manualshive.com logo in svg

Dell BigIron RX Series, Configuration Manual

Share
Download
Dell BigIron RX Series Configuration Manual Download Page 30

xxx

BigIron RX Series Configuration Guide

53-1002253-01

Chapter 34

Protecting Against Denial of Service Attacks

Protecting against Smurf attacks. . . . . . . . . . . . . . . . . . . . . . . . . . .995

Avoiding being an intermediary in a Smurf attack. . . . . . . . . .996
ACL-based DOS-attack prevention  . . . . . . . . . . . . . . . . . . . . . .996

Protecting against TCP SYN attacks. . . . . . . . . . . . . . . . . . . . . . . . .997

TCP security enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . .998

Displaying statistics due DoS attacks . . . . . . . . . . . . . . . . . . . . . . .999

Clear DoS attack statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1000

Chapter 35

Inspecting and Tracking DHCP Packets

Dynamic ARP inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1001

ARP attacks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1001
How DAI works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1002
Limits and restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1003
Configuring DAI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1003
Displaying ARP inspection status and ports  . . . . . . . . . . . .  1004
Displaying the ARP table . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1005

DHCP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1006

How DHCP snooping works . . . . . . . . . . . . . . . . . . . . . . . . . .  1006
System reboot and the binding database  . . . . . . . . . . . . . . .1007
Configuring DHCP snooping  . . . . . . . . . . . . . . . . . . . . . . . . . .1007

DHCP relay agent information (DHCP option 82) . . . . . . . . . . . .  1008

Disabling option 82 processing  . . . . . . . . . . . . . . . . . . . . . .  1009
Displaying DHCP snooping status and ports . . . . . . . . . . . . .1010
DHCP snooping configuration example . . . . . . . . . . . . . . . . .1010

IP source guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1010

Limits and restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1011
Enabling IP source guard. . . . . . . . . . . . . . . . . . . . . . . . . . . . .1011

Chapter 36

Securing SNMP Access

Establishing SNMP community strings . . . . . . . . . . . . . . . . . . . . .1013

Encryption of SNMP community strings   . . . . . . . . . . . . . . . .1013
Adding an SNMP community string  . . . . . . . . . . . . . . . . . . . .1013
Displaying the SNMP community strings . . . . . . . . . . . . . . . .1014

Using the user-based security model. . . . . . . . . . . . . . . . . . . . . . .1015

Configuring your NMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1015

Configuring SNMP version 3 on the BigIron RX . . . . . . . . . . .1015
Defining the engine ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1016
Defining an SNMP group . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1016
Defining an SNMP user account. . . . . . . . . . . . . . . . . . . . . . .1017
Displaying the engine ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1019
Displaying SNMP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1019
Displaying user information. . . . . . . . . . . . . . . . . . . . . . . . . .  1020
Interpreting varbinds in report packets . . . . . . . . . . . . . . . .  1020

Defining SNMP views  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1020

SNMP v3 configuration examples. . . . . . . . . . . . . . . . . . . . . .1021

Summary of Contents for BigIron RX Series

Page 1: ...53 1002253 01 20 May 2011 BigIron RX Series Configuration Guide Supporting Multi Service IronWare v02 8 00 ...

Page 2: ...rising from the information contained in this book or the computer programs that accompany it The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements To find out which open source software is included in Brocade products view the licensing terms applicable to the open source software and obtain a copy...

Page 3: ...2 5 00 lv Enhancements in patch release 02 4 00c lvii Enhancements in release 02 4 00 lviii Enhancements in patch release 02 3 00a lxii Enhancements in release 02 3 00 lxiii Enhancements in release 02 2 01 lxix Enhancements in release 02 2 00g lxxiii Enhancements in release 02 2 00 lxxiii Document conventions lxxiv Text formatting lxxiv Command syntax conventions lxxiv Notes cautions and danger no...

Page 4: ...ommands 17 Allowable characters for LAG names 21 Logging on through the Web Management Interface 22 Web Management Interface 23 Chapter 3 Using a Redundant Management Module How management module redundancy works 25 Management module redundancy overview 25 Management module switchover 26 Switchover implications 27 Management module redundancy configuration 29 Changing the default active slot 29 Ma...

Page 5: ...59 Chapter 4 Securing Access to Management Functions Securing access methods 61 Restricting remote access to management functions 63 Using ACLs to restrict remote access 63 Restricting remote access to the device to specific IP addresses 66 Specifying the maximum number of login attempts for Telnet access 67 Restricting remote access to the device to specific VLAN IDs 68 Disabling specific access ...

Page 6: ...fic attributes on the RADIUS server 102 Enabling SNMP to configure RADIUS 103 Identifying the RADIUS server to the BigIron RX 104 Specifying different servers for individual AAA functions 104 Setting RADIUS parameters 104 Configuring authentication method lists for RADIUS 105 Configuring RADIUS authorization 107 Configuring RADIUS accounting 109 Configuring an interface as the source for all RADIU...

Page 7: ...ons 134 Nexthop table 135 Changing the MAC age time 136 Configuring static ARP entries 136 Pinging an IPv4 address 137 Chapter 6 Configuring Interface Parameters Assigning a port name 139 Assigning an IP address to a port 139 Speed Duplex negotiation 140 Disabling or re enabling a port 141 Changing the default Gigabit negotiation mode 141 Changing the negotiation mode 142 Disabling or re enabling ...

Page 8: ...er IPv4 tunnels in hardware 170 Configuring Domain Name Server DNS resolver 174 Adding host names to the DNS cache table 175 Configuring packet parameters 179 Changing the encapsulation type 179 Setting maximum frame size per PPCR 180 Changing the MTU 181 Changing the router ID 182 Specifying a single source interface for Telnet TACACS TACACS or RADIUS packets 183 Configuring an interface as the s...

Page 9: ...26 Displaying the IP route table 228 Clearing IP routes 231 Displaying IP traffic statistics 231 Displaying TCP traffic statistics 234 Chapter 8 Link Aggregation Link aggregation overview 237 LAG formation rules 237 LAG load sharing 240 Configuration of a LAG 241 Creating a Link Aggregation Group LAG 241 Deploying a LAG 244 Commands available under LAG once it is deployed 244 Configuring ACL based...

Page 10: ...ltiplier for transmit TTL 265 Changing the minimum time between port reinitializations 266 LLDP TLVs advertised by the Brocade device 266 Displaying LLDP statistics and configuration settings 273 LLDP configuration summary 274 LLDP statistics 274 LLDP neighbors 276 LLDP neighbors detail 277 LLDP configuration details 278 Resetting LLDP statistics 279 Chapter 10 Configuring Uni Directional Link Det...

Page 11: ...ing super aggregated VLANs 301 Configuring aggregated VLANs 303 Complete CLI examples 304 Configuring 802 1q in q tagging 307 Configuration rules 308 Enabling 802 1Q in Q tagging 309 Example configuration 309 Configuring 802 1q tag type translation 310 Configuration rules 312 Enabling 802 1q tag type translation 313 Private VLANs 314 Implementation notes 315 Configuration notes 315 Configuring a p...

Page 12: ...uard 331 Displaying STP information 332 IEEE Single Spanning Tree SSTP 340 SSTP defaults 341 Enabling SSTP 341 Displaying SSTP information 342 PVST PVST compatibility 343 Overview of PVST and PVST 343 VLAN tags and dual mode 343 Enabling PVST support 344 Displaying PVST support information 344 Configuration examples 345 SuperSpan 347 Customer ID 348 BPDU forwarding 348 Configuring SuperSpan 353 Ch...

Page 13: ...TP information 392 Chapter 14 Metro Ring Protocol MRP Phase 1 and 2 Metro Ring Protocol MRP phase 1 401 MRP rings without shared interfaces 402 Ring initialization 403 How ring breaks are detected and healed 406 Master VLANs and customer VLANs in a topology group 408 Configuring MRP 410 Adding an MRP ring to a VLAN 411 Changing the hello and preforwarding times 412 MRP phase 2 412 Ring initializat...

Page 14: ...om the master 435 VSRP slow start 436 Changing the Time To Live TTL 436 Changing the hello interval 437 Changing the dead interval 437 Changing the backup hello state and interval 437 Changing the hold down interval 438 Changing the default track priority 438 Specifying a track port 439 Disabling or re enabling backup pre emption 439 Port transition hold timer 439 Clearing VSRP information 440 VSR...

Page 15: ...d VRRPE parameters 462 Authentication type 463 Suppression of RIP advertisements on backup routers for the backup up interface 464 Hello interval 464 Dead interval 464 Backup hello message state and interval 465 Track port 465 Track priority 465 Backup preempt 466 Master router abdication and reinstatement 466 Displaying VRRP and VRRPE information 467 Displaying summary information 467 Displaying ...

Page 16: ...rate limiting 489 Configuring packet drop priority using WRED 489 Enabling WRED 489 Setting the averaging weight Wq parameter 489 Displaying the WRED configuration 493 Scheduling traffic for forwarding 494 Configuring traffic scheduling 494 Configuring multicast traffic engineering 498 Displaying the multicast traffic engineering configuration 499 Qos profiles 500 501 Calculating the values for WF...

Page 17: ... table to an interface 520 Increasing the maximum number of clauses per Layer 2 ACL table 520 Viewing Layer 2 ACLs 520 Example of Layer 2 ACL deny by MAC address 521 Chapter 21 Access Control List How the BigIron RX processes ACLs 523 Disabling or re enabling Access Control Lists ACLs 524 Default ACL action 524 Types of IP ACLs 524 ACL IDs and entries 525 Enabling support for additional ACL statem...

Page 18: ...L log entries 563 QoS options for IP ACLs 564 Enabling ACL duplication check 565 ACL accounting 565 Displaying accounting statistics for all ACLs 565 Displaying statistics for an interface 566 Clearing the ACL statistics 567 Enabling ACL filtering of fragmented or non fragmented packets 568 ACL filtering for traffic switched within a virtual routing interface 569 ICMP filtering for extended ACLs 5...

Page 19: ... IGMP version 588 Compatibility with IGMP V1 and V2 588 Enabling the IGMP version per interface setting 589 Enabling the IGMP version on a physical port within a virtual routing interface 589 Setting the query interval 591 Setting the group membership time 591 Setting the maximum response time 591 Displaying IGMPv3 information 591 Clearing IGMP statistics 595 IGMP V3 and source specific multicast ...

Page 20: ...v4 625 Enabling SSM 626 Configuring Multicast Source Discovery Protocol MSDP 626 Peer Reverse Path Forwarding RPF flooding 628 Source active caching 628 Configuring MSDP 628 Enabling MSDP 629 Configuring MSDP peers 629 Designating an interface s IP address as the RP s IP address 630 Filtering MSDP source group pairs 630 Filtering incoming source active messages 630 Filtering advertised source acti...

Page 21: ...9 Configuring metric parameters 670 Changing the administrative distance 670 Configuring redistribution 671 Configuring route learning and advertising parameters 672 Changing the route loop prevention method 673 Suppressing RIP route advertisement on a VRRP or VRRPE backup interface 674 Using prefix lists and route maps as route filters 674 Setting RIP timers 675 Displaying RIP filters 676 Clearin...

Page 22: ... origination 709 Configuring a default network route 710 Modify SPF timers 711 Modify redistribution metric type 711 Modify administrative distance 712 Configure OSPF group Link State Advertisement pacing 713 OSPF ABR type 3 LSA filtering 713 Displaying the configured OSPF area prefix list 716 Modifying OSPF traps generated 716 Modify OSPF standard compliance setting 718 Modify exit overflow inter...

Page 23: ...Null0 routing 755 Aggregating routes advertised to BGP4 neighbors 759 Configuring the device to always compare MEDs 759 Disabling or re enabling comparison of the AS path length 760 Redistributing IBGP routes 760 Disabling or re enabling client to client route reflection 761 Configuring a route reflector 761 Enabling or disabling comparison of the router IDs 761 Configuring confederations 762 Conf...

Page 24: ...es 798 Defining and applying IP prefix lists 799 Defining neighbor distribute lists 800 Defining route maps 801 Configuring cooperative BGP4 route filtering 809 Configuring route flap dampening 811 Generating traps for BGP 816 Updating route information and resetting a neighbor session 816 Clearing traffic counters 822 Clearing route flap dampening statistics 823 Removing route flap dampening 823 ...

Page 25: ...reas 869 Level 1 routing and Level 2 routing 869 Neighbors and adjacencies 869 Designated IS 869 IS IS CLI levels 871 Global configuration level 871 Address family configuration level 872 Interface level 872 Configuring IPv4 IS IS 873 Enabling IS IS globally 873 Globally configuring IS IS on a device 874 Setting the overload bit 874 Configuring authentication 875 Changing the IS IS Level globally ...

Page 26: ...election 887 Limiting access to adjacencies with a neighbor 887 Changing the IS IS level on an interface 888 Disabling and enabling hello padding on an interface 888 Changing the hello interval 888 Changing the hello multiplier 889 Changing the metric added to advertised routes 889 Displaying IPv4 IS IS information 890 Displaying the IS IS configuration in the running config 890 Displaying the nam...

Page 27: ...nabling multi device port authentication 927 Configuring an authentication method list for 802 1x 928 Setting RADIUS parameters 928 Specifying the format of the MAC addresses sent to the RADIUS server 929 Specifying the authentication failure action 929 Defining MAC address filters 930 Configuring dynamic VLAN assignment 930 Specifying to which VLAN a port is moved after its RADIUS specified VLAN ...

Page 28: ...mer 951 Defining security violation actions 951 Shutdown the interface 952 Restricting interface access 952 Denying a MAC address 954 Understanding the rules for violation action configuration 954 Interaction between global and interface level violation actions 954 Changing the global violation action 955 Changing the violation action for an interface 955 Re enabling an interface 956 Interface shu...

Page 29: ... Re authenticating a port manually 978 Setting the quiet period 979 Setting the interval for retransmission of EAP request identity frames 979 Specifying the number of EAP request identity frame retransmissions 979 Specifying a timeout for retransmission of messages to the authentication server 980 Specifying a timeout for retransmission of EAP request frames to the client 980 Initializing 802 1x ...

Page 30: ...g database 1007 Configuring DHCP snooping 1007 DHCP relay agent information DHCP option 82 1008 Disabling option 82 processing 1009 Displaying DHCP snooping status and ports 1010 DHCP snooping configuration example 1010 IP source guard 1010 Limits and restrictions 1011 Enabling IP source guard 1011 Chapter 36 Securing SNMP Access Establishing SNMP community strings 1013 Encryption of SNMP communit...

Page 31: ...Clearing CDP information 1030 Chapter 38 Remote Network Monitoring Basic management 1033 Viewing system information 1033 Viewing configuration information 1033 Viewing port statistics 1033 Viewing STP statistics 1033 Clearing statistics 1034 RMON support 1034 Statistics RMON group 1 1034 History RMON group 2 1037 Alarm RMON group 3 1037 Event RMON group 9 1037 Chapter 39 Configuring sFlow Configur...

Page 32: ...STP information for a specified instance 1060 Displaying MSTP information for CIST instance 0 1061 Chapter 41 Configuring IP Multicast Traffic Reduction Enabling IP multicast traffic reduction 1066 Changing the IGMP mode 1067 Modifying the query interval 1068 Modifying the age interval 1068 Filtering multicast groups 1068 Static IGMP membership 1069 PIM SM traffic snooping 1071 Application example...

Page 33: ...ured interface ID as the switch s system wide address 1088 Configuring a global or site local IPv6 address with an automatically computed EUI 64 interface ID as the switch s system wide address 1089 Configuring a link local IPv6 address as the switch s system wide address 1089 Configuring IPv4 and IPv6 protocol stacks 1090 Configuring IPv6 Domain Name Server DNS resolver 1091 Defining a DNS entry ...

Page 34: ...e IPv6 cache 1104 Clearing IPv6 neighbor information 1105 Clearing IPv6 routes from the IPv6 route table 1105 Clearing IPv6 traffic statistics 1106 Deleting IPv6 session flows 1106 Displaying global IPv6 information 1106 Displaying IPv6 cache information 1106 Displaying IPv6 interface information 1107 Displaying IPv6 neighbor information 1109 Displaying the IPv6 route table 1111 Displaying local I...

Page 35: ...g the BGP4 route table 1143 Displaying BGP4 route information 1150 Displaying BGP4 route attribute entries 1151 Displaying the BGP4 running configuration 1153 Displaying dampened BGP4 paths 1153 Displaying filtered out BGP4 routes 1154 Displaying route flap dampening statistics 1158 Displaying BGP4 neighbor information 1160 Displaying BGP4 peer group configuration information 1183 Displaying BGP4 ...

Page 36: ...utes into OSPFv3 1216 Filtering OSPFv3 routes 1220 Configuring default route origination 1222 Modifying shortest path first timers 1223 Modifying administrative distance 1224 Configuring the OSPFv3 LSA pacing interval 1225 Modifying exit overflow interval 1225 Modifying external link state database limit 1225 Modifying OSPFv3 interface defaults 1226 Disabling or reenabling event logging 1227 Displ...

Page 37: ...t 1269 Setting the query interval 1269 Setting the maximum response time 1270 Setting the last listener query count 1270 Setting the last listener query interval 1270 Setting the robustness 1270 Setting the version 1270 Specifying a port version 1271 Specifying a static group 1271 Setting the interface MLD version 1271 Displaying MLD information 1271 Displaying MLD group information 1271 Displayin...

Page 38: ...ompliance 1319 RFC compliance 1319 RFC compliance BGPv4 1319 RFC compliance OSPF 1320 RFC compliance IS IS 1320 RFC compliance RIP 1320 RFC compliance IP Multicast 1320 RFC compliance general protocols 1321 RFC compliance management 1322 RFC compliance IPv6 core 1322 RFC compliance IPv6 routing 1323 RFC compliance IPv6 multicast 1323 RFC compliance IPv6 transitioning 1323 RFC compliance IPv6 manag...

Page 39: ...parameters 1358 Port based routing 1359 Quality of Service QoS 1359 Rate limiting 1361 RIP 1361 RMON 1362 RSTP 1363 Security Management 1363 802 1x Port Security 1363 Access 1365 Authentication method list 1365 Passwords 1365 Privilege level 1365 RADIUS 1366 SNMP access 1366 SSH access 1367 SSL 1367 TACACS and TACACS 1367 Telnet access 1368 TFTP access 1368 User account 1368 Web management access ...

Page 40: ...xl BigIron RX Series Configuration Guide 53 1002253 01 SSH 1374 sFlow 1374 STP 1375 SysLog messages 1375 System parameters 1376 Topology 1377 LAG 1378 UDLD 1379 VLAN 1379 VRRP VRRPE 1380 VSRP 1381 ...

Page 41: ...ware release 02 8 00 The Information in this guide apply to the following hardware platforms BigIron RX 4 BigIron RX 8 BigIron RX 16 BigIron RX 32 List of supported features Features or options not listed in the Supported features table or documented in this guide are not supported TABLE 1 Supported features Category Feature description System level features Cisco Discovery Protocol CDP Allows you...

Page 42: ...from having to handle too many packets SysLogD Server Logging Multiple SysLogD server logging sFlow sFLow version 5 Uni directional Link Detection UDLD Monitors a link between two Brocade devices and brings the ports on both ends of the link down if the link goes down at any point between the two devices Layer 2 features 802 1d Spanning Tree Protocol STP and Single Spanning Tree Protocol SSTP 802 ...

Page 43: ... links between two Brocade devices or between a Brocade device and a server VLANs 802 1Q tagging Port based VLANs Super Aggregated VLANs SAV Dual mode VLAN ports Transparent Port Flooding VLAN ID to MSTP Instance Pre assignment Private VLANs VSRP Layer 2 Virtual Switch Redundancy Protocol VSRP Layer 3 Virtual Switch Redundancy Protocol VSRP VSRP and MRP Signaling Layer 2 ACLs Replaces MAC filters ...

Page 44: ...Multicast cache L2 IGMP table DVMRP routes PIM DM PIM SM PIM SSM PIM Snooping OSPF OSPF routes OSPF adjacencies Dynamic OFPF LSAs OSPF filtering of advertised routes PBR Policy Based Routing RIP versions 1 and 2 RIP routes VRRP and VRRPE Virtual Router Redundancy Protocol VRRP and VRRP Extended VRRPE IPv6 features IPv6 ACLs Extended ACLs IPv6 Routing Protocols RIPng OSPFv3 BGP4 IPv6 Multicast PIM ...

Page 45: ...de brief descriptions of the enhancements added in each BigIron RX software release and a reference to the specific chapter and section in the BigIron RX Series Configuration Guide or the Brocade BigIron RX Series Installation Guide that contain a detailed description and operational details for the enhancement ...

Page 46: ...iguring Spanning Tree Protocol Section Displaying STP information for the specified Ethernet interface Chapter Configuring Rapid Spanning Tree Protocol Section Displaying RSTP information for the specified Ethernet interface Chapter Multiple Spanning Tree Protocol MSTP 802 1s Section Displaying MSTP information for the specified Ethernet interface Copy software image from a flash card to the flash...

Page 47: ...ks you to confirm your request Enter Y to continue or N to cancel your request This enhancement was introduced in Patch Release 02 7 02c and has been added to this issue of the BigIron RX Series Configuration Guide Book BigIron RX Series Configuration Guide Chapter Using a Redundant Management Module Section Manually switching over to the standby management module Support for active cable for 16 p...

Page 48: ...BLE 4 Summary of enhancements in release 02 7 02 Enhancement Description See page System features Enhanced spreed duplex command The speed duplex command has been enhanced to support 24F and 24HF modules The auto Autonegotiation mode option has also been added to allow the user to set the speed on E1MG TX media Book BigIron RX Series Configuration Guide Chapter Configuring Interface Parameters Sec...

Page 49: ...RX Series Configuration Guide Chapter Configuring Quality of Service Section Configuring QoS for the 16 x 10G module Network management 128 bit AES encryption support for SNMP V3 The Advanced Encryption Standard AES provides one of the most advanced encryption capabilities available today This release adds AES for SNMPv3 as specified in RFC 3826 To enable AES encryption specify the aes encryption ...

Page 50: ...E1MG TX fiber optic module now supports speeds of 10 100 1000 Book Brocade BigIron RX Series Installation Guide UDLD Start up Mode In this release after UDLD is enabled on a port UDLD can be configured to be kept in a newly created suspended state until it receives its first keep alive message from the other end Book BigIron RX Series Configuration Guide Chapter Configuring Uni Directional Link De...

Page 51: ...een added to this release Textual Conventions Layer 2 ACL Next Clause Table Layer 2 ACL Configuration Table Layer 2 ACL Binding Configuration Table Book MIB Reference Chapter Filtering Traffic Section Layer 2 ACLs TABLE 7 Summary of enhancements in release 02 6 00 Enhancement Description See page True Remote Console The new rconsole feature provides a true connection to the MP LP console port Whil...

Page 52: ...igIron RX Series Configuration Guide Chapter Configuring IP Section Applying a rate limit to ARP packets on an interface Layer 2 features VSRP Fast Start Non Brocade or non VSRP aware devices connected to a VSRP master can now quickly switch over to the new master when a VSRP failover occurs Book BigIron RX Series Configuration Guide Chapter Virtual Switch Redundancy Protocol VSRP Section VSRP fas...

Page 53: ...res Section Multicast Listener Discovery and source specific multicast protocols MLDv2 IGMPv3 and IGMP Snooping In Release 02 6 00 of the Multi Service IronWare software creating an IGMP static group allows the BigIron RX switch having L2 interfaces configured with snooping to pull traffic from upstream sources using IGMP joins When using the uplink option you avoid burning a dedicated port This i...

Page 54: ...sages Book BigIron RX Series Configuration Guide Chapter Configuring IP Multicast Traffic Reduction Section Multicast traffic reduction per VLAN Layer 4 features Automatic ACL Rebind Beginning wirh release 02 6 00 the ACL automatic rebind feature allows the newly changed ACL filter definitions to be automatically applied to the ports where the ACL was bound Book BigIron RX Series Configuration Gui...

Page 55: ... rconsole is a remote desktop N A Limited Fixed Boot Code Book Foundry BigIron RX Configuration Guide Chapter Section ACL based Inbound sFlow With this patch release the Multi Service IronWare software supports using an IPv4 ACL to select packets that should be collected as special sFlow samples in addition to the regular statistical sampling of sFlow Book BigIron RX Series Configuration Guide Cha...

Page 56: ...the line card without the need of a serial cable N A Enhancement on Static ARP In Release 02 5 00 of the Multi Service IronWare software static ARP has been enhanced to support the ability to create a static ARP entry without an outgoing interface Book BigIron RX Series Configuration Guide Chapter Configuring IP Section Creating a floating static ARP entry Static Route ARP Validate Next Hop Beginn...

Page 57: ...ription See page True Remote Console The new rconsole feature provides a true connection to the MP LP console port While the old session based rconsole is a remote X Window which is connected to one of the windows on the target system the new rconsole is a remote desktop N A Limited Fixed Boot Code Book Foundry BigIron RX Configuration Guide Chapter Section ACL Based RP assignment The rp address c...

Page 58: ...w boot image command displays which image the device will use for the next reboot or reload Book Brocade BigIron RX Series Installation Guide Chapter Upgrading Software Images and Configuration Files Section Displaying the Next Boot Image New show image_checksum command The image_checksum command will allow the user to verify the checksum of a image Book Brocade BigIron RX Series Installation Guid...

Page 59: ... IP Section Displaying the IP route table Compare MED for internal BGP route with empty as path This new BGP command directs iBGP to take the MED value into consideration even if the route has an empty as path path attribute Book BigIron RX Series Configuration Guide Chapter Configuring BGP4 IPv4 and IPv6 Section Configuring the device to always compare MEDs OSPF Default Network Route This feature...

Page 60: ...ring IP Multicast Protocols Section IP multicast boundaries IPv6 PIM SM Book Foundry BigIron RX Configuration Guide Chapter Section Embedded RP Embedded RP allows the router to learn RP information using the multicast group destination address instead of the statically configured RP Book Foundry BigIron RX Configuration Guide Chapter Section MLD Snooping Book Foundry BigIron RX Configuration Guide...

Page 61: ... Chapter Inspecting and Tracking DHCP Packets Section DHCP relay agent information DHCP option 82 DoS Protection This feature allows for monitoring the hit rate of the ACL and drops matching traffic above a selected rate and locking the port if the rate exceeds a maximum allowed amount Book BigIron RX Series Configuration Guide Chapter Protecting Against Denial of Service Attacks Section ACL based...

Page 62: ...vg snAgGblCpuUtil5SecAvg snAgGblCpuUtil1MinAvg Book MIB Reference Chapter Monitoring and Logging Section Usage Notes on CPU Utilization and System CPU Utility Table TABLE 13 Summary of enhancements in patch release 02 3 00a Enhancement Description See Transparent Port Flooding When the Transparent Port Flooding feature in enabled for a port all MAC learning will be disabled for that port This will...

Page 63: ...odule Book Brocade BigIron RX Series Installation Guide Hitless OS Upgrade for Layer 2 Version 02 5 00 of the Multi Service IronWare software supports hitless upgrade of the operating system on a BigIron RX switch Using this feature you can upgrade the Multi Service IronWare software without a loss or disruption of service as described Book Brocade BigIron RX Series Installation Guide Chapter Upgr...

Page 64: ...Enhanced speed duplex command In this release the speed duplex command has been enhanced to include the master and slave parameters Book BigIron RX Series Configuration Guide Chapter Configuring Interface Parameters Section Speed Duplex negotiation TABLE 15 Layer 2 enhancements Enhancement Description See Flow based MAC Learning In this release the cpu flooding unknown unicast command that disable...

Page 65: ...6 packets See the Configuring Basic IPv6 Connectivity chapter of the BigIron RX Series Configuration Guide Book BigIron RX Series Configuration Guide Chapter Configuring Basic IPv6 Connectivity ICMPv6 As with the Internet Control Message Protocol ICMP for IPv4 ICMP for IPv6 provides error and informational messages Foundry BigIron RX Series Configuration Guide IPv6 NDP RDP ICMP Router Discovery Pr...

Page 66: ...ice IronWare the process by which BGP selects a path has changed The following procedure replaces the procedure described in the BigIron RX Series Configuration Guide Book BigIron RX Series Configuration Guide Chapter Configuring BGP4 IPv4 and IPv6 Section How BGP4 selects a path for a route BGP allowas in command The allowas in command has been added to this release to allow you to set a paramete...

Page 67: ...ges within a domain Book BigIron RX Series Configuration Guide Chapter Configuring IP Multicast Protocols Section Configuring MSDP mesh group IGMP v3 IGMP v3 provides selective filtering of traffic based on traffic source Book BigIron RX Series Configuration Guide Chapter Configuring IP Multicast Protocols Section IGMP v3 PIM SSM v4 PIM SSM is a routing protocol used for source specific multicast ...

Page 68: ...PDU Guard BPDU Guard is an extension to the port fast feature If a port is in port fast mode of operation and a BDPU is received the port is put into the disabled mode Book BigIron RX Series Configuration Guide Chapter Configuring Spanning Tree Protocol Section Spanning Tree Protocol STP BPDU guard Port Security MAC Violation Limit This feature provides protection against physical link instability...

Page 69: ...upply New fan controller Book Brocade BigIron RX Series Installation Guide TABLE 21 Layer 2 enhancements Enhancement Description See page VLAN Byte Accounting With this release you can configure a VLAN to account for the number of bytes received by all the member ports Book BigIron RX Series Configuration Guide Chapter VLANs Section VLAN byte accounting Super Aggregated VLANs SAV Multiple VLANs ca...

Page 70: ...oint OSPF point to point eliminates the need for Designated and Backup Designated routers allowing for faster convergence of the network Book BigIron RX Series Configuration Guide Chapter Configuring OSPF Version 2 IPv4 Section OSPF point to point links Neighbor Local AS Neighbor Local Autonomous System AS feature allows a router that is a member of one AS to appear to be a member of another AS Bo...

Page 71: ...port level Book BigIron RX Series Configuration Guide Chapter Using the MAC Port Security Feature and Transparent Port Flooding IP Fragmentation Protection Fragmented IP packets with undersized fragments and overlapping fragments are dropped Book BigIron RX Series Configuration Guide Chapter Configuring IP Section IP fragmentation protection IP Option Attack Prevention Packets with IP options in t...

Page 72: ...specify how many packets from denied MAC addresses can be received on a port in a one second interval before the BigIron RX shuts the port down Book BigIron RX Series Configuration Guide Chapter Using the MAC Port Security Feature and Transparent Port Flooding Section Defining security violation actions Larger SSHv2 Crypto Key The size of the SSH v2 crypto key in this release is larger than crypto...

Page 73: ...limit accounting is available if WRED is not enabled CLI changes required for these differences are described in the page referenced on the next column Book BigIron RX Series Configuration Guide Chapter Configuring Traffic Reduction Hardware Forwarding of Packets Default behavior on BigIron RX is hardware unknown unicast and multicast flooding Book BigIron RX Series Configuration Guide Chapter VLA...

Page 74: ... these conventions Multicast Entry Limit 1542 multicast entries are limited to IPv4 1542 entries provided every group has only one destination N A WAN PHY Mode Support This release supports WAN PHY Mode per 10 GB Ethernet port Book BigIron RX Series Configuration Guide Chapter Configuring Interface Parameters Section Enabling WAN PHY mode support TABLE 27 Summary of emhancements in 02 2 00 Continu...

Page 75: ... potentially lethal or extremely hazardous to you Safety labels are also attached directly to products to warn of these conditions or situations Notice to the reader This document may contain references to the trademarks of the following corporations These trademarks are the properties of their respective companies and corporations These references are made for informational purposes only Related ...

Page 76: ...he latest version of these guides is posted at http www brocade com ethernetproducts Getting technical help or reporting errors E mail and telephone access Go to http www brocade com services support index page for the latest e mail and telephone contact information ...

Page 77: ...n initiate a local Telnet SSH or SNMP connection by specifying the management port s IP address The commands in the CLI are organized into the following levels User EXEC Lets you display information and perform basic tasks such as pings and traceroutes Privileged EXEC Lets you use the same commands as those at the User EXEC level plus configuration commands that do not require saving the changes t...

Page 78: ...ers of the command or option name to avoid ambiguity with other commands or options the CLI understands what you are typing Scroll control By default the CLI uses a page mode to paginate displays that are longer than the number of rows in your terminal emulation window For example if you display a list of all the commands at the global CONFIG level but your terminal emulation window does not have ...

Page 79: ...chy such as the Privileged EXEC level Privileged EXEC level Commands at the Privileged EXEC level enable you to transfer and store software images and configuration files between the network and the system and review the configuration TABLE 28 CLI line editing commands Ctrl key combination Description Ctrl A Moves to the first character on the command line Ctrl B Moves the cursor back one characte...

Page 80: ...t the privileged EXEC level BigIron RX enable BigIron RX configuration terminal The prompt changes to the Global Configuration level BigIron RX config CONFIG commands CONFIG commands modify the configuration of a device Once you are at the Global Configuration level you can enter commands to configure the features in the device This section describes the following CONFIG CLI levels Redundancy leve...

Page 81: ...unicast address family level allows you to configure a BGP4 unicast route For backward compatibility you can currently access BGP4 unicast address family commands at both global BGP configuration and BGP4 unicast address family configuration levels Therefore the global BGP and BGP4 unicast address family commands are documented together You reach the global BGP level by entering the router bgp com...

Page 82: ...is level by entering the vlan vlan id command at the Global CONFIG Level Metro ring level Metro rings provide Layer 2 connectivity and fast failover in ring topologies You reach this level by entering the metro ring ring id command at the Global CONFIG Level VSRP level The VSRP level allows you to configure parameters for the Virtual Switch Redundancy Protocol VSRP You reach this level by entering...

Page 83: ... You also have the option of assigning a separate password for Telnet access with the enable telnet password password command found at the Global Level At initial log on all you need to do is type enable at the prompt then press Return You only need to enter a password after a permanent password is entered at the Global CONFIG Level of the CLI NOTE If you install switch code on a router the comman...

Page 84: ...is a variable and required When an item is not enclosed by or symbols the item is a required keyword When an item is bracketed with symbols the information requested is optional BigIron RX User Level EXEC Command BigIron RX Privileged Level EXEC Command BigIron RX config Global Level CONFIG Command BigIron RX config if e10000 5 1 Interface Level CONFIG Command BigIron RX config lbif 1 Loopback Int...

Page 85: ... traceroute You also can use the question mark with an individual command to see all available options or to check context To view possible copy command options enter the following BigIron RX copy flash running config startup config tftp BigIron RX copy flash tftp Searching and filtering output You can filter CLI output from show commands and at the More prompt You can search for individual charac...

Page 86: ...o display open connections to the Brocade device BigIron RX show who exclude closed Console connections established you are connecting to this session 2 seconds in idle Telnet connections inbound 1 established client ip address 192 168 9 37 27 seconds in idle Telnet connection outbound SSH connections Syntax show command exclude regular expression Displaying lines starting with a specified string ...

Page 87: ...ftp server flash image cd Change current working directory chdir Change current working directory clear Clear table statistics keys clock Set clock configure Enter configuration mode copy Copy between flash tftp config code cp Copy file commands debug Enable debugging functions see also undebug delete Delete file on flash dir List files dm test commands dot1x 802 1x erase Erase image configuration...

Page 88: ...tern For example the following regular expression matches output that contains the string abc followed by zero or more Xs abcX The plus sign matches on one or more sequential instances of a pattern For example the following regular expression matches output that contains de followed by a sequence of g s such as deg degg deggg and so on deg The question mark matches on zero occurrences or one occur...

Page 89: ...renthesis right parenthesis The beginning of the input string The end of the input string A blank space For example the following regular expression matches on 100 but not on 1002 2100 and so on Square brackets enclose a range of single character patterns For example the following regular expression matches output that contains 1 2 3 4 or 5 1 5 You can use the following expression symbols within t...

Page 90: ...te memory and reset of the system reload before it becomes active This approach in adopting configuration changes Allows you to make configuration changes to the operating or running configuration of the device to address a short term requirement or validate a configuration without overwriting the permanent configuration file the startup configuration that is saved in the system flash and Ensures ...

Page 91: ... network management system The following section describes how to log on to these applications Logging on through the CLI Once an IP address is assigned to the BigIron RX Series Switch s management port you can access the CLI through a PC or terminal attached to the management module s serial Console port or 10BaseT 100BaseTX Ethernet management port or from a Telnet or SSH connection to the PC or...

Page 92: ...d command Command completion The CLI supports command completion so you do not need to enter the entire name of a command or option As long as you enter enough characters of the command or option name to avoid ambiguity with other commands or options the CLI understands what you are typing Scroll control By default the CLI uses a page mode to paginate displays that are longer than the number of ro...

Page 93: ...tring The following command filters the output of the show interface command for port 3 1 so it displays only lines containing the word Internet This command can be used to display the IP address of the interface BigIron RX show interface e 3 1 include Internet Internet address is 192 168 1 11 24 MTU 1518 bytes encapsulation ethernet Syntax show command include regular expression TABLE 30 CLI line...

Page 94: ...o command so it displays output starting with the first line that contains the word SSH This command can be used to display information about SSH connections to the BigIron RX Series Switch Syntax show command begin regular expression Searching and filtering output at the More prompt The More prompt displays when output extends beyond a single page From this prompt you can press the Space bar to d...

Page 95: ... working directory chdir Change current working directory clear Clear table statistics keys clock Set clock configure Enter configuration mode copy Copy between flash tftp config code cp Copy file commands debug Enable debugging functions see also undebug delete Delete file on flash dir List files dm test commands dot1x 802 1x erase Erase image configuration files from flash exit Exit Privileged m...

Page 96: ... followed by zero or more Xs abcX The plus sign matches on one or more sequential instances of a pattern For example the following regular expression matches output that contains de followed by a sequence of g s such as deg degg deggg and so on deg The question mark matches on zero occurrences or one occurrence of a pattern For example the following regular expression matches output that contains ...

Page 97: ...of the input string The end of the input string A blank space For example the following regular expression matches on 100 but not on 1002 2100 and so on _100_ Square brackets enclose a range of single character patterns For example the following regular expression matches output that contains 1 2 3 4 or 5 1 5 You can use the following expression symbols within the brackets These symbols are allowe...

Page 98: ...owser contacts the device and displays the login panel for the BigIron RX Series Switch as shown in Figure 1 FIGURE 1 Web Management Interface login panel NOTE If you are unable to connect with the device through a Web browser due to a proxy problem it may be necessary to set your Web browser to direct Internet access instead of using a proxy For information on how to change a proxy setting refer ...

Page 99: ... the CLI Web Management Interface When you log into a device the System configuration panel is displayed This panel allows you to enable or disable major system features You can return to this panel from any other panel by selecting the Home link The Site Map link gives you a view of all available options on a single screen Figure 3 displays the Web Management Interface panel for Layer 3 Switch fe...

Page 100: ...24 BigIron RX Series Configuration Guide 53 1002253 01 Logging on through the Web Management Interface 2 ...

Page 101: ...n slot M2 becomes the standby module You can change the default active slot from M1 to M2 using the active management command For information about performing this task refer to Changing the default active slot on page 29 After the active and standby modules are determined both modules boot from the source specified for the active module The active management module can boot from the following sou...

Page 102: ...resets itself and sends an interrupt signal to the standby module The standby module then becomes the active module and the interface modules continue to forward traffic The new active module begins to manage the system When the original active module becomes available again or is replaced it assumes the role of standby module Manual switchover In some situations you may want to manually switch th...

Page 103: ...module compares the standby module s flash code and system config file to its own If differences exist the active module synchronizes the standby module s flash code and system config file with its own Switchover implications After the role of the active management module switches from one module to another you must be aware of implications that affect the following areas Management sessions Syslo...

Page 104: ...dules run the same code a command that brings down the active management module will most likely bring down the standby management module Because all configuration commands are synchronized from active to standby management module in real time both management modules will crash at almost the same time This in turn causes the system to reset all interface modules similar to the behavior when the re...

Page 105: ...ancy BigIron RX config redundancy active management mgmt 2 Syntax active management mgt module The mgt module parameter specifies the management module which can be mgmt 1 or mgmt 2 NOTE This configuration has no effect on the reload and boot commands It only applies to the power cycle when both MPs are in the device Managing management module redundancy The BigIron RX Series Switch allows you to ...

Page 106: ... to the system config file on the active module the active module automatically synchronizes without comparison the standby module s system config file with its own Running config The running config file resides in the BigIron RX Series system s memory The running config file is automatically synchronized without comparison from the active module to the standby module at regular intervals The defa...

Page 107: ... flash code system config file and running config file on the active management module with the same files on the standby module and synchronize the files immediately if differences exist When you synchronize the files the active module copies its files to the standby module replacing the files on the standby module Synchronized at startup or switchover Also can be immediately synchronized using t...

Page 108: ...cause the BigIron RX Series system to switch over to the standby module and thus make it the active module To do so you can enter either the switchover or the reset commands at the Privileged EXEC level BigIron RX switchover or BigIron RX reset Syntax reset Syntax switchover NOTE When you enter the switchover command the CLI asks you to confirm your request by displaying the following prompt Are y...

Page 109: ...ed EXEC level BigIron RX reload Syntax reload To reboot the standby module only enter the following command at the Privileged EXEC level BigIron RX reboot standby Syntax reboot standby Monitoring management module redundancy You can monitor the following aspects of management module redundancy The status of the management modules if a module is the active or standby module The switchover history f...

Page 110: ...e is awaiting boot information from the active management module Sync The active module is currently synchronizing files between itself and the standby module Displaying temperature information Each management module contains a temperature sensor By default the BigIron RX system polls the temperature of each management module every 60 seconds You can display the current temperature of the manageme...

Page 111: ...ssions switchovers occurred because the active module was rebooted In session 2 the module installed in slot 9 M1 was the active module while the module installed in slot 10 M2 was the standby module In session 1 the module installed in slot 10 M2 was the active module while the module installed in slot 9 M1 was the standby module To view the system log or the traps logged on an SNMP trap receiver...

Page 112: ...e BigIron RX show log Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Buffer logging level ACDMEINW 24 messages logged level code A alert C critical D debugging M emergency E error I informational N notification W warning Static Log Buffer Sep 28 11 31 25 A Power Supply 1 1st left not installed Sep 28 11 31 25 A Power Supply 3 middle left not installed Sep 28 11 31 25 A Power Supply...

Page 113: ...anagement focus The management focus determines the default file system flash memory or the flash card inserted in slot 1 or 2 to which a file management operation applies When you power on or reload a BigIron RX Series system by default the management focus is on flash memory You can change the current management focus from flash memory to a slot and subdirectory using the cd or chdir command For...

Page 114: ...at it does not support subdirectories As a result you cannot create or delete subdirectories in this file system using the md or mkdir and rd or rmdir commands respectively Also when specifying the syntax for the various file management commands you will not need to specify a pathname to a subdirectory because it is not possible for a subdirectory to exist File naming conventions A file name in th...

Page 115: ... you want as long as the full path name is 256 characters or less When you include a subdirectory path in a file management command use a slash between each level For example to create a subdirectory for flash code and copy a flash image file to the subdirectory enter commands such as the following BigIron RX mkdir slot1 switchCode initial release These commands create two levels of subdirectories...

Page 116: ...mands you can use asterisk as a wildcard for any part of the name For example all the following values are valid for file name teststartup cfg test cfg nmb02200 bin bin m bin m Formatting a flash card The flash cards are not shipped with a management module If you want to use a flash card you must formatted it for the 16 FAT file system before you can store files on the card CAUTION Make sure the ...

Page 117: ...n RX pwd slot1 test Switching the management focus The effect of file management commands depends on the file system that has the current management focus For example if you enter a command to delete a file and do not specify the location of the file the software attempts to delete the file from the location that currently has the management focus By default the management focus is on the manageme...

Page 118: ...eaching the path For example if you are already at the PLOOK level the CLI cannot find the subdirectory PLOOK because it is not a subdirectory from the level that currently has the management focus To change the management focus back to flash memory enter the following command BigIron RX cd flash BigIron RX Displaying a directory of the files You can display a directory of the files in the managem...

Page 119: ... the following command BigIron RX dir Directory of flash 07 28 2003 15 57 45 3 077 697 1060 tmp 07 28 2003 15 56 10 3 077 697 14082 tmp 07 28 2003 16 00 08 3 077 697 2084 tmp 07 25 2003 18 00 23 292 701 boot 00 00 0 00 00 00 12 boot ini 07 28 2003 14 40 19 840 007 lp primary 0 07 28 2003 15 18 18 840 007 lp secondary 0 07 28 2003 09 56 16 391 524 monitor 07 28 2003 15 08 12 3 077 697 primary 07 28...

Page 120: ... card if the Brocade device s system clock is set Time of day The time of day at which the file was placed in the flash memory or card if the Brocade device s system clock is set File size The number of bytes in the file Read write attribute If you have set the file s read write attribute to read only R appears before the file name If the file s read write attribute is read write the default no va...

Page 121: ...y has the management focus However you do not need to change the focus to display the hexadecimal output of the file in a file system that does not currently have management focus In this case you can specify the directory file name parameter with the hd command to display the output of the file in the desired file system For example to display the hexadecimal output of a file in flash memory if f...

Page 122: ...either md or mkdir for the command name Specify the slot1 or slot2 keyword to create a subdirectory on the flash card in slot 1 or slot 2 respectively If you do not specify one of these parameters the command applies to the file system that currently has the management focus The dir name parameter specifies the subdirectory name You can enter a name that contains any combination of the following c...

Page 123: ...t flash memory has the management focus However you do not need to change the focus to remove a subdirectory from a file system that does not currently have management focus In this case you can specify the slot1 or slot2 keyword with the rd or rmdir command to remove the subdirectory from the desired file system For example to remove a subdirectory from the flash card inserted in slot 2 if the fl...

Page 124: ...w filename that you want to assign to the original file For example to rename a file on the flash card inserted in slot 2 if flash memory has the current management focus enter a command such as the following BigIron RX rename slot2 oldname slot2 newname Changing the read write attribute of a file You can specify the read write attribute of a file on a flash card as follows Read only You can displ...

Page 125: ...lete or rm command NOTE The delete or rm command deletes all files in a file system unless you explicitly specify the files you want to delete NOTE The software does not support an undelete option for the flash memory file system When deleting a file from flash memory make sure you really want to delete the file The software attempts to delete the file in the file system that has the current manag...

Page 126: ...out switching the management focus refer to Switching the management focus on page 41 For example to undelete a file on the flash card in slot 2 if flash memory has the current management focus enter a command such as the following BigIron RX cd slot2 BigIron RX undelete Undelete file RIMARY enter y or n y Input one character P File recovered successfully and named to PRIMARY For each file that ca...

Page 127: ...that currently has the management focus specify the subdirectory path in front of the file name The dest dir path dest file name parameter specifies the file to which you are appending the other file If the file is not located in the current subdirectory specify the subdirectory path in front of the file name For example to append a file in the root directory of slot 1 to another file in a subdire...

Page 128: ...ard to the primary area in flash memory enter a command such as the following BigIron RX copy slot1 flash nmpr02200 bin primary Syntax copy slot1 slot2 flash from dir path from name monitor primary secondary To copy a file from flash memory to a flash card enter a command such as the following BigIron RX copy flash slot2 nmpr02200 bin primary Syntax copy flash slot1 slot2 source name monitor prima...

Page 129: ...copy flash flash secondary standby Specify the optional standby keyword to copy the BigIron RX Series Multi Service IronWare image from the primary location in the active management module s flash memory to the secondary location in the standby module s flash memory Copying files from a management module to an interface module You can copy a software image or other type of file from the management...

Page 130: ...dir path source file path name monitor primary secondary The command in this example copies the primary BigIron RX Series Multi Service IronWare image from a TFTP server to a flash card in slot 1 Copying the startup config file between a flash card and flash memory Use the following methods to copy a startup config file between flash memory and a flash card By default the BigIron RX Series Switch ...

Page 131: ...n RX Series Switch s running config to a flash card or a TFTP server The running config contains the device s currently active configuration information When you copy the running config to a flash card or TFTP server you are making a copy of the device s current configuration including any configuration changes you have not saved to the startup config To copy the device s running configuration int...

Page 132: ...ith the cp command to copy a file to or from a file system that does not have current management focus For example to copy a file from flash memory which has the current management focus to flash memory enter a command such as the following BigIron RX cp primary primary2 For example to copy a file from flash memory which has the current management focus to the flash card in slot 2 enter a command ...

Page 133: ...ommand in this example reboots the system using the image nmpr02200 bin located on the flash card in slot 1 This example assumes that the flash card in slot 1 is not the management focus Syntax boot system slot1 slot2 dir path file name The slot1 slot2 keywords specify the flash card slot The file name parameter specifies the file name If the file is in a subdirectory specify the subdirectory path...

Page 134: ...e is not a slash the CLI treats the name you specify as relative to the root directory The device s response to the command depends on whether you enter the command at the Privileged EXEC level or the global CONFIG level If you enter multiple boot system commands at the global CONFIG level the software places them in the running config in the order you enter them and saves them to the startup conf...

Page 135: ...p config flash memory switch1 cfg BigIron RX write memory File management messages The following table lists the messages the CLI can display in response to file management commands TABLE 34 Flash card file management messages This message Means File not found You specified a file name that the software could not find Verify the command you entered to make sure the command matches the source and d...

Page 136: ...nds 3 Invalid DOS file name A filename you entered contains an invalid character for example or File recovered successfully and named file name A file you tried to recover was successfully recovered under the name indicated in the message TABLE 34 Flash card file management messages Continued This message Means ...

Page 137: ...ess to the CLI Not secured Establish passwords for management privilege levels page 71 Access to the Privileged EXEC and CONFIG levels of the CLI Not secured Establish a password for Telnet access to the CLI page 71 Establish passwords for management privilege levels page 71 Set up local user accounts page 74 Configure TACACS and TACACS security page 82 Configure RADIUS security page 98 Telnet acc...

Page 138: ...read write community strings for SNMP versions 1 and 2 page 1013 Establishing user groups for SNMP version 3 page 1017 Configure TACACS and TACACS security page 82 Configure RADIUS security page 98 SNMP network management system access SNMP read or read write community strings and the password to the Super User privilege level NOTE SNMP read or read write community strings are always required for ...

Page 139: ...ess group web access group and SNMP community strings Each of these configuration items accepts an ACL as a parameter The ACL contains entries that identify the IP addresses that can use the access method The following sections present examples of how to secure management access using ACLs NOTE ACL filtering for remote management access is done in hardware Using an ACL to restrict Telnet access To...

Page 140: ...fies the IPv6 access list These commands configure ACL 12 then apply the ACL as the access list for SSH access The device denies SSH access from the IP addresses listed in ACL 12 and permits SSH access from all other IP addresses Without the last ACL entry for permitting all packets this ACL would deny SSH access from all IP addresses NOTE In this example the command ssh access group 10 could have...

Page 141: ...mp server community string ro rw standard acl name standard acl id The string parameter specifies the SNMP community string the user must enter to gain SNMP access NOTE The ro parameter indicates that the community string is for read only get access The rw parameter indicates the community string is for read write set access The standard acl name standard acl id ipv6 ipv6 access list name paramete...

Page 142: ...rivate rw 10 vlan 3 In this example a Layer 3 VLAN is configured as a remote access management VLAN and a router interface The IP address specified for the router interface becomes the management IP address of the VLAN Restricting remote access to the device to specific IP addresses By default a device does not control remote management access based on the IP address of the managing device You can...

Page 143: ...pv6 addr Restricting all remote management access to a specific IP address To allow Telnet Web and SNMP management access to the device only to the host with IP address 209 157 22 69 you can enter three separate commands one for each access type or you can enter the following command BigIron RX config all client 209 157 22 69 Syntax no all client ip addr ipv6 ipv6 addr Specifying the maximum numbe...

Page 144: ...mitted still cannot access the device through Telnet Restricting Telnet access to a specific VLAN To allow Telnet access only to clients in a specific VLAN enter a command such as the following BigIron RX config telnet server enable vlan 10 The command configures the device to allow Telnet management access only to clients connected to ports within port based VLAN 10 Clients connected to ports tha...

Page 145: ...l not be able to use IronView Network Manager or third party SNMP management applications Disabling Telnet access Telnet access is enabled by default You can use a Telnet client to access the CLI on the device over the network If you do not plan to use the CLI over the network and want to disable Telnet access to prevent others from establishing CLI sessions with the device enter the following com...

Page 146: ...ed if you want to manage a device using IronView Network Manager or Brocade Network Advisor Enter the command to disable SNMP management of the device BigIron RX config no snmp server enable Enter the command to later re enable SNMP management of the device BigIron RX config snmp server enable Syntax no snmp server enable Setting passwords Passwords can be used to secure the following access metho...

Page 147: ...can set one password for each of the following management privilege levels Super User level Allows complete read and write access to the system This is generally for system administrators and is the only management privilege level that allows you to configure passwords Port Configuration level Allows read and write access for specific ports but not for global system wide parameters Read Only level...

Page 148: ...ort config password text Syntax enable read only password text NOTE If you forget your Super User level password refer to Recovering from a lost password on page 73 Augmenting management privilege levels Each management privilege level provides access to specific areas of the CLI by default Super User level provides access to all commands and displays Port Configuration level gives access to The U...

Page 149: ... example BigIron RX config vif 6 rip router RIP router level for example BigIron RX config rip router ospf router OSPF router level for example BigIron RX config ospf router bgp router BGP4 router level for example BigIron RX config bgp router port vlan Port based VLAN level for example BigIron RX config vlan protocol vlan Protocol based VLAN level dot1x loopback interface tunnel interface vrrp ro...

Page 150: ...ash as part of the configuration file By default the passwords are encrypted so that the passwords cannot be observed by another user who displays the configuration file Even if someone observes the file while it is being transmitted over TFTP the password is encrypted If you want to remove the password encryption you can disable encryption by entering the following command BigIron RX config no se...

Page 151: ...r level Allows complete read and write access to the system This is generally for system administrators and is the only privilege level that allows you to configure passwords This is the default Port Configuration level Allows read and write access for specific ports but not for global system wide parameters Read Only level Allows access to the Privileged EXEC mode and CONFIG mode but only with re...

Page 152: ... for a local user but the previous two passwords configured for the user as well The local user s password cannot be changed to one of the stored passwords Consequently if you change the password for a local user you must select a password that is different from the current password as well as different from the previous two passwords that had been configured for that user For example say local us...

Page 153: ...ivilege pulldown menu By default the system assigns privilege level 5 Read Only which allows the user to display information but not to make configuration changes 8 Click the Add button to save the change to the device s running config file 9 Repeat step 3 to step 8 for each user account 10 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration The curr...

Page 154: ... the password security feature Enter a command such as the following BigIron RX config enable strict password enforcement Syntax no enable strict password enforcement This feature is disabled by default When the command is configured the passwords that users create for their accounts must not share four or more concurrent characters with any other passwords configured on the device otherwise the f...

Page 155: ...ing out user accounts after three login attempts A user has three login attempts If he or she fails to login after the third attempt that his or her account is locked out disabled To re enable the user account do one of the following Reboot the device to re enable all disabled users Enable the user account by entering the following command BigIron RX config username sandy enable Syntax no username...

Page 156: ...word option allows you to create a password with a numeric value in the password string variable The generated password will be encrypted The show running config command displays the password as shown BigIron RX config username sandy 8 tomorrow BigIron RX show user Username Password Encrypt Priv Status Expire Time sandy 1 Gz uX wQ44fVGtsqbKWkQknzAZ6 enabled 0 enabled 20 days Granting access by tim...

Page 157: ...port for SSL communication By default SSL protocol exchanges occur on TCP port 443 You can optionally change the port number used for SSL communication For example the following command causes the device to use TCP port 334 for SSL communication BigIron RX config ip ssl port 334 Syntax no ip ssl port port number The default port for SSL communication is 443 Importing digital certificates and RSA p...

Page 158: ...rypto ssl certificate generate Syntax no crypto ssl certificate generate Deleting the SSL certificate To delete the SSL certificate enter the following command BigIron RX config crypto ssl certificate zeroize Syntax no crypto ssl certificate zeroize Configuring TACACS and TACACS security You can use the security protocol Terminal Access Controller Access Control System TACACS or TACACS to authenti...

Page 159: ...on the device prompts users who are trying to access the CLI for a user name and password then verifies the password with the TACACS and TACACS server If you are using TACACS Brocade recommends that you also configure authorization in which the device consults a TACACS server to determine which management privilege level and which associated set of commands an authenticated user is allowed to use ...

Page 160: ...CS authorization The device supports two kinds of TACACS authorization Exec authorization determines a user s privilege level when they are authenticated Command authorization consults a TACACS server to get authorization for commands entered by the user When TACACS exec authorization takes place the following events occur 1 A user logs into the device using Telnet SSH or the Web Management Interf...

Page 161: ... the TACACS accounting server 7 The TACACS accounting server acknowledges the Accounting Stop packet AAA operations for TACACS and TACACS The following table lists the sequence of authentication authorization and accounting operations that take place when a user gains access to a device that has TACACS and TACACS security configured User action Applicable AAA operations User attempts to gain acces...

Page 162: ...supports authentication using up to eight TACACS and TACACS servers The device tries to use the servers in the order you add them to the device s configuration User logs out of Telnet SSH session Command accounting TACACS aaa accounting commands privilege level default start stop method list EXEC accounting stop TACACS aaa accounting exec default start stop method list User enters system commands ...

Page 163: ...hod lists for TACACS and TACACS on page 90 TACACS configuration procedure For TACACS configurations use the following procedure 1 Enable TACACS refer to Enabling SNMP to configure TACACS and TACACS on page 87 2 Identify TACACS servers Refer to Identifying the TACACS and TACACS servers on page 88 3 Set optional parameters Refer to Setting optional TACACS and TACACS parameters on page 89 4 Configure...

Page 164: ...lowing order the software tries the servers in the same order 1 207 94 6 161 2 207 94 6 191 3 207 94 6 122 You can remove a TACACS and TACACS server by entering no followed by the tacacs server command For example to remove 207 94 6 161 enter the following command BigIron RX config no tacacs server host 207 94 6 161 NOTE If you erase a tacacs server command by entering no followed by the command m...

Page 165: ...rimary authentication server to reply before deciding the server is dead and trying to authenticate using the next server The dead time value can be from 1 5 seconds The default is 3 seconds Timeout This parameter specifies how many seconds the Brocade device waits for a response from a TACACS and TACACS server before either retrying the authentication request or determining that the TACACS and TA...

Page 166: ...on server to reply before deciding the server is dead and trying to authenticate using the next server The dead time value can be from 1 5 seconds The default is 3 seconds To set the TACACS and TACACS dead time value enter the following command BigIron RX config tacacs server dead time 5 Syntax tacacs server dead time number Setting the timeout parameter The timeout parameter specifies how many se...

Page 167: ...method for securing access to Privileged EXEC level and CONFIG levels of the CLI If TACACS and TACACS authentication fails due to an error with the server local authentication is used instead If local authentication fails no authentication is used the device automatically permits access For information on the command syntax refer to Examples of authentication method lists on page 113 NOTE For exam...

Page 168: ...and authorization consults a TACACS server to get authorization for commands entered by the user Configuring Exec authorization When TACACS exec authorization is performed the device consults a TACACS server to determine the privilege level of the authenticated user To configure TACACS exec authorization on the device enter the following command BigIron RX config aaa authorization exec default tac...

Page 169: ...ge level of the user Possible values are 0 for super user level 4 for port config level or 5 for read only level If a value other than 0 4 or 5 is specified in the foundry privlvl A V pair the default privilege level of 5 read only is used The foundry privlvl A V pair can also be embedded in the group configuration for the user Refer to your TACACS documentation for the configuration syntax releva...

Page 170: ...g a privilege level whose commands require authorization For example to configure the BigIron RX to perform authorization for the commands available at the Super User privilege level that is all commands on the device enter the following command BigIron RX config aaa authorization commands 0 default tacacs Syntax aaa authorization commands privilege level default tacacs radius none The privilege l...

Page 171: ...gIron RX and an Accounting Stop packet when the user logs out BigIron RX config aaa accounting exec default start stop tacacs Syntax aaa accounting exec default start stop radius tacacs none Configuring TACACS accounting for CLI commands You can configure TACACS accounting for CLI commands by specifying a privilege level whose commands require accounting For example to configure the BigIron RX to ...

Page 172: ...figuring the Brocade device to always send the TACACS and TACACS packets from the same link or source address If you specify a loopback interface as the single source for TACACS and TACACS packets TACACS and TACACS servers can receive the packets regardless of the states of individual links Thus if a link to the TACACS and TACACS server becomes unavailable but the client or server can be reached t...

Page 173: ...ription Tacacs key The setting configured with the tacacs server key command At the Super User privilege level the actual text of the key is displayed At the other privilege levels a string of periods is displayed instead of the text Tacacs retries The setting configured with the tacacs server retransmit command Tacacs timeout The setting configured with the tacacs server timeout command Tacacs de...

Page 174: ...log information on a RADIUS accounting server when specified events occur on the device NOTE By default a user logging into the device through Telnet or SSH first enters the User EXEC level The user can then enter the enable command to get to the Privileged EXEC level A user that is successfully authenticated can be automatically placed at the Privileged EXEC level after login Refer to Entering pr...

Page 175: ...tributes are used with RADIUS authorization if configured 9 The user is authenticated and the information supplied in the Access Accept packet for the user is stored on the BigIron RX The user is granted the specified privilege level If you configure RADIUS authorization the user is allowed or denied usage of the commands in the list RADIUS authorization When RADIUS authorization takes place the f...

Page 176: ... server 7 The RADIUS accounting server acknowledges the Accounting Stop packet AAA operations for RADIUS The following table lists the sequence of authentication authorization and accounting operations that take place when a user gains access to a BigIron RX that has RADIUS security configured User action Applicable AAA operations User attempts to gain access to the Privileged EXEC and CONFIG leve...

Page 177: ...so use RADIUS command authorization RADIUS configuration considerations Consider the following to configure RADIUS You must deploy at least one RADIUS server in your network The device supports authentication using up to eight RADIUS servers The device tries to use the servers in the order you add them to the device s configuration If one RADIUS server is not responding the Brocade device tries th...

Page 178: ...tion method lists Refer to Configuring authentication method lists for RADIUS on page 105 5 Optionally configure RADIUS authorization Refer to Configuring RADIUS authorization on page 107 6 Optionally configure RADIUS accounting Configuring RADIUS accounting on page 109 Configuring Brocade specific attributes on the RADIUS server NOTE For the BigIron RX RADIUS Challenge is supported for 802 1x aut...

Page 179: ...y management privilege level that allows you to configure passwords 4 Port Configuration level Allows read and write access for specific ports but not for global system wide parameters 5 Read Only level Allows access to the Privileged EXEC mode and CONFIG mode of the CLI but only with read access brocade command string 2 string Specifies a list of CLI commands that are permitted or denied to the u...

Page 180: ...on only key def BigIron RX config radius server host 1 2 3 6 accounting only key ghi Syntax radius server host ip addr server name auth port number acct port number authentication only authorization only accounting only default key string The default parameter causes the server to be used for all AAA functions After authentication takes place the server that performed the authentication is used fo...

Page 181: ...r of retransmission attempts When an authentication request times out the Brocade software will retransmit the request up to the maximum number of retransmissions configured The default retransmit value is 3 retries The range of retransmit values is from 1 5 Use the command to set the RADIUS retransmit limit BigIron RX config radius server retransmit 5 Syntax radius server retransmit number Settin...

Page 182: ...nd CONFIG levels of the CLI If RADIUS authentication fails due to an error with the server local authentication is used instead If local authentication fails no authentication is used the device automatically permits access For information on the command syntax refer to Examples of authentication method lists on page 113 NOTE For examples of how to define authentication method lists for types of a...

Page 183: ...the aaa authorization exec command from the device s configuration no exec authorization is performed NOTE If the aaa authorization exec default radius command exists in the configuration following successful authentication the device assigns the user the privilege level specified by the brocade privilege level attribute received from the RADIUS server If the aaa authorization exec default radius ...

Page 184: ...n without RADIUS authentication Command authorization and accounting for console commands The BigIron RX supports command authorization and command accounting for CLI commands entered at the console To configure the device to perform command authorization and command accounting for console commands enter the following command BigIron RX config enable aaa console Syntax no enable aaa console CAUTIO...

Page 185: ...ig aaa accounting commands 0 default start stop radius An Accounting Start packet is sent to the RADIUS accounting server when a user enters a command and an Accounting Stop packet is sent when the service provided by the command is completed NOTE If authorization is enabled and the command requires authorization then authorization is performed before accounting takes place If authorization fails ...

Page 186: ...ce interface for Telnet TACACS and TACACS and RADIUS packets You can configure a source interface for one or more of these types of packets To specify an Ethernet or a loopback or virtual interface as the source for all RADIUS packets from the device use the following CLI method The software uses the lowest numbered IP address configured on the port or interface as the source IP address for RADIUS...

Page 187: ...wing statistics are displayed Auth PortRADIUS authentication port number default 1645 Acct PortRADIUS accounting port number default 1646 opensNumber of times the port was opened for communication with the server closesNumber of times the port was closed normally timeoutsNumber of times port was closed due to a timeout errorsNumber of times an error occurred while opening the port packets inNumber...

Page 188: ...s on page 63 or Restricting remote access to the device to specific IP addresses on page 66 In an authentication method list for a particular access method you can specify up to seven authentication methods If the first authentication method is successful the software grants access and stops the authentication process If the access is rejected by the first authentication method the software denies...

Page 189: ...e corresponding SNMP community string For devices that can be managed using IronView Network Manager the default authentication method if no authentication method list is configured for SNMP is the CLI Super User level password If no Super User level password is configured then access through IronView Network Manager is not authenticated To use local user accounts to authenticate access through Ir...

Page 190: ... for each frame The Brocade device authenticates each HTTP request from the browser To limit authentications to one per page disable frames on the Web management interface NOTE TACACS and TACACS and RADIUS are not supported with the snmp server parameter The method1 parameter specifies the primary authentication method The remaining optional method parameters specify additional methods to try if a...

Page 191: ...4 radius Authenticate using the database on a RADIUS server You also must identify the server to the device using the radius server command none Do not use any authentication method The device automatically permits access TABLE 40 Authentication method values Continued Method parameter Description ...

Page 192: ...116 BigIron RX Series Configuration Guide 53 1002253 01 Configuring authentication method lists 4 ...

Page 193: ...d location for the device and save the information locally in the configuration file for future reference The information is not required for system operation but recommended When you configure a system name it replaces the default system name in the CLI command prompt To configure a system name contact and location enter commands such as the following BigIron RX config hostname home home config s...

Page 194: ...ecify whether to have the community string encrypted or to have it shown in the clear In either case the software does not encrypt the string in the SNMP traps sent to the receiver To specify an SNMP trap receiver enter a command such as the following BigIron RX config snmp server host 2 2 2 2 1 mypublic port 200 BigIron RX config write memory The first commands adds trap receiver 2 2 2 2 configur...

Page 195: ...mes unavailable but the receiver can be reached through another link the receiver still receives the trap and the trap still has the source IP address of the loopback interface To configure the device to send all SNMP traps from the first configured IP address on port 4 11 enter the following commands BigIron RX config snmp server trap source ethernet 4 11 BigIron RX config write memory Syntax snm...

Page 196: ... enable traps holddown time secs The secs parameter specifies the number of seconds 1 600 The default is 60 Disabling SNMP traps The device comes with SNMP trap generation enabled by default for all traps NOTE By default all SNMP traps are enabled at system startup You can selectively disable one or more of the following traps SNMP authentication key Power supply failure Fan failure Cold start Lin...

Page 197: ...el NOTE Messages for accessing the User EXEC level apply only to access through Telnet The device does not authenticate initial access through serial connections but does authenticate serial access to the Privileged EXEC level Messages for accessing the Privileged EXEC level apply to access through the serial connection or Telnet The following examples show login and logout messages for the User E...

Page 198: ... address If you specify a loopback interface as the single source for Telnet packets Telnet servers can receive the packets regardless of the states of individual links Thus if a link to the Telnet server becomes unavailable but the client or server can be reached through another link the client or server still receives the packets and the packets still have the source IP address of the loopback i...

Page 199: ...he lowest numbered IP address configured on a virtual routing interface as the device s source for all TFTP packets enter commands such as the following BigIron RX config int ve 1 BigIron RX config vif 1 ip address 10 0 0 3 24 BigIron RX config vif 1 exit BigIron RX config ip tftp source interface ve 1 The commands configure virtual routing interface 1 assign IP address 10 0 0 3 24 to it then desi...

Page 200: ...consulted only if a positive ACK is not received from the first one NOTE The device does not retain time and date information across power cycles Unless you want to reconfigure the system time counter each time the system is reset Brocade recommends that you use the SNTP feature To identify an SNTP server with IP address 208 99 8 95 to act as the clock reference for a device enter the following Bi...

Page 201: ...Dispersion in seconds TABLE 42 Output from the show sntp status command This field Indicates unsynchronized System is not synchronized to an NTP peer synchronized System is synchronized to an NTP peer stratum NTP stratum level of this system reference clock IP Address of the peer if any to which the unit is synchronized precision Precision of this system s clock in Hz reference time Reference time...

Page 202: ...Network Time Protocol SNTP server on page 124 To set the system time and date to 10 15 05 on October 15 2005 enter the following command BigIron RX clock set 10 15 05 10 15 05 Syntax no clock set hh mm ss mm dd yy mm dd yyyy By default the device does not change the system time for daylight savings time To enable daylight savings time enter the following command BigIron RX config clock summer time...

Page 203: ...7 affects only networks following the US time zones This software release supports the DST automatic feature but to trigger the device to the correct time the device must be configured to the US time zone not the GMT offset To configure your device to use the US time zone enter the following command BigIron RX config clock timezone us pacific Syntax no clock timezone us timezone type Enter pacific...

Page 204: ...mple the delimiting character is dollar sign The text in between the dollar signs is the contents of the banner The banner text can be up to 2047 characters long and can consist of multiple lines To remove the banner enter the no banner motd command Syntax no banner delimiting character motd delimiting character NOTE If a message of the day MOTD is configured the user will be required to press the...

Page 205: ...erminal screen during the current CLI session The terminal length command allows you to determine how many lines will be displayed on the screen during the current CLI session This command is useful when reading multiple lines of displayed information especially those that do not fit on one screen To specify the maximum number of lines displayed on one page enter a command such as the following Bi...

Page 206: ...P FSRP To reset a system enter the reload command at the privileged level of the CLI To enable a protocol on a device enter router at the global CONFIG level followed by the protocol to be enabled The following example shows how to enable OSPF BigIron RX config router ospf BigIron RX config end BigIron RX write memory BigIron RX reload Syntax router bgp dvmrp ospf pim rip vrrp vrrpe Displaying and...

Page 207: ... increase the number of subnet addresses you can configure on each port to a higher amount you might also need to increase the total number of subnets that you can configure on the device NOTE Changing the table size for a parameter reconfigures the device s memory Whenever you reconfigure the memory on a device you must save the change to the startup configuration file then reload the software to...

Page 208: ... 3 isis port metric 10 isis priority 64 isis csnp interval 10 sec isis default metric 10 isis distance 115 isis lsp gen interval 10 sec isis lsp interval 33 msec isis lsp refresh interval 900 sec isis max lsp lifetime 1200 sec isis maximum paths 4 isis retransmit interval 5 sec isis spf interval 5 sec System Parameters Default Maximum Current mac 32768 65536 65536 vlan 512 4095 512 spanning tree 3...

Page 209: ...esses per port and can be from 1 64 The default is 24 Syntax system max subnet per system num The num parameter specifies the maximum number of subnet addresses for the entire device and can be from 1 512 The default is 256 To increase the size of the IP route table for static routes enter the following command BigIron RX config system max ip static route 8192 Syntax system max ip static route num...

Page 210: ...ng enter the command with no BigIron RX config if e10000 3 2 no route only CAM partitioning for the BigIron RX In releases prior to 02 3 00 CAM partitioning was not configurable Starting in BigIron RX software release 02 3 00 you can specify the percentage of CAM assigned to each of the CAM entry types globally CAM Partitioning is not required on the device The default CAM allocations are describe...

Page 211: ...next hop Entries for directly connected hosts are also present in the nexthop table The nexthop table has 4096 entries per line card by default This table is divided into four partitions First partition contains next hop entries for routes with one routing path This included directly connected host entries Second partition contains next hop entries for routes with two or less equal cost paths Allo...

Page 212: ...ne cards are partitioned according to the parameters in above command Syntax cam partition next hop number Use the number parameter to specify the number of entries for the nexthop Use the no cam partitioning next hop command to return to the default partitioning Changing the MAC age time The MAC age time sets the aging period for ports on the device defining how long how many seconds a port addre...

Page 213: ...s the maximum number of hops You can specify a TTL from 1 255 The default is 64 The size byte parameter specifies the size of the ICMP data portion of the packet This is the payload and does not include the header You can specify from 0 4000 The default is 16 The no fragment parameter turns on the don t fragment bit in the IP header of the ping packet This option is disabled by default The quiet p...

Page 214: ...ber of characters displayed may not correspond to the number of server timeouts that occurred while waiting for a reply The success or timeout results are shown in the display as Success rate is XX percent X Y The optional max print per sec number parameter specifies the maximum number of target responses the BigIron RX device can display per second while in brief mode You can specify from 0 2047 ...

Page 215: ...ther network requirements A port name can be assigned to help identify interfaces on the network You can assign a port name to physical ports virtual routing interfaces and loopback interfaces To assign a name to a port BigIron RX config interface e 2 8 BigIron RX config if e10000 2 8 port name Marsha Markey Syntax port name text The text parameter is an alphanumeric string The name can be up to 2...

Page 216: ...en using two 24C s Setting both sides to 100 full and using gig links or actual 24C s is recommended for switch uplinks Host PC s that are connected are not affected NOTE Modifying the port speed of a port that has a pre configured rate limit policy may result in the inability to remove the port s rate limit policy NOTE Brocade recommends using gig links or 24C s links for switch uplinks when tran...

Page 217: ...riate status option The default value for a port is enabled To disable port 8 on module 1 of a device enter the following BigIron RX config interface e 1 8 BigIron RX config if e10000 1 8 disable Syntax disable Syntax enable You also can disable or re enable a virtual routing interface To do so enter commands such as the following BigIron RX config interface ve v1 BigIron RX config vif 1 disable S...

Page 218: ...nter commands such as the following BigIron RX config int ethernet 4 1 to 4 4 BigIron RX config mif 4 1 4 4 gig default neg off This command changes the default auto gig setting and sets the negotiation mode to neg off for ports 4 1 4 4 Syntax gig default auto full neg full auto auto gig neg off Default is gig default auto gig The auto full neg full auto auto gig and neg off options are as describ...

Page 219: ...nager When the sinking threshold is reached the device sends out 802 3x PAUSE frames telling the sender to stop sending traffic for a period of time When the sunk threshold is reached the device drops traffic at the specified priority level The slot parameter specifies the location of the module where the thresholds are to take effect Locking a port to restrict addresses Address lock filters allow...

Page 220: ...00ms the delayed down event is cancelled otherwise the down event is sent after 100ms This allows the upper layer applications not to be affected by a port state flapping BigIron RX config if e1000 1 2 delay link event 2 down Syntax delay link event time up down The time parameter is the number of 50 ms units The default is 0 The up parameter means only up events are delayed The down parameter mea...

Page 221: ... will detect and count this transition as an up to down toggle The sampling time in sec is the amount of time during which the specified toggle threshold can occur before the wait period is activated The default is 0 seconds Enter a value between 1 and 65565 seconds The wait time in sec is the amount of time the port remains disabled down before it becomes enabled Entering 0 indicates that the por...

Page 222: ... have its own set of monitored ports For example you can configure ports 1 1 and 5 1 as mirror ports and monitor ports 1 2 1 8 on port 1 1 and ports 5 2 5 8 on port 5 1 The mirror port and monitored ports also can be on different slots However on a 24 X 1G module you can configure only one mirror port per packet processor PPCR For example if you configure port 3 1 to be mirrored by port 5 1 all ot...

Page 223: ...e 147 53 1002253 01 Assigning a mirror port and monitor ports 6 NOTE You cannot monitor outbound traffic from one armed router traffic NOTE Mirror analyzer ports cannot be assigned to the 16x10 card You can monitor traffic on 16x10 ports ...

Page 224: ...to which inbound traffic from port 3 1 is mirrored Because only one mirror port is configured on this module the traffic is mirrored as configured If input monitoring is enabled on two ports controlled by the same packet processor then the input traffic on these two ports will be mirrored to all the ports configured as mirror ports for these two monitored ports This restriction does not apply to o...

Page 225: ...nk port you want to monitor Use ethe port monitored portnum to specify a port number Use named port monitored portname to specify a trunk port name The ethernet slot portnum parameter specifies the port to which the traffic analyzer is attached The in out both parameter specifies the traffic direction to be monitored Mirror ports for Policy Based Routing PBR traffic You can mirror traffic on ports...

Page 226: ...s list 100 permit tcp any any eq ssl The above commands complete the following configuration tasks 1 Configures an entry in the PBR route map named ssl pbr map The match statement matches on IP information in ACL 100 The set mirror interface statement specifies interface e 5 as the mirror port for matched ACL permit clauses The set next hop statement sets the IP address of the route s next hop rou...

Page 227: ...1 which are not explicitly configured Enabling WAN PHY mode support A 10 Gigabit Ethernet port can be configured to use SONET SDH framing for Layer 1 transport across a WAN transport backbone by configuring the port in WAN PHY mode The default is for the port to operate in LAN PHY mode To enable a 10 GB Ethernet port to support WAN PHY mode use the following command BigIron RX config if e10000 6 3...

Page 228: ...152 BigIron RX Series Configuration Guide 53 1002253 01 Enabling WAN PHY mode support 6 ...

Page 229: ... packet moves through a device FIGURE 5 IP Packet flow through a device Figure 5 Shows the following packet flow Incoming Port Drop Permit Deny IP ACLs hardware PBR hardware Yes No Next Hop Table hardware Match No Match IP Routing hardware Forward to CPU Lowest Metric Directly connected host forwarding cache software ECMP and Trunk Load Balancing hardware Outgoing Port IP Route Table software ARP ...

Page 230: ... and the host is reachable the CPU creates a route entry in the hardware to route subsequent packets in hardware The software enables you to display the ARP cache and static ARP table the IP route table the IP forwarding cache ARP cache table The Address Resolution Protocol ARP is supported on the device Refer to IP fragmentation protection on page 185 The ARP cache contains entries that map IP ad...

Page 231: ... connected destination which means there are no router hops to the destination A static IP route which is a user configured route A route learned through RIP A route learned through OSPF A route learned through BGP4 The IP route table contains the best path to a destination When the software receives paths from more than one of the sources listed above the software compares the administrative dist...

Page 232: ... a directly connected host Host entries are set to age out after a certain period if no traffic is seen for that entry 2 Network entries These entries are created when a route table entry is created in software These entries are not subjected to aging A route table entry is created when routes are learned by routing protocols such as OSPF or when routes are statically configured Here is an example...

Page 233: ...al parameters Parameter Description Default See page IP state The Internet Protocol version 4 Enabled NOTE You cannot disable IP n a IP address and mask notation Format for displaying an IP address and its network mask information You can enable one of the following Class based format example 192 168 1 1 255 255 255 0 Classless Interdomain Routing CIDR format example 192 168 1 1 24 Class based NOT...

Page 234: ... router drops the packet instead of forwarding it 64 hops page 194 Directed broadcast forwarding A directed broadcast is a packet containing all ones or in some cases all zeros in the host portion of the destination IP address When a router forwards such a broadcast it sends a copy of the packet out each of its enabled IP interfaces NOTE You also can enable or disable this parameter on an individu...

Page 235: ...pings trace routes and Telnet management connections to the router None configured page 174 DNS default gateway addresses A list of gateways attached to the router through which clients attached to the router can reach DNSs None configured page 174 IP load sharing A Brocade feature that enables the router to balance traffic to a specific destination across multiple equal cost paths Load sharing is...

Page 236: ...ault See page IP state The Internet Protocol version 4 Enabled NOTE You cannot disable IP n a IP address A Layer 3 network interface address The device has separate IP addresses on individual interfaces None configureda page 161 Encapsulation type The format of the packets in which the router encapsulates IP datagrams The encapsulation format can be one of the following Ethernet II SNAP Ethernet I...

Page 237: ...a directed broadcast to the server s subnet on the port connected to the client The lowest numbered IP address on the interface that receives the request page 220 UDP broadcast forwarding The router can forward UDP broadcast packets for UDP applications such as BootP By forwarding the UDP broadcasts the router enables clients on one subnet to find servers attached to other subnets NOTE To complete...

Page 238: ...fix format on page 164 Assigning an IP address to an Ethernet port To assign an IP address to port 1 1 enter the following commands BigIron RX config interface ethernet 1 1 BigIron RX config if e1000 1 1 ip address 192 45 6 1 255 255 255 0 NOTE You also can enter the IP address and mask in CIDR format as follows BigIron RX config if e10000 1 1 ip address 192 45 6 1 24 Syntax interface ethernet slo...

Page 239: ...he IP address refer to Assigning an IP address to an Ethernet port on page 162 Assigning an IP address to a virtual interface A virtual interface is a logical port associated with a Layer 3 Virtual LAN VLAN configured on a device NOTE Other sections in this chapter that describe how to configure interface parameters also apply to virtual interfaces NOTE The device uses the lowest MAC address on th...

Page 240: ... ip address ip addr Changing the network mask display to prefix format By default the CLI displays network masks in classical IP address format example 255 255 255 0 If you enable the software to display IP subnet masks in CIDR format the mask is saved in the file in mask bits format You can use the CIDR format to configure ACL entries regardless of whether the software is configured to display th...

Page 241: ...in this version GRE MTU configuration considerations The default value of IP GRE tunnel MTU is 1476 bytes The MTU of the GRE tunnel is compared with the outgoing packet before the encapsulation is done After the encapsulation the packet size increases by 24 bytes If a user wants to change the GRE tunnel MTU the MTU should be at least 24 bytes less than the IP MTU of the outgoing interface Otherwis...

Page 242: ...RX config tnif 1 tunnel source 35 0 8 108 Syntax tunnel source ip address The ip address variable is source IP address being configured for the specified tunnel Configuring a destination address for a tunnel interface To configure a destination address for a specific tunnel interface enter the following command BigIron RX config interface tunnel 1 BigIron RX config tnif 1 tunnel destination 131 10...

Page 243: ...gured tunnel termination is performed by the CPU When a port is used as a loopback port for a tunnel it should not be used for any other purpose NOTE The tunnel loopback port is one of the router s physical ports It is defined so the GRE packet processing Is done on by the port s LP CPU instead of the MP s CPU You can use a 10 GBE port without a loopback connector but the optical transceiver modul...

Page 244: ...nterface ethernet 5 1 BigIron RX config if e1000 5 1 ip address 131 108 5 2 24 BigIron RX config exit BigIron RX config interface tunnel 1 BigIron RX config tnif 1 tunnel loopback 1 1 BigIron RX config tnif 1 tunnel source 131 108 5 2 BigIron RX config tnif 1 tunnel destination 36 0 8 108 BigIron RX config tnif 1 tunnel mode gre ip BigIron RX config tnif 1 ip address 10 10 3 2 24 BigIron RX config...

Page 245: ... Tunnel destination is 110 110 2 12 Tunnel mode gre ip Tunnel loopback is 1 3 No port name MTU 1476 Bytes Syntax show interface tunnel number The number parameter indicates the tunnel interface number for which you want to display information TABLE 45 CLI display of interface IP configuration information This field Displays Interface The tunnel and tunnel number IP Address The IP address of the tu...

Page 246: ...nect two isolated IPv6 domains You should deploy this point to point tunnel mechanism if you need a permanent and stable connection Configuration notes The tunnel mode should be ipv6ip indicating that this is ipv6 manual tunnel Both source and destination addresses needs to be configured on the tunnel On the remote side we need to have exactly opposite source or destination pair The tunnel destina...

Page 247: ...al or site local address with an EUI 64 interface ID in the low order 64 bits The interface ID is automatically constructed in IEEE EUI 64 format using the interface s MAC address Syntax tunnel source ipv4 address ethernet port loopback number ve number You must specify the ipv4 address parameter using 8 bit values in dotted decimal notation The ethernet loopback ve parameter specifies an interfac...

Page 248: ...c IPv4 compatible tunnel Packet Received The number of packets received by a tunnel interface Packet Sent The number of packets sent by a tunnel interface TABLE 47 IPv6 tunnel interface information This field Displays Tunnel interface status The status of the tunnel interface can be one of the following up The tunnel interface is functioning properly down The tunnel interface is not functioning an...

Page 249: ...display command above reflects the following configuration BigIron RX show running config interface tunnel 1 interface tunnel 1 port name ManualTunnel1 tunnel mode ipv6ip tunnel source loopback 1 tunnel destination 2 1 1 1 ipv6 address fe80 3 4 2 link local ipv6 address 1011 1 64 ipv6 address 1001 1 64 ipv6 ospf area 0 Tunnel source The tunnel source can be one of the following An IPv4 address The...

Page 250: ...u enter them Suppose you want to define the domain name of newyork com on a device and then define four possible default DNS gateway addresses To do so enter the following commands BigIron RX config ip dns domain name newyork com BigIron RX config ip dns server address 209 157 22 199 205 96 7 15 208 95 7 25 201 98 7 15 Syntax ip dns domain name name Syntax ip dns server address ip addr ip addr ip ...

Page 251: ...ype Address border2 pc0 0 bbnet1 sje pnap net TMP OK 720 IP 66 151 144 5 You can also enter the following BigIron RX ip domain lookup border2 Host Flag TTL min Type Address border2 pc0 0 bbnet1 sje pnap net TMP OK 720 IP 66 151 144 5 Syntax ip domain loopkup ip address host name ip address Enter an IP address to obtain the host name host name Enter the host name to obtain the IP address The comple...

Page 252: ... table To clear a specific entry in DNS cache table enter the following command BigIron RX clear ip dns cache table www brocade com OR BigIron RX clear ip dns cache table 63 236 63 244 Syntax clear ip dns cache table ip address host name host name Complete qualified name For example enter www company com or host company com ip address Enter the IP address of the host This must be the correct IP ad...

Page 253: ...evice enter the following command BigIron RX config show ip dns poll time interval Current DNS polling interval is 7 minutes Syntax show ip dns poll time interval Displaying the server list To display the current DNS server list configured for the device enter the following command BigIron RX show ip dns server list Total number of DNS Servers configured 2 Server List 10 51 17 30 10 51 17 29 TABLE...

Page 254: ... a host on the newyork com domain Because the newyork com domain is already defined on the device you need to enter only the host name NYC02 as noted below BigIron RX traceroute nyc02 Syntax traceroute host ip addr maxttl value minttl value numeric timeout value source ip ip addr The only required parameter is the IP address of the host at the other end of the route After you enter the command a m...

Page 255: ...and 1492 bytes for SNAP encapsulation Port IP MTU A port s default IP MTU depends on the encapsulation type enabled on the port Changing the encapsulation type The device encapsulates IP packets into Layer 2 packets to send the IP packets on the network A Layer 2 packet is also called a MAC layer packet or an Ethernet frame The MAC address of the device interface sending the packet is the source a...

Page 256: ... jumbo frame that applies to the device enter a command such as the following BigIron RX config default max frame size 2000 BigIron RX config write memory BigIron RX config reload Syntax default max frame size bytes Enter 64 9212 for bytes The default is 1518 bytes Setting a maximum frame size per interface When you set a maximum frame size on an interface that size applies to all ports in a PPCR ...

Page 257: ...port that supports the frame s IP MTU size and forwarded to another port that also supports the frame s IP MTU size are forwarded in hardware Configuration considerations for Increasing the IP MTU Consider the following before configuring the maximum value to increase the IP MTU The maximum value of an IP MTU cannot exceed the configured maximum frame size jumbo frame minus 18 For example global I...

Page 258: ...ured at the physical interface level takes precedence over the IP MTU configured at the global level for that physical interface To change the IP MTU for interface 1 5 to 1000 enter the following commands BigIron RX config int e 1 5 BigIron RX config if e10000 5 ip mtu 1000 Syntax no ip mtu bytes The bytes parameter specifies the IP MTU Ethernet II packets can hold IP packets from 572 1500 bytes l...

Page 259: ...and at any CLI level To change the router ID enter a command such as the following BigIron RX config ip router id 209 157 22 26 Syntax ip router id ip addr The ip addr can be any valid unique IP address NOTE You can specify an IP address used for an interface but do not specify an IP address in use by another device Specifying a single source interface for Telnet TACACS TACACS or RADIUS packets Wh...

Page 260: ...r commands such as the following BigIron RX config int loopback 2 BigIron RX config lbif 2 ip address 10 0 0 2 24 BigIron RX config lbif 2 exit BigIron RX config ip telnet source interface loopback 2 The commands configure loopback interface 2 assign IP address 10 0 0 2 24 to the interface then designate the interface as the source for all Telnet packets from the device Syntax ip telnet source int...

Page 261: ...rtual interface as the device s source for all Syslog packets enter commands such as the following BigIron RX config int ve 1 BigIron RX config vif 1 ip address 10 0 0 4 24 BigIron RX config vif 1 exit BigIron RX config ip syslog source interface ve 1 The commands in this example configure virtual interface 1 assign IP address 10 0 0 4 24 to the interface then designate the interface s address as ...

Page 262: ...nterfaces The feature applies to IPv4 unicast and multicast packets Configuring IP receive access list IP receive access list is a global configuration command Once it is applied the command will be effective on all the management modules on the device To configure the feature do the following 1 Create a numbered ACL that will be used as the IP receive ACL This ACL can be a standard 1 99 or extend...

Page 263: ... the MAC address of a locally attached device the next hop router toward the IP packet s destination To obtain the MAC address required for forwarding a datagram the device does the following First the device looks in the ARP cache not the static ARP table for an entry that lists the MAC address for the IP address The ARP cache maps IP addresses to MAC addresses The cache also lists the port attac...

Page 264: ...onal ARP packets received during the one second interval When a new one second interval starts the counter restarts at zero so the device again accepts up to the maximum number of ARP packets you specified but drops additional packets received within the interval To limit the number of ARP packets the device will accept each second enter a command such as the following at the global CONFIG level o...

Page 265: ...on an interface of a Layer 3 Switch enter a command such as the following BigIron RX config interface ethernet 1 4 BigIron RX config vif 10 arp port rate limit 2000 Syntax no arp port rate limit rate There is no default value for rate Enter 0 30 000 Displaying the rate limit for ARP packets To determine how many ARP packets were dropped by an interface due to the configured rate limit for ARP pack...

Page 266: ...rride the globally configured IP ARP age on an individual interface enter a command such as the following at the interface configuration level BigIron RX config if e1000 1 1 ip arp age 30 Enabling proxy ARP Proxy ARP allows the device to answer ARP requests from devices on one network on behalf of devices in another network Since ARP requests are MAC layer broadcasts they reach only the devices th...

Page 267: ...ng BigIron RX config arp 1 192 53 4 2 1245 7654 2348 e 1 2 The command adds a static ARP entry that maps IP address 192 53 4 2 to MAC address 1245 7654 2348 The entry is for a MAC address connected to port 1 2 of the device Syntax arp ip addr mac addr ethernet slot port The ip addr command specifies the IP address of the device that has the MAC address of the entry The mac addr parameter specifies...

Page 268: ...ed is added to the ARP Inspection table the mapping is checked against the current static ARP table If an ARP entry with a matching IP but mismatch MAC is found it will be deleted and a re arp on the IP will be issued When an ARP entry is deleted from ARP Inspection table the corresponding entry in the static ARP table will also be deleted To create a floating static ARP entry for a static MAC ent...

Page 269: ...te nexthop arp BigIron RX config ip route validate nexthop arp timer 30 Syntax no ip route validate nexthop arp timer value The default is 200 seconds The value parameter speocifies the amount of time before a nexthop down is replaced by an active nexthop Possible values are10 200 seconds Use the no form of the command to disable the validation timer Displaying the routes waiting for the next hop ...

Page 270: ...m 1 255 To modify the TTL threshold to 25 enter the following commands BigIron RX config ip ttl 25 Syntax ip ttl 1 255 Enabling forwarding of directed broadcasts A directed broadcast is an IP broadcast to all devices within a single directly attached network or subnet A net directed broadcast goes to all devices on a given network A subnet directed broadcast goes to all devices within a given subn...

Page 271: ...6 Loose source routing requires that the packet pass through all of the listed routers but also allows the packet to travel through other routers which are not listed in the packet The device forwards both types of source routed packets by default You cannot enable or disable strict or loose source routing separately To disable forwarding of IP source routed packets enter the following command Big...

Page 272: ... receives an IP packet that it cannot deliver to its destination the device discards the packet and sends a message back to the device that sent the packet The message informs the device that the destination cannot be reached by the device Disabling replies to broadcast ping requests By default the device is enabled to respond to broadcast ICMP echo packets which are ping requests To disable respo...

Page 273: ...nter the following command BigIron RX config no ip icmp unreachable Syntax no ip icmp unreachable network host protocol administration fragmentation needed port source route fail If you enter the command without specifying a message type as in the example above all types of ICMP Unreachable messages listed above are disabled If you want to disable only specific types of ICMP Unreachable messages y...

Page 274: ...ollowing command at the configuration level for the interface BigIron RX config int e 3 11 BigIron RX config if e100 3 11 no ip redirect Syntax no ip redirect Configuring static routes The IP route table can receive routes from the following sources Directly connected networks When you add an IP interface the device automatically creates a route for the network the interface is in RIP If RIP is en...

Page 275: ...VLANs for routing Layer 3 protocol traffic among one another A null interface The device drops traffic forwarded to the null interface The following parameters are optional The route s metric The value the device uses when comparing this route to other routes in the IP route table to the same destination The metric applies only to routes that the device has already placed in the IP route table The...

Page 276: ...his feature allows the device to adjust to changes in network topology The device does not continue trying to use routes on unavailable paths but instead uses routes only when their paths are available Figure 10 shows a network containing a static route The static route is configured on Router A as shown in the CLI following the figure FIGURE 10 Example of a static route The following command conf...

Page 277: ...mask for the route s destination IP address Alternatively you can specify the network mask information by entering followed by the number of bits in the network mask For example you can enter 192 0 0 0 255 255 255 0 as 192 0 0 0 24 The next hop ip addr is the IP address of the next hop router gateway for the route For a default route enter 0 0 0 0 0 0 0 0 xxx xxx xxx xxx use 0 for the mask bits if...

Page 278: ...s command The maximum number of static IP routes the system can hold is listed in the ip static route row in the System Parameters section of the display To change the maximum value use the system max ip static route num command at the global CONFIG level The ip addr parameter specifies the network or host address The device will drop packets that contain this address in the destination field inst...

Page 279: ...n be used to color routes and filter routes during a redistribution process When tagged static routes are redistributed to OSPF or to a protocol that can carry tag information they are redistributed with their tag values To add a tag value to a static route enter commands such as the following BigIron RX config ip route 192 122 12 1 255 255 255 0 192 122 1 1 tag 20 Syntax ip route dest ip addr des...

Page 280: ...69 255 255 255 0 209 157 22 1 BigIron RX config ip route 192 128 2 69 255 255 255 0 192 111 10 1 The commands in the example above configure two static IP routes The routes go to different next hop gateways but have the same metrics These commands use the default metric value 1 so the metric is not specified These static routes are used for load sharing among the next hop gateways The following co...

Page 281: ...te When you want to use a specific interface by default to route traffic to a given destination network but want to allow the device to use other interfaces to reach the destination network if the path that uses the default interface becomes unavailable In this case give the interface route a lower metric than the normal static route NOTE You cannot add a null or interface based static route to a ...

Page 282: ...hen the route is available However if the interface based route becomes unavailable the device still forwards the traffic toward the destination using an alternate route through gateway 192 168 8 11 24 X Two static routes to 192 168 7 0 24 Standard static route through gateway 192 168 6 157 with metric 1 Null route with metric 2 Router A Router B 192 168 6 188 24 192 168 6 157 24 192 168 7 7 24 19...

Page 283: ...the software uses the null route For complete syntax information refer to Configuring a static IP route on page 201 To configure a standard static route and an interface based route to the same destination enter commands such as the following BigIron RX config ip route 192 168 6 0 24 ethernet 1 1 1 BigIron RX config ip route 192 168 6 0 24 192 168 8 11 24 3 The first command configured an interfac...

Page 284: ...and as a result the default network route s next hop gateway changes the software can still use the default network route If you configure more than one default network route the device uses the following algorithm to select one of the routes 1 Use the route with the lowest administrative distance 2 If the administrative distances are equal Are the routes from different routing protocols RIP OSPF ...

Page 285: ...routing only on next hop routing NOTE The term path refers to the next hop router to a destination not to the entire route to a destination Thus when the software compares multiple equal cost paths the software is comparing paths that use different next hop routers with equal costs to the same destination In many contexts the terms route and path mean the same thing Most of the user documentation ...

Page 286: ... 200 Unknown 255 the router will not use this route Lower administrative distances are preferred over higher distances For example if the router receives routes for the same network from OSPF and from RIP the router will prefer the OSPF route by default NOTE You can change the administrative distances individually Refer to the configuration chapter for the route source for information Since the so...

Page 287: ...at can provide equal cost paths to the IP route table The table also lists where to find configuration information for the route source s load sharing parameters The load sharing state for all the route sources is based on the state of IP load sharing Since IP load sharing is enabled by default on the device load sharing for static IP routes RIP routes OSPF routes and BGP4 routes also is enabled b...

Page 288: ...e traffic is load balanced between the available paths using the same hashing mechanism described above Refer to How IP load sharing works on page 211 Default route ECMP On the BigIron RX IP load sharing also known as ECMP load sharing is done by the hardware If there is more than one path to a given destination a hash is calculated based on the source MAC address destination MAC address source IP...

Page 289: ...5 70 1 1 0 24 DIRECT eth 7 9 0 0 D 6 100 1 1 0 24 DIRECT eth 7 1 0 0 D 7 100 1 2 0 24 DIRECT eth 7 2 0 0 D 8 100 1 3 0 24 DIRECT eth 7 3 0 0 D 9 100 1 4 0 24 DIRECT eth 7 4 0 0 D IP receive access list The IP receive access list feature uses IPv4 ACLs to filter the packets intended for the management process to protect the management module from being overloaded with heavy traffic that was sent to...

Page 290: ...ce s IP addresses to directly attached hosts who listen for the messages In addition hosts can be configured to query the device for the information by sending Router Solicitation messages Some types of hosts use the Router Solicitation messages to discover their default gateway When IRDP is enabled the device responds to the Router Solicitation messages Some clients interpret this response to mea...

Page 291: ...change IRDP parameters enter commands such as the following BigIron RX config interface ethernet 1 3 BigIron RX config if e10000 1 3 ip irdp maxadvertinterval 400 This example shows how to enable IRDP on a specific port and change the maximum advertisement interval for Router Advertisement messages to 400 seconds NOTE To enable IRDP on individual ports you must leave the feature globally disabled ...

Page 292: ...dressed to the UDP s application port If a server for the application receives such a broadcast the server can reply to the client Routers do not forward subnet directed broadcasts so the client and server must be on the same network for the broadcast to reach the server If the client and server are on different networks on opposite sides of a router the client s request cannot reach the server To...

Page 293: ...vice does not forward by default you can enable forwarding support for the port To enable forwarding support for a UDP application use either of the following methods You also can disable forwarding for an application using these methods NOTE You also must configure a helper address on the interface that is connected to the clients for the application The device cannot forward the requests unless ...

Page 294: ...erface 2 on device module 1 enter the following commands BigIron RX config interface e 1 2 BigIron RX config if e1000 1 2 ip helper address 207 95 7 6 The commands in this example change the CLI to the configuration level for port 1 2 then add a helper address for server 207 95 7 6 to the port If the port receives a client request for any of the applications that the device is enabled to forward t...

Page 295: ... replies to the client using a unicast or broadcast packet depending on the server By default the device uses the lowest numbered IP address on the interface that receives the request as the Gateway address You can override the default by specifying the IP address you want the device to use Hop Count Each router that forwards a BootP DHCP packet increments the hop count by 1 Routers also discard a...

Page 296: ...s the device discards the request NOTE The BootP DHCP hop count is not the TTL parameter To modify the maximum number of BootP DHCP hops enter the following command BigIron RX config bootp relay max hops 10 This command allows the device to forward BootP DHCP requests that have passed through up to ten previous hops before reaching the device Syntax bootp relay max hops 1 15 Default 4 Displaying I...

Page 297: ...onfiguration information This field Displays Global settings ttl The Time To Live TTL for IP packets The TTL specifies the maximum number of router hops a packet can travel before reaching the device If the packet s TTL value is higher than the value specified in this field the Brocade router drops the packet To change the maximum TTL refer to Changing the TTL threshold on page 194 arp age The ARP...

Page 298: ...ter interface to which the Brocade router sends packets for the route Metric The cost of the route Usually the metric represents the number of hops to the destination Distance The administrative distance of the route The default administrative distance for static IP routes in Brocade routers is 1 To list the default administrative distances for all types of routes or to change the administrative d...

Page 299: ...he address this is a secondary address When the address was configured the interface already had an IP address in the same subnet so the software required the secondary option before the software could add the interface OK Whether the IP address has been configured on the interface Method Whether the IP address has been saved in NVRAM If you have set the IP address for the interface in the CLI but...

Page 300: ...ces on the device The static ARP table contains the user configured ARP entries An entry in the static ARP table enters the ARP cache when the entry s interface comes up The tables require separate display commands Displaying the ARP cache To display the contents of the ARP cache enter the following command at any CLI level BigIron RX show ip interface ethernet 1 1 Interface Ethernet 1 1 port stat...

Page 301: ...s the network mask for a specific IP address whereas the mask parameter provides a filter for displaying multiple MAC addresses that have specific values in common The num parameter lets you display the table beginning with a specific entry number NOTE The entry numbers in the ARP cache are not related to the entry numbers for static ARP table entries This display shows the following information T...

Page 302: ... removed from the table To display the ARP aging period refer to Displaying global IP configuration information on page 221 To change the ARP aging interval refer to Changing the ARP aging period on page 190 NOTE Static entries do not age out Port The port on which the entry was learned TABLE 54 CLI display of static ARP table This field Displays Static ARP table size The maximum number of static ...

Page 303: ...le the next hop for loopback addresses and broadcast addresses is shown as DIRECT MAC The MAC address of the destination NOTE If the entry is type U indicating that the destination is this Brocade device the address consists of zeroes BigIron RX show ip cache Cache Entry Usage on LPs Module Host Network Free Total 15 6 6 204788 204800 BigIron RX rconsole 15 Connecting to slave CPU 15 1 Press CTRL ...

Page 304: ...xpression include expression Type The type of host entry which can be one or more of the following D Dynamic P Permanent F Forward U Us C Complex Filter W Wait ARP I ICMP Deny K Drop R Fragment S Snap Encap Port The port through which this device reaches the destination For destinations that are located on this device the port number is shown as n a VLAN Indicates the VLANs the listed port is in P...

Page 305: ... routes The isis option displays the RIP routes The static option displays only the static IP routes The summary option displays a summary of the information in the IP route table The default routes are displayed first Here is an example of how to use the connected option To display only the IP routes that go to devices directly attached to the device Notice that the route displayed in this exampl...

Page 306: ...ault route 27 have a 22 bit mask 5 have a 24 bit mask and 1 has a 32 bit mask The following table lists the information displayed by the show ip route command TABLE 56 CLI display of IP route table This field Displays Destination The destination network of the route NetMask The network mask of the destination address Gateway The next hop router Port The port through which this router sends packets...

Page 307: ... statistics Hardware forwarded packets are not included Type The route type which can be one of the following B The route was learned from BGP D The destination is directly connected to this device R The route was learned from RIP S The route is a static route The route is a candidate default route O The route is an OSPF route Unless you use the ospf option to display the route table O is used for...

Page 308: ... of packets dropped by the device because the value in the Protocol field of the packet header is unrecognized by this device no buffer This information is used by Brocade customer support other errors The number of packets that this device dropped due to error types other than the types listed above BigIron RX sh ip traffic IP Statistics 146806 total received 72952 mp received 6715542 sent 0 forw...

Page 309: ...r of Address Mask Request messages sent or received by the device addr mask reply The number of Address Mask Replies messages sent or received by the device irdp advertisement The number of ICMP Router Discovery Protocol IRDP Advertisement messages sent or received by the device irdp solicitation The number of IRDP Solicitation messages sent or received by the device UDP statistics received The nu...

Page 310: ...s this device has received from another RIP router for all or part of this device s RIP routing table responses sent The number of responses this device has sent to another RIP router s request for all or part of this device s RIP routing table responses received The number of responses this device has received to requests for all or part of another RIP router s routing table unrecognized This inf...

Page 311: ...ing in outbound TCP SYNC ACK packets failed attempts Number of unsuccessful TCP connection requests from either local or remote active resets Number of TCP RESET packets sent by the local router passive resets Number of normal TCP connections closed input errors Number of TCP packets received with error header too short checksum error or not a listening TCP PORT in segments Number of TCP packet re...

Page 312: ...236 BigIron RX Series Configuration Guide 53 1002253 01 Displaying IP information 7 ...

Page 313: ...OTE No trunk is created for Keep Alive LAGs LAG formation rules Given below are the LAG formation rules You cannot configure a port concurrently as a member of a static dynamic or keep alive LAG Any number or combination of ports between 1 and 8 within the same device can be used to configure a LAG The maximum number of LAG ports is checked when adding ports to a LAG All ports configured in a LAG ...

Page 314: ...example port 1 4 cannot be in the LAG named red and in the LAG named blue All the ports in a trunk group must be connected to the same device at the other end For example a if port 1 4 and 1 5 in Device 1 are in the same trunk group both ports must be connected to a ports in Device 2 or in Device 3 You cannot have one port connected to Device 2 and another port connected to Device 3 All LAG member...

Page 315: ...over a 4 port LAG where the ports on each end of the LAG are on different interface modules FIGURE 15 Examples of multi slot multi port LAG Port1 1 Port1 2 Port1 3 Port1 4 Port1 5 Port1 6 Port1 7 Port1 8 Port1 1 Port1 2 Port1 3 Port1 4 Port1 5 Port1 6 Port1 7 Port1 8 Port1 1 Port1 2 Port1 3 Port1 4 Port1 5 Port1 6 Port1 7 Port1 8 Port1 1 Port1 2 Port1 3 Port1 4 Port1 5 Port1 6 Port1 7 Port1 8 Port...

Page 316: ...ination MAC address source IP address and destination IP address IPv6 TCP packets source MAC address and destination MAC address source IP address and destination IP address and TCP source port and TCP destination port IPv6 UDP packets source MAC address and destination MAC address source IP address and destination IP address and UDP source port and UDP destination port For L2 VPN traffic the hash...

Page 317: ...ation Group LAG Before setting up ports or configuring any other aspects of a LAG you must create it as shown in the following BigIron RX config lag blue static BigIron RX config lag blue Syntax no lag lag name static dynamic keep alive Refer to Allowable characters for LAG names on page 13 for guidelines on LAG naming conventions The static option specifies that the LAG with the name specified by...

Page 318: ... primary port for the static LAG blue use the following command BigIron RX config lag blue static BigIron RX config lag blue primary port 3 2 Syntax no primary port slot port Once a primary port has been configured for a LAG all configurations that apply to the primary port are applied to the other ports in the LAG NOTE This configuration is only applicable for configuration of a static or dynamic...

Page 319: ...x no lacp port priority slot port number For a port specified by the slot port variable you can specify a priority in the number variable from 0 65535 A higher value indicates a lower priority The default is 1 NOTE This configuration is only applicable for configuration of a dynamic or keep alive LAGs Configuring an LACP timeout In a dynamic or keep alive LAG a port s timeout can be configured as ...

Page 320: ... static and dynamic LAGs the current trunk veto mechanism is invoked to make sure the trunk can be formed If the trunk is not vetoed a trunk is formed with all the ports in the LAG For dynamic LAGs LACP is activated on all LAG ports When activating LACP use active mode if passive is not specified otherwise use passive mode For a keep alive LAGs no trunk is formed and LACP is started on the LAG por...

Page 321: ...dividual port within a LAG using the disable command within the LAG configuration as shown in the following BigIron RX config lag blue static BigIron RX config lag blue deploy BigIron RX config lag blue disable ethernet 3 1 Syntax no disable ethernet slot port named name Use the ethernet option with the appropriate slot port variable to specify a Ethernet port within the LAG that you want to disab...

Page 322: ...rt monitored option with the appropriate slot port variable to specify a named port within the LAG that you want monitor The ethernet slot port parameter specifies the port to which the traffic analyzer is attached The input output both parameters specify the traffic direction to be monitored NOTE Mirror analyzer ports cannot be assigned to the 16x10G card You can monitor traffic on 16x10 ports As...

Page 323: ...he LAG that you want to configure the sampling rate for Use the port name option with the appropriate text variable to specify the named port within the LAG that you want to configure the sampling rate for The num variable specifies the average number of packets from which each sample will be taken The software rounds the value you enter up to the next odd power of 2 This can be a value between 51...

Page 324: ...level0 0004 80a0 402a Port Sys P Port P Key Act Tio Agg Syn Col Dis Def Exp Ope 2 1 1 1 105 Yes L Agg Syn Col Dis No No Ope 2 3 1 1 105 Yes L Agg Syn Col Dis No No Ope 2 5 1 1 105 Yes L Agg Syn Col Dis No No Ope Syntax show lag lag name brief deployed dynamic keep alive static Table 58 describes the information displayed by the show lag command TABLE 58 Show LAG information This field Displays Tot...

Page 325: ...oyment The Trunk ID number Port The slot and port number of the interface Link The status of the link which can be one of the following up down L2 State The L2 state for the port Dupl The duplex state of the port which can be one of the following Full Half None Speed The bandwidth of the interface Trunk The Trunk ID of the port Tag Indicates whether the ports have 802 1q VLAN tagging The value can...

Page 326: ...as expired and the ports are starting a new information exchange Agg Indicates the link aggregation state of the port The state can be one of the following Agg Link aggregation is enabled on the port No Link aggregation is disabled on the port Syn Indicates the synchronization state of the port The state can be one of the following No The port is out of sync with the remote port The port does not ...

Page 327: ...es from the port at the other end of the link and is therefore using its default link aggregation LACP settings No The port has received link aggregation information from the port at the other end of the link and is using the settings negotiated with that port Exp Indicates whether the negotiated link aggregation settings have expired The settings expire if the port does not receive an LACPDU mess...

Page 328: ...ies Configuration Guide 53 1002253 01 Deploying a LAG 8 GiantPkts 0 ShortPkts 0 InBitsPerSec 0 OutBitsPerSec 0 InPktsPerSec 0 OutPktsPerSec 0 InUtilization 0 0 OutUtilization 0 0 Syntax show statistics brief lag lag name ...

Page 329: ...tation and Network Connectivity Device are used interchangeably in this chapter and mean the same thing See Station below Station A node in a network It generally refers to a client PC workstation rather than a server but may include both Also referred to as Network Connectivity Device this is a forwarding 802 LAN device such as a router switch or wireless access point TLV Type Length Value An inf...

Page 330: ...ents Ensures proper aging so only valid network device data is presented Network Inventory Data Supports optional system name system description system capabilities and management address System description can contain the device s product name or model number version of hardware type and operating system Provides device capability such as switch router or WLAN access port Network troubleshooting ...

Page 331: ...n of LLDP packets whenever the transmit countdown timing counter expires or whenever LLDP information has changed When a transmit cycle is initiated the LLDP manager extracts the MIB objects and formats this information into TLVs The TLVs are inserted into an LLDPDU addressing parameters are prepended to the LLDPDU and the information is sent out LLDP enabled ports to adjacent LLDP enabled devices...

Page 332: ...more fields TLV support This section lists the LLDP TLV support LLDP TLVs There are two types of LLDP TLVs as specified in the IEEE 802 3AB standard Basic Management TLVs consist of both optional general system information TLVs as well as mandatory TLVs Mandatory TLVs cannot be manually configured They are always the first three TLVs in the LLDPDU and are part of the packet header General system i...

Page 333: ...lowing mandatory TLVs are always included Chassis ID Port ID Time to Live TTL This section describes the above TLVs in detail Chassis ID The Chassis ID identifies the device that sent the LLDP packets There are several ways in which a device may be identified A Chassis ID subtype included in the TLV and shown in Table 59 indicates how the device is being referenced in the Chassis ID field Brocade ...

Page 334: ...lldp local info Port ID MAC address 0012 f233 e2d3 The LLDPDU format is shown in LLDPDU packet format on page 256 The Port ID TLV format is shown below FIGURE 18 Port ID TLV packet format TTL value The Time to Live TTL Value is the length of time the receiving device should maintain the information acquired through LLDP in its MIB The TTL value is automatically computed based on the LLDP configura...

Page 335: ...DU format is shown in LLDPDU packet format on page 256 The TTL TLV format is shown below FIGURE 19 TTL TLV packet format MIB support Brocade devices support the following standard MIB modules LLDP MIB LLDP EXT DOT1 MIB LLDP EXT DOT3 MIB Syslog messages Syslog messages for LLDP provide management applications with information related to MIB data consistency and general status These Syslog messages ...

Page 336: ...l configuration tasks and default behavior value Global task Default behavior value when LLDP is enabled Enabling LLDP on a global basis Disabled Specifying the maximum number of LLDP neighbors per device Automatically set to 392 neighbors per device Specifying the maximum number of LLDP neighbors per port Automatically set to 4 neighbors per port Enabling SNMP notifications and Syslog messages Di...

Page 337: ...e To disable the receipt and transmission of LLDP packets on individual ports enter a command such as the following at the Global CONFIG level of the CLI BigIron RX config no lldp enable ports e 2 4 e 2 5 The above command disables LLDP on ports 2 4 and 2 5 These ports will not transmit nor receive LLDP packets To enable LLDP on a port after it has been disabled enter the following command BigIron...

Page 338: ...ONFIG level of the CLI BigIron RX config no lldp enable receive ports e 2 4 e 2 5 e 2 6 The above command changes the LLDP operating mode on ports 2 4 2 5 and 2 6 from transmit and receive mode to transmit only mode Any incoming LLDP packets will be dropped in software To change a port s LLDP operating mode from receive only to transmit only first disable the receive only mode then enable the tran...

Page 339: ...command to remove the static configuration and revert to the default value of four where value is a number from 1 to 64 The default is number of LLDP neighbors per port is four Use the show lldp command to view the configuration Enabling LLDP SNMP notifications and Syslog messages SNMP notifications and Syslog messages for LLDP provide management applications with information related to MIB data u...

Page 340: ...gent will send no more than one SNMP notification and Syslog message every 60 seconds Syntax no lldp snmp notification interval seconds where seconds is a value between 5 and 3600 The default is 5 seconds Changing the minimum time between LLDP transmissions The LLDP transmit delay timer limits the number of LLDP frames an LLDP agent can send within a specified time frame When you enable LLDP the s...

Page 341: ...re excessively high This in turn can affect how long a receiving device will retain the information if it is not refreshed Changing the holdtime multiplier for transmit TTL The holdtime multiplier for transmit TTL is used to compute the actual time to live TTL value used in an LLDP frame The TTL value is the length of time the receiving device should maintain the information in its MIB When you en...

Page 342: ...evel of the CLI BigIron RX config lldp reinit delay 5 The above command causes the device to wait five seconds after LLDP is disabled before attempting to honor a request to re enable it Syntax no lldp reinit delay seconds where seconds is a value from 1 10 The default is two seconds LLDP TLVs advertised by the Brocade device When a port is enabled to transmit LLDP packets it will advertise the fo...

Page 343: ...interface VE Router interface on a VLAN that the port is a member of Other physical interface If no IP address is configured the port s current MAC address will be advertised To advertise the IPv4 management address enter a command such as the following BigIron RX config lldp advertise management address ipv4 209 157 2 1 ports e 1 4 The management address will appear similar to the following on th...

Page 344: ...rtise their VLAN name and the configuration includes ports that are not members of any VLAN the system will warn of the misconfigurations on non member VLAN ports The configuration will be applied to all ports however the ports that are not members of any VLAN will not send VLAN name advertisements System capabilities The system capabilities TLV identifies the primary functions of the device and i...

Page 345: ...5 c000 Port ID MAC address 000c dbf5 c000 Time to live 120 seconds System name rx4 Port description 10GigabitEthernet1 2 System capabilities bridge router Enabled capabilities bridge router 802 3 MAC PHY auto negotiation supported but disabled Operational MAU type 10GigBaseLR Link aggregation not capable Maximum frame size 9212 octets Port VLAN ID none Management address IPv4 200 200 200 11 Manage...

Page 346: ...igIron RX config lldp advertise vlan name vlan 99 ports e 2 4 to 2 12 The VLAN name will appear similar to the following on the remote device and in the CLI display output on the Brocade device show lldp local info VLAN name VLAN 99 Voice VLAN 99 Syntax no lldp advertise vlan name vlan vlan ID ports ethernet slotnum portnum all For vlan ID enter the VLAN ID to advertise You can list all of the por...

Page 347: ...is advertisement enter a command such as the following BigIron RX config no lldp advertise port vlan id ports e 2 4 to 2 12 The untagged VLAN ID will appear similar to the following on the remote device and in the CLI display output on the Brocade device show lldp local info Port VLAN ID 99 Syntax no lldp advertise port vlan id ports ethernet slotnum portnum all You can list all of the ports indiv...

Page 348: ...ndesirable effects on some ports For example if you configure all ports to advertise their VLAN name and the configuration includes ports that are not members of any VLAN the system will warn of the misconfigurations on non member VLAN ports The configuration will be applied to all ports however the ports that are not members of any VLAN will not send VLAN name advertisements MAC PHY configuration...

Page 349: ...pear similar to the following on the remote device and in the CLI display output on the Brocade device show lldp local info Maximum frame size 1522 octets Syntax no lldp advertise max frame size ports ethernet slotnum portnum all You can list all of the ports individually use the keyword to to specify ranges of ports or a combination of both To apply the configuration to all ports on the device us...

Page 350: ... hold multiplier The multiplier used to compute the actual time to live TTL value of an LLDP advertisement The TTL value is the transmit interval multiplied by the transmit hold multiplier LLDP transmit delay The number of seconds the LLDP agent will wait after transmitting an LLDP frame and before transmitting another LLDP frame LLDP reinitialize delay The minimum number of seconds the device wil...

Page 351: ...DP neighbors dropped on all ports after the time to live expired Note that LLDP entries age out naturally when a port s cable or module is disconnected or when a port becomes disabled However if a disabled port is re enabled the system will delete the old LLDP entries Neighbor advertisements dropped The number of valid LLDP neighbors the device detected but could not add This can occur for example...

Page 352: ... Brocade devices use the base MAC address of the device as the Chassis ID Port ID The identifier for the port Brocade devices use the permanent MAC address associated with the port as the port ID Port Description The description for the port Brocade devices use the ifDescr MIB object from MIB II as the port description System Name The administratively assigned name for the system Brocade devices u...

Page 353: ...C address 0800 0f18 cc03 Time to live 120 seconds Port description LAN port System name regDN 1015 MITEL 5235 DM System description regDN 1015 MITEL 5235 DM h w rev 2 ASIC rev 1 f w Boot 02 01 00 11 f w Main 02 01 00 11 System capabilities bridge telephone Enabled capabilities bridge telephone Management address IPv4 10 43 39 151 802 3 MAC PHY auto negotiation enabled Advertised capabilities 10Bas...

Page 354: ...bed in the individual TLV advertisement sections in this chapter Syntax show lldp local info ports ethernet slot num port num all If you do not specify any ports or use the keyword all by default the report will show the local information advertisements for all ports You can list all of the ports individually use the keyword to to specify ranges of ports or a combination of both To apply the confi...

Page 355: ...n the device refer to LLDP statistics on page 274 BigIron RX clear lldp statistics Syntax clear lldp statistics ports ethernet slot num port num all If you do not specify any ports or use the keyword all by default the system will clear lldp statistics on all ports You can list all of the ports individually use the keyword to to specify ranges of ports or a combination of both To apply the configu...

Page 356: ...280 BigIron RX Series Configuration Guide 53 1002253 01 Resetting LLDP statistics 9 ...

Page 357: ...r end In this suspended state UDLD will continue to send the keep alive message but will not bring the port down after maximum number of retries is done and no keep alive message is received from the other end The UDLD will transition from this suspended state to active state after it receives the first keep alive message from the other end In the active state UDLD peers will continue to exchange ...

Page 358: ...igIron RX config link keepalive ethernet 1 1 ethernet 1 2 BigIron RX config link keepalive ethernet 1 3 ethernet 1 4 These commands enable UDLD on ports 1 1 1 4 You can specify up to two ports on the same command line Changing the keepalive interval By default ports enabled for UDLD send a link health check packet once every 500 ms You can change the interval to a value from 1 60 where 1 is 100 ms...

Page 359: ...f times from the other end UDLD will bring down the logical port The UDLD will then transition from active to suspended state Displaying UDLD information Displaying information for all ports To display UDLD information for all ports enter the following command Syntax show link keepalive ethernet slot portnum Displaying link keepalive information The show link keepalive command will indicate the ph...

Page 360: ...f ports on which UDLD is enabled Keepalive Retries The number of times a port will attempt the health check before concluding that the link is down Keepalive Interval The number of seconds between health check packets Port The port number Physical Link The state of the physical link This is the link between the BigIron RX port and the directly connected device Link keepalive Show if the keepalive ...

Page 361: ...e that identifies this BigIron RX The ID can be used by Brocade technical support for troubleshooting Remote System ID A unique value that identifies the BigIron RX at the remote end of the link Packets sent The number of UDLD health check packets sent on this port Packets received The number of UDLD health check packets received on this port Transitions The number of times the logical link state ...

Page 362: ...how interface ethernet 1 1 GigabitEthernet2 1 is disabled line protocol is down link keepalive is enabled Hardware is GigabitEthernet address is 000c dbe2 5900 bia 000c dbe2 5900 Configured speed 1Gbit actual unknown configured duplex fdx actual unknown Configured mdi mode AUTO actual unknown Member of 2 L2 VLANs port is tagged port state is Disabled STP configured to ON Priority is level7 flow co...

Page 363: ...d behaves as dual mode port Tagged untagged and dual mode ports Interfaces assigned to port based VLANs can be defined as untagged tagged and dual mode ports An untagged port is a member of only one VLAN while a tagged port can be a member of more than one VLAN Thus a tagged port can be a member of more than one broadcast domain Dual mode ports are configured by adding one or more tagged VLANs and...

Page 364: ...th other Brocade devices Figure 22 shows an example of two devices that have the same Layer 2 port based VLANs configured across them Notice that only one of the VLANs requires tagging Untagged Packet Format 6 bytes Destination Address 6 bytes Source Address 2 bytes Type Field Up to 1500 bytes Data Field 4 bytes CRC Ethernet II IEEE 802 3 802 1q Tagged Packet Format 4 bytes 802 1q Tag Ethernet II ...

Page 365: ...sts to all ports within the IPv6 protocol VLAN NOTE You can configure a protocol based VLAN as a broadcast domain for IPv6 traffic When the device receives an IPv6 multicast packet a packet with 06 in the version field and 0xFF as the beginning of the destination address the device forwards the packet to all other ports in the VLAN except to the port that received the packet Protocol based VLANs c...

Page 366: ...hierarchy A hierarchy of VLANs exists between the Layer 2 and Layer 3 protocol based VLANs Port based VLANs are at the lowest level of the hierarchy Layer 3 protocol based VLANs are at the highest level of the hierarchy As a device receives packets the VLAN classification starts from the highest level VLAN first Therefore if an interface is configured as a member of a port based VLAN and a protoco...

Page 367: ...ssible that the control protocol for example STP will block one or more ports in a protocol based VLAN that uses a virtual routing interface to route to other VLANs For IP protocol and IP subnet VLANs even though some of the physical ports of the virtual routing interface are blocked the virtual routing interface can still route as long as at least one port in the virtual routing interface s proto...

Page 368: ...lows the ports to be members of other VLANs Enter the port that you want to assign to the VLAN for the ethernet slot number port number parameter You can add trunk group ports to the VLAN by entering the trunk group s the primary port A trunk group s primary port is the port with the lowest number in the trunk group When you add the trunk group s primary port all the ports on the trunk group becom...

Page 369: ...ORT VLAN entries 512 Default PORT VLAN id 1 PORT VLAN 1 Name DEFAULT VLAN Priority Level0 L2 protocols NONE Untagged Ports ethe 1 1 to 1 40 ethe 2 1 to 2 4 PORT VLAN 10 Name None Priority Level0 L2 protocols NONE Tagged Ports ethe 1 2 to 1 5 Bytes received 18527 To display VLAN accounting information for a specific VLAN use the show vlan vlan command as shown BigIron RX show vlan 10 PORT VLAN 10 N...

Page 370: ...igning or changing a VLAN priority You can prioritize traffic on a VLAN by assigning a priority to a VLAN All packets associated with the VLAN will be classified to the configured priority BigIron RX config vlan 2 priority 2 Syntax no priority num Possible Values 0 7 0 assigns the lowest priority and 7 the highest priority The default is 0 Assigning a different ID to the default VLAN As stated abo...

Page 371: ...to atalk proto other proto name protocol vlan name Enter ip proto to create a IP protocol VLAN ipv6 proto to create a IPv6 protocol VLAN ipx proto to create a IPX protocol VLAN atalk proto to create an Appletalk protocol VLAN other proto to create a protocol VLAN for protocols other than an IP protocol IPv6 IPX or Appletalk protocol Enter name vlan name if you want to assign a name to the protocol...

Page 372: ...l routing interfaces A virtual routing interface is a logical routing interface that the device uses to route Layer 3 protocol traffic between protocol based VLANs It is a logical port on which you can configure Layer 3 routing parameters For example to enable a device to route IP traffic from one IP protocol VLAN to another you must configure a virtual routing interface on each IP protocol VLAN t...

Page 373: ...ample configuration for the illustration above BigIron RX config vlan 2 BigIron RX config vlan 2 tagged e 1 1 to 1 2 BigIron RX config vlan 2 router inter ve 2 BigIron RX config vlan 2 ip proto static e 1 1 to 1 2 BigIron RX config vlan 2 exit BigIron RX config vlan 3 BigIron RX config vlan 3 tagged e 1 13 to 1 24 BigIron RX config vlan 3 router int ve 3 BigIron RX config vlan 3 exit BigIron RX co...

Page 374: ... ports in the port based VLAN to which you add the protocol based VLAN are 802 1q tagged You can configure multiple protocol based VLANs within the same port based VLAN In addition a port within a port based VLAN can belong to multiple protocol based VLANs of the same type or different types For example if you have a port based VLAN that contains ports 1 1 1 10 you can configure port 1 5 as a memb...

Page 375: ...ature not only simplifies VLAN configuration but also allows you to have a large number of identically configured VLANs in a startup configuration file on the device s flash memory module Normally a startup configuration file with a large number of VLANs might not fit on the flash memory module By grouping the identically configured VLANs you can conserve space in the startup configuration file so...

Page 376: ...RX config vlan group 1 add vlan 1001 to 1002 BigIron RX config vlan group 1 remove vlan 900 to 1000 Syntax no add vlan vlan id to vlan id Syntax remove vlan vlan id to vlan id Verifying VLAN group configuration To verify configuration of VLAN groups display the running configuration file If you have saved the configuration to the startup configuration file you also can verify the configuration by ...

Page 377: ...VLANs within another VLAN This provides a total VLAN capacity on one device of 16 760 836 channels 4089 4089 The devices connected through the channel are not visible to devices in other channels Therefore each client has a private link to the other side of the channel Super aggregated VLANs are useful for applications such as Virtual Private Network VPN in which you need to provide a private dedi...

Page 378: ...ch client receives its own Layer 2 broadcast domain separate from the broadcast domains of other clients For example client 1 cannot ping client 5 The clients at each end of a channel appear to each other to be directly connected and thus can be on the same subnet and use network services that require connection to the same subnet In this example client 1 is in subnet 192 168 1 0 24 and so is the ...

Page 379: ... to configure device A in Figure 24 on page 302 enter commands such as the following BigIron RX config vlan 101 BigIron RX config vlan 101 tagged ethernet 2 1 BigIron RX config vlan 101 untagged ethernet 1 1 BigIron RX config vlan 101 exit BigIron RX config vlan 102 BigIron RX config vlan 102 tagged ethernet 2 1 BigIron RX config vlan 102 untagged ethernet 1 2 BigIron RX config vlan 102 exit BigIr...

Page 380: ...d VLANs on device C in Figure 24 on page 302 enter the following commands BigIron RX config tag type 9100 BigIron RX config aggregated vlan BigIron RX config vlan 101 BigIron RX config vlan 101 tagged ethernet 4 1 BigIron RX config vlan 101 untagged ethernet 3 1 BigIron RX config vlan 101 exit BigIron RX config vlan 102 BigIron RX config vlan 102 tagged ethernet 4 1 BigIron RX config vlan 102 unta...

Page 381: ...ds for configuring device A Notice that you can use the same channel VLAN numbers on each device The devices that aggregate the VLANs into a path can distinguish between the identically named channel VLANs based on the ID of the path VLAN BigIron RX B config vlan 101 BigIron RX B config vlan 101 tagged ethernet 2 1 BigIron RX B config vlan 101 untagged ethernet 1 1 BigIron RX B config vlan 101 exi...

Page 382: ... RX D config vlan 102 BigIron RX D config vlan 102 tagged ethernet 4 1 BigIron RX D config vlan 102 untagged ethernet 3 2 BigIron RX D config vlan 102 exit BigIron RX D config write memory Commands for device E Since the configuration in Figure 24 on page 302 is symmetrical the commands for configuring device E are identical to the commands for configuring device A BigIron RX E config vlan 101 Big...

Page 383: ... 1 3 BigIron RX F config vlan 103 exit BigIron RX F config vlan 104 BigIron RX F config vlan 104 tagged ethernet 2 1 BigIron RX F config vlan 104 untagged ethernet 1 4 BigIron RX F config vlan 104 exit BigIron RX F config vlan 105 BigIron RX F config vlan 105 tagged ethernet 2 1 BigIron RX F config vlan 105 untagged ethernet 1 5 BigIron RX F config vlan 105 exit BigIron RX F config write memory Co...

Page 384: ...802 1Q tag type on the uplink port is 8100 so the device will switch the frames to the uplink device with an additional 8100 tag thereby supporting devices that only support this method of VLAN tagging Configuration rules Follow the rules below when configuring 802 1q in q tagging Since the uplink to the provider cloud and the edge link to the customer port must have different 802 1Q tags make sur...

Page 385: ...X config aggregated vlan Note that since ports 11 and 12 belong to the port region 1 12 the 802 1Q tag actually applies to ports 1 12 Syntax no tag type num ethernet slot number port number to slot number port number The num parameter specifies the tag type number and can be a hexadecimal value from 0 ffff The default is 8100 The ethernet port number to port number parameter specifies the ports th...

Page 386: ...cation of the 802 1q tag type translation feature Client 1 Port1 1 VLAN 101 Client 3 Port1 3 VLAN 103 Client 5 Port1 5 VLAN 105 Client 1 192 168 1 69 24 Client 5 209 157 2 12 24 Client 6 Port1 1 VLAN 101 Client 8 Port1 3 VLAN 103 Client 10 Port1 5 VLAN 105 Ports 1 1 1 5 Untagged Ports 1 1 1 5 Untagged Device A Tag Type 8100 Port2 1 Tagged Port2 1 Tagged Device B Tag Type 8100 Port3 1 Untagged Port...

Page 387: ... Core Switch 2 and Customer Edge Switch 2 Figure 28 shows a simple application of the 802 1q tag type translation in which all of the ports are tagged and the tag types between devices match In this example each device performs the 802 1q tag type translation as the packet traverses the network Figure 29 shows a more complex example application in which some ports are untagged not all tag types be...

Page 388: ...supported devices you configure 802 1q tag types per port region Use the show running config command at any level of the CLI to view port regions Note that on Gigabit Ethernet modules ports 1 and 2 belong to the same port region Since the uplink to the provider cloud and the edge link to the customer port must have different 802 1q tag types make sure the uplink and edge link are in different port...

Page 389: ...actually applies to ports 9 16 NOTE Do not configure 802 1q tag type translation on the edge link to the customer edge switch Syntax no tag type num ethernet slot number port number to slot number port number The num parameter specifies the tag type number and can be a hexadecimal value from 0 ffff The default is 8100 Note that you must specify a value other than 8100 The slot number port number t...

Page 390: ...cating with one another even though they are in the same VLAN By default the private VLAN does not forward broadcast or unknown unicast packets from outside sources into the private VLAN If needed you can override this behavior for broadcast packets unknown unicast packets or both Refer to Enabling broadcast multicast or unknown unicast traffic to the private VLAN on page 318 You can configure a c...

Page 391: ... address filters to control traffic forwarded into and out of the private VLAN If you are implementing the private VLAN on a Layer 2 Switch you also can use ACLs to control the traffic into and out of the private VLAN Configuration notes When Private VLAN mappings are enabled the BigIron RX forwards unknown unicast unknown multicast and broadcast packets in software By default the device forwards ...

Page 392: ... be enabled or disabled in the individual port based VLANs However private VLANs are not supported with single instance STP single span You can configure only one private VLAN within a given port based VLAN Thus you must configure a separate port based VLAN for each private VLAN Each private VLAN can have only one primary VLAN and can not belong LACP ports Each private VLAN can have multiple isola...

Page 393: ...ort Configuring the primary VLAN Use the following CLI method to configure the primary VLAN Using the CLI To configure a primary private VLAN enter commands such as the following BigIron RX config vlan 7 BigIron RX config vlan 7 untagged ethernet 3 2 BigIron RX config vlan 7 pvlan type primary BigIron RX config vlan 7 pvlan mapping 901 ethernet 3 2 These commands create port based VLAN 7 add port ...

Page 394: ...following commands at the global CONFIG level of the CLI BigIron RX config pvlan preference broadcast flood BigIron RX config pvlan preference unknown unicast flood These commands enable forwarding of broadcast multicast and unknown unicast packets to ports within the private VLAN To again disable forwarding enter a command such as the following BigIron RX config no pvlan preference broadcast floo...

Page 395: ...re flooding for Layer 2 multicast and broadcast packets Broadcast and multicast packets do not have a specific recipient In order for these special packets to reach their intended recipient they needed to be sent on all ports of the VLAN or flooded across the VLAN By default the device performs hardware flooding for Layer 2 multicast and broadcast packets Layer 2 multicast packets have a multicast...

Page 396: ...unicast flooding Flow based MAC learning In this release the cpu flooding command that disables hardware flooding of unknown unicast multicast and broadcast packets on all VLAN has been added When using this command unknown unicast packets will go to the CPU and will be CPU forwarded Source MAC learning will be done by CPU The first packet for unknown DA will go to the CPU and CPU will program the...

Page 397: ... to the uplink ports The clients on the network do not receive broadcast and unknown unicast traffic from other ports including other clients To configure a port based VLAN containing uplink ports enter commands such as the following BigIron RX config vlan 10 by port BigIron RX config vlan 10 untag ethernet 1 1 to 1 24 BigIron RX config vlan 10 untag ethernet 2 1 to 2 2 BigIron RX config vlan 10 u...

Page 398: ...4092 are reserved for control purposes Default PORT VLAN id ID of the default VLAN PORT VLAN ID of the port based VLAN Name Name of the port based VLAN None appears if a name has not been assigned Priority Level Priority level assigned to the port based VLAN L2 protocols Layer 2 control protocol configured on the VLAN Untagged Tagged Ports ID of the untagged or tagged ports that are members of the...

Page 399: ...slot number port number is a member of VLANs The number of VLANs a port is a member of VLANs The IDs of the VLANs that the port is a member of BigIron RX show vlan detail Untagged Ports ethe 2 1 to 2 24 ethe 4 4 Tagged Ports None Dual mode Ports ethe 3 1 to 3 24 ethe 4 1 to 4 3 Default VLAN 1 Control VLAN 4095 VLAN Tag type 0x8100 PORT VLAN 1 Name DEFAULT VLAN Priority Level0 Port Type Tag Mode Pr...

Page 400: ... This line appears if you do not specify a VLAN It lists all the ports that are configured as dual mode ports in all the VLANs on the device Default VLAN ID of the default VLAN Control VLAN ID of the control VLAN PORT VLAN Name Priority Level Information for each VLAN in the output begins with the VLAN type and its ID name and priority level Then ports that are members of the VLAN are listed with ...

Page 401: ...ress i e self originated packet from the switch or router Under the Transparent Firewall mode switching of self originated packets is allowed The Transparent Firewall mode feature is a per VLAN configuration and is disabled by default Enabling a transparent firewall To set the mode to transparent enter a command such as the following BigIron RX config vlan 10 transparent fw mode To set the mode to...

Page 402: ...326 BigIron RX Series Configuration Guide 53 1002253 01 Transparent firewall mode 11 ...

Page 403: ...te spanning tree instance Each device has one VLAN VLAN 1 by default that contains all of its ports However if you configure additional port based VLANs on a device then each of those VLANs on which STP is enabled and VLAN 1 all run separate spanning trees You can enable or disable STP on the following levels Globally Affects all VLANs on the device Individual VLAN Affects all ports within the spe...

Page 404: ...yntax no spanning tree Enabling or disabling STP on a port Use the following procedure to disable or enable STP on an individual port NOTE If you change the STP state of the primary port in a trunk group the change affects all ports in the trunk group To enable STP on an individual port enter commands such as the following BigIron RX config interface 1 1 BigIron RX config if e1000 1 1 spanning tre...

Page 405: ...s possible values and defaults refer to Table 72 on page 328 Hello Time The interval of time between each configuration BPDU sent by the root bridge 2 seconds Possible values 1 10 seconds Priority A parameter used to identify the root bridge in a spanning tree instance of STP The bridge with the lowest value has the highest priority and is the root A higher numerical value means a lower priority t...

Page 406: ...lacement in the network and trigger errors if any changes from the root bridge placement are detected This feature allows STP to interoperate with user network bridges while still maintaining the bridged network topology that the administrator requires When Root Guard is enabled on a port it keeps the port in designated FORWARDING state If the port receives a superior STP BPDU it sets the port int...

Page 407: ...ed after the Root Guard unblocks a port STP Root Guard Port 12 21 VLAN 10 consistent Timeout Spanning Tree Protocol STP BPDU guard STP protection provides the ability to prohibit an end station from initiating or participating in an STP topology The STP BPDU Guard is used to keep all active network topologies predictable The spanning tree protocol detects and eliminates logical loops in a redundan...

Page 408: ... 1 spanning tree protect do disable Syntax no spanning tree protect do disable If both spanning tree protect and spanning tree protect do disable are configured on an interface spanning tree protect do disable takes precedence This means that when the port receives a BPDU the port will drop the BPDU and disable the port If you issue a no spanning tree protect do disable command the port will be re...

Page 409: ...ter show spanning tree 1 The detail parameter and its additional optional parameters display detailed information for individual ports Refer to Displaying detailed STP information for each interface on page 335 The show spanning tree command shows the following information TABLE 74 CLI display of STP information This field Displays Global STP parameters VLAN ID The port based VLAN that contains th...

Page 410: ...dge parameters Root Identifier The ID assigned by STP to the root bridge for this spanning tree in hexadecimal Root Cost The cumulative cost from this bridge to the root bridge If this device is the root bridge then the root cost is 0 DesignatedBridge Identifier The designated bridge to which the root port is connected The designated bridge is the device that connects the network segment on the po...

Page 411: ...his port is listening for a BPDU from neighboring bridges in order to determine the new topology No user frames are transmitted or received during this state LEARNING The port has passed through the LISTENING state and will change to the BLOCKING or FORWARDING state depending on the results of STP s reconvergence The port does not transmit or receive user frames during this state However the devic...

Page 412: ... the show span detail command displays the master VLANs of each group but not the member VLANs within the groups However the command does indicate that the VLAN is a master VLAN The show span detail vlan vlan id command displays the information for the VLAN even if it is a member VLAN To list all the member VLANs within a VLAN group enter the show vlan group group id command The show spanning tree...

Page 413: ...ameters Bridge identifier The STP identity of this device Root The ID assigned by STP to the root bridge for this spanning tree Control ports The ports in the VLAN Active global timers The global STP timers that are currently active and their current values The following timers can be listed Hello The interval between Hello packets This timer applies only to the root bridge Topology Change TC The ...

Page 414: ... the port does not transmit or receive user frames but the port does continue to receive STP BPDUs DISABLED The port is not participating in STP This can occur when the port is disconnected or STP is administratively disabled on the port FORWARDING STP is allowing the port to send and receive frames LISTENING STP is responding to a topology change and this port is listening for a BPDU from neighbo...

Page 415: ... 1 STP information STP Port Parameters VLAN ID 11 Port Prio Path State Designat Designated Designated Num rity Cost ed Cost Root Bridge 3 1 128 4 FORWARDING 0 8000000cdbf5ee00 8000000cdbf5ee00 STP Port Parameters VLAN ID 12 Port Prio Path State Designat Designated Designated Num rity Cost ed Cost Root Bridge 3 1 128 4 FORWARDING 0 8000000cdbf5ee00 8000000cdbf5ee00 RSTP information No RSTP configur...

Page 416: ...ice or VLAN can reach the root bridge using another port whose state is FORWARDING When a port is in this state the port does not transmit or receive user frames but the port does continue to receive STP BPDUs DISABLED The port is not participating in STP This can occur when the port is disconnected or STP is disabled on the port FORWARDING STP is allowing the port to send and receive frames LISTE...

Page 417: ...q tagging Tagged and untagged ports alike can be members of the single spanning tree domain NOTE When SSTP is enabled the BPDUs on tagged ports go out untagged If you disable SSTP all VLANs that were members of the single spanning tree run MSTP instead In MSTP each VLAN has its own spanning tree VLANs that were not members of the single spanning tree were not enabled for STP Therefore STP remains ...

Page 418: ... to Enabling or disabling RSTP on a single spanning tree on page 386 Displaying SSTP information To verify that SSTP is in effect enter the following commands at any level of the CLI For information on the command syntax refer to Displaying STP information on page 332 BigIron RX config show spanning tree VLAN 4095 STP instance 0 STP Bridge Parameters Bridge Bridge Bridge Bridge Hold LastTopology T...

Page 419: ...e running a single spanning tree IEEE 802 1Q The PVST support allows the device to interoperate with PVST spanning trees and the IEEE 802 1Q spanning tree at the same time IEEE 802 1Q and PVST regions cannot interoperate directly but can interoperate indirectly through PVST regions PVST BPDUs are tunneled through 802 1Q regions while PVST BPDUs for VLAN 1 the IEEE 802 1Q VLAN are processed by PVST...

Page 420: ...U You can manually enable the support at any time or disable the support if desired If you want a tagged port to also support IEEE 802 1Q BPDUs you need to enable the dual mode feature on the port The dual mode feature is disabled by default and must be enabled manually A port that is in PVST compatibility mode due to auto detection reverts to the default MSTP mode when one of the following events...

Page 421: ...BigIron RX config vlan group 1 tagged ethernet 1 1 BigIron RX config vlan group 1 exit BigIron RX config interface ethernet 1 1 BigIron RX config if e10000 1 1 pvst mode TABLE 77 CLI Display of PVST Information This field Displays Port The Brocade port number NOTE The command lists information only for the ports on which PVST support is enabled Method The method by which PVST support was enabled o...

Page 422: ...d port using VLAN 2 as port native VLAN In Figure 33 a port s Port Native VLAN is not VLAN 1 In this case VLAN 1 uses tagged frames and VLAN 2 uses untagged frames FIGURE 33 Port native VLAN 2 for untagged BPDUs To implement this configuration enter the following commands on the device BigIron RX config default vlan id 4000 BigIron RX config vlan 1 BigIron RX config vlan 1 tagged ethernet 1 1 BigI...

Page 423: ...an 1 BigIron RX config vlan 1 tagged ethernet 1 1 to 1 2 BigIron RX config vlan 1 exit BigIron RX config interface ethernet 1 1 BigIron RX config if e10000 1 1 pvst mode BigIron RX config if e10000 1 1 exit BigIron RX config interface ethernet 1 2 BigIron RX config if e10000 1 2 pvst mode BigIron RX config if e10000 1 2 exit Setting the ports as dual mode ensures that the untagged IEEE 802 1Q BPDU...

Page 424: ...perSpan uses a SuperSpan customer ID to uniquely identify and forward traffic for each customer You assign the customer ID as part of the SuperSpan configuration of the Brocade devices in the SP In Table 34 on page 348 the spanning trees of customer 1 and customer 2 do not interfere with one another because the SP network isolates each customer s spanning tree based on the SuperSpan customer IDs i...

Page 425: ...the Preforwarding state the Brocade ports change to the Forwarding state and forward data traffic as well as BPDUs The default length of the Preforwarding state is five seconds You can change the length of the Preforwarding state to a value from 3 30 seconds Figure 35 shows an example of how the Preforwarding state is used FIGURE 35 SuperSpan preforwarding state In this example a customer has two ...

Page 426: ...le spanning trees in the SP SuperSpan domain The examples below are in super aggregated configuration scenarios Customer and SP use multiple spanning trees Figure 36 shows an example of SuperSpan where both the customer network and the SP network use multiple spanning trees a separate spanning tree in each port based VLAN FIGURE 36 Customer and SP using Multiple Spanning Trees Both the customer an...

Page 427: ...ing trees while the SP network uses Single STP FIGURE 37 Customer using Multiple Spanning Trees and SP using single STP Customer traffic from different VLANs is maintained by different spanning trees while the SP network is maintained by a single spanning tree The SP can still use multiple VLANs at the core to separate traffic from different customers However all VLANs will have the same network t...

Page 428: ...ario and the previous two scenarios is that all traffic at the customer s network now follows the same path having the same STP root bridge in all VLANs Therefore the customer network will not have the ability to maximize network utilization on all its links On the other hand loop free non blocking topology is still separately maintained by the customer network s single spanning tree and the SP s ...

Page 429: ...uires you to specify a SuperSpan customer ID when configuring the boundary interface Use an ID from 1 65535 The customer ID uniquely identifies the customer Use the same customer ID for each SP interface with the same customer When tunneling BPDUs through the Brocade network the devices use the customer ID to ensure that BPDUs are forwarded only to the customer s devices and not to other customers...

Page 430: ...2 BigIron RX config if e1000 2 2 stp boundary 2 Enabling SuperSpan After you configure the SuperSpan boundary interfaces enable SuperSpan You can enable SuperSpan globally or on an individual VLAN level If you enable the feature globally the feature is enabled on all VLANs NOTE If you enable the feature globally then create a new VLAN the new VLAN inherits the global SuperSpan state For example if...

Page 431: ... CLI display of SuperSpan customer ID information This field Displays CID The SuperSpan customer ID number Port The boundary port number C BPDU Rxed The number of BPDUs received from the client spanning tree C BPDU Txed The number of BPDUs sent to the client spanning tree T BPDU Rxed The number of BPDUs received from the SuperSpan tunnel T BPDU Txed The number of BPDUs sent to the SuperSpan tunnel...

Page 432: ...356 BigIron RX Series Configuration Guide 53 1002253 01 SuperSpan 12 ...

Page 433: ...rithm uses this information to determine if the RST BPDU received by a port is superior to the RST BPDU that the port transmits The two values are compared in the order as given above starting with the Root bridge ID The RST BPDU with a lower value is considered superior The superiority and inferiority of the RST BPDU is used to assign a role to a port If the value of the received RST BPDU is the ...

Page 434: ...up port while the other port becomes the Designated port If a non root bridge already has a Root port then the port that receives an RST BPDU that is superior to those it can transmit becomes the Alternate port If the RST BPDU that a port receives is inferior to the RST BPDUs it transmits then the port becomes a Designated port If the port is down or if RSTP is disabled on the port that port is gi...

Page 435: ...uperior to those Port8 transmits Therefore Switch 2 is the Backup port and Port7 is the Designated port Ports on Switch 3 Port2 on Switch 3 directly connects to the Designated port on the root bridge therefore it assumes the Root port role The root path cost of the RST BPDUs received on Port4 Switch 3 is inferior to the RST BPDUs transmitted by the port therefore Port4 Switch 3 becomes the Designa...

Page 436: ...ated port roles Port flapping does not cause any topology change events on Edge ports since RSTP does not consider Edge ports in the spanning tree calculations FIGURE 41 Topology with edge ports However if any incoming RST BPDU is received from a previously configured Edge port RSTP automatically makes the port as a non edge port This is extremely important to ensure a loop free Layer 2 operation ...

Page 437: ...continue to receive RST BPDUs This state corresponds to the listening and blocking states of 802 1D Learning RSTP is allowing MAC address entries to be added to the filtering database but does not permit forwarding of data frames The device can learn the MAC addresses of frames that the port receives during this state and make corresponding entries in the MAC table Disabled The port is not partici...

Page 438: ... changes occur State machines The bridge uses the Port Role Selection state machine to determine if port role changes are required on the bridge This state machine performs a computation when one of the following events occur New information is received on any port on the bridge The timer expires for the current information on a port on the bridge Each port uses the following state machines Port I...

Page 439: ...to a discarding state and negotiates with its peer port for a new role and a new state A peer port is the port on the other bridge to which the port is connected For example in Figure 43 Port1 of Switch 200 is the peer port of Port2 of Switch 100 A port with a Designated role is quickly placed into a forwarding state if one of the following occurs The Designated port receives an RST BPDU that cont...

Page 440: ...s is superior to what it can transmit the port assumes the role of a Root port Refer to Bridges and bridge port roles on page 357 If the RST BPDU that the port receives is inferior to what it can transmit then the port is given the role of Designated port NOTE Proposed will never be asserted if the port is connected on a shared media link In Figure 43 Port3 Switch 200 is elected as the Root port F...

Page 441: ...ly Alternate ports and Backup ports are synced The Root port monitors the synced signals from all the bridge ports Once all bridge ports asserts a synced signal the Root port asserts its own synced signal Figure 45 BigIron Switch 100 Root Bridge Port1 Designated port Port1 Root port Sync Switch 200 Switch 300 Switch 400 Port2 Sync Discarding Port3 Sync Discarding Port2 Port3 Indicates a signal ...

Page 442: ...eed flag to its peer Designated port and moves into the forwarding state When the peer Designated port receives the RST BPDU it rapidly transitions into a forwarding state BigIron Switch 100 Root Bridge Switch 200 Switch 300 Switch 400 Port1 Designated port Port1 Root port Synced Port2 Port3 Indicates a signal Port2 Synced Discarding Port3 Synced Discarding ...

Page 443: ...s a proposed signal Ports in Switch 300 then set sync signals on the ports to synchronize and negotiate their roles and states Then the ports assert a synced signal and when the Root port in Switch 300 asserts it is synced signal it sends an RST BPDU to Switch 200 with an agreed flag This handshake is repeated between Switch 200 and Switch 400 until all Designated and Root ports are in forwarding ...

Page 444: ...oposing Proposed Sync and Reroot Sync and Rerooted Rerooted and Synced Agreed handshake Proposing and Proposed The Designated port on the new root bridge Port4 Switch 60 sends an RST BPDU that contains a proposing signal to Port4 Switch 200 to inform the port that it is ready to put itself in a forwarding state Figure 48 RSTP algorithm determines that the RST BPDU that Port4 Switch 200 received is...

Page 445: ...o renegotiate their new roles and states The other ports on the bridge assert their sync and reroot signals Information about the old Root port is discarded from all ports Designated ports change into discarding states Figure 49 Switch 100 Port2 Designated port Switch 60 Port1 Port2 Root port Handshake Completed Port4 Designated port Proposing Proposing Port1 Root port Forwarding RST BPDU sent wit...

Page 446: ...gnals as they continue in their discarding states They also continue to negotiate their roles and states with their peer ports Figure 50 BigIron Switch 100 Port2 Root port Port2 Designated port Port1 Switch 60 Port4 Designated port Proposing Proposing Port1 Root port Sync Reroot Forwarding Port4 Root port Sync Reroot Discarding Port3 Sync Reroot Discarding Port2 Sync Reroot Discarding Switch 200 S...

Page 447: ...Switch 60 that contains an agreed flag Figure 50 The Root port also moves into a forwarding state BigIron Switch 100 Port2 Designated port Switch 60 Port4 Designated port Port2 Root port Port1 Port1 Designated port Sync Rerooted Discarding Port4 Root port Sync Rerooted Discarding Port3 Sync Rerooted Discarding Port2 Sync Rerooted Discarding Switch 200 Proposing Port2 Port3 Switch 300 Switch 400 In...

Page 448: ... port on Switch 60 goes into a forwarding state once it receives the RST BPDU with the agreed flag BigIron Switch 100 Port2 Designated port Switch 60 Port4 Designated port Forwarding Port 2 Root port Port1 Proposing Port1 Rerooted Synced Discarding Port4 Root port Rerooted Synced Forwarding Port3 Rerooted Synced Discarding Port2 Rerooted Synced Discarding Port2 Port3 Switch 300 Indicates a signal ...

Page 449: ... At this point the handshake between the Switch 60 and Switch 200 is complete The remaining bridges Switch 300 and Switch 400 may have to go through the reroot handshake if a new Root port needs to be assigned Convergence in a simple topology The examples in this section illustrate how RSTP convergence occurs in a simple Layer 2 topology at start up NOTE The remaining examples assume that the appr...

Page 450: ...with a proposal flag to Port3 Switch 3 A port with a Designated role sends the proposal flag in its RST BPDU when they are ready to move to a forwarding state Port3 Switch 3 which starts with a role of Designated port receives the RST BPDU and finds that it is superior to what it can transmit therefore Port3 Switch 3 assumes a new port role that of a Root port Port3 Switch 3 transmits an RST BPDU ...

Page 451: ...tes a new role and state with its peer port Port3 Switch 2 Port4 Switch 3 sends an RST BPDU with an agreed flag to Port4 Switch 1 Both ports go into forwarding states Port2 Switch 2 receives an RST BPDU The RSTP algorithm determines that these RST BPDUs that are superior to any that any port on Switch 2 can transmit therefore Port2 Switch 2 assumes the role of a Root port The new Root port then si...

Page 452: ...ose received on Port3 Switch 1 therefore Port5 Switch 1 is given the Backup port role while Port3 is given the Designated port role Port3 Switch 1 does not go directly into a forwarding state It waits until the forward delay time expires twice on that port before it can proceed to the forwarding state Once convergence is achieved the active Layer 2 forwarding path converges as shown in Figure 55 F...

Page 453: ...ith the new role information However the root bridge ID transmitted in the RST BPDU is still Switch 1 When Port3 Switch 2 receives the RST BPDU RSTP algorithm determines that it is superior to the RST BPDU that it can transmit therefore Port3 Switch 2 receives a new role that of a Root port Port3 Switch 2 then sends an RST BPDU with an agreed flag to Port3 Switch 3 Port3 Switch 2 goes into a forwa...

Page 454: ...o Port2 Switch 1 and then places itself into a forwarding state When Port2 Switch 1 receives the RST BPDU with an agreed flag sent by Port2 Switch 2 it puts that port into a forwarding state The topology is now fully converged When Port3 Switch 3 receives the RST BPDU that Port3 Switch 2 sent RSTP algorithm determines that these RST BPDUs are superior to those that Port3 Switch 3 can transmit Ther...

Page 455: ...shake mechanisms select Port3 as the Root port of Switch 6 All other ports are given a Designated port role with discarding states Port3 Switch 6 then sends an RST BPDU with an agreed flag to Port3 Switch 5 to confirm that it is the Root port The Root port then goes into a forwarding state Now Port4 Switch 6 receives RST BPDUs that are superior to what it can transmit therefore it is given the Alt...

Page 456: ...le Port3 Switch 2 sends an RST BPDU to Port3 Switch 3 that contains a proposal flag Port3 Switch 3 becomes the Root port while all other ports on Switch 3 are given Designated port roles and go into discarding states Port3 Switch 3 sends an RST BPDU with an agreed flag to Port3 Switch 2 and Port3 Switch 3 goes into a forwarding state Now Port2 Switch 3 receives an RST BPDUs that is superior to wha...

Page 457: ...knowledge the topology change once they receive the RST BPDU and send the TCN to other bridges until all the bridges are informed of the topology change For example Port3 Switch 2 in Figure 59 fails Port4 Switch 3 becomes the new Root port Port4 Switch 3 sends an RST BPDU with a TCN to Port4 Switch 4 To propagate the topology change Port4 Switch 4 then starts a TCN timer on itself on the bridge s ...

Page 458: ...2 sends the TCN to Port2 Switch 5 Port4 Switch 2 sends the TCN to Port4 Switch 6 Port2 Switch 2 sends the TCN to Port2 Switch 1 Switch 1 Bridge priority 1000 Switch 2 Bridge priority 200 Switch 5 Bridge priority 60 Switch 6 Bridge priority 900 Switch 4 Bridge priority 400 Switch 3 Bridge priority 300 Port2 Port2 Port2 Port2 Port3 Port3 Port3 Port3 Port3 Port3 Port4 Port4 Port4 Port4 Port5 Port 5 P...

Page 459: ...TCN to Switch 3 and Switch 4 to complete the TCN propagation Figure 61 Switch 1 Bridge priority 1000 Switch 2 Bridge priority 200 Switch 5 Bridge priority 60 Switch 6 Bridge priority 900 Switch 4 Bridge priority 400 Switch 3 Bridge priority 300 Port3 Port3 Port3 Port3 Port3 Port3 Port4 Port4 Port4 Port4 Port2 Port2 Port2 Port2 Port5 Port5 Port5 Indicates the active Layer 2 path Indicates direction...

Page 460: ... A legacy BPDU is an STP BPDU or a BPDU in an 802 1D format The port that receives the legacy BPDU automatically configures itself to behave like a legacy port It sends and receives legacy BPDUs only The entire bridge is configured to operate in an 802 1D mode when an administrator sets the bridge parameter to zero at the CLI forcing all ports on the bridge to send legacy BPDUs only Once a port op...

Page 461: ...e set between 1 and 65 535 In order for the two bridge types to be able to interoperate in the same topology the administrator needs to configure the bridge path cost appropriately Path costs for either RSTP bridges or 802 1D bridges need to be changed in most cases path costs for RSTP bridges need to be changed Configuring RSTP parameters The remaining RSTP sections explain how to configure the R...

Page 462: ...nds such as the following BigIron RX config interface 1 1 BigIron RX config if e1000 1 1 no spanning tree Syntax no spanning tree protect The value of protect will drop the BPDUs received on that specific interface Changing RSTP bridge parameters When you make changes to RSTP bridge parameters the changes are applied to individual ports on the bridge To designate a priority for a bridge enter a co...

Page 463: ...P port commands can be enabled on individual ports or on multiple ports such as all ports that belong to a VLAN The RSTP port parameters are preconfigured with default values If the default parameters meet your network requirements no other action is required You can change the following RSTP port parameters using the following methods BigIron RX config vlan 10 BigIron RX config vlan 10 rstp ether...

Page 464: ...spanning tree 802 1w ethernet 5 path cost 15 priority 64 Fast port span When STP is running on a device message forwarding is delayed during the spanning tree recalculation period following a topology change The STP forward delay parameter specifies the period of time a bridge waits before forwarding data packets The forward delay controls the listening and learning periods of STP reconvergence Yo...

Page 465: ...wn the unnecessary cache aging that can occur in these circumstances under normal STP is eliminated Fast Port Span is a system wide parameter and is enabled by default Thus when you boot a device all the ports that are attached only to end stations run Fast Port Span For ports that are not eligible for Fast Port Span such as ports connected to other networking devices the device automatically uses...

Page 466: ...n RX config write memory This command re enables Fast Port Span on port 1 1 only and does not re enable Fast Port Span on other excluded ports You also can re enable Fast Port Span on a list or range of ports using the syntax shown above this example To re enable Fast Port Span on all excluded ports disable and then re enable Fast Port Span by entering the following commands BigIron RX config no f...

Page 467: ...ndard STP state transition without any acceleration This behavior guards against temporary routing loops as the switch tries to determine the states for all the ports Fast Uplink Span acceleration applies only when a working uplink becomes unavailable Fast uplink span rules for trunk groups If you add a port to a Fast Uplink Span group that is a member of a trunk group the following rules apply If...

Page 468: ...ing the standard STP forward delay If you add a port that is the primary port of a trunk group all ports in the trunk group become members of the Fast Uplink Span group You can add ports to a Fast Uplink Span group by entering the fast uplink span command additional times with additional ports The device can have only one Fast Uplink Span group so all the ports you identify as Fast Uplink Span por...

Page 469: ...0 The bridge has been forced to operate in an STP compatibility mode 2 The bridge has been forced to operate in an RSTP mode This is the default txHoldCnt The number of BPDUs that can be transmitted per Hello Interval The default is 3 Root bridge parameters Root Bridge Identifier ID of the Root bridge that is associated with this bridge Root Path Cost The cost to reach the root bridge from this br...

Page 470: ...ame as in 802 1D STP Hello The hello value derived from the Root port It is the number of seconds between two Hello packets Fwd Dly The number of seconds a non edge Designated port waits until it can apply any of the following transitions if the RST BPDU it receives does not have an agreed flag Discarding state to learning state Learning state to forwarding state When a non edge port receives the ...

Page 471: ... edge port states on page 362 Designated Cost The best root path cost that this port received including the best root path cost that it can transmit Designated Bridge The ID of the bridge that sent the best RST BPDU that was received on this port TABLE 81 The show rstp detail command output This field Displays VLAN ID ID of the VLAN that owns the instance of RSTP and the number of RSTP instances o...

Page 472: ... Discarding Learning Disabled Refer to Bridge port states on page 361 and Edge port and non edge port states on page 362 Path Cost The configured path cost on a link connected to this port Priority The configured priority of the port The default is 128 or 0x80 AdminOperEdge Indicates if the port is an operational Edge port Edge ports may either be auto detected or configured forced to be Edge port...

Page 473: ...nge timer The value shown is the interval when topology change notices can be propagated on this port fdWhile Forward delay timer See the explanation for Fwd Dly on page 394 mdelayWhile Migration delay timer The amount of time that a bridge on the same LAN has to synchronize its migration state with this port before another BPDU type can cause this port to change the BPDU that it transmits Machine...

Page 474: ...rs Port Num The port number shown in a slot port format Pri The configured priority of the port The default is 128 or 0x80 Port Path Cost The configured path cost on a link connected to this port BigIron RX show xstp Ethernet 3 1 STP information No STP configured VLANs for the port 3 1 RSTP information RSTP IEEE 802 1w Port Parameters VLAN ID 11 Config Params Current state Port Pri PortPath P2P Ed...

Page 475: ...bridge that sent the best RST BPDU that was received on this port State The port s STP state The state can be one of the following BLOCKING STP has blocked Layer 2 traffic on this port to prevent a loop The device or VLAN can reach the root bridge using another port whose state is FORWARDING When a port is in this state the port does not transmit or receive user frames but the port does continue t...

Page 476: ...is connected to this port If the designated bridge is the root bridge itself then the cost is 0 The identity of the designated bridge is shown in the Design Bridge field Designated Root The root bridge as recognized on this port The value is the same as the root bridge ID listed in the Root ID field Designated Bridge The bridge as recognized on this port This field Displays ...

Page 477: ...orks MANs where using STP has the following drawbacks STP allows a maximum of seven nodes Metro rings can easily contain more nodes than this STP has a slow reconvergence time taking many seconds or even minutes MRP can detect and heal a break in the ring in sub second time Figure 63 shows an MRP metro ring FIGURE 63 Metro ring normal state F F F Customer A Member Node Switch B Customer A Customer...

Page 478: ...the ring to the next interface until it reaches the secondary interface of the master node The secondary interface blocks the packet to prevent a Layer 2 loop NOTE When you configure MRP Brocade recommends that you disable one of the ring interfaces before beginning the ring configuration Disabling an interface prevents a Layer 2 loop from occurring while you are configuring MRP on the ring nodes ...

Page 479: ...de also can be the master for more than one ring Ring initialization The ring shown in Figure 63 shows the port states in a fully initialized ring without any broken links Figure 65 shows the initial state of the ring when MRP is first enabled on the ring s switches All ring interfaces on the master node and member nodes begin in the Preforwarding state PF Ring 1 Ring 2 Ring 3 port1 1 port1 2 port...

Page 480: ... forward data as well as RHPs An interface changes from Preforwarding to Forwarding when the port s preforwarding time expires This occurs if the port does not receive an RHP from the Master or if the forwarding bit in the RHPs received by the port is off This indicates a break in the ring The port heals the ring by changing its state to Forwarding The preforwarding time is the number of milliseco...

Page 481: ...ndary port does not receive the RHP by the time the preforwarding time expires a break has occurred in the ring The port changes its state to Forwarding The member ports also change their states from Preforwarding to Forwarding as their preforwarding timers expire The ring is not intact but data can still travel among the nodes using the links that are up Figure 66 shows an example FIGURE 66 Metro...

Page 482: ...e Master node has a dead timer If the dead time expires before the interface receives one of its ring s RHPs the interface changes state to Preforwarding Once the secondary interface changes state to Preforwarding If the interface receives an RHP the interface changes back to the Blocking state and resets the dead timer If the interface does not receive an RHP for its ring before the Preforwarding...

Page 483: ...P packet is sent to the Foundry MRP master indicating that the link is down This Foundry MRP packet is sent from the Foundry MRP member to the Foundry MRP master only when the secondary link goes down and it is sent on the primary link The destination MAC address in the packet is the ring MAC address This allows the packet to be hardware forwarded all the way to the Foundry MRP master When the Mas...

Page 484: ...lure There is no CLI command required to enable this feature FIGURE 68 A Foundry MRP ring under normal operation A and after detection of a failure in the ring B Master VLANs and customer VLANs in a topology group All the ring ports must be in the same VLAN Placing the ring ports in the same VLAN provides Layer 2 connectivity for a given customer across the ring Figure 69 shows an example Switch A...

Page 485: ...gle instance of a Layer 2 protocol such as MRP A topology group contains a master VLAN and member VLANs The master VLAN contains all the configuration parameters for the Layer 2 protocol STP MRP or VSRP The member VLANs use the Layer 2 configuration of the master VLAN In Figure 69 VLAN 2 is the master VLAN and contains the MRP configuration parameters for ring 1 VLAN 30 and VLAN 40 the customer VL...

Page 486: ...n only one of the nodes Perform the remaining tasks on all the nodes Disable one of the ring interfaces This prevents a Layer 2 loop from occurring while you are configuring the devices for MRP Add an MRP ring to a port based VLAN When you add a ring the CLI changes to the configuration level for the ring where you can do the following Optionally specify a name for the ring On the master node only...

Page 487: ...and can include blank spaces If you use a name that has blank spaces enclose the name in double quotation marks for example Customer A Syntax no master Configures this node as the master node for the ring Enter this command only on one node in the ring The node is a member non master node by default Syntax no ring interface ethernet primary if ethernet secondary if The ethernet primary if paramete...

Page 488: ...l interface that belong to the same VLAN to be shared by multiple rings MRP is a Brocade proprietary protocol that prevents Layer 2 loops and provides fast reconvergence in Layer 2 ring topologies It is an alternative to STP and is especially useful in Metropolitan Area Networks MANs that require more nodes and faster reconvergence time than what STP provides An MRP ring consists of nodes and each...

Page 489: ...he same interface MRP Phase2 On each node that will participate in the ring you specify the ring s ID and the interfaces that will be used for ring traffic In a multiple ring configuration a ring s ID determines its priority The lower the ring ID the higher priority of a ring A ring s ID is also used to identify the interfaces that belong to a ring Ring 1 Ring 2 Ring 3 port1 1 port1 2 port4 2 port...

Page 490: ...on S1 and Port 2 2 on S2 have a priority of 1 since 1 is the highest priority lowest ID of the rings that share the interface If a node has interfaces that have different IDs the interfaces that belong to the ring with the highest priority become regular ports Those interfaces that do not belong to the ring with the highest priority become tunnel ports In Figure 72 nodes S1 and S2 have interfaces ...

Page 491: ...hared interfaces nodes that do not have tunnel ports can be designated as the master node of that ring If none of the nodes meet these criteria you must change the rings priorities by reconfiguring the rings ID In Figure 72 any of the nodes on Ring 1 even S1 or S2 can be a master node since none of its interfaces are tunnel ports However in Ring 2 neither S1 nor S2 can be a master node since these...

Page 492: ...ority is the same as the tunnel port s priority the packet is forwarded up the link shared by Rings 1 and 2 When the RHP packet reaches the interface on node S2 shared by Rings 1 and 2 the packet is forwarded since its priority is less than the interface s priority The packet continues to be forwarded to node S1 until it reaches the tunnel port on S1 That tunnel port determines that the RHP packet...

Page 493: ...hen the RHP packet forwarded by its primary interface is returned The packet then continues around Ring 1 through the interfaces on S1 to Ring 2 until it reaches Ring 2 s master node Port 3 2 the secondary interface on Ring 2 changes to blocking mode since it received its own packet then blocks the packet to prevent a loop FIGURE 74 Flow of RHP packets when a link for shared interfaces brakes RHP ...

Page 494: ...the primary interface is the one that originates RHPs Ring control traffic and Layer 2 data traffic will flow in the outward direction from this interface by default On member nodes the direction of traffic flow depends on the traffic direction selected by the master node Therefore on a member node the order in which you enter the interfaces does not matter The ethernet secondary if parameter spec...

Page 495: ...to Displaying topology group information on page 449 for more information TABLE 83 CLI display of MRP ring diagnostic information This field Displays Ring id The ring ID Diag state The state of ring diagnostics RHP average time The average round trip time for an RHP packet on the ring The calculated time has a granularity of 1 microsecond Recommended hello time The hello time recommended by the so...

Page 496: ...is ring If a topology group is used by MRP the master VLAN controls the MRP settings for all VLANs in the topology group NOTE The topology group ID is 0 if the MRP VLAN is not the master VLAN in a topology group Using a topology group for MRP configuration is optional Topo group The topology group ID Hello time The interval in milliseconds at which the Forwarding port on the ring s master node sen...

Page 497: ...he primary ports of the groups are listed Interface role The interface role can be one of the following primary The primary interface Master node The interface generates RHPs Member node The interface forwards RHPs received on the other interface the secondary interface secondary The interface does not generate RHPs Master node The interface listens for RHPs Member node The interface receives RHPs...

Page 498: ...net 4 1 BigIron RX config vlan 40 exit The following commands configure topology group 1 on VLAN 2 The master VLAN is the one that contains the MRP configuration The member VLANs use the MRP parameters of the master VLAN The control interfaces the ones shared by the master VLAN and member VLAN also share MRP state BigIron RX config topology group 1 BigIron RX config topo group 1 master vlan 2 BigI...

Page 499: ...n 40 tag ethernet 4 1 BigIron RX config vlan 40 exit BigIron RX config topology group 1 BigIron RX config topo group 1 master vlan 2 BigIron RX config topo group 1 member vlan 30 BigIron RX config topo group 1 member vlan 40 Commands on switch D BigIron RX config vlan 2 BigIron RX config vlan 2 tag ethernet 1 1 to 1 2 BigIron RX config vlan 2 metro ring 1 BigIron RX config vlan 2 mrp 1 name Metro ...

Page 500: ...424 BigIron RX Series Configuration Guide 53 1002253 01 MRP CLI example 14 ...

Page 501: ...e backups takes over as the active device and continues forwarding traffic for the network Layer 2 and Layer 3 share the same VSRP configuration information Figure 75 shows a VSRP configuration FIGURE 75 VSRP mesh redundant paths for Layer 2 and Layer 3 traffic In this example two devices are configured as redundant paths for VRID 1 On each device a Virtual Router ID VRID is configured on a port b...

Page 502: ...Iron Edge Switch X Series Switch as the VSRP aware switches the vsrp aware vrid num tc vlan flush command is required to be configured on the non BigIron RX devices Refer to the FastIron Configuration Guide for additional information Layer 2 and Layer 3 redundancy You can configure VSRP to provide redundancy for Layer 2 only or both for Layer 2 and Layer 3 Layer 2 only The Layer 2 links are backed...

Page 503: ... its own by the time the hold down timer expires the Backup becomes the new Master and starts forwarding Layer 2 traffic on all ports VSRP priority calculation Each VSRP device has a VSRP priority for each VRID and its VLAN The VRID is used during Master election for the VRID By default a device s VSRP priority is the value configured on the device which is 100 by default However to ensure that a ...

Page 504: ...150 In this case failure of a single link does not cause failover The link failure caused the priority to be reduced to 100 which is still equal to the priority of the other device This is shown in Figure 78 Internet or enterprise Intranet Internet or enterprise Intranet Router 1 Router 2 e 2 4 e 3 2 Owner Backup 192 53 5 1 192 53 5 3 e 1 6 e 1 5 Host1 Default Gateway 192 53 5 1 VRID1 Router1 Mast...

Page 505: ...ck ports are configured When you configure a track port you assign a priority value to the port If the port goes down VSRP subtracts the track port s priority value from the configured VSRP priority For example if the you configure a track port with priority 20 and the configured VSRP priority is 100 the software subtracts 20 from 100 if the track port goes down resulting in a VSRP priority of 80 ...

Page 506: ...VLAN When the device has received a Hello message for a VRID in a given VLAN the device creates a record for that VRID and VLAN and includes the port number in the record Each subsequent time the device receives a Hello message for the same VRID and VLAN the device checks the port number VSRP Master VSRP Backup optional link VSRP Aware VSRP Aware VSRP Aware F F F B B B Configured priority 100 Trac...

Page 507: ... a given VLAN on any port the device assumes the connection to the Master is unavailable and removes the VRID record Configuring basic VSRP parameters To configure VSRP perform the following required tasks 1 Configure a port based VLAN containing the ports for which you want to provide VSRP service NOTE If you already have a port based VLAN but only want to use VSRP on a sub set of the VLANs ports...

Page 508: ...eters The following sections describe how to configure optional VSRP parameters Disabling VSRP on a VRID If you want to deactivate VSRP on a VRID enter the following command BigIron RX config vlan 200 vrid 1 disable Syntax disable Configuring authentication If the interfaces on which you configure the VRID use authentication the VSRP packets on those interfaces also must use the same authenticatio...

Page 509: ...n 200 vrid 1 no include port ethernet 1 2 To return the port to the VRID enter the following command BigIron RX config vlan 200 vrid 1 include port ethernet 1 2 Syntax no include port ethernet slot portnum The ethernet slot portnum parameter specifies the port you are removing from the VRID The port remains in the VLAN but its forwarding state is not controlled by VSRP Configuring a VRID IP addres...

Page 510: ...e VLAN to which the VRID of the VSRP configured device belongs globally or on a port that belongs to the VRID To globally configure a VSRP configured device to shut down its ports when a failover occurs then restart after five seconds enter the following command BigIron RX configure vlan 100 BigIron RX configure vlan 100 vsrp vrid 1 BigIron RX configure vlan 100 vrid 1 fast start 5 Syntax no fast ...

Page 511: ...RID BigIron RX config vlan 200 vrid 1 backup priority 75 Syntax no backup priority value track priority value The priority value parameter specifies the VRRP priority for this interface and VRID You can specify a value from 3 254 The default is 100 For a description of the track priority value parameter refer to Changing the default track priority on page 438 Saving the timer values received from ...

Page 512: ...BigIron RX config vsrp router slow start 30 Syntax slow start ticks The ticks parameter can range from 1 to 600 ticks 1 10 second to 60 seconds When the VSRP slow start timer is enabled if the Master goes down the Backup takes over immediately If the Master subsequently comes back up again the amount of time specified by the VSRP slow start timer elapses in this example 3 seconds before the Master...

Page 513: ...Hello interval To change the Dead interval enter a command such as the following at the configuration level for the VRID BigIron RX config vlan 200 vrid 1 dead interval 30 Syntax no dead interval units The units parameter specifies the interval which and can be from 3 84 units 1 unit 100 milliseconds The default is 3 3 units 300 milliseconds NOTE If you change the timer scale the change affects th...

Page 514: ... seconds Changing the default track priority When you configure a VRID to track the link state of other interfaces if one of the tracked interface goes down the software changes the VSRP priority of the VRID interface The software reduces the VRID priority by the amount of the priority of the tracked interface that went down For example if the VSRP interface s priority is 100 and a tracked interfa...

Page 515: ...ion applies only to Backups and takes effect only when the Master has failed and a Backup has assumed ownership of the VRID The feature prevents a Backup with a higher priority from taking over as Master from another Backup that has a lower priority but has already become the Master of the VRID Preemption is especially useful for preventing flapping in situations where there are multiple Backups a...

Page 516: ...g VSRP information You can clear all VSRP statistics globally and per instance by entering the following command BigIron RX clear vsrp Syntax clear vsrp VSRP and MRP signaling A device may connect to an MRP ring through VSRP to provide a redundant path between the device and the MRP ring VSRP and MRP signaling ensures rapid failover by flushing MAC addresses appropriately The host on the MRP ring ...

Page 517: ...over Then each MRP instance does the following The MRP node sends out an MRP PDU with the mac flush flag set three times on the MRP ring The MRP node that receives this MRP PDU empties all the MAC address entries from its interfaces that participate on the MRP ring The MRP node then forwards the MRP PDU with the mac flush flag set to the next MRP node that is in forwarding state The process contin...

Page 518: ...ath 1 Path 2 MRP Member MRP Master MRP Member MRP Member MRP MRP Member VSRP Backup VSRP Host MRP Member VSRP Master MRP Member MRP Member MRP MRP Master VSRP Backup VSRP MRP Member VSRP Master Device 1 Device 1 Host BigIron RX show vsrp vrid 100 VLAN 10 Auth type no authentication VRID 10 State Administrative status Advertise backup Preempt mode Master Enabled Disabled True Parameter Configured C...

Page 519: ... of the VRID The administrative status can be one of the following disabled The VRID is configured on the interface but VSRP or VRRPE has not been activated on the interface enabled VSRP has been activated on the interface Advertise backup Whether the device is enabled to send VSRP Hello messages when it is a Backup This field can have one of the following values disabled The device does not send ...

Page 520: ...w Master for the VRID NOTE The value is never 0 as it defaults to 3 units hold interval The number of units a Backup that intends to become the Master will wait before actually beginning to forward Layer 2 traffic for the VRID 1 unit 100 milliseconds If the Backup receives a Hello message with a higher priority than its own before the hold down interval expires the Backup remains in the Backup sta...

Page 521: ...pecific VLAN enter a command such as the following BigIron RX show vsrp statistics vlan 100 This field Displays VLAN The VLAN on which VSRP is configured VRID The VRID for which the following information is displayed ConfPri The configured priority for the device s preferability for becoming the Master for the VRID CurPri The device s current priority for becoming the Master P Pre empt mode status...

Page 522: ...arameter For information about the display when you use the vrid num or vlan vlan id parameter refer to Displaying VRID information on page 442 TABLE 86 CLI display of VSRP aware information This field Displays VLAN ID The VLAN that contains the VSRP aware device s connection with the VSRP Master and Backups VRID The VRID Last Port The most recent active port connection to the VRID This is the por...

Page 523: ...ain one or more member VLANs and VLAN groups Master VLAN The master VLAN contains the configuration information for the Layer 2 protocol For example if you plan to use the topology group for MRP the topology group s master VLAN contains the ring configuration information Member VLANs The member VLANs are additional VLANs that share ports with the master VLAN The Layer 2 protocol settings for the p...

Page 524: ...Ns A VLAN cannot be controlled by more than one topology group The topology group must contain a master VLAN and can also contain individual member VLANs VLAN groups or a combination of individual member VLANs and VLAN groups Therefore configure the master VLAN and member VLANs or member VLAN groups before you configure a topology group Once you add a VLAN as a member of a topology group all the L...

Page 525: ... Syntax no topology group group id The command creates a topology group The group id parameter assigns an ID 1 256 to the topology group Syntax no master vlan vlan id This command adds the master VLAN to the topology group The VLAN must already be configured Make sure all the Layer 2 protocol settings in the VLAN are correct for your configuration before you add the VLAN to the topology group A to...

Page 526: ...rotocol information The Layer 2 protocol configuration and state of these ports in the master VLAN applies to the same port numbers in all the member VLANs L2 protocol The Layer 2 protocol configured on the control ports The Layer 2 protocol can be one of the following MRP STP RSTP VSRP Per vlan free ports The ports that are not controlled by the Layer 2 protocol information in the master VLAN Big...

Page 527: ...h Brocade devices This section presents the standard VRRP options and the options that Brocade added in its implementation of VRRP Standard VRRP VRRP is an election protocol that provides redundancy to routers within a LAN VRRP allows you to provide alternate router paths for a host without changing the IP address or MAC address by which the host knows its gateway Consider the situation shown in F...

Page 528: ...default router for hosts on a shared LAN For example Figure 85 has one virtual router configured identified as VRID1 This virtual router ID is associated with Router 1 and Router 2 Since there are more than one IP addresses configured on Router 1 and Router 2 one of the physical addresses is assigned to the virtual router For example in Figure 85 IP address 192 53 5 1 the IP address assigned to Ro...

Page 529: ...Master router and the current Master router returns to being a backup router Pre emption If the pre emption feature is enabled a Backup router that is acting as the Master can be pre empted by another Backup router that has a higher priority This can occur if you add a new Backup while the Owner is still available and new Backup router has a higher priority than the Backup router that is acting as...

Page 530: ... providing an open path for Host1 s traffic To take advantage of the track port feature make sure the track priorities are always lower than the VRRP priorities The default track priority for the router that owns the VRID IP address es is 2 The default track priority for Backup routers is 1 If you change the track port priorities make sure you assign a higher track priority to the Owner of the IP ...

Page 531: ...he highest priority becomes the Master If there is a tie for highest priority the router with the highest IP address becomes the Master The elected Master owns the virtual IP address and answers ping and ARP requests and so on Master and Backups VRRP The Owner of the IP address of the VRID is the default Master and has the highest priority 255 The precedence of the Backups is determined by their p...

Page 532: ... priorities configured on the Backups For example if the VRRP interface s priority is 100 and a tracked interface with track priority 20 goes down the software changes the VRRP interface s priority to 20 VRRPE reduces the priority of a VRRPE interface by the amount of a tracked interface s priority if the tracked interface s link goes down For example if the VRRPE interface s priority is 200 and a...

Page 533: ...estined to the Internet is sent through Router2 instead Similarly Router2 is the master for VRID 2 backup priority 110 and Router1 is the backup for VRID 2 backup priority 100 Router1 and Router2 are both tracking the uplinks to the Internet If an uplink failure occurs on Router2 its backup priority is decremented by 20 track priority 20 so that all traffic destined to the internet is sent through...

Page 534: ... a real IP address configured on the VRID interface on one of the VRRP routers This router is the IP address Owner and is the default Master VRRPE The virtual router IP address must be in the same subnet as a real IP address configured on the VRRPE interface but cannot be the same as a real IP address configured on the interface None page 460 page 462 VRID MAC address The source MAC address in VRR...

Page 535: ...rrently the active router for the VRID Suppression of these advertisements helps ensure that other routers do not receive invalid route paths for the VRID Disabled page 464 Hello interval The number of seconds between Hello messages from the Master to the Backups for a given VRID The interval can from 1 84 seconds One second page 464 Dead interval The number of seconds a Backup waits for a Hello m...

Page 536: ... this interface and VRID from the default 2 to a value from 1 254 Syntax ip address ip addr The IP address you assign to the Owner must be an IP address configured on an interface that belongs to the virtual router Refer to Configuration rules for VRRP on page 461 for additional requirements Configuring basic VRRP parameters To implement a simple VRRP configuration using all the default values ent...

Page 537: ...ed with the VRID by the Owner However the address cannot be the same Syntax router vrrp Syntax backup priority value track priority value The priority value parameter specifies the VRRP priority for this virtual router You can specify a value from 3 254 The default is 100 Enter a value of 3 254 for the track priority value parameter if you want VRRP to monitor the state of the interface The defaul...

Page 538: ...wever after you configure the virtual router you can use the backup command to change its priority or track priority You also can use the enable command to activate the configuration This command does the same thing as the activate command Configuration rules for VRRPE The interfaces of all routers in a virtual router must be in the same IP subnet The IP address assigned to the virtual router cann...

Page 539: ... on the interface If the interfaces use simple password authentication the virtual router configured on the interfaces must use the same authentication type and the same password To configure the interface on Router1 for simple password authentication using the password ourpword enter the following commands Configuring router 1 Router1 config inter e 1 6 Router1 config if e10000 1 6 ip vrrp auth t...

Page 540: ...that the Master router is dead At this point the Backup router with the highest priority becomes the new Master router The default Dead interval is three times the Hello Interval plus one half second Generally if you change the Hello interval you also should change the Dead interval on the Backup routers To change the Hello interval on the Master to 10 seconds enter the following commands Router1 ...

Page 541: ...owing BigIron RX config router vrrp BigIron RX config inter e 1 6 BigIron RX config if e10000 1 6 ip vrrp vrid 1 BigIron RX config if e10000 1 6 vrid 1 backup hello interval 180 Syntax no backup hello interval num The num parameter specifies the message interval and can be from 60 3600 seconds The default is 60 seconds The syntax is the same for VRRP and VRRPE Track port You can configure the virt...

Page 542: ...gher priority than another Backup that has become the Master can preempt the Master and take over the role of Master If you want to prevent this behavior disable preemption Preemption applies only to Backups and takes effect only when the Master has failed and a Backup has assumed ownership of the virtual router The feature prevents a Backup with a higher priority from taking over as Master from a...

Page 543: ...e status enabled mode owner priority 99 current priority 99 hello interval 1 sec ip address 192 53 5 1 backup routers 192 53 5 2 This example shows that even though this BigIron RX is the Owner of the virtual router mode owner the BigIron RX s priority for the virtual router is only 99 and the state is now backup instead of active In addition the administrative status is enabled To change the Mast...

Page 544: ...he total applies only to the protocol the BigIron RX is running For example if the BigIron RX is running VRRPE the total applies only to VRRPE routers Interface The interface on which VRRP or VRRPE is configured If VRRP or VRRPE is configured on multiple interfaces information for each interface is listed separately VRID The ID of the virtual router configured on this interface If multiple virtual...

Page 545: ...the virtual router Master This BigIron RX is the Master for the virtual router Master addr The IP address of the router interface that is currently the Master for the virtual router Backup addr The IP addresses of the router interfaces that are currently Backups for the virtual router VIP The virtual IP address that is being backed up by the virtual router TABLE 89 CLI display of VRRP or VRRPE sum...

Page 546: ...outer configured on this interface If multiple virtual routers are configured on the interface information for each virtual router is listed separately state This BigIron RX s VRRP or VRRPE state for the virtual router The state can be one of the following initialize The virtual router is not enabled activated If the state remains initialize after you activate the virtual router make sure that the...

Page 547: ...ween Hello messages from a Backup to the Master advertise backup The IP addresses of Backups that have advertised themselves to this BigIron RX by sending Hello messages NOTE Hello messages from Backups are disabled by default You must enable the Hello messages on the Backup for the Backup to advertise itself to the current Master Refer to Hello interval on page 464 dead interval The configured va...

Page 548: ...he Hello message resets the expiration timer An expired Backup does not necessarily affect the Master However if you have not disabled the advertise backup option on the Backup then the expiration may indicate a problem with the Backup NOTE This field applies only when Hello messages are enabled on the Backups using the advertise backup option next hello sent in time How long until the Backup send...

Page 549: ...ied port The ve num parameter specifies a virtual interface If you use this parameter the command displays VRRP information only for the specified virtual interface The statistics parameter displays statistics The received vrrp packets with checksum errors shows the number of packets that is contained in checksum errors The received vrrp packets with invalid version number shows the number of pack...

Page 550: ...ou are not duplicating the address NOTE When you configure a Backup router the router interface on which you are configuring the virtual router must have a real IP address that is in the same subnet as the address associated with the virtual router by the Owner However the address cannot be the same The priority parameter establishes the router s VRRP priority in relation to the other VRRP routers...

Page 551: ... if e10000 1 6 vrid 1 backup priority 110 track priority 20 Router1 config if e10000 1 6 vrid 1 track port ethernet 2 4 Router1 config if e10000 1 6 vrid 1 ip address 192 53 5 254 Router1 config if e10000 1 6 vrid 1 activate VRRP router 1 for this interface is activating Router1 config if e10000 1 6 vrid 1 exit Router1 config interface ethernet 1 6 Router1 config if e10000 1 6 ip vrrp extended vri...

Page 552: ... as the one associated with this virtual router on the Owner you are configuring the Backup to back up the address but you are not duplicating the address NOTE When you configure a Backup router the router interface on which you are configuring the virtual router must have a real IP address that is in the same subnet as the address associated with the virtual router by the Owner However the addres...

Page 553: ...precedence for forwarding These classes are determined by the following criteria in ascending order Configured port priority A priority can be set for all traffic that arrives at a port This is implemented through the interface configuration VLAN priority A priority can be set for a specified port based VLAN in the VLAN configuration Packet Source MAC address A priority can be set for a specified ...

Page 554: ...our queues designated as 0 to 3 The internal forwarding priority maps to one of these four queues as shown in Table 91 through Table 94 The mapping between the internal priority and the forwarding queue cannot be changed Table 91 through Table 94 show the default QoS mappings on the device which are used if the trust level for CoS or DSCP is enabled TABLE 91 Default QoS mappings columns 0 to 15 DS...

Page 555: ...rmining the internal priority when the trust level is DSCP Refer to Changing the DSCP internal forwarding priority mappings on page 484 TABLE 92 Default QoS mappings columns 16 to 31 DSCP value 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 802 1p COS Value 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 DSCP value 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Internal Forwarding Priority 2 2 2 2 2 2 2 2 3 3 3...

Page 556: ... by interface You can configure DSCP classification on an interface to set the DSCP value of every packet that arrives on the interface to a value that you configure After the packet s DSCP value has been set using this command it is subject to classification marking and scheduling operations that are configured To configure the 1 1 interface to set all packets that arrive on it to a DSCP value of...

Page 557: ...e following methods The priority applies to inbound traffic on ports in the VLAN To change the QoS priority of port based VLAN 20 to queue 3 enter the following commands BigIron RX config vlan 20 BigIron RX config vlan 20 priority 7 Syntax no priority num The num parameter can be from 0 7 and specifies the priority level equivalent to one of the four QoS queues Assigning static MAC address entries...

Page 558: ... or DSCP priority To set the trust level for an interface to dscp enter the following command at the configuration level for the interface BigIron RX config if e1000 1 1 qos tos trust dscp Syntax no qos tos trust cos dscp The cos dscp parameter specifies the trust level cos The device uses the 802 1p CoS priority value in the packet s Ethernet frame header to determine the packet s internal forwar...

Page 559: ...nging the CoS DSCP mappings The CoS DSCP mappings are used if the trust level is CoS and DSCP marking is enabled To change the CoS DSCP mappings enter commands such as the following at the global CONFIG level of the CLI BigIron RX config qos tos map cos dscp 0 33 25 49 17 7 55 41 BigIron RX config ip rebind acl all This command configures the mappings displayed in the COS DSCP map portion of the Q...

Page 560: ...ap dscp priority 48 to 3 BigIron RX config qos tos map dscp priority 56 to 6 These commands configure the mappings displayed in the DSCP to forwarding priority portion of the QoS information display To read this part of the display select the first part of the DSCP value from the d1 column and select the second part of the DSCP value from the d2 row For example to read the DSCP to forwarding prior...

Page 561: ... select the first part of the CoS value from the d1 column and select the second part of the CoS value from the d2 row For example to read the CoS to forwarding priority mapping for CoS value 24 select 2 from the d1 column and select 4 from the d2 row The mappings that are changed by the command above are shown below in bold type BigIron RX config if e10000 1 1 show qos tos portions of table omitt...

Page 562: ...oS Mark Trust Level 1 2 Yes Layer 2 CoS ve1 No Layer 2 CoS ve4 No Layer 2 CoS ve5 No Layer 2 CoS ve20 No Layer 2 CoS COS DSCP map COS 0 1 2 3 4 5 6 7 dscp 0 8 16 24 32 40 48 56 DSCP Priority map dscp d1d2 d2 0 1 2 3 4 5 6 7 8 9 d1 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 6 6 5 6 6 6 6 6 6 7 7 7 7 6 7 7 7 7 DSCP DSCP map dscp d1d2 d2 ...

Page 563: ...that cause the queue to grow beyond this point are unconditionally dropped This variable is user configured Min Average Q Size The average queue size below which all packets are accepted This variable is user configured Max Average Q Size The average queue size above which all packets are dropped This variable is user configured Pmax The maximum drop probability when queue size is at Max Average Q...

Page 564: ...tion graph Calculating avg q size The algorithm first calculates the avg q size through the following equation avg q size 1 Wq Statistical Average Q Size Wq Current Q Size The Wq value is instrumental to the calculation and can be equal to the statistical average queue size Wq 0 or equal to the current queue size Wq 1 or be between 0 and 1 0 Wq 1 Lower Wq values cause the avg q size to lean toward...

Page 565: ... parameters described in that section to enable the use of WRED on a device To configure WRED you must configure the following parameters Enabling WRED Setting the averaging weight Wq parameter Configuring the drop precedence parameters Enabling WRED WRED must be enabled on any forwarding queue that you want it to operate on To enable WRED for the forwarding queue 3 enter the following command Big...

Page 566: ... Configuring the drop precedence parameters The DSCP TOS bits in packets are used to prioritize packet delivery for specified queue types These values are from 0 to 3 Packets with a DSCP TOS value of 0 are least likely to be dropped and packets with a DSCP TOS of 3 are most likely to be dropped In addition the maximum drop probability the minimum and maximum average queue size and the maximum pack...

Page 567: ... to grow beyond this setting are unconditionally dropped To set the maximum instantaneous queue size for queues with a queue type of 1 to 32000 use the following command BigIron RX config qos queue type 1 max queue size 32 Syntax no qos queue type queue number max queue size max queue The queue type variable is the number of the forwarding queue type that you want to configure the instantaneous qu...

Page 568: ...ity max 20 Syntax no qos queue type queue type wred drop precedence drop precedence value drop probability max p max The queue type variable is the number of the forwarding queue type that you want to configure drop precedence for There are eight forwarding queue types on BigIron RX Routers They are numbered 0 to 3 The drop precedence value variable for the drop precedence parameter is the TOS DSC...

Page 569: ...24 16384 2 1024 0 2 1 304 1024 16384 4 2 256 1024 16384 9 3 204 1024 16384 10 1 0 356 1024 16384 2 1024 0 2 1 304 1024 16384 4 2 256 1024 16384 9 3 204 1024 16384 10 2 0 408 1024 16384 2 1024 0 2 1 356 1024 16384 4 2 304 1024 16384 9 3 256 1024 16384 9 3 0 408 1024 16384 2 1024 0 2 1 356 1024 16384 4 2 304 1024 16384 9 3 256 1024 16384 9 BigIron RX show qos wred QType Enable AverWt MaxQSz DropPrec...

Page 570: ...ased scheduling With WFQ source based scheduling enabled some weight based bandwidth is allocated to all queues With this scheme the configured weight distribution from an input port is guaranteed allocation in relationship to the configured weight distribution However because multiple input ports can aggregate traffic to a single output port the traffic egressing a single port may not equal the c...

Page 571: ...minimum bandwidth allocated to lower priority traffic rate in Kbps for forwarding queue 1 The Queue2 rate variable defines the minimum bandwidth allocated to lower priority traffic rate in Kbps for forwarding queue 2 Calculating the values for WFQ source and destination based traffic scheduling Weighted Fair Queueing WFQ scheduling is configured to be a percentage of available bandwidth using the ...

Page 572: ...d traffic scheduling for information on assigning queue0 weight to queue3 weight values Configuring WFQ source based traffic scheduling To configure WFQ source based scheduling use a command such as the following BigIron RX config interface ethernet 1 1 BigIron RX config if e1000 1 1 qos scheduler source weighted 25 25 25 25 Syntax qos scheduler source weighted Queue0 weight Queue1 weight Queue2 w...

Page 573: ...um rate based traffic scheduling To configure minimum rate based scheduling use a command such as the following BigIron RX config interface ethernet 1 1 BigIron RX config if e1000 1 1 qos min rate 100 100 100 100 Syntax qos scheduler min rate Queue0 rate Queue1 rate Queue2 rate Queue3 rate The Queue0 rate variable defines the minimum bandwidth allocated to forwarding queue 0 in Kbps The Queue1 rat...

Page 574: ...l protocol multicast broadcast and unknown unicast flooded traffic that prior to inclusion of the command there was a potential for this traffic to starve other traffic from accessing an egress queue The limiting on a per traffic manager basis to 1 8 Gbps was best for the majority of environments Some high intensity multicast environments may need to increase this value to better match their netwo...

Page 575: ...in Kbps The minimum configurable rate is 10 Mbps Displaying the multicast traffic engineering configuration To view multicast traffic engineering configurations use the following command BigIron RX show qos multicast Port Best Effort Bandwidth Kbps 13 1 140000 13 2 140000 13 3 140000 13 4 140000 13 5 140000 13 6 140000 13 7 140000 13 8 140000 13 9 140000 13 10 140000 13 11 140000 13 12 140000 13 1...

Page 576: ...will have the following QOS profiles 1 TCx low priority DP1 2 TCx low priority DP0 3 TCx high priority DP1 4 TCx high priority DP0 Table 98 represents the QOS profiles required for the ingress direction TABLE 98 QOS profile table Index TC DP Associated port Network Port 1 0 QOS profile 0 0 1 0 or 4 Low priority TC DP1 default 1 1 1 1 or 5 Low priority TC DP1 default 2 2 1 2 or 6 Low priority TC DP...

Page 577: ... of w x the calculated weight as a percentage of the port s total bandwidth For example if you assign the following values to weight 0 to 7 BigIron RX config if e10000 4 1 qos rcv scheduler wfq 1 5 1 5 1 5 1 5 Weight 0 1 Weight 1 5 Weight 2 1 Weight 3 5 Weight 4 1 Weight 5 5 Weight 6 1 and Weight 7 5 To determine the weight of w3 5 Weight of w3 1 5 1 5 1 5 1 5 The weight of w3 is 20 8 Consequently...

Page 578: ...dard extended named and numbered egress ACLs Refer to Chapter 21 Access Control List for additional information Configuring QoS for the 16 x 10G module New CLI commands have been added to allow alternating between server and storage modes on the 10 x 16GE module The new commands are part of the qos group and configured at the interface level Configuration steps 1 To set the group port 1 weight low...

Page 579: ...r wfq 1 2 1 2 1 6 To set the group port 3 weight high prioriy traffic BigIron RX config if e10000 4 1 qos rcv scheduler wfq 1 2 1 2 1 2 NOTE The configurations for group port 3 will now be associated to s 3 s 7 s 11 s 15 7 To set the group port 4 weight low prioriy traffic BigIron RX config if e10000 4 1 qos rcv scheduler wfq 1 2 1 2 1 2 1 8 To set the group port 4 weight high prioriy traffic BigI...

Page 580: ...504 BigIron RX Series Configuration Guide 53 1002253 01 Configuring multicast traffic engineering 18 ...

Page 581: ...se policies can be applied to inbound and outbound traffic Port and VLAN based Limits the rate of packets tagged with a specific VLAN on an individual physical port Only one rate can be specified for each VLAN VLAN group based Limits the traffic for a group of VLANs Members of a VLAN group share the specified bandwidth defined in the rate limiting policy that has been applied to that group You can...

Page 582: ...by the amount of credit accumulated and the rate of traffic passing through the port The maximum burst rate cannot be smaller than 65536 bits Actual rate The device determines actual rate limiting rates through the use of proprietary formulas built into the packet processor hardware The resulting rate that is the closest to the requested rate This leads to variable rate limiting granularities for ...

Page 583: ... can be applied on a physical port For example you cannot apply inbound port and ACL based and inbound port based rate limiting policies on the same port Outbound port based rate limiting policy can be combined with any type of inbound rate limiting policy Any VLAN based rate limiting can limit only tagged packets that match the VLAN ID specified in the policy Untagged packets are not subject to r...

Page 584: ... on port 1 1 The policy requests to limit the rate on all outbound traffic to 500 Mbps with a maximum burst size of 750 Mbps The device adjusts the requested rate to 499639656 bits per second Syntax no rate limit input output requested rate maximum burst Input applies rate limiting to inbound traffic on the port Input can be abbreviated as in Output applies rate limiting to outbound traffic on the...

Page 585: ...rding queues 0 and 1 on the port with a maximum burst size of 750 Mbits The device adjusts the requested rate to 499639656 bits per second Syntax no rate limit input priority num requested rate maximum burst The priority num parameter specifies the 802 1p priority levels 0 7 equivalent to one of the four QoS queues For information on the priority level and the corresponding queue refer to Assignin...

Page 586: ...xit The commands assign VLANs 3 5 6 and 7 to rate limiting VLAN group 10 Syntax no rl vlan group vlan group number Syntax no vlan vlan number to vlan number The rl vlan group command defines a rate limiting VLAN group and takes you to the VLAN group rate limiting configuration level vlan group number specifies the VLAN group that you want to create The vlan command assigns VLANs to the rate limiti...

Page 587: ...lled by the same packet processor A VLAN can be member of multiple rate limit VLAN groups but two groups with common members cannot be applied on ports controlled by the same packet processor VLAN based rate limiting and VLAN groups based rate limiting policies can be applied on the same ports or ports controlled by the same packet processor as long as there are no common VLANs in the policies Con...

Page 588: ...access group ACL name requested rate maximum burst The access group number parameter or the named access group acl name specifies the ACL used in the policy For information on the other parameters refer to Configuring a port based rate limiting policy on page 508 For information on the number of ACL based rate limiting policies that can be configured refer to the Configuration considerations on pa...

Page 589: ...ort enter a command such as the following BigIron RX config multicast rate limit 1000000 1 np 2 2 Syntax no multicast rate limit avg rate max burst np slot port all To enable Broadcast rate limiting on a specific port enter a command such as the following BigIron RX config broadcast rate limit 1000000 1 np 3 2 Syntax no broadcast rate limit avg rate max burst np slot port all To enable unknown uni...

Page 590: ...mber parameter indicates the rate limiting VLAN group for which the rate limiting policy is created interface slot port displays the rate limiting policy for a particular interface BigIron RX config show rate limit interface e 1 1 rate limit input 499321856 750000000 interface e 1 3 rate limit input vlan id 10 499321856 750000000 rate limit input vlan id 20 97523712 200000000 BigIron RX config sho...

Page 591: ...BigIron RX Series Configuration Guide 515 53 1002253 01 Displaying traffic reduction 19 ...

Page 592: ...516 BigIron RX Series Configuration Guide 53 1002253 01 Displaying traffic reduction 19 ...

Page 593: ...M space by configuring only the Layer 2 ACLs needed For instance to filter only IPV4 Len 5 traffic specify that particular etype This results in one CAM entry Configuration examples are provided in the section Configuring Layer 2 ACLs on page 518 You can configure Layer 2 ACLs to use the etype argument to filter on the following etypes IPv4 Len 5 Etype 0x0800 IPv4 HeaderLen 20 bytes ARP Etype 0x08...

Page 594: ...ffic not matched by the previous clauses NOTE Use precaution when placing entries within the ACL table The Layer 2 ACL feature does not attempt to resolve conflicts and assumes you know what you are doing Creating a Layer 2 ACL table You create a Layer 2 ACL table by defining a Layer 2 ACL clause To create a Layer 2 ACL table enter commands clauses such as the following at the Global CONFIG level ...

Page 595: ... a Layer 2 ACL all traffic matching the clause is sent to the CPU for processing and traffic is denied by the CPU The CPU creates a log entry for the first packet that is denied and once every 10 seconds thereafter The logging mechanism includes sending SNMP traps and log messages to the Syslog servers and writing the log entry to the log buffer on the device In addition if specified with a permit...

Page 596: ... to bind to the interface Increasing the maximum number of clauses per Layer 2 ACL table You can increase the maximum number of clauses configurable within a Layer 2 ACL table You can specify a maximum of 256 clauses per table The default value is 64 clauses per table To increase the maximum number of clauses per Layer 2 ACL table enter a command such as the following at the Global CONFIG level of...

Page 597: ...fff ffff ffff 0011 2233 4455 ffff ffff ffff BigIron RX config access list 401 permit any any Using the mask you can make the access list apply to a range of addresses For instance if you changed the mask in the previous example from 0012 3456 7890 to ffff ffff fff0 all hosts with addresses from 0012 3456 7890 to 0012 3456 789f would be blocked This configuration for this example is shown in the fo...

Page 598: ...522 BigIron RX Series Configuration Guide 53 1002253 01 Viewing Layer 2 ACLs 20 ...

Page 599: ...ted The device uses these CAM entries to permit or deny packets in the hardware without sending the packets to the CPU for processing General configuration guidelines ACLs are supported on physical interfaces trunk groups and virtual routing interfaces ACLs are supported only for inbound traffic An error message is displayed if you apply an ACL to an outbound interface You can create up to 416 CAM...

Page 600: ...be disabled Default ACL action The default action when no ACLs are configured on a BigIron RX is to permit all traffic However once you configure an ACL and apply it to a port the default action for that port is to deny all traffic that is not explicitly permitted on the port To control access more tightly configure ACLs consisting of permit entries for the access you want to permit The ACLs impli...

Page 601: ...nfigure is a system wide parameter and depends on the BigIron RX you are configuring You can configure up to the maximum number of entries in any combination in different ACLs The total number of entries in all ACLs cannot exceed the system maximum You configure ACLs on a global basis then apply them to the incoming traffic on specific ports You can apply only one ACL to a port s inbound traffic T...

Page 602: ...based Inbound Mirroring For Example where ports 4 1 and 4 2 belong to the same PPCR the following configuration that configures them with different destination ACL mirror ports will fail and generate an error message as shown BigIron RX config interface ethernet 4 1 BigIron RX config if e10000 4 1 acl mirror port ethernet 6 1 BigIron RX config if e10000 4 1 interface ethernet 4 2 BigIron RX config...

Page 603: ...mirror port ethernet 1 3 You can also use the ACL mirroring feature to mirror traffic from multiple ports to a single port using the Multiple Interface Configuration MIF mode as shown in the following example BigIron RX config interface ethernet 1 1 to 1 2 BigIron RX config mif e10000 1 1 1 2 acl mirror port ethernet 1 3 Syntax no acl mirror port ethernet slot port The slot port variable specifies...

Page 604: ...nfigured on port 2 1 please remove it and try again Trunk transaction failed Trunk Config Vetoed Deleting a trunk with ACL based Mirroring Configured When a trunk is deleted the ACL based Mirroring configuration is propagated to the individual ports that made up the trunk Example If the trunk is configured as shown BigIron RX config trunk switch ethernet 4 1 to 4 2 BigIron RX config trunk 4 1 4 2 ...

Page 605: ...ng to VLAN 10 traffic arriving on port 4 3 you must add the following command to the configuration BigIron RX config interface ethernet 4 3 BigIron RX config if e10000 4 3 acl mirror port ethernet 5 1 Configuring numbered and named ACLs When you configure ACLs you can refer to the ACL by a numeric ID or by an alphanumeric name except for super ACLs which must be assigned numeric IDs The commands t...

Page 606: ...num deny permit source ip hostname wildcard log or Syntax no access list num deny permit source ip mask bits hostname log Syntax no access list num deny permit host source ip hostname log Syntax no access list num deny permit any log Syntax no ip access group num in The 16 x 10 GE module only supports the following standard ACLs Syntax no ip access list num deny permit ip protocol source ip hostna...

Page 607: ...he CLI automatically converts the CIDR number into the appropriate ACL mask where zeros instead of ones are the significant bits and changes the non significant portion of the IP address into zeros For example if you specify 209 157 22 26 24 or 209 157 22 26 0 0 0 255 then save the changes to the startup config file the value appears as 209 157 22 0 24 if you have enabled display of subnet lengths...

Page 608: ... not thus configured The first entry permits ICMP traffic from hosts in the 209 157 22 x network to hosts in the 209 157 21 x network The second entry denies IGMP traffic from the host device named rkwong to the 209 157 21 x network The third entry denies IGRP traffic from the 209 157 21 x network to the host device named rkwong The fourth entry denies all IP traffic from host 209 157 21 100to hos...

Page 609: ...o which you assign the ACL The following commands apply ACL 103 to the incoming and outgoing traffic on ports 2 1 and 2 2 Extended ACL syntax This section presents the syntax for creating an extended ACL and for binding the ACL to an interface Use the ip access group command in the interface level to bind the ACL to an interface Syntax no access list num deny permit ip protocol source ip hostname ...

Page 610: ...shed precedence name num General parameters for extended ACLs The following parameters apply to any extended ACL you are creating num Enter 100 199 for a super ACL deny permit Enter deny if the packets that match the policy are to be dropped permit if they are to be forwarded any log Add this parameter to the end of an ACL statement to enable the generation of SNMP traps and Syslog messages for pa...

Page 611: ...startup config files but are shown with subnet mask in the display produced by the show access list command dst mac dst mac mask Specify the destination MAC host for the policy If you want the policy to match on all destination addresses enter any fragment Enter this keyword if you want to filter fragmented packets Refer to Enabling ACL filtering of fragmented or non fragmented packets on page 568...

Page 612: ... to apply the policy to all ports between and including 23 Telnet and 53 DNS enter the following range 23 53 The first port number in the range must be lower than the last number in the range established This operator applies only to TCP packets If you use this operator the policy applies to TCP packets that have the ACK Acknowledgment or RST Reset bits set on set to 1 in the Control Bits field of...

Page 613: ...ield of the packet s header You can specify one of the following name or number critical or 5 The ACL matches packets that have the critical precedence If you specify the option number instead of the name specify number 5 flash or 3 The ACL matches packets that have the flash precedence If you specify the option number instead of the name specify number 3 flash override or 4 The ACL matches packet...

Page 614: ...imum reliability ToS The decimal value for this option is 2 max throughput or 4 The ACL matches packets that have the maximum throughput ToS The decimal value for this option is 4 min delay or 8 The ACL matches packets that have the minimum delay ToS The decimal value for this option is 8 normal or 0 The ACL matches packets that have the normal ToS The decimal value for this option is 0 num A numb...

Page 615: ... COS value 2 DSCP value 15 Internal Forwarding Priority 6 For more information on QoS and internal forwarding queues refer to Chapter 18 Configuring Quality of Service Parameters to bind standard ACLs to an interface Use the ip access group command to bind the ACL to an interface and enter the ACL number for num Configuring standard or extended named ACLs The commands for configuring named ACL ent...

Page 616: ... Syntax no ip access list standard string num deny permit source ip hostname wildcard log or Syntax no ip access list standard string num deny permit source ip mask bits hostname log Syntax no ip access list standard string num deny permit host source ip hostname log Syntax no ip access list standard string num deny permit any log Syntax no ip access group num in The standard parameter indicates t...

Page 617: ...ostname wildcard operator source tcp udp port destination ip hostname wildcard operator destination tcp udp port match all tcp flags match any tcp flags icmp type established precedence name num tos number dscp matching number 802 1p priority matching number dscp marking number 802 1p priority marking number internal priority marking number dscp marking number dscp cos mapping dscp cos mapping fra...

Page 618: ...ord value pairs Each keyword value pair called a match item specifies a field in the packet header L2 L3 or L4 to be checked and gives the allowable value for this field Fields not specified are called don t care fields and are considered to be matched The match items may be specified in any order with one exception because of its variable length tcp flags must be specified as the last item in a f...

Page 619: ...eral parameters for super ACLs The following parameters apply to super ACLs num The ACL ID Enter 500 599 for super ACLs deny permit Enter deny if the packets that match the policy are to be dropped permit if they are to be forwarded any Matches any packet log Enables logging for denied packets ACL logging is disabled by default it must be explicitly enabled on a port NOTE Logging is not currently ...

Page 620: ...rameter 1 99 for standard ACLs 100 199 for extended ACLs 500 599 for super ACLs Enter all to display all of the ACLs configured on the device Named ACL For a named ACL enter a command such as the following sp Enables packet matching based on specified source TCP UDP port dp Enables packet matching based on specified destination TCP UDP port icmp detail Enables packet matching based on ICMP informa...

Page 621: ...e well known port name BigIron RX config ip show acl service number Syntax no ip show acl service number By default the device displays TCP UDP application information in named notation The following table lists the ports by number and well known name TABLE 102 TCP UDP port numbers and names Port service number Port name Description 1 tcpmux TCP Port Service Multiplexer 2 compressnt 2 Management U...

Page 622: ...XNS Clearinghouse 55 isi gl ISI Graphics Language 56 xns auth XNS Authentication 58 xns mail XNS Mail 61 ni mail NI MAIL 62 acas ACA Services 64 covia Communications Integrator CI 65 tacacs ds TACACS Database Service 66 sql net Oracle SQL NET 70 gopher Gopher 71 netrjs 1 Remote Job Service 72 netrjs 2 Remote Job Service 73 netrjs 3 Remote Job Service 74 netrjs 4 Remote Job Service 76 deos Distribu...

Page 623: ... Name Server 102 iso tsap ISO TSAP Class 0 103 gppitnp Genesis Point to Point Trans Net 104 acr nema ACR NEMA Digital Imag Comm 300 105 csnet ns Mailbox Name Nameserver 106 3com tsmux 3COM TSMUX 107 rtelnet Remote Telnet Service 108 snagas SNA Gateway Access Server 109 pop2 Post Office Protocol Version 2 110 pop3 Post Office Protocol Version 3 111 sunrpc SUN Remote Procedure Call 112 mcidas McIDAS...

Page 624: ...rvice 135 loc srv DCE endpoint resolution 136 profile PROFILE Naming System 139 netbios ssn NETBIOS Session Service 140 emfis data EMFIS Data Service 141 emfis cntl EMFIS Control Service 142 bl idm Britton Lee IDM 143 imap4 Internet Message Access Protocol 144 news NEWS 145 uaac UAAC Protocol 146 iso tp0 ISO IP0 147 iso ip ISO IP 148 cronus CRONUS SUPPORT 149 aed 512 AED 512 Emulation Service 150 ...

Page 625: ...lay Manager Control Protocol 178 nextstep NextStep Window Server 179 bgp Border Gateway Protocol 180 ris Intergraph 181 unify Unify 182 audit Unisys Audit SITP 183 ocbinder OCBinder 184 ocserver OCServer 185 remote kis Remote KIS 186 kis KIS Protocol 187 aci Application Communication Interface 188 mumps Plus Five s MUMPS 189 qft Queued File Transport 190 gacp Gateway Access Control Protocol 191 pr...

Page 626: ...Transfer Protocol 210 z39 50 ANSI Z39 50 211 914c g Texas Instruments 914C G Terminal 212 anet ATEXSSTR 213 ipx IPX 214 vmpwscs VM PWSCS 215 softpc Insignia Solutions 216 atls Access Technology 217 dbase dBASE Unix 218 mpp Netix Message Posting Protocol 219 uarps Unisys ARPs 220 imap3 Interactive Mail Access Protocol v3 221 fln spx Berkeley rlogind with SPX auth 222 rsh spx Berkeley rshd with SPX ...

Page 627: ...larm manager 384 arns A Remote Network Server System 385 ibm app IBM Application 386 asa ASA Message Router Object Def 387 aurp Appletalk Update Based Routing Protocol 388 unidata ldm Unidata LDM 389 ldap Lightweight Directory Access Protocol 390 uis UIS 391 synotics relay SynOptics SNMP Relay Port 392 synotics broker SynOptics Port Broker Port 393 dis Meta5 394 embl ndt EMBL Nucleic Data Transfer...

Page 628: ...ilverplatter 417 onmux Onmux 418 hyper g Hyper G 419 ariel1 Ariel 1 420 smpte SMPTE 421 ariel2 Ariel 2 422 ariel3 Ariel 3 423 opc job start IBM Operations Planning and Control Start 424 opc job track IBM Operations Planning and Control Track 425 icad el ICAD 426 smartsdp smartsdp 427 svrloc Server Location 428 ocs_cmu OCS_CMU 429 ocs_amu OCS_AMU 430 utmpsd UTMPSD 431 utmpcd UTMPCD 432 iasd IASD 43...

Page 629: ...lnet 514 cmd cmd 515 printer spooler 518 ntalk ntalk 519 utime inixtime 525 timed timeserver 526 tempo newdate 530 courier rpc 531 conference chat 532 netnews readnews 533 netwall for emergency broadcast 539 apertus ldp Apertus Technologies Load Determination 540 uucp uucpd 541 uucp rlogin uucp rlogin 543 klogin klogin 544 kshell krcmd 550 new rwho new who 554 rtsp Real Time Stream Control Protoco...

Page 630: ...e Handler 729 netviewdm1 IBM Netview DM 6000 Service Handler 730 netviewdm2 IBM Netview DM 6000 send tcp 731 netviewdm3 IBM Netview DM 6000 Server Client 741 netgw netrgw 742 netrcs Network based Rev Cont Sys 744 flexlm Flexible License Manager 747 fujitsu dev Fujitsu License Manager 748 ris cm Russell Info SCI Calender Manager 749 kerberos adm kerberos administration 750 rfile remote file 751 pum...

Page 631: ...n hardware no other Syslog message is written for any denied packet during this time Once this wait time expires a Syslog message is written if the device receives another packet that matches the deny condition and the whole cycle is repeated NOTE BigIron RX does not support permit logging 765 webster webster 767 phonebook phone 769 vid VID 770 cadlock 770 CADLOCK 770 771 rtip rtip 772 cycleserv2 ...

Page 632: ... access group enable deny logging Syntax ip access group enable deny logging Specifying the wait time You can specify how long the system waits before it sends a message in the Syslog by entering a command such as the following BigIron RX config ip access list logging age 2 Syntax ip access list logging age minutes Enter 1 10 minutes The default is 5 minutes Modifying ACLs When you configure any A...

Page 633: ...ver 2 Optionally clear the ACL entries from the ACLs you are changing by placing commands such as the following at the top of the file BigIron RX config no access list 1 BigIron RX config no access list 101 When you load the ACL list into the device the software adds the ACL entries in the file after any entries that already exist in the same ACLs Thus if you intend to entirely replace an ACL you ...

Page 634: ...show access list 99 Standard IP access list 99 deny host 1 2 4 5 permit host 5 6 7 8 2 To add the comment Permit all users to the second entry in the list enter a command such as the following BigIron RX config access list 99 remark Permit all users 3 Enter the filter permit any For example BigIron RX config std nacl permit any 4 Enter a show access list command displays the following BigIron RX c...

Page 635: ...entry BigIron RX config show access list name entry Standard IP access list 99 deny host 1 2 4 5 2 Add a new entry with a remark to this named ACL by entering commands such as the following BigIron RX config ip access list standard entry BigIron RX config std nacl remark Deny traffic from Marketing BigIron RX config std nacl deny 5 6 7 8 3 Enter a show access list command to display the new ACL en...

Page 636: ...config ip access list standard entry BigIron RX config std nacl no remark Deny traffic from Marketing Syntax no remark string Deleting ACL entries Newly created ACL entries are appended to the end of the ACL list Since ACL entries are applied to data packets in the order they appear in a list you need to create ACLs in the order you want them applied If you want to delete an ACL entry from within ...

Page 637: ...y Standard IP access list entry deny host 1 2 4 5 deny host 10 1 1 1 deny host 5 6 7 8 permit any 2 To delete the second ACL entry from the list enter a command such as the following BigIron RX config ip access list standard entry BigIron RX config std nacl no deny host 10 1 1 1 3 Enter the show access list name entry command to display the updated list BigIron RX config ip show access entry all S...

Page 638: ...here the ACL was bound without using the ip rebind acl command NOTE Brocade recommends that this feature only be used when a small number of ACL filters are configured otherwise a delay may be observed Enter commands such as the following to enable ACL automatic rebind BigIron RX config auto acl rebind Syntax no auto acl rebind Manually setting the ACL rebind To reapply ACLs following an ACL confi...

Page 639: ... Finally the last two commands apply ACL 1 to a subset of the ports associated with virtual interface 1 Syntax no ip access group num in ethernet slot portnum slot portnum to slot portnum NOTE The timer for logging packets denied by Layer 2 filters is separate Configuring the Layer 4 session log timer You can configure the Layer 4 session log timer which tracks packets explicitly denied by an ACL ...

Page 640: ...port VLAN membership and so on This method is described in Assigning QoS priorities to traffic on page 466 Enabling the IP ToS based QoS feature described in Configuring ToS based QoS on page 468 NOTE If you use an ACL on an interface ToS based QoS assumes that the ACL will perform QoS for all packets except the packets that match the permit ip any any ACL For a list of supported QoS ACL options r...

Page 641: ...unting does not tabulate nor display the number of Implicit denials by an ACL The counters that are displayed on the ACL accounting report are 1s Number of hits during the last second This counter is updated every second 1m Number of hits during the last minute This counter is updated every one minute 5m Number of hits during the last five minutes This counter is updated every five minutes ac Accu...

Page 642: ...its from incoming traffic processed by all ACL entries filters in the ACL A number is shown for each counter The Total In Hit displays the total number of hits for all the ACL entries or filters in an ACL For example if an ACL has five entries and each entry processed matching conditions three times during the last minute then the total Hits for the 1m counter is 15 BigIron RX config show access l...

Page 643: ...n RX config clear access list all Syntax clear access list all ethernet slot port ve ve num Enter all to clear all statistics for all ACLs Use ethernet slot port to clear statistics for ACLs a physical port Use ve ve number to clear statistics for all ACLs bound to ports that are members of a virtual routing interface This field Displays The IP multicast traffic snooping state The first line of th...

Page 644: ...omplete syntax for extended ACLs Refer to Super ACL syntax on page 542 for the complete syntax for super ACLs Named ACLs BigIron RX config ip access list extended entry deny ip any any fragment BigIron RX config int eth 1 1 BigIron RX config if e10000 1 1 ip access group entry in BigIron RX config write memory The first line in the example defines ACL entry to deny any fragmented packets Other pac...

Page 645: ...ure does not apply to ACLs applied to outbound traffic To enable filtering of traffic switched within a virtual routing interface enter the following command at the configuration level for the interface BigIron RX config vif 1 ip access group ve traffic in Syntax no ip access group ve traffic in ICMP filtering for extended ACLs Extended ACL policies can be created to filter traffic based on its IC...

Page 646: ...ame in quotation marks for example ACL for Net1 The acl num parameter allows you to specify an ACL number if you prefer If you specify a number enter a number from 100 199 for extended ACLs The deny permit parameter indicates whether packets that match the policy are dropped or forwarded You can either use the icmp type and enter the name of the message type or use the type number code number para...

Page 647: ... log mask reply 18 0 mask request 17 0 net redirect 5 0 net tos redirect 5 2 net tos unreachable 3 11 net unreachable 3 0 packet too big 3 4 parameter problem NOTE This message includes all parameter problems 12 0 port unreachable 3 3 precedence cutoff 3 15 protocol unreachable 3 2 reassembly timeout 11 1 redirect NOTE This includes all redirects 5 x router advertisement 9 0 router solicitation 10...

Page 648: ...Ls 21 To determine whether the issue is specific to fragmentation remove the Layer 4 information TCP or UDP application ports from the ACL then reapply the ACL If you are using another feature that requires ACLs use the same ACL entries for filtering and for the other feature ...

Page 649: ...ly PBR on a port if that port already has ACLs ACL based rate limiting or TOS based QoS The number of route maps that you can define is limited by the system memory When a route map is used in a PBR policy the PBR policy uses up to 6 instances of a route map up to 6 ACLs in a matching policy of each route map instance and up to 6 next hops in a set policy of each route map instance ACLs with the l...

Page 650: ...the following BigIron RX config access list 99 permit 209 157 23 0 0 0 0 255 The command in this example configures a standard ACL that permits traffic from subnet 209 157 23 0 24 After you configure a route map that matches based on this ACL the software uses the route map to set route attributes for the traffic thus enforcing PBR NOTE Do not use an access group to apply the ACL to an interface I...

Page 651: ...e changes to the startup config file the value appears as 209 157 22 0 24 if you have enabled display of subnet lengths or 209 157 22 0 0 0 0 255 in the startup config file If you enable the software to display IP subnet masks in CIDR format the mask is saved in the file in mask bits format To enable the software to display the CIDR masks enter the ip show subnet length command at the global CONFI...

Page 652: ...plies the match and set statements associated with this route map instance The num parameter specifies the instance of the route map you are defining Routes are compared to the instances in ascending numerical order For example a route is compared to instance 1 then instance 2 and so on PBR uses up to 6 route map instances for comparison and ignore the rest Syntax no match ip address ACL num or na...

Page 653: ...ng commands configure and apply a PBR policy that routes HTTP traffic received on virtual routing interface 1 from the 10 10 10 x 24 network to 5 5 5 x 24 through next hop IP address 1 1 1 1 24 or if 1 1 1 x is unavailable through 2 2 2 1 24 Syntax no route map map name permit l deny num route map Syntax no set ip next hop ip addr This command sets the next hop IP address for traffic that matches ...

Page 654: ...outemap test route set ip next hop 192 168 2 1 BigIron RX config routemap test route exit The following commands configure the second entry in the route map This entry permit 51 matches on the IP address information in ACL 51 above For IP traffic from subnet 209 157 24 0 24 this route map entry sets the next hop IP address to 192 168 2 2 BigIron RX config route map test route permit 51 BigIron RX ...

Page 655: ...n RX config routemap file 13 exit The following command enables PBR by globally applying the route map to all interfaces BigIron RX config ip policy route map file 13 Alternatively you can enable the PBR on specific interfaces as shown in the following example The commands in this example configure IP addresses in the source subnet identified in ACL 56 then apply route map file 13 to the interface...

Page 656: ...580 BigIron RX Series Configuration Guide 53 1002253 01 Trunk formation 22 ...

Page 657: ...can hold up to 1535 IPv4 multicast entries NOTE Each of the multicast protocols uses IGMP IGMP is automatically enabled on an interface when you configure PIM or DVMRP on an interface and is disabled on the interface if you disable PIM or DVMRP on the interface The following are commonly used terms in discussing multicast capable routers These terms are used throughout this chapter Multicast terms...

Page 658: ...arameter specifies the maximum number of multicast cache entries for DVMRP Enter a number from 128 2048 The default is 512 Defining the maximum number of PIM cache entries The PIM cache system parameter defines the maximum number of repeated PIM traffic being sent from the same source address and being received by the same destination address To define this maximum enter a command such as the foll...

Page 659: ...g multicast boundaries To define boundaries for PIM enabled interfaces enter a commands such as the following BigIron RX config interface ve 40 BigIron RX config vif 40 ip multicast boundary MyBrocadeAccessList Syntax no ip multicast boundary acl spec port list Use the acl spec parameter to define the number or name identifying an access list that controls the range of group addresses affected by ...

Page 660: ...registration with RP or If non directly connected source passed source RPF check In PIM DM The route has no OIF and passed source RPF check and Router has no downstream PIM neighbor If the OIF is inserted after the hardware drop entries are installed the hardware entries will be updated to include the OIFs NOTE Disabling hardware drop does not immediately take away existing hardware drop entries t...

Page 661: ...parameters you must first enable IP multicast routing by entering the following CLI command at the global CLI level BigIron RX config ip multicast routing Syntax no ip multicast routing NOTE You must enter the ip multicast routing command before changing the global IP Multicast parameters Otherwise the changes do not take effect and the software uses the default values Also entering no ip multicas...

Page 662: ...ticast packets for the group but does not itself accept packets for the group You can manually add a multicast group to individual ports only If the port is a member of a virtual routing interface you must add the ports to the group individually To manually add a port to a multicast group enter a command such as the following at the configuration level for the port BigIron RX config if e10000 1 1 ...

Page 663: ...t address of interest and the Number of Sources N field contains zero A Group and Source Specific Query is sent by a multicast router to learn if any neighboring interface desires reception of packets sent to a specified multicast address from any of a specified list of sources In a Group and Source Specific Query the Group Address field contains the multicast address of interest and the Source Ad...

Page 664: ...is reflected in the membership reports that the interfaces send to the router Routers and interfaces must be configured to recognized the version of IGMP you want them to process An interface or router sends the queries and reports that include its IGMP version specified on it It may recognize a query or report that has a different version For example an interface running IGMP V2 can recognize IGM...

Page 665: ...he ethernet port number parameter specifies which physical port within a virtual routing interface is being configured Enabling membership tracking and fast leave IGMP V3 provides membership tracking and fast leave of clients In IGMP V2 only one client on an interface needs to respond to a router s queries therefore some of the clients may be invisible to the router making it impossible for the sw...

Page 666: ...he following BigIron RX config interface ve 13 BigIron RX config vif 13 ip igmp tracking Syntax ip igmp tracking NOTE IGMPv2 tracking will not operate correctly if the system is reloaded NOTE IGMP tracking is not supported when an IGMPv3 configured port is in the EXCLUDE mode Creating a static IGMP group To configure a physical port to be a permanent static member of an IGMP group enter the follow...

Page 667: ...conds and the default value is 140 seconds To define an IGMP membership time of 240 seconds enter the following BigIron RX config ip igmp group membership time 240 Syntax ip igmp group membership time 20 7200 Setting the maximum response time The maximum response time defines the maximum number of seconds that a client can wait before it replies to the query sent by the router Possible values are ...

Page 668: ...s include 19 Interface v110 3 groups group phy port static querier life mode _src 2 239 0 0 1 e4 5 no yes include 10 3 239 0 0 1 e4 6 no yes 100 exclude 13 4 224 1 10 1 e4 5 no yes include 1 BigIron RX show ip igmp group 239 0 0 1 detail Display group 239 0 0 1 in all interfaces Interface v18 1 groups group phy port static querier life mode _src 1 239 0 0 1 e4 20 no yes include 19 group 239 0 0 1 ...

Page 669: ...f the interface is in Include mode it admits traffic only from the source list If an interface is in Exclude mode it denies traffic from the source list and accepts the rest _src Identifies the source list that will be included or excluded on the interface If IGMP V2 group is in Exclude mode with a _src of 0 the group excludes traffic from 0 zero source list which means that all traffic sources ar...

Page 670: ...t is running DVMRP PIM DM PIM SM Address of the multicast group on the interface If the interface is a virtual routing interface the physical port to which that interface belongs the number of groups on that physical port whether or not the port is a querier or a non querier port the age of the port and other multicast information for the port are displayed This field Displays QryV2 Number of gene...

Page 671: ...e than one static multicast route The device always uses the most specific route that matches a multicast source address Thus if you want to configure a multicast static route for a specific multicast source and also configure another multicast static route for all other sources you can configure two static routes as shown in the examples below To add static routes to multicast router A refer to F...

Page 672: ...rce network 207 95 10 0 24 If the receives multicast traffic for network 207 95 10 0 24 the traffic must arrive on port 1 2 The second route is for all other multicast traffic Traffic from multicast sources other than 207 95 10 0 24 must arrive on port 2 3 Figure 98 shows an example of an IP Multicast network The two static routes configured in the example above apply to this network The commands ...

Page 673: ... timer The ip arp validate nexthop timer command has been introduced which replaces the ip route validate nexthop arp timer and the ip mroute validate nexthop arp timer commands The next hop validate ARP timer works only on the ARP entries created when the ARP validation check feature has been enabled The timer is used to age out the ARP entries when the next hop goes down All other ARP entries in...

Page 674: ...ed and a prune message is sent back upstream In Figure 90 the root node R1 is forwarding multicast packets for group 229 225 0 1 which it receives from the server to its downstream nodes R2 R3 and R4 Router R4 is an intermediate router with R5 and R6 as its downstream routers Because R5 and R6 have no downstream interfaces they are leaf nodes The receivers in this example are those workstations th...

Page 675: ...am interfaces and sends a prune message to R1 With R4 in a prune state the resulting multicast delivery tree would consist only of leaf nodes R2 and R3 FIGURE 90 Transmission of multicast packets from the source to host group members 229 225 0 1 Group Member Group Member Video Conferencing Server 207 95 5 1 229 225 0 1 Source Group 229 225 0 1 Group Member Group Member Group Member Group Member Gr...

Page 676: ...state for this entry is in a prune state R4 sends a graft to R1 Once R4 has joined the tree R4 along with R6 once again receive multicast packets Prune and graft messages are continuously used to maintain the multicast delivery tree No configuration is required on your part PIM DM versions The BigIron RX supports PIM DM V1 and V2 The default is V2 You can specify the version on an individual inter...

Page 677: ...iguring PIM Sparse on page 607 for information about configuring PIM Sparse Enabling PIM on the router and an interface By default PIM is disabled To enable PIM Enable the feature globally Configure the IP interfaces that will use PIM Enable PIM locally on the ports that have the IP interfaces you configured for PIM Reload the software to place PIM into effect Suppose you want to initiate the use ...

Page 678: ...ing commands at the configuration level for the interface BigIron RX config if e10000 1 1 ip pim version 2 BigIron RX config if e10000 1 1 no ip pim version 1 To disable PIM DM on the interface enter the following command BigIron RX config if e10000 1 1 no ip pim Modifying PIM global parameters PIM global parameters come with preset values The defaults work well in most networks but you can modify...

Page 679: ...ing entry The default value is 180 seconds To set the PIM prune timer to 90 enter the following BigIron RX config router pim BigIron RX config pim router prune timer 90 Syntax prune timer 10 3600 The default is 180 seconds Modifying the prune wait timer The prune wait command allows you to configure the amount of time a PIM router will wait before stopping traffic to neighbor routers that do not w...

Page 680: ... The default is 180 seconds Modifying inactivity timer The router deletes a forwarding entry if the entry is not used to send multicast packets The PIM inactivity timer defines how long a forwarding entry can remain unused before the router deletes it To apply a PIM inactivity timer of 90 seconds to all PIM interfaces enter the following BigIron RX config router pim BigIron RX config pim router in...

Page 681: ...X supports Protocol Independent Multicast PIM Sparse version 2 PIM Sparse provides multicasting that is especially suitable for widely distributed multicast environments The Brocade implementation is based on RFC 2362 In a PIM Sparse network a PIM Sparse router that is connected to a host that wants to receive information for a multicast group must explicitly send a join request on behalf of the r...

Page 682: ...ie then the candidate BSR interface with the highest IP address is elected In the example in Figure 92 PIM Sparse router B is the BSR Port 2 2 is configured as a candidate BSR RP The RP is the rendezvous point for PIM Sparse sources and receivers A PIM Sparse domain can have multiple RPs but each PIM Sparse multicast group address can have only one active RP PIM Sparse routers learn the addresses ...

Page 683: ...ing the RP for forwarding traffic from a source to a receiver By default the BigIron RX forwards the first packet they receive from a given source to a given receiver using the RP path but forward subsequent packets from that source to that receiver through the SPT In Figure 92 BigIron RX A forwards the first packet from group 239 255 162 1 s source to the destination by sending the packet to rout...

Page 684: ...cast routing when configuring PIM Sparse The command in this example enables IP multicast routing and enables the PIM Sparse mode of IP multicast routing The command does not configure the BigIron RX as a candidate PIM Sparse Bootstrap Router BSR and candidate Rendezvous Point RP You can configure a BigIron RX as a PIM Sparse router without configuring the BigIron RX as a candidate BSR and RP Howe...

Page 685: ... address 207 95 7 1 hash mask length 30 priority 255 This command configures the PIM Sparse interface on port 2 2 as a BSR candidate with a hash mask length of 30 and a priority of 255 The information shown in italics above is displayed by the CLI after you enter the candidate BSR configuration command Syntax no bsr candidate ethernet slot portnum loopback num ve num hash mask length priority The ...

Page 686: ...all addresses from 224 126 22 0 224 126 22 255 enter the following command BigIron RX config pim router rp candidate delete 224 126 22 0 24 Syntax no rp candidate delete group addr mask bits The usage of the group addr mask bits parameter is the same as for the rp candidate add command If you enter both commands shown in the example above the net effect is that the BigIron RX becomes a candidate R...

Page 687: ...e RP is configured without an ACL name If an ACL name is given but the ACL is not defined the static RP is set to inactive mode and it will not cover any multicast group ranges The optional static RP ACL can be configured as a standard ACL or as an extended ACL For an extended ACL the destination filter will be used to derive the multicast group range and all other filters are ignored The content ...

Page 688: ...rp map Number of group to RP mappings 5 Group address RP address 1 230 0 0 1 100 1 1 1 2 230 0 0 2 100 1 1 1 3 230 0 0 3 100 1 1 1 4 230 0 0 4 100 1 1 1 5 230 0 0 5 100 1 1 1 Route selection precedence for multicast he route precedence command allows the user to specify a precedence table that dictates how routes are selected for multicast PIM must be enabled at the global level Configuring the ro...

Page 689: ...he uc non default parameter to specify a unicast non default route Use the uc default parameter to specify a unicast default route Use the none parameter to ignore certain types of routes The no form of this command removes the configuration Displaying the route selection Use the show ip pim sparse command to display the current route selection The example below displays the default route preceden...

Page 690: ...e domain with the BigIron RX itself as the root of the tree The first time a BigIron RX is configured as a PIM router and receives a packet for a PIM receiver the BigIron RX sends the packet to the RP for the group The BigIron RX also calculates the SPT from itself to the receiver The next time the BigIron RX receives a PIM Sparse packet for the receiver the BigIron RX sends the packet toward the ...

Page 691: ...interval the performance of PIM Sparse can be adversely affected To change the Join Prune interval enter commands such as the following BigIron RX config router pim BigIron RX config pim router message interval 30 Syntax no message interval num The num parameter specifies the number of seconds and can from 1 65535 The default is 60 MLL optimization MLL optimization is enabled by default except for...

Page 692: ... and removing cached PIM Sparse forwarding entries for the neighbor Bootstrap Msg interval How frequently the BSR configured on the BigIron RX sends the RP set to the RPs within the PIM Sparse domain The RP set is a list of candidate RPs and their group prefixes A candidate RP s group prefix indicates the range of PIM Sparse group numbers for which it can be an RP NOTE This field contains a value ...

Page 693: ...using the SPT path PIM Sparse interface information NOTE You also can display IP multicast interface information using the show ip pim interface command However this command lists all IP multicast interfaces including regular PIM dense mode and DVMRP interfaces The show ip pim sparse command lists only the PIM Sparse interfaces Interface The type of interface and the interface number The interface...

Page 694: ...Router BSR Uptime The amount of time the BSR has been running NOTE This field appears only if this BigIron RX is the BSR BSR priority The priority assigned to the interface for use during the BSR election process During BSR election the priorities of the candidate BSRs are compared and the interface with the highest BSR priority becomes the BSR Hash mask length The number of significant bits in th...

Page 695: ... advertisement message NOTE This field appears only if this BigIron RX is a candidate BSR RP Indicates the IP address of the Rendezvous Point RP NOTE This field appears only if this BigIron RX is a candidate BSR group prefixes Indicates the multicast groups for which the RP listed by the previous field is a candidate RP NOTE This field appears only if this BigIron RX is a candidate BSR Candidate R...

Page 696: ... following command at any CLI level Syntax show ip pim rp hash group addr The group addr parameter is the address of a PIM Sparse IP multicast group This display shows the following information group prefixes Indicates the multicast groups for which the RP listed by the previous field is a candidate RP NOTE This field appears only if this BigIron RX is a candidate RP Candidate RP advertisement per...

Page 697: ...ity of the RP This field Displays Number of group prefixes The number of PIM Sparse group prefixes for which the RP is responsible Group prefix Indicates the multicast groups for which the RP listed by the previous field is a candidate RP RPs expected received Indicates how many RPs were expected and received in the latest Bootstrap message RP num Indicates the RP number If there are multiple RPs ...

Page 698: ...r messages that the BigIron RX displays with this command This field Displays Port The interface through which the BigIron RX is connected to the neighbor Neighbor The IP interface of the PIM neighbor interface Holdtime sec Indicates how many seconds the neighbor wants this BigIron RX to hold the entry for this neighbor in memory The neighbor sends the Hold Time in its Hello packets If the BigIron...

Page 699: ...parse Mode RPT 1 SPT 0 Reg 0 upstream neighbor 10 10 8 33 num_oifs 1 v2 L3 SW 1 e4 24 VL2702 fast 1 slow 0 leaf 0 prun 0 frag 0 tag 0 tnnl 0 swL2 0 hwL2 0 msdp_adv 0 age 0 fid none l2vidx none 3 239 255 255 250 RP10 159 2 2 in v87 cnt 0 Sparse Mode RPT 1 SPT 0 Reg 0 upstream neighbor 10 10 8 45 num_oifs 1 v2 L3 SW 1 e4 23 VL2702 fast 1 slow 0 leaf 0 prun 0 frag 0 tag 0 tnnl 0 swL2 0 hwL2 0 msdp_ad...

Page 700: ...the RP path 1 The RP path is used instead of the SPT path NOTE The values of the RP and SPT flags are always opposite one is set to 0 and the other is set to 1 SPT Indicates whether the cache entry uses the RP path or the SPT path The SP flag can have one of the following values 0 The RP path is used instead of the SPT path 1 The SPT path is used instead of the RP path NOTE The values of the RP an...

Page 701: ...which the PIM interface is configured Hello The number of PIM Hello messages sent or received on the interface J P The number of Join Prune messages sent or received on the interface NOTE Unlike PIM dense PIM Sparse uses the same messages for Joins and Prunes Register The number of Register messages sent or received on the interface RegStop The number of Register Stop messages sent or received on ...

Page 702: ... cause the switch or router to leak unwanted packets with the same group but containing undesired sources to clients After SPT switch over the leak stops and source specific multicast works correctly even without configuring the SSM protocol If the SSM protocol is enabled one S G entry is created for every source of the multicast group even for sources with non existent traffic For example if ther...

Page 703: ...s example the Source Active message contains the following information Source address 206 251 14 22 Group address 232 1 0 95 RP address 206 251 17 41 Figure 93 shows only one peer for the MSDP router which is also the RP here in domain 1 so the Source Active message goes to only that peer When an MSDP router has multiple peers it sends a Source Active message to each of those peers Each peer sends...

Page 704: ...an RP receives a Source Active message the RP checks its PIM Sparse multicast group table for receivers for the group If the DR has a receiver for the group being advertised in the Source Active message the DR sends a Join message for that receiver back to the DR in the domain from which the Source Active message came Usually the DR is also the MSDP router that sent the Source Active message In Fi...

Page 705: ...e neighbor The connect source loopback num parameter specifies the loopback interface you want to use as the source for sessions with the neighbor NOTE It is strongly recommended that you use the connect source loopback num parameter when issuing the msdp peer command If you do not use this parameter the BigIron RX uses the subnet interface configured on the port Also make sure the IP address of t...

Page 706: ...e specified address as the IP address of the RP in an SA message This address must be the address of the interface used to connect the RP to the source There are no default originator ids The type parameter indicates the type of interface used by the RP Ethernet loopback and virtual routing interfaces ve can be used The number parameter specifies the interface number for example loopback number po...

Page 707: ...m neighbor 2 2 2 99 NOTE The default action is to deny all source group pairs from the specified neighbor If you want to permit some pairs use route maps BigIron RX config access list 124 permit ip 10 0 0 0 0 255 255 255 any BigIron RX config access list 124 permit ip host 2 2 2 2 any BigIron RX config access list 125 permit ip any any BigIron RX config route map msdp_map deny 1 BigIron RX config ...

Page 708: ...s deny If you want to permit some source group pairs use a route map A permit action in the route map allows the BigIron RX to receive the matching source group pairs A deny action in the route map drops the matching source group pairs Filtering advertised source active messages The following example configures the BigIron RX to advertise all source group pairs except the ones that have source add...

Page 709: ...e the matching source group pairs A deny action in the route map drops the matching source group pairs Displaying the differences before and after the source active filters are applied This is an example of the Source Actives in the MSDP cache that will be displayed before the filter is applied BigIron RX show ip msdp sa Total 50 entries Index SourceAddr GroupAddr Age 1 117 1 0 60 224 200 1 40 RP ...

Page 710: ... 0 44 224 200 1 24 RP 2 2 2 2 Age 0 45 117 1 0 58 224 200 1 38 RP 2 2 2 2 Age 0 46 117 1 0 31 224 200 1 11 RP 2 2 2 2 Age 0 47 117 1 0 45 224 200 1 25 RP 2 2 2 2 Age 0 48 117 1 0 59 224 200 1 39 RP 2 2 2 2 Age 0 49 117 1 0 32 224 200 1 12 RP 2 2 2 2 Age 0 50 117 1 0 46 224 200 1 26 RP 2 2 2 2 Age 0 Total number of SA Cache entries50 Syntax show ip msdp sa This is an example of the Source Actives i...

Page 711: ...hat receives the SA message is the only one that can forward the message to the members of a mesh group If a mesh group member receives a SA message from a MSDP peer that is not a member of the mesh group and the SA message passes the RPF check then the member forwards the SA message to all members of the mesh group An RP can forward an SA message to any MSRP router as long as that peer is farther...

Page 712: ...h group BigIron RX config router msdp BigIron RX config msdp router msdp peer 163 5 34 10 connect source loopback 2 BigIron RX config msdp router msdp peer 206 251 21 31 connect source loopback 2 BigIron RX config msdp router msdp peer 206 251 17 31 connect source loopback 2 BigIron RX config msdp router msdp peer 206 251 13 31 connect source loopback 2 BigIron RX config msdp router mesh group Gro...

Page 713: ...have up to 4 mesh groups within a multicast network Each mesh group can include up to 32 peers The peer address parameter specifies the IP address of the MSDP peer that is being placed in the group NOTE On each of the device that will be part of the mesh group there must be a mesh group definition for all the peers in the mesh group Up to 32 MSDP peers can be configured per mesh group In Figure 95...

Page 714: ... 2 1 BigIron RX config if 2 1 ip address 12 12 12 1 255 255 255 0 BigIron RX config if 2 1 ip pim sparse BigIron RX config if 2 1 exit BigIron RX config interface ethernet 2 20 BigIron RX config if 2 20 ip address 159 159 159 1 255 255 255 0 BigIron RX config if 2 20 ip pim sparse BigIron RX config if 2 20 exit BigIron RX config interface ethernet 4 1 BigIron RX config if 4 1 ip address 31 31 31 1...

Page 715: ...net 1 24 BigIron RX config if 1 24 ip address 168 72 2 2 255 255 255 0 BigIron RX config if 1 24 exit BigIron RX config interface ethernet 1 25 BigIron RX config if 1 25 ip address 24 24 24 2 255 255 255 0 BigIron RX config if 1 25 ip pim sparse BigIron RX config if 1 24 exit BigIron RX config interface ethernet 8 1 BigIron RX config if 8 1 ip address 32 32 32 2 255 255 255 0 BigIron RX config if ...

Page 716: ...ace ethernet 12 2 BigIron RX config if 12 1 ip address 34 34 34 3 255 255 255 0 BigIron RX config if 12 1 ip pim sparse BigIron RX config if 12 1 exit BigIron RX config interface ethernet 14 4 BigIron RX config if 14 4 ip address 154 154 154 1 255 255 255 0 BigIron RX config if 12 1 ip pim sparse BigIron RX config if 12 1 exit BigIron RX config router pim BigIron RX config router pim bsr candidate...

Page 717: ...RX config interface ethernet 7 1 BigIron RX config if ip address 14 14 14 4 255 255 255 0 BigIron RX config if ip pim sparse BigIron RX config if exit BigIron RX config interface ethernet 7 7 BigIron RX config if ip address 48 48 48 4 255 255 255 0 BigIron RX config if ip pim sparse BigIron RX config if ip pim border BigIron RX config if exit BigIron RX config interface ethernet 7 8 BigIron RX con...

Page 718: ...r s interface with the BigIron RX State The state of the MSDP router s connection with the peer The state can be one of the following CONNECTING The session is in the active open state ESTABLISHED The MSDP session is fully up INACTIVE The session is idle LISTENING The session is in the passive open state KA In The number of MSDP Keepalive messages the MSDP router has received from the peer KA Out ...

Page 719: ...able Hold Time The hold time which specifies how many seconds the MSDP router will wait for a KEEPALIVE or UPDATE message from an MSDP neighbor before deciding that the neighbor is dead The hold time is 90 seconds and is not configurable Keep Alive Message Sent The number of Keep Alive messages the MSDP router has sent to the peer BigIron RX show ip msdp peer Total number of MSDP Peers 2 IP Addres...

Page 720: ...s from the neighbor the message contains an error code corresponding to one of the following errors Some errors have subcodes that clarify the reason for the error Where applicable the subcode messages are listed underneath the error code messages 1 Message Header Error 2 SA Request Error 3 SA Message or SA Response Error 4 Hold Timer Expired 5 Finite State Machine Error 6 Notification 7 Cease For...

Page 721: ...ledgment of its connection termination request TIME WAIT Waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request CLOSED There is no connection state Local host The IP address of the MSDP router s interface with the peer Local port The TCP port the MSDP router is using for the BGP4 TCP session with the neighbor Remote host The IP a...

Page 722: ...s for which the cache has room Index The cache entry number SourceAddr The IP address of the multicast source GroupAddr The IP multicast group to which the source is sending information RP The RP through which receivers can access the group traffic from the source Age The number of seconds the entry has been in the cache BigIron RX show ip msdp sa cache Total Entry 4096 Used 1800 Free 2296 Index S...

Page 723: ...atistics ip addr The command in this example clears statistics for all the peers To clear statistics for only a specific peer enter the peer s IP address DVMRP overview The BigIron RX provides multicast routing with the Distance Vector Multicast Routing Protocol DVMRP routing protocol DVMRP uses IGMP to manage the IP multicast groups DVMRP is a broadcast and pruning multicast protocol that deliver...

Page 724: ...he root node R1 is forwarding multicast packets for group 229 225 0 2 that it receives from the server to its downstream nodes R2 R3 and R4 Router R4 is an intermediate router with R5 and R6 as its downstream routers Because R5 and R6 have no downstream interfaces they are leaf nodes The receivers in this example are those workstations that are resident on routers R2 R3 and R6 Pruning a multicast ...

Page 725: ...ckets from source host 229 225 0 1 Group Member Group Member Video Conferencing Server 207 95 5 1 229 225 0 1 Source Group 229 225 0 1 Group Member Group Member Group Member Group Member Group Member Group Member 229 225 0 1 Leaf Node Leaf Node Leaf Node No Group Members Intermediate Node No Group Members R2 R1 R3 R4 R5 R6 ...

Page 726: ...eviously a graft will be sent upstream to R4 Since the forwarding state for this entry is in a prune state R4 sends a graft to R1 Once R4 has joined the tree it along with R6 will once again receive multicast packets You do not need to perform any configuration to maintain the multicast delivery tree The prune and graft messages automatically maintain the tree 229 225 0 1 Group Member Group Member...

Page 727: ...ering a router dvmrp command to enable DVMRP does not require a software reload Entering a no router dvmrp command removes all configuration for PIM multicast on a BigIron RX router pim level only Globally enabling or disabling DVMRP without deleting multicast configuration As stated above enter no router dvmrp removed PIM configuration If you want to disable or enable DVMRP without removing PIM c...

Page 728: ...ssible values are from 20 4000 seconds The default value is 200 seconds To modify the route expire setting to 50 enter the following BigIron RX config dvmrp router route expire timeout 50 Syntax route expire timeout 20 4000 Modifying route discard time The Route Discard Time defines the period of time before a route is deleted Possible values are from 40 8000 seconds The default value is 340 secon...

Page 729: ...conds To modify the probe interval setting to 10 enter the following BigIron RX config dvmrp router probe 10 Syntax probe interval 5 30 Modifying report interval The Report Interval defines how often routers propagate their complete routing tables to other neighbor DVMRP routers Possible values are from 10 2000 seconds The default value is 60 seconds To support propagation of DVMRP routing informa...

Page 730: ... packets received on that interface are forwarded Possible values are from 1 64 The default value is 1 To set a TTL of 64 enter the following BigIron RX config int e 1 4 BigIron RX config if e10000 1 4 ip dvmrp ttl 60 Syntax no ip dvmrp ttl threshold 1 64 Modifying the metric The router uses the metric when establishing reverse paths to some networks on directly attached interfaces Possible values...

Page 731: ...direct multicast traffic along a specific path The ip mroute command starts with the ip address or ingress ip address the source traffic is received upon The ingress interface network mask and the next hop address leading back to the ingress source ip address To configure static IP multicast routes enter a command such as the following BigIron RX config ip mroute 12 7 1 0 255 255 255 0 17 3 1 2 If...

Page 732: ...igIron RX to make forwarding decisions in hardware based on multicast group by enabling the IP Multicast Traffic Reduction feature NOTE The IP Multicast Traffic Reduction feature is applicable for Layer 2 mode only When this feature is enabled the BigIron RX examines the MAC address in an IP multicast packet and forward the packet only on the ports from which the device has received Group Membersh...

Page 733: ...fic for all other groups The following sections describe how to configure IP multicast traffic reduction and PIM SM Traffic Snooping parameters on a BigIron RX Enabling IP multicast traffic reduction By default the BigIron RX forwards all IP multicast traffic out all ports except the port on which the traffic was received To reduce multicast traffic through the device you can enable IP Multicast T...

Page 734: ...NOTE If the route only feature is enabled on the BigIron RX then IP Multicast Traffic Reduction will not be supported To verify that IP Multicast Traffic Reduction is enabled enter the following command at any level of the CLI BigIron RX config show ip multicast IP multicast is enabled Active Syntax show ip multicast Configuring the IGMP mode per VLAN NOTE A router id is required if a virtual inte...

Page 735: ...he no form of this command disables the tracking process per VLAN For IGMPv3 the above command also internally tracks all the IGMPv3 hosts behind a given port The port is not removed from the IP multicast group entry in the forwarding table until all the hosts behind that port have left that multicast group When the last IGMPv3 host sends a IGMPv3 leave message the port is removed from the IP mult...

Page 736: ... the active mode of IP Multicast Traffic reduction To modify the query interval enter a command such as the following BigIron RX config ip multicast query interval 120 Syntax no ip multicast query interval interval The interval parameter specifies the interval between queries You can specify a value from 10 600 seconds The default is 60 seconds Modifying the age interval When the device receives a...

Page 737: ...e applied you must delete the old bounder first then apply the new ACL To avoid temporary loss in multicast traffic ACLs should be configured before applying them to multicast boundaries Modifying an already applied ACL will take effect immediately Configurations shoube be generated at the VLAN level if user has explicitly configured it regardless of whether it matches the global snooping configur...

Page 738: ...hed to every port the device forwards group traffic out all ports in the same broadcast domain except the port attached to the source even though there are only two receivers for the group PIM SM traffic snooping eliminates the superfluous traffic by configuring the device to forward IP multicast group traffic only on the ports that are attached to receivers for the group PIM SM traffic snooping r...

Page 739: ...client However since IP multicast traffic reduction also is enabled the device uses the IGMP group membership report from the client to select the port for forwarding traffic to group 239 255 162 69 receivers The IP multicast traffic reduction feature and the PIM SM traffic snooping feature together build a list of groups and forwarding ports for the VLAN The list includes PIM SM groups learned th...

Page 740: ...t will be running PIM SM snooping The PIM SM traffic snooping feature requires IP multicast traffic reduction NOTE Use the passive mode of IP multicast traffic reduction instead of the active mode The passive mode assumes that a router is sending group membership queries as well as join and prune messages on behalf of receivers The active mode configures the device to send group membership queries...

Page 741: ... in the same subnet NOTE If the route only feature is enabled on a BigIron RX PIM SM traffic snooping will not be supported Enabling PIM SM traffic snooping To enable PIM SM traffic snooping enter the following commands at the global CONFIG level of the CLI BigIron RX config ip multicast BigIron RX config ip pimsm snooping The first command enables IP multicast traffic reduction This feature is si...

Page 742: ...nected to the multicast switch The snooping device will respond to IGMP queries from the uplink multicast PIM switch for the groups and sources configured Upon the multicast switch receiving the IGMP join message it will initiate the PIM join on its upstream path towards the source to pull the source traffic down The source traffic will stop at the IGMP snooping device The traffic will then be for...

Page 743: ...lan 100 BigIron RX config vlan 100 multicast static group 224 10 1 1 ethernet 2 4 To configure the physical interface ethernet 3 4 to statically join a multicast stream with source address of 10 43 1 12 in the include mode enter commands such as the following BigIron RX config vlan 100 BigIron RX config vlan 100 multicast static group 224 10 1 1 include 10 43 1 12 ethernet 3 4 To configure the phy...

Page 744: ...n uplink port that can receive multicast data for the configured multicast groups Upstream traffic will be sent to the switch and will not use a port The port list parameter specifies the range of ports to include in the configuration The no form of this command removes the static multicast definition Each configuration must be deleted separately ...

Page 745: ...y a route s cost generally by adding to it to bias the selection of a route for a given destination In this case the actual number of router hops may be the same but the route has an administratively higher cost and is thus less likely to be used than other lower cost routes A RIP route can have a maximum cost of 15 Any destination with a higher cost is considered unreachable Although limiting to ...

Page 746: ...e command configures port 1 1 to add 5 to the cost of each route it learns Syntax no ip rip metric offset num in out The number is 1 16 A route with a metric of 16 is unreachable Use 16 only if you do not want the route to be used In fact you can prevent the device from using a specific port for routes learned though that port by setting its metric to 16 In applies to routes the port learns from R...

Page 747: ... route map consists of a sequence of up to 50 instances If you think of a route map as a table an instance is a row in that table The router evaluates a route according to a route map s instances in ascending numerical order The route is first compared against instance 1 then against instance 2 and so on As soon as a match is found the router stops evaluating the route against the route map instan...

Page 748: ...RIP metric of 10 to each route that is redistributed into RIP Syntax no default metric 1 15 Configuring route learning and advertising parameters By default a device learns routes from all its RIP neighbors and advertises RIP routes to those neighbors You can configure the following learning and advertising parameters Learning and advertising of RIP default routes The device learns and advertises ...

Page 749: ... the highest filter number Otherwise the software can match on the permit all filter before a filter that denies a specific neighbor and learn routes from that neighbor BigIron RX config rip router neighbor 2 deny 192 16 1 170 BigIron RX config rip router neighbor 1024 permit any Changing the route loop prevention method RIP uses the following methods to prevent routing loops Split horizon The dev...

Page 750: ...path to the Backup rather than the path to the Master You can prevent the Backups from advertising route information for the backed up interface by enabling suppression of the advertisements To suppress RIP advertisements for the backed up interface in Router2 enter the following commands Router2 config router rip Router2 config rip router use vrrp path Syntax no use vrrp path The syntax is the sa...

Page 751: ...x list name in out In applies the prefix list to routes the device learns from its neighbor on the interface Out applies the prefix list to routes the device advertises to its neighbor on the interface The commands apply RIP list2 route filters to all routes learned from the RIP neighbor on port 1 2 and applies the lists to all routes advertised on port 1 2 To apply a route map to a RIP interface ...

Page 752: ...ed to an interface s inbound filter group the filter prevents the router from receiving RIP updates from the specified neighbor permit If the filter is applied to an interface s outbound filter group the filter allows the router to advertise RIP routes to the specified neighbor on that interface If the filter is applied to an interface s inbound filter group the filter allows the router to receive...

Page 753: ...config clear ip rip local routes Syntax clear ip rip local routes To clear the RIP routes from the RIP database enter a command such as the following BigIron RX config clear ip rip routes Syntax clear ip rip routes ip addr mask bits Use the ip address to specify which routes in the database you want to clear Use the subnet mask to specify which subnets you want to clear NOTE Using the clear ip rou...

Page 754: ...678 BigIron RX Series Configuration Guide 53 1002253 01 Displaying RIP filters 24 ...

Page 755: ...ch link state advertisements are broadcast thereby limiting the amount of flooding that occurs within the network An area is represented in OSPF by either an IP address or a number You can further limit the broadcast area of flooding by defining an area range The area range allows you to assign an aggregate value to a range of IP addresses This aggregate value becomes the address that is advertise...

Page 756: ...ing all messages to the designated router and backup designated routers responsible for forwarding the updates throughout the network Designated router election in multi access networks In a network with no designated router and no backup designated router the neighboring router with the highest priority is elected as the DR and the router with the next largest priority is elected as the BDR as sh...

Page 757: ...ble option at the interface level You can use this parameter to help bias one router as the DR FIGURE 103 Backup designated router becomes designated router If two neighbors share the same priority the router with the highest router ID is designated as the DR The router with the next highest router ID is designated as the BDR Router A Router B Router C priority 10 priority 20 priority 5 Designated...

Page 758: ...rs can also be configured to operate with the latest OSPF standard RFC 2328 NOTE For details on how to configure the system to operate with the RFC 2328 refer to Modify OSPF standard compliance setting on page 718 Reduction of equivalent AS external LSAs An OSPF ASBR uses AS External link advertisements AS External LSAs to originate advertisements of a route learned from another routing domain suc...

Page 759: ...isement traffic within the AS is reduced and the BigIron RX switches that flush the duplicate AS External LSAs have more memory for other OSPF data In Figure 104 since Router D has a higher router ID than Router E Router D floods the AS External LSAs for Router F to Routers A B and C Router E flushes the equivalent AS External LSAs from its database Algorithm for AS external LSA reduction Figure 1...

Page 760: ... BigIron RX provides support for Appendix E in OSPF RFC 2328 Appendix E describes a method to ensure that an OSPF router generates unique link state IDs for type 5 External link state advertisements LSAs in cases where two networks have the same network address but different network masks NOTE Support for Appendix E of RFC 2328 is enabled automatically and cannot be disabled No user configuration ...

Page 761: ... ID 10 0 0 0 for network 10 0 0 0 255 255 255 0 the router must generate a new LSA for the network if the router needs to generate an LSA for network 10 0 0 0 255 255 0 0 or 10 0 0 0 255 0 0 0 Dynamic OSPF activation and configuration OSPF is automatically activated when you enable it The protocol does not require a software reload You can configure and save the following OSPF changes without rese...

Page 762: ...range Define the area virtual link Set global default metric for OSPF Change the reference bandwidth for the default cost of OSPF interfaces Disable or re enable load sharing Enable or disable default information originate Modify Shortest Path First SPF timers Define external route summarization Define redistribution metric type Define redistribution route maps Enable redistribution Change the LSA...

Page 763: ...tup configuration file and reloaded the software you can restore the configuration information by re entering the router ospf command to enable the protocol If you have already saved the configuration to the startup configuration file and reloaded the software the information is gone If you are testing an OSPF configuration and are likely to disable and re enable the protocol you might want to mak...

Page 764: ...mber can be from 0 2 147 483 647 Assign a totally stubby area By default the device sends summary LSAs LSA type 3 into stub areas You can further reduce the number of link state advertisements LSA sent into a stub area by configuring the device to stop sending summary LSAs type 3 LSAs into the area You can disable the summary LSAs when you are configuring the stub area or later after you have conf...

Page 765: ...om the NSSA into other areas such as the backbone NSSAs are especially useful when you want to summarize Type 5 External LSAs external routes before forwarding them into an OSPF area The OSPF specification RFC 2328 prohibits summarization of Type 5 LSAs and requires OSPF to flood Type 5 LSAs throughout a routing domain When you configure an NSSA you can specify an address range for aggregating the...

Page 766: ...t To configure additional parameters for OSPF interfaces in the NSSA use the ip ospf area command at the interface level of the CLI Configuring an address range for the NSSA If you want the ABR that connects the NSSA to other areas to summarize the routes in the NSSA before translating them into Type 5 LSAs and flooding them into the other areas configure an address range The ABR creates an aggreg...

Page 767: ...ddresses that match this comparison are summarized in a single route advertised by the router The ip mask parameter specifies the portions of the IP address that a route must contain to be summarized in the summary route In the example above all networks that begin with 193 45 are summarized into a single route Assigning interfaces to an area Once you define OSPF areas you can assign interfaces to...

Page 768: ...d The simple password method of authentication requires you to configure an alphanumeric password on an interface The simple password setting takes effect immediately All OSPF packets transmitted on the interface contain this password Any OSPF packet received on the interface is checked for this password If the password is not present then the packet is dropped The password can be up to eight char...

Page 769: ...etwork The wait time can be from 0 14400 seconds The default is 300 seconds 5 minutes MD5 authentication key ID and key A method of authentication that requires you to configure a key ID and an MD5 key The key ID is a number from 1 255 and identifies the MD5 key that is being used The MD5 key consists of up to 16 alphanumeric characters The MD5 is encrypted and included in each OSPF packet transmi...

Page 770: ...ge interval After this the software uses the new authentication for sending packets Inbound OSPF packets The software accepts packets containing the new authentication and continues to accept packets containing the older authentication for two authentication change intervals After the second interval ends the software accepts packets only if they contain the new authentication key The default auth...

Page 771: ...l links All ABRs area border routers must have either a direct or indirect link to the OSPF backbone area 0 0 0 0 or 0 If an ABR does not have a physical link to the area backbone the ABR can configure a virtual link to another router within the same area which has a physical connection to the area backbone The path for a virtual link is through an area shared by the neighbor ABR router with a phy...

Page 772: ...it area To define the virtual link on BigIron RXA enter the following commands BigIron RXA config router ospf BigIron RXA config ospf router area 2 BigIron RXA config ospf router area 1 BigIron RXA config ospf router area 1 virtual link 209 157 22 1 BigIron RXA config ospf router write memory Enter the following commands to configure the virtual link on BigIron RXC BigIron RXC config router ospf B...

Page 773: ...ifferent authentication methods on a port by port basis OSPF supports three methods of authentication for each interface none simple password and MD5 Only one method of authentication can be active on an interface at a time The simple password method of authentication requires you to configure an alphanumeric password on an interface The password can be up to eight characters long The simple passw...

Page 774: ...ecify the IP address of the neighbor in the OSPF configuration The non broadcast interface configuration must be done on the OSPF routers on both ends of the link For example the following commands configure VE 20 as a non broadcast interface The following commands specify 1 1 20 1 as an OSPF neighbor address The address specified must be in the same sub net as a non broadcast interface BigIron RX...

Page 775: ...Backup Designated routers a point to point network establishes adjacency and converges faster The neighboring routers become adjacent whenever they can communicate directly In contrast in broadcast and non broadcast multi access NBMA networks the Designated Router and Backup Designated Router become adjacent to all other routers attached to the network NOTE This feature is supported on Gigabit Eth...

Page 776: ...LE 109 Output of the show ip ospf interface command This field Displays IP Address The IP address of the interface OSPF state ptr2ptr point to point Pri The link ID as defined in the router LSA This value can be one of the following 1 point to point link 3 point to point link with an assigned subnet Cost The configured output cost for the interface Options OSPF Options Bit7 Bit0 unused 1 opaque 1 ...

Page 777: ...ssword or authentication string you enter is the encrypted form and decrypts the value before using it NOTE If you want the software to assume that the value you enter is the clear text form and to encrypt display of that form do not enter 0 or 1 Instead omit the encryption option and allow the software to use the default behavior If you specify encryption option 1 the software assumes that you ar...

Page 778: ...s port s cost 100 10 10 100 Mbps port s cost 100 100 1 1000 Mbps port s cost 100 1000 0 10 which is rounded up to 1 10 Gbps port s cost 100 10000 0 01 which is rounded up to 1 The bandwidth for interfaces that consist of more than one physical port is calculated as follows Trunk group The combined bandwidth of all the ports Virtual interface The combined bandwidth of all the ports in the port base...

Page 779: ...e default costs of interfaces to their default values enter the following command BigIron RX config ospf router no auto cost reference bandwidth Define redistribution filters Route redistribution imports and translates different protocol routes into a specified protocol type On the BigIron RX redistribution is supported for static routes ISIS OSPF RIP and BGP4 OSPF redistribution supports the impo...

Page 780: ...bution bgp connected rip static route map map name For example to enable redistribution of RIP and static IP routes into OSPF enter the following commands BigIron RX config router ospf BigIron RX config ospf router redistribution rip BigIron RX config ospf router redistribution static BigIron RX config ospf router write memory Modify default metric for redistribution The default metric is a global...

Page 781: ...command begins configuration of a route map called abc The number indicates the route map entry called the instance you are configuring A route map can contain multiple entries The software compares routes to the route map entries in ascending numerical order and stops the comparison once a match is found The match command in the route map matches on routes that have 5 for their metric value cost ...

Page 782: ...etric num match tag tag value The following set parameters are valid for OSPF redistribution set ip next hop ip addr set metric num none set metric type type 1 type 2 set tag tag value NOTE You must configure the route map before you configure a redistribution that uses the route map NOTE When you use a route map for route redistribution the software disregards the permit or deny action of the rou...

Page 783: ... metric is 600 the BigIron RX will always choose R4 However suppose the metric is the same for all four routers in this example If the costs are the same the router now has four equal cost paths to R1 To allow the router to load share among the equal cost routes enable IP load sharing The software supports four equal cost OSPF paths by default when you enable load sharing You can specify from 2 8 ...

Page 784: ... LSDB overflow condition occurs all aggregate routes are flushed out of the AS along with other external routes When the device exits the external LSDB overflow condition all the imported routes are summarized according to the configured address ranges NOTE If you use redistribution filters in addition to address ranges the BigIron RX applies the redistribution filters to routes first then applies...

Page 785: ...wing method If the BigIron RX is an ASBR you can use the always option when you enable the default route origination The always option causes the ASBR to create and advertise a default route if it does not already have one configured If default route origination is enabled and you disable it the default route originated by the BigIron RX is flushed Default routes generated by other OSPF routers ar...

Page 786: ...perform default routing even if the default network route s default gateway changes The feature thus differs from standard default routes When you configure a standard default route you also specify the next hop gateway If a topology change makes the gateway unreachable the default route becomes unusable For example if you configure 10 10 10 0 24 as a candidate default network route if the IP rout...

Page 787: ...s the OSPF routing table when new Type 3 or Type 4 Summary Type 5 External or Type 7 External NSSA LSAs are received You can set the delay and hold time to lower values to cause the BigIron RX to change to alternate paths more quickly in the event of a route failure Note that lower values require more CPU processing time You can change one or both of the timers To change the SPF delay and hold tim...

Page 788: ... the same network from different protocols The device prefers the route with the lower administrative distance You can specify unique default administrative distances for the following route types Intra area routes Inter area routes External routes The default for all these OSPF route types is 110 NOTE This feature does not influence the choice of routes within OSPF For example an OSPF intra area ...

Page 789: ...ter timers lsa group pacing 120 Syntax no timers lsa group pacing secs The secs parameter specifies the number of seconds and can be from 10 1800 30 minutes The default is 240 seconds four minutes To restore the pacing interval to its default value enter the following command BigIron RX config ospf router no timers lsa group pacing OSPF ABR type 3 LSA filtering OSPF ABR Type 3 LSA filtering increa...

Page 790: ...ospf BigIron RX config ospf router To filter prefixes advertised in type 3 link state advertisements LSAs between OSPF areas of an Area Border Router ABR use the area prefix list command in router configuration mode To change or cancel the filter use the no form of this command BigIron RX config ospf router area 1 prefix list area 1 in To configure the switch to filter inter area routes out of the...

Page 791: ... list name seq seq value description string deny permit network addr mask bits ge ge value le le value The name parameter specifies the prefix list name You use this name when applying the prefix list to a neighbor The seq seq value parameter is optional and specifies the IP prefix list s sequence number If you do not specify a sequence number the software numbers them in increments of 5 beginning...

Page 792: ...ilure Trap Enabled Interface Receive Bad Packet Trap Enabled Virtual Interface Receive Bad Packet Trap Enabled Interface Retransmit Packet Trap Disabled Virtual Interface Retransmit Packet Trap Disabled Originate LSA Trap Disabled Originate MaxAge LSA Trap Disabled Link State Database Overflow Trap Disabled Link State Database Approaching Overflow Trap Disabled OSPF Area currently defined Area ID ...

Page 793: ...ed MIB objects from RFC 1850 The first list are traps enabled by default interface state change trap MIB object OspfIfstateChange virtual interface state change trap MIB object OspfVirtIfStateChange neighbor state change trap MIB object ospfNbrStateChange virtual neighbor state change trap MIB object ospfVirtNbrStateChange interface config error trap MIB object ospfIfConfigError TABLE 111 Default ...

Page 794: ...state change trap enter the following command BigIron RX config ospf router no trap neighbor state change tra To reinstate the trap enter the following command BigIron RX config ospf router trap neighbor state change trap Syntax no snmp server trap ospf ospf trap Enabling OSPF logging By default most OSPF logging is enabled Refer to Table 111 on page 717 for a complete list of the OSPF default tra...

Page 795: ...of OSPF related Syslog messages are logged By default the only OSPF messages that are logged are those indicating possible system errors If you want other kinds of OSPF messages to be logged you can configure the device to log them For example to specify that all OSPF related Syslog messages be logged enter the following commands BigIron RX config router ospf BigIron RX config ospf router log all ...

Page 796: ...mation on page 725 Route information refer to Displaying OSPF route information on page 727 External link state information refer to Displaying OSPF external link state Information on page 729 Link state information refer to Displaying OSPF database link state information on page 730 Virtual Neighbor information refer to Displaying OSPF virtual neighbor and link information on page 732 Virtual Lin...

Page 797: ...State Change Trap Enabled Interface Configuration Error Trap Enabled Virtual Interface Configuration Error Trap Enabled Interface Authentication Failure Trap Enabled Virtual Interface Authentication Failure Trap Enabled Interface Receive Bad Packet Trap Enabled Virtual Interface Receive Bad Packet Trap Enabled Interface Retransmit Packet Trap Disabled Virtual Interface Retransmit Packet Trap Disab...

Page 798: ...89c 20648618 16384 0 0 1 mac_mgr 5 wait 0000d89c 20657628 16384 0 0 1 mrp_mgr 5 wait 0000d89c 2065c628 16384 0 0 1 vsrp 5 wait 0000d89c 20663620 16384 0 0 1 snms 5 wait 0000d89c 20667628 16384 0 0 1 rtm 5 wait 0000d89c 20674628 16384 0 0 1 rtm6 5 wait 0000d89c 2068a628 16384 0 0 1 ip_tx 5 ready 0000d89c 206a9628 16384 0 0 1 rip 5 wait 0000d89c 20762628 16384 0 0 1 bgp 5 wait 0000d89c 207e6628 1638...

Page 799: ...id Task s ID number assigned by the operating system task vid A memory domain ID TABLE 113 CLI display of OSPF area information This field Displays Indx The row number of the entry in the router s OSPF area table Area The area number Type The area type which can be one of the following nssa normal stub Cost The area s cost SPFR The SPFR value ABR The ABR number ASBR The ABSR number LSA The LSA num...

Page 800: ...ption Port The port through which the device is connected to the neighbor Address The IP address of this device s interface with the neighbor Pri The OSPF priority of the neighbor For multi access networks the priority is used during election of the Designated Router DR and Backup designated Router BDR For point to point links this field shows one of the following values 1 point to point link 3 po...

Page 801: ...ions in this state or greater are called adjacencies Exchange The router is describing its entire link state database by sending Database Description packets to the neighbor Each Database Description packet has a DD sequence number and is explicitly acknowledged Only one Database Description packet can be outstanding at any time In this state Link State Request packets can also be sent asking for ...

Page 802: ... the interface Options OSPF Options Bit7 Bit0 unused 1 opaque 1 summary 1 dont_propagate 1 nssa 1 multicast 1 externals 1 tos 1 Type The area type which can be one of the following Broadcast 0x01 Point to Point 0x03 Virtual Link 0x04 Events OSPF Interface Event Interface_Up 0x00 Wait_Timer 0x01 Backup_Seen 0x02 Neighbor_Change 0x03 Loop_Indication 0x04 Unloop_Indication 0x05 Interface_Down 0x06 In...

Page 803: ...t Path_Type 10 65 12 1 255 255 255 255 1 0 Intra Adv_Router Link_State Dest_Type State Tag Flags 10 65 12 1 10 65 12 1 Asbr Valid 0 6000 Paths Out_Port Next_Hop Type State 1 v204 10 65 5 251 OSPF 21 01 2 v201 10 65 2 251 OSPF 20 d1 3 v202 10 65 3 251 OSPF 20 cd 4 v205 10 65 6 251 OSPF 00 00 OSPF Area Summary Routes 1 Destination Mask Path_Cost Type2_Cost Path_Type 10 65 0 0 255 255 0 0 0 0 Inter A...

Page 804: ...nation passes into another area Intra The path to the destination is entirely within the local area External1 The path to the destination is a type 1 external route External2 The path to the destination is a type 2 external route Adv_Router The OSPF router that advertised the route to this device Link State The link state from which the route was calculated Dest_Type The destination type which can...

Page 805: ...s External LSA table To determine an LSA packet s position in the table enter the show ip ospf external link state command to display the table The extensive option displays the LSAs in decrypted format NOTE You cannot use the extensive option in combination with other display options The entire database is displayed The link state id ip addr parameter displays the External LSAs for the LSA source...

Page 806: ...oute Router The router IP address Netmask The subnet mask of the network Metric The cost value of the route Flag State information for the route entry This information is used by Brocade technical support BigIron RX show ip ospf database link state Index Area ID Type LS ID Adv Rtr Seq Hex Age Cksum 1 0 Rtr 10 1 10 1 10 1 10 1 800060ef 3 0x4be2 2 0 Rtr 10 65 12 1 10 65 12 1 80005264 6 0xc870 3 0 Ne...

Page 807: ...rder routers ip addr The ip addr parameter displays the ABR and ASBR entries for the specified IP address Syntax show ip ospf border routers TABLE 118 CLI display of OSPF database link state information This field Displays Index ID of the entry Area ID ID of the OSPF area Type LS ID Link state type of the route Adv Rtr ID of the advertised route Seq Hex The sequence number of the LSA The OSPF neig...

Page 808: ...Index Displayed index number of the border router Router ID ID of the OSPF router Router type Type of OSPF router ABR or ASBR Next hop router ID of the next hop router Outgoing interface ID of the interface on the router for the outgoing route Area ID of the OSPF area to which the OSPF router belongs BigIron RX show ip ospf trap Interface State Change Trap Enabled Virtual Interface State Change Tr...

Page 809: ...rmation The following example relates to the configuration in Figure 109 Syntax show ip ospf virtual neighbor num The num parameter displays the table beginning at the specified entry number DeviceA R10 MG8 192 168 148 10 DeviceE R14 RX8 192 168 148 14 DeviceB R11 RX16 192 168 148 11 Area 1 Area 1 Area 2 Area 0 3A4 7 1 6 1 1 17 7 23 131 1 1 10 16 135 14 1 10 16 135 14 1 1 16 8 11 1 1 8 3A1 5 1 27 ...

Page 810: ...As from the network informing the helper routers of the completion of the restart process If the restarting router does not re establish adjacencies with the helper router within the restart time the helper router stops the helping function and flushes the stale OSPF routes Configuring OSPF graceful restart To configure OSPF Graceful Restart on a router the restarting router and its directly conne...

Page 811: ...uring a restart event The output is blank if the report is requested while the OSPF router is in normal operation The show ip ospf neighbor command displays the following information during normal operation The show ip ospf neighbor command displays the following information during a restart event on a helper router Note the in graceful restart state entry appears only during restart It does not a...

Page 812: ...r area 0 Use the show ip ospf neighbor command to display the state of the OSPF neighbors after enabling graceful restart For example BigIron RX sh ip ospf neigh Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 3 1 30 1 0 5 0 FULL OTHER 30 1 0 13 30 0 0 13 5 2 0 3 27 25 27 0 8 1 FULL DR 25 27 0 14 12 1 0 14 20 2 0 in graceful restart state helping 1 timer 104 sec v31 21 23 0 5 1 FULL DR 21...

Page 813: ...ync LSDB with its peers when the restart has completed BigIron RX 1 show ip ospf neigh Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 3 7 40 0 1 1 1 EXST DR 40 0 1 3 9 0 1 24 24 2 0 in graceful restart state helping 1 timer 112 sec BigIron RX 3 show ip ospf neighbor Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 2 2 40 0 10 1 1 EXST DR 40 0 10 3 8 0 0 23 23 2 0 in graceful rest...

Page 814: ...738 BigIron RX Series Configuration Guide 53 1002253 01 Displaying OSPF information 25 ...

Page 815: ... can use different Interior Gateway Protocols IGPs such as RIP and OSPF to communicate with one another However for routers in different ASs to communicate they need to use an EGP BGP4 is the standard EGP used by Internet routers and therefore is the EGP implemented on the device Figure 111 on page 739 shows a simple example of two BGP4 ASs Each AS contains three BGP4 routers All of the BGP4 route...

Page 816: ...her ASs through which a route passes BGP4 routers can use the AS path to detect and eliminate routing loops For example if a route received by a BGP4 router contains the AS that the router is in the router does not add the route to its own BGP4 table The BGP4 RFCs refer to the AS path as AS_PATH Additional path attributes A list of additional parameters that describe the route The route MED and ne...

Page 817: ...pe prefer the path with the lowest MED The device compares the MEDs of two otherwise equivalent paths if and only if the routes were learned from the same neighboring AS This behavior is called deterministic MED Deterministic MED is always enabled and cannot be disabled In addition you can enable the device to always compare the MEDs regardless of the AS information in the paths To enable this com...

Page 818: ...fer the route with the smallest RD value BGP4 message types BGP4 routers communicate with their neighbors other BGP4 routers using the following types of messages OPEN UPDATE KEEPALIVE NOTIFICATION ROUTE REFRESH OPEN message After a BGP4 router establishes a TCP connection with a neighboring BGP4 router the routers exchange OPEN messages An OPEN message indicates the following BGP version Indicate...

Page 819: ... advertised by the UPDATE message The prefix consists of an IP network number and the length of the network portion of the number For example an UPDATE message with the NLRI entry 192 215 129 0 18 indicates a route to IP network 192 215 129 0 with network mask 255 255 192 0 The binary equivalent of this mask is 18 consecutive one bits thus 18 in the NLRI entry Path attributes Parameters that indic...

Page 820: ...pe of message can be useful if an inbound route filtering policy has been changed Brocade implementation of BGP4 BGP4 is described in RFC 1771 and the latest BGP drafts The Brocade implementation fully complies with RFC 1771 and also supports the following RFC 1745 OSPF Interactions RFC 1997 BGP Communities Attributes RFC 2385 TCP MD5 Signature Option RFC 2439 Route Flap Dampening RFC 2796 Route R...

Page 821: ...he router bgp level The command requires you to specify the IPv4 or IPv6 network protocol The address family command also requires you to select a sub address family which is the type of routes for the configuration You specify multicast or unicast routes FIGURE 112 BGP configuration levels Table 26 1 shows what commands are available at the various BGP configuration levels TABLE 120 IPv4 BGP comm...

Page 822: ...nce x Changing administrative distances on page 767 enforce first as x Requiring the first AS to be the neighbor s AS on page 768 exit address family x x x Entering and exiting the address family configuration level on page 751 fast external fallover x Enabling fast external fallover on page 768 local as x Setting the local AS number on page 769 maximum paths x Changing the maximum number of share...

Page 823: ...ticast IPv6 Address Family Unicast See address family x x x x Entering and exiting the address family configuration level on page 751 address filter x Filtering specific IP addresses on page 751 aggregate address x x x Aggregating routes advertised to BGP4 neighbors on page 759 always compare med x Configuring the device to always compare MEDs on page 759 as path filter x as path ignore x Disablin...

Page 824: ... worst x Treating missing MEDs as the worst MEDs on page 770 multipath x x Customizing BGP4 load sharing on page 770 neighbor x x x x Configuring BGP4 neighbors on page 771 Configuring a BGP4 peer group on page 778 network x x x Specifying a list of networks to advertise on page 781 next hop enable defaul t x x Using the IP default route as a valid next hop for a BGP4 route on page 782 next hop re...

Page 825: ...BGP neighbor to be the neighbor s AS Change MED comparison parameters Disable comparison of the AS Path length Enable comparison of the router ID Enable next hop recursion Change the default metric Disable or re enable route reflection Configure confederation parameters Disable or re enable load sharing Change the maximum number of load sharing paths Change other load sharing parameters Define rou...

Page 826: ...he BGP4 protocol For information on the local AS number refer to Setting the local AS number on page 769 NOTE By default the Brocade router ID is the IP address configured on the lowest numbered loopback interface If the device does not have a loopback interface the default router ID is the lowest numbered IP interface address configured on the device For more information refer to Changing the rou...

Page 827: ...onfiguration level The BGP address family has a unicast or multicast sub level To enter the IPv4 BGP unicast address family configuration level enter the following command BigIron RX config bgp address family ipv4 unicast BigIron RX config bgp NOTE The CLI prompt for the global BGP level and the BGP address family IPv4 unicast level are the same To enter the IPv4 BGP multicast address family confi...

Page 828: ...ter the default action for addresses that do not match a filter is deny To change the default action to permit configure the last filter as permit any any The ip addr parameter specifies the IP address If you want the filter to match on all addresses enter any The wildcard parameter specifies the portion of the IP address to match against The wildcard is a four part value in dotted decimal notatio...

Page 829: ...s true the device stops and does not continue applying filters from the list NOTE If the filter is referred to by a route map s match statement the filter is applied in the order in which the filter is listed in the match statement The permit deny parameter indicates the action the router takes if the filter match is true If you specify permit the router permits the route into the BGP4 table if th...

Page 830: ...nfederations on page 762 The no advertise keyword filters for routes with the well known community NO_ADVERTISE A route in this community should not be advertised to any BGP4 neighbors The no export keyword filters for routes with the well known community NO_EXPORT A route in this community should not be advertised to any BGP4 neighbors outside the local AS If the router is a member of a confedera...

Page 831: ...twork prefix telling a remote router to drop all traffic for this network prefix by redistributing a null0 route into BGP Figure 113 shows a topology for a null0 routing application example FIGURE 113 Sample Null0 routing application The following steps configure a null0 routing application for stopping denial of service attacks from remote hosts on the internet Configuration steps 1 Select one ro...

Page 832: ...00 BigIron RX config bgp router neighbor router3_int_ip address remote as 100 BigIron RX config bgp router neighbor router4_int_ip address remote as 100 BigIron RX config bgp router neighbor router5_int_ip address remote as 100 BigIron RX config bgp router neighbor router7_int_ip address remote as 100 BigIron RX config bgp router redistribute static route map blockuser BigIron RX config bgp router...

Page 833: ...s remote as 100 BigIron RX config bgp router neighbor router7_int_ip address remote as 100 After configuring the null0 application you can display the configuration using the show ip route static show ip bgp route and show ip route commands For example when you issue the show ip route static command on Router 6 you see the following output Entering a show ip route static on Router 1 and Router 2 d...

Page 834: ...6 115 0 0 96 28 30 0 1 3 100 0 I AS_PATH 50 37 115 0 0 192 27 192 168 0 1 1 10000000 32768 BL AS_PATH 64 120 0 7 0 24 70 0 1 3 100 0 I AS_PATH 10 65 120 0 14 0 23 192 168 0 1 1 1000000 32768 BL AS_PATH BigIron RX show ip route Total number of IP routes 133 Type Codes B BGP D Connected S Static R RIP O OSPF Cost Dist Metric Destination Gateway Port Cost Type 1 9 0 1 24 32 DIRECT loopback 1 0 0 D 2 ...

Page 835: ...rmation for all the routes in the aggregate address into a single AS path The summary only parameter prevents the router from advertising more specific routes contained within the aggregate route The suppress map map name parameter prevents the more specific routes contained in the specified route map from being advertised The advertise map map name parameter configures the router to advertise the...

Page 836: ... enter the following command BigIron RX config bgp always compare med Syntax no always compare med The following BGP command directs BGP to take the MED value into consideration even if the route has an empty as path path attribute BigIron RX config router bgp BigIron RX config bgp router compare med empty aspath Syntax no compare med empty aspath Disabling or re enabling comparison of the AS path...

Page 837: ...he following command to re enable the feature BigIron RX config bgp client to client reflection Syntax no client to client reflection Configuring a route reflector You can configure one cluster ID on the router All route reflector clients for the router are members of the cluster To configure a device as route reflector 1 enter the following command BigIron RX config bgp cluster id 1 Syntax no clu...

Page 838: ...so that each BGP router has BGP sessions to all the other BGP routers within the AS This is feasible in smaller ASs but becomes unmanageable in ASs containing many BGP routers When you configure BGP routers into a confederation all the routers within a sub AS a subdivision of the AS use IBGP and must be fully meshed However routers use EBGP to communicate between different sub ASs NOTE Another met...

Page 839: ...n each BGP router within the confederation Configure the local AS number The local AS number indicates membership in a sub AS All BGP routers with the same local AS number are members of the same sub AS BGP routers use the local AS number when communicating with other BGP routers within the confederation Configure the confederation ID The confederation ID is the AS number by which BGP routers outs...

Page 840: ...confederation ID when communicating with routers outside the confederation The confederation ID must be different from the sub AS numbers You can specify a number from 1 65535 Syntax confederation peers num num The num parameter with the confederation peers command indicates the sub AS numbers for the sub ASs in the confederation You may list all sub ASs in the confederation Also you must specify ...

Page 841: ...for a one flap The suppress parameter specifies how high a route s penalty can become before the device suppresses the route You can set the suppression threshold to a value from 1 20000 The default is 2000 more than two flaps The max suppress time parameter specifies the maximum number of minutes that a route can be suppressed regardless of how unstable it is You can set the maximum suppression t...

Page 842: ... preference is chosen NOTE To set the local preference for individual routes use route maps Refer to Defining route maps on page 801 Refer to How BGP4 selects a path for a route on page 740 for information about the BGP4 algorithm To change the default local preference to 200 enter the following command BigIron RX config bgp default local preference 200 Syntax default local preference num The num ...

Page 843: ...rces such as static IP routes RIP or OSPF the BGP4 paths are installed in the IP route table Here are the default administrative distances on the BigIron RX Directly connected 0 this value is not configurable Static 1 is the default and applies to all static routes including default routes This can be assigned a different value EBGP 20 OSPF 110 ISIS 115 RIP 120 IBGP 200 Local BGP 200 Unknown 255 t...

Page 844: ...ne AS to appear to also be a member of another AS This feature is useful for example if Company A purchases Company B but Company B does not want to modify its peering configurations This feature can only be used for true EBGP peers When establishing a BGP connection the router will use the configured neighbor local AS instead of the system AS number For example if you want a router to use AS 200 ...

Page 845: ...4 router is in To set the local AS number enter commands such as the following BigIron RX config router bgp BGP4 Please configure local as parameter in order to enable BGP4 BigIron RX config bgp local as 10 BigIron RX config bgp write memory Syntax no local as num The num parameter specifies the local AS number 1 65535 There is no default AS numbers 64512 65535 are the well known private BGP4 AS n...

Page 846: ...sed on other criteria For example a route path with no MED can be selected if its weight is larger than the weights of the other route paths Customizing BGP4 load sharing By default when BGP4 load sharing is enabled both IBGP and EBGP paths are eligible for load sharing while paths from different neighboring ASs are not eligible You can change load sharing to apply only to IBGP or EBGP paths or to...

Page 847: ... the neighbor s IP address If you want to completely configure the neighbor parameters before the device establishes a session with the neighbor you can administratively shut down the neighbor Refer to Administratively shutting down a session with a BGP4 neighbor on page 781 NOTE When a route map prefix list or as path ACL is modified BGP will be notified Outbound route polices will be updated aut...

Page 848: ...the capability both capabilities are enabled The prefixlist parameter specifies the type of filter you want to send to the neighbor For more information refer to Configuring cooperative BGP4 route filtering on page 809 NOTE The current release supports cooperative filtering only for filters configured using IP prefix lists default originate route map map name configures the device to send the defa...

Page 849: ...e default behavior configure the last filter or ACL as permit any any NOTE The AS path filter or ACL must already be configured Refer to Filtering AS paths on page 795 maximum prefix num specifies the maximum number of IP network prefixes routes that can be learned from the specified neighbor or peer group You can specify a value from 0 4294967295 The default is 0 unlimited The num parameter speci...

Page 850: ...er specifies the AS the remote neighbor is in The as number can be a number from 1 65535 There is no default remove private as configures the router to remove private AS numbers from UPDATE messages the router sends to this neighbor The router will remove AS numbers 64512 65535 the well known BGP4 private AS numbers from the AS path attribute in UPDATE messages the device sends to the neighbor Thi...

Page 851: ...been suppressed due to aggregation and allow the routes to be advertised to a specific neighbor or peer group Here is an example In the example above the aggregate address command configures an aggregate address of 209 1 0 0 255 255 0 0 and the summary only parameter prevents the device from advertising more specific routes contained within the aggregate route Entering a show ip bgp route command ...

Page 852: ...cation string on an individual neighbor or peer group basis By default the MD5 authentication strings are displayed in encrypted format in the output of the following commands show running config or write terminal show configuration show ip bgp config When encryption of the authentication string is enabled the string is encrypted in the CLI regardless of the access level you are using In addition ...

Page 853: ...umber If the password contains a number do not enter a space following the number The 0 1 parameter is the encryption option which you can omit the default or which can be one of the following 0 Disables encryption for the authentication string you specify with the command The password or string is shown as clear text in the output of commands that display neighbor or peer group configuration info...

Page 854: ...A peer group is a set of BGP4 neighbors that share common parameters Peer groups provide the following benefits Simplified neighbor configuration You can configure a set of neighbor parameters and then apply them to multiple neighbors You do not need to individually configure the common parameters individually on each neighbor Flash memory conservation Using peer groups instead of individually con...

Page 855: ...value you set in the peer group If you add a parameter to a peer group that already contains neighbors the parameter value is applied to neighbors that do not already have the parameter explicitly set If a neighbor has the parameter explicitly set the explicitly set value overrides the value you set for the peer group If you remove the setting for a parameter from a peer group the value for that p...

Page 856: ...eer group name you are configuring a peer group If you specify a neighbor s IP address you are configuring that individual neighbor Use the ip addr parameter if you are configuring an individual neighbor instead of a peer group Refer to Configuring BGP4 neighbors on page 771 and Configuring a BGP4 peer group on page 778 The remaining parameters are the same ones supported for individual neighbors ...

Page 857: ...outes learned from the neighbor Unlike this clear option the option for shutting down the neighbor can be saved in the startup configuration file and thus can prevent the device from establishing a BGP4 session with the neighbor even after reloading the software NOTE If you notice that a particular BGP4 neighbor never establishes a session with the device check the device s running configuration a...

Page 858: ...nds such as the following BigIron RX config route map set_net permit 1 BigIron RX config routemap set_net set community no export BigIron RX config routemap set_net exit BigIron RX config router bgp BigIron RX config bgp network 100 100 1 0 24 route map set_net The first two commands in this example create a route map named set_net that sets the community attribute for routes that use the route ma...

Page 859: ...through an IGP route This can occur when the IGPs do not learn a complete set of IGP routes resulting in the device learning about an internal route through IBGP instead of through an IGP In this case the IP route table does not contain a route that can be used to reach the BGP route s destination To enable the device to find the IGP route to a BGP route s next hop gateway enable recursive next ho...

Page 860: ...looks up the next hop gateways along the route until the device finds an IGP route to the BGP route s destination Here is an example BigIron RX show ip bgp route Total number of BGP Routes 5 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED Prefix Next Hop Metric LocPrf Weight Status 1 0 0 0 0 0 10 1 0 2 0 100 0 BI AS_PATH 65001...

Page 861: ... show ip bgp route Total number of BGP Routes 5 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED Prefix Next Hop Metric LocPrf Weight Status 1 0 0 0 0 0 10 1 0 2 0 100 0 BI AS_PATH 65001 4355 701 80 2 102 0 0 0 24 10 0 0 1 1 100 0 BI AS_PATH 65001 4355 1 3 104 0 0 0 24 10 1 0 2 0 100 0 BI AS_PATH 65001 4355 701 1 189 4 240 0 0 ...

Page 862: ...ribute ospf BigIron RX config bgp redistribute connected BigIron RX config bgp write memory Syntax no redistribute connected ospf rip isis static The connected parameter indicates that you are redistributing routes to directly attached devices into BGP The ospf parameter indicates that you are redistributing OSPF routes into BGP4 NOTE Entering redistribute ospf simply redistributes internal OSPF r...

Page 863: ...g route maps Redistributing RIP routes To configure BGP4 to redistribute RIP routes and add a metric of 10 to the redistributed routes enter the following command BigIron RX config bgp redistribute rip metric 10 Syntax redistribute rip metric num route map map name The rip parameter indicates that you are redistributing RIP routes into BGP4 The metric num parameter changes the metric You can speci...

Page 864: ...e software uses only the route map for filtering Redistributing ISIS To configure the device to redistribute ISIS routes enter the following command BigIron RX config bgp redistribute isis level 1 Syntax redistribute isis level 1 level 1 2 level 2 metric num route map map name The isis parameter indicates that you are redistributing ISIS routes into BGP4 The level 1 parameter redistributes ISIS ro...

Page 865: ...y calling an existing route map a table map You can have one table map NOTE Use table maps only for setting the tag value Do not use table maps to set other attributes To set other route attributes use route maps or filters To create a route map and identify it as a table map enter commands such as following These commands create a route map that uses an address filter For routes that match the IP...

Page 866: ...he update timer to a value from 1 30 seconds To change the BGP4 update timer value enter a command such as the following at the BGP configuration level of the CLI BigIron RX config bgp update time 15 This command changes the update timer to 15 seconds Syntax no update time secs The secs parameter specifies the number of seconds and can be from 1 30 The default is 5 Changing the router ID The OSPF ...

Page 867: ...s up regardless of the states of physical interfaces Loopback interfaces are especially useful for IBGP neighbors neighbors in the same AS that are multiple hops away from the router When you configure a BGP4 neighbor on the router you can specify whether the router uses the loopback interface to communicate with the neighbor As long as a path exists between the router and its neighbor BGP4 inform...

Page 868: ...ng IP load sharing on page 209 Configuring route reflection parameters Normally all the BGP routers within an AS are fully meshed Each of the routers has an IBGP session with each of the other BGP routers in the AS Each IBGP router thus has a route for each of its IBGP neighbors For large ASs containing many IBGP routers the IBGP route information in each of the fully meshed IBGP routers can intro...

Page 869: ...ctor becomes unavailable its clients are cut off from BGP4 updates AS1 contains a cluster with two route reflectors and two clients The route reflectors are fully meshed with other BGP4 routers but the clients are not fully meshed They rely on the route reflectors to propagate BGP4 route updates FIGURE 115 Example route reflector configuration Support for RFC 2796 Route reflection is based on RFC ...

Page 870: ...nfigure route reflector 2 enter the same commands on the device that will be route reflector 2 The clients require no configuration for route reflection BigIron RX config bgp cluster id 1 BigIron RX config bgp neighbor 10 0 1 0 route reflector client BigIron RX config bgp neighbor 10 0 2 0 route reflector client Syntax no cluster id num ip addr The num ip addr parameter specifies the cluster ID an...

Page 871: ...cl1 permit 100 BigIron RX config router bgp BigIron RX config bgp neighbor 10 10 10 1 filter list 1 in The ip as path command configures an AS path ACL that permits routes containing AS number 100 in their AS paths The neighbor command then applies the AS path ACL to advertisements and updates received from neighbor 10 10 10 1 In this example the only routes the device permits from neighbor 10 10 ...

Page 872: ...ial characters Table 26 2 on page 26 45 lists the special characters The description for each special character includes an example Notice that you place some special characters in front of the characters they control but you place other special characters after the characters they control In each case the examples show where to place the special character TABLE 122 BGP4 special characters for reg...

Page 873: ...patterns For example the following regular expression matches on an AS path that contains 1 2 3 4 or 5 1 5 You can use the following expression symbols within the brackets These symbols are allowed only inside the brackets The caret matches on any characters except the ones in the brackets For example the following regular expression matches on an AS path that does not contain 1 2 3 4 or 5 1 5 The...

Page 874: ...Ls at the same time Use one method or the other but do not mix methods NOTE Once you define a filter or ACL the default action for communities that do not match a filter or ACL is deny To change the default action to permit configure the last filter or ACL entry as permit any any Community filters or ACLs can be referred to by match statements in a route map Defining a community ACL To configure c...

Page 875: ...ssion parameter specifies a regular expression for matching on community names For information about regular expression syntax refer to Using regular expressions on page 796 You can specify a regular expression only in an extended community ACL To use a community list filter use route maps with the match community parameter Defining and applying IP prefix lists An IP prefix list specifies a list o...

Page 876: ...ue you specify must meet the following condition length ge value le value 32 If you do not specify ge ge value or le le value the prefix list matches only on the exact network prefix you specify with the network addr mask bits parameter For the syntax of the neighbor command shown in the example above refer to Configuring BGP4 neighbors on page 771 and Configuring a BGP4 peer group on page 778 Def...

Page 877: ...e last instance of the route map to permit any any If there is no match statement the software considers the route to be a match For route maps that contain address filters AS path filters or community filters if the action specified by a filter conflicts with the action specified by the route map the route map s action takes precedence over the individual filter s action If the route map contains...

Page 878: ...example the command prompt changes to the Route Map level You can enter the match and set statements at this level Refer to Specifying the match conditions on page 803 and Setting parameters in the routes on page 806 The map name is a string of characters that names the map Map names can be up to 32 characters in length The permit deny parameter specifies the action the router will take if a route...

Page 879: ... types of filters use commands at the BGP configuration level To configure an address filter refer to Filtering specific IP addresses on page 751 To configure an AS path filter or AS path ACL refer to Filtering AS paths on page 795 To configure a community filter or community ACL refer to Filtering communities on page 798 You can enter up to six community names on the same command line NOTE The fi...

Page 880: ... up to five AS path ACLs To configure an AS path ACL use the ip as path access list command Refer to Defining an AS path ACL on page 795 Matching based on community ACL To construct a route map that matches based on community ACL 1 enter the following commands BigIron RX config ip community list 1 permit 123 2 BigIron RX config route map CommMap permit 1 BigIron RX config routemap CommMap match co...

Page 881: ...ved from 192 168 6 0 24 The remaining commands configure a route map that matches on all BGP4 routes advertised by the BGP4 neighbors whose addresses match addresses in the IP prefix list You can add a set statement to change a route attribute in the routes that match You also can use the route map as input for other commands such as the neighbor and network commands and some show commands Syntax ...

Page 882: ...h on each route that matches the corresponding match statement BigIron RX config routemap GET_ONE set as path prepend 65535 Syntax set as path prepend as num as num automatic tag comm list acl delete community num num num internet local as no advertise no export dampening half life reuse suppress max suppress time ip next hop ip addr ip next hop peer address local preference num metric num none me...

Page 883: ...the route s metric to the number you specify set metric num Increases route s metric by the number you specify set metric num Decreases route s metric by the number you specify set metric none Removes the metric from the route removes the MED attribute from the BGP4 route The metric type type 1 type 2 parameter changes the metric type of a route redistributed into OSPF The metric type internal par...

Page 884: ...at the software substitutes for peer address depends on whether the route map is used for inbound filtering or outbound filtering When you use the set ip next hop peer address command in an inbound route map filter peer address substitutes for the neighbor s IP address When you use the set ip next hop peer address command in an outbound route map filter peer address substitutes for the local IP ad...

Page 885: ...vice to send ORFs to the neighbor to receive ORFs from the neighbor or both The neighbor uses the ORFs you send as outbound filters when it sends routes to the device Likewise the device uses the ORFs it receives from the neighbor as outbound filters when sending routes to the neighbor Reset the BGP4 neighbor session to send and receive ORFs Perform these steps on the other device NOTE If the devi...

Page 886: ... change into effect after activating cooperative filtering perform a soft reset of the neighbor session A soft reset does not end the current session but sends the prefix list to the neighbor in the next route refresh message NOTE Make sure cooperative filtering is enabled on the device and on the neighbor before you send the filters To reset a neighbor session and send ORFs to the neighbor enter ...

Page 887: ... s state changes reduce enough to meet an acceptable degree of stability The Brocade implementation of route flap dampening is based on RFC 2439 Route flap dampening is disabled by default You can enable the feature globally or on an individual route basis using route maps BigIron RX show ip bgp neighbor 10 10 10 1 1 IP Address 10 10 10 1 AS 65200 IBGP RouterID 10 10 10 1 State ESTABLISHED Time 0h...

Page 888: ...configure the half life to be from 1 45 minutes The default is 15 minutes Reuse threshold Specifies the minimum penalty a route can have and still be suppressed by the device If the route s penalty falls below this value the device un suppresses the route and can use it again The software evaluates the dampened routes every ten seconds and un suppresses the routes that have penalties below the reu...

Page 889: ...ate this route map with a specific neighbor the route map enables dampening for all routes associated with the neighbor You also can use match statements within the route map to selectively perform dampening on some routes from the neighbor NOTE You still need to configure the first route map to enable dampening globally The second route map does not enable dampening by itself it just applies damp...

Page 890: ... map the second route map has no effect The last two commands apply the route maps The dampening route map command applies the first route map which enables dampening globally The neighbor command applies the second route map to neighbor 10 10 10 1 Since the second route map does not contain match statements for specific routes the route map enables dampening for all routes received from the neigh...

Page 891: ...ield Displays Total number of flapping routes The total number of routes in the device s BGP4 route table that have changed state and thus have been marked as flapping routes Status code Indicates the dampening status of the route which can be one of the following This is the best route among those in the BGP4 route table to the route s destination d This route is currently dampened and thus unusa...

Page 892: ...ting route information and resetting a neighbor session The following sections describe ways to update route information with a neighbor reset the session with a neighbor and close a session with a neighbor Any change to a policy ACL route map and so on is automatically applied to outbound routes that are learned from a BGP4 neighbor or peer group after the policy change occurs However for existin...

Page 893: ... in the future To use soft reconfiguration Enable the feature Make the policy changes Apply the changes by requesting a soft reset of the inbound updates from the neighbor or group Enabling soft reconfiguration To configure a neighbor for soft reconfiguration enter a command such as the following BigIron RX config bgp neighbor 10 10 200 102 soft reconfiguration inbound This command enables soft re...

Page 894: ...IP address of the destination network The as path access list num parameter specifies an AS path ACL Only the routes permitted by the AS path ACL are displayed The detail parameter displays detailed information for the routes The example above shows summary information You can specify any of the other options after detail to further refine the display request The prefix list string parameter speci...

Page 895: ...8 for Multi protocol Extension RFC 2918 which describes the dynamic route refresh capability The dynamic route refresh capability is enabled by default and cannot be disabled When the device sends a BGP4 OPEN message to a neighbor the device includes a Capability Advertisement to inform the neighbor that the device supports dynamic route refresh NOTE The option for dynamically refreshing routes re...

Page 896: ...e session with the neighbor Refer to Using soft reconfiguration on page 817 If you did not enable soft reconfiguration soft in requests the neighbor s entire BGP4 route table Adj RIB Out then applies the filters to add change or exclude routes If a neighbor does not support dynamic refresh soft in resets the neighbor session soft out updates all outbound routes then sends the device s entire BGP4 ...

Page 897: ...en sent to and received from the neighbor The statistic is cumulative across sessions Closing or resetting a neighbor session You can close a neighbor session or resend route updates to a neighbor BigIron RX config bgp show ip bgp neighbor 10 4 0 2 1 IP Address 10 4 0 2 AS 5 EBGP RouterID 100 0 0 1 Description neighbor 10 4 0 2 State ESTABLISHED Time 0h1m0s KeepAliveTime 0 HoldTime 0 PeerGroup pg1...

Page 898: ... using the soft outbound option removes that route from the neighbor You can specify a single neighbor or a peer group To close a neighbor session and thus flush all the routes exchanged by the device and the neighbor enter the following command BigIron RX clear ip bgp neighbor all Syntax clear ip bgp neighbor all ip addr peer group name as num soft outbound soft in out The all ip addr peer group ...

Page 899: ...s Syntax clear ip bgp flap statistics regular expression regular expression address mask neighbor ip addr The parameters are the same as those for the show ip bgp flap statistics command except the longer prefixes option is not supported Refer to Displaying route flap dampening statistics on page 849 NOTE The clear ip bgp damping command not only clears statistics but also un suppresses the routes...

Page 900: ...ns no data You can clear the buffers for all neighbors for an individual neighbor or for all the neighbors within a specific peer group To clear these buffers for neighbor 10 0 0 1 enter the following commands BigIron RX clear ip bgp neighbor 10 0 0 1 last packet with error BigIron RX clear ip bgp neighbor 10 0 0 1 notification errors Syntax clear ip bgp neighbor all ip addr peer group name as num...

Page 901: ...ng the maximum number of shared BGP4 paths on page 769 Number of Neighbors Configured The number of BGP4 neighbors configured on this device and currently in established state Number of Routes Installed The number of BGP4 routes in the router s BGP4 route table To display the BGP4 route table refer to Displaying the BGP4 route table on page 841 Number of Routes Advertising to All Neighbors The tot...

Page 902: ...nection from the neighbor If the state frequently changes between CONNECT and ACTIVE there may be a problem with the TCP connection OPEN SENT BGP4 is waiting for an Open message from the neighbor OPEN CONFIRM BGP4 has received an OPEN message from the neighbor and is now waiting for either a KEEPALIVE or NOTIFICATION message If the router receives a KEEPALIVE message from the neighbor the state ch...

Page 903: ...or 2000 1 1 2 remote as 400 neighbor 4444 1 remote as 300 address family ipv4 unicast no neighbor 1000 2 1 1 activate no neighbor 2000 1 1 2 activate no neighbor 4444 1 activate exit address family address family ipv4 multicast exit address family address family ipv6 unicast redistribute static neighbor 1000 2 1 1 activate neighbor 2000 1 1 2 activate neighbor 4444 1 activate exit address family e...

Page 904: ...ces such as OSPF RIP or static IP routes Unreachable Routes The number of routes received from the neighbor that are unreachable because the device does not have a valid RIP OSPF or static route to the next hop History Routes The number of routes that are down but are being retained for route flap dampening purposes NLRIs Received in Update Message The number of routes received in Network Layer Re...

Page 905: ...e has advertised to this neighbor To be Sent The number of routes the device has queued to send to this neighbor To be Withdrawn The number of NLRIs for withdrawing routes the device has queued up to send to this neighbor in UPDATE messages NLRIs Sent in Update Message The number of NLRIs for new routes the device has sent to this neighbor in UPDATE messages Withdraws The number of routes the devi...

Page 906: ...dr net mask detail routes summary The ip addr option lets you narrow the scope of the command to a specific neighbor The advertised routes option displays only the routes that the device has advertised to the neighbor during the current BGP4 neighbor session BigIron RX config bgp show ip bgp neighbor 10 4 0 2 1 IP Address 10 4 0 2 AS 5 EBGP RouterID 100 0 0 1 Description neighbor 10 4 0 2 State ES...

Page 907: ...le because the device received better routes from other sources such as OSPF RIP or static IP routes unreachable Displays the routes that are unreachable because the device does not have a valid RIP OSPF or static route to the next hop detail Displays detailed information for the specified routes You can refine your information request by also specifying one of the options above best not installed...

Page 908: ...EN CONFIRM BGP4 has received an OPEN message from the neighbor and is now waiting for either a KEEPALIVE or NOTIFICATION message If the router receives a KEEPALIVE message from the neighbor the state changes to Established If the message is a NOTIFICATION the state changes to Idle ESTABLISHED BGP4 is ready to exchange UPDATE messages with the neighbor NOTE If there is more BGP data in the TCP rece...

Page 909: ...ltering Distribute list Lists the distribute list parameters if configured Filter list Lists the filter list parameters if configured Prefix list Lists the prefix list parameters if configured Route map Lists the route map parameters if configured Messages Sent The number of messages this router has sent to the neighbor The display shows statistics for the following message types Open Update KeepA...

Page 910: ...ity UPDATE Message Error Malformed Attribute List Unrecognized Well known Attribute Missing Well known Attribute Attribute Flags Error Attribute Length Error Invalid ORIGIN Attribute Invalid NEXT_HOP Attribute Optional Attribute Error Invalid Network Field Malformed AS_PATH Hold Timer Expired Finite State Machine Error Rcv Notification Last Connection Reset Reason cont Reasons specific to the Broc...

Page 911: ...chronized Bad Message Length Bad Message Type Unspecified Open Message Error Unsupported Version Bad Peer As Bad BGP Identifier Unsupported Optional Parameter Authentication Failure Unacceptable Hold Time Unspecified Update Message Error Malformed Attribute List Unrecognized Attribute Missing Attribute Attribute Flag Error Attribute Length Error Invalid Origin Attribute Invalid NextHop Attribute O...

Page 912: ...eviously sent to the remote TCP which includes an acknowledgment of its connection termination request TIME WAIT Waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request CLOSED There is no connection state Byte Sent The number of bytes sent Byte Received The number of bytes received Local host The IP address of the device Local por...

Page 913: ...tion enter a command such as the following at any level of the CLI TotalRcv The number of sequence numbers received from the neighbor DupliRcv The number of duplicate sequence numbers received from the neighbor RcvWnd The size of the receive window SendQue The number of sequence numbers in the send queue RcvQue The number of sequence numbers in the receive queue CngstWnd The number of times the wi...

Page 914: ...s not have a valid RIP OSPF or static route to the next hop History Routes The number of routes that are down but are being retained for route flap dampening purposes NLRIs Received in Update Message The number of routes received in Network Layer Reachability NLRI format in UPDATE messages Withdraws The number of withdrawn routes the device has received Replacements The number of replacement route...

Page 915: ...o the neighbor to withdraw Replacements The number of routes the device has sent to the neighbor to replace routes the neighbor already has Peer Out of Memory Count for Statistics for the times the device has run out of BGP4 memory for the neighbor during the current BGP4 session Receiving Update Messages The number of times UPDATE messages were discarded because there was no memory for attribute ...

Page 916: ...y the parameters that have values different from their defaults are listed Displaying summary route information To display summary statistics for all the routes in the device s BGP4 route table enter a command such as the following at any level of the CLI Syntax show ip bgp routes summary BigIron RX config bgp show ip bgp neighbor 192 168 4 211 rib out routes 192 168 1 0 24 Status A AGGREGATE B BE...

Page 917: ... in the BGP4 route table that this device originated Routes selected as BEST routes The number of routes in the BGP4 route table that this device has selected as the best routes to the destinations BEST routes not installed in IP forwarding table The number of BGP4 routes that are the best BGP4 routes to their destinations but were not installed in the IP route table because the device received be...

Page 918: ...wo five digit integer values of up to 1 65535 separated by a colon for example 12345 6789 or a single long integer value The community access list num parameter filters the display using the specified community ACL The community list option lets you display routes that match a specific community filter The detail option lets you display more details about the routes You can refine your request by ...

Page 919: ... 844 The fields in this display also appear in the show ip bgp display Displaying information for a specific route To display BGP4 network information by specifying an IP address within the network enter a command such as the following at any level of the CLI BigIron RX config bgp show ip bgp routes best Searching for matching routes use C to quit Status A AGGREGATE B BEST b NOT INSTALLED BEST C C...

Page 920: ...When the BGP4 algorithm compares routes on the basis of local preferences the route with the higher local preference is chosen The preference can have a value from 0 4294967295 Weight The value that this router associates with routes from a specific neighbor For example if the router receives routes to the same destination from two BGP4 neighbors the router prefers the route from the neighbor with...

Page 921: ... better routes from other sources such as OSPF RIP or static IP routes C CONFED_EBGP The route was learned from a neighbor in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is currently unusable H HISTORY Route dampening is configured for this route and the route has a history of flapping and...

Page 922: ...s learned from a neighbor in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is currently unusable H HISTORY Route dampening is configured for this route and the route has a history of flapping and is unreachable now I INTERNAL The route was learned through BGP4 L LOCAL The route originated on...

Page 923: ...rred over INCOMPLETE Weight The value that this router associates with routes from a specific neighbor For example if the router receives routes to the same destination from two BGP4 neighbors the router prefers the route from the neighbor with the larger weight Atomic Whether network information in this route has been aggregated and this aggregation has resulted in information loss NOTE Informati...

Page 924: ...rs through which this set of attributes has passed Aggregator Aggregator information AS Number shows the AS in which the network information in the attribute set was aggregated This value applies only to aggregated routes and is otherwise 0 Router ID shows the router that originated this aggregator Atomic Whether the network information in this set of attributes has been aggregated and this aggreg...

Page 925: ... regular expressions are the same ones supported for BGP4 AS path filters Refer to Using regular expressions on page 796 Communities The communities that routes with this set of attributes are in AS Path The ASs through which routes with this set of attributes have passed The local AS is shown in parentheses TABLE 131 BGP4 route attribute entries information Continued This field Displays BigIron R...

Page 926: ... running configuration without displaying the entire running configuration To display the device s active route map configuration enter the following command at any level of the CLI BigIron RX show route map route map permitnet4 permit 10 match ip address prefix list plist1 route map permitnet1 permit 1 match ip address prefix list plist2 route map setcomm permit 1 set community 1234 2345 no expor...

Page 927: ...ularly this can degrade performance significantly and limit the availability of network resources BGP graceful restart dampens the network topology changes and limits route flapping by allowing routes to remain available between routers during a restart BGP Graceful restart operates between a router and its peers and must be configured on both the router and its peers A BGP router with graceful re...

Page 928: ...seconds variable sets the maximum number of seconds the restarting router will take to restart Also the peer routers waits this number of seconds to re establish BGP connection and to keep using the learned routes from the restarting router Enter 10 3600 seconds The default value is 120 seconds Configuring BGP graceful restart stale routes timer Use the following command to specify the maximum amo...

Page 929: ...onfig bgp local as 200 BigIron RX config bgp graceful restart BigIron RX config bgp neighbor 12 1 0 14 remote as 100 BigIron RX config bgp neighbor 12 3 0 14 remote as 300 BigIron RX config bgp write memory Router 3 BigIron RX config router bgp BigIron RX config bgp local as 300 BigIron RX config bgp graceful restart BigIron RX config bgp neighbor 12 2 0 14 remote as 100 BigIron RX config bgp writ...

Page 930: ... on GTSM protection see RFC 3682 To enable GTSM protection for neighbor 192 168 9 210 enter the following command BigIron RX config bgp router neighbor 192 168 9 210 ebgp btsh BigIron RX show ip bgp neighbor 11 11 11 2 1 IP Address 11 11 11 2 Remote AS 101 EBGP RouterID 101 101 101 1 Local AS 200 State ESTABLISHED Time 0h18m15s KeepAliveTime 60 HoldTime 180 KeepAliveTimer Expire in 44 seconds Hold...

Page 931: ...on Guide 855 53 1002253 01 Generalized TTL security mechanism support 26 Syntax no neighbor ip addr peer group name ebgp btsh NOTE For GTSM protection to work properly it must be enabled on both the Brocade device and the neighbor ...

Page 932: ...856 BigIron RX Series Configuration Guide 53 1002253 01 Generalized TTL security mechanism support 26 ...

Page 933: ...ains both a unicast topology and a multicast topology The unicast and multicast router in this example receives unicast and multicast routes from the Internet The router advertises the multicast routes to the multicast router and advertises the unicast routes to the unicast router Likewise the unicast and multicast router can advertise unicast routes received from the unicast router to the Interne...

Page 934: ...lso need to specify the local AS number 3 Identify the neighboring MBGP routers 4 Optional Configure an MBGP default route 5 Optional Configure an IP multicast static route 6 Optional Configure an MBGP aggregate address 7 Optional Configure a route map to apply routing policy to multicast routes 8 Save the configuration changes to the startup config file Setting the maximum number of multicast rou...

Page 935: ...ly ipv4 multicast Adding MBGP neighbors To add an MBGP neighbor enter a command such as the following BigIron RX config bgp ipv4m neighbor 1 2 3 4 remote as 44 This command adds a router with IP address 1 2 3 4 as an MBGP neighbor The remote as 44 parameter specifies that the neighbor is in remote BGP4 AS 44 The device will exchange only multicast routes with the neighbor NOTE If the BigIron RX ha...

Page 936: ...s a session with the neighbor you can administratively shut down the neighbor Optional configuration tasks The following sections describe how to perform some optional BGP4 configuration tasks NOTE This section shows some of the more common optional tasks including all the tasks that require you to specify that they are for MBGP Most tasks are configured only for BGP4 but apply both to BGP4 and MB...

Page 937: ... routes to this network Enabling redistribution of directly connected multicast routes into MBGP To redistribute a directly connected multicast route into MBGP enable redistribution of directly connected routes into MBGP using a route map to specify the routes to be redistributed Here is an example BigIron RX config access list 10 permit 207 95 22 0 0 0 0 255 BigIron RX config route map mbgpmap pe...

Page 938: ...l0 cost distance num The ip addr and ip mask parameters specifies the PIM source for the route The ethernet slot port parameter specifies a physical port The ve num parameter specifies a virtual interface The null0 parameter is the same as dropping the traffic The distance num parameter sets the administrative distance for the route The cost parameter specifies the cost metric of the route Possibl...

Page 939: ...GP route table enter the show ip mbgp routes command instead of the show ip bgp routes command Table 133 lists the MBGP show commands and describes their output For information about a command refer to Chapter 26 Configuring BGP4 IPv4 and IPv6 The following sections show examples of some of the MBGP show commands An example of the show ip mroute command is also included This command displays the I...

Page 940: ...e BGP and MBGP configuration commands that are in the running config BigIron RX show ip mbgp summary BGP4 Summary Router ID 9 9 9 1 Local AS Number 200 Confederation Identifier not configured Confederation Peers Maximum Number of Paths Supported for Load Sharing 1 Number of Neighbors Configured 1 UP 1 Number of Routes Installed 5677 Number of Routes Advertising to All Neighbors 5673 Number of Attr...

Page 941: ...ored in the device s Transmission Control Block TCB for the TCP session between the device and its neighbor These fields are described in detail in section 3 2 of RFC 793 Transmission Control Protocol Functional Specification Syntax show ip mbgp neighbors ip addr BigIron RX show ip mbgp neighbor 7 7 7 2 Total number of BGP Neighbors 1 1 IP Address 166 1 1 2 Remote AS 200 IBGP RouterID 8 8 8 1 Stat...

Page 942: ...c routes only BigIron RX show ip mbgp route Total number of BGP Routes 2 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED E EBGP H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED s STALE Prefix Next Hop Metric LocPrf Weight Status 1 8 8 8 0 24 166 1 1 2 0 100 0 BI AS_PATH 2 31 1 1 0 24 166 1 1 2 0 100 0 BI AS_PATH BigIron RX show ip mroute Type Codes B BGP D Connected S Static...

Page 943: ...Intermediate system intra domain routing information exchange protocol for use in conjunction with the protocol for providing the connection less mode Network Service ISO 8473 1988 RFC 1195 Use of OSI IS IS for Routing in TCP IP and Dual Environments 1990 RFC 2763 Dynamic Host Name Exchange Mechanism for IS IS 2000 RFC 2966 Domain wide Prefix Distribution with Two Level IS IS 2000 Portions of the ...

Page 944: ...for IS IS and other routes sources Intermediate systems and end systems IS IS uses the following categories to describe devices within an IS IS routing domain similar to an OSPF Autonomous System Intermediate System IS A device capable of forwarding packets from one device to another within the domain In Internet Protocol IP terminology an IS is a router End System ES A device capable of generatin...

Page 945: ...as within a domain In Figure 117 on page 868 Routers A and B are Level 1s only Routers C and D are Level 1 and Level 2 ISs Router E is a Level 1 IS only Neighbors and adjacencies A device configured for IS IS forms an adjacency with each of the IS IS devices to which it is directly connected An adjacency is a two way direct link a link without router hops over which the two devices can exchange IS...

Page 946: ...rs in Figure 117 on page 868 with the same domain and areas FIGURE 118 Each broadcast network has a Level 1 designated IS and a Level 2 designated IS Designated IS election has the following results in this network topology Router B is the Level 1 Designated IS for broadcast network 1 Router C is the Level 1 Designated IS for broadcast network 2 Router D is the Level 2 Designated IS for broadcast ...

Page 947: ...S CLI levels The CLI includes various levels of commands for IS IS Figure 119 diagrams these levels FIGURE 119 IS IS CLI levels The IS IS CLI levels are as follows A global level for the configuration of the IS IS protocol At this level all IS IS configurations at this level apply to IPv4 and IPv6 You enter this layer using the router isis command Under the global level you specify an address fami...

Page 948: ...uter ipv4u prompt indicates that you are at the IPv4 IS IS unicast address family configuration level While at this level you can access several commands that allow you to configure IPv4 IS IS unicast settings NOTE Each address family configuration level allows you to access commands that apply to that particular address family only To enable a feature in a particular address family you must speci...

Page 949: ...e is to use the device s base MAC address as the system ID The base MAC address is also the MAC address of port 1 To determine the base MAC address enter the following command at any level of the CLI show interfaces brief The base MAC address is listed in the first row of information in the MAC column You must use the same system ID in all the NETs on the BigIron RX NOTE The parameter descriptions...

Page 950: ... Level 1 traffic if applicable If an IS is in the overload state for both levels the IS cannot forward traffic at either level By default the device automatically sets the overload bit to 1 on in its LSPDUs to other ISs if an overload condition occurs You can set the overload bit on to administratively shut down IS IS without disabling the protocol Setting the overload bit on is useful when you wa...

Page 951: ...Iron RX config isis router domain password domain 1 This command configures the device to use the password domain 1 to authenticate Level 2 LSPDUs Syntax no domain password string The string parameter specifies the password You can enter an alphanumeric string up to 80 characters long The password can contain blank spaces If you use a blank space in the password you must use quotation marks around...

Page 952: ...is displayed in each CLI command prompt for example BigIron RX config isis router The name mapping feature is enabled by default If you want to disable name mapping enter the following command BigIron RX config isis router no hostname Syntax no hostname To display the name mappings enter the show isis hostname command Changing the sequence numbers PDU interval A Complete Sequence Numbers PDU CSNP ...

Page 953: ...t be set in such a way that the LSPs are refreshed before the max lsp lifetime expires otherwise the device s originated LSPs may be timed out by it s neighbors Refer to Changing the LSP refresh interval on page 877 Changing the LSP refresh interval The LSP refresh interval is the maximum number of seconds the device waits between sending updated LSPs to its IS IS neighbors The interval can be fro...

Page 954: ...Changing the SPF timer Every IS maintains a Shortest Path First SPF tree which is a representation of the states of each of the IS s links to ESs and other ISs If the IS is both a Level 1 and Level 2 IS it maintains separate SPF trees for each level To ensure that the SPF tree remains current the IS updates the tree at regular intervals following a change in network topology or the link state data...

Page 955: ...dding Syntax no hello padding By default hello padding is enabled Enter the no form of the command to disable hello padding To disable hello padding on an interface refer to Disabling and enabling hello padding on an interface on page 888 Logging adjacency changes The device can generate a Syslog entry and an SNMP trap to indicate a change in the status of an adjacency with another IS Logging of t...

Page 956: ...ging the maximum number of load sharing paths By default IPv4 IS IS can calculate and install four equal cost paths into the IPv4 forwarding table You can change the number of paths IPv4 IS IS can calculate and install in the IPv4 forwarding table to a value from 1 8 If you change the number of paths to one the device does not load share multiple route paths learned from IPv4 IS IS For example to ...

Page 957: ...te map to specify the router to advertise a default route to Level 1 enter commands such as the following at the Global CONFIG level BigIron RX config route map default_level1 permit 1 BigIron RX config routemap default_level1 set level level 1 BigIron RX config routemap default_level1 exit BigIron RX config router isis BigIron RX config isis router address family ipv4 unicast BigIron RX config is...

Page 958: ... all IPv4 IS IS routes to 100 The number parameter specifies the administrative distance You can specify a value from 1 255 Routes with a distance value of 255 are not installed in the routing table The default for IPv4 IS IS is 115 Configuring summary addresses You can configure summary addresses to aggregate IS IS route information Summary addresses can enhance performance by reducing the size o...

Page 959: ...ot need to enable this type of redistribution You also can enable redistribution of Level 2 routes into Level 1 routes The device attempts to use the redistributed route s metric as the route s IPv4 IS IS metric For example if an OSPF route has an OSPF cost of 20 the router uses 20 as the route s IPv4 IS IS metric The device uses the redistributed route s metric as the IPv4 IS IS metric unless the...

Page 960: ...l metric internal The metric value is comparable to metric values used by IPv4 IS IS This is the default The route map name parameter restricts redistribution to those routes that match the specified route map The route map must already be configured before you use the route map name with the redistribute command For example to configure a route map that redistributes only the static IPv4 routes t...

Page 961: ...yntax no redistribute ospf level 1 level 1 2 level 2 match external1 external2 internal metric number metric type external internal route map name Most of the parameters are the same as the parameters for the redistribute static command However the redistribute ospf command also has the match external1 external2 internal parameter This parameter specifies the OSPF route type you want to redistribu...

Page 962: ...stributes Level 1 routes into Level 2 This is the default level 2 into level 1 Redistributes Level 2 routes into Level 1 The prefix list name specifies an IP prefix list Configuring ISIS properties on an interface This section describe the IS IS parameters for an interface Disabling and enabling IS IS on an interface In addition to enabling IS IS globally you also must enable the protocol on the i...

Page 963: ...igure a different priority for each level In case of a tie if two or more devices have the highest priority within a given level the device with the highest MAC address becomes the Designated IS for that level NOTE You can set the IS IS priority on an individual interface basis only You cannot set the priority globally To set the IS IS priority on an interface enter commands such as the following ...

Page 964: ...Syntax no isis circuit type level 1 level 1 2 level 2 The level 1 level 1 2 level 2 parameter specifies the IS IS type If you want to re enable support for both IS IS types re enter the command you entered to change the IS IS type and use no in front of the command Disabling and enabling hello padding on an interface The section Globally disabling or re enabling hello padding on page 878 explains ...

Page 965: ...tric added to advertised routes When the device originates an IS IS route or calculates a route the device adds a metric cost to the route Each IS IS interface has a separate metric value The default is 10 The device applies the interface level metric to routes originated on the interface and also when calculating routes The device does not apply the metric to link state information that the devic...

Page 966: ...affic statistics Displaying traffic statistics on page 900 Error statistics Displaying error statistics on page 901 Displaying the IS IS configuration in the running config You can display the global IS IS configuration commands that are in effect on the device using the following CLI method NOTE The running config does not list the default values Only commands that change a setting or add configu...

Page 967: ...hows the following information TABLE 135 IS IS neighbor information This field Displays Total number of IS IS Neighbors The number of ISs with which the device has formed IS IS adjacencies System ID The System ID of the neighbor or the hostname of the neighbor Interface The device port or virtual interface attached to the neighbor SNPA The Subnetwork Point of Attachment SNPA which is the MAC addre...

Page 968: ...cency The type can be one of the following ISL1 Level 1 IS ISL2 Level 2 IS ES ES NOTE The device forms a separate adjacency for each IS IS type Thus if the device has both types of IS IS adjacencies with the neighbor the display contains a separate row of information for each adjacency Pri The priority of this IS to be elected as the Designated IS in this broadcast network StateChgeTime The amount...

Page 969: ...S has come up The system id is the system ID of the IS The interface id is the ID of the interface over which the adjacency was established Notification ISIS L2 ADJACENCY DOWN system id on interface interface id The device s adjacency with this Level 2 IS has gone down The system id is the system ID of the IS The interface id is the ID of the interface over which the adjacency was established Noti...

Page 970: ...llowing LEVEL 1 LEVEL 2 LEVEL 1 2 Circuit State The state of the circuit which can be one of the following DOWN UP BigIron RX show isis interface Total number of IS IS Interfaces 1 Interface Eth 7 1 Circuit State UP Circuit Mode LEVEL 1 2 Circuit Type BCAST Passive State FALSE Circuit Number 0x01 MTU 1497 Authentication password None Level 1 Metric 10 Level 1 Priority 64 Level 1 Hello Interval 10 ...

Page 971: ...ce inserts in IS IS Level 2 PDUs for this interface Level 2 Priority The priority of this IS to be elected as the Designated IS for Level 2 in this broadcast network Level 2 Hello Interval The number of seconds the software waits between sending Level 2 Hello messages to the IS at the other end of the circuit Level 2 Hello Multiplier The number by which the software multiplies the hello interval t...

Page 972: ...ived The number of IS IS control PDUs received on this interface IP Enabled If set to TRUE the IP protocol is enabled for this circuit TABLE 138 IS IS route information This field Displays Total number of IS IS routes The total number of routes in the device s IS IS route table The total includes Level 1 and Level 2 routes Destination The IP destination of the route Mask The subnet mask for the de...

Page 973: ...te Path The path number in the table The IS IS route table can contain multiple equal cost paths to the same destination in which case the paths are numbered consecutively When IP load sharing is enabled the device can load balance traffic to the destination across the multiple paths Next Hop IP The IP address of the next hop interface to the destination Interface The device interface port or virt...

Page 974: ...urce ID 6 bytes the pseudonode 1 byte and LSPID 1 byte NOTE If the address has an asterisk at the end this indicates that the LSP is locally originated LSP Seq Num The sequence number of the LSP LSP Checksum The checksum calculated by the device that sent the LSP and used by the device to verify that the LSP was not corrupted during transmission over the network LSP Holdtime The maximum number of ...

Page 975: ...yer Protocol Identifier NLPID which specifies the protocol the IS that sent the LSP is using Usually this value is CC IP BigIron RX show isis database detail IS IS Level 1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT P OL RX 00 00 0x0000000b 0x23fb 971 1 0 0 Area Address 49 NLPID CC IP Hostname RX Metric 10 IP Internal 4 1 1 0 24 Up bit 0 Metric 10 IS RX 01 IS IS Level 2 Lin...

Page 976: ...ollowing information Metric The value of the default metric which is the IS IS cost of using the IP address above as the next hop to reach this destination Device type The device type at the destination The type can be one of the following End System The device is an ES IP Internal The device is an ES within the current area The IP address and subnet mask are listed IS The device is another IS The...

Page 977: ...r of Level 2 PSNPs sent and received by the device TABLE 142 IS IS error statistics This field Displays Area Mismatch The number of times the device interface was unable to create a Level 1 adjacency with a neighbor because the device interface and the neighbor did not have any areas in common Max Area Mismatch The number of times the device received a PDU whose value for maximum number of area ad...

Page 978: ...same neighbor LSP Max Sequence Number Exceeded The number of times the device attempted to set an LSP sequence number to a value higher than the highest number in the CSNP sent by the Designated IS Level 1 Database Overload The number of times the Level 1 state on the device changed from Waiting to On or from On to Waiting Waiting to On This change can occur when the device recovers from a previou...

Page 979: ...bors and clears the neighbor statistics The route ip address subnet mask ip address prefix parameter clears the IS IS route table or the specified matching route The traffic parameter clears the PDU statistics NOTE The traffic option also clears the values displayed in the show isis interface command s Control Messages Sent and Control Messages Received fields ...

Page 980: ...904 BigIron RX Series Configuration Guide 53 1002253 01 Clearing IS IS information 28 ...

Page 981: ...age is continuously transmitted at the negotiated rate and a check is made that the expected control message is received at the agreed frequency from the neighbor If the agreed upon messages are not received from the neighbor within a short period of time the neighbor is considered to be down The maximum number of sessions supported on an interface module LP is 20 while the maximum per system is 1...

Page 982: ...termining that the connection to that peer is not operational Acceptable values are 3 50 Number of BFD sessions supported The device supports a maximum of 100 BFD sessions per system with a maximum number of 20 sessions per interface module This number is inclusive of the fact that IS IS and OSPF sessions on an interface module will include both transmit and receive sessions Consequently the 20 se...

Page 983: ...e maximum number of BFD sessions that are allowed on the router The maximum number of sessions supported on a router is 100 Maximum Exceeded Count The number of times the request to set up a BFD session was declined because it would have resulted in exceeding the maximum number of BFD sessions allowed on the router LP Sessions Maximum Allowed on LP The maximum number of BFD sessions that are allow...

Page 984: ...isplays BFD neighbor information for the specified ethernet interface only The interface ve option displays BFD neighbor information for the specified virtual interface only This display shows the following information Mult The number of times that the router will wait for the MinRx time on this port before it determines that its peer router is non operational Sessions The number of BFD sessions o...

Page 985: ...n be either Ethernet or POS Holddown The interval after which the session will transition to the down state if no message is received Interval The negotiated interval at which the local router sends BFD messages to the remote peer RH Heard from remote TABLE 146 Display of BFD neighbor detail information This field Displays Total number of Neighbor entries Total number of BFD sessions NeighborAddre...

Page 986: ...as received in the last message sent by the remote peer Demand Value of the demand bit in the BFD Control Message as received in the last message sent by the remote peer Poll Value of the poll bit in the BFD Control Message as received in the last message sent by the remote peer MinTxInterval The interval in microseconds between which the router negotiates to send a BFD message from the remote nei...

Page 987: ...g sections Enabling BFD for OSPFv2 for all interfaces You can configure BFD for OSPFv2 on all of a router s OSPFv2 enabled interfaces using the command shown in the following BigIron RX config router ospf BigIron RX config ospf router bfd all interfaces Syntax no bfd all interfaces While this command configures BFD for OSPFv2 on all of a router s OSPFv2 enabled interfaces it is not required that i...

Page 988: ... disable The disable option disables BFD for OSPFv3 on the interface Configuring BFD for IS IS You can configure your BigIron RX router for BFD for the IS IS protocol for all IS IS enabled interfaces or for specific interfaces as shown in the following sections Enabling BFD for IS IS for all interfaces You can configure IS IS for IS IS on all of a router s IS IS enabled interfaces using the comman...

Page 989: ... 1 2 2 and so on At the beginning of an SSH session the device negotiates the version of SSHv2 to be used The highest version of SSHv2 supported by both the device and the client is the version that is used for the session Once the SSHv2 version is negotiated the encryption algorithm with the highest security ranking is selected to be used for the session Also the device support Secure Copy SCP fo...

Page 990: ...r to Telnet but unlike Telnet SSH provides a secure encrypted connection SSHv2 support includes the following The following encryption cipher algorithm are supported They are listed in order of preference aes256 cbc AES in CBC mode with 256 bit key aes192 cbc AES in CBC mode with 192 bit key aes128 cbc AES in CBC mode with 128 bit key 3des cbc Triple DES Key exchange methods in the order of prefer...

Page 991: ...device s system config file Only the public key is readable The public key should be added to a known hosts file for example HOME ssh known_hosts on UNIX systems on the clients who want to access the device Some SSH client programs add the public key to the known hosts file automatically in other cases you must manually create a known hosts file and place the device s public key in it Refer to Pro...

Page 992: ...ents occur when a client attempts to gain access to the device using SSH 1 The client sends its public key to the device 2 The device compares the client s public key to those stored in memory 3 If there is a match the device uses the public key to encrypt a random sequence of bytes 4 The device sends these encrypted bytes to the client 5 The client uses its private key to decrypt the bytes 6 The ...

Page 993: ...cted properly you will receive an error message while loading You must fix the key files and load them again To cause a public key file called pkeys txt to be loaded from a TFTP server each time the device is booted enter a command such as the following BigIron RX config ip ssh pub key file tftp 192 168 1 234 pkeys txt Syntax ip ssh pub key file tftp tftp server ip addr filename remove The tftp se...

Page 994: ... 5 For example the following command changes the number of authentication retries to 5 BigIron RX config ip ssh authentication retries 5 Syntax ip ssh authentication retries number Deactivating user authentication After the SSH server on the device negotiates a session key and encryption method with the connecting client user authentication takes place Brocade s implementation of SSH supports DSA ...

Page 995: ...rd authentication no yes The default is yes Enabling empty password logins By default empty password logins are not allowed This means that users with an SSH client are always prompted for a password when they log into the device To gain access to the device each user must have a user name and password Without a user name and password a user is not granted access Refer to Setting up local user acc...

Page 996: ...r commands such as the following BigIron RX config int loopback 2 BigIron RX config lbif 2 ip address 10 0 0 2 24 BigIron RX config lbif 2 exit BigIron RX config ip ssh source interface loopback 2 The commands in this example configure loopback interface 2 assign IP address 10 0 0 2 24 to the interface then designate the interface as the source for all SSH packets from the device Syntax ip ssh sou...

Page 997: ...s are enabled on the BigIron RX device You can disable 3 DES by entering the following command BigIron RX config ip ssh encryption aes only Syntax no ip ssh encryption aes only Displaying SSH connection information Up to five SSH connections can be active on the device To display information about SSH connections enter the following command Syntax show ip ssh begin expression exclude expression in...

Page 998: ...uration and running configuration files to or from an SCP enabled remote host SCP is enabled by default and can be disabled To disable SCP enter the following command BigIron RX config ip ssh scp disable Syntax ip ssh scp disable enable NOTE If you disable SSH SCP is also disabled The following are examples of using SCP to transfer files from and to a device BigIron RX show who Console connections...

Page 999: ...ssword before the file transfer takes place To copy the configuration file to the startup configuration file C scp c cfg brocade cfg terry 192 168 1 50 startConfig To copy the configuration file to a file called config1 cfg on the PCMCIA flash card in slot 1 on a management module C scp c cfg brocade cfg terry 192 168 1 50 slot1 config1 cfg To copy the configuration file to a file called config1 c...

Page 1000: ...924 BigIron RX Series Configuration Guide 53 1002253 01 Using secure copy 30 ...

Page 1001: ... found MAC address The device supports multiple RADIUS servers if communication with one of the RADIUS servers times out the others are tried in sequential order If a response from a RADIUS server is not received within a specified time by default 3 seconds the RADIUS session times out and the device retries the request up to three times If no response is received the next RADIUS server is chosen ...

Page 1002: ...rt authentication feature supports dynamic VLAN assignment where a port can be placed in a VLAN based on the MAC address learned on that interface When a MAC address is successfully authenticated the RADIUS server sends the device a RADIUS Access Accept message that allows the device to forward traffic from that MAC address The RADIUS Access Accept message can also contain attributes set for the M...

Page 1003: ...n Configuring multi device port authentication on the BigIron RX consists of the following tasks Enabling multi device port authentication globally and on individual interfaces Configuring an Authentication Method List for 802 1x Setting RADIUS Parameters Specifying the format of the MAC addresses sent to the RADIUS server optional Specifying the authentication failure action optional Defining MAC...

Page 1004: ...es before none in the method list Setting RADIUS parameters To use a RADIUS server to authenticate access to a BigIron RX you must identify the server to the device For example BigIron RX config radius server host 209 157 22 99 auth port 1812 acct port 1813 default key mirabeau dot1x Syntax radius server host ip addr server name auth port number acct port number authentication only accounting only...

Page 1005: ...x xx xx xx xx xx xxxxxxxxxxxx Specifying the authentication failure action When RADIUS authentication for a MAC address fails you can configure the device to perform one of two actions Drop traffic from the MAC address in hardware the default Move the port on which the traffic was received to a restricted VLAN To configure the device to move the port to a restricted VLAN when multi device port aut...

Page 1006: ...filter filter The following commands apply the MAC address filter on an interface so that address 0010 dc58 aca4 is excluded from multi device port authentication BigIron RX config interface e 3 1 BigIron RX config if e100 3 1 mac authentication apply mac auth filter 1 Syntax no mac authentication apply mac auth filter filter id Configuring dynamic VLAN assignment An interface can be dynamically a...

Page 1007: ...evice port authentication feature and 802 1X authentication subsequently specifies a different PVID then the PVID specified through 802 1X authentication overrides the PVID specified through multi device port authentication To specify tagged VLANs use the following T 12 T 20 or T 12 T marketing In this example the port is added to VLANs 12 and 20 or VLANs 12 and the VLAN named marketing When a tag...

Page 1008: ... attribute then it is considered an authentication failure and the configured authentication failure action is performed for the MAC address If the vlan name string does not match either the name or the ID of a VLAN configured on the device then it is considered an authentication failure and the configured authentication failure action is performed for the MAC address For untagged ports if the VLA...

Page 1009: ...ort Specifying to which VLAN a port is moved after its RADIUS specified VLAN assignment expires When a port is dynamically assigned to a VLAN through the authentication of a MAC address and the MAC session for that address is deleted on the device then by default the port is removed from its RADIUS assigned VLAN and placed back in the VLAN where it was originally assigned A port can be removed fro...

Page 1010: ...how auth mac address detail commands Clearing authenticated MAC addresses The device maintains an internal table of the authenticated MAC addresses viewable with the show authenticated mac address command You can clear the contents of the authenticated MAC address table either entirely or just for the entries learned on a specified interface In addition you can clear the MAC session for an address...

Page 1011: ... denied mac only permitted mac only denied mac only disables aging of denied sessions and enables aging of permitted sessions permitted mac only disables aging of permitted authenticated and restricted sessions and enables aging of denied sessions Specifying the aging time for blocked MAC addresses When the device is configured to drop traffic from non authenticated MAC addresses traffic from the ...

Page 1012: ...To display information about authenticated MAC addresses on the ports where the multi device port authentication feature is enabled enter the following command Syntax show auth mac address The following table describes the information displayed by the show auth mac address command Displaying multi device port authentication configuration information To display a summary of multi device port authen...

Page 1013: ...AC addresses are assigned if the Fail Action is to assign the MAC address to a restricted VLAN DynVLAN Support Whether RADIUS dynamic VLAN assignment is enabled for the port Override Restricted Whether or not a port in a restricted VLAN due to a failed authentication is removed from the restricted VLAN on a subsequent successful authentication on the port Revert VLAN The VLAN that the port reverts...

Page 1014: ...hether RADIUS dynamic VLAN assignment has been enabled for the port RADIUS failure action What happens to traffic from a MAC address for which RADIUS authentication has failed either block the traffic or assign the MAC address to a restricted VLAN Override restrict vlan Whether a port can be dynamically assigned to a VLAN specified by a RADIUS server if the port had been previously placed in the r...

Page 1015: ...sent to the RADIUS server Accepted MAC Addresses The number of MAC addresses that have been successfully authenticated Rejected MAC Addresses The number of MAC addresses for which authentication has failed Aging of MAC sessions Whether software aging of MAC addresses is enabled Max Age of MAC sessions The configured software aging period Port move back VLAN The VLAN that the port reverts to when t...

Page 1016: ...e port authentication with dynamic VLAN assignment and multi device port authentication and 802 1X authentication Access Whether or not the MAC address was allowed or denied access into the network Age The age of the MAC address entry in the authenticated MAC address list TABLE 151 Output from the show auth mac address address command Continued This field Displays BigIron RX show auth mac addresse...

Page 1017: ...VLAN 102 If authentication for the PC fails then the PC can be placed in a specified restricted VLAN or traffic from the PC can be blocked in hardware In this example if authentication for the PC fails the PC would be placed in VLAN 1023 the restricted VLAN If authentication for the IP phone is successful then port 2 1 is added to VLAN 3 If authentication for the IP phone fails then traffic from t...

Page 1018: ...C is successfully authenticated dual mode port 2 1 PVID is changed from the VLAN 1 the DEFAULT VLAN to VLAN 102 If authentication for the PC fails then the PC can be placed in a specified restricted VLAN or traffic from the PC can be blocked in hardware In this example if authentication for the PC fails the PC would be placed in VLAN 1023 the restricted VLAN If authentication for the IP phone is s...

Page 1019: ...cation n the same port In this configuration a PC and an IP phone are connected to port e 1 3 on a Brocade device Port e 1 3 is configured as a dual mode port The profile for the PC MAC address on the RADIUS server specifies that the PC should be dynamically assigned to VLAN Login VLAN and the RADIUS profile for the IP phone specifies that it should be dynamically assigned to the VLAN named IP Pho...

Page 1020: ...authentication is required for this MAC address The PVID of the port e 1 3 is temporarily changed to VLAN 1024 pending 802 1X authentication When User 1 attempts to connect to the network from the PC he is subject to 802 1X authentication If User 1 is successfully authenticated the Access Accept message from the RADIUS server specifies that the PVID for User 1 port be changed to the VLAN named Use...

Page 1021: ...to perform 802 1X authentication when a device fails multi device port authentication Figure 123 shows a configuration where multi device port authentication is performed for an IP phone and 802 1X authentication is performed for a user PC There is a profile on the RADIUS server for the IP phone MAC address but not for the PC MAC address FIGURE 123 802 1X Authentication is performed when a device ...

Page 1022: ...thentication If User 1 is successfully authenticated the PVID for port e 1 4 is changed to the VLAN named User VLAN NOTE This example assumes that the IP phone initially transmits untagged packets for example CDP or DHCP packets which trigger the authentication process on the Brocade device and client lookup on the RADIUS server If the phone sends only tagged packets and the port e 1 4 is not a me...

Page 1023: ...f the secure learned MAC addresses the address is considered a security violation NOTE The MAC Port Security feature applies only to Ethernet interfaces It is not available on loopback virtual routing ve or other interface types Violation actions When a security violation occurs a Syslog entry is generated In addition the device takes one of the following actions Shuts down the interface either pe...

Page 1024: ... Port Security feature Set the maximum number of secure MAC addresses for an interface Set the MAC Port Security age timer Specify secure MAC addresses Configure the device to automatically save secure MAC addresses to the startup config file Specify the action taken when a security violation occurs Enabling the MAC Port Security feature By default MAC Port Security is disabled at the global and i...

Page 1025: ...default You can increase the number of MAC addresses that can be secured up to a maximum of 64 plus the total number of global resources available For example to configure interface 7 11 to have a maximum of 10 secure MAC addresses BigIron RX config int e 7 11 BigIron RX config if e100 7 11 port security BigIron RX config if e100 7 11 maximum 10 Syntax maximum number of addresses Enter 0 64 for th...

Page 1026: ...rn Denying specific MAC addresses If there are specific MAC addresses that you want to block you can add those addresses to a deny MAC address table by entering commands such as the following BigIron RX config int e 7 11 BigIron RX config if e100 7 11 port security BigIron RX config port security e100 7 11 deny mac address 124a 3cad 01a3 Syntax no deny mac address mac address There can be up to 64...

Page 1027: ...affic from the MAC address is received the following occurs Secure MAC addresses on an interface and at the global level remain in the MAC table as long as traffic with that address is received However it is removed from the MAC table and the running config if the age timer elapses and no traffic has been received from the MAC address Deny MAC addresses are removed from the MAC address table globa...

Page 1028: ...n RX config port security e100 7 11 violation restrict Syntax no violation restrict denied packets processed force The violation restrict command enables the violation restrict action Entering a value for denied packets processed specifies the number of packets from one unsecure MAC address that can be processed in one second on the interface Once this number is reached the interface is shutdown R...

Page 1029: ...packets You can specify how many packets can be logged per second To enable this option enter the following command BigIron RX config int e 7 11 BigIron RX config if e100 7 11 port security BigIron RX config port security e100 7 11 violation restrict 3200 BigIron RX config port security e100 7 11 deny log rate 5 Syntax no deny log rate number per second Enter 1 10 The default is 0 which means the ...

Page 1030: ...col 114 Mar 10 17 38 51 I Port security denied pkt 0000 0022 2224 0000 0011 1111 198 19 1 2 198 19 1 1 Protocol 114 Denying a MAC address The action violation deny can be configured for unsecure MAC addresses that are received on an interface This option denies all MAC addresses in the deny MAC address list To enable this violation action enter the following command BigIron RX config int e 7 11 Bi...

Page 1031: ...ollowing occur All interfaces that inherit the global violation action inherit the new global violation action All MAC address entries are cleared on all interfaces that inherit the new global violation action Interfaces that are configured with shutdown or restrict violation action inherit any new deny MAC addresses configured at the global level Interfaces that are configured with deny violation...

Page 1032: ...lation restrict is configured For example you can enter commands such as the following BigIron RX config int e 7 11 BigIron RX config if e100 7 11 port security BigIron RX config port security e100 7 11 violation shutdown BigIron RX config port security e100 7 11 shutdown time 60 Syntax no shutdown time minutes Enter 0 1440 minutes with 0 as the default Specifying 0 shuts down the interface perman...

Page 1033: ...ation SecureMac Age Time How many minutes the restrict or shutdown action will be in effect Permanent means the interface is permanently shut down Learn The amount of time in minutes MAC addresses that were learned on the interface will remain secure BigIron RX show port security Port Security MacAddrs Violation PortShutdn minutes SecureMac Learn Learnt Max Total Count Type Status Time Remain AgeT...

Page 1034: ...Addr S The secure MAC address S means secure VLAN ID of VLAN to which the interface is assigned Age Left The number of minutes the MAC address will remain secure TABLE 154 Output from the show port security statistics portnum command This field Displays Port The slot and port number of the interface Total Addrs The total number of secure MAC addresses on the interface Maximum Addrs The maximum num...

Page 1035: ...ns encountered on the module Total shutdown ports The number of interfaces on the module shut down as a result of security violations TABLE 155 Output from the show port security statistics module command Continued This field Displays BigIron RX show mac Total active entries from all ports 8 MAC Address Port Age VLAN Type 0003 0000 0001 3 2 Secure 1 secure Allow 0003 0000 0003 3 2 Secure 1 secure ...

Page 1036: ... the interface Secure Addr S Deny Addr D The secure or denied MAC address that was received on the interface Secure MAC addresses are labeled with S while denied MAC addresses are labeled with D VLAN The VLAN on which the MAC address was received Age left Amount of time left before the address ages out After the age timer expires the MAC address is removed from secure or deny list TABLE 157 Output...

Page 1037: ...ress is 0004 1234 ffff bia 0004 1234 ffff Configured speed 1Gbit actual unknown configured duplex fdx actual unknown Configured mdi mode AUTO actual unknown Member of L2 VLAN ID 1 port is untagged port state is Disabled STP configured to ON Priority is level0 flow control enabled Force DSCP disabled SA learning is disabled mirror disabled monitor disabled Not member of any active trunks Not member...

Page 1038: ...ion Guide 53 1002253 01 Transparent port flooding 32 0 runts 0 giants DMA received 0 packets 0 packets output 0 bytes 0 underruns Transmitted 0 broadcasts 0 multicasts 0 unicasts 0 output errors 0 collisions DMA transmitted 0 packets ...

Page 1039: ...802 1x port security supports the following RFCs RFC 2284 PPP Extensible Authentication Protocol EAP RFC 2865 Remote Authentication Dial In User Service RADIUS RFC 2869 RADIUS Extensions How 802 1x port security works This section explains the basic concepts behind 802 1x port security including device roles how the devices communicate and the procedure used for authenticating clients Device roles...

Page 1040: ...ectly connected to a port on the Authenticator or can be connected by way of a hub Authentication Server The device that validates the Client and specifies whether or not the Client may access services on the device Brocade supports Authentication Servers running RADIUS Communication between the devices For communication between the devices 802 1x port security uses the Extensible Authentication P...

Page 1041: ...lient to the Authenticator PAE and responds to requests from the Authenticator PAE The Supplicant PAE can also initiate the authentication procedure with the Authenticator PAE as well as send logoff messages Controlled and uncontrolled ports A physical port on the device used with 802 1x port security has two virtual access points a controlled port and an uncontrolled port The controlled port prov...

Page 1042: ...low through the port normally By default all controlled ports on the BigIron RX are placed in the authorized state allowing all traffic When authentication is activated on an 802 1x enabled interface the interface s controlled port is placed initially in the unauthorized state When a Client connected to the port is successfully authenticated the controlled port is then placed in the authorized sta...

Page 1043: ... default VLAN to the specified VLAN When the client disconnects from the network the port is placed back in its default VLAN Refer to Configuring dynamic VLAN assignment for 802 1x ports on page 972 for more information Brocade s 802 1x implementation supports dynamically applying an IP ACL or MAC address filter to a port based on information received from the Authentication Server If a Client doe...

Page 1044: ... Multiple clients connected to a single 802 1x enabled port If there are multiple Clients connected to a single 802 1x enabled port the BigIron RX authenticates each of them individually Each client s authentication status is independent of the others so that if one authenticated client disconnects from the network it has no effect on the authentication status of any of the other authenticated cli...

Page 1045: ...or information on how to do this 6 If authentication for the Client is unsuccessful more than the number of times specified by the attempts variable in the auth fail max attempts command an authentication failure action is taken The authentication failure action can be either to drop traffic from the Client or to place the port in a restricted VLAN If the authentication failure action is to drop t...

Page 1046: ... security Configuring 802 1x port security on a BigIron RX consists of the following tasks 1 Configuring the BigIron RX device s interaction with the Authentication Server Configuring an authentication method list for 802 1x on page 971 Setting RADIUS parameters on page 971 Configuring dynamic VLAN assignment for 802 1x ports on page 972 optional 2 Configuring the BigIron RX s role as the Authenti...

Page 1047: ...S server to authenticate access to a BigIron RX you must identify the server to the BigIron RX For example BigIron RX config radius server host 209 157 22 99 auth port 1812 acct port 1813 default key mirabeau dot1x Syntax radius server host ip addr server name auth port number acct port number authentication only accounting only default key 0 1 string dot1x The host ip addr server name parameter i...

Page 1048: ...ent disconnects from the network the port is placed back in its default VLAN NOTE This feature is supported on port based VLANs only This feature cannot be used to place an 802 1x enabled port into a Layer 3 protocol VLAN To enable 802 1x VLAN ID support on the BigIron RX you must add the following attributes to a user s profile on the RADIUS server The device reads the attributes as follows If th...

Page 1049: ...ration The following considerations apply when a Client in a 802 1x multiple client configuration is successfully authenticated and the RADIUS Access Accept message specifies a VLAN for the port If the port is not already a member of a RADIUS specified VLAN and the RADIUS Access Accept message specifies the name or ID of a valid VLAN on the Brocade BigIron RX then the port is placed in that VLAN I...

Page 1050: ...lue that does not refer to an existing filter that is a MAC address filter or IP ACL configured on the device then the port is still authenticated but no filter is dynamically applied to it If the Vendor Specific attribute specifies the syntax for a filter but there are insufficient system resources to implement the filter then the port is still authenticated but the filter specified in the Vendor...

Page 1051: ...utbound ACL filters are not supported MAC address filters are supported only for the inbound direction Outbound MAC address filters are not supported Dynamically assigned IP ACLs and MAC address filters are subject to the same configuration restrictions as non dynamically assigned IP ACLs and MAC address filters Value Description ip number in Applies the specified numbered ACL to the 802 1x authen...

Page 1052: ...AC address filter statements The following table shows examples of IP ACLs and MAC address filters configured in the Brocade Vendor Specific attribute on a RADIUS server These IP ACLs and MAC address filters follow the same syntax as other Brocade ACLs and MAC address filters Refer to Chapter 21 Access Control List for information on syntax The RADIUS server allows one instance of the Vendor Speci...

Page 1053: ... traffic between the Client and the Authentication Server Refer to Figure 126 on page 966 for an illustration of this concept By default all controlled ports on the device are in the authorized state allowing all traffic When you activate authentication on an 802 1x enabled interface its controlled port is placed in the unauthorized state When a Client connected to the interface is successfully au...

Page 1054: ...ault You can optionally specify a different re authentication interval of between 1 4294967295 seconds To configure periodic re authentication using the default interval of 3 600 seconds enter the following command BigIron RX config dot1x enable BigIron RX config dot1x re authentication Syntax no re authentication To configure periodic re authentication with an interval of 2 000 seconds enter the ...

Page 1055: ...frame You can specify the amount of time the BigIron RX waits before retransmitting the EAP request identity frame to the Client This amount of time is specified with the tx period parameter The tx period parameter can be from 1 65535 seconds The default is 30 seconds For example to cause the BigIron RX to wait 60 seconds before retransmitting an EAP request identity frame to a Client enter the fo...

Page 1056: ...from the RADIUS server encapsulates them as EAPOL frames and sends them to the Client When the BigIron RX relays an EAP Request frame from the RADIUS server to the Client it expects to receive a response from the Client within 30 seconds If the Client does not respond within the allotted time the device retransmits the EAP Request frame to the Client The time constraint for retransmission of EAP R...

Page 1057: ...n To specify the ID of the restricted VLAN as VLAN 300 enter the following command BigIron RX config dot1x auth fail vlanid 300 Syntax no auth fail vlanid vlan id Specifying the number of authentication attempts the device makes before dropping packets When the authentication failure action is to drop traffic from the Client and the initial authentication attempt made by the device to authenticate...

Page 1058: ...ssigned to a VLAN Information about the user defined and dynamically applied Mac address and IP ACLs currently active on the device Information about the 802 1x multiple client configuration Displaying 802 1x configuration information To display information about the 802 1x configuration on the BigIron RX device enter the following command Syntax show dot1x The following table describes the inform...

Page 1059: ...RX waits before retransmitting the EAP request identity frame to a Client default 30 seconds Refer to Setting the interval for retransmission of EAP request identity frames on page 979 for information on how to change this setting supp timeout When a Client does not respond to an EAP request frame the amount of time before the BigIron RX retransmits the frame Refer to Specifying a timeout for retr...

Page 1060: ...thControlledPortControl The port control type configured for the interface If set to auto authentication is activated on the 802 1x enabled interface multiple hosts Whether the port is configured to allow multiple Supplicants accessing the interface on the BigIron RX through a hub Refer to Allowing multiple 802 1x clients to authenticate on page 980 for information on how to change this setting ma...

Page 1061: ...n number of the last EAPOL frame received on the port Last EAPOL Source The source MAC address in the last EAPOL frame received on the port TX EAPOL Total The total number of EAPOL frames transmitted on the port TX EAP Req Id The number of EAP Request Identity frames transmitted on the port TX EAP Req other than Req Id The number of EAP Request frames transmitted on the port that were not EAP Requ...

Page 1062: ...802 1x enabled port has been moved from VLAN 1 to VLAN 4094 When the client disconnects the port will be moved back to VLAN 1 BigIron RX show interface e 12 2 GigabitEthernet1 3 is up line protocol is up Hardware is GigabitEthernet address is 000c dbe2 5800 bia 000c dbe2 5800 Configured speed auto actual 100Mbit configured duplex fdx actual fdx Configured mdi mode AUTO actual MDIX Member of L2 VLA...

Page 1063: ...amically assigned MAC address filter is removed the display shows the following information BigIron RX show dot1x mac address ethernet 1 1 Port 1 1 MAC Address Filter information Port default MAC Filter mac access list 400 in Syntax show dot1x mac address filter all ethernet slot port begin expression exclude expression include expression The all keyword displays all dynamically applied MAC addres...

Page 1064: ...mmand TABLE 163 Output from the show dot1x mac session command This field Displays Port The port on which the dot1x mac session exists MAC The MAC address of the Client Username The username used for RADIUS authentication Vlan The VLAN to which the port is currently assigned Auth State The authentication state of the dot1x mac session This can be one of the following permit The Client has been suc...

Page 1065: ...ed to the port Age The software age of the dot1x mac session TABLE 164 Output from the show dot1x mac session brief command This field Displays Port Information about the users connected to each port Number of users The number of restricted and authorized those that were successfully authenticated users connected to the port Dynamic VLAN Whether or not the port is a member of a RADIUS specified VL...

Page 1066: ...BigIron RX config dot1x enable e 2 1 to 2 3 BigIron RX config dot1x re authentication BigIron RX config dot1x timeout re authperiod 2000 BigIron RX config dot1x timeout quiet period 30 BigIron RX config dot1x timeout tx period 60 BigIron RX config dot1x max req 6 BigIron RX config dot1x exit BigIron RX config interface e 2 1 BigIron RX config if e100 1 dot1x port control auto BigIron RX config if ...

Page 1067: ...Iron RX in Figure 130 BigIron RX config aaa authentication dot1x default radius BigIron RX config radius server host 192 168 9 22 auth port 1812 acct port 1813 default key mirabeau dot1x BigIron RX config dot1x enable e 2 1 BigIron RX config dot1x re authentication BigIron RX config dot1x timeout re authperiod 2000 BigIron RX config dot1x timeout quiet period 30 BigIron RX config dot1x timeout tx ...

Page 1068: ...User 1 is authenticated first then the PVID for port 2 1 is changed to VLAN 3 If User 2 is authenticated first then the PVID for port 2 1 is changed to VLAN 20 Since a PVID cannot be changed by RADIUS authentication after it has been dynamically assigned if User 2 is authenticated after the port PVID was changed to VLAN 3 then User 2 would not be able to gain access to the network If there were on...

Page 1069: ...lock traffic from a MAC address based on information received from a RADIUS server Incoming traffic originating from a given MAC address is switched or forwarded by the device only if the source MAC address is successfully authenticated by a RADIUS server The MAC address itself is used as the username and password for RADIUS authentication A connecting user does not need to provide a specific user...

Page 1070: ...994 BigIron RX Series Configuration Guide 53 1002253 01 Using multi device port authentication and 802 1X security on the same port 33 ...

Page 1071: ...ictim network as its source When the ICMP echo request reaches the intermediary network it is converted to a Layer 2 broadcast and sent to the hosts on the intermediary network The hosts on the intermediary network then send ICMP replies to the victim network For each ICMP echo request packet sent by the attacker a number of ICMP replies equal to the number of hosts on the intermediary network are...

Page 1072: ... numbers are encountered as is the case when the device is the victim of a Smurf attack You can set threshold values for ICMP packets that are targeted at the router itself or passing through an interface and drop them when the thresholds are exceeded For example to set threshold values for ICMP packets received on interface 3 11 enter the following command BigIron RX config access list 101 permit...

Page 1073: ...s feature Deny clauses are ignored Protecting against TCP SYN attacks TCP SYN attacks exploit the process of how TCP connections are established in order to disrupt normal traffic flow When a TCP connection starts the connecting host first sends a TCP SYN packet to the destination host The destination host responds with a SYN ACK packet and the connecting host sends back an ACK packet This process...

Page 1074: ...rity enhancement is automatically enabled If necessary you can disable this feature Refer to Disabling the TCP security enhancement on page 999 Protecting against a blind TCP reset attack using the RST bit In a blind TCP reset attack using the RST bit a perpetrator attempts to guess the RST segments in order to prematurely terminate an active TCP session To prevent a user from using the RST bit to...

Page 1075: ...t is enabled by default To disable it refer to Disabling the TCP security enhancement on page 999 Disabling the TCP security enhancement The TCP security enhancement is automatically enabled If necessary you can disable this feature When you disable this feature the device reverts to the original behavior To disable the TCP security enhancement enter the following command at the Global CONFIG leve...

Page 1076: ... SYN packets dropped because burst thresholds were exceeded BigIron RX config clear statistics dos attack Syntax clear statistics dos attack Port Port number Packet Drop Count Number of packets that are dropped when the port is in lockup mode Packet Pass Count Number of packets that are forwarded when the port is in rate limiting mode Port Block Count Number of times the port was shut down for the...

Page 1077: ...d an ARP reply An ARP poisoning attack can target hosts switches and routers connected to the Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet For instance a malicious host can reply to an ARP request with its own MAC address thereby causing other hosts on the same subnet to store this information in t...

Page 1078: ...s ARP packets received on untrusted ports as shown in Figure 133 DAI carries out the inspection based on IP to MAC address bindings stored in a trusted binding database For the BigIron RX the binding database is the ARP table which supports DAI DHCP snooping and IP Source Guard To inspect an ARP request packet DAI checks the source IP and source MAC address against the ARP table For an ARP reply p...

Page 1079: ...ends on the maximum number of ARP table entries allowed on the device The BigIron RX Series switch can have up to 64 000 ARP entries In a BigIron RX switch you can use the system max ip arp command to change the maximum number of ARP entries for the device The current implementation works on routing and virtual routing interface ports and does not support Layer 2 switching only ports in VLANs with...

Page 1080: ...s allowed The ip addr mac addr parameter specifies a device s IP address and MAC address pairing Enabling DAI on a VLAN DAI is disabled by default To enable DAI on an existing VLAN enter the following command BigIron RX config ip arp inspection vlan 2 The command enables DAI on VLAN 2 ARP packets from untrusted ports in VLAN 2 will undergo DAI inspection Syntax no ip arp inspection vlan vlan numbe...

Page 1081: ...d84 Inspect 14 0 64 Pending The command displays all ARP entries in the system Syntax show arp TABLE 166 show arp command This field Displays IP Address The IP address of the device MAC Address The MAC address of the device Age The ARP Age which can be one of the following The number of minutes the entry has remained unused If this value reaches the ARP aging period of 10 minutes the entry is remo...

Page 1082: ...untrusted ports those connected to host ports and trusted ports those connected to DHCP servers A VLAN with DHCP snooping enabled forwards DHCP request packets from clients and discards DHCP server reply packets on untrusted ports and it forwards DHCP server reply packets on trusted ports to DHCP clients as shown in the following figures Type The ARP type which can be one of the following Dynamic ...

Page 1083: ... the router reboots The flash file is written and read only if DHCP snooping is enabled Configuring DHCP snooping Configuring DHCP snooping consists of the following steps 1 Enable DHCP snooping on a VLAN Refer to Enabling DHCP snooping on a VLAN on page 1008 2 For ports that are connected to a DHCP server change their trust setting to trusted Refer to Enabling trust on a port on page 1008 The fol...

Page 1084: ... connected to a DHCP server enter commands such as the following BigIron RX config interface ethernet 1 1 BigIron RX config if e10000 1 1 dhcp snooping trust Port 1 1 is connected to a DHCP server The commands change the CLI to the interface configuration level of port 1 1 and set the trust setting of port 1 1 to trusted Syntax no dhcp snooping trust DHCP relay agent information DHCP option 82 DHC...

Page 1085: ...e port showing where the DHCP request comes from Typical address allocation is based on the gateway address of the relay agent Disabling option 82 processing When DHCP snooping is enabled on the Brocade device option 82 processing is enabled by default To disable option 82 processing enter the following commands BigIron RX config interface ethernet 1 1 BigIron RX config if e10000 1 1 no dhcp relay...

Page 1086: ...HCP client request packets received on ports 1 3 and 1 4 are forwarded On VLAN 20 ports 1 1 and 1 2 are connected to a DHCP server DHCP server ports are set to trusted BigIron RX config interface ethernet 1 1 BigIron RX config if e1000 1 1 dhcp snooping trust BigIron RX config if e1000 1 1 exit BigIron RX config interface ethernet 1 2 BigIron RX config if e1000 1 2 dhcp snooping trust BigIron RX c...

Page 1087: ...d on the port Similarly when the IP source guard is disabled any IP source per port IP ACL will be removed from the interface Limits and restrictions Current implementation with this feature has the following limitations Works only on routing and virtual interface ports and does not support Layer 2 switching only ports in VLANs without an assigned IP address on the router Does not support auto sav...

Page 1088: ...1012 BigIron RX Series Configuration Guide 53 1002253 01 IP source guard 35 ...

Page 1089: ...word You can configure as many additional read only and read write community strings as you need The number of strings you can configure depends on the memory on the device There is no practical limit If you delete the startup configuration file the device automatically re adds the default public read only community string the next time you load the software Encryption of SNMP community strings Th...

Page 1090: ...cters If no view is specified access to the full MIB is granted The view that you want must exist before you can associate it to a community string Here is an example of how to use the view parameter in the community string command BigIron RX config snmp s community myread ro view sysview The command in this example associates the view sysview to the community string named myread The community str...

Page 1091: ... Notification is not supported at this time The system will generate traps in SNMP version 1 format NOTE SNMP may timeout when trying to get module temperature values You must increase the timeout value to 10 seconds to prevent a timeout Configuring your NMS To be able to use the SNMP version 3 features 1 Make sure that your Network Manager System NMS supports SNMP version 3 2 Configure your NMS a...

Page 1092: ...ne IDs cannot be configured at this time The hex string variable consists of 11 octets entered as hexadecimal values There are two hexadecimal characters in each octet There should be an even number of hexadecimal characters in an engine ID The default engine ID has a maximum of 11 octets Octets 1 through 4 represent the agent s SNMP management private enterprise number as assigned by the Internet...

Page 1093: ...rs The auth noauth priv parameter is available when you select v3 not v1 or v2 The access standard acl id parameter is optional It allows incoming SNMP packets to be filtered based on the standard ACL attached to the group The read viewstring write viewstring parameter is optional It indicates that users who belong to this group have either read or write access to the MIB The viewstring variable i...

Page 1094: ...arameter is required The access standard acl id parameter is optional It indicates that incoming SNMP packets are filtered based on the ACL attached to the user account NOTE The ACL specified in a user account overrides the ACL assigned to the group to which the user is mapped If no ACL is entered for the user account then the ACL configured for the group will be used to filter packets The encrypt...

Page 1095: ...ne ID To display the engine ID of a management module enter a command such as the following BigIron RX config show snmp engineid Local SNMP Engine ID 800007c70300e05290ab60 Engine Boots 3 Engine time 5 Syntax show snmp engineid The engine ID identifies the source or destination of the packet The engine boots represents the number of times that the SNMP engine reinitialized itself with the same eng...

Page 1096: ...numbers wildcards or a combination of the three The numbers represent the hierarchical location of the object in the MIB tree You can reference individual objects in the MIB tree or a subset of objects from the MIB tree Varbind object identifier Description 1 3 6 1 6 3 11 2 1 3 0 Unknown packet data unit 1 3 6 1 6 3 12 1 5 0 The value of the varbind shows the engine ID that needs to be used in the...

Page 1097: ...ncluded excluded parameter specifies whether the MIB objects identified by the mib_family parameter are included in the view or excluded from the view NOTE All MIB objects are automatically excluded from any view unless they are explicitly included therefore when creating views using the snmp server view command indicate which portion of the MIB you want users to access For example you may want to...

Page 1098: ...sc operations BigIron RX config snmp server location sdh pillbox BigIron RX config snmp server host 128 91 255 32 BigIron RX config snmp server group ops v3 priv read internet write system BigIron RX config snmp server group admin v3 priv read internet write internet BigIron RX config snmp server group restricted v3 priv read internet BigIron RX config snmp server user ops ops v3 encrypted auth md...

Page 1099: ... the following Hostname device ID Product platform and capability Software version VLAN and Layer 3 protocol address information for the port sending the update A Brocade device running FDP sends FDP updates on Layer 2 to MAC address 01 E0 52 CC CC CC Other Brocade devices listening on that address receive the updates and can display the information in the updates FDP is disabled by default NOTE I...

Page 1100: ... updates and can be from 5 900 seconds The default is 60 seconds Changing the FDP hold time By default a BigIron RX that receives an FDP update holds the information until one of the following events occurs The device receives a new update 180 seconds have passed since receipt of the last update This is the hold time Once either of these events occurs the device discards the update To change the F...

Page 1101: ...e hostname of the neighbor Local Int The interface on which this device received an FDP or CDP update for the neighbor Holdtm The maximum number of seconds this device can keep the information received in the update before discarding it Capability The role the neighbor is capable of playing in the network Platform The product platform of the neighbor Port ID The interface through which the neighbo...

Page 1102: ...ighbor port that sent the update to this device If the neighbor is a Layer 2 Switch this field lists the management IP address Platform The product platform of the neighbor Capabilities The role the neighbor is capable of playing in the network Interface The interface on which this device received an FDP or CDP update for the neighbor Port ID The interface through which the neighbor sent the updat...

Page 1103: ...ou can clear the following FDP and CDP information Information received in FDP and CDP updates FDP and CDP statistics The same commands clear information for both FDP and CDP Clearing FDP and CDP neighbor information To clear the information received in FDP and CDP updates from neighboring devices enter the following command BigIron RX clear fdp table Syntax clear fdp table NOTE This command clear...

Page 1104: ...s the packets As a result Cisco devices will no longer receive the packets Enabling interception of CDP packets globally To enable the device to intercept and display CDP packets enter the following command at the global CONFIG level of the CLI BigIron RX config cdp run Syntax no cdp run The feature is disabled by default Enabling interception of CDP packets on an interface You can disable and ena...

Page 1105: ...thernet5 0 0 BigIron RX show fdp neighbors detail Device ID Router Entry address es IP address 207 95 6 143 Platform cisco RSP4 Capabilities Router Interface Eth 1 1 Port ID outgoing port FastEthernet5 0 0 Holdtime 150 seconds Version Cisco Internetwork Operating System Software IOS tm RSP Software RSP JSV M Version 12 0 5 T1 RELEASE SOFTWARE fc1 Copyright c 1986 1999 by cisco Systems Inc Compiled...

Page 1106: ...clear fdp table Syntax clear fdp table BigIron RX show fdp entry Device ID Router Entry address es IP address 207 95 6 143 Platform cisco RSP4 Capabilities Router Interface Eth 1 1 Port ID outgoing port FastEthernet5 0 0 Holdtime 124 seconds Version Cisco Internetwork Operating System Software IOS tm RSP Software RSP JSV M Version 12 0 5 T1 RELEASE SOFTWARE fc1 Copyright c 1986 1999 by cisco Syste...

Page 1107: ...BigIron RX Series Configuration Guide 1031 53 1002253 01 Reading CDP packets 37 To clear CDP statistics enter the following command BigIron RX clear fdp counters Syntax clear fdp counters ...

Page 1108: ...1032 BigIron RX Series Configuration Guide 53 1002253 01 Reading CDP packets 37 ...

Page 1109: ...n provides a convenient way to check configuration changes before saving them to flash The show options available will vary for the device and by configuration level To determine the available show commands for the system or a specific level of the CLI enter the following command BigIron RX show Syntax show option You also can enter show at the command prompt then press the TAB key Viewing port st...

Page 1110: ...o view and display the data graphically Statistics RMON group 1 Count information on multicast and broadcast packets total packets sent undersized and oversized packets CRC alignment errors jabbers collision fragments and dropped events is collected for each port on a device No configuration is required to activate collection of statistics for the device This activity is by default automatically a...

Page 1111: ...tected Packets The total number of packets received This number includes bad packets broadcast packets and multicast packets Broadcast pkts The total number of good packets received that were directed to the broadcast address This number does not include multicast packets Multicast pkts The total number of good packets received that were directed to a multicast address This number does not include...

Page 1112: ...ng bits but does include FCS octets NOTE Not supported in BigIron RX 65 to 127 octets pkts The total number of packets received that were 65 127 octets long This number includes bad packets This number does not include framing bits but does include FCS NOTE Not supported in BigIron RX 128 to 255 octets pkts The total number of packets received that were 128 255 octets long This number includes bad...

Page 1113: ...tory command Alarm RMON group 3 Alarm is designed to monitor configured thresholds for any SNMP integer time tick gauge or counter MIB object Using the CLI you can define what MIB objects are monitored the type of thresholds that are monitored falling rising or both the value of those thresholds and the sample type absolute or delta An alarm event is reported each time that a threshold is exceeded...

Page 1114: ...ort 38 A sample entry and syntax of the event control table is shown below BigIron RX config rmon event 1 description testing a longer string log and trap public owner nyc02 Syntax rmon event event entry description text string log trap log and trap owner rmon station ...

Page 1115: ...ntil Link Aggregation is established Once Link Aggregation is established then the sFlow parameter appears on the interface mode which is configured Link Aggregation Source address The sampled sFlow data sent to the collectors includes an agent_address field This field identifies the IP address of the device that sent the data sFlow looks for an IP address in following order and uses the first add...

Page 1116: ...router s IP address and the outgoing VLAN ID Extended router information also includes the source IP address prefix length and the destination IP address prefix length Note that in IPv4 prefix length of source and destination IP addresses is collected only if BGP is configured on the devices Extended gateway information Extended gateway information is included in an sFlow sampled packet if BGP is ...

Page 1117: ...es the device that sent the data Refer to Source address on page 1039 Changing the polling interval The polling interval defines how often sFlow byte and packet counter data for a port are sent to the sFlow collectors If multiple ports are enabled for sFlow the device staggers transmission of the counter data to smooth performance For example if sFlow is enabled on two ports and the polling interv...

Page 1118: ...ases because four times as many packets will be sampled NOTE Brocade recommends that you do not change the denominator to a value lower than the default Sampling requires CPU resources Using a low denominator for the sampling rate can cause high CPU utilization Change to global rate If you change the global sampling rate the change is applied to all sFlow enabled ports except those ports on which ...

Page 1119: ... actual sampling rate becomes one of the values listed in Changing the default sampling rate Enabling sFlow forwarding sFlow exports data only for the interfaces on which you enable sFlow forwarding You can enable sFlow forwarding on the Ethernet interfaces To enable sFlow forwarding Globally enable the sFlow feature Enable sFlow forwarding on individual interfaces NOTE Before you enable sFlow mak...

Page 1120: ...L based sFlow samples For these samples standard Tag Type 1 samples collected using ACL based Inbound sFlow are encapsulated in a Tag Type 1991 sample The length variable identifies the entire length of the Tag Type 1991 sample including the encapsulated Tag Type 1 sample The encapsulated sample has a length variable of its own that only identifies the length of that sample The Tag Type 1991 sampl...

Page 1121: ...tor as ACL sample packets Also the user can configure ACL based sFlow on an interface without configuring port based sFlow Policy Based Routing The copy sflow keyword is applicable for PBR ACLs IPv4 ACL based Rate Limiting When the copy sflow keyword is used in an IPv4 Rate Limiting ACL only traffic permitted by the Rate Limiting engine is copied to the CPU for forwarding to the sFlow collector Pa...

Page 1122: ... an interface using the ip access group command as shown in the following BigIron RX config int eth 1 1 BigIron RX config if e10000 1 1 ip access group 151 in Specifying an sFlow collector sFlow exports traffic statistics to an external collector You can specify up to four collectors You can specify more than one collector with the same IP address if the UDP port numbers are unique You can have up...

Page 1123: ...how many have been configured Polling interval The port counter polling interval Configured default sampling rate The configured global sampling rate If you changed the global sampling rate the value you entered is shown here The actual rate calculated by the software based on the value you entered is listed on the next line Actual default sampling rate UDP packets exported The number of sFlow exp...

Page 1124: ...te TABLE 170 sFlow information Continued This field Displays BigIron RX config show interface ethernet 1 1 GigabitEthernet2 1 is disabled line protocol is down link keepalive is enabled Hardware is GigabitEthernet address is 000c dbe2 5900 bia 000c dbe2 5900 Configured speed 1Gbit actual unknown configured duplex fdx actual unknown Configured mdi mode AUTO actual unknown Member of 2 L2 VLANs port ...

Page 1125: ...BigIron RX Series Configuration Guide 1049 53 1002253 01 Clearing sFlow statistics 39 sFlow samples collected NOTE This command also clears the statistics counters used by other features ...

Page 1126: ...1050 BigIron RX Series Configuration Guide 53 1002253 01 Clearing sFlow statistics 39 ...

Page 1127: ...s that might occur within an IST and also throughout the CST In addition MSTP can coexist with individual devices running STP or RSTP in the Common and Internal Spanning Trees instance CIST With the exception of the provisions for multiple instances MSTP operates exactly like RSTP For example in Figure 139 a network is configured with two regions Region 1 and Region 2 The entire network is running...

Page 1128: ...plementations Multiple Spanning Tree Instance MSTI The MSTI is identified by an MST identifier MSTid value between 1 and 4090 however VLAN 4090 is a reserved VLAN MSTI defines an individual instance of an IST One or more VLANs can be assigned to an MSTI A VLAN cannot be assigned to multiple MSTIs MSTP Region These are clusters of bridges that run multiple instances of the MSTP protocol Multiple br...

Page 1129: ...an MSTP instance Setting the MSTP global parameters Setting ports to be operational edge ports Setting point to point link Disabling MSTP on a port Forcing ports to transmit an MSTP BPDU Enabling MSTP on a switch Setting the MSTP name Each switch that is running MSTP is configured with a name It applies to the switch which can have many different VLANs that can belong to many different MSTP region...

Page 1130: ...ion level BigIron RX config mstp instance 7 ethernet 3 1 priority 32 path cost 200 Syntax no mstp instance instance number ethernet slot port priority port priority path cost cost The instance number variable is the number of the instance of MSTP that you are configuring priority and path cost for The ethernet slot port parameter specifies a port within a VLAN The priority and path cost configured...

Page 1131: ... an RST BPDU after a topology change This can be a value from 4 30 seconds The default is 15 seconds The hello time value parameter specifies the interval between two hello packets The parameter can have a value from 1 10 seconds The default is 2 seconds The max age value parameter specifies the amount of time the device waits to receive a hello packet before it initiates a topology change You can...

Page 1132: ... slot port variable specifies the location of the port that you want to disable MSTP for Forcing ports to transmit an MSTP BPDU To force a port to transmit an MSTP BPDU use a command such as the following at the Global Configuration level BigIron RX config mstp force migration check ethernet 3 1 Syntax no mstp force migration check ethernet slot port The slot port variable specifies the port or po...

Page 1133: ...14 ethernet 2 16 BigIron RX config vlan 20 no spanning tree BigIron RX config vlan 20 exit BigIron RX config vlan 21 by port BigIron RX config vlan 21 tagged ethernet 2 9 to 2 14 ethernet 2 16 BigIron RX config vlan 21 no spanning tree BigIron RX config vlan 21 exit BigIron RX config vlan 22 by port BigIron RX config vlan 22 tagged ethernet 2 9 to 2 14 ethernet 2 16 BigIron RX config vlan 22 no sp...

Page 1134: ...21 vlan 21 BigIron RX config mstp instance 22 vlan 22 BigIron RX config mstp admin pt2pt mac ethernet 3 17 to 3 20 ethernet 3 5 to 3 6 BigIron RX config mstp admin pt2pt mac ethernet 3 10 BigIron RX config mstp disable ethe 3 7 ethernet 3 24 BigIron RX config mstp start BigIron RX config hostname CORE2 LAN 4 configuration BigIron RX config trunk switch ethernet 3 5 to 3 6 ethernet 3 1 to 3 2 BigIr...

Page 1135: ...ariable Bridge Hop cnt Displays configured Max Hop count variable Root MaxAge sec Max Age configured on the root bridge Root Hello sec Hello interval configured on the root bridge BigIron RX config show mstp MSTP Instance 0 CIST VLANs 1 Bridge Bridge Bridge Bridge Bridge Root Root Root Root Identifier MaxAge Hello FwdDly Hop MaxAge Hello FwdDly Hop hex sec sec sec cnt sec sec sec cnt 8000000cdb80a...

Page 1136: ... indicating shortest path to root Set to Root if this bridge is the root bridge Port Num The port number of the interface Pri The configured priority of the port The default is 128 PortPath Cost Configured or auto detected path cost for port P2P Mac Indicates if the port is configured with a point to point link T The port is configured in a point to point link F The port is not configured in a poi...

Page 1137: ...entifier Hop Bridge Cost Bridge Port Hop hex cnt hex hex cnt 8001000cdb80af01 20 8001000cdb80af01 0 8001000cdb80af01 Root 20 Port Pri PortPath Role State Designa Designated Num Cost ted cost bridge 3 1 128 2000 MASTER FORWARDING 0 8001000cdb80af01 BigIron RX config show mstp 0 MSTP Instance 0 CIST VLANs 1 Bridge Bridge Bridge Bridge Bridge Root Root Root Root Identifier MaxAge Hello FwdDly Hop Max...

Page 1138: ...Priority 128 OperEdge T OperPt2PtMac F Boundary T Designated Root 800000b000c00000 RegionalRoot 800000b000c00000 Bridge 800000b000c00000 ExtCost 0 IntCost 0 ActiveTimers helloWhen 1 MachineState PRX DISCARD PTX IDLE PPM SENDING_RSTP PIM CURRENT PRT ACTIVE_PORT PST FORWARDING TCM INACTIVE BPDUs Rcvd MST 0 RST 0 Config 0 TCN 0 Sent MST 6 RST 0 Config 0 TCN 0 BigIron RX show xstp Ethernet 3 1 STP inf...

Page 1139: ...ted to this port P2P Mac Indicates if the point to point mac parameter is configured to be a point to point link T The link is configured as a point to point link F The link is not configured as a point to point link This is the default Edge port Indicates if the port is configured as an operational Edge port T The port is configured as an Edge port F The port is not configured as an Edge port Thi...

Page 1140: ...1064 BigIron RX Series Configuration Guide 53 1002253 01 802 1s Multiple Spanning Tree Protocol 40 ...

Page 1141: ... you can enable the device to actively send the IGMP queries Query interval The query interval specifies how often the device sends Group Membership queries This query interval applies only to the active IGMP mode The default is 60 seconds You can change the interval to a value from 10 600 seconds Age interval The age interval specifies how long an IGMP group can remain in the IGMP group table wit...

Page 1142: ...the device forwards the group traffic out the ports listed in the corresponding entries as long as the ports are members of the same VLAN If the table does not contain an entry corresponding to the group or if the port is a member of the default VLAN the device broadcasts the traffic NOTE When one or more BigIron RX devices are running Layer 2 IP Multicast Traffic reduction configure one of the de...

Page 1143: ...ve When passive IGMP mode is enabled the device listens for IGMP Group Membership reports but does not send IGMP queries The passive mode is sometimes called IGMP snooping Use this mode when another device in the network is actively sending queries To enable active IGMP enter the following command BigIron RX config ip multicast active BigIron RX config write memory BigIron RX config end BigIron RX...

Page 1144: ...tive IP Multicast Traffic Reduction sends Group Membership queries NOTE The query interval applies only to the active mode of IP Multicast Traffic reduction To modify the query interval enter a command such as the following BigIron RX config ip multicast query interval 120 Syntax no ip multicast query interval interval The interval parameter specifies the interval between queries You can specify a...

Page 1145: ...To enable IGMP Snooping Tracking globally enter a command such as the following BigIron RX config multicast tracking Syntax no ip multicast tracking The no form of this command disables the tracking process globally To enable IGMP Snooping Tracking per VLAN enter commands such as the following BigIron RX config vlan 100 BigIron RX config vlan 100 multicast tracking Syntax no multicast tracking The...

Page 1146: ...atically join a multicast group on port 2 4 enter commands such as the following BigIron RX config vlan 100 BigIron RX config vlan 100 multicast static group 224 10 1 1 2 4 To configure the snooping device to statically join a multicast stream with the source address of 10 43 1 12 in the include mode enter commands such as the following BigIron RX config vlan 100 BigIron RX config vlan 100 multica...

Page 1147: ...or the configured multicast groups Upstream traffic will be sent to the router and will not use a port The port list parameter specifies the range of ports to include in the configuration The no form of this command removes the static multicast definition Each configuration must be deleted separately PIM SM traffic snooping By default when a BigIron RX receives an IP multicast packet the device do...

Page 1148: ... to learn the group ID then makes a forwarding entry for the group ID and the port connected to the receiver s router The next time the device receives traffic for 239 255 162 1 from the group s source the device forwards the traffic only on port 5 1 since that is the only port connected to a receiver for the group Notice that the receiver for group 239 255 162 69 is directly connected to the devi...

Page 1149: ...ous other devices such as other BigIron RX FIGURE 142 PIM SM traffic reduction in global Ethernet environment The devices on the edge of the Global Ethernet cloud are configured for IP multicast traffic reduction and PIM SM traffic snooping Although this application uses multiple devices the feature has the same requirements and works the same way as it does on a single device Configuration requir...

Page 1150: ...Consequently if the source and the downstream router are in the same subnet and PIM SM traffic snooping is enabled the device blocks the PIM SM traffic and never starts forwarding the traffic This is because the device never receives a join message from the downstream router for the group The downstream router and group find each other without a join message because they are in the same subnet NOT...

Page 1151: ...uring PIM proxy per VLAN instance Using the PIM proxy function multicast traffic can be reduced by configuring a device to issue PIM join and prune messages on behalf of hosts that the configured router discovers through standard PIM interfaces The router is then able to act as a proxy for the discovered hosts and perform PIM tasks upstream of the discovered hosts Where there are multiple PIM down...

Page 1152: ...ely sends IGMP queries Router Ports The ports that are connected to routers that support IP multicast Report FID The fid and camindex values are used by Brocade Technical Support for troubleshooting Number of Multicast Group The total number of groups for which the VLAN s ports have received IGMP group membership reports join messages or prune messages Group An IP multicast group IGMP Report Port ...

Page 1153: ...he CLI BigIron RX clear ip multicast statistics This command resets statistics counters for all the statistics displayed by the show ip multicast statistics command to zero Syntax clear ip multicast statistics Clearing IGMP group flows To clear all the IGMP flows learned by the device enter the following command at the Privileged EXEC level of the CLI BigIron RX clear ip multicast all The followin...

Page 1154: ...ll group group id The all parameter clears the learned flows for all groups The group group id parameter clears the flows for the specified group but does not clear the flows for other groups BigIron RX show ip multicast IP multicast is enabled Active VLAN ID 1 Active 192 168 2 30 Router Ports 4 13 Multicast Group 239 255 162 5 Port 4 4 4 13 Multicast Group 239 255 162 4 Port 4 10 4 13 BigIron RX ...

Page 1155: ... is a 4 bit hexadecimal value The following is an example of an IPv6 address 2001 0000 0000 0200 002D D0FF FE48 4672 Note that the sample IPv6 address includes hexadecimal fields of zeros To make the address less cumbersome you can do the following Omit the leading zeros for example 2001 0 0 200 2D D0FF FE48 4672 Compress the successive groups of zeros at the beginning middle or end of an IPv6 add...

Page 1156: ... three major types of IPv6 addresses that you can assign to a switch interface A major difference between IPv4 and IPv6 addresses is that IPv6 addresses support scope which describes the topology in which the address may be used as a unique identifier for an interface or set of interfaces Unicast and multicast addresses support scoping as follows Unicast addresses support two types of scope global...

Page 1157: ...ace ID IPv4 compatible address An address used in IPv6 transition mechanisms that tunnel IPv6 packets dynamically over IPv4 infrastructures The address embeds an IPv4 address in the low order 32 bits and the high order 96 bits are zeros The address structure is as follows 0 0 0 0 0 0 A B C D Loopback address An address 0 0 0 0 0 0 0 1 or 1 that a switch can use to send an IPv6 packet to itself You...

Page 1158: ...e on the link The duplicate address detection feature verifies that a unicast IPv6 address is unique before it is assigned to a host interface by the stateless auto configuration feature Duplicate address detection uses neighbor solicitation messages to verify that a unicast IPv6 address is unique NOTE For the stateless auto configuration feature to work properly the advertised prefix length in sw...

Page 1159: ... MTU Configure an unnumbered interface Configure static neighbor entries Limit the hop count of an IPv6 packet Configure Quality of Service QoS for IPv6 traffic Enabling IPv6 routing By default IPv6 routing is disabled To enable the forwarding of IPv6 traffic globally on the router enter the following command BigIron RX config ipv6 unicast routing Syntax no ipv6 unicast routing To disable the forw...

Page 1160: ...ally joins the following required multicast groups for that link Solicited node multicast group FF02 0 0 0 0 1 FF00 104 for each unicast address assigned to the interface All nodes link local multicast group FF02 1 All routers link local multicast group FF02 2 The neighbor discovery feature sends messages to these multicast groups For more information refer to Configuring IPv6 neighbor discovery o...

Page 1161: ... address To explicitly enable IPv6 on a router interface without configuring a global or site local address for the interface enter commands such as the following BigIron RX config interface ethernet 3 1 BigIron RX config if e100 3 1 ipv6 enable These commands enable IPv6 on Ethernet interface 3 1 and specify that the interface is assigned an automatically computed link local address Syntax no ipv...

Page 1162: ...efix length anycast IPv6 anycast addresses are described in detail in RFC 1884 Refer to RFC 2461 for a description of how the IPv6 Neighbor Discovery mechanism handles anycast addresses Configuring the management port for an IPv6 automatic address configuration You can have the management port configured to automatically obtain an IPv6 address This process is the same for any other port and is des...

Page 1163: ...g access list 12 deny 3000 4828 fe19 128 log BigIron RX config access list 12 permit any BigIron RX config web access group ipv6 12 Syntax web access group ipv6 ipv6 ACL name where ipv6 ACL name is a valid IPv6 ACL Restricting web management access to an IPv6 host You can restrict Web management access to the device to the IPv6 host whose IP address you specify No other device except the one with ...

Page 1164: ...ress is exactly like configuration of an IPv6 address in router mode except that all of the IPv6 configuration is at the Global Config level instead of at the Interface Config level The process for defining the system wide interface for IPv6 is described in the following sections Configuring a global or site local IPv6 address with a manually configured interface ID as the switch s system wide add...

Page 1165: ...lobal or site local address with an EUI 64 interface ID in the low order 64 bits The interface ID is automatically constructed in IEEE EUI 64 format using the interface s MAC address Configuring a link local IPv6 address as the switch s system wide address To enable IPv6 and automatically configure a global interface enter commands such as the following BigIron RX config ipv6 enable This command e...

Page 1166: ...o form of this command Syntax ip address ip address sub net mask secondary You must specify the ip address parameter using 8 bit values in dotted decimal notation You can specify the sub net mask parameter in either dotted decimal notation or as a decimal value preceded by a slash mark The secondary keyword specifies that the configured address is a secondary IPv4 address To remove the IPv4 addres...

Page 1167: ...s are polled is the same as the order in which you enter them Suppose you want to define the domain name of newyork com on a Brocade device and then define four possible default DNS gateway addresses To do so using IPv4 addressing you would enter the following commands BigIron RX config ip dns domain name newyork com BigIron RX config ip dns server address 209 157 22 199 205 96 7 15 208 95 7 25 20...

Page 1168: ...es not contain a forwarding entry for the destination the software selects a path from among the available equal cost paths to the destination then creates an entry in the in the cache based on the calculation Subsequent traffic for the same destination uses the forwarding entry Entries remain in the IPv6 forwarding cache for one minute then are aged out If the path selected by the device becomes ...

Page 1169: ...ffic based on destination host address or destination network The default is network based IP load sharing If you want to enable the device to perform host based IP load sharing instead enter the following command BigIron RX config ipv6 load sharing by host Syntax no ipv6 load sharing by host This command enables host based ECMP load sharing on the device The command also disables network based EC...

Page 1170: ...e destination network address Routes to each network are stored in CAM and accessed when a path to a network is required Because multiple hosts are likely to reside on a network this method uses fewer CAM entries than load sharing by host When you select network based ECMP load sharing you can choose either of the following two CAM modes Dynamic Mode In the dynamic mode routes are entered into the...

Page 1171: ... algorithm To illustrate how this algorithm works imagine a virtual bucket that contains a number of tokens Each token represents the ability to send one ICMP error message Tokens are placed in the bucket at a specified interval until the maximum number of tokens allowed in the bucket is reached For each error message that ICMP sends a token is removed from the bucket If ICMP generates a series of...

Page 1172: ...ges You can disable or re enable the sending of ICMP redirect messages by a router By default a router can send an ICMP redirect message to a neighboring host to inform it of a better first hop router on a path to a destination No further configuration is required to enable the sending of ICMP redirect messages For more information about how ICMP redirect messages are implemented for IPv6 refer to...

Page 1173: ...de 2 on the same link To do so node 1 the source node multicasts a neighbor solicitation message The neighbor solicitation message which has a value of 135 in the Type field of the ICMP packet header contains the following information Source address IPv6 address of node 1 interface that sends the message Destination address solicited node multicast address FF02 0 0 0 0 1 FF00 104 that corresponds ...

Page 1174: ...nd automatically enables the sending of router advertisement messages on all configured router Ethernet interfaces You can configure several router advertisement message parameters For information about disabling the sending of router advertisement messages and the router advertisement parameters that you can configure refer to Enabling and disabling IPv6 router advertisements on page 1101 and Set...

Page 1175: ... the default value use the no form of this command For the interval between neighbor solicitation messages you can specify any number of seconds Brocade does not recommend very short intervals in normal IPv6 operation When a non default value is configured the configured time is both advertised and used by the router itself To restore the default interval use the no form of this command Setting IP...

Page 1176: ...e link upon which it is advertised Nodes sending traffic to addresses that contain the specified prefix consider the destination to be reachable on the local link Autoconfiguration flag Optional If this flag is set the stateless auto configuration feature can use the specified prefix in the automatic configuration of 128 bit IPv6 addresses for hosts on the local link For example to advertise the p...

Page 1177: ...s Configuration flag is not set and the Other Stateful Configuration flag is set then the setting of the Other Stateful Configuration flag is used By default the Managed Address Configuration and Other Stateful Configuration flags are not set in router advertisement messages For example to set these flags in router advertisement messages sent from Ethernet interface 3 1 enter the following command...

Page 1178: ...IPv6 MTU The IPv6 MTU is the maximum length of an IPv6 packet that can be transmitted on a particular interface If an IPv6 packet is longer than an MTU the host that originated the packet fragments the packet and transmits its contents in multiple packets that are shorter than the configured MTU You can configure the MTU on individual interfaces Per RFC 2460 the minimum IPv6 MTU for any interface ...

Page 1179: ...e through Ethernet interface 3 1 enter the following command BigIron RX config ipv6 neighbor 3001 ffe0 2678 47b ethernet 3 1 0004 6a2b 8641 Syntax no ipv6 neighbor ipv6 address ethernet port ve ve number ethernet port link layer address The ipv6 address parameter specifies the address of the neighbor The ethernet ve parameter specifies the interface through which to reach a neighbor If you specify...

Page 1180: ...e change into effect This applies whether you are enabling QoS for IPv6 or IPv4 traffic The port priority command globally enables QoS for IPv6 traffic on all interfaces On the BigIron RX routers when QoS is enabled with the port priority command the device inserts a value in the internal Brocade header based on a combination of the following information 802 1p priority Interface priority if confi...

Page 1181: ...hbor table or specify an entry based on the following IPv6 prefix IPv6 address Interface type For example to remove entries for Ethernet interface 3 1 enter the following command at the Privileged EXEC level or any of the CONFIG levels of the CLI BigIron RX clear ipv6 neighbor ethernet 3 1 Syntax clear ipv6 neighbor ipv6 prefix prefix length ipv6 address ethernet port ve number You must specify th...

Page 1182: ... enter the following command at the Privileged EXEC level or any of the Config levels of the CLI BigIron RX config clear ipv6 traffic Syntax clear ipv6 traffic Deleting IPv6 session flows To delete all flows from the IPv6 session cache enter the following command BigIron RX clear ipv6 flows Syntax clear ipv6 flows Displaying global IPv6 information You can display output for the following global I...

Page 1183: ...u specify an Ethernet interface also specify the port number associated with the interface If you specify a VE interface also specify the VE number If you specify a tunnel interface also specify the tunnel number This display shows the following information Displaying IPv6 interface information To display IPv6 interface information enter the following command at any CLI level TABLE 174 IPv6 cache ...

Page 1184: ...at any CLI level TABLE 175 General IPv6 interface information fields This field Displays Routing protocols A one letter code that represents a routing protocol that can be enabled on an interface Interface The interface type and the port number or number of the interface Status The status of the interface The entry in the Status field will be either up up or down down Routing The routing protocols...

Page 1185: ...ed for the IPv6 interface The MTU is the maximum length an IPv6 packet can have to be transmitted on the interface If an IPv6 packet is longer than an MTU the host that originated the packet fragments the packet and transmits its contents in multiple packets that are shorter than the configured MTU ICMP The setting of the ICMP redirect parameter for the interface ND The setting of the various neig...

Page 1186: ...on fields This field Displays Total number of neighbor entries The total number of entries in the IPv6 neighbor table IPv6 Address The 128 bit IPv6 address of the neighbor Link Layer Address The 48 bit interface ID of the neighbor State The current state of the neighbor Possible states are as follows INCOMPLETE Address resolution of the entry is being performed REACH The forward path to the neighb...

Page 1187: ...e isis keyword restricts the display to entries for IPv6 IS IS routes The ospf keyword restricts the display to entries for OSPFv3 routes The rip keyword restricts the display to entries for RIPng routes The static keyword restricts the display to entries for static IPv6 routes The summary keyword displays a summary of the prefixes and different route types The following table lists the informatio...

Page 1188: ...ting using the ipv6 unicast routing command and you enter the show ipv6 router command you will receive the following output Meaningful output for this command is generated for Brocade devices configured to function as IPv6 hosts only This display shows the following information Next Hop Router The next hop router Interface The interface through which this router sends packets to reach the route s...

Page 1189: ...ld unspecified Lifetime The amount of time in seconds that the router is useful as the default router Reachable time The amount of time in milliseconds that a router assumes a neighbor is reachable after receiving a reachability confirmation The reachable time value applies to the router for which you are displaying information and should be followed by IPv6 hosts attached to the router A value of...

Page 1190: ...state of the connection FIN WAIT 1 Waiting for a connection termination request from the remote TCP or an acknowledgment of the connection termination request previously sent FIN WAIT 2 Waiting for a connection termination request from the remote TCP CLOSE WAIT Waiting for a connection termination request from the local user CLOSING Waiting for a connection termination request acknowledgment from ...

Page 1191: ...4 or IPv6 address and port number The state of the TCP connection For information on possible states refer to Table 181 on page 1114 The port numbers of the local interface Send initial sequence number number The initial sequence number sent by the local router Send first unacknowledged sequence number number The first unacknowledged sequence number sent by the local router Send current send point...

Page 1192: ...he local router in setting up the TCP connection Receive initial incoming sequence number number The initial incoming sequence number received by the local router Receive expected incoming sequence number number The incoming sequence number expected by the local router Receive received window number The size of the local router s receive window Receive bytes in receive queue number The number of b...

Page 1193: ...t 0 frag recv 0 frag dropped 0 frag timeout 0 frag overflow 0 reassembled 0 fragmented 0 ofragments 0 can t frag 0 too short 0 too small 11 not member 0 no buffer 66819 allocated 21769 freed 0 forward cache hit 46 forward cache miss ICMP6 Statistics Received 0 dest unreach 0 pkt too big 0 time exceeded 0 param prob 2 echo req 1 echo reply 0 mem query 0 mem report 0 mem red 0 router soli 2393 route...

Page 1194: ...mber The number of IPv6 packets dropped because the recipient is not a member of a multicast group no buffer The number of IPv6 packets dropped because there is no buffer available forward cache miss The number of IPv6 packets received for which there is no corresponding cache entry ICMP6 statistics Some ICMP statistics apply to both Received and Sent some apply to Received only some apply to Sent...

Page 1195: ...es to sent errors only unreach no route The number of Unreachable No Route errors sent by the router admin The number of Admin errors sent by the router beyond scope The number of Beyond Scope errors sent by the router address The number of Address errors sent by the router no port The number of No Port errors sent by the router pkt too big The number of Packet Too Big errors sent by the router ti...

Page 1196: ...RESET message to the device at the other end of the connection passive resets The number of TCP connections the router reset because the device at the other end of the connection sent a TCP RESET message input errors This information is used by Brocade Technical Support in segments The number of TCP segments received by the router out segments The number of TCP segments sent by the router retransm...

Page 1197: ... RIP routers In turn RIPng attempts to add routes from its local RIB into the main IPv6 route table This chapter describes the following How to configure RIPng How to clear RIPng information from the RIPng route table How to display RIPng information and statistics Configuring RIPng To configure RIPng you must do the following Enable RIPng globally on the Brocade device and on individual router in...

Page 1198: ... physical as well as virtual routing interfaces For example to enable RIPng on Ethernet interface 3 1 enter the following commands BigIron RX config interface ethernet 3 1 BigIron RX config if e100 3 1 ipv6 rip enable Syntax no ipv6 rip enable To disable RIPng on an individual router interface use the no form of this command Configuring RIPng timers Table 184 describes the RIPng timers and provide...

Page 1199: ... want to retain the current setting of a particular timer To return to the default values of the RIPng timers use the no form of this command Configuring route learning and advertising parameters You can configure the following learning and advertising parameters Learning and advertising of RIPng default routes Advertising of IPv6 address summaries Metric of routes learned and advertised on a rout...

Page 1200: ...ss ipv6 prefix prefix length You must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter To stop the advertising of the summarized IPv6 prefix use the no form of this command Changing th...

Page 1201: ...ng distribution of routes through RIPng You can create a prefix list and then apply it to RIPng routing updates that are received or sent on a router interface Performing this task allows you to control the distribution of routes through RIPng For example to permit the inclusion of routes with the prefix 2001 16 in RIPng routing updates sent from Ethernet interface 3 1 enter the following commands...

Page 1202: ...gIron RX config ipv6 router rip BigIron RX config ripng router poison reverse Syntax no poison reverse To disable poison reverse use the no version of this command By default if a RIPng interface goes down the Brocade device does not send a triggered update for the interface s IPv6 networks To better handle this situation you can configure a RIPng router to send a triggered update containing the l...

Page 1203: ...The status of the RIPng split horizon and poison reverse features Possible status is on or off Default routes The status of RIPng default routes Periodic updates trigger updates The number of periodic updates and triggered updates sent by the RIPng router Distribution lists The inbound and outbound distribution lists applied to RIPng Redistribution The types of IPv6 routes redistributed into RIPng...

Page 1204: ...dress The IPv6 prefix and prefix length The IPv6 address Next hop router The next hop router for this Brocade device If appears the route is originated locally Interface The interface name If null appears the interface is originated locally Source of route The source of the route information The source can be one of the following RIP routes learned by RIPng CONNECTED IPv6 routes redistributed from...

Page 1205: ... MBGP except for the following enhancements An IPv6 unicast address family and network layer reachability information NLRI Next hop attributes that use IPv6 addresses NOTE Brocade s implementation of BGP4 supports the advertising of routes among different address families However it supports BGP4 unicast routes only it does not currently support BGP4 multicast routes This chapter describes the fol...

Page 1206: ...gured in the BGP4 unicast address family to work in the BGP4 unicast address family unless it is explicitly configured in the BGP4 unicast address family To exit from the IPv6 unicast address family configuration level enter the following command BigIron RX config bgp ipv6u exit address family BigIron RX config bgp Entering this command returns you to the global BGP configuration level Configuring...

Page 1207: ...ed to exchange BGP4 unicast prefixes However if you add IPv6 neighbors while at the global BGP configuration or IPv4 BGP unicast address family configuration level the neighbors will not exchange BGP4 unicast prefixes until you explicitly enable them to do so by entering the neighbor ipv6 address peer group name activate command at the BGP4 unicast address family configuration level This section p...

Page 1208: ...he neighbor and local switch will exchange prefixes Configure a route map to set up a global next hop for packets destined for the neighbor Adding BGP4 neighbor To add the IPv6 link local address fe80 4398 ab30 45de 1 of a neighbor in remote AS 1000 to the BGP4 neighbor table of a switch enter the following commands BigIron RX config bgp address family ipv6 unicast BigIron RX config bgp ipv6u neig...

Page 1209: ...the BGP4 unicast address family configuration level BigIron RX config bgp ipv6u neighbor fe80 4398 ab30 45de 1 route map out next hop BigIron RX config bgp ipv6u exit BigIron RX config route map next hop permit 10 BigIron RX config route map match ipv6 address prefix list next hop ipv6 BigIron RX config route map set ipv6 next hop 2011 e0ff 3764 34 This route map applies to the BGP4 unicast addres...

Page 1210: ...ite local IPv6 addresses on page 1131 and Adding BGP4 neighbors using link local addresses on page 1132 NOTE You can add IPv6 neighbors only to an IPv6 peer group You cannot add an IPv4 neighbor to an IPv6 peer group and vice versa IPv6 and IPv6 peer groups must remain separate To configure a BGP4 peer group you must do the following 1 Create a peer group 2 Add a neighbor to the local switch 3 Ass...

Page 1211: ...bgp ipv6u neighbor 2001 efff 89 23 peer group peer_group1 Syntax neighbor ipv6 address peer group peer group name The ipv6 address parameter specifies the IPv6 address of the neighbor You must specify the ipv6 address parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 The peer group peer group name parameter indicates the name of the already created peer group To...

Page 1212: ... 32 into the BGP4 database enter the following command at the BGP4 unicast address family configuration level BigIron RX config bgp ipv6u network 3ff0 ec21 32 Syntax network ipv6 prefix prefix length route map name You must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You must specify the prefix length parameter as a decimal value A ...

Page 1213: ...ggregation a switch will individually advertise routes for networks ff00 f000 0001 0000 64 ff00 f000 0002 0000 64 ff00 f000 0003 0000 64 and so on You can configure the switch to instead send a single aggregate route for the networks The aggregate route would be advertised as ff00 f000 24 to BGP4 neighbors To aggregate BGP4 routes for ff00 f000 0001 0000 64 ff00 f000 0002 0000 64 ff00 f000 0003 00...

Page 1214: ...mit 10 BigIron RX config routemap map1 match ipv6 address prefix list ipv6_uni This example configures a route map named map1 that permits incoming IPv6 unicast routes that match the prefix list named ipv6_uni 2001 eff3 32 Note that you apply the route map while at the BGP4 unicast address family configuration level Clearing BGP4 information This section contains information about clearing the fol...

Page 1215: ...CLI BigIron RX clear ipv6 bgp flap statistics Syntax clear ipv6 bgp flap statistics ipv6 prefix prefix length neighbor ipv6 address regular expression regular expression The ipv6 prefix prefix length parameter clears route flap dampening statistics for a specified IPv6 prefix You must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You ...

Page 1216: ...r notification errors The all ipv6 address peer group name as num specifies the neighbor The ipv6 address parameter specifies a neighbor by its IPv6 address You must specify this address in hexadecimal using 16 bit values between colons as documented in RFC 2373 The peer group name specifies all neighbors in a specific peer group The as num parameter specifies all neighbors within the specified AS...

Page 1217: ...the list of routes If the filters or route maps result in changes to the list of routes the switch sends updates to advertise change or even withdraw routes on the neighbor as needed This ensures that the neighbor receives only the routes you want it to contain Even if the neighbor already contains a route learned from the switch that you later decided to filter out using the soft outbound option ...

Page 1218: ...ng statistics The switch allows you to clear all route flap dampening statistics for a specified BGP4 neighbor NOTE Clearing the dampening statistics for a neighbor does not change the dampening status of a route To clear all of the route flap dampening statistics for a neighbor enter a command such as the following at the Privileged EXEC level or any of the Config levels of the CLI BigIron RX cle...

Page 1219: ...figuration information Dampened BGP4 paths Filtered out BGP4 routes BGP4 route flap dampening statistics BGP4 neighbor information BGP4 peer group configuration information BGP4 summary information NOTE The show commands implemented for BGP4 correspond to the show commands implemented for IPv4 BGP For example you can specify the show ipv6 bgp command for IPv6 and the show ip bgp command for IPv4 A...

Page 1220: ...s field is blank LocPrf The degree of preference for the advertised route relative to other routes in the local AS When the BGP4 algorithm compares routes on the basis of local preferences the route with the higher local preference is chosen The preference can have a value from 0 4294967295 Weight The value that this switch associates with routes from a specific neighbor For example if the switch ...

Page 1221: ... list name parameter filters the display using the specified AS path ACL Status The route s status which can be one or more of the following A AGGREGATE The route is an aggregate route for multiple networks B BEST BGP4 has determined that this is the optimal route to the destination b NOT INSTALLED BEST BGP4 has determined that this is the optimal route to the destination but did not install it in...

Page 1222: ... keyword The local keyword displays routes that are local to the switch The neighbor ipv6 address parameter displays routes learned from a specified BGP4 neighbor The nexthop ipv6 address parameter displays the routes for a specified next hop IPv6 address You must specify this address in hexadecimal using 16 bit values between colons as documented in RFC 2373 The no best keyword displays the route...

Page 1223: ... Learned from Peer The IPv6 address of the neighbor from which this route is learned Local router indicates that the switch itself learned the route LOCAL_PREF For information about this field refer to Table 187 on page 1144 MED The value of the advertised route s MED attribute If the route does not have a metric this field is blank BigIron RX show ipv6 bgp routes detail Total number of BGP Routes...

Page 1224: ...v6 route table because the switch received better routes from other sources such as OSPFv3 RIPng or static IPv6 routes C CONFED_EBGP The route was learned from a neighbor in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is currently unusable EGP The routes with this set of attributes came to...

Page 1225: ... that match a specific community filter The detail keyword lets you display more details about the routes You can refine your request by also specifying one of the other parameters after the detail keyword The local keyword displays routes that are local to the switch The neighbor ipv6 address parameter displays routes learned from a specified BGP4 neighbor The nexthop ipv6 address option displays...

Page 1226: ...onger prefix such as 2002 e016 32 are displayed To display only those routes that match prefix 2002 16 enter the following command at any level of the CLI For example to display routes that match prefix 2002 16 or longer enter the following command at any level of the CLI These displays show the following information BigIron RX show ipv6 bgp Total number of BGP Routes 2 Status codes s suppressed d...

Page 1227: ... left of each route The status codes are described in the command s output Origin codes A character the display uses to indicate the route s origin The origin code appears to the right of the AS path Path field The origin codes are described in the command s output Network The network prefix and prefix length Next Hop The next hop switch for reaching the network from the switch Metric The value of...

Page 1228: ...ect the best route IGP is preferred over EGP and both are preferred over INCOMPLETE Originator The originator of the route in a route reflector environment Cluster List The route reflector clusters through which this set of attributes has passed Aggregator Aggregator information AS Number shows the AS in which the network information in the attribute set was aggregated This value applies only to a...

Page 1229: ...e0ff 783a 3 remote as 1001 neighbor 2001 4484 edd3 8389 1 remote as 1002 neighbor 2001 efff 80 23 peer group peer_group1 neighbor 2001 efff 80 23 remote as 1003 address family ipv4 unicast no neighbor 2001 4383 e0ff 783a 3 activate no neighbor 2001 4484 edd3 8389 1 activate no neighbor 2001 efff 80 23 activate exit address family address family ipv4 multicast exit address family address family ipv...

Page 1230: ... the destination network only You must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter TABLE 191 Dampened BGP4 path information This field Displays Status codes A list of the characte...

Page 1231: ...s Number of BGP4 Routes matching display condition The number of routes that matched the display parameters you entered This is the number of routes displayed by the command Status codes A list of the characters the display uses to indicate the route s status The status code appears in the left column of the display to the left of each route The status codes are described in the command s output T...

Page 1232: ...Pv6 routes C CONFED_EBGP The route was learned from a neighbor in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is currently unusable E EBGP The route was learned through a switch in another AS H HISTORY Route dampening is configured for this route and the route has a history of flapping and...

Page 1233: ...es A list of the characters the display uses to indicate the route s status The Status field display an F for each filtered route Prefix For information about this field refer to Table 192 on page 1155 Status For information about this field refer to Table 192 on page 1155 Age The age of the route in seconds BigIron RX show ipv6 bgp filtered routes detail Status A AGGREGATE B BEST b NOT INSTALLED ...

Page 1234: ...Pv6 routes C CONFED_EBGP The route was learned from a neighbor in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is currently unusable E EBGP The route was learned through a switch in another AS H HISTORY Route dampening is configured for this route and the route has a history of flapping and...

Page 1235: ...ics The regular expression regular expression parameter is a regular expression The regular expressions are the same ones supported for BGP4 AS path filters You can also display route flap dampening statistics for a specified IPv6 neighbor For more information refer to Displaying route flap dampening statistics for a BGP4 neighbor on page 1171 This display shows the following information TABLE 194...

Page 1236: ...sements Route attribute entries Route flap dampening statistics The last packet containing an error Received Outbound Route Filters ORFs Routes received from a neighbor BGP4 Routing Information Base RIB Received best not installed best and unreachable routes Route summary Displaying IPv6 neighbor configuration information and statistics To display BGP4 neighbor configuration information and statis...

Page 1237: ...or a specified neighbor only You must specify the ipv6 address parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 This display shows the following information TABLE 195 BGP4 neighbor configuration information and statistics This field Displays IP Address The IPv6 address of the neighbor AS The AS in which the neighbor resides BigIron RX show ipv6 bgp neighbor 200...

Page 1238: ...requently changes between CONNECT and ACTIVE there may be a problem with the TCP connection OPEN SENT BGP4 is waiting for an Open message from the neighbor OPEN CONFIRM BGP4 4 has received an OPEN message from the neighbor and is now waiting for either a KEEPALIVE or NOTIFICATION message If the switch receives a KEEPALIVE message from the neighbor the state changes to Established If the message is...

Page 1239: ... occurred Reasons described in the BGP specifications Message Header Error Connection Not Synchronized Bad Message Length Bad Message Type OPEN Message Error Unsupported Version Number Bad Peer AS Number Bad BGP Identifier Unsupported Optional Parameter Authentication Failure Unacceptable Hold Time Unsupported Capability UPDATE Message Error Malformed Attribute List Unrecognized Well known Attribu...

Page 1240: ...ade implementation Reset All Peer Sessions User Reset Peer Session Port State Down Peer Removed Peer Shutdown Peer AS Number Change Peer AS Confederation Change TCP Connection KeepAlive Timeout TCP Connection Closed by Remote TCP Data Stream Error Detected TABLE 195 BGP4 neighbor configuration information and statistics Continued This field Displays ...

Page 1241: ...r Authentication Failure Unacceptable Hold Time Unspecified Update Message Error Malformed Attribute List Unrecognized Attribute Missing Attribute Attribute Flag Error Attribute Length Error Invalid Origin Attribute Invalid NextHop Attribute Optional Attribute Error Invalid Network Field Malformed AS Path Unspecified Hold Timer Expired Finite State Machine Error Cease Unspecified Notification Rece...

Page 1242: ... the remote TCP which includes an acknowledgment of its connection termination request TIME WAIT Waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request CLOSED There is no connection state Byte Sent The number of bytes sent Byte Received The number of bytes received Local host The IPv6 address of the switch Local port The TCP port...

Page 1243: ...rameter displays the specified route advertised to the neighbor only You must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter This display shows the following information TotalRcv The...

Page 1244: ...his switch associates with routes from a specific neighbor For example if the switch receives routes to the same destination from two BGP4 neighbors the switch prefers the route from the neighbor with the larger weight Status The advertised route s status which can be one or more of the following A AGGREGATE The route is an aggregate route for multiple networks B BEST BGP4 has determined that this...

Page 1245: ...onds Next Hop For information about this field refer to Table 196 on page 1168 Learned from Peer The IPv6 address of the neighbor from which this route is learned Local Router indicates that the switch itself learned the route LOCAL_PREF For information about this field refer to Table 196 on page 1168 MED The value of the advertised route s MED attribute If the route does not have a metric this fi...

Page 1246: ...t the best route IGP is preferred over EGP and both are preferred over INCOMPLETE Originator The originator of the route in a route reflector environment Cluster List The route reflector clusters through which this set of attributes has passed Aggregator Aggregator information AS Number shows the AS in which the network information in the attribute set was aggregated This value applies only to agg...

Page 1247: ...ing statistics for a BGP4 neighbor This field Displays Total number of flapping routes The total number of routes in the neighbor s BGP4 route table that have changed state and thus have been marked as flapping routes Status code Indicates the status of the route which can be one of the following This is the best route among those in the neighbor s BGP4 route table to the route s destination d Thi...

Page 1248: ...rned from a specified neighbor You must specify this address in hexadecimal using 16 bit values between colons as documented in RFC 2373 Displaying routes received from a BGP4 neighbor You can display a summary or detailed route information received in route updates from a specified BGP4 neighbor since you enabled the soft reconfiguration feature For example to display a summary of the route infor...

Page 1249: ...lay The status codes are described in the command s output Prefix The received route s prefix Next Hop The IPv6 address of the next switch that is used when forwarding a packet to the received route Metric The value of the route s MED attribute If the route does not have a metric this field is blank LocPrf The degree of preference for the advertised route relative to other routes in the local AS W...

Page 1250: ...utes from other sources such as OSPFv3 RIPng or static IPv6 routes D DAMPED This route has been dampened by the route dampening feature and is currently unusable E EBGP The route was learned through a switch in another AS H HISTORY Route dampening is configured for this route and the route has a history of flapping and is unreachable now I IBGP The route was learned through a switch in the same AS...

Page 1251: ...oute s MED attribute If the route does not have a metric this field is blank BigIron RX show ipv6 bgp neighbor 2000 1 1 1 received routes detail There are 4 received routes from neighbor 2000 1 1 1 Searching for matching routes use C to quit Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED E EBGP H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED F FILTERED 1 Prefix 1000 1 1 64...

Page 1252: ...u must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter Origin The source of the route information The origin can be one of the following EGP The routes with this set of attributes came to BGP4 through EGP IGP The routes with this set of attributes came to BGP4 through IGP INCOMPLETE The routes came fr...

Page 1253: ...y uses to indicate the route s status The status code appears in the Status column of the display The status codes are described in the command s output Prefix The RIB route s prefix Next Hop The next hop switch for reaching the route from the switch Metric The value of the advertised route s MED attribute If the route does not have a metric this field is blank LocPrf The degree of preference for ...

Page 1254: ...ld refer to Table 203 on page 1177 MED The value of the RIB route s MED attribute If the route does not have a metric this field is blank Origin The source of the route information The origin can be one of the following EGP The routes with this set of attributes came to BGP4 through EGP IGP The routes with this set of attributes came to BGP4 through IGP INCOMPLETE The routes came from an origin ot...

Page 1255: ...utes from a specified neighbor The number of routes displayed by the command Status codes A list of the characters the display uses to indicate the route s status The status code appears in the Status column of the display The status codes are described in the command s output Prefix The route s prefix Next Hop The next hop switch for reaching the route from the switch Metric The value of the rout...

Page 1256: ...ed and this route was selected as one of the best ones to the destination The best route among the multiple paths also is marked with B NOTE If the m is shown in lowercase the software was not able to install the route in the IPv6 route table S SUPPRESSED This route was suppressed during aggregation and thus is not advertised to neighbors F FILTERED This route was filtered out by BGP4 route polici...

Page 1257: ...onds Next Hop For information about this field refer to Table 205 on page 1179 Learned from Peer The IPv6 address of the neighbor from which this route is learned Local Router indicates that the switch itself learned the route LOCAL_PREF For information about this field refer to Table 205 on page 1179 MED The value of the RIB route s MED attribute If the route does not have a metric this field is ...

Page 1258: ... OSPFv3 RIPng IPv6 IS IS or static IPv6 routes Unreachable Routes The number of routes received from the neighbor that are unreachable because the switch does not have a valid RIPng OSPFv3 or static IPv6 route to the next hop History Routes The number of routes that are down but are being retained for route flap dampening purposes NLRIs Received in Update Message The number of routes received in N...

Page 1259: ...the switch has queued to send to this neighbor To be Withdrawn The number of NLRIs for withdrawing routes the switch has queued up to send to this neighbor in UPDATE messages NLRIs Sent in Update Message The number of NLRIs for new routes the switch has sent to this neighbor in UPDATE messages Withdraws The number of routes the switch has sent to the neighbor to withdraw Replacements The number of...

Page 1260: ...e AS 65002 Description device group 1 NextHopSelf yes Address family IPV4 Unicast Address family IPV4 Multicast Address family IPV6 Unicast Members IP Address 192 169 102 2 IP Address 192 169 100 2 IP Address 192 169 101 2 IP Address 192 169 103 2 IP Address 192 169 104 2 IP Address 192 169 105 2 IP Address 192 169 106 2 IP Address 192 169 107 2 IP Address 192 169 108 2 IP Address 192 169 109 2 IP...

Page 1261: ...ighbors Configured The number of BGP4 neighbors configured on this switch Number of Routes Installed The number of BGP4 routes in the switch s BGP4 route table To display the BGP4 route table refer to Displaying the BGP4 route table on page 1143 Number of Routes Advertising to All Neighbors The total of the RtSent and RtToSend columns for all neighbors Number of Attribute Entries Installed The num...

Page 1262: ...r NOTIFICATION message If the switch receives a KEEPALIVE message from the neighbor the state changes to Established If the message is a NOTIFICATION the state changes to Idle ESTABLISHED BGP4 is ready to exchange UPDATE packets with the neighbor If there is more BGP data in the TCP receiver queue a plus sign is also displayed NOTE If you display information for the neighbor using the show ipv6 bg...

Page 1263: ...outes into BGP4 The BigIron RX supports 8192 multicast routes by default You may need to increase the maximum number of multicast routes for MBGP You can configure the device to support up to 153 600 multicast routes Configuring IPv6 MBGP 1 Optional Set the maximum number of multicast routes supported by the BigIron RX 2 Enable IPv6 MBGP by doing the following Enable PIM Sparse Mode PIM SM or PIM ...

Page 1264: ... BGP Enter commands such as the following BigIron RX enable BigIron RX configure terminal BigIron RX config ipv6 router pim BigIron RX config ipv6 pim router interface ethernet 1 1 BigIron RX config if e1000 1 1 ipv6 address 3001 1 BigIron RX config if 1 1 ipv6 pim BigIron RX config if 1 1 exit BigIron RX config router bgp ipv6BGP Please configure local as parameter in order to enable ipv6BGP BigI...

Page 1265: ... num num acl num in out ebgp multihop num filter list in out num num acl num in out weight maximum prefix num threshold teardown next hop self password 0 1 string prefix list string in out remote as as number remove private as route map in out map name route reflector client send community soft reconfiguration inbound shutdown timers keep alive num hold time num update source loopback num weight n...

Page 1266: ...ct route must exist in the IPv6 multicast route table so that the device can create a local MBGP route To configure the device to advertise network 207 95 22 0 24 as a multicast route enter the following command BigIron RX config bgp ipv6m network 207 95 22 0 255 255 255 0 Syntax network ipv6 addr ipv6 mask route map map name backdoor weight num The ipv6 addr is the network number and the ipv6 mas...

Page 1267: ... route map to be consulted before redistributing the routes into MBGP NOTE The route map you specify must already be configured Configuring static IPv6 multicast routes To configure static IPv6 multicast routes enter a command such as the following BigIron RX config ipv6 mroute 8eff 0 32 4fee 2343 0 ee44 1 If you configure more than one static multicast route the BigIron RX Router always uses the ...

Page 1268: ... map name parameter configures the device to advertise the more specific routes in the specified route map The attribute map map name parameter configures the device to set attributes for the aggregate routes based on the specified route map NOTE For the suppress map advertise map and attribute map parameters the route map must already be defined Displaying IPv6 MBGP information All of the IPv6 BG...

Page 1269: ...ing config enter the following command at any level of the CLI show ipv6 mbgp dampened paths Displays IPv6 MBGP paths that have been dampened by route flap dampening show ipv6 mbgp flap statistics Displays route flap dampening statistics show ipv6 mbgp filtered routes Displays routes that have been filtered out TABLE 209 IPv6 MBGP Show commands Continued Command Description BigIron RX show ipv6 mb...

Page 1270: ...ow ipv6 bgp neighbor display but has additional fields that apply only to MBGP These fields are shown in bold type in the example and are explained below NOTE The display shows all the configured parameters for the neighbor Only the parameters that have values different from their defaults are shown BigIron RX show ipv6 mbgp config Current BGP configuration router bgp local as 200 neighbor 166 1 1...

Page 1271: ... IPv6 address Displaying MBGP routes To display the MBGP route table enter the following command BigIron RX show ipv6 mbgp neighbor 4fee 2343 0 ee44 1 Total number of BGP Neighbors 1 1 ipv6 Address 8eff 0 32 Remote AS 200 IBGP RouterID 8 8 8 1 State ESTABLISHED Time 0h33m26s KeepAliveTime 60 HoldTime 180 KeepAliveTimer Expire in 9 seconds HoldTimer Expire in 161 seconds PeerGroup mbgp mesh MD5 Pas...

Page 1272: ...of BGP Routes 2 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED E EBGP H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED s STALE Prefix Next Hop Metric LocPrf Weight Status 1 8 8 8 0 24 166 1 1 2 0 100 0 BI AS_PATH 2 31 1 1 0 24 166 1 1 2 0 100 0 BI AS_PATH BigIron RX show ipv6 mroute Type Codes B BGP D Connected S Static Cost Dist Metric Destination Gateway Port Cost Type 1 ...

Page 1273: ...n an interface sends or receives an IPv6 packet it applies the statements within the ACL in their order of appearance to the packet As soon as a match occurs the BigIron RX takes the specified action permit or deny the packet and stops further comparison for that packet Both IPv4 and IPv6 ACLs can co exist on the same interface NOTE IPv6 ACLs are supported on inbound traffic and are implemented in...

Page 1274: ...eatures such as route maps and distribution lists When you use an ACL this way use permit statements in the ACL to specify the traffic that you want to send to the other feature If you use deny statements the traffic specified by the deny statements is not supplied to the other feature Configuring an IPv6 ACL To configure an IPv6 ACL you must do the following Create the ACL Apply the ACL to an int...

Page 1275: ...v6 access list rtr deny udp any range 5 6 2001 1570 22 24 BigIron RX config ipv6 access list rtr permit ipv6 any any BigIron RX config ipv6 access list rtr write memory The first condition in this ACL denies TCP traffic from the 2001 1570 21 x network to the 2001 1570 22 x network The next condition denies UDP packets from any source with source UDP port in ranges 5 to 6 and whose destination is t...

Page 1276: ...ny as the last statement in the access list if you want to permit IPv6 traffic that were not denied by the previous statements The conditions are applied in the order shown above with deny ipv6 any any as the last condition applied For example if you want to deny ICMP neighbor discovery acknowledgement then permit any remaining IPv6 traffic enter commands such as the following The first permit sta...

Page 1277: ... ipv6 access list acl name Syntax permit deny protocol ipv6 source prefix prefix length any host source ipv6_address ipv6 destination prefix prefix length any host ipv6 destination address ipv6 operator value 802 1p priority matching number dscp marking number 802 1p priority marking number internal priority marking number dscp marking dscp value dscp cos mapping dscp cos mapping For ICMP Syntax n...

Page 1278: ...tor value 802 1p priority matching number dscp marking number 802 1p priority marking number internal priority marking number dscp marking dscp value dscp cos mapping dscp cos mapping TABLE 210 Syntax descriptions Arguments Description ipv6 access list acl name Enables the IPv6 configuration level and defines the name of the IPv6 ACL The acl name can contain up to 199 characters and numbers but ca...

Page 1279: ...re filtered by ICMP message type can also be filtered by the ICMP message code The code is a number from 0 to 255 icmp message ICMP packets are filtered by ICMP messages Refer to ICMP message configurations on page 1205 for a list of ICMP message types tcp Indicates the you are filtering TCP packets udp Indicates the you are filtering UDP packets ipv6 source prefix prefix leng th The ipv6 source p...

Page 1280: ... the traffic class field of the IPv6 packet header This operator allows you to filter traffic based on TOS or IP precedence You can specify a value from 0 63 fragments The policy applies to fragmented packets that contain a non zero fragment offset NOTE This option is not applicable to filtering based on source or destination port TCP flags and ICMP flags routing The policy applies only to IPv6 so...

Page 1281: ... to specify a new QoS value to the packet If a packet matches the filters in the ACL statement this parameter assigns the internal priority that you specify to the packet Enter 0 7 dscp marking number Use the dscp marking number dscp cos mapping parameters parameters to specify a DSCP value and map that value to an internal QoS table to obtain the packet s new QoS value The following occurs when y...

Page 1282: ...prefix fec0 0 0 2 64 and the global prefix 2001 100 1 48 and permits all other incoming packets Syntax ipv6 traffic filter ipv6 acl name in For the ipv6 acl name parameter specify the name of an IPv6 ACL created using the ipv6 access list command The in keyword applies the specified IPv6 ACL to incoming IPv6 packets on the interface Adding TCP flags to an IPv6 ACL entry You can add a TCP flags to ...

Page 1283: ...o any destination BigIron RX config ipv6 access list rtr deny ipv6 any any BigIron RX config ipv6 access list rtr write memory Syntax remark comment text The comment text can be up to 256 characters in length To apply a comment to a specific ACL entry specify the ACL s entry number with the remark entry sequence command Use the show ipv6 access list command to list ACL entry number Enter commands ...

Page 1284: ...6 host 3000 2 any remark This entry denies udp packets from any source to any destination deny udp any any remark This entry denies IPv6 packets from any source to any destination deny ipv6 any any BigIron RX show ipv6 access list rtr ipv6 access list rtr 3 entries 10 remark This entry permits ipv6 packets from 3002 2 to any destination 10 permit ipv6 host 3000 2 any 20 remark This entry denies ud...

Page 1285: ...ersion that IPv4 supports except for the following enhancements Support for IPv6 addresses and prefixes In general you can configure several IPv6 addresses on a router interface OSPFv3 imports all or none of the address prefixes configured on a router interface You cannot select which addresses to import You can run one instance of OSPF version 2 and one instance of OSPFv3 concurrently on a link I...

Page 1286: ... SPF timers Modify the administrative distances for OSPFv3 routes Configure the OSPFv3 LSA pacing interval Modify how often the Brocade device checks on the elimination of the database overflow condition Modify the external link state database limit Modify the default values of OSPFv3 parameters for router interfaces Disable or re enable OSPFv3 event logging Enabling OSPFv3 Before enabling the Bro...

Page 1287: ...might want to make a backup copy of the startup config file containing the protocol s configuration information This way if you remove the configuration information by saving the configuration after disabling the protocol you can restore the configuration by copying the backup copy of the startup config file onto the flash memory Assigning OSPFv3 areas After OSPFv3 is enabled you can assign OSPFv3...

Page 1288: ...area 40 and specify an additional metric of 99 enter the following command BigIron RX config ospf6 router area 40 stub 99 no summary Syntax area number ipv4 address stub metric no summary The number ipv4 address parameter specifies the area number which can be a number or in IPv4 address format If you specify a number the number can be from 0 2 147 483 647 The stub metric parameter specifies an ad...

Page 1289: ...en you establish an area virtual link you must configure it on both of the routers both ends of the virtual link For example imagine that ABR1 in areas 1 and 2 is cut off from the backbone area area 0 To provide backbone access to ABR1 you can add a virtual link between ABR1 and ABR2 in area 1 using area 1 as a transit area To configure the virtual link you define the link on the router that is at...

Page 1290: ...lt is 10 seconds Retransmit interval The interval between the re transmission of link state advertisements to router adjacencies for this interface The range is 0 3600 seconds The default is 5 seconds Transmit delay The period of time it takes to transmit Link State Update packets on the interface The range is 0 3600 seconds The default is 1 second NOTE The values of the dead interval and hello in...

Page 1291: ...nsist of more than one physical port is calculated as follows Trunk group The combined bandwidth of all the ports Virtual Ethernet interface The combined bandwidth of all the ports in the port based VLAN that contains the virtual interface You can change the default reference bandwidth from 100 Mbps to a value from 1 4294967 Mbps If a change to the reference bandwidth results in a cost change to a...

Page 1292: ... the following aspects related to route redistribution Default metric Metric type Advertisement of an external aggregate route Configuring route redistribution into OSPFv3 You can configure the Brocade device to redistribute routes from the following sources into OSPFv3 IPv6 static routes Directly connected IPv6 networks BGP4 IPv6 IS IS RIPng You can redistribute routes in the following ways By ro...

Page 1293: ...gIron RX config routemap abc match metric 5 BigIron RX config routemap abc set metric 8 BigIron RX config routemap abc ipv6 router ospf BigIron RX config ospf6 router redistribute static route map abc The commands in this example configure some static IPv6 routes and a route map and use the route map for redistributing the static IPv6 routes into OSPFv3 The ipv6 route commands configure the static...

Page 1294: ...alue of the protocol from which they are redistributed For information about the redistribute command refer to Configuring route redistribution into OSPFv3 on page 1216 NOTE You also can define the cost on individual interfaces The interface cost overrides the default cost For information about defining the cost on individual interfaces refer to Modifying OSPFv3 interface defaults on page 1226 and...

Page 1295: ...2 address ranges The Brocade device sets the forwarding address of the aggregate route to zero and sets the tag to zero If you delete an address range the advertised aggregate route is flushed and all imported routes that fall within the range are advertised individually If an external link state database overflow LSDB condition occurs all aggregate routes are flushed out of the AS along with othe...

Page 1296: ...ring using global prefix lists Filtering using prefix lists for a specific interface has lower priority than the other two filtering methods The example in this section assume the following routes are in the OSPFv3 route table Configuring an OSPFv3 distribution list using an IPv6 prefix list as input The following example illustrates how to use an IPv6 prefix list is used to filter OSPFv3 routes T...

Page 1297: ...ipv6 router ospf BigIron RX config ospf6 router distribute list prefix list filterOspfRoutes in ve 10 After this distribution list is configured route 3015 64 pointing to virtual interface 10 would be omitted from the OSPFv3 route table BigIron RX show ipv6 ospf route Current Route count 4 Intra 3 Inter 0 External 1 Type1 0 Type2 1 Equal cost multi path 0 Destination Options Area Cost Type2 Cost N...

Page 1298: ...ation or default information origination By default the Brocade device does not advertise the default route into the OSPFv3 domain If you want the device to advertise the OSPF default route you must explicitly enable default route origination When you enable OSPF default route origination the device advertises a type 5 default route that is flooded throughout the AS except stub areas The device ad...

Page 1299: ...e origination enter the no form of the command Modifying shortest path first timers The Brocade device uses the following timers when calculating the shortest path for OSPFv3 routes SPF delay When the Brocade device receives a topology change the software waits before it starts a Shortest Path First SPF calculation By default the software waits 5 seconds You can configure the SPF delay to a value ...

Page 1300: ...PF inter area route and to prefer OSPF intra area routes to static routes The distance you specify influences the choice of routes when the device has multiple routes to the same network from different protocols The device prefers the route with the lower administrative distance You can specify unique default administrative distances for the following OSPFv3 route types Intra area routes Inter are...

Page 1301: ... BigIron RX config ipv6 router ospf BigIron RX config ospf6 router timers lsa group pacing 120 Syntax no timers lsa group pacing seconds The seconds parameter specifies the number of seconds and can be from 10 1800 30 minutes The default is 240 seconds four minutes To restore the pacing interval to its default value use the no form of the command Modifying exit overflow interval If a database over...

Page 1302: ... Represents the length of time between the transmission of hello packets The command syntax is ipv6 ospf hello interval seconds The value can be from 1 65535 seconds The default is 10 seconds Instance Indicates the number of OSPFv3 instances running on an interface The command syntax is ipv6 ospf instance number The value can be from 0 255 The default is 1 MTU ignore Allows you to disable a check ...

Page 1303: ... and database overflow conditions By default the Brocade device logs these events To disable the logging of events enter the following command BigIron RX config ospf6 router no log status change Syntax no log status change To re enable the logging of events enter the following command BigIron RX config ospf6 router log status change Displaying OSPFv3 information You can display the information for...

Page 1304: ...s area The router interfaces attached to the area Number of Area scoped LSAs Number of LSAs with a scope of the specified area SPF algorithm executed The number of times the OSPF Shortest Path First SPF algorithm is executed within the area SPF last updated The interval in seconds that the SPF algorithm was last executed within the area Current SPF node count The current number of SPF nodes in the...

Page 1305: ...outer LSAs only The scope area id parameter displays detailed information about the LSAs for a specified area AS or link This display shows the following information TABLE 212 OSPFv3 database summary fields This field Displays Area ID The OSPF area in which the Brocade device resides Type Type of LSA LSA types can be the following Rtr Router LSAs Type 1 Net Network LSAs Type 2 Inap Inter area pref...

Page 1306: ... LSA stamps it with a sequence number to enable the Brocade device and other OSPF routers to determine which LSA for a given route is the most recent Age The age of the LSA in seconds Chksum A checksum for the LSA packet The checksum is based on all the fields in the packet except the age field The Brocade device uses the checksum to verify that the packet is not corrupted Len The length in bytes ...

Page 1307: ...3 223 223 223 Prefix Options Metric 0 Prefix 2000 4 64 Prefix Options Metric 0 Prefix 2002 c0a8 46a 64 Area ID Type LS ID Adv Rtr Seq Hex Age Cksum Len 0 Rtr 00000039 223 223 223 223 800000b1 355 8f2d 40 Capability Bits E Options V6E R Type Transit Metric 1 Interface ID 00000058 Neighbor Interface ID 00000058 Neighbor Router ID 223 223 223 223 Area ID Type LS ID Adv Rtr Seq Hex Age Cksum Len 0 Net...

Page 1308: ... packets as described in RFC 1586 N The device handles type 7 LSAs as described in RFC 1584 R The originator is an active router DC The device handles demand circuits Type The type of interface Possible types can be the following Point to point A point to point connection to another router Transit A connection to a transit network Virtual link A connection to a virtual link Metric The cost of usin...

Page 1309: ...nal LSAs as described in RFC 2740 MC The device forwards multicast packets as described in RFC 1586 N The device handles type 7 LSAs as described in RFC 1584 R The originator is an active router DC The device handles demand circuits Metric The cost of the route Destination Router ID The ID of the router described in the LSA AS external LSA Type 5 Extn fields Bits The bit can be set to one of the f...

Page 1310: ...culations LA The prefix is an IPv6 interface address of the advertising router MC The prefix is included in IPv6 multicast routing calculations P NSSA area prefixes are readvertised at the NSSA area border Prefix The IPv6 prefix included in the LSA Intra area prefix LSAs Type 9 Iap fields Number of Prefix The number of prefixes included in the LSA Referenced LS Type Referenced LS ID Identifies the...

Page 1311: ...ssive The interface is up but it does not take part in forming an adjacency Waiting The interface is trying to determine the identity of the BDR for the network None The interface does not take part in the OSPF interface state machine Down The interface is unusable No protocol traffic can be sent or received on such a interface DR other The interface is a broadcast or NBMA network on which another...

Page 1312: ...as a loopback interface P2P The interface is functioning as a point to point interface Passive The interface is up but it does not take part in forming an adjacency Waiting The interface is trying to determine the identity of the BDR for the network None The interface does not take part in the OSPF interface state machine Down The interface is unusable No protocol traffic can be sent or received o...

Page 1313: ...he interface Also the total number of bytes associated with transmitted and received link state requests LSUpdate The number of link state updates transmitted and received by the interface Also the total number of bytes associated with transmitted and received link state requests LSAck The number of link state acknowledgements transmitted and received by the interface Also the total number of byte...

Page 1314: ... by OSPFv3 This information is for use by Brocade s technical support in case of a problem Size The size of a memory type Allocated The amount of memory currently allocated to a memory type Max alloc The maximum amount of memory that was allocated to a memory type Alloc Fails The number of times an attempt to allocate memory to a memory type failed TABLE 217 Summary of OSPFv3 neighbor information ...

Page 1315: ...is a broadcast or NBMA network on which another router is selected to be the DR TABLE 218 Detailed OSPFv3 neighbor information Field Description Router ID For information about this field refer to Table 217 on page 1238 Pri For information about this field refer to Table 217 on page 1238 State For information about this field refer to Table 217 on page 1238 DR For information about this field refe...

Page 1316: ...bor Number of LSAs in Summary List The number of LSAs in the neighbor s summary list Number of LSAs in Request List The number of LSAs in the neighbor s request list Number of LSAs in Retransmit List The number of LSAs in the neighbor s retransmit list Seqnum Mismatch The number of times sequence number mismatches occurred BadLSReq The number of times the neighbor received a bad link state request...

Page 1317: ...ation This Field Displays ID An ID for the redistributed route Prefix The IPv6 routes redistributed into OSPFv3 Protocol The protocol from which the route is redistributed into OSPFv3 Redistributed protocols can be the following BGP BGP4 RIP RIPng ISIS IPv6 IS IS Static IPv6 static route table Connected A directly connected network Metric Type The metric type used for routes redistributed into OSP...

Page 1318: ...rea Intra The number of routes that are within the local area External1 The number of type 1 external routes External2 The number of type 2 external routes Equal cost multi path Displays with the entire OSPFv3 route table only The number of equal cost routes to the same destination in the OSPFv3 route table If load sharing is enabled the router equally distributes traffic among the routes Destinat...

Page 1319: ...740 MC The device forwards multicast packets as described in RFC 1586 N The device handles type 7 LSAs as described in RFC 1584 R The originator is an active router DC The device handles demand circuits Area The area whose link state information has led to the routing table entry s collection of paths Cost The type 1 cost of this route Type2 Cost The type 2 cost of this route Next Hop Router The I...

Page 1320: ...v4 address If the node is a child node it is additionally identified by an interface on which the node can be reached appended to the router ID in the format router id interface id Cost The cost of traversing the SPF node to reach the destination Hops The number of hops needed to reach the parent SPF node Next Hops to Node The IPv6 address of the next hop router or the router interface through whi...

Page 1321: ...ode s router ID IPv4 address If the node is a child node it is additionally identified by an interface on which the node can be reached appended to the router ID in the format router id interface id Bits A bit that indicates the capability of the Brocade device The bit can be set to one of the following B The device is an area border router E The device is an AS boundary router V The device is a v...

Page 1322: ...Area ID The ID of the shared area of two ABRs that serves as a connection point between the two routers Router ID IPv4 address of the router at the other end of the virtual link virtual neighbor Interface Address The local address used to communicate with the virtual neighbor State The state of the virtual link Possible states include the following P2P The link is functioning as a point to point i...

Page 1323: ...48 State The state between the Brocade device and the virtual neighbor The state can be one of the following Down Attempt Init 2 Way ExStart Exchange Loading Full Interface The IPv6 address of the virtual neighbor TABLE 224 OSPFv3 virtual neighbor information Continued This field Displays ...

Page 1324: ...1248 BigIron RX Series Configuration Guide 53 1002253 01 Displaying OSPFv3 information 48 ...

Page 1325: ... is connected to a host that wants to receive information for a multicast group must explicitly send a join request on behalf of the receiver host FIGURE 144 Example IPv6 PIM Sparse domain PIM sparse router types Routers that are configured with PIM Sparse interfaces also can be configured to fill one or more of the following roles IPv6 PIM Sparse router B Port2 1 Port2 2 Rendezvous Point RP path ...

Page 1326: ...r NOTE Brocade recommends that you configure the same ports as candidate BSRs and RPs RP paths and SPT paths Figure 144 shows two paths for packets from the source for group fec0 1111 1 and a receiver for the group The source is attached to PIM Sparse router A and the recipient is attached to PIM Sparse router C PIM Sparse router B in is the RP for this multicast group As a result the default path...

Page 1327: ...fy the Layer 3 switch as a candidate sparse rendezvous point RP if applicable Specify the IPv6 address of the RP to configure statically The following example enables IPv6 PIM SM routing Enter the following command at the configuration level to enable IPv6 PIM SM globally BigIron RX config ipv6 router pim BigIron RX config ipv6 pim router Syntax no ipv6 router pim To enable IPv6 PIM Sparse mode on...

Page 1328: ...ice will advertise the specified interface s IP address as a candidate BSR Enter ethernet slot portnum for a physical interface port Enter ve num for a virtual interface Enter loopback num for a loopback interface The hash mask length parameter specifies the number of bits in a group address that are significant when calculating the group to RP mapping You can specify a value from 1 32 The priorit...

Page 1329: ...r mask bits The usage of the group ipv6 addr mask bits parameter is the same as for the rp candidate add command Statically specifying the RP Brocade recommends that you use the IPv6 PIM Sparse protocol s RP election process so that a backup RP can automatically take over if the active RP router becomes unavailable However if you do not want the RP to be selected by the RP election process but ins...

Page 1330: ... longest prefix match will be selected If more than one static RP covers the exact same group range the highest IP static RP will be used Configuration considerations The Static RP has higher precedence over RP learnt from the BSR There is a limit of 32 static RPs in the systems Configuring an ACL based RP assignment To configure an ACL based RP assignment enter commands such as the following BigI...

Page 1331: ...Pv6 PIM sparse static multicast forwarding table with new RP configuration enter the following command at the privileged EXEC level of the CLI BigIron RX config clear ipv6 pim rp map Syntax clear ipv6 pim rp map Embedded Rendezvous Point RP Global deployment of IPv4 Multicast within multiple PIM Sparse domain relies on MSDP to convey information about the active sources Since IPv6 provides more ad...

Page 1332: ...r spt threshold 1000 Syntax no spt threshold infinity num The infinity num parameter specifies the number of packets If you specify infinity the device sends packets using the RP indefinitely and does not switch over to the SPT If you enter a specific number of packets the device does not switch over to using the SPT until it has sent the number of packets you specify using the RP Setting the RP a...

Page 1333: ...ello timer seconds The seconds parameter specifies the number of seconds Valid range is 10 3600 The default is 60 seconds Enabling source specific multicast Using the Any Source Multicast ASM service model sources and receivers register with a multicast address The protocol uses regular messages to maintain a correctly configured broadcast network where all sources can send data to all receivers a...

Page 1334: ...en connected to another PIM router transit network When a multicast stream has no output interfaces the Layer 3 Switch can drop packets in hardware if the multicast traffic meets either of the following conditions In PIM SM The route has no OIF and If directly connected source passed source RPF check and completed data registration with RP or If non directly connected source passed source RPF chec...

Page 1335: ...nformation To display IPv6 PIM Sparse configuration information enter the following command at any CLI level Syntax show ipv6 pim sparse This display shows the following information BigIron RX show ipv6 pim sparse Global PIM Sparse Mode Settings Hello interval 30 Neighbor timeout 105 Bootstrap Msg interval 60 Candidate RP Advertisement interval 60 Join Prune interval 60 SPT Threshold 1 SSM Enabled...

Page 1336: ...tisement messages to the BSR NOTE This field contains a value only if an interface on the device is configured as a candidate RP Otherwise the field is blank Join Prune interval How frequently the device sends IPv6 PIM Sparse Join Prune messages for the multicast groups it is forwarding This field show the number of seconds between Join Prune messages The device sends Join Prune messages on behalf...

Page 1337: ...ce is forwarding NOTE This list can include groups that are not IPv6 PIM Sparse groups If interfaces on the device are configured for regular Ipv6 PIM dense mode or DVMRP these groups are listed too Group The multicast group address Ports The device ports connected to the receivers of the groups BigIron RX show ipv6 pim Interface v30 PIM Version V2 MODE PIM SM TTL Threshold 1 Enabled DR fe80 20c d...

Page 1338: ...date BSRs are compared and the interface with the highest BSR priority becomes the BSR Hash mask length The number of significant bits in the IPv6 multicast group comparison mask This mask determines the IPv6 multicast group numbers for which the device can be a BSR The default is 32 bits which allows the device to be a BSR for any valid IPv6 multicast group number NOTE This field appears only if ...

Page 1339: ...ndicates how many seconds will pass before the BSR sends its next RP message NOTE This field appears only if this device is a candidate RP RP Indicates the IPv6 address of the Rendezvous Point RP NOTE This field appears only if this device is a candidate RP group prefixes Indicates the multicast groups for which the RP listed by the previous field is a candidate RP NOTE This field appears only if ...

Page 1340: ... source Indicates the IPv6 address on which the RP information was received Following the IPv6 address is the method through which this device learned the identity of the RP This field Displays Number of group prefixes The number of IPv6 PIM Sparse group prefixes for which the RP is responsible Group prefix Indicates the multicast groups for which the RP listed by the previous field is a candidate...

Page 1341: ...e of the IPv6 PIM neighbor interface Phy_Port Holdtime sec Indicates how many seconds the neighbor wants this device to hold the entry for this neighbor in memory The neighbor sends the Hold Time in its Hello packets If the device receives a new Hello packet before the Hold Time received in the previous packet expires the device updates its table entry for the neighbor If the device does not recei...

Page 1342: ... ff7e 140 2001 3e8 16 0 1 2 RP2001 3e8 16 1 in NIL cnt 0 Sparse Mode RPT 1 SPT 0 Reg 0 No upstream neighbor because RP 2001 3e8 16 1 is itself num_oifs 1 v312 L3 SW 1 e3 15 VL312 Flags fast 1 slow 0 leaf 0 prun 0 frag 0 tag 0 needRte 0 age 0 fid 0405 mvid 1 2 2001 3e8 0 170 101 ff7e 140 2001 3e8 16 0 1 2 in v23 e3 23 cnt 2 Sparse Mode RPT 0 SPT 1 Reg 0 upstream neighbor fe80 45 0 160 4 num_oifs 0 ...

Page 1343: ...t the specified address sources The information is then provided to the source specific multicast SSM routing protocols such as PIM SSM allo fail Number of allocated notes that failed up limit Maximum number of nodes that can be allocated for a data structure This may or may not be configurable depending on the data structure This field Displays Port The port or virtual interface on which the IPv6...

Page 1344: ...of a specific multicast address have any listeners In response to these queries multicast listeners send the following reports Current state This report specifies the source list for a multicast address and whether the filter mode for that source list is INCLUDE or EXCLUDE Filter mode change This report specifies if there has been a change to the filter mode for the source list and provides a new ...

Page 1345: ... RX config if e10000 1 1 ipv6 mld port version 2 Syntax ipv6 mld port version version number Enter 1 or 2 for version number Be sure to enter 2 if you want to use source filtering Enabling source specific multicast Once MDLv2 is enabled source specific multicast for PIM can be enabled for multicast group addresses in the ff30 0 16 IPv6 address range If MLDv2 is enabled but SSM is not the IPv6 rout...

Page 1346: ...ay inserted into Multicast Address Specific Queries sent in response to Done messages and is also the amount of time between Multicast Address Specific Query messages When the device receives an MLDv1 leave message or an MLDv2 state change report it sends out a query and expects a response within the time specified by this value Using a lower value allows members to leave groups more quickly You c...

Page 1347: ... a command such as the following BigIron RX config if e1000 5 23 ipv6 mld static ff01 6f Syntax ipv6 mld static group multicast group address ethernet port number ethernet port number to port number Enter the IPv6 multicast group address for the multicast group address Enter number of the port that will be included in this static group for the ethernet port number parameter The asterisk in the syn...

Page 1348: ...v6 mld group Interface e6 18 has 11 groups group phy port static querier life mode 1 ff33 6 b 1 e6 18 no yes 0 incl 2 ff33 6 a 1 e6 18 no yes 0 incl 3 ff33 6 9 1 e6 18 no yes 0 incl 4 ff33 6 8 1 e6 18 no yes 0 incl 5 ff33 6 7 1 e6 18 no yes 0 incl 6 ff33 6 6 1 e6 18 no yes 0 incl 7 ff33 6 5 1 e6 18 no yes 0 incl 8 ff33 6 4 1 e6 18 no yes 0 incl 9 ff33 6 3 1 e6 18 no yes 0 incl 10 ff33 6 2 1 e6 18 ...

Page 1349: ...icast interface If the interface has groups the group source list IPv6 multicast address and the filter mode are displayed This field Displays QryV1 Number of general MLDv1 queries received or sent by the virtual routing interface QryV2 Number of general MLDv2 queries received or sent by the virtual routing interface G Qry Number of group specific queries received or sent by the virtual routing in...

Page 1350: ...irectly connected source checks for the presence of an embedded RP address in the group address If found it uses this RP address as the unicast destination address of the PIM Register packets that it initiates Other PIM routers that are also receiving PIM PDUs look into the group address for the presence of an embedded RP address in the group address If found it uses this RP address for all its pr...

Page 1351: ...3 01 Multicast Listener Discovery and source specific multicast protocols MLDv2 49 Enabling the embedded RP The following command may be used to enable the embedded RP feature BigIron RX config ipv6 pim router rp embedded Syntax no rp embedded Default On ...

Page 1352: ...1276 BigIron RX Series Configuration Guide 53 1002253 01 Multicast Listener Discovery and source specific multicast protocols MLDv2 49 ...

Page 1353: ...on on performing these configuration tasks refer to Configuring a static IPv6 route on page 1277 To configure a static IPv6 route for a destination network with the prefix 8eff 0 32 a next hop gateway with the global address 4fee 2343 0 ee44 1 and an administrative distance of 110 enter the following command BigIron RX config ipv6 route 8eff 0 32 4fee 2343 0 ee44 1 distance 110 Syntax ipv6 route d...

Page 1354: ...documented in RFC 2373 You must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter Mandatory for all static IPv6 routes The route s next hop gateway which can be one of the following The IPv6 address of a next hop gateway A tunnel interface You can specify the next hop gateway as one of the following typ...

Page 1355: ...ult next hop recursion metric distance number tag number Syntax ipv6 mroute ipv6 addr interface ethernet slot portnum ve num tunnel num distance num tag number The ipv6 addr command specifies the next hop IP address NOTE In IPv6 multicasting a route is handled in terms of its source rather than its destination You can use the ethernet slot portnum parameter to specify a physical port or the ve num...

Page 1356: ...ifies the PIM source for the route The ethernet slot port parameter specifies a physical port The ve num parameter specifies a virtual interface The null0 parameter is the same as dropping the traffic The distance num parameter sets the administrative distance for the route The cost parameter specifies the cost metric of the route Possible values are 1 6 Default value 1 Regardless of the administr...

Page 1357: ...ort the failure by generating the syslog messages In some cases the failed device will be shutdown or isolated from the system In other cases the software may attempt to recover the failed device The Sysmon is a collection of event types that are monitored periodically Sysmon detects errors based on polling and interrupt Polling is reading specific hardware registers Interrupt is an instantaneous ...

Page 1358: ...System ALARM LP15 TM3 has 6 links less than the minimum to maintain line rate FE_LINK FE link is the link between the line card and the switch fabric module The event type FE_LINK monitors this link for the errors reported on the link by the FE Such as CRC misalignment code group error down links and others Here is an example from Syslog Dec 29 15 31 24 W System ALARM LP15 TM3 has 6 links less tha...

Page 1359: ...too many multicast packets received NOTE The event type FE_FIFO doesnot generate any syslog messages TCAM_SCAN The event type TCAM_SCAN check each entry of the TCAM memory on the line card to determine if an error has occurred To detect an error TCAM_SCAN event validates all entries in the TCAM memory during Line card boot up and it periodically checks for bad TCAM entry on the operational Line ca...

Page 1360: ...as implemented ECC associated with this external memory Sysmon periodically scans these registers to detect an error condition Here is an example from Syslog Feb 3 20 13 00 E System ALARM LPM Error LP3 NP1 set 3 cause ECC address 0x55d0 FE_RW This event type tests write and read access to the switch fabrics A Syslog message is generated to indicate a SFM FE failure Here is an example from Syslog S...

Page 1361: ...ation command to view the current configuration for system monitoring services Look for lines similar to the following BigIron RX show sysmon config Event TM Link Enabled Threshold 5 10 Log Backoff Number 1800 Action SHUTDOWN_LINK Event TM Clock Sync Enabled Threshold 1 10 Log Backoff Number 1800 Action SYSLOG Event TM Reg Enabled Threshold 1 10 FAP Shutdown Allowed Reg 0440 monitor mask 00fefbff ...

Page 1362: ...5 10 Log Backoff Number 1800 Action Event TM Tx Buffer Enabled Threshold 1 10 Log Backoff Number 1800 Action REINIT_FAP Event TM DRAM CRC Enabled DRAM CRC Count Threshold 2 Log Backoff Number 1800 Action SHUTDOWN Event LPM Error Enabled Threshold 1 10 Log Backoff Number 1800 Action SYSLOG Event FE Link Enabled Threshold 5 10 Log Backoff Number 1800 Action SHUTDOWN_LINK Event FE FIFO Overflow Enabl...

Page 1363: ...BigIron RX Series Configuration Guide 1287 53 1002253 01 Continuous System Monitor 51 ...

Page 1364: ...1288 BigIron RX Series Configuration Guide 53 1002253 01 Continuous System Monitor 51 ...

Page 1365: ... a system reload The device s local Syslog buffer is cleared during a system reload or reboot but the Syslog messages sent to the Syslog server remain on the server The Syslog service on a Syslog server receives logging messages from applications on the local host or from devices such as a device Syslog adds a time stamp to each received message and directs messages to a log file Most Unix worksta...

Page 1366: ...eal time display of Syslog messages on the serial console You can enter this command from the serial console Once real time display of Syslog messages is enabled you can enter the show logging command at the monitor prompt on an ACTIVE or STANDBY Management Processor To also enable the real time display for a Telnet or SSH session enter the following command from the Privileged EXEC level of the s...

Page 1367: ...local Syslog buffer Logging is enabled by default with the following settings Messages of all severity levels Emergencies Debugging are logged By default up to 3800 messages are retained in the local Syslog buffer This cannot be changed No Syslog server is specified Displaying the Syslog configuration To display the Syslog parameters currently in effect on a device enter the following command from...

Page 1368: ... buffer messages dropped The number of Syslog messages dropped due to user configured filters By default the software logs messages for all Syslog levels You can disable individual Syslog levels in which case the software filters out messages at those levels Refer to Disabling logging of a message level on page 1296 Each time the software filters out a Syslog message this counter is incremented fl...

Page 1369: ...BigIron RX clear logging dynamic buffer Syntax clear logging dynamic buffer static buffer You can specify dynamic buffer to clear the dynamic buffer or static buffer to clear the static buffer If you do not specify a buffer both buffers are cleared Time stamps The contents of the time stamp differ depending on whether you have set the time and date on the onboard system clock If you have set the t...

Page 1370: ...onds Example of Syslog messages on a device whose onboard clock is not set The example shows the format of messages on a device whose onboard system clock is not set Each time stamp shows the amount of time the device had been running when the message was generated For example the most recent message at the top of the list of messages was generated when the device had been running for 21 days seve...

Page 1371: ...the old command syntax from the startup configuration and converts it to the new command syntax in the running configuration Syntax logging host ip addr server name Specifying an additional Syslog server To specify an additional Syslog server enter the logging host ip addr command again as in the following example You can specify up to six Syslog servers Enter a command such as the following BigIr...

Page 1372: ...l debugging emergencies errors informational notifications warnings The commands in the example above change the log level to notification messages or higher The software will not log informational or debugging messages The changed message level also applies to the Syslog servers Logging all CLI commands to Syslog This feature allows you to log all valid CLI command from each user session into the...

Page 1373: ...The number of entries that the Syslog buffer can hold cannot be changed The buffer can hold up to 3800 lines Changing the log facility The Syslog daemon on the Syslog server uses a facility to determine where to log the messages from the device The default facility for messages the device sends to the Syslog server is user You can change the facility using the following command NOTE You can specif...

Page 1374: ...you see lab2 displayed as in the example below BigIron RX show logging Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Buffer logging level ACDMEINW 3 messages logged level code A alert C critical D debugging M emergency E error I informational N notification W warning Static Log Buffer Dec 15 19 04 14 A Fan 1 fan on right connector failed Dynamic Log Buffer 50 entries Dec 15 18 46 ...

Page 1375: ...ate changed from module state to module state Indicates a state change in a management module The slot num indicates the device slot containing the module The module state can be one of the following active standby crashed coming up unknown Alert Temperature degrees C degrees warning level warn degrees C degrees shutdown level shutdown degrees C degrees Indicates an overtemperature condition on th...

Page 1376: ... specified mac address on the specified portnum however dynamic VLAN assignment was enabled for the port but the RADIUS Access Accept message did not include VLAN information This is treated as an authentication failure Alert MAC Authentication failed for mac address on portnum RADIUS given VLAN does not match with TAGGED vlan Multi device port authentication failed for the mac address on a tagged...

Page 1377: ...e MAC address did not match an address learned by the port before the lock took effect The e portnum is the port number The mac address is the MAC address that was denied by the address lock Assuming that you configured the port to learn only the addresses that have valid access to the port this message indicates a security violation Warning NTP server ip addr failed to respond Indicates that a Si...

Page 1378: ...ates that a RIP route filter denied dropped packets The list num is the ID of the filter list The direction indicates whether the filter was applied to incoming packets or outgoing packets The value can be one of the following in out The V1 or V2 value specifies the RIP version RIPv1 or RIPv2 The ip addr indicates the network number in the denied updates The num indicates how many packets matching...

Page 1379: ...using flow based ACL instead The port does not have enough Layer 4 CAM entries for the ACL To correct this condition allocate more Layer 4 CAM entries To allocate more Layer 4 CAM entries enter the following command at the CLI configuration level for the interface ip access group max l4 cam num Notification ACL insufficient L4 cam resource using flow based ACL instead The port does not have a larg...

Page 1380: ...designated router other designated router unknown Notification OSPF virtual intf state changed rid router id area area id nbr ip addr state ospf state Indicates that the state of an OSPF virtual routing interface has changed The router id is the router ID of the router the interface is on The area id is the area the interface is in The ip addr is the IP address of the OSPF neighbor The ospf state ...

Page 1381: ... the following down attempt initializing 2 way exchange start exchange loading full unknown Notification OSPF virtual nbr state changed rid router id nbr addr ip addr nbr rid nbr router id state ospf state Indicates that the state of an OSPF virtual neighbor has changed The router id is the router ID of the device The ip addr is the IP address of the neighbor The nbr router id is the router ID of ...

Page 1382: ...device The src ip addr is the IP address of the interface from which the device received the error packet The error type can be one of the following bad version area mismatch unknown NBMA neighbor unknown virtual neighbor authentication type mismatch authentication failure network mask mismatch hello interval mismatch dead interval mismatch option mismatch unknown The packet type can be one of the...

Page 1383: ...face on the device The src ip addr is the IP address of the interface from which the device received the error packet The error type can be one of the following bad version area mismatch unknown NBMA neighbor unknown virtual neighbor authentication type mismatch authentication failure network mask mismatch hello interval mismatch dead interval mismatch option mismatch unknown The packet type can b...

Page 1384: ...ice The src ip addr is the IP address of the interface from which the device received the authentication failure The error type can be one of the following bad version area mismatch unknown NBMA neighbor unknown virtual neighbor authentication type mismatch authentication failure network mask mismatch hello interval mismatch dead interval mismatch option mismatch unknown The packet type can be one...

Page 1385: ...type mismatch authentication failure network mask mismatch hello interval mismatch dead interval mismatch option mismatch unknown The packet type can be one of the following hello database description link state request link state update link state ack unknown Notification OSPF intf rcvd bad pkt rid router id intf addr ip addr pkt src addr src ip addr pkt type pkt type Indicates that an OSPF inter...

Page 1386: ... link state update link state ack unknown Notification OSPF intf retransmit rid router id intf addr ip addr nbr rid nbr router id pkt type is pkt type LSA type lsa type LSA id lsa id LSA rid lsa router id An OSPF interface on the device has retransmitted a Link State Advertisement LSA The router id is the router ID of the device The ip addr is the IP address of the interface on the device The nbr ...

Page 1387: ...d LSA router id lsa router id An OSPF interface has originated an LSA The router id is the router ID of the device The area id is the OSPF area The lsa type is the type of LSA The lsa id is the LSA ID The lsa router id is the LSA router ID Notification OSPF max age LSA rid router id area area id LSA type lsa type LSA id lsa id LSA rid lsa router id An LSA has reached its maximum age The router id ...

Page 1388: ... received an OSPF packet with an invalid type The parameters are the same as for the Bad Checksum message The pkt type type value is unknown indicating that the packet type is invalid Notification OSPF intf rcvd bad pkt Unable to find associated neighbor rid ip addr intf addr ip addr pkt size num checksum num pkt src addr ip addr pkt type type The neighbor IP address in the packet is not on the de...

Page 1389: ...ckets will be dropped for the number of seconds specified by the lockup value When the lockup period expires the packet counter is reset and measurement is restarted Notification Local TCP exceeds burst max burst packets stopping for lockup seconds The number of TCP SYN packets exceeds the burst max threshold set by the ip tcp burst command The device may be the victim of a TCP SYN DoS attack All ...

Page 1390: ...m id on circuit circuit id The device s adjacency with this Level 1 IS has gone down The system id is the system ID of the IS The circuit id is the ID of the circuit over which the adjacency was established Notification ISIS L1 ADJACENCY UP system id on circuit circuit id The device s adjacency with this Level 1 IS has come up The system id is the system ID of the IS The circuit id is the ID of th...

Page 1391: ...ded Informational user name login to USER EXEC mode A user has logged into the USER EXEC mode of the CLI The user name is the user name Informational user name logout from USER EXEC mode A user has logged out of the USER EXEC mode of the CLI The user name is the user name Informational user name login to PRIVILEGED mode A user has logged into the Privileged EXEC mode of the CLI The user name is th...

Page 1392: ... a port The vlan id is the ID of the VLAN in which the STP topology change occurred The portnum is the port number The stp state is the new STP state and can be one of the following disabled blocking listening learning forwarding unknown Informational startup configuration was changed or startup configuration was changed by user name A configuration change was saved to the startup configuration fi...

Page 1393: ...system resource is not enough or the invalid information to set the dynamic assigned IP ACLs or MAC address filters 802 1x authentication could not take place on the port This happened because strict security mode was enabled and one of the following occurred Insufficient system resources were available on the device to apply an IP ACL or MAC address filter to the port Invalid information was rece...

Page 1394: ...onsole telnet ssh web snmp OR Line password deleted added modified from console telnet ssh web snmp A user created re configured or deleted an Enable or Line password through the Web SNMP console SSH or Telnet session Informational Port portnum srcip security max ipaddr per int reached Last IP ipaddr The address limit specified by the srcip security max ipaddr per interface command has been reache...

Page 1395: ...ol 802 3ad Link Aggregation 802 1Q Virtual Bridged LANs 802 1D MAC Bridges 802 1w Rapid STP 802 1s Multiple Spanning Trees 802 1X User authentication 802 3 Ethernet Like MIB Repeater MIB Ethernet Interface MIB SNMP v1 v2c and V3 SNMP MIB II RFC compliance RFC compliance BGPv4 4271 BGPv4 1745 OSPF Interactions 1997 Communities Attributes 2439 Route Flap Dampening 2796 Route Reflection 3065 BGP4 Con...

Page 1396: ... NSSA 1745 OSPF Interactions 1765 OSPF Database Overflow 1850 OSPF Traps 2328 OSPF v2 1850 OSPF v2 MIB 2370 OSPF Opaque LSA Option 3623 Graceful OSPF Restart RFC compliance IS IS 1195 Routing in TCP IP and Dual Environments 2763 Dynamic Host Name Exchange 2966 Domain wide Prefix Distribution 3567 IS IS Cryptographic Authentication MD 5 RFC compliance RIP 1058 RIP v1 1723 RIP v2 1812 RIP Requiremen...

Page 1397: ...027 Proxy ARP 950 Subnets 951 BootP 1122 Host Extensions for IP Multicasting 1256 IRDP 1519 CIDR 1542 BootP Extensions 1812 Requirements for IPv4 Routers 1541 and 1542 DHCP 2131 BootP DHCP Helper 2768 VRRP 1591 DNS client 2578 Structure of Management Information Version 2 SMIv2 2579 Textual Conventions for SMIv2 1354 IP Forwarding Table MIB 2784 Generic Routing Encapsulation GRE 1305 Network Time ...

Page 1398: ...MIB for the SNMP 3584 Coexistence between Version 1 Version 2 and Version 3 of the Internet standard Network Management Framework 4251 The Secure Shell SSH Protocol Architecture 4252 The Secure Shell SSH Authentication Protocol 4253 The Secure Shell SSH Transport Protocol 4254 The Secure Shell SSH Connection Protocol RFC compliance IPv6 core 2373 IPv6 Addressing Architecture 1886 DNS Extensions to...

Page 1399: ...ocol Specification 2362 PIM SM 2710 Multicast Listener Discovery MLD for IPv6 3306 Unicast Prefix based IPv6 Multicast Addresses RFC compliance IPv6 transitioning 2893 Transition Mechanisms for IPv6 Hosts and Routers 3056 Connection of IPv6 Domains through IPv4 Clouds RFC compliance IPv6 management 2452 IPv6 MIB for TCP 2454 IPv6 MIB for UDP 2465 IPv6 MIB for Textual Conventions and General Group ...

Page 1400: ...1324 BigIron RX Series Configuration Guide 53 1002253 01 Internet drafts B Draft ietf idr route filter Draft holbrook idmr igmpv3 ssm IGMPv3 MLDv2 for SSM Draft ietf ssm arch SSM for IP ...

Page 1401: ...uipment All Brocade devices that are to remain in compliancy with the NIAP CCEVS certification must disable all remote access through the integrated Web management graphical user interface GUI In accordance with NIAP CCEVS this functionality is considered a security risk and must be disabled Please refer to the Brocade Configuration Guides associated with each product in the table NIAP CCEVS certi...

Page 1402: ...ig and if you attempt to change a user s password by executing the following syntax BigIron RX config user brcdreadonly password value The privilege level of this particular user will be changed from its current value to super user The super user level username and password combination provides full access to the Brocade command line interface CLI To prevent this from occurring use the following s...

Page 1403: ...he software without saving the change to the startup config file the device does not make the change To reload the software you must perform a cold start To perform a cold start do one of the following Enter the reload command at the Privileged EXEC level of the CLI Cycle the power by powering down the device then powering it on again NOTE The boot system command does not perform a cold start It p...

Page 1404: ...1328 BigIron RX Series Configuration Guide 53 1002253 01 Commands That Require a Reload D ...

Page 1405: ... marking number 802 1p priority marking number internal priority marking number dscp marking number dscp cos mapping dscp cos mapping fragment non fragment first fragment fragment offset number spi 00000000 ffffffff log Configuring extended numbered ACLs on page 531 Enabling ACL filtering of fragmented or non fragmented packets on page 568 access list num deny permit host ip protocol any any log a...

Page 1406: ...e 539 Enabling ACL filtering of fragmented or non fragmented packets on page 568 ip access list extended string I num deny permit host ip protocol any any log ip access list extended acl name deny permit host icmp any any log icmp type type number code number ICMP filtering for extended ACLs on page 569 ip access list standard string deny permit source ip hostname wildcard log Configuring standard...

Page 1407: ...laying statistics for an interface on page 566 system max ip filter sys num Enabling support for additional ACL statements on page 525 Commands See Commands See access list num permit deny src mac mask any dest mac mask any vlan id any etype etype str log enable Creating a Layer 2 ACL table on page 518 mac access group num in Binding a Layer 2 ACL table to an interface on page 520 show access list...

Page 1408: ...gp neighbor all ip addr peer group name as num last packet with error notification errors Clearing diagnostic buffers on page 824 clear ip bgp routes ip addr prefix length Clearing and resetting BGP4 routes in the IP route table on page 822 clear ip bgp traffic Clearing traffic counters on page 822 client to client reflection Disabling or re enabling client to client route reflection on page 761 c...

Page 1409: ...gp neighbor all ip addr peer group name as num last packet with error notification errors Clearing diagnostic buffers on page 824 clear ip bgp routes ip addr prefix length Clearing and resetting BGP4 routes in the IP route table on page 822 clear ip bgp traffic Clearing traffic counters on page 822 client to client reflection Disabling or re enabling client to client route reflection on page 761 c...

Page 1410: ...addr Changing the router ID on page 790 local as num Configuring a BGP confederation on page 763 Setting the local AS number on page 769 match as path name address filters as path filters community filters num num community acl exact match ip address acl prefix list string ip route source acl prefix name metric num next hop address filter list level 1 level 2 level 1 2 route type internal external...

Page 1411: ... unicast multicast unicast password 0 1 string prefix list string in out remote as as number remove private as route map in out map name route reflector client send community soft reconfiguration inbound shutdown timers keep alive num hold time num unsuppress map map name update source ip addr ethernet portnum loopback num ve num weight num Configuring BGP4 neighbors on page 771 Configuring a peer...

Page 1412: ...g comm list acl delete community num num num internet local as no advertise no export dampening half life reuse suppress max suppress time ip next hop ip addr ip next hop peer address local preference num metric num none metric type type 1 type 2 external metric type internal next hop ip addr origin igp incomplete tag tag value weight num Setting parameters in the routes on page 806 set comm list ...

Page 1413: ...etail flap statistics last packet with error received prefix filter received routes routes best detail best not installed best unreachable rib out routes ip addr mask bits ip addr net mask detail routes summary Displaying BGP4 neighbor information on page 829 show ip bgp peer group peer group name Displaying peer group information on page 840 show ip bgp routes network ip addr num age secs as path...

Page 1414: ...ging the FDP hold time on page 1024 fdp run Enabling FDP globally on page 1023 fdp timer secs Changing the FDP update timer on page 1024 show fdp entry device id Displaying FDP entries on page 1026 Displaying CDP entries on page 1029 show fdp interface ethernet slot portnum Displaying FDP information for an interface on page 1026 show fdp neighbor ethernet slot portnum detail Displaying neighbor i...

Page 1415: ...nabling forwarding of directed broadcasts on page 194 ip dns domain name name Defining a DNS entry on page 174 ip dns server address ip addr ip addr ip addr ip addr Defining a DNS entry on page 174 ip dr aggregate Dropping traffic sent to the null0 interface in hardware on page 203 ip encapsulation snap ethernet 2 Changing the encapsulation type on page 179 ip forward protocol udp udp port name ud...

Page 1416: ... ip tacacs source interface ethernet slot port loopback num ve num Specifying a single source interface for Telnet TACACS TACACS or RADIUS packets on page 183 ip telnet source interface ethernet slot port loopback num ve num Specifying a single source interface for Telnet TACACS TACACS or RADIUS packets on page 183 ip ttl 1 255 Changing the TTL threshold on page 194 rate limit arp num Rate limitin...

Page 1417: ...initiate a trace route on page 178 Commands See Commands See metro ring ring id Configuring MRP with shared interfaces on page 417 name string Configuring MRP with shared interfaces on page 417 master Adding an MRP ring to a VLAN on page 411 ring interface ethernet primary if ethernet secondary if Adding an MRP ring to a VLAN on page 411 enable Configuring MRP with shared interfaces on page 417 he...

Page 1418: ...setting BGP4 routes in the IPv6 route table on page 1142 clear ipv6 bgp neighbor all ipv6 address peer group name as number traffic Clearing BGP4 neighbor diagnostic buffers on page 1140 clear ipv6 bgp neighbor all ipv6 address peer group name as number last packet with error notification errors Clearing BGP4 neighbor diagnostic buffers on page 1140 clear ipv6 bgp traffic Clearing BGP4 neighbor tr...

Page 1419: ...l ipv6 prefix prefix length longer prefixes as path access list name prefix list name Displaying filtered out BGP4 routes on page 1154 show ipv6 bgp flap statistics ipv6 prefix prefix length longer prefixes as path filter number neighbor ipv6 address regular expression regular expression Displaying route flap dampening statistics on page 1158 show ipv6 bgp neighbor ipv6 address Displaying BGP4 nei...

Page 1420: ...e table on page 1143 show ipv6 bgp routes detail ipv6 prefix prefix length table entry number age seconds as path access list name as path filter number best cidr only community number no export no advertise internet local as community access list name community filter number local neighbor ipv6 address nexthop ipv6 address no best prefix list name regular expression regular expression route map n...

Page 1421: ...p ipv6 source prefix prefix length any host source ipv6_address tcp udp operator source port number ipv6 destination prefix prefix length any host ipv6 destination address tcp udp operator destination port number ipv6 operator value For UDP on page 1202 remark comment text Adding a comment to an IPv6 ACL entry on page 1207 remark entry sequence sequence number comment text Adding a comment to an I...

Page 1422: ... name Defining a DNS entry on page 1091 ipv6 dns server address ipv6 addr ipv6 addr ipv6 addr ipv6 addr Defining a DNS entry on page 1091 ipv6 hop limit number Limiting the number of hops an IPv6 packet can traverse on page 1103 ipv6 icmp error interval interval number of tokens Configuring ICMP rate limiting on page 1095 ipv6 load sharing num Changing the maximum number of load sharing paths for ...

Page 1423: ...eighbor information on page 1109 show ipv6 route ipv6 address ipv6 prefix prefix length bgp connect ospf rip isis static summary Displaying the IPv6 route table on page 1111 show ipv6 router Displaying local IPv6 routers on page 1112 show ipv6 tcp connections Displaying IPv6 TCP information on page 1113 show ipv6 tcp status local ip address local port number remote ip address remote port number Di...

Page 1424: ...ce on page 1272 show ipv6 mld traffic Displaying MLD traffic on page 1273 clear ipv6 mld traffic ethernet slot number port number ve ve number Clearing IPv6 MLD traffic on page 1274 Commands See Commands See clear ipv6 rip routes Clearing RIPng routes from IPv6 route table on page 1126 distribute list prefix list name in out interface port Controlling distribution of routes through RIPng on page 1...

Page 1425: ...efault route origination on page 1222 default metric number Modifying default metric for routes redistributed into OSPF version 3 on page 1218 distance external inter area intra area distance Configuring administrative distance based on route type on page 1224 distribute list prefix list name in interface Configuring an OSPFv3 distribution list using an IPv6 prefix list as input on page 1220 distr...

Page 1426: ...SPFv3 SPF information on page 1243 show ipv6 ospf spf table area area id Displaying OSPFv3 SPF information on page 1243 show ipv6 ospf spf tree area area id Displaying OSPFv3 SPF information on page 1243 show ipv6 ospf virtual link Displaying IPv6 OSPF virtual link information on page 1246 show ipv6 ospf virtual neighbor Displaying IPv6 OSPF virtual link information on page 1246 summary address ip...

Page 1427: ...o multiplier num level 1 only level 2 only Changing the hello multiplier on page 889 isis metric num Changing the metric added to advertised routes on page 889 isis passive Disabling or re enabling formation of adjacencies on page 886 isis password string Limiting access to adjacencies with a neighbor on page 887 isis priority num level 1 only level 2 only Setting the priority for designated IS el...

Page 1428: ...e LSP interval and retransmit interval on page 878 route map map name permit deny sequence number Enabling advertisement of a default route on page 880 router isis Global configuration level on page 871 Disabling and enabling IS IS on an interface on page 886 set level level 1 level 1 2 level 2 Enabling advertisement of a default route on page 880 set overload bit on startup secs Setting the overl...

Page 1429: ...See mstp name name Setting the MSTP name on page 1053 mstp revision revision number Setting the MSTP revision number on page 1053 mstp instance instance number vlan vlan id vlan group group id Configuring an MSTP instance on page 1054 mstp instance instance number ethernet slot port priority port priority path cost cost Configuring port priority and port path cost on page 1054 mstp instance instan...

Page 1430: ...ransmit time 5 3600 Modifying graft retransmit time on page 653 graft retransmit timer 10 3600 Modifying graft retransmit timer on page 604 hello timer 10 3600 Modifying hello timer on page 603 inactivity timer 10 3600 Modifying inactivity timer on page 604 ip dvmrp Enabling DVMRP on an interface on page 651 ip dvmrp metric 1 31 ttl threshold 1 64 advertise local on off Modifying the metric on pag...

Page 1431: ...parameters on page 608 rp address ip addr Statically specifying the RP on page 610 rp candidate add I delete group addr mask bits Configuring RPs on page 609 rp candidate ethernet slot portnum loopback num ve num Configuring RPs on page 609 show ip pim dvmrp rpf IP address Displaying information about an upstream neighbor device on page 655 Displaying information about an upstream neighbor device ...

Page 1432: ...nooping on page 1074 ip multicast age interval interval Modifying the age interval on page 1068 ip multicast filter Filtering multicast groups on page 1068 ip multicast query interval interval Modifying the query interval on page 1068 ip pimsm snooping Enabling PIM SM traffic snooping on page 1074 show ip multicast igmp snooping Displaying multicast information on page 1075 show ip multicast pimsm...

Page 1433: ... ospf area ip addr Assigning interfaces to an area on page 691 ip ospf auth change wait time secs Change the timer for OSPF authentication changes on page 694 ip ospf database filter all out Block flooding of outbound LSAs on specific OSPF interfaces on page 695 log all adjacency bad_packet checksum database memory retransmit Specify types of OSPF Syslog messages to log on page 719 metric type typ...

Page 1434: ... CPU utilization and other OSPF tasks on page 721 snmp server trap ospf ospf trap Modifying OSPF traps generated on page 716 summary address ip addr ip mask Configure external route summarization on page 708 timers lsa group pacing secs Changing the LSA pacing interval on page 713 timers spf delay hold time Modify SPF timers on page 711 Commands See Commands See config trunk ind Monitoring an indi...

Page 1435: ...y permit source ip hostname wildcard Configure the ACLs on page 574 access list num deny permit source ip mask bits hostname access list num deny permit any access list num deny permit host source ip hostname ip policy route map map name Enabling PBR on page 576 match ip address ACL num or name Configure the route map on page 575 route map map name permit deny num Configure the route map on page 5...

Page 1436: ...iority based traffic scheduling on page 495 qos scheduler max rate queue0 rate queue1 rate queue2 rate queue3 rate Configuring maximum rate based traffic scheduling on page 496 qos scheduler min rate queue0 rate queue1 rate queue2 rate queue3 rate Configuring minimum rate based traffic scheduling on page 497 qos scheduler source weighted queue0 weight queue1 weight queue2 weight queue3 weight Conf...

Page 1437: ...ng policy on page 510 rate limit input priority num average rate maximum burst Configuring a port and priority based rate limiting policy on page 509 rate limit input average rate maximum burst Configuring a port based rate limiting policy on page 508 rate limit input vlan vlan number average rate maximum burst Configuring a port and VLAN based rate limiting policy on page 509 rate limit strict ac...

Page 1438: ...ing and advertising parameters on page 672 neighbor filter num permit deny source ip address any Configuring a RIP neighbor filter on page 673 poison local routes Changing the route loop prevention method on page 673 poison reverse Changing the route loop prevention method on page 673 prefix list name in out Using prefix lists and route maps as route filters on page 674 redistribute connected bgp ...

Page 1439: ...in edge port admin pt2pt mac force migration check Changing port parameters on page 387 rstp single Enabling or disabling RSTP on a single spanning tree on page 386 rstp Enabling or disabling RSTP in a port based VLAN on page 385 show rstp vlan vlan id Displaying RSTP information on page 392 show rstp detail vlan vlan id Displaying RSTP information on page 392 show xstp ethernet slot port Displayi...

Page 1440: ...st ip addr server name auth port number acct port number authentication only accounting only default key 0 1 string dot1x Setting RADIUS parameters on page 971 re authentication Configuring periodic re authentication on page 978 servertimeout seconds Specifying a timeout for retransmission of messages to the authentication server on page 980 show dot1x Displaying 802 1x configuration information o...

Page 1441: ...s on page 113 Commands See enable password min length number of characters Specifying a minimum password length on page 74 enable port config password text Setting passwords for management privilege levels on page 71 enable read only password text Setting passwords for management privilege levels on page 71 enable super user password text Setting passwords for management privilege levels on page 7...

Page 1442: ...adius none Configuring Exec authorization on page 107 enable aaa console Command authorization and accounting for console commands on page 108 radius server host ip addr server name auth port number acct port number authentication only authorization only accounting only default key string Identifying the RADIUS server to the BigIron RX on page 104 Specifying different servers for individual AAA fu...

Page 1443: ...ing TACACS accounting for CLI commands on page 95 aaa accounting exec default start stop tacacs none Configuring TACACS accounting for Telnet SSH Shell access on page 95 aaa accounting system default start stop tacacs none Configuring TACACS accounting for system events on page 96 aaa authentication enable implicit user Configuring Enable authentication to prompt for password only on page 91 aaa a...

Page 1444: ... id Restricting Telnet access to a specific VLAN on page 68 telnet server suppress reject message Suppressing Telnet connection rejection messages on page 71 telnet server Disabling Telnet access on page 69 Commands See tftp client enable vlan vlan id Restricting TFTP access to a specific VLAN on page 69 Commands See username user string privilege privilege level password nopassword password strin...

Page 1445: ...henticated MAC addresses on page 934 mac authentication apply mac auth filter filter id Defining MAC address filters on page 930 mac authentication auth fail action block traffic Specifying the authentication failure action on page 929 mac authentication auth fail action restrict vlan vlan id Specifying the authentication failure action on page 929 mac authentication auth fail vlan id vlan id Spec...

Page 1446: ... port authentication configuration information on page 936 show auth mac address Displaying authenticated MAC address information on page 936 show auth mac addresses authorized mac Displaying the authenticated MAC addresses on page 940 show auth mac addresses unauthorized mac Displaying the non authenticated MAC addresses on page 940 Commands See age minutes Setting the MAC Port Security age timer...

Page 1447: ...lename tftp ip address filename Rebooting the active and standby management modules on page 32 reload Rebooting the active and standby management modules on page 32 reboot standby Rebooting the active and standby management modules on page 32 show module Determining management module status on page 33 show chassis Displaying temperature information on page 34 format slot1 slot2 Formatting a flash ...

Page 1448: ...es between active and standby management modules on page 53 copy flash lp source file dest file slot number all Copying files from a management module to an interface module on page 53 copy flash tftp ip addr dest file name primary secondary Copying BigIron RX Series Multi Service IronWare images from flash memory to a TFTP server on page 53 copy slot1 slot2 tftp ip addr from dir path source file ...

Page 1449: ...1 slot2 flash memory dir path name file name Specifying the location for saving configuration changes on page 58 Commands See Commands See show snmp engineid Displaying the engine ID on page 1019 show snmp group Defining an SNMP group on page 1016 show snmp server Displaying the SNMP community strings on page 1014 show snmp user Displaying user information on page 1020 snmp server community 0 stri...

Page 1450: ...urce interface ethernet slot port loopback num ve num Designating an interface as the source for all SSH packets on page 920 ip ssh timeout seconds Setting the SSH login timeout value on page 920 kill ssh connection id Displaying SSH connection information on page 921 show ip client pub key begin expression exclude expression include expression Importing authorized public keys into the device on p...

Page 1451: ...terface on page 338 spanning tree ethernet slot port forward delay value hello time value max age value priority value Changing STP bridge parameters on page 329 spanning tree ethernet portnum path cost value priority value disable enable Changing STP port parameters on page 330 spanning tree single ethernet portnum path cost value priority value Enabling SSTP on page 341 spanning tree single forw...

Page 1452: ... 128 banner exec_mode delimiting character Setting a privileged EXEC CLI level banner on page 128 banner incoming delimiting character Displaying a message on the console when an incoming Telnet session is detected on page 129 broadcast limit number Configuring CLI banners on page 127 clock set hh mm ss mm dd yy mm dd yyyy Setting the system clock on page 126 clock summer time Setting the system c...

Page 1453: ...source loopback num ethernet slot port ve num Specifying a Single trap source on page 119 sntp poll interval 1 65535 Specifying a Simple Network Time Protocol SNTP server on page 124 sntp server ip addr hostname version Specifying a Simple Network Time Protocol SNTP server on page 124 static mac address mac addr ethernet portnum to portnum ethernet portnum priority number host type router type fix...

Page 1454: ...eploying a LAG on page 244 acl mirror port ethe port monitored slot port named port monitored name Configuring ACL based mirroring on page 245 disable ethernet slot port named name Disabling ports within a LAG on page 245 enable ethernet slot port named name Enabling ports within a LAG on page 245 monitor ethe port monitored slot port named port monitored name ethernet slot port input output both ...

Page 1455: ...l vlan name static exclude ethernet slot port to slot port router interface ve num Configuring protocol based VLANs on page 295 multicast flooding Hardware flooding for Layer 2 multicast and broadcast packets on page 319 priority num Assigning or changing a VLAN priority on page 294 remove vlan vlan id to vlan id Configuring a VLAN group on page 299 show vlan vlan id ethernet slot port detail begi...

Page 1456: ...uring parameters specific to VRRPE on page 462 Track priority on page 465 backup hello interval value Backup hello message state and interval on page 465 clear ip vrrp stat Clearing VRRP or VRRPE statistics on page 473 dead interval value Dead interval on page 464 hello interval value Hello interval on page 464 ip vrrp auth type no auth I simple text auth auth data Authentication type on page 463 ...

Page 1457: ... priority value Configuring basic VSRP parameters on page 431 Changing the backup priority on page 435 Changing the default track priority on page 438 enable disable Configuring basic VSRP parameters on page 431 include port ethernet portnum Adding or removing a port from the VRID s VLAN on page 433 initial ttl num Changing the Time To Live TTL on page 436 ip address ip addr Configuring a VRID IP ...

Page 1458: ...1382 BigIron RX Series Configuration Guide 53 1002253 01 VSRP E ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands