE parameters • For VRRP, the software changes the priority of the virtual router to a track priority that is lower than that of the virtual router priority and lower than the priorities configured on the Backups. For example, if the virtual router priority is 100 and a tracked interface with track priority 60 goes down, the software changes the virtual router priority to 60.
Displaying VRRP and VRRPE information BigIron RX(config)# ip int eth 1/6 BigIron RX(config-if-e10000-1/6)# ip vrrp vrid 1 BigIron RX(config-if-e10000-1/6-vrid-1)# owner priority 99 Syntax: [no] owner priority | track-priority <num> The <num> parameter specifies the new priority and can be a number from 1 – 254. When you press Enter, the software changes the priority of the Master to the specified priority.
Displaying VRRP and VRRPE information BigIron RX(config)# show ip vrrp-extended brief Total number of VRRP-Extended routers defined: 41 Inte- VRID Current State Master IP Backup IP Virtual IP rface Priority Address Address Address ----------------------------------------------------------------------------- Backup 172.16.51.2 Local 172.16.51.1 Backup 172.16.52.2 Local 172.16.52.1 Backup...
Displaying VRRP and VRRPE information TABLE 87 CLI display of VRRP or VRRPE summary information (Continued) This field... Displays... State This device’s VRRP or VRRPE state for the virtual router. The state can be one of the following: • Init – The virtual router is not enabled (activated). If the state remains Init after you activate the virtual router, make sure that the virtual router is also configured on the other routers and that the routers can communicate with each other.
Displaying VRRP and VRRPE information The brief parameter displays summary information. Refer to “Displaying summary information” page 459. The ethernet <slot>/<portnum> parameter specifies an Ethernet port. If you use this parameter, the command displays VRRP or VRRPE information only for the specified port. The ve <num>...
Displaying VRRP and VRRPE information TABLE 88 CLI display of VRRP or VRRPE detailed information (Continued) This field... Displays... priority The device’s preferability for becoming the Master for the virtual router. During negotiation, the router with the highest priority becomes the Master.
Displaying VRRP and VRRPE information TABLE 88 CLI display of VRRP or VRRPE detailed information (Continued) This field... Displays... backup router <ip-addr> expires in The IP addresses of Backups that have advertised themselves to this <time> Master by sending Hello messages. The <time>...
Configuration examples . received packets dropped by owner = 0 . received packets with ip ttl errors = 0 . received packets with ip address mismatch = 0 . received packets with advertisement interval mismatch = 0 . received packets with invalid length = 0 - total number of vrrp-extended packets sent = 2004 .
Configuration examples Configuring Router1 To configure VRRP Router1, enter the following commands. Router1(config)# router vrrp Router1(config)# inter e 1/6 Router1(config-if-e10000-1/6)# ip address 192.53.5.1 Router1(config-if-e10000-1/6)# ip vrrp vrid 1 Router1(config-if-e10000-1/6-vrid-1)# owner track-priority 20 Router1(config-if-e10000-1/6-vrid-1)# track-port ethernet 2/4 Router1(config-if-e10000-1/6-vrid-1)# ip-address 192.53.5.1 Router1(config-if-e10000-1/6-vrid-1)# activate NOTE When you configure the Master (Owner), the address you enter with the ip-address command must already be configured on the interface.
Configuration examples The activate command activates the virtual router configuration on this interface. The interface does not provide backup service for the virtual IP address until you activate the VRRP configuration. Syntax: router vrrp Syntax: ip vrrp vrid <vrid> Syntax: owner [track-priority <value>] Syntax: backup [priority <value>] [track-priority <value>] Syntax: track-port ethernet <slot>/<portnum>...
Configuration examples Router1(config-if-e10000-5/1-vrid-1)# track-port ethernet 3/2 Router1(config-if-e10000-5/1-vrid-1)# ip-address 192.53.5.254 Router1(config-if-e10000-5/1-vrid-1)# activate Router1(config-if-e10000-5/1-vrid-1)# exit Router1(config)# interface ethernet 5/1 Router1(config-if-e10000-5/1)# ip vrrp-extended vrid 2 Router1(config-if-e10000-5/1-vrid-1)# backup priority 110 track-priority 20 Router1(config-if-e10000-5/1-vrid-1)# track-port ethernet 2/4 Router1(config-if-e10000-5/1-vrid-1)# ip-address 192.53.5.253 Router1(config-if-e10000-5/1-vrid-1)# activate The backup command specifies that this router is a VRRPE Backup for virtual router VRID1. The IP address entered with the ip-address command is the same IP address as the one entered when configuring Router1.
Chapter Configuring Quality of Service Overview of Quality of Service (QoS) Quality of Service (QoS) features are used to prioritize the use of bandwidth in a switch. When QoS features are enabled, traffic is classified as it arrives at the switch and processed on the basis of configured priorities.
Classification FIGURE 87 Priority resolution [Figure: inputs are the 802.1p priority and the DSCP priority; the trust level selects the COS input, the DSCP input, or (default) the higher of both inputs, after port-based, MAC-based and port-based VLAN classification] As shown in the figure, the first criteria considered are port-based, MAC-based, and port-based VLAN classifications.
Classification TABLE 90 Default QoS mappings, columns 16 to 31 DSCP value 802.1p (COS) Value DSCP value Internal Forwarding Priority Forwarding Queue TABLE 91 Default QoS mappings, columns 32 to 47 DSCP value 802.1p (COS) Value DSCP value Internal Forwarding Priority Forwarding Queue...
Marking • COS to Internal Forwarding Priority Mapping – You can change the mapping between 802.1p (COS) values and the Internal Forwarding priority value from the default values shown in Table 89 through Table 92. This mapping is used for COS marking and determining the internal priority when the trust level is COS.
Marking When you apply a QoS priority to one of the items listed above, you specify a number from 0 – 7. The priority number specifies the IEEE 802.1p equivalent to one of the four Brocade QoS queues. The numbers correspond to the queues as follows. Priority level QoS forwarding queue 6, 7...
Configuring ToS-based QoS Configuring ToS-based QoS To configure ToS-based QoS, perform the following tasks: • Enable ToS-based QoS on an interface. Once you enable the feature on an individual interface, you can configure the trust level and marking for traffic that is received on that interface as described: •...
Configuring the QoS mappings Configuring the QoS mappings The Brocade device maps a packet’s 802.1p or DSCP value to an internal forwarding priority. The default mappings are listed in Table 89 through Table 92. You can change the following mappings as described in this section: •...
Configuring the QoS mappings BigIron RX(config)# qos-tos map dscp-dscp 0 to 10 This command changes the mapping of DSCP value 0 to 10. Syntax: [no] qos-tos map dscp-dscp <old-dscp-value> [<old-dscp-value>...] to <new-dscp-value> You can change up to seven DSCP values in the same command. Changing the DSCP –>...
Displaying QoS configuration information The <priority> parameter specifies the internal forwarding priority. Changing the CoS –> internal forwarding priority mappings This mapping is used when the trust level is set to CoS. In addition to determining the internal-forwarding priority of a packet, the value also determines the outbound 802.1p value if CoS marking is enabled.
Displaying QoS configuration information BigIron RX# show qos-tos Interface QoS , Marking and Trust Level: | QoS | Mark Trust-Level -------+-----+----------+--------------- | Yes | Layer 2 CoS | No Layer 2 CoS | No Layer 2 CoS | No Layer 2 CoS ve20 | No Layer 2 CoS...
Determining packet drop priority using WRED TABLE 93 ToS-based QoS configuration information (Continued) This field... Displays... Mark The marking type enabled on the interface. The marking type can be any of the following: • COS – CoS marking is enabled. •...
Determining packet drop priority using WRED How WRED Operates The graph in Figure 88 describes the interaction of the previously described variables in the operation of WRED. When a packet arrives at a switch, the average queue size (q-size) is calculated (note that this is not the statistical average queue size - (refer to “Calculating avg-q-size”...
Configuring packet drop priority using WRED Pdrop = (pkt-size / pkt-size-max) * Pmax * ((avg-q-size - min-avg-q-size) / (max-avg-q-size - min-avg-q-size)) Using WRED with rate limiting When rate limiting is configured on a device, it directs the switch to drop traffic indiscriminately when the configured average-rate and maximum-burst thresholds are exceeded.
Configuring packet drop priority using WRED TABLE 94 Possible Wq values (Continued) Averaging weight Wq value as a percentage setting 12.5% 6.2% 3.12% 1.56% 0.78% 0.4% 0.2% 0.09% 0.05% 0.02% 0.01% To set the wq parameter for queues with a queue type of 1 to 25%, use the following command. BigIron RX(config)#qos queue-type 1 wred averaging-weight 25% This gives the current queue size a weight of 25% over the statistical average queue size.
Configuring packet drop priority using WRED Setting the maximum drop probability To set the maximum drop probability when the queue size reaches the Max-average-q-size value to 20% use the following command. BigIron RX(config)#qos queue-type 1 wred drop-precedence 0 drop-probability-max Syntax: [no] qos queue-type <queue-number> wred drop-precedence <policing-status> drop-probability-max <p-max%>...
Configuring packet drop priority using WRED The <queue-type> variable is the number of the forwarding queue type that you want to configure drop-precedence for. There are eight forwarding queue types on BigIron RX Routers. They are numbered 0 to 3. The <drop-precedence-value>...
Configuring packet drop priority using WRED TABLE 95 WRED default settings Queue Drop Minimum Maximum Maximum Maximum Maximum Average type precedence average average packet size drop instantaneous weight queue size queue size (Byte) probability queue size (KByte) (KByte) 1024 16384 1024 0.2% 1024...
Scheduling traffic for forwarding Scheduling traffic for forwarding If the traffic being processed by a device is within the capacity of the switch, all traffic is forwarded as received. Once we reach the point where the switch is bandwidth constrained, it becomes subject to drop priority if configured as described in “Determining packet drop priority using WRED”...
Scheduling traffic for forwarding Configuring strict priority-based traffic scheduling To configure strict priority-based scheduling use a command such as the following. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos scheduler strict Syntax: qos scheduler strict Configuring enhanced strict priority-based traffic scheduling To configure enhanced strict priority-based scheduling use a command such as the following.
Scheduling traffic for forwarding The values of the remaining queues are calculated to be the following. q2 = 30%, q1 = 20%, and q0 = 10% Configuring WFQ destination-based traffic scheduling To configure WFQ destination-based scheduling use a command such as the following. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos scheduler destination-weighted 5 10 15 20 Syntax: qos scheduler destination-weighted <queue0-weight>...
Scheduling traffic for forwarding Syntax: qos scheduler max-rate <Queue0-rate> <Queue1-rate> <Queue2-rate> <Queue3-rate> The <Queue0-rate> variable defines the maximum bandwidth allocated to forwarding queue 0 in Kbps. The <Queue1-rate> variable defines the maximum bandwidth allocated to forwarding queue 1 in Kbps. The <Queue2-rate>...
Configuring multicast traffic engineering To limit the multicast traffic through the packet processor that includes port 1/1 to 10 Mbps, use the following command. BigIron RX(config)# interface ethernet 1/1 BigIron RX(config-if-e1000-1/1)# qos multicast best-effort rate 10000 Syntax: qos multicast best-effort rate <rate> The <rate>...
QoS for the oversubscribed 16 x 10GE modules QoS for the oversubscribed 16 x 10GE modules The 16-port 10 Gigabit Ethernet oversubscribed module plugs into any port slot of the BigIron RX switch and is compatible with all previous generations of card on that switch. It provides interfaces to 16 X 10GE ports.
QoS for the oversubscribed 16 x 10GE modules In both Server and Storage mode, network control traffic uses Drop Precedence 0 (DP0). Incoming network control traffic is assigned DP0 and all other traffic is assigned DP1, which allows the module to prefer network control during congestion.
QoS for the oversubscribed 16 x 10GE modules TABLE 96 QOS profile table (Continued) 0 or 4 High priority TC DP0 (Network control) 1 or 5 High priority TC DP0 (Network control) 2 or 6 High priority TC DP0 (Network control) 3 or 7 High priority TC DP0 (Network control) Setting the group port weights...
QoS for the oversubscribed 16 x 10GE modules The values of the remaining weights are calculated to be the following: w0 = 4.17%, w1 = 20.83%, w2 = 4.17%, w4 = 4.17%, w5 = 20.83%, w6 = 4.17%, and w7 = 20.83% Egress port shaping The 16x10GE module is designed to provide port fairness, but the cost is a smaller number of usable queues per input port (on egress).
QoS for the oversubscribed 16 x 10GE modules Configuring QoS for the 16 x 10G module New CLI commands have been added to allow alternating between server and storage modes on the 16 x 10GE module. The new commands are part of the qos group and are configured at the interface level.
QoS for the oversubscribed 16 x 10GE modules Use the wfq parameter to set the 16x10G module to weighted fair queuing mode. Use the num parameter to set the port weight. Refer to Table 97 on page 495 for additional information on possible values.
QoS for the oversubscribed 16 x 10GE modules BigIron RX Series Configuration Guide 53-1001986-01...
Chapter Configuring Traffic Reduction Traffic policing on the BigIron RX Series The BigIron RX Series Router provides line-rate traffic policing in hardware on inbound ports and outbound ports. You can configure a BigIron RX Series Router to use one of the following modes of traffic policing policies: •...
Traffic reduction parameters and algorithm The requested rate represents a percentage of an interface's line rate (bandwidth), expressed in bits per second (bps). The requested rate must be entered in multiples of 515,624 bps. If you enter a number that is not a multiple of 515,624, the software adjusts the rate down to the next lower multiple of 515,624 so that the credit calculation does not leave a remainder of a partial credit.
Configuration considerations The running total can never exceed the maximum credit total. When packets arrive at the port, a class is assigned to the packet, based on the rate limiting policies. If the running total of the class is less than the size of the packet, then the packet is dropped. Otherwise, the size of the packet is subtracted from the running total and the packet is forwarded.
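An added Python model (not Brocade's implementation) of the credit scheme the two preceding paragraphs describe: the requested rate is rounded down to a multiple of 515,624 bps, each class keeps a running credit total capped at a maximum, and a packet larger than the running total is dropped. The refill interval, and that the maximum credit total is one interval of the requested rate plus the maximum burst, are assumptions; the port and port-plus-VLAN policy keys mirror the "show rate-limit" output later in the chapter.

```python
CREDIT_BPS = 515_624  # the page: the requested rate must be a multiple of 515,624 bps


def normalize_rate(requested_bps: int) -> int:
    """Round a requested rate down to the next lower multiple of 515,624 bps,
    the adjustment the page says the software makes so no partial credit remains."""
    if requested_bps < CREDIT_BPS:
        raise ValueError("requested rate is below one credit (515,624 bps)")
    return (requested_bps // CREDIT_BPS) * CREDIT_BPS


class ClassBucket:
    """Credit accounting for one rate-limiting class: credits are added each
    interval, the running total never exceeds the maximum, and a packet whose
    size exceeds the running total is dropped."""

    def __init__(self, requested_bps: int, max_burst_bits: int, interval_s: float = 1.0):
        self.rate_bps = normalize_rate(requested_bps)
        # Assumption: one credit deposit per interval_s; the page gives no interval.
        self.refill_bits = int(self.rate_bps * interval_s)
        # Assumption: maximum credit total = one interval of rate plus the maximum burst.
        self.max_credit = self.refill_bits + max_burst_bits
        self.credits = self.max_credit  # running total, in bits
        self.bytes_fwd = 0
        self.bytes_drop = 0

    def refill(self) -> None:
        """Deposit one interval's credits, capped at the maximum credit total."""
        self.credits = min(self.max_credit, self.credits + self.refill_bits)

    def offer(self, size_bytes: int) -> bool:
        """Forward (True) or drop (False) a packet of size_bytes against the running total."""
        bits = size_bytes * 8
        if self.credits < bits:
            self.bytes_drop += size_bytes
            return False
        self.credits -= bits
        self.bytes_fwd += size_bytes
        return True

    def counters(self):
        """The three figures 'show rate-limit counters' prints: Bytes fwd, Bytes drop, Total."""
        return self.bytes_fwd, self.bytes_drop, self.bytes_fwd + self.bytes_drop


class RateLimiter:
    """Policy table holding port-based and port-plus-VLAN input policies, each with its own bucket."""

    def __init__(self):
        self.policies = {}  # (interface, vlan_id or None) -> ClassBucket

    def add_policy(self, interface: str, requested_bps: int, max_burst_bits: int, vlan_id=None) -> None:
        self.policies[(interface, vlan_id)] = ClassBucket(requested_bps, max_burst_bits)

    def classify(self, interface: str, vlan_id):
        """Assign the class: the VLAN-specific policy wins, then the port-wide one, else no policy."""
        return self.policies.get((interface, vlan_id)) or self.policies.get((interface, None))

    def offer(self, interface: str, vlan_id, size_bytes: int) -> bool:
        bucket = self.classify(interface, vlan_id)
        if bucket is None:
            return True  # no policy on this port/VLAN: forwarded without accounting
        return bucket.offer(size_bytes)

    def tick(self) -> None:
        """One refill interval has elapsed for every class."""
        for bucket in self.policies.values():
            bucket.refill()
```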
Configuring rate limiting policies TABLE 98 Maximum # of rate limiting policies and VLANs w/ byte accounting permitted per-PPCR Module type PPCR number Port # Max # of rate limiting policies based on ACLs and VLANs + number of VLANs w/ byte accounting enabled 4 x 10G PPCR 1...
Configuring rate limiting policies The <maximum-burst> parameter specifies the extra bits above the requested rate that traffic can have. Refer to “Maximum burst” on page 500 for more details. Configuring a port-and-priority-based rate limiting policy 802.1p packet priority is used by default. The priority number specifies the IEEE 802.1p equivalent to one of the four Brocade QoS queues.
Configuring rate limiting policies Configuring a VLAN-group-based rate limiting policy A rate limiting policy can be applied to a VLAN group. VLANs that are members of a VLAN group share the specified bandwidth defined in the rate limiting policy applied to that group. To configure a rate limiting policy for a VLAN group, do the following.
Configuring rate limiting policies The priority <num> parameter specifies the 802.1p priority levels 0 – 7, equivalent to one of the four QoS queues. For information on the priority levels and the corresponding queue, refer to “Assigning QoS priorities to traffic” on page 472.
Configuring rate limiting policies These commands first configure access-list groups that contain the ACLs that will be used in the rate limiting policy. Use the permit condition for traffic that will be rate limited. Traffic that matches the condition is not subject to rate limiting and is allowed to pass through. Refer to “Configuring a port-and-IPv6 ACL-based traffic reduction”...
NP based multicast, broadcast, and unknown-unicast rate limiting NP based multicast, broadcast, and unknown-unicast rate limiting NOTE Beginning with release 02.7.00, the multicast limit, broadcast limit, and the unknown-unicast limit commands have been superseded with the multicast rate-limit, broadcast rate-limit, and the unknown-unicast rate-limit commands.
Displaying traffic reduction BigIron RX(config)# show rate-limit interface e 1/1 rate-limit input 499321856 750000000 interface e 1/3 rate-limit input vlan-id 10 499321856 750000000 rate-limit input vlan-id 20 97523712 200000000 To display bytes forwarded and dropped, enter the following command. BigIron RX(config)# show rate-limit counters interface e 1/1 rate-limit input 499321856 750000000 Bytes fwd: 440 Bytes drop: 20 Total: 460...
Chapter Layer 2 ACLs This chapter presents information to configure and view Layer 2 ACLs. Layer 2 Access Control Lists (ACLs) filter incoming traffic based on Layer 2 MAC header fields in the Ethernet/IEEE 802.3 frame. Specifically, Layer 2 ACLs filter incoming traffic based on any of the following Layer 2 fields in the MAC header: •...
Configuring Layer 2 ACLs • You cannot add remarks to a Layer 2 ACL clause. Configuring Layer 2 ACLs Configuring a Layer 2 ACL is similar to configuring standard and extended ACLs. Layer 2 ACL table IDs range from 400 to 499, for a maximum of 100 configurable Layer 2 ACL tables. Within each Layer 2 ACL table, you can configure from 64 (default) to 256 clauses.
Configuring Layer 2 ACLs The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using F’s and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000.
Viewing Layer 2 ACLs Inserting and deleting Layer 2 ACL clauses You can make changes to the Layer 2 ACL table definitions without unbinding and rebinding the table from an interface. For example, you can add a new clause to the ACL table, delete a clause from the table, delete the ACL table, etc.
Viewing Layer 2 ACLs Example of Layer 2 ACL deny by MAC address In the following example, an ACL is created that denies all traffic from the host with the MAC address 0012.3456.7890 being sent to the host with the MAC address 0011.2233.4455. BigIron RX(config)# access-list 401 deny 0012.3456.7890 ffff.ffff.ffff 0011.2233.4455 ffff.ffff.ffff BigIron RX(config)# access-list 401 permit any any...
Chapter Access Control List This chapter describes the IP Access Control List (ACL) feature, which enables you to filter traffic based on the information in the IP packet header. For details on Layer 2 ACLs, refer to “Types of IP ACLs”...
Disabling or re-enabling Access Control Lists (ACLs) RX-BI-16XG (16 x 10GE) Module EGRESS ACL Configuration Guidelines • The RX-BI-16XG 16 x 10GE module only supports standard, extended, named, and numbered ACLs for outbound access-group applications. • Egress filtering on a subset of a VE's ports is not supported; matching must apply to all VE ports.
ACL IDs and entries Standard or extended ACLs can be numbered or named. Standard ACLs are numbered from 1 – 99, extended ACLs are numbered 100 – 199. Super ACLs may be assigned numbered IDs only, from 500 – 599. IDs for standard or extended ACLs can also be a character string (named). In this document, an ACL with a string ID is called a named ACL.
ACL-based inbound mirroring ACL-based inbound mirroring With IronWare Release 02.4.00, the Multi-Service IronWare software supports using an ACL to select traffic for mirroring from one port to another. Using this feature, you can monitor traffic in the mirrored port using a protocol analyzer. Considerations when configuring ACL-based inbound mirroring The following must be considered when configuring ACL-based Inbound Mirroring:...
ACL-based inbound mirroring BigIron RX(config)#access-list 101 permit ip any any mirror The mirror parameter directs selected traffic to the mirrored port. Traffic can only be selected using the permit clause. The mirror parameter is supported on rACLs. Applying the ACL to an interface You must apply the ACL to an interface using the ip access-group command as shown in the following.
ACL-based inbound mirroring BigIron RX(config)# trunk switch ethernet 1/1 to 1/2 BigIron RX(config-trunk-1/1-1/2)# config-trunk-ind BigIron RX(config-trunk-1/1-1/2)# acl-mirror-port ethe-port-monitored 1/1 ethernet 1/3 The following considerations apply when configuring ACL-based mirroring with trunks: • You must configure ACL-mirroring for a trunk within the trunk configuration as shown in the examples.
Configuring numbered and named ACLs Configuring ACL-based mirroring for ACLs bound to virtual interfaces For configurations that have an ACL bound to a virtual interface, you must configure the acl-mirror-port command on a port for each PPCR that is a member of the virtual interface. For example, in the following configuration ports 4/1 and 4/2 share the same PPCR while port 4/3 uses another PPCR.
Configuring numbered and named ACLs Standard ACLs permit or deny packets based on source IP addresses. You can configure up to 99 standard ACLs. There is no limit to the number of ACL entries an ACL can contain, except for the system-wide limitation.
Configuring numbered and named ACLs <wildcard> Specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>.
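An added example (Python, not the BigIron software) that evaluates both mask conventions the chapter describes: the Layer 2 ACL mask from "Configuring Layer 2 ACLs" (F bits are compared, as in the ffff.0000.0000 first-two-bytes example and access-list 401) and the IP ACL wildcard described here (zero bits are compared). The same bit pattern therefore means the opposite in the two ACL types, which is the misconfiguration the last test case exercises. The implicit deny at the end of each list and the host-match reading of an entry with no wildcard are assumptions.

```python
import ipaddress


def parse_mac(text: str) -> int:
    """Parse Brocade-style 'aabb.ccdd.eeff' (also aa:bb:... or aa-bb-...) into an int."""
    return int(text.replace(".", "").replace(":", "").replace("-", ""), 16)


def l2_match(addr: int, pattern: int, mask: int) -> bool:
    """Layer 2 ACL comparison: F (one) bits of the mask are compared, zero bits are ignored."""
    return (addr & mask) == (pattern & mask)


def ip_wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """IP ACL comparison: ZERO bits of the wildcard must match, one bits are ignored.
    Note the inversion relative to the Layer 2 mask above."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (p & care)


def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


class Layer2Acl:
    """Ordered clauses of one Layer 2 ACL table (IDs 400 to 499 on the page)."""

    def __init__(self, acl_id: int):
        if not 400 <= acl_id <= 499:
            raise ValueError("Layer 2 ACL table IDs range from 400 to 499")
        self.acl_id = acl_id
        self.clauses = []  # (action, src, src_mask, dst, dst_mask); None means 'any'

    @staticmethod
    def _addr(tokens):
        if tokens[0] == "any":
            return (None, None), tokens[1:]
        return (parse_mac(tokens[0]), parse_mac(tokens[1])), tokens[2:]

    def add(self, clause: str) -> None:
        """Accept the text that follows 'access-list <id>' on the CLI."""
        tok = clause.split()
        action, rest = tok[0], tok[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        src, rest = self._addr(rest)
        dst, rest = self._addr(rest)
        self.clauses.append((action, *src, *dst))

    def evaluate(self, src_mac: str, dst_mac: str) -> str:
        s, d = parse_mac(src_mac), parse_mac(dst_mac)
        for action, sp, sm, dp, dm in self.clauses:
            if (sp is None or l2_match(s, sp, sm)) and (dp is None or l2_match(d, dp, dm)):
                return action
        return "deny"  # assumption: implicit deny, hence the page's trailing 'permit any any'


class StandardIpAcl:
    """Ordered entries of a standard IP ACL (source address only)."""

    def __init__(self):
        self.entries = []  # (action, pattern, wildcard); pattern None means 'any'

    def add(self, entry: str) -> None:
        tok = entry.split()
        action, rest = tok[0], tok[1:]
        if rest[0] == "any":
            self.entries.append((action, None, None))
        elif rest[0] == "host":  # 'host X' is X with wildcard 0.0.0.0
            self.entries.append((action, rest[1], "0.0.0.0"))
        elif len(rest) > 1 and _is_ipv4(rest[1]):
            self.entries.append((action, rest[0], rest[1]))
        else:
            # assumption: an address with no wildcard ('deny 209.157.29.12 log') is a host match
            self.entries.append((action, rest[0], "0.0.0.0"))

    def evaluate(self, src_ip: str) -> str:
        for action, pattern, wildcard in self.entries:
            if pattern is None or ip_wildcard_match(src_ip, pattern, wildcard):
                return action
        return "deny"  # assumption: implicit deny at the end of the list
```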
Configuring numbered and named ACLs • Destination TCP or UDP port (if the IP protocol is TCP or UDP) The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255: • Internet Control Message Protocol (ICMP) •...
Configuring numbered and named ACLs The following commands apply ACL 102 to the incoming and outgoing traffic on port 1/2 and to the incoming traffic on port 4/3. BigIron RX(config)# int eth 1/2 BigIron RX(config-if-e10000-1/2)# ip access-group 102 in BigIron RX(config-if-e10000-1/2)# exit BigIron RX(config)# int eth 4/3 BigIron RX(config-if-e10000-4/3)# ip access-group 102 in BigIron RX(config)# write memory...
Configuring numbered and named ACLs <wildcard> Specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>.
Configuring numbered and named ACLs <operator> Specifies a comparison operator for the TCP or UDP port number. You can enter one of the following operators: • eq – The policy applies to the TCP or UDP port name or number you enter after •...
Configuring numbered and named ACLs <icmp-type> Enter one of the following values, depending on the software version the device is running: • any-icmp-type • echo • echo-reply • information-request • • mask-reply • mask-request • parameter-problem • redirect • source-quench •...
Configuring numbered and named ACLs • tos <name> | <num> Specify the IP ToS name or number. You can specify one of the following: • max-reliability or 2 – The ACL matches packets that have the maximum reliability ToS. The decimal value for this option is 2. •...
Configuring numbered and named ACLs • The dscp-cos-mapping parameter takes the DSCP value you specified and compares it to an internal QoS table, which is indexed by DSCP values. The corresponding 802.1p priority, internal forwarding priority, and DSCP value is assigned to the packet. For example, if you enter dscp-marking 7 and the internal QoS table is configured as shown in Table...
Configuring numbered and named ACLs The following examples show how to configure a named standard ACL entry and a named extended ACL entry. Configuration example for standard ACL To configure a named standard ACL entry, enter commands such as the following. BigIron RX(config)# ip access-list standard Net1 BigIron RX(config-std-nacl)# deny host 209.157.22.26 log BigIron RX(config-std-nacl)# deny 209.157.29.12 log...
Configuring numbered and named ACLs NOTE For convenience, the software allows you to configure numbered ACLs using the syntax for named ACLs. The software also still supports the older syntax for numbered ACLs. Although the software allows both methods for configuring numbered ACLs, numbered ACLs are always formatted in the startup-config and running-config files using the older syntax, as follows.
Configuring numbered and named ACLs Syntax: [no] ip access-group <num> in The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring extended numbered ACLs” on page 523.
Displaying ACL definitions Enables packet matching based on specified source TCP/UDP port. Enables packet matching based on specified destination TCP/UDP port. icmp-detail Enables packet matching based on ICMP information. 801.2-priority-matching Enables packet matching based on the specified 802.1p priority value. Valid range is 0-7.
Displaying ACL definitions BigIron RX(config)#show access-list name entry Standard IP access list entry deny host 5.6.7.8 deny host 192.168.12.3 permit any Syntax: show access-list name <acl-name> Enter the ACL name for the <acl-name> parameter or the ACL number for <acl-number>. Displaying TCP/UDP numbers in ACLs You can display the port numbers of TCP/UDP application information instead of their TCP/UDP well-known port name in the output of show commands and other commands that contain...
Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number Resource Location Protocol graphics Graphics nameserver Host Name Server nicname Who Is mpm-flags MPM FLAGS Protocol Message Processing Module [recv] mpm-snd MPM [default send] ni-ftp NI FTP auditd...
Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number mit-ml-dev2 MIT ML Device mfcobol Micro Focus Cobol kerberos Kerberos su-mit-tg SU/MIT Telnet Gateway dnsix DNSIX Securit Attribute Token Map mit-dov MIT Dover Spooler Network Printing Protocol Device Control Protocol objcall...
Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number erpc Encore Expedited Remote Pro.Call smakynet SMAKYNET ansatrader ANSA REX Trader locus-map Locus PC-Interface Net Map Ser unitary NXEdit locus-con Locus PC-Interface Conn Server gss-xlicen GSS X License Verification pwdgen...
Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number nss-routing NSS-Routing sgmp-traps SGMP-TRAPS cmip-man CMIP/TCP Manager cmip-agent CMIP/TCP Agent xns-courier Xerox s-net Sirius Systems namp NAMP rsvd RSVD send SEND print-srv Network PostScript multiplex Network Innovations Multiplex cl/1...
Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number dn6-smm-red DNSIX Session Mgt Module Audit Redir Directory Location Service dls-mon Directory Location Service Monitor smux SMUX IBM System Resource Controller at-rtmp AppleTalk Routing Maintenance at-nbp AppleTalk Name Binding at-3...
Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number csi-sgwp Cabletron Management Protocol clearcase Clearcase ulistserv ListProcessor legent-1 Legent Corporation legent-2 Legent Corporation hassle Hassle Amiga Envoy Network Inquiry Protocol tnETOS NEC Corporation dsETOS NEC Corporation is99c...
Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number imsp Interactive Mail Support Protocol timbuktu Timbuktu prm-sm Prospero Resource Manager Sys. Man. prm-nm Prospero Resource Manager Node Man. decladebug DECLadebug Remote Debug Protocol Remote MT Protocol synoptics-trap Trap Convention Port...
Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number cvc_hostd cvc_hostd http protocol over TLS/SSL snpp Simple Network Paging Protocol microsoft-ds Microsoft-DS ddm-rdb DDM-RDB ddm-dfm DDM-RFM ddm-byte DDM-BYTE as-servermap AS Server Mapper tserver Computer Supported Telecomunication Applications...
Displaying ACL definitions TABLE 100 TCP/UDP port numbers and names (Continued) Port service Port name Description number meter-570 demon meter-571 udemon ipcserver SUN ipc sERVER sift-uft Sender-Initiated or Unsolicited File Transfer npmp-trap npmp-trap npmp-local npmp-local npmp-gui npmp-gui ginad ginad mdqs mdqs doom doom ID software...
Modifying ACLs NOTE Logging is not currently supported on management interfaces. Enabling the new logging method There are no new CLI commands to enable this new processing method; it takes effect automatically if the following items have been configured: • Syslog logging is enabled.
Modifying ACLs You can use the CLI to reorder entries within an ACL by individually removing the ACL entries and then re-adding them. To use this method, enter “no” followed by the command for an ACL entry, and repeat this for each ACL entry in the ACL you want to edit. After removing all the ACL entries from the ACL, re-add them.
Modifying ACLs NOTE This command will be unsuccessful if you place any commands other than access-list and end (at the end only) in the file. These are the only commands that are valid in a file you load using the copy tftp running-config… command. To save the changes to the device’s startup-config file, enter the following command at the Privileged EXEC level of the CLI.
Modifying ACLs NOTE An ACL remark is attached to each individual filter only, not to the entire ACL. Complete the syntax by specifying any options you want for the ACL entry. Options you can use to configure standard or extended numbered ACLs are discussed in “Configuring standard or extended named ACLs”...
Deleting ACL entries • remark <string> - adds a comment to the ACL entry. The comment can contain up to 128 characters. Comments must be entered separately from actual ACL entries; that is, you cannot enter an ACL entry and an ACL comment with the same command. Also, in order for the remark to be displayed correctly in the output of show commands, a comment must be entered immediately before the ACL entry it describes.
Deleting ACL entries The <acl-number> parameter specifies the ACL entry to be deleted. The <acl-num> parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 1 – 99 for standard ACLs, 100 – 199 for extended ACLs, or 500 – 599 for super ACLs. You must enter the complete deny or permit statement for the <entire-deny-or-permit-statement>...
Applying ACLs to interfaces Applying ACLs to interfaces Configuration examples in the section “Configuring numbered and named ACLs” on page 521 show that you apply ACLs to interfaces using the ip access-group command. This section presents additional information about applying ACLs to interfaces. Configuration examples for super ACLs appear in the section “Configuring super ACLs”...
Applying ACLs to interfaces NOTE Applying an ACL to a subset of physical interfaces under a virtual routing interface multiplies the amount of CAM used by the number of physical interfaces specified. An ACL that successfully functions over a whole virtual routing interface may fail if you attempt to apply it to a subset of physical interfaces.
QoS options for IP ACLs When the first Syslog entry for a packet denied by an ACL is generated, the software starts an ACL timer. After this, the software sends Syslog messages every 1 to 10 minutes, depending on the value of the timer interval.
Enabling ACL duplication check Enabling ACL duplication check If desired, you can enable software checking for duplicate ACL entries. To do so, enter the following command at the Global CONFIG level of the CLI. BigIron RX(config)# acl-duplication-check-disable Syntax: [no] acl-duplication-check-disable This command is disabled by default.
ACL accounting
BigIron RX(config)#show access-list accounting brief
Collecting ACL accounting summary for VE 1 ... Completed successfully.
ACL Accounting Summary: (ac = accumulated since accounting started)
In ACL Total In Hit
VE 1 473963(1s) 25540391(1m) 87014178(5m) 112554569(ac)
The display shows the following information. This field...
ACL accounting This field... Displays... The IP multicast traffic snooping state The first line of the display indicates whether IP multicast traffic snooping is enabled or disabled. If enabled, it indicates if the feature is configured as passive or active. Collecting ACL accounting summary for Shows the interface included in the report and whether or not the <interface>...
Enabling ACL filtering of fragmented or non-fragmented packets Enabling ACL filtering of fragmented or non-fragmented packets By default, when an extended ACL is applied to a port, the port will use the ACL to permit or deny the first fragment of a fragmented packet, but forward subsequent fragments of the same packet in hardware.
ACL filtering for traffic switched within a virtual routing interface Enter the fragment parameter to allow the ACL to filter fragmented packets. Use the non-fragmented parameter to filter non-fragmented packets. NOTE The fragmented and non-fragmented parameters cannot be used together in an ACL entry. Complete the configuration by specifying options for the ACL entry.
ICMP filtering for extended ACLs Named ACLs For example, to deny the administratively-prohibited message type in a named ACL, enter commands such as the following.
BigIron RX(config)# ip access-list extended entry
BigIron RX(config-ext-nacl)# deny ICMP any any administratively-prohibited
BigIron RX(config)# ip access-list extended entry
BigIron RX(config-ext-nacl)# deny ICMP any any 3 13
Syntax: [no] ip access-list extended <acl-name>...
Troubleshooting ACLs TABLE 101 ICMP message types and codes (Continued) ICMP message type Type Code Information-reply mask-reply mask-request net-redirect net-tos-redirect net-tos-unreachable net-unreachable packet-too-big parameter-problem NOTE: This message includes all parameter problems port-unreachable precedence-cutoff protocol-unreachable reassembly-timeout redirect NOTE: This includes all redirects. router-advertisement router-solicitation source-host-isolated...
Troubleshooting ACLs • To determine whether the issue is specific to fragmentation, remove the Layer 4 information (TCP or UDP application ports) from the ACL, then reapply the ACL. If you are using another feature that requires ACLs, use the same ACL entries for filtering and for the other feature.
Chapter Policy-Based Routing Policy-Based Routing (PBR) Policy-Based Routing (PBR) allows you to use ACLs and route maps to selectively modify and route IP packets in hardware. The ACLs classify the traffic. Route maps that match on the ACLs set routing attributes for the traffic. A PBR policy specifies the next hop for traffic that matches the policy.
Configuring a PBR policy • ACL – 416 entries • Rate Limiting – 416, entries shared with PBR Configuring a PBR policy To configure PBR, you define the policies using IP ACLs and route maps, then enable PBR globally or on individual interfaces. The device programs the ACLs into the Layer 4 CAM on the interfaces and routes traffic that matches the ACLs according to the instructions in the route maps.
Configuring a PBR policy NOTE To specify the host name instead of the IP address, the host name must be configured using the Brocade device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI. The <wildcard>...
Configuring a PBR policy
BigIron RX(config)# route-map test-route permit 99
BigIron RX(config-routemap test-route)# match ip address 99
BigIron RX(config-routemap test-route)# set ip next-hop 192.168.2.1
BigIron RX(config-routemap test-route)# exit
The commands in this example configure an entry in a route map named “test-route”. The match statement matches on IP information in ACL 99.
Configuration examples Enabling PBR locally To enable PBR locally, enter commands such as the following.
BigIron RX(config)# interface ve 1
BigIron RX(config-vif-1)# ip policy route-map test-route
The commands in this example change the CLI to the Interface level for virtual interface 1, then apply the “test-route”...
Configuration examples Setting the next hop The following commands configure the device to apply PBR to traffic from IP subnets 209.157.23.x, 209.157.24.x, and 209.157.25.x. In this example, route maps specify the next-hop gateway for packets from each of these subnets: •...
Trunk formation Setting the output interface to the null interface The following commands configure a PBR to send all traffic from 192.168.1.204/32 to the null interface, thus dropping the traffic instead of forwarding it.
BigIron RX(config)# access-list 56 permit 209.168.1.204 0.0.0.0
The following commands configure an entry in a route map called “file-13”.
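The route-map examples above (the “test-route” entry that sets a next hop, and the “file-13” entry that sends matching traffic to the null interface) can be summarized as one decision procedure: a standard ACL classifies the packet by source address with wildcard masks, then route-map entries are walked in sequence order and the first one whose ACL permits the packet decides the outcome. The following Python model is an added illustration, not Brocade code. It reuses the addresses quoted in the text (209.157.23.x, 192.168.2.1, 192.168.1.204/32) but the ACL contents, the route-map sequence numbers and the combination of both entries into a single route map are constructed for the example.

```python
"""Model of the PBR decision described above (added illustration, not Brocade
code): a standard ACL classifies packets by source address using wildcard
masks, and a route map matched on that ACL either sets the next hop or sends
the traffic to the null interface, which drops it.  Addresses are the ones
quoted in the text or constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard mask semantics: a 1 bit in the mask means 'don't care'.
    0.0.0.0 therefore matches exactly one host, 0.0.0.255 a /24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class StdAclEntry:
    action: str                  # "permit" or "deny"
    base: str                    # address or network as typed in the ACL
    wildcard: str = "0.0.0.0"    # default models the 'host' form


def acl_permits(entries: List[StdAclEntry], src: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, e.base, e.wildcard):
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    acl: int                     # 'match ip address <acl>'
    next_hop: Optional[str]      # 'set ip next-hop'; None models the null interface


def pbr_decision(route_map: List[RouteMapEntry],
                 acls: Dict[int, List[StdAclEntry]],
                 src: str) -> Tuple[str, Optional[str]]:
    """Walk route-map entries in sequence order.  A packet the ACL denies does
    not match that entry (it is not dropped by it).  With no matching entry
    the packet is routed normally from the IP route table."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if acl_permits(acls[entry.acl], src):
            if entry.next_hop is None:
                return ("drop", None)
            return ("next-hop", entry.next_hop)
    return ("normal", None)


# Constructed configuration: ACL 99 permits 209.157.23.0/24 except one host,
# ACL 56 permits the single host from the null-interface example above.
ACLS: Dict[int, List[StdAclEntry]] = {
    99: [StdAclEntry("deny", "209.157.23.1"),
         StdAclEntry("permit", "209.157.23.0", "0.0.0.255")],
    56: [StdAclEntry("permit", "192.168.1.204")],
}

# Constructed route map: sequence 10 drops ACL 56 traffic (null interface),
# sequence 99 forwards ACL 99 traffic to 192.168.2.1 as in 'test-route'.
ROUTE_MAP: List[RouteMapEntry] = [
    RouteMapEntry(99, 99, "192.168.2.1"),
    RouteMapEntry(10, 56, None),
]

if __name__ == "__main__":
    for src in ("209.157.23.44", "209.157.23.1", "192.168.1.204", "10.0.0.1"):
        print(src, "->", pbr_decision(ROUTE_MAP, ACLS, src))
```

The point worth checking against a real configuration is the deny case: a source the ACL explicitly denies does not match the route-map entry and falls through to the next entry or to normal routing; it is not discarded. Only a permit that leads to the null interface drops traffic.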
Trunk formation BigIron RX Series Configuration Guide 53-1001986-01...
Chapter Configuring IP Multicast Protocols Overview of IP multicasting Multicast protocols allow a group or channel to be accessed over different networks by multiple stations (clients) for the receipt and transmit of multicast data. Distribution of stock quotes, video transmissions such as news services and remote classrooms, and video conferencing are all examples of applications that use multicast routing.
Changing global IP multicast parameters Leaf Nodes: Routers that do not have any downstream routers. Multicast Tree: A unique tree is built for each source group (S,G) pair. A multicast tree is comprised of a root node and one or more nodes that are leaf or intermediate nodes. NOTE Multicast protocols can only be applied to 1 physical interface.
IP multicast boundaries Configuration considerations • Normal ACL restrictions apply as to how many software ACLs can be created, but there are no hardware restrictions on ACLs with this feature. • Creation of a static IGMP client is allowed for a group on a port that may be prevented from participation in the group on account of an ACL bound to the port’s interface.
Passive Multicast Route Insertion (PMRI) Passive Multicast Route Insertion (PMRI) To prevent unwanted multicast traffic from being sent to the CPU, Passive Multicast Route Insertion (PMRI) can be used to ensure that multicast streams are only forwarded out ports with interested receivers and that unwanted traffic is dropped in hardware on Layer 3 Switches running software release 02.4.00 and later.
Changing IGMP V1 and V2 parameters Changing IGMP V1 and V2 parameters IGMP allows Brocade routers to limit the multicast of IGMP packets to only those ports on the router that are identified as IP Multicast members. The router actively sends out host queries to identify IP Multicast groups on the network. The following IGMP V1 and V2 parameters apply to PIM and DVMRP: •...
Adding an interface to a multicast group Modifying IGMP (V1 and V2) maximum response time Maximum response time defines how long the device will wait for an IGMP (V1 and V2) response from an interface before concluding that the group member on that interface is down and removing the interface from the group.
IGMP v3 IGMP v3 The Internet Group Management Protocol (IGMP) allows an IPV4 system to communicate IP Multicast group membership information to its neighboring routers. The routers in turn limit the multicast of IP packets with multicast destination addresses to only those interfaces on the router that are identified as IP Multicast group members.
IGMP v3 In response to membership reports from the interfaces, the router sends a Group-Specific or a Group-and-Source Specific query to the multicast interfaces. For example, a router receives a membership report with a Source-List-Change record to block old sources from an interface. The router sends Group-and-Source Specific Queries to the source and group (S,G) identified in the record.
IGMP v3 Enter 1, 2, or 3 for <version-number>. Version 2 is the default version. Enabling the IGMP version per interface setting To specify the IGMP version for a physical port, enter a command such as the following.
BigIron RX(config)# interface eth 1/5
BigIron RX(config-if-1/5)# ip igmp version 3
To specify the IGMP version for a virtual routing interface on a physical port, enter a command such as the following.
IGMP v3 • If the interface, to which the client belongs, has IGMP V3 clients only. Therefore, all physical ports on a virtual routing interface must have IGMP V3 enabled and no IGMP V1 or V2 clients can be on the interface. (Although IGMP V3 can handle V1 and V2 clients, these two clients cannot be on the interface in order for fast leave to take effect.) •...
IGMP v3 NOTE Static IGMP groups are supported only in Layer 3 mode. Setting the query interval The IGMP query interval period defines how often a switch will query an interface for group membership. Possible values are 10 – 3,600 seconds and the default value is 125 seconds, but the value you enter must be a little more than twice the group membership time.
IGMP v3
BigIron RX# show ip igmp group
Interface v18 : 1 groups
group phy-port static querier life mode #_src
239.0.0.1 e4/20 include 19
Interface v110 : 3 groups
group phy-port static querier life mode #_src
239.0.0.1 e4/5 include 10
239.0.0.1 e4/6 exclude 13...
IGMP v3 This field Displays Static A “yes” entry in this column indicates that the multicast group was configured as a static group; “No” means it was not. Static multicast groups can be configured in IGMP V2 using the ip igmp static command. In IGMP V3, static sources cannot be configured in static groups.
IGMP v3 Entering an address for <group-address> displays information for a specified group on the specified interface. The report shows the following information. This field Displays Query interval Displays how often a querier sends a general query on the interface. Max response The maximum number of seconds a client can wait before it replies to the query.
Configuring a static multicast route This field Displays Leave Number of IGMP V2 “leave” messages on the interface. (See ToEx for IGMP V3.) IsIN Number of source addresses that were included in the traffic. IsEX Number of source addresses that were excluded in the traffic. ToIN Number of times the interface mode changed from exclude to include.
Configuring a static multicast route
Syntax: ip mroute <ip-addr> interface ethernet <slot>/<portnum> | ve <num> [distance <num>]
Syntax: ip mroute <ip-addr> rpf_address <rpf-num>
The <ip-addr> parameter specifies the PIM source for the route. NOTE In IP multicasting, a route is handled in terms of its source, rather than its destination. You can use the ethernet <slot>/<portnum>...
PIM dense To add a static route to a virtual interface, enter commands such as the following.
BigIron RX(config)# ip mroute 0.0.0.0 0.0.0.0 int ve 1 distance 1
BigIron RX(config)# write memory
Next hop validation check Beginning with release 02.6.00, you can configure the BigIron RX to perform multicast validation checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
PIM dense NOTE Multicast protocols can only be applied to 1 physical interface. You must create multiple VLANs with individual untagged ports and ve’s under which you configure PIM. PIM was introduced to simplify some of the complexity of the routing protocol at the cost of additional overhead tied with a greater replication of forwarded multicast packets.
PIM dense When a node on the multicast delivery tree has all of its downstream branches (downstream interfaces) in the prune state, a prune message is sent upstream. In the case of R4, if both R5 and R6 are in a prune state at the same time, R4 becomes a leaf node with no downstream interfaces and sends a prune message to R1.
PIM dense FIGURE 91 Pruning leaf nodes from a multicast tree [figure: a video conferencing server is the source 207.95.5.1 for group 229.225.0.1, written as the (Source, Group) pair (207.95.5.1, 229.225.0.1); group members hang off several routers, while the leaf node R4 has no group members and sends a prune message to its upstream router]
PIM dense The primary difference between PIM DM V1 and V2 is the methods the protocols use for messaging: • PIM DM V1 – uses the IGMP to send messages. • PIM DM V2 – sends messages to the multicast address 224.0.0.13 (ALL-PIM-ROUTERS) with protocol number 103.
PIM dense • Entering the router pim command to enable PIM does not require a software reload. • Entering a no router pim command removes all configuration for PIM multicast on a BigIron RX (router pim level) only. Enabling a PIM version To enable PIM, globally enable PIM and then enable it on interface 1/3 by entering the following commands.
PIM dense Modifying hello timer This parameter defines the interval at which periodic hellos are sent out PIM interfaces. Routers use hello messages to inform neighboring routers of their presence. The default rate is 60 seconds. To apply a PIM hello timer of 120 seconds to all ports on the router operating with PIM, enter the following.
PIM dense
BigIron RX(config)#show ip pim dense
Global PIM Dense Mode Settings
Hello interval: 60, Neighbor timeout: 180
Graft Retransmit interval: 180, Inactivity interval: 180
Route Expire interval: 200, Route Discard interval: 340
Prune age: 180, Prune wait: 3
Syntax: show ip pim dense
Modifying graft retransmit timer The Graft Retransmit Timer defines the interval between the transmission of graft messages.
PIM Sparse
Total number of IP routes: 19
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
Destination NetMask Gateway Port Cost Type
172.17.41.4 255.255.255.252*137.80.127.3
172.17.41.4 255.255.255.252 137.80.126.3
172.17.41.4 255.255.255.252 137.80.129.1
172.17.41.4 255.255.255.252 137.80.128.3
172.17.41.8 255.255.255.252 0.0.0.0
Failover time in a multi-path topology Previously, when a port in a multi-path topology fails, multicast routers, depending on the routing protocol being used, take a few seconds to establish a new path, if the failed port is the input port of the downstream router.
PIM Sparse FIGURE 92 Example PIM Sparse domain [figure: an interface on PIM Sparse router B is also the Bootstrap Router (BR) for this PIM Sparse domain and the Rendezvous Point (RP) for the PIM Sparse groups in this domain; ports 2/1 and 2/2 carry addresses 207.95.8.10 and 207.95.7.1, and the Rendezvous Point (RP) path is marked]
PIM Sparse from a group source to the group’s receivers. After the first packet, the BigIron RX calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver. The BigIron RX calculates a separate SPT for each source-receiver pair.
PIM Sparse NOTE Brocade recommends that you configure the same BigIron RX as both the BSR and the RP. Current limitations The implementation of PIM Sparse in the current software release has the following limitations: • PIM Sparse and regular PIM (dense mode) cannot be used on the same interface. •...
PIM Sparse If the interface is on the border of the PIM Sparse domain, you also must enter the following command. BigIron RX(config-if-e10000-2/2)# ip pim border Syntax: [no] ip pim border NOTE You cannot configure a Brocade routing interface as a PMBR interface for PIM Sparse in the current software release.
PIM Sparse The ethernet <slot>/<portnum> | loopback <num> | ve <num> parameter specifies the interface. The BigIron RX will advertise the specified interface’s IP address as a candidate RP. • Enter ethernet <slot>/<portnum> for a physical interface (port). • Enter ve <num> for a virtual interface. •...
PIM Sparse If you explicitly specify the RP, the BigIron RX uses the specified RP for all group-to-RP mappings and overrides the set of candidate RPs supplied by the BSR. NOTE Specify the same IP address as the RP on all PIM Sparse routers within the PIM Sparse domain. Make sure the router is on the backbone or is otherwise well connected to the rest of the network.
Route selection precedence for multicast Displaying the static RP Use the show ip pim rp-set command to display static RP and the associated group ranges.
BigIron RX(config)# show ip pim rp-set
Static RP and associated group ranges
-------------------------------------
Static RP count: 4
130.1.1.1
permit 238.1.1.0/24
permit 239.1.0.0/16...
Route selection precedence for multicast To specify a non-default route from the mRTM, then a non-default route from the uRTM, then a default route from the mRTM, and then a default route from the uRTM, enter commands such as the following.
BigIron RX(config)# router pim
BigIron RX(config-pim-router)# route-precedence mc-non-default uc-non-default mcdefault uc-default...
Displaying PIM Sparse configuration information and statistics The infinity | <num> parameter specifies the number of packets. If you specify infinity, the BigIron RX sends packets using the RP indefinitely and does not switch over to the SPT. If you enter a specific number of packets, the BigIron RX does not switch over to using the SPT until it has sent the number of packets you specify using the RP.
Displaying PIM Sparse configuration information and statistics • The PIM flow cache • The PIM multicast cache • PIM traffic statistics Displaying basic PIM Sparse configuration information To display PIM Sparse configuration information, enter the following command at any CLI level.
BigIron RX(config-pim-router)# show ip pim sparse
Global PIM Sparse Mode Settings
Hello interval: 60, Neighbor timeout: 180...
Displaying PIM Sparse configuration information and statistics This field... Displays... Join/Prune interval How frequently the BigIron RX sends PIM Sparse Join/Prune messages for the multicast groups it is forwarding. This field shows the number of seconds between Join/Prune messages. The BigIron RX sends Join/Prune messages on behalf of multicast receivers who want to join or leave a PIM Sparse group.
Displaying PIM Sparse configuration information and statistics This field... Displays... Group The multicast group address Ports The BigIron RX ports connected to the receivers of the groups. Displaying BSR information To display BSR information, enter the following command at any CLI level. BigIron RX(config-pim-router)# show ip pim bsr PIMv2 Bootstrap information This system is the elected Bootstrap Router (BSR)
Displaying PIM Sparse configuration information and statistics This field... Displays... Next bootstrap message in NOTE: Indicates how many seconds will pass before the BSR sends its next Bootstrap message. NOTE: This field appears only if this BigIron RX is the BSR. Next Candidate-RP-advertisement Indicates how many seconds will pass before the BSR sends its next message in...
Displaying PIM Sparse configuration information and statistics This field... Displays... group prefixes Indicates the multicast groups for which the RP listed by the previous field is a candidate RP. NOTE: This field appears only if this BigIron RX is a candidate RP. Candidate-RP-advertisement period Indicates how frequently the BSR sends candidate RP advertisement messages.
Displaying PIM Sparse configuration information and statistics This field... Displays... Indicates the IP address of the Rendezvous Point (RP) for the specified PIM Sparse group. Following the IP address is the port or virtual interface through which this BigIron RX learned the identity of the RP. Info source Indicates the IP address on which the RP information was received.
Displaying PIM Sparse configuration information and statistics
BigIron RX(config-pim-router)# show ip pim nbr
Port Neighbor Holdtime UpTime
e3/8 207.95.8.10
Port Neighbor Holdtime UpTime
207.95.6.2
Syntax: show ip pim nbr
This display shows the following information. This field... Displays... Port The interface through which the BigIron RX is connected to the neighbor. Neighbor The IP interface of the PIM neighbor interface.
Displaying PIM Sparse configuration information and statistics
BigIron RX# show ip pim rpf 1.2.3.4
no route
BigIron RX# show ip pim rpf 1.10.10.24
upstream neighbor=1.1.20.1 on v21 using ip route
Syntax: show ip pim | dvmrp rpf <IP address>
Where <IP address> is a valid source IP address. Displaying the PIM multicast cache To display the PIM multicast cache, enter the following command at any CLI level.
Displaying PIM Sparse configuration information and statistics This field... Displays... (<source>, <group>) The comma-separated values in parentheses are a source-group pair. The <source> is the PIM source for the multicast <group>. For example, the following entry means source 209.157.24.162 for group 239.255.162.1: (209.157.24.162,239.255.162.1) If the <source>...
PIM-SSMv4 Displaying PIM traffic statistics To display PIM traffic statistics, enter the following command at any CLI level.
BigIron RX(config-pim-router)# show ip pim traffic
Port Hello Register RegStop Assert
e3/8
Total 37
IGMP Statistics:
Total Recv/Xmit 85/110
Total Discard/chksum
Syntax: show ip pim traffic
NOTE If you have configured interfaces for standard PIM (dense mode) on the BigIron RX, statistics for these interfaces are listed first by the display.
Configuring Multicast Source Discovery Protocol (MSDP) The amount of unwanted traffic in the network is reduced, but because each multicast group is associated with a particular host, different hosts can be assigned the same multicast address for different streams. This greatly increases the number of multicast groups that can be used in the network.
Configuring Multicast Source Discovery Protocol (MSDP) FIGURE 93 PIM Sparse domains joined by MSDP routers [figure: PIM Sparse Domain 1 and PIM Sparse Domain 2, each with a Designated Router (DR) and a Rendezvous Point (RP); step 2: the RP sends an SA message through MSDP to its MSDP peers in other PIM Sparse domains]
Configuring Multicast Source Discovery Protocol (MSDP) Peer Reverse Path Forwarding (RPF) flooding When the MSDP router (also the RP) in domain 2 receives the Source Active message from its peer in domain 1, the MSDP router in domain 2 forwards the message to all its other peers. The propagation process is sometimes called “peer Reverse Path Forwarding (RPF) flooding”.
Configuring Multicast Source Discovery Protocol (MSDP) • Configure the MSDP peers NOTE The PIM Sparse Rendezvous Point (RP) is also an MSDP peer. Routers that run MSDP must also run BGP. Also, the source address used by the MSDP router must be the same source address used by BGP.
Configuring Multicast Source Discovery Protocol (MSDP) Designating an interface’s IP address as the RP’s IP address When an RP receives a Source Active message, it checks its PIM Sparse multicast group table for receivers for the group. If it finds a receiver, the RP sends a Join message for that receiver back to the RP that originated the Source Active message.
Configuring Multicast Source Discovery Protocol (MSDP) The following commands configure an IP address on port 3/1. This is the port on which the MSDP neighbors will be configured.
BigIron RX(config)# interface ethernet 3/1
BigIron RX(config-if-e1000-3/1)# ip address 2.2.2.98/24
BigIron RX(config-if-e1000-3/1)# exit
The following commands configure a loopback interface.
Configuring Multicast Source Discovery Protocol (MSDP) • sa-filter in 2.2.2.97 route-map msdp_map – This command ignores source-group pairs received from neighbor 2.2.2.97 if the pairs have source address 10.x.x.x and any group address. • sa-filter in 2.2.2.96 route-map msdp2_map rp-route-map msdp2_rp_map – This command accepts all source-group pairs except those associated with RP 2.2.42.3.
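The two sa-filter examples above, together with the peer RPF flooding behaviour described a few paragraphs earlier (an accepted Source Active message is forwarded to all of the router's other peers), can be modelled in a few lines. The Python below is an added illustration, not Brocade code: the route-map on source-group pairs is modelled as a deny list of source prefixes, and the rp-route-map as a deny list of RP addresses. The peer addresses 2.2.2.97 and 2.2.2.96, the 10.x.x.x source range, the RP 2.2.42.3 and the cache entry (100.100.1.254, 232.1.0.95) with RP 206.251.17.41 come from the text; the third peer 2.2.2.95 and the SA messages fed in are constructed.

```python
"""Model of MSDP Source Active (SA) handling described above (added
illustration, not Brocade code): an inbound sa-filter per peer, modelled as a
deny list of source prefixes (the route-map) and a deny list of RP addresses
(the rp-route-map), followed by the simplified peer RPF flooding the text
describes, in which an accepted SA is forwarded to every other peer.
Peer, RP and group addresses come from the text; the SA messages and the
third peer are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class SourceActive:
    source: str     # multicast source address
    group: str      # multicast group
    rp: str         # RP that originated the SA message


@dataclass
class SaFilter:
    """Inbound filter for one peer.  An empty filter accepts everything."""
    deny_source_nets: List[str] = field(default_factory=list)   # route-map part
    deny_rps: List[str] = field(default_factory=list)           # rp-route-map part

    def accepts(self, sa: SourceActive) -> bool:
        src = ipaddress.IPv4Address(sa.source)
        if any(src in ipaddress.IPv4Network(net) for net in self.deny_source_nets):
            return False
        return sa.rp not in self.deny_rps


class MsdpRouter:
    def __init__(self, peers: List[str], filters: Dict[str, SaFilter]):
        self.peers = peers
        self.filters = filters
        self.sa_cache: Set[SourceActive] = set()

    def receive(self, from_peer: str, sa: SourceActive) -> List[str]:
        """Apply the sending peer's sa-filter; on acceptance cache the (S,G,RP)
        entry and return the peers the SA is flooded to (all peers except the
        sender).  A rejected SA is neither cached nor forwarded."""
        flt = self.filters.get(from_peer)
        if flt is not None and not flt.accepts(sa):
            return []
        self.sa_cache.add(sa)
        return [p for p in self.peers if p != from_peer]


def build_router() -> MsdpRouter:
    """Peers and filters matching the sa-filter examples in the text; the
    third peer 2.2.2.95 is constructed and carries no filter."""
    return MsdpRouter(
        peers=["2.2.2.97", "2.2.2.96", "2.2.2.95"],
        filters={
            "2.2.2.97": SaFilter(deny_source_nets=["10.0.0.0/8"]),   # msdp_map
            "2.2.2.96": SaFilter(deny_rps=["2.2.42.3"]),             # msdp2_rp_map
        },
    )


if __name__ == "__main__":
    r = build_router()
    print(r.receive("2.2.2.97", SourceActive("10.1.1.1", "239.1.1.1", "2.2.2.97")))
    print(r.receive("2.2.2.97", SourceActive("100.100.1.254", "232.1.0.95", "206.251.17.41")))
    print(sorted(s.source for s in r.sa_cache))
```

Note that the filter is bound to the peer the SA arrives from, not to the source: the same 10.x.x.x source announced by the unfiltered peer 2.2.2.95 is accepted and flooded, which is the behaviour to keep in mind when deciding which peers need an inbound sa-filter.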
Configuring MSDP mesh groups TABLE 102 MSDP source active cache (Continued) This field... Displays... SourceAddr The IP address of the multicast source. GroupAddr The IP multicast group to which the source is sending information. The RP through which receivers can access the group traffic from the source The number of seconds the entry has been in the cache Configuring MSDP mesh groups...
Configuring MSDP mesh groups FIGURE 94 Example of MSDP mesh group [figure: PIM Sparse Domain 1 containing Mesh Group A and a Designated Router (DR); step 2: the RP sends an SA message to its peers within the domain; step 3: the RPs within the domain receive the SA message and flood it to their peers in other PIM Sparse domains]
Configuring MSDP mesh groups Syntax: [no] mesh-group <group-name> <peer-address> The sample configuration above reflects the configuration in Figure 94. On RP 206.251.21.31 you specify its peers within the same domain (206.251.21.31, 206.251.17.31, and 206.251.13.31). You first configure the MSDP peers using the msdp-peer command to assign their IP addresses and the loopback interfaces.
Configuring MSDP mesh groups Configuration for Device A The following set of commands configures the MSDP peers of Device A (1.1.1.1) that are inside and outside MSDP mesh group 1234. Device A’s peers inside the mesh group 1234 are 1.1.2.1, 1.1.3.1, and 1.1.4.1.
Configuring MSDP mesh groups The following set of commands configures the MSDP peers of Device B. All Device B’s peers (1.1.1.1, 1.1.3.1, and 1.1.4.1) are in the MSDP mesh group 1234. Multicast is enabled on Device B’s interfaces. PIM and BGP are also enabled.
BigIron RX(config)# router pim
BigIron RX(config)# router msdp
BigIron RX(config-msdp-router)# msdp-peer 1.1.3.1 connect-source loopback 1...
Configuring MSDP mesh groups Displaying MSDP information You can display the following MSDP information: • Summary information – the IP addresses of the peers, the state of the BigIron RX’s MSDP session with each peer, and statistics for Keepalive, Source Active, and Notification messages sent to and received from each of the peers.
Configuring MSDP mesh groups
Displaying peer information
To display MSDP peer information, use the following CLI method.
BigIron RX# show ip msdp peer
Total number of MSDP Peers: 2
IP Address State
206.251.17.30 ESTABLISHED
Keep Alive Time Hold Time
Message Sent Message Received
Keep Alive Notifications...
Configuring MSDP mesh groups
TABLE 104 MSDP peer information (Continued)
This field... Displays...
Keep Alive Message Received – The number of Keep Alive messages the MSDP router has received from the peer.
Notifications Sent – The number of Notification messages the MSDP router has sent to the peer.
Configuring MSDP mesh groups
TABLE 104 MSDP peer information (Continued)
This field... Displays...
TCP connection state – The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
•...
Clearing MSDP information
Displaying source active cache information
To display the Source Actives in the MSDP cache, use the following CLI method.
BigIron RX# show ip msdp sa-cache
Total Entry 4096, Used 1800 Free 2296
Index SourceAddr GroupAddr
(100.100.1.254, 232.1.0.95), RP:206.251.17.41, Age:0
(100.100.1.254, 237.1.0.98), RP:206.251.17.41, Age:30
(100.100.1.254, 234.1.0.48), RP:206.251.17.41, Age:30
(100.100.1.254, 239.1.0.51), RP:206.251.17.41, Age:30...
DVMRP overview
BigIron RX# clear ip msdp peer 205.216.162.1
Remote connection closed
Syntax: clear ip msdp peer <ip-addr>
The command in this example clears the MSDP peer connection with MSDP router 205.216.162.1. The CLI displays a message to indicate when the connection has been successfully closed.
Clearing the source active cache
To clear the entries from the Source Active cache, enter the following command at the Privileged EXEC level of the CLI.
DVMRP overview Initiating DVMRP multicasts on a network Once DVMRP is enabled on each router, a network user can begin a video conference multicast from the server on R1. Multicast Delivery Trees are initially formed by source-originated multicast packets that are propagated to downstream interfaces as seen in Figure 96.
DVMRP overview
FIGURE 96 Downstream broadcast of IP multicast packets from source host (figure labels: Video Conferencing Server; (Source, Group) = (207.95.5.1, 229.225.0.1); Group Member nodes for 229.225.0.1; Leaf Node (No Group Members)...)
DVMRP overview
FIGURE 97 Pruning leaf nodes from a multicast tree (figure labels: Video Conferencing Server; (Source, Group) = (207.95.5.1, 229.225.0.1); Group Member nodes for 229.225.0.1; Leaf Node (No Group Members); callout: Prune Message sent to upstream router (R4)...)
Configuring DVMRP Configuring DVMRP Enabling DVMRP globally and on an interface Suppose you want to initiate the use of desktop video for fellow users on a sprawling campus network. All destination workstations have the appropriate hardware and software but the BigIron RXes that connect the various buildings need to be configured to support DVMRP multicasts from the designated video conference server as seen in Figure...
Configuring DVMRP
• Route expire time
• Route discard time
• Prune age
• Graft retransmit time
• Probe interval
• Report interval
• Trigger interval
• Default route
Modifying neighbor timeout
The neighbor timeout specifies the period of time that a router will wait before it defines an attached DVMRP neighbor router as down.
Configuring DVMRP Modifying graft retransmit time The Graft Retransmit Time defines the initial period of time that a router sending a graft message will wait for a graft acknowledgement from an upstream router before re-transmitting that message. Subsequent retransmissions are sent at an interval twice that of the preceding interval. Possible values are from 5 –...
Configuring DVMRP
BigIron RX(config-dvmrp-router)# default-gateway 192.35.4.1
Syntax: default-gateway <ip-addr>
Modifying DVMRP interface parameters
DVMRP global parameters come with preset values. The defaults work well in most networks, but you can modify the following interface parameters if you need to:
• •...
Configuring a static multicast route
Displaying information about an upstream neighbor device
You can view information about the upstream neighbor device for a given source IP address for IP PIM packets. The software uses the IP route table or multicast route table to look up the upstream neighbor device.
Configuring IP multicast traffic reduction
NOTE Regardless of the administrative distances, the BigIron RX Series router always prefers directly connected routes over other routes.
FIGURE 98 Example multicast static routes (figure labels: PIM Router D; 9.9.9.101; e6/14; Client; Multicast group 239.255.162.1; e4/11; 207.95.6.1; e1/2; PIM Router A...)
Configuring IP multicast traffic reduction When you enable IP Multicast Traffic Reduction, you also can configure the following features: • IGMP mode – When you enable IP Multicast Traffic Reduction, the device passively listens for IGMP Group Membership reports by default. If the multicast domain does not have a to send IGMP queries to elicit these Group Membership reports, you can enable the device to actively send the IGMP queries.
Configuring IP multicast traffic reduction NOTE When one or more BigIron RX devices are running Layer 2 IP Multicast Traffic reduction, configure one of the devices for active IGMP and leave the other devices configured for passive IGMP. However, if the IP multicast domain contains a multicast-capable, configure all the BigIron RX devices for passive IGMP and allow the to actively send the IGMP queries.
Configuring IP multicast traffic reduction Syntax: Passive – When passive IGMP mode is enabled, the switch listens for IGMP Group Membership reports on the VLAN instance specified but does not send IGMP queries. The passive mode is called “IGMP snooping”. Use this mode when another device in the VLAN instance is actively sending queries.
Configuring IP multicast traffic reduction • Passive – When passive IGMP mode is enabled, the device listens for IGMP Group Membership reports but does not send IGMP queries. The passive mode is sometimes called “IGMP snooping”. Use this mode when another device in the network is actively sending queries.
Configuring IP multicast traffic reduction When the device starts up, it forwards all multicast groups even though multicast traffic filters are configured. This process continues until the device receives a group membership report. Once the group membership report is received, the device drops all multicast packets for groups other than the ones for which the device has received the group membership report.
Configuring IP multicast traffic reduction
Use the port-list parameter to define the member ports on which the ACL is applied. The ACL will be applied to the multicast traffic arriving in both directions. Use the no multicast boundary command to remove the boundary on an IGMP enabled interface.
NOTE The ACL MyBrocadeAccessList can be configured using standard ACL syntax, which can be found in the ACL section.
Configuring IP multicast traffic reduction
FIGURE 99 PIM SM traffic reduction in enterprise network (figure callout: The switch snoops for PIM SM join and prune messages. The switch detects a source on port1/1 and a receiver for that source’s group on port5/1. It then forwards multicast data from the source on port1/1. Figure labels: Source for Groups 239.255.162.1...)
Configuring IP multicast traffic reduction
Notice that the ports connected to the source and the receivers are all in the same port-based VLAN on the device. This is required for the PIM SM snooping feature. The feature also requires the source and the downstream router to be on different IP subnets, as shown in the preceding figure. Figure 100 shows another example application for PIM SM traffic snooping.
Configuring IP multicast traffic reduction • The PIM SM snooping feature assumes that the group source and the device are in different subnets and communicate through a router. The source must be in a different IP subnet than the receivers. A PIM SM router sends PIM join and prune messages on behalf of a multicast group receiver only when the router and the source are in different subnets.
Configuring IP multicast traffic reduction
Syntax: [no] multicast pimsm-snooping
Configuring PIM proxy per VLAN instance
Using the PIM proxy function, multicast traffic can be reduced by configuring a BigIron RX switch to issue PIM join and prune messages on behalf of hosts that the configured switch discovers through standard PIM interfaces.
Configuring IP multicast traffic reduction
BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 include 10.43.1.12 uplink
To configure the snooping device to statically join all multicast streams on the uplink interface excluding the stream with source address 10.43.1.12, enter commands such as the following.
BigIron RX(config)# vlan 100
BigIron RX(config-vlan-100)# multicast static-group 224.10.1.1 exclude 10.43.1.12 uplink...
Configuring IP multicast traffic reduction The uplink parameter specifies the port as an uplink port that can receive multicast data for the configured multicast groups. Upstream traffic will be sent to the switch and will not use a port. The port-list parameter specifies the range of ports to include in the configuration. The no form of this command removes the static multicast definition.
Chapter Configuring RIP Overview of Routing Information Protocol (RIP) Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing distance) to measure the cost of a given route. The cost is a distance vector because the cost often is equivalent to the number of router hops between the device and the destination network.
Configuring RIP parameters
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e1000-1/1)# ip rip v1-only
Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only
Configuring metric parameters
By default, a device port increases the cost of a RIP route that is learned or advertised on the port by one.
Configuring RIP parameters Configuring redistribution You can configure the device to redistribute routes learned through OSPF or BGP4, connected into RIP, or static routes. When you redistribute a route from one of these other protocols into RIP, the device can use RIP to advertise the route to its RIP neighbors. To configure redistribution, perform the following tasks: •...
Configuring RIP parameters Syntax: [no] ip rip learn-default Configuring a RIP neighbor filter By default, a device learns RIP routes from all its RIP neighbors. Neighbor filters allow you to specify the neighbor routers from which the device can receive RIP routes. Neighbor filters apply globally to all ports.
Configuring RIP parameters
To disable split horizon and enable poison reverse on an interface, enter a command such as the following.
BigIron RX(config-if-e10000-1/1)# ip rip poison-reverse
You can configure the device to avoid routing loops by advertising local RIP routes with a cost of 16 (“infinite”...
Configuring RIP parameters
BigIron RX(config)# ip prefix-list list1 permit 192.53.4.1 255.255.255.0
BigIron RX(config)# ip prefix-list list2 permit 192.53.5.1 255.255.255.0
BigIron RX(config)# ip prefix-list list3 permit 192.53.6.1 255.255.255.0
BigIron RX(config)# ip prefix-list list4 deny 192.53.7.1 255.255.255.0
The prefix lists permit routes to three networks, and deny the route to one network. Since the default action is permit, all other routes (routes not explicitly permitted or denied by the filters) can be learned or advertised.
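To make the "default action is permit" rule concrete, here is an added Python model (not BigIron RX code) of how the four prefix lists above decide the fate of a RIP route. The function names are assumptions for the example, as are three details the text leaves open: a route matches an entry when the route's network lies within the entry's address/mask, the lists are consulted in the order configured with the first match deciding, and a route that matches nothing is permitted. The four entries are copied from the commands above.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example: applying the four prefix-list filters above to RIP routes.
# Names are assumptions for this illustration, not Brocade CLI objects.

# (list name, action, address, mask) exactly as in the four commands above
PREFIX_LISTS: List[Tuple[str, str, str, str]] = [
    ("list1", "permit", "192.53.4.1", "255.255.255.0"),
    ("list2", "permit", "192.53.5.1", "255.255.255.0"),
    ("list3", "permit", "192.53.6.1", "255.255.255.0"),
    ("list4", "deny",   "192.53.7.1", "255.255.255.0"),
]


def entry_network(address: str, mask: str) -> ipaddress.IPv4Network:
    """Turn 'address mask' as typed on the CLI into the network it names;
    strict=False discards the host bits (192.53.4.1/24 -> 192.53.4.0/24)."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def rip_route_decision(route: str,
                       prefix_lists=PREFIX_LISTS) -> Tuple[bool, Optional[str]]:
    """Return (allowed, name of the list that matched, or None).

    Assumptions of this example: a route matches an entry when the route's
    network lies within the entry's network; lists are consulted in the order
    configured and the first match decides; a route matching no entry is
    permitted, which is the default action the text describes."""
    net = ipaddress.ip_network(route, strict=False)
    for name, action, address, mask in prefix_lists:
        if net.subnet_of(entry_network(address, mask)):
            return action == "permit", name
    return True, None


def filter_rip_update(routes: List[str]) -> List[str]:
    """Keep only the routes the prefix lists allow (e.g. from one RIP update)."""
    return [route for route in routes if rip_route_decision(route)[0]]


if __name__ == "__main__":
    # Constructed sample update: two covered by the permits, one explicitly
    # denied, one more-specific subnet of the denied network, one unlisted.
    update = ["192.53.4.0/24", "192.53.5.0/24", "192.53.7.0/24",
              "192.53.7.128/25", "10.0.0.0/8"]
    for route in update:
        print(route, rip_route_decision(route))
    print("accepted:", filter_rip_update(update))
```

The 192.53.7.128/25 case is the one worth noticing: under the "lies within" match it is caught by list4 and dropped, whereas an exact-match implementation would let it through because no entry names that /25. Whichever matching rule a platform actually uses, a filter that is meant to block a network should be tested with a more specific prefix as well as the prefix itself.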
Displaying RIP filters
To display RIP filters, enter the following command at any CLI level.
BigIron RX> show ip rip
RIP Summary
Default port 520
Administrative distance is 120
updates every 30 seconds, expire after 180
Holddown lasts 180 seconds, garbage collect after 120
Last broadcast 30, Next Update 29
Need trigger update 0, next trigger broadcast 1
Minimum update interval 25, Max update offset 5...
Displaying RIP filters
Clearing the RIP routes from the routing table
Clearing all the routes from the routing table
To clear RIP local routes, enter a command such as the following.
BigIron(config)#clear ip rip local routes
Syntax: clear ip rip local routes
To clear the RIP routes from the RIP database, enter a command such as the following.
Chapter Configuring OSPF Version 2 (IPv4) Overview of OSPF (Open Shortest Path First) OSPF is a link-state routing protocol. The protocol uses link-state advertisements (LSA) to update neighboring routers regarding its interfaces and information on those interfaces. The router floods these LSAs to all neighboring routers to update them regarding the interfaces.
Overview of OSPF (Open Shortest Path First)
FIGURE 101 OSPF operating in a network (figure labels: Area 0.0.0.0 Backbone Area; Area 200.5.0.0; Router D 208.5.1.1, Area Border Router (ABR); Area 192.5.1.0; Virtual Link; Router A 206.5.1.1; Router E; Router B, Area Border Router (ABR); Router F; Router C; Autonomous System...)
Overview of OSPF (Open Shortest Path First)
FIGURE 102 Designated and backup router election (figure labels: priority 10; Designated Router; Backup Designated Router; Router A; priority 5; priority 20; Router B; Router C)
If the DR goes off-line, the BDR automatically becomes the DR. The router with the next highest priority becomes the new BDR.
Overview of OSPF (Open Shortest Path First) NOTE By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device.
Overview of OSPF (Open Shortest Path First)
FIGURE 104 AS external LSA reduction (figure callout: Routers D, E, and F are OSPF ASBRs and EBGP routers. Figure labels: OSPF Autonomous System (AS); Another routing domain (such as BGP4 or RIP); Router A; Router D, Router ID: 2.2.2.2; Router B; Router F...)
Overview of OSPF (Open Shortest Path First) • A second ASBR comes on-line • A second ASBR that is already on-line begins advertising an equivalent route to the same destination. In either case above, the router with the higher router ID floods the AS External LSAs and the other router flushes its equivalent AS External LSAs.
Configuring OSPF
2. Compare the networks that have the same network address to determine which network is more specific. The more specific network is the one that has more contiguous one bits in its network mask. For example, network 10.0.0.0 255.255.0.0 is more specific than network 10.0.0.0 255.0.0.0, because the first network has 16 one bits (255.255.0.0) whereas the second network has only 8 one bits (255.0.0.0).
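The comparison in step 2 is simple to state but easy to get wrong on malformed input, so here is an added Python implementation (not BigIron RX code) that counts the contiguous one bits of a dotted-decimal mask, rejects masks whose one bits are not contiguous, and returns the more specific of two networks that share a network address. The function names are assumptions for the example; the 10.0.0.0 255.255.0.0 versus 10.0.0.0 255.0.0.0 case is the one from the text.

```python
from typing import Optional, Tuple

# Added example implementing the "more specific network" comparison above.
# Function names are assumptions for this illustration.

Network = Tuple[str, str]  # (network address, dotted-decimal mask)


def mask_ones(mask: str) -> int:
    """Count the contiguous one bits in a dotted-decimal mask.

    Raises ValueError for malformed masks and for masks whose one bits are
    not contiguous (e.g. 255.0.255.0), which no valid network mask uses."""
    octets = mask.split(".")
    if len(octets) != 4:
        raise ValueError(f"malformed mask {mask!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"malformed mask {mask!r}")
        value = (value << 8) | n
    ones = bin(value).count("1")
    # A contiguous mask is exactly `ones` leading ones followed by zeros.
    if value != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous mask {mask!r}")
    return ones


def more_specific(a: Network, b: Network) -> Optional[Network]:
    """Of two networks with the same network address, return the one whose
    mask has more one bits; None when the masks are equal (same network)."""
    if a[0] != b[0]:
        raise ValueError("networks must share the same network address")
    ones_a, ones_b = mask_ones(a[1]), mask_ones(b[1])
    if ones_a == ones_b:
        return None
    return a if ones_a > ones_b else b


if __name__ == "__main__":
    # The example from the text: 10.0.0.0/16 is more specific than 10.0.0.0/8.
    print(more_specific(("10.0.0.0", "255.255.0.0"), ("10.0.0.0", "255.0.0.0")))
```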
Configuring OSPF Configuration rules • If a router is to operate as an ASBR, you must enable the ASBR capability at the system level. • Redistribution must be enabled on routers configured to operate as ASBRs. • All router ports must be assigned to one of the defined areas on an OSPF router. When a port is assigned to an area, all corresponding subnets on that port are automatically included in the assignment.
Configuring OSPF NOTE You set global level parameters at the OSPF CONFIG Level of the CLI. To reach that level, enter router ospf… at the global CONFIG Level. Interface parameters for OSPF are set at the interface CONFIG Level using the CLI command, ip ospf… Enable OSPF on the router When you enable OSPF on the router, the protocol is automatically activated.
Configuring OSPF • ASBRs redistribute (import) external routes into the NSSA as type 7 LSAs. Type-7 External LSAs are a special type of LSA generated only by ASBRs within an NSSA, and are flooded to all the routers within only that NSSA. •...
Configuring OSPF The stub <cost> parameter specifies an additional cost for using a route to or from this area and can be from 1 – 16777215. There is no default. Normal areas do not use the cost parameter. The no-summary parameter applies only to stub areas and disables summary LSAs from being sent into the area.
Configuring OSPF
The ABR translates the Type-7 LSAs into Type-5 LSAs. If an area range is configured for the NSSA, the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type-5 LSAs into the backbone. Since the NSSA is partially “stubby”, the ABR does not flood external LSAs from the backbone into the NSSA.
Configuring OSPF The advertise | not-advertise parameter specifies whether you want the device to send type 3 LSAs for the specified range in this area. The default is advertise. Assigning an area range (optional) You can assign a range for an area, but it is not required. Ranges allow a specific IP address and mask to represent a range of IP addresses within an area, so that only that reference range address is advertised to the network, instead of all the addresses within that range.
Configuring OSPF
• ip ospf hello-interval <value>
• ip ospf md5-authentication key-activation-wait-time <num> | key-id <num> [0 | 1] key <string>
• ip ospf passive
• ip ospf priority <value>
• ip ospf retransmit-interval <value>
• ip ospf transmit-delay <value>
For a complete description of these parameters, see the summary of OSPF port parameters in the next section.
Configuring OSPF
MD5-authentication activation wait time – The number of seconds the device waits until placing a new MD5 key into effect. The wait time provides a way to gracefully transition from one MD5 key to another without disturbing the network. The wait time can be from 0 –...
Configuring OSPF NOTE If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior.
Configuring OSPF Block flooding of outbound LSAs on specific OSPF interfaces By default, the device floods all outbound LSAs on all the OSPF interfaces within an area. You can configure a filter to block outbound LSAs on an OSPF interface. This feature is particularly useful when you want to block LSAs from some, but not all, of the interfaces attached to the area.
Configuring OSPF
NOTE When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link).
FIGURE 106 Defining OSPF virtual links within a network (figure labels: OSPF Area 0; BigIronC, Router ID 209.157.22.1; OSPF Area 1; OSPF Area 2 “transit area”...)
Configuring OSPF The area <ip-addr> | <num> parameter specifies the transit area. The <router-id> parameter specifies the router ID of the OSPF router at the remote end of the virtual link. To display the router ID on a device, enter the show ip command. Refer to “Modify virtual link parameters”...
Configuring OSPF MD5 Authentication Wait Time This parameter determines when a newly configured MD5 authentication key is valid. This parameter provides a graceful transition from one MD5 key to another without disturbing the network. All new packets transmitted after the key activation wait time interval use the newly configured MD5 Key.
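The wait time only works as a graceful rollover if the send side switches keys on a schedule while the receive side keeps accepting every key it has configured. The following Python model is an added example, not BigIron RX code, of that split: a per-interface key table, a transmit-key selector driven by the activation wait time, and a receive-side check keyed by Key ID. Class and function names and the constructed timeline are assumptions of the example; the digest is computed in the style of RFC 2328 Appendix D (MD5 over the packet followed by the 16-octet key) but the OSPF header layout and the cryptographic sequence number are omitted, and the rule that the most recently activated key is the one transmitted is likewise an assumption.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: a model of the MD5 key activation wait time. Names are
# assumptions; the digest follows the RFC 2328 Appendix D style (MD5 over the
# packet followed by the 16-octet key) and omits the cryptographic sequence
# number and OSPF header fields.

KEY_LEN = 16


@dataclass(frozen=True)
class Md5Key:
    key_id: int
    secret: bytes
    configured_at: float   # router clock (seconds) when the key was entered
    wait: float            # key-activation-wait-time in seconds

    @property
    def active_at(self) -> float:
        return self.configured_at + self.wait

    def padded(self) -> bytes:
        # Keys shorter than 16 octets are zero padded on the right.
        return self.secret[:KEY_LEN].ljust(KEY_LEN, b"\0")


class OspfMd5Interface:
    """Per-interface MD5 key table with send-side key selection."""

    def __init__(self) -> None:
        self.keys: Dict[int, Md5Key] = {}

    def add_key(self, key: Md5Key) -> None:
        self.keys[key.key_id] = key

    def transmit_key(self, now: float) -> Optional[Md5Key]:
        """Newest key whose activation wait time has elapsed (assumption of
        this example: among active keys, the latest-activated one is sent)."""
        active = [k for k in self.keys.values() if k.active_at <= now]
        if not active:
            return None
        return max(active, key=lambda k: k.active_at)

    @staticmethod
    def digest(packet: bytes, key: Md5Key) -> bytes:
        return hashlib.md5(packet + key.padded()).digest()

    def sign(self, packet: bytes, now: float) -> Tuple[int, bytes]:
        key = self.transmit_key(now)
        if key is None:
            raise RuntimeError("no MD5 key is active yet")
        return key.key_id, self.digest(packet, key)

    def verify(self, packet: bytes, key_id: int, received: bytes) -> bool:
        """Receive side: look the key up by Key ID and recompute the digest.
        Any configured key is accepted regardless of its activation time
        (assumption of this example); that is what lets a neighbor that has
        not yet switched keys keep its adjacency during the wait window."""
        key = self.keys.get(key_id)
        if key is None:
            return False
        return hmac.compare_digest(self.digest(packet, key), received)


def rollover_demo() -> List[Tuple[float, int]]:
    """Constructed timeline: key 1 active from t=0; key 2 entered at t=100 with
    a 60-second wait. Returns which Key ID signs at several instants."""
    iface = OspfMd5Interface()
    iface.add_key(Md5Key(1, b"old-secret", configured_at=0, wait=0))
    iface.add_key(Md5Key(2, b"new-secret", configured_at=100, wait=60))
    return [(t, iface.sign(b"hello-packet", t)[0]) for t in (50, 120, 159, 160, 300)]


if __name__ == "__main__":
    print(rollover_demo())
```

Between t=100 and t=160 the new key is configured but not yet used for transmit, which is the window in which the other routers on the link are expected to receive the same key; once every router has it, the switch at t=160 is invisible to the adjacency because each receiver already verifies Key ID 2. The comparison uses hmac.compare_digest so that a receiver does not leak timing information about how many digest bytes matched.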
Configuring OSPF For example, to configure the feature in a network with three routers connected by a hub or switch, each router must have the linking interface configured as a non-broadcast interface, and both of the other routers must be specified as neighbors. The output of the show ip ospf interface command has been enhanced to display information about non-broadcast interfaces and neighbors that are configured in the same sub-net.
Configuring OSPF
Configuring an OSPF point-to-point link
To configure an OSPF point-to-point link, enter commands such as the following.
BigIron RX(config)# interface eth 1/5
BigIron RX(config-if-1/5)# ip ospf network point-to-point
This command configures an OSPF point-to-point link on Interface 5 in slot 1.
Syntax: [no] ip ospf network point-to-point
Viewing configured OSPF point-to-point links
You can use the show ip ospf interface command to display OSPF point-to-point information.
Configuring OSPF
TABLE 107 Output of the show ip ospf interface command
This field Displays
Type – The area type, which can be one of the following:
• Broadcast = 0x01
• NBMA = 0x02
• Point to Point = 0x03
•...
Configuring OSPF Changing the reference bandwidth for the cost on OSPF interfaces Each interface on which OSPF is enabled has a cost associated with it. The device advertises its interfaces and their costs to OSPF neighbors. For example, if an interface has an OSPF cost of ten, the device advertises the interface with a cost of ten to other OSPF routers.
Configuring OSPF
Changing the reference bandwidth
To change the reference bandwidth, enter a command such as the following at the OSPF configuration level of the CLI:
BigIron RX(config-ospf-router)# auto-cost reference-bandwidth 500
The reference bandwidth specified in this example results in the following costs:
•...
Configuring OSPF
FIGURE 107 Redistributing OSPF and static routes to RIP routes (figure labels: RIP Domain; ASBR (Autonomous System Border Router); OSPF Domain)
You also have the option of specifying import of just ISIS, RIP, OSPF, BGP4, or static routes, as well as specifying that only routes for a specific network or with a specific cost (metric) be imported, as shown in the command syntax below:
Syntax: [no] redistribution bgp | connected | rip | static [route-map <map-name>]...
Configuring OSPF
NOTE You also can define the cost on individual interfaces. The interface cost overrides the default cost.
To assign a default metric of 4 to all routes imported into OSPF, enter the following commands.
BigIron RX(config)# router ospf
BigIron RX(config-ospf-router)# default-metric 4
Syntax: default-metric <value>...
Configuring OSPF
The redistribute static command enables redistribution of static IP routes into OSPF, and uses route map “abc” to control the routes that are redistributed. In this example, the route map allows a static IP route to be redistributed into OSPF only if the route has a metric of 5, and changes the metric to 8 before placing the route into the OSPF route table.
Configuring OSPF
The router software can use the route information it learns through OSPF to determine the paths and costs. Figure 108 shows an example of an OSPF network containing multiple paths to a destination (in this case, R1).
FIGURE 108 Example OSPF network with four equal-cost paths (figure labels: OSPF Area 0; BigIron RX...)
Configuring OSPF Configure external route summarization When the BigIron RX is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to advertise one external route as an aggregate for all redistributed routes that are covered by a specified address range. When you configure an address range, the range takes effect immediately.
Configuring OSPF
Range-Address Subnetmask
1.0.0.0 255.0.0.0
1.0.1.0 255.255.255.0
1.0.2.0 255.255.255.0
Syntax: show ip ospf config
Configure default route origination
When the BigIron RX is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to automatically generate a default external route into an OSPF routing domain. This feature is called “default route origination”...
Configuring OSPF
The metric-type <type> parameter specifies the external link type associated with the default route advertised into the OSPF routing domain. The <type> can be one of the following:
• 1 – Type 1 external route
• 2 – Type 2 external route
If you do not use this option, the default redistribution metric type is used for the route type.
Configuring OSPF This example shows two routes. Both of the routes are directly attached, as indicated in the Type column. However, one of the routes is shown as type “*D”, with an asterisk (*). The asterisk indicates that this route is a candidate default network route. Modify SPF timers The BigIron RX uses the following timers when calculating the shortest path for OSPF routes: •...
Configuring OSPF Modify administrative distance The BigIron RX can learn about networks from various protocols, including Border Gateway Protocol version 4 (BGP4), RIP, ISIS, and OSPF. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. The default administrative distance for OSPF routes is 110.
Configuring OSPF Configure OSPF group Link State Advertisement pacing The BigIron RX paces LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA’s refresh timer expires. The accumulated LSAs constitute a group, which the BigIron RX refreshes and sends out together in one or more packets.
Configuring OSPF
• With this feature enabled in the “out” direction, all type 3 LSAs advertised by the ABR, based on information from this area to all other areas, are filtered by the prefix list. If the area range command has been configured for this area, Type 3 LSAs that correspond to the area range command are treated like any other type 3 LSA.
Configuring OSPF
The in keyword specifies that the prefix list is applied to prefixes advertised to the specified area from other areas. The out keyword specifies that the prefix list is applied to prefixes advertised out of the specified area to other areas.
Defining and applying IP prefix lists
An IP prefix list specifies a list of networks.
Configuring OSPF
Displaying the configured OSPF area prefix list
To display the prefix-lists attached to the areas, enter the following command.
BigIron RX(config)#show ip ospf config
Router OSPF: Enabled
Graceful Restart: Disabled, timer 120
Graceful Restart Helper: Enabled
Redistribution: Disabled
Default OSPF Metric: 10
OSPF Auto-cost Reference Bandwidth: Disabled
OSPF Redistribution Metric: Type2...
Configuring OSPF 1. Enabling SNMP traps for OSPF. (Refer to “Disabling and enabling SNMP traps for OSPF” page 709.) 2. Enable OSPF logging. (Refer to “Enabling OSPF logging” on page 710.) Refer to Table 109 on page 709 for the list of the default settings for OSPF traps. TABLE 109 Default settings for OSPF traps Trap name...
Configuring OSPF
To configure a router to operate with the latest OSPF standard, RFC 2328, enter the following commands.
BigIron RX(config)# router ospf
BigIron RX(config-ospf-router)# no rfc1583-compatibility
Syntax: [no] rfc1583-compatibility
Modify exit overflow interval
If a database overflow condition occurs on a router, the router eliminates the condition by removing entries that originated on the router.
Displaying OSPF information Displaying OSPF information You can display the following OSPF information: • Trap, area, and interface information – refer to “Displaying general OSPF configuration information” on page 712. • CPU utilization statistics – refer to “Displaying CPU utilization and other OSPF tasks” page 713.
Displaying OSPF information
TABLE 110 CLI display of show tasks (Continued)
This field... Displays...
current instruction for the task
Stack – Stack location for the task
Size – Stack size of the task
CPU Usage(%) – Percentage of the CPU being used by the task
task id – Task’s ID number assigned by the operating system.
Displaying OSPF information
Displaying OSPF neighbor information
To display OSPF neighbor information, enter the following command at any CLI level.
BigIron RX# show ip ospf neighbor
Port Address State Neigh Address Neigh ID Ev Op Cnt
10.1.10.1 FULL/DR 10.1.10.2 10.65.12.1
10.1.11.1 FULL/DR 10.1.11.2...
Displaying OSPF information TABLE 112 CLI display of OSPF neighbor information (Continued) Field Description State The state of the conversation between the device and the neighbor. This field can have one of the following values: • Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor.
Displaying OSPF information
BigIron RX# show ip ospf interface 192.168.1.1
Ethernet 2/1,OSPF enabled
IP Address 192.168.1.1, Area 0
OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1
Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
Router ID 0.0.0.0 Interface Address 0.0.0.0
BDR: Router ID 0.0.0.0...
Displaying OSPF information
TABLE 113 Output of the show ip ospf interface command (Continued)
This field Displays
Adjacent Neighbor Count – The number of adjacent neighbor routers.
Neighbor – The neighbor router’s ID.
Displaying OSPF route information
To display OSPF route information, enter the following command at any CLI level.
BigIron RX>#show ip ospf route
OSPF Area 0x00000000 ASBR Routes 1:
Destination...
Displaying OSPF information Syntax: show ip ospf routes [<ip-addr>] The <ip-addr> parameter specifies a destination IP address. If you use this parameter, only the route entries for that destination are shown. This display shows the following information. TABLE 114 CLI display of OSPF route information This field...
Displaying OSPF information
BigIron RX# show ip ospf redistribute route
4.3.0.0 255.255.0.0 static
3.1.0.0 255.255.0.0 static
10.11.61.0 255.255.255.0 connected
4.1.0.0 255.255.0.0 static
In this example, four routes have been redistributed. Three of the routes were redistributed from static IP routes and one route was redistributed from a directly connected IP route.
Syntax: show ip ospf redistribute route [<ip-addr>...
Displaying OSPF information
TABLE 115 CLI display of OSPF external link state information
This field... Displays...
Index – ID of the entry
Aging – The age of the LSA, in seconds.
LS ID – The ID of the link-state advertisement from which the device learned this route.
Displaying OSPF information NOTE You cannot use the extensive option in combination with other display options. The entire database is displayed. The link-state-id <ip-addr> parameter displays the External LSAs for the LSA source specified by <IP-addr>. The network option shows network information. The nssa option shows network information.
Displaying OSPF information
TABLE 117 CLI display of OSPF border routers
This field... Displays...
(Index) – Displayed index number of the border router.
Router ID – ID of the OSPF router
Router type – Type of OSPF router: ABR or ASBR
Next hop router – ID of the next hop router
Outgoing interface – ID of the interface on the router for the outgoing route.
Displaying OSPF information
vlan 1 name DEFAULT-VLAN
clock summer-time
clock timezone us Pacific
hostname R11-RX8
router ospf
area 2
area 1
area 1 virtual-link 131.1.1.10
FIGURE 109 OSPF virtual neighbor and virtual link example (figure labels: Area 0; 131.1.1.10/16; DeviceA; R10-MG8; 192.168.148.10; 135.14.1.10/16; Area 1; Area 2...)
Displaying OSPF information
Displaying OSPF virtual link information
Use the show ip ospf virtual link command to display OSPF virtual link information. The output below represents the virtual links configured in Figure 109.
BigIron RX#show ip ospf virtual link
Indx Transit Area Router ID Transit(sec) Retrans(sec) Hello(sec)
131.1.1.10...
Displaying OSPF information Configuring OSPF graceful restart timer The OSPF graceful restart timer specifies the maximum amount of time an OSPF restarting router will take to re-establish OSPF adjacencies and relearn OSPF routes. This value will be sent to the neighboring routers in the grace LSA packets.
Displaying OSPF information
BigIron RX#sh ip ospf neigh
Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt
30.1.0.5 FULL/OTHER 30.1.0.13 30.0.0.13 3/27
25.27.0.8 FULL/DR 25.27.0.14 12.1.0.14 20 2
< in graceful restart state, helping 1, timer 104 sec >
21.23.0.5 FULL/DR 21.23.0.14...
BigIron RX 1# show ip ospf neigh
Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt
40.0.1.1 EXST/DR 40.0.1.3 9.0.1.24 24 2
  < in graceful restart state, helping 1, timer 112 sec >
BigIron RX 3# show ip ospf neighbor
Port Address Pri State...
Displaying OSPF information BigIron RX Series Configuration Guide 53-1001986-01...
Chapter
Configuring BGP4 (IPv4 and IPv6)
Overview of BGP4
BGP4 is the standard Exterior Gateway Protocol (EGP) used on the Internet to route traffic between Autonomous Systems (AS) and to maintain loop-free routing. An autonomous system is a collection of networks that share the same routing and administration characteristics. For example, a corporate Intranet consisting of several networks under common administrative control might be considered an AS.
Relationship between the BGP4 route table and the IP route table
The device’s BGP4 route table can have multiple routes or paths to the same destination, which are learned from different BGP4 neighbors. A BGP4 neighbor is another router that also is running BGP4.
1. Is the next hop accessible through an Interior Gateway Protocol (IGP) route? If not, ignore the path.
NOTE
By default, the device does not use the default route to resolve the BGP4 next hop. Also refer to “Enabling next-hop recursion”...
9. If all the comparisons above are equal, prefer the route with the lowest IGP metric to the BGP4 next hop. This is the closest internal path inside the AS to reach the destination.
10. If the internal paths also are the same and BGP4 load sharing is enabled, load share among the paths; otherwise, go to Step 11.
neighbors to always be up. For directly-attached neighbors, you can configure the BigIron RX to immediately close the TCP connection to the neighbor and clear entries learned from an EBGP neighbor if the interface to that neighbor goes down. This capability is provided by the fast external fallover feature, which is disabled by default.
BGP4 Router A sends a Hold Time of 5 seconds and BGP4 Router B sends a Hold Time of 4 seconds, both routers use 4 seconds as the Hold Time for their BGP4 session. The default Hold Time is 180 seconds.
Configuring BGP4 As a guideline, BigIron RX switches with a 2 GB Management 4 module can accommodate 150 – 200 neighbors, with the assumption that the BigIron RX receives about one million routes total from all neighbors and sends about eight million routes total to neighbors. For each additional one million incoming routes, the capacity for outgoing routes decreases by around two million.
TABLE 118 IPv4 BGP commands at different configuration levels (Continued)
Command   Global (IPv4 and IPv6)   IPv4 address family unicast   IPv4 address family multicast
(the per-level marks of the original table are not reproduced; each command is listed with its reference)
as-path-ignore   “Disabling or re-enabling comparison of the AS-path length” on page 750
bgp-redistribute-internal   “Redistributing IBGP routes” on page 750
client-to-client-reflection   “Disabling or re-enabling client-to-client route...
TABLE 118 IPv4 BGP commands at different configuration levels (Continued)
Command   Global (IPv4 and IPv6)   IPv4 address family unicast   IPv4 address family multicast
(the per-level marks of the original table are not reproduced; each command is listed with its reference)
redistribute   “Modifying redistribution parameters” on page 776
show   “Displaying BGP4 information” on page 814
table-map   “Using a table map to set the tag value” on page 779
timers   “Changing the keep alive time and hold time”...
• Change other load-sharing parameters.
• Define route flap dampening parameters.
• Add, change, or negate redistribution parameters (except changing the default MED; see below).
• Add, change, or negate route maps (when used by the network command or a redistribution command).
NOTE
By default, the Brocade router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback interface, the default router ID is the lowest numbered IP interface address configured on the device.
The default is the ipv4 unicast address family level. To exit an address family configuration level, enter the following command.
BigIron RX(config-bgp-ipv6u)# exit-address-family
BigIron RX(config-bgp)#
Syntax: exit-address-family
Filtering specific IP addresses
You can configure the router to explicitly permit or deny specific IP addresses received in updates from BGP4 neighbors by defining IP address filters.
The <wildcard> parameter specifies the portion of the IP address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches.
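The wildcard-mask rule above, worked through in an added Python example that is not part of the guide: an evaluator for an ordered list of permit/deny address filters. The filter entries and candidate addresses are constructed; the first matching entry wins, and a list with no matching entry is treated as a deny, which is an assumption the excerpt does not state.

```python
"""IP address filter evaluation with wildcard masks (added example, not the guide's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(candidate: str, source_ip: str, wildcard: str) -> bool:
    """True when candidate agrees with source_ip on every bit where the wildcard is 0.
    A 1 bit in the wildcard is a don't-care, exactly as the text describes."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF        # bits that must match
    return (_to_int(candidate) & care) == (_to_int(source_ip) & care)


@dataclass
class FilterEntry:
    action: str       # "permit" or "deny"
    source_ip: str
    wildcard: str


def evaluate(filters: List[FilterEntry], candidate: str) -> str:
    """Walk the filter list in order; the first matching entry decides.
    No match is treated as "deny" (an assumption; the excerpt does not say)."""
    for entry in filters:
        if wildcard_match(candidate, entry.source_ip, entry.wildcard):
            return entry.action
    return "deny"


# Constructed filter list: deny 192.168.9.0/24, permit the rest of 192.168.0.0/16.
SAMPLE_FILTERS = [
    FilterEntry("deny", "192.168.9.0", "0.0.0.255"),
    FilterEntry("permit", "192.168.0.0", "0.0.255.255"),
]

if __name__ == "__main__":
    for addr in ("192.168.9.7", "192.168.10.7", "10.0.0.1"):
        print(f"{addr:14} -> {evaluate(SAMPLE_FILTERS, addr)}")
    # Non-contiguous wildcard: only bit 8 (value 1 in the third octet) is a don't-care.
    print(wildcard_match("10.0.1.5", "10.0.0.5", "0.0.1.0"))  # True
```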
Defining a community filter
To define filter 3 to permit routes that have the NO_ADVERTISE community, enter the following command.
BigIron RX(config-bgp)# community-filter 3 permit no-advertise
Syntax: [no] community-filter <num> permit | deny <num>:<num> | internet | local-as | no-advertise | no-export
The <num>...
To configure a switch to disable the AS_PATH check function for routes sent to it by its BGP neighbor for a maximum limit of 3 occurrences of the route, enter the following command at the BGP configuration level.
BigIron RX(config-bgp-ipv4u)# neighbor 33.33.36.2 allowas-in 3
Syntax: neighbor <IPaddress>...
BGP Null0 routing
The following steps configure a null0 routing application for stopping denial of service attacks from remote hosts on the internet.
Configuration steps
1. Select one router, Router 6, to distribute null0 routes throughout the BGP network.
2. Configure a route-map to match a particular tag (50) and set the next-hop address to an unused network address (199.199.1.1).
Router 1
The following configuration defines the null0 route to the specific next hop address. The next hop address 199.199.1.1 points to 128.178.1.101, which gets blocked.
BigIron RX(config)# ip route 199.199.1.1/32 null0
BigIron RX(config)# router bgp
BigIron RX(config-bgp-router)# local-as 100
BigIron RX(config-bgp-router)# neighbor <router2_int_ip address>...
Router-6# show ip bgp route
Total number of BGP Routes: 126
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
       Prefix          Next Hop      Metric    LocPrf    Weight  Status
       30.0.1.0/24     40.0.1.3
         AS_PATH:
       110.0.0.16/30   90.0.1.3
         AS_PATH: 85
       110.0.0.40/29   192.168.0.1   1000000   32768...
Aggregating routes advertised to BGP4 neighbors
By default, the BigIron RX advertises individual routes for all the networks. The aggregation feature allows you to configure the device to aggregate routes in a range of networks into a single network prefix.
You can enable the device to always compare the MEDs, regardless of the AS information in the paths. For example, if the router receives UPDATES for the same route from neighbors in three ASs, the router would compare the MEDs of all the paths together, rather than comparing the MEDs for the paths in each AS individually.
To enable the device to redistribute BGP4 routes into OSPF, RIP, or ISIS, enter the following command.
BigIron RX(config-bgp)# bgp-redistribute-internal
Syntax: [no] bgp-redistribute-internal
To disable redistribution of IBGP routes into RIP, ISIS, and OSPF, enter the following command.
BigIron RX(config-bgp)# no bgp-redistribute-internal
Disabling or re-enabling client-to-client route reflection
By default, the clients of a route reflector are not required to be fully meshed;...
When router ID comparison is enabled, the path comparison algorithm compares the router IDs of the neighbors that sent the otherwise equal paths.
• If BGP4 load sharing is disabled (maximum-paths 1), the device selects the path that came from the neighbor with the lower router ID.
FIGURE 114 Example BGP4 confederation (diagram not reproduced; its labels are AS 20, Confederation 10, Sub-AS 64512, Sub-AS 64513, Router A, Router B, Router C, IBGP and EBGP links). Caption text: This BGP4 router sees all traffic from Confederation 10 as traffic from AS 10. Routers outside the confederation do not know or care that the routers are subdivided into sub-ASs within a...
The procedures show how to implement the example confederation shown in Figure 26.3. To configure four devices to be a member of confederation 10, consisting of two sub-ASs (64512 and 64513), enter commands such as the following.
Commands for Router A
BigIron RXA(config)# router bgp
BigIron RXA(config-bgp)# local-as 64512
BigIron RXA(config-bgp)# confederation identifier 10...
Configuring route flap dampening
Route flap dampening reduces the amount of change propagated by BGP due to routing state changes caused by unstable routes. Reducing change propagation helps reduce processing requirements.
To enable route flap dampening using the default values, enter the following command.
BigIron RX(config-bgp)# dampening
Syntax: dampening [<half-life>...
BigIron RX(config-bgp)# default-information-originate
Syntax: [no] default-information-originate
Changing the default local preference
When the router uses the BGP4 algorithm to select a route to send to the IP route table, one of the parameters the algorithm uses is the local preference. Local preference is an attribute that indicates a degree of preference for a route relative to other routes.
Changing administrative distances
The BigIron RX can learn about networks from various protocols, including the EBGP portion of BGP4 and IGPs such as OSPF, ISIS, and RIP. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. To select one route over another based on the source of the route information, the device can use the administrative distances assigned to the sources.
The <external-distance> sets the EBGP distance and can be a value from 1 – 255. The <internal-distance> sets the IBGP distance and can be a value from 1 – 255. The <local-distance> sets the Local BGP distance and can be a value from 1 – 255.
Requiring the first AS to be the neighbor’s AS
By default, the BigIron RX does not require the first AS listed in the AS_SEQUENCE field of an AS path Update from an EBGP neighbor to be the AS that the neighbor who sent the Update is in.
Setting the local AS number The router waits for the Hold Time to expire before ending the connection to a directly-attached BGP4 neighbor that dies. For directly attached neighbors, the router immediately senses loss of a connection to the neighbor from a change of state of the port or interface that connects the router to its neighbor.
Syntax: [no] maximum-paths <num>
The <num> parameter specifies the maximum number of paths across which the BigIron RX can balance traffic to a given BGP4 destination. You can change the maximum number of paths to a value from 2 –...
By default, load sharing applies to EBGP and IBGP paths, and does not apply to paths from different neighboring ASs.
Configuring BGP4 neighbors
The BGP4 protocol does not contain a peer discovery process. Therefore, for each of the router’s BGP4 neighbors (peers), you must indicate the neighbor’s IP address and the AS each neighbor is in.
[remove-private-as]
[route-map in | out <map-name>]
[route-reflector-client]
[send-community]
[soft-reconfiguration inbound]
[shutdown]
[timers keep-alive <num> hold-time <num>]
[unsuppress-map <map-name>]
[update-source <ip-addr> | ethernet <slot>/<portnum> | loopback <num> | ve <num>]
[weight <num>]
The <ip-addr> | <peer-group-name> parameter indicates whether you are configuring an individual neighbor or a peer group.
Configuring BGP4 neighbors ebgp-multihop [<num>] specifies that the neighbor is more than one hop away and that the session type with the neighbor is thus EBGP-multihop. This option is disabled by default. The <num> parameter specifies the TTL you are adding for the neighbor. You can specify a number from 0 –...
NOTE
If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior.
Configuring BGP4 neighbors unsuppress-map <map-name> removes route suppression from a neighbor’s routes when those routes have been suppressed due to aggregation. Refer to “Removing route dampening from suppressed neighbor routes” on page 765. update-source <ip-addr> | ethernet <slot>/<portnum> | loopback <num> | ve <num> configures the router to communicate with the neighbor through the specified interface.
BigIron RX(config)# ip prefix-list Unsuppress1 permit 209.1.44.0/24
BigIron RX(config)# route-map RouteMap1 permit 1
BigIron RX(config-routemap RouteMap1)# match prefix-list Unsuppress1
BigIron RX(config-routemap RouteMap1)# exit
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# neighbor 10.1.0.2 unsuppress-map RouteMap1
BigIron RX(config-bgp)# clear ip bgp neighbor 10.1.0.2 soft-out
The ip prefix-list command configures an IP prefix list for network 209.1.44.0/24, which is the route you want to unsuppress.
Encryption example
The following commands configure a BGP4 neighbor and a peer group, and specify MD5 authentication strings (passwords) for authenticating packets exchanged with the neighbor or peer group.
BigIron RX(config-bgp)# local-as 2
BigIron RX(config-bgp)# neighbor xyz peer-group
BigIron RX(config-bgp)# neighbor xyz password abc
BigIron RX(config-bgp)# neighbor 10.10.200.102 peer-group xyz
BigIron RX(config-bgp)# neighbor 10.10.200.102 password test...
Configuring a BGP4 peer group of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication. If you accidentally enter option 1 followed by the clear-text version of the password or string, authentication will fail because the value used by the software will not match the value you intended to use.
• You must configure a peer group before you can add neighbors to the peer group.
• If you remove a parameter from a peer group, the value for that parameter is reset to the default for all the neighbors within the peer group, unless you have explicitly set that parameter on individual neighbors.
Configuring a BGP4 peer group The <peer-group-name> parameter specifies the name of the group and can be up to 80 characters long. The name can contain special characters and internal blanks. If you use internal blanks, you must use quotation marks around the name. For example, the command neighbor “My Three Peers”...
The <ip-addr> parameter specifies the IP address of the neighbor. The <peer-group-name> parameter specifies the peer group name.
NOTE
You must add the peer group before you can add neighbors to it.
Administratively shutting down a session with a BGP4 neighbor
You can prevent the device from starting a BGP4 session with a neighbor by administratively shutting down the neighbor.
Using the IP default route as a valid next hop for a BGP4 route The <ip-addr> is the network number and the <ip-mask> specifies the network mask. The route-map <map-name> parameter specifies the name of the route map you want to use to set or change BGP4 attributes for the network you are advertising.
BigIron RX(config-bgp)# next-hop-enable-default
Syntax: [no] next-hop-enable-default
Enabling next-hop recursion
For each BGP4 route a BigIron RX learns, the device performs a route lookup to obtain the IP address of the route’s next hop. A BGP4 route becomes eligible for installation into the IP route table only if the following conditions are true:
•...
BigIron RX# show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
       Prefix          Next Hop    Metric    LocPrf    Weight  Status
       0.0.0.0/0       10.1.0.2
         AS_PATH: 65001 4355 701 80
       102.0.0.0/24    10.0.0.1
         AS_PATH: 65001 4355 1...
BigIron RX# show ip route 240.0.0.0/24
Total number of IP routes: 38
Network Address   Gateway    Port   Cost   Type
240.0.0.0         10.0.0.1
  AS_PATH: 65001 4355 1
This BigIron RX can use this route because the device has an IP route to the next-hop gateway. Without recursive next-hop lookups, this route would not be in the IP route table.
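Next-hop recursion, and the null0 route of the earlier "BGP Null0 routing" section, worked through in an added Python example that is neither the guide's nor Brocade's code: a minimal longest-prefix-match route table that resolves a BGP4 next hop to an egress interface or to null0, honoring two behaviors the text states (the default route is not used to resolve a next hop unless next-hop-enable-default is set, and without recursion only a directly connected next hop qualifies). The interface names, the 172.16.0.0/16 route and the packet destinations are constructed; the 199.199.1.1 null0 route, the 128.178.1.101 host, the default route via 10.1.0.2 and the 240.0.0.0/24 route via 10.0.0.1 come from the page's examples. Treating a static null0 route as a resolved next hop even without recursion is an assumption.

```python
"""Recursive next-hop resolution with a null0 route (added example, not the guide's code)."""
import ipaddress
from typing import List, Optional, Tuple

NULL0 = "null0"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
Entry = Tuple[ipaddress.IPv4Network, str, str]   # (prefix, via, kind)


class RouteTable:
    """Minimal IP route table. kind is "connected" (via = interface name),
    "static" or "bgp" (via = gateway address, or null0 for a discard route)."""

    def __init__(self) -> None:
        self.routes: List[Entry] = []

    def add(self, prefix: str, via: str, kind: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), via, kind))

    def lookup(self, addr: str, use_default: bool = True) -> Optional[Entry]:
        """Longest-prefix match; the default route is skipped when use_default is False."""
        ip = ipaddress.ip_address(addr)
        best: Optional[Entry] = None
        for entry in self.routes:
            net = entry[0]
            if net == DEFAULT and not use_default:
                continue
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = entry
        return best

    def resolve(self, next_hop: str, recursive: bool = False,
                use_default: bool = False, max_depth: int = 8) -> Optional[str]:
        """Egress interface for next_hop, "null0", or None if the hop cannot be resolved.
        The default route is excluded unless use_default is set (next-hop-enable-default).
        Without recursion only a directly connected next hop, or a static null0 route
        (assumed to count as resolved), qualifies; with recursion the gateway chain is followed."""
        hop = next_hop
        for _ in range(max_depth):
            entry = self.lookup(hop, use_default)
            if entry is None:
                return None
            _net, via, kind = entry
            if kind == "connected":
                return via
            if via == NULL0:
                return NULL0
            if not recursive:
                return None
            hop = via
        return None   # chain too deep (or looping)


def bgp_route_eligible(table: RouteTable, next_hop: str,
                       recursive: bool = False, use_default: bool = False) -> bool:
    """A BGP4 route may enter the IP route table only if its next hop resolves."""
    return table.resolve(next_hop, recursive, use_default) is not None


def egress_for(table: RouteTable, dst: str) -> Optional[str]:
    """Forwarding decision for a packet to dst: interface name, "null0" (discarded) or None."""
    entry = table.lookup(dst)
    if entry is None:
        return None
    _net, via, kind = entry
    return via if kind == "connected" else table.resolve(via, recursive=True)


def build_sample_table() -> RouteTable:
    t = RouteTable()
    t.add("10.0.0.0/24", "eth1/1", "connected")      # constructed link toward 10.0.0.1
    t.add("10.1.0.0/24", "eth1/2", "connected")      # constructed link toward 10.1.0.2
    t.add("0.0.0.0/0", "10.1.0.2", "bgp")            # default route via 10.1.0.2 (page's display)
    t.add("199.199.1.1/32", NULL0, "static")         # ip route 199.199.1.1/32 null0 (page)
    t.add("128.178.1.101/32", "199.199.1.1", "bgp")  # blocked host, next hop set by the route map
    t.add("240.0.0.0/24", "10.0.0.1", "bgp")         # page's example with a reachable next hop
    t.add("172.16.0.0/16", "192.0.2.9", "bgp")       # constructed: next hop only reachable via default
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("128.178.1.101", "240.0.0.5", "203.0.113.7"):
        print(f"{dst:15} -> {egress_for(table, dst)}")
    for flags in ((False, False), (True, False), (True, True)):
        print("192.0.2.9 eligible recursive=%s use_default=%s: %s"
              % (*flags, bgp_route_eligible(table, "192.0.2.9", *flags)))
```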
The static parameter indicates that you are redistributing static routes into BGP.
Redistributing connected routes
To configure BGP4 to redistribute directly connected routes, enter the following command.
BigIron RX(config-bgp)# redistribute connected
Syntax: redistribute connected [metric <num>] [route-map <map-name>]
The connected parameter indicates that you are redistributing routes to directly attached devices into BGP4.
The match internal | external1 | external2 parameter applies only to OSPF. This parameter specifies the types of OSPF routes to be redistributed into BGP4. The default is internal.
NOTE
If you do not enter a value for the match parameter (for example, you enter redistribute ospf only), then only internal OSPF routes will be redistributed.
Using a table map to set the tag value The metric <num> parameter changes the metric. You can specify a value from 0 – 4294967295. The default is 0. The route-map <map-name> parameter specifies a route map to be consulted before adding the static route to the BGP4 route table.
NOTE
Generally, you should set the Hold Time to three times the value of the Keep Alive Time.
NOTE
You can override the global Keep Alive Time and Hold Time on individual neighbors. Refer to “Configuring BGP4 neighbors”...
NOTE
A BigIron RX uses the same router ID for both OSPF and BGP4. If the router is already configured for OSPF, you may want to use the router ID that is already in use on the router rather than set a new one.
• Set the maximum number of paths. The default maximum number of BGP4 load sharing paths is 1, which means no BGP4 load sharing takes place by default. Refer to “Changing the maximum number of shared BGP4 paths” on page 759.
• A route reflector client is an IGP router identified as a member of a cluster. You identify a router as a route reflector client on the router that is the route reflector, not on the client. The client itself requires no additional configuration.
• If a device receives a route whose ORIGINATOR_ID attribute has the value of the device’s own router ID, the device discards the route and does not advertise it. By discarding the route, the device prevents a routing loop.
•...
• “Using a table map to set the tag value” on page 779
• “Configuring cooperative BGP4 route filtering” on page 799
Filtering AS-paths
You can filter updates received from BGP4 neighbors based on the contents of the AS-path list accompanying the updates.
Filtering The neighbor command uses the filter-list parameter to apply the AS-path ACL to the neighbor. Refer to “Configuring BGP4 neighbors” on page 761 and “Configuring a BGP4 peer group” page 768. Using regular expressions You use a regular expression for the <as-path> parameter to specify a single character or multiple characters as a filter pattern.
TABLE 119 BGP4 special characters for regular expressions (Continued)
Character   Operation
_           An underscore matches on one or more of the following:
            • , (comma)
            • { (left curly brace)
            • } (right curly brace)
            • ( (left parenthesis)
            • ) (right parenthesis)
            •...
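How the underscore changes what an AS-path regular expression matches, in an added Python example that is not from the guide: the BGP-style pattern is translated into a Python regex and applied to AS paths like those in the route displays on this page. Table 119's list of what "_" stands for is cut off in this extract, so the example assumes the usual complete set (comma, braces, parentheses, a space, and the start or end of the path); the filter list, its first-match evaluation and the deny-on-no-match default are likewise assumptions.

```python
"""AS-path regular-expression filter (added example, not from the guide)."""
import re
from typing import List, Tuple

# What "_" stands for. Table 119 lists comma, braces and parentheses; the rest of the
# list is cut off in this extract, so a space and the start/end of the path are assumed.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def compile_as_path_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a BGP-style AS-path pattern (with the special "_") into a Python regex."""
    return re.compile(pattern.replace("_", _UNDERSCORE))


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the pattern is found anywhere in the AS path (search, not full match)."""
    return compile_as_path_regex(pattern).search(as_path) is not None


# Constructed filter list: (action, pattern), evaluated top down; first match wins and
# a path matching no entry is denied (assumed behavior, not stated in the excerpt).
SAMPLE_FILTERS: List[Tuple[str, str]] = [
    ("deny", "_1$"),        # deny routes originated by AS 1
    ("permit", "^65001_"),  # permit everything else received from AS 65001
]


def apply_as_path_filters(filters: List[Tuple[str, str]], as_path: str) -> str:
    for action, pattern in filters:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


if __name__ == "__main__":
    for path in ("65001 4355 701 80", "65001 4355 1", "85", "(64512 64513)"):
        print(f"{path!r:22} -> {apply_as_path_filters(SAMPLE_FILTERS, path)}")
    # Why "_" matters: without it, ^65001 also matches a path that starts with AS 650010.
    print(as_path_matches("^65001", "650010 1"), as_path_matches("^65001_", "650010 1"))
```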
Filtering Filtering communities You can filter routes received from BGP4 neighbors based on community names. A community is an optional attribute that identifies the route as a member of a user-defined class of routes. Community names are arbitrary values made of two five-digit integers joined by a colon. You determine what the name means when you create the community name as one of a route’s attributes.
Filtering The seq <seq-value> parameter is optional and specifies the community list’s sequence number. You can configure up to 199 entries in a community list. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with number 5. The software interprets the entries in a community list in numerical order, beginning with the lowest sequence number.
Filtering The seq <seq-value> parameter is optional and specifies the IP prefix list’s sequence number. If you do not specify a sequence number, the software numbers them in increments of 5, beginning with prefix list entry 5. The software interprets the prefix list entries in numerical order, beginning with the lowest sequence number.
Filtering Defining route maps A route map is a named set of match conditions and parameter settings that the router can use to modify route attributes and to control redistribution of the routes into other protocols. A route map consists of a sequence of instances. If you think of a route map as a table, an instance is a row in that table.
• Set the MED (metric).
• Set the IP address of the next hop router.
• Set the origin to IGP or INCOMPLETE.
• Set the weight.
For example, when you configure parameters for redistributing routes into BGP, one of the optional parameters is a route map.
Specifying the match conditions
Use the following command to define the match conditions for instance 1 of the route map GET_ONE. This instance compares the route updates against BGP4 address filter 11.
BigIron RX(config-routemap GET_ONE)# match address-filters 11
Syntax: match [as-path <name>] | [address-filters | as-path-filters | community-filters <num,num,...>] | [community <acl>...
Filtering The next-hop <address-filter-list> parameter compares the IP address of the route’s next hop to the specified IP address filters. The filters must already be configured. The route-type internal | external-type1 | external-type2 parameter applies only to OSPF routes. This parameter compares the route’s type to the specified value. The level-1 parameter compares ISIS routes only with routes within the same area.
Filtering Matching based on next-hop router You can use the results of an IP ACL or an IP prefix list as the match condition. To construct a route map that matches based on the next-hop router, enter commands such as the following.
The <acl> parameter specifies the name of a community list ACL. You can specify up to five ACLs. Separate the ACL names or IDs with spaces.
Here is another example.
BigIron RX(config)# ip community-list standard std_2 permit 23:45 56:78
BigIron RX(config)# route-map bgp3 permit 1
BigIron RX(config-routemap bgp3)# match community std_1 std_2 exact-match
These commands configure an additional community ACL, std_2, that contains community...
Filtering The dampening [<half-life> <reuse> <suppress> <max-suppress-time>] parameter sets route dampening parameters for the route. The <half-life> parameter specifies the number of minutes after which the route’s penalty becomes half its value. The <reuse> parameter specifies how low a route’s penalty must become before the route becomes eligible for use again after being suppressed.
BigIron RX(config)# access-list 1 permit 192.168.9.0 0.0.0.255
BigIron RX(config)# route-map bgp4 permit 1
BigIron RX(config-routemap bgp4)# match ip address 1
BigIron RX(config-routemap bgp4)# set metric-type internal
The first command configures an ACL that matches on routes with destination network 192.168.9.0.
Filtering Configuring cooperative BGP4 route filtering By default, the device performs all filtering of incoming routes locally, on the device itself. You can use cooperative BGP4 route filtering to cause the filtering to be performed by a neighbor before it sends the routes to the device.
Syntax: [no] neighbor <ip-addr> | <peer-group-name> capability orf prefixlist [send | receive]
The <ip-addr> | <peer-group-name> parameter specifies the IP address of a neighbor or the name of a peer group of neighbors.
The send | receive parameter specifies the support you are enabling:
•...
• The cooperative filtering configuration on the device.
• The ORFs received from neighbors.
To display the cooperative filtering configuration on the device, enter a command such as the following. The line shown in bold type shows the cooperative filtering status.
BigIron RX# show ip bgp neighbor 10.10.10.1
   IP Address: 10.10.10.1, AS: 65200 (IBGP), RouterID: 10.10.10.1
   State: ESTABLISHED, Time: 0h0m7s, KeepAliveTime: 60, HoldTime: 180...
NOTE
The BigIron RX applies route flap dampening only to routes learned from EBGP neighbors.
The route flap dampening mechanism is based on penalties. When a route exceeds a configured penalty value, the device stops using that route and also stops advertising it to other routers. The mechanism also allows a route’s penalties to reduce over time if the route’s stability improves.
BigIron RX(config-routemap DAMPENING_MAP_NEIGHBOR_A)# exit
BigIron RX(config)# router bgp
BigIron RX(config-bgp)# dampening route-map DAMPENING_MAP_ENABLE
BigIron RX(config-bgp)# neighbor 10.10.10.1 route-map in DAMPENING_MAP_NEIGHBOR_A
In this example, the first command globally enables route flap dampening. This route map does not contain any match or set statements. At the BGP configuration level, the dampening route-map command refers to the DAMPENING_MAP_ENABLE route map created by the first command, thus enabling dampening globally.
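The penalty mechanism described under route flap dampening, simulated in an added Python example that is not the guide's code. It uses the four parameters of the dampening command (half-life, reuse, suppress, max-suppress-time) with constructed values and an assumed penalty of 1000 per flap, since the excerpt gives neither the defaults nor the per-flap penalty; the penalty cap derived from max-suppress-time is the usual formulation and is also an assumption.

```python
"""Route flap dampening penalty simulation (added example, not from the guide).
Parameter meanings follow the text: half-life is the time for the penalty to halve,
reuse is the level below which a suppressed route is used again, suppress is the level
above which a route is suppressed, and max-suppress-time bounds how long a route
stays suppressed. All values below are constructed; 1000 per flap is assumed."""
import math
from dataclasses import dataclass


@dataclass
class DampeningParams:
    half_life: float = 15.0           # minutes (constructed value)
    reuse: int = 750                  # constructed value
    suppress: int = 2000              # constructed value
    max_suppress_time: float = 60.0   # minutes (constructed value)
    flap_penalty: int = 1000          # assumed penalty added per flap

    @property
    def max_penalty(self) -> float:
        # Cap so that a route at the cap decays below reuse within max_suppress_time.
        return self.reuse * 2 ** (self.max_suppress_time / self.half_life)


@dataclass
class DampenedRoute:
    params: DampeningParams
    penalty: float = 0.0
    last_update: float = 0.0          # minutes, time of the last penalty update
    suppressed: bool = False
    flaps: int = 0

    def _decay_to(self, now: float) -> None:
        # Exponential decay: the penalty halves every half_life minutes.
        elapsed = now - self.last_update
        self.penalty *= 2 ** (-elapsed / self.params.half_life)
        self.last_update = now

    def flap(self, now: float) -> bool:
        """Record a flap at time now (minutes); return True if the route is now suppressed."""
        self._decay_to(now)
        self.flaps += 1
        self.penalty = min(self.penalty + self.params.flap_penalty,
                           self.params.max_penalty)
        if self.penalty > self.params.suppress:
            self.suppressed = True       # stop using and stop advertising the route
        return self.suppressed

    def status(self, now: float) -> str:
        """'damped' while suppressed, 'usable' once the penalty has decayed below reuse."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.params.reuse:
            self.suppressed = False
        return "damped" if self.suppressed else "usable"

    def minutes_until_reuse(self, now: float) -> float:
        """Minutes from now until a suppressed route becomes usable again (0 if not suppressed)."""
        if self.status(now) != "damped":
            return 0.0
        return self.params.half_life * math.log2(self.penalty / self.params.reuse)


if __name__ == "__main__":
    route = DampenedRoute(DampeningParams())
    for t in (0.0, 1.0, 2.0):             # three flaps one minute apart
        suppressed = route.flap(t)
        print(f"t={t:4.1f} min  penalty={route.penalty:7.1f}  suppressed={suppressed}")
    for t in (12.0, 42.0):
        print(f"t={t:4.1f} min  {route.status(t)}  reuse in {route.minutes_until_reuse(t):.1f} min")
```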
BigIron RX# show ip bgp flap-statistics
Total number of flapping routes: 414
   Status Code >:best d:damped h:history *:valid
   Network   From   Flaps   Since   Reuse   Path
h> 192.50.206.0/23 166.90.213.77 0 :0 :13 0 :0 :0 65001 4355 1 701
h> 203.255.192.0/20 166.90.213.77 0 :0 :13 0 :0 :0 65001 4355 1 7018...
Clearing route flap dampening statistics
NOTE
Clearing the dampening statistics for a route does not change the dampening status of the route.
To clear all the route dampening statistics, enter the following command at any level of the CLI.
BigIron RX# clear ip bgp flap-statistics
Syntax: clear ip bgp flap-statistics [regular-expression <regular-expression>...
Filtering Using soft reconfiguration The soft reconfiguration feature places policy changes into effect without resetting the BGP4 session. Soft reconfiguration does not request the neighbor or group to send its entire BGP4 table, nor does the feature reset the session with the neighbor or group. Instead, the soft reconfiguration feature stores all the route updates received from the neighbor or group.
NOTE
The syntax related to soft reconfiguration is shown. For complete command syntax, refer to “Dynamically refreshing routes” on page 809.
Displaying the filtered routes received from the neighbor or peer group
When you enable soft reconfiguration, the device saves all updates received from the specified neighbor or peer group.
BigIron RX# show ip bgp neighbor 192.168.4.106 routes
There are 97345 received routes from neighbor 192.168.4.106
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
       Prefix   Next Hop   Metric   LocPrf   Weight   Status...
To request a dynamic refresh of all routes from a neighbor, enter a command such as the following.
BigIron RX(config-bgp)# clear ip bgp neighbor 192.168.1.170 soft in
This command asks the neighbor to send its BGP4 table (Adj-RIB-Out) again. The device applies its filters to the incoming routes and adds, modifies, or removes BGP4 routes as necessary.
Filtering To place a new or changed outbound policy or filter into effect, you must enter a clear ip bgp neighbor command regardless of whether the neighbor session is up or down. You can enter the command without optional parameters or with the soft out or soft-outbound option. Either way, you must specify a parameter for the neighbor (<ip-addr>, <as-num>, <peer-group-name>, or all).
If you make changes to filters or route maps and the neighbor does not support dynamic route refresh, use these methods to ensure that neighbors contain only the routes you want them to contain.
• If you close a neighbor session, the device and the neighbor clear all the routes they learned from each other.
BigIron RX# clear ip bgp neighbor 10.0.0.1 traffic
To clear the BGP4 message counter for all neighbors within a peer group, enter a command such as the following.
BigIron RX# clear ip bgp neighbor PeerGroup1 traffic
Syntax: clear ip bgp neighbor all | <ip-addr> | <peer-group-name> | <as-num> traffic
The all | <ip-addr>...
Clearing diagnostic buffers
The BigIron RX stores the following BGP4 diagnostic information in buffers:
• The first 400 bytes of the last packet received that contained an error
• The last NOTIFICATION message either sent or received by the device
To display these buffers, use options with the show ip bgp neighbors command.
Displaying summary BGP4 information
You can display the local AS number, the maximum number of routes and neighbors supported, and some BGP4 statistics. To view summary BGP4 information for the router, enter the following command at any CLI prompt.
BigIron RX# show ip bgp summary
  BGP4 Summary
  Router ID: 101.0.0.1...
TABLE 121 BGP4 summary information (Continued)
This field...                            Displays...
Number of Attribute Entries Installed    The number of BGP4 route-attribute entries in the router’s route-attributes table. To display the route-attribute table, refer to “Displaying BGP4 route-attribute entries” on page 837.
Neighbor Address                         The IP addresses of this router’s BGP4 neighbors.
TABLE 121 BGP4 summary information (Continued)
This field...   Displays...
Sent            The number of BGP4 routes that the device has sent to the neighbor.
ToSend          The number of routes the device has queued to send to this neighbor.
Displaying the active BGP4 configuration
To view the active BGP4 configuration information contained in the running configuration without displaying the entire running configuration, enter the following command at any level of the CLI.
BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 routes-summary
IP Address: 192.168.4.211
Routes Accepted/Installed:1, Filtered/Kept:11, Filtered:11
Routes Selected as BEST Routes:1
BEST Routes not Installed in IP Forwarding Table:0
Unreachable Routes (no IGP Route for NEXTHOP):0
History Routes:0
NLRIs Received in Update Message:24, Withdraws:0 (0), Replacements:1...
Displaying BGP4 information TABLE 122 BGP4 route summary information for a neighbor (Continued) This field... Displays... NLRIs Discarded due to Indicates the number of times the device discarded an NLRI for the neighbor due to the following reasons: • Maximum Prefix Limit – The device’s configured maximum prefix amount had been reached.
Page 893
Displaying BGP4 information The attribute-entries option shows the attribute-entries associated with routes received from the neighbor. The flap-statistics option shows the route flap statistics for routes received from or sent to the neighbor. The last-packet-with-error option displays the last packet from the neighbor that contained an error. The packet's contents are displayed in decoded (human-readable) format.
TABLE 123 BGP4 neighbor information (Continued)
This field... Displays...
Description: The description you gave the neighbor when you configured it on the device.
State: The state of the router’s session with the neighbor. The states are from this router’s perspective of the session, not the neighbor’s perspective.
DefaultOriginate: Whether this option is enabled for the neighbor.
MaximumPrefixLimit: Lists the maximum number of prefixes the device will accept from this neighbor.
RemovePrivateAs: Whether this option is enabled for the neighbor.
RefreshCapability: Whether this device has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability.
Last Connection Reset Reason: The reason the previous session with this neighbor ended. The reason can be one of the following:
• Reasons described in the BGP specifications:
•...
Notification Sent: If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
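As an added example (not Brocade's code), the following Python decoder parses a raw BGP NOTIFICATION message of the kind the diagnostic buffer holds and maps its error code and subcode to the names defined in RFC 4271 and RFC 4486, so the "Notification Sent" and "Last Connection Reset Reason" fields can be cross-checked against the packet itself; the sample message is constructed here, not captured from a device.

```python
"""Decode a BGP NOTIFICATION message (RFC 4271 section 4.5).
Added example, not Brocade code; SAMPLE is constructed, not captured."""
import struct

# Error codes and subcodes from RFC 4271; Cease subcodes from RFC 4486.
ERROR_CODES = {
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
}
SUBCODES = {
    1: {1: "Connection Not Synchronized", 2: "Bad Message Length",
        3: "Bad Message Type"},
    2: {1: "Unsupported Version Number", 2: "Bad Peer AS",
        3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
        6: "Unacceptable Hold Time"},
    3: {1: "Malformed Attribute List", 2: "Unrecognized Well-known Attribute",
        3: "Missing Well-known Attribute", 4: "Attribute Flags Error",
        5: "Attribute Length Error", 6: "Invalid ORIGIN Attribute",
        8: "Invalid NEXT_HOP Attribute", 9: "Optional Attribute Error",
        10: "Invalid Network Field", 11: "Malformed AS_PATH"},
    6: {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
        3: "Peer De-configured", 4: "Administrative Reset",
        5: "Connection Rejected", 6: "Other Configuration Change",
        7: "Connection Collision Resolution", 8: "Out of Resources"},
}

MARKER = b"\xff" * 16   # 16-octet all-ones marker of every BGP message
NOTIFICATION = 3        # BGP message type


def decode_notification(msg: bytes) -> dict:
    """Validate the BGP header and return the NOTIFICATION fields decoded
    to human-readable names. Raises ValueError on a malformed message."""
    if len(msg) < 21:
        raise ValueError("shorter than the 19-byte header plus code/subcode")
    marker, length, msg_type = struct.unpack("!16sHB", msg[:19])
    if marker != MARKER:
        raise ValueError("bad marker")
    if length != len(msg):
        raise ValueError("length field does not match message size")
    if msg_type != NOTIFICATION:
        raise ValueError(f"not a NOTIFICATION (type {msg_type})")
    code, subcode, data = msg[19], msg[20], msg[21:]
    default = "Unspecific" if subcode == 0 else f"Unknown subcode {subcode}"
    result = {
        "error_code": code,
        "error": ERROR_CODES.get(code, f"Unknown error code {code}"),
        "subcode": subcode,
        "subcode_name": SUBCODES.get(code, {}).get(subcode, default),
        "data": data,
    }
    # Cease / Maximum Number of Prefixes Reached carries AFI (2), SAFI (1)
    # and the configured upper bound (4) in the data field (RFC 4486).
    if code == 6 and subcode == 1 and len(data) == 7:
        result["afi"], result["safi"], result["prefix_limit"] = \
            struct.unpack("!HBI", data)
    return result


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    """Assemble a NOTIFICATION message; used here only to build sample input."""
    body = bytes([code, subcode]) + data
    return MARKER + struct.pack("!HB", 19 + len(body), NOTIFICATION) + body


# Constructed sample: Cease / Maximum Number of Prefixes Reached for IPv4
# unicast (AFI 1, SAFI 1) with a limit of 100, the message a neighbor sends
# when the prefixes it receives exceed its MaximumPrefixLimit.
SAMPLE = build_notification(6, 1, struct.pack("!HBI", 1, 1, 100))

if __name__ == "__main__":
    d = decode_notification(SAMPLE)
    print(f"{d['error']} / {d['subcode_name']} "
          f"(AFI {d['afi']}, SAFI {d['safi']}, limit {d['prefix_limit']})")
```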
TCP Connection state: The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
•...
TotalRcv: The number of sequence numbers received from the neighbor.
DupliRcv: The number of duplicate sequence numbers received from the neighbor.
RcvWnd: The size of the receive window.
SendQue: The number of sequence numbers in the send queue.

This display shows the following information.
TABLE 124 BGP4 route summary information for a neighbor
This field... Displays...
Routes Received: How many routes the device has received from the neighbor during the current BGP4 session.
• Accepted/Installed – Indicates how many of the received routes the device accepted and installed in the BGP4 route table.
NLRIs Sent in Update Message: The number of NLRIs for new routes the device has sent to this neighbor in UPDATE messages.
• Withdraws – The number of routes the device has sent to the neighbor to withdraw.
Displaying the adj-RIB-out for a neighbor
To display the device’s current BGP4 Routing Information Base (Adj-RIB-Out) for a specific neighbor and a specific destination network, enter a command such as the following at any level of the CLI.
BigIron RX(config-bgp)# show ip bgp neighbor 192.168.4.211 rib-out-routes 192.168.1.0/24
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST I:IBGP L:LOCAL...

This display shows the following information.
TABLE 125 BGP4 summary route information
This field... Displays...
Total number of BGP routes (NLRIs) Installed: The number of BGP4 routes the device has installed in the BGP4 route table.
Distinct BGP destination networks: The number of destination networks the installed routes represent.

The unreachable option displays the routes that are unreachable because the device does not have a valid RIP, OSPF, or static route to the next hop.

Displaying the best BGP4 routes
To display all the BGP4 routes in the device’s BGP4 route table that are the best routes to their destinations, enter a command such as the following at any level of the CLI.

BigIron RX(config-bgp)# show ip bgp 9.3.4.0
Number of BGP Routes matching display condition : 1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path...
TABLE 126 BGP4 network information (Continued)
This field... Displays...
Path: The route’s AS path. NOTE: This field appears only if you do not enter the route option.
Origin code: A character the display uses to indicate the route’s origin. The origin code appears to the right of the AS path (Path field).

These displays show the following information.
TABLE 127 BGP4 route information
This field... Displays...
Total number of BGP Routes: The number of BGP4 routes.
Status codes: A list of the characters the display uses to indicate the route’s status. The status code appears in the left column of the display, to the left of each route.
Origin: The source of the route information. The origin can be one of the following:
• EGP – The routes with this set of attributes came to BGP through EGP.
BigIron RX# show ip bgp attribute-entries
Total number of BGP Attribute Entries: 7753
Next Hop :192.168.11.1 Metric Origin:IGP
Originator:0.0.0.0 Cluster List:None
Aggregator:AS Number :0 Router-ID:0.0.0.0 Atomic:FALSE
Local Pref:100 Communities:Internet
AS Path :(65002) 65001 4355 2548 3561 5400 6669 5548
Next Hop :192.168.11.1 Metric...

TABLE 128 BGP4 route-attribute entries information (Continued)
This field... Displays...
Communities: The communities that routes with this set of attributes are in.
AS Path: The ASs through which routes with this set of attributes have passed. The local AS is shown in parentheses.

Displaying the routes BGP4 has placed in the IP route table
The IP route table indicates the routes it has received from BGP4 by listing “BGP”...

The <address> <mask> parameter specifies a particular route. If you also use the optional longer-prefixes parameter, then all statistics for routes that match the specified route or have a longer prefix than the specified route are displayed. For example, if you specify 209.157.0.0 longer, then all routes with the prefix 209.157 or that have a longer prefix (such as 209.157.22) are displayed.

 match address-filters 11
 set community 11:12 no-export
route-map permit1122 permit 12
 match ip address 11
route-map permit1122 permit 13
 match ip address std_22
This example shows that the running configuration contains six route maps. Notice that the match and set statements within each route map are listed beneath the command for the route map itself.
NOTE
After configuring BGP Graceful Restart, you need to reset the neighbor session, whether or not the neighbor session is up, to enable BGP graceful restart. Use the clear ip bgp neighbor command to clear and re-establish neighbor sessions.

Configuring BGP graceful restart on a router
Use the following command to enable the BGP graceful restart feature on a BigIron RX Switch.

Generalized TTL security mechanism support
BigIron RX# show ip bgp neighbor 11.11.11.2
1 IP Address: 11.11.11.2, Remote AS: 101 (EBGP), RouterID: 101.101.101.1
Local AS: 200
State: ESTABLISHED, Time: 0h18m15s, KeepAliveTime: 60, HoldTime: 180
KeepAliveTimer Expire in 44 seconds, HoldTimer Expire in 167 seconds
RefreshCapability: Received
GracefulRestartCapability: Received
Restart Time 120 sec, Restart bit 0...

Syntax: [no] neighbor <ip-addr> | <peer-group-name> ebgp-btsh
NOTE
For GTSM protection to work properly, it must be enabled on both the Brocade device and the neighbor.
BigIron RX Series Configuration Guide 53-1001986-01...
Chapter Configuring MBGP
This chapter provides details on how to configure Multi-protocol Border Gateway Protocol (MBGP). MBGP is an extension to BGP that allows a router to support separate unicast and multicast topologies. BGP4 cannot support a multicast network topology that differs from the network’s unicast topology.

Configuration considerations
• MBGP does not redistribute DVMRP routes. It redistributes static routes only.
• You cannot redistribute MBGP routes into BGP4.
• The BigIron RX supports 8192 multicast routes by default. You may need to increase the maximum number of multicast routes for MBGP.

Configuring MBGP

Enabling MBGP
To enable MBGP, you must enable PIM SM or DM and BGP4. Enter commands such as the following.
BigIron RX> enable
BigIron RX# configure terminal
BigIron RX(config)# router pim
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-1/1)# ip address 1.1.1.1/24
BigIron RX(config-if-1/1)# ip pim
BigIron RX(config-if-1/1)# exit
BigIron RX(config)# router bgp...

[password [0 | 1] <string>] [prefix-list <string> in | out] [remote-as <as-number>] [remove-private-as] [route-map in | out <map-name>] [route-reflector-client] [send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive <num> hold-time <num>] [update-source loopback <num>] [weight <num>]
The <ip-addr> | <peer-group-name> parameter indicates whether you are configuring an individual neighbor or a peer group.

Configuring a network prefix to advertise
By default, the BigIron RX advertises MBGP routes only for the networks you identify using the network command or that are redistributed into MBGP from IP multicast route tables.
NOTE
The exact route must exist in the IP multicast route table so that the device can create a local MBGP route.

NOTE
The route map you specify must already be configured.

Configuring static IP multicast routes
To configure static IP multicast routes, enter commands such as the following.
BigIron RX(config)# ip mroute 207.95.10.0 255.255.255.0 interface ethernet 1/2
BigIron RX(config)# ip mroute 0.0.0.0 0.0.0.0 interface ethernet 2/3
The commands in this example configure two static multicast routes.

The <ip-addr> and <ip-mask> parameters specify the aggregate value for the networks. The as-set parameter causes the router to aggregate AS-path information for all the routes in the aggregate address into a single AS-path. The summary-only parameter prevents the router from advertising more specific routes contained within the aggregate route.

Displaying MBGP information
BigIron RX# show ip mbgp summary
BGP4 Summary
Router ID: 9.9.9.1 Local AS Number : 200
Confederation Identifier : not configured
Confederation Peers:
Maximum Number of Paths Supported for Load Sharing : 1
Number of Neighbors Configured : 1, UP: 1
Number of Routes Installed : 5677
Number of Routes Advertising to All Neighbors : 5673
Number of Attribute Entries Installed : 3...

Displaying MBGP neighbors
To view MBGP neighbor information including the values for all the configured parameters, enter the following command. This display is similar to the show ip bgp neighbor display but has additional fields that apply only to MBGP. These fields are shown in bold type in the example and are explained below.
The <ip-addr> parameter specifies the neighbor’s IP address.

Displaying MBGP routes
To display the MBGP route table, enter the following command.
BigIron RX# show ip mbgp route
Total number of BGP Routes: 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
Prefix Next Hop...
Chapter Configuring IS-IS (IPv4)
The Intermediate System to Intermediate System (IS-IS) protocol is a link-state Interior Gateway Protocol (IGP) that is based on the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Open Systems Interconnection (OSI) model. In IS-IS, an intermediate system (router) is designated as either a Level 1 or Level 2 router.

• If the path provided by IS-IS has the lowest administrative distance, then the CPU places that IS-IS path in the IP route table.
• If a path to the same destination supplied by another protocol has a lower administrative distance, the CPU installs the other protocol’s path in the IP route table instead.

NOTE
Since the Brocade implementation of IS-IS does not route OSI traffic but instead routes IP traffic, IP hosts are shown instead of ESs.
The other basic IS-IS concepts illustrated in this figure are explained in the following sections.

Domain and areas
IS-IS is an IGP, and thus applies only to routes within a single routing domain.

The Designated IS is elected based on the priority of each IS in the broadcast network. When an IS becomes operational, it sends a Level-1 or Level-2 Hello PDU to advertise itself to other ISs. If the IS is configured to be both a Level-1 and a Level-2 IS, the IS sends a separate advertisement for each level.

Route calculation and selection
The Designated IS uses a Shortest Path First (SPF) algorithm to calculate paths to destination ISs and ESs. The SPF algorithm uses Link State PDUs (LSPDUs) received from other ISs as input, and creates the paths as output.

IS-IS CLI levels
BigIron RX(config)# router isis
BigIron RX(config-isis-router)#
Syntax: [no] router isis
The (config-isis-router)# prompt indicates that you are at the global level for IS-IS. Configurations you enter at this level apply to both IS-IS IPv4 and IS-IS IPv6.

Address family configuration level
The BigIron RX implementation of IS-IS includes the address family configuration level.
Configuring IPv4 IS-IS

Enabling IS-IS globally
To configure IPv4 IS-IS, do the following.
1. Globally enable IS-IS by entering the following command.
BigIron RX(config)# router isis
ISIS: Please configure NET!
Once you enter router isis, the device enters the IS-IS router configuration level.
Syntax: [no] router isis
To disable IS-IS, use the no form of this command.

• Change the default metric.
• Add, change, or negate route redistribution parameters.
Some IS-IS parameter changes take effect immediately while others do not take full effect until you disable, then re-enable route redistribution.

Globally configuring IS-IS on a device
This section describes how to change the global IS-IS parameters.

The on-startup <secs> parameter specifies the number of seconds following a reload to set the overload bit on. You can specify 0 or a number from 5 – 86400 (24 hours). The default is 0, which means the device starts performing IS-IS routing immediately following a successful software reload.

Changing the IS-IS Level globally
By default, a BigIron RX can operate as both an IS-IS Level-1 and Level-2 router. To globally change the level supported from Level-1 and Level-2 to Level-1 only, enter the following command.
BigIron RX(config-isis-router)# is-type level-1
Syntax: [no] is-type level-1 | level-1-2 | level-2
The level-1 | level-1-2 | level-2 parameter specifies the IS-IS type.

BigIron RX(config-isis-router)# csnp-interval 15
Syntax: [no] csnp-interval <secs>
The <secs> parameter specifies the interval and can be from 0 – 65535 seconds. The default is 10 seconds.
NOTE
Although the command name is csnp-interval, the interval also applies to PSNPs.

Changing the maximum LSP lifetime
The maximum LSP lifetime is the maximum number of seconds an un-refreshed LSP can remain in the device’s LSP database.

The <secs> parameter specifies the minimum refresh interval and can be from 1 – 120 seconds. The default is 10 seconds.

Changing the LSP interval and retransmit interval
The LSP interval is the rate, in milliseconds, at which the device transmits LSPs. The retransmit interval is the time the device waits before it retransmits LSPs.

The padding consists of arbitrarily valued octets. A padded hello PDU indicates the largest PDU that the device can receive. Other ISs that receive a padded hello PDU from the device can therefore ensure that the IS-IS PDUs they send to the device are no larger than the device can receive. Similarly, if the device receives a padded hello PDU from a neighbor IS, the device knows the maximum size PDU that it can send to the neighbor.
Configuring IPv4 address family route parameters
This section describes how to modify the IS-IS parameters for the IS-IS IPv4 unicast address family. To enter the IPv4 unicast address family, refer to “Address family configuration level” on page 862.

NOTE
This feature requires the presence of a default route in the IPv4 route table.
To enable the device to advertise a default route that is originated at Level 2, enter the following command at the IPv4 IS-IS unicast address family configuration level.
BigIron RX(config-isis-router-ipv4u)# default-information-originate
This command enables the device to advertise a default route into the IPv4 IS-IS area to which the device is attached.

For example, if the router has a path from RIP, from OSPF, and from IPv4 IS-IS to the same destination, and all the paths are using their protocols’ default administrative distances, the router selects the OSPF path, because that path has a lower administrative distance than the RIP and IPv4 IS-IS paths.

The level-1 | level-1-2 | level-2 parameter specifies the route types to which the aggregate route applies. The default is level-2.

Redistributing routes into IPv4 IS-IS
To redistribute routes into IPv4 IS-IS, you can perform the following configuration tasks:
•...

The <value> parameter specifies the default metric. You can specify a value from 0 – 65535. The default is 0. To restore the default value for the default metric, enter the no form of this command.

Redistributing static IPv4 routes into IPv4 IS-IS
To redistribute static IPv4 routes from the IPv4 static route table into IPv4 IS-IS routes, enter the following command at the IPv4 IS-IS unicast address family configuration level.

Redistributing RIP routes into IPv4 IS-IS
To redistribute RIP routes into IPv4 IS-IS, enter the following command at the IPv4 IS-IS unicast address family configuration level.
BigIron RX(config-isis-router-ipv4u)# redistribute rip
This command configures the device to redistribute all RIP routes into Level-2 IS-IS.
Syntax: [no] redistribute rip [level-1 | level-1-2 | level-2] | metric <number>...

Redistributing IPv4 IS-IS routes within IPv4 IS-IS
In addition to redistributing routes from other route sources into IPv4 IS-IS, the BigIron RX can redistribute Level 1 IPv4 IS-IS routes into Level 2 IPv4 IS-IS routes, and Level 2 IPv4 IS-IS routes into Level 1 IPv4 IS-IS routes.

Configuring ISIS properties on an interface
NOTE
The BigIron RX advertises an IS-IS interface to its area regardless of whether adjacency formation is enabled.
To disable IS-IS adjacency formation on an interface, enter commands such as the following.
BigIron RX(config)# interface ethernet 2/8
BigIron RX(config-if-e1000-2/8)# isis passive
This command disables IS-IS adjacency formation on port 2/8.

The <string> parameter specifies the password. You can enter an alphanumeric string up to 80 characters long. The password can contain blank spaces. If you use a blank space in the password, you must use quotation marks (" ") around the entire password; for example, isis password "admin 2".

The <num> parameter specifies the interval, and can be from 1 – 65535 seconds. The default is 10 seconds. The level-1 | level-2 parameter applies the change to only the level you specify. If you do not use this parameter, the change applies to both levels.

The level-1 | level-2 parameter applies the change to only the level you specify. If you do not use this parameter, the change applies to both levels.

Displaying IPv4 IS-IS information
You can display the following information:
•...
BigIron RX# show isis hostname
Total number of entries in IS-IS Hostname Table: 1
System ID Hostname
* = local IS
* bbbb.cccc.dddd
Syntax: show isis hostname
The table in this example contains one mapping, for this device. The device’s IS-IS system ID is “bbbb.cccc.dddd“...

TABLE 132 IS-IS neighbor information (Continued)
This field... Displays...
Type: The IS-IS type of the adjacency. The type can be one of the following:
• ISL1 – Level-1 IS
• ISL2 – Level-2 IS
• ES – ES
NOTE: The device forms a separate adjacency for each IS-IS type.

TABLE 133 IS-IS Syslog messages
Message level / Message / Explanation
Alert / ISIS MEMORY USE EXCEEDED / IS-IS is requesting more memory than is available.
Notification / ISIS L1 ADJACENCY DOWN <system-id> on interface <interface-id> / The device’s adjacency with this Level-1 IS...

BigIron RX# show isis interface
Total number of IS-IS Interfaces: 1
Interface: Eth 7/1
Circuit State: UP Circuit Mode: LEVEL-1-2
Circuit Type: BCAST Passive State: FALSE
Circuit Number: 0x01, MTU: 1497
Authentication password: None
Level-1 Metric: 10, Level-1 Priority: 64
Level-1 Hello Interval: 10 Level-1 Hello Multiplier: 3
Level-1 Designated IS: RX-01 Level-1 DIS Changes: 8
Level-2 Metric: 10, Level-2 Priority: 64...

TABLE 134 IS-IS Interface information (Continued)
This field... Displays...
Passive State: The passive state determines whether the interface is allowed to form an IS-IS adjacency with the IS at the other end of the circuit. The state can be one of the following:
•...
Bad LSP: The number of times the interface received a bad LSP from an IS at the other end of the circuit. The following conditions can cause an LSP to be bad:
•...

TABLE 135 IS-IS route information (Continued)
This field... Displays...
Cost: The IS-IS default metric for the route, which is the cost of using this route to reach the next-hop router to this destination.
Type: The route type, which can be one of the following:
•...

The <lsp-id> parameter displays summary information about a particular LSP. Specify an LSPID for which you want to display information in HHHH.HHHH.HHHH.HH-HH format, for example, 3333.3333.3333.00-00. You can also enter name.HH-HH, for example, RX.00-00. The detail parameter displays detailed information about the LSPs. Refer to “Displaying detailed information”...

BigIron RX# show isis database detail
IS-IS Level-1 Link State Database
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
RX.00-00* 0x0000000b 0x23fb 1/0/0
Area Address:
NLPID: CC(IP)
Hostname:
Metric: IP-Internal 4.1.1.0/24 Up-bit: 0
Metric: IS RX.01
IS-IS Level-2 Link State Database
LSPID LSP Seq Num...

TABLE 137 IS-IS detailed LSP database information (Continued)
This field... Displays...
IP address: The IP address of the interface that sent the LSP. The device can use this address as the next hop in routes to the addresses listed in the rows below.

TABLE 138 IS-IS traffic statistics
This field... Displays...
Level-1 Hellos: The number of Level-1 hello PDUs sent and received by the device.
Level-2 Hellos: The number of Level-2 hello PDUs sent and received by the device.
Level-1 LSP: The number of Level-1 link-state PDUs sent and received by the device.

Clearing IS-IS information
TABLE 139 IS-IS error statistics (Continued)
This field... Displays...
LSP Sequence Number Skipped: The number of times the device received an LSP with a sequence number that was more than 1 higher than the sequence number of the previous LSP received from the same neighbor.

The neighbor parameter closes the device’s adjacencies with its IS-IS neighbors and clears the neighbor statistics. The route [<ip-address> <subnet-mask> | <ip-address>/<prefix>] parameter clears the IS-IS route table or the specified matching route. The traffic parameter clears the PDU statistics.
NOTE
The traffic option also clears the values displayed in the show isis interface command’s Control Messages Sent and Control Messages Received fields.
Chapter BiDirectional Forwarding Detection (BFD)
The BigIron RX provides support for Bidirectional Forwarding Detection (BFD) in Version 02.6.00 of the Multi-Service IronWare software. BFD defines a method of rapid detection of the failure of a forwarding path by checking that the next hop router is alive. Without BFD enabled, it can take from 3 to 30 seconds to detect that a neighboring router is not operational, causing packet loss due to incorrect routing information at a level that is unacceptable for real-time applications such as VoIP and video over IP.

Configuring BFD parameters
When you configure BFD you must set timing and interval parameters. These are configured on each interface. When two adjacent interfaces are configured with BFD, they negotiate the conditions for determining whether the connection between them is still active. The following command is used to set the BFD parameters.

Displaying Bidirectional Forwarding Detection information
You can display Bidirectional Forwarding Detection (BFD) information for the router you are logged in to and for BFD-configured neighbors as described in the following sections.

Displaying BFD information on a router
The following example illustrates the output from the show bfd command.

TABLE 140 Display of BFD information (Continued)
This field... Displays...
BFD Enabled ports count: The number of ports on the router that have been enabled for BFD.
Port: The port that BFD is enabled on.
MinTx: The interval in milliseconds at which the router desires to send BFD messages from this port to its peer.

TABLE 142 Display of BFD information
This field... Displays...
Total number of Neighbor entries: The number of neighbors that have established BFD sessions with ports on this router.
NeighborAddress: The IPv4 or IPv6 address of the remote peer.
State: The current state of the BFD session.

TABLE 143 Display of BFD neighbor detail information (Continued)
This field... Displays...
Interval: The interval at which the local router sends BFD messages to the remote peer. Heard from remote.
Registered Protocols: Specifies which protocols are registered to use BFD on this port.
Local Disc: Value of the “local discriminator”...
LastSessionDownTimestamp: The system time at which the session last transitioned from the UP state to some other state.
Physical Port: The physical port on which the peer is known.
Vlan Id: The VLAN ID of the VLAN that the physical port is resident on.

Configuring BFD for the specified protocol

Enabling or disabling BFD for OSPFv2 for a specific interface
You can selectively enable or disable BFD on any OSPFv2 interface as shown in the following.
BigIron RX(config-if-e1000-3/1)# ip ospf bfd
Syntax: ip ospf bfd [disable]
The disable option disables BFD for OSPFv2 on the interface.

Enabling or disabling BFD for IS-IS for a specific interface
You can selectively enable or disable BFD on any IS-IS interface as shown in the following.
BigIron RX(config-if-e1000-3/1)# isis bfd
Syntax: isis bfd [disable]
The disable option disables BFD for IS-IS on the interface.
Chapter Configuring Secure Shell

Overview of Secure Shell (SSH)
Secure Shell (SSH) is a mechanism for allowing secure remote access to management functions on a BigIron RX. SSH provides a function similar to Telnet. Users can log into and configure the device using a publicly or commercially available SSH client program, just as they can with Telnet.

• Van Dyke SecureCRT 4.0 and 4.1
• F-Secure SSH Client 5.3 and 6.0
• PuTTY 0.54 and 0.56
• OpenSSH 3.5_p1 and 3.6.1p2
• Solaris Sun-SSH-1.0

Supported features
The SSH server allows secure remote access to management functions on a device. SSH provides a function that is similar to Telnet, but unlike Telnet, SSH provides a secure, encrypted connection.

Configuring SSH
1. Generate a host DSA public and private key pair for the device.
2. Configure DSA challenge-response authentication.
3. Set optional parameters.
You can also view information about active SSH connections on the device as well as terminate them.

Providing the public key to clients
If you are using SSH to connect to a device from a UNIX system, you may need to add the device’s public key to a “known hosts” file; for example, $HOME/.ssh/known_hosts. The following is an example of an entry in a known hosts file.
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
---- END SSH2 PUBLIC KEY ----
You can import the authorized public keys into the active configuration by loading them from a file on a TFTP server; they are saved in the EEPROM of the chassis.
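As an added example (not Brocade's code), the following Python script parses a key in the SSH2 public key format shown above (RFC 4716, the same format show ip client-pub-key prints), emits the known_hosts line for the device, and computes the key's SHA256 fingerprint so it can be compared with the device's key out of band before the line is trusted; the hostname bigiron-rx.example and the key material are constructed placeholders, not a real DSA key.

```python
"""Convert an RFC 4716 (SSH2) public key into an OpenSSH known_hosts line
and fingerprint it. Added example, not Brocade code; SAMPLE_KEY is a
format-valid placeholder built from small integers, not a usable key."""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (extra byte keeps the sign bit 0)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack("!I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_rfc4716(text: str) -> tuple:
    """Return (comment, key_blob) from an RFC 4716 public key file body.
    Header lines ('Name: value', continued with a trailing backslash) are
    separated from the base64 body, which is decoded strictly."""
    lines = [ln.rstrip("\r\n") for ln in text.strip().splitlines()]
    if (lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----"
            or lines[-1] != "---- END SSH2 PUBLIC KEY ----"):
        raise ValueError("missing RFC 4716 begin/end markers")
    body, comment, i = [], "", 1
    while i < len(lines) - 1:
        ln = lines[i]
        if ":" in ln and not body:          # header line (base64 has no ':')
            name, _, val = ln.partition(":")
            while val.endswith("\\"):        # continuation onto the next line
                i += 1
                val = val[:-1] + lines[i]
            if name.strip().lower() == "comment":
                comment = val.strip().strip('"')
        else:
            body.append(ln.strip())
        i += 1
    return comment, base64.b64decode("".join(body), validate=True)


def key_type(blob: bytes) -> str:
    """The key type is the first SSH string of the blob, e.g. 'ssh-dss'."""
    t, _ = _read_string(blob, 0)
    return t.decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def known_hosts_line(host: str, text: str) -> str:
    """Build the line to add to $HOME/.ssh/known_hosts for this device."""
    comment, blob = parse_rfc4716(text)
    kt = key_type(blob)
    if kt != "ssh-dss":                      # the device generates a DSA host key
        raise ValueError(f"expected an ssh-dss host key, got {kt}")
    return f"{host} {kt} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


# Constructed sample: an ssh-dss blob (type, p, q, g, y) from placeholder
# integers, wrapped in RFC 4716 format the way the device prints it.
SAMPLE_BLOB = _ssh_string(b"ssh-dss") + b"".join(
    _ssh_mpint(n) for n in (0xA7, 0x3B, 0x02, 0x5D))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_KEY = "\n".join(
    ["---- BEGIN SSH2 PUBLIC KEY ----", "Comment: DSA Public Key"]
    + [SAMPLE_B64[i:i + 70] for i in range(0, len(SAMPLE_B64), 70)]
    + ["---- END SSH2 PUBLIC KEY ----"])

if __name__ == "__main__":
    _, blob = parse_rfc4716(SAMPLE_KEY)
    print(fingerprint_sha256(blob))
    print(known_hosts_line("bigiron-rx.example", SAMPLE_KEY))
```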
BigIron RX# show ip client-pub-key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET
W6ToHv8D1UJ/z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH
YI14Om1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv
wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v
GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA
vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB
AN7CY+KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO+JsvphVMBJc9HS
n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5
sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV
---- END SSH2 PUBLIC KEY ----

Syntax: show ip client-pub-key [ | begin <expression> | exclude <expression> | include <expression> ]

To clear the public keys from the buffers, enter the following command.
With DSA challenge-response authentication, a collection of clients’ public keys is stored on the device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH. With password authentication, users are prompted for a password when they attempt to log into the device (provided empty password logins are not allowed;...
Setting the SSH login timeout value

When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects.
Displaying SSH connection information

Filtering SSH access using ACLs

You can permit or deny SSH access to the device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL or a named standard IPv4 ACL. Then enter the following command.
Using secure copy

BigIron RX#show who
Console connections:
 established, monitor enabled, in config mode
 2 minutes 17 seconds in idle
Telnet connections (inbound):
 1 closed
 2 closed
 3 closed
 4 closed
 5 closed
Telnet connection (outbound):
 6 closed
SSH connections:
 1 established, client ip address 192.168.144.241, user is hanuma
 1 minutes 16 seconds in idle
 2 established, client ip address 192.168.144.241, user is Mikaila...
NOTE
When using SCP, you enter the scp commands on the SCP-enabled client, rather than the console on the device.

NOTE
Certain SCP client options, including -p and -r, are ignored by the SCP server on the device. If an option is ignored, the client is notified.
BigIron RX Series Configuration Guide 53-1001986-01...
Chapter Configuring Multi-Device Port Authentication

How multi-device port authentication works

Multi-device port authentication is a way to configure a BigIron RX to forward or block traffic from a MAC address based on information received from a RADIUS server. Multi-device port authentication is supported in the device software release 02.2.01 and later.
Authentication-failure actions

If the MAC address does not match the username and password of an entry in the users database on the RADIUS server, then the RADIUS server returns an Access-Reject message. When this happens, it is considered an authentication failure for the MAC address. When an authentication failure occurs, the device can either drop traffic from the MAC address in hardware (the default), or move the port on which the traffic was received to a restricted VLAN.
Configuring multi-device port authentication

Support for authenticating multiple MAC addresses on an interface

The multi-device port authentication feature allows multiple MAC addresses to be authenticated or denied authentication on each interface. The maximum number of MAC addresses that can be authenticated on each interface is 256.
You can enable the feature on an interface at the interface CONFIG level.

Configuring an authentication method list for 802.1x

To use 802.1x port security, you must specify an authentication method to be used to authenticate clients.
• Filter-Id (11) – RFC 2865
• Vendor-Specific Attributes (26) – RFC 2865
• Tunnel-Type (64) – RFC 2868
• Tunnel-Medium-Type (65) – RFC 2868
• EAP-Message (79) – RFC 2579
• Tunnel-Private-Group-Id (81) – RFC 2868

Specifying the format of the MAC addresses sent to the RADIUS server

When multi-device port authentication is configured, the device authenticates MAC addresses by...
BigIron RX(config)# interface e 3/1
BigIron RX(config-if-e100-3/1)# mac-authentication auth-fail-action block-traffic

Syntax: [no] mac-authentication auth-fail-action block-traffic

Dropping traffic from non-authenticated MAC addresses is the default behavior when multi-device port authentication is enabled.

Defining MAC address filters

You can specify MAC addresses that do not have to go through multi-device port authentication. These MAC addresses are considered pre-authenticated, and are not subject to RADIUS authentication.
If a previous authentication attempt for a MAC address failed, and as a result the port was placed in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS Access-Accept message may specify a VLAN for the port. By default, the device moves the port out of the restricted VLAN and into the RADIUS-specified VLAN.
BigIron RX(config)# interface e 3/1
BigIron RX(config-if-e100-3/1)# mac-auth move-back-to-old-vlan port-restrict-vlan

Syntax: [no] mac-authentication move-back-to-old-vlan disable | port-configured-vlan | port-restrict-vlan | system-default-vlan

The disable keyword disables moving the port back to its original VLAN. The port would stay in its RADIUS-assigned VLAN.
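The RADIUS exchange behind the Access-Reject, the attribute list and the VLAN-carrying Access-Accept described in the preceding sections, as an added example that is not code from this guide or from Brocade: it builds the Access-Request a switch would send with the MAC address as both User-Name and (hidden) User-Password in the xxxx.xxxx.xxxx format that the show output displays, then authenticates the server's reply and extracts the VLAN from the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triplet. The shared secret, MAC address, NAS port and VLAN number are constructed values, and the assumption that the device sends the MAC in exactly this format is mine; the guide's own text on the format is cut off on this page.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2868).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # "VLAN" tunnel type over an IEEE 802 medium


def format_mac(mac):
    """Normalise a MAC to the xxxx.xxxx.xxxx form shown by 'show auth-mac configuration'
    (assumed here to be the format the device sends as User-Name and User-Password)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("MAC address must contain 12 hex digits: %r" % mac)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; the NUL padding is stripped (a MAC string has none)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One Type/Length/Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", atype, len(value) + 2) + value


def tagged_int(atype, tag, value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte followed by a 3-byte integer."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def build_mac_auth_request(mac, secret, ident, nas_port, authenticator=None):
    """Access-Request carrying the MAC as both User-Name and hidden User-Password."""
    authenticator = authenticator or os.urandom(16)
    user = format_mac(mac).encode()
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(user, secret, authenticator))
    attrs += attr(NAS_PORT, struct.pack(">I", nas_port))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack(">BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse_attrs(data):
    """Walk the attribute area; reject lengths that run past the packet."""
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data) or data[off + 1] < 2 or off + data[off + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[off], data[off + 2:off + data[off + 1]]))
        off += data[off + 1]
    return attrs


def verify_and_decode(response, request, secret):
    """Client side: authenticate the reply to our request, then return (accepted, vlan).
    vlan is None unless a complete tagged VLAN triplet is present."""
    code, ident, length = struct.unpack(">BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("response does not match the outstanding request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    if code == ACCESS_REJECT:
        return False, None            # the device then applies its auth-fail-action
    if code != ACCESS_ACCEPT:
        raise ValueError("unexpected RADIUS code %d" % code)
    groups = {}                       # RFC 2868 attributes belong together by tag byte
    for atype, value in parse_attrs(response[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # a first byte above 0x1F is part of the string, not a tag (RFC 2868 section 3.6)
            tag, name = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = name.decode()
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return True, g[TUNNEL_PRIVATE_GROUP_ID]
    return True, None
```

Two points the code makes explicit: the Response Authenticator is checked before anything in the reply is acted on, so a reply with the wrong shared secret or a modified attribute is discarded rather than moving a port into a VLAN, and the VLAN is taken only from a complete Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id triplet sharing one tag, not from a stray Tunnel-Private-Group-Id on its own.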
This command removes the Layer 2 CAM entry created for the specified MAC address. If the device receives traffic from the MAC address again, the MAC address is authenticated again.

Disabling aging for authenticated MAC addresses

MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no traffic is received from the MAC address for a certain period of time.
To change the length of the software aging period for blocked MAC addresses, enter a command such as the following.

BigIron RX(config)# mac-authentication max-age 180

Syntax: [no] mac-authentication max-age <seconds>

You can specify from 1 – 65535 seconds. The default is 120 seconds.

Displaying multi-device port authentication information

You can display the following information about the multi-device port authentication configuration: •...
Displaying multi-device port authentication configuration information

To display a summary of the multi-device port authentication settings configured on the device, enter the following command.

BigIron RX# show auth-mac configuration
Feature enabled : Yes
Global Fail-VLAN Id : None
Username/Password format : xxxx.xxxx.xxxx...
TABLE 146 Output from the show auth-mac-address configuration command (Continued)

This field...          Displays...
Override Restricted    Whether or not a port in a restricted VLAN (due to a failed authentication) is removed from the restricted VLAN on a subsequent successful authentication on the port.