Foundry Networks Switch and Router Installation And Configuration Manual Download Page 100 | Manualshive

Page: 100 / 1070

Foundry Networks Switch and Router Installation And Configuration Manual Download Page 100

Foundry Switch and Router Installation and Configuration Guide

3 - 36

December 2000

RADIUS Configuration Considerations

•

You must deploy at least one RADIUS server in your network.

•

Foundry devices support authentication using up to eight RADIUS servers. The device tries to use the
servers in the order you add them to the device’s configuration. If one RADIUS server is not responding, the
Foundry device tries the next one in the list.

•

You can select only one primary authentication method for each type of access to a device (CLI through
Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary
authentication method for Telnet CLI access, but you cannot also select authentication as the
primary method for the same type of access. However, you can configure backup authentication methods for
each access type.

RADIUS Configuration Procedure

Use the following procedure to configure a Foundry device for RADIUS:

1.

Configure Foundry vendor-specific attributes on the RADIUS server. See “Configuring Foundry-Specific
Attributes on the RADIUS Server” on page 3-36.

2.

Identify the RADIUS server to the Foundry device. See “Identifying the RADIUS Server to the Foundry
Device” on page 3-37.

3.

Set RADIUS parameters. See “Setting RADIUS Parameters” on page 3-38.

4.

Configure authentication-method lists. See “Configuring Authentication-Method Lists for RADIUS” on page 3-
38.

5.

Optionally configure RADIUS authorization. See “Configuring RADIUS Authorization” on page 3-40.

6.

Optionally configure RADIUS accounting. “Configuring RADIUS Accounting” on page 3-40.

Configuring Foundry-Specific Attributes on the RADIUS Server

During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server
sends an Access-Accept packet to the Foundry device, authenticating the user. Within the Access-Accept packet
are three Foundry vendor-specific attributes that indicate:

•

The privilege level of the user

•

A list of commands

•

Whether the user is allowed or denied usage of the commands in the list

You must add these three Foundry vendor-specific attributes to your RADIUS server’s configuration, and
configure the attributes in the individual or group profiles of the users that will access the Foundry device.

«
...
98
99
100
101
102
...
»

Summary of Contents for Switch and Router

Page 1: ...Foundry Switch and Router Installation and Configuration Guide 2100 Gold Street P O Box 649100 San Jose CA 95164 9100 Tel 408 586 1700 Fax 408 586 1900 www foundrynetworks com ...

Page 2: ...December 2000 Copyright 2000 by Foundry Networks Inc ...

Page 3: ... 1 4 WARRANTY COVERAGE 1 4 CHAPTER 2 INSTALLING A FOUNDRY LAYER 2 SWITCH OR LAYER 3 SWITCH 2 1 UNPACKING A SYSTEM 2 1 PACKAGE CONTENTS 2 1 GENERAL REQUIREMENTS 2 1 SUMMARY OF INSTALLATION PROCEDURES 2 1 INSTALLATION PRECAUTIONS 2 3 PREPARING THE INSTALLATION SITE 2 3 CABLING INFRASTRUCTURE 2 3 INSTALLATION LOCATION 2 3 INSTALLING OR REMOVING OPTIONAL MODULES CHASSIS DEVICES ONLY 2 4 INSTALLING MOD...

Page 4: ...LE DEVICES 2 20 POWERING ON A SYSTEM 2 21 CONNECTING NETWORK DEVICES 2 22 CONNECTORS 2 22 CABLE LENGTH 2 22 CONNECTING TO ETHERNET OR FAST ETHERNET HUBS 2 24 CONNECTING TO WORKSTATIONS SERVERS OR ROUTERS 2 24 INSTALLING OR REMOVING A GBIC 2 25 TROUBLESHOOTING NETWORK CONNECTIONS 2 26 TESTING CONNECTIVITY 2 26 PINGING AN IP ADDRESS 2 26 TRACING A ROUTE 2 26 MANAGING THE DEVICE 2 27 LOGGING ON THROU...

Page 5: ...RCE FOR ALL TACACS TACACS PACKETS 3 27 DISPLAYING TACACS TACACS STATISTICS AND CONFIGURATION INFORMATION 3 28 CONFIGURING RADIUS SECURITY 3 33 RADIUS AUTHENTICATION AUTHORIZATION AND ACCOUNTING 3 33 RADIUS CONFIGURATION CONSIDERATIONS 3 36 RADIUS CONFIGURATION PROCEDURE 3 36 CONFIGURING FOUNDRY SPECIFIC ATTRIBUTES ON THE RADIUS SERVER 3 36 IDENTIFYING THE RADIUS SERVER TO THE FOUNDRY DEVICE 3 37 S...

Page 6: ...NAGEMENT PARAMETERS 5 3 INSTALLING REDUNDANT MANAGEMENT MODULES 5 3 DETERMINING REDUNDANT MANAGEMENT MODULE STATUS 5 8 DISPLAYING SWITCHOVER MESSAGES 5 10 FILE SYNCHRONIZATION BETWEEN THE ACTIVE AND STANDBY REDUNDANT MANAGEMENT MODULES 5 11 DISPLAYING THE SYNCHRONIZATION SETTINGS 5 12 IMMEDIATELY SYNCHRONIZING SOFTWARE 5 13 AUTOMATING SYNCHRONIZATION OF SOFTWARE 5 14 SWITCHING OVER TO THE STANDBY ...

Page 7: ...G POS BOOT PARAMETERS 6 3 CHANGING THE BOOT SOURCE 6 4 BOOTING THE MODULE FROM TFTP 6 4 COPYING A POS IMAGE FILE FROM A FLASH CARD TO A POS MODULE S FLASH MEMORY 6 4 CONFIGURING POS INTERFACES 6 5 ADDING AN IP ADDRESS 6 5 CHANGING THE INTERFACE STATE 6 6 CHANGING THE ENCAPSULATION TYPE 6 6 CHANGING THE CLOCK SOURCE 6 6 CHANGING THE LOOPBACK PATH 6 7 CHANGING THE MTU 6 7 CHANGING THE CRC LENGTH 6 7...

Page 8: ...1 DOWNLOADING AND UPLOADING A SOFTWARE IMAGE ON A TFTP SERVER 7 1 UPGRADING THE BOOT CODE 7 2 UPGRADING THE FLASH CODE 7 2 CHANGING THE BLOCK SIZE FOR TFTP FILE TRANSFERS 7 3 USING THE EXECUTABLE BOOT COMMAND 7 4 LOADING AND SAVING CONFIGURATION FILES 7 5 REPLACING THE STARTUP CONFIGURATION WITH THE RUNNING CONFIGURATION 7 6 REPLACING THE RUNNING CONFIGURATION WITH THE STARTUP CONFIGURATION 7 6 LO...

Page 9: ...OS MAPPING 8 14 SELECTABLE QUEUING METHOD 8 14 CONFIGURABLE BANDWIDTH PERCENTAGES 8 14 802 1Q PRIORITY MAPPING 8 15 QUEUE ASSIGNMENT BY TRAFFIC TYPE 8 15 LAYER 2 SWITCHING FEATURES 8 15 MAC SWITCHING 8 15 STATIC MAC ENTRIES 8 15 STANDARD SPANNING TREE PROTOCOL STP 8 16 IRONSPAN STP ENHANCEMENTS 8 16 TRUNK GROUPS 8 16 PORT BASED VIRTUAL LANS VLANS 8 17 VLAN TAGGING 8 17 MAC FILTERS 8 17 ADDRESS LOC...

Page 10: ...S POLICIES 8 25 LAYER 4 CACHING FEATURES 8 25 TRANSPARENT CACHE SWITCHING TCS 8 25 TCS POLICY FILTERS 8 25 LOAD BALANCING AND REDUNDANCY FEATURES 8 26 SERVER LOAD BALANCING SLB 8 26 ROUTER SUPPORT FOR GLOBALLY DISTRIBUTED SLB 8 26 FIREWALL LOAD BALANCING 8 26 VIRTUAL ROUTER REDUNDANCY PROTOCOL VRRP 8 26 FOUNDRY SERVER REDUNDANCY PROTOCOL FSRP 8 27 LAYER 4 SWITCH REDUNDANCY 8 27 CHAPTER 9 HARDWARE ...

Page 11: ... SYSTEM CLOCK 10 12 CONFIGURING THE SYSLOG SERVICE 10 14 CHANGING THE DEFAULT GIGABIT NEGOTIATION MODE 10 22 LIMITING BROADCAST MULTICAST OR UNKNOWN UNICAST RATES 10 24 CONFIGURING CLI BANNERS 10 25 CONFIGURING BASIC PORT PARAMETERS 10 26 ASSIGNING A PORT NAME 10 28 MODIFYING PORT SPEED 10 29 MODIFYING PORT MODE 10 30 DISABLING OR RE ENABLING A PORT 10 30 DISABLING OR RE ENABLING FLOW CONTROL 10 3...

Page 12: ...ITIES TO TRAFFIC 11 11 CHANGING A PORT S PRIORITY 11 11 CHANGING A LAYER 2 PORT BASED VLAN S PRIORITY 11 12 REASSIGNING 802 1P PRIORITIES TO DIFFERENT QUEUES 11 14 ASSIGNING STATIC MAC ENTRIES TO PRIORITY QUEUES 11 16 ASSIGNING IP AND LAYER 4 SESSIONS TO PRIORITY QUEUES 11 18 ASSIGNING APPLETALK SOCKETS TO PRIORITY QUEUES 11 26 CONFIGURING A UTILIZATION LIST FOR AN UPLINK PORT 11 27 DISPLAYING UTI...

Page 13: ... ACLS 13 19 MODIFYING ACLS 13 20 APPLYING AN ACL TO A SUBSET OF PORTS ON A VIRTUAL INTERFACE 13 22 ENABLING STRICT TCP OR UDP MODE 13 22 ENABLING STRICT TCP MODE 13 23 ENABLING STRICT UDP MODE 13 23 DISPLAYING ACLS 13 24 DISPLAYING THE LOG ENTRIES 13 24 POLICY BASED ROUTING PBR 13 25 CONFIGURING PBR 13 26 ENABLING PBR 13 28 CONFIGURATION EXAMPLES 13 28 CHAPTER 14 IRONCLAD RATE LIMITING 14 1 FIXED ...

Page 14: ...ING DOMAIN NAME SERVER DNS RESOLVER 15 23 CONFIGURING PACKET PARAMETERS 15 24 CHANGING THE ROUTER ID 15 26 SPECIFYING A SINGLE SOURCE INTERFACE FOR TELNET TACACS TACACS OR RADIUS PACKETS 15 27 CONFIGURING ARP PARAMETERS 15 29 RATE LIMITING ARP PACKETS 15 30 CONFIGURING FORWARDING PARAMETERS 15 35 DISABLING ICMP MESSAGES 15 37 DISABLING ICMP REDIRECTS 15 39 CONFIGURING STATIC ROUTES 15 39 CONFIGURI...

Page 15: ...CONFIGURING RIP ROUTE FILTERS 16 13 DISPLAYING RIP FILTERS 16 16 DISPLAYING CPU UTILIZATION STATISTICS 16 18 CHAPTER 17 CONFIGURING OSPF 17 1 OVERVIEW OF OSPF 17 1 DESIGNATED ROUTERS IN MULTI ACCESS NETWORKS 17 2 DESIGNATED ROUTER ELECTION 17 3 OSPF RFC 1583 AND 2178 COMPLIANCE 17 4 REDUCTION OF EQUIVALENT AS EXTERNAL LSAS 17 4 DYNAMIC OSPF ACTIVATION AND CONFIGURATION 17 6 DYNAMIC OSPF MEMORY 17 ...

Page 16: ...ACE INFORMATION 17 46 DISPLAYING OSPF ROUTE INFORMATION 17 46 DISPLAYING OSPF EXTERNAL LINK STATE INFORMATION 17 48 DISPLAYING OSPF LINK STATE INFORMATION 17 49 DISPLAYING THE DATA IN AN LSA 17 49 DISPLAYING OSPF VIRTUAL NEIGHBOR INFORMATION 17 50 DISPLAYING OSPF VIRTUAL LINK INFORMATION 17 50 DISPLAYING OSPF ABR AND ASBR INFORMATION 17 51 DISPLAYING OSPF TRAP STATUS 17 51 CHAPTER 18 CONFIGURING I...

Page 17: ...9 GRAFTS TO A MULTICAST TREE 18 41 CONFIGURING DVMRP 18 42 ENABLING DVMRP ON THE ROUTER AND INTERFACE 18 42 MODIFYING DVMRP GLOBAL PARAMETERS 18 43 MODIFYING DVMRP INTERFACE PARAMETERS 18 47 CONFIGURING AN IP TUNNEL 18 50 CONFIGURING A STATIC MULTICAST ROUTE 18 52 TRACING A MULTICAST ROUTE 18 53 DISPLAYING ANOTHER MULTICAST ROUTER S MULTICAST CONFIGURATION 18 55 CHAPTER 19 CONFIGURING BGP4 19 1 OV...

Page 18: ... FILTERING AS PATHS 19 50 FILTERING COMMUNITIES 19 55 DEFINING IP PREFIX LISTS 19 58 DEFINING NEIGHBOR DISTRIBUTE LISTS 19 61 DEFINING ROUTE MAPS 19 63 USING A TABLE MAP TO SET THE TAG VALUE 19 72 CONFIGURING ROUTE FLAP DAMPENING 19 73 GLOBALLY CONFIGURING ROUTE FLAP DAMPENING 19 73 USING A ROUTE MAP TO CONFIGURE ROUTE FLAP DAMPENING FOR SPECIFIC ROUTES 19 75 USING A ROUTE MAP TO CONFIGURE ROUTE F...

Page 19: ...0 5 CONFIGURING DYNAMIC NAT PARAMETERS 20 5 ENABLING NAT 20 7 CHANGING TRANSLATION TABLE TIMEOUTS 20 7 DISPLAYING THE ACTIVE NAT TRANSLATIONS 20 8 DISPLAYING NAT STATISTICS 20 9 CLEARING TRANSLATION TABLE ENTRIES 20 11 NAT DEBUG COMMANDS 20 12 CONFIGURATION EXAMPLES 20 14 PRIVATE NAT CLIENTS CONNECTED TO THE LAYER 3 SWITCH BY A LAYER 2 SWITCH 20 14 PRIVATE NAT CLIENTS CONNECTED DIRECTLY TO THE LAY...

Page 20: ...UTERS 22 3 TRACK PORTS 22 3 INDEPENDENT OPERATION OF RIP AND OSPF 22 5 DYNAMIC FSRP CONFIGURATION 22 5 DIFFERENCES BETWEEN FSRP AND VRRP 22 5 CONFIGURING FSRP 22 6 CONFIGURATION RULES FOR FSRP 22 6 ENABLE FSRP ON THE ROUTER 22 6 ASSIGN VIRTUAL ROUTER IP ADDRESSES 22 7 ASSIGN THE TRACK PORT S 22 8 ASSIGNING THE ACTIVE ROUTER 22 8 MODIFY PORT PARAMETERS OPTIONAL 22 9 CONFIGURING FSRP ON VIRTUAL INTE...

Page 21: ...NFIGURING APPLETALK 24 1 OVERVIEW OF APPLETALK 24 1 ADDRESS ASSIGNMENT 24 1 NETWORK COMPONENTS 24 1 ZONE FILTERING 24 2 NETWORK FILTERING 24 3 SEED AND NON SEED ROUTERS 24 3 APPLETALK COMPONENTS SUPPORTED ON FOUNDRY ROUTERS 24 3 SESSION LAYER SUPPORT 24 3 TRANSPORT LAYER SUPPORT 24 3 NETWORK LAYER SUPPORT 24 4 DATA LINK SUPPORT 24 4 DYNAMIC APPLETALK ACTIVATION AND CONFIGURATION 24 4 CONFIGURING A...

Page 22: ...ES ROUTERS ONLY 25 14 BRIDGING AND ROUTING THE SAME PROTOCOL SIMULTANEOUSLY ON THE SAME DEVICE ROUTERS ONLY 25 15 ROUTING BETWEEN VLANS USING VIRTUAL INTERFACES ROUTERS ONLY 25 15 DYNAMIC PORT ASSIGNMENT ROUTERS ONLY 25 15 DYNAMIC PORT ASSIGNMENT LAYER 2 AND LAYER 3 SWITCHES 25 16 ASSIGNING A DIFFERENT VLAN ID TO THE DEFAULT VLAN 25 16 ASSIGNING TRUNK GROUP PORTS 25 16 CONFIGURING PORT BASED VLANS...

Page 23: ...NOT IN THE MAC VLAN LIST 25 56 CLEARING MAC VLAN ENTRIES FROM THE MAC TABLE 25 57 CONFIGURING VLANS USING THE WEB MANAGEMENT INTERFACE 25 57 CONFIGURING A PORT BASED VLAN 25 57 CONFIGURING A PROTOCOL BASED VLAN 25 58 CONFIGURING AN IP SUB NET VLAN 25 59 CONFIGURING AN IPX NETWORK VLAN 25 61 CONFIGURING AN APPLETALK CABLE VLAN 25 62 DISPLAYING VLAN INFORMATION 25 63 DISPLAYING SYSTEM WIDE VLAN INFO...

Page 24: ...ON GROUP 9 B 3 VIEWING SYSTEM INFORMATION B 3 VIEWING CONFIGURATION INFORMATION B 3 VIEWING PORT STATISTICS B 4 VIEWING STP STATISTICS B 4 CLEARING STATISTICS B 5 APPENDIX C POLICIES AND FILTERS C 1 SCOPE C 2 DEFAULT FILTER ACTIONS C 3 POLICY AND FILTER PRECEDENCE C 4 QOS C 4 PRECEDENCE AMONG FILTERS ON DIFFERENT LAYERS C 4 PRECEDENCE AMONG FILTERS ON THE SAME LAYER C 5 FOUNDRY POLICIES C 5 QUALIT...

Page 25: ...December 2000 xxv SAFETY AGENCY APPROVALS D 3 APPENDIX E SOFTWARE SPECIFICATIONS E 1 STANDARDS COMPLIANCE E 1 RFC SUPPORT E 2 INTERNET DRAFTS E 4 ...

Page 26: ...Foundry Switch and Router Installation and Configuration Guide xxvi December 2000 ...

Page 27: ... Switch you should be familiar with the following protocols if applicable to your network IP RIP OSPF BGP4 IGMP PIM DVMRP IPX AppleTalk FSRP and VRRP Nomenclature This guide uses the following typographical conventions to show information Italic highlights the title of another publication and occasionally emphasizes a word or phrase Bold highlights a CLI command Bold Italic highlights a term that ...

Page 28: ...n changes on Foundry Layer 2 Switches and Layer 3 Switches The guide also describes how to monitor Foundry products using statistics and summary screens To order additional copies of these manuals do one of the following Call 1 877 TURBOCALL 887 2622 in the United States or 408 586 1881 outside the United States Send email to info foundrynet com What s New In This Edition The following tables list...

Page 29: ... displays detailed STP information for each port on the device 12 12 Enhancement to show vlan command The show vlan command orders the display of VLANs according to VLAN ID In previous software releases the command displayed the VLANs according to the order in which they were configured does not affect this document Configuration changes to IP multicast traffic reduction no longer require a softwa...

Page 30: ...The show version and show flash commands provide more information about the software on the device does not affect this document New strict mode for ACL processing of UDP traffic You can configure a Foundry device to send all UDP packets to the CPU for ACL comparison instead of just the first UDP packet with specific source and destination information 13 23 New MIB tables for Adaptive Rate Limitin...

Page 31: ...ge the system you need the following items for serial connection to the switch or router A management station such as a PC running a terminal emulation application A straight through EIA TIA DB 9 serial cable M F The serial cable can be ordered separately from Foundry Networks If you prefer to build your own cable see the pinout information in Attaching a PC or Terminal on page 2 14 You use the se...

Page 32: ...ly replace cooling fans Generally this procedure is not required during installation but is included in case you ever need to replace a fan after the device is placed in operation See Replacing Fans 4 Slot and 8 Slot Chassis Devices Only on page 2 10 or Replacing a Fan Tray 15 Slot Chassis Devices Only on page 2 13 5 Verify that the system and module LEDs are registering the proper LED state after...

Page 33: ...er cord can be used safely with the device Ensure that the device does not overload the power circuits wiring and over current protection To determine the possibility of overloading the supply circuits add the ampere ratings of all devices installed on the same circuit as the device Compare this total with the rating limit for the circuit The maximum ampere ratings are usually printed on the devic...

Page 34: ...on the front of the module touch the chassis NOTE Modules for the 8 slot and 15 slot Chassis devices slide in vertically with port number 1 at the top Figure 2 4 Modules for the 4 slot Chassis devices slide in horizontally with port number 1 on the left Figure 2 5 5 Push the ejectors toward the center of the module until they are flush with the front panel of the module The module will be fully se...

Page 35: ...m the module front panel The card will unseat from the backplane 4 Pull the module out of the chassis and place in an anti static bag for storage 5 Cover the slot with the blank face plate that shipped with the chassis CAUTION If you remove a module and do not replace it cover the slot opening with one of the blank plates you received with the device to provide additional safety and airflow for th...

Page 36: ...river to remove the blank power supply face plate This will expose the empty power supply slot 2 Remove the power supply from its packaging 3 Hold the bar on the front panel of the power supply and insert the power supply into the empty power supply slot Use the module guides provided on either side of the compartment CAUTION Carefully follow the mechanical guides on each side of the power supply ...

Page 37: ...not be connected to a power source Otherwise the power supply or other parts of the device could be damaged 1 Unplug the power supply AC power cord from the outlet 2 Disconnect the power cord from the power supply 3 Use a screwdriver to loosen the screws on either side of the power supply 4 Hold the bar on the front panel of the power supply and pull outward This will disconnect the power supply f...

Page 38: ...Foundry Switch and Router Installation and Configuration Guide 2 8 December 2000 Figure 2 3 Fifteen slot Chassis device BigIron ...

Page 39: ...Link Activity 6 1 7 8 Link Activity Link Activity Link Activity 8 G ig a b it 3 5 4 2 B8G Link Activity 6 1 7 8 Link Activity Link Activity Link Activity 8 G ig a b it 3 5 4 2 B8G Link Activity 6 1 7 8 Link Activity Link Activity Link Activity 8 G ig a b it Link Activity 1 3 6 7 8 5 4 2 Pwr Link Activity Link Activity Link Activity B8GM 8 G ig M g m t Link Activity 1 3 6 7 8 5 4 2 Pwr Link Activit...

Page 40: ... wire in the connector is on the right side for horizontally oriented connectors or facing down for vertically oriented connectors If you accidentally reverse the wires the fan will not operate Also make sure the fan cable connector is seated over all three pins on the backplane connector Required Tools You need the following tools for this procedure Phillips head screwdriver Flat head screwdriver...

Page 41: ...les from the backplane and set the fan tray on the workbench 8 Use the wire cutters to cut the tie wraps fastening the wires of the two fans together 9 Gently use the wire cutters or similar tool to remove the four plastic fastener push ons that fasten the failed fan to the rear panel or fan tray NOTE Be careful when removing the fastener pushons They are reusable 10 Remove the fan 11 Align the ne...

Page 42: ...out of the chassis and set the tray on a workbench NOTE The fastener push ons that fasten the fans to the fan rack may catch on the chassis In this case gently move the fan rack from side to side as you pull the rack back to free it from the chassis 8 Use the wire cutters to cut the tie wraps fastening the wires of the two fans together 9 Gently use the wire cutters or similar tool to remove the f...

Page 43: ...of the chassis and set the tray on a workbench or other static free area 4 Insert the new fan tray into the fan tray slot and push it in until the face plate is flush with the chassis 5 Tighten the two screws on the fan tray 6 Access the CLI and enter the show chassis command to verify that all fans are operating normally Verifying Proper Operation After you have installed any modules or redundant...

Page 44: ...ee LEDs on page 9 17 Attaching a PC or Terminal To assign an IP address you must have access to the Command Line Interface CLI The CLI is a text based interface that can be accessed through a direct serial connection to the device and through Telnet connections The CLI is described in detail in the Foundry Switch and Router Command Line Interface Reference You need to assign an IP address using th...

Page 45: ...A 232 serial communication port serves as a connection point for management by a PC or SNMP workstation Foundry switches and Layer 3 Switches come with a standard male DB 9 connector shown in Figure 2 6 Figure 2 6 Serial port pin and signalling details Most PC serial ports also require a cable with a female DB 9 connector Terminal connections will vary requiring either a DB 9 or DB 25 connector ma...

Page 46: ...curing Access to Management Functions on page 3 1 for more information NOTE You must use the CLI to assign a password You cannot assign a password using the IronView SNMP application or the Web management interface You can set the following levels of Enable passwords Super User Allows complete read and write access to the system This is generally for system administrators and is the only password ...

Page 47: ...er a forward slash and the number of bits in the mask immediately after the IP address For example enter 209 157 22 99 24 for an IP address that has a network mask with 24 significant mask bits By default the CLI displays network masks in classical IP address format example 255 255 255 0 You can change the display to the prefix format See Changing the Network Mask Display to Prefix Format on page ...

Page 48: ...ddr mask bits secondary Use the secondary parameter if you have already configured an IP address within the same sub net on the interface Layer 2 Switches To configure an IP Address to a Foundry switch 1 At the opening CLI prompt enter enable FastIronII enable 2 Enter the following command at the Privileged EXEC level prompt for example FastIronII then press Enter This command erases the factory t...

Page 49: ...s adequately secured to prevent it from becoming unstable or falling over WARNING Mount the devices you install in a rack or cabinet as low as possible placing the heaviest device at the bottom and progressively placing lighter devices above Desktop Installation 1 Set the device on a flat desktop table or shelf Make sure that adequate ventilation is provided for the system a 3 inch clearance is re...

Page 50: ...ns two L shaped mounting brackets and mounting screws 2 Attach the mounting brackets to the sides of the device as illustrated in Figure 2 9 3 Attach the device in the rack as illustrated in Figure 2 9 4 Proceed to Testing Connectivity on page 2 26 NOTE If you are installing a Chassis device see Installing or Removing Optional Modules Chassis Devices Only on page 2 4 and Installing or Removing Red...

Page 51: ... power supply 4 Insert the power cable plug into a 115V 120V outlet NOTE When you power on a Chassis device that requires multiple power supplies make sure you apply power to all the supplies or at least the minimum number of supplies required for your configuration at the same time Otherwise the device either will not boot at all or will boot and then repeatedly display a warning message stating ...

Page 52: ...10 100BaseTX and 1000BaseT ports Cable Length 100BaseTX Cable length should not exceed 100 meters 1000BaseTX Cable length should not exceed 100 meters 100BaseFX Cable length should not exceed 2 kilometers 1000BaseSX Cable length should not exceed 550 meters when operating with multi mode cabling 1000BaseLX Cable length of 2 550 meters is supported on 62 5 µm multi mode fiber MMF cabling Cable leng...

Page 53: ...microns Modal Bandwidth MHz km Minimum Range meters 1000BaseSX MMF 62 5 160 2 200a a The TIA 568 building wiring standard specifies 160 500 MHz km MMF Multi mode Fiber MMF 62 5 200 2 275b b The international ISO IEC 11801 building wiring standard specifies 200 500 MHz km MMF MMF 50 400 2 500 MMF 50 500 2 550c c The ANSI Fibre Channel specification specifies 500 500 MHz km 50 micron MMF and 500 500...

Page 54: ...E The 802 3ab standard calls for automatic negotiation of the connection between two 1000BaseT ports Consequently a crossover cable may not be required a straight through cable may work as well Connecting to Workstations Servers or Routers Straight through UTP cabling is required for direct UTP attachment to workstations servers or routers using network interface cards NICs Fiber cabling with SC c...

Page 55: ...lip end to a metal surface such as an equipment rack to act as ground 2 Disconnect the interface cable from the GBIC 3 Insert the protective covering into the port connectors 4 Squeeze and hold the tabs on each side of the GBIC then gently pull the GBIC out of the module 5 Store the GBIC in a safe static free place Installing or Removing a Mini GBIC To install a mini GBIC 1 Put on an electrostatic...

Page 56: ...nectivity to other devices by pinging those devices You also can perform trace routes Pinging an IP Address To verify that a Foundry device can reach another device through the network enter a command such as the following at any level of the CLI on the Foundry device BigIron ping 192 33 4 7 Syntax ping ip addr hostname source ip addr count num timeout msec ttl num size byte quiet numeric no fragm...

Page 57: ... for routing protocols and other configuration areas NOTE By default any user who can open a serial or Telnet connection to the Foundry device can access all these CLI levels To secure access you can configure Enable passwords or local user accounts or you can configure the device to use a RADIUS or TACACS TACACS server for authentication See Securing Access to Management Functions on page 3 1 On ...

Page 58: ...Commands Ctrl Key Combination Description Ctrl A Moves to the first character on the command line Ctrl B Moves the cursor back one character Ctrl C Escapes and terminates command prompts and ongoing tasks such as lengthy displays and displays a fresh command prompt Ctrl D Deletes the character at the cursor Ctrl E Moves to the end of the current command line Ctrl F Moves the cursor forward one cha...

Page 59: ... with your Web browser Figure 2 13 Web management interface login dialog By default you can use the user name get and the default read only password public for read only access However for read write access you must enter set for the user name and enter a read write community string you have configured on the device for the password Beginning with software release 05 1 00 there is no default read ...

Page 60: ...with the web management command To cause the Web management interface to display the List view by default BigIron config web management list menu To disable the front panel frame BigIron config no web management front panel When you save the configuration with the write memory command the changes will take place the next time you start the Web management interface or if you are currently running t...

Page 61: ...nent are the settings to the Menu Type and the Front Panel Frame Any other elements you enable or disable will go back to their default settings the next time you start the Web management interface Logging on Through IronView See the IronView Network Management User s Guide for information about using IronView Swapping Modules Chassis devices only After you physically insert a module into the Chas...

Page 62: ... module type The slot num parameter indicates the chassis slot number The module type parameter specifies the platform module type and port configuration of the module NOTE Module options that begin with bi and are for the Management IV module also are applicable to the NetIron Internet Backbone router USING THE WEB MANAGEMENT INTERFACE To configure a chassis slot for a module 1 Log on to the devi...

Page 63: ...ssis are numbered 1 8 from left to right Slots in a 15 slot chassis are numbered 1 15 from left to right 5 Select the module type from the Module Type pulldown menu 6 Click the Add button to save the change to the device s running config file 7 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash...

Page 64: ...Foundry Switch and Router Installation and Configuration Guide 2 34 December 2000 ...

Page 65: ...unity Strings on page 3 14 explains how to configure SNMP read only and read write community strings on a Foundry device Configuring TACACS TACACS Security on page 3 18 explains how to configure TACACS TACACS authentication authorization and accounting Configuring RADIUS Security on page 3 33 explains how to configure RADIUS authentication authorization and accounting Configuring Authentication Me...

Page 66: ...5 Allow Telnet access only to clients connected to a specific VLAN 3 6 Disable Telnet access 3 7 Establish a password for Telnet access 3 9 Establish passwords for privilege levels of the CLI 3 10 Set up local user accounts 3 12 Configure TACACS TACACS security 3 18 Configure RADIUS security 3 33 Secure Shell SSH access Not configured Configure SSH 4 1 Establish passwords for privilege levels of t...

Page 67: ... management access only to clients connected to a specific VLAN 3 7 Disable Web management access 3 7 Set up local user accounts 3 12 Establish SNMP read or read write community strings 3 14 Configure TACACS TACACS security 3 18 Configure RADIUS security 3 33 SNMP IronView access SNMP read or read write community strings and the password to the Super User privilege level Note SNMP read or read wri...

Page 68: ...n config telnet access group 10 BigIron config write memory Syntax telnet access group num The num parameter specifies the number of a standard ACL and must be from 1 99 The commands above configure ACL 10 then apply the ACL as the access list for Telnet access The device allows Telnet access to all IP addresses except those listed in ACL 10 To configure a more restrictive ACL create permit entrie...

Page 69: ...snmp server community string ro rw num The string parameter specifies the SNMP community string the user must enter to gain SNMP access The ro parameter indicates that the community string is for read only get access The rw parameter indicates the community string is for read write set access The num parameter specifies the number of a standard ACL and must be from 1 99 These commands configure AC...

Page 70: ...d access control applies to the following access methods Telnet access Web management access SNMP access TFTP access By default access is allowed for all the methods listed above on all ports Once you configure security for a given access method based on VLAN ID access to the device using that method is restricted to only the ports within the specified VLAN VLAN based access control works in conju...

Page 71: ...ng BigIron config tftp client enable vlan 40 The command in this example configures the device to allow TFTP access only to clients connected to ports within port based VLAN 40 Clients connected to ports that are not in VLAN 40 are denied access Syntax no tftp client enable vlan vlan id Disabling Specific Access Methods You can specifically disable the following access methods Telnet access Web ma...

Page 72: ...device s running config file 5 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Disabling SNMP Access SNMP is enabled by default on all Foundry devices SNMP is required if you want to manage a Foundry device using IronView To disable SNMP use one of the following methods USING THE CLI ...

Page 73: ...ng USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Select the Management link from the System configuration panel to display the Management panel 3 Enter the password in the Telnet Password field 4 Click the Apply button to save the change to the device s running config file 5 Select ...

Page 74: ...ser account or privilege level password depending on the order you specify in the authentication method lists See Configuring Authentication Method Lists on page 3 47 USING THE CLI To set passwords for management privilege levels 1 At the opening CLI prompt enter the following command to change to the Privileged level of the EXEC mode BigIron enable BigIron 2 Access the CONFIG level of the CLI by ...

Page 75: ...s exec EXEC level for example BigIron or BigIron configure CONFIG level for example BigIron config interface Interface level for example BigIron config if 6 virtual interface Virtual interface level for example BigIron config vif 6 rip router RIP router level for example BigIron config rip router ospf router OSPF router level for example BigIron config ospf router dvmrp router DVMRP router level f...

Page 76: ...ice password encryption Syntax no service password encryption Setting Up Local User Accounts You can define up to 16 local user accounts on a Foundry device User accounts regulate who can access the management functions in the CLI using the following methods Telnet access Web management access SNMP access NOTE Local user accounts are not supported on the FastIron Workgroup Layer 2 Switch or the no...

Page 77: ... no username user string privilege privilege level password nopassword password string The privilege parameter specifies the privilege level for the account You can specify one of the following 0 Super User level full read write access 4 Port Configuration level 5 Read Only level The default privilege level is 0 If you want to assign Super User level access to the account you can enter the command...

Page 78: ...counts 9 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Establishing SNMP Community Strings The default passwords for Web management access are actually the SNMP community strings configured on the device The default read only community string is public To open a read only Web manage...

Page 79: ...nity string is encrypted in the CLI regardless of the access level you are using In the Web management interface the community string is encrypted at the read only access level but is visible at the read write access level The encryption option can be omitted the default or can be one of the following 0 Disables encryption for the community string you specify with the command The community string ...

Page 80: ...he command NOTE If display of the strings is encrypted the strings are not displayed Encryption is enabled by default USING THE WEB MANAGEMENT INTERFACE NOTE To make configuration changes including changes involving SNMP community strings you must first configure a read write community string using the CLI Alternatively you must configure another authentication method and log on to the CLI using a...

Page 81: ...y String link to display a panel such as the following 5 Select the community string type Select Get for a read only string Select Set for a read write string 6 Enter the community string in the Community String field 7 Select the Encrypt checkbox to remove the checkmark if you want to disable encryption of the string display Encryption prevents other users from seeing the string in the CLI or Web...

Page 82: ... by BBN for MILNET TACACS is an enhancement to TACACS and uses TCP to ensure reliable delivery TACACS is an enhancement to the TACACS security protocol TACACS improves on TACACS by separating the functions of authentication authorization and accounting AAA and by encrypting all traffic between the Foundry device and the TACACS server TACACS allows for arbitrary length and content authentication ex...

Page 83: ...ing events occur 1 A user attempts to gain access to the Foundry device by doing one of the following Logging into the device using Telnet SSH or the Web management interface Entering the Privileged EXEC level or CONFIG level of the CLI 2 The user is prompted for a username 3 The user enters a username 4 The Foundry device obtains a password prompt from a TACACS server 5 The user is prompted for a...

Page 84: ...ile 2 The Foundry device checks its configuration to see if the event is one for which TACACS accounting is required 3 If the event requires TACACS accounting the Foundry device sends a TACACS Accounting Start packet to the TACACS accounting server containing information about the event 4 The TACACS accounting server acknowledges the Accounting Start packet 5 The TACACS accounting server records i...

Page 85: ...Command accounting TACACS aaa accounting commands privilege level default start stop method list EXEC accounting stop TACACS aaa accounting exec default start stop method list User enters system commands for example reload boot system Command authorization TACACS aaa authorization commands privilege level default method list Command accounting TACACS aaa accounting commands privilege level default...

Page 86: ... 3 24 TACACS Configuration Procedure For TACACS configurations use the following procedure 1 Identify TACACS servers See Identifying the TACACS TACACS Servers on page 3 22 2 Set optional parameters See Setting Optional TACACS TACACS Parameters on page 3 23 3 Configure authentication method lists See Configuring Authentication Method Lists for TACACS TACACS on page 3 24 4 Optionally configure TACAC...

Page 87: ...guration TACACS key This parameter specifies the value that the Foundry device sends to the TACACS server when trying to authenticate user access Retransmit interval This parameter specifies how many times the Foundry device will resend an authentication request when the TACACS TACACS server does not respond The retransmit value can be from 1 5 times The default is 3 times Dead time This parameter...

Page 88: ...ONFIG levels of the CLI When configuring TACACS TACACS authentication you create authentication method lists specifically for these access methods specifying TACACS TACACS as the primary authentication method Within the authentication method list TACACS TACACS is specified as the primary authentication method and up to six backup authentication methods are specified as alternates If TACACS TACACS ...

Page 89: ...iguring TACACS Authorization Foundry devices support TACACS authorization for controlling access to management functions in the CLI Two kinds of TACACS authorization are supported Exec authorization determines a user s privilege level when they are authenticated Command authorization consults a TACACS server to get authorization for commands entered by the user Table 3 2 Authentication Method Valu...

Page 90: ...be an integer 0 4 or 5 that indicates the privilege level of the user When no privilege level is specified the default privilege level of 5 read only is used The A V pair can also be embedded in the group configuration for the user See your TACACS documentation for the configuration syntax relevant to your server Configuring Command Authorization When TACACS command authorization is enabled the Fo...

Page 91: ...rameter can be one of the following 0 Records commands available at the Super User level all commands 4 Records commands available at the Port Configuration level port config and read only commands 5 Records commands available at the Read Only level read only commands Configuring TACACS Accounting for System Events You can configure TACACS accounting to record when system events occur on the Found...

Page 92: ...interface or virtual interface number If you specify an Ethernet or POS port the portnum is the port s number including the slot number if you are configuring a chassis device Displaying TACACS TACACS Statistics and Configuration Information The show aaa command displays information about all TACACS and RADIUS servers identified on the device For example BigIron show aaa Tacacs key foundry Tacacs ...

Page 93: ...ounting port The default values work in most networks 9 Enter the key if applicable NOTE The key parameter applies only to TACACS servers not to TACACS servers If you are configuring for TACACS authentication do not configure a key on the TACACS server and do not enter a key on the Foundry device 10 Click Apply if you changed any TACACS TACACS parameters 11 Select the TACACS Server link If any TAC...

Page 94: ...wn menu Each type of access must have a separate authentication method list For example to define the authentication method list for logging into the CLI select Login 18 Select the primary authentication method by clicking on the radio button next to the method For example to use a TACACS server as the primary means of authentication for logging on to the CLI select TACACS 19 Click the Add button ...

Page 95: ...licking on one of the following radio buttons 0 Authorization is performed for commands available at the Super User level all commands 4 Authorization is performed for commands available at the Port Configuration level port config and read only commands 5 Authorization is performed for commands available at the Read Only level read only commands NOTE TACACS command authorization is performed only ...

Page 96: ...guration level port config and read only commands 5 Records commands available at the Read Only level read only commands 29 To configure TACACS accounting to record when system events occur on the Foundry device select System from the Type field s pulldown menu 30 Click on the radio button next to TACACS 31 Click the Add button to save the change to the device s running config file The accounting ...

Page 97: ...t the Privileged EXEC level after login RADIUS Authentication When RADIUS authentication takes place the following events occur 1 A user attempts to gain access to the Foundry device by doing one of the following Logging into the device using Telnet SSH or the Web management interface Entering the Privileged EXEC level or CONFIG level of the CLI 2 The user is prompted for a username and password 3...

Page 98: ...and is executed RADIUS Accounting RADIUS accounting works as follows 1 One of the following events occur on the Foundry device A user logs into the management interface using Telnet or SSH A user enters a command for which accounting has been configured A system event occurs such as a reboot or reloading of the configuration file 2 The Foundry device checks its configuration to see if the event is...

Page 99: ...rt stop method list User enters system commands for example reload boot system Command authorization aaa authorization commands privilege level default method list Command accounting aaa accounting commands privilege level default start stop method list System accounting stop aaa accounting system default start stop method list User enters the command no aaa accounting system default start stop me...

Page 100: ... Configuring Foundry Specific Attributes on the RADIUS Server on page 3 36 2 Identify the RADIUS server to the Foundry device See Identifying the RADIUS Server to the Foundry Device on page 3 37 3 Set RADIUS parameters See Setting RADIUS Parameters on page 3 38 4 Configure authentication method lists See Configuring Authentication Method Lists for RADIUS on page 3 38 5 Optionally configure RADIUS ...

Page 101: ...s 4 Port Configuration level Allows read and write access for specific ports but not for global system wide parameters 5 Read Only level Allows access to the Privileged EXEC mode and CONFIG mode of the CLI but only with read access foundry command string 2 string Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured The commands are delim...

Page 102: ...e key can be from 1 32 characters in length To specify a RADIUS server key BigIron config radius server key mirabeau Syntax radius server key key string Setting the Retransmission Limit The retransmit parameter specifies the maximum number of retransmission attempts When an authentication request times out the Foundry software will retransmit the request up to the maximum number of retransmissions...

Page 103: ...f access NOTE If you configure authentication for Web management access authentication is performed each time a page is requested from the server When frames are enabled on the Web management interface the browser sends an HTTP request for each frame The Foundry device authenticates each HTTP request from the browser To limit authentications to one per page disable frames on the Web management int...

Page 104: ...s 5 Authorization is performed for commands available at the Read Only level read only commands NOTE RADIUS authorization is performed only for commands entered from Telnet or SSH sessions No authorization is performed for commands entered at the console the Web management interface or IronView NOTE Since RADIUS authorization relies on the command list supplied by the RADIUS server during authenti...

Page 105: ...fault start stop radius Syntax aaa accounting system default start stop radius tacacs none Configuring an Interface as the Source for All RADIUS Packets You can designate the lowest numbered IP address configured an Ethernet port POS port loopback interface or virtual interface as the source IP address for all RADIUS packets from the Layer 3 Switch Identifying a single source IP address for RADIUS...

Page 106: ...t 1645 Acct Port 1646 opens 2 closes 1 timeouts 1 errors 0 packets in 1 packets out 4 no connection The following table describes the RADIUS information displayed by the show aaa command Table 3 6 Output of the show aaa command for RADIUS Field Description Radius key The setting configured with the radius server key command At the Super User privilege level the actual text of the key is displayed ...

Page 107: ...le Telnet authentication if you want to use TACACS TACACS or RADIUS to authenticate Telnet access to the device 5 Click Apply to apply the change 6 Select the Home link to return to the System configuration panel 7 Select the RADIUS link from the System configuration panel to display the RADIUS panel 8 Change the retransmit interval time out and dead time if needed 9 Enter the authentication key i...

Page 108: ...n most networks 14 Click Home to return to the System configuration panel then select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory 15 Select the Management link to display the Management panel 16 Select the Authentication Methods link to display the Login Authentication Sequence panel as ...

Page 109: ... time you add an entry for a given access type the software increments the sequence number Thus if you want to use multiple authentication methods make sure you enter the primary authentication method first the secondary authentication method second and so on If you need to delete an entry select the access type and authentication method for the entry then click Delete 20 Click Home to return to t...

Page 110: ...er to the entry When authorization is performed the software tries the authorization sources in ascending sequence order until the request is either approved or denied Each time you add an entry for a given access type the software increments the sequence number Thus if you want to use multiple authentication methods make sure you enter the primary authentication method first the secondary authent...

Page 111: ...s to the device you configure authentication method lists that set the order in which the authentication methods are consulted In an authentication method list you specify the access method Telnet Web SNMP and so on and the order in which the device tries one or more of the following authentication methods Local Telnet login password Local password for the Super User privilege level Local user acc...

Page 112: ...the Web management interface must supply a user name and password configured in one of the local user accounts on the device The user cannot access the device by entering set or get and the corresponding SNMP community string For devices that can be managed using IronView the default authentication method if no authentication method list is configured for SNMP is the CLI Super User level password ...

Page 113: ...g procedure This example to causes the device to use a RADIUS server to authenticate attempts to log in through the CLI 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Select the Management link to display the Management panel Table 3 7 Authentication Method Values Method Parameter Description line Authenticate using t...

Page 114: ...ile The access type and authentication method you selected are displayed in the table at the top of the dialog Each time you add an authentication method for a given access type the software assigns a sequence number to the entry When the user tries to log in using the access type you selected the software tries the authentication sources in ascending sequence order until the access request is eit...

Page 115: ...routers BigIron Chassis devices with Management II or higher modules FastIron II and FastIron II Plus switch and basic Layer 3 code only NetIron Layer 3 Switch stackable octal version FastIron Workgroup Layer 2 Switch 8MB models only switch code only NOTE Foundry s implementation of SSH supports SSH version 1 only All references to SSH in this document are to SSH version 1 Foundry s implementation...

Page 116: ...iding the Public Key to Clients on page 4 2 for an example of what to place in the known hosts file To generate a public and private RSA host key pair for the Foundry device BigIron config crypto key generate rsa BigIron config write memory The crypto key generate rsa command places an RSA host key pair in the running config file and enables SSH on the device To disable SSH you must delete the RSA...

Page 117: ... key is stored in another file and is not protected You should collect one public key from each client to be granted access to the Foundry device and place all of these keys into one file This public key file is imported into the Foundry device The following is an example of a public key file containing two public keys 1024 65537 16256605067838000614946055028651406123030679778206516611068664854857...

Page 118: ...blic keys enter the following command BigIron show ip client public key 1024 65537 162566050678380006149460550286514061230306797782065166110686648548574 94957339232259963157379681924847634614532742178652767231995746941441604714682680 00644536790333304202912490569077182886541839656556769025432881477252978135927821 67540629478392662275128774861815448523997023618173312328476660721888873946758201 user...

Page 119: ... SSH connections Whether the Foundry device allows users to log in without supplying a password The port number for SSH connections The SSH login timeout value A specific interface to be used as the source for all SSH traffic from the device Setting the Number of SSH Authentication Retries By default the Foundry device attempts to negotiate a connection with the connecting host three times The num...

Page 120: ...pty password logins are not allowed This means that users with an SSH client are always prompted for a password when they log into the device To gain access to the device each user must have a user name and password Without a user name and password a user is not granted access See Setting Up Local User Accounts on page 3 12 for information on setting up user names and passwords on Foundry devices ...

Page 121: ...he source for all SSH packets from the Layer 3 Switch Syntax ip ssh source interface ethernet portnum pos portnum loopback num ve num The num parameter is a loopback interface or virtual interface number If you specify an Ethernet or POS port the portnum is the port s number including the slot number if you are configuring a Chassis device For example BigIron config interface ethernet 1 4 BigIron ...

Page 122: ... id State The connection state This can be one of the following 0x00 Server started to send version number to client 0x01 Server sent version number to client 0x02 Server received version number from client 0x20 Server sent public key to client 0x21 Server is waiting for client s session key 0x22 Server received session key from client 0x23 Server is verifying client s session key 0x24 Client s se...

Page 123: ...rom a TFTP server at 192 168 1 234 To gain access to the Foundry device using SSH a user must have a private key that corresponds to one of the public keys in this file The crypto key generate rsa public_key and crypto key generate rsa private_key statements are both generated by the crypto key generate rsa command The public key is visible the private key is not You may need to copy the public ke...

Page 124: ...file C scp c cfg foundry cfg terry 192 168 1 50 startConfig To copy the configuration file to a file called config1 cfg on the PCMCIA flash card in slot 1 on a Management IV module C scp c cfg foundry cfg terry 192 168 1 50 a config1 cfg To copy the configuration file to a file called config1 cfg on the PCMCIA flash card in slot 2 on a Management IV module C scp c cfg foundry cfg terry 192 168 1 5...

Page 125: ...ent modules are fully functional CPU management modules for Chassis devices You can use one or two redundant management modules in a these devices You can use one or two redundant management modules in a Chassis device Using two redundant management modules adds fault protection against system outage The two modules work together as active and standby management modules If the active module become...

Page 126: ...contains a problem you can still use the system by running the older boot code that is on the standby module You can configure the standby to synchronize with the active module s boot code See File Synchronization Between the Active and Standby Redundant Management Modules on page 5 11 The standby module s system config file is updated whenever the system config file on the active module is update...

Page 127: ...g redundant management module parameters Installation parameters Slot configuration As with other module types you must configure a chassis slot for the type of module you are installing in the slot Active redundant management module slot By default the redundant management module with the lower slot number is the active module Operational parameters Boot code synchronization By default the standb...

Page 128: ...s the same type of module USING THE CLI To prepare slot 1 to receive an eight port Gigabit redundant management module enter the following commands at the global CONFIG level BigIron config module 1 bi 8 port gig management module BigIron config write memory Syntax module slot num module type The slot num parameter specifies the chassis slot to contain the module Slots in a 4 slot chassis are numb...

Page 129: ...ssis are divided among 4 internal regions Slots 1 4 belong to the same region slots 5 8 belong to the same region slots 9 12 belong to the same region and slots 13 15 belong to the same region If you are using redundant management modules Foundry recommends that you place both management modules in slots belonging to the same region For example if you place one management module in slot 5 Foundry ...

Page 130: ...ed 1 15 from left to right You can override the default and specify the active module NOTE The change does not take effect until you reload the system If you save the change to the active module s system config file before reloading the change persists across system reloads Otherwise the change affects only the next system reload USING THE CLI To override the default and specify the active redunda...

Page 131: ...g the next system reload select the Save link to save the configuration change to the active redundant management module s startup config file The change is automatically sent to the standby module when the active module s system config file is copied to the standby module NOTE If you do not save the change to the startup config file the change affects only the next reload NOTE The other options o...

Page 132: ...lectrostatic discharge ESD wrist strap and attach the clip end to a metal surface such as an equipment rack to act as ground 2 Remove the GBIC from its protective packaging 3 Gently insert the GBIC into the slot on the front panel of the module until the GBIC clicks into place The GBICs are keyed to prevent incorrect insertion 4 Remove the protective covering from the port connectors and store the...

Page 133: ...S5 B8GMR Fiber Management Module STANDBY 8 00e0 5202 a334 S6 B24E Copper Switch Module OK 24 00e0 5202 a2d4 S7 B24E Copper Switch Module OK 24 00e0 5202 a2d4 S8 B24E Copper Switch Module OK 24 00e0 5202 a2d4 Syntax show module NOTE The module descriptions do not distinguish between SX and LX ports The Status column shows the module status The redundant management modules can have one of the follow...

Page 134: ...ailed to come up OK This status applies only to host modules not to management modules This status indicates that the module came up and is operating normally Displaying Switchover Messages You can determine whether a switchover has occurred by viewing the system log or the traps logged on an SNMP trap receiver USING THE CLI To view the system log enter the following command at any level of the CL...

Page 135: ...ed between the redundant management modules When the system starts up the active redundant management module sends its flash code to the standby redundant management module to boot the module System config file The system config file is automatically copied from the active redundant management module to the standby redundant management module when the system starts up The file is also copied to th...

Page 136: ...wing command BigIron sync standby Sync code image TRUE Sync config data TRUE Standby Module Redundant Management Boot code System software flash code Running config file Startup config file Not automatically synchronized but can be configured to synchronize at startup or switchover Also can be immediately synchronized using the CLI or Web management interface Boot code System software flash code R...

Page 137: ...Table 5 1 CLI Display of Synchronization Settings This Field Displays Sync code image Indicates whether the active module is configured to automatically synchronize its flash code with the standby module The value can be one of the following FALSE The code is not automatically synchronized TRUE The code is automatically synchronized Sync config data Indicates whether the active module is configure...

Page 138: ...ync standby startup config USING THE WEB MANAGEMENT INTERFACE NOTE This procedure applies only to synchronizing the boot code and the running config To immediately synchronize the flash code or the startup config file use the CLI procedure above 1 Log on to the device using a valid user name and password for read write access The System configuration dialog is displayed 2 Select the Redundant link...

Page 139: ...g num To disable automatic synchronization of the boot code flash code or startup config file enter no in front of the command The num parameter with the sync standby running config command specifies the synchronization interval You can specify from 4 20 seconds The default is 10 seconds To disable automatic synchronization of the running config set the synchronization interval the num parameter t...

Page 140: ...did not specify a slot Then both redundant management modules load their own boot code and load the active redundant management module s flash code system software and system config file If you do not want to reload the system but you instead want to force the system to switch over to the standby module and thus make it the active redundant management module use one of the following methods USING ...

Page 141: ...rectory of the files on a flash card Display the contents of a file Display a hexadecimal dump of the data in a file Create a subdirectory Remove a subdirectory Rename a file Change the read write attribute of a file Delete a file from a flash card Undelete a file Append one file to another file join two files Perform the following copy operations Copy files from one flash card to the other Copy f...

Page 142: ...ntain flash cards slot 1 receives the management focus by default To determine the slot and subdirectory that currently have the management focus enter the pwd command See Determining the Flash Card Slot and Subdirectory Path That Currently Have the Management Focus on page 5 20 To change management focus to the other slot or subdirectory enter the cd or chdir command See Switching the Management ...

Page 143: ... characters _ You can use spaces in a file or subdirectory name if you enclose the name in double quotes For example to specify a subdirectory name that contains spaces enter a string such as the following a long subdirectory name A subdirectory or file name can be a maximum of 256 characters long A complete subdirectory path name cannot contain more than 260 characters There is no maximum file le...

Page 144: ...that the bad sectors do not interfere with use of the card If you do not want to use the Management IV module to reformat the card you can use a PC with a flash card drive instead USING THE CLI To reformat a flash card enter the following command BigIron format slot2 Formatting Flash Card 256 clusters per dot Verifying Flash Card 256 clusters per dot 80809984 bytes total card space 80809984 bytes ...

Page 145: ...fy then displays a new command prompt If a slot you specify does not contain a flash card the software displays the message shown in the following example BigIron cd slot2 The system can not find the drive specified To switch the management focus to a different subdirectory enter a commands such as the following BigIron cd PLOOK Current directory of slot1 is PLOOK This command changes the focus fr...

Page 146: ...bytes still free on the card To list only files that contain a specific pattern of characters in the name enter a command such as the following BigIron dir bin Volume in slot1 has no label Volume Serial Number is 19ED 1725 Directory of slot1 01 01 2000 00 00a 685935 POS BIN Table 5 2 CLI Display of Flash Card File Information This Field Displays File date The date on which the file was placed on t...

Page 147: ...ion file NOTE The syntax for the m2 active management command is changed to active management This example is from a software release before the change Display a Hexadecimal Dump of the Data in a File Use the following method to display the data in a file in hexadecimal format USING THE CLI To display the data in a file in hexadecimal format enter a command such as the following BigIron hd cfg cfg...

Page 148: ...ry on a flash card enter a command such as the following BigIron mkdir slot1 TEST To verify successful creation of the subdirectory enter a command to change to the new subdirectory level BigIron chdir TEST Current directory of slot1 is TEST Syntax md mkdir slot1 slot2 dir name You can enter either md or mkdir for the command name The slot1 slot2 parameter specifies a PCMCIA slot If you do not spe...

Page 149: ...nter the pwd command to verify that the management focus is at the appropriate level of the directory tree BigIron rmdir TEST File not found Renaming a File Use the following method to rename a file on a flash card USING THE CLI To rename a file enter a command such as the following BigIron rename oldname newname Syntax rename slot1 slot2 old name new name If the command is successful the CLI disp...

Page 150: ...lash card in slot 2 In this example slot 1 has the management focus but the files to be deleted are on the flash card in slot 2 Recovering Undeleting a File You can undelete a command you have deleted from a flash card To do so enter a command such as the following BigIron undelete Undelete file LD CFG enter y or n y Input one character O File recovered successfully and named to OLD CFG The comman...

Page 151: ...s between a flash card and the device s flash memory Copy files between a flash card and a TFTP server Copy a startup config file between a flash card and the device s flash memory Copy the running config file to a flash card Load a running config file from a flash card into the device s running configuration for loading ACLs only Copy a POS image file from a flash card to a POS module s flash mem...

Page 152: ... file from flash memory to a flash card enter a command such as the following BigIron copy flash slot2 BIS07000 bin primary Flash Card Write 128 KBytes per dot Write to slot2 BIS07000 bin succeeded The command in this example copies a software image file from the primary area in flash memory onto the flash card in slot 2 If the copy does not succeed the software lists messages to indicate the reas...

Page 153: ...tup config file on a flash card to configure itself You cannot boot or reload from a flash card USING THE CLI To copy a startup config file from a flash card to flash memory enter a command such as the following BigIron copy slot1 start test2 cfg Write startup config done Syntax copy slot1 slot2 start from dir path from name Syntax ncopy slot1 slot2 from dir path from name start This command copie...

Page 154: ...the file Copying a POS Image File from a Flash Card to a POS Module s Flash Memory To copy a POS image file from a flash card to a POS module s flash memory use the following method USING THE CLI To copy a POS image file from a flash card onto all the POS modules in the chassis enter a command such as the following BigIron pos copy slot1 flash P2R07000 bin primary Syntax pos copy slot1 slot2 flash...

Page 155: ...command syntax is the same for immediately reloading and for changing the primary boot source except the file name must be the full path name You cannot specify a relative path name If the first character in the path name is not a backslash the CLI treats the name you specify as relative to the root directory The device s response to the command depends on whether you enter the command at the Priv...

Page 156: ...e truncated The file you are trying to copy exceeds the maximum file size allowed for copy operations Access is denied You tried to copy or delete a file that has the read only attribute A duplicate file name exists You tried to rename a file using a name that is already in use by another file Fatal error can not read or write media A hardware error has occurred One possible cause of this message ...

Page 157: ... use one If the temperature equals or exceeds the shutdown temperature for five consecutive polls of the temperature by the software the software shuts down the module to prevent damage You can display the temperature of the module You also can change the warning and shutdown temperatures and the chassis poll time Displaying the Temperature By default the software polls the temperature sensor on t...

Page 158: ...e shutdown level NOTE You also can display the Device Information panel by clicking on the graphic of the chassis panel in the upper right frame The graphic is shown only if the Web management interface frames are enabled Displaying Temperature Messages The software sends a Syslog message and an SNMP trap if the temperature crosses the warning or shutdown thresholds The following methods describe ...

Page 159: ...ature is 45 0 C degrees The default shutdown temperature is 55 0 C degrees You can change the warning and shutdown temperatures using the following commands The valid range for each value is 0 125 C degrees NOTE You cannot set the warning temperature to a value higher than the shutdown temperature USING THE CLI To change the temperature at which the module sends a warning enter a command such as t...

Page 160: ...atically sent to the standby module when the active module s system config file is copied to the standby module Changing the Chassis Polling Interval The software reads the temperature sensor and polls other hardware sensors according to the value set for the chassis poll time which is 60 seconds by default You can change chassis poll time using the CLI USING THE CLI To change the chassis poll tim...

Page 161: ...y button to send the configuration change to the active module s running config file 5 If you want the change to remain in effect following the next system reload select the Save link to save the configuration change to the active redundant management module s startup config file The change is automatically sent to the standby module when the active module s system config file is copied to the sta...

Page 162: ...Foundry Switch and Router Installation and Configuration Guide 5 38 December 2000 ...

Page 163: ...e Foundry POS modules allow direct connection to interfaces within the SONET POS is a transport technology that encapsulates packet data such as an IP datagram directly into SONET The POS modules are available on NetIron Internet Backbone routers and BigIron Layer 3 Switches with redundant management modules You can use multiple POS modules in a chassis You can install the following types of POS m...

Page 164: ...t Slots on a 15 slot chassis are numbered 1 15 from left to right In the current software release the module type for a POS module can be one of the following bi pos 2 port 622m module bi pos 2 port 155m module bi pos 4 port 155m module USING THE WEB MANAGEMENT INTERFACE 1 Enter the BigIron s IP address in your Web browser s Location or Address field then press Enter 2 Log on to the BigIron using ...

Page 165: ... either the primary or secondary flash on the module For each command the parameter specifies the destination of the copy operation The slot parameter specifies a chassis slot This parameter is optional If you specify a slot number the upgrade affects only the module in the slot you specify If you do not specify a slot the upgrade affects all the POS modules in the chassis Slots on a 4 slot chassi...

Page 166: ...tax pos boot tftp tftp server ip addr pos image file name The tftp server ip addr parameter specifies the IP address of the TFTP server The pos image file name parameter lists the name of the image file you want the module to boot from the TFTP server Copying a POS Image File from a Flash Card to a POS Module s Flash Memory To copy a POS image file from a flash card to a POS module s flash memory ...

Page 167: ...smit and receive SDH Synchronous Digital Hierarchy frames or SONET Synchronous Optical Network frames The default is SONET Keepalive messages You can disable or reenable a POS interface to send PPP or HDLC keepalive messages to the POS interface at the other end of the link Keepalive messages are enabled by default ATM scramble mode You can enable or disable scrambling of the Synchronous Payload E...

Page 168: ...f the POS link must use the same encapsulation type USING THE CLI To configure POS interface 2 1 to use HDLC enter the following commands BigIron config interface pos 2 1 BigIron config posif 2 1 encapsulation hdlc BigIron config posif 2 1 write memory Syntax no encapsulation hdlc ppp frame relay ietf NOTE If you are configuring a Frame Relay interface see Configuring POS for Frame Relay on page 6...

Page 169: ...parameters specify the path for the loopback The internal parameter loops packets transmitted on the interface back to the framer The line parameter loops packets that are received on the receive fiber of the port back out on the transmit fiber Changing the MTU The MTU Maximum Transmission Unit specifies the maximum number of bytes a frame transmitted on the interface can contain You can configure...

Page 170: ... CLI To disable keepalive messages on POS interface 2 1 enter the following commands BigIron config interface pos 2 1 BigIron config posif 2 1 no keepalive BigIron config posif 2 1 write memory Syntax no keepalive To reenable the messages enter the following commands BigIron config interface pos 2 1 BigIron config posif 2 1 keepalive BigIron config posif 2 1 write memory Changing the Bandwidth Dep...

Page 171: ...rs Changing the Frame Type Foundry POS interfaces support the following frame types SDH Synchronous Digital Hierarchy An international standard for optical digital transmission at rates from 155 Mbps used for STM 1 to 2 5 Gbps used for STM 16 and higher SONET Synchronous Optical Network An American National Standards Institute ANSI standard T1 1051988 for optical digital transmission at rates from...

Page 172: ...or Foundry POS interfaces See Disabling or Reenabling Keepalive Messages on page 6 8 NOTE The current software release supports Data Terminal Equipment DTE only The other end of the link must be configured as a DCE link Also the current release supports only point to point links not point to multipoint Both ends of the link must be configured for point to point Changing the Encapsulation Type To c...

Page 173: ...ffer Received 0 CRCs 0 shorts 0 giants 0 alignments 10029741 packets output 14905847936 bytes 0 underruns The command in this example indicates that POS interface 2 1 is using the Cisco compatible Frame Relay encapsulation and the keepalive is enabled and set to 10 seconds BigIron config posif 2 1 show interface brief slot 2 Port Link State Encap Clock Loop Speed mtu frame scram crc c2 j0 h1 2 1 u...

Page 174: ...he two devices are on different sides of the POS link S2 P O S E E E E S3 S4 VLAN 40 S1 VLAN 10 VLAN 20 VLAN 30 C2 P O S E E E C3 C4 VLAN 40 C1 VLAN 10 VLAN 20 VLAN 30 Foundry switch B E 192 168 2 20 192 168 2 10 192 168 3 20 192 168 3 10 192 168 4 20 192 168 4 10 192 168 1 20 192 168 1 10 Ethernet over POS Each client and its server on the other Foundry device are in the same sub net Traffic betw...

Page 175: ...t to enable Layer 2 switching on a POS port you must add the port as a tagged port to each of the port based VLANs that contains the sub nets you want to bridge The ports are tagged so that they can properly multiplex traffic from the different VLANs for sending the traffic over the PPP link and demultiplex the traffic at the other end of the link For example when client C2 sends traffic to server...

Page 176: ... blocks the other POS port To also provide load balancing change the path cost of each the POS ports in some of the VLANs but no others For example to configure the POS ports on a switch so that STP uses one port for forwarding VLANs 10 and 20 and the other port for forwarding VLANs 30 and 40 change the port path cost on the first POS port to a lower value for VLANs 10 and 20 On the other POS port...

Page 177: ...ayer 2 Switch code not Layer 3 Switch code P O S S2 P O S E E E E S3 S4 VLAN 40 S1 VLAN 10 VLAN 20 VLAN 30 P O S C2 P O S E E E C3 C4 VLAN 40 C1 VLAN 10 VLAN 20 VLAN 30 Foundry switch B E 192 168 2 20 192 168 2 10 192 168 3 20 192 168 3 10 192 168 4 20 192 168 4 10 192 168 1 20 192 168 1 10 Ethernet over POS Each client and its server on the other Foundry device are in the same sub net Traffic bet...

Page 178: ... a POS Port for Layer 2 Switching POS ports are configured for Layer 3 IP routing by default To configure a POS port for Layer 2 switching you must add the port as a tagged port to a port based VLAN NOTE Layer 2 POS ports must be tagged You cannot add a POS port to a port based VLAN without tagging the port A POS port is by default a routing only port That is it is by default not a member of the d...

Page 179: ...s not configured use the command vlan 10 by port To verify the VLAN configuration for all the VLANs enter the following command at any level of the CLI BigIron config show vlan To view all the VLANs configured for a specific POS port enter a command such as the following at any level of the CLI BigIron config show vlan pos 2 1 Configuring STP Parameters The following STP features are supported on ...

Page 180: ...For a port based VLAN the port priorities determine the port that STP selects within that VLAN to forward traffic out of the VLAN STP prefers the port with the highest port priority You can set a port s STP priority to a value from 0 255 The default for all port types is 128 The default depends on the port type See Table 6 1 To change a POS port s STP priority use the following CLI method USING TH...

Page 181: ...tree of port vlan 1 is disabled Global STP Parameters VLAN Root Root Root Prio Max He Ho Fwd Last Chg Bridge ID ID Cost Port rity Age llo ld dly Chang cnt Address Hex sec sec sec sec sec 10 00c800e052a8a520 0 Root 00c8 20 2 2 15 0 2 00e052a8a520 Port STP Parameters VLAN Port Prio Path State Fwd Design Design Design ID Num rity Cost Trans Cost Root Bridge Hex 10 1 1 80 100 FORWARDING 1 0 00c800e052...

Page 182: ...ts are the same as the rules for Ethernet ports Each group consists of a primary port and consecutively numbered secondary ports Always specify the lowest numbered port first the primary port followed by the other ports in ascending numerical order On a two port POS module the first port on the module is the primary port and the second port is the secondary port When you configure interface parame...

Page 183: ... THE CLI To display the software version running on the POS module enter the following command at any CLI level BigIron show version SW Version 07 1 05T1 Copyright c 1996 1999 Foundry Networks Inc Compiled on Sep 29 2000 at 17 10 51 labeled as B2R07105 1357024 bytes from Primary b2r07105 car HW Chassis 4000 Router SYSIF version 21 SL 3 B8GMR Fiber Management Module ACTIVE 2048 KB BRAM SMC version ...

Page 184: ...OS module in the following ways Status LEDs Each POS port has LEDs that show link status transmit and receive activity and indicate whether an alarm condition has occurred Module information in software The module information displayed by the software indicates whether the module came up properly Status LEDs You can determine the status of a POS port by observing its LEDs Each POS port has the fol...

Page 185: ...es that the module came up and is operating normally NOTE Management modules have different status values USING THE WEB MANAGEMENT INTERFACE 1 Select the System link to display the System configuration sheet if not already displayed 2 Select the Module link to display the Module panel The Status column shows the module status A POS module can have one of the following statuses FAILED This status i...

Page 186: ...S module line The interface is using the clock source supplied on the network To change this parameter see Changing the Clock Source on page 6 6 Loop The loopback state of the interface The loopback state can be one of the following int The loopback path consists only of the POS circuitry on this interface line The loopback path consists of both this POS interface and the POS interface at the remo...

Page 187: ...e SONET headers of packets transmitted by the interface The c2 flag identifies the payload type of the packets transmitted on this interface The c2 flag is set to 0xcf by default This value indicates that the payload is SONET or SDH To change this parameter see Changing the POS Flags on page 6 8 j0 The value of the j0 flag in the SONET headers of packets transmitted by the interface This flag sets...

Page 188: ...xample appear only if the port is enabled for Layer 2 switching Displaying POS Statistics To display POS packet statistics use the following method USING THE CLI To display POS statistics for POS interface 2 1 enter the following command at any CLI level BigIron show statistics pos 2 1 POS Packets Errors Port Receive Transmit Align FCS Giant Short 2 1 1475 12301 0 1378 3 0 Syntax show statistics p...

Page 189: ...a SONET add drop multiplexer ADM which sends identical traffic through them Switching is controlled by the K1 and K2 bytes of the line overhead LOH in a SONET frame Information on signal quality is exchanged between the working and protect interface using the APS Protect Group Protocol running on top of UDP This communication takes place on a channel independent of the working and protect interfac...

Page 190: ...ing circuit number The aps working command establishes this interface as the working interface in circuit 1 This working interface corresponds to a protect interface on the BigIronB The following commands configure the protect interface on BigIronB BigIronB config interface loopback 2 BigIronB config lbif 2 ip address 10 0 0 2 24 BigIronB config lbif 2 exit BigIronB config interface pos 3 1 BigIro...

Page 191: ...IronA config posif 2 2 aps group 60 BigIronA config posif 2 2 aps protect 1 10 0 0 2 BigIronA config posif 2 2 exit The following commands configure the working and protect interfaces on BigIronB BigIronB config interface loopback 2 BigIronB config lbif 2 ip address 10 0 0 2 24 BigIronB config lbif 2 exit BigIronB config interface pos 3 1 BigIronB config posif 3 1 aps group 50 BigIronB config posi...

Page 192: ...ng Optional Parameters You can configure optional POS APS parameters to do the following Configure an authentication string for communication between the process controlling the working interface and the process controlling the protect interface Force a protect interface to take over as a working interface Prevent a protect interface from taking over from a working interface Manually cause a switc...

Page 193: ...e 1 BigIron config posif 3 1 exit Syntax aps force circuit number The circuit number is a valid POS APS circuit number In addition you can specify 0 as the circuit number aps force 0 to manually force traffic from the protect interface to the working interface The switchover takes place immediately after you enter the command The aps force command is not saved if you write the active configuration...

Page 194: ...ing interface down For example to configure the protect interface process to send hello packets every 3 seconds and wait a maximum of 6 seconds for a response enter commands such as the following on the protect interface BigIron config interface pos 3 1 BigIron config posif 3 1 aps protect 1 10 0 0 1 BigIron config posif 3 1 aps timers 3 6 BigIron config posif 3 1 exit Syntax aps timers hello time...

Page 195: ... it is configured for 622 Mbps or 155 Mbps Table 6 5 POS Specifications Transceiver Power Budget Launch Window Transmit Power Receive Power Maximum Distance OC 3c POS interfaces Single mode short reach 13 dB 1270 to 1380 nm 28 to 8 dBm 31 to 8 dBm 9 75 miles 15 Km Single mode intermediate reach 29 dB 1280 to 1335 nm 5 to 0 dBm 34 to 8 dBm 26 miles 40 Km Multimode 11 5 dB 1270 to 1380 nm 18 to 14 d...

Page 196: ...Foundry Switch and Router Installation and Configuration Guide 6 34 December 2000 ...

Page 197: ...ration files Secondary flash A second flash storage device You can use the secondary flash to store redundant images for additional booting reliability or to preserve one software image while testing out another one Only one flash device is active at a time By default the primary image will become active upon reload You can update the software contained on a flash module using TFTP to copy the upd...

Page 198: ...ad a copy of the software image to a TFTP server copy tftp flash tftp ip addr filename primary secondary Use this command to download a copy of the software image from a TFTP server into the device s flash For example to upgrade the flash code from a TFTP server enter a command such as the following BigIron copy tftp flash 192 168 1 170 B2R07100 bin primary This command copies flash code from a TF...

Page 199: ...format file names up to eight characters in the name plus up to three characters in the extension Make sure that if you rename the file on your TFTP server you give the file a name that conforms to these rules 7 Specify the origin or destination of the image code you are transferring by selecting Primary or Secondary next to Flash 8 Click on one of the following buttons to start the file transfer ...

Page 200: ... router code is required to upgrade the boot code To upgrade the boot flash code you can use the following unadvertised CLI command BigIron copy tftp flash tftp ip addr filename boot This command is at the privileged EXEC level of the CLI NOTE It is very important that you verify a successful TFTP transfer of the boot code before you reset the system If the boot code is not transferred successfull...

Page 201: ...want to reload NOTE While TFTP transfers are in process a red bar labeled processing is displayed on the screen When the TFTP transfer is actively transferring image or configuration data a green bar labeled loading is displayed When a successful transfer is complete the message TFTP transfer complete is displayed If a problem with the transfer occurs one of the error codes listed in Diagnostic Er...

Page 202: ...ve to Flash option 3 Select Yes when the Web management interface asks you whether you really want to save the configuration changes to flash Replacing the Running Configuration with the Startup Configuration If you want to back out of the changes you have made to the running configuration and return to the startup configuration use one of the following methods USING THE CLI To replace the startup...

Page 203: ...ration file from the switch or router to a TFTP server copy tftp startup config tftp ip addr filename Use this command to download a copy of the startup configuration file from a TFTP server to a switch or router USING THE WEB MANAGEMENT INTERFACE To initiate transfers of configuration files to and from a TFTP server using the Web management interface 1 Log on to the device using a valid user name...

Page 204: ...tic Error Codes and Remedies for TFTP Transfers on page 7 9 is displayed Maximum File Sizes for Startup Config File and Running Config Each Foundry device has a maximum allowable size for the running config and the startup config file If you use TFTP to load additional information into a device s running config or startup config file it is possible to exceed the maximum allowable size If this occu...

Page 205: ...TP server then delete it from flash Use the erase flash CLI command at the Privileged EXEC level to erase the image in the flash If you are copying a configuration file to flash edit the file to remove unneeded information then try again 7 TFTP busy only one TFTP session can be active Another TFTP transfer is active on another CLI session Web management session or IronView session Wait then retry ...

Page 206: ... The scheduled reload feature requires the system clock You can use a Simple Network Time Protocol SNTP server to set the clock or you can set the device clock manually See Specifying a Simple Network Time Protocol SNTP Server on page 10 10 or Setting the System Clock on page 10 12 Reloading at a Specific Time To schedule a system reload for a specific time use one of the following methods USING T...

Page 207: ...uch time is remaining before a scheduled system reload takes place use one of the following methods USING THE CLI To display how much time is remaining before a scheduled system reload enter the following command from any level of the CLI BigIron show reload USING THE WEB MANAGEMENT INTERFACE You cannot display information about a scheduled reload using the Web management interface Canceling a Sch...

Page 208: ...Foundry Switch and Router Installation and Configuration Guide 7 12 December 2000 ...

Page 209: ...view of the Stackable and Chassis hardware see Hardware Overview on page 9 1 Software Feature Summary This section lists the flash image files system software that Foundry devices can run and the features that are supported in each type of flash image Foundry products run one of three types of flash images Router code Switch code ServerIron code This section describes the features provided in each...

Page 210: ...tion Table 8 1 Foundry Flash Software Images Product Flash image Description NetIron Internet Backbone router BigIron FastIron II FastIron II Plus TurboIron 8 BIRxxxxx BIN B2Rxxxxx BIN redundant management module Router code BIPxxxxx BIN B2Pxxxxx BIN redundant management module IP only router code BISxxxxx BIN B2Sxxxxx BIN redundant management module Switch code BBRxxxxx bin Switch code with basic...

Page 211: ... is supported Table 8 2 on page 8 4 uses the following labels to indicate the flash code types Router Layer 3 Switch A device capable of performing Layer 2 Layer 3 and Layer 4 switching and Layer 3 routing The following Foundry devices are or can be configured as Layer 3 Switches NetIron Internet Backbone router BigIron Layer 3 Switch TurboIron 8 FastIron II and FastIron II Plus but only if upgrad...

Page 212: ...ACS authentication X X 8 10 RADIUS authentication X X X 8 11 Access Control Lists ACLs X X X 8 11 Dynamic configuration X X X 8 11 Soft reboot reboot flash image without resetting the system X X X 8 11 Scheduled system reload X X X 8 11 Telnet X X X 8 11 Trivial File Transfer Protocol TFTP X X X 8 11 Simple Network Time Protocol SNTP X X X 8 12 Domain Name Server DNS resolver X X X 8 12 SNMPv2c X ...

Page 213: ...ol based Virtual LANs VLANs X X X 8 18 IP router acceleration IP switching Xa 8 19 IPX router acceleration IPX switching Xb 8 20 IP and IPX route service filters used with router acceleration X 8 20 Layer 3 Routing Features Multi netting X 8 20 Multi port subnets integrated switch routing X X X 8 21 Static IP routes Address Resolution Protocol ARP entries and Reverse ARP RARP entries X 8 21 IP RIP...

Page 214: ...ticast Routing PIM and DVMRP X 8 24 IP RIP and IP OSPF redistribution filters X 8 24 User Datagram Protocol UDP Helper X 8 24 Layer 4 Switching Features Session switching X X 8 25 TCP UDP access policies X X X 8 25 Layer 4 Caching Features Transparent Cache Switching TCS Xb X 8 25 TCS filters Xb X 8 25 Load Balancing and Redundancy Features Server Load Balancing SLB Xb X 8 26 Router support for Gl...

Page 215: ...ss and management features listed in Table 8 1 on page 8 2 Secure Shell SSH Secure Shell SSH is a mechanism for allowing secure remote access to a Foundry device SSH provides a function similar to Telnet Users can log into and configure the device using a publicly or commercially available SSH client program just as they can with Telnet However unlike Telnet which provides no security SSH provides...

Page 216: ...browsers Netscape Navigator versions 2 0 or later and Microsoft Internet Explorer versions 3 0 or later No application software is required The Web management interface comes standard on all switches and routers To use the Web management interface open a web browser and enter the IP address of the Foundry device in the Location or Address field The web browser contacts the Foundry device and displ...

Page 217: ...iew and change configuration parameters NOTE The Web management interface automatically refreshes the system information at regular intervals including the link LEDs for the ports To streamline performance display of the device s front panel is disabled by default To enable front panel display select the Preference link select the Enable radio button for Front panel display then click Apply Select...

Page 218: ...nity strings The default password for get is public There is not default password for set You can configure SNMP community strings using CLI commands See Establishing SNMP Community Strings on page 3 14 You also can use locally configured user names and passwords to control access through the Web management interface See Local Access Control on page 8 10 IronView Access By default IronView access ...

Page 219: ...tem to use the new software You can boot the new software immediately from the primary flash secondary flash a TFTP server or a BootP server You also can use this feature to test new versions of flash code before replacing the previous flash image For more details on the boot commands and on copying software to and from Foundry switches and routers refer to Updating Software Images and Configurati...

Page 220: ... date You also can enable daylight savings time which is disabled by default See Setting the System Clock on page 10 12 for more information about setting the time and date Domain Name Server DNS Resolver The DNS Resolver feature allows you to use just a host name rather than a fully qualified domain name when you use Telnet ping and trace route commands To configure the feature you specify the do...

Page 221: ...a third party SyslogD server The Syslog feature can write messages at the following severity levels Emergencies Alerts Critical Errors Warnings Notifications Informational Debugging The device automatically writes the Syslog messages to a local buffer If you specify the IP address or name of a SyslogD server the device also writes the messages to the SyslogD server The default facility for message...

Page 222: ... port based VLAN membership 802 1q tag NOTE IronClad QoS is supported on the Chassis devices and the TurboIron 8 On other Foundry products you can assign certain types of traffic to the high queue instead of the normal queue but the other features described in this chapter are not supported IP Type of Service TOS Mapping Foundry devices that support IronClad QoS automatically place incoming IP pac...

Page 223: ...destined for the cached address the device does not need to send the packet as a broadcast through all the ports within the broadcast domain Instead the device can intelligently send the packet only through the port to which the destination device is connected Thus even though Layer 2 domains are typically broadcast domains MAC switching enhances performance in the domain by reducing the amount of...

Page 224: ... paths exist between ports Moreover if a selected path fails STP searches for and then establishes an alternate path to prevent or limit retransmission of data STP is disabled by default on routers but is enabled by default on Layer 2 Switches and on the ServerIron For information about configuring STP see Enabling or Disabling the Spanning Tree Protocol STP on page 10 34 IronSpan STP Enhancements...

Page 225: ...ember of a tagged VLAN the switch tags the packet to indicate its VLAN membership Other switches that support VLAN tagging recognize the tag and process the packet according to its VLAN membership For more information see Configuring Virtual LANs VLANs on page 25 1 MAC Filters A MAC filter enables you to explicitly permit or deny switching of a Layer 2 packet received by the Foundry device When th...

Page 226: ... of IP multicast packets to only those ports on the switch that are identified as IP multicast members Foundry Layer 2 Switches can provide IP multicast containment in either of the following modes Passive The switch listens for Internet Group Membership Protocol IGMP packets and forwards them to the appropriate ports Active The switch actively sends out host queries to identify IP multicast group...

Page 227: ... switching configuration NOTE Router acceleration is supported only on the FastIron Backbone and TurboIron Backbone Layer 2 Switches Figure 8 3 Example IP router acceleration configuration In this example the Foundry Layer 2 Switch forwards the first IP packet it receives for IP address 209 157 2 1 to the attached router This is shown by the solid arrow pointing from the Foundry Layer 2 Switch to ...

Page 228: ... provides Layer 3 router acceleration you can define route service filters The CLI commands and Web management or IronView interface selections for Layer 3 filters are the same as those for standard IP or IPX filters However the action that occurs when a deny filter becomes true is different When you are using standard IP or IPX routing accept filters forward packets and deny filters drop packets ...

Page 229: ...ing between the VLANs is performed without dedicating physical ports by using virtual interfaces These virtual interfaces serve as a link between the configured VLANs and the routing core of the Foundry routers The ISR architecture provides the platform for support of policy based VLANs within Foundry routers Static IP Routes Address Resolution Protocol ARP Entries and Reverse ARP RARP Entries Fou...

Page 230: ...state databases and then periodically send link state advertisements to notify other routers of route changes Foundry routers are configured to be compliant with RFC 1583 OSPF V2 RFC 1583 by default You also can configure Foundry routers to run the latest OPSF standard RFC 2178 See Configuring OSPF on page 17 1 for information Border Gateway Protocol BGP4 Routing BGP4 allows you to configure Found...

Page 231: ...et 802 2 Ethernet 802 3 and Ethernet II These are the same encapsulation types supported for IPX switching see IPX Router Acceleration on page 8 20 IPX Forward Filters You can define IPX filters to control client access to servers For example if you want to restrict access to a print server to specific users you can define a filter group containing filters that check for the source IPX addresses a...

Page 232: ...MRP does DVMRP and PIM can concurrently operate on different ports of a Foundry router For both versions of IP multicast Foundry Layer 3 Switches support IP tunneling IP tunneling allows Foundry Layer 3 Switches that are performing IP multicast to send multicast traffic through routers that do not support either PIM or DVMRP multicasting For more details on configuring the Foundry Layer 3 Switches...

Page 233: ...atically redirect traffic to other servers if a server fails TCS and SLB are described in more detail later in this chapter TCP UDP Access Policies TCP UDP access policies sometimes called session filters allow you to filter packets for specific Layer 4 sessions For example you can use session filters to prohibit specific users from using TCP port 80 HTTP for web traffic All Foundry devices suppor...

Page 234: ...ad balancing you configure two ServerIrons one on each side of your firewalls One of the ServerIrons is on the Internet side of the firewalls The other ServerIron is on the private network side For added reliability you can configure pairs of ServerIrons on each side of the firewalls One of the ServerIrons in each pair is active and performs the firewall load balancing The other ServerIron remains...

Page 235: ...ocol If you have routers that are running FSRP you do not need to reconfigure them for VRRP However if you are planning to configure your Foundry routers to use a redundancy protocol Foundry Networks recommends that you use VRRP Using VRRP allows you to include third party routers in the virtual router NOTE Foundry Networks recommends that you do not use VRRP and FSRP on the same device NOTE The v...

Page 236: ...Foundry Switch and Router Installation and Configuration Guide 8 28 December 2000 ...

Page 237: ...igIron NetIron Internet Backbone router FastIron II and FastIron II Plus BigIron Foundry Networks BigIron Layer 2 and Layer 3 Switches provide second generation hardware based Layer 2 3 4 switching and multi protocol routing on a single Chassis device Enterprises and Internet service providers ISPs can use BigIron to build very high performance end to end packet networks that provide the Quality o...

Page 238: ...ty 8 G ig a b it B24E 1 0 1 0 0 B A S E T X 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 3 5 4 2 B8G Link Activity 6 1 7 8 Link Activity Link Activity Link Activity 8 G ig a b it BigIron 4000 BigIron 8000 3 5 4 2 B8G Link Activity 6 1 7 8 Link Activity Link Activity Link Activity 8 G ig a b it B24E 1 0 1 0 0 B A S E T X 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 ...

Page 239: ... Standard Management Modules on page 9 9 NetIron and BigIron Forwarding Modules on page 9 10 NetIron Internet Backbone Router The NetIron 400 800 and 1500 are Chassis based routers for ISP networks The NetIron is based on the BigIron architecture and provides the same high throughput non blocking performance as the BigIron Layer 3 Switches The following models are available Figure 9 4 shows an exa...

Page 240: ...IPX support is loaded into secondary flash In addition the Management IV module s PCMCIA flash card see the following section contains the IP only standard Layer 3 Switch and Layer 2 Switch software allowing you to deploy the NetIron in a wide variety of networking environments The software features are the same as those supported on the BigIron Layer 3 Switch IP only and switch images For feature...

Page 241: ... FastIron II Plus GC offers the industry s highest Gigabit Ethernet copper density with 64 ports Foundry offers many configurations of the FastIron II products listed above with various combinations of 10 100 SX LX and GC ports to meet your networking needs You also of course can order individual modules as needed for upgrades replacements or spares The following sections list the modules For more...

Page 242: ...he module down automatically to prevent damage You can use one or two redundant management modules in a Chassis device Using two redundant management modules adds fault protection against system outage The two modules work together as active and standby management modules If the active module becomes unavailable the standby module automatically takes over system operation For more information and ...

Page 243: ...s available with an LC or MTRJ connector 1000BaseLX This mini GBIC supports single mode fiber and is available with an LC connector PCMCIA Flash Card The Management IV module contains two PCMCIA slots and comes standard with an 80 MB PCMCIA flash card A second card is optional The flash cards provide room to store software image files startup config files and any other files you want to store on t...

Page 244: ...Pwr Link Activity Link Activity Link Activity B8GM 8 G i g M g m t Link Activity 1 3 6 7 8 5 4 2 Pwr Link Activity Link Activity Link Activity B8GM 8 G i g M g m t Link Activity 1 3 6 7 8 5 4 2 Pwr Link Activity Link Activity Link Activity B8GM 8 G i g M g m t Link Activity 1 3 6 7 8 5 4 2 Pwr Link Activity Link Activity Link Activity B8GM 8 G i g M g m t Pwr BZGMR Link Activity 1 3 6 7 8 5 4 2 Pw...

Page 245: ...agement module B8GM 4LX 8 port Gigabit 4SX 4LX management module B4GM 4LX 8 port Gigabit 6SX 2LX management module B8GM 2LX Pwr BZGMR Pwr B8GC 1 0 1 0 0 B A S E T X M g m t 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Pwr B16E 1 0 1 0 0 B A S E T X M g m t 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Pwr B16E Link Activity 1 3 6 7 8 5 4 2 Pwr Link Activity Link Activity Link Activity B8GM 8 G i g M g m t Link...

Page 246: ...ink Activity 6 G i g M g m t Link Activity 1 3 4 2 Pwr Link Activity 4 G i g M g m t B24E 1 0 1 0 0 B A S E T X 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Link Activity Link Activity Link Activity Link Activity 3 5 4 2 BxG 6 1 7 8 8 G i g a b i t Link Activity Link Activity Link Activity Link Activity 3 5 4 2 B8G 6 ...

Page 247: ...ll POS modules require the Management II module or higher NOTE All copper ports are 10 100 Mbps auto sensing and auto negotiating for easy deployment into existing network topologies BigIron Gigabit Ethernet interfaces are available in both multi mode 1000BaseSX and single mode 1000BaseLX Foundry Networks also offers enhanced single mode 1000BaseLH that supports distances of up to 70 kilometers en...

Page 248: ...on Workgroup 24 port switch with a 2 port expansion module installed NOTE Optional Fast Ethernet and Gigabit expansion modules are also available for building large fast Gigabit networks ServerIron Switch Foundry Networks ServerIron switch provides Internet service providers ISPs and enterprise Intranet managers with a high density high performance Layer 4 switch that improves the performance of e...

Page 249: ...r 2 Switch or Layer 3 Switch System Architecture Chassis Architecture Built on a fully non blocking architecture the chassis platform provides switching capacity in the core and on each interface module Each interface module utilizes a high bandwidth shared memory switching fabric This local switching fabric houses the forwarding engines and includes Application Specific Integrated Circuits ASICs ...

Page 250: ...alue is greater than zero If so the packet will be forwarded Performs destination MAC address substitution of the next hop router or end station The source MAC address will be replaced by the MAC address of the interface Updates the header checksum Once Layer 3 operations are completed the packet s priority is determined and it is placed in the appropriate buffer for forwarding to the target outpu...

Page 251: ...9 20 21 22 23 24 3 5 4 2 B8G Link Activity 6 1 7 8 Link Activity Link Activity Link Activity 8 G i g a b i t BigIron 4000 Link Activity 1 3 6 7 8 5 4 2 Pwr Link Activity Link Activity Link Activity B8GM 8 G i g M g m t 1000BaseSX 1000BaseLX 1000BaseLH ports or Port LEDs Serial Port Power LEDs Reset Button Port LEDs AC Power Connector Power Supply LED Power Supply standard Power Supply redundant Li...

Page 252: ...ax interface ethernet portnum Syntax port name string Chassis Devices The port numbers on the modules in Chassis devices are labeled but the slot numbers are not labeled Slots on a 4 slot chassis are numbered 1 4 from top to bottom Slots on an 8 slot chassis are numbered 1 8 from left to right Slots on a 15 slot chassis are numbered 1 15 from left to right You can place a management module in any ...

Page 253: ...he device The TurboIron 8 comes standard with four fans The 4 slot Chassis devices come with four fans The 8 slot and 15 slot Chassis devices come with six fans LEDs Each Foundry device is equipped with LEDs that denote port and power supply status The tables below reflect the different port and expansion module port states Stackable All currently shipping Stackable devices come equipped with thre...

Page 254: ...onnection established no activity Off No connection established Blinking Connection established with activity on the link Table 9 3 Port LED indicators for 100BaseFX 1000BaseSX LX and 1000BaseT ports LED Position State Meaning Link Top On Port is connected Off No port connection exists Activity Bottom On Traffic is being transmitted and received on that port Off No traffic is being transmitted Bli...

Page 255: ...ate in full duplex mode and are equipped with SC connectors on fixed configuration modules and come as mini GBICs for mini GBIC modules that support this port type Multi mode fiber cabling is supported 1000BaseLX The 1000BaseLX ports operate in full duplex mode and are equipped with SC connectors on fixed configuration modules and come as mini GBICs for mini GBIC modules that support this port typ...

Page 256: ...ndry Chassis Layer 2 Switches and Layer 3 Switches are equipped with an auto ranging 90 250 VAC power supply rated at 7 5A and 47 63 Hz Standard and Redundant Power Options Redundant power is an option for all Foundry devices Each power supply can be connected to a separate AC power source for additional power redundancy When power supplies are added to a system the power supplies load balance and...

Page 257: ...often the software polls the chassis for hardware status information The software is configured with a warning temperature default 45 degrees Celsius and a shutdown temperature default 55 degrees Celsius When the software reads the temperature sensor if the temperature equals or exceeds the warning or shutdown temperature the software does the following Warning message If the temperature of the mo...

Page 258: ...Foundry Switch and Router Installation and Configuration Guide 9 22 December 2000 ...

Page 259: ... IP related parameters see Configuring IP on page 15 1 Foundry switches and routers are configured at the factory with default parameters that allow you to begin using the basic features of the system immediately However many of the advanced features such as VLANs or routing protocols for the router must first be enabled at the system global level before they can be configured If you use the Comma...

Page 260: ... from the System configuration panel Enter system administration information Review or modify the IP mask and gateway addresses Layer 2 Switches only Assign IP sub net interface addresses and masks routers only Assign DHCP gateway lists for DHCP Assist operation Layer 2 Switches only Configure Domain Name Server DNS Resolver Define a MAC address filter Set the system clock Configure the device to ...

Page 261: ...o configure these parameters Configuring Basic System Parameters The procedures in this section describe how to configure the following basic system parameters System name contact and location see Entering System Administration Information on page 10 4 SNMP trap receiver trap source address and individual traps see Configuring Simple Network Management SNMP Parameters on page 10 5 Single source ad...

Page 262: ...and Oakland config snmp server contact Suzy Creamcheese Oakland config snmp server location Centerville Oakland config end Oakland write memory Syntax hostname string NOTE On a Chassis device or TurboIron 8 you also can use the chassis name command to set the device name Syntax snmp server contact string Syntax snmp server location string The text strings can contain blanks The SNMP text strings d...

Page 263: ...community string you associate with the receiver when the string is displayed by the CLI or Web management interface If you want the software to show the community string in the clear you must explicitly specify this when you add a trap receiver In either case the software does not encrypt the string in the SNMP traps sent to the receiver To specify the host to which the device sends all SNMP trap...

Page 264: ... to ensure that all SNMP traps sent by the Foundry device use the same source IP address When you configure the SNMP source address you specify the Ethernet port POS port loopback interface or virtual interface that is the source for the traps The Foundry device then uses the first IP address configured on the port or interface as the source IP address in the SNMP traps sent by the device Identify...

Page 265: ...ress The following commands configure an IP interface on a POS port and designate the address as the SNMP trap source for a Layer 3 Switch The Foundry device always sends traps through the POS port and the source IP address of the traps is always the first IP address configured on the POS port BigIron config interface pos 2 1 BigIron config posif 2 1 ip address 209 157 22 26 24 BigIron config posi...

Page 266: ... access The System configuration panel is displayed 2 Select the Management link to display the Management panel NOTE The panel lists different traps for Layer 2 and Layer 3 Switches 3 Select the Disable or Enable button next to the trap you want to disable or enable 4 Click the Apply button to save the change to the device s running config file 5 Select the Save link at the bottom of the dialog S...

Page 267: ...E error I informational N notification W warning Static Log Buffer Dec 15 19 04 14 A Fan 1 fan on right connector failed Dynamic Log Buffer 50 entries Oct 15 18 01 11 info dg logout from USER EXEC mode Oct 15 17 59 22 info dg logout from PRIVILEDGE EXEC mode Oct 15 17 38 07 info dg login to PRIVILEDGE EXEC mode Oct 15 17 38 03 info dg login to USER EXEC mode Syntax show logging The first message t...

Page 268: ...specify the lowest numbered IP address configured on a virtual interface as the device s source for all Telnet packets enter commands such as the following BigIron config int loopback 2 BigIron config lbif 2 ip address 10 0 0 2 24 BigIron config lbif 2 exit BigIron config ip telnet source interface loopback 2 The commands in this example configure loopback interface 2 assign IP address 10 0 0 2 24...

Page 269: ...ibes the information displayed by the show sntp associations command To display information about SNTP status enter the following command BigIron show sntp status Clock is unsynchronized stratum 0 no reference clock precision is 2 0 reference time is 0 0 clock offset is 0 0 msec root delay is 0 0 msec root dispersion is 0 0 msec peer dispersion is 0 0 msec Syntax show sntp status The following tab...

Page 270: ...configuration change to the startup config file on the device s flash memory Setting the System Clock In addition to SNTP support Foundry switches and routers also allow you to set the system time counter The time counter setting is not retained across power cycles and is not automatically synchronized with an SNTP server The counter merely starts the system time and date clock with the time and d...

Page 271: ...time zones US Pacific default Alaska Aleutian Arizona Central East Indiana Eastern Hawaii Michigan Mountain Pacific Samoa The default is US Pacific To change the time zone to Australian East Coast time which is normally 10 hours ahead of GMT enter the following command BigIron config clock timezone gmt 10 Syntax clock timezone gmt us time zone You can enter one of the following values for time zon...

Page 272: ...dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Configuring the Syslog Service The procedures in this section describe how to perform the following Syslog configuration tasks Specify a SyslogD server You can configure the Foundry device to use up to six SyslogD servers Use of a SyslogD server is optional The system can hold u...

Page 273: ...o identify each subfield and commas are delimiters The subfield order is insensitive except that the text subfield should be the last field in the message All the subfields are optional Displaying Syslog Messages To display the Syslog messages in the buffer enter the following command at any level of the CLI BigIron show logging Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Buffer...

Page 274: ... of a Message Level To change the message level disable logging of specific message levels You must disable the message levels on an individual basis For example to disable logging of debugging and informational messages enter the following commands BigIron config no logging buffered debugging BigIron config no logging buffered informational Syntax no logging buffered level num entries The level p...

Page 275: ...yntax logging facility facility name The facility name can be one of the following kern kernel messages user random user level messages mail mail system daemon system daemons auth security authorization messages syslog messages generated internally by syslogd lpr line printer subsystem news netnews subsystem uucp uucp subsystem sys9 cron at subsystem sys10 reserved for system use sys11 reserved fo...

Page 276: ...uffer messages dropped The number of Syslog messages dropped due to user configured filters By default the software logs messages for all Syslog levels You can disable individual Syslog levels in which case the software filters out messages at those levels See Disabling Logging of a Message Level on page 10 16 Each time the software filters out a Syslog message this counter is incremented flushes ...

Page 277: ... ethernet4 state up Dec 15 18 45 21 I Bridge topology change vlan 4095 interface 4 changed state to forwarding Dec 15 18 45 15 I Warm start Notice that the static buffer contains two separate messages for fan failures Each message of each type has its own buffer Thus if you replace fan 1 but for some reason that fan also fails the software replaces the first message about the failure of fan 1 with...

Page 278: ... Static Log Buffer Dec 15 19 04 14 A Fan 1 fan on right connector failed Dec 15 19 00 14 A Fan 2 fan on left connector failed Dynamic Log Buffer 50 entries Oct 15 17 38 03 warning list 101 denied tcp 209 157 22 191 0 Ethernet 4 18 0010 5a1f 77ed 198 99 4 69 http 2 packets Oct 15 07 03 30 warning list 101 denied tcp 209 157 22 26 0 Ethernet 4 18 0010 5a1f 77ed 198 99 4 69 http 2 packets Oct 15 06 5...

Page 279: ...r can hold The buffer size can be from 50 100 The default is 50 NOTE A change in the buffer size takes effect only after you restart the system The buffer size does not affect how many entries the device can log on a SyslogD server The number of entries the device can log on the server depends on the server s configuration 6 Enter the IP address of your SyslogD server if you want the device to log...

Page 280: ...orts at both ends of a Gigabit Ethernet link use the same mode either auto Gigabit or negotiation off the ports cannot establish a link An administrator must intervene to manually configure one or both sides of the link to enable the ports to establish the link Foundry Chassis software provides a solution by changing the default negotiation behavior for Gigabit Ethernet ports on Chassis devices Th...

Page 281: ...for globally changing the negotiation mode Syntax gig default neg full auto auto gig neg off Here is the syntax for changing the negotiation mode on individual ports Syntax gig default neg full auto auto gig neg off USING THE WEB MANAGEMENT INTERFACE To change the global default 1 Log on to the device using a valid user name and password for read write access The System configuration panel is disp...

Page 282: ...packets You can limit the number of broadcast multicast or unknown unicast packets a Foundry device forwards each second using the following methods The limits are individually configurable for broadcasts multicasts and unknown unicasts NOTE By default IP Multicast including IGMP is disabled You can enable it using the ip multicast passive active command As long as IP Multicast is enabled regardle...

Page 283: ...ces can be configured to display a greeting message on users terminals when they enter the Privileged EXEC CLI level or access the device through Telnet In addition a Foundry device can display a message on the Console when an incoming Telnet CLI session is detected Setting a Message of the Day Banner You can configure the Foundry device to display a message on a user s terminal when he or she est...

Page 284: ... device to display a message on the Console when a user establishes a Telnet session This message indicates where the user is connecting from and displays a configurable text message For example BigIron config banner incoming Press Return Enter TEXT message End with the character Incoming Telnet Session When a user connects to the CLI using Telnet the following message appears on the Console Telne...

Page 285: ...guration However in some cases changes to the port parameters may be necessary to adjust to attached devices or other network requirements The current port configuration for all ports is displayed when you select the Port link from the Configure tree You can easily determine a port s state by observing the color in the Port field Red indicates there is no link Green indicates the link is good This...

Page 286: ...nd 100 Mbps Assigning a Port Name A port name can be assigned to help identify interfaces on the network You can assign a port name to physical ports virtual interfaces and loopback interfaces USING THE CLI To assign a name to a port BigIron config interface e 2 8 BigIron config if 2 8 port name Marsha the Marketing Monkey Syntax port name text The text parameter is an alphanumeric string The name...

Page 287: ...nnot be modified USING THE CLI To change the port speed of interface 8 from the default of 10 100 auto sense to 10 Mbps operating at full duplex enter the following BigIron config interface e8 BigIron config if 8 speed duplex 10 full Syntax speed duplex value The value can be one of the following 10 full 10 half 100 full 100 half auto The default is auto USING THE WEB MANAGEMENT INTERFACE To modif...

Page 288: ... displayed 2 Click on the plus sign next to Configure in the tree view to display the configuration options 3 Select the Port link to display the Port table 4 Click on the Modify button next to the row of information for the port you want to reconfigure 5 Click next to Full Duplex to select or de select full duplex mode Full duplex mode is selected when the radio button small circle next to Full D...

Page 289: ...e device s flash memory NOTE You cannot disable or re enable a virtual interface using the Web management interface Disabling or Re Enabling Flow Control You can configure full duplex ports on a system to operate with or without flow control 802 3x Flow control is enabled by default USING THE CLI To disable flow control on full duplex ports on a system enter the following BigIron config no flow co...

Page 290: ...yntax gig default neg full auto auto gig neg off To change a Gigabit port on a Stackable device to auto Gigabit enter commands such as the following BigIron config int ethernet 1 4 BigIron config if 1 4 auto gig The following syntax applies to Stackable devices Syntax no auto gig USING THE WEB MANAGEMENT INTERFACE To override the global 802 3x negotiation mode for an Gigabit individual port on a C...

Page 291: ... 11 Configuring Basic Layer 2 Parameters The procedures in this section describe how to configure the following Layer 2 parameters Note that some of these parameters apply only to Foundry Layer 2 Switches not routers Spanning Tree Protocol STP see Enabling or Disabling the Spanning Tree Protocol STP on page 10 34 NOTE The procedures in this chapter describe how to configure standard STP For inform...

Page 292: ...he changes to the device s running config file 4 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Modifying STP Bridge and Port Parameters You can modify the following STP Parameters Bridge parameters forward delay maximum age hello time and priority Port parameters priority and path c...

Page 293: ...hs The default path costs therefore favor local paths over remote paths USING THE CLI EXAMPLE Suppose you want to enable STP on a system in which no port based VLANs are active and change the hello time from the default value of 2 to 8 seconds Additionally suppose you want to change the path and priority costs for port 5 only To do so enter the following commands BigIron config span hello time 8 B...

Page 294: ...e priority and path cost fields 6 Click Apply STP Port to apply the changes to only the selected port or select Apply To All Ports to apply the changes to all the ports NOTE If you want to save the priority and path costs of one port to all other ports on the switch or router within a VLAN you can click the Apply To All Ports button 7 Select the Save link at the bottom of the dialog Select Yes whe...

Page 295: ...g if 3 2 no route only USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Select Enable or Disable next to L2 Switching 3 Click Apply to save the changes to the device s running config file 4 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configurat...

Page 296: ...y routers also support the assignment of static IP Routes static ARP and static RARP entries For details on configuring these types of static entries see Configuring Static Routes on page 15 39 and Creating Static ARP Entries on page 15 32 You can manually input the MAC address of a device to prevent it from being aged out of the system address table This option can be used to prevent traffic for ...

Page 297: ...e System configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to display the list of configuration options 3 Select the Static Station link If the system already contains static MAC addresses and you are adding a new static MAC address click on the Add Static Station link to display the Static Station Table configuration panel as shown in the following examp...

Page 298: ...blank spaces in the name if you enclose the name in double quotes for example Product Marketing NOTE The second command is optional and also creates the VLAN if the VLAN does not already exist You can enter the first command after you enter the second command if you first exit to the global CONFIG level of the CLI USING THE WEB MANAGEMENT INTERFACE To enable port based VLANs on the switch or route...

Page 299: ... does not apply to ports that are not in a port based VLAN and does not apply to the default VLAN 6 Click Apply to save the changes to the device s running config file 7 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Configuring Trunk Groups The Trunk Group feature allows you to esta...

Page 300: ... card installed The trunk server is designated as a server with multiple adapters or a single adapter with multiple ports that share the same MAC and IP address Figure 10 3 shows an example of a trunk group between a server and a Foundry device Figure 10 3 Trunk group between a server and a Foundry Stackable switch or router Gigabit Backbone Trunk Group Power Link Activity Link Activity Console Po...

Page 301: ... 15 16 17 18 19 20 21 22 23 24 and 25 26 NOTE You still can configure 4 port trunk groups on a Stackable device but you must begin a 4 port trunk group on one of the following primary ports 1 5 9 13 17 or 21 Port assignment must be contiguous The port range cannot contain gaps For example you can configure ports 1 2 3 and 4 together as a trunk group but not ports 1 3 and 4 excluding 2 Port assignm...

Page 302: ...oundry devices Ports in a valid 2 port trunk group on one device are connected to two ports in a valid 2 port trunk group on another device The same rules apply to 4 port trunk groups Figure 10 4 Examples of 2 port trunk groups Power Link Activity Link Activity Console Power Link Activity Link Activity Console Power Link Activity Link Activity Console Power Link Activity Link Activity Console Powe...

Page 303: ...Configuring Basic Features December 2000 10 45 Figure 10 5 shows examples of two Chassis devices connected by multi slot trunk groups Figure 10 5 Examples of multi slot trunk groups ...

Page 304: ...eginning with the primary port For example to specify a group containing ports 1 1 1 4 and 3 1 3 4 you must specify them in the order shown You cannot specify 3 1 3 4 first Port configuration for each trunk group is based on the configuration of the primary port To change port parameters you must change them on the primary port The software automatically applies the changes to the other ports in t...

Page 305: ...ends on the type of device Table 10 5 lists how Foundry devices load share traffic across the ports in a trunk group Notice that the load sharing methods differ on Chassis devices and Stackable devices for server trunk groups on Layer 3 Switches Table 10 5 Foundry Trunk Group Load Sharing Foundry Device Type Trunk Group Type Traffic Type Load Sharing Basis Chassis Switch Switch All traffic Destina...

Page 306: ...ther configuration changes 3 If the device at the other end of the trunk group is another Layer 2 or Layer 3 Switch repeat Step 2 for the other device 4 When both devices are reset re booted and operational reconnect the cables to those ports that are now configured as trunk groups starting with the first port lead port of each trunk group 5 To verify the connection is operational use the show tru...

Page 307: ...config in progress Write startup config done NetIron1 config exit NetIron1 reload To configure the trunk group link between NetIron2 and the server NetIron2 config trunk server e2 to 4 Trunk 0 is created for next power cycle Please save configuration to flash and reboot NetIron2 config write memory Write startup config in progress Write startup config done NetIron2 config exit NetIron2 reload NOTE...

Page 308: ...sts port ranges only for the slots that contain an active module In addition only the ranges that are valid for the module are listed The port ranges listed by the panel contain four ports but the default number of ports in a group is two If you select a group and leave the number of ports in a group at two the software assigns the first two ports in the group you select to the trunk group The las...

Page 309: ...o portnum The server switch parameter specifies whether the trunk ports will be connected to a server or to another Layer 2 or Layer 3 Switch This parameter affects the type of load balancing performed by the Foundry device See Trunk Group Load Sharing on page 10 47 The default is switch Each ethernet parameter introduces a port group The primary portnum to portnum parameters specify a port group ...

Page 310: ... ports to a server Otherwise the software assumes you are connecting the trunk group ports to another Layer 2 or Layer 3 Switch and uses the default value Switch 8 Click Apply to save the changes to the device s running config file 9 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory 10 ...

Page 311: ...ort 1 1 On most devices trunk groups can contain two ports or four ports but cannot contain only three ports Therefore the following command also is invalid for trunk group 1 1 1 4 BigIron config no trunk ethernet 1 4 This command is invalid because it would result in a trunk group containing three ports 1 1 1 3 USING THE WEB MANAGEMENT INTERFACE 1 Disconnect the ports to the server Layer 2 Switch...

Page 312: ...stem configuration panel is displayed 3 Click on the plus sign next to Configure in the tree view to display the configuration options 4 Select the Trunk link to display a table listing the configured trunk groups 5 Click the Delete button next to the trunk group you want to delete 6 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the s...

Page 313: ...lay to make the display easy to use Type The type of trunk group which can be one of the following Server The trunk group is connected to a server Switch The trunk group is connected to another Layer 2 or Layer 3 Switch Ports The ports in the trunk group Duplex The mode of the port which can be one of the following None The link on the primary trunk port is down Full The primary port is running in...

Page 314: ... interval to a value from 10 1220 seconds Forwarding policy The switch forwards all IP multicast traffic by default but you can enable the switch to forward IP multicast traffic only for groups for which the switch has received a Group Membership report and drop traffic for all other groups The following sections describe how to configure IP multicast parameters on a Foundry Layer 2 Switch Enablin...

Page 315: ...enable IP Multicast Traffic Reduction on a Layer 2 Switch 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Select Enable next to IP Multicast 3 Click the Apply button to save the change to the device s running config file 4 Select the Save link at the bottom of the dialog then select Yes when prompted to save the config...

Page 316: ...e the configuration change to the startup config file on the device s flash memory Disabling IGMP on Individual Ports By default when you enable IP multicast on a Foundry Layer 2 Switch all ports on the switch are configured for IGMP If you are using active IGMP all ports can send IGMP queries and receive IGMP reports If you are using passive IGMP all ports can receive IGMP queries You can disable...

Page 317: ...another Group Membership report To modify the age interval use the following CLI method NOTE In software releases earlier than 07 1 10 you must reload the software after making this configuration change and saving it to the startup config file If you are using software release 07 1 10 or later you do not need to reload the software USING THE CLI To modify the age interval enter a command such as t...

Page 318: ...is enabled Passive VLAN ID 1 Reports Received 34 Leaves Received 21 General Queries Received 60 Group Specific Queries Received 2 Others Received 0 General Queries Sent 0 Group Specific Queries Sent 0 VLAN ID 2 Reports Received 0 Leaves Received 0 General Queries Received 60 Group Specific Queries Received 2 Others Received 0 General Queries Sent 0 Group Specific Queries Sent 0 The command in this...

Page 319: ...icast Group 239 255 162 4 Port 4 10 4 13 Syntax clear ip multicast all group group id The all parameter clears the learned reports for all groups The group group id parameter clears the reports for the specified group but does not clear the reports for other groups Defining MAC Address Filters MAC layer filtering enables you to build access lists based on MAC layer headers in the Ethernet IEEE 802...

Page 320: ...umber of MAC filters support to 128 for global filter definitions The permit deny argument determines the action the software takes when a match occurs The src mac mask any parameter specifies the source MAC address You can enter a specific address value and a comparison mask or the keyword any to filter on all MAC addresses Specify the mask using f s ones and zeros For example to match on the fir...

Page 321: ...lters to a port NOTE Remember that the filters must be applied as a group For example if you want to apply four filters to an interface they must all appear on the same command line USING THE WEB MANAGEMENT INTERFACE To define a MAC filter 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Click on the plus sign next to C...

Page 322: ...field Separate the bytes in the address with dashes 10 Enter the comparison mask for the destination address in the Destination Mask field 11 Select the frame type from the Frame Type field s pulldown menu 12 Select an operator from the Operator field s pulldown menu to filter by protocol type 13 Enter a protocol in the Protocol field 14 Click the Add button to save the filter to the device s runn...

Page 323: ...is or an individual port basis See Example 4 in the show logging section in the Show Commands chapter of the Foundry Switch and Router Command Line Interface Reference for a description of how the timer for the entries works Layer 2 MAC filters and IP access policies use the same timer whereas Access Control Lists ACLs use a separate timer but the timers work the same way Thus the description of h...

Page 324: ...adcast Filter To configure a broadcast filter you must have access to the CONFIG level of the CLI You can configure up to eight broadcast filters on a device Syntax no broadcast filter filter id any ip udp vlan vlan id Syntax no exclude ports ethernet portnum to portnum Or Syntax no exclude ports ethernet portnum ethernet portnum The exclude ports command specifies the ports to which the filter ap...

Page 325: ...requires the mac multicast address any parameter which specifies the multicast address Enter mac any to filter on all multicast addresses Enter mac followed by a specific multicast address to filter only on that multicast address To filter on a range of multicast addresses use the mask mask parameter For example to filter on multicast groups 0100 5e00 5200 0100 5e00 52ff use mask ffff ffff ff00 Th...

Page 326: ...ect the Port link to display the Port table 4 Click on the Modify button next to the row of information for the port you want to reconfigure 5 Select Enable next to Lock Address 6 Enter the maximum number of MAC addresses you want the device to learn on the port in the MAC Address field 7 Click Apply to save the changes to the device s running config file 8 Select the Save link at the bottom of th...

Page 327: ...ect the Enable option next to the protocol s to be enabled NOTE If you are enabling BGP4 you must also specify the local AS number in the Local AS field NOTE Do not enable both FSRP and VRRP Foundry Networks recommends that you use only one of these router redundancy protocols on a Layer 3 Switch 3 Click Apply to save the changes to the device s running config file 4 Select the Save link at the bo...

Page 328: ...n config end FastIron write memory FastIron reload Syntax ipx route accelerating USING THE WEB MANAGEMENT INTERFACE You cannot enable or disable router acceleration using the Web management interface Displaying and Modifying System Parameter Default Settings Foundry devices have default table sizes for the following parameters The table sizes determine the maximum number of entries the tables can ...

Page 329: ...es enter the following command at any level of the CLI BigIron show default values sys log buffers 50 mac age time 300 sec telnet sessions 5 ip arp age 10 min bootp relay max hops 4 ip ttl 64 hops ip addr per intf 24 when multicast enabled igmp group memb 140 sec igmp query 60 sec when ospf enabled ospf dead 40 sec ospf hello 10 sec ospf retrans 5 sec ospf transit delay 1 sec when bgp enabled bgp ...

Page 330: ...ase the number of IP sub net interfaces you can configure on each port on a NetIron Layer 3 Switch from 24 to 64 then increase the total number of IP interfaces you can configure on the device from 256 to 512 enter the following commands NetIron config system max subnet per interface 64 NetIron config write memory NetIron config exit NetIron reload Syntax system max subnet per interface num The nu...

Page 331: ... to be monitored the monitor ports You can select multiple monitor ports but only one mirror port NOTE A Chassis device can mirror only the in receive traffic across the backplane Thus if the mirror and monitor ports are on different slots only the in traffic appears on the mirror port USING THE CLI EXAMPLE Suppose you want to diagnose the in and out traffic on port 3 on a module in slot 4 of a Bi...

Page 332: ...g configuration using the following CLI method USING THE CLI To display the current mirroring and monitoring configuration enter the following command at any level of the CLI BigIron config show monitor Mirror Interface ethernet 4 1 Monitored Interfaces Both Input Output ethernet 4 3 Syntax show monitor This example shows the monitoring and mirroring configuration set up by the commands in the exa...

Page 333: ...lly useful in environments where collocated customers on different isolated ports share common uplink ports These new features add flexibility to the QoS features in earlier software releases but do not replace them The Queues Chassis devices and the TurboIron 8 use the following queues qosp3 The highest priority queue This queue corresponds to 802 1p prioritization levels 6 and 7 and Foundry prio...

Page 334: ...ove except the 802 1q tagged packets are in the best effort queue which is the lowest priority queue The 802 1q tagged packets are assigned to a queue based on the priority level 0 7 in the packet s tag The default mapping of the priority levels to the queues is as follows In cases where a packet matches more than one traffic type the highest queue level among the traffic type is used For example ...

Page 335: ...lower queue This method biases the queuing mechanism to favor the higher queues over the lower queues For example strict queuing processes as many packets as possible in qosp3 before processing any packets in qosp2 then processes as many packets as possible in qosp2 before processing any packets in qosp1 and so on Selecting the Queuing Method Foundry Chassis devices including the TurboIron 8 use t...

Page 336: ...g is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to QoS in the tree view to expand the list of QoS option links 4 Click on the Profile link to display the QoS Profile configuration panel as shown in the following figure 5 Edit the strings name the Name fields for the queue s you want to rename In th...

Page 337: ... the queue at a given stage of a cycle through the weighted fair queuing algorithm For example the default percentages shown above translate into the following weights A queue s weight specifies how many packets are sent from the queue each time the queue is serviced Thus when the default bandwidth percentages are used four packets are sent from queue qosp3 each time the queue is serviced while th...

Page 338: ...ault bandwidth percentages qosp3 bandwidth 80 weight 4 qosp2 bandwidth 15 weight 3 qosp1 bandwidth 3 3 weight 2 qosp0 bandwidth 1 7 weight 1 Total visits Total packets Total visits Total packets Total visits Total packets Total visits Total packets 1 4 1 2 8 2 3 12 1 3 4 16 1 5 20 4 6 24 5 7 28 2 6 8 32 1 2 9 36 7 10 40 8 11 44 3 9 12 48 1 1 ...

Page 339: ...nt from each queue during each visit For example if you change the percentages so that queue qosp3 receives a weight of 5 then the system processes five packets in that queue during each visit to the queue Queue 3 weight 4 minimum percentage 80 Queue 2 weight 3 minimum percentage 15 Queue 1 weight 2 minimum percentage 3 3 Queue 0 weight 1 minimum percentage 1 7 q3 q3 q3 q3 q3 q3 q3 q3 q3 q3 q3 q3 ...

Page 340: ...must be at least 50 If you enter percentages that are less than the minimum percentages supported for a queue the CLI recalculates the percentages to fall within the supported minimums Here is an example In this example the values entered for all but the best effort queue the lowest priority queue are much lower than the minimum values supported for those queues BigIron config qos qosp3 1 qosp2 1 ...

Page 341: ...tions 3 Click on the plus sign next to QoS in the tree view to expand the list of QoS option links 4 Click on the Profile link to display the QoS Profile configuration panel as shown in the following figure 5 Edit the values in the Requested fields for the queue s you want to change In this example the following minimum bandwidths are requested qosp0 5 qosp1 10 qosp2 10 92 octane 75 NOTE The perce...

Page 342: ...d QoS Profile Configuration To display the QoS settings use either of the following methods USING THE CLI To display the QoS settings for all the queues enter the following command from any level of the CLI BigIron config show qos profiles all bandwidth scheduling mechanism weighted priority Profile qosp3 PREMIUM bandwidth requested 75 calculated 75 Profile qosp2 HIGH bandwidth requested 10 calcul...

Page 343: ...s to Different Queues on page 11 14 Although it is possible for a packet to qualify for an adjusted QoS priority based on more than one of the criteria above the system always gives a packet the highest priority for which it qualifies Thus if a packet on a Chassis device is entitled to the premium queue because of its IP source and destination addresses but is entitled only to the high queue becau...

Page 344: ...Scroll down to the port for which you want to change the QoS level then click on the Modify button to the right of the port information to display the Port configuration panel as shown in the following example 4 Select the QoS level On a Chassis device select a number from 0 7 from the QoS field s pulldown menu On a Stackable device select high or normal from the QoS field s pulldown menu 5 Click ...

Page 345: ... 1 equivalent to one of the four QoS queues To change the QoS priority of port based VLAN 20 on a Stackable device to the high queue enter the following commands NetIron config vlan 20 NetIron config vlan 20 priority high NetIron config vlan 20 write memory Syntax no priority high normal USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write a...

Page 346: ... packets that come in from tagged ports These packets have a tag in the header that specifies the packet s VLAN ID and its 802 1p priority tag value which is 3 bits long NOTE This section applies to Chassis devices only By default a Foundry device interprets the prioritization information in the 3 bit priority tag as follows This is the Foundry default interpretation for the eight prioritization v...

Page 347: ...e queue to which you are reassigning the priority level You must specify one of the named queues The default names are qosp3 qosp2 qosp1 and qosp0 The example above reassigns the 802 1p levels to queue qosp0 There is no need to reassign levels 0 and 1 in this case because they are already assigned to qosp0 by default USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name...

Page 348: ...signment for a particular level by specifying the level number as shown in the following example BigIron config show priority mapping 1 802 1p priority 1 mapped to qos profile qosp0 USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The System configuration dialog is displayed 2 Click on the plus sign next to Configure in the tree v...

Page 349: ...em configuration dialog is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Select the Static Station link to display the Static Station Table If the system already contains static MAC addresses and you are adding a new static MAC address click on the Add Static Station link to display the Static Station Table configuration panel a...

Page 350: ...s Syntax no ip access policy num priority 0 7 ip addr ip mask any ip addr ip mask any icmp igmp igrp ospf tcp udp num operator tcp udp port num Syntax ip access policy group in out policy list Here is the syntax for stackable Layer 3 Switches Syntax ip access policy num high normal ip addr ip mask any ip addr ip mask any tcp udp operator tcp udp port num Syntax ip access policy group in out policy...

Page 351: ...ber in the range must be lower than the last number in the range established This operator applies only to TCP packets If you use this operator the QoS policy applies to TCP packets that have the ACK Acknowledgment or RST Reset bits set on set to 1 in the Control Bits field of the TCP packet header Thus the policy applies only to established TCP sessions not to new sessions See Section 3 1 Header ...

Page 352: ...normal stackable priority num chassis src ip addr ip mask any dst ip addr ip mask any icmp bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet num num tcp eq gt lt neq range established CR eq gt lt neq range CR bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet num bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet num bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl teln...

Page 353: ...Layer 2 Switches Syntax no ip policy num priority 0 7 tcp udp tcp udp port num global local Syntax no ip policy num Here is the syntax for chassis Layer 2 Switches Syntax no ip policy num high normal tcp udp tcp udp port num global local Syntax no ip policy num The num parameter is the policy number The priority 0 7 parameter on Chassis devices specifies the QoS priority level The default is 0 bes...

Page 354: ...riage return also known as the Enter key Figure 11 4 QoS IP policy syntax for a Foundry Layer 2 Switch NOTE The ip policy command allows you to configure global or local QoS policies Use the ip policy command note the difference between ip policy and ip policy at the Interface level of the CLI to apply a local policy to a specific interface USING THE WEB MANAGEMENT INTERFACE The Web management opt...

Page 355: ...on to the right of the row describing the IP access policy to display the IP Access Policy configuration panel as shown in the following example 5 Enter the ID for the policy in the ID field 6 Select the QoS radio button next to Action 7 Select the QoS level On a Chassis device select a number from 0 7 from the QoS field s pulldown menu In this example select 4 On a Stackable device select high or...

Page 356: ...rotocol field and you want the policy to apply to TCP sessions that are already in effect click on the checkbox next to Established If you select this option the QoS policy applies to TCP packets that have the ACK Acknowledgment or RST Reset bits set on set to 1 in the Control Bits field of the TCP packet header Thus the policy applies only to established TCP sessions not to new sessions See Secti...

Page 357: ...view then clicking on Save to Flash Layer 2 Switch To assign a priority of 7 to FTP traffic on all ports on a FastIron II Layer 2 Switch perform the following steps 1 Log on to the device using a valid user name and password for read write access The System configuration dialog is displayed 2 Select the Layer 4 QoS link to display the QoS panel 3 Enter the ID for the policy in the ID field 4 Selec...

Page 358: ...e enter the following commands BigIron config appletalk qos socket 123 priority 7 BigIron config write memory Here is the syntax for Chassis Layer 3 Switches Syntax no appletalk qos socket num priority num Here is the syntax for Stackable Layer 3 Switches Syntax no appletalk qos socket num high normal The first num parameter specifies the socket number The second num parameter Chassis devices can ...

Page 359: ...g Utilization list number 1 2 3 or 4 One or more uplink ports One or more downlink ports Each list displays the uplink port and the percentage of that port s bandwidth that was utilized by the downlink ports over the most recent 30 second interval You can configure up to four bandwidth utilization lists To do so use either of the following methods USING THE CLI To configure an uplink utilization l...

Page 360: ...ilization panel click the Add button create the uplink utilization list 11 Select the Save link at the bottom of the dialog then select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Displaying Utilization Percentages for an Uplink After you configure an uplink utilization list you can display the list to observe the percentage of the upl...

Page 361: ... and 1 3 are in the same port based VLAN BigIron config show relative utilization 1 uplink ethe 1 30 sec total uplink packet count 3011 packet count ratio 1 2 100 1 3 100 Here is another example showing different data for the same link utilization list In this example port 1 2 is connected to a hub and is sending traffic to port 1 1 Port 1 3 is unconnected BigIron config show relative utilization ...

Page 362: ...r Installation and Configuration Guide 11 30 December 2000 This panel displays a graph of the percentage of the uplink s bandwidth that each of the downlink ports used during the most recent 30 second port statistics interval ...

Page 363: ...ard STP parameters see Configuring Standard STP Parameters To configure IronSpan parameters see Configuring IronSpan Features on page 12 16 Configuring Standard STP Parameters Foundry Layer 2 and Layer 3 Switches support standard STP as described in the IEEE 802 1D specification STP is enabled by default on Layer 2 Switches but disabled by default on Layer 3 Switches By default each port based VLA...

Page 364: ...from the root bridge before initiating a topology change 20 seconds Possible values 6 40 seconds Hello Time The interval of time between each configuration BPDU sent by the root bridge 2 seconds Possible values 1 10 seconds Priority A parameter used to identify the root bridge in a spanning tree instance of STP The bridge with the lowest value has the highest priority and is the root A higher nume...

Page 365: ... STP for all ports on a Foundry device enter the following command BigIron config spanning tree Syntax no spanning tree USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Select Enable next to Spanning Tree NOTE For information about the Single and Fast checkboxes see Single Spanning Tre...

Page 366: ...12 16 The hello time value parameter specifies the hello time and can be a value from 1 10 seconds The default is 2 seconds NOTE This parameter applies only when this device or VLAN is the root bridge for its spanning tree The maximum age value parameter specifies the amount of time the device waits for receipt of a hello packet before initiating a topology change You can specify from 6 40 seconds...

Page 367: ...an 10 BigIron config vlan 10 spanning tree ethernet 1 5 path cost 15 priority 64 Syntax spanning tree ethernet pos portnum path cost value priority value The ethernet pos portnum parameter specifies the interface The path cost value parameter specifies the port s cost as a path to the spanning tree s root bridge STP prefers the path with the lowest cost You can specify a value from 0 65535 The def...

Page 368: ... device has multiple port based VLANs select the Modify button next to the VLAN on which you want to change the parameters A dialog such as the following is displayed 5 Select the port and slot if applicable from the Port and Slot pulldown lists 6 Enter the desired changes to the priority and path cost fields 7 Click Apply STP Port to apply the changes to only the selected port or select Apply To ...

Page 369: ...0000000000000 0000000000000000 1 3 4 80 0 DISABLED 0 0 0000000000000000 0000000000000000 1 3 5 80 0 DISABLED 0 0 0000000000000000 0000000000000000 1 3 6 80 0 DISABLED 0 0 0000000000000000 0000000000000000 1 3 7 80 0 DISABLED 0 0 0000000000000000 0000000000000000 1 3 8 80 0 DISABLED 0 0 0000000000000000 0000000000000000 1 3 9 80 0 DISABLED 0 0 0000000000000000 0000000000000000 1 3 10 80 0 DISABLED ...

Page 370: ...arameters on page 12 4 Max age sec The number of seconds this device or VLAN waits for a hello message from the root bridge before deciding the root has become unavailable and performing a reconvergence Hello sec The interval between each configuration BPDU sent by the root bridge Hold sec The minimum number of seconds that must elapse between transmissions of consecutive Configuration BPDUs on a ...

Page 371: ...istening for a BPDU from neighboring bridge s in order to determine the new topology No user frames are transmitted or received during this state LEARNING The port has passed through the LISTENING state and will change to the BLOCKING or FORWARDING state depending on the results of STP s reconvergence The port does not transmit or receive user frames during this state However the device can learn ...

Page 372: ... 4 Max Age The number of seconds this device or VLAN waits for a hello message from the root bridge before deciding the root has become unavailable and performing a reconvergence Hello Time The interval between each configuration BPDU sent by the root bridge Hold Time The minimum number of seconds that must elapse between transmissions of consecutive Configuration BPDUs on a port Forward Delay The...

Page 373: ...ve frames LISTENING STP is responding to a topology change and this port is listening for a BPDU from neighboring bridge s in order to determine the new topology No user frames are transmitted or received during this state LEARNING The port has passed through the LISTENING state and will change to the BLOCKING or FORWARDING state depending on the results of STP s reconvergence The port does not tr...

Page 374: ... cpu num The num parameter specifies the number of seconds and can be from 1 900 If you use this parameter the command lists the usage statistics only for the specified number of seconds If you do not use this parameter the command lists the usage statistics for the previous one second one minute five minute and fifteen minute intervals USING THE WEB MANAGEMENT INTERFACE You cannot display this in...

Page 375: ...is port is listening for a BPDU from neighboring bridge s in order to determine the new topology No user frames are transmitted or received during this state LEARNING The port has passed through the LISTENING state and will change to the BLOCKING or FORWARDING state depending on the results of STP s reconvergence The port does not transmit or receive user frames during this state However the devic...

Page 376: ...f any active trunks Not member of any configured trunks No port name MTU 1500 bytes encapsulation ethernet 5 minute input rate 352 bits sec 0 packets sec 0 00 utilization 5 minute output rate 0 bits sec 0 packets sec 0 00 utilization 1238 packets input 79232 bytes 0 no buffer Received 686 broadcasts 0 runts 0 giants 0 input errors 0 CRC 0 frame 0 ignored 529 multicast 918 packets output 63766 byte...

Page 377: ...device using a valid user name and password for read only or read write access The System configuration panel is displayed 2 Click on the plus sign next to Monitor in the tree view to display the monitoring options 3 Select the STP link to display the STP bridge and port parameters Displaying the STP State of a Port Based VLAN When you display information for a port based VLAN that information inc...

Page 378: ...P state changes blocking to listening to learning to forwarding more quickly than is allowed by the standard STP convergence time Fast Port Span performs the convergence on these ports in four seconds two seconds for listening and two seconds for learning In addition Fast Port Span enhances overall network performance in the following ways Fast Port Span reduces the number of STP topology change n...

Page 379: ...ude specific ports These parameters are shown in the following section To re enable Fast Port Span enter the following commands BigIron config fast port span BigIron config write memory USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access 2 Click the Fast checkbox next to Spanning Tree to remove the checkmark from the box 3 Click Appl...

Page 380: ...e time for the uplink ports to another device to just four seconds two seconds for listening and two seconds for learning The wiring closet switch must be a Foundry device but the device at the other end of the link can be a Foundry device or another vendor s switch Configuration of the Fast Uplink Span feature takes place entirely on the Foundry device To configure the Fast Uplink Span feature sp...

Page 381: ...inks takes over Because the ports are configured in a Fast Uplink Span group the STP convergence takes about four seconds instead of taking 30 seconds or longer using the standard STP forward delay If you add a port that is the primary port of a trunk group all ports in the trunk group become members of the Fast Uplink Span group You can add ports to a Fast Uplink Span group by entering the fast u...

Page 382: ...ANs with STP enabled become members of a single spanning tree domain Thus the ports share a single BPDU broadcast domain The Foundry device places all the ports in a non configurable VLAN 4094 to implement the single STP domain However this VLAN does not affect port membership in the port based VLANs you have configured Other broadcast traffic is still contained within the individual port based VL...

Page 383: ...the following methods USING THE CLI To verify that single STP is in effect enter the following command at any level of the CLI BigIron config show span Syntax show span vlan vlan id Here is an example of the information displayed by this command Notice that the top of the display contains a message stating that VLAN 2 is not in the single STP domain STP was disabled on this port based VLAN when si...

Page 384: ... None PORT VLAN 2 Name Wolalak Priority level0 not in single spanning tree domain Untagged Ports S1 1 2 3 4 Tagged Ports None SINGLE SPANNING TREE VLAN Name Single spanning tree vlan Priority level0 in single spanning tree domain Untagged Ports S1 1 2 3 4 5 6 7 8 Untagged Ports S2 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Untagged Ports S2 17 18 19 20 21 22 23 24 Untagged Ports S4 1 2 3 4 5 6 7 8 9 1...

Page 385: ...rate with Cisco devices that are running Per VLAN Spanning Tree PVST or PVST Cisco proprietary STP implementations that support separate spanning trees in each port based VLAN A Foundry device configured to run a separate spanning tree in each port based VLAN automatically enables PVST PVST support on a port if that port receives an STP BPDU with PVST PVST format You also can enable PVST PVST supp...

Page 386: ...pport separate spanning trees on an individual port based VLAN basis However until the IEEE standard for multiple spanning trees is finalized vendors are using different methods to support multiple spanning trees within their own products PVST is an extension to PVST that enables a Cisco device to interoperate with other devices that are running a single spanning tree IEEE 802 1Q while still runni...

Page 387: ...shows that for VLAN 200 PVST support is statically enabled on port 11 PVST is not statically enabled on Port 10 but because port 10 received an incoming PVST BPDU on its interface the port converted to using PVST mode Syntax show span pvst mode The show span pvst mode command displays the following information Table 12 6 CLI Display of PVST Information This Field Displays VLAN ID The VLAN to which...

Page 388: ...Foundry Switch and Router Installation and Configuration Guide 12 26 December 2000 USING THE WEB MANAGEMENT INTERFACE You cannot display PVST information using the Web management interface ...

Page 389: ...scribes IP forwarding ACLs and management access ACLs only For information about ACLs used for BGP4 filtering see Configuring BGP4 on page 19 1 NOTE For optimal performance apply deny ACLs to inbound ports instead of outbound ports This way traffic is dropped as it tries to enter the Foundry device instead of being dropped after it has been forwarded internally to the outbound port NOTE Outbound A...

Page 390: ... system max session limit num command at the global CONFIG level of the CLI Avoid the following implementations when possible Do not apply ACLs to outbound traffic The system creates separate inbound ACLs to ensure that an outbound ACL is honored for traffic that normally would be forwarded to other ports Do not enable the strict TCP ACL mode unless you need it for tighter security Avoid ICMP base...

Page 391: ...ment IV modules can support up to 4096 ACL entries You configure ACLs on a global basis then apply them to the incoming or outgoing traffic on specific ports You can apply only one ACL to a port s inbound traffic and only one ACL to a port s outbound traffic The software applies the entries within an ACL in the order they appear in the ACL s configuration As soon as a match is found the software t...

Page 392: ...five minute timer The timer keeps track of all packets explicitly denied by the ACL entries After five minutes the software generates a single Syslog entry for each ACL entry that has denied a packet The message indicates the number of packets denied by the ACL entry during the previous five minutes If no ACL entries explicitly deny packets during an entire five minute timer interval the timer sto...

Page 393: ...command disables all packet forwarding ACLs those associated with specific ports and also prevents you from associating an ACL with a port However the command does not remove existing ACLs from the startup config file In addition the command does not affect ACLs used for controlling management access to the device Enabling ACL Mode If you try to apply an ACL to a port when the ACL mode is disabled...

Page 394: ...g on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to IP in the tree view to expand the list of IP option links 4 Click on the General link to display the IP configuration panel 5 Select the Disa...

Page 395: ...ource address must match the source ip Ones mean any value matches For example the source ip and wildcard values 209 157 22 26 0 0 0 255 mean that all hosts in the Class C sub net 209 157 22 x match the policy If you prefer to specify the wildcard mask value in CIDR format you can enter a forward slash after the IP address then enter the number of significant bits in the mask For example you can e...

Page 396: ...nterface See Configuring Named ACLs on page 13 19 USING THE WEB MANAGEMENT INTERFACE To configure a standard ACL 1 Log on to the device using a valid user name and password for read write access The System configuration dialog is displayed 2 Click on the plus sign next to Configure in the tree view to display the list of configuration options 3 Click on the plus sign next to System or IP to displa...

Page 397: ...ss Group link from the tree view If the device does not already have some ACLs applied to interfaces the IP Access Group configuration panel is displayed as shown in the following example Otherwise if the device already has some ACLs applied to interfaces the IP Access Group table is displayed Select the Add link to display the IP Access Group configuration panel as shown in the following example ...

Page 398: ... the website s IP address USING THE CLI To configure an extended access list that blocks all Telnet traffic received on port 1 1 from IP host 209 157 22 26 enter the following commands BigIron config access list 101 deny tcp host 209 157 22 26 any eq telnet log BigIron config access list 101 permit ip any any BigIron config int eth 1 1 BigIron config if 1 1 ip access group 101 in BigIron config wr...

Page 399: ... to the 209 157 22 x network The third entry denies TCP traffic from the 209 157 21 x network to the 209 157 22 x network if the TCP port number of the traffic is less than the well known TCP port number for Telnet 23 and if the TCP port is not equal to 5 Thus TCP packets whose TCP port numbers are 5 or are greater than 23 are allowed The fourth entry denies UDP packets from any source to the 209 ...

Page 400: ... ip hostname wildcard operator destination tcp udp port precedence name num tos name num log Syntax no access list num deny permit host ip protocol any any log Syntax no ip access group num in out The num parameter indicates the ACL number and be from 100 199 for an extended ACL The deny permit parameter indicates whether packets that match the policy are dropped or forwarded The ip protocol param...

Page 401: ...t numbers greater than the port number or the numeric equivalent of the port name you enter after gt lt The policy applies to TCP or UDP port numbers that are less than the port number or the numeric equivalent of the port name you enter after lt neq The policy applies to all TCP or UDP port numbers except the port number or port name you enter after neq range The policy applies to all TCP or UDP ...

Page 402: ...e critical precedence If you specify the option number instead of the name specify number 5 flash or 3 The ACL matches packets that have the flash precedence If you specify the option number instead of the name specify number 3 flash override or 4 The ACL matches packets that have the flash override precedence If you specify the option number instead of the name specify number 4 immediate or 2 The...

Page 403: ...all options select 15 The log parameter enables SNMP traps and Syslog messages for packets denied by the ACL NOTE You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use To do so re enter the ACL or filter command and add the log parameter to the end of the ACL or filter The software replaces the ACL or filter command with the new one The n...

Page 404: ... field NOTE You cannot specify a name 6 Select the ACL action You can select Permit or Deny Permit Forwards traffic that matches the ACL Deny Drops traffic that matches the ACL 7 Enter the source IP information You can enter the source IP address and network mask or the host name If you enter the address you also must enter the network mask To specify all enter 0 0 0 0 ...

Page 405: ...e ACL matches packets that have the minimum monetary cost TOS max reliability The ACL matches packets that have the maximum reliability TOS max throughput The ACL matches packets that have the maximum throughput TOS min delay The ACL matches packets that have the minimum delay TOS NOTE To select more than one TOS option hold the CTRL key while selecting each option 11 If you specified the Deny act...

Page 406: ...ect the Source Range System Defined button to change the entry fields into pulldown menus containing well known names Even if you specify the ports by name you still must select the lower numbered port first then select the higher numbered port 17 Specify the destination TCP or UDP port You can specify a single port or a range of ports The procedures and requirements are the same as those for sele...

Page 407: ...ACL number with one command which places you in the configuration level for that ACL Once you enter the configuration level for the ACL the command syntax is the same as the syntax for numbered ACLs The following examples show how to configure a named standard ACL entry and a named extended ACL entry Configuration Example for Standard ACL To configure a named standard ACL entry enter commands such...

Page 408: ...E You cannot configure IP ACLs using the Web management interface Modifying ACLs NOTE This section applies to standard ACLs and to extended ACLs When you use the Foundry device s CLI or Web management interface to configure an ACL the software places the ACL entries in the ACL in the order you enter them For example if you enter the following entries in the order shown below the software always ap...

Page 409: ...e ACL Here is an example of some ACL entries access list 1 deny host 209 157 22 26 log access list 1 deny 209 157 22 0 0 0 0 255 log access list 1 permit any access list 101 deny tcp any any eq http log The software will apply the entries in ACL 1 in the order shown and stop at the first match Thus if a packet is denied by one of the first three entries the packet will not be permitted by the four...

Page 410: ... 1 3 ethernet 2 1 to 2 4 The commands in this example configure port based VLAN 10 add ports 1 1 2 12 to the VLAN and add virtual routing interface 1 to the VLAN The commands following the VLAN configuration commands configure ACL 1 Finally the last two commands apply ACL 1 to a subset of the ports associated with virtual interface 1 Syntax no ip access group num in ethernet portnum portnum to por...

Page 411: ...s TCP control packets against the configured ACLs To enable the strict ACL TCP mode use the following CLI method NOTE If the device s configuration currently has ACLs associated with interfaces remove the ACLs from the interfaces before changing the ACL mode To enable the strict ACL TCP mode enter the following command at the global CONFIG level of the CLI BigIron config ip strict acl tcp Syntax n...

Page 412: ...ters Any other port applicable filters ICMP applicable filters Other protocol applicable filters Syntax show access list num To display the syntax for the entries in the ACLs enter the show ip access lists command Here is an example BigIron config show access list Extended IP access list 101 deny tcp host 209 157 22 26 host 209 157 22 26 eq http log Syntax show ip access lists num Displaying the L...

Page 413: ...her log entry and SNMP trap for denied packets In this example the software generates the second log entry five minutes later The second entry indicates that the same ACL denied two packets The time stamp for the third entry is much later than the time stamps for the first two entries In this case no ACLs denied packets for a very long time In fact since no ACLs denied packets during the five minu...

Page 414: ...tches based on this ACL the software uses the route map to set route attributes for the traffic thus enforcing PBR NOTE Do not use an access group to apply the ACL to an interface Instead use a route map to apply the ACL globally or to individual interfaces for PBR as shown in the following sections Syntax no access list num deny permit source ip hostname wildcard log or Syntax no access list num ...

Page 415: ...me When you use this parameter you do not need to specify the mask A mask of all zeros 0 0 0 0 is implied The any parameter configures the policy to match on all host addresses The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted or denied by the access policy NOTE You can enable logging on ACLs and filters that support logging even when t...

Page 416: ...e explicit routing information for the traffic Enabling PBR After you configure the ACLs and route map entries you can enable PBR globally on individual interfaces or both as described in this section To enable PBR you apply a route map you have configured for PBR globally or locally Enabling PBR Globally To enable PBR globally enter a command such as the following at the global CONFIG level BigIr...

Page 417: ...BigIron config route map test route permit 2 BigIron config routemap test route match ip address 2 BigIron config routemap test route set ip next hop 192 168 2 2 BigIron config routemap test route exit The following commands configure the third entry in the test route route map This entry permit 3 matches on the IP address information in ACL 3 above For IP traffic from sub net 209 157 25 0 24 this...

Page 418: ...ute map called send to pos The first entry permit 5 matches on the IP address information in ACL 5 above For IP traffic from sub net 209 168 0 0 16 this route map entry sets the egress port on the Layer 3 Switch to the specified POS interface BigIron config route map send to pos permit 5 BigIron config routemap send to pos match ip address 5 BigIron config routemap send to pos set interface pos 4 ...

Page 419: ...e 13 Alternatively you can enable the PBR on specific interfaces as shown in the following example The commands in this example configure IP addresses in the source sub net identified in ACL 6 then apply route map file 13 to the interface BigIron config interface ethernet 3 11 BigIron config if 3 11 ip address 192 168 1 204 32 BigIron config if 3 11 ip policy route map file 13 ...

Page 420: ...Foundry Switch and Router Installation and Configuration Guide 13 32 December 2000 ...

Page 421: ...ing to forward modify the IP precedence of and forward or drop traffic based on whether the traffic is within the limit or exceeds the limit NOTE If you want to use ARP rate limiting see Rate Limiting ARP Packets on page 15 30 Rate limiting support differs depending on the Foundry product Table 14 1 lists the Foundry products on which rate limiting is supported and the specific rate limiting suppo...

Page 422: ... depends on the direction you specify when you configure the rate limit on the port If the number of bytes exceeds the maximum number you specify when you configure the rate the port drops all further packets for the rate limited direction for the duration of the one second interval Once the one second interval is complete the port clears the counter and re enables traffic Figure 14 1 shows an exa...

Page 423: ... the port drops all inbound packets on the port until the next one second interval starts Syntax no rate limiting input output fixed rate The input output parameter specifies whether the rate limit applies to inbound or outbound traffic on the port The rate parameter specifies the maximum rate for the port Specify the rate in bits per second You can specify from 1 up to any number There is no defa...

Page 424: ...his Field Displays Total rate limited interface count The total number of ports that are configured for Fixed Rate Limiting Port The port number Input rate The maximum rate allowed for inbound traffic The rate is measured in bits per second bps RX Enforced The number of one second intervals in which the Fixed Rate Limiting policy has dropped traffic received on the port Output rate The maximum rat...

Page 425: ...u cannot apply rate limiting to a port unless that port already has an IP address configured You can configure rate policies for the following types of traffic Layer 3 IP traffic Specific source or destination IP addresses or networks Specific source or destination TCP or UDP application ports Specific MAC addresses Specific IP precedence values or Diffserv control points NOTE Rate limiting for Di...

Page 426: ...f two one Gigabit Ethernet ports Figure 14 2 Adaptive Rate Limiting applied to uplink Rate Policies on Trunk Group ports 25 and 26 Inbound TCP traffic Normal Burst set IP precedence to 5 and forward Excess Burst set IP precedence to 0 and forward Inbound FTP traffic Normal Burst set IP precedence to 5 and forward Excess Burst drop Outbound DNS traffic Normal Burst set IP precedence to 5 and forwar...

Page 427: ...for the Normal Burst Size and Excess Burst Size are incremented Each rule incudes one of the following actions depending on whether the traffic is conforming with the Normal Burst Size or has exceeded the Normal Burst Size Forward the traffic Drop the traffic Change the IP precedence or Diffserv control point and forward the traffic Change the IP precedence or Diffserv control point then continue ...

Page 428: ...ends more bytes than the number of bytes allowed by the Normal Burst Size the policy drops the excess bytes The other hosts in the VLAN do not have rules As a result their bandwidth is not limited Figure 14 3 Adaptive Rate Limiting applied to virtual routing interface The rule could be applied to the port attached to the host for the same results However since the rule is associated with the virtu...

Page 429: ...se ACLs if you apply the rate policy to a VLAN s virtual interface instead Adaptive Rate Limiting Parameters The application examples in Examples of Adaptive Rate Limiting Applications on page 14 6 describe the rate policies but do not describe the parameters used to configure the policies The parameters specify the portion of an interface s bandwidth you are allocating to specific traffic the con...

Page 430: ...he interface can forward within the Committed Time Interval explained below Depending on how the rate limiting is configured the device can take different actions for traffic within the Normal Burst Size and traffic that falls into the Excess Burst Size For example you can forward all traffic in the Normal Burst Size and reset the precedence to a lower priority for all Excess Burst Size traffic or...

Page 431: ...e ratio of the Normal Burst Size to the Excess Burst Size in the examples is quite different How Adaptive Rate Limiting Works Foundry s Adaptive Rate Limiting polices bandwidth usage on specific interfaces for specific IP traffic and takes the actions you specify based on whether the traffic is within the amount of bandwidth you have allocated for the traffic or has exceeded the bandwidth allocati...

Page 432: ...r the remaining traffic In this example the action for conforming traffic is to set the IP precedence to 5 then forward the traffic The action for exceed traffic is to set the IP precedence to 0 then forward the traffic Line rate 1 000 000 000 bps one Gigabit Average Rate 500 000 000 bits Normal Burst Size 62 500 000 bytes 500 000 000 bits Excess Burst Size 93 750 000 Committed Time Interval 1 sec...

Page 433: ... Size maximum is reached Regardless of the actions for conforming and exceed traffic the interface drops all traffic that matches a rule after the rule has matched the maximum number bytes for the rule s Normal Burst Size and Excess Burst Size Line rate 1 000 000 000 bps one Gigabit Average Rate 500 000 000 bits Normal Burst Size 62 500 000 bytes 500 000 000 bits Excess Burst Size 93 750 000 Commi...

Page 434: ...f the rate policing The Committed Time Interval can be from 1 10th second up to one second The length depends on the ratio of the Average Rate to the Normal Burst Size parameters you specify when you configure a rate policy rule The examples in the previous section all use a Committed Time Interval of one second Since the Normal Burst Size is equal to the Average Rate the ratio is 1 1 Therefore th...

Page 435: ...CL Matches packets based on source MAC address IP precedence or Diffserv control points or a set of IP precedence values You can configure a rate policy rule without using an ACL In this case the rule applies to all types of IP traffic In fact you cannot use ACLs in a rate policy rule you apply to a port based VLAN A rate policy rule you apply to a port based VLAN applies to all types of IP traffi...

Page 436: ...have the critical precedence 6 The ACL matches packets that have the internetwork control precedence 7 The ACL matches packets that have the network control precedence To specify a mask value for a set of IP precedence values enter mask followed by a two digit hexadecimal number for the precedence values The precedence values are in an 8 bit field in the IP packet header To calculate the hexadecim...

Page 437: ...he software performs the action associated with that rule You can apply rate policy rules to the following types of interfaces Physical port Trunk group apply the policy to the trunk group s primary port Virtual interface Port based VLAN CLI Examples To specify the values for the rate policies in Figure 14 2 on page 14 6 and apply the policies enter the following commands NetIron config interface ...

Page 438: ...ommitted Time Interval and still be within that traffic s rate limit The minimum value is 32771 or 1 10th of the Average Rate whichever is higher and the maximum value is the Average Rate The smallest fraction of the Average Rate you can specify is 1 10th The excess burst size parameter specifies the maximum number of additional bytes bytes over the normal burst size that can be transmitted within...

Page 439: ...contains port 26 NetIron config interface ethernet 25 The following command configures a rate limit rule that uses ACL 101 NetIron config if e1000 25 rate limit input access group 101 10000000 125000 187500 conform action set prec transmit 5 exceed action set prec transmit 0 The rule compares all inbound packets on the trunk group to ACL 101 For packets that match the ACL the rule either sets the ...

Page 440: ...characterize the traffic In this case the rate policy is for a specific host so the rate limit ACL specifies a host MAC address NetIron config access list rate limit 100 aaaa bbbb cccc The following command changes the CLI to the configuration level for virtual interface ve2 NetIron config interface virtual ve2 The following command configures rule for inbound traffic that matches the rate limit A...

Page 441: ...P OSPF or RIP and you disable exemption the rate limiting polices can result in routing protocol traffic being dropped To disable rate limiting exemption for control packets on an interface enter the following command at the CLI configuration level for that interface NetIron config if e1000 25 rate limit control packet no This command disables exemption of all the control packets listed in Table 1...

Page 442: ...Foundry Switch and Router Installation and Configuration Guide 14 22 December 2000 ...

Page 443: ...formation and Statistics on page 15 83 NOTE The NetIron 400 and NetIron 800 are chassis based Internet backbone routers References to chassis based Layer 3 Switches also apply to the NetIron 400 and NetIron 800 unless otherwise noted Basic Configuration IP is enabled by default Basic configuration consists of adding IP addresses and for Layer 3 Switches enabling a route exchange protocol such as R...

Page 444: ...ncy Protocol VRRP Foundry Standby Router Protocol FSRP IP Interfaces Foundry Layer 3 Switches and Layer 2 Switches allow you to configure IP addresses On Layer 3 Switches IP addresses are associated with individual interfaces On Layer 2 Switches a single IP address serves as the management access address for the entire device All Foundry Layer 3 Switches and Layer 2 Switches support configuration ...

Page 445: ...an configure an IP address on a Foundry Layer 2 Switch for management access to the Layer 2 Switch An IP address is required for Telnet access Web management access and SNMP access You also can specify the default gateway for forwarding traffic to other sub nets IP Packet Flow Through a Layer 3 Switch Figure 15 1 shows how an IP packet moves through a Foundry Layer 3 Switch Figure 15 1 IP Packet f...

Page 446: ...ayer 3 Switch makes an entry in the session table or the forwarding cache and sends the route to a queue on the outgoing port s If the running config contains a Policy Based Routing PBR definition or an IP access policy for the packet the software makes an entry in the session table The Layer 3 Switch uses the new session table entry to forward subsequent packets from the same source to the same d...

Page 447: ...crease the size of the ARP cache and static ARP table see the following For dynamic entries see Displaying and Modifying System Parameter Default Settings on page 10 70 Layer 2 Switches and Layer 3 Switches The ip arp parameter controls the ARP cache size Static entries Changing the Maximum Number of Entries the Static ARP Table Can Hold on page 15 33 Layer 3 Switches only The ip static arp parame...

Page 448: ... entries for IP destinations When a Foundry Layer 3 Switch has completed processing and addressing for a packet and is ready to forward the packet the device checks the IP forwarding cache for an entry to the packet s destination If the cache contains an entry with the destination IP address the device uses the information in the entry to forward the packet out the ports listed in the entry The de...

Page 449: ...e for fast path forwarding for the following features Policy Based Routing PBR Layer 4 Quality of Service QoS policies IP access policies To increase the size of the session table see Displaying and Modifying System Parameter Default Settings on page 10 70 The ip qos session parameter controls the size of the session table IP Route Exchange Protocols Foundry Layer 3 Switches support the following ...

Page 450: ... VRRP see Configuring VRRP and VRRPE on page 21 1 Foundry Standby Router Protocol FSRP see Configuring FSRP on page 22 1 Network Address Translation Foundry s chassis Layer 3 Switches support Network Address Translation NAT NAT enables private IP networks that use nonregistered IP addresses to connect to the Internet Configure NAT on a Foundry Layer 3 Switch that is placed at the border of an insi...

Page 451: ...r those protocols When Parameter Changes Take Effect Most IP parameters described in this chapter are dynamic They take effect immediately as soon as you enter the CLI command or select the Web management interface option You can verify that a dynamic change has taken effect by displaying the running config To display the running config enter the show running config or write terminal command at an...

Page 452: ...e lowest numbered virtual routing interface VE If no VE is configured then the lowest numbered IP address configured on the device 15 26 Address Resolution Protocol ARP A standard IP mechanism that routers use to learn the Media Access Control MAC address of a device on the network The router sends the IP address of a device in the ARP request and receives the device s MAC address in an ARP reply ...

Page 453: ...ted broadcasts all ones directed broadcasts remain enabled 15 37 Source routed packet forwarding A source routed packet contains a list of IP addresses through which the packet must pass to reach its destination Enabled 15 36 ICMP Router Discovery Protocol IRDP An IP protocol a router can use to advertise the IP addresses of its router interfaces to directly attached hosts You can enable or disabl...

Page 454: ...option when the router is handling a very large number of unicast flows source plus destination pairs and you want to ensure that more flows can remain in the cache at one time Standard 15 64 IP load sharing A Foundry feature that enables the router to balance traffic to a specific destination across multiple equal cost paths Load sharing uses a simple round robin mechanism and is based on destina...

Page 455: ...ute if the IP route table does not contain a route to the destination and also does not contain an explicit default route 0 0 0 0 0 0 0 0 or 0 0 0 0 0 None configured 15 49 Static route An IP route you place in the IP route table No entries 15 39 Source interface The IP address the router uses as the source address for Telnet RADIUS or TACACS TACACS packets originated by the router The router can ...

Page 456: ...r Ethernet II encapsulated packets 1492 for SNAP encapsulated packets 15 26 Metric A numeric cost the router adds to RIP routes learned on the interface This parameter applies only to RIP routes 1 one 16 5 Directed broadcast forwarding Locally overrides the global setting See Table 15 1 on page 15 10 Disabled 15 35 ICMP Router Discovery Protocol IRDP Locally overrides the global IRDP settings See ...

Page 457: ...ps forward broadcasts for the following UDP application protocols bootps dns netbios dgm netbios ns tacacs tftp time 15 71 IP helper address The IP address of a UDP application server such as a BootP or DHCP server or a directed broadcast address IP helper addresses allow the router to forward requests for certain UDP applications from a client on one sub net to a server on another sub net None co...

Page 458: ...u can enter addresses in either format regardless of the display setting 15 83 IP address A Layer 3 network interface address Note Layer 2 Switches have a single IP address used for management access to the entire device Layer 3 Switches have separate IP addresses on individual interfaces None configureda 15 76 Default gateway The IP address of a locally attached router or a router attached to the...

Page 459: ...uses its management IP address as the source address for these packets The management IP address of the Layer 2 Switch Note This parameter is not configurable on Layer 2 Switches n a DHCP gateway stamp The device can assist DHCP BootP Discovery packets from one sub net to reach DHCP BootP servers on a different sub net by placing the IP address of the router interface that forwards the packet in t...

Page 460: ...eters for Layer 2 Switches Table 15 4 Interface IP Parameters Layer 2 Switches Parameter Description Default See page DHCP gateway stamp You can configure a list of DHCP stamp addresses for a port When the port receives a DHCP BootP Discovery packet from a client the port places the IP address es in the gateway list into the packet s Gateway field None configured 15 82 ...

Page 461: ...A B and C sub net masks and so on and Classless Interdomain Routing CIDR network prefix masks To enter a classical network mask enter the mask in IP address format For example enter 209 157 22 99 255 255 255 0 for an IP address with a Class C sub net mask To enter a prefix network mask enter a forward slash and the number of bits in the mask immediately after the IP address For example enter 209 1...

Page 462: ... port already has an IP address configured select the Secondary checkbox 6 Click the Add button to save the change to the device s running config file 7 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory NOTE You also can access the dialog for saving configuration changes by clicking on ...

Page 463: ...nter commands such as those shown in the following example BigIron config bgp router exit BigIron config int loopback 1 BigIron config lbif 1 ip address 10 0 0 1 24 Syntax interface loopback num The num value can be from 1 8 on a chassis Layer 3 Switch The value can be from 1 4 on a stackable Layer 3 Switch Syntax no ip address ip addr ip mask secondary or Syntax no ip address ip addr mask bits se...

Page 464: ...h uses the lowest MAC address on the device the MAC address of port 1 or 1 1 as the MAC address for all ports within all virtual interfaces you configure on the device For more information about VLANs and how to configure them see Configuring Virtual LANs VLANs on page 25 1 USING THE CLI To add a virtual interface to a VLAN and configure an IP address on the interface enter commands such as the fo...

Page 465: ...il the query is resolved The order in which the default gateway addresses are polled is the same as the order in which you enter them USING THE CLI Suppose you want to define the domain name of newyork com on a Layer 3 Switch and then define four possible default DNS gateway addresses To do so enter the following commands BigIron config ip dns domain name newyork com BigIron config ip dns server a...

Page 466: ...ound Trip Time2 207 95 6 30 93 msec 121 msec NOTE In the above example 209 157 22 199 is the IP address of the domain name server default DNS gateway address and 209 157 22 80 represents the IP address of the NYC02 host USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read only or read write access The System configuration panel is displayed 2 Clic...

Page 467: ...efault You can change the IP encapsulation to Ethernet SNAP on individual ports if needed NOTE All devices connected to the Layer 3 Switch port must use the same encapsulation type NOTE POS interfaces use different encapsulation types See Changing the Encapsulation Type on page 6 6 To change the encapsulation type on a Layer 3 Switch port use either of the following methods USING THE CLI To change...

Page 468: ...view to expand the list of configuration options 3 Click on the plus sign next to IP in the tree view to expand the list of IP option links 4 Click on the Interface link to display the interface table 5 Click on the Modify button in the row for the port 6 Enter an MTU value from 572 1492 if the interface is operating with Ethernet SNAP encapsulation If the interface is operating with Ethernet II e...

Page 469: ...Click on the plus sign next to IP in the tree view to expand the list of IP option links 4 Click on the General link to display the IP configuration panel 5 Edit the value in the Router ID field Specify a valid IP address that is not in use on another device in the network 6 Click the Apply button to save the change to the device s running config file 7 Select the Save link at the bottom of the di...

Page 470: ...he interface then designate the interface as the source for all Telnet packets from the Layer 3 Switch Syntax ip telnet source interface ethernet portnum pos portnum loopback num ve num The num parameter is a loopback interface or virtual interface number If you specify an Ethernet or POS port the portnum is the port s number including the slot number if you are configuring a chassis device The fo...

Page 471: ...e router hops away Since the Layer 3 Switch s IP route table and IP forwarding cache contain IP address information but not MAC address information the Layer 3 Switch cannot forward IP packets based solely on the information in the route table or forwarding cache The Layer 3 Switch needs to know the MAC address that corresponds with the IP address of either the packet s locally attached destinatio...

Page 472: ...ork receives a high number of ARP packets in a short period of time some CPU processing might be deferred while the CPU processes the ARP packets To prevent the CPU from becoming flooded by ARP packets in a busy network you can restrict the number of ARP packets the device will accept each second When you configure an ARP rate limit the device accepts up to the maximum number of packets you specif...

Page 473: ...he bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Enabling Proxy ARP Proxy ARP allows a Layer 3 Switch to answer ARP requests from devices on one network on behalf of devices in another network Since ARP requests are MAC layer broadcasts they reach only the devices that are directly connected to the sender of t...

Page 474: ... that has the entry s address NOTE You cannot create static ARP entries on a Layer 2 Switch The maximum number of static ARP entries you can configure depends on the product See Changing the Maximum Number of Entries the Static ARP Table Can Hold on page 15 33 To display the ARP cache and static ARP table see the following To display the ARP table see Displaying the ARP Cache on page 15 89 To disp...

Page 475: ...lt maximum and configurable maximum number of entries in the static ARP table that are supported on each type of Foundry Layer 3 Switch If you need to change the maximum number of entries supported on a Layer 3 Switch use either of the following methods NOTE You must save the configuration to the startup config file and reload the software after changing the static ARP table size to place the chan...

Page 476: ...on next to the ip static arp row 4 Enter the new value for the cache size The value you enter specifies the maximum number of entries the cache can hold 5 Click Apply to save the changes to the device s running config 6 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory 7 Click on the pl...

Page 477: ...stem configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to display the list of configuration options 3 Click on the plus sign next to IP to display the list of IP configuration options 4 Select the General link to display the IP configuration panel 5 Enter a value from 1 255 into the TTL field 6 Click the Apply button to save the change to the device s run...

Page 478: ...tion change to the startup config file on the device s flash memory Disabling Forwarding of IP Source Routed Packets A source routed packet specifies the exact router path for the packet The packet specifies the path by listing the IP addresses of the router interfaces through which the packet must pass on its way to the destination The Layer 3 Switch supports both types of IP source routing Stric...

Page 479: ... zero based sub net broadcasts the Layer 3 Switch still treats IP packets with all ones the host portion as IP sub net broadcasts too Thus the Layer 3 Switch can be configured to support all ones only the default or all ones and all zeroes NOTE This feature applies only to IP sub net broadcasts not to local network broadcasts The local network broadcast address is still expected to be all ones To ...

Page 480: ...ket In this case the host sends the ICMP Port Unreachable message to the Foundry device which in turn sends the message to the host that sent the packet Protocol The TCP or UDP protocol on the destination host is not running This message is different from the Port Unreachable message which indicates that the protocol is running on the host but the requested protocol port is unavailable Source rout...

Page 481: ...vidual port basis To disable ICMP redirects globally enter the following command at the global CONFIG level of the CLI BigIron config no ip icmp redirects Syntax no ip icmp redirects To disable ICMP redirects on a specific interface enter the same command at the configuration level for the interface BigIron config int e 3 11 BigIron config if e100 3 11 no ip redirect Syntax no ip redirect Configur...

Page 482: ...e destination The metric applies only to routes that the Layer 3 Switch has already placed in the IP route table The default metric for static IP routes is 1 The route s administrative distance The value that the Layer 3 Switch uses to compare this route with routes from other route sources to the same destination before placing a route in the IP route table This parameter does not apply to routes...

Page 483: ... and also assumes that local interfaces within that sub net are on the same port Router A deduces that IP interface 207 95 7 188 is also on port 1 2 The software automatically removes a static IP route from the IP route table if the port used by that route becomes unavailable When the port becomes available again the software automatically re adds the route to the IP route table Configuring a Stat...

Page 484: ...op must have at least one IP address configured on it The address does not need to be in the same sub net as the destination network The metric parameter can be a number from 1 16 The default is 1 NOTE If you specify 16 RIP considers the metric to be infinite and thus also considers the route to be unreachable The distance num parameter specifies the administrative distance of the route When compa...

Page 485: ...utes to a destination the Layer 3 Switch prefers lower administrative distances over higher ones so make sure you use a low value for your default route The default is 1 12 Click the Add button to save the change to the device s running config file 13 Repeat steps 8 12 for each static route to the same destination 14 Select the Save link at the bottom of the dialog Select Yes when prompted to save...

Page 486: ...s to the same destination but give the routes different next hop gateways and different metrics the Layer 3 Switch will always use the route with the lowest metric If this route becomes unavailable the Layer 3 Switch will fail over to the static route with the next lowest metric and so on NOTE You also can bias the Layer 3 Switch to select one of the routes by configuring them with different admin...

Page 487: ...ou are adding a new route click on the Add Static Route link to display the Static Route configuration panel as shown in the following example If you are modifying an existing static route click on the Modify button to the right of the row describing the static route to display the Static Route configuration panel as shown in the following example 6 Enter the network address for the route in the N...

Page 488: ...wards to the null interface traffic for that network instead of using alternate paths to route the traffic In this case assign the normal static route to the destination network a lower metric than the null route When you want to use a specific interface by default to route traffic to a given destination network but want to allow the Layer 3 Switch to use other interfaces to reach the destination ...

Page 489: ...ailable However if the interface based route becomes unavailable the Layer 3 Switch still forwards the traffic toward the destination using an alternate route through gateway 192 168 8 11 24 Router A Router B 192 168 7 69 24 X 192 168 6 157 24 192 168 7 7 24 192 168 6 188 24 Router A Router B 192 168 7 69 24 192 168 6 157 24 192 168 7 7 24 192 168 6 188 24 Two static routes to 192 168 7 0 24 Stand...

Page 490: ...ard static route If the standard static route is unavailable the software uses the null route For complete syntax information see Configuring a Static IP Route on page 15 41 To configure a standard static route and an interface based route to the same destination enter commands such as the following BigIron config ip route 192 168 6 0 24 ethernet 1 1 1 BigIron config ip route 192 168 6 0 24 192 16...

Page 491: ...rt loopback interface or virtual interface from the Next Hop by Interface field s pulldown menu s Loopback interfaces and virtual interfaces are listed in the Port pulldown menu not in the Slot pulldown menu To select a loopback interface or a virtual interface on a Chassis device ignore the Slot pulldown menu and select the interface from the Port pulldown menu NOTE You cannot configure a null IP...

Page 492: ...est IP address If the routes are from the same routing protocol use the route with the best metric The meaning of best metric depends on the routing protocol RIP The metric is the number of hops additional routers to the destination The best route is the route with the fewest hops OSPF The metric is the path cost associated with the route The path cost does not indicate the number of hops but is i...

Page 493: ...cumentation uses the term route throughout The term path is used in this section to refer to an individual next hop router to a destination while the term route refers collectively to the multiple paths to the destination Load sharing applies when the IP route table contains multiple equal cost paths to a destination How Multiple Equal Cost Paths Enter the IP Route Table IP load sharing applies to...

Page 494: ...he IP route table contains more than one path with the lowest cost to a destination the Layer 3 Switch uses IP load sharing to select one of the lowest cost paths The source of a path s cost value depends on the source of the path IP static route The value you assign to the metric parameter when you configure the route The default metric is 1 See Configuring Load Balancing and Redundancy Using Mul...

Page 495: ...dress This is the only method supported by stackable Layer 3 Switches and also is supported on chassis Layer 3 Switches Network based The Layer 3 Switch distributes traffic across equal cost paths based on destination network address The software selects a path based on a calculation involving the maximum number of load sharing paths allowed and the actual number of paths to the destination networ...

Page 496: ...witch receives traffic for a destination host and the IP route table has multiple equal cost paths to the host the Layer 3 Switch checks the IP forwarding cache for a forwarding entry to the destination If the IP forwarding cache contains a forwarding entry for the destination the device uses the entry to forward the traffic If the IP forwarding cache does not contain a forwarding entry for the de...

Page 497: ...and load sharing configurations are the same but the order in which R1 receives traffic for the host is different The paths differ due to the order in which the Layer 3 Switch receives the traffic for the destination hosts H6 192 168 2 155 H5 192 168 2 193 H4 192 168 2 175 H9 192 168 3 111 H3 192 168 1 218 H2 192 168 1 170 H1 192 168 7 1 H8 H7 192 168 3 159 192 168 3 209 IP Forwarding Cache Host B...

Page 498: ...ng selection The software then creates an IP forwarding cache entry that associates the destination network address with the selected path IP forwarding cache entries for network based load sharing do not age out Once the software creates a cache entry for a destination network traffic for all hosts on the network uses the same path The cache entries remain in effect until the state of one of the ...

Page 499: ...op routers set the maximum paths value to six See Changing the Maximum Number of Load Sharing Paths on page 15 62 NOTE If the setting for the maximum number of paths is lower than the actual number of equal cost paths the software does not use all the paths for load sharing The network based IP load sharing mechanism selects a path based on the following calculation which involves the maximum numb...

Page 500: ...destination network The software orders the available paths based on when they enter the IP route table The first path to enter the table is path 1 and so on The rows with maximum path value 4 list the path selections that occur using the default maximum number of load sharing paths which is four Table 15 7 Path Selection for Network Based IP Load Sharing Number of Paths Maximum Paths Path Counter...

Page 501: ... 6 6 2 3 4 5 6 1 7 2 3 4 5 6 1 2 8 2 3 4 5 6 1 2 3 7 2 2 3 3 2 3 4 4 2 3 4 5 5 2 3 4 5 6 6 2 3 4 5 6 7 7 2 3 4 5 6 7 1 8 2 3 4 5 6 7 1 2 8 2 2 3 3 2 3 4 4 2 3 4 5 5 2 3 4 5 6 6 2 3 4 5 6 7 7 2 3 4 5 6 7 8 8 2 3 4 5 6 7 8 1 Table 15 7 Path Selection for Network Based IP Load Sharing Continued Number of Paths Maximum Paths Path Counter Value 1 2 3 4 5 6 7 8 ...

Page 502: ...ect the paths beginning with the first path but the algorithm nonetheless results in an evenly distributed selection of paths Disabling or Re Enabling Load Sharing If you do not use IP load sharing and you want to disable the feature use either of the following methods USING THE CLI To disable IP load sharing enter the following commands BigIron config no ip load sharing Syntax no ip load sharing ...

Page 503: ...tch the Layer 3 Switch always load shares paths for default routes and the network default route based on destination host address USING THE CLI To enable host based IP load sharing enter the following command BigIron config ip load sharing by host This command enables host based IP load sharing on the device The command also disables network based IP load sharing at the same time Syntax no ip loa...

Page 504: ...eb management interface Disabling Host Based Load Sharing You can disable host based load sharing for specific destination networks or for all networks When you disable host based load sharing for a destination network or for all destination networks the software removes the host based forwarding cache entries for the destination network s and uses network based forwarding entries instead NOTE Thi...

Page 505: ...f the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Optimizing the IP Forwarding Cache NOTE This section applies only to chassis Layer 3 Switches The IP forwarding cache provides fast path forwarding for IP traffic The entries in the cache contain the following information Source IP address and TCP or UDP port Destination I...

Page 506: ... cache s capacity for default routes by aggregating forwarding information for multiple destinations into single default route entries NOTE This feature applies only to the NetIron chassis BigIron and TurboIron 8 Layer 3 Switches When you enable default route aggregation the Layer 3 Switch associates a network prefix length with each forwarding cache entry that is based on a default network route ...

Page 507: ...nter the destination address as shown in the following example BigIron config show ip dr aggregate 207 96 7 7 Total number of cache entries 2 Start index 1 D Dynamic P Permanent F Forward U Us C Complex Filter W Wait ARP I ICMP Deny K Drop R Fragment S Snap Encap IP Address Next Hop MAC Type Port Vlan Pri 1 207 96 7 7 12 207 95 6 60 0044 052e 4302 DF 1 1 1 0 This example shows the second entry fro...

Page 508: ...can send Router Advertisement messages as IP broadcasts or as IP multicasts addressed to IP multicast group 224 0 0 1 The packet type is IP broadcast Maximum message interval and minimum message interval When IRDP is enabled the Layer 3 Switch sends the Router Advertisement messages every 450 600 seconds by default The time within this interval that the Layer 3 Switch selects is random for each me...

Page 509: ...tisement as multicast packets addressed to IP multicast group 224 0 0 1 The holdtime seconds parameter specifies how long a host that receives a Router Advertisement from the Layer 3 Switch should consider the advertisement to be valid When a host receives a new Router Advertisement message from the Layer 3 Switch the host resets the hold time for the Layer 3 Switch to the hold time specified in t...

Page 510: ...DHCP RARP and BootP DHCP are different methods for providing IP addresses to IP hosts when they boot These methods differ in the following ways Location of configured host addresses RARP requires static configuration of the host IP addresses on the Layer 3 Switch The Layer 3 Switch replies directly to a host s request by sending an IP address you have configured in the RARP table The Layer 3 Switc...

Page 511: ...the request by sending IP address 192 53 4 2 to the client Syntax rarp number mac addr ip addr The number parameter identifies the RARP entry number You can specify an unused number from 1 to the maximum number of RARP entries supported on the device To determine the maximum number of entries supported on the device see Displaying and Modifying System Parameter Default Settings on page 10 70 The m...

Page 512: ...y on client requests sent as limited IP broadcasts addressed to the UDP s application port If a server for the application receives such a broadcast the server can reply to the client Routers do not forward limited broadcasts so the client and server must be on the same network for the broadcast to reach the server If the client and server are on different networks on opposite sides of a router th...

Page 513: ... for a UDP Application If you want the Layer 3 Switch to forward client requests for UDP applications that the Layer 3 Switch does not forward by default you can enable forwarding support for the port To enable forwarding support for a UDP application use either of the following methods You also can disable forwarding for an application using these methods NOTE You also must configure a helper add...

Page 514: ...ation sheet Configuring an IP Helper Address To forward a client s broadcast request for a UDP application when the client and server are on different networks you must configure a helper address on the interface connected to the client Specify the server s IP address or the limited broadcast address of the IP sub net the server is in as the helper address You can configure up to four helper addre...

Page 515: ...ile on the device s flash memory To select an application to be forwarded to the server by the Layer 3 Switch 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to RIP in the tree view to exp...

Page 516: ...mbered IP address on the interface that receives the request as the Gateway address You can override the default by specifying the IP address you want the Layer 3 Switch to use Hop Count Each router that forwards a BootP DHCP packet increments the hop count by 1 Routers also discard a forwarded BootP DHCP request instead of forwarding the request if the hop count is greater than the maximum number...

Page 517: ... forwarded BootP DHCP requests use either of the following methods NOTE The BootP DHCP hop count is not the TTL parameter USING THE CLI To modify the maximum number of BootP DHCP hops enter the following command BigIron config bootp relay max hops 10 This command allows the Layer 3 Switch to forward BootP DHCP requests that have passed through up to ten previous hops before reaching the Layer 3 Sw...

Page 518: ...e CLI displays network masks in classical IP address format example 255 255 255 0 You can change the display to prefix format See Changing the Network Mask Display to Prefix Format on page 15 83 To configure an IP address and specify the default gateway use the following CLI method USING THE CLI To assign an IP address to a Foundry Layer 2 Switch enter a command such as the following at the global...

Page 519: ...DNS entry The first entry serves as the primary default address If a query to the primary address fails to be resolved after three attempts the next gateway address is queried also up to three times This process continues for each defined gateway address until the query is resolved The order in which the default gateway addresses are polled is the same as the order in which you enter them USING TH...

Page 520: ...t ip addr maxttl value minttl value numeric timeout value source ip ip addr The only required parameter is the IP address of the host at the other end of the route See the Foundry Switch and Router Command Line Interface Reference for information about the parameters After you enter the command a message indicating that the DNS query is in process and the current gateway address IP address of the ...

Page 521: ...The default TTL is 64 You can change the TTL to a value from 1 255 To modify the TTL use the following CLI method USING THE CLI To modify the TTL threshold to 25 enter the following commands FastIron config ip ttl 25 FastIron config exit Syntax ip ttl 1 255 USING THE WEB MANAGEMENT INTERFACE You cannot change the TTL on a Layer 2 Switch using the Web management interface Configuring DHCP Assist DH...

Page 522: ... assignments are made because the Layer 2 Switch provides the stamping service How DHCP Assist Works Upon initiation of a DHCP session the client sends out a DHCP discovery packet for an address from the DHCP server as seen in Figure 15 11 When the DHCP discovery packet is received at a Foundry Layer 2 Switch with the DHCP Assist feature enabled the gateway address configured on the receiving inte...

Page 523: ...on of the connecting router needs to be turned on Server Server DHCP Server 207 95 7 6 Link Activity Link Activity Power Console FastIron Workgroup Host 1 200 95 6 x Host 2 192 95 5 x Sub net 1 Host 3 Host 4 Router 202 95 1 x Sub net 3 Sub net 2 Step 1 DHCP IP address requests for Hosts 1 2 3 and 4 in Sub nets 1 2 3 and 4 202 95 5 x Sub net 4 192 95 5 1 200 95 6 1 202 95 1 1 202 95 5 1 Step 2 Fast...

Page 524: ...et in a round robin fashion Up to 32 gateway lists can be defined for each Layer 2 Switch USING THE CLI EXAMPLE To create the configuration indicated in Figure 15 11 and Figure 15 12 FastIron config dhcp gateway list 1 192 95 5 1 FastIron config dhcp gateway list 2 200 95 6 1 FastIron config dhcp gateway list 3 202 95 1 1 202 95 5 1 FastIron config int e 2 FastIron config if 2 dhcp gateway list 1 ...

Page 525: ...ayer 2 Switch see Displaying IP Information Layer 2 Switches on page 15 104 Changing the Network Mask Display to Prefix Format By default the CLI displays network masks in classical IP address format example 255 255 255 0 You can change the displays to prefix format example 18 on a Layer 3 Switch or Layer 2 Switch using the following CLI method NOTE This option does not affect how information is d...

Page 526: ...h and Router Command Line Interface Reference VRRP or VRRPE information see Displaying VRRP and VRRPE Information on page 21 19 FSRP information see the Show Commands chapter in the Foundry Switch and Router Command Line Interface Reference Displaying Global IP Configuration Information To display global IP configuration information for the router use one of the following methods USING THE CLI To ...

Page 527: ... this value see Changing the Maximum Number of Hops to a BootP Relay Server on page 15 75 router id The 32 bit number that uniquely identifies the Foundry router By default the router ID is the numerically lowest IP interface configured on the router To change the router ID see Changing the Router ID on page 15 26 enabled The IP related protocols that are enabled on the router disabled The IP rela...

Page 528: ...red it Action The action the router takes if a packet matches the comparison values in the policy The action can be one of the following deny The router drops packets that match this policy permit The router forwards packets that match this policy Source The source IP address the policy matches Destination The destination IP address the policy matches Protocol The IP protocol the policy matches Th...

Page 529: ... 0 OSPF 0 00 0 RIP 0 00 0 STP 0 00 0 VRRP 0 00 0 Syntax show process cpu num The num parameter specifies the number of seconds and can be from 1 900 If you use this parameter the command lists the usage statistics only for the specified number of seconds If you do not use this parameter the command lists the usage statistics for the previous one second one minute five minute and fifteen minute int...

Page 530: ...interface Method Whether the IP address has been saved in NVRAM If you have set the IP address for the interface in the CLI or Web Management interface but have not saved the configuration the entry for the interface in the Method field is manual Status The link status of the interface If you have disabled the interface with the disable command the entry in the Status field will be administrativel...

Page 531: ...c address xxxx xxxx xxxx parameter lets you restrict the display to entries for a specific MAC address The mask parameter lets you specify a mask for the mac address xxxx xxxx xxxx parameter to display entries for multiple MAC addresses Specify the MAC address mask as f s and 0 s where f s are significant bits The ip addr and ip mask parameters let you restrict the display to entries for a specifi...

Page 532: ... ARP Cache link to display the IP ARP cache This display shows the following information Table 15 11 CLI Display of ARP Cache This Field Displays IP Address The IP address of the device MAC Address The MAC address of the device Type The type which can be one of the following Dynamic The Layer 3 Switch learned the entry from an incoming packet Static The Layer 3 Switch loaded the entry from the sta...

Page 533: ...AC addresses Specify the MAC address mask as f s and 0 s where f s are significant bits The ip addr and ip mask parameters let you restrict the display to entries for a specific IP address and network mask Specify the IP address masks in standard decimal mask format for example 255 255 0 0 NOTE The ip mask parameter and mask parameter perform different operations The ip mask parameter specifies th...

Page 534: ...00 PU n a 0 2 192 168 1 255 DIRECT 0000 0000 0000 PU n a 0 3 255 255 255 255 DIRECT 0000 0000 0000 PU n a 0 Syntax show ip cache ip addr num The ip addr parameter displays the cache entry for the specified IP address The num parameter displays the cache beginning with the row following the number you enter For example to begin displaying the cache at row 10 enter the following command show ip cach...

Page 535: ... the next hop router to the destination This field contains either an IP address or the value DIRECT DIRECT means the destination is either directly attached or the destination is an address on this Foundry device For example the next hop for loopback addresses and broadcast addresses is shown as DIRECT MAC The MAC address of the destination Note If the entry is type U indicating that the destinat...

Page 536: ... destination is an address on this Foundry device For example the next hop for loopback addresses and broadcast addresses is shown as DIRECT MAC The MAC address of the destination Note If the entry is type U indicating that the destination is this Foundry device the address consists of zeroes Type The type of host entry which can be one or more of the following D Dynamic P Permanent F Forward U Us...

Page 537: ...he tenth row in the table enter 10 The bgp option displays the BGP4 routes The direct option displays only the IP routes that are directly attached to the Layer 3 Switch The ospf option displays the OSPF routes The rip option displays the RIP routes The static option displays only the static IP routes Here is an example of how to use the direct option To display only the IP routes that go to devic...

Page 538: ...access The System configuration panel is displayed 2 Click on the plus sign next to Monitor in the tree view to list the monitoring options 3 Click on the plus sign next to IP to list the IP monitoring options 4 Click on the Routing Table link to display the table Table 15 16 CLI Display of IP Route Table This Field Displays Destination The destination network of the route NetMask The network mask...

Page 539: ...t to Command in the tree view to expand the list of command options 3 Click on the Clear link to display the Clear panel 4 Select the box next to IP Route 5 Click Apply Displaying IP Traffic Statistics To display IP traffic statistics use one of the following methods USING THE CLI To display IP traffic statistics enter the following command at any CLI level BigIron show ip traffic IP Statistics 13...

Page 540: ...ce to accommodate the MTU of this device or of another device reassembled The total number of fragmented IP packets that this device re assembled bad header The number of IP packets dropped by the device due to a bad packet header no route The number of packets dropped by the device because there was no route unknown proto The number of packets dropped by the device because the value in the Protoc...

Page 541: ...ceived The number of UDP packets received by the device sent The number of UDP packets sent by the device no port The number of UDP packets dropped because the packet did not contain a valid UDP port number input errors This information is used by Foundry customer support TCP statistics The TCP statistics are derived from RFC 793 Transmission Control Protocol active opens The number of TCP connect...

Page 542: ...P router for all or part of this device s RIP routing table responses sent The number of responses this device has sent to another RIP router s request for all or part of this device s RIP routing table responses received The number of responses this device has received to requests for all or part of another RIP router s routing table unrecognized This information is used by Foundry customer suppo...

Page 543: ...tocol No Buffer The number of packets dropped because the device ran out of buffer space Other Errors The number of packets dropped due to errors other than the ones listed above ICMP statistics Total Received The number of ICMP packets received by the device Total Sent The number of ICMP packets sent by the device Received Errors This information is used by Foundry customer support Sent Errors Th...

Page 544: ...Sent Address Mask Reply The number of Address Mask Replies messages sent by the device Received IRDP Advertisement The number of ICMP Router Discovery Protocol IRDP Advertisement messages received by the device Sent IRDP Advertisement The number of IRDP Advertisement messages sent by the device Received IRDP Solicitation The number of IRDP Solicitation messages received by the device Sent IRDP Sol...

Page 545: ...device s RIP routing table Responses Sent The number of responses this device has sent to another RIP router s request for all or part of this device s RIP routing table Responses Received The number of responses this device has received to requests for all or part of another RIP router s routing table Unrecognized This information is used by Foundry customer support Bad Version The number of RIP ...

Page 546: ...yntax show ip This display shows the following information USING THE WEB MANAGEMENT INTERFACE To display the management IP address and default gateway Table 15 19 CLI Display of Global IP Configuration Information Layer 2 Switch This Field Displays IP configuration Switch IP address The management IP address you configured on the Layer 2 Switch Specify this address for Telnet or Web management acc...

Page 547: ...is display shows the following information USING THE WEB MANAGEMENT INTERFACE To display the ARP cache 1 Log on to the device using a valid user name and password for read only or read write access The System configuration panel is displayed 2 Click on the plus sign next to Monitor in the tree view to display the list of configuration options Table 15 20 CLI Display of ARP Cache This Field Display...

Page 548: ...tion Sent 0 total 0 errors 0 unreachable 0 time exceed 0 parameter 0 source quench 0 redirect 0 echo 0 echo reply 0 timestamp 0 timestamp rely 0 addr mask 0 addr mask reply 0 irdp advertisement 0 irdp solicitation UDP Statistics 0 received 0 sent 0 no port 0 input errors TCP Statistics 1 current active tcbs 4 tcbs allocated 0 tcbs freed 0 tcbs protected 0 active opens 0 passive opens 0 failed atte...

Page 549: ...ropped due to error types other than the types listed above ICMP statistics The ICMP statistics are derived from RFC 792 Internet Control Message Protocol RFC 950 Internet Standard Subnetting Procedure and RFC 1256 ICMP Router Discovery Messages Statistics are organized into Sent and Received The field descriptions below apply to each total The total number of ICMP messages sent or received by the...

Page 550: ... The number of TCBs that have been freed tcbs protected This information is used by Foundry customer support active opens The number of TCP connections opened by this device by sending a TCP SYN to another device passive opens The number of TCP connections opened by this device in response to connection requests TCP SYNs received from other devices failed attempts This information is used by Found...

Page 551: ...the device Bad Header The number of packets dropped because they had a bad header No Route The number of packets dropped because they had no route information Unknown Protocols The number of packets dropped because they were using an unknown protocol No Buffer The number of packets dropped because the device ran out of buffer space Other Errors The number of packets dropped due to errors other tha...

Page 552: ...ask Request messages received by the device Sent Address Mask The number of Address Mask Request messages sent by the device Received Address Mask Reply The number of Address Mask Replies messages received by the device Sent Address Mask Reply The number of Address Mask Replies messages sent by the device Received IRDP Advertisement The number of ICMP Router Discovery Protocol IRDP Advertisement m...

Page 553: ...e number of TCP segments sent by the device Retransmission The number of segments that this device retransmitted because the retransmission timer for the segment had expired before the device at the other end of the connection had acknowledged receipt of the segment Current Active TCBs The number of TCP Control Blocks TCBs that are currently active TCBs Allocated The number of TCBs that have been ...

Page 554: ...Foundry Switch and Router Installation and Configuration Guide 15 112 December 2000 ...

Page 555: ... RIP routers including the Foundry Layer 3 Switch also can modify a route s cost generally by adding to it to bias the selection of a route for a given destination In this case the actual number of router hops may be the same but the route has an administratively higher cost and is thus less likely to be used than other lower cost routes A RIP route can have a maximum cost of 15 Any destination wi...

Page 556: ... route is one that a router learns through another protocol then distributes into RIP Disabled 16 7 Redistribution metric RIP assigns a RIP metric cost to each external route redistributed from another routing protocol into RIP An external route is a route with at least one hop packets must travel through at least one other router to reach the destination This parameter applies to routes that are ...

Page 557: ...g Version 1 only Version 2 only Version 1 but also compatible with version 2 Version 2 only 16 4 Metric A numeric cost the router adds to RIP routes learned on the interface This parameter applies only to RIP routes 1 one 16 5 Advertising and learning of default routes Locally overrides the global setting See Table 16 1 on page 16 2 Disabled 16 10 Loop prevention The method a router uses to preven...

Page 558: ...igIron config interface ethernet 1 1 BigIron config if 1 1 ip rip v1 only BigIron config if 1 1 exit BigIron config write memory Syntax no ip rip v1 only v1 compatible v2 v2 only USING THE WEB MANAGEMENT INTERFACE To change the RIP version on an individual port 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Click on t...

Page 559: ... ip metric 1 16 USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to IP in the tree view to expand the list of IP option links 4 Click on the Interface lin...

Page 560: ...hanging the Administrative Distance By default the Layer 3 Switch assigns the default RIP administrative distance 120 to RIP routes When comparing routes based on administrative distance the Layer 3 Switch selects the route with the lower distance You can change the administrative distance for RIP routes NOTE See Changing Administrative Distances on page 19 33 for a list of the default distances f...

Page 561: ...nter a command such as the following BigIron config rip router deny redistribute 2 all 207 92 0 0 255 255 0 0 This command denies redistribution for all incoming routes received from the 207 92 0 0 network Syntax no permit deny redistribute filter num all bgp ospf static ip addr ip mask match metric value set metric value The filter num specifies the redistribution filter ID The all parameter appl...

Page 562: ... mask ranges 6 Enter the filter ID 7 Select either Permit or Deny as the action 8 Select the types of routes you want to filter on next to Protocol 9 Enable the Match Metric parameter if you want to limit the import of routes to only those that match the metric specified in the Match Metric field 10 Enable the Set Metric parameter to define and assign a specific metric to an imported route If enab...

Page 563: ...ess The System configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to RIP in the tree view to expand the list of RIP option links 4 Click on the General link to display the RIP configuration panel shown in Figure 16 1 on page 16 10 5 Select Disable or Enable next to Redistribution 6 C...

Page 564: ...s 4 Click on the General link to display the RIP configuration panel shown in Figure 16 1 on page 16 10 5 Enter a value from 1 1000 in the Update Time field 6 Click the Apply button to save the change to the device s running config file 7 To configure settings for another port select the port and slot if applicable and go to step 5 8 Select the Save link at the bottom of the dialog Select Yes when...

Page 565: ... the following BigIron config rip router neighbor 1 deny any Syntax no neighbor filter num permit deny source ip address any This command configures the Layer 3 Switch so that the device does not learn any RIP routes from any RIP neighbors The following commands configure the Layer 3 Switch to learn routes from all neighbors except 192 168 1 170 Once you define a RIP neighbor filter the default ac...

Page 566: ...e tree view to expand the list of configuration options 3 Click on the plus sign next to RIP in the tree view to expand the list of RIP option links 4 Click on the Neighbor Filter link 5 Click the Modify or Delete button next to the filter that is to be changed or deleted If you click Modify enter the changes to the Action or IP Address fields and then click the Modify button apply the changes If ...

Page 567: ...e startup config file on the device s flash memory Suppressing RIP Route Advertisement on a VRRP or VRRPE Backup Interface NOTE This section applies only if you configure the Layer 3 Switch for Virtual Router Redundancy Protocol VRRP or VRRP Extended VRRPE See Configuring VRRP and VRRPE on page 21 1 Normally a VRRP or VRRPE Backup includes route information for the virtual IP address the backed up...

Page 568: ...eny once you configure and apply a RIP filter no other routes can be learned or advertised on the interfaces to which you apply these filters Syntax filter filter num permit deny source ip address any source mask any log The following commands deny a specific route and permit all other routes BigIron config rip router filter 5 deny 192 168 1 170 255 255 255 0 BigIron config rip router filter 1024 ...

Page 569: ...configuration information 7 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Applying a RIP Route Filter to an Interface Once you define RIP route filters you must assign them to individual interfaces The filters do not take effect until you apply them to interfaces When you apply a RI...

Page 570: ...s shown in the following example 6 Select the port and slot if applicable to which you are assigning the filter 7 Select either or both the In Filter and Out Filter options Selecting In Filter applies the filters to all RIP updates received on the port Selecting Out Filter applies the filters to all routes advertised on the port Selecting both options applies the filters to both incoming updates a...

Page 571: ...hat interface If applied to an interface s inbound filter group the filter allows the router to add the route to its IP route table Route IP Address The IP address of the route s destination network or host Subnet Mask The network mask for the IP address Neighbor filters The rows underneath RIP Neighbor Filter Table list the RIP neighbor filters If no RIP neighbor filters are configured on the dev...

Page 572: ...rocess cpu Process Name 5Sec 1Min 5Min 15Min Runtime ms ARP 0 01 0 03 0 09 0 22 9 BGP 0 04 0 06 0 08 0 14 13 ICMP 0 00 0 00 0 00 0 00 0 IP 0 00 0 00 0 00 0 00 0 OSPF 0 00 0 00 0 00 0 00 0 RIP 0 04 0 07 0 08 0 09 7 STP 0 00 0 00 0 00 0 00 0 VRRP 0 00 0 00 0 00 0 00 0 If the software has been running less than 15 minutes the maximum interval for utilization statistics the command indicates how long ...

Page 573: ...f you use this parameter the command lists the usage statistics only for the specified number of seconds If you do not use this parameter the command lists the usage statistics for the previous one second one minute five minute and fifteen minute intervals USING THE WEB MANAGEMENT INTERFACE You cannot display this information using the Web management interface ...

Page 574: ...Foundry Switch and Router Installation and Configuration Guide 16 20 December 2000 ...

Page 575: ...tion on those interfaces The router floods these LSAs to all neighboring routers to update them regarding the interfaces Each router maintains an identical database that describes its area topology to help a router determine the shortest path between it and any neighboring router Foundry Layer 3 Switches support the following types of LSAs which are described in RFC 1583 Router link Network link S...

Page 576: ...ails on redistribution and configuration examples see Enable Route Redistribution on page 17 30 Figure 17 1 OSPF operating in a network Designated Routers in Multi Access Networks In a network that has multiple routers attached OSPF elects one router to serve as the designated router DR and another router on the segment to act as the backup designated router BDR This arrangement minimizes the amou...

Page 577: ... ID is the IP address configured on the lowest numbered loopback interface If the Layer 3 Switch does not have a loopback interface the default router ID is the lowest numbered IP address configured on the device For more information or to change the router ID see Changing the Router ID on page 15 26 When multiple routers on the same network are declaring themselves as DRs then both priority and r...

Page 578: ...r routing domain such as a BGP4 or RIP domain The ASBR advertises the route to the external domain by flooding AS External LSAs to all the other OSPF routers except those inside stub networks within the local OSPF Autonomous System AS In some cases multiple ASBRs in an AS can originate equivalent LSAs The LSAs are equivalent when they have the same cost the same next hop and the same destination S...

Page 579: ... Switches configured as ASBRs have equal cost routes to the same next hop router in an external routing domain the ASBR with the highest router ID floods the AS External LSAs for the external domain into the OSPF AS while the other ASBRs flush the equivalent AS External LSAs from their databases As a result the overall volume of route advertisement traffic within the AS is reduced and the Layer 3 ...

Page 580: ...line then Router E starts flooding the AS with AS External LSAs for the route to Router F Dynamic OSPF Activation and Configuration OSPF is automatically activated when you enable it The protocol does not require a software reload You can configure and save the following OSPF changes without resetting the system all OSPF interface related parameters for example area hello timer router dead time co...

Page 581: ...onfiguring OSPF To begin using OSPF on the router perform the steps outlined below 1 Enable OSPF on the router 2 Assign the areas to which the router will be attached 3 Assign individual interfaces to the OSPF areas 4 Define redistribution filters if desired 5 Enable redistribution if you defined redistribution filters 6 Modify default global and port parameters as required 7 Modify OSPF standard ...

Page 582: ...er ospf at the global CONFIG Level Interface parameters for OSPF are set at the interface CONFIG Level using the CLI command ip ospf When using the Web management interface you set OSPF global parameters using the OSPF configuration panel All other parameters are accessed through links accessed from the OSPF configuration sheet Enable OSPF on the Router When you enable OSPF on the router the proto...

Page 583: ...D for each area The area ID is representative of all IP addresses sub nets on a router port Each port on a router can support one area An area can be normal a stub or a Not So Stubby Area NSSA Normal OSPF routers within a normal area can send and receive External Link State Advertisements LSAs Stub OSPF routers within a stub area cannot send or receive External LSAs In addition OSPF routers in a s...

Page 584: ...e radio button next to OSPF on the System configuration panel then clicking Apply to apply the change 3 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 4 Click on the plus sign next to OSPF in the tree view to expand the list of OSPF option links 5 Click on the Area link to display the OSPF Area configuration panel as shown in the following fig...

Page 585: ...p addr parameter specifies the area number which can be a number or in IP address format If you specify an number the number can be from 0 2 147 483 647 The nssa parameter specifies that this is an NSSA For more information about configuring NSSAs see Assign a Not So Stubby Area NSSA on page 17 11 The cost specifies an additional cost for using a route to or from this area and can be from 1 167772...

Page 586: ...to the NSSA as Type 7 LSAs which the ASBR floods throughout the NSSA The ABR translates the Type 7 LSAs into Type 5 LSAs If an area range is configured for the NSSA the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type 5 LSA s into the backbone Since the NSSA is partially stubby the ABR does not flood external LSAs from the backbone into the NSSA To provide access to the ...

Page 587: ...sent into the area See Assign a Totally Stubby Area on page 17 11 NOTE You can assign one area on a router interface For example if the system or chassis module has 16 ports 16 areas are supported on the chassis or module To configure additional parameters for OSPF interfaces in the NSSA use the ip ospf area command at the interface level of the CLI USING THE WEB MANAGEMENT INTERFACE 1 Log on to t...

Page 588: ...NSSA 1 1 1 1 BigIron config router ospf BigIron config ospf router area 1 1 1 1 range 209 157 22 1 255 255 0 0 BigIron config ospf router write memory Syntax area num ip addr range ip addr ip mask The num ip addr parameter specifies the area number which can be in IP address format The ip addr parameter following range specifies the IP address portion of the range The software compares the address...

Page 589: ...d Ranges allow a specific IP address and mask to represent a range of IP addresses within an area so that only that reference range address is advertised to the network instead of all the addresses within that range Each area can have up to 32 range addresses USING THE CLI EXAMPLE To define an area range for sub nets on 193 45 5 1 and 193 45 6 2 enter the following command BigIron config router os...

Page 590: ...dd the area 11 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Assigning Interfaces to an Area Once you define OSPF areas you can assign interfaces the areas All router ports must be assigned to one of the defined areas on an OSPF router When a port is assigned to an area all correspo...

Page 591: ... following example 6 Select the port and slot if applicable to be assigned to the area from the Port and Slot pulldown menus NOTE If you are configuring a Chassis device a Slot Number pulldown menu will appear on the configuration panel in addition to the Port pulldown menu 7 Select the IP address of the area to which the interface is to be assigned from the Area ID pull down menu NOTE You must co...

Page 592: ...figure in the tree view to expand the list of configuration options 4 Click on the plus sign next to OSPF in the tree view to expand the list of OSPF option links 5 Click on the Interface link NOTE If the device already has OSPF interfaces a table listing the interfaces is displayed Click the Modify button to the right of the row describing the interface to change its configuration or click the Ad...

Page 593: ...ps links the cost is 10 The cost for both 100 Mbps and 1000 Mbps links is 1 because the speed of 1000 Mbps was not in use at the time the OSPF cost formula was devised Dead interval Indicates the number of seconds that a neighbor router waits for a hello packet from the current router before declaring the router down The value can be from 1 65535 seconds The default is 40 seconds Hello interval Re...

Page 594: ...ware to use the default behavior If you specify encryption option 1 the software assumes that you are entering the encrypted form of the password or authentication string In this case the software decrypts the password or string you enter before using the value for authentication If you accidentally enter option 1 followed by the clear text version of the password or string authentication will fai...

Page 595: ...ves as the connection point between the two routers This number should match the area ID value The neighbor router field is the router ID IP address of the router that is physically connected to the backbone when assigned from the router interface requiring a logical connection When assigning the parameters from the router with the physical connection the router ID is the IP address of the router ...

Page 596: ...outer area 1 virtual link 209 157 22 1 BigIronA config ospf router write memory Enter the following commands to configure the virtual link on BigIronC BigIronC config ospf router area 1 virtual link 10 0 0 1 BigIronC config ospf router write memory Syntax area ip addr num virtual link router id authentication key dead interval hello interval retransmit interval transmit delay value The area ip add...

Page 597: ...layed as shown in the following example If an OSPF virtual link is already configured and you are adding a new one click on the Add OSPF Virtual Link link to display the OSPF Virtual Link Interface configuration panel as shown in the following example If you are modifying an existing OSPF virtual link click on the Modify button to the right of the row describing the virtual link to display the OSP...

Page 598: ...id user name and password for read write access 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to OSPF in the tree view to expand the list of OSPF option links 4 Click on the Virtual Link link to display a table listing the virtual links 5 Click on the Modify button to the right of the row describing the virtual...

Page 599: ...nt router before declaring the router down The range is 1 65535 seconds The default is 40 seconds Encrypted Display of the Authentication String or MD5 Authentication Key The optional 0 1 parameter with the authentication key and md5 authentication key id parameters affects encryption For added security software release 07 1 10 and later encrypts display of the password or authentication string En...

Page 600: ...tribution for example by the OSPF redistribute command In Figure 17 7 on page 17 27 an administrator wants to configure the BigIron Layer 3 Switch acting as the ASBR Autonomous System Boundary Router between the RIP domain and the OSPF domain to redistribute routes between the two domains NOTE The ASBR must be running both RIP and OSPF protocols to support this activity To configure for redistribu...

Page 601: ... permit redistribute 1 all BigIronASBR config rip router write memory NOTE Redistribution is permitted for all routes by default so the permit redistribute 1 all command in the example above is shown for clarity but is not required You also have the option of specifying import of just OSPF BGP4 or static routes as well as specifying that only routes for a specific network or with a specific cost m...

Page 602: ...bute and deny redistribute commands The redistribute commands allow you to control redistribution of routes by filtering on the IP address and network mask of a route The redistribution commands enable redistribution for routes of specific types static directly connected and so on Configure all your redistribution filters before enabling redistribution NOTE Do not enable redistribution until you h...

Page 603: ...c for the imported routes and specify the metric 12 Click the Add button to apply the filter to the device s running config file 13 Select the Save link at the bottom of the dialog then select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Modify Default Metric for Redistribution The default metric is a global parameter that specifies the...

Page 604: ...hen select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Enable Route Redistribution To enable route redistribution use one of the following methods NOTE Do not enable redistribution until you have configured the redistribution filters Otherwise you might accidentally overload the network with routes you did not intend to redistribute US...

Page 605: ...ext to Redistribution 6 Click the Apply button to apply the change to the device s running config file 7 Select the Save link at the bottom of the dialog then select Yes when prompted to save the configuration change to the startup config file on the device s flash memory ...

Page 606: ...router will choose the path to the R1 with the lower metric For example if R3 s metric is 1400 and R4 s metric is 600 the Foundry router will always choose R4 However suppose the metric is the same for all four routers in this example If the costs are the same the router now has four equal cost paths to R1 To allow the router to load share among the equal cost routes enable IP load sharing The sof...

Page 607: ... external routes When the Layer 3 Switch exits the external LSDB overflow condition all the imported routes are summarized according to the configured address ranges NOTE If you use redistribution filters in addition to address ranges the Layer 3 Switch applies the redistribution filters to routes first then applies them to the address ranges NOTE If you disable redistribution all the aggregate ro...

Page 608: ...te and advertise a default route if it does not already have one configured If default route origination is enabled and you disable it the default route originated by the Layer 3 Switch is flushed Default routes generated by other OSPF routers are not affected If you re enable the feature the feature takes effect immediately and thus does not require you to reload the software To enable default ro...

Page 609: ...his example changes the SPF delay to 10 seconds and changes the SPF hold time to 20 seconds Syntax timers spf delay hold time The delay parameter specifies the SPF delay The hold time parameter specifies the SPF hold time To set the timers back to their default values enter a command such as the following BigIron config ospf router no timers spf 10 20 USING THE WEB MANAGEMENT INTERFACE You cannot ...

Page 610: ... administrative distance You can specify unique default administrative distances for the following route types Intra area routes Inter area routes External routes The default for all these OSPF route types is 110 NOTE This feature does not influence the choice of routes within OSPF For example an OSPF intra area route is always preferred over an OSPF inter area route even if the intra area route s...

Page 611: ... command BigIron config ospf router no timers lsa group pacing USING THE WEB MANAGEMENT INTERFACE You cannot configure this option using the Web management interface Modify OSPF Traps Generated OSPF traps as defined by RFC 1850 are supported on Foundry routers OSPF trap generation is enabled on the router by default USING THE CLI When using the CLI you can disable all or specific OSPF trap generat...

Page 612: ...onfigure in the tree view to expand the list of configuration options 3 Click on the plus sign next to OSPF in the tree view to expand the list of OSPF option links 4 Click on the Trap link to display the OSPF Trap panel 5 Select the Disable radio button beside each OSPF trap you want to disable 6 Click the Apply button to save the change to the device s running config file 7 Select the Save link ...

Page 613: ...econds The default is 0 seconds USING THE WEB MANAGEMENT INTERFACE To modify the exit overflow interval 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to OSPF in the tree view to expand t...

Page 614: ...able size The change does not take effect until you reload or reboot USING THE CLI To change the maximum number of summary LSA entries from 2000 to 18000 enter the following commands BigIron config ospf router maximum number of lsa summary 18000 BigIron config ospf router write memory BigIron config ospf router exit Syntax maximum number of lsa external network router summary value USING THE WEB M...

Page 615: ...playing OSPF Virtual Neighbor Information on page 17 50 Virtual Link information see Displaying OSPF Virtual Link Information on page 17 50 ABR and ASBR information see Displaying OSPF ABR and ASBR Information on page 17 51 Trap state information see Displaying OSPF Trap Status on page 17 51 Displaying General OSPF Configuration Information To display general OSPF configuration information enter t...

Page 616: ...o expand the list of OSPF option links 4 Click on the General link to display the OSPF configuration panel Displaying CPU Utilization Statistics You can display CPU utilization statistics for OSPF and other IP protocols USING THE CLI To display CPU utilization statistics for OSPF for the previous one second one minute five minute and fifteen minute intervals enter the following command at any leve...

Page 617: ... this information using the Web management interface Displaying OSPF Area Information To display global OSPF area information for the router use one of the following methods USING THE CLI To display OSPF area information enter the following command at any CLI level BigIron show ip ospf area Indx Area Type Cost SPFR ABR ASBR LSA Chksum Hex 1 0 0 0 0 normal 0 1 0 0 1 0000781f 2 192 147 60 0 normal 0...

Page 618: ...r router id ip addr num The router id ip addr parameter displays only the neighbor entries for the specified router The num parameter displays only the entry in the specified index position in the neighbor table For example if you enter 1 only the first entry in the table is displayed This display shows the following information Cost The area s cost SPFR The SPFR value ABR The ABR number ASBR The ...

Page 619: ...t The first step in creating an adjacency between the two neighboring routers The goal of this step is to decide which router is the master and to decide upon the initial Database Description DD sequence number Neighbor conversations in this state or greater are called adjacencies Exchange The router is describing its entire link state database by sending Database Description packets to the neighb...

Page 620: ...F route information enter the following command at any CLI level BigIron show ip ospf routes Index Destination Mask Path_Cost Type2_Cost Path_Type 1 212 95 7 0 255 255 255 0 1 0 Intra Adv_Router Link_State Dest_Type State Tag Flags 173 35 1 220 212 95 7 251 Network Valid 00000000 7000 Paths Out_Port Next_Hop Type Arp_Index State 1 5 6 209 95 7 250 OSPF 8 84 00 Index Destination Mask Path_Cost Type...

Page 621: ...System Boundary Router Network the network State The route state which can be one of the following Changed Invalid Valid This information is used by Foundry technical support Tag The external route tag Flags State information for the route entry This information is used by Foundry technical support Paths The number of paths to the destination Out_Port The router port through which the Layer 3 Swit...

Page 622: ...lays the hexadecimal data in the specified LSA packet The num parameter identifies the LSA packet by its position in the router s External LSA table To determine an LSA packet s position in the table enter the show ip ospf external link state command to display the table See Displaying the Data in an LSA on page 17 49 for an example The link state id ip addr parameter displays the External LSAs fo...

Page 623: ...dr parameter shows the External LSAs for the specified OSPF router The sequence number num Hex parameter displays the External LSA entries for the specified hexadecimal LSA sequence number USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read only or read write access The System configuration panel is displayed 2 Click on the plus sign next to Moni...

Page 624: ...able beginning at the specified entry number USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read only or read write access The System configuration panel is displayed 2 Click on the plus sign next to Monitor in the tree view to expand the list of monitoring options 3 Click on the plus sign next to OSPF in the tree view to expand the list of OSPF ...

Page 625: ...n page 17 37 USING THE CLI To display the state of each OSPF trap enter the following command at any CLI level BigIron show ip ospf trap Interface State Change Trap Enabled Virtual Interface State Change Trap Enabled Neighbor State Change Trap Enabled Virtual Neighbor State Change Trap Enabled Interface Configuration Error Trap Enabled Virtual Interface Configuration Error Trap Enabled Interface A...

Page 626: ...Foundry Switch and Router Installation and Configuration Guide 17 52 December 2000 ...

Page 627: ... transmit of multicast data Distribution of stock quotes video transmissions such as news services and remote classrooms and video conferencing are all examples of applications that use multicast routing Foundry Layer 3 Switches support two different multicast routing protocols Distance Vector Multicast Routing Protocol DVMRP and Protocol Independent Multicast PIM protocol along with the Internet ...

Page 628: ...s IP Multicast members Foundry devices support IGMP versions 1 and 2 The router actively sends out host queries to identify IP Multicast groups on the network inserts the group information in an IGMP packet and forwards the packet to IP Multicast neighbors The following parameters apply to PIM and DVMRP IGMP query interval Specifies how often the Layer 3 Switch queries an interface for group membe...

Page 629: ...240 Syntax ip igmp group membership time 1 7200 USING THE WEB MANAGEMENT INTERFACE To modify the default value for the IGMP membership time you would do the following 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to display the configuration options 3 Click on...

Page 630: ...ed multicast groups with the focus on WAN PIM primarily differs from DVMRP by using the IP routing table instead of maintaining its own thereby being routing protocol independent Initiating PIM Multicasts on a Network Once PIM is enabled on each router a network user can begin a video conference multicast from the server on R1 When a multicast packet is received on a PIM capable router interface t...

Page 631: ...res When a node on the multicast delivery tree has all of its downstream branches downstream interfaces in the prune state a prune message is sent upstream In the case of R4 if both R5 and R6 are in a prune state at the same time R4 becomes a leaf node with no downstream interfaces and sends a prune message to R1 With R4 in a prune state the resulting multicast delivery tree would consist only of ...

Page 632: ...e the forwarding state for this entry is in a prune state R4 sends a graft to R1 Once R4 has joined the tree R4 along with R6 once again receive multicast packets Prune and graft messages are continuously used to maintain the multicast delivery tree No configuration is required on your part Console NetIron Console NetIron Console NetIron Console NetIron Console NetIron Console NetIron Group Member...

Page 633: ...er is required when PIM is first enabled Thereafter all changes are dynamic USING THE CLI EXAMPLE To enable PIM on router1 and interface 3 enter the following Router1 config router pim Router1 config pim router int e 3 Router1 config if 3 ip address 207 95 5 1 24 Router1 config if 3 ip pim Router1 config if 3 write memory Router1 config if 3 end Router1 reload USING THE WEB MANAGEMENT INTERFACE 1 ...

Page 634: ... options 13 Select the Reload link and select Yes when prompted to reload the software You must reload after enabling PIM to place the change into effect If PIM was already enabled when you added the interface you do not need to reload Modifying PIM Global Parameters PIM global parameters come with preset values The defaults work well in most networks but you can modify the following parameters if...

Page 635: ...s 2 If you have not already enabled PIM enable it by clicking on the Enable radio button next to PIM on the System configuration panel then clicking Apply to apply the change 3 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 4 Click on the plus sign next to PIM in the tree view to expand the list of PIM option links 5 Click on the General link ...

Page 636: ...ing Graft Retransmit Timer The Graft Retransmit Timer defines the interval between the transmission of graft messages A graft message is sent by a router to cancel a prune state When a router receives a graft message the router responds with a Graft Ack acknowledge message If this Graft Ack message is lost the router that sent the graft message will resend it USING THE CLI To change the graft retr...

Page 637: ...tom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Modifying PIM Interface Parameters TTL is the only interface parameter for PIM TTL defines the minimum value required in a packet for it to be forwarded out of the interface For example if the TTL for an interface is set at 10 it means that only those packets with a T...

Page 638: ... simple example of a PIM Sparse domain This example shows three BigIron Layer 3 Switches configured as PIM Sparse routers The configuration is described in detail following the figure Figure 18 3 Example PIM Sparse domain PIM Sparse Router Types Routers that are configured with PIM Sparse interfaces also can be configured to fill one or more of the following roles PMBR A PIM router that has some i...

Page 639: ...outer A and the recipient is attached to PIM Sparse router C PIM Sparse router B in is the RP for this multicast group As a result the default path for packets from the source to the receiver is through the RP However the path through the RP sometimes is not the shortest path In this case the shortest path between the source and the receiver is over the direct link between router A and router C wh...

Page 640: ...ip NOTE You do not need to globally enable IP multicast routing when configuring PIM Sparse The commands in this example enable IP multicast routing enable the PIM Sparse mode of IP multicast routing and then enable RIP For simplicity this example does not show configuration of specific RIP parameters In addition the commands in this example do not configure the Layer 3 Switch as a candidate PIM S...

Page 641: ... BSR address 207 95 7 1 hash mask length 30 priority 255 This command configures the PIM Sparse interface on port 2 2 as a BSR candidate with a hash mask length of 30 and a priority of 255 The information shown in italics above is displayed by the CLI after you enter the candidate BSR configuration command Syntax no router pim Syntax no bsr candidate ethernet ve portnum num hash mask length priori...

Page 642: ... the net effect is that the Layer 3 Switch becomes a candidate RP for groups 224 126 0 0 224 126 21 255 and groups 224 126 23 0 224 126 255 255 USING THE WEB MANAGEMENT INTERFACE You cannot configure PIM Sparse parameters using the Web management interface Statically Specifying the RP Foundry Networks recommends that you use the PIM Sparse protocol s RP election process so that a backup RP can aut...

Page 643: ...air In accordance with the PIM Sparse RFC s recommendation the timer is 210 seconds and is not configurable The counter is reset to zero each time the Layer 3 Switch receives a packet for the source group pair You can change the number of packets that the Layer 3 Switch sends using the RP before switching to using the SPT To do so use the following CLI method USING THE CLI To change the number of ...

Page 644: ...on The PIM flow cache The PIM multicast cache PIM traffic statistics Displaying Basic PIM Sparse Configuration Information To display basic configuration information for PIM Sparse use the following CLI method USING THE CLI To display PIM Sparse configuration information enter the following command at any CLI level BigIron config pim router show ip pim sparse Global PIM Sparse Mode Settings Hello ...

Page 645: ...d contains a value only if an interface on the Layer 3 Switch is configured as a candidate RP Otherwise the field is blank Join Prune interval How frequently the Layer 3 Switch sends PIM Sparse Join Prune messages for the multicast groups it is forwarding This field show the number of seconds between Join Prune messages The Layer 3 Switch sends Join Prune messages on behalf of multicast receivers ...

Page 646: ... following CLI method USING THE CLI To display BSR information enter the following command at any CLI level BigIron config pim router show ip pim bsr PIMv2 Bootstrap information This system is the elected Bootstrap Router BSR BSR address 207 95 7 1 Uptime 00 33 52 BSR priority 5 Hash mask length 32 TTL Threshold Following the TTL threshold value the interface state is listed The interface state ca...

Page 647: ...ning Note This field appears only if this Layer 3 Switch is the BSR BSR priority or local BSR priority The priority assigned to the interface for use during the BSR election process During BSR election the priorities of the candidate BSRs are compared and the interface with the highest BSR priority becomes the BSR Note If the word local does not appear in the field this Layer 3 Switch is the BSR I...

Page 648: ...im rp candidate This display shows the following information RP Indicates the IP address of the Rendezvous Point RP Note This field appears only if this Layer 3 Switch is the BSR group prefixes Indicates the multicast groups for which the RP listed by the previous field is a candidate RP Note This field appears only if this Layer 3 Switch is the BSR Candidate RP advertisement period Indicates how ...

Page 649: ...rmation for a PIM Sparse Group To display RP information for a specific PIM Sparse group use the following CLI method USING THE CLI To display RP information for a PIM Sparse group enter the following command at any CLI level BigIron config pim router show ip pim rp hash 239 255 162 1 RP 207 95 7 1 v2 Info source 207 95 7 1 via bootstrap Syntax show ip pim rp hash group addr The group addr paramet...

Page 650: ... IP address is the port or virtual interface through which this Layer 3 Switch learned the identity of the RP Info source Indicates the IP address on which the RP information was received Following the IP address is the method through which this Layer 3 Switch learned the identity of the RP This Field Displays Number of group prefixes The number f PIM Sparse group prefixes for which the RP is resp...

Page 651: ...face table Displaying the PIM Flow Cache To display the PIM flow cache use the following CLI method USING THE CLI To display the PIM flow cache enter the following command at any CLI level This Field Displays Port The interface through which the Layer 3 Switch is connected to the neighbor Neighbor The IP interface of the PIM neighbor interface Holdtime sec Indicates how many seconds the neighbor w...

Page 652: ...BigIron config pim router show ip pim mcache 1 239 255 162 1 RP207 95 7 1 forward port v1 Count 2 member ports ethe 3 3 virtual ports v2 prune ports virtual prune ports 2 209 157 24 162 239 255 162 4 forward port v2 flags 00004900 Count 130 member ports virtual ports prune ports virtual prune ports 3 209 157 24 162 239 255 162 1 forward port v2 flags 00005a01 Count 12 member ports ethe 3 8 virtual...

Page 653: ... 1 The entry is for PIM Sparse RPT Indicates whether the cache entry uses the RP path or the SPT path The RPT flag can have one of the following values 0 The SPT path is used instead of the RP path 1 The RP path is used instead of the SPT path Note The values of the RP and SPT flags are always opposite one is set to 0 and the other is set to 1 SPT Indicates whether the cache entry uses the RP path...

Page 654: ...p pim traffic NOTE If you have configured interfaces for standard PIM dense mode on the Layer 3 Switch statistics for these interfaces are listed first by the display This display shows the following information prune ports Indicates the physical ports on which the Layer 3 Switch has received a prune notification in a Join Prune message to remove the receiver from the list of recipients for the gr...

Page 655: ...of Register Stop messages sent or received on the interface Assert The number of Assert messages sent or received on the interface Total Recv Xmit The total number of IGMP messages sent and received by the Layer 3 Switch Total Discard chksum The total number of IGMP messages discarded including a separate counter for those that failed the checksum comparison This Field Displays ...

Page 656: ...e RP is configured for MSDP which enables the RP to exchange source information with other PIM Sparse domains by communicating with RPs in other domains that are running MSDP The RP sends the source information to each of its peers by sending a Source Active message The message contains the IP address of the source the group address to which the source is sending and the IP address of the RP inter...

Page 657: ...rd the Source Active message to all their peers except the ones that sent them the message Figure 18 4 does not show additional peers Source Active Caching When an MSDP router that is also an RP receives a Source Active message the RP checks its PIM Sparse multicast group table for receivers for the group If the DR has a receiver for the group being advertised in the Source Active message the DR s...

Page 658: ...he Web management interface Displaying MSDP Information You can display the following MSDP information Summary information the IP addresses of the peers the state of the Layer 3 Switch s MSDP session with each peer and statistics for Keepalive Source Active and Notification messages sent to and received from each of the peers Peer information the IP address of the peer along with detailed MSDP and...

Page 659: ... Not Applicable MSDP Summary Information This Field Displays Peer Address The IP address of the peer s interface with the Layer 3 Switch State The state of the MSDP router s connection with the peer The state can be one of the following CONNECTING The session is in the active open state ESTABLISHED The MSDP session is fully up INACTIVE The session is idle LISTENING The session is in the passive op...

Page 660: ...session is idle LISTENING The session is in the passive open state Keep Alive Time The keep alive time which specifies how often this MSDP router sends keep alive messages to the neighbor The keep alive time is 60 seconds and is not configurable Hold Time The hold time which specifies how many seconds the MSDP router will wait for a KEEPALIVE or UPDATE message from an MSDP neighbor before deciding...

Page 661: ...A Message SA Response Error 4 Hold Timer Expired 5 Finite State Machine Error 6 Notification 7 Cease For information about these error codes see section 17 in the Internet draft describing MSDP draft ietf msdp spec Notification Message Error SubCode Received See above Notification Message Error Code Transmitted The error message corresponding to the error code in the NOTIFICATION message this MSDP...

Page 662: ... local user CLOSING Waiting for a connection termination request acknowledgment from the remote TCP LAST ACK Waiting for an acknowledgment of the connection termination request previously sent to the remote TCP which includes an acknowledgment of its connection termination request TIME WAIT Waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection term...

Page 663: ...7 RP 206 251 17 41 Age 30 10 100 100 1 254 233 1 0 57 RP 206 251 17 41 Age 90 Syntax show ip msdp sa cache This display shows the following information ReTrans The number of sequence numbers that the MSDP router retransmitted because they were not acknowledged IRcvSeq The initial receive sequence number for the session RcvNext The next sequence number expected from the neighbor RcvWnd The size of ...

Page 664: ...ve Cache To clear the entries from the Source Active cache enter the following command at the Privileged EXEC level of the CLI BigIron clear ip msdp sa cache Syntax clear ip msdp sa cache source addr group addr The command in this example clears all the cache entries Use the source addr parameter to clear only the entries for a specified course Use the group addr parameter to clear only the entrie...

Page 665: ...DVMRP capable router interface the interface checks its DVMRP routing table to determine whether the interface that received the message provides the shortest path back to the source If the interface does provide the shortest path the interface forwards the multicast packet to adjacent peer DVMRP routers except for the router interface that originated the packet Otherwise the interface discards th...

Page 666: ...ole NetIron Console NetIron Console NetIron Console NetIron Console NetIron Group Member Group Member Leaf Node No Group Members R5 R3 R4 R6 R1 R2 Leaf Node Leaf Node Video Conferencing Server 207 95 5 1 229 225 0 1 Source Group Group Member Group Member Group Member Group Member Group Member Group Member 229 225 0 1 229 225 0 1 229 225 0 1 Interrmediate Node No Group Members ...

Page 667: ...tate for this entry is in a prune state R4 sends a graft to R1 Once R4 has joined the tree it along with R6 will once again receive multicast packets You do not need to perform any configuration to maintain the multicast delivery tree The prune and graft messages automatically maintain the tree Console NetIron Console NetIron Console NetIron Console NetIron Console NetIron Console NetIron Group Me...

Page 668: ...ration panel then clicking Apply to apply the change 3 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 4 Click on the plus sign next to DVMRP in the tree view to expand the list of DVMRP option links 5 Click on the Virtual Interface link to display the DVMRP Interface configuration panel NOTE If the device already has DVMRP interfaces a table l...

Page 669: ...you can modify the following global parameters if you need to Neighbor timeout Route expire time Route discard time Prune age Graft retransmit time Probe interval Report interval Trigger interval Default route Modifying Neighbor Timeout The neighbor timeout specifies the period of time that a router will wait before it defines an attached DVMRP neighbor router as down Possible values are 40 8000 s...

Page 670: ... the route expire setting to 50 enter the following BigIron config dvmrp router route expire timeout 50 Syntax route expire timeout 20 4000 USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to DVMRP ...

Page 671: ...iod expires flooding will resume Possible values are from 20 3600 seconds The default value is 180 seconds USING THE CLI To modify the prune age setting to 150 enter the following BigIron config dvmrp router prune 25 Syntax prune age 20 3600 USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access 2 Click on the plus sign next to Configur...

Page 672: ...E 1 Log on to the device using a valid user name and password for read write access 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to DVMRP in the tree view to expand the list of DVMRP option links 4 Click on the General link to display the DVMRP configuration panel 5 Enter a value from 5 30 in the Probe Interva...

Page 673: ... field 6 Click the Apply button to save the change to the device s running config file 7 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Modifying Default Route This defines the default gateway for IP multicast routing USING THE CLI To define the default gateway for DVMRP enter the fo...

Page 674: ...ace link to display a table listing the configured DVMRP Interfaces 5 Click on the Modify button next to the interface you want to modify The DVMRP Interface configuration panel is displayed 6 Enter a value from 1 64 in the Time To Live Threshold TTL field 7 Click the Add button to save the changes to the device s running config file 8 Select the Save link at the bottom of the dialog Select Yes wh...

Page 675: ... name and password for read write access 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to DVMRP in the tree view to expand the list of DVMRP option links 4 Select the Virtual Interface link to display a table listing the configured DVMRP Interfaces 5 Click on the Modify button next to the interface you want to ...

Page 676: ...affic through routers that do not support PIM or DVMRP multicasting IP multicast datagrams are encapsulated within an IP packet and then sent to the remote address Routers that are not configured for PIM or DVMRP route that packet as a normal IP packet When the DVMRP or PIM router at the remote end of the tunnel receives the packet the router strips off the IP encapsulation and forwards the packet...

Page 677: ...ion router interface as well 8 Modify the time to live threshold TTL if necessary The TTL defines the minimum value required in a packet in order for the packet to be forwarded out the interface NOTE For example if the TTL for an interface is set at 10 it means that only those packets with a TTL value of 10 or more will be forwarded Likewise if an interface is configured with a TTL Threshold value...

Page 678: ...OTE In IP multicasting a route is handled in terms of its source rather than its destination You can use the ethernet portnum parameter to specify a physical port or the ve num parameter to specify a virtual interface The distance num parameter sets the administrative distance for the route When comparing multiple paths for a route the Layer 3 Switch prefers the path with the lower administrative ...

Page 679: ...ticast an Internet draft by S Casner and B Fenner To trace a PIM route use the following CLI method NOTE This feature is not supported for DVMRP USING THE CLI To trace a PIM route to PIM source 209 157 24 62 in group 239 255 162 1 enter a command such as the following BigIron mtrace source 209 157 24 62 group 239 255 162 1 Type Control c to abort Server e3 19 Client e1 4 207 95 7 1 Multicast group...

Page 680: ...oup The command example above indicates that the source address 209 157 24 62 is three hops three PIM routers away from PIM router A In PIM terms each of the three routers has a forwarding state for the specified source address and multicast group The value following Thresh in some of the lines indicates the TTL threshold The threshold 0 means that all multicast packets are forwarded on the interf...

Page 681: ...address of the next hop PIM router on that interface In this example PIM interface 207 95 8 1 on PIM router 207 95 8 1 is connected to PIM router 207 95 8 10 The connection can be a direct one or can take place through non PIM routers In this example the PIM routers are directly connected When the arrow following an interface address points to zeros 0 0 0 0 the interface is not connected to a PIM ...

Page 682: ...Foundry Switch and Router Installation and Configuration Guide 18 56 December 2000 ...

Page 683: ...mmunities Attributes RFC 2385 TCP MD5 Signature Option RFC 2439 Route Flap Dampening RFC 2796 Route Reflection RFC 2842 Capability Advertisement To display BGP4 configuration information and statistics see Displaying BGP4 Information on page 19 88 This chapter shows the commands you need in order to configure the Foundry Layer 3 Switch for BGP4 For a detailed list of all CLI commands including syn...

Page 684: ...atic routes Figure 19 1 Example BGP4 ASs Relationship Between the BGP4 Route Table and the IP Route Table The Foundry Layer 3 Switch s BGP4 route table can have multiple routes to the same destination which are learned from different BGP4 neighbors A BGP4 neighbor is another router that also is running BGP4 BGP4 neighbors communicate using Transmission Control Protocol TCP port 179 for BGP communi...

Page 685: ... the following You can modify some of these parameters See Optional Configuration Tasks on page 19 27 Weight A value that the Foundry BGP4 Layer 3 Switch associates with a specific BGP4 neighbor For example if the Layer 3 Switch receives routes to the same destination from two BGP4 neighbors the Layer 3 Switch prefers the route from the neighbor with the larger weight Local preference An attribute...

Page 686: ...following types of messages OPEN UPDATE KEEPALIVE NOTIFICATION OPEN Message After a BGP4 router establishes a TCP connection with a neighboring BGP4 router the routers exchange OPEN messages An OPEN message indicates the following BGP version Indicates the version of the protocol that is in use on the router BGP version 4 supports Classless Interdomain Routing CIDR and is the version most widely u...

Page 687: ...ist of routes that have been in the sending router s BGP4 table but are no longer feasible The UPDATE message lists unreachable routes in the same format as new routes IP address CIDR prefix KEEPALIVE Message BGP4 routers do not regularly exchange UPDATE messages to maintain the BGP4 sessions For example if a NetIron Internet Backbone router configured to perform BGP4 routing has already sent the ...

Page 688: ...p BGP4 Please configure local as parameter in order to enable BGP4 BigIron config bgp router local as 10 BigIron config bgp router neighbor 209 157 23 99 remote as 100 BigIron config bgp router write memory NOTE When BGP4 is enabled on a Foundry Layer 3 Switch you do not need to reset the system The protocol is activated as soon as you enable it Moreover the router begins a BGP4 session with a BGP...

Page 689: ...P4 Parameters You can modify or set the following BGP4 parameters Optional Define the router ID The same router ID also is used by OSPF Required Specify the local AS number Optional Add a loopback interface for use with neighbors Required Identify BGP4 neighbors Optional Change the Keep Alive Time and Hold Time Optional Enable fast external fallover Optional Specify a list of individual networks i...

Page 690: ...lobal level parameters at the BGP CONFIG Level of the CLI You can reach the BGP CONFIG level by entering router bgp at the global CONFIG level NOTE When using the Web management interface you set BGP4 global parameters using the BGP configuration panel shown in Figure 19 2 on page 19 8 You can access all other parameters using links on the BGP configuration panel or from the Configure BGP options ...

Page 691: ...MED see below After Resetting Neighbor Sessions The following parameter changes take effect only after the router s BGP4 sessions are cleared or reset using the soft clear option See Closing or Resetting a Neighbor Session on page 19 121 Change the Hold Time or Keep Alive Time Aggregate routes Add change or negate filter tables Add change or negate route maps After Disabling and Re Enabling Redist...

Page 692: ...l neighbors and sends about eight million routes total to neighbors For each additional one million incoming routes the capacity for outgoing routes decreases by around two million Memory Configuration Options Obsoleted by Dynamic Memory Devices that support dynamic BGP4 memory allocation do not require or even support static configuration of memory for BGP4 neighbors routes or route attributes Co...

Page 693: ...ers or community filters 18 Optionally define IP prefix lists 19 Optionally define neighbor distribute lists 20 Optionally define BGP4 route map entries 21 Optionally define route flap dampening parameters 22 Save the changes to flash memory Basic Configuration Tasks The following sections describe how to perform the configuration tasks that are required to use BGP4 on the Foundry Layer 3 Switch Y...

Page 694: ...he router is already configured for OSPF you may want to use the router ID that is already in use on the router rather than set a new one To display the router ID enter the show ip CLI command at any CLI level or select the IP General links from the Configure tree in the Web management interface USING THE CLI To change the router ID enter a command such as the following BigIron config ip router id...

Page 695: ... port to communicate with a BGP4 neighbor A loopback interface adds stability to the network by working around route flap problems that can occur due to unstable links between the router and its neighbors Loopback interfaces are always up regardless of the states of physical interfaces Loopback interfaces are especially useful for IBGP neighbors neighbors in the same AS that are multiple hops away...

Page 696: ...twork mask in the Subnet Mask field 13 Click the Add button to save the change to the device s running config file 14 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Adding BGP4 Neighbors The BGP4 protocol does not contain a peer discovery process Therefore for each of the router s BG...

Page 697: ...up to 80 characters long distribute list in out num num specifies a distribute list to be applied to updates to or from the specified neighbor The in out keyword specifies whether the list is applied on updates received from the neighbor or sent to the neighbor The num num parameter specifies the list of address list filters The router applies the filters in the order in which you list them and st...

Page 698: ...g is shown as clear text in the output of commands that display neighbor or peer group configuration information 1 Assumes that the authentication string you enter is the encrypted form and decrypts the value before using it For more information see Encryption of BGP4 MD5 Authentication Keys on page 19 20 NOTE If you want the software to assume that the value you enter is the clear text form and t...

Page 699: ...e and Hold Time For more information about these parameters see Changing the Keep Alive Time and Hold Time on page 19 27 update source loopback num configures the router to communicate with the neighbor through the loopback address on the specified interface Using a loopback address for neighbor communication avoids problems that can be caused by unstable router interfaces Generally loopback inter...

Page 700: ...s multiple EBGP hops away 6 If you enabled EBGP Multihop enter the TTL for EBGP multihop in the EBGP Multihop TTL field You can specify a number from 0 255 The default is 0 If you leave the EBGP TTL value set to 0 the software uses the IP TTL value 7 Select Enable next to Next Hop Self if the router should list itself as the next hop in updates sent to the neighbor This option is disabled by defau...

Page 701: ...The remote AS number is the number of the AS the neighbor is in 15 Enter the weight you want the Layer 3 Switch to add to routes received from the specified neighbor BGP4 prefers larger weights over smaller weights The default weight is 0 16 Enter the number of an update source loopback interface in the Update Source field This parameter configures the router to communicate with the neighbor throu...

Page 702: ...7 1 14 on a device that is already configured for BGP4 when you save the configuration to the startup config file the software automatically converts the command syntax for BGP4 neighbors and peer groups into the new syntax that includes the encryption option If you display the running config after reloading with software release 07 1 14 or later the BGP4 commands that specify an authentication st...

Page 703: ...that the authentication string you enter is the encrypted form and decrypts the value before using it NOTE If you want the software to assume that the value you enter is the clear text form and to encrypt display of that form do not enter 0 or 1 Instead omit the encryption option and allow the software to use the default behavior If you specify encryption option 1 the software assumes that you are...

Page 704: ... not set a neighbor parameter in the peer group and the parameter also is not set for the individual neighbor the neighbor uses the default value You can set the following neighbor parameters using a peer group Advertisement interval Default information originate Description Distribute list EBGP multihop Filter list Maximum prefix Next hop self Password Prefix list Remote AS Remove private AS Rout...

Page 705: ...dually for each neighbor If you add an outbound parameter to a peer group that parameter is automatically applied to all neighbors within the peer group When you add a neighbor to a peer group the software removes any outbound parameters for that neighbor from the running configuration running config As a result when you save the configuration to the startup config file the file does not contain a...

Page 706: ...ternal blanks you must use quotation marks around the name For example the command neighbor My Three Peers peer group is valid but the command neighbor My Three Peers peer group is not valid Syntax no neighbor ip addr peer group name advertisement interval num default originate route map map name description string distribute list in out num num acl num in out ebgp multihop num filter list in out ...

Page 707: ...e added it the Layer 3 Switch configure the neighbor parameters then allow the Layer 3 Switch to reestablish a session with the neighbor by removing the shutdown option from the neighbor When you apply the new option to shut down a neighbor the option takes place immediately and remains in effect until you remove the option If you save the configuration to the startup config file the shutdown opti...

Page 708: ...ght of the row describing the neighbor to change its configuration or click the Add Neighbor link to display the BGP Neighbor configuration panel 5 Enter or modify parameters as needed For detailed information see Adding BGP4 Neighbors on page 19 14 6 Select the Enable radio button next to Shutdown 7 Click the Add button if you are adding a new neighbor or the Modify button if you are modifying a ...

Page 709: ... is dead USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to BGP in the tree view to expand the list of BGP option links 4 Click on the General link to di...

Page 710: ...ons 3 Click on the plus sign next to BGP in the tree view to expand the list of BGP option links 4 Click on the General link to display the BGP configuration panel shown in Figure 19 2 on page 19 8 5 Select Disable or Enable next to Fast External Fall Over 6 Click the Apply button to apply the changes to the device s running config file 7 Select the Save link at the bottom of the dialog Select Yes...

Page 711: ...P route table changes then the BGP4 paths and IP paths are adjusted accordingly For example if one of the OSPF paths to reach the BGP4 next hop goes down the software removes this path from the BGP4 route table and the IP route table Similarly if an additional OSPF path becomes available to reach the BGP4 next hop router for a particular destination the software adds the additional path to the BGP...

Page 712: ...parameter specifies the name of the route map you want to use to set or change BGP4 attributes for the network you are advertising The route map must already be configured The weight num parameter specifies a weight to be added to routes to this network The backdoor parameter changes the administrative distance of the route to this network from the EBGP administrative distance 20 by default to the...

Page 713: ... network configuration USING THE CLI To configure a route map and use it to set or change route attributes for a network you define for BGP4 to advertise enter commands such as the following BigIron config route map set_net permit 1 BigIron config routemap set_net set community no export BigIron config routemap set_net exit BigIron config router bgp BigIron config bgp router network 100 100 1 0 24...

Page 714: ... methods USING THE CLI To change the default local preference to 200 enter the following command BigIron config bgp router default local preference 200 Syntax default local preference num The num parameter indicates the preference and can be a value from 0 4294967295 USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The System conf...

Page 715: ...e set independently for each protocol and have different ranges USING THE CLI To change the default metric to 40 enter the following command BigIron config bgp router default metric 40 Syntax default metric num The num indicates the metric and can be a value from 0 4294967295 USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The Sy...

Page 716: ...inistrative distances on the Foundry Layer 3 Switch Directly connected 0 this value is not configurable Static 1 applies to all static routes including default routes EBGP 20 OSPF 110 RIP 120 IBGP 200 Local BGP 200 Unknown 255 the router will not use this route Lower administrative distances are preferred over higher distances For example if the router receives routes for the same network from OSP...

Page 717: ...g paths through the same AS For example if the router receives BGP4 updates from a remote AS with multiple paths for the same route the router compares the MEDs in those paths to select a preferred path for the route You can change the router s default behavior and configure the router to instead compare the MEDs for all paths for a route regardless of the AS through which the paths pass For examp...

Page 718: ...ks 4 Click on the General link to display the BGP configuration panel shown in Figure 19 2 on page 19 8 5 Select Disable or Enable next to Synchronization 6 Click the Apply button to apply the changes to the device s running config file 7 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memor...

Page 719: ...rs of a route reflection cluster All members of the cluster must be in the same AS The cluster ID can be any number from 1 4294967295 The default is the router ID expressed as a 32 bit number NOTE If the cluster contains more than one route reflector you need to configure the same cluster ID on all the route reflectors in the cluster The cluster ID helps route reflectors avoid loops within the clu...

Page 720: ... the CLUSTER_LIST If a route reflector receives a route that has its own cluster ID the router discards the advertisement and does not forward it Software release 07 0 10 and higher handles the attributes as follows The Layer 3 Switch adds the attributes only if it is a route reflector and only when advertising IBGP route information to other IBGP neighbors The attributes are not used when communi...

Page 721: ...uter All route reflector clients for the router are members of the cluster NOTE If the cluster contains more than one route reflector you need to configure the same cluster ID on all the route reflectors in the cluster The cluster ID helps route reflectors avoid loops within the cluster To add an IBGP neighbor to the cluster enter the following command Syntax neighbor ip addr route reflector clien...

Page 722: ...g the complexity of the Interior Border Gateway Protocol IBGP mesh among the BGP routers in the AS The Foundry implementation of this feature is based on RFC 1965 Normally all BGP routers within an AS must be fully meshed so that each BGP router has interfaces to all the other BGP routers within the AS This is feasible in smaller ASs but becomes unmanageable in ASs containing many BGP routers When...

Page 723: ...er indicates membership in a sub AS All BGP routers with the same local AS number are members of the same sub AS BGP routers use the local AS number when communicating with other BGP routers within the confederation Configure the confederation ID The confederation ID is the AS number by which BGP routers outside the confederation know the confederation Thus a BGP router outside the confederation i...

Page 724: ...the confederation You must specify all the sub ASs contained in the confederation All the routers within the same sub AS use IBGP to exchange router information Routers in different sub ASs within the confederation use EBGP to exchange router information You can specify a number from 1 65535 Commands for Router B BigIronB config router bgp BigIronB config bgp router local as 64512 BigIronB config ...

Page 725: ... 23 0 and 209 157 24 0 enter the following command BigIron config bgp router aggregate address 209 157 0 0 255 255 0 0 Syntax aggregate address ip addr ip mask as set summary only suppress map map name advertise map map name attribute map map name The ip addr and ip mask parameters specify the aggregate value for the networks Specify 0 for the host portion and for the network portion that differs ...

Page 726: ...ld 7 Select one of the following options from the Option field s pulldown list Address Use this option when you are adding the address This is the default option AS Set This option causes the router to aggregate AS path information for all the routes in the aggregate address into a single AS path Summary Only This option prevents the router from advertising more specific routes contained within th...

Page 727: ...lue from 0 4294967295 The default is 0 The route map map name parameter specifies a route map to be consulted before adding the filter to the IP route table NOTE The route map you specify must already be configured on the router See Defining Route Maps on page 19 63 for information about defining route maps The weight num parameter changes the weight You can specify a value from 0 65535 The defaul...

Page 728: ...he changes to the device s running config file 11 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Redistributing OSPF Routes To configure the Layer 3 Switch to redistribute OSPF external type 1 routes enter the following command BigIron config bgp router redistribute ospf match extern...

Page 729: ...Advertisement of All Learned BGP4 Routes to All BGP4 Neighbors By default the Layer 3 Switch re advertises all learned best BGP4 routes to BGP4 neighbors unless the routes are discarded or blocked by route maps or other filters If you want to prevent the Layer 3 Switch from re advertising a learned best BGP4 route unless that route also is installed in the IP route table use the following CLI meth...

Page 730: ...ess filter to deny routes to 209 157 0 0 enter the following command BigIron config bgp router address filter 1 deny 209 157 0 0 255 255 0 0 Syntax address filter num permit deny ip addr wildcard mask wildcard The num parameter is the filter number The permit deny parameter indicates the action the Layer 3 Switch takes if the filter match is true If you specify permit the Layer 3 Switch permits th...

Page 731: ...the Address Filter link to display the BGP Address Filter panel If the device does not have any BGP address filters configured the BGP Address Filter configuration panel is displayed as shown in the following example If BGP address filters are already configured and you are adding a new one click on the Add Address Filter link to display the BGP Address Filter configuration panel as shown in the f...

Page 732: ...AS path filter 4 to permit AS 2500 enter the following command BigIron config bgp router as path filter 4 permit 2500 Syntax as path filter num permit deny as path The num parameter identifies the filter s position in the AS path filter list and can be from 1 100 Thus the AS path filter list can contain up to 100 filters The Foundry Layer 3 Switch applies the filters in numerical order beginning w...

Page 733: ... the Add button to apply the changes to the device s running config file 9 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Defining an AS Path ACL To configure an AS path ACL use either of the following methods USING THE CLI To configure an AS path list that uses ACL 1 enter a command...

Page 734: ...g example If an AS Path ACL is already configured and you are adding a new one click on the Add AS Path Access List link to display the IP AS Path Access List panel as shown in the following example NOTE You cannot modify an AS Path ACL Instead you can delete and then re add the ACL To delete an ACL click on the Delete button to the right of the row describing the ACL then click on the Add AS Path...

Page 735: ...acters in brackets For example to filter on AS paths that contain x y or z enter the following command BigIron config bgp router as path filter 1 permit xyz Special Characters When you enter as single character expression or a list of characters you also can use the following special characters Table 19 2 on page 19 53 lists the special characters The description for each special character include...

Page 736: ...lar expression matches on an AS path that contains 1 2 3 4 or 5 1 5 You can use the following expression symbols within the brackets These symbols are allowed only inside the brackets The caret matches on any characters except the ones in the brackets For example the following regular expression matches on an AS path that does not contain 1 2 3 4 or 5 1 5 The hyphen separates the beginning and end...

Page 737: ...ities 1 10 1 20 and 1 30 can be easily identified as member communities of AS 1 The Layer 3 Switch provides the following methods for filtering on AS path information Community filters Community list ACLs NOTE The Layer 3 Switch cannot actively support community filters and community list ACLs at the same time Use one method or the other but do not mix methods NOTE Once you define a filter or ACL ...

Page 738: ...Confederations on page 19 40 USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to BGP in the tree view to expand the list of BGP option links 4 Click on th...

Page 739: ...y ACL on page 19 69 for information about how to use a community list as a match condition in a route map Syntax ip community list num seq seq value deny permit community num The num parameter specifies the ACL number and can be from 1 199 The seq seq value parameter is optional and specifies the community list s sequence number You can configure up to 199 entries in a community list If you do not...

Page 740: ...t specify a sequence number the software numbers them in increments of 5 beginning with number 5 The software interprets the entries in ascending sequence order 7 Select the action you want the software to perform if a route s community list matches this ACL entry 8 Select the community type by clicking on the checkbox to the left of the description or enter the community numbers in the Community ...

Page 741: ...st matches only on this network unless you use the ge ge value or le le value parameters See below The network addr mask bits parameter specifies the network number and the number of bits in the network mask You can specify a range of prefix length for prefixes that are more specific than network addr mask bits If you specify only ge ge value then the mask length range is from ge value to 32 If yo...

Page 742: ... Greater Value or Less Value this prefix list entry matches only on the exact network prefix you specified with the values in the Address and Mask fields 10 Enter a number from 1 32 in the Greater Value field if you want the prefix list to match on prefixes that are more specific than the one you entered in the Address and Mask fields in addition to matching on the prefix in those fields The value...

Page 743: ...o the device s running config file 8 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Defining Neighbor Distribute Lists A neighbor distribute list is a list of BGP4 address filters or ACLs that filter the traffic to or from a neighbor To configure a neighbor distribute list use either...

Page 744: ...lick the Modify button to the right of the row describing the neighbor to change its configuration or click the Add Neighbor link to display the BGP Neighbor configuration panel 5 If you are adding a new neighbor or you need to change additional parameters see the complete procedure in Adding BGP4 Neighbors on page 19 14 6 Select the Distribute List link at the bottom of the panel to display the B...

Page 745: ...tion configure the last match statement in the last instance of the route map to permit any any If there is no match statement the software considers the route to be a match For route maps that contain address filters AS path filters or community filters if the action specified by a filter conflicts with the action specified by the route map the route map s action takes precedence over the individ...

Page 746: ...racters in length You can define up 50 route maps on the router The permit deny parameter specifies the action the router will take if a route matches a match statement If you specify deny the Layer 3 Switch does not advertise or learn the route If you specify permit the Layer 3 Switch applies the match and set statements associated with this route map instance The num parameter specifies the inst...

Page 747: ...ditions for instance 1 of the route map GET_ONE This instance compares the route updates against BGP4 address filter 11 BigIron config routemap GET_ONE match address filters 11 Syntax match as path num address filters as path filters community filters num num community num ip address next hop acl num prefix list string metric num next hop address filter list route type internal external type1 exte...

Page 748: ...the BGP Route Map Filter panel go to step 7 Otherwise go to step 2 2 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 3 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 4 Click on the plus sign next to BGP in the tree view to expand the list of BGP option links 5 Click on...

Page 749: ...er the following commands BigIron config route map PathMap permit 1 BigIron config routemap PathMap match as path 1 Syntax match as path num The num parameter specifies an AS path ACL and can be a number from 1 199 You can specify up to five AS path ACLs To configure an AS path ACL use the ip as path access list command See Defining an AS Path ACL on page 19 51 USING THE WEB MANAGEMENT INTERFACE 1...

Page 750: ...d applies the match and set statements you configure for the instance 7 Select the action you want the Layer 3 Switch to perform if the comparison results in a true value If you select Deny the Layer 3 Switch does not advertise or learn the route If you select Permit the Layer 3 Switch applies the match and set statements associated with this route map instance 8 Click the Add button to apply the ...

Page 751: ...Defining a Community ACL on page 19 57 USING THE WEB MANAGEMENT INTERFACE Use the procedure in Matching Based on AS Path ACL on page 19 67 but select Community Access List instead of AS Path Access List Matching Based on Destination Network To construct match statements for a route map that match based on destination network use either of the following methods You can use the results of an IP ACL ...

Page 752: ...ic tag parameter calculates and sets an automatic tag value for the route NOTE This parameter applies only to routes redistributed into OSPF The community parameter sets the community attribute for the route to the number or well known type you specify The dampening half life reuse suppress max suppress time parameter sets route dampening parameters for the route The half life parameter specifies ...

Page 753: ...EB MANAGEMENT INTERFACE NOTE To simplify testing and configuration you can specify an option and then choose whether to activate it To activate an option select the checkbox in front of the option s field Leave the checkbox unselected to leave the option inactive 1 If you have just added the route map and the map is displayed in the BGP Route Map Filter panel go to step 7 Otherwise go to step 2 2 ...

Page 754: ...nge the value A table map is a route map that you have associated with the IP routing table The Layer 3 Switch applies the set statements for tag values in the table map to routes before adding them to the route table To configure a table map you configure the route map then identify it as a table map The table map does not require separate configuration You create it simply by calling an existing...

Page 755: ...s a penalty of 1000 By default when a route has a penalty value greater than 2000 the Layer 3 Switch stops using the route Thus by default if a route goes down more than twice the Layer 3 Switch stops using the route You can set the suppression threshold to a value from 1 20000 The default is 2000 Half life Once a route has been assigned a penalty the penalty decreases exponentially and decreases ...

Page 756: ...E WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to BGP in the tree view to expand the list of BGP option links 4 Click on the General link to display the BGP con...

Page 757: ...n config routemap DAMPENING_MAP exit BigIron config route map DAMPENING_MAP permit 10 BigIron config routemap DAMPENING_MAP match address filters 10 BigIron config routemap DAMPENING_MAP set dampening 20 200 2500 60 BigIron config routemap DAMPENING_MAP router bgp BigIron config bgp router dampening route map DAMPENING_MAP The address filter commands in this example configure two BGP4 address filt...

Page 758: ...ter compares The filter disregards the bits for which the mask contains zeros 9 Enter the mask in the Prefix Mask field If you specify any all masks match the filter 10 Enter the masking bits for the network mask in the Prefix Mask Masking Bits field 11 Click the Add button to apply the changes to the device s running config file 12 Repeat steps 5 11 for each address filter 13 In the tree view und...

Page 759: ...ddress filter number Using the same number is a convenient way to remember that these configuration items are associated but is not a requirement 16 Select the action you want the Layer 3 Switch to perform if the comparison results in a true value If you select Deny the Layer 3 Switch does not advertise or learn the route If you select Permit the Layer 3 Switch applies the match and set statements...

Page 760: ... indicate that you are using an address filter as a match condition 20 Enter the address filter number in the Address Filter field 21 Click Apply to apply the changes to the device s running config file 22 Select the Route Map Set link at the bottom of the panel to display the BGP Route Map Set panel as shown in the following example ...

Page 761: ...d to specify the maximum suppression value you want this route map to set 28 Click Apply to apply the changes to the device s running config file 29 In the tree view under BGP in the Configure section click on the General link to display the BGP configuration panel 30 In the Dampening section click next to Route Map then select the dampening route map from the Route Map field s pulldown menu In th...

Page 762: ... 10 10 1 route map in DAMPENING_MAP_NEIGHBOR_A In this example the first command globally enables route flap dampening This route map does not contain any match or set statements At the BGP configuration level the dampening route map command refers to the DAMPENING_MAP_ENABLE route map created by the first command thus enabling dampening globally The third and fourth commands configure a second ro...

Page 763: ... learn the route If you select Permit the Layer 3 Switch applies the match and set statements associated with this route map instance In this example select Permit 11 Click the Add button to apply the changes to the device s running config file 12 Select the Route Map Set link to display the BGP Route Map Set panel NOTE If the interface displays a table listing the configured route maps select the...

Page 764: ...un suppress all the suppressed routes enter the following command at the Privileged EXEC level of the CLI BigIron clear ip bgp damping Syntax clear ip bgp damping ip addr ip mask The ip addr parameter specifies a particular network The ip mask parameter specifies the network s mask To un suppress a specific route enter a command such as the following BigIron clear ip bgp damping 209 157 22 0 255 2...

Page 765: ...ons are the same ones supported for BGP4 AS path filters See Using Regular Expressions on page 19 53 The address mask parameter specifies a particular route If you also use the optional longer prefixes parameter then all statistics for routes that match the specified route or have a longer prefix than the specified route are displayed For example if you specify 209 157 0 0 longer then all routes w...

Page 766: ...tistics but also un suppresses the routes See Displaying Route Flap Dampening Statistics on page 19 83 USING THE WEB MANAGEMENT INTERFACE You cannot clear dampening statistics using the Web management interface Statically Allocating Memory in Earlier Software Releases NOTE These procedures apply only to the TurboIron 8 or NetIron stackable running a software release earlier than 07 1 00 or to the ...

Page 767: ...age 19 8 5 Change the number in the Maximum Neighbors field The maximum number you can enter depends on the device you are configuring See Memory Considerations on page 19 9 for the maximum for your device 6 Click the Apply button to apply the changes to the device s running config file 7 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to ...

Page 768: ...e BGP4 route table lists the route attributes associated with each route in the table These attributes include the following IP address of the next hop router Metric Local Preference Origin Communities and others A collection of these attributes is called a route attributes entry Each route attributes entry is a unique set of values for these attributes For example the following set of attribute v...

Page 769: ...list of BGP option links 4 Click on the General link to display the BGP configuration panel shown in Figure 19 2 on page 19 8 5 Change the number in the Maximum Attribute Entries field The maximum number you can enter depends on the device you are configuring See Memory Considerations on page 19 9 for the maximum for your device 6 Click the Apply button to apply the changes to the device s running...

Page 770: ...ollowing command at any CLI prompt BigIron show ip bgp summary Here is an example of the information displayed by this command BigIron show ip bgp summary BGP4 Summary Router ID 1 2 4 2 Local AS Number 1 Confederation Identifier not configured Confederation Peers Maximum Number of Paths Supported for Load Sharing 2 Number of Neighbors Configured 3 Number of Routes Installed 65871 Number of Routes ...

Page 771: ...mber of Routes Installed The number of BGP4 routes in the router s BGP4 route table To display the BGP4 route table see Displaying the BGP4 Route Table on page 19 107 Number of Routes Advertising to All Neighbors The total of the RtSent and RtToSend columns for all neighbors Number of Attribute Entries Installed The number of BGP4 route attribute entries in the router s route attributes table To d...

Page 772: ...ween CONNECT and ACTIVE there may be a problem with the TCP connection OPEN SENT BGP4 is waiting for an Open message from the neighbor OPEN CONFIRM BGP4 has received an OPEN message from the neighbor and is now waiting for either a KEEPALIVE or NOTIFICATION message If the router receives a KEEPALIVE message from the neighbor the state changes to Established If the message is a NOTIFICATION the sta...

Page 773: ... paths 4 neighbor pg1 peer group neighbor pg1 remote as 65001 neighbor pg1 description BigIron group 1 neighbor pg1 distribute list out 1 neighbor 192 169 100 1 peer group pg1 neighbor 192 169 101 1 peer group pg1 neighbor 192 169 102 1 peer group pg1 neighbor 192 169 201 1 remote as 65101 neighbor 192 169 201 1 shutdown neighbor 192 169 220 3 remote as 65432 network 1 1 1 0 255 255 255 0 network ...

Page 774: ...conds enter a command such as the following BigIron show process cpu 1 Process Name Sec Time ms ARP 0 00 0 BGP 0 00 0 ICMP 0 01 1 IP 0 00 0 OSPF 0 00 0 RIP 0 00 0 STP 0 00 0 VRRP 0 00 0 Syntax show process cpu num The num parameter specifies the number of seconds and can be from 1 900 If you use this parameter the command lists the usage statistics only for the specified number of seconds If you d...

Page 775: ...Switch did not accept or install because they were denied by filters on the Layer 3 Switch Routes Selected as BEST Routes The number of routes that the Layer 3 Switch selected as the best routes to their destinations BEST Routes not Installed in IP Forwarding Table The number of routes received from the neighbor that are the best BGP4 routes to their destinations but were nonetheless not installed...

Page 776: ... NLRIs for withdrawing routes the Layer 3 Switch has queued up to send to this neighbor in UPDATE messages NLRIs Sent in Update Message The number of NLRIs for new routes the Layer 3 Switch has sent to this neighbor in UPDATE messages Withdraws The number of routes the Layer 3 Switch has sent to the neighbor to withdraw Replacements The number of routes the Layer 3 Switch has sent to the neighbor ...

Page 777: ...akes the display easier to read The TCP statistics at the end of the display show status for the TCP session with the neighbor Most of the fields show information stored in the Layer 3 Switch s Transmission Control Block TCB for the TCP session between the Layer 3 Switch and its neighbor These fields are described in detail in section 3 2 of RFC 793 Transmission Control Protocol Functional Specifi...

Page 778: ...rmation base RIB for outbound routes You can display all the routes or specify a network address The routes summary option displays a summary of the following information Number of routes received from the neighbor Number of routes accepted by this Layer 3 Switch from the neighbor Number of routes this Layer 3 Switch filtered out of the UPDATES received from the neighbor and did not accept Number ...

Page 779: ... problem with the TCP connection OPEN SENT BGP4 is waiting for an Open message from the neighbor OPEN CONFIRM BGP4 has received an OPEN message from the neighbor and is now waiting for either a KEEPALIVE or NOTIFICATION message If the router receives a KEEPALIVE message from the neighbor the state changes to Established If the message is a NOTIFICATION the state changes to Idle ESTABLISHED BGP4 is...

Page 780: ...ion is enabled for the neighbor ReflectorClient Whether this option is enabled for the neighbor UpdateSource Whether this option is enabled for the neighbor and the value of the option if enabled Message Sent The number of messages this router has sent to the neighbor The display shows statistics for the following message types Open Update KeepAlive Notification Refresh Req Message Received The nu...

Page 781: ...Bad Peer AS Number Bad BGP Identifier Unsupported Optional Parameter Authentication Failure Unacceptable Hold Time Unsupported Capability UPDATE Message Error Malformed Attribute List Unrecognized Well known Attribute Missing Well known Attribute Attribute Flags Error Attribute Length Error Invalid ORIGIN Attribute Invalid NEXT_HOP Attribute Optional Attribute Error Invalid Network Field Malformed...

Page 782: ... to the Foundry implementation Reset All Peer Sessions User Reset Peer Session Port State Down Peer Removed Peer Shutdown Peer AS Number Change Peer AS Confederation Change TCP Connection KeepAlive Timeout TCP Connection Closed by Remote TCP Data Stream Error Detected Table 19 6 BGP4 Neighbor Information Continued This Field Displays ...

Page 783: ...gth Bad Message Type Unspecified Open Message Error Unsupported Version Bad Peer As Bad BGP Identifier Unsupported Optional Parameter Authentication Failure Unacceptable Hold Time Unspecified Update Message Error Malformed Attribute List Unrecognized Attribute Missing Attribute Attribute Flag Error Attribute Length Error Invalid Origin Attribute Invalid NextHop Attribute Optional Attribute Error I...

Page 784: ...quest acknowledgment from the remote TCP LAST ACK Waiting for an acknowledgment of the connection termination request previously sent to the remote TCP which includes an acknowledgment of its connection termination request TIME WAIT Waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request CLOSED There is no connection state Local h...

Page 785: ...Route Information To display summary route information enter a command such as the following at any level of the CLI BigIron config bgp router show ip bgp neighbor 192 168 4 211 routes summary Routes Received 18 Accepted Installed 18 Filtered 0 Routes Selected as BEST Routes 17 BEST Routes not Installed in IP Forwarding Table 1 Unreachable Routes no IGP Route for NEXTHOP 1 History Routes 0 NLRIs R...

Page 786: ...n the IP route table because the Layer 3 Switch received better routes from other sources such as OSPF RIP or static IP routes Unreachable Routes The number of routes received from the neighbor that are unreachable because the Layer 3 Switch does not have a valid RIP OSPF or static route to the next hop History Routes The number of routes that are down but are being retained for route flap dampeni...

Page 787: ... be Sent The number of routes the Layer 3 Switch has queued to send to this neighbor To be Withdrawn The number of NLRIs for withdrawing routes the Layer 3 Switch has queued up to send to this neighbor in UPDATE messages NLRIs Sent in Update Message The number of NLRIs for new routes the Layer 3 Switch has sent to this neighbor in UPDATE messages Withdraws The number of routes the Layer 3 Switch h...

Page 788: ...tinations Are Unreachable To display BGP4 routes whose destinations are unreachable using any of the BGP4 paths in the BGP4 route table enter a command such as the following at any level of the CLI BigIron config bgp router show ip bgp neighbor 192 168 4 211 received routes unreachable Syntax show ip bgp neighbor ip addr received routes unreachable For information about the fields in this display ...

Page 789: ...l the routes BGP4 knows about you can display the BGP4 table using either of the following methods Table 19 8 BGP4 Summary Route Information This Field Displays Total number of BGP routes NLRIs Installed The number of BGP4 routes the Layer 3 Switch has installed in the BGP4 route table Distinct BGP destination networks The number of destination networks the installed routes represent The BGP4 rout...

Page 790: ...S path ACL The best parameter displays the routes received from the neighbor that the Layer 3 Switch selected as the best routes to their destinations The cidr only option lists only the routes whose network masks do not match their class network length The community option lets you display routes for a specific community You can specify local as no export no advertise internet or a private commun...

Page 791: ...bgp routes not installed best Searching for matching routes use C to quit Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED Network ML Next Hop Metric LocPrf Weight Status 1 7 7 7 0 24 192 168 4 211 0 101 0 b Each of the displayed routes is a valid path to its destination but the Layer 3 Switch received another path from a diffe...

Page 792: ...STORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED Network ML Next Hop Metric LocPrf Weight Status 1 7 7 7 0 24 192 168 4 211 0 101 0 b These displays show the following information Table 19 9 BGP4 Network Information This Field Displays Number of BGP Routes matching display condition The number of routes that matched the display parameters you entered This is the number of routes displayed by the comm...

Page 793: ...ived from the neighbor are the best BGP4 routes to their destinations but were nonetheless not installed in the IP route table because the Layer 3 Switch received better routes from other sources such as OSPF RIP or static IP routes C CONFED_EBGP The route was learned from a neighbor in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been da...

Page 794: ...s are described in the command s output Network The network address Next Hop The next hop router for reaching the network from the Layer 3 Switch Metric The value of the route s MED attribute If the route does not have a metric this field is blank LocPrf The degree of preference for this route relative to other routes in the local AS When the BGP4 algorithm compares routes on the basis of local pr...

Page 795: ...heir destinations but were nonetheless not installed in the IP route table because the Layer 3 Switch received better routes from other sources such as OSPF RIP or static IP routes C CONFED_EBGP The route was learned from a neighbor in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is current...

Page 796: ...te entries Here is an example of the information displayed by this command A zero value indicates that the attribute is not set BigIron show ip bgp attribute entries Total number of BGP Attribute Entries 7753 1 Next Hop 192 168 11 1 Metric 0 Origin IGP Originator 0 0 0 0 Cluster List None Aggregator AS Number 0 Router ID 0 0 0 0 Atomic FALSE Local Pref 100 Communities Internet AS Path 65002 65001 ...

Page 797: ...on to select the best route IGP is preferred over EGP and both are preferred over INCOMPLETE Originator The originator of the route in a route reflector environment Cluster List The route reflector clusters through which this set of attributes has passed Aggregator Aggregator information AS Number shows the AS in which the network information in the attribute set was aggregated This value applies ...

Page 798: ...255 254 0 192 168 13 2 1 1 0 B 12 6 42 0 255 255 254 0 192 168 13 2 1 1 0 B remaining 50824 entries not shown USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read only or read write access The System configuration panel is displayed 2 Click on the plus sign next to Monitor in the tree view to expand the list of monitoring options 3 Click on the pl...

Page 799: ...routes that have been dampened and that match the specified filter s are displayed This display shows the following information You also can display all the dampened routes by entering the following command show ip bgp dampened paths USING THE WEB MANAGEMENT INTERFACE You cannot display dampening statistics using the Web management interface Table 19 12 Route Flap Dampening Statistics This Field D...

Page 800: ... active configuration for a specific route map enter a command such as the following which specifies a route map name BigIron show route map setcomm route map setcomm permit 1 set community 1234 2345 no export This example shows the active configuration for a route map called setcomm Syntax show route map map name USING THE WEB MANAGEMENT INTERFACE You cannot display the active route map configura...

Page 801: ... same as those for the show ip bgp flap statistics command except the longer prefixes option is not supported See Displaying Route Flap Dampening Statistics on page 19 83 NOTE The clear ip bgp damping command not only clears statistics but also un suppresses the routes See Displaying Route Flap Dampening Statistics on page 19 83 USING THE WEB MANAGEMENT INTERFACE You cannot clear dampening statist...

Page 802: ... Adj RIB Out again The Layer 3 Switch applies its filters to the incoming routes and adds modifies or removes BGP4 routes as necessary Syntax clear ip bgp neighbor all ip addr peer group name as num soft outbound soft in out The all ip addr peer group name as num specifies the neighbor The ip addr parameter specifies a neighbor by its IP interface with the Layer 3 Switch The peer group name specif...

Page 803: ... this example the dynamic refresh statistics are shown in bold type Notice that the layout of the display has been changed slightly to allow room for this new information The RefreshCapability field indicates whether this Layer 3 Switch has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability The statistics in the Message Sent and Message Received rows ...

Page 804: ...m soft outbound soft in out The all ip addr peer group name as num specifies the neighbor The ip addr parameter specifies a neighbor by its IP interface with the Layer 3 Switch The peer group name specifies all neighbors in a specific peer group The as num parameter specifies all neighbors within the specified AS The all parameter specifies all neighbors To resend routes to a neighbor without clos...

Page 805: ...l Support to resolve a problem The buffers do not identify the system time when the data was written to the buffer If you want to ensure that diagnostic data in a buffer is recent you can clear the buffers You can clear the buffers for a specific neighbor or for all neighbors If you clear the buffer containing the first 400 bytes of the last packet that contained errors all the bytes are changed t...

Page 806: ...ions 3 Click on the Clear link to display the Clear panel 4 Select one of the following BGP Neighbor Last Packet with Error Clears the buffer containing the first 400 bytes of the last BGP4 packet that contained an error BGP Neighbor Notification Error Clears the buffer containing the last NOTIFICATION message sent or received 5 Click the Apply button to implement the change ...

Page 807: ...number of global IP addresses you can configure depends on how much memory the Layer 3 Switch has and whether you enable the Port Address Translation feature Regardless of the amount of memory you cannot configure more than 256 global IP addresses NOTE NAT support is available for traffic originated by hosts on the private network You cannot configure NAT to translate global addresses into private...

Page 808: ...es that you configure In the example in Figure 20 1 the pool is the range of addresses from 209 157 1 2 24 209 157 1 254 24 When you use dynamic NAT the software uses a round robin technique to select a global IP address to map to a private address from a pool that you configure Static NAT Static NAT maps a particular global IP address with a particular private address Use static NAT when you want...

Page 809: ... UDP port number for each private address to distinguish them Notice that the Port Address Translation feature does not attempt to use the same TCP or UDP port number as in the client s packet The way NAT deals with the client s TCP or UDP port number depends on whether Port Address Translation is enabled Port Address Translation enabled NAT treats the client s IP address and TCP or UDP port numbe...

Page 810: ... to ensure that the addresses are always mapped together Use static address mappings when you want to ensure that a specific host in the private network is always mapped to the Internet address you specify Configure dynamic NAT parameters Configure a standard or extended ACL for each range of private addresses for which you want to provide NAT Configure a pool for each consecutive range of Interne...

Page 811: ... This command associates a specific private address with a specific Internet address Use this command when you want to ensure that the specified addresses are always mapped together The inside source parameter specifies that the mapping applies to the private address sending traffic to the Internet The private ip parameter specifies the private IP address The global ip parameter specifies the Inte...

Page 812: ...e Specify the highest numbered IP address in the range NOTE The address range cannot contain any gaps Make sure you own all the IP addresses in the range If the range contains gaps you must create separate pools containing only the addresses you own The netmask ip mask prefix length length parameter specifies a classical sub net mask example netmask 255 255 255 0 or the length of a Classless Inter...

Page 813: ... BigIron config vif 1 ip nat inside This command enables inside NAT on virtual interface 4 Enabling Outside NAT To enable outside NAT on the interface attached to public addresses use the following CLI method USING THE CLI To enable outside NAT on an interface enter commands such as the following BigIron config interface ethernet 1 2 BigIron config if 1 2 ip nat outside This command enables outsid...

Page 814: ... The default is 120 seconds To change the timeout for a dynamic entry type use the following CLI method USING THE CLI To change the age timeout for all entries that do not use Port Address Translation to 1800 seconds one half hour enter a command such as the following at the global CONFIG level of the CLI BigIron config ip nat timeout 1800 Syntax no ip nat translation timeout udp timeout tcp timeo...

Page 815: ...ide Local xmit pkts xmit bytes rx pkts rx bytes cnt 192 168 2 79 10 10 100 18 62 4012 42 4285 10 Table 20 1 CLI Display of Active NAT Translations This Field Displays Pro When Port Address Translation is enabled this field indicates the protocol NAT is using to uniquely identify the host NAT can map the same IP address to multiple hosts and use the protocol port to distinguish among the hosts This...

Page 816: ... table Expired translations The total number of dynamic translations that have aged of the translation table since the Foundry device was booted Dynamic mappings Lists the dynamic translation parameters configured for the device The following information is displayed pool The name of the pool from which the address used for the translation was drawn mask The sub net mask or prefix used for address...

Page 817: ...he translations Total The total number of both used and available internal session resources Avail The number of free internal session resources NAT The number of internal session resources currently used by NAT For information about the session table see Layer 4 Session Table on page 15 7 Inside global A global IP address Last Inside Local The last inside local IP address to use the global IP add...

Page 818: ...rc 10 10 100 18 trans 192 168 2 78 dst 192 168 3 11 NAT ICMP src 10 10 100 18 trans 192 168 2 78 dst 192 168 3 11 NAT 192 168 2 78 192 168 3 11 ID 60950 len 60 txfid 13 icmp 8 0 512 13824 NAT ICMP dest 192 168 2 78 trans 192 168 3 11 dst 10 10 100 18 NAT 192 168 3 11 10 10 100 18 ID 5571 len 60 txfid 15 icmp 0 0 512 13824 NAT icmp src 10 10 100 18 trans 192 168 2 78 dst 192 168 3 11 NAT ICMP src 1...

Page 819: ... 3 11 53 NAT 192 168 2 78 8008 192 168 3 11 53 ID 54806 len 63 txfid 13 NAT udp src 10 10 100 18 1141 trans 192 168 2 78 8009 dst 192 168 3 11 53 NAT udp data src 10 10 100 18 1141 trans 192 168 2 78 8009 dst 192 168 3 11 53 NAT 192 168 2 78 8009 192 168 3 11 53 ID 55062 len 63 txfid 13 NAT udp data dest 192 168 2 78 8008 trans 192 168 3 11 53 dst 10 10 100 18 1140 NAT 192 168 3 11 53 10 10 100 18...

Page 820: ...shown in Figure 20 3 These commands configure the following An IP address and default gateway on the Layer 2 Switch An Access Control List ACL for the range of private addresses in the private network on virtual interface 10 A Pool of public Internet address to use for translation of the private addresses An association of the ACL for the private addresses with the pool for translation A default r...

Page 821: ...sends traffic to a public network in this case a network located somewhere on the Internet BigIron config ip nat pool np1 63 251 295 47 63 251 295 48 netmask 255 255 255 192 This command configures a pool named np1 and adds public address range 63 251 295 47 26 63 251 295 48 26 to the pool Generally a pool contains more than two addresses but this pool is small so that this configuration can also ...

Page 822: ...tup config file ensures that the changes are reinstated following a system reload BigIron config write memory Private NAT Clients Connected Directly to the Layer 3 Switch Figure 20 3 shows an example of a NAT configuration in which the NAT clients on the private network are directly connected to the Layer 3 Switch The configuration commands are similar to those for the configuration in Private NAT...

Page 823: ...3 Switch The following commands access the configuration level of the CLI then configure port based VLAN 2 and add virtual interface 10 to the VLAN BigIron en BigIron configure terminal BigIron config vlan 2 by port BigIron config vlan 2 untagged ethernet 8 1 to 8 24 BigIron config vlan 2 router interface ve 10 BigIron config vlan 2 exit These commands add ports 8 1 through 8 24 as untagged ports ...

Page 824: ...tion of the command identifies the range of source addresses The value 9 is the number of the ACL configured above The pool np1 portion of the command identifies the IP address pool configured above The overload parameter enables Port Address Translation When this feature is enabled NAT associates a TCP or UDP port number with the public address for a client In this case there are four clients but...

Page 825: ...ges above to the Layer 3 Switch s startup config file on flash memory The Layer 3 Switch applies NAT configuration information as soon as you enter it into the CLI Saving the changes to the startup config file ensures that the changes are reinstated following a system reload BigIron config write memory ...

Page 826: ...Foundry Switch and Router Installation and Configuration Guide 20 20 December 2000 ...

Page 827: ...ate protocols You cannot use them together NOTE You can use a Foundry Layer 3 Switch configured for VRRP with another Foundry Layer 3 Switch or a third party router that is also configured for VRRP You can use a Foundry Layer 3 Switch configured for VRRPE only with another Foundry Layer 3 Switch that also is configured for VRRPE Foundry Standby Router Protocol FSRP a Foundry router redundancy prot...

Page 828: ...ure As shown in this example Host1 uses 192 53 5 1 on Router1 as the host s default gateway out of the sub net If this interface goes down Host1 is cut off from the rest of the network Router1 is thus a single point of failure for Host1 s access to other networks If Router1 fails you could configure Host1 to use Router2 Configuring one host with a different default gateway might not require too mu...

Page 829: ...s of one Master router and one or more Backup routers The Master router is the router that owns the IP address es you associate with the VRID For this reason the Master router is sometimes called the Owner Configure the VRID on the router that owns the default gateway interface The other router in the VRID does not own the IP address es associated with VRID but provides the backup path if the Mast...

Page 830: ... the host believes is the MAC address of the router interface for its default gateway However the Backup cannot reply to IP pings sent to the IP address es associated with the VRID Because the IP address es are owned by the Owner if the Owner is unavailable the IP addresses are unavailable as packet destinations Master Negotiation The routers within a VRID use the VRRP priority values associated w...

Page 831: ...In the configuration shown in Figure 21 2 on page 21 3 Router1 s priority changes from 255 to 20 One of the parameters contained in the Hello messages the Master router sends to its Backups is the Master router s priority If the track port feature results in a change in the Master router s priority the Backup routers quickly become aware of the change and initiate a negotiation for Master router I...

Page 832: ...s VRID s MAC Address VRRP source MAC is a virtual MAC address defined as 00 00 5E 00 01 vrid where vrid is the VRID The Master owns the Virtual MAC address VRRPE uses the interface s actual MAC address as the source MAC address The MAC address is 02 E0 52 hash value vrid where hash value is a two octet hashed value for the IP address and vrid is the VRID Hello packets VRRP sends Hello messages to ...

Page 833: ...D MAC address has the format 02 E0 52 hash value vrid where hash value is a two octet hashed value for the IP address and vrid is the VRID The priority for the router on the right is 100 which is the default priority for Backups in VRRP and VRRPE However the priority for the router on the left is 200 In this case the priority has been changed during configuration from the default value to 200 In F...

Page 834: ...faces configured in the Layer 3 Switches As a result the protocol does not have an Owner as VRRP does There is no restriction on which router can be the default master router In VRRP the Owner the Layer 3 Switch on which the IP interface that is used for the VRID is configured must be the default Master Foundry Layer 3 Switches configured for VRRPE can interoperate only with other Foundry Layer 3 ...

Page 835: ...not use more than one redundancy protocol VRRP VRRPE or FSRP on the same device VRRP and VRRPE Parameters Table 21 1 lists the VRRP and VRRPE parameters Most of the parameters and default values are the same for both protocols The exceptions are noted in the table Table 21 1 VRRP and VRRPE Parameters Parameter Description Default See page Protocol The Virtual Router Redundancy Protocol VRRP based ...

Page 836: ...able 21 3 Authentication type The type of authentication the VRRP or VRRPE routers use to validate VRRP or VRRPE packets The authentication type must match the authentication type the VRID s port uses with other routing protocols such as OSPF No authentication The interfaces do not use authentication This is the VRRP default Simple The interface uses a simple text string as a password in packets s...

Page 837: ...the Backups for a given VRID The interval can from 1 84 seconds One second 21 4 21 16 Dead interval The number of seconds a Backup waits for a Hello message from the Master for the VRID before determining that the Master is no longer active If the Master does not send a Hello message before the dead interval expires the Backups negotiate compare priorities to select a new Master for the VRID Three...

Page 838: ...RID must already be configured on the router that will be the Owner router An IP address es associated with the VRID must be on only one router The Hello interval must be set to the same value on both the Owner and Backup s for the VRID The Dead interval must be set to the same value on both the Owner and Backup s for the VRID The track priority on a router must be lower than the router s VRRP pri...

Page 839: ...e protocols all the configuration information for the disabled protocol is removed from the startup config file The CLI displays a warning message such as the following BigIron config vrrp router no router vrrp router vrrp mode now disabled All vrrp config data will be lost when writing to flash The Web management interface does not display a warning message If you have disabled the protocol but h...

Page 840: ...terfaces also must use the same authentication Foundry s implementation of VRRP and VRRPE supports the following authentication types No authentication The interfaces do not use authentication This is the default for VRRP and VRRPE Simple The interfaces use a simple text string as a password in packets sent on the interface If the interfaces use simple password authentication the VRID configured o...

Page 841: ...RID When you configure a Backup router the router interface on which you are configuring the VRID must have a real IP address that is in the same sub net as the address associated with the VRID by the Owner However the address cannot be the same USING THE CLI To configure Router1 as a VRRP VRID s Owner enter the following commands Router1 config inter e 1 6 Router1 config if 1 6 ip vrrp vrid 1 Rou...

Page 842: ...o the Backups The Backups use the Hello messages as verification that the Master is still on line If the Backup routers stop receiving the Hello messages for the period of time specified by the Dead interval the Backup routers determine that the Master router is dead At this point the Backup router with the highest priority becomes the new Master router The Hello interval can be from 1 84 seconds ...

Page 843: ...e same for VRRP and VRRPE Track Port You can configure the VRID on one interface to track the link state of another interface on the Layer 3 Switch This capability is quite useful for tracking the state of the exit interface for the path for which the VRID is providing redundancy See Track Ports and Track Priority on page 21 5 USING THE CLI To configure 1 6 on Router1 to track interface 2 4 enter ...

Page 844: ...navailable when ownership changed If you enable the non preempt mode thus disabling the preemption feature on all the Backups the Backup that becomes the Master following the disappearance of the Master continues to be the Master The new Master is not preempted NOTE In VRRP regardless of the setting for the preempt parameter the Owner always becomes the Master again when it comes back online USING...

Page 845: ... active In addition the administrative status is now deactivated instead of activated To change the Master s priority back to the default Owner priority 255 enter no followed by the command you entered to change the priority For example to change the priority of a VRRP Owner back to 255 from 99 enter the following command BigIron config if 1 6 vrid 1 no owner priority 99 You cannot set the priorit...

Page 846: ... a virtual interface If you use this parameter the command displays VRRP or VRRPE information only for the specified virtual interface The stat parameter displays statistics See Displaying Statistics on page 21 27 This display shows the following information Table 21 2 CLI Display of VRRP or VRRPE Summary Information This Field Displays Total number of VRRP or VRRP Extended routers defined The tot...

Page 847: ...P Backup BigIron Router config show ip vrrp Total number of VRRP routers defined 1 Interface ethernet 1 5 auth type no authentication State This Layer 3 Switch s VRRP or VRRPE state for the VRID The state can be one of the following Init The VRID is not enabled activated If the state remains Init after you activate the VRID make sure that the VRID is also configured on the other routers and that t...

Page 848: ...n 00 00 03 track port 2 4 Syntax show ip vrrp brief ethernet portnum ve num stat Syntax show ip vrrp extended brief ethernet portnum ve num stat The brief parameter displays summary information See Displaying Summary Information on page 21 19 The ethernet portnum parameter specifies an Ethernet port If you use this parameter the command displays VRRP or VRRPE information only for the specified por...

Page 849: ...3 Switch is a Backup for the VRID master This Layer 3 Switch is the Master for the VRID administrative status The administrative status of the VRID The administrative status can be one of the following disabled The VRID is configured on the interface but VRRP or VRRPE has not been activated on the interface enabled VRRP or VRRPE has been activated on the interface mode Indicates whether the Layer ...

Page 850: ...ue actually in use by this interface for the VRID Note This field does not apply to VRRP Owners preempt mode Whether the backup preempt mode is enabled Note This field does not apply to VRRP Owners virtual ip address The virtual IP addresses that this VRID is backing up advertise backup The IP addresses of Backups that have advertised themselves to this Layer 3 Switch by sending Hello messages Not...

Page 851: ...ter and the Backup is configured to send Hello messages the advertise backup option is enabled master router ip addr expires in time The IP address of the Master and the amount of time until the Master s dead interval expires If the Backup does not receive a Hello message from the Master by the time the interval expires either the IP address listed for the Master will change to the IP address of t...

Page 852: ...he VRID Backup Dead Intv The number of seconds a Backup waits for a Hello message from the Master for the VRID before determining that the Master is no longer active If the Master does not send a Hello message before the dead interval expires the Backups negotiate compare priorities to select a new Master for the VRID Backup Preempt The state of the Backup preempt mode The Backup preempt mode prev...

Page 853: ...um parameter specifies an Ethernet port If you use this parameter the command displays detailed VRRP or VRRPE information only for the specified port See Displaying Detailed Information on page 21 21 The ve num parameter specifies a virtual interface If you use this parameter the command displays detailed VRRP or VRRPE information only for the specified virtual interface See Displaying Detailed In...

Page 854: ...nother VRRP or VRRPE router the Backup becomes the Master rxed vrrp vrid not found error count The number of VRRP or VRRPE packets received by the interface that contained a VRID that is not configured on this interface VRID Statistics rxed arp packet drop count The number of ARP packets addressed to the VRID that were dropped rxed ip packet drop count The number of IP packets addressed to the VRI...

Page 855: ...an one interface the display lists the statistics separately for each interface ID The VRID State This Layer 3 Switch s VRRP state for the VRID The state can be one of the following Init The VRID is not enabled activated If the state remains Init after you activate the VRID make sure that the VRID is also configured on the other routers and that the routers can communicate with each other Note If ...

Page 856: ...n display CPU utilization statistics for VRRP and other IP protocols USING THE CLI To display CPU utilization statistics for the previous one second one minute five minute and fifteen minute intervals enter the following command at any level of the CLI BigIron show process cpu Process Name 5Sec 1Min 5Min 15Min Runtime ms ARP 0 01 0 03 0 09 0 22 9 BGP 0 04 0 06 0 08 0 14 13 ICMP 0 00 0 00 0 00 0 00...

Page 857: ...he num parameter specifies the number of seconds and can be from 1 900 If you use this parameter the command lists the usage statistics only for the specified number of seconds If you do not use this parameter the command lists the usage statistics for the previous one second one minute five minute and fifteen minute intervals USING THE WEB MANAGEMENT INTERFACE You cannot display this information ...

Page 858: ...is the same IP address as the one entered when configuring Router1 In this case the IP address cannot also exist on Router2 but the interface on which you are configuring the VRID Backup must have an IP address in the same sub net By entering the same IP address as the one associated with this VRID on the Owner you are configuring the Backup to back up the address but you are not duplicating the a...

Page 859: ...assword for read write access The System configuration dialog is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to VRRP in the tree view to expand the list of VRRP option links 4 Click on the Virtual Router link If the device does not have a VRRP virtual router configured the VRRP configuration panel i...

Page 860: ...nterface s IP address in the IP Address List field In this example enter 192 53 5 1 10 Select the mode Owner or Backup Select Owner in this example 11 Enter the track priority or leave the field blank to use the default In this example enter 20 12 Enter or select the track interface or port If you want to use a virtual interface as a track port enter the virtual interface name If you want to use a...

Page 861: ... the IP Address List field In this example enter 192 53 5 1 By entering the same IP address as the one associated with this VRID on the Owner you configure the Backup to back up the address but you are not duplicating the address NOTE When you configure a Backup router the router interface on which you are configuring the VRID must have a real IP address that is in the same sub net as the address ...

Page 862: ...entered when configuring Router1 In this case the IP address cannot also exist on Router2 but the interface on which you are configuring the VRID Backup must have an IP address in the same sub net By entering the same IP address as the one associated with this VRID on the Owner you are configuring the Backup to back up the address but you are not duplicating the address NOTE When you configure a B...

Page 863: ...ique IP addresses to ports on existing routers in the network routers that could provide a path between the given hosts NOTE Virtual IP router addresses are in addition to the IP address assigned to each IP interface For example in Figure 22 1 suppose you want to provide continual connectivity between Host 1 and Host 3 with the use of redundant paths A virtual router is created by assigning the sa...

Page 864: ...ink Activity Power Console TurboIron FDX Link Act FDX Link Act Link Activity Link Activity Power Console TurboIron FDX Link Act FDX Link Act 192 53 5 2 192 53 5 3 192 55 4 2 192 55 4 3 A B C D Host 3 IP Address for Interface A 192 53 5 2 Virtual Router IP address for Interface A 192 53 5 1 Router 1 IP Address for Interface C 192 55 4 2 Virtual Router IP address for Interface C 192 55 4 1 IP Addres...

Page 865: ...er preference to the router If the preference for two routers is equal the interface with the higher IP address takes precedence as the active router Link status is monitored using a track port Track Ports A track port tracks the status of the ports that are providing redundant paths You can assign any port to be a track port however a port that is providing a redundant path cannot serve as its ow...

Page 866: ...inks This results in NetIron1 the router that was originally assigned to serve as the active router having a mix of active and standby links To bias all traffic and link traffic to the standby router assign all other redundant links as track ports for all other interfaces on the router For example on NetIron1 you would assign interfaces e1 e2 and e3 as track ports for e4 Interfaces e1 e2 and e4 wo...

Page 867: ...ncy you can use either protocol The features provided by the two protocols are similar yet the protocols do differ in the following ways VRRP uses an IP multicast address for VRRP management traffic while FSRP uses pre defined unicast addresses VRRP uses real IP addresses assigned to an interface and does not use virtual IP addresses whereas FSRP must use one pre defined virtual IP address for eac...

Page 868: ...s ip addr parameter commands NOTE If you are using the Web Management interface you enable FSRP on the System configuration panel All other parameters interface are configured on the FSRP configuration panel Configuration Rules for FSRP Virtual interfaces cannot be assigned as track ports The keep alive time value must be set to the same value on both the active and standby router when both router...

Page 869: ...192 53 5 1 for interface A defined by IP address 192 53 5 2 and Ethernet port 17 enter the following commands Router1 config inter e 17 Router1 config if 17 ip fsrp address 192 53 5 2 vir rtr ip 192 53 5 1 other rtr ip 192 53 5 3 Notice that the latter command also defines the other router used in this configuration by entering the IP address for Interface B on Router 2 other rtr ip 192 53 5 3 Vir...

Page 870: ... 2 Router2 config inter e 17 Router2 config if 17 ip fsrp address 192 53 5 3 vir rtr ip 192 53 5 1 other rtr ip 192 53 5 2 NOTE The steps outlined in examples 1 and 2 also should be followed when creating and assigning the virtual router IP address 192 55 4 1 for interfaces C 192 55 4 2 and D 192 55 4 3 Assign the Track Port s Track ports monitor the relationship between the active and standby rou...

Page 871: ...ad If the configured period of time expires the standby router becomes active NOTE The router dead time parameter must be set to the same value on both the active and standby router when both routers are connected to the same sub net EXAMPLE To modify the router dead time parameter for interfaces A and C on Router 1 to 30 seconds from the default of 9 seconds you would enter the following Router1 ...

Page 872: ... being configured a value of 200 is entered 8 Modify the keep alive time parameter if a value other than the default value of 3 seconds is desired For this configuration modify the value to 15 NOTE The keep alive time parameter allows the user to modify how often the FSRP hello message is sent on an interface Possible values are 1 120 seconds The default is 3 seconds NOTE The keep alive time param...

Page 873: ...y state when a subset of the ports goes down you need to configure track ports Figure 22 6 Configuring FSRP on virtual interfaces Configuring Multiple Track Ports for Virtual Interfaces In Figure 22 6 NetIron1 is the active router and NetIron2 the standby router for all active FSRP interfaces Suppose you want NetIron1 to go into the FSRP standby state and establish NetIron2 as the active router in...

Page 874: ...e following commands NetIron config int ve1 NetIron config vif 1 ip address 192 147 200 1 255 255 255 0 NetIron config vif 1 ip fsrp address 192 147 200 1 vir rtr 192 147 200 100 other rtr 192 147 200 2 NetIron config vif 1 ip fsrp addr 192 147 200 1 track port 1 2 3 8 To enable FSRP on physical interface 8 and to configure ports 1 2 and 3 as its track ports you would enter the following commands ...

Page 875: ... updates at 60 second intervals NetWare uses these broadcasts to collect information for the routing and service tables that it uses for communicating NOTE IPX RIP is different from IP RIP IP RIP configuration parameters do not apply to IPX RIP and IPX RIP parameters do not apply to IP RIP Multiple IPX Frame Type Support per Interface Up to four different IPX network numbers and frame encapsulatio...

Page 876: ...terface Parameters Adding deleting or modifying IPX network numbers and frame types Adding deleting or modifying filter groups assigned to interfaces Modifying the RIP advertisement packet size Modifying the SAP advertisement packet size Modifying the RIP advertisement interval Modifying the SAP advertisement interval Modifying the age timer for learned IPX routes Modifying the age timer for learn...

Page 877: ... on the plus sign next to IPX in the tree view to expand the list of IPX option links 4 Click on the Allow NetBIOS Type 20 link to display the NetBIOS panel 5 Select Enable 6 Click the Apply button to apply the changes to the device s running config file 7 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the de...

Page 878: ... displayed as shown in the following example If an IPX interface is already configured and you are adding a new one click on the Configure IPX Interface link to display the IPX interface configuration panel as shown in the following example If you are modifying an existing IPX interface click on the Modify button to the right of the row describing the interface to display the IPX configuration pan...

Page 879: ...any source node number any destination network number any destination node number any destination socket number any Syntax ipx forward filter group in out filter id NOTE When you define filters the network number for a server is its internal network number The node number for a client is the client s MAC address The value 1 represents a server USING THE WEB MANAGEMENT INTERFACE EXAMPLE To allow IP...

Page 880: ...ept any destination network number 11 Enter the Destination Node network number If you enter all zeros in this field the filter will accept any destination node network number 12 Click the Add button to apply the changes to the device s running config file 13 Select the Forward Filter Group link If the device does not have an IPX forward filter group configured the Filter Group configuration panel...

Page 881: ...r outgoing traffic You can define up to 128 IPX RIP filters on a router NOTE An IPX interface must be defined on the router before you can assign a filter to that interface EXAMPLE To block RIP routes from being advertised outside of Network 100 shown in Figure 23 1 define and assign the following RIP filter on interface 1 USING THE CLI NetIron config ipx rip filter 1 deny 100 01010101 any NetIron...

Page 882: ...does not have an IPX RIP filter group configured the Filter Group configuration panel is displayed as shown in the following example If an IPX RIP filter group is already configured and you are adding a new one click on the Add RIP Filter Group link to display the Filter Group configuration panel as shown in the following example If you are modifying an existing IPX RIP filter group click on the M...

Page 883: ...t and received by default However once you configure an access filter the default action changes from permit to deny Thus SAP updates that are not explicitly permitted are denied To change the default action to permit configure SAP access list 32 to permit all updates on all networks NOTE Each IPX SAP access list is a single filter This is different from the system wide ACLs which each can contain...

Page 884: ...o use round robin to select servers for replies to GSN requests enter the following commands BigIron config ipx gns round robin BigIron config write memory Syntax no ipx gns round robin USING THE WEB MANAGEMENT INTERFACE You cannot enable round robin for GNS replies using the Web management interface Filter GNS Replies You can use IPX access lists to permit or deny specific services and servers in...

Page 885: ...ne of the following methods to do so USING THE CLI To disable IPX GNS replies on port 1 1 enter the following commands GNS replies are disabled for all IPX interfaces on the port BigIron config int eth 1 1 BigIron config if 1 1 ipx gns reply disable BigIron config if 1 1 write memory Syntax no ipx gns reply disable USING THE WEB MANAGEMENT INTERFACE You cannot disable IPX GNS replies using the Web...

Page 886: ...o reload the software Changes to table sizes do not take effect until you reload the software Modify RIP and SAP Hop Count Increment You can modify the incremental value hop that the router adds to a RIP or SAP record before propagating the record to the next interface By default a value of one is added to a record before it is broadcast to the next interface In a network of parallel routers the r...

Page 887: ...he following command This command increases the number of IPX RIP routes an advertisement packet holds from 50 to 100 BigIron config int e 1 1 BigIron config if 1 1 ipx rip max packetsize 832 BigIron config if 1 1 write memory Syntax ipx rip max packetsize bytes The number of bytes can be from 40 bytes enough for one route 1488 bytes enough for 182 routes The default is 432 bytes USING THE WEB MAN...

Page 888: ...interface 1 1 from 60 seconds to 30 seconds enter the following commands BigIron config int e 1 1 BigIron config if 1 1 ipx update time 30 BigIron config if 1 1 write memory Syntax ipx update time interval The interval can be from 10 65535 seconds The default is 60 USING THE WEB MANAGEMENT INTERFACE You cannot modify the RIP advertisement interval using the Web management interface Modify the SAP ...

Page 889: ...yntax ipx rip multiplier num The num parameter specifies the age time and can be from 1 65535 The default is 3 USING THE WEB MANAGEMENT INTERFACE You cannot modify the route age timer using the Web management interface Modify the Age Timer for Learned SAP Entries The age timer specifies how many seconds a learned IPX server can remain in the Layer 3 Switch s IPX service table before aging out The ...

Page 890: ...G THE CLI To display IPX configuration information enter the following command at any CLI level BigIron show ipx IPX Enabled NetBIOS type 20 Disallowed Maximum RIP entries 2048 Maximum SAP entries 4096 Maximum IPX RIP filters 32 Maximum IPX SAP filters 32 Maximum IPX forward filters 32 Syntax show ipx This display shows the following information Table 23 1 CLI Display of Global IPX Configuration I...

Page 891: ... filter IPX SAP filters Displaying IPX Interface Information To display IPX interface information for the router use one of the following methods USING THE CLI To display IPX interface information enter the following command at any CLI level BigIron show ipx interface ethernet 3 5 Interface Ethernet 3 5 MAC address 00e0 5284 0b44 Port state UP IPX network 0000ABCD Frame type ethernet_snap Allow Ne...

Page 892: ...ent interval specifies how often the Layer 3 Switch sends IPX RIP updates to neighboring IPX routers To modify this parameter see Modify the RIP Advertisement Interval on page 23 14 rip max packet size The maximum packet size for IPX RIP updates The default IPX RIP packet size is 432 bytes which allows 50 routes plus 32 bytes of header in an IPX RIP update packet To modify this parameter see Modif...

Page 893: ...thernet_802 3 5 3 32D564FA 00a0 24bf 89ca off ethernet_802 3 5 Syntax show ipx cache num hex The num hex parameter lets you specify an IPX network number This display shows the following information sap max packet size The maximum packet size for IPX SAP advertisements The default IPX SAP packet size is 480 bytes which allows seven servers plus 32 bytes of header in an IPX SAP update packet To mod...

Page 894: ...nd at any CLI level BigIron show ipx route Total number of IPX route entries 3 Forwarding Index Network Router Hops Ticks Port 1 11110007 0000 0000 0000 0 1 7 2 32D564FA 00a0 24bf 89ca 1 2 5 3 11110005 0000 0000 0000 0 1 5 Syntax show ipx route num hex The num hex parameter lets you specify an IPX network number Router The MAC address of the next hop IPX router If the destination is local the addr...

Page 895: ...lowing command at any CLI level BigIron show ipx servers Total number of IPX server entries 3 Index Network Node Socket Type Hops 1 32D564FA 0000 0000 0001 0005 026B 1 Server name FoundryD 2 32D564FA 0000 0000 0001 4006 0278 1 Server name FoundryM 3 32D564FA 0000 0000 0001 0451 0004 1 Server name Foundry MPR2 Syntax show ipx servers name The name parameter lets you specify a server name Table 23 4...

Page 896: ...ped Filtered Port Forward Receive Transmit Receive Transmit Receive Transmit 1 5 46 36 8 2 0 0 0 1 7 0 0 6 0 0 0 0 Tot 46 36 14 2 0 0 0 Syntax show ipx traffic This display shows the following information Table 23 5 CLI Display of IPX Server Table This Field Displays Index The index number of the table entry Network The network in which the server is located Node The six byte node number The node ...

Page 897: ...opped Receive The number of packets received on this port by the Layer 3 Switch that the Layer 3 Switch dropped Dropped Transmit The number of packets queued for sending on this port by the Layer 3 Switch but then dropped Filtered Receive The number of packets received by this port that matched an inbound IPX filter configured on the port Filtered Transmit The number of packets queued for sending ...

Page 898: ...cv Packets The number of IPX packets received on the port Tx Packets The number of IPX packets originated on the Layer 3 Switch and sent on the port Rcv Drop Packets The number of packets received on this port by the Layer 3 Switch that the Layer 3 Switch dropped Tx Drop Packets The number of packets queued for sending on this port by the Layer 3 Switch but then dropped Rcv Filter Packets The numb...

Page 899: ...ron Each network is composed of nodes workstations printers and servers AppleTalk zones are assigned across AppleTalk networks to further define end user access to shared resources such as printers and servers Address Assignment AppleTalk node addresses are assigned dynamically When a Macintosh running AppleTalk starts up it selects a network address and checks to see if that address is already in...

Page 900: ...sections on filtering Figure 24 1 AppleTalk Zones defined within and across AppleTalk networks Zone Filtering Zone filtering allows you to define access for a network and its nodes by defining single permit or deny filters rather than defining an access list for each node independently By eliminating the need to enter separate numbers for each device or network segment zone filters improve overall...

Page 901: ...Zone Information Protocol ZIP maintains the mapping between defined network numbers and zone names within an AppleTalk network This information is stored on a router in the zone information table ZIP also uses information from the RTMP routing table to stay current on the network topology Transport Layer Support Routing Table Maintenance Protocol RTMP RTMP establishes and maintains the AppleTalk r...

Page 902: ...begin using AppleTalk on a Foundry router perform the following tasks 1 Enable AppleTalk on the router if it is not already enabled 2 Configure AppleTalk as either a seed or a non seed router When you configure a seed router you define the cable range address and zone names for the router When you configure a non seed router the router will learn its parameters from another AppleTalk router on the...

Page 903: ...USING THE CLI This section describes defining a cable range assigning network addresses and zones and enabling AppleTalk routing on an interface Configuring the Cable Range for an Interface To support network numbers from 10 50 on interface 3 enter the following commands BigIron config int e 3 BigIron config if 3 appletalk cable 10 50 Syntax appletalk cable network number network number network nu...

Page 904: ... AppleTalk on the router as well as how to configure the cable range network address and zones for an AppleTalk seed router To enable AppleTalk on the router 1 Log on to the device using a valid user name and password for read write access The System configuration dialog is displayed 2 Select the Enable radio button next to AppleTalk 3 Click the Apply button to apply the changes to the device s ru...

Page 905: ...1 Enter the AppleTalk address for the port The address should be a two decimal number and the first number should be within the network range entered in step 10 above 12 Enter a zone name for the port NOTE If you do not enter any values other than zero in the network range or address field and the zone name field is empty the router will be a non seed router 13 Click the Apply button to apply the ...

Page 906: ...ase 3 0 software or earlier you must reset reboot the system using the reload command All changes after that are dynamic and take effect immediately NOTE By definition values for the network range AppleTalk address and zone name fields are never entered for a non seed router If you enter information into these fields the router is a seed router NOTE Once configured as a non seed router the router ...

Page 907: ...of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Modifying AppleTalk Interface Configurations Once AppleTalk is active on a router all configuration changes are dynamic and require no reset However once you configure an interface for AppleTalk you must disable AppleTalk routing before you can make any changes to the cab...

Page 908: ...Click the Apply button to apply the changes to the device s running config file 9 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Filtering AppleTalk Zones and Networks Defining Zone Filters Zone filtering allows you to define access for a network and its nodes by entering single perm...

Page 909: ...ING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access The System configuration dialog is displayed 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to AppleTalk in the tree view to expand the list of AppleTalk option links FieldService Zone Apple Server ...

Page 910: ... from the RTMP packet before it is transmitted out of the interface 9 Click the Apply button to apply the changes to the device s running config file 10 Select the Save link at the bottom of the dialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory Define Additional Zone Filters When defining AppleTalk zone filters you must define ...

Page 911: ...ure AppleTalk Zone Filter link to display the AppleTalk Zone Filter configuration panel If you are modifying an existing AppleTalk zone filter click on the Modify button to the right of the row describing the filter to display the AppleTalk Zone Filter configuration panel 5 Select the interface for which the zone filter is to be defined from the port or slot port pull down menu s In this example y...

Page 912: ...rting AppleTalk VLANs Foundry routers support routing between AppleTalk VLANs using virtual interfaces The virtual interfaces provide VLANs access to the router functions of Foundry routers Using these virtual interfaces eliminates the need to assign a physical port for routing between local VLANs AppleTalk routing between virtual and physical interfaces is also supported EXAMPLE In Figure 24 3 Ap...

Page 913: ...k address 300 50 BigIron config if 8 appletalk zone name Finance BigIron config if 8 appletalk routing To configure the defined AppleTalk VLAN virtual interface ve3 enter the following commands BigIron config if 8 int ve 3 BigIron config vif 3 appletalk cable range 100 100 BigIron config vif 3 appletalk address 100 50 BigIron config vif 3 appletalk zone name Marketing BigIron config vif 3 appletal...

Page 914: ...gure physical interface port 8 NOTE Each of the above tasks is described in the following sections Figure 24 4 Routing between AppleTalk VLANs USING THE CLI BigIron config vlan 2 by port BigIron config vlan 2 untag e3 to 4 BigIron config vlan 2 atalk proto BigIron config vlan atalk proto static e3 to 4 BigIron config vlan atalk proto router interface ve 5 BigIron config vlan atalk proto end BigIro...

Page 915: ...Talk ARP retransmission count AppleTalk ARP retransmission interval AppleTalk glean packets AppleTalk QoS socket assigns a higher priority AppleTalk RTMP update interval AppleTalk ZIP query interval The following sections describe these parameters and show how to change them AppleTalk ARP Age To change the AppleTalk ARP age in software release 06 0 00 use one of the following methods USING THE CLI...

Page 916: ...defined until the information is received If no response is received before the count number expires the router does not send any additional packets Possible values are from 1 10 The default is 2 EXAMPLE To modify the number of times packet requests are sent out for ARP updates from the default 2 to 8 use one of the following methods USING THE CLI BigIron config appletalk arp retransmit count 8 Sy...

Page 917: ...e following methods USING THE CLI BigIron config appletalk glean packets Syntax appletalk glean packets USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid user name and password for read write access 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the plus sign next to AppleTalk in the tree view to expand the l...

Page 918: ... the router retransmits ZIP query messages Possible values are from 1 1000 seconds The default is 10 seconds EXAMPLE To change the ZIP query interval to 30 seconds from the default value 10 seconds use one of the following methods USING THE CLI BigIron config appletalk zip query interval 30 Syntax appletalk zip query 1 1 000 USING THE WEB MANAGEMENT INTERFACE 1 Log on to the device using a valid u...

Page 919: ...Monitor in the tree view to display the monitoring options 3 Click on the plus sign next to AppleTalk in the tree view to expand the list of AppleTalk option links 4 Select one of the following links The ARP Cache link The Forward Cache link The Interface link The Interface Zone link The Routing Table link The Traffic link The Zone Table link Clearing AppleTalk Information USING THE CLI When using...

Page 920: ...d for read write access The System configuration dialog is displayed 2 Click on the plus sign next to Command in the tree view to expand the list of command options 3 Click on the Clear link to display the Clear panel 4 Select one of the following AppleTalk ARP Cache AppleTalk Forward Cache AppleTalk Route AppleTalk Statistics 5 Click the Apply button to implement the change ...

Page 921: ...ypes of VLANs on Foundry devices Layer 2 port based VLAN a set of physical ports that share a common exclusive Layer 2 broadcast domain Layer 3 protocol VLANs a subset of ports within a port based VLAN that share a common exclusive broadcast domain for Layer 3 broadcasts of the specified protocol type IP sub net VLANs a subset of ports in a port based VLAN that share a common exclusive sub net bro...

Page 922: ... AppleTalk VLAN accepts only broadcasts for the specified IP sub net IPX network or AppleTalk cable range NOTE Protocol VLANs are different from IP sub net IPX network and AppleTalk cable VLANs A port based VLAN cannot contain both an IP sub net IPX network or AppleTalk cable VLAN and a protocol VLAN for the same protocol For example a port based VLAN cannot contain both an IP protocol VLAN and an...

Page 923: ...e Layer 2 broadcast domain by default each VLAN runs a separate instance of the Spanning Tree Protocol STP Layer 2 traffic is bridged within a port based VLAN and Layer 2 broadcasts are sent to all the ports within the VLAN Layer 3 Protocol Based VLANs If you want some or all of the ports within a port based VLAN to be organized according to Layer 3 protocol you must configure a Layer 3 protocol b...

Page 924: ...h Routing ISR Foundry Networks Integrated Switch Routing ISR feature enables VLANs configured on Layer 3 Switches to route Layer 3 traffic from one protocol VLAN or IP sub net IPX network or AppleTalk cable VLAN to another Normally to route traffic from one IP sub net IPX network or AppleTalk cable VLAN to another you would need to forward the traffic to an external router The VLANs provide Layer ...

Page 925: ...t based VLAN that contains ports 1 10 you can configure port 5 as a member of an AppleTalk protocol VLAN an IP protocol VLAN and an IPX protocol VLAN and so on IP Sub Net IPX Network and AppleTalk Cable VLANs The protocol based VLANs described in the previous section provide separate protocol broadcast domains for specific protocols For IP IPX and AppleTalk you can provide more granular broadcast ...

Page 926: ... port based VLANs by tagging the port See the following section If your network requires that you use VLAN ID 1 for a user configured VLAN you can reassign the default VLAN to another valid VLAN ID See Assigning a Different VLAN ID to the Default VLAN on page 25 16 802 1q Tagging 802 1q tagging is an IEEE standard that allows a networking device to add information to a Layer 2 packet in order to i...

Page 927: ... single port based VLAN tagging is not required If you use tagging on multiple devices each device must be configured for tagging and must use the same tag value In addition the implementation of tagging must be compatible on the devices The tagging on all Foundry devices is compatible with other Foundry devices 6 bytes Destination Address 2 bytes Length Field Up to 1496 bytes Data Field 4 bytes C...

Page 928: ...can enable STP for the ports within a port based VLAN even when STP is globally disabled or disable the ports within a port based VLAN when STP is globally enabled STP is a Layer 2 protocol Thus you cannot enable or disable STP for individual protocol VLANs or for IP sub net IPX network or AppleTalk cable VLANs The STP state of a port based VLAN containing these other types of VLANs determines the...

Page 929: ...n Layer 3 Switch to route IP traffic from one IP sub net VLAN to another you must configure a virtual interface on each IP sub net VLAN then configure the appropriate IP routing parameters on each of the virtual interfaces Figure 25 6 shows an example of Layer 3 protocol VLANs that use virtual interfaces for routing Figure 25 6 Use virtual interfaces for routing between Layer 3 protocol VLANs VE 1...

Page 930: ...inutes the port is removed from the VLAN However the port remains a candidate for port membership Thus if the port receives traffic for the VLAN s protocol the device adds the port back to the VLAN After the port is added back to the VLAN the port can remain an active member of the VLAN up to 20 minutes without receiving traffic for the VLAN s protocol If the port ages out it remains a candidate f...

Page 931: ...age out after 10 minutes and become candidate ports Figure 25 8 VLAN with dynamic ports inactive ports time out after 10 minutes C candidate port A active port When you add ports dynamically all the ports are added when you add the VLAN A A A A A A A A All ports are active when you add the VLAN but time out after 10 minutes without receiving traffic for the VLAN s protocol IP sub net IPX network o...

Page 932: ...dcast packets and never broadcasts any Layer 3 broadcasts of other protocol types If you want to ensure that no broadcasts other than those of the VLAN s protocol get through use static ports Dynamic ports leak every eighth broadcast packet of another protocol type through the port Thus if an IP protocol VLAN receives eight AppleTalk broadcast packets the VLAN port drops the first seven packets bu...

Page 933: ...ual Private Network VPN applications ins which you need to provide a private dedicated Ethernet connection for an individual client to transparently reach its sub net across multiple networks For an application example and configuration information see Configuring Super Aggregated VLANs on page 25 47 Trunk Group Ports and VLAN Membership A trunk group is a set of physical ports that are configured...

Page 934: ...VLAN A protocol VLAN cannot include ports from multiple port based VLANs This rule is required to ensure that port based VLANs remain loop free Layer 2 broadcast domains IP Protocol and IP Subnet VLANs cannot operate concurrently on the system or within the same port based VLAN IPX Protocol and IPX Network VLANs cannot operate concurrently on the system or within the same port based VLAN If you fi...

Page 935: ...e protocols If the router interfaces for IP IPX or AppleTalk are configured on physical ports then routing occurs independent of the Spanning Tree Protocol STP However if the router interfaces are defined for any type VLAN they are virtual interfaces and are subject to the rules of STP If your backbone is comprised of virtual interfaces all within the same STP domain it is a bridged backbone not a...

Page 936: ... can assign a different VLAN ID to the default VLAN To reassign the default VLAN to a different VLAN ID enter the following command BigIron config default vlan id 4095 Syntax default vlan d vlan id You must specify a valid VLAN ID that is not already in use For example if you have already defined VLAN 10 do not try to use 10 as the new VLAN ID for the default VLAN Valid VLAN IDs are numbers from 1...

Page 937: ... 222 vlan 333 by port FastIron config vlan 333 untag e9 to 16 Syntax vlan vlan id by port Syntax untagged ethernet portnum to portnum ethernet portnum VLAN 222 Ports 1 8 VLAN 333 Ports 9 16 NetIron Router 1 2 3 4 5 6 7 8 FDX Link Act FDX Link Act 9 10 11 12 13 14 15 16 FDX Link Act FDX Link Act Power Console Port 1 Port 9 FastIron NetIron Router FastIron Workgroup 1 2 3 4 5 6 7 8 FDX Link Act FDX ...

Page 938: ...t 25 to 26 NetIron Router 1 2 3 4 5 6 7 8 FDX Link Act FDX Link Act 9 10 11 12 13 14 15 16 FDX Link Act FDX Link Act Power Console NetIron Router FastIron A FastIron B IP Subnet1 IPX Net 1 Atalk 100 1 Zone A IP Subnet4 IPX Net 4 Atalk 400 1 Zone D IP Subnet2 IPX Net 2 Atalk 200 1 Zone B IP Subnet3 IPX Net 3 Atalk 300 1 Zone C Port 17 Port 18 Port 19 Port 20 FastIron C FastIron Workgroup 17 18 19 2...

Page 939: ... 500 FastIron B config vlan 3 vlan 4 name BLUE FastIron B config vlan 4 untag ethernet 9 to 12 FastIron B config vlan 4 tag ethernet 25 to 26 FastIron B config vlan 4 vlan 5 name RED FastIron B config vlan 5 untag ethernet 13 to 16 FastIron B config vlan 5 tag ethernet 25 to 26 FastIron B config vlan 5 end FastIron B write memory Configuring FastIron C Enter the following commands to configure Fas...

Page 940: ...on A configure terminal FastIron A config 2 Enter the following command FastIron A config no vlan 5 FastIron A config 3 Enter the following commands to exit the CONFIG level and save the configuration to the system config file on flash memory FastIron A config FastIron A config end FastIron A write memory FastIron A 4 Repeat steps 1 3 on FastIron B Syntax no vlan vlan id by port Removing a Port fr...

Page 941: ...n A enable No password has been assigned yet FastIron A configure terminal FastIron A config 2 Access the level of the CLI for configuring port based VLAN 2 by entering the following command FastIron A config FastIron A config vlan 2 FastIron A config vlan 2 3 Enable all packets exiting the Layer 2 Switch on VLAN 2 to transmit from the high priority hardware queue of each transmit interface Note t...

Page 942: ...ter the following commands to exit the VLAN CONFIG mode and save the configuration to the system config file on flash memory FastIron B config vlan 3 FastIron B config vlan 3 end FastIron B write memory FastIron B 5 Repeat steps 1 4 on FastIron B NOTE You do not need to configure values for the STP parameters All parameters have default values as noted below Additionally all values will be globall...

Page 943: ...IPX Network and Protocol Based VLANs Protocol based VLANS provide the ability to define separate broadcast domains for several unique Layer 3 protocols within a single Layer 2 broadcast domain Some applications for this feature might include security between departments with unique protocol requirements This feature enables you to limit the amount of broadcast traffic end stations servers and rout...

Page 944: ... 0 24 name Yellow FastIron config ip subnet no dynamic FastIron config ip subnet static ethernet 9 to 16 ethernet 25 3 To permanently assign ports 17 25 to IP sub net VLAN 1 1 3 0 enter the following commands FastIron config ip subnet ip subnet 1 1 3 0 24 name Brown NetIron Router FastIron Workgroup 17 18 19 20 21 22 23 24 FDX 100 Link Act FDX 100 Link Act FDX 100 Link Act FDX 100 Link Act 9 10 11...

Page 945: ... separate STP domains EXAMPLE Suppose you need to provide three separate STP domains across an enterprise campus backbone The first STP domain VLAN 2 requires a set of ports at each Layer 2 Switch location to be statically mapped to IP only No other protocols can enter the switches on this set of ports A second set of ports within STP domain VLAN 2 will be restricted to only IPX traffic The IP and...

Page 946: ...n 2 ip proto name Red FastIron A config vlan ip proto no dynamic FastIron A config vlan ip proto static e1 to 4 e25 to 26 FastIron A config vlan ip proto exclude e5 to 8 V2 V4 V3 V2 V4 V3 V2 V4 V3 NetIron Router 1 2 3 4 5 6 7 8 FDX Link Act FDX Link Act 9 10 11 12 13 14 15 16 FDX Link Act FDX Link Act Power Console FastIron Workgroup 17 18 19 20 21 22 23 24 FDX 100 Link Act FDX 100 Link Act FDX 10...

Page 947: ...to 26 FastIron A config vlan ip subnet exclude e13 to 16 FastIron A config vlan ip subnet ipx net 1 ethernet_802 3 name Brown FastIron A config vlan ipx network no dynamic FastIron A config vlan ipx network static e9 e13 to 16 e25 to 26 FastIron A config vlan ipx network exclude e10 to 12 FastIron A config vlan ipx network other proto name Block_other_proto FastIron A config vlan other proto no dy...

Page 948: ...ands to configure FastIron C FastIron config t FastIron config host FastIron C FastIron C config vlan 2 name IP_IPX_Protocol FastIron C config vlan 2 untag e1 to 8 FastIron C config vlan 2 tag e25 to 26 FastIron C config vlan 2 spanning tree FastIron C config vlan 2 ip proto name Red FastIron C config vlan ip proto no dynamic FastIron C config vlan ip proto static e1 to 4 e25 to 26 FastIron C conf...

Page 949: ...N 4 must remain a flat Layer 2 switched STP domain You enable routing for IP and IPX on a virtual interface only on NetIron A This will provide the flat IP and IPX segment with connectivity to the rest of the network Within VLAN 4 IP and IPX will follow the STP topology All other IP sub nets and IPX networks will be fully routed and have use of all paths at all times during normal operation Figure...

Page 950: ...t based VLAN 2 or 8 Note that the only port based VLAN that requires STP in this example is VLAN 4 You will need to configure the rest of the network to prevent the need to run STP NetIron A config ospf router vlan 2 name IP Subnet_1 1 2 0 24 NetIron A config vlan 2 untag e1 to 4 NetIron A config vlan 2 no spanning tree NetIron A config vlan 2 router interface ve1 NetIron A config vlan 2 other pro...

Page 951: ...config vlan 4 int ve5 NetIron A config vif 5 ip address 1 1 3 1 24 NetIron A config vif 5 ip ospf area 0 0 0 0 NetIron A config vif 5 ipx network 3 ethernet_802 3 NetIron A config vif 5 It is time to configure a separate port based VLAN for each of the routed backbone ports Ethernet 25 and 26 If you do not create a separate tagged port based VLAN for each point to point backbone link you need to i...

Page 952: ...roto no dynamic NetIron B config vlan other proto exclude e1 to 4 NetIron B config vlan other proto int ve1 NetIron B config vif 1 ip addr 1 1 6 1 24 NetIron B config vif 1 ip ospf area 0 0 0 0 NetIron B config vif 1 vlan 8 name IPX_Network6 NetIron B config vlan 8 untag e 5 to 8 NetIron B config vlan 8 no span NetIron B config vlan 8 router int ve2 NetIron B config vlan 8 other proto name block o...

Page 953: ... config ospf router router ipx NetIron C config ospf router vlan 2 name IP Subnet_1 1 9 0 24 NetIron C config vlan 2 untag e1 to 4 NetIron C config vlan 2 no spanning tree NetIron C config vlan 2 router interface ve1 NetIron C config vlan 2 other proto name block other protocols NetIron C config vlan other proto no dynamic NetIron C config vlan other proto exclude e1 to 4 NetIron C config vlan oth...

Page 954: ...rea 0 0 0 0 NetIron C config vif 6 ipx network 5 ethernet_802 3 NetIron C config vif 6 Configuring AppleTalk Cable VLANs You can configure up to eight AppleTalk cable VLANs within a port based VLAN NOTE This feature applies only to Chassis Layer 3 Switches and the TurboIron 8 To configure an AppleTalk cable VLAN you create a port based VLAN then create up to eight cable VLANs within the port based...

Page 955: ...shown in Figure 3 enter the following CLI commands BigIron config vlan 10 by port BigIron config vlan 10 untag ethe 2 1 to 2 2 ethe 3 1 to 3 8 The two commands above add port based VLAN 10 and add ports 2 1 2 2 and 3 1 3 16 to the VLAN The untag command removes ports from the default VLAN and adds them to port based VLAN 10 The default VLAN contains all the ports in the system by default The untag...

Page 956: ...h virtual interface additional commands configure the AppleTalk routing parameters for the interface Notice that each virtual interface has a separate set of routing parameters The routing parameters on each virtual interface are independent of the routing parameters on other virtual interfaces Since each AppleTalk cable VLAN is associated with a separate virtual interface each AppleTalk cable VLA...

Page 957: ... over Each time the port receives traffic for the VLAN s IP sub net or IPX network the aging timer starts over Dynamic ports within any protocol VLAN age out after 10 minutes if no member protocol traffic is received on a port within the VLAN The aged out port however remains as a candidate dynamic port for that VLAN The port becomes active in the VLAN again if member protocol traffic is received ...

Page 958: ...igure an IP sub net VLAN with dynamic ports use one of the following methods USING THE CLI To configure port based VLAN 10 then configure an IP sub net VLAN within the port based VLAN with dynamic ports enter commands such as the following BigIron config vlan 10 by port name IP_VLAN BigIron config vlan 10 untag ethernet 1 1 to 1 6 added untagged port ethe 1 1 to 1 6 to port vlan 10 BigIron config ...

Page 959: ...ink ports When you configure uplink ports in a port based VLAN the device sends all broadcast and unknown unicast traffic from a port in the VLAN to the uplink ports but not to other ports within the VLAN Thus the uplink ports provide tighter broadcast control within the VLAN For example if two ports within a port based VLAN are Gigabit ports attached to the network and the other ports in the VLAN...

Page 960: ... 3 traffic between the sub nets using the sub net addresses NOTE This feature applies only to BigIron Layer 3 Switches NOTE Before using the method described in this section see Configuring VLAN Groups and Virtual Interface Groups on page 25 43 You might be able to achieve the results you want using the methods in that section instead Figure 25 17 shows an example of this type of configuration Fig...

Page 961: ...cy Protocol or FSRP Foundry Standby Router Protocol The Foundry device performs proxy Address Resolution Protocol ARP for hosts that want to send IP traffic to hosts in other VLANs that are sharing the same IP sub net address If the source and destination hosts are in the same VLAN the Foundry device does not need to use ARP If a host attached to one VLAN sends an ARP message for the MAC address o...

Page 962: ... 1 8 In this example all three VLANs contain port 1 8 so the port must be tagged to allow the port to be in multiple VLANs You can configure VLANs to share a Layer 3 protocol interface regardless of tagging A combination of tagged and untagged ports is shown in this example to demonstrate that sharing the interface does not change other VLAN features Notice that each VLAN still requires a unique v...

Page 963: ...l interface group feature is useful when you want to configure the same IP sub net address on all the port based VLANs within a VLAN group You can configure a virtual interface group only after you configure a VLAN group with the same ID The virtual interface group automatically applies to the VLANs in the VLAN group that has the same ID and cannot be applied to other VLAN groups or to individual ...

Page 964: ...commands BigIron config vlan group 1 add vlan 1001 to 1002 BigIron config vlan group 1 remove vlan 900 to 1000 Syntax add vlan vlan id to vlan id Syntax remove vlan vlan id to vlan id USING THE WEB MANAGEMENT INTERFACE You cannot configure this feature using the Web management interface Configuring a Virtual Interface Group A virtual interface group allows you to associate the same IP sub net inte...

Page 965: ...tual interface groups display the running config file If you have saved the configuration to the startup config file you also can verify the configuration by displaying the startup config file The following example shows the running config information for the VLAN group and virtual interface group configured in the previous examples The information appears in the same way in the startup config fil...

Page 966: ... depends on the device you are configuring See Table 25 1 USING THE WEB MANAGEMENT INTERFACE To modify a table size using the Web management interface 1 Log on to the device using a valid user name and password for read write access The System configuration panel is displayed 2 Select the Max Parameter link to display the Configure System Parameter Maximum Value table This table lists the settings...

Page 967: ...gated VLANs You can aggregate multiple VLANs within another VLAN This feature allows you to construct Layer 2 paths and channels This feature is particularly useful for Virtual Private Network VPN applications in which you need to provide a private dedicated Ethernet connection for an individual client to transparently reach its sub net across multiple networks Conceptually the paths and channels ...

Page 968: ...c through the core The core can consist of multiple devices that forward the aggregated VLAN traffic The edge device at the other end of the core separates the aggregated VLANs into the individual client VLANs before forwarding the traffic The edge devices forward the individual client traffic to the clients For the clients perspective the channel is a direct point to point link Figure 25 20 shows...

Page 969: ...red on the core devices is an aggregate of multiple client VLANs the aggregated VLANs greatly increase the number of clients a core device can accommodate This example shows a single link between the core devices However you can use a trunk group to add link level redundancy Port 2 1 Tagged Port 3 1 Untagged Port 2 1 Tagged Ports 1 1 1 5 Untagged Ports 1 1 1 5 Untagged Port 4 1 Tagged Port 3 2 Unt...

Page 970: ...s The edge devices also must have the same tag type but the type must be different from the tag type on the core devices NOTE You can enable the Spanning Tree Protocol STP on the edge devices or the core devices but not both If you enable STP on the edge devices and the core devices STP will prevent client traffic from travelling through the core to the other side Configuring Aggregated VLANs on a...

Page 971: ...decimal value from 0 ffff The default is 8100 USING THE WEB MANAGEMENT INTERFACE You cannot enable VLAN aggregation using the Web management interface Verifying the Configuration You can verify the VLAN VLAN aggregation option and tag configuration by viewing the running config To display the running config enter the show running config command from any CLI prompt After you save the configuration ...

Page 972: ...nfig vlan 101 by port BigIronB config vlan 101 tagged ethernet 2 1 BigIronB config vlan 101 untagged ethernet 1 1 BigIronB config vlan 101 exit BigIronB config vlan 102 by port BigIronB config vlan 102 tagged ethernet 2 1 BigIronB config vlan 102 untagged ethernet 1 2 BigIronB config vlan 102 exit BigIronB config vlan 103 by port BigIronB config vlan 103 tagged ethernet 2 1 BigIronB config vlan 10...

Page 973: ...01 exit BigIronE config vlan 102 by port BigIronE config vlan 102 tagged ethernet 2 1 BigIronE config vlan 102 untagged ethernet 1 2 BigIronE config vlan 102 exit BigIronE config vlan 103 by port BigIronE config vlan 103 tagged ethernet 2 1 BigIronE config vlan 103 untagged ethernet 1 3 BigIronE config vlan 103 exit BigIronE config vlan 104 by port BigIronE config vlan 104 tagged ethernet 2 1 BigI...

Page 974: ...or the packet is a tagged port the switch adds the 802 1q tag to the packet To configure the switch for MAC VLAN support you create a text file containing a list of MAC VLAN entries The MAC VLAN list is a text file that the switch reads from a TFTP server during startup The MAC VLAN file contains entries in the following format Syntax ext mac vlan source mac address vlan id ethernet input port pri...

Page 975: ...h then assigns that packet to the VLAN indicated in the MAC VLAN file In this case the VLAN ID is 10 Since the packet s destination is reached through switch port 10 a tagged port the switch also adds the tag to the packet before placing the packet in the output queue on port 10 The MAC VLAN list does not specify a priority for the packet so the switch uses the priority associated with the port In...

Page 976: ...n the switch to save the configuration change to flash memory write memory Loading a MAC VLAN List The switch automatically uses the information you enter with the ext get config file command to load the MAC VLAN list the next time you reload the switch However you can load a MAC VLAN list at any time by entering the following command at the Privileged EXEC level of the CLI Syntax ext refresh conf...

Page 977: ...OSPF on the System configuration dialog then clicking Apply to apply the change 3 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 4 Click on the plus sign next to VLAN in the tree view to expand the list of VLAN option links 5 Click on the Port link If the device does not have any port based VLANs the Port VLAN configuration panel is displayed ...

Page 978: ...uring a Protocol Based VLAN This procedure describes how to configure a protocol based VLAN To configure an IP sub net VLAN IPX network VLAN or AppleTalk cable VLAN se the sections following this one 1 Log on to the device using a valid user name and password for read write access 2 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 3 Click on the...

Page 979: ...Ports on page 25 12 NOTE All the ports must be members of the port based VLAN that contains this IP sub net VLAN See Layer 3 Protocol Based VLANs on page 25 3 10 Click the Add button if you are adding a new VLAN or the Modify button if you are modifying an existing VLAN to save the change to the device s running config file 11 Select the Save link at the bottom of the dialog Select Yes when prompt...

Page 980: ...a virtual interface for routing into and out of the VLAN 8 Enter the IP address of the VLAN in the IP_Address field 9 Enter the network mask in the Mask field 10 Specify the port that are members for the VLAN Select Dynamic Port if you want the port membership to be dynamic For information see Dynamic Ports on page 25 10 Click the Change Static Members button if you want to configure static ports ...

Page 981: ... type of VLAN you are modifying The following example shows the IPX Network Protocol VLAN configuration dialog used for configuring an IPX network protocol VLAN not a protocol IP sub net or AppleTalk cable VLAN 5 Enter the VLAN ID that will contain the IPX network VLAN in the VLAN ID field 6 Enter a name for the VLAN in the Protocol_VLAN_Name field 7 Select the virtual interface from the Router_In...

Page 982: ...on links 4 Click on the Protocol link If the device does not have any protocol VLANs the Protocol VLAN configuration panel is displayed as shown in the following example If at least one protocol VLAN is already configured and you are adding a new one click on the AppleTalk Cable link to display the AppleTalk Cable VLAN configuration panel If you are modifying an existing protocol VLAN click on the...

Page 983: ...g methods Displaying System Wide VLAN Information Use one of the following methods to display VLAN information for all the VLANs configured on the device USING THE CLI Enter the following command at any CLI level This example shows the display for the IP sub net and IPX network VLANs configured in the examples in Configuring an IP Sub Net VLAN with Dynamic Ports on page 25 38 and Configuring an IP...

Page 984: ...e Protocol based VLAN table Displaying VLAN Information for Specific Ports Use one of the following methods to display VLAN information for specific ports USING THE CLI To display VLAN information for all the VLANs of which port 7 1 is a member enter the following command BigIron config show vlans e 7 1 Total PORT VLAN entries 3 Maximum PORT VLAN entries 8 legend S Slot PORT VLAN 100 Name None Pri...

Page 985: ... HTTP web service on the IP address is available The health check and how to configure it are described later in this section NOTE This feature supports health checks only for TCP port 80 HTTP Normally an IP address should exist on only one host on the public Internet However the Foundry ServerIron and some third party SLBs allow the same IP address to exist on multiple machines using virtual IP a...

Page 986: ...3 Switch Suppose the DNS entry for this IP address maps the address to a site named www foundrynet com When a web client in Los Angeles enters this domain in their web browser the web browser goes to the client s local DNS to resolve the name into an IP address When the DNS returns the address to the web browser the browser then attempts to contact the HTTP port usually TCP port 80 on the host wit...

Page 987: ... VIP 209 157 22 1 209 157 22 249 209 157 22 3 ServerIron S1 Third party SLB If Los Angeles site is unavailable the path ages out and is replaced by the path to the www foundrynet com in New York IP address Cost Location 209 157 22 249 6 New York 209 157 22 51 Third party SLB s management IP address 209 157 22 50 ServerIron s management IP address BigIron 8000 3 5 4 2 B8G Link Activity 6 1 7 8 Link...

Page 988: ...ry Layer 3 Switches advertise paths only to for web site locations that are available If the web site passes the health check the Foundry Layer 3 Switch advertises a host route to the web site s IP address If the web site fails the health check the Foundry Layer 3 Switch removes the host route The route is no longer advertised and ages out of the routing tables in clients gateway routers As a resu...

Page 989: ...yntax Use the following commands to configure the health check parameters on the Layer 3 Switch Global CONFIG Level Use the following command at the global CONFIG level to identify the VIP that has the HTTP port the Layer 3 Switch is checking Syntax server real name vip The name parameter identifies the ServerIron third party SLB or real server This value does not need to match a value on the Serv...

Page 990: ...work containing the web site even if the web site itself is unavailable After you enter the ip dont advertise command the Layer 3 Switch advertises only a host route to the IP address Thus if the web site fails the HTTP health check the Layer 3 Switch removes the static host route for the web site s IP address and also does not advertise a network route for the network containing the IP address Sy...

Page 991: ... itself for multiple IP sub nets add IP addresses using the source ip command See the Foundry ServerIron Installation and Configuration Guide for information The ip dont advertise command configures the Foundry Layer 3 Switch to block advertisement of the network route for this IP sub net address This command ensures that the Layer 3 Switch advertises only the host route to the IP address If the L...

Page 992: ...s 209 157 22 3 24 NetIron config if 9 ip dont advertise 209 157 22 3 24 NetIron config if 9 write memory Syntax server port 80 Syntax tcp keepalive interval retries The interval parameter specifies the number of seconds between health checks sent by the Layer 3 Switch You can specify a number from 2 60 seconds The default is 5 seconds The retries parameter specifies how many times the Layer 3 Swit...

Page 993: ...f the real server This is the name you assigned to the server when you configured it on the ServerIron IP The IP address of the real server If you configured a host range of VIPs on the server the number following the IP address after the colon is the number of hosts on the server State The state of the real server The state can be one of the states listed by Server State at the top of the display...

Page 994: ...Foundry Switch and Router Installation and Configuration Guide 26 10 December 2000 ...

Page 995: ... sends an ICMP echo request packet to the broadcast address of an intermediary network The ICMP echo request packet contains the spoofed address of a victim network as its source When the ICMP echo request reaches the intermediary network it is converted to a Layer 2 broadcast and sent to the hosts on the intermediary network The hosts on the intermediary network then send ICMP replies to the vict...

Page 996: ...t to Configure in the tree view to display the list of configuration options 3 Click on the plus sign next to IP to display the list of IP configuration options 4 Select the General link to display the IP configuration panel 5 Select Disable next to Directed Broadcast Forward 6 Click the Apply button to save the change to the device s running config file 7 Select the Save link at the bottom of the...

Page 997: ...the source host does not exist no ACK packet is sent back to the destination host and an entry remains in the connection queue until it ages out after around a minute If the attacker sends enough TCP SYN packets the connection queue can fill up and service can be denied to legitimate TCP connections To protect against TCP SYN attacks you can configure the Foundry device to drop TCP SYN packets whe...

Page 998: ...gIron config show statistics dos attack Local Attack Statistics ICMP Drop Count ICMP Block Count SYN Drop Count SYN Block Count 0 0 0 0 Transit Attack Statistics Port ICMP Drop Count ICMP Block Count SYN Drop Count SYN Block Count 3 11 0 0 0 0 Syntax show statistics dos attack To clear statistics about ICMP and TCP SYN packets dropped because burst thresholds were exceeded BigIron config clear sta...

Page 999: ... and display the data graphically Statistics RMON Group 1 Count information on multicast and broadcast packets total packets sent undersized and oversized packets CRC alignment errors jabbers collision fragments and dropped events is collected for each port on a Foundry Layer 2 or Layer 3 Switch No configuration is required to activate collection of statistics for the switch or router This activit...

Page 1000: ...ow NetIron config rmon history 1 interface 1 buckets 10 interval 10 owner nyc02 Syntax rmon history entry number interface portnum buckets number interval sampling interval owner text string You can modify the sampling interval and the bucket number of entries saved before overwrite using the CLI In the above example owner refers to the RMON station that will request the information NOTE To review...

Page 1001: ...ring log trap log and trap owner rmon station USING THE WEB MANAGEMENT INTERFACE This display is not supported on the Web management interface Viewing System Information You can access software and hardware specifics for a Foundry Layer 2 or Layer 3 Switch USING THE CLI To view the software and hardware details for the system enter the show version command BigIron show version Syntax show version ...

Page 1002: ...the port statistics for all ports on a Layer 2 or Layer 3 Switch 1 Log on to the device using a valid user name and password for read only or read write access The System configuration dialog is displayed 2 Click on the plus sign next to Monitor in the tree view to expand the list of monitoring options 3 Click on the plus sign next to Port to expand the list of port monitoring options 4 Select the...

Page 1003: ...clear CLI commands and their displays see the Foundry Switch and Router Command Line Interface Reference NOTE Clear commands are found at the Privileged EXEC level USING THE WEB MANAGEMENT INTERFACE You can clear statistics by doing the following 1 Log on to the device using a valid user name and password for read write access The System configuration dialog is displayed 2 Click on the plus sign n...

Page 1004: ...Foundry Switch and Router Installation and Configuration Guide B 6 December 2000 ...

Page 1005: ... other zones Control learning and advertisement of routes learned from BGP4 neighbors You can filter based on network address information AS path information and community names Redistribute routes among RIP OSPF and BGP4 In ServerIron Transparent Cache Switching TCS configurations redirect HTTP traffic to cache servers or send the traffic to the Internet In router acceleration configurations redi...

Page 1006: ...ply it to each port Access policy see forwarding filters See Forwarding filters Forwarding filters MAC forwarding filters IP forwarding filters same as IP access policy IPX forwarding filters TCP UDP forwarding filters Configured globally then applied locally to a port s inbound or outbound policy or filter group You can use the same policy or filter in a port s inbound policy or filter group and ...

Page 1007: ...gured Default action after a policy or filter is configured QoS policy Queue all packets in normal or 0 priority queue Queue all packets in normal or 0 priority queue unless explicitly configured for a higher queue Cache server redirection policy applies only to ServerIron s Transparent Cache Switching Deny all HTTP packets do not redirect to cache server If global redirect all HTTP packets if loc...

Page 1008: ...rmation To filter for Layer 4 information use IP access policies filters Route filters RIP route filters RIP neighbor filters IPX RIP route filters IPX SAP service filters AppleTalk zone and network filters BGP4 address filters BGP4 AS path filters BGP4 community filters Permit learn and advertise all routes or services Deny do not learn or advertise all routes or services Router acceleration poli...

Page 1009: ...nd filter list For example if you apply three filters 3 2 and 1024 to port 1 1 s outbound filter list the filters are applied in the following order 3 2 1024 You must configure the policies or filters before you can add them to a policy or filter group When you configure a policy or filter group you must add all the policies or filters at the same time You cannot edit policy or filter groups To ch...

Page 1010: ...lt queue for all packets is normal or 0 You can change QoS policy by placing a port VLAN static MAC entry Layer 4 session or AppleTalk socket into a higher queue See IronClad Quality of Service QoS on page 11 1 for more information about the Foundry QoS algorithms Actions QoS policies place packets in the specified queue for forwarding Scope You can apply QoS policies to individual ports VLANs sta...

Page 1011: ...e Static Station Layer 4 session BigIron config ip access policy num priority 0 7 ip addr ip mask any ip addr ip mask any tcp udp operator tcp udp port num BigIron config if 1 1 ip access policy group in out policy list FastIronII config ip policy num priority 0 7 tcp udp tcp udp port num global local FastIronII config if 1 1 ip policy num TurboIron config ip access policy num high normal ip addr ...

Page 1012: ...ther protocol type the device drops the packet For example when a port in an AppleTalk VLAN receives an AppleTalk packet the port forwards the packet The same port drops IPX packets unless the port also is a member of an IPX VLAN IP sub net and IPX network VLANs are similar except for these VLAN types the device examines the IP sub net or IPX network address If the IP sub net or IPX network addres...

Page 1013: ...n this example packets enter the port from left to right The first three packets have entered the port and have been permitted or denied The two packets on the left have not yet entered the port When they do they will be permitted Since the last policy in the group is a permit any policy all packets that do not match another policy are permitted The permit any policy changes the default action to ...

Page 1014: ... default However once you configure an IP access policy the device denies all IP packets by default unless you explicitly permit them Thus if you want the device to permit all IP packets except the ones you filter out you must configure the last IP access policy to permit all IP packets If a packet does not match other filters and thus is not denied the packet matches the last filter and is permit...

Page 1015: ...icy to all source or destination addresses you do not need to specify any again for the mask Make sure you specify a separate address and mask or any for the source and destination address The icmp igmp igrp ospf tcp udp num parameter specifies the IP protocol to which you are applying the policy If you specify tcp or udp you also can use the optional operator and tcp udp port num parameters to fi...

Page 1016: ...s chapter in the Foundry Switch and Router Command Line Interface Reference for a description of how the timer for the entries works Layer 2 MAC filters and IP access policies use the same timer whereas Access Control Lists ACLs use a separate timer but the timers work the same way Thus the description of how the ACL timer works also applies to the Layer 2 MAC filters and IP access policies NOTE Y...

Page 1017: ...tcp eq gt lt neq range established CR eq gt lt neq range CR bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet num bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet num bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet num bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet num bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet num udp see the next page CR ...

Page 1018: ...Access Policy configuration panel is displayed as shown in the following example If an IP access policy is already configured and you are adding a new policy click on the Add IP Access Policy link to display the IP Access Policy configuration panel as shown in the following example If you are modifying an existing IP access policy click on the Modify button to the right of the row describing the p...

Page 1019: ... enter a single zero 0 in the protocol field 8 Enter the destination address and mask for the policy 9 If you want to filter on a specific IP protocol select the protocol from the Protocol field s pulldown menu For example to filter on TCP packets select TCP You can enter the protocol number or select one of the following ICMP IGMP IGRP OSPF TCP UDP 10 If you selected TCP or UDP you can select a c...

Page 1020: ...ialog Select Yes when prompted to save the configuration change to the startup config file on the device s flash memory 14 Go to Applying IP Access Policies to Ports on page C 16 The policy does not take effect until you apply it to a port Modifying or Deleting an IP Access Policy To modify or delete an IP access policy 1 Log on to the device using a valid user name and password for read write acc...

Page 1021: ...link to display the Access Policy Group configuration panel as shown in the following example If you are modifying an existing IP access policy group click on the Modify button to the right of the row describing the policy group to display the IP Access Policy Group configuration panel as shown in the following example 6 Select the port and slot if applicable to which you are assigning the access ...

Page 1022: ...PX forward filters You configure the filters globally then apply them to specific ports When you apply an IP or IPX filter to a port you specify whether the filter applies to inbound packets or outbound packets NOTE A Foundry device can either route or switch IP or IPX but cannot be configured to both route and switch the same protocol IP and IPX forwarding filter behavior differs depending on whe...

Page 1023: ...on 1 Deny any 128 24 26 0 24 1024 Permit any any Permitted Source 209 157 22 69 24 Dest 211 44 29 67 24 Source 209 157 22 26 24 Dest 128 24 26 7 24 Source 209 157 22 128 24 Dest 209 184 66 128 24 Source 209 157 22 69 24 Dest 209 211 44 128 24 Source 209 157 22 11 24 Dest 209 241 12 66 24 Permitted 211 44 29 0 24 Router Denied Router Router 128 24 26 0 24 209 211 44 0 24 128 24 26 0 24 209 241 12 0...

Page 1024: ...ss to deny certain types of traffic from that address You can selectively allow some types of traffic while dropping others For example you can configure a Layer 4 policy to drop web HTTP packets from a host but allow all other traffic from the host You can filter on the following Layer 4 application types ICMP IGMP IGRP OSPF TCP UDP For TCP and UDP you also specify an operator and the port number...

Page 1025: ...same policy in a port s inbound policy group and outbound policy group When you configure a policy group you 3 5 4 2 Link Activity 6 1 7 8 Link Activity Link Activity Link Activity 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Link Activity Link Activity Link Activity Link Activity 3 5 4 2 6 1 7 8 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 3 5 4 2 Link Activity...

Page 1026: ... you enable TCS on the ports that are connected to the Internet Enable TCS for outbound traffic Table C 8 TCP UDP Access Policies Foundry Product CLI syntax Web management links NetIron Internet Backbone router BigIron FastIron II TurboIron 8 BigIron config ip access policy policy num permit deny ip addr ip mask any ip addr ip mask any tcp udp operator tcp udp port num log BigIron config if 1 1 ip...

Page 1027: ...e lists the various types of filters you can configure on Foundry devices Table C 9 Cache Server Redirection Policies Foundry Product CLI syntax Web management links ServerIron ServerIron config ip policy policy num cache tcp udp tcp udp port num global local ServerIron config if 18 ip policy policy num Layer 4 QoS link from the System configuration panel Table C 10 Foundry Filters Filter Type Sup...

Page 1028: ... deny packets Scope You configure MAC filters globally then apply them to individual ports The filters do not take effect until applied to specific ports MAC filters apply only to incoming packets Syntax Use the following CLI commands or Web management interface panels to configure MAC filters BGP AS path filters X C 34 BGP community filters X C 35 RIP redistribution filters X C 37 OSPF redistribu...

Page 1029: ...ANs Use the first command for adding a range of ports Use the second command for adding separate ports not in a range You also can combine the syntax For example you can enter exclude ports ethernet 1 4 ethernet 2 6 to 2 9 Multicast Filters Multicast filters are outbound filters that apply to packets that have a Layer 2 multicast address in the destination MAC address field You can configure multi...

Page 1030: ...addition the device generates an SNMP trap for other packets received by the port Figure C 4 shows an example of an address lock filter In this example the Foundry device is configured to learn only two MAC addresses on port 1 1 After the device learns two addresses port 1 1 can forward only a packet whose source address is one of the two learned addresses The port drops all other packets This app...

Page 1031: ...f the filter Syntax Use the following CLI commands or Web management interface panels to configure address lock filters Table C 14 Address Lock Filters CLI syntax Web management links FastIronII config lock address ethernet portnum addr count num Configure Port 2nd MAC learned MAC address 9876 MAC address efef MAC address 1234 MAC address abcd Address lock filter for port 3 1 Two 2 addresses can b...

Page 1032: ...device sends and receives and the routes that the device learns or advertises IP forwarding filters IP Access policies control transmission and receipt of IP packets while RIP route and neighbor filters control the routes that the device leans or advertises Route filters filter on specific network addresses while neighbor filters filter on the IP addresses of the RIP neighbors IP Forwarding Filter...

Page 1033: ...n example of an RIP neighbor filter In this example the Foundry device is configured to drop all RIP advertisements from the RIP neighbor 192 99 26 1 24 Since this is an outbound filter the filter does not affect advertisements received by the Foundry device from 192 99 26 1 24 The Foundry device can still learn RIP routes from this neighbor Table C 15 RIP Route Filters CLI syntax Web management l...

Page 1034: ...rtisement Protocol SAP messages IPX forwarding filters filter on source and destination IPX address and socket information IPX RIP filters filter based on a route s network address IPX SAP filters filter based on server type and server name IPX Forwarding Filters IPX forwarding filters control forwarding of IPX packets Action An IPX forward filter applied to inbound packets forwards or drops IPX p...

Page 1035: ...outbound traffic advertises or does not advertise services Scope You configure IPX SAP filters globally then apply them to specific ports Syntax Use the following CLI commands or Web management interface panels to configure IPX SAP filters Table C 17 IPX Forwarding Filters CLI syntax Web management links BigIron config ipx forward filter filter num permit deny source network number any source node...

Page 1036: ...one RTMP filtering is not used on this filter Therefore users in the Marketing zone can still ping individual devices in the Engineering zone However the overhead caused by unnecessary zone information exchanges between the two groups is eliminated To prevent users in the Marketing zone from even pinging individual devices in the Engineering zone the RTMP filtering option can be used with the filt...

Page 1037: ...me segment should be configured with the same filters You can prevent local Macintosh computers from accessing a zone but still allow the downstream routers with Macintosh computers attached to other networks to access those zones To do so do not use the RTMP filtering option with the zone filter When you configure an AppleTalk zone filter to also filter network information the Foundry device remo...

Page 1038: ...bor command adds a BGP neighbor The distribute list parameter specifies a list of address filters and whether the list is applied to inbound or outbound BGP updates NOTE The match command compares the information you configure for the command s parameters against BGP routes You use this command when configuring a route map If the comparison matches a route set statements in the route map specify t...

Page 1039: ...Route Maps on page 19 63 BGP4 Community Filters BGP4 community filters control whether the Foundry device learns or drops BGP4 route information based on the route s community membership Actions A BGP4 community filter applied to inbound packets permits learns or denies drops routes for networks with the specified community membership in BGP4 updates received from a BGP4 neighbor A BGP4 AS path fi...

Page 1040: ...ameter settings that a Foundry Layer 3 Switch can use to modify route attributes and to control redistribution of routes For more information see Defining Route Maps on page 19 63 BGP4 allows you to include the redistribution filters as part of a route map A route map examines and modifies route information exchanged between BGP4 and RIP or OSPF See Configuring BGP4 on page 19 1 for more informati...

Page 1041: ...h or you can set the metric on redistributed routes By setting the metric you can cause the router to prefer RIP routes or redistributed routes to the specified network Actions RIP redistribution filters permit redistribute or deny do not redistribute OSPF or BGP4 routes into RIP Scope You configure RIP redistribution filters globally They are automatically applied as soon as you configure them OS...

Page 1042: ... routes from other protocols into BGP4 A Foundry device running BGP4 can redistribute static routes RIP routes and OSPF routes into BGP4 Optionally you can modify a route s metric and weight and use a route map to change additional attributes of the route Actions BGP4 redistribution filters permit redistribute or deny don t redistribute RIP or OSPF routes into RIP Scope You configure and apply BGP...

Page 1043: ...ayer 3 Switches Layer 4 filters are access policies that control access to Layer 4 applications based on TCP UDP or other port number On the ServerIron Layer 4 filters are policies that control whether the ServerIron redirects HTTP traffic from web clients to cache servers or sends the traffic to the Internet TCP UDP Forwarding Filters TCP UDP forwarding filters are the same as TCP UDP access poli...

Page 1044: ...Foundry Switch and Router Installation and Configuration Guide C 40 December 2000 ...

Page 1045: ...quency All Chassis devices TurboIron 8 ServerIronXL G 90 250 VAC auto ranging 7 5 amperes 47 63 Hz FastIron Workgroup FastIron Backbone NetIron stackable ServerIron ServerIronXL TurboIron 4 to 6 port Gigabit Layer 2 Switch 90 250 VAC auto ranging 2 5 amperes 47 63 Hz Table D 2 DC electrical specifications for Foundry devices Platform Input Voltage Range Current Rating Watts Nominal Inrush All Chas...

Page 1046: ...Physical dimensions for Foundry devices Platform Depth Width Length Height Weight 15 slot Chassis device 15 17 5 29 75 256 lbs fully populated 10 slot Chassis device 15 17 5 23 69 1 lbs fully populated 4 slot Chassis device 15 17 5 9 47 7 lbs fully populated TurboIron 8 FastIron Workgroup FastIron Backbone NetIron stackable ServerIron ServerIronXL ServerIronXL G TurboIron 4 to 6 port Gigabit Layer...

Page 1047: ...densing for DC power supply Operating Altitude 0 10 000 feet Storage Environment Storage Temperature 9 158 F 25 70 C Storage Humidity 95 maximum non condensing Storage Altitude 10 000 feet 3 000 meter maximum Electromagnetic Emissions FCC Class A Part 15 Subpart B EN 55022A Class A VCCI Class A EN50082 1 Safety Agency Approvals UL 1950 CSA C22 2 No 950 93 TUV EN 60950 EN 60825 ...

Page 1048: ...Foundry Switch and Router Installation and Configuration Guide D 4 December 2000 ...

Page 1049: ...ndards Compliance Foundry devices support the following standards NOTE The routing protocol standards apply only to the Layer 3 Switches IEEE 802 3 10BaseT IEEE 802 3u 100BaseTX 100BaseFX 802 3z 1000BaseSX 1000BaseLX 802 3x Flow Control 802 1p q VLAN Tagging 802 1d Bridging 802 3 Ethernet like MIB Repeater MIB Ethernet Interface MIB SNMP V1 and V2 SNMP MIB II ...

Page 1050: ... Protocol ARP 854 855 and 857 Telnet 894 IP over Ethernet frames 903 Reverse ARP RARP 906 Bootstrap loading using TFTP 919 Broadcast Internet datagrams 920 Domain requirements 922 Broadcast Internet datagrams in the presence of subnets 950 Internet standard subnetting procedure 951 Bootstrap Protocol BootP 1027 Proxy ARP 1042 IP datagrams over IEEE 802 networks for Ethernet 1058 Route Information ...

Page 1051: ...tions 1757 Remote Monitoring RMON groups 1 2 3 9 1771 Border Gateway Protocol BGP version 4 1812 Requirements for IP version 4 routers 1850 Open Shortest Path First OSPF version 2 MIB 1965 BGP Confederations 1966 BGP Route Reflection 1977 BGP Communities 1997 BGP Communities Attributes 2003 IP Tunneling 2030 Simple Network Time Protocol SNTP version 4 2068 HTTP 2138 Remote Authentication Dial In U...

Page 1052: ...ts BGP DRAFT ROUTE REFRESH 1 TXT which describes the dynamic route refresh capability IETF IDMR DVMRP version 3 05 obsoletes RFC 1075 IETF IDMR PIM DM 05 version 1 format 2439 BGP Route Flap Dampening 2453 BGP Route Information Protocol RIP version 2 2796 BGP Route Reflection 2842 Capability Advertisement 2858 BGP Multi protocol Extension Table E 1 Foundry RFC Support Continued RFC Number Protocol...

Page 1053: ...ng 3 14 IP ACL 3 5 restricting 3 5 TACACS TACACS 3 18 Telnet setting password 3 9 Web management interface 3 14 8 8 disabling 3 7 Access Control List See ACL Access levels 2 16 Access policy C 9 C 10 C 20 ACL AS path 19 51 BGP4 AS path 19 51 community 19 57 community 19 57 IP 13 1 IPX SAP 23 9 Policy Based Routing 13 25 SNMP access 3 5 strict TCP mode 13 23 strict UDP mode 13 23 Telnet access 3 4 ...

Page 1054: ...rea OSPF 17 1 assigning to interface 17 16 configuring 17 9 displaying information 17 43 Area range OSPF 17 2 configuring 17 15 ARP age AppleTalk 24 17 IP 15 30 IP Host unreachable message 16 1 proxy 15 31 retransmit count AppleTalk 24 18 retransmit interval AppleTalk 24 18 ARP cache IP RIP displaying 15 89 15 105 ASBR 17 2 displaying information 17 51 AS path length 19 3 Assigning IP address 2 17...

Page 1055: ...n hardware overview 9 1 Boot POS 6 3 software 7 4 BootP hops 15 75 IP address stamp 15 74 Bridging architecture 9 13 Broadcast directed 15 35 filter 10 66 C 25 leaks 25 12 limiting 10 24 BSR 18 13 displaying 18 20 Buffer port 9 17 Syslog 10 16 10 21 C Cable AppleTalk range 24 5 AppleTalk VLAN 25 34 crossover 2 24 straight through 2 24 Cache ARP displaying 15 89 15 105 IP host displaying 15 92 IPX ...

Page 1056: ...1 Cooling 2 4 Counters BGP4 clearing 19 118 CRC length POS 6 7 Ctrl A 2 28 Ctrl B 2 28 Ctrl C 2 28 Ctrl D 2 28 Ctrl E 2 28 Ctrl F 2 28 Ctrl K 2 28 Ctrl L 2 28 Ctrl N 2 28 Ctrl P 2 28 Ctrl R 2 28 Ctrl U 2 28 Ctrl W 2 28 Ctrl X 2 28 Ctrl Z 2 28 Current rating D 1 D DC power 9 21 DDP 24 4 Dead interval FSRP 22 9 VRRP 21 16 DECnet VLAN 25 3 25 23 25 25 Default system 8 6 10 70 Default gateway 2 18 DVM...

Page 1057: ...12 Exit overflow interval OSPF 17 39 Extended IP ACL 13 10 External LSA displaying 17 48 F Facility Syslog 10 17 Fan 9 17 replacing 2 10 Fast Ethernet cabling 2 24 Fast external fallover 19 27 Fast Port Span 12 16 Fast Uplink Span 12 18 FastIron II hardware overview 9 5 Features 8 3 Fiber cabling 2 24 File flash card attribute 5 25 copying 5 27 deleting 5 26 renaming 5 25 File data flash card disp...

Page 1058: ...erval 22 9 differences from VRRP 22 5 differences from VRRP and VRPE 21 8 enabling on the router 22 6 keepalive time 22 9 port parameters 22 9 routers 22 3 track port 22 3 22 8 22 11 virtual interface 22 3 22 11 virtual router IP address configuring 22 7 FWLB 8 26 G Gateway default 2 18 DVMRP 18 47 Getting help 1 4 Gigabit negotiation 10 22 10 32 Glean AppleTalk 24 19 GNS replies disabling 23 11 f...

Page 1059: ... information 23 17 frame type 23 1 parameters 23 2 loopback 19 13 number 9 16 OSPF blocking LSAs 17 20 defaults 17 18 displaying information 17 46 PIM DM parameters 18 11 PIM SM parameters 18 14 POS 6 5 displaying 6 23 track port FSRP 22 8 22 11 VRRP 21 17 track priority VRRP 21 17 virtual 25 5 25 14 VLAN 25 9 25 29 VRRP track port 21 5 Intermediate node IP multicast 18 2 Internet drafts supported...

Page 1060: ...affic statistics 15 97 15 106 update time 16 10 IPX age timer learned routes 23 15 learned SAP entries 23 15 configuring 23 1 interface 23 3 displaying information 23 16 forwarding cache 23 19 route 23 20 server table 23 21 summary 23 16 enabling 23 2 filter forward 23 5 C 30 GNS replies 23 10 frame type 23 1 GNS replies disabling 23 11 round robin 23 10 interface configuring 23 3 displaying infor...

Page 1061: ...terface 19 13 Loopback path POS 6 7 LSA displaying 17 49 External displaying 17 48 LSDB exit overflow interval 17 39 maximum 17 40 M MAC address filter 10 61 C 24 address lock 10 68 C 26 QoS priority 11 16 static entries 10 38 switching 8 15 virtual router 21 3 MAC VLAN configuring 25 54 MAC VLAN list 25 55 Management focus Flash card 5 20 5 21 PCMCIA 5 18 Management II 5 1 9 6 Management III 5 1 ...

Page 1062: ...Name port 10 28 software image file 8 2 Named IP ACL 13 19 NBP 24 3 Negotiation Gigabit 10 22 VRRP master 21 4 Neighbor BGP4 19 14 displaying information 19 95 distribute list 19 61 maximum 19 84 resetting session 19 119 DVMRP timeout 18 43 OSPF 17 21 displaying information 17 44 PIM DM timeout 18 8 PIM SM displaying information 18 25 RIP filter 16 11 C 29 NetBIOS enabling 23 3 VLAN 25 3 25 23 25 ...

Page 1063: ...area 17 21 trap 17 37 virtual link 17 21 displaying information 17 50 parameters 17 24 virtual neighbor displaying information 17 50 Other VLAN 25 3 25 23 25 25 P Package contents 2 1 Parameters AppleTalk 24 17 BGP4 19 7 DVMRP interface 18 47 FSRP 22 9 IP multicast 18 2 IPX 23 2 OSPF 17 7 interface 17 19 virtual link 17 24 PIM DM 18 8 18 43 interface 18 11 PIM SM 18 14 interface 18 14 Password ass...

Page 1064: ...tistics B 4 STP parameters 10 34 12 4 VLAN 25 23 tagged 11 14 25 6 track FSRP 22 3 22 8 22 11 VRRP 21 5 21 17 track priority VRRP 21 17 trunk group 10 41 displaying 10 54 VLAN 25 13 virtual interface VLAN 25 9 VLAN aging 25 37 displaying information 25 64 dynamic 25 10 25 15 25 37 excluded 25 12 static 25 12 types 25 10 Port based VLAN configuring 25 57 default 25 5 25 16 POS 6 1 adding IP address...

Page 1065: ...1 10 naming 11 4 R Rack installation 2 19 Rack Mounting 2 20 RADIUS 3 33 RARP 15 68 static entry 15 69 Read only community string 8 8 Read write community string 8 8 no default 3 14 Redistribution C 36 BGP4 19 45 C 38 IP RIP 16 7 C 37 enabling 16 9 metric 16 8 metric OSPF 17 29 OSPF 17 26 C 38 enabling 17 30 metric type 17 35 Redundant link trunk group 10 41 Redundant management module 5 1 9 6 con...

Page 1066: ... 18 Router ID 15 26 19 12 Routing architecture 9 14 enabling 10 68 RP 18 13 18 16 displaying 18 22 displaying group information 18 23 displaying set list 18 24 RTMP 24 3 update interval 24 19 Running config file 7 5 S Scheduled reload 7 10 Scroll control 2 27 SDH 6 1 Secure Shell 4 1 Security C 1 assigning Enable password 2 16 Authentication method list 3 47 IP access policy C 9 C 10 IP ACL 3 4 IP...

Page 1067: ...ic port 25 12 Static route IP multicast configuring 18 52 Statistics AppleTalk 24 20 clearing 24 21 BGP4 clearing 19 118 clearing B 5 IP RIP 15 97 15 106 IPX 23 22 PIM SM 18 18 18 28 port B 4 POS 6 26 RMON Group 1 B 1 route dampening 19 83 19 116 STP B 4 VRRP clearing 21 30 Storage environment D 3 STP bridge and port parameters 10 34 12 4 bridge parameters VLAN 25 22 enabling or disabling 10 34 12...

Page 1068: ...nsparent Cache Switching 8 25 policy C 22 Trap 8 13 disabling 10 7 OSPF 17 37 displaying status 17 51 receiver 10 5 source 10 6 Syslog 10 14 Trigger interval timer DVMRP 18 47 Troubleshooting network connections 2 26 Trunk group 10 41 displaying 10 54 load sharing 10 47 VLAN 25 13 TTL DVMRP 18 48 IP 15 35 TurboIron hardware overview 9 13 TurboIron Switching Router 9 13 U Undeliverable IP ARP 16 1 ...

Page 1069: ...on 21 5 21 14 backup 21 15 priority 21 15 backup preempt 21 18 configuring 21 1 21 12 dead interval 21 16 differences from FSRP 22 5 differences from FSRP and VRRPE 21 8 hello 21 4 hello timer 21 16 master 21 15 master negotiation 21 4 RIP advertisement suppression 21 5 21 16 statistics clearing 21 30 track port 21 5 21 17 track priority 21 17 virtual router IP address 21 4 virtual router MAC addr...

Page 1070: ...Foundry Switch and Router Installation and Configuration Guide Index 18 December 2000 ...

Reviews:

No comments