Home
/
Dell
/
Brocade DCX
/
Configuration Manual

Dell Brocade DCX, Configuration Manual

Share

Page: 602 / 1436

Dell Brocade DCX Configuration Manual Download Page 602

530

BigIron RX Series Configuration Guide

53-1001810-01

Configuring numbered and named ACLs

21

The

<string>

parameter is the ACL name. You can specify a string of up to 256 alphanumeric

characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for
example, “ACL for Net1”). The

<num>

parameter allows you to specify an ACL number if you prefer.

If you specify a number, you can specify from 1 – 99 for standard ACLs or 100 – 199 for extended
ACLs.

NOTE

For convenience, the software allows you to configure numbered ACLs using the syntax for named
ACLs. The software also still supports the older syntax for numbered ACLs. Although the software
allows both methods for configuring numbered ACLs, numbered ACLs are always formatted in the
startup-config and running-config files in using the older syntax, as follows.

access-list 1 deny host 209.157.22.26 log

access-list 1 deny 209.157.22.0 0.0.0.255 log

access-list 1 permit any

access-list 101 deny tcp any any eq http log

The options at the ACL configuration level and the syntax for the ip access-group command are the
same for numbered and named ACLs and are described in

“Configuring standard numbered ACLs”

on page 518.

Configuration example for extended ACL
To configure a named extended ACL entry, enter commands such as the following.

Syntax: [no] ip access-list extended

<string>

|

<num>

deny | permit

<ip-protocol>

<source-ip>

|

<hostname>

<wildcard>

[

<operator>

<source-tcp/udp-port>

]

<destination-ip>

|

<hostname>

<wildcard>

[

<operator>

<destination-tcp/udp-port>

]

[match-all

<tcp-flags>

] [match-any

<tcp-flags>

]

[

<icmp-type>

] [established] [precedence

<name>

|

<num>

]

[tos

<number>

] [dscp-matching

<number>

]

[802.1p-priority-matching

<number>

]

[dscp-marking

<number>

802.1p-priority-marking

<number>

internal-priority-marking

<number>

]

[dscp-marking

<number>

dscp-cos-mapping]

[dscp-cos-mapping]
[fragment] [non-fragment] [first-fragment]
[fragment-offset

<number>

]

[spi

<00000000 - ffffffff>

] [log]

The 16 x 10 GE module only supports the following extended named ACLs.

Syntax: [no] ip access-list extended

<string>

|

<num>

deny | permit

<ip-protocol>

<source-ip>

|

<hostname>

<wildcard>

[

<operator>

<source-tcp/udp-port>

]

<destination-ip>

|

<hostname>

<wildcard>

[

<operator>

<destination-tcp/udp-port>

]

BigIron RX

(config)# ip access-list extended “block Telnet”

BigIron RX

(config-ext-nacl)# deny tcp host 209.157.22.26 any eq telnet log

BigIron RX

(config-ext-nacl)# permit ip any any

BigIron RX

(config-ext-nacl)# exit

BigIron RX

(config)# int eth 1/1

BigIron RX

(config-if-e10000-1/1)# ip access-group “block Telnet” in

«
...
600
601
602
603
604
...
»

Summary of Contents for Brocade DCX

Page 1: ...53 1001810 01 January 31 2010 53 1001810 01 53 1001810 01 BigIron RX Configuration Guide Supporting Multi Service IronWare v02 7 02 ...

Page 2: ...ights reserved Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc is strictly forbidden Trademarks used in this text Dell the DELL logo Inspiron Dell Precision Dimension OptiPlex Latitude PowerEdge PowerVault PowerApp Dell OpenManage and the YOURS IS HERE logo are trademarks of Dell Inc Intel Pentium and Celeron are registered trademarks of Intel Co...

Page 3: ... configuration notes in release 02 5 00 li Summary of enhancements and configuration notes in patch release 02 4 00c lii Summary of enhancements and configuration notes in release 02 4 00 liii Summary of enhancements in patch release 02 3 00a lvii Summary of enhancements and configuration notes in release 02 3 00 lviii Summary of enhancements and configuration notes in 02 2 01lxiii Summary of enha...

Page 4: ...ommand completion 18 Scroll control 18 Line editing commands 19 Searching and filtering output from CLI commands 19 Allowable characters for LAG names 23 Logging on through the Web Management Interface 24 Web Management Interface 25 Logging on through IronView Network Manager 26 Chapter 3 Using a Redundant Management Module In this chapter 27 How management module redundancy works 27 Management mo...

Page 5: ...g a file 51 Appending a file to another file 52 Copying files using the copy command 52 Copying files using the cp command 57 Loading the software 57 Saving configuration changes 59 File management messages 60 Chapter 4 Securing Access to Management Functions In this chapter 61 Securing access methods 61 Restricting remote access to management functions 63 Using ACLs to restrict remote access 63 R...

Page 6: ...ADIUS configuration considerations 99 RADIUS configuration procedure 99 Configuring Brocade specific attributes on the RADIUS server100 Enabling SNMP to configure RADIUS 101 Identifying the RADIUS server to the BigIron RX 101 Specifying different servers for individual AAA functions 102 Setting RADIUS parameters 102 Configuring authentication method lists for RADIUS 103 Configuring RADIUS authoriz...

Page 7: ...disabling Layer 2 switching 129 CAM partitioning for the BigIron RX 130 Re distributing CAM allocations 130 Nexthop table 131 Changing the MAC age time 132 Configuring static ARP entries 132 Chapter 6 Configuring Interface Parameters In this chapter 133 Assigning a port name 133 Assigning an IP address to a port 134 Speed Duplex negotiation 134 Disabling or re enabling a port 135 Changing the defa...

Page 8: ...x format 156 Configuring the default gateway 157 GRE IP tunnel 157 IPv6 over IPv4 tunnels in hardware 162 Configuring Domain Name Server DNS resolver 166 Adding host names to the DNS cache table 167 Configuring packet parameters 171 Changing the encapsulation type 171 Setting maximum frame size per PPCR 172 Changing the MTU 173 Changing the router ID 174 Specifying a single source interface for Te...

Page 9: ... IP routes 223 Displaying IP traffic statistics 223 Displaying TCP traffic statistics 226 Chapter 8 Link Aggregation In this chapter 229 Link aggregation overview 229 LAG formation rules 230 LAG load sharing 232 Hash based load sharing 232 Migration from a pre 02 6 00 trunk or LACP configuration 233 Configuration of a LAG 234 Creating a Link Aggregation Group LAG 235 Deploying a LAG 237 Commands a...

Page 10: ...or transmit TTL 259 Changing the minimum time between port reinitializations 259 LLDP TLVs advertised by the Brocade device 260 Displaying LLDP statistics and configuration settings 266 LLDP configuration summary 266 LLDP statistics 267 LLDP neighbors 268 LLDP neighbors detail 269 LLDP configuration details 271 Resetting LLDP statistics 272 Chapter 10 Configuring Uni Directional Link Detection UDL...

Page 11: ...ring super aggregated VLANs 293 Configuring aggregated VLANs 295 Complete CLI examples 296 Configuring 802 1q in q tagging 299 Configuration rules 300 Enabling 802 1Q in Q tagging 300 Example configuration 302 Configuring 802 1q tag type translation 302 Configuration rules 304 Enabling 802 1q tag type translation 305 Private VLANs 306 Implementation notes 307 Configuration notes 307 Configuring a ...

Page 12: ...rotocol STP BPDU guard 324 Displaying STP information 324 IEEE Single Spanning Tree SSTP 330 SSTP defaults 330 Enabling SSTP 331 Displaying SSTP information 332 PVST PVST compatibility 332 Overview of PVST and PVST 333 VLAN tags and dual mode 333 Enabling PVST support 334 Displaying PVST support information 334 Configuration examples 335 SuperSpan 337 Customer ID 338 BPDU forwarding 338 Configurin...

Page 13: ...aying RSTP information 383 Chapter 14 Metro Ring Protocol MRP Phase 1 and 2 In this chapter 387 Metro Ring Protocol MRP phase 1 387 MRP rings without shared interfaces 389 Ring initialization 390 How ring breaks are detected and healed 393 Master VLANs and customer VLANs in a topology group 394 Configuring MRP 395 Adding an MRP ring to a VLAN 396 Changing the hello and preforwarding times 397 MRP ...

Page 14: ...alues received from the master 422 VSRP slow start 423 Changing the Time To Live TTL 423 Changing the hello interval 424 Changing the dead interval 424 Changing the backup hello state and interval 424 Changing the hold down interval 425 Changing the default track priority 425 Specifying a track port 426 Disabling or re enabling backup pre emption 426 Port transition hold timer 426 Clearing VSRP in...

Page 15: ... VRRPE 450 Configuration rules for VRRPE 450 Configuring additional VRRP and VRRPE parameters 451 Authentication type 451 Suppression of RIP advertisements on backup routers for the backup up interface 452 Hello interval 452 Dead interval 453 Backup hello message state and interval 453 Track port 453 Track priority 454 Backup preempt 454 Master router abdication and reinstatement 455 Displaying VR...

Page 16: ...ng WRED 477 Enabling WRED 477 Setting the averaging weight Wq parameter 478 Displaying the WRED configuration 481 Scheduling traffic for forwarding 482 Configuring traffic scheduling 482 Configuring multicast traffic engineering 486 Displaying the multicast traffic engineering configuration 487 QoS for the oversubscribed 16 x 10GE modules 488 Aggregation NP QOS modes 488 Port group assignments 488...

Page 17: ...CL table to an interface 508 Increasing the maximum number of clauses per Layer 2 ACL table 508 Viewing Layer 2 ACLs 508 Example of Layer 2 ACL deny by MAC address 509 Chapter 21 Access Control List In this chapter 511 How the device processes ACLs 512 Disabling or re enabling Access Control Lists ACLs 513 Default ACL action 513 Types of IP ACLs 513 ACL IDs and entries 513 Enabling support for add...

Page 18: ...53 Enabling ACL duplication check 554 ACL accounting 554 Displaying accounting statistics for all ACLs 555 Displaying statistics for an interface 555 Clearing the ACL statistics 556 Enabling ACL filtering of fragmented or non fragmented packets 557 ACL filtering for traffic switched within a virtual routing interface 558 ICMP filtering for extended ACLs 558 Troubleshooting ACLs 560 Chapter 22 Poli...

Page 19: ...GMP V1 and V2 579 Enabling the IGMP version per interface setting 579 Enabling the IGMP version on a physical port within a virtual routing interface 580 Setting the query interval 581 Setting the group membership time 582 Setting the maximum response time 582 Displaying IGMPv3 information 582 Clearing IGMP statistics 586 IGMP V3 and source specific multicast protocols 586 Configuring a static mul...

Page 20: ...on 638 Displaying peer information 639 Displaying source active cache information 642 Clearing MSDP information 642 Clearing peer information 643 Clearing the source active cache 643 Clearing MSDP statistics 643 DVMRP overview 643 Initiating DVMRP multicasts on a network 644 Pruning a multicast tree 644 Grafts to a multicast tree 646 Configuring DVMRP 647 Enabling DVMRP globally and on an interfac...

Page 21: ...VRRPE backup interface 670 Using prefix lists and route maps as route filters 671 Setting RIP timers 672 Displaying RIP filters 672 Clearing the RIP routes from the routing table 673 Chapter 25 Configuring OSPF Version 2 IPv4 In this chapter 675 Overview of OSPF Open Shortest Path First 675 Designated routers in multi access networks 676 Designated router election in multi access networks 677 OSPF...

Page 22: ...efault network route 707 Modify SPF timers 708 Modify redistribution metric type 708 Modify administrative distance 709 Configure OSPF group Link State Advertisement LSA pacing710 OSPF ABR type 3 LSA filtering 710 Displaying the configured OSPF area prefix list 713 Modifing OSPF traps generated 714 Modify OSPF standard compliance setting 716 Modify exit overflow interval 716 Specify types of OSPF ...

Page 23: ... advertised to BGP4 neighbors 757 Configuring the BigIron RX to always compare Multi Exit Discriminators MEDs 757 Disabling or re enabling comparison of the AS path length 758 Redistributing IBGP routes 758 Disabling or re enabling client to client route reflection 759 Configuring a route reflector 759 Enabling or disabling comparison of the router IDs 759 Configuring confederations 760 Configurin...

Page 24: ...ies 795 Defining and applying IP prefix lists 797 Defining neighbor distribute lists 798 Defining route maps 798 Configuring cooperative BGP4 route filtering 807 Configuring route flap dampening 809 Generating traps for BGP 814 Updating route information and resetting a neighbor session814 Clearing traffic counters 820 Clearing route flap dampening statistics 821 Removing route flap dampening 821 ...

Page 25: ...28 Configuring Secure Shell In this chapter 867 Overview of Secure Shell SSH 867 SSH version 2 support 867 Supported features 868 Configuring SSH 869 Generating a host key pair 869 Configuring DSA challenge response authentication 870 Disabling 3 DES 875 Displaying SSH connection information 875 Using secure copy 876 Chapter 29 Configuring IS IS IPv4 In this chapter 879 Relationship to IP route ta...

Page 26: ...ibuting static IPv4 routes into IPv4 IS IS 896 Redistributing directly connected routes into IPv4 IS IS 897 Redistributing RIP routes into IPv4 IS IS 897 Redistributing OSPF routes into IPv4 IS IS 898 Redistributing BGP4 routes into IPv4 IS IS 898 Redistributing IPv4 IS IS routes within IPv4 IS IS 898 Configuring ISIS properties on an interface 899 Disabling and enabling IS IS on an interface 899 ...

Page 27: ...he same interface 929 Configuring multi device port authentication 929 Enabling multi device port authentication 930 Configuring an authentication method list for 802 1x 930 Setting RADIUS parameters 930 Specifying the format of the MAC addresses sent to the RADIUS server 931 Specifying the authentication failure action 931 Defining MAC address filters 932 Configuring dynamic VLAN assignment 932 S...

Page 28: ...ion actions 946 Port security MAC violation limit 947 Transparent port flooding 948 Displaying MAC port security information 949 Displaying port security settings 949 Displaying the secure MAC addresses on the device 950 Displaying port security statistics 950 Displaying a list of MAC addresses 951 Chapter 33 Configuring 802 1x Port Security In this chapter 953 Overview of 802 1x port security 953...

Page 29: ...on server 970 Specifying a timeout for retransmission of EAP request frames to the client 970 Initializing 802 1x on a port 970 Allowing multiple 802 1x clients to authenticate 970 Displaying 802 1x information 972 Displaying 802 1x configuration information 972 Displaying 802 1x statistics 974 Clearing 802 1x statistics 975 Displaying dynamically assigned VLAN information 975 Displaying informati...

Page 30: ...MP Access In this chapter 1001 Establishing SNMP community strings 1001 Encryption of SNMP community strings 1001 Adding an SNMP community string 1002 Displaying the SNMP community strings 1003 Using the user based security model 1003 Configuring your NMS 1003 Configuring SNMP version 3 on the BigIron RX 1004 Defining the engine ID 1004 Defining an SNMP group 1005 Defining an SNMP user account 100...

Page 31: ... enabling sFlow 1026 ACL based inbound sFlow 1030 Chapter 40 Multiple Spanning Tree Protocol MSTP 802 1s In this chapter 1037 802 1s Multiple Spanning Tree Protocol 1037 Multiple spanning tree regions 1037 Configuring MSTP 1039 Setting the MSTP name 1039 Setting the MSTP revision number 1039 Configuring an MSTP instance 1040 Configuring port priority and port path cost 1040 Configuring bridge prio...

Page 32: ...tateless autoconfiguration 1066 Chapter 43 Configuring Basic IPv6 Connectivity In this chapter 1067 Enabling IPv6 routing 1068 Configuring IPv6 on each router interface 1068 Configuring a global or site local IPv6 address 1068 Configuring a link local IPv6 address 1069 Configuring IPv6 anycast addresses 1070 Configuring the management port for an IPv6 automatic address configuration 1071 IPv6 host...

Page 33: ... load sharing for IPv6 1082 Displaying ECMP load sharing information for IPv6 1082 Configuring IPv6 ICMP 1083 Configuring ICMP rate limiting 1083 Disabling or reenabling ICMP redirect messages 1084 Configuring IPv6 neighbor discovery 1084 Neighbor solicitation and advertisement messages 1085 Router advertisement and solicitation messages 1085 Neighbor redirect messages 1086 Setting neighbor solici...

Page 34: ...IPng routes from IPv6 route table 1115 Displaying RIPng information 1115 Displaying RIPng configuration 1115 Displaying RIPng routing table 1116 Chapter 45 Configuring BGP4 In this chapter 1119 Address family configuration level 1119 Configuring BGP4 1120 Enabling BGP4 1121 Configuring BGP4 neighbors using global or site local IPv6 addresses 1121 Adding BGP4 neighbors using link local addresses 11...

Page 35: ... routes supported1176 Enabling IPv6 MBGP 1176 Adding IPv6 MBGP neighbors 1177 Optional configuration tasks 1177 Aggregating routes advertised to IPv6 BGP neighbors 1180 Displaying IPv6 MBGP information 1180 Displaying summary MBGP information 1181 Displaying the Active MBGP Configuration 1182 Displaying MBGP neighbors 1182 Displaying MBGP routes 1184 Displaying the IPv6 multicast route table 1184 ...

Page 36: ...ling event logging 1218 Displaying OSPFv3 information 1218 Displaying OSPFv3 area information 1218 Displaying OSPFv3 database Information 1219 Displaying OSPFv3 interface information 1224 Displaying OSPFv3 memory usage 1227 Displaying OSPFv3 neighbor information 1228 Displaying routes redistributed into OSPFv3 1230 Displaying OSPFv3 route information 1231 Displaying OSPFv3 SPF information 1233 Dis...

Page 37: ...affic 1264 Embedded Rendezvous Point RP 1265 Chapter 50 Configuring IPv6 Routes In this chapter 1267 Configuring a static IPv6 route 1267 Configuring a IPv6 multicast route 1269 Appendix A Using Syslog Displaying Syslog messages 1272 Configuring the Syslog service 1273 Displaying the Syslog configuration 1273 Disabling or re enabling Syslog 1277 Specifying a Syslog server 1277 Specifying an additi...

Page 38: ...net drafts 1306 Appendix C NIAP CCEVS Certification NIAP CCEVS certified Brocade equipment and Ironware releases1307 Web management access to NIAP CCEVS certified Security Guide equipment 1307 Local user password changes 1308 Appendix D Commands That Require a Reload Appendix E Index to the CLI Commands ACLs IP 1311 Numbered ACL 1311 Named ACL 1312 Other ACL commands 1312 ACLs L2 1313 BGP4 1313 FD...

Page 39: ... Access 1347 Authentication method list 1347 Passwords 1347 Privilege level 1348 RADIUS 1348 SNMP access 1349 SSH access 1349 SSL 1349 TACACS TACACS 1349 Telnet access 1350 TFTP access 1350 User account 1351 Web management access 1351 DoS protection 1351 MAC authentication 1351 MAC port security 1353 Redundant management module 1353 SNMP 1355 SSH 1356 sFlow 1357 STP 1357 SysLog messages 1358 Syste...

Page 40: ...xl BigIron RX Series Configuration Guide 53 1001810 01 ...

Page 41: ...ayer 3 Switch you should be familiar with the following protocols if applicable to your network IP RIP OSPF BGP ISIS IGMP PIM DVMRP and VRRP Supported hardware and software Although many different software and hardware configurations are tested and supported by Brocade Communications Systems Inc documenting all possible configurations and scenarios is beyond the scope of this document This guide p...

Page 42: ...anagement Options Serial and Telnet access to industry standard Command Line Interface CLI SSHv2 TFTP Web based GUI SNMP versions 1 2 and 3 IronView Network Manager Security AAA Authentication Local passwords RADIUS Secure Shell SSH version 2 Secure Copy SCP TACACS TACACS User accounts 802 1x All EAP types including MD5 TLS TTLS and PEAP Multi device port authentication AES for SNMPv3 SSHv2 SCP an...

Page 43: ...ed rate limiting on inbound ports are supported SuperSpan A Brocade STP enhancement that allows Service Providers SPs to use STP in both SP networks and customer networks Topology Groups A named set of VLANs that share a Layer 2 topology You can use topology groups with the following Layer 2 protocols STP Brocade MRP VSRP 802 1W Trunk Groups and LAG Allows you to manually configure multiple high s...

Page 44: ...Static entries Routes ARPs Virtual interfaces Secondary addresses IS IS Multicast Routing Multicast cache L2 IGMP table DVMRP routes PIM DM PIM SM PIM SSM PIM Snooping OSPF OSPF routes OSPF adjacencies Dynamic OFPF LSAs OSPF filtering of advertised routes PBR Policy Based Routing Release 02 2 01 and later RIP versions 1 and 2 RIP routes VRRP and VRRPE Virtual Router Redundancy Protocol VRRP and VR...

Page 45: ...guration Guide or the Brocade BigIron RX Series Installation Guide that contain a detailed description and operational details for the enhancement TABLE 2 Summary of enhancements in release 02 7 02 Enhancement Description See page System features Enhanced spreed duplex command The speed duplex command has been enhanced to support 24F and 24HF modules The auto Autonegotiation mode option has also b...

Page 46: ... today This release adds AES for SNMPv3 as specified in RFC 3826 To enable AES encryption specify the aes encryption type when defining an SNMP user account Book BigIron RX Series Configuration Guide Chapter Securing SNMP Access Section Defining an SNMP user account AES Encryption for SSH v2 Secure Copy SCP and Secure HTTPS HTTPS SSH v2 SCP and HTTPS now supports a very strong AES encryption algor...

Page 47: ...t security command has been added The port security command is now only used when configuring MAC port security on specific interfaces Book BigIron RX Series Configuration Guide Chapter Using the MAC Port Security Feature Section Enabling the MAC port security feature Network management DHCP Relay Enhancement Beginning with this release the IP subnet configured on the port which is directly connec...

Page 48: ... long Book BigIron RX Series Configuration Guide Chapter Link Aggregation Section Configuring an LACP timeout Rate Limiting ARP Packets This new feature allows you to rate limit ARP traffic that is destined for CPU of the device router Book BigIron RX Series Configuration Guide Chapter Configuring IP Section Applying a rate limit to ARP packets on an interface Layer 2 features VSRP Fast Start Non ...

Page 49: ... a method of providing intra domain redundancy and load balancing between multiple Rendezvous Points RP in a Protocol Independent Multicast Sparse mode PIM SM network Book BigIron RX Series Configuration Guide Chapter Configuring IP Multicast Protocols Section Anycast RP Multicast Listening Discovery MLD Release 02 6 00 adds support for MLD Snooping MLDv1 and MLDv2 on Brocade BigIron RX devices ru...

Page 50: ...router is then able to act as a proxy for the discovered hosts and perform IGMP tasks upstream of the discovered hosts Where there are multiple IGMP hosts downstream this removes the need to send multiple messages Book BigIron RX Series Configuration Guide Chapter Configuring IP Multicast Traffic Reduction Section Multicast traffic reduction per VLAN Layer 4 features Automatic ACL Rebind Beginning...

Page 51: ...ng with version 02 5 00 of the Multi Service IronWare software the upgrading procedures have been changed The new procedure is described in the Release Notes for device Multi Service IronWare Software Release 02 5 00 Book Release Notes for device Multi Service IronWare Software Release 02 5 00 SDS Over Telnet Beginning with release 02 5 00 of the Multi Service IronWare software remote SDS is suppo...

Page 52: ...nIfStpPortRole snIfStpBPDUTransmitted snIfStpBPDUReceived snIfRstpConfigBPDUReceived snIfRstpTCNBPDUReceived snIfRstpConfigBPDUTransmitted snIfRstpTCNBPDUTransmitted Book MIB Reference Chapter Interfaces Section Port STP Configuration Groups TABLE 9 Summary of enhancements in release 02 4 00c Enhancement Description See page ACL Based RP assignment The rp address command has been enhanced to allow...

Page 53: ...an Image Private VLAN A private VLAN is a VLAN that has the properties of standard Layer 2 port based VLANs but also provides additional control over flooding packets on a VLAN Book BigIron RX Series Configuration Guide Chapter VLANs Section Private VLANs MRP Phase 2 In Metro Ring Protocol MRP Phase 2 the same physical interface can be shared by multiple rings belonging to the same VLAN Book BigIr...

Page 54: ...uring OSPF Version 2 IPv4 Section Configuring a default network route IPv6 Default Route ECMP This feature allows for load distribution of traffic among the available IPv6 default route next hops Book BigIron RX Series Configuration Guide Chapter Configuring Basic IPv6 Connectivity Section ECMP load sharing for IPv6 IPv6 Tunneling in Hardware Manual configuration of IPv6 to IPv4 tunnels is now sup...

Page 55: ... guard is used on client ports to prevent IP source address spoofing Book BigIron RX Series Configuration Guide Chapter Inspecting and Tracking DHCP Packets Section IP source guard Dynamic ARP Inspection Dynamic ARP Inspection DAI is a security feature that can prevent Man in the Middle MiM or ARP spoofing poisoning attacks Book BigIron RX Series Configuration Guide Chapter Inspecting and Tracking...

Page 56: ...ection Logging all CLI commands to Syslog Syslog Source Interface You can configure the BigIron RX to use the lowest numbered IP or IPv6 address configured on a loopback interface virtual interface or Ethernet port as the source for all Syslog packets from the device Book BigIron RX Series Configuration Guide Chapter Configuring IP Section Configuring an interface as the source for Syslog packets ...

Page 57: ...be flooded to all other ports within the VLAN Starting with release 02 3 00a Book BigIron RX Series Configuration Guide Chapter Using the MAC Port Security Feature Section Transparent port flooding VLAN ID to MSTP Instance Pre assignment This feature will allow the user to assign a VLAN ID to a Common Spanning Tree CIST or Multiple Spanning Tree Instance MSTI even though a VLAN has not been create...

Page 58: ...hernet interface module Book Brocade BigIron RX Series Installation Guide Hitless OS Upgrade for Layer 2 Version 02 5 00 of the Multi Service IronWare software supports hitless upgrade of the operating system on a device switch Using this feature you can upgrade the Multi Service IronWare software without a loss or disruption of service as described Book Brocade BigIron RX Series Installation Guid...

Page 59: ...nhanced speed duplex command In this release the speed duplex command has been enhanced to include the master and slave parameters Book BigIron RX Series Configuration Guide Chapter Configuring Interface Parameters Section Speed Duplex negotiation TABLE 13 Layer 2 enhancements Enhancement Description See Flow based MAC Learning In this release the cpu flooding unknown unicast command that disables...

Page 60: ...onfiguration Guide Book BigIron RX Series Configuration Guide Chapter Configuring Basic IPv6 Connectivity OSPF v3 IPv6 supports OSPF version 3 OSPFv3 which functions similarly to OSPF version 2 Book BigIron RX Series Configuration Guide Chapter Configuring OSPF Version 3 BGP Brocade s implementation of IPv6 supports multi protocol BGP MBGP extensions which allow IPv6 BGP known as BGP4 to distribut...

Page 61: ...ure allows for load distribution of traffic among the available default route next hops Book BigIron RX Series Configuration Guide Chapter Configuring IP Section Default route ECMP Transparent Firewall Mode The Transparent Firewall mode feature allows users to insert a Firewall in front of their existing network without changing the statically defined IP addresses of their network connected device...

Page 62: ... conditions are met Book BigIron RX Series Configuration Guide Chapter Configuring IP Multicast Protocols Section Enabling membership tracking and fast leave MLDv1 v2 MLDv2 supports source filtering and the ability of a node to send reports on traffic that is from a specific address source or from all multicast addresses except the specified address sources Book BigIron RX Series Configuration Gui...

Page 63: ...nfiguration Guide Chapter Inspecting and Tracking DHCP Packets Section DHCP relay agent information DHCP option 82 TABLE 17 Network management Enhancement Description See IPv6 Management TFTP SSH Telnet AAA and WEB You can perform system management tasks for the BigIron RX using the TFTP telnet AAA and Secure Shell SSH Book BigIron RX Series Configuration Guide Chapter Configuring Basic IPv6 Conne...

Page 64: ...onfiguration level Book BigIron RX Series Configuration Guide Chapter See the Dynamic Link Aggregation chapter in the BigIron RX Series Configuration Guide Versions 02 5 00 and earlier Section Configuring Link Aggregation Parameters TABLE 20 Layer 3 enhancements Enhancement Description See page Graceful Restart With this release you can enable Graceful Restart for OSPF and BGP Book BigIron RX Seri...

Page 65: ... allows you to use ACLs and route maps to selectively modify and route IP packets in hardware The ACLs classify the traffic Route maps that match on the ACLs set routing attributes for the traffic Book BigIron RX Series Configuration Guide Chapter Policy Based Routing TABLE 21 Multicast enhancement Enhancement Description See page IGMP Snooping The device supports IGMP snooping Book BigIron RX Ser...

Page 66: ...ne of the Layer 3 Switch IP interfaces Book BigIron RX Series Configuration Guide Chapter Access Control List Section Specifying the destination mirror port for IP receive ACLs Static Route Tagging Static routes can be configured with tag values Book BigIron RX Series Configuration Guide Chapter Configuring IP Section Static route tagging MTU enhancements for IPv4 In this release you can configure...

Page 67: ...rate a new one Book Brocade BigIron RX Series Installation Guide TABLE 23 System enhancements Enhancement Description See page Unified software image for software upgrades Once the device software has been upgraded to Release 02 2 01 you can use the unified software image to upgrade the device s software Book Brocade BigIron RX Series Installation Guide Change to the SNMP MIB objects for trunking ...

Page 68: ...n RX Series Configuration Guide Chapter Configuring Traffic Reduction Hardware Forwarding of Packets Default behavior on device is hardware unknown unicast and multicast flooding Book BigIron RX Series Configuration Guide Chapter VLANs Section Hardware flooding for Layer 2 multicast and broadcast packets Switching and Routing Packets Operation of packet switching and routing have changed with the ...

Page 69: ...ents are used in this manual They are listed below in order of increasing severity of potential hazards NOTE A note provides a tip guidance or advice emphasizes important information or provides a reference to related information bold text Identifies command names Identifies the names of user manipulated GUI elements Identifies keywords Identifies text to enter at the GUI or CLI italic text Provid...

Page 70: ...hese trademarks are the properties of their respective companies and corporations These references are made for informational purposes only Related publications The following Brocade documents supplement the information in this guide Brocade BigIron RX Series Installation Guide MIB Reference NOTE For the latest edition of these documents which contain the most up to date information see Product Ma...

Page 71: ...ck on Cases Create a New Ticket Make sure you specify the document title in the ticket description E mail access Send an e mail to IPsupport brocade com Telephone access United States and Canada 800 752 8061 International 800 ATFIBREE 800 28 34 27 33 Refer to the Services Support page on www brocade com for additional toll free numbers that may be available within your country Areas unable to acce...

Page 72: ...lxxii BigIron RX Series Configuration Guide 53 1001810 01 ...

Page 73: ...local Telnet SSH or SNMP connection by specifying the management port s IP address The commands in the CLI are organized into the following levels User EXEC Lets you display information and perform basic tasks such as pings and traceroutes Privileged EXEC Lets you use the same commands as those at the User EXEC level plus configuration commands that do not require saving the changes to the system ...

Page 74: ...ers of the command or option name to avoid ambiguity with other commands or options the CLI understands what you are typing Scroll control By default the CLI uses a page mode to paginate displays that are longer than the number of rows in your terminal emulation window For example if you display a list of all the commands at the global CONFIG level but your terminal emulation window does not have ...

Page 75: ...chy such as the Privileged EXEC level Privileged EXEC level Commands at the Privileged EXEC level enable you to transfer and store software images and configuration files between the network and the system and review the configuration TABLE 26 CLI line editing commands Ctrl key combination Description Ctrl A Moves to the first character on the command line Ctrl B Moves the cursor back one characte...

Page 76: ...al at the privileged EXEC level BigIron RX enable BigIron RX configuration terminal The prompt changes to the Global Configuration level BigIron RX config CONFIG commands CONFIG commands modify the configuration of a device Once you are at the Global Configuration level you can enter commands to configure the features in the device This section describes the following CONFIG CLI levels Redundancy ...

Page 77: ...unicast address family level allows you to configure a BGP4 unicast route For backward compatibility you can currently access BGP4 unicast address family commands at both global BGP configuration and BGP4 unicast address family configuration levels Therefore the global BGP and BGP4 unicast address family commands are documented together You reach the global BGP level by entering the router bgp com...

Page 78: ...is level by entering the vlan vlan id command at the Global CONFIG Level Metro ring level Metro rings provide Layer 2 connectivity and fast failover in ring topologies You reach this level by entering the metro ring ring id command at the Global CONFIG Level VSRP level The VSRP level allows you to configure parameters for the Virtual Switch Redundancy Protocol VSRP You reach this level by entering...

Page 79: ... password you enter for general access at initial setup You also have the option of assigning a separate password for Telnet access with the enable telnet password password command found at the Global Level At initial log on all you need to do is type enable at the prompt then press Return You only need to enter a password after a permanent password is entered at the Global CONFIG Level of the CLI...

Page 80: ...h metric value set metric value When an item is bracketed with symbols the information requested is a variable and required When an item is not enclosed by or symbols the item is a required keyword BigIron RX User Level EXEC Command BigIron RX Privileged Level EXEC Command BigIron RX config Global Level CONFIG Command BigIron RX config if e10000 5 1 Interface Level CONFIG Command BigIron RX config...

Page 81: ...ay of available options at a CLI level or for the next option in a command string enter a question mark at the prompt or press TAB Example To view all available commands at the user EXEC level enter the following or press TAB at the User EXEC CLI level BigIron RX return enable exit fastboot ping show stop trace route traceroute You also can use the question mark with an individual command to see a...

Page 82: ...xpression NOTE The vertical bar is part of the command Note that the regular expression specified as the search string is case sensitive In the example above a search string of Internet would match the line containing the IP address but a search string of Internet would not Displaying lines that do not contain a specified string The following command filters the output of the show who command so i...

Page 83: ...nge file attribute boot Boot system from bootp tftp server flash image cd Change current working directory chdir Change current working directory clear Clear table statistics keys clock Set clock configure Enter configuration mode copy Copy between flash tftp config code cp Copy file commands debug Enable debugging functions see also undebug delete Delete file on flash dir List files dm test comma...

Page 84: ...u can include special characters that influence the way the software matches the output against the search string These special characters are listed in the following table TABLE 27 Special characters for regular expressions Character Operation The period matches on any single character including a blank space For example the following regular expression matches aaz abz acz and so on but not just ...

Page 85: ...nds with deg deg _ An underscore matches on one or more of the following comma left curly brace right curly brace left parenthesis right parenthesis The beginning of the input string The end of the input string A blank space For example the following regular expression matches on 100 but not on 1002 2100 and so on Square brackets enclose a range of single character patterns For example the followi...

Page 86: ...red to distinguish it from other commands at that level For example given the possible commands copy tftp and config tftp possible shortcuts are cop tftp and con tftp respectively In this case co does not properly distinguish the two commands Saving configuration changes You can make configuration changes while the device is running The type of configuration change determines whether or not it bec...

Page 87: ...ant to make the changes permanent you need to save the changes to flash using the write memory command When you save the configuration changes to flash this will become the configuration that is initiated and run at system boot NOTE Most configuration changes are dynamic and thus do not require a software reload If a command requires a software reload to take effect the documentation states this ...

Page 88: ...16 BigIron RX Series Configuration Guide 53 1001810 01 Searching and filtering output 1 ...

Page 89: ...gement port or from a Telnet connection to the PC or terminal Web management interface A GUI based management interface accessible through an HTTP web browser connection IronView Network Manager An optional SNMP based standalone GUI application The following section describes how to log on to these applications Logging on through the CLI Once an IP address is assigned to the BigIron RX Series Swit...

Page 90: ...ent CLI level are listed If you enter part of a command then enter or press Tab the CLI lists the options you can enter at this point in the command string If you enter an invalid command followed by a message appears indicating the command was unrecognized Example BigIron RX config rooter ip Unrecognized command Command completion The CLI supports command completion so you do not need to enter th...

Page 91: ...nds and at the More prompt You can search for individual characters strings or construct complex regular expressions to filter the output TABLE 28 CLI line editing commands Ctrl key combination Description Ctrl A Moves to the first character on the command line Ctrl B Moves the cursor back one character Ctrl C Escapes and terminates command prompts and ongoing tasks such as lengthy displays and di...

Page 92: ...art of the command NOTE The regular expression specified as the search string is case sensitive In the example above a search string of Internet would match the line containing the IP address but a search string of internet would not Displaying lines that do not contain a specified string The following command filters the output of the show who command so it displays only lines that do not contain...

Page 93: ...ther attrib Change file attribute boot Boot system from bootp tftp server flash image cd Change current working directory chdir Change current working directory clear Clear table statistics keys clock Set clock configure Enter configuration mode copy Copy between flash tftp config code cp Copy file commands debug Enable debugging functions see also undebug delete Delete file on flash dir List file...

Page 94: ...e following regular expression matches aaz abz acz and so on but not just az a z The asterisk matches on zero or more sequential instances of a pattern For example the following regular expression matches output that contains the string abc followed by zero or more Xs abcX The plus sign matches on one or more sequential instances of a pattern For example the following regular expression matches ou...

Page 95: ... curly brace right curly brace left parenthesis right parenthesis The beginning of the input string The end of the input string A blank space For example the following regular expression matches on 100 but not on 1002 2100 and so on _100_ Square brackets enclose a range of single character patterns For example the following regular expression matches output that contains 1 2 3 4 or 5 1 5 You can u...

Page 96: ...ter the IP address of a BigIron RX Series Switch s management port in the Location or Address field The Web browser contacts the device and displays the login panel for the BigIron RX Series Switch as shown in Figure 1 FIGURE 1 Web Management Interface login panel NOTE If you are unable to connect with the device through a Web browser due to a proxy problem it may be necessary to set your Web brow...

Page 97: ...ng You must add one using the CLI Refer to the Security Guide Web Management Interface When you log into a device the System configuration panel is displayed This panel allows you to enable or disable major system features You can return to this panel from any other panel by selecting the Home link The Site Map link gives you a view of all available options on a single screen Figure 3 displays the...

Page 98: ...iguration Guide 53 1001810 01 Logging on through IronView Network Manager 2 Logging on through IronView Network Manager Refer to the IronView Network Management User s Guide for information about using IronView Network Manager ...

Page 99: ...ction explains the following How management module redundancy works under normal operating conditions Events that cause a standby management module to assume the role of the active module and how the switchover occurs as a result of each event Implications that you should be aware of if a switchover occurs Management module redundancy overview When you power on or reload a BigIron RX Series chassi...

Page 100: ...ion on the interface module can be overwritten in some cases which can cause an interruption of traffic forwarding Management module switchover The events cause the standby management module to become the active module which is called a switchover Those events are as follows The active module becomes unavailable You perform a manual switchover You remove and replace the active management module Th...

Page 101: ...ronizes the standby module s flash code and system config file with its own Removal and replacement of a standby management module You can remove a standby management module without causing a switchover to occur The active module continues to function as is Communication between the active module and the removed module stops until the new module is installed in the BigIron RX Series chassis After ...

Page 102: ...ge and trap MAC address changes The MAC addresses in theBigIron RX Series system are based on the MAC address of the BigIron RX Series chassis During switchover the system s MAC addresses change and the system sends out gratuitous ARP requests to flush the old MAC addresses from the ARP caches on attached IP devices and update the caches with the system s new MAC addresses Layer 2 Hitless Failover...

Page 103: ... this task Changing the default active Chassis slot By default the BigIron RX Series system considers the module installed in slot M1 to be the active management module If desired you can change the default active chassis slot to M2 The active management command determines which management module will become active after a power cycle By default the top or left mgmt module will become active after...

Page 104: ...e The flash code also includes the system config file During startup or switchover the active module compares the standby module s system config file to its own If differences exist the active module synchronizes the standby module s system config file with its own When you save changes to the system config file on the active module the active module automatically synchronizes without comparison t...

Page 105: ...izing files You can initiate a comparison of the flash code system config file and running config file on the active management module with the same files on the standby module and synchronize the files immediately if differences exist When you synchronize the files the active module copies its files to the standby module replacing the files on the standby module Synchronized at startup or switcho...

Page 106: ...eset commands at the Privileged EXEC level BigIron RX switchover or BigIron RX reset Syntax switchover Syntax reset Rebooting the active and standby management modules You can reboot the management modules maintaining the active and standby roles currently performed by each module using the boot system or reload commands You can also reboot the standby module only maintaining its current standby r...

Page 107: ...ement module in the following ways LEDs The management module s LEDs indicate whether a module is the active module or the standby module and if the module has power Module information in software The module information displayed by the software indicates whether a module is the active module or the standby module Status LED If you are located near the BigIron RX Series chassis you can determine w...

Page 108: ...t module contains a temperature sensor By default the BigIron RX system polls the temperature of each management module every 60 seconds You can display the current temperature of the management modules and all other modules by entering the following command at any CLI level Syntax show chassis The output displays the temperature of the management modules in the BigIron RX chassis and also indicat...

Page 109: ... 17 Running Config Sync Period 7 seconds MP Redundancy Statistics Current Active Session Active Slot 9 Standby Slot 10 Ready State Switchover Cause No Switchover Start Time 0 0 17 19 47 39 Wednesday Previous Active Session 1 Active Slot 10 Standby Slot 9 Switchover Cause Active Rebooted Start Time 0 0 17 19 46 9 Wednesday End Time 0 0 17 19 47 39 Wednesday Previous Active Session 2 Active Slot 9 S...

Page 110: ...t focus Display a directory of the files Display the contents of a file Display the hexadecimal output of a file Create a subdirectory Remove a subdirectory Rename a file Change the read write attribute of a file Delete a file Recover or undelete a file Append one file to another join two files Perform copy operations using the copy command Perform copy operations using the cp command Load the sys...

Page 111: ...nt the command to apply to the file system that has the current management focus you do not need to specify the file system If you want the operation to apply to the file system that does not have the current management focus you must specify one of the following keywords flash indicates flash memory slot1 indicates the flash card inserted in slot 1 slot2 indicates the flash card inserted in slot ...

Page 112: ...an be a maximum of 256 characters You can nest subdirectories as deep as you want as long as the full path name is 256 characters or less When you include a subdirectory path in a file management command use a slash between each level For example to create a subdirectory for flash code and copy a flash image file to the subdirectory enter commands such as the following BigIron RX mkdir slot1 switc...

Page 113: ...ong subdirectory name A subdirectory or file name can be a maximum of 256 characters long A complete subdirectory path name cannot contain more than 256 characters There is no maximum file size A file can be as large as the available flash card space Wildcards Commands to display a directory of files to change the read write attribute of a file or to delete files accept wildcards in the file name ...

Page 114: ...sh card in the management module s slot 2 enter the following command BigIron RX format slot2 80809984 bytes total card space 80809984 bytes available on card 2048 bytes in each allocation unit 39458 allocation units available on card Syntax format slot1 slot2 The slot1 slot2 keyword specifies the PCMCIA slot that contains the flash card you are formatting Determining the current management focus ...

Page 115: ...rectory pathname Syntax chdir directory pathname For the directory pathname parameter for both cd and chdir commands you can specify slot1 or slot2 to switch the focus to slot 1 or slot 2 respectively Specify flash to switch the focus to flash memory After you have switched the focus to a slot 2 you can specify the directory pathname parameter to switch the focus to a subdirectory on a flash card ...

Page 116: ...cify The files that match the value for a name you specify For example to list only files that contain a tmp suffix in flash memory if flash memory is the current management focus enter a command such as the following BigIron RX dir Directory of flash 07 28 2003 15 57 45 3 077 697 1060 tmp 07 28 2003 15 56 10 3 077 697 14082 tmp 07 28 2003 16 00 08 3 077 697 2084 tmp 07 25 2003 18 00 23 292 701 bo...

Page 117: ...ys File date The date on which the file was placed in the flash memory or card if the Brocade device s system clock is set Time of day The time of day at which the file was placed in the flash memory or card if the Brocade device s system clock is set File size The number of bytes in the file Read write attribute If you have set the file s read write attribute to read only R appears before the fil...

Page 118: ...y has the management focus However you do not need to change the focus to display the hexadecimal output of the file in a file system that does not currently have management focus In this case you can specify the directory file name parameter with the hd command to display the output of the file in the desired file system For example to display the hexadecimal output of a file in flash memory if f...

Page 119: ...either md or mkdir for the command name Specify the slot1 or slot2 keyword to create a subdirectory on the flash card in slot 1 or slot 2 respectively If you do not specify one of these parameters the command applies to the file system that currently has the management focus The dir name parameter specifies the subdirectory name You can enter a name that contains any combination of the following c...

Page 120: ...t flash memory has the management focus However you do not need to change the focus to remove a subdirectory from a file system that does not currently have management focus In this case you can specify the slot1 or slot2 keyword with the rd or rmdir command to remove the subdirectory from the desired file system For example to remove a subdirectory from the flash card inserted in slot 2 if the fl...

Page 121: ...w filename that you want to assign to the original file For example to rename a file on the flash card inserted in slot 2 if flash memory has the current management focus enter a command such as the following BigIron RX rename slot2 oldname slot2 newname Changing the read write attribute of a file You can specify the read write attribute of a file on a flash card as follows Read only You can displ...

Page 122: ...lete or rm command NOTE The delete or rm command deletes all files in a file system unless you explicitly specify the files you want to delete NOTE The software does not support an undelete option for the flash memory file system When deleting a file from flash memory make sure you really want to delete the file The software attempts to delete the file in the file system that has the current manag...

Page 123: ...out switching the management focus refer to Switching the management focus on page 43 For example to undelete a file on the flash card in slot 2 if flash memory has the current management focus enter a command such as the following BigIron RX cd slot2 BigIron RX undelete Undelete file RIMARY enter y or n y Input one character P File recovered successfully and named to PRIMARY For each file that ca...

Page 124: ...t currently has the management focus specify the subdirectory path in front of the file name The dest dir path dest file name parameter specifies the file to which you are appending the other file If the file is not located in the current subdirectory specify the subdirectory path in front of the file name For example to append a file in the root directory of slot 1 to another file in a subdirecto...

Page 125: ...py slot1 flash nmpr02200 bin primary Syntax copy slot1 slot2 flash from dir path from name monitor primary secondary To copy a file from flash memory to a flash card enter a command such as the following BigIron RX copy flash slot2 nmpr02200 bin primary Syntax copy flash slot1 slot2 source name monitor primary secondary startup config dest name The command in this example copies a RX Series IronWa...

Page 126: ...ules enter a command such as the following BigIron RX copy flash lp nlb02200 bin monitor all Syntax copy flash lp source file monitor primary secondary slot number all For example to copy a file called test cfg from the management module to the interface module in chassis slot 1 enter a command such as the following BigIron RX copy flash lp test cfg lptest cfg 1 Syntax copy flash lp source file de...

Page 127: ...om a flash card To copy a startup config file from a flash card to flash memory enter a command such as the following BigIron RX copy slot1 startup config test2 cfg Syntax copy slot1 slot2 startup config from dir path file name This command copies a startup configuration named test2 cfg from the flash card in slot 1 into the device s flash memory The next time you reboot or reload the device it us...

Page 128: ...the device s running configuration into a file on a TFTP server enter a command such as the following BigIron RX copy running config tftp 10 10 10 1 runip 1 Loading a running config from a flash card or a TFTP server Use the following method to load configuration commands into the BigIron RX Series Switch s active configuration NOTE A configuration file that you create must follow the same syntax ...

Page 129: ...RX cp new cfg slot2 cfg new cfg Syntax cp source dir path source file name dest dir path dest file name The source dir path parameter specifies the directory pathname of the source file Specify this parameter if the source file is in a file system that does not have current management focus The source file name specifies the name of the file you want to copy The dest dir path parameter specifies t...

Page 130: ... card slot The file name parameter specifies the file name If the file is in a subdirectory specify the subdirectory path in front of the file name If the file name you specify is not a full path name the CLI assumes that the name and path if applicable you enter are relative to the subdirectory that currently has the management focus NOTE This command also is supported at the boot PROM For exampl...

Page 131: ...nd depends on whether you enter the command at the Privileged EXEC level or the global CONFIG level If you enter multiple boot system commands at the global CONFIG level the software places them in the running config in the order you enter them and saves them to the startup config in the same order when you save the configuration When you reload or power cycle the device the device tries the boot ...

Page 132: ...to file management commands TABLE 32 Flash card file management messages This message Means File not found You specified a file name that the software could not find Verify the command you entered to make sure the command matches the source and destination you intended for the file operation Current directory is dir path You have successfully changed the management focus to the slot and subdirecto...

Page 133: ...t for login authentication Also multiple challenges are supported for TACACS login authentication The following table lists the management access methods available on the device how they are secured by default and the ways in which they can be secured TABLE 33 Ways to secure management access to the device Access method How the access method is secured by default Ways to secure the access method S...

Page 134: ... 67 Establish passwords for privilege levels of the CLI page 72 Set up local user accounts page 75 Configure TACACS TACACS security page 80 Configure RADIUS security page 96 Web management access SNMP read or read write community strings Regulate Web management access using ACLs page 65 Allow Web management access only from specific IP addresses page 67 Allow Web management access only to clients ...

Page 135: ...p SSH access group web access group and SNMP community strings Each of these configuration items accepts an ACL as a parameter The ACL contains entries that identify the IP addresses that can use the access method The following sections present examples of how to secure management access using ACLs See the asdf chapter for more information on configuring ACLs SNMP IronView Network Manager access S...

Page 136: ...ig access list 10 permit host 209 157 22 32 BigIron RX config access list 10 permit 209 157 23 0 0 0 0 255 BigIron RX config access list 10 permit 209 157 24 0 0 0 0 255 BigIron RX config access list 10 permit 209 157 25 0 24 BigIron RX config telnet access group 10 BigIron RX config write memory The ACL in the example permits Telnet access only to the IP addresses in the permit entries and denies...

Page 137: ...t from the syntax for controlling Telnet SSH and Web management access using ACLs The commands configure ACLs 25 and 30 then apply the ACLs to community strings ACL 25 is used to control read only access using the public community string ACL 30 is used to control read write access using the private community string Syntax snmp server community string ro rw standard acl name standard acl id The str...

Page 138: ...fig vlan 3 exit BigIron RX config interface ve 3 BigIron RX config ve 1 ip address 10 10 11 1 255 255 255 0 BigIron RX config ve 1 exit BigIron RX config access list 10 permit host 10 10 11 254 BigIron RX config access list 10 permit host 192 168 2 254 BigIron RX config access list 10 permit host 192 168 12 254 BigIron RX config access list 10 permit host 192 64 22 254 BigIron RX config access lis...

Page 139: ...er the following command BigIron RX config ip ssh client 209 157 22 39 Syntax no ip ssh client ip addr Restricting Web Management access to a specific IP address To allow Web Management access to the device only to the host with IP address 209 157 22 26 enter the following command BigIron RX config web client 209 157 22 26 Syntax no web client ip addr Restricting SNMP access to a specific IP addre...

Page 140: ...agement access SNMP access TFTP access By default access is allowed for all the methods listed above on all ports Once you configure security for a given access method based on VLAN ID access to the device using that method is restricted to only the ports within the specified VLAN VLAN based access control works in conjunction with other access control methods For example suppose you configure an ...

Page 141: ... within port based VLAN 40 Clients connected to ports that are not in VLAN 40 are denied access Syntax no snmp server enable vlan vlan id Restricting TFTP access to a specific VLAN To allow TFTP access only to clients in a specific VLAN enter a command such as the following BigIron RX config tftp client enable vlan 40 The command in this example configures the device to allow TFTP access only to c...

Page 142: ...er can contact the device but the device will not reply once the change takes place To disable the Web management interface enter the following command BigIron RX config no web management To re enable the Web management interface enter the following command BigIron RX config web management Syntax no web management Disabling Web management access by HP ProCurve Manager By default TCP ports 80 is en...

Page 143: ...f a user name and password and assign each user account a management privilege level Refer to Setting up local user accounts on page 75 Setting a Telnet password By default the device does not require a user name or password when you log in to the CLI using Telnet To set the password letmein for Telnet access to the CLI enter the following command at the global CONFIG level BigIron RX config enabl...

Page 144: ...ure user accounts in addition to privilege level passwords the device will validate a user s access attempt using one or both methods local user account or privilege level password depending on the order you specify in the authentication method lists Refer to Configuring authentication method lists on page 109 Follow the steps to set passwords for management privilege levels 1 At the opening CLI p...

Page 145: ...config privilege configure level 4 ip In this command configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI The level 4 parameter indicates that the enhanced access is for management privilege level 4 Port Configuration All users with Port Configuration privileges will have the enhanced access The ip parameter indicates that the enhanced access is for ...

Page 146: ...ord at the prompt You cannot abbreviate this command This command will cause the device to bypass the system password check 5 Enter boot system flash primary at the prompt 6 After the console prompt reappears assign a new password Displaying the SNMP community string If you want to display the SNMP community string enter the following commands BigIron RX config enable password display BigIron RX c...

Page 147: ...s to the device than do management privilege level passwords and SNMP community strings of SNMP versions 1 and 2 You can continue to use the privilege level passwords and the SNMP community strings as additional means of access authentication Alternatively you can choose not to use local user accounts and instead continue to use only the privilege level passwords and SNMP community strings Local u...

Page 148: ...eis This command adds a user account for user name waldo password whereis with the Read Only privilege level Waldo can look for information but cannot make configuration changes Syntax no username user string privilege privilege level password nopassword password string Enter up to 255 characters for user string The privilege parameter specifies the privilege level for the account You can specify ...

Page 149: ...e user passwords BigIron config username wonka password willy This command changes wonka s user name password to willy Syntax no username user string password password string Enter up to 255 characters for user string The password string parameter is the user password The password can be up to 255 characters and must differ from the current password and two previously configured passwords Using th...

Page 150: ...history parameter Configuring SSL security for the Web Management Interface When enabled the SSL protocol uses digital certificates and public private key pairs to establish a secure connection to the device Digital certificates serve to prove the identity of a connecting client and public private key pairs provide a means to encrypt data sent between the device and the client Configuring SSL for ...

Page 151: ...ort an RSA certificate and private key file from a client you can use TFTP to transfer the files For example to import a digital certificate using TFTP enter a command such as the following BigIron RX config ip ssl certificate data file tftp 192 168 9 210 certfile Syntax no ip ssl certificate data file tftp ip addr certificate filename NOTE If you import a digital certificate from a client it can ...

Page 152: ... authentication authorization and accounting AAA and by encrypting all traffic between the device and the TACACS server TACACS allows for arbitrary length and content authentication exchanges which allow any authentication mechanism to be utilized with the device TACACS is extensible to provide for site customization and future development features The protocol allows the device to request very pr...

Page 153: ...password 3 The user enters a username and password 4 The device sends a request containing the username and password to the TACACS server 5 The username and password are validated in the TACACS server s database 6 If the password is valid the user is authenticated TACACS authentication When TACACS authentication takes place the following events occur 1 A user attempts to gain access to the device ...

Page 154: ...uthorization 3 If the command belongs to a privilege level that requires authorization the device consults the TACACS server to see if the user is authorized to use the command 4 If the user is authorized to use the command the command is executed TACACS accounting TACACS accounting works as follows 1 One of the following events occur on the device A user logs into the management interface using T...

Page 155: ...ccounting system default start stop method list User logs into the Web Management Interface Web authentication aaa authentication web server default method list Exec authorization TACACS aaa authorization exec default tacacs User logs out of Telnet SSH session Command accounting TACACS aaa accounting commands privilege level default start stop method list EXEC accounting stop TACACS aaa accounting...

Page 156: ...em to the device s configuration You can select only one primary authentication method for each type of access to a device CLI through Telnet CLI Privileged EXEC and CONFIG levels For example you can select TACACS as the primary authentication method for Telnet CLI access but you cannot also select RADIUS authentication as a primary method for the same type of access However you can configure back...

Page 157: ...icate access to a device you must identify the servers to the device For example to identify three TACACS TACACS servers enter commands such as the following BigIron RX config tacacs server host 207 94 6 161 BigIron RX config tacacs server host 207 94 6 191 BigIron RX config tacacs server host 207 94 6 122 Syntax tacacs server host ip addr hostname auth port number The ip addr hostname parameter s...

Page 158: ...cannot perform the requested function then the next server in the configured list of servers is tried this process repeats until a server that can perform the requested function is found or every server in the configured list has been tried Setting optional TACACS TACACS parameters You can set the following optional parameters in a TACACS TACACS configuration TACACS key This parameter specifies th...

Page 159: ...ron RX config write terminal tacacs server host 1 2 3 5 auth port 49 tacacs key 1 2d NOTE Encryption of the TACACS keys is done by default The 0 parameter disables encryption The 1 parameter is not required it is provided for backwards compatibility Setting the retransmission limit The retransmit parameter specifies how many times the device will resend an authentication request when the TACACS TA...

Page 160: ...must create a separate authentication method list for Telnet SSH CLI access and for access to the Privileged EXEC level and CONFIG levels of the CLI To create an authentication method list that specifies TACACS TACACS as the primary authentication method for securing Telnet SSH access to the CLI BigIron RX config enable telnet authentication BigIron RX config aaa authentication login default tacac...

Page 161: ...CONFIG levels of the CLI BigIron RX config aaa authentication enable implicit user Syntax no aaa authentication enable implicit user Telnet SSH prompts when the TACACS server is unavailable When TACACS is the first method in the authentication method list the device displays the login prompt received from the TACACS server If a user attempts to login through Telnet or SSH but none of the configure...

Page 162: ...tication enable default tacacs command or the aaa authentication login privilege mode command must also exist in the configuration Configuring an Attribute Value pair on the TACACS server During TACACS exec authorization the Brocade device expects the TACACS server to send a response containing an A V Attribute Value pair that specifies the privilege level of the user When the device receives the ...

Page 163: ...g the user full read write access In a configuration that has both a foundry privlvl A V pair and a non foundry privlvl A V pair for the Exec service the non foundry privlvl A V pair is ignored Example user bob default service permit member admin Global password global cleartext cat service exec foundry privlvl 4 privlvl 15 In this example the user would be granted a privilege level of 4 port conf...

Page 164: ...t or SSH sessions or from the console No authorization is performed for commands entered at the Web Management Interface or IronView Network Manager TACACS command authorization is not performed for the following commands At all levels exit logout end and quit At the Privileged EXEC level enable or enable text where text is the password configured for the Super User privilege level If configured c...

Page 165: ...ounting Stop packet is sent when the service provided by the command is completed NOTE If authorization is enabled and the command requires authorization then authorization is performed before accounting takes place If authorization fails for the command no accounting takes place Syntax aaa accounting commands privilege level default start stop radius tacacs none The privilege level parameter can ...

Page 166: ...urce IP address of the loopback interface The software contains separate CLI commands for specifying the source interface for Telnet TACACS TACACS and RADIUS packets You can configure a source interface for one or more of these types of packets To specify an Ethernet loopback or virtual interface as the source for all TACACS TACACS packets from the device use the following CLI method The software ...

Page 167: ...acacs server timeout command Tacacs dead time The setting configured with the tacacs server dead time command Tacacs Server For each TACACS TACACS server the IP address port and the following statistics are displayed opensNumber of times the port was opened for communication with the server closesNumber of times the port was closed normally timeoutsNumber of times port was closed due to a timeout ...

Page 168: ...h causes the device to log information on a RADIUS accounting server when specified events occur on the device NOTE By default a user logging into the device through Telnet or SSH first enters the User EXEC level The user can then enter the enable command to get to the Privileged EXEC level A user that is successfully authenticated can be automatically placed at the Privileged EXEC level after log...

Page 169: ...evice looks at its configuration to see if the command is at a privilege level that requires RADIUS command authorization 3 If the command belongs to a privilege level that requires authorization the device looks at the list of commands delivered to it in the RADIUS Access Accept packet when the user was authenticated Along with the command list an attribute was sent that specifies whether the use...

Page 170: ... Login authentication aaa authentication login default method list EXEC accounting Start aaa accounting exec default start stop method list System accounting Start aaa accounting system default start stop method list User logs into the Web management interface Web authentication aaa authentication web server default method list User logs out of Telnet SSH session Command authorization for logout c...

Page 171: ...igure RADIUS You must deploy at least one RADIUS server in your network The device supports authentication using up to eight RADIUS servers The device tries to use the servers in the order you add them to the device s configuration If one RADIUS server is not responding the Brocade device tries the next one in the list You can select only one primary authentication method for each type of access t...

Page 172: ...commands Whether the user is allowed or denied usage of the commands in the list You must add these three Brocade vendor specific attributes to your RADIUS server s configuration and configure the attributes in the individual or group profiles of the users that will access the device Brocade s Vendor ID is 1991 with Vendor Type 1 The following table describes the Brocade vendor specific attributes...

Page 173: ...auth port parameter is the Authentication port number it is an optional parameter The default is 1812 The acct port parameter is the Accounting port number it is an optional parameter The default is 1813 foundry command string 2 string Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured The commands are delimited by semi colons You can ...

Page 174: ...this process repeats until a server that can perform the requested function is found or every server in the configured list has been tried Setting RADIUS parameters You can set the following parameters in a RADIUS configuration RADIUS key This parameter specifies the value that the device sends to the RADIUS server when trying to authenticate user access Retransmit interval This parameter specifie...

Page 175: ...o the next authentication method in the authentication method list The timeout can be from 1 15 seconds The default is 3 seconds BigIron RX config radius server timeout 5 Syntax radius server timeout number Configuring authentication method lists for RADIUS You can use RADIUS to authenticate Telnet SSH access and access to Privileged EXEC level and CONFIG levels of the CLI When configuring RADIUS ...

Page 176: ...through Telnet or SSH You can configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login To do this use the following command BigIron RX config aaa authentication login privilege mode Syntax aaa authentication login privilege mode The user s privilege level is based on the privilege level granted during login Configuring Enable authentication to prompt for password...

Page 177: ...vilege level attribute is ignored and the user is granted Super User access For the aaa authorization exec default radius command to work either the aaa authentication enable default radius command or the aaa authentication login privilege mode command must also exist in the configuration Configuring command authorization When RADIUS command authorization is enabled the device consults the list of...

Page 178: ...onsole NOTE This happens because RADIUS command authorization requires a list of allowable commands from the RADIUS server This list is obtained during RADIUS authentication For console sessions RADIUS authentication is performed only if you have configured Enable authentication and specified RADIUS as the authentication method for example with the aaa authentication enable default radius command ...

Page 179: ...tem events You can configure RADIUS accounting to record when system events occur on the device System events include rebooting and when changes to the active configuration are made The following command causes an Accounting Start packet to be sent to the RADIUS accounting server when a system event occurs and a Accounting Stop packet to be sent when the system event is completed BigIron RX config...

Page 180: ...figure virtual interface 1 assign IP address 10 0 0 3 24 to the interface then designate the interface as the source for all RADIUS packets from the device Syntax ip radius source interface ethernet portnum loopback num ve num The num parameter is a loopback interface or virtual interface number If you specify an Ethernet port the portnum is the port s number including the slot number if you are c...

Page 181: ...Field Description Radius key The setting configured with the radius server key command At the Super User privilege level the actual text of the key is displayed At the other privilege levels a string of periods is displayed instead of the text Radius retries The setting configured with the radius server retransmit command Radius timeout The setting configured with the radius server timeout command...

Page 182: ...er is denied access The software will continue this process until either the authentication method is passed or the software reaches the end of the method list If the Super User level password is not rejected after all the access methods in the list have been tried access is granted NOTE If a user cannot be authenticated using local authentication then the next method on the authentication methods...

Page 183: ...words first To configure an authentication method list for the Web Management Interface enter a command such as the following BigIron RX config aaa authentication web server default local This command configures the device to use the local user accounts to authenticate access to the device through the Web Management Interface If the device does not have a user account that matches the user name an...

Page 184: ...eter column in Table 38 TABLE 38 Authentication method values Method parameter Description line Authenticate using the password you configured for Telnet access The Telnet password is configured using the enable telnet password command Refer to Setting a Telnet password on page 71 enable Authenticate using the password you configured for the Super User privilege level This password is configured u...

Page 185: ...fying system parameter default settings 127 Enabling or disabling Layer 2 switching 129 CAM partitioning for the BigIron RX 130 Changing the MAC age time 132 Configuring static ARP entries 132 This chapter describes how to configure basic system parameters The device is configured with default parameters to allow you to begin using the basic features of the system immediately However many advanced...

Page 186: ...me string Syntax snmp server contact string Syntax snmp server location string The name contact and location each can be up to 32 alphanumeric characters The text strings can contain blanks The SNMP text strings do not require quotation marks when they contain blanks but the host name does NOTE The chassis name command does not change the CLI prompt Instead the command assigns an administrative ID...

Page 187: ...ther you want the software to encrypt the string 1 or show the string in the clear 0 The default is 0 The string parameter specifies an SNMP community string configured on the device It can be a read only string or a read write string It is not used to authenticate access to the trap host but it is a useful method for filtering traps on the host For example if you configure each of your device dev...

Page 188: ...e device Regardless of the port the device uses to send traps to the receiver the traps always arrive from the same source IP address Setting the SNMP Trap holddown time When a device starts up the software waits for Layer 2 convergence STP and Layer 3 convergence OSPF before beginning to send SNMP traps to external SNMP servers Until convergence occurs the device might not be able to reach the se...

Page 189: ...e device sends Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI The feature enabled by default applies to users whose access is authenticated by an authentication method list based on a local user account RADIUS server or TACACS TACACS server NOTE The Privileged EXEC level is sometimes called the Enable level because the command for a...

Page 190: ...nabled by default To disable logging of CLI access enter the following commands BigIron RX config no logging enable user login BigIron RX config write memory BigIron RX config end BigIron RX reload Syntax no logging enable user login Refer to the MIB Guide for a list of traps Configuring an interface as the source for all Telnet packets You can designate the lowest numbered IP address configured a...

Page 191: ...figure loopback interface 2 assign IP address 10 0 0 2 24 to it then designate it as the source for all Telnet packets from the device Syntax ip telnet source interface ethernet portnum loopback num ve num The following commands configure an IP interface on an Ethernet port and designate the address port as the source for all Telnet packets from the device BigIron RX config interface ethernet 1 4 ...

Page 192: ...tware uses the lowest numbered IP or IPv6 address configured on the interface as the source IP address for the packets For example to specify the lowest numbered IP address configured on a virtual interface as the device s source for all Syslog packets enter commands such as the following BigIron RX config int ve 1 BigIron RX config vif 1 ip address 10 0 0 4 24 BigIron RX config vif 1 exit BigIron...

Page 193: ...t the device polls its SNTP server every 30 minutes 1800 seconds To configure the device to poll for clock updates from a SNTP server every 15 minutes enter the following BigIron RX config sntp poll interval 900 Syntax no sntp poll interval 1 65535 To display information about SNTP associations enter the following command Syntax show sntp associations The following table describes the information ...

Page 194: ...P refer to Specifying a Simple Network Time Protocol SNTP server on page 121 To set the system time and date to 10 15 05 on October 15 2005 enter the following command BigIron RX clock set 10 15 05 10 15 05 Syntax no clock set hh mm ss mm dd yy mm dd yyyy TABLE 40 Output from the show sntp status command This field Indicates unsynchronized System is not synchronized to an NTP peer synchronized Sys...

Page 195: ...diana Eastern Hawaii Michigan Mountain Pacific Samoa The default is US Pacific Beginning with the Multi Service IronWare 02 8 01 release you can now set the system time clock for countries like India that fall in the hour time zone Only the following zones have been added GMT 11 30 GMT 10 30 GMT 09 30 GMT 06 30 GMT 05 30 GMT 04 30 GMT 03 30 GMT 03 30 GMT 08 30 GMT 09 30 To change the time zone to ...

Page 196: ...ssage on users terminals when they enter the Privileged EXEC CLI level or access the device through Telnet In addition a device can display a message on the Console when an incoming Telnet CLI session is detected Setting a message of the day banner You can configure the device to display a message on a user s terminal when he or she establishes a Telnet CLI session For example to display the messa...

Page 197: ...ntering Privileged EXEC level Don t foul anything up As with the banner motd command you begin and end the message with a delimiting character in this example the delimiting character is pound sign To remove the banner enter the no banner exec_mode command Syntax no banner exec_mode delimiting character Displaying a message on the console when an incoming Telnet session is detected You can configu...

Page 198: ...rminal length number of lines The number of lines parameter indicates the maximum number of lines that will be displayed on a full screen of text during the current session If the displayed information requires more than one page the terminal pauses Pressing the space bar displays the next page The default for number of lines is 24 Entering a value of 0 prevents the terminal from pausing between m...

Page 199: ...gIron RX reload Syntax router bgp dvmrp ospf pim rip vrrp vrrpe Displaying and modifying system parameter default settings The device has default table sizes for the following parameters The table sizes determine the maximum number of entries the tables can hold You can adjust individual table sizes to accommodate your configuration needs MAC address entries Layer 2 Port VLANs supported on a syste...

Page 200: ...metric 10 bgp local as 1 bgp cluster id 0 bgp ext distance 20 bgp int distance 200 bgp local distance 200 when IS IS enabled isis hello interval 10 sec isis hello multiplier 3 isis port metric 10 isis priority 64 isis csnp interval 10 sec isis default metric 10 isis distance 115 isis lsp gen interval 10 sec isis lsp interval 33 msec isis lsp refresh interval 900 sec isis max lsp lifetime 1200 sec ...

Page 201: ...bnet addresses per port and can be from 1 64 The default is 24 Syntax system max subnet per system num The num parameter specifies the maximum number of subnet addresses for the entire device and can be from 1 512 The default is 256 To increase the size of the IP route table for static routes enter the following command BigIron RX config system max ip static route 8192 Syntax system max ip static ...

Page 202: ...ng enter the command with no BigIron RX config if e10000 3 2 no route only CAM partitioning for the BigIron RX In releases prior to 02 3 00 CAM partitioning was not configurable Starting in BigIron RX software release 02 3 00 you can specify the percentage of CAM assigned to each of the CAM entry types globally CAM Partitioning is not required on the device The default CAM allocations are describe...

Page 203: ...next hop Entries for directly connected hosts are also present in the nexthop table The nexthop table has 4096 entries per line card by default This table is divided into four partitions First partition contains next hop entries for routes with one routing path This included directly connected host entries Second partition contains next hop entries for routes with two or less equal cost paths Allo...

Page 204: ...ne cards are partitioned according to the parameters in above command Syntax cam partition next hop number Use the number parameter to specify the number of entries for the nexthop Use the no cam partitioning next hop command to return to the default partitioning Changing the MAC age time The MAC age time sets the aging period for ports on the device defining how long how many seconds a port addre...

Page 205: ...To modify Layer 2 Layer 3 or Layer 4 features on a port refer to the appropriate section in this chapter or other chapters For example to modify Spanning Tree Protocol STP parameters for a port refer to Changing STP port parameters on page 322 To configure trunk groups or dynamic link aggregation refer to Chapter 8 Link Aggregation All device ports are pre configured with default values that allow...

Page 206: ...ach of the 10 100 1000BaseTX ports is designed to auto sense and auto negotiate the speed and mode of the connected device If the attached device does not support this operation you can manually enter the port speed You can configure a port to accept either full duplex bi directional or half duplex uni directional traffic Port duplex mode and port speed are modified by the same command The master ...

Page 207: ...the port BigIron RX config interface ethernet 1 5 BigIron RX config if e10000 1 5 speed duplex 1000 master The following example configures the interface to 1000 Mbps and designate it as the slave port BigIron RX config interface ethernet 2 4 BigIron RX config if e10000 2 4 speed duplex 1000 slave Syntax no speed duplex auto 1000 master 1000 slave 1000 full 100 full 100 half 10 full 10 half auto A...

Page 208: ...change capability information This is the default state neg off The port does not try to perform a negotiation with its peer port Unless the ports at both ends of a Gigabit Ethernet link use the same mode either auto gig or neg off the ports cannot establish a link An administrator must intervene to manually configure one or both sides of the link to enable the ports to establish the link Changing...

Page 209: ...lds are to take effect NOTE To use this feature 802 3x flow control must be enabled globally on the device By default 802 3x flow control is enabled on the device but can be disabled with the no flow control command To specify threshold values for flow control enter the following command BigIron RX config qd flow sink 75 sunk 50 slot 1 Syntax qd flow sink sinking threshold sunk sunk threshold slot...

Page 210: ...PF is delayed according to how the delay link event is configured This command affects the physical link events However the resulting logical link events are also delayed This is a per interface command For example if VSRP is enabled on the port the ownership would not change until the port status has remained up or down for the configured amount of time to ensure that minor transient states of a ...

Page 211: ...2 BigIron RX config if e100 2 link error disable 10 3 10 Syntax no link error disable toggle threshold sampling time in sec wait time in sec The toggle threshold is the number of times a port s link state goes from up to down and down to up before the wait period is activated The default is 0 Enter a value from 1 50 NOTE Brocade does not advise setting the toggle threshold to a value lower than 2 ...

Page 212: ...o monitor By attaching a protocol analyzer to the mirror port you can observe the traffic on the monitored ports Monitoring traffic on a port is a two step process Enable a port to act as the mirror port This is the port to which you connect your protocol analyzer Enable monitoring on the ports you want to monitor You can monitor input traffic output traffic or both On a 4 X 10G module any port ca...

Page 213: ...nfig mirror port ethernet 1 1 BigIron RX config mirror port ethernet 1 2 BigIron RX config mirror port ethernet 2 1 BigIron RX config interface ethernet 3 1 BigIron RX config if e10000 3 1 monitor ethernet 1 1 both BigIron RX config if e10000 3 1 monitor ethernet 2 1 in BigIron RX config if e10000 3 1 interface ethernet 4 13 BigIron RX config if e10000 4 1 monitor ethernet 1 2 both This example co...

Page 214: ...enter commands such as the following BigIron RX config mirror ethernet 2 1 BigIron RX config trunk switch ethernet 4 1 to 4 8 BigIron RX config trunk 4 1 4 8 config trunk ind BigIron RX config trunk 4 1 4 8 monitor ethe port monitored 4 5 ethernet 2 1 in Syntax no config trunk ind Syntax no monitor ethe port monitored portnum named port monitored portname ethernet slot portnum in out both The conf...

Page 215: ...or PBR traffic outgoing packets that match the permit Access Control List ACL clause in the route map are copied to the mirror ports that you specify You can specify up to four mirror ports for each PBR route map instance For example to capture all traffic forwarded to an SSL port and mirror it to port 5 enter commands such as the following BigIron RX config route map ssl pbr map permit 1 BigIron ...

Page 216: ...LI Syntax show monitor actual This output displays the input traffic mirrored to mirror port 1 2 from port 3 1 and mirrored to mirror port 1 1 from port 4 1 which are not explicitly configured Enabling WAN PHY mode support A 10 Gigabit Ethernet port can be configured to use SONET SDH framing for Layer 1 transport across a WAN transport backbone by configuring the port in WAN PHY mode The default i...

Page 217: ...cket parameters 171 Changing the router ID 174 Specifying a single source interface for Telnet TACACS TACACS or RADIUS packets 175 Configuring an interface as the source for Syslog packets 177 Configuring ARP parameters 179 Configuring forwarding parameters 186 Displaying IP information 213 Overview of configuring IP The Internet Protocol IP is enabled by default This chapter describes how to conf...

Page 218: ...or forwards it to a port based on the route map rules 3 If the incoming packet does not match PBR rules the device looks in the hardware IP routing table to perform IP routing The hardware routing table is pre loaded with the complete routing table except for the directly connected host entries Default and statically defined routes are also pre loaded in the hardware routing table If the incoming ...

Page 219: ... of the device using proxy ARP The ARP cache can contain dynamic learned entries and static user configured entries The software places a dynamic entry in the ARP cache when the device learns a device s MAC address from an ARP request or ARP reply from the device The software can learn an entry when the device receives an ARP request from another IP forwarding device or an ARP reply Here is an exa...

Page 220: ...nistrative distance The administrative distance is a protocol independent value from 1 255 When the software receives two or more best paths from the same source and the paths have the same metric cost the software can load share traffic among the paths based on Layer 2 Layer 3 and TCP UDP information Here is an example of an entry in the IP route table Each IP route table entry contains the desti...

Page 221: ...f as shown here then next hop information indicates this The port through which the destination is reached is also listed as well as the VLAN and Layer 4 QoS priority associated with the destination if applicable To display the IP forwarding cache refer to Displaying the forwarding cache on page 219 Basic IP parameters and defaults IP is enabled by default The following protocols are disabled by d...

Page 222: ... IP Maximum Transmission Unit MTU The maximum length an Ethernet packet can be without being fragmented 1500 bytes for Ethernet II encapsulation 1492 bytes for SNAP encapsulation page 173 Address Resolution Protocol ARP A standard IP mechanism that routers use to learn the Media Access Control MAC address of a device on the network The router sends the IP address of a device in the ARP request and...

Page 223: ...ice can send the following types of ICMP messages Echo messages ping messages Destination Unreachable messages Redirect messages NOTE You also can enable or disable ICMP Redirect messages on an individual interface basis Refer to Table 42 on page 152 Enabled page 188 page 190 ICMP Router Discovery Protocol IRDP An IP protocol a router can use to advertise the IP addresses of its router interfaces ...

Page 224: ...tination and also does not contain an explicit default route 0 0 0 0 0 0 0 0 or 0 0 0 0 0 None configured page 200 Static route An IP route you place in the IP route table No entries page 191 Source interface The IP address the router uses as the source address for Telnet RADIUS or TACACS TACACS packets originated by the router The router can select the source address based on either of the follow...

Page 225: ...ault and specify the IP address to use for the Gateway field in the packets NOTE UDP broadcast forwarding for client DHCP BootP requests bootpc must be enabled and you must configure an IP helper address the server s IP address or a directed broadcast to the server s subnet on the port connected to the client The lowest numbered IP address on the interface that receives the request page 212 UDP br...

Page 226: ...et masks and so on and Classless Interdomain Routing CIDR network prefix masks To enter a classical network mask enter the mask in IP address format For example enter 209 157 22 99 255 255 255 0 for an IP address with a Class C subnet mask To enter a prefix network mask enter a forward slash and the number of bits in the mask immediately after the IP address For example enter 209 157 22 99 24 for ...

Page 227: ...opback interface Loopback interfaces are always up regardless of the states of physical interfaces They can add stability to the network because they are not subject to route flap problems that can occur due to unstable links between a device and other devices You can configure up to eight loopback interfaces on a device You can add up to 24 IP addresses to each loopback interface NOTE If you conf...

Page 228: ...splay the maximum number of virtual interfaces supported on the device enter the show default values command The maximum is listed in the System Parameters section in the Current column of the virtual interface row For the syntax of the IP address refer to Assigning an IP address to an Ethernet port on page 154 Deleting an IP address To delete an IP address enter a command such as the following Bi...

Page 229: ... If set to 1 means that the Checksum optional and Reserved optional fields are present and the Checksum optional field contains valid information Reserved0 Bits 6 0 of the field are reserved for future use and must be set to zero in transmitted packets If bits 11 7 of the field are non zero then a receiver must discard the packet unless RFC 1701 is implemented This field is assumed to be zero in t...

Page 230: ...ine rate GRE encapsulation and de encapsulation performance Configuring a tunnel interface To configure a tunnel interface use a the following command BigIron RX config interface tunnel 1 BigIron RX config tnif 1 Syntax interface tunnel tunnel number The tunnel number variable is numerical value that identifies the tunnel being configured Configuring a source address for a tunnel interface To conf...

Page 231: ... ports do not require a cable To configure a loopback port for a specified tunnel interface enter the following commands BigIron RX config interface tunnel 1 BigIron RX config tnif 1 tunnel loopback 3 1 Syntax tunnel loopback port number The port number variable is the port number assigned to be the loopback port for the specified tunnel interface A loopback port is required to perform termination...

Page 232: ... tnif 1 tunnel source 36 0 8 108 BigIron RX config tnif 1 tunnel destination 131 108 5 2 BigIron RX config tnif 1 tunnel mode gre ip BigIron RX config tnif 1 ip address 10 10 3 1 24 BigIron RX config tnif 1 exit BigIron RX config ip route 131 108 5 0 24 36 0 8 1 BigIron RX config ip route 10 10 2 0 24 tunnel 1 Configuration example for BigIron RX B BigIron RX config interface ethernet 5 1 BigIron ...

Page 233: ...tunnel 1 0 0 D The show interface tunnel command displays the status and configuration information for a tunnel interface as shown in the following BigIron RX show interface tunnel 1 Tunnel1 is up line protocol is up Hardware is Tunnel Tunnel source 63 148 1 2 Tunnel destination is 110 110 2 12 TABLE 43 CLI display of interface IP configuration information This field Displays Interface The tunnel ...

Page 234: ...he router at each end of the tunnel run both IPv4 and IPv6 protocol stacks The routers running both protocol stacks or dual stack routers can interoperate directly with both IPv4 and IPv6 end systems and routers Configuring a manual IPv6 tunnel You can use a manually configured tunnel to connect two isolated IPv6 domains You should deploy this point to point tunnel mechanism if you need a permanen...

Page 235: ... parameter specify a value between 1 32 Syntax ipv6 address ipv6 prefix prefix length eui 64 You must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and keyword configures the global or site local address with an EUI 64 in...

Page 236: ...information for tunnel interface 1 enter the following command at any level of the CLI Syntax show interfaces tunnel number The number parameter indicates the tunnel interface number for which you want to display information TABLE 44 IPv6 tunnel information This field Displays Tunnel The tunnel interface number Mode The tunnel mode Possible modes include the following configured Indicates a manual...

Page 237: ... ManualTunnel1 tunnel mode ipv6ip tunnel source loopback 1 tunnel destination 2 1 1 1 TABLE 45 IPv6 tunnel interface information This field Displays Tunnel interface status The status of the tunnel interface can be one of the following up The tunnel interface is functioning properly down The tunnel interface is not functioning and is down Line protocol status The status of the line protocol can be...

Page 238: ...imes This process continues for each defined gateway address until the query is resolved The order in which the default gateway addresses are polled is the same as the order in which you enter them Suppose you want to define the domain name of newyork com on a device and then define four possible default DNS gateway addresses To do so enter the following commands BigIron RX config ip dns domain na...

Page 239: ...ant to find out what host name it resolves to enter the following command BigIron RX ip domain lookup 66 151 144 5 Host Flag TTL min Type Address border2 pc0 0 bbnet1 sje pnap net TMP OK 720 IP 66 151 144 5 You can also enter the following BigIron RX ip domain lookup border2 Host Flag TTL min Type Address border2 pc0 0 bbnet1 sje pnap net TMP OK 720 IP 66 151 144 5 Syntax ip domain loopkup ip addr...

Page 240: ...e DNS cache table enter the following command BigIron RX clear ip dns cache table To clear a specific entry in DNS cache table enter the following command BigIron RX clear ip dns cache table www foundrynet com OR BigIron RX clear ip dns cache table 63 236 63 244 Syntax clear ip dns cache table ip address host name host name Complete qualified name For example enter www company com or host company ...

Page 241: ...x ip dns poll interval minutes Enter the polling interval in minutes The default is 1 minutes Displaying the polling interval To display the current polling interval configured for the device enter the following command BigIron RX config show ip dns poll time interval Current DNS polling interval is 7 minutes Syntax show ip dns poll time interval TABLE 46 The show ip dns cache table output This fi...

Page 242: ...s debugging is on Syntax debug ip dns Using a DNS name to initiate a trace route Suppose you want to trace the route from a device to a remote server identified as NYC02 on domain newyork com FIGURE 9 Querying a host on the newyork com domain Because the newyork com domain is already defined on the device you need to enter only the host name NYC02 as noted below BigIron RX traceroute nyc02 Syntax ...

Page 243: ...efault IP MTU value depends on the encapsulation type on a port and is 1500 bytes for Ethernet II encapsulation and 1492 bytes for SNAP encapsulation Port IP MTU A port s default IP MTU depends on the encapsulation type enabled on the port Changing the encapsulation type The device encapsulates IP packets into Layer 2 packets to send the IP packets on the network A Layer 2 packet is also called a ...

Page 244: ...me size that applies to the device enter a command such as the following BigIron RX config default max frame size 2000 BigIron RX config write memory BigIron RX config reload Syntax default max frame size bytes Enter 64 9212 for bytes The default is 1518 bytes Setting a maximum frame size per interface When you set a maximum frame size on an interface that size applies to all ports in a PPCR Table...

Page 245: ... on a port that supports the frame s IP MTU size and forwarded to another port that also supports the frame s IP MTU size are forwarded in hardware Configuration considerations for Increasing the IP MTU Consider the following before configuring the maximum value to increase the IP MTU The maximum value of an IP MTU cannot exceed the configured maximum frame size minus 18 For example global IP MTU ...

Page 246: ... at the physical interface level takes precedence over the IP MTU configured at the global level for that physical interface To change the IP MTU for interface 1 5 to 1000 enter the following commands BigIron RX config int e 1 5 BigIron RX config if e10000 5 ip mtu 1000 Syntax no ip mtu bytes The bytes parameter specifies the IP MTU Ethernet II packets can hold IP packets from 572 1500 bytes long ...

Page 247: ...and at any CLI level To change the router ID enter a command such as the following BigIron RX config ip router id 209 157 22 26 Syntax ip router id ip addr The ip addr can be any valid unique IP address NOTE You can specify an IP address used for an interface but do not specify an IP address in use by another device Specifying a single source interface for Telnet TACACS TACACS or RADIUS packets Wh...

Page 248: ...enter commands such as the following BigIron RX config int loopback 2 BigIron RX config lbif 2 ip address 10 0 0 2 24 BigIron RX config lbif 2 exit BigIron RX config ip telnet source interface loopback 2 The commands configure loopback interface 2 assign IP address 10 0 0 2 24 to the interface then designate the interface as the source for all Telnet packets from the device Syntax ip telnet source...

Page 249: ...v6 address configured on the interface as the source IP address for the packets For example to specify the lowest numbered IP address configured on a virtual interface as the device s source for all Syslog packets enter commands such as the following BigIron RX config int ve 1 BigIron RX config vif 1 ip address 10 0 0 4 24 BigIron RX config vif 1 exit BigIron RX config ip syslog source interface v...

Page 250: ...processed enter a command such as the following BigIron RX config ip ip option process Syntax no ip ip option process IP receive access list The IP receive access list feature uses IPv4 ACLs to filter the packets intended for the management process to protect the management module from being overloaded with heavy traffic that was sent to one of the Layer 3 Switch IP interfaces The feature applies ...

Page 251: ...the packet s locally attached destination or the next hop router that leads to the destination For example to forward a packet whose destination is multiple router hops away the device must send the packet to the next hop router toward its destination or to a default route or default network route if the IP route table does not contain a route to the packet s destination In each case the device mu...

Page 252: ...age to the source Rate limiting ARP packets You can limit the number of ARP packets the device accepts during each second By default the software does not limit the number of ARP packets the device can receive Since the device sends ARP packets to the CPU for processing if a device in a busy network receives a high number of ARP packets in a short period of time some CPU processing might be deferr...

Page 253: ...RP packets immediately You can go to interface trunk mode to configure the ARP port rate limit When configured over trunk interface i e on the lead port the same limit will be configured on each and every port in the trunk ARP rate limiting is only supported on physical interfaces virtual interfaces ve are not supported Setting the rate limit to ARP packets on an interface You can limit the number...

Page 254: ...rp age num The num parameter specifies the number of minutes and can be from 0 240 The default is 10 If you specify 0 aging is disabled To override the globally configured IP ARP age on an individual interface enter a command such as the following at the interface configuration level BigIron RX config if e1000 1 1 ip arp age 30 Enabling proxy ARP Proxy ARP allows the device to answer ARP requests ...

Page 255: ...device that has the entry s address You can increase the number of configurable static ARP entries Refer to Changing the maximum number of entries the static ARP table can hold on page 184 To display the ARP cache and static ARP table see the following To display the ARP table refer to Displaying the ARP cache on page 217 To display the static ARP table refer to Displaying the static ARP table on ...

Page 256: ... ARP entries 2048 4096 default 2048 As of IronWare release 02 4 00 the maximum number of static ARP entries is 16384 default 2048 NOTE As of release 2 4 00 the system max static arp command no longer affects memory allocation for static ARPs Instead the BigIron RX dynamically allocates memory for static arp entries as required and this is only limited by the memory allocation for all ARP entries s...

Page 257: ... When ARP validation is disabled the static route will be installed without checking the validity of the next hop Enabling the next hop validate ARP timer The next hop validate ARP timer works only on the ARP entries created when the ARP validation check feature has been enabled The timer is used to age out the ARP entries when the next hop goes down All other ARP entries in the system which are N...

Page 258: ... the forwarding behavior of the device Time To Live TTL threshold Forwarding of directed broadcasts Forwarding of source routed packets Ones based and zero based broadcasts All these parameters are global and thus affect all IP interfaces configured on the device To configure these parameters use the procedures in the following sections Changing the TTL threshold The TTL threshold prevents routing...

Page 259: ... Routers cannot determine that a message is unicast or directed broadcast apart from the destination network prefix The decision to forward or not forward the message is by definition only possible in the last hop router To disable the directed broadcasts enter the following command in the CONFIG mode BigIron RX config no ip directed broadcast To enable directed broadcasts on an individual interfa...

Page 260: ...ive IP subnet broadcast packets with all ones in the host portion of the address However some older IP hosts instead expect IP subnet broadcast packets that have all zeros instead of all ones in the host portion of the address To accommodate this type of host you can enable the device to treat IP packets with all zeros in the host portion of the destination IP address as broadcast packets NOTE Whe...

Page 261: ...ce due to a filter or ACL configured on the device Fragmentation needed The packet has the Don t Fragment bit set in the IP Flag field but the device cannot forward the packet without fragmenting it Host The destination network or subnet of the packet is directly connected to the device but the host specified in the destination IP address of the packet is not on the network Network The device cann...

Page 262: ...t Set messages The port parameter disables ICMP Port Unreachable messages The source route fail parameter disables ICMP Unreachable caused by Source Route Failure messages To disable ICMP Host Unreachable messages and ICMP Network Unreachable messages but leave the other types of ICMP Unreachable messages enabled enter the following commands instead of the command shown above BigIron RX config no ...

Page 263: ...or RIP Default network route A statically configured default route that the device uses if other default routes to the destination are not available Refer to Configuring a default network route on page 200 Statically configured route You can add routes directly to the route table When you add a route to the IP route table you are creating a static IP route This section describes how to add static ...

Page 264: ... destination Multiple static routes to the same destination provide load sharing and redundancy You can add multiple static routes for the same destination network to provide one or more of the following benefits IP load balancing When you add multiple IP static routes for the same destination to different next hop gateways and the routes each have the same metric and administrative distance the d...

Page 265: ...hat subnet are on the same port Router A deduces that IP interface 207 95 7 188 is also on port 1 2 The software automatically removes a static IP route from the IP route table if the port used by that route becomes unavailable When the port becomes available again the software automatically re adds the route to the IP route table Configuring a static IP route To configure an IP static route with ...

Page 266: ...ce Conceptually this feature makes the destination network like a directly connected network associated with a device interface NOTE The port or virtual interface you use for the static route s next hop must have at least one IP address configured on it The address does not need to be in the same subnet as the destination network The metric parameter specifies the cost of the route and can be a nu...

Page 267: ...u can enter 209 157 22 0 24 instead of 209 157 22 0 255 255 255 0 The null0 parameter indicates that this is a null route You must specify this parameter to make this a null route The metric parameter adds a cost to the route You can specify from 1 16 The default is 1 The tag num parameter specifies the tag value of the route Possible values 0 4294967295 Default 0 The distance num parameter config...

Page 268: ... the IP address of the next hop router gateway for the route In addition the next hop ip address can also be a virtual routing interface for example ve 100 or a physical port for example ethernet 1 1 that is connected to the next hop router Enter 0 4294967295 for tag value The default is 0 meaning no tag Configuring load balancing and redundancy using multiple static routes to the same destination...

Page 269: ...unavailable Likewise the third route is used only if the first and second routes which have lower metrics are both unavailable For complete syntax information refer to Configuring a static IP route on page 193 Configuring standard static IP routes and interface or null static routes to the same destination You can configure a null0 or interface based static route to a destination and also configur...

Page 270: ...estination network 192 168 7 0 24 unless that route becomes unavailable in which case the device sends traffic to the null route instead FIGURE 11 Standard and null static routes to the same destination network X Two static routes to 192 168 7 0 24 Standard static route through gateway 192 168 6 157 with metric 1 Null route with metric 2 Router A Router B 192 168 6 188 24 192 168 6 157 24 192 168 ...

Page 271: ...op gateway The command also gives the standard static route a metric of 1 which causes the device to always prefer this route when the route is available The second command configures another static route for the same destination network but the second route is a null route The metric for the null route is 3 which is higher than the metric for the standard static route If the standard static route...

Page 272: ...nge makes the gateway unreachable the default route becomes unusable For example if you configure 10 10 10 0 24 as a candidate default network route if the IP route table does not contain an explicit default route 0 0 0 0 0 the software uses the default network route and automatically uses that route s next hop gateway as the default gateway If a topology change occurs and as a result the default ...

Page 273: ...IP load sharing is based on the destination address of the traffic device supports load sharing based on individual host addresses or on network addresses You can enable a device to load balance across up to eight equal cost paths The default maximum number of equal cost load sharing paths is four NOTE IP load sharing is not based on source routing only on next hop routing NOTE The term path refer...

Page 274: ... the IP route table For example if the device has a path learned from OSPF and a path learned from RIP for a given destination only the path with the lower administrative distance enters the IP route table Here are the default administrative distances on the device Directly connected 0 this value is not configurable Static IP route 1 applies to all static routes including default routes and defaul...

Page 275: ... load sharing for static routes OSPF routes and BGP4 routes are individually configured Multiple equal cost paths for a destination can enter the IP route table only if the source of the paths is configured to support multiple equal cost paths For example if BGP4 allows only one path with a given cost for a given destination the BGP4 route table cannot contain equal cost paths to the destination C...

Page 276: ...x no ip load sharing number Enter a value from 2 8 for number to set the maximum number of paths Response to path state changes If one of the load balanced paths becomes unavailable the IP route table in hardware is modified to stop using the unavailable path The traffic is load balanced between the available paths using the same hashing mechanism described above Refer to How IP load sharing works...

Page 277: ...oute command to display the traffic that will now be sent over all 4 links load balanced instead of being on only 1 link BigIron RX show ip route Total number of IP routes 9 Type Codes B BGP D Connected I ISIS S Static R RIP O OSPF Cost Dist Metric Destination Gateway Port Cost Type 1 0 0 0 0 0 100 1 1 2 eth 7 1 1 1 S 0 0 0 0 0 100 1 2 2 eth 7 2 1 1 S 0 0 0 0 0 100 1 3 2 eth 7 3 1 1 S 0 0 0 0 0 10...

Page 278: ...access list To determine if IP receive access list has been configured on the device enter the following command BigIron RX show access list bindings L4 configuration ip receive access list 101 Configuring IRDP The device uses ICMP Router Discovery Protocol IRDP to advertise the IP addresses of its router interfaces to directly attached hosts IRDP is disabled by default You can enable it globally ...

Page 279: ...val is 450 seconds Hold time Each Router Advertisement message contains a hold time value This value specifies the maximum amount of time the host should consider an advertisement to be valid until a newer advertisement arrives When a new advertisement arrives the hold time is reset The hold time is always longer than the maximum advertisement interval Therefore if the hold time for an advertiseme...

Page 280: ...meter the software automatically adjusts the minadvertinterval parameter to be three fourths the new value of the maxadvertinterval parameter If you want to override the automatically configured value you can specify an interval from 1 to the current value of the maxadvertinterval parameter The preference number parameter specifies the IRDP preference level of the device If a host receives Router ...

Page 281: ...ication For example if you disable forwarding of Telnet requests to helper addresses other Telnet support on the device is not also disabled Enabling forwarding for a UDP application If you want the device to forward client requests for UDP applications that the device does not forward by default you can enable forwarding support for the port To enable forwarding support for a UDP application use ...

Page 282: ... a client s broadcast request for a UDP application when the client and server are on different networks you must configure a helper address on the interface connected to the client Specify the server s IP address or the subnet directed broadcast address of the IP subnet the server is in as the helper address You can configure up to 16 helper addresses on each interface You can configure a helper ...

Page 283: ...of the IP address given by the DHCP server BootP DHCP forwarding parameters The following parameters control the device s forwarding of BootP DHCP requests Helper address The BootP DHCP server s IP address You must configure the helper address on the interface that receives the BootP DHCP requests from the client The device cannot forward a request to the server unless you configure a helper addre...

Page 284: ...configuration level for port 1 1 then change the BootP DHCP stamp address for requests received on port 1 1 to 192 157 22 26 The device will place this IP address in the Gateway Address field of BootP DHCP requests that the device receives on port 1 1 and forwards to the BootP DHCP server Syntax ip bootp gateway ip addr Changing the maximum number of hops to a BootP relay server Each BootP DHCP re...

Page 285: ...s on page 672 OSPF information refer to Displaying OSPF information on page 717 BGP4 information refer to Displaying BGP4 information on page 822 DVMRP information refer to Displaying information about an upstream neighbor device on page 651 PIM information refer to Displaying PIM Sparse configuration information and statistics on page 610 VRRP or VRRPE information refer to Displaying VRRP and VRR...

Page 286: ...er ID is the numerically lowest IP interface configured on the router To change the router ID refer to Changing the router ID on page 174 enabled The IP related protocols that are enabled on the router disabled The IP related protocols that are disabled on the router Static routes Index The row number of this entry in the IP route table IP Address The IP address of the route s destination Subnet M...

Page 287: ...lies only if the IP protocol is TCP or UDP TABLE 50 CLI display of interface IP configuration information This field Displays Interface The type and the slot and port number of the interface IP Address The IP address of the interface NOTE If an s is listed following the address this is a secondary address When the address was configured the interface already had an IP address in the same subnet so...

Page 288: ...y down Otherwise the entry in the Status field will be either up or down Protocol Whether the interface can provide two way communication If the IP address is configured and the link status of the interface is up the entry in the protocol field will be up Otherwise the entry in the protocol field will be down TABLE 50 CLI display of interface IP configuration information Continued This field Displ...

Page 289: ...sk for the mac address xxxx xxxx xxxx parameter to display entries for multiple MAC addresses Specify the MAC address mask as f s and 0 s where f s are significant bits The ip addr and ip mask parameters let you restrict the display to entries for a specific IP address and network mask Specify the IP address masks in standard decimal mask format for example 255 255 0 0 NOTE The ip mask parameter a...

Page 290: ...vice Type The type which can be one of the following Dynamic The device learned the entry from an incoming packet Static The device loaded the entry from the static ARP table when the device for the entry was connected to the device Age The number of minutes the entry has remained unused If this value reaches the ARP aging period the entry is removed from the table To display the ARP aging period ...

Page 291: ...y of static ARP table Continued This field Displays BigIron RX show ip cache Cache Entry Usage on LPs Module Host Network Free Total 15 6 6 204788 204800 BigIron RX rconsole 15 Connecting to slave CPU 15 1 Press CTRL Shift 6 X to exit rconsole 15 1 LP show ip cache Total number of host cache entries 3 D Dynamic P Permanent F Forward U Us C Conected Network W Wait ARP I ICMP Deny K Drop R Frament S...

Page 292: ...of the destination NOTE If the entry is type U indicating that the destination is this Brocade device the address consists of zeroes Type The type of host entry which can be one or more of the following D Dynamic P Permanent F Forward U Us C Complex Filter W Wait ARP I ICMP Deny K Drop R Fragment S Snap Encap Port The port through which this device reaches the destination For destinations that are...

Page 293: ...55 255 0 The longer detail debug parameter applies only when you specify an IP address and mask This option displays only the routes for the specified IP address and mask The bgp option displays the BGP4 routes The connected option displays only the IP routes that are directly attached to the device The ospf option displays the OSPF routes The rip option displays the RIP routes The isis option dis...

Page 294: ...alculated through OSPF One of the routes has a zero bit mask this is the default route 27 have a 22 bit mask 5 have a 24 bit mask and 1 has a 32 bit mask The following table lists the information displayed by the show ip route command TABLE 54 CLI display of IP route table This field Displays Destination The destination network of the route NetMask The network mask of the destination address Gatew...

Page 295: ... statistics Hardware forwarded packets are not included Type The route type which can be one of the following B The route was learned from BGP D The destination is directly connected to this device R The route was learned from RIP S The route is a static route The route is a candidate default route O The route is an OSPF route Unless you use the ospf option to display the route table O is used for...

Page 296: ... of packets dropped by the device because the value in the Protocol field of the packet header is unrecognized by this device no buffer This information is used by Brocade customer support other errors The number of packets that this device dropped due to error types other than the types listed above BigIron RX sh ip traffic IP Statistics 146806 total received 72952 mp received 6715542 sent 0 forw...

Page 297: ...r of Address Mask Request messages sent or received by the device addr mask reply The number of Address Mask Replies messages sent or received by the device irdp advertisement The number of ICMP Router Discovery Protocol IRDP Advertisement messages sent or received by the device irdp solicitation The number of IRDP Solicitation messages sent or received by the device UDP statistics received The nu...

Page 298: ...s this device has received from another RIP router for all or part of this device s RIP routing table responses sent The number of responses this device has sent to another RIP router s request for all or part of this device s RIP routing table responses received The number of responses this device has received to requests for all or part of another RIP router s routing table unrecognized This inf...

Page 299: ...ing in outbound TCP SYNC ACK packets failed attempts Number of unsuccessful TCP connection requests from either local or remote active resets Number of TCP RESET packets sent by the local router passive resets Number of normal TCP connections closed input errors Number of TCP packets received with error header too short checksum error or not a listening TCP PORT in segments Number of TCP packet re...

Page 300: ...228 BigIron RX Series Configuration Guide 53 1001810 01 Displaying IP information 7 ...

Page 301: ...p Alive LAG a single connection between a single port on 2 device switches is established In a keep alive LAG LACP PDUs are exchanged between the 2 ports to determine if the connection between the switches is still active If it is determined that the connection is no longer active the ports are blocked NOTE No trunk is created for Keep Alive LAGs The new LAG configuration procedures supersede the ...

Page 302: ...ts must have the same PBR configuration before deployment during deployment the configuration on the primary port is replicated to all ports and on undeployment each port inherits the same PBR configuration VLAN and inner VLAN translation The trunk is rejected if any LAG port has VLAN or inner VLAN translation configured Layer 2 requirements The trunk is rejected if the trunk ports do not have the...

Page 303: ...orts in the LAG Make sure the device on the other end of the trunk link can support the same number of ports in the link Figure 13 displays and example of a valid Keep ALIVE LAG link between two devices This configuration does not aggregate ports but uses the LACP PDUs to maintain the connection status between the two ports FIGURE 13 Example of a 1 port keep alive LAG Figure 14 shows an example of...

Page 304: ...P packets source MAC address and destination MAC address source IP address and destination IP address IPv4 TCP packets source MAC address and destination MAC address source IP address and destination IP address and TCP source port and TCP destination port IPv4 UDP packets source MAC address and destination MAC address source IP address and destination IP address and UDP source port and UDP destina...

Page 305: ...LACP configuration if you are upgrading from a version of the Multi Service IronWare software prior to 02 6 00 and have either Trunks or LACP configured the previous configuration will be automatically updated with the new commands to form an LAG that is equivalent to the previous configuration To accomplish this the old trunk and link aggregation commands are maintained during startup configurati...

Page 306: ...e lowest numbered port will be selected as the primary port of the LAG i The load balancing scheme in the command link aggregate configure type is automatically converted to the default hash based load balancing scheme j Port names configured in the original interface configuration will be converted to port names within the LAG k The converted LAG will be named LAG_x where x is a unique number ass...

Page 307: ... alive applications similar to the UDLD feature Adding ports to a LAG A static or dynamic LAG can consist of from 2 to 20 ports of the same type and speed that are on any interface module within the device chassis A keep alive LAG consists of only one port To configure the static LAG named blue with two ports use the following command BigIron RX config lag blue static BigIron RX config lag blue po...

Page 308: ...trunk group has 8 ports and the threshold for the trunk group is 5 then the trunk group is disabled if the number of available ports in the trunk group drops below 5 If the trunk group is disabled then traffic is forwarded over a different link or trunk group NOTE This configuration is only applicable for configuration of a static or dynamic LAGs For example the following commands establish a trun...

Page 309: ...fig lag blue lacp timeout short Syntax no lacp timeout long short The long parameter configures the port for the long timeout mode The short parameter configures the port for the short timeout mode NOTE This configuration is only applicable for configuration of a dynamic or keep alive LAGs Deploying a LAG After configuring a LAG you must explicitly enable it before it takes begins aggregating traf...

Page 310: ...n the un deployment of the LAG is executed Commands available under LAG once it is deployed Once a LAG has been deployed the following configurations can be performed on the deployed LAG Configuring ACL based Mirroring Disabling Ports within a LAG Enabling Ports within a LAG Monitoring and Individual LAG Port Assigning a name to a port within a LAG Enabling sFlow Forwarding on a port within a LAG ...

Page 311: ... with the appropriate slot port variable to specify a Ethernet port within the LAG that you want to enable Use the named option with the appropriate slot port variable to specify a named port within the LAG that you want to enable Monitoring an individual LAG port By default when you monitor the primary port in a LAG group aggregated traffic for all the ports in the LAG is copied to the mirror por...

Page 312: ...ernet port within the LAG Refer to Allowable characters for LAG names on page 14 for guidelines on LAG naming conventions Enabling sFlow forwarding on a port within a LAG You can enable sFlow forwarding on an individual port within a LAG using the sflow forwarding command within the LAG configuration as shown in the following BigIron RX config lag blue static BigIron RX config lag blue deploy BigI...

Page 313: ...out 90 default 90 LACP Short timeout 3 default 3 LAG Type Deploy Trunk Primary Port List d1 dynamic Y 3 32 2 ethe 13 2 to 13 3 ethe 32 2 e dynamic Y 1 2 3 ethe 2 1 ethe 2 3 ethe 2 5 p static Y 2 3 1 ethe 4 1 ethe 4 3 ethe 4 5 s1 static N none 32 3 ethe 13 4 ethe 32 3 to 32 4 BigIron RX show lag Total number of LAGs 4 Total number of deployed LAGs 3 Total number of trunks created 3 31 available LAC...

Page 314: ...number of trunks that have been created on the LAG The total number of Trunks available are shown also Since keep alive LAGs do not use a trunk ID they are not listed and do not subtract for the number of trunks available LACP System Priority ID The system priority configured for the switch The ID is the system priority which is the base MAC address of the switch LACP Long timeout LACP Short timeo...

Page 315: ... and receive LACPDU messages to participate in negotiation of an aggregate link initiated by another port but cannot search for a link aggregation port or initiate negotiation of an aggregate link Yes The mode is active The port can send and receive LACPDU messages Tio Indicates the timeout value of the port The timeout value can be one of the following L Long The trunk group has already been form...

Page 316: ...can have one of the following values Def The port has not received link aggregation values from the port at the other end of the link and is therefore using its default link aggregation LACP settings No The port has received link aggregation information from the port at the other end of the link and is using the settings negotiated with that port Exp Indicates whether the negotiated link aggregati...

Page 317: ...kets Collisions Errors Receive Transmit Recv Txmit InErr OutErr LAG d1 1173 1018 0 0 0 0 LAG e 1268 1277 0 0 0 0 BigIron RX show statistics lag LAG d1 Counters InOctets 127986 OutOctets 107753 InPkts 1149 OutPkts 996 InBroadcastPkts 0 OutBroadcastPkts 0 InMulticastPkts 852 OutMulticastPkts 684 InUnicastPkts 297 OutUnicastPkts 312 InDiscards 0 OutDiscards 0 InErrors 0 OutErrors 0 InCollisions 0 Out...

Page 318: ...246 BigIron RX Series Configuration Guide 53 1001810 01 Deploying a LAG 8 ...

Page 319: ...ertisements only or receive LLDP advertisements only LLDPDU LLDP Data Unit A unit of information in an LLDP packet that consists of a sequence of short variable length information elements known as TLVs MIB Management Information Base A virtual database that identifies each manageable object by its name syntax accessibility and status along with a text description and unique object identifier OID ...

Page 320: ...P commands Figure 16 illustrates LLDP connectivity FIGURE 16 LLDP Connectivity Benefits of LLDP LLDP provides the following benefits Network Management Simplifies the use of and enhances the ability of network management tools in multi vendor environments Enables discovery of accurate physical network topologies such as which devices are neighbors and through which ports they connect Enables disco...

Page 321: ...ransmit and receive LLDP packets or change the operating mode to one of the following Transmit LLDP information only Receive LLDP information only Transmit mode An LLDP agent sends LLDP packets to adjacent LLDP enabled devices The LLDP packets contain information about the transmitting device and port An LLDP agent initiates the transmission of LLDP packets whenever the transmit countdown timing c...

Page 322: ...nt Length indicates the length in octets of the information string Value is the actual information being sent for example a binary bit map or an alpha numeric string containing one or more fields TLV support This section lists the LLDP TLV support LLDP TLVs There are two types of LLDP TLVs as specified in the IEEE 802 3AB standard Basic Management TLVs consist of both optional general system infor...

Page 323: ...C PHY configuration status Link aggregation Maximum frame size Mandatory TLVs When an LLDP agent transmits LLDP packets to other agents in the same 802 LAN segments the following mandatory TLVs are always included Chassis ID Port ID Time to Live TTL This section describes the above TLVs in detail Chassis ID The Chassis ID identifies the device that sent the LLDP packets There are several ways in w...

Page 324: ... devices use port ID subtype 3 the permanent MAC address associated with the port Other third party devices may use a port ID subtype other than 3 The port ID appears similar to the following on the remote device and in the CLI display output on the Brocade device show lldp local info Port ID MAC address 0012 f233 e2d3 The LLDPDU format is shown in LLDPDU packet format on page 250 The Port ID TLV ...

Page 325: ...e The LLDPDU format is shown in LLDPDU packet format on page 250 The TTL TLV format is shown below FIGURE 19 TTL TLV packet format MIB support Brocade devices support the following standard MIB modules LLDP MIB LLDP EXT DOT1 MIB LLDP EXT DOT3 MIB Syslog messages Syslog messages for LLDP provide management applications with information related to MIB data consistency and general status These Syslog...

Page 326: ... LLDP globally enter the following command at the global CONFIG level of the CLI FastIron config lldp run Syntax no lldp run Specifying the maximum number of LLDP neighbors per port Automatically set to 4 neighbors per port Enabling SNMP notifications and Syslog messages Disabled Changing the minimum time between SNMP traps and Syslog messages Automatically set to 2 seconds when SNMP notifications...

Page 327: ...nable ports ethernet slotnum portnum all Use the no form of the command to disable the receipt and transmission of LLDP packets on a port You can list all of the ports individually use the keyword to to specify ranges of ports or a combination of both To apply the configuration to all ports on the device use the keyword all instead of listing the ports individually Enabling and disabling receive o...

Page 328: ...ig no lldp enable receive ports e 2 7 e 2 8 FastIron config lldp enable transmit ports e 2 7 e 2 8 The above commands change the LLDP operating mode on ports 2 7 and 2 8 from receive only mode to transmit only mode Any incoming LLDP packets will be dropped in software Note that if you do not disable receive only mode you will configure the port to both receive and transmit LLDP packets Syntax no l...

Page 329: ...ifications the device will send traps and corresponding Syslog messages whenever there are changes to the LLDP data received from neighboring devices LLDP SNMP notifications and corresponding Syslog messages are disabled by default To enable them enter a command such as the following at the Global CONFIG level of the CLI BigIron RX config lldp enable snmp notifications ports e 4 2 to 4 6 The above...

Page 330: ...transmit interval The LLDP transmit delay timer prevents an LLDP agent from transmitting a series of successive LLDP frames during a short time period when rapid changes occur in LLDP It also increases the probability that multiple changes rather than single changes will be reported in each LLDP frame To change the LLDP transmit delay timer enter a command such as the following at the Global CONFI...

Page 331: ...0 is encoded in the TTL field in the LLDP header To change the holdtime multiplier enter a command such as the following at the Global CONFIG level of the CLI FastIron config lldp transmit hold 6 Syntax no lldp transmit hold value where value is a number from 2 to 10 The default value is 4 NOTE Setting the transmit interval or transmit holdtime multiplier to inappropriate values can cause the LLDP...

Page 332: ...h MDI information TLVs are not automatically enabled The following sections show how to enable these advertisements General system information Except for the system description the Brocade device will advertise the following system information when LLDP is enabled on a global basis Management address Port description System capabilities System description not automatically advertised System name M...

Page 333: ...eyword all instead of listing the ports individually Note that using the keyword all may cause undesirable effects on some ports For example if you configure all ports to advertise their VLAN name and the configuration includes ports that are not members of any VLAN the system will warn of the misconfigurations on non member VLAN ports The configuration will be applied to all ports however the por...

Page 334: ... remote device and in the CLI display output on the Brocade device show lldp local info BigIron RX show lldp local info Local port 1 2 Chassis ID MAC address 000c dbf5 c000 Port ID MAC address 000c dbf5 c000 Time to live 120 seconds System name rx4 Port description 10GigabitEthernet1 2 System capabilities bridge router Enabled capabilities bridge router 802 3 MAC PHY auto negotiation supported but...

Page 335: ...tomatically advertised Untagged VLAN ID VLAN name The VLAN name TLV contains the name and VLAN ID of a VLAN configured on a port An LLDPDU may include multiple instances of this TLV each for a different VLAN To advertise the VLAN name enter a command such as the following FastIron config lldp advertise vlan name vlan 99 ports e 2 4 to 2 12 The VLAN name will appear similar to the following on the ...

Page 336: ...basis Link aggregation information MAC PHY configuration and status Maximum frame size Link aggregation The link aggregation TLV indicates the following Whether the link is capable of being aggregated Whether the link is currently aggregated The primary trunk port Brocade devices advertise link aggregation information about standard link aggregation LACP as well as static trunk configuration By de...

Page 337: ...ll ports on the device use the keyword all instead of listing the ports individually Note that using the keyword all may cause undesirable effects on some ports For example if you configure all ports to advertise their VLAN name and the configuration includes ports that are not members of any VLAN the system will warn of the misconfigurations on non member VLAN ports The configuration will be appl...

Page 338: ...t of the current LLDP neighbors show lldp neighbors detail Displays the details of the latest advertisements received from LLDP neighbors show lldp local info Displays the details of the LLDP advertisements that will be transmitted on each port This above show commands are described in this section LLDP configuration summary To display a summary of the LLDP configuration settings on the device ent...

Page 339: ...maximum number of LLDP neighbors for which LLDP data will be retained per port This field Displays Last neighbor change time The elapsed time in hours minutes and seconds since a neighbor last advertised information For example the elapsed time since a neighbor was last added deleted or its advertised information changed Neighbor entries added The number of new LLDP neighbors detected since the la...

Page 340: ...ort received Rx Pkts w Errors The number of LLDP packets the port received that have one or more detectable errors Rx Pkts Discarded The number of LLDP packets the port received then discarded Rx TLVs Unrecognz The number of TLVs the port received that were not recognized by the LLDP local agent Unrecognized TLVs are retained by the system and can be viewed in the output of the show LLDP neighbors...

Page 341: ...le format may be displayed in hexadecimal binary form Port ID The identifier for the port Brocade devices use the permanent MAC address associated with the port as the port ID Port Description The description for the port Brocade devices use the ifDescr MIB object from MIB II as the port description System Name The administratively assigned name for the system Brocade devices use the sysName MIB o...

Page 342: ...0800 0f18 cc03 TTL 101 seconds Chassis ID network address 10 43 39 151 Port ID MAC address 0800 0f18 cc03 Time to live 120 seconds Port description LAN port System name regDN 1015 MITEL 5235 DM System description regDN 1015 MITEL 5235 DM h w rev 2 ASIC rev 1 f w Boot 02 01 00 11 f w Main 02 01 00 11 System capabilities bridge telephone Enabled capabilities bridge telephone Management address IPv4 ...

Page 343: ...ice use the keyword all instead of listing the ports individually BigIron RX show lldp local info ports e 20 1 Local port 20 1 Chassis ID MAC address 0012 f233 e2c0 Port ID MAC address 0012 f233 e2d3 Time to live 40 seconds System name FESX424_POE Port description GigabitEthernet20 System description Foundry Networks Inc FESX424 PREM PoE IronWare V ersion 04 0 00b256T3e1 Compiled on Sep 04 2007 at...

Page 344: ...on the device refer to LLDP statistics on page 267 FastIron clear lldp statistics Syntax clear lldp statistics ports ethernet slot num port num all If you do not specify any ports or use the keyword all by default the system will clear lldp statistics on all ports You can list all of the ports individually use the keyword to to specify ranges of ports or a combination of both To apply the configur...

Page 345: ...e interval the port waits for two more intervals If the port still does not receive a health check packet after waiting for three intervals UDLD will be kept in a suspended state until it receives the first keep alive message from the other end In this suspended state UDLD will continue to send the keep alive message but will not bring the port down after maximum number of retries is done and no k...

Page 346: ...ts After you create the trunk group you can re add the UDLD configuration Configuring UDLD To enable UDLD on a port enter a command such as the following at the global CONFIG level of the CLI BigIron RX config link keepalive ethernet 1 1 Syntax no link keepalive ethernet slot portnum ethernet slot portnum To enable the feature on a trunk group enter commands such as the following BigIron RX config...

Page 347: ...ll not bring the port down after maximum number of retries is done and no keep alive message is received from the other end The UDLD will transition from this suspended state to active state after it receives the first keep alive message from the other end In the active state UDLD peers will continue to exchange keep alive messages periodically and if there are keep alive messages are missed for c...

Page 348: ... please specifify the protocol For example show ipx interface ve num or show appletalk interface ve num TABLE 60 CLI display of UDLD information This field Displays Total link keepalive enabled ports The total number of ports on which UDLD is enabled Keepalive Retries The number of times a port will attempt the health check before concluding that the link is down Keepalive Interval The number of s...

Page 349: ...t identifies this device The ID can be used by Brocade technical support for troubleshooting Remote System ID A unique value that identifies the device at the remote end of the link Packets sent The number of UDLD health check packets sent on this port Packets received The number of UDLD health check packets received on this port Transitions The number of times the logical link state has changed b...

Page 350: ...how interface ethernet 1 1 GigabitEthernet2 1 is disabled line protocol is down link keepalive is enabled Hardware is GigabitEthernet address is 000c dbe2 5900 bia 000c dbe2 5900 Configured speed 1Gbit actual unknown configured duplex fdx actual unknown Configured mdi mode AUTO actual unknown Member of 2 L2 VLANs port is tagged port state is Disabled STP configured to ON Priority is level7 flow co...

Page 351: ...orts two types of VLANs port based VLANs and protocol based VLANs A port based VLAN consists of interfaces that constitutes a Layer 2 broadcast domain By default all interfaces on a BigIron RX are members of the default VLAN which is VLAN 1 Thus by default all interfaces on all devices on a network constitute a single Layer 2 broadcast domain Once you create a port based VLAN and assign an interfa...

Page 352: ...ing only if a port connecting one of the devices to the other is a member of more than one port based VLAN If a port connecting one device to the other is a member of only a single port based VLAN tagging is not required If you use tagging on multiple devices each device must be configured for tagging and must use the same tag value In addition the implementation of tagging must be compatible on t...

Page 353: ...casts to all ports within the IPX protocol VLAN IPv6 The device sends IPv6 broadcasts to all ports within the IPv6 protocol VLAN NOTE You can configure a protocol based VLAN as a broadcast domain for IPv6 traffic When the device receives an IPv6 multicast packet a packet with 06 in the version field and 0xFF as the beginning of the destination address the device forwards the packet to all other po...

Page 354: ...devices support the same tag format VLAN hierarchy A hierarchy of VLANs exists between the Layer 2 and Layer 3 protocol based VLANs Port based VLANs are at the lowest level of the hierarchy Layer 3 protocol based VLANs are at the highest level of the hierarchy As a device receives packets the VLAN classification starts from the highest level VLAN first Therefore if an interface is configured as a ...

Page 355: ...sociated with the VLAN will not be forwarded on this port if the Layer 2 state is not FORWARDING It is possible that the control protocol for example STP will block one or more ports in a protocol based VLAN that uses a virtual routing interface to route to other VLANs For IP protocol and IP subnet VLANs even though some of the physical ports of the virtual routing interface are blocked the virtua...

Page 356: ...ets that do not contain 802 1q tagging The tagged parameter allows the device to add a four byte tag 802 1q tag to the packets that go through the tagged ports It also allows the ports to be members of other VLANs Enter the port that you want to assign to the VLAN for the ethernet slot number port number parameter You can add trunk group ports to the VLAN by entering the trunk group s the primary ...

Page 357: ... Displaying VLAN byte accounting information To display VLAN accounting information for all VLANs configured on a router use the show vlan command as shown BigIron RX show vlan Configured PORT VLAN entries 2 Maximum PORT VLAN entries 512 Default PORT VLAN id 1 PORT VLAN 1 Name DEFAULT VLAN Priority Level0 L2 protocols NONE Untagged Ports ethe 1 1 to 1 40 ethe 2 1 to 2 4 PORT VLAN 10 Name None Prio...

Page 358: ...ers for all VLANs Strictly or explicitly tagging a port If you want a port to be strictly or explicitly tagged that port has to be removed from the default VLAN Enter a command such as the following BigIron RX config vlan 2 BigIron RX config vlan 2 tagged e 1 1 to 1 8 BigIron RX config vlan 2 vlan 1 BigIron RX config vlan 1 no untagged e 1 1 to 1 8 Assigning or changing a VLAN priority You can pri...

Page 359: ... based VLANs 1 Create the port based VLAN that contains the interface that you want to segment using Layer 3 protocols BigIron RX config vlan 2 BigIron RX config vlan 2 untag e 1 9 to 1 16 BigIron RX config vlan 2 tagged e 1 1 to 1 8 2 Under the VLAN configuration level define the Layer 3 protocol you want to use to segment packets that go through the ports assigned to the port based VLAN BigIron ...

Page 360: ...ic at Layer 2 within a protocol based VLAN However Layer 3 traffic from one protocol based VLAN to another must be routed If you want the device to be able to send Layer 3 traffic from one protocol based VLAN to another on the same router you must configure a virtual routing interface on each protocol based VLAN then configure routing parameters on the virtual routing interfaces A virtual routing ...

Page 361: ...rfaces In this scenario you can create two separate backbones for the same protocol one bridged and one routed The following is a sample configuration for the illustration above BigIron RX config vlan 2 BigIron RX config vlan 2 tagged e 1 1 to 1 2 BigIron RX config vlan 2 router inter ve 2 BigIron RX config vlan 2 ip proto static e 1 1 to 1 2 BigIron RX config vlan 2 exit BigIron RX config vlan 3 ...

Page 362: ... ports in the port based VLAN to which you add the protocol based VLAN are 802 1q tagged You can configure multiple protocol based VLANs within the same port based VLAN In addition a port within a port based VLAN can belong to multiple protocol based VLANs of the same type or different types For example if you have a port based VLAN that contains ports 1 1 1 10 you can configure port 1 5 as a memb...

Page 363: ...ature not only simplifies VLAN configuration but also allows you to have a large number of identically configured VLANs in a startup configuration file on the device s flash memory module Normally a startup configuration file with a large number of VLANs might not fit on the flash memory module By grouping the identically configured VLANs you can conserve space in the startup configuration file so...

Page 364: ...RX config vlan group 1 add vlan 1001 to 1002 BigIron RX config vlan group 1 remove vlan 900 to 1000 Syntax no add vlan vlan id to vlan id Syntax remove vlan vlan id to vlan id Verifying VLAN group configuration To verify configuration of VLAN groups display the running configuration file If you have saved the configuration to the startup configuration file you also can verify the configuration by ...

Page 365: ...VLANs within another VLAN This provides a total VLAN capacity on one device of 16 760 836 channels 4089 4089 The devices connected through the channel are not visible to devices in other channels Therefore each client has a private link to the other side of the channel Super aggregated VLANs are useful for applications such as Virtual Private Network VPN in which you need to provide a private dedi...

Page 366: ...h client receives its own Layer 2 broadcast domain separate from the broadcast domains of other clients For example client 1 cannot ping client 5 The clients at each end of a channel appear to each other to be directly connected and thus can be on the same subnet and use network services that require connection to the same subnet In this example client 1 is in subnet 192 168 1 0 24 and so is the d...

Page 367: ... to configure device A in Figure 24 on page 294 enter commands such as the following BigIron RX config vlan 101 BigIron RX config vlan 101 tagged ethernet 2 1 BigIron RX config vlan 101 untagged ethernet 1 1 BigIron RX config vlan 101 exit BigIron RX config vlan 102 BigIron RX config vlan 102 tagged ethernet 2 1 BigIron RX config vlan 102 untagged ethernet 1 2 BigIron RX config vlan 102 exit BigIr...

Page 368: ...d VLANs on device C in Figure 24 on page 294 enter the following commands BigIron RX config tag type 9100 BigIron RX config aggregated vlan BigIron RX config vlan 101 BigIron RX config vlan 101 tagged ethernet 4 1 BigIron RX config vlan 101 untagged ethernet 3 1 BigIron RX config vlan 101 exit BigIron RX config vlan 102 BigIron RX config vlan 102 tagged ethernet 4 1 BigIron RX config vlan 102 unta...

Page 369: ...ands for device B The commands for configuring device B are identical to the commands for configuring device A Notice that you can use the same channel VLAN numbers on each device The devices that aggregate the VLANs into a path can distinguish between the identically named channel VLANs based on the ID of the path VLAN BigIron RX B config vlan 101 BigIron RX B config vlan 101 tagged ethernet 2 1 ...

Page 370: ...ron RX D config vlan 101 BigIron RX D config vlan 101 tagged ethernet 4 1 BigIron RX D config vlan 101 untagged ethernet 3 1 BigIron RX D config vlan 101 exit BigIron RX D config vlan 102 BigIron RX D config vlan 102 tagged ethernet 4 1 BigIron RX D config vlan 102 untagged ethernet 3 2 BigIron RX D config vlan 102 exit BigIron RX D config write memory Commands for device E Since the configuration...

Page 371: ...F config vlan 103 tagged ethernet 2 1 BigIron RX F config vlan 103 untagged ethernet 1 3 BigIron RX F config vlan 103 exit BigIron RX F config vlan 104 BigIron RX F config vlan 104 tagged ethernet 2 1 BigIron RX F config vlan 104 untagged ethernet 1 4 BigIron RX F config vlan 104 exit BigIron RX F config vlan 105 BigIron RX F config vlan 105 tagged ethernet 2 1 BigIron RX F config vlan 105 untagge...

Page 372: ...e with an additional 8100 tag thereby supporting devices that only support this method of VLAN tagging Configuration rules Follow the rules below when configuring 802 1q in q tagging Since the uplink to the provider cloud and the edge link to the customer port must have different 802 1Q tags make sure the uplink and edge link are in different port regions If you configure a port with an 802 1Q tag...

Page 373: ...g to the port region 1 12 the 802 1Q tag actually applies to ports 1 12 Syntax no tag type num ethernet slot number port number to slot number port number The num parameter specifies the tag type number and can be a hexadecimal value from 0 ffff The default is 8100 The ethernet port number to port number parameter specifies the ports that will use the defined 802 1Q tag This parameter operates wit...

Page 374: ...port group to the next on tagged interfaces Client 1 Port1 1 VLAN 101 Client 3 Port1 3 VLAN 103 Client 5 Port1 5 VLAN 105 Client 1 192 168 1 69 24 Client 5 209 157 2 12 24 Client 6 Port1 1 VLAN 101 Client 8 Port1 3 VLAN 103 Client 10 Port1 5 VLAN 105 Ports 1 1 1 5 Untagged Ports 1 1 1 5 Untagged Device A Tag Type 8100 Port2 1 Tagged Port2 1 Tagged Device B Tag Type 8100 Port3 1 Untagged Port3 2 Un...

Page 375: ...t it removes the 8100 tag type and replaces translates it with the 9100 tag type as it sends the packet to the uplink Provider Core Switch 2 The same process occurs between Provider Core Switch 2 and Customer Edge Switch 2 Figure 28 shows a simple application of the 802 1q tag type translation in which all of the ports are tagged and the tag types between devices match In this example each device ...

Page 376: ...he 8200 tag type and replaces translates it with the 9100 tag type as it sends the packet to the uplink Core Switch 2 For more information refer to Configuring 802 1q tag type translation on page 302 Configuration rules On the supported devices you configure 802 1q tag types per port region Use the show running config command at any level of the CLI to view port regions Note that on Gigabit Ethern...

Page 377: ...ig tag type 9100 e 11 to 12 BigIron RX config aggregated vlan Note that since ports 11 and 12 belong to the port region 9 16 the 802 1q tag type actually applies to ports 9 16 NOTE Do not configure 802 1q tag type translation on the edge link to the customer edge switch Syntax no tag type num ethernet slot number port number to slot number port number The num parameter specifies the tag type numbe...

Page 378: ...e with one another as well as through the firewall The other two hosts on ports 3 9 and 3 10 are in an isolated VLAN and thus can communicate only through the firewall The two hosts are secured from communicating with one another even though they are in the same VLAN By default the private VLAN does not forward broadcast or unknown unicast packets from outside sources into the private VLAN If need...

Page 379: ...Support for the hardware forwarding in this feature sometimes results in multiple MAC address entries for the same MAC address in the device s MAC address table In this case each of the entries is associated with a different VLAN The multiple entries are a normal aspect of the implementation of this feature and do not indicate a software problem By default the primary VLAN does not forward broadca...

Page 380: ...y VLANs can be mapped to multiple primary VLAN ports For example pvlan mapping 901 ethernet 1 2 pvlan mapping 901 ethernet 2 2 pvlan mapping 901 ethernet 3 2 Configuring a private VLAN To configure a private VLAN configure each of the component VLANs isolated community and public as a separate port based VLAN Use standard VLAN configuration commands to create the VLAN and add ports Identify the ty...

Page 381: ...et portnum Syntax no pvlan type community isolated primary The untagged command adds the ports to the VLAN The pvlan type command specifies that this port based VLAN is a private VLAN community Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN isolated Broadcasts and unknown unicasts received on is...

Page 382: ...he packet to the other private VLAN ports 3 5 3 6 3 9 and 3 10 This forwarding restriction does not apply to traffic from the private VLAN The primary port does forward broadcast and unknown unicast packets that are received from the isolated and community VLANs For example if the host on port 3 9 sends an unknown unicast packet port 3 2 forwards the packet to the firewall If you want to remove th...

Page 383: ...g vlan 7 pvlan mapping 903 ethernet 3 2 Other VLAN features Allocating memory for more VLANs or virtual routing interfaces By default you can configure up to 512 VLANs and virtual routing interfaces on the device Although this is the default maximum the device can support up to 4089 VLANs and 4095 virtual routing interfaces VLAN IDs 0 4090 4091 4092 and 4095 are reserved NOTE If many of your VLANs...

Page 384: ...n private VLANs You cannot enable this feature on the designated management VLAN for the device If you enable this feature on a VLAN that includes a trunk group hardware flooding for Layer 2 multicast and broadcast packets occurs only on the trunk group s primary port Multicast and broadcast traffic for the other ports in the trunk group is handled by software Unknown unicast flooding on VLAN port...

Page 385: ...t Use the multicast parameter to specify CPU flooding for broadcast and multicast packets Use the unknown unicast parameter to specify CPU flooding for unknown unicast packets only NOTE This command does not erase any multicast or unknown unicast flooding configuration If this command is enabled then it supersedes the per vlan configuration Configuring uplink ports within a port based VLAN You can...

Page 386: ... options You can also configure the following on a VLAN Configuring static ARP entries on page 132 Setting maximum frame size per PPCR on page 172 Displaying VLAN information After you configure the VLANs you can view and verify the configuration Displaying VLAN information Enter the following command at any CLI level Syntax show vlan vlan id begin expression exclude expression include expression ...

Page 387: ... Maximum number of port based VLANs that you can configure Note however IDs 4091 and 4092 are reserved for control purposes Default PORT VLAN id ID of the default VLAN PORT VLAN ID of the port based VLAN Name Name of the port based VLAN None appears if a name has not been assigned Priority Level Priority level assigned to the port based VLAN L2 protocols Layer 2 control protocol configured on the ...

Page 388: ...igured as dual mode ports in all the VLANs on the device Default VLAN ID of the default VLAN Control VLAN ID of the control VLAN PORT VLAN Name Priority Level Information for each VLAN in the output begins with the VLAN type and its ID name and priority level Then ports that are members of the VLAN are listed with the following information Port Port slot number port number BigIron RX show vlan det...

Page 389: ...the Transparent Firewall mode switching of self originated packets is allowed The Transparent Firewall mode feature is a per VLAN configuration and is disabled by default Enabling a transparent firewall To set the mode to transparent enter a command such as the following BigIron RX config vlan 10 transparent fw mode Type Port type physical or trunk Tag Mode Tag mode of the port untagged tagged or ...

Page 390: ...X Series Configuration Guide 53 1001810 01 Transparent firewall mode 11 To set the mode to routed enter a command such as the following BigIron RX config vlan 10 no transparent fw mode Syntax no transparent fw mode ...

Page 391: ...ishes an alternate path to prevent or limit retransmission of data NOTE The total number of supported STP RSTP or MSTP indices is 128 Enabling or disabling STP STP is disabled by default on the device Thus new VLANs you configure on the device have STP disabled by default Table 69 lists the default STP states for the device By default each VLAN on a BigIron RX runs a separate spanning tree instanc...

Page 392: ...bally using the CLI From that point on you can configure STP only within individual VLANs To enable STP for all ports in all VLANs on a device enter the following command BigIron RX config spanning tree This command enables a separate spanning tree in each VLAN including the default VLAN Syntax no spanning tree Enabling or disabling STP on a VLAN Use the following procedure to disable or enable ST...

Page 393: ...erval a bridge will wait for a hello packet from the root bridge before initiating a topology change 20 seconds Possible values 6 40 seconds Hello Time The interval of time between each configuration BPDU sent by the root bridge 2 seconds Possible values 1 10 seconds Priority A parameter used to identify the root bridge in a spanning tree instance of STP The bridge with the lowest value has the hi...

Page 394: ... value priority value disable enable The ethernet slot portnum parameter specifies the interface For descriptions of path cost and priority their default and possible values refer to Table 71 on page 321 If you enter a priority value that is not divisible by four the software rounds it to the nearest value The disable enable parameter disables or re enables STP on the port The STP state change aff...

Page 395: ... no form of the command to disable STP Root Guard on the port Setting the STP root guard timeout period To configure the STP Root protect timeout period globally enter a command such as the following BigIron RX config spanning tree root protect timeout 120 Syntax spanning tree root protect timeout timeout in seconds The timeout in seconds parameter allows you to set the timeout period The timeout ...

Page 396: ...ch as an end station to initiate or participate in an STP topology change In this case you can enable the STP BPDU Guard feature on the Brocade port to which the end station is connected Brocade s STP BPDU Guard feature disables the connected device s ability to initiate or participate in an STP topology change by dropping all BPDUs received from the connected device Enabling STP protection You ca...

Page 397: ...TP entries To display information for VLANs 10 and 2024 only enter show spanning tree 1 The detail parameter and its additional optional parameters display detailed information for individual ports Refer to Displaying detailed STP information for each interface on page 328 The show spanning tree command shows the following information TABLE 72 CLI display of STP information This field Displays Glo...

Page 398: ...dge parameters Root Identifier The ID assigned by STP to the root bridge for this spanning tree in hexadecimal Root Cost The cumulative cost from this bridge to the root bridge If this device is the root bridge then the root cost is 0 DesignatedBridge Identifier The designated bridge to which the root port is connected The designated bridge is the device that connects the network segment on the po...

Page 399: ...ermine the new topology No user frames are transmitted or received during this state LEARNING The port has passed through the LISTENING state and will change to the BLOCKING or FORWARDING state depending on the results of STP s reconvergence The port does not transmit or receive user frames during this state However the device can learn the MAC addresses of frames that the port receives during thi...

Page 400: ...for VLANs 128 and 256 only NOTE If the configuration includes VLAN groups the show span detail command displays the master VLANs of each group but not the member VLANs within the groups However the command does indicate that the VLAN is a master VLAN The show span detail vlan vlan id command displays the information for the VLAN even if it is a member VLAN To list all the member VLANs within a VLA...

Page 401: ...ameters Bridge identifier The STP identity of this device Root The ID assigned by STP to the root bridge for this spanning tree Control ports The ports in the VLAN Active global timers The global STP timers that are currently active and their current values The following timers can be listed Hello The interval between Hello packets This timer applies only to the root bridge Topology Change TC The ...

Page 402: ... The interface number of the designated port from the received BPDU if the interface is not the designated port for the LAN The state can be one of the following BLOCKING STP has blocked Layer 2 traffic on this port to prevent a loop The device or VLAN can reach the root bridge using another port whose state is FORWARDING When a port is in this state the port does not transmit or receive user fram...

Page 403: ...abling SSTP NOTE If the device has only one port based VLAN the default VLAN then it is already running a single instance of STP In this case you do not need to enable SSTP You need to enable SSTP only if the device contains more than one port based VLAN and you want all the ports to be in the same STP broadcast domain To configure the device to run a single spanning tree enter the following comma...

Page 404: ...ing with IEEE 802 1Q devices1 Brocade ports automatically detect PVST BPDUs and enable support for the BPDUs once detected When it is configured for MSTP the device can interoperate with PVST BigIron RX config show spanning tree VLAN 4095 STP instance 0 STP Bridge Parameters Bridge Bridge Bridge Bridge Hold LastTopology Topology Identifier MaxAge Hello FwdDly Time Change Change hex sec sec sec sec...

Page 405: ...N are processed by PVST regions Figure 31 shows the interaction of IEEE 802 1Q PVST and PVST regions FIGURE 31 Interaction of IEEE 802 1Q PVST and PVST regions VLAN tags and dual mode To support the IEEE 802 1Q Common Spanning Tree portion of PVST a port must be a member of VLAN 1 Cisco devices always use VLAN 1 to support the IEEE 802 1Q portion of PVST For the port to also support the other VLAN...

Page 406: ...t that is in PVST compatibility mode due to auto detection reverts to the default MSTP mode when one of the following events occurs The link is disconnected or broken The link is administratively disabled The link is disabled by interaction with the link keepalive protocol This allows a port that was originally interoperating with PVST to revert to multiple spanning tree when connected to a device...

Page 407: ...de feature allows the port to send and receive untagged frames for the default VLAN VLAN 1 in this case in addition to tagged frames for VLANs 2 3 and 4 Enabling the PVST support ensures that the port is ready to send and receive PVST BPDUs If you do not manually enable PVST support the support is not enabled until the port receives a PVST BPDU The configuration leaves the default VLAN and the por...

Page 408: ...mmands change the default VLAN ID configure port 1 1 as a tagged member of VLANs 1 and 2 and enable PVST support on port 1 1 Since VLAN 1 is tagged in this configuration the default VLAN ID must be changed from VLAN 1 to another VLAN ID Changing the default VLAN ID from 1 allows the port to process tagged frames for VLAN 1 VLAN 2 is the port native VLAN The port processes untagged frames and untag...

Page 409: ... interface ethernet 1 1 BigIron RX config if e10000 1 1 pvst mode BigIron RX config if e10000 1 1 exit BigIron RX config interface ethernet 1 2 BigIron RX config if e10000 1 2 pvst mode BigIron RX config if e10000 1 2 exit Setting the ports as dual mode ensures that the untagged IEEE 802 1Q BPDUs reach the VLAN 1 instance SuperSpan SuperSpan is an Brocade STP enhancement that allows Service Provid...

Page 410: ...cted to SP 1 The SP network behaves like a non blocking hub BPDUs are tunneled through the network To prevent a Layer 2 loop customer 1 s port 1 2 enters the blocking state Customer ID SuperSpan uses a SuperSpan customer ID to uniquely identify and forward traffic for each customer You assign the customer ID as part of the SuperSpan configuration of the Brocade devices in the SP In Table 34 on pag...

Page 411: ... Layer 2 loop and block a port The SP network remains unblocked After the Preforwarding state the Brocade ports change to the Forwarding state and forward data traffic as well as BPDUs The default length of the Preforwarding state is five seconds You can change the length of the Preforwarding state to a value from 3 30 seconds Figure 35 shows an example of how the Preforwarding state is used FIGUR...

Page 412: ...le spanning trees in the SP SuperSpan domain The examples below are in super aggregated configuration scenarios Customer and SP use multiple spanning trees Figure 36 shows an example of SuperSpan where both the customer network and the SP network use multiple spanning trees a separate spanning tree in each port based VLAN FIGURE 36 Customer and SP using Multiple Spanning Trees Both the customer an...

Page 413: ...ing trees while the SP network uses Single STP FIGURE 37 Customer using Multiple Spanning Trees and SP using single STP Customer traffic from different VLANs is maintained by different spanning trees while the SP network is maintained by a single spanning tree The SP can still use multiple VLANs at the core to separate traffic from different customers However all VLANs will have the same network t...

Page 414: ... 100 at the SP s network The main difference between this scenario and the previous tow scenarios is that all traffic at the customer s network now follows the same path having the same STP root bridge in all VLANs Therefore the customer network will not have the ability to maximize network utilization on all its links On the other hand loop free non blocking topology is still separately maintaine...

Page 415: ...estination MAC address in the customer s BPDUs The software requires you to specify a SuperSpan customer ID when configuring the boundary interface Use an ID from 1 65535 The customer ID uniquely identifies the customer Use the same customer ID for each SP interface with the same customer When tunneling BPDUs through the Brocade network the devices use the customer ID to ensure that BPDUs are forw...

Page 416: ...onfig if e1000 2 1 stp boundary 1 BigIron RX config interface 2 2 BigIron RX config if e1000 2 2 stp boundary 2 Enabling SuperSpan After you configure the SuperSpan boundary interfaces enable SuperSpan You can enable SuperSpan globally or on an individual VLAN level If you enable the feature globally the feature is enabled on all VLANs NOTE If you enable the feature globally then create a new VLAN...

Page 417: ...rmation refer to Displaying STP information on page 324 TABLE 75 CLI display of SuperSpan customer ID information This field Displays CID The SuperSpan customer ID number Port The boundary port number C BPDU Rxed The number of BPDUs received from the client spanning tree C BPDU Txed The number of BPDUs sent to the client spanning tree T BPDU Rxed The number of BPDUs received from the SuperSpan tun...

Page 418: ...346 BigIron RX Series Configuration Guide 53 1001810 01 SuperSpan 12 ...

Page 419: ...vides rapid convergence and takes advantage of point to point wiring of the spanning tree Failure in one forwarding path does not affect other forwarding paths RSTP improves the operation of the spanning tree while maintaining backward compatibility NOTE The total number of supported STP RSTP or MSTP indices is 128 Bridges and bridge port roles A bridge in an RSTP rapid spanning tree topology is a...

Page 420: ...gorithm calculates the superiority or inferiority of the RST BPDU that is received and transmitted on a port On a root bridge each port is assigned a Designated port role except for ports on the same bridge that are physically connected together In these type of ports the port that receives the superior RST BPDU becomes the Backup port while the other port becomes the Designated port On non root b...

Page 421: ...ort8 on Switch 2 are physically connected The RST BPDUs transmitted by Port7 are superior to those Port8 transmits Therefore Switch 2 is the Backup port and Port7 is the Designated port Ports on Switch 3 Port2 on Switch 3 directly connects to the Designated port on the root bridge therefore it assumes the Root port role The root path cost of the RST BPDUs received on Port4 Switch 3 is inferior to ...

Page 422: ...ated port roles Port flapping does not cause any topology change events on Edge ports since RSTP does not consider Edge ports in the spanning tree calculations FIGURE 41 Topology with edge ports However if any incoming RST BPDU is received from a previously configured Edge port RSTP automatically makes the port as a non edge port This is extremely important to ensure a loop free Layer 2 operation ...

Page 423: ...s entries to be added to the filtering database but does not permit forwarding of data frames The device can learn the MAC addresses of frames that the port receives during this state and make corresponding entries in the MAC table Disabled The port is not participating in RSTP This can occur when the port is disconnected or RSTP is administratively disabled on the port A port on a non root bridge...

Page 424: ...ach port uses the following state machines Port Information This state machine keeps track of spanning tree information currently used by the port It records the origin of the information and ages out any information that was derived from an incoming BPDU Port Role Transition This state machine keeps track of the current port role and transitions the port to the appropriate role when required It m...

Page 425: ...ort or a Backup port must wait until the forward delay timer expires twice on that port while it is still in a Designated role before it can proceed to the forwarding state Backup ports are quickly placed into discarding states Alternate ports are quickly placed into discarding states A port operating in RSTP mode may enter a learning state to allow MAC address entries to be added to the filtering...

Page 426: ...at the port receives is inferior to what it can transmit then the port is given the role of Designated port NOTE Proposed will never be asserted if the port is connected on a shared media link In Figure 43 Port3 Switch 200 is elected as the Root port FIGURE 43 Proposing and proposed stage Switch 100 Root Bridge Switch 200 Switch 300 Switch 400 Port2 Designated port Proposing Port1 Root port Propos...

Page 427: ...oles and states Figure 44 Ports that are non edge ports with a role of Designated port change into a discarding state These ports have to negotiate with their peer ports to establish their new roles and states FIGURE 44 Sync stage BigIron Switch 100 Root Bridge Port1 Designated port Port1 Root port Sync Switch 200 Switch 300 Switch 400 Port2 Sync Discarding Port3 Sync Discarding Port2 Port3 Indica...

Page 428: ...ckup ports are synced The Root port monitors the synced signals from all the bridge ports Once all bridge ports asserts a synced signal the Root port asserts its own synced signal Figure 45 FIGURE 45 Synced stage BigIron Switch 100 Root Bridge Switch 200 Switch 300 Switch 400 Port1 Designated port Port1 Root port Synced Port2 Port3 Indicates a signal Port2 Synced Discarding Port3 Synced Discarding...

Page 429: ...e hello timers to expire on them This process starts the handshake with the downstream bridges For example Port2 Switch 200 sends an RST BPDU to Port2 Switch 300 that contains a proposal flag Port2 Switch 300 asserts a proposed signal Ports in Switch 300 then set sync signals on the ports to synchronize and negotiate their roles and states Then the ports assert a synced signal and when the Root po...

Page 430: ... 60 and Switch 100 follows the one described in the previous section Handshake when no root port is elected on page 353 The former root bridge becomes a non root bridge and establishes a Root port Figure 48 However since Switch 200 already had a Root port in a forwarding state RSTP uses the Proposing Proposed Sync and Reroot Sync and Rerooted Rerooted and Synced Agreed handshake Switch 100 Port2 D...

Page 431: ...ate Figure 48 RSTP algorithm determines that the RST BPDU that Port4 Switch 200 received is superior to what it can generate so Port4 Switch 200 assumes a Root port role FIGURE 48 New root bridge sending a proposal flag Switch 100 Port2 Designated port Switch 60 Port1 Port2 Root port Handshake Completed Port4 Designated port Proposing Proposing Port1 Root port Forwarding RST BPDU sent with a Propo...

Page 432: ... on the bridge assert their sync and reroot signals Information about the old Root port is discarded from all ports Designated ports change into discarding states Figure 49 FIGURE 49 Sync and reroot BigIron Switch 100 Port2 Root port Port2 Designated port Port1 Switch 60 Port4 Designated port Proposing Proposing Port1 Root port Sync Reroot Forwarding Port4 Root port Sync Reroot Discarding Port3 Sy...

Page 433: ...hey also continue to negotiate their roles and states with their peer ports Figure 50 FIGURE 50 Sync and rerooted BigIron Switch 100 Port2 Designated port Switch 60 Port4 Designated port Port2 Root port Port1 Port1 Designated port Sync Rerooted Discarding Port4 Root port Sync Rerooted Discarding Port3 Sync Rerooted Discarding Port2 Sync Rerooted Discarding Switch 200 Proposing Port2 Port3 Switch 3...

Page 434: ...tate FIGURE 51 Rerooted synced and agreed The old Root port on Switch 200 becomes an Alternate Port Figure 52 Other ports on that bridge are elected to appropriate roles BigIron Switch 100 Port2 Designated port Switch 60 Port4 Designated port Forwarding Port 2 Root port Port1 Proposing Port1 Rerooted Synced Discarding Port4 Root port Rerooted Synced Forwarding Port3 Rerooted Synced Discarding Port...

Page 435: ... expires on the port before it goes into forwarding state At this point the handshake between the Switch 60 and Switch 200 is complete The remaining bridges Switch 300 and Switch 400 may have to go through the reroot handshake if a new Root port needs to be assigned Convergence in a simple topology The examples in this section illustrate how RSTP convergence occurs in a simple Layer 2 topology at ...

Page 436: ...nsmits an RST BPDU with a proposal flag to Port3 Switch 3 A ports with a Designated role sends the proposal flag in its RST BPDU when they are ready to move to a forwarding state Port3 Switch 3 which starts with a role of Designated port receives the RST BPDU and finds that it is superior to what it can transmit therefore Port3 Switch 3 assumes a new port role that of a Root port Port3 Switch 3 tr...

Page 437: ...t3 Switch 3 negotiates a new role and state with its peer port Port3 Switch 2 Port4 Switch 3 sends an RST BPDU with an agreed flag to Port4 Switch 1 Both ports go into forwarding states Port2 Switch 2 receives an RST BPDU The RSTP algorithm determines that these RST BPDUs that are superior to any that any port on Switch 2 can transmit therefore Port2 Switch 2 assumes the role of a Root port The ne...

Page 438: ...are physically connected Port5 Switch 1 received RST BPDUs that are superior to those received on Port3 Switch 1 therefore Port5 Switch 1 is given the Backup port role while Port3 is given the Designated port role Port3 Switch 1 does not go directly into a forwarding state It waits until the forward delay time expires twice on that port before it can proceed to the forwarding state Once convergenc...

Page 439: ...ort Port3 Switch 3 then sends an RST BPDU with a proposal flag to Switch 2 along with the new role information However the root bridge ID transmitted in the RST BPDU is still Switch 1 When Port3 Switch 2 receives the RST BPDU RSTP algorithm determines that it is superior to the RST BPDU that it can transmit therefore Port3 Switch 2 receives a new role that of a Root port Port3 Switch 2 then sends ...

Page 440: ...also sends an RST BPDU with an agreed flag to Port2 Switch 1 and then places itself into a forwarding state When Port2 Switch 1 receives the RST BPDU with an agreed flag sent by Port2 Switch 2 it puts that port into a forwarding state The topology is now fully converged When Port3 Switch 3 receives the RST BPDU that Port3 Switch 2 sent RSTP algorithm determines that these RST BPDUs are superior to...

Page 441: ...t port RSTP algorithm selects Port7 as the Designated port while Port8 becomes the Backup port Port3 Switch 5 sends an RST BPDU to Port3 Switch 6 with a proposal flag When Port3 Switch 5 receives the RST BPDU handshake mechanisms select Port3 as the Root port of Switch 6 All other ports are given a Designated port role with discarding states Port3 Switch 6 then sends an RST BPDU with an agreed fla...

Page 442: ...s inferior to what it can transmit therefore the port retains its Designated port role and goes into forwarding state only after the forward delay timer expires twice on that port while it is still in a Designated role Port3 Switch 2 sends an RST BPDU to Port3 Switch 3 that contains a proposal flag Port3 Switch 3 becomes the Root port while all other ports on Switch 3 are given Designated port rol...

Page 443: ...ce TCN to all the bridges in the topology to propagate the topology change NOTE Edge ports Alternate ports or Backup ports do not need to propagate a topology change The TCN is sent in the RST BPDU that a port sends Ports on other bridges in the topology then acknowledge the topology change once they receive the RST BPDU and send the TCN to other bridges until all the bridges are informed of the t...

Page 444: ...t4 Switch 2 Note the new active Layer 2 path in Figure 59 FIGURE 59 Beginning of topology change notice Switch 2 then starts the TCN timer on the Designated ports and sends RST BPDUs that contain the TCN as follows Figure 60 Port5 Switch 2 sends the TCN to Port2 Switch 5 Port4 Switch 2 sends the TCN to Port4 Switch 6 Switch 1 Bridge priority 1000 Switch 2 Bridge priority 200 Switch 5 Bridge priori...

Page 445: ...dges connected to Switch 2 Switch 1 Bridge priority 1000 Switch 2 Bridge priority 200 Switch 5 Bridge priority 60 Switch 6 Bridge priority 900 Switch 4 Bridge priority 400 Switch 3 Bridge priority 300 Port3 Port3 Port3 Port3 Port3 Port3 Port4 Port4 Port4 Port4 Port2 Port2 Port2 Port2 Port5 Port5 Port5 Indicates the active Layer 2 path Indicates direction of TCN Port7 Port8 ...

Page 446: ...n one of the following events occur The port receives a legacy BPDU A legacy BPDU is an STP BPDU or a BPDU in an 802 1D format The port that receives the legacy BPDU automatically configures itself to behave like a legacy port It sends and receives legacy BPDUs only The entire bridge is configured to operate in an 802 1D mode when an administrator sets the bridge parameter to zero at the CLI forci...

Page 447: ... 000 whereas path cost of 802 1D bridges are set between 1 and 65 535 In order for the two bridge types to be able to interoperate in the same topology the administrator needs to configure the bridge path cost appropriately Path costs for either RSTP bridges or 802 1D bridges need to be changed in most cases path costs for RSTP bridges need to be changed Configuring RSTP parameters The remaining R...

Page 448: ...isable or enable RSTP on a port enter commands such as the following BigIron RX config interface 1 1 BigIron RX config if e1000 1 1 no spanning tree Syntax no spanning tree protect The value of protect will drop the BPDUs received on that specific interface Changing RSTP bridge parameters When you make changes to RSTP bridge parameters the changes are applied to individual ports on the bridge To d...

Page 449: ...P port commands can be enabled on individual ports or on multiple ports such as all ports that belong to a VLAN The RSTP port parameters are preconfigured with default values If the default parameters meet your network requirements no other action is required You can change the following RSTP port parameters using the following methods BigIron RX config vlan 10 BigIron RX config vlan 10 rstp ether...

Page 450: ...ange the path and priority costs for port 5 only To do so enter the following commands BigIron RX config spanning tree 802 1w hello time 8 BigIron RX config spanning tree 802 1w ethernet 5 path cost 15 priority 64 Fast port span When STP is running on a device message forwarding is delayed during the spanning tree recalculation period following a topology change The STP forward delay parameter spe...

Page 451: ...5 seconds in response to an STP topology change In normal STP the accelerated cache aging occurs even when a single host goes up or down Because Fast Port Span does not send a topology change notification when a host on a Fast Port Span port goes up or down the unnecessary cache aging that can occur in these circumstances under normal STP is eliminated Fast Port Span is a system wide parameter and...

Page 452: ...e following BigIron RX config fast port span exclude ethernet 1 1 to 1 24 BigIron RX config write memory Syntax no fast port span exclude ethernet portnum ethernet portnum to portnum To re enable Fast Port Span on a port enter a command such as the following BigIron RX config no fast port span exclude ethernet 1 1 BigIron RX config write memory This command re enables Fast Port Span on port 1 1 on...

Page 453: ...ring closet switches switches at the edge of the network cloud In addition enable the feature only on a group of ports intended for redundancy so that at any given time only one of the ports is expected to be in the forwarding state NOTE When the BigIron RX first comes up or when STP is first enabled the uplink ports still must go through the standard STP state transition without any acceleration ...

Page 454: ...comes unavailable one of the other links takes over Because the ports are configured in a Fast Uplink Span group the STP convergence takes about four seconds instead of taking 30 seconds or longer using the standard STP forward delay If you add a port that is the primary port of a trunk group all ports in the trunk group become members of the Fast Uplink Span group You can add ports to a Fast Upli...

Page 455: ...ridge The default is 2 Bridge FwdDly The configured forward delay time for this bridge The default is 15 Force Version The configured force version value One of the following value is displayed 0 The bridge has been forced to operate in an STP compatibility mode 2 The bridge has been forced to operate in an RSTP mode This is the default txHoldCnt The number of BPDUs that can be transmitted per Hel...

Page 456: ...d port for a duration more than the effective age the Root port ages out the existing information and recomputes the topology If the port is operating in 802 1D compatible mode then max age functionality is the same as in 802 1D STP Hello The hello value derived from the Root port It is the number of seconds between two Hello packets Fwd Dly The number of seconds a non edge Designated port waits u...

Page 457: ...Discarding Learning Disabled Refer to Bridge port states on page 351 and Edge port and non edge port states on page 352 Designated Cost The best root path cost that this port received including the best root path cost that it can transmit Designated Bridge The ID of the bridge that sent the best RST BPDU that was received on this port TABLE 78 The show rstp detail command output This field Display...

Page 458: ... number of BPDUs that can be transmitted per Hello Interval The default is 3 Port ID of the port in slot port format Role The current role of the port Root Designated Alternate Backup Disabled Refer to Bridges and bridge port roles on page 347 for definitions of the roles State The port s current RSTP state A port can have one of the following states Forwarding Discarding Learning Disabled Refer t...

Page 459: ... 399 Using MRP diagnostics 404 Displaying MRP information 405 MRP CLI example 407 Metro Ring Protocol MRP phase 1 MRP Phase 1 is a Brocade proprietary protocol that prevents Layer 2 loops and provides fast reconvergence in Layer 2 ring topologies It is an alternative to STP and is especially useful in Metropolitan Area Networks MANs where using STP has the following drawbacks STP allows a maximum ...

Page 460: ...rimary interface the other is the secondary interface The primary interface originates Ring Health Packets RHPs which are used to monitor the health of the ring An RHP is forwarded on the ring to the next interface until it reaches the secondary interface of the master node The secondary interface blocks the packet to prevent a Layer 2 loop NOTE When you configure MRP Brocade recommends that you d...

Page 461: ...en you configured an MRP ring any node on the ring that can be designated as the master node for the ring A master node can be the master node of more than one ring Refer to Figure 64 Each ring is an independent ring and RHP packets are processed within each ring FIGURE 64 Metro ring multiple rings In this example two nodes are each configured with two MRP rings Any node in a ring can be the maste...

Page 462: ...or the health of the ring An RHP is an MRP protocol packet The source address is the MAC address of the master node and the destination MAC address is a protocol address for MRP The Master node generates RHPs and sends them on the ring The state of a ring port depends on the RHPs A ring interface can have one of the following MRP states Preforwarding PF The interface can forward RHPs but cannot fo...

Page 463: ... all ports begin in the Preforwarding state The primary interface on the Master node although it is in the Preforwarding state like the other ports immediately sends an RHP onto the ring The secondary port on the Master node listens for the RHP If the secondary port receives the RHP all links in the ring are up and the port changes its state to Blocking The primary port then sends another MRP with...

Page 464: ...umber to determine the round trip time for RHPs in the ring Refer to MRP phase 2 on page 397 Customer A Customer A Customer A Customer A Switch B Switch A Switch C Switch D F F F F PF PF PF PF PF F F B Secondary port receives RHP 1 and changes to Blocking Primary port then sends RHP 2 with forwarding bit on Master Node Forwarding bit is on Each port changes from Preforwarding to Forwarding when it...

Page 465: ... s RHPs the interface changes state to Preforwarding Once the secondary interface changes state to Preforwarding If the interface receives an RHP the interface changes back to the Blocking state and resets the dead timer If the interface does not receive an RHP for its ring before the Preforwarding time expires the interface changes to the Forwarding state as shown in Figure 67 Forwarding interfac...

Page 466: ...g ports must be in the same VLAN Placing the ring ports in the same VLAN provides Layer 2 connectivity for a given customer across the ring Figure 68 shows an example FIGURE 68 Metro ring ring VLAN and customer VLANs Notice that each customer has their own VLAN Customer A has VLAN 30 and Customer B has VLAN 40 Customer A s host attached to Switch D can reach the Customer A host attached to Switch ...

Page 467: ...r VLAN they must be tagged Do not add another customer s interfaces to the VLAN For more information about topology groups refer to Chapter 16 Topology Groups Refer to MRP CLI example on page 407 for the configuration commands required to implement the MRP configuration shown in Figure 68 Configuring MRP To configure MRP perform the following tasks You need to perform the first task on only one of...

Page 468: ...e will initiate RHPs by default The ring takes effect in VLAN 2 Syntax no metro ring ring id The ring id parameter specifies the ring ID 1 255 Configure the same ring ID on each of the nodes in the ring Syntax no name string The string parameter specifies a name for the ring The name is optional but it can be up to 20 characters long and can include blank spaces If you use a name that has blank sp...

Page 469: ...lo time can be from 100 1000 one second The default hello time is 100 ms The preforwarding time can be from 200 5000 ms but must be at least twice the value of the hello time and must be a multiple of the hello time The default preforwarding time is 300 ms A change to the hello time or preforwarding time takes effect as soon as you enter the command NOTE You can use MRP ring diagnostics to determi...

Page 470: ...ng to the next interface until it reaches the secondary interface of the master node The secondary interface blocks the packet to prevent a Layer 2 loops In MRP Phase 1 a node can have multiple MRP rings but the rings cannot share the same interface Also when you configured an MRP ring any node on the ring that is a BigIron Chassis device can be designated as the master node for the ring Each ring...

Page 471: ...participate in the ring you specify the ring s ID and the interfaces that will be used for ring traffic In a multiple ring configuration a ring s ID determines its priority The lower the ring ID the higher priority of a ring A ring s ID is also used to identify the interfaces that belong to a ring Ring initialization for shared interfaces FIGURE 71 Interface IDs and types Example 1 Example 2 Ring ...

Page 472: ...ed through the interfaces on S4 then to S2 The packet is then forwarded through S2 to S3 but not from S2 to S1 since the link between the two nodes is not available When the packet reaches Ring 1 s master node the packet is forwarded through the secondary interface since it is currently in a preforwarding state A secondary interface in preforwarding mode ignores any RHP packet that is not from its...

Page 473: ...P packet is forwarded to the next interface Forwarding of the packet continues on the ring until the secondary interface of the master node receives the packet and blocks it If the port is a tunnel port MRP checks the priority of the RHP packet and compares it to the priority of the tunnel port If the RHP packet s priority is less than or equal to the interface s priority the packet is forwarded t...

Page 474: ...port on S1 That tunnel port determines that the RHP packet s priority is equal to the port s priority and forwards the packet The RHP packet is forwarded to the remaining interfaces on Ring 2 until it reaches port 3 2 the secondary interface of the master node Port 3 2 then blocks the packet to prevent a loop When the RHP packet from Ring 2 reached S2 it was also forwarded from S2 to S3 on Ring 1 ...

Page 475: ...hared interfaces MRP Phase 2 allows you to enter commands such as the following when configuring MRP BigIron RX config vlan 2 BigIron RX config vlan 2 metro ring 1 BigIron RX config vlan 2 mrp 1 name CustomerA BigIron RX config vlan 2 mrp 1 ring interface ethernet 1 1 ethernet 1 2 BigIron RX config vlan 2 mrp 1 enable BigIron RX config vlan 2 mrp 1 metro ring 2 BigIron RX config vlan 2 mrp 2 name ...

Page 476: ...MRP diagnostics The MRP diagnostics feature calculates how long it takes for RHP packets to travel through the ring When you enable MRP diagnostics the software tracks RHP packets according to their sequence numbers and calculates how long it takes an RHP packet to travel one time through the entire ring When you display the diagnostics the CLI shows the average round trip time for the RHP packets...

Page 477: ...command Syntax show topology group group id Refer to Displaying topology group information on page 438 for more information TABLE 79 CLI display of MRP ring diagnostic information This field Displays Ring id The ring ID Diag state The state of ring diagnostics RHP average time The average round trip time for an RHP packet on the ring The calculated time has a granularity of 1 microsecond Recommend...

Page 478: ...is ring If a topology group is used by MRP the master VLAN controls the MRP settings for all VLANs in the topology group NOTE The topology group ID is 0 if the MRP VLAN is not the master VLAN in a topology group Using a topology group for MRP configuration is optional Topo group The topology group ID Hello time The interval in milliseconds at which the Forwarding port on the ring s master node sen...

Page 479: ...oups only the primary ports of the groups are listed Interface role The interface role can be one of the following primary Master node The interface generates RHPs Member node The interface forwards RHPs received on the other interface the secondary interface secondary The interface does not generate RHPs Master node The interface listens for RHPs Member node The interface receives RHPs Interface ...

Page 480: ...net 4 1 BigIron RX config vlan 40 exit The following commands configure topology group 1 on VLAN 2 The master VLAN is the one that contains the MRP configuration The member VLANs use the MRP parameters of the master VLAN The control interfaces the ones shared by the master VLAN and member VLAN also share MRP state BigIron RX config topology group 1 BigIron RX config topo group 1 master vlan 2 BigI...

Page 481: ...n 40 tag ethernet 4 1 BigIron RX config vlan 40 exit BigIron RX config topology group 1 BigIron RX config topo group 1 master vlan 2 BigIron RX config topo group 1 member vlan 30 BigIron RX config topo group 1 member vlan 40 Commands on switch D BigIron RX config vlan 2 BigIron RX config vlan 2 tag ethernet 1 1 to 1 2 BigIron RX config vlan 2 metro ring 1 BigIron RX config vlan 2 mrp 1 name Metro ...

Page 482: ...410 BigIron RX Series Configuration Guide 53 1001810 01 MRP CLI example 14 ...

Page 483: ...laying VSRP information 429 Overview of Virtual Switch Redundancy Protocol VSRP VSRP is a Brocade proprietary protocol that provides redundancy and sub second failover in Layer 2 and Layer 3 mesh topologies Based on the Brocade s proprietary Virtual Router Redundancy Protocol Extended VRRPE VSRP provides one or more backups for the device If the active device becomes unavailable one of the backups...

Page 484: ...dant paths provided by the VSRP devices In this example three Brocade devices use the redundant paths A Brocade device that is not itself configured for VSRP but is connected to a Brocade device that is configured for VSRP is VSRP aware In this example the three Brocade devices connected to the VSRP devices are VSRP aware A Brocade device that is VSRP aware can failover its link to the new Master ...

Page 485: ... failover Each Backup listens for Hello messages from the Master The Hello messages indicate that the Master is still available If the Backups stop receiving Hello messages from the Master the election process occurs again and the Backup with the highest priority becomes the new Master Each Backup waits for a specific period of time the Dead Interval to receive a new Hello message from the Master ...

Page 486: ...However to ensure that a Backup with a high number of up ports for a given VRID is elected the device reduces the priority if a port in the VRID s VLAN goes down For example if two Backups each have a configured priority of 100 and have three ports in VRID 1 in VLAN 10 each Backup begins with an equal priority 100 This is shown in Figure 75 FIGURE 75 VSRP priority VSRP Master VSRP Backup optional ...

Page 487: ... lower than a Backup s priority the VRID fails over to the Backup Figure 76 shows an example FIGURE 76 VSRP priority recalculation Internet or enterprise Intranet Internet or enterprise Intranet Router 1 Router 2 e 2 4 e 3 2 Owner Backup 192 53 5 1 192 53 5 3 e 1 6 e 1 5 Host1 Default Gateway 192 53 5 1 VRID1 Router1 Master IP address 192 53 5 1 MAC address 00 00 5E 00 01 01 Priority 255 VRID1 Rou...

Page 488: ...o the priority of the other device This is shown in Figure 77 FIGURE 77 VSRP priority bias Track ports Optionally you can configure track ports to be included during VSRP priority calculation In VSRP a track port is a port that is not a member of the VRID s VLAN but whose state is nonetheless considered when the priority is calculated Typically a track port represents the exit side of traffic rece...

Page 489: ...e FIGURE 78 Track port priority In Figure 78 the track port is up SInce the port is up the track priority does not affect the VSRP priority calculation If the track port goes down the track priority does affect VSRP priority calculation as shown in Figure 79 FIGURE 79 Track port priority subtracted during priority calculation VSRP Master VSRP Backup optional link VSRP Aware VSRP Aware VSRP Aware F...

Page 490: ...rval 10 The values for these timers are determined by the VSRP device sending the Hello messages If the Master uses the default timer values the age time for VRID records on the VSRP aware devices is as follows 3 3 3 x 1 10 9 seconds 900 milliseconds In this case if the VSRP aware device does not receive a new Hello message for a VRID in a given VLAN on any port the device assumes the connection t...

Page 491: ...tivated or enabled on a VRID If you want to use Layer 3 VSRP you must enable it by entering the following command at the CONFIG level BigIron RX config router vsrp Syntax no router vsrp If you want to provide Layer 3 redundancy only you could use VRRP or VRRP Extended You may use router vrrp or router vrrp extended as long as router vsrp is not enabled Configuring optional VSRP parameters The foll...

Page 492: ...on which you configure a VRID are interfaces for the VRID You can remove a port from the VRID while allowing the port to remain in the VLAN Removing a port is useful in the following cases There is no risk of a loop occurring such as when the port is attached directly to an end host You plan to use a port in an MRP ring To remove a port from a VRID enter a command such as the following at the conf...

Page 493: ... on the previous VSRP Master which now becomes the Backup returns back online Ports on the non VSRP aware devices switch over to the new Master and learn its MAC address Configuring VSRP fast start The VSRP fast start feature can be enabled on a VSRP configured Brocade device either on the VLAN to which the VRID of the VSRP configured device belongs globally or on a port that belongs to the VRID T...

Page 494: ... priority enter a command such as the following at the configuration level for the VRID BigIron RX config vlan 200 vrid 1 backup priority 75 Syntax no backup priority value track priority value The priority value parameter specifies the VRRP priority for this interface and VRID You can specify a value from 3 254 The default is 100 For a description of the track priority value parameter refer to Ch...

Page 495: ...lowing command BigIron RX config router vsrp BigIron RX config vsrp router slow start 30 Syntax slow start ticks The ticks parameter can range is from 1 to 600 ticks 1 10 second to 60 seconds When the VSRP slow start timer is enabled if the Master goes down the Backup takes over immediately If the Master subsequently comes back up again the amount of time specified by the VSRP slow start timer ela...

Page 496: ...age from the Master before determining that the Master is dead The default is 300 milliseconds This is three times the default Hello interval To change the Dead interval enter a command such as the following at the configuration level for the VRID BigIron RX config vlan 200 vrid 1 dead interval 30 Syntax no dead interval units The units parameter specifies the interval which and can be from 3 84 u...

Page 497: ...milliseconds NOTE If you change the timer scale the change affects the actual number of seconds Changing the default track priority When you configure a VRID to track the link state of other interfaces if one of the tracked interface goes down the software changes the VSRP priority of the VRID interface The software reduces the VRID priority by the amount of the priority of the tracked interface t...

Page 498: ...ion applies only to Backups and takes effect only when the Master has failed and a Backup has assumed ownership of the VRID The feature prevents a Backup with a higher priority from taking over as Master from another Backup that has a lower priority but has already become the Master of the VRID Preemption is especially useful for preventing flapping in situations where there are multiple Backups a...

Page 499: ...g VSRP information You can clear all VSRP statistics globally and per instance by entering the following command BigIron RX clear vsrp Syntax clear vsrp VSRP and MRP signaling A device may connect to an MRP ring through VSRP to provide a redundant path between the device and the MRP ring VSRP and MRP signaling ensures rapid failover by flushing MAC addresses appropriately The host on the MRP ring ...

Page 500: ... MRP ring The MRP node that receives this MRP PDU empties all the MAC address entries from its interfaces that participate on the MRP ring The MRP node then forwards the MRP PDU with the mac flush flag set to the next MRP node that is in forwarding state The process continues until the Master MRP node s secondary blocking interface blocks the packet Once the MAC address entries have been flushed t...

Page 501: ...es for a VRID on page 433 TABLE 81 CLI display of VSRP VRID or VLAN information This field Displays Total number of VSRP routers defined The total number of VRIDs configured on this device VLAN The VLAN on which VSRP is configured auth type The authentication type in effect on the ports in the VSRP VLAN VRID parameters VRID The VRID for which the following information is displayed BigIron RX show ...

Page 502: ...pted by a device with a higher VSRP priority after this device becomes the Master This field can have one of the following values disabled The device cannot be pre empted enabled The device can be pre empted save current The source of VSRP timer values preferred when you save the configuration This field can have one of the following values false The timer values configured on this device are save...

Page 503: ...faults to 3 units hold interval The number of units a Backup that intends to become the Master will wait before actually beginning to forward Layer 2 traffic for the VRID 1 unit 100 milliseconds If the Backup receives a Hello message with a higher priority than its own before the hold down interval expires the Backup remains in the Backup state and does not become the new Master initial ttl The nu...

Page 504: ... VRID The VRID for which the following information is displayed ConfPri The configured priority for the device s preferability for becoming the Master for the VRID CurPri The device s current priority for becoming the Master P Pre empt mode status P pre emption is enabled for the VLAN N pre emption is disabled for the VLAN state This device s VSRP state for the VRID The state can be one of the fol...

Page 505: ...arameter For information about the display when you use the vrid num or vlan vlan id parameter refer to Displaying VRID information on page 429 TABLE 82 CLI display of VSRP aware information This field Displays VLAN ID The VLAN that contains the VSRP aware device s connection with the VSRP Master and Backups VRID The VRID Last Port The most recent active port connection to the VRID This is the por...

Page 506: ...434 BigIron RX Series Configuration Guide 53 1001810 01 Displaying VSRP information 15 ...

Page 507: ... VLANs One instance of the Layer 2 protocol controls all the VLANs For example if a device is deployed in a Metro network and provides forwarding for two MRP rings that each contain 128 VLANs you can configure a topology group for each ring If a link failure in a ring causes a topology change the change is applied to all the VLANs in the ring s topology group Without topology groups you would need...

Page 508: ...y group and MRP refer to Master VLANs and customer VLANs in a topology group on page 394 Control ports and free ports A port in a topology group can be a control port or a free port Control port is a port in the master VLAN and therefore controlled by the Layer 2 protocol configured in the master VLAN The same port in all the member VLANs is controlled by the master VLAN s Layer 2 protocol Each me...

Page 509: ... reconfigure the Layer 2 protocol information in the VLAN or VLAN group Configuring a topology group To configure a topology group enter commands such as the following BigIron RX config topology group 2 BigIron RX config topo group 2 master vlan 2 BigIron RX config topo group 2 member vlan 3 BigIron RX config topo group 2 member vlan 4 BigIron RX config topo group 2 member vlan 5 BigIron RX config...

Page 510: ...ember VLANs in the topology group Common control ports The master VLAN ports that are configured with Layer 2 protocol information The Layer 2 protocol configuration and state of these ports in the master VLAN applies to the same port numbers in all the member VLANs L2 protocol The Layer 2 protocol configured on the control ports The Layer 2 protocol can be one of the following MRP STP RSTP VSRP P...

Page 511: ...ying VRRP and VRRPE information 456 Configuration examples 461 Overview of VRRP This chapter describes how to configure the following router redundancy protocols Virtual Router Redundancy Protocol VRRP The standard router redundancy protocol described in RFC 3768 VRRP Extended VRRPE A Brocade proprietary version of VRRP that overcomes limitations in the standard protocol This protocol works only w...

Page 512: ...er the situation shown in Figure 83 FIGURE 83 Router1 is Host1 s default gateway but is a single point of failure As shown in this example Host1 uses 192 53 5 1 on Router1 as the host s default gateway out of the subnet If this interface goes down Host1 is cut off from the rest of the network Router1 is thus a single point of failure for Host1 s access to other networks Host1 Default Gateway 192 5...

Page 513: ...s configured on Router 1 and Router 2 one of the physical addresses is assigned to the virtual router For example in Figure 84 IP address 192 53 5 1 the IP address assigned to Router 1 s interface 1 6 is assigned as the IP address of virtual router VRID1 Router 1 becomes the Owner of the virtual router VRID1 and is the router that responds to packets addresses to any of the IP addresses in virtual...

Page 514: ...he Owner is still available and new Backup router has a higher priority than the Backup router that is acting as Master Virtual router MAC address When you configure a VRID the software automatically assigns its MAC address as the virtual router s MAC address The first five octets of the address are the standard MAC prefix for VRRP packets as described in RFC 3768 The last octet is the VRID THE VR...

Page 515: ...uters Suppression of RIP advertisements for backed up interfaces The Brocade implementation also enhances VRRP by allowing you to configure the protocol to suppress RIP advertisements for the backed up paths from Backup routers Normally a VRRP Backup router includes route information for the interface it is backing up in RIP advertisements As a result other routers receive multiple paths for the i...

Page 516: ...VRID VRRPE The Master and Backups are selected based on their priority You can configure any of the device devices to be the Master by giving it the highest priority There is no Owner Virtual Router s IP address VRRP requires that the virtual router has an IP address that is configured on the Owner router VRRPE requires only that the virtual router s IP address be in the same subnet as an interfac...

Page 517: ...85 shows an example of a VRRPE configuration FIGURE 85 Router1 and Router2 are configured to provide dual redundant network access for the host In this example Router1 and Router2 use VRRPE to load share as well as provide redundancy to the hosts The load sharing is accomplished by creating two VRRPE groups Each group has its own virtual IP addresses Half of the clients point to VRID 1 s virtual I...

Page 518: ...he protocols can be enabled at a time page 448 page 450 VRRP or VRRPE router The device s active participation as a VRRP or VRRPE router Enabling the protocol does not activate the device for VRRP or VRRPE You must activate the device as a VRRP or VRRPE router after you configure the VRRP or VRRPE parameters Inactive page 448 page 450 Virtual Router ID VRID The ID of the virtual router you are cre...

Page 519: ...ave a priority from 3 254 VRRPE All routers are Backups and have the same priority by default If two or more Backups are tied with the highest priority the Backup interface with the highest IP address becomes the Master for the VRID VRRP 255 for the Owner 100 for each Backup VRRPE 100 for all Backups page 448 page 450 Suppression of RIP advertisements A router that is running RIP normally advertis...

Page 520: ...ax ip address ip addr The IP address you assign to the Owner must be an IP address configured on an interface that belongs to the virtual router Refer to Configuration rules for VRRP on page 449 for additional requirements Track port Another device port or virtual interface whose link status is tracked by the VRID s interface If the link for a tracked interface goes down the VRRP or VRRPE priority...

Page 521: ...ig if e10000 1 5 vrid 1 activate When you configure a Backup router the router interface on which you are configuring the VRID must have a real IP address that is in the same subnet as the address associated with the VRID by the Owner However the address cannot be the same Syntax router vrrp Syntax backup priority value track priority value The priority value parameter specifies the VRRP priority ...

Page 522: ...ion on the auth type no auth simple text auth auth data parameters Also refer to Configuration rules for VRRPE on page 450 additional information on how to configure VRRPE device requires you to identify a VRRPE router as a Backup before you can activate the virtual router However after you configure the virtual router you can use the backup command to change its priority or track priority You als...

Page 523: ...RRPE packets on those interfaces also must use the same authentication Brocade s implementation of VRRP and VRRPE supports the following authentication types No authentication The interfaces do not use authentication This is the default for VRRP and VRRPE Simple The interfaces use a simple text string as a password in packets sent on the interface If the interfaces use simple password authenticati...

Page 524: ...sements To suppress RIP advertisements for interface on which a Backup router is defined in Router2 enter the following commands Router2 config router rip Router2 config rip router use vrrp path Syntax use vrrp path The syntax is the same for VRRP and VRRPE Hello interval The Master periodically sends Hello messages to the Backups The Backups use the Hello messages as verification that the Master ...

Page 525: ...rtise themselves to the Master You can enable these messages if desired and also change the message interval To enable a Backup to send Hello messages to the Master enter commands such as the following BigIron RX config router vrrp BigIron RX config inter e 1 6 BigIron RX config if e10000 1 6 ip vrrp vrid 1 BigIron RX config if e10000 1 6 vrid 1 advertise backup Syntax no advertise backup When you...

Page 526: ... goes down the software reduces the virtual router s priority again by the amount of the tracked interface s track priority The default track priority for a VRRP Owner is 2 The default track priority for Backups is 1 You enter the track priority as a parameter with the owner or backup command Refer to Track port on page 453 Syntax owner track priority value Syntax backup priority value track prior...

Page 527: ...e new priority is lower than at least one Backup s priority for the same virtual router the Backup takes over and becomes the new Master until the next software reload or system reset To verify the change enter the following command from any level of the CLI BigIron RX config if e10000 1 6 vrid 1 show ip vrrp Total number of VRRP routers defined 1 Interface ethernet 1 6 auth type no authentication...

Page 528: ...Refer to Displaying statistics on page 460 This display shows the following information TABLE 85 CLI display of VRRP or VRRPE summary information This field Displays Total number of VRRP or VRRP Extended routers defined The total number of virtual routers configured on this device NOTE The total applies only to the protocol the device is running For example if the device is running VRRPE the total...

Page 529: ... virtual router Backup This device is a Backup for the virtual router Master This device is the Master for the virtual router Master addr The IP address of the router interface that is currently the Master for the virtual router Backup addr The IP addresses of the router interfaces that are currently Backups for the virtual router VIP The virtual IP address that is being backed up by the virtual r...

Page 530: ...s Interface parameters Interface The interface on which VRRP or VRRPE is configured If VRRP or VRRPE is configured on multiple interfaces information for each interface is listed separately auth type The authentication type enabled on the interface Virtual router parameters VRID The virtual router configured on this interface If multiple virtual routers are configured on the interface information ...

Page 531: ... a tracked interface has gone down Refer to Track ports and track priority on page 442 track priority VRRPE priority value assigned to the tracked port hello interval The number of seconds between Hello messages from the Master to the Backups for a given virtual router backup hello interval The number of seconds between Hello messages from a Backup to the Master advertise backup The IP addresses o...

Page 532: ... The Hello message resets the expiration timer An expired Backup does not necessarily affect the Master However if you have not disabled the advertise backup option on the Backup then the expiration may indicate a problem with the Backup NOTE This field applies only when Hello messages are enabled on the Backups using the advertise backup option next hello sent in time How long until the Backup se...

Page 533: ...tead The ethernet slot portnum parameter specifies an Ethernet port If you use this parameter the command displays VRRP information only for the specified port The ve num parameter specifies a virtual interface If you use this parameter the command displays VRRP information only for the specified virtual interface The statistics parameter displays statistics the received vrrp packets with checksum...

Page 534: ...are configuring the Backup to back up the address but you are not duplicating the address NOTE When you configure a Backup router the router interface on which you are configuring the virtual router must have a real IP address that is in the same subnet as the address associated with the virtual router by the Owner However the address cannot be the same The priority parameter establishes the route...

Page 535: ... if e10000 1 6 vrid 1 backup priority 110 track priority 20 Router1 config if e10000 1 6 vrid 1 track port ethernet 2 4 Router1 config if e10000 1 6 vrid 1 ip address 192 53 5 254 Router1 config if e10000 1 6 vrid 1 activate VRRP router 1 for this interface is activating Router1 config if e10000 1 6 vrid 1 exit Router1 config interface ethernet 1 6 Router1 config if e10000 1 6 ip vrrp extended vri...

Page 536: ... as the one associated with this virtual router on the Owner you are configuring the Backup to back up the address but you are not duplicating the address NOTE When you configure a Backup router the router interface on which you are configuring the virtual router must have a real IP address that is in the same subnet as the address associated with the virtual router by the Owner However the addres...

Page 537: ...bject to limited delivery options as configured by a number of different mechanisms Classification Classification is the process of selecting packets on which to perform QoS reading the QoS information and assigning them a priority The classification process assigns a priority to packets as they enter the switch These priorities can be determined on the basis of information contained within the pa...

Page 538: ... on which criteria takes precedence Precedence follows the scheme illustrated in Figure 86 FIGURE 86 Priority resolution As shown in the figure the first criteria considered are port based MAC based and port based VLAN classifications The packet is primarily classified with the higher of these two criteria Next the packet is classified based on the trust level set If there is no trust level set th...

Page 539: ...2 2 2 2 3 3 3 3 3 3 3 3 DSCP value 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Internal Forwarding Priority 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 Forwarding Queue 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 TABLE 89 Default QoS mappings columns 32 to 47 DSCP value 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 802 1p COS Value 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 DSCP value 32 33 34 35 36 37 38 39 40 41 42 43 44 45...

Page 540: ...n Table 87 through Table 90 This mapping is used for COS marking and determining the internal priority when the trust level is COS Changing the CoS internal forwarding priority mappings on page 473 Marking Marking is the process of changing the packet s QoS information the 802 1p and DSCP information in a packet for the next hop You can mark a packet s Layer 2 CoS value its Layer 3 DSCP value or b...

Page 541: ...ies the IEEE 802 1p equivalent to one of the four Brocade QoS queues The numbers correspond to the queues as follows Changing a port s priority To change a port s QoS priority use one of the following methods The priority applies to inbound traffic on the port The default priority of each port is 0 To change the QoS priority of port 1 1 on a device to queue 2 enter the following commands BigIron R...

Page 542: ...t to one of the four QoS queues Configuring ToS based QoS To configure ToS based QoS perform the following tasks Enable ToS based QoS on an interface Once you enable the feature on an individual interface you can configure the trust level and marking for traffic that is received on that interface as described Specify the trust level for packets received on the interface Enable marking of packets r...

Page 543: ...the results of the device s QoS mapping from the specified trust level Configuring the QoS mappings The Brocade device maps a packet s 802 1p or DSCP value to an internal forwarding priority The default mappings are listed in Table 87 through Table 90 You can change the following mappings as described in this section CoS DSCP DSCP DSCP DSCP internal forwarding priority CoS internal forwarding prio...

Page 544: ...his mapping is used when the trust level is set to DSCP In addition to determining the internal forwarding priority of a packet the value also determines the outbound 802 1p value if CoS marking is enabled To change the DSCP internal forwarding priority mappings for all the DSCP ranges enter commands such as the following at the global CONFIG level of the CLI BigIron RX config qos tos map dscp pri...

Page 545: ...rmining the internal forwarding priority of a packet the value also determines the outbound 802 1p value if CoS marking is enabled To change the CoS internal forwarding priority mappings for all the CoS ranges enter commands such as the following at the global CONFIG level of the CLI BigIron RX config qos tos map cos priority 7 4 3 6 5 2 1 0 These commands configure the mappings displayed in the C...

Page 546: ...rust Level i f QoS Mark Trust Level 1 2 Yes Layer 2 CoS ve1 No Layer 2 CoS ve4 No Layer 2 CoS ve5 No Layer 2 CoS ve20 No Layer 2 CoS COS DSCP map COS 0 1 2 3 4 5 6 7 dscp 0 8 16 24 32 40 48 56 DSCP Priority map dscp d1d2 d2 0 1 2 3 4 5 6 7 8 9 d1 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 6 6 5 6 6 6 6 6 6 7 7 7 7 6 7 7 7 7 DSCP DSCP m...

Page 547: ...e and the statistical average q size when calculating the size for WRED calculations Max Instantaneous Q Size The maximum size up to which a queue is allowed to grow Packets that cause the queue to grow beyond this point are unconditionally dropped This variable is user configured TABLE 91 ToS based QoS configuration information This field Displays Interface QoS marking and trust level information...

Page 548: ... size is calculated note that this is not the statistical average queue size refer to Calculating avg q size on page 476 If q size as calculated is below the configured Min Average Queue Size then the packet is accepted If the average queue size is above the Max configured Average Queue Size threshold the packet is dropped If the Average Queue size falls between the Min Average Queue Size and the ...

Page 549: ... is configured with WRED the traffic that exceeds these thresholds can be subjected to the WRED algorithm which drops packets selectively by priority In this configuration packets that exceed the thresholds established by the rate limiting configuration are marked as either exceeding the average rate or maximum burst threshold This marking is then used to select a WRED configuration that determine...

Page 550: ...ge queue size Syntax no qos queue type queue type wred averaging weight avg weight value The queue type variable is the number of the forwarding queue type that you want to configure the averaging weight Wq parameter for There are eight forwarding queue types on device Routers They are numbered 0 to 3 The avg weight value variable is the weight ratio between instantaneous and average queue sizes I...

Page 551: ...ed 0 to 3 with zero as the lowest priority queue and three the highest The policing status variable indicates the traffic policing status for which you want to configure drop precedence The p max variable defines the maximum drop probability in when the queue size is at the value configured for max avg q size This value is expressed as a percentage Configuring the maximum instantaneous queue size ...

Page 552: ...of 64K The default values are shown in Table 93 Setting the maximum packet size To set the maximum drop probability for queue type 1 and drop precedence 0 when the queue size reaches the Max average q size value to 20 use the following command BigIron RX config qos queue type 1 wred drop precedence 0 drop probability max 20 Syntax no qos queue type queue type wred drop precedence drop precedence v...

Page 553: ... size KByte Maximum packet size Byte Maximum drop probability Maximum instantaneous queue size Average weight 0 0 356 1024 16384 2 1024 0 2 1 304 1024 16384 4 2 256 1024 16384 9 3 204 1024 16384 10 1 0 356 1024 16384 2 1024 0 2 1 304 1024 16384 4 2 256 1024 16384 9 3 204 1024 16384 10 2 0 408 1024 16384 2 1024 0 2 1 356 1024 16384 4 2 304 1024 16384 9 3 256 1024 16384 9 3 0 408 1024 16384 2 1024 0...

Page 554: ...ased scheduling With WFQ source based scheduling enabled some weight based bandwidth is allocated to all queues With this scheme the configured weight distribution from an input port is guaranteed allocation in relationship to the configured weight distribution However because multiple input ports can aggregate traffic to a single output port the traffic egressing a single port may not equal the c...

Page 555: ... in Kbps for forwarding queue 0 The Queue1 rate variable defines the minimum bandwidth allocated to lower priority traffic rate in Kbps for forwarding queue 1 The Queue2 rate variable defines the minimum bandwidth allocated to lower priority traffic rate in Kbps for forwarding queue 2 Calculating the values for WFQ source and destination based traffic scheduling Weighted Fair Queueing WFQ scheduli...

Page 556: ...value for queue2 in calculating queue2 s allocated bandwidth The queue3 weight variable defines the relative value for queue3 in calculating queue3 s allocated bandwidth Refer to Calculating the values for WFQ source and destination based traffic scheduling for information on assigning queue0 weight to queue3 weight values Configuring WFQ source based traffic scheduling To configure WFQ source bas...

Page 557: ...ated to forwarding queue 1 in Kbps The Queue2 rate variable defines the maximum bandwidth allocated to forwarding queue 2 in Kbps The Queue3 rate variable defines the maximum bandwidth allocated to forwarding queue 3 in Kbps Configuring minimum rate based traffic scheduling To configure minimum rate based scheduling use a command such as the following BigIron RX config interface ethernet 1 1 BigIr...

Page 558: ...ffort rate of 1Mbps no more then 1Mbps of multicast traffic will be forwarded at one time on ports 1 12 or 13 24 Starting release 02 5 00 data plane multicast traffic is rate limited to 1 8 Gbps per packet processor BigIron RX show qos scheduler Port Scheduler Type Prio0 Prio1 Prio2 Prio3 Rates where specified are in Kbps 13 1 strict 13 2 enhanced strict Rate 100000 200000 300000 Remaining 13 3 mi...

Page 559: ...ulticast best effort rate 10000 Syntax qos multicast best effort rate rate The rate variable defines the bandwidth of multicast traffic that is allowed to pass through the packet processor that include the port this command is configured on On a 24 port x 1 Gbps Interface module a qos multicast command applied to any of the ports numbered 1 to 12 will apply to all of these ports Any command applie...

Page 560: ...rity queue In Server mode the group scheduler uses strict priority between the high and low priority queues Scheduling within a priority is done with WRR using equal weights In Storage mode the group scheduler uses WRR to schedule all high and low priority queues The weights are configured using a CLI command The 16 port 10 Gigabit Ethernet module works in Server mode by default Configuration cons...

Page 561: ... mode This command sets the queues TC associated to the uplink ports In either mode queues 1 4 are low priority and 5 8 are high priority Each network port is assigned one low and high priority queue For example network port 1 uses queues TC 1 and 5 In the strict priority mode the scheduling between high and low priority is strict To enable the fair queuing strict priority mode enter a command suc...

Page 562: ...e of available bandwidth using the following formula Where w x The value of the queue that you want to determine the weight for It can be the value of any weight 0 7 w0 w7 the assigned values of the eight weights Weight of w x the calculated weight as a percentage of the port s total bandwidth For example if you assign the following values to weight 0 to 7 BigIron RX config if e10000 4 1 qos rcv s...

Page 563: ...d for network control traffic which is identified using an independent flag Mirroring ports The 16x 10GE module supports mirroring but with the following limitations A 16X10GE port cannot be configured as mirror port Only one port can be monitored at any time from ports 1 8 and one port can also be monitored at any time from ports 9 16 The mirror port for ingress or egress should be the same port ...

Page 564: ...ic enter the following command BigIron RX config if e10000 4 1 qos rcv scheduler wfq 1 2 1 4 To set the group port 2 weight high prioriy traffic enter the following command BigIron RX config if e10000 4 1 qos rcv scheduler wfq 1 2 1 2 NOTE The configurations for group port 2 will now be associated to s 2 s 6 s 10 s 14 5 To set the group port 3 weight low prioriy traffic enter the following command...

Page 565: ...one or more ports Use the no parameter to return to the default mode Server Use the fq sp parameter to set the 16x10G module to fair queuing strict priority mode Use the wfq parameter to set the 16x10G module to weighted fair queuing mode Use the num parameter to set the port weight Refer to Table 95 on page 491 for additional information on possible values The no qos rcv scheduler command is used...

Page 566: ...494 BigIron RX Series Configuration Guide 53 1001810 01 QoS for the oversubscribed 16 x 10GE modules 18 ...

Page 567: ...se policies can be applied to inbound and outbound traffic Port and VLAN based Limits the rate of packets tagged with a specific VLAN on an individual physical port Only one rate can be specified for each VLAN VLAN group based Limits the traffic for a group of VLANs Members of a VLAN group share the specified bandwidth defined in the rate limiting policy that has been applied to that group You can...

Page 568: ...by the amount of credit accumulated and the rate of traffic passing through the port The maximum burst rate cannot be smaller than 65536 bits Actual rate The device determines actual rate limiting rates through the use of proprietary formulas built into the packet processor hardware The resulting rate that is the closest to the requested rate This leads to variable rate limiting granularities for ...

Page 569: ...ng can be applied on a physical port For example you cannot apply inbound port and ACL based and inbound port based rate limiting policies on the same port Outbound port based rate limiting policy can be combined with any type of inbound rate limiting policy Any VLAN based rate limiting can limit only tagged packets that match the VLAN ID specified in the policy Untagged packets are not subject to...

Page 570: ...imit the rate on all inbound traffic to 500 Mbps with a maximum burst size of 750 Mbps The device adjusts the requested rate to 499639656 bits per second Syntax no rate limit input output requested rate maximum burst input applies rate limiting to inbound traffic on the port Input can be abbreviated as in Output applies rate limiting to outbound traffic on the port Output can be abbreviated as out...

Page 571: ...ing queue refer to Assigning QoS priorities to traffic on page 469 For information on the other parameters refer to Configuring a port based rate limiting policy on page 498 Configuring a port and VLAN based rate limiting policy To configure a port and VLAN based rate limiting policy enter commands such as the following BigIron RX config interface ethernet 1 3 BigIron RX config if e1000 1 3 rate l...

Page 572: ... group that you want to create The vlan command assigns VLANs to the rate limiting VLAN group Possible values are individual VLAN IDs or a range of VLAN IDs 3 Create a rate limiting policy for the VLAN group and apply it to the interface Enter the command such as the following at the interface level BigIron RX config if e1000 1 4 rate limit in group 10 500000000 750000000 The command configures a ...

Page 573: ...policies can be applied on the same ports or ports controlled by the same packet processor as long as there are no common VLANs in the policies Configuring a port and ACL based traffic policing policy You can use standard or extended ACLs for port and ACL based rate limiting policies Standard IP ACLs match traffic based on source IP address information Extended ACLs match traffic based on source a...

Page 574: ...policy on page 498 For information on the number of ACL based rate limiting policies that can be configured refer to the Configuration considerations on page 497 Configuring a port and IPv6 ACL based traffic reduction The port and IPV6 ACL based rate limiting limits the rate of traffic on individual physical ports that match the permit conditions of an IPV6 ACL Traffic that matches the deny condit...

Page 575: ...ate limit avg rate max burst np slot port all To enable Broadcast rate limiting on a specific port enter a command such as the following BigIron RX config broadcast rate limit 1000000 1 np 3 2 Syntax no broadcast rate limit avg rate max burst np slot port all To enable unknown unicast rate limiting on a specific port enter a command such as the following BigIron RX config unknown unicast rate limi...

Page 576: ...mber parameter indicates the rate limiting VLAN group for which the rate limiting policy is created interface slot port displays the rate limiting policy for a particular interface BigIron RX config show rate limit interface e 1 1 rate limit input 499321856 750000000 interface e 1 3 rate limit input vlan id 10 499321856 750000000 rate limit input vlan id 20 97523712 200000000 BigIron RX config sho...

Page 577: ...performance is limited by the CPU s processing power Layer 2 ACLs filter traffic at line rate speed Filtering based on ethertype Layer 2 ACLs can filter traffic based on protocol type For each Layer 2 ACL etype entry bound to a port a CAM entry is written to the corresponding CAM You can conserve CAM space by configuring only the Layer 2 ACLs needed For instance to filter only IPV4 Len 5 traffic s...

Page 578: ...not evaluate the traffic against subsequent clauses By default if the traffic does not match any of the clauses in the ACL table the device drops the traffic To override this behavior specify a permit any any clause at the end of the table to match and forward all traffic not matched by the previous clauses NOTE Use precaution when placing entries within the ACL table The Layer 2 ACL feature does ...

Page 579: ...nism The device accepts this command only when a deny clause is configured When you enable logging for a Layer 2 ACL all traffic matching the clause is sent to the CPU for processing and traffic is denied by the CPU The CPU creates a log entry for the first packet that is denied and once every 10 seconds thereafter The logging mechanism includes sending SNMP traps and log messages to the Syslog se...

Page 580: ...oup num in The num parameter specifies the Layer 2 ACL table ID to bind to the interface Increasing the maximum number of clauses per Layer 2 ACL table You can increase the maximum number of clauses configurable within a Layer 2 ACL table You can specify a maximum of 256 clauses per table The default value is 64 clauses per table To increase the maximum number of clauses per Layer 2 ACL table ente...

Page 581: ...fff ffff ffff 0011 2233 4455 ffff ffff ffff BigIron RX config access list 401 permit any any Using the mask you can make the access list apply to a range of addresses For instance if you changed the mask in the previous example from 0012 3456 7890 to ffff ffff fff0 all hosts with addresses from 0012 3456 7890 to 0012 3456 789f would be blocked This configuration for this example is shown in the fo...

Page 582: ...510 BigIron RX Series Configuration Guide 53 1001810 01 Viewing Layer 2 ACLs 20 ...

Page 583: ...nterface 558 ICMP filtering for extended ACLs 558 Troubleshooting ACLs 560 This chapter describes the IP Access Control List ACL feature which enables you to filter traffic based on the information in the IP packet header For details on Layer 2 ACLs refer to Types of IP ACLs on page 513 You can use IP ACLs to provide input to other features such as route maps distribution lists rate limiting and B...

Page 584: ...rwise the older version of the ACL remains in the CAM and continues to be used You can easily re apply ACLs using the ip rebind acl num name all command Refer to Applying ACLs to interfaces on page 551 You cannot enable any of the following features on the interface if an ACL is already applied to that interface Protection against ICMP or TCP Denial of Service DoS Attacks ACL based rate limiting A...

Page 585: ... standard ACL permits or denies packets based on a source IP address An extended ACL permits or denies packets based on source and destination IP addresses and also based on IP protocol information Super ACLs can match on any field in a packet header from Layer 2 to Layer 4 Super ACLs support all options currently supported in ACL and MAC ACL including QoS marking Standard or extended ACLs can be ...

Page 586: ...NFIG level of the CLI BigIron RX config system max ip filter sys 5000 Syntax no system max ip filter sys num Enter up to 8000 for num The default is 4000 statements You can load ACLs dynamically by saving them in an external configuration file on a flash card or a TFTP server then loading them using one of the following commands copy slot1 slot2 running from name ncopy slot1 slot2 from name runnin...

Page 587: ...CL with a Mirroring Clause Applying the ACL to an Interface Specifying a Destination Mirror Port Specifying the Destination Mirror Port for IP Receive ACLs Creating an ACL with a mirroring clause The mirror keyword has been added for inclusion in IPv4 L2 and IPv6 ACL clauses to direct traffic that meets the clause to be sent to another port In the following examples the ACL is used to direct IP tr...

Page 588: ...1 to 1 2 BigIron RX config trunk 1 1 1 2 acl mirror port ethe port monitored 1 1 ethernet 1 3 Syntax no acl mirror port ethernet port monitored slot port ethernet slot port The slot port variable specifies a port in the trunk that ACL mirror traffic will be mirrored from The ethernet slot port variable specifies port that ACL mirror traffic from the trunk will be mirrored to You can also use the A...

Page 589: ...e first PPCR you have to configure the acl mirror port command on both ports 1 and 2 If you want to mirror IP Receive ACL permit traffic incoming on all ports of the module you have to configure the acl mirror port command on all ports of the module Configuring ACL based mirroring for ACLs bound to virtual interfaces For configurations that have an ACL bound to a virtual interface you must configu...

Page 590: ...Ls This section describes how to configure standard numbered ACLs with numeric IDs For configuration information on named ACLs refer to Configuring standard or extended named ACLs on page 529 For configuration information on extended ACLs refer to Configuring extended numbered ACLs on page 520 Standard ACLs permit or deny packets based on source IP addresses You can configure up to 99 standard ACL...

Page 591: ...urce IP host address to match against The wildcard is a four part value in dotted decimal notation IP address format consisting of ones and zeros Zeros in the mask mean the packet s source address must match the source ip Ones mean any value matches For example the source ip and wildcard values 209 157 22 26 0 0 0 255 mean that all hosts in the Class C subnet 209 157 22 x match the policy If you p...

Page 592: ... IGMP Internet Gateway Routing Protocol IGRP Internet Protocol IP Open Shortest Path First OSPF Transmission Control Protocol TCP User Datagram Protocol UDP For TCP and UDP you also can specify a comparison operator and port name or number For example you can configure a policy to block web access to a specific website by denying all TCP port 80 HTTP packets from a specified source IP address to t...

Page 593: ...g IP traffic on the ports to which you assign the ACL The following commands apply ACL 102 to the incoming and outgoing traffic on port 1 2 and to the incoming traffic on port 4 3 Here is another example of an extended ACL BigIron RX config access list 101 deny tcp host 209 157 22 26 any eq telnet log BigIron RX config access list 101 permit ip any any BigIron RX config int eth 1 1 BigIron RX conf...

Page 594: ...section presents the syntax for creating an extended ACL and for binding the ACL to an interface Use the ip access group command in the interface level to bind the ACL to an interface Syntax no access list num deny permit ip protocol source ip hostname wildcard operator source tcp udp port destination ip hostname wildcard operator destination tcp udp port match all tcp flags match any tcp flags ic...

Page 595: ...nd wildcard values 209 157 22 26 0 0 0 255 mean that all hosts in the Class C subnet 209 157 22 x match the policy If you prefer to specify the wildcard mask value in Classless Interdomain Routing CIDR format you can enter a forward slash after the IP address then enter the number of significant bits in the mask For example you can enter the CIDR equivalent of 209 157 22 26 0 0 0 255 as 209 157 22...

Page 596: ... is bound before SNMP traps and Syslog messages can be generated even if the log parameter is entered Refer to ACL logging on page 544 operator Specifies a comparison operator for the TCP or UDP port number You can enter one of the following operators eq The policy applies to the TCP or UDP port name or number you enter after eq gt The policy applies to TCP or UDP port numbers greater than the por...

Page 597: ...ter the destination TCP or UDP port number match all tcp flags match any tcp flags If you specified TCP for ip protocol you can specify which flags inside the TCP header need to be matched Specify any of the following flags for tcp flags urg Urgent ack Acknowledge psh Push rst Reset syn Synchronize fin Finish Use a or to indicate if the matching condition requires the bit to be set to 1 or 0 separ...

Page 598: ... or number critical or 5 The ACL matches packets that have the critical precedence If you specify the option number instead of the name specify number 5 flash or 3 The ACL matches packets that have the flash precedence If you specify the option number instead of the name specify number 3 flash override or 4 The ACL matches packets that have the flash override precedence If you specify the option n...

Page 599: ... that have the maximum reliability ToS The decimal value for this option is 2 max throughput or 4 The ACL matches packets that have the maximum throughput ToS The decimal value for this option is 4 min delay or 8 The ACL matches packets that have the minimum delay ToS The decimal value for this option is 8 normal or 0 The ACL matches packets that have the normal ToS The decimal value for this opti...

Page 600: ...s mapping When you enter dscp cos mapping the DSCP value in the packet s header is compared to a column in the internal QoS table The 802 1p priority internal forwarding priority and DSCP value that are mapped to the matching column is assigned to the packet For example if the DSCP value in the packet s header is 2 using the mappings in Table 97 the packet s new QoS value is 802 1p COS value 2 DSC...

Page 601: ... packets that are not explicitly denied by the first three ACL entries For an example of how to configure the same entries in a numbered ACL refer to Configuring standard numbered ACLs on page 518 Notice that the command prompt changes after you enter the ACL type and name The std in the command prompt indicates that you are configuring entries for a standard ACL For an extended ACL this part of t...

Page 602: ...CLs and are described in Configuring standard numbered ACLs on page 518 Configuration example for extended ACL To configure a named extended ACL entry enter commands such as the following Syntax no ip access list extended string num deny permit ip protocol source ip hostname wildcard operator source tcp udp port destination ip hostname wildcard operator destination tcp udp port match all tcp flags...

Page 603: ...ted on a device refer to ACL IDs and entries on page 513 Super ACL syntax is keyword based You specify the conditions to match as keyword value pairs Each keyword value pair called a match item specifies a field in the packet header L2 L3 or L4 to be checked and gives the allowable value for this field Fields not specified are called don t care fields and are considered to be matched The match ite...

Page 604: ... keywords IPv4 and MAC ACLs The QoS options are also similar to those in the IPv4 ACL however in super ACL the three QoS marking modes are grouped under the keyword qos marking to simplify the syntax General parameters for super ACLs The following parameters apply to super ACLs num The ACL ID Enter 500 599 for super ACLs deny permit Enter deny if the packets that match the policy are to be dropped...

Page 605: ...nfigured on the device ip pkt len pkt len Specifies the IP packet length to be matched ip fragment match Enables IP fragment matching ip protocol Specifies the IP protocols to be matched sip Enables packet matching based on specific IP source addresses dip Enables packet matching based on specified IP destination addresses sp Enables packet matching based on specified source TCP UDP port dp Enable...

Page 606: ...uses the device to display 80 the port number instead of http the well known port name BigIron config ip show acl service number Syntax no ip show acl service number By default the device displays TCP UDP application information in named notation The following table lists the ports by number and well known name TABLE 98 TCP UDP port numbers and names Port service number Port name Description 1 tcp...

Page 607: ... time XNS Time Protocol 53 dns Domain Name Server 54 xns ch XNS Clearinghouse 55 isi gl ISI Graphics Language 56 xns auth XNS Authentication 58 xns mail XNS Mail 61 ni mail NI MAIL 62 acas ACA Services 64 covia Communications Integrator CI 65 tacacs ds TACACS Database Service 66 sql net Oracle SQL NET 70 gopher Gopher 71 netrjs 1 Remote Job Service 72 netrjs 2 Remote Job Service 73 netrjs 3 Remote...

Page 608: ...ram Relay 100 newacct unauthorized use 101 hostname NIC Host Name Server 102 iso tsap ISO TSAP Class 0 103 gppitnp Genesis Point to Point Trans Net 104 acr nema ACR NEMA Digital Imag Comm 300 105 csnet ns Mailbox Name Nameserver 106 3com tsmux 3COM TSMUX 107 rtelnet Remote Telnet Service 108 snagas SNA Gateway Access Server 109 pop2 Post Office Protocol Version 2 110 pop3 Post Office Protocol Vers...

Page 609: ...SYSMAINT 133 statsrv Statistics Service 134 ingres net INGRES NET Service 135 loc srv DCE endpoint resolution 136 profile PROFILE Naming System 139 netbios ssn NETBIOS Session Service 140 emfis data EMFIS Data Service 141 emfis cntl EMFIS Control Service 142 bl idm Britton Lee IDM 143 imap4 Internet Message Access Protocol 144 news NEWS 145 uaac UAAC Protocol 146 iso tp0 ISO IP0 147 iso ip ISO IP ...

Page 610: ...Xyplex 174 mailq MAILQ 175 vmnet VMNET 176 genrad mux GENRAD MUX 177 xdmcp X Display Manager Control Protocol 178 nextstep NextStep Window Server 179 bgp Border Gateway Protocol 180 ris Intergraph 181 unify Unify 182 audit Unisys Audit SITP 183 ocbinder OCBinder 184 ocserver OCServer 185 remote kis Remote KIS 186 kis KIS Protocol 187 aci Application Communication Interface 188 mumps Plus Five s MU...

Page 611: ...7 AppleTalk Unused 208 at 8 AppleTalk Unused 209 tam The Quick Mail Transfer Protocol 210 z39 50 ANSI Z39 50 211 914c g Texas Instruments 914C G Terminal 212 anet ATEXSSTR 213 ipx IPX 214 vmpwscs VM PWSCS 215 softpc Insignia Solutions 216 atls Access Technology 217 dbase dBASE Unix 218 mpp Netix Message Posting Protocol 219 uarps Unisys ARPs 220 imap3 Interactive Mail Access Protocol v3 221 fln sp...

Page 612: ... 383 hp alarm mgr hp performance data alarm manager 384 arns A Remote Network Server System 385 ibm app IBM Application 386 asa ASA Message Router Object Def 387 aurp Appletalk Update Based Routing Protocol 388 unidata ldm Unidata LDM 389 ldap Lightweight Directory Access Protocol 390 uis UIS 391 synotics relay SynOptics SNMP Relay Port 392 synotics broker SynOptics Port Broker Port 393 dis Meta5 ...

Page 613: ...eek 415 bnet BNet 416 silverplatter Silverplatter 417 onmux Onmux 418 hyper g Hyper G 419 ariel1 Ariel 1 420 smpte SMPTE 421 ariel2 Ariel 2 422 ariel3 Ariel 3 423 opc job start IBM Operations Planning and Control Start 424 opc job track IBM Operations Planning and Control Track 425 icad el ICAD 426 smartsdp smartsdp 427 svrloc Server Location 428 ocs_cmu OCS_CMU 429 ocs_amu OCS_AMU 430 utmpsd UTMP...

Page 614: ...rocess execution 513 login remote login a la telnet 514 cmd cmd 515 printer spooler 518 ntalk ntalk 519 utime inixtime 525 timed timeserver 526 tempo newdate 530 courier rpc 531 conference chat 532 netnews readnews 533 netwall for emergency broadcast 539 apertus ldp Apertus Technologies Load Determination 540 uucp uucpd 541 uucp rlogin uucp rlogin 543 klogin klogin 544 kshell krcmd 550 new rwho ne...

Page 615: ...709 entrustmanager Entrust Key Management Service Handler 729 netviewdm1 IBM Netview DM 6000 Service Handler 730 netviewdm2 IBM Netview DM 6000 send tcp 731 netviewdm3 IBM Netview DM 6000 Server Client 741 netgw netrgw 742 netrcs Network based Rev Cont Sys 744 flexlm Flexible License Manager 747 fujitsu dev Fujitsu License Manager 748 ris cm Russell Info SCI Calender Manager 749 kerberos adm kerbe...

Page 616: ...in hardware no other Syslog message is written for any denied packet during this time Once this wait time expires a Syslog message is written if the device receives another packet that matches the deny condition and the whole cycle is repeated 763 cycleserv Cycle Server 764 omserv Om Server 765 webster webster 767 phonebook phone 769 vid VID 770 cadlock 770 CADLOCK 770 771 rtip rtip 772 cycleserv2...

Page 617: ...X config if e1000 5 1 ip access group enable deny logging Syntax ip access group enable deny logging Specifying the wait time You can specify how long the system waits before it sends a message in the Syslog by entering a command such as the following BigIron RX config ip access list logging age 2 Syntax ip access list logging age minutes Enter 1 10 minutes The default is 5 minutes Modifying ACLs ...

Page 618: ... TFTP server 2 Optionally clear the ACL entries from the ACLs you are changing by placing commands such as the following at the top of the file BigIron config no access list 1 BigIron config no access list 101 When you load the ACL list into the device the software adds the ACL entries in the file after any entries that already exist in the same ACLs Thus if you intend to entirely replace an ACL y...

Page 619: ...show access list 99 Standard IP access list 99 deny host 1 2 4 5 permit host 5 6 7 8 2 To add the comment Permit all users to the second entry in the list enter a command such as the following BigIron RX config access list 99 remark Permit all users 3 Enter the filter permit any For example BigIron RX config std nacl permit any 4 Enter a show access list command displays the following BigIron RX c...

Page 620: ...ntry BigIron RX config show access list name entry Standard IP access list 99 deny host 1 2 4 5 2 Add a new entry with a remark to this named ACL by entering commands such as the following BigIron RX config ip access list standard entry BigIron RX config std nacl remark Deny traffic from Marketing BigIron RX config std nacl deny 5 6 7 8 3 Enter a show access list command to display the new ACL ent...

Page 621: ...config ip access list standard entry BigIron RX config std nacl no remark Deny traffic from Marketing Syntax no remark string Deleting ACL entries Newly created ACL entries are appended to the end of the ACL list Since ACL entries are applied to data packets in the order they appear in a list you need to create ACLs in the order you want them applied If you want to delete an ACL entry from within ...

Page 622: ...y Standard IP access list entry deny host 1 2 4 5 deny host 10 1 1 1 deny host 5 6 7 8 permit any 2 To delete the second ACL entry from the list enter a command such as the following BigIron RX config ip access list standard entry BigIron RX config std nacl no deny host 10 1 1 1 3 Enter the show access list name entry command to display the updated list BigIron RX config ip show access entry all S...

Page 623: ...ied to the ports where the ACL was bound without using the ip rebind acl command NOTE Brocade recommends that this feature only be used when a small number of ACL filters are configured otherwise a delay may be observed Enter commands such as the following to enable ACL automatic rebind BigIron RX config auto acl rebind Syntax no auto acl rebind Manually setting the ACL rebind To reapply ACLs foll...

Page 624: ... Finally the last two commands apply ACL 1 to a subset of the ports associated with virtual interface 1 Syntax no ip access group num in ethernet slot portnum slot portnum to slot portnum NOTE The timer for logging packets denied by Layer 2 filters is separate Configuring the Layer 4 session log timer You can configure the Layer 4 session log timer which tracks packets explicitly denied by an ACL ...

Page 625: ...g port VLAN membership and so on This method is described in Assigning QoS priorities to traffic on page 469 Enabling the IP ToS based QoS feature described in Configuring ToS based QoS on page 470 NOTE If you use an ACL on an interface ToS based QoS assumes that the ACL will perform QoS for all packets except the packets that match the permit ip any any ACL For a list of supported QoS ACL options...

Page 626: ...d or denied packets that matched the conditions of the filters NOTE ACL accounting does not tabulate nor display the number of Implicit denials by an ACL The counters that are displayed on the ACL accounting report are 1s Number of hits during the last second This counter is updated every second 1m Number of hits during the last minute This counter is updated every one minute 5m Number of hits dur...

Page 627: ...ing traffic on the interface Total In Hit The number of hits from incoming traffic processed by all ACL entries filters in the ACL A number is shown for each counter The Total In Hit displays the total number of hits for all the ACL entries or filters in an ACL For example if an ACL has five entries and each entry processed matching conditions three times during the last minute then the total Hits...

Page 628: ...llowing example BigIron RX config clear access list all Syntax clear access list all ethernet slot port ve ve num Enter all to clear all statistics for all ACLs Use ethernet slot port to clear statistics for ACLs a physical port Use ve ve number to clear statistics for all ACLs bound to ports that are members of a virtual routing interface This field Displays The IP multicast traffic snooping stat...

Page 629: ...for the complete syntax for super ACLs Named ACLs BigIron RX config ip access list extended entry deny ip any any fragment BigIron RX config int eth 1 1 BigIron RX config if e10000 1 1 ip access group entry in BigIron RX config write memory The first line in the example defines ACL entry to deny any fragmented packets Other packets will be denied or permitted based on the next filter condition Nex...

Page 630: ...ng of traffic switched within a virtual routing interface enter the following command at the configuration level for the interface BigIron RX config vif 1 ip access group ve traffic in Syntax no ip access group ve traffic in ICMP filtering for extended ACLs Extended ACL policies can be created to filter traffic based on its ICMP message type You can either enter the description of the message type...

Page 631: ...name in quotation marks for example ACL for Net1 The acl num parameter allows you to specify an ACL number if you prefer If you specify a number enter a number from 100 199 for extended ACLs The deny permit parameter indicates whether packets that match the policy are dropped or forwarded You can either use the icmp type and enter the name of the message type or use the type number code number par...

Page 632: ...ion TCP or UDP application ports from the ACL then reapply the ACL log mask reply 18 0 mask request 17 0 net redirect 5 0 net tos redirect 5 2 net tos unreachable 3 11 net unreachable 3 0 packet too big 3 4 parameter problem NOTE This message includes all parameter problems 12 0 port unreachable 3 3 precedence cutoff 3 15 protocol unreachable 3 2 reassembly timeout 11 1 redirect NOTE This includes...

Page 633: ...BigIron RX Series Configuration Guide 561 53 1001810 01 Troubleshooting ACLs 21 If you are using another feature that requires ACLs use the same ACL entries for filtering and for the other feature ...

Page 634: ...562 BigIron RX Series Configuration Guide 53 1001810 01 Troubleshooting ACLs 21 ...

Page 635: ...e to perform the following types of PBR based on a packet s Layer 3 and Layer 4 information Select the next hop gateway Send the packet to the null interface null0 When a PBR policy has multiple next hops to a destination PBR selects the first live next hop specified in the policy that is up If none of the policy s direct routes or next hops are available the packet is routed in the normal way Con...

Page 636: ...ACLs into the Layer 4 CAM on the interfaces and routes traffic that matches the ACLs according to the instructions in the route maps To configure a PBR policy Configure ACLs that contain the source IP addresses for the IP traffic you want to route using PBR Configure a route map that matches on the ACLs and sets the route information Apply the route map to an interface Configure the ACLs PBR uses ...

Page 637: ...specify the wildcard mask value in CIDR format you can enter a forward slash after the IP address then enter the number of significant bits in the mask For example you can enter the CIDR equivalent of 209 157 22 26 0 0 0 255 as 209 157 22 26 24 The CLI automatically converts the CIDR number into the appropriate ACL mask where zeros instead of ones are the significant bits and changes the non signi...

Page 638: ...ine an unlimited number of route maps on the device as long as system memory is available The permit deny parameter specifies the action the device will take if a route matches a match statement If you specify deny the device does not apply a PBR policy to packets that match the ACLs in a match clause Those packets are routed normally If you specify permit the device applies the match and set stat...

Page 639: ...is section presents configuration examples for Basic example on page 567 Setting the next hop on page 568 Setting the output interface to the null interface on page 569 Basic example The following commands configure and apply a PBR policy that routes HTTP traffic received on virtual routing interface 1 from the 10 10 10 x 24 network to 5 5 5 x 24 through next hop IP address 1 1 1 1 24 or if 1 1 1 ...

Page 640: ...mit 50 matches on the IP address information in ACL 50 above For IP traffic from subnet 209 157 23 0 24 this route map entry sets the next hop IP address to 192 168 2 1 BigIron RX config route map test route permit 50 BigIron RX config routemap test route match ip address 50 BigIron RX config routemap test route set ip next hop 192 168 2 1 BigIron RX config routemap test route exit The following c...

Page 641: ...instead of forwarding it thus sparing the rest of the network the unwanted traffic BigIron RX config route map file 13 permit 56 BigIron RX config routemap file 13 match ip address 56 BigIron RX config routemap file 13 set interface null0 BigIron RX config routemap file 13 exit The following command enables PBR by globally applying the route map to all interfaces BigIron RX config ip policy route ...

Page 642: ...570 BigIron RX Series Configuration Guide 53 1001810 01 Trunk formation 22 ...

Page 643: ...ing MSDP mesh groups 630 Clearing MSDP information 642 DVMRP overview 643 Configuring DVMRP 647 Configuring a static multicast route 651 Configuring IP multicast traffic reduction 652 Overview of IP multicasting Multicast protocols allow a group or channel to be accessed over different networks by multiple stations clients for the receipt and transmit of multicast data Distribution of stock quotes...

Page 644: ...r or the BigIron RX Root Node The node that initiates the tree building process It is also the router that sends the multicast packets down the multicast delivery tree Upstream Represents the direction from which a router receives multicast data packets An upstream router is a node that sends multicast packets Downstream Represents the direction to which a router forwards multicast data packets A ...

Page 645: ...nterfaces The ip multicast boundary command allows you to configure a boundary on PIM enabled interface by defining which multicast groups may not forward packets over a specified interface This includes incoming and outgoing packets By default all interfaces that are enabled for multicast are eligible to participate in a multicast flow provided they meet the multicast routing protocol s criteria ...

Page 646: ...terface command BigIron RX show ip pim interface Interface Local Mode Ver Designated Router TTL Multicast Address Address Port Thresh Boundary v10 10 1 2 1 SM V2 Itself 1 None v30 123 1 1 2 SM V2 Itself 1 None v40 124 1 1 2 SM V2 Itself 1 101 Syntax show ip pim interface ethernet slot portnum ve num The ethernet port number parameter specifies which physical port Enter ve num for a virtual interfa...

Page 647: ...config pim router hardware drop disable Syntax no hardware drop disable Displaying hardware drop Use the show ip pim sparse command to display if the hardware drop feature has been enabled or disabled BigIron RX config show ip pim sparse Global PIM Sparse Mode Settings Hello interval 30 Neighbor timeout 105 Bootstrap Msg interval 60 Candidate RP Advertisement interval 60 Join Prune interval 60 SPT...

Page 648: ...ften a router will query an interface for group membership Possible values are 1 3 600 seconds and the default value is 125 seconds To modify the default value for the IGMP V1 and V2 query interval enter the following BigIron RX config ip igmp query 120 Syntax ip igmp query interval 1 3600 Modifying IGMP V1 and V2 membership time Group membership time defines how long a group will remain active on...

Page 649: ...up 224 2 2 2 ethernet 5 2 This command adds port 5 2 in virtual routing interface 1 to multicast group 224 2 2 2 Syntax no ip igmp static group ip addr ethernet slot portnum The ip addr parameter specifies the group number The ethernet slot portnum parameter specifies the port number Use this parameter if the port is a member of a virtual routing interface and you are entering this command at the ...

Page 650: ...IS_EX from that source Filter mode change record If the interface changes its current state from IS_IN to IS_EX a TO_EX record is included in the membership report Likewise if an interface s current state changes from IS_EX to IS_IN a TO_IN record appears in the membership report IGMP V2 Leave report is equivalent to a TO_IN empty record in IGMP V3 This record means that no traffic from this group...

Page 651: ...ously receives queries from routers that are running versions of IGMP that are different from what is on the interface the interface logs warning messages in the syslog every five minutes Reports sent by interfaces to routers that contain different versions of IGMP do not trigger warning messages however you can see the versions of the packets using the show ip igmp traffic command The version of ...

Page 652: ...pecific queries to the interface to see if other clients on that interface need the data stream of the client who is leaving If no client responds the switch waits three seconds before it stops the traffic IGMP V3 contains the tracking and fast leave feature that you enable on virtual routing interfaces Once enabled all physical ports on that virtual routing interface will have the feature enabled...

Page 653: ... Syntax no ip igmp static group ip address Enter the IP address of the static IGMP group for ip address To configure a virtual port to be a permanent static member of an IGMP group enter the following commands BigIron RX config interface ve 10 BigIron RX config vif 10 ip igmp static group 224 10 1 1 ethernet 1 5 Syntax no ip igmp static group ip address ethernet slot number port number Enter the I...

Page 654: ... sent by the router Possible values are 1 10 The default is 10 To change the IGMP maximum response time enter a command such as the following at the global CONFIG level of the CLI BigIron RX config ip igmp max response time 8 Syntax no ip igmp max response time num The num parameter specifies the maximum number of seconds for the response time Enter a value from 1 10 The default is 10 Displaying I...

Page 655: ...No means it is not A port becomes a non querier port when it receives a query from a source with a lower source IP address than the port Life Shows the number of seconds the interface can remain in exclude mode An exclude mode changes to include mode if it does not receive an IS_EX or TO_EX message during a certain period of time The default is 140 seconds There is no life displayed in include mod...

Page 656: ...ces are included Group If you requested a detailed report the following information is displayed The multicast group address The mode of the group A list of sources from which traffic will be admitted include or denied exclude on the interface is listed The life of each source list If you requested a tracking report the clients from which reports were received are identified Table 0 2 This field D...

Page 657: ...for the port are displayed Table 0 3 This field Displays QryV2 Number of general IGMP V2 query received or sent by the virtual routing interface QryV3 Number of general IGMP V3 query received or sent by the virtual routing interface G Qry Number of group specific query received or sent by the virtual routing interface GSQry Number of source specific query received or sent by the virtual routing in...

Page 658: ...s not supported for DVMRP You can configure more than one static multicast route The always uses the most specific route that matches a multicast source address Thus if you want to configure a multicast static route for a specific multicast source and also configure another multicast static route for all other sources you can configure two static routes as shown in the examples below To add static...

Page 659: ...fic from multicast sources other than 207 95 10 0 24 must arrive on port 2 3 Figure 98 shows an example of an IP Multicast network The two static routes configured in the example above apply to this network The commands in the example above configure PIM router A to accept PIM packets from 207 95 10 0 24 when they use the path that arrives at port 1 2 and accept all other PIM packets only when the...

Page 660: ...rp timer commands The next hop validate ARP timer works only on the ARP entries created when the ARP validation check feature has been enabled The timer is used to age out the ARP entries when the next hop goes down All other ARP entries in the system which are NOT created due to static routes follow the normal ARP age timer with default value of 3 minutes Use the validation timer to reduce the re...

Page 661: ...ing multicast packets for group 229 225 0 1 which it receives from the server to its downstream nodes R2 R3 and R4 Router R4 is an intermediate router with R5 and R6 as its downstream routers Because R5 and R6 have no downstream interfaces they are leaf nodes The receivers in this example are those workstations that are resident on routers R2 R3 and R6 Pruning a multicast tree As multicast packets...

Page 662: ...am interfaces and sends a prune message to R1 With R4 in a prune state the resulting multicast delivery tree would consist only of leaf nodes R2 and R3 FIGURE 89 Transmission of multicast packets from the source to host group members 229 225 0 1 Group Member Group Member Video Conferencing Server 207 95 5 1 229 225 0 1 Source Group 229 225 0 1 Group Member Group Member Group Member Group Member Gr...

Page 663: ...g state for this entry is in a prune state R4 sends a graft to R1 Once R4 has joined the tree R4 along with R6 once again receive multicast packets Prune and graft messages are continuously used to maintain the multicast delivery tree No configuration is required on your part PIM DM versions The device supports PIM DM V1 and V2 The default is V2 You can specify the version on an individual interfa...

Page 664: ...ed in RFC 1075 Refer to Configuring PIM Sparse on page 598 for information about configuring PIM Sparse Enabling PIM on the router and an interface By default PIM is disabled To enable PIM Enable the feature globally Configure the IP interfaces that will use PIM Enable PIM locally on the ports that have the IP interfaces you configured for PIM Reload the software to place PIM into effect Suppose y...

Page 665: ...enter either of the following commands at the configuration level for the interface BigIron RX config if e10000 1 1 ip pim version 2 BigIron RX config if e10000 1 1 no ip pim version 1 To disable PIM DM on the interface enter the following command BigIron RX config if e10000 1 1 no ip pim Modifying PIM global parameters PIM global parameters come with preset values The defaults work well in most n...

Page 666: ...expires or a graft message is received for the forwarding entry The default value is 180 seconds To set the PIM prune timer to 90 enter the following BigIron RX config router pim BigIron RX config pim router prune timer 90 Syntax prune timer 10 3600 The default is 180 seconds Modifying the prune wait timer The prune wait command allows you to configure the amount of time a PIM router will wait bef...

Page 667: ... graft message the router responds with a Graft Ack acknowledge message If this Graft Ack message is lost the router that sent the graft message will resend it To change the graft retransmit timer from the default of 180 to 90 seconds enter the following BigIron RX config router pim BigIron RX config pim router graft retransmit timer 90 Syntax graft retransmit timer 60 3600 The default is 180 seco...

Page 668: ...s required for this feature Modifying the TTL The TTL defines the minimum value required in a packet for it to be forwarded out of the interface For example if the TTL for an interface is set at 10 it means that only those packets with a TTL value of 10 or more will be forwarded Likewise if an interface is configured with a TTL Threshold value of 1 all packets received on that interface will be fo...

Page 669: ...h PIM Sparse domain has one active BSR For redundancy you can configure ports on multiple routers as candidate BSRs The PIM Sparse protocol uses an election process to select one of the candidate BSRs as the BSR for the domain The BSR with the highest BSR priority a user configurable parameter is elected If the priorities result in a tie then the candidate BSR interface with the highest IP address...

Page 670: ...or calculating the Shortest Path Tree SPT between a given source and receiver PIM Sparse routers can use the SPT as an alternative to using the RP for forwarding traffic from a source to a receiver By default the device forward the first packet they receive from a given source to a given receiver using the RP path but forward subsequent packets from that source to that receiver through the SPT In ...

Page 671: ...evice within the PIM Sparse domain BigIron RX config router pim Syntax no router pim NOTE You do not need to globally enable IP multicast routing when configuring PIM Sparse The command in this example enables IP multicast routing and enables the PIM Sparse mode of IP multicast routing The command does not configure the device as a candidate PIM Sparse Bootstrap Router BSR and candidate Rendezvous...

Page 672: ...ice as a candidate BSR enter commands such as the following BigIron RX config router pim BigIron RX config pim router bsr candidate ethernet 2 2 30 255 BSR address 207 95 7 1 hash mask length 30 priority 255 This command configures the PIM Sparse interface on port 2 2 as a BSR candidate with a hash mask length of 30 and a priority of 255 The information shown in italics above is displayed by the C...

Page 673: ...oups that begin with 224 126 When you add a range you override the default The device then becomes a candidate RP only for the group address ranges you add You also can change the group numbers for which the device is a candidate RP by deleting address ranges For example to delete all addresses from 224 126 22 0 224 126 22 255 enter the following command BigIron RX config pim router rp candidate d...

Page 674: ...assignment In patch release 02 4 00c of the device the rp address command has been enhanced to allow multiple static RP configurations For each static RP an ACL can be given as an option to define the multicast address ranges that the static RP permit or deny to serve A static RP by default serves the range of 224 0 0 0 4 if the RP is configured without an ACL name If an ACL name is given but the ...

Page 675: ... 1 1 5 230 0 0 5 100 1 1 1 Anycast RP Anycast RP is a method of providing intra domain redundancy and load balancing between multiple Rendezvous Points RP in a Protocol Independent Multicast Sparse mode PIM SM network It is accomplished by configuring all RPs within a domain with the same anycast RP address which is typically a loopback IP address Multicast Source Discovery Protocol MSDP is used b...

Page 676: ...on each of the RPs for MSDP peering This loopback interface is also used as the MSDP originator id The non RP PIM SM routers may be configured to use the anycast RP address statically or dynamically by the PIMv2 bootstrap mechanism Example The example shown in Figure 92 is a simple Anycast enabled network with two RPs and two PIM SM routers Loopback 1 in RP 1 and RP 2 have the same IP address Loop...

Page 677: ...ress 10 1 1 1 32 RP1 config lbif 2 exit RP1 config interface ethernet 5 1 RP1 config if e1000 5 1 ip ospf area 0 RP1 config if e1000 5 1 ip address 192 1 1 1 24 RP1 config if e1000 5 1 ip pim sparse RP1 config interface ethernet 5 2 RP1 config if e1000 5 2 ip ospf area 0 RP1 config if e1000 5 2 ip ospf cost 5 RP1 config if e1000 5 2 ip address 192 2 1 1 24 RP1 config if e1000 5 2 ip pim sparse RP1...

Page 678: ...if e1000 5 2 ip ospf area 0 RP2 config if e1000 5 2 ip ospf cost 5 RP2 config if e1000 5 2 ip address 192 5 2 1 24 RP2 config if e1000 5 2 ip pim sparse RP2 config interface ethernet 5 3 RP2 config if e1000 5 3 ip ospf area 0 RP2 config if e1000 5 3 ip ospf cost 10 RP2 config if e1000 5 3 ip address 192 6 1 2 24 RP2 config if e1000 5 3 ip pim sparse RP2 config if e1000 5 3 exit RP2 config router p...

Page 679: ...ter pim PIMR2 config pim router rp address 10 0 0 1 PIMR2 config pim router exit Route selection precedence for multicast In patch 02 4 00c the route precedence command allows the user to specify a precedence table that dictates how routes are selected for multicast PIM must be enabled at the global level Configuring the route precedence by specifying the route types The route precedence mc non de...

Page 680: ...ce selection BigIron RX config show ip pim sparse Global PIM Sparse Mode Settings Hello interval 30 Neighbor timeout 105 Bootstrap Msg interval 60 Candidate RP Advertisement interval 60 Join Prune interval 60 SPT Threshold 1 Inactivity interval 180 SSM Enabled No Hardware Drop Enabled Yes Route Selection mc non default mc default uc non default uc default Interface Local Mode Ver Designated Router...

Page 681: ...st packet for a given PIM Sparse group The device maintains a separate counter for each PIM Sparse source group pair After the device receives a packet for a given source group pair the device starts a PIM data timer for that source group pair If the device does not receive another packet for the source group pair before the timer expires it reverts to using the RP for the next packet received for...

Page 682: ...ion is enabled by default except for trunks in order that trunk load sharing remains unaffected The ip multicast routing optimization oif list trunks command can be used to turn on optimization for trunks such that the degree of even balance maybe less than when not optimized BigIron RX config ip multicast routing optimization oif list trunks Syntax ip multicast routing optimization oif list trunk...

Page 683: ...RP NOTE This field contains a value only if an interface on the device is elected to be the BSR Otherwise the field is blank Candidate RP Advertisement interval How frequently the candidate PR configured on the device sends candidate RP advertisement messages to the BSR NOTE This field contains a value only if an interface on the device is configured as a candidate RP Otherwise the field is blank ...

Page 684: ...er The interface type can be one of the following Ethernet VE The number is either a port number and slot number if applicable or the virtual interface VE number TTL Threshold Following the TTL threshold value the interface state is listed The interface state can be one of the following Disabled Enabled Local Address Indicates the IP address configured on the port or virtual interface This field D...

Page 685: ...ndidate BSRs are compared and the interface with the highest BSR priority becomes the BSR Hash mask length The number of significant bits in the IP multicast group comparison mask This mask determines the IP multicast group numbers for which the device can be a BSR The default is 32 bits which allows the device to be a BSR for any valid IP multicast group number NOTE This field appears only if thi...

Page 686: ...idate RP advertisement period Indicates how frequently the BSR sends candidate RP advertisement messages NOTE This field appears only if this device is a candidate BSR This field Displays Candidate RP advertisement in Indicates how many seconds will pass before the BSR sends its next RP message NOTE This field appears only if this device is a candidate RP RP Indicates the IP address of the Rendezv...

Page 687: ...im rp hash group addr The group addr parameter is the address of a PIM Sparse IP multicast group This display shows the following information Table 0 4 This field Displays Group address Indicates the PIM Sparse multicast group address using the listed RP RP address Indicates the IP address of the Rendezvous Point RP for the listed PIM Sparse group Table 0 5 This field Displays RP Indicates the IP ...

Page 688: ...re expected and received in the latest Bootstrap message RP num Indicates the RP number If there are multiple RPs in the PIM Sparse domain a line of information for each of them is listed and they are numbered in ascending numerical order priority The RP priority of the candidate RP During the election process the candidate RP with the highest priority is elected as the RP age The age in seconds o...

Page 689: ...ron RX show ip pim rpf 1 2 3 4 no route BigIron RX show ip pim rpf 1 10 10 24 upstream neighbor 1 1 20 1 on v21 using ip route Syntax show ip pim dvmrp rpf IP address Where IP address is a valid source IP address Table 0 7 This field Displays Port The interface through which the device is connected to the neighbor Neighbor The IP interface of the PIM neighbor interface Holdtime sec Indicates how m...

Page 690: ...dp_adv 0 age 0 fid none l2vidx none 3 239 255 255 250 RP10 159 2 2 in v87 cnt 0 Sparse Mode RPT 1 SPT 0 Reg 0 upstream neighbor 10 10 8 45 num_oifs 1 v2 L3 SW 1 e4 23 VL2702 fast 1 slow 0 leaf 0 prun 0 frag 0 tag 0 tnnl 0 swL2 0 hwL2 0 msdp_adv 0 age 0 fid none l2vidx none 4 137 80 133 220 224 225 0 3 in v16 tag e1 3 upstream neighbor 172 17 42 2 L3 HW 2 e1 4 VL15 e1 3 VL11 L2 HW 1 TR e1 5 e1 6 fa...

Page 691: ...ad of the RP path 1 The RP path is used instead of the SPT path NOTE The values of the RP and SPT flags are always opposite one is set to 0 and the other is set to 1 SPT Indicates whether the cache entry uses the RP path or the SPT path The SP flag can have one of the following values 0 The RP path is used instead of the SPT path 1 The SPT path is used instead of the RP path NOTE The values of the...

Page 692: ...e on which the PIM interface is configured Hello The number of PIM Hello messages sent or received on the interface J P The number of Join Prune messages sent or received on the interface NOTE Unlike PIM dense PIM Sparse uses the same messages for Joins and Prunes Register The number of Register messages sent or received on the interface RegStop The number of Register Stop messages sent or receive...

Page 693: ...h Tree protocol switchover occurs for groups in the 232 8 range Not configuring the SSM protocol in PIM Sparse may cause the switch or router to leak unwanted packets with the same group but containing undesired sources to clients After SPT switch over the leak stops and source specific multicast works correctly even without configuring the SSM protocol If the SSM protocol is enabled one S G entry...

Page 694: ...ddress to which the source is sending and the IP address of the RP interface with its peer By default the IP address included in the RP address field of the SA message is the IP address of the originating RP but an SA message can use the IP address of any interface on the originating RP The interface is usually a loopback interface In this example the Source Active message contains the following i...

Page 695: ...P and MBGP for interdomain operations The MSDP routers in domains 3 and 4 also forward the Source Active message to all their peers except the ones that sent them the message Figure 93 does not show additional peers Source active caching When an MSDP router that is also an RP receives a Source Active message the RP checks its PIM Sparse multicast group table for receivers for the group If the DR h...

Page 696: ...ip addr parameter specifies the IP address of the neighbor The connect source loopback num parameter specifies the loopback interface you want to use as the source for sessions with the neighbor NOTE It is strongly recommended that you use the connect source loopback num parameter when issuing the msdp peer command If you do not use this parameter the device uses the subnet interface configured on...

Page 697: ...e specified address as the IP address of the RP in an SA message This address must be the address of the interface used to connect the RP to the source There are no default originator ids The type parameter indicates the type of interface used by the RP Ethernet loopback and virtual routing interfaces ve can be used The number parameter specifies the interface number for example loopback number po...

Page 698: ...rom neighbor 2 2 2 99 NOTE The default action is to deny all source group pairs from the specified neighbor If you want to permit some pairs use route maps BigIron RX config access list 124 permit ip 10 0 0 0 0 255 255 255 any BigIron RX config access list 124 permit ip host 2 2 2 2 any BigIron RX config access list 125 permit ip any any BigIron RX config route map msdp_map deny 1 BigIron RX confi...

Page 699: ...he route map to specify the RP address NOTE The default filter action is deny If you want to permit some source group pairs use a route map A permit action in the route map allows the device to receive the matching source group pairs A deny action in the route map drops the matching source group pairs Filtering advertised source active messages The following example configures the device to advert...

Page 700: ...on is deny If you want to permit some source group pairs use a route map A permit action in the route map allows the device to receive the matching source group pairs A deny action in the route map drops the matching source group pairs Displaying the differences before and after the source active filters are applied This is an example of the Source Actives in the MSDP cache that will be displayed ...

Page 701: ... RP 2 2 2 2 Age 0 42 117 1 0 57 224 200 1 37 RP 2 2 2 2 Age 0 43 117 1 0 30 224 200 1 10 RP 2 2 2 2 Age 0 44 117 1 0 44 224 200 1 24 RP 2 2 2 2 Age 0 45 117 1 0 58 224 200 1 38 RP 2 2 2 2 Age 0 46 117 1 0 31 224 200 1 11 RP 2 2 2 2 Age 0 47 117 1 0 45 224 200 1 25 RP 2 2 2 2 Age 0 48 117 1 0 59 224 200 1 39 RP 2 2 2 2 Age 0 49 117 1 0 32 224 200 1 12 RP 2 2 2 2 Age 0 50 117 1 0 46 224 200 1 26 RP ...

Page 702: ...the SA or the first RP in a domain that receives the SA message is the only one that can forward the message to the members of a mesh group If a mesh group member receives a SA message from a MSDP peer that is not a member of the mesh group and the SA message passes the RPF check then the member forwards the SA message to all members of the mesh group An RP can forward an SA message to any MSRP ro...

Page 703: ...s on the multicast tree towards the originating RP Configuring MSDP mesh group To configure an MSDP mesh group enter commands such as the following on each device that will be included in the mesh group BigIron RX config router msdp BigIron RX config msdp router msdp peer 163 5 34 10 connect source loopback 2 BigIron RX config msdp router msdp peer 206 251 21 31 connect source loopback 2 BigIron R...

Page 704: ...eers using the msdp peer command to assign their IP addresses and the loopback interfaces This information will be used as the source for sessions with the neighbor Next place the MSDP peers within a domain into a mesh group Use the mesh group command There are no default mesh groups The group name parameter identifies the group Enter up to 31 characters for group name You can have up to 4 mesh gr...

Page 705: ...config msdp router msdp peer 1 1 3 1 connect source loopback 1 BigIron RX config msdp router msdp peer 1 1 4 1 connect source loopback 1 BigIron RX config msdp router msdp peer 1 1 2 1 connect source loopback 1 BigIron RX config msdp router msdp peer 17 17 17 7 BigIron RX config msdp router mesh group 1234 1 1 4 1 BigIron RX config msdp router mesh group 1234 1 1 3 1 BigIron RX config msdp router ...

Page 706: ...X config bgp router neighbor 12 12 12 2 next hop self BigIron RX config bgp router neighbor 14 14 14 4 remote as 444 BigIron RX config bgp router neighbor 14 14 14 4 next hop self BigIron RX config bgp router neighbor 17 17 17 7 remote as 777 BigIron RX config bgp router neighbor 17 17 17 7 next hop self BigIron RX config bgp router redistribute connected BigIron RX config bgp router write memory ...

Page 707: ...eighbor 12 12 12 1 next hop self BigIron RX config router bgp redistribute connected BigIron RX config router bgp write memory Configuration for Device C The following set of commands configure the MSDP peers of Device C 1 1 3 1 that are inside and outside MSDP mesh group 1234 Device C s peers inside the mesh group 1234 are 1 1 1 1 1 1 2 1 and 1 1 4 1 Device 35 35 35 5 is a peer of Device C but is...

Page 708: ...uter bsr neighbor 31 31 31 1 remote as 111 BigIron RX config router bsr neighbor 31 31 31 1 next hop self BigIron RX config router bsr redistribute connected BigIron RX config router bsr write memory Configuration for Device D The following set of commands configure the MSDP peers of Device D 1 1 4 1 that are inside and outside MSDP mesh group 1234 Device D s peers inside the mesh group 1234 are 1...

Page 709: ...ck 1 BigIron RX config router pim exit BigIron RX config router bgp BigIron RX config router bsr local as 444 BigIron RX config router bsr neighbor 34 34 34 3 remote as 333 BigIron RX config router bsr neighbor 34 34 34 3 next hop self BigIron RX config router bsr neighbor 14 14 14 1 remote as 111 BigIron RX config router bsr neighbor 14 14 14 1 next hop self BigIron RX config router bsr neighbor ...

Page 710: ... The session is idle LISTENING The session is in the passive open state KA In The number of MSDP Keepalive messages the MSDP router has received from the peer KA Out The number of MSDP Keepalive messages the MSDP router has sent to the peer SA In The number of Source Active messages the MSDP router has received from the peer SA Out The number of Source Active messages the MSDP router has sent to t...

Page 711: ... Hold Time The hold time which specifies how many seconds the MSDP router will wait for a KEEPALIVE or UPDATE message from an MSDP neighbor before deciding that the neighbor is dead The hold time is 90 seconds and is not configurable Keep Alive Message Sent The number of Keep Alive messages the MSDP router has sent to the peer BigIron RX show ip msdp peer Total number of MSDP Peers 2 IP Address St...

Page 712: ...s from the neighbor the message contains an error code corresponding to one of the following errors Some errors have subcodes that clarify the reason for the error Where applicable the subcode messages are listed underneath the error code messages 1 Message Header Error 2 SA Request Error 3 SA Message or SA Response Error 4 Hold Timer Expired 5 Finite State Machine Error 6 Notification 7 Cease For...

Page 713: ...previously sent to the remote TCP which includes an acknowledgment of its connection termination request TIME WAIT Waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request CLOSED There is no connection state Local host The IP address of the MSDP router s interface with the peer Local port The TCP port the MSDP router is using for t...

Page 714: ... The cache entry number SourceAddr The IP address of the multicast source GroupAddr The IP multicast group to which the source is sending information RP The RP through which receivers can access the group traffic from the source Age The number of seconds the entry has been in the cache TABLE 102 MSDP peer information Continued This field Displays BigIron RX show ip msdp sa cache Total Entry 4096 U...

Page 715: ...e CLI BigIron RX clear ip msdp statistics Syntax clear ip msdp statistics ip addr The command in this example clears statistics for all the peers To clear statistics for only a specific peer enter the peer s IP address DVMRP overview The device provides multicast routing with the Distance Vector Multicast Routing Protocol DVMRP routing protocol DVMRP uses IGMP to manage the IP multicast groups DVM...

Page 716: ...e multicast packet and sends a prune message back upstream This process is known as reverse path forwarding In Figure 96 the root node R1 is forwarding multicast packets for group 229 225 0 2 that it receives from the server to its downstream nodes R2 R3 and R4 Router R4 is an intermediate router with R5 and R6 as its downstream routers Because R5 and R6 have no downstream interfaces they are leaf...

Page 717: ...ceive any further multicast traffic until the prune age interval expires FIGURE 96 Downstream broadcast of IP multicast packets from source host 229 225 0 1 Group Member Group Member Video Conferencing Server 207 95 5 1 229 225 0 1 Source Group 229 225 0 1 Group Member Group Member Group Member Group Member Group Member Group Member 229 225 0 1 Leaf Node Leaf Node Leaf Node No Group Members Interm...

Page 718: ...eviously a graft will be sent upstream to R4 Since the forwarding state for this entry is in a prune state R4 sends a graft to R1 Once R4 has joined the tree it along with R6 will once again receive multicast packets You do not need to perform any configuration to maintain the multicast delivery tree The prune and graft messages automatically maintain the tree 229 225 0 1 Group Member Group Member...

Page 719: ...g a router dvmrp command to enable DVMRP does not require a software reload Entering a no router dvmrp command removes all configuration for PIM multicast on a device router pim level only Globally enabling or disabling DVMRP without deleting multicast configuration As stated above enter no router dvmrp removed PIM configuration If you want to disable or enable DVMRP without removing PIM configura...

Page 720: ...ssible values are from 20 4000 seconds The default value is 200 seconds To modify the route expire setting to 50 enter the following BigIron RX config dvmrp router route expire timeout 50 Syntax route expire timeout 20 4000 Modifying route discard time The Route Discard Time defines the period of time before a route is deleted Possible values are from 40 8000 seconds The default value is 340 secon...

Page 721: ...nds The default value is 10 seconds To modify the probe interval setting to 10 enter the following BigIron RX config dvmrp router probe 10 Syntax probe interval 5 30 Modifying report interval The Report Interval defines how often routers propagate their complete routing tables to other neighbor DVMRP routers Possible values are from 10 2000 seconds The default value is 60 seconds To support propag...

Page 722: ...a TTL Threshold value of 1 all packets received on that interface are forwarded Possible values are from 1 64 The default value is 1 To set a TTL of 64 enter the following BigIron RX config int e 1 4 BigIron RX config if e10000 1 4 ip dvmrp ttl 60 Syntax no ip dvmrp ttl threshold 1 64 Modifying the metric The router uses the metric when establishing reverse paths to some networks on directly attac...

Page 723: ... to direct multicast traffic along a specific path The ip mroute command starts with the ip address or ingress ip address the source traffic is received upon The ingress interface network mask and the next hop address leading back to the ingress source ip address To configure static IP multicast routes enter a command such as the following BigIron RX config ip mroute 12 7 1 0 255 255 255 0 17 3 1 ...

Page 724: ...evice to make forwarding decisions in hardware based on multicast group by enabling the IP Multicast Traffic Reduction feature NOTE The IP Multicast Traffic Reduction feature is applicable for Layer 2 mode only When this feature is enabled the device examines the MAC address in an IP multicast packet and forward the packet only on the ports from which the device has received Group Membership repor...

Page 725: ...traffic for all other groups The following sections describe how to configure IP multicast traffic reduction and PIM SM Traffic Snooping parameters on a device Enabling IP multicast traffic reduction By default the device forwards all IP multicast traffic out all ports except the port on which the traffic was received To reduce multicast traffic through the device you can enable IP Multicast Traff...

Page 726: ...f the route only feature is enabled on the device then IP Multicast Traffic Reduction will not be supported To verify that IP Multicast Traffic Reduction is enabled enter the following command at any level of the CLI BigIron RX config show ip multicast IP multicast is enabled Active Syntax show ip multicast Configuring the IGMP mode per VLAN NOTE A router id is required if a virtual interface ve o...

Page 727: ...form of this command disables the tracking process per VLAN For IGMPv3 the above command also internally tracks all the IGMPv3 hosts behind a given port The port is not removed from the IP multicast group entry in the forwarding table until all the hosts behind that port have left that multicast group When the last IGMPv3 host sends a IGMPv3 leave message the port is removed from the IP multicast ...

Page 728: ...to the active mode of IP Multicast Traffic reduction To modify the query interval enter a command such as the following BigIron RX config ip multicast query interval 120 Syntax no ip multicast query interval interval The interval parameter specifies the interval between queries You can specify a value from 10 600 seconds The default is 60 seconds Modifying the age interval When the device receives...

Page 729: ...dary has to be applied you must delete the old bounder first then apply the new ACL To avoid temporary loss in multicast traffic ACLs should be configured before applying them to multicast boundaries Modifying an already applied ACL will take effect immediately Configurations shoube be generated at the VLAN level if user has explicitly configured it regardless of whether it matches the global snoo...

Page 730: ...ry traffic overhead in the network For example if the device is attached to only one group source and two group receivers but has devices attached to every port the device forwards group traffic out all ports in the same broadcast domain except the port attached to the source even though there are only two receivers for the group PIM SM traffic snooping eliminates the superfluous traffic by config...

Page 731: ...t is the only port connected to a receiver for the group Notice that the receiver for group 239 255 162 69 is directly connected to the device As result the device does not see a join message on behalf of the client However since IP multicast traffic reduction also is enabled the device uses the IGMP group membership report from the client to select the port for forwarding traffic to group 239 255...

Page 732: ...es on a single device Configuration requirements IP multicast traffic reduction must be enabled on the device that will be running PIM SM snooping The PIM SM traffic snooping feature requires IP multicast traffic reduction NOTE Use the passive mode of IP multicast traffic reduction instead of the active mode The passive mode assumes that a router is sending group membership queries as well as join...

Page 733: ...and never starts forwarding the traffic This is because the device never receives a join message from the downstream router for the group The downstream router and group find each other without a join message because they are in the same subnet NOTE If the route only feature is enabled on a device PIM SM traffic snooping will not be supported Enabling PIM SM traffic snooping To enable PIM SM traff...

Page 734: ...c group uplink command which sends the traffic to the switch and saves a port The multicast static group group address port list command is for downstream traffic and uses a port Configuring a multicast static group uplink per VLAN When the multicast static group uplink command is enabled on a snooping VLAN the snooping device behaves like an IGMP host on ports connected to the multicast switch Th...

Page 735: ...were received from these ports These ports will not be aged out from the multicast group for not responding to the IGMP queries The multicast static group group address port list command can be configured under the VLAN configuration level only To configure the physical interface ethernet 2 4 to statically join a multicast group enter commands such as the following BigIron RX config vlan 100 BigIr...

Page 736: ...d on IGMPv3 The source address parameter specifies the IP address of the multicast source Each address must be added or deleted one line per source The uplink parameter specifies the port as an uplink port that can receive multicast data for the configured multicast groups Upstream traffic will be sent to the switch and will not use a port The port list parameter specifies the range of ports to in...

Page 737: ...er through which packets must travel to reach the destination If the device receives a RIP update from another router that contains a path with fewer hops than the path stored in the device s route table the device replaces the older route with the newer one The device then includes the new path in the updates it sends to other RIP routers including BigIron RX RIP routers including the device also...

Page 738: ...dd more than one to a learned or advertised route s cost Changing the cost of routes learned or advertised on a port By default a device port increases the cost of a RIP route that is learned on the port The device increases the cost by adding one to the route s metric before storing the route You can change the amount that an individual port adds to the metric of RIP routes learned on the port To...

Page 739: ...lue up to 16 Configuring redistribution filters RIP redistribution filters apply to all interfaces You use route maps to define how you want to deny or permit redistribution NOTE The default redistribution action is permit even after you configure and apply redistribution filters to the virtual routing interface If you want to tightly control redistribution apply a filter to deny all routes as the...

Page 740: ...ibution to connected types The bgp parameter applies redistribution to BGP4 routes The ospf parameter applies redistribution to OSPF routes The static parameter applies redistribution to IP static routes The metric value parameter sets the RIP metric value 1 15 that will be applied to the routes imported into RIP The route map name parameter indicates the route map s name Changing the default redi...

Page 741: ...ghbor 1 deny any Syntax no neighbor filter num permit deny source ip address any This command configures the device so that the device does not learn any RIP routes from any RIP neighbors The following commands configure the device to learn routes from all neighbors except 192 168 1 170 Once you define a RIP neighbor filter the default action changes from learning all routes from all neighbors to ...

Page 742: ...ure the device to avoid routing loops by advertising local RIP routes with a cost of 16 infinite or unreachable when these routes go down BigIron RX config rip router poison local routes Syntax no poison local routes Suppressing RIP route advertisement on a VRRP or VRRPE backup interface NOTE This section applies only if you configure the BigIron RX for Virtual Router Redundancy Protocol VRRP or V...

Page 743: ...Since the default action is permit all other routes routes not explicitly permitted or denied by the filters can be learned or advertised Syntax ip prefix list name permit deny source ip address any source mask any To apply a prefix list at the global level of RIP enter commands such as the following BigIron RX config rip router prefix list list1 in Syntax no prefix list name in out To apply prefi...

Page 744: ...TABLE 104 CLI display of neighbor filter information This field Displays RIP Summary area Shows the current configuration of RIP on the device Statis metric Shows the static metric configuration not defined means the route map has not been distributed BigIron RX show ip rip RIP Summary Default port 520 Administrative distance is 120 updates every 30 seconds expire after 180 Holddown lasts 180 seco...

Page 745: ...r filter table area Index The filter number You assign this number when you configure the filter Action The action the router takes for RIP route packets to or from the specified neighbor deny If the filter is applied to an interface s outbound filter group the filter prevents the router from advertising RIP routes to the specified neighbor on that interface If the filter is applied to an interfac...

Page 746: ...674 BigIron RX Series Configuration Guide 53 1001810 01 Displaying RIP filters 24 ...

Page 747: ...as a number of networks all of which share the same routing and administration characteristics An AS can be divided into multiple areas as shown in Figure 101 on page 676 Each area represents a collection of contiguous networks and hosts Areas limit the area to which link state advertisements are broadcast thereby limiting the amount of flooding that occurs within the network An area is represente...

Page 748: ... in a network Designated routers in multi access networks In a network that has multiple routers attached OSPF elects one router to serve as the designated router DR and another router on the segment to act as the backup designated router BDR This arrangement minimizes the amount of repetitive information that is forwarded on the network by forwarding all messages to the designated router and back...

Page 749: ... becomes the DR The router with the next highest priority becomes the new BDR This process is shown in Figure 103 NOTE Priority is a configurable option at the interface level You can use this parameter to help bias one router as the DR FIGURE 103 Backup designated router becomes designated router If two neighbors share the same priority the router with the highest router ID is designated as the D...

Page 750: ...neighbor declares itself to be the DR or BDR for the first time OSPF RFC 1583 and 2328 compliance Brocade routers are configured by default to be compliant with the RFC 1583 OSPF V2 specification Brocade routers can also be configured to operate with the latest OSPF standard RFC 2328 NOTE For details on how to configure the system to operate with the RFC 2328 refer to Modify OSPF standard complian...

Page 751: ...re BigIron RX switches are configured as ASBRs have equal cost routes to the same next hop router in an external routing domain the ASBR with the highest router ID floods the AS External LSAs for the external domain into the OSPF AS while the other ASBRs flush the equivalent AS External LSAs from their databases As a result the overall volume of route advertisement traffic within the AS is reduced...

Page 752: ...igured so that it is no longer an ASBR In this case the other ASBR floods the AS External LSAs For example if Router D goes off line then Router E starts flooding the AS with AS External LSAs for the route to Router F Support for OSPF RFC 2328 appendix E BigIron RX provides support for Appendix E in OSPF RFC 2328 Appendix E describes a method to ensure that an OSPF router generates unique link sta...

Page 753: ... results in a change to the ID of an LSA that has already been generated the router generates a new LSA to replace the previous one For example if the router has already generated an LSA for network with ID 10 0 0 0 for network 10 0 0 0 255 255 255 0 the router must generate a new LSA for the network if the router needs to generate an LSA for network 10 0 0 0 255 255 0 0 or 10 0 0 0 255 0 0 0 Dyna...

Page 754: ...n the assignment OSPF parameters You can modify or set the following global and interface OSPF parameters Global parameters Modify OSPF standard compliance setting Assign an area Define an area range Define the area virtual link Set global default metric for OSPF Change the reference bandwidth for the default cost of OSPF interfaces Disable or re enable load sharing Enable or disable default infor...

Page 755: ...e disabled protocol is removed from the startup configuration file The CLI displays a warning message such as the following BigIron RX config ospf router no router ospf router ospf mode now disabled All ospf config data will be lost when writing to flash If you have disabled the protocol but have not yet saved the configuration to the startup configuration file and reloaded the software you can re...

Page 756: ...uter ID to take over translation of LSAs for the NSSA The election process for NSSA ABRs is automatic Example To set up the OSPF areas shown in Figure 101 on page 676 use the following method BigIron RX config ospf router area 192 5 1 0 BigIron RX config ospf router area 200 5 0 0 BigIron RX config ospf router area 195 5 0 0 BigIron RX config ospf router area 0 0 0 0 BigIron RX config ospf router ...

Page 757: ... 16777215 There is no default Normal areas do not use the cost parameter The no summary parameter applies only to stub areas and disables summary LSAs from being sent into the area Assign a Not So Stubby Area NSSA The OSPF Not So Stubby Area NSSA feature enables you to configure OSPF areas that provide the benefits of stub areas but that also are capable of importing external route information OSP...

Page 758: ...Type 5 LSAs into the backbone Since the NSSA is partially stubby the ABR does not flood external LSAs from the backbone into the NSSA To provide access to the rest of the Autonomous System AS the ABR generates a default Type 7 LSA into the NSSA Configuring an NSSA To configure OSPF area 1 1 1 1 as an NSSA enter the following commands BigIron RX config router ospf BigIron RX config ospf router area...

Page 759: ...ge 209 157 22 1 255 255 0 0 BigIron RX config ospf router write memory Syntax no area num ip addr range ip addr ip mask advertise not advertise The num ip addr parameter specifies the area number which can be in IP address format If you specify a number the number can be from 0 2 147 483 647 The range ip addr parameter specifies the IP address portion of the range The software compares the address...

Page 760: ...matically included in the assignment To assign interface 1 8 of Router A to area 192 5 0 0 and then save the changes enter the following commands RouterA config ospf router interface e 1 8 RouterA config if e10000 1 8 ip ospf area 192 5 0 0 RouterA config if e10000 1 8 write memory Modify interface defaults OSPF has interface parameters that you can configure For simplicity each of these parameter...

Page 761: ...ID and an MD5 Key The key ID is a number from 1 255 and identifies the MD5 key that is being used The MD5 key can be up to sixteen alphanumeric characters long Cost Indicates the overhead required to send a packet across an interface You can modify the cost to differentiate between 100 Mbps 1Gbps and 10 Gbps The default cost is calculated by dividing 100 million by the bandwidth For 10 Mbps links ...

Page 762: ...on option 1 the software assumes that you are entering the encrypted form of the password or authentication string In this case the software decrypts the password or string you enter before using the value for authentication If you accidentally enter option 1 followed by the clear text version of the password or string authentication will fail because the value used by the software will not match ...

Page 763: ...on methods from one of the following to another of the following Simple text password MD5 authentication No authentication Configuring a new simple text password or MD5 authentication key Changing an existing simple text password or MD5 authentication key To change the authentication change interval enter a command such as the following at the interface configuration level of the CLI BigIron RX co...

Page 764: ...rea backbone The path for a virtual link is through an area shared by the neighbor ABR router with a physical backbone connection and the ABR requiring a logical connection to the backbone Two parameters fields must be defined for all virtual links transit area ID and neighbor router The transit area ID represents the shared area of the two ABRs and serves as the connection point between the two r...

Page 765: ...link is required on the routers in the transit area To define the virtual link on BigIron RXA enter the following commands BigIron RXA config router ospf BigIron RXA config ospf router area 2 BigIron RXA config ospf router area 1 BigIron RXA config ospf router area 1 virtual link 209 157 22 1 BigIron RXA config ospf router write memory Enter the following commands to configure the virtual link on ...

Page 766: ... descriptions of the optional parameters Modify virtual link parameters OSPF has some parameters that you can modify for virtual links Notice that these are the same parameters as the ones you can modify for physical interfaces You can modify default values for virtual links using the following CLI command at the OSPF router level of the CLI as shown in the following syntax Syntax no area num ip a...

Page 767: ...uthentication encrypts the authentication key you define The authentication is included in each OSPF packet transmitted MD5 Authentication Key When simple authentication is enabled the key is an alphanumeric password of up to eight characters When MD5 is enabled the key is an alphanumeric password of up to 16 characters that is later encrypted and included in each OSPF packet transmitted You must ...

Page 768: ... 1 Syntax neighbor ip address For example to configure the feature in a network with three routers connected by a hub or switch each router must have the linking interface configured as a non broadcast interface and both of the other routers must be specified as neighbors The output of the show ip ospf interface command has been enhanced to display information about non broadcast interfaces and ne...

Page 769: ...s numbered point to point networks meaning the OSPF router must have an IP interface address which uniquely identifies the router over the network Brocade does not support unnumbered point to point networks Configuring an OSPF point to point link To configure an OSPF point to point link enter commands such as the following BigIron RX config interface eth 1 5 BigIron RX config if 1 5 ip ospf networ...

Page 770: ...al OSPF area or OSPF interface basis TABLE 105 Output of the show ip ospf interface command This field Displays IP Address The IP address of the interface OSPF state ptr2ptr point to point Pri The link ID as defined in the router LSA This value can be one of the following 1 point to point link 3 point to point link with an assigned subnet Cost The configured output cost for the interface Options O...

Page 771: ...cation will fail because the value used by the software will not match the value you intended to use Changing the reference bandwidth for the cost on OSPF interfaces Each interface on which OSPF is enabled has a cost associated with it The device advertises its interfaces and their costs to OSPF neighbors For example if an interface has an OSPF cost of ten the device advertises the interface with ...

Page 772: ...uch as the following at the OSPF configuration level of the CLI BigIron RX config ospf router auto cost reference bandwidth 500 The reference bandwidth specified in this example results in the following costs 10 Mbps port s cost 500 10 50 100 Mbps port s cost 500 100 5 1000 Mbps port s cost 500 1000 0 5 which is rounded up to 1 The costs for 10 Mbps and 100 Mbps ports change as a result of the cha...

Page 773: ...e acting as the ASBR Autonomous System Boundary Router between the RIP domain and the OSPF domain to redistribute routes between the two domains NOTE The ASBR must be running both RIP and OSPF protocols to support this activity FIGURE 107 Redistributing OSPF and static routes to RIP routes You also have the option of specifying import of just ISIS RIP OSPF BGP4 or static routes as well as specifyi...

Page 774: ...gured the redistribution route map Otherwise you might accidentally overload the network with routes you did not intend to redistribute To enable redistribution of RIP and static IP routes into OSPF enter the following commands Example using a route map To configure a route map and use it for redistribution of routes into OSPF enter commands such as the following BigIron RX config router ospf BigI...

Page 775: ...c of 5 and changes the metric to 8 before placing the route into the OSPF route table The following command shows the result of the redistribution Since only one of the static IP routes configured above matches the route map only one route is redistributed Notice that the route s metric is 5 before redistribution but is 8 after redistribution Syntax no redistribution bgp connected rip isis level 1...

Page 776: ...uter software can use the route information it learns through OSPF to determine the paths and costs Figure 108 shows an example of an OSPF network containing multiple paths to a destination in this case R1 FIGURE 108 Example OSPF network with four equal cost paths In the example in Figure 108 the BigIron RX has four paths to R1 BigIron RX R3 BigIron RX R4 BigIron RX R5 BigIron RX R6 Normally the d...

Page 777: ... the aggregate route is flushed You can configure up to 32 address ranges The device sets the forwarding address of the aggregate route to zero and sets the tag to zero If you delete an address range the advertised aggregate route is flushed and all imported routes that fall within the range are advertised individually If an external LSDB overflow condition occurs all aggregate routes are flushed ...

Page 778: ...es The device advertises the default route into OSPF even if OSPF route redistribution is not enabled and even if the default route is learned through an IBGP neighbor NOTE BigIron RX never advertises the OSPF default route regardless of other configuration parameters unless you explicitly enable default route origination using the following method If the device is an ASBR you can use the always o...

Page 779: ... network route as a default route instead When the software uses the default network route it also uses the default network route s next hop gateway as the gateway of last resort This feature is especially useful in environments where network topology changes can make the next hop gateway unreachable This feature allows the device to perform default routing even if the default network route s defa...

Page 780: ...u can set the delay and hold time to lower values to cause the device to change to alternate paths more quickly in the event of a route failure Note that lower values require more CPU processing time You can change one or both of the timers To change the SPF delay and hold time enter commands such as the following BigIron RX config ospf router timers spf 10 20 The command in this example changes t...

Page 781: ...outes The distance you specify influences the choice of routes when the device has multiple routes for the same network from different protocols The device prefers the route with the lower administrative distance You can specify unique default administrative distances for the following route types Intra area routes Inter area routes External routes The default for all these OSPF route types is 110...

Page 782: ... pacing interval to 10 20 minutes might enhance performance slightly Changing the LSA pacing interval To change the LSA pacing interval use the following CLI method To change the LSA pacing interval to two minutes 120 seconds enter the following command BigIron RX config ospf router timers lsa group pacing 120 Syntax no timers lsa group pacing secs The secs parameter specifies the number of second...

Page 783: ...ilter use the no form of this command Configuring OSPF ABR type 3 LSA filtering To filter inter area routes into a specified area use the following commands beginning in router configuration mode To configure the router to run an OSPF process enter commands such as the following BigIron RX config router ospf BigIron RX config ospf router To filter prefixes advertised in type 3 link state advertise...

Page 784: ... area 10 10 10 1 The device sends routes that go to 20 20 x x to area 10 10 10 1 because the IP prefix list explicitly permits these routes to be sent to the area Syntax ip prefix list name seq seq value description string deny permit network addr mask bits ge ge value le le value The name parameter specifies the prefix list name You use this name when applying the prefix list to a neighbor The se...

Page 785: ...figuration Error Trap Enabled Virtual Interface Configuration Error Trap Enabled Interface Authentication Failure Trap Enabled Virtual Interface Authentication Failure Trap Enabled Interface Receive Bad Packet Trap Enabled Virtual Interface Receive Bad Packet Trap Enabled Interface Retransmit Packet Trap Disabled Virtual Interface Retransmit Packet Trap Disabled Originate LSA Trap Disabled Origina...

Page 786: ... ospf trap These commands are at the OSPF router Level of the CLI Here is a summary of OSPF traps supported on BigIron RX their corresponding CLI commands and their associated MIB objects from RFC 1850 The first list are traps enabled by default interface state change trap MIB object OspfIfstateChange virtual interface state change trap MIB object OspfVirtIfStateChange TABLE 107 Default settings f...

Page 787: ...ample To stop an OSPF trap from being collected use the CLI command no trap ospf trap at the Router OSPF level of the CLI To disable reporting of the neighbor state change trap enter the following command BigIron RX config ospf router no trap neighbor state change trap Example To reinstate the trap enter the following command BigIron RX config ospf router trap neighbor state change trap Syntax no ...

Page 788: ... types of OSPF Syslog messages to log You can specify which kinds of OSPF related Syslog messages are logged By default the only OSPF messages that are logged are those indicating possible system errors If you want other kinds of OSPF messages to be logged you can configure the device to log them For example to specify that all OSPF related Syslog messages be logged enter the following commands Bi...

Page 789: ... page 721 Interface information refer to Displaying OSPF interface information on page 723 Route information refer to Displaying OSPF route information on page 725 External link state information refer to Displaying OSPF external link state Information on page 727 Link state information refer to Displaying OSPF database link state information on page 728 Virtual Neighbor information refer to Displ...

Page 790: ...Enabled Interface Configuration Error Trap Enabled Virtual Interface Configuration Error Trap Enabled Interface Authentication Failure Trap Enabled Virtual Interface Authentication Failure Trap Enabled Interface Receive Bad Packet Trap Enabled Virtual Interface Receive Bad Packet Trap Enabled Interface Retransmit Packet Trap Disabled Virtual Interface Retransmit Packet Trap Disabled Originate LSA ...

Page 791: ...ac_mgr 5 wait 0000d89c 20657628 16384 0 0 1 mrp_mgr 5 wait 0000d89c 2065c628 16384 0 0 1 vsrp 5 wait 0000d89c 20663620 16384 0 0 1 snms 5 wait 0000d89c 20667628 16384 0 0 1 rtm 5 wait 0000d89c 20674628 16384 0 0 1 rtm6 5 wait 0000d89c 2068a628 16384 0 0 1 ip_tx 5 ready 0000d89c 206a9628 16384 0 0 1 rip 5 wait 0000d89c 20762628 16384 0 0 1 bgp 5 wait 0000d89c 207e6628 16384 0 0 1 bgp_io 5 wait 0000...

Page 792: ... BigIron RX Pri Priority of the task in comparison to other tasks State Current state of the task PC current instruction for the task Stack Stack location for the task Size Stack size of the task CPU Usage Percentage of the CPU being used by the task task id Task s ID number assigned by the operating system task vid A memory domain ID TABLE 109 CLI display of OSPF area information This field Displ...

Page 793: ... TABLE 110 CLI display of OSPF neighbor information Field Description Port The port through which the BigIron RX is connected to the neighbor Address The IP address of this BigIron RX s interface with the neighbor Pri The OSPF priority of the neighbor For multi access networks the priority is used during election of the Designated Router DR and Backup designated Router BDR For point to point links...

Page 794: ...nge The router is describing its entire link state database by sending Database Description packets to the neighbor Each Database Description packet has a DD sequence number and is explicitly acknowledged Only one Database Description packet can be outstanding at any time In this state Link State Request packets can also be sent asking for the neighbor s more recent advertisements All adjacencies ...

Page 795: ... router LSA This value can be one of the following 1 point to point link 3 point to point link with an assigned subnet Cost The configured output cost for the interface Options OSPF Options Bit7 Bit0 unused 1 opaque 1 summary 1 dont_propagate 1 nssa 1 multicast 1 externals 1 tos 1 Type The area type which can be one of the following Broadcast 0x01 Point to Point 0x03 Virtual Link 0x04 BigIron RX s...

Page 796: ... 0x00 Wait_Timer 0x01 Backup_Seen 0x02 Neighbor_Change 0x03 Loop_Indication 0x04 Unloop_Indication 0x05 Interface_Down 0x06 Interface_Passive 0x07 Adjacent Neighbor Count The number of adjacent neighbor routers Neighbor The neighbor router s ID TABLE 111 Output of the show ip ospf interface command Continued This field Displays ...

Page 797: ..._Type 10 65 12 1 255 255 255 255 1 0 Intra Adv_Router Link_State Dest_Type State Tag Flags 10 65 12 1 10 65 12 1 Asbr Valid 0 6000 Paths Out_Port Next_Hop Type State 1 v204 10 65 5 251 OSPF 21 01 2 v201 10 65 2 251 OSPF 20 d1 3 v202 10 65 3 251 OSPF 20 cd 4 v205 10 65 6 251 OSPF 00 00 OSPF Area Summary Routes 1 Destination Mask Path_Cost Type2_Cost Path_Type 10 65 0 0 255 255 0 0 0 0 Inter Adv_Rou...

Page 798: ...asses into another area Intra The path to the destination is entirely within the local area External1 The path to the destination is a type 1 external route External2 The path to the destination is a type 2 external route Adv_Router The OSPF router that advertised the route to this BigIron RX Link State The link state from which the route was calculated Dest_Type The destination type which can be ...

Page 799: ...d format NOTE You cannot use the extensive option in combination with other display options The entire database is displayed The link state id ip addr parameter displays the External LSAs for the LSA source specified by IP addr The router id ip addr parameter shows the External LSAs for the specified OSPF router The sequence number num Hex parameter displays the External LSA entries for the specif...

Page 800: ...ddress Netmask The subnet mask of the network Metric The cost value of the route Flag State information for the route entry This information is used by Brocade technical support TABLE 113 CLI display of OSPF external link state information Continued This field Displays BigIron RX show ip ospf database link state Index Area ID Type LS ID Adv Rtr Seq Hex Age Cksum 1 0 Rtr 10 1 10 1 10 1 10 1 800060e...

Page 801: ...ID of the OSPF area Type LS ID Link state type of the route Adv Rtr ID of the advertised route Seq Hex The sequence number of the LSA The OSPF neighbor that sent the LSA stamps the LSA with a sequence number This number enables the BigIron RX and other OSPF routers to determine which LSA for a given route is the most recent Age The age of the LSA in seconds Cksum The checksum for the LSA packet Th...

Page 802: ... summer time clock timezone us Pacific hostname R11 RX8 Outgoing interface ID of the interface on the router for the outgoing route Area ID of the OSPF area to which the OSPF router belongs TABLE 115 CLI display of OSPF border routers Continued This field Displays BigIron RX show ip ospf trap Interface State Change Trap Enabled Virtual Interface State Change Trap Enabled Neighbor State Change Trap...

Page 803: ...e configuration in Figure 109 Syntax show ip ospf virtual neighbor num The num parameter displays the table beginning at the specified entry number DeviceA R10 MG8 192 168 148 10 DeviceE R14 RX8 192 168 148 14 DeviceB R11 RX16 192 168 148 11 Area 1 Area 1 Area 2 Area 0 3A4 7 1 6 1 1 17 7 23 131 1 1 10 16 135 14 1 10 16 135 14 1 1 16 8 11 1 1 8 3A1 5 1 27 14 1 27 8 6 2 27 11 1 27 8 BigIron RX show ...

Page 804: ...As from the network informing the helper routers of the completion of the restart process If the restarting router does not re establish adjacencies with the helper router within the restart time the helper router stops the helping function and flushes the stale OSPF routes Configuring OSPF graceful restart To configure OSPF Graceful Restart on a router the restarting router and its directly conne...

Page 805: ...l restart The following is an example of what the show ip ospf data grace link state command that is displayed during a restart event The output is blank if the report is requested while the OSPF router is in normal operation The show ip ospf neighbor command displays the following information during normal operation BigIron RX show ip ospf data grace link state Area Interface Router ID Type Age R...

Page 806: ...spf router graceful restart BigIron RX config ospf router area 0 Router 3 BigIron RX config router ospf BigIron RX config ospf router graceful restart BigIron RX config ospf router area 0 BigIron RX sh ip ospf neigh Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 3 1 30 1 0 5 0 FULL OTHER 30 1 0 13 30 0 0 13 5 2 0 3 27 25 27 0 8 1 FULL DR 25 27 0 14 12 1 0 14 20 2 0 in graceful restart st...

Page 807: ...ppear once restart is complete The restarting router should resync LSDB with its peers when the restart has completed BigIron RX 1 show ip ospf neigh Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 3 7 40 0 1 1 1 EXST DR 40 0 1 3 9 0 1 24 24 2 0 in graceful restart state helping 1 timer 112 sec BigIron RX 3 show ip ospf neighbor Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt 2 2...

Page 808: ...736 BigIron RX Series Configuration Guide 53 1001810 01 Displaying OSPF information 25 ...

Page 809: ...t Discriminators MEDs 757 Redistributing IBGP routes 758 Disabling or re enabling client to client route reflection 759 Configuring a route reflector 759 Enabling or disabling comparison of the router IDs 759 Configuring confederations 760 Configuring route flap dampening 763 Originating the default route 764 Changing the default local preference 764 Changing the default metric used for redistribu...

Page 810: ...P4 is the standard Exterior Gateway Protocol EGP used on the Internet to route traffic between Autonomous Systems AS and to maintain loop free routing An autonomous system is a collection of networks that share the same routing and administration characteristics For example a corporate Intranet consisting of several networks under common administrative control might be considered an AS The network...

Page 811: ...routes and chooses only one of the routes to send to the IP route table The route that BGP chooses and sends to the IP route table is the preferred route This route is what the device advertises to other BGP neighbors If the preferred route goes down BGP4 updates the route information in the IP route table with a new BGP4 preferred route NOTE If IP load sharing is enabled and you enable multiple e...

Page 812: ... path for a route When multiple paths for the same route prefix are known to a BGP4 router the router uses the following algorithm to weigh the paths and determine the optimal path for the route The optimal path depends on various parameters which can be modified 1 Is the next hop accessible though an Interior Gateway Protocol IGP route If not ignore the path NOTE By default the device does not us...

Page 813: ... EBGP from a BGP4 neighbor outside of the confederation Routes received through EBGP from a BGP4 router within the confederation Routes received through IBGP 9 If all the comparisons above are equal prefer the route with the lowest IGP metric to the BGP4 next hop This is the closest internal path inside the AS to reach the destination 10 If the internal paths also are the same and BGP4 load sharin...

Page 814: ...ce to that neighbor goes down This capability is provided by the fast external fallover feature which is disabled by default BGP Identifier The router ID The BGP Identifier router ID identifies the BGP4 router to other BGP4 routers The device use the same router ID for OSPF and BGP4 If you do not set a router ID the software uses the IP address on the lowest numbered loopback interface configured ...

Page 815: ...TE message from a BGP4 neighbor before deciding that the neighbor is dead The Hold Time is negotiated when BGP4 routers exchange OPEN messages the lower Hold Time is then used by both neighbors For example if BGP4 Router A sends a Hold Time of 5 seconds and BGP4 Router B sends a Hold Time of 4 seconds both routers use 4 seconds as the Hold Time for their BGP4 session The default Hold Time is 180 s...

Page 816: ...d route attribute entries Dynamic memory allocation is performed automatically by the software and does not require a reload As a guideline BigIron RX switches with a 2 GB Management 4 module can accommodate 150 200 neighbors with the assumption that the device receives about one million routes total from all neighbors and sends about eight million routes total to neighbors For each additional one...

Page 817: ...lways compare med x Configuring the BigIron RX to always compare Multi Exit Discriminators MEDs on page 757 as path filter x as path ignore x Disabling or re enabling comparison of the AS path length on page 758 bgp redistribute internal x Redistributing IBGP routes on page 758 client to client reflection Disabling or re enabling client to client route reflection on page 759 cluster id x Configuri...

Page 818: ...ging the maximum number of shared BGP4 paths on page 768 med missing as worst x Treating missing MEDs as the worst MEDs on page 768 multipath x Customizing BGP4 load sharing on page 769 neighbor x x x Configuring BGP4 neighbors on page 769 Configuring a BGP4 peer group on page 776 network x x Specifying a list of networks to advertise on page 779 next hop enable default x Using the IP default rout...

Page 819: ... of the AS Path length Enable comparison of the router ID Enable next hop recursion Change the default metric Disable or re enable route reflection Configure confederation parameters Disable or re enable load sharing Change the maximum number of load sharing paths Change other load sharing parameters Define route flap dampening parameters Add change or negate redistribution parameters except chang...

Page 820: ...he BGP4 protocol For information on the local AS number refer to Setting the local AS number on page 767 NOTE By default the Brocade router ID is the IP address configured on the lowest numbered loopback interface If the BigIron RX does not have a loopback interface the default router ID is the lowest numbered IP interface address configured on the device For more information refer to Changing the...

Page 821: ...onfiguration level The BGP address family has a unicast or multicast sub level To enter the IPv4 BGP unicast address family configuration level enter the following command BigIron RX config bgp address family ipv4 unicast BigIron RX config bgp NOTE The CLI prompt for the global BGP level and the BGP address family IPv4 unicast level are the same To enter the IPv4 BGP multicast address family confi...

Page 822: ... filter the default action for addresses that do not match a filter is deny To change the default action to permit configure the last filter as permit any any The ip addr parameter specifies the IP address If you want the filter to match on all addresses enter any The wildcard parameter specifies the portion of the IP address to match against The wildcard is a four part value in dotted decimal not...

Page 823: ...s true the device stops and does not continue applying filters from the list NOTE If the filter is referred to by a route map s match statement the filter is applied in the order in which the filter is listed in the match statement The permit deny parameter indicates the action the router takes if the filter match is true If you specify permit the router permits the route into the BGP4 table if th...

Page 824: ...nfederations on page 760 The no advertise keyword filters for routes with the well known community NO_ADVERTISE A route in this community should not be advertised to any BGP4 neighbors The no export keyword filters for routes with the well known community NO_EXPORT A route in this community should not be advertised to any BGP4 neighbors outside the local AS If the router is a member of a confedera...

Page 825: ...twork prefix telling a remote router to drop all traffic for this network prefix by redistributing a null0 route into BGP Figure 113 shows a topology for a null0 routing application example FIGURE 113 Sample Null0 routing application The following steps configure a null0 routing application for stopping denial of service attacks from remote hosts on the internet Configuration steps 1 Select one ro...

Page 826: ...00 BigIron RX config bgp router neighbor router3_int_ip address remote as 100 BigIron RX config bgp router neighbor router4_int_ip address remote as 100 BigIron RX config bgp router neighbor router5_int_ip address remote as 100 BigIron RX config bgp router neighbor router7_int_ip address remote as 100 BigIron RX config bgp router redistribute static route map blockuser BigIron RX config bgp router...

Page 827: ...r neighbor router6_int_ip address remote as 100 BigIron RX config bgp router neighbor router7_int_ip address remote as 100 After configuring the null0 application you can display the configuration using the show ip route static show ip bgp route and show ip route commands For example when you issue the show ip route static command on Router 6 you see the following output Entering a show ip route s...

Page 828: ...110 0 0 80 28 90 0 1 3 100 0 I 36 115 0 0 96 28 30 0 1 3 100 0 I AS_PATH 50 37 115 0 0 192 27 192 168 0 1 1 10000000 32768 BL AS_PATH 64 120 0 7 0 24 70 0 1 3 100 0 I AS_PATH 10 65 120 0 14 0 23 192 168 0 1 1 1000000 32768 BL AS_PATH BigIron RX show ip route Total number of IP routes 133 Type Codes B BGP D Connected S Static R RIP O OSPF Cost Dist Metric Destination Gateway Port Cost Type 1 9 0 1 ...

Page 829: ...he routes in the aggregate address into a single AS path The summary only parameter prevents the router from advertising more specific routes contained within the aggregate route The suppress map map name parameter prevents the more specific routes contained in the specified route map from being advertised The advertise map map name parameter configures the router to advertise the more specific ro...

Page 830: ...mpare MEDs enter the following command BigIron RX config bgp always compare med Syntax no always compare med Release 02 4 01 of the Multi Service IronWare software initiated support for the following new BGP command that directs BGP to take the MED value into consideration even if the route has an empty as path path attribute BigIron RX config router bgp BigIron RX config bgp router compare med em...

Page 831: ...eflection does still occur between clients and non clients BigIron RX config bgp no client to client reflection Enter the following command to re enable the feature BigIron RX config bgp client to client reflection Syntax no client to client reflection Configuring a route reflector You can configure one cluster ID on the router All route reflector clients for the router are members of the cluster ...

Page 832: ...n of this feature is based on RFC 3065 Normally all BGP routers within an AS must be fully meshed so that each BGP router has BGP sessions to all the other BGP routers within the AS This is feasible in smaller ASs but becomes unmanageable in ASs containing many BGP routers When you configure BGP routers into a confederation all the routers within a sub AS a subdivision of the AS use IBGP and must ...

Page 833: ...that the routers in AS 10 are subdivided into sub ASs within a confederation Configuring a BGP confederation Perform the following configuration tasks on each BGP router within the confederation Configure the local AS number The local AS number indicates membership in a sub AS All BGP routers with the same local AS number are members of the same sub AS BGP routers use the local AS number when comm...

Page 834: ...e confederation ID is the AS number by which BGP routers outside the confederation know the confederation Thus a BGP router outside the confederation is not aware and does not care that your BGP routers are in multiple sub ASs BGP routers use the confederation ID when communicating with routers outside the confederation The confederation ID must be different from the sub AS numbers You can specify...

Page 835: ...e for use again You can configure the half life to be from 1 45 minutes The default is 15 minutes The reuse parameter specifies how low a route s penalty must become before the route becomes eligible for use again after being suppressed You can set the reuse threshold to a value from 1 20000 The default is 750 0 75 or three fourths of the penalty assessed for a one flap The suppress parameter spec...

Page 836: ... routes BGP4 neighbors can send the local preference value as an attribute of a route in an UPDATE message Local preference applies only to routes within the local AS BGP4 routers can exchange local preference information with neighbors who also are in the local AS but BGP4 routers do not exchange local preference information with neighbors in remote ASs The default local preference is 100 For rou...

Page 837: ... routes to a network may differ depending on the protocol from which the routes were learned To select one route over another based on the source of the route information the device can use the administrative distances assigned to the sources The administrative distance is a protocol independent metric that IP routers use to compare routes from different sources The device re advertises a learned ...

Page 838: ...and can be a value from 1 255 The internal distance sets the IBGP distance and can be a value from 1 255 The local distance sets the Local BGP distance and can be a value from 1 255 Requiring the first AS to be the neighbor s AS By default the device does not require the first AS listed in the AS_SEQUENCE field of an AS path Update from an EBGP neighbor to be the AS that the neighbor who sent the ...

Page 839: ...hat the neighbor is dead and closing its BGP4 session and TCP connection with the neighbor The router waits for the Hold Time to expire before ending the connection to a directly attached BGP4 neighbor that dies For directly attached neighbors the router immediately senses loss of a connection to the neighbor from a change of state of the port or interface that connects the router to its neighbor ...

Page 840: ...bgp BigIron RX config bgp maximum paths 4 BigIron RX config bgp write memory Syntax no maximum paths number The num parameter specifies the maximum number of paths across which the BigIron RX can balance traffic to a given BGP4 destination You can change the maximum number of paths to a value from 2 8 The default is 1 Treating missing MEDs as the worst MEDs By default the device favors a lower MED...

Page 841: ...haring is disabled for EBGP paths multi as Load sharing is enabled for paths from different ASs By default load sharing applies to EBGP and IBGP paths and does not apply to paths from different neighboring ASs Configuring BGP4 neighbors The BGP4 protocol does not contain a peer discovery process Therefore for each of the router s BGP4 neighbors peers you must indicate the neighbor s IP address and...

Page 842: ...vate as route map in out map name route reflector client send community soft reconfiguration inbound shutdown timers keep alive num hold time num unsuppress map map name update source ip addr ethernet slot portnum loopback num ve num weight num The ip addr peer group name parameter indicates whether you are configuring an individual neighbor or a peer group If you specify a neighbor s IP address y...

Page 843: ...ng specific IP addresses on page 749 ebgp multihop num specifies that the neighbor is more than one hop away and that the session type with the neighbor is thus EBGP multihop This option is disabled by default The num parameter specifies the TTL you are adding for the neighbor You can specify a number from 0 255 The default is 0 If you leave the EBGP TTL value set to 0 the software uses the IP TTL...

Page 844: ...ion refer to Encryption of BGP4 MD5 authentication keys on page 774 NOTE If you want the software to assume that the value you enter is the clear text form and to encrypt display of that form do not enter 0 or 1 Instead omit the encryption option and allow the software to use the default behavior If you specify encryption option 1 the software assumes that you are entering the encrypted form of th...

Page 845: ... can specify 0 or 3 65535 1 and 2 are not allowed If you set the Hold Time to 0 the router waits indefinitely for messages from a neighbor without concluding that the neighbor is dead The defaults for these parameters are the currently configured global Keep Alive Time and Hold Time For more information about these parameters refer to Changing the keep alive time and hold time on page 787 unsuppre...

Page 846: ...gure a BGP4 neighbor or neighbor peer group you can specify an MD5 authentication string for authenticating packets exchanged with the neighbor or peer group of neighbors For added security the software encrypts display of the authentication string by default The software also provides an optional parameter to disable encryption of the authentication string on an individual neighbor or peer group ...

Page 847: ... configuring an individual neighbor or a peer group If you specify a neighbor s IP address you are configuring that individual neighbor If you specify a peer group name you are configuring a peer group The password string parameter specifies an MD5 authentication string for securing sessions between the device and the neighbor You can enter a string up to 80 characters long The string can contain ...

Page 848: ...how ip bgp neighbors The enable password display command enables display of the authentication string but only in the output of the show ip bgp neighbors command Display of the string is still encrypted in the startup configuration file and running configuration Enter the command at the global CONFIG level of the CLI NOTE The command also displays SNMP community strings in clear text in the output...

Page 849: ...e AS The software prevents removing the remote AS in this case so that the neighbors in the peer group that are using the remote AS do not lose connectivity to the BigIron RX You can override neighbor parameters on an individual neighbor basis If you do not specify a parameter for an individual neighbor the neighbor uses the value in the peer group If you set the parameter for the individual neigh...

Page 850: ...ivate as route map in out map name route reflector client send community soft reconfiguration inbound shutdown timers keep alive num hold time num update source loopback num weight num The ip addr peer group name parameter indicates whether you are configuring a peer group or an individual neighbor You can specify a peer group name or IP address with the neighbor command If you specify a peer grou...

Page 851: ...ply the new option to shut down a neighbor the option takes place immediately and remains in effect until you remove the option If you save the configuration to the startup configuration file the shutdown option remains in effect even after a software reload NOTE The software also contains an option to end the session with a BGP4 neighbor and thus clear the routes learned from the neighbor Unlike ...

Page 852: ...rs when you configure a BGP4 network to be advertised The device can use the route map to set or change BGP4 attributes when creating a local BGP4 route NOTE You must configure the route map before you can specify the route map name in a BGP4 network configuration otherwise the route is not imported into BGP To configure a route map and use it to set or change route attributes for a network you de...

Page 853: ...hop lookup does not result in a valid next hop IP address or the path to the next hop IP address is a BGP path the software considers the BGP route s destination to be unreachable The route is not eligible to be installed in the IP route table It is possible for the BGP route table to contain a route whose next hop IP address is not reachable through an IGP route even though a hop farther away can...

Page 854: ...his case the device tries to use the default route if present to reach the subnet that contains the BGP route s next hop gateway BigIron RX show ip bgp route Total number of BGP Routes 5 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED Prefix Next Hop Metric LocPrf Weight Status 1 0 0 0 0 0 10 1 0 2 0 100 0 BI AS_PATH 65001 435...

Page 855: ... the BGP route in the IP route table BigIron RX show ip bgp route Total number of BGP Routes 5 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED Prefix Next Hop Metric LocPrf Weight Status 1 0 0 0 0 0 10 1 0 2 0 100 0 BI AS_PATH 65001 4355 701 80 2 102 0 0 0 24 10 0 0 1 1 100 0 BI AS_PATH 65001 4355 1 3 104 0 0 0 24 10 1 0 2 0 1...

Page 856: ...r bgp BigIron RX config bgp redistribute ospf BigIron RX config bgp redistribute connected BigIron RX config bgp write memory Syntax no redistribute connected ospf rip isis static The connected parameter indicates that you are redistributing routes to directly attached devices into BGP The ospf parameter indicates that you are redistributing OSPF routes into BGP4 NOTE Entering redistribute ospf si...

Page 857: ...utes enter the following command BigIron RX config bgp redistribute rip metric 10 Syntax redistribute rip metric num route map map name The rip parameter indicates that you are redistributing RIP routes into BGP4 The metric num parameter changes the metric You can specify a value from 0 4294967295 The default is not assigned The route map map name parameter specifies a route map to be consulted be...

Page 858: ...ng command BigIron RX config bgp redistribute isis level 1 Syntax redistribute isis level 1 level 1 2 level 2 metric num route map map name The isis parameter indicates that you are redistributing ISIS routes into BGP4 The level 1 parameter redistributes ISIS routes only within the area the routes The level 2 parameter redistributes ISIS routes between areas within a domain The level 1 2 parameter...

Page 859: ...or setting the tag value Do not use table maps to set other attributes To set other route attributes use route maps or filters To create a route map and identify it as a table map enter commands such as following These commands create a route map that uses an address filter For routes that match the IP prefix list filter the route map changes the tag value to 100 This route map is then identified ...

Page 860: ...ate time 15 This command changes the update timer to 15 seconds Syntax no update time secs The secs parameter specifies the number of seconds and can be from 1 30 The default is 5 Changing the router ID The OSPF and BGP4 protocols use router IDs to identify the routers that are running the protocols A router ID is a valid unique IP address and sometimes is an IP address configured on the router Th...

Page 861: ...whether the router uses the loopback interface to communicate with the neighbor As long as a path exists between the router and its neighbor BGP4 information can be exchanged The BGP4 session is not associated with a specific link but instead is associated with the virtual interfaces NOTE If you configure the BigIron RX to use a loopback interface to communicate with a BGP4 neighbor the peer IP ad...

Page 862: ... AS are fully meshed Each of the routers has an IBGP session with each of the other BGP routers in the AS Each IBGP router thus has a route for each of its IBGP neighbors For large ASs containing many IBGP routers the IBGP route information in each of the fully meshed IBGP routers can introduce too much administrative overhead To avoid this problem you can hierarchically organize your IGP routers ...

Page 863: ...reflector becomes unavailable its clients are cut off from BGP4 updates AS1 contains a cluster with two route reflectors and two clients The route reflectors are fully meshed with other BGP4 routers but the clients are not fully meshed They rely on the route reflectors to propagate BGP4 route updates FIGURE 115 Example route reflector configuration Support for RFC 2796 Route reflection is based on...

Page 864: ... To configure route reflector 2 enter the same commands on the device that will be route reflector 2 The clients require no configuration for route reflection BigIron RX config bgp cluster id 1 BigIron RX config bgp neighbor 10 0 1 0 route reflector client BigIron RX config bgp neighbor 10 0 2 0 route reflector client Syntax no cluster id num ip addr The num ip addr parameter specifies the cluster...

Page 865: ...cl1 permit 100 BigIron RX config router bgp BigIron RX config bgp neighbor 10 10 10 1 filter list 1 in The ip as path command configures an AS path ACL that permits routes containing AS number 100 in their AS paths The neighbor command then applies the AS path ACL to advertisements and updates received from neighbor 10 10 10 1 In this example the only routes the device permits from neighbor 10 10 ...

Page 866: ...ial characters Table 26 2 on page 26 45 lists the special characters The description for each special character includes an example Notice that you place some special characters in front of the characters they control but you place other special characters after the characters they control In each case the examples show where to place the special character TABLE 117 BGP4 special characters for reg...

Page 867: ...are brackets enclose a range of single character patterns For example the following regular expression matches on an AS path that contains 1 2 3 4 or 5 1 5 You can use the following expression symbols within the brackets These symbols are allowed only inside the brackets The caret matches on any characters except the ones in the brackets For example the following regular expression matches on an A...

Page 868: ... last filter or ACL entry as permit any any Community filters or ACLs can be referred to by match statements in a route map Defining a community ACL To configure community ACL 1 enter a command such as the following BigIron RX config ip community list 1 permit 123 2 This command configures a community ACL that permits routes that contain community 123 2 NOTE Refer to Matching based on community AC...

Page 869: ...networks When you apply an IP prefix list to a neighbor the device sends or receives only a route whose destination is in the IP prefix list The software interprets the prefix lists in order beginning with the lowest sequence number To configure an IP prefix list and apply it to a neighbor enter commands such as the following BigIron RX config ip prefix list Routesfor20 permit 20 20 0 0 24 BigIron...

Page 870: ... traffic to or from a neighbor To configure a distribute list that uses ACL 1 enter a command such as the following BigIron RX config bgp neighbor 10 10 10 1 distribute list 1 in This command configures the device to use ACL 1 to select the routes that the device will accept from neighbor 10 10 10 1 Syntax neighbor ip addr distribute list name or num in out The ip addr parameter specifies the neig...

Page 871: ...l filter s action If the route map contains set statements routes that are permitted by the route map s match statements are modified according to the set statements Match statements compare the route against one or more of the following The route s BGP4 MED metric A sequence of AS path filters A sequence of community filters A sequence of address filters The IP address of the next hop router The ...

Page 872: ...ters in the routes on page 804 The map name is a string of characters that names the map Map names can be up to 32 characters in length The permit deny parameter specifies the action the router will take if a route matches a match statement If you specify deny the device does not advertise or learn the route If you specify permit the device applies the match and set statements associated with this...

Page 873: ... paths on page 793 To configure a community filter or community ACL refer to Filtering communities on page 795 You can enter up to six community names on the same command line NOTE The filters must already be configured The community num parameter specifies a community ACL NOTE The ACL must already be configured The community acl exact match parameter matches a route if and only if the route s com...

Page 874: ... command Refer to Defining an AS path ACL on page 793 Matching based on community ACL To construct a route map that matches based on community ACL 1 enter the following commands BigIron RX config ip community list 1 permit 123 2 BigIron RX config route map CommMap permit 1 BigIron RX config routemap CommMap match community 1 Syntax match community string The string parameter specifies a community ...

Page 875: ...ved from 192 168 6 0 24 The remaining commands configure a route map that matches on all BGP4 routes advertised by the BGP4 neighbors whose addresses match addresses in the IP prefix list You can add a set statement to change a route attribute in the routes that match You also can use the route map as input for other commands such as the neighbor and network commands and some show commands Syntax ...

Page 876: ...h on each route that matches the corresponding match statement BigIron RX config routemap GET_ONE set as path prepend 65535 Syntax set as path prepend as num as num automatic tag comm list acl delete community num num num internet local as no advertise no export dampening half life reuse suppress max suppress time ip next hop ip addr ip next hop peer address local preference num metric num none me...

Page 877: ...e route s metric to the number you specify set metric num Increases route s metric by the number you specify set metric num Decreases route s metric by the number you specify set metric none Removes the metric from the route removes the MED attribute from the BGP4 route The metric type type 1 type 2 parameter changes the metric type of a route redistributed into OSPF The metric type internal param...

Page 878: ...at the software substitutes for peer address depends on whether the route map is used for inbound filtering or outbound filtering When you use the set ip next hop peer address command in an inbound route map filter peer address substitutes for the neighbor s IP address When you use the set ip next hop peer address command in an outbound route map filter peer address substitutes for the local IP ad...

Page 879: ...ce to send ORFs to the neighbor to receive ORFs from the neighbor or both The neighbor uses the ORFs you send as outbound filters when it sends routes to the device Likewise the device uses the ORFs it receives from the neighbor as outbound filters when sending routes to the neighbor Reset the BGP4 neighbor session to send and receive ORFs Perform these steps on the other device NOTE If the BigIro...

Page 880: ...ring the start of a session To place a prefix list change into effect after activating cooperative filtering perform a soft reset of the neighbor session A soft reset does not end the current session but sends the prefix list to the neighbor in the next route refresh message NOTE Make sure cooperative filtering is enabled on the BigIron RX and on the neighbor before you send the filters To reset a...

Page 881: ...se to route state changes When route flap dampening is configured the device suppresses unstable routes until the route s state changes reduce enough to meet an acceptable degree of stability The Brocade implementation of route flap dampening is based on RFC 2439 BigIron RX show ip bgp neighbor 10 10 10 1 1 IP Address 10 10 10 1 AS 65200 IBGP RouterID 10 10 10 1 State ESTABLISHED Time 0h0m7s KeepA...

Page 882: ...alties it does not go down again during the half life the penalty is reduced to 1000 after the half life expires You can configure the half life to be from 1 45 minutes The default is 15 minutes Reuse threshold Specifies the minimum penalty a route can have and still be suppressed by the device If the route s penalty falls below this value the device un suppresses the route and can use it again Th...

Page 883: ...within the route map to enable dampening When you associate this route map with a specific neighbor the route map enables dampening for all routes associated with the neighbor You also can use match statements within the route map to selectively perform dampening on some routes from the neighbor NOTE You still need to configure the first route map to enable dampening globally The second route map ...

Page 884: ...is applied However unless dampening is already enabled globally by the first route map the second route map has no effect The last two commands apply the route maps The dampening route map command applies the first route map which enables dampening globally The neighbor command applies the second route map to neighbor 10 10 10 1 Since the second route map does not contain match statements for spec...

Page 885: ...ening statistics This field Displays Total number of flapping routes The total number of routes in the BigIron RX s BGP4 route table that have changed state and thus have been marked as flapping routes Status code Indicates the dampening status of the route which can be one of the following This is the best route among those in the BGP4 route table to the route s destination d This route is curren...

Page 886: ...ron RX config snmp server enable traps bgp Syntax no snmp server enable traps bgp Use the no form of the command to disable BGP traps Updating route information and resetting a neighbor session The following sections describe ways to update route information with a neighbor reset the session with a neighbor and close a session with a neighbor Any change to a policy ACL route map and so on is autom...

Page 887: ...hbor eliminating the need for additional refreshes or resets when you change policies in the future To use soft reconfiguration Enable the feature Make the policy changes Apply the changes by requesting a soft reset of the inbound updates from the neighbor or group Enabling soft reconfiguration To configure a neighbor for soft reconfiguration enter a command such as the following BigIron RX config...

Page 888: ...w ip bgp filtered routes ip addr as path access list num detail prefix list string The ip addr parameter specifies the IP address of the destination network The as path access list num parameter specifies an AS path ACL Only the routes permitted by the AS path ACL are displayed The detail parameter displays detailed information for the routes The example above shows summary information You can spe...

Page 889: ...ture is based on the following specifications RFC 2842 This RFC specifies the Capability Advertisement which a BGP4 router uses to dynamically negotiate a capability with a neighbor RFC 2858 for Multi protocol Extension RFC 2918 which describes the dynamic route refresh capability The dynamic route refresh capability is enabled by default and cannot be disabled When the device sends a BGP4 OPEN me...

Page 890: ...ft in updates the routes by comparing the route policies against the route updates that the device has stored Soft reconfiguration does not request additional updates from the neighbor or otherwise affect the session with the neighbor Refer to Using soft reconfiguration on page 815 If you did not enable soft reconfiguration soft in requests the neighbor s entire BGP4 route table Adj RIB Out then a...

Page 891: ...m the neighbor that the neighbor supports the dynamic refresh capability The statistics in the Message Sent and Message Received rows under Refresh Req indicate how many dynamic refreshes have been sent to and received from the neighbor The statistic is cumulative across sessions BigIron RX config bgp show ip bgp neighbor 10 4 0 2 1 IP Address 10 4 0 2 AS 5 EBGP RouterID 100 0 0 1 Description neig...

Page 892: ...n if the neighbor already contains a route learned from the device that you later decided to filter out using the soft outbound option removes that route from the neighbor You can specify a single neighbor or a peer group To close a neighbor session and thus flush all the routes exchanged by the device and the neighbor enter the following command BigIron RX clear ip bgp neighbor all Syntax clear i...

Page 893: ... of the CLI BigIron RX clear ip bgp flap statistics Syntax clear ip bgp flap statistics regular expression regular expression address mask neighbor ip addr The parameters are the same as those for the show ip bgp flap statistics command except the longer prefixes option is not supported Refer to Displaying route flap dampening statistics on page 848 NOTE The clear ip bgp damping command not only c...

Page 894: ... no data You can clear the buffers for all neighbors for an individual neighbor or for all the neighbors within a specific peer group To clear these buffers for neighbor 10 0 0 1 enter the following commands BigIron RX clear ip bgp neighbor 10 0 0 1 last packet with error BigIron RX clear ip bgp neighbor 10 0 0 1 notification errors Syntax clear ip bgp neighbor all ip addr peer group name as num l...

Page 895: ...anging the maximum number of shared BGP4 paths on page 768 Number of Neighbors Configured The number of BGP4 neighbors configured on this BigIron RX and currently in established state Number of Routes Installed The number of BGP4 routes in the router s BGP4 route table To display the BGP4 route table refer to Displaying the BGP4 route table on page 839 Number of Routes Advertising to All Neighbors...

Page 896: ...nection from the neighbor If the state frequently changes between CONNECT and ACTIVE there may be a problem with the TCP connection OPEN SENT BGP4 is waiting for an Open message from the neighbor OPEN CONFIRM BGP4 has received an OPEN message from the neighbor and is now waiting for either a KEEPALIVE or NOTIFICATION message If the router receives a KEEPALIVE message from the neighbor the state ch...

Page 897: ... 200 200 2 2 remote as 400 neighbor 1000 2 1 1 remote as 200 neighbor 2000 1 1 2 remote as 400 neighbor 4444 1 remote as 300 address family ipv4 unicast no neighbor 1000 2 1 1 activate no neighbor 2000 1 1 2 activate no neighbor 4444 1 activate exit address family address family ipv4 multicast exit address family address family ipv6 unicast redistribute static neighbor 1000 2 1 1 activate neighbor...

Page 898: ...of routes received from the neighbor that are the best BGP4 routes to their destinations but were nonetheless not installed in the IP route table because the BigIron RX received better routes from other sources such as OSPF RIP or static IP routes Unreachable Routes The number of routes received from the neighbor that are unreachable because the BigIron RX does not have a valid RIP OSPF or static ...

Page 899: ...d Routes Advertised The number of routes the BigIron RX has advertised to this neighbor To be Sent The number of routes the BigIron RX has queued to send to this neighbor To be Withdrawn The number of NLRIs for withdrawing routes the BigIron RX has queued up to send to this neighbor in UPDATE messages NLRIs Sent in Update Message The number of NLRIs for new routes the BigIron RX has sent to this n...

Page 900: ...e entries detail flap statistics last packet with error received prefix filter received routes routes best detail best not installed best unreachable rib out routes ip addr mask bits ip addr net mask detail routes summary BigIron RX config bgp show ip bgp neighbor 10 4 0 2 1 IP Address 10 4 0 2 AS 5 EBGP RouterID 100 0 0 1 Description neighbor 10 4 0 2 State ESTABLISHED Time 0h1m0s KeepAliveTime 0...

Page 901: ...d from the neighbor that the device selected as the best routes to their destinations not installed best Displays the routes received from the neighbor that are the best BGP4 routes to their destinations but were nonetheless not installed in the IP route table because the device received better routes from other sources such as OSPF RIP or static IP routes unreachable Displays the routes that are ...

Page 902: ...inus sign indicates that the session has gone down and the software is clearing or removing routes CONNECT BGP4 is waiting for the connection process for the TCP neighbor session to be completed ACTIVE BGP4 is waiting for a TCP connection from the neighbor If the state frequently changes between CONNECT and ACTIVE there may be a problem with the TCP connection OPEN SENT BGP4 is waiting for an Open...

Page 903: ...ateAs Whether this option is enabled for the neighbor RefreshCapability Whether this BigIron RX has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability CooperativeFilteringCapability Whether the neighbor is enabled for cooperative route filtering Distribute list Lists the distribute list parameters if configured Filter list Lists the filter list parame...

Page 904: ...ity UPDATE Message Error Malformed Attribute List Unrecognized Well known Attribute Missing Well known Attribute Attribute Flags Error Attribute Length Error Invalid ORIGIN Attribute Invalid NEXT_HOP Attribute Optional Attribute Error Invalid Network Field Malformed AS_PATH Hold Timer Expired Finite State Machine Error Rcv Notification Last Connection Reset Reason cont Reasons specific to the Broc...

Page 905: ...chronized Bad Message Length Bad Message Type Unspecified Open Message Error Unsupported Version Bad Peer As Bad BGP Identifier Unsupported Optional Parameter Authentication Failure Unacceptable Hold Time Unspecified Update Message Error Malformed Attribute List Unrecognized Attribute Missing Attribute Attribute Flag Error Attribute Length Error Invalid Origin Attribute Invalid NextHop Attribute O...

Page 906: ...es an acknowledgment of its connection termination request TIME WAIT Waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request CLOSED There is no connection state Byte Sent The number of bytes sent Byte Received The number of bytes received Local host The IP address of the BigIron RX Local port The TCP port the BigIron RX is using f...

Page 907: ... To display summary route information enter a command such as the following at any level of the CLI DupliRcv The number of duplicate sequence numbers received from the neighbor RcvWnd The size of the receive window SendQue The number of sequence numbers in the send queue RcvQue The number of sequence numbers in the receive queue CngstWnd The number of times the window has changed TABLE 121 BGP4 ne...

Page 908: ...s not have a valid RIP OSPF or static route to the next hop History Routes The number of routes that are down but are being retained for route flap dampening purposes NLRIs Received in Update Message The number of routes received in Network Layer Reachability NLRI format in UPDATE messages Withdraws The number of withdrawn routes the BigIron RX has received Replacements The number of replacement r...

Page 909: ...o the neighbor to withdraw Replacements The number of routes the BigIron RX has sent to the neighbor to replace routes the neighbor already has Peer Out of Memory Count for Statistics for the times the BigIron RX has run out of BGP4 memory for the neighbor during the current BGP4 session Receiving Update Messages The number of times UPDATE messages were discarded because there was no memory for at...

Page 910: ...y the parameters that have values different from their defaults are listed Displaying summary route information To display summary statistics for all the routes in the BigIron RX s BGP4 route table enter a command such as the following at any level of the CLI Syntax show ip bgp routes summary BigIron RX config bgp show ip bgp neighbor 192 168 4 211 rib out routes 192 168 1 0 24 Status A AGGREGATE ...

Page 911: ...the BGP4 route table that this BigIron RX originated Routes selected as BEST routes The number of routes in the BGP4 route table that this BigIron RX has selected as the best routes to the destinations BEST routes not installed in IP forwarding table The number of BGP4 routes that are the best BGP4 routes to their destinations but were not installed in the IP route table because the BigIron RX rec...

Page 912: ...wo five digit integer values of up to 1 65535 separated by a colon for example 12345 6789 or a single long integer value The community access list num parameter filters the display using the specified community ACL The community list option lets you display routes that match a specific community filter The detail option lets you display more details about the routes You can refine your request by ...

Page 913: ...gp routes unreachable For information about the fields in this display refer to Table 124 on page 842 The fields in this display also appear in the show ip bgp display BigIron RX config bgp show ip bgp routes best Searching for matching routes use C to quit Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED E EBGP H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED F FILTERED Pref...

Page 914: ...network from the BigIron RX Metric The value of the route s MED attribute If the route does not have a metric this field is blank LocPrf The degree of preference for this route relative to other routes in the local AS When the BGP4 algorithm compares routes on the basis of local preferences the route with the higher local preference is chosen The preference can have a value from 0 4294967295 BigIr...

Page 915: ...the IP route table b NOT INSTALLED BEST The routes received from the neighbor are the best BGP4 routes to their destinations but were nonetheless not installed in the IP route table because the BigIron RX received better routes from other sources such as OSPF RIP or static IP routes C CONFED_EBGP The route was learned from a neighbor in the same confederation and AS but in a different sub AS withi...

Page 916: ...eless not installed in the IP route table because the BigIron RX received better routes from other sources such as OSPF RIP or static IP routes C CONFED_EBGP The route was learned from a neighbor in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is currently unusable H HISTORY Route dampening...

Page 917: ...INCOMPLETE Weight The value that this router associates with routes from a specific neighbor For example if the router receives routes to the same destination from two BGP4 neighbors the router prefers the route from the neighbor with the larger weight Atomic Whether network information in this route has been aggregated and this aggregation has resulted in information loss NOTE Information loss un...

Page 918: ...e this set of attributes Origin The source of the route information The origin can be one of the following EGP The routes with this set of attributes came to BGP through EGP IGP The routes with this set of attributes came to BGP through IGP INCOMPLETE The routes came from an origin other than one of the above For example they may have been redistributed from OSPF or RIP When BGP4 compares multiple...

Page 919: ...outer that originated this aggregator Atomic Whether the network information in this set of attributes has been aggregated and this aggregation has resulted in information loss TRUE Indicates information loss has occurred FALSE Indicates no information loss has occurred NOTE Information loss under these circumstances is a normal part of BGP4 and does not indicate an error Local Pref The degree of ...

Page 920: ...or more filters Only the routes that have been dampened and that match the specified filters are displayed This display shows the following information TABLE 127 Route flap dampening statistics This field Displays Total number of flapping routes The total number of routes in the BigIron RX s BGP4 route table that have changed state and thus have been marked as flapping routes Status code Indicates...

Page 921: ...ins six route maps Notice that the match and set statements within each route map are listed beneath the command for the route map itself In this simplified example each route map contains only one match or set statement To display the active configuration for a specific route map enter a command such as the following which specifies a route map name BigIron RX show route map setcomm route map set...

Page 922: ...igure BGP Graceful Restart you must enable it on all BGP peers where you want it to operate and set the following timers Restart Timer Stale Routes Timer NOTE After configuring BGP Graceful Restart you need to reset neighbor session whether or not the neighbor session is up to enable BGP graceful restart Use the clear ip bgp neighbor command to clear and re establish neighbor sessions Configuring ...

Page 923: ...onfiguration Router 1 BigIron RX config router bgp BigIron RX config bgp local as 100 BigIron RX config bgp graceful restart BigIron RX config bgp neighbor 12 2 0 14 remote as 200 BigIron RX config bgp write memory Router 2 BigIron RX config router bgp BigIron RX config bgp local as 200 BigIron RX config bgp graceful restart BigIron RX config bgp neighbor 12 1 0 14 remote as 100 BigIron RX config ...

Page 924: ...control packets received from the neighbor do not have the anticipated value they are dropped by the Brocade device For more information on GTSM protection see RFC 3682 BigIron RX show ip bgp neighbor 11 11 11 2 1 IP Address 11 11 11 2 Remote AS 101 EBGP RouterID 101 101 101 1 Local AS 200 State ESTABLISHED Time 0h18m15s KeepAliveTime 60 HoldTime 180 KeepAliveTimer Expire in 44 seconds HoldTimer E...

Page 925: ...6 To enable GTSM protection for neighbor 192 168 9 210 enter the following command BigIron RX config bgp router neighbor 192 168 9 210 ebgp btsh Syntax no neighbor ip addr peer group name ebgp btsh NOTE For GTSM protection to work properly it must be enabled on both the Brocade device and the neighbor ...

Page 926: ...854 BigIron RX Series Configuration Guide 53 1001810 01 Generalized TTL security mechanism support 26 ...

Page 927: ... different sets of routing policies for unicast and multicast You can use BGP4 s powerful feature set with MBGP Figure 116 shows an example of a network that contains both a unicast topology and a multicast topology The unicast and multicast router in this example receives unicast and multicast routes from the Internet The router advertises the multicast routes to the multicast router and advertis...

Page 928: ... globally and on the individual Reverse Path Forwarding RPF interfaces PIM must be running on the device in order for the device to send multicast prefixes to other multicast routers Enable BGP4 If this is the first time you have configured BGP4 on this device you also need to specify the local AS number 3 Identify the neighboring MBGP routers 4 Optional Configure an MBGP default route 5 Optional ...

Page 929: ... for MBGP is automatically enabled Once MBGP is enabled MBGP parameters are configured under the IPv4 multicast address family Enter the following command to enter the IPv4 multicast address family level BigIron RX config bgp address family ipv4 multicast BigIron RX config bgp ipv4m Syntax address family ipv4 multicast Adding MBGP neighbors To add an MBGP neighbor enter a command such as the follo...

Page 930: ...rameter specifies the AS the MBGP neighbor is in The as number can be a number from 1 65535 There is no default NOTE The BigIron RX attempts to establish a BGP4 session with a neighbor as soon as you enter a command specifying the neighbor s IP address If you want to completely configure the neighbor parameters before the BigIron RX establishes a session with the neighbor you can administratively ...

Page 931: ... want to use to set or change BGP4 attributes for the network you are advertising The route map must already be configured The backdoor parameter changes the administrative distance of the route to this network from the EBGP administrative distance 20 by default to the Local BGP weight 200 by default thus tagging the route as a backdoor route The weight num parameter specifies a weight to be added...

Page 932: ...ork 207 95 10 0 24 the traffic must arrive on port 1 2 The second route is for all other multicast traffic Traffic from multicast sources other than 207 95 10 0 24 must arrive on port 2 3 If you configure more than one static multicast route the device always uses the most specific route that matches a multicast source address Thus if you want to configure a multicast static route for a specific m...

Page 933: ... parameter prevents the router from advertising more specific routes contained within the aggregate route The suppress map map name parameter prevents the more specific routes contained in the specified route map from being advertised The advertise map map name parameter configures the device to advertise the more specific routes in the specified route map The attribute map map name parameter conf...

Page 934: ...ddr prefix Displays a specific MBGP route show ip mbgp attribute entries Displays MBGP route attributes show ip mbgp dampened paths Displays MBGP paths that have been dampened by route flap dampening show ip mbgp flap statistics Displays route flap dampening statistics show ip mbgp filtered routes Displays routes that have been filtered out TABLE 128 MBGP Show commands Continued Command Descriptio...

Page 935: ...ng the values for all the configured parameters enter the following command This display is similar to the show ip bgp neighbor display but has additional fields that apply only to MBGP These fields are shown in bold type in the example and are explained below NOTE The display shows all the configured parameters for the neighbor Only the parameters that have values different from their defaults ar...

Page 936: ... The ip addr parameter specifies the neighbor s IP address BigIron RX show ip mbgp neighbor 7 7 7 2 Total number of BGP Neighbors 1 1 IP Address 166 1 1 2 Remote AS 200 IBGP RouterID 8 8 8 1 State ESTABLISHED Time 0h33m26s KeepAliveTime 60 HoldTime 180 KeepAliveTimer Expire in 9 seconds HoldTimer Expire in 161 seconds PeerGroup mbgp mesh MD5 Password Gsig U NextHopSelf yes RefreshCapability Receiv...

Page 937: ... ip mbgp route Total number of BGP Routes 2 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED E EBGP H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED s STALE Prefix Next Hop Metric LocPrf Weight Status 1 8 8 8 0 24 166 1 1 2 0 100 0 BI AS_PATH 2 31 1 1 0 24 166 1 1 2 0 100 0 BI AS_PATH BigIron RX show ip mroute Type Codes B BGP D Connected S Static Cost Dist Metric Destination...

Page 938: ...866 BigIron RX Series Configuration Guide 53 1001810 01 Displaying MBGP information 27 ...

Page 939: ... 2 2 and so on At the beginning of an SSH session the device negotiates the version of SSHv2 to be used The highest version of SSHv2 supported by both the device and the client is the version that is used for the session Once the SSHv2 version is negotiated the encryption algorithm with the highest security ranking is selected to be used for the session Also BigIron RX support Secure Copy SCP for ...

Page 940: ...s on a device SSH provides a function that is similar to Telnet but unlike Telnet SSH provides a secure encrypted connection SSHv2 support includes the following The following encryption cipher algorithm are supported They are listed in order of preference aes256 cbc AES in CBC mode with 256 bit key aes192 cbc AES in CBC mode with 192 bit key aes128 cbc AES in CBC mode with 128 bit key 3des cbc Tr...

Page 941: ...A key pair to negotiate a session key and encryption method with the client trying to connect to it The host DSA key pair is stored in the BigIron RX s system config file Only the public key is readable The public key should be added to a known hosts file for example HOME ssh known_hosts on UNIX systems on the clients who want to access the device Some SSH client programs add the public key to the...

Page 942: ...lients are authenticated using these stored public keys Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH When DSA challenge response authentication is enabled the following events occur when a client attempts to gain access to the device using SSH 1 The client sends its public key to the BigIron RX 2 The device compares ...

Page 943: ...y loaded into the active configuration the next time the device is booted NOTE You must ensure the format be followed before the key is TFTPed to the Brocade device NOTE The public key may not be effective after download using Linux and Secure CRT If the file is not constructed properly you will receive an error message while loading You must fix the key files and load them again To cause a public...

Page 944: ...cation no Syntax ip ssh key authentication yes no Setting the number of SSH authentication retries By default the device attempts to negotiate a connection with the connecting host three times The number of authentication retries can be changed to between 1 5 For example the following command changes the number of authentication retries to 5 BigIron RX config ip ssh authentication retries 5 Syntax...

Page 945: ...ntially disables the SSH server entirely To disable DSA challenge response authentication BigIron RX config ip ssh key authentication no Syntax ip ssh key authentication yes no The default is yes To deactivate password authentication BigIron RX config ip ssh password authentication no Syntax ip ssh password authentication no yes The default is yes Enabling empty password logins By default empty pa...

Page 946: ...r SSH packets originated by the device NOTE When you specify a single SSH source you can use only that source address to establish SSH management sessions with the BigIron RX To specify the numerically lowest IP address configured on a loopback interface as the device s source for all SSH packets enter commands such as a the following BigIron RX config int loopback 2 BigIron RX config lbif 2 ip ad...

Page 947: ...roup 10 Syntax ssh access group standard named acl standard numbered acl Refer to the section Chapter 21 Access Control List for details on how to configure ACLs Disabling 3 DES By default both 3 DES and AES encryption algorithms are enabled on the device device You can disable 3 DES by entering the following command BigIron RX config ip ssh encryption aes only Syntax no ip ssh encryption aes only...

Page 948: ... the startup configuration and running configuration files to or from an SCP enabled remote host SCP is enabled by default and can be disabled To disable SCP enter the following command BigIron RX config ip ssh scp disable Syntax ip ssh scp disable enable Encryption The encryption method used for the connection Username The user name for the connection TABLE 129 SSH connection information Continue...

Page 949: ...cation is enabled for SSH the user is prompted for user terry s password before the file transfer takes place To copy the configuration file to the startup configuration file C scp c cfg foundry cfg terry 192 168 1 50 startConfig To copy the configuration file to a file called config1 cfg on the PCMCIA flash card in slot 1 on a management module C scp c cfg foundry cfg terry 192 168 1 50 slot1 con...

Page 950: ...878 BigIron RX Series Configuration Guide 53 1001810 01 Using secure copy 28 ...

Page 951: ...stem intra domain routing information exchange protocol for use in conjunction with the protocol for providing the connection less mode Network Service ISO 8473 1992 ISO IEC 8473 Information processing systems Data Communications Protocols for providing the connectionless mode network service 1988 ISO IEC 9542 Information Technology Telecommunication and information exchange between systems End sy...

Page 952: ... a lower administrative distance the CPU installs the other protocol s path in the IP route table instead The administrative distance is a protocol independent value from 1 255 Each path sent to the CPU regardless of the source of the path IS IS OSPF static IP route and so on has an administrative distance Each route source has a default administrative distance The default administrative distance ...

Page 953: ...T is in In Figure 117 Routers A B and C are in area 1 Routers D and E are in area 2 All the routers are in the same domain Level 1 routing and Level 2 routing You can configure an IS IS router such as a BigIron RX to perform one or both of the following levels of IS IS routing1 Level 1 A Level 1 router routes traffic only within the area the router is in To forward traffic to another area the Leve...

Page 954: ...istributing link state information to other Level 1 or Level 2 ISs within the same broadcast network LAN The Level 1 and Level 2 Designated ISs within a broadcast network are independent although the same BigIron RX can be a Level 1 Designated IS and a Level 2 Designated IS at the same time The Designated IS is elected based on the priority of each IS in the broadcast network When an IS becomes op...

Page 955: ...pseudonode A pseudonode is a logical host representing all the Level 1 or Level 2 links among the ISs in a broadcast network Level 1 and Level 2 have separate pseudonodes although the same device can be the pseudonode for Level 1 and Level 2 Route calculation and selection The Designated IS uses a Shortest Path First SPF algorithm to calculate paths to destination ISs and ESs The SPF algorithm use...

Page 956: ... is the type of routes for the configuration For IS IS you specify unicast NOTE IS IS IPv6 is currently not supported An interface level Global configuration level You enter the global configuration level of ISIS by entering the following command BigIron RX config router isis BigIron RX config isis router Syntax no router isis The config isis router prompt indicates that you are at the global leve...

Page 957: ... feature in that particular address family You cannot expect the feature which you may have configured in the IPv4 IS IS unicast address family to work in the IPv6 IS IS unicast address family unless it is explicitly configured in the IPv6 IS IS unicast address family To exit from the ipv4 IS IS unicast address family configuration level enter the following command BigIron RX config isis router ip...

Page 958: ...descriptions above are the recommended values for the NET However the CLI accepts any value that fits within the following lengths and formats xx xxxx xxxx xxxx 00 minimum length of NET xx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 00 maximum length of NET The sel parameter specifies the NSAP Selector SEL This value must always be 00 two zeros The value 00 indicates that this address is an NET T...

Page 959: ... the overload bit on is useful when you want to make configuration changes without removing the device from the network In addition you can configure the device to set the overload bit on for a specific number of seconds during startup to allow IS IS to become fully active before the device begins IS IS routing By default there is no delay 0 seconds To immediately set the overload bit on enter the...

Page 960: ...ers long The password can contain blank spaces If you use a blank space in the password you must use quotation marks around the entire password for example domain password domain 1 Configuring an area password To configure an IS IS area password enter a command such as the following BigIron RX config isis router area password area 51 This command configures the device to use the password area 51 t...

Page 961: ...outer no hostname Syntax no hostname To display the name mappings enter the show isis hostname command Changing the sequence numbers PDU interval A Complete Sequence Numbers PDU CSNP is a complete list of the LSPs in the Designated IS link state database The CSNP contains a list of all the LSPs in the database as well as other information that helps IS neighbors determine whether their LSP databas...

Page 962: ...t by it s neighbors Refer to Changing the LSP refresh interval on page 890 Changing the LSP refresh interval The LSP refresh interval is the maximum number of seconds the device waits between sending updated LSPs to its IS IS neighbors The interval can be from 1 65535 seconds The default is 900 seconds To change the LSP refresh interval to 20000 seconds enter a command such as the following BigIro...

Page 963: ...S updates the tree at regular intervals following a change in network topology or the link state database By default the device recalculates its IS IS tree every five seconds following a change You can change the SPF timer to a value from 1 120 seconds To change the SPF interval enter a command such as the following BigIron RX config isis router spf interval 30 Syntax no spf interval secs The secs...

Page 964: ...n adjacency with another IS Logging of the adjacency changes is disabled by default To enable or disable them use either of the following methods To enable logging of adjacency changes enter the following command BigIron RX config isis router log adjacency changes Syntax no log adjacency changes To disable logging of adjacency changes enter the following command BigIron RX config isis router no lo...

Page 965: ... the number of paths to one the device does not load share multiple route paths learned from IPv4 IS IS For example to change the number of paths IPv4 IS IS can calculate and install in the IPv4 forwarding table to three enter the following command at the IPv4 IS IS unicast address family configuration level BigIron RX config isis router ipv4u maximum paths 4 Syntax no maximum paths number The num...

Page 966: ...s router ipv4u default information originate route map default_level1 These commands configure a route map to set the default advertisement level to Level 1 only Syntax no route map map name permit deny sequence number Syntax no set level level 1 level 1 2 level 2 For this use of a route map use the permit option and do not specify a match statement Specify a set statement to set the level to one ...

Page 967: ...g the amount of data the device needs to send to its neighbors and reducing the CPU cycles used for IS IS When you configure a summary address the address applies only to Level 2 routes by default You can specify Level 1 only Level 2 only or Level 1 and Level 2 when you configure the address To configure a summary address enter a command such as the following BigIron RX config isis router ipv4u su...

Page 968: ... metric In this case the device assigns the default metric value to the route For information about the default metric refer to Changing the default redistribution metric on page 896 which follows this section Changing the default redistribution metric When IPv4 IS IS redistributes a route from another route source such as OSPF BGP4 or a static IPv4 route into IPv4 IS IS it uses the route s metric...

Page 969: ...onfig access list 101 permit ip any 192 168 0 0 255 255 0 0 BigIron RX config route map static permit 1 BigIron RX config routemap static match ip address 101 BigIron RX config routemap static router isis BigIron RX config isis router address family ipv4 unicast BigIron RX config isis router ipv4u redistribute static route map static Redistributing directly connected routes into IPv4 IS IS To redi...

Page 970: ...P4 routes into IPv4 IS IS enter the following command at the IPv4 IS IS unicast address family configuration level BigIron RX config isis router ipv4u redistribute bgp This command configures the router to redistribute all its BGP4 routes into Level 2 IPv4 IS IS Syntax no redistribute bgp level 1 level 1 2 level 2 metric number metric type external internal route map name The parameters are the sa...

Page 971: ...config interface ethernet 1 2 BigIron RX config if 1 2 ip router isis These commands enable IS IS on ports 1 1 and 1 2 The NET configured above at the IS IS configuration level applies to both interfaces Syntax no ip router isis Disabling or re enabling formation of adjacencies When you enable IS IS on any type of interface except a loopback interface the interface also is enabled to send advertis...

Page 972: ... or Level 2 the new priority setting applies to both IS IS levels Syntax no isis priority num level 1 level 2 The num parameter specifies the priority and can be from 0 127 A higher numeric value means a higher priority The default is 64 The level 1 level 2 parameter applies the priority to Level 1 only or Level 2 only By default the priority is applied to both levels Limiting access to adjacencie...

Page 973: ...s the following BigIron RX config interface ethernet 2 8 BigIron RX config if e1000 2 8 no isis hello padding Syntax no isis hello padding By default hello padding is enabled Enter the no form of the command to disable hello padding Changing the hello interval The hello interval controls how often an IS IS interface sends hello messages to its IS IS neighbors The default interval is 10 seconds for...

Page 974: ...tric is 10 You can change the metric on an individual interface to a value in one of the following ranges 1 63 for the narrow metric style the default metric style for IPv4 ISIS 1 16777215 for the wide metric style the default metric style for IPv4 ISIS NOTE If the metric value you want to use is higher than 63 but you have not changed the metric style to wide change the metric style first then se...

Page 975: ... configuration information are displayed To list the global IS IS configuration commands in the BigIron RX s running config enter the following command at any level of the CLI BigIron RX show isis config router isis net 20 00e0 5200 0001 00 end The running config shown in this example contains the command that enables IS IS and a command that configures a NET To display the interface configuration...

Page 976: ...erface attached to the neighbor SNPA The Subnetwork Point of Attachment SNPA which is the MAC address of the BigIron RX port or virtual interface attached to the neighbor State The state of the adjacency with the neighbor The state can be one of the following DOWN The adjacency is down INIT The adjacency is being established and is not up yet UP The adjacency is up Holdtime The neighbor s advertis...

Page 977: ...ace id The BigIron RX s adjacency with this Level 1 IS has gone down The system id is the system ID of the IS The interface id is the ID of the interface over which the adjacency was established Notification ISIS L1 ADJACENCY UP system id on interface interface id The BigIron RX s adjacency with this Level 1 IS has come up The system id is the system ID of the IS The interface id is the ID of the ...

Page 978: ...at the BigIron RX s IS IS resources are no longer overloaded TABLE 132 IS IS Syslog messages Continued Message level Message Explanation BigIron RX show isis interface Total number of IS IS Interfaces 1 Interface Eth 7 1 Circuit State UP Circuit Mode LEVEL 1 2 Circuit Type BCAST Passive State FALSE Circuit Number 0x01 MTU 1497 Authentication password None Level 1 Metric 10 Level 1 Priority 64 Leve...

Page 979: ...orm an adjacency but can still advertise itself into the area MTU The maximum length supported for IS IS PDUs sent on this interface Authentication Password The password assigned to the IS IS interface Level 1 Metric The default metric value that the BigIron RX inserts in IS IS Level 1 PDUs for this interface Level 1 Priority The priority of this IS to be elected as the Designated IS for Level 1 i...

Page 980: ...cencies Changes The number of times an adjacency has started or ended on this circuit Rejected Adjacencies The number of adjacency attempts by other ISs rejected by the BigIron RX Circuit Authentication Fails The number of times the BigIron RX rejected a circuit because the authentication did not match the authentication configured on the BigIron RX Bad LSP The number of times the interface receiv...

Page 981: ...or the destination address Cost The IS IS default metric for the route which is the cost of using this route to reach the next hop router to this destination Type The route type which can be one of the following L1 Level 1 route L2 Level 2 route Tag The tag value associated with the route Path The path number in the table The IS IS route table can contain multiple equal cost paths to the same dest...

Page 982: ...s field Displays LSPID The LSP ID which consists of the source ID 6 bytes the pseudonode 1 byte and LSPID 1 byte NOTE If the address has an asterisk at the end this indicates that the LSP is locally originated LSP Seq Num The sequence number of the LSP LSP Checksum The checksum calculated by the device that sent the LSP and used by the BigIron RX to verify that the LSP was not corrupted during tra...

Page 983: ...mary display LSP Seq Num See the description of the summary display LSP Checksum See the description of the summary display LSP Holdtime See the description of the summary display ATT P OL See the description of the summary display Area Address The address of the area NLPID The Network Layer Protocol Identifier NLPID which specifies the protocol the IS that sent the LSP is using Usually this value...

Page 984: ...nation Device type The device type at the destination The type can be one of the following End System The device is an ES IP Internal The device is an ES within the current area The IP address and subnet mask are listed IS The device is another IS The NET NSAP address is listed IP Extended Same as IP Internal except the device uses the extended TLV fields described in draft ietf isis traffic 02 tx...

Page 985: ...or maximum number of area addresses did not match the BigIron RX s value for maximum number of area addresses System ID Length Mismatch The number of times the BigIron RX received a PDU whose ID field was a different length than the ID field length configured on the BigIron RX Authentication Fail The BigIron RX is configured to authenticate IS IS packets in the packet s domain or area but the pack...

Page 986: ...ss prefix parameter clears the IS IS route table or the specified matching route The traffic parameter clears the PDU statistics Level 1 Database Overload The number of times the Level 1 state on the BigIron RX changed from Waiting to On or from On to Waiting Waiting to On This change can occur when the BigIron RX recovers from a previous Level 1 LSP database overload and is again ready to receive...

Page 987: ...Configuration Guide 915 53 1001810 01 Clearing IS IS information 29 NOTE The traffic option also clears the values displayed in the show isis interface command s Control Messages Sent and Control Messages Received fields ...

Page 988: ...916 BigIron RX Series Configuration Guide 53 1001810 01 Clearing IS IS information 29 ...

Page 989: ...on setup To provide a detection time of 150 milliseconds it is necessary to process 20 messages per second of about 70 to 100 bytes each per each session A similar number of messages also need to be transmitted out per each session Once a session is set up that same message is continuously transmitted at the negotiated rate and a check is made that the expected control message is received at the a...

Page 990: ...eive time variables set with this command are the intervals desired by the local router The actual values in use will be the negotiated values The number variable specifies the number of times in a single sequence that this router will wait to receive a BFD message from its peer before determining that the connection to that peer is not operational Acceptable values are 3 50 Number of BFD sessions...

Page 991: ...s field Displays BFD State Specifies if BFD is Enabled or Disabled on the router Version Specifies the version of the BFD protocol operating on the router Current Registered Protocols Specifies which protocols are registered to use BFD on the router Possible values are ospf ospf6 or isis_task All Sessions Current The number of BFD sessions currently operating on the router Maximum Allowed The maxi...

Page 992: ...s BFD neighbor information for the specified ethernet interface only The interface ve option displays BFD neighbor information for the specified virtual interface only Sessions The number of BFD sessions currently operating on the specified Interface module BFD Enabled ports count The number of ports on the router that have been enabled for BFD Port The port that BFD is enabled on MinTx The interv...

Page 993: ...D information This field Displays Total number of Neighbor entries The number of neighbors that have established BFD sessions with ports on this router NeighborAddress The IPv4 or IPv6 address of the remote peer State The current state of the BFD session Up Up Down Down A DOWN The administrative down state INIT The Init state UNKNOWN The current state is unknown Interface The logical port physical...

Page 994: ...ill wait for the MinRxInterval time on this port before it determines that its peer router is non operational Remote Disc Value of the local discriminator field in the BFD Control Message as received in the last message sent by the remote peer Diag Value of the diagnostic field in the BFD Control Message as received in the last message sent by the remote peer Demand Value of the demand bit in the ...

Page 995: ... use with the following protocols OSPFv2 OSPFv3 IS IS Configuring BFD for OSPFv2 You can configure your device router for BFD on the OSPFv2 protocol for all OSPFv2 enabled interfaces or for specific interfaces as shown in the following sections Enabling BFD for OSPFv2 for all interfaces You can configure BFD for OSPFv2 on all of a router s OSPFv2 enabled interfaces using the command shown in the f...

Page 996: ...d interfaces using the command shown in the following BigIron RX config ipv6 router ospf BigIron RX config ospf6 router bfd all interfaces Syntax no bfd all interfaces While this command configures BFD for OSPFv3 on all of a router s OSPFv3 enabled interfaces it is not required that it be configured if you use the ipv6 ospf bfd command to configure specific interfaces It can be used independently ...

Page 997: ...t required that it be configured if you use the isis bfd command to configure specific interfaces It can be used independently or together with that command Enabling or disabling BFD for IS IS for a specific interface You can selectively enable or disable BFD on any IS IS interface as shown in the following BigIron RX config if e1000 3 1 isis bfd Syntax isis bfd disable The disable option disables...

Page 998: ...926 BigIron RX Series Configuration Guide 53 1001810 01 Configuring BFD for the specified protocol 30 ...

Page 999: ...d an authentication failure and a specified authentication failure action can be taken The default authentication failure action is to drop traffic from the non authenticated MAC address in hardware You can also configure the device to move the port on which the non authenticated MAC address was learned into a restricted or guest VLAN which may have limited access to the network RADIUS authenticat...

Page 1000: ...ardware the default or move the port on which the traffic was received to a restricted VLAN BigIron RX Series support multi device port authentication on untagged ports only Supported RADIUS attributes The device supports the following RADIUS attributes for multi device port authentication Username 1 RFC 2865 FilterId 11 RFC 2865 Vendor Specific Attributes 26 RFC 2865 Tunnel Type 64 RFC 2868 Tunne...

Page 1001: ...o at any given time a port can have either 802 1x clients or multi device port authentication clients but not both Configuring multi device port authentication Configuring multi device port authentication on the device consists of the following tasks Enabling multi device port authentication globally and on individual interfaces Configuring an Authentication Method List for 802 1x Setting RADIUS P...

Page 1002: ... Syntax no aaa authentication dot1x default method list For the method list enter at least one of the following authentication methods radius Use the list of all RADIUS servers that support 802 1x for authentication none Use no authentication The Client is automatically authenticated without the device using information supplied by the Client NOTE If you specify both radius and none make sure radi...

Page 1003: ...the password in the request sent to the RADIUS server By default the MAC address is sent to the RADIUS server in the format xxxxxxxxxxxx You can optionally configure the device to send the MAC address to the RADIUS server in the format xx xx xx xx xx xx or the format xxxx xxxx xxxx To do this enter a command such as the following BigIron RX config mac authentication auth passwd format xxxx xxxx xx...

Page 1004: ...ddress filter when the RADIUS server itself is connected to an interface where multi device port authentication is enabled If a MAC address filter is not defined for the MAC address of the RADIUS server and applied on the interface the RADIUS authentication process would fail since the device would drop all packets from the RADIUS server itself For example the following command defines a MAC addre...

Page 1005: ...untagged ports if the VLAN ID provided by the RADIUS server is valid then the port is removed from its current VLAN and moved to the RADIUS specified VLAN as an untagged port If you configure dynamic VLAN assignment on a multi device port authentication enabled interface and the Access Accept message returned by the RADIUS server does not contain a Tunnel Private Group ID attribute then it is cons...

Page 1006: ...d removes the port from its RADIUS assigned VLAN and places it back in the VLAN where it was originally assigned This is the default The port restrict vlan keyword removes the port from its RADIUS assigned VLAN and places it in the restricted VLAN The system default vlan keyword removes the port from its RADIUS assigned VLAN and places it in the DEFAULT VLAN Saving dynamic VLAN assignments to the ...

Page 1007: ...ged out if no traffic is received from the MAC address over the device s normal MAC aging interval Non authenticated MAC addresses that are blocked by the device are aged out if no traffic is received from the address over a fixed hardware aging period 70 seconds plus a configurable software aging period See the next section for more information on configuring the software aging period You can opt...

Page 1008: ...ault 120 seconds After the software aging period ends the blocked MAC address ages out and can be authenticated again if the device receives traffic from the MAC address To change the length of the software aging period for blocked MAC addresses enter a command such as the following BigIron RX config mac authentication max age 180 Syntax no mac authentication max age seconds You can specify from 1...

Page 1009: ...ion attempts are made for MAC addresses TABLE 144 Output from the show auth mac address configuration command This field Displays Feature enabled Whether the multi device port authentication feature is enabled on the BigIron RX device Number of Ports enabled The number of ports on which the multi device port authentication feature is enabled BigIron RX show auth mac configuration Feature enabled Y...

Page 1010: ... VLAN to which non authenticated MAC addresses are assigned if the Fail Action is to assign the MAC address to a restricted VLAN DynVLAN Support Whether RADIUS dynamic VLAN assignment is enabled for the port Override Restricted Whether or not a port in a restricted VLAN due to a failed authentication is removed from the restricted VLAN on a subsequent successful authentication on the port Revert V...

Page 1011: ...us attempt at authenticating a MAC address on that port failed Port VLAN The VLAN to which the port is assigned and whether the port had been dynamically assigned to the VLAN by a RADIUS server DOS attack protection Whether denial of service attack protection has been enabled for multi device port authentication limiting the rate of authentication attempts sent to the RADIUS server Accepted MAC Ad...

Page 1012: ...n the RADIUS assigned dynamic VLAN expires MAC Filter applied Whether a MAC filter has been applied to this port to specify pre authenticated MAC addresses MAC Table The MAC addresses learned on the port TABLE 146 Output from the show auth mac address address command This field Displays MAC IP Address The MAC address for which information is displayed If the packet for which multi device port auth...

Page 1013: ...addresses To display the MAC addresses for which authentication was not successful enter the following command Syntax show auth mac addresses unauthorized mac BigIron RX show auth mac addresses authorized mac MAC TABLE MAC Address Port VLAN Access Age 00A1 0010 2000 1 18 1 Allowed 0 00A1 0010 2001 1 18 1 Allowed 120 00A1 0010 2002 1 18 1 Allowed 0 BigIron RX show auth mac addresses unauthorized ma...

Page 1014: ...942 BigIron RX Series Configuration Guide 53 1001810 01 Displaying multi device port authentication information 31 ...

Page 1015: ...ns takes place The secure MAC addresses are not flushed when an interface is disabled and brought up again The secure addresses can be kept secure permanently the default or can be configured to age out at which time they are no longer secure You can configure the device to automatically save the list of secure MAC addresses to the startup config file at specified intervals allowing addresses to b...

Page 1016: ...the feature globally on all interfaces at once or on individual interfaces To enable the feature globally BigIron RX config global port security BigIron RX config port security enable To disable the feature on all interfaces at once BigIron RX config global port security BigIron RX config port security no enable To enable the feature on a specific interface BigIron RX config int e 7 11 BigIron RX ...

Page 1017: ...ce BigIron RX config int e 7 11 BigIron RX config if e100 7 11 port security BigIron RX config port security e100 7 11 age 10 Syntax no age minutes The default is 0 never age out secure MAC addresses Specifying secure MAC addresses To specify a secure MAC address on an interface enter commands such as the following BigIron RX config int e 7 11 BigIron RX config if e100 7 11 port security BigIron R...

Page 1018: ...ion restrict Syntax restrict max deny number The violation restrict command enables the violation restrict action The restrict mac deny command specifies the number of MAC addresses that are to be denied before the device shuts the port down Enter 1 1024 The default is 128 In the example above the port will be shut down after 130 MAC addresses are denied Violation shutdown This violation shutdown ...

Page 1019: ...ckets from denied MAC addresses these packets can now be logged in the Syslog And to prevent the Syslog from being overwhelmed with messages for denied packets you can specify how many messages will be logged per second based on a packet s IP address BigIron RX config global port security BigIron RX config port security violation restrict 12 BigIron RX config port security deny log rate 7 Syntax d...

Page 1020: ...2 2224 0000 0011 1111 198 19 1 2 198 19 1 1 Protocol 114 Transparent port flooding When the transparent port flooding feature in enabled for a port all MAC learning will be disabled for that port This will result in all Layer 2 traffic to be flooded to all other ports within the VLAN The Transparent port flooding feature is disabled by default To enable Transparent port flooding enter a command su...

Page 1021: ...MAC addresses configured on the device Port security statistics for an interface or for a module Displaying port security settings You can display the port security settings for an individual port or for all the ports on a specified module For example to display the port security settings for port 7 11 enter the following command Syntax show port security module portnum BigIron RX show port securi...

Page 1022: ...he action to be undertaken when a security violation occurs either shutdown or restrict The number of seconds a port is shut down following a security violation SecureMac Remain How many minutes the restrict or shutdown action will be in effect Permanent means the port is permanently shut down Learn Age Time The amount of time in minutes MAC addresses learned on the port will remain secure TABLE 1...

Page 1023: ...een shut down due to a security violation and the number of seconds before it is enabled again TABLE 150 Output from the show port security statistics module command This field Displays Total ports The number of ports on the module Total MAC address es The total number of secure MAC addresses on the module Total violations The number of security violations encountered on the module Total shutdown ...

Page 1024: ... MAC port security information 32 Syntax show mac all Entering show mac displays MAC addresses excluding those denied when violation restrict is enabled The show mac all command displays all MAC address entries including those denied when violation resrtict is enabled ...

Page 1025: ...802 1x port security the BigIron RX grants or does not grant access to network services after the user is authenticated by an authentication server The user based authentication in 802 1x port security provides an alternative to granting network access based on a user s IP address MAC address or subnetwork IETF RFC support Brocade s implementation of 802 1x port security supports the following RFC...

Page 1026: ...thentication information supplied by the Authentication Server the Authenticator either grants or does not grant network access to the Client Client Supplicant The device that seeks to gain access to the network Clients must be running software that supports the 802 1x standard for example the Windows XP operating system Clients can either be directly connected to a port on the Authenticator or ca...

Page 1027: ...RADIUS client the Authenticator PAE passes the Supplicant s information to the Authentication Server which decides whether the Supplicant can gain access to the port If the Supplicant passes authentication the Authenticator PAE grants it access to the port Supplicant PAE The Supplicant PAE supplies information about the Client to the Authenticator PAE and responds to requests from the Authenticato...

Page 1028: ...pplicant PAE and the Authenticator PAE and RADIUS messages are exchanged between the Authenticator PAE and the Authentication Server Refer to Message exchange during authentication on page 957 for an example of this process If the Client is successfully authenticated the controlled port becomes authorized and traffic from the Client can flow through the port normally By default all controlled port...

Page 1029: ...ifies a VLAN identifier and this VLAN is available on the BigIron RX device the client s port is moved from its default VLAN to the specified VLAN When the client disconnects from the network the port is placed back in its default VLAN Refer to Configuring dynamic VLAN assignment for 802 1x ports on page 962 for more information Brocade s 802 1x implementation supports dynamically applying an IP A...

Page 1030: ... 124 Multiple clients connected to a single 802 1x enabled port If there are multiple Clients connected to a single 802 1x enabled port the device authenticates each of them individually Each client s authentication status is independent of the others so that if one authenticated client disconnects from the network it has no effect on the authentication status of any of the other authenticated cli...

Page 1031: ...nformation on how to do this 6 If authentication for the Client is unsuccessful more than the number of times specified by the attempts variable in the auth fail max attempts command an authentication failure action is taken The authentication failure action can be either to drop traffic from the Client or to place the port in a restricted VLAN If the authentication failure action is to drop traff...

Page 1032: ...rt security Configuring 802 1x port security on a device consists of the following tasks 1 Configuring the BigIron RX device s interaction with the Authentication Server Configuring an authentication method list for 802 1x on page 961 Setting RADIUS parameters on page 961 Configuring dynamic VLAN assignment for 802 1x ports on page 962 optional 2 Configuring the BigIron RX s role as the Authentica...

Page 1033: ...IUS server to authenticate access to a BigIron RX you must identify the server to the device For example BigIron RX config radius server host 209 157 22 99 auth port 1812 acct port 1813 default key mirabeau dot1x Syntax radius server host ip addr server name auth port number acct port number authentication only accounting only default key 0 1 string dot1x The host ip addr server name parameter is ...

Page 1034: ... client disconnects from the network the port is placed back in its default VLAN NOTE This feature is supported on port based VLANs only This feature cannot be used to place an 802 1x enabled port into a Layer 3 protocol VLAN To enable 802 1x VLAN ID support on the device you must add the following attributes to a user s profile on the RADIUS server The device reads the attributes as follows If th...

Page 1035: ...e port is already a member of a RADIUS specified VLAN and the RADIUS Access Accept message specifies the name or ID of that same VLAN then traffic from the Client is forwarded normally If the RADIUS Access Accept message specifies the name or ID of a VLAN that does not exist on the Brocade BigIron RX then it is considered an authentication failure If the RADIUS Access Accept message does not conta...

Page 1036: ... either globally or for specific interfaces To disable strict security mode globally enter the following commands BigIron RX config dot1x enable BigIron RX config dot1x no global filter strict security After you have globally disabled strict security mode on the device you can re enable it by entering the following command BigIron RX config dot1x global filter strict security Syntax no global filt...

Page 1037: ...llowing multiple filters to be simultaneously applied to an 802 1x authenticated port Use commas semicolons or carriage returns to separate the filters for example ip 3 in mac 2 in If 802 1x is enabled on a VE port ACLs dynamic 802 1x assigned or static user configured cannot be applied to the port Value Description ip number in Applies the specified numbered ACL to the 802 1x authenticated port i...

Page 1038: ... RADIUS server allows one instance of the Vendor Specific attribute to be sent in an Access Accept message However the Vendor Specific attribute can specify multiple IP ACLs or MAC address filters You can use commas semicolons or carriage returns to separate the filters for example ipacl e in permit ip any any ipacl e in deny ip any any Enabling 802 1x port security By default 802 1x port security...

Page 1039: ...ssfully authenticated the controlled port is then placed in the authorized state for that client The controlled port remains in the authorized state until the Client logs off To activate authentication on an 802 1x enabled interface you configure the interface to place its controlled port in the authorized state when a Client is authenticated by an Authentication Server To do this enter commands s...

Page 1040: ...igure periodic re authentication with an interval of 2 000 seconds enter the following commands BigIron RX config dot1x enable BigIron RX config dot1x re authentication BigIron RX config dot1x timeout re authperiod 2000 Syntax no timeout re authperiod seconds The re authentication interval is a global setting applicable to all 802 1x enabled interfaces If you want to re authenticate Clients connec...

Page 1041: ...identity frame to the Client This amount of time is specified with the tx period parameter The tx period parameter can be from 1 65535 seconds The default is 30 seconds For example to cause the BigIron RX to wait 60 seconds before retransmitting an EAP request identity frame to a Client enter the following command BigIron RX config dot1x timeout tx period 60 Syntax no timeout tx period seconds If ...

Page 1042: ... the Client When the device relays an EAP Request frame from the RADIUS server to the Client it expects to receive a response from the Client within 30 seconds If the Client does not respond within the allotted time the device retransmits the EAP Request frame to the Client The time constraint for retransmission of EAP Request frames to the Client can be between 1 4294967295 seconds For example to...

Page 1043: ...tication attempts the device makes before dropping packets When the authentication failure action is to drop traffic from the Client and the initial authentication attempt made by the device to authenticate the Client is unsuccessful the BigIron RX immediately retries to authenticate the Client After three unsuccessful authentication attempts the Client s dot1x mac session is set to access denied ...

Page 1044: ...Syntax show dot1x The following table describes the information displayed by the show dot1x command TABLE 152 Output from the show dot1x command This field Displays PAE Capability The Port Access Entity PAE role for the BigIron RX device This is always Authenticator Only system auth control Whether system authentication control is enabled on the device The dot1x enable command enables system authe...

Page 1045: ...ver timeout When the Authentication Server does not respond to a message sent from the Client the amount of time before the BigIron RX retransmits the message Refer to Specifying a timeout for retransmission of messages to the authentication server on page 970 for information on how to change this setting max req The number of times the BigIron RX retransmits an EAP request identity frame if it do...

Page 1046: ...multiple Supplicants accessing the interface on the BigIron RX through a hub Refer to Allowing multiple 802 1x clients to authenticate on page 970 for information on how to change this setting max clients The maximum number of clients that can be authenticated on this interface multiple clients Shows if the interface is enabled or disabled for multiple client authentication filter strict security ...

Page 1047: ...e number of EAPOL Logoff frames received on the port RX EAPOL Invalid The number of invalid EAPOL frames received on the port RX EAPOL Total The total number of EAPOL frames received on the port RX EAP Resp Id The number of EAP Response Identity frames received on the port RX EAP Resp other than Resp Id The total number of EAPOL Response frames received on the port that were not EAP Response Ident...

Page 1048: ...ured on the port This default MAC filter is the MAC filter that will be applied to the port once the dynamically assigned MAC filter is removed If a default MAC filter has not been configured the message No Port default MAC is displayed BigIron RX show interface e 12 2 GigabitEthernet1 3 is up line protocol is up Hardware is GigabitEthernet address is 000c dbe2 5800 bia 000c dbe2 5800 Configured s...

Page 1049: ...ormation is displayed BigIron RX show dot1x ip acl ethernet 1 1 Port 1 1 IP ACL information 802 1x dynamic IP ACL user defined in ip access list extended Port_1 1_E_IN in Port default IP ACL in ip access list 100 in No outbound ip access list is set The Port default IP ACL appears if a default IP ACL has been configured on the port The default IP ACL is the IP ACL that will be applied to the port ...

Page 1050: ... of the following permit The Client has been successfully authenticated and traffic from the Client is being forwarded normally blocked Authentication failed for the Client and traffic from the Client is being dropped in hardware restricted Authentication failed for the Client but traffic from the Client is allowed in the restricted VLAN only init The Client is in is in the process of 802 1x authe...

Page 1051: ...curity TABLE 156 Output from the show dot1x mac session brief command This field Displays Port Information about the users connected to each port Number of users The number of restricted and authorized those that were successfully authenticated users connected to the port Dynamic VLAN Whether or not the port is a member of a RADIUS specified VLAN Dynamic ACL Whether or not a RADIUS specified ACL h...

Page 1052: ...BigIron RX config dot1x enable e 2 1 to 2 3 BigIron RX config dot1x re authentication BigIron RX config dot1x timeout re authperiod 2000 BigIron RX config dot1x timeout quiet period 30 BigIron RX config dot1x timeout tx period 60 BigIron RX config dot1x max req 6 BigIron RX config dot1x exit BigIron RX config interface e 2 1 BigIron RX config if e100 1 dot1x port control auto BigIron RX config if ...

Page 1053: ...Iron RX in Figure 126 BigIron RX config aaa authentication dot1x default radius BigIron RX config radius server host 192 168 9 22 auth port 1812 acct port 1813 default key mirabeau dot1x BigIron RX config dot1x enable e 2 1 BigIron RX config dot1x re authentication BigIron RX config dot1x timeout re authperiod 2000 BigIron RX config dot1x timeout quiet period 30 BigIron RX config dot1x timeout tx ...

Page 1054: ...982 BigIron RX Series Configuration Guide 53 1001810 01 Sample 802 1x configurations 33 ...

Page 1055: ... how a Smurf attack works FIGURE 127 How a Smurf attack floods a victim with ICMP replies The attacker sends an ICMP echo request packet to the broadcast address of an intermediary network The ICMP echo request packet contains the spoofed address of a victim network as its source When the ICMP echo request reaches the intermediary network it is converted to a Layer 2 broadcast and sent to the host...

Page 1056: ...ions they want to regulate any particular traffic flow they have in mind This section provides examples that can be used to prevent two common types of DOS attacks Avoiding being a victim in a Smurf attack You can configure the BigIron RX to drop ICMP packets when excessive numbers are encountered as is the case when the device is the victim of a Smurf attack You can set threshold values for ICMP ...

Page 1057: ... which also controls the logging timer for ACL The following is a sample output Jun 23 00 37 58 I list 120 denied icmp 55 55 55 1 Ethernet 3 5 0000 0000 0011 14 14 14 1 1 event s Note that This feature is supported on Ethernet physical interfaces only Only the permit clauses filters are used in this feature Deny clauses are ignored Protecting against TCP SYN attacks TCP SYN attacks exploit the pro...

Page 1058: ... see the direct effect the continuing communications between the devices and the impact of the injected packet but may see the indirect impact of a terminated or corrupted session The TCP security enhancement prevents and protects against the following three types of attacks Blind TCP reset attack using the reset RST bit Blind TCP reset attack using the synchronization SYN bit Blind TCP packet inj...

Page 1059: ... acknowledgement ACK segment to the peer The TCP security enhancement is enabled by default To disable it refer to Disabling the TCP security enhancement on page 987 Protecting against a blind injection attack In a blind TCP injection attack a perpetrator tries to inject or manipulate data in a TCP connection To reduce the chances of a blind injection attack perform an additional check on all inco...

Page 1060: ...se burst thresholds were exceeded BigIron RX config clear statistics dos attack Syntax clear statistics dos attack Port Port number Packet Drop Count Number of packets that are dropped when the port is in lockup mode Packet Pass Count Number of packets that are forwarded when the port is in rate limiting mode Port Block Count Number of times the port was shut down for the particular traffic flow t...

Page 1061: ...he poisoning and disallow mis configuration of client IP addresses ARP attacks ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address Before a host can talk to another host it must map the IP address to a MAC address first If the host does not have the mapping in its ARP table it sends an ARP request to resolve the mapping All computers on the sub...

Page 1062: ...uests and responses received on untrusted ports Verifies that each of the intercepted packets has a valid IP to MAC address binding before updating the local ARP table or before forwarding the packet to the appropriate destination Drops invalid ARP packets When you enable DAI on a VLAN by default all member ports are untrusted You must manually configure trusted ports In a typical network configur...

Page 1063: ...esolved and the port mapped Refer to System reboot and the binding database on page 995 Limits and restrictions The following limits and restrictions apply when configuring DAI The maximum number of DHCP and static DAI entries depends on the maximum number of ARP table entries allowed on the device The BigIron RX Series switch can have up to 64 000 ARP entries In a BigIron RX you can use the syste...

Page 1064: ...c addr inspection The index can be from 1 up to the maximum number of static entries allowed The ip addr mac addr parameter specifies a device s IP address and MAC address pairing Enabling DAI on a VLAN DAI is disabled by default To enable DAI on an existing VLAN enter the following command BigIron RX config ip arp inspection vlan 2 The command enables DAI on VLAN 2 ARP packets from untrusted port...

Page 1065: ...10 43 11 45 0060 e040 a0c4 Dynamic 1 mgmt1 Valid 10 60 60 60 209 00d0 09a0 bd84 Inspect 14 0 64 Pending The command displays all ARP entries in the system Syntax show arp TABLE 158 show arp command This field Displays IP Address The IP address of the device MAC Address The MAC address of the device Age The ARP Age which can be one of the following The number of minutes the entry has remained unuse...

Page 1066: ... due to user mis configuration of DHCP servers Often DHCP snooping is used together with Dynamic ARP Inspection and IP Source Guard Type The ARP type which can be one of the following Dynamic The Layer 3 Switch learned the entry from an incoming packet on a trusted port Inspect Inspection ARP The entry from a statically configured IP MAC mapping where the port was initially unspecified Dhcp DHCP S...

Page 1067: ...ow DAI and DHCP snooping to work smoothly across a system reboot the binding database is saved to a file in the system flash memory after the user issues the reload command DHCP learnt entries are written to the system flash memory before the router reboots The flash file is written and read only if DHCP snooping is enabled Configuring DHCP snooping Configuring DHCP snooping consists of the follow...

Page 1068: ...nt or DHCP server VLAN Enabling trust on a port The default trust setting for a port is untrusted To enable trust on a port connected to a DHCP server enter commands such as the following FastIron SuperX Switch config interface ethernet 1 1 FastIron SuperX Switch config if e10000 1 1 dhcp snooping trust Port 1 1 is connected to a DHCP server The commands change the CLI to the interface configurati...

Page 1069: ... option 1 the relay agent circuit ID with the sub option data in the following format VLAN id 2 bytes module id 1 byte port id 1 byte The circuit ID identifies the location of the port showing where the DHCP request comes from Typical address allocation is based on the gateway address of the relay agent Disabling option 82 processing When DHCP snooping is enabled on the Brocade device option 82 pr...

Page 1070: ...g vlan 20 exit FastIron SuperX Switch config ip dhcp snooping vlan 20 On VLAN 2 client ports 1 3 and 1 4 are untrusted by default all client ports are untrusted Hence only DHCP client request packets received on ports 1 3 and 1 4 are forwarded On VLAN 20 ports 1 1 and 1 2 are connected to a DHCP server DHCP server ports are set to trusted FastIron SuperX Switch config interface ethernet 1 1 FastIr...

Page 1071: ... source guard is enabled without any IP source binding on the port an ACL that denies all IP traffic is loaded on the port Similarly when the IP source guard is disabled any IP source per port IP ACL will be removed from the interface Limits and restrictions Current implementation with this feature has the following limitations Works only on routing and virtual interface ports and does not support...

Page 1072: ...1000 BigIron RX Series Configuration Guide 53 1001810 01 IP source guard 35 Syntax show ip source guard ethernet port num ...

Page 1073: ... for the user name and password By default you cannot open a read write management session You first must configure a read write community string using the CLI Then you can log on using set as the user name and the read write community string you configure as the password You can configure as many additional read only and read write community strings as you need The number of strings you can confi...

Page 1074: ...ivate rw The string parameter specifies the community string name The string can be up to 32 characters long The ro rw parameter specifies whether the string is read only ro or read write rw The view viewstring parameter is optional It allows you to associate a view to the members of this community string Enter up to 32 alphanumeric characters If no view is specified access to the full MIB is gran...

Page 1075: ...o secure against the following threats Modification of information Masquerading the identity of an authorized entity Message stream modification Disclosure of information Furthermore SNMP version 3 supports View Based Access Control Mechanism RFC 2575 to control access at the PDU level It defines mechanisms for determining whether or not access to a managed object in a local MIB by a remote princi...

Page 1076: ...d find the following line Local SNMP Engine ID 800007c70300e05290ab60 Refer to Displaying the engine ID on page 1007 for details The default engine ID guarantees the uniqueness of the engine ID for SNMP version 3 If you want to change the default engine ID enter a command such as the following BigIron RX config snmp server engineid local 800007c70300e05290ab60 Syntax no snmp server engineid local ...

Page 1077: ... to be created The v1 v2c or v3 parameter indicates which version of SNMP is used In most cases you will be using v3 since groups are automatically created in SNMP versions 1 and 2 from community strings The auth noauth parameter determines whether or not authentication will be required to access the supported views If auth is selected then only authenticated packets are allowed to access the view...

Page 1078: ...n v3 access 2 auth md5 bobmd5 priv des bobdes The CLI for creating SNMP version 3 users has been updated as follows Syntax no snmp server user name groupname v3 access standard acl id encrypted auth md5 md5 password sha sha password priv encrypted des des password aes aes password key The name parameter defines the SNMP user name or security name used to access the management module The groupname ...

Page 1079: ...password The priv parameter defines the type of encryption that will be used to encrypt the privacy password If the encryption keyword is used enter a 16 octet DES key in hexadecimal format for the des password If the encryption keyword is not used enter a password string of at least 8 characters The agent will generate a suitable 16 octet DES key from the password string If DES is the privacy pro...

Page 1080: ...at contains one or more varbinds The varbinds contain additional information showing the cause of failures An SNMP manager application decodes the description from the varbind The following table presents a list of varbinds supported by the SNMP agent Security level Authentication none If the security model shows v1 or v2 then security level is blank User names are not used to authenticate users c...

Page 1081: ... tree included excluded The name parameter can be any alphanumeric name you choose to identify the view The names cannot contain spaces The mib_tree parameter is the name of the MIB object or family MIB objects and MIB sub trees can be identified by a name or by the numbers called Object Identifiers OIDs that represent the position of the object or sub tree in the MIB hierarchy You can use a wildc...

Page 1082: ...ple SNMP v3 configuration BigIron RX config snmp server group admingrp v3 priv read all write all notify all BigIron RX config snmp server user adminuser admingrp v3 auth md5 admin priv admin1 BigIron RX config snmp server host 10 3 1 44 More detailed SNMP v3 configuration BigIron RX config snmp server view internet internet included BigIron RX config snmp server view system system included BigIro...

Page 1083: ...odically advertises information including the following Hostname device ID Product platform and capability Software version VLAN and Layer 3 protocol address information for the port sending the update A Brocade device running FDP sends FDP updates on Layer 2 to MAC address 01 E0 52 CC CC CC Other Brocade devices listening on that address receive the updates and can display the information in the ...

Page 1084: ... seconds between updates and can be from 5 900 seconds The default is 60 seconds Changing the FDP hold time By default a BigIron RX that receives an FDP update holds the information until one of the following events occurs The device receives a new update 180 seconds have passed since receipt of the last update This is the hold time Once either of these events occurs the device discards the update...

Page 1085: ...e hostname of the neighbor Local Int The interface on which this BigIron RX received an FDP or CDP update for the neighbor Holdtm The maximum number of seconds this device can keep the information received in the update before discarding it Capability The role the neighbor is capable of playing in the network Platform The product platform of the neighbor Port ID The interface through which the nei...

Page 1086: ...he update to this device Entry address es The Layer 3 protocol addresses configured on the neighbor port that sent the update to this device If the neighbor is a Layer 2 Switch this field lists the management IP address Platform The product platform of the neighbor Capabilities The role the neighbor is capable of playing in the network Interface The interface on which this BigIron RX received an F...

Page 1087: ...BigIron RX clear fdp table Syntax clear fdp table NOTE This command clears all the updates for FDP and CDP Clearing FDP and CDP statistics To clear FDP and CDP statistics enter the following command BigIron RX clear fdp counters Syntax clear fdp counters Reading CDP packets Cisco Discovery Protocol CDP packets are used by Cisco devices to advertise themselves to other Cisco devices By default a Bi...

Page 1088: ... an interface You can disable and enable CDP at the interface level You can enter commands such as the following BigIron RX config int e 2 1 BigIron RX config if e10000 2 1 cdp enable Syntax no cdp enable By default the feature is enabled on an interface once CDP is enabled on the device Displaying CDP information You can display the following CDP information Cisco neighbors CDP entries for all Ci...

Page 1089: ...n 12 0 5 T1 RELEASE SOFTWARE fc1 Copyright c 1986 1999 by cisco Systems Inc Compiled Thu 19 Aug 99 04 12 by cmong BigIron RX show fdp neighbors ethernet 1 1 Device ID Router Entry address es IP address 207 95 6 143 Platform cisco RSP4 Capabilities Router Interface Eth 1 1 Port ID outgoing port FastEthernet5 0 0 Holdtime 127 seconds Version Cisco Internetwork Operating System Software IOS tm RSP So...

Page 1090: ...information Cisco Neighbor information CDP statistics To clear the Cisco neighbor information enter the following command BigIron RX clear fdp table Syntax clear fdp table To clear CDP statistics enter the following command BigIron RX clear fdp counters Syntax clear fdp counters BigIron RX show fdp entry Router1 Device ID Router1 Entry address es IP address 207 95 6 143 Platform cisco RSP4 Capabil...

Page 1091: ...n Syntax show version Viewing configuration information You can view a variety of configuration details and statistics with the show option The show option provides a convenient way to check configuration changes before saving them to flash The show options available will vary for the BigIron RX and by configuration level To determine the available show commands for the system or a specific level ...

Page 1092: ... commands are found at the Privileged EXEC level RMON support The Brocade RMON agent supports the following groups The group numbers come from the RMON specification RFC 1757 Statistics RMON Group 1 History RMON Group 2 Alarms RMON Group 3 Events RMON Group 9 The CLI allows you to make configuration changes to the control data for these groups but you need a separate RMON application to view and d...

Page 1093: ...bad packets This number does not include framing bits but does include Frame Check Sequence FCS octets Drop events Indicates an overrun at the port The port logic could not receive the traffic at full line rate and had to drop some packets as a result The counter indicates the total number of events in which packets were dropped by the RMON probe due to lack of resources This number is not necessa...

Page 1094: ...ntegral number of octets FCS Error or a bad FCS with a non integral number of octets Alignment Error NOTE This definition of jabber is different from the definition in IEEE 802 3 section 8 2 1 5 10BASE5 and section 10 3 1 4 10BASE2 These documents define jabber as the condition where any packet exceeds 20 ms The allowed range to detect jabber is between 20 ms and 150 ms This number does not includ...

Page 1095: ...d the bucket number of entries saved before overwrite using the CLI In the above example owner refers to the RMON station that will request the information NOTE To review the control data entry for each port or interface enter the show rmon history command Alarm RMON group 3 Alarm is designed to monitor configured thresholds for any SNMP integer time tick gauge or counter MIB object Using the CLI ...

Page 1096: ... threshold type can be falling threshold or rising threshold Event RMON group 9 There are two elements to the Event Group the event control table and the event log table The event control table defines the action to be taken when an alarm is reported Defined events can be found by entering the CLI command show event The Event Log Table collects and stores reported events for retrieval by an RMON a...

Page 1097: ...gregation is established Once Link Aggregation is established then the sFlow parameter appears on the interface mode which is configured Link Aggregation Source address The sampled sFlow data sent to the collectors includes an agent_address field This field identifies the IP address of the device that sent the data sFlow looks for an IP address in following order and uses the first address found T...

Page 1098: ...n contains information for the next hop router This information includes the next hop router s IP address and the outgoing VLAN ID Extended router information also includes the source IP address prefix length and the destination IP address prefix length Note that in IPv4 prefix length of source and destination IP addresses is collected only if BGP is configured on the devices Extended gateway info...

Page 1099: ...s field identifies the device that sent the data Refer to Source address on page 1025 Changing the polling interval The polling interval defines how often sFlow byte and packet counter data for a port are sent to the sFlow collectors If multiple ports are enabled for sFlow the BigIron RX staggers transmission of the counter data to smooth performance For example if sFlow is enabled on two ports an...

Page 1100: ...ecause four times as many packets will be sampled NOTE Brocade recommends that you do not change the denominator to a value lower than the default Sampling requires CPU resources Using a low denominator for the sampling rate can cause high CPU utilization Change to global rate If you change the global sampling rate the change is applied to all sFlow enabled ports except those ports on which you ha...

Page 1101: ...e actual sampling rate becomes one of the values listed in Changing the default sampling rate Enabling sFlow forwarding sFlow exports data only for the interfaces on which you enable sFlow forwarding You can enable sFlow forwarding on the Ethernet interfaces To enable sFlow forwarding Globally enable the sFlow feature Enable sFlow forwarding on individual interfaces NOTE Before you enable sFlow ma...

Page 1102: ...riable describes the length of the sample Within the sample are other variables including the Sequence number and the Source ID Brocade has introduced the proprietary Tag Type 1991 to identify ACL based sFlow samples For these samples standard Tag Type 1 samples collected using ACL based Inbound sFlow are encapsulated in a Tag Type 1991 sample The length variable identifies the entire length of th...

Page 1103: ...d monitoring Port based monitoring and ACL based sFlow can co exist on the same interface Port based sFlow Port and ACL based sFlow can co exist on the same interface When both features are configured on an interface packets that qualify as ACL based sFlow packets are sent to the collector as ACL sample packets Also the user can configure ACL based sFlow on an interface without configuring port ba...

Page 1104: ...nfig access list 151 permit tcp host 10 10 10 1 any established syn copy sflow BigIron RX config access list 151 permit any any The copy sflow parameter directs selected traffic to the sFlow collector Traffic can only be selected using the permit clause You must apply the ACL to an interface using the ip access group command as shown in the following BigIron RX config int eth 1 1 BigIron RX config...

Page 1105: ...collector IP address UDP port If more than one collector is configured the line above the collectors indicates how many have been configured Polling interval The port counter polling interval Configured default sampling rate The configured global sampling rate If you changed the global sampling rate the value you entered is shown here The actual rate calculated by the software based on the value y...

Page 1106: ...figured the line above the collectors indicates how many have been configured Polling interval The port counter polling interval Configured default sampling rate The configured global sampling rate If you changed the global sampling rate the value you entered is shown here The actual rate calculated by the software based on the value you entered is listed on the next line Actual default sampling r...

Page 1107: ...ears the values in the following fields of the show sflow display UDP packets exported sFlow samples collected NOTE This command also clears the statistics counters used by other features Global Sample Rate The global sampling rate for the BigIron RX Port Sampling Rates The sampling rates of a port on which sFlow is enabled Hardware Sample Rate The actual sampling rate This is the same as the Glob...

Page 1108: ...1036 BigIron RX Series Configuration Guide 53 1001810 01 sFlow 39 ...

Page 1109: ...he local instance is known as Internal Spanning Tree IST The CST treats each instance of IST as a single bridge Consequently ports are blocked to prevent loops that might occur within an IST and also throughout the CST In addition MSTP can coexist with individual devices running STP or RSTP in the Common and Internal Spanning Trees instance CIST With the exception of the provisions for multiple in...

Page 1110: ... of the ISTs and all bridges that are not formally configured into a region This instance interoperates with bridges running legacy STP and RSTP implementations Multiple Spanning Tree Instance MSTI The MSTI is identified by an MST identifier MSTid value between 1 and 4090 This defines an individual instance of an IST One or more VLANs can be assigned to an MSTI A VLAN cannot be assigned to multipl...

Page 1111: ...an MSTP instance Setting the MSTP global parameters Setting ports to be operational edge ports Setting point to point link Disabling MSTP on a port Forcing ports to transmit an MSTP BPDU Enabling MSTP on a switch Setting the MSTP name Each switch that is running MSTP is configured with a name It applies to the switch which can have many different VLANs that can belong to many different MSTP region...

Page 1112: ...ion level BigIron RX config mstp instance 7 ethernet 3 1 priority 32 path cost 200 Syntax no mstp instance instance number ethernet slot port priority port priority path cost cost The instance number variable is the number of the instance of MSTP that you are configuring priority and path cost for The ethernet slot port parameter specifies a port within a VLAN The priority and path cost configured...

Page 1113: ...efault mode only MSTP BPDUS will be sent The forward delay value specifies how long a port waits before it forwards an RST BPDU after a topology change This can be a value from 4 30 seconds The default is 15 seconds The hello time value parameter specifies the interval between two hello packets The parameter can have a value from 1 10 seconds The default is 2 seconds The max age value parameter sp...

Page 1114: ...a port To disable MSTP on a specific port use a command such as the following at the Global Configuration level BigIron RX config mstp disable 2 1 Syntax no mstp disable slot port The slot port variable specifies the location of the port that you want to disable MSTP for Forcing ports to transmit an MSTP BPDU To force a port to transmit an MSTP BPDU use a command such as the following at the Globa...

Page 1115: ...nfig vlan 20 by port BigIron RX config vlan 20 tagged ethernet 2 9 to 2 14 ethernet 2 16 BigIron RX config vlan 20 no spanning tree BigIron RX config vlan 20 exit BigIron RX config vlan 21 by port BigIron RX config vlan 21 tagged ethernet 2 9 to 2 14 ethernet 2 16 BigIron RX config vlan 21 no spanning tree BigIron RX config vlan 21 exit BigIron RX config vlan 22 by port BigIron RX config vlan 22 t...

Page 1116: ...21 vlan 21 BigIron RX config mstp instance 22 vlan 22 BigIron RX config mstp admin pt2pt mac ethernet 3 17 to 3 20 ethernet 3 5 to 3 6 BigIron RX config mstp admin pt2pt mac ethernet 3 10 BigIron RX config mstp disable ethe 3 7 ethernet 3 24 BigIron RX config mstp start BigIron RX config hostname CORE2 LAN 4 configuration BigIron RX config trunk switch ethernet 3 5 to 3 6 ethernet 3 1 to 3 2 BigIr...

Page 1117: ... configured Max Hop count variable Root MaxAge sec Max Age configured on the root bridge Root Hello sec Hello interval configured on the root bridge Root FwdDly sec FwdDly interval configured on the root bridge BigIron RX config show mstp MSTP Instance 0 CIST VLANs 1 Bridge Bridge Bridge Bridge Bridge Root Root Root Root Identifier MaxAge Hello FwdDly Hop MaxAge Hello FwdDly Hop hex sec sec sec cn...

Page 1118: ... number of the interface Pri The configured priority of the port The default is 128 PortPath Cost Configured or auto detected path cost for port P2P Mac Indicates if the port is configured with a point to point link T The port is configured in a point to point link F The port is not configured in a point to point link Edge Indicates if the port is configured as an operational edge port T indicates...

Page 1119: ...gnated Root Root Identifier Hop Bridge Cost Bridge Port Hop hex cnt hex hex cnt 8001000cdb80af01 20 8001000cdb80af01 0 8001000cdb80af01 Root 20 Port Pri PortPath Role State Designa Designated Num Cost ted cost bridge 3 1 128 2000 MASTER FORWARDING 0 8001000cdb80af01 BigIron RX config show mstp 0 MSTP Instance 0 CIST VLANs 1 Bridge Bridge Bridge Bridge Bridge Root Root Root Root Identifier MaxAge H...

Page 1120: ...n RX config show mstp detail MSTP Instance 0 CIST VLANs 4089 Bridge 800000b000c00000 Priority 32768 SysId 0 Mac 00b000c00000 FwdDelay 15 HelloTime 2 MaxHops 20 TxHoldCount 6 Port 6 54 Role DESIGNATED State FORWARDING PathCost 20000 Priority 128 OperEdge T OperPt2PtMac F Boundary T Designated Root 800000b000c00000 RegionalRoot 800000b000c00000 Bridge 800000b000c00000 ExtCost 0 IntCost 0 ActiveTimer...

Page 1121: ...ter to send IGMP queries to elicit these Group Membership reports you can enable the device to actively send the IGMP queries Query interval The query interval specifies how often the device sends Group Membership queries This query interval applies only to the active IGMP mode The default is 60 seconds You can change the interval to a value from 10 600 seconds Age interval The age interval specif...

Page 1122: ...ding to that group If the device finds an entry the device forwards the group traffic out the ports listed in the corresponding entries as long as the ports are members of the same VLAN If the table does not contain an entry corresponding to the group or if the port is a member of the default VLAN the device broadcasts the traffic NOTE When one or more BigIron RX devices are running Layer 2 IP Mul...

Page 1123: ...vices and leave the other devices configured for passive IGMP mode Passive When passive IGMP mode is enabled the device listens for IGMP Group Membership reports but does not send IGMP queries The passive mode is sometimes called IGMP snooping Use this mode when another device in the network is actively sending queries To enable active IGMP enter the following command BigIron RX config ip multicas...

Page 1124: ... RX enabled for active IP Multicast Traffic Reduction sends Group Membership queries NOTE The query interval applies only to the active mode of IP Multicast Traffic reduction To modify the query interval enter a command such as the following BigIron RX config ip multicast query interval 120 Syntax no ip multicast query interval interval The interval parameter specifies the interval between queries...

Page 1125: ...To enable IGMP Snooping Tracking globally enter a command such as the following BigIron RX config multicast tracking Syntax no ip multicast tracking The no form of this command disables the tracking process globally To enable IGMP Snooping Tracking per VLAN enter commands such as the following BigIron RX config vlan 100 BigIron RX config vlan 100 multicast tracking Syntax no multicast tracking The...

Page 1126: ...icast static group 224 10 1 1 uplink To configure the physical interface 10 43 3 12 to statically join a multicast group on port 2 4 enter commands such as the following BigIron RX config vlan 100 BigIron RX config vlan 100 multicast static group 224 10 1 1 2 4 To configure the snooping device to statically join a multicast stream with the source address of 10 43 1 12 in the include mode enter com...

Page 1127: ...include or exclude keyword is only supported on IGMPv3 The source address parameter specifies the IP address of the multicast source Each address must be added or deleted one line per source The uplink parameter specifies the port as an uplink port that can receive multicast data for the configured multicast groups Upstream traffic will be sent to the router and will not use a port The port list p...

Page 1128: ...membership report for a group the device forwards subsequent traffic for that group only on the ports from which the join messages or IGMP reports were received In this example the router connected to the receiver for group 239 255 162 1 sends a join message toward the group s source Since PIM SM traffic snooping is enabled on the device the device examines the join message to learn the group ID t...

Page 1129: ...rce and the downstream router to be on different IP subnets as shown in Figure 136 Figure 137 shows another example application for PIM SM traffic snooping This example shows devices on the edge of a Global Ethernet cloud a Layer 2 Packet over SONET cloud Assume that each device is attached to numerous other devices such as other BigIron RX FIGURE 137 PIM SM traffic reduction in global Ethernet en...

Page 1130: ...you enable IP multicast traffic reduction and PIM SM traffic snooping the device initially blocks all PIM SM traffic instead of forwarding it The device forwards PIM SM traffic to a receiver only when the device receives a join message from the receiver Consequently if the source and the downstream router are in the same subnet and PIM SM traffic snooping is enabled the device blocks the PIM SM tr...

Page 1131: ...6 00 introduces PIM proxy which are only configurable per VLAN instance Configuring the PIM SM traffic snooping per VLAN In the following example multicast traffic reduction is applied using PIM SM Traffic snooping to VLAN 2 BigIron RX config vlan 2 BigIron RX config vlan 2 multicast pimsm snooping Syntax no multicast pimsm snooping Configuring PIM proxy per VLAN instance Using the PIM proxy funct...

Page 1132: ...dress of the device that actively sends IGMP queries Router Ports The ports that are connected to routers that support IP multicast Report FID The fid and camindex values are used by Brocade Technical Support for troubleshooting Number of Multicast Group The total number of groups for which the VLAN s ports have received IGMP group membership reports join messages or prune messages Group An IP mul...

Page 1133: ...Received 60 Group Specific Queries Received 2 Others Received 0 General Queries Sent 0 Group Specific Queries Sent 0 The command in this example shows statistics for two port based VLANs Syntax show ip multicast statistics Clearing IP multicast statistics To clear IP multicast statistics on a device enter the following command at the Privileged EXEC level of the CLI BigIron RX clear ip multicast s...

Page 1134: ... group id parameter clears the flows for the specified group but does not clear the flows for other groups BigIron RX show ip multicast IP multicast is enabled Active VLAN ID 1 Active 192 168 2 30 Router Ports 4 13 Multicast Group 239 255 162 5 Port 4 4 4 13 Multicast Group 239 255 162 4 Port 4 10 4 13 BigIron RX clear ip multicast all BigIron RX show ip multicast IP multicast is enabled Active VL...

Page 1135: ... bit hexadecimal values separated by colons Figure 138 shows the IPv6 address format FIGURE 138 IPv6 address format As shown in Figure 138 HHHH is a 16 bit hexadecimal value while H is a 4 bit hexadecimal value The following is an example of an IPv6 address 2001 0000 0000 0200 002D D0FF FE48 4672 Note that the sample IPv6 address includes hexadecimal fields of zeros To make the address less cumber...

Page 1136: ...FF08 49EA D088 64 IPv6 address types As with IPv4 addresses you can assign multiple IPv6 addresses to a switch interface Table 165 presents the three major types of IPv6 addresses that you can assign to a switch interface A major difference between IPv4 and IPv6 addresses is that IPv6 addresses support scope which describes the topology in which the address may be used as a unique identifier for a...

Page 1137: ...ace ID IPv4 compatible address An address used in IPv6 transition mechanisms that tunnel IPv6 packets dynamically over IPv4 infrastructures The address embeds an IPv4 address in the low order 32 bits and the high order 96 bits are zeros The address structure is as follows 0 0 0 0 0 0 A B C D Loopback address An address 0 0 0 0 0 0 0 1 or 1 that a switch can use to send an IPv6 packet to itself You...

Page 1138: ...e on the link The duplicate address detection feature verifies that a unicast IPv6 address is unique before it is assigned to a host interface by the stateless auto configuration feature Duplicate address detection uses neighbor solicitation messages to verify that a unicast IPv6 address is unique NOTE For the stateless auto configuration feature to work properly the advertised prefix length in sw...

Page 1139: ...s an IPv6 packet can traverse 1091 QoS for IPv6 traffic 1091 Clearing global IPv6 information 1092 Displaying global IPv6 information 1094 This chapter explains how to get a Brocade Layer 3 Switch that supports IPv6 up and running To configure basic IPv6 connectivity you must do the following Enable IPv6 routing globally on the Brocade Layer 3 Switch Configure an IPv6 address or explicitly enable ...

Page 1140: ...nually configured interface ID An automatically computed EUI 64 interface ID If you prefer to assign a link local IPv6 address to the interface you must explicitly enable IPv6 on the interface which causes a link local address to be automatically computed for the interface If preferred you can override the automatically configured link local address with an address that you manually configure This...

Page 1141: ...ter Configuring a global or site local IPv6 address with an automatically computed EUI 64 interface ID To configure a global or site local IPv6 address with an automatically computed EUI 64 interface ID in the low order 64 bits enter commands such as the following BigIron RX config interface ethernet 3 1 BigIron RX config if e100 3 1 ipv6 address 2001 200 12D 1300 64 eui 64 These commands configur...

Page 1142: ... ipv6 address link local You must specify the ipv6 address parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 The link local keyword indicates that the router interface should use the manually configured link local address instead of the automatically computed link local address Configuring IPv6 anycast addresses In IPv6 an anycast address is an address for a set...

Page 1143: ... devices running the Layer 2 base Layer 3 or full Layer 3 software image This section lists the supported and unsupported IPv6 host features IPv6 host supported features The following IPv6 host features are supported Automatic address configuration NOTE Automatic IPv6 address configuration is supported Manual IPv6 address configuration is not supported Also automatic configuration of an IPv6 globa...

Page 1144: ...flash using IPv6 X X debug ipv6 Displays IPv6 debug information X X ipv6 access class Configures access control for IPv6 management traffic X X ipv6 access list Configures an IPv6 access list for IPv6 access control X X ipv6 dns domain name Configures an IPv6 domain name X X ipv6 dns server address Configures an IPv6 DNS server address X X ipv6 enable Enables IPv6 on an interface X ipv6 neighbor M...

Page 1145: ...een colons as documented in RFC 2373 show ipv6 neighbor Displays the IPv6 neighbor table X X show ipv6 route Displays IPv6 routes X show ipv6 router Displays IPv6 local routers X show ipv6 tcp Displays information about IPv6 TCP sessions X X show ipv6 traffic Displays IPv6 packet counters X X snmp client ipv6 Restricts SNMP access to a certain IPv6 node Refer to Restricting SNMP access to an IPv6 ...

Page 1146: ... IPv6 host You can restrict Web management access to the device to the IPv6 host whose IP address you specify No other device except the one with the specified IPv6 address can access the Brocade device s Web management interface For example BigIron RX config web client ipv6 3000 2383 e0bb 2 128 Syntax web client ipv6 ipv6 address The ipv6 address you specify must be in hexadecimal format using 16...

Page 1147: ...re an IPv6 access list that denies them The following shows an example configuration Example BigIron RX config ipv6 access list rtradvert BigIron RX config deny icmp any any router advertisement BigIron RX config deny icmp any any router solicitation BigIron RX config permit ipv6 any any BigIron RX show snmp server Contact Location Community ro Traps Warm Cold start Enable Link up Enable Link down...

Page 1148: ...hen a BigIron RX is running a switch only image of the code individual ports cannot be configured with an IP address IPv4 or IPv6 In this situation the BigIron RX has one IP address for the management port and one IP address for the system This has previously been supported for IPv4 but not IPv6 There is support for configuring an IPv6 address on the management port as described in Configuring the...

Page 1149: ...s such as the following BigIron RX config ipv6 address 2001 200 12D 1300 64 eui 64 These commands configure the global prefix 2001 200 12d 1300 64 and an interface ID as the system wide address and enable IPv6 Syntax ipv6 address ipv6 prefix prefix length eui 64 You must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You must specify t...

Page 1150: ...h as the following BigIron RX config ipv6 unicast routing BigIron RX config interface ethernet 3 1 BigIron RX config if e100 3 1 ip address 192 168 1 1 255 255 255 0 BigIron RX config if e100 3 1 ipv6 address 2001 200 12d 1300 64 eui 64 These commands globally enable IPv6 routing on the router and configure an IPv4 address and an IPv6 address for Ethernet interface 3 1 Syntax no ipv6 unicast routi...

Page 1151: ...ing nyc01 newyork com Defining a DNS entry You can define up to four DNS servers for each DNS entry The first entry serves as the primary default address If a query to the primary address fails to be resolved after three attempts the next gateway address is queried also up to three times This process continues for each defined gateway address until the query is resolved The order in which the defa...

Page 1152: ...st paths to that destination the device checks the IPv6 forwarding cache for a forwarding entry for the destination The IPv6 forwarding cache provides a fast path for forwarding IPv6 traffic The IPv6 forwarding cache contains entries that associate a destination host or network with a path next hop router If the IPv6 forwarding cache contains a forwarding entry for the destination the Brocade devi...

Page 1153: ...ad sharing 4 Syntax no ipv6 load sharing num The num parameter specifies the number of paths and can be from 2 8 The default is 4 Changing the maximum number of load sharing paths for IPv6 By default IPv6 ECMP load sharing allows traffic to be balanced across up to four equal paths You can change the maximum number of paths the device supports to a value from 2 8 To change the number of ECMP load ...

Page 1154: ...hich the client messages are forwarded and enables DHCP for IPv6 relay services on the interface Enabling support for network based ECMP load sharing for IPv6 Network based ECMP load sharing is supported If this configuration is selected traffic is distributed across equal cost paths based on the destination network address Routes to each network are stored in CAM and accessed when a path to a net...

Page 1155: ...ied interval until the maximum number of tokens allowed in the bucket is reached For each error message that ICMP sends a token is removed from the bucket If ICMP generates a series of error messages messages can be sent until the bucket is empty If the bucket is empty of tokens error messages cannot be sent until a new token is placed in the bucket You can adjust the following elements related to...

Page 1156: ... inform it of a better first hop router on a path to a destination No further configuration is required to enable the sending of ICMP redirect messages For more information about how ICMP redirect messages are implemented for IPv6 refer to Configuring IPv6 neighbor discovery on page 1084 For example to disable the sending of ICMP redirect messages on Ethernet interface 3 1 enter the following comm...

Page 1157: ...essage which has a value of 135 in the Type field of the ICMP packet header contains the following information Source address IPv6 address of node 1 interface that sends the message Destination address solicited node multicast address FF02 0 0 0 0 1 FF00 104 that corresponds the IPv6 address of node 2 Link layer address of node 1 A query for the link layer address of node 2 After receiving the nei...

Page 1158: ...ment parameters that you can configure refer to Enabling and disabling IPv6 router advertisements on page 1089 and Setting IPv6 router advertisement parameters on page 1087 Neighbor redirect messages After forwarding a packet by default a router can send a neighbor redirect message to a host to inform it of a better first hop router The host receiving the neighbor redirect message will then readdr...

Page 1159: ...lf To restore the default interval use the no form of this command Setting IPv6 router advertisement parameters You can adjust the following parameters for router advertisement messages The interval in seconds at which an interface sends router advertisement messages By default an interface sends a router advertisement message every 200 seconds The router lifetime value which is included in router...

Page 1160: ...nt messages sent out on Ethernet interface 3 1 with a valid lifetime of 1000 seconds a preferred lifetime of 800 seconds and the Onlink and Autoconfig flags set enter the following commands BigIron RX config interface ethernet 3 1 BigIron RX config if e100 3 1 ipv6 nd prefix advertisement 2001 e077 a487 7365 64 1000 800 onlink autoconfig Syntax no ipv6 nd prefix advertisement ipv6 prefix prefix le...

Page 1161: ... Syntax no ipv6 nd managed config flag Syntax no ipv6 nd other config flag To remove either flag from router advertisement messages sent on an interface use the no form of the respective command Enabling and disabling IPv6 router advertisements If IPv6 unicast routing is enabled on an Ethernet interface by default this interface sends IPv6 router advertisement messages However by default non LAN i...

Page 1162: ...ual interfaces Per RFC 2460 the minimum IPv6 MTU for any interface is 1280 bytes For example to configure the MTU on Ethernet interface 3 1 as 1280 bytes enter the following commands BigIron RX config interface ethernet 3 1 BigIron RX config if e100 3 1 ipv6 mtu 1280 Syntax no ipv6 mtu bytes You can specify between 1280 1500 bytes If a nondefault value is configured for an interface router adverti...

Page 1163: ...ess The ipv6 address parameter specifies the address of the neighbor The ethernet ve parameter specifies the interface through which to reach a neighbor If you specify an Ethernet interface specify the port number of the Ethernet interface If you specify a VE specify the VE number and then the Ethernet port numbers associated with the VE The link layer address is a 48 bit hardware address of the n...

Page 1164: ... the internal Brocade header based on a combination of the following information 802 1p priority Interface priority if configured VLAN priority if configured The DSCP field in the Type of Service ToS header Clearing global IPv6 information You can clear the following global IPv6 information Entries from the IPv6 cache Entries from the IPv6 neighbor table IPv6 routes from the IPv6 route table IPv6 ...

Page 1165: ...must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter You must specify the ipv6 address parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 The ethern...

Page 1166: ...v6 TCP connections and the status of individual connections IPv6 traffic statistics IPv6 session flows Displaying IPv6 cache information The IPv6 cache contains an IPv6 host table that has indices to the next hop gateway and the router interface on which the route was learned To display IPv6 cache information enter the following command at any CLI level Syntax show ipv6 cache index number ipv6 pre...

Page 1167: ...on Displaying IPv6 interface information To display IPv6 interface information enter the following command at any CLI level Syntax show ipv6 interface interface port number number The interface parameter displays detailed information for a specified interface For the interface you can specify the Ethernet loopback tunnel or VE keywords If you specify an Ethernet interface also specify the port num...

Page 1168: ...able command the status will be administratively down Otherwise the status is either up or down IPv6 status link local address The status of IPv6 The status is either enabled or disabled Displays the link local address if one is configured for the interface Global unicast address es Displays the global unicast address es if one or more are configured for the interface Joined group address es The m...

Page 1169: ...net interface also specify the port number associated with the interface If you specify a VE interface also specify the VE number This display shows the following information I MTU The setting of the maximum transmission unit MTU configured for the IPv6 interface The MTU is the maximum length an IPv6 packet can have to be transmitted on the interface If an IPv6 packet is longer than an MTU the hos...

Page 1170: ...the neighbor State The current state of the neighbor Possible states are as follows INCOMPLETE Address resolution of the entry is being performed REACH The forward path to the neighbor is functioning properly STALE This entry has remained unused for the maximum interval While stale no action takes place until a packet is sent DELAY This entry has remained unused for the maximum interval and a pack...

Page 1171: ...mand TABLE 171 IPv6 route table fields This field Displays Number of entries The number of entries in the IPv6 route table Type The route type which can be one of the following C The destination is directly connected to the router S The route is a static route R The route is learned from RIPng O The route is learned from OSPFv3 B The route is learned from BGP4 I The route is learned from IPv6 IS I...

Page 1172: ... a particular router interface Last update The amount of elapsed time in minutes between the current and previous updates received from a router Hops The default value that should be included in the Hop Count field of the IPv6 header for outgoing IPv6 packets The hops value applies to the router for which you are displaying information and should be followed by IPv6 hosts attached to the router A ...

Page 1173: ...request from the remote TCP or an acknowledgment of the connection termination request previously sent FIN WAIT 2 Waiting for a connection termination request from the remote TCP CLOSE WAIT Waiting for a connection termination request from the local user CLOSING Waiting for a connection termination request acknowledgment from the remote TCP LAST ACK Waiting for an acknowledgment of the connection ...

Page 1174: ...R percentage The percentage of free TCB queue buffer space FREE TCB SEND BUFFER percentage The percentage of free TCB send buffer space FREE TCB RECEIVE BUFFER percentage The percentage of free TCB receive buffer space FREE TCB OUT OF SEQUENCE BUFFER percentage The percentage of free TCB out of sequence buffer space TABLE 174 General IPv6 TCP connection fields Continued This field Displays BigIron...

Page 1175: ...ence number sent by the local router Send current send pointer number The current send pointer Send next sequence number to send number The next sequence number sent by the local router Send remote received window number The size of the remote received window Send total unacknowledged sequence number number The total number of unacknowledged sequence numbers sent by the local router Send total use...

Page 1176: ...redirect sent 0 frag recv 0 frag dropped 0 frag timeout 0 frag overflow 0 reassembled 0 fragmented 0 ofragments 0 can t frag 0 too short 0 too small 11 not member 0 no buffer 66819 allocated 21769 freed 0 forward cache hit 46 forward cache miss ICMP6 Statistics Received 0 dest unreach 0 pkt too big 0 time exceeded 0 param prob 2 echo req 1 echo reply 0 mem query 0 mem report 0 mem red 0 router sol...

Page 1177: ...packets dropped because they are too short too small The number of IPv6 packets dropped because they do not have enough data not member The number of IPv6 packets dropped because the recipient is not a member of a multicast group no buffer The number of IPv6 packets dropped because there is no buffer available forward cache miss The number of IPv6 packets received for which there is no correspondi...

Page 1178: ... errors in ICMP error messages too freq The number of times the node has exceeded the frequency of sending error messages Applies to sent errors only unreach no route The number of Unreachable No Route errors sent by the router admin The number of Admin errors sent by the router beyond scope The number of Beyond Scope errors sent by the router address The number of Address errors sent by the route...

Page 1179: ...v6 flows with any IPv6 source and any IPv6 destination addresses enter the following command BigIron RX show ipv6 flows any any input errors This information is used by Brocade Technical Support TCP statistics active opens The number of TCP connections opened by the router by sending a TCP SYN to another device passive opens The number of TCP connections opened by the router in response to connect...

Page 1180: ...s on two lines in the following sequence Source Address Source address of the flow Destination Address Destination address of the flow Protocol Protocol in the flow SrcPort IcmpType Either the source TCP UDP port or the ICMP type of the flow DestPort IcmpCode Either the destination TCP UDP port or the ICMP code of the flow Dscp DSCP value in the flow FlowLabel Value in the flow label field of the ...

Page 1181: ...IP and RIPng For more information about these commands refer to Configuring RIPng on page 1109 RIPng maintains a Routing Information Database RIB which is a local route table The local RIB contains the lowest cost IPv6 routes learned from other RIP routers In turn RIPng attempts to add routes from its local RIB into the main IPv6 route table This chapter describes the following How to configure RI...

Page 1182: ...ble RIPng globally enter the following command BigIron RX config rip router ipv6 router rip BigIron RX config ripng router After you enter this command the Brocade device enters the RIPng configuration level where you can access several commands that allow you to configure RIPng Syntax no ipv6 router rip To disable RIPng globally use the no form of this command After enabling RIPng globally you mu...

Page 1183: ...conds after the end of the hold down period BigIron RX config ipv6 router rip BigIron RX config ripng router timers 45 135 10 20 Syntax no timers update timer timeout timer hold down timer garbage collection timer Possible values for the timers are as follows Update timer 3 65535 seconds Timeout timer 9 65535 seconds Hold down timer 9 65535 seconds Garbage collection timer 9 65535 seconds NOTE You...

Page 1184: ...efault routes and includes all other routes in the updates To remove the explicit default routes from RIPng and suppress advertisement of these routes use the no form of this command Advertising IPv6 address summaries You can configure RIPng to advertise a summary of IPv6 addresses from a router interface and to specify an IPv6 prefix that summarizes the routes If a route s prefix length matches t...

Page 1185: ...interface 3 1 advertises an outgoing route it will increase the metric by 3 as specified in this example Syntax no ipv6 rip metric offset out 1 16 To return the metric offset to its default value use the no form of this command Redistributing routes into RIPng You can configure the Brocade device to redistribute routes from the following sources into RIPng IPv6 static routes Directly connected IPv...

Page 1186: ...face parameter you can specify the ethernet loopback ve or tunnel keywords If you specify an Ethernet interface also specify the port number associated with the interface If you specify a VE or tunnel interface also specify the VE or tunnel number To remove the distribution list use the no form of this command Configuring poison reverse parameters By default poison reverse is disabled on a RIPng r...

Page 1187: ...llowing command at any CLI level Syntax show ipv6 rip This display shows the following information TABLE 178 RIPng configuration fields This field Displays IPv6 RIP status port The status of RIPng on the Brocade device Possible status is enabled or disabled The UDP port number over which RIPng is enabled Administrative distance The setting of the administrative distance for RIPng Updates expiratio...

Page 1188: ... Default routes The status of RIPng default routes Periodic updates trigger updates The number of periodic updates and triggered updates sent by the RIPng router Distribution lists The inbound and outbound distribution lists applied to RIPng Redistribution The types of IPv6 routes redistributed into RIPng The types can include the following STATIC IPv6 static routes are redistributed into RIPng CO...

Page 1189: ... learned by RIPng CONNECTED IPv6 routes redistributed from directly connected networks STATIC IPv6 static routes are redistributed into RIPng BGP BGP4 routes are redistributed into RIPng ISIS IPv6 IS IS routes are redistributed into RIPng OSPF OSPFv3 routes are redistributed into RIPng Metric number The cost of the route The number parameter indicates the number of hops to the destination Tag numb...

Page 1190: ...1118 BigIron RX Series Configuration Guide 53 1001810 01 Displaying RIPng information 44 ...

Page 1191: ... BGP4 supports the advertising of routes among different address families However it supports BGP4 unicast routes only it does not currently support BGP4 multicast routes This chapter describes the following The address family configuration level for BGP4 How to configure BGP4 How to clear various BGP information statistics and counters How to display BGP4 information and statistics Address family...

Page 1192: ...gured in the BGP4 unicast address family to work in the BGP4 unicast address family unless it is explicitly configured in the BGP4 unicast address family To exit from the IPv6 unicast address family configuration level enter the following command BigIron RX config bgp ipv6u exit address family BigIron RX config bgp Entering this command returns you to the global BGP configuration level Configuring...

Page 1193: ...ed to exchange BGP4 unicast prefixes However if you add IPv6 neighbors while at the global BGP configuration or IPv4 BGP unicast address family configuration level the neighbors will not exchange BGP4 unicast prefixes until you explicitly enable them to do so by entering the neighbor ipv6 address peer group name activate command at the BGP4 unicast address family configuration level This section p...

Page 1194: ...he neighbor and local switch will exchange prefixes Configure a route map to set up a global next hop for packets destined for the neighbor Adding BGP4 neighbor To add the IPv6 link local address fe80 4398 ab30 45de 1 of a neighbor in remote AS 1000 to the BGP4 neighbor table of a switch enter the following commands BigIron RX config bgp address family ipv6 unicast BigIron RX config bgp ipv6u neig...

Page 1195: ...the BGP4 unicast address family configuration level BigIron RX config bgp ipv6u neighbor fe80 4398 ab30 45de 1 route map out next hop BigIron RX config bgp ipv6u exit BigIron RX config route map next hop permit 10 BigIron RX config route map match ipv6 address prefix list next hop ipv6 BigIron RX config route map set ipv6 next hop 2011 e0ff 3764 34 This route map applies to the BGP4 unicast addres...

Page 1196: ...ite local IPv6 addresses on page 1121 and Adding BGP4 neighbors using link local addresses on page 1122 NOTE You can add IPv6 neighbors only to an IPv6 peer group You cannot add an IPv4 neighbor to an IPv6 peer group and vice versa IPv6 and IPv6 peer groups must remain separate To configure a BGP4 peer group you must do the following 1 Create a peer group 2 Add a neighbor to the local switch 3 Ass...

Page 1197: ...bgp ipv6u neighbor 2001 efff 89 23 peer group peer_group1 Syntax neighbor ipv6 address peer group peer group name The ipv6 address parameter specifies the IPv6 address of the neighbor You must specify the ipv6 address parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 The peer group peer group name parameter indicates the name of the already created peer group To...

Page 1198: ... 32 into the BGP4 database enter the following command at the BGP4 unicast address family configuration level BigIron RX config bgp ipv6u network 3ff0 ec21 32 Syntax network ipv6 prefix prefix length route map name You must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You must specify the prefix length parameter as a decimal value A ...

Page 1199: ...ggregation a switch will individually advertise routes for networks ff00 f000 0001 0000 64 ff00 f000 0002 0000 64 ff00 f000 0003 0000 64 and so on You can configure the switch to instead send a single aggregate route for the networks The aggregate route would be advertised as ff00 f000 24 to BGP4 neighbors To aggregate BGP4 routes for ff00 f000 0001 0000 64 ff00 f000 0002 0000 64 ff00 f000 0003 00...

Page 1200: ...mit 10 BigIron RX config routemap map1 match ipv6 address prefix list ipv6_uni This example configures a route map named map1 that permits incoming IPv6 unicast routes that match the prefix list named ipv6_uni 2001 eff3 32 Note that you apply the route map while at the BGP4 unicast address family configuration level Clearing BGP4 information This section contains information about clearing the fol...

Page 1201: ...CLI BigIron RX clear ipv6 bgp flap statistics Syntax clear ipv6 bgp flap statistics ipv6 prefix prefix length neighbor ipv6 address regular expression regular expression The ipv6 prefix prefix length parameter clears route flap dampening statistics for a specified IPv6 prefix You must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You ...

Page 1202: ...6 address peer group name as number last packet with error notification errors The all ipv6 address peer group name as num specifies the neighbor The ipv6 address parameter specifies a neighbor by its IPv6 address You must specify this address in hexadecimal using 16 bit values between colons as documented in RFC 2373 The peer group name specifies all neighbors in a specific peer group The as num ...

Page 1203: ...pplies the filters and route maps you have configured to the list of routes If the filters or route maps result in changes to the list of routes the switch sends updates to advertise change or even withdraw routes on the neighbor as needed This ensures that the neighbor receives only the routes you want it to contain Even if the neighbor already contains a route learned from the switch that you la...

Page 1204: ...dampening status of a route To clear all of the route flap dampening statistics for a neighbor enter a command such as the following at the Privileged EXEC level or any of the Config levels of the CLI BigIron RX clear ipv6 bgp neighbor 2000 e0ff 47 1 flap statistics Syntax clear ipv6 bgp neighbor ipv6 address flap statistics The ipv6 address parameter specifies a neighbor by its IPv6 address You m...

Page 1205: ...ipv6 bgp command for IPv6 and the show ip bgp command for IPv4 Also the displays for the IPv4 and IPv6 versions of the show commands are similar except where relevant IPv6 neighbor addresses replace IPv4 neighbor addresses IPv6 prefixes replace IPv4 prefixes and IPv6 next hop addresses replace IPv4 next hop addresses Displaying the BGP4 route table BGP4 uses filters you define as well as an algori...

Page 1206: ...om two BGP4 neighbors the switch prefers the route from the neighbor with the larger weight Status The route s status which can be one or more of the following A AGGREGATE The route is an aggregate route for multiple networks B BEST BGP4 has determined that this is the optimal route to the destination b NOT INSTALLED BEST BGP4 has determined that this is the optimal route to the destination but di...

Page 1207: ...to their destinations The cidr only keyword lists only the routes whose network masks do not match their class network length The community number parameter lets you display routes for a specific community You can specify local as no export no advertise internet or a private community number You can specify the community number as either two five digit integer values of up to 1 65535 separated by ...

Page 1208: ... 1134 Prefix For information about this field refer to Table 180 on page 1134 Status For information about this field refer to Table 180 on page 1134 Age The age of the advertised route in seconds Next Hop For information about this field refer to Table 180 on page 1134 Learned from Peer The IPv6 address of the neighbor from which this route is learned Local router indicates that the switch itself...

Page 1209: ...v6 route table because the switch received better routes from other sources such as OSPFv3 RIPng or static IPv6 routes C CONFED_EBGP The route was learned from a neighbor in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is currently unusable EGP The routes with this set of attributes came to...

Page 1210: ... that match a specific community filter The detail keyword lets you display more details about the routes You can refine your request by also specifying one of the other parameters after the detail keyword The local keyword displays routes that are local to the switch The neighbor ipv6 address parameter displays routes learned from a specified BGP4 neighbor The nexthop ipv6 address option displays...

Page 1211: ...002 16 or that have a longer prefix such as 2002 e016 32 are displayed To display only those routes that match prefix 2002 16 enter the following command at any level of the CLI For example to display routes that match prefix 2002 16 or longer enter the following command at any level of the CLI BigIron RX show ipv6 bgp Total number of BGP Routes 2 Status codes s suppressed d damped h history valid...

Page 1212: ...n of the display to the left of each route The status codes are described in the command s output Origin codes A character the display uses to indicate the route s origin The origin code appears to the right of the AS path Path field The origin codes are described in the command s output Network The network prefix and prefix length Next Hop The next hop switch for reaching the network from the swi...

Page 1213: ...ect the best route IGP is preferred over EGP and both are preferred over INCOMPLETE Originator The originator of the route in a route reflector environment Cluster List The route reflector clusters through which this set of attributes has passed Aggregator Aggregator information AS Number shows the AS in which the network information in the attribute set was aggregated This value applies only to a...

Page 1214: ...001 neighbor 2001 4484 edd3 8389 1 remote as 1002 neighbor 2001 efff 80 23 peer group peer_group1 neighbor 2001 efff 80 23 remote as 1003 address family ipv4 unicast no neighbor 2001 4383 e0ff 783a 3 activate no neighbor 2001 4484 edd3 8389 1 activate no neighbor 2001 efff 80 23 activate exit address family address family ipv4 multicast exit address family address family ipv6 unicast network 3ff0 ...

Page 1215: ...pecified IPv6 prefix of the destination network only You must specify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter TABLE 184 Dampened BGP4 path information This field Displays Status codes...

Page 1216: ...s Number of BGP4 Routes matching display condition The number of routes that matched the display parameters you entered This is the number of routes displayed by the command Status codes A list of the characters the display uses to indicate the route s status The status code appears in the left column of the display to the left of each route The status codes are described in the command s output T...

Page 1217: ...onfederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is currently unusable E EBGP The route was learned through a switch in another AS H HISTORY Route dampening is configured for this route and the route has a history of flapping and is unreachable now I IBGP The route was learned through a switch in the sam...

Page 1218: ...ormation TABLE 186 Detailed filtered rut BGP4 route information This field Displays Status codes A list of the characters the display uses to indicate the route s status The Status field display an F for each filtered route Prefix For information about this field refer to Table 185 on page 1144 Status For information about this field refer to Table 185 on page 1144 BigIron RX show ipv6 bgp filtere...

Page 1219: ...or in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is currently unusable E EBGP The route was learned through a switch in another AS H HISTORY Route dampening is configured for this route and the route has a history of flapping and is unreachable now I IBGP The route was learned through a s...

Page 1220: ... display route flap statistics for routes learned from a neighbor by entering the following command show ipv6 bgp neighbor ipv6 address flap statistics The regular expression regular expression parameter is a regular expression The regular expressions are the same ones supported for BGP4 AS path filters You can also display route flap dampening statistics for a specified IPv6 neighbor For more inf...

Page 1221: ...atistics Router advertisements Route attribute entries Route flap dampening statistics The last packet containing an error Received Outbound Route Filters ORFs Routes received from a neighbor BGP4 Routing Information Base RIB Received best not installed best and unreachable routes Route summary Flaps The number of flaps state changes the route has experienced Since The amount of time in hh mm ss s...

Page 1222: ...ed in detail in section 3 2 of RFC 793 Transmission Control Protocol Functional Specification Syntax show ipv6 bgp neighbor ipv6 address The ipv6 address parameter allows you to display information for a specified neighbor only You must specify the ipv6 address parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 BigIron RX show ipv6 bgp neighbor 2000 4 110 1 IP Ad...

Page 1223: ...nd the software is clearing or removing routes CONNECT BGP4 is waiting for the connection process for the TCP neighbor session to be completed NOTE ACTIVE BGP4 is waiting for a TCP connection from the neighbor If the state frequently changes between CONNECT and ACTIVE there may be a problem with the TCP connection OPEN SENT BGP4 is waiting for an Open message from the neighbor OPEN CONFIRM BGP4 4 ...

Page 1224: ...or ended The reason can be one of the following No abnormal error has occurred Reasons described in the BGP specifications Message Header Error Connection Not Synchronized Bad Message Length Bad Message Type OPEN Message Error Unsupported Version Number Bad Peer AS Number Bad BGP Identifier Unsupported Optional Parameter Authentication Failure Unacceptable Hold Time Unsupported Capability UPDATE M...

Page 1225: ...e reason for the error Where applicable the subcode messages are listed underneath the error code messages Message Header Error Connection Not Synchronized Bad Message Length Bad Message Type Unspecified Open Message Error Unsupported Version Bad Peer As Bad BGP Identifier Unsupported Optional Parameter Authentication Failure Unacceptable Hold Time Unspecified Update Message Error Malformed Attrib...

Page 1226: ...iting for a connection termination request from the local user CLOSING Waiting for a connection termination request acknowledgment from the remote TCP LAST ACK Waiting for an acknowledgment of the connection termination request previously sent to the remote TCP which includes an acknowledgment of its connection termination request TIME WAIT Waiting for enough time to pass to be sure the remote TCP...

Page 1227: ...ecify the ipv6 prefix parameter in hexadecimal using 16 bit values between colons as documented in RFC 2373 You must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter UnAckSeq The current acknowledged sequence number IRcvSeq The initial receive sequence number for the session RcvNext The next sequence n...

Page 1228: ...his switch associates with routes from a specific neighbor For example if the switch receives routes to the same destination from two BGP4 neighbors the switch prefers the route from the neighbor with the larger weight Status The advertised route s status which can be one or more of the following A AGGREGATE The route is an aggregate route for multiple networks B BEST BGP4 has determined that this...

Page 1229: ... this field refer to Table 189 on page 1156 Learned from Peer The IPv6 address of the neighbor from which this route is learned Local Router indicates that the switch itself learned the route LOCAL_PREF For information about this field refer to Table 189 on page 1156 MED The value of the advertised route s MED attribute If the route does not have a metric this field is blank Origin The source of t...

Page 1230: ...ple they may have been redistributed from OSPFv3 or RIPng When BGP4 compares multiple routes to a destination to select the best route IGP is preferred over EGP and both are preferred over INCOMPLETE Originator The originator of the route in a route reflector environment Cluster List The route reflector clusters through which this set of attributes has passed Aggregator Aggregator information AS N...

Page 1231: ...4 neighbor This field Displays Total number of flapping routes The total number of routes in the neighbor s BGP4 route table that have changed state and thus have been marked as flapping routes Status code Indicates the status of the route which can be one of the following This is the best route among those in the neighbor s BGP4 route table to the route s destination d This route is currently dam...

Page 1232: ...or 2000 2 110 enter the following command Syntax show ipv6 bgp neighbor ipv6 address received prefix filter The ipv6 address parameter displays the prefix filter learned from a specified neighbor You must specify this address in hexadecimal using 16 bit values between colons as documented in RFC 2373 Displaying routes received from a BGP4 neighbor You can display a summary or detailed route inform...

Page 1233: ...cate the route s status The status code appears in the Status column of the display The status codes are described in the command s output Prefix The received route s prefix Next Hop The IPv6 address of the next switch that is used when forwarding a packet to the received route Metric The value of the route s MED attribute If the route does not have a metric this field is blank LocPrf The degree o...

Page 1234: ...s D DAMPED This route has been dampened by the route dampening feature and is currently unusable E EBGP The route was learned through a switch in another AS H HISTORY Route dampening is configured for this route and the route has a history of flapping and is unreachable now I IBGP The route was learned through a switch in the same AS L LOCAL The route originated on this switch M MULTIPATH BGP4 loa...

Page 1235: ...this field refer to Table 194 on page 1161 MED The value of the route s MED attribute If the route does not have a metric this field is blank BigIron RX show ipv6 bgp neighbor 2000 1 1 1 received routes detail There are 4 received routes from neighbor 2000 1 1 1 Searching for matching routes use C to quit Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED E EBGP H HISTORY I IBGP...

Page 1236: ...u must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter Origin The source of the route information The origin can be one of the following EGP The routes with this set of attributes came to BGP4 through EGP IGP The routes with this set of attributes came to BGP4 through IGP INCOMPLETE The routes came fr...

Page 1237: ... the Status column of the display The status codes are described in the command s output Prefix The RIB route s prefix Next Hop The next hop switch for reaching the route from the switch Metric The value of the advertised route s MED attribute If the route does not have a metric this field is blank LocPrf The degree of preference for the route relative to other routes in the local AS When the BGP4...

Page 1238: ...ED The value of the RIB route s MED attribute If the route does not have a metric this field is blank Origin The source of the route information The origin can be one of the following EGP The routes with this set of attributes came to BGP4 through EGP IGP The routes with this set of attributes came to BGP4 through IGP INCOMPLETE The routes came from an origin other than one of the above For exampl...

Page 1239: ... do not specify this parameter a summary of the routes displays This display shows the following information TABLE 198 Summary of best and unreachable routes from a BGP4 neighbor This field Displays Number of accepted routes from a specified neighbor The number of routes displayed by the command Status codes A list of the characters the display uses to indicate the route s status The status code a...

Page 1240: ...h in the same AS L LOCAL The route originated on this switch M MULTIPATH BGP4 load sharing is enabled and this route was selected as one of the best ones to the destination The best route among the multiple paths also is marked with B NOTE If the m is shown in lowercase the software was not able to install the route in the IPv6 route table S SUPPRESSED This route was suppressed during aggregation ...

Page 1241: ...his field refer to Table 198 on page 1167 Learned from Peer The IPv6 address of the neighbor from which this route is learned Local Router indicates that the switch itself learned the route LOCAL_PREF For information about this field refer to Table 198 on page 1167 MED The value of the RIB route s MED attribute If the route does not have a metric this field is blank Origin The source of the route ...

Page 1242: ... neighbor that are the best BGP4 routes to their destinations but were nonetheless not installed in the IPv6 route table because the switch received better routes from other sources such as OSPFv3 RIPng IPv6 IS IS or static IPv6 routes Unreachable Routes The number of routes received from the neighbor that are unreachable because the switch does not have a valid RIPng OSPFv3 or static IPv6 route t...

Page 1243: ... has advertised to this neighbor To be Sent The number of routes the switch has queued to send to this neighbor To be Withdrawn The number of NLRIs for withdrawing routes the switch has queued up to send to this neighbor in UPDATE messages NLRIs Sent in Update Message The number of NLRIs for new routes the switch has sent to this neighbor in UPDATE messages Withdraws The number of routes the switc...

Page 1244: ...n RX show ipv6 bgp peer group peer1 1 BGP peer group is pg1 Remote AS 65002 Description device group 1 NextHopSelf yes Address family IPV4 Unicast Address family IPV4 Multicast Address family IPV6 Unicast Members IP Address 192 169 102 2 IP Address 192 169 100 2 IP Address 192 169 101 2 IP Address 192 169 103 2 IP Address 192 169 104 2 IP Address 192 169 105 2 IP Address 192 169 106 2 IP Address 1...

Page 1245: ...in the Router Configuration Guide Number of Neighbors Configured The number of BGP4 neighbors configured on this switch Number of Routes Installed The number of BGP4 routes in the switch s BGP4 route table To display the BGP4 route table refer to Displaying the BGP4 route table on page 1133 Number of Routes Advertising to All Neighbors The total of the RtSent and RtToSend columns for all neighbors...

Page 1246: ...or NOTIFICATION message If the switch receives a KEEPALIVE message from the neighbor the state changes to Established If the message is a NOTIFICATION the state changes to Idle ESTABLISHED BGP4 is ready to exchange UPDATE packets with the neighbor If there is more BGP data in the TCP receiver queue a plus sign is also displayed NOTE If you display information for the neighbor using the show ipv6 b...

Page 1247: ... are the configuration considerations IPv6 MBGP does not redistribute DVMRP routes It redistributes static routes only You cannot redistribute IPv6 MBGP routes into BGP4 The device supports 8192 multicast routes by default You may need to increase the maximum number of multicast routes for MBGP You can configure the device to support up to 153 600 multicast routes Configuring IPv6 MBGP 1 Optional ...

Page 1248: ...num The num parameter specifies the number of multicast routes and can be from 1024 153 600 Enabling IPv6 MBGP To enable IPv6 MBGP you must enable PIM SM or DM and IPv6 BGP Enter commands such as the following BigIron RX enable BigIron RX configure terminal BigIron RX config ipv6 router pim BigIron RX config ipv6 pim router interface ethernet 1 1 BigIron RX config if e1000 1 1 ipv6 address 3001 1 ...

Page 1249: ...ast address family level Here is the full syntax for the neighbor command Syntax no neighbor ipv6 addr peer group name advertisement interval num default originate route map map name description string distribute list in out num num acl num in out ebgp multihop num filter list in out num num acl num in out weight maximum prefix num threshold teardown next hop self password 0 1 string prefix list s...

Page 1250: ...redistribution or configure static multicast routes Configuring a network prefix to advertise By default the BigIron RX advertises MBGP routes only for the networks you identify using the network command or that are redistributed into MBGP from IPv6 multicast route tables NOTE The exact route must exist in the IPv6 multicast route table so that the BigIron RX can create a local MBGP route To confi...

Page 1251: ...d devices into MBGP The static parameter indicates that you are redistributing static mroutes into MBGP The metric num parameter changes the metric You can specify a value from 0 4294967295 The default is 0 The route map map name parameter specifies a route map to be consulted before redistributing the routes into MBGP NOTE The route map you specify must already be configured Configuring static IP...

Page 1252: ...er prevents the router from advertising more specific routes contained within the aggregate route The suppress map map name parameter prevents the more specific routes contained in the specified route map from being advertised The advertise map map name parameter configures the BigIron RX to advertise the more specific routes in the specified route map The attribute map map name parameter configur...

Page 1253: ... MBGP route show ipv6 mbgp attribute entries Displays IPv6 MBGP route attributes show ipv6 mbgp dampened paths Displays IPv6 MBGP paths that have been dampened by route flap dampening show ipv6 mbgp flap statistics Displays route flap dampening statistics show ipv6 mbgp filtered routes Displays routes that have been filtered out TABLE 202 IPv6 MBGP Show commands Continued Command Description BigIr...

Page 1254: ...uding the values for all the configured parameters enter the following command This display is similar to the show ipv6 bgp neighbor display but has additional fields that apply only to MBGP These fields are shown in bold type in the example and are explained below NOTE The display shows all the configured parameters for the neighbor Only the parameters that have values different from their defaul...

Page 1255: ...The ipv6 addr parameter specifies the neighbor s IPv6 address BigIron RX show ipv6 mbgp neighbor 4fee 2343 0 ee44 1 Total number of BGP Neighbors 1 1 ipv6 Address 8eff 0 32 Remote AS 200 IBGP RouterID 8 8 8 1 State ESTABLISHED Time 0h33m26s KeepAliveTime 60 HoldTime 180 KeepAliveTimer Expire in 9 seconds HoldTimer Expire in 161 seconds PeerGroup mbgp mesh MD5 Password Gsig U NextHopSelf yes Refres...

Page 1256: ...Iron RX show ipv6 mbgp route Total number of BGP Routes 2 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED E EBGP H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED s STALE Prefix Next Hop Metric LocPrf Weight Status 1 8 8 8 0 24 166 1 1 2 0 100 0 BI AS_PATH 2 31 1 1 0 24 166 1 1 2 0 100 0 BI AS_PATH BigIron RX show ipv6 mroute Type Codes B BGP D Connected S Static Cost Dist Me...

Page 1257: ...which the statement appears in the ACL The last statement in each IPv6 ACL is an implicit deny statement for all packets that do not match the previous statements in the ACL You can configure an IPv6 ACL on a global basis then apply it to the incoming IPv6 packets on specified interfaces You can apply only one IPv6 ACL to an interface s incoming traffic When an interface sends or receives an IPv6 ...

Page 1258: ...ets from a specified source IPv6 address to the website s IPv6 address IPv6 ACLs also provide support for filtering packets based on DSCP This chapter contains the following sections Using IPv6 ACLs as input to other features on page 1186 Configuring an IPv6 ACL on page 1186 Applying an IPv6 ACL to an interface on page 1195 Adding a comment to an IPv6 ACL entry on page 1195 Displaying ACLs on page...

Page 1259: ...BigIron RX config write memory Here is another example of an ACL BigIron RX config ipv6 access list nextone BigIron RX config ipv6 access list rtr deny tcp 2001 1570 21 24 2001 1570 22 24 BigIron RX config ipv6 access list rtr deny udp any range 5 6 2001 1570 22 24 BigIron RX config ipv6 access list rtr permit ipv6 any any BigIron RX config ipv6 access list rtr write memory The first condition in ...

Page 1260: ...e ACLs that consist of explicit deny entries then add an entry to permit all access to the end of each ACL The permit entry permits packets that are not denied by the deny entries Every IPv6 ACL has the following implicit conditions as its last match conditions 1 permit icmp any any nd na Allows ICMP neighbor discovery acknowledgement 2 permit icmp any any nd ns Allows ICMP neighbor discovery soli...

Page 1261: ...ecified If you specify tcp or any other protocol instead of ipv6 the keyword fragments cannot be used ipv6 operator routing when any protocol is specified Same limitation as for ipv6 operator fragments When creating ACLs use the appropriate syntax below for the protocol you are filtering For IPv6 and supported protocols other than ICMP TCP or UDP Syntax no ipv6 access list acl name Syntax permit d...

Page 1262: ...rator source port number ipv6 destination prefix prefix length any host ipv6 destination address tcp udp operator destination port number ipv6 operator value match all tcp flags match any tcp flags established 802 1p priority matching number dscp marking number 802 1p priority marking number internal priority marking number dscp marking dscp value dscp cos mapping dscp cos mapping For UDP Syntax n...

Page 1263: ...lons as documented in RFC 2373 You must specify the prefix length parameter as a decimal value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter ipv6 destination prefix prefix length The ipv6 destination prefix prefix length parameter specify a destination prefix and prefix length that a packet must match for the specified action deny or permit to occur You...

Page 1264: ...tches any IPv6 prefix and is equivalent to the IPv6 prefix 0 host Allows you specify a host IPv6 address When you use this parameter you do not need to specify the prefix length A prefix length of all128 is implied tcp udp operator The tcp udp operator parameter can be one of the following eq The policy applies to the TCP or UDP port name or number you enter after eq gt The policy applies to TCP o...

Page 1265: ...rg Urgent ack Acknowledge psh Push rst Reset syn Synchronize fin Finish match all tcp flags match any tcp flag Enter match all tcp flags if you want all the flags you specify to be matched from a TCP session Use match any tcp flag if any of the flags will be matched You can enter more than one TCP flag Separate each flag with a space using a or to indicate if the matching condition requires the bi...

Page 1266: ...p that value to an internal QoS table to obtain the packet s new QoS value The following occurs when you use these parameters You enter 0 63 for the dscp marking number parameter The dscp cos mapping parameter takes the DSCP value you specified and compares it to an internal QoS table which is indexed by DSCP values The corresponding 802 1p priority internal forwarding priority and DSCP value is a...

Page 1267: ...to incoming IPv6 packets on the interface Adding TCP flags to an IPv6 ACL entry You can add aTCP flags to entries in an IPv6 ACL The TCP flag will appear in the output of show commands that display ACL information Enter match all tcp flags if you want all the flags you specify to be matched from a TCP session Use match any tcp flag if any of the flags will be matched You can enter more than one TC...

Page 1268: ...mmands such as the following Syntax remark entry sequence sequence number comment text The sequence number is the line number assigned to the ACL entry For a list of ACL entry numbers use the show ipv6 access list command The comment text can be up to 256 characters in length The comment must be entered separately from the actual ACL entry that is you cannot enter the ACL entry and the ACL comment...

Page 1269: ...t access list name BigIron RX show ipv6 access list rtr ipv6 access list rtr 3 entries 10 remark This entry permits ipv6 packets from 3002 2 to any destination 10 permit ipv6 host 3000 2 any 20 remark This entry denies udp packets from any source to any destination 20 deny udp any any 30 remark This entry denies IPv6 packets from any source to any destination 30 deny ipv6 any any BigIron RX show i...

Page 1270: ...1198 BigIron RX Series Configuration Guide 53 1001810 01 Displaying ACLs 47 ...

Page 1271: ...o configure OSPF version 3 How to display OSPF version 3 information and statistics IPv6 supports OSPF version 3 OSPFv3 which functions similarly to OSPF version 2 the current version that IPv4 supports except for the following enhancements Support for IPv6 addresses and prefixes In general you can configure several IPv6 addresses on a router interface OSPFv3 imports all or none of the address pre...

Page 1272: ...ssign OSPF areas Assign router interfaces to an OSPF area The following configuration tasks are optional Configure a virtual link between an ABR without a physical connection to a backbone area and the Brocade device in the same area with a physical connection to the backbone area Change the reference bandwidth for the cost on OSPFv3 interfaces Configure the redistribution of routes into OSPFv3 Co...

Page 1273: ...mation for the disabled protocol is removed from the startup config file The CLI displays a warning message such as the following BigIron RX config ospf6 router no ipv6 router ospf ipv6 router ospf mode now disabled All ospf config data will be lost when writing to flash If you have disabled the protocol but have not yet saved the configuration to the startup config file and reloaded the software ...

Page 1274: ...e disables origination of summary LSAs into a stub area but the Brocade device still accepts summary LSAs from OSPF neighbors and floods them to other areas The Brocade device can form adjacencies with other routers regardless of whether summarization is enabled or disabled for areas on each router When you disable the summary LSAs the change takes effect immediately If you apply the option to a p...

Page 1275: ...l virtual links transit area ID and neighbor router The transit area ID represents the shared area of the two ABRs and serves as the connection point between the two routers This number should match the area ID value When assigned from the router interface requiring a logical connection the neighbor router field is the router ID IPv4 address of the router that is physically connected to the backbo...

Page 1276: ... The ethernet loopback tunnel ve parameter specifies the interface from which the router derives the source IPv6 address for communication across the virtual link If you specify an Ethernet interface also specify the port number associated with the interface If you specify a loopback tunnel or VE interface also specify the number associated with the respective interface To delete the source addres...

Page 1277: ... an interface has an OSPF cost of ten the Brocade device advertises the interface with a cost of ten to other OSPF routers By default an interface s OSPF cost is based on the port speed of the interface The software uses the following formula to calculate the cost Cost reference bandwidth interface speed By default the reference bandwidth is 100 Mbps If the resulting cost is less than 1 the softwa...

Page 1278: ... 0 5 which is rounded up to 1 155 Mbps port s cost 500 155 3 23 which is rounded up to 4 622 Mbps port s cost 500 622 0 80 which is rounded up to 1 2488 Mbps port s cost 500 2488 0 20 which is rounded up to 1 The costs for 10 Mbps 100 Mbps and 155 Mbps ports change as a result of the changed reference bandwidth Costs for higher speed interfaces remain the same Syntax no auto cost reference bandwid...

Page 1279: ...OSPF version 3 on page 1208 The metric type type parameter specifies an OSPF metric type for the redistributed route You can specify external type 1 or external type 2 If a value is not specified for this option the Brocade device uses the value specified by the metric type command For information about modifying the default metric type using the metric type command refer to Modifying default metr...

Page 1280: ...s the permit or deny action of the route map NOTE For an external route that is redistributed into OSPFv3 through a route map the metric value of the route remains the same unless the metric is set by a set metric command inside the route map or the default metric num command For a route redistributed without using a route map the metric is set by the metric parameter if set or the default metric ...

Page 1281: ...ed by a specified IPv6 address range When you configure an address range the range takes effect immediately All the imported routes are summarized according to the configured address range Imported routes that have already been advertised and that fall within the range are flushed out of the AS and a single route corresponding to the range is advertised If a route that falls within a configured ad...

Page 1282: ... value A slash mark must follow the ipv6 prefix parameter and precede the prefix length parameter Filtering OSPFv3 routes You can filter the routes to be placed in the OSPFv3 route table by configuring distribution lists OSPFv3 distribution lists can be applied globally or to an interface The functionality of OSPFv3 distribution lists is similar to that of OSPFv2 distribution lists However unlike ...

Page 1283: ...ospf BigIron RX config ospf6 router distribute list prefix list filterOspfRoutes in Syntax no distribute list prefix list name in interface After this distribution list is configured route 3010 64 would be omitted from the OSPFv3 route table BigIron RX show ipv6 ospf route Current Route count 5 Intra 3 Inter 0 External 2 Type1 0 Type2 2 Equal cost multi path 0 Destination Options Area Cost Type2 C...

Page 1284: ...n list using a route map as input The following commands configure a route map that matches internal routes BigIron RX config route map allowInternalRoutes permit 10 BigIron RX config routemap allowInternalRoutes match route type internal Refer to Chapter 22 Policy Based Routing for information on configuring route maps The following commands configure a distribution list that applies the allowInt...

Page 1285: ... enable default route origination If default route origination is enabled and you disable it the default route originated by the device is flushed Default routes generated by other OSPF routers are not affected If you re enable the feature the feature takes effect immediately and thus does not require you to reload the software For example to create and advertise a default route with a metric of 2...

Page 1286: ...egins the SPF calculation after receiving a topology change SPF hold time The Brocade device waits a specific amount of time between consecutive SPF calculations By default the device waits 10 seconds You can configure the SPF hold time to a value from 0 65535 seconds If you set the SPF hold time to 0 seconds the software does not wait between consecutive SPF calculations You can set the SPF delay...

Page 1287: ...ame network from different protocols The device prefers the route with the lower administrative distance You can specify unique default administrative distances for the following OSPFv3 route types Intra area routes Inter area routes External routes The default for all of these OSPFv3 route types is 110 NOTE This feature does not influence the choice of routes within OSPFv3 For example an OSPF int...

Page 1288: ...ospf6 router timers lsa group pacing 120 Syntax no timers lsa group pacing seconds The seconds parameter specifies the number of seconds and can be from 10 1800 30 minutes The default is 240 seconds four minutes To restore the pacing interval to its default value use the no form of the command Modifying exit overflow interval If a database overflow condition occurs on the Brocade device the device...

Page 1289: ... Represents the length of time between the transmission of hello packets The command syntax is ipv6 ospf hello interval seconds The value can be from 1 65535 seconds The default is 10 seconds Instance Indicates the number of OSPFv3 instances running on an interface The command syntax is ipv6 ospf instance number The value can be from 0 255 The default is 1 MTU ignore Allows you to disable a check ...

Page 1290: ...Iron RX config ospf6 router no log status change Syntax no log status change To re enable the logging of events enter the following command BigIron RX config ospf6 router log status change Displaying OSPFv3 information You can display the information for the following OSPFv3 parameters Areas Link state databases Interfaces Memory usage Neighbors Redistributed routes Routes SPF Virtual links Virtua...

Page 1291: ... a scope of the specified area SPF algorithm executed The number of times the OSPF Shortest Path First SPF algorithm is executed within the area SPF last updated The interval in seconds that the SPF algorithm was last executed within the area Current SPF node count The current number of SPF nodes in the area Router Number of router LSAs in the area Network Number of network LSAs in the area Indx T...

Page 1292: ...router LSAs only The scope area id parameter displays detailed information about the LSAs for a specified area AS or link This display shows the following information TABLE 205 OSPFv3 database summary fields This field Displays Area ID The OSPF area in which the Brocade device resides Type Type of LSA LSA types can be the following Rtr Router LSAs Type 1 Net Network LSAs Type 2 Inap Inter area pre...

Page 1293: ... Advertising Router 223 223 223 223 Prefix Options Metric 0 Prefix 2000 4 64 Prefix Options Metric 0 Prefix 2002 c0a8 46a 64 Area ID Type LS ID Adv Rtr Seq Hex Age Cksum Len 0 Rtr 00000039 223 223 223 223 800000b1 355 8f2d 40 Capability Bits E Options V6E R Type Transit Metric 1 Interface ID 00000058 Neighbor Interface ID 00000058 Neighbor Router ID 223 223 223 223 Area ID Type LS ID Adv Rtr Seq H...

Page 1294: ...2740 MC The device forwards multicast packets as described in RFC 1586 N The device handles type 7 LSAs as described in RFC 1584 R The originator is an active router DC The device handles demand circuits Type The type of interface Possible types can be the following Point to point A point to point connection to another router Transit A connection to a transit network Virtual link A connection to a...

Page 1295: ...nal LSAs as described in RFC 2740 MC The device forwards multicast packets as described in RFC 1586 N The device handles type 7 LSAs as described in RFC 1584 R The originator is an active router DC The device handles demand circuits Metric The cost of the route Destination Router ID The ID of the router described in the LSA AS external LSA Type 5 Extn fields Bits The bit can be set to one of the f...

Page 1296: ...x is an IPv6 interface address of the advertising router MC The prefix is included in IPv6 multicast routing calculations P NSSA area prefixes are readvertised at the NSSA area border Prefix The IPv6 prefix included in the LSA Intra area prefix LSAs Type 9 Iap fields Number of Prefix The number of prefixes included in the LSA Referenced LS Type Referenced LS ID Identifies the router LSA or network...

Page 1297: ...ssive The interface is up but it does not take part in forming an adjacency Waiting The interface is trying to determine the identity of the BDR for the network None The interface does not take part in the OSPF interface state machine Down The interface is unusable No protocol traffic can be sent or received on such a interface DR other The interface is a broadcast or NBMA network on which another...

Page 1298: ...erface is functioning as a loopback interface P2P The interface is functioning as a point to point interface Passive The interface is up but it does not take part in forming an adjacency Waiting The interface is trying to determine the identity of the BDR for the network None The interface does not take part in the OSPF interface state machine Down The interface is unusable No protocol traffic can...

Page 1299: ...he interface Also the total number of bytes associated with transmitted and received link state requests LSUpdate The number of link state updates transmitted and received by the interface Also the total number of bytes associated with transmitted and received link state requests LSAck The number of link state acknowledgements transmitted and received by the interface Also the total number of byte...

Page 1300: ... by OSPFv3 This information is for use by Brocade s technical support in case of a problem Size The size of a memory type Allocated The amount of memory currently allocated to a memory type Max alloc The maximum amount of memory that was allocated to a memory type Alloc Fails The number of times an attempt to allocate memory to a memory type failed TABLE 210 Summary of OSPFv3 neighbor information ...

Page 1301: ...is a broadcast or NBMA network on which another router is selected to be the DR TABLE 211 Detailed OSPFv3 neighbor information Field Description Router ID For information about this field refer to Table 210 on page 1228 Pri For information about this field refer to Table 210 on page 1228 State For information about this field refer to Table 210 on page 1228 DR For information about this field refe...

Page 1302: ...eighbor s summary list Number of LSAs in Request List The number of LSAs in the neighbor s request list Number of LSAs in Retransmit List The number of LSAs in the neighbor s retransmit list Seqnum Mismatch The number of times sequence number mismatches occurred BadLSReq The number of times the neighbor received a bad link state request from the Brocade device One way received The number of times ...

Page 1303: ...n information This Field Displays ID An ID for the redistributed route Prefix The IPv6 routes redistributed into OSPFv3 Protocol The protocol from which the route is redistributed into OSPFv3 Redistributed protocols can be the following BGP BGP4 RIP RIPng ISIS IPv6 IS IS Static IPv6 static route table Connected A directly connected network Metric Type The metric type used for routes redistributed ...

Page 1304: ...es Inter The number of routes that pass into another area Intra The number of routes that are within the local area External1 The number of type 1 external routes External2 The number of type 2 external routes Equal cost multi path Displays with the entire OSPFv3 route table only The number of equal cost routes to the same destination in the OSPFv3 route table If load sharing is enabled the router...

Page 1305: ...bed in RFC 1586 N The device handles type 7 LSAs as described in RFC 1584 R The originator is an active router DC The device handles demand circuits Area The area whose link state information has led to the routing table entry s collection of paths Cost The type 1 cost of this route Type2 Cost The type 2 cost of this route Next Hop Router The IPv6 address of the next router a packet must traverse ...

Page 1306: ...s identified by its router ID IPv4 address If the node is a child node it is additionally identified by an interface on which the node can be reached appended to the router ID in the format router id interface id Cost The cost of traversing the SPF node to reach the destination Hops The number of hops needed to reach the parent SPF node Next Hops to Node The IPv6 address of the next hop router or ...

Page 1307: ... is a network An SPF node s router ID IPv4 address If the node is a child node it is additionally identified by an interface on which the node can be reached appended to the router ID in the format router id interface id Bits A bit that indicates the capability of the Brocade device The bit can be set to one of the following B The device is an area border router E The device is an AS boundary rout...

Page 1308: ...Area ID The ID of the shared area of two ABRs that serves as a connection point between the two routers Router ID IPv4 address of the router at the other end of the virtual link virtual neighbor Interface Address The local address used to communicate with the virtual neighbor State The state of the virtual link Possible states include the following P2P The link is functioning as a point to point i...

Page 1309: ...48 State The state between the Brocade device and the virtual neighbor The state can be one of the following Down Attempt Init 2 Way ExStart Exchange Loading Full Interface The IPv6 address of the virtual neighbor TABLE 217 OSPFv3 virtual neighbor information Continued This field Displays ...

Page 1310: ...1238 BigIron RX Series Configuration Guide 53 1001810 01 Displaying OSPFv3 information 48 ...

Page 1311: ...t is especially suitable for widely distributed multicast environments In an IPv6 PIM Sparse network an IPv6 PIM Sparse router that is connected to a host that wants to receive information for a multicast group must explicitly send a join request on behalf of the receiver host FIGURE 139 Example IPv6 PIM Sparse domain IPv6 PIM Sparse router B Port2 1 Port2 2 Rendezvous Point RP path Port3 8 Port3 ...

Page 1312: ...T and uses the SPT for subsequent packets from the source to the receiver The BigIron RX calculates a separate SPT for each source receiver pair NOTE Brocade recommends that you configure the same ports as candidate BSRs and RPs RP paths and SPT paths Figure 139 shows two paths for packets from the source for group fec0 1111 1 and a receiver for the group The source is attached to PIM Sparse route...

Page 1313: ...ade device for IPv6 PIM Sparse perform the following tasks Identify the Layer 3 switch as a candidate sparse rendezvous point RP if applicable Specify the IPv6 address of the RP to configure statically The following example enables IPv6 PIM SM routing Enter the following command at the configuration level to enable IPv6 PIM SM globally BigIron RX config ipv6 router pim BigIron RX config ipv6 pim r...

Page 1314: ... num parameter specifies the interface The BigIron RX will advertise the specified interface s IP address as a candidate BSR Enter ethernet slot portnum for a physical interface port Enter ve num for a virtual interface Enter loopback num for a loopback interface The hash mask length parameter specifies the number of bits in a group address that are significant when calculating the group to RP map...

Page 1315: ...ter rp candidate delete ff02 200 1 128 Syntax no rp candidate delete group ipv6 addr mask bits The usage of the group ipv6 addr mask bits parameter is the same as for the rp candidate add command Statically specifying the RP Brocade recommends that you use the IPv6 PIM Sparse protocol s RP election process so that a backup RP can automatically take over if the active RP router becomes unavailable ...

Page 1316: ...definition If there are overlapping group ranges among the static RPs the static RP with the longest prefix match will be selected If more than one static RP covers the exact same group range the highest IP static RP will be used Configuration considerations The Static RP has higher precedence over RP learnt from the BSR There is a limit of 32 static RPs in the systems Configuring an ACL based RP ...

Page 1317: ...ged out The clear IPv6 pim rp map command allows you to update the entries in the static multicast forwarding table immediately after making RP configuration changes This command is meant to be used with rp address command To update the entries in an IPv6 PIM sparse static multicast forwarding table with new RP configuration enter the following command at the privileged EXEC level of the CLI BigIr...

Page 1318: ... maintains a separate counter for each IPv6 PIM Sparse source group pair You can change the number of packets that the BigIron RX receives using the RP before switching to using the SPT To change the number of packets the BigIron RX receives using the RP before switching to the SPT enter commands such as the following BigIron RX config ipv6 router pim BigIron RX config ipv6 pim router spt threshol...

Page 1319: ...o all IPv6 PIM interfaces enter the following BigIron RX config ipv6 router pim BigIron RX config ipv6 pim router inactivity timer 160 Syntax no inactivity timer seconds The seconds parameter specifies the number of seconds Valid range is 60 3600 The default is 180 seconds Changing the hello timer This parameter defines the interval at which periodic hellos are sent out PIM interfaces Routers use ...

Page 1320: ...ommand as described in Displaying IPv6 PIM sparse configuration information on page 1248 Passive Multicast Route Insertion PMRI To prevent unwanted multicast traffic from being sent to the CPU IPv6 PIM Routing and Passive Multicast Route Insertion PMRI can be used together to ensure that multicast streams are only forwarded out ports with interested receivers and unwanted traffic is dropped in har...

Page 1321: ...nfiguration information and statistics You can display the following PIM Sparse information Basic PIM Sparse configuration information Group information BSR information Candidate RP information RP to group mappings RP information for a IPv6 PIM Sparse group RP set list IPv6 PIM Neighbor information The IPv6 PIM flow cache The IPv6PIM multicast cache IPv6 PIM traffic statistics IPv6 PIM counter sta...

Page 1322: ...ertisement interval How frequently the candidate PR configured on the BigIron RX sends candidate RP advertisement messages to the BSR NOTE This field contains a value only if an interface on the BigIron RX is configured as a candidate RP Otherwise the field is blank Join Prune interval How frequently the BigIron RX sends IPv6 PIM Sparse Join Prune messages for the multicast groups it is forwarding...

Page 1323: ... threshold value the interface state is listed The interface state can be one of the following Disabled Enabled Local Address Indicates the IP address configured on the port or virtual interface TABLE 218 This field Displays BigIron RX show ipv6 pim Interface v30 PIM Version V2 MODE PIM SM TTL Threshold 1 Enabled DR fe80 20c dbff fef6 a00 on e3 2 Link Local Address fe80 20c dbff fef5 e900 Global A...

Page 1324: ...strap information BSR address 2001 3e8 255 255 17 BSR priority 0 BigIron RX Syntax show ipv6 pim bsr This display shows the following information This field Displays Total number of Groups Lists the total number of IPv6 multicast groups the BigIron RX is forwarding NOTE This list can include groups that are not IPv6 PIM Sparse groups If interfaces on the BigIron RX are configured for regular Ipv6 ...

Page 1325: ...y if this BigIron RX is the BSR Next Candidate RP advertisement message in Indicates how many seconds will pass before the BSR sends its next candidate PR advertisement message NOTE This field appears only if this BigIron RX is a candidate BSR RP Indicates the IPv6 address of the Rendezvous Point RP NOTE This field appears only if this BigIron RX is a candidate BSR group prefixes Indicates the mul...

Page 1326: ... NOTE This field appears only if this BigIron RX is a candidate RP Candidate RP advertisement period Indicates how frequently the BSR sends candidate RP advertisement messages NOTE This field appears only if this BigIron RX is a candidate RP This field Displays Index The index number of the table entry in the display Group address Indicates the IPv6 PIM Sparse multicast group address using the lis...

Page 1327: ...otstrap message RP num Indicates the RP number If there are multiple RPs in the IPv6 PIM Sparse domain a line of information for each of them is listed and they are numbered in ascending numerical order priority The RP priority of the candidate RP During the election process the candidate RP with the highest priority is elected as the RP age The age in seconds of this RP set NOTE If this BigIron R...

Page 1328: ... timer starts when the BigIron RX receives the first Hello messages from the neighbor This field Displays BigIron RX show ipv6 pim mcache Total 4 entries Free mll entries 766 1 ff7e 140 2001 3e8 16 0 1 2 RP2001 3e8 16 1 in NIL cnt 0 Sparse Mode RPT 1 SPT 0 Reg 0 No upstream neighbor because RP 2001 3e8 16 1 is itself num_oifs 1 v312 L3 SW 1 e3 15 VL312 Flags fast 1 slow 0 leaf 0 prun 0 frag 0 tag ...

Page 1329: ... are currently allocated in memory in use Number of allocated nodes in use avail Number of allocated nodes are not in use allo fail Number of allocated notes that failed up limit Maximum number of nodes that can be allocated for a data structure This may or may not be configurable depending on the data structure This field Displays Port The port or virtual interface on which the IPv6 PIM interface...

Page 1330: ...lter mode are created when the IPv6 querier router sends a query The querier router is the one with the lowest source IPv6 address It sends out any of the following queries General query The querier sends this query to learn all multicast addresses that need to be listened to on an interface Address specific query The querier sends this query to determine if a specific multicast address has any li...

Page 1331: ...ing a command such as the following BigIron RX config ipv6 router pim BigIron RX config ipv6 pim router Syntax no ipv6 router pim 2 At the interface level enable MLDv2 by entering the following commands BigIron RX config interface ethernet 1 1 BigIron RX config if e10000 1 1 ipv6 pim sparse Syntax no ipv6 pim sparse 3 Once PIM SM is enabled specify which version of MLD will be used by entering the...

Page 1332: ...t is 5 seconds Setting the last listener query count The Last Listener Query Count is the number of Multicast Address Specific Queries sent before the switch assumes there are no remaining listeners for an address on a link You can set the last listener query count by entering a command such as the following BigIron RX config ipv6 mld llqc 5 Syntax ipv6 mld llqc seconds Specify 2 7 for seconds Set...

Page 1333: ...ommand such as the following at the interface level BigIron RX config vif 401 ipv6 mld port ver 1 eth 3 1 Syntax mld port ver version number Specify 1 or 2 for version number Specifying a static group A multicast group is usually learned when an MLDv1 report is received You can configure static group membership without having to receive an MLDv1 report by entering a command such as the following a...

Page 1334: ...ups This message shows the ID of the interface and how many multicast groups it has Index for the MLD group ipv6 address IPv6 address of the multicast group phy port The physical port to which the group belongs static Indicates if the group is a static group or not querier Indicates if the multicast group is a querier or not life The number of seconds the interface can remain in its current mode m...

Page 1335: ...ils The following is displayed for each interface The port ID The default MLD version being used The multicast protocol used IPV6 address of the multicast interface If the interface has groups the group source list IPv6 multicast address and the filter mode are displayed BigIron RX show ipv6 mld interface version 2 query int 125 max resp time 10 group mem time 635 robustness 5 other querier presen...

Page 1336: ...by the virtual routing interface MbrV1 Number of MLDv1 membership reports received MbrV2 Number of MLDv2 membership reports received Leave Number of MLDv1 leave messages on the interface See 2_Ex for MLDv2 Is_IN Number of source addresses that were included in the traffic Is_EX Number of source addresses that were excluded in the traffic 2_IN Number of times the interface mode changed from exclude...

Page 1337: ...group A designated router DR receiving a new multicast stream from a directly connected source checks for the presence of an embedded RP address in the group address If found it uses this RP address as the unicast destination address of the PIM Register packets that it initiates Other PIM routers that are also receiving PIM PDUs look into the group address for the presence of an embedded RP addres...

Page 1338: ...1266 BigIron RX Series Configuration Guide 53 1001810 01 Multicast Listener Discovery and source specific multicast protocols MLDv2 49 ...

Page 1339: ...face by configuring an IPv6 address or explicitly enabling IPv6 on that interface For more information on performing these configuration tasks refer to Configuring a static IPv6 route on page 1267 To configure a static IPv6 route for a destination network with the prefix 8eff 0 32 a next hop gateway with the global address 4fee 2343 0 ee44 1 and an administrative distance of 110 enter the followin...

Page 1340: ...one of the following The IPv6 address of a next hop gateway A tunnel interface You can specify the next hop gateway as one of the following types of IPv6 addresses A global address A link local address If you specify a global address you do not need to specify any additional parameters for the next hop gateway If you specify a link local address you must also specify the interface through which to...

Page 1341: ...address Thus if you want to configure a multicast static route for a specific multicast source and also configure another multicast static route for all other sources you can configure two static routes To configure a IPv6 mroute for a destination network with the prefix 8eff 0 32 a next hop gateway with the global address 4fee 2343 0 ee44 1 and an administrative distance of 110 enter the followin...

Page 1342: ...outes enter a command such as the following BigIron RX config ipv6 mroute 12 7 1 0 255 255 255 0 17 3 1 2 Syntax no ipv6 mroute ip addr ip mask next hop ip addr ethernet slot port ve num null0 cost distance num The ip addr and ip mask parameters specifies the PIM source for the route The ethernet slot port parameter specifies a physical port The ve num parameter specifies a virtual interface The n...

Page 1343: ...a Syslog server ensures that the messages remain available even after a system reload The BigIron RX s local Syslog buffer is cleared during a system reload or reboot but the Syslog messages sent to the Syslog server remain on the server The Syslog service on a Syslog server receives logging messages from applications on the local host or from devices such as a BigIron RX Syslog adds a time stamp ...

Page 1344: ...lnet or SSH sessions you also must enable display within the individual sessions To enable real time display of Syslog messages enter the following command at the global CONFIG level of the CLI BigIron RX config logging console Syntax no logging console This command enables the real time display of Syslog messages on the serial console You can enter this command from the serial console or a Telnet...

Page 1345: ...can hold up to 100 Syslog messages in an internal buffer Change the level of messages the system logs Change the number of messages the local Syslog buffer can hold Display the Syslog configuration Clear the local Syslog buffer Logging is enabled by default with the following settings Messages of all severity levels Emergencies Debugging are logged By default up to 50 messages are retained in the ...

Page 1346: ...nfiguration This field Displays Syslog logging The state enabled or disabled of the Syslog buffer messages dropped The number of Syslog messages dropped due to user configured filters By default the software logs messages for all Syslog levels You can disable individual Syslog levels in which case the software filters out messages at those levels Refer to Disabling logging of a message level on pa...

Page 1347: ...mic buffer or static buffer to clear the static buffer If you do not specify a buffer both buffers are cleared Time stamps The contents of the time stamp differ depending on whether you have set the time and date on the onboard system clock If you have set the time and date on the onboard system clock the date and time are shown in the following format mm dd hh mm ss where mm abbreviation for the ...

Page 1348: ... the system clock when the message was generated For example the system time when the most recent message the one at the top was generated was October 15 at 5 38 PM and 3 seconds BigIron RX config show log Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Buffer logging level ACDMEINW 38 messages logged level code A alert C critical D debugging M emergency E error I informational N no...

Page 1349: ...ollowing defaults Messages of all severity levels Emergencies Debugging are logged Up to 50 messages are retained in the local Syslog buffer No Syslog server is specified Specifying a Syslog server To specify a Syslog server enter a command such as the following BigIron RX config logging host 10 0 0 99 For backward compatibility the software reads the old command syntax from the startup configurat...

Page 1350: ...al basis For example to disable logging of debugging and informational messages enter the following commands BigIron RX config no logging buffered debugging BigIron RX config no logging buffered informational Syntax no logging buffered level num entries The level parameter can have one of the following values alerts critical debugging emergencies errors informational notifications warnings The com...

Page 1351: ...1 I CLI CMD router bgp from console Sep 9 18 38 07 I CLI CMD no nei 10 1 1 8 remote 10 from telnet client 10 1 1 1 Sep 9 18 38 05 I CLI CMD router bgp from telnet client 10 1 1 1 Changing the number of entries the local buffer can hold You also can use the logging buffered command to change the number of entries the local Syslog buffer can store For example BigIron RX config logging buffered 100 T...

Page 1352: ... reserved for local use local7 reserved for local use Displaying the interface name in Syslog messages By default an interface s slot number if applicable and port number are displayed when you display Syslog messages If you want to display the name of the interface instead of its number enter the following command BigIron RX config ip show portname This command is applied globally to all interfac...

Page 1353: ...ion from the TCP UDP well known port name to the TCP UDP port number For example entering the following command causes the BigIron RX to display http the well known port name instead of 80 the port number in the output of show commands and other commands that contain application port information By default the BigIron RX displays TCP UDP application information in named notation In this release yo...

Page 1354: ...rees warning level warn degrees C degrees shutdown level shutdown degrees C degrees Indicates an overtemperature condition on the active module The degrees value indicates the temperature of the module The warn degrees value is the warning threshold temperature configured for the module The shutdown degrees value is the shutdown temperature configured for the module Alert num modules modules and 1...

Page 1355: ...th a VLAN ID different from the RADIUS supplied VLAN ID Alert MAC Authentication failed for mac address on portnum RADIUS given vlan does not exist RADIUS authentication was successful for the specified mac address on the specified portnum however the RADIUS Access Accept message specified a VLAN that does not exist in the BigIron RX s configuration This is treated as an authentication failure Ale...

Page 1356: ...dress that is also configured on the BigIron RX The ip addr is the duplicate IP address The mac addr is the MAC address of the device with the duplicate IP address The portnum is the Brocade port that received the packet with the duplicate IP address The address is the packet s source IP address Warning list acl num denied ip proto src ip addr src tcp udp port Ethernet portnum mac addr dst ip addr...

Page 1357: ...u specified For example if you specified a threshold of 100 prefixes and 75 percent as the warning threshold this message is generated if the BigIron RX receives a 76th prefix from the neighbor Warning DOT1X security violation at port portnum malicious mac address detected mac address A security violation was encountered at the specified port number Notification Module was inserted to slot slot nu...

Page 1358: ...on the device has been exceeded The rate indicates the maximum rate allowed This message can occur if fragment thottling is enabled Notification ACL port fragment packet inspect rate rate exceeded on port portnum The fragment rate allowed on an individual interface has been exceeded The rate indicates the maximum rate allowed The portnum indicates the port This message can occur if fragment thottl...

Page 1359: ... of the following down loopback waiting point to point designated router backup designated router other designated router unknown Notification OSPF nbr state changed rid router id nbr addr ip addr nbr rid nbr router Id state ospf state Indicates that the state of an OSPF neighbor has changed The router id is the router ID of the BigIron RX The ip addr is the IP address of the neighbor The nbr rout...

Page 1360: ...tf addr ip addr pkt src addr src ip addr error type error type pkt type pkt type Indicates that an OSPF interface configuration error has occurred The router id is the router ID of the BigIron RX The ip addr is the IP address of the interface on the BigIron RX The src ip addr is the IP address of the interface from which the BigIron RX received the error packet The error type can be one of the fol...

Page 1361: ...ce on the BigIron RX The src ip addr is the IP address of the interface from which the BigIron RX received the error packet The error type can be one of the following bad version area mismatch unknown NBMA neighbor unknown virtual neighbor authentication type mismatch authentication failure network mask mismatch hello interval mismatch dead interval mismatch option mismatch unknown The packet type...

Page 1362: ...on RX The src ip addr is the IP address of the interface from which the BigIron RX received the authentication failure The error type can be one of the following bad version area mismatch unknown NBMA neighbor unknown virtual neighbor authentication type mismatch authentication failure network mask mismatch hello interval mismatch dead interval mismatch option mismatch unknown The packet type can ...

Page 1363: ...type mismatch authentication failure network mask mismatch hello interval mismatch dead interval mismatch option mismatch unknown The packet type can be one of the following hello database description link state request link state update link state ack unknown Notification OSPF intf rcvd bad pkt rid router id intf addr ip addr pkt src addr src ip addr pkt type pkt type Indicates that an OSPF inter...

Page 1364: ... link state update link state ack unknown Notification OSPF intf retransmit rid router id intf addr ip addr nbr rid nbr router id pkt type is pkt type LSA type lsa type LSA id lsa id LSA rid lsa router id An OSPF interface on the BigIron RX has retransmitted a Link State Advertisement LSA The router id is the router ID of the BigIron RX The ip addr is the IP address of the interface on the BigIron...

Page 1365: ...LSA router id lsa router id An OSPF interface has originated an LSA The router id is the router ID of the BigIron RX The area id is the OSPF area The lsa type is the type of LSA The lsa id is the LSA ID The lsa router id is the LSA router ID Notification OSPF max age LSA rid router id area area id LSA type lsa type LSA id lsa id LSA rid lsa router id An LSA has reached its maximum age The router i...

Page 1366: ... received an OSPF packet with an invalid type The parameters are the same as for the Bad Checksum message The pkt type type value is unknown indicating that the packet type is invalid Notification OSPF intf rcvd bad pkt Unable to find associated neighbor rid ip addr intf addr ip addr pkt size num checksum num pkt src addr ip addr pkt type type The neighbor IP address in the packet is not on the Bi...

Page 1367: ...P packets will be dropped for the number of seconds specified by the lockup value When the lockup period expires the packet counter is reset and measurement is restarted Notification Local TCP exceeds burst max burst packets stopping for lockup seconds The number of TCP SYN packets exceeds the burst max threshold set by the ip tcp burst command The BigIron RX may be the victim of a TCP SYN DoS att...

Page 1368: ...circuit id The BigIron RX s adjacency with this Level 1 IS has gone down The system id is the system ID of the IS The circuit id is the ID of the circuit over which the adjacency was established Notification ISIS L1 ADJACENCY UP system id on circuit circuit id The BigIron RX s adjacency with this Level 1 IS has come up The system id is the system ID of the IS The circuit id is the ID of the circui...

Page 1369: ...ded Informational user name login to USER EXEC mode A user has logged into the USER EXEC mode of the CLI The user name is the user name Informational user name logout from USER EXEC mode A user has logged out of the USER EXEC mode of the CLI The user name is the user name Informational user name login to PRIVILEGED mode A user has logged into the Privileged EXEC mode of the CLI The user name is th...

Page 1370: ...on a port The vlan id is the ID of the VLAN in which the STP topology change occurred The portnum is the port number The stp state is the new STP state and can be one of the following disabled blocking listening learning forwarding unknown Informational startup configuration was changed or startup configuration was changed by user name A configuration change was saved to the startup configuration ...

Page 1371: ...system resource is not enough or the invalid information to set the dynamic assigned IP ACLs or MAC address filters 802 1x authentication could not take place on the port This happened because strict security mode was enabled and one of the following occurred Insufficient system resources were available on the device to apply an IP ACL or MAC address filter to the port Invalid information was rece...

Page 1372: ...onsole telnet ssh web snmp OR Line password deleted added modified from console telnet ssh web snmp A user created re configured or deleted an Enable or Line password through the Web SNMP console SSH or Telnet session Informational Port portnum srcip security max ipaddr per int reached Last IP ipaddr The address limit specified by the srcip security max ipaddr per interface command has been reache...

Page 1373: ...2 3x Flow Control 802 3ad Link Aggregation 802 1Q Virtual Bridged LANs 802 1D MAC Bridges 802 1w Rapid STP 802 1s Multiple Spanning Trees 802 1X User authentication 802 3 Ethernet Like MIB Repeater MIB Ethernet Interface MIB SNMP v1 v2c and V3 SNMP MIB II RFC compliance RFC compliance BGPv4 4271 BGPv4 1745 OSPF Interactions 1997 Communities Attributes 2439 Route Flap Dampening 2796 Route Reflectio...

Page 1374: ...ce OSPF 2178 OSPF 1583 OSPF v2 3103 OSPF NSSA 1745 OSPF Interactions 1765 OSPF Database Overflow 1850 OSPF Traps 2328 OSPF v2 1850 OSPF v2 MIB 2370 OSPF Opaque LSA Option 3623 Graceful OSPF Restart RFC compliance IS IS 1195 Routing in TCP IP and Dual Environments 2763 Dynamic Host Name Exchange 2966 Domain wide Prefix Distribution 3567 IS IS Cryptographic Authentication MD 5 RFC compliance RIP 105...

Page 1375: ...BGP RFC compliance general protocols 791 IP 792 ICMP 793 TCP 783 TFTP 826 ARP 768 UDP 894 IP over Ethernet 903 RARP 906 TFTP Bootstrap 1027 Proxy ARP 950 Subnets 951 BootP 1122 Host Extensions for IP Multicasting 1256 IRDP 1519 CIDR 1542 BootP Extensions 1812 Requirements for IPv4 Routers 1541 and 1542 DHCP 2131 BootP DHCP Helper 2768 VRRP 1591 DNS client 2578 Structure of Management Information V...

Page 1376: ...V3 3411 Architecture for SNMP 3412 Message Processing and Dispatching for SNMP 3413 Simple Network Management Protocol SNMP Applications 3414 USM for SNMPV3 3415 VACM for SNMPV3 3416 Version 2 of the Protocol Operations for the SNMP 3418 Management Information Base MIB for the SNMP 3584 Coexistence between Version 1 Version 2 and Version 3 of the Internet standard Network Management Framework 4251...

Page 1377: ... Global Unicast Address Format 2375 IPv6 Multicast Address Assignments 2464 Transmission of IPv6 over Ethernet Networks 2711 IPv6 Router Alert Option 3596 DNS support RFC compliance IPv6 routing 2080 RIPng for IPv6 2740 OSPFv3 for IPv6 2545 Use of MP BGP 4 for IPv6 RFC compliance IPv6 multicast 3810 Multicast Listener Discovery Version 2 for IPv6 4601 PIM SM Protocol Specification 2362 PIM SM 2710...

Page 1378: ...rnet drafts In addition to the RFCs listed in RFC compliance the BigIron RX supports the following Internet drafts Draft ietf tcpm tcpsecure TCP Security IETF Draft_ietf_isis_IPv6 for IS IS for IPv6 IETF Draft vida mld v2 Draft ietf idr restart Graceful Restart Mechanism for BGP Draft ietf idr route filter Draft holbrook idmr igmpv3 ssm IGMPv3 MLDv2 for SSM Draft ietf ssm arch SSM for IP ...

Page 1379: ...Guide equipment All Brocade devices that are to remain in compliancy with the NIAP CCEVS certification must disable all remote access through the integrated Web management graphical user interface GUI In accordance with NIAP CCEVS this functionality is considered a security risk and must be disabled Please refer to the Brocade Configuration Guides associated with each product in the table NIAP CCE...

Page 1380: ...nd if you attempt to change a user s password by executing the following syntax Foundry Router config user fdryreadonly password value The privilege level of this particular user will be changed from its current value to super user The super user level username and password combination provides full access to the Brocade command line interface CLI To prevent this from occurring use the following s...

Page 1381: ...he software without saving the change to the startup config file the device does not make the change To reload the software you must perform a cold start To perform a cold start do one of the following Enter the reload command at the Privileged EXEC level of the CLI Cycle the power by powering down the device then powering it on again NOTE The boot system command does not perform a cold start It p...

Page 1382: ...1310 BigIron RX Series Configuration Guide 53 1001810 01 Commands That Require a Reload D ...

Page 1383: ... marking number 802 1p priority marking number internal priority marking number dscp marking number dscp cos mapping dscp cos mapping fragment non fragment first fragment fragment offset number spi 00000000 ffffffff log Configuring extended numbered ACLs on page 520 Enabling ACL filtering of fragmented or non fragmented packets on page 557 access list num deny permit host ip protocol any any log a...

Page 1384: ...e 529 Enabling ACL filtering of fragmented or non fragmented packets on page 557 ip access list extended string I num deny permit host ip protocol any any log ip access list extended acl name deny permit host icmp any any log icmp type type number code number ICMP filtering for extended ACLs on page 558 ip access list standard string deny permit source ip hostname wildcard log Configuring standard...

Page 1385: ...laying statistics for an interface on page 555 system max ip filter sys num Enabling support for additional ACL statements on page 514 Commands See Commands See access list num permit deny src mac mask any dest mac mask any vlan id any etype etype str log enable Creating a Layer 2 ACL table on page 506 mac access group num in Binding a Layer 2 ACL table to an interface on page 508 show access list...

Page 1386: ...gp neighbor all ip addr peer group name as num last packet with error notification errors Clearing diagnostic buffers on page 822 clear ip bgp routes ip addr prefix length Clearing and resetting BGP4 routes in the IP route table on page 820 clear ip bgp traffic Clearing traffic counters on page 820 client to client reflection Disabling or re enabling client to client route reflection on page 759 c...

Page 1387: ...addr Changing the router ID on page 788 local as num Configuring a BGP confederation on page 761 Setting the local AS number on page 767 match as path name address filters as path filters community filters num num community acl exact match ip address acl prefix list string ip route source acl prefix name metric num next hop address filter list level 1 level 2 level 1 2 route type internal external...

Page 1388: ...t unicast multicast unicast password 0 1 string prefix list string in out remote as as number remove private as route map in out map name route reflector client send community soft reconfiguration inbound shutdown timers keep alive num hold time num unsuppress map map name update source ip addr ethernet portnum loopback num ve num weight num Configuring BGP4 neighbors on page 769 Configuring a pee...

Page 1389: ...g comm list acl delete community num num num internet local as no advertise no export dampening half life reuse suppress max suppress time ip next hop ip addr ip next hop peer address local preference num metric num none metric type type 1 type 2 external metric type internal next hop ip addr origin igp incomplete tag tag value weight num Setting parameters in the routes on page 804 set comm list ...

Page 1390: ...etail flap statistics last packet with error received prefix filter received routes routes best detail best not installed best unreachable rib out routes ip addr mask bits ip addr net mask detail routes summary Displaying BGP4 neighbor information on page 827 show ip bgp peer group peer group name Displaying peer group information on page 838 show ip bgp routes network ip addr num age secs as path...

Page 1391: ...ging the FDP hold time on page 1012 fdp run Enabling FDP globally on page 1011 fdp timer secs Changing the FDP update timer on page 1012 show fdp entry device id Displaying FDP entries on page 1014 Displaying CDP entries on page 1017 show fdp interface ethernet slot portnum Displaying FDP information for an interface on page 1014 show fdp neighbor ethernet slot portnum detail Displaying neighbor i...

Page 1392: ...nabling forwarding of directed broadcasts on page 187 ip dns domain name name Defining a DNS entry on page 166 ip dns server address ip addr ip addr ip addr ip addr Defining a DNS entry on page 166 ip dr aggregate Dropping traffic sent to the null0 interface in hardware on page 195 ip encapsulation snap ethernet 2 Changing the encapsulation type on page 171 ip forward protocol udp udp port name ud...

Page 1393: ... ip tacacs source interface ethernet slot port loopback num ve num Specifying a single source interface for Telnet TACACS TACACS or RADIUS packets on page 175 ip telnet source interface ethernet slot port loopback num ve num Specifying a single source interface for Telnet TACACS TACACS or RADIUS packets on page 175 ip ttl 1 255 Changing the TTL threshold on page 186 rate limit arp num Rate limitin...

Page 1394: ...initiate a trace route on page 170 Commands See Commands See metro ring ring id Configuring MRP with shared interfaces on page 403 name string Configuring MRP with shared interfaces on page 403 master Adding an MRP ring to a VLAN on page 396 ring interface ethernet primary if ethernet secondary if Adding an MRP ring to a VLAN on page 396 enable Configuring MRP with shared interfaces on page 403 he...

Page 1395: ...setting BGP4 routes in the IPv6 route table on page 1132 clear ipv6 bgp neighbor all ipv6 address peer group name as number traffic Clearing BGP4 neighbor diagnostic buffers on page 1130 clear ipv6 bgp neighbor all ipv6 address peer group name as number last packet with error notification errors Clearing BGP4 neighbor diagnostic buffers on page 1130 clear ipv6 bgp traffic Clearing BGP4 neighbor tr...

Page 1396: ...l ipv6 prefix prefix length longer prefixes as path access list name prefix list name Displaying filtered out BGP4 routes on page 1143 show ipv6 bgp flap statistics ipv6 prefix prefix length longer prefixes as path filter number neighbor ipv6 address regular expression regular expression Displaying route flap dampening statistics on page 1148 show ipv6 bgp neighbor ipv6 address Displaying BGP4 nei...

Page 1397: ...e table on page 1133 show ipv6 bgp routes detail ipv6 prefix prefix length table entry number age seconds as path access list name as path filter number best cidr only community number no export no advertise internet local as community access list name community filter number local neighbor ipv6 address nexthop ipv6 address no best prefix list name regular expression regular expression route map n...

Page 1398: ...p ipv6 source prefix prefix length any host source ipv6_address tcp udp operator source port number ipv6 destination prefix prefix length any host ipv6 destination address tcp udp operator destination port number ipv6 operator value For UDP on page 1190 remark comment text Adding a comment to an IPv6 ACL entry on page 1195 remark entry sequence sequence number comment text Adding a comment to an I...

Page 1399: ... name Defining a DNS entry on page 1079 ipv6 dns server address ipv6 addr ipv6 addr ipv6 addr ipv6 addr Defining a DNS entry on page 1079 ipv6 hop limit number Limiting the number of hops an IPv6 packet can traverse on page 1091 ipv6 icmp error interval interval number of tokens Configuring ICMP rate limiting on page 1083 ipv6 load sharing num Changing the maximum number of load sharing paths for ...

Page 1400: ...age 1107 show ipv6 interface interface port number number Displaying IPv6 interface information on page 1095 show ipv6 neighbor ipv6 prefix prefix length ipv6 address interface port number Displaying IPv6 neighbor information on page 1097 show ipv6 route ipv6 address ipv6 prefix prefix length bgp connect ospf rip isis static summary Displaying the IPv6 route table on page 1098 show ipv6 router Dis...

Page 1401: ...d static group multicast group address ethernet port number ethernet port number to port number Specifying a static group on page 1261 show ipv6 mld group Displaying MLD group information on page 1262 show ipv6 mld interface port number Displaying MLD definitions for an interface on page 1263 show ipv6 mld traffic Displaying MLD traffic on page 1264 clear ipv6 mld traffic ethernet slot number port...

Page 1402: ...conds Modifying virtual link parameters on page 1204 auto cost reference bandwidth number Changing the reference bandwidth for the cost on OSPFv3 interfaces on page 1205 auto cost reference bandwidth number Modifying exit overflow interval on page 1216 default information originate always metric value metric type type Configuring default route origination on page 1213 default metric number Modifyi...

Page 1403: ... memory Displaying OSPFv3 memory usage on page 1227 show ipv6 ospf neighbor router id ipv4 address Displaying OSPFv3 neighbor information on page 1228 show ipv6 ospf redistribute route ipv6 prefix Displaying routes redistributed into OSPFv3 on page 1230 show ipv6 ospf routes ipv6 prefix Displaying OSPFv3 route information on page 1231 show ipv6 ospf spf node area area id Displaying OSPFv3 SPF info...

Page 1404: ...ing hello padding on an interface on page 901 hostname Disabling or re enabling display of hostname on page 889 ip router isis Disabling and enabling IS IS on an interface on page 899 ipv4 router isis Interface level on page 885 isis circuit type level 1 level 1 2 level 2 Changing the IS IS level on an interface on page 900 isis hello interval num level 1 only level 2 only Changing the hello inter...

Page 1405: ...nto IPv4 IS IS on page 898 redistribute rip level 1 level 1 2 level 2 metric number metric type external internal route map name Redistributing RIP routes into IPv4 IS IS on page 897 redistribute static level 1 level 1 2 level 2 metric number metric type external internal route map name Redistributing static IPv4 routes into IPv4 IS IS on page 896 retransmit interval Changing the LSP interval and ...

Page 1406: ...96 name string Adding an MRP ring to a VLAN on page 396 preforwarding time ms Changing the hello and preforwarding times on page 397 ring interface ethernet primary if ethernet secondary if Adding an MRP ring to a VLAN on page 396 show metro ring id Displaying ring information on page 406 show metro ring id diag Enabling MRP diagnostics on page 404 show topology group group id Displaying topology ...

Page 1407: ...n for CIST instance 0 on page 1047 Commands See Commands See bsr candidate ethernet portnum loopback num ve num hash mask length priority Configuring BSRs on page 600 clear pim rp map Configuring RPs on page 601 default gateway ip addr Modifying default route on page 649 disable dvmrp Globally enabling or disabling DVMRP without deleting multicast configuration on page 647 graft retransmit time 5 ...

Page 1408: ... the prune wait timer on page 594 report interval 10 2000 Enabling DVMRP on an interface on page 647 route discard timeout 40 8000 Modifying route discard time on page 648 route expire timeout 20 4000 Modifying route expires time on page 648 router dvmrp Globally enabling and disabling DVMRP on page 647 router pim Globally enabling and disabling PIM on page 592 Configuring global PIM Sparse parame...

Page 1409: ... trigger interval 5 30 Modifying trigger interval on page 649 Commands See Commands See clear ip multicast all group group id Clearing IGMP group flows on page 1061 clear ip multicast statistics Clearing IP multicast statistics on page 1061 ip multicast active passive Enabling IP multicast traffic reduction on page 1050 Changing the IGMP mode on page 1051 Enabling PIM SM traffic snooping on page 1...

Page 1410: ...se overflow interval value Modify exit overflow interval on page 716 default information originate always metric value metric type type Configure default route origination on page 706 default metric value Modify default metric for redistribution on page 702 distance external inter area intra area distance Modify administrative distance on page 709 ip ospf area ip addr Assigning interfaces to an ar...

Page 1411: ... into OSPF on page 726 show ip ospf routes ip addr Displaying OSPF route information on page 725 show ip ospf trap Displaying OSPF trap status on page 730 show ip ospf virtual link num Displaying OSPF virtual link information on page 732 show ip ospf virtual neighbor num Displaying OSPF virtual neighbor and link information on page 730 show tasks Displaying CPU utilization and other OSPF tasks on ...

Page 1412: ...ber Configuring mirror ports for PBR traffic on page 143 show monitor actual Displaying mirror and monitor port configuration on page 144 show monitor config Displaying mirror and monitor port configuration on page 144 speed duplex value Speed Duplex negotiation on page 134 Commands See Commands See access list num deny permit source ip hostname wildcard Configure the ACLs on page 564 access list ...

Page 1413: ...e type queue number wred enable Enabling WRED on page 477 qos scheduler destination weighted queue0 weight queue1 weight queue2 weight queue3 weight Configuring WFQ destination based traffic scheduling on page 484 qos scheduler enhanced strict queue0 rate queue1 rate queue2 rate queue3 rate Configuring enhanced strict priority based traffic scheduling on page 483 qos scheduler max rate queue0 rate...

Page 1414: ... Configuring a port and priority based rate limiting policy on page 499 rate limit in group group number average rate maximum burst Configuring a VLAN group based rate limiting policy on page 500 rate limit in group group number priority num average rate maximum burst Configuring a VLAN group based rate limiting policy on page 500 rate limit input priority num average rate maximum burst Configurin...

Page 1415: ...the route loop prevention method on page 669 ip rip prefix list name in out Using prefix lists and route maps as route filters on page 671 ip rip route map name in out Using prefix lists and route maps as route filters on page 671 ip rip v1 only v1 compatible v2 v2 only Enabling RIP on page 666 learn default Configuring route learning and advertising parameters on page 668 neighbor filter num perm...

Page 1416: ...tics num ethernet slot port management num begin expression exclude expression include expression Statistics RMON group 1 on page 1020 show version Viewing system information on page 1019 Commands See rstp admin edge port admin pt2pt mac Changing port parameters on page 377 rstp ethernet portnum path cost value priority value admin edge port admin pt2pt mac force migration check Changing port para...

Page 1417: ...authorized auto Setting the port control on page 967 dot1x re authenticate portnum Re authenticating a port manually on page 968 dot1x enable Enabling 802 1x port security on page 966 enable all I portnum to portnum Enabling 802 1x port security on page 966 global filter strict security Disabling and enabling strict security mode for dynamic filter assignment on page 963 maxreq value Specifying th...

Page 1418: ...timeout re authperiod seconds Configuring periodic re authentication on page 968 timeout tx period seconds Setting the interval for retransmission of EAP request identity frames on page 969 Commands See all client ip addr Restricting all remote management access to a specific IP address on page 67 Commands See aaa authentication snmp server web server enable login dot1x default method1 method2 met...

Page 1419: ...authentication to prompt for password only on page 104 aaa authentication login privilege mode Entering privileged EXEC mode after a Telnet or SSH login on page 104 aaa authorization commands privilege level default radius none Configuring command authorization on page 105 aaa authorization exec default radius none Configuring Exec authorization on page 105 enable aaa console Command authorization...

Page 1420: ...ficate zeroize Deleting the SSL certificate on page 79 ip ssl certificate data file tftp ip addr certificate filename Importing digital certificates and RSA private key files on page 79 ip ssl port port number Specifying a port for SSL communication on page 78 ip ssl private key file tftp ip addr key filename Importing digital certificates and RSA private key files on page 79 web management https ...

Page 1421: ...ng only default key string Specifying different servers for individual AAA functions on page 86 tacacs server key 0 1 string Setting the TACACS key on page 87 tacacs server retransmit number Setting the retransmission limit on page 87 tacacs server timeout number Setting the timeout parameter on page 88 Commands See telnet access group num name Using an ACL to restrict Telnet access on page 64 tel...

Page 1422: ...p top tools Disabling Web management access by HP ProCurve Manager on page 70 web management http https Enabling the SSL server on the device on page 78 Commands See clear statistics dos attack Clear DoS attack statistics on page 988 dos attack prevent num burst normal bps burst max num of packets lockup seconds log Avoiding being a victim in a Smurf attack on page 984 ip directed broadcast Avoidi...

Page 1423: ...ress filters on page 932 mac authentication max age seconds Specifying the aging time for blocked MAC addresses on page 936 mac authentication move back to old vlan disable port configured vlan port restrict vlan system default vlan Specifying to which VLAN a port is moved after its RADIUS specified VLAN assignment expires on page 933 mac authentication no override restrict vlan Configuring dynami...

Page 1424: ...49 show port security mac Displaying the secure MAC addresses on the device on page 950 show port security statistics portnum I module Displaying port security statistics on page 950 shutdown time minutes Port shutdown time on page 946 violation restrict Violation restrict on page 946 violation shutdown Violation shutdown on page 946 Commands See active management mgt module Changing the default a...

Page 1425: ...source file system dest file system source dir path source file name dest dir path dest file name Appending a file to another file on page 52 copy from card to card from dir path from name to dir path to name Copying files using the copy command on page 52 copy slot1 slot2 flash from dir path from name monitor primary secondary Copying files between a flash card and flash memory on page 53 copy fl...

Page 1426: ...rite Loading a running config from a flash card or a TFTP server on page 56 cp source dir path source file name dest dir path dest file name Copying files using the cp command on page 57 boot system slot1 slot2 dir path file name Rebooting from the system on page 58 boot system tftp ip address file name Rebooting from the system on page 58 boot system flash secondary Rebooting from the system on p...

Page 1427: ...d authentication no yes Deactivating user authentication on page 873 ip ssh permit empty passwd no yes Enabling empty password logins on page 873 ip ssh port number Setting the SSH port number on page 873 ip ssh pub key file tftp I tftp server ip addr filename remove Importing authorized public keys into the BigIron RX on page 871 ip ssh scp disable enable Using secure copy on page 876 ip ssh sour...

Page 1428: ... vlan vlan id pvst mode num detail vlan vlan id ethernet slot port begin expression exclude expression include expression Displaying STP information for an entire device on page 325 show spanning tree detail vlan vlan id ethernet slot port Displaying detailed STP information for each interface on page 328 spanning tree ethernet slot port forward delay value hello time value max age value priority ...

Page 1429: ...ional Syslog server on page 1278 logging on udp port Disabling or re enabling Syslog on page 1277 show logging Displaying the Syslog configuration on page 1273 terminal monitor Enabling real time display of Syslog messages on page 1272 Commands See banner delimiting character motd delimiting character Setting a message of the day banner on page 124 banner exec_mode delimiting character Setting a p...

Page 1430: ...cs Setting the SNMP Trap holddown time on page 116 snmp server host ip addr 0 1 string port value Specifying an SNMP trap receiver on page 115 snmp server location string Entering system administration information on page 114 snmp server trap source loopback num ethernet slot port ve num Specifying a Single trap source on page 115 sntp poll interval 1 65535 Specifying a Simple Network Time Protoco...

Page 1431: ...rt Configuring an LACP timeout on page 237 deploy forced passive Deploying a LAG on page 237 acl mirror port ethe port monitored slot port named port monitored name Configuring ACL based mirroring on page 238 disable ethernet slot port named name Disabling ports within a LAG on page 239 enable ethernet slot port named name Enabling ports within a LAG on page 239 monitor ethe port monitored slot po...

Page 1432: ...l vlan name static exclude ethernet slot port to slot port router interface ve num Configuring protocol based VLANs on page 287 multicast flooding Hardware flooding for Layer 2 multicast and broadcast packets on page 311 priority num Assigning or changing a VLAN priority on page 286 remove vlan vlan id to vlan id Configuring a VLAN group on page 291 show vlan vlan id ethernet slot port detail begi...

Page 1433: ...uring parameters specific to VRRPE on page 450 Track priority on page 454 backup hello interval value Backup hello message state and interval on page 453 clear ip vrrp stat Clearing VRRP or VRRPE statistics on page 461 dead interval value Dead interval on page 453 hello interval value Hello interval on page 452 ip vrrp auth type no auth I simple text auth auth data Authentication type on page 451 ...

Page 1434: ... priority value Configuring basic VSRP parameters on page 418 Changing the backup priority on page 422 Changing the default track priority on page 425 enable disable Configuring basic VSRP parameters on page 418 include port ethernet portnum Adding or removing a port from the VRID s VLAN on page 420 initial ttl num Changing the Time To Live TTL on page 423 ip address ip addr Configuring a VRID IP ...

Page 1435: ...BigIron RX Series Configuration Guide 1363 53 1001810 01 VSRP E ...

Page 1436: ...1364 BigIron RX Series Configuration Guide 53 1001810 01 VSRP E ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands