Foundry Networks Switch and Router Installation And Configuration Manual

Foundry Switch and Router
Installation and Configuration Guide
2100 Gold Street
P.O. Box 649100
San Jose, CA 95164-9100
Tel 408.586.1700
Fax 408.586.1900
www.foundrynetworks.com

Summary of Contents for Foundry Networks Switch and Router

  • Page 2 December 2000 Copyright 2000 by Foundry Networks, Inc.
  • Page 27: Chapter 1 Getting Started

    This manual is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Foundry Layer 3 Switch, you should be familiar with the following protocols if applicable to your network – IP, RIP, OSPF, BGP4, IGMP, PIM, DVMRP, IPX, AppleTalk, FSRP, and VRRP.
  • Page 28: Related Publications

    Related Publications The following Foundry Networks documents supplement the information in this guide. • Foundry Switch and Router Command Line Interface Reference – provides a list and syntax information for all the switch and router CLI commands. • Foundry Diagnostic Guide – provides descriptions of diagnostic commands that can help you diagnose and solve issues on switches and Layer 3 Switches.
  • Page 29: System Level Enhancements

    Configurable block size for You can change the size of the data blocks the software uses TFTP file transfers when you use TFTP to transfer a file to or from the Foundry device. Option to suppress Telnet You can disable the message that the Foundry device sends to connection rejection a Telnet client that is denied access to the device.
  • Page 30: How To Get Help

    For example, MIB file MIB07105.mib corresponds with software release 07.1.05. How to Get Help Foundry Networks technical support will ensure that the fast and easy access that you have come to expect from your Foundry Networks products will be maintained. Web Access •...
  • Page 31: Installing A Foundry Layer 2 Switch Or Layer 3 Switch

    Installing a Foundry Layer 2 Switch or Layer 3 Switch This chapter describes how to install Foundry Layer 2 Switches and Layer 3 Switches and attach them to your network. For information about basic software configuration, see “Configuring Basic Features” on page 10-1.
  • Page 32 Subsequent IP address configuration can be performed using the Web management interface. See “Configuring IP Addresses” on page 2-17. Foundry devices can be installed on a desktop or in an equipment rack. See “Mounting the Chassis or Stackable Device” on page 2-19.
  • Page 33: Installation Precautions

    14. Secure access to the device. See “Securing Access to Management Functions” on page 3-1. Installation Precautions Follow these precautions when installing a Foundry device: WARNING: The Chassis devices are heavy when fully populated with modules and power supplies. TWO OR MORE PEOPLE ARE REQUIRED WHEN LIFTING, HANDLING, OR MOUNTING THESE DEVICES.
  • Page 34: Installing Or Removing Optional Modules

    Installing or Removing Optional Modules (Chassis Devices Only) NOTE: If you are installing redundant management modules (Management II or higher), see “Using Redundant Management Modules” on page 5-1 for complete installation, configuration, and management instructions for the modules.
  • Page 35: Removing Modules

    Figure 2.1 Installing a module Removing Modules To remove a module from the chassis, do the following: Put on an ESD wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
  • Page 36: (Chassis Devices Only)

    To install a power supply in the chassis, do the following: CAUTION: Power supplies are hot swappable but Foundry Networks recommends that you disconnect the power supply from AC power before installing or removing the supply. The device can be running while a power supply is being installed or removed, but the power supply itself should not be connected to a power source.
  • Page 37: Removing Power Supplies

    To remove a power supply module from the chassis, do the following: CAUTION: Power supplies are hot swappable. However, Foundry Networks recommends that you disconnect the power supply from AC power before installing or removing the supply. The device can be running while a power supply is being installed or removed, but the power supply itself should not be connected to a power source.
  • Page 38 Figure 2.3 Fifteen-slot Chassis device
  • Page 39 Figure 2.4 Eight-slot Chassis device
  • Page 40: Replacing Fans (4-Slot And 8-Slot Chassis Devices Only)

    Replacing Fans (4-Slot and 8-Slot Chassis Devices Only) The 4-slot and 8-slot Chassis devices contain field-upgradable fans. The fans are upgradable on an individual basis. You need to replace only the fan that has failed.
  • Page 41: Four-Slot Chassis

    Four-Slot Chassis To replace a fan in a 4-slot chassis: Power down the chassis and remove the power cables from the chassis power supplies. Put on an ESD wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
  • Page 42: Eight-Slot Chassis

    18. Verify that all chassis modules and power supplies are fully seated and all cover plates and panels are fully fastened. 19. Reconnect the power and power on the chassis. 20. Access the CLI and enter the show chassis command to verify that all fans are now operating normally.
  • Page 43: Replacing A Fan Tray (15-Slot Chassis Devices Only)

    17. Screw the 34 Phillips-head screws back in. 18. Verify that all chassis modules and power supplies are fully seated and all cover plates and panels are fully fastened. 19. Reconnect the power cables and power on the chassis.
  • Page 44: Attaching a PC or Terminal

    Telnet connections. The CLI is described in detail in the Foundry Switch and Router Command Line Interface Reference. You need to assign an IP address using the CLI. You can access the CLI by attaching a serial cable to the Console port.
  • Page 45 Terminal connections will vary, requiring either a DB-9 or DB-25 connector, male or female. Serial cable options between a Foundry switch or router and a PC or terminal are shown in Figure 2.7. NOTE: As indicated in Figure 2.6 and Figure 2.7, some of the wires should not be connected. If you do connect the wires that are labeled “Reserved”, you might get unexpected results with some terminals.
  • Page 46: Assigning Permanent Passwords

    Figure 2.7 Serial port pin assignments showing cable connection options to a terminal or PC (panels: DB-9 to DB-9, DB-9 to DB-25)...
  • Page 47: Configuring Ip Addresses

    In addition, Foundry routers require an IP sub-net address for the sub-net in which you plan to place them in your network. Foundry devices support both classical IP network masks (Class A, B, and C sub-net masks, and so on) and Classless Interdomain Routing (CIDR) network prefix masks.
  • Page 48: Layer 2 Switches

    BigIron# erase startup-config WARNING: Use this step only for new systems. If you enter this command on a system you have already configured, the command erases the configuration. If you accidentally do erase the configuration on a configured system, enter the write memory command to save the running configuration to the startup-config file.
  • Page 49: Mounting The Chassis Or Stackable Device

    Syntax: ip default-gateway <ip-addr> Mounting the Chassis or Stackable Device You can install Foundry systems on a desktop or in an equipment rack. WARNING: The Chassis devices are very heavy, especially when fully populated with modules and power supplies. TWO OR MORE PEOPLE ARE REQUIRED WHEN LIFTING, HANDLING, OR MOUNTING THESE DEVICES.
  • Page 50: Rack Mount Installation - Stackable Devices

    Figure 2.8 Installing a Chassis device in a rack mount Rack Mount Installation – Stackable Devices NOTE: You need a #2 Phillips-head screwdriver for installation. Remove the rack mount kit from the shipping carton. The kit contains two L-shaped mounting brackets and mounting screws.
  • Page 51: Powering On A System

    NOTE: Foundry devices are designed to provide uninterrupted service even when you insert or remove modules. Therefore, the systems do not have separate on/off power switches. To turn the system off, simply unplug the power cord(s).
  • Page 52: Connecting Network Devices

    Connecting Network Devices Foundry devices can support connections to other vendors’ routers, switches, and hubs as well as other Foundry devices. Connectors • 10BaseT/100BaseTX ports come with RJ45 jacks for standard unshielded twisted pair (UTP/Category 5) cable connections.
  • Page 53 Table 2.3: Cable length summary table Fiber Type Core Modal Minimum Diameter Bandwidth Range (microns) (MHz*km) (meters) 1000BaseSX 62.5 2 – 200 62.5 2 – 275 2 – 500 2 – 550 1000BaseLX 62.5...
  • Page 54: Connecting To Ethernet Or Fast Ethernet Hubs

    Connecting to Ethernet or Fast Ethernet Hubs For connections to Ethernet hubs, a 10/100BaseTX or 1000BaseT switch, or another Foundry device, a crossover cable is required (Figure 2.11 or Figure 2.12). If the hub is equipped with an uplink port, it will require a straight-through cable instead of a crossover cable.
  • Page 55: Installing Or Removing a GBIC

    Installing or Removing a GBIC Some modules use Gigabit Interface Converters (GBICs) or miniature GBICs (mini-GBICs), which are individually insertable and removable port connectors. To insert or remove a GBIC or mini-GBIC, use the following procedures.
  • Page 56: Troubleshooting Network Connections

    You also can perform trace routes. Pinging an IP Address To verify that a Foundry device can reach another device through the network, enter a command such as the following at any level of the CLI on the Foundry device: BigIron>...
  • Page 57: Managing The Device

    VLANs, for routing protocols, and other configuration areas. NOTE: By default, any user who can open a serial or Telnet connection to the Foundry device can access all these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can configure the device to use a RADIUS or TACACS/TACACS+ server for authentication.
  • Page 58 all-client appletalk boot some lines omitted for brevity... lock-address logging --More--, next page: Space, next line: Return key, quit: Control-c The software provides the following scrolling options: • Press the Space bar to display the next page (one screen at a time).
  • Page 59: Logging On Through The Web Management Interface

    Logging On Through the Web Management Interface To use the Web management interface, open a web browser and enter the IP address of the Foundry device in the Location or Address field. The web browser contacts the Foundry device and displays a login dialog, as shown in Figure 2.13.
  • Page 60 Navigating the Web Management Interface When you log into a device, the System configuration panel is displayed. This panel allows you to enable or disable major system features. You can return to this panel from any other panel by selecting the Home link.
  • Page 61: Logging On Through Ironview

    [Figure: Web management interface layout, showing the Front Panel frame, Menu frame (Tree View shown), Page Menu, and Bottom frame] NOTE: The tree view is available when you use the Web management interface with Netscape 4.0 or higher or Internet Explorer 4.0 or higher browsers.
  • Page 62 NOTE: If the slot has never contained a module or you are swapping in exactly the same type of module, you do not need to use the module command. The slot requires configuration only if it has already been configured for another type of module.
  • Page 63 Select slot number from the Slot pulldown menu. • Slots in a 4-slot chassis are numbered 1 – 4, from top to bottom. • Slots in an 8-slot chassis are numbered 1 – 8, from left to right.
  • Page 65: Securing Access To Management Functions

    Chapter 3 Securing Access to Management Functions This chapter explains how to secure access to management functions on a Foundry device. It contains the following sections: • “Securing Access Methods” on page 3-1 lists the management access methods available on a Foundry device and the ways you can secure each one •...
  • Page 66 Table 3.1: Ways to secure management access to Foundry devices (Continued). Columns: Access method; How the access method is secured by default; Ways to secure the access method; Page. Access to the Privileged EXEC...
  • Page 67: Restricting Remote Access To Management Functions

    Allowing remote access only to clients connected to a specific VLAN • Specifically disabling Telnet, Web management interface, or SNMP access to the device The following sections describe how to restrict remote access to a Foundry device using these methods.
  • Page 68: Using Acls To Restrict Remote Access

    Using ACLs to Restrict Remote Access You can use standard ACLs to control the following access methods to management functions on a Foundry device: • Telnet access • Web management access •...
  • Page 69: Restricting Remote Access To The Device To Specific Ip Addresses

    NOTE: You cannot restrict remote management access using the Web management interface. Restricting Telnet Access to a Specific IP Address To allow Telnet access to the Foundry device only to the host with IP address 209.157.22.39, enter the following command:...
  • Page 70: Restricting Remote Access To The Device To Specific Vlan Ids

    Restricting All Remote Management Access to a Specific IP Address To allow Telnet, Web, and SNMP management access to the Foundry device only to the host with IP address 209.157.22.69, you can enter three separate commands (one for each access type) or you can enter the following command: BigIron(config)# all-client 209.157.22.69...
  • Page 71: Disabling Specific Access Methods

    Restricting Web Management Access to a Specific VLAN To allow Web management access only to clients in a specific VLAN, enter a command such as the following: BigIron(config)# web-management enable vlan 10 The command in this example configures the device to allow Web management access only to clients connected to ports within port-based VLAN 10.
  • Page 72 Disabling SNMP Access SNMP is enabled by default on all Foundry devices. SNMP is required if you want to manage a Foundry device using IronView. To disable SNMP, use one of the following methods.
  • Page 73: Setting Passwords

    Suppressing Telnet Connection Rejection Messages By default, if a Foundry device denies Telnet management access to the device, the software sends a message to the denied Telnet client. You can optionally suppress the rejection message. When you enable the option, a denied Telnet client does not receive a message from the Foundry device.
  • Page 74: Setting Passwords For Recovering From A Lost

    Setting Passwords for Management Privilege Levels You can set one password for each of the following management privilege levels: • Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
  • Page 75 You can grant additional access to a privilege level on an individual command basis. To grant the additional access, you specify the privilege level you are enhancing, the CLI level that contains the command, and the individual command.
  • Page 76: Displaying The Snmp Community String

    BigIron(config)# no service password-encryption Syntax: [no] service password-encryption Setting Up Local User Accounts You can define up to 16 local user accounts on a Foundry device. User accounts regulate who can access the management functions in the CLI using the following methods: •...
  • Page 77: Configuring A Local User Account

    • Port Configuration level – Allows read-and-write access for specific ports but not for global (system-wide) parameters. • Read Only level – Allows access to the Privileged EXEC mode and CONFIG mode but only with read access.
  • Page 78: Establishing Snmp Community Strings

    • If any user accounts are already configured on the device, the account information is listed in a table. Select the Add User Account link to display the following panel. Notice that the password display is encrypted.
  • Page 79: Encryption Of Snmp Community Strings

    NOTE: As an alternative to the SNMP community strings, you can secure Web management access using local user accounts or ACLs. See “Setting Up Local User Accounts” on page 3-12 or “Using an ACL to Restrict Web Management Access”...
  • Page 80: Displaying The Snmp Community Strings

    BigIron(config)# show snmp server Syntax: show snmp server See the Foundry Switch and Router Command Line Interface Reference for an example of the information displayed by the command. NOTE: If display of the strings is encrypted, the strings are not displayed. Encryption is enabled by default.
  • Page 81 Select the Community String link to display the SNMP Community String panel, as shown in the following example. This example shows the table listed for a system that is configured only with the default read-only community string “public”.
  • Page 82: Configuring Tacacs/Tacacs+ S

    TACACS+ server to determine which management privilege level (and which associated set of commands) an authenticated user is allowed to use. You can also optionally configure accounting, which causes the Foundry device to log information on the TACACS+ server when specified events occur on the device.
  • Page 83 TACACS Authentication When TACACS authentication takes place, the following events occur: A user attempts to gain access to the Foundry device by doing one of the following: • Logging into the device using Telnet, SSH, or the Web management interface •...
  • Page 84 A Telnet, SSH, or Web management interface user previously authenticated by a TACACS+ server enters a command on the Foundry device. The Foundry device looks at its configuration to see if the command is at a privilege level that requires TACACS+ command authorization.
  • Page 85 User Action Applicable AAA Operations User logs in using Telnet/SSH Login authentication: aaa authentication login default <method-list> Exec authorization (TACACS+): aaa authorization exec default tacacs+ Exec accounting start (TACACS+): aaa accounting exec default <method-list> System accounting start (TACACS+): aaa accounting system default start-stop <method-list>...
  • Page 86: Tacacs/Tacacs+ C

    Optionally configure TACACS+ accounting. See “Configuring TACACS+ Accounting” on page 3-27. Identifying the TACACS/TACACS+ Servers To use TACACS/TACACS+ servers to authenticate access to a Foundry device, you must identify the servers to the Foundry device. For example, to identify three TACACS/TACACS+ servers, enter commands such as the following: BigIron(config)# tacacs-server host 207.94.6.161...
  • Page 87 NOTE: The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the Foundry device. To specify a TACACS+ server key: BigIron(config)# tacacs-server key rkwong Syntax: tacacs-server key <key-string>...
  • Page 88: Configuring Authentication

    Syntax: tacacs-server dead-time <number> Setting the Timeout Parameter The timeout parameter specifies how many seconds the Foundry device waits for a response from the TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 –...
  • Page 89 When frames are enabled on the Web management interface, the browser sends an HTTP request for each frame. The Foundry device authenticates each HTTP request from the browser. To limit authentications to one per page, disable frames on the Web management interface.
  • Page 90 During TACACS+ exec authorization, the TACACS+ server sends the Foundry device a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When it receives the response, the Foundry device extracts the first A-V pair configured for the Exec service and uses it to determine the user’s privilege level.
  • Page 91: Configuring Ani

    To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out: BigIron(config)# aaa accounting exec default start-stop tacacs+...
  • Page 92 The software contains separate CLI commands for specifying the source interface for Telnet, TACACS/TACACS+, and RADIUS packets. You can configure a source interface for one or more of these types of packets.
  • Page 93 NOTE: The key parameter applies only to TACACS+ servers, not to TACACS servers. If you are configuring for TACACS authentication, do not configure a key on the TACACS server and do not enter a key on the Foundry device. 10. Click Apply if you changed any TACACS/TACACS+ parameters.
  • Page 94 12. Enter the server’s IP address in the IP Address field. 13. If needed, change the Authentication port and Accounting port. (The default values work in most networks.) 14. Click Home to return to the System configuration panel, then select the Save link at the bottom of the dialog.
  • Page 95 you want to use multiple authentication methods, make sure you enter the primary authentication method first, the secondary authentication method second, and so on. If you need to delete an entry, select the access type and authentication method for the entry, then click Delete.
  • Page 96 27. To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out, select Exec from the Type field’s pulldown menu.
  • Page 97: Configuring Radius Security

    RADIUS server to determine whether a user can execute a command he or she has entered, as well as accounting, which causes the Foundry device to log information on a RADIUS accounting server when specified events occur on the device.
  • Page 98 When RADIUS authorization takes place, the following events occur: A user previously authenticated by a RADIUS server enters a command on the Foundry device. The Foundry device looks at its configuration to see if the command is at a privilege level that requires RADIUS command authorization.
  • Page 99 User Action Applicable AAA Operations User logs in using Telnet/SSH Login authentication: aaa authentication login default <method-list> EXEC accounting Start: aaa accounting exec default start-stop <method-list> System accounting Start: aaa accounting system default start-stop <method-list> User logs into the Web management Web authentication: interface...
  • Page 100: Configuring Foundry -S

    Whether the user is allowed or denied usage of the commands in the list. You must add these three Foundry vendor-specific attributes to your RADIUS server’s configuration, and configure the attributes in the individual or group profiles of the users that will access the Foundry device.
  • Page 101 Identifying the RADIUS Server to the Foundry Device To use a RADIUS server to authenticate access to a Foundry device, you must identify the server to the Foundry device. For example: BigIron(config)# radius-server host 209.157.22.99...
  • Page 102: Tring

    The key parameter in the radius-server command is used to encrypt RADIUS packets before they are sent over the network. The value for the key parameter on the Foundry device should match the one configured on the RADIUS server. The key can be from 1 – 32 characters in length.
  • Page 103 When frames are enabled on the Web management interface, the browser sends an HTTP request for each frame. The Foundry device authenticates each HTTP request from the browser. To limit authentications to one per page, disable frames on the Web management interface.
  • Page 104: Configuring Radius Authorization

    Syntax: aaa authorization commands <privilege-level> default radius | tacacs+ | none The <privilege-level> parameter can be one of the following: • 0 – Authorization is performed (that is, the Foundry device looks at the command list) for commands available at the Super User level (all commands) •...
  • Page 105 If your RADIUS server is configured to accept packets only from specific links or IP addresses, you can use this feature to simplify configuration of the RADIUS server by configuring the Foundry device to always send the RADIUS packets from the same link or source address.
  • Page 106: Displaying Radius Configuration Information

    The commands in this example configure virtual interface 1, assign IP address 10.0.0.3/24 to the interface, then designate the interface as the source for all RADIUS packets from the Layer 3 Switch.
  • Page 107 Table 3.6: Output of the show aaa command for RADIUS Field Description connection The current connection status. This can be “no connection” or “connection active”. The show web command displays the privilege level of Web management interface users. For example: ServerIron(config)#show web User Privilege...
  • Page 108 12. Enter the server’s IP address in the IP Address field. 13. If needed, change the Authentication port and Accounting port. (The default values work in most networks.) 14. Click Home to return to the System configuration panel, then select the Save link at the bottom of the dialog.
  • Page 109 17. Select the type of access for which you are defining the authentication method list from the Type field’s pulldown menu. Each type of access must have a separate authentication-method list. For example, to define the authentication-method list for logging into the CLI, select Login. 18.
  • Page 110 27. To send an Accounting Start packet to the RADIUS accounting server when an authenticated user establishes a Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out, select Exec from the Type field’s pulldown menu.
  • Page 111 • 5 – Records commands available at the Read Only level (read-only commands) 29. To configure RADIUS accounting to record when system events occur on the Foundry device, select System from the Type field’s pulldown menu. 30. Click on the radio button next to Radius.
  • Page 112 NOTE: If an authentication method is working properly and the password (and user name, if applicable) is not known to that method, this is not an error. The authentication attempt stops, and the user is denied access.
  • Page 113: Radius

    This command configures the device to use the local user accounts to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI. Example 2: To configure the device to consult a RADIUS server first to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI, then consult the local user accounts if the RADIUS server is unavailable, enter the following command: BigIron(config)# aaa authentication enable default radius local...
  • Page 114 Select the Authentication Methods link to display the Login Authentication Sequence panel, as shown in the following example. Select the type of access for which you are defining the authentication method list from the Type field’s pulldown menu.
  • Page 115: Configuring Secure Shell

    Configuring Secure Shell Secure Shell (SSH) is a mechanism for allowing secure remote access to management functions on a Foundry device. SSH provides a function similar to Telnet. Users can log into and configure the device using a publicly or commercially available SSH client program, just as they can with Telnet.
  • Page 116 Providing the Public Key to Clients If you are using SSH to connect to a Foundry device from a UNIX system, you may need to add the Foundry device’s public key to a “known hosts” file; for example, $HOME/.ssh/known_hosts. The following is an example of an entry in a known hosts file: 10.10.20.10 1024 37 1187718818626770304648512887372580468560316406358876792301...
  • Page 117 The client sends the decrypted bytes back to the Foundry device. The Foundry device compares the decrypted bytes to the original bytes it sent to the client. If the two sets of bytes match, it means that the client’s private key corresponds to an authorized public key, and the client is authenticated.
  • Page 118 BigIron(config)# ip ssh pub-key-file slot1 pkeys.txt Syntax: ip ssh pub-key-file slot1 | slot2 <filename> To cause a public key file called pkeys.txt to be loaded from a TFTP server each time the Foundry device is booted, enter a command such as the following: BigIron(config)# ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt...
  • Page 119: Setting Optional Parameters

    A specific interface to be used as the source for all SSH traffic from the device Setting the Number of SSH Authentication Retries By default, the Foundry device attempts to negotiate a connection with the connecting host three times. The number of authentication retries can be changed to between 1 – 5.
  • Page 120: Deactivating User Authentication

    Deactivating User Authentication After the SSH server on the Foundry device negotiates a session key and encryption method with the connecting client, user authentication takes place. Foundry’s implementation of SSH supports RSA challenge-response authentication and password authentication.
  • Page 121: Designating An Interface As The Source For All Ssh Packets

    BigIron(config-if-1/4)# ip address 209.157.22.110/24 BigIron(config-if-1/4)# exit BigIron(config)# ip ssh source-interface ethernet 1/4 Viewing SSH Connection Information Up to five SSH connections can be active on the Foundry device. To display information about SSH connections, enter the following command: BigIron#show ip ssh Connection...
  • Page 122 Table 4.1: SSH Connection Information (Continued) This Field... Displays... State The connection state. This can be one of the following: 0x00 Server started to send version number to client. 0x01 Server sent version number to client.
  • Page 123: Using Secure Copy

    The ip ssh pub-key-file tftp command causes a public key file called pkeys.txt to be loaded from a TFTP server at 192.168.1.234. To gain access to the Foundry device using SSH, a user must have a private key that corresponds to one of the public keys in this file.
  • Page 124 NOTE: When using SCP, you enter the scp commands on the SCP-enabled client, rather than the console on the Foundry device. NOTE: Certain SCP client options, including -p and -r, are ignored by the SCP server on the Foundry device. If an option is ignored, the client is notified.
  • Page 125 Chapter 5 Using Redundant Management Modules This chapter describes the redundant management modules and how to configure and manage them. Redundant management modules provide increased routing capacity and failover for BigIron, NetIron, and FastIron II Chassis devices. See the following sections for information: •...
  • Page 126: Configuration Considerations

    Configuration Considerations • You can use one or two redundant management modules in a Chassis device. • You cannot use older management modules in the same Chassis device with redundant management modules.
  • Page 127 When a switchover occurs, the software sends a Syslog message to the local Syslog buffer and also to the SyslogD server, if you have configured the Foundry device to use one. In addition, if you have configured an SNMP trap receiver, the software sends an SNMP trap to the receiver.
  • Page 128 For example, if you place one management module in slot 5, Foundry recommends that you place the other management module in slot 6, 7, or 8. This note does not apply to 4-slot or 8-slot chassis.
  • Page 129 If you are using redundant management modules, Foundry recommends that you place both management modules in slots belonging to the same region. For example, if you place one management module in slot 5, Foundry recommends that you place the other management module in slot 6, 7, or 8.
  • Page 130 Click the Add button to save the change to the device’s running-config file. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 131 USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed. Select the Redundant link to display the following panel. Select slot number for the active redundant management module from the Active Management Slot pulldown menu.
  • Page 132 If you are installing a redundant management module in an unoccupied module slot, remove the blank faceplate from the slot in which the module is to be installed. Place the blank faceplate in a safe place for future use.
  • Page 133 port. If the upper green LED is lit, the module is currently the active redundant management module. If the LED is dark, the module is the standby. The lower green LED indicates the power status. If the lower LED is dark, the module is not receiving power.
  • Page 134 The Status column shows the module status. The redundant management modules can have one of the following statuses: • ACTIVE – The module is currently the active management module. • STANDBY – The module is the standby management module.
  • Page 135 Management module at slot 1 state changed, changed state from standby to active USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed.
  • Page 136 Automatically synchronized at startup or switchover; Automatically synchronized at regular, user-configurable intervals; Not automatically synchronized but can be configured to synchronize at startup or switchover. Startup-config also Also can be immediately synchronized...
  • Page 137 Sync boot image: FALSE Running-config sync interval is 10 seconds NOTE: The values shown in this example are the default values. Syntax: sync-standby NOTE: The sync-standby command has optional parameters. If you enter one of the parameters, the CLI synchronizes software between the modules.
  • Page 138 BigIron# sync-standby boot Syntax: sync-standby boot To immediately synchronize the flash code (system software) on the standby module with the boot code on the active module, enter the following command at the Privileged EXEC level of the CLI:...
  • Page 139 USING THE CLI The CLI commands for automating synchronization of software between the active and standby modules are the same as the commands for immediately synchronizing the software. The only difference is the CLI level where you enter the commands.
  • Page 140 NOTE: Do not click the Synchronize Boot Flash Now button unless you want the active module to immediately copy its boot flash image to the standby module. Click the Apply button to send the configuration change to the active module’s running-config file.
  • Page 141 Select the Switch-over Active Module link. A message appears asking you to verify that you want to switch over from the active module to the standby. Select Yes to switch over or No to cancel the switchover request. PCMCIA Flash Card File Management Commands This section describes the commands for managing files on the Management IV module’s PCMCIA flash card.
  • Page 142 PCMCIA Slots The Management IV module has two PCMCIA slots, numbered 1 and 2. • In a 4-slot chassis, slot 1 is on top and slot 2 is on the bottom. •...
  • Page 143 These commands create two levels of subdirectories on the flash card in PCMCIA slot 1, then copy a flash image file named “B2R07100.bin” from a TFTP server into the new 07100 subdirectory. Since the file name for the copy destination is not specified, the software uses the same name for the copy (B2R07100.bin).
  • Page 144: Formatting A Flash Card

    • B2P07000.bin • B2P*.bin • B2P*.* Formatting a Flash Card The flash cards shipped with Management IV modules are already formatted for the 16 FAT file system used by the modules. If you want to use a flash card that is not formatted for the 16 FAT file system, you need to reformat the flash card before you can store files on the card.
  • Page 145: Switching The Management Focus

    USING THE CLI To display which flash card slot and subdirectory path currently have the management focus, enter the following command: BigIron# pwd slot1 \ In this example, the management focus is at the root directory of the flash card in slot 1. Syntax: pwd In the following example, the management focus is at a subdirectory called “TEST”...
  • Page 146 The time of day at which the file was placed on the flash module, if the Foundry device’s system clock is set. If the clock is not set, the field shows 00:00a (12 AM), as shown in the example above.
  • Page 147: Displaying The Contents Of A File

    01/01/2000 00:00a 2157693 M4R.BIN 01/01/2000 00:00a 1027230 M5.BIN 01/01/2000 00:00a 1029838 M4S.BIN 01/01/2000 00:00a 687026 P3R.BIN 01/01/2000 00:00a 1029838 MM.BIN 6 File(s) 6617560 bytes 74180608 bytes free The command in this example lists all the image files on the flash card in the slot that has the management focus. (More specifically, the command lists all the files that end with “.bin”.) Displaying the Contents of a File Use the following method to display the data in a file on a flash card.
  • Page 148: Creating A Subdirectory

    000000d0: 7420330a 69702061 64647265 73732031 t 3 ip address 1 000000e0: 39322e31 36382e32 2e353820 3235352e 92.168.2.58 255. 000000f0: 3235352e 3235352e 300a656e 255.255.0 end Syntax: hd [slot1 | slot2] <file-name> Each row of hexadecimal output contains the following parts: •...
  • Page 149: Removing A Subdirectory

    You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: “a long subdirectory name”.
  • Page 150 To change all files on a flash card to read-only, enter a command such as the following: BigIron# attrib ro *.* This command changes the read-write attribute for all files on the flash card that currently has the management focus to read-only.
  • Page 151: Appending A File To Another File

    Appending a File to Another File You can append a file on a PCMCIA flash card to the end of another file. To append one file to another one, enter a command such as the following: BigIron# append newacls.cfg startup-config.cfg This command appends a file called “newacls.cfg”...
  • Page 152 Copying Files Between a Flash Card and a TFTP Server Use the following methods to copy files between a flash card and a TFTP server. NOTE: The Foundry device must have network access to the TFTP server. USING THE CLI To copy a file from a flash card to a TFTP server, enter a command such as the following: BigIron# copy slot1 tftp 192.168.1.17 notes.txt...
  • Page 153 To copy a file from a TFTP server to a flash card, enter a command such as the following: BigIron# copy tftp slot1 192.168.1.17 notes.txt Downloading from tftp server ... Tftp 254 bytes done, copy to slot1 ... Write to slot1 cfg.cfg succeeded Syntax: copy tftp slot1 | slot2 <ip-addr>...
  • Page 154 ACLs offline in a text file on a PC, then save the file to the flash card. To load the ACLs, you can insert the flash card in the Foundry device, then copy the file to the device’s running configuration.
  • Page 155 The command in this example reboots the device using the image file B2R07100.bin located on the PCMCIA flash card in slot 1. This example assumes the image file is in the root directory on the flash card. If the image file is in a subdirectory, specify the subdirectory path.
  • Page 156: File Management Messages

    NOTE: In this example, after you save the configuration changes using the write memory command, the router1.cfg file will include the command that designates PCMCIA slot 1 as the save location for configuration changes.
  • Page 157: Displaying The Temperature

    Table 5.3: Flash Card File Management Messages (Continued) This Message... Means... File recovered successfully and A file you tried to recover was successfully recovered under the name named <file-name> indicated in the message Temperature Sensor The redundant management module contains a temperature sensor. Depending on the temperature reported by the sensor, the software can send a warning if the temperature exceeds the normal threshold and can even shut the module down if the temperature exceeds the safe threshold.
  • Page 158: Displaying Temperature Messages

    USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed. Click on the plus sign next to Monitor in the tree view to display the monitoring options.
  • Page 159 Static Log Buffer: Dynamic Log Buffer (50 entries): at 0 days 0 hours 2 minutes 0 seconds, level alert Temperature 48.0 C degrees, warning level 45.0 C degrees, shutdown level 55.0 C degrees at 0 days 0 hours 1 minutes 0 seconds, level alert Temperature 50.0 C degrees, warning level 45.0 C degrees, shutdown level 55.0 C degrees USING THE WEB MANAGEMENT INTERFACE...
  • Page 160 Edit the value in the Temperature Warning Threshold field to change the warning temperature. Edit the value in the Temperature Shutdown Threshold field to change the shutdown temperature. Click the Apply button to send the configuration change to the active module’s running-config file.
  • Page 161 Edit the value in the Chassis Poll Interval field to change the polling interval. You can enter a value from 0 – 65535. The default is 60 seconds. Click the Apply button to send the configuration change to the active module’s running-config file. If you want the change to remain in effect following the next system reload, select the Save link to save the configuration change to the active redundant management module's startup-config file.
  • Page 163 Chapter 6 Using Packet Over SONET (POS) Modules This chapter describes the Foundry POS (Packet Over SONET) modules and how to configure and manage them. SONET (Synchronous Optical Network) is based on a worldwide standard for fiber optic transmission, modified for North American asynchronous rates.
  • Page 164 Installing a POS Module To install a POS module, perform the following tasks: • Configure the chassis slot to receive the module. NOTE: The system must be running software release 05.3.00 or later.
  • Page 165: Upgrading The Boot Code

    Upgrading POS Software from a TFTP Server The POS modules contain their own flash memory from which they can boot. To upgrade the boot code or flash code (system software) on a POS module, copy the upgrade onto a TFTP server to which the Layer 3 Switch has access, then download the code from the TFTP server to the POS modules in the chassis.
  • Page 166 Changing the Boot Source To change the boot source for the POS module, use either of the following methods. USING THE CLI To change the boot source from the POS module’s primary flash to its secondary flash, enter the following...
  • Page 167: Adding An Ip Address

    The size can be from 60 – 4470 bytes. The default is 4470 bytes. • Frame type – You can configure a Foundry POS interface to transmit and receive SDH (Synchronous Digital Hierarchy) frames or SONET (Synchronous Optical Network) frames. The default is SONET.
  • Page 168: Changing The Encapsulation Type

    Changing the Clock Source Foundry POS interfaces use the network as the clock source by default. You can change the clock source for an interface to internal, which causes the interface to use clock information from the POS module itself as the clocking source.
  • Page 169: Changing The Mtu

    The internal and line parameters specify whether the clock source is on the POS module (internal) or on the network (line). Changing the Loopback Path Foundry POS interfaces can use the following loopback configurations for self tests: • Internal – Packets that the router transmits on the interface are looped back to the interface’s POS framer.
  • Page 170 Disabling or Reenabling Keepalive Messages You can disable or reenable a POS interface to send keepalive messages to the POS interface at the other end of the link. Keepalive messages are enabled by default.
  • Page 171 The <value(Hex)> parameter specifies the value you are assigning to the flag. The flag values are hexadecimal numbers. Changing the Frame Type Foundry POS interfaces support the following frame types: • SDH (Synchronous Digital Hierarchy) – An international standard for optical digital transmission at rates from 155 Mbps (used for STM-1) to 2.5 Gbps (used for STM-16) and higher.
  • Page 172 Syntax: pos scramble-atm Configuring POS for Frame Relay You can configure a Foundry POS interface for Frame Relay. To configure the interface: • Set the encapsulation type to Frame Relay and specify the Frame Relay type. You can specify IETF (RFC 1490) or use the default, Cisco-compatible.
  • Page 173: Verifying The Configuration

    Specifying the LMI Type Foundry POS Frame Relay links use the Cisco-compatible LMI type by default. To specify a different LMI type, enter a command such as the following: BigIron(config-posif-2/1)# frame-relay lmi-type ansi Syntax: [no] frame-relay lmi-type ansi | ccitt | lmi The default is lmi.
  • Page 174 Figure 6.2 shows an example of a Layer 2 switching configuration using Layer 2 POS. Figure labels: Each client and its server on the other Foundry device are in the same sub-net. Each client and its server are in their...
  • Page 175 Figure 6.3 shows the network in Figure 6.2 from the perspective of client C1 and server SI. The devices appear to one another to be on the same Ethernet LAN segment. Conceptually, the devices are connected by a Layer 2 switch or bridge.
  • Page 176 Link Redundancy and Load Balancing The configuration in Figure 6.2 on page 6-12 uses a single POS link between the two remote devices. However, you can provide link redundancy using either of the following methods: •...
  • Page 177 Figure labels: Each client and its server on the other Foundry device are in the same sub-net. To provide load balancing in addition to redundancy, configure the STP path cost of the POS ports to different values on different VLANs. Traffic between each client and its server...
  • Page 178: Configuration Procedures

    You can use STP with trunk group links. STP regards a trunk group as a single link and thus either forwards or blocks traffic on all the ports within the trunk group. Configuration Procedures To configure a Foundry device for POS Layer 2 switching: • Change POS interface parameters, if you need to change a parameter from its default value.
  • Page 179: Configuring Stp Parameters

    NOTE: By default, POS ports are not members of the device’s default VLAN (VLAN 1) or of any other VLAN. NOTE: A POS port cannot be added as an untagged port to any VLAN. A single POS link can multiplex and demultiplex traffic from different clients while keeping each client's traffic within the client's own Layer 2 broadcast domain (port-based VLAN).
  • Page 180 Table 6.1: Default STP Port Path Costs Port Type Default Path Cost 10 Mbps 100 Mbps Gigabit OC-3c OC-12c OC-48c You can set a port’s STP path cost to a value from 0 – 65535. If you want to bias STP’s selection to favor one POS port over another of the same speed, use the following CLI method.
  • Page 181 USING THE CLI To enable STP on a POS port, enter commands such as the following: BigIron(config)# interface pos 2/1 BigIron(config-if-2/1)# spanning-tree These commands change the CLI to the configuration level for the POS port, then enable STP on the VLAN. Syntax: [no] spanning-tree Enabling or Disabling Fast Uplink Span on the Port To enable Fast Uplink on a pair of POS ports, use the following CLI method.
  • Page 182 USING THE CLI To configure two POS ports on a single POS module into a trunk group, enter a command such as the following: BigIron(config)# trunk pos 1/1 to 1/2 This command configures the ports on a POS module in slot 1 into a trunk group. Port 1/1 is the primary port. To make configuration changes to the trunk group, make the changes on the primary port.
  • Page 183 To display the software version running on the POS module, enter the following command at any CLI level: BigIron> show version SW: Version 07.1.05T1 Copyright (c) 1996-1999 Foundry Networks, Inc. Compiled on Sep 29 2000 at 17:10:51 labeled as B2R07105 (1357024 bytes) from Primary b2r07105.car...
  • Page 184 Displaying General Module Information To display general module information, use the following method. USING THE CLI To display general information for the POS module, enter the following command at any CLI level:...
  • Page 185 Using Packet Over SONET (POS) Modules Software You can display status information for a POS module using either of the following methods. NOTE: • Slots on a 4-slot chassis are numbered 1 – 4, from top to bottom. • Slots on an 8-slot chassis are numbered 1 – 4, from top to bottom. •...
  • Page 186 Foundry Switch and Router Installation and Configuration Guide The command shows the following information for POS ports. Table 6.3: CLI Display of POS Interface Information This Field... Displays... Port The chassis slot and port number of the interface. Link State The state of the link, which can be one of the following: •...
  • Page 187 Using Packet Over SONET (POS) Modules Table 6.3: CLI Display of POS Interface Information (Continued) This Field... Displays... Frame The frame type used on the interface. The frame type can be one of the following: • sdh – Synchronous Digital Hierarchy. •...
  • Page 188 Foundry Switch and Router Installation and Configuration Guide BigIron(config)# show interface pos 2/1 POS2/1 is up No port name Hardware is Packet over Sonet MTU 4470 bytes, encapsulation PPP, clock is internal Framing is SONET, BW 622000Kbit, CRC 32 Loopback not set, keepalive is set (10 sec), scramble disabled...
  • Page 189 Configuring Automatic Protection Switching (APS) The Automatic Protection Switching (APS) feature provides redundancy for a POS link. Foundry’s implementation of POS APS supports 1 + 1 protection architecture, where a working interface is paired with a protect or backup interface.
  • Page 190 The following commands configure the working interface on BigIronA: NOTE: Foundry Networks recommends that you configure the working interface prior to configuring the protect interface, so that the protect interface does not inadvertently become the working interface.
    BigIronA(config)# interface loopback 1
    BigIronA(config-lbif-1)# ip address 10.0.0.1/24...
  • Page 191 Using Packet Over SONET (POS) Modules [Figure 6.8: Configuration with multiple POS APS interfaces. Labels: BigIronA, working interface POS 2/1 (APS group 50) and protect interface POS 2/2 (APS group 60); SONET ADM; BigIronB, protect interface POS 3/1 (APS group 50) and working interface POS 3/2 (APS group 60).] In this configuration, interface 3/1 on BigIronB serves as the protect interface to working interface 2/1 on BigIronA,...
  • Page 192 Foundry Switch and Router Installation and Configuration Guide Single-Device APS Configuration The working and protect interfaces can reside on the same device. Figure 6.9 illustrates this kind of configuration. [Figure labels: working interface POS 2/1, protect interface POS 3/1, BigIron, SONET ADM] Figure 6.9...
  • Page 193 Using Packet Over SONET (POS) Modules interface. This communication takes place on a channel independent of the working and protect interfaces themselves. You can specify an authentication string that must be part of each packet sent between the process controlling the working interface and the process controlling the protect interface.
  • Page 194 Foundry Switch and Router Installation and Configuration Guide
    BigIron(config)# interface pos 2/1
    BigIron(config-posif-2/1)# aps working 1
    BigIron(config-posif-2/1)# aps manual 1
    BigIron(config-posif-2/1)# exit
    Syntax: aps manual <circuit-number>
    The <circuit-number> is a valid POS APS circuit number. In addition, you can specify 0 as the <circuit-number>...
  • Page 195 In this example, the output indicates that POS interface 2/1 is the working interface for channel 1 in APS group 1, and the interface is active. If there is a tilde next to Selected (for example, ~Selected) it means the interface is not active. Foundry POS Interface Specifications Table 6.5: POS Specifications Transceiver...
  • Page 197 Foundry device. You cannot “put” a file onto the Foundry device using the interface of your TFTP server. NOTE: The Foundry TFTP client supports 8.3 file names. If you try to copy a file with more than eight characters and up to three characters in the extension, the interface reports that the file was not found on the TFTP server.
  • Page 198 Foundry Switch and Router Installation and Configuration Guide Upgrading the Boot Code To upgrade the boot code on a management module, use the same methods as for any other management module. USING THE CLI To upgrade MP boot code from a TFTP server, enter a command such as the following: BigIron# copy tftp flash 192.168.1.170 M2B07108.bin boot...
  • Page 199: Changing The Block Size For Tftp File Transfers

    Changing the Block Size for TFTP File Transfers When you use TFTP to copy a file to or from a Foundry device, the device transfers the data in blocks of 8192 bytes by default. You can change the block size to one of the following if needed: •...
  • Page 200 You can use boot commands to immediately initiate software boots from a software image stored in primary or secondary flash on a Foundry Layer 3 Switch or from a BootP or TFTP server. You can test new versions of code on a Layer 3 Switch or choose the preferred boot source from the console boot prompt without requiring a system reset.
  • Page 201: Loading And Saving Configuration Files

    TFTP Transfers” on page 7-9 is displayed. Loading and Saving Configuration Files For easy configuration management, all Foundry switches and Layer 3 Switches support both the download and upload of configuration files between the switch or router and a TFTP server on the network.
  • Page 202: Replacing The Startup Configuration With The Running Configuration

    Logging Changes to the Startup-Config File You can configure a Foundry device to generate a Syslog message when the startup-config file is changed. The trap is enabled by default. The following Syslog message is generated when the startup-config file is changed:...
  • Page 203: Copying A Configuration File To Or From A Tftp Server

    Enter the configuration file name in the Configuration File Name field. NOTE: The TFTP client on the Foundry device supports only 8.3 format file names (up to eight characters in the name plus up to three characters in the extension). Make sure that if you rename the file on your TFTP server, you give the file a name that conforms to these rules.
  • Page 204 To determine the size of a Foundry device’s running-config or startup-config file, copy it to a TFTP server, then use the directory services on the server to list the size of the copied file. To copy the running-config or startup-config file to a TFTP server, use one of the following commands.
  • Page 205: Diagnostic Error Codes And Remedies For Tftp Transfers

    Updating Software Images and Configuration Files Diagnostic Error Codes and Remedies for TFTP Transfers If an error occurs with a TFTP transfer to or from a Foundry switch or Layer 3 Switch, one of the following error codes is displayed.
  • Page 206: Scheduling A System Reload

    • write memory saves the running configuration file into the startup configuration file. NOTE: All of these commands are at the privileged level of the CLI. See the Foundry Switch and Router Command Line Interface Reference. USING THE WEB MANAGEMENT INTERFACE You cannot delete image or configuration files using the Web management interface.
  • Page 207: Canceling A Scheduled Reload

    Updating Software Images and Configuration Files
    BigIron# reload after 01:12:00 secondary
    Syntax: reload after <dd:hh:mm> [primary | secondary]
    <dd:hh:mm> is the number of days, hours, and minutes. primary | secondary specifies whether the reload is to occur from the primary code flash module or the secondary code flash module.
  • Page 209: Software Overview

    For an overview of the Stackable and Chassis hardware, see “Hardware Overview” on page 9-1. Software Feature Summary This section lists the flash image files (system software) that Foundry devices can run and the features that are supported in each type of flash image. Foundry products run one of three types of flash images: •...
  • Page 210 The flash image (system software) that is running on a device determines the software features that are supported by that device. Table 8.1 on page 8-2 lists the flash images that can be used on each Foundry device. Table 8.1: Foundry Flash Software Images...
  • Page 211 TurboIron (but only if upgraded to a Layer 3 Switch) • NetIron • Switch – Layer 2 Switch. A device capable of performing Layer 2 switching. The following Foundry devices are or can be configured as switches: • BigIron Layer 2 Switch •...
  • Page 212 Foundry Switch and Router Installation and Configuration Guide Some features require specific hardware configurations. See the chapters describing those features or contact Foundry Networks or your reseller for information. Table 8.2: Foundry Software Features Feature Supported on... See page... Router...
  • Page 213 Software Overview Table 8.2: Foundry Software Features (Continued) Feature Supported on... See page... Router Switch SrvrIrn Queue assignment by traffic type 8-15 Layer 2 Switching Features MAC switching 8-15 Static MAC entries 8-15 Standard Spanning Tree Protocol 8-16 IronSpan STP enhancements...
  • Page 214 FastIron Backbone switch and TurboIron Backbone switch. b.A ServerIron feature available as an optional upgrade for Layer 2 Switches. c.This feature can be used with Foundry ServerIron switches, third-party SLBs, and directly-connected web servers.
  • Page 215: Access And Management Features

    The following sections describe the access and management features listed in Table 8.1 on page 8-2. Secure Shell (SSH) Secure Shell (SSH) is a mechanism for allowing secure remote access to a Foundry device. SSH provides a function similar to Telnet. Users can log into and configure the device using a publicly or commercially available SSH client program, just as they can with Telnet.
  • Page 216: Management Interfaces

    To use the Web management interface, open a web browser and enter the IP address of the Foundry device in the Location or Address field. The web browser contacts the Foundry device and displays a login dialog, as shown in Figure 8.1.
  • Page 217 IronView Foundry Networks also offers IronView — an SNMP application for those who prefer a graphical user interface. IronView provides the same management and display features as the web management interface. However, IronView provides the performance and ease of use of a Windows-based Graphical User Interface (GUI). In addition, IronView enables you to simultaneously monitor multiple Foundry switches and routers within the network.
  • Page 218: Multiple Levels Of Access Control

    Local Access Control You can configure up to 16 user names and passwords to control access to a Foundry Layer 2 Switch or Layer 3 Switch. The passwords and user names can be used for accessing devices using the CLI, the Web management interface, and IronView.
  • Page 219: Dynamic Configuration

    Soft Reboot When you upgrade the software image on a Foundry switch or router, you do not need to power down the system to use the new software. You can boot the new software immediately from the primary flash, secondary flash, a TFTP server, or a BootP server.
  • Page 220: Simple Network Time Protocol (Sntp)

    IP addresses of up to four DNS servers that have authority for the domain. For example, if you define the domain “newyork.com” on a Foundry device, you can initiate a ping to a host on that domain by specifying only the host name in the command. You do not need to specify the host’s entire domain name.
  • Page 221 “user”. You can change the facility if needed. You also can change the number of entries that can be stored in the local buffer. The default is 50. Foundry devices do not have a limit to the number of messages that can be logged on a remote SyslogD server.
  • Page 222: Port Mirroring

    Port Mirroring The mirror port feature lets you connect a protocol analyzer to a port on a Foundry device to observe the traffic flowing into and out of another port on the same device. To use this feature, you specify the port you want to monitor and the port into which you are plugging the protocol analyzer.
  • Page 223: Layer 2 Switching Features

    See “Configuring Basic Layer 2 Parameters” on page 10-33 for more information about configuring MAC switching parameters. NOTE: By default, all ports in a Foundry device belong to a common Layer 2 broadcast domain, VLAN 1. You can configure port-based VLANs (Virtual LANs) to create smaller broadcast domains that use subsets of the device’s ports.
  • Page 224: Trunk Groups

    Trunk Groups A trunk group is a set of ports that provide a high speed link between two Foundry devices or between a Foundry device and a server. A trunk group can provide a transfer rate of up to 4 Gbps of bi-directional traffic.
  • Page 225: Vlan Tagging

    Port-Based Virtual LANs (VLANs) By default, all ports in a Foundry device belong to a common Layer 2 broadcast domain. When the device sends a Layer 2 broadcast packet, the packet goes out all active ports. A port-based VLAN (Virtual LAN) is a subset of ports on a Foundry device that constitutes a Layer 2 broadcast domain.
  • Page 226: Layer 3 Switching Features

    DHCP Assist ensures that a DHCP server that manages multiple IP sub-nets can readily recognize the requester’s IP sub-net, even when that server is not on the client’s local LAN segment. The Foundry Layer 2 Switch does this by stamping the correct gateway IP address into a DHCP discovery packet on behalf of the router.
  • Page 227 In this example, the Foundry Layer 2 Switch forwards the first IP packet it receives for IP address 209.157.2.1 to the attached router. This is shown by the solid arrow pointing from the Foundry Layer 2 Switch to the router. The router alters the packet for forwarding (updates the destination address and decrements the Time-to-Live) and sends the packet back to the Foundry Layer 2 Switch for forwarding.
  • Page 228: Layer 3 Routing Features

    IP and IPX Router Acceleration Policies When IP or IPX router acceleration is enabled on a Foundry Layer 2 Switch, it makes entries in its CAM and directly forwards IP or IPX traffic by default. If you want to control the addresses for which the Layer 2 Switch provides Layer 3 router acceleration, you can define route service filters.
  • Page 229: Multi-Port Subnets (Integrated Switch-Routing)

    Multi-Port Subnets (Integrated Switch-Routing) Integrated Switch Routing (ISR) allows a Foundry router to assign and support VLANs on its interfaces as would a Layer 2 Switch. In addition, this feature provides routing between its VLANs. This combined logical switch and router operation within a single device is what defines a router as an Integrated Switch-Router, as shown in Figure 8.4.
  • Page 230 RIP is a distance-vector protocol. It uses a cost value associated with each route to express the preferability of that route. Generally, the cost is equivalent to the number of hops in the route, but Foundry devices allow you to bias the preferability of a route by changing its cost.
  • Page 231: Ipx Routing

    Up to four different IPX network numbers and frame encapsulation types can be defined for each IPX interface on a Foundry router. Therefore, you can define and receive traffic from four separate IPX networks on a single interface. Each of the networks must have a distinct network number and encapsulation type (Ethernet SNAP, Ethernet 802.2, Ethernet 802.3 and Ethernet II).
  • Page 232 • IP/BGP4 For example, a Foundry router running OSPF and RIP can pass a route learned through RIP to OSPF. The router associates a metric and other parameters with a route when the router redistributes the route to other protocols.
  • Page 233 For details on UDP helper and its configuration, see “Configuring UDP Broadcast and IP Helper Parameters” on page 15-70. NOTE: UDP Helper is supported only on Foundry routers. To configure a Foundry Layer 2 Switch or a ServerIron to help BootP/DHCP packets, use the DHCP Assist feature. See “Configuring DHCP Assist” on page 15-79.
  • Page 234: Firewall Load Balancing

    Router Support for Globally-Distributed SLB Foundry Layer 3 Switches contain a Layer 4 HTTP health check, which you can use to support globally- distributed SLB. Globally-distributed SLB allows the same web site (and same IP address) to reside on multiple servers, which usually are in geographically dispersed locations.
  • Page 235 Layer 4 Switch Redundancy Hot standby redundancy allows a Foundry ServerIron or Layer 2 Switch running TCS or SLB to serve as an automatic backup for another ServerIron or Layer 2 Switch running SLB or TCS. When switches are configured as backups, one switch serves as the primary or active switch, and the other serves as the secondary or standby switch.
  • Page 237: Hardware Overview

    D-1. • For a detailed summary and description of all the software features of the Foundry switches and routers, see “Software Overview” on page 8-1. Foundry Layer 2 Switches provide support for Layer 2 and Layer 3 switching within one platform. Foundry Layer 3 Switches provide both Layer 2 switching and Layer 3 routing in a single device.
  • Page 238 Foundry Switch and Router Installation and Configuration Guide Each system requires one management module. Management modules are available with 10/100 Mbps, 100 Mbps fiber ports or Gigabit Ethernet ports and provide a serial port for console access. Management modules also provide additional port density to the system. The management module can be installed within any slot of the BigIron or FastIron II.
  • Page 239 Hardware Overview BigIron Figure 9.3 BigIron 15000 Chassis For information about the modules you can install in the BigIron, see the following sections: • “NetIron and BigIron Redundant Management Modules” on page 9-6 • “BigIron Standard Management Modules” on page 9-9 •...
  • Page 240 The software features are the same as those supported on the BigIron Layer 3 Switch, IP-only, and switch images. For feature information, see the rest of this guide and the following documents: • Foundry Switch and Router Command Line Interface Reference – provides a list and syntax information for all the switch and router CLI commands. •...
  • Page 241 FastIron II Plus GC offers the industry's highest Gigabit Ethernet copper density with 64 ports. Foundry offers many configurations of the FastIron II products listed above with various combinations of 10/100, SX, LX, and GC ports to meet your networking needs. You can also order individual modules as needed for upgrades, replacements, or spares.
  • Page 242 Foundry Switch and Router Installation and Configuration Guide • 8-port Gigabit with 6SX/2LX management module (FI8GM-2LX) • 8-port Gigabit with 4SX/4LX management module (FI8GM-4LX) • 8-port Gigabit LX management module (FI8GM-8LX) • 8-port Gigabit Copper management module (FI8GCM) Chassis Modules •...
  • Page 243 M4RZG – Does not contain GBIC slots or other ports. • BXGMR – Contains eight slots for mini-GBICs. You can install any combination of the following GBIC types in the 4-port model. All the Foundry GBICs provide SC connectors. •...
  • Page 244 Foundry Switch and Router Installation and Configuration Guide Management III Modules • 8-port 1000BaseSX module (B8GMR3) • 8-port 1000BaseLX module (B8GMR3-8L) • 6-port 1000BaseSX plus 2-port 1000BaseLX module (B8GMR3-2L)
  • Page 245 Hardware Overview • 0-port module (BZMGR) NOTE: The above modules come standard with 128 MB but you can order them with 256 MB (part number BMR256). BigIron Standard Management Modules Standard management modules (sometimes called “Management I modules”) do not provide redundancy. •...
  • Page 246 Foundry Switch and Router Installation and Configuration Guide • 6-port Gigabit 4SX/2LX management module (B4GM-2LX) • 4-port Gigabit 4SX management module (B4GM) NetIron and BigIron Forwarding Modules • 24-port 10/100 module (B24E) •...
  • Page 247 BigIron Gigabit Ethernet interfaces are available in both multi-mode 1000BaseSX and single- mode 1000BaseLX. Foundry Networks also offers enhanced single-mode 1000BaseLH that supports distances of up to 70 kilometers, enabling you to deploy Gigabit Ethernet in metropolitan area networks (MANs).
  • Page 248 NOTE: The number of ports on the Long-Haul modules (LHA and LHB) depends on how many ports you order. Stackable Devices Foundry Networks provides Stackable Layer 2 and Layer 3 Switches in addition to Chassis devices. Foundry Networks offers three models of Stackable switches—the FastIron, ServerIron, and TurboIron; and two models of Stackable Layer 3 Switches—the NetIron and TurboIron.
  • Page 249: System Architecture

    Layer 2 Architecture When a packet arrives at a Foundry Layer 2 Switch, a search for the MAC destination address is initiated. If the MAC destination address is found, the packet’s priority is determined. The packet is then forwarded to the appropriate output port.
  • Page 250 Layer 3 Architecture When a packet arrives at either a Foundry backbone Layer 2 Switch or Layer 3 Switch, an address lookup is initiated. IP Version 4 Packets If the IP address is located, then the Stackable performs the following Layer 3 IP operations on the IP packet: •...
  • Page 251: Physical View

    Hardware Overview Physical View This section describes the external features of the Stackable and Chassis devices. [Figure labels: BigIron 4000; 1000BaseSX, 1000BaseLX, and 1000BaseLH ports; 10BaseT/100BaseTX ports; power LEDs; port LEDs; serial port; reset button]...
  • Page 252 Foundry Switch and Router Installation and Configuration Guide [Figure 9.13: Rear panel of a Foundry Stackable switch or router. Labels: redundant AC power connector, AC power connector, fans.] NOTE: The rear panel of a Chassis device does not provide network or power connections and therefore is not shown.
  • Page 253: Ac Power Connector

    The 4-slot Chassis devices come with four fans. The 8-slot and 15-slot Chassis devices come with six fans. LEDs Each Foundry device is equipped with LEDs that denote port and power supply status. The tables below reflect the different port and expansion module port states.
  • Page 254 Foundry Switch and Router Installation and Configuration Guide Table 9.2: Port LED indicators for earlier Stackable 10BaseT/100BaseTX systems Position State Meaning Full-duplex connection found or configured. Half-duplex connection or no port connection exists. Link/Activity Bottom Connection established, no activity. No connection established.
  • Page 255 The 1000BaseT Gigabit Copper (GC) ports are fully compliant with the IEEE 802.3ab standard and can provide Gigabit throughput over standard category-5 (“Cat-5”) copper wiring. The port connectors are RJ-45s, the same as the connectors on Foundry’s 10/100 modules. Thus, you can immediately deploy the GC ports without recabling.
  • Page 256: Ac Power Supply

    Standard and Redundant Power Options Redundant power is an option for all Foundry devices. Each power supply can be connected to a separate AC power source for additional power redundancy. When power supplies are added to a system, the power supplies load balance and the draw on the individual power supplies is reduced.
  • Page 257: Dc Power Supply

    Hardware Overview NOTE: When you power on a device that requires multiple power supplies, make sure you apply power to all the supplies (or at least the minimum number of supplies required for your configuration) at the same time. Otherwise, the device either will not boot at all, or will boot and then repeatedly display a warning message stating that you need to add more power supplies.
  • Page 259 “Configuring IP” on page 15-1. Foundry switches and routers are configured at the factory with default parameters that allow you to begin using the basic features of the system immediately. However, many of the advanced features such as VLANs or routing protocols for the router must first be enabled at the system (global) level before they can be configured.
  • Page 260 Foundry Switch and Router Installation and Configuration Guide Using the Web Management Interface for Basic Configuration Changes The Web management interface enables you to easily make numerous configuration changes by entering or changing information on configuration panels such as the one shown in Figure 10.1. This example is for a router.
  • Page 261: Configuring Basic System Parameters

    Configuring Basic Features • Assign Layer 4 QoS Priority (Layer 2 Switches only). NOTE: Layer 4 priority for routers is set using the IP policy command found at the global CONFIG level of the CLI and the IP configuration sheet for the Web management interface. •...
  • Page 262: Entering System Administration Information

    Entering System Administration Information You can configure a system name, contact, and location for a Foundry switch or router and save the information locally in the configuration file for future reference. This information is not required for system operation but is suggested.
  • Page 263 Specifying an SNMP Trap Receiver You can specify a trap receiver to ensure that all SNMP traps sent by the Foundry device go to the same SNMP trap receiver or set of receivers, typically one or more host devices on the network. When you specify the host, you also specify a community string.
  • Page 264 Specifying a Single Trap Source You can specify a single trap source to ensure that all SNMP traps sent by the Foundry device use the same source IP address. When you configure the SNMP source address, you specify the Ethernet port, POS port, loopback interface, or virtual interface that is the source for the traps.
  • Page 265 SNMP trap source for this Layer 3 Switch. Regardless of the port the Foundry device uses to send traps to the receiver, the traps always arrive from the same source IP address. The following commands configure an IP interface on a POS port and designate the address as the SNMP trap source for a Layer 3 Switch.
  • Page 266 Disabling Syslog Messages and Traps for CLI Access Foundry devices send Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI. The feature applies to users whose access is authenticated by an authentication-method list based on a local user account, RADIUS server, or TACACS/TACACS+ server.
  • Page 267 Configuring Basic Features The feature is enabled by default. Examples of Syslog Messages for CLI Access When a user whose access is authenticated by a local user account, a RADIUS server, or a TACACS/TACACS+ server logs into or out of the CLI’s User EXEC or Privileged EXEC mode, the software generates a Syslog message and trap containing the following information: •...
  • Page 268: Configuring An Interface As The Source For All Telnet Packets

    You can configure Layer 2 and Layer 3 Switches to consult SNTP servers for the current system time and date. NOTE: Foundry Layer 2 and Layer 3 Switches do not retain time and date information across power cycles. Unless you want to reconfigure the system time counter each time the system is reset, Foundry Networks recommends that you use the SNTP feature.
  • Page 269 Configuring Basic Features Syntax: sntp server <ip-addr> | <hostname> [<version>] The <version> parameter specifies the SNTP version the server is running and can be from 1 – 4. The default is 1. You can configure up to three SNTP servers by entering three separate sntp server commands. By default, the switch or router polls its SNTP server every 30 minutes (1800 seconds).
  • Page 270: Setting The System Clock

    Setting the System Clock In addition to SNTP support, Foundry switches and routers also allow you to set the system time counter. The time counter setting is not retained across power cycles and is not automatically synchronized with an SNTP server.
  • Page 271
    BigIron# clock set 10:15:05 10-15-99
    Syntax: [no] clock set <hh:mm:ss> <mm-dd-yy> | <mm-dd-yyyy>
    By default, Foundry switches and routers do not change the system time for daylight savings time. To enable daylight savings time, enter the following command:
    BigIron# clock summer-time...
  • Page 272: Configuring The Syslog Service

    The procedures in this section describe how to perform the following Syslog configuration tasks: • Specify a SyslogD server. You can configure the Foundry device to use up to six SyslogD servers. (Use of a SyslogD server is optional. The system can hold up to 100 Syslog messages in an internal buffer.) •...
  • Page 273 The device writes the messages to a local buffer that can hold up to 100 messages. You also can specify the IP address or host name of up to six SyslogD servers. When you specify a SyslogD server, the Foundry device writes the messages both to the system log and to the SyslogD server.
  • Page 274 Foundry Switch and Router Installation and Configuration Guide This command enables local Syslog logging with the following defaults: • Messages of all severity levels (Emergencies – Debugging) are logged. • Up to 50 messages are retained in the local Syslog buffer.
  • Page 275 Foundry device. The default facility for messages the Foundry device sends to the SyslogD server is “user”. You can change the facility using the following command. NOTE: You can specify only one facility. If you configure the Foundry device to use two SyslogD servers, the device uses the same facility on both servers.
  • Page 276 Foundry Switch and Router Installation and Configuration Guide
    BigIron> show logging
    Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
    Static Log Buffer:...
  • Page 277 Configuring Basic Features • Dynamic – logs all other message types In the static log, new messages replace older ones, so only the most recent message is displayed. For example, only the most recent temperature warning message will be present in the log. If multiple temperature warning messages are sent to the log, the latest one replaces the previous one.
  • Page 278 Foundry Switch and Router Installation and Configuration Guide • If you have not set the time and date on the onboard system clock, the time stamp shows the amount of time that has passed since the device was booted, in the following format: <num>d<num>h<num>m<num>s...
  • Page 279 Clearing the Syslog Messages from the Local Buffer To clear the Syslog messages stored in the Foundry device’s local buffer, enter the following command from the Privileged EXEC level of the CLI:...
  • Page 280: Changing The Default Gigabit Negotiation Mode

    An administrator must intervene to manually configure one or both sides of the link to enable the ports to establish the link. Foundry Chassis software provides a solution by changing the default negotiation behavior for Gigabit Ethernet ports on Chassis devices. The new default behavior allows a port to establish a link with another port whether the other port is configured for auto-Gigabit or negotiation-off.
  • Page 281 Configuring Basic Features before. (Although you cannot set a global default for Gigabit Ethernet negotiation in software releases earlier than 05.2.00, the implicit default behavior is negotiation-off.) If the startup-config file contains the auto-gig command to configure individual ports for auto-Gigabit, the command is changed to the new format, gig-default auto-gig.
  • Page 282 (not even IGMP packets) are limited. See “Configuring IP Multicast Traffic Reduction (Layer 2 Switches only)” on page 10-56. Limiting Broadcasts To limit the number of broadcast packets a Foundry device can forward each second, use the following CLI method. USING THE CLI...
  • Page 283: Configuring Cli Banners

    Setting a Message of the Day Banner You can configure the Foundry device to display a message on a user’s terminal when he or she establishes a Telnet CLI session. For example, to display the message “Welcome to BigIron!” when a Telnet CLI session is...
  • Page 284: Configuring Basic Port Parameters

    Setting a Privileged EXEC CLI Level Banner You can configure the Foundry device to display a message when a user enters the Privileged EXEC CLI level. For example: BigIron(config)# banner exec_mode # (Press Return) Enter TEXT message, End with the character ’#’.
  • Page 285 Bridge and Port Parameters” on page 10-34. All Foundry ports are pre-configured with default values that allow the device to be fully operational at initial startup without any additional configuration. However, in some cases, changes to the port parameters may be necessary to adjust to attached devices or other network requirements.
  • Page 286: Assigning A Port Name

    NOTE: A slot option appears on the chassis port configuration sheet. Slot corresponds to a module slot number. See “Slot and Port Numbers” on page 9-16. NOTE: The IEEE Tagging option appears only on the Port configuration sheet when tagging is enabled at the system level and a VLAN is defined on the system.
  • Page 287 Select the Port link to display the Port table. Click on the Modify button next to the row of information for the port you want to reconfigure. Enter a name in the Name field. Click Apply to save the changes to the device’s running-config file. Select the Save link at the bottom of the dialog.
  • Page 288 The port can be made inactive (disable) or active (enable) by selecting the appropriate status option. The default value for a port is enabled. USING THE CLI To disable port 8 on module 1 of a Foundry Chassis device, enter the following: BigIron(config)# interface e 1/8 BigIron(config-if-1/8)# disable...
  • Page 289 BigIron(config)# interface ve v1 BigIron(config-vif-1)# disable Syntax: disable To re-enable a virtual interface, enter the enable command at the Interface configuration level. For example, to re-enable virtual interface v1, enter the following command: BigIron(config-vif-1)# enable Syntax: enable USING THE WEB MANAGEMENT INTERFACE To disable or enable a port: Log on to the device using a valid user name and password for read-write access.
  • Page 290 Changing the 802.3x Gigabit Negotiation Mode On Chassis devices, the globally configured Gigabit negotiation mode for 802.3x flow control is the default mode for all Gigabit ports. You can override the globally configured default and set individual ports to the following: •...
  • Page 291 Layer 2 IP Multicast Traffic Reduction feature (Layer 2 Switches only) – see “Configuring IP Multicast Traffic Reduction (Layer 2 Switches only)” on page 10-56 NOTE: This section does not describe the IP Multicast features on Foundry Layer 3 Switches. For information about these features, see “Configuring IP Multicast Protocols” on page 18-1.
  • Page 292 STP must be enabled at the system level to allow assignment of this capability on the VLAN level. On Foundry Layer 2 Switches, STP is enabled by default. On Foundry routers, STP is disabled by default.
  • Page 293 or on the Layer 2 or Layer 3 Switch (when no VLANs are configured for the system). Ports are re-routed based on their priority. A higher numerical value means a lower priority; thus, the highest priority is 0. Possible values: 0 –...
  • Page 294 Enabling or Disabling Layer 2 Switching (Layer 3 Switches only) By default, Foundry Layer 3 Switches support Layer 2 switching. These devices switch the routing protocols that are not supported on the devices. If IPX routing is not enabled, then IPX traffic also is switched. By default IPX routing is disabled.
  • Page 295 NOTE: Make sure you really want to disable all Layer 2 switching operations before you use this option. Consult your reseller or Foundry Networks for information. USING THE CLI To globally disable Layer 2 switching on a Layer 3 Switch, enter commands such as the following:...
  • Page 296: Changing The Mac Age Time

    Static MAC addresses can be assigned to Foundry Layer 2 and Layer 3 Switches. NOTE: Foundry routers also support the assignment of static IP Routes, static ARP, and static RARP entries. For details on configuring these types of static entries, see “Configuring Static Routes” on page 15-39 and “Creating Static ARP Entries”...
  • Page 297: Lists

    Here is the syntax for Stackable devices. Syntax: static-mac-address <mac-addr> ethernet <port-num> [normal-priority | high-priority] [host-type | router-type] The priority can be 0 – 7 (0 is lowest priority and 7 is highest priority) for Chassis devices and either normal-priority or high-priority for Stackable devices.
  • Page 298 The <num> parameter specifies the VLAN ID. The valid range for VLAN IDs starts at 1 on all systems but the upper limit of the range differs depending on the device. In addition, you can change the upper limit on some devices using the vlan max-vlans... command. See the Foundry Switch and Router Command Line Interface Reference.
  • Page 299: Configuring Trunk Groups

    The Trunk Group feature allows you to establish multiple high-speed load-sharing links between two Foundry switches or routers or between a Foundry switch and router and a server. You can configure from 2 – 4 ports as a trunk group, supporting transfer rates of up to 4 Gbps of bi-directional traffic.
  • Page 300 Foundry device. [Figure 10.3: Trunk group between a server and a Foundry Stackable switch or router. Labels: multi-homing server; multi-homing adapter has the same IP and MAC address; trunk group.]
  • Page 301 Trunk Group Rules • You can configure up to 64 trunk groups on a Chassis device, and up to four trunk groups on all Stackable devices except the TurboIron/4. The TurboIron/4 allows up to three trunk groups. •...
  • Page 302 Figure 10.4 shows some examples of valid 2-port trunk group links between devices. The trunk groups in this example are switch trunk groups, between two Foundry devices. Ports in a valid 2-port trunk group on one device are connected to two ports in a valid 2-port trunk group on another device. The same rules apply to 4-port trunk groups.
  • Page 303 Figure 10.5 shows examples of two Chassis devices connected by multi-slot trunk groups. Figure 10.5 Examples of multi-slot trunk groups...
  • Page 304 Figure 10.6 shows the valid 2-port and 4-port trunk groups on chassis 10/100 modules. Valid 2-port trunk groups Valid 4-port trunk groups Figure 10.6 Valid 2-port and 4-port trunk groups on chassis 10/100 modules Additional Trunk Group Rules for Gigabit Ethernet Modules on Chassis Devices •...
  • Page 305 Foundry Layer 2 or Layer 3 Switch. • Server trunk group – Use this type of trunk group to connect a Foundry Layer 2 or Layer 3 Switch to a file server or single host device. The Foundry device load shares across the ports in the trunk group. The type of load sharing depends on the type of device.
  • Page 306 Configure the trunk group on one of the two switches or routers involved in the configuration. Save this configuration to flash and reboot the system. NOTE: Foundry Networks recommends that you reload the software immediately after saving a trunk group configuration to the startup-config file, before making further configuration changes.
  • Page 307 Example 1: Configuring the Trunk Groups Shown in Figure 10.2 To configure the trunk groups shown in Figure 10.2, enter the following commands. Notice that the commands are entered on multiple devices. USING THE CLI To configure the trunk group link between NetIron1 and the FastIron: NOTE: The text shown in italics in the CLI example below shows messages echoed to the screen in answer to the CLI commands entered.
  • Page 308 Click in the checkbox next to Server to place a checkmark in the box if the other end of the trunk group is a server. If the other end of the connection is a Foundry Layer 2 or Layer 3 Switch, do not click this checkbox.
  • Page 309 The server | switch parameter specifies whether the trunk ports will be connected to a server or to another Layer 2 or Layer 3 Switch. This parameter affects the type of load balancing performed by the Foundry device. See “Trunk Group Load Sharing” on page 10-47. The default is switch.
  • Page 310 Therefore, TurboIron/4 Layer 2 and Layer 3 Switches support a maximum of three trunk groups of two ports each. The possible trunk groups are ports 1-2, 3-4 and 5-6. NOTE: Foundry Networks recommends that you reload the software immediately after saving a trunk group configuration to flash memory, before making further configuration changes.
  • Page 311 Modifying Trunk Group Membership You can change port membership by removing individual ports from the trunk group. To remove a port from a trunk group, use one of the following methods. USING THE CLI To remove ports 1/3 and 1/4 from the trunk group, enter the following command: BigIron(config)# no trunk ethernet 1/3 to 1/4 Syntax: no trunk ethernet <portnum>...
  • Page 312 11. Select the Reload link and select Yes when the Web management interface asks you whether you really want to reload the software. NOTE: Foundry Networks recommends that you reload the software immediately after saving a trunk group configuration to flash memory, before making further configuration changes.
  • Page 313 Operational trunks: Trunk Type Ports Duplex Speed Tag Priority Switch 1/1 1/2 1/3 1/4 2/1 2/2 2/3 2/4 None None level0 Syntax: show trunk The following table describes the information displayed by the show trunk command. Table 10.6: CLI Trunk Group Information This Field...
  • Page 314 Enabling IP Multicast Traffic Reduction By default, Foundry Layer 2 Switches forward all IP multicast traffic out all ports except the port on which the traffic was received. To reduce multicast traffic through the switch, you can enable IP Multicast Traffic Reduction. This feature configures the switch to forward multicast traffic only on the ports attached to multicast group members.
  • Page 315 IGMP mode. The default mode is passive. • Active – When active IGMP mode is enabled, a Foundry Layer 2 Switch actively sends out IGMP queries to identify IP multicast groups on the network and makes entries in the IGMP table based on the Group Membership reports received from the network.
  • Page 316 Disabling IGMP on Individual Ports By default, when you enable IP multicast on a Foundry Layer 2 Switch, all ports on the switch are configured for IGMP. If you are using active IGMP, all ports can send IGMP queries and receive IGMP reports. If you are using passive IGMP, all ports can receive IGMP queries.
  • Page 317 Modifying the Query Interval The query interval specifies how often a Foundry Layer 2 Switch enabled for active IP Multicast Traffic Reduction sends Group Membership queries. NOTE: The query interval applies only to the active mode of IP Multicast Traffic reduction.
  • Page 318 To enable IP multicast filtering, use the following CLI method. NOTE: In software releases earlier than 07.1.10, you must reload the software after making this configuration change and saving it to the startup-config file. If you are using software release 07.1.10 or later, you do not need to reload the software.
  • Page 319: Defining Mac Address Filters

    NOTE: You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use IP access policies. See “Policies and Filters” on page C-1 and the Foundry ServerIron Installation and Configuration Guide. You configure MAC filters globally, then apply them to individual interfaces. To apply MAC filters to an interface, you add the filters to that interface’s MAC filter group.
  • Page 320 For complete MAC filter examples, see the Foundry Switch and Router Command Line Interface Reference. To define a MAC filter, use one of the following methods.
  • Page 321 NOTE: You must type in both bytes, otherwise the software will fill the field, left justified with a 00. Refer to RFC 1042 for a complete listing of SAP numbers. SNAP is defined as an IEEE 802.3 frame with the SSAP, DSAP, and control field set to AA, AA, and 03. Immediately following these is a five-byte SNAP header.
  • Page 322 Edit the value in the ID field if you want to assign the filter a different ID. The software automatically increments this field each time you add a MAC filter. Select the filter action by selecting Permit or Deny next to Action.
  • Page 323 Layer 2 MAC filters. You can enable logging of denied packets on a global basis or an individual port basis. See Example 4 in the “show logging” section in the “Show Commands” chapter of the Foundry Switch and Router Command Line Interface Reference for a description of how the timer for the entries works. Layer 2 MAC filters and IP access policies use the same timer, whereas Access Control Lists (ACLs) use a separate timer, but the timers work the same way.
  • Page 324 Defining Broadcast and Multicast Filters You can filter Layer 2 broadcast and multicast packets on specific ports. • Layer 2 broadcast packets have the value “FFFFFFFFFFFF” (all ones) in the destination MAC address field.
  • Page 325 BigIron(config-bcast-filter-id-1)# write memory To configure two filters, one to filter IP UDP traffic on ports 1/1 – 1/4, and the other to filter all broadcast traffic on port 4/6, enter the following commands: BigIron(config)# broadcast filter 2 ip udp BigIron(config-bcast-filter-id-2)# exclude-ports ethernet 1/1 to 1/4 BigIron(config-bcast-filter-id-2)# exit BigIron(config)# broadcast filter 3 any...
  • Page 326: Locking A Port To Restrict Addresses

    Locking a Port To Restrict Addresses Address-lock filters allow you to limit the number of devices that have access to a specific port. Access violations are reported as SNMP traps. By default this feature is disabled. A maximum of 2048 entries can be specified for access.
  • Page 327: Enabling Ip Or Ipx Router

    CLI. USING THE CLI To enable a protocol on a Foundry Layer 3 Switch, enter router at the global CONFIG level, followed by the protocol to be enabled. The following example shows how to enable OSPF:...
  • Page 328: Displaying And Modifying System Parameter Default Settings

    Displaying and Modifying System Parameter Default Settings Foundry devices have default table sizes for the following parameters. The table sizes determine the maximum number of entries the tables can hold. You can adjust individual table sizes to accommodate your configuration needs.
  • Page 329 NOTE: Changing the table size for a parameter reconfigures the device’s memory. Whenever you reconfigure the memory on a Foundry device, you must save the change to the startup-config file, then reload the software to place the change into effect.
  • Page 330 l4-real-server 1024 2048 1024 l4-virtual-server l4-server-port 2048 4096 2048 8000 64000 8000 ip-route 128000 200000 128000 ip-static-route 2048 vlan 2048 spanning-tree mac-filter-port mac-filter-sys 1024 ip-subnet-port session-limit 131072 500000 131072 view 65535 virtual-interface 2048 Information for the configurable tables appears under the columns that are shown in bold type in this example.
  • Page 331: Assigning A Mirror Port And Displaying The Current

    Assigning a Mirror Port and Monitor Ports You can monitor traffic on Foundry ports by configuring another port to “mirror” the traffic on the ports you want to monitor. By attaching a protocol analyzer to the mirror port, you can observe the traffic on the monitored ports.
  • Page 332 Select the Port link to display the Port table. Click the Modify button next to the port you want to monitor. In this example, select port 3 on the module in slot 4 (4/3).
  • Page 333: Chapter Iron Clad Quality Of

    Chapter 11 IronClad Quality of Service (QoS) This chapter describes how to configure Quality of Service (QoS) on Foundry devices. NOTE: The IronClad QoS features described in this chapter apply only to Chassis devices and to the TurboIron/8. To configure QoS on Stackable devices, use the procedures in “Assigning QoS Priorities to Traffic”...
  • Page 334: Automatic Queue Mapping For Queuing Methods

    Automatic Queue Mapping for IP Type Of Service (TOS) Values Foundry devices that support IronClad QoS automatically examine the first two bits in the Type of Service (TOS) header in each IP packet as it enters the device on a 10/100 port. The device then places the packet in the QoS queue that corresponds to the TOS value.
  • Page 335: Selecting The Queuing Method

    Selecting the Queuing Method Foundry Chassis devices (including the TurboIron/8) use the weighted fair queuing method of packet prioritization by default. To change the method to strict queuing or back to weighted fair queuing, use one of the following methods.
  • Page 336 Renaming the Queues The default queue names are qosp3, qosp2, qosp1, and qosp0. You can change one or more of the names if desired. To do so, use one of the following methods.
  • Page 337 By default, the four QoS queues receive the following minimum guaranteed percentages of a port’s total bandwidth. Queue Default Minimum Percentage of Bandwidth qosp3 qosp2 qosp1 3.3% qosp0 1.7% NOTE: The percentages are guaranteed minimum bandwidth percentages. Thus, they apply when a port is fully utilized.
  • Page 338 The following table shows one full queue cycle using the default bandwidth percentages. qosp3 qosp2 qosp1 qosp0 bandwidth % = 80 bandwidth % = 15 bandwidth % = 3.3 bandwidth % = 1.7...
  • Page 339 Figure 11.1 illustrates a cycle through the queues...
  • Page 340 NOTE: The weighted fair queuing method is based on packet-level scheduling. As a result, a queue’s bandwidth percentage does not necessarily reflect the exact bandwidth share the queue receives. This is due to the effects of variable size packets.
  • Page 341 For results that do not differ widely from the percentages you enter, enter successively lower percentages for each queue, beginning with the premium queue. If you enter a higher percentage for a particular queue than you enter for a higher queue, the normalized results can vary widely from the percentages you enter.
  • Page 342: Displaying The Iron Clad Qo

    Select the Save link at the bottom of the dialog, then select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory. Resetting the Minimum Bandwidth Percentages to Their Defaults You can use either of the following CLI commands to reset the QoS queues to their default bandwidth percentages (and therefore to their default weights).
  • Page 343: Assigning Qos Priorities To Traffic

    When you apply a QoS priority to one of the items listed above, you either specify a number from 0 – 7 (Chassis devices) or specify “high” or normal (Stackable devices). On Chassis devices, the priority number specifies the IEEE 802.1 equivalent to one of the four Foundry QoS queues. The numbers correspond to the queues as follows.
  • Page 344 BigIron(config-if-1/1)# write memory Syntax: [no] priority <num> The <num> parameter can be from 0 – 7 and specifies the IEEE 802.1 equivalent to one of the four QoS queues. To change the QoS priority of port 1 on a Stackable device to the high queue, enter the following commands:...
  • Page 345 NOTE: Tagged packets also contain a priority value in the 802.1q tag. If you use the default priority for a VLAN, a tagged packet that exits on that VLAN can be placed into a higher priority queue based on the port priority, the priority in the 802.1q tag, and so on.
  • Page 346 IP access policy, and so on). If the VLAN for the packet uses the default priority (0, equal to the qosp0 queue), then the Foundry device uses the priority information in the packet to assign the packet to a queue on its incoming port.
  • Page 347 queue (qosp0). If a tagged packet’s 802.1p priority level is always in the qosp0 queue, then the packet’s outbound queue is affected by other items such as incoming port, VLAN, and so on. To reassign the priorities to different queues, use either of the following methods. USING THE CLI To reassign all 802.1p priority levels 2 –...
  • Page 348: Assigning Static Mac Entries To Priority Queues

    Click the Apply button to save the change to the device’s running-config file. Select the Save link at the bottom of the dialog, then select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 349 NOTE: The location of the static-mac-address command in the CLI depends on whether you configure port- based VLANs on the device. If the device does not have more than one port-based VLAN (VLAN 1, which is the default VLAN that contains all the ports), the static-mac-address command is at the global CONFIG level of the CLI.
  • Page 350 Click the Apply button to save the change to the device’s running-config file. 10. Select the Save link at the bottom of the dialog, then select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 351 • eq – The policy applies to the TCP or UDP port name or number you enter after eq. • gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.
  • Page 352 Figure 11.2 and Figure 11.3 show the CLI syntax for configuring a Layer 4 QoS policy on a Foundry router. Notice that the syntax differs slightly depending on whether you are configuring a Stackable router or a Chassis router.
  • Page 353 Figure 11.3 QoS IP policy syntax for a Foundry router (2 of 2) Layer 2 Switch Syntax To assign a priority of 7 to FTP traffic on all ports on a FastIron II Layer 2 Switch, enter the following commands:...
  • Page 354 CLI to apply the policy to a port: ip-policy <num> Figure 11.4 shows the CLI syntax for configuring a QoS policy on a Foundry Layer 2 Switch. The value “<CR>” means “carriage return”, also known as the Enter key.
  • Page 355 Layer 3 Switch To assign a priority of 4 to all HTTP traffic on port 3/12 on a BigIron Layer 3 Switch, perform the following steps: Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed.
  • Page 356 • icmp • igmp • igrp • ospf • • In this example, enter tcp. 11. If you entered tcp or udp, you also can select one of the following comparison operators from the Operator field.
  • Page 357 16. Select the port number from the Slot (for Chassis devices) and Port pulldown lists. In this example, select 3/ 17. Click the checkbox next to In Filter, Out Filter, or next to both options to indicate the traffic direction to which you are applying the policy.
  • Page 358 NOTE: The device applies the policies in the order you list them, so make sure you order them in such a way that you receive the results you expect. Once a packet matches a policy, the device takes the action specified in that policy and stops comparing the packet to the policies in the list.
  • Page 359: Configuring A Utilization List For An Uplink Port

    Edit the socket number in the Socket field if needed. • On a Chassis device, select a number from 0 – 7 from the QoS field’s pulldown menu. • On a Stackable device, select high or normal from the QoS field’s pulldown menu. Click on the Apply button to apply the new QoS setting to the socket number specified in the Socket field or click on the Apply To All Sockets button to apply the new QoS setting to all AppleTalk sockets.
  • Page 360: Displaying Utilization Percentages For An Uplink

    Enter the ID for the link utilization list in the ID field. You can specify a number from 1 – 4. Click the Select Uplink Port Members button. A Port Members panel similar to the following is displayed.
  • Page 361 BigIron(config)# show relative-utilization 1 uplink: ethe 1 30-sec total uplink packet count = 3011 packet count ratio (%) 1/ 2:60 1/ 3:40 In this example, ports 1/2 and 1/3 are sending traffic to port 1/1. Port 1/2 and port 1/3 are isolated (not shared by multiple clients) and typically do not exchange traffic with other ports except for the uplink port, 1/1.
  • Page 362 This panel displays a graph of the percentage of the uplink’s bandwidth that each of the downlink ports used during the most recent 30-second port statistics interval.
  • Page 363: Configuring Standard Stp Parameters

    By default, each port-based VLAN on a Foundry device runs a separate spanning tree (a separate instance of STP). A Foundry device has one port-based VLAN (VLAN 1) by default that contains all the device’s ports. Thus, by default each Foundry device has one spanning tree. However, if you configure additional port-based VLANs on a Foundry device, then each of those VLANs and VLAN 1 all run separate spanning trees.
  • Page 364: C P P C L R

    STP Parameters and Defaults Table 12.1 lists the default STP bridge parameters. The bridge parameters affect the entire VLAN (or the entire device, if the only port-based VLAN is the default one, VLAN 1).
  • Page 365: Configuring Spanning

    VLAN, you can no longer configure standard STP parameters globally using the CLI. From that point on, you can configure STP only within individual VLANs. USING THE CLI To enable STP for all ports on a Foundry device, enter the following command: BigIron(config)# spanning-tree Syntax: [no] spanning-tree USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access.
  • Page 366 To change STP bridge parameters, use either of the following methods. USING THE CLI To change a Foundry device’s STP bridge priority to the highest value to make the device the root bridge, enter the following command: BigIron(config)# spanning-tree priority 0 The command in this example changes the priority on a device on which you have not configured port-based VLANs.
  • Page 367 Configuring Spanning Tree Protocol (STP) and IronSpan Modify the bridge STP parameters to the values desired. Click Apply to save the changes to the device’s running-config file. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 368 USING THE WEB MANAGEMENT INTERFACE To modify the STP port parameters: Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.
  • Page 369: Displaying Stp Information

    Displaying STP Information You can display the following STP information: • All the global and interface STP settings • CPU utilization statistics • Detailed STP information for each interface • STP state information for an individual interface •...
  • Page 370 The show span command shows the following information. Table 12.3: CLI Display of STP Information This Field... Displays... Global STP Parameters VLAN ID The port-based VLAN that contains this spanning tree (instance of STP).
  • Page 371 Table 12.3: CLI Display of STP Information (Continued) This Field... Displays... State The port’s STP state. The state can be one of the following: • BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop.
  • Page 372 Table 12.4: Web Management Display of STP Information This Field... Displays... STP Bridge Parameters (global parameters) VLAN ID The port-based VLAN that contains this spanning tree (instance of STP). VLAN 1 is the default VLAN. If you have not configured port- based VLANs on this device, all STP information is for VLAN 1.
  • Page 373 Table 12.4: Web Management Display of STP Information (Continued) This Field... Displays... State The port’s STP state. The state can be one of the following: • BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop.
  • Page 374 0.00 0.00 0.00 0.00 0.00 0.03 0.04 0.07 VRRP 0.00 0.00 0.00 0.00 If the software has been running less than 15 minutes (the maximum interval for utilization statistics), the command indicates how long the software has been running. Here is an example: BigIron# show process cpu The system has only been up for 6 seconds.
  • Page 375 Timers: message age 20, forward delay 5, hold 5 BPDU: sent 5, received 0 For brevity, this example shows information for only two ports. The command displays information for all the ports on the device. Syntax: show span detail The show span detail command shows the following information.
  • Page 376 Table 12.5: CLI Display of Detailed STP Information for Ports (Continued) This Field... Displays... Timers The current values for the following timers: • Message age – The number of seconds this port has been waiting for a hello message from the root bridge.
  • Page 377 Configuring Spanning Tree Protocol (STP) and IronSpan BigIron(config)# show interface brief Port Link State Dupl Speed Trunk Tag Priori MAC Name Down None None None None level0 00e0.52a9.bb00 Down None None None None level0 00e0.52a9.bb01 Down None None None None level0 00e0.52a9.bb02 Down None None None...
  • Page 378: Configuring Ironspan Features

    Fast Port Span reduces the number of STP topology change notifications on the network. When an end station attached to a Fast Span port comes up or down, the Foundry device does not generate a topology change notification for the port. In this situation, the notification is unnecessary since a change in the state of the host does not affect the network’s topology.
  • Page 379 Configuring Spanning Tree Protocol (STP) and IronSpan automatically uses the normal STP settings. If a port matches any of the following criteria, the port is ineligible for Fast Port Span and uses normal STP instead: • The port is 802.1q tagged •...
  • Page 380: Fast Uplink Span

    (two seconds for listening and two seconds for learning). The wiring closet switch must be a Foundry device but the device at the other end of the link can be a Foundry device or another vendor’s switch.
  • Page 381: Single Spanning Tree

    VLAN basis. Alternatively, you can configure a Foundry device to run a single spanning tree across all ports and VLANs on the device. The single STP feature is especially useful for connecting a Foundry device to third-party devices that run a single spanning tree in accordance with the 802.1q specification.
  • Page 382 VLAN and you want all the ports to be in the same STP broadcast domain. USING THE CLI To configure the Foundry device to run a single spanning tree, enter the following command at the global CONFIG level. BigIron(config)# spanning-tree single Here is the syntax for the global STP parameters.
  • Page 383 Configuring Spanning Tree Protocol (STP) and IronSpan NOTE: Both commands listed above are entered at the global CONFIG level. NOTE: If the device has only one port-based VLAN, the CLI command for enabling single-instance STP is not listed in the CLI. The command is listed only if you have configured a port-based VLAN. To change a global STP parameter, enter a command such as the following at the global CONFIG level: BigIron(config)# spanning-tree single priority 2 This command changes the STP priority for all ports to 2.
  • Page 384 Foundry Switch and Router Installation and Configuration Guide VLAN Port Prio Path State Design Design Design rity Cost Trans Cost Root Bridge DISABLED 0000000000000000 0000000000000000 DISABLED 0000000000000000 0000000000000000 DISABLED 0000000000000000 0000000000000000 DISABLED 0000000000000000 0000000000000000 some lines omitted for brevity To display VLAN information, including the STP state of each VLAN, enter the following command at any CLI...
  • Page 385: Pvst/Pvst+ Compatibility

    The information in this section is for reference. If you are running PVST/PVST+ on the Cisco devices and the default support for separate spanning trees in each VLAN on the Foundry devices, then no configuration is necessary for the devices to share spanning tree information.
  • Page 386: Enabling Pvst/Pvst+ S

    BPDUs to the other devices. The other devices forward the BPDUs as needed. The format of an STP BPDU differs depending on whether it is a Cisco PVST BPDU or a Foundry BPDU. Foundry and Cisco devices also can support single STP BPDUs, which use another format.
  • Page 387: Displaying Pvst Information

    Displaying PVST Information To display PVST information, use the following CLI method. USING THE CLI To display PVST information for ports on a Foundry device, enter the following command at any level of the CLI: BigIron(config)# show span pvst-mode VLAN...
  • Page 388 Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE You cannot display PVST information using the Web management interface.
  • Page 389 NOTE: For optimal performance, apply deny ACLs to inbound ports instead of outbound ports. This way, traffic is dropped as it tries to enter the Foundry device, instead of being dropped after it has been forwarded internally to the outbound port.
  • Page 390: Addresses

    2 Switches support ACLs only for access control. However, you can filter IP traffic on a Layer 2 Switch that has been upgraded to Layer 3 routing code by configuring IP access policies. The following table lists the ACL functions supported on each Foundry Layer 3 Switch and Layer 2 Switch. Product...
  • Page 391: Acl Ids And Entries

    Using Access Control Lists (ACLs) Product Packet Forwarding ACLs Management Access ACLs Supported Supported BigIron Layer 3 Switch FastIron II, FastIron II Plus TurboIron/8 NetIron stackable Layer 3 Switch (octal) FastIron Backbone Layer 2 Switch FastIron Workgroup Layer 2 Switch with 8 MB DRAM or greater only FastIron Workgroup Layer 2 Switch with 2 MB DRAM...
  • Page 392: Traffic

    ACL action, deny all, to the interface and thus denies all traffic. Controlling Management Access to the Device You can use standard ACLs to control Telnet, Web, and SNMP access to a Foundry device. See “Using ACLs to Restrict Remote Access” on page 3-4. ACL Logging ACL logging is disabled by default.
  • Page 393 Using Access Control Lists (ACLs) To store this many ACLs, you need a Management IV module with a PCMCIA flash card. The flash card contains enough space to store a startup-config file with 4096 ACLs. You can boot the device from the PCMCIA flash card and load a configuration file containing ACLs and VLANs from the PCMCIA flash card.
  • Page 394 Foundry Switch and Router Installation and Configuration Guide Click on the plus sign next to Configure in the tree view to expand the list of configuration options. Click on the plus sign next to IP in the tree view to expand the list of IP option links.
  • Page 395 The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name. NOTE: To specify the host name instead of the IP address, the host name must be configured using the Foundry device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI.
  • Page 396 Foundry Switch and Router Installation and Configuration Guide The log argument configures the device to generate Syslog entries and SNMP traps for packets that are denied by the access policy. NOTE: You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use.
  • Page 397 In Bound – The ACL applies to traffic received on the port from other devices. • Out Bound – The ACL applies to traffic this Foundry device queues for transmission on the port. 12. Enter the ACL number in the ACL Number field.
  • Page 398 Foundry Switch and Router Installation and Configuration Guide Configuring Extended ACLs This section describes how to configure extended ACLs. • For configuration information on named ACLs, see “Configuring Named ACLs” on page 13-19. • For configuration information on standard ACLs, see “Configuring Standard ACLs” on page 13-6.
  • Page 399: Filtering On Ip Precedence And Tos Values

    Using Access Control Lists (ACLs) The fourth entry denies all IP traffic from host 209.157.21.100 to host 209.157.22.1 and generates Syslog entries for packets that are denied by this entry. The fifth entry denies all OSPF traffic and generates Syslog entries for denied traffic. The sixth entry permits all packets that are not explicitly denied by the other entries.
  • Page 400: Extended Acl Syntax

    Foundry Switch and Router Installation and Configuration Guide The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP precedence value “6” (equivalent to “internet”). The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
  • Page 401 Using Access Control Lists (ACLs) 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 0.0.0.255 in the startup-config file. If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in “/<mask-bits>”...
  • Page 402 Foundry Switch and Router Installation and Configuration Guide • pop2 • pop3 • smtp • • telnet • UDP port names recognized by the software: • bootps • bootpc • • • radius • radius-old • • snmp • snmp-trap •...
  • Page 403 Using Access Control Lists (ACLs) You can specify one of the following: • max-reliability or 2 – The ACL matches packets that have the maximum reliability TOS. The decimal value for this option is 2. • max-throughput or 4 – The ACL matches packets that have the maximum throughput TOS. The decimal value for this option is 4.
  • Page 404 Foundry Switch and Router Installation and Configuration Guide Change the ACL number in the ACL Number field or use the ACL number displayed in the field. NOTE: You cannot specify a name. Select the ACL action. You can select Permit or Deny: •...
  • Page 405 Using Access Control Lists (ACLs) • If you enter a host name instead of an IP address, when you click Add to add the ACL, the Web management interface sends a DNS query for the address. For the query to be successful, the device must have network access to a DNS server and the server must have an Address record for the host.
  • Page 406 In Bound – The ACL applies to traffic received on the port from other devices. • Out Bound – The ACL applies to traffic this Foundry device queues for transmission on the port. 21. Enter the ACL number in the ACL Number field.
  • Page 407 Using Access Control Lists (ACLs) 23. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory. NOTE: You also can access the dialog for saving configuration changes by clicking on Command in the tree view, then clicking on Save to Flash.
  • Page 408: Modifying Acls

    NOTE: This section applies to standard ACLs and to extended ACLs. When you use the Foundry device’s CLI or Web management interface to configure an ACL, the software places the ACL entries in the ACL in the order you enter them. For example, if you enter the following entries in the order shown below, the software always applies the entries to traffic in the same order.
  • Page 409 ACL list has been read from the file. Save the text file. On the Foundry device, enter the following command at the Privileged EXEC level of the CLI: copy tftp running-config <tftp-ip-addr> <filename> NOTE: This command will be unsuccessful if you place any commands other than access-list and end (at the end only) in the file.
  • Page 410 Syntax: [no] ip access-group <num> in ethernet <portnum> [<portnum>...] to <portnum> Enabling Strict TCP or UDP Mode By default, when you use ACLs to filter TCP or UDP traffic, the Foundry device does not compare all TCP or UDP packets against the ACLs.
  • Page 411: Enabling Strict Tcp Mode

    Enabling Strict TCP Mode By default, when you use ACLs to filter TCP traffic, the Foundry device does not compare all TCP packets against the ACLs. Instead, the device compares TCP control packets against the ACLs, but not data packets. Control packets include packet types such as SYN (Synchronization) packets, FIN (Finish) packets, and RST (Reset) packets.
  • Page 412: Displaying Acls

    Foundry Switch and Router Installation and Configuration Guide NOTE: If the device’s configuration currently has ACLs associated with interfaces, remove the ACLs from the interfaces before changing the ACL mode. To enable the strict ACL UDP mode, enter the following command at the global CONFIG level of the CLI:...
  • Page 413 Using Access Control Lists (ACLs) To display Syslog entries, use one of the following methods. USING THE CLI Enter the following command from any CLI prompt: BigIron(config)# show log Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns) Buffer logging: level ACDMEINW, 38 messages logged level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning Log Buffer (50 entries):...
  • Page 414 The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name. NOTE: To specify the host name instead of the IP address, the host name must be configured using the Foundry device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI.
  • Page 415 Using Access Control Lists (ACLs) Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy. If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask.
  • Page 416: Enabling Pbr

    Foundry Switch and Router Installation and Configuration Guide The <num> parameter specifies the instance of the route map you are defining. Each route map can have up to 50 instances. Routes are compared to the instances in ascending numerical order. For example, a route is compared to instance 1, then instance 2, and so on.
  • Page 417 Using Access Control Lists (ACLs) • Packets from 209.157.23.x are sent to 192.168.2.1. • Packets from 209.157.24.x are sent to 192.168.2.2. • Packets from 209.157.25.x are sent to 192.168.2.3. The following commands configure three standard ACLs. Each ACL contains one of the ACLs listed above. Make sure you specify permit instead of deny in the ACLs, so that the Layer 3 Switch permits the traffic that matches the ACLs to be further evaluated by the route map.
  • Page 418 Foundry Switch and Router Installation and Configuration Guide The following commands configure an entry in a route map called “test-route-if-no-gateway”. The first entry (permit 4) matches on the IP address information in ACL 4 above. For IP traffic from sub-net 192.168.1.0/24, this route map entry sets the next-hop IP address to 192.111.1.1, but only if the Layer 3 Switch does not already have...
  • Page 419 Using Access Control Lists (ACLs) The following command enables PBR by globally applying the route map to all interfaces. BigIron(config)# ip policy route-map file-13 Alternatively, you can enable the PBR on specific interfaces, as shown in the following example. The commands in this example configure IP addresses in the source sub-net identified in ACL 6, then apply route map file-13 to the interface.
  • Page 421 Chapter 14 IronClad Rate Limiting Foundry’s IronClad rate limiting enables you to control the amount of bandwidth specific traffic uses on specific interfaces, by limiting the amount of data the interface receives or forwards for traffic. You can configure the following types of rate limiting: •...
  • Page 422: How Fixed Rate Limiting Works

    NOTE: Foundry recommends that you do not use Fixed Rate Limiting on ports that send or receive route control traffic or Spanning Tree Protocol (STP) control traffic. If the port drops control packets due to the Fixed Rate Limiting policy, routing or STP can be disrupted.
  • Page 423: Configuring Fixed Rate Limiting

    IronClad Rate Limiting The Fixed Rate Limiting policy allows up to 500000 bits (62500 bytes) of inbound traffic during each one-second interval. Once the maximum rate is reached, all additional traffic within the one-second interval is dropped. One-second One-second One-second One-second interval interval...
  • Page 424 Foundry Switch and Router Installation and Configuration Guide Total rate-limited interface count: 6. Port Input rate RX Enforced Output rate TX Enforced 500000 1234567 2222222 1234567 1238888 1238888 Syntax: show rate-limiting fixed This display shows the following information. Table 14.2: CLI Display of Fixed Rate Limiting Information This Field...
  • Page 425: Adaptive Rate Limiting

    The rate policy rules allow you to specify the action you want the Foundry device to take depending on whether the traffic is conforming to the policy. You can specify one of the following actions for each case: •...
  • Page 426 Foundry Switch and Router Installation and Configuration Guide Examples of Adaptive Rate Limiting Applications The following sections show some examples of how you can use Adaptive Rate Limiting. The CLI commands for implementing each application are shown in “Complete CLI Examples” on page 14-19.
  • Page 427 IronClad Rate Limiting The rate policy rules are for three TCP/UDP applications: HTTP (web), FTP, and DNS. The fourth rule is for all other IP traffic (traffic that is not for one of the three applications). The device applies rate policy rules in the order in which you apply them to an interface.
  • Page 428 Foundry Switch and Router Installation and Configuration Guide Adaptive Rate Policy for a Specific MAC Address Figure 14.3 shows an example of a rate policy consisting of one rule applied to a virtual routing interface (“virtual interface” or “VE”). A virtual interface enables ports in a VLAN to route to other VLANs. In this example, the VLAN contains three ports, attached to three hosts.
  • Page 429 IronClad Rate Limiting Adaptive Rate Policy for a Port-Based VLAN Figure 14.4 shows a rate policy applied to a VLAN. When you apply a rate policy to a VLAN, the policy applies to all the ports in the VLAN. The rate policy in this example performs the following actions on traffic received on ports in the VLAN: •...
  • Page 430 Foundry Switch and Router Installation and Configuration Guide • Average Rate • Normal Burst Size • Excess Burst Size • Committed Time Interval When you apply Adaptive Rate Limiting policies to an interface, you specify the first three of these parameters.
  • Page 431 How Adaptive Rate Limiting Works Foundry’s Adaptive Rate Limiting polices bandwidth usage on specific interfaces for specific IP traffic, and takes the actions you specify based on whether the traffic is within the amount of bandwidth you have allocated for the traffic or has exceeded the bandwidth allocation.
  • Page 432 Foundry Switch and Router Installation and Configuration Guide Figure 14.5 shows an example of the Normal Burst Size and Excess Burst Size counters. This example shows two Committed Time Intervals. Line rate = 1,000,000,000 bps (one Gigabit) Average Rate = 500,000,000 bits...
  • Page 433 IronClad Rate Limiting Figure 14.6 shows an example of two Committed Time Intervals. In this example, the policy rule matches the maximum number of conforming bytes (Normal Burst Size bytes) in each interval. Line rate = 1,000,000,000 bps (one Gigabit) Average Rate = 500,000,000 bits Normal Burst Size = 62,500,000 bytes (500,000,000 bits) Excess Burst Size = 93,750,000...
  • Page 434: Configuring Adaptive Rate Limiting

    Foundry Switch and Router Installation and Configuration Guide Figure 14.7 shows an example of eight Committed Time Intervals. The software drops traffic in the second and eighth intervals because the interface receives traffic that matches the rule after the rule has already matched the maximum number of bytes for the Normal Burst Size and Excess Burst Size.
  • Page 435 IronClad Rate Limiting NOTE: To characterize the traffic, configure ACLs. You can use ACLs for rate policy rules applied to IP interfaces or to virtual interfaces, but not for rate policy rules applied directly to port-based VLANs. When you apply a rate policy rule to a port-based VLAN, the policy applies to all IP traffic. •...
  • Page 436 Foundry Switch and Router Installation and Configuration Guide NOTE: The deny option is not applicable to rate limiting. Always specify permit when configuring an ACL for use in a rate limiting rule. Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any [log] NOTE: For complete syntax descriptions for standard and extended ACLs, see “Using Access Control Lists...
  • Page 437 IronClad Rate Limiting NOTE: The bits appear in this order in the IP precedence field and the software reads them from right to left. The least significant digit is the rightmost digit (bit position 1) and the most significant digit is the leftmost digit (bit position 8).
  • Page 438 Foundry Switch and Router Installation and Configuration Guide CLI Syntax Syntax: [no] rate-limit input | output [access-group <num>] <average-rate> <normal-burst-size> <excess-burst-size> conform-action <action> exceed-action <action> The input | output parameter specifies whether the rule applies to inbound traffic or outbound traffic.
  • Page 439: Complete Cli Examples

    IronClad Rate Limiting • 4 – flash override precedence • 5 – critical precedence • 6 – internetwork control precedence • 7 – network control precedence • set-prec-continue <new-prec> – Set the IP precedence to one of the values listed above, then evaluate the traffic based on the next rate policy.
  • Page 440 Foundry Switch and Router Installation and Configuration Guide NetIron(config-if-e1000-25)# rate-limit input access-group 102 10000000 125000 187500 conform-action set-prec-transmit 5 exceed-action drop The following rule applies to traffic that matches ACL 103. Like the previous rule, this rule drops packets received after the maximum number of conforming packets have been received.
  • Page 441 IronClad Rate Limiting Disabling Rate Limiting Exemption for Control Packets By default, the Foundry device does not apply Adaptive Rate Limiting policies to certain types of control packets, but instead always forwards these packets, regardless of the rate limiting policies in effect.
  • Page 443: Configuring Ip

    Chapter 15 Configuring IP This chapter describes the Internet Protocol (IP) parameters on Foundry Layer 3 Switches and Layer 2 Switches and how to configure them. After you add IP addresses and configure other IP parameters, see the following chapters for configuration information for the IP routing protocols: •...
  • Page 444: Overview

    Foundry Layer 2 Switches consists of basic services to support management access and access to a default gateway. IP support on Foundry Layer 3 Switches includes all of the following, in addition to a highly configurable implementation of basic IP services including Address Resolution Protocol (ARP), ICMP Router Discovery Protocol (IRDP), and Reverse ARP (RARP): •...
  • Page 445: Ip Packet Flow Through A Layer 3 Switch

    Layer 2 Switches You can configure an IP address on a Foundry Layer 2 Switch for management access to the Layer 2 Switch. An IP address is required for Telnet access, Web management access, and SNMP access. You also can specify the default gateway for forwarding traffic to other sub-nets.
  • Page 446 Foundry Switch and Router Installation and Configuration Guide Figure 15.1 shows the following packet flow: When the Layer 3 Switch receives an IP packet, the Layer 3 Switch checks for filters on the receiving interface. If a deny filter on the interface denies the packet, the Layer 3 Switch discards the packet and performs no further processing, except generating a Syslog entry and SNMP message, if logging is enabled for the filter.
  • Page 447 Configuring IP IP Address MAC Address Type Port 207.95.6.102 0800.5afc.ea21 Dynamic Each entry contains the destination device’s IP address and MAC address. Static ARP Table In addition to the ARP cache, Layer 3 Switches have a static ARP table. Entries in the static ARP table are user-configured.
  • Page 448 The IP forwarding cache provides a fast-path mechanism for forwarding IP packets. The cache contains entries for IP destinations. When a Foundry Layer 3 Switch has completed processing and addressing for a packet and is ready to forward the packet, the device checks the IP forwarding cache for an entry to the packet’s destination.
  • Page 449: Ip Route Exchange Protocols

    Distance Vector Multicast Routing Protocol (DVMRP) For configuration information, see “Configuring IP Multicast Protocols” on page 18-1. NOTE: Foundry Layer 2 Switches support IGMP and can forward IP multicast packets. See “Configuring IP Multicast Traffic Reduction (Layer 2 Switches only)” on page 10-56.
  • Page 450: Ip Interface Redundancy Protocols

    IP Interface Redundancy Protocols You can configure a Foundry Layer 3 Switch to back up an IP interface configured on another Foundry Layer 3 Switch. If the link for the backed up interface becomes unavailable, the other Layer 3 Switch can continue service for the interface.
  • Page 451: Basic Ip Parameters And Defaults - Layer 3 Switches

    Virtual Router Redundancy Protocol (VRRP) – see “Configuring VRRP and VRRPE” on page 21-1. • Foundry Standby Router Protocol (FSRP) – see “Configuring FSRP” on page 22-1 The following tables list the Layer 3 Switch IP parameters, their default values, and where to find configuration information.
  • Page 452: Ip Global Parameters - Layer 3 Switches

    Foundry Switch and Router Installation and Configuration Guide IP Global Parameters – Layer 3 Switches Table 15.1 lists the IP global parameters for Layer 3 Switches. Table 15.1: IP Global Parameters – Layer 3 Switches Parameter Description Default See page...
  • Page 453 Configuring IP Table 15.1: IP Global Parameters – Layer 3 Switches (Continued) Parameter Description Default See page... Time to Live The maximum number of routers (hops) through 64 hops 15-35 (TTL) which a packet can pass before being discarded. Each router decreases a packet’s TTL by 1 before forwarding the packet.
  • Page 454 Foundry Switch and Router Installation and Configuration Guide Table 15.1: IP Global Parameters – Layer 3 Switches (Continued) Parameter Description Default See page... Maximum The maximum number of hops away a BootP server Four 15-75 BootP relay can be located from a router and still be used by the hops router’s clients for network booting.
  • Page 455 Configuring IP Table 15.1: IP Global Parameters – Layer 3 Switches (Continued) Parameter Description Default See page... Origination of You can enable a router to originate default routes for Disabled 16-10 default routes the following route exchange protocols, on an 17-34 individual protocol basis: 19-32...
  • Page 456: Ip Interface Parameters - Layer 3 Switches

    Foundry Switch and Router Installation and Configuration Guide IP Interface Parameters – Layer 3 Switches Table 15.2 lists the interface-level IP parameters for Layer 3 Switches. Table 15.2: IP Interface Parameters – Layer 3 Switches Parameter Description Default See page...
  • Page 457 Configuring IP Table 15.2: IP Interface Parameters – Layer 3 Switches (Continued) Parameter Description Default See page... UDP broadcast The router can forward UDP broadcast packets for The router helps 15-71 forwarding UDP applications such as BootP. By forwarding the forward broadcasts for UDP broadcasts, the router enables clients on one the following UDP...
  • Page 458: Basic Ip Parameters And Defaults - Layer 2 Switches

    IP is enabled by default. The following tables list the Layer 2 Switch IP parameters, their default values, and where to find configuration information. NOTE: Foundry Layer 2 Switches also provide IP multicast forwarding, which is enabled by default. For information about this feature, see “Configuring IP Multicast Traffic Reduction (Layer 2 Switches only)” on page 10-56.
  • Page 459 If decreasing the TTL causes the TTL to be 0, the router drops the packet instead of forwarding it. Domain name A domain name (example: foundry.router.com) you None configured 15-77 for Domain can use in place of an IP address for certain...
  • Page 460: Interface Ip Parameters - Layer 2 Switches

    Foundry Switch and Router Installation and Configuration Guide Interface IP Parameters – Layer 2 Switches Table 15.4 lists the interface-level IP parameters for Layer 2 Switches. Table 15.4: Interface IP Parameters – Layer 2 Switches Parameter Description Default See page...
  • Page 461: Configuring Ip Parameters - Layer 3 Switches

    64 IP sub-net addresses per port by increasing the size of the subnet-per-interface table. See “Displaying and Modifying System Parameter Default Settings” on page 10-70. Foundry devices support both classical IP network masks (Class A, B, and C sub-net masks, and so on) and Classless Interdomain Routing (CIDR) network prefix masks.
  • Page 462 Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE To assign an IP address and mask to a router interface: Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed.
  • Page 463 You can add up to 24 IP addresses to each loopback interface. NOTE: If you configure the Foundry Layer 3 Switch to use a loopback interface to communicate with a BGP4 neighbor, you also must configure a loopback interface on the neighbor and configure the neighbor to use that loopback interface to communicate with the Foundry Layer 3 Switch.
  • Page 464 To delete an IP address, enter a command such as the following: BigIron(config-if-1/1)# no ip address 1.1.2.1 1. Foundry’s feature that allows routing between VLANs within the same device, without the need for external routers, is called Integrated Switch Routing (ISR). See “Integrated Switch Routing (ISR)” on page 25-4.
  • Page 465: Configuring Domain Name Server (Dns) Resolver

    Switch automatically appends the appropriate domain to the host and forwards it to the domain name server. For example, if the domain “newyork.com” is defined on a Foundry Layer 2 Switch or Layer 3 Switch and you want to initiate a ping to host “NYC01” on that domain, you need to reference only the host name in the command instead of the host name and its domain name.
  • Page 466: Configuring Packet Parameters

    Syntax: traceroute <host-ip-addr> [maxttl <value>] [minttl <value>] [numeric] [timeout <value>] [source-ip <ip addr>] The only required parameter is the IP address of the host at the other end of the route. See the Foundry Switch and Router Command Line Interface Reference for information about the parameters.
  • Page 467 The control portions of these packets differ slightly. All IP devices on an Ethernet network must use the same format. Foundry Layer 3 Switches use Ethernet II by default. You can change the IP encapsulation to Ethernet SNAP on individual ports if needed.
  • Page 468: Changing The Router Id

    NOTE: Routing Information Protocol (RIP) does not use the router ID. NOTE: If you change the router ID, all current BGP4 sessions are cleared. By default, the router ID on a Foundry Layer 3 Switch is one of the following: •...
  • Page 469 Syntax: ip router-id <ip-addr> The <ip-addr> can be any valid, unique IP address. NOTE: You can specify an IP address used for an interface on the Foundry Layer 3 Switch, but do not specify an IP address in use by another device.
  • Page 470 Foundry Switch and Router Installation and Configuration Guide • If you specify a loopback interface as the single source for Telnet, TACACS/TACACS+, or RADIUS packets, servers can receive the packets regardless of the states of individual links. Thus, if a link to the server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
  • Page 471: Configuring Arp Parameters

    NOTE: Foundry Layer 2 Switches also support ARP. The description in “How ARP Works” also applies to ARP on Foundry Layer 2 Switches. However, the configuration options described later in this section apply only to Layer 3 Switches, not to Layer 2 Switches.
  • Page 472: Rate Limiting Arp Packets

    Rate Limiting ARP Packets You can limit the number of ARP packets the Foundry device accepts during each second. By default, the software does not limit the number of ARP packets the device can receive. Since the device sends ARP packets to the CPU for processing, if a device in a busy network receives a high number of ARP packets in a short period of time, some CPU processing might be deferred while the CPU processes the ARP packets.
  • Page 473 NOTE: An ARP request from one sub-net can reach another sub-net when both sub-nets are on the same physical segment (Ethernet cable), since MAC-layer broadcasts reach all the devices on the segment. Proxy ARP is disabled by default on Foundry Layer 3 Switches. The feature is not supported on Foundry Layer 2 Switches.
  • Page 474 Creating Static ARP Entries Foundry Layer 3 Switches have a static ARP table, in addition to the regular ARP cache. The static ARP table contains entries that you configure. Static entries are useful in cases where you want to pre-configure an entry for a device that is not connected to the Layer 3 Switch, or you want to prevent a particular entry from aging out.
  • Page 475 Table 15.5 on page 15-34 lists the default maximum and configurable maximum number of entries in the static ARP table that are supported on each type of Foundry Layer 3 Switch. If you need to change the maximum number of entries supported on a Layer 3 Switch, use either of the following methods.
  • Page 476 Table 15.5: Static ARP Entry Support

    Product | Default Maximum | Configurable Minimum | Configurable Maximum
    NetIron Internet Backbone router with 512MB management module (Management IV module) | 2048 | 2048 | 10,000
    BigIron with 512MB or 256MB Management IV module | 2048 | 2048 | 10,000
    ...
  • Page 477: Configuring Forwarding Parameters

    The following configurable parameters control the forwarding behavior of Foundry Layer 3 Switches:

    • Time-To-Live (TTL) threshold
    • Forwarding of directed broadcasts
    • Forwarding of source-routed packets
    • Ones-based and zero-based broadcasts

    All these parameters are global and thus affect all IP interfaces configured on the Layer 3 Switch.
  • Page 478 Foundry Switch and Router Installation and Configuration Guide Foundry software makes the forwarding decision based on the router’s knowledge of the destination network prefix. Routers cannot determine that a message is unicast or directed broadcast apart from the destination network prefix. The decision to forward or not forward the message is by definition only possible in the last hop router.
  • Page 479: Disabling Icmp Messages

    Layer 3 Switch. Disabling Replies to Broadcast Ping Requests By default, Foundry devices are enabled to respond to broadcast ICMP echo packets, which are ping requests. You can disable response to ping requests on a global basis using the following CLI method.
  • Page 480 Disabling ICMP Destination Unreachable Messages By default, when a Foundry device receives an IP packet that the device cannot deliver, the device sends an ICMP Unreachable message back to the host that sent the packet. You can selectively disable a Foundry device’s response to the following types of ICMP Unreachable messages: •...
  • Page 481: Disabling Icmp Redirects

    • The administration parameter disables ICMP Unreachable (caused by Administration action) messages.
    • The fragmentation-needed parameter disables ICMP Fragmentation-Needed But Don’t-Fragment Bit Set messages.
    • The port parameter disables ICMP Port Unreachable messages.
    • The source-route-fail parameter disables ICMP Unreachable (caused by Source-Route-Failure) messages.

    To disable ICMP Host Unreachable messages and ICMP Network Unreachable messages but leave the other types of ICMP Unreachable messages enabled, enter the following commands instead of the command shown above:...
  • Page 482 Foundry Switch and Router Installation and Configuration Guide Static Route Types You can configure the following types of static IP routes: • Standard – the static route consists of the destination network address and network mask, and the IP address of the next-hop gateway.
  • Page 483 Configuring IP Static Route States Follow Port States IP static routes remain in the IP route table only so long as the next-hop gateway, port, or virtual interface used by the route is available. If the gateway or port becomes unavailable, the software removes the static route from the IP route table.
  • Page 484

    BigIron(config)# ip route 192.128.2.73 255.255.255.0 pos 2/2

    Syntax: ip route <dest-ip-addr> <dest-mask> <next-hop-ip-addr> | ethernet <portnum> | pos <portnum> | ve <num> [<metric>] [distance <num>]

    Syntax: ip route <dest-ip-addr>/<mask-bits> <next-hop-ip-addr> | ethernet <portnum> | pos <portnum> | ve <num>...
  • Page 485 Configuring IP • If you are modifying an existing static route, click on the Modify button to the right of the row describing the static route to display the Static Route configuration panel. Enter the network address for the route in the Network field. Enter the network mask in the Mask field.
  • Page 486 Foundry Switch and Router Installation and Configuration Guide The <ip-mask> parameter specifies the network mask. Ones are significant bits and zeros allow any value. For example, the mask 255.255.255.0 matches on all hosts within the Class C sub-net address specified by <ip- addr>.
  • Page 487 of two and the third route has a metric of 3. Thus, the second route is used only if the first route (which has a metric of 1) becomes unavailable. Likewise, the third route is used only if the first and second routes (which have lower metrics) are both unavailable.
  • Page 488 Foundry Switch and Router Installation and Configuration Guide 13. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory. Configuring Standard Static IP Routes and Interface or Null Static Routes to the Same...
  • Page 489 [Figure] Two static routes to 192.168.7.0/24: a standard static route through gateway 192.168.6.157, with metric 1, and a null route, with metric 2. Labels: Router A, 192.168.6.188/24; Router B, 192.168.6.157/24; 192.168.7.7/24; 192.168.7.69/24. When standard static route is good, Router A uses that route...
  • Page 490 [Figure] Two static routes to 192.168.7.0/24: an interface-based route through port 1/1, with metric 1, and a standard static route through gateway 192.168.8.11, with metric 3. Labels: Router A, 192.168.6.188/24; Port 1/1; 192.168.6.69/24. When route through interface 1/1 is available, Router A always uses that route.
  • Page 491: Configuring A Default Network Route

    Configuring IP USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed. Click on the plus sign next to Configure in the tree view to expand the list of configuration options. Click on the plus sign next to IP in the tree view to expand the list of IP option links.
  • Page 492 Foundry Switch and Router Installation and Configuration Guide When the software uses the default network route, it also uses the default network route’s next hop gateway as the gateway of last resort. This feature is especially useful in environments where network topology changes can make the next hop gateway unreachable.
  • Page 493: Configuring Ip Load Sharing

    Configuring IP USING THE WEB MANAGEMENT INTERFACE You cannot configure a default network route using the Web management interface. In addition, the IP route table display in the Web management interface does not indicate routes that are candidate default network routes. The routes are listed but are not flagged with an asterisk.
  • Page 494 Foundry Switch and Router Installation and Configuration Guide Here are the default administrative distances on the Foundry Layer 3 Switch: • Directly connected – 0 (this value is not configurable) • Static IP route – 1 (applies to all static routes, including default routes and default network routes) •...
  • Page 495 The load sharing state for all the route sources is based on the state of IP load sharing. Since IP load sharing is enabled by default on all Foundry Layer 3 Switches, load sharing for static IP routes, RIP routes, OSPF routes, and BGP4 routes also is enabled by default.
  • Page 496 Foundry Switch and Router Installation and Configuration Guide Response to Path State Changes If one of the load-balanced paths to a cached destination becomes unavailable, or the IP route table receives a new equal-cost path to a cached destination, the software removes the unavailable path from the IP route table.
  • Page 497 [Figure] IP Forwarding Cache, Host-Based Load Sharing. R1 is configured with four IP load sharing paths, and has two paths to hosts H1 - H9, attached to R4. The cache entries in this example are based on the assumption that... Cache columns: Destination Host, Next-Hop. Values shown: 192.168.1.170 (H1), 192.168.6.2 (R2), 192.168.5.1 (R3), 192.168.1.234 (H2), 192.168.6.2 (R2)...
  • Page 498 [Figure] IP Forwarding Cache, Host-Based Load Sharing. R1 is configured with four IP load sharing paths, and has two paths to hosts H1 - H9, attached to R4. Cache columns: Destination Host, Next-Hop. Values shown: 192.168.2.175 (H4), 192.168.6.2 (R2)...
  • Page 499 Configuring IP Figure 15.7 shows an example of IP load sharing cache entries for network-based IP load sharing. The network in this example is the same as the network in Figure 15.5 and Figure 15.6. Notice that the cache contains one entry for each destination network, instead of a separate entry for each destination host.
  • Page 500 Foundry Switch and Router Installation and Configuration Guide M = A number from 1 to the maximum number of load-sharing paths. This value increases by 1 until it reaches the maximum, then reverts to 1. P = Number of equal-cost paths to destination network...
  • Page 501 Table 15.7: Path Selection for Network-Based IP Load Sharing (Continued) Number of Paths Maximum Paths Path Counter Value...
  • Page 502 Foundry Switch and Router Installation and Configuration Guide As shown in Table 15.7, the results of the network-based IP load sharing algorithm provide evenly-distributed load sharing. Figure 15.8 shows a network where a Layer 3 Switch has eight equal-cost paths to destination networks N1 –...
  • Page 503 Configuring IP USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed. Click on the plus sign next to Configure in the tree view to expand the list of configuration options. Click on the plus sign next to IP in the tree view to expand the list of IP option links.
  • Page 504 Foundry Switch and Router Installation and Configuration Guide When you configure host-based load sharing for a specific destination network, the Layer 3 Switch distributes traffic to hosts on the network evenly across the available paths. For other networks, the Layer 3 Switch uses a single path for all traffic to hosts on a given network.
  • Page 505: Optimizing The Ip Forwarding Cache

    Configuring IP For optimal results, set the maximum number of paths to a value at least as high as the maximum number of equal-cost paths your network typically contains. For example, if the Layer 3 Switch you are configuring for IP load sharing has six next-hop routers, set the maximum paths value to six.
  • Page 506 Foundry Switch and Router Installation and Configuration Guide Enabling Unicast High-Performance Mode To increase the capacity of the forwarding cache for unicast entries, use the following CLI method. NOTE: To place a change to the high-performance mode into effect, you must reload the software after saving the change to the startup-config file.
  • Page 507 Configuring IP NOTE: To display other types of forwarding cache entries, see “Displaying the Forwarding Cache” on page 15- USING THE CLI To display the default route cache entries, enter the following command at any level of the CLI: BigIron(config)# show ip dr-aggregate Syntax: show ip dr-aggregate [<ip-addr>] If you specify an IP address, only the entries for that destination are displayed.
  • Page 508: Configuring Irdp

    Configuring IRDP The ICMP Router Discovery Protocol (IRDP) is used by Foundry Layer 3 Switches to advertise the IP addresses of its router interfaces to directly attached hosts. IRDP is disabled by default. You can enable the feature on a global basis or on an individual port basis.
  • Page 509 Configuring IP USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed. Click on the plus sign next to Configure in the tree view to display the list of configuration options. Click on the plus sign next to IP to display the list of IP configuration options.
  • Page 510: Configuring Rarp

    Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE You cannot configure these options using the Web management interface. Configuring RARP The Reverse Address Resolution Protocol (RARP) provides a simple mechanism for directly-attached IP hosts to boot over the network.
  • Page 511 To configure static RARP entries, use the following methods. USING THE CLI To assign a static IP RARP entry for static routes on a Foundry router, enter a command such as the following: BigIron(config)# rarp 1 1245.7654.2348 192.53.4.2 This command creates a RARP entry for a client with MAC address 1245.7654.2348. When the Layer 3 Switch receives a RARP request from this client, the Layer 3 Switch replies to the request by sending IP address 192.53.4.2 to the client.
  • Page 512: Configuring Udp Broadcast And Ip Helper Parameters

    Foundry Switch and Router Installation and Configuration Guide Enter the MAC address. Enter the IP address. Click the Add button to save the change to the device’s running-config file. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 513 Configuring IP NOTE: The application names are the names for these applications that the Layer 3 Switch software recognizes, and might not match the names for these applications on some third-party devices. The numbers listed in parentheses are the UDP port numbers for the applications. The numbers come from RFC 1340. NOTE: As shown above, forwarding support for BootP/DHCP is enabled by default.
  • Page 514 Foundry Switch and Router Installation and Configuration Guide In addition, you can specify any UDP application by using the application’s UDP port number. The <udp-port-num> parameter specifies the UDP application port number. If the application you want to enable is not listed above, enter the application port number. You also can list the port number for any of the applications listed above.
  • Page 515: Configuring Bootp/Dhcp Forwarding Parameters

    Configuring IP Click on the plus sign next to RIP in the tree view to expand the list of RIP option links. Click on the UDP Helper link. • If the device does not have any UDP helper assignments, the UDP Helper configuration panel is displayed, as shown in the following example.
  • Page 516 Foundry Switch and Router Installation and Configuration Guide port 67. A limited IP broadcast is addressed to IP address 255.255.255.255 and is not forwarded by the Foundry Layer 3 Switch or other IP routers. When the BootP/DHCP client and server are on the same network, the server receives the broadcast request and replies to the client.
  • Page 517 Configuring IP Gateway Address field of BootP/DHCP requests that the Layer 3 Switch receives on port 1/1 and forwards to the BootP/DHCP server. Syntax: ip bootp-gateway <ip-addr> USING THE WEB MANAGEMENT INTERFACE You cannot change the IP address used for stamping BootP/DHCP requests using the Web management interface.
  • Page 518: Configuring Ip Parameters - Layer 2 Switches

    To configure an IP address and specify the default gateway, use the following CLI method. USING THE CLI To assign an IP address to a Foundry Layer 2 Switch, enter a command such as the following at the global CONFIG level: FastIron(config)# ip address 192.45.6.110 255.255.255.0...
  • Page 519: Configuring Domain Name Server (Dns) Resolver

    Switch automatically appends the appropriate domain to the host and forwards it to the domain name server. For example, if the domain “newyork.com” is defined on a Foundry Layer 2 Switch or Layer 3 Switch and you want to initiate a ping to host “NYC01” on that domain, you need to reference only the host name in the command instead of the host name and its domain name.
  • Page 520 Syntax: traceroute <host-ip-addr> [maxttl <value>] [minttl <value>] [numeric] [timeout <value>] [source-ip <ip addr>] The only required parameter is the IP address of the host at the other end of the route. See the Foundry Switch and Router Command Line Interface Reference for information about the parameters.
  • Page 521: Changing The Ttl Threshold

    You cannot change the TTL on a Layer 2 Switch using the Web management interface. Configuring DHCP Assist DHCP Assist allows a Foundry Layer 2 Switch to assist a router that is performing multi-netting on its interfaces as part of its DHCP relay function.
  • Page 522 Upon initiation of a DHCP session, the client sends out a DHCP discovery packet for an address from the DHCP server as seen in Figure 15.11. When the DHCP discovery packet is received at a Foundry Layer 2 Switch with the DHCP Assist feature enabled, the gateway address configured on the receiving interface is inserted into the packet.
  • Page 523 [Figure] DHCP Server 207.95.7.6. Step 3: Router forwards the DHCP request to the server without touching the gateway address inserted in the packet by the switch. Gateway addresses: 192.95.5.1, 200.95.6.1. Step 2: FastIron stamps each DHCP request with the gateway address of the corresponding subnet of the...
  • Page 524 You can associate a gateway list with a port. You must configure a gateway list when DHCP Assist is enabled on a Foundry Layer 2 Switch. The gateway list contains a gateway address for each sub-net that will be requesting addresses from a DHCP server.
  • Page 525: Displaying Ip Configuration Information And Statistics

    Configuring IP FastIron(config-if-8)# int e 14 FastIron(config-if-14)# dhcp-gateway-list 2 Syntax: dhcp-gateway-list <num> <ip-addr> USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed. Select the DHCP Gateway link to display the DHCP Gateway configuration panel. Enter the list ID in the List ID field.
  • Page 526 • BGP4 information – see “Displaying BGP4 Information” on page 19-88. • DVMRP information – see the “Show Commands” chapter in the Foundry Switch and Router Command Line Interface Reference. • PIM information – see the “Show Commands” chapter in the Foundry Switch and Router Command Line Interface Reference.
  • Page 527 The Time-To-Live (TTL) for IP packets. The TTL specifies the maximum number of router hops a packet can travel before reaching the Foundry router. If the packet’s TTL value is higher than the value specified in this field, the Foundry router drops the packet.
  • Page 528 Foundry Switch and Router Installation and Configuration Guide Table 15.8: CLI Display of Global IP Configuration Information – Layer 3 Switch (Continued) This Field... Displays... Policies Index The policy number. This is the number you assigned the policy when you configured it.
  • Page 529 Configuring IP 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 VRRP 0.00 0.00 0.00 0.00 If the software has been running less than 15 minutes (the maximum interval for utilization statistics), the command indicates how long the software has been running. Here is an example: BigIron# show process cpu The system has only been up for 6 seconds.
  • Page 530 Foundry Switch and Router Installation and Configuration Guide Table 15.9: CLI Display of Interface IP Configuration Information This Field... Displays... Interface The type and the slot and port number of the interface. IP-Address The IP address of the interface. Note: If an “s” is listed following the address, this is a secondary address.
  • Page 531 Configuring IP Table 15.10: Web Display of IP Interface Information (Continued) This Field... Displays... The Maximum Transmission Unit (MTU), which specifies the maximum packet size for packets sent and received on this interface. Metric The cost associated with this interface. Directed Broadcast Forward The state of the directed broadcast forwarding feature.
  • Page 532 Foundry Switch and Router Installation and Configuration Guide The <num> parameter lets you display the table beginning with a specific entry number. NOTE: The entry numbers in the ARP cache are not related to the entry numbers for static ARP table entries.
  • Page 533 Configuring IP Table 15.12: Web Display of ARP Cache – Layer 3 Switch (Continued) This Field... Displays... Type The type, which can be one of the following: • Dynamic – The Layer 3 Switch learned the entry from an incoming packet. •...
  • Page 534 Foundry Switch and Router Installation and Configuration Guide The <num> parameter lets you display the table beginning with a specific entry number. Table 15.13: CLI Display of Static ARP Table This Field... Displays... Static ARP table size The maximum number of static entries that can be configured on the device using the current memory allocation.
  • Page 535 IP address or the value DIRECT. DIRECT means the destination is either directly attached or the destination is an address on this Foundry device. For example, the next hop for loopback addresses and broadcast addresses is shown as DIRECT.
  • Page 536 IP address or the value DIRECT. DIRECT means the destination is either directly attached or the destination is an address on this Foundry device. For example, the next hop for loopback addresses and broadcast addresses is shown as DIRECT.
  • Page 537 Configuring IP Start index: 1 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default Destination NetMask Gateway Port Cost Type 1.1.0.0 255.255.0.0 99.1.1.2 1.2.0.0 255.255.0.0 99.1.1.2 1.3.0.0 255.255.0.0 99.1.1.2 1.4.0.0 255.255.0.0 99.1.1.2 1.5.0.0 255.255.0.0 99.1.1.2 1.6.0.0 255.255.0.0 99.1.1.2 1.7.0.0 255.255.0.0 99.1.1.2 1.8.0.0 255.255.0.0 99.1.1.2 1.9.0.0...
  • Page 538 Foundry Switch and Router Installation and Configuration Guide 52 209.159.38.0 255.255.255.0 207.95.6.101 1/1 1 S 53 209.159.39.0 255.255.255.0 207.95.6.101 1/1 1 S 54 209.159.40.0 255.255.255.0 207.95.6.101 1/1 1 S 55 209.159.41.0 255.255.255.0 207.95.6.101 1/1 1 S 56 209.159.42.0 255.255.255.0 207.95.6.101 1/1 1 S 57 209.159.43.0 255.255.255.0 207.95.6.101 1/1 1 S...
  • Page 539

    Clearing IP Routes

    If needed, you can clear the entire route table or specific individual routes. To do so, use one of the following procedures.

    USING THE CLI

    To clear all routes from the IP route table:

    BigIron# clear ip route

    To clear route 209.157.22.0/24 from the IP routing table:

    BigIron# clear ip route 209.157.22.0/24

    Syntax: clear ip route [<ip-addr>...
  • Page 540 Foundry Switch and Router Installation and Configuration Guide TCP Statistics 0 active opens, 0 passive opens, 0 failed attempts 0 active resets, 0 passive resets, 0 input errors 138 in segments, 141 out segments, 4 retransmission RIP Statistics 0 requests sent, 0 requests received...
  • Page 541 The number of UDP packets dropped because the packet did not contain a valid UDP port number. input errors This information is used by Foundry customer support. TCP statistics The TCP statistics are derived from RFC 793, “Transmission Control Protocol”.
  • Page 542 Foundry Switch and Router Installation and Configuration Guide Table 15.17: CLI Display of IP Traffic Statistics – Layer 3 Switch (Continued) This Field... Displays... out segments The number of TCP segments sent by the device. retransmission The number of segments that this device retransmitted because the...
  • Page 543 The number of ICMP packets received by the device. Total Sent The number of ICMP packets sent by the device. Received Errors This information is used by Foundry customer support. Sent Errors This information is used by Foundry customer support. Received Unreachable The number of Destination Unreachable messages received by the device.
  • Page 544 Foundry Switch and Router Installation and Configuration Guide Table 15.18: Web Display of IP Traffic Statistics – Layer 3 Switch (Continued) This Field... Displays... Received Redirect The number of Redirect messages received by the device. Sent Redirect The number of Redirect messages sent by the device.
  • Page 545 The number of TCP connections this device reset because the device at the other end of the connection sent a TCP RESET message. Input Errors This information is used by Foundry customer support. In Segments The number of TCP segments received by the device.
  • Page 546 Foundry Switch and Router Installation and Configuration Guide Displaying IP Information – Layer 2 Switches You can display the following IP configuration information statistics on Layer 2 Switches: • Global IP settings – see “Displaying Global IP Configuration Information” on page 15-104.
  • Page 547 Configuring IP Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed. Click on the plus sign next to Configure in the tree view to display the list of configuration options. Click on the plus sign next to IP to display the list of IP configuration options.
  • Page 548 MAC Address The MAC address of the device. Type The type, which is always Dynamic on Foundry Layer 2 Switches. The device learns dynamic entries from incoming packets. The number of minutes the entry has remained unused. If this value reaches the ARP aging period, the entry is removed from the cache.
  • Page 549 The number of packets dropped by the device because the value in the Protocol field of the packet header is unrecognized by this device. no buffer This information is used by Foundry customer support. other errors The number of packets that this device dropped due to error types other than the types listed above.
  • Page 550 Table 15.22: CLI Display of IP Traffic Statistics – Layer 2 Switch (Continued) This Field... Displays... addr mask The number of Address Mask Request messages sent or received by the device. addr mask reply The number of Address Mask Reply messages sent or received by the device.
  • Page 551 The number of ICMP packets received by the device. Total Sent The number of ICMP packets sent by the device. Received Errors This information is used by Foundry customer support. Sent Errors This information is used by Foundry customer support. Received Unreachable The number of Destination Unreachable messages received by the device.
  • Page 552 Foundry Switch and Router Installation and Configuration Guide Table 15.23: Web Display of IP Traffic Statistics – Layer 2 Switch (Continued) This Field... Displays... Sent Parameter The number of Parameter Problem messages sent by the device. Received Source Quench The number of Source Quench messages received by the device.
  • Page 553 The number of TCP connections opened by this device in response to connection requests (TCP SYNs) received from other devices. Failed Attempts This information is used by Foundry customer support. Active Resets The number of TCP connections this device reset by sending a TCP RESET message to the device at the other end of the connection.
  • Page 555: Configuring Rip

    A hop is another router through which packets must travel to reach the destination. If the Foundry Layer 3 Switch receives a RIP update from another router that contains a path with fewer hops than the path stored in the Foundry Layer 3 Switch’s route table, the Layer 3 Switch replaces the older route with the...
  • Page 556 Foundry Switch and Router Installation and Configuration Guide Table 16.1: RIP Global Parameters Parameter Description Default See page... RIP state Routing Information Protocol version 2 Disabled 16-3 Note: You can change the RIP version on individual interfaces. See Table 16.2 on page 16-3.
  • Page 557: Rip Interface Parameters

    Configuring RIP RIP Interface Parameters Table 16.2 lists the interface-level RIP parameters and their default values, and indicates where you can find configuration information. Table 16.2: RIP Interface Parameters Parameter Description Default See page... RIP version The version of the protocol that is supported on the Version 2 only 16-4 interface.
  • Page 558 Foundry Switch and Router Installation and Configuration Guide BigIron(config)# write memory Syntax: [no] router rip USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed.
  • Page 559: Configuring Metric Parameters

    Configuring Metric Parameters By default, a Foundry Layer 3 Switch port increases the cost of a RIP route that is learned on the port by one. You can configure individual ports to add more than one to a learned route’s cost. In addition, you can configure a RIP offset list to increase the metric for learned or advertised routes based on network address.
  • Page 560: Changing The Administrative Distance

    Foundry Switch and Router Installation and Configuration Guide The software adds the offset value to the routing metric (cost) of the routes that match the ACL. If a route matches both a global offset list and an interface-based offset list, the interface-based offset list takes precedence.
  • Page 561: Configuring Redistribution

    Configuring RIP Configuring Redistribution You can configure the Layer 3 Switch to redistribute routes learned through Open Shortest Path First (OSPF) or Border Gateway Protocol version 4 (BGP4) into RIP. When you redistribute a route from one of these other protocols into RIP, the Layer 3 Switch can use RIP to advertise the route to its RIP neighbors.
  • Page 562 Foundry Switch and Router Installation and Configuration Guide Click on the plus sign next to RIP in the tree view to expand the list of RIP option links. Click on the Redistribution Filter link. • If the device does not have any RIP redistribution filters, the RIP Redistribution Filter configuration panel is displayed, as shown in the following example.
  • Page 563: Configuring Route Learning And Advertising Parameters

    Configuring Route Learning and Advertising Parameters By default, a Foundry Layer 3 Switch learns routes from all its RIP neighbors and advertises RIP routes to those neighbors. You can configure the following learning and advertising parameters: •...
  • Page 564 Foundry Switch and Router Installation and Configuration Guide Changing the Update Interval for Route Advertisements The update interval specifies how often the Layer 3 Switch sends route advertisements to its RIP neighbors. You can specify an interval from 1 – 1000 seconds. The default is 30 seconds.
  • Page 565 Configuring a RIP Neighbor Filter By default, a Foundry Layer 3 Switch learns RIP routes from all its RIP neighbors. Neighbor filters allow you to specify the neighbor routers from which the Foundry router can receive RIP routes. Neighbor filters apply globally to all ports.
  • Page 566: Changing The Route Loop Prevention Method

    Foundry Switch and Router Installation and Configuration Guide • If a RIP neighbor filter is already configured and you are adding a new filter, click on the Add Neighbor Filter link to display the RIP Neighbor Filter configuration panel, as shown in the following example.
  • Page 567: Configuring Rip Route Filters

    USING THE CLI
    To enable poison reverse on an interface, enter commands such as the following:
        BigIron(config)# interface ethernet 1/1
        BigIron(config-if-1/1)# ip rip poison-reverse
    Syntax: [no] ip rip poison-reverse
    USING THE WEB MANAGEMENT INTERFACE
    To enable RIP routing on individual interfaces: Log on to the device using a valid user name and password for read-write access.
  • Page 568 Foundry Switch and Router Installation and Configuration Guide NOTE: A route is defined by the destination’s IP address and network mask. NOTE: Once you define a RIP route filter, the default action changes from learning and advertising all routes to denying all routes except the ones you explicitly permit.
  • Page 569 Configuring RIP Enter the filter ID. Select either Permit or Deny as the action. Enter an IP address and mask or the wildcard value, 0.0.0.0, to allow all routes. Click the Add button to save the change to the device’s running-config file. Select the Save link at the bottom of the dialog.
  • Page 570: Displaying Rip Filters

    Foundry Switch and Router Installation and Configuration Guide Click on the plus sign next to Configure in the tree view to expand the list of configuration options. Click on the plus sign next to RIP in the tree view to expand the list of RIP option links.
  • Page 571 Configuring RIP This display shows the following information. Table 16.3: CLI Display of RIP Filter Information This Field... Displays... Route filters The rows underneath “RIP Route Filter Table” list the RIP route filters. If no RIP route filters are configured on the device, the following message is displayed instead: “No Filters are configured in RIP Route Filter Table”.
  • Page 572 Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE To display RIP filter information: Log on to the device using a valid user name and password for read-only or read-write access. The System configuration panel is displayed.
  • Page 573 Configuring RIP 0.00 VRRP 0.00 Syntax: show process cpu [<num>] The <num> parameter specifies the number of seconds and can be from 1 – 900. If you use this parameter, the command lists the usage statistics only for the specified number of seconds. If you do not use this parameter, the command lists the usage statistics for the previous one-second, one-minute, five-minute, and fifteen-minute intervals.
  • Page 575: Configuring Ospf

    To display OSPF configuration information and statistics, see “Displaying OSPF Information” on page 17-41. For complete syntax information for the CLI commands shown in this chapter, see the Foundry Switch and Router Command Line Interface Reference. NOTE: The TurboIron/8, Stackable NetIron, and Chassis Layer 3 Switches using basic management modules (not Management II or higher) can contain 10000 routes by default.
  • Page 576 You can further limit the broadcast area of flooding by defining an area range. The area range allows you to assign an aggregate value to a range of IP addresses. This aggregate value becomes the address that is advertised instead of all of the individual addresses it represents being advertised.
  • Page 577: Designated Router Election

    ID is designated as the BDR. NOTE: By default, the Foundry router ID is the IP address configured on the lowest numbered loopback interface. If the Layer 3 Switch does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device.
  • Page 578: Ospf Rfc 1583 And 2178 Compliance

    Figure 17.4 shows an example of the AS External LSA reduction feature. In this example, Foundry Layer 3 Switches D and E are OSPF ASBRs, and thus communicate route information between the OSPF AS, which contains Routers A, B, and C, and another routing domain, which contains Router F.
  • Page 579 (Router F). For Routers A, B, and C, either route to Router F (through Router D or through Router E) is equally good. OSPF eliminates the duplicate AS External LSAs. When two or more Foundry Layer 3 Switches configured as ASBRs have equal-cost routes to the same next-hop router in an external routing domain, the ASBR with the highest router ID floods the AS External LSAs for the external domain into the OSPF AS, while the other ASBRs flush the equivalent AS External LSAs from their databases.
  • Page 580: Dynamic Ospf Activation And Configuration

    Foundry Switch and Router Installation and Configuration Guide Algorithm for AS External LSA Reduction Figure 17.4 shows an example in which the normal AS External LSA reduction feature is in effect. The behavior changes under the following conditions: • There is one ASBR advertising (originating) a route to the external destination, but one of the following happens: •...
  • Page 581: Configuration Rules

    (running-config) to the startup-config file, the commands are removed from the file. NOTE: The external-lsdb-overflow command is still supported in accordance with RFC 1765. To display the current allocations of dynamic memory, enter the show memory command. See the Foundry Switch and Router Command Line Interface Reference.
  • Page 582: Enable Ospf On The Router

    • Disable or re-enable load sharing.
    • Enable or disable default-information-originate.
    • Modify Shortest Path First (SPF) timers.
    • Define external route summarization.
    • Define redistribution metric type.
    • Define deny redistribution.
  • Page 583: Assign Ospf Areas

    Configuring OSPF Note Regarding Disabling OSPF If you disable OSPF, the Layer 3 Switch removes all the configuration information for the disabled protocol from the running-config. Moreover, when you save the configuration to the startup-config file after disabling one of these protocols, all the configuration information for the disabled protocol is removed from the startup-config file.
  • Page 584 The <num> | <ip-addr> parameter specifies the area number, which can be a number or in IP address format. If you specify a number, the number can be from 0 – 2,147,483,647.
  • Page 585 Configuring OSPF Assign a Totally Stubby Area By default, the Layer 3 Switch sends summary LSAs (LSA type 3) into stub areas. You can further reduce the number of link state advertisements (LSA) sent into a stub area by configuring the Layer 3 Switch to stop sending summary LSAs (type 3 LSAs) into the area.
  • Page 586 The Foundry implementation of NSSA is based on RFC 1587. Figure 17.5 shows an example of an OSPF network containing an NSSA. [Figure 17.5 labels: RIP Domain; BigIron; NSSA Area 1.1.1.1; OSPF Area 0 Backbone...]
  • Page 587 Configuring an NSSA To configure an NSSA, use one of the following methods. USING THE CLI To configure OSPF area 1.1.1.1 as an NSSA, enter the following commands.
        BigIron(config)# router ospf
        BigIron(config-ospf-router)# area 1.1.1.1 nssa 1
        BigIron(config-ospf-router)# write memory
    Syntax: area <num>...
  • Page 588 Foundry Switch and Router Installation and Configuration Guide Enter the area ID in the Area ID field. The ID can be a number or an IP address. Select NSSA by clicking on the radio button next to NSSA in the Type field.
  • Page 589 Configuring OSPF NOTE: If the device already has an OSPF area range, a table listing the ranges is displayed. Click the Modify button to the right of the row describing a range to change its configuration, or click the Add Area Range link to display the OSPF Area Range configuration panel.
  • Page 590: Assigning Interfaces To An Area

    Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. If you have not already enabled OSPF, enable it by clicking on the Enable radio button next to OSPF on the System configuration panel, then clicking Apply to apply the change.
  • Page 591 Configuring OSPF Click on the Interface link. • If the device does not have any OSPF interfaces, the OSPF Interface configuration panel is displayed, as shown in the following example. • If an OSPF interface is already configured and you are adding a new one, click on the Add OSPF Interface link to display the OSPF Interface configuration panel, as shown in the following example.
  • Page 592: Modify Interface Defaults

    Foundry Switch and Router Installation and Configuration Guide Modify Interface Defaults OSPF has interface parameters that you can configure. For simplicity, each of these parameters has a default value. No change to these default values is required except as needed for specific network configurations.
  • Page 593 Configuring OSPF 11. Modify the default values of the following interface parameters as needed: hello interval, retransmit interval, transmit delay, dead interval, priority, and cost. 12. Click the Add button (if you are adding a new neighbor) or the Modify button (if you are modifying a neighbor that is already configured) to apply the changes to the device’s running-config file.
  • Page 594 Foundry Switch and Router Installation and Configuration Guide Encrypted Display of the Authentication String or MD5 Authentication Key The optional 0 | 1 parameter with the authentication-key and md5-authentication key-id parameters affects encryption. For added security, software release 07.1.10 and later encrypts display of the password or authentication string.
  • Page 595: Assign Virtual Links

    NOTE: By default, the Foundry router ID is the IP address configured on the lowest numbered loopback interface. If the Layer 3 Switch does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device.
  • Page 596 The <router-id> parameter specifies the router ID of the OSPF router at the remote end of the virtual link. To display the router ID on a Foundry Layer 3 Switch, enter the show ip command. See “Modify Virtual Link Parameters” on page 17-24 for descriptions of the optional parameters.
  • Page 597 Configuring OSPF USING THE WEB MANAGEMENT INTERFACE To configure a virtual link: Log on to the device using a valid user name and password for read-write access. If you have not already enabled OSPF, enable it by clicking on the Enable radio button next to OSPF on the System configuration panel, then clicking Apply to apply the change.
  • Page 598: Modify Virtual Link Parameters

    [hello-interval <num>] [md5-authentication key-activation-wait-time <num> | key-id <num> [0 | 1] key <string>] [retransmit-interval <num>] [transmit-delay <num>] The parameters are described below. For syntax information, see the Foundry Switch and Router Command Line Interface Reference. USING THE WEB MANAGEMENT INTERFACE To modify virtual link default values: Log on to the device using a valid user name and password for read-write access.
  • Page 599 Configuring OSPF The MD5 method of authentication encrypts the authentication key you define. The authentication is included in each OSPF packet transmitted. MD5 Authentication Key: When simple authentication is enabled, the key is an alphanumeric password of up to eight characters. When MD5 is enabled, the key is an alphanumeric password of up to 16 characters that is later encrypted and included in each OSPF packet transmitted.
  • Page 600: Define Redistribution Filters

    Foundry Switch and Router Installation and Configuration Guide Define Redistribution Filters Route redistribution imports and translates different protocol routes into a specified protocol type. On Foundry routers, redistribution is supported for static routes, OSPF, RIP, and BGP4. When you configure redistribution for RIP, you can specify that static, OSPF, or BGP4 routes are imported into RIP routes.
  • Page 601 [Figure 17.7: Redistributing OSPF and static routes to RIP routes. Labels: RIP Domain; OSPF Domain; BigIron; BigIron ASBR (Autonomous System Border Router)]
    USING THE CLI
    EXAMPLE: To configure the BigIron Layer 3 Switch acting as an ASBR in Figure 17.7 to redistribute OSPF, BGP4, and static routes into RIP, enter the following commands:
        BigIronASBR(config)# router rip
        BigIronASBR(config-rip-router)# permit redistribute 1 all...
  • Page 602 Foundry Switch and Router Installation and Configuration Guide Syntax: deny | permit redistribute <filter-num> all | bgp | connected | rip | static [address <ip-addr> <ip-mask> [match-metric <value> [set-metric <value>]]] EXAMPLE: To redistribute RIP, static, and BGP4 routes into OSPF, enter the following commands on the Layer 3 Switch...
  • Page 603: Modify Default Metric For Redistribution

    Configuring OSPF Optionally, enter the IP address and mask if you want to filter the redistributed routes for a specific network range. Optionally, enter the filter ID or accept the ID value in the Filter ID field. Optionally, select the filter action, Deny or Permit. The default is Permit. Optionally, select the types of routes the filter applies to in the Protocol section.
  • Page 604: Enable Route Redistribution

    Foundry Switch and Router Installation and Configuration Guide Syntax: default-metric <value> The <value> can be from 1 – 16,777,215. The default is 10. USING THE WEB MANAGEMENT INTERFACE To modify the cost that is assigned to redistributed routes: Log on to the device using a valid user name and password for read-write access.
  • Page 605 Configuring OSPF Select the Enable radio button next to Redistribution. Click the Apply button to apply the change to the device’s running-config file. Select the Save link at the bottom of the dialog, then select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 606 • BI->R6 Normally, the Foundry router will choose the path to R1 with the lower metric. For example, if R3’s metric is 1400 and R4’s metric is 600, the Foundry router will always choose R4. However, suppose the metric is the same for all four routers in this example. If the costs are the same, the router now has four equal-cost paths to R1.
  • Page 607: Configure External Route Summarization

    Configuring OSPF Configure External Route Summarization When the Layer 3 Switch is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to advertise one external route as an aggregate for all redistributed routes that are covered by a specified address range.
  • Page 608: Configure Default Route Origination

    “default information origination”. By default, Foundry Layer 3 Switches do not advertise the default route into the OSPF domain. If you want the Layer 3 Switch to advertise the OSPF default route, you must explicitly enable default route origination.
  • Page 609: Modify Spf Timers

    Configuring OSPF Modify SPF Timers The Layer 3 Switch uses the following timers when calculating the shortest path for OSPF routes: • SPF delay - When the Layer 3 Switch receives a topology change, the software waits before it starts a Shortest Path First (SPF) calculation.
  • Page 610: Modify Administrative Distance

    Modify Administrative Distance Foundry Layer 3 Switches can learn about networks from various protocols, including Border Gateway Protocol version 4 (BGP4), RIP, and OSPF. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned.
  • Page 611 USING THE WEB MANAGEMENT INTERFACE You cannot configure this option using the Web management interface. Modify OSPF Traps Generated OSPF traps as defined by RFC 1850 are supported on Foundry routers. OSPF trap generation is enabled on the router, by default. USING THE CLI...
  • Page 612: Modify Ospf Standard Compliance Setting

    Modify OSPF Standard Compliance Setting Foundry routers are configured, by default, to be compliant with the RFC 1583 OSPF V2 specification. USING THE CLI To configure a router to operate with the latest OSPF standard, RFC 2178, enter the following commands:...
  • Page 613: Modify Exit Overflow Interval

    Configuring OSPF Select Disable next to RFC 1583. Click the Apply button to save the change to the device’s running-config file. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 614 Foundry Switch and Router Installation and Configuration Guide The <num> indicates the number of OSPF routes allowed and can be from 4000 – 32000. The change takes effect after the router is rebooted. USING THE WEB MANAGEMENT INTERFACE You cannot modify the maximum number of OSPF routes using the Web management interface.
  • Page 615: Displaying Ospf Information

    Configuring OSPF Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory. Displaying OSPF Information You can use CLI commands and Web management options to display the following OSPF information: •...
  • Page 616
        Originate LSA Trap: Enabled
        Originate MaxAge LSA Trap: Enabled
        Link State Database Overflow Trap: Enabled
        Link State Database Approaching Overflow Trap: Enabled
        OSPF Area currently defined:
        Area-ID Area-Type Cost
        normal
        OSPF Interfaces currently defined:...
  • Page 617: Displaying Ospf Area Information

    Configuring OSPF 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 VRRP 0.00 0.00 0.00 0.00 To display utilization statistics for a specific number of seconds, enter a command such as the following: BigIron# show process cpu 1 Process Name Sec(%) Time(ms) 0.00 0.00...
  • Page 618: Displaying Ospf Neighbor Information

    Table 17.2: CLI Display of OSPF Area Information (Continued) This Field... Displays... Cost The area’s cost. SPFR The SPFR value. The ABR number. ASBR The ASBR number. The LSA number. Chksum(Hex) The checksum for the LSA packet. The checksum is based on all the fields in the packet except the age field.
  • Page 619 The number of times the neighbor’s state changed. The sum of the option bits in the Options field of the Hello packet. This information is used by Foundry technical support. See Section A.2 in RFC 2178 for information about the Options field in Hello packets.
  • Page 620: Displaying Ospf Interface Information

    Foundry Switch and Router Installation and Configuration Guide Displaying OSPF Interface Information To display OSPF interface information for the router, use one of the following methods. USING THE CLI To display OSPF interface information, enter the following command at any CLI level: BigIron>...
  • Page 621 • External2 – The path to the destination is a type 2 external route. Adv_Router The OSPF router that advertised the route to this Foundry Layer 3 Switch. Link-State The link state from which the route was calculated. Dest_Type The destination type, which can be one of the following: •...
  • Page 622: Displaying Ospf External Link State Information

    Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE You cannot display the OSPF route table using the Web management interface. Displaying OSPF External Link State Information To display external link state information for the router, use one of the following methods.
  • Page 623: Displaying Ospf Link State Information

    Configuring OSPF USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-only or read-write access. The System configuration panel is displayed. Click on the plus sign next to Monitor in the tree view to expand the list of monitoring options. Click on the plus sign next to OSPF in the tree view to expand the list of OSPF option links.
  • Page 624: Displaying Ospf Virtual Neighbor Information

    For example, to determine an external LSA’s index number, enter the following command:
        BigIron> show ip ospf external-link-state
        Index Aging LS ID Router Seq(hex) Chksum
        1332 130.132.81.208 130.130.130.241 80000002 000085ae
        1325 130.132.116.192 130.130.130.241 80000002 0000a37d
        1330 130.132.88.112...
  • Page 625: Displaying Ospf Abr And Asbr Information

    Configuring OSPF Displaying OSPF ABR and ASBR Information To display OSPF ABR and ASBR information for the router, use one of the following methods. USING THE CLI To display OSPF ABR and ASBR information, enter the following command at any CLI level: BigIron>...
  • Page 627: Overview Of Ip Multicasting

    PIM or DVMRP on an interface and is disabled on the interface if you disable PIM or DVMRP on the interface. A summary of all CLI commands discussed in this chapter can also be found in the Foundry Switch and Router Command Line Interface Reference.
  • Page 628: Changing Global Ip Multicast Parameters

    IP multicast packets in hardware. Changing IGMP Parameters IGMP allows Foundry routers to limit the multicast of IGMP packets to only those ports on the router that are identified as IP Multicast members. Foundry devices support IGMP versions 1 and 2.
  • Page 629 Configuring IP Multicast Protocols Syntax: ip igmp query-interval <1-3600> USING THE WEB MANAGEMENT INTERFACE To modify the default value for the IGMP query interval: Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.
  • Page 630: Initiating Pim Multicasts On A Network

    Enabling Hardware Forwarding for all Fragments of IP Multicast Packets By default, a Foundry Layer 3 Switch forwards the first fragment of a fragmented IP multicast packet through hardware, but forwards the remaining fragments through the software. You can enable the device to forward all the fragments of a fragmented IP multicast packet through hardware.
  • Page 631 Configuring IP Multicast Protocols For example, in Figure 18.1 the sender with address 207.95.5.1 is sending multicast packets to the group 229.225.0.1. If a PIM router receives any groups other than that group, the router discards the group and sends a prune message to the upstream PIM router.
  • Page 632: Grafts To A Multicast Tree

    [Figure labels: Video Conferencing Server; (207.95.5.1, 229.225.0.1) (Source, Group); 229.225.0.1 Group; Group Member; NetIron; Leaf Node; Prune Message sent to upstream router (R4)]
  • Page 633: Configuring Pim

    Figure 18.1 on page 18-5. PIM is enabled on each of the Foundry routers shown in Figure 18.1, on which multicasts are expected. You can enable PIM on each router independently or remotely from one of the routers with a Telnet connection. Follow the same steps for each router.
  • Page 634 If you are configuring an IP Tunnel, enter the IP address of the destination interface, the end point of the IP Tunnel, in the Remote Address field. IP tunneling must also be enabled and defined on the destination router interface.
  • Page 635 Modifying Prune Timer This parameter defines how long a Foundry PIM router will maintain a prune state for a forwarding entry. The first received multicast interface is forwarded to all other PIM interfaces on the router. If there is no presence of groups on that interface, the leaf node sends a prune message upstream and stores a prune state.
  • Page 636 Foundry Switch and Router Installation and Configuration Guide A prune state is maintained until the prune timer expires or a graft message is received for the forwarding entry. The default value is 180 seconds. USING THE CLI To set the PIM prune timer to 90, enter the following:...
  • Page 637 Configuring IP Multicast Protocols Modifying Inactivity Timer The router deletes a forwarding entry if the entry is not used to send multicast packets. The PIM inactivity timer defines how long a forwarding entry can remain unused before the router deletes it. USING THE CLI To apply a PIM inactivity timer of 90 seconds to all PIM interfaces, enter the following: BigIron(config)# router pim...
  • Page 638: Pim Sparse Router Types

    PMBR – A PIM router that has some interfaces within the PIM domain and other interfaces outside the PIM domain. PMBRs connect the PIM domain to the Internet. NOTE: You cannot configure a Foundry routing interface as a PMBR interface for PIM Sparse in the current software release.
  • Page 639: Rp Paths And Spt Paths

    PIM Sparse routers can use the SPT as an alternative to using the RP for forwarding traffic from a source to a receiver. By default, Foundry Layer 3 Switches forward the first packet they receive from a given source to a given receiver using the RP path, but forward subsequent packets from that source to that receiver through the SPT.
  • Page 640: Configuring Global Parameters

    Sparse router without configuring the Layer 3 Switch as a candidate BSR and RP. However, if you do configure the Layer 3 Switch as one of these, Foundry Networks recommends that you configure the Layer 3 Switch as both of these. See “Configuring PIM Sparse Global Parameters” on page 18-15.
  • Page 641 Rendezvous Point (RP). NOTE: It is possible to configure the Layer 3 Switch as only a candidate BSR or RP, but Foundry Networks recommends that you configure the same interface on the same Layer 3 Switch as both a BSR and an RP.
  • Page 642: Statically Specifying The Rp

    Statically Specifying the RP Foundry Networks recommends that you use the PIM Sparse protocol’s RP election process so that a backup RP can automatically take over if the active RP router becomes unavailable. However, if you do not want the RP to be selected by the RP election process but instead you want to explicitly identify the RP by its IP address, you can do so using the following CLI method.
  • Page 643: Changing The Pim Join And Prune Message Interval

    (SPT) to all the PIM Sparse group receivers within the domain, with the Layer 3 Switch itself as the root of the tree. The first time a Foundry Layer 3 Switch configured as a PIM router receives a packet for a PIM receiver, the Layer 3 Switch sends the packet to the RP for the group.
  • Page 644 The <num> parameter specifies the number of seconds and can be from 1 – 65535. The default is 60. USING THE WEB MANAGEMENT INTERFACE You cannot configure PIM Sparse parameters using the Web management interface.
  • Page 645 This display shows the following information. This Field... Displays... Global PIM Sparse mode settings Hello interval How frequently the Layer 3 Switch sends PIM Sparse hello messages to its PIM Sparse neighbors. This field shows the number of seconds between hello messages.
  • Page 646 Foundry Switch and Router Installation and Configuration Guide This Field... Displays... TTL Threshold Following the TTL threshold value, the interface state is listed. The interface state can be one of the following: • Disabled • Enabled Local Address Indicates the IP address configured on the port or virtual interface.
  • Page 647
        Next bootstrap message in 00:00:20
        Next Candidate-RP-advertisement in 00:00:10
        RP: 207.95.7.1
        group prefixes: 224.0.0.0 / 4
        Candidate-RP-advertisement period: 60
    This example shows information displayed on a Layer 3 Switch that has been elected as the BSR. The following example shows information displayed on a Layer 3 Switch that is not the BSR.
  • Page 648 Foundry Switch and Router Installation and Configuration Guide This Field... Displays... Indicates the IP address of the Rendezvous Point (RP). Note: This field appears only if this Layer 3 Switch is the BSR. group prefixes Indicates the multicast groups for which the RP listed by the previous field is a candidate RP.
  • Page 649 Configuring IP Multicast Protocols This Field... Displays... Candidate-RP-advertisement period Indicates how frequently the BSR sends candidate RP advertisement messages. Note: This field appears only if this Layer 3 Switch is a candidate RP. USING THE WEB MANAGEMENT INTERFACE You cannot display PIM Sparse information using the Web management interface. Displaying RP-to-Group Mappings To display RP-to-group mappings, use the following CLI method.
  • Page 650 Foundry Switch and Router Installation and Configuration Guide This display shows the following information. This Field... Displays... Indicates the IP address of the Rendezvous Point (RP) for the specified PIM Sparse group. Following the IP address is the port or virtual interface through which this Layer 3 Switch learned the identity of the RP.
  • Page 651 Configuring IP Multicast Protocols Displaying Multicast Neighbor Information To display information about the Layer 3 Switch’s IP Multicast neighbors, use either of the following methods. USING THE CLI To display information about the Layer 3 Switch’s PIM neighbors, enter the following command at any CLI level: BigIron(config-pim-router)# show ip pim nbr Port Neighbor Holdtime Age...
  • Page 652 Indicates the port or virtual interface from which the Layer 3 Switch receives packets from the group’s source. CamFlags This field is used by Foundry technical support for troubleshooting. CamIndex This field is used by Foundry technical support for troubleshooting.
  • Page 653 This display shows the following information. This Field... Displays... (<source>, <group>) The comma-separated values in parentheses are a source-group pair. The <source> is the PIM source for the multicast <group>. For example, the following entry means source 209.157.24.162 for group 239.255.162.1: (209.157.24.162,239.255.162.1) If the <source>...
  • Page 654 Foundry Switch and Router Installation and Configuration Guide This Field... Displays... prune ports Indicates the physical ports on which the Layer 3 Switch has received a prune notification (in a Join/Prune message) to remove the receiver from the list of recipients for the group.
  • Page 655 Configuring IP Multicast Protocols This Field... Displays... RegStop The number of Register Stop messages sent or received on the interface. Assert The number of Assert messages sent or received on the interface. Total Recv/Xmit The total number of IGMP messages sent and received by the Layer 3 Switch.
  • Page 656 Foundry Switch and Router Installation and Configuration Guide Configuring Multicast Source Discovery Protocol (MSDP) The Multicast Source Discovery Protocol (MSDP) is used by Protocol Independent Multicast (PIM) Sparse routers to exchange routing information for PIM Sparse multicast groups across PIM Sparse domains. Routers running MSDP can discover PIM Sparse sources that are in other PIM Sparse domains.
  • Page 657: Source Active Caching

    Configuring IP Multicast Protocols Figure 18.4 shows only one peer for the MSDP router (which is also the RP here) in domain 1, so the Source Active message goes to only that peer. When an MSDP router has multiple peers, it sends a Source Active message to each of those peers.
  • Page 658 Foundry Switch and Router Installation and Configuration Guide Enabling MSDP Use the following CLI method to enable MSDP. USING THE CLI To enable MSDP, enter the following command at the global CONFIG level of the CLI. This command also places you at the MSDP configuration level of the CLI.
  • Page 659 Configuring IP Multicast Protocols MSDP Summary Information This Field... Displays... Peer Address The IP address of the peer’s interface with the Layer 3 Switch State The state of the MSDP router’s connection with the peer. The state can be one of the following: •...
  • Page 660 Foundry Switch and Router Installation and Configuration Guide Notification Message Error Code Transmitted:Unspecified Notification Message Error SubCode Transmitted:Not Applicable TCP Connection state: ESTABLISHED Local host: 206.251.17.29, Local Port: 8270 Remote host: 206.251.17.30, Remote Port: 639 ISentSeq: 16927 SendNext: 685654 TotUnAck:...
  • Page 661 MSDP Peer Information (Continued) This Field... Displays... Notification Message Error Code Received If the MSDP router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error.
  • Page 662 Foundry Switch and Router Installation and Configuration Guide MSDP Peer Information (Continued) This Field... Displays... TCP Statistics TCP connection state The state of the connection with the neighbor. The connection can have one of the following states: • LISTEN – Waiting for a connection request.
  • Page 663 Configuring IP Multicast Protocols MSDP Peer Information (Continued) This Field... Displays... ReTrans The number of sequence numbers that the MSDP router retransmitted because they were not acknowledged. IRcvSeq The initial receive sequence number for the session. RcvNext The next sequence number expected from the neighbor. RcvWnd The size of the receive window.
  • Page 664: Clearing MSDP Information

    Foundry Switch and Router Installation and Configuration Guide MSDP Source Active Cache (Continued) This Field... Displays... The RP through which receivers can access the group traffic from the source The number of seconds the entry has been in the cache USING THE WEB MANAGEMENT INTERFACE You cannot display MSDP information using the Web management interface.
  • Page 665: DVMRP Overview

    DVMRP Overview Foundry routers provide multicast routing with the Distance Vector Multicast Routing Protocol (DVMRP). DVMRP uses Internet Group Membership Protocol (IGMP) to manage the IP multicast groups. DVMRP is a broadcast and pruning multicast protocol that delivers IP multicast datagrams to their intended receivers.
  • Page 666 [Figure: multicast topology with a Video Conferencing Server as source, (Source, Group) pair (207.95.5.1, 229.225.0.1), group members for 229.225.0.1, and NetIron routers including a leaf node.]...
  • Page 667 [Figure: multicast topology with a Video Conferencing Server as source, (Source, Group) pair (207.95.5.1, 229.225.0.1), group members for 229.225.0.1, NetIron routers including a leaf node, and a Prune Message sent to upstream router (R4).]...
  • Page 668: Configuring DVMRP

    Figure 18.5. DVMRP is enabled on each of the Foundry routers shown in Figure 18.5, on which multicasts are expected. You can enable DVMRP on each router independently or remotely from one NetIron by a Telnet connection. Follow the same steps for each router.
  • Page 669: Modifying DVMRP Global Parameters

    Configuring IP Multicast Protocols 11. Click Enable or Disable next to Encapsulation to enable or disable the feature. 12. Click the Add button to save the change to the device’s running-config file. 13. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 670 Foundry Switch and Router Installation and Configuration Guide Enter a value from 40 – 8000 into the Neighbor Router Timeout field. Click the Apply button to save the change to the device’s running-config file. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 671 Configuring IP Multicast Protocols Modifying Route Discard Time The Route Discard Time defines the period of time before a route is deleted. Possible values are from 40 – 8000 seconds. The default value is 340 seconds. USING THE CLI To modify the route discard setting to 150, enter the following: BigIron(config-dvmrp-router)# route-discard-timeout 150 Syntax: route-discard-timeout <40-8000>...
  • Page 672 Foundry Switch and Router Installation and Configuration Guide Syntax: graft-retransmit-time <5-3600> USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. Click on the plus sign next to Configure in the tree view to expand the list of configuration options.
  • Page 673: Modifying DVMRP Interface Parameters

    Configuring IP Multicast Protocols Click the Apply button to save the change to the device’s running-config file. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory. Modifying Trigger Interval The Trigger Interval defines how often trigger updates, which reflect changes in the network topology, are sent.
  • Page 674 The router uses the metric when establishing reverse paths to some networks on directly attached interfaces. Possible values are from 1 – 31 hops. The default is 1. NOTE: This command is not supported on Foundry Layer 2 Switches. USING THE CLI...
  • Page 675 Configuring IP Multicast Protocols Click on the Modify button next to the interface you want to modify. The DVMRP Interface configuration panel is displayed. Enter a value from 1 – 31 in the Metric field. Click the Add button to save the changes to the device’s running-config file. Select the Save link at the bottom of the dialog.
  • Page 676 Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE To enable encapsulation on a DVMRP interface: Log on to the device using a valid user name and password for read-write access. Click on the plus sign next to Configure in the tree view to expand the list of configuration options.
  • Page 677 [Figure: IP tunnel between two multicast capable NetIron routers, Router A and Router B (addresses 192.58.4.1 and 192.3.45.6 shown), across non-multicast capable routers, with group members attached.]...
  • Page 678: Configuring A Static Multicast Route

    Foundry Switch and Router Installation and Configuration Guide Configuring a Static Multicast Route Static multicast routes allow you to control the network path used by multicast traffic. Static multicast routes are especially useful when the unicast and multicast topologies of a network are different. You can avoid the need to make the topologies similar by instead configuring static multicast routes.
  • Page 679 You cannot configure a static multicast route using the Web management interface. Tracing a Multicast Route The Foundry implementation of Mtrace is based on “A ‘traceroute’ facility for IP Multicast”, an Internet draft by S. Casner and B. Fenner. To trace a PIM route, use the following CLI method.
  • Page 680 Foundry Switch and Router Installation and Configuration Guide Tracing the route for tree 209.157.23.188 207.95.7.2 207.95.7.2 Thresh 0 207.95.7.1 Thresh 0 207.95.8.1 Thresh 0 207.157.24.62 Syntax: mtrace source <ip-addr> group <multicast-group> The source <ip-addr> parameter specifies the address of the route’s source.
  • Page 681 Displaying Another Multicast Router’s Multicast Configuration The Foundry implementation of Mrinfo is based on the DVMRP Internet draft by T. Pusateri, but applies to PIM and not to DVMRP. To display the PIM configuration of another PIM router, use the following CLI method.
  • Page 683: Configuring BGP4

    To display BGP4 configuration information and statistics, see “Displaying BGP4 Information” on page 19-88. This chapter shows the commands you need in order to configure the Foundry Layer 3 Switch for BGP4. For a detailed list of all CLI commands, including syntax and possible values, see the Foundry Switch and Router Command Line Interface Reference.
  • Page 684: Overview Of BGP4

    IP route table. The route that BGP4 chooses and sends to the IP route table is the preferred route and will be used by the Foundry Layer 3 Switch. If the preferred route goes down, BGP4 updates the route information in the IP route table with a new BGP4 preferred route.
  • Page 685: How BGP4 Selects A Path For A Route

    • Number of paths available for load sharing. Foundry Layer 3 Switches use the following algorithm to choose the optimal path for a BGP4 route. The algorithm uses the parameters listed above. Is the next hop accessible through an Interior Gateway Protocol (IGP) route? If not, ignore the route.
  • Page 686: BGP4 Message Types

    INCOMPLETE is highest If the routes have the same origin type, prefer the route with the lowest MED. NOTE: If the path does not have the MED attribute, Foundry’s BGP4 uses zero as the MED value for the comparison. If the routes have the same MED, prefer routes in the following order: •...
  • Page 687 BGP Identifier – The router ID. The BGP Identifier (router ID) identifies the BGP4 router to other BGP4 routers. Foundry Layer 3 Switches use the same router ID for OSPF and BGP4. If you do not set a router ID, the software uses the IP address on the lowest numbered loopback interface configured on the router.
  • Page 688: Basic Configuration And Activation For BGP4

    Foundry Switch and Router Installation and Configuration Guide Basic Configuration and Activation for BGP4 BGP4 is disabled by default. To enable BGP4 and place your Foundry Layer 3 Switch into service as a BGP4 router, you must perform at least the following steps: Enable the BGP4 protocol.
  • Page 689: BGP4 Parameters

    Configuring BGP4 router bgp mode now disabled. All bgp config data will be lost when writing to flash! The Web management interface does not display a warning message. If you have disabled the protocol but have not yet saved the configuration to the startup-config file and reloaded the software, you can restore the configuration information by re-entering the command to enable the protocol (ex: router bgp), or by selecting the Web management option to enable the protocol.
  • Page 690 Foundry Switch and Router Installation and Configuration Guide • Optional – Define IP prefix lists. • Optional – Define neighbor distribute lists. • Optional – Define BGP4 route maps for filtering routes redistributed into RIP and OSPF. • Optional – Define route flap dampening parameters.
  • Page 691: Memory Considerations

    Many configurations, especially those involving more than one neighbor, can require the router to hold even more routes. Foundry Layer 3 Switches and NetIron Internet Backbone routers provide dynamic memory allocation for BGP4 data. These devices automatically allocate memory when needed to support BGP4 neighbors, routes, and route attribute entries.
  • Page 692 To begin using BGP4 on the router, follow the steps outlined below: Optionally define the router ID. Enable the BGP4 feature on the router. Set the local AS number. Identify the Foundry Layer 3 Switch’s BGP4 neighbors and the ASs they are in...
  • Page 693: Basic Configuration Tasks

    The following sections describe how to perform the configuration tasks that are required to use BGP4 on the Foundry Layer 3 Switch. You can modify many parameters in addition to the ones described in this section. See “Optional Configuration Tasks” on page 19-27.
  • Page 694 Syntax: ip router-id <ip-addr> The <ip-addr> can be any valid, unique IP address. NOTE: You can specify an IP address used for an interface on the Foundry Layer 3 Switch, but do not specify an IP address in use by another device.
  • Page 695: Setting The Local AS Number

    Setting the Local AS Number The local AS number identifies the AS the Foundry BGP4 router is in. The AS number can be from 1 – 65535. There is no default. AS numbers 64512 – 65535 are the well-known private BGP4 AS numbers and are not advertised to the Internet community.
  • Page 696: Adding BGP4 Neighbors

    Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed. Select the IP Address link to display a table listing the configured IP addresses.
  • Page 697 Configuring BGP4 The neighbor command has some additional parameters, as shown in the following syntax: Syntax: [no] neighbor <ip-addr> | <peer-group-name> [advertisement-interval <num>] [default-originate [route-map <map-name>]] [description <string>] [distribute-list in | out <num,num,...> | <acl-num> in | out] [ebgp-multihop [<num>]] [filter-list in | out <num,num,...>...
  • Page 698 Foundry Switch and Router Installation and Configuration Guide NOTE: By default, if an AS-path does not match any of the filters or ACLs, the Layer 3 Switch denies the route. To change the default behavior, configure the last filter or ACL as “permit any any”.
  • Page 699 Configuring BGP4 NOTE: The route map must already be configured. See “Defining Route Maps” on page 19-63. route-reflector-client specifies that this neighbor is a route-reflector client of the router. Use the parameter only if this router is going to be a route reflector. For information, see “Configuring Route Reflection Parameters” on page 19-37.
  • Page 700 Foundry Switch and Router Installation and Configuration Guide Enter the neighbor’s IP address in the IP Address field. Enter a description in the Description field. Select Enable next to Default Originate if you want to enable this feature for the neighbor. By default, the Layer 3 Switch does not advertise a default route using BGP4.
  • Page 701 Configuring BGP4 10. Select Enable next to Client To Client Reflection if this neighbor is a route-reflector client of the router. Use the parameter only if this router is going to be a route reflector. For information, see “Configuring Route Reflection Parameters”...
  • Page 702 NOTE: Foundry recommends that you save a copy of the startup-config file for each Layer 3 Switch you plan to upgrade. If you need to return to a software release earlier than 07.1.14, the earlier software will not recognize the passwords or authentication keys in their encrypted form and will not be able to convert them back to their clear form.
  • Page 703: Adding A BGP4 Peer Group

    Configuring BGP4 neighbor 10.10.200.102 remote-as 1 neighbor 10.10.200.102 password 1 $on-o Notice that the software has converted the commands that specify an authentication string into the new syntax (described below), and has encrypted display of the authentication strings. Command Syntax Since the default behavior in software release 07.1.14 does not affect the BGP4 configuration itself but does encrypt display of the authentication string, the CLI does not list the encryption options.
  • Page 704 Foundry Switch and Router Installation and Configuration Guide • Flash memory conservation – Using peer groups instead of individually configuring all the parameters for each neighbor requires fewer configuration commands in the startup-config file. You can perform the following tasks on a peer-group basis.
  • Page 705 Configuring BGP4 NOTE: If you enter a command to remove the remote AS parameter from a peer group, the software checks to ensure that the peer group does not contain any neighbors. If the peer group does contain neighbors, the software does not allow you to remove the remote AS.
  • Page 706 Foundry Switch and Router Installation and Configuration Guide Configuring a Peer Group To configure a BGP4 peer group, use either of the following methods. USING THE CLI To configure a peer group, enter commands such as the following at the BGP configuration level: BigIron(config-bgp-router)# neighbor PeerGroup1 peer-group BigIron(config-bgp-router)# neighbor PeerGroup1 description “EastCoast Neighbors”...
  • Page 707 Layer 3 Switch from establishing a BGP4 session with the neighbor even after reloading the software. NOTE: If you notice that a particular BGP4 neighbor never establishes a session with the Foundry Layer 3 Switch, check the Layer 3 Switch’s running-config and startup-config files to see whether the configuration contains a command that is shutting down the neighbor.
  • Page 708 Foundry Switch and Router Installation and Configuration Guide Click on the plus sign next to Configure in the tree view to expand the list of configuration options. Click on the plus sign next to BGP in the tree view to expand the list of BGP option links.
  • Page 709: Optional Configuration Tasks

    Configuring BGP4 Optional Configuration Tasks The following sections describe how to perform optional BGP4 configuration tasks. Changing the Keep Alive Time and Hold Time The Keep Alive Time specifies how frequently the router will send KEEPALIVE messages to its BGP4 neighbors. The Hold Time specifies how long the router will wait for a KEEPALIVE or UPDATE message from a neighbor before concluding that the neighbor is dead.
  • Page 710: Changing The Maximum Number Of Paths For BGP4 Load Sharing

    The router waits for the Hold Time to expire before ending the connection to a directly-attached BGP4 neighbor that dies. For directly attached neighbors, the router immediately senses loss of a connection to the neighbor from a change to the state of the port or interface that connects the router to its neighbor.
  • Page 711 Configuring BGP4 See “How BGP4 Selects a Path for a Route” on page 19-3 for a description of the BGP4 algorithm. When you enable IP load sharing, the Layer 3 Switch can load balance BGP4 or OSPF routes across up to four equal paths by default.
  • Page 712: Specifying A List Of Networks To Advertise

    Foundry Switch and Router Installation and Configuration Guide Edit the number in the # of Paths field if needed. You can specify from 1 – 4 paths. The default is 1. You cannot set the maximum number of BGP4 paths to a number higher than the IP load sharing maximum number of paths.
  • Page 713 Configuring BGP4 Enter the network address in the IP Address field. Enter the network mask in the Mask field. Optionally enter a weight to be added to routes to this network. If you want to tag the route as a backdoor route, select Enable next to Back Door. Click the Apply button to apply the changes to the device’s running-config file.
  • Page 714: Changing The Default Local Preference

    BGP4 route using either of the following methods. NOTE: The Foundry Layer 3 Switch checks for the existence of an IGP route for 0.0.0.0/0 in the IP route table before creating a local BGP route for 0.0.0.0/0.
  • Page 715: Changing Administrative Distances

    Changing the Default MED (Metric) Used for Route Redistribution The Foundry Layer 3 Switch can redistribute RIP and OSPF routes into BGP4. The MED (metric) is a global parameter that specifies the cost that will be applied to all routes by default when they are redistributed into BGP4.
  • Page 716 05.2.00, so only directly-connected routes are preferred over static routes when the default administrative distances for the routes are used. Here are the default administrative distances on the Foundry Layer 3 Switch: • Directly connected – 0 (this value is not configurable) •...
  • Page 717 Configuring BGP4 USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed. Click on the plus sign next to Configure in the tree view to expand the list of configuration options. Click on the plus sign next to BGP in the tree view to expand the list of BGP option links.
  • Page 718 Foundry Switch and Router Installation and Configuration Guide Synchronizing Routes By default, the Layer 3 Switch does not wait until the IGPs in the local AS have fully exchanged route information before BGP4 advertises the routes to its remote BGP4 neighbors. The Layer 3 Switch advertises routes to its remote BGP4 neighbors regardless of whether the routes are learned or have already been propagated throughout the local AS.
  • Page 719: Configuring Route Reflection Parameters

    A route reflector is an IGP router configured to send BGP route information to all the clients (other BGP4 routers) within the cluster. Route reflection is enabled on all Foundry BGP4 routers by default but does not take effect unless you add route reflector clients to the router.
  • Page 720 [Figure: route reflection topology of BigIron routers with labels AS 1, AS 2, Cluster 1, Route Reflector 1, Route Reflector 2, Route Reflector Client 1, Route Reflector Client 2, networks 10.0.1.0 and 10.0.2.0, and IBGP and EBGP links.]...
  • Page 721 Enter the following commands to configure a Foundry Layer 3 Switch as route reflector 1 in Figure 19.3 on page 19-38. To configure route reflector 2, enter the same commands on the Foundry Layer 3 Switch that will be route reflector 2. The clients require no configuration for route reflection.
  • Page 722: Configuring Confederations

    AS IDs. NOTE: You can use any valid AS numbers for the sub-ASs. If your AS is connected to the Internet, Foundry recommends that you use numbers from within the private AS range (64512 – 65535). These are private AS numbers and BGP4 routers do not propagate these AS numbers to the Internet.
  • Page 723 Figure 19.4 shows an example of a BGP4 confederation. [Figure 19.4: Confederation 10 with Sub-AS 64512 and Sub-AS 64513, Router A and Router B, IBGP and EBGP links, and a BGP4 router in AS 20.] Figure annotations: This BGP4 router sees all traffic from Confederation 10 as traffic from AS 10. Routers outside the confederation do not know or care that the routers...
  • Page 724 The <num> parameter with the local-as command indicates the AS number for the BGP routers within the sub- AS. You can specify a number from 1 – 65535. Foundry recommends that you use a number within the range of well-known private ASs, 64512 – 65535.
  • Page 725: Aggregating Routes Advertised To BGP4 Neighbors

    Configuring BGP4 Enter the AS numbers of the peers (sub-ASs) within the confederation in the Confederation Peers field. Separate the AS numbers with spaces. You must specify all the sub-ASs contained in the confederation. All the routers within the same sub-AS use IBGP to exchange router information. Routers in different sub-ASs within the confederation use EBGP to exchange router information.
  • Page 726 Foundry Switch and Router Installation and Configuration Guide Click on the Aggregate Address link to display the BGP Aggregate Address configuration panel. • If the device does not have any BGP aggregate addresses configured, the BGP Aggregate Address configuration panel is displayed, as shown in the following example.
  • Page 727: Modifying Redistribution Parameters

    Configuring BGP4 Modifying Redistribution Parameters By default, the router does not redistribute route information between BGP4 and the IP IGPs (RIP and OSPF). You can configure the router to redistribute OSPF routes, RIP routes, directly connected routes, or static routes into BGP4.
  • Page 728 Foundry Switch and Router Installation and Configuration Guide Select the source of the routes you want to redistribute into BGP4. You can select RIP, OSPF, Static, or Connected (directly attached) routes. Optionally enter a metric for the redistributed routes in the Metric field. You can specify a value from 0 –...
  • Page 729 Configuring BGP4 The match internal | external1 | external2 parameter applies only to OSPF. This parameter specifies the types of OSPF routes to be redistributed into BGP4. USING THE WEB MANAGEMENT INTERFACE Use the procedure in “Redistributing RIP Routes” on page 19-45. Redistributing Static Routes To configure the Layer 3 Switch to redistribute static routes, enter the following command: BigIron(config-bgp-router)# redistribute static...
  • Page 730: Filtering Specific IP Addresses

    Foundry Switch and Router Installation and Configuration Guide Syntax: [no] bgp-redistribute-internal To disable redistribution of IBGP routes into RIP and OSPF, enter the following command: BigIron(config-bgp-router)# no bgp-redistribute-internal USING THE WEB MANAGEMENT INTERFACE You cannot configure this parameter using the Web management interface.
  • Page 731 Configuring BGP4 non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 0.0.0.255 in the startup-config file. If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in “/<mask-bits>”...
  • Page 732 The <num> parameter identifies the filter’s position in the AS-path filter list and can be from 1 – 100. Thus, the AS-path filter list can contain up to 100 filters. The Foundry Layer 3 Switch applies the filters in numerical order, beginning with the lowest-numbered filter.
  • Page 733 Configuring BGP4 Click on the AS Path Filter link to display the BGP AS Path Filter panel. • If the device does not have any BGP AS-path filters configured, the BGP AS Path Filter configuration panel is displayed, as shown in the following example. •...
  • Page 734 Foundry Switch and Router Installation and Configuration Guide The deny | permit parameter specifies the action the software takes if a route’s AS-path list matches a match statement in this ACL. To configure the AS-path match statements, use the match as-path command. See “Matching Based on AS-Path ACL”...
  • Page 735 Configuring BGP4 11. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory. NOTE: You cannot apply the AS path ACLs to a neighbor using the Web management interface. You must use the CLI.
  • Page 736 Foundry Switch and Router Installation and Configuration Guide Table 19.2: BGP4 Special Characters for Regular Expressions (Continued) Character Operation A caret (when not used within brackets) matches on the beginning of an input string. For example, the following regular expression matches on an AS-path that begins with “jlampa”:...
  • Page 737: Filtering Communities

    Configuring BGP4 Table 19.2: BGP4 Special Characters for Regular Expressions (Continued) Character Operation Parentheses allow you to create complex expressions. For example, the following complex expression matches on “abc”, “abcabc”, or “abcabcabcdefg”, but not on “abcdefgdefg”: ((abc)+)|((defg)?) If you want to filter for a special character instead of using the special character as described in Table 19.2 on page 19-53, enter “\”...
  • Page 738 Foundry Switch and Router Installation and Configuration Guide NOTE: If the filter is referred to by a route map’s match statement, the filter is applied in the order in which the filter is listed in the match statement. The permit | deny parameter indicates the action the router takes if the filter match is true.
  • Page 739 Configuring BGP4 • No Advertise – Filters for routes with the well-known community “NO_ADVERTISE”. A route in this community should not be advertised to any BGP4 neighbors. • No Export – Filters for routes with the well-known community “NO_EXPORT”. A route in this community should not be advertised to any BGP4 neighbors outside the local AS.
  • Page 740: Defining IP Prefix Lists

    Foundry Switch and Router Installation and Configuration Guide Click on the plus sign next to Configure in the tree view to display the list of configuration options. Click on the plus sign next to IP to display the list of IP configuration options.
  • Page 741 Configuring BGP4 BigIron(config)# ip prefix-list Routesfor20 permit 20.20.0.0/24 BigIron(config-bgp-router)# neighbor 10.10.10.1 prefix-list Routesfor20 out These commands configure an IP prefix list named Routesfor20, which permits routes to network 20.20.0.0/24. The neighbor command configures the Layer 3 Switch to use IP prefix list Routesfor20 to determine which routes to send to neighbor 10.10.10.1.
  • Page 742 Foundry Switch and Router Installation and Configuration Guide NOTE: You cannot modify an IP prefix list ACL. Instead, you can delete and then re-add the ACL. To delete an ACL, click on the Delete button to the right of the row describing the ACL, then click on the Add IP Prefix List link.
  • Page 743: Defining Neighbor Distribute Lists

    Configuring BGP4 To apply the IP Prefix List to a neighbor, use the following procedure: In the tree view, click on the plus sign next to BGP under Configure to display the list of BGP configuration options. Select the Neighbor link to display the BGP Neighbor panel. Select the Prefix List link to display the BGP Neighbor Prefix List panel, as shown in the following example.
  • Page 744 Foundry Switch and Router Installation and Configuration Guide NOTE: The command syntax shown above is new in software release 06.5.00. However, the neighbor <ip- addr> distribute-list in | out <num> command (where the direction is specified before the filter number) is the same as in earlier software releases.
  • Page 745: Defining Route Maps

    Configuring BGP4 12. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory. Defining Route Maps A route map is a named set of match conditions and parameter settings that the router can use to modify route attributes and to control redistribution of the routes into other protocols.
  • Page 746 Foundry Switch and Router Installation and Configuration Guide For example, when you configure parameters for redistributing routes into RIP, one of the optional parameters is a route map. If you specify a route map as one of the redistribution parameters, the router will match the route against the match statements in the route map.
  • Page 747 Configuring BGP4 Enter the name of the route map in the Route Map Name field. Enter the sequence (instance) number in the Sequence field. The Layer 3 Switch applies the instances in ascending numerical order. Once an instance comparison results in a “true” evaluation, the Layer 3 Switch stops applying instances and applies the match and set statements you configure for the instance.
  • Page 748 NOTE: IP prefix lists and neighbor distribute lists provide separate means for the same type of filtering. To simplify configuration, Foundry Networks recommends you use one method or the other but do not mix them. 11. Enter the filter or ACL numbers or names in the entry fields next to the filter or ACL types you selected.
  • Page 749 Configuring BGP4 12. Optionally enter an IP address against which you want to compare the route updates’ next-hop attribute. Enter the address in the Next Hop List field. Also select the checkbox in front of the field. 13. Optionally enter a tag value against which you want to compare the updates in the Tag List field. Also select the checkbox in front of the field.
  • Page 750 Foundry Switch and Router Installation and Configuration Guide Enter the name of the route map in the Route Map Name field. Enter the sequence (instance) number in the Sequence field. The Layer 3 Switch applies the instances in ascending numerical order. Once an instance comparison results in a “true” evaluation, the Layer 3 Switch stops applying instances and applies the match and set statements you configure for the instance.
  • Page 751 NOTE: IP prefix lists and neighbor distribute lists provide separate means for the same type of filtering. To simplify configuration, Foundry Networks recommends you use one method or the other but do not mix them. 11. Next to each type of ACL or filter you selected, enter the ACL or filter name or ID. In this example, AS-path ACL 1 is specified.
  • Page 752 Foundry Switch and Router Installation and Configuration Guide USING THE CLI To construct a route map that matches based on the next-hop router, enter commands such as the following: BigIron(config)# route-map HopMap permit 1 BigIron(config-routemap HopMap)# match ip next-hop 2 Syntax: match ip next-hop <num>...
  • Page 753 Configuring BGP4 Switch does not already have explicit routing information for the traffic. This option is used in Policy-Based Routing (PBR). See “Policy-Based Routing (PBR)” on page 13-25. The local-preference <num> parameter sets the local preference for the route. You can set the preference to a value from 0 –...
  • Page 754: Using A Table Map To Set The Tag Value

    Foundry Switch and Router Installation and Configuration Guide 14. For a private community, enter the community number in the Number field. You can enter more than one community. Use commas or spaces to separate the community names. 15. Select Additive if you want the Set statement to add the specified community.
  • Page 755: Configuring Route Flap Dampening

    The Foundry implementation of route flap dampening is based on RFC 2439. Route flap dampening is disabled by default. You can enable the feature globally or on an individual route basis using route maps.
  • Page 756 Foundry Switch and Router Installation and Configuration Guide Syntax: dampening [<half-life> <reuse> <suppress> <max-suppress-time>] The <half-life> parameter specifies the number of minutes after which the route’s penalty becomes half its value. The route penalty allows routes that have remained stable for a while despite earlier instability to eventually become eligible for use again.
  • Page 757 Configuring BGP4 be suppressed regardless of how unstable it is. You can set the maximum suppression time to a value from 1 – 20000 minutes. The default is four times the half-life setting. Thus, if you use the default half-life of 15 minutes, the maximum suppression time is 60 minutes.
  • Page 758 Foundry Switch and Router Installation and Configuration Guide • If you are modifying an existing BGP address filter, click on the Modify button to the right of the row describing the filter to display the BGP Address Filter configuration panel, as shown in the following example.
  • Page 759 Configuring BGP4 14. Enter the name of the route map in the Route Map Name field. 15. Enter the sequence (instance) number in the Sequence field. The Layer 3 Switch applies the instances in ascending numerical order. Once an instance comparison results in a “true” evaluation, the Layer 3 Switch stops applying instances and applies the match and set statements you configure for the instance.
  • Page 760 Foundry Switch and Router Installation and Configuration Guide 19. Click on the checkbox next to Address Filter to indicate that you are using an address filter as a match condition. 20. Enter the address filter number in the Address Filter field.
  • Page 761 Configuring BGP4 23. Select the checkbox in the Dampening section to specify that this route map is setting dampening parameters. 24. Edit the value in the Half Life field to specify the half life you want this route map to set for routes that match the match conditions you specified above.
  • Page 762 Foundry Switch and Router Installation and Configuration Guide Using a Route Map To Configure Route Flap Dampening for a Specific Neighbor You can use a route map to configure route flap dampening for a specific neighbor by performing the following tasks: •...
  • Page 763 Configuring BGP4 NOTE: If the device already has route maps, a table listing the route maps is displayed. Click the Modify button to the right of the row describing the route map to change its configuration, or click the Add Route Map Filter link to display the BGP Route Map Filter panel.
  • Page 764: Removing Route Dampening From A Route

    Foundry Switch and Router Installation and Configuration Guide 22. Select the neighbor IP address from the IP Address field’s pulldown menu. 23. Select the traffic direction to which you want to apply the route map. You can select In or Out. In this example, select In.
  • Page 765: Displaying And Clearing Route Flap Dampening Statistics

    Configuring BGP4 Displaying and Clearing Route Flap Dampening Statistics The software provides many options for displaying and clearing route flap statistics. To display the statistics, use either of the following methods. Displaying Route Flap Dampening Statistics To display route flap dampening statistics, use the following CLI method. USING THE CLI To display route dampening statistics or all the dampened routes, enter the following command at any level of the CLI:...
  • Page 766 Foundry Switch and Router Installation and Configuration Guide Table 19.3: Route Flap Dampening Statistics This Field... Displays... From The neighbor that sent the route to the Layer 3 Switch. Flaps The number of flaps (state changes) the route has experienced.
  • Page 767 Configuring BGP4 NOTE: If you have a lot of IBGP neighbors, you can configure some IBGP routers as route reflectors. By doing so, you can reduce the number of neighbors you need to configure on each router. Without route reflectors, all IBGP routers must be fully meshed to ensure proper route propagation.
  • Page 768 Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed. Click on the plus sign next to Configure in the tree view to expand the list of configuration options.
  • Page 769 Configuring BGP4 The <num> indicates the number of route-attribute entries allowed on the router. See “Memory Considerations” on page 19-9 for the maximum for your device. The change takes effect after the router is rebooted. USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access.
  • Page 770: Displaying Bgp4 Information

    Foundry Switch and Router Installation and Configuration Guide Displaying BGP4 Information You can display the following configuration information and statistics for the BGP4 protocol on the router: • Summary BGP4 configuration information for the router • Active BGP4 configuration information (the BGP4 information in the running-config) •...
  • Page 771 Configuring BGP4 Table 19.4: BGP4 Summary Information (Continued) This Field... Displays... Maximum Number of Paths Supported for Load Sharing: The maximum number of route paths across which the device can balance traffic to the same destination. The feature is enabled by default but the default number of paths is 1.
  • Page 772 Foundry Switch and Router Installation and Configuration Guide Table 19.4: BGP4 Summary Information (Continued) This Field... Displays... State The state of this router’s neighbor session with each neighbor. The states are from this router’s perspective of the session, not the neighbor’s perspective.
  • Page 773: Displaying The Active Bgp4 Configuration

    Configuring BGP4 Table 19.4: BGP4 Summary Information (Continued) This Field... Displays... RtSent The number of BGP4 routes that the Layer 3 Switch has sent to the neighbor. RtToSend The number of routes the Layer 3 Switch has queued to send to this neighbor.
  • Page 774 Foundry Switch and Router Installation and Configuration Guide BigIron# show process cpu Process Name 5Sec(%) 1Min(%) 5Min(%) 15Min(%) Runtime(ms) 0.01 0.03 0.09 0.22 0.04 0.06 0.08 0.14 ICMP 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 OSPF 0.00 0.00 0.00 0.00...
  • Page 775 Configuring BGP4 History Routes:0 NLRIs Received in Update Message:19, Withdraws:1, Replacements:0 NLRIs Discarded due to Maximum Prefix Limit:0, AS Loop:0, Invalid Nexthop:0 Duplicated Originator_ID:0, Cluster_ID:0 Routes Advertised:2, To be Sent:0, To be Withdrawn:0 NLRIs Sent in Update Message:2, Withdraws:0, Replacements:0 Peer Out of Memory Count for: Receiving Update Messages:0, Accepting Routes(NLRI):0 Attributes:0, Outbound Routes(RIB-out):0...
  • Page 776 Foundry Switch and Router Installation and Configuration Guide Table 19.5: BGP4 Route Summary Information for a Neighbor (Continued) This Field... Displays... NLRIs Discarded due to Indicates the number of times the Layer 3 Switch discarded an NLRI for the neighbor due to the following reasons: •...
  • Page 777: Displaying Bgp4 Neighbor Information

    Configuring BGP4 Displaying BGP4 Neighbor Information You can display configuration information and statistics for the router’s BGP4 neighbors using either of the following methods. USING THE CLI To view BGP4 neighbor information for the router, enter the following command: BigIron# show ip bgp neighbors 192.168.4.211 IP Address EBGP/IBGP RouterID...
  • Page 778 Foundry Switch and Router Installation and Configuration Guide • best – Displays the routes received from the neighbor that the Layer 3 Switch selected as the best routes to their destinations. • not-installed-best – Displays the routes received from the neighbor that are the best BGP4 routes to their destinations, but were nonetheless not installed in the IP route table because the Layer 3 Switch received better routes from other sources (such as OSPF, RIP, or static IP routes).
  • Page 779 Configuring BGP4 Table 19.6: BGP4 Neighbor Information (Continued) This Field... Displays... State The state of the router’s session with the neighbor. The states are from this router’s perspective of the session, not the neighbor’s perspective. The state values are based on the BGP4 state machine values described in RFC 1771 and can be one of the following for each router: •...
  • Page 780 Foundry Switch and Router Installation and Configuration Guide Table 19.6: BGP4 Neighbor Information (Continued) This Field... Displays... RefreshCapability Whether this Layer 3 Switch has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability. SendCommunity Whether this option is enabled for the neighbor.
  • Page 781 Configuring BGP4 Table 19.6: BGP4 Neighbor Information (Continued) This Field... Displays... Last Connection Reset Reason The reason the previous session with this neighbor ended. The reason can be one of the following: • Reasons described in the BGP specifications: • Message Header Error •...
  • Page 782 Foundry Switch and Router Installation and Configuration Guide Table 19.6: BGP4 Neighbor Information (Continued) This Field... Displays... Last Connection Reset Reason • Reasons specific to the Foundry implementation: (cont.) • Reset All Peer Sessions • User Reset Peer Session •...
  • Page 783 Configuring BGP4 Table 19.6: BGP4 Neighbor Information (Continued) This Field... Displays... Notification Sent If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error.
  • Page 784 Foundry Switch and Router Installation and Configuration Guide Table 19.6: BGP4 Neighbor Information (Continued) This Field... Displays... TCP Connection state The state of the connection with the neighbor. The connection can have one of the following states: • LISTEN – Waiting for a connection request.
  • Page 785 Configuring BGP4 Table 19.6: BGP4 Neighbor Information (Continued) This Field... Displays... UnAckSeq The current acknowledged sequence number. IRcvSeq The initial receive sequence number for the session. RcvNext The next sequence number expected from the neighbor. SendWnd The size of the send window. TotalRcv The number of sequence numbers received from the neighbor.
  • Page 786 Foundry Switch and Router Installation and Configuration Guide NLRIs Sent in Update Message:2, Withdraws:0, Replacements:0 Peer Out of Memory Count for: Receiving Update Messages:0, Accepting Routes(NLRI):0 Attributes:0, Outbound Routes(RIB-out):0 This display shows the following information. Table 19.7: BGP4 Route Summary Information for a Neighbor This Field...
  • Page 787 Configuring BGP4 Table 19.7: BGP4 Route Summary Information for a Neighbor (Continued) This Field... Displays... Routes Advertised The number of routes the Layer 3 Switch has advertised to this neighbor. • To be Sent – The number of routes the Layer 3 Switch has queued to send to this neighbor.
  • Page 788 Foundry Switch and Router Installation and Configuration Guide Displaying the Best Received Routes To display the routes received from a specific neighbor that are the “best” routes to their destinations, enter a command such as the following at any level of the CLI: BigIron(config-bgp-router)# show ip bgp neighbor 192.168.4.211 received-routes best...
  • Page 789: Displaying Summary Route Information

    Configuring BGP4 Displaying Summary Route Information To display summary route information, use the following CLI method. USING THE CLI To display summary statistics for all the routes in the Layer 3 Switch’s BGP4 route table, enter a command such as the following at any level of the CLI: BigIron(config-bgp-router)# show ip bgp routes summary Total number of BGP routes (NLRIs) Installed : 20...
  • Page 790 Foundry Switch and Router Installation and Configuration Guide USING THE CLI To view the BGP4 route table, enter the following command: To display all the BGP4 routes in the Layer 3 Switch’s BGP4 route table that are the best routes to their...
  • Page 791 Configuring BGP4 Displaying the Best BGP4 Routes To display all the BGP4 routes in the Layer 3 Switch’s BGP4 route table that are the best routes to their destinations, enter a command such as the following at any level of the CLI: BigIron(config-bgp-router)# show ip bgp routes best Searching for matching routes, use ^C to quit...
  • Page 792 Foundry Switch and Router Installation and Configuration Guide For information about the fields in this display, see Table 19.9 on page 19-110. The fields in this display also appear in the show ip bgp display. Displaying Information for a Specific Route To display information for a specific BGP4 route, use either of the following methods.
  • Page 793 Configuring BGP4 Table 19.9: BGP4 Network Information (Continued) This Field... Displays... Weight The value that this router associates with routes from a specific neighbor. For example, if the router receives routes to the same destination from two BGP4 neighbors, the router prefers the route from the neighbor with the larger weight.
  • Page 794 Foundry Switch and Router Installation and Configuration Guide Displaying Route Details Here is an example of the information displayed when you use the detail option. In this example, the information for one route is shown. BigIron# show ip bgp routes detail...
  • Page 795 Configuring BGP4 Table 19.10: BGP4 Network Information (Continued) This Field... Displays... Atomic Whether network information in this route has been aggregated and this aggregation has resulted in information loss. Note: Information loss under these circumstances is a normal part of BGP4 and does not indicate an error.
  • Page 796 Foundry Switch and Router Installation and Configuration Guide Table 19.10: BGP4 Network Information (Continued) This Field... Displays... RIB_out The number of neighbors to which the route has been or will be advertised. This is the number of times the route has been selected as the best route and placed in the Adj-RIB-Out (outbound queue) for a BGP4 neighbor.
  • Page 797 Configuring BGP4 Table 19.11: BGP4 Route-Attribute Entries Information (Continued) This Field... Displays... Next Hop The IP address of the next hop router for routes that have this set of attributes. Metric The cost of the routes that have this set of attributes. Origin The source of the route information.
  • Page 798: Displaying The Routes Bgp4 Has Placed In The Ip Route Table

    Foundry Switch and Router Installation and Configuration Guide Displaying the Routes BGP4 Has Placed in the IP Route Table The IP route table indicates the routes it has received from BGP4 by listing “BGP” as the route type. You can view the IP route table using either of the following methods.
  • Page 799 Configuring BGP4 Syntax: show ip bgp flap-statistics [regular-expression <regular-expression> | <address> <mask> [longer-prefixes] | neighbor <ip-addr> | filter-list <num>...] The regular-expression <regular-expression> parameter is a regular expression. The regular expressions are the same ones supported for BGP4 AS-path filters. See “Using Regular Expressions” on page 19-53. The <address>...
  • Page 800: Displaying The Active Route Map Configuration

    Foundry Switch and Router Installation and Configuration Guide Displaying the Active Route Map Configuration To view the device’s active route map configuration (contained in the running-config) without displaying the entire running-config, use the following CLI method. USING THE CLI To display the device’s active route map configuration, enter the following command at any level of the CLI:...
  • Page 801: Clearing Route Flap Dampening Statistics

    Configuring BGP4 peer group. The <as-num> parameter specifies all neighbors within the specified AS. The all parameter specifies all neighbors. USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.
  • Page 802 RFC 2842. This RFC specifies the Capability Advertisement, which a BGP4 router uses to dynamically negotiate a capability with a neighbor. • RFC 2858 for Multi-protocol Extension. NOTE: The Foundry implementation of dynamic route refresh supports negotiation of IP version 4 unicasts only. • bgp-draft-route-refresh-1.txt, which describes the dynamic route refresh capability. The dynamic route refresh capability is enabled by default when you upgrade to software release 07.1.00 and...
  • Page 803: Closing Or Resetting A Neighbor Session

    Adj-RIB-Out to the neighbor. NOTE: The Foundry Layer 3 Switch does not automatically update outbound routes using a new or changed outbound policy or filter when a session with the neighbor goes up or down. Instead, the Layer 3 Switch applies a new or changed policy or filter when a route is placed in the outbound queue (Adj-RIB-Out).
  • Page 804: Removing Route Flap Dampening

    If you use the soft-outbound option, the Layer 3 Switch compiles a list of all the routes it would normally send to the neighbor at the beginning of a session. However, before sending the updates, the Foundry Layer 3 Switch also applies the filters and route maps you have configured to the list of routes. If the filters or route maps result in changes to the list of routes, the Layer 3 Switch sends updates to advertise, change, or even withdraw routes on the neighbor as needed.
  • Page 805: Clearing Diagnostic Buffers

    Neighbor Information” on page 19-95. This information can be useful if you are working with Foundry Technical Support to resolve a problem. The buffers do not identify the system time when the data was written to the buffer. If you want to ensure that diagnostic data in a buffer is recent, you can clear the buffers.
  • Page 806 Foundry Switch and Router Installation and Configuration Guide Click on the plus sign next to Command in the tree view to expand the list of command options. Click on the Clear link to display the Clear panel. Select one of the following: •...
  • Page 807 Internet to the private networks. Figure 20.1 shows a basic example of a network using NAT on a Foundry device. In this example, a BigIron 8000 Layer 3 Switch is using NAT to translate traffic originated from the hosts on the 10.10.10.x/24 sub-net into public addresses from the address pool.
  • Page 808 Internet address when communicating outside the private network. NOTE: You can configure both dynamic and static NAT on the same Foundry device. When you configure both types of NAT, static NAT takes precedence over dynamic NAT. Thus, if you configure a static NAT translation for a private address, the device always uses that translation instead of creating a dynamic one.
  • Page 809 Address Translation maps a client’s IP address and TCP or UDP port number to both an IP address and a TCP or UDP port number. In this way, the Foundry device can map many private addresses to the same public address and use TCP or UDP port numbers to uniquely identify the private hosts.
  • Page 810: Configuring Nat

    Foundry Switch and Router Installation and Configuration Guide Maximum Number of Addresses If the Layer 3 Switch cannot allocate an address because it has run out of addresses, the Layer 3 Switch drops the packet and sends an ICMP Host Unreachable packet.
  • Page 811 Network Address Translation NOTE: You must configure inside NAT on one interface and outside NAT on another interface. The device performs NAT for traffic between the interfaces. In addition to the tasks listed above, you can modify the age timers for the address translation entries the device creates.
  • Page 812 These commands configure a standard ACL for the private sub-net 10.10.10.x/24, then enable inside NAT for the sub-net. Make sure you specify permit in the ACL, rather than deny. If you specify deny, the Foundry device will not provide NAT for the addresses.
  • Page 813 Network Address Translation and using a TCP or UDP port number to distinguish among the private hosts. The device supports up to 50 global IP addresses with this feature enabled. Enabling NAT The NAT configuration does not take effect until you enable it on specific interfaces. You can enable NAT on Ethernet ports and on virtual interfaces.
  • Page 814 Foundry Switch and Router Installation and Configuration Guide Each NAT entry remains in the NAT translation table until the entry ages out. The age timers apply globally to all interfaces on which NAT is enabled. • Dynamic timeout – This age timer applies to all entries (static and dynamic) that do not use Port Address Translation.
  • Page 815: Displaying Nat Statistics

    Network Address Translation BigIron(config)# show ip nat translation Pro Inside global Inside local Outside local Outside global --- 209.157.1.69 10.10.10.69 207.195.2.12 207.195.2.12 --- 209.157.1.72 10.10.10.2 207.195.4.69 207.195.4.69 Syntax: show ip nat translation The show ip nat translation command shows the following information. Table 20.1: CLI Display of Active NAT Translations This Field...
  • Page 816 Foundry Switch and Router Installation and Configuration Guide Syntax: show ip nat statistics The show ip nat statistics command shows the following information. Table 20.2: CLI Display of NAT Statistics This Field... Displays... Total translations The number of translations that are currently active. This number changes when translations are added or age out.
  • Page 817 Network Address Translation Table 20.2: CLI Display of NAT Statistics (Continued) This Field... Displays... Sess Lists session statistics. NAT uses the session table for managing the translations. • Total – The total number of both used and available internal session resources. •...
  • Page 818 Foundry Switch and Router Installation and Configuration Guide This command clears the inside NAT entry that maps private address 10.10.10.5 to Internet address 209.157.1.43. Here is the syntax for this form of the command. Syntax: clear ip nat inside <global-ip> <private-ip>...
  • Page 819 Network Address Translation NAT: tcp data src 10.10.100.18:1144 => trans 192.168.2.78:8012 dst 192.168.3.11:53 NAT: 192.168.2.78:8012 192.168.3.11:53 flags A ID 65302 len 40 txfid 13 NAT: tcp data src 10.10.100.18:1144 => trans 192.168.2.78:8012 dst 192.168.3.11:53 NAT: 192.168.2.78:8012 192.168.3.11:53 flags FA ID 23 len 40 txfid 13 NAT: tcp data dest 192.168.2.78:8012 =>...
  • Page 820: Configuration Examples

    Foundry Switch and Router Installation and Configuration Guide Configuration Examples This section shows two complete configuration examples for NAT. The examples are based on different network topologies. • NAT clients connected to the Layer 3 Switch by a Layer 2 Switch.
  • Page 821 Network Address Translation Layer 2 Switch Commands The following commands access the configuration level of the CLI on the Foundry FastIron Workgroup Layer 2 Switch, then configure an IP address and specify the default gateway. The Layer 2 Switch connects the private address clients to the Layer 3 Switch in Figure 20.2.
  • Page 822 You can use a virtual interface for routing only when you add the interface to a port-based VLAN. A port-based VLAN is a separate Layer 2 broadcast domain, a logical Layer 2 Switch within the Foundry device. The Layer 3 Switch uses virtual interfaces to route Layer 3 traffic between port-based VLANs.
  • Page 823 Network Address Translation [Figure: NAT network diagram. Callout: The device performs NAT for traffic between the outside NAT interface and the inside NAT interface. Labels: Internet; NAT Pool = 63.251.295.47/26 - 63.251.295.48/26; Internet access router 63.251.295.1/26; Outside NAT interface; Virtual interface 15; 63.251.295.46/26; 8/16; 8/24; 10.10.10.2; 10.10.10.3; 10.10.10.4; Inside NAT interface...]
  • Page 824 Foundry Switch and Router Installation and Configuration Guide BigIron(config)# vlan 3 by port BigIron(config-vlan-3)# untagged ethernet 1/1 BigIron(config-vlan-3)# router-interface ve 15 BigIron(config-vlan-3)# exit The following command configures an ACL to identify the range of private addresses for which you want to provide NAT services.
  • Page 825 Network Address Translation The following command saves all the configuration changes above to the Layer 3 Switch’s startup-config file on flash memory. The Layer 3 Switch applies NAT configuration information as soon as you enter it into the CLI. Saving the changes to the startup-config file ensures that the changes are reinstated following a system reload. BigIron(config)# write memory
  • Page 827 NOTE: VRRP and VRRPE are separate protocols. You cannot use them together. NOTE: You can use a Foundry Layer 3 Switch configured for VRRP with another Foundry Layer 3 Switch or a third-party router that is also configured for VRRP. You can use a Foundry Layer 3 Switch configured for VRRPE only with another Foundry Layer 3 Switch that also is configured for VRRPE.
  • Page 828: Overview Of Vrrp

    Foundry Switch and Router Installation and Configuration Guide Overview The following sections describe VRRP and VRRPE. The protocols both provide redundant paths for IP addresses. However, the protocols differ in a few important ways. For clarity, each protocol is described separately.
  • Page 829 Configuring VRRP and VRRPE Figure 21.2 shows the same example network shown in Figure 21.1, but with a VRRP virtual router configured on Router1 and Router2. [Figure 21.2 labels: Internet; enterprise Intranet; e 2/4; e 3/2; VRID1; Router1 = Master; Router2 = Backup; e 1/6 192.53.5.1...]
  • Page 830 Virtual Router IP Address Unlike Foundry Standby Router Protocol (FSRP), VRRP does not use virtual IP addresses. Thus, there is no virtual IP address associated with a virtual router. Instead, you associate the virtual router with one or more real interface IP addresses configured on the router that owns the real IP address(es).
  • Page 831 Track Ports and Track Priority The Foundry implementation of VRRP enhances the protocol by giving a VRRP router the capability to monitor the state of the interfaces on the other end of the route path through the router. For example, in Figure 21.2 on page 21-3, interface e1/6 on Router1 owns the IP address to which Host1 directs route traffic on its default gateway.
  • Page 832: Overview Of Vrrpe

    Foundry Switch and Router Installation and Configuration Guide NOTE: The MD5 authentication type is not supported for VRRP. Independent Operation of VRRP alongside RIP, OSPF, and BGP4 VRRP operation is independent of the RIP, OSPF, and BGP4 protocols. Their operation is unaffected when VRRP is enabled on a RIP, OSPF, or BGP4 interface.
  • Page 833 Configuring VRRP and VRRPE The most important difference is that all VRRPE routers are Backups. There is no Owner router. VRRPE overcomes the limitations in standard VRRP by removing the Owner. Figure 21.3 shows an example of a VRRPE configuration. [Figure 21.3 labels: Internet; enterprise Intranet...]
  • Page 834: Architectural Differences

    • Track ports – A Foundry feature that enables you to diagnose the health of all the Layer 3 Switch’s ports used by the backed-up VRID, instead of only the port connected to the client sub-net. See “Track Ports and Track Priority”...
  • Page 835: Vrrp And Vrrpe Parameters

    IP address (the one you are backing up) on both the Primary Router and the Backup Router. NOTE: If your Foundry routers already are using FSRP and you do not need redundancy with devices that cannot use FSRP, you do not need to reconfigure your routers to use VRRP or VRRPE.
  • Page 836 Foundry Switch and Router Installation and Configuration Guide Table 21.1: VRRP and VRRPE Parameters (Continued) Parameter: Virtual Router IP address. Default: None. See page: 21-4, 21-12. Description: This is the address you are backing up. No default. • VRRP – The virtual router IP address must be a...
  • Page 837 Configuring VRRP and VRRPE Table 21.1: VRRP and VRRPE Parameters (Continued) Parameter: Backup priority. Default: VRRP – 255 for the Owner; 100 for each Backup. See page: 21-15. Description: A numeric value that determines a Backup’s preferability for becoming the Master for the VRID. During negotiation, the router with the highest priority becomes the Master.
  • Page 838: Configuring Basic Vrrp Parameters

    Foundry Switch and Router Installation and Configuration Guide Table 21.1: VRRP and VRRPE Parameters (Continued) Parameter: Track priority. See page: 21-5. Default: VRRP – 2; VRRPE –... Description: A VRRP or VRRPE priority value assigned to the tracked port(s). If a tracked port’s link goes down, the...
  • Page 839: Configuring Basic Vrrpe Parameters

    Configuring VRRP and VRRPE Configuring Basic VRRPE Parameters To implement a simple VRRPE configuration using all the default values, enter commands such as the following on each Layer 3 Switch. Router2(config)# router vrrp-extended Router2(config)# inter e 1/5 Router2(config-if-1/5)# ip address 192.53.5.3 Router2(config-if-1/5)# ip vrrp-extended vrid 1 Router2(config-if-1/5-vrid-1)# backup Router2(config-if-1/5-vrid-1)# ip-address 192.53.5.254...
  • Page 840 See “VRRP and VRRPE Parameters” on page 21-9 for a summary of the parameters and their defaults. Authentication Type If the interfaces on which you configure the VRID use authentication, the VRRP or VRRPE packets on those interfaces also must use the same authentication. Foundry’s implementation of VRRP and VRRPE supports the following authentication types: •...
  • Page 841 Configuring VRRP and VRRPE VRRPE Syntax Syntax: ip vrrp-extended auth-type no-auth | simple-text-auth <auth-data> The parameter values are the same as for VRRP. Router Type A VRRP interface is either an Owner or a Backup for a given VRID. By default, the Owner becomes the Master following the negotiation.
  • Page 842 Foundry Switch and Router Installation and Configuration Guide NOTE: You cannot set the priority of a VRRP Owner. The Owner’s priority is always 255. VRRPE Syntax Syntax: backup [priority <value>] [track-priority <value>] The software requires you to identify a VRRPE interface as a Backup for its VRID before you can activate the interface for the VRID.
  • Page 843 Configuring VRRP and VRRPE Router2(config-if-1/5)# ip vrrp vrid 1 Router2(config-if-1/5-vrid-1)# dead-interval 30 Syntax: dead-interval <value> The syntax is the same for VRRP and VRRPE. Backup Hello Message State and Interval By default, Backups do not send Hello messages to advertise themselves to the Master. You can enable these messages if desired and also change the message interval.
  • Page 844: Forcing A Master Router To Abdicate To A Standby Router

    Foundry Switch and Router Installation and Configuration Guide goes down, the software changes the VRRPE interface’s priority to 40. If another tracked interface goes down, the software reduces the VRID’s priority again, by the amount of the tracked interface’s track priority.
  • Page 845: Displaying Vrrp And Vrrpe Information

    Configuring VRRP and VRRPE Syntax: [no] owner priority | track-priority <num> The <num> parameter specifies the new priority and can be a number from 1 – 254. When you press Enter, the software changes the priority of the Master to the specified priority. If the new priority is lower than at least one Backup’s priority for the same VRID, the Backup takes over and becomes the new Master until the next software reload or system reset.
  • Page 846 Foundry Switch and Router Installation and Configuration Guide Interface VRID CurPri P State Master addr Backup addr P Init 192.53.5.1 192.53.5.3 192.53.5.1 This example is for VRRP. Here is an example for VRRPE: BigIron Router(config-if-e1000-1/6-vrid-1)# show ip vrrp-extended brief Total number of VRRP-Extended routers defined: 1...
  • Page 847: Displaying Detailed Information

    Configuring VRRP and VRRPE Table 21.2: CLI Display of VRRP or VRRPE Summary Information (Continued) This Field... Displays... State This Layer 3 Switch’s VRRP or VRRPE state for the VRID. The state can be one of the following: • Init – The VRID is not enabled (activated). If the state remains Init after you activate the VRID, make sure that the VRID is also configured on the other routers and that the routers can communicate with each other.
  • Page 848 Foundry Switch and Router Installation and Configuration Guide VRID 1 state backup administrative-status enabled mode non-owner(backup) priority 100 current priority 100 hello-interval 1 sec dead-interval 3.600 sec current dead-interval 3.600 sec preempt-mode true advertise backup: enabled backup router 192.53.5.3 expires in 00:00:03...
  • Page 849 Configuring VRRP and VRRPE Table 21.3: CLI Display of VRRP or VRRPE Detailed Information (Continued) This Field... Displays... Interface parameters Interface The interface on which VRRP or VRRPE is configured. If VRRP or VRRPE is configured on multiple interfaces, information for each interface is listed separately.
  • Page 850 Foundry Switch and Router Installation and Configuration Guide Table 21.3: CLI Display of VRRP or VRRPE Detailed Information (Continued) This Field... Displays... current priority The current VRRP or VRRPE priority of this Layer 3 Switch for the VRID. The current priority can differ from the configured priority (see the row above) for the following reasons: •...
  • Page 851 Configuring VRRP and VRRPE Table 21.3: CLI Display of VRRP or VRRPE Detailed Information (Continued) This Field... Displays... next hello sent in <time> How long until the Backup sends its next Hello message. Note: This field applies only when this Layer 3 Switch is the Master and the Backup is configured to send Hello messages (the advertise backup option is enabled).
  • Page 852 Foundry Switch and Router Installation and Configuration Guide Table 21.4: Web Display of VRRP Detailed Information (Continued) This Field... Displays... Virtual Router table Port The interface number. All the device’s interfaces are listed. The VRID configured on this interface. If multiple VRIDs are configured on the interface, information for each VRID is listed separately.
  • Page 853: Displaying Statistics

    Configuring VRRP and VRRPE Displaying Statistics To display VRRP or VRRPE statistics, use either of the following methods. USING THE CLI To display statistics, enter a command such as the following at any level of the CLI: BigIron Router(config-if-e1000-1/5-vrid-1)# show ip vrrp stat Interface ethernet 1/5 rxed vrrp header error count = 0 rxed vrrp auth error count = 0...
  • Page 854 Foundry Switch and Router Installation and Configuration Guide Table 21.5: CLI Display of VRRP or VRRPE Statistics (Continued) This Field... Displays... rxed vrrp vrid not found error count The number of VRRP or VRRPE packets received by the interface that contained a VRID that is not configured on this interface.
  • Page 855 Configuring VRRP and VRRPE This display shows the following information. Table 21.6: Web Display of VRRP Statistics This Field... Displays... Virtual Router panel Port The interface on which VRRP is configured. If VRRP is configured on more than one interface, the display lists the statistics separately for each interface.
  • Page 856: Clearing Vrrp Or Vrrpe Statistics

    Foundry Switch and Router Installation and Configuration Guide Table 21.6: Web Display of VRRP Statistics (Continued) This Field... Displays... Rcv Priority Zero from Master The number of packets received that did not match the configuration for the receiving interface. Rcv Higher Priority The number of VRRP packets received by the interface that had a higher backup priority for the VRID than this Layer 3 Switch’s backup...
  • Page 857: Vrrp Example

    Configuring VRRP and VRRPE 0.00 0.00 0.00 0.00 VRRP 0.03 0.07 0.09 0.10 If the software has been running less than 15 minutes (the maximum interval for utilization statistics), the command indicates how long the software has been running. Here is an example: BigIron# show process cpu The system has only been up for 6 seconds.
  • Page 858 Foundry Switch and Router Installation and Configuration Guide Router1(config-if-1/6)# ip vrrp vrid 1 Router1(config-if-1/6-vrid-1)# owner track-priority 20 Router1(config-if-1/6-vrid-1)# track-port ethernet 2/4 Router1(config-if-1/6-vrid-1)# ip-address 192.53.5.1 Router1(config-if-1/6-vrid-1)# activate NOTE: When you configure the Master (Owner), the address you enter with the ip-address command must already be configured on the interface.
  • Page 859 Configuring VRRP and VRRPE NOTE: Some of the data entry fields contain zeros. When you save a VRRP definition, the software uses the default values for the parameters instead of zeros. The Web management interface shows zeros instead of the defaults because the defaults differ depending on whether you are creating an Owner or a Backup.
  • Page 860 Foundry Switch and Router Installation and Configuration Guide Select the interface from the pulldown list on the Port field. In this example, select 1/6. Enter the VRID in the Router ID field. In this example, use the default value, 1.
  • Page 861: Vrrpe Example

    Configuring VRRP and VRRPE Configuring Router2 Using the Web Management Interface To configure VRRP Router2 in Figure 21.2 on page 21-3 after you enable VRRP: Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed.
  • Page 862 Foundry Switch and Router Installation and Configuration Guide Configuring Router1 Using the CLI To configure VRRP Router1 in Figure 21.3 on page 21-7, enter the following commands: Router1(config)# router vrrp-extended Router1(config)# inter e 1/6 Router1(config-if-1/6)# ip address 192.53.5.2 Router1(config-if-1/6)# ip vrrp-extended vrid 1...
  • Page 863 Details for configuring FSRP with the CLI and the Web management interface are shown. For detailed summaries of all CLI commands, including the syntax and ranges of parameter values, see the Foundry Switch and Router Command Line Interface Reference.
  • Page 864 Foundry Switch and Router Installation and Configuration Guide [Figure: network diagram showing Host 1 and Host 2, each with default router 192.53.5.1, Router 1, Router 2, and the virtual router]
  • Page 865 Configuring FSRP FSRP Support on Virtual Interfaces FSRP is supported on both physical and virtual interfaces. Support on a virtual interface allows you to assign a single virtual interface to serve as a redundant link for multiple ports within a VLAN. For example, in Figure 22.2, virtual interface 1 represents ports 1, 2, and 3 for NetIron1.
  • Page 866 Foundry Switch and Router Installation and Configuration Guide If a change in state (up or down) is detected by the track port, the priority of the FSRP Group Interface will automatically be increased or decreased. NOTE: Virtual router interfaces cannot be assigned as track ports.
  • Page 867 The Virtual Router Redundancy Protocol (VRRP) is a standards-based protocol that provides redundancy to routers within a LAN. VRRP is described in RFC 2338. Foundry’s implementation of VRRP provides many of the same features as FSRP. In addition, VRRP enables you to configure third-party devices that adhere to RFC 2338 along with Foundry devices as virtual routers.
  • Page 868 Foundry Switch and Router Installation and Configuration Guide NOTE: If your Foundry routers already are using FSRP and you do not need redundancy with devices that cannot use FSRP, you do not need to reconfigure your routers to use VRRP.
  • Page 869 Configuring FSRP NOTE: All FSRP configurations are implemented using a single configuration panel of the Web management interface. Given this, all other configuration steps, other than enabling the feature, are shown in a separate section at the end of this chapter rather than interspersed with CLI examples. Assign Virtual Router IP Addresses In the examples in this section, FSRP is used to provide a redundant path between Host 1 and Host 3 to ensure against failure of the primary path.
  • Page 870 Foundry Switch and Router Installation and Configuration Guide To establish the virtual IP address 192.55.4.1 for interface C defined by IP address 192.55.4.2 and Ethernet port 20, enter the following commands: Router1(config)# inter e 20 Router1(config-if-20)# ip fsrp address 192.55.4.2 vir-rtr-ip 192.55.4.1 other-rtr-ip 192.55.4.3...
  • Page 871 Configuring FSRP Router1(config-if-17)# int e 20 Router1(config-if-20)# ip fsrp address 192.55.4.2 preference 200 Modify Port Parameters (optional) The user can also modify two port parameters for FSRP: the keep-alive-time and the router-dead-interval. Keep Alive Time The keep-alive-time parameter allows you to modify how often the FSRP hello message is sent on the interface on which the keep-alive-time is configured.
  • Page 872 Foundry Switch and Router Installation and Configuration Guide Click on the FSRP link. • If the device does not have an FSRP configuration, the FSRP configuration panel is displayed. • If FSRP is already configured but you are adding a new FSRP configuration, click on the Add Interface link to display the FSRP configuration panel, as shown in the following example.
  • Page 873 Configuring FSRP 11. Repeat the steps above for each interface that is to be a redundant link. In this example, you would also need to configure interface B for router 1 and interfaces C and D for router 2. 12. Click the Add button to apply the changes to the device’s running-config file. 13.
  • Page 874 Foundry Switch and Router Installation and Configuration Guide In preparation for track port configuration on NetIron1, you would do the following: Configure an IP sub-net VLAN with port membership of 1, 2, and 3 on NetIron1. Enable FSRP on virtual interface 1.
  • Page 875: Overview Of Ipx

    Chapter 23 Configuring IPX This chapter describes how to configure the IPX protocol on the Foundry Layer 3 Switches using the CLI and Web management interface. To display IPX configuration information and statistics, see “Displaying IPX Configuration Information and Statistics” on page 23-16.
  • Page 876 Foundry Switch and Router Installation and Configuration Guide Define RIP, SAP, and forward filters (optional). Assign RIP, SAP, and Forward filter groups (optional). Modify the maximum number of SAP and RIP Route entries supported (optional). Modify the hop count increment for RIP and SAP broadcast packets (optional).
  • Page 877 Configuring IPX Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory. Click on the plus sign next to Command in the tree view to list the command options. Select the Reload link and select Yes when prompted to reload the software.
  • Page 878 Foundry Switch and Router Installation and Configuration Guide [Figure: IPX network diagram showing servers with internal network numbers 01010101 and 03030303, Network 100 and Network 300 (802.2), Client #1 and Client #3, SAP and RIP advertisements, and a NetIron]
  • Page 879 Configuring IPX Select the frame type from the pull down menu. Enable NetBIOS if desired. Click the Add button to apply the changes to the device’s running-config file. 10. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 880 Foundry Switch and Router Installation and Configuration Guide Enter a filter ID value from 1 – 32. Select either Permit or Deny. Enter the appropriate number for the destination socket of the application running in the Socket field. If you enter all zeros in this field, the filter will accept any socket.
  • Page 881 Configuring IPX 14. Select the port or slot/port combination to which you are assigning the filter(s). 15. Check either or both of the In Filter and Out Filter boxes. If you check the In Filter box, all incoming traffic is filtered as defined.
  • Page 882 Foundry Switch and Router Installation and Configuration Guide • If you are modifying an existing IPX RIP filter, click on the Modify button to the right of the row describing the filter to display the IPX RIP Filter configuration panel, as shown in the following example.
  • Page 883 Configuring IPX 15. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory. Configuring IPX SAP Access Control Lists (ACLs) You can configure Access Control Lists (ACLs) for filtering Service Advertisement Protocol (SAP) replies sent on a Layer 3 Switch’s IPX interfaces.
  • Page 884 Foundry Switch and Router Installation and Configuration Guide The node is a 48-bit value represented by three four-digit numbers joined by periods; for example, 1234.1234.1234. The [<network-mask>.<node-mask>] parameter lets you specify a comparison mask for the network and node. The mask consists of zeros (0) and ones (f). Ones indicate significant bits. For example, to configure a mask that matches on network abcdefxx, where xx can be any value and the node address can be any value, specify the following mask: ffffff00.0000.0000.0000...
  • Page 885 Configuring IPX Syntax: [no] ipx sap-access-list <num> deny | permit <network>[.<node>] [<network-mask>.<node-mask>] [<service-type> [<server-name>]] The <service-type> [<server-name>] parameter lets you specify a service type and, optionally, a specific server. Use these parameters when you are configuring an ACL for filtering Get Nearest Server (GNS) replies. The service type is a hexadecimal number.
  • Page 886 Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE To modify the maximum number of RIP or SAP route entries supported on a router: Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.
  • Page 887 Configuring IPX USING THE CLI To increase the hop count increment assessed to interface 5, enter the following commands: NetIron(config)# int e 5 NetIron(config-if-5)# ipx-rip-update-hop-count-increment 10 NetIron(config-if-5)# ipx-sap-update-hop-count-increment 10 Syntax: ipx-rip-update-hop-count-increment <2-15>, ipx-sap-update-hop-count-increment <2-15> USING THE WEB MANAGEMENT INTERFACE You cannot modify hop count increments using the Web management interface. Modify the RIP Advertisement Packet Size The default IPX RIP packet size is 432 bytes, which allows 50 routes plus 32 bytes of header in an IPX RIP update packet.
  • Page 888 Foundry Switch and Router Installation and Configuration Guide Syntax: ipx sap-max-packetsize <bytes> The number of bytes can be from 96 bytes (enough for one server) – 1440 bytes (enough for 22 servers). The default is 480 bytes. USING THE WEB MANAGEMENT INTERFACE You cannot modify the SAP advertisement packet size using the Web management interface.
  • Page 889 Configuring IPX Syntax: ipx sap-interval <interval> The <interval> can be from 10 – 65535 seconds. The default is 60. USING THE WEB MANAGEMENT INTERFACE You cannot modify the SAP advertisement interval using the Web management interface. Modify the Age Timer for Learned IPX Routes The age timer specifies how many seconds a learned IPX route can remain in the Layer 3 Switch's IPX route table before aging out.
  • Page 890 Foundry Switch and Router Installation and Configuration Guide Displaying IPX Configuration Information and Statistics You can use CLI commands and Web management options to display the following IPX information: • Global IPX parameter settings – see “Displaying Global IPX Configuration Information” on page 23-16.
  • Page 891 Configuring IPX Table 23.1: CLI Display of Global IPX Configuration Information (Continued) This Field... Displays... Maximum IPX SAP filters How many IPX service filters you can configure in the router. On some devices, you can change this value by changing the amount of memory allocated for the filters.
  • Page 892 Foundry Switch and Router Installation and Configuration Guide This display shows the following information. Table 23.2: CLI Display of IPX Interface Information This Field... Displays... Interface The port or virtual interface on which the IPX interface is configured. MAC address The MAC address of the interface.
  • Page 893 Configuring IPX Table 23.2: CLI Display of IPX Interface Information (Continued) This Field... Displays... sap-max-packet-size The maximum packet size for IPX SAP advertisements. The default IPX SAP packet size is 480 bytes, which allows seven servers plus 32 bytes of header in an IPX SAP update packet. To modify this parameter, see “Modify the SAP Advertisement Packet Size”...
  • Page 894: Displaying The Ipx Route Table

    Foundry Switch and Router Installation and Configuration Guide Table 23.3: CLI Display of IPX Forwarding Cache (Continued) This Field... Displays... Router The MAC address of the next-hop IPX router. If the destination is local, the address is shown as all zeros.
  • Page 895 Network The IPX network at the route’s destination. Router The MAC address of the next-hop IPX router. Hops The number of hops (routers) separating the Foundry Layer 3 Switch from the network. Ticks The number of ticks. Port The port through which the Layer 3 Switch sends traffic to the destination network.
  • Page 896 Foundry Switch and Router Installation and Configuration Guide This display shows the following information. Table 23.5: CLI Display of IPX Server Table This Field... Displays... Index The index number of the table entry. Network The network in which the server is located.
  • Page 897 Configuring IPX Table 23.6: CLI Display of IPX Traffic Statistics (Continued) This Field... Displays... Transmit The number of IPX packets originated on the Layer 3 Switch and sent on the port. Dropped Receive The number of packets received on this port by the Layer 3 Switch that the Layer 3 Switch dropped.
  • Page 898 Foundry Switch and Router Installation and Configuration Guide Click on the Port Counter link. This display shows the following information. Table 23.8: Web Display of IPX Port Statistics This Field... Displays... Port The port or virtual interface on which the IPX interface is configured.
  • Page 899: Address Assignment

    This chapter describes how to configure AppleTalk on Foundry Layer 3 Switches using the CLI and the Web management interface. Foundry Layer 3 Switches support Phase II of AppleTalk routing. For complete syntax information for the CLI commands shown in this chapter, see the Foundry Switch and Router Command Line Interface Reference.
  • Page 900 Foundry Switch and Router Installation and Configuration Guide An AppleTalk network address is a single 16-bit network number or a network range (cable range). The network range specifies a range of contiguous network numbers with start and end values. Zones AppleTalk zones are logical groupings of AppleTalk nodes defined within and across multiple networks as shown in Figure 24.1.
  • Page 901 RTMP establishes and maintains the AppleTalk routing table. AppleTalk routers use RTMP to exchange routing information at regular intervals to ensure that each router has the latest routing information. For Foundry Layer 3 Switches, the periodic updates are sent out every 10 seconds by default. AppleTalk Echo Protocol (AEP) AppleTalk routers use AEP to check connectivity to other devices on the network.
  • Page 902: Configuring Appletalk Routing

    Configuring AppleTalk Routing To begin using AppleTalk on a Foundry router, perform the following tasks: Enable AppleTalk on the router, if it is not already enabled. Configure AppleTalk as either a seed or a non-seed router.
  • Page 903 Configuring AppleTalk USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed. Select the Enable radio button next to AppleTalk. Click the Apply button to apply the changes to the device’s running-config file. Select the Save link at the bottom of the dialog.
  • Page 904 Foundry Switch and Router Installation and Configuration Guide Enabling AppleTalk Routing on an Interface To enable AppleTalk routing on interface 3, enter the following command: BigIron(config-if-3)# appletalk routing Saving Configuration Changes to the Interface Once you have configured the cable range, network address, zone(s), and AppleTalk routing for an interface, you can preserve the configuration changes by saving them to flash.
  • Page 905 Configuring AppleTalk Select the port or slot/port to be configured from the port pulldown menu(s). Modify the ARP age value from the default value of 10 minutes, if desired. Possible values are 1 – 240 minutes. Beginning in software release 06.0.00, the AppleTalk ARP age is a global parameter instead of an interface parameter.
  • Page 906 Foundry Switch and Router Installation and Configuration Guide Enabling AppleTalk Routing at the Global (System) Level To enable AppleTalk on the router, use one of the following methods: USING THE CLI BigIron(config)# router appletalk USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed.
  • Page 907 Configuring AppleTalk Select the port or slot/port to be configured from the port pulldown menu(s). Modify the ARP age value from the default value of 10 minutes, if desired. Possible values are 1 – 240 minutes. Beginning in software release 06.0.00, the AppleTalk ARP age is a global parameter instead of an interface parameter.
  • Page 908 Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed. Click on the plus sign next to Configure in the tree view to expand the list of configuration options.
  • Page 909 Configuring AppleTalk [Figure: AppleTalk zone diagram showing the Marketing and FieldService zones, Networks 200, 300 and 400, an Apple server, and a NetIron with numbered ports]
  • Page 910 Foundry Switch and Router Installation and Configuration Guide Click on the Zone Filter link. • If the device does not have any AppleTalk zone filters, the AppleTalk Zone Filter configuration panel is displayed, as shown in the following example. •...
  • Page 911 Configuring AppleTalk USING THE CLI To define the permit filter for HR on ports 10 and 14, enter the following commands: BigIron(config)# interface e 10 BigIron(config-if-10)# no appletalk routing BigIron(config-if-10)# appletalk permit zone HR BigIron(config-if-10)# deny additional-zones BigIron(config-if-10)# appletalk routing BigIron(config-if-10)# int e 14 BigIron(config-if-14)# no appletalk routing BigIron(config-if-14)# appletalk permit zone HR...
  • Page 912 In addition to supporting AppleTalk VLANs, Foundry routers support routing between AppleTalk VLANs using virtual interfaces. The virtual interfaces provide VLANs access to the router functions of Foundry routers. Using these virtual interfaces eliminates the need to assign a physical port for routing between local VLANs.
  • Page 913 Configuring AppleTalk Switch 300.50 Finance Zone AppleTalk Virtual Protocol VLAN Interface 3 Router 100.50 Marketing Zone Figure 24.3 Virtual interface provides a routing interface to an AppleTalk VLAN USING THE CLI To configure the AppleTalk VLAN as seen in Figure 24.3, enter the following commands: BigIron(config)# router appletalk BigIron(config)# vlan 1 BigIron(config-vlan-1)# atalk-proto...
  • Page 914 Foundry Switch and Router Installation and Configuration Guide To create the configuration shown in Figure 24.4, perform the following tasks. Create port-based VLANs 2 and 3. NOTE: Protocol VLANs must always be within the boundaries of a port-based domain. Whenever port and protocol VLANs operate on a system together, you must create the port-based VLAN before you create the protocol VLAN.
  • Page 915 Configuring AppleTalk To configure the physical interface (e8) to which all outgoing traffic is forwarded, enter the following commands: BigIron(config-vlan-atalk-proto)# int e8 BigIron(config-if-8)# appletalk cable-range 400 - 400 BigIron(config-if-8)# appletalk address 400.50 BigIron(config-if-8)# appletalk zone-name sales BigIron(config-if-8)# appletalk routing To configure the defined AppleTalk VLAN virtual interfaces ve3 and ve5, enter the following commands: BigIron(config-if-8)# int ve 5 BigIron(config-vif-5)# appletalk cable-range 100 - 100 BigIron(config-vif-5)# appletalk address 100.50...
  • Page 916 Foundry Switch and Router Installation and Configuration Guide Log on to the device using a valid user name and password for read-write access. If you have not already enabled AppleTalk, enable it by clicking on the Enable radio button next to AppleTalk on the System configuration dialog, then clicking Apply to apply the change.
  • Page 917 Configuring AppleTalk USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. Click on the plus sign next to Configure in the tree view to expand the list of configuration options. Click on the plus sign next to AppleTalk in the tree view to expand the list of AppleTalk option links.
  • Page 918 Foundry Switch and Router Installation and Configuration Guide EXAMPLE: To change the value to 50 seconds from a default value of 10 seconds, use one of the following methods. USING THE CLI BigIron(config)# appletalk rtmp-update-interval 50 Syntax: appletalk rtmp-update-interval <1-3600>...
  • Page 919 Configuring AppleTalk NOTE: For more details on these commands, see the Foundry Switch and Router Command Line Interface Reference. • show appletalk arp cache: Displays the ARP table for the AppleTalk routing protocol. Displays the forwarding table for the AppleTalk routing protocol.
  • Page 920 Foundry Switch and Router Installation and Configuration Guide USING THE WEB MANAGEMENT INTERFACE Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed. Click on the plus sign next to Command in the tree view to expand the list of command options.
  • Page 921: Types Of Vlans

    AppleTalk cable VLANs – a subset of ports in a port-based VLAN that share a common, exclusive network broadcast domain for a specified AppleTalk cable range When a Foundry device receives a packet on a port that is a member of a VLAN, the device forwards the packet based on the following VLAN hierarchy: •...
  • Page 922 Foundry device that constitutes a Layer 2 broadcast domain. By default, all the ports on a Foundry device are members of the default VLAN. Thus, all the ports on the device constitute a single Layer 2 broadcast domain. You can configure multiple port-based VLANs. When you configure a port-based VLAN, the device automatically removes the ports you add to the VLAN from the default VLAN.
  • Page 923 Configuring Virtual LANs (VLANs) Figure 25.1 shows an example of a Foundry device on which a Layer 2 port-based VLAN has been configured. DEFAULT-VLAN VLAN ID = 1 Layer 2 Port-based VLAN User-configured port-based VLAN When you add a port-based VLAN, the device removes all the ports in the new VLAN from DEFAULT-VLAN.
  • Page 924 Layer 3 protocol VLANs within a Layer 2 port-based VLAN Integrated Switch Routing (ISR) Foundry Networks’ Integrated Switch Routing (ISR) feature enables VLANs configured on Layer 3 Switches to route Layer 3 traffic from one protocol VLAN or IP sub-net, IPX network, or AppleTalk cable VLAN to another.
  • Page 925: Default Vlan

    Default VLAN By default, all the ports on a Foundry device are in a single port-based VLAN. This VLAN is called DEFAULT-VLAN and is VLAN number 1. Foundry devices do not contain any protocol VLANs or IP sub-net, IPX network, or AppleTalk cable VLANs by default.
  • Page 926 802.1q tagging is an IEEE standard that allows a networking device to add information to a Layer 2 packet in order to identify the VLAN membership of the packet. Foundry devices tag a packet by adding a four-byte tag to the packet.
  • Page 927 If you use tagging on multiple devices, each device must be configured for tagging and must use the same tag value. In addition, the implementation of tagging must be compatible on the devices. The tagging on all Foundry devices is compatible with other Foundry devices.
  • Page 928 Spanning Tree Protocol (STP) The default state of STP depends on the device type: • STP is disabled by default on Foundry Layer 3 Switches. • STP is enabled by default on Foundry Layer 2 Switches. Also by default, each port-based VLAN has a separate instance of STP. Thus, when STP is globally enabled, each port-based VLAN on the device runs a separate spanning tree.
  • Page 929: Virtual Interfaces

    Configuring Virtual LANs (VLANs) Virtual Interfaces A virtual interface is a logical routing interface that Foundry Layer 3 Switches use to route Layer 3 protocol traffic between protocol VLANs. Foundry devices send Layer 3 traffic at Layer 2 within a protocol VLAN. However, Layer 3 traffic from one protocol VLAN to another must be routed.
  • Page 930 VLAN and Virtual Interface Groups To simplify configuration, you can configure VLAN groups and virtual interface groups. When you create a VLAN group, the VLAN parameters you configure for the group apply to all the VLANs within the group. Additionally, you can easily associate the same IP sub-net interface with all the VLANs in a group by configuring a virtual interface group with the same ID as the VLAN group.
  • Page 931 (Figure legend: A = active port; C = candidate port.) When you add ports dynamically, all the ports are added when you add the VLAN. Figure 25.7: VLAN with dynamic ports—all ports are active when you create the VLAN. Figure 25.8 shows that ports in a new protocol VLAN that do not receive traffic for the VLAN’s protocol age out after 10 minutes and become candidate ports.
  • Page 932 Figure 25.9 shows what happens if a candidate port receives traffic for the VLAN’s protocol. Ports that time out remain candidates for membership in the VLAN and become active again if they receive traffic for the VLAN’s protocol, IP sub-net, IPX network, or AppleTalk cable range.
  • Page 933: Super Aggregated Vlans

    packets. Only when the port receives eight AppleTalk broadcast packets or eight DECnet broadcast packets does the port send the eighth packet of that protocol type. Figure 25.10 shows an example of a Layer 3 IP protocol VLAN with dynamic ports. Since the ports have dynamic membership, they are “leaky”.
  • Page 934: Summary Of Vlan Configuration Rules

    IP, IPX, or Appletalk protocol VLAN, IP sub-net VLAN, AppleTalk cable VLAN, or IPX network VLAN is defined within a port-based VLAN on a Foundry Layer 3 Switch. You also need to route these protocols to another port-based VLAN on the same router. You need to configure a separate virtual router...
  • Page 935 Some configurations may require simultaneous switching and routing of the same single protocol across different sets of ports on the same router. When IP, IPX, or Appletalk routing is enabled on a Foundry Layer 3 Switch, you can route these protocols on specific interfaces while bridging them on other interfaces. In this scenario, you can create two separate backbones for the same protocol, one bridged and one routed.
  • Page 936: Assigning A Different Vlan Id To The Default Vlan

    Dynamic Port Assignment (Layer 2 and Layer 3 Switches) All Layer 2 Switch ports are dynamically assigned to any Layer 3 VLAN on Foundry Layer 2 Switches and any non-routable VLAN on Foundry Layer 3 Switches. To maintain explicit control of the VLAN, you can explicitly exclude ports when configuring any Layer 3 VLAN on a Foundry Layer 2 Switch or any non-routable Layer 3 VLAN on a Foundry Layer 3 Switch.
  • Page 937: Ipx Network

    EXAMPLE: Figure 25.11 shows a simple port-based VLAN configuration using a single Foundry Layer 2 Switch. All ports within each VLAN are untagged. One untagged port within each VLAN is used to connect the Layer 2 Switch to a Layer 3 Switch (in this example, a NetIron) for Layer 3 connectivity between the two port-based VLANs.
  • Page 938 EXAMPLE: Figure 25.12 shows a more complex port-based VLAN configuration using multiple Layer 2 Switches and IEEE 802.1q VLAN tagging. The backbone link connecting the three Layer 2 Switches is tagged. One untagged port within each port-based VLAN on FastIron-A connects each separate network wide Layer 2 broadcast domain to the router for Layer 3 forwarding between broadcast domains.
  • Page 939
      FastIron-A(config-vlan-4)# spanning-tree
      FastIron-A(config-vlan-4)# spanning-tree priority 500
      FastIron-A(config-vlan-4)# vlan 5 name RED
      FastIron-A(config-vlan-5)# untag ethernet 13 to 16 ethernet 20
      FastIron-A(config-vlan-5)# tag ethernet 25 to 26
      FastIron-A(config-vlan-5)# spanning-tree
      FastIron-A(config-vlan-5)# spanning-tree priority 500
      FastIron-A(config-vlan-5)# end
      FastIron-A# write memory
    Configuring FastIron-B Enter the following commands to configure FastIron-B:
      FastIron>...
  • Page 940
      Syntax: [no] spanning-tree
      Syntax: spanning-tree [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value> hello-time <value> maximum-age <time> priority <value>
    Modifying a Port-Based VLAN You can make the following modifications to a port-based VLAN: •...
  • Page 941 Enable all packets exiting the Layer 2 Switch on VLAN 2 to transmit from the high priority hardware queue of each transmit interface. Note that possible QoS priority levels for Foundry Stackable devices are normal or high. For Chassis devices, possible levels are 0 (normal) – 7 (highest).
  • Page 942 Enable Spanning Tree on a VLAN The spanning tree bridge and port parameters are configurable using one CLI command set at the Global Configuration Level of each Port-based VLAN. Suppose you wanted to enable the IEEE 802.1d STP across VLAN 3.
  • Page 943
      • Hello Time – the interval of time between each configuration BPDU sent by the root bridge. Possible values: 1 – 10 seconds. Default is 2.
      • Priority – a parameter used to identify the root bridge in a network. The bridge with the lowest value has the highest priority and is the root.
  • Page 944 Figure 25.13 shows this configuration. [Figure 25.13: network diagram, NetIron Router]
  • Page 945
      FastIron(config-ip-subnet)# no dynamic
      FastIron(config-ip-subnet)# static ethernet 17 to 25
    To permanently assign ports 1 – 12 and port 25 to IPX network 1 VLAN, enter the following commands:
      FastIron(config-ip-subnet)# ipx-network 1 ethernet_802.3 name Blue
      FastIron(config-ipx-network)# no dynamic
      FastIron(config-ipx-network)# static ethernet 1 to 12 ethernet 25
      FastIron(config-ipx-network)#
    To permanently assign ports 12 –...
  • Page 946 [Figure: network diagram, NetIron Router and FastIron Workgroup switches]
  • Page 947
      FastIron-A(config-vlan-ip-proto)# ipx-proto name Blue
      FastIron-A(config-vlan-ipx-proto)# no dynamic
      FastIron-A(config-vlan-ipx-proto)# static e1 e5 to 8 e25 to 26
      FastIron-A(config-vlan-ipx-proto)# exclude e2 to 4
    To prevent machines with non-IP protocols from getting into the IP portion of VLAN 2, create another Layer 3 protocol VLAN to exclude all other protocols from the ports that comprise the IP-protocol VLAN.
  • Page 948
      FastIron-B(config-vlan-ip-proto)# exclude e5 to 8
      FastIron-B(config-vlan-ip-proto)# ipx-proto name Blue
      FastIron-B(config-vlan-ipx-proto)# no dynamic
      FastIron-B(config-vlan-ipx-proto)# static e5 to 8 e25 to 26
      FastIron-B(config-vlan-ipx-proto)# exclude e1 to 4
      FastIron-B(config-vlan-other-proto)# vlan 3 name IP-Sub_IPX-Net_VLANs
      FastIron-B(config-vlan-3)# untag e9 to 16...
  • Page 949 Routing Between VLANs using Virtual Interfaces (routers only) Foundry Layer 3 Switches offer the ability to create a virtual interface within a Layer 2 STP port-based VLAN or within each Layer 3 protocol, IP sub-net, or IPX network VLAN. This combination of multiple Layer 2 and/or Layer 3 broadcast domains and virtual interfaces is the basis for Foundry Networks’...
  • Page 950 USING THE CLI Configuring NetIron-A Enter the following commands to configure NetIron-A. The following commands enable OSPF or RIP routing and IPX routing.
      NetIron> en
      No password has been assigned yet...
      NetIron# configure terminal...
  • Page 951
      NetIron-A(config-vlan-3)# no spanning-tree
      NetIron-A(config-vlan-3)# ip-subnet 1.1.1.0/24
      NetIron-A(config-vlan-ip-subnet)# static e9 to 12
      NetIron-A(config-vlan-ip-subnet)# router-interface ve3
      NetIron-A(config-vlan-ip-subnet)# ipx-network 1 ethernet_802.3
      NetIron-A(config-vlan-ipx-network)# static e13 to 16
      NetIron-A(config-vlan-ipx-network)# router-interface ve4
      NetIron-A(config-vlan-ipx-network)# other-proto name block-other-protocols
      NetIron-A(config-vlan-other-proto)# exclude e9 to 16
      NetIron-A(config-vlan-other-proto)# no dynamic
      NetIron-A(config-vlan-other-proto)# interface ve 3
      NetIron-A(config-vif-3)# ip addr 1.1.1.1/24
      NetIron-A(config-vif-3)# ip ospf area 0.0.0.0...
  • Page 952 This completes the configuration for NetIron-A. The configuration for NetIron-B and C is very similar except for a few issues.
      • IP sub-nets and IPX networks configured on NetIron-B and NetIron-C must be unique across the entire network, except for the backbone port-based VLANs 5, 6, and 7 where the sub-net is the same but the IP address must change.
  • Page 953
      NetIron-B(config-vlan-4)# untag ethernet 17 to 24
      NetIron-B(config-vlan-4)# tag ethernet 25 to 26
      NetIron-B(config-vlan-4)# spanning-tree
      NetIron-B(config-vlan-4)# vlan 5 name Rtr_BB_to_Bldg.1
      NetIron-B(config-vlan-5)# tag e25
      NetIron-B(config-vlan-5)# no spanning-tree
      NetIron-B(config-vlan-5)# router-interface ve5
      NetIron-B(config-vlan-5)# vlan 7 name Rtr_BB_to_Bldg.3
      NetIron-B(config-vlan-7)# tag ethernet 26
      NetIron-B(config-vlan-7)# no spanning-tree
      NetIron-B(config-vlan-7)# router-interface ve6
      NetIron-B(config-vlan-7)# int ve5...
  • Page 954: Configuration Guidelines

      NetIron-C(config-vlan-ipx-network)# other-proto name block-other-protocols
      NetIron-C(config-vlan-other-proto)# exclude e9 to 16
      NetIron-C(config-vlan-other-proto)# no dynamic
      NetIron-C(config-vlan-other-proto)# interface ve 3
      NetIron-C(config-vif-3)# ip addr 1.1.10.1/24
      NetIron-C(config-vif-3)# ip ospf area 0.0.0.0
      NetIron-C(config-vif-3)# int ve4
      NetIron-C(config-vif-4)# ipx network 10 ethernet_802.3...
  • Page 955: Configuration Example

    you already have an AppleTalk protocol VLAN in the port-based VLAN, you must delete the AppleTalk protocol VLAN first, then configure the AppleTalk cable VLAN. Configuration Example Figure 25.16 shows an example of a BigIron Layer 3 Switch with four AppleTalk cable VLANs configured on a single port-based VLAN.
  • Page 956 The following commands add four AppleTalk cable VLANs, in groups of three commands each. The appletalk-cable-vlan command adds a cable VLAN and, with the optional name parameter, names the VLAN. The static command adds specific ports within the port-based VLAN to the AppleTalk cable VLAN.
  • Page 957: Configuring Protocol Vlans With Dynamic Ports

      BigIron(config-vif-4)# appletalk zone-name DD
      BigIron(config-vif-4)# appletalk routing
      BigIron(config-vif-4)# write memory
    Configuring Protocol VLANs With Dynamic Ports The configuration examples for protocol VLANs in the sections above show how to configure the VLANs using static ports. You also can configure the following types of protocol VLANs with dynamic ports: •...
  • Page 958
      BigIron(config)# vlan 10 by port
      BigIron(config-vlan-10)# untag ethernet 1/1 to 1/6
      added untagged port ethe 1/1 to 1/6 to port-vlan 30.
      BigIron(config-vlan-10)# ip-proto name IP_Prot_VLAN
      BigIron(config-vlan-10)# dynamic
      BigIron(config)# write memory
      Syntax: vlan <vlan-id> by port [name <string>]
      Syntax: untagged ethernet <portnum>...
  • Page 959: Configuring An Ipx Network Vlan With Dynamic Ports

    Configuring an IPX Network VLAN with Dynamic Ports To configure an IPX network VLAN with dynamic ports, use one of the following methods. USING THE CLI To configure port-based VLAN 20, then configure an IPX network VLAN within the port-based VLAN with dynamic ports, enter commands such as the following:
      BigIron(config)# vlan 20 by port name IPX_VLAN
      BigIron(config-vlan-10)# untag ethernet 2/1 to 2/6...
  • Page 960 Configuring the Same IP Sub-Net Address on Multiple Port-Based VLANs For a Foundry device to route between port-based VLANs, you must add a virtual interface to each VLAN. Generally, you also configure a unique IP sub-net address on each virtual interface. For example, if you have three port-based VLANs, you add a virtual interface to each VLAN, then add a separate IP sub-net address to each virtual interface.
  • Page 961 If a host attached to one VLAN sends an ARP message for the MAC address of a host in one of the other VLANs using the same IP sub-net address, the Foundry device performs a proxy ARP on behalf of the other host.
  • Page 962 ARP for the destination to the other VLANs that are using the same IP sub-net address. • If the destination is in the same VLAN as the source, the Foundry device does not need to perform a proxy ARP.
  • Page 963: Configuring A Vlan Group

    Configuring VLAN Groups and Virtual Interface Groups To simplify configuration when you have many VLANs with the same configuration, you can configure VLAN groups and virtual interface groups. NOTE: VLAN groups are supported on the NetIron Internet Backbone router and BigIron Layer 3 Switches and Layer 2 Switches with Management II or higher modules.
  • Page 964 Specify the low VLAN ID first and the high VLAN ID second. The command adds all the specified VLANs to the VLAN group. NOTE: The device’s memory must be configured to contain at least the number of VLANs you specify for the higher end of the range.
  • Page 965 The router-interface-group command enables a VLAN group to use a virtual interface group. Enter this command at the configuration level for the VLAN group. This command configures the VLAN group to use the virtual interface group that has the same ID as the VLAN group. You can enter this command when you configure the VLAN group for the first time or later, after you have added tagged ports to the VLAN and so on.
  • Page 966 Table 25.1: VLAN and Virtual Interface Support (Continued) Product Default Configurable Maximum Maximum BigIron Layer 3 Switch 4095 with 512MB or 256MB Management IV module BigIron Layer 3 Switch 2048 with 128MB management module (Management II or...
  • Page 967: Configuring Super Aggregated Vlans

    The network that connects them is transparent to the two devices. You can aggregate up to 4094 VLANs within another VLAN. This provides a total VLAN capacity on one Foundry device of 16,760,836 channels (4094 * 4094).
  • Page 968 [Figure labels: Client 1, Client 3, Client 5; Client 1 192.168.1.69/24] Legend: Path = a single VLAN into which client VLANs are aggregated; Channel = a client VLAN nested...
  • Page 969 [Figure labels: Client 1, Client 3, Client 5, Client 6, Client 8, Client 10; Port 1/1, Port 1/3, Port 1/5; VLAN 101, VLAN 103, VLAN 105...]
  • Page 970: Configuring Aggregated Vlans

    Configuring Aggregated VLANs To configure aggregated VLANs, perform the following tasks:
      • On each edge device, configure a separate port-based VLAN for each client connected to the edge device. In each client VLAN: •...
  • Page 971
      Syntax: [no] untagged ethernet <portnum> [to <portnum> | ethernet <portnum>]
    Use the tagged command to add the port that the device uses for the uplink to the core device. Use the untagged command to add the ports connected to the individual clients. USING THE WEB MANAGEMENT INTERFACE You cannot enable VLAN aggregation using the Web management interface.
  • Page 972
      BigIronA(config-vlan-101)# exit
      BigIronA(config)# vlan 102 by port
      BigIronA(config-vlan-102)# tagged ethernet 2/1
      BigIronA(config-vlan-102)# untagged ethernet 1/2
      BigIronA(config-vlan-102)# exit
      BigIronA(config)# vlan 103 by port
      BigIronA(config-vlan-103)# tagged ethernet 2/1
      BigIronA(config-vlan-103)# untagged ethernet 1/3
      BigIronA(config-vlan-103)# exit...
  • Page 973
      BigIronC(config-vlan-102)# exit
      BigIronC(config)# write memory
    Commands for Device D Device D is at the other end of the path and separates the channels back into individual VLANs. The tag type must be the same as the tag type configured on the other core device (Device C). In addition, VLAN aggregation also must be enabled.
  • Page 974
      BigIronF(config)# vlan 103 by port
      BigIronF(config-vlan-103)# tagged ethernet 2/1
      BigIronF(config-vlan-103)# untagged ethernet 1/3
      BigIronF(config-vlan-103)# exit
      BigIronF(config)# vlan 104 by port
      BigIronF(config-vlan-104)# tagged ethernet 2/1
      BigIronF(config-vlan-104)# untagged ethernet 1/4
      BigIronF(config-vlan-104)# exit
      BigIronF(config)# vlan 105 by port...
  • Page 975 4 priority high Figure 25.21 VLAN list on Foundry Stackable Layer 2 Switch As shown in this example, the MAC VLAN list contains four entries. For simplicity, each of the MAC addresses in the list in this example belongs to a host attached to the switch. Each of the MAC addresses belongs to a host attached to the switch port indicated in the file.
  • Page 976 Enter the following command in the file to add a MAC VLAN entry to the file:
      ext mac-vlan <mac-addr> <vlan-id> ethernet <portnum> [priority <num>]
    The <mac-addr> parameter specifies the source MAC address you want the switch to check for.
  • Page 977 Clearing MAC VLAN Entries from the MAC Table You can clear entries that have been added to the MAC table from a MAC VLAN list. To clear entries, enter the following command at the Privileged EXEC level of the CLI.
      Syntax: ext clear mac-vlan [mac <mac-addr>...
  • Page 978 Select the virtual interface (router interface) if applicable. 10. Click the Select Port Members button to display the following panel. 11. Select the ports you are placing in the VLAN. To select a row, click on the checkbox next to the row number, then click on the Select Row button.
  • Page 979 Enter the VLAN ID that will contain the protocol VLAN in the VLAN ID field. Enter a name for the VLAN in the Protocol_VLAN_Name field. Select the virtual interface from the Router_Interface pulldown list if you configured a virtual interface for routing into and out of the VLAN.
  • Page 980 • If at least one protocol VLAN is already configured and you are adding a new one, click on the IP Subnet link to display the IP Sub-net Protocol VLAN configuration panel.
  • Page 981 Configuring an IPX Network VLAN Log on to the device using a valid user name and password for read-write access. Click on the plus sign next to Configure in the tree view to expand the list of configuration options. Click on the plus sign next to VLAN in the tree view to expand the list of VLAN option links.
  • Page 982 NOTE: All the ports must be members of the port-based VLAN that contains this IPX network VLAN. See “Layer 3 Protocol-Based VLANs” on page 25-3. 11. Click the Add button (if you are adding a new VLAN) or the Modify button (if you are modifying an existing VLAN) to save the change to the device’s running-config file.
  • Page 983: Displaying Vlan Information

    Specify the ports that are members of the VLAN:
      • Select Dynamic Port if you want the port membership to be dynamic. For information, see “Dynamic Ports” on page 25-10.
      • Click the Change Static Members button if you want to configure static ports. For information, see “Static Ports”...
  • Page 984: Displaying Vlan Information For Specific Ports

      Static ports: None
      Exclude ports: None
      Dynamic ports: (S2)
      Syntax: show vlans [<vlan-id> | ethernet <portnum>]
    USING THE WEB MANAGEMENT INTERFACE To display VLAN configuration information: Log on to the device using a valid user name and password for read-only or read-write access. The System configuration dialog is displayed.
  • Page 985 IP address, the Foundry Layer 3 Switch ensures that gateway routers receive a route to the IP address only if that IP address is available. The Foundry Layer 3 Switch uses a Layer-4 HTTP health check that you configure to determine whether the HTTP (web) service on the IP address is available.
  • Page 986 209.157.22.249. For this example, also assume that you have a real server in Paris with the same IP address and the server is directly attached to a Foundry Layer 3 Switch. Suppose the DNS entry for this IP address maps the address to a site named www.foundrynet.com. When a web client in Los Angeles enters this domain in their web browser, the web browser goes to the client’s local DNS to...
  • Page 987 Route Health Injection [Figure labels] Web client in Los Angeles requests www.foundrynet.com. When Los Angeles site is available, client’s gateway router (at ISP) has path to www.foundrynet.com in Los Angeles (columns: IP address, Cost, Location; entry: 209.157.22.249, Los Angeles). If Los Angeles site is unavailable, the path ages out and is replaced by the path to the www.foundrynet.com in New York:...
  • Page 988 By configuring the Foundry Layer 3 Switches attached to the ServerIrons, third-party SLBs, or real servers that contain the web site to check the health of the web site (HTTP application), you can ensure that the Foundry Layer 3 Switches advertise paths only for web site locations that are available: •...
  • Page 989: Cli Syntax

    Foundry Layer 3 Switch leaves the static host route to the IP address in the Layer 3 Switch’s route table or adds the route if it is not present. By default, the HTTP health check is disabled. Once you enable the health check, the Layer 3 Switch sends the health check every five seconds by default.
  • Page 990: Interface Level

    Configuring the HTTP Health Check on the Layer 3 Switch To configure Foundry Layer 3 Switches to perform the HTTP health check for a web site and to manage a static host route for the IP address, do the following: •...
  • Page 991 See the Foundry ServerIron Installation and Configuration Guide for information. The ip dont-advertise command configures the Foundry Layer 3 Switch to block advertisement of the network route for this IP sub-net address. This command ensures that the Layer 3 Switch advertises only the host route to the IP address.
  • Page 992 HEAD parameter, and the slash is not in the configured URL page, then the Layer 3 Switch automatically inserts a slash before retrieving the URL page. In addition to specifying another URL, you can change the method to GET. Changing the method does not affect the health check from the Layer 3 Switch’s standpoint.
  • Page 993 Table 26.1: Real Server Information (Continued) This Field... Displays... Name The name of the real server. This is the name you assigned to the server when you configured it on the ServerIron. The IP address of the real server. If you configured a host range of VIPs on the server, the number following the IP address (after the colon) is the number of hosts on the server.
  • Page 995: Protecting Against Smurf Attacks

    Protecting Against Denial of Service Attacks In a Denial of Service (DoS) attack, a router is flooded with useless packets, hindering normal operation. Foundry devices include measures for defending against two types of DoS attacks: Smurf attacks and TCP SYN attacks.
  • Page 996: Avoiding Being An Intermediary In A Smurf Attack

    Avoiding Being a Victim in a Smurf Attack You can configure the Foundry device to drop ICMP packets when excessive numbers are encountered, as is the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP packets that are targeted at the router itself or passing through an interface, and drop them when the thresholds are exceeded.
  • Page 997: Protecting Against Tcp Syn Attacks

    TCP SYN packets, the connection queue can fill up, and service can be denied to legitimate TCP connections. To protect against TCP SYN attacks, you can configure the Foundry device to drop TCP SYN packets when excessive numbers are encountered. You can set threshold values for TCP SYN packets that are targeted at the router itself or passing through an interface, and drop them when the thresholds are exceeded.
  • Page 998 Displaying Statistics about Packets Dropped Because of DoS Attacks To display information about ICMP and TCP SYN packets dropped because burst thresholds were exceeded:
      BigIron(config)# show statistics dos-attack
      ---------------------------- Local Attack Statistics --------------------------...
  • Page 999: Network Monitoring

    Appendix B Network Monitoring This chapter provides a general overview of monitoring tools supported on Foundry Layer 2 Switches and Layer 3 Switches. Configuration examples are provided using the CLI and Web management interfaces. RMON Support All Foundry Networks Layer 2 Switches and Layer 3 Switches come standard with an RMON agent that supports the following groups.
  • Page 1000 History (RMON Group 2) All active ports by default will generate two history control data entries per active Foundry switch port or router interface. An active port is defined as one with a link up. If the link goes down the two entries are automatically deleted.
