53-1002494-02 20 July 2012 FastIron Configuration Guide Supporting FastIron Software Release 07.4.
© 2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents

About This Guide
  Introduction ..... li
  Device nomenclature ..... li
  Audience ..... lii
  What’s new in this document ..... lii
  Summary of enhancements in FastIron release 07.4.00a

Chapter 2 Basic Software Features
  Basic system parameter configuration ..... 18
    Entering system administration information ..... 19
    SNMP parameter configuration ..... 19
    Displaying virtual routing interface statistics ..... 22
    Disabling Syslog messages and traps for CLI access ..... 23
    Cancelling an outbound Telnet session
  Using SNMP to upgrade software ..... 80
  Software reboot ..... 81
    Software boot configuration notes ..... 81
  Displaying the boot preference ..... 81
  Loading and saving configuration files
  Remote access to management function restrictions ..... 112
    ACL usage to restrict remote access ..... 112
    Defining the console idle time ..... 115
    Remote access restrictions ..... 115
    Restricting access to the device based on IP or MAC address ..... 117
    Defining the Telnet idle time
  TACACS and TACACS+ security ..... 139
    How TACACS+ differs from TACACS ..... 139
    TACACS/TACACS+ authentication, authorization, and accounting ..... 139
    TACACS authentication ..... 142
    TACACS/TACACS+ configuration considerations ..... 145
    Enabling TACACS
  SSH2 authentication types ..... 181
    Enabling and disabling SSH by generating and deleting host keys ..... 181
    Configuring DSA or RSA challenge-response authentication ..... 183
  Optional SSH parameters ..... 185
    Setting the number of SSH authentication retries ..... 186
    Deactivating user authentication
  Upgrading or downgrading configuration considerations for PoD ..... 212
    Configuration considerations for stacking or trunking PoD ports ..... 213
    Configuration considerations when configuring PoD on an interface ..... 213
    Configuration considerations when configuring PoD for ICX 6450 devices only
  Connecting ICX 6450 and ICX 6430 devices in a stack ..... 244
    Connecting ICX 6450 devices in a stack ..... 245
    Connecting ICX 6430 devices in a stack ..... 245
    Trunking configuration considerations for ICX 6430 and ICX 6450 devices ..... 245
    Software requirements ..... 248
    IronStack construction methods
  IronStack troubleshooting ..... 315
    Troubleshooting an unsuccessful stack build ..... 315
    Troubleshooting a stacking upgrade ..... 317
    Troubleshooting image copy issues ..... 318
  Stack mismatches ..... 318
    Image mismatches
  IPv6 host address on a Layer 2 switch ..... 360
    Configuring a global or site-local IPv6 address with a manually configured interface ID ..... 361
    Configuring a link-local IPv6 address as a system-wide address for a switch ..... 361
    Configuring the management port for an IPv6 automatic address configuration
  IPv6 neighbor discovery configuration ..... 384
    IPv6 neighbor discovery configuration notes ..... 385
    Neighbor solicitation and advertisement messages ..... 385
    Router advertisement and solicitation messages ..... 386
    Neighbor redirect messages ..... 386
    Setting neighbor solicitation parameters for duplicate address detection
  IPv6 management features ..... 413
    IPv6 management ACLs ..... 413
    IPv6 Web management using HTTP and HTTPS ..... 413
    IPv6 logging ..... 414
    Name-to-IPv6 address resolution using IPv6 DNS server ..... 415
    Defining an IPv6 DNS entry ..... 415
    Pinging IPv6
Chapter 11 Foundry Discovery Protocol (FDP) and Cisco Discovery Protocol (CDP) Packets
  FDP Overview ..... 437
    FDP configuration ..... 438
    Displaying FDP information ..... 439
    Clearing FDP and CDP information ..... 442
  CDP packets
  LLDP-MED attributes advertised by the Brocade device ..... 485
    Extended power-via-MDI information ..... 486
  Displaying LLDP statistics and configuration settings ..... 488
    LLDP configuration summary ..... 488
    Displaying LLDP statistics ..... 489
    Displaying LLDP neighbors ..... 491
    Displaying LLDP neighbors detail

Chapter 15 Network Monitoring
  Basic system management ..... 521
    Viewing system information ..... 521
    Viewing configuration information ..... 522
    Viewing port statistics ..... 523
    Viewing STP statistics ..... 525
    Clearing statistics
  Clearing MAC address entries ..... 563
  Flow-based MAC address learning ..... 564
    Flow-based learning overview ..... 564
    Flow-based learning configuration considerations ..... 565
    Configuring flow-based MAC address learning ..... 566
    Displaying information about flow-based MACs
  Link Fault Signaling for 10Gbps Ethernet devices ..... 604
  Jumbo frame support ..... 606

Chapter 17 Metro Features
  Topology groups ..... 607
    Master VLAN and member VLANs ..... 608
    Control ports and free ports ..... 608
    Topology group configuration considerations
  Enabling the detection of PoE power requirements advertised through CDP ..... 670
    Command syntax for PoE power requirements ..... 670
  Setting the maximum power level for a PoE power-consuming device ..... 670
    Setting power levels configuration note ..... 671
    Configuring power levels command syntax
  Configuring a trunk group ..... 707
    CLI syntax for configuring consecutive ports in a trunk group ..... 707
    CLI syntax for configuring non-consecutive ports in a trunk group ..... 708
    Example 1: Configuring the trunk groups
  Routing between VLANs ..... 765
    Virtual routing interfaces (Layer 2 switches only) ..... 765
    Routing between VLANs using virtual routing interfaces (Layer 3 switches only) ..... 765
    Dynamic port assignment (Layer 2 switches and Layer 3 switches) ..... 766
    Assigning a different VLAN ID to the default VLAN
  802.1ad tagging configuration ..... 804
    Configuration rules for 802.1ad tagging ..... 805
    Enabling 802.1ad tagging ..... 805
    Example 802.1ad configuration ..... 806
    Configuring 802.1ad tag profiles ..... 808
  Private VLAN configuration
  Displaying MCT information ..... 860
    Displaying peer and client states ..... 860
    Displaying state machine information ..... 861
    Displaying cluster, peer, and client states ..... 862
    Displaying information about Ethernet interfaces ..... 862
    Displaying STP information

Chapter 24 MAC-based VLANs
  MAC-based VLAN overview ..... 905
    Static and dynamic hosts ..... 905
    MAC-based VLAN feature structure ..... 906
  Dynamic MAC-based VLAN ..... 907
    Configuration notes and feature limitations for dynamic MAC-based VLAN
  MAC address filter-based mirroring ..... 936
    Configuring MAC address filter-based mirroring ..... 936
  VLAN-based mirroring ..... 937
    VLAN-based mirroring on FastIron X Series devices ..... 939

Chapter 26 IP Configuration
  Basic IP configuration ..... 946
    IP configuration overview
  Configuring IP parameters – Layer 2 Switches ..... 1037
    Configuring the management IP address and specifying the default gateway ..... 1037
    Configuring Domain Name Server (DNS) resolver ..... 1038
    Changing the TTL threshold ..... 1039
    DHCP Assist configuration ..... 1040
  IPv4 point-to-point GRE tunnels
  BPDU guard ..... 1163
    Enabling BPDU protection by port ..... 1163
    Re-enabling ports disabled by BPDU guard ..... 1164
    Displaying the BPDU guard status ..... 1164
    BPDU guard status example console messages ..... 1165
  Root guard

Chapter 29 RIP (IPv4)
  RIP overview ..... 1199
    ICMP host unreachable message for undeliverable ARPs ..... 1200
  RIP parameters and defaults ..... 1200
    RIP global parameters ..... 1200
    RIP interface parameters ..... 1201
  RIP parameter configuration

Chapter 31 OSPF version 2 (IPv4)
  OSPF overview
    OSPF point-to-point links
    Designated routers in multi-access networks
    Designated router election in multi-access networks
    OSPF RFC 1583 and 2178 compliance
    Reduction of equivalent AS External LSAs
    Support for OSPF RFC 2328 Appendix E
  Clearing OSPF information ..... 1270
    Clearing OSPF neighbor information ..... 1270
    Clearing OSPF topology information ..... 1271
    Clearing redistributed routes from the OSPF routing table ..... 1271
    Clearing information for OSPF areas ..... 1271
  Displaying OSPF information
  Displaying OSPF V3 Information ..... 1314
    Displaying OSPF V3 area information ..... 1315
    Displaying OSPF V3 database information ..... 1316
    Displaying OSPF V3 interface information ..... 1321
    Displaying OSPF V3 memory usage ..... 1324
    Displaying OSPF V3 neighbor information ..... 1325
    Displaying routes redistributed into OSPF V3
  Optional BGP4 configuration tasks ..... 1365
    Changing the Keep Alive Time and Hold Time ..... 1365
    Changing the BGP4 next-hop update timer ..... 1365
    Enabling fast external fallover ..... 1366
    Changing the maximum number of paths for BGP4 load sharing ..... 1366
    Customizing BGP4 load sharing
  Route flap dampening configuration ..... 1414
    Globally configuring route flap dampening ..... 1415
    Using a route map to configure route flap dampening for specific routes ..... 1416
    Using a route map to configure route flap dampening for a specific neighbor ..... 1417
    Removing route dampening from a route

Chapter 34 IP Multicast Traffic Reduction on Brocade FastIron X Series switches
  IGMP snooping overview ..... 1461
    MAC-based implementation on FastIron X Series devices ..... 1462
    Queriers and non-queriers ..... 1463
    VLAN-specific configuration ..... 1463
    Tracking and fast leave
  PIM SM snooping show commands
    Displaying PIM SM snooping information
    Displaying PIM SM snooping information on a Layer 2 switch
    Displaying PIM SM snooping information for a specific group or source group pair
  Clear commands for IGMP snooping
    Clearing the IGMP mcache
  PIM Dense
    Initiating PIM multicasts on a network
    Pruning a multicast tree
    Grafts to a multicast Tree
    PIM DM versions
    PIM DM configuration
  Disabling CPU processing for select multicast groups ..... 1591
    CLI command syntax to disable CPU processing ..... 1592
    Viewing disabled multicast addresses ..... 1592
  Configuring a static multicast route ..... 1593
    Displaying the multicast configuration for another multicast router ..... 1595
  IGMP V3
  MLD snooping configuration ..... 1615
    Configuring the hardware and software resource limits ..... 1616
    Disabling transmission and receipt of MLD packets on a port ..... 1616
    Configuring the global MLD mode ..... 1617
    Modifying the age interval
  MLD snooping configuration ..... 1635
    Global tasks for MLD Snooping ..... 1635
    VLAN-specific tasks for MLD Snooping ..... 1635
    Configuring the hardware and software resource limits ..... 1636
    Disabling transmission and receipt of MLD packets on a port ..... 1636
    Configuring the global MLD mode
  Basic VRRP-E parameter configuration ..... 1668
    Configuration rules for VRRP-E ..... 1668
    Configuring IPv4 VRRP-E ..... 1668
    Configuring IPv6 VRRP-E ..... 1669
  Additional VRRP and VRRP-E parameter configuration ..... 1670
    VRRP and VRRP-E authentication types ..... 1671
    VRRP router type
  Extended numbered ACL configuration ..... 1714
    Extended numbered ACL syntax ..... 1714
    Configuration examples for extended numbered ACLs ..... 1718
  Extended named ACL configuration ..... 1720
    Extended named ACL syntax ..... 1721
    Configuration example for extended named ACLs ..... 1725
  Applying egress ACLs to Control (CPU) traffic
  Policy-based routing (PBR) ..... 1747

Chapter 41 IPv6 ACLs
  IPv6 ACL overview ..... 1755
    IPv6 ACL traffic filtering criteria ..... 1756
    IPv6 protocol names and numbers ..... 1756
  IPv6 ACL configuration notes ..... 1757
  Configuring an IPv6 ACL
  CPU rate-limiting ..... 1787

Chapter 43 802.1X Port Security
  IETF RFC support ..... 1789
  How 802.1X port security works ..... 1790
    Device roles in an 802.1X configuration ..... 1790
    Communication between the devices ..... 1791
    Controlled and uncontrolled ports
  Multi-device port authentication and 802.1X security on the same port ..... 1836

Chapter 44 MAC Port Security
  MAC port security overview ..... 1838
    Local and global resources used for MAC port security ..... 1838
    Configuration notes and feature limitations for MAC port security ..... 1838
  MAC port security configuration
  Multi-device port authentication configuration
    Enabling multi-device port authentication
    Specifying the format of the MAC addresses sent to the RADIUS server
    Specifying the authentication-failure action
    Generating traps for multi-device port authentication
    Defining MAC address filters
  Web authentication options configuration
    Enabling RADIUS accounting for web authentication
    Changing the login mode (HTTPS or HTTP)
    Specifying trusted ports
    Specifying hosts that are permanently authenticated
    Configuring the re-authentication period
    Defining the web authentication cycle
  DHCP snooping
    How DHCP snooping works
    System reboot and the binding database
    Configuration notes and feature limitations for DHCP snooping
    Configuring DHCP snooping
    Clearing the DHCP binding database
  Fixed rate limiting on inbound port configuration ..... 1957
    Minimum and maximum inbound rate limits ..... 1957
    Configuration notes for fixed rate limiting ..... 1957
    Configuration syntax for fixed rate limiting ..... 1957
  Fixed rate limiting on outbound port configuration
    Minimum and maximum outbound rate limits
    Configuration notes for outbound rate limiting
  Configuring QoS mapping configuration
    Default DSCP to internal forwarding priority mappings
    Changing the DSCP to internal forwarding priority mappings
    Changing the VLAN priority 802.1p to hardware forwarding queue mappings
    Default scheduling configuration for the SX-FI48GPP module
About This Guide

Introduction

This guide describes the following product families from Brocade:
• FastIron X Series devices:
  • FastIron Edge Switch X Series (FESX) Layer 2/Layer 3 switch
  • FastIron Edge Switch X Series Expanded (FESXE) Layer 2/Layer 3 switch
  • FastIron SX 800 and 1600 Layer 2/Layer 3 switches
• FastIron WS (FWS) Layer 2, base Layer 3, and EPREM devices
• Brocade FCX Series (FCX) Stackable Switch
• Brocade ICX™ 6610 (ICX 6610) Stackable Switch
• Brocade ICX 6430 Series (ICX 6430)
• Brocade

Audience

This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network – IP, RIP, OSPF, BGP, ISIS, IGMP, PIM, DVMRP, and VRRP.

What’s new in this document

This document includes the information from IronWare software release 07.4.00.

Summary of enhancements in FastIron release 07.4.
Summary of enhancements in FastIron release 07.4.00

Table 3 lists the enhancements for FastIron release 07.4.00.

TABLE 3 Summary of Enhancements in FastIron release 07.4.00
(Columns: Feature, Description, Described in)

Feature: New hardware
Description: This release introduces the new Brocade ICX 6430 and ICX 6450 Series stackable switches.

Feature: Maximum Trunk support and Maximum trunk port member support on FastIron SX interface modules
Description: The following Interface modules support up to 12 ports per trunk group on the FastIron SX chassis for both static and LACP trunks.

Feature: Stacking configuration for ICX 6430 and ICX 6450 devices
Description: ICX 6430 and ICX 6450 devices have four ports on the front panel for stacking configuration. ICX 6430 and ICX 6450 devices ship with two default stacking ports configured. ICX 6430 and ICX 6450 devices support linear and ring stack topologies, and can also operate as standalone devices.
TABLE 4 Unsupported Features

System-level features not supported:
• ACL logging of permitted packets
• Broadcast and multicast MAC address filters
• Outbound ACLs on FWS devices

Layer 2 features not supported:
• SuperSpan
• VLAN-based priority

Layer 3 features not supported:
• AppleTalk Routing
• Foundry Standby Router Protocol (FSRP)
• IPv6 Multicast Routing
• IPX Routing
• IS-IS
• Multiprotocol Border Gateway Protocol (MBGP)
• Multiprotocol Label Switching (MPLS)
• Network A

Command syntax conventions

Command syntax in this manual follows these conventions:
• command and parameters: Commands and parameters are printed in bold.
• [ ]: Optional parameter.
• variable: Variables are printed in italics enclosed in angled brackets < >.
• ...: Repeat the previous element, for example “member[;member...]”.
• |: Choose from one of the parameters.

Notes, cautions, and danger notices

The following notices and statements are used in this manual.
• Brocade FCX and Brocade ICX 6610 Debug Guide
• Brocade FCX Series Hardware Installation Guide
• Unified IP MIB Reference

The latest version of these guides is posted at http://www.brocade.com/ethernetproducts. If you find errors in the guides, send an email to documentation@brocade.com.

Getting technical help

To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.

Chapter 1 Management Applications

Table 5 lists the individual Brocade FastIron switches and the management application features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images.
Management port overview For SX 800 and SX 1600 devices, the MAC address for the management port is derived as if the management port is the last port on the management module where it is located. For example, on a 2 X 10G management module, the MAC address of the management port is that of the third port on that module.
  Link Error Dampening is Disabled
  STP configured to OFF, priority is level0, mac-learning is enabled
  Flow Control is config disabled, oper enabled
  Mirror disabled, Monitor disabled
  Not member of any active trunks
  Not member of any configured trunks
  No port name
  IPG MII 0 bits-time, IPG GMII 0 bits-time
  IP MTU 1500 bytes
  300 second input rate: 83728 bits/sec, 130 packets/sec, 0.01% utilization
  300 second output rate: 24 bits/sec, 0 packets/sec, 0.

  Brocade(config)#show statistics brief management 1
  Port  In Packets  Out Packets  Trunk  In Errors  Out Errors
  mgmt1399462200
  Total399452200

Logging on through the CLI

Once an IP address is assigned to a Brocade device running Layer 2 software or to an interface on the Brocade device running Layer 3 software, you can access the CLI either through the direct serial connection to the device or through a local or remote Telnet session.

Scroll control

By default, the CLI uses a page mode to paginate displays that are longer than the number of rows in your terminal emulation window. For example, if you display a list of all the commands at the global CONFIG level but your terminal emulation window does not have enough rows to display them all at once, the page mode stops the display and lists your choices for continuing the display. An example is given below.
TABLE 6 CLI line editing commands (Continued)
Ctrl+Key combination: Description
• Ctrl+W: Deletes the last word you typed.
• Ctrl+Z: Moves from any CONFIG level of the CLI to the Privileged EXEC level; at the Privileged EXEC level, moves to the User EXEC level.

Using stack-unit, slot number, and port number with CLI commands

CLI nomenclature on Stackable devices

Stackable devices (FCX and ICX) use the stack-unit/slot/port nomenclature. When you enter CLI commands that include the port number as part of the syntax, you must use the stack-unit/slot/port number format.

  Brocade#show who | exclude closed
  Console connections:
    established
    you are connecting to this session
    2 seconds in idle
  Telnet connections (inbound):
    1 established, client ip address 192.168.9.

  --More--, next page: Space, next line: Return key, quit: Control-c
  +telnet
  filtering...
  telnet   Telnet by name or IP address

The filtered results are displayed.

To display lines that do not contain a specified search string (similar to the exclude option for show commands) press the minus sign key ( - ) at the --More-- prompt and then enter the search string.

TABLE 7 Special characters for regular expressions (Continued)
Character: Operation
• ?: The question mark matches on zero occurrences or one occurrence of a pattern. For example, the following regular expression matches output that contains "dg" or "deg": de?g
  NOTE: Normally when you type a question mark, the CLI lists the commands or options at that CLI level that begin with the character or string you entered.

  Brocade#show ip route bgp | include \*

Creating an alias for a CLI command

You can create aliases for CLI commands. An alias serves as a shorthand version of a longer CLI command. For example, you can create an alias called shoro for the CLI command show ip route. Then when you enter shoro at the command prompt, the show ip route command is executed.
Logging on through the Web Management Interface

To use the Web Management Interface, open a Web browser and enter the IP address of the management port on the Brocade device in the Location or Address field. The Web browser contacts the Brocade device and displays a Login panel, such as the one shown below.

Navigating the Web Management Interface

When you log into a device, the System configuration panel is displayed. This panel allows you to enable or disable major system features. You can return to this panel from any other panel by selecting the Home link. The Site Map link gives you a view of all available options on a single screen.

NOTE
If you are using Internet Explorer 6.0 to view the Web Management Interface, make sure the version you are running includes the latest service packs. Otherwise, the navigation tree (the left-most pane in Figure 3) will not display properly. For information on how to load the latest service packs, refer to the on-line help provided with your Web browser.

[Figure: Web Management Interface menu types (Tree View shown): Page, Menu, Menu Frame]

NOTE
The tree view is available when you use the Web Management Interface with Netscape 4.0 or higher or Internet Explorer 4.0 or higher browsers. If you use the Web Management Interface with an older browser, the Web Management Interface displays the List view only, and the Web Management Preferences panel does not include an option to display the tree view.
Chapter 2 Basic Software Features Table 8 lists the individual Brocade FastIron switches and the basic software features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Basic system parameter configuration

TABLE 8 Supported basic software features

Feature | FESX | FSX 800 | FSX 1600 | FWS | FCX | ICX 6610 | ICX 6430 | ICX 6450
Port status (enable or disable): Yes Yes Yes Yes Yes
Flow control (responds to flow control packets, but does not generate them): Yes Yes Yes Yes Yes
Symmetric flow control (can transmit and receive 802.
Entering system administration information

You can configure a system name, contact, and location for a Brocade device and save the information locally in the configuration file for future reference. This information is not required for system operation but is suggested. When you configure a system name, the name replaces the default system name in the CLI command prompt. The name, contact, and location can each be up to 255 alphanumeric characters.

When you add a trap receiver, the software automatically displays the community string you associate with the receiver in encrypted form when the string is shown by the CLI or Web Management Interface. If you want the software to show the community string in the clear, you must explicitly specify this when you add a trap receiver. In either case, the software does not encrypt the string in the SNMP traps sent to the receiver: the community string crosses the network in clear text, so treat it as a shared secret and do not reuse a read-write community string as a trap community.

Setting the SNMP trap holddown time

When a Brocade device starts up, the software waits for Layer 2 convergence (STP) and Layer 3 convergence (OSPF) before beginning to send SNMP traps to external SNMP servers. Until convergence occurs, the device might not be able to reach the servers, in which case the messages are lost. By default, a Brocade device uses a one-minute holddown time to wait for convergence to occur before it starts to send SNMP traps.

SNMP Layer 3 traps

The following traps are generated on devices running Layer 3 software:
• SNMP authentication key
• Power supply failure
• Fan failure
• Cold start
• Link up
• Link down
• Bridge new root
• Bridge topology change
• Locked address violation
• BGP4
• OSPF
• VRRP
• VRRP-E

To stop link down occurrences from being reported, enter the following.

Disabling Syslog messages and traps for CLI access

Brocade devices send Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI. The feature applies to users whose access is authenticated by an authentication-method list based on a local user account, RADIUS server, or TACACS/TACACS+ server.
The user remained in Privileged EXEC mode until 5:59:22 PM. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01:11 PM, the user ended the CLI session.

Disabling the Syslog messages and traps

Logging of CLI access is enabled by default. If you want to disable the logging, enter the following commands.

Specifying an SNTP server

The order in which the SNTP servers are configured is the order in which they are consulted. The server that was configured first is the first server consulted after the poll cycle; the next server is consulted only if a valid response is not received from the first one. To specify an IPv6 address for the SNTP server, use the ipv6 option. The authentication-key option allows you to configure an authentication key for communication with the SNTP server. Configure the key wherever the server supports it: an unauthenticated SNTP client accepts time from any host that can answer as the server, and a shifted clock corrupts the timestamps in the Syslog records described above.
TABLE 9 Output from the show sntp associations command (Continued)

Field   Description
delay   The total delay time in milliseconds along the path to the root clock.
disp    The dispersion of the root path in milliseconds.

To display detailed information about SNTP associations, enter the show sntp associations details command.

Brocade# show sntp associations details
208.99.8.95 configured,insane, unsynched,invalid, stratum 16
ref ID 0.0.0.0,time 0.

Field        Description
root delay   The total delay time in milliseconds along the path to the root clock.
root disp    The dispersion of the root path in milliseconds.
delay        The round trip delay to the peer in milliseconds.
offset       The offset of the peer clock relative to the system clock.
precision    The precision of the system clock in Hz.
version      The NTP version of the peer. The version can be from 1 to 4.
org time     The original timestamp of the system clock.
Configuring the device as an SNTP server

You can configure the Brocade device to function as an SNTP server to its downstream clients. When using the device as an SNTP server, you can also set it to use its own internal clock as the reference source if an upstream server becomes unavailable. To use the device as an SNTP server, enter a command such as the following at the Privileged EXEC level.

NOTE
You cannot enable or disable the use-local-clock option (or its stratum number) or change the authentication string while the SNTP server is up. To change these settings after enabling SNTP server mode, you must disable server mode with the no sntp server-mode command, then re-enable it with the new parameters.

Displaying SNTP server information

Use the show sntp server-mode command to display the status of the SNTP server and its configuration.

Enabling broadcast mode for an SNTP client

The Brocade device can be configured as an SNTP client. You can enable an SNTP client to function in broadcast mode when the NTP server is on the same LAN and the expected response delay used to calibrate the system clock is minimal. In broadcast mode, the SNTP client does not send queries to the NTP server; it accepts the time broadcast on that segment, so use this mode only on a segment you control.

To synchronize the time counter with your SNTP server time, enter the following command.

Brocade# sntp sync

Syntax: sntp sync

By default, Brocade switches and routers do not change the system time for daylight saving time. To enable daylight saving time, enter the clock summer-time command.

New start and end dates for US daylight saving time

NOTE
This feature applies to US time zones only.

The system automatically changes the system clock to Daylight Saving Time (DST), in compliance with the federally mandated start of daylight saving time, which was extended by one month beginning in 2007. DST starts at 2:00 am on the second Sunday in March and ends at 2:00 am on the first Sunday in November.
• FastIron X Series devices, except for the SX-FI48GPP interface module – Unknown unicast limiting is independent of broadcast and multicast limiting. To enable multicast limiting, enable it after enabling broadcast limiting. Multicast limiting uses the limit defined in broadcast limiting. You cannot set a separate limit for multicast limiting.

Brocade(config)# interface ethernet 1
Brocade(config-if-e1000-1)# unknown-unicast limit 65536
The combined number of inbound Unknown Unicast packets permitted for ports 1 to 12 is now set to 65536
Brocade(config-if-e1000-1)#

NOTE
On the SX-FI48GPP module, multicast and unknown-unicast limiting use the value defined in broadcast limiting. You cannot set a separate limit for unknown-unicast limiting and multicast limiting.

Command syntax for packet-based limiting on Brocade ICX 6610 and 6450 devices

To enable broadcast limiting on a group of ports by counting the number of packets received, enter commands such as the following.

Brocade(config)# interface ethernet 1/1/1 to 1/1/8
Brocade(config-mif-e1000-1/1/1-1/1/8)# broadcast limit 8192

To include unknown-unicast limiting, enter the unknown-unicast limit command after enabling broadcast limiting.

Brocade# config terminal
Brocade(config)# interface ethernet 13
Brocade(config-if-e1000-13)# unknown-unicast limit 65536 bytes
The combined number of bytes of inbound Unknown Unicast packets permitted for ports 13 to 24 is now set to 65536
Brocade(config-if-e1000-13)#

Syntax: [no] broadcast limit bytes
Syntax: [no] multicast limit
Syntax: [no] unknown-unicast limit bytes

The variable can be any number that is a multiple of 65536, up to a maximum

Syntax: show run interface

Use the show rate-limit unknown-unicast command to display the unknown unicast limit for each port region to which it applies.

NOTE
The banner command is equivalent to the banner motd command. When you access the Web Management Interface, the banner is displayed.

NOTE
If you are using a Web client to view the message of the day, and your banners are very wide, with large borders, you may need to set your PC display resolution to a number greater than the width of your banner.

However, if the requirement to press the Enter key after a MOTD is enabled, the following messages are displayed when accessing the switch on the console.

Press Enter key to login
Authorized Access Only ...
Press Enter to accept and continue the login process....

The user must press the Enter key to continue to the login prompt. To enable the requirement to press the Enter key after the MOTD is displayed, enter a command such as the following.
As with the banner motd command, you begin and end the message with a delimiting character; in this example, the delimiting character is $ (dollar sign). The delimiting character can be any character except " (double quotation mark) and cannot appear in the banner text. The text between the dollar signs is the contents of the banner. Banner text can be up to 4000 characters and can consist of multiple lines.

Basic port parameter configuration

To assign a name to a port:

Brocade(config)# interface ethernet 2
Brocade(config-if-e1000-2)# port-name Marsha

Syntax: port-name

The parameter is an alphanumeric string. The name can be up to 64 characters long. The name can contain blanks. You do not need to use quotation marks around the string, even when it contains blanks.

NOTE
Auto-negotiated FESX combo ports may flap for a few seconds before the link is up.

NOTE
On Brocade ICX 6610 and Series devices, after you remove 10 Gbps speed from the running configuration, plugging a 1G SFP optical transceiver into a 10 Gbps port causes the software to fail to revert the port from the default 10G LRM mode to 1 Gbps speed.
Maximum port speed application notes

• Port speed down-shift and maximum port speed advertisement work only when auto-negotiation is enabled (CLI command speed-duplex auto). If auto-negotiation is OFF, the device rejects the port speed down-shift and maximum port speed advertisement configuration.

Syntax: [no] link-config gig copper autoneg-control [down-shift | 100m-auto | 10m-auto] ethernet

The port list is the list of ports to which the command will be applied.

• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• FESX compact switches – portnum

You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. You can enable maximum port speed advertisement on one or two ports at a time. To disable maximum port speed advertisement after it has been enabled, enter the no form of the command.

MDI and MDIX configuration notes

• This feature applies to copper ports only.
• The mdi-mdix mdi and mdi-mdix mdix commands work independently of auto-negotiation. Thus, these commands work whether auto-negotiation is turned ON or OFF.

MDI and MDIX configuration syntax

The auto MDI/MDIX detection feature is enabled on all Gbps copper ports by default. For each port, you can disable auto MDI/MDIX, designate the port as an MDI port, or designate the port as an MDIX port.
Flow control configuration

Flow control (802.3x) is a QoS mechanism created to manage the flow of data between two full-duplex Ethernet devices. Specifically, a device that is oversubscribed (receiving more traffic than it can handle) sends an 802.3x PAUSE frame to its link partner to make the link partner stop transmitting for a short, frame-specified time. Without flow control, buffers would overflow, packets would be dropped, and data would have to be retransmitted. A PAUSE frame is accepted from whatever station is attached to the port and carries no authentication, so on ports that face untrusted hosts, where lossless delivery is not required, consider disabling flow control with the no flow-control command shown below.
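The PAUSE exchange described above, as an added example that is not part of the FastIron guide: this Python script builds and decodes an IEEE 802.3x PAUSE frame so you can see exactly what a link partner, or an attached host, sends to stall a port. The frame layout (reserved multicast destination 01:80:C2:00:00:01, EtherType 0x8808, opcode 0x0001, a 16-bit pause time in units of 512 bit times, zero meaning "resume") is the standard one; the source MAC is borrowed from the show interface output on this page, and the frames are constructed in memory rather than captured.

```python
"""Build and parse IEEE 802.3x PAUSE frames (added example, not Brocade code).

Layout, 802.3 Annex 31B:
  dst MAC     01:80:C2:00:00:01  reserved multicast, not forwarded by bridges
  src MAC     sender's station address
  EtherType   0x8808             MAC Control
  opcode      0x0001             PAUSE
  pause_time  16-bit, units of 512 bit times; 0 means "resume" (XON)
  padding     to the 60-byte minimum frame size (FCS not included here)
"""
import struct

PAUSE_DST = bytes.fromhex("0180c2000001")
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
MIN_FRAME_NO_FCS = 60


def build_pause_frame(src_mac: str, pause_quanta: int) -> bytes:
    """Return a padded PAUSE frame; pause_quanta 0 is the XON (resume) message."""
    if not 0 <= pause_quanta <= 0xFFFF:
        raise ValueError("pause_time is a 16-bit field")
    src = bytes.fromhex(src_mac.replace(":", "").replace(".", ""))
    if len(src) != 6:
        raise ValueError("source MAC must be 6 bytes")
    header = PAUSE_DST + src + struct.pack("!H", MAC_CONTROL_ETHERTYPE)
    body = struct.pack("!HH", PAUSE_OPCODE, pause_quanta)
    frame = header + body
    return frame + b"\x00" * (MIN_FRAME_NO_FCS - len(frame))


def parse_pause_frame(frame: bytes, link_bps: int = 1_000_000_000) -> dict:
    """Decode a PAUSE frame, rejecting anything that is not a well-formed PAUSE.

    Returns the requested pause in quanta and in seconds for the given link
    rate, and whether the frame is an XON (pause time zero)."""
    if len(frame) < 18:
        raise ValueError("frame too short for a MAC Control frame")
    dst, src = frame[0:6], frame[6:12]
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if dst != PAUSE_DST or ethertype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        raise ValueError("not an 802.3x PAUSE frame")
    return {
        "src": ":".join(f"{b:02x}" for b in src),
        "quanta": quanta,
        "seconds": quanta * 512 / link_bps,
        "xon": quanta == 0,
    }


if __name__ == "__main__":
    # Station address taken from the show interface output on this page.
    xoff = build_pause_frame("0012.f228.0600", 0xFFFF)   # longest single pause
    xon = build_pause_frame("0012.f228.0600", 0)         # resume
    for f in (xoff, xon):
        d = parse_pause_frame(f)
        print(f"{d['src']} pause={d['quanta']} quanta "
              f"({d['seconds'] * 1000:.2f} ms at 1 Gb/s) xon={d['xon']}")
```

A single frame with the maximum pause time holds a 1 Gb/s port for about 33.5 ms, and nothing stops a sender from repeating it indefinitely; that is the exposure behind the advice to disable flow control on untrusted-facing ports.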
Brocade(config)# interface ethernet 0/1/21
Brocade(config-if-e1000-0/1/21)# no flow-control

To enable flow control negotiation, enter the following commands.

  0 runts, 0 giants
  5 packets output, 320 bytes, 0 underruns
  Transmitted 0 broadcasts, 5 multicasts, 0 unicasts
  0 output errors, 0 collisions

Issuing the show interface command on an FSX device displays the following output:

Brocade# show interface ethernet 18/1
GigabitEthernet18/1 is up, line protocol is up
  Hardware is GigabitEthernet, address is 0012.f228.0600 (bia 0012.f228.

Symmetric flow control addresses the requirements of a lossless service class in an Internet Small Computer System Interface (iSCSI) environment. It is supported on FCX standalone units as well as on all FCX units in an IronStack.

About XON and XOFF thresholds

An 802.3x PAUSE frame is generated when the buffer limit at the ingress port reaches or exceeds the port's upper watermark threshold (XOFF limit).

• The following QoS features are not supported together with symmetric flow control:
  - Dynamic buffer allocation (CLI commands qd-descriptor and qd-buffer)
  - Buffer profiles (CLI command buffer-profile port-region)
  - DSCP-based QoS (CLI command trust dscp)

NOTE
Although the above QoS features are not supported with symmetric flow control, the CLI still accepts these commands. The last command issued is the one placed into effect on the device.

In the above configuration examples, when the XOFF limit of 91% is reached or exceeded, the Brocade device sends PAUSE frames to the sender telling it to stop transmitting data temporarily. When the buffer level falls back to the XON limit of 75%, the Brocade device sends PAUSE frames (with a pause time of zero) to the sender telling it to resume sending data.

Syntax: symmetric-flow-control set 1 | 2 xoff <%> xon <%>

symmetric-flow-control set 1 sets the XOFF and XON limits for 1G ports.

Brocade(config)# show symmetric
Symmetric Flow Control Information:
-----------------------------------
Symmetric Flow Control is enabled on units: 2 3
Buffer parameters:
  1G Ports:
    Total Buffers : 272
    XOFF Limit    : 240(91%)
    XON Limit     : 200(75%)
  10G Ports:
    Total Buffers : 416
    XOFF Limit    : 376(91%)
    XON Limit     : 312(75%)

Syntax: show symmetric-flow-control

PHY FIFO Rx and Tx depth configuration

PHY devices on FWS devices contain transmit and receive synchronizing FIFOs to adju
IPG on a FastIron X series switch configuration notes

• The CLI syntax for IPG differs on FastIron X Series devices compared to FastIron Stackable devices. This section describes the configuration procedures for FastIron X Series devices. For FastIron Stackable devices, refer to "IPG on FastIron Stackable devices" on page 55.
• IPG configuration commands are based on "port regions". All ports within the same port region should have the same IPG configuration.

IPG on FastIron Stackable devices

On FWS, FCX, and ICX devices, you can configure an IPG for each port. An IPG is a configurable time delay between successive data packets. You can configure an IPG in the range 48 to 120 bit times, in multiples of 8, with a default of 96. The IPG may be set from either the interface configuration level or the multiple interface level.

IPG configuration notes

• The CLI syntax for IPG differs on FastIron Stackable devices compared to FastIron X Series devices. This section describes the configuration procedures for FastIron Stackable devices. For FastIron X Series devices, refer to "Interpacket Gap (IPG) on a FastIron X Series switch" on page 53.
• When an IPG is applied to a trunk group, it applies to all ports in the trunk group.

Enabling and disabling support for 100BaseTX

For FastIron X Series devices, you can configure a 1000Base-TX SFP (part number E1MG-TX) to operate at a speed of 100 Mbps. To do so, enter the 100-tx command at the Interface level of the CLI.

Brocade(config-if-e1000-11)# 100-tx

After the link is up, it will be in 100M/full-duplex mode, as shown in the following example.

Enabling and disabling 100BaseFX on FESX Compact devices

This section shows how to enable 100BaseFX on a FESX Compact device.

For information about supported SFP and SFP+ transceivers on FastIron devices, refer to the following Brocade website: http://www.brocade.com/downloads/documents/data_sheets/product_data_sheets/Optics_DS.pdf

NOTE
Connect the 100BaseFX fiber transceiver after configuring both sides of the link. Otherwise, the link could become unstable, fluctuating between up and down states.

Port priority (QoS) modification

You can give preference to the inbound traffic on specific ports by changing the Quality of Service (QoS) level on those ports. For information and procedures, refer to Chapter 51, "Quality of Service".

Dynamic configuration of Voice over IP (VoIP) phones

You can configure a FastIron device to automatically detect and re-configure a VoIP phone when it is physically moved from one port to another within the same device.

Brocade(config)# interface ethernet 1-8
Brocade(config-mif-1-8)# voice-vlan 1001

Syntax: [no] voice-vlan

where the VLAN ID is a valid VLAN ID between 1 and 4095. To remove a voice VLAN ID, use the no form of the command.

Viewing voice VLAN configurations

You can view the configuration of a voice VLAN for a particular port or for all ports. To view the voice VLAN configuration for a port, specify the port number with the show voice-vlan command.
Port flap dampening configuration notes

• When a flap dampening port becomes a member of a trunk group, that port, as well as all other member ports of that trunk group, inherits the primary port configuration. This means that the member ports inherit the primary port flap dampening configuration, regardless of any previous configuration.
• The Brocade device counts the number of times a port link state toggles from "up to down", not from "down to up".

Displaying ports configured with port flap dampening

Ports that have been disabled by the port flap dampening feature are identified in the output of the show link-error-disable command. The following shows an example output.

Brocade# show link-error-disable
Port 2/1 is forced down by link-error-disable.

Use the show link-error-disable all command to display the ports with the port flap dampening feature enabled.

TABLE 14 Output of show link-error-disable (Continued)

Column    Description
State     The port state can be one of the following:
          • Idle – The link is normal and no link state toggles have been detected or sampled.
          • Down – The port is disabled because the number of sampled errors exceeded the configured threshold.
          • Err – The port sampled one or more errors.
Counter   • If the port state is Idle, this field displays N/A.

NOTE
If a port name is longer than five characters, the port name is truncated in the output of the show interface brief command.

Syslog messages for port flap dampening

The following Syslog messages are generated for port flap dampening.
• If the threshold for the number of times that a port link toggles from "up" to "down" then "down" to "up" has been exceeded, the following Syslog message is displayed.
• With Loose Mode, two ports of a loop are disabled.
• Different VLANs may disable different ports. A disabled port affects every VLAN using it.
• Loose Mode floods test packets to the entire VLAN. This can impact system performance if too many VLANs are configured for Loose Mode loop detection.

NOTE
Brocade recommends that you limit the use of Loose Mode.

This command sets the loop-detection interval to 5 seconds (50 x 0.1). To revert to the default global loop detection interval of 10, enter one of the following.

Brocade(config)# loop-detection-interval 10
OR
Brocade(config)# no loop-detection-interval 50

Syntax: [no] loop-detection-interval

where the value is from 1 to 100. The system multiplies your entry by 0.1 to calculate the interval, in seconds, at which test packets are sent.

Clearing loop-detection

To clear loop detection statistics and re-enable all ports that are in the Err-Disable state because of loop detection, enter the clear loop-detection command.

Brocade# clear loop-detection

Displaying loop-detection information

Use the show loop-detection status command to display loop detection status, as shown.

Brocade# show loop-detection status
loop detection packets interval: 10 (unit 0.

Displaying loop detection resource information

Use the show loop-detection resource command to display the hardware and software resource information on loop detection.

  Received 0 broadcasts, 63650 multicasts, 107669 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  51094 packets output, 3925313 bytes, 0 underruns
  Transmitted 2 broadcasts, 42830 multicasts, 8262 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Syslog message due to disabled port in loop detection

The following message is logged when a port is disabled due to loop detection. This message also appears on the console.
Chapter 3 Operations, Administration, and Maintenance Table 16 lists the individual Brocade FastIron switches and the operations, administration, and maintenance (OAM) features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Software versions installed and running on a device

• Primary flash – The default local storage device for image files and configuration files.
• Secondary flash – A second flash storage device. You can use the secondary flash to store redundant images for additional booting reliability or to preserve one software image while testing another one. Only one flash device is active at a time. By default, the primary image becomes active upon reload.

512 MB DRAM
STACKID 1 system uptime is 3 minutes 39 seconds
The system : started=warm start reloaded=by "reload"

The version information is shown in bold type in this example:
• "03.0.00T53" indicates the flash code version number. The "T53" is used by Brocade for record keeping.
• "labeled as FER03000" indicates the flash code image label. The label indicates the image type and version and is especially useful if you change the image file name.

512 KB boot flash memory
16384 KB code flash memory
512 MB DRAM
Standby Management Module:
  660 MHz Power PC processor 8541 (version 0020/0020) 66 MHz bus
  512 KB boot flash memory
  16384 KB code flash memory
  512 MB DRAM
The system uptime is 1 minutes 2 seconds
The system : started=warm start reloaded=by "reload"

The version information is shown in bold type in this example:
• "03.1.00aT3e3" indicates the flash code version number.

NOTE
To minimize the boot-monitor image size on FastIron devices, the ping and tftp operations performed in boot-monitor mode are restricted to copper ports on the FastIron Chassis management modules and to the copper ports of the combination copper and fiber ports on FastIron stackable switches. The fiber ports on these devices cannot ping or tftp from boot-monitor mode.
Image file types

Brocade#verify md5 secondary 01c410d6d153189a4a5d36c955653861
Brocade#.........................Done
Size = 2044830, MD5 01c410d6d153189a4a5d36c955653862
Verification FAILED.

In the previous example, the digests did not match, and verification failed. If verification succeeds, the output looks like this.

Brocade#verify md5 secondary 01c410d6d153189a4a5d36c955653861
Brocade#.........................Done
Size = 2044830, MD5 01c410d6d153189a4a5d36c955653861
Verification SUCCEEDED.

A successful verification shows that the image in flash matches the digest you typed, which catches a corrupted or incomplete transfer. It does not by itself prove that the image is the one Brocade published: MD5 is not collision resistant, so obtain the reference digest over a trusted channel (the release notes or the vendor download page, not the same server that served the image) and compare the full 32-character digest rather than only its last few characters, which is where the two examples above differ.
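The same check, done offline before the image is ever copied to the device, as an added example that is not part of the FastIron guide. The Python below hashes an image file block by block (images are megabytes, so it never reads the whole file into memory), normalises and validates the reference digest so that a truncated paste cannot pass, compares in constant time, and reports the size the way the CLI does. The sample image bytes and their digest are constructed for the example; replace them with the real image and the digest from the release notes.

```python
"""Offline counterpart of the CLI 'verify md5 <flash> <digest>' step.

Added example, not Brocade code. The sample image below is constructed:
a 43-byte stand-in whose MD5 is well known.
"""
import hashlib
import hmac
import io

HEX = set("0123456789abcdef")


def normalise_digest(expected: str) -> str:
    """Accept upper/lower case and surrounding whitespace; reject anything that
    is not exactly 32 hex characters so a truncated or partial digest never passes."""
    digest = expected.strip().lower()
    if len(digest) != 32 or not set(digest) <= HEX:
        raise ValueError("expected digest must be 32 hex characters")
    return digest


def verify_image(stream, expected: str, chunk_size: int = 65536) -> tuple:
    """Hash the stream in chunks and return (verified, size_in_bytes, actual_digest).

    The comparison uses hmac.compare_digest so that a wrong digest takes the
    same time to reject regardless of where the first differing character is."""
    want = normalise_digest(expected)
    h = hashlib.md5()
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
        size += len(chunk)
    got = h.hexdigest()
    return hmac.compare_digest(got, want), size, got


def verify_image_file(path: str, expected: str) -> tuple:
    """Verify an image on disk, e.g. the file you are about to copy to flash."""
    with open(path, "rb") as f:
        return verify_image(f, expected)


def verify_bytes(data: bytes, expected: str) -> tuple:
    """Verify in-memory data (used for the constructed sample below)."""
    return verify_image(io.BytesIO(data), expected)


# Constructed sample image and its reference digest.
SAMPLE_IMAGE = b"The quick brown fox jumps over the lazy dog"
SAMPLE_DIGEST = "9e107d9d372bb6826bd81d3542a419d6"

if __name__ == "__main__":
    ok, size, got = verify_bytes(SAMPLE_IMAGE, SAMPLE_DIGEST)
    print(f"Size = {size}, MD5 {got}")
    print("Verification SUCCEEDED." if ok else "Verification FAILED.")
```

Run it against the downloaded image with verify_image_file("FGS04000bl.bin", digest_from_release_notes) before the copy tftp flash step; if it fails there, nothing has yet touched the device.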
Software upgrades

Refer to the release notes for instructions about upgrading the software.

Boot code synchronization feature

The Brocade device supports automatic synchronization of the boot image in the active and redundant management modules. When a new boot image is copied into the active module, it is automatically synchronized to the redundant management module.

NOTE
There is currently no option for manual synchronization of the boot image.

Viewing the contents of flash files

Brocade#show dir
     133 [38f4] boot-parameter
       0 [ffff] bootrom
 3802772 [0000] primary
 4867691 [0000] secondary
     163 [dd8e] stacking.boot
    1773 [0d2d] startup-config
    1808 [acfa] startup-config.backup
 8674340 bytes 7 File(s) 56492032 bytes free

Syntax: show dir

To display the contents of a flash configuration file, enter a command such as the following from the User EXEC or Privileged EXEC mode of the CLI:

Brocade#copy flash console startup-config.backup
ver 07.0.

Syntax: copy flash console

For the file name, enter the name of a file stored in flash memory.
Using SNMP to upgrade software

You can use a third-party SNMP management application such as HP OpenView to upgrade software on a Brocade device. Because an SNMP set can replace the software the device runs, protect the read-write community string and the management network with the same care as the enable password.

NOTE
The syntax shown in this section assumes that you have installed HP OpenView in the "/usr" directory.

NOTE
Brocade recommends that you make a backup copy of the startup-config file before you upgrade the software. If you need to run an older release, you will need the backup copy of the startup-config file.

1.

Software reboot

You can use boot commands to immediately initiate software boots from a software image stored in primary or secondary flash on a Brocade device or from a BootP or TFTP server. You can test new versions of code on a Brocade device or choose the preferred boot source from the console boot prompt without requiring a system reset.

NOTE
It is very important that you verify a successful TFTP transfer of the boot code before you reset the system.

Loading and saving configuration files

Boot system preference (Default)
Boot system flash primary
Boot system flash secondary

Syntax: show boot-preference

The results of the show run command for the configured example above appear as follows.

Brocade#show run
Current Configuration:
!
ver 04.0.00x1T7el
!
module 1 fgs-48-port-copper-base-module
module 2 fgs-xfp-1-port-10g-module
module 3 fgs-xfp-1-port-10g-module
!
alias cp=copy tf 10.1.1.1 FGS04000bl.bin pri
!
!
boot sys fl sec
boot sys df 10.1.1.
Replacing the startup configuration with the running configuration

After you make configuration changes to the active system, you can save those changes by writing them to flash memory. When you write configuration changes to flash memory, you replace the startup configuration with the running configuration. To replace the startup configuration with the running configuration, enter the following command at any Enable or CONFIG command prompt.

To initiate transfers of configuration files to or from a TFTP server using the CLI, enter one of the following commands:
• copy startup-config tftp – Use this command to upload a copy of the startup configuration file from the Layer 2 Switch or Layer 3 Switch to a TFTP server.

TFTP provides neither authentication nor confidentiality, and a configuration file carries SNMP community strings and password material, so perform these transfers only over a management network you control and remove the copy from the TFTP server when you are done.

• The default CLI configuration level in a configuration file is the global CONFIG level. Thus, the first command in the file must be a global CONFIG command or "!". The ! (exclamation point) character means "return to the global CONFIG level".

NOTE
You can enter text following "!" as a comment. However, the "!" is not only a comment marker: it returns the CLI to the global configuration level.

interface ethernet 11
no ip address 20.20.20.69/24
ip address 10.10.10.69/24

This time, the CLI accepts the command, and no error message is displayed.

Brocade(config)#interface ethernet 11
Brocade(config-if-e1000-11)#no ip add 20.20.20.69/24
Brocade(config-if-e1000-11)#ip add 10.10.10.69/24
Brocade(config-if-e1000-11)#

• Always use the end command at the end of the file. The end command must appear on the last line of the file, by itself.
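The rules above are easy to break when a configuration file is generated by a script, and a file that is rejected half way through leaves the running-config partially changed. The Python linter below is an added example, not Brocade code: it encodes the rules the guide states (the file starts at the global CONFIG level, "!" returns to that level and anything after it is a comment, and end must be the last line by itself) and additionally tracks the current level so that an interface-level command that lands at the global level after a "!" is flagged before upload. The command sets it uses are a constructed subset taken from the commands on this page, not the full CLI; extend them for your image type. The sample configuration files are constructed.

```python
"""Lint a FastIron-style configuration file before copying it into the
running-config from a TFTP server. Added example, not Brocade code.

GLOBAL_LEVEL and INTERFACE_ONLY are constructed subsets of the CLI drawn
from the commands shown on this page; they are not the complete command set."""

GLOBAL_LEVEL = {"hostname", "vlan", "interface", "snmp-server", "sntp",
                "banner", "username", "aaa", "ip", "ipv6", "no", "enable",
                "loop-detection-interval", "alias", "boot", "module", "ver"}
INTERFACE_ONLY = {"port-name", "flow-control", "broadcast", "multicast",
                  "unknown-unicast", "voice-vlan", "speed-duplex", "100-tx"}


def lint_config(text: str) -> list:
    """Return a list of problems found; an empty list means the file passed."""
    lines = text.splitlines()
    problems = []
    if not lines:
        return ["empty file: nothing would be applied"]
    if lines[-1].strip() != "end":
        problems.append(f"line {len(lines)}: 'end' must be the last line, by itself")

    level = "global"        # the CLI starts a loaded file at the global CONFIG level
    first_seen = False
    for num, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            # "!" is a comment marker that also returns the CLI to the global level,
            # so an interface block ends here even if the text after it looks like prose.
            level = "global"
            continue
        word = line.split()[0]
        if not first_seen:
            first_seen = True
            if word not in GLOBAL_LEVEL:
                problems.append(f"line {num}: first command must be a global CONFIG "
                                f"command or '!': {line}")
        if line == "end":
            if num != len(lines):
                problems.append(f"line {num}: 'end' must be the last line")
            continue
        if word == "interface":
            level = "interface"
        elif word in INTERFACE_ONLY and level != "interface":
            problems.append(f"line {num}: '{word}' is an interface-level command "
                            f"but the CLI is at the {level} level here")
    if not first_seen:
        problems.append("no commands found")
    return problems


# Constructed sample files: the first follows the rules, the second breaks them.
GOOD_CONFIG = """interface ethernet 11
 no ip address 20.20.20.69/24
 ip address 10.10.10.69/24
!
hostname edge-1
end
"""

BAD_CONFIG = """port-name uplink
interface ethernet 11
! this comment also drops us back to the global level
 port-name Marsha
hostname edge-1
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_config(cfg) or "ok")
```

The bad sample is the realistic failure: port-name after the "!" comment is applied at the global level, where the CLI rejects it, and the missing end leaves the loader without a terminator.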
Loading and saving configuration files with IPv6

This section describes the IPv6 copy and ncopy commands.

Specify the startup-config keyword to copy the startup configuration file to the specified IPv6 TFTP server. The tftp parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373. The parameter specifies the name of the file that is copied to the IPv6 TFTP server.

The parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373. The parameter specifies the name of the file that is copied from the IPv6 TFTP server. The overwrite keyword specifies that the device should overwrite the current configuration file with the copied file.

The tftp parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373. The parameter specifies the name of the running configuration that is copied to the IPv6 TFTP server.

IPv6 TFTP server file upload

You can upload the following files from an IPv6 TFTP server:
• Primary boot image.
• Secondary boot image.

Specify the running-config keyword to upload the specified file from the IPv6 TFTP server to the device. The device copies the specified file into the current running configuration but does not overwrite the current configuration. Specify the startup-config keyword to upload the specified file from the IPv6 TFTP server to the device.
22 – Upload the running-config from the flash memory of the Brocade device to the TFTP server.
23 – Download a configuration file from a TFTP server into the running-config of the Brocade device.

NOTE
Option 23 adds configuration information to the running-config on the device, and does not replace commands.

System reload scheduling

Reloading after a specific amount of time

To schedule a system reload to occur after a specific amount of time has passed on the system clock, use the reload after command. For example, to schedule a system reload from the secondary flash one day and 12 hours later, enter the following command at the global CONFIG level of the CLI.

Diagnostic error codes and remedies for TFTP transfers

Error code | Message | Explanation and action
7 | TFTP busy, only one TFTP session can be active. | Another TFTP transfer is active on another CLI session, Web management session, or network management system. Wait, then retry the transfer.
8 | File type check failed. | You accidentally attempted to copy the incorrect image code into the system. For example, you might have tried to copy a Chassis image into a Compact device.
Network connectivity testing

After you install the network cables, you can test network connectivity to other devices by pinging those devices. You also can observe the LEDs related to network connection and perform trace routes. For more information about observing LEDs, refer to the Brocade FastIron X Series Chassis Hardware Installation Guide and the Brocade FastIron Compact Switch Hardware Installation Guide.

The data <1 – 4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default data pattern, “abcd”, in the packet data payload. The pattern repeats itself throughout the ICMP message (payload) portion of the packet.

NOTE
For numeric parameter values, the CLI does not check that the value you enter is within the allowed range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid value.
Possible and default values are as follows.
• minttl – minimum TTL (hops) value: Possible values are 1 – 255. Default value is 1 second.
• maxttl – maximum TTL (hops) value: Possible values are 1 – 255. Default value is 30 seconds.
• timeout – Possible values are 1 – 120. Default value is 2 seconds.
• numeric – Lets you change the display to list the devices by their IP addresses instead of their names.

Hitless management on the FSX 800 and FSX 1600

Benefits of hitless management

The benefits of Hitless management include the following:
• The standby management module (the module that takes over the active role) and all interface modules in the chassis are not reset
• Existing data traffic flows continue uninterrupted with no traffic loss
• Port link states remain UP for the duration of the hitless management event
• System configurations applied through Console/SNMP/HTTP interfaces remain intact
• Hit

TABLE 18 Hitless-supported services and protocols – FSX 800 and FSX 1600

Traffic type: Layer 2 switched traffic, including unicast and multicast + System-level + Layer 4
Supported protocols and services:
• 802.1p and 802.1Q
• 802.3ad – LACP
• 802.3af – PoE
• 802.

Traffic type: Security
Supported protocols and services:
• 802.1X, including use with dynamic ACLs and VLANs
• IPv4 ACLs
• IPv6 ACLs
• DHCP snooping
• Dynamic ARP inspection
• EAP with RADIUS
• IP source guard
• Multi-device port authentication, including use with dynamic ACLs and VLANs
Impact: Supported security protocols and services are not impacted during a switchover or failover.

• A hitless-reload must not have already been issued on the previous active management module.
• POE firmware must not be in progress.
• The SXR running configuration must not be classified as too large (greater than 512KB).
• A TFTP session must not be in progress.
• An image sync session must not be in progress.
• The current active management card cannot have a memory utilization of greater than 90% of available memory.

• Layer 3 IP forwarding information – This includes the routing table, IP cache table, and ARP table, as well as static and connected routes.
• Layer 3 routing protocols are not copied to the standby management module, but remain in init state on the standby module until a switchover occurs. Peer adjacency will be restored after a switchover.

NOTE
Since both the standby and active management modules run the same code, a command that brings down the active management module will most likely bring down the standby management module. Because all configuration commands are synchronized from active to standby management module in real time, both management modules will reload at almost the same time.

Executing a hitless switchover on the FSX 800 and FSX 1600

Hitless failover must be enabled before a hitless switchover can be executed. To enable hitless failover, refer to “Enabling hitless failover on the FSX 800 and FSX 1600” on page 103. To switch over to the standby module (and thus make it the active module), enter the following command.

Brocade# switch-over-active-role

Once you enter this command, the system will prompt you as follows.

NOTE
The events described above occur internally and do not create or affect the external network topology.

Hitless OS upgrade considerations

Consider the following when using the hitless OS upgrade feature:
• Hitless OS upgrade allows for upgrading the software in a system between two releases of the OS that support this functionality and have compatible data structures. A hitless O/S downgrade may also be supported if the current and target code releases have compatible data structures.

Hitless OS upgrade configuration steps

The following is a summary of the configuration steps for a hitless OS software upgrade.
1. Copy the software image that supports hitless software upgrade from a TFTP server to the FastIron switch. Refer to “Loading the software onto the switch”.
2. Install the software image in flash memory on the active and standby management modules.
3. Enter the hitless-reload command on the active management module.

Displaying diagnostic information

Use the following commands to display diagnostic information for a hitless switchover or failover.
Chapter 4 Security Access

Table 19 lists the individual Brocade FastIron switches and the security access features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.

Securing access methods

The following table lists the management access methods available on a Brocade device, how they are secured by default, and the ways in which they can be secured.

TABLE 20 Ways to secure management access to Brocade devices (Continued)

Access method: Secure Shell (SSH) access
How the access method is secured by default: Not configured
Ways to secure the access method (see page):
• Configure SSH (page 1419)
• Regulate SSH access using ACLs (page 113)
• Allow SSH access only from specific IP addresses (page 116)
• Allow SSH access only from specific MAC addresses (page 117)
• Establish passwords for privilege levels of the CLI (page 125)
• Set up local

Access method: TFTP access
How the access method is secured by default: Not secured
Ways to secure the access method (see page):
• Allow TFTP access only to clients connected to a specific VLAN (page 120)
• Disable TFTP access (page 124)

Extra steps must be taken to secure multiple consoles in an IronStack.

Remote access to management function restrictions
Using an ACL to restrict Telnet access

To configure an ACL that restricts Telnet access to the device, enter commands such as the following.

Brocade(config)#access-list 10 deny host 209.157.22.32 log
Brocade(config)#access-list 10 deny 209.157.23.0 0.0.0.255 log
Brocade(config)#access-list 10 deny 209.157.24.0 0.0.0.255 log
Brocade(config)#access-list 10 deny 209.157.25.

Using an ACL to restrict Web management access

To configure an ACL that restricts Web management access to the device, enter commands such as the following.

Brocade(config)#access-list 12 deny host 209.157.22.98 log
Brocade(config)#access-list 12 deny 209.157.23.0 0.0.0.255 log
Brocade(config)#access-list 12 deny 209.157.24.
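To make the wildcard-mask semantics of these management ACLs concrete, the following Python script evaluates a standard ACL written in the form shown above against candidate client addresses. It is an added example, not Brocade code. The ACL it builds uses the first three deny lines from the Telnet example; the closing permit any line, and the implicit deny that applies when no entry matches, are assumptions about how the device evaluates the list rather than text from the guide.

```python
"""Evaluate a FastIron-style standard ACL (as used to restrict Telnet or Web
management access) against a client address.  Added example, not device code.

Entry forms handled: 'deny|permit host A.B.C.D [log]', 'deny|permit A.B.C.D
W.W.W.W [log]' with a wildcard mask (a 1 bit in the mask means 'ignore this
bit'), and 'permit|deny any'.
"""
import ipaddress
from typing import NamedTuple


class AclEntry(NamedTuple):
    action: str      # "permit" or "deny"
    network: int     # address bits that must match
    wildcard: int    # bits set here are "don't care"
    log: bool


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_entry(line: str) -> AclEntry:
    """Parse one 'access-list N <permit|deny> ...' line into an AclEntry."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 4:
        raise ValueError(f"not an access-list line: {line!r}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    rest = tokens[3:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest == ["any"]:
        network, wildcard = 0, 0xFFFFFFFF
    elif rest[0] == "host":
        network, wildcard = _ip(rest[1]), 0
    else:
        network, wildcard = _ip(rest[0]), _ip(rest[1])
    return AclEntry(action, network, wildcard, log)


def evaluate(acl: list, client: str) -> tuple:
    """Return (action, matched_entry) for the first matching entry, or
    ('deny', None) for the implicit deny at the end of the list (assumption)."""
    addr = _ip(client)
    for entry in acl:
        mask = ~entry.wildcard & 0xFFFFFFFF   # bits that must match exactly
        if addr & mask == entry.network & mask:
            return entry.action, entry
    return "deny", None


# Constructed ACL: the deny lines follow the guide's example; 'permit any' is assumed.
TELNET_ACL = [parse_entry(line) for line in """
access-list 10 deny host 209.157.22.32 log
access-list 10 deny 209.157.23.0 0.0.0.255 log
access-list 10 deny 209.157.24.0 0.0.0.255 log
access-list 10 permit any
""".strip().splitlines()]

if __name__ == "__main__":
    for client in ("209.157.22.32", "209.157.23.77", "209.157.22.40"):
        action, entry = evaluate(TELNET_ACL, client)
        print(f"{client}: {action}{' (logged)' if entry and entry.log else ''}")
```

The third address is permitted only because of the final permit any; drop that line and every non-listed client is denied by the implicit deny, which is the safer shape for a management ACL when the set of administrative hosts is known.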
NOTE
When snmp-server community is configured, all incoming SNMP packets are validated first by their community strings and then by their bound ACLs.

Defining the console idle time

By default, a Brocade device does not time out serial console sessions. A serial session remains open indefinitely until you close it. You can, however, define how many minutes a serial management session can remain idle before it is timed out.

Restricting Telnet access to a specific IP address

To allow Telnet access to the Brocade device only to the host with IP address 209.157.22.39, enter the following command.

Brocade(config)#telnet-client 209.157.22.39

Syntax: [no] telnet-client |

Restricting SSH access to a specific IP address

To allow SSH access to the Brocade device only to the host with IP address 209.157.22.39, enter the following command.

Restricting access to the device based on IP or MAC address

You can restrict remote management access to the Brocade device, using Telnet, SSH, HTTP, and HTTPS, based on the connecting client IP or MAC address.

Restricting Telnet connection

You can restrict Telnet connection to a device based on the client IP address or MAC address. To allow Telnet access to the Brocade device only to the host with IP address 209.157.22.39 and MAC address 0007.e90f.

Brocade(config)#web client any 0007.e90f.10ba

Syntax: [no] web client any

Defining the Telnet idle time

You can define how many minutes a Telnet session can remain idle before it is timed out. An idle Telnet session is a session that is still sending TCP ACKs in response to keepalive messages from the device, but is not being used to send data. To configure the idle time for a Telnet session, use the following command.

Restricting remote access to the device to specific VLAN IDs

You can restrict management access to a Brocade device to ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods:
• Telnet access
• Web management access
• SNMP access
• TFTP access
By default, access is allowed for all the methods listed above on all ports.

The command in this example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] snmp-server enable vlan

Restricting TFTP access to a specific VLAN

To allow TFTP access only to clients in a specific VLAN, enter a command such as the following.

These commands configure port-based VLAN 10 to consist of ports 1/1 – 1/4 and to be the designated management VLAN. The last two commands configure default gateways for the VLAN. Since the 10.10.10.1 gateway has a lower metric, the software uses this gateway. The other gateway remains in the configuration but is not used. You can use the other one by changing the metrics so that the 20.20.20.1 gateway has the lower metric.

Brocade(config)#web-management http

Syntax: [no] web-management http | https

When using the web-management command, specify the http or https parameters. The http parameter specifies that web management is enabled for HTTP access. The https parameter specifies that web management is enabled for HTTPS access.

Disabling Telnet access

You can use a Telnet client to access the CLI on the device over the network. If you do not plan to use the CLI over the network and want to disable Telnet access to prevent others from establishing CLI sessions with the device, enter the following command.

Brocade(config)#no telnet server

To re-enable Telnet operation, enter the following command.
Disabling SNMP access

To disable SNMP management of the device:

Brocade(config)#no snmp-server

To later re-enable SNMP management of the device:

Brocade(config)#snmp-server

Syntax: no snmp-server

Disabling TFTP access

You can globally disable TFTP to block TFTP client access. By default, TFTP client access is enabled. To disable TFTP client access, enter the following command at the Global CONFIG level of the CLI.

Passwords used to secure access

Syntax: [no] enable telnet password

Suppressing Telnet connection rejection messages

By default, if a Brocade device denies Telnet management access to the device, the software sends a message to the denied Telnet client. You can optionally suppress the rejection message. When you enable the option, a denied Telnet client does not receive a message from the Brocade device. Instead, the denied client simply does not gain access.

Brocade(config)#enable super-user-password

NOTE
You must set the Super User level password before you can set other types of passwords. The Super User level password can be an alphanumeric string, but cannot begin with a number.

4. Enter the following commands to set the Port Configuration level and Read Only level passwords.

Syntax: [no] privilege level

The parameter specifies the CLI level and can be one of the following values:
• exec – EXEC level; for example, Brocade> or Brocade#
• configure – CONFIG level; for example, Brocade(config)#
• interface – Interface level; for example, Brocade(config-if-6)#
• loopback-interface – loopback interface level
• virtual-interface – Virtual-interface level; for example,

5. Enter boot system flash primary at the prompt. On ICX 6430 and ICX 6450 devices, enter boot_primary.
6. After the console prompt reappears, assign a new password.

Displaying the SNMP community string

If you want to display the SNMP community string, enter the following commands.
Local user accounts

You can define up to 16 local user accounts on a Brocade device. User accounts regulate who can access the management functions in the CLI using the following methods:
• Telnet access
• Web management access
• SNMP access
Local user accounts provide greater flexibility for controlling management access to Brocade devices than do management privilege level passwords and SNMP community strings of SNMP versions 1 and 2.

• Quarterly updates of user passwords
• You can configure the system to store up to 15 previously configured passwords for each user.
• You can use the disable-on-login-failure command to change the number of login attempts (up to 10) before users are locked out.
• A password can now be set to expire.

Enabling user password masking

By default, when you use the CLI to create a user password, the password displays on the console as you type it. For enhanced security, you can configure the Brocade device to mask the password characters entered at the CLI. When password masking is enabled, the CLI displays asterisks (*) on the console instead of the actual password characters entered. The following shows the default CLI behavior when configuring a username and password.

• The username and password are deleted from the configuration
• The username password expires
When a username set-time configuration is removed, it no longer appears in the show running configuration output. Note that if a username does not have an assigned password, the username will not have a set-time configuration. Password aging is disabled by default. To enable it, enter the following command at the global CONFIG level of the CLI.

Example

Brocade(config)#user sandy enable
Brocade#show user
Username  Password                             Encrypt  Priv  Status   Expire Time
==============================================================================
sandy     $1$Gz...uX/$wQ44fVGtsqbKWkQknzAZ6.  enabled  0     enabled  90 days

Syntax: username enable

Setting passwords to expire

You can set a user password to expire. Once a password expires, the administrator must assign a new password to the user.
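The three account controls described in this section (a history of up to 15 previous passwords, lock-out after a configurable number of failed logins, and password aging such as the 90-day expiry shown for sandy) interact in ways that are easier to see in code. The following Python model is an added example and is not the device's implementation; the PBKDF2 hashing, the per-user salt and the injectable clock are assumptions made so that the policy logic can be exercised offline.

```python
"""Model of the local-user-account controls the guide lists (added example,
not the device's implementation): a per-user history of up to 15 previous
passwords, lock-out after a configurable number of failed logins
(disable-on-login-failure, up to 10), and password aging.  PBKDF2 hashing,
the per-user salt and the injectable clock are assumptions made for the demo.
"""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_HISTORY = 15          # guide: up to 15 previously configured passwords per user
MAX_LOGIN_FAILURES = 10   # guide: disable-on-login-failure allows up to 10 attempts


def _hash(password: str, salt: bytes) -> bytes:
    # Few iterations to keep the demo fast; raise this for anything real.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class LocalUser:
    name: str
    privilege: int                       # 0 = Super User, 5 = Read Only (guide values)
    expire_days: int = 0                 # 0 = password aging disabled
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    history: list = field(default_factory=list)   # most recent first
    set_time: datetime = field(default_factory=datetime.now)
    failures: int = 0
    enabled: bool = True

    def set_password(self, new: str, now: datetime = None) -> bool:
        """Rotate the password unless it repeats the current one or one of the
        last MAX_HISTORY; the oldest entry drops off once the history is full."""
        digest = _hash(new, self.salt)   # same salt so history digests are comparable
        if digest == self.current or digest in self.history:
            return False
        if self.current:
            self.history = [self.current] + self.history[:MAX_HISTORY - 1]
        self.current, self.set_time, self.failures = digest, now or datetime.now(), 0
        return True

    def password_expired(self, now: datetime = None) -> bool:
        if self.expire_days == 0:
            return False
        return (now or datetime.now()) >= self.set_time + timedelta(days=self.expire_days)

    def login(self, password: str, max_failures: int = MAX_LOGIN_FAILURES,
              now: datetime = None) -> str:
        """Return 'ok', 'expired', 'disabled' or 'bad-password'."""
        if not self.enabled:
            return "disabled"
        if _hash(password, self.salt) != self.current:
            self.failures += 1
            if self.failures >= max_failures:
                self.enabled = False     # an administrator must re-enable the account
                return "disabled"
            return "bad-password"
        self.failures = 0
        if self.password_expired(now):
            return "expired"             # an administrator must assign a new password
        return "ok"


def demo_scenario() -> dict:
    """Walk one account through history, aging and lock-out with a fixed clock."""
    t0 = datetime(2012, 7, 20)
    user = LocalUser("sandy", privilege=0, expire_days=90)
    out = {}
    user.set_password("pw0", now=t0)
    out["login_ok"] = user.login("pw0", now=t0)
    out["immediate_reuse_blocked"] = not user.set_password("pw0", now=t0)
    for i in range(1, 16):                       # 15 rotations: pw0 is now the oldest entry
        user.set_password(f"pw{i}", now=t0)
    out["pw0_still_in_history"] = not user.set_password("pw0", now=t0)
    user.set_password("pw16", now=t0)            # pushes pw0 out of the 15-entry history
    out["pw0_aged_out_of_history"] = user.set_password("pw0", now=t0)
    out["after_90_days"] = user.login("pw0", now=t0 + timedelta(days=90))
    for _ in range(3):
        last = user.login("wrong", max_failures=3, now=t0)
    out["third_failure"] = last
    out["correct_password_after_lockout"] = user.login("pw0", now=t0)
    return out


if __name__ == "__main__":
    for check, result in demo_scenario().items():
        print(f"{check}: {result}")
```

Two points the walkthrough makes visible: a 15-entry history only blocks reuse until the sixteenth rotation, so a short history combined with a low expiry period still allows cycling back to an old password, and once the failure threshold is reached even the correct password is refused until the account is re-enabled by an administrator.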
NOTE
You must grant Super User level privilege to at least one account before you add accounts with other privilege levels. You need the Super User account to make further administrative changes.

Local user accounts with no passwords

To create a user account without a password, enter the following command at the global CONFIG level of the CLI.

• At least two numeric characters
• At least two special characters

NOTE
You must be logged on with Super User access (privilege level 0) to add user accounts or configure other access parameters.

To display user account information, enter the following command.

• 5 – Read Only level
Enter up to 255 alphanumeric characters for .

Changing a local user password

To change a local user password for an existing local user account, enter a command such as the following at the global CONFIG level of the CLI.

NOTE
You must be logged on with Super User access (privilege level 0) to change user passwords.

SSL security for the Web Management Interface

Enabling the SSL server on the Brocade device

To enable the SSL server on the Brocade device, enter the following command.

Brocade(config)#web-management https

Syntax: [no] web-management http | https

You can enable either the HTTP or HTTPS server with this command. You can disable both the HTTP and HTTPS servers by entering the following command.

Support for SSL digital certificates larger than 2048 bits

Brocade devices have the ability to store and retrieve SSL digital certificates that are up to 4000 bits in size. Support for SSL certificates larger than 2048 bits is automatically enabled. You do not need to perform any configuration procedures to enable it.

Deleting the SSL certificate

To delete the SSL certificate, enter the following command.

TACACS and TACACS+ security
If you are using TACACS+, Brocade recommends that you also configure authorization, in which the Brocade device consults a TACACS+ server to determine which management privilege level (and which associated set of commands) an authenticated user is allowed to use. You can also optionally configure accounting, which causes the Brocade device to log information on the TACACS+ server when specified events occur on the device.

stack9#show who
Console connections (by unit number):
  1 established
    you are connecting to this session
    4 seconds in idle
  2 established
    1 hours 3 minutes 12 seconds in idle
  3 established
    1 hours 3 minutes 9 seconds in idle
  4 established
    1 hours 3 minutes 3 seconds in idle
Telnet connections (inbound):
  1 closed
  2 closed
  3 closed
  4 closed
  5 closed
Telnet connection (outbound):
  6 closed
SSH connections:
  1 closed
  2 closed
  3 closed
  4 closed
  5 closed
stack9#
stack9#show telnet
Console

TACACS authentication

NOTE
Also, multiple challenges are supported for TACACS+ login authentication.

When TACACS authentication takes place, the following events occur.
1. A user attempts to gain access to the Brocade device by doing one of the following:
   • Logging into the device using Telnet, SSH, or the Web Management Interface
   • Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username and password.

3. The Brocade device consults the TACACS+ server to determine the privilege level of the user.
4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the privilege level of the user.
5. The user is granted the specified privilege level.

When TACACS+ command authorization takes place, the following events occur.
1.

User action | Applicable AAA operations
User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI | Enable authentication: aaa authentication enable default; Exec authorization (TACACS+): aaa authorization exec default tacacs+; System accounting start (TACACS+): aaa accounting system default start-stop
User logs in using Telnet/SSH | Login authentication: aaa authentication login default; Exec authorization (TACACS+):

AAA security for commands pasted into the running-config

If AAA security is enabled on the device, commands pasted into the running-config are subject to the same AAA operations as if they were entered manually. When you paste commands into the running-config, and AAA command authorization or accounting, or both, are configured on the device, AAA operations are performed on the pasted commands.

Enabling TACACS

TACACS is disabled by default. To configure TACACS/TACACS+ authentication parameters, you must enable TACACS by entering the following command.

Brocade(config)#enable snmp config-tacacs

Syntax: [no] enable snmp

The parameter specifies the RADIUS configuration mode. RADIUS is disabled by default. The parameter specifies the TACACS configuration mode. TACACS is disabled by default.

The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the authentication port on the server. The default port number is 49.

Specifying different servers for individual AAA functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example, you can designate one TACACS+ server to handle authorization and another TACACS+ server to handle accounting. You can set the TACACS+ key for each server.

Setting the TACACS+ key

The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they are sent over the network. The value for the key parameter on the Brocade device should match the one configured on the TACACS+ server. The key can be from 1 – 32 characters in length and cannot include any space characters.

NOTE
The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers.

Configuring authentication-method lists for TACACS and TACACS+

You can use TACACS/TACACS+ to authenticate Telnet/SSH access and access to Privileged EXEC level and CONFIG levels of the CLI. When configuring TACACS/TACACS+ authentication, you create authentication-method lists specifically for these access methods, specifying TACACS/TACACS+ as the primary authentication method.

TABLE 21 Authentication method values

Method parameter | Description
line | Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password… command. Refer to “Setting a Telnet password” on page 124.
enable | Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password… command.

Telnet and SSH prompts when the TACACS+ Server is unavailable

When TACACS+ is the first method in the authentication method list, the device displays the login prompt received from the TACACS+ server.

Configuring an Attribute-Value pair on the TACACS+ server

During TACACS+ exec authorization, the Brocade device expects the TACACS+ server to send a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When the Brocade device receives the response, it extracts an A-V pair configured for the Exec service and uses it to determine the user privilege level.

In the example above, the A-V pair configured for the Exec service is privlvl = 15. The Brocade device uses the value in this A-V pair to set the user privilege level to 0 (super-user), granting the user full read-write access. In a configuration that has both a “foundry-privlvl” A-V pair and a non-“foundry-privlvl” A-V pair for the Exec service, the non-“foundry-privlvl” A-V pair is ignored.
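The precedence rule just stated (a foundry-privlvl pair wins over any other pair, and privlvl = 15 yields level 0) is the part of exec authorization that is easiest to get wrong on the server side. The following Python function is an added example, not device code, that parses the A-V pairs of an exec-authorization reply and applies that rule. The guide states only the privlvl = 15 mapping; treating any other privlvl value, or an unrecognised foundry-privlvl value, as Read Only (level 5) is an assumption chosen so that an unexpected reply never grants more than read-only access.

```python
"""Privilege derivation from a TACACS+ exec-authorization reply (added example,
not device code).  Precedence follows the guide: a 'foundry-privlvl' A-V pair
wins over any other pair, and 'privlvl = 15' maps to Brocade level 0
(Super User).  Mapping any other privlvl value, or an unrecognised
foundry-privlvl value, to Read Only (5) is an assumption chosen so that an
unexpected reply never grants more than read-only access."""

SUPER_USER, PORT_CONFIG, READ_ONLY = 0, 4, 5     # FastIron CLI privilege levels


def parse_av_pairs(lines):
    """Turn lines such as 'privlvl = 15' or 'foundry-privlvl=5' into a dict.
    TACACS+ also allows '*' as the separator for optional pairs; only the
    '=' form the guide shows is handled here."""
    pairs = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs


def privilege_from_response(lines) -> int:
    """Return the CLI privilege level to grant for the given reply lines."""
    pairs = parse_av_pairs(lines)
    if "foundry-privlvl" in pairs:                 # vendor pair takes precedence
        try:
            level = int(pairs["foundry-privlvl"])
        except ValueError:
            return READ_ONLY                       # assumption: unparsable -> least privilege
        return level if level in (SUPER_USER, PORT_CONFIG, READ_ONLY) else READ_ONLY
    if pairs.get("privlvl") == "15":               # the mapping the guide states
        return SUPER_USER
    return READ_ONLY                               # assumption: anything else -> least privilege


if __name__ == "__main__":
    # Constructed replies: the first is the guide's example, the second has both pairs.
    print(privilege_from_response(["service = exec", "privlvl = 15"]))
    print(privilege_from_response(["privlvl = 15", "foundry-privlvl = 5"]))
```

With both pairs present the second call returns 5, not 0: a server profile that sets foundry-privlvl = 5 for a user cannot be escalated by also sending privlvl = 15.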
If configured, command accounting is performed for these commands.

AAA support for console commands

NOTE
This feature is not supported on FastIron WS Series devices.

NOTE
If authorization is enabled, and the command requires authorization, then authorization is performed before accounting takes place. If authorization fails for the command, no accounting takes place.

Displaying TACACS/TACACS+ statistics and configuration information

The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device.

Brocade#show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.

The show web-connection command displays the privilege level of Web Management Interface users.

Example

Brocade#show web-connection
We management Sessions:
User  Privilege   IP address  MAC address  Timeout(secs)
roy   READ-WRITE  10.1.1.3    0030.488.

RADIUS security

3. The user enters a username and password.
4. The Brocade device sends a RADIUS Access-Request packet containing the username and password to the RADIUS server.
5. The RADIUS server validates the Brocade device using a shared secret (the RADIUS key).
6. The RADIUS server looks up the username in its database.
7. If the username is found in the database, the RADIUS server validates the password.
8.

• A system event occurs, such as a reboot or reloading of the configuration file
2. The Brocade device checks its configuration to see if the event is one for which RADIUS accounting is required.
3. If the event requires RADIUS accounting, the Brocade device sends a RADIUS Accounting Start packet to the RADIUS accounting server, containing information about the event.
4. The RADIUS accounting server acknowledges the Accounting Start packet.
5.

User action | Applicable AAA operations
User enters the command: [no] aaa accounting system default start-stop | Command authorization: aaa authorization commands default; Command accounting: aaa accounting commands default start-stop; System accounting start: aaa accounting system default start-stop
User enters other commands | Command authorization: aaa authorization commands default <

• You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access. However, you can configure backup authentication methods for each access type.

TABLE 24 Brocade vendor-specific attributes for RADIUS

Attribute name | Attribute ID | Data type | Description
foundry-privilege-level | 1 | integer | Specifies the privilege level for the user. This attribute can be set to one of the following:
  • 0 - Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
foundry-802.1x-valid-lookup | 7 | integer | Specifies if 802.

To specify different RADIUS servers for authentication, authorization, and accounting, enter commands such as the following.

Brocade(config)#radius-server host 1.2.3.4 authentication-only key abc
Brocade(config)#radius-server host 1.2.3.5 authorization-only key def
Brocade(config)#radius-server host 1.2.3.

Syntax: radius-server host | [auth-port ] [acct-port ] [default key dot1x] [port-only]

The host is the IPv4 address. The auth-port parameter is the Authentication port number; it is an optional parameter. The default is 1645. The acct-port parameter is the Accounting port number; it is an optional parameter. The default is 1646.
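The RADIUS exchange outlined in steps 4 to 7 above, and the shared secret (RADIUS key) that the server uses to validate the device, follow RFC 2865. The following Python script is an added example, not Brocade code, that encodes an Access-Request with the User-Password hidden under the MD5(secret + authenticator) keystream, lets a toy server check it and answer an Access-Accept carrying the privilege level as the foundry-privilege-level vendor attribute from Table 24, and has the client verify the Response Authenticator before trusting the granted level. The vendor id 1991 is Foundry's registered enterprise number; the secret, identifiers and user database are constructed for the demonstration.

```python
"""RADIUS Access-Request / Access-Accept exchange per RFC 2865 (added example,
not Brocade code).  User-Password is hidden with an MD5(secret + authenticator)
keystream; the server proves it holds the shared secret through the Response
Authenticator, which the client checks before trusting the granted privilege.
Vendor id 1991 (Foundry) and vendor attribute 1 (foundry-privilege-level, from
Table 24) carry the level; secret, identifiers and users are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
FOUNDRY_VENDOR_ID = 1991           # IANA enterprise number (Foundry Networks)
FOUNDRY_PRIVILEGE_LEVEL = 1        # vendor attribute id from Table 24


def _attr(atype, value):
    """Type-Length-Value attribute; the length byte covers the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR with b1 = MD5(S+RA), bn = MD5(S+c(n-1))."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(user, password, secret, ident, authenticator=None):
    authenticator = authenticator or os.urandom(16)   # fresh random value per request
    attrs = _attr(USER_NAME, user.encode()) + \
        _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(request, secret, users):
    """Toy server: verify the hidden password; on success answer Access-Accept
    carrying the user's privilege level as a Foundry VSA, otherwise Access-Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    fields = dict(parse_attrs(request[20:length]))
    user = fields.get(USER_NAME, b"").decode()
    password = reveal_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    if user in users and users[user]["password"].encode() == password:
        vsa = struct.pack("!I", FOUNDRY_VENDOR_ID) + \
            _attr(FOUNDRY_PRIVILEGE_LEVEL, struct.pack("!I", users[user]["privilege"]))
        code, attrs = ACCESS_ACCEPT, _attr(VENDOR_SPECIFIC, vsa)
    else:
        code, attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def client_verify(request, response, secret):
    """Return the granted privilege level, or None when the reply is a reject,
    answers a different request, or its Response Authenticator is wrong."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or expected != response[4:20] or code != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attrs(response[20:length]):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == FOUNDRY_VENDOR_ID:
            for vtype, vvalue in parse_attrs(value[4:]):
                if vtype == FOUNDRY_PRIVILEGE_LEVEL:
                    return struct.unpack("!I", vvalue)[0]
    return None
```

The client-side check matters: without comparing the Response Authenticator against the shared secret, any host that can answer on the authentication port could return an Access-Accept with a privilege level of 0. The same check also detects a server configured with a different key, which the guide's requirement that the key match on both sides is meant to prevent.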
RADIUS parameters

You can set the following parameters in a RADIUS configuration:
• RADIUS key – This parameter specifies the value that the Brocade device sends to the RADIUS server when trying to authenticate user access.
• Retransmit interval – This parameter specifies how many times the Brocade device will resend an authentication request when the RADIUS server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.

Setting the timeout parameter

The timeout parameter specifies how many seconds the Brocade device waits for a response from the RADIUS server before either retrying the authentication request, or determining that the RADIUS server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.

The command above causes RADIUS to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
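The fallback behaviour just described, where a list ending in none permits access once RADIUS and local authentication have both failed, is worth seeing side by side with the same list without none. The following Python script is an added example, not device code, that consults simulated methods in list order the way the guide describes; the RADIUS and local lookups are dictionaries, and a RADIUS server outage is modelled as a method that cannot authenticate anyone.

```python
"""Authentication-method list evaluation as the guide describes it for
'aaa authentication enable default radius local none' (added example, not
device code).  Methods are consulted in order; a method that cannot
authenticate the user (server error, unknown user, wrong password) hands over
to the next one; the 'none' method permits access without any check.  The
RADIUS and local lookups are simulated with dictionaries."""


def radius_method(server_up, users):
    """Simulated RADIUS check: a server outage counts as 'cannot authenticate'."""
    def check(user, password):
        return server_up and users.get(user) == password
    return check


def local_method(users):
    """Simulated local user-account check."""
    return lambda user, password: users.get(user) == password


def none_method(user, password):
    """The 'none' method: no authentication, access is always permitted."""
    return True


def authenticate(method_list, user, password):
    """Return the name of the method that granted access, or 'denied'
    when every method in the list has been exhausted."""
    for name, check in method_list:
        if check(user, password):
            return name
    return "denied"


def compare_lists():
    """Same credentials against 'radius local none' and 'radius local' while
    the RADIUS server is unreachable; returns which method admitted each login."""
    radius_users = {"roy": "radius-pw"}
    local_users = {"admin": "local-pw"}
    radius_down = radius_method(False, radius_users)
    radius_ok = radius_method(True, radius_users)
    local = local_method(local_users)
    with_none = [("radius", radius_down), ("local", local), ("none", none_method)]
    without_none = [("radius", radius_down), ("local", local)]
    return {
        "unknown user, radius down, list ends in none": authenticate(with_none, "unknown", "x"),
        "unknown user, radius down, no none": authenticate(without_none, "unknown", "x"),
        "local admin, radius down": authenticate(without_none, "admin", "local-pw"),
        "roy, radius up": authenticate([("radius", radius_ok), ("local", local)], "roy", "radius-pw"),
    }


if __name__ == "__main__":
    for case, outcome in compare_lists().items():
        print(f"{case}: {outcome}")
```

During a RADIUS outage the first list admits a user the device has never heard of, while the second denies them and still lets the locally defined administrator in; the local method, not none, is the fallback that preserves emergency access without opening the device.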
Entering privileged EXEC mode after a Telnet or SSH login
By default, a user enters User EXEC mode after a successful login through Telnet or SSH. Optionally, you can configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login. To do this, use the following command.
Brocade(config)#aaa authentication login privilege-mode
Syntax: aaa authentication login privilege-mode
The user privilege level is based on the privilege level granted during login.
Also note that in order for the aaa authorization exec default radius command to work, either the aaa authentication enable default radius command or the aaa authentication login privilege-mode command must also exist in the configuration.
Configuring command authorization
When RADIUS command authorization is enabled, the Brocade device consults the list of commands supplied by the RADIUS server during authentication to determine whether a user can execute a command he or she has entered.
This happens because RADIUS command authorization requires a list of allowable commands from the RADIUS server. This list is obtained during RADIUS authentication. For console sessions, RADIUS authentication is performed only if you have configured Enable authentication and specified RADIUS as the authentication method (for example, with the aaa authentication enable default radius command).
Configuring RADIUS accounting for system events
You can configure RADIUS accounting to record when system events occur on the Brocade device. System events include rebooting and when changes to the active configuration are made. The following command causes an Accounting Start packet to be sent to the RADIUS accounting server when a system event occurs, and an Accounting Stop packet to be sent when the system event is completed.
TABLE 26 Output of the show aaa command for RADIUS
Field – Description
Radius key – The setting configured with the radius-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is displayed instead of the text.
Radius retries – The setting configured with the radius-server retransmit command.
Radius timeout – The setting configured with the radius-server timeout command.
Authentication-method lists
To implement one or more authentication methods for securing access to the device, you configure authentication-method lists that set the order in which the authentication methods are consulted.
Configuration considerations for authentication-method lists
• For CLI access, you must configure authentication-method lists if you want the device to authenticate access using local user accounts or a RADIUS server. Otherwise, the device will authenticate using only the locally based password for the Super User privilege level.
• snAgGblPassword=”” (for AAA method line, enable)
NOTE
Certain SNMP objects need additional validation. These objects include but are not limited to: snAgReload, snAgWriteNVRAM, snAgConfigFromNVRAM, snAgImgLoad, snAgCfgLoad and snAgGblTelnetPassword. For more information, see snAgGblPassword in the IronWare MIB Reference Guide.
If AAA is set up to check both the username and password, the string contains the username, followed by a space and then the password.
TCP Flags - edge port security
TABLE 27 Authentication method values
Method parameter – Description
line – Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password… command. Refer to “Setting a Telnet password” on page 124.
enable – Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password… command.
Example
Brocade(config-ext-nACL)#permit tcp 1.1.1.1 0.0.0.255 eq 100 2.2.2.2 0.0.0.255 eq 300 match-all +urg +ack +syn -rst
This command configures a single rule in CAM hardware. This rule will contain all of the configured TCP flags (urg, ack, syn, and rst).
Using TCP Flags in combination with other ACL features
The TCP Flags feature has the added capability of being combined with other ACL features.
Chapter 5 SSH2 and SCP Table 28 lists individual Brocade switches and the SSH2 and Secure Copy features they support.
SSH version 2 overview
• SECSH Public Key File Format
• SSH Fingerprint Format
• SSH Protocol Assigned Numbers
• SSH Transport Layer Encryption Modes
• SCP/SSH URI Format
Tested SSH2 clients
The following SSH clients have been tested with SSH2:
• SSH Secure Shell 3.2.3
• Van Dyke SecureCRT 5.2.2
• F-Secure SSH Client 5.3 and 6.0
• PuTTY 0.60
• OpenSSH 4.3p2
• Brocade FastIron SSH Client
NOTE
Supported SSH client public key sizes are 1024 bits for DSA keys, and 1024 or 2048 bits for RSA keys.
SSH2 authentication types
The Brocade implementation of SSH2 supports the following types of user authentication:
• DSA challenge-response authentication, where a collection of public keys is stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
• RSA challenge-response authentication, where a collection of public keys is stored on the device.
NOTE
If you have generated SSH keys on the switch, you should delete and regenerate them when you upgrade or downgrade the software version, before starting an SSH session.
Setting the CPU priority for key generation (ICX 6430 and ICX 6450 only)
Generating the key is a resource-intensive operation. You can set the priority for this operation to high so that the device allocates more CPU time to it. You must therefore use this option only when the device is in the maintenance window.
The optional [modulus modulus-size] parameter specifies the modulus size of the RSA key pair, in bits. The valid values for modulus-size are 1024 or 2048. The default value is 1024. The zeroize keyword deletes the RSA host key pair from the flash memory. This disables SSH if no other authentication keys exist on the device. The rsa keyword specifies an RSA host key pair.
NOTE
On ICX 6430 and ICX 6450 devices, the crypto key generate command can take up to 30 minutes to complete.
1. The client sends its public key to the Brocade device.
2. The Brocade device compares the client public key to those stored in memory.
3. If there is a match, the Brocade device uses the public key to encrypt a random sequence of bytes.
4. The Brocade device sends these encrypted bytes to the client.
5. The client uses its private key to decrypt the bytes.
6. The client sends the decrypted bytes back to the Brocade device.
7.
Optional SSH parameters
Syntax: ip ssh pub-key-file tftp | remove
The variable is the IP address of the TFTP server that contains the public key file that you want to import into the Brocade device. The variable is the name of the public key file that you want to import into the Brocade device. The remove parameter deletes the public keys from the device. To display the currently loaded public keys, enter the following command.
• The port number for SSH connections
• The SSH login timeout value
• A specific interface to be used as the source for all SSH traffic from the device
• The maximum idle time for SSH sessions
Setting the number of SSH authentication retries
By default, the Brocade device attempts to negotiate a connection with the connecting host three times. The number of authentication retries can be changed to between 1 – 5.
If you enable empty password logins, users are not prompted for a password when they log in. Any user with an SSH client can log in without being prompted for a password. To enable empty password logins, enter the following command.
Brocade(config)#ip ssh permit-empty-passwd yes
Syntax: ip ssh permit-empty-passwd no | yes
Setting the SSH port number
By default, SSH traffic occurs on TCP port 22. You can change this port number.
Filtering SSH access using ACLs
You can permit or deny SSH access to the Brocade device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL, a named standard IPv4 ACL
Enter commands such as the following.
Brocade(config)#access-list 10 permit host 192.168.144.241
Brocade(config)#access-list 10 deny host 192.168.144.242 log
Brocade(config)#access-list 10 permit host 192.168.144.
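As an added example that is not part of the guide, the following Python evaluates both kinds of entry shown in this chapter: the numbered standard entries above (host permit and deny, as used to filter SSH access) and the extended TCP rule with match-all flags from the TCP Flags section. The Packet model, the packet values and the first-match evaluation with an implicit deny at the end are assumptions for illustration; only the match-all form the guide shows is implemented.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TCP_FLAGS = frozenset({"fin", "syn", "rst", "psh", "ack", "urg"})
ANY = 0xFFFFFFFF  # wildcard with every bit set: matches any address


@dataclass(frozen=True)
class Packet:
    """Constructed, simplified TCP packet: IPv4 addresses, ports and the set of flags that are set."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """One ACL entry; standard entries leave destination, ports and flags unconstrained."""
    action: str
    src_base: int
    src_wildcard: int
    dst_base: int = 0
    dst_wildcard: int = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None
    must_set: FrozenSet[str] = frozenset()
    must_clear: FrozenSet[str] = frozenset()
    log: bool = False


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: int, wildcard: int) -> bool:
    """Wildcard (inverse) mask: a 1 bit means that bit of the address is not compared."""
    return (_ip(addr) | wildcard) == (base | wildcard)


def parse_standard(text: str) -> Rule:
    """Parse 'access-list <n> permit|deny host <addr> [log]' (numbered standard ACL, as above)."""
    t = text.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "host":
        raise ValueError("expected: access-list <n> permit|deny host <addr> [log]")
    return Rule(action=t[2], src_base=_ip(t[4]), src_wildcard=0, log=(t[5:] == ["log"]))


def parse_extended_tcp(text: str) -> Rule:
    """Parse 'permit|deny tcp <src> <wc> [eq <p>] <dst> <wc> [eq <p>] [match-all +flag|-flag ...]'."""
    t = text.split()
    if len(t) < 6 or t[0] not in ("permit", "deny") or t[1] != "tcp":
        raise ValueError("expected: permit|deny tcp <src> <wildcard> [eq <port>] <dst> <wildcard> ...")
    pos = 2

    def endpoint():
        nonlocal pos
        if pos + 1 >= len(t):
            raise ValueError("truncated rule: missing address or wildcard mask")
        base, wildcard = _ip(t[pos]), _ip(t[pos + 1])
        pos += 2
        port = None
        if t[pos:pos + 1] == ["eq"]:
            port, pos = int(t[pos + 1]), pos + 2
        return base, wildcard, port

    src_base, src_wc, sport = endpoint()
    dst_base, dst_wc, dport = endpoint()
    must_set, must_clear = set(), set()
    if pos < len(t):
        if t[pos] != "match-all":
            raise ValueError("only the match-all form shown in the guide is implemented")
        for tok in t[pos + 1:]:
            sign, name = tok[:1], tok[1:]
            if sign not in ("+", "-") or name not in TCP_FLAGS:
                raise ValueError("bad TCP flag token: " + tok)
            (must_set if sign == "+" else must_clear).add(name)
        if must_set & must_clear:
            raise ValueError("a flag cannot be both required set and required clear")
    return Rule(t[0], src_base, src_wc, dst_base, dst_wc, sport, dport,
                frozenset(must_set), frozenset(must_clear))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    addrs_ok = (wildcard_match(pkt.src, rule.src_base, rule.src_wildcard)
                and wildcard_match(pkt.dst, rule.dst_base, rule.dst_wildcard))
    ports_ok = rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport)
    # match-all: every +flag must be set and every -flag clear; flags not listed are not compared
    flags_ok = rule.must_set <= pkt.flags and not (rule.must_clear & pkt.flags)
    return addrs_ok and ports_ok and flags_ok


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry decides; if no entry matches, the ACL's implicit deny applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"
```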
Displaying SSH information
TABLE 29 SSH connection information (Continued)
Field – Description
Encryption – The encryption method used for the connection.
Username – The user name for the connection.
HMAC – The HMAC version.
Server Hostkey – The type of server hostkey. This can be DSA or RSA.
IP Address – The IP address of the SSH client.
SSH-v2.0 enabled – Indicates that SSHv2 is enabled.
hostkey – Indicates that at least one host key is on the device.
Authentication methods – The authentication methods used for SSH. The authentication can have one or more of the following values:
• Password - indicates that you are prompted for a password when attempting to log into the device.
• Public-key - indicates that DSA or RSA challenge-response authentication is enabled.
• Interactive - indicates that interactive authentication is enabled.
Authentication retries – The number of authentication retries.
Secure copy with SSH2
Secure Copy (SCP) uses security built into SSH to transfer image and configuration files to and from the device. SCP automatically uses the authentication methods, encryption algorithm, and data compression level configured for SSH. For example, if password authentication is enabled for SSH, the user is prompted for a user name and password before SCP allows a file to be transferred. No additional configuration is required for SCP on top of SSH.
Copying a file to the startup config
To copy the configuration file to the startup configuration file, enter the following command.
C:\> scp c:\cfg\brocade.cfg terry@192.168.1.50:startConfig
Copying the running config file to an SCP-enabled client
To copy the running configuration file on the Brocade device to a file called c:\cfg\fdryrun.cfg on the SCP-enabled client, enter the following command.
C:\> scp terry@192.168.1.50:runConfig c:\cfg\brcdrun.
FastIron WS devices
To copy a software image file from an SCP-enabled client to the primary flash on these devices, enter the following command.
C:\> scp SXL03200.bin terry@192.168.1.50:flash:primary.bin
or
C:\> scp terry@192.168.1.50:flash:primary.bin SXL03200.bin
To copy a software image file from an SCP-enabled client to the secondary flash on these devices, enter the following command.
C:\> scp SXL03200.bin terry@192.168.1.50:flash:secondary.bin
or
C:\> scp terry@192.168.1.
Importing a digital certificate using SCP
To import a digital certificate using SCP, enter a command such as the following one:
C:\> scp certfile user@192.168.89.210:sslCert
Syntax: scp @:sslCert
The variable is the IP address of the server from which the digital certificate file is downloaded. The variable is the file name of the digital certificate that you are importing to the device.
SSH2 client
SSH2 client allows you to connect from a Brocade device to an SSH2 server, including another Brocade device that is configured as an SSH2 server. You can start an outbound SSH2 client session while you are connected to the device by any connection method (SSH2, Telnet, console). Brocade devices support one outbound SSH2 client session at a time.
Generating and deleting a client DSA key pair
To generate a client DSA key pair, enter the following command.
Brocade(config)#crypto key client generate dsa
To delete the DSA host key pair, enter the following command.
Brocade(config)#crypto key client zeroize dsa
Syntax: crypto key client generate | zeroize dsa
The generate keyword places a host key pair in the flash memory. The zeroize keyword deletes the host key pair from the flash memory. The dsa keyword specifies a DSA host key pair.
To start an SSH2 client connection to an SSH2 server using public key authentication, enter a command such as the following:
Brocade# ssh 10.10.10.2 public-key dsa
Syntax: ssh ipv4Addr | ipv6Addr | host-name [public-key [dsa | rsa]] [port portnum]
The ipv4Addr | ipv6Addr | host-name variable identifies an SSH2 server. You identify the server to connect to by entering its IPv4 or IPv6 address or its hostname.
Chapter 6 Software-based Licensing
Table 30 lists the individual Brocade FastIron switches and the software licensing features they support.
TABLE 30 Supported software licensing features
Feature – FESX, FSX 800, FSX 1600 – FWS – FCX – ICX 6610 – ICX 6450
Software-based licensing – Yes (FESX6, FSX 800 and FSX 1600 only) – Yes – Yes – Yes – Yes
License generation
License query
Deleting a license
Software license terminology
This section defines the key terms used in this chapter.
If a delivery method is not specified at the time of the order, the key will be delivered by way of paper-pack.
Software-based licensing overview
Prior to the introduction of software-based licensing, Brocade supported hardware-based licensing, where an EEPROM was used to upgrade a Layer 2 or base Layer 3 switch to a premium or advanced Layer 3 switch.
• When a trial license expires, the commands and CLI related to the feature are disabled, but the feature itself cannot be disabled until the system reloads.
Seamless transition for legacy devices
In this chapter, the term legacy device refers to a Brocade device that was shipped prior to the introduction of software-based licensing, has an EEPROM installed, and is running pre-release 07.1.00 software.
Non-licensed features
Table 31 lists the FastIron software images that do not require a license to run on the device.
TABLE 31 Software image files that do not require a license
Product – Image filename
FESX6, FSX 800, FSX 1600 – SXSxxxxx.bin (Layer 2); SXLxxxxx.bin (base Layer 3); SXRxxxxx.bin
FWS – FWSxxxxx.bin (Layer 2); FWSLxxxxx.bin (base Layer 3)
FCX, ICX 6610 – FCXSxxxxx.bin (Layer 2); FCXRxxxxx.bin (Layer 3)
ICX 6430, ICX 6450 – ICX64Sxxxxx.bin (Layer 2); ICX64Rxxxxx.
Licensed features and part numbers
TABLE 32 Licensed features and part numbers (Continued)
Product: FCX
Licensed feature or feature set: Advance Layer 3:
• BGP4
• GRE
Image filename: N/A1
Part numbers for software license only: FCX-ADV-LIC-SW
Part numbers for hardware with pre-installed software license: FCX624-E-ADV, FCX-624-I-ADV, FCX624S-ADV, FCX624S-HPOE-ADV, FCX624S-F-ADV, FCX648-E-ADV, FCX648-I-ADV, FCX648S-ADV, FCX648S-HPOE-ADV
Product: ICX 6610
Software-based licensing is only supported on ICX 6610 devices.
TABLE 32 Licensed features and part numbers (Continued)
Product: FESX6
ICX 6450 - Ports on Demand license
The ICX 6450 device has four active uplink or stacking ports on slot 2. By default, ports 1 and 3 are 10 Gbps ports.
TABLE 32 Licensed features and part numbers (Continued)
Product: FSX 800 and FSX 1600
Licensed feature or feature set: IPv4 PREM Layer 3 for IPv4 management modules:
• 6,000 active host routes
• Anycast RP
• BGP4
• DVMRP V2
• IGMP V1, V2, and V3
• ICMP redirect messages
• IGMP V3 fast leave (for routing)
• MSDP
• OSPF V2
• PIM-DM
• PIM-SM
• PIM passive
Licensing rules Table 33 lists the supported software packages.
Licensing rules for FCX and ICX 6610 devices
The following licensing rules apply to FCX and ICX 6610 devices for software-based licensing. To describe the behavior for running software-based licensing in an FCX IronStack, the FCX-ADV-LIC-SW license is used as an example.
NOTE
For FCX and ICX 6610 devices, the behavior for running software-based licensing with different licenses (Premium, Advance, or Upgrade licenses) is the same. One license allows multiple protocols to run in a stack.
Licensing for Ports on Demand
• If BGP is not enabled on the Active controller, a stack unit is operational whether or not the Active controller or the stack units have the FCX-ADV-LIC-SW license. This implies that in a stack where all units (Active controller, Standby controller, and member units) have the FCX-ADV-LIC-SW license, a stack can be formed whether or not BGP is enabled.
1. Download the PoD license to the device. For more information about copying the license file on ICX devices, refer to “Using TFTP to copy a license file on FCX and ICX devices” on page 221.
2. Insert the 10 Gbps optic transceiver.
3. Enter the speed-duplex 10g-full command on a single interface, multiple interfaces, or an interface range, as shown in the example below.
Brocade(config)# interface ethernet 1/3/1
Brocade(config-if-e10000-1/3/1)# speed-duplex 10g-full
4.
Brocade(config-mif-2/3/5-2/3/8)#speed-duplex 10g-full
Port 2/3/5 mode changed from 1G to 10G
Port 2/3/6 mode changed from 1G to 10G
Port 2/3/7 mode changed from 1G to 10G
Port 2/3/8 mode changed from 1G to 10G
Brocade(config-mif-2/3/5-2/3/8)#end
Syntax: [no] flexible-10g-ports upper
Use the no form of the flexible-10g-ports upper command when you want to enable the lower four PoD ports, instead of the upper four PoD ports, at 10 Gbps port speed.
1/3/6      acquired
1/3/7      acquired
1/3/8      acquired
Unit-Id: 2
PoD license capacity: 8
PoD license capacity used: 8 (LOWER)
PoD-ports  Lic-state
2/3/1      acquired
2/3/2      acquired
2/3/3      acquired
2/3/4      acquired
2/3/5      acquired
2/3/6      acquired
2/3/7      acquired
2/3/8      acquired
Unit-Id: 3
PoD license capacity: 4
PoD license capacity used: 4
PoD-ports  Lic-state
3/3/1      acquired
3/3/2      acquired
3/3/3      acquired
3/3/4      acquired
3/3/5      default
3/3/6      default
3/3/7      default
3/3/8      default
Syntax: show pod
Upgrading or downgrading configuration considerations for PoD
Displaying license configuration for PoD ports for ICX 6450 devices
By default at bootup, the license state for ports 2 and 4 is the acquired state. The following output from the show pod command displays ports 2 and 4 as acquired. Upon installing the ICX6450-2X10G-LIC-POD license, ports 2 and 4 can be enabled to run at 10 Gbps port speed. The license state for ports 2 and 4 remains in the acquired state.
Configuration considerations for stacking or trunking PoD ports
Consider the following when stacking or trunking PoD ports for ICX 6610 or ICX 6450 devices:
• In an ICX IronStack, a stack member unit without a PoD license can join a stack even when the active or master stack unit has a PoD license.
• All trunk ports must operate at 1 Gbps or 10 Gbps speed in a stack. You cannot mix and match trunk ports with different port speeds.
Brocade#show interface ethernet 3/2/2
10GigabitEthernet3/2/2 is ERR-DISABLED (invalid license), line protocol is down
Hardware is 10GigabitEthernet, address is 748e.f883.01fa (bia 748e.f883.
• For any of the four uplink ports on slot 2, if you reconfigure any port from 1 Gbps to 10 Gbps port speed, you must reload the switch to begin using the ports at 10 Gbps port speed. Until you reload the switch, the ports will remain in an error-disabled state. The following example output displays ethernet port 4 in an error-disabled state.
Software licensing configuration tasks
This section describes the configuration tasks for generating and obtaining a software license, and then installing it on the Brocade device. Perform the tasks in the order listed in Table 35.
TABLE 35 Configuration tasks for software licensing
Configuration task – Reference...
1 Order the desired license. – For a list of available licenses and associated part numbers, refer to “Licensed features and part numbers” on page 202.
Figure 5 shows the Software Portal Login window.
From the License Management menu, select Brocade IP/ADP > License Generation with Transaction key. The IP/ADP License Generation dialog box displays.
Figure 7 shows the IP/ADP License Generation dialog box for generating a license using a transaction key and LID.
FIGURE 7 IP/ADP License Generation window
Enter the required information.
• For a description of the field, move the pointer over the field.
• An asterisk next to a field indicates that the information is required.
NOTE
You can generate more than one license at a time.
Click the Generate button to generate the license. Figure 8 shows the results window, which displays an order summary and the results of the license request.
• If the license request is successful, the Status field shows “Success” and the License File field contains a hyperlink to the generated license file. The license file is automatically sent by e-mail to the specified customer e-mail address.
Installing a license file
Once you obtain a license file, place it on a TFTP or SCP server to which the Brocade device has access, and then use TFTP or SCP to copy the file to the license database of the Brocade device.
Deleting a license file
The scp @:license command is supported on FESX, SX 800 and SX 1600, and FWS devices. To copy a license file from an SCP-enabled client to the license database of the Brocade device, enter a command such as the following on the SCP-enabled client:
c:\scp c:\license\license101 terry@10.1.1.
Using a trial license
The variable is a valid license index number. The license index number can be retrieved from the show license command output. For more information, refer to “Viewing information about software licenses” on page 227.
Viewing software license information from the Brocade software portal
Console, syslog, and trap messages for trial license expiration
Three days prior to the date that a trial license is set to expire, the following warning message will appear daily on the console. On the day that the license will expire, the warning message will appear every two hours. Syslog and trap messages will also be generated.
FIGURE 9 License Query window
• To view software license information for a particular unit, enter the LID in the Unit ID field and click Search.
• To view software license information for a particular transaction key, enter the unique number in the Transaction key field and click Search.
Figure 10 shows an example of the license query results.
Transferring a license
A license can be transferred between Brocade devices if both the following conditions are true:
• The device is under an active support contract.
• The license is being transferred between two similar models (for example, from a 24-port model to another 24-port model or from a 48-port model to another 48-port model).
Syslog messages and trap information
Table 36 lists the syslog messages and traps that are supported for software-based licensing.
TABLE 36 Syslog messages
Message level – Message – Explanation
Informational – License: Package with LID is added – The license package has been added.
Informational – License: Package with LID is removed – The license package has been deleted.
Viewing information about software licenses
HW: Stackable FCX648S
==========================================================================
UNIT 1: SL 1: FCX-48GS POE 48-port Management Module
Serial #: BCY2253E0PM
License: FCX_ADV_ROUTER_SOFT_PACKAGE (LID: deaHHKIgFro)
P-ENGINE 0: type DB90, rev 01
P-ENGINE 1: type DB90, rev 01
PROM-TYPE: FCX-ADV-U
==========================================================================
UNIT 1: SL 2: FCX-2XGC 2-port 16G Module (2-CX4)
==================================
Brocade#show license
Stack unit 3:
Index  License Name    Lid          License Type  Status  License Period  License Capacity
1      FCX-ADV-LIC-SW  deaHHKIgFrN  Normal        Active  Unlimited       1
Stack unit 4:
1      FCX-ADV-LIC-SW  dexHHIIgFFd  Normal        Active  Unlimited       1
Stack unit 5:
1      FCX-ADV-LIC-SW  writcfgMFMH  Normal        Active  Unlimited       1
Syntax: show license
Viewing the license database
NOTE
The show license command can be used to display software license information for the FE
To display software license information on an ICX 6430 device, enter the following command. In the example below, the premium and PoD licenses are installed on stack unit 1, and on stack unit 2 only the premium license is installed.
Syntax: show license [unit ]
The unit parameter specifies the unit ID number. The unit ID number is available only on FCX, ICX 6610, and ICX 6450 devices. Table 37 describes the information displayed by the show license unit command.
TABLE 37 Output from the show license unit command
Field – Description
Index – The index number specifies the software license file for a specific stack. The index number is generated by the member unit.
The index parameter specifies the software license file that you want to display information for. The index option is available only on FCX, ICX 6610, and ICX 6450 devices. Table 38 describes the information displayed by the show license unit [index ] command.
TABLE 38 Output from the show license command
Field – Description
License name – The name of the license installed on the unit.
Boot-Monitor Image size = 369286, Version:07.0.
Chapter 7 Brocade Stackable Devices Table 39 lists the individual Brocade FastIron switches and the IronStack features they support. These features are supported only on FastIron stackable devices, and are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Brocade IronStack overview
This section gives a brief overview of IronStack technology, including IronStack terminology. This section also lists the FastIron models that support stacking.
Brocade IronStack features
A stack is a group of devices that are connected so that they operate as a single chassis. Brocade IronStack technology features include:
• Management by a single IP address
• Support for up to eight units per stack.
Brocade IronStack terminology
Stack unit roles
• Active Controller - Handles stack management and configures all system- and interface-level features.
  - Future Active Controller - The unit that will take over as Active Controller after the next reload, if its priority has been changed to the highest priority.
• IronStack - A set of Brocade stackable units (maximum of eight) and their connected stacking links so that: all units can be accessed through their common connections, a single unit can manage the entire stack, and configurable entities, such as VLANs and trunk groups, can have members on multiple stack units.
Supported IronStack topologies
This section describes how to build an IronStack. Before you begin, you should be familiar with the supported stack topologies and the software requirements. When you are ready to build your stack, you can go directly to the instructions.
Brocade IronStack topologies
Brocade IronStack technology supports linear and ring stack topologies.
Figure 14 shows a mixed linear topology stack of FCX-S, FCXS-F, and FCX-E or FCX-I devices. Because the FCX-E and FCX-I devices are cabled from the front panel, and FCX-S and FCXS-F devices are cabled from the rear panel by default, you need to reconfigure the default stacking ports on FCX-S or FCXS-F devices to the ports on the front panel. For more information about reconfiguring default stacking ports, refer to “Configuring default ports on FCX devices” on page 261.
FIGURE 12 FCX-E ring topology stack using SFP+ module ports
ICX 6610 stack topologies
In contrast to earlier generations of switches, ICX 6610 devices have four ports on their back panels that are exclusively dedicated to stacking. These cannot be used as data ports, even when stacking is not enabled. These are the two 40-Gbps ports and two 4 x 10-Gbps ports arranged in two rows. The top row consists of ports 1/2/1 and 1/2/2, and the bottom row has 1/2/6 and 1/2/7. Here ports 1/2/1 and 1/2/6 are 40G ports.
FIGURE 16 ICX 6610 linear stack topology
FIGURE 17 ICX 6610 ring stack topology
Figure 18 shows a linear and ring topology with missing partial trunk cables. They both still work.
FIGURE 18 ICX 6610 linear and ring stack topologies with partially missing cables
Connecting ICX 6450 and ICX 6430 devices in a stack
ICX 6430 and ICX 6450 support linear and ring stack topologies, and can also operate as standalone devices. ICX 6430 and ICX 6450 devices have four ports on the front panel for a stacking configuration.
can be used for data or uplink ports. By default, ICX 6430 and ICX 6450 devices are not configured for trunked stacking. You can dynamically configure or remove a stacking trunk port configuration using the stack-trunk command or the multi-trunk command. For more information about these commands, refer to “Configuring an ICX 6430 and ICX 6450 IronStack” on page 266. ICX 6450 and ICX 6430 devices support hitless stacking switchover and failover.
For example, you can connect ports 1/2/3 to 1/2/4 to form one trunk on one device, and ports 2/2/1 to 2/2/2 to form a second trunk on another device.
• If you connect both ports in a trunk, both ports must connect to both ports of one trunk on another device.
ICX 6430 and ICX 6450 stack topologies
In a linear stack topology, there is a single stack cable connection between each switch that carries two-way communications across the stack.
FIGURE 19 ICX 6430 and ICX 6450 stacking with one port per trunk
FIGURE 20 ICX 6430 and ICX 6450 linear stacking configuration
FIGURE 21 ICX 6430 and ICX 6450 ring stacking configuration
Software requirements
All units in an IronStack must be running the same software version. Refer to “IronStack troubleshooting” on page 315 for more information.
Connecting ICX 6450 and ICX 6430 devices in a stack IronStack construction methods There are three ways to build an IronStack. 1. Use the secure-setup utility to form your stack. Secure-setup gives you control over the design of your stack topology and provides security through password verification. For the secure-setup procedure, refer to “Scenario 1 - Three-member IronStack in a ring topology using secure-setup” on page 250. 2. Automatic stack configuration.
Connecting ICX 6450 and ICX 6430 devices in a stack Scenario 1 - Three-member IronStack in a ring topology using secure-setup NOTE For more detailed information about configuring an FCX IronStack, refer to “FCX IronStack configuration” on page 258. This scenario describes how to build an IronStack using the secure-setup utility. Secure-setup lets you easily configure your entire stack through the Active Controller, which propagates the configuration to all stack members.
Configuring a three-member IronStack in a ring topology using secure-setup

1. Connect the devices using the stacking ports and stack cabling. For more information, refer to the appropriate hardware installation guides.
2. Power on the units.
3. Connect your console to the intended Active Controller. The unit through which you run secure-setup becomes the Active Controller by default.
4. Issue the stack enable command on the intended Active Controller.
Selected DOWNSTREAM units
Hop(s)  Id  Type    Mac Address
1       2   FCX624  0012.f2d5.2100
2       3   FCX624  0012.f239.2d40
Do you accept the unit ids (y/n)?: y

To accept the unit ID assignments, type y. If you do not want to accept the ID assignments, type n. You can use secure-setup to renumber the units in your stack. Refer to “Renumbering stack units” on page 313.
Brocade# stack enable
Brocade# stack secure-setup
Brocade# Discovering the stack topology...
Verifying password for the password protected units...
Found UPSTREAM units Hop(s) Type Mac Address 1 2 FCX648 001b.ed5e.c480 2 3 FCX648 00e0.5205.0000
Enter password for FCX648 located at 2 hop(s): ****
Enter the number of the desired UPSTREAM units (1-2)[1]: 2
Selected Topology: Active Id Type 1 FCX624 Mac Address 00e0.5201.
up ports: 1/2/1, 1/2/2, 1/2/3, 1/2/4, 1/2/5
up ports: 1/2/6, 1/2/7, 1/2/8, 1/2/9, 1/2/10
4 up (4/2/1-4/2/5) up (4/2/6-4/2/10)
up ports: 4/2/1, 4/2/2, 4/2/3, 4/2/4, 4/2/5
up ports: 4/2/6, 4/2/7, 4/2/8, 4/2/9, 4/2/10
5 up (5/2/1-5/2/5) up (5/2/6-5/2/10)
up ports: 5/2/1, 5/2/2, 5/2/3, 5/2/4, 5/2/5
up ports: 5/2/6, 5/2/7, 5/2/8, 5/2/9, 5/2/10

NOTE
A 4x10G port consists of four sub-ports and the show stack-port command displays all sub-ports.
Configuring a three-member IronStack in a ring topology using the automatic setup process

Complete the following steps to configure a three-member IronStack in a ring topology using the automatic setup process.
1. Power on the devices.
2. This process requires clean devices (except for the Active Controller) that do not contain any configuration information. To change a device to a clean device, enter the erase startup-config command and reset the device.
NOTE
When you are configuring individual stack units, you can skip ID numbers. However, the sequence in which the units are connected must match the order in which you configure them. For example, you could configure unit 1 as FCX624, unit 3 as FCX648, unit 4 as FCX624, unit 6 as FCX624 and unit 7 as FCX648. The physical connection order must be: Active (FCX624), FCX648 (3), FCX624 (4), FCX624 (6) and FCX648 (7). The Active Controller is stack unit 1.
NOTE
For field descriptions for the show stack command, refer to “Displaying stack information” on page 293.

Configuration notes for building a stack using the automatic setup process

• If a new unit configuration matches other unit configurations, the Active Controller gives this unit the lowest sequential ID.
FCX IronStack configuration

Flash Memory Write (8192 bytes per dot)
.Flash to Flash Done.
Brocade(config-unit-1)# end
Brocade# config t

Unit 3
Brocade# config t
Brocade(config)# stack unit 1
Brocade(config-unit-1)# priority 240
Brocade(config-unit-1)# stack enable
Enable stacking. This unit actively participates in stacking
Brocade(config-unit-1)# end

3. Connect the devices in a stack topology. The Active Controller will retain its ID.
Configuring FCX stacking ports

Brocade FCX-S and FCXS-F devices have two 10 Gbps ports on the front panel and two 16 Gbps ports on the rear panel. All of these ports may be used as stacking ports; however, the non-default ports must be configured as stacking ports when setting up your FCX-S or FCXS-F IronStack. FCX-I and FCX-E devices do not have 16 Gbps ports on the rear panel.
Link Error Dampening is Disabled
STP configured to ON, priority is level0, mac-learning is enabled
Flow Control is enabled
mirror disabled, monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
IP MTU 1500 bytes, encapsulation ethernet
300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 0 bits/sec, 0 packets/sec, 0.
Configuring default ports on FCX devices

On FCX devices, the default-port command is used to define stacking port candidates. A stacking port is always a default port, but a default port may not necessarily be a stacking port. Default ports can become stacking ports using the secure-setup utility, or through automatic stack building. Secure-setup probe packets can be received by a default port whether or not it is acting as a stacking port.
TABLE 40 Slot and port designations for FastIron stackable devices

Device: FCX624S-F
  Slot 1: 24 10/100/1000 ports on front panel
  Slot 2: Two 16 Gbps ports on rear panel
  Slot 3: Two 10 Gbps ports on front panel
  Slot 4: N/A

Device: FCX648S-F
  Slot 1: 48 10/100/1000 ports on front panel
  Slot 2: Two 16 Gbps ports on rear panel
  Slot 3: Two 10 Gbps ports on front panel
  Slot 4: N/A

Device: FCX-E devices with four-port 1 Gbps SFP module
  Slot 1: Four-port 1 Gbps SFP module plus the first four copper ports act as a combo port.
Using secure-setup to build an FCX IronStack

You can use the secure-setup utility to build an FCX IronStack by performing the following step. Once you have designated the desired stacking ports and connected your FCX units together, enter the stack enable and stack secure-setup commands on stack unit 1, as shown in the following output.

Brocade# stack enable
Brocade# stack secure-setup
Brocade# Discovering the stack topology...
Brocade# show stack
alone: standalone, D: dynamic config, S: static config
ID   Type       Role     Mac Address     Pri  State   Comment
1  S FCX624POE  active   001b.f2e5.0100  128  local   Ready
2  D FCX648POE  standby  0012.f2d6.0511    0  remote  Ready
3  D FCX624     member   0200.9999.0000    0  remote  Ready

    standby          active
    +---+        +---+        +---+
    | 3 |3/1--3/1| 2 |2/1--2/1| 1 |
    +---+        +---+        +---+
Current stack management MAC is 001b.f2e5.0100
Brocade# write mem
Write startup-config done.
Configuring an ICX 6610 IronStack

ICX 6610 devices can be stacked using the methods and topologies described in “Supported IronStack topologies” on page 239. This section describes how stacking ports on the ICX 6610 devices can be trunked.

ICX 6610 trunked stacking ports configuration

A trunk doubles the stacking port bandwidth, and provides better resilience.
Configuring an ICX 6430 and ICX 6450 IronStack

Periodic background stack diagnosis for ICX 6610 devices

After a stack forms, the system periodically probes the topology to check the connections between the units of the stack. Its purpose is to detect cabling errors made by the user and hardware failures; it can detect the errors listed below. Error messages are printed about every 10 minutes. If there is no printout, there is no problem. This diagnosis runs in the background.
Configuring ICX 6430 or ICX 6450 trunked stacking ports

NOTE
Brocade advises using the stack-trunk command in a new environment on first deployment. Brocade recommends using the multi-trunk command in a production environment. For more information about the multi-trunk command, refer to “Configuring ICX 6430 or ICX 6450 multi-trunked stacking ports” on page 267.

The stack-trunk command forms a single trunk-to-port connection on two connected stack units.
Error- Primary trunk port 1/2/3 is not UP; removing the trunk might break the stack

To upgrade to a double port trunk configuration, enter the multi-trunk command under the stack unit configuration level. Enter the following command.
1. Ports of the same trunk connect to different units.
2. Ports of the same trunk connect to different trunks of the same unit.
3. One end of a 10G port is up and the other end is down.
4. Communication problems between units of the stack.

Another connection error is that the two cables of a trunk go to different units, or to different trunks of the same unit, as in cases 1 and 2. The stack might still form in these cases.
Please remove stack-trunk 1/2/3 - 1/2/4 using "stack-trunk" or "multi-trunk" command before removing stack port 1/2/3.

Verifying an IronStack configuration

Complete the following step to verify your IronStack configuration. Log in to the Active Controller and verify the stack information by entering the show running-config and show stack or show stack detail commands.
==========================================================================
UNIT 2: SL 2: FCX-2XGC 2-port 16G Module (2-CX4)
==========================================================================
UNIT 3: SL 1: FCX-24G POE 24-port Management Module
P-ENGINE 0: type DB90, rev 01
==========================================================================
UNIT 3: SL 2: FCX-2XGC 2-port 16G Module (2-CX4)
==========================================================================
     active           standby
    +---+        +---+        +---+
    | 1 |3/1--2/1| 2 |3/1--2/2| 3 |
    +---+        +---+        +---+

For more detailed information, you can enter the show stack detail command.
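A practitioner who collects show stack from many stacks can script the verification step above. The audit below is an added example, not Brocade code: it parses the show stack table format used throughout this guide (ID, S/D config flag, Type, Role, Mac Address, Pri, State, Comment) and flags the conditions the guide describes: a missing Active or Standby Controller, a unit that is not Ready, dynamic-only (D) unit configuration, a non-active unit whose priority exceeds the Active Controller's, and a stack management MAC that differs from the Active Controller's. The device output is a constructed sample.

```python
import re
from dataclasses import dataclass

# Constructed sample in the show stack format of this guide; not a real capture.
# Unit 2 has dynamic config and a higher priority than the Active Controller,
# and unit 4 is not Ready, so the audit has something to report.
SAMPLE_SHOW_STACK = """\
Brocade# show stack
alone: standalone, D: dynamic config, S: static config
ID   Type          Role    Mac Address    Pri State   Comment
1  S FCX624POE     active  001b.f2e5.0100 128 local   Ready
2  D FCX648POE     standby 0012.f2d6.0511 200 remote  Ready
3  D FCX624        member  0200.9999.0000   0 remote  Ready
4  S FCX648        member  0012.f2d5.2100   0 remote  Non-operational
Current stack management MAC is 001b.f2e5.0100
"""

UNIT_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<cfg>[SD])\s+(?P<type>\S+)\s+"
    r"(?P<role>active|standby|member)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<pri>\d+)\s+(?P<state>local|remote)\s*(?P<comment>.*?)\s*$",
    re.IGNORECASE,
)
MGMT_MAC_RE = re.compile(r"Current stack management MAC is\s+(\S+)")


@dataclass
class StackUnit:
    unit_id: int
    static: bool      # True for "S" (static config), False for "D" (dynamic config)
    model: str
    role: str         # active, standby or member
    mac: str
    priority: int
    comment: str      # e.g. Ready


def parse_show_stack(text):
    """Return (list of StackUnit, stack management MAC or None) from show stack output."""
    units, mgmt_mac = [], None
    for line in text.splitlines():
        m = UNIT_RE.match(line)
        if m:
            units.append(StackUnit(int(m["id"]), m["cfg"].upper() == "S", m["type"],
                                   m["role"].lower(), m["mac"].lower(), int(m["pri"]),
                                   m["comment"]))
            continue
        mm = MGMT_MAC_RE.search(line)
        if mm:
            mgmt_mac = mm.group(1).lower()
    return units, mgmt_mac


def audit_stack(text):
    """Return a list of human-readable findings; an empty list means the stack looks healthy."""
    units, mgmt_mac = parse_show_stack(text)
    findings = []
    actives = [u for u in units if u.role == "active"]
    standbys = [u for u in units if u.role == "standby"]
    if len(actives) != 1:
        findings.append(f"expected exactly one Active Controller, found {len(actives)}")
    if not standbys:
        # The guide notes no Standby is elected until write memory has been run on the Active.
        findings.append("no Standby Controller elected (check that write memory was run on the Active Controller)")
    for u in units:
        if not u.static:
            # Dynamic configuration is removed by the Active Controller when the unit leaves.
            findings.append(f"unit {u.unit_id} has dynamic (D) config only; it is discarded if the unit leaves the stack")
        if u.comment.lower() != "ready":
            findings.append(f"unit {u.unit_id} ({u.model}) is '{u.comment}', not Ready")
    if actives:
        active = actives[0]
        for u in units:
            if u.role != "active" and u.priority > active.priority:
                # A higher priority takes over at the next reset or via hitless failover.
                findings.append(f"unit {u.unit_id} priority {u.priority} exceeds the Active Controller's "
                                f"{active.priority}; it becomes Active on the next reset or hitless failover")
        if mgmt_mac and mgmt_mac != active.mac:
            findings.append(f"stack management MAC {mgmt_mac} differs from the Active Controller's {active.mac} "
                            f"(persistent or manually configured stack MAC)")
    ids = sorted(u.unit_id for u in units)
    if ids != list(range(1, len(ids) + 1)):
        findings.append(f"unit IDs are not sequential: {ids}")
    return findings


if __name__ == "__main__":
    for finding in audit_stack(SAMPLE_SHOW_STACK):
        print(finding)
```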
Brocade IronStack management

Your Brocade IronStack can be managed through a single IP address. You can manage the stack using this IP address even if you remove the Active Controller or any member from the stack. You can also connect to the Active Controller through Telnet or SSH using this address. All management functions, such as SNMP, use this IP address to acquire MIB information and other management data.
When a stack unit establishes communication with the Active Controller, it also establishes a remote console session to the Active Controller. In a normally functioning IronStack, a console cable may be connected to any of the stack units and provide access to the same commands on the Active Controller. You can terminate a session by entering Ctrl+O followed by x or X, or by entering the exit command from the User EXEC level, or by entering the logout command at any level.
rconsole-2@Brocade# exit
rconsole-2@Brocade> exit
Disconnected. Returning to local session...

Establish a remote console session with stack unit 3.

Brocade# rconsole 3
Connecting to unit 3... (Press Ctrl-O X to exit)
rconsole-3@Brocade# show stack
ID   Type     Role    Mac Address     Prio  State  Comment
3  S FCX624P  member  001b.ed7a.22c0  0     local  Ready
rconsole-3@Brocade# logout
Disconnected. Returning to local session...
To configure a stack MAC address manually, enter the following command.

Brocade(config)# stack mac 0000.0000.0011

Syntax: [no] stack mac

The variable is a hexadecimal MAC address in the xxxx.xxxx.xxxx format. Enter the no form of this command to return the MAC address to that of the Active Controller. Output for this command resembles the following.

Brocade(config)# stack mac 0000.0000.
NOTE
For field descriptions for the show chassis command, refer to “Displaying IronStack chassis information” on page 291.
You can assign the highest priority value to the stack unit you want to function as the Active Controller. When you enter a new priority value for a stack unit, that value takes effect immediately, but does not affect the current Active Controller until the next reset. However, if you enable hitless stacking failover, the stack unit with the highest priority will become the Active Controller in about five minutes (2 minutes in the case of ICX 6430 devices).
CLI command syntax for stack units

CLI syntax that refers to stack units must contain all of the following parameters: //
• - If the device is operating as a standalone, the stack-unit will be 1. Stack IDs can be any number from 1 through 8.
• - Refers to a specific group of ports on each device.
• - A valid port number.
TABLE 41 Stacking CLI commands (Continued)

Command: show version
  Description location: “Displaying software version information” on page 307
Command: stack enable
  Description location: “Enabling the stacking mode” on page 280
Command: stack disable
  Description location: “Enabling the stacking mode” on page 280
Command: stack mac [mac-address]
  Description location: “IronStack management MAC address” on page 275
Command: stack persistent-mac-timer
  Description location: “Persistent MAC address for the IronStack” on page 286
Command: stack-port
  Description location: “Changing default stacking port configurations” on page
To remove this restriction, enter the no stack disable command.

Important notes about stacking images

Consider the notes in this section when upgrading from a pre-stacking release to a stacking release, or when reverting from a stacking release to a pre-stacking release. Refer to the release notes for instructions about upgrading the software.

Converting from a pre-stacking image to a stacking image

When you boot a stacking image (release 05.
BOOT INFO: branch to 00400100
Starting Main Task.......
*****************************************************************************
ERR: This software needs License PROM to be installed in the system
*****************************************************************************
System Reset!

If your memory DIMM is not installed correctly, you will see output similar to the following.

FCX Mem size: 0x8000000
Flash Config...
FCX Boot Code Version 05.0.
NOTE
If any unit in the IronStack is running an incorrect version of the software, it will appear as non-operational. You must install the correct software version on that unit for it to operate properly in the stack. For more information, refer to “Copying the flash image to a stack unit from the Active Controller” in the next section.
Brocade# stack secure-setup
Brocade# Discovering the stack topology...
Current Discovered Topology - RING
Available UPSTREAM units
Hop(s)  Type    Mac Address
1       FCX624  0012.f2d5.2100
2       FCX624  001b.ed5d.9940
Available DOWNSTREAM units
Hop(s)  Type    Mac Address
1       FCX624  001b.ed5d.9940
2       FCX624  0012.f2d5.2100
Do you accept the topology (RING) (y/n)?: n
Available UPSTREAM units
Hop(s)  Type    Mac Address
1       FCX624  0012.f2d5.2100
2       FCX624  001b.ed5d.
When a stack breaks into partitions, the partition with the Active Controller remains operational. If a partition contains the Standby Controller, this partition will become operational because the Standby Controller will assume the Active role and will reload the partition units. A partition without an Active or Standby Controller will not function. To reconfigure these units to act in standalone mode, you must first issue the stack unconfigure me command on each unit.
Persistent MAC address for the IronStack

The MAC address for the entire IronStack is determined by the MAC address of the Active Controller. When an Active Controller is removed from the stack, and a new Active Controller is elected, by default the MAC address of the new Active Controller becomes the MAC address for the IronStack. When you enable the Persistent MAC Address feature, you configure a time delay before the stack MAC address changes.
  module 1 fcx-24-port-copper-base-module
  module 2 fcx-cx4-1-port-10g-module
  module 3 fcx-cx4-1-port-10g-module
stack 3
  module 1 fcx-48-port-management-module
  module 2 fcx-cx4-2-port-10g-module
  priority 40
stack enable
stack persistent-mac 60

To display the stack MAC addresses, enter the show stack command.

Brocade(config)# show stack
alone: standalone, D: dynamic config, S: static config
ID   Type     Role    Mac Address  Prio  State  Comment
1  S FCX648p  active  0012.f2d5.
To remove the configuration from a specific IronStack unit, or from the entire stack, enter a command similar to the following.
The stack unconfigure and stack unconfigure rollback commands are unrelated and recover different startup-config.txt files. Both commands permanently delete the current startup-config.txt and replace it with a pre-stacking (pre-05.X) startup-config.txt file.

NOTE
When you issue the stack unconfigure rollback command to recover the previous startup-config.v4 file, DO NOT issue a write memory command, as write memory will overwrite the recovered file.
For stack member 3 only:

Brocade# show flash unit 3
Stack unit 3:
  Compressed Pri Code size = 3034232, Version 05.0.00T7e1 (fcx05000.bin)
  Compressed Sec Code size = 2873568, Version 04.2.00T7e1 (fcx04200.bin)
  Compressed BootROM Code size = 405217, Version 04.0.00T7e5
  Code Flash Free Space = 2252800
Brocade#

Table 42 describes the fields displayed in this example.
TABLE 43 Field definitions for the show memory command

Field: Total DRAM
  Description: The size (in bytes) of DRAM
Field: Dynamic memory
  Description: The total number of bytes in dynamic memory, including the number of bytes that are available (free, or unused), and the percentage of memory used.

Displaying IronStack chassis information

The show chassis command displays chassis information for each stack unit. Output resembles the following (in this example, a three member stack).
Intake Side Temperature Readings:
  Current temperature : 32.0 deg-C
Boot Prom MAC: 0012.f2db.e500

Syntax: show chassis

Table 44 describes the fields displayed in this output example.

TABLE 44 Field definitions for the show chassis command

Field: Power Supply 1
  Description: The status of the primary power supply.
Field: Power Supply 2
  Description: The status of the secondary power supply, if present.
Syntax: show module

Table 45 describes the fields displayed in this output example.
The following output covers the entire stack, as shown in this example output from a Brocade ICX 6610 switch.

Brocade#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type         Role     Mac Address     Pri  State   Comment
1  S ICX6610-24P  member   748e.f834.5238    0  remote  Ready
2  S ICX6610-48P  member   748e.f834.4800    0  remote  Ready
3  S ICX6610-24F  member   001b.f385.0124    0  remote  Ready
4  S ICX6610-48P  active   748e.f834.4930  200  local   Ready
5  S ICX6610-48P  standby  748e.f834.
| +---+ +---+ +---+ +---+ +---+ +---+ | | | | standby | | +---+ | ------------------------------------------------------------------2/1| 5 |2/6= +---+
Standby u5 - protocols ready, can failover or manually switch over
Current stack management MAC is 001b.1234.
TABLE 47 Field descriptions for the show stack command (Continued)

Field: State
  Description: The operational state of this unit.
Field: Comments
  Description: Additional information about this unit (optional).

NOTE
The Active Controller removes the dynamic configuration of a unit when the unit leaves. However, if there is a static trunk configuration associated with the unit, the Active Controller cannot remove the dynamic configuration.
Syntax: show stack flash

Table 49 describes the output from the show stack flash command.

TABLE 49 Field descriptions for the show stack flash command

Field: ID
  Description: Device ID
Field: role
  Description: The role of this device in the stack
Field: priority
  Description: The priority of this device in the stack
Field: config
  Description: Indicates the port state (up or down) and identifies the port by number (stack-ID/slot/port).

The rest of the fields are used for debug purposes only.
Session state: established (last established 15 hours 11 minutes 2 seconds ago) Connections established: 1 Remote resets: 0, Reset packets sent: 0 Connection statistics (for current connection, if established): Msgs sent: 9850, Msgs received: 1 Atomic batches sent: 0, Atomic batches received: 0 Pkts sent: 9899, Pkts received: 10606 Msg bytes sent: 10124076, Msg bytes received: 8 Pkt bytes sent: 10341308, Pkt bytes received: 127284 Flushes requested: 1, Suspends: 0, Resumes: 0 P
Pkts sent: 14, Pkts received: 40 Msg bytes sent: 183, Msg bytes received: 56 Pkt bytes sent: 384, Pkt bytes received: 1052 Flushes requested: 5, Suspends: 0, Resumes: 0 Packets sent with data (DAT), ACKs, and window updates (WND): Other: 4, ACK: 5, WND: 0, ACK+WND: 0 DAT: 5, DAT+ACK: 0, DAT+WND: 0, DAT+ACK+WND: 0 Data retransmits done: 0, Zero-window probes sent: 0 Dup ACK pkts rcvd: 0, Pkts rcvd w/dup data: 0 Pkts rcvd w/data past window: 0 Unit 3 statistics: Msgs sent: 41356
Connection statistics (for current connection, if established): Msgs sent: 7004, Msgs received: 0 Atomic batches sent: 0, Atomic batches received: 0 Pkts sent: 7447, Pkts received: 7300 Msg bytes sent: 616352, Msg bytes received: 0 Pkt bytes sent: 774304, Pkt bytes received: 87600 Flushes requested: 0, Suspends: 0, Resumes: 0 Packets sent with data (DAT), ACKs, and window updates (WND): Other: 2, ACK: 0, WND: 0, ACK+WND: 0 DAT: 7445, DAT+ACK: 0, DAT+WND: 0, DAT+ACK+WND: 0 Data
Session state: established (last established 15 hours 11 minutes 2 seconds ago) Connections established: 1 Remote resets: 0, Reset packets sent: 0 Connection statistics (for current connection, if established): Msgs sent: 9850, Msgs received: 1 Atomic batches sent: 0, Atomic batches received: 0 Pkts sent: 9852, Pkts received: 10675 Msg bytes sent: 10124076, Msg bytes received: 8 Pkt bytes sent: 10284896, Pkt bytes received: 128112 Flushes requested: 1, Suspends: 0, Resumes: 0 P
Brocade# show stack rel-ipc stats unit 3
Unit 3 statistics: Msgs sent: 1217 Msgs received: 509, Pkt sends failed: 0 Message types sent: [9]=1182, [10]=2, [19]=29, Message types received: [9]=506, [10]=1, [11]=2, [13]=2, [13]=2, Session statistics, unit 3, channel 0: Session state: established (last established 32 minutes 19 seconds ago) Connections established: 1 Remote resets: 0, Reset packets sent: 0 Connection statistics (for current connection, if established): Msgs sen
Other: 1, ACK: 0, WND: 0, ACK+WND: 0 DAT: 242, DAT+ACK: 0, DAT+WND: 0, DAT+ACK+WND: 0 Data retransmits done: 0, Zero-window probes sent: 0 Dup ACK pkts rcvd: 4, Pkts rcvd w/dup data: 0 Pkts rcvd w/data past window: 0 Session statistics, unit 3, channel 6: Session state: established (last established 32 minutes 17 seconds ago) Connections established: 1 Remote resets: 0, Reset packets sent: 0 Connection statistics (for current connection, if established): Msgs sent: 2, Msgs rece
| +---+ | ------------------------------------------------------------------2/1| 5 |2/6= +---+

Syntax: show stack neighbors

Table 50 describes the output from the show stack neighbors command.

TABLE 50 Field descriptions for the show stack neighbors command

Field: U
  Description: The stack identification number for this unit.
Field: Stack-port1
  Description: Identifies the neighbor stack unit for stack-port1 for this unit ID.
up ports: 4/2/6, 4/2/7, 4/2/8, 4/2/9, 4/2/10
5 up (5/2/1-5/2/5) up (5/2/6-5/2/10)
up ports: 5/2/1, 5/2/2, 5/2/3, 5/2/4, 5/2/5
up ports: 5/2/6, 5/2/7, 5/2/8, 5/2/9, 5/2/10
6 up (6/2/1-6/2/5) up (6/2/6-6/2/10)
up ports: 6/2/1, 6/2/2, 6/2/3, 6/2/4, 6/2/5
up ports: 6/2/6, 6/2/7, 6/2/8, 6/2/9, 6/2/10
7 up (7/2/1-7/2/5) up (7/2/6-7/2/10)
up ports: 7/2/1, 7/2/2, 7/2/3, 7/2/4, 7/2/5
up ports: 7/2/6, 7/2/7, 7/2/8, 7/2/9, 7/2/10

Syntax: show stack stack-ports

Table 51 describes the
  module 3 icx6610-8-port-10g-dual-mode-module
  priority 128
  stack-trunk 1/2/1 to 1/2/2
  stack-trunk 1/2/6 to 1/2/7
  stack-port 1/2/1 1/2/6
stack unit 4
  module 1 icx6610-48p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
  priority 100
  stack-trunk 4/2/1 to 4/2/2
  stack-trunk 4/2/6 to 4/2/7
  stack-port 4/2/1 4/2/6
stack unit 5
  module 1 icx6610-48-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 ic
3. If one stacking port is configured, that port will be displayed whether or not stacking is enabled.

stack unit 1
  module 1 fcx-24-port-management-module
  module 2 fcx-cx4-2-port-10g-module
  module 3 fcx-xfp-1-port-10g-module
  stack-port 1/3/1

Displaying software version information

The show version command shows the software version that the stack is running. Note that the last line of this output shows the bootup ID and role for this unit. Output resembles the following.
STACKID 2 system uptime 18 minutes 3 seconds
STACKID 3 system uptime 18 minutes 3 seconds
The system started at 21:08:51 GMT+00 Fri Jul 25 2008
The system : started=warm start reloaded=by "reload"
My stack unit ID = 1, bootup role = active

Syntax: show version

Displaying stacking port interface information

The show interfaces stack-ports command displays information about the stacking ports on all stack units.
NOTE
If a unit is provisional (reserved, and does not have a physical unit associated with the unit ID), its interface MAC address shows as 0000.0000.0000.

Displaying stacking port statistics

The show statistics stack-ports command displays information about all stacking ports in an IronStack topology.
| standby | | +---+ | ------------------------------------------------------------------2/1| 5 |2/6= +---+

trunk probe results: 7 links
Link 1: u7 -- u1, num=5
  1: 1/2/1 (T0) <---> 7/2/1 (T0)
  2: 1/2/2 (T0) <---> 7/2/2 (T0)
  3: 1/2/3 (T0) <---> 7/2/3 (T0)
  4: 1/2/4 (T0) <---> 7/2/4 (T0)
  5: 1/2/5 (T0) <---> 7/2/5 (T0)
Link 2: u2 -- u1, num=5
  1: 1/2/6 (T1) <---> 2/2/6 (T1)
  2: 1/2/7 (T1) <---> 2/2/7 (T1)
  3: 1/2/8 (T1) <---> 2/2/8 (T1)
  4: 1/2/9 (T1) <---> 2/2/9 (T1)
  5: 1/2/10(T1) <--->
Syntax: show stack connection

Adding, removing, or replacing units in an IronStack

The following sections describe how to add, remove, or replace units in an IronStack. The recommended method is to connect units to the stack before you supply power to the units; however, you can also connect powered units.

Installing a new unit in an IronStack using secure-setup

This method can be applied to clean units, or units that have existing configurations.
1.
Removing a unit from an IronStack

To remove a unit from the stack, disconnect the cables from the stacking ports. This can be done whether the units are powered-on or powered-off. When you remove a unit that is powered-on, it is still in stacking enabled mode. To remove the stacking files, enter the stack unconfigure me or stack unconfigure clean command. When the unit reboots, it will operate as a standalone unit. Refer to “Unconfiguring an IronStack” on page 287.
Moving a unit to another stack

Moving a member from one stack to another can result in non-sequential ID assignment. The Active Controller will honor the new unit's original ID if that ID is not being used in the new stack. The Active Controller will assign a new ID if the original ID is already being used. To prevent non-sequential stack ID assignments, configure the unit that is moving as a clean unit before adding it to the new stack.
reset unit 3: diff bootup id=6
Election, was active, no role change, assigned-ID=1
Brocade# show stack
ID   Type    Role     Mac Address     Pri
1  S FCX624  active   0012.f239.2d40  128
2  S FCX624  standby  0012.f2d5.2100    0
3  S FCX624  member   001b.ed5d.
IronStack troubleshooting

All stack units support SNMP gets, sets, and traps, which are managed by the Active Controller. An SNMP trap is sent from a stack unit to the stack Active Controller, and forwarded from the Active Controller to an SNMP-configured server. An external network management station can execute SNMP gets and sets for MIBs and collect information about any port on the stack.
1. Enter the show run command on each unit to make sure the configuration contains “stack enable”. If it does not, enter the stack enable command on the unit. Before a stack is formed, you can still access the console port on each device. Once a stack is successfully formed, you are redirected to the Active Controller.

NOTE
If you are building a stack using secure-setup, you do not have to enter stack enable on each unit.

2.
target ID 1 1 target MAC 15230 15230 unrel target ID 7615
There is 1 current jumbo IPC session 0 0 0 0 0
Possible errors: *** recv from non-exist unit 2 times: unit 5

If the send message types: field is empty, it means that stack enable has not been configured. If the number of Recv IPC packets increases, but there are no Recv message types, then the packets are being dropped for various reasons, including the wrong IPC version, or a checksum error.
Stack mismatches

BOOT INFO: load monitor from primary, size=103408
BOOT INFO: load image from primary..........
BOOT INFO: bootparam at 000543e8, mp_flash_size=002ee6c5
BOOT INFO: code decompression completed
BOOT INFO: branch to 00400100
Starting Main Task.......
Image mismatches

NOTE
The Active Controller can still download an image to the non-operational unit.

The Active Controller generates a log message whenever it puts a stack unit into a non-operational state. The following examples describe the types of mismatches and the related log message:
• Advanced feature mismatch - The Active Controller is enabled for advanced features (such as BGP) and the stack unit is not enabled.
Stack: Unit 2 00e0.1020.
In a major mismatch, the stack cannot be built and will not operate. You must download the correct version of the software to the mismatched units individually.

Minor mismatch for stack units

With a minor mismatch, an operating stack can still exist, but traffic is dropped from all ports except for the stacking ports for units with the mismatched software. You can download the correct image to the mismatched devices from the Active Controller.
Auto Image Copy for stack units

The Auto Image Copy feature ensures that all units in a stack are running the same flash image after a stack merge. This feature also enables automatic reload of the stack units. It prevents the image mismatch that occurs when one or more member units join the stack with a different running image and signature than that of the master and standby units.
Auto Image Copy limitations

The following limitations apply to the Auto Image Copy feature:
• This feature is applicable to those stack units that are in a non-operational image mismatch state only.
• Auto Image Copy does not work if the image version of the IPC is different from the stack unit version in the case of a major image mismatch.
Recovering from a stack unit mismatch

When a configuration mismatch occurs, the Active Controller logs and displays a configuration mismatch message, and puts the mismatched unit into a non-operational state. In the following example, the original stack unit 3 has failed, and a replacement unit has been installed that does not match the configuration of the original unit. You should see the following message.
Troubleshooting secure-setup

Secure-setup can be used to form linear and ring stack topologies. For information about the procedure, refer to “Scenario 1 - Three-member IronStack in a ring topology using secure-setup” on page 250.
More about IronStack technology

This section discusses stacking technology in greater detail than the information presented in Section 1.

Configuration, startup configuration files, and stacking flash

Stacking system behavior is defined by the run time configuration, which can be displayed using the show run command. The write memory command stores the run time configuration in a flash file called startup-config.txt.
IronStack topologies
Brocade IronStack technology supports both linear and ring stack topologies. Because unicast switching follows the shortest path in a ring topology, this topology offers the strongest redundancy. When the ring is broken, the stack recalculates the forwarding path and then resumes the flow of traffic within a few seconds.
If the Active Controller fails, the Standby Controller waits 30 seconds, and then takes over as Active Controller, resetting itself and all other stack members. If the old Active Controller becomes operational, it may or may not resume its role as Active, depending on the configured priorities. If hitless stacking failover is enabled, the standby unit can take over immediately without reloading any unit.
• Greater number of members - The unit that has control over the greater number of stack members.
• Longer up time - An up time that is more than 30 seconds longer than the next one in size is considered. Where up times are compared, there is no effect if the difference is less than 30 seconds.
• Lowest boot stack ID - The unit that has the lowest boot stack ID (1-8, 1 is the lowest).
• MAC address - The member with the lowest MAC address.
Since Standby election candidates must have startup configurations that have been synchronized with the Active Controller, if the Active Controller does not have a startup-config.txt file, there will not be a Standby Controller. Once a write memory is performed on the Active Controller, the startup-config.txt file is written and synchronized to all stack members, and a Standby Controller can be elected.
Hitless stacking
Hitless stacking is supported on FCX and ICX units in an IronStack.
Non-supported hitless stacking events
The following events are not supported by hitless stacking. These events require a software reload, resulting in an impact to data traffic.
• Unit ID change – When a stack is formed or when a unit is renumbered using secure-setup.
• Stack merge – When the old Active Controller comes back up, it reboots. If it has fewer members than the Active Controller, it loses the election, regardless of its priority.
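The election tiebreaks listed above (more members, then up time with the 30-second rule, then lowest boot stack ID, then lowest MAC) are easy to get wrong when reasoning about which unit will come back as Active after a merge. The following is an added example, not Brocade code: a small Python model of that tiebreak order with constructed candidates. The priority comparison that precedes these criteria in the guide is outside this excerpt and is deliberately not modeled; the Candidate fields are assumed names.

```python
"""Model of the IronStack Active Controller tiebreak order (added example,
not Brocade code). Order implemented, as quoted in the guide: the unit that
controls more stack members wins; then the longer up time, but only when the
difference is more than 30 seconds; then the lowest boot stack ID (1-8);
then the lowest MAC address. Priority is outside this excerpt and not modeled.
"""
from dataclasses import dataclass
from functools import cmp_to_key
from typing import List

# The guide says "more than 30 seconds longer", so a difference of exactly
# 30 seconds is treated as a tie here.
UPTIME_TIE_WINDOW = 30


@dataclass(frozen=True)
class Candidate:
    name: str
    members: int        # stack members this unit controls
    uptime_s: int       # seconds since this unit booted
    boot_stack_id: int  # 1-8, 1 is the lowest
    mac: str            # Brocade-style "0024.3876.2640" (colons also accepted)

    def mac_int(self) -> int:
        return int(self.mac.replace(".", "").replace(":", ""), 16)


def compare(a: Candidate, b: Candidate) -> int:
    """Negative if a wins over b, positive if b wins, 0 if indistinguishable."""
    if a.members != b.members:
        return -1 if a.members > b.members else 1
    delta = a.uptime_s - b.uptime_s
    if abs(delta) > UPTIME_TIE_WINDOW:
        return -1 if delta > 0 else 1
    if a.boot_stack_id != b.boot_stack_id:
        return -1 if a.boot_stack_id < b.boot_stack_id else 1
    if a.mac_int() != b.mac_int():
        return -1 if a.mac_int() < b.mac_int() else 1
    return 0


def winning_reason(a: Candidate, b: Candidate) -> str:
    """Name the criterion that decides between two candidates."""
    if a.members != b.members:
        return "greater number of members"
    if abs(a.uptime_s - b.uptime_s) > UPTIME_TIE_WINDOW:
        return "longer up time"
    if a.boot_stack_id != b.boot_stack_id:
        return "lowest boot stack ID"
    if a.mac_int() != b.mac_int():
        return "lowest MAC address"
    return "tie"


def elect_active(candidates: List[Candidate]) -> Candidate:
    """Return the candidate that wins the election under the order above."""
    return sorted(candidates, key=cmp_to_key(compare))[0]


if __name__ == "__main__":
    # Constructed candidates mirroring the stack-merge figure: a 4-unit stack
    # meets a 2-unit stack. The unit controlling more members wins.
    stack1 = Candidate("stack1-active", 4, 1000, 1, "0024.3876.2640")
    stack2 = Candidate("stack2-active", 2, 5000, 1, "0000.0000.0001")
    winner = elect_active([stack2, stack1])
    print(winner.name, "wins by", winning_reason(stack1, stack2))
```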
TABLE 56 Hitless-supported services and protocols
Traffic type: Layer 3 IPv4 routed traffic (unicast)
Supported protocols and services:
• IPv4 unicast forwarding
• Static routes
• OSPF v2
• OSPF v2 with ECMP
• VRRP
• VRRP-E
Impact: Layer 3 routed traffic for supported protocols is not impacted during a hitless stacking event.
Traffic type: Layer 3 IPv4 multicast
Impact: All existing Layer 3 IPv4 multicast flows and receivers may be interrupted. Traffic will converge to normalcy after the new active module becomes operational.
TABLE 56 Hitless-supported services and protocols (Continued)
Traffic type: Security
Impact: Supported security protocols and services are not impacted during a switchover or failover, with the following exceptions:
• 802.1X is impacted if re-authentication does not occur in a specific time window.
• MDPA is impacted if re-authentication does not occur in a variable-length time window.
Hitless stacking configuration notes and feature limitations
• For hitless stacking on the FCX, Brocade recommends that you configure the IronStack MAC address using the stack mac command. Without this configuration, the MAC address of the stack will change to the new base MAC address of the Active Controller. This could cause a spanning tree root change.
• Start-up and run-time configuration (CLI) – These files are copied to the Standby Controller only.
• Layer 2 protocols – Layer 2 protocols such as STP, RSTP, MRP, and VSRP run concurrently on both the Active and Standby Controller.
• Hardware Abstraction Layer (HAL) – This includes the prefix-based routing table, next hop information for outgoing interfaces, and tunnel information.
Standby Controller role in hitless stacking
In software releases that do not support hitless stacking, the Standby Controller functions as a dummy device, meaning it provides limited access to the CLI, such as show, stack, and a few debug commands. The Active Controller can access the full range of the CLI. The Standby Controller synchronizes its configuration with the Active Controller at each reset.
Runtime configuration mismatch
In some cases, such as a runtime configuration mismatch between the Active Controller and candidate Standby Controller, the Standby Controller cannot be assigned by the Active Controller unless the candidate Standby Controller is reloaded. As shown in the following example, the show stack command output will indicate whether there is a runtime configuration mismatch.
Support during stack formation, stack merge, and stack split
This section illustrates hitless stacking support during stack formation, stack merge, and stack split. Figure 22 illustrates hitless stacking support during stack formation. Operational stages 1 and 2 are also shown in this illustration.
Figure 23 illustrates hitless stacking support during a stack merge.
FIGURE 23 Hitless stacking support during a stack merge (FCX stack merge)
Before the merge:
Stack 1: Active 1 (pri=30), Standby 2 (pri=20), Member 3 (pri=10), Member 4 (pri=0)
Stack 2: Active 1 (pri=100), Standby 2 (pri=50)
After the merge: Member 1 (pri=30), Member 2 (pri=20), Member 3 (pri=10), Member 4 (pri=0), Active 5 (pri=100), Standby 6 (pri=50)
Note 1: When hitless failover is enabled, the stack with more units will win.
Figure 24 illustrates hitless stacking support in a stack split.
FIGURE 24 Hitless stacking support in a stack split (FCX stack split)
Before the split: Active 1 (pri=30), Standby 2 (pri=20), Member 3 (pri=10), Member 4 (pri=0)
After the split: Active 1 (pri=30), Standby 2 (pri=20) remain a stack; Member 3 (pri=10) and Member 4 (pri=0) are separated.
Note 1: The stack splits into one operational stack and two “orphan” units.
Hitless stacking default behavior
Hitless stacking is disabled by default. When disabled, the following limitations are in effect:
• If a failover occurs, every unit in the stack will reload.
• Manual switchover is not allowed. If the CLI command stack switch-over is entered, the following message will appear on the console:
Switch-over is not allowed. Reason: hitless-failover not configured.
Enabling hitless stacking
Hitless stacking is disabled by default. To enable it, enable hitless failover as described in “Enabling hitless stacking failover” on page 342.
Displaying hitless stacking status
You can use the show stack command to view whether or not hitless stacking is enabled. The following example shows that hitless stacking is disabled.
Brocade#show stack
alone: standalone, D: dynamic config, S: static config
ID Type Role Mac Address Pri State Comment
2 S FCX648S member 0000.0000.0000 0 reserve
3 S FCX624 standby 0024.3876.2640 200 remote Ready, active if reloaded
5 S FCX624 member 00e0.5200.0400 128 remote Ready, standby if reloaded
8 S FCX648 active 0024.3877.
Hitless stacking failover example
Figure 25 illustrates hitless stacking failover operation when the Active Controller fails.
FIGURE 25 Hitless stacking failover when the Active Controller fails
Before the failure: Active 1, Member 2 (bootup Standby), Member 3, Member 4
After the failure: Member 2 (bootup Standby), Member 3, Member 4
Note 1: The Active controller fails after the stack reloads. The stack comes back without the Active controller, and the bootup Standby becomes the Active controller.
For a description of this feature’s impact on major system functions, refer to Table 56 on page 330. For examples of hitless stacking switchover operation, refer to “Hitless stacking switchover examples” on page 345.
Hitless stacking switchover examples
This section illustrates hitless stacking failover and switchover operation during a CLI-driven switchover or priority change. Figure 26 illustrates a hitless stacking switchover triggered by the stack switch-over command.
Figure 27 illustrates a hitless stacking switchover when the Active Controller goes down then comes back up. The stack in this example has user-configured priorities.
FIGURE 27 Hitless stacking switchover when the Active Controller comes back up
Active controller comes back (in a stack with user-assigned priorities).
Figure 28 illustrates a hitless stacking switchover after the network administrator increases the priority value of the Standby Controller.
Figure 29 illustrates a hitless stacking switchover after the network administrator increases the priority value of one of the stack members.
FIGURE 29 Scenario 2 – Hitless stacking switchover after a priority change (FCX priority change - Scenario 2)
Stack formation: Active 1 (pri=100), Standby 2 (pri=0), Member 3 (pri=0), Member 4 (pri=0)
After the priority change: Standby 1 (pri=100), Member 2 (pri=0), Active 3 (pri=200), Member 4 (pri=0)
Note 1: A switchover occurs. Stages 1 and 2 are complete.
Figure 30 illustrates a hitless stacking switchover after the network administrator increases the priority value for two of the stack members.
Displaying information about hitless stacking
Use the show stack command to view information pertinent to a hitless stacking switchover or failover. The command output illustrates the Active and Standby Controllers, as well as the readiness of the Standby Controller to take over the role of Active Controller, if needed.
Brocade#show stack
alone: standalone, D: dynamic config, S: static config
ID Type Role Mac Address Pri State Comment
1 S FCX624S active 00e0.5200.
global_ctrl_dest: ffffffff
individual_ctrl_dest: ee
status_dest: 30
Syslog messages for hitless stacking failover and switchover
Syslog messages are generated for the following events:
• Switchover
• Failover
• Standby Controller assignment
Table 57 lists the supported syslog messages.
Brocade# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 12 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Dynamic Log Buffer (50 lines):
0d00h04m41s:I:Stack: Stack unit 3 has been assigned as STANDBY unit of the stack system
0d00h04m12s:I:System: Interface ethernet mgmt1, state up
0d00h04m10s:I:System: Interface ethernet mgmt1, state down
0d00h04m10s:I:Syst
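Role changes in a stack (switchover, failover, Standby assignment) are events an operator will want to pull out of the log buffer rather than read by eye. The following is an added example, not Brocade code: a parser for the show log line format shown above that converts the uptime stamp to seconds, decodes the level code from the printed legend, and flags Stack facility messages. Only the STANDBY assignment text comes from the excerpt; the switchover and failover keyword patterns and the last sample line are assumptions, labelled as such in the code.

```python
"""Parse FastIron 'show log' buffer lines and flag stacking role changes.

Added example, not Brocade code. Line format taken from the guide's output:
    <uptime>:<level code>:<facility>: <message>
    0d00h04m41s:I:Stack: Stack unit 3 has been assigned as STANDBY unit of the stack system
The level-code legend is the one 'show log' prints. The switchover and
failover message texts are not in the excerpt, so the keyword patterns for
them below are assumptions, as is the last constructed sample line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVEL_CODES = {"A": "alert", "C": "critical", "D": "debugging", "M": "emergency",
               "E": "error", "I": "informational", "N": "notification", "W": "warning"}

LINE_RE = re.compile(
    r"^(?P<d>\d+)d(?P<h>\d{2})h(?P<m>\d{2})m(?P<s>\d{2})s:"
    r"(?P<level>[ACDMEINW]):(?P<facility>[^:]+):\s*(?P<msg>.*)$")

# Stacking role changes the guide says generate syslog messages. Only the
# standby pattern is taken from the excerpt's own message text; the other two
# are assumed keywords and should be adjusted against a real log.
STACK_EVENT_PATTERNS = {
    "standby_assigned": re.compile(r"assigned as STANDBY unit", re.I),
    "switchover": re.compile(r"switch-?over", re.I),  # assumption
    "failover": re.compile(r"fail-?over", re.I),      # assumption
}


@dataclass
class LogEntry:
    uptime_s: int   # seconds since boot, from the 0d00h04m41s stamp
    level: str      # decoded level name, e.g. "informational"
    facility: str   # e.g. "Stack", "System"
    message: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None for header/legend lines and anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    uptime = ((int(m["d"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
    return LogEntry(uptime, LEVEL_CODES[m["level"]], m["facility"], m["msg"])


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def stack_events(entries: List[LogEntry]) -> List[Tuple[str, LogEntry]]:
    """Return (event_name, entry) for each Stack-facility role change found."""
    found = []
    for e in entries:
        if e.facility != "Stack":
            continue
        for name, pat in STACK_EVENT_PATTERNS.items():
            if pat.search(e.message):
                found.append((name, e))
                break
    return found


# First five lines are the guide's own output; the last line is CONSTRUCTED.
SAMPLE_LOG = """\
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 12 messages logged
0d00h04m41s:I:Stack: Stack unit 3 has been assigned as STANDBY unit of the stack system
0d00h04m12s:I:System: Interface ethernet mgmt1, state up
0d00h04m10s:I:System: Interface ethernet mgmt1, state down
1d02h00m05s:W:Stack: CONSTRUCTED SAMPLE: switch-over from unit 1 to unit 3
"""

if __name__ == "__main__":
    for name, entry in stack_events(parse_log(SAMPLE_LOG)):
        print(f"{entry.uptime_s:>7}s {entry.level:<13} {name}: {entry.message}")
```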
Chapter 8 IPv6 Configuration on FastIron X Series, FCX, and ICX Series Switches
Table 58 lists the individual Brocade FastIron switches and the IPv6 features they support. These features are supported in the Layer 2, base Layer 3, and full Layer 3 software images, except where explicitly noted.
TABLE 58
Feature | FESX, FSX 800, FSX 1600 | FCX | ICX 6610 | ICX 6430, ICX 6450
SNTP | Yes | Yes | Yes | Yes
Telnet | Yes | Yes | Yes | Yes
TFTP | Yes | Yes | Yes | Yes
Router advertisement and solicitation | Yes | Yes | Yes | ICX 6450 only
IPv6 static routes | Yes | Yes | Yes | ICX 6450 only
IPv6 over IPv4 tunnels | Yes | Yes | No | No
ECMP load sharing | Yes | Yes | Yes | ICX 6450 only
IPv6 ICMP | Yes | Yes | Yes | Yes
IPv6 routing protocols (footnote 1) | Yes | Yes | Yes | No
ICMP r
Full Layer 3 IPv6 feature support
The following IPv6 Layer 3 features are supported only with the IPv6 Layer 3 PROM, IPv6-series hardware, and the full Layer 3 image:
• IPv6 unicast routing (multicast routing is not supported)
• OSPF V3
• RIPng
• IPv6 ICMP redirect messages
• IPv6 route redistribution
• IPv6 static routes
• IPv6 over IPv4 tunnels in hardware
• IPv6 Layer 3 forwarding
IPv6 addressing overview
IPv6 was designed to replace IPv4, the Internet protocol that
As shown in Figure 31, the IPv6 network prefix is composed of the left-most bits of the address. As with an IPv4 address, you can specify the IPv6 prefix using the / format, where the following applies. The parameter is specified as 16-bit hexadecimal values separated by a colon. The parameter is specified as a decimal value that indicates the left-most bits of the IPv6 address. The following is an example of an IPv6 prefix.
TABLE 59 IPv6 address types
Address type: Unicast
Description: An address for a single interface. A packet sent to a unicast address is delivered to the interface identified by the address.
Address structure: Depends on the type of the unicast address:
• Aggregatable global address—An address equivalent to a global or public IPv4 address.
IPv6 CLI command support
IPv6 stateless auto-configuration
Brocade routers use the IPv6 stateless autoconfiguration feature to enable a host on a local link to automatically configure its interfaces with new and globally unique IPv6 addresses associated with its location. The automatic configuration of a host interface is performed without the use of a server, such as a Dynamic Host Configuration Protocol (DHCP) server, or manual configuration.
TABLE 60 IPv6 CLI command support (Continued)
IPv6 command | Description | Switch code | Router code
clear ipv6 tunnel | Clears statistics for IPv6 tunnels | |
copy tftp | Downloads a copy of a Brocade software image from a TFTP server into the system flash using IPv6. | X | X
debug ipv6 | Displays IPv6 debug information. | X | X
ipv6 access-class | Configures access control for IPv6 management traffic. | X | X
ipv6 access-list | Configures an IPv6 access control list for IPv6 access control. | |
IPv6 host address on a Layer 2 switch
TABLE 60 IPv6 CLI command support (Continued)
IPv6 command | Description | Switch code | Router code
show ipv6 interface | Displays IPv6 information for an interface. | |
show ipv6 mld-snooping | Displays information about MLD snooping. | X | X
show ipv6 neighbor | Displays the IPv6 neighbor table. | X | X
show ipv6 ospf | Displays information about OSPF V3. | | X
show ipv6 prefix-lists | Displays the configured IPv6 prefix lists. | |
• “Configuring a link-local IPv6 address as a system-wide address for a switch” on page 361
NOTE
When configuring an IPv6 host address on a Layer 2 switch that has multiple VLANs, make sure the configuration includes a designated management VLAN that identifies the VLAN to which the global IP address belongs. Refer to “Designated VLAN for Telnet management sessions to a Layer 2 Switch” on page 120.
Configuring the management port for an IPv6 automatic address configuration
You can have the management port configured to automatically obtain an IPv6 address.
Configuring basic IPv6 connectivity on a Layer 3 switch
• Configuring a global or site-local address with a manually configured or automatically computed interface ID for an interface.
• Automatically or manually configuring a link-local address for an interface.
IPv6 Routing Table - 1 entries:
Type Codes: C - Connected, S - Static, R - RIP, O - OSPF, B - BGP
OSPF Sub Type Codes: O - Intra, Oi - Inter, O1 - Type1 external, O2 - Type2 external
Type IPv6 Prefix Next Hop Router Interface Dis/Metric
C 2020::/122 :: ve 11 0/0
Configuring a global IPv6 address with an automatically computed EUI-64 interface ID
To configure a global IPv6 address with an automatically computed EUI-64 interface ID in the low-order 64-
These commands explicitly configure the link-local address FE80::240:D0FF:FE48:4672 for Ethernet interface 3/1.
Syntax: ipv6 address link-local
You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. The link-local keyword indicates that the router interface should use the manually configured link-local address instead of the automatically computed link-local address.
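The automatically computed link-local and EUI-64 global addresses described above come from the interface MAC, so an operator verifying a switch's show ipv6 interface output can recompute them. This is an added example, not Brocade code: the modified EUI-64 derivation from RFC 2373 Appendix A (insert ff:fe, flip the universal/local bit), checked against the guide's own address FE80::240:D0FF:FE48:4672, plus the reverse mapping from an address back to its MAC. The function names and the MAC 0040.d048.4672 (recovered from that address) are this example's own.

```python
"""Derive and reverse modified EUI-64 IPv6 interface IDs (added example,
not Brocade code). Procedure per RFC 2373 Appendix A: split the 48-bit MAC
into two 24-bit halves, insert 0xFFFE between them and flip the
universal/local bit (0x02) of the first octet. The guide's example
FE80::240:D0FF:FE48:4672 corresponds to MAC 0040.d048.4672.
"""
import ipaddress
import re
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept Brocade 'xxxx.xxxx.xxxx', colon- or hyphen-separated MACs."""
    digits = re.sub(r"[.:-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC."""
    m = parse_mac(mac)
    first = m[0] ^ 0x02  # flip the universal/local bit
    return bytes([first]) + m[1:3] + b"\xff\xfe" + m[3:6]


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a 64-bit prefix with the EUI-64 interface ID and return the
    address in compressed form, as the switch prints it."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a 64-bit prefix")
    packed = net.network_address.packed[:8] + eui64_interface_id(mac)
    return str(ipaddress.IPv6Address(packed))


def link_local_from_mac(mac: str) -> str:
    """The automatically computed link-local address for an interface MAC."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC (Brocade dotted form) from an EUI-64 derived address.
    Returns None when the interface ID was not formed from a MAC, i.e. the
    ff:fe marker is absent (manually assigned or privacy addresses)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    h = m.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


if __name__ == "__main__":
    # The guide's link-local example, recomputed from its MAC.
    print(link_local_from_mac("0040.d048.4672"))   # fe80::240:d0ff:fe48:4672
    # The link-local address printed by 'show ipv6 interface ethernet 3/1'
    # in this chapter, mapped back to the interface MAC.
    print(mac_from_eui64("fe80::2e0:52ff:fe99:97"))  # 00e0.5299.0097
```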
IPv6 management (IPv6 host support)
You can specify the parameter in either dotted decimal notation or as a decimal value preceded by a slash mark (/). The secondary keyword specifies that the configured address is a secondary IPv4 address. To remove the IPv4 address from the interface, enter the no form of this command.
Syntax: ipv6 address / [eui-64]
This syntax specifies a global or site-local IPv6 address.
Brocade(config)#snmp-client ipv6 2001:efff:89::23
Syntax: snmp-client ipv6
The you specify must be in hexadecimal format using 16-bit values between colons as documented in RFC 2373.
Specifying an IPv6 SNMP trap receiver
You can specify an IPv6 host as a trap receiver to ensure that all SNMP traps sent by the device will go to the same SNMP trap receiver or set of receivers, typically one or more host devices on the network.
The telnet command establishes a Telnet connection from a Brocade device to a remote IPv6 host using the console. Up to five read-access Telnet sessions are supported on the router at one time. Write-access through Telnet is limited to one session, and only one outgoing Telnet session is supported on the router at one time. To see the number of open Telnet sessions at any time, enter the show telnet command.
IPv6 Web management using HTTP and HTTPS
When you have an IPv6 management station connected to a switch with an IPv6 address applied to the management port, you can manage the switch from a Web browser by entering one of the following in the browser address field.
http://[] or https://[]
NOTE
You must enclose the IPv6 address with square brackets [ ] in order for the Web browser to work.
Configuring name-to-IPv6 address resolution using IPv6 DNS resolver
The Domain Name Server (DNS) resolver feature lets you use a host name to perform Telnet and ping commands. You can also define a DNS domain on a Brocade device and thereby recognize all hosts within that domain. After you define a domain name, the Brocade device automatically appends the appropriate domain to the host and forwards it to the domain name server. For example, if the domain “newyork.
Syntax: ping ipv6 [outgoing-interface [ | ve ]] [source ] [count ] [timeout ] [ttl ] [size ] [quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]
• The parameter specifies the address of the router. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
Configuring an IPv6 Syslog server
To enable IPv6 logging, specify an IPv6 Syslog server. Enter a command such as the following.
Brocade(config)#log host ipv6 2000:2383:e0bb::4/128
Syntax: log host ipv6 []
The must be in hexadecimal using 16-bit values between colons as documented in RFC 2373. The optional parameter specifies the UDP application port used for the Syslog facility.
Static IPv6 route configuration
Disabling router advertisement and solicitation messages
Router advertisement and solicitation messages enable a node on a link to discover the routers on the same link. By default, router advertisement and solicitation messages are permitted on the device. To disable these messages, configure an IPv6 access control list that denies them. The following shows an example configuration.
Brocade(config)#ipv6 route 8eff::0/32 4fee:2343:0:ee44::1 distance 110
Syntax: ipv6 route / [] [distance ]
To configure a static IPv6 route for a destination network with the prefix 8eff::0/32 and a next-hop gateway with the link-local address fe80::1 that the Layer 3 switch can access through Ethernet interface 3/1, enter the following command.
TABLE 61 Static IPv6 route parameters
Parameter | Configuration details | Status
The IPv6 prefix and prefix length of the route’s destination network. | You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value. A slash mark (/) must follow the parameter and precede the parameter. |
IPv6 over IPv4 tunnels
NOTE
This feature is supported only with the IPv6 Layer 3 PROM and the full Layer 3 image.
To enable communication between isolated IPv6 domains using the IPv4 infrastructure, you can manually configure IPv6 over IPv4 tunnels that provide static point-to-point connectivity. As shown in Figure 32, these tunnels encapsulate an IPv6 packet within an IPv4 packet.
• If a tunnel source port is a multi-homed IPv4 source, the tunnel will use the first IPv4 address only. For proper tunnel operation, use the ip address option.
• Hitless management is not supported with IPv6-over-IPv4 tunnels or GRE tunnels. When either of these tunnel types is enabled on non-supported devices, the behavior is as follows:
• The CLI commands that execute a hitless switchover (switch-over-active-role and hitless reload) are disabled.
The ipv6 enable command enables the tunnel. Alternatively, you could specify an IPv6 address, which would also enable the tunnel.
Syntax: ipv6 address / [eui-64]
The ipv6 address command enables the tunnel. Alternatively, you could enter ipv6 enable, which would also enable the tunnel. Specify the parameter in hexadecimal format using 16-bit values between colons as documented in RFC 2373.
TABLE 62 IPv6 tunnel summary information
Field | Description
Tunnel | The tunnel interface number.
Mode | The tunnel mode. Possible modes include the following:
• configured – Indicates a manually configured tunnel.
Packet Received | The number of packets received by a tunnel interface. Note that this is the number of packets received by the CPU. It does not include the number of packets processed in hardware.
Packet Sent | The number of packets sent by a tunnel interface.
TABLE 63 IPv6 tunnel interface information (Continued)
Field | Description
Port name | The port name configured for the tunnel interface.
MTU | The setting of the IPv6 maximum transmission unit (MTU).
Displaying interface level IPv6 settings
To display Interface level IPv6 settings for tunnel interface 1, enter the following command at any level of the CLI.
ECMP load sharing for IPv6
TABLE 64 Interface level IPv6 tunnel information
Field | Description
Interface |
Tunnel status | The status of the tunnel interface can be one of the following:
• up – IPv4 connectivity is established.
• down – The tunnel mode is not set.
• administratively down – The tunnel interface was disabled with the disable command.
Line protocol status | The status of the line protocol can be one of the following:
• up – IPv6 is enabled through the ipv6 enable or ipv6 address command.
Disabling or re-enabling ECMP load sharing for IPv6
ECMP load sharing for IPv6 is enabled by default. To disable the feature, enter the following command.
Brocade(config)#no ipv6 load-sharing
If you want to re-enable the feature after disabling it, you must specify the number of load-sharing paths. The maximum number of paths the device supports is a value from 2–8. By entering a command such as the following, IPv6 load-sharing will be re-enabled.
IPv6 ICMP feature configuration
As with the Internet Control Message Protocol (ICMP) for IPv4, ICMP for IPv6 provides error and informational messages. Implementation of the stateless auto configuration, neighbor discovery, and path MTU discovery features use ICMP messages.
IPv6 neighbor discovery configuration
Enabling IPv6 ICMP redirect messages
NOTE
This feature is supported only with the IPv6 Layer 3 PROM and the full Layer 3 image.
You can enable a Layer 3 switch to send an IPv6 ICMP redirect message to a neighboring host to inform it of a better first-hop router on a path to a destination. By default, the sending of IPv6 ICMP redirect messages by a Layer 3 switch is disabled.
• Interval between router advertisement messages.
• Value that indicates a router is advertised as a default router (for use by all nodes on a given link).
• Prefixes advertised in router advertisement messages.
• Flags for host stateful autoconfiguration.
• Amount of time during which an IPv6 node considers a remote node reachable (for use by all nodes on a given link).
After the link-layer address of node 2 is determined, node 1 can send neighbor solicitation messages to node 2 to verify that it is reachable. Also, nodes 1, 2, or any other node on the same link can send a neighbor advertisement message to the all-nodes multicast address (FF02::1) if there is a change in their link-layer address.
Setting neighbor solicitation parameters for duplicate address detection
Although the stateless auto configuration feature assigns the 64-bit interface ID portion of an IPv6 address using the MAC address of the host’s NIC, duplicate MAC addresses can occur. Therefore, the duplicate address detection feature verifies that a unicast IPv6 address is unique before it is assigned to a host interface by the stateless auto configuration feature.
• The interval (in seconds) at which an interface sends router advertisement messages. By default, an interface sends a router advertisement message every 200 seconds.
• The "router lifetime" value, which is included in router advertisements sent from a particular interface. The value (in seconds) indicates if the router is advertised as a default router on this interface.
NOTE
By default, router advertisements will always have the MTU option. To suppress the MTU option, use the following command at the Interface level of the CLI: ipv6 nd suppress-mtu-option.
Prefixes advertised in IPv6 router advertisement messages
By default, router advertisement messages include prefixes configured as addresses on router interfaces using the ipv6 address command.
Setting flags in IPv6 router advertisement messages
An IPv6 router advertisement message can include the following flags:
• Managed Address Configuration—This flag indicates to hosts on a local link if they should use the stateful autoconfiguration feature to get IPv6 addresses for their interfaces. If the flag is set, the hosts use stateful autoconfiguration to get addresses as well as non-IPv6-address information.
IPv6 MTU
Configuring reachable time for remote IPv6 nodes
You can configure the duration (in seconds) that a router considers a remote IPv6 node reachable. By default, a router interface uses the value of 30 seconds. The router advertisement messages sent by a router interface include the amount of time specified by the ipv6 nd reachable-time command so that nodes on a link use the same reachable time duration. By default, the messages include a default value of 0.
Static neighbor entries configuration
• For a virtual routing interface, the maximum value of the MTU is the maximum frame size configured for the VLAN to which it is associated, minus 18 (Layer 2 MAC header + CRC). If a maximum frame size for a VLAN is not configured, then configure the MTU based on the smallest maximum frame size of all the ports of the VLAN that corresponds to the virtual routing interface, minus 18 (Layer 2 MAC header + CRC).
To remove a static IPv6 entry from the IPv6 neighbor discovery cache, use the no form of this command.
Limiting the number of hops an IPv6 packet can traverse
By default, the maximum number of hops an IPv6 packet can traverse is 64. You can change this value to between 0 – 255 hops. For example, to change the maximum number of hops to 70, enter the following command.
TCAM space on FCX device configuration
FCX devices store routing information for IPv4 and IPv6 and GRE tunnel information in the same TCAM table. You can configure the amount of TCAM space to allocate for IPv4 routing information and GRE tunnels. The remaining space is allocated automatically for IPv6 routing information. FCX devices have TCAM space to store 16,000 IPv4 route entries.
Clearing global IPv6 information
You can clear the following global IPv6 information:
• Entries from the IPv6 cache.
• Entries from the IPv6 neighbor table.
• IPv6 routes from the IPv6 route table.
• IPv6 traffic statistics.
Clearing the IPv6 cache
You can remove all entries from the IPv6 cache or specify an entry based on the following:
• IPv6 prefix.
• IPv6 address.
• Interface type.
Displaying global IPv6 information
You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value. A slash mark (/) must follow the parameter and precede the parameter. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
Displaying IPv6 cache information
The IPv6 cache contains an IPv6 host table that has indices to the next hop gateway and the router interface on which the route was learned. To display IPv6 cache information, enter the following command at any CLI level.
Displaying IPv6 interface information
To display IPv6 interface information, enter the following command at any CLI level.
Brocade#show ipv6 interface ethernet 3/1
Interface Ethernet 3/1 is up, line protocol is up
IPv6 is enabled, link-local address is fe80::2e0:52ff:fe99:97
Global unicast address(es):
Joined group address(es): ff02::9 ff02::1:ff99:9700 ff02::2 ff02::1
MTU is 1500 bytes
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 3
ND reachable time is 30 seconds
ND advertised reachable time is 0 seconds
ND retransmit interval is 1 seconds
ND advertised retransmit in
Displaying IPv6 neighbor information
You can display the IPv6 neighbor table, which contains an entry for each IPv6 neighbor with which the router exchanges IPv6 packets. To display the IPv6 neighbor table, enter the following command at any CLI level.
Brocade(config)#show ipv6 neighbor
Total number of Neighbor entries: 3
IPv6 Address LinkLayer-Addr State Age Port IsR
5555::55
2000:4::110
fe80::2e0:52ff:fe91:bb37
fe80::2e0:52ff:fe91:bb40
0002.0002.
TABLE 69 IPv6 neighbor information fields (Continued)
Field | Description
Age | The number of seconds the entry has remained unused. If this value remains unused for the number of seconds specified by the ipv6 nd reachable-time command (the default is 30 seconds), the entry is removed from the table.
Port | The physical port on which the entry was learned.
vlan | The VLAN on which the entry was learned.
The following table lists the information displayed by the show ipv6 route command.
TABLE 70 IPv6 route table fields
Field | Description
Number of entries | The number of entries in the IPv6 route table.
Type | The route type, which can be one of the following:
• C – The destination is directly connected to the router.
• S – The route is a static route.
• R – The route is learned from RIPng.
• O – The route is learned from OSPFv3.
• B – The route is learned from BGP4.
Syntax: show ipv6 router
If you configure your Brocade device to function as an IPv6 router (you configure IPv6 addresses on its interfaces and enable IPv6 routing using the ipv6 unicast-routing command) and you enter the show ipv6 router command, you will receive the following output.
No IPv6 router in table
Meaningful output for this command is generated for Brocade devices configured to function as IPv6 hosts only. This display shows the following information.
Brocade#show ipv6 tcp connections
Local IP address:port <-> Remote IP address:port
192.168.182.110:23 <-> 192.168.8.186:4933
192.168.182.110:8218 <-> 192.168.182.106:179
192.168.182.110:8039 <-> 192.168.2.119:179
192.168.182.110:8159 <-> 192.168.2.
TABLE 73 General IPv6 TCP connection fields (Continued)
Field Description
FREE TCP QUEUE BUFFER: The percentage of free TCP queue buffer space.
FREE TCP SEND BUFFER: The percentage of free TCP send buffer space.
FREE TCP RECEIVE BUFFER: The percentage of free TCP receive buffer space.
FREE TCP OUT OF SEQUENCE BUFFER: The percentage of free TCP out-of-sequence buffer space.
This display shows the following information.
TABLE 74 Specific IPv6 TCP connection fields
Field Description
TCP: The location of the TCP connection. This field provides a general summary of the following:
• The local IPv4 or IPv6 address and port number.
• The remote IPv4 or IPv6 address and port number.
• The state of the TCP connection.
Displaying IPv6 traffic statistics
To display IPv6 traffic statistics, enter the following command at any CLI level.
Field Description (Continued)
bad scope: The number of IPv6 packets dropped by the router because of a bad address scope.
bad options: The number of IPv6 packets dropped by the router because of bad options.
too many hdr: The number of IPv6 packets dropped by the router because the packets had too many headers.
no route: The number of IPv6 packets dropped by the router because there was no route.
Field Description (Continued)
router adv: The number of Router Advertisement messages sent or received by the router.
nei soli: The number of Neighbor Solicitation messages sent or received by the router.
nei adv: The number of Neighbor Advertisement messages sent or received by the router.
redirect: The number of redirect messages sent or received by the router.
Applies to received only
bad code: The number of Bad Code messages received by the router.
Field Description (Continued)
active opens: The number of TCP connections opened by the router by sending a TCP SYN to another device.
passive opens: The number of TCP connections opened by the router in response to connection requests (TCP SYNs) received from other devices.
failed attempts: This information is used by Brocade Technical Support.
Chapter 9 FWS Series Switch IPv6 management Table 75 lists the individual Brocade FastIron switches and the IPv6 management features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
IPv6 management overview
IPv6 was designed to replace IPv4, the Internet protocol that is currently the most widely used throughout the world. IPv6 increases the number of network address bits from 32 (IPv4) to 128, which provides more than enough unique IP addresses to support all of the network devices on the planet into the future. IPv6 is expected to quickly become the network standard. Brocade FastIron devices that support IPv6 may be used as management hosts.
As shown in Figure 33, the IPv6 network prefix is composed of the left-most bits of the address. As with an IPv4 address, you can specify the IPv6 prefix using the / format, where the following applies.
The parameter is specified as 16-bit hexadecimal values separated by a colon.
The parameter is specified as a decimal value that indicates the left-most bits of the IPv6 address.
The following is an example of an IPv6 prefix.
NOTE
You must enclose the IPv6 address in square brackets [ ] in order for the Web browser to work.
Restricting web access
You can restrict Web management access to include only management functions on a Brocade device that is acting as an IPv6 host, or restrict access so that the Brocade host can be reached by a specified IPv6 device.
The optional parameter specifies the UDP application port used for the Syslog facility.
Name-to-IPv6 address resolution using IPv6 DNS server
The Domain Name Server (DNS) resolver feature lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a Brocade device and thereby recognize all hosts within that domain.
] [quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]
• The parameter specifies the address of the router. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
• The outgoing-interface keyword specifies a physical interface over which you can verify connectivity.
NOTE
On 48GC modules in non-jumbo mode, the maximum size of ping packets is 1486 bytes and the maximum frame size of tagged traffic is no larger than 1581 bytes.
SNTP over IPv6
To enable the Brocade device to send SNTP packets over IPv6, enter the sntp server ipv6 command at the Global CONFIG level of the CLI.
Brocade(config)#sntp server ipv6 3000::400
Syntax: sntp server ipv6
The is the IPv6 address of the SNTP server.
The telnet command establishes a Telnet connection from a Brocade device to a remote IPv6 host using the console. Up to five read-access Telnet sessions are supported on the router at one time. Write-access through Telnet is limited to one session, and only one outgoing Telnet session is supported on the router at one time. To see the number of open Telnet sessions at any time, enter the show telnet command.
IPv6 management commands
IPv6 traceroute
The traceroute command allows you to trace a path from the Brocade device to an IPv6 host. The CLI displays trace route information for each hop as soon as the information is received. Traceroute requests display all responses to a minimum TTL of 1 second and a maximum TTL of 30 seconds. In addition, if there are multiple equal-cost routes to the destination, the Brocade device displays up to three responses.
Chapter 10 SNMP Access Table 76 lists individual Brocade switches and the SNMP access methods they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
SNMP community strings
Restricting SNMP access using an ACL, a VLAN, or a specific IP address constitutes the first level of defense when the packet arrives at a Brocade device. The next level uses one of the following methods:
• Community string match in SNMP versions 1 and 2
• User-based model in SNMP version 3
SNMP views are incorporated in community strings and the user-based model.
SNMP community strings
SNMP versions 1 and 2 use community strings to restrict SNMP access.
You can assign other SNMP community strings, and indicate if the string is encrypted or clear. By default, the string is encrypted. To add an encrypted community string, enter commands such as the following.
Brocade(config)#snmp-server community private rw
Brocade(config)#write memory
Syntax: snmp-server community [0 | 1] ro | rw [view ] [ | ]
The parameter specifies the community string name.
To add a non-encrypted community string, you must explicitly specify that you do not want the software to encrypt the string. Here is an example.
Brocade(config)#snmp-server community 0 private rw
Brocade(config)#write memory
The command in this example adds the string “private” in the clear, which means the string is displayed in the clear. When you save the new community string to the startup-config file, the software adds the following command to the file.
User-based security model
Brocade#show snmp server
Contact: Marshall
Location: Copy Center
Community(ro): public
Community(rw): private
Traps
Cold start: Enable
Link up: Enable
Link down: Enable
Authentication: Enable
Locked address violation: Enable
Power supply failure: Enable
Fan failure: Enable
Temperature warning: Enable
STP new root: Enable
STP topology change: Enable
ospf: Enable
Total Trap-Receiver Entries: 4
Trap-Receiver IP Address Community
1 207.95.6.211
2 207.95.5.
Configuring your NMS
To use the SNMP version 3 features, do the following.
1. Make sure that your Network Manager System (NMS) supports SNMP version 3.
2. Configure your NMS agent with the necessary users.
3. Configure the SNMP version 3 features in Brocade devices.
Configuring SNMP version 3 on Brocade devices
Follow the steps given below to configure SNMP version 3 on Brocade devices.
1.
The variable consists of 11 octets, entered as hexadecimal values. There are two hexadecimal characters in each octet. There should be an even number of hexadecimal characters in an engine ID. The default engine ID has a maximum of 11 octets:
• Octets 1 through 4 represent the agent's SNMP management private enterprise number as assigned by the Internet Assigned Numbers Authority (IANA). The most significant bit of Octet 1 is "1".
The variable is the name of the view to which the SNMP group members have access. If no view is specified, then the group has no access to the MIB. The value of is defined using the snmp-server view command. The SNMP agent comes with the "all" default view, which provides access to the entire MIB; however, it must be specified when creating the group.
Defining SNMP views
NOTE
The ACL specified in a user account overrides the ACL assigned to the group to which the user is mapped. If no ACL is entered for the user account, then the ACL configured for the group will be used to filter packets.
The encrypted parameter means that the MD5 or SHA password will be a digest value. MD5 has 16 octets in the digest. SHA has 20. The digest string has to be entered as a hexadecimal string. In this case, the agent need not generate any explicit digest.
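The two checks above (the engine ID layout and the 16-octet MD5 / 20-octet SHA digest) can be exercised off-box. The following is an added example, not code from the guide or from Brocade: it validates an engine ID as the guide describes it and derives the RFC 3414 localized key, which is the standard way an SNMPv3 digest of those lengths is produced; that the device accepts exactly this form is an assumption, and the engine ID used in parse_engine_id's sample is constructed.

```python
"""Added example: SNMPv3 engine ID checks and RFC 3414 key localization."""
import hashlib

# RFC 3414 repeats the password out to exactly 1 MiB before hashing it.
PASSWORD_BUFFER_LEN = 1_048_576

# Digest lengths stated in the guide: MD5 = 16 octets, SHA = 20 octets.
DIGEST_OCTETS = {"md5": 16, "sha1": 20}


def parse_engine_id(hex_string: str, max_octets: int = 11) -> dict:
    """Validate an engine ID entered as hexadecimal and split out its fields.

    Rules taken from the guide: an even number of hex characters, at most
    max_octets octets (11 by default), and the most significant bit of
    octet 1 set to 1. Octets 1-4 carry the IANA private enterprise number;
    the MSB is a format flag, so it is masked off before decoding.
    The 5-octet minimum is the RFC 3411 lower bound (an assumption here).
    """
    if len(hex_string) % 2 != 0:
        raise ValueError("engine ID must have an even number of hex characters")
    raw = bytes.fromhex(hex_string)
    if not 5 <= len(raw) <= max_octets:
        raise ValueError(f"engine ID must be 5..{max_octets} octets, got {len(raw)}")
    if raw[0] & 0x80 == 0:
        raise ValueError("most significant bit of octet 1 must be 1")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    return {"octets": len(raw), "enterprise": enterprise, "remainder": raw[4:]}


def password_to_key(password: str, algorithm: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to fill 1,048,576 bytes)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    buf = (pw * (PASSWORD_BUFFER_LEN // len(pw) + 1))[:PASSWORD_BUFFER_LEN]
    return hashlib.new(algorithm, buf).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || engineID || Ku), tied to one agent."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_digest(password: str, engine_id_hex: str, algorithm: str) -> str:
    """Return the hex string that would be entered with the encrypted parameter.

    algorithm is 'md5' or 'sha1'. The result length is checked against the
    octet counts the guide gives for each algorithm.
    """
    if algorithm not in DIGEST_OCTETS:
        raise ValueError("algorithm must be 'md5' or 'sha1'")
    kul = localize_key(password_to_key(password, algorithm),
                       bytes.fromhex(engine_id_hex), algorithm)
    assert len(kul) == DIGEST_OCTETS[algorithm]
    return kul.hex()


if __name__ == "__main__":
    # Constructed engine ID: enterprise 1 with the format bit set, 9 octets.
    print(parse_engine_id("80000001017f000001"))
    # RFC 3414 A.3.1 test vector (engine ID of twelve octets, not a device value).
    print(localized_digest("maplesyrup", "000000000000000000000002", "md5"))
```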
SNMP version 3 traps
Brocade(config)#snmp-server view Maynes system included
Brocade(config)#snmp-server view Maynes system.2 excluded
Brocade(config)#snmp-server view Maynes 2.3.*.6 included
Brocade(config)#write mem
NOTE
The snmp-server view command supports the MIB objects as defined in RFC 1445.
Syntax: [no] snmp-server view included | excluded
The parameter can be any alphanumeric name you choose to identify the view. The names cannot contain spaces.
To configure an SNMP user group, first configure SNMP v3 views using the snmp-server view command. Refer to “SNMP v3 configuration examples” on page 436. Then enter a command such as the following.
NOTE
If the configured version is v2c, then the notification is sent out in SMIv2 format, using the community string, but in cleartext mode. To send the SMIv2 notification in SNMPv3 packet format, configure v3 with auth or privacy parameters, or both, by specifying a security name. The actual authorization and privacy values are obtained from the security name.
For SNMP version 2c, enter v2 and the name of the community string. This string is encrypted within the system.
SNMP v3 over IPv6
Some FastIron devices support IPv6 for SNMP version 3.
Restricting SNMP Access to an IPv6 Node
You can restrict SNMP access so that the Brocade device can only be accessed by the IPv6 host address that you specify. To do so, enter a command such as the following.
Brocade(config)#snmp-client ipv6 2001:efff:89::23
Syntax: snmp-client ipv6
The must be in hexadecimal format using 16-bit values between colons as documented in RFC 2373.
Displaying SNMP Information
Brocade#show snmp server
Contact:
Location:
Community(ro): .....
Traps
Warm/Cold start: Enable
Link up: Enable
Link down: Enable
Authentication: Enable
Locked address violation: Enable
Power supply failure: Enable
Fan failure: Enable
Temperature warning: Enable
STP new root: Enable
STP topology change: Enable
vsrp: Enable
Total Trap-Receiver Entries: 4
Trap-Receiver IP-Address Port-Number Community
1 192.147.201.100 162 .....
2 4000::200 162 ....
3 192.147.202.100
4 3000::200
Displaying SNMP groups
To display the definition of an SNMP group, enter a command such as the following.
Brocade#show snmp group
groupname = exceptifgrp
security model = v3
security level = authNoPriv
ACL id = 2
readview = exceptif
writeview =
Syntax: show snmp group
The value for security level can be one of the following.
Security level Authentication
If the security model shows v1 or v2, then security level is blank.
SNMP v3 configuration examples
Varbind object identifier Description
1.3.6.1.6.3.15.1.1.2.0: Not in time packet.
1.3.6.1.6.3.15.1.1.3.0: Unknown user name. This varbind may also be generated:
• If the configured ACL for this user filters out this packet.
• If the group associated with the user is unknown.
1.3.6.1.6.3.15.1.1.4.0: Unknown engine ID. The value of this varbind would be the correct authoritative engineID that should be used.
1.3.6.1.6.3.15.1.1.5.
Chapter 11 Foundry Discovery Protocol (FDP) and Cisco Discovery Protocol (CDP) Packets
Table 77 lists individual Brocade switches and the discovery protocols they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
FDP Overview
FDP configuration
The following sections describe how to enable Foundry Discovery Protocol (FDP) and how to change the FDP update and hold timers.
Enabling FDP globally
To enable a Brocade device to globally send FDP packets, enter the following command at the global CONFIG level of the CLI.
Brocade(config)# fdp run
Syntax: [no] fdp run
The feature is disabled by default.
To change the FDP update timer, enter a command such as the following at the global CONFIG level of the CLI.
Brocade(config)# fdp timer 120
Syntax: [no] fdp timer
The parameter specifies the number of seconds between updates and can be from 5 – 900 seconds. The default is 60 seconds.
Changing the FDP hold time
By default, a Brocade device that receives an FDP update holds the information until one of the following events occurs:
• The device receives a new update.
Brocade# show fdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
(*) indicates a CDP device
Device ID Local Int Holdtm Capability Platform Port ID
-------------- ------------ ------ ---------- ----------- ------------
FastIronB Eth 2/9 178 Router FastIron Rou Eth 2/9
Syntax: show fdp neighbor [ethernet ] [detail]
The ethernet parameter lists the information for updates received on the specified port.
TABLE 79 Detailed FDP and CDP neighbor information
Parameter Definition
Device ID: The hostname of the neighbor. In addition, this line lists the VLAN memberships and other VLAN information for the neighbor port that sent the update to this device.
Entry address(es): The Layer 3 protocol addresses configured on the neighbor port that sent the update to this device. If the neighbor is a Layer 2 Switch, this field lists the management IP address.
This example shows information for Ethernet port 2/3. The port sends FDP updates every 5 seconds. Neighbors that receive the updates can hold them for up to 180 seconds before discarding them.
Syntax: show fdp interface [ethernet ]
The ethernet parameter lists the information only for the specified interface.
Displaying FDP and CDP statistics
To display FDP and CDP packet statistics, enter the following command.
CDP packets
Cisco Discovery Protocol (CDP) packets are used by Cisco devices to advertise themselves to other Cisco devices. By default, Brocade devices forward these packets without examining their contents. You can configure a Brocade device to intercept and display the contents of CDP packets. This feature is useful for learning device and interface information for Cisco devices in the network. Brocade devices support intercepting and interpreting CDP version 1 and version 2 packets.
Displaying neighbors
To display the Cisco neighbors the Brocade device has learned from CDP packets, enter the show fdp neighbors command.
Displaying CDP entries
To display CDP entries for all neighbors, enter the show fdp entry command.
Brocade# show fdp entry *
Device ID: Router
Entry address(es):
IP address: 207.95.6.143
Platform: cisco RSP4, Capabilities: Router
Interface: Eth 1/1, Port ID (outgoing port): FastEthernet5/0/0
Holdtime : 124 seconds
Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-JSV-M), Version 12.0(5)T1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
To clear the Cisco neighbor information, enter the clear fdp table command.
Brocade# clear fdp table
Syntax: clear fdp table
To clear CDP statistics, enter the following command.
Chapter 12 LLDP and LLDP-MED Table 80 lists the individual Brocade FastIron switches and the Link Layer Discovery Protocol (LLDP) features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
LLDP terms used in this chapter The information generated by LLDP and LLDP-MED can be used to diagnose and troubleshoot misconfigurations on both sides of a link. For example, the information generated can be used to discover devices with misconfigured or unreachable IP addresses, and to detect port speed and duplex mismatches. LLDP and LLDP-MED facilitate interoperability across multiple vendor devices. Brocade devices running LLDP can interoperate with third-party devices running LLDP.
LLDP overview
LLDP enables a station attached to an IEEE 802 LAN/MAN to advertise its capabilities to, and to discover, other stations in the same 802 LAN segments. The information distributed by LLDP (the advertisement) is stored by the receiving device in a standard Management Information Base (MIB), accessible by a Network Management System (NMS) using a management protocol such as the Simple Network Management Protocol (SNMP).
LLDP-MED overview
Benefits of LLDP
LLDP provides the following benefits:
• Network Management:
• Simplifies the use of and enhances the ability of network management tools in multi-vendor environments
• Enables discovery of accurate physical network topologies such as which devices are neighbors and through which ports they connect
• Enables discovery of stations in multi-vendor environments
• Network Inventory Data:
• Supports optional system name, system description, system capabilities and management
FIGURE 35 LLDP-MED connectivity
[Figure: LLDP-MED Network Connectivity Devices (e.g., L2/L3 switch, bridge, etc.) provide IEEE 802 network access to LLDP-MED endpoints over the IP Network Infrastructure (IEEE 802 LAN). LLDP-MED Generic Endpoints (Class I) act as basic participants in LLDP-MED; example Class I device: Communications controller. LLDP-MED Media Endpoints (Class II) support IP media streams.]
General LLDP operating principles
LLDP-MED class
An LLDP-MED class specifies an Endpoint type and its capabilities. An Endpoint can belong to one of three LLDP-MED class types:
• Class 1 (Generic endpoint) – A Class 1 Endpoint requires basic LLDP discovery services, but neither supports IP media nor acts as an end-user communication appliance. A Class 1 Endpoint can be an IP communications controller, other communication-related server, or other device requiring basic LLDP discovery services.
An LLDP agent initiates the transmission of LLDP packets whenever the transmit countdown timing counter expires, or whenever LLDP information has changed. When a transmit cycle is initiated, the LLDP manager extracts the MIB objects and formats this information into TLVs. The TLVs are inserted into an LLDPDU, addressing parameters are prepended to the LLDPDU, and the information is sent out LLDP-enabled ports to adjacent LLDP-enabled devices.
TLV support
This section lists the LLDP and LLDP-MED TLV support.
LLDP TLVs
There are two types of LLDP TLVs, as specified in the IEEE 802.3AB standard:
• Basic management TLVs consist of both optional general system information TLVs as well as mandatory TLVs. Mandatory TLVs cannot be manually configured. They are always the first three TLVs in the LLDPDU, and are part of the packet header.
LLDP-MED TLVs
Brocade devices honor and send the following LLDP-MED TLVs, as defined in the TIA-1057 standard:
• LLDP-MED capabilities
• Network policy
• Location identification
• Extended power-via-MDI
Mandatory TLVs
When an LLDP agent transmits LLDP packets to other agents in the same 802 LAN segments, the following mandatory TLVs are always included:
• Chassis ID
• Port ID
• Time to Live (TTL)
This section describes the above TLVs in detail.
Port ID
The Port ID identifies the port from which LLDP packets were sent. There are several ways in which a port may be identified, as shown in Figure 82. A port ID subtype, included in the TLV, indicates how the port is being referenced in the Port ID field.
MIB support If the TTL field value is zero, the receiving LLDP agent is notified that all system information associated with the LLDP agent/port is to be deleted. This TLV may be used, for example, to signal that the sending port has initiated a port shutdown procedure. The LLDPDU format is shown in “LLDPDU packet format” on page 453. The TTL TLV format is shown below.
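The three mandatory TLVs and the TTL-zero deletion rule above can be exercised with the following added example (not code from the guide or from Brocade). It encodes an LLDPDU with the IEEE 802.1AB TLV layout (7-bit type, 9-bit length, value), computes the TTL as transmit interval times holdtime multiplier as the configuration section states, and on receipt reports whether the neighbor should be updated or deleted; the chassis MAC and port name in the sample are constructed.

```python
"""Added example: encode/decode the mandatory LLDP TLVs and honour TTL = 0."""
import struct

# TLV types from IEEE 802.1AB.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
CHASSIS_SUBTYPE_MAC = 4       # chassis identified by a MAC address
PORT_SUBTYPE_IFNAME = 5       # port identified by its interface name


def compute_ttl(transmit_interval: int, hold_multiplier: int) -> int:
    """TTL encoded in the header = transmit interval * holdtime multiplier.

    The guide allows a multiplier of 2..10; the TTL field is 16 bits wide.
    """
    if not 2 <= hold_multiplier <= 10:
        raise ValueError("holdtime multiplier must be 2..10")
    ttl = transmit_interval * hold_multiplier
    if not 0 <= ttl <= 0xFFFF:
        raise ValueError("TTL does not fit the 16-bit TTL field")
    return ttl


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """16-bit header: type in the top 7 bits, length in the low 9 bits."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value longer than 511 octets")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int) -> bytes:
    """Mandatory TLVs first, in the fixed order, then End of LLDPDU.

    A TTL of 0 is the shutdown/delete signal described in the guide.
    """
    return (encode_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
            + encode_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
            + encode_tlv(TLV_TTL, struct.pack("!H", ttl))
            + encode_tlv(TLV_END, b""))


def parse_lldpdu(data: bytes) -> dict:
    """Decode the TLV stream; raise ValueError on a malformed LLDPDU."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("LLDPDU ends without an End-of-LLDPDU TLV")
        header, = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        offset += 2 + length
        if tlv_type == TLV_END:
            break
        tlvs.append((tlv_type, value))
    # The receiver requires the three mandatory TLVs, in order, at the front.
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    chassis, port, ttl = tlvs[0][1], tlvs[1][1], tlvs[2][1]
    if len(ttl) != 2 or len(chassis) < 2 or len(port) < 2:
        raise ValueError("bad mandatory TLV length")
    return {
        "chassis_subtype": chassis[0],
        "chassis_id": chassis[1:].hex(":") if chassis[0] == CHASSIS_SUBTYPE_MAC
        else chassis[1:],
        "port_subtype": port[0],
        "port_id": port[1:].decode(errors="replace"),
        "ttl": struct.unpack("!H", ttl)[0],
        "extra_tlvs": len(tlvs) - 3,
    }


def classify_lldpdu(data: bytes) -> str:
    """'delete' when TTL is 0, 'update' for a live advertisement, else 'invalid'."""
    try:
        neighbor = parse_lldpdu(data)
    except ValueError:
        return "invalid"
    return "delete" if neighbor["ttl"] == 0 else "update"


if __name__ == "__main__":
    mac = bytes.fromhex("0000aabbccdd")              # constructed chassis MAC
    pdu = build_lldpdu(mac, "Eth 2/9", compute_ttl(30, 4))
    print(parse_lldpdu(pdu), classify_lldpdu(pdu))   # ttl 120, 'update'
    print(classify_lldpdu(build_lldpdu(mac, "Eth 2/9", 0)))  # 'delete'
```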
LLDP configuration
This section describes how to enable and configure LLDP. Table 83 lists the LLDP global-level tasks and the default behavior/value for each task.
Enabling and disabling LLDP
LLDP is enabled by default on individual ports. However, to run LLDP, you must first enable it on a global basis (on the entire device). To enable LLDP globally, enter the following command at the global CONFIG level of the CLI.
Brocade(config)#lldp run
Syntax: [no] lldp run
Enabling support for tagged LLDP packets
By default, Brocade devices do not accept tagged LLDP packets from other vendors’ devices.
Syntax: [no] lldp enable ports ethernet | all
Use the [no] form of the command to disable the receipt and transmission of LLDP packets on a port.
You can list all of the ports individually, use the to keyword to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
Enabling and Disabling Transmit Only Mode
When LLDP is enabled on a global basis, by default, each port on the Brocade device will be capable of transmitting and receiving LLDP packets.
Maximum number of LLDP neighbors
You can change the limit of the number of LLDP neighbors for which LLDP data will be retained, per device as well as per port.
Specifying the maximum number of LLDP neighbors per device
You can change the maximum number of neighbors for which LLDP data will be retained for the entire system. For example, to change the maximum number of LLDP neighbors for the entire device to 26, enter the following command.
LLDP SNMP notifications and corresponding Syslog messages are disabled by default. To enable them, enter a command such as the following at the Global CONFIG level of the CLI.
Brocade(config)#lldp enable snmp notifications ports e 4/2 to 4/6
The above command enables SNMP notifications and corresponding Syslog messages on ports 4/2 through 4/6. By default, the device will send no more than one SNMP notification and Syslog message within a five second period.
NOTE
The LLDP transmit delay timer must not be greater than one quarter of the LLDP transmission interval (CLI command lldp transmit-interval).
The LLDP transmit delay timer prevents an LLDP agent from transmitting a series of successive LLDP frames during a short time period, when rapid changes occur in LLDP. It also increases the probability that multiple changes, rather than single changes, will be reported in each LLDP frame.
To compute the TTL value, the system multiplies the LLDP transmit interval by the holdtime multiplier. For example, if the LLDP transmit interval is 30 and the holdtime multiplier for TTL is 4, then the value 120 is encoded in the TTL field in the LLDP header. To change the holdtime multiplier, enter a command such as the following at the Global CONFIG level of the CLI.
Brocade(config)#lldp transmit-hold 6
Syntax: [no] lldp transmit-hold
where is a number from 2 to 10.
• Link aggregation information
• MAC/PHY configuration and status
• Maximum frame size
• Power-via-MDI information (not automatically advertised)
The above TLVs are described in detail in the following sections.
NOTE
The system description, VLAN name, and power-via-MDI information TLVs are not automatically enabled. The following sections show how to enable these advertisements.
Brocade(config)#lldp advertise management-address ipv4 209.157.2.1 ports e 1/4
The management address will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info):
Management address (IPv4): 209.157.2.
System capabilities
The system capabilities TLV identifies the primary functions of the device and indicates whether these primary functions are enabled.
Brocade(config)#lldp advertise system-description ports e 2/4 to 2/12
The system description will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info).
+ System description : "Brocade Communications, Inc.,FESX424-PREM-PoE, IronWare Version 04.0.
You can list all of the ports individually, use the to keyword to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
The untagged VLAN ID will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info).
• FWS, FCX, and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• FESX compact switches – portnum
You can list all of the ports individually, use the to keyword to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
You can list all of the ports individually, use the to keyword to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
LLDP-MED configuration
• Power class – Indicates the range of power that the connected powered device has negotiated or requested.
NOTE
The power-via-MDI TLV described in this section applies to LLDP. There is also a power-via-MDI TLV for LLDP-MED devices, which provides extensive POE information. Refer to “Extended power-via-MDI information” on page 486.
To advertise the power-via-MDI information, enter a command such as the following.
TABLE 84 LLDP-MED configuration tasks and default behavior / value
Task Default behavior / value
Changing the Fast Start Repeat Count: The system automatically sets the fast start repeat count to 3 when a Network Connectivity Device receives an LLDP packet from an Endpoint that is newly connected to the network.
NOTE: The LLDP-MED fast start mechanism is only intended to run on links between Network Connectivity devices and Endpoint devices.
• FESX compact switches – portnum
You can list all of the ports individually, use the to keyword to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.
The above location ID formats are defined in the following sections.
Coordinate-based location
Coordinate-based location is based on the IETF RFC 3825 [6] standard, which specifies a Dynamic Host Configuration Protocol (DHCP) option for the coordinate-based geographic location of a client.
• wgs84 – (geographical 3D) – World Geodesic System 1984, CRS Code 4327, Prime Meridian Name: Greenwich
• nad83-navd88 – North American Datum 1983, CRS Code 4269, Prime Meridian Name: Greenwich; the associated vertical datum is the North American Vertical Datum of 1988 (NAVD88). Use this datum when referencing locations on land. If land is near tidal water, use nad83-mllw (below).
Configuring civic address location
When you configure a media Endpoint location using the address-based location, you specify the location the entry refers to, the country code, and the elements that describe the civic or postal address. To configure a civic address-based location for LLDP-MED, enter commands such as the following at the Global CONFIG level of the CLI.
TABLE 85 Elements used with civic address
Civic Address (CA) type Description Acceptable values / examples
0 Language: The ISO 639 language code used for presenting the address information.
TABLE 85 Elements used with civic address (Continued)
Civic Address (CA) type Description Acceptable values / examples
20 House number suffix: A modifier to the house number. It does not include parts of the house number. Example: A, 1/2
21 Landmark or vanity address: A string name for a location. It conveys a common local designation of a structure, a group of buildings, or a place that helps to locate the place.
TABLE 85 Elements used with civic address (Continued)
Civic Address (CA) type Description Acceptable values / examples
128 Script: The script (from ISO 15924 [14]) used to present the address information.
• FWS, FCX and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• FESX compact switches – portnum
You can list all of the ports individually, use the to keyword to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
LLDP-MED network policy configuration syntax
The CLI syntax for defining an LLDP-MED network policy differs for tagged, untagged, and priority tagged traffic. Refer to the appropriate syntax, below.
LLDP-MED attributes advertised by the Brocade device
• voice-signaling – For use in network topologies that require a different policy for voice signaling than for voice media. Note that this application type should not be advertised if all the same network policies apply as those advertised in the voice policy TLV.
• tagged vlan specifies the tagged VLAN that the specified application type will use.
• untagged indicates that the device is using an untagged frame format.
The LLDP-MED capabilities advertisement includes the following information:
• The supported LLDP-MED TLVs
• The device type (Network Connectivity device or Endpoint (Class 1, 2, or 3))
By default, LLDP-MED information is automatically advertised when LLDP-MED is enabled. To disable this advertisement, enter a command such as the following.
LLDP-MED attributes advertised by the Brocade device • Power sourcing device/equipment (PSE) – This is the source of the power, or the device that integrates the power onto the network. Power sourcing devices/equipment have embedded POE technology. In this case, the power sourcing device is the Brocade POE device. • Powered device (PD) – This is the Ethernet device that requires power and is situated on the other end of the cable opposite the power sourcing device.
Brocade(config)#no lldp advertise med-power-via-mdi ports e 2/4 to 2/12
The LLDP-MED power-via-MDI advertisement will appear similar to the following on the remote device, and in the CLI display output on the Brocade device (show lldp local-info).
+ MED Extended Power via MDI
    Power Type     : PSE device
    Power Source   : Unknown Power Source
    Power Priority : Low (3)
    Power Value    : 6.

Brocade#show lldp
LLDP transmit interval            : 10 seconds
LLDP transmit hold multiplier     : 4 (transmit TTL: 40 seconds)
LLDP transmit delay               : 1 seconds
LLDP SNMP notification interval   : 5 seconds
LLDP reinitialize delay           : 1 seconds
LLDP-MED fast start repeat count  : 3
LLDP maximum neighbors            : 392
LLDP maximum neighbors per port   : 4
Syntax: show lldp
The following table describes the information displayed by the show lldp statistics command.

Brocade#show lldp statistics
Last neighbor change time: 23 hours 50 minutes 40 seconds ago
Neighbor entries added          : 14
Neighbor entries deleted        : 5
Neighbor entries aged out       : 4
Neighbor advertisements dropped : 0
Port  Tx Pkts Total  Rx Pkts Total  Rx Pkts w/Errors  Rx Pkts Discarded  Rx TLVs Unrecognz  Rx TLVs Discarded  Neighbors Aged
1     60963          75179
2     0              0
3     60963          60963
4     60963          121925
5     0              0
6     0              0
7     0              0
8     0              0
9     0              0
10    60974          0
11    0              0
12    0              0
13    0              0
14    0              0
Field – Description
Rx Pkts w/Errors – The number of LLDP packets the port received that have one or more detectable errors.
Rx Pkts Discarded – The number of LLDP packets the port received then discarded.
Rx TLVs Unrecognz – The number of TLVs the port received that were not recognized by the LLDP local agent. Unrecognized TLVs are retained by the system and can be viewed in the output of the show lldp neighbors detail command or retrieved through SNMP.

Displaying LLDP neighbors detail
The show lldp neighbors detail command displays the LLDP advertisements received from LLDP neighbors. The following shows an example show lldp neighbors detail report.
NOTE
The show lldp neighbors detail output will vary depending on the data received. Also, values that are not recognized or do not have a recognizable format may be displayed in hexadecimal binary form.

Field – Description
Neighbor – The source MAC address from which the packet was received, and the remaining TTL for the neighbor entry.
Syntax: show lldp neighbors detail [ports ethernet <port-list> | all]
If you do not specify any ports or use the keyword all, by default, the report will show the LLDP neighbor details for all ports.

    VLAN ID              : 99
    L2 Priority          : 3
    DSCP Value           : 22
  + MED Network Policy
    Application Type     : Video Conferencing
    Policy Flags         : Known Policy, Tagged
    VLAN ID              : 100
    L2 Priority          : 5
    DSCP Value           : 10
  + MED Location ID
    Data Format: Coordinate-based location
    Latitude Resolution  : 20 bits
    Latitude Value       : -78.303 degrees
    Longitude Resolution : 18 bits
    Longitude Value      : 34.27 degrees
    Altitude Resolution  : 16 bits
    Altitude Value       : 50.
Resetting LLDP statistics
If you do not specify any ports or use the keyword all, by default, the report will show the local information advertisements for all ports. For port-list, specify the ports in one of the following formats:
• FWS, FCX and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• FESX compact switches – portnum
You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both.

Clearing cached LLDP neighbor information
• FWS, FCX and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• FESX compact switches – portnum
You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.
Chapter 13 Hardware Component Monitoring
Table 87 lists the individual Brocade FastIron switches and the hardware monitoring features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images.
Virtual cable testing

Virtual cable testing command syntax
To diagnose a cable using TDR, enter commands such as the following at the Privileged EXEC level of the CLI.
Brocade#phy cable-diag tdr 1
The above command diagnoses the cable attached to port 1. When you issue the phy cable-diag command, the command brings the port down for a second or two, then immediately brings the port back up.

FIGURE 39 T568A pin/pair assignment
[Figure: straight-through wiring between a PC and a hub on an RJ-45 jack (T568A standard). Pairs: Pair 1 Blue, Pair 2 Orange, Pair 3 Green, Pair 4 Brown. Pins 1 and 2 carry TX+/TX- on the PC side and RX+/RX- on the hub side; pins 3 and 6 carry RX+/RX- on the PC side and TX+/TX- on the hub side; pins 4, 5, 7 and 8 are wired straight through.]
Syntax: show cable-diag tdr <port>
Specify the port variable in one of the following formats:
• FWS, FCX, and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• ICX devices – slotnum/portnum
• FESX compact switches – portnum
Digital optical monitoring
You can configure your Brocade device to monitor optical transceivers in the system, either globally or by specified ports. When this feature is enabled, the system will monitor the temperature and signal power levels for the optical transceivers in the specified ports. Console messages and Syslog messages are sent when optical operating conditions fall below or rise above the XFP, SFP, and SFP+ manufacturer recommended thresholds.

Displaying information about installed media
Use the show media, show media slot, and show media ethernet commands to obtain information about the media devices installed per device, per slot, and per port. The results displayed from these commands provide the Type, Vendor, Part number, Version and Serial number of the SFP, SFP+, or XFP optical device installed in the port. If there is no SFP, SFP+, or XFP optical device installed in a port, the “Type” field will display “EMPTY”.

Port 1/8:   Vendor: Brocade Communications, Inc.  Version:
            Part# : FTLF1323P1BTR-FD                Serial#: UCT000T
Port 1/9:   Type  : EMPTY
Port 1/10:  Type  : 100M M-FX-LR(SFP)
            Vendor: Brocade Communications, Inc.  Version:
            Part# : FTLF1323P1BTL-FD                Serial#: UD3085J
Port 1/11:  Type  : EMPTY
Port 1/12:  Type  : 100M M-FX-SR(SFP)
            Vendor: Brocade Communications, Inc.
Port 1/13:

Use the show optic slot command on a FastIron X Series chassis to view information about all qualified XFPs, SFPs, and SFP+ in a particular slot. The following shows example output.
Brocade>show optic slot 4
Port  Temperature   Tx Power       Rx Power       Tx Bias Current
+----+-----------+----------+------------+-------------------+
4/1   30.8242 C     -001.8822 dBm  -002.5908 dBm  41.790 mA
      Normal        Normal         Normal         Normal
4/2   31.7070 C     -001.4116 dBm  -006.4092 dBm  41.

TABLE 91 Alarm status value description
Status value – Description
Low-Alarm – Monitored level has dropped below the "low-alarm" threshold set by the manufacturer of the optical transceiver.
Low-Warn – Monitored level has dropped below the "low-warn" threshold set by the manufacturer of the optical transceiver.
Normal – Monitored level is within the "normal" range set by the manufacturer of the optical transceiver.

For Temperature, Supply Voltage, TX Bias, TX Power, and RX Power, values are displayed for each of the following four alarm and warning settings: High alarm, Low alarm, High warning, and Low warning. The hexadecimal values are the manufacturer internal calibrations, as defined in the SFF-8472 standard. The other values indicate at what level (above the high setting or below the low setting) the system should send a warning message or an alarm.
Chapter 14 Syslog
Table 92 lists individual Brocade switches and the Syslog features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
About Syslog messages
Brocade software can write syslog messages to provide information at the following severity levels:
• Emergencies
• Alerts
• Critical
• Errors
• Warnings
• Notifications
• Informational
• Debugging
The device writes the messages to a local buffer. You also can specify the IP address or host name of up to six Syslog servers. When you specify a Syslog server, the Brocade device writes the messages both to the system log and to the Syslog server.

Displaying Syslog messages
Dynamic Log Buffer (50 entries):
Dec 15 18:46:17:I:Interface ethernet 4, state up
Dec 15 18:45:21:I:Bridge topology change, vlan 4095, interface 4, changed state to forwarding
Dec 15 18:45:15:I:Warm start
For information about the Syslog configuration information, time stamps, and dynamic and static buffers, refer to “Displaying the Syslog configuration” on page 510.
Displaying real-time Syslog messages
Any terminal logged on to a Brocade switch can receive real-time Syslog messages when the terminal monitor command is issued.

Syslog service configuration
The procedures in this section describe how to perform the following Syslog configuration tasks:
• Specify a Syslog server. You can configure the Brocade device to use up to six Syslog servers. (Use of a Syslog server is optional.

TABLE 93 CLI display of Syslog buffer configuration
Field – Definition
Syslog logging – The state (enabled or disabled) of the Syslog buffer.
messages dropped – The number of Syslog messages dropped due to user-configured filters. By default, the software logs messages for all Syslog levels. You can disable individual Syslog levels, in which case the software filters out messages at those levels. Refer to “Disabling logging of a message level” on page 515.

Brocade#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dec 15 19:00:14:A:Fan 2, fan on left connector, failed
Dynamic Log Buffer (50 entries):
Dec 15 18:46:17:I:Interface ethernet 4, state up
Dec 15 18:45:21:I:Bridge to

• If you have not set the time and date on the onboard system clock, the time stamp shows the amount of time that has passed since the device was booted, in the following format.
<num>d<num>h<num>m<num>s
where
• d – day
• h – hours
• m – minutes
• s – seconds
For example, “188d1h01m00s” means the device had been running for 188 days, 11 hours, one minute, and zero seconds when the Syslog entry with this time stamp was generated.

Brocade#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 38 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dynamic Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)
19d07h03m30s:warning:list 101 denied tcp 209.157.22.
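The buffer entries shown in these show logging outputs come in three shapes: a date stamp with a one-letter level code, an uptime stamp with the level spelled out, and an uptime stamp with a letter code. The Python below is an added example for this page, not Brocade code: it normalizes all three shapes using the level legend printed by show logging and the dhms uptime format described above, skips buffer header lines, and totals the ACL deny events per ACL, source and destination, which is the count a defender reviewing this buffer actually wants. The sample buffer is constructed (modelled on the lines above), and the regular expressions are my reading of the formats, not a documented grammar.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity legend exactly as printed in the "level code:" line of show logging.
LEVEL_CODES = {
    "A": "alert", "C": "critical", "D": "debugging", "M": "emergency",
    "E": "error", "I": "informational", "N": "notification", "W": "warning",
}

# <timestamp>:<level>:<message>. The timestamp is "Dec 15 19:04:14" when the
# clock is set or "21d07h02m40s" (uptime since boot) when it is not; the level
# is a one-letter code or a spelled-out level name. (Pattern is an assumption.)
ENTRY_RE = re.compile(
    r"^(?P<ts>\d+d\d+h\d+m\d+s|[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
    r":(?P<level>[A-Z]|[a-z]+):(?P<msg>.*)$"
)
UPTIME_RE = re.compile(r"^(\d+)d(\d+)h(\d+)m(\d+)s$")

# ACL deny body, e.g. "list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed)
# -> 198.99.4.69(http), 1 event(s)". Field names are mine.
ACL_DENY_RE = re.compile(
    r"^list (?P<acl>\d+) denied (?P<proto>\w+) (?P<src>\S+?)\((?P<sport>[^)]*)\)"
    r"\((?P<iface>[^)]*)\) -> (?P<dst>\S+?)\((?P<dport>[^)]*)\), (?P<count>\d+) event\(s\)$"
)


@dataclass
class SyslogEntry:
    timestamp: str
    level: str                     # normalized level name, e.g. "warning"
    message: str
    uptime_seconds: Optional[int]  # only for dhms stamps; None when the clock was set


def uptime_to_seconds(stamp: str) -> Optional[int]:
    """Convert a dhms uptime stamp to seconds since boot; None for date stamps."""
    m = UPTIME_RE.match(stamp)
    if not m:
        return None
    d, h, mi, s = (int(x) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def parse_syslog(text: str) -> Tuple[List[SyslogEntry], List[str]]:
    """Parse buffer text into entries; lines that are not entries (buffer headers,
    truncated or foreign lines) are returned separately instead of being dropped."""
    entries: List[SyslogEntry] = []
    unparsed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        lvl = m.group("level")
        if len(lvl) == 1:
            if lvl not in LEVEL_CODES:   # letter outside the printed legend
                unparsed.append(line)
                continue
            level = LEVEL_CODES[lvl]
        else:
            level = lvl.lower()
        ts = m.group("ts")
        entries.append(SyslogEntry(ts, level, m.group("msg"), uptime_to_seconds(ts)))
    return entries, unparsed


def acl_deny_summary(entries: List[SyslogEntry]) -> Dict[Tuple[str, str, str], int]:
    """Total denied-packet events per (ACL number, source IP, destination IP),
    summing the 'N event(s)' count that the device already aggregates per line."""
    totals: Dict[Tuple[str, str, str], int] = {}
    for e in entries:
        m = ACL_DENY_RE.match(e.message)
        if not m:
            continue
        key = (m.group("acl"), m.group("src"), m.group("dst"))
        totals[key] = totals.get(key, 0) + int(m.group("count"))
    return totals


# Constructed sample modelled on the show logging outputs above (not captured from a device).
SAMPLE_LOG = """\
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dec 15 18:46:17:I:Interface ethernet 4, state up
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)
21d07h01m10s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(ssh), 3 event(s)
0d00h00m08s:I:System: Warm start
Dynamic Log Buffer (50 entries):
"""

if __name__ == "__main__":
    parsed, skipped = parse_syslog(SAMPLE_LOG)
    for entry in parsed:
        print(f"{entry.timestamp:>16} {entry.level:<13} {entry.message}")
    print("ACL deny totals:", acl_deny_summary(parsed))
    print("Skipped:", skipped)
```

Uptime stamps cannot be correlated with other systems' clocks, so a collector that receives them needs the device's boot time to place them on a timeline; the parser keeps the raw stamp and the derived seconds for that reason.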
Disabling logging of a message level
To change the message level, disable logging of specific message levels. You must disable the message levels on an individual basis. For example, to disable logging of debugging and informational messages, enter the following commands.

Changing the log facility
The Syslog daemon on the Syslog server uses a facility to determine where to log the messages from the Brocade device. The default facility for messages the Brocade device sends to the Syslog server is “user”. You can change the facility using the following command.
NOTE
You can specify only one facility. If you configure the Brocade device to use two Syslog servers, the device uses the same facility on both servers.

Displaying interface names in Syslog messages
By default, an interface slot number (if applicable) and port number are displayed when you display Syslog messages. If you want to display the name of the interface instead of its number, enter the following command:
FastIron(config)# ip show-portname
This command is applied globally to all interfaces on Layer 2 Switches and Layer 3 Switches.

Retaining Syslog messages after a soft reboot
You can configure the device to save the System log (Syslog) after a soft reboot (reload command).
Syslog reboot configuration considerations
• If the Syslog buffer size was set to a different value using the CLI command logging buffered, the System log will be cleared after a soft reboot, even when this feature (logging persistence) is in effect.

Brocade#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Dynamic Log Buffer (50 lines):
0d00h00m27s:I:System: Interface ethernet mgmt1, state up
0d00h00m26s:N:powered On switch Fabric
0d00h00m17s:N:powered On switch Fabric
0d00h00m08s:I:System: Warm start
0d00h00m08s:I:SNMP: read-only community
Chapter 15 Network Monitoring
Table 94 lists the individual FastIron switches and the network monitoring features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Basic system management
Brocade#show version
==========================================================================
  Active Management CPU [Slot-9]:
    SW: Version 04.3.00b17T3e3 Copyright (c) 1996-2008 Brocade Communications, Inc.
      Compiled on Sep 25 2008 at 04:09:20 labeled as SXR04300b17
      (4031365 bytes) from Secondary sxr04300b17.bin
    BootROM: Version 04.0.

To determine the available show commands for the system or a specific level of the CLI, enter the following command.
Brocade#show ?
Syntax: show

TABLE 95 Port statistics
Parameter – Description
Port configuration
Port – The port number.
Link – The link state.
State – The STP state.
Dupl – The mode (full-duplex or half-duplex).
Speed – The port speed (10M, 100M, or 1000M).
Trunk – The trunk group number, if the port is a member of a trunk group.
Tag – Whether the port is a tagged member of a VLAN.
Priori – The QoS forwarding priority of the port (level0 – level7).
MAC – The MAC address of the port.

TABLE 95 Port statistics (Continued)
Parameter – Description
CRC – The total number of packets received for which all of the following was true:
• The data length was between 64 bytes and the maximum allowable frame size.
• No Collision or Late Collision was detected.
• The CRC was invalid.
Collisions – The total number of packets received in which a Collision event was detected.
InErrors – The total number of packets received that had Alignment errors or phy errors.

Clearing statistics
You can clear statistics for many parameters using the clear command. To determine the available clear commands for the system, enter the clear command at the Privileged EXEC level of the CLI.
Brocade#clear ?
Syntax: clear
• Unknown unicast and unregistered multicast packets are filtered.

Traffic counters configuration syntax
This section provides the syntax and configuration examples for enhanced traffic counters.
Example
To configure traffic counters for outbound traffic on a specific port, enter a command such as the following.
Brocade(config)#transmit-counter 4 port 18 only vlan 1 prio 7 enable
The above command creates and enables traffic counter 4 on port 18.

Displaying enhanced traffic counter statistics
To display the traffic counters for outbound traffic, enter the show transmit-counter profiles command.
NOTE
Once the enhanced traffic counters are displayed, the counters are cleared (reset to zero).
The following shows an example output.

TABLE 96 Outbound traffic counter statistics (Continued)
This line... – Displays...
Bridge Egress Filtered – The number of bridged outbound packets that were filtered and dropped. This number includes the number of packets that were dropped because of any one of the following conditions:
• The port was disabled or the link was down.
• The port or port region does not belong to the VLAN specified in the transmit counter configuration.
• A Layer 2 protocol (e.g.

Viewing egress queue counters on FCX devices
The show interface command displays the number of packets on a port that were queued for each QoS priority (traffic class) and dropped because of congestion.
NOTE
These counters do not include traffic on management ports or for a stack member unit that is down.
The egress queue counters display at the end of the show interface command output as shown in the following example.
TABLE 97 Egress queue statistics
Parameter – Description
Queue counters – The QoS traffic class.
Queued packets – The number of packets queued on the port for the given traffic class.
Dropped packets – The number of packets for the given traffic class that were dropped because of congestion.

Clearing the egress queue counters
You can clear egress queue statistics (reset them to zero), using the clear statistics and clear statistics ethernet command.

RMON support
where the value can be:
• 1536 – 32768 for FSX 800 and FSX 1600 devices
• 128 – 32768 for FESX devices

Statistics (RMON group 1)
Count information on multicast and broadcast packets, total packets sent, undersized and oversized packets, CRC alignment errors, jabbers, collision, fragments and dropped events is collected for each port on a Brocade Layer 2 Switch or Layer 3 Switch. The statistics group collects statistics on promiscuous traffic across an interface.

TABLE 98 Export configuration and statistics
Parameter – Definition
Octets – The total number of octets of data received on the network. This number includes octets in bad packets. This number does not include framing bits but does include Frame Check Sequence (FCS) octets.
Drop events – Indicates an overrun at the port. The port logic could not receive the traffic at full line rate and had to drop some packets as a result.

TABLE 98 Export configuration and statistics (Continued)
Parameter – Definition
65 to 127 octets pkts – The total number of packets received that were 65 – 127 octets long. This number includes bad packets. This number does not include framing bits but does include FCS octets.
128 to 255 octets pkts – The total number of packets received that were 128 – 255 octets long. This number includes bad packets. This number does not include framing bits but does include FCS octets.
An alarm event is reported each time that a threshold is exceeded. The alarm entry also indicates the action (event) to be taken if the threshold is exceeded. A sample CLI alarm entry and its syntax is shown below.
Brocade(config)#rmon alarm 1 ifInOctets.6 10 delta rising-threshold 100 1 falling-threshold 50 1 owner nyc02
Syntax: rmon alarm
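To make the alarm mechanics concrete, the following Python is an added example (not Brocade code) that models an RMON alarm row with the same fields as the rmon alarm command above: a delta sample is the difference between consecutive polls of the monitored counter (the modulo 2^32 wrap handling assumes a Counter32 such as ifInOctets), and the row applies the RFC 2819 rule that after a rising event no further rising event fires until the value has reached the falling threshold, so a counter hovering around the rising threshold cannot flood the event log. The startup behaviour follows RFC 2819's alarmStartupAlarm and defaults to risingOrFalling. The polled counter values are constructed inputs.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER32_MODULUS = 2 ** 32  # assumption: monitored variable is a Counter32 (e.g. ifInOctets)

Event = Tuple[str, int, int]  # (direction, RMON event index to run, sampled value)


@dataclass
class RmonAlarm:
    """One RMON alarm row. Positional fields mirror the CLI example:
    rmon alarm 1 ifInOctets.6 10 delta rising-threshold 100 1 falling-threshold 50 1 owner nyc02"""
    index: int
    variable: str
    interval: int            # seconds between samples (informational here; caller drives polling)
    sample_type: str         # "delta" or "absolute"
    rising_threshold: int
    rising_event: int        # event index run when the rising threshold is crossed
    falling_threshold: int
    falling_event: int
    owner: str
    startup: str = "risingOrFalling"   # RFC 2819 alarmStartupAlarm; also "rising" or "falling"
    _prev: Optional[int] = field(default=None, repr=False)
    _rising_armed: bool = field(default=True, repr=False)
    _falling_armed: bool = field(default=True, repr=False)
    _first: bool = field(default=True, repr=False)

    def sample(self, raw: int) -> Optional[Event]:
        """Feed one polled counter value; return the event to run, or None."""
        if self.sample_type == "delta":
            if self._prev is None:          # a delta needs two polls
                self._prev = raw
                return None
            value = (raw - self._prev) % COUNTER32_MODULUS   # wrap-safe difference
            self._prev = raw
        else:
            value = raw
        first, self._first = self._first, False
        event: Optional[Event] = None
        if value >= self.rising_threshold and self._rising_armed:
            # Rising crossing: disarm rising until the falling threshold is reached.
            self._rising_armed, self._falling_armed = False, True
            if not first or self.startup in ("rising", "risingOrFalling"):
                event = ("rising", self.rising_event, value)
        elif value <= self.falling_threshold and self._falling_armed:
            # Falling crossing: re-arm rising, disarm falling.
            self._falling_armed, self._rising_armed = False, True
            if not first or self.startup in ("falling", "risingOrFalling"):
                event = ("falling", self.falling_event, value)
        return event


def run_alarm(alarm: RmonAlarm, polled: List[int]) -> List[Tuple[int, str, int, int]]:
    """Replay a series of polled counter values; return (poll index, direction, event, value)."""
    fired = []
    for i, raw in enumerate(polled):
        ev = alarm.sample(raw)
        if ev is not None:
            fired.append((i, *ev))
    return fired


if __name__ == "__main__":
    alarm = RmonAlarm(1, "ifInOctets.6", 10, "delta", 100, 1, 50, 1, "nyc02")
    # Constructed ifInOctets readings taken every 10 seconds.
    # Deltas: 80, 170, 50, 30, 190, 40 -> rising, falling, (suppressed), rising, falling
    for hit in run_alarm(alarm, [0, 80, 250, 300, 330, 520, 560]):
        print("poll %d: %s threshold crossed, run event %d (delta %d)" % hit)
```

The suppressed sample (delta 30, still below the falling threshold after a falling event already fired) is the case that matters operationally: without the re-arm rule a collector would receive an event on every interval while traffic stays low.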
sFlow
On FWS and FCX Series devices, you can use QoS queue 1 for priority traffic, even when sFlow is enabled on the port. This differs from FastIron X Series devices, which support seven priorities instead of eight when sFlow is enabled. In this case, QoS queue 1 is reserved for sFlow and is not used by other packets. Any non-sFlow packets assigned to QoS queue 1 will be directed to QoS queue 0.

sFlow version 5
sFlow version 5 enhances and modifies the format of the data sent to the sFlow collector.

Extended gateway information
If BGP is enabled, extended gateway information is included in IPv6 sFlow sampled packets, including the following BGP information about a packet destination route:
• The autonomous system (AS) number for the router
• The source IP AS of the route
• The source peer AS for the route
• The AS path to the destination
NOTE
AS communities and local preferences are not included in the sampled packets.

• On a Layer 2 Switch, agent_address is the Layer 2 Switch management IP address. You must configure the management IP address in order to export sFlow data from the device. If the switch has both an IPv4 and IPv6 address, the agent_address is the IPv4 address. If the switch has an IPv6 address only, the agent_address is the global IPv6 address.

• FastIron X Series devices support port monitoring and sFlow together on the same device. The caveat is that these features cannot be configured together within the same port region on non-third generation modules. The following third-generation SX modules support sFlow and mirroring on the same port:
- SX-FI48GPP
- SX-FI-24GPP
- SX-FI-24HF
- SX-FI-2XG
- SX-FI-8XG

Configuring and enabling sFlow
NOTE
The commands in this section apply to sFlow version 2 and sFlow version 5.
Syntax: [no] sflow destination <ip-addr> [<dest-udp-port>]
The <ip-addr> parameter specifies the IP address of the collector. The <dest-udp-port> parameter specifies the UDP port on which the sFlow collector will be listening for exported sFlow data. The default port number is 6343.
The sampled sFlow data sent to the collectors includes an agent_address field. This field identifies the device that sent the data. Refer to “sFlow and source address” on page 537.

Specifying an sFlow collector on IPv6 devices
To specify an sFlow collector on an IPv6 device, enter a command such as the following.
Brocade(config)#sflow destination ipv6 2003:0:0::0b:02a
This command specifies a collector with IPv6 address 2003:0::0b:02a, listening for sFlow data on UDP port 6343.
Syntax: [no] sflow destination ipv6 <ipv6-addr> [<dest-udp-port>]
The <ipv6-addr> parameter specifies the IP address of the collector.

Configuration considerations
The sampling rate is a fraction in the form 1/N, meaning that, on average, one out of every N packets will be sampled. The sflow sample command at the global level or port level specifies N, the denominator of the fraction. Thus a higher number for the denominator means a lower sampling rate since fewer packets are sampled. Likewise, a lower number for the denominator means a higher sampling rate because more packets are sampled.

When you enable sFlow on a port, the port's sampling rate is set to the global default sampling rate. This also applies to ports on which you disable and then re-enable sFlow. The port does not retain the sampling rate it had when you disabled sFlow on the port, even if you had explicitly set the sampling rate on the port.

Changing the default sampling rate
To change the default (global) sampling rate, enter a command such as the following at the global CONFIG level of the CLI.

To change the sampling rate on an individual port, enter a command such as the following at the configuration level for the port.
Brocade(config-if-1/1)#sflow sample 8192
Syntax: [no] sflow sample <num>
The <num> parameter specifies the average number of packets from which each sample will be taken. The software rounds the value you enter up to the next odd power of 2. The actual sampling rate becomes one of the values listed in “Changing the default sampling rate”.
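Because the device rounds the requested denominator up, the rate you configure is not always the rate you get; a request of 4096, for instance, is an even power of 2 and becomes 8192, halving the sample volume. The Python below is an added example (not Brocade code) that applies the rounding rule stated above, reports the resulting sample load for a given packet rate, and picks the denominator that keeps the sample stream under a collector's per-second budget. The odd-power-of-2 list is derived from the rule; the packet rates and budget are constructed inputs.

```python
import math
from typing import Dict


def effective_sflow_rate(requested: int) -> int:
    """Denominator N the device actually uses: the requested value rounded up to the
    next odd power of 2 (2, 8, 32, 128, 512, 2048, 8192, 32768, ...)."""
    if requested < 1:
        raise ValueError("sampling denominator must be >= 1")
    k = 1
    while (1 << k) < requested:
        k += 2                       # only odd exponents are valid
    return 1 << k


def sampling_plan(requested: int, packets_per_second: float) -> Dict[str, float]:
    """Expected sample load on a port once the device has rounded the rate."""
    actual = effective_sflow_rate(requested)
    return {
        "requested_n": requested,
        "actual_n": actual,
        "actual_fraction": 1.0 / actual,
        # 1.0 means the device samples exactly as asked; 0.5 means half as often.
        "rate_ratio": requested / actual,
        "expected_samples_per_second": packets_per_second / actual,
    }


def choose_rate_for_budget(packets_per_second: float, max_samples_per_second: float) -> int:
    """Smallest valid denominator whose expected sample stream stays within the
    collector budget (constructed sizing rule, not a device default)."""
    if max_samples_per_second <= 0:
        raise ValueError("budget must be positive")
    minimum_n = max(1, math.ceil(packets_per_second / max_samples_per_second))
    return effective_sflow_rate(minimum_n)


if __name__ == "__main__":
    for requested in (512, 1000, 4096, 8192):
        plan = sampling_plan(requested, packets_per_second=100_000)
        print(f"requested 1/{requested:<5} -> actual 1/{plan['actual_n']:<6} "
              f"~{plan['expected_samples_per_second']:.1f} samples/s at 100 kpps")
    print("N for 1 Mpps under 1000 samples/s:", choose_rate_for_budget(1_000_000, 1000))
```

Under-sampling matters for monitoring: if a port is sized for 1/4096 and the device silently uses 1/8192, flow estimates scaled by the configured rate will be off by a factor of two, so always read the effective rate back from the device rather than trusting the configured value.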
Changing the sFlow source port
By default, sFlow sends data to the collector using UDP source port 8888, but you can change the source UDP port to any port number in the range 1025-65535. To change the source UDP port, enter a command such as the following:
Brocade(config)#sflow source-port 8000
Syntax: [no] sflow source-port <num>
The <num> parameter specifies the sFlow source port.

Enabling sFlow forwarding
sFlow exports data only for the interfaces on which you enable sFlow forwarding.

Brocade(config)#sflow enable
Brocade(config)#interface ethernet 1/1 to 1/8
Brocade(config-mif-1/1-1/8)#sflow forwarding
These commands globally enable sFlow, then enable sFlow forwarding on Ethernet ports 1/1 – 1/8. You must use both the sflow enable and sflow forwarding commands to enable the feature.
Syntax: [no] sflow enable
Syntax: [no] sflow forwarding

Enabling sFlow forwarding on individual trunk ports
This feature is supported on individual ports of a static trunk group.

Egress interface ID for sampled broadcast and multicast packets
For broadcast and multicast traffic, the egress interface ID for sampled traffic is always 0x80000000. When broadcast and multicast packets are sampled, they are usually forwarded to more than one port. However, the output port field in an sFlow datagram supports the display of one egress interface ID only.

Specifying the maximum flow sample size
With sFlow version 5, you can specify the maximum size of the flow sample sent to the sFlow collector. If a packet is larger than the specified maximum size, then only the contents of the packet up to the specified maximum number of bytes is exported. If the size of the packet is smaller than the specified maximum, then the entire packet is exported. For example, to specify 1024 bytes as the maximum flow sample size, enter the following command.

Enabling the sFlow agent to export CPU-directed data
To enable the sFlow agent on a Brocade device to export data destined to the CPU to the sFlow collector, enter the following command.
Brocade(config)# sflow export cpu-traffic
Syntax: [no] sflow export cpu-traffic
By default, this feature is disabled. The sFlow agent does not send data destined to the CPU to the sFlow collector.

Brocade#show sflow
sFlow version:5
sFlow services are enabled.
sFlow agent IP address: 123.123.123.1
4 collector destinations configured:
  Collector IP 192.168.4.204, UDP 6343
  Collector IP 192.168.4.200, UDP 6333
  Collector IP 192.168.4.202, UDP 6355
  Collector IP 192.168.4.203, UDP 6565
Configured UDP source port: 33333
Polling interval is 0 seconds.
TABLE 99 sFlow information (Continued)
Parameter – Definition
exporting system-info – Indicates whether or not the sFlow agent is configured to export information about CPU and memory usage to the sFlow collector:
• enabled
• disabled
exporting system-info polling interval – Specifies the interval, in seconds, that sFlow data is sent to the sFlow collector.
UDP packets exported – The number of sFlow export packets the Brocade device has sent.

Utilization list for an uplink port
Each uplink utilization list consists of the following:
• Utilization list number (1, 2, 3, or 4)
• One or more uplink ports
• One or more downlink ports
Each list displays the uplink port and the percentage of that port bandwidth that was utilized by the downlink ports over the most recent 30-second interval. You can configure up to four bandwidth utilization lists.

In this example, ports 1/2 and 1/3 are sending traffic to port 1/1. Port 1/2 and port 1/3 are isolated (not shared by multiple clients) and typically do not exchange traffic with other ports except for the uplink port, 1/1.
Syntax: show relative-utilization <num>
The <num> parameter specifies the list number.
NOTE
The example above represents a pure configuration in which traffic is exchanged only by ports 1/2 and 1/1, and by ports 1/3 and 1/1.
Chapter 16 Basic Layer 2 Features
Table 100 lists the individual Brocade FastIron switches and the basic Layer 2 features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.

TABLE 100 Supported basic Layer 2 features
Feature | FESX | FSX 800, FSX 1600 | FWS | FCX | ICX 6610, ICX 6430, ICX 6450
Link Fault Signaling (LFS) for 10G | Yes | Yes | Yes | Yes | ICX 6450 only
Layer 2 jumbo frames | Yes | Yes | Yes | Yes | Yes
User-configurable buffer profiles | No | No | Yes | Yes | Yes
Buffer profile for VoIP on FastIron Stackable devices | No | Yes | Yes | Yes | No
The procedures in this chapter describe how to configure basic Layer 2 parameters.

About port regions
FastIron Edge Switch X448:
• Ports 1 – 12 belong to port region 0
• Ports 13 – 24 belong to port region 1
• Ports 25 – 36 belong to port region 2
• Ports 37 – 48 belong to port region 3
• Port 49 belongs to port region 4
• Port 50 belongs to port region 5

FCX and FWS device port regions
The port region rules for FWS and FCX devices are as follows:
• For all platforms, a 24-port Gbps module has one port region.
• A 48-port Gbps module has two port regions:
- Ports 1-24 and SFP ports 1 & 2 belong to port region 0
- Ports 25-48 and SFP ports 3 & 4 belong to port region 1

ICX 6450 device port regions
• A 24-port Gbps module has one port region. The four SFP+ ports on the device also belong to this single port region.
Management MAC address for stackable devices
In an IronStack, the management MAC address of the Active Controller is always used as the STP bridge ID. The Active Controller management MAC address is always used for control protocols for the following reasons:
• Unlike standalone devices, each stack member has a different range of MAC addresses.

Changing the MAC age time and disabling MAC address learning
To change the MAC address age timer, enter a command such as the following.
Brocade(config)#mac-age-time 60
Syntax: [no] mac-age-time <secs>
The <secs> parameter specifies the number of seconds.

Displaying the MAC address table
To display the MAC table, enter the show mac-address command.
Brocade#show mac-address
Total active entries from all ports = 3
Total static entries from all ports = 1
MAC-Address      Port  Type     VLAN
1234.1234.1234   15    Static   1
0004.8038.2f24   14    Dynamic  1
0004.8038.2f00   13    Dynamic  1
0010.5a86.b159   10    Dynamic  1
In the output of the show mac-address command, the Type column indicates whether the MAC entry is static or dynamic.

Static MAC entry configuration
Multi-port static MAC address configuration notes
• This feature is applicable for Layer 2 traffic.
• This feature can be used to configure unicast as well as IPv4 and IPv6 multicast MAC addresses on one or more ports. However, when a multicast MAC address is configured, the corresponding MAC address entry cannot be used for IGMP snooping. For IPv4 multicast addresses (range 0100.5e00.000 to 0100.5e7f.ffff) and IPv6 multicast addresses (range 3333.0000.0000 to 3333.ffff.

VLAN-based static MAC entries configuration
You can configure a VLAN to drop packets that have a particular source or destination MAC address. You can configure a maximum of 2048 static MAC address drop entries on a Brocade device. Use the CLI command show running-config to view the static MAC address drop entries currently configured on the device.
Flow-based MAC address learning Flow-based MAC address learning NOTE Flow-based MAC address learning is supported on FastIron X Series and Brocade FCX Series devices. It does not apply to FastIron WS Series devices. However, on Brocade FCX Series devices, this feature is enabled by default. There is no command to enable or disable it. Therefore, the CLI commands in this section apply to FastIron X Series devices only.
If a MAC address is learned on a trunk port, the MAC address is also programmed on all of the packet processors that have ports in the same trunk group. Once the MAC address is programmed in hardware, subsequent packets with this destination MAC are forwarded as known unicast packets and are not copied to the CPU. Flow-based MAC addresses are aged out by the source packet processor according to the MAC age time learned on the local port.
Configuring flow-based MAC address learning
To configure flow-based MAC address learning, enable it globally. If necessary, also increase the capacity of the MAC address table.
Enabling flow-based MAC address learning
To enable flow-based MAC address learning, enter the following command at the Global CONFIG level of the CLI.
    Brocade(config)#mac-learning-flow-based
This command enables flow-based MAC address learning.
Displaying information about flow-based MACs
The show mac-address command includes information related to flow-based MAC address learning. The following shows an example show mac output.
    Brocade# show mac
    Total active entries from all ports = 15
    MAC-Address     Port  Type
    0000.0000.0001  1/1   Dynamic
    0000.0000.
Enabling port-based VLANs
The parameter is the VLAN name and can be a string of up to 32 characters. You can use blank spaces in the name if you enclose the name in double quotes (for example, “Product Marketing”). You can configure up to 4063 port-based VLANs on a device running Layer 2 code or 4061 port-based VLANs on a device running Layer 3 code. Each port-based VLAN can contain either tagged or untagged ports. A port cannot be a member of more than one port-based VLAN unless the port is tagged.
Defining MAC address filters
MAC layer filtering enables you to build access lists based on MAC layer headers in the Ethernet/IEEE 802.3 frame. You can filter on the source and destination MAC addresses. The filters apply to incoming traffic only. You configure MAC address filters globally, then apply them to individual interfaces. To apply MAC address filters to an interface, you add the filters to that interface's MAC address filter group.
MAC address filters command syntax
To configure and apply a MAC address filter, enter commands such as the following.
    Brocade(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000
    Brocade(config)# mac filter 2 deny any ffff.ffff.ffff ffff.ffff.ffff
    Brocade(config)# mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0
    Brocade(config)# mac filter 4 deny any 0000.1234.
    Brocade(config)# int e 1
    Brocade(config-if-e1000-1)#
NOTE
You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the filter group again containing all the filters you want to apply to the port.
NOTE
If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced by the new filter group.
When a MAC address filter is applied to or removed from an interface, a Syslog message such as the following is generated.
MAC address filter logging command syntax
To configure MAC address filter logging globally, enter the following CLI commands at the global CONFIG level.
    Brocade(config)#mac filter log-enable
    Brocade(config)#write memory
Syntax: [no] mac filter log-enable
To configure MAC address filter logging for MAC address filters applied to ports 1 and 3, enter the following CLI commands.
Syntax: mac filter permit | deny | any
The permit | deny argument determines the action the software takes when a match occurs. In the previous example, the permit action creates an 802.1X session in the FORCE AUTHORIZE state, meaning that the device is placed unconditionally in the authorized state, bypassing 802.
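The following is an added example, not Brocade code: a small matcher for MAC filter groups written the way the mac filter lines above read (filter number, permit or deny, a source MAC and mask or any, a destination MAC and mask or any), so the effect of the masks in the example can be checked offline. Set bits in a mask are compared and zero bits are wildcards, which is what filter 1 relies on to match every source address beginning with 35:65. Assumptions of this example: filters are evaluated in the order applied and the first match wins, a frame that matches no filter is denied, and a filter with no destination spec matches any destination. Filter 1024 is added here as a catch-all permit and is not on the page.

```python
"""Added example, not Brocade code: evaluate a FastIron-style MAC filter group.
Assumptions: first match wins, no match means deny, missing destination means any."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL_MASK = 0xFFFF_FFFF_FFFF


def parse_mac(text: str) -> int:
    """'0180.c200.0000', '01:80:c2:00:00:00' or '01-80-c2-00-00-00' -> 48-bit int."""
    digits = re.sub(r"[.:-]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacMatch:
    addr: Optional[int]          # None means 'any'
    mask: int = FULL_MASK        # 1 bits are compared, 0 bits are wildcards

    def matches(self, mac: int) -> bool:
        return self.addr is None or (mac & self.mask) == (self.addr & self.mask)


@dataclass(frozen=True)
class MacFilter:
    number: int
    action: str                  # 'permit' or 'deny'
    src: MacMatch
    dst: MacMatch


def _take_spec(tokens: List[str]) -> MacMatch:
    """Consume 'any' or '<mac> <mask>' from the front of tokens (empty -> any)."""
    if not tokens:
        return MacMatch(None)
    head = tokens.pop(0)
    if head == "any":
        return MacMatch(None)
    mask = parse_mac(tokens.pop(0)) if tokens and tokens[0] != "any" else FULL_MASK
    return MacMatch(parse_mac(head), mask)


def parse_filter(args: str) -> MacFilter:
    """Parse the text after 'mac filter', e.g. '3 deny any 0180.c200.0000 ffff.ffff.fff0'."""
    tokens = args.split()
    number, action = int(tokens[0]), tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    rest = tokens[2:]
    src = _take_spec(rest)
    dst = _take_spec(rest)
    if rest:
        raise ValueError(f"unexpected trailing tokens: {rest}")
    return MacFilter(number, action, src, dst)


def evaluate(group: List[MacFilter], src_mac: str, dst_mac: str) -> Tuple[str, Optional[int]]:
    """Return (action, filter number) of the first matching filter, or ('deny', None)."""
    s, d = parse_mac(src_mac), parse_mac(dst_mac)
    for f in group:
        if f.src.matches(s) and f.dst.matches(d):
            return f.action, f.number
    return "deny", None          # implicit deny: an assumption of this example


# Filters 1-3 as they appear on this page; filter 1024 is an added catch-all permit.
FILTER_GROUP = [parse_filter(line) for line in (
    "1 deny 3565.3475.3676 ffff.0000.0000",        # any source MAC beginning with 35:65
    "2 deny any ffff.ffff.ffff ffff.ffff.ffff",     # frames to the broadcast address
    "3 deny any 0180.c200.0000 ffff.ffff.fff0",     # 0180.c200.0000-000f: STP BPDU, LACP, EAPOL, ...
    "1024 permit any any",
)]

if __name__ == "__main__":
    for src, dst in [("3565.0000.0001", "0004.8038.2f24"),
                     ("0004.8038.2f24", "0180.c200.0002"),
                     ("0004.8038.2f24", "0004.8038.2f00")]:
        print(src, "->", dst, evaluate(FILTER_GROUP, src, dst))
```

Note what filter 3 covers: the mask ffff.ffff.fff0 spans 0180.c200.0000 through 0180.c200.000f, which includes STP BPDUs (…0000), LACP (…0002) and 802.1X EAPOL (…0003). Denying that block on an ingress port is a reasonable edge-port hardening step, but on a port that must run spanning tree, LACP or 802.1X it silently breaks those protocols, so check the range before applying such a filter group.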
Locking a port to restrict addresses
Address-lock filters allow you to limit the number of devices that have access to a specific port. Access violations are reported as SNMP traps. This feature is disabled by default. A maximum of 2048 entries can be specified for access. The default address count is eight.
Lock address configuration notes
• Static trunk ports and link-aggregation configured ports do not support the lock-address option.
Monitoring MAC address movement
• Interval-history notifications are best suited for statistical analysis of the number of MAC address movements over a configured time interval. For example, you may want to find out how many MAC addresses have moved in the system over a given interval, or how many times a specific MAC address has moved during that interval. It is not possible, however, to get this information for every MAC address if many MAC addresses moved during the interval.
Viewing the MAC address movement threshold rate configuration
To display the configuration of the MAC address movement threshold rate, enter the show notification mac-movement threshold-rate command at the privileged EXEC level. This command also displays ongoing statistics for the current sampling interval.
Configuring an interval for collecting MAC address move notifications
To configure an interval for collecting statistical data about MAC address moves, enter the mac-movement notification interval-history command at the privileged EXEC level. This command enables a corresponding SNMP trap.
Table 102 defines the fields in the output of the show notification mac-movement interval-history command.
TABLE 102 Field definitions for the show notification mac-movement interval-history command
Field                                          Description
Interval-History Mac Movement Notification is  Specifies whether interval-history data collection is enabled.
Configured Interval                            The interval over which the MAC address movement statistics were collected.
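The following is an added example, not Brocade code: an offline reconstruction of the two kinds of MAC-movement statistics described above, computed from a constructed list of MAC learn events (timestamp, MAC, port) such as a collector might pull from the MAC table or from Syslog. interval_history() gives, per configured interval, how many MAC addresses moved and how many times each one moved; threshold_violations() flags a MAC whose moves within a sampling interval reach a threshold, which is the kind of flapping that indicates a duplicated or spoofed MAC or a Layer 2 loop. What the switch counts as a move (a MAC relearned on a different port) and the meaning of the threshold rate (moves per sampling interval) are assumptions of this example, as are the sample events.

```python
"""Added example, not Brocade code: MAC-movement interval history and threshold check.
Assumptions: a move is a MAC relearned on another port; threshold = moves per interval."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LearnEvent:
    ts: float      # seconds since the collection started
    mac: str
    port: str


@dataclass
class IntervalStats:
    start: float
    end: float
    moves: int                 # total MAC moves in the interval
    macs_moved: int            # distinct MACs that moved at least once
    per_mac: Dict[str, int]    # moves per MAC


def find_moves(events: List[LearnEvent]) -> List[Tuple[float, str, str, str]]:
    """(ts, mac, old_port, new_port) for every event that relearns a MAC on another port."""
    last_port: Dict[str, str] = {}
    moves = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_port.get(ev.mac)
        if prev is not None and prev != ev.port:
            moves.append((ev.ts, ev.mac, prev, ev.port))
        last_port[ev.mac] = ev.port
    return moves


def interval_history(events: List[LearnEvent], interval: float) -> List[IntervalStats]:
    """Bucket the moves into consecutive intervals of `interval` seconds starting at t=0."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for ts, mac, _, _ in find_moves(events):
        buckets[int(ts // interval)][mac] += 1
    if not buckets:
        return []
    stats = []
    for i in range(max(buckets) + 1):        # keep empty intervals so the history is continuous
        c = buckets.get(i, Counter())
        stats.append(IntervalStats(i * interval, (i + 1) * interval,
                                   sum(c.values()), len(c), dict(c)))
    return stats


def threshold_violations(events: List[LearnEvent], interval: float,
                         threshold: int) -> List[Tuple[float, str, int]]:
    """(interval start, mac, move count) for each MAC that reached the threshold in an interval."""
    hits = []
    for s in interval_history(events, interval):
        for mac, n in sorted(s.per_mac.items()):
            if n >= threshold:
                hits.append((s.start, mac, n))
    return hits


# Constructed sample: one host re-patched once, one MAC flapping between two
# ports (a duplicated MAC, a spoofing host, or a loop), and one stable host.
SAMPLE = [
    LearnEvent(0.5, "0004.8038.2f24", "e 1/1"),
    LearnEvent(1.0, "0010.5a86.b159", "e 1/5"),
    LearnEvent(2.0, "0004.8038.2f00", "e 1/2"),
    LearnEvent(3.0, "0004.8038.2f00", "e 1/3"),
    LearnEvent(4.0, "0004.8038.2f00", "e 1/2"),
    LearnEvent(5.0, "0004.8038.2f00", "e 1/3"),
    LearnEvent(12.0, "0004.8038.2f24", "e 1/7"),
    LearnEvent(13.0, "0010.5a86.b159", "e 1/5"),
]

if __name__ == "__main__":
    for s in interval_history(SAMPLE, 10.0):
        print(f"{s.start:>5.0f}-{s.end:<5.0f} moves={s.moves} macs={s.macs_moved} {s.per_mac}")
    print("threshold hits:", threshold_violations(SAMPLE, 10.0, 3))
```

With a 10-second interval the flapping MAC produces three moves in the first interval and trips a threshold of 3, while the host that was re-patched once shows up as a single move in the second interval and is not flagged; that distinction between a one-off move and a sustained rate is what the threshold-rate notification is for.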
Displaying and modifying system parameter default settings
The following shows an example output of the show default values command on a FastIron Layer 2 device.
The following shows an example output on a FastIron IPv4 device running Layer 3 software.
    Brocade#show default values
    sys log buffers:50   mac age time:300 sec   ip arp age:10 min   ip addr per intf:24
    when multicast enabled :
    igmp group memb.:260 sec
    when ospf enabled :
    ospf dead:40 sec   ospf transit delay:1 sec
    when bgp enabled :
    bgp local pref.:100   bgp metric:10   bgp ext.
The following shows an example output on an FCX serving as a management host in an IPv6 network and running the Layer 3 software image.
    Brocade#show default values
    sys log buffers:50   mac age time:300 sec   ip arp age:10 min   ip addr per intf:24
    when multicast enabled :
    igmp group memb.:260 sec
    when ospf enabled :
    ospf dead:40 sec   ospf transit delay:1 sec
    when bgp enabled :
    bgp local pref.:100   bgp metric:10   bgp ext.
The following shows an example output on a FastIron X Series IPv6 device running the Layer 3 software image.
    Brocade#show default values
    sys log buffers:50   mac age time:300 sec   ip arp age:10 min   ip addr per intf:24
    when multicast enabled :
    igmp group memb.:260 sec
    when ospf enabled :
    ospf dead:40 sec   ospf transit delay:1 sec
    when bgp enabled :
    bgp local pref.:100   bgp metric:10   bgp ext.
Table 103 defines the system parameters in the show default values command output.
Modifying system parameter default values
Information for the configurable tables appears under the columns that are shown in bold type in the above examples. To simplify configuration, the command parameter you enter to configure the table is used as the table name. For example, to increase the capacity of the IP route table, enter the following commands.
Dynamic buffer allocation for QoS priorities for FastIron X Series devices
• Total Transmit Queue Depth Limit – The total maximum number of transmit buffers allocated for all outbound packets on a port. Packets are added to the port's outbound queue as long as the number of buffers currently in use is less than the total transmit queue depth limit. When this limit is reached, any new packets attempting to enter the port's transmit queue are dropped until at least one buffer is freed.
To set the total transmit queue depth limit on a port, enter a command such as the following.
    Brocade(config)#qd 2 2049
This command sets the queue depth limit on port 2 to 2049. Packets are added to the port's outbound queue as long as the packets do not cause the port to exceed 2048 buffers.
Removing buffer allocation limits on FastIron X Series devices
You can remove buffer allocation limits on all ports and all Traffic Classes globally. This permits all available buffers in a port region to be used on a first-come, first-served basis by any of its ports, regardless of priority. This can be done using the following command.
Configuring a buffer profile and defining the queue depth limits
1. Create a buffer profile and assign it to a port. For example, to create buffer profile 2 and assign it to port 1/1, enter the following command.
    Brocade(config)#qd 1/1 profile-id 2
Syntax: [no] qd / profile-id
The variable specifies the buffer profile ID associated with the /.
Displaying the buffer profile configuration
To display the buffer profile configuration for an SX-FI48GPP Interface module, use the show configuration command. The following example shows that buffer profile 2 and its configured queue depth values apply to ports 1/1 and 1/2. Although the profile configuration was changed for port 1/1 only, port 1/2 has also changed to match the configuration.
Dynamic buffer allocation for FCX, FWS, and ICX devices
Configuring buffer profiles
There are two different methods of allocating buffers and descriptors to a port and its queues. One method uses the qd-descriptor and qd-buffer CLI commands to allocate descriptors and buffers, respectively, to the port and its queues. This method is available on FWS, FCX, and ICX devices. The other method uses user-configurable buffer profiles.
For example, for an 8-unit stack of 48-port devices, the packet processor numbering scheme is as follows:
• Stack unit 1 - Packet processors 0 and 1
• Stack unit 2 - Packet processors 2 and 3
• Stack unit 3 - Packet processors 4 and 5
• Stack unit 4 - Packet processors 6 and 7
• Stack unit 5 - Packet processors 8 and 9
• Stack unit 6 - Packet processors 10 and 11
• Stack unit 7 - Packet processors 12 and 13
• Stack unit 8 - Packet processors 14 and 15
In
The variable refers to the specific queue of the port, from 0 through 7.
3. Configure the port buffers. The minimum limit for port buffers is 16. The maximum limit for the port buffer depends on the hardware device. Port buffer limits of different platforms are listed in “Buffer and descriptor maximum and default allocation values” on page 596. Configure the allowable packet buffers by entering a command similar to the following.
Dynamic buffer allocation for FCX, FWS, and ICX devices qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-descriptor qd-buffer 0 1 qd-buffer 1 1 qd-buffer 2 1 qd-buffer 4 1 qd-buffer 5 1 qd-buffer 6 1 qd-buffer 0 2 qd-buffer 1 2 qd-buffer 2 2 qd-buffer 4 2 qd-buffer 5 2 qd-buffer 6 2 qd-buffer 0 1 qd-buffer 1 1 qd-buffer 2 1 qd-buffer 4 1 qd-buff
Configuring and applying a user-configurable buffer profile is a two-step process. First, create a user-configurable buffer profile with the qd-buffer-profile CLI command. Define a name for the user-configurable buffer profile, assign buffer and descriptor limits at the port level, and then define buffer and descriptor limits per queue of that port.
3. Configure the port buffers. Port buffer sets the maximum buffer limit for the ports. The maximum limit depends on the hardware device. Port buffer limits of different platforms are listed in the section “Buffer and descriptor maximum and default allocation values” on page 596. To configure the port buffers for the user-configurable buffer profile named “profile1”, enter the following command at the profile configuration level.
The variable is the device number on which the user-configurable buffer profile is applied. The variable is the name of the user-configured profile.
Buffer and descriptor maximum and default allocation values
This section lists the maximum and default buffer and descriptor values of a port and its queues on each hardware platform. The following tables are included:
• Table 105 describes FCX devices.
TABLE 107 Port buffer and descriptor values on ICX 6610 devices (buffers and descriptors per port speed)
              1 Gbps   10 Gbps   40 Gbps
Port Limit    8096     8096      8096
TC0           128      160       256
TC1           32       48        64
TC2           32       48        64
TC3           32       48        64
TC4           32       48        64
TC5           64       96        144
TC6           64       96        144
TC7           64       96        144
TABLE 108 Port buffer and descriptor values on ICX 6430 devices
1 Gbps buffers   10 Gbps buffers   1 Gbps descriptors
Configuring values for the ICX 6430
Port buffer and descriptor values in Table 108 are default values for software traffic classes. For the ICX 6430, traffic classes are mapped to shared hardware queues (refer to “Queues for the ICX 6430 switch” on page 1973). The following are considerations for configuring your own values and buffer profiles.
• User-defined values have precedence over default values.
TABLE 110 Field definitions for the output of the show qd-buffer-profile command
Field              Description
Per Queue details  The names of the queues
Buffers            The total number of buffers allocated to the queue
Descriptors        The total number of descriptors allocated to the queue
Configuring buffer sharing on FCX and ICX devices
Network congestion can be caused by various reasons such as port shaping, flow control received on the link due to congestion on the
FCX buffer sharing levels
The FCX buffer sharing level configures the shared buffers on the device. Table 111 defines the FCX buffer sharing level settings. For information about configuring buffer sharing, refer to “Configuring buffer sharing on FCX and ICX devices” on page 599. If you configure buffers at the port or queue level (using qd commands or buffer profiles), the buffer sharing level automatically changes to 1. You can change it manually.
TABLE 112 ICX 6610 buffer sharing level definitions (Continued)
Columns: Buffer sharing level; Shared buffer limit; Shared buffer total (in kilobytes); Pool 0 sharing buffers (in kilobytes); Pool 0 – TC 0, 1; Pool 1 – TC 2, 3, 4; Pool 2 – TC 5, 6; Pool 3 – TC 7
5 (default)   768    128   192   192   625    375
6             1024   128   192   192   750    500
7             1280   128   192   192   875    625
8             1536   128   192   192   1000   750
ICX 6430 and ICX 6450 buffer sharing levels
The ICX 6430
    ICX6610-48 Router# show qd-share-level
    Sharing level: 1-64KB, 2-250KB, 3-375KB, 4-500KB, 5-625KB (default), 6-750KB, 7-875KB, 8-1000KB
    Current qd sharing level 5
    Sharing pools to Traffic Class (TC) map:
      Pool 0: TC 0,1
      Pool 1: TC 2,3,4
      Pool 2: TC 5,6
      Pool 3: TC 7
    Device 0 Sharing pool 0 buffers in use 0
    Device 0 Sharing pool 1 buffers in use 0
    Device 0 Sharing pool 2 buffers in use 0
    Device 0 Sharing pool 3 buffers in use 0
    Device 1 Sharing pool 0 buff
Buffer profiles for VoIP on FastIron stackable devices
NOTE
Configuring buffer profiles for VoIP traffic is not supported on FastIron X Series devices.
Default buffer settings are currently optimized for 1 GbE-to-1 GbE traffic. Configuring VoIP buffer profiles adds buffer profiles for 1 GbE-to-100 Mbit traffic, simplifying configuration and improving performance.
Remote Fault Notification on 1Gbps fiber connections
When you enable this feature, the transmit port notifies the remote port whenever the fiber cable is either physically disconnected or has failed. When this occurs and the feature is enabled, the device disables the link and turns off both LEDs associated with the ports. By default, RFN is enabled.
Link Fault Signaling for 10Gbps Ethernet devices
Enabling Link Fault Signaling
To enable Link Fault Signaling (LFS) between two 10 Gbps Ethernet devices, enter commands such as the following on both ends of the link.
    Brocade(config)#interface e 1/1
    Brocade(config-if-e1000-1/1)#link-fault-signal
Syntax: [no] link-fault-signal
Use the no form of the command to disable LFS. LFS is off by default.
Jumbo frame support
Ethernet traffic moves in units called frames. The largest payload a frame may carry is the Maximum Transmission Unit (MTU). When a network device receives a frame larger than its MTU, the data is either fragmented or dropped. Standard Ethernet carries at most 1500 bytes of payload per frame, so most devices use 1500 as their default MTU. Jumbo frames are Ethernet frames with an MTU larger than 1500 bytes; conventionally, jumbo frames carry up to 9000 bytes of payload.
Chapter 17 Metro Features Table 114 lists the individual Brocade FastIron switches and the metro features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Topology groups
Master VLAN and member VLANs
Each topology group contains a master VLAN and can contain one or more member VLANs and VLAN groups:
• Master VLAN – The master VLAN contains the configuration information for the Layer 2 protocol. For example, if you plan to use the topology group for MRP, the topology group master VLAN contains the ring configuration information.
• Member VLANs – The member VLANs are additional VLANs that share ports with the master VLAN.
• If you remove the master VLAN (by entering no master-vlan), the software selects a new master VLAN from the member VLANs. The candidate is chosen in configuration order, so the member VLAN that was added first becomes the new candidate master VLAN. Once you save and reload, the member VLAN with the youngest VLAN ID becomes the new candidate master. The new master VLAN inherits the Layer 2 protocol settings of the old master VLAN.
NOTE
Once you add a VLAN or VLAN group as a member of a topology group, all the Layer 2 protocol configuration information for the VLAN or group is deleted. For example, if STP is configured on a VLAN and you add the VLAN to a topology group, the STP configuration is removed from the VLAN. Once you add the VLAN to a topology group, the VLAN uses the Layer 2 protocol settings of the master VLAN.
This display shows the following information.
TABLE 115 CLI display of topology group information
Field                 Description
master-vlan           The master VLAN for the topology group. The settings for STP, MRP, or VSRP on the control ports in the master VLAN apply to all control ports in the member VLANs within the topology group.
member-vlan           The member VLANs in the topology group.
Common control ports  The master VLAN ports that are configured with Layer 2 protocol information.
Metro Ring Protocol
Figure 40 shows an example of an MRP metro ring.
FIGURE 40 Metro ring – normal state
[Figure: four switches, A (the Master Node), B, C and D, in a ring, each also connected to a Customer A network. Ring interfaces are marked F (Forwarding) except one interface marked B, which blocks Layer 2 traffic to prevent a loop.]
The ring in this example consists of four MRP nodes (Brocade switches). Each node has two interfaces with the ring. Each node also is connected to a separate customer network.
Metro Ring Protocol configuration notes
• When you configure Metro Ring Protocol (MRP), Brocade recommends that you disable one of the ring interfaces before beginning the ring configuration. Disabling an interface prevents a Layer 2 loop from occurring while you are configuring MRP on the ring nodes. Once MRP is configured and enabled on all the nodes, you can re-enable the interface.
• The above configurations can be configured as MRP masters or MRP members (for different rings).
[Figure: two Master Nodes with Ports 1/1, 1/2, 4/1 and 4/2 connecting to Ring 1, Ring 2 and Ring 3.]
In this example, two nodes are each configured with two MRP rings. Any node in a ring can be the master for its ring. A node also can be the master for more than one ring.
MRP rings with shared interfaces (MRP Phase 2)
With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN.
[Figure: Example 1 shows nodes S1 and S2 with Ring 1 and Ring 2 sharing Port 1/1 on S1 and Port 2/2 on S2, all in VLAN 2. Example 2 shows nodes S1 through S4 with Rings 1, 2 and 3.]
On each node that will participate in the ring, you specify the ring ID and the interfaces that will be used for ring traffic. In a multiple ring configuration, the ring ID determines the ring's priority: the lower the ring ID, the higher the priority of the ring. A ring ID is also used to identify the interfaces that belong to a ring.
The ring ID is also used to determine an interface priority. Generally, a ring ID is also the ring priority and the priority of all interfaces on that ring. However, if the interface is shared by two or more rings, then the highest priority (lowest ID) becomes the priority of the interface. For example, in Figure 43, all interfaces on Ring 1, except for Port 1/1 on node S1 and Port 2/2 on node S2, have a priority of 1.
[Figure: the ring of Switches A (Master Node), B, C and D, each with a Customer A network. All ring ports start in the Preforwarding (PF) state; the primary port on the Master node sends RHP 1.]
MRP uses Ring Health Packets (RHPs) to monitor the health of the ring. An RHP is an MRP protocol packet. The source address is the MAC address of the master node and the destination MAC address is a protocol address for MRP.
• Forwarding (F) – The interface can forward data as well as RHPs. An interface changes from Preforwarding to Forwarding when the port preforwarding time expires. This occurs if the port does not receive an RHP from the Master, or if the forwarding bit in the RHPs received by the port is off. This indicates a break in the ring. The port heals the ring by changing its state to Forwarding.
[Figure: the secondary port on the Master node (Switch A) receives RHP 1 and changes to Blocking; the primary port then sends RHP 2 with the forwarding bit on. Each port changes from Preforwarding to Forwarding when it receives this RHP.]
Each RHP also has a sequence number. MRP can use the sequence number to determine the round-trip time for RHPs in the ring.
[Figure: RHP flow on shared interfaces between nodes S1, S2, S3 and S4. The Ring 1 master node uses Port 2/1 as its primary interface and Port 2/2 as its secondary interface; the Ring 2 master node uses Port 3/1 as its primary interface and Port 3/2 as its secondary interface. Ring 1 and Ring 2 RHP packets both traverse the shared links; some ports are marked T.]
Port 2/1 on the Ring 1 master node is the primary interface of the master node. The primary interface forwards an RHP packet on the ring.
How ring breaks are detected and healed
Figure 47 shows ring interface states following a link break. MRP quickly heals the ring and preserves connectivity among the customer networks.
If a break in the ring occurs, MRP heals the ring by changing the states of some of the ring interfaces:
• Blocking interface – The Blocking interface on the Master node has a dead timer. If the dead time expires before the interface receives one of its ring RHPs, the interface changes state to Preforwarding. Once the secondary interface changes state to Preforwarding:
  • If the interface receives an RHP, the interface changes back to the Blocking state and resets the dead timer.
FIGURE 48 Flow of RHP packets when a link for shared interfaces breaks
[Figure: the link between the shared interfaces is broken (marked X) and Port 2/2 on the Ring 1 master node changes to Preforwarding. Ring 1 and Ring 2 RHP packets flow around the break through S1, S2, S3 and S4.]
RHP packets follow this flow until the link is restored; then the RHP packet returns to its normal flow as shown in Figure 46.
[Figure 49: Switch B and Switch D, each with Customer A on VLAN 30 (Port 2/1) and Customer B on VLAN 40 (Port 4/1), and ring interfaces 1/1 and 1/2. Both switches are configured identically: ring 1 on interfaces 1/1 and 1/2; topology group 2; master VLAN 2 (1/1, 1/2); member VLAN 30 (1/1, 1/2, 2/1); member VLAN 40 (1/1, 1/2, 4/1).]
Notice that each customer h
In Figure 49, VLAN 2 is the master VLAN and contains the MRP configuration parameters for ring 1. VLAN 30 and VLAN 40, the customer VLANs, are member VLANs in the topology group. Since a topology group is used, a single instance of MRP provides redundancy and loop prevention for both customer VLANs. If you use a topology group:
• The master VLAN must contain the ring interfaces. The ports must be tagged, since they will be shared by multiple VLANs.
Adding an MRP ring to a VLAN
To add an MRP ring to a VLAN, enter commands such as the following.
NOTE
If you plan to use a topology group to add VLANs to the ring, make sure you configure MRP on the topology group master VLAN.
Configures this node as the master node for the ring. Enter this command only on one node in the ring. The node is a member (non-master) node by default.
Syntax: [no] ring-interface ethernet ethernet
The ethernet parameter specifies the primary interface. On the master node, the primary interface is the one that originates RHPs. Ring control traffic and Layer 2 data traffic flow outward from this interface by default.
Metro Ring Protocol diagnostics
The Metro Ring Protocol (MRP) diagnostics feature calculates how long it takes for RHP packets to travel through the ring. When you enable MRP diagnostics, the software tracks RHP packets according to their sequence numbers and calculates how long it takes an RHP packet to travel once around the entire ring. When you display the diagnostics, the CLI shows the average round-trip time for the RHP packets sent since you enabled diagnostics.
TABLE 116 CLI display of MRP ring diagnostic information (Continued)
Field             Description
Diag frame sent   The number of diagnostic RHPs sent for the test.
Diag frame lost   The number of diagnostic RHPs lost during the test.
If the recommended hello time and preforwarding time are different from the actual settings and you want to change them, refer to “Metro Ring Protocol configuration” on page 625.
TABLE 117 CLI display of MRP ring information
Field              Description
Ring id            The ring ID.
State              The state of MRP: enabled (MRP is enabled) or disabled (MRP is disabled).
Ring role          Whether this node is the master for the ring: master or member.
Master vlan        The ID of the master VLAN in the topology group used by this ring.
Active interface   The physical interfaces that are sending and receiving RHPs.
                   NOTE: If a port is disabled, its state is shown as “disabled”.
                   NOTE: If an interface is a trunk group, only the primary port of the group is listed.
Interface Type     Shows whether the interface is a regular port or a tunnel port.
RHPs sent          The number of RHPs sent on the interface.
                   NOTE: This field applies only to the master node.
The following commands configure the customer VLANs. The customer VLANs must contain both the ring interfaces and the customer interfaces.
    Brocade(config)#vlan 30
    Brocade(config-vlan-30)#tag ethernet 1/1 to 1/2
    Brocade(config-vlan-30)#tag ethernet 2/1
    Brocade(config-vlan-30)#exit
    Brocade(config)#vlan 40
    Brocade(config-vlan-40)#tag ethernet 1/1 to 1/2
    Brocade(config-vlan-40)#tag ethernet 4/1
    Brocade(config-vlan-40)#exit
    Brocade(config)#topology-group 1
    Brocade(config-topo-group-1)#master-vlan 2
    Brocade(config-topo-group-1)#member-vlan 30
    Brocade(config-topo-group-1)#member-vlan 40
MRP commands on Switch D
    Brocade(config)#vlan 2
    Brocad
VSRP
Figure 50 shows an example of a VSRP configuration.
FIGURE 50 VSRP mesh – redundant paths for Layer 2 and Layer 3 traffic
[Figure: a VSRP Master and a VSRP Backup, joined by an optional link, each connected to three VSRP Aware devices. The Master's links are Forwarding (F), the Backup's links are Blocking (B), and the Master sends Hello packets.]
In this example, two Brocade devices are configured as redundant paths for VRID 1. On each of the devices, a Virtual Router ID (VRID) is configured on a port-based VLAN. Since VSRP is primarily a Layer 2 redundancy protocol, the VRID applies to the entire VLAN.
Layer 2 and Layer 3 redundancy
You can configure VSRP to provide redundancy for Layer 2 only or for Layer 3 as well:
• Layer 2 only – The Layer 2 links are backed up, but specific IP addresses are not backed up.
• Layer 2 and Layer 3 – The Layer 2 links are backed up and a specific IP address is also backed up. Layer 3 VSRP is the same as VRRP-E; however, using VSRP provides redundancy at both layers at the same time. Layer 2 Switches support Layer 2 VSRP only.
• If the Backup does not receive a Hello message with a higher priority than its own by the time the hold-down timer expires, the Backup becomes the new Master and starts forwarding Layer 2 traffic on all ports.
If you increase the timer scale value, each timer value is divided by the scale value. To achieve sub-second failover times, you can change the scale to a value up to 10. This shortens all the VSRP timers to 10 percent of their configured values.
FIGURE 52 VSRP priority recalculation
[Figure: two VSRP devices, a Master and a Backup joined by an optional link, each with three links to VSRP Aware devices. The device with all three links up has configured priority 100 and actual priority 100 * (3/3) = 100. The device with one link down (marked X) has configured priority 100 and actual priority 100 * (2/3) = 67.]
You can reduce the sensitivity of a VSRP device to failover by increasing its configured VSRP priority. For example, you can increase the configured priority of the VSRP device on the left in Figure 52 to 150.
When you configure a track port, you assign a priority value to the port. If the port goes down, VSRP subtracts the track port priority value from the configured VSRP priority. For example, if you configure a track port with priority 20 and the configured VSRP priority is 100, the software subtracts 20 from 100 if the track port goes down, resulting in a VSRP priority of 80. The new priority value is used when calculating the VSRP priority. Figure 54 shows an example.
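The following is an added example, not Brocade code: the VSRP priority arithmetic from Figure 52 and the track-port paragraph, together with the timer-scale rule described earlier in this section, so that the numbers on the page can be reproduced and the effect of a configured priority of 150 checked. The order of operations follows the text (track-port penalties are subtracted from the configured priority first, then the up-ports ratio is applied). Rounding the scaled priority to the nearest integer, clamping it at zero, and the name tie-break in elect_master() are assumptions of this example; the port names are made up.

```python
"""Added example, not Brocade code: VSRP priority recalculation and timer scaling.
Assumptions: round to nearest integer, clamp at zero, ties broken by name."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VsrpInstance:
    name: str
    configured_priority: int = 100
    vrid_ports: Dict[str, bool] = field(default_factory=dict)   # VRID port -> link up?
    track_ports: Dict[str, int] = field(default_factory=dict)   # tracked port -> track priority
    track_up: Dict[str, bool] = field(default_factory=dict)     # tracked port -> link up?

    def base_priority(self) -> int:
        """Configured priority minus the track priority of every tracked port that is down."""
        penalty = sum(p for port, p in self.track_ports.items()
                      if not self.track_up.get(port, True))
        return max(0, self.configured_priority - penalty)

    def actual_priority(self) -> int:
        """Page formula: actual = priority * (VRID ports up / VRID ports total)."""
        total = len(self.vrid_ports)
        if total == 0:
            return 0
        up = sum(1 for link_up in self.vrid_ports.values() if link_up)
        return max(0, round(self.base_priority() * up / total))


def scaled_timer(seconds: float, timer_scale: int = 1) -> float:
    """Every VSRP timer is divided by the timer scale (1 by default, up to 10)."""
    if not 1 <= timer_scale <= 10:
        raise ValueError("timer scale must be between 1 and 10")
    return seconds / timer_scale


def elect_master(instances: List[VsrpInstance]) -> str:
    """The instance with the highest actual priority becomes Master (tie-break: name)."""
    return max(instances, key=lambda i: (i.actual_priority(), i.name)).name


def figure_52() -> Dict[str, int]:
    """The two devices of Figure 52: three VRID ports each, one link down on the second."""
    healthy = VsrpInstance("all-links-up", 100, {"1/1": True, "1/2": True, "1/3": True})
    degraded = VsrpInstance("one-link-down", 100, {"1/1": True, "1/2": True, "1/3": False})
    return {healthy.name: healthy.actual_priority(), degraded.name: degraded.actual_priority()}


if __name__ == "__main__":
    print(figure_52())
    boosted = VsrpInstance("boosted", 150, {"1/1": True, "1/2": False, "1/3": True})
    print("priority 150 with one link down:", boosted.actual_priority())
    print("hold-down 3 s at timer scale 10:", scaled_timer(3, 10), "s")
```

Running it shows why the text suggests raising the configured priority to 150: with one of three links down that device still computes an actual priority of 100, so a single link failure no longer drops it below a healthy peer at 100. Note that a lower priority only matters at the next Hello exchange; how quickly the Backup reacts is governed by the timers, and dividing the 3-second hold-down by a timer scale of 10 gives 0.3 s.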
MAC address failover on VSRP-aware devices VSRP-aware devices maintain a record of each VRID and its VLAN. When the device has received a Hello message for a VRID in a given VLAN, the device creates a record for that VRID and VLAN and includes the port number in the record.
If VSRP hello packets do not meet the acceptance criteria, the VSRP-aware device forwards the packets normally, without any VSRP-aware security processing. To configure VSRP-Aware Security features, refer to “Configuring security features on a VSRP-aware device” on page 645. VSRP parameters Table 118 lists the VSRP parameters.
TABLE 118 VSRP parameters (Continued)
Parameter | Description | Default | For more information
VSRP ports | The ports in the VRID VLAN that you want to use as VRID interfaces. You can selectively exclude individual ports from VSRP while allowing them to remain in the VLAN. | All ports in the VRID VLAN | page 646
VRID IP address | A gateway address you are backing up. Configuring an IP address provides VRRP-E Layer 3 redundancy in addition to VSRP Layer 2 redundancy.
TABLE 118 VSRP parameters (Continued)
Parameter | Description | Default | For more information
Hold-down interval | The amount of time a Backup that has sent a Hello packet announcing its intent to become Master waits before beginning to forward traffic for the VRID. The hold-down interval prevents Layer 2 loops from occurring during VSRP rapid failover. The interval can be from 1 – 84 seconds. | 3 seconds | page 649
Track priority | A VSRP priority value assigned to the tracked ports.
• Activate the VRID. The following example shows a simple VSRP configuration.
Brocade(config)#vlan 200
Brocade(config-vlan-200)#tag ethernet 1/1 to 1/8
Brocade(config-vlan-200)#vsrp vrid 1
Brocade(config-vlan-200-vrid-1)#backup
Brocade(config-vlan-200-vrid-1)#activate
Syntax: [no] vsrp vrid The parameter specifies the VRID and can be from 1 – 255. Syntax: [no] backup [priority ] [track-priority ] This command is required.
Changing the timer scale To achieve sub-second failover times, you can shorten the duration of all scale timers for VSRP, VRRP, and VRRP-E by adjusting the timer scale. The timer scale is a value used by the software to calculate the timers. By default, the scale value is 1. If you increase the timer scale, each timer value is divided by the scale value. Using the timer scale to adjust timer values enables you to easily change all the timers while preserving the ratios among their values.
Syntax: [no] vsrp auth-type no-auth | simple-text-auth The auth-type no-auth parameter indicates that the VRID and the interface it is configured on do not use authentication. The auth-type simple-text-auth parameter indicates that the VRID and the interface it is configured on use a simple text password for authentication. The value is the password, and can be up to eight characters.
Removing a port from the VRID VLAN By default, all the ports on which you configure a VRID are interfaces for the VRID. You can remove a port from the VRID while allowing it to remain in the VLAN. Removing a port is useful in the following cases: • There is no risk of a loop occurring, such as when the port is attached directly to an end host. • You plan to use a port in an MRP ring. To remove a port from a VRID, enter a command such as the following at the configuration level for the VRID.
• The backup priority is used for election of the Master. The VSRP Backup with the highest priority value for the VRID is elected as the Master for that VRID. The default priority is 100. If two or more Backups are tied with the highest priority, the Backup with the highest IP address becomes the Master for the VRID. • The track priority is used with the track port feature. Refer to “VSRP priority calculation” on page 636 and “Changing the default track priority setting” on page 649.
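The priority arithmetic spread over the preceding pages (port-ratio recalculation from Figure 52, track-port subtraction, Master election with the IP-address tie-break, and the timer scale) fits in a few lines of code. The following model is an added example, not Brocade code and not part of this guide; the class and function names (VsrpDevice, elect_master, scaled_timers, failover_demo) and the port and address values are constructed for the illustration.

```python
"""VSRP priority, election and timer arithmetic as described in this chapter.

Added illustration, not Brocade code; class and function names are assumptions
of this example. Rules taken from the guide:
  * actual priority = configured priority * (VRID ports up / VRID ports total)
  * a down track port subtracts its track priority from the configured priority
    before that ratio is applied
  * the Backup with the highest priority becomes Master; on a tie, the highest
    IP address wins
  * with timer scale N every VSRP timer is divided by N (scale 10 = 10 percent)
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class VsrpDevice:
    name: str
    ip: str
    configured_priority: int = 100                    # guide default
    vrid_ports: dict = field(default_factory=dict)    # port -> link up?
    track_ports: dict = field(default_factory=dict)   # port -> (link up?, track priority)

    def actual_priority(self) -> int:
        """Priority the device advertises after track-port and port-ratio adjustment."""
        base = self.configured_priority
        for up, track_priority in self.track_ports.values():
            if not up:                                # tracked link lost
                base -= track_priority
        base = max(base, 0)
        if not self.vrid_ports:
            return base
        up_count = sum(1 for link_up in self.vrid_ports.values() if link_up)
        # Figure 52 shows 100 * (2/3) = 67, so the result is rounded, not truncated.
        return round(base * up_count / len(self.vrid_ports))


def elect_master(devices):
    """Highest actual priority wins; ties are broken by the highest IP address."""
    return max(devices, key=lambda d: (d.actual_priority(), int(IPv4Address(d.ip))))


def scaled_timers(timers: dict, scale: int = 1) -> dict:
    """Apply the timer scale (1 .. 10) to every configured VSRP timer (seconds)."""
    if not 1 <= scale <= 10:
        raise ValueError("timer scale must be between 1 and 10")
    return {name: seconds / scale for name, seconds in timers.items()}


def failover_demo():
    """Constructed scenario from Figure 52: both devices at 100, left loses one link.

    Raising the left device to 150 (the page's remedy) brings it back to 100;
    the resulting tie is settled by the higher IP address, which here is left's.
    """
    left = VsrpDevice("left", "10.0.0.2",
                      vrid_ports={"1/1": True, "1/2": False, "1/3": True})
    right = VsrpDevice("right", "10.0.0.1",
                       vrid_ports={"1/1": True, "1/2": True, "1/3": True})
    before = elect_master([left, right]).name
    left.configured_priority = 150
    after = elect_master([left, right]).name
    return before, after


if __name__ == "__main__":
    print(failover_demo())                               # ('right', 'left')
    print(scaled_timers({"hold_down": 3}, scale=10))     # {'hold_down': 0.3}
```

The tie-break matters operationally: when two Backups end up with the same computed priority, the device with the numerically higher address takes the VRID, so two devices that are meant to be unequal should differ in configured priority by more than the largest track-port penalty they can incur.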
To change the TTL for a VRID, enter a command such as the following at the configuration level for the VRID.
Brocade(config-vlan-200-vrid-1)#initial-ttl 5
Syntax: [no] initial-ttl The parameter specifies the TTL and can be from 1 – 255. The default TTL is 2. Changing the hello interval setting The Master periodically sends Hello messages to the Backups. To change the Hello interval, enter a command such as the following at the configuration level for the VRID.
When a Backup is enabled to send Hello messages, the Backup sends a Hello message to the Master every 60 seconds by default. You can change the interval to be up to 3600 seconds. To change the Backup Hello interval, enter a command such as the following at the configuration level for the VRID.
Brocade(config-vlan-200-vrid-1)#backup-hello-interval 180
Syntax: [no] backup-hello-interval The parameter specifies the message interval and can be from 60 – 3600 seconds.
Syntax: [no] backup [priority ] [track-priority ] Specifying a track port setting You can configure the VRID on one interface to track the link state of another interface on the device. This capability is useful for tracking the state of the exit interface for the path for which the VRID is providing redundancy. Refer to “VSRP priority calculation” on page 636. To configure a VRID to track an interface, enter a command such as the following at the configuration level for the VRID.
You can prevent the Backups from advertising route information for the backed up interface by enabling suppression of the advertisements. NOTE This parameter applies only if you specified an IP address to back up and is valid only on Layer 3 Switches. To suppress RIP advertisements, enter the following commands.
Displaying VRID information To display VSRP information, enter the following command.
TABLE 119 CLI display of VSRP VRID or VLAN information (Continued)
Field | Description
Advertise-backup | Whether the device is enabled to send VSRP Hello messages when it is a Backup. This field can have one of the following values:
• disabled – The device does not send Hello messages when it is a Backup.
• enabled – The device does send Hello messages when it is a Backup.
TABLE 119 CLI display of VSRP VRID or VLAN information (Continued)
Field | Description
Operational ports | The member ports that are currently up.
Forwarding ports | The member ports that are currently in the Forwarding state. Ports that are forwarding on the Master are listed. Ports on the Standby, which are in the Blocking state, are not listed.
Configuring VSRP fast start The VSRP fast start feature can be enabled on a VSRP-configured Brocade device, either on the VLAN to which the VRID of the VSRP-configured device belongs (globally) or on a port that belongs to the VRID. To globally configure a VSRP-configured device to shut down its ports when a failover occurs, then restart after five seconds, enter the following command.
VSRP and MRP signaling A device may connect to an MRP ring through VSRP to provide a redundant path between the device and the MRP ring. VSRP and MRP signaling ensures rapid failover by flushing MAC addresses appropriately. The host on the MRP ring learns the MAC addresses of all devices on the MRP ring and VSRP link. From these MAC addresses, the host creates a MAC database (table), which is used to establish a data path from the host to a VSRP-linked device.
• The MRP node sends out an MRP PDU with the mac-flush flag set three times on the MRP ring.
• The MRP node that receives this MRP PDU empties all the MAC entries from its interfaces that participate on the MRP ring.
• The MRP node then forwards the MRP PDU with the mac-flush flag set to the next MRP node that is in forwarding state. The process continues until the Master MRP node secondary (blocking) interface blocks the packet.
Chapter 18 Power over Ethernet Table 121 lists the individual Brocade FastIron switches and the Power over Ethernet (PoE) features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where noted. TABLE 121 SXS Supported PoE features Feature FESX FSX 800 FSX 1600 PoE interface modules1 FWS PoE models only FCX PoE+ models only ICX 6610 PoE models only ICX 6430 ICX 6450 PoE models only PoE+ (802.
Power over Ethernet overview IP technology devices. The 802.3at specification expands the standards to support higher power levels for more demanding powered devices, such as video IP phones, pan-tilt-zoom cameras and high-power outdoor antennas for wireless access points. Except where noted, this document will use the term PoE to refer to both PoE and PoE+. Table 121 lists the FastIron devices and modules that support PoE, PoE+, or both.
With the Endspan solution, there are two supported methods of delivering power. In Alternative A, four wires deliver data and power over the network. Specifically, power is carried over the live wire pairs that deliver data, as illustrated in Figure 59. In Alternative B, the four wires of the spare pairs are used to deliver power over the network. Brocade PoE devices support Alternative A. The Endspan method is illustrated in Figure 59.
FIGURE 60 PoE Midspan delivery method [figure: FastIron Edge 4802 POE switch front panel and midspan power source; port numbering and remaining panel labels not recoverable from the text]
TABLE 122 Power classes for PDs
Class | Usage | Power (watts) from Power Sourcing Device: Standard PoE | PoE+
0 | default | 15.4 | 30
1 | optional | 4 | 4
2 | optional | 7 | 7
3 | optional | 15.4 | 15.4
4 | optional | 15.4 | 30
Power specifications The 802.3af (PoE) standard limits power to 15.4 watts (44 to 50 volts) from the power sourcing device, in compliance with safety standards and existing wiring limitations. Though limited by the 802.3af standard, 15.
• When a PoE power supply is installed in the chassis
• When a PoE power supply is removed from the chassis
These events are described in detail in the following sections. NOTE A PoE power supply upgrade does not persist beyond a single power cycle. Therefore, an upgrade will occur automatically each time a power supply is re-inserted in the chassis.
• If a 52 volt-capable power supply is installed in a chassis that is operating with 54 volt-capable power supplies that are actively providing power, the system will reject the newly installed power supply since it cannot safely operate with the 54 volt-capable power supplies. In this case, the 52-volt power supply will be powered OFF and an error message similar to the following will display on the console.
VoIP Voice over IP (VoIP) is the convergence of traditional telephony networks with data networks, utilizing the existing data network infrastructure as the transport system for both services. Traditionally, voice is transported on a network that uses circuit-switching technology, whereas data networks are built on packet-switching technology.
Filename refers to the name of the file, including the pathname. FCX and ICX platforms To install PoE firmware on FCX and ICX platforms, enter a command such as the following.
Brocade#inline power install-firmware stack-unit 1 fcx_poeplus_07400.fw tftp 10.120.54.161
Syntax: inline power install-firmware stack-unit tftp Stack-unit refers to the unit-id of the switch.
PoE Info: FW Download on slot 1 module 1...(re)sending download command...
PoE Info: FW Download on slot 1 module 1...TPE response received.
PoE Info: FW Download on slot 1 module 1...(re)sending erase command...
PoE Info: FW Download on slot 1 module 1...erase command...accepted.
PoE Info: FW Download on slot 1 module 1...erasing firmware memory...
PoE Info: FW Download on slot 1 module 1...erasing firmware memory...completed
PoE Info: FW Download on slot 1 module 1..
Enabling and disabling Power over Ethernet To enable a port to receive inline power for power consuming devices, enter commands such as the following.
Brocade#configure terminal
Brocade(config)# interface ethernet 1/1
Brocade(config-if-e1000-1/1)# inline power
After entering the above commands, the console displays the following message.
Brocade(config-if-e1000-1/1)#PoE Info: Power enabled on port 1/1.
Enabling the detection of PoE power requirements advertised through CDP To re-enable support for legacy power consuming devices after it has been disabled, enter the legacy-inline-power command (without the no parameter). The variable is required on chassis devices when disabling or re-enabling legacy support on a slot. Use the show run command to view whether support for PoE legacy power consuming devices is enabled or disabled.
Setting the maximum power level for a PoE power-consuming device Setting power levels configuration note Consider the following when enabling this feature: • There are two ways to configure the power level for a PoE or PoE+ power consuming device. The first method is discussed in this section. The other method is provided in the section “Setting the power class for a PoE power-consuming device” on page 672. For each PoE port, you can configure either a maximum power level or a power class.
Setting the power class for a PoE power-consuming device A power class specifies the maximum amount of power that a Brocade PoE or PoE+ device will supply to a power consuming device. Table 124 shows the different power classes and their respective maximum power allocations.
TABLE 124 Power classes for PDs
Class | Usage | Power (watts) from Power Sourcing Device: Standard PoE | PoE+
0 | default | 15.
Setting the power budget for a PoE interface module These commands enable inline power on interface ethernet 1 in slot 1 and set the power class to 2. Syntax: inline power power-by-class The variable is the power class. Enter a value between 0 and 4. The default is 0. Table 124 shows the different power classes and their respective maximum power allocations. NOTE Do not configure a class value of 4 on a PoE+ port on which a standard PoE PD is connected.
Setting the inline power priority for a PoE port slot number then by port number, provided enough power is available for the ports. For example, PoE port 1/11 should receive power before PoE port 2/1. However, if PoE port 1/11 needs 12 watts of power and PoE port 2/1 needs 10 watts of power, and 11 watts of power become available on the device, the FastIron PoE device will allocate the power to port 2/1 because it does not have sufficient power for port 1/11.
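The class limits of Table 122 / Table 124, the class-4 caution above, and the allocation rule just described (a port whose request does not fit is skipped so that a later, smaller request can still be honoured) are easy to get wrong when planning a power budget by hand. The following allocator is an added example, not Brocade code and not the switch's actual algorithm; the names (POWER_CLASS_WATTS, class_max_mwatts, class_setting_is_safe, PoePort, allocate_power) are constructed for this illustration, and ordering ports by their inline power priority value before slot and port number is this example's assumption, since the page's sentence describing that step is cut off.

```python
"""PoE power-class limits and priority-ordered power allocation from this chapter.

Added illustration, not Brocade code; names are assumptions of this example.
Facts taken from the guide: the Table 122/124 class limits; ports are served
by slot number then port number when enough power is available; a port whose
request does not fit is skipped so that a later port that does fit can be
powered (the 1/11 versus 2/1 example). Ordering by inline power priority value
first (1 before 2 before 3) is this example's assumption.
"""
from dataclasses import dataclass

# Table 122 / Table 124: maximum watts per PD class, (standard PoE, PoE+).
POWER_CLASS_WATTS = {
    0: (15.4, 30.0),   # default class
    1: (4.0, 4.0),
    2: (7.0, 7.0),
    3: (15.4, 15.4),
    4: (15.4, 30.0),
}


def class_max_mwatts(pd_class: int, poe_plus_port: bool) -> int:
    """Milliwatts a standard PoE or PoE+ port supplies to a PD of this class."""
    standard, plus = POWER_CLASS_WATTS[pd_class]
    return int(round((plus if poe_plus_port else standard) * 1000))


def class_setting_is_safe(pd_class: int, poe_plus_port: bool, pd_is_standard_poe: bool) -> bool:
    """Guide note: do not configure class 4 on a PoE+ port that has a standard PoE PD."""
    return not (pd_class == 4 and poe_plus_port and pd_is_standard_poe)


@dataclass(frozen=True)
class PoePort:
    slot: int
    port: int
    priority: int          # inline power priority; the show output lists 3 for the sample ports
    request_mwatts: int    # what the attached PD needs

    @property
    def name(self) -> str:
        return f"{self.slot}/{self.port}"


def allocate_power(ports, free_mwatts: int):
    """Walk ports in (priority, slot, port) order and power each one that still fits.

    Returns ({port name: allocated mW}, remaining mW).
    """
    allocations = {}
    remaining = free_mwatts
    for p in sorted(ports, key=lambda p: (p.priority, p.slot, p.port)):
        if p.request_mwatts <= remaining:
            allocations[p.name] = p.request_mwatts
            remaining -= p.request_mwatts
        # otherwise skip it; a later port with a smaller request may still be served
    return allocations, remaining


def guide_example():
    """The page's case: 1/11 needs 12 W, 2/1 needs 10 W, 11 W free -> only 2/1 is powered."""
    ports = [PoePort(1, 11, 3, 12000), PoePort(2, 1, 3, 10000)]
    return allocate_power(ports, 11000)


if __name__ == "__main__":
    print(guide_example())                       # ({'2/1': 10000}, 1000)
    print(class_max_mwatts(4, True))             # 30000
    print(class_setting_is_safe(4, True, True))  # False
```

Because the walk never reserves power for a skipped port, a higher-ranked port can stay unpowered indefinitely while smaller requests keep consuming the budget; if a port must always win, give it a better inline power priority rather than relying on slot and port order.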
Resetting PoE parameters NOTE Resetting PoE parameters applies to the FastIron X Series PoE chassis. You can override or reset PoE port parameters including power priority, power class, and maximum power level. To do so, you must specify each PoE parameter in the CLI command line. This section provides some CLI examples.
Displaying Power over Ethernet information
Brocade#show inline power
Power Capacity: Total is 2160000 mWatts. Current Free is 18800 mWatts.
Power Allocations: Requests Honored 769 times
... some lines omitted for brevity...
Port Admin Oper ---Power(mWatts)--- PD Type PD Class Pri Fault/
     State State Consumed Allocated                        Error
--------------------------------------------------------------------------
4/1 On On 5070 9500 802.3af n/a 3 n/a
4/2 On On 1784 9500 Legacy n/a 3 n/a
4/3 On On 2347 9500 802.
Table 125 provides definitions for the show inline power command.
TABLE 125 Field definitions for the show inline power command
Column | Definition
Power Capacity | The total PoE power supply capacity and the amount of available power (current free) for PoE power consuming devices. Both values are shown in milliwatts.
Power Allocations | The number of times the FSX fulfilled PoE requests for power.
Port | The slot number and port number.
TABLE 125 Field definitions for the show inline power command (Continued)
Column | Definition
Fault/Error | If applicable, this is the fault or error that occurred on the port. This value can be one of the following:
• critical temperature – The PoE chip temperature limit rose above the safe operating level, thereby powering down the port.
The following is an example of the show inline power detail command output on an FCX POE+ switch.
Brocade#FCX#show inline power detail
Power Supply Data On stack 1:
++++++++++++++++++
Power Supply #1:
Max Curr: 7.5 Amps
Voltage: 54.0 Volts
Capacity: 410 Watts
POE Details Info. On Stack 1 :
General PoE Data:
+++++++++++++++++
Firmware Version
--------
02.1.
The following is an example of the show inline power detail command output on a FastIron X Series PoE switch.
Brocade#show inline power detail
Power Supply Data:
++++++++++++++++++
PoE+ Max Operating Voltage: 54 V
Power Supply #1:
Model Number: 32004000
Serial Number: 093786124716
Firmware Ver: 1.6
Test Date: 9/12/09 (mm/dd/yy)
H/W Status: 807
Max Curr: 50.0 Amps
Voltage: 54.
Capacity:
PoE Capacity:
Consumption:
Cumulative Port Power Data:
+++++++++++++++++++++++++++
Slot  #Ports Pri: 1  #Ports Pri: 2  #Ports Pri: 3  Power Consumption  Power Allocation  Power Budget
-----------------------------------------------------------------
3     0              0              48             513.90 W           739.200 W         65535.0 W
4     0              0              48             1346.497 W         1440.0 W          65535.0 W
6     0              0              24             0.0 W              0.0 W             65535.0 W
7     0              0              48             43.72 W            61.600 W          65535.0 W
8     0              0              24             0.0 W              0.0 W             65535.
TABLE 126 Field definitions for the show inline power detail command (Continued)
Column | Definition
Firmware Version | The Interface module / slot number firmware version.
Cumulative port state data
NOTE: When you enable a port using the CLI, it may take 12 or more seconds before the operational state of that port is displayed correctly in the show inline power output.
Slot | The Interface module / slot number.
Chapter 19 UDLD and Protected Link Groups Table 127 lists the individual Brocade FastIron switches and the Uni-Directional Link Detection (UDLD) and protected link group features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
UDLD overview When UDLD is enabled on the trunk ports on each Brocade device, the devices detect the failed link, disable the ports connected to the failed link, and use the remaining ports in the trunk group to forward the traffic. Ports enabled for UDLD exchange proprietary health-check packets once every second (the keepalive interval). If a port does not receive a health-check packet from the port at the other end of the link within the keepalive interval, the port waits for two more intervals.
To enable UDLD on a port, enter a command such as the following at the global CONFIG level of the CLI.
Brocade(config)#link-keepalive ethernet 0/1/1
To enable the feature on a trunk group, enter commands such as the following.
Brocade(config)#link-keepalive ethernet 0/1/1 ethernet 0/1/2
Brocade(config)#link-keepalive ethernet 0/1/3 ethernet 0/1/4
Syntax: [no] link-keepalive ethernet [to | ethernet ] This command is not supported if you downgrade the device to FCX 6.
Changing the Keepalive interval By default, ports enabled for UDLD send a link health-check packet once every 500 ms. You can change the interval to a value from 1 – 60, where 1 is 100 ms, 2 is 200 ms, and so on. To change the interval, enter a command such as the following.
Brocade(config)#link-keepalive interval 3
Syntax: [no] link-keepalive interval The parameter specifies how often the ports send a UDLD packet. You can specify from 1 – 60, in 100 ms increments.
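To make the keepalive timing concrete (one interval without a health-check packet, then two more intervals of grace before the link is treated as failed), here is a per-port bookkeeping model. It is an added example, not Brocade code and not the switch's implementation; the names (keepalive_interval_ms, UdldPort, GRACE_INTERVALS) and the timestamps are constructed, and treating the port as disabled once the logical link is down is this example's reading of the overview, since the sentence describing what happens after the two extra intervals is cut off on the page.

```python
"""UDLD keepalive bookkeeping for one port, as described in the UDLD overview.

Added illustration, not Brocade code; names are assumptions of this example.
From the guide: the keepalive interval is configured in units of 100 ms
(1 .. 60); a port that receives no health-check packet within one interval
waits two more intervals before acting. Reporting the logical link down and
disabling the port at that point follows the overview's description of a
detected failed link and is this example's reading of the text.
"""
from dataclasses import dataclass, field
from typing import List, Optional

GRACE_INTERVALS = 2           # "the port waits for two more intervals"


def keepalive_interval_ms(units: int) -> int:
    """Translate the link-keepalive interval setting (1 .. 60) to milliseconds."""
    if not 1 <= units <= 60:
        raise ValueError("link-keepalive interval must be 1 .. 60 (100 ms units)")
    return units * 100


@dataclass
class UdldPort:
    name: str
    interval_units: int = 5                 # 500 ms, the default the guide states
    physical_up: bool = True
    rx_times_ms: List[int] = field(default_factory=list)
    packets_received: int = 0               # the "Packets received" counter of Table 129

    def receive_health_check(self, at_ms: int) -> None:
        """Record a health-check packet from the far end of the link."""
        self.rx_times_ms.append(at_ms)
        self.packets_received += 1

    def missed_intervals(self, now_ms: int) -> Optional[int]:
        """Whole keepalive intervals elapsed since the last packet (None if none seen)."""
        if not self.rx_times_ms:
            return None
        elapsed = now_ms - max(self.rx_times_ms)
        return elapsed // keepalive_interval_ms(self.interval_units)

    def logical_link(self, now_ms: int) -> str:
        """'Up', 'Waiting' (inside the two grace intervals) or 'Down'.

        A port that has never received a packet is reported Down (assumption).
        """
        if not self.physical_up:
            return "Down"
        missed = self.missed_intervals(now_ms)
        if missed is None or missed > GRACE_INTERVALS:
            return "Down"
        return "Up" if missed == 0 else "Waiting"

    def traffic_state(self, now_ms: int) -> str:
        """The port is taken out of service once the logical link is down."""
        return "Forwarding" if self.logical_link(now_ms) != "Down" else "Disabled"


def demo():
    """Constructed timeline: interval 3 (300 ms), last packet seen at t = 1000 ms."""
    port = UdldPort("0/1/1", interval_units=3)
    port.receive_health_check(1000)
    return [port.logical_link(t) for t in (1200, 1300, 1899, 1900)]


if __name__ == "__main__":
    print(demo())   # ['Up', 'Waiting', 'Waiting', 'Down']
```

The useful detection point is the transition into "Waiting": a link that repeatedly enters and leaves that state without ever reaching "Down" is losing health-check packets in one direction, which is exactly the unidirectional condition UDLD exists to catch.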
TABLE 128 CLI display of UDLD information (Continued)
Field | Description
Keepalive Interval | The number of seconds between health check packets.
Port | The port number.
Physical Link | The state of the physical link. This is the link between the Brocade port and the directly connected device.
Logical Link | The state of the logical link. This is the state of the link between this Brocade port and the Brocade port on the other end of the link.
State | The traffic state of the port.
TABLE 129 CLI display of detailed UDLD information (Continued)
Field | Description
Local System ID | A unique value that identifies this Brocade device. The ID can be used by Brocade technical support for troubleshooting.
Remote System ID | A unique value that identifies the Brocade device at the remote end of the link.
Packets sent | The number of UDLD health-check packets sent on this port.
Packets received | The number of UDLD health-check packets received on this port.
Protected link groups A protected link group minimizes disruption to the network by protecting critical links from loss of data and power. In a protected link group, one port in the group acts as the primary or active link, and the other ports act as secondary or standby links. The active link carries the traffic. If the active link goes down, one of the standby links takes over.
• FastIron WS and Brocade FCX Series devices support protected link groups consisting of Gbps fiber ports, 10/100/1000 copper ports, and 10/100 ports, or any combination thereof. These devices do not support protected link groups on 10-GbE ports.
• This feature is supported with tagged and untagged ports.
• This feature is supported with trunk ports.
• The protected link groups feature is not supported with LACP.
NOTE If you do not explicitly configure an active port, the Brocade device automatically assigns one as the first port in the protected link group to come up. These commands configure port e1 as the active port and ports e2 – e4 as standby ports. If port 1 goes down, the Brocade device enables the first available standby port, and switches the traffic to that port.
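The failover behaviour just described (a configured or automatically chosen active port, standbys taken in turn as links fail, "None" when nothing is up) can be modelled as a small state machine, which is handy for checking what a show command should report after a sequence of link events. This is an added example, not Brocade code and not the switch's implementation; the class name ProtectedLinkGroup, its methods, and the port names are constructed. Two points the page does not settle are assumptions of this model: standby ports are tried in configured member order, and the group does not switch back on its own when a failed port returns.

```python
"""Protected link group failover model from the 'Protected link groups' section.

Added illustration, not Brocade code; class and method names are assumptions
of this example. Behaviour taken from the guide: one member port is the active
link and the others are standby; when the active link goes down the first
available standby takes over; if no active port is configured, the first member
port to come up becomes the active port. Assumptions of this example: standbys
are tried in configured member order, and there is no automatic switch-back
when a failed port returns (the page does not describe revert behaviour).
"""
from typing import Dict, List, Optional


class ProtectedLinkGroup:
    def __init__(self, group_id: int, members: List[str],
                 configured_active: Optional[str] = None):
        if configured_active is not None and configured_active not in members:
            raise ValueError("configured active port must be a group member")
        self.group_id = group_id
        self.members = list(members)
        self.configured_active = configured_active
        self.link_up: Dict[str, bool] = {m: False for m in members}
        self.current_active: Optional[str] = None

    def _first_available(self) -> Optional[str]:
        """Configured active port if it is up, else the first standby that is up."""
        if self.configured_active and self.link_up[self.configured_active]:
            return self.configured_active
        for port in self.members:
            if self.link_up[port]:
                return port
        return None

    def port_up(self, port: str) -> Optional[str]:
        """Link-up event; with no active link yet, the first port up takes over."""
        self.link_up[port] = True
        if self.current_active is None:
            self.current_active = self._first_available()
        return self.current_active

    def port_down(self, port: str) -> Optional[str]:
        """Link-down event; losing the active link fails over to the next available one."""
        self.link_up[port] = False
        if port == self.current_active:
            self.current_active = self._first_available()
        return self.current_active

    def show(self) -> dict:
        """The fields Table 130 describes; 'None' when nothing is configured or up."""
        return {
            "Group ID": self.group_id,
            "Member Port(s)": list(self.members),
            "Configured Active Port": self.configured_active or "None",
            "Current Active Port": self.current_active or "None",
        }


def demo():
    """Constructed run of the page's e1 (active) / e2 - e4 (standby) configuration."""
    g = ProtectedLinkGroup(1, ["e1", "e2", "e3", "e4"], configured_active="e1")
    for port in g.members:
        g.port_up(port)
    return [g.current_active, g.port_down("e1"), g.port_down("e2"),
            g.port_down("e3"), g.port_down("e4")]


if __name__ == "__main__":
    print(demo())   # ['e1', 'e2', 'e3', 'e4', None]
```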
TABLE 130 CLI display of protected link group information
Field | Description
Group ID | The ID number of the protected link group.
Member Port(s) | The ports that are members of the protected link group.
Configured Active Port | The statically configured active port. If you do not statically configure an active port, this value will be "None".
Current Active Port | The current active port for the protected link group. If all member ports are down, this value will be "None".
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• ICX devices – slotnum/portnum
• FESX compact switches – portnum
Chapter 20 Trunk Groups and Dynamic Link Aggregation Table 131 lists the individual Brocade FastIron switches and the trunk groups and dynamic link aggregation features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Trunk group overview FIGURE 62 Trunk group application within a FastIron network [figure: an FESX on a Gigabit Backbone connected by trunk groups to FSX1 and FSX2; other labels: Server, Power Users, Dedicated 100 Mbps] NOTE The ports in a trunk group make a single logical link. Therefore, all the ports in a trunk group must be connected to the same device at the other end.
FIGURE 63 Trunk group between a server and a Brocade compact Layer 2 switch or Layer 3 switch [figure: a multi-homing server, whose multi-homing adapter has the same IP and MAC address, connected by a trunk group to a FastIron switch] Trunk group rules Table 132 lists the maximum number of trunk groups you can configure on a Brocade device and the valid number of ports in a trunk group. The table applies to static and LACP trunk ports.
• 48-port 10/100/1000 Mbps (RJ45) Ethernet PoE interface module (SX-FI48GPP) and IPv4/IPv6 interface modules or management modules with user ports.
To change port parameters, you must change them on the primary port. The software automatically applies the changes to the other ports in the trunk group.
Configuration notes for FastIron devices in an IronStack In a Brocade IronStack system, a trunk group may have port members distributed across multiple stack units. Both static and dynamic trunking are supported. NOTE Cascaded trunks between stack units are supported on Brocade ICX devices only. To configure trunk groups for FastIron devices in an IronStack, use the CLI syntax in “CLI syntax for configuring consecutive ports in a trunk group” on page 707.
FIGURE 64 Examples of 2-port and 3-port trunk groups [figure: chassis front-panel drawing; module and LED labels not reproduced] Figure 65 shows examples of two chassis devices connected by multi-slot trunk groups.
FIGURE 65 Examples of multi-slot trunk groups [figure: two FastIron SuperX chassis connected by multi-slot trunk groups; module and LED labels not reproduced]
NOTE For FCX devices only, flexible trunk group membership is supported from Web Management, but not from SNMP. For all other FastIron devices, this feature is not supported from Web Management or SNMP. For configuration details, refer to “CLI syntax for configuring non-consecutive ports in a trunk group” on page 708. Trunk group load sharing Brocade devices load-share across the ports in the trunk group.
Table 133 shows how the FastIron X Series devices load balance traffic across the ports in a trunk group.
Syntax: [no] trunk hash-options include-layer2 Configuring a trunk group 1. Disconnect the cables from those ports on both systems that will be connected by the trunk group. Do not configure the trunk groups with the cables connected. NOTE If you connect the cables before configuring the trunk groups and rebooting, the traffic on the ports can create a spanning tree loop. 2.
The variable specifies the primary port. Notice that each port group must begin with a primary port. The primary port of the first port group specified (which must be the group with the lower port numbers) becomes the primary port for the entire trunk group.
Example 1: Configuring the trunk groups To configure the trunk groups shown in Figure 62, enter the following commands. Notice that the commands are entered on multiple devices. To configure the trunk group link between FSX1 and the FESX, enter the following commands. NOTE The text shown in italics in the following CLI example shows messages echoed to the screen in answer to the CLI commands entered.
NOTE If you disable a module that is part of a multi-slot trunk group, the corresponding trunk ports will go down, but the remaining ports in the trunk will remain up and running. However, when you re-enable the module, all of the trunk ports will go down and then come back up. In other words, trunk ports are redeployed when a module is re-enabled.
Example 5: Configuring a static trunk group for devices in an IronStack The following example shows how to configure a static trunk group for units in an IronStack, and the result of the configured trunk group in the show trunk output.
Naming a trunk port Naming a trunk port is supported on individual ports of a static trunk group. To name an individual port in a trunk group, enter a command such as the following at the trunk group configuration level.
Brocade(config)#trunk e 4/1 to 4/4
Brocade(config-trunk-4/1-4/4)#port-name customer1 ethernet 4/2
This command assigns the name “customer1” to port 4/2 in the trunk group consisting of ports 4/1 to 4/4.
NOTE If you enter no config-trunk-ind, all port configuration commands are removed from the individual ports and the configuration of the primary port is applied to all the ports. Also, once you enter the no config-trunk-ind command, the enable, disable, and monitor commands are valid only on the primary port and apply to the entire trunk group. To enable an individual port in a trunk group, enter commands such as the following at the trunk group configuration level.
You can specify a range and a list on the same command line. For example, to re-enable some trunk ports, enter a command such as the following.
Brocade(config-trunk-2/1-2/4)#enable ethernet 2/1 to 2/2 ethernet 2/4
Syntax: [no] disable ethernet to | ethernet Syntax: [no] enable ethernet to | ethernet The variable specifies an individual port.
For example, the following commands establish a trunk group consisting of four ports, and then establish a threshold for this trunk group of three ports.
Brocade(config)#trunk e 3/31 to 3/34
Brocade(config-trunk-3/31-3/34)#threshold 3
In this example, if the number of active ports drops below three, then all the ports in the trunk group are disabled.
Setting the sFlow sampling rate on a trunk port You can configure an individual trunk port to use a different sampling rate than the global default sampling rate. This feature is supported on static trunk ports. For configuration details, refer to “Changing the sampling rate for a trunk port” on page 544. Displaying trunk group configuration information To display configuration information for the trunk groups, use the show trunk command.
TABLE 135 CLI trunk group information (Continued)
Field | Description
Tag | Indicates whether the ports have 802.1Q VLAN tagging. The value can be Yes or No.
Priority | Indicates the Quality of Service (QoS) priority of the ports. The priority can be a value from 0 through 7.
Active Ports | The number of ports in the trunk group that are currently active.
Ports | The ports in the trunk group.
Link_Status | The link status of each port in the trunk group.
Dynamic link aggregation Brocade software supports the IEEE 802.3ad standard for link aggregation. This standard describes the Link Aggregation Control Protocol (LACP), a mechanism for allowing ports on both sides of a redundant link to form a trunk link (aggregate link), without the need for manual configuration of the ports into trunk groups.
Dynamic link aggregation IronStack LACP trunk group configuration example To configure a trunk group consisting of two groups of two ports each on an IronStack, enter commands similar to the following.
Dynamic link aggregation FIGURE 67 Examples of valid aggregate links Brocade ports enabled for link aggregation follow the same rules as ports configured for trunk groups.
Dynamic link aggregation Configuration notes and limitations for configuring IronStack LACP trunk groups This section lists the configuration considerations and limitations for dynamic link aggregation. FastIron stackable devices The following notes and feature limitations apply to the FastIron WS and Brocade FCX Series devices: • The dynamic link aggregation (802.3ad) implementation allows any number of ports up to eight to be aggregated into a link.
FastIron X Series devices
The following notes and feature limitations apply to the FastIron X Series devices:
• You cannot use 802.3ad link aggregation on a port configured as a member of a static trunk group.
• The dynamic link aggregation (802.3ad) implementation on FastIron X Series devices allows different numbers of ports to be aggregated in a link, depending on the IP version (IPv6 or IPv4) and the software version running on the device.
Dynamic link aggregation Flexible trunk eligibility The criteria for trunk port eligibility in an aggregate link are flexible. A range of ports can contain down ports and remain eligible to become an aggregate link. By default, the device places the ports into 2-port groups, consisting of an odd-numbered port and the next even-numbered port. For example, ports 1/1 and 1/2 are a 2-port group, as are ports 1/3 and 1/4, 9/1 and 9/2, and so on.
Dynamic link aggregation As shown in Table 136, all or a subset of the ports within a port range will be eligible for formation into an aggregate link based on port states. Notice that the sets of ports that are eligible for the aggregate link must be valid static trunk configurations. Enabling dynamic link aggregation By default, link aggregation is disabled on all ports. To enable link aggregation on a set of ports, enter commands such as the following at the Interface configuration level of the CLI.
To disable link aggregation on a port, enter a command such as the following.
Brocade(config-if-e1000-1/8)#link-aggregate off
Syntax: [no] link-aggregate active | passive | off
Syntax: [no] link-aggregate configure [system-priority ] | [port-priority ] | [key ]
NOTE For more information about keys, including details about the link-aggregate and link-aggregate configure commands, refer to “Key” on page 726.
Dynamic link aggregation System priority The system priority parameter specifies the link aggregation priority on the Brocade device relative to the devices at the other ends of the links on which link aggregation is enabled. A higher value indicates a lower priority. You can specify a priority from 0 through 65535. The default is 1.
FIGURE 69 Ports with the same key in different aggregate links
[Figure: a device with System ID aaaa.bbbb.cccc whose ports 1/1 - 1/8 all have key 0, connected to two other devices: System ID dddd.eeee.ffff (ports 1/5 - 1/8: key 4) and System ID 1111.2222.3333 (ports 1/5 - 1/8: key 69)]
All these ports have the same key, but are in two separate aggregate links with two other devices. Notice that the keys between one device and another do not need to match.
FIGURE 70 Multi-slot aggregate link
[Figure: a device with System ID aaaa.bbbb.cccc; ports 1/1 - 1/4 have key 0 and ports 3/5 - 3/8 have key 0]
All ports in a multi-slot aggregate link have the same key. By default, the device ports are divided into 4-port groups. The software dynamically assigns a unique key to each 4-port group.
Dynamic link aggregation Brocade#show link-aggregate System ID: 0004.8055.
Brocade(config)#interface ethernet 1/1 to 1/4
Brocade(config-mif-1/1-1/4)#link-aggregate off
Brocade(config-mif-1/1-1/4)#link-aggregate configure key 10000
Brocade(config-mif-1/1-1/4)#link-aggregate active
Brocade(config-mif-1/1-1/4)#interface ethernet 3/5 to 3/8
Brocade(config-mif-3/5-3/8)#link-aggregate off
Brocade(config-mif-3/5-3/8)#link-aggregate configure key 10000
Brocade(config-mif-3/5-3/8)#link-aggregate active
These commands change the key for ports 1/1 through 1/4 and 3
Displaying and determining the status of aggregate links Displaying and determining the status of aggregate links The show link-aggregate command provides the ability to view the status of dynamic links. You can determine the status of ports that are members of an aggregate link, and whether LACP messages are being transmitted between the ports.
Displaying and determining the status of aggregate links Brocade#show link-aggregate System ID: 00e0.52a9.
TABLE 137 Description of show link-aggregate command output (Continued)
Field / Description
Tio: Indicates the timeout value of the port. The timeout value can be one of the following:
• L – Long. The trunk group has already been formed and the port is therefore using a longer message timeout for the LACPDU messages exchanged with the remote port. Typically, these messages are used as confirmation of the health of the aggregate link.
• S – Short.
Clearing the negotiated aggregate links table Displaying link aggregation and port status information for FastIron stackable devices To display link aggregation information for devices in an IronStack, enter the show link-aggregate command. The output for an Ironstack resembles the following. Brocade(config)#show link-aggregate System ID: 0012.f2e5.
Single instance LACP configuration
Configuration notes for single link LACP
• Single link LACP is supported on 1-GbE and 10-GbE ports, as well as across modules.
• Single link LACP is not supported on static trunk ports.
• Single link LACP is not intended for the creation of trunk groups.
• The single link LACP timer is always short (3 seconds) and is not configurable. PDUs are sent out every three seconds.
Chapter 21 VLANs Table 138 lists the individual Brocade FastIron switches and the virtual LAN (VLAN) features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted. TABLE 138 Supported VLAN features Feature FESX FSX 800 FSX 1600 FWS FCX ICX 6610 ICX 6430 ICX 6450 VLAN Support Yes Yes Yes Yes Yes 4096 maximum VLANs Yes Yes Yes Yes Yes 802.1Q with tagging Yes Yes Yes Yes Yes 802.
VLAN overview VLAN overview The following sections provide details about the VLAN types and features supported on the FastIron family of switches. Types of VLANs This section describes the VLAN types supported on Brocade devices.
VLAN overview Layer 2 port-based VLANs On all Brocade devices, you can configure port-based VLANs. A port-based VLAN is a subset of ports on a Brocade device that constitutes a Layer 2 broadcast domain. By default, all the ports on a Brocade device are members of the default VLAN. Thus, all the ports on the device constitute a single Layer 2 broadcast domain. When you configure a port-based VLAN, the device automatically removes the ports you add to the VLAN from the default VLAN.
[Figure: DEFAULT-VLAN (VLAN ID = 1) containing a user-configured Layer 2 port-based VLAN]
When you add a port-based VLAN, the device removes all the ports in the new VLAN from DEFAULT-VLAN.
Configuring port-based VLANs
Port-based VLANs allow you to provide separate spanning tree protocol (STP) domains or broadcast domains on a port-by-port basis.
[Figure 72: FESX Layer 3 switch with two port-based VLANs. VLAN 222, ports 1 - 8, interface e 1: IP Subnet 1, IPX Network 1, AppleTalk Cable-Range 100, AppleTalk Zone Prepress. VLAN 333, ports 9 - 16, interface e 2: IP Subnet 2, IPX Network 2, AppleTalk Cable-Range 200, AppleTalk Zone CTP]
To create the two port-based VLANs shown in Figure 72, enter t
VLAN overview Example 2—More complex port-based VLAN configuration Figure 73 shows a more complex port-based VLAN configuration using multiple Layer 2 switches and IEEE 802.1Q VLAN tagging. The backbone link connecting the three Layer 2 switches is tagged. One untagged port within each port-based VLAN on FESX-A connects each separate network wide Layer 2 broadcast domain to the router for Layer 3 forwarding between broadcast domains.
Brocade-A(config-vlan-4)# untagged ethernet 9 to 12 ethernet 19
Brocade-A(config-vlan-4)# tagged ethernet 25 to 26
Brocade-A(config-vlan-4)# spanning-tree
Brocade-A(config-vlan-4)# spanning-tree priority 500
Brocade-A(config-vlan-4)# vlan 5 name RED
Brocade-A(config-vlan-5)# untagged ethernet 13 to 16 ethernet 20
Brocade-A(config-vlan-5)# tagged ethernet 25 to 26
Brocade-A(config-vlan-5)# spanning-tree
Brocade-A(config-vlan-5)# spanning-tree
Brocade-A(config-vlan-5)#
Brocade-A# write memory
Syntax: vlan by port
Syntax: untagged ethernet [/] [to [/] | ethernet [/]]
Syntax: tagged ethernet [/] [to <[/]portnum> | ethernet [/]]
Syntax: [no] spanning-tree
Syntax: spanning-tree [ethernet [/] path-cost priority ] forward-delay hello-time maximum-age
2. Access the level of the CLI for configuring port-based VLAN 4 by entering the following command.
Brocade-A(config)# vlan 4
Brocade-A(config-vlan-4)#
3. Enter the following commands.
Brocade-A(config-vlan-4)# no untagged ethernet 11
deleted port ethe 11 from port-vlan 4.
Brocade-A(config-vlan-4)#
4. Enter the following commands to exit the VLAN CONFIG mode and save the configuration to the system-config file on flash memory.
Brocade(config)#vlan 2 to 7 20 25
Brocade(config-mvlan-2*25)#
Syntax: [no] vlan to
Deleting a multi-range VLAN
You can also delete multiple VLANs with a single command. To delete a continuous range of VLANs, enter a command such as the following.
Brocade(config)#no vlan 2 to 7
Syntax: [no] vlan to
To delete discontinuous VLANs, enter a command such as the following.
VLAN overview The following VLAN parameters can be configured with the specified VLAN range.
Added tagged port(s) ethe 1/1/1 to port-vlan 22.
Added tagged port(s) ethe 1/1/1 to port-vlan 23.
Added tagged port(s) ethe 1/1/1 to port-vlan 24.
Brocade(config-mvlan-16*24)#span 802-1w
The Ethernet port e 1/1/1 and spanning tree 802.1w are added to the database of each VLAN separately. You can verify the configuration with the show running-config command. See the example below.
In the following example, spanning tree 802.1w is disabled on VLANs 22, 23, and 24. The show running-config output then verifies that spanning tree 802.1w is disabled on the specified VLANs (22, 23, and 24) and not on VLANs 16, 17, 20, and 21.
Brocade(config-mvlan-4-6)#show 802-1w
--- VLAN 4 [ STP Instance owned by VLAN 4 ] ---------------------------
Bridge IEEE 802.1W Parameters:
  Bridge Identifier (hex): 8000002022227700
  Bridge MaxAge (sec): 20
  Bridge Hello (sec): 2
  Bridge FwdDly (sec): 15
  Force Version: Default
  tx Hold cnt: 3
  Root Bridge Identifier (hex): 8000002022227700
  Root Path Cost: 0
  Designated Bridge Identifier (hex): 8000002022227700
  Root Max Age (sec): 20
  Root Fwd Dly (sec): 15
  Root Hello (sec): 2
Port IEEE 802.
Port Num: 1/1/1
  Config Params: Pri 128, PortPath Cost 20000, P2P Mac F, Edge Port F
  Current state: Role DESIGNATED, State FORWARDING, Designated cost 0, Designated bridge 8000002022227700
The following show parameters can be viewed for the specified VLAN range from the multi-range VLAN configuration mode. The output of these commands displays information about the specified VLANs only.
FIGURE 74 Layer 3 protocol VLANs within a Layer 2 port-based VLAN
[Figure: DEFAULT-VLAN (VLAN ID = 1) containing a user-configured Layer 2 port-based VLAN, which in turn contains a user-configured protocol VLAN, IP sub-net VLAN, IPX network VLAN, or AppleTalk cable VLAN]
You can add Layer 3 protocol VLANs or IP sub-net, IPX network, and AppleTalk cable VLANs to port-based VLANs. Layer 3 VLANs cannot span Layer 2 port-based VLANs. However, Layer 3 VLANs can overlap within a Layer 2 port-based VLAN.
VLAN overview ISR eliminates the need for an external router by allowing you to route between VLANs using virtual routing interfaces (ves). A virtual routing interface is a logical port on which you can configure Layer 3 routing parameters. You configure a separate virtual routing interface on each VLAN that you want to be able to route from or to.
VLAN overview NOTE IP subnet VLANs are not the same thing as IP protocol VLANs. An IP protocol VLAN sends all IP broadcasts on the ports within the IP protocol VLAN. An IP subnet VLAN sends only the IP subnet broadcasts for the subnet of the VLAN. You cannot configure an IP protocol VLAN and an IP subnet VLAN within the same port-based VLAN. This note also applies to IPX protocol VLANs and IPX network VLANs, and to AppleTalk protocol VLANs and AppleTalk cable VLANs.
VLAN overview When you configure a port-based VLAN, one of the configuration items you provide is the ports that are in the VLAN. When you configure the VLAN, the Brocade device automatically removes the ports that you place in the VLAN from DEFAULT-VLAN. By removing the ports from the default VLAN, the Brocade device ensures that each port resides in only one Layer 2 broadcast domain. NOTE Information for the default VLAN is available only after you define another VLAN.
FIGURE 76 Packet containing a Brocade 802.1Q VLAN tag
[Figure: Untagged packet formats. Ethernet II: Destination Address (6 bytes), Source Address (6 bytes), Type Field (2 bytes), Data Field (up to 1500 bytes), CRC (4 bytes). IEEE 802.3: Destination Address (6 bytes), Source Address (6 bytes), Length Field (2 bytes), Data Field (up to 1496 bytes), CRC (4 bytes). 802.1Q tagged packet format: Destination Address (6 bytes), Source Address (6 bytes), 802.1Q tag (4 bytes), 2-byte field, ...]
FIGURE 77 VLANs configured across multiple devices
[Figure: user-configured port-based VLANs spanning two devices; T = 802.1Q tagged port. The ports on Segment 1 are tagged; the ports on Segment 2 are not]
Tagging is required for the ports on Segment 1 because the ports are in multiple port-based VLANs. Tagging is not required for the ports on Segment 2 because each port is in only one port-based VLAN. Without tagging, a device receiving VLAN traffic from the other device would not be sure which VLAN the traffic is for.
802.1ad tagging for FastIron WS and Brocade FCX Series devices
The following enhancements allow the FastIron WS and Brocade FCX Series devices, including those in an IronStack, to use Q-in-Q and SAV, by allowing the changing of a tag profile for ports:
• In addition to the default tag type 0x8100, you can now configure one additional global tag profile with a number from 0xffff.
• Tag profiles on a single port, or a group of ports can be configured to point to the global tag profile.
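As an added example that is not part of the Brocade guide, the following Python parser reads frames laid out as in Figure 76 and applies the tag-profile behaviour described above: it walks the tag stack, accepting the default 0x8100 tag type plus any additional configured tag type, and a small monitoring check reports frames that do not match a port's expected tagging. The extra tag type 0x9100, the MAC addresses, the policy check and all sample frames are constructed for this example.

```python
import struct
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Sequence

# Default 802.1Q tag type (TPID). The guide's 802.1ad enhancement lets one extra
# global tag profile be configured; 0x9100 is used below as a constructed example.
DEFAULT_TAG_TYPE = 0x8100
ETHERNET_II_MIN_TYPE = 0x0600  # a type/length value below this is an 802.3 length


@dataclass
class VlanTag:
    tpid: int       # tag type that introduced this tag
    priority: int   # 802.1p priority, 0 through 7
    dei: bool       # drop eligible indicator
    vid: int        # VLAN ID, 0 through 4095


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[VlanTag] = field(default_factory=list)  # outermost tag first
    ethertype: Optional[int] = None  # Ethernet II type field, else None
    length: Optional[int] = None     # IEEE 802.3 length field, else None
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes, tag_types: Sequence[int] = (DEFAULT_TAG_TYPE,)) -> Frame:
    """Parse a frame per Figure 76: DA(6) SA(6) [tag(4)]* type/length(2) data.

    Only tag types listed in tag_types are treated as VLAN tags, mirroring a
    device that recognises the default 0x8100 plus one configured tag profile.
    """
    if len(raw) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    frame = Frame(dst=_mac(raw[0:6]), src=_mac(raw[6:12]))
    off = 12
    # Each tag is a 2-byte TPID followed by a 2-byte TCI: PCP(3) DEI(1) VID(12).
    while off + 4 <= len(raw):
        tpid = struct.unpack_from("!H", raw, off)[0]
        if tpid not in tag_types:
            break
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        frame.tags.append(VlanTag(tpid, tci >> 13, bool(tci & 0x1000), tci & 0x0FFF))
        off += 4
    if off + 2 > len(raw):
        raise ValueError("truncated frame: no type/length field after the tag stack")
    type_or_len = struct.unpack_from("!H", raw, off)[0]
    off += 2
    if type_or_len >= ETHERNET_II_MIN_TYPE:
        frame.ethertype = type_or_len   # Ethernet II
    else:
        frame.length = type_or_len      # IEEE 802.3
    frame.payload = raw[off:]
    return frame


def build_frame(dst: str, src: str, type_or_len: int, payload: bytes,
                tags: Iterable[tuple] = ()) -> bytes:
    """Constructed test-data helper: assemble a frame with zero or more tags."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, prio, vid in tags:
        out += struct.pack("!HH", tpid, (prio << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", type_or_len) + payload


def check_port_policy(frame: Frame, port_is_tagged: bool,
                      allowed_vids: Iterable[int]) -> List[str]:
    """Hypothetical monitoring check: findings for a frame seen on a given port."""
    findings = []
    if frame.tags and not port_is_tagged:
        findings.append("tagged frame received on an untagged port")
    if len(frame.tags) > 1:
        findings.append(f"stacked tags ({len(frame.tags)} deep)")
    if frame.tags and frame.tags[0].vid not in set(allowed_vids):
        findings.append(f"VLAN {frame.tags[0].vid} not allowed on this port")
    return findings
```

Parsing a double-tagged frame with the default tag_types alone leaves the 0x9100 outer tag unrecognised and reports it as the Ethernet II type, which is exactly why the extra tag profile must be configured on the device.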
VLAN overview It is possible that STP will block one or more ports in a protocol VLAN that uses a virtual routing interface to route to other VLANs. For IP protocol and IP subnet VLANs, even though some of the physical ports of the virtual routing interface are blocked, the virtual routing interface can still route so long as at least one port in the virtual routing interface protocol VLAN is not blocked by STP.
FIGURE 78 Use virtual routing interfaces for routing between Layer 3 protocol VLANs
[Figure: user-configured port-based VLANs, each containing user-configured protocol VLANs (IP sub-net, IPX network, or AppleTalk cable VLANs) with virtual interfaces VE 1 through VE 4; VE = virtual interface (“VE” stands for “Virtual Ethernet”)]
Layer 2 and Layer 3 traffic within a VLAN is bridged at Layer 2. Layer 3 traffic between protocol VLANs is routed using virtual interfaces (VE).
Dynamic, static, and excluded port membership
When you add ports to a protocol VLAN, IP subnet VLAN, IPX network VLAN, or AppleTalk cable VLAN, you can add them dynamically or statically:
• Dynamic ports
• Static ports
You also can explicitly exclude ports.
Dynamic ports
Dynamic ports are added to a VLAN when you create the VLAN. However, if a dynamically added port does not receive any traffic for the VLAN protocol within ten minutes, the port is removed from the VLAN.
FIGURE 79 VLAN with dynamic ports—all ports are active when you create the VLAN
[Figure: a SUBNET VLAN with eight ports, all marked A; A = active port, C = candidate port]
When you add ports dynamically, all the ports are added when you add the VLAN. Ports in a new protocol VLAN that do not receive traffic for the VLAN protocol age out after 10 minutes and become candidate ports. Figure 80 shows what happens if a candidate port receives traffic for the VLAN protocol.
VLAN overview Static ports Static ports are permanent members of the protocol VLAN. The ports remain active members of the VLAN regardless of whether the ports receive traffic for the VLAN protocol. You must explicitly identify the port as a static port when you add it to the VLAN. Otherwise, the port is dynamic and is subject to aging out.
Summary of VLAN configuration rules
A hierarchy of VLANs exists between the Layer 2 and Layer 3 protocol-based VLANs:
• Port-based VLANs are at the lowest level of the hierarchy.
• Layer 3 protocol-based VLANs, IP, IPv6, IPX, AppleTalk, Decnet, and NetBIOS are at the middle level of the hierarchy.
• IP subnet, IPX network, and AppleTalk cable VLANs are at the top of the hierarchy.
Routing between VLANs Routing between VLANs Brocade Layer 3 switches can locally route IP, IPX, and Appletalk between VLANs defined within a single router. All other routable protocols or protocol VLANs (for example, DecNet) must be routed by another external router capable of routing the protocol.
Routing between VLANs If your backbone consists of virtual routing interfaces all within the same STP domain, it is a bridged backbone, not a routed one. This means that the set of backbone interfaces that are blocked by STP will be blocked for routed protocols as well. The routed protocols will be able to cross these paths only when the STP state of the link is FORWARDING. This problem is easily avoided by proper network design.
Routing between VLANs NOTE does not change the properties of the default VLAN. Changing the name allows you to use the VLAN ID “1” as a configurable VLAN. Assigning different VLAN IDs to reserved VLANs 4091 and 4092 If you want to use VLANs 4091 and 4092 as configurable VLANs, you can assign them to different VLAN IDs. For example, to reassign reserved VLAN 4091 to VLAN 10, enter the following commands. Brocade(config)# Reload required.
The following table defines the fields in the output of the show reserved-vlan-map command.
TABLE 140 Output of the show reserved-vlan-map command
Field / Description
Reserved Purpose: Describes for what the VLAN is reserved. Note that the description is for Brocade internal VLAN management.
Default: The default VLAN ID of the reserved VLAN.
Re-assign: The VLAN ID to which the reserved VLAN was reassigned.¹
Current: The current VLAN ID for the reserved VLAN.¹
1.
4. Enter the following commands to exit the VLAN CONFIG mode and save the configuration to the system-config file on flash memory.
Brocade-B(config-vlan-3)# end
Brocade-B# write memory
Brocade-B#
5. Repeat steps 1 – 4 on FESX-B.
NOTE You do not need to configure values for the STP parameters. All parameters have default values as noted below.
Configuring IP subnet, IPX network and protocol-based VLANs Configuring IP subnet, IPX network and protocol-based VLANs Protocol-based VLANs provide the ability to define separate broadcast domains for several unique Layer 3 protocols within a single Layer 2 broadcast domain. Some applications for this feature might include security between departments with unique protocol requirements. This feature enables you to limit the amount of broadcast traffic end-stations, servers, and routers need to accept.
To configure the VLANs shown in Figure 81, use the following procedure.
1. To permanently assign ports 1 – 8 and port 25 to IP subnet VLAN 1.1.1.0, enter the following commands.
Brocade(config-vlan-2)# ip-subnet 1.1.1.0/24 name Green
Brocade(config-vlan-ip-subnet)# no dynamic
Brocade(config-vlan-ip-subnet)# static ethernet 1 to 8 ethernet 25
2. To permanently assign ports 9 – 16 and port 25 to IP subnet VLAN 1.1.2.0, enter the following commands.
IP subnet, IPX network, and protocol-based VLANs within port-based VLANs IP subnet, IPX network, and protocol-based VLANs within port-based VLANs If you plan to use port-based VLANs in conjunction with protocol-based VLANs, you must create the port-based VLANs first. Once you create a port-based VLAN, then you can assign Layer 3 protocol VLANs within the boundaries of the port-based VLAN. Generally, you create port-based VLANs to allow multiple separate STP domains.
[Figure 82: an FSX and Layer 2 switches FESX-A (Port1, Port9, Port17), FESX-B, and FESX-C, each carrying VLAN 2 (V2), VLAN 3 (V3), and VLAN 4 (V4); some VLAN paths are marked STP Blocked]
To configure the Layer 3 VLANs on the FESX Layer 2 switches in Figure 82, use the following procedure.
Configuring Layer 3 VLANs on FESX-A
Enter the following commands to configure FESX-A.
1.
IP subnet, IPX network, and protocol-based VLANs within port-based VLANs 4. To prevent machines with non-IP protocols from getting into the IP portion of VLAN 2, create another Layer 3 protocol VLAN to exclude all other protocols from the ports that contains the IP-protocol VLAN. To do so, enter the following commands.
Brocade-B(config-vlan-ipx-proto)# static e5 to 8 e25 to 26
Brocade-B(config-vlan-ipx-proto)# exclude e1 to 4
Brocade-B(config-vlan-other-proto)# vlan 3 name IP-Sub_IPX-Net_VLANs
Brocade-B(config-vlan-3)# untagged e9 to 16
Brocade-B(config-vlan-3)# tagged e25 to 26
Brocade-B(config-vlan-3)# spanning-tree
Brocade-B(config-vlan-3)# spanning-tree priority 500
Brocade-B(config-vlan-3)# ip-sub 1.1.1.
IPv6 protocol VLAN configuration IPv6 protocol VLAN configuration You can configure a protocol-based VLAN as a broadcast domain for IPv6 traffic. When the Layer 3 switch receives an IPv6 multicast packet (a packet with 06 in the version field and 0xFF as the beginning of the destination address), the Layer 3 switch forwards the packet to all other ports.
Routing between VLANs using virtual routing interfaces (Layer 3 switches only) Example Suppose you want to move routing out to each of three buildings in a network. Remember that the only protocols present on VLAN 2 and VLAN 3 are IP and IPX. Therefore, you can eliminate tagged ports 25 and 26 from both VLAN 2 and VLAN 3 and create new tagged port-based VLANs to support separate IP subnets and IPX networks for each backbone link.
Configuring Layer 3 VLANs and virtual routing interfaces on the FESX-A
Enter the following commands to configure FESX-A. The following commands enable OSPF or RIP routing.
Brocade>en
No password has been assigned yet...
Brocade# configure terminal
Brocade(config)# hostname FESX-A
Brocade-A(config)# router ospf
Brocade-A(config-ospf-router)# area 0.0.0.0 normal
Please save configuration to flash and reboot.
Routing between VLANs using virtual routing interfaces (Layer 3 switches only) The next thing you need to do is create VLAN 3. This is very similar to the previous example with the addition of virtual routing interfaces to the IP subnet and IPX network VLANs. Also there is no need to exclude ports from the IP subnet and IPX network VLANs on the router.
Brocade-A(config-vlan-ipx-network)# exit
Brocade-A(config-vlan-6)# router-interface ve7
Brocade-A(config-vlan-6)# interface ve6
Brocade-A(config-vif-6)# ip addr 1.1.4.1/24
Brocade-A(config-vif-6)# ip ospf area 0.0.0.0
Brocade-A(config-vif-6)# interface ve7
Brocade-A(config-vif-7)# ip addr 1.1.5.1/24
Brocade-A(config-vif-7)# ip ospf area 0.0.0.0
Brocade-A(config-vif-7)#
This completes the configuration for FESX-A.
Routing between VLANs using virtual routing interfaces (Layer 3 switches only) Brocade-B(config-vlan-ip-subnet)# ipx-network 7 ethernet_802.
Configuring protocol VLANs with dynamic ports
Brocade-C(config-vlan-ipx-network)# exit
Brocade-C(config-vlan-8)# router-interface ve2
Brocade-C(config-vlan-8)# other-proto name block-other-protocols
Brocade-C(config-vlan-other-proto)# no dynamic
Brocade-C(config-vlan-other-proto)# exclude ethernet 5 to 8
Brocade-C(config-vlan-other-proto)# interface ve2
Brocade-C(config-vif-1)# ip addr 1.1.9.2/24
Brocade-C(config-vif-1)# ip ospf area 0.0.0.
• IP subnet
• IPX network
NOTE The software does not support dynamically adding ports to AppleTalk cable VLANs. Conceptually, an AppleTalk cable VLAN consists of a single network cable, connected to a single port. Therefore, dynamic addition and removal of ports is not applicable.
NOTE You cannot route to or from protocol VLANs with dynamically added ports.
Configuring protocol VLANs with dynamic ports Syntax: [no] no-dynamic-aging Enter the no form of the command to disable this feature after it has been enabled. By default, VLAN membership of dynamically assigned ports will age out after a period of time if no packets belonging to that protocol or subnet VLAN are received by the CPU. The output of the show running-config command indicates if the no-dynamic-aging feature is enabled for a specific protocol or subnet VLAN.
NOTE Use the first untagged command for adding a range of ports. Use the second command for adding separate ports (not in a range).
Syntax: ip-proto [name ]
Syntax: ipx-proto [name ]
Syntax: appletalk-cable-vlan [name ]
Syntax: dynamic
The procedure is similar for IPX and AppleTalk protocol VLANs. Enter ipx-proto or atalk-proto instead of ip-proto.
Brocade(config)# vlan 20 name IPX_VLAN by port
Brocade(config-vlan-20)# untagged ethernet 2/1 to 2/6
added untagged port ethe 2/1 to 2/6 to port-vlan 20.
Configuring uplink ports within a port-based VLAN
Syntax: untagged ethernet [/] to [/]
or
Syntax: untagged ethernet [/] ethernet [/]
NOTE Use the first untagged command for adding a range of ports. Use the second command for adding separate ports (not in a range).
Syntax: ipx-network ethernet_ii | ethernet_802.2 | ethernet_802.
IP subnet address on multiple port-based VLAN configuration In this example, 24 ports on a 10/100 module and two Gbps ports on a Gbps module are added to port-based VLAN 10. The two Gbps ports are then configured as uplink ports. IP subnet address on multiple port-based VLAN configuration For a Brocade device to route between port-based VLANs, you must add a virtual routing interface to each VLAN. Generally, you also configure a unique IP subnet address on each virtual routing interface.
FIGURE 85 Multiple port-based VLANs with the same protocol address
[Figure: an FSX switch with VLAN 2 (VE 1, IP 10.0.0.1/24), VLAN 3 (VE 2, follows VE 1), and VLAN 4 (VE 3, follows VE 1)]
Each VLAN still requires a separate virtual routing interface. However, all three VLANs now use the same IP subnet address. In addition to conserving IP subnet addresses, this feature allows containment of Layer 2 broadcasts to segments within an IP subnet.
NOTE If the Brocade device ARP table does not contain the requested host, the Brocade device forwards the ARP request on Layer 2 to the same VLAN as the one that received the ARP request. Then the device sends an ARP for the destination to the other VLANs that are using the same IP subnet address.
• If the destination is in the same VLAN as the source, the Brocade device does not need to perform a proxy ARP.
VLAN groups and virtual routing interface group
NOTE Because virtual routing interfaces 2 and 3 do not have their own IP subnet addresses but instead are “following” the IP address of virtual routing interface 1, you still can configure an IPX or AppleTalk interface on virtual routing interfaces 2 and 3.
VLAN groups and virtual routing interface group
To simplify configuration when you have many VLANs with the same configuration, you can configure VLAN groups and virtual routing interface groups.
VLAN groups and virtual routing interface group The first command in this example begins configuration for VLAN group 1, and assigns VLANs 2 through 257 to the group. The second command adds ports 1/1 and 1/2 as tagged ports. Because all the VLANs in the group share the ports, you must add the ports as tagged ports.
VLAN groups and virtual routing interface group The to parameters specify a contiguous range (a range with no gaps) of individual VLAN IDs. Specify the low VLAN ID first and the high VLAN ID second. You can add or remove up to 256 VLANs at a time. To add or remove more than 256 VLANs, do so using separate commands. For example, to remove 512 VLANs from VLAN group 1, enter the following commands.
VLAN groups and virtual routing interface group These commands enable VLAN group 1 to have a group virtual routing interface, then configure virtual routing interface group 1. The software always associates a virtual routing interface group only with the VLAN group that has the same ID. In this example, the VLAN group ID is 1, so the corresponding virtual routing interface group also must have ID 1.
router-interface-group
lines not related to the virtual routing interface group omitted...
interface group-ve 1
ip address 10.10.10.1 255.255.255.0
NOTE If you have enabled display of subnet masks in CIDR notation, the IP address information is shown as follows: 10.10.10.1/24.
Allocating memory for more VLANs or virtual routing interfaces
Brocade Layer 2 and Layer 3 Switches support up to 4095 VLANs.
Super-aggregated VLAN configuration
Increasing the number of virtual routing interfaces you can configure
To increase the maximum number of virtual routing interfaces you can configure, enter commands such as the following at the global CONFIG level of the CLI.
Brocade(config)# system-max virtual-interface 512
Brocade(config)# write memory
Brocade(config)# end
Brocade# reload
Syntax: system-max virtual-interface
The parameter indicates the maximum number of virtual routing interfaces.
FIGURE 86 Conceptual model of the super aggregated VLAN application
[Figure: Client 1 (192.168.1.69/24), Client 3, Client 5 and others on sub-net 192.168.1.0/24; Path = a single VLAN into which client VLANs are aggregated; Channel = a client VLAN nested inside a Path]
Each client connected to the edge device is in its own port-based VLAN, which is like an ATM channel. All the clients’ VLANs are aggregated by the edge device into a single VLAN for connection to the core.
FIGURE 87 Example of a super aggregated VLAN application
[Figure: on one edge device, Client 1 on Port1/1 VLAN 101, Client 3 on Port1/3 VLAN 103, Client 5 on Port1/5 VLAN 105; on the other edge device, Client 6 on Port1/1 VLAN 101, Client 8 on Port1/3 VLAN 103, Client 10 on Port1/5 VLAN 105; Client 1 is 192.168.1.69/24; 209.157.2.]
This example shows a single link between the core devices. However, you can use a trunk group to add link-level redundancy.
Configuration notes for aggregated VLANs
• This feature is not supported on the 48-port 10/100/1000 Mbps (RJ45) Ethernet POE interface module (SX-FI48GPP).
• Super Aggregated VLANs and VSRP are not supported together on the same device.
Super-aggregated VLAN configuration Configuring aggregated VLANs on an edge device To configure the aggregated VLANs on device A in Figure 87 on page 798, enter the following commands.
The parameter specifies the tag type, which can be a hexadecimal value from 0 through ffff. The default is 8100.
Verifying the aggregated VLAN configuration
You can verify the VLAN, VLAN aggregation option, and tag configuration by viewing the running-config. To display the running-config, enter the show running-config command from any CLI prompt.
Commands for configuring aggregated VLANs on device B

The commands for configuring device B are identical to the commands for configuring device A. Notice that you can use the same channel VLAN numbers on each device. The devices that aggregate the VLANs into a path can distinguish between the identically named channel VLANs based on the ID of the path VLAN.
BrocadeD(config)# vlan 102 by port
BrocadeD(config-vlan-102)# tagged ethernet 4/1
BrocadeD(config-vlan-102)# untagged ethernet 3/2
BrocadeD(config-vlan-102)# exit
BrocadeD(config)# write memory

Commands for configuring aggregated VLANs on device E

Because the configuration in Figure 87 on page 798 is symmetrical, the commands for configuring device E are identical to the commands for configuring device A.
BrocadeF(config-vlan-105)# tagged ethernet 2/1
BrocadeF(config-vlan-105)# untagged ethernet 1/5
BrocadeF(config-vlan-105)# exit
BrocadeF(config)# write memory

802.1ad tagging configuration

802.1ad tagging provides finer granularity for configuring 802.1Q tagging, enabling you to configure 802.1Q tag-types on a group of ports. This feature allows you to create two identical 802.1Q tags (802.1ad tagging) on a single device.
Configuration rules for 802.1ad tagging

• Because the uplink (to the provider cloud) and the edge link (to the customer port) must have different 802.1Q tags, make sure the uplink and edge link are in different port regions. Refer to "About port regions" on page 556 for a list of valid port regions.
• On devices that support port regions, if you configure a port with an 802.1Q tag-type, the Brocade device automatically applies the 802.
The ethernet ... to ... parameter specifies the ports that will use the defined 802.1Q tag. This parameter operates with the following rules:

• If you specify a single port number, the 802.1Q tag applies to all ports within the port region. For example, if you enter the command tag-type 9100 ethernet 1, the Brocade device automatically applies the 802.1Q tag to ports 1 – 12 because all of these ports are in the same port region.
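Added example, not Brocade code: a parser for the double-tagged frames that a provider tag-type such as 9100 produces on the uplink, showing how a core device keeps identically numbered channel VLANs apart by their path VLAN (the point made for device B above). The 0x9100 outer and 0x8100 inner tag-types follow the page; the MAC addresses, payloads and client table are constructed.

```python
"""Demultiplex double-tagged (802.1ad / super-aggregated VLAN) frames.

Added example, not Brocade code. A core device identifies a client by the
pair (path VLAN from the outer tag, channel VLAN from the inner tag), which
is why the same channel VLAN numbers can be reused behind different paths.
Tag types follow the page: 0x9100 on the provider uplink, 0x8100 (default)
on the customer-facing tag. Addresses, payloads and the client table are
constructed for illustration.
"""
import struct

DEFAULT_TAG_TYPE = 0x8100    # default 802.1Q tag-type ("8100" on the page)
PROVIDER_TAG_TYPE = 0x9100   # uplink tag-type from the "tag-type 9100" example

# Constructed client table keyed by (path VID, channel VID). The channel
# numbers repeat behind both path VLANs on purpose, as in Figure 87.
CLIENT_TABLE = {
    (101, 101): "Client 1", (101, 103): "Client 3", (101, 105): "Client 5",
    (102, 101): "Client 6", (102, 103): "Client 8", (102, 105): "Client 10",
}


def build_frame(dst, src, payload, channel_vid=None, path_vid=None, ethertype=0x0800):
    """Assemble an Ethernet frame with optional outer (path) and inner (channel) tags."""
    hdr = dst + src
    if path_vid is not None:
        hdr += struct.pack("!HH", PROVIDER_TAG_TYPE, path_vid & 0x0FFF)
    if channel_vid is not None:
        hdr += struct.pack("!HH", DEFAULT_TAG_TYPE, channel_vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return {'path', 'channel', 'ethertype', 'payload'}; an absent tag is None.

    The 16-bit TCI after each tag type carries priority bits in its top nibble,
    so the VLAN ID is the low 12 bits. A frame whose outer tag is 0x8100 is
    treated as single-tagged: its 'ethertype' then shows any second 0x8100 tag.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    off = 12
    path_vid = channel_vid = None
    etype = struct.unpack_from("!H", frame, off)[0]
    if etype == PROVIDER_TAG_TYPE:
        if len(frame) < off + 6:
            raise ValueError("truncated provider tag")
        path_vid = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    if etype == DEFAULT_TAG_TYPE:
        if len(frame) < off + 6:
            raise ValueError("truncated 802.1Q tag")
        channel_vid = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    return {"path": path_vid, "channel": channel_vid,
            "ethertype": etype, "payload": frame[off + 2:]}


def resolve_client(frame):
    """Map a frame arriving at the core to a client; None if a tag is missing
    or the (path, channel) pair is unknown."""
    tags = parse_frame(frame)
    if tags["path"] is None or tags["channel"] is None:
        return None
    return CLIENT_TABLE.get((tags["path"], tags["channel"]))


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")   # constructed addresses
    src = bytes.fromhex("66778899aabb")
    for path in (101, 102):
        f = build_frame(dst, src, b"\x00" * 46, channel_vid=101, path_vid=path)
        print("path", path, "channel 101 ->", resolve_client(f))
```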
[Figure: example 802.1ad tagging application. On each edge device Client 1, Client 3 and Client 5 (or Client 6, Client 8 and Client 10) attach to ports 1, 3 and 5 in VLANs 101, 103 and 105; Client 1 is 192.168.1.69/24 and Client 5 is in 209.157.2.]
Configuring 802.1ad tag profiles

NOTE
802.1ad tag profiles are not supported on FastIron X Series devices.

The 802.1ad tagging feature supports a tag-profile command that allows you to add a tag profile with a value of 0 to 0xffff in addition to the default tag-type 0x8100. This enhancement also allows you to add a tag profile for a single port, or to direct a group of ports to a globally-configured tag profile.

Configuration notes for 802.
Private VLAN configuration

A private VLAN (PVLAN) is a VLAN that has the properties of standard Layer 2 port-based VLANs but also provides additional control over flooding packets on a VLAN. Figure 90 shows an example of an application using a PVLAN.

FIGURE 90 PVLAN used to secure communication between a workstation and servers

A private VLAN secures traffic between a primary port and host ports.
You can configure a combination of the following types of PVLANs:

• Primary – The primary PVLAN ports are "promiscuous". They can communicate with all the isolated PVLAN ports and community PVLAN ports in the isolated and community VLANs that are mapped to the promiscuous port.
• Isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the promiscuous ports and switch-switch ports. They are not flooded to other ports in the isolated VLAN.
FIGURE 91 PVLAN across switches

[Figure 91: Switch A and Switch B, each with an isolated VLAN 10 and a community VLAN 20, share the primary VLAN 100 (firewall and routers) over PVLAN-Trunk ports. The PVLAN-Trunk port carries traffic for VLAN 10, 20 and 100.]
Figure 92 shows an example PVLAN network with tagged switch-switch link ports.
Configuration notes for PVLANs and standard VLANs

• PVLANs are supported on untagged ports on all FastIron platforms. PVLANs are also supported on tagged ports on the FCX platform only.
• Normally, in any port-based VLAN, the Brocade device floods unknown unicast, unregistered multicast, and broadcast packets in hardware, although selective packets, such as IGMP, may be sent only to the CPU for analysis, based on the IGMP snooping configuration.
Configuring the primary VLAN

To configure a primary VLAN, enter commands such as the following.

Brocade(config)# vlan 7
Brocade(config-vlan-7)# untagged ethernet 3/2
Brocade(config-vlan-7)# pvlan type primary
Brocade(config-vlan-7)# pvlan mapping 901 ethernet 3/2

These commands create port-based VLAN 7, add port 3/2 as an untagged port, identify the VLAN as the primary VLAN in a PVLAN, and map the other secondary VLANs to the ports in this VLAN.
Configuring an isolated or community PVLAN

You can use the pvlan type command to configure the PVLAN as an isolated or community PVLAN. The following are some configuration considerations to be noted for configuring isolated and community PVLANs.

Isolated VLANs

• A port being added to the isolated VLAN can be either a tagged port or an untagged port.
• A member port of an isolated VLAN classifies a frame based on PVID only.
The pvlan type command specifies that this port-based VLAN is a PVLAN and can be of the following types:

• community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.
• isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
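The flooding rules for the three PVLAN types, modelled as an added example (not Brocade code) so that the isolation a given port layout provides can be checked before it is deployed. The port numbers, the second promiscuous port 3/3 and the PVLAN-trunk port 1/20 are constructed around the page's VLAN 7 / 901–903 example; the rule that a primary port floods to every port of the secondary VLANs mapped to it is an assumption taken from standard PVLAN behaviour.

```python
"""Which ports receive a broadcast or unknown-unicast frame in a PVLAN.

Added example, not Brocade code. Rules as stated on the page: an isolated
port floods only to the promiscuous (primary) ports mapped to its VLAN and
to switch-switch ports; a community port floods to those promiscuous ports
plus the other ports of its community VLAN. A primary port is assumed to
flood to the other primary ports and to every port of the secondary VLANs
mapped to it (standard PVLAN behaviour; the page only says the primary port
can reach them). Port numbers and VLAN roles are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Pvlan:
    vid: int
    kind: str                                  # "primary", "isolated" or "community"
    ports: set = field(default_factory=set)
    # primary VLAN only: promiscuous port -> set of secondary VIDs mapped to it
    mapping: dict = field(default_factory=dict)


class PvlanSwitch:
    def __init__(self):
        self.vlans = {}        # vid -> Pvlan
        self.trunks = set()    # PVLAN-trunk / switch-switch ports carrying all PVLANs

    def add_vlan(self, vlan):
        if vlan.kind not in ("primary", "isolated", "community"):
            raise ValueError(f"unknown pvlan type {vlan.kind}")
        self.vlans[vlan.vid] = vlan

    def vlan_of(self, port):
        """PVLAN a host port belongs to (ingress on a trunk port is not modelled)."""
        for v in self.vlans.values():
            if port in v.ports:
                return v
        raise KeyError(f"port {port} is not in any PVLAN")

    def promiscuous_ports_for(self, secondary_vid):
        """Primary ports to which the given secondary VLAN is mapped."""
        return {p for v in self.vlans.values() if v.kind == "primary"
                for p, secs in v.mapping.items() if secondary_vid in secs}

    def flood_targets(self, ingress):
        """Ports that receive a broadcast/unknown unicast entering on `ingress`."""
        v = self.vlan_of(ingress)
        out = set(self.trunks)                 # switch-switch ports always receive it
        if v.kind == "isolated":
            out |= self.promiscuous_ports_for(v.vid)
        elif v.kind == "community":
            out |= self.promiscuous_ports_for(v.vid) | v.ports
        else:                                  # primary (assumed rule, see docstring)
            out |= v.ports
            for sec in v.mapping.get(ingress, ()):
                out |= self.vlans[sec].ports
        out.discard(ingress)
        return out

    def can_reach(self, src, dst):
        """True when a frame from src may be delivered to dst; in this model the
        unicast reachability set equals the flood set."""
        return dst in self.flood_targets(src)


def example_switch():
    """Constructed topology: primary VLAN 7 with promiscuous ports 3/2 (mapped to
    901 and 903) and 3/3 (mapped to 903 only), isolated VLAN 901, community
    VLAN 903, and one PVLAN-trunk port 1/20 toward a peer switch."""
    sw = PvlanSwitch()
    sw.add_vlan(Pvlan(7, "primary", {"3/2", "3/3"},
                      {"3/2": {901, 903}, "3/3": {903}}))
    sw.add_vlan(Pvlan(901, "isolated", {"3/5", "3/6"}))
    sw.add_vlan(Pvlan(903, "community", {"3/10", "3/11"}))
    sw.trunks.add("1/20")
    return sw


if __name__ == "__main__":
    sw = example_switch()
    for port in ("3/5", "3/10", "3/2"):
        print(port, "floods to", sorted(sw.flood_targets(port)))
```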
Brocade(config-vlan-903)# pvlan type community
Brocade(config-vlan-903)# exit
Brocade(config)# vlan 7
Brocade(config-vlan-7)# untagged ethernet 3/2
Brocade(config-vlan-7)# pvlan type primary
Brocade(config-vlan-7)# pvlan mapping 901 ethernet 3/2
Brocade(config-vlan-7)# pvlan mapping 902 ethernet 3/2
Brocade(config-vlan-7)# pvlan mapping 903 ethernet 3/2

CLI example for a PVLAN network with switch-switch link ports

To configure the PVLANs with tagged switch-switch link ports as s
Dual-mode VLAN ports

Brocade(config-vlan-102)# untagged ethernet 1/1/1 to 1/1/2
Brocade(config-vlan-102)# pvlan type community
Brocade(config)# vlan 100 by port
Brocade(config-vlan-100)# tagged ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# pvlan type primary
Brocade(config-vlan-100)# pvlan pvlan-trunk 102 ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# pvlan pvlan-trunk 101 ethernet 1/1/10 to 1/1/11

FCX Switch 4

Brocade(config)# vlan 101 by port
Brocade(config-vlan-101)# untagged ethernet 1/1/3
[Figure 93: dual-mode port example. Port 2/11 of the FastIron switch is tagged in VLAN 20 and dual-mode, and connects to a hub carrying untagged traffic; port 2/9 is tagged in VLAN 20 and carries VLAN 20 traffic; port 2/10 is untagged and carries untagged traffic.]

To enable the dual-mode feature on port 2/11 in Figure 93, enter the following commands.
FIGURE 94 Specifying a default VLAN ID for a dual-mode port

[Figure 94: port 2/10 is untagged in VLAN 10 and carries VLAN 10 untagged traffic; port 2/11 is dual-mode with default VLAN ID 10, tagged in VLAN 20, and connects to a hub; port 2/9 is tagged in VLAN 20 and carries VLAN 20 tagged traffic.]

In Figure 94, tagged port 2/11 is a dual-mode port belonging to VLANs 10 and 20. The default VLAN assigned to this dual-mode port is 10.
Displaying VLAN information

The show vlan command displays a separate row for dual-mode ports on each VLAN.
Displaying system-wide VLAN information

Use the show vlans command to display VLAN information for all the VLANs configured on the device. The following example shows the display for the IP subnet and IPX network VLANs configured in the examples in "Configuring an IP subnet VLAN with dynamic ports" on page 785 and "Configuring an IPX network VLAN with dynamic ports" on page 785.
Brocade# show vlan 4
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 4, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 9 10 11
   Uplink Ports: None
 DualMode Ports: 7 8

ESX624FE+2XG Router# show vlan 3
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 3, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 7 8 9 10
   Uplink Ports: None
 DualMode Ports: None

Syntax: show vlans
Brocade# show vlans ethernet 7/1
Total PORT-VLAN entries: 3
Maximum PORT-VLAN entries: 8
legend: [S=Slot]
PORT-VLAN 100, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: (S7) 1 2 3 4
   Tagged Ports: None

Syntax: show vlans [ | ethernet [/]

The VLAN ID parameter specifies a VLAN for which you want to display the configuration information. The slot parameter is required on chassis devices. The port parameter specifies a port.
Displaying port default VLAN IDs (PVIDs)

The output of the show interfaces brief command lists the port default VLAN IDs (PVIDs) for each port. PVIDs are displayed as follows:

• For untagged ports, the PVID is the VLAN ID number.
• For dual-mode ports, the PVID is the dual-mode VLAN ID number.
• For tagged ports without dual-mode, the PVID is always Not Applicable (NA).
Chapter 22 Multi-Chassis Trunking

Table 143 lists the individual Brocade FastIron switches and the Multi-Chassis Trunking (MCT) features they support.

TABLE 143 Supported MCT features

Feature                                  FSX 800, FSX 1600 (a)   FWS   FCX   ICX 6610   ICX 6430, ICX 6450
MCT (b)                                  Yes                     No    No    No         No
Cluster client automatic configuration   Yes                     No    No    No         No
Cluster operation features               Yes                     No    No    No         No
xSTP BPDU forwarding                     Yes                     No    No    No         No

a.
Overview

MCT inherits all of the benefits of a trunk group by providing multiple physical links to act as a single logical link. The new available bandwidth is an aggregate of all the links in the group. The traffic is shared across the links in the group using dynamic flow-based load balancing and traffic is moved to a remaining link group in sub-seconds in the event of a failure in one of the links.
• Traffic received from non-ICL ports is forwarded the same way as non-MCT devices.
• Known unicast, multicast, and broadcast traffic received on Cluster Edge Ports (CEP) or ICL ports is forwarded to the destination port.
• For unknown unicast, multicast, and broadcast traffic received on ICL ports, the forwarding behavior depends on the peer MCT device's ability to reach the same client.
MCT data flow

MCT can be deployed in a single-level configuration involving two MCT cluster devices or in a cascading configuration with a pair of MCT cluster devices operating as switches and another pair operating as routers. Refer to "Single-level MCT example" on page 867 for a single-level illustration and configuration example, and "Two-level MCT example" on page 871 for a two-level or cascading configuration example. Basic MCT data flow works as follows.
Unicast traffic from a client through a CCEP to a CEP

1. Traffic originates at the client.
2. Because the link between the client switch and the MCT cluster is a trunk, the traffic travels over one physical link. In the example in Figure 97, the traffic travels over the link towards cluster device 2. The traffic enters the MCT cluster through the CCEP of cluster device 2.
3. Depending on the destination, the traffic may pass over the ICL link to the other cluster device.
Broadcast, unknown unicast, and multicast (BUM) traffic from a client through a CEP

1. Traffic originates at the client and enters one of the MCT cluster devices through a CEP.
2. The traffic is sent to the peer cluster device through the ICL link and also sent to any local CCEPs and CEPs. Once traffic is received on the peer cluster device, it will be sent to its local CEPs.
3. Traffic does not pass back down to the client through the CCEP. Refer to Figure 98.
Unicast traffic from a client through a CEP to another CEP or a CCEP

1. Traffic originates at the client and enters one of the cluster devices through the CEP.
2. Depending on the destination, the traffic may pass over the ICL link to the other cluster device or be sent to a local CCEP.
3. The traffic passes out to the destination. Refer to Figure 97.
Port failure on the cluster device

1. A CCEP on the cluster device that received the unicast or BUM traffic fails.
2. The traffic is automatically redirected to the other MCT cluster device over the ICL and on to its destinations through CCEPs. Refer to Figure 100.

FIGURE 100 MCT data flow with port failure

MCT and VLANs

MCT relies on the following VLAN types:

• Session VLAN: Provides the control channel for CCP.
Cluster client automatic configuration

Client configuration includes setting the client name, client RBridgeID (unique identification for each client), client interface (CCEP), and deployment settings on both MCT cluster devices. With up to 150 clients per cluster, manual configuration can take a considerable amount of time. Cluster client automatic configuration saves the time that would be required to complete the entire configuration manually.
• Ingress ACLs on all MCT ports. Egress ACLs are supported only on MCT CEPs or ICL ports. Egress ACLs are not supported on MCT CCEPs.
• QoS and MAC filters and profiles with the same configuration on both cluster devices.
• IPv4 ACLs and rate limits. If the rules are applied on the CCEPs, the same rules must be applied to the CCEP ports on both cluster devices.
• Layer 3 Routing. VE with IP address assignment is supported on CCEPs for VRRP.
Basic MCT configuration

This section describes how to set up a basic MCT configuration. Figure 101 shows a basic MCT topology, which applies to Layer 2 and Layer 3. MCT can also be supported with VRRP or VRRP-E. Refer to "MCT for VRRP or VRRP-E" on page 857.
• An ICL cannot be an LACP trunk (must be either a static trunk or single port).
• MAC learning is disabled on ICL ports for all VLANs.
• MDUP synchronizes all MAC entries for VLANs served by an ICL link.
• The cluster ID should be the same on both cluster devices.
• The cluster RBridgeID should not conflict with any client RBridgeID or the peer RBridgeID.
• The client RBridgeID is unique and should be the same on the cluster devices.
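The cluster ID and RBridgeID rules above, turned into a check that can be run against the cluster stanzas of both devices before deployment; this is an added example, not Brocade code. It parses the cluster block in the form used by the configuration examples later in this chapter; the sample configurations are constructed, and the cross-check that each device's configured peer rbridge-id equals the other device's own rbridge-id is an assumption beyond the listed rules.

```python
"""Consistency check across the cluster stanzas of two MCT cluster devices.

Added example, not Brocade code. It parses the cluster block in the form used
by this chapter's configuration examples and applies the stated rules: same
cluster ID on both devices, cluster RBridgeID distinct from every client
RBridgeID and from the peer RBridgeID, client RBridgeIDs unique and identical
on both devices, at most one keep-alive VLAN. The cross-check that a device's
configured peer RBridgeID equals the other device's own RBridgeID is an added
assumption. Sample configurations are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ClusterCfg:
    name: str = ""
    cluster_id: int = 0
    rbridge_id: int = 0
    peer_ip: str = ""
    peer_rbridge_id: int = 0
    keep_alive_vlans: list = field(default_factory=list)
    clients: dict = field(default_factory=dict)   # client name -> rbridge-id (None if unset)


def parse_cluster(config_text):
    """Line-oriented parse of one device's cluster stanza (indentation is ignored)."""
    cfg, client = ClusterCfg(), None
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "cluster" and len(tok) >= 3:
            cfg.name, cfg.cluster_id, client = tok[1], int(tok[2]), None
        elif tok[0] == "client" and len(tok) >= 2:
            client = tok[1]                        # following rbridge-id belongs to it
            cfg.clients.setdefault(client, None)
        elif tok[0] == "rbridge-id" and len(tok) >= 2:
            if client is None:
                cfg.rbridge_id = int(tok[1])
            else:
                cfg.clients[client] = int(tok[1])
        elif tok[0] == "peer" and len(tok) >= 2:
            cfg.peer_ip = tok[1]
            m = re.search(r"\brbridge-id (\d+)", raw)
            cfg.peer_rbridge_id = int(m.group(1)) if m else 0
        elif tok[0] == "keep-alive-vlan" and len(tok) >= 2:
            cfg.keep_alive_vlans.append(int(tok[1]))
    return cfg


def check_pair(a, b):
    """Return rule violations for cluster devices A and B (empty list = consistent)."""
    findings = []
    if a.cluster_id != b.cluster_id:
        findings.append(f"cluster ID differs: {a.cluster_id} vs {b.cluster_id}")
    if a.rbridge_id == b.rbridge_id:
        findings.append(f"both devices use cluster RBridgeID {a.rbridge_id}")
    for dev, own, other in (("A", a, b), ("B", b, a)):
        if own.peer_rbridge_id != other.rbridge_id:     # assumed cross-check
            findings.append(f"{dev}: peer rbridge-id {own.peer_rbridge_id} does not "
                            f"match the other device's rbridge-id {other.rbridge_id}")
        if own.rbridge_id == own.peer_rbridge_id:
            findings.append(f"{dev}: cluster RBridgeID equals peer RBridgeID")
        if len(own.keep_alive_vlans) > 1:
            findings.append(f"{dev}: more than one keep-alive VLAN configured")
        seen = {}
        for name, rb in own.clients.items():
            if rb is None:
                findings.append(f"{dev}: client {name} has no rbridge-id")
            elif rb == own.rbridge_id:
                findings.append(f"{dev}: client {name} RBridgeID {rb} conflicts with cluster RBridgeID")
            elif rb in seen:
                findings.append(f"{dev}: client {name} reuses RBridgeID {rb} of client {seen[rb]}")
            seen[rb] = name
    for name in sorted(set(a.clients) | set(b.clients)):
        if name not in a.clients or name not in b.clients:
            findings.append(f"client {name} is configured on only one device")
        elif a.clients[name] != b.clients[name]:
            findings.append(f"client {name} RBridgeID differs: {a.clients[name]} vs {b.clients[name]}")
    return findings


# Constructed sample: device A in the form of this chapter's examples, device B mirrored.
DEVICE_A = """\
cluster SX 3000
 rbridge-id 2
 session-vlan 3000
 keep-alive-vlan 3001
 icl SX-MCT ethernet 7/3
 peer 1.1.1.3 rbridge-id 3 icl SX-MCT
 deploy
 client client-1
  rbridge-id 100
  client-interface ethernet 7/5
  deploy
!
"""
DEVICE_B = (DEVICE_A.replace(" rbridge-id 2\n", " rbridge-id 3\n")
                    .replace("peer 1.1.1.3 rbridge-id 3", "peer 1.1.1.2 rbridge-id 2"))

if __name__ == "__main__":
    a, b = parse_cluster(DEVICE_A), parse_cluster(DEVICE_B)
    print("consistent pair:", check_pair(a, b))
    print("client mismatch:", check_pair(a, parse_cluster(DEVICE_B.replace("rbridge-id 100", "rbridge-id 101"))))
```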
Step 1: Configure trunks (if needed)

An ICL is typically a trunk group that provides port level redundancy and higher bandwidth for cluster communication. The ICL can be a single interface or a static trunk. LACP on ICL is not supported. If needed, configure the ICL trunk as follows on each cluster device (configuration shown for Brocade-1 in Figure 101).
To implicitly configure the session VLAN and add the ICL as a tagged member of the VLAN, enter the following commands.

Brocade-1(config)#vlan 1000 name MCT-VLAN-example
Brocade-1(config-vlan-1000)#tagged ether 1/4 to 1/5 e 1/7 to 1/8

Step 3: Configure the cluster

Cluster local configuration uses the cluster ID and RBridgeID for the local switch or router.
The client RBridgeID must be identical on both of the cluster devices. To configure the client RBridgeID, use the following command.

Syntax: [no] rbridge-id

To configure the physical port or static trunk as the client CCEP, use the following command.

Syntax: [no] client-interface ethernet

To configure the LACP client CCEP port (you must specify all LACP ports with this command), use the following command.
In the port list, specify all the CCEPs for all potential clients.

2. Start the client auto-detect process on both cluster devices.

Brocade-1(config-cluster-SX)#client-auto-detect start

Within one minute, the system reports information and errors (if there are mismatches such as an LACP configuration mismatch). You can fix the mismatch while the process is running.

3. Check and fix the automatically detected clients.
Use the following command to start the cluster client automatic configuration. Within one minute of the time that each client is discovered, the client is automatically configured and deployed into the running configuration. Make sure that the network connection and configuration are in place before using this command.

Syntax: client-auto-detect start [config-deploy-all]

Use the following command to stop the current running cluster client automatic configuration process.
• Double failures (for example, when the ICL goes down and the client interface goes down on one of the MCT cluster devices)

Multiple failures could drop traffic in this scenario, even if there is a physical path available.

Cluster failover mode

The following failover modes can be configured with MCT:

• Fast-failover (default) - As soon as the ICL interface goes down the CCP goes down. All the remote MAC addresses are flushed.
Using the keep-alive VLAN

CCRR messages are used to exchange information between peer devices. When the CCP is up, CCRR messages are sent over the CCP. When the CCP client reachability is down, you can use the keep-alive-vlan command under the cluster context so CCRR messages are periodically sent over the keep-alive VLAN. Only one VLAN can be configured as a keep-alive VLAN. The keep-alive VLAN cannot be a member VLAN of the MCT and this VLAN can be tagged or untagged.
Layer 2 behavior with MCT

This section describes the Layer 2 behavior when MCT is configured.

MAC operations

This section describes MAC address-related configuration operations.

MAC Database Update

The MAC addresses that are learned locally are given the highest priority or the cost of 0 so they are always selected as the best MAC address. Each MAC address is advertised with a cost. Low cost MAC addresses are given preference over high cost addresses.
Cluster Multi-Destination Remote MAC (CMR): A static MAC entry is configured on MCT VLAN on the peer side and there is no associated local configuration. The CMR entry has only the remote MDB. The port list of a CMR entry has an ICL port, and all the client ports from the client list in the remote configuration. When there is local configuration for the same entry, the CMR is converted to CML.

MAC aging

Only the local MAC entries are aged on a cluster device.
Brocade#clear mac cluster AGG-1 local

Syntax: clear mac cluster | { local | remote }

Clearing client-specific MAC addresses

To clear client-specific MAC addresses in the system, enter a command such as the following.
Syntax: show mac mdup-stats

Syncing router MAC addresses to peer MCT devices

The MCT cluster device uses a router MAC address to identify the packets that are addressed to the switch. Such packets may be received by a peer cluster device. The peer device switches packets over the ICL to the local MCT device to be routed properly.

Dynamic trunks

MCT client creates a single dynamic trunk group towards the MCT cluster devices.
MCT Layer 2 protocols

Keep the following information in mind when configuring Layer 2 protocols with MCT.

MRP

• An ICL interface cannot be configured as an MRP secondary interface or vice versa, because the ICL cannot be BLOCKING.
• MRP cannot be enabled on MCT CCEP port and vice versa.

STP/RSTP

• Configuring STP on MCT VLANs at MCT cluster devices is not recommended. By default, the spanning tree is disabled in the MCT VLANs.
In a cluster, both cluster devices should have exactly the same protocol VLAN membership with respect to ICL and CCEP. ICL and CCEPs should be configured with the same type of protocol/VLAN membership, although there is no such restriction from the CLI.

Uplink switch

Uplink switch is supported on MCT VLANs. ICLs and CCEPs can be configured as uplink-switch ports. Both cluster devices should have exactly the same uplink-switch port memberships with respect to the ICL and CCEPs.
IGMP/MLD snooping behavior on MCT cluster devices

• Local information is synchronized to the MCT peer device using CCP. The information includes Mcache/FDB entry (on arrival of data traffic), joins/leaves, dynamic router ports, and PIM-SM snooping joins/prunes.
• Native control packets (joins/leaves) that are received are processed by protocol code, and also forwarded out if required.
• All control/data traffic is received on ICL.
• Both MCT devices must run pimsm-snoop.
• PIM messages are forwarded by way of hardware.
• PIM join/prune is synced to the peer cluster device using CCP.
• PIM prune is processed only if indicated by the peer cluster device.
• PIM join/prune received natively on ICL is ignored.
• PIM hello is not synced, but is received natively on ICL.
• PIM port/source information is refreshed on both cluster devices by syncing PIM messages and ages out if not refreshed.
Layer 3 behavior with MCT

Table 146 lists the type of Layer 3 support available with MCT. Note that routing protocols are not supported on ICL and CCEPs. At the edge network, it is highly recommended to configure VRRP/VRRP-E when MCT is enabled.
Layer 3 unicast over MCT

The following examples show a sample configuration for the Layer 3 unicast configuration shown in Figure 102.
 client-interface ethernet 3/3
 deploy
!
VRRP-E Configuration
!
vlan 100 by port
 tagged ethe 3/1 ethe 3/3
 router-interface ve 100
!
router vrrp-extended
!
interface ve 100
 ip address 100.1.1.1 255.255.255.0
 ip vrrp-extended vrid 1
  backup priority 255
  ip-address 100.1.1.254
  enable
!
Device B MCT Configuration
!
vlan 10 by port
 tagged ethe 3/1
 router-interface ve 10
!
interface ve 10
 ip address 10.1.1.2 255.255.255.
Switch S1
!
trunk ethe 3 to 4
!
vlan 100 by port
 tagged ethe 3 to 4
 router-interface ve 100
!
interface ve 100
 ip address 100.1.1.100 255.255.255.0
!

MCT for VRRP or VRRP-E

A simple MCT topology addresses resiliency and efficient load balancing in Layer 2 network topologies. To interface with a Layer 3 network, MCT is configured with Virtual Router Redundancy Protocol (VRRP) to add redundancy in Layer 3.
If S1 triggers an ARP request, it generally does so for the default gateway address (virtual IP address if VRRP is deployed). This ARP request can reach A either directly from S1, or through B.

• If the ARP request reaches A directly, it replies through the same port on which it learned S1's MAC address.
• For MCT devices configured with VRRP or VRRP-E, track-port features can be enabled to track the link status to the core devices so the VRRP or VRRP-E failover can be triggered.
• It is not supported to configure several Layer 3 features on VE of the session VLAN. If already configured, such a VLAN cannot be made the session VLAN.
• It is not supported to configure UC/MC routing protocols and the IP follow feature on VEs of member VLANs.
VRRP-E short-path forwarding and revertible option

Under the VRRP-E VRID configuration level, use the short-path-forwarding command. If the revertible option is not enabled, the default behavior will remain the same. Use the following command to enable short path forwarding. The track-port command will monitor the status of the outgoing port on the backup.
Syntax: show cluster config

Displaying state machine information

Use the show cluster client command to display additional state machine information including the reason for Local CCEP down. You can optionally specify an individual cluster and client.
Displaying cluster, peer, and client states

Use the show cluster ccp peer command to display cluster, peer device, and client states. You can optionally specify an individual cluster and request additional details.

Brocade#show cluster 1 ccp peer
…
PEER IP ADDRESS   STATE   UP TIME
---------------------------------------
1.1.1.
 Mirror disabled, Monitor disabled
 Not member of any active trunks
 Not member of any configured trunks
 No port name
 IPG MII 96 bits-time, IPG GMII 96 bits-time
 MTU 1500 bytes, encapsulation Ethernet
 ICL port for icl1 in cluster id 1
 300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
 300 second output rate: 0 bits/sec, 0 packets/sec, 0.
Displaying STP information

Use the show span command to display STP information for an entire device. The MCT-related information is shown in bold in the following example.

Brocade#show span
…
STP instance owned by VLAN 10
Global STP (IEEE 802.
Brocade# show ip multicast pimsm-snooping
vlan 100, has 1 caches.
1   (11.0.0.2 224.10.10.10) has 2 pim join ports out of 2
    OIF 7/3 (age=10), 7/5 (age=10),

Brocade# show ip multicast pimsm-snooping
vlan 100, has 1 caches.
1   (11.0.0.2 224.10.10.10) has 3 pim join ports out of 3
    OIF 3/8 (age=0), 3/3 (age=50), 3/7 (age=50),

(*,G) entry:

Brocade# show ip multicast pimsm-snooping
vlan 100, has 1 caches.
1   (* 224.10.10.
    OIF: TR(e5/4) tag TR(e5/5)
    age=1s up-time=2005s, change=4s vidx=8187 (ref-cnt=1)

The following command displays status about the IGMP router port.

Brocade(config)#show ip multicast cluster vlan 100
Version=2, Intervals: Query=125, Group Age=260, Max Resp=10, Other Qr=260
VL100: cfg V3, vlan cfg passive, 1 grp, 2 (SG) cache, rtr ports,
    router ports: e5/9(260) 100.100.100.
MCT configuration examples

The examples in this section show the topology and configuration for a single-level MCT deployment, two-level MCT deployment, VRRP/VRRP-E, and multicast snooping.

Single-level MCT example

Table 104 shows an example single-level MCT configuration. The associated configuration follows.
 link-aggregate configure timeout short
 link-aggregate active
!
interface ethernet 7/1/3
 link-aggregate configure key 10011
 link-aggregate configure timeout short
 link-aggregate active
!
interface ethernet 8/1/1
 link-aggregate configure
 link-aggregate configure
 link-aggregate active
!
interface ethernet 8/1/2
 link-aggregate configure
 link-aggregate configure
 link-aggregate active
!
interface ethernet 8/1/3
 link-aggregate configure
 link-aggregate configure
 link-aggregate active
!
interface ethernet 3/1/3
 link-aggregate configure key 20011
 link-aggregate configure timeout short
 link-aggregate active
!

AGG-A (R1) - Configuration

This section presents the configuration for the AGG-A(R1) cluster device in Table 104.
AGG-B(R2) - Configuration

This section presents the configuration for the AGG-B(R2) cluster device in Table 104.

trunk ethe 2/1 to 2/2
!
vlan 2 name session-vlan by port
 tagged ethe 2/1 to 2/2
 router-interface ve 2
!
vlan 3 by port
 tagged ethe 1/11
 router-interface ve 3
!
!
vlan 1905 name MAC-scaling-vlan by port
 tagged ethe 1/15 to 1/19 ethe 1/21 to 1/23 ethe 2/1 to 2/2 ethe 2/5 ethe 3/1
!
hostname R2
!
interface ve 2
 ip address 21.1.1.2 255.255.255.
Two-level MCT example

Table 105 shows an example two-level MCT configuration. The associated configuration follows.
AGG-A (R1) - Configuration

This example presents the configuration for the AGG-A(R1) cluster device in Table 105.
AGG-B (R2) - Configuration

This example presents the configuration for the AGG-B(R2) cluster device in Table 105.

!
trunk ethe 1/15 to 1/16
trunk ethe 2/1 to 2/2
!
vlan 2 name session-vlan by port
 tagged ethe 2/1 to 2/2
 router-interface ve 2
!
vlan 3 by port
 tagged ethe 1/11
 router-interface ve 3
!
!
vlan 1905 name MAC-scaling-vlan by port
 tagged ethe 1/15 to 1/19 ethe 1/21 to 1/23 ethe 2/1 to 2/2 ethe 2/5 ethe 3/1
!
hostname R2
!
interface ve 2
 ip address 21.1.1.2 255.255.
DIST-A (R3) - Configuration

This example presents the configuration for the DIST-A(R3) cluster device in Table 105.
DIST-B (R4) - Configuration

This example presents the configuration for the DIST-B(R4) cluster device in Table 105.
MCT configuration with VRRP-E example

Figure 106 shows a sample MCT configuration with VRRP-E. The associated configuration follows. The configuration for VRRP is similar.

FIGURE 106 Sample MCT configuration with VRRP-E

[Figure 106: cluster devices SX800A and SX800B joined by the ICL (5/1-5/2) and a keep-alive link on port 5/3 of each; both connect on port 4/1 to client S1-SW (MCT rbridge-id 777, ports 1/1/1 and 1/1/2). VRRP-E VRID 110 with VRIP 1.110.0.254/24.]

SX800A - MCT configuration

This example presents the MCT configuration for the SX800A cluster device in Table 105.
 peer 1.0.0.253 rbridge-id 800 icl FI_SX-MCT
 deploy
 client S1-SW
  rbridge-id 777
  client-interface ethe 4/1
  deploy
!

SX800A - VRRP-E configuration

This example presents the VRRP-E configuration for the SX800A cluster device in Table 105.

!
router vrrp-extended
!
interface ve 110
 port-name S1-SW
 ip address 1.110.0.253 255.255.255.0
 ip vrrp-extended vrid 110
  backup
  ip-address 1.110.0.
  rbridge-id 777
  client-interface ethe 4/1
  deploy
!

SX800B - VRRP-E configuration

This example presents the VRRP-E configuration for the SX800B cluster device in Table 105.

!
router vrrp-extended
!
interface ve 110
 port-name S1-SW
 ip address 1.110.0.252 255.255.255.0
 ip vrrp-extended vrid 110
  backup
  ip-address 1.110.0.254
  short-path-forwarding
  enable
!

S1-SW configuration

This example presents the configuration for the S1-SW device in Table 105.
Multicast snooping configuration example

Figure 107 shows an example multicast snooping configuration. Sample configurations follow.

FIGURE 107 Multicast snooping over MCT

[Figure 107: cluster devices MCT1 and MCT2 joined by the ICL (7/3-3/3); CEP1 (1/10) on MCT1 and CEP2 (3/8) on MCT2; CCEP1 (7/5) and CCEP2 (3/7) connect to Client-1.]

The following example shows the configuration for multicast snooping for the MCT1 cluster device in Figure 107.
 icl SX-MCT ethernet 7/3
 peer 1.1.1.3 rbridge-id 3 icl SX-MCT
 deploy
 client client-1
  rbridge-id 100
  client-interface ethernet 7/5
  deploy
!

The following example shows the configuration for multicast snooping for the MCT2 cluster device in Figure 107.
vlan 3001 name keep-alive-vlan
 tagged eth 7/4
ip multicast active
interface ve 3000
 ip address 1.1.1.2 255.255.255.0
!
cluster SX 3000
 rbridge-id 2
 session-vlan 3000
 keep-alive-vlan 3001
 icl SX-MCT ethernet 7/3
 peer 1.1.1.3 rbridge-id 3 icl SX-MCT
 deploy
 client client-1
  rbridge-id 100
  client-interface ethernet 7/5
  deploy
!

The following example shows the global configuration for multicast snooping for the MCT2 cluster device in Figure 107.
Chapter 23 GVRP

Table 148 lists the individual Brocade FastIron switches and the GARP VLAN Registration Protocol (GVRP) features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
The Brocade implementation of GARP and GVRP is based on the following standards:
• ANSI/IEEE standard 802.1D, 1998 edition
• IEEE standard 802.1Q, 1998 edition; approved December 8, 1998
• IEEE draft P802.1w/D10, March 26, 2001
• IEEE draft P802.1u/D9, November 23, 2000
• IEEE draft P802.1t/D10, November 20, 2000

GVRP application examples
Figure 108 shows an example of a network that uses GVRP. This section describes various ways you can use GVRP in a network such as this one.
Dynamic core and fixed edge
In this configuration, all ports on the core device are enabled to learn and advertise VLAN information. The edge devices are configured to advertise their VLAN configurations on the ports connected to the core device. GVRP learning is disabled on the edge devices.
[Figure: Core device connected to Edge device A, Edge device B, and Edge device C]
• GVRP is enabled on all ports. Both learning and advertising are enabled.
Dynamic core and dynamic edge
GVRP is enabled on the core device and on the edge devices. This type of configuration is useful if the devices in the edge clouds are running GVRP and advertise their VLANs to the edge devices. The edge devices learn the VLANs and also advertise them to the core. In this configuration, you do not need to statically configure the VLANs on the edge or core devices, although you can have statically configured VLANs on the devices.
Configuration notes for GVRP
• The default VLAN (VLAN 1) is not advertised by the Brocade implementation of GVRP. The default VLAN contains all ports that are not members of statically configured VLANs or VLANs enabled for GVRP.
NOTE
The default VLAN has ID 1 by default. You can change the VLAN ID of the default VLAN, but only before GVRP is enabled. You cannot change the ID of the default VLAN after GVRP is enabled.
• Single STP must be enabled on the device.
NOTE
If you plan to change the GVRP base VLAN ID (4093) or the maximum configurable value for the Leaveall timer (300000 ms by default), you must do so before you enable GVRP.

GVRP configuration
To configure a device for GVRP, globally enable support for the feature, then enable the feature on specific ports. Optionally, you can disable VLAN learning or advertising on specific interfaces. You can also change the protocol timers and the GVRP base VLAN ID.
Syntax: [no] gvrp-max-leaveall-timer
The parameter specifies the maximum number of ms to which you can set the Leaveall timer. You can specify from 300000 – 1000000 (one million) ms. The value must be a multiple of 100 ms. The default is 300000 ms.

Enabling GVRP
To enable GVRP, enter commands such as the following at the global CONFIG level of the CLI.
ethernet specifies a port. Specify the port variable in one of the following formats:
• FWS, FCX, and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• ICX devices – slotnum/portnum
• FESX compact switches – portnum
To specify a list of ports, enter each port as ethernet followed by a space.
• Join – The maximum number of milliseconds (ms) a device's GVRP interfaces wait before sending VLAN advertisements on the interfaces. The actual interval between Join messages is randomly calculated to a value between 0 and the maximum number of milliseconds specified for Join messages. You can set the Join timer to a value from 200 ms up to one third of the value of the Leave timer. The default is 200 ms.
Changing the Join, Leave, and Leaveall timers
The same CLI command controls changes to the Join, Leave, and Leaveall timers. To change the timers, enter a command such as the following.
Brocade(config-gvrp)#join-timer 1000 leave-timer 3000 leaveall-timer 15000
This command changes the Join timer to 1000 ms, the Leave timer to 3000 ms, and the Leaveall timer to 15000 ms.
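The timer rules stated above (Join from 200 ms up to one third of Leave; gvrp-max-leaveall-timer between 300000 and 1000000 ms in multiples of 100 ms; Leaveall not above that ceiling) are easy to get wrong when typed by hand. The checker below is an added illustration, not Brocade code; it parses a join-timer/leave-timer/leaveall-timer command line such as the one above and reports every violated rule. It models only the constraints quoted in this section; any further Leave or Leaveall rule is assumed not to exist here.

```python
"""Check GVRP timer values against the rules this section states (added illustration)."""
import re
from dataclasses import dataclass

JOIN_MIN_MS = 200                      # "from 200" ms; also the default
MAX_LEAVEALL_DEFAULT_MS = 300000       # default gvrp-max-leaveall-timer
MAX_LEAVEALL_RANGE_MS = (300000, 1000000)
TIMER_RE = re.compile(r"\b(join|leave|leaveall)-timer\s+(\d+)")


@dataclass(frozen=True)
class GvrpTimers:
    join_ms: int
    leave_ms: int
    leaveall_ms: int


def parse_timer_command(line: str) -> GvrpTimers:
    """Parse 'join-timer J leave-timer L leaveall-timer A'; a CLI prompt prefix is ignored."""
    found = {name: int(value) for name, value in TIMER_RE.findall(line)}
    missing = {"join", "leave", "leaveall"} - found.keys()
    if missing:
        raise ValueError(f"timer command is missing: {sorted(missing)}")
    return GvrpTimers(found["join"], found["leave"], found["leaveall"])


def check_max_leaveall(max_leaveall_ms: int) -> list[str]:
    """Problems with a gvrp-max-leaveall-timer value; an empty list means acceptable."""
    lo, hi = MAX_LEAVEALL_RANGE_MS
    problems = []
    if not lo <= max_leaveall_ms <= hi:
        problems.append(f"max Leaveall {max_leaveall_ms} ms is outside {lo}-{hi} ms")
    if max_leaveall_ms % 100:
        problems.append(f"max Leaveall {max_leaveall_ms} ms is not a multiple of 100 ms")
    return problems


def check_timers(t: GvrpTimers, max_leaveall_ms: int = MAX_LEAVEALL_DEFAULT_MS) -> list[str]:
    """Problems with a Join/Leave/Leaveall triple under the given Leaveall ceiling."""
    problems = check_max_leaveall(max_leaveall_ms)
    join_ceiling = t.leave_ms // 3      # "one third the value of the Leave timer"
    if t.join_ms < JOIN_MIN_MS:
        problems.append(f"Join {t.join_ms} ms is below the {JOIN_MIN_MS} ms minimum")
    if t.join_ms > join_ceiling:
        problems.append(f"Join {t.join_ms} ms exceeds one third of Leave ({join_ceiling} ms)")
    if t.leaveall_ms > max_leaveall_ms:
        problems.append(f"Leaveall {t.leaveall_ms} ms exceeds the configured maximum {max_leaveall_ms} ms")
    return problems


if __name__ == "__main__":
    cmd = "Brocade(config-gvrp)#join-timer 1000 leave-timer 3000 leaveall-timer 15000"
    print(check_timers(parse_timer_command(cmd)) or "timers consistent")
```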
NOTE
You cannot add the VLAN ports as untagged ports.
NOTE
After you convert the VLAN, the VLAN name changes from “GVRP_VLAN_” to “STATIC_VLAN_”.
ethernet specifies a port.
Displaying GVRP configuration information
To display GVRP configuration information, enter a command such as the following.
TABLE 149 CLI display of summary GVRP information (Continued)
Field – Description
GVRP Join Timer – The value of the Join timer.
NOTE: For descriptions of the Join, Leave, and Leaveall timers or to change the timers, refer to “Changing the GVRP timers” on page 890.
GVRP Leave Timer – The value of the Leave timer.
GVRP Leave-all Timer – The value of the Leaveall timer.
Configuration that is being used – The configuration commands used to enable GVRP on individual ports.
Brocade#show gvrp ethernet 2/1
Port 2/1
  GVRP Enabled   : YES
  GVRP Learning  : ALLOWED
  GVRP Applicant : ALLOWED
  Port State     : UP
  Forwarding     : YES
  VLAN Membership:
    [VLAN-ID]  [MODE]
    1          FORBIDDEN
    2          FIXED
    1001       NORMAL
    1003       NORMAL
    1004       NORMAL
    1007       NORMAL
    1009       NORMAL
    1501       NORMAL
    2507       NORMAL
    4001       NORMAL
    4093       FORBIDDEN
    4094       FORBIDDEN
This display shows the following information.
Brocade#show gvrp vlan brief
Number of VLANs in the GVRP Database: 7
Maximum Number of VLANs that can be present: 4095
[VLAN-ID]  [MODE]                    [VLAN-INDEX]
1          STATIC-DEFAULT            0
7          STATIC                    2
11         STATIC                    4
1001       DYNAMIC                   7
1003       DYNAMIC                   8
4093       STATIC-GVRP-BASE-VLAN     6
4094       STATIC-SINGLE-SPAN-VLAN   5
===========================================================================
Syntax: show gvrp vlan all | brief |
This display shows the following information.
TABLE 152 CLI display of summary VLAN information for GVRP
Field – Description
VLAN-ID – The VLAN ID.
VLAN-INDEX – A number used as an index into the internal database.
STATIC – Whether the VLAN is a statically configured VLAN.
DEFAULT – Whether this is the default VLAN.
BASE-VLAN – Whether this is the base VLAN for GVRP.
• FWS, FCX, and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• ICX devices – slotnum/portnum
• FESX compact switches – portnum
This display shows the following information for the port.
TABLE 153 CLI display of GVRP statistics
Field – Description
Leave All Received – The number of Leaveall messages received.
Join Empty Received – The number of Join Empty messages received.
Join In Received – The number of Join In messages received.
Leave Empty Received – The number of Leave Empty messages received.
Leave In Received – The number of Leave In messages received.
Displaying CPU utilization statistics
You can display CPU utilization statistics for GVRP. To display CPU utilization statistics for GVRP for the previous one-second, one-minute, five-minute, and fifteen-minute intervals, enter the following command at any level of the CLI.
Brocade#show process cpu
Process Name  5Sec(%)  1Min(%)  5Min(%)
ARP           0.01     0.03     0.09
BGP           0.00     0.00     0.00
GVRP          0.00     0.03     0.
ICMP          0.00     0.00
IP            0.00     0.00
OSPF          0.00     0.00
RIP           0.00     0.00
STP           0.00     0.00
VRRP          0.00     0.00
Syntax: show process cpu []
The parameter specifies the number of seconds and can be from 1 – 900. If you use this parameter, the command lists the usage statistics only for the specified number of seconds. If you do not use this parameter, the command lists the usage statistics for the previous one-second, one-minute, five-minute, and fifteen-minute intervals.

Clearing GVRP statistics
To clear the GVRP statistics counters, enter the clear gvrp statistics all command.
GVRP CLI examples Enter the following commands on edge device A.
Brocade> enable
Brocade#configure terminal
Brocade(config)#gvrp-enable
Brocade(config-gvrp)#enable all

Fixed core and dynamic edge
In this configuration, GVRP learning is enabled on the edge devices. The VLANs on the core device are statically configured, and the core device is enabled to advertise its VLANs but not to learn VLANs. The edge devices learn the VLANs from the core. Enter the following commands on the core device.
Chapter 24 MAC-based VLANs Table 154 lists the individual Brocade FastIron switches and the MAC-based VLAN features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
MAC-based VLAN overview
MAC-based VLAN feature structure
The MAC-based VLAN feature operates in two stages:
• Source MAC Address Authentication
• Policy-Based Classification and Forwarding

Source MAC address authentication
Source MAC address authentication is performed by a central RADIUS server when it receives a PAP request with a username and password that match the MAC address being authenticated.
Dynamic MAC-based VLAN
When enabled, the dynamic MAC-based VLAN feature allows the dynamic addition of mac-vlan-permit ports to the VLAN table only after successful RADIUS authentication. Ports that fail RADIUS authentication are not added to the VLAN table. When this feature is not enabled, the physical port is statically added to the hardware table, regardless of the outcome of the authentication process.
TABLE 155 CLI commands for MAC-based VLANs (Continued)
CLI command – Description – CLI level
mac-auth mac-vlan max-mac-entries – The maximum number of allowed and denied MAC addresses (static and dynamic) that can be learned on a port. The default is 2.
mac-vlan-permit ethe 0/1/1 ethe 0/1/3
default-vlan-id 4000
ip address 10.44.3.3 255.255.255.0
ip default-gateway 10.44.3.1
radius-server host 10.44.3.111
radius-server key 1 $-ndUno
mac-authentication enable
mac-authentication mac-vlan-dyn-activation
mac-authentication max-age 60
mac-authentication hw-deny-age 30
mac-authentication auth-passwd-format xxxx.xxxx.
Using MAC-based VLANs and 802.1X security on the same port
On Brocade devices, MAC-based VLANs and 802.1X security can be configured on the same port. When both of these features are enabled on the same port, MAC-based VLAN is performed prior to 802.1X authentication. If MAC-based VLAN is successful, 802.1X authentication may be performed, based on the configuration of a vendor-specific attribute (VSA) in the profile for the MAC address on the RADIUS server.
TABLE 157 Brocade vendor-specific attributes for RADIUS
Attribute name – Attribute ID – Data type – Optional or mandatory – Description
Foundry-MAC-based VLAN-QoS – 8 – decimal – Optional – The QoS attribute specifies the priority of the incoming traffic based on any value between 0 (lowest priority) and 7 (highest priority). Default is 0.
Foundry-802_1x-enable – 6 – integer – Optional – Specifies whether 802.
aging period ends, the software aging period begins. The software aging period lasts for a configurable amount of time (the default is 120 seconds). After the software aging period ends, the MAC-based VLAN session is flushed, and the MAC address can be authenticated or denied if the Brocade device again receives traffic from that MAC address.
For MAC-based dynamic activation
If all of the sessions age out on a port, the port is dynamically removed from the VLAN table.
Disabling the aging on interfaces
To disable aging on a specific interface where MAC-based VLAN has been enabled, enter the command at the interface level.
6. To remove and disable the MAC-based VLAN configuration:
   Brocade(config)#interface e 0/1/1
   Brocade(config-if-e1000-0/1/1)#no mac-auth mac-vlan

Configuring MAC-based VLAN for a dynamic host
Follow the steps given below to configure MAC-based VLAN for a dynamic host.
1. Enable multi-device port authentication globally using the following command.
   Brocade(config)#mac-authentication enable
2.
NOTE
If the Dynamic MAC-based VLAN is enabled after any MAC-based VLAN sessions are established, all sessions are flushed and the mac-vlan-permit ports are removed from the VLAN. The ports are then added back to the VLAN dynamically after they successfully pass the RADIUS authentication process.

Configuring MAC-based VLANs using SNMP
Several MIB objects have been developed to allow the configuration of MAC-based VLANs using SNMP.
Displaying the MAC-VLAN table for a specific MAC address
Enter the show table-mac-vlan command to display the MAC-VLAN table information for a specific MAC address.
Brocade(config)#show table-mac-vlan 0000.0010.1001
-------------------------------------------------------------------------------
MAC Address     Port   Vlan   Authenticated   Time   Age   dot1x
-------------------------------------------------------------------------------
0000.0010.
Field – Description
Time – The time at which each MAC address was authenticated. If the clock is set on the Brocade device, then the actual date and time are displayed. If the clock has not been set, then the time is displayed relative to when the device was last restarted.
Age – The age of the MAC address entry in the authenticated MAC address list.
Dot1x – Indicates whether 802.1X authentication is enabled or disabled for each MAC address.
Displaying detailed MAC-VLAN data
Enter the show table-mac-vlan detailed command to display a detailed version of MAC-VLAN information.
Brocade#show table-mac-vlan detailed e 0/1/2
Port                       : 0/1/2
Dynamic-Vlan Assignment    : Disabled
RADIUS failure action      : Block Traffic
Failure restrict use dot1x : No
Override-restrict-vlan     : Yes
Vlan                       : (MAC-PERMIT-VLAN )
Port Vlan State            : DEFAULT
802.
Displaying MAC-VLAN information for a specific interface
Enter the show table-mac-vlan e command to display MAC-VLAN information for a specific interface.
Brocade#show table-mac-vlan e 0/1/1
-------------------------------------------------------------------------------
MAC Address     Port   Vlan   Authenticated   Time   Age   CAM     MAC     Dot1x   Type   Pri
                                                           Index   Index
-------------------------------------------------------------------------------
0000.0100.
Field – Description
Type – Dyn indicates a dynamic host. Sta indicates a static host.
Pri – This field indicates the value set for the Foundry-MAC-based VLAN-QoS attribute in the RADIUS configuration for dynamic hosts, if configured. If the Foundry-MAC-based VLAN-QoS attribute is not configured, the value will be zero. For static hosts, the user-configured priority value for the MAC address is displayed.
Displaying MAC-based VLAN logging
Enter the show logging command to display MAC-based VLAN logging activity.
Sample MAC-based VLAN application
FIGURE 109 Sample MAC-based VLAN configuration
[Figure 109: RADIUS Server with User: 0030.4875.3f73 (Host B), Tunnel-Private-Group-ID = VLAN2, and no profile for MAC 0030.4875.3ff5 (Host C). Brocade Device port e1 (mac-vlan-permit) connects through a hub to Host station A (MAC 0030.4888.b9fe, untagged), Host station B (MAC 0030.4875.3f73, untagged), and Host station C (MAC 0030.4875. , untagged)]
mac-authentication hw-deny-age 30
mac-authentication auth-passwd-format xxxx.xxxx.xxxx
interface ethernet 0/1/1
 mac-authentication mac-vlan max-mac-entries 5
 mac-authentication mac-vlan 0030.4888.b9fe vlan 1 priority 1
 mac-authentication mac-vlan enable
!
interface ethernet 0/1/2
 mac-authentication mac-vlan max-mac-entries 5
 mac-authentication mac-vlan enable
!
!
end
The show table-mac-vlan command returns the following results for all ports in this configuration.
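The RADIUS exchange behind the sample in Figure 109 (and behind the "Source MAC address authentication" description earlier in this chapter) can be modelled end to end: the switch sends a PAP Access-Request whose User-Name and User-Password are both the client MAC in auth-passwd-format xxxx.xxxx.xxxx, and the server answers with Access-Accept carrying Tunnel-Private-Group-ID or with Access-Reject. The code below is an added illustration, not Brocade or RADIUS-server code; framing, PAP password hiding and the Response Authenticator follow RFC 2865, and the shared secret, packet identifier and profile table are constructed samples (Host B has a profile for VLAN2, Host C has none, as in the figure).

```python
"""RADIUS PAP exchange for MAC-based VLAN authentication (added illustration, not Brocade code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, TUNNEL_PRIVATE_GROUP_ID = 1, 2, 81


def format_mac(mac: str, fmt: str = "xxxx.xxxx.xxxx") -> str:
    """Render a MAC in the auth-passwd-format pattern (one 'x' per hex digit)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12 or fmt.count("x") != 12:
        raise ValueError(f"bad MAC {mac!r} or format {fmt!r}")
    it = iter(digits)
    return "".join(next(it) if c == "x" else c for c in fmt)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value


def packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(raw: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject malformed input."""
    if len(raw) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match packet size")
    attrs, i = [], 20
    while i < length:
        t, l = raw[i], (raw[i + 1] if i + 1 < length else 0)
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, raw[i + 2:i + l]))
        i += l
    return code, identifier, raw[4:20], attrs


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(mac, secret, identifier=1, authenticator=None):
    """Switch side: User-Name and User-Password are both the formatted MAC (PAP)."""
    authenticator = authenticator or os.urandom(16)
    ident = format_mac(mac).encode()
    attrs = attr(USER_NAME, ident) + attr(USER_PASSWORD, hide_password(ident, secret, authenticator))
    return packet(ACCESS_REQUEST, identifier, authenticator, attrs)


def handle_request(raw, secret, profiles):
    """Toy server: accept when the revealed password equals the username and a profile exists."""
    code, identifier, req_auth, attrs = parse_packet(raw)
    d = dict(attrs)
    user = d.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(d.get(USER_PASSWORD, b""), secret, req_auth)
    if code == ACCESS_REQUEST and user and password == user.encode() and user in profiles:
        # Tunnel-Private-Group-ID carries a leading tag byte; 0x00 means untagged.
        reply, reply_attrs = ACCESS_ACCEPT, attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + profiles[user].encode())
    else:
        reply, reply_attrs = ACCESS_REJECT, b""
    return packet(reply, identifier, response_authenticator(reply, identifier, req_auth, reply_attrs, secret), reply_attrs)


def accepted_vlan(response, request, secret):
    """Switch side: verify identifier and Response Authenticator, then return the VLAN, else None."""
    code, identifier, resp_auth, attrs = parse_packet(response)
    _, req_identifier, req_auth, _ = parse_packet(request)
    expected = response_authenticator(code, identifier, req_auth, response[20:], secret)
    if identifier != req_identifier or not hmac.compare_digest(resp_auth, expected):
        return None  # forged or mismatched reply: never act on it
    if code != ACCESS_ACCEPT:
        return None
    for t, v in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID:
            return (v[1:] if v and v[0] <= 0x1F else v).decode()
    return None
```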
Chapter 25 Port mirroring and Monitoring Table 158 lists the individual Brocade FastIron switches and the mirroring features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Port mirroring and monitoring overview
You can configure port mirroring by assigning a port (known as the Monitor port) from which packets are copied and sent to a destination port (known as the Mirror port). All packets received on the Monitor port or transmitted from it are forwarded to the second port. You then attach a protocol analyzer to the mirror port to monitor each segment separately. The analyzer captures and evaluates the data without affecting the client on the original port.
Port mirroring and monitoring configuration
To configure port monitoring, first specify the mirror port, then enable monitoring on the monitored port. The mirror port is the port to which the monitored traffic is copied. Attach your protocol analyzer to the mirror port. The monitored port is the port with the traffic you want to monitor. Table 159 lists the number of mirror and monitor ports supported on the Brocade devices.
• The same port can be monitored by one mirror port for ingress traffic and another mirror port for egress traffic.
• The mirror port cannot be a trunk port.
• The monitored port and its mirror port do not need to belong to the same port-based VLAN:
  - If the mirror port is in a different VLAN from the monitored port, the packets are tagged with the monitor port VLAN ID. This does not apply if the mirror port resides on the SX-FI48GPP module.
The previous command is required even though the analyzer port is already set globally by the port mirroring command.
To display the port monitoring configuration, enter the show monitor and show mirror commands.

Monitoring an individual trunk port
You can monitor the traffic on an individual port of a static trunk group, and on an individual port of an LACP trunk group. By default, when you monitor the primary port in a trunk group, aggregated traffic for all the ports in the trunk group is copied to the mirror port.
• The maximum number of monitored VLANs on an IronStack is 8.

Configuring mirroring for ports on different members in an IronStack example
In this example, although two ports are configured as active ports, only one active mirror port (port 1/1/24) is allowed for the entire stack because the mirror ports and the monitored ports are on different stack members.
Brocade(config-if-e1000-1/1/5)#acl-mirror-port ethernet 1/1/2
To display ACL mirror settings, enter the show access-list all command.
Brocade#show access-list all
Extended IP access list 101
permit ip any any mirror

ACL-based inbound mirror clauses for FastIron X Series devices
The mirror parameter in an ACL clause causes the system to direct traffic that meets the clause to be sent to a mirror port. Consider the following example.
Specify the port variable in one of the following formats:
• FWS, FCX, and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• ICX devices – slotnum/portnum
• FESX compact switches – portnum

Ports from a port region must be mirrored to the same destination mirror port
Port regions, as described in “About port regions” on page 556, are important when defining a destination mirror port.
Brocade(config)#trunk ethernet 1/1 to 1/4
Brocade(config)#interface ethernet 1/1
Brocade(config-if-e10000-1/1)#ACL-mirror-port ethernet 1/8
Using this configuration, all trunk traffic is mirrored to port 1/8.
Configuring ACL-based mirroring for ACLs bound to virtual interfaces
For configurations that have an ACL configured for ACL-based mirroring bound to a virtual interface, you must use the ACL-mirror-port command on a physical port that is a member of the same VLAN as the virtual interface. Additionally, only traffic that arrives at ports that belong to the same port group as the physical port where the ACL-mirror-port command has been used is mirrored.
MAC address filter-based mirroring
NOTE
The MAC address filter-based mirroring feature is not supported on FastIron X Series devices.
This feature allows traffic entering an ingress port to be monitored from a mirror port connected to a data analyzer, based on specific source and destination MAC addresses. This feature supports mirroring of inbound traffic only. Outbound mirroring is not supported.
In this example, any flow matching the source address (SA) 0000.1111.2222 and the destination address (DA) 0000.2222.3333 is mirrored. Other flows are not mirrored.
3. Applying the MAC address filter to an interface
Apply the MAC address filter to an interface using the mac-filter-group command.
   Brocade(config)#interface ethernet 0/1/1
   Brocade(config-if-e10000-0/1/1)#mac filter-group 1
4.
Brocade#show vlan
Total PORT-VLAN entries: 4
Maximum PORT-VLAN entries: 4060
Legend: [Stk=Stack-Unit, S=Slot]
PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree On
 Untagged Ports: (Stk0/S1)   3   4   5   6   7   8   9  10  11  12
 Untagged Ports: (Stk0/S1)  15  16  17  18  19  20  21  22  23  24
 Untagged Ports: (Stk0/S1)  27  28  29  30  31  32  33  34  35  36
 Untagged Ports: (Stk0/S1)  39  40  41  42  43  44  45  46  47  48
 Untagged Ports: (Stk0/S2)   1   2
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
 Mac-Vlan
VLAN-based mirroring on FastIron X Series devices
With the new FastIron X Series of modules, the sFlow processing has been separated from the packet mirroring functionality. This allows for support of VLAN-based mirroring on the FastIron X Series devices. The packet processor on the FastIron X Series of modules also allows for egress VLAN-based mirroring. In order for VLAN-based monitoring to function, the FastIron X Series must have only the following SX modules installed.
• sFlow can be enabled concurrently with VLAN-based mirroring and port mirroring.
• VLAN-based mirroring is supported on the default VLAN. If the default VLAN is changed dynamically, the configuration is not lost.
• VLAN-based mirroring on VLAN groups is not supported, but it is supported on topology groups.
• In the case of enabling VLAN-based monitoring on the interface modules in an MCT-enabled chassis, the VLAN configuration is not synced across the cluster.
• If the VLAN is egress monitored and ports belonging to the VLAN are also egress monitored, the egress traffic is mirrored for each egress port, as well as the VLAN, resulting in several duplicated mirrored packets. The count of duplicate packets is computed as (1 + Number of egress mirrored ports in the VLAN) * Number of egress packets.
Brocade(config)#vlan 10
Brocade(config-VLAN-10)#monitor ethernet 6/24 both
Brocade(config-VLAN-10)#exit
Brocade(config)#vlan 20
Brocade(config-VLAN-20)#monitor ethernet 6/24 both
Brocade(config-VLAN-20)#end
To disable mirroring on VLAN 20, enter the following commands.
Displaying VLAN-based mirroring status
The show vlan command displays the VLAN-based mirroring status.
Chapter 26 IP Configuration Table 163 lists the individual Brocade FastIron switches and the IP features they support. These features are supported with the base Layer 3, edge Layer 3 and full Layer 3 software image, except where explicitly noted.
TABLE 163 Supported IP features
Feature – FESX – FSX 800 / FSX 1600 – FWS – FCX – ICX 6610 – ICX 6430 – ICX 6450
Routing for directly connected IP subnets – Yes – Yes – Yes – Yes – ICX 6450 only
Virtual Interfaces (up to 512 virtual interfaces) – Yes – Yes – Yes – Yes – ICX 6450 only, up to 255
31-bit subnet mask on point-to-point networks – Yes on devices running full Layer 3 image – No – Yes on devices running full Layer 3 image – Yes on devices running full Layer 3 image – No
Address Resolution Prot
If you are configuring a Layer 3 Switch, refer to “Configuring IP addresses” on page 964 to add IP addresses, then enable and configure the route exchange protocols, as described in other chapters of this guide. If you are configuring a Layer 2 Switch, refer to “Configuring the management IP address and specifying the default gateway” on page 1037 to add an IP address for management access through the network and to specify the default gateway.
• Multicast protocols:
  - Internet Group Membership Protocol (IGMP)
  - Protocol Independent Multicast Dense (PIM-DM)
  - Protocol Independent Multicast Sparse (PIM-SM)
  - Distance Vector Multicast Routing Protocol (DVMRP)
• Router redundancy protocols:
  - Virtual Router Redundancy Protocol Extended (VRRP-E)
  - Virtual Router Redundancy Protocol (VRRP)

IP interfaces
NOTE
This section describes IPv4 addresses.
Layer 2 Switches
You can configure an IP address on a Brocade Layer 2 Switch for management access to the Layer 2 Switch. An IP address is required for Telnet access, Web management access, and SNMP access. You also can specify the default gateway for forwarding traffic to other subnets.

IP packet flow through a Layer 3 Switch
Figure 110 shows how an IP packet moves through a Brocade Layer 3 Switch.
Figure 110 shows the following packet flow:
1. When the Layer 3 Switch receives an IP packet, the Layer 3 Switch checks for filters on the receiving interface.1 If a deny filter on the interface denies the packet, the Layer 3 Switch discards the packet and performs no further processing, except generating a Syslog entry and SNMP message, if logging is enabled for the filter.
2.
ARP cache
The ARP cache can contain dynamic (learned) entries and static (user-configured) entries. The software places a dynamic entry in the ARP cache when the Layer 3 Switch learns a device MAC address from an ARP request or ARP reply from the device. The software can learn an entry when the Layer 2 Switch or Layer 3 Switch receives an ARP request from another IP forwarding device or an ARP reply. Here is an example of a dynamic entry:
IP Address 207.95.6.
NOTE
Layer 2 Switches do not have an IP route table. A Layer 2 Switch sends all packets addressed to another subnet to the default gateway, which you specify when you configure the basic IP information on the Layer 2 Switch.
IP forwarding cache
The IP forwarding cache provides a fast-path mechanism for forwarding IP packets. The cache contains entries for IP destinations.
IP route exchange protocols
Brocade Layer 3 Switches support the following IP route exchange protocols:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol version 4 (BGP4)
All these protocols provide routes to the IP route table. You can use one or more of these protocols, in any combination. The protocols are disabled by default.
ACLs and IP access policies
Brocade Layer 3 Switches provide two mechanisms for filtering IP traffic:
• Access Control Lists (ACLs)
• IP access policies
Both methods allow you to filter packets based on Layer 3 and Layer 4 source and destination information. ACLs also provide great flexibility by providing the input to various other filtering mechanisms such as route maps, which are used by BGP4.
When parameter changes take effect
Most IP parameters described in this chapter are dynamic. They take effect immediately, as soon as you enter the CLI command or select the Web Management Interface option. You can verify that a dynamic change has taken effect by displaying the running-config. To display the running-config, enter the show running-config or write terminal command at any CLI prompt.
TABLE 164 IP global parameters – Layer 3 Switches (Continued)
Parameter – Description – Default – For more information
Maximum Transmission Unit (MTU) – The maximum length an Ethernet packet can be without being fragmented.
TABLE 164 IP global parameters – Layer 3 Switches (Continued)
Parameter – Description – Default – For more information
Source-routed packet forwarding – A source-routed packet contains a list of IP addresses through which the packet must pass to reach its destination.
TABLE 164 IP global parameters – Layer 3 Switches (Continued)
Parameter – Description – Default – For more information
Maximum IP load sharing paths – The maximum number of equal-cost paths across which the Layer 3 Switch is allowed to distribute traffic.
TABLE 165 IP interface parameters – Layer 3 Switches (Continued)
Parameter – Description – Default – For more information
Maximum Transmission Unit (MTU) – The maximum length (number of bytes) of an encapsulated IP datagram the router can forward. – 1500 for Ethernet II encapsulated packets; 1492 for SNAP encapsulated packets – page 975
ARP age – Locally overrides the global setting. – Refer to Table 164 on page 956.
TABLE 165 IP interface parameters – Layer 3 Switches (Continued)
Parameter – Description – Default – For more information
UDP broadcast forwarding – The router can forward UDP broadcast packets for UDP applications such as BootP. By forwarding the UDP broadcasts, the router enables clients on one subnet to find servers attached to other subnets.
Basic IP parameters and defaults – Layer 2 Switches
IP is enabled by default. The following tables list the Layer 2 Switch IP parameters, their default values, and where to find configuration information.
NOTE
Brocade Layer 2 Switches also provide IP multicast forwarding, which is enabled by default. For information about this feature, refer to Chapter 34, “IP Multicast Traffic Reduction on Brocade FastIron X Series switches”.
TABLE 166 IP global parameters – Layer 2 Switches (Continued)
Parameter – Description – Default – For more information
Time to Live (TTL) – The maximum number of routers (hops) through which a packet can pass before being discarded. Each router decreases a packet TTL by 1 before forwarding the packet. If decreasing the TTL causes the TTL to be 0, the router drops the packet instead of forwarding it.
Interface IP parameters – Layer 2 Switches
Table 167 lists the interface-level IP parameters for Layer 2 Switches.
TABLE 167 Interface IP parameters – Layer 2 Switches
Parameter – Description – Default – For more information
DHCP gateway stamp – You can configure a list of DHCP stamp addresses for a port. When the port receives a DHCP/BootP Discovery packet from a client, the port places the IP addresses in the gateway list into the packet Gateway field.
Brocade devices support both classical IP network masks (Class A, B, and C subnet masks, and so on) and Classless Interdomain Routing (CIDR) network prefix masks:
• To enter a classical network mask, enter the mask in IP address format. For example, enter “209.157.22.99 255.255.255.0” for an IP address with a Class-C subnet mask.
• To enter a prefix network mask, enter a forward slash ( / ) and the number of bits in the mask immediately after the IP address.
NOTE
All physical IP interfaces on Brocade FastIron Layer 3 devices share the same MAC address. For this reason, if more than one connection is made between two devices, one of which is a Brocade FastIron Layer 3 device, Brocade recommends the use of virtual interfaces. It is not recommended to connect two or more physical IP interfaces between two routers.
To add a virtual interface to a VLAN and configure an IP address on the interface, enter commands such as the following.

Brocade(config)# vlan 2 name IP-Subnet_1.1.2.0/24
Brocade(config-vlan-2)# untag ethernet 1 to 4
Brocade(config-vlan-2)# router-interface ve1
Brocade(config-vlan-2)# interface ve1
Brocade(config-vif-1)# ip address 1.1.2.1/24

The first two commands in this example create a Layer 3 protocol-based VLAN name “IP-Subnet_1.1.2.
Brocade(config-vif-1)# interface ve 2
Brocade(config-vif-2)# ip follow ve 1
Brocade(config-vif-2)# interface ve 3
Brocade(config-vif-3)# ip follow ve 1

Syntax: [no] ip follow ve <num>

For <num>, enter the ID of the virtual routing interface whose IP address is to be shared. Use the no form of the command to disable the configuration.

Virtual routing interfaces 2 and 3 do not have their own IP subnet addresses, but share the IP address of virtual routing interface 1.
Configuring an IPv4 address with a 31-bit subnet mask

You can configure an IPv4 address with a 31-bit subnet mask on any interface (for example, Ethernet, loopback, VE, or tunnel interfaces). To configure an IPv4 address with a 31-bit subnet mask, enter the following commands.

Brocade(config)# interface ethernet 1/1/5
Brocade(config-if-e1000-1/5)# ip address 9.9.9.9 255.255.255.
RouterB(config)# interface ethernet 1/3/1
RouterB(config-if-e1000-1/3/1)# ip address 2.2.2.1/24

Router C

RouterC(config)# interface ethernet 1/3/1
RouterC(config-if-e1000-1/3/1)# ip address 2.2.2.
FIGURE 112 DNS resolution with one domain name

[Figure: DNS servers (DNS Server 1 through DNS Server 4) with host names and IP addresses configured; the domain name eng.company.com is configured in the FastIron switch. 1. Client sends a command to ping "mary". 2. FastIron switch sends "mary.eng.company.com" to the DNS servers for resolution. 4. If “mary.eng.company.com” is in the DNS servers, its IP address is returned.]
Defining a domain list

If you want to use more than one domain name to resolve host names, you can create a list of domain names. For example, enter commands such as the following.

Brocade(config)# ip dns domain-list company.com
Brocade(config)# ip dns domain-list ds.company.com
Brocade(config)# ip dns domain-list hw_company.com
Brocade(config)# ip dns domain-list qa_company.
Configuring packet parameters

You can configure the following packet parameters on Layer 3 Switches. These parameters control how the Layer 3 Switch sends IP packets to other devices on an Ethernet network. The Layer 3 Switch always places IP packets into Ethernet packets to forward them on an Ethernet port.
• Encapsulation type – The format for the Layer 2 packets within which the Layer 3 Switch sends IP packets.
Changing the MTU

The Maximum Transmission Unit (MTU) is the maximum length of IP packet that a Layer 2 packet can contain. IP packets that are longer than the MTU are fragmented and sent in multiple Layer 2 packets. You can change the MTU globally or on individual ports. The default MTU is 1500 bytes for Ethernet II packets and 1492 for Ethernet SNAP packets.

Globally changing the Maximum Transmission Unit

The Maximum Transmission Unit (MTU) is the maximum size an IP packet can be when encapsulated in a Layer 2 packet. If an IP packet is larger than the MTU allowed by the Layer 2 packet, the Layer 3 Switch fragments the IP packet into multiple parts that will fit into the Layer 2 packets, and sends the parts of the fragmented IP packet separately, in different Layer 2 packets.

The parameter specifies the MTU. Ethernet II packets can hold IP packets from 576 through 1500 bytes long. If jumbo mode is enabled, Ethernet II packets can hold IP packets up to 10,240 bytes long. Ethernet SNAP packets can hold IP packets from 576 through 1492 bytes long. If jumbo mode is enabled, SNAP packets can hold IP packets up to 10,240 bytes long. The default MTU for Ethernet II packets is 1500. The default MTU for SNAP packets is 1492.
To change the router ID, enter a command such as the following.

Brocade(config)# ip router-id 209.157.22.26

Syntax: ip router-id <ip-addr>

The <ip-addr> can be any valid, unique IP address.

NOTE
You can specify an IP address used for an interface on the Brocade Layer 3 Switch, but do not specify an IP address in use by another device.
Telnet packets

To specify the lowest-numbered IP address configured on a virtual interface as the device source for all Telnet packets, enter commands such as the following.

Brocade(config)# interface loopback 2
Brocade(config-lbif-2)# ip address 10.0.0.2/24
Brocade(config-lbif-2)# exit
Brocade(config)# ip telnet source-interface loopback 2

The commands in this example configure loopback interface 2, assign IP address 10.0.0.
Brocade(config)# interface ve 1
Brocade(config-vif-1)# ip address 10.0.0.3/24
Brocade(config-vif-1)# exit
Brocade(config)# ip radius source-interface ve 1

The commands in this example configure virtual interface 1, assign IP address 10.0.0.3/24 to the interface, then designate the interface as the source for all RADIUS packets from the Layer 3 Switch.
The variable is a valid port number. The variable is a loopback interface or virtual interface number. The default is the lowest-numbered IP or IPv6 address configured on the port through which the packet is sent. The address therefore changes, by default, depending on the port.

SNTP packets

To specify the lowest-numbered IP address configured on a virtual interface as the device source for all SNTP packets, enter commands such as the following.
SNMP packets

To specify a loopback interface as the SNMP single source trap, enter commands such as the following.

Brocade(config)# interface loopback 1
Brocade(config-lbif-1)# ip address 10.0.0.1/24
Brocade(config-lbif-1)# exit
Brocade(config)# snmp-server trap-source loopback 1

The commands in this example configure loopback interface 1, assign IP address 10.00.
To obtain the MAC address required for forwarding a datagram, the Layer 3 Switch does the following:
• First, the Layer 3 Switch looks in the ARP cache (not the static ARP table) for an entry that lists the MAC address for the IP address. The ARP cache maps IP addresses to MAC addresses. The cache also lists the port attached to the device and, if the entry is dynamic, the age of the entry.
To limit the number of ARP packets the device will accept each second, enter the rate-limit-arp command at the global CONFIG level of the CLI.

Brocade(config)# rate-limit-arp 100

This command configures the device to accept up to 100 ARP packets each second. If the device receives more than 100 ARP packets during a one-second interval, the device drops the additional ARP packets during the remainder of that one-second interval.
For example, if Proxy ARP is enabled on a Layer 3 Switch connected to two subnets, 10.10.10.0/24 and 20.20.20.0/24, the Layer 3 Switch can respond to an ARP request from 10.10.10.69 for the MAC address of the device with IP address 20.20.20.69. In standard ARP, a request from a device in the 10.10.10.0/24 subnet cannot reach a device in the 20.20.20.0 subnet if the subnets are on different network cables, and thus is not answered.

When Local Proxy ARP is enabled on a router port, the port will respond to ARP requests for IP addresses within the same subnet, if it has ARP entries for the destination IP addresses in the ARP cache. If it does not have ARP entries for the IP addresses, the port will attempt to resolve them by broadcasting its own ARP requests. Local Proxy ARP is disabled by default.
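The two ARP behaviours described above (the per-second rate-limit-arp acceptance limit, and whether a router port answers a request under standard ARP, Proxy ARP or Local Proxy ARP) modelled in Python. This is an added example, not Brocade code; the subnets, limit and cache contents are constructed, and the router's "reachable subnets" list stands in for its route table.

```python
"""Added example (not Brocade code): a simplified model of rate-limit-arp and of
the Proxy ARP / Local Proxy ARP reply decision described in the text."""
import ipaddress


class ArpRateLimiter:
    """Accept at most `limit` ARP packets per one-second interval; packets that
    arrive after the limit is reached are dropped for the rest of that second."""

    def __init__(self, limit):
        self.limit = limit
        self.window_start = None
        self.count = 0
        self.dropped = 0

    def accept(self, now):
        """Return True if an ARP packet arriving at time `now` (seconds) is accepted."""
        if self.window_start is None or now - self.window_start >= 1.0:
            # A new one-second interval starts: reset the counter.
            self.window_start = now
            self.count = 0
        if self.count < self.limit:
            self.count += 1
            return True
        self.dropped += 1
        return False


class RouterPort:
    """A router port with one IP subnet, an ARP cache, and proxy ARP settings
    (constructed model; both proxy modes default to disabled as on the switch)."""

    def __init__(self, subnet, proxy_arp=False, local_proxy_arp=False):
        self.subnet = ipaddress.ip_network(subnet)
        self.proxy_arp = proxy_arp
        self.local_proxy_arp = local_proxy_arp
        self.arp_cache = {}  # target IP string -> MAC string

    def answer_arp(self, target_ip, reachable_subnets):
        """Decide whether this port replies to an ARP request for target_ip.

        Returns 'no-reply', 'proxy-reply', 'local-proxy-reply' or
        'local-proxy-resolve' (the port first resolves the address itself).
        """
        target = ipaddress.ip_address(target_ip)
        if target in self.subnet:
            # Same subnet as the requester: standard ARP leaves it to the host.
            if not self.local_proxy_arp:
                return "no-reply"
            if target_ip in self.arp_cache:
                return "local-proxy-reply"
            # Not cached: the port broadcasts its own ARP request to resolve it.
            return "local-proxy-resolve"
        # Target is on another subnet: only Proxy ARP answers, and only when
        # the router has that subnet in its route table.
        if self.proxy_arp and any(target in ipaddress.ip_network(s)
                                  for s in reachable_subnets):
            return "proxy-reply"
        return "no-reply"
```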
• FWS, FCX, and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• ICX devices – slotnum/portnum
• FESX compact switches – portnum

Changing the maximum number of entries the static ARP table can hold

Table 168 on page 986 lists the default maximum and configurable maximum number of entries in the static ARP table that are supported on a Brocade Layer 3 Switch.
To configure these parameters, use the procedures in the following sections.

Changing the TTL threshold

The time to live (TTL) threshold prevents routing loops by specifying the maximum number of router hops an IP packet originated by the Layer 3 Switch can travel through. Each device capable of forwarding IP that receives the packet decrements (decreases) the packet TTL by one.
Disabling forwarding of IP source-routed packets

A source-routed packet specifies the exact router path for the packet. The packet specifies the path by listing the IP addresses of the router interfaces through which the packet must pass on its way to the destination. The Layer 3 Switch supports both types of IP source routing:
• Strict source routing – requires the packet to pass through only the listed routers.
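To make the source-routing options concrete, here is an added Python example (not Brocade code) that parses the IPv4 option area, recognises the strict (option type 137) and loose (option type 131) source route options, and applies a forward-or-drop decision mirroring a forwarder that has source-route forwarding disabled. The packets are constructed for the demonstration.

```python
"""Added example (not Brocade code): detect IPv4 source route options and decide
whether a forwarder with source-route forwarding disabled should drop the packet."""
import socket
import struct

IPOPT_END = 0
IPOPT_NOP = 1
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route


def parse_options(packet):
    """Return a list of (option_type, option_data) found in an IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts = packet[20:ihl]
    result = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_END:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return result


def source_route(packet):
    """Return ('strict'|'loose', [router addresses]) or None if not source-routed."""
    for kind, data in parse_options(packet):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            # data[0] is the pointer; the rest is the list of router addresses
            hops = [socket.inet_ntoa(data[j:j + 4]) for j in range(1, len(data) - 3, 4)]
            return ("strict" if kind == IPOPT_SSRR else "loose", hops)
    return None


def forward_decision(packet, forward_source_routed):
    """Forward normally, or drop source-routed packets when the feature is disabled."""
    sr = source_route(packet)
    if sr is None:
        return "forward"
    return "forward" if forward_source_routed else "drop:%s-source-route" % sr[0]


def build_ipv4(src, dst, options=b""):
    """Construct a minimal IPv4 header (no checksum) with options padded to 4 bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options


def ssrr_option(router_ips):
    """Construct a strict source route option listing the given routers."""
    addrs = b"".join(socket.inet_aton(ip) for ip in router_ips)
    return bytes([IPOPT_SSRR, 3 + len(addrs), 4]) + addrs
```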
Brocade(config)# ip broadcast-zero
Brocade(config)# write memory
Brocade(config)# end
Brocade# reload

NOTE
You must save the configuration and reload the software to place this configuration change into effect.

Syntax: [no] ip broadcast-zero

Disabling ICMP messages

Brocade devices are enabled to reply to ICMP echo messages and send ICMP Destination Unreachable messages by default.
• Protocol – The TCP or UDP protocol on the destination host is not running. This message is different from the Port Unreachable message, which indicates that the protocol is running on the host but the requested protocol port is unavailable.
• Source-route-failure – The device received a source-routed packet but cannot locate the next-hop IP address indicated in the packet Source-Route option.
NOTE
FESX and FSX devices do not generate ICMP redirect and network unreachable messages.

NOTE
The device forwards misdirected traffic to the appropriate router, even if you disable the redirect messages.
• Null – the static route consists of the destination network address and network mask, and the “null0” parameter. Typically, the null route is configured as a backup route for discarding traffic if the primary route is unavailable.

Static IP route parameters

When you configure a static IP route, you must specify the following parameters:
• The IP address and network mask for the route destination network.
Static route states follow port states

IP static routes remain in the IP route table only so long as the port or virtual interface used by the route is available. If the port or virtual routing interface becomes unavailable, the software removes the static route from the IP route table. If the port or virtual routing interface becomes available again later, the software adds the route back to the route table.
Brocade(config)# ip route 192.128.2.71 255.255.255.0 ve 3

The command in the following example configures an IP static route that uses port 2/2 as its next hop.

Brocade(config)# ip route 192.128.2.73 255.255.255.
Configuring a “Null” route

You can configure the Layer 3 Switch to drop IP packets to a specific network or host address by configuring a “null” (sometimes called “null0”) static route for the address. When the Layer 3 Switch receives a packet destined for the address, the Layer 3 Switch drops the packet instead of forwarding it. To configure a null static route, use the following CLI method.
Configuring load balancing and redundancy using multiple static routes to the same destination

You can configure multiple static IP routes to the same destination, for the following benefits:
• IP load sharing – If you configure more than one static route to the same destination, and the routes have different next-hop gateways but have the same metrics, the Layer 3 Switch load balances among the routes using basic round-robin.
Configuring standard static IP routes and interface or null static routes to the same destination

You can configure a null0 or interface-based static route to a destination and also configure a normal static route to the same destination, so long as the route metrics are different. When the Layer 3 Switch has multiple routes to the same destination, the Layer 3 Switch always prefers the route with the lowest metric.
[Figure: Standard and null routes to the same destination network. Two static routes to 192.168.7.0/24: a standard static route through gateway 192.168.6.157 with metric 1, and a null route with metric 2. Switch A has address 192.168.6.188/24; Switch B has addresses 192.168.6.157/24 and 192.168.7.7/24; a host has address 192.168.7.69/24. When the standard static route is good, Switch A uses that route. If the standard static route is unavailable, Switch A uses the null route (in effect dropping instead of forwarding the packets).]
FIGURE 115 Standard and interface routes to the same destination network

[Figure: Two static routes to 192.168.7.0/24: an interface-based route through Port1/1 with metric 1, and a standard static route through gateway 192.168.8.11 with metric 3. Switch A has address 192.168.8.12/24 on Port4/4 and 192.168.6.188/24 on Port1/1. When the route through interface 1/1 is available, Switch A always uses that route. 192.168.6.69/24 192.168.8.
Configuring a default network route

The Layer 3 Switch enables you to specify a candidate default route without the need to specify the next hop gateway. If the IP route table does not contain an explicit default route (for example, 0.0.0.0/0) or propagate an explicit default route through routing protocols, the software can use the default network route as a default route instead.
To verify that the route is in the route table, enter the following command at any level of the CLI.

Brocade# show ip route
Total number of IP routes: 2
Start index: 1 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
    Destination     NetMask         Gateway   Port  Cost  Type
1   209.157.20.0    255.255.255.0   0.0.0.0   lb1   1     D
2   209.157.22.0    255.255.255.0   0.0.0.0   4/11  1     *D

This example shows two routes.
• Routes learned through BGP4

Administrative distance for each IP route

The administrative distance is a unique value associated with each type (source) of IP route. Each path has an administrative distance. The administrative distance is not used when performing IP load sharing, but the administrative distance is used when evaluating multiple equal-cost paths to the same destination from different sources, such as RIP, OSPF and so on.
The source of a path cost value depends on the source of the path:
• IP static route – The value you assign to the metric parameter when you configure the route. The default metric is 1. Refer to “Configuring load balancing and redundancy using multiple static routes to the same destination” on page 996.
• RIP – The number of next-hop routers to the destination.
• OSPF – The Path Cost associated with the path.
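The route selection rules stated in the preceding sections (a static route leaves the table while its port is down, the lowest metric wins among routes to the same destination, a null route discards, equal-cost routes are used round-robin, and administrative distance separates sources) can be checked with the following added Python model. It is not Brocade code; the routes and port names reproduce the figures above, and the administrative distance values are constructed.

```python
"""Added example (not Brocade code): a small route table implementing the
selection order described in the text (longest prefix, then administrative
distance, then metric, then round-robin among equal-cost routes)."""
import ipaddress


class Route:
    """One route: standard (gateway + port), interface-based (port only) or null."""

    def __init__(self, prefix, metric=1, distance=1, gateway=None, port=None, null=False):
        self.prefix = ipaddress.ip_network(prefix)
        self.metric = metric          # path cost; static routes default to 1
        self.distance = distance      # administrative distance of the route source
        self.gateway = gateway
        self.port = port
        self.null = null

    def describe(self):
        if self.null:
            return "drop"
        if self.gateway:
            return "via %s on %s" % (self.gateway, self.port)
        return "out %s" % self.port


class RouteTable:
    def __init__(self):
        self.routes = []
        self.port_state = {}   # port name -> True (up) / False (down)
        self._rr = {}          # prefix -> round-robin counter

    def set_port(self, port, up):
        self.port_state[port] = up

    def add(self, route):
        self.routes.append(route)

    def usable(self, route):
        """Static routes follow port state: a route whose port is down is removed."""
        if route.null:
            return True
        return self.port_state.get(route.port, False)

    def lookup(self, dest):
        """Return the Route used for dest, or None if there is no usable route."""
        addr = ipaddress.ip_address(dest)
        cands = [r for r in self.routes if addr in r.prefix and self.usable(r)]
        if not cands:
            return None
        best_len = max(r.prefix.prefixlen for r in cands)
        cands = [r for r in cands if r.prefix.prefixlen == best_len]
        best_dist = min(r.distance for r in cands)
        cands = [r for r in cands if r.distance == best_dist]
        best_metric = min(r.metric for r in cands)
        cands = [r for r in cands if r.metric == best_metric]
        # Equal-cost paths from the same source: basic round-robin.
        key = cands[0].prefix
        i = self._rr.get(key, 0)
        self._rr[key] = i + 1
        return cands[i % len(cands)]
```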
• If the IP load forwarding cache does not contain a forwarding entry for the destination, the software selects a path from among the available equal-cost paths to the destination, then creates a forwarding entry in the cache based on the calculation. Subsequent traffic for the same destination uses the forwarding entry.
• If you leave the feature disabled globally but enable it on individual ports, you also can configure the IRDP parameters on an individual port basis.

NOTE
You can configure IRDP parameters only on an individual port basis. To do so, IRDP must be disabled globally and enabled only on individual ports. You cannot configure IRDP parameters if the feature is globally enabled.
This command enables IRDP on the IP interfaces on all ports. Each port uses the default values for the IRDP parameters. The parameters are not configurable when IRDP is globally enabled.

Enabling IRDP on an individual port

To enable IRDP on an individual interface and change IRDP parameters, enter commands such as the following.
Reverse Address Resolution Protocol configuration

The Reverse Address Resolution Protocol (RARP) provides a simple mechanism for directly-attached IP hosts to boot over the network. RARP allows an IP host that does not have a means of storing its IP address across power cycles or software reloads to query a directly-attached router for an IP address. RARP is enabled by default.
Disabling RARP

RARP is enabled by default. To disable RARP, enter the following command at the global CONFIG level.

Brocade(config)# no ip rarp

Syntax: [no] ip rarp

To re-enable RARP, enter the following command.

Brocade(config)# ip rarp

Creating static RARP entries

You must configure the RARP entries for the RARP table. The Layer 3 Switch can send an IP address in reply to a client RARP request only if you create a RARP entry for that client.
Configuring UDP broadcast and IP helper parameters

Some applications rely on client requests sent as limited IP broadcasts addressed to the UDP application port. If a server for the application receives such a broadcast, the server can reply to the client. Routers do not forward subnet directed broadcasts, so the client and server must be on the same network for the broadcast to reach the server.
Enabling forwarding for a UDP application

If you want the Layer 3 Switch to forward client requests for UDP applications that the Layer 3 Switch does not forward by default, you can enable forwarding support for the port. To enable forwarding support for a UDP application, use the following method. You also can disable forwarding for an application using this method.
Configuring an IP helper address

To forward a client broadcast request for a UDP application when the client and server are on different networks, you must configure a helper address on the interface connected to the client. Specify the server IP address or the subnet directed broadcast address of the IP subnet the server is in as the helper address. You can configure up to 16 helper addresses on each interface.
• Gateway address – The Layer 3 Switch places the IP address of the interface that received the BootP/DHCP request in the request packet Gateway Address field (sometimes called the Router ID field). When the server responds to the request, the server sends the response as a unicast packet to the IP address in the Gateway Address field.
Brocade(config)# interface ethernet 1/1
Brocade(config-if-1/1)# ip bootp-gateway 109.157.22.26

These commands change the CLI to the configuration level for port 1/1, then change the BootP/DHCP stamp address for requests received on port 1/1 to 192.157.22.26. The Layer 3 Switch will place this IP address in the Gateway Address field of BootP/DHCP requests that the Layer 3 Switch receives on port 1/1 and forwards to the BootP/DHCP server.
DHCP introduces the concept of a lease on an IP address. Refer to “How DHCP Client-Based Auto-Configuration and Flash image update works” on page 1030. The DHCP server can allocate an IP address for a specified amount of time, or can extend a lease for an indefinite amount of time. DHCP provides greater control of address distribution within a subnet. This feature is crucial if the subnet has more devices than available IP addresses.
DHCP Server options

A FastIron configured as a DHCP server can support up to 1000 DHCP clients, offering them the following options:
• NetBIOS over TCP/IP Name Server - Specifies a list of RFC1001/1002 NBNS name servers listed in order of preference.
• Domain Name Server - Specifies a list of Domain Name System (RFC 1035) name servers available to the client. Servers are listed in order of preference.
FIGURE 116 DHCP Server configuration flow chart

[Flow chart: classify the incoming message. If DHCP is enabled and there is a previous allocation in the DB for this host, reserve the previously allocated address; otherwise use the RX port number, the Ciaddr field and the Giaddr field to select the proper address pool, and if an address is available in the pool, reserve an address from it. Send the offer to the host and listen for a response; if the host responds, reserve the address, otherwise end. Host options requeste
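The gateway stamping described under “Gateway address” and the server-side pool selection from the Giaddr field in Figure 116, as an added Python example (not Brocade code). It builds a constructed DHCPDISCOVER, relays it the way the text describes (stamping giaddr with the receiving interface's address and counting hops), and picks the pool whose subnet contains giaddr; the pool names and subnets are constructed, and the RX port number and Ciaddr inputs from the flow chart are left out of this simplified model.

```python
"""Added example (not Brocade code): BootP/DHCP relay giaddr stamping and
giaddr-based address pool selection on a minimal RFC 2131 packet."""
import ipaddress
import socket
import struct

# Fixed BOOTP fields (RFC 2131 section 2): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)   # 236 bytes
GIADDR_INDEX = 10
HOPS_INDEX = 3
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_discover(chaddr, xid=0x3903F326):
    """Construct a DHCPDISCOVER as a client on the local LAN would broadcast it."""
    zero = b"\x00" * 4
    fixed = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                        zero, zero, zero, zero,
                        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    # Option 53 (DHCP message type) = 1 (DISCOVER), then the end option.
    return fixed + DHCP_MAGIC + bytes([53, 1, 1, 255])


def _fields(packet):
    if len(packet) < BOOTP_LEN:
        raise ValueError("short BOOTP packet")
    return list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))


def giaddr_of(packet):
    return socket.inet_ntoa(_fields(packet)[GIADDR_INDEX])


def hops_of(packet):
    return _fields(packet)[HOPS_INDEX]


def relay_request(packet, interface_ip, max_hops=4):
    """Stamp giaddr with the receiving interface address, unless an earlier relay
    already set it, and increment hops; returns the packet to forward to the server.
    The max_hops limit is an assumption of this model, not a documented value."""
    fields = _fields(packet)
    if fields[HOPS_INDEX] >= max_hops:
        raise ValueError("hop count exceeded; request dropped")
    fields[HOPS_INDEX] += 1
    if fields[GIADDR_INDEX] == b"\x00" * 4:
        fields[GIADDR_INDEX] = socket.inet_aton(interface_ip)
    return struct.pack(BOOTP_FMT, *fields) + packet[BOOTP_LEN:]


def select_pool(packet, pools, receiving_ip):
    """Choose the pool whose subnet contains giaddr; for a request that arrived
    directly (giaddr zero) use the subnet of the server interface that received it."""
    giaddr = giaddr_of(packet)
    key = ipaddress.ip_address(receiving_ip if giaddr == "0.0.0.0" else giaddr)
    for name, subnet in pools.items():
        if key in ipaddress.ip_network(subnet):
            return name
    return None
```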
Configuring DHCP Server on a device

Perform the following steps to configure the DHCP Server feature on your FastIron device:
1. Enable DHCP Server by entering a command similar to the following.
   Brocade(config)# ip dhcp-server enable
2. Create a DHCP Server address pool by entering a command similar to the following.
   Brocade(config)# ip dhcp-server pool cabo
3. Configure the DHCP Server address pool by entering commands similar to the following.
Default DHCP server settings

Table 171 shows the default DHCP server settings.
TABLE 173 DHCP Server CLI commands

Command: ip dhcp-server arp-ping-timeout <#>
Description: Specifies the time (in seconds) the server will wait for a response to an arp-ping packet before deleting the client from the binding database. The minimum setting is 5 seconds and the maximum time is 30 seconds.
NOTE: Do not alter the default value unless it is necessary. Increasing the value of this timer may increase the time to get console access after a reboot.
TABLE 173 DHCP Server CLI commands (Continued)

Command: netbios-name-server [ | ]
Description: Specifies the IP address of a NetBIOS WINS server or servers that are available to Microsoft DHCP clients. Refer to “Configuring the NetBIOS server for DHCP clients” on page 1023.

Command: network /
Description: Configures the subnet network and mask of the DHCP address pool.

Setting the wait time for ARP-ping response

At startup, the server reconciles the lease-binding database by sending an ARP-ping packet out to every client. If there is no response to the ARP-ping packet within a set amount of time (set in seconds), the server deletes the client from the lease-binding database. The minimum setting is 5 seconds and the maximum is 30 seconds.
• - The IP address of the DHCP server

This command assigns an IP address to the selected DHCP server.

Configuring the boot image

The bootfile command specifies a boot image name to be used by the DHCP client.

Brocade(config-dhcp-cabo)# bootfile foxhound

In this example, the DHCP client should use the boot image called “foxhound”.
Specifying addresses to exclude from the address pool

The excluded-address command specifies either a single address, or a range of addresses that are to be excluded from the address pool.

Brocade(config-dhcp-cabo)# excluded-address 101.2.3.
Configuring the TFTP server

The tftp-server command specifies the address or name of the TFTP server to be used by the DHCP clients. To configure a TFTP server by specifying its IP address, enter a command similar to the following.

Brocade(config-dhcp-cabo)# tftp-server 101.7.5.48

To configure a TFTP server by specifying its server name, enter a command similar to the following.

Brocade(config-dhcp-cabo)# tftp-server tftp.domain.
TABLE 174 CLI display of show ip dhcp-server binding command

Field: IP address – The IP addresses currently in the binding database
Field: Client ID/Hardware address – The hardware address for the client
Field: Lease expiration – The time when this lease will expire
Field: Type – The type of lease

Displaying address-pool information

This show ip dhcp-server address-pool command displays information about a specific address pool, or for all address pools.

TABLE 175 CLI display of show ip dhcp-server address pools command

Field: Pool name – The name of the address pool
Field: Time elapsed since last save – The time that has elapsed since the last save.
Field: Total number of active leases – The number of leases that are currently active.
Field: Address pool state – The state of the address pool (active or inactive).

TABLE 176 CLI display of show ip dhcp-server flash command

Field: IP address – The IP address of the flash memory lease-binding database
Field: Client-ID/Hardware address – The address of the client
Field: Lease expiration – The time when the lease will expire
Field: Type – The type of lease

Displaying summary DHCP server information

The show ip dhcp-server summary command displays information about active leases, deployed address-pools, undeployed address-pools, and

TABLE 177 CLI display of show ip dhcp-server summary command

Field: Total number of active leases – Indicates the number of leases that are currently active
Field: Total number of deployed address-pools – The number of address pools currently in use.
Field: Total number of undeployed address-pools – The number of address-pools being held in reserve.
Field: Server uptime – The amount of time that the server has been active.
2. If auto-update is enabled, the TFTP flash image is downloaded and updated. The device compares the filename of the requested flash image with the image stored in flash. If the filenames are different, then the device will download the new image from a TFTP server, write the downloaded image to flash, then reload the device or stack.
3.
• This feature is not supported together with DHCP snooping.

The following configuration rules apply to flash image update:
• To enable flash image update (ip dhcp-client auto-update enable command), also enable auto-configuration (ip dhcp-client enable command).
• The image filename to be updated must have the extension .bin.
• The DHCP option 067 bootfile name will be used for image update if it has the extension .bin.
FIGURE 118 The DHCP Client-Based Auto-Configuration steps

[Flow chart: IP address validation and lease negotiation. Legend: typical process (may change depending on environment); other possible events. Start at system boot/feature enable. Has IP address? If yes, static or dynamic address? If dynamic, the existing device asks the server if the dynamic address is valid (in pool and not leased); does the DHCP server respond? (4 tries); is the IP address valid? Dynamic IP is re-leased to syst
3. If the device has a dynamic address, the device asks the DHCP server to validate that address. If the server does not respond, the device will continue to use the existing address until the lease expires. If the server responds, and the IP address is outside of the DHCP address pool or has been leased to another device, it is automatically rejected, and the device receives a new IP address from the server.
The TFTP configuration download and update step

NOTE
This process only occurs when the client device reboots, or when Auto-Configuration has been disabled and then re-enabled.

1.
• 067 - bootfile name
• 150 - TFTP server IP address (private option, datatype = IP Address)

Configuration notes for DHCP servers

• When using DHCP on a router, if you have a DHCP address for one interface, and you want to connect to the DHCP server from another interface, you must disable DHCP on the first interface, then enable DHCP on the second interface.
The following example shows output from the show ip address command for a Layer 2 device.

Brocade(config)# show ip address
IP Address      Type     Lease Time  Interface
10.44.16.116    Dynamic  174         0/1/1

The following example shows output from the show ip address command for a Layer 3 device.

Brocade(config)# show ip address
IP Address      Type     Lease Time
10.44.3.233     Dynamic  672651
1.0.0.
Brocade(config)# show run
Current configuration:
!
ver 04.2.00b47T7e1
!
module 1 fgs-24-port-management-module
module 2 fgs-cx4-2-port-10g-module
module 3 fgs-xfp-1-port-10g-module
!
vlan 1 name DEFAULT-VLAN by port
!
ip dns domain-name test.com
ip dns server-address 10.44.3.111
interface ethernet 0/1/2
 ip address 10.44.3.233 255.255.255.0 dynamic
 ip dhcp-client lease 691109
!
interface ethernet 0/1/15
 ip address 1.0.0.1 255.0.0.0
 ip helper-address 1 10.44.3.
Configuring IP parameters – Layer 2 Switches

The following sections describe how to configure IP parameters on a Brocade Layer 2 Switch.

NOTE
This section describes how to configure IP parameters for Layer 2 Switches. For IP configuration information for Layer 3 Switches, refer to “Configuring IP parameters – Layer 3 Switches” on page 964.
NOTE
When configuring an IP address on a Layer 2 switch that has multiple VLANs, make sure the configuration includes a designated management VLAN that identifies the VLAN to which the global IP address belongs. Refer to “Designated VLAN for Telnet management sessions to a Layer 2 Switch” on page 120.
After you enter the command, a message indicating that the DNS query is in process and the current gateway address (IP address of the domain name server) being queried appear on the screen.

Type Control-c to abort
Sending DNS Query to 209.157.22.199
Tracing Route to IP node 209.157.22.80
To ABORT Trace Route, Please use stop-traceroute command.
Traced route to target IP node 209.157.22.80:
  IP Address      Round Trip Time1    Round Trip Time2
  207.95.6.
DHCP Assist configuration

DHCP Assist allows a Brocade Layer 2 Switch to assist a router that is performing multi-netting on its interfaces as part of its DHCP relay function. DHCP Assist ensures that a DHCP server that manages multiple IP subnets can readily recognize the requester IP subnet, even when that server is not on the client local LAN segment.
Configuring IP parameters – Layer 2 Switches For example, in Figure 120, a host from each of the four subnets supported on a Layer 2 Switch requests an IP address from the DHCP server. These requests are sent transparently to the router. Because the router is unable to determine the origin of each packet by subnet, it assumes the lowest IP address or the ‘primary address’ is the gateway for all ports on the Layer 2 Switch and stamps the request with that address.
Configuring IP parameters – Layer 2 Switches When the stamped DHCP discovery packet is then received at the router, it is forwarded to the DHCP server. The DHCP server then extracts the gateway address from each request and assigns an available IP address within the corresponding IP subnet (Figure 122). The IP address is then forwarded back to the workstation that originated the request.
IPv4 point-to-point GRE tunnels NOTE When DHCP Assist is enabled on any port, Layer 2 broadcast packets are forwarded by the CPU. Unknown unicast and multicast packets are still forwarded in hardware, although selective packets such as IGMP are sent to the CPU for analysis. When DHCP Assist is not enabled, Layer 2 broadcast packets are forwarded in hardware. Configuring DHCP Assist You can associate a gateway list with a port.
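The stamping step described above, worked through in Python as an added example (this is not Brocade's code and not part of this guide): a DHCP client request arriving on a port that has an associated gateway list is stamped with that port's gateway before the switch forwards it toward the router. The example assumes that the gateway address rides in the BOOTP giaddr field, which is the field a DHCP relay agent fills in and a DHCP server reads to select the subnet (RFC 2131 section 4.1), and that the first entry of the port's list is the one used; the port names, gateway addresses and the DHCPDISCOVER itself are constructed test data. A request that already carries a giaddr is left alone so that a relay agent's stamp is never overwritten.

```python
import socket
import struct

BOOTREQUEST = 1
GIADDR_OFFSET = 24        # op,htype,hlen,hops (4) + xid (4) + secs,flags (4) + ciaddr,yiaddr,siaddr (12)
FIXED_HEADER_LEN = 236    # BOOTP fixed header up to and including the 128-byte file field
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_discover(xid: int, client_mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER as a client broadcasts it: giaddr zero, broadcast flag set."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = b"\x35\x01\x01" + b"\xff"       # option 53 = DHCPDISCOVER, then End
    return fixed + DHCP_MAGIC + options


def gateway_of(packet: bytes) -> str:
    """The gateway address currently stamped in the request (0.0.0.0 if none)."""
    return socket.inet_ntoa(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def dhcp_assist(packet: bytes, ingress_port: str, gateway_lists: dict) -> bytes:
    """Stamp a client request with the gateway associated with its ingress port.
    Assumption (not stated by the guide): the stamp is the BOOTP giaddr field and
    the first entry of the port's gateway list is used."""
    end = FIXED_HEADER_LEN + 4
    if len(packet) < end or packet[FIXED_HEADER_LEN:end] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    if packet[0] != BOOTREQUEST:
        return packet                         # server replies are left untouched
    gateways = gateway_lists.get(ingress_port)
    if not gateways:
        return packet                         # DHCP Assist not configured on this port
    if packet[GIADDR_OFFSET:GIADDR_OFFSET + 4] != b"\0\0\0\0":
        return packet                         # already relayed; never overwrite giaddr
    giaddr = socket.inet_aton(gateways[0])
    return packet[:GIADDR_OFFSET] + giaddr + packet[GIADDR_OFFSET + 4:]


# Constructed gateway lists for two ports on different subnets (not from the guide).
GATEWAY_LISTS = {"1/1": ["192.168.10.1"], "1/2": ["192.168.20.1"]}

if __name__ == "__main__":
    discover = build_discover(0x3903F326, bytes.fromhex("0800093bd210"))
    print(gateway_of(dhcp_assist(discover, "1/1", GATEWAY_LISTS)))   # 192.168.10.1
```

Because the server trusts whatever giaddr arrives, a switch performing this stamping should only do so for requests received on ports it owns the gateway list for; that is what restricting the feature to configured ports achieves.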
IPv4 point-to-point GRE tunnels IPv4 GRE tunnel overview Generic Routing Encapsulation is described in RFC 2784. Generally, GRE provides a way to encapsulate arbitrary packets (payload packet) inside of a transport protocol, and transmit them from one tunnel endpoint to another. The payload is encapsulated in a GRE packet. The resulting GRE packet is then encapsulated in a delivery protocol, then forwarded to the tunnel destination.
IPv4 point-to-point GRE tunnels • Ver – 3 bits. The GRE protocol version. This field must be set to zero in this version. • Protocol Type – 16 bits. The Ethernet protocol type of the packet, as defined in RFC 1700. • Checksum (optional) – 16 bits. This field is optional. It contains the IP checksum of the GRE header and the payload packet. • Reserved (optional) – 16 bits. This field is optional. It is reserved for Brocade internal use.
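The encapsulation and header fields just described, worked through in Python as an added example (this is not Brocade code and not part of this guide): it builds a GRE header per RFC 2784, optionally with the Checksum and Reserved1 fields, wraps it in an IPv4 delivery header carrying protocol 47, and then performs the receive-side checks a terminating endpoint has to make before trusting the payload (delivery header checksum, protocol 47, Ver equal to 0, Reserved0 zero, GRE checksum when the C bit is set). The tunnel endpoint addresses 36.0.8.108 and 131.108.5.2 are the ones used in the configuration example later in this chapter; the inner packet is constructed test data. GRE carries no authentication: the checksum detects corruption, not a forged packet, so tunnel endpoints still need ACLs on who may send protocol 47 to them.

```python
import socket
import struct

# Values from RFC 2784
IPPROTO_GRE = 47          # delivery header protocol number
GRE_PROTO_IPV4 = 0x0800   # Protocol Type for an IPv4 payload packet
GRE_FLAG_C = 0x8000       # Checksum Present bit
GRE_RESERVED0 = 0x7FF8    # Reserved0 bits, must be zero
GRE_VER_MASK = 0x0007     # Ver field, must be zero


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071). Odd
    lengths are padded with a zero byte, as both IPv4 and GRE require."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = GRE_PROTO_IPV4, with_checksum: bool = False) -> bytes:
    """Encapsulate a payload packet: 4-byte GRE header, or 8 bytes with Checksum + Reserved1."""
    if not with_checksum:
        return struct.pack("!HH", 0, proto) + payload
    header = struct.pack("!HHHH", GRE_FLAG_C, proto, 0, 0)   # checksum zero while computing
    csum = ones_complement_checksum(header + payload)
    return struct.pack("!HHHH", GRE_FLAG_C, proto, csum, 0) + payload


def parse_gre(packet: bytes):
    """Validate a GRE header and return (protocol_type, payload).
    Raises ValueError for anything a conforming receiver must discard."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VER_MASK:
        raise ValueError("GRE version must be 0")
    if flags & GRE_RESERVED0:
        raise ValueError("Reserved0 bits set")
    header_len = 4
    if flags & GRE_FLAG_C:
        header_len = 8
        if len(packet) < 8:
            raise ValueError("truncated GRE header")
        # Summing header + payload including the transmitted checksum must give zero.
        if ones_complement_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
    return proto, packet[header_len:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def decapsulate(frame: bytes):
    """What the terminating endpoint does: verify the delivery IPv4 header, confirm it
    carries protocol 47, strip it and the GRE header, and return
    (delivery src, delivery dst, protocol type, payload packet)."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if ihl < 20 or total_len < ihl or len(frame) < total_len:
        raise ValueError("bad IPv4 length fields")
    if ones_complement_checksum(frame[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if frame[9] != IPPROTO_GRE:
        raise ValueError("delivery protocol is not GRE (47)")
    src = socket.inet_ntoa(frame[12:16])
    dst = socket.inet_ntoa(frame[16:20])
    proto, payload = parse_gre(frame[ihl:total_len])
    return src, dst, proto, payload


def is_valid_tunnel_packet(frame: bytes) -> bool:
    """True if decapsulate() accepts the frame, False if it must be dropped."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: an inner IPv4 packet tunnelled between the endpoints of the
    # configuration example (36.0.8.108 -> 131.108.5.2), with the GRE checksum enabled.
    inner = build_ipv4("10.10.3.1", "10.10.3.2", 17, b"hello")
    tunnelled = build_ipv4("36.0.8.108", "131.108.5.2", IPPROTO_GRE,
                           build_gre(inner, with_checksum=True))
    print(decapsulate(tunnelled)[3] == inner, len(tunnelled) - len(inner))
```

The 24-byte overhead the MTU note below refers to ((1500 or 10218) - 24) is the 20-byte delivery header plus the 4-byte GRE header without the optional checksum; enabling the checksum raises it to 28.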
IPv4 point-to-point GRE tunnels • When the new PMTUD value is smaller than all of the eight MTU values configured in the system, the PMTUD feature is disabled for the tunnel, and the value is not added to the system. For example, the new PMTUD value is 620 which is smaller in value than all of the eight, different MTU path values configured in the system.
IPv4 point-to-point GRE tunnels the destination endpoint of the tunnel. The router that terminates the tunnel (i.e., the router whose tunnel endpoint is the ingress interface) de-encapsulates the GRE-tunneled packet to retrieve the native multicast data packets. After de-encapsulation, data packets are forwarded toward their receivers, and control packets may be consumed. This creates a PIM-enabled virtual or logical link between the two GRE tunnel endpoints.
IPv4 point-to-point GRE tunnels For FastIron SX devices only, traffic coming from a tunnel can be filtered by an ACL both before and after the tunnel is terminated and also redirected by PBR after tunnel is terminated. An ACL classifies and sets QoS for GRE traffic. If the ACL or PBR is applied to the tunnel loopback port, it would apply to the inner IP packet header (the payload packet) after the tunnel is terminated.
IPv4 point-to-point GRE tunnels • When a GRE tunnel is configured, you cannot configure the same routing protocol on the tunnel through which you learn the route to the tunnel destination. For example, if the FastIron learns the tunnel destination route through the OSPF protocol, you cannot configure the OSPF protocol on the same tunnel and vice-versa. When a tunnel has OSPF configured, the FastIron cannot learn the tunnel destination route through OSPF. This could cause the system to become unstable.
IPv4 point-to-point GRE tunnels Configuration tasks for GRE tunnels Brocade recommends that you perform the configuration tasks in the order listed in Table 179.
IPv4 point-to-point GRE tunnels • Increasing the cost of routes learned on the port (CLI command ip metric) – for configuration details, refer to “Changing the cost of routes learned on a port” on page 1203. After performing the configuration steps listed in Table 179, you can view the GRE configuration and observe the routes that use GRE tunnels. For details, refer to “Displaying GRE tunneling information” on page 1059.
IPv4 point-to-point GRE tunnels The ethernet variable is the source slot (chassis devices only) and port number of the physical interface being configured for the specified tunnel, for example 3/1. The ve variable is the VE interface number being configured for the specified tunnel.
IPv4 point-to-point GRE tunnels Syntax: [no] tunnel mode gre ip • gre specifies that the tunnel will use GRE encapsulation (IP protocol 47). • ip specifies that the tunneling protocol is IPv4. NOTE Before configuring a new GRE tunnel, the system should have at least one slot available for adding the default tunnel MTU value to the system tables. Depending on the configuration, the default tunnel MTU range is ((1500 or 10218) - 24) .
IPv4 point-to-point GRE tunnels Applying an ACL or PBR to a tunnel interface on the SX-FI48GPP interface module To apply an ACL or PBR policy to a tunnel interface on the SX-FI48GPP interface module, enter commands such as the following: NOTE Configuration of tunnel loopback ports is not applicable on the SX-FI48GPP interface module.
IPv4 point-to-point GRE tunnels Changing the MTU value for a tunnel interface For important configuration considerations regarding this feature, refer to “GRE MTU configuration considerations” on page 1049. You can set an MTU value for packets entering the tunnel.
IPv4 point-to-point GRE tunnels Configuring GRE link keepalive When GRE tunnels are used in combination with static routing or policy-based routing, and a dynamic routing protocol such as RIP, BGP, or OSPF is not deployed over the GRE tunnel, a configured tunnel does not have the ability to bring down the line protocol of either tunnel endpoint, if the far end becomes unreachable. Traffic sent on the tunnel cannot follow alternate paths because the tunnel is always UP.
IPv4 point-to-point GRE tunnels To re-enable PMTUD after it has been disabled, enter the following command: Brocade(config-tnif-1)# no tunnel path-mtu-discovery disable Syntax: [no] tunnel path-mtu-discovery disable Changing the age timer for PMTUD By default, when PMTUD is enabled on a tunnel interface, the path MTU is reset to its original value every 10 minutes. If desired, you can change the reset time (default age timer) to a value of up to 30 minutes.
IPv4 point-to-point GRE tunnels Enabling PIM-SM on a GRE tunnel To enable PIM-SM on a GRE tunnel interface, enter commands such as the following: Brocade(config)# interface tunnel 10 Brocade(config-tnif-10)# ip pim-sparse Syntax: [no] ip pim-sparse Use the no form of the command to disable PIM-SM on the tunnel interface.
IPv4 point-to-point GRE tunnels
Configuring point-to-point GRE tunnel for FastIron A
Brocade(config)# interface ethernet 3/1
Brocade(config-if-e1000-3/1)# ip address 36.0.8.108/24
Brocade(config-if-e1000-3/1)# exit
Brocade(config)# interface tunnel 1
Brocade(config-tnif-1)# tunnel source 36.0.8.108
Brocade(config-tnif-1)# tunnel destination 131.108.5.2
Brocade(config-tnif-1)# tunnel mode gre ip
Brocade(config-tnif-1)# tunnel loopback 4/1
Brocade(config-tnif-1)# ip address 10.10.3.
IPv4 point-to-point GRE tunnels Syntax: show ip interface The show ip route command displays routes that are pointing to a GRE tunnel as shown in the following example. Brocade# show ip route Total number of IP routes: 3, avail: 79996 (out of max 80000) B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default Destination NetMask Gateway Port 1 7.1.1.0 255.255.255.0 0.0.0.0 7 2 7.1.2.0 255.255.255.0 7.1.1.3 7 3 10.34.3.0 255.255.255.0 0.0.0.
IPv4 point-to-point GRE tunnels TABLE 180 CLI display of show interface tunnel command (Continued) Field Definition Tunnel loopback The tunnel loopback port for the tunnel (if applicable). Port name The port name (if applicable). Internet address The internet address. MTU The maximum transmission unit. encapsulation GRE GRE encapsulation is enabled on the port. Keepalive Indicates whether or not GRE link keepalive is enabled.
IPv4 point-to-point GRE tunnels TABLE 181 CLI display of show ip tunnel traffic command Field Description Tunnel Status Indicates whether the tunnel is up or down. Possible values are: • Up/Up – The tunnel and line protocol are up. • Up/Down – The tunnel is up and the line protocol is down. • Down/Up – The tunnel is down and the line protocol is up. • Down/Down – The tunnel and line protocol are down.
IPv4 point-to-point GRE tunnels The following shows an example output of the show ip pim nbr command. The line in bold shows the GRE tunnel-specific information. Brocade# show ip pim nbr Total number of neighbors: 1 on 1 ports Port Phy_p Neighbor Holdtime Age tn1 tn1:e2 1.1.1.20 180 60 UpTime 1740 Syntax: show ip pim nbr The following shows an example output of the show ip pim mcache command. The line in bold shows the GRE tunnel-specific information. Brocade# show ip pim mcache 230.1.1.1 1 (10.10.10.
Displaying IP configuration information and statistics
Brocade(config-tnif-10)# show ip mtu
idx  size   usage  ref-count
0    10218  1      default
1    800    0      1
2    900    0      1
3    750    0      1
4    10194  1      1
5    10198  0      1
Syntax: show ip mtu
Clearing GRE statistics
Use the clear ip tunnel command to clear statistics related to GRE tunnels. To clear GRE tunnel statistics, enter a command such as the following.
Displaying IP configuration information and statistics Changing the network mask display to prefix format By default, the CLI displays network masks in classical IP address format (example: 255.255.255.0). You can change the displays to prefix format (example: /18) on a Layer 3 Switch or Layer 2 Switch using the following CLI method. NOTE This option does not affect how information is displayed in the Web Management Interface.
Displaying IP configuration information and statistics Displaying global IP configuration information To display IP configuration information, enter the following command at any CLI level. Brocade# show ip Global Settings ttl: 64, arp-age: 10, bootp-relay-max-hops: 4 router-id : 207.95.11.128 enabled : UDP-Broadcast-Forwarding IRDP Proxy-ARP RARP OSPF disabled: BGP4 Load-Sharing RIP DVMRP FSRP VRRP Static Routes Index IP Address Subnet Mask Next Hop Router Metric Distance 1 0.0.0.0 0.0.0.0 209.157.23.
Displaying IP configuration information and statistics TABLE 182 CLI display of global IP configuration information – Layer 3 Switch (Continued) Field Description Next Hop Router The IP address of the router interface to which the Brocade router sends packets for the route. Metric The cost of the route. Usually, the metric represents the number of hops to the destination. Distance The administrative distance of the route.
Displaying IP configuration information and statistics
Brocade# show process cpu
Process Name  5Sec(%)  1Min(%)  5Min(%)  15Min(%)
ACL           0.00     0.00     0.00     0.00
ARP           0.01     0.01     0.01     0.01
BGP           0.00     0.00     0.00     0.00
DOT1X         0.00     0.00     0.00     0.00
GVRP          0.00     0.00     0.00     0.00
ICMP          0.00     0.00     0.00     0.00
IP            0.00     0.00     0.00     0.00
L2VLAN        0.01     0.00     0.00     0.01
OSPF          0.00     0.00     0.00     0.00
RIP           0.00     0.00     0.00     0.00
STP           0.00     0.00     0.00     0.00
VRRP          0.00     0.00     0.00     0.
Displaying IP configuration information and statistics When you specify how many seconds’ worth of statistics you want to display, the software selects the sample that most closely matches the number of seconds you specified. In this example, statistics are requested for the previous two seconds. The closest sample available is actually for the previous 1 second plus 80 milliseconds. Syntax: show process cpu [] The parameter specifies the number of seconds and can be from 1 through 900.
Displaying IP configuration information and statistics To display detailed IP information for a specific interface, enter a command such as the following. Brocade# show ip interface ethernet 1/1 Interface Ethernet 1/1 port state: UP ip address: 192.168.9.51 subnet mask: 255.255.255.0 encapsulation: ETHERNET, mtu: 1500, metric: 1 directed-broadcast-forwarding: disabled proxy-arp: disabled ip arp-age: 10 minutes Ip Flow switching is disabled No Helper Addresses are configured.
Displaying IP configuration information and statistics NOTE The parameter and parameter perform different operations. The parameter specifies the network mask for a specific IP address, whereas the parameter provides a filter for displaying multiple MAC addresses that have specific values in common. The parameter lets you display the table beginning with a specific entry number.
Displaying IP configuration information and statistics
Displaying the static ARP table
To display the static ARP table instead of the ARP cache, enter the following command at any CLI level.
Brocade# show ip static-arp
Static ARP table size: 512, configurable from 512 to 1024
Index  IP Address    MAC Address     Port
1      207.95.6.111  0800.093b.d210  1/1
3      207.95.6.123  0800.093b.d211  1/1
This example shows two static entries.
Displaying IP configuration information and statistics TABLE 185 CLI display of static ARP table Field Description Static ARP table size The maximum number of static entries that can be configured on the device using the current memory allocation. The range of valid memory allocations for static ARP entries is listed after the current allocation. To change the memory allocation for static ARP entries, refer to “Changing the maximum number of entries the static ARP table can hold” on page 986.
Displaying IP configuration information and statistics TABLE 186 CLI display of IP forwarding cache – Layer 3 Switch (Continued) Field Description Type The type of host entry, which can be one or more of the following: • D – Dynamic • P – Permanent • F – Forward • U – Us • C – Complex Filter • W – Wait ARP • I – ICMP Deny • K – Drop • R – Fragment • S – Snap Encap Port The port through which this device reaches the destination.
Displaying IP configuration information and statistics The bgp option displays the BGP4 routes. The direct option displays only the IP routes that are directly attached to the Layer 3 Switch. The ospf option displays the OSPF routes. The rip option displays the RIP routes. The static option displays only the static IP routes. The default routes are displayed first. Here is an example of how to use the direct option.
Displaying IP configuration information and statistics
Example
Brocade# show ip route summary
IP Routing Table - 35 entries:
  6 connected, 28 static, 0 RIP, 1 OSPF, 0 BGP, 0 ISIS, 0 MPLS
Number of prefixes:
  /0: 1  /16: 27  /22: 1  /24: 5  /32: 1
Syntax: show ip route summary
In this example, the IP route table contains 35 entries. Of these entries, 6 are directly connected devices, 28 are static routes, and 1 route was calculated through OSPF.
Displaying IP configuration information and statistics Clearing IP routes If needed, you can clear the entire route table or specific individual routes. To clear all routes from the IP route table, enter the following command. Brocade# clear ip route To clear route 209.157.22.0/24 from the IP routing table, enter the clear ip route command. Brocade# clear ip route 209.157.22.
Displaying IP configuration information and statistics The show ip traffic command displays the following information. TABLE 188 CLI display of IP traffic statistics – Layer 3 Switch Field Description IP statistics received The total number of IP packets received by the device. sent The total number of IP packets originated and sent by the device. forwarded The total number of IP packets received by the device and forwarded to other devices.
Displaying IP configuration information and statistics TABLE 188 CLI display of IP traffic statistics – Layer 3 Switch (Continued) Field Description received The number of UDP packets received by the device. sent The number of UDP packets sent by the device. no port The number of UDP packets dropped because they did not have a valid UDP port number. input errors This information is used by Brocade customer support.
Displaying IP configuration information and statistics TABLE 188 CLI display of IP traffic statistics – Layer 3 Switch (Continued) Field Description resp from loopback The number of RIP responses received from loopback interfaces. packets rejected This information is used by Brocade customer support.
Displaying IP configuration information and statistics TABLE 189 CLI display of global IP configuration information – Layer 2 Switch Field Description Configuration filename The name under which the Layer 2 Switch startup-config file was uploaded or downloaded during the most recent TFTP access. Image filename The name of the Layer 2 Switch flash image (system software file) that was uploaded or downloaded during the most recent TFTP access.
Displaying IP configuration information and statistics Displaying IP traffic statistics To display IP traffic statistics on a Layer 2 Switch, enter the show ip traffic command at any CLI level.
Displaying IP configuration information and statistics TABLE 191 CLI display of IP traffic statistics – Layer 2 Switch (Continued) Field Description ICMP statistics The ICMP statistics are derived from RFC 792, “Internet Control Message Protocol”, RFC 950, “Internet Standard Subnetting Procedure”, and RFC 1256, “ICMP Router Discovery Messages”. Statistics are organized into Sent and Received. The field descriptions below apply to each.
Disabling IP checksum check TABLE 191 CLI display of IP traffic statistics – Layer 2 Switch (Continued) Field Description passive resets The number of TCP connections this device reset because the device at the other end of the connection sent a TCP RESET message. input errors This information is used by Brocade customer support. in segments The number of TCP segments received by the device. out segments The number of TCP segments sent by the device.
Disabling IP checksum check
Brocade(config)# no disable-hw-ip-checksum-check ethernet 13
disable-hw-ip-checksum-check cleared for ports 13 to 24
NOTE The port range can be any consecutive range of ports; it need not be a decimal number. Syntax: [no] disable-hw-ip-checksum-check ethernet NOTE This command only functions on the IPv4 platform. While the check is disabled, the hardware no longer validates the IPv4 header checksum of packets received on those ports, so corrupted or deliberately malformed headers are not rejected at that stage; re-enable the check as soon as the device that required the exception is gone.
Disabling IP checksum check 1086 FastIron Configuration Guide 53-1002494-02
Chapter 27 Spanning Tree Protocol Table 192 lists the individual Brocade FastIron switches and the Spanning Tree Protocol (STP) features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted. TABLE 192 Supported STP features Feature FESX FSX 800 FSX 1600 FWS FCX ICX 6610 ICX 6430 ICX 6450 802.1s Multiple Spanning Tree Yes Yes Yes Yes Yes 802.
Standard STP parameter configuration Standard STP parameter configuration Brocade Layer 2 Switches and Layer 3 Switches support standard STP as described in the IEEE 802.1D specification. STP is enabled by default on Layer 2 Switches but disabled by default on Layer 3 Switches. By default, each port-based VLAN on a Brocade device runs a separate spanning tree (a separate instance of STP). A Brocade device has one port-based VLAN (VLAN 1) by default that contains all the device ports.
Standard STP parameter configuration TABLE 194 Default STP bridge parameters (Continued) Parameter Description Default and valid values Hello Time The interval of time between each configuration BPDU sent by the root bridge. 2 seconds Possible values: 1 – 10 seconds Priority A parameter used to identify the root bridge in a spanning tree (instance of STP). The bridge with the lowest value has the highest priority and is the root.
Standard STP parameter configuration NOTE The CLI converts the STP groups into topology groups when you save the configuration. For backward compatibility, you can still use the STP group commands. However, the CLI converts the commands into the topology group syntax. Likewise, the show stp-group command displays STP topology groups. Enabling or disabling STP globally Use the following method to enable or disable STP on a device on which you have not configured port-based VLANs.
Standard STP parameter configuration Changing STP bridge and port parameters Table 194 on page 1088 and Table 195 on page 1089 list the default STP parameters. If you need to change the default value for an STP parameter, use the following procedures. Changing STP bridge parameters NOTE If you plan to change STP bridge timers, Brocade recommends that you stay within the following ranges, from section 8.10.2 of the IEEE STP specification.
Standard STP parameter configuration You can specify some or all of these parameters on the same command line. If you specify more than one parameter, you must specify them in the order shown above, from left to right. Changing STP port parameters To change the path and priority costs for a port, enter commands such as the following.
Standard STP parameter configuration In some instances, it is unnecessary for a connected device, such as an end station, to initiate or participate in an STP topology change. In this case, you can enable the STP Protection feature on the Brocade port to which the end station is connected. STP Protection disables the connected device ability to initiate or participate in an STP topology change, by dropping all BPDUs received from the connected device.
Standard STP parameter configuration
Brocade#show stp-protect
Port ID  BPDU Drop Count
3        478
5        213
6        0
12       31
To view STP Protection configuration for a specific port, enter the following command at any level of the CLI.
Brocade#show stp-protect e 3
STP-protect is enabled on port 3. BPDU drop count is 478
If you enter the show stp-protect command for a port that does not have STP protection enabled, the following message displays on the console.
Standard STP parameter configuration Displaying STP information for an entire device To display STP information, enter the following command at any level of the CLI. Brocade#show span VLAN 1 BPDU cam_index is 3 and the Master DMA Are(HEX) STP instance owned by VLAN 1 Global STP (IEEE 802.
Standard STP parameter configuration TABLE 196 CLI display of STP information Field Description Global STP parameters VLAN ID The port-based VLAN that contains this spanning tree (instance of STP). VLAN 1 is the default VLAN. If you have not configured port-based VLANs on this device, all STP information is for VLAN 1. Root ID The ID assigned by STP to the root bridge for this spanning tree. Root Cost The cumulative cost from this bridge to the root bridge.
Standard STP parameter configuration TABLE 196 CLI display of STP information (Continued) Field State Description The port STP state. The state can be one of the following: BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop. The device or VLAN can reach the root bridge using another port, whose state is FORWARDING. When a port is in this state, the port does not transmit or receive user frames, but the port does continue to receive STP BPDUs.
Standard STP parameter configuration
Brocade#show process cpu
The system has only been up for 6 seconds.
Process Name  5Sec(%)  1Min(%)  5Min(%)  15Min(%)  Runtime(ms)
ARP           0.01     0.00     0.00     0.00      0
BGP           0.00     0.00     0.00     0.00      0
GVRP          0.00     0.00     0.00     0.00      0
ICMP          0.01     0.00     0.00     0.00      1
IP            0.00     0.00     0.00     0.00      0
OSPF          0.00     0.00     0.00     0.00      0
RIP           0.00     0.00     0.00     0.00      0
STP           0.00     0.00     0.00     0.00      0
VRRP          0.00     0.00     0.00     0.00      0
To display utilization statistics for a specific number of seconds, enter a command such as the following.
Standard STP parameter configuration Brocade#show vlans Total PORT-VLAN entries: 2 Maximum PORT-VLAN entries: 16 legend: [S=Slot] PORT-VLAN Untagged Untagged Untagged Untagged Tagged Uplink 1, Name DEFAULT-VLAN, Priority level0, Spanning tree On Ports: (S3) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Ports: (S3) 17 18 19 20 21 22 23 24 Ports: (S4) 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Ports: (S4) 18 19 20 21 22 23 24 Ports: None Ports: None PORT-VLAN Untagged Untagged Tagged Uplink 2, Name greenwell, Prior
Standard STP parameter configuration NOTE The line in the above output, VLAN 1 - MULTIPLE SPANNING TREE (MSTP) ACTIVE, is not the 802.1s standard. It is the same Global STP (IEEE 802.1D) type as shown in the output of the show span CLI command. If a port is disabled, the only information shown by this command is “DISABLED”. If a port is enabled, this display shows the following information. Syntax: show span detail [vlan [ethernet | ] The vlan parameter specifies a VLAN.
Standard STP parameter configuration TABLE 197 CLI display of detailed STP information for ports (Continued) Field Description Port number and STP state The internal port number and the port STP state. The internal port number is one of the following: • The port interface number, if the port is the designated port for the LAN. • The interface number of the designated port from the received BPDU, if the interface is not the designated port for the LAN.
Standard STP parameter configuration Displaying detailed STP information for a single port in a specific VLAN Enter a command such as the following to display STP information for an individual port in a specific VLAN.
STP feature configuration The STP information is shown in bold type in this example.
STP feature configuration This slow convergence is undesirable and unnecessary in some circumstances. The Fast Port Span feature allows certain ports to enter the forwarding state in four seconds. Specifically, Fast Port Span allows faster convergence on ports that are attached to end stations and thus do not present the potential to cause Layer 2 forwarding loops.
STP feature configuration NOTE The fast port-span command has additional parameters that let you exclude specific ports. These parameters are shown in the following section. To re-enable Fast Port Span, enter the following commands. Brocade(config)#fast port-span Brocade(config)#write memory Excluding specific ports from fast port span To exclude a port from Fast Port Span while leaving Fast Port Span enabled globally, enter commands such as the following.
STP feature configuration Disabling and then re-enabling Fast Port Span clears the exclude settings and thus enables Fast Port Span on all eligible ports. To make sure Fast Port Span remains enabled on the ports following a system reset, save the configuration changes to the startup-config file after you re-enable Fast Port Span. Otherwise, when the system resets, those ports will again be excluded from Fast Port Span.
STP feature configuration NOTE Use caution when changing the spanning tree priority. If the switch becomes the root bridge, Fast Uplink Span will be disabled automatically. Fast Uplink Span Rules for Trunk Groups If you add a port to a Fast Uplink Span group that is a member of a trunk group, the following rules apply: • If you add the primary port of a trunk group to the Fast Uplink Span group, all other ports in the trunk group are automatically included in the group.
STP feature configuration To remove a Fast Uplink Span group or to remove individual ports from a group, use “no” in front of the appropriate fast uplink-span command. For example, to remove ports 4/3 and 4/4 from the Fast Uplink Span group configured above, enter the following commands: Brocade(config)# no fast uplink-span ethernet 4/3 to 4/4 Brocade(config)# write memory To check the status of ports with Fast Uplink Span enabled.
STP feature configuration
Port STP Parameters:
Port   Prio  Path  State      Fwd    Design  Designated        Designated
Num    rity  Cost             Trans  Cost    Root              Bridge
       Hex
1/1/1  80    4     LISTENING  0      0       8000000011111111  8000000011111111
Syntax: show span vlan fast-uplink-span
The VLAN parameter displays Fast Uplink Span information for the specified VLAN.
802.1W Rapid Spanning Tree (RSTP)
Earlier implementation by Brocade of Rapid Spanning Tree Protocol (RSTP), which was 802.
STP feature configuration
Unique roles are assigned to ports on the root and non-root bridges. Role assignments are based on the following information contained in the Rapid Spanning Tree Bridge Protocol Data Unit (RST BPDU):
• Root bridge ID
• Path cost value
• Transmitting bridge ID
• Designated port ID
The 802.1W algorithm uses this information to determine if the RST BPDU received by a port is superior to the RST BPDU that the port transmits. The fields are compared in the order listed, and at each step the numerically lower value wins; later fields are consulted only when the earlier ones are equal.
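The comparison just described, together with the STP Protection behaviour from "Standard STP parameter configuration" earlier in this chapter, worked through in Python as an added example (this is not Brocade's implementation and not part of this guide): it parses a Configuration or RST BPDU from its wire layout, compares the received priority vector with the one the port transmits in the order listed above, and models a port with STP Protection enabled, which drops every received BPDU and increments its BPDU drop count instead of evaluating it. The root bridge ID 8000000011111111 is the one shown in this chapter's show span output; the end-station BPDU claiming priority 0 and the flag values are constructed test data.

```python
import struct
from dataclasses import dataclass

BPDU_TYPE_CONFIG = 0x00   # 802.1D Configuration BPDU (protocol version 0)
BPDU_TYPE_TCN = 0x80      # 802.1D Topology Change Notification
BPDU_TYPE_RST = 0x02      # 802.1w Rapid Spanning Tree BPDU (protocol version 2)


@dataclass(frozen=True)
class Bpdu:
    version: int
    bpdu_type: int
    flags: int
    root_id: int          # 16-bit priority followed by the 48-bit bridge MAC
    root_path_cost: int
    bridge_id: int        # ID of the transmitting bridge
    port_id: int          # designated port ID of the transmitter
    message_age: int      # timers are carried in units of 1/256 second
    max_age: int
    hello_time: int
    forward_delay: int

    def priority_vector(self):
        """The four fields listed above, in the order 802.1w compares them."""
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)


def format_bridge_id(bridge_id: int) -> str:
    """Render as the CLI does, e.g. 8000000011111111 (priority 0x8000, MAC 0000.1111.1111)."""
    return "%04x%012x" % (bridge_id >> 48, bridge_id & 0xFFFFFFFFFFFF)


def build_bpdu(b: Bpdu) -> bytes:
    """Wire layout: 35 bytes for a Configuration BPDU; an RST BPDU appends the
    one-byte Version 1 Length field, which is always 0."""
    data = struct.pack("!HBBBQIQHHHHH", 0, b.version, b.bpdu_type, b.flags,
                       b.root_id, b.root_path_cost, b.bridge_id, b.port_id,
                       b.message_age, b.max_age, b.hello_time, b.forward_delay)
    if b.bpdu_type == BPDU_TYPE_RST:
        data += b"\x00"
    return data


def parse_bpdu(data: bytes) -> Bpdu:
    if len(data) < 4:
        raise ValueError("truncated BPDU")
    protocol_id, version, bpdu_type = struct.unpack("!HBB", data[:4])
    if protocol_id != 0:
        raise ValueError("protocol identifier is not spanning tree")
    if bpdu_type == BPDU_TYPE_TCN:
        raise ValueError("TCN BPDU carries no priority vector")
    if bpdu_type not in (BPDU_TYPE_CONFIG, BPDU_TYPE_RST) or len(data) < 35:
        raise ValueError("unsupported or truncated BPDU")
    fields = struct.unpack("!BQIQHHHHH", data[4:35])
    return Bpdu(version, bpdu_type, *fields)


def is_superior(received: Bpdu, transmitted: Bpdu) -> bool:
    """A received BPDU is superior when its priority vector is lower, compared
    field by field: root ID, then path cost, then bridge ID, then port ID."""
    return received.priority_vector() < transmitted.priority_vector()


class Port:
    """One switch port. With STP Protection enabled (the guide's stp-protect),
    every received BPDU is dropped and counted instead of being evaluated."""

    def __init__(self, port_id: int, transmitted: Bpdu, stp_protect: bool = False):
        self.port_id = port_id
        self.transmitted = transmitted      # the BPDU this port sends as designated port
        self.stp_protect = stp_protect
        self.bpdu_drop_count = 0

    def receive(self, frame: bytes):
        """Returns (bpdu, superior), or (None, False) when the frame was dropped."""
        if self.stp_protect:
            self.bpdu_drop_count += 1
            return None, False
        bpdu = parse_bpdu(frame)
        return bpdu, is_superior(bpdu, self.transmitted)


# Constructed sample data. ROOT matches the designated root in the show span output.
ROOT = 0x8000000011111111
# flags 0x7C: designated port role, learning, forwarding, agreement
OWN_BPDU = Bpdu(2, BPDU_TYPE_RST, 0x7C, ROOT, 0, ROOT, 0x8001,
                0, 20 * 256, 2 * 256, 15 * 256)
# An end station advertising priority 0 with an arbitrary MAC: a lower root ID than ours.
ROGUE_BPDU = Bpdu(2, BPDU_TYPE_RST, 0x7C, 0x000000AABBCCDDEE, 0,
                  0x000000AABBCCDDEE, 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)

if __name__ == "__main__":
    unprotected, protected = Port(3, OWN_BPDU), Port(3, OWN_BPDU, stp_protect=True)
    print(unprotected.receive(build_bpdu(ROGUE_BPDU))[1])   # True: topology would change
    protected.receive(build_bpdu(ROGUE_BPDU))
    print(protected.bpdu_drop_count)                         # 1: dropped and counted
```

Without protection the end station's BPDU wins on the very first field, which is exactly the topology change the feature exists to prevent; with protection the port never evaluates it, and the drop count is what show stp-protect reports.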
STP feature configuration The following example (Figure 126) explains role assignments in a simple RSTP topology. NOTE All examples in this document assume that all ports in the illustrated topologies are point-to-point links and are homogeneous (they have the same path cost value) unless otherwise specified. The topology in Figure 126 contains four bridges. Switch 1 is the root bridge since it has the lowest bridge priority. Switch 2 through Switch 4 are non-root bridges. FIGURE 126 Simple 802.
STP feature configuration Similarly Switch 3 has a bridge priority value inferior to Switch 2. Port3 on Switch 3 connects to Port 3 on Switch 2. This port will be given the Alternate port role, since a Root port is already established on this bridge. Assignment of ports on Switch 4 Switch 4 is not directly connected to the root bridge. It has two ports with superior incoming RST BPDUs from two separate LANs: Port3 and Port4.
STP feature configuration The 802.1W protocol can auto-detect an Edge port and a non-edge port. An administrator can also configure a port to be an Edge port using the CLI. It is recommended that Edge ports are configured explicitly to take advantage of the Edge port feature, instead of allowing the protocol to auto-detect them. Point-to-point ports To take advantage of the 802.1W features, ports on an 802.1W topology should be explicitly configured as point-to-point links using the CLI.
STP feature configuration A port on a non-root bridge with a Designated role starts in the discarding state. When that port becomes elected to the Root port role, 802.1W quickly places it into a forwarding state. However, if the Designated port is an Edge port, then the port starts and stays in a forwarding state and it cannot be elected as a Root port. A port with an Alternate or Backup role is always in a discarding state.
STP feature configuration • Port Protocol Migration – This state machine deals with compatibility with 802.1D bridges. When a legacy BPDU is detected on a port, this state machine configures the port to transmit and receive legacy BPDUs and operate in the legacy mode. • Topology Change – This state machine detects, generates, and propagates topology change notifications. It acknowledges Topology Change Notice (TCN) messages when operating in 802.1D mode.
STP feature configuration • Proposing – The Designated port on the root bridge sends an RST BPDU packet to its peer port that contains a proposal flag. The proposal flag is a signal that indicates that the Designated port is ready to put itself in a forwarding state (Figure 129). The Designated port continues to send this flag in its RST BPDU until it is placed in a forwarding state (Figure 132) or is forced to operate in 802.1D mode. (Refer to “Compatibility of 802.1W with 802.1D” on page 1136).
STP feature configuration • Sync – Once the Root port is elected, it sets a sync signal on all the ports on the bridge. The signal tells the ports to synchronize their roles and states (Figure 130). Ports that are non-edge ports with a role of Designated port change into a discarding state. These ports have to negotiate with their peer ports to establish their new roles and states.
STP feature configuration • Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced. The Root port monitors the synced signals from all the bridge ports. Once all bridge ports assert a synced signal, the Root port asserts its own synced signal (Figure 131).
STP feature configuration • Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state. When the peer Designated port receives the RST BPDU, it rapidly transitions into a forwarding state.
Handshake when a root port has been elected
If a non-root bridge already has a Root port, 802.1W uses a different type of handshake. For example, in Figure 133, a new root bridge is added to the topology.
• Proposing and Proposed – The Designated port on the new root bridge (Port4/Switch 60) sends an RST BPDU that contains a proposing signal to Port4/Switch 200 to inform the port that it is ready to put itself in a forwarding state (Figure 134). The 802.1W algorithm determines that the RST BPDU Port4/Switch 200 received is superior to what it can generate, so Port4/Switch 200 assumes the Root port role.
• Sync and Reroot – The Root port then asserts a sync and a reroot signal on all the ports on the bridge. The signal tells the ports that a new Root port has been assigned and that they must renegotiate their roles and states. The other ports on the bridge assert their sync and reroot signals. Information about the old Root port is discarded from all ports. Designated ports change into discarding states (Figure 135).
• Sync and Rerooted – When the ports on Switch 200 have completed the reroot phase, they assert their rerooted signals and continue to assert their sync signals while they remain in their discarding states. They also continue to negotiate their roles and states with their peer ports (Figure 136).
• Synced and Agree – When all the ports on the bridge assert their synced signals, the new Root port asserts its own synced signal and sends an RST BPDU containing an agreed flag to Port4/Switch 60 (Figure 136). The Root port also moves into a forwarding state.
The Designated port on Switch 60 goes into a forwarding state once it receives the RST BPDU with the agreed flag.
Convergence at start up
In Figure 139, two bridges, Switch 2 and Switch 3, are powered up. There is a point-to-point connection between Port3/Switch 2 and Port3/Switch 3.
FIGURE 139 Convergence between two bridges (figure: Switch 2, bridge priority 1500, Port3 Designated port; Switch 3, bridge priority 2000, Port3 Root port)
At power up, all ports on Switch 2 and Switch 3 assume Designated port roles and are in discarding states before they receive any RST BPDU.
Next, Switch 1 is powered up (Figure 140).
Port2/Switch 2 also sends an RST BPDU with an agreed flag to Port2/Switch 1, confirming that Port2 is the new Root port. Both ports go into forwarding states. Port3/Switch 3 is still in a discarding state and is negotiating a port role. It has received RST BPDUs from Port3/Switch 2. The 802.
Convergence after a link failure
Figure 142 illustrates a link failure in the 802.1W topology. In this example, Port2/Switch 2, which is the port that connects Switch 2 to the root bridge (Switch 1), fails, and both Switch 2 and Switch 1 are affected by the topology change.
Convergence at link restoration
When Port2/Switch 2 is restored, both Switch 2 and Switch 1 recognize the change. Port2/Switch 1 assumes the role of a Designated port and sends an RST BPDU containing a proposal flag to Port2/Switch 2. When Port2/Switch 2 receives the RST BPDUs, the 802.1W algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port.
Convergence in a complex 802.1W topology
Figure 143 illustrates a complex 802.1W topology.
FIGURE 143 Complex 802.
Next, Switch 2 sends RST BPDUs with a proposal flag to Port3/Switch 4. Port3 becomes the Root port for the bridge; all other ports are given a Designated port role with discarding states. Port3/Switch 4 sends an RST BPDU with an agreed flag to Switch 2 to confirm that it is the new Root port. The port then goes into a forwarding state. Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit.
After convergence is complete, Figure 144 shows the active Layer 2 path of the topology in Figure 143.
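The election that the preceding convergence examples walk through reduces to one comparison, and seeing it in code makes the "superior BPDU" wording concrete. The following Python program is an added example for this guide, not code from the guide or from Brocade software: it models how a bridge picks its Root port and assigns Designated, Alternate and Backup roles from the BPDUs it holds, ranking each received BPDU by the priority vector (root bridge ID, root path cost, designated bridge ID, designated port ID) with the numerically lowest vector winning, as IEEE 802.1D/802.1W specify. Only the bridge priorities 1500 and 2000 come from the text; Switch 1's priority (1000), the MAC addresses, the port numbers and the 20000 path cost are constructed for the two-step start-up in Figures 139 and 140.

```python
"""802.1W port-role election from received RST BPDUs.

Added example for this guide; not Brocade code. A bridge ranks the BPDU
it holds on each port by the priority vector
    (root bridge ID, root path cost, designated bridge ID, designated port ID)
and the numerically lowest vector wins, as in IEEE 802.1D/802.1W.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class BridgeId:
    priority: int          # lower number = higher priority (0 is best)
    mac: str

    def key(self) -> Tuple[int, str]:
        return (self.priority, self.mac.lower())


@dataclass(frozen=True)
class Bpdu:
    root: BridgeId         # bridge the sender believes is the root
    root_cost: int         # sender's path cost to that root
    sender: BridgeId       # designated bridge that transmitted the BPDU
    sender_port: int       # designated port ID on the sender

    def vector(self):
        return (self.root.key(), self.root_cost, self.sender.key(), self.sender_port)


def elect_roles(me: BridgeId, port_cost: Dict[int, int],
                received: Dict[int, Optional[Bpdu]]) -> Dict[int, str]:
    """Return {port: role} for one bridge.

    port_cost: path cost configured on each local port.
    received:  best BPDU currently held on each port (None = nothing heard).
    """
    # 1. Root port: the received vector that, with the local port cost
    #    added, is lowest; ties fall to the lower port number.
    best = None
    for port, bpdu in received.items():
        if bpdu is None:
            continue
        cand = (bpdu.root.key(), bpdu.root_cost + port_cost[port],
                bpdu.sender.key(), bpdu.sender_port, port)
        if best is None or cand < best:
            best = cand
    # 2. If no received BPDU names a root better than our own bridge ID,
    #    we are the root and every port is Designated (the role all ports
    #    start in at power up, before any RST BPDU arrives).
    if best is None or best[0] >= me.key():
        return {p: "Designated" for p in port_cost}
    root_key, root_cost, root_port = best[0], best[1], best[4]
    roles = {root_port: "Root"}
    # 3. Every other port is Designated if the vector we would transmit
    #    beats the one we hold; otherwise it is Alternate (peer is another
    #    bridge) or Backup (our own BPDU heard back on a shared segment).
    for port in port_cost:
        if port == root_port:
            continue
        bpdu = received.get(port)
        ours = (root_key, root_cost, me.key(), port)
        if bpdu is None or ours < bpdu.vector():
            roles[port] = "Designated"
        elif bpdu.sender.key() == me.key():
            roles[port] = "Backup"
        else:
            roles[port] = "Alternate"
    return roles


# Constructed scenario for Figures 139 and 140: Switch 2 (priority 1500)
# and Switch 3 (priority 2000) are joined on their port 3; Switch 1
# (priority 1000, assumed) later powers up on port 2 of each. Every link
# costs 20000 (assumed).
SW1 = BridgeId(1000, "00:00:00:00:00:01")
SW2 = BridgeId(1500, "00:00:00:00:00:02")
SW3 = BridgeId(2000, "00:00:00:00:00:03")
COSTS = {2: 20000, 3: 20000}


def switch3_before_switch1() -> Dict[int, str]:
    """Figure 139: only Switch 2 is heard, so Switch 2 is root for now."""
    return elect_roles(SW3, COSTS, {2: None,
                                    3: Bpdu(SW2, 0, SW2, 3)})


def switch3_after_switch1() -> Dict[int, str]:
    """Figure 140: Switch 1 is root; with these costs the link to Switch 2 ends up Alternate."""
    return elect_roles(SW3, COSTS, {2: Bpdu(SW1, 0, SW1, 3),
                                    3: Bpdu(SW1, 20000, SW2, 3)})


def switch1_roles() -> Dict[int, str]:
    """The root only ever hears inferior BPDUs, so all its ports are Designated."""
    return elect_roles(SW1, COSTS, {2: Bpdu(SW1, 20000, SW2, 2), 3: None})


if __name__ == "__main__":
    print(switch3_before_switch1(), switch3_after_switch1(), switch1_roles())
```

The same comparison is what makes the root guard section later in this chapter necessary: nothing in the vector is authenticated, so whichever bridge advertises the lowest bridge ID wins step 2 on every other bridge.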
For example, Port3/Switch 2 in Figure 145 fails. Port4/Switch 3 becomes the new Root port. Port4/Switch 3 sends an RST BPDU with a TCN to Port4/Switch 4. To propagate the topology change, Port4/Switch 4 then starts a TCN timer on itself, on the bridge Root port, and on other ports on that bridge with a Designated role. Then Port3/Switch 4 sends an RST BPDU with the TCN to Port4/Switch 2. (Note the new active Layer 2 path in Figure 145.
FIGURE 146 Sending TCN to bridges connected to Switch 2 (figure: Switch 1 through Switch 6 with bridge priorities 200, 1000, 300, 60, 400 and 900 and their port numbers; the legend marks the active Layer 2 path and the direction of the TCN)
Then Switch 1, Switch 5, and Switch 6 send RST BPDUs that contain the TCN to Switch 3 and Switch 4 to complete the TCN propagation (Figure 147).
For example, in Figure 148, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format so that they operate transparently with Switch 20.
FIGURE 148 802.1W bridges with an 802.1D bridge (figure: Switch 10 running 802.1W, Switch 20 running 802.1D, Switch 30 running 802.1W)
Once Switch 20 is removed from the LAN, Switch 10 and Switch 30 continue to receive and transmit BPDUs in the STP format to and from each other; the ports do not return to 802.1W operation on their own. Note that a single legacy BPDU, whether from a real 802.1D bridge or injected by a host attached to the port, is enough to drop the ports that hear it into the slower 802.1D mode.
Enabling or disabling 802.1W in a port-based VLAN
Use the following procedure to disable or enable 802.1W on a device on which you have configured a port-based VLAN. Changing the 802.1W state in a VLAN affects only that VLAN. To enable 802.1W for all ports in a port-based VLAN, enter commands such as the following.
Brocade(config)#vlan 10
Brocade(config-vlan-10)#spanning-tree 802-1w
Syntax: [no] spanning-tree 802-1w
Note regarding pasting 802.
Once 802.1W is enabled in a VLAN, it can be disabled on individual ports, and ports on which it has been disabled can be re-enabled as required.
NOTE
If you change the 802.1W state of the primary port in a trunk group, the change affects all ports in that trunk group.
To disable or enable 802.1W on an individual port, enter commands such as the following.
The default is 2.
The priority parameter specifies the priority of the bridge. You can enter a value from 0 – 65535. A lower numerical value means the bridge has a higher priority; thus, the highest priority is 0. The default is 32768. You can specify some or all of these parameters on the same command line. If you specify more than one parameter, you must specify them in the order shown above, from left to right.
Changing port parameters
The 802.
• The priority parameter specifies the preference that 802.1W gives to this port relative to other ports for forwarding traffic out of the topology. You can specify a value from 0 – 240, in increments of 16. If you enter a value that is not divisible by 16, the software returns an error message. The default value is 128. A higher numerical value means a lower priority; thus, the highest priority is 0.
• Set the admin-edge-port to enabled or disabled.
TABLE 199 CLI display of 802.1W summary
Field – Description
VLAN ID – The port-based VLAN that owns the STP instance. VLAN 1 is the default VLAN. If you have not configured port-based VLANs on this device, all 802.1W information is for VLAN 1.
Bridge IEEE 802.1W parameters
Bridge Identifier – The ID of the bridge.
Bridge Max Age – The configured max age for this bridge. The default is 20.
Bridge Hello – The configured hello time for this bridge. The default is 2.
Fwd Dly – The number of seconds a non-edge Designated port waits until it can apply any of the following transitions, if the RST BPDU it receives does not have an agreed flag:
• Discarding state to learning state
• Learning state to forwarding state
When a non-edge port receives the RST BPDU, it goes into forwarding state within 4 seconds or after two hello timers expire on the port.
To display detailed information about 802.1W, enter the show 802-1w detail command.
Brocade#show 802-1w detail
======================================================================
VLAN 1 - MULTIPLE SPANNING TREE (MSTP - IEEE 802.
TABLE 200 CLI display of show spanning-tree 802.1W (Continued)
Field – Description
State – The port's current 802.1W state. A port can have one of the following states:
• Forwarding
• Discarding
• Learning
• Disabled
Refer to “Bridge port states” on page 1113 and “Edge port and non-edge port states” on page 1114.
Path Cost – The configured path cost on a link connected to this port.
Priority – The configured priority of the port. The default is 128 or 0x80.
Machine States – The current states of the various state machines on the port:
PIM – State of the Port Information state machine.
PRT – State of the Port Role Transition state machine.
PST – State of the Port State Transition state machine.
TCM – State of the Topology Change state machine.
PPM – State of the Port Protocol Migration state machine.
PTX – State of the Port Transmit state machine.
(figure: the arrow shows the path to the root bridge. Switch 1 is the root bridge with bridge priority 2; a bridge with priority 4 has root port 2/2 and alternate ports 2/3 and 2/4; a bridge with priority 6 has root port 3/3 and alternate port 3/4; a bridge with priority 8 has root port 4/4 and alternate port 4/3. Ports Port1/2, Port1/3, Port1/4, Port2/2, Port2/3, Port2/4, Port3/3 and Port4/4 are FWD; Port3/4 and Port4/3 are BLK.)
If the root port on a Switch becomes unavailable, 802.
FIGURE 150 802.
Once a failover occurs, the Switch no longer has an alternate root port. If the port that was an alternate port but became the root port fails, standard STP is used to reconverge with the network. You can minimize the reconvergence delay in this case by setting the forwarding delay on the root bridge to a lower value. For example, if the forwarding delay is set to 15 seconds (the default), change the forwarding delay to a value from 3 – 10 seconds. During failover, 802.
Enabling 802.1W Draft 3
802.1W Draft 3 is disabled by default. The procedure for enabling the feature differs depending on whether single STP is enabled on the device.
NOTE
STP must be enabled before you can enable 802.1W Draft 3.
Enabling 802.1W Draft 3 when single STP is not enabled
By default, each port-based VLAN on the device has its own spanning tree. To enable 802.1W Draft 3 in a port-based VLAN, enter commands such as the following.
Single Spanning Tree (SSTP)
By default, each port-based VLAN on a Brocade device runs a separate spanning tree, which you can enable or disable on an individual VLAN basis. Alternatively, you can configure a Brocade device to run a single spanning tree across all ports and VLANs on the device. The Single STP feature (SSTP) is especially useful for connecting a Brocade device to third-party devices that run a single spanning tree in accordance with the 802.1Q specification.
NOTE
If the device has only one port-based VLAN, the CLI command for enabling SSTP is not listed in the CLI. The command is listed only if you have configured a port-based VLAN.
To change a global STP parameter, enter a command such as the following at the global CONFIG level.
Brocade(config)# spanning-tree single priority 2
This command changes the STP priority for all ports to 2. To change an STP parameter for a specific port, enter commands such as the following.
The detail parameter and its additional optional parameters display detailed information for individual ports. Refer to “Displaying detailed STP information for each interface” on page 1099.
STP per VLAN group
STP per VLAN group is an STP enhancement that provides scalability while overcoming the limitations of the following scalability alternatives:
• Standard STP – You can configure up to 254 instances of standard STP on a Brocade device.
STP load balancing
Notice that the STP groups each have different STP priorities. In configurations that use the STP groups on multiple devices, you can use the STP priorities to load balance the STP traffic. By setting the STP priorities for the same STP group to different values on each device, you can cause each of the devices to be the root bridge for a different STP group.
Syntax: [no] master-vlan <vlan-id>
This command adds a master VLAN to the STP group. The master VLAN contains the STP settings for all the VLANs in the STP per VLAN group. The <vlan-id> parameter specifies the VLAN ID. An STP group can contain one master VLAN. If you delete the master VLAN from an STP group, the software automatically assigns the first member VLAN in the group to be the new master VLAN for the group.
The STP group ID identifies the STP instance. All VLANs within an STP group run the same instance of STP. The master VLAN specifies the bridge STP parameters for the STP group, including the bridge priority. In this example, each of the devices in the core is configured to be the default root bridge for a different master VLAN. This configuration ensures that each link can be used for forwarding some traffic.
Brocade(config)#stp-group 1
Brocade(config-stp-group-1)#master-vlan 1
Brocade(config-stp-group-1)#member-group 1
Brocade(config-stp-group-1)#member-vlan 4001 4004 to 4010
Brocade(config-stp-group-1)#stp-group 2
Brocade(config-stp-group-2)#master-vlan 201
Brocade(config-stp-group-2)#member-group 2
Brocade(config-stp-group-2)#member-vlan 4002 4003 4011 to 4015
Brocade(config-stp-group-2)#stp-group 3
Brocade(config-stp-group-3)#master-vlan 401
Brocade(config-stp-group-3)#member-group
IEEE 802.1Q and PVST regions cannot interoperate directly but can interoperate indirectly through PVST+ regions. PVST BPDUs are tunnelled through 802.1Q regions, while PVST BPDUs for VLAN 1 (the IEEE 802.1Q VLAN) are processed by PVST+ regions. Figure 153 shows the interaction of IEEE 802.1Q, PVST, and PVST+ regions.
FIGURE 153 Interaction of IEEE 802.1Q, PVST, and PVST+ regions (figure: PVST BPDUs tunneled through the IEEE 802.1Q region; 802.1D BPDUs; PVST+ region; dual-mode port) 802.
To support IEEE 802.1Q together with non-standard proprietary protocols such as PVST and PVST+, a port must always send and receive untagged frames on VLAN 1 on both sides. In this case, enable the dual-mode 1 feature to allow untagged BPDUs on VLAN 1 and use Native VLAN 1 on the interoperating vendor side. Do not use VLAN 1 for tagged frames in this case.
Configuring PVST+ support
PVST+ support is automatically enabled when the port receives a PVST BPDU. Because this auto-detection is triggered by any received PVST BPDU, protect host-facing ports with BPDU guard (refer to “BPDU guard”) so that a host cannot switch a port into PVST+ mode by sending one.
Displaying PVST+ support information
To display PVST+ information for ports on a Brocade device, enter the following command at any level of the CLI.
Brocade#show span pvst-mode
PVST+ Enabled on:
Port Method
1/1 Set by configuration
1/2 Set by configuration
2/10 Set by auto-detect
3/12 Set by configuration
4/24 Set by auto-detect
Syntax: show span pvst-mode
This command displays the following information.
Commands on the Brocade Device
Brocade(config)#vlan-group 1 vlan 2 to 4
Brocade(config-vlan-group-1)#tagged ethernet 1/1
Brocade(config-vlan-group-1)#exit
Brocade(config)#interface ethernet 1/1
Brocade(config-if-1/1)#dual-mode
Brocade(config-if-1/1)#pvst-mode
These commands configure a VLAN group containing VLANs 2, 3, and 4, add port 1/1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port.
Brocade(config)#interface ethernet 1/1
Brocade(config-if-1/1)#dual-mode 2
Brocade(config-if-1/1)#pvst-mode
Brocade(config-if-1/1)#exit
These commands change the default VLAN ID, configure port 1/1 as a tagged member of VLANs 1 and 2, and enable the dual-mode feature and PVST+ support on port 1/1. Because VLAN 1 is tagged in this configuration, the default VLAN ID must be changed from VLAN 1 to another VLAN ID.
Setting the ports as dual-mode ensures that the untagged IEEE 802.1Q BPDUs reach the VLAN 1 instance.
PVRST compatibility
PVRST, the "rapid" version of per-VLAN spanning tree (PVST), is a Cisco proprietary protocol. PVRST corresponds to the Brocade full implementation of IEEE 802.1w (RSTP). Likewise, PVST, also a Cisco proprietary protocol, corresponds to the Brocade implementation of IEEE 802.1D (STP). When a Brocade device receives PVRST BPDUs on a port configured to run 802.
Example
Brocade(config)#interface ethernet 1/1 to 1/9
Brocade(config-mif-1/1-1/9)#stp-bpdu-guard
Brocade(config-mif-1/1-1/9)#
This enables stp-bpdu-guard on ports 1/1 to 1/9.
Re-enabling ports disabled by BPDU guard
When a BPDU guard-enabled port is disabled by BPDU guard, the Brocade device places the port in errdisable state and displays a message on the console indicating that the port is errdisabled (refer to “BPDU guard status example console messages” on page 1165).
BPDU guard status example configurations
Example
The following example shows how to configure BPDU guard at the interface level and how to verify the configuration by issuing the show stp-bpdu-guard and show interface commands.
Root guard
Neither standard STP (802.1D), RSTP (802.1W), nor 802.1S provides a way for a network administrator to securely enforce the topology of a switched Layer 2 network. The forwarding topology of a switched network is calculated from the position of the root bridge, along with other parameters. This means that any switch can become the root bridge as long as it has the lowest bridge ID, and the administrator cannot enforce the position of the root bridge. In practice, any device that can send a BPDU with a lower bridge ID than the intended root, whether a misconfigured switch or a host, can take over the root role and pull traffic across itself. Root guard lets you mark the ports on which a root bridge must never appear.
Displaying the root guard by VLAN
You can display root guard information for all VLANs or for a specific VLAN.
Syntax: show spanning-tree [vlan <vlan-id>]
If you do not specify a VLAN, information for all VLANs is displayed. For example, to display root guard violation information for VLAN 7:
Brocade#show spanning-tree vlan 7
STP instance owned by VLAN 7
Global STP (IEEE 802.
The all parameter allows ports to recover from an errdisabled state caused by any reason, for example a BPDU guard violation or a loop detection violation.
Setting the recovery interval
The errdisable recovery interval command allows you to configure a timeout for ports in errdisable state, after which the ports are re-enabled automatically. Note that automatic recovery only re-enables the port; if the device that triggered the violation is still attached and still sending BPDUs, BPDU guard disables the port again on the next BPDU. To set the errdisable recovery timeout interval, enter a command such as the following.
Timeout Value: 300 seconds
Interface that will be enabled at the next timeout:
Interface Errdisable reason Time left (sec)
-------------- ----------------- ---------------
Port 6 bpduguard 297
Syntax: show errdisable recovery
Displaying the recovery state by port number and cause
To see which ports are in an errdisabled state, use the show errdisable summary command.
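BPDU guard, root guard and errdisable recovery are easiest to understand side by side. The following Python model is an added example for this guide, not FastIron code: BPDU guard puts an edge port into errdisable on the first BPDU it receives (as described under “BPDU guard”); root guard blocks a port only while that port hears a BPDU claiming a root better than the one the bridge already has, and releases it when an ordinary BPDU arrives (the generic behaviour of the feature, assumed here because this page does not spell out the Brocade state names); errdisable recovery re-enables an errdisabled port after the configured interval, and the `time_left` helper reproduces the “Time left (sec)” column of `show errdisable recovery`. Port names, bridge IDs and timestamps are constructed.

```python
"""BPDU guard, root guard and errdisable recovery as one small state model.

Added example for this guide; not FastIron code. State names and the
root-guard release rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FORWARDING = "forwarding"
ERRDISABLED = "errdisabled"
ROOT_INCONSISTENT = "root-inconsistent"

BridgeKey = Tuple[int, str]   # (bridge priority, MAC); lower wins the election


@dataclass
class GuardedPort:
    name: str
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = FORWARDING
    disabled_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def receive_bpdu(self, claimed_root: BridgeKey, current_root: BridgeKey,
                     now: float) -> str:
        """Apply the guards to one received BPDU and return the new state."""
        if self.state == ERRDISABLED:
            return self.state                      # port is down; frame dropped
        if self.bpdu_guard:
            # An edge port must never hear a BPDU: whoever sent it is trying
            # to join the topology, so shut the port (errdisable).
            self.state, self.disabled_at = ERRDISABLED, now
            self.log.append(f"{self.name}: bpduguard errdisable at t={now}")
        elif self.root_guard and claimed_root < current_root:
            # A superior root claim where root is not allowed: block the
            # port for as long as such claims keep arriving.
            self.state = ROOT_INCONSISTENT
            self.log.append(f"{self.name}: root guard blocking, claimed {claimed_root}")
        elif self.root_guard:
            self.state = FORWARDING                # ordinary BPDU: release
        return self.state

    def recover(self, now: float, interval: int) -> str:
        """errdisable recovery: re-enable once `interval` seconds have passed."""
        if self.state == ERRDISABLED and now - self.disabled_at >= interval:
            self.state, self.disabled_at = FORWARDING, None
            self.log.append(f"{self.name}: errdisable recovery at t={now}")
        return self.state


def time_left(port: GuardedPort, now: float, interval: int) -> Optional[int]:
    """The 'Time left (sec)' column of show errdisable recovery."""
    if port.state != ERRDISABLED:
        return None
    return max(0, int(interval - (now - port.disabled_at)))


CURRENT_ROOT: BridgeKey = (200, "00:00:00:00:00:01")   # root the bridge already elected
ROGUE_ROOT: BridgeKey = (60, "00:00:00:00:00:60")      # lower priority value: would win


def scenario(recovery_interval: int = 300):
    """Constructed sequence: a rogue bridge on an access port, then on an uplink."""
    access = GuardedPort("1/1", bpdu_guard=True)     # host-facing edge port
    uplink = GuardedPort("1/9", root_guard=True)     # toward a non-root neighbour
    states = [
        access.receive_bpdu(ROGUE_ROOT, CURRENT_ROOT, now=0),     # errdisabled
        uplink.receive_bpdu(ROGUE_ROOT, CURRENT_ROOT, now=1),     # root-inconsistent
        uplink.receive_bpdu(CURRENT_ROOT, CURRENT_ROOT, now=2),   # forwarding again
        access.recover(now=3, interval=recovery_interval),        # still errdisabled
    ]
    remaining = time_left(access, now=3, interval=recovery_interval)   # 297
    states.append(access.recover(now=300, interval=recovery_interval))  # forwarding
    return states, remaining


if __name__ == "__main__":
    print(scenario())
```

The difference in severity is deliberate: an edge port that hears any BPDU is a policy violation, so it is shut and stays shut until recovery or manual re-enable, whereas a root-guard port is expected to hear BPDUs and is only blocked while the claim it hears would move the root.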
Multiple spanning-tree regions
Using MSTP, the entire network runs a common instance of RSTP. Within that common instance, one or more VLANs can be individually configured into distinct regions. The entire network runs the common spanning tree instance (CST) and the regions run a local instance. The local instance is known as the Internal Spanning Tree (IST). The CST treats each instance of IST as a single bridge.
Internal Spanning Tree (IST) – IST is new terminology introduced in 802.1s. An MSTP bridge must handle at least these two instances: one IST and one or more MSTIs (Multiple Spanning Tree Instances). Within each MST region, MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance known as the IST, which extends the CST inside the MST region. The IST always exists if the switch runs MSTP.
• The CIST is created and all VLANs inside the MSTP scope are attached to the CIST
Make sure that no physical Layer 2 loops exist before switching from non-MSTP mode to MSTP mode. If, for example, you have a Layer 2 loop topology configured as a redundancy mechanism before you perform the switch, expect a Layer 2 storm. To configure a system into MSTP mode, use the following command at the Global Configuration level.
Brocade(config-vlan-20)#show run
Current configuration:
!
ver 04.2.00bT3e1
!
!
vlan 1 name DEFAULT-VLAN by port
 no spanning-tree
!
vlan 10 by port
 tagged ethe 1 to 2
 no spanning-tree
!
vlan 20 by port
 tagged ethe 1 to 2
 no spanning-tree
!
mstp scope all
mstp instance 0 vlan 1
mstp instance 1 vlan 20
mstp start
some lines omitted for brevity...
Brocade(config-vlan-20)#no vlan 20
Brocade(config-vlan-20)#show run
Current configuration:
!
ver 04.2.
The instance parameter defines the number of the MSTP instance that you are deleting. The vlan parameter identifies one or more VLANs or a range of VLANs for the instance defined in this command. The vlan-group parameter identifies one or more VLAN groups for the instance defined in this command.
Viewing the MSTP configuration digest
The MSTP Configuration Digest indicates the occurrence of an MSTP reconvergence. The digest is derived from the VLAN-to-instance mapping; bridges whose region name, revision and digest do not all match are in different regions, so a mapping changed on one switch but not its neighbours shows up as a new region boundary.
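The digest is worth understanding because it is the value that makes two switches agree they are in the same region. The following Python function is an added example for this guide, not Brocade code: it computes the MST Configuration Digest as IEEE 802.1s specifies it, an HMAC-MD5 over the 4096-entry VLAN-to-MSTI table (one 16-bit MSTID per VID, with VID 0 and 4095 always 0) using the fixed key from the standard, so an unchanged mapping yields the well-known default digest AC36177F50283CD4B83821D8AB26DE62. The `vlan_to_mstid` dictionary standing in for the page's `mstp instance 0 vlan 1` and `mstp instance 1 vlan 20` commands is constructed.

```python
"""MST Configuration Digest as specified by IEEE 802.1s.

Added example for this guide; not Brocade code. Switches are in the same
MST region only if region name, revision and this digest all match.
"""
import hashlib
import hmac
import struct
from typing import Dict

# Fixed HMAC key from IEEE 802.1s (the MST Configuration Identifier signature key).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
DEFAULT_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"   # every VLAN in the CIST (instance 0)


def mst_config_digest(vlan_to_mstid: Dict[int, int]) -> str:
    """HMAC-MD5 over the 4096-entry VLAN-to-MSTI table, one big-endian
    16-bit MSTID per VID; VIDs not listed (and VID 0 / 4095) stay in MSTI 0."""
    table = bytearray(4096 * 2)
    for vid, mstid in vlan_to_mstid.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} is not a usable VLAN ID")
        if not 0 <= mstid <= 4094:
            raise ValueError(f"MSTID {mstid} out of range")
        struct.pack_into("!H", table, vid * 2, mstid)
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def same_region(a: Dict[int, int], b: Dict[int, int]) -> bool:
    """Two switches with the same name and revision join a region only if the digests match."""
    return mst_config_digest(a) == mst_config_digest(b)


if __name__ == "__main__":
    # Mapping equivalent to "mstp instance 0 vlan 1" plus "mstp instance 1 vlan 20".
    print(mst_config_digest({}))          # default digest
    print(mst_config_digest({1: 0, 20: 1}))
```

Because the digest covers the whole table, moving a single VLAN into another instance on one switch is enough to split the region, and the resulting CST boundary ports are where unexpected blocking appears after an MSTP change.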
• “Forcing ports to transmit an MSTP BPDU”
• “Activating MSTP on a switch”
Setting the MSTP name
Each switch that is running MSTP is configured with a name. It applies to the whole switch, which can have many different VLANs that can belong to many different MSTP regions. To configure an MSTP name, use a command such as the following at the Global Configuration level.
The no option moves a VLAN or VLAN group from its assigned MSTI back into the CIST.
NOTE
The system does not allow an MSTI without any VLANs mapped to it. Consequently, removing all VLANs from an MSTI deletes the MSTI from the system. The CIST, by contrast, exists regardless of whether any VLANs are assigned to it. Consequently, if all VLANs are moved out of the CIST, the CIST still exists and is functional.
The max-hops parameter specifies the maximum hop count. You can specify a value from 1 – 40 hops. The default value is 20 hops.
Setting ports to be operational edge ports
You can define specific ports as edge ports for the region in which they are configured, to connect to devices (such as a host) that are not running STP, RSTP, or MSTP. If a port is connected to an end device such as a PC, the port can be configured as an edge port. An edge port that receives a BPDU stops being treated as an edge port, so pair edge ports with BPDU guard (refer to “BPDU guard”) so that a device sending BPDUs on a host-facing port is shut down rather than admitted into the topology.
Disabling MSTP on a port
To disable MSTP on a specific port, use a command such as the following at the Global Configuration level.
Brocade(config)#mstp disable ethernet 2/1
Syntax: [no] mstp disable ethernet <port>
The <port> variable specifies the location of the port for which you want to disable MSTP.
Example of an MSTP configuration
In Figure 157, four Brocade device routers are configured in two regions. There are four VLANs in four instances in Region 2. Region 1 is in the CIST.
Brocade(config)#mstp admin-pt2pt-mac ethernet 2/16
Brocade(config)#mstp disable ethernet 2/240.
Displaying MSTP statistics
MSTP statistics can be displayed using the commands shown below. To display all general MSTP information, enter the following command.
TABLE 202 Output from Show MSTP (Continued)
Field – Description
Root FwdDly sec – FwdDly interval configured on the root bridge.
Root Hop Cnt – Current hop count from the root bridge.
Root Bridge – Bridge identifier of the root bridge.
ExtPath Cost – The configured path cost on a link connected to this port to an external MSTP region.
Regional Root Bridge – The MAC address of the Root Bridge for the local region.
Displaying MSTP information for a specified instance
The following example displays MSTP information for a specified MSTP instance.
To display details about the MSTP that is configured on the device, enter the following command.
Chapter 28 Base Layer 3 and Routing Protocols Table 203 lists the individual Brocade FastIron switches and the base Layer 3 features they support. These features are supported in the base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
TCAM entries in FWS devices
The size of the TCAM in FWS devices is limited to 1024 routing entries. When this limit is reached, the following warning message is displayed.
No free TCAM entry available. System will be unstable. Please reboot system.
At the same time, the following syslog message is generated.
System: No Free Tcam Entry available. System will be unstable.
You must reboot the device when you see these messages.
Adding a static ARP entry
NOTE
Adding a static ARP entry is supported on FastIron X Series and Brocade FCX Series devices. It is not supported on FastIron WS Series devices.
Static entries are useful in cases where you want to pre-configure an entry for a device that is not connected to the Brocade device, or you want to prevent a particular entry from aging out.
Modifying and displaying Layer 3 system parameter limits
This section shows how to view and configure some of the Layer 3 system parameter limits.
Layer 3 configuration notes
• Changing the system parameters reconfigures the device memory. Whenever you reconfigure the memory on a Brocade device, you must save the change to the startup-config file, and then reload the software to place the change into effect.
If the default route is configured and its next-hop ARP is resolved, unknown unicast packets are hardware-routed to the next hop, and not VLAN-flooded. Once the device runs out of TCAM, it traps the unknown unicast packets to the CPU for processing. If the default route is defined and its next-hop ARP is resolved, the packets are routed by the CPU. Otherwise, they follow the default Layer 2 behavior. Because TCAM exhaustion moves the forwarding of these packets onto the CPU, a flood of unknown-unicast traffic at a device near its TCAM limit is also a denial-of-service concern, not only a performance one.
Brocade(config)#system-max hw-logical-interface 2048
Brocade(config)#system-max hw-ip-next-hop 3072
Brocade(config)#system-max hw-ip-mcast-mll 2048
Brocade(config)#write memory
Brocade(config)#reload
Syntax: system-max hw-ip-next-hop
Syntax: system-max hw-logical-interface
Syntax: system-max hw-ip-mcast-mll
NOTE
The system-max commands are not supported on IPv6 devices. Refer to “FastIron second generation modules” on page 1190.
• Number of hardware logical interfaces (physical port and VLAN pairs) – This value is the same as the maximum number of VLANs supported systemwide, so it is not configurable and is not displayed in the show default value output on second generation modules.
• Number of multicast output interfaces (clients) – 3072 maximum. This value is fixed in second generation modules and cannot be modified. This system parameter occupies its own hardware memory space.
The following example shows output on a FastIron X Series with second generation modules.
Brocade#show default value
sys log buffers:50
mac age time:300 sec
telnet sessions:5
ip arp age:10 min
ip addr per intf:24
bootp relay max hops:4
ip ttl:64 hops
igmp group memb.
Configuring RIP
If you want the Brocade device to use Routing Information Protocol (RIP), you must enable the protocol globally, and then enable RIP on individual ports. When you enable RIP on a port, you must also specify the version (version 1 only, version 2 only, or version 1 compatible with version 2). Optionally, you can also set or change the following parameters:
• Route redistribution – You can enable the software to redistribute static routes from the IP route table into RIP.
NOTE
The default redistribution action is permit, even after you configure and apply a permit or deny filter. To deny redistribution of specific routes, you must configure a deny filter.
NOTE
The option to set the metric is not applicable to static routes.
2. Enable redistribution.
NOTE
If you plan to configure redistribution filters, do not enable redistribution until you have configured the filters.
Configuring a redistribution filter
To configure a redistribution filter, enter a command such as the following.
Brocade(config-rip-router)#deny redistribute 1 static address 207.92.0.0 255.255.0.0
This command denies redistribution of all 207.92.x.x IP static routes.
Syntax: [no] permit | deny redistribute <filter-id> static address <ip-addr> <ip-mask> [match-metric <value> | set-metric <value>]
The <filter-id> variable specifies the redistribution filter ID.
Enabling learning of default routes
By default, the software does not learn RIP default routes. To enable learning of default RIP routes, enter commands such as the following.
• PIM
• RIP V1 and V2
• VRRP
• VRRP-E
• VSRP
IP routing is enabled by default on devices running Layer 3 code. All other protocols are disabled, so you must enable them to configure and use them. To enable a protocol on a device running full Layer 3 code, enter router at the global CONFIG level, followed by the protocol to be enabled. The following example shows how to enable OSPF.
Brocade(config)#no route-only
Brocade(config)#exit
Brocade#write memory
Brocade#reload
Syntax: [no] route-only
To disable Layer 2 switching only on a specific interface, go to the interface configuration level for that interface, and then disable the feature. The following commands show how to disable Layer 2 switching on port 2.
Chapter 29 RIP (IPv4) Table 204 lists the individual Brocade FastIron switches and the Routing Information Protocol (RIP) for IPv4 features they support. These features are supported in the edge Layer 3 and full Layer 3 software images.
RIP parameters and defaults A RIP route can have a maximum cost of 15. Any destination with a higher cost is considered unreachable. Although limiting to larger networks, the low maximum hop count prevents endless loops in the network.
RIP parameters and defaults TABLE 205 RIP global parameters (Continued) Parameter Description Default Reference Redistribution metric RIP assigns a RIP metric (cost) to each external route redistributed from another routing protocol into RIP. An external route is a route with at least one hop (packets must travel through at least one other router to reach the destination). This parameter applies to routes that are redistributed from other protocols into RIP.
RIP parameter configuration TABLE 206 RIP interface parameters (Continued) Parameter Description Default Reference Loop prevention The method a router uses to prevent routing loops caused by advertising a route on the same interface as the one on which the router learned the route. • Split horizon – The router does not advertise a route on the same interface as the one on which the router learned the route.
RIP parameter configuration
Enabling ECMP for routes in RIP
ECMP for routes in RIP is disabled by default. Use the ecmp-enable command to enable the feature at the router rip level.
Brocade(config-rip-router)#ecmp-enable
Syntax: [no] ecmp-enable
Configuring metric parameters
By default, a Brocade Layer 3 Switch port increases the cost of a RIP route that is learned on the port by one. You can configure individual ports to add more than one to a learned route cost.
RIP parameter configuration The software adds the offset value to the routing metric (cost) of the routes that match the ACL. If a route matches both a global offset list and an interface-based offset list, the interface-based offset list takes precedence. The interface-based offset list metric is added to the route in this case. You can configure up to 24 global RIP offset lists and up to 24 RIP offset lists on each interface. To configure a global RIP offset list, enter commands such as the following.
RIP parameter configuration Configuring redistribution You can configure the Layer 3 Switch to redistribute routes learned through Open Shortest Path First (OSPF) or Border Gateway Protocol version 4 (BGP4) into RIP. When you redistribute a route from one of these other protocols into RIP, the Layer 3 Switch can use RIP to advertise the route to its RIP neighbors. To configure redistribution, perform the following tasks: 1. Configure redistribution filters (optional).
RIP parameter configuration The address parameters apply redistribution to the specified network and subnet address. Use 0 to specify “any”. For example, “207.92.0.0 255.255.0.0” means “any 207.92.x.x subnet”. However, to specify any subnet (all subnets match the filter), enter “address 255.255.255.255 255.255.255.255”. The match-metric parameter applies the redistribution filter only to those routes with the specified metric value; possible values are from 1 through 15.
RIP parameter configuration Syntax: [no] redistribution The no form of this command disables RIP redistribution. Removing a RIP redistribution deny filter To remove a previously configured RIP redistribution deny filter, perform the following task: 1. Remove the RIP redistribution deny filter. 2. Disable the redistribution function. 3. Re-enable redistribution. The following shows an example of how to remove a RIP redistribution deny filter.
RIP parameter configuration To enable learning of default RIP routes on a global basis, enter the following command.
Brocade(config-rip-router)#learn-default
Syntax: [no] learn-default
To enable learning of default RIP routes on an individual interface basis, enter commands such as the following.
RIP parameter configuration
Changing the route loop prevention method
RIP can use the following methods to prevent routing loops:
• Split horizon – The Layer 3 Switch does not advertise a route on the same interface as the one on which the router learned the route.
• Poison reverse – The Layer 3 Switch assigns a cost of 16 (“infinite” or “unreachable”) to a route before advertising it on the same interface as the one on which the router learned the route. This is the default.
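The learned-route metric handling (the per-port increment, interface offset lists taking precedence over global ones, the cost-15 ceiling) together with both loop-prevention methods, as an added example that is not code from the Brocade guide. The offset-list ACL is modelled simply as the prefixes it matches, and every prefix, metric and interface name below is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

RIP_INFINITY = 16   # "infinite" / unreachable: the cost poison reverse advertises
RIP_MAX_COST = 15   # highest cost a reachable RIP route may have


@dataclass
class Route:
    prefix: str        # e.g. "10.1.0.0/16"
    metric: int
    learned_on: str    # interface the route was learned on, e.g. "e1"


@dataclass
class OffsetList:
    """An offset list, modelled (assumption) as the prefixes its ACL matches plus the offset."""
    match_prefixes: List[str]
    offset: int

    def matches(self, prefix: str) -> bool:
        net = ipaddress.ip_network(prefix)
        return any(net.subnet_of(ipaddress.ip_network(p)) for p in self.match_prefixes)


def learn_route(prefix: str, advertised_metric: int, iface: str,
                global_lists: List[OffsetList],
                iface_lists: Dict[str, List[OffsetList]],
                port_increment: int = 1) -> Optional[Route]:
    """Compute the metric of a route received on iface, or None if it is unreachable.

    The port adds its increment (1 by default).  Interface-based offset lists are
    checked before global ones, so when both match only the interface offset is
    added, which is the precedence the guide describes.
    """
    metric = advertised_metric + port_increment
    for offset_list in iface_lists.get(iface, []) + global_lists:
        if offset_list.matches(prefix):
            metric += offset_list.offset
            break
    if metric > RIP_MAX_COST:
        return None          # cost 16 or more: the destination is unreachable
    return Route(prefix, metric, iface)


def build_update(table: List[Route], out_iface: str,
                 method: str = "poison-reverse") -> Dict[str, int]:
    """Routes and costs advertised out of out_iface.

    split-horizon: routes learned on out_iface are left out of the update.
    poison-reverse (the default): they are advertised with cost 16.
    """
    if method not in ("split-horizon", "poison-reverse"):
        raise ValueError(f"unknown loop prevention method: {method}")
    update: Dict[str, int] = {}
    for route in table:
        if route.learned_on != out_iface:
            update[route.prefix] = route.metric
        elif method == "poison-reverse":
            update[route.prefix] = RIP_INFINITY
    return update
```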
RIP parameter configuration Configuring RIP route filters You can configure RIP route filters to permit or deny learning or advertising of specific routes. Configure the filters globally, then apply them to individual interfaces. When you apply a RIP route filter to an interface, you specify whether the filter applies to learned routes (in) or advertised routes (out). NOTE A route is defined by the destination IP address and network mask.
Displaying RIP filters
To display the RIP filters configured on the router, enter the show ip rip command at any CLI level.
Brocade#show ip rip
     RIP Route Filter Table
Index  Action  Route IP Address  Subnet Mask
1      deny    any               any
     RIP Neighbor Filter Table
Index  Action  Neighbor IP Address
1      permit  any
Syntax: show ip rip
Table 207 describes the information displayed by the show ip rip command.
Displaying CPU utilization statistics
You can display CPU utilization statistics for RIP and other IP protocols. To display CPU utilization statistics for RIP for the previous five-second, one-minute, five-minute, fifteen-minute, and runtime intervals, enter the show process cpu command at any level of the CLI.
Brocade#show process cpu
Process Name  5Sec(%)  1Min(%)
ARP           0.01     0.03
BGP           0.04     0.06
GVRP          0.00     0.00
ICMP          0.00     0.00
IP            0.00     0.00
OSPF          0.00     0.00
RIP           0.04     0.07
STP           0.
Displaying CPU utilization statistics When you specify how many seconds’ worth of statistics you want to display, the software selects the sample that most closely matches the number of seconds you specified. In this example, statistics are requested for the previous two seconds. The closest sample available is for the previous 1 second and 80 milliseconds. Syntax: show process cpu [] The parameter specifies the number of seconds and can be from 1 through 900.
Chapter 30 RIP (IPv6) Table 208 lists the individual Brocade FastIron switches and the Routing Information Protocol (RIP) for IPv6 features they support.
Summary of configuration tasks
To configure RIPng, you must enable RIPng globally on the Brocade device and on individual router interfaces.
RIPng timers
Syntax: [no] ipv6 rip enable
To disable RIPng on an individual router interface, use the no form of this command.
RIPng timers
Table 209 describes the RIPng timers and provides their defaults.
TABLE 209 RIPng timers
Timer    Description                                                                  Default
Update   Amount of time (in seconds) between RIPng routing updates.                  30 seconds
Timeout  Amount of time (in seconds) after which a route is considered unreachable.  180 seconds
Route learning and advertising parameters NOTE You must enter a value for each timer, even if you want to retain the current setting of a particular timer. To return to the default values of the RIPng timers, use the no form of this command.
Route learning and advertising parameters For example, to advertise the summarized prefix 2001:DB8::/36 instead of the IPv6 address 2001:469e:0:adff:8935:e838:78:e0ff with a prefix length of 64 bits from Ethernet interface 3/1, enter the following commands.
Redistributing routes into RIPng
You can configure the Brocade device to redistribute routes from the following sources into RIPng:
• IPv6 static routes
• Directly connected IPv6 networks
• OSPF V3
When you redistribute a route from IPv6 or OSPF V3 into RIPng, the Brocade device can use RIPng to advertise the route to its RIPng neighbors. When configuring the Brocade device to redistribute routes, you can optionally specify a metric for the redistributed routes.
Configuring poison reverse parameters For the parameter, you can specify the ethernet, loopback, ve, or tunnel keywords. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VE or tunnel interface, also specify the VE or tunnel number. To remove the prefix list, use the no form of this command. Configuring poison reverse parameters By default, poison reverse is disabled on a RIPng router.
Displaying the RIPng configuration
To display RIPng configuration information, enter the show ipv6 rip command at any CLI level.
Displaying RIPng routing table
To display the RIPng routing table, enter the show ipv6 rip route command at any CLI level.
Chapter 31 OSPF version 2 (IPv4) Table 212 lists the individual Brocade FastIron switches and the Open Shortest Path First (OSPF) Version 2 (IPv4) features they support. These features are supported in the edge Layer 3 and full Layer 3 software images only.
OSPF overview
TABLE 212 Supported OSPF V2 features (Continued)
Feature                     FESX  FSX 800  FSX 1600  FWS  FCX  ICX 6610  ICX 6450
OSPF traps                  Yes   Yes      Yes       Yes  Yes
Exit overflow interval      Yes   Yes      Yes       Yes  Yes
Syslog messages             Yes   Yes      Yes       Yes  Yes
Clearing OSPF information   Yes   Yes      Yes       Yes  Yes
This chapter describes how to configure OSPF Version 2 on Brocade Layer 3 Switches using the CLI. OSPF Version 2 is supported on devices running IPv4.
OSPF overview An OSPF router can be a member of multiple areas. Routers with membership in multiple areas are known as Area Border Routers (ABRs). Each ABR maintains a separate topological database for each area the router is in. Each topological database contains all of the LSA databases for each router within a given area. The routers within the same area have identical topological databases. The ABR is responsible for forwarding routing information or changes between its border areas.
OSPF overview OSPF point-to-point links One important OSPF process is Adjacency. Adjacency occurs when a relationship is formed between neighboring routers for the purpose of exchanging routing information. Adjacent OSPF neighbor routers go beyond the simple Hello packet exchange; they exchange database information.
OSPF overview
FIGURE 159 Designated and backup router election (figure: Router C, priority 20, is the Designated Router; Router A, priority 10, is the Backup Designated Router; Router B has priority 5)
If the DR goes off-line, the BDR automatically becomes the DR. The router with the next highest priority becomes the new BDR. This process is shown in Figure 160.
NOTE Priority is a configurable option at the interface level. You can use this parameter to help bias one router as the DR.
OSPF overview When only one router on the network claims the DR role despite neighboring routers with higher priorities or router IDs, this router remains the DR. This is also true for BDRs.
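The election in Figure 159, the BDR promotion, and the rule that an existing DR or BDR keeps its role, as an added example that is not code from the Brocade guide. The router IDs are constructed, and the router-ID tie-break for equal priorities is taken from RFC 2328 rather than from the guide's text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OspfRouter:
    name: str
    router_id: str   # dotted quad; constructed values in the walkthrough below
    priority: int    # interface priority; 0 = never eligible to be DR or BDR


def _rid_key(router_id: str) -> Tuple[int, ...]:
    """Numeric comparison key for a dotted-quad router ID."""
    return tuple(int(octet) for octet in router_id.split("."))


def elect_dr_bdr(routers: List[OspfRouter],
                 current_dr: Optional[str] = None,
                 current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR name, BDR name) for one multi-access network.

    Highest priority wins; equal priorities are broken by the higher router ID
    (assumption: RFC 2328 section 9.4, which the guide does not restate).
    A router already holding the DR or BDR role keeps it even when a router
    with a higher priority is present, as the guide states.  When the DR is
    gone, the BDR is promoted and the next-highest router becomes the BDR.
    """
    eligible = [r for r in routers if r.priority > 0]
    present = {r.name for r in eligible}

    def rank(r: OspfRouter) -> Tuple[int, Tuple[int, ...]]:
        return (r.priority, _rid_key(r.router_id))

    if current_dr in present:
        dr = current_dr                      # an existing DR is never preempted
    elif current_bdr in present:
        dr = current_bdr                     # the BDR takes over when the DR goes off-line
    else:
        dr = max(eligible, key=rank).name if eligible else None

    remaining = [r for r in eligible if r.name != dr]
    if current_bdr in {r.name for r in remaining}:
        bdr = current_bdr                    # an existing BDR is never preempted either
    else:
        bdr = max(remaining, key=rank).name if remaining else None
    return dr, bdr


def figure_159_walkthrough() -> List[Tuple[Optional[str], Optional[str]]]:
    """Replays Figure 159: fresh election, the DR goes off-line, the old DR returns."""
    a = OspfRouter("Router A", "10.0.0.1", 10)   # constructed router IDs
    b = OspfRouter("Router B", "10.0.0.2", 5)
    c = OspfRouter("Router C", "10.0.0.3", 20)
    first = elect_dr_bdr([a, b, c])                       # C becomes DR, A becomes BDR
    after_dr_loss = elect_dr_bdr([a, b], *first)          # A is promoted, B becomes BDR
    c_returns = elect_dr_bdr([a, b, c], *after_dr_loss)   # A and B keep their roles
    return [first, after_dr_loss, c_returns]
```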
OSPF overview
FIGURE 161 AS External LSA reduction (figure: an OSPF Autonomous System containing Routers A through F, with Router IDs 2.2.2.2 and 1.1.1.1 shown, connected to another routing domain such as BGP4 or RIP)
Routers D, E, and F are OSPF ASBRs and EBGP routers. Notice that both Router D and Router E have a route to the other routing domain through Router F.
OSPF overview
Algorithm for AS External LSA reduction
Figure 161 shows an example in which the normal AS External LSA reduction feature is in effect. The behavior changes under the following conditions:
• There is one ASBR advertising (originating) a route to the external destination, but one of the following happens:
  • A second ASBR comes on-line
  • A second ASBR that is already on-line begins advertising an equivalent route to the same destination.
OSPF overview When Appendix E is supported, the router generates the link state ID for a network as follows.
1. Does an LSA with the network address as its ID already exist?
• No – Use the network address as the ID.
• Yes – Go to step 2.
2. Compare the networks that have the same network address, to determine which network is more specific. The more specific network is the one that has more contiguous one bits in its network mask. For example, network 10.0.0.0 255.255.0.0 is more specific than network 10.
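The two-step link state ID assignment above carried through in code, as an added example that is not from the Brocade guide. The page's step 2 is cut off, so the rule for which network takes the address with its host bits set to one is taken from RFC 2328 Appendix E (marked as an assumption in the code); all addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple


def is_more_specific(mask_a: str, mask_b: str) -> bool:
    """True when mask_a has more contiguous one bits than mask_b (the guide's definition)."""
    a = ipaddress.IPv4Network(("0.0.0.0", mask_a)).prefixlen
    b = ipaddress.IPv4Network(("0.0.0.0", mask_b)).prefixlen
    return a > b


class LinkStateIdTable:
    """Link state IDs in use for summary/external LSAs, keyed by ID."""

    def __init__(self) -> None:
        self.by_id: Dict[str, ipaddress.IPv4Network] = {}
        # (old ID, new ID) of LSAs that had to be reoriginated under a new ID
        self.reoriginated: List[Tuple[str, str]] = []

    @staticmethod
    def _host_bits_set(net: ipaddress.IPv4Network) -> str:
        # network address with every host bit set to one (RFC 2328 Appendix E, assumption)
        return str(net.broadcast_address)

    def assign(self, address: str, mask: str) -> str:
        """Return the link state ID for address/mask, following the two-step rule."""
        new = ipaddress.IPv4Network((address, mask))
        plain = str(new.network_address)
        existing = self.by_id.get(plain)
        # Step 1: no LSA uses the network address as its ID, so use the address.
        if existing is None or existing == new:
            self.by_id[plain] = new
            return plain
        # Step 2: two networks share an address.  The more specific one (longer mask)
        # gets the address with its host bits set; the less specific keeps the plain address.
        if is_more_specific(str(new.netmask), str(existing.netmask)):
            lsid = self._host_bits_set(new)
            self.by_id[lsid] = new
            return lsid
        # The new network is less specific: it takes the plain address, and the existing,
        # more specific LSA must be reoriginated under the host-bits-set ID.
        moved = self._host_bits_set(existing)
        self.by_id[moved] = existing
        self.by_id[plain] = new
        self.reoriginated.append((plain, moved))
        return plain
```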
OSPF graceful restart Dynamic OSPF memory FastIron devices dynamically allocate memory for Link State Advertisements (LSAs) and other OSPF data structures. This eliminates overflow conditions and does not require a reload to change OSPF memory allocation. So long as the Layer 3 Switch has free (unallocated) dynamic memory, OSPF can use the memory. To display the current allocations of dynamic memory, use the show memory command.
Configuring OSPF
Perform the following steps to begin using OSPF on the router.
1. “Enabling OSPF on the router” on page 1236
2. “Assigning OSPF areas” on page 1237
3. “Assigning an area range (optional)” on page 1241
4. “Assigning interfaces to an area” on page 1242
5. “Defining redistribution filters” on page 1252
6. “Enabling route redistribution” on page 1258
7. “Modifying the OSPF standard compliance setting” on page 1268
NOTE OSPF is automatically enabled without a system reset.
Configuring OSPF
• Enable redistribution
• Change the LSA pacing interval
• Modify OSPF Traps generated
• Modify database overflow interval
Interface parameters:
• Assign interfaces to an area
• Define the authentication key for the interface
• Change the authentication-change interval
• Modify the cost for a link
• Modify the dead interval
• Modify MD5 authentication key parameters
• Modify the priority of the interface
• Modify the retransmit interval for the interface
• Modify the transit delay of th
Configuring OSPF When you enter the no router ospf command, the CLI displays a warning message such as the following.
Brocade(config-ospf-router)#no router ospf
router ospf mode now disabled. All ospf config data will be lost when writing to flash!
The Web Management Interface does not display a warning message.
Configuring OSPF • NSSA – The ASBR of an NSSA can import external route information into the area: - ASBRs redistribute (import) external routes into the NSSA as type 7 LSAs. Type-7 External LSAs are a special type of LSA generated only by ASBRs within an NSSA, and are flooded to all the routers within only that NSSA. - ABRs translate type 7 LSAs into type 5 External LSAs, which can then be flooded throughout the AS.
Configuring OSPF NOTE This feature applies only when the Layer 3 Switch is configured as an Area Border Router (ABR) for the area. To completely prevent summary LSAs from being sent to the area, disable the summary LSAs on each OSPF router that is an ABR for the area. This feature does not apply to Not-So-Stubby Areas (NSSAs). To disable summary LSAs for a stub area, enter commands such as the following.
Configuring OSPF
FIGURE 162 OSPF network containing an NSSA (figure: a RIP domain, FastIron Layer 3 Switches acting as OSPF ABR and internal ASBR, the OSPF Area 0 backbone, and NSSA area 1.1.1.1)
This example shows two routing domains, a RIP domain and an OSPF domain. The ASBR inside the NSSA imports external routes from RIP into the NSSA as Type-7 LSAs, which the ASBR floods throughout the NSSA. The ABR translates the Type-7 LSAs into Type-5 LSAs.
Configuring OSPF NOTE The Layer 3 Switch does not inject the default route into an NSSA by default. NOTE You can assign one area on a router interface. For example, if the system or chassis module has 16 ports, 16 areas are supported on the chassis or module. To configure additional parameters for OSPF interfaces in the NSSA, use the ip ospf area… command at the interface level of the CLI.
Configuring OSPF The parameter specifies the portions of the IP address that a route must contain to be summarized in the summary route. In the example above, all networks that begin with 193.45 are summarized into a single route. Assigning interfaces to an area Once you define OSPF areas, you can assign interfaces to the areas. All router ports must be assigned to one of the defined areas on an OSPF router.
Configuring OSPF Auth-change-wait-time: OSPF gracefully implements authentication changes to allow all routers to implement the change and thus prevent disruption to neighbor adjacencies. During the authentication-change interval, both the old and new authentication information is supported. The default authentication-change interval is 300 seconds (5 minutes). You can change the interval to a value from 0 through 14400 seconds.
Configuring OSPF Retransmit-interval: The time between retransmissions of link-state advertisements (LSAs) to adjacent routers for this interface. The value can be from 0 through 3600 seconds. The default is 5 seconds. Transit-delay: The time it takes to transmit Link State Update packets on this interface. The value can be from 0 through 3600 seconds. The default is 1 second.
Configuring OSPF Changing the timer for OSPF authentication changes When you make an OSPF authentication change, the software uses the authentication-change timer to gracefully implement the change. The software implements the change in the following ways: • Outgoing OSPF packets – After you make the change, the software continues to use the old authentication to send packets, during the remainder of the current authentication-change interval.
Configuring OSPF
NOTE You cannot block LSAs on virtual links.
To apply a filter to an OSPF interface to block flooding of outbound LSAs on the interface, enter the following commands at the Interface configuration level for that interface.
Brocade(config-if-1/1)#ip ospf database-filter all out
Brocade(config-if-1/1)#clear ip ospf all
The first command in this example blocks all outbound LSAs on the OSPF interface configured on port 1/1.
Configuring OSPF For example, to configure the feature in a network with three routers connected by a hub or switch, each router must have the linking interface configured as a non-broadcast interface, and both of the other routers must be specified as neighbors. The output of the show ip ospf interface command has been enhanced to display information about non-broadcast interfaces and neighbors that are configured in the same subnet.
Configuring OSPF
NOTE When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link).
FIGURE 163 Defining OSPF virtual links within a network (figure: FastIronC in OSPF Area 0, OSPF Area 1 as the “transit area”, and FastIronA and FastIronB in OSPF Area 2; Router IDs 209.157.22.1 and 10.0.0.1 are shown)
Example
Figure 163 shows an OSPF area border router, FastIronA, that is cut off from the backbone area (area 0).
Configuring OSPF The area | parameter specifies the transit area. The parameter specifies the router ID of the OSPF router at the remote end of the virtual link. To display the router ID on a Brocade Layer 3 Switch, enter the show ip command. Refer to “Modifying virtual link parameters” on page 1249 for descriptions of the optional parameters. Modifying virtual link parameters OSPF has some parameters that you can modify for virtual links.
Configuring OSPF The range for the key activation wait time is from 0 through 14400 seconds. The default value is 300 seconds. Hello Interval: The length of time between the transmission of hello packets. The range is 1 through 65535 seconds. The default is 10 seconds. Retransmit Interval: The interval between the re-transmission of link state advertisements to router adjacencies for this interface. The range is 0 through 3600 seconds. The default is 5 seconds.
Configuring OSPF Changing the reference bandwidth for the cost on OSPF interfaces Each interface on which OSPF is enabled has a cost associated with it. The Layer 3 Switch advertises its interfaces and their costs to OSPF neighbors. For example, if an interface has an OSPF cost of ten, the Layer 3 Switch advertises the interface with a cost of ten to other OSPF routers. By default, an interface OSPF cost is based on the port speed of the interface.
Configuring OSPF NOTE If you specify the cost for an individual interface, the cost you specify overrides the cost calculated by the software. Interface types to which the reference bandwidth does not apply Some interface types are not affected by the reference bandwidth and always have the same cost regardless of the reference bandwidth in use: • The cost of a loopback interface is always 0.
Configuring OSPF NOTE The Layer 3 Switch advertises the default route into OSPF even if redistribution is not enabled, and even if the default route is learned through an IBGP neighbor. IBGP routes (including the default route) are not redistributed into OSPF by OSPF redistribution (for example, by the OSPF redistribute command).
Configuring OSPF Example of redefining distribution filters To configure the FastIron Layer 3 Switch acting as an ASBR in Figure 164 to redistribute OSPF, BGP4, and static routes into RIP, enter the following commands.
Configuring OSPF NOTE Do not enable redistribution until you have configured the redistribution filters. If you enable redistribution before you configure the redistribution filters, the filters will not take effect and all routes will be distributed. Preventing specific OSPF routes from being installed in the IP route table By default, all OSPF routes in the OSPF route table are eligible for installation in the IP route table.
Configuring OSPF The first three commands configure a standard ACL that denies routes to any 4.x.x.x destination network and allows all other routes for eligibility to be installed in the IP route table. The last three commands change the CLI to the OSPF configuration level and configure an OSPF distribution list that uses the ACL as input. The distribution list prevents routes to any 4.x.x.x destination network from entering the IP route table.
Configuring OSPF
Using an extended ACL as input to the distribution list
You can use an extended ACL with an OSPF distribution list to filter OSPF routes based on the network mask of the destination network. To use an extended ACL to configure an OSPF distribution list for denying specific routes, enter commands such as the following.
Brocade(config)#ip access-list extended no_ip
Brocade(config-ext-nACL)#deny ip 4.0.0.0 0.255.255.255 255.255.0.0 0.0.255.
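The distribution-list evaluation the standard and extended ACLs above perform, as an added example that is not code from the Brocade guide: a standard entry matches only the destination network, an extended entry also matches the route's network mask, and 1 bits in a wildcard are don't-care bits. Both ACLs below are constructed (the mask wildcard 0.0.255.255 continues the page's truncated entry and is an assumption), as is the implicit deny at the end of an ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    net: str                          # destination network to match, e.g. "4.0.0.0"
    wildcard: str                     # 1 bits are don't-care, e.g. "0.255.255.255"
    mask_net: Optional[str] = None    # extended ACL only: the route's network mask to match
    mask_wildcard: Optional[str] = None


def _wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """True when value equals pattern on every bit the wildcard does not mark don't-care."""
    v = int(ipaddress.IPv4Address(value))
    p = int(ipaddress.IPv4Address(pattern))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (v & care) == (p & care)


def route_permitted(dest: str, mask: str, acl: List[AclEntry]) -> bool:
    """First matching entry decides; no match means deny (assumed implicit deny)."""
    for entry in acl:
        if not _wildcard_match(dest, entry.net, entry.wildcard):
            continue
        if entry.mask_net is not None and not _wildcard_match(
                mask, entry.mask_net, entry.mask_wildcard or "0.0.0.0"):
            continue
        return entry.action == "permit"
    return False


def apply_distribute_list(routes: List[Tuple[str, str]],
                          acl: List[AclEntry]) -> List[Tuple[str, str]]:
    """The (destination, mask) routes the distribution list lets into the IP route table."""
    return [r for r in routes if route_permitted(r[0], r[1], acl)]


# Constructed: the standard ACL the guide describes (deny 4.x.x.x, permit everything else).
STANDARD_NO_IP = [
    AclEntry("deny", "4.0.0.0", "0.255.255.255"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255"),            # "permit any"
]

# Constructed: an extended ACL that denies 4.x.x.x routes only when their mask is
# 255.255.x.x, i.e. a /16 or longer; the mask wildcard 0.0.255.255 is an assumption.
EXTENDED_NO_IP = [
    AclEntry("deny", "4.0.0.0", "0.255.255.255", "255.255.0.0", "0.0.255.255"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255",
             "0.0.0.0", "255.255.255.255"),                      # "permit ip any any"
]
```

With the extended ACL, a summary such as 4.0.0.0 255.0.0.0 still enters the route table while the more specific 4.x.x.x routes are kept out; the standard ACL blocks all of them.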
Configuring OSPF NOTE If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in “/” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.
Configuring OSPF
Example using a route map
To configure a route map and use it for redistribution of routes into OSPF, enter commands such as the following.
Brocade(config)#ip route 1.1.0.0 255.255.0.0 207.95.7.30
Brocade(config)#ip route 1.2.0.0 255.255.0.0 207.95.7.30
Brocade(config)#ip route 1.3.0.0 255.255.0.0 207.95.7.30
Brocade(config)#ip route 4.1.0.0 255.255.0.0 207.95.6.30
Brocade(config)#ip route 4.2.0.0 255.255.0.0 207.95.6.30
Brocade(config)#ip route 4.3.0.0 255.255.0.0 207.95.6.
Configuring OSPF NOTE When you use a route map for route redistribution, the software disregards the permit or deny action of the route map. NOTE For an external route that is redistributed into OSPF through a route map, the metric value of the route remains the same unless the metric is set by a set metric command inside the route map. The default-metric command has no effect on the route. This behavior is different from a route that is redistributed without using a route map.
Configuring OSPF
FIGURE 165 Example OSPF network with four equal-cost paths (figure: OSPF Area 0 containing routers R1, R3, R4, R5 and R6, hosts H1 through H4, and the FastIron switch)
In the example in Figure 165, the Brocade switch has four paths to R1:
• FI->R3
• FI->R4
• FI->R5
• FI->R6
Normally, the Brocade switch will choose the path to the R1 with the lower metric. For example, if R3 metric is 1400 and R4 metric is 600, the Brocade switch will always choose R4. However, suppose the metric is the same for all four routers in this example.
Configuring OSPF Configuring external route summarization When the Layer 3 Switch is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to advertise one external route as an aggregate for all redistributed routes that are covered by a specified address range. When you configure an address range, the range takes effect immediately. All the imported routes are summarized according to the configured address range.
Configuring OSPF To display the configured summary addresses, use the show ip ospf config command at any level of the CLI. The summary addresses display at the bottom of the output as shown in the following example.
Brocade#show ip ospf config
some lines omitted for brevity...
OSPF Redistribution Address Ranges currently defined:
Range-Address  Subnetmask
1.0.0.0        255.0.0.0
1.0.1.0        255.255.255.0
1.0.2.0        255.255.255.
Configuring OSPF To disable the feature, enter the no default-information-originate command.
Brocade(config-ospf-router)#no default-information-originate
Syntax: [no] default-information-originate [always] [metric ] [metric-type ]
The always parameter advertises the default route regardless of whether the router has a default route. This option is disabled by default. The metric parameter specifies a metric for the default route.
Configuring OSPF Modifying the redistribution metric type The redistribution metric type is used by default for all routes imported into OSPF unless you specify different metrics for individual routes using redistribution filters. Type 2 specifies a big metric (three bytes). Type 1 specifies a small metric (two bytes). The default value is type 2. To modify the default value to type 1, enter the following command.
Configuring OSPF The external | inter-area | intra-area parameter specifies the route type for which you are changing the default administrative distance. The parameter specifies the new distance for the specified route type. Unless you change the distance for one of the route types using commands such as those shown above, the default is 110. To reset the administrative distance to its system default (110), enter a command such as the following.
Configuring OSPF Syntax: [no] snmp-server trap ospf To later re-enable the trap feature, enter snmp-server trap ospf. To disable a specific OSPF trap, enter the command as no snmp-server trap ospf . These commands are at the OSPF router level of the CLI.
Configuring OSPF For example, to specify that all OSPF-related Syslog messages be logged, enter the following commands.
Brocade(config)#router ospf
Brocade(config-ospf-router)#log all
Syntax: [no] log all | adjacency | bad_packet [checksum] | database | memory | retransmit
The all option causes all OSPF-related Syslog messages to be logged. If you later disable this option with the no log all command, the OSPF logging options return to their default settings.
Configuring OSPF Configuring an OSPF point-to-point link In an OSPF point-to-point link, a direct Layer 3 connection exists between a single pair of OSPF routers, without the need for Designated and Backup Designated routers. In a point-to-point link, neighboring routers become adjacent whenever they can communicate directly.
Clearing OSPF information
Configuring the OSPF graceful restart time
Use the following commands to specify the maximum amount of time advertised to a neighbor router to maintain routes from and forward traffic to a restarting router.
Brocade(config)#router ospf
Brocade(config-ospf-router)#graceful-restart restart-time 120
Syntax: [no] graceful-restart restart-time
The variable sets the maximum restart wait time advertised to neighbors. Possible values are from 10 through 1800 seconds.
Clearing OSPF information This command clears all OSPF neighbors and the OSPF routes exchanged with the neighbors in the Brocade OSPF link state database. After this information is cleared, adjacencies with all neighbors are re-established, and routes are exchanged with these neighbors again. To clear information on the Brocade device about OSPF neighbor 10.10.10.1, enter the following command.
Brocade#clear ip ospf neighbor ip 10.10.10.
Displaying OSPF information To clear information on the Brocade device about OSPF area 1, enter the following command.
Brocade#clear ip ospf area 1
This command clears information about the specified area ID. Information about other OSPF areas is not affected. The command clears information about all OSPF neighbors belonging to the specified area, as well as all routes imported into the specified area.
Displaying OSPF information RFC 1583 Compatibility: Enabled Router id: 192.85.2.
Displaying OSPF information
Brocade#show process cpu
Process Name  5Sec(%)  1Min(%)  5Min(%)  15Min(%)
ARP           0.01     0.03     0.09     0.22
BGP           0.04     0.06     0.08     0.14
GVRP          0.00     0.00     0.00     0.00
ICMP          0.00     0.00     0.00     0.00
IP            0.00     0.00     0.00     0.00
OSPF          0.03     0.06     0.09     0.12
RIP           0.00     0.00     0.00     0.00
STP           0.00     0.00     0.00     0.00
VRRP          0.00     0.00     0.00     0.
Displaying OSPF information
Displaying OSPF area information
To display OSPF area information, enter the show ip ospf area command at any CLI level.
Brocade#show ip ospf area
Indx  Area          Type    Cost  SPFR  ABR  ASBR  LSA  Chksum(Hex)
1     0.0.0.0       normal  0     1     0    0     1    0000781f
2     192.147.60.0  normal  0     1     0    0     1    0000fee6
3     192.147.80.0  stub    1     1     0    0     2    000181cd
Syntax: show ip ospf area [] | []
The parameter shows information for the specified area.
Displaying OSPF information
Brocade#show ip ospf neighbor detail
Port     Address   Pri  State     Neigh Address  Neigh ID     Ev  Op  Cnt
9/1      20.2.0.2  1    FULL/DR   20.2.0.1       2.2.2.2      6   2   0
         Second-to-dead:39
10/1     20.3.0.2  1    FULL/BDR  20.3.0.1       3.3.3.3      5   2   0
         Second-to-dead:36
1/1-1/8  23.5.0.1  1    FULL/DR   23.5.0.2       16.16.16.16  6   2   0
         Second-to-dead:33
2/1-2/2  23.2.0.1  1    FULL/DR   23.2.0.2       15.15.15.
         Second-to-dead:33
Displaying OSPF information TABLE 214 CLI display of OSPF neighbor information (Continued) Field Description State The state of the conversation between the Layer 3 Switch and the neighbor. This field can have one of the following values: • Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor. • Attempt – This state is only valid for neighbors attached to non-broadcast networks.
Displaying OSPF information
Displaying OSPF interface information
To display OSPF interface information, enter the show ip ospf interface command at any CLI level.
Brocade#show ip ospf interface 192.168.1.1
Ethernet 2/1,OSPF enabled
IP Address 192.168.1.1, Area 0
OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1
Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
DR: Router ID 0.0.0.0 Interface Address 0.0.0.0
BDR: Router ID 0.0.0.0 Interface Address 0.0.0.
Displaying OSPF information
TABLE 215 Output of the show ip ospf interface command (Continued)
Field  Definition
Events  OSPF Interface Event:
• Interface_Up = 0x00
• Wait_Timer = 0x01
• Backup_Seen = 0x02
• Neighbor_Change = 0x03
• Loop_Indication = 0x04
• Unloop_Indication = 0x05
• Interface_Down = 0x06
• Interface_Passive = 0x07
Adjacent Neighbor Count  The number of adjacent neighbor routers.
Neighbor:  The neighbor router ID.
Displaying OSPF information
TABLE 216 CLI Display of OSPF route information (Continued)
Field  Definition
Path_Type  The type of path, which can be one of the following:
• Inter – The path to the destination passes into another area.
• Intra – The path to the destination is entirely within the local area.
• External1 – The path to the destination is a type 1 external route.
• External2 – The path to the destination is a type 2 external route.
Displaying OSPF information The parameter specifies a network prefix and network mask. Here is an example.
Brocade#show ip ospf redistribute route 3.1.0.0 255.255.0.0
3.1.0.0 255.255.0.0 static
Displaying OSPF external link state information
To display external link state information, enter the show ip ospf database external-link-state command at any CLI level.
Displaying OSPF information This OSPF external link state display shows the following information. TABLE 217 CLI display of OSPF external link state information Field Definition Area ID The OSPF area the router is in. Aging The age of the LSA, in seconds. LS ID The ID of the link-state advertisement from which the Layer 3 Switch learned this route. Router The router IP address. Seq(hex) The sequence number of the LSA.
Displaying OSPF information The status option shows status information. The summary option shows summary information.
Displaying the data in an LSA
You can use the CLI to display the data the Layer 3 Switch received in a specific External LSA packet or other type of LSA packet. For example, to display the LSA data in entry 3 in the External LSA table, enter the following command.
Brocade#show ip ospf database external-link-state advertise 3
Index  Aging  LS ID  Router  Netmask  Metric  Flag
3      619    1.27.
Displaying OSPF virtual link information
To display OSPF virtual link information, enter the show ip ospf virtual-link command at any CLI level.
Brocade#show ip ospf virtual-link
Syntax: show ip ospf virtual-link []
The parameter displays the table beginning at the specified entry number.
Displaying OSPF ABR and ASBR information
To display OSPF ABR and ASBR information, enter the show ip ospf border-routers command at any CLI level.
Displaying OSPF graceful restart information
To display OSPF graceful restart information for OSPF neighbors, use the show ip ospf neighbors command.
Brocade#show ip ospf neighbors
Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt
2/7 50.50.50.10 0 FULL/OTHER 50.50.50.1 10.10.10.30 21 66 0
< in graceful restart state, helping 1, timer 60 sec >
Syntax: show ip ospf neighbor
Use the following command to display Type 9 grace LSAs on a Brocade Layer 3 switch.
Chapter 32 OSPF version 3 (IPv6)
Table 219 lists the individual Brocade FastIron switches and the Open Shortest Path First (OSPF) version 3 (IPv6) features they support. These features are supported with premium IPv6 devices running the full Layer 3 software image.
Differences between OSPF V2 and OSPF V3
• How to configure OSPF Version 3.
• How to display OSPF Version 3 information and statistics.
NOTE
The terms Layer 3 Switch and router are used interchangeably in this chapter and mean the same thing.
Differences between OSPF V2 and OSPF V3
IPv6 supports OSPF V3 functions similarly to OSPF V2 (the current version that IPv4 supports), except for the following enhancements:
• Support for IPv6 addresses and prefixes.
OSPF V3 configuration
To configure OSPF V3, you must perform the following tasks:
1. “Enabling OSPF V3” on page 1289
2. “Assigning OSPF V3 areas” on page 1290
3. “Assigning interfaces to an area” on page 1291
The following configuration tasks are optional:
• Configure a virtual link between an ABR without a physical connection to a backbone area and the Brocade device in the same area with a physical connection to the backbone area.
The CLI displays a warning message such as the following.
Brocade(config-ospf6-router)#no ipv6 router ospf
ipv6 router ospf mode now disabled. All ospf config data will be lost when writing to flash!
If you have disabled the protocol but have not yet saved the configuration to the startup-config file and reloaded the software, you can restore the configuration information by re-entering the command to enable the protocol (for example, ipv6 router ospf).
This feature disables origination of summary LSAs into a stub area, but the Brocade device still accepts summary LSAs from OSPF neighbors and floods them to other areas. The Brocade device can form adjacencies with other routers regardless of whether summarization is enabled or disabled for areas on each router. When you disable the summary LSAs, the change takes effect immediately.
• The transit area ID represents the shared area of the two ABRs and serves as the connection point between the two routers. This number should match the area ID value.
• When assigned from the router interface requiring a logical connection, the neighbor router field is the router ID (IPv4 address) of the router that is physically connected to the backbone.
The ethernet | loopback | tunnel | ve parameter specifies the interface from which the router derives the source IPv6 address for communication across the virtual link. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a loopback, tunnel, or VE interface, also specify the number associated with the respective interface. To delete the source address for the virtual link, use the no form of this command.
Changing the reference bandwidth for the cost on OSPF V3 interfaces
Each interface on which OSPF V3 is enabled has a cost associated with it. The Brocade device advertises its interfaces and their costs to OSPF V3 neighbors. For example, if an interface has an OSPF cost of ten, the Brocade device advertises the interface with a cost of ten to other OSPF routers. By default, an interface's OSPF cost is based on the port speed of the interface.
• 155 Mbps port cost = 500/155 = 3.23, which is rounded up to 4
• 622 Mbps port cost = 500/622 = 0.80, which is rounded up to 1
• 2488 Mbps port cost = 500/2488 = 0.20, which is rounded up to 1
The costs for 10 Mbps, 100 Mbps, and 155 Mbps ports change as a result of the changed reference bandwidth. Costs for higher-speed interfaces remain the same.
The metric-type parameter specifies an OSPF metric type for the redistributed route. You can specify external type 1 or external type 2. If a value is not specified for this option, the Brocade device uses the value specified by the metric-type command.
NOTE
When you use a route map for route redistribution, the software disregards the permit or deny action of the route map.
NOTE
For an external route that is redistributed into OSPF V3 through a route map, the metric value of the route remains the same unless the metric is set by a set metric command inside the route map or the default-metric command.
External route summarization
When the Brocade device is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to advertise one external route as an aggregate for all redistributed routes that are covered by a specified IPv6 address range. When you configure an address range, the range takes effect immediately. All the imported routes are summarized according to the configured address range.
Filtering OSPF V3 routes
You can filter the routes to be placed in the OSPF V3 route table by configuring distribution lists. OSPF V3 distribution lists can be applied globally or to an interface. The functionality of OSPF V3 distribution lists is similar to that of OSPFv2 distribution lists.
After this distribution list is configured, route 3010::/64 would be omitted from the OSPF V3 route table.
Brocade#show ipv6 ospf route
Current Route count: 4
Intra: 3 Inter: 0 External: 1 (Type1 0/Type2 1)
Equal-cost multi-path: 0
Destination Options Area Next Hop Router Outgoing Interface
*IA 3001::/64 --------- 0.0.0.1 :: ve 10
*IA 3015::/64 V6E---R-- 0.0.0.0 fe80::2e0:52ff:fe00:10 ve 10
*IA 3020::/64 --------- 0.0.0.0 :: ve 11
*E2 6001:5000::/64 --------- 0.0.0.
Configuring an OSPF V3 distribution list using a route map as input
The following commands configure a route map that matches internal routes.
Brocade(config)#route-map allowInternalRoutes permit 10
Brocade(config-routemap allowInternalRoutes)#match route-type internal
Refer to “Policy-Based Routing” for information on configuring route maps.
The following commands configure a distribution list that applies the allowInternalRoutes route map globally to OSPF V3 routes.
NOTE
The default action rule for route-map is to deny all routes that are not explicitly permitted. If you configure a “deny” route map but want to permit other routes that do not match the rule, configure an “empty” permit route map. For example:
Brocade(config)#route-map abc deny 10
Brocade(config-routemap abc)#match metric 20
Brocade(config-routemap abc)#route-map abc permit 20
Without the last line in the above example, all routes would be denied.
The metric-type parameter specifies the external link type associated with the default route advertised into the OSPF routing domain. The can be one of the following:
• 1 – Type 1 external route
• 2 – Type 2 external route
If you do not use this option, the default redistribution metric type is used for the route type.
NOTE
If you specify a metric and metric type, the values you specify are used even if you do not use the always option.
Administrative distance
The Brocade device can learn about networks from various protocols, including IPv6, RIPng, and OSPF V3. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. By default, the administrative distance for OSPF V3 routes is 110. The device selects one route over another based on the source of the route information. To do so, the device can use the administrative distances assigned to the sources.
Configuring the OSPF V3 LSA pacing interval
The Brocade device paces OSPF V3 LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA refresh timer expires. The accumulated LSAs constitute a group, which the Brocade device refreshes and sends out together in one or more packets.
Brocade(config-ospf6-router)#external-lsdb-limit 3000
Syntax: ipv6 ospf area |
The parameter can be a numerical value from 500 – 8000 seconds.
To reset the maximum number of entries to its system default, enter the no form of this command.
Modifying OSPF V3 interface defaults
OSPF V3 has interface parameters that you can configure. For simplicity, each of these parameters has a default value.
• Transmit-delay: The time it takes to transmit Link State Update packets on this interface. The command syntax is ipv6 ospf transmit-delay . The value can be from 0 – 3600 seconds. The default is 1 second.
Disabling or re-enabling event logging
OSPF V3 does not currently support the generation of SNMP traps. Instead, you can disable or re-enable the logging of OSPF V3-related events such as neighbor state changes and database overflow conditions.
Among the entities that can have IPsec protection, the interfaces and areas can overlap. The interface IPsec configuration takes precedence over the area IPsec configuration when an area and an interface within that area use IPsec. Therefore, if you configure IPsec for an interface and an area configuration also exists that includes this interface, the interface’s IPsec configuration is used by that interface.
General considerations when configuring IPsec for OSPFv3
The IPsec component generates security associations and security policies based on certain user-specified parameters. The parameters are described with the syntax of each command in this section and also pointed out in the section with the show command examples, “IPsec examples” on page 1334.
The area-wide SPI that you specify is a constant for all interfaces in the area that use the area IPsec, but the use of different interfaces results in an SPDID and an SA that are unique to each interface. (Recall from “IPSec for OSPFv3” on page 1307 that the security policy database depends partly on the source IP address, so a unique SPD for each interface results.)
The ospf keyword identifies OSPFv3 as the protocol to receive IPsec security. The authentication keyword enables authentication. The ipsec keyword specifies IPsec as the authentication protocol. The spi keyword and the variable specify the security parameter that points to the security association. The near-end and far-end values for spinum must be the same. The range for is decimal 256 – 4294967295.
The authentication keyword specifies that the function to specify for the area is packet authentication. The ipsec keyword specifies that IPsec is the protocol that authenticates the packets. The spi keyword and the variable specify the index that points to the security association. The near-end and far-end values for spinum must be the same. The range for is decimal 256 – 4294967295.
The spi keyword and the variable specify the index that points to the security association. The near-end and far-end values for spinum must be the same. The range for is decimal 256 – 4294967295. The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to provide packet-level security. In the current release, this parameter can be esp only. The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm.
Displaying OSPF V3 Information
Clearing IPsec statistics
This section describes the clear ipsec statistics command for clearing statistics related to IPsec. The command resets to 0 the counters (which you can view as a part of IPSecurity Packet Statistics). The counters hold IPsec packet statistics and IPsec error statistics. The following example illustrates the show ipsec statistics output.
Displaying OSPF V3 area information
To display global OSPF V3 area information for the Brocade device, enter the following command at any CLI level.
Brocade#show ipv6 ospf area
Area 0:
Interface attached to this area: loopback 2 ethe 3/2 tunnel 2
Number of Area scoped LSAs is 6
Statistics of Area 0:
SPF algorithm executed 16 times
SPF last updated: 335256 sec ago
Current SPF node count: 3
Router: 2 Network: 1
Maximum of Hop count to nodes: 2
...
Displaying OSPF V3 database information
You can display a summary of the link state database or detailed information about a specified LSA type. To display a summary of a device link state database, enter the show ipv6 ospf database command at any CLI level.
Brocade#show ipv6 ospf database
Area ID Type LS ID Adv Rtr
0 Link 000001e6 223.223.223.223
0 Link 000000d8 1.1.1.1
0 Link 00000185 223.223.223.223
0 Iap 00000077 223.223.223.223
0 Rtr 00000124 223.223.223.
This display shows the following information.
TABLE 221 OSPF V3 database summary fields
Field  Description
Area ID: The OSPF area in which the Brocade device resides.
Type: Type of LSA. LSA types can be the following:
• Rtr – Router LSAs (Type 1).
• Net – Network LSAs (Type 2).
• Inap – Inter-area prefix LSAs for ABRs (Type 3).
• Inar – Inter-area router LSAs for ASBRs (Type 4).
• Extn – AS external LSAs (Type 5).
• Link – Link LSAs (Type 8).
Brocade#show ipv6 ospf database extensive
Area ID Type LS ID Adv Rtr Seq(Hex) Age
0 Link 00000031 1.1.1.1 80000001 35
Router Priority: 1
Options: V6E---R-
LinkLocal Address: fe80::1
Number of Prefix: 1
Prefix Options:
Prefix: 3002::/64
...
Area ID Type LS ID Adv Rtr Seq(Hex) Age
0 Iap 00000159 223.223.223.223 800000ab 357
Number of Prefix: 2
Referenced LS Type: Network
Referenced LS ID: 00000159
Referenced Advertising Router: 223.223.223.
The fields that display depend upon the LSA type as shown in the following table.
TABLE 222 OSPF V3 detailed database information fields
Field  Description
Router LSA (Type 1) (Rtr) fields
Capability Bits: A bit that indicates the capability of the Brocade device. The bit can be set to one of the following:
• B – The device is an area border router.
• E – The device is an AS boundary router.
• V – The device is a virtual link endpoint.
TABLE 222 OSPF V3 detailed database information fields (Continued)
Field  Description
Network LSA (Type 2) (Net) fields
Options: A 24-bit field that enables IPv6 OSPF routers to support the optional capabilities. When set, the following bits indicate the following:
• V6 – The device should be included in IPv6 routing calculations.
• E – The device floods AS-external-LSAs as described in RFC 2740.
• MC – The device forwards multicast packets as described in RFC 1586.
TABLE 222 OSPF V3 detailed database information fields (Continued)
Field  Description
Prefix Options: An 8-bit field of capabilities that serve as input to various routing calculations:
• NU – The prefix is excluded from IPv6 unicast calculations.
• LA – The prefix is an IPv6 interface address of the advertising router.
• MC – The prefix is included in IPv6 multicast routing calculations.
Prefix: The IPv6 prefix included in the LSA.
This display shows the following information.
TABLE 223 Summary of OSPF V3 interface information
Field  Description
Interface: The interface type, and the port number or number of the interface.
OSPF: The state of OSPF V3 on the interface. Possible states include the following:
• Enabled.
• Disabled.
Status: The status of the link. Possible status include the following:
• Up.
• Down.
State: The state of the interface.
Area
This display shows the following information.
TABLE 224 Detailed OSPF V3 interface information
Field  Description
Interface status: The status of the interface. Possible status includes the following:
• Up.
• Down.
Type: The type of OSPF V3 circuit running on the interface. Possible types include the following:
• BROADCAST
• POINT TO POINT
• UNKNOWN
IPv6 Address: The IPv6 address(es) assigned to the interface.
Instance ID: An identifier for an instance of OSPF V3.
TABLE 224 Detailed OSPF V3 interface information (Continued)
Field  Description
Neighbor: The router ID (IPv4 address) of the neighbor. This field also identifies the neighbor as a DR or BDR, if appropriate.
Interface statistics: The following statistics are provided for the interface:
Unknown – The number of Unknown packets transmitted and received by the interface. Also, the total number of bytes associated with transmitted and received Unknown packets.
This display shows the following information.
TABLE 225 OSPF V3 memory usage information
Field  Description
Total Static Memory Allocated: A summary of the amount of static memory allocated, in bytes, to OSPF V3.
Total Dynamic Memory Allocated: A summary of the amount of dynamic memory allocated, in bytes, to OSPF V3.
Memory Type: The type of memory used by OSPF V3. (This information is for use by Brocade technical support in case of a problem.)
TABLE 226 Summary of OSPF V3 neighbor information (Continued)
Field  Description
BDR: The router ID (IPv4 address) of the BDR.
Interface [State]: The interface through which the router is connected to the neighbor. The state of the interface can be one of the following:
• DR – The interface is functioning as the Designated Router for OSPF V3.
• BDR – The interface is functioning as the Backup Designated Router for OSPF V3.
TABLE 227 Detailed OSPF V3 neighbor information (Continued)
Field  Description
DbDesc bit...: The Database Description packet, which includes 3 bits of information:
• The first bit can be “i” or “-”. “i” indicates the inet bit is set. “-” indicates the inet bit is not set.
• The second bit can be “m” or “-”. “m” indicates the more bit is set. “-” indicates the more bit is not set.
• The third bit can be “m” or “s”. An “m” indicates the master. An “s” indicates standby.
Brocade#show ipv6 ospf redistribute route
Id Prefix Protocol Metric Type Metric
1 2002::/16 Static Type-2 1
2 2002:1234::/32 Static Type-2 1
Syntax: show ipv6 ospf redistribute route []
The parameter specifies an IPv6 network prefix. (You do not need to specify the length of the prefix.)
Brocade#show ipv6 ospf routes
Current Route count: 4
Intra: 4 Inter: 0 External: 0 (Type1 0/Type2 0)
Equal-cost multi-path: 0
Destination Options Area Next Hop Router Outgoing Interface
*IA 2000:4::/64 V6E---R-- 0.0.0.0 :: ethe 3/2
*IA 2002:c0a8:46a::/64 V6E---R-- 0.0.0.0 :: ethe 3/2
*IA 2999::1/128 --------- 0.0.0.0 :: loopback 2
*IA 2999::2/128 V6E---R-- 0.0.0.
TABLE 229 OSPF V3 route information (Continued)
Field  Description
Options: A 24-bit field that enables IPv6 OSPF routers to support the optional capabilities. When set, the following bits indicate the following:
• V6 – The device should be included in IPv6 routing calculations.
• E – The device floods AS-external-LSAs as described in RFC 2740.
• MC – The device forwards multicast packets as described in RFC 1586.
• N – The device handles type 7 LSAs as described in RFC 1584.
Syntax: show ipv6 ospf spf node area []
The node keyword displays SPF node information.
The area parameter specifies a particular area. You can specify the in the following formats:
• As an IPv4 address; for example, 192.168.1.1.
• As a numerical value from 0 – 2,147,483,647.
This display shows the following information.
TABLE 231 OSPF V3 SPF table
Field  Description
Destination: The destination of a route, which is identified by the following:
• “R”, which indicates the destination is a router, or “N”, which indicates the destination is a network.
• An SPF node router ID (IPv4 address). If the node is a child node, it is additionally identified by an interface on which the node can be reached appended to the router ID in the format :.
Displaying IPv6 OSPF virtual link information
To display OSPF V3 virtual link information for the Brocade device, enter the show ipv6 ospf virtual-link command at any level of the CLI.
Brocade#show ipv6 ospf virtual-link
Index Transit Area ID Router ID Interface Address State
1 1 1.1.1.1 3003::2 P2P
Syntax: show ipv6 ospf virtual-link
This display shows the following information.
TABLE 233 OSPF V3 virtual neighbor information (Continued)
Field  Description
State: The state between the Brocade device and the virtual neighbor. The state can be one of the following:
• Down
• Attempt
• Init
• 2-Way
• ExStart
• Exchange
• Loading
• Full
Interface: The IPv6 address of the virtual neighbor.
IPsec examples
This section contains examples of IPsec configuration and the output from the IPsec-specific show commands.
Showing IPsec policy
The show ipsec policy command displays the database for the IPSec security policies. The fields for this show command output appear in the screen output example that follows. However, you should understand the layout and column headings for the display before trying to interpret the information in the example screen.
TABLE 234 IPsec policy information (Continued)
Field  Description
Source: The source address consists of the IPv6 prefix and the TCP or UDP port identifier.
Destination: The destination address consists of the IPv6 prefix. Certain logical elements have a bearing on the meaning of the destination address and its format, as follows: For IPsec on an interface or area, the destination address is shown as a prefix of 0xFE80 (link local).
Syntax: show ipsec statistics
This command takes no parameters.
Displaying IPsec configuration for an area
The show ipv6 ospf area [] command includes information about IPsec for one area or all areas. In the example that follows, the IPsec information is in bold. IPsec is enabled in the first area (area 0) in this example but not in area 3. Note that in area 3, the IPsec key was specified as not encrypted.
TABLE 236 Area configuration of IPsec (Continued)
Field  Description
New: Shows new SPI (if changed), authentication algorithm (currently ESP only), encryption algorithm (currently SHA1 only), and the new key.
Old: Shows old SPI (if changed), authentication algorithm (currently ESP only), encryption algorithm (currently SHA1 only), and the old key.
TABLE 237 Area configuration of IPsec
Field  Description
Authentication: This field shows whether or not authentication is configured. If this field says “Not Configured,” the IPsec-related fields (bold in example screen output) are not displayed at all.
KeyRolloverTime: The number of seconds between each initiation of a key rollover. This field shows the configured and current times.
Syntax: show ipv6 ospf virtual-link [brief]
The optional [brief] keyword limits the display to the Transit, Area ID, Router ID, Interface Address, and State fields for each link.
Changing a key
In this example, the key is changed as illustrated in the two command lines that follow. Note that the SPI value is changed from 300 to 310 to comply with the requirement that you change the SPI when you change the key. Initial configuration command.
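The OSPFv3 IPsec rules this chapter states (SPI range 256 – 4294967295, near-end and far-end SPI equal, interface IPsec overriding area IPsec, a new SPI whenever the key changes, HMAC-SHA1-96 as the authentication algorithm) are modelled below as an added example; this is not Brocade code. The 40-hex-digit key format and the raw-bytes packet representation are assumptions, not taken from the guide.

```python
# Added example (not Brocade code): a model of the OSPFv3 IPsec parameters the
# guide describes, plus the HMAC-SHA1-96 integrity check ESP applies per packet.
# Assumed (not stated on the page): the key is entered as 40 hex digits (a
# 160-bit HMAC-SHA1 key) and OSPFv3 packets are handled as plain byte strings.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

SPI_MIN, SPI_MAX = 256, 4294967295  # SPI range given in the guide
ICV_LEN = 12                        # HMAC-SHA1-96: keep 96 bits of the 160-bit HMAC
KEY_HEX_LEN = 40                    # assumption: 160-bit key written as 40 hex digits


@dataclass(frozen=True)
class IpsecPolicy:
    """One security association: an SPI plus the HMAC-SHA1 key it points to."""
    spi: int
    key_hex: str

    def __post_init__(self) -> None:
        if not SPI_MIN <= self.spi <= SPI_MAX:
            raise ValueError(f"spi {self.spi} outside {SPI_MIN}-{SPI_MAX}")
        if len(self.key_hex) != KEY_HEX_LEN:
            raise ValueError("key must be 40 hex digits (assumed format)")
        bytes.fromhex(self.key_hex)  # raises ValueError on non-hex input

    @property
    def key(self) -> bytes:
        return bytes.fromhex(self.key_hex)


def esp_icv(policy: IpsecPolicy, packet: bytes) -> bytes:
    """Integrity check value: HMAC-SHA1 over the packet, truncated to 96 bits."""
    return hmac.new(policy.key, packet, hashlib.sha1).digest()[:ICV_LEN]


def verify_packet(policy: IpsecPolicy, packet: bytes, icv: bytes) -> bool:
    """Accept a packet only if its ICV matches, using a constant-time compare."""
    return hmac.compare_digest(esp_icv(policy, packet), icv)


class Ospf3IpsecConfig:
    """Area and interface IPsec settings with the precedence and rekey rules."""

    def __init__(self) -> None:
        self.area_policy: Dict[int, IpsecPolicy] = {}
        self.iface_policy: Dict[str, IpsecPolicy] = {}
        self.iface_area: Dict[str, int] = {}

    def assign_interface(self, iface: str, area: int) -> None:
        self.iface_area[iface] = area

    @staticmethod
    def _check_rekey(old: Optional[IpsecPolicy], spi: int, key_hex: str) -> None:
        # Changing the key requires changing the SPI as well (300 -> 310 in the guide).
        if old is not None and old.key_hex != key_hex and old.spi == spi:
            raise ValueError("a new key must come with a new SPI")

    def set_area_ipsec(self, area: int, spi: int, key_hex: str) -> IpsecPolicy:
        self._check_rekey(self.area_policy.get(area), spi, key_hex)
        self.area_policy[area] = IpsecPolicy(spi, key_hex)
        return self.area_policy[area]

    def set_interface_ipsec(self, iface: str, spi: int, key_hex: str) -> IpsecPolicy:
        self._check_rekey(self.iface_policy.get(iface), spi, key_hex)
        self.iface_policy[iface] = IpsecPolicy(spi, key_hex)
        return self.iface_policy[iface]

    def effective_policy(self, iface: str) -> Optional[IpsecPolicy]:
        """Interface IPsec takes precedence over the IPsec of the containing area."""
        if iface in self.iface_policy:
            return self.iface_policy[iface]
        area = self.iface_area.get(iface)
        return self.area_policy.get(area) if area is not None else None


def peers_agree(near: IpsecPolicy, far: IpsecPolicy) -> bool:
    """Near end and far end need the same SPI, and the same key for ICVs to verify."""
    return near.spi == far.spi and hmac.compare_digest(near.key, far.key)


if __name__ == "__main__":
    KEY = "0123456789abcdef0123456789abcdef01234567"  # constructed sample key
    cfg = Ospf3IpsecConfig()
    cfg.assign_interface("ethe 3/2", 0)
    cfg.set_area_ipsec(0, 300, KEY)
    # Constructed stand-in for an OSPFv3 Hello: version 3, type 1, then filler bytes.
    hello = b"\x03\x01\x00\x24" + b"\x01\x01\x01\x01" + b"\x00" * 28
    policy = cfg.effective_policy("ethe 3/2")
    tag = esp_icv(policy, hello)
    print(policy.spi, tag.hex(), verify_packet(policy, hello, tag))
```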
Chapter 33 BGP (IPv4)
Table 238 lists individual Brocade switches and the Border Gateway Protocol (BGP4) features they support. BGP4 features are supported on FastIron X Series and Brocade FCX Series-ADV devices running the full Layer 3 software image.
NOTE
If the Brocade FCX Series device does not have a BGP license, you cannot configure BGP with the "router bgp" command at all. For details, see the chapter “Software-based Licensing” on page 199.
BGP4 overview
• RFC 2842 (Capability Advertisement)
• RFC 3065 (BGP4 Confederations)
To display BGP4 configuration information and statistics, refer to “Displaying BGP4 information” on page 1421.
NOTE
Your Layer 3 switch management module must have 32 MB or higher to run BGP4.
BGP4 overview
Border Gateway Protocol 4 (BGP4) is the standard Exterior Gateway Protocol (EGP) used on the Internet to route traffic between Autonomous Systems (AS) and to maintain loop-free routing.
Relationship between the BGP4 route table and the IP route table
The Brocade Layer 3 switch BGP4 route table can have multiple routes to the same destination, which are learned from different BGP4 neighbors. A BGP4 neighbor is another switch that also is running BGP4. BGP4 neighbors communicate using Transmission Control Protocol (TCP) port 179 for BGP communication.
How BGP4 selects a path for a route
When multiple paths for the same route are known to a BGP4 router, the router uses the following algorithm to weigh the paths and determine the optimal path for the route. The optimal path depends on various parameters, which can be modified. (Refer to “Optional BGP4 configuration tasks” on page 1365.)
1. Is the next hop accessible through an Interior Gateway Protocol (IGP) route? If not, ignore the route.
8. Prefer routes in the following order:
• Routes received through EBGP from a BGP4 neighbor outside of the confederation
• Routes received through EBGP from a BGP4 router within the confederation
• Routes received through IBGP
9. If all the comparisons above are equal, prefer the route with the lowest IGP metric to the BGP4 next hop. This is the closest internal path inside the AS to reach the destination.
10.
neighbors to always be up. For directly-attached neighbors, you can configure the Brocade Layer 3 switch to immediately close the TCP connection to the neighbor and clear entries learned from an EBGP neighbor if the interface to that neighbor goes down. This capability is provided by the fast external fallover feature, which is disabled by default.
• BGP Identifier – The router ID. The BGP Identifier (router ID) identifies the BGP4 router to other BGP4 routers.
BGP4 graceful restart BGP4 Router A sends a Hold Time of 5 seconds and BGP4 Router B sends a Hold Time of 4 seconds, both routers use 4 seconds as the Hold Time for their BGP4 session. The default Hold Time is 180 seconds. Generally, the Hold Time is configured to three times the value of the Keep Alive Time. If the Hold Time is 0, a BGP4 router assumes that its neighbor is alive regardless of how many seconds pass between receipt of UPDATE or KEEPALIVE messages.
Basic configuration and activation for BGP4
BGP4 is disabled by default. Follow the steps below to enable BGP4 and place your Brocade Layer 3 switch into service as a BGP4 router.
1. Enable the BGP4 protocol.
2. Set the local AS number.
NOTE
You must specify the local AS number for BGP4 to become functional.
3. Add each BGP4 neighbor (peer BGP4 router) and identify the AS the neighbor is in.
4.
BGP4 parameters
NOTE
To disable BGP4 without losing the BGP4 configuration information, remove the local AS (for example, by entering the no local-as command). In this case, BGP4 retains the other configuration information but is not operational until you set the local AS again.
BGP4 parameters
You can modify or set the following BGP4 parameters:
• Optional – Define the router ID. (The same router ID also is used by OSPF.
• Optional – Define neighbor distribute lists.
• Optional – Define BGP4 route maps for filtering routes redistributed into RIP and OSPF.
• Optional – Define route flap dampening parameters.
NOTE
When using the CLI, you set global level parameters at the BGP CONFIG level of the CLI. You can reach the BGP CONFIG level by entering router bgp… at the global CONFIG level.
BGP4 memory considerations
BGP4 parameter changes after resetting neighbor sessions
The following parameter changes take effect only after the router BGP4 sessions are cleared, or reset using the “soft” clear option. (Refer to “Closing or resetting a neighbor session” on page 1457.) The parameters are as follows:
• Change the Hold Time or Keep Alive Time.
• Aggregate routes.
• Add, change, or negate filter tables.
Basic configuration tasks required for BGP4 As a guideline, Layer 3 switches with a 512 MB Management 4 module can accommodate 150 through 200 neighbors, with the assumption that the Layer 3 switch receives about one million routes total from all neighbors and sends about eight million routes total to neighbors. For each additional one million incoming routes, the capacity for outgoing routes decreases by around two million.
• If the router has loopback interfaces, the default router ID is the IP address configured on the lowest numbered loopback interface configured on the Layer 3 switch. For example, if you configure loopback interfaces 1, 2, and 3 as follows, the default router ID is 9.9.9.9/24:
• Loopback interface 1, 9.9.9.9/24
• Loopback interface 2, 4.4.4.4/24
• Loopback interface 3, 1.1.1.
Loopback interfaces are always up, regardless of the states of physical interfaces. Loopback interfaces are especially useful for IBGP neighbors (neighbors in the same AS) that are multiple hops away from the router. When you configure a BGP4 neighbor on the router, you can specify whether the router uses the loopback interface to communicate with the neighbor. As long as a path exists between the router and its neighbor, BGP4 information can be exchanged.
[capability orf prefixlist [send | receive]]
[default-originate [route-map ]]
[description ]
[distribute-list in | out | in | out]
[ebgp-multihop []]
[filter-list in | out
default-originate [route-map ] configures the Layer 3 switch to send the default route 0.0.0.0 to the neighbor. If you use the route-map parameter, the route map injects the default route conditionally, based on the match conditions in the route map.
description specifies a name for the neighbor. You can enter an alphanumeric text string up to 80 characters long.
distribute-list in | out
• The parameter specifies the percentage of the value you specified for the maximum-prefix , at which you want the software to generate a Syslog message. You can specify a value from 1 (one percent) to 100 (100 percent). The default is 100.
• The teardown parameter tears down the neighbor session if the maximum-prefix limit is exceeded.
route-map in | out specifies a route map the Layer 3 switch will apply to updates sent to or received from the specified neighbor. The in | out keyword specifies whether the list is applied on updates received from the neighbor or sent to the neighbor.
NOTE
The route map must already be configured. Refer to “Defining route maps” on page 1403.
route-reflector-client specifies that this neighbor is a route-reflector client of the router.
Basic configuration tasks required for BGP4 Encryption of BGP4 MD5 authentication keys When you configure a BGP4 neighbor or neighbor peer group, you can specify an MD5 authentication string for authenticating packets exchanged with the neighbor or peer group of neighbors. For added security, the software encrypts display of the authentication string by default.
Basic configuration tasks required for BGP4 Command syntax Since the default behavior does not affect the BGP4 configuration itself but does encrypt display of the authentication string, the CLI does not list the encryption options. Syntax: [no] neighbor | password [0 | 1] The | parameter indicates whether you are configuring an individual neighbor or a peer group.
Basic configuration tasks required for BGP4 Adding a BGP4 peer group A peer group is a set of BGP4 neighbors that share common parameters. Peer groups provide the following benefits: • Simplified neighbor configuration – You can configure a set of neighbor parameters and then apply them to multiple neighbors. You do not need to individually configure the common parameters individually on each neighbor.
Basic configuration tasks required for BGP4 • • • • • • • • Outbound distribute list Outbound prefix list Remote AS, if configured for the peer group Remove private AS Route reflector client Send community Timers Update source If you want to change an outbound parameter for an individual neighbor, you must first remove the neighbor from the peer group. In this case, you cannot re-add the neighbor to the same peer group, but you can add the neighbor to a different peer group.
Basic configuration tasks required for BGP4 The commands in this example configure a peer group called “PeerGroup1” and set the following parameters for the peer group: • A description, “EastCoast Neighbors” • A remote AS number, 100 • A distribute list for outbound traffic The software applies these parameters to each neighbor you add to the peer group. You can override the description parameter for individual neighbors.
Basic configuration tasks required for BGP4 Applying a peer group to a neighbor After you configure a peer group, you can add neighbors to the group. When you add a neighbor to a peer group, you are applying all the neighbor attributes specified in the peer group to the neighbor. To add neighbors to a peer group, enter commands such as the following. Brocade(config-bgp-router)#neighbor 192.168.1.12 peer-group PeerGroup1 Brocade(config-bgp-router)#neighbor 192.168.2.
To shut down a BGP4 neighbor, enter commands such as the following.
Brocade(config)#router bgp
Brocade(config-bgp-router)#neighbor 209.157.22.26 shutdown
Brocade(config-bgp-router)#write memory
Syntax: [no] neighbor shutdown
The parameter specifies the IP address of the neighbor.

Optional BGP4 configuration tasks
The following sections describe how to perform optional BGP4 configuration tasks.

This command changes the update timer to 15 seconds.
Syntax: [no] update-time
The parameter specifies the number of seconds and can be from 1 through 30. The default is 5.
Enabling fast external fallover
BGP4 routers rely on KEEPALIVE and UPDATE messages from neighbors to signify that the neighbors are alive.

How load sharing affects route selection
During evaluation of multiple paths to select the best path to a given destination for installment in the IP route table, the last comparison the Layer 3 switch performs is a comparison of the internal paths:
• When IP load sharing is disabled, the Layer 3 switch prefers the path to the router with the lower router ID.

To change the maximum number of shared paths, enter commands such as the following.
Brocade(config)#router bgp
Brocade(config-bgp-router)#maximum-paths 4
Brocade(config-bgp-router)#write memory
Syntax: [no] maximum-paths
The parameter specifies the maximum number of paths across which the Layer 3 switch can balance traffic to a given BGP4 destination. You can change the maximum number of paths to a value from 2 through 4. The default is 1.

To configure the Layer 3 switch to advertise network 209.157.22.0/24, enter the following command.
Brocade(config-bgp-router)#network 209.157.22.0 255.255.255.0
Syntax: network [nlri multicast | unicast | multicast unicast] [route-map ] | [weight ] | [backdoor]
The is the network number and the specifies the network mask.

The route-map parameter specifies the name of the route map you want to use to set or change BGP4 attributes for the network you are advertising. The route map must already be configured. For information about the other parameters, refer to “Defining route maps” on page 1403.

Advertising the default route
By default, the Layer 3 switch does not originate and advertise a default route using BGP4. A BGP4 default route is the IP address 0.0.0.0 and the route prefix 0 or network mask 0.0.0.0. For example, 0.0.0.0/0 is a default route. You can enable the router to advertise a default BGP4 route using either of the following methods.
NOTE The Brocade Layer 3 switch checks for the existence of an IGP route for 0.0.0.

It is possible for the BGP route table to contain a route whose next-hop IP address is not reachable through an IGP route, even though a hop farther away can be reached by the Layer 3 switch through an IGP route. This can occur when the IGPs do not learn a complete set of IGP routes, resulting in the Layer 3 switch learning about an internal route through IBGP instead of through an IGP.

Brocade#show ip route 102.0.0.1
Total number of IP routes: 37
Network Address    NetMask          Gateway     Port   Cost   Type
102.0.0.0          255.255.255.0    10.0.0.1    1/1    1      B
The route to the next-hop gateway is a BGP route, not an IGP route, and thus cannot be used to reach 240.0.0.0/24. In this case, the Layer 3 switch tries to use the default route, if present, to reach the subnet that contains the BGP route next-hop gateway.
Brocade#show ip route 240.0.0.

Brocade#show ip bgp route 102.0.0.0
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
       Prefix             Next Hop        Metric     LocPrf     Weight Status
1      102.0.0.0/24       10.0.0.1        1          100        0      BI
         AS_PATH: 65001 4355 1
The next-hop IP address for 102.0.0.1 is not an IGP route, which means the BGP route destination still cannot be reached through IP.
When selecting a route from among different sources (BGP4, OSPF, RIP, static routes, and so on), the software compares the routes on the basis of each route's administrative distance. If the administrative distance of the BGP4 paths is lower than the administrative distance of paths from other sources (such as static IP routes, RIP, or OSPF), the BGP4 paths are installed in the IP route table.

Requiring the first AS to be the neighbor AS
By default, the Brocade device does not require the first AS listed in the AS_SEQUENCE field of an AS path Update from an EBGP neighbor to be the AS that the neighbor who sent the Update is in. You can enable the Brocade device for this requirement.

Brocade(config-bgp-router)#compare-routerid
Syntax: [no] compare-routerid
For more information, refer to “How BGP4 selects a path for a route” on page 1344.
Configuring the Layer 3 switch to always compare Multi-Exit Discriminators (MEDs)
A Multi-Exit Discriminator (MED) is a value that the BGP4 algorithm uses when comparing multiple paths received from different BGP4 neighbors in the same AS for the same route.

Brocade(config-bgp-router)#med-missing-as-worst
Syntax: [no] med-missing-as-worst
NOTE This command affects route selection only when route paths are selected based on MED comparison. It is still possible for a route path that is missing its MED to be selected based on other criteria. For example, a route path with no MED can be selected if its weight is larger than the weights of the other route paths.

AS1 contains a cluster with two route reflectors and two clients. The route reflectors are fully meshed with other BGP4 routers, but the clients are not fully meshed. They rely on the route reflectors to propagate BGP4 route updates.
FIGURE 167 Example of a route reflector configuration (figure labels: AS 1, AS 2, Cluster 1, Route Reflector 1, Route Reflector 2, EBGP Switch, IBGP, IBGP, Route Reflector Client 1, Route Reflector Client 2, 10.0.1.0, 10.0.2.)

• The Layer 3 switch adds the attributes only if it is a route reflector, and only when advertising IBGP route information to other IBGP neighbors. The attributes are not used when communicating with EBGP neighbors.
• A Layer 3 switch configured as a route reflector sets the ORIGINATOR_ID attribute to the router ID of the router that originated the route.

For more information about the neighbor command, refer to “Adding BGP4 neighbors” on page 1354. By default, the clients of a route reflector are not required to be fully meshed; the routes from a client are reflected to other clients. However, if the clients are fully meshed, route reflection is not required between clients. If you need to disable route reflection between clients, enter the following command.

Figure 168 shows an example of a BGP4 confederation.
FIGURE 168 Example of a BGP4 confederation (figure labels: AS 20, Confederation 10, Sub-AS 64512, IBGP, Switch A, Switch B, EBGP, BGP4 Switch, EBGP, Sub-AS 64513, IBGP, Switch C, Switch D; callout: “This BGP4 switch sees all traffic from Confederation 10 as traffic from AS 10.”)
Switches outside the confederation do not know or care that the switches are subdivided into sub-ASs within a confederation.

• Configure the confederation ID. The confederation ID is the AS number by which BGP switches outside the confederation know the confederation. Thus, a BGP switch outside the confederation is not aware and does not care that your BGP switches are in multiple sub-autonomous systems. BGP switches use the confederation ID when communicating with switches outside the confederation. The confederation ID must be different from the sub-AS numbers.

Commands for router C
BrocadeC(config)#router bgp
BrocadeC(config-bgp-router)#local-as 64513
BrocadeC(config-bgp-router)#confederation identifier 10
BrocadeC(config-bgp-router)#confederation peers 64512 64513
BrocadeC(config-bgp-router)#write memory
Commands for router D
BrocadeD(config)#router bgp
BrocadeD(config-bgp-router)#local-as 64513
BrocadeD(config-bgp-router)#confederation identifier 10
BrocadeD(config-bgp-router)#confederation peers 64512 64513
BrocadeD(config-b
Configuring BGP4 graceful restart
The advertise-map parameter configures the router to advertise the more specific routes in the specified route map. The attribute-map parameter configures the router to set attributes for the aggregate routes based on the specified route map.
NOTE For the suppress-map, advertise-map, and attribute-map parameters, the route map must already be defined. Refer to “Defining route maps” on page 1403 for information on defining a route map.

BGP null0 routing
The variable is the maximum restart wait time advertised to neighbors. Possible values are from 1 through 3600 seconds. The default value is 120 seconds.
Configuring the BGP4 graceful restart stale routes timer
Use the following command to specify the maximum amount of time a helper device will wait for an end-of-RIB message from a peer before deleting routes from that peer.

Figure 169 shows a topology for a null0 routing application example.
FIGURE 169 Example of a null0 routing application (figure labels: Internet, R1, R2, R3, AS 100, R5, R6, R4, R7)
The following steps configure a null0 routing application for stopping denial of service attacks from remote hosts on the internet.
Configuration steps for BGP null 0 routing
1. Select one switch, S6, to distribute null0 routes throughout the BGP network.
2.

Configuration examples for BGP null 0 routing
S6
The following configuration defines specific prefixes to filter.
Brocade(config)#ip route 110.0.0.40/29 ethernet 3/7 tag 50
Brocade(config)#ip route 115.0.0.192/27 ethernet 3/7 tag 50
Brocade(config)#ip route 120.014.0/23 ethernet 3/7 tag 50
The following configuration redistributes routes into BGP.

Brocade(config-bgp-router)#neighbor remote-as 100
Brocade(config-bgp-router)#neighbor remote-as 100
Brocade(config-bgp-router)#neighbor remote-as 100
Brocade(config-bgp-router)#neighbor remote-as 100
Show commands for BGP null 0 routing
After configuring the null0 application, you can display the output.
S6
The following is the show ip route static output for S6.

Brocade#show ip bgp route
Total number of BGP Routes: 126
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED s:STALE
       Prefix             Next Hop        Metric     LocPrf     Weight
1      30.0.1.0/24        40.0.1.3        0          100        0
         AS_PATH:
       ...
9      110.0.0.16/30      90.0.1.3                   100        0
         AS_PATH: 85
10     110.0.0.40/29      199.199.1.1/32  1          1000000    32768  BL
         AS_PATH:
11     110.0.0.80/28      90.0.1.3                   100        0
       ...
36     115.0.0.96/28      30.0.1.3                   100        0
         AS_PATH: 50
37     115.0.0.
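The two behaviours described above, a BGP4 route whose next hop is reachable only through another BGP route (not installed, with the default route tried as a fallback) and a next hop that is statically routed to null0 (traffic discarded, the null0 blackholing application), are modelled in the following added example. It is not code from the Brocade guide or from the FastIron software: the route table, the BGP routes and the next hops in it are constructed for illustration, and the fallback-to-default logic follows the text's description rather than any documented algorithm.

```python
"""Next-hop resolution for BGP4 routes, modelled on the behaviour described in
the text.  Added example, not code from the Brocade guide or the FastIron
software: the route table below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str              # destination network, e.g. "102.0.0.0/24"
    gateway: Optional[str]   # next-hop gateway; None for connected or null0 routes
    port: str                # outgoing port such as "1/1"; "null0" discards traffic
    rtype: str               # "B" BGP, "O" OSPF, "S" static, "D" directly connected

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


# Constructed IP route table (not the guide's output).  As in the text, the only
# route covering the next hop 102.0.0.1 is itself a BGP route.
BASE_TABLE: List[Route] = [
    Route("102.0.0.0/24",    "10.0.0.1",   "1/1",   "B"),  # BGP route, as in the show ip route output
    Route("10.0.0.0/24",     None,         "1/1",   "D"),  # connected link to the next hop 10.0.0.1
    Route("172.16.5.0/24",   None,         "1/2",   "D"),  # connected link toward an OSPF neighbor
    Route("192.168.50.0/24", "172.16.5.2", "1/2",   "O"),  # OSPF-learned route
    Route("199.199.1.1/32",  None,         "null0", "S"),  # blackhole next hop used by the null0 application
]
DEFAULT_ROUTE = Route("0.0.0.0/0", "172.16.5.1", "1/2", "S")  # optional static default route


def longest_match(table: List[Route], addr: str) -> Optional[Route]:
    """Most specific route covering addr, or None.  0.0.0.0/0 covers every
    address, so a default route is the match of last resort."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in table if ip in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)


def classify_next_hop(table: List[Route], next_hop: str) -> Tuple[str, Optional[Route]]:
    """Classify how a BGP next hop is reached:
      "igp"         through an IGP, static or connected route (route is installable)
      "null0"       through a static route to null0 (traffic to the prefix is dropped)
      "bgp-only"    only through another BGP route and no usable default route,
                    so the next hop is not reachable "through IP"
      "unreachable" no covering route at all
    """
    via = longest_match(table, next_hop)
    if via is not None and via.rtype == "B":
        # A BGP route cannot be used to reach a BGP next hop.  The text says the
        # switch then tries the default route, if present, instead.
        via = next((r for r in table if r.network.prefixlen == 0), None)
        if via is None:
            return "bgp-only", None
    if via is None:
        return "unreachable", None
    if via.port == "null0":
        return "null0", via
    if via.rtype == "B":
        return "bgp-only", via
    return "igp", via


def install_decision(table: List[Route], next_hop: str) -> str:
    """What happens to a BGP route with this next hop: "installed" in the IP
    route table, "discard" (next hop points at null0), or "not-installed"."""
    kind, _ = classify_next_hop(table, next_hop)
    return {"igp": "installed", "null0": "discard"}.get(kind, "not-installed")


if __name__ == "__main__":
    # Constructed BGP routes (prefix, next hop).  240.0.0.0/24 via 102.0.0.1
    # mirrors the text; 110.0.0.40/29 via 199.199.1.1 mirrors the null0 output.
    bgp_routes = [("240.0.0.0/24", "102.0.0.1"), ("110.0.0.40/29", "199.199.1.1"),
                  ("192.0.2.0/24", "192.168.50.7"), ("198.51.100.0/24", "203.0.113.1")]
    for label, table in (("no default route", BASE_TABLE),
                         ("with static default", BASE_TABLE + [DEFAULT_ROUTE])):
        print(f"-- {label}")
        for prefix, nh in bgp_routes:
            print(f"{prefix:18} via {nh:14} -> {install_decision(table, nh)}")
```

Running the block shows 240.0.0.0/24 not installed while only BGP covers its next hop, installed once a static default exists, and 110.0.0.40/29 discarded in both cases because its next hop resolves to null0.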
Modifying redistribution parameters
By default, the Layer 3 Switch does not redistribute route information between BGP4 and the IP IGPs (RIP and OSPF). You can configure the switch to redistribute OSPF routes, RIP routes, directly connected routes, or static routes into BGP4 by using the following methods. To enable redistribution of all OSPF routes and directly attached routes into BGP4, enter the following commands.

Redistributing RIP routes
To configure BGP4 to redistribute RIP routes and add a metric of 10 to the redistributed routes, enter the following command.
Brocade(config-bgp-router)#redistribute rip metric 10
Syntax: redistribute rip [metric ] [route-map ]
The rip parameter indicates that you are redistributing RIP routes into BGP4. The metric parameter changes the metric. Specify a value from 0 through 4294967295. The default is 0.

Redistributing static routes
To configure the Layer 3 switch to redistribute static routes, enter the following command.
Brocade(config-bgp-router)#redistribute static
Syntax: redistribute static [metric ] [route-map ]
The static parameter indicates that you are redistributing static routes into BGP4. The metric parameter changes the metric. Specify a value from 0 through 4294967295. The default is 0.
Filtering
This section describes the following:
• “Specific IP address filtering” on page 1394
• “AS-path filtering” on page 1395
• “BGP4 filtering communities” on page 1399
• “Defining IP prefix lists” on page 1401
• “Defining neighbor distribute lists” on page 1402
• “Defining route maps” on page 1403
• “Using a table map to set the tag value” on page 1411
• “Configuring cooperative BGP4 route filtering” on page 1411
Specific IP address filtering
You can configure the router to explicitly pe

NOTE Once you define a filter, the default action for addresses that do not match a filter is “deny”. To change the default action to “permit”, configure the last filter as “permit any any”.
The parameter specifies the IP address. If you want the filter to match on all addresses, enter any. The parameter specifies the portion of the IP address to match against. The is in dotted-decimal notation (IP address format).

Defining an AS-path filter
To define AS-path filter 4 to permit AS 2500, enter the following command.
Brocade(config-bgp-router)#as-path-filter 4 permit 2500
Syntax: as-path-filter permit | deny
The parameter identifies the filter position in the AS-path filter list and can be from 1 through 100. Thus, the AS-path filter list can contain up to 100 filters. The Brocade Layer 3 switch applies the filters in numerical order, beginning with the lowest-numbered filter.

The neighbor command uses the filter-list parameter to apply the AS-path ACL to the neighbor. Refer to “Adding BGP4 neighbors” on page 1354.
Using regular expressions to filter
You use a regular expression for the parameter to specify a single character or multiple characters as a filter pattern. If the AS-path matches the pattern specified in the regular expression, the filter evaluation is true; otherwise, the evaluation is false.

TABLE 240 BGP4 special characters for regular expressions (Continued)
Character: _
Operation: An underscore matches on one or more of the following:
• , (comma)
• { (left curly brace)
• } (right curly brace)
• ( (left parenthesis)
• ) (right parenthesis)
• The beginning of the input string
• The end of the input string
• A blank space
For example, the following regular expression matches on “100” but not on “1002”, “2100”, and so on.
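The underscore semantics in Table 240 are what make an AS-path filter match a whole AS number rather than a substring of one. The following added example, which is not code from the Brocade guide, translates the underscore into a Python regular expression exactly as the table describes and applies an ordered filter list the way the text says filters are applied, lowest number first. The filter list and AS_PATH strings are constructed; the implicit deny for a path that matches no filter is the default the text states for IP address filters and is assumed here for AS-path filters.

```python
"""Evaluating Brocade-style AS-path regular expressions, with the "_" operator
translated as Table 240 describes.  Added example, not code from the Brocade
guide; the filter list and AS_PATH strings below are constructed."""
import re
from typing import Iterable, Tuple

# Table 240: "_" matches a comma, either curly brace, either parenthesis, a blank
# space, or the beginning or end of the input string.
UNDERSCORE = r"(?:[,{}() ]|^|$)"


def to_python_regex(pattern: str) -> str:
    """Rewrite the Brocade pattern for Python's re module.  Only "_" needs
    translating; the other operators (. * + ? ^ $ [] |) carry the same meaning
    in Python.  Assumption: the pattern contains no other Brocade-specific
    tokens."""
    return pattern.replace("_", UNDERSCORE)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the AS_PATH string (AS numbers separated by blanks, confederation
    segments in braces or parentheses) matches the filter pattern."""
    return re.search(to_python_regex(pattern), as_path) is not None


def apply_as_path_filters(filters: Iterable[Tuple[int, str, str]], as_path: str) -> str:
    """Apply an AS-path filter list in numerical order, lowest number first, and
    return the action ("permit" or "deny") of the first matching filter.  A path
    matching no filter is denied (assumed default, see lead-in)."""
    for _number, action, pattern in sorted(filters):
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


# Constructed filter list (number, action, pattern).  "_2500_" matches AS 2500
# as a whole AS number; the bare "2500" in the text's example would also match
# paths containing 12500 or 25001.
FILTERS = [
    (1, "deny",   "_666_"),      # reject paths through a constructed unwanted ASN
    (2, "permit", "^65001_"),    # paths whose first AS is 65001
    (4, "permit", "_2500_"),     # paths transiting AS 2500 anywhere
]

if __name__ == "__main__":
    for path in ("100", "1002", "2100", "200 100 300"):
        print(f"_100_ vs {path!r:14} -> {as_path_matches('_100_', path)}")
    for path in ("65001 4355 1", "100 666 2500", "300 2500", "7000 8000",
                 "65000 {64512 64513}"):
        print(f"{path!r:22} -> {apply_as_path_filters(FILTERS, path)}")
```

The first loop reproduces the table's own example: `_100_` matches "100" and "200 100 300" but neither "1002" nor "2100".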
BGP4 filtering communities
You can filter routes received from BGP4 neighbors based on community names. Use either of the following methods to do so. A community is an optional attribute that identifies the route as a member of a user-defined class of routes. Community names are arbitrary values made of two five-digit integers joined by a colon. You determine what the name means when you create the community name as one of a route's attributes.

The : parameter indicates a specific community number to filter. Use this parameter to filter for a private (administrator-defined) community. You can enter up to 20 community numbers with the same command. If you want to filter for the well-known communities “LOCAL_AS”, “NO_EXPORT” or “NO_ADVERTISE”, use the corresponding keyword (described below). The internet keyword checks for routes that do not have the community attribute.

The deny | permit parameter specifies the action the software takes if a route's community list matches a match statement in this ACL. To configure the community-list match statements in a route map, use the match community command. Refer to “Matching based on community ACL” on page 1406. The parameter specifies the community type or community number.

The deny | permit parameter specifies the action the software takes if a neighbor's route is in this prefix list. The prefix list matches only on this network unless you use the ge or le parameters. (See below.) The / parameter specifies the network number and the number of bits in the network mask. You can specify a range of prefix length for prefixes that are more specific than /.
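The exact-match-unless-ge/le rule just described is easy to get wrong when writing inbound prefix filters, so the following added example implements it and evaluates a small list against sample routes. It is not code from the Brocade guide; the prefix list and routes are constructed. Three points go beyond the excerpt and are assumptions, standard for prefix lists: with ge alone the matching range runs from ge to 32, with le alone it runs from the entry's own length to le, and a route that matches no entry is denied.

```python
"""IP prefix-list matching with ge/le, as described in the text.  Added example,
not code from the Brocade guide; the prefix list and the routes evaluated are
constructed.  Assumed (standard, but not stated in the excerpt): ge alone means
ge..32, le alone means <entry length>..le, and no match means deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int                   # sequence number; entries are evaluated lowest first
    action: str                # "permit" or "deny"
    prefix: str                # <network>/<length>
    ge: Optional[int] = None   # minimum prefix length of matching routes
    le: Optional[int] = None   # maximum prefix length of matching routes

    def matches(self, route: str) -> bool:
        entry = ipaddress.ip_network(self.prefix, strict=False)
        net = ipaddress.ip_network(route, strict=False)
        # The route's network bits must agree with the entry over the entry's length.
        if not net.subnet_of(entry):
            return False
        if self.ge is None and self.le is None:
            return net.prefixlen == entry.prefixlen      # exact length only
        low = self.ge if self.ge is not None else entry.prefixlen
        high = self.le if self.le is not None else net.max_prefixlen
        return low <= net.prefixlen <= high


def evaluate_prefix_list(entries: List[PrefixListEntry], route: str) -> str:
    """Return the action of the first matching entry, or "deny" when none matches."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action
    return "deny"


# Constructed inbound prefix list: reject 10/8 routes more specific than /24,
# accept 10/8 routes between /16 and /24, and accept exactly 192.168.1.0/24.
CUSTOMER_IN = [
    PrefixListEntry(5,  "deny",   "10.0.0.0/8", ge=25),
    PrefixListEntry(10, "permit", "10.0.0.0/8", ge=16, le=24),
    PrefixListEntry(15, "permit", "192.168.1.0/24"),
]

if __name__ == "__main__":
    for r in ("10.1.0.0/16", "10.1.2.0/25", "10.0.0.0/8", "192.168.1.0/24",
              "192.168.1.128/25", "172.16.0.0/12"):
        print(f"{r:18} -> {evaluate_prefix_list(CUSTOMER_IN, r)}")
```

Note that 10.0.0.0/8 itself is denied by this list: it is inside the entries' network but its length falls outside both ranges, and the exact-length entry at sequence 15 covers a different network.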
Defining route maps
A route map is a named set of match conditions and parameter settings that the router can use to modify route attributes and to control redistribution of the routes into other protocols. A route map consists of a sequence of up to 50 instances. If you think of a route map as a table, an instance is a row in that table. The router evaluates a route according to a route map's instances in ascending numerical order.

• Set the MED (metric).
• Set the IP address of the next hop router.
• Set the origin to IGP or INCOMPLETE.
• Set the weight.
For example, when you configure parameters for redistributing routes into RIP, one of the optional parameters is a route map. If you specify a route map as one of the redistribution parameters, the router will match the route against the match statements in the route map.

Specifying the match conditions
Use the following command to define the match conditions for instance 1 of the route map GET_ONE. This instance compares the route updates against BGP4 address filter 11.
Brocade(config-routemap GET_ONE)#match address-filters 11
Syntax: match [as-path ] | [address-filters | as-path-filters | community-filters

NOTE By default, route maps apply to both unicast and multicast traffic.
The route-type internal | external-type1 | external-type2 parameter applies only to OSPF routes. This parameter compares the route type to the specified value. The tag parameter compares the route tag to the specified value.
Match examples using ACLs
The following sections show some detailed examples of how to configure route maps that include match statements that match on ACLs.

Matching based on next-hop router
To construct match statements for a route map that match based on the IP address of the next-hop router, use either of the following methods. You can use the results of an IP ACL or an IP prefix list as the match condition. To construct a route map that matches based on the next-hop router, enter commands such as the following.

Syntax: match community exact-match
The parameter specifies the name of a community list ACL. You can specify up to five ACLs. Separate the ACL names or IDs with spaces.
Here is another example.
Brocade(config)#ip community-list standard std_2 permit 23:45 56:78
Brocade(config)#route-map bgp3 permit 1
Brocade(config-routemap bgp3)#match community std_1 std_2 exact-match
These commands configure an additional community ACL, std_2, that contains community numbers 23:45 and 56:78.

The [default] interface null0 parameter redirects the traffic to the specified interface. You can send the traffic to the null0 interface, which is the same as dropping the traffic. You can specify more than one interface, in which case the Layer 3 switch uses the first available port. If the first port is unavailable, the Layer 3 switch sends the traffic to the next port in the list.

The weight parameter sets the weight for the route. You can specify a weight value from 0 through 4294967295.
Setting a BGP4 route's MED to the same value as the IGP metric of the next-hop route
To set a route's MED to the same value as the IGP metric of the BGP4 next-hop route, when advertising the route to a neighbor, enter commands such as the following.
Brocade(config)#access-list 1 permit 192.168.9.0 0.0.0.

The first command configures a community ACL containing community numbers 12:99 and 12:86. The remaining commands configure a route map that matches on routes whose destination network is specified in ACL 1, and deletes communities 12:99 and 12:86 from those routes. The route does not need to contain all the specified communities in order for them to be deleted. For example, if a route contains communities 12:86, 33:44, and 66:77, community 12:86 is deleted.

When you enable cooperative filtering, the Layer 3 switch advertises this capability in its Open message to the neighbor when initiating the neighbor session. The Open message also indicates whether the Layer 3 switch is configured to send filters, receive filters or both, and the types of filters it can send or receive. The Layer 3 switch sends the filters as Outbound Route Filters (ORFs) in Route Refresh messages.

If you do not specify the capability, both capabilities are enabled. The prefixlist parameter specifies the type of filter you want to send to the neighbor.
NOTE The current release supports cooperative filtering only for filters configured using IP prefix lists.
Sending and receiving ORFs
Cooperative filtering affects neighbor sessions that start after the filtering is enabled, but does not affect sessions that are already established.
Route flap dampening configuration
Brocade#show ip bgp neighbors 10.10.10.1
1   IP Address: 10.10.10.1, AS: 65200 (IBGP), RouterID: 10.10.10.

The route flap dampening mechanism is based on penalties. When a route exceeds a configured penalty value, the Layer 3 switch stops using that route and also stops advertising it to other routers. The mechanism also allows a route's penalties to reduce over time if the route's stability improves. The route flap dampening mechanism uses the following parameters:
• Suppression threshold – Specifies the penalty value at which the Layer 3 switch stops using the route.

The parameter specifies how high a route's penalty can become before the Layer 3 switch suppresses the route. You can set the suppression threshold to a value from 1 through 20000. The default is 2000 (two “flaps”). The parameter specifies the maximum number of minutes that a route can be suppressed regardless of how unstable it is. You can set the maximum suppression time to a value from 1 through 20000 minutes.
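To make the interplay of the parameters above concrete, the following added example models the penalty mechanism: each flap adds a penalty, the penalty decays over time, the route is suppressed once the penalty reaches the suppression threshold, and suppression ends either when the penalty has decayed enough or when the maximum suppression time has elapsed. It is not code from the Brocade guide. The page supplies the suppression threshold (default 2000, described as two flaps, so 1000 per flap is derived from it) and the maximum suppression time; the half-life and the reuse threshold are standard dampening parameters that this excerpt does not show, and the values used for them here are assumptions.

```python
"""Route flap dampening penalty model, following the parameters described in the
text.  Added example, not code from the Brocade guide.  Half-life, reuse
threshold and the 1000-per-flap penalty are assumptions (see comments)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DampeningParams:
    suppress_threshold: float = 2000.0  # penalty at which the route is suppressed (page default)
    max_suppress_minutes: float = 60.0  # longest a route stays suppressed (assumed value)
    half_life_minutes: float = 15.0     # assumed: penalty halves every 15 minutes
    reuse_threshold: float = 750.0      # assumed: penalty below which a suppressed route is reused
    flap_penalty: float = 1000.0        # derived from "default 2000 = two flaps"


@dataclass
class RouteDampState:
    penalty: float = 0.0
    last_update: float = 0.0                 # minute at which penalty was last recorded
    suppressed_since: Optional[float] = None

    def current_penalty(self, now: float, p: DampeningParams) -> float:
        """Penalty decayed exponentially since the last update."""
        return self.penalty * 2.0 ** (-(now - self.last_update) / p.half_life_minutes)

    def record_flap(self, now: float, p: DampeningParams) -> float:
        """Add one flap's penalty; suppress the route once the threshold is reached."""
        self.penalty = self.current_penalty(now, p) + p.flap_penalty
        self.last_update = now
        if self.suppressed_since is None and self.penalty >= p.suppress_threshold:
            self.suppressed_since = now
        return self.penalty

    def is_suppressed(self, now: float, p: DampeningParams) -> bool:
        """Suppression ends when the penalty decays below the reuse threshold or
        when the maximum suppression time has elapsed, whichever comes first."""
        if self.suppressed_since is None:
            return False
        timed_out = now - self.suppressed_since >= p.max_suppress_minutes
        if timed_out or self.current_penalty(now, p) < p.reuse_threshold:
            self.penalty = self.current_penalty(now, p)
            self.last_update = now
            self.suppressed_since = None
            return False
        return True


def simulate(flaps: List[float], checks: List[float],
             p: DampeningParams) -> List[Tuple[float, bool]]:
    """Replay flap times (minutes) in order and report the suppression state at
    each check time."""
    state = RouteDampState()
    events = sorted([(t, "flap") for t in flaps] + [(t, "check") for t in checks])
    out = []
    for t, kind in events:
        if kind == "flap":
            state.record_flap(t, p)
        else:
            out.append((t, state.is_suppressed(t, p)))
    return out


if __name__ == "__main__":
    # Constructed scenario: three flaps a minute apart, then checks every 5 minutes.
    for t, suppressed in simulate([0, 1, 2], list(range(0, 61, 5)), DampeningParams()):
        print(f"t={t:3d} min  suppressed={suppressed}")
```

With the assumed half-life of 15 minutes the third flap pushes the penalty past 2000 and the route stays suppressed for roughly half an hour; with a short maximum suppression time the route is reused when that time expires even though the penalty is still above the reuse threshold.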
The commands for the second entry in the route map (instance 10 in this example) perform the same functions for route 209.157.23.0. Notice that the dampening parameters are different for each route.
Using a route map to configure route flap dampening for a specific neighbor
You can use a route map to configure route flap dampening for a specific neighbor by performing the following tasks:
• Configure an empty route map with no match or set statements.

The last two commands apply the route maps. The dampening route-map command applies the first route map, which enables dampening globally. The neighbor command applies the second route map to neighbor 10.10.10.1. Since the second route map does not contain match statements for specific routes, the route map enables dampening for all routes received from the neighbor.

Brocade#show ip bgp route 209.1.44.0/24
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
       Prefix             Next Hop        Metric     LocPrf     Weight Status
1      209.1.44.0/24      10.2.0.

Brocade#show ip bgp flap-statistics
Total number of flapping routes: 414
    Status Code >:best d:damped h:history *:valid
    Network              From             Flaps  Since
h>  192.50.206.0/23      166.90.213.77    1      0 :0 :13
h>  203.255.192.0/20     166.90.213.77    1      0 :0 :13
h>  203.252.165.0/24     166.90.213.77    1      0 :0 :13
h>  192.50.208.0/23      166.90.213.77    1      0 :0 :13
h>  133.33.0.0/16        166.90.213.77    1      0 :0 :13
*>  204.17.220.0/24      166.90.213.
Generating traps for BGP
Clearing route flap dampening statistics
To clear route flap dampening statistics, use the following CLI method.
NOTE Clearing the dampening statistics for a route does not change the dampening status of the route.
To clear all the route dampening statistics, enter the following command at any level of the CLI.

Displaying BGP4 information
Displaying summary BGP4 information
You can display the local AS number, the maximum number of routes and neighbors supported, and some BGP4 statistics. To view summary BGP4 information for the router, enter the show ip bgp summary command at any CLI prompt.
Brocade#show ip bgp summary
  BGP4 Summary
  Router ID: 101.0.0.

TABLE 242 BGP4 summary information (Continued)
Field: Number of Attribute Entries Installed
Description: The number of BGP4 route-attribute entries in the router's route-attributes table. To display the route-attribute table, refer to “Displaying BGP4 route-attribute entries” on page 1447.
Field: Neighbor Address
Description: The IP addresses of this router's BGP4 neighbors.
Field: AS#
Description: The AS number.
Field: State
Description: The state of this router's neighbor session with each neighbor. The states are from this router's perspective of the session, not the neighbor's perspective. The state values are based on the BGP4 state machine values described in RFC 1771 and can be one of the following for each router:
• IDLE – The BGP4 process is waiting to be started.
Field: Filtered
Description: The routes or prefixes that have been filtered out:
• If soft reconfiguration is enabled, this field shows how many routes were filtered out (not placed in the BGP4 route table) but retained in memory.
• If soft reconfiguration is not enabled, this field shows the number of BGP4 routes that have been filtered out.
Field: Sent
Description: The number of BGP4 routes that the Layer 3 switch has sent to the neighbor.

Brocade#show process cpu
Process Name   5Sec(%)   1Min(%)   5Min(%)   15Min(%)
ARP            0.01      0.03      0.09      0.22
BGP            0.04      0.06      0.08      0.14
GVRP           0.00      0.00      0.00      0.00
ICMP           0.00      0.00      0.00      0.00
IP             0.00      0.00      0.00      0.00
OSPF           0.00      0.00      0.00      0.00
RIP            0.00      0.00      0.00      0.00
STP            0.00      0.00      0.00      0.00
VRRP           0.00      0.00      0.00      0.

Displaying summary neighbor information
To display summary neighbor information, enter a command such as the following at any level of the CLI.
Brocade#show ip bgp neighbors 192.168.4.211 routes-summary
1   IP Address: 192.168.4.
TABLE 243 BGP4 route summary information for a neighbor (Continued)
Field: NLRIs Received in Update Message
Description: The number of routes received in Network Layer Reachability (NLRI) format in UPDATE messages:
• Withdraws – The number of withdrawn routes the Layer 3 switch has received.
• Replacements – The number of replacement routes the Layer 3 switch has received.

Brocade#show ip bgp neighbors 10.4.0.2
1   IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1
    Description: neighbor 10.4.0.

The attribute-entries option shows the attribute-entries associated with routes received from the neighbor. The flap-statistics option shows the route flap statistics for routes received from or sent to the neighbor. The last-packet-with-error option displays the last packet from the neighbor that contained an error. The packet's contents are displayed in decoded (human-readable) format.

TABLE 244 BGP4 neighbor information (Continued)
Field: RouterID
Description: The neighbor's router ID.
Field: Description
Description: The description you gave the neighbor when you configured it on the Layer 3 switch.
Field: State
Description: The state of the router's session with the neighbor. The states are from this router's perspective of the session, not the neighbor's perspective.
Field: RemovePrivateAs
Description: Whether this option is enabled for the neighbor.
Field: RefreshCapability
Description: Whether this Layer 3 switch has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability.
Field: CooperativeFilteringCapability
Description: Whether the neighbor is enabled for cooperative route filtering.
Field: Distribute-list
Description: Lists the distribute list parameters, if configured.
Field: Last Connection Reset Reason
Description: The reason the previous session with this neighbor ended. The reason can be one of the following.
Field: Notification Sent
Description: If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
Field: TCP Connection state
Description: The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
Field: RcvWnd
Description: The size of the receive window.
Field: SendQue
Description: The number of sequence numbers in the send queue.
Field: RcvQue
Description: The number of sequence numbers in the receive queue.
Field: CngstWnd
Description: The number of times the window has changed.

Displaying route information for a neighbor
You can display routes based on the following criteria:
• A summary of the routes for a specific neighbor.
Displaying BGP4 information Table 245 lists the field definitions for the command output. TABLE 245 BGP4 route summary information for a neighbor Field Description Routes Received How many routes the Layer 3 switch has received from the neighbor during the current BGP4 session: • Accepted/Installed – Indicates how many of the received routes the Layer 3 switch accepted and installed in the BGP4 route table.
Displaying BGP4 information TABLE 245 BGP4 route summary information for a neighbor (Continued) Field Description NLRIs Sent in Update Message The number of NLRIs for new routes the Layer 3 switch has sent to this neighbor in UPDATE messages: • Withdraws – The number of routes the Layer 3 switch has sent to the neighbor to withdraw. • Replacements – The number of routes the Layer 3 switch has sent to the neighbor to replace routes the neighbor already has.
Displaying the best routes that were nonetheless not installed in the IP route table
To display the BGP4 routes received from a specific neighbor that are the "best" routes to their destinations but are not installed in the Layer 3 switch IP route table, enter a command such as the following at any level of the CLI.
Brocade#show ip bgp neighbors 192.168.4.
Brocade#show ip bgp peer-group pg1
1   BGP peer-group is pg    Description: peer group abc
    SendCommunity: yes
    NextHopSelf: yes
    DefaultOriginate: yes
    Members:
      IP Address: 192.168.10.10, AS: 65111
Syntax: show ip bgp peer-group [<peer-group-name>]
Only the parameters that have values different from their defaults are listed.
TABLE 246 BGP4 summary route information (Continued)
Field – Description
IBGP routes selected as best routes – The number of "best" routes in the BGP4 route table that are IBGP routes.
EBGP routes selected as best routes – The number of "best" routes in the BGP4 route table that are EBGP routes.
The community option lets you display routes for a specific community. You can specify local-as, no-export, no-advertise, internet, or a private community number. You can specify the community number either as two integer values of 1 through 65535 separated by a colon (for example, 12345:6789) or as a single long integer value; both forms name the same 32-bit community, the colon form being its upper and lower 16 bits. The community-access-list parameter filters the display using the specified community ACL.
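The two community notations above are interchangeable, and mistaking one for the other in a filter is a common way to let a route through (or tag one for export) by accident. The following is an added example, not FastIron code and not part of this guide: it converts between the AS:NN form and the single-integer form, recognises the well-known community names the display accepts (no-export, no-advertise, local-as and internet, with the RFC 1997 values), and flags values whose upper half is a private AS number. The function names are ours; the parser accepts 0 in each half as RFC 1997 does, whereas the CLI range quoted above starts at 1.

```python
"""Added example (not FastIron code): BGP4 community value conversions."""

# RFC 1997 well-known communities; "internet" (0:0) is the vendor
# convention for "no restriction".
WELL_KNOWN = {
    "internet": 0x00000000,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-as": 0xFFFFFF03,   # NO_EXPORT_SUBCONFED
}
WELL_KNOWN_BY_VALUE = {value: name for name, value in WELL_KNOWN.items()}


def community_to_int(text: str) -> int:
    """Parse a community given as a name, as "AS:NN", or as one integer."""
    text = text.strip().lower()
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if ":" in text:
        high, low = (int(part) for part in text.split(":", 1))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"{text!r}: each half must be 0..65535")
        return (high << 16) | low
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{text!r}: a community must fit in 32 bits")
    return value


def int_to_community(value: int) -> str:
    """Render a 32-bit community in the AS:NN form the CLI accepts."""
    return f"{value >> 16}:{value & 0xFFFF}"


def describe(text: str) -> str:
    """Name the community if it is well known; otherwise give AS:NN and
    flag values whose upper half is a private AS number (64512..65534)."""
    value = community_to_int(text)
    if value in WELL_KNOWN_BY_VALUE:
        return WELL_KNOWN_BY_VALUE[value]
    label = int_to_community(value)
    if 64512 <= (value >> 16) <= 65534:
        label += " (private AS)"
    return label


if __name__ == "__main__":
    for sample in ("12345:6789", "809048709", "no-export", "65111:100"):
        print(f"{sample:>12} -> {community_to_int(sample):>10}  {describe(sample)}")
```

Use describe() on the values found in a route map or in show ip bgp output to check that the community you are matching is really the one you meant.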
Syntax: show ip bgp routes best
For information about the fields in this display, refer to Table 247 on page 1444. The fields in this display also appear in the show ip bgp display.

Displaying information for a specific route
To display BGP4 network information by specifying an IP address within the network, enter a command such as the following at any level of the CLI.
Brocade#show ip bgp 9.3.4.0
Number of BGP Routes matching display condition : 1
Status codes: s suppressed, d damped, h history, * valid, >
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network         Next Hop        Metric  LocPrf  Weight
*>  9.3.4.0/24      192.168.4.
TABLE 247 BGP4 network information (Continued)
Field – Description
Weight – The value that this router associates with routes from a specific neighbor. For example, if the router receives routes to the same destination from two BGP4 neighbors, the router prefers the route from the neighbor with the larger weight.
Path – The route AS path. NOTE: This field appears only if you do not enter the route option.
Origin code – A character the display uses to indicate the route origin.

These displays show the following information.

TABLE 248 BGP4 route information
Field – Description
Total number of BGP Routes – The number of BGP4 routes.
Status codes – A list of the characters the display uses to indicate the route status. The status code appears in the left column of the display, to the left of each route. The status codes are described in the command output.
Prefix – The network prefix and mask length.

TABLE 248 BGP4 route information (Continued)
Field – Description
Weight – The value that this router associates with routes from a specific neighbor. For example, if the router receives routes to the same destination from two BGP4 neighbors, the router prefers the route from the neighbor with the larger weight.
Atomic – Whether network information in this route has been aggregated and this aggregation has resulted in information loss.

Table 249 lists the field definitions for the command output.

TABLE 249 BGP4 route-attribute entries information
Field – Description
Total number of BGP Attribute Entries – The number of routes contained in this router's BGP4 route table.
Next Hop – The IP address of the next hop router for routes that have this set of attributes.
Metric – The cost of the routes that have this set of attributes.
Origin – The source of the route information.
Brocade#show ip route
Total number of IP routes: 50834
B:BGP D:Directly-Connected O:OSPF R:RIP S:Static
Network Address   NetMask          Gateway
3.0.0.0           255.0.0.0        192.168.13.2
4.0.0.0           255.0.0.0        192.168.13.2
9.20.0.0          255.255.128.0    192.168.13.2
10.1.0.0          255.255.0.0      0.0.0.0
10.10.11.0        255.255.255.0    0.0.0.0
12.2.97.0         255.255.255.0    192.168.13.2
12.3.63.0         255.255.255.0    192.168.13.2
12.3.123.0        255.255.255.0    192.168.13.2
12.5.252.0        255.255.254.0    192.168.13.2
12.6.42.0         255.255.254.0    192.168.13.

TABLE 250 Route flap dampening statistics
Field – Description
Total number of flapping routes – The total number of routes in the Layer 3 switch BGP4 route table that have changed state and thus have been marked as flapping routes.
Status code – Indicates the dampening status of the route, which can be one of the following:
• > – This is the best route among those in the BGP4 route table to the route destination.
• d – This route is currently dampened, and thus unusable.
Updating route information and resetting a neighbor session

Brocade#show route-map setcomm
route-map setcomm permit 1
 set community 1234:2345 no-export
This example shows the active configuration for a route map called "setcomm".
Syntax: show route-map [<map-name>]

Displaying BGP4 graceful restart neighbor information
Use the show ip bgp neighbors command to display BGP4 restart information for BGP4 neighbors.
Brocade# show ip bgp neighbors
Total number of BGP Neighbors: 6
1   IP Address: 50.50.50.
Using soft reconfiguration
The soft reconfiguration feature places policy changes into effect without resetting the BGP4 session. Soft reconfiguration does not request the neighbor or group to send its entire BGP4 table, nor does the feature reset the session with the neighbor or group. Instead, the soft reconfiguration feature stores all the route updates received from the neighbor or group.
NOTE If you do not specify "in", the command applies to both inbound and outbound updates.
NOTE Only the syntax related to soft reconfiguration is shown. For complete command syntax, refer to "Dynamically refreshing routes" on page 1455.

Displaying the filtered routes received from the neighbor or peer group
When you enable soft reconfiguration, the Layer 3 switch saves all updates received from the specified neighbor or peer group.

Displaying all the routes received from the neighbor
To display all the route information received in route updates from a neighbor since you enabled soft reconfiguration, enter a command such as the following at any level of the CLI.
Brocade#show ip bgp neighbors 192.168.4.106 received-routes
There are 97345 received routes from neighbor 192.168.4.106
Searching for matching routes, use ^C to quit...
• RFC 2918, which describes the dynamic route refresh capability
The dynamic route refresh capability is enabled by default and cannot be disabled. When the Layer 3 switch sends a BGP4 OPEN message to a neighbor, the Layer 3 switch includes a Capability Advertisement to inform the neighbor that the Layer 3 switch supports dynamic route refresh.
NOTE The soft-outbound parameter updates all outbound routes by applying the new or changed filters, but sends only the existing routes affected by the new or changed filters to the neighbor. The soft out parameter updates all outbound routes, then sends the Layer 3 switch's entire BGP4 route table (Adj-RIB-Out) to the neighbor, after changing or excluding the routes affected by the filters. Use soft-outbound if only the outbound policy is changed.
Brocade#show ip bgp neighbors 10.4.0.2
1   IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1
    Description: neighbor 10.4.0.
neighbor as needed. This ensures that the neighbor receives only the routes you want it to contain. Even if the neighbor already contains a route learned from the Layer 3 switch that you later decided to filter out, using the soft-outbound option removes that route from the neighbor. You can specify a single neighbor or a peer group.
To close a neighbor session and thus flush all the routes exchanged by the Layer 3 switch and the neighbor, enter the following command.
Syntax: clear ip bgp neighbor all | <ip-addr> | <peer-group-name> | <as-num> traffic
The all | <ip-addr> | <peer-group-name> | <as-num> option specifies the neighbor. The <ip-addr> parameter specifies a neighbor by its IP interface with the Layer 3 switch. The <peer-group-name> parameter specifies all neighbors in a specific peer group. The <as-num> parameter specifies all neighbors within the specified AS. The all parameter specifies all neighbors.

Clearing diagnostic buffers
The Layer 3 switch stores the following BGP4 diagnostic information in buffers:
• The first 400 bytes of the last packet that contained an error
• The last NOTIFICATION message either sent or received by the Layer 3 switch
To display these buffers, use options with the show ip bgp neighbors command. Refer to "Displaying BGP4 neighbor information" on page 1428.
Chapter 34 IP Multicast Traffic Reduction on Brocade FastIron X Series switches Table 251 lists the individual Brocade FastIron X Series switches and the IP multicast traffic reduction features they support. These features are supported in the Layer 2, base Layer 3, and full Layer 3 software images, except where explicitly noted.
IGMP snooping overview An IGMP device's responsibility is to broadcast general queries periodically, and to send group queries when receiving a leave message, to confirm that none of the clients on the port still want specific traffic before removing the traffic from the port. IGMP V2 lets clients specify what group (destination address) will receive the traffic but not to specify the source of the traffic.
MAC address. Groups having the same MAC address are switched to the same destination ports, which are the superset of individual group output ports. Thus, the use of Layer 2 CAM might cause unwanted packets to be sent to some ports. However, the switch generally needs far less Layer 2 CAM than it does Layer 4 CAM, which is required for each stream with a different source and group.
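The "unwanted packets" in the paragraph above come from the IPv4 multicast-to-MAC mapping (RFC 1112): the destination MAC is 01:00:5e followed by the low 23 bits of the group address, so 32 groups share every MAC and a switch that forwards on the MAC alone sends each of them to the union of their ports. The following is an added example, not FastIron code: it computes the MAC, lists the 32 aliased groups, and, given constructed IGMP memberships, reports which ports receive a group they never joined. Port names and memberships are assumptions for the demonstration.

```python
"""Added example (not FastIron code): multicast MAC aliasing and the
ports it leaks traffic to when a switch forwards on Layer 2 CAM."""
from __future__ import annotations

import ipaddress


def multicast_mac(group: str) -> str:
    """01:00:5e + low 23 bits of the group address (RFC 1112)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group")
    low23 = int(addr) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return ":".join(f"{o:02x}" for o in octets)


def mac_aliases(group: str) -> list[str]:
    """All 32 IPv4 groups whose frames carry the same destination MAC:
    the 5 bits between the 1110 prefix and the low 23 bits are lost."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23))
            for i in range(32)]


def layer2_output_ports(memberships: dict[str, set[str]]) -> dict[str, set[str]]:
    """What a MAC-keyed (Layer 2 CAM) switch forwards: for each MAC, the
    union of the receiver ports of every group that maps to it."""
    by_mac: dict[str, set[str]] = {}
    for group, ports in memberships.items():
        by_mac.setdefault(multicast_mac(group), set()).update(ports)
    return by_mac


def leaked_ports(memberships: dict[str, set[str]]) -> dict[str, set[str]]:
    """Ports that receive a group they never joined because of aliasing.
    A Layer 4 CAM keyed on (source, group) has no such leak."""
    by_mac = layer2_output_ports(memberships)
    return {group: by_mac[multicast_mac(group)] - ports
            for group, ports in memberships.items()
            if by_mac[multicast_mac(group)] - ports}


if __name__ == "__main__":
    # Constructed memberships: three aliased groups joined on three ports.
    joins = {"224.1.1.1": {"1/1"}, "225.1.1.1": {"1/2"}, "239.1.1.1": {"1/3"}}
    for group, extra in leaked_ports(joins).items():
        print(f"{group} ({multicast_mac(group)}) also reaches {sorted(extra)}")
```

When you plan group addresses for an environment where the switch is CAM-limited, run mac_aliases() over the groups in use; two groups in the same alias set will be delivered to each other's receivers.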
Support for IGMP snooping and Layer 3 multicast routing together on the same device
The Brocade device supports global Layer 2 IP multicast traffic reduction (IGMP snooping) and Layer 3 multicast routing (DVMRP or PIM-Sparse or PIM-Dense) together on the same device in the full Layer 3 software image, as long as the Layer 2 feature configuration is at the VLAN level. Refer to "IP multicast protocols and IGMP snooping on the same device" on page 1606.
PIM SM traffic snooping overview
When multiple PIM sparse routers connect through a snooping-enabled device, the Brocade device always forwards multicast traffic to these routers. For example, PIM sparse routers R1, R2, and R3 connect through a device. Assume R2 needs traffic, and R1 sends it to the device, which forwards it to both R2 and R3, even though R3 does not need it.
The following figure shows another example application for PIM SM traffic snooping. This example shows devices on the edge of a Global Ethernet cloud (a Layer 2 Packet over SONET cloud). Assume that each device is attached to numerous other devices such as other Layer 2 Switches and Layer 3 Switches (routers).
NOTE This example assumes that the devices are actually Brocade devices running Layer 2 Switch software.
IGMP snooping configuration NOTE Use the passive mode of IGMP snooping instead of the active mode. The passive mode assumes that a router is sending group membership queries as well as join and prune messages on behalf of receivers. The active mode configures the device to send group membership queries. • All the device ports connected to the source and receivers or routers must be in the same port-based VLAN.
VLAN-specific IGMP snooping tasks
Perform the following VLAN-specific tasks:
• "Configuring the IGMP mode for a VLAN" (active or passive)
• "Disabling IGMP snooping on a VLAN"
• "Configuring the IGMP version for a VLAN"
• "Configuring static router ports"

Setting the maximum number of IGMP group addresses
When IGMP snooping is enabled, FastIron X Series devices support up to 4096 IGMP group addresses by default; the configurable range is from 256 through 8192. The configured number is the upper limit of an expandable database. Client memberships exceeding the group limit are not processed. Enter the system-max igmp-max-group-addr command to define the maximum number of IGMP group addresses.
Configuring the global IGMP mode
To globally set the IGMP mode to active, enter the following command.
Brocade(config)# ip multicast active
Syntax: [no] ip multicast [active | passive]
If you do not enter either active or passive, the passive mode is assumed.

Configuring the IGMP mode for a VLAN
If you specify an IGMP mode for a VLAN, it overrides the global setting. To set the IGMP mode for VLAN 20 to active, enter the following commands.
To specify a list of ports, enter each port as ethernet followed by the port number. For example: ethernet 1/24 ethernet 6/24 ethernet 8/17
To specify a range of ports, enter ethernet, the first port in the range, the keyword to, and the last port in the range. For example: ethernet 1/1 to 1/8
You can combine lists and ranges in the same command. For example: enable ethernet 1/1 to 1/8 ethernet 1/24 ethernet 6/24 ethernet 8/17
Syntax: [no] ip multicast age-interval <seconds>
The <seconds> parameter specifies the aging time. You can specify a value from 20 through 7200 seconds. The default is 260 seconds.

Modifying the query interval (active IGMP snooping mode only)
If IP multicast traffic reduction is set to active mode, you can modify the query interval to specify how often the device sends general queries.
The original command, ip igmp-report-control, has been renamed to ip multicast report-control. The original command is still accepted; however, it is renamed when you issue a show configuration command.

Modifying the wait time before stopping traffic when receiving a leave message
You can define the wait time before stopping traffic to a port when a leave message is received.
Specify the variable in one of the following formats:
• FSX 800 and FSX 1600 chassis devices –
• FESX compact switches –
To specify a list of ports, enter each port as ethernet followed by the port number. For example: ethernet 1/24 ethernet 6/24 ethernet 8/17
To specify a range of ports, enter ethernet, the first port in the range, the keyword to, and the last port in the range. For example: ethernet 1/1 to 1/8
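The port-list syntax above (lists of ethernet <port>, ranges of ethernet <first> to <last>, and any mix of the two) is the same wherever this guide takes a port list, and an audit of a saved configuration has to expand it to see which ports a command really touched. The following is an added example, not FastIron code: it expands a port list into individual ports, treats slot/port and unit/slot/port numbers alike, and rejects a range whose two ends are on different units or slots instead of guessing. The sample specs are constructed; port numbers beyond those quoted on this page are assumptions.

```python
"""Added example (not FastIron code): expand FastIron port-list syntax."""
from __future__ import annotations


def _split_port(port: str) -> list[int]:
    """'1/24' -> [1, 24]; '1/1/24' -> [1, 1, 24]; plain '24' is allowed too."""
    parts = port.split("/")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed port {port!r}")
    return [int(p) for p in parts]


def _join_port(parts: list[int]) -> str:
    return "/".join(str(p) for p in parts)


def expand_port_list(spec: str) -> list[str]:
    """Return every port named by a list/range spec, in CLI order, without
    repeats. Text before the first 'ethernet' keyword (for example a leading
    'enable') is ignored so a whole command line can be passed in."""
    tokens = spec.split()
    if "ethernet" not in tokens:
        raise ValueError("no 'ethernet' keyword in port list")
    tokens = tokens[tokens.index("ethernet"):]
    ports: list[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] != "ethernet" or i + 1 >= len(tokens):
            raise ValueError(f"expected 'ethernet <port>' at {tokens[i:i + 2]}")
        first = _split_port(tokens[i + 1])
        i += 2
        if i < len(tokens) and tokens[i] == "to":
            if i + 1 >= len(tokens):
                raise ValueError("'to' without a closing port")
            last = _split_port(tokens[i + 1])
            i += 2
            # A range runs over the last component only; unit and slot must match.
            if len(first) != len(last) or first[:-1] != last[:-1]:
                raise ValueError(f"range {_join_port(first)} to {_join_port(last)} "
                                 "crosses a unit or slot")
            if last[-1] < first[-1]:
                raise ValueError(f"range {_join_port(first)} to {_join_port(last)} "
                                 "runs backwards")
            for n in range(first[-1], last[-1] + 1):
                ports.append(_join_port(first[:-1] + [n]))
        else:
            ports.append(_join_port(first))
    return list(dict.fromkeys(ports))   # de-duplicate, keep order


def is_valid_port_list(spec: str) -> bool:
    """True if the spec parses; used to reject a list before applying it."""
    try:
        expand_port_list(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(expand_port_list("enable ethernet 1/1 to 1/8 ethernet 1/24 ethernet 6/24 ethernet 8/17"))
```

Run expand_port_list() over the static-router-port and fast-leave lines of a configuration to confirm that no range silently covers a port you did not intend to forward all multicast traffic to.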
To enable the tracking and fast leave feature for VLAN 20, enter the following commands.
Brocade(config)# vlan 20
Brocade(config-vlan-20)# multicast tracking
Syntax: [no] multicast tracking
The membership tracking and fast leave features are supported for IGMP V3 only. If any port or any client is not configured for IGMP V3, then the multicast tracking command is ignored.
PIM SM snooping configuration
Configuring PIM SM snooping on a Brocade device consists of the following global and VLAN-specific tasks.
Disabling PIM SM snooping on a VLAN
When PIM SM snooping is enabled globally, you can still disable it for a specific VLAN. For example, the following commands disable PIM SM snooping for VLAN 20. This setting overrides the global setting.
Brocade(config)# vlan 20
Brocade(config-vlan-20)# multicast disable-pimsm-snoop
Syntax: [no] multicast disable-pimsm-snoop

IGMP snooping show commands
This section describes the show commands for IGMP snooping.
Field – Description
Other Qr – How long it took a switch with a lower IP address to become a new querier. This value is 2 x Query + Max Resp.
cfg – The IGMP version for the specified VLAN. In this example, VL10: cfg V3 indicates that VLAN 10 is configured for IGMP V3.
vlan cfg – The IGMP configuration mode, which is either passive or active.
pimsm – Indicates that PIM SM is enabled on the VLAN.
rtr port – The router ports, which are the ports receiving queries.
Brocade# show ip multicast group 226.1.1.1 detail
Display group 226.1.1.1 in all interfaces in details.
p-:physical, ST:static, QR:querier, EX:exclude, IN:include, Y:yes, N:no
VL70 : 1 groups, 2 group-port, tracking_enabled
    group        p-port   ST    QR    life   mode   source
1   226.1.1.1    1/35     yes   yes   120    EX     0
    group: 226.1.1.1, EX, permit 0 (source, life):
      life=120, deny 0:
    group        p-port   ST    QR    life   mode   source
2   226.1.1.1    1/33     yes   yes   120    EX     0
    group: 226.1.1.

Displaying IGMP snooping mcache information
The IGMP snooping mcache contains multicast forwarding information for VLANs. To display information in the multicast forwarding mcache, enter the show ip multicast mcache command.
Brocade# show ip multicast mcache
Example: (S G) cnt=: cnt is number of SW processed packets
OIF: e1/22 TR(1/32,1/33), TR is trunk, e1/32 primary, e1/33 output
vlan 10, 1 caches. use 1 VIDX
1   (10.10.10.2 239.0.0.
The following table describes the output displayed by the show ip multicast resource command.
Field – Description
alloc – The allocated number of units.
in-use – The number of units currently in use.
avail – The number of available units.
get-fail – The number of resource allocation failures. NOTE: It is important to pay attention to this field.
limit – The upper limit of this expandable field.
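A non-zero get-fail count means the switch could not allocate a group or cache entry, and, as the group-limit description earlier in this chapter says, memberships beyond the limit are simply not processed: receivers stop getting traffic, and a host flooding membership reports can cause it deliberately. The following is an added example, not FastIron code: it parses the counters of a captured show ip multicast resource display into a table and raises findings for allocation failures and for resources close to their limit. The sample display is constructed to carry the five field names described above; the exact row layout of a given release may differ and the resource names used are assumptions.

```python
"""Added example (not FastIron code): monitor show ip multicast resource."""
from __future__ import annotations

import re

# Constructed sample; the column names come from the field table above.
SAMPLE_OUTPUT = """\
Brocade# show ip multicast resource
                       alloc  in-use   avail  get-fail   limit
  igmp group             512      21     491         0    8192
  igmp snoop mcache      512     509       3         7    8192
  pim neighbor          1024    1000      24         0    1024
"""

# A resource row: a name, then exactly five integer counters.
ROW = re.compile(
    r"^\s*(?P<name>[A-Za-z][\w -]*?)\s+(?P<alloc>\d+)\s+(?P<in_use>\d+)"
    r"\s+(?P<avail>\d+)\s+(?P<get_fail>\d+)\s+(?P<limit>\d+)\s*$"
)


def parse_resource_output(text: str) -> dict[str, dict[str, int]]:
    """Map each resource name to its counters; non-matching lines (prompt,
    column header) are skipped rather than guessed at."""
    table: dict[str, dict[str, int]] = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            table[match["name"].strip()] = {
                key: int(value) for key, value in match.groupdict().items() if key != "name"
            }
    return table


def resource_findings(table: dict[str, dict[str, int]], near_limit: float = 0.9) -> list[str]:
    """One finding per condition worth acting on: any allocation failure,
    or in-use at or above near_limit of the configured limit."""
    findings: list[str] = []
    for name, row in table.items():
        if row["get_fail"] > 0:
            findings.append(f"{name}: {row['get_fail']} allocation failures; "
                            "memberships or flows are being dropped")
        if row["limit"] and row["in_use"] >= near_limit * row["limit"]:
            findings.append(f"{name}: {row['in_use']}/{row['limit']} in use; "
                            "raise the system-max limit or check the join rate")
    return findings


if __name__ == "__main__":
    for finding in resource_findings(parse_resource_output(SAMPLE_OUTPUT)):
        print(finding)
```

Poll the command on a schedule and alert on any finding: a get-fail counter that keeps rising while in-use sits at the limit is the signature of membership exhaustion, whether from growth or from a report flood.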
Field – Description
GSQry – Number of group-source-specific queries received or sent.
Mbr – The membership report.
MbrV2 – The IGMP V2 membership report.
MbrV3 – The IGMP V3 membership report.
IsIN – Number of source addresses that were included in the traffic.
IsEX – Number of source addresses that were excluded in the traffic.
ToIN – Number of times the interface mode changed from EXCLUDE to INCLUDE.
ToEX – Number of times the interface mode changed from INCLUDE to EXCLUDE.
default V2
3/1/1 has 0 groups, This interface is Querier default V2
3/1/4 has 0 groups, This interface is Querier default V2
Syntax: show ip multicast vlan [<vlan-id>]
If you do not specify a VLAN ID, information for all VLANs is displayed.

Displaying the passive interface with no other querier present
The following example shows the output in which the VLAN interface is passive and no other querier is present with the lowest IP address.
1/1/16 has 4 groups, This interface is Querier default V2
    group: 226.6.6.6, life = 240
    group: 228.8.8.8, life = 240
    group: 230.0.0.0, life = 240
    group: 224.4.4.4, life = 240
1/1/24 has 1 groups, This interface is Querier default V2
    group: 228.8.8.8, life = 240
2/1/16 has 4 groups, This interface is Querier default V2
    group: 226.6.6.6, life
    group: 228.8.8.8, life
    group: 230.0.0.0, life
    group: 224.4.4.
1/1/16 has 4 groups, This interface is non-Querier (passive) default V2
    group: 226.6.6.6, life = 260
    group: 228.8.8.8, life = 260
    group: 230.0.0.0, life = 260
    group: 224.4.4.4, life = 260
1/1/24 has 1 groups, This interface is non-Querier (passive) default V2
    group: 228.8.8.8, life = 260
2/1/16 has 4 groups, This interface is non-Querier (passive) default V2
    group: 226.6.6.6, life = 260
    group: 228.8.8.8, life = 260
    group: 230.0.0.0, life = 260
    group: 224.4.4.
PIM SM snooping show commands
This section shows how to display information about PIM SM snooping, including:
• "Displaying PIM SM snooping information"
• "Displaying PIM SM snooping information on a Layer 2 switch"
• "Displaying PIM SM snooping information for a specific group or source group pair"

Displaying PIM SM snooping information
To display PIM SM snooping information, enter the show ip multicast pimsm-snooping command.
Brocade# show ip multicast pimsm-snooping
VLAN ID 100, total 3 entries
PIMSM Neighbor list:
    1.100.100.12 : 3/3 expire 120
    1.100.100.10 : 3/2 expire 170
    1.100.100.7  : 3/1 expire 160
1   Group: 224.0.1.22, fid 08ac, NO cam
    Forwarding Port: 3/3
    PIMv2 Group Port: 3/3
    (Source, Port) list: 1 entries
2   Group: 239.255.162.2, fid 08aa, cam
    Forwarding Port: 3/1 3/2
    PIMv2 Group Port: 3/1 3/2
    (Source, Port) list: 3 entries
3   Group: 239.255.163.

Field – Description
Multicast Group – The IP address of the multicast group. NOTE: The fid and camindex values are used by Brocade Technical Support for troubleshooting.
Forwarding Port – The ports attached to the group receivers. A port is listed here when it receives a join message for the group, an IGMP membership report for the group, or both.
PIMv2 Group Port – The ports on which the Layer 2 Switch has received PIM SM join messages for the group.
Clear commands for IGMP snooping
The clear IGMP snooping commands must be used only in troubleshooting conditions, or to recover from errors.
Clearing the IGMP mcache
To clear the mcache on all VLANs, enter the clear ip multicast mcache command.
Brocade# clear ip multicast mcache
Syntax: clear ip multicast mcache
Clearing the mcache on a specific VLAN
To clear the mcache on a specific VLAN, enter the following command.
Chapter 35 IP Multicast Traffic Reduction for FastIron WS and Brocade FCX and ICX Switches Table 252 lists the individual Brocade FastIron switches and the IP multicast traffic reduction features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
IGMP snooping overview An IGMP device is responsible for broadcasting general queries periodically, and sending group queries when it receives a leave message, to confirm that none of the clients on the port still want specific traffic before removing the traffic from the port. IGMPv2 lets clients specify what group (destination address) will receive the traffic but not to specify the source of the traffic.
The value can be 4, 8, 16, or 32. Any other value is rounded down to the next lower supported value; for example, a value of 15 is changed to 8. The default hash chain length is 4. A chain length of more than 4 may affect line-rate switching.
NOTE For this command to take effect, you must save the configuration and reload the switch.
The hardware resource limit applies only to the VLANs where IGMP snooping is enabled.
The implementation allows snooping on some VLANs or all VLANs. Each VLAN can independently enable or disable IGMP, or configure V2 or V3. In general, the global ip multicast configuration commands apply to every VLAN except those that have local multicast configurations (which supersede the global configuration). IGMP also allows independent configuration of individual ports in a VLAN for either IGMPv2 or IGMPv3.
PIM SM traffic snooping overview VLAN specific configuration You can configure IGMP snooping on some VLANs or on all VLANs. Each VLAN can be independently enabled or disabled for IGMP snooping, and can be configured for IGMPv2 or IGMPv3. In general, the ip multicast commands apply globally to all VLANs except those configured with VLAN-specific multicast commands. The VLAN-specific multicast commands supersede the global ip multicast commands.
FIGURE 171 PIM SM traffic reduction in an enterprise network
[Figure: the Layer 2 switch snoops for PIM SM join and prune messages, detects the source on port 1/1 and a receiver for the source group on port 5/1, and forwards multicast data from the source on 1/1 to the receiver via 5/1 only. Source for groups 239.255.162.1 and 239.255.162.69 on VLAN 2, port 1/1; router 10.10.10.5 on VLAN 2, port 5/1; router 20.20.20. on VLAN 2, port 7/1.]
IGMP snooping configuration Notice that the ports connected to the source and the receivers are all in the same port-based VLAN on the device. This is required for the PIM SM snooping feature. The devices on the edge of the Global Ethernet cloud are configured for IP multicast traffic reduction and PIM SM traffic snooping. Although this application uses multiple devices, the feature has the same requirements and works the same way as it does on a single device.
Configuring the hardware and software resource limits
The system supports up to 8K hardware-switched multicast streams. The configurable range is from 256 through 8192 with a default of 512. However, for ICX 6430 devices, the range is from 256 through 1024, and the default is 256. Enter the system-max igmp-snoop-mcache command to define the maximum number of IGMP snooping cache entries.

Modifying the age interval
When the device receives a group membership report, it makes an entry for that group in the IGMP group table. The age interval specifies how long the entry can remain in the table before the device must receive another group membership report. When multiple devices connect together, all devices must be configured for the same age interval, which must be at least twice the length of the query interval, so that missing one report does not stop traffic.
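The "at least twice the query interval" rule above follows from the timers: a report refreshes the entry to the age interval, reports arrive once per general query, and a client that misses one query does not report again until the next one, so the gap between reports becomes two query intervals. The following is an added example, not FastIron code: it simulates that timing for a chosen pair of intervals and checks a set of devices against the rule (and against the 20..7200 second range quoted earlier for the age interval). The device names and the interval values are constructed; the page's own default age of 260 seconds is used with an assumed query interval of 125 seconds.

```python
"""Added example (not FastIron code): IGMP snooping age/query timer check."""
from __future__ import annotations


def entry_survives(query: int, age: int, missed_query: int = 3, queries: int = 10) -> bool:
    """Simulate one group entry. The initial report arrives at t = 0, the
    querier sends a general query every `query` seconds, and the client
    answers every query except number `missed_query`. Returns False if the
    entry ages out before the next report refreshes it. The max-response
    delay is ignored; including it only widens the gap."""
    expires_at = age
    for n in range(1, queries + 1):
        t = n * query
        if t > expires_at:          # aged out before this report arrived
            return False
        if n != missed_query:
            expires_at = t + age    # report refreshes the entry
    return True


def minimum_age(query: int) -> int:
    """Smallest age interval that tolerates a single missed report."""
    return 2 * query


def check_snooping_timers(devices: dict[str, tuple[int, int]]) -> list[str]:
    """devices maps a device name to (query_interval, age_interval) in
    seconds. Returns findings; an empty list means the rules hold."""
    findings: list[str] = []
    ages = {age for _, age in devices.values()}
    if len(ages) > 1:
        findings.append(f"age intervals differ across devices: {sorted(ages)}")
    for name, (query, age) in devices.items():
        if not 20 <= age <= 7200:
            findings.append(f"{name}: age-interval {age} is outside 20..7200")
        if age < minimum_age(query):
            findings.append(f"{name}: age {age} < 2 x query {query}; "
                            "one missed report stops traffic")
    return findings


if __name__ == "__main__":
    # Constructed topology: two snooping switches on the same VLAN.
    fleet = {"sw1": (125, 200), "sw2": (125, 260)}
    for query, age in fleet.values():
        print(f"query={query} age={age}: survives one missed report: "
              f"{entry_survives(query, age)}")
    for finding in check_snooping_timers(fleet):
        print(finding)
```

Note that the simulation treats age == 2 x query as still surviving, matching the "at least twice" wording; in practice leave headroom for the max-response delay the model ignores.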
IGMPv2 membership reports of the same group from different clients are considered to be the same and are rate-limited. Use the ip multicast report-control command to alleviate report storms from many clients answering the upstream router query.
Brocade(config)# ip multicast report-control
Syntax: [no] ip multicast report-control
The original command, ip igmp-report-control, has been renamed to ip multicast report-control.
Syntax: [no] ip pimsm-snooping
NOTE The device must be in passive mode before it can be configured for PIM snooping.
Configuring the IGMP mode for a VLAN
You can configure a VLAN to use the active or passive IGMP mode. The default mode is passive.
Configuring the IGMP version for the VLAN
You can specify the IGMP version for a VLAN. For example, the following commands configure VLAN 20 to use IGMPv3.
Brocade(config)# vlan 20
Brocade(config-vlan-20)# multicast version 3
Syntax: [no] multicast version 2 | 3
If no IGMP version is specified, then the globally-configured IGMP version is used. If an IGMP version is specified for individual ports, those ports use that version, instead of the VLAN version.
Configuring static router ports
FastIron Stackable devices forward all multicast control and data packets to router ports which receive queries. Although router ports are learned, you can force multicast traffic to specified ports even though these ports never receive queries. To configure static router ports, enter the following commands.
Every group on a physical port keeps its own tracking record. However, it can only track group membership; it cannot track by (source, group). For example, Client A and Client B belong to group1 but each receives traffic streams from different sources. Client A receives a stream from (source_1, group1) and Client B receives a stream from (source_2, group1).
Displaying IGMP snooping information
This section describes the show commands for IGMP snooping.

Displaying IGMP errors
To display information about possible IGMP errors, enter the show ip multicast error command.
Brocade# show ip multicast error
snoop SW processed pkt: 173, up-time 160 sec
Syntax: show ip multicast error
The following table describes the output from the show ip multicast error command.
If the tracking and fast leave features are enabled, you can display the list of clients that belong to a particular group by entering the following command.
Brocade# show ip multicast group 224.1.1.1 tracking
Display group 224.1.1.1 in all interfaces with tracking enabled.

Displaying IGMP snooping mcache information
The IGMP snooping mcache contains multicast forwarding information for VLANs. To display information in the multicast forwarding mcache, enter the show ip multicast mcache command.
Brocade# show ip multicast mcache
Example: (S G) cnt=: cnt: SW proc. count
OIF: 0/1/22 TR(0/1/32,0/1/33), TR is trunk, 0/1/32 primary, 0/1/33 output
vlan 1, 1 caches. use 1 VIDX
1   (1.2.10.102 225.1.1.
This output shows the number of OIFs due to PIM out of the total OIFs. The join or prune messages are source-specific. In this case, if the mcache is in (* G), the display function also prints the traffic source information.

Displaying software resource usage for VLANs
To display information about the software resources used, enter the show ip multicast resource command.
Displaying status of IGMP snooping traffic
To display status information for IGMP snooping traffic, enter the show ip multicast traffic command.
Displaying IGMP snooping information Displaying IGMP snooping information by VLAN You can display IGMP snooping information for all VLANs or for a specific VLAN. For example, to display IGMP snooping information for VLAN 70, enter the show ip multicast vlan number command. Brocade# show ip multicast vlan 70 version=2, query-t=30, group-aging-t=140, max-resp-t=3, other-qr-present-t=63 VL70: dft V2, vlan cfg passive, , pimsm (vlan cfg), track, 0 grp, 1 (*G) cache, rtr ports, router ports: 0/1/13(140) 1.1.70.
Displaying IGMP snooping information Active interface with no other querier present The following example shows the output in which the VLAN interface is active and no other querier is present with the lowest IP address.
Displaying IGMP snooping information This interface is non-Querier (passive) default V2 3/1/1 has 0 groups, This interface is non-Querier (passive) default V2 3/1/4 has 0 groups, This interface is non-Querier (passive) default V2 Active interface with other querier present The following example shows the output in which the VLAN interface is active and another querier is present with the lowest IP address.
Displaying IGMP snooping information group: 224.4.4.4, life = 260 3/1/4 has 1 groups, This interface is non-Querier Querier is 8.8.8.8 Age is 0 Max response time is 100 default V2 **** Warning! has V3 (age=0) nbrs group: 236.6.6.6, life = 260 Passive interface with other querier present The following example shows the output in which the VLAN interface is passive and another querier is present with the lowest IP address.
group: 224.4.4.4, life = 260
3/1/4 has 1 groups, This interface is non-Querier (passive)
Querier is 8.8.8.8 Age is 0 Max response time is 100
default V2 **** Warning! has V3 (age=0) nbrs
group: 236.6.6.6, life = 260

Clear IGMP snooping commands

The clear IGMP snooping commands must be used only in troubleshooting conditions or to recover from errors.
Chapter 36 IP Multicast Protocols

Table 253 lists the individual Brocade FastIron switches and the IP multicast features they support. These features are supported in the full Layer 3 software image only.
NOTE
This chapter applies only to IP multicast routing. To configure Layer 2 multicast features, refer to Chapter 34, “IP Multicast Traffic Reduction on Brocade FastIron X Series switches” and Chapter 35, “IP Multicast Traffic Reduction for FastIron WS and Brocade FCX and ICX Switches”.

IP multicast overview

Multicast protocols allow a group or channel to be accessed over different networks by multiple stations (clients) that receive and transmit multicast data.
Supported Layer 3 multicast routing protocols

Brocade Layer 3 switches support the multicast routing protocols DVMRP and PIM along with the Internet Group Membership Protocol (IGMP). PIM and DVMRP are broadcast-and-prune multicast protocols that deliver IP multicast datagrams. Each protocol employs a reverse path lookup check and pruning so that source-specific multicast delivery trees reach all group members.

Global IP multicast parameters
• Maximum number of DVMRP groups – You can change the maximum number of groups for which the software allocates memory. By default, FastIron X Series Layer 3 Switches support up to 1024 DVMRP groups.
• Internet Group Membership Protocol (IGMP) V1 and V2 parameters – You can change the query interval, group membership time, and maximum response time.
Defining the maximum number of PIM cache entries

The PIM cache system parameter defines the maximum number of multicast cache entries; each entry tracks PIM traffic sent from one source address and received by one destination group address. To define this maximum, enter the system-max pim-mcache command.

Brocade(config)#system-max pim-mcache 999

Syntax: system-max pim-mcache

The parameter specifies the maximum number of multicast cache entries for PIM.
Modifying IGMP (V1 and V2) membership time

The group membership time defines how long a group remains active on an interface in the absence of a group report. To define an IGMP (V1 and V2) membership time of 240 seconds, enter the ip igmp group-membership-time command.

Brocade(config)#ip igmp group-membership-time 240

Syntax: ip igmp group-membership-time

The variable specifies the IGMP group membership time in seconds.
Syntax: [no] ip igmp static-group [ [ count ] | drop | [ethernet ] ]

The parameter specifies the group number. The count parameter specifies the number of contiguous groups per VLAN; the value must be from 1 through 512. The drop parameter specifies the number of dropped multicast packets. The drop option is available only for static groups on a VLAN.
Manually added groups are included in the group information displayed by the following commands:
• show ip igmp group
• show ip pim group

PIM Dense

NOTE
This section describes the “dense” mode of PIM, described in RFC 1075. Refer to “PIM Sparse” on page 1531 for information about PIM Sparse.

PIM was introduced to reduce some of the complexity of the routing protocol, at the cost of additional overhead from the greater replication of forwarded multicast packets.
For example, in Figure 172 the sender with address 207.95.5.1 is sending multicast packets to the group 229.225.0.1. If a PIM switch receives packets for any group other than that group, the switch discards them and sends a prune message to the upstream PIM switch. In Figure 173, switch S5 is a leaf node with no group members in its IGMP database. Therefore, the switch must be pruned from the multicast tree.
[Figure 173 (image not preserved): pruning a multicast tree. The video conferencing server 207.95.5.1 sends to group 229.225.0.1, shown as (Source, Group) = (207.95.5.1, 229.225.0.1). Routers R1 through R6 connect the group members; R5 is a leaf node with no group members and sends a prune message to the upstream router R4; an intermediate node with no group members also appears.]

Grafts to a multicast tree

A PIM switch restores pruned branches to a multicast tree by sending graft messages towards the upstream switch.
The CLI commands for configuring and managing PIM DM are the same for V1 and V2. The only difference is the command you use to enable the protocol on an interface.

NOTE
Version 2 is the default PIM DM version. The only difference between version 1 and version 2 is the way the protocol sends messages. The change is not apparent in most configurations. You can use version 2 instead of version 1 with no impact to your network.
Globally Enabling and Disabling PIM without Deleting Multicast Configuration

As stated above, entering the no router pim command deletes the PIM configuration. If you want to disable PIM without deleting any PIM configuration, enter the following commands.

Brocade(config)#router pim
Brocade(config-pim-router)#disable-pim

Syntax: [no] disable-pim

Use the no version of the command to re-enable PIM.
To apply a PIM neighbor timeout value of 360 seconds to all ports on the router operating with PIM, enter the following.

Brocade(config)#router pim
Brocade(config-pim-router)#nbr-timeout 360

Syntax: nbr-timeout <60-8000>

The default is 180 seconds.

Modifying hello timer

This parameter defines the interval at which periodic hellos are sent out PIM interfaces. Routers use hello messages to inform neighboring routers of their presence. The default rate is 60 seconds.
To set the prune wait time to zero, enter the following commands.

Brocade(config)#router pim
Brocade(config-pim-router)#prune-wait 0

Syntax: prune-wait
Total number of IP routes: 19
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
    Destination    NetMask          Gateway        Port
..
9   172.17.41.4    255.255.255.252  *137.80.127.3  v11
    172.17.41.4    255.255.255.252  137.80.126.3   v10
    172.17.41.4    255.255.255.252  137.80.129.1   v13
    172.17.41.4    255.255.255.252  137.80.128.3   v12
10  172.17.41.8    255.255.255.252  0.0.0.
Configuration syntax for modifying the TTL

To configure a TTL of 24, enter the following.

Brocade(config-if-3/24)#ip pim ttl-threshold 24

Syntax: ip pim ttl-threshold <1-31>

Dropping PIM traffic in hardware

Unwanted PIM Dense or PIM Sparse multicast traffic can be dropped in hardware on Layer 3 switches. This feature does not apply to DVMRP traffic. Refer to “Passive multicast route insertion” on page 1579.
TABLE 254 Output of the show ip pim dense command

Prune Age – The number of packets the device sends using the path through the RP before switching to using the SPT path.
Prune Wait Interval – The amount of time a PIM device waits before stopping traffic to neighbor devices that do not want the traffic. The value can be from zero to three seconds. The default is three seconds.
Interface – The type of interface and the interface number.

PIM Sparse
FIGURE 174 Example of a PIM Sparse domain

[Figure residue: PIM Sparse Switch B (Port2/1 207.95.8.10, Port2/2 207.95.7.1) is also the Bootstrap Router (BR) for this PIM Sparse domain and the Rendezvous Point (RP) for the PIM Sparse groups in this domain. PIM Sparse Switch A and PIM Sparse Switch C connect to Switch B through Port3/8 207.95.8.1 and Port3/8 207.95.7.2 (the Rendezvous Point (RP) path) and to each other through VE 1 207.95.6.2 and VE 1 207.95.6.1 (the Shortest Path Tree (SPT) path). 209.157.24.162 is the source for group 239.255.162.1; the receiver for group 239. (address truncated in the source) is on the far side.]
To enhance overall network performance, Brocade Layer 3 switches use the RP to forward only the first packet from a group source to the group receivers. After the first packet, the Layer 3 switch calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver. The Layer 3 switch calculates a separate SPT for each source-receiver pair.
NOTE
Brocade recommends that you configure the same Layer 3 switch as both the BSR and the RP.

PIM Sparse limitations in this release

The implementation of PIM Sparse in the current software release has the following limitations:
• PIM Border Routers (PMBRs) are not supported. Thus, you cannot configure a Brocade routing interface as a PMBR interface for PIM Sparse.
• PIM Sparse and regular PIM (dense mode) cannot be used on the same interface.
Configuring PIM interface parameters

After you enable IP multicast routing and PIM Sparse at the global level, you must enable it on the individual interfaces connected to the PIM Sparse network. To do so, use the following CLI method.

To enable PIM Sparse mode on an interface, enter commands such as the following.

Brocade(config)#interface ethernet 2/2
Brocade(config-if-2/2)#ip address 207.95.7.1 255.255.255.
• Enter ethernet [/] for a physical interface (port).
• Enter ve for a virtual interface.
• Enter loopback for a loopback interface.

The parameter specifies the number of bits in a group address that are significant when calculating the group-to-RP mapping. You can specify a value from 1 – 32.

NOTE
Brocade recommends you specify 30 for IP version 4 (IPv4) networks.

The parameter specifies the BSR priority. You can specify a value from 0 – 255.
The usage of the parameter is the same as for the rp-candidate add command. If you enter both commands shown in the example above, the net effect is that the Layer 3 switch becomes a candidate RP for groups 224.126.0.0 – 224.126.21.255 and groups 224.126.23.0 – 224.126.255.255.
• Shortest Path – Each PIM Sparse router that is a DR for a multicast source calculates a shortest path tree (SPT) to all the PIM Sparse group receivers within the domain, with the Layer 3 switch itself as the root of the tree. The first time a Brocade Layer 3 switch configured as a PIM router receives a packet for a PIM receiver, the Layer 3 switch sends the packet to the RP for the group. The Layer 3 switch also calculates the SPT from itself to the receiver.
The parameter specifies the number of seconds and can be from 1 – 65535. The default is 60.

Dropping PIM traffic in hardware

Unwanted PIM Dense or PIM Sparse multicast traffic can be dropped in hardware on Layer 3 switches. This feature does not apply to DVMRP. Refer to “Passive multicast route insertion” on page 1579.

ACL based RP assignment

The rp-address command allows multiple static RP configurations.
Displaying the static RP

Use the show ip pim rp-set command to display static RP and the associated group ranges.

Brocade(config)# show ip pim rp-set
Static RP and associated group ranges
------------------------------------
Static RP count: 4
130.1.1.1
120.1.1.1
120.2.1.1
124.1.1.1
Number of group prefixes Learnt from BSR: 0
No RP-Set present.

Use the show ip pim rp-map command to display all current multicast group addresses to RP address mapping.
NOTE
The anycast RP address must not be the IGP router-id.

• Enable PIM-SM on all interfaces on which multicast routing is desired.
• Enable an IGP on each of the loopback interfaces and physical interfaces configured for PIM-SM.
• Configure loopback interfaces with unique IP addresses on each of the RPs for MSDP peering. This loopback interface is also used as the MSDP originator-id.
RP 1 configuration

The following commands provide the configuration for the RP 1 router in Figure 175.
RP2(config-if-e1000-5/1)# ip pim-sparse
RP2(config)# interface ethernet 5/2
RP2(config-if-e1000-5/2)# ip ospf area 0
RP2(config-if-e1000-5/2)# ip ospf cost 5
RP2(config-if-e1000-5/2)# ip address 192.5.2.
PIMR2(config-if-e1000-1/3)# exit
PIMR2(config)# router pim
PIMR2(config-pim-router)# rp-address 10.0.0.
Displaying PIM Sparse configuration information and statistics

You can display the following PIM Sparse information:
• Basic PIM Sparse configuration information
• Group information
• BSR information
• Candidate RP information
• RP-to-group mappings
• RP information for a PIM Sparse group
• RP set list
• PIM Neighbor information
• The PIM flow cache
• The PIM multicast cache
• PIM traffic statistics

Displaying basic PIM Sparse configuration information

To display basic configuration informati
Table 255 shows the information displayed by the show ip pim sparse command.

TABLE 255 Output of the show ip pim sparse command

Global PIM Sparse mode settings
Hello interval – How frequently the Layer 3 switch sends PIM Sparse hello messages to its PIM Sparse neighbors. This field shows the number of seconds between hello messages. PIM Sparse routers use hello messages to discover one another.
Displaying a list of multicast groups

To display a list of the IP multicast groups the Layer 3 switch is forwarding, enter the show ip pim group command at any CLI level.

Brocade#show ip pim group
Total number of Groups: 2
Index  Group          Ports
1      239.255.162.1  e3/11

Syntax: show ip pim group

This display shows the following information.
Table 257 shows the information displayed for the show ip pim bsr command.

TABLE 257 Output of show ip pim bsr

BSR address or local BSR address – The IP address of the interface configured as the PIM Sparse Bootstrap Router (BSR).
Uptime – The amount of time the BSR has been running.

NOTE: If the word “local” does not appear in the field, this Layer 3 switch is the BSR. If the word “local” does appear, this Layer 3 switch is not the BSR.
Displaying PIM resources

To display the hardware resource information such as hardware allocation, availability, and limit for software data structures, enter the show ip pim resource command.
Table 258 shows the information displayed for each software data structure listed in the output of the show ip pim resource command.

TABLE 258 Output of show ip pim resource

alloc – Number of nodes of that data structure that are currently allocated in memory.
in-use – Number of allocated nodes in use.
avail – Number of allocated nodes that are not in use.
get-fail – Number of node allocations that failed.
limit – Maximum number of nodes that can be allocated for a data structure.
TABLE 259 Output of show ip pim rp-candidate

Candidate-RP-advertisement in – Indicates how many seconds will pass before the BSR sends its next RP message.
NOTE: This field appears only if this Layer 3 switch is a candidate RP.
RP – Indicates the IP address of the Rendezvous Point (RP).
NOTE: This field appears only if this Layer 3 switch is a candidate RP.
group prefixes – Indicates the multicast groups for which the RP listed by the previous field is a candidate RP.
Table 261 shows the information displayed by the show ip pim rp-hash command.

TABLE 261 Output of show ip pim rp-hash

RP – Indicates the IP address of the Rendezvous Point (RP) for the specified PIM Sparse group. Following the IP address is the method through which this Layer 3 Switch learned the identity of the RP.
Info source – Indicates the IP address on which the RP information was received.
Displaying multicast neighbor information

To display information about the Layer 3 switch PIM neighbors, enter the show ip pim neighbor command at any CLI level.

Brocade#show ip pim neighbor
Total number of neighbors: 250 on 1 ports
Port  Phy_p   Neighbor   Holdtime
v101  3/1/12  173.1.1.2  180
v102  3/1/11  173.1.2.2  180
v103  3/1/13  173.1.3.2  180
v104  2/1/11  173.1.4.2  180
v105  2/1/12  173.1.
Syntax: show ip pim | dvmrp rpf

The argument is a valid source IP address.

NOTE
If there are multiple equal cost paths to the source, the show ip pim rpf command output may not be accurate. If your system has multiple equal cost paths, use the show ip pim mcache command to view information about the upstream neighbor.

Displaying the PIM flow cache

To display the PIM flow cache, enter the following command at any CLI level.

Brocade #show ip pim flowcache 228.2.2.
Displaying the PIM multicast cache

To display the PIM multicast cache, enter the show ip pim mcache command at any CLI level.

Brocade#show ip pim mcache
Total 2 entries
Example: (S G) in v40 (e2/3) cnt= : e2/3 is phy. of input v40, cnt: SW hit incl. drop
HW: CAM switched, SW: cpu switched, OAR: SW one-arm-routing, VL: vlan trunking
TR(e3/3,e3/4): e3/3 is primary trunk port, e3/4 is real out p.
TABLE 264 Output of show ip pim mcache (Continued)

Sparse Mode – Indicates whether the cache entry is for regular PIM (dense mode) or PIM Sparse. This flag can have one of the following values:
• 0 – The entry is not for PIM Sparse (and is therefore for the dense mode of PIM).
• 1 – The entry is for PIM Sparse.
RPT – Indicates whether the cache entry uses the RP path or the SPT path.
NOTE
If you have configured interfaces for standard PIM (dense mode) on the Layer 3 switch, statistics for these interfaces are listed first by the display.

This display shows the following information.

TABLE 265 Output of show ip pim traffic

Port – The port or virtual interface on which the PIM interface is configured.
Hello – The number of PIM Hello messages sent or received on the interface.
J/P – The number of Join/Prune messages sent or received on the interface.
PIM Passive

PIM Passive is used to reduce and minimize unnecessary PIM Hello and other PIM control messages. PIM Passive allows you to specify that the interface is “passive” in regards to PIM. No PIM control packets are sent or processed (if received), but hosts can still send and receive multicast traffic and IGMP control traffic on that interface.
Multicast Source Discovery Protocol (MSDP)

Figure 176 shows an example of some PIM Sparse domains. For simplicity, this example shows only one Designated Router (DR), one group source, and one receiver for the group. Only one PIM Sparse router within each domain needs to run MSDP.
FIGURE 176 PIM Sparse domains joined by MSDP routers

[Figure residue: PIM Sparse Domain 1 contains the Designated Router (DR), a Rendezvous Point (RP) at 206.251.17.41 and the source 206.251.14.22 for group 232.1.0.95; PIM Sparse Domain 2 contains another Rendezvous Point (RP). Step 1 (label truncated in the source). Step 2: the RP sends an SA message through MSDP to its MSDP peers in other PIM Sparse domains (Source Advertisement message). Step 3: the RP that receives the SA floods the SA to all its MSDP peers, except the one that sent the SA.]
Figure 176 shows only one peer for the MSDP router (which is also the RP here) in domain 1, so the Source Active message goes to only that peer. When an MSDP router has multiple peers, it sends a Source Active message to each of those peers. Each peer sends the Source Advertisement to its other MSDP peers. The RP that receives the Source Active message also sends a Join message for the group if the RP that received the message has receivers for the group.
However, if Source Active caching is enabled on the MSDP and RP router, the RP caches the Source Active messages it receives. In this case, even if the RP does not have a receiver for a group when the RP receives the Source Active message for the group, the RP can immediately send a Join for a new receiver that wants to join the group, without waiting for the next Source Active message from the RP in the source domain.
NOTE
It is strongly recommended that you use the connect-source loopback parameter when issuing the msdp-peer command. If you do not use this parameter, the Layer 3 switch uses the subnet interface configured on the port. Also, make sure the IP address of the connect-source loopback is the same as the source IP address used by the MSDP router, the PIM-RP, and the BGP router.
• sa-filter in – Filters source-group pairs received in Source-Active messages from an MSDP neighbor
• sa-filter originate – Filters source-group pairs in Source-Active messages in advertisements to an MSDP neighbor

Filtering incoming source-active messages

The following example configures filters for incoming Source-Active messages from three MSDP neighbors:
• For peer 2.2.2.
NOTE
The default action rule for a route-map is to deny all routes that are not explicitly permitted. If you configure a “deny” route map but want to permit other routes that do not match the rule, configure an “empty” permit route map, as shown in the following example.
NOTE
The default filter action is deny. If you want to permit some source-group pairs, use a route map. A permit action in the route map allows the Layer 3 switch to receive the matching source-group pairs. A deny action in the route map drops the matching source-group pairs.

Filtering advertised source-active messages

The following example configures the Layer 3 switch to advertise all source-group pairs except the ones that have source address 10.x.x.x.
The route-map parameter specifies a route map. The Layer 3 switch applies the filter to source-group pairs that match the route map. Use the match ip address command in the route map to specify an extended ACL that contains the source and group addresses.

NOTE
The default filter action is deny. If you want to permit some source-group pairs, use a route map.
The peer-address parameter specifies the IP address of the MSDP peer that is being placed in the group.

NOTE
On each of the devices that will be part of the mesh-group, there must be a mesh-group definition for all the peers in the mesh-group. Up to 32 MSDP peers can be configured per mesh group.

Example configuration of an MSDP mesh group

In Figure 177, devices A, B, C, and D are in Mesh Group 1234.
Brocade(config)# router msdp
Brocade(config-msdp-router)# msdp-peer 1.1.3.1 connect-source loopback 1
Brocade(config-msdp-router)# msdp-peer 1.1.4.1 connect-source loopback 1
Brocade(config-msdp-router)# msdp-peer 1.1.2.1 connect-source loopback 1
Brocade(config-msdp-router)# msdp-peer 17.17.17.7
Brocade(config-msdp-router)# mesh-group 1234 1.1.4.1
Brocade(config-msdp-router)# mesh-group 1234 1.1.3.
MSDP mesh group configuration for Device B

The following set of commands configures the MSDP peers of Device B. All Device B peers (1.1.1.1, 1.1.3.1, and 1.1.4.1) are in the MSDP mesh group 1234. Multicast is enabled on Device B interfaces. PIM and BGP are also enabled.
Brocade(config-router-bgp)# neighbor 12.12.12.1 next-hop-self
Brocade(config-router-bgp)# redistribute connected
Brocade(config-router-bgp)# write memory

MSDP mesh group configuration for Device C

The following set of commands configures the MSDP peers of Device C (1.1.3.1) that are inside and outside MSDP mesh group 1234. Device C peers inside the mesh group 1234 are 1.1.1.1, 1.1.2.1, and 1.1.4.1. Device 35.35.35.
Brocade(config)# router bgp
Brocade(config-router-bsr)# local-as 333
Brocade(config-router-bsr)# neighbor 35.35.35.5 remote-as 555
Brocade(config-router-bsr)# neighbor 35.35.35.5 next-hop-self
Brocade(config-router-bsr)# neighbor 32.32.32.2 remote-as 222
Brocade(config-router-bsr)# neighbor 32.32.
Brocade(config)# interface ethernet 7/8
Brocade(config-if-)# ip address 134.134.134.4 255.255.255.
This display shows the following information.

TABLE 266 MSDP summary information

Peer Address – The IP address of the peer interface with the Layer 3 switch.
State – The state of the MSDP router connection with the peer. The state can be one of the following:
• CONNECTING – The session is in the active open state.
• ESTABLISHED – The MSDP session is fully up.
• INACTIVE – The session is idle.
Brocade(config-msdp-router)# show ip msdp peer
Total number of MSDP Peers: 2
1 IP Address 206.251.17.
TABLE 267 MSDP peer information (Continued)

Notifications Received – The number of Notification messages the MSDP router has received from the peer.
Source-Active Sent – The number of Source Active messages the MSDP router has sent to the peer.
Source-Active Received – The number of Source Active messages the MSDP router has received from the peer.
Last Connection Reset Reason – The reason the previous session with this neighbor ended.
TABLE 267 MSDP peer information (Continued)

TCP connection state – The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
Displaying source active cache information

To display the Source Actives in the MSDP cache, enter the show ip msdp sa-cache command.

Brocade(config-msdp-router)# show ip msdp sa-cache
Total Entry 4096, Used 1800 Free 2296
Index  SourceAddr GroupAddr Age
1      (100.100.1.254, 232.1.0.95), RP:206.251.17.41, Age:0
2      (100.100.1.254, 237.1.0.98), RP:206.251.17.41, Age:30
3      (100.100.1.254, 234.1.0.48), RP:206.251.17.41, Age:30
4      (100.100.1.254, 239.1.0.
The command in this example clears the MSDP peer connection with MSDP router 205.216.162.1. The CLI displays a message to indicate when the connection has been successfully closed.

Passive multicast route insertion
Brocade#show ip pim mcache
1 (10.10.10.18 226.0.1.56) in v10 (e1), cnt=2
Source is directly connected
Sparse Mode, RPT=0 SPT=1 REG=1
MSDP Adv=0 MSDP Create=0
fast=0 slow=0 pru=1 graft age drop age=0s up-time=2m
HW=1 L2-vidx=8191

DVMRP overview

Brocade routers provide multicast routing with the Distance Vector Multicast Routing Protocol (DVMRP) routing protocol. DVMRP uses Internet Group Membership Protocol (IGMP) to manage the IP multicast groups.
Pruning a multicast tree

After the multicast tree is constructed, pruning of the tree occurs after IP multicast packets begin to traverse the tree. As multicast packets reach leaf networks (subnets with no downstream interfaces), the local IGMP database checks for the recently arrived IP multicast packet address.
[Figure 178 (image not preserved): pruning a multicast tree. The video conferencing server 207.95.5.1 sends to group 229.225.0.1, shown as (Source, Group) = (207.95.5.1, 229.225.0.1). Routers R1 through R6 connect the group members; R5 is a leaf node with no group members and sends a prune message to the upstream router R4; an intermediate node with no group members also appears.]

DVMRP configuration on the Layer 3 switch and interface
DVMRP is enabled on each of the Brocade Layer 3 switches shown in Figure 178 on which multicasts are expected. You can enable DVMRP on each Layer 3 switch independently or remotely from one Layer 3 switch by a Telnet connection. Follow the same steps for each Layer 3 switch.

Globally enabling and disabling DVMRP

To globally enable DVMRP, enter the router dvmrp command.
• Default route

Modifying neighbor timeout

The neighbor timeout specifies the period of time that a router waits before it defines an attached DVMRP neighbor router as down. Possible values are 40 – 8000 seconds. The default value is 180 seconds. To modify the neighbor timeout value to 100, enter the nbr command.

Brocade(config-dvmrp-router)#nbr 100

Syntax: nbr-timeout <40-8000>

The default is 180 seconds.
To modify the setting for graft retransmit time to 120, enter the graft command.

Brocade(config-dvmrp-router)#graft 120

Syntax: graft-retransmit-time <5-3600>

Modifying Probe Interval

The Probe Interval defines how often neighbor probe messages are sent to the ALL-DVMRP-ROUTERS IP multicast group address. A router probe message lists those neighbor DVMRP routers from which it has received probes. Possible values are from 5 – 30 seconds.
Modifying DVMRP interface parameters

DVMRP global parameters come with preset values. The defaults work well in most networks, but you can modify the following interface parameters if you need to:
• TTL
• Metric
• Advertising

Modifying the TTL

The time to live (TTL) value defines the minimum value required in a packet in order for the packet to be forwarded out the interface.
Displaying information about an upstream neighbor device

You can view information about the upstream neighbor device for a given source IP address for IP PIM packets. The software uses the IP route table or multicast route table to look up the upstream neighbor device. The following shows example messages that the Brocade device can display with this command.

Brocade#show ip dvmrp rpf 1.1.20.2
directly connected or through an L2 neighbor
Brocade#show ip dvmrp rpf 1.2.3.

IP tunnel configuration
NOTE
An IP tunnel must have a remote IP interface at each end. Also, for IP tunneling to work, the remote routers must be reachable by an IP routing protocol.

NOTE
Multiple tunnels configured on a router cannot share the same remote address.

Example

To configure an IP tunnel as seen in Figure 178, enter the IP tunnel destination address on an interface of the router. To configure an IP address on Router A, enter the following commands.

Using ACLs to control multicast features
To configure an RP that covers multicast groups in 239.255.162.x, enter commands such as the following.

Brocade(config)#access-list 2 permit 239.255.162.0 0.0.0.255
Brocade(config)#router pim
Brocade(config-pim-router)#rp-address 43.43.43.1 2

To configure an RP that covers multicast groups in the 239.255.162.x range, except the 239.255.162.2 group, enter commands such as the following.

Brocade(config)#access-list 5 deny host 239.255.162.
Enter the show ip pim rp-map command to display the group-to-RP mapping.

router(config)# show ip pim rp-map
Number of group-to-RP mappings: 5
   Group address  RP address
---------------------------------------
1  230.0.0.1      100.1.1.1
2  230.0.0.2      100.1.1.1
3  230.0.0.3      100.1.1.1
4  230.0.0.4      100.1.1.1
5  230.0.0.5      100.1.1.1

The display shows the multicast group addresses covered by the RP candidate and the IP address of the RP for the listed multicast group.
Brocade(config)#access-list 5 deny host 239.255.162.2
Brocade(config)#access-list 5 permit 239.255.0.0 0.0.255.255
Brocade(config)#router pim
Brocade(config-pim-router)#bsr-candidate loopback 1 32 100
Brocade(config-pim-router)#rp-candidate loopback 1 group-list 5

Syntax: [no] rp-candidate ethernet [/] | loopback | ve [group-list ]

The parameter is required on chassis devices.

Disabling CPU processing for select multicast groups
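The following Python is an added example, not code from the FastIron guide: it evaluates the standard ACLs used as group lists in the rp-address and rp-candidate group-list examples above (first matching entry wins, implicit deny at the end, wildcard-mask bits set to 1 are ignored) and resolves which static RP covers a given group. The RP address 192.0.2.1 for ACL 5 and the rule that static RPs are consulted in configuration order are assumptions of this example.

```python
"""Group-list ACL evaluation for PIM RP assignment (added example, not the guide's code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed from the access-list lines shown in this section of the guide.
CONFIG_LINES = [
    "Brocade(config)#access-list 2 permit 239.255.162.0 0.0.0.255",
    "Brocade(config)#access-list 5 deny host 239.255.162.2",
    "Brocade(config)#access-list 5 permit 239.255.0.0 0.0.255.255",
]

# (RP address, ACL number). 43.43.43.1 for ACL 2 is from the guide;
# 192.0.2.1 for ACL 5 is a constructed placeholder (assumption).
RP_CONFIG = [("43.43.43.1", 2), ("192.0.2.1", 5)]


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    address: IPv4Address
    wildcard: IPv4Address  # wildcard mask: 1 bits are "don't care"

    def matches(self, group: IPv4Address) -> bool:
        care = 0xFFFFFFFF ^ int(self.wildcard)  # bits that must be equal
        return (int(group) & care) == (int(self.address) & care)


def parse_acl_line(line: str) -> tuple[int, AclEntry]:
    """Parse 'access-list <id> permit|deny <addr> <wildcard>' or
    'access-list <id> permit|deny host <addr>'; a leading prompt is ignored."""
    tokens = line.split("#", 1)[-1].split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard access-list line: {line!r}")
    acl_id, action = int(tokens[1]), tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    if tokens[3] == "host":
        # "host" means an exact match, i.e. a wildcard mask of 0.0.0.0
        return acl_id, AclEntry(action, IPv4Address(tokens[4]), IPv4Address("0.0.0.0"))
    if len(tokens) < 5:
        raise ValueError(f"missing wildcard mask in {line!r}")
    return acl_id, AclEntry(action, IPv4Address(tokens[3]), IPv4Address(tokens[4]))


def build_acls(lines) -> dict[int, list[AclEntry]]:
    """Group entries by ACL number, preserving configuration order."""
    acls: dict[int, list[AclEntry]] = {}
    for line in lines:
        acl_id, entry = parse_acl_line(line)
        acls.setdefault(acl_id, []).append(entry)
    return acls


def acl_permits(entries, group: str) -> bool:
    """The first matching entry decides; no match means the implicit deny applies."""
    addr = IPv4Address(group)
    for entry in entries:
        if entry.matches(addr):
            return entry.action == "permit"
    return False


def rp_for_group(rp_config, acls, group: str) -> Optional[str]:
    """Return the first static RP whose group list permits the group, or None.
    Assumption: RPs are consulted in configuration order."""
    for rp, acl_id in rp_config:
        if acl_permits(acls.get(acl_id, []), group):
            return rp
    return None


ACLS = build_acls(CONFIG_LINES)

if __name__ == "__main__":
    for g in ("239.255.162.2", "239.255.162.9", "239.255.10.1", "224.0.1.1"):
        print(g, "->", rp_for_group(RP_CONFIG, ACLS, g))
```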
TABLE 269 Reserved multicast addresses (Continued)

Multicast address   Reserved for...
224.0.0.6           OSPF
224.0.0.9           RIP V2
224.0.0.13          PIM V2
224.0.0.18          VRRP
224.0.0.22          IGMP V3 reports

CLI command syntax to disable CPU processing

To disable CPU processing for selective multicast groups, enter commands such as the following.

Brocade# config t
Brocade(config)# vlan 5
Brocade(config-vlan-5)# disable multicast-to-cpu 224.0.0.
Syntax: show disabled-multicast-to-cpu []

For , enter a valid VLAN ID. Note that each VLAN must have at least one port added to it.

Configuring a static multicast route

Static multicast routes allow you to control the network path used by multicast traffic. Static multicast routes are especially useful when the unicast and multicast topologies of a network are different.
The example above configures two static multicast routes. The first route is for a specific source network, 207.95.10.0/24. If the Layer 3 switch receives multicast traffic for network 207.95.10.0/24, the traffic must arrive on port 1/2. The second route is for all other multicast traffic. Traffic from multicast sources other than 207.95.10.0/24 must arrive on port 2/3. Figure 181 shows an example of an IP Multicast network.
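The two static routes above act as a reverse-path-forwarding (RPF) table keyed on the multicast source: the most specific matching prefix decides which port the traffic must arrive on, and traffic arriving elsewhere fails the check. The following Python model is an added example, not code from the guide or from the FastIron software; the `STATIC_MROUTES` tuple layout, the function names and the sample packets are all constructed for illustration.

```python
import ipaddress

# Constructed static multicast route table that mirrors the two routes the
# guide describes: the specific source network 207.95.10.0/24 must arrive on
# port 1/2, and every other source must arrive on port 2/3. The (prefix, port)
# tuple layout is an assumption of this example, not the device's own format.
STATIC_MROUTES = [
    ("207.95.10.0/24", "1/2"),
    ("0.0.0.0/0", "2/3"),
]


def expected_port(source_ip, table=STATIC_MROUTES):
    """Return the port on which multicast traffic from source_ip must arrive.

    Longest-prefix match: the most specific static route covering the source
    wins, so the catch-all 0.0.0.0/0 route applies only when no narrower
    route matches.
    """
    src = ipaddress.ip_address(source_ip)
    best_net, best_port = None, None
    for prefix, port in table:
        net = ipaddress.ip_network(prefix)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_port = net, port
    return best_port


def rpf_check(source_ip, arrival_port, table=STATIC_MROUTES):
    """Reverse-path forwarding decision for one multicast packet.

    The packet is accepted only when it arrived on the port the static route
    selects for its source; anything else is an RPF failure and is dropped.
    """
    return expected_port(source_ip, table) == arrival_port


def filter_packets(packets, table=STATIC_MROUTES):
    """Apply the RPF check to (source_ip, arrival_port) pairs and return the
    accepted and dropped packets as two separate lists."""
    accepted, dropped = [], []
    for src, port in packets:
        (accepted if rpf_check(src, port, table) else dropped).append((src, port))
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    sample = [
        ("207.95.10.7", "1/2"),   # correct port for the specific route
        ("207.95.10.7", "2/3"),   # RPF failure: the specific route pins it to 1/2
        ("10.1.1.1", "2/3"),      # falls through to the catch-all route
    ]
    ok, bad = filter_packets(sample)
    print("accepted:", ok)
    print("dropped:", bad)
```

The longest-prefix rule is what makes the catch-all route safe to add: without it, a 0.0.0.0/0 entry listed first would swallow the 207.95.10.0/24 sources too.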
Displaying the multicast configuration for another multicast router

The Brocade implementation of Mrinfo is based on the DVMRP Internet draft by T. Pusateri, but applies to PIM and not to DVMRP. To display the PIM configuration of another PIM router, use the following commands.

NOTE
This feature is not supported for DVMRP.

To display another PIM router's PIM configuration, enter a command such as the following.

Brocade#mrinfo 207.95.8.
The information for the second interface in the display is “PIM/0 /1/leaf”. This information indicates that the interface is a PIM interface, has a TTL of 0 and a metric of 1, and is connected to a leaf node.

IGMP V3

The Internet Group Management Protocol (IGMP) allows an IPv4 interface to communicate IP Multicast group membership information to its neighboring routers.
Each IGMP V3-enabled router maintains a record of the state of each group and each physical port within a virtual routing interface. This record contains the group, group-timer, filter mode, and source records information for the group or interface. Source records contain information on the source address of the packet and source timer. If the source timer expires when the state of the group or interface is in Include mode, the record is removed.
Enabling the IGMP version per interface setting

To specify the IGMP version for a physical port, enter a command such as the following.

Brocade(config)#interface eth 1/5
Brocade(config-if-1/5)#ip igmp version 3

To specify the IGMP version for a virtual routing interface on a physical port, enter a command such as the following.

Brocade(config)#interface ve 3
Brocade(config-vif-3)#ip igmp version 3

Syntax: [no] ip igmp version

Enter 1, 2, or 3 for .
• The interface to which the client belongs has IGMP V3 clients only. Therefore, all physical ports on a virtual routing interface must have IGMP V3 enabled, and no IGMP V1 or V2 clients can be on the interface. (Although IGMP V3 can handle V1 and V2 clients, these two client types cannot be on the interface in order for fast leave to take effect.)
• No other client on the interface is receiving traffic from the group to which the client belongs.
Setting the maximum response time

Maximum response time defines how long the Layer 3 switch will wait for an IGMP (V1 and V2) response from an interface before concluding that the group member on that interface is down, and then removing the interface from the group. To change the IGMP maximum response time, enter the ip igmp max-response-time command at the global CONFIG level of the CLI.
Displaying IGMP group status

NOTE
This report is available on Layer 3 switches.

To display the status of all IGMP multicast groups on a device, enter the show ip igmp group command.

Brocade#show ip igmp group
p-:physical, ST:static, QR:querier, EX:exclude, IN: include, Y:yes, N:no
v101 : 1 groups, 1 group-port
     group          p-port   ST   QR   life   mode   source
1    239.200.1.1    1/1/11   no   no   260    EX     0

To display the status of one IGMP multicast group, enter a command such as the following.

Brocade#show ip igmp group 239.
TABLE 270 Output of show ip igmp group

Field      Description
Group      The address of the multicast group.
Phy-port   The physical port on which the multicast group was received.
Static     A “yes” entry in this column indicates that the multicast group was configured as a static group; “No” means it was not. Static multicast groups can be configured in IGMP V2 using the ip igmp static command. In IGMP V3, static sources cannot be configured in static groups.
Brocade#show ip igmp interface
query interval = 60, max response time= 3, group membership time=140
v5: default V2, PIM dense, addr=1.1.1.2
    e4/12 has 0 groups, non-Querier (age=40), default V2
v18: default V2, DVMRP, addr=2.2.2.1
    e4/20 has 0 groups, Querier, default V2
v20: configured V3, PIM dense (port down), addr=1.1.20.1
v110: configured V3, PIM dense, addr=110.110.110.1
    e4/6 has 2 groups, Querier, default V3
        group: 239.0.0.1, exclude, life=100, deny 13
        group: 224.1.10.
Displaying IGMP traffic status

To display the traffic status on each virtual routing interface, enter the show ip igmp traffic command.

NOTE
This report is available on Layer 3 switches.
IGMP Proxy

IGMP Proxy provides a means for the FastIron X Series routers to receive any or all multicast traffic from an upstream device if the router is not able to run PIM. IGMP Proxy enables the router to issue IGMP host messages on behalf of hosts that the router discovered through standard PIM interfaces.
IP multicast protocols and IGMP snooping on the same device

Once IGMP Proxy is configured and the FastIron X Series router receives a query on an IGMP Proxy interface, the router sends a report in response to the query before the IGMP maximum response time expires.

Displaying IGMP Proxy traffic

Use the show ip igmp traffic command to see traffic for IGMP Proxy.
IP multicast protocols and IGMP snooping configuration example

Figure 182 and Figure 183 show an example IGMP snooping and PIM forwarding configuration.
[Figure 182 and Figure 183 (diagram not reproduced). Labels recovered from the figure: both sources for group 230.1.1.1 are server 10.10.10.100 and server 20.20.20.1; Vlan 20 (with VE 20), Vlan 10; FESXv4 (DUT) with ports e1, e4, e13, e21; subnets 20.20.20.x/24, 30.30.30.x/24 and 40.40.40.x/24; client 10.10.10.1 for 230.1.1.1; FES/FESX router with ports e3 and e4; client 40.40.40.1 for 230.1.1.1.]

IP multicast protocols and IGMP snooping CLI commands

The following are the CLI commands for the configuration example shown in Figure 182 and Figure 183.

1.
Brocade(config-vif-20)#exit
Brocade(config)#interface e 13
Brocade(config-if-e1000-13)#ip address 30.30.30.10/24
Brocade(config-if-e1000-13)#ip pim

3. Configure the FES/FESX neighboring device.

Brocade(config)#ip route 20.20.20.0 255.255.255.0 30.30.30.10
Brocade(config)#router pim
Brocade(config-pim-router)#exit
Brocade(config)#interface ethernet 3
Brocade(config-if-e1000-3)#ip address 30.30.30.
Chapter 37

MLD Snooping on FastIron X Series Switches

Table 273 lists the individual Brocade FastIron switches and the Multicast Listening Discovery (MLD) snooping features they support. These features are supported in the Layer 2, base Layer 3, and full Layer 3 software images.
MLD Snooping Overview

An IPv6 multicast address is a destination address in the range of FF00::/8. A limited number of multicast addresses are reserved. Since packets destined for the reserved addresses may require VLAN flooding, FESX and FSX devices do not snoop in the FF0X::00X range (where X is from 00 to FF). Data packets destined to these addresses are flooded to the entire VLAN by hardware and mirrored to the CPU. Multicast data packets destined to addresses outside the FF0X::00X range are snooped.
For two multicast traffic streams, Source_1 and Group1 (S1,G1) and Source_2 and Group2 (S2,G2), with the same or different source addresses, if the lowest 32 bits of the 128-bit IPv6 group address are the same, they would map to the same destination MAC. Because the FESX and FSX support MAC-based forwarding for MLD snooping, the final multicast MAC address entry would be a superset of all the IPv6 groups mapped to it.
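The aliasing described above can be checked ahead of deployment: derive the 33-33-xx-xx-xx-xx MAC from the low 32 bits of each group address you plan to use and look for groups that land on the same MAC, since those will share one forwarding entry and a listener of one will also receive the other. The following Python helper is an added example, not code from the guide or from the FastIron software; the function names and the sample group list are constructed for illustration, and the MAC derivation follows RFC 2464.

```python
import ipaddress
from collections import defaultdict


def ipv6_group_to_mac(group):
    """Map an IPv6 multicast group address to its link-layer destination MAC.

    The MAC is 33-33 followed by the low 32 bits of the 128-bit group address
    (RFC 2464), so the upper 96 bits, including the scope nibble, are lost.
    """
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:  # must lie in FF00::/8
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = int(addr) & 0xFFFFFFFF
    octets = [(low32 >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return "33-33-" + "-".join(f"{o:02X}" for o in octets)


def mac_supersets(groups):
    """Return {mac: [groups...]} for every MAC that two or more groups share.

    On a MAC-based forwarding snooping device each such MAC becomes one
    forwarding entry covering all of the groups listed, so a listener joined
    to one of them also receives traffic for the others.
    """
    by_mac = defaultdict(list)
    for g in groups:
        by_mac[ipv6_group_to_mac(g)].append(g)
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}


if __name__ == "__main__":
    # Constructed group list: ff05::100 and ff15::100 differ only in the
    # flags/scope bits, which the MAC mapping discards, so they collide.
    sample = ["ff05::100", "ff15::100", "ff0e::ef00:a096"]
    for g in sample:
        print(g, "->", ipv6_group_to_mac(g))
    print("shared MACs:", mac_supersets(sample))
```

Because only the low 32 bits survive, keeping planned group addresses distinct in their last eight hex digits is what avoids the superset entry, not changing the scope or the upper group bits.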
• A VLAN that has a connection to an IPv6 PIM-enabled port on another router should be configured as a non-querier. When multiple snooping devices connect together and there is no connection to IPv6 PIM ports, only one device should be configured as the querier. If multiple devices are configured as active, only one will continue to send queries after the devices have exchanged queries. Refer to “MLD snooping-enabled queriers and non-queriers” on page 1614.
MLD snooping configuration

Because non-queriers always forward multicast data traffic and MLD messages to router ports which receive MLD queries or IPv6 PIM hellos, Brocade recommends that you configure the devices with the data traffic source (server) as queriers. If a server is attached to a non-querier, the non-querier always forwards traffic to the querier regardless of whether or not there are clients on the querier.
• Modifying the leave wait time
• Modifying the mcache age interval
• Disabling error and warning messages

MLD snooping VLAN-specific tasks:

• Configuring the MLD mode for the VLAN: active or passive
• Enabling or disabling MLD snooping for the VLAN
• Configuring the MLD version for the VLAN
• Configuring the MLD version for individual ports
• Configuring static groups to the entire VLAN or some ports
• Configuring static router ports
• Disabling proxy activity for a stat
NOTE
This command has no effect on a VLAN that is not snooping-enabled because all multicast traffic is VLAN flooded.

Brocade(config)#interface ethernet 1/3
Brocade(config-if-e1000-1/3)#ipv6-multicast-disable

Syntax: [no] ipv6-multicast-disable

Configuring the global MLD mode

You can configure a Brocade device for either active or passive (default) MLD mode. If you specify an MLD mode for a VLAN, the MLD mode overrides the global setting.
Brocade(config)#ipv6 mld-snooping query-interval 120

Syntax: [no] ipv6 mld-snooping query-interval

The parameter specifies the interval between queries. You can specify a value from 10 – 3600 seconds. The default is 60 seconds.

Configuring the global MLD version

The default version is MLDv1. You can specify the global MLD version on the device as either MLDv1 or MLDv2. For example, the following command configures the device to use MLDv2.
Modifying the multicast cache (mcache) aging time

You can set the time for an mcache to age out when it does not receive traffic. Two seconds before an mcache is aged out, the device mirrors a packet of the mcache to the CPU to reset the age. If no data traffic arrives within two seconds, the mcache is deleted. Note that in FESX and FSX devices, more than one mcache can be mapped to the same destination MAC.
Disabling MLD snooping for the VLAN

When MLD snooping is enabled globally, you can disable it for a specific VLAN. For example, the following commands disable MLD snooping for VLAN 20. This setting overrides the global setting for VLAN 20.

Brocade(config)#vlan 20
Brocade(config-vlan-20)#mld-snooping disable-mld-snoop

Syntax: [no] mld-snooping disable-mld-snoop

Configuring the MLD version for the VLAN

You can specify the MLD version for a VLAN.
Brocade(config)#vlan 20
Brocade(config-vlan-20)#mld-snooping static-group ff05::100 count 2 ethe 1/3 ethe 1/5 to 1/7
Brocade(config-vlan-20)#mld-snooping static-group ff10::200

Syntax: [no] mld-snooping static-group [count ] []

The ipv6-address parameter is the IPv6 address of the multicast group. The optional count specifies a contiguous range of groups starting at that address. Omitting the count is equivalent to a count of 1.
MLDv2 requires that every client respond to queries, allowing the device to track every client. When the tracking feature is enabled, the device immediately stops forwarding traffic to the interface if an MLDv2 client sends a leave message, and there is no other client. This feature requires the entire VLAN to be configured for MLDv2 and have no MLDv1 clients.
If the L2 protocol is unable to detect a topology change, the fast-convergence feature may not work. For example, if the direct connection between two devices switches from one interface to another, the rapid spanning tree protocol (802.1w) considers this an optimization action, rather than a topology change. In this case, other devices will not receive topology change notifications and will be unable to send queries to speed up the convergence.
NOTE
In this example, an MLDv1 group is in EXCLUDE mode with a source of 0. The group excludes traffic from the 0 (zero) source list, which actually means that all traffic sources are included.

To display detailed MLD group information, enter the following command.

Brocade#show ipv6 mld-snooping group ff0e::ef00:a096 detail
Display group ff0e::ef00:a096 in all interfaces in details.
Field    Description
source   Identifies the source list that will be included or excluded on the interface. An MLDv1 group is in EXCLUDE mode with a source of 0. The group excludes traffic from the 0 (zero) source list, which actually means that all traffic sources are included.
Displaying software resource usage for VLANs

To display information about the software resources used, enter the following command.

Brocade#show ipv6 mld-snooping resource
                    alloc   in-use   avail   get-fail
mld group           512     9        503     0
mld phy port        1024    16       1008    0
snoop group hash    512     9        503     0
….
Displaying status of MLD snooping traffic

To display status information for MLD snooping traffic, enter the show ipv6 mld-snooping traffic command.
Displaying MLD snooping information by VLAN

You can display MLD snooping information for all VLANs or for a specific VLAN. For example, to display MLD snooping information for VLAN 70, enter the show ipv6 mld-snooping vlan command.
Syntax: clear ipv6 mld-snooping mcache

Clearing the mcache on a specific VLAN

To clear the mcache on a specific VLAN, enter the clear ipv6 mld-snooping vlan mcache command.

Brocade#clear ipv6 mld-snooping vlan 10 mcache

Syntax: clear ipv6 mld-snooping vlan mcache

The parameter specifies the VLAN from which to clear the cache.
Chapter 38

MLD Snooping on FastIron WS and Brocade FCX and ICX Switches

Table 274 lists the individual Brocade FastIron switches and the Multicast Listening Discovery (MLD) snooping features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images.
MLD snooping overview

The interfaces respond to general queries by sending a membership report containing one or more of the following records associated with a specific group:

• Current-state record - Indicates the sources from which the interface wants to receive or not receive traffic. This record contains the source addresses of the interfaces and whether or not traffic will be included (IS_IN) or excluded (IS_EX) from that source address.
The parameter range is 4 to 32, in multiples of 4. If the input value is not a multiple of 4, it is rounded down to the nearest multiple of 4 below the input value (e.g. 11 is changed to 8). The default hash chain length is 4. A chain length of more than 4 may affect line rate switching.

NOTE
For this command to take effect, you must save the configuration and reload the switch. The hardware resource limit applies only to snooping-enabled VLANs.
MLD Snooping requires hardware resources. If the device has insufficient resources, the data stream without a resource is mirrored to the CPU in addition to being VLAN flooded, which can cause high CPU usage. To avoid this situation, Brocade recommends that you avoid enabling snooping globally unless necessary. When any port of a VLAN is configured for MLDv2, the VLAN matches both source and group (S,G) in hardware switching.
MLD snooping configuration

MLD snooping using MLDv1 with MLDv2

MLD snooping can be configured as MLDv1 or MLDv2 on individual ports on a VLAN. An interface or router sends queries and reports that include the MLD version with which it has been configured. The version configuration applies only to the sending of queries. The snooping device recognizes and processes MLDv1 and MLDv2 packets regardless of the version configured.
Configuring the hardware and software resource limits

The system supports up to 8K of hardware-switched multicast streams. The configurable range is from 256 to 8192 and the default is 512. However, for ICX 6430, the range is from 256 to 1024 and the default is 256, while for ICX 6450, the range is from 256 to 8192 with the default of 512. Enter the system-max mld-snoop-mcache command to define the maximum number of MLD Snooping cache entries.
Omitting both the active and passive keywords is the same as entering ipv6 mld-snooping passive.

Modifying the age interval

When the device receives a group membership report, it makes an entry in the MLD group table for the group in the report. The age interval specifies how long the entry can remain in the table without the device receiving another group membership report. When multiple devices connect together, all devices should be configured with the same age interval.
You can configure report control to rate-limit report forwarding for the same group to no more than once per 10 seconds. This rate limiting does not apply to the first report answering a group-specific query.

NOTE
This feature applies to MLDv1 only. The leave messages are not rate limited. MLDv1 membership reports for the same group from different clients are considered to be the same, and are rate-limited.
Configuring the MLD mode for a VLAN

You can configure a VLAN for either the active or passive (default) MLD mode. The VLAN setting overrides the global setting:

• Active – In active MLD mode, a device actively sends out MLD queries to identify IPv6 multicast groups on the network, and makes entries in the MLD table based on the group membership reports it receives from the network.
Syntax: [no] mld-snooping port-version 1 | 2 ethernet [ethernet ] [to ethernet ]

Configuring static groups to the entire VLAN or to individual ports

A snooping-enabled VLAN cannot forward multicast traffic to ports that do not receive MLD membership reports. To allow clients to send reports, you can configure a static group which applies to the entire VLAN, or to individual ports on the VLAN.
Enabling MLDv2 membership tracking and fast leave for the VLAN

MLDv2 provides membership tracking and fast leave services to clients. In MLDv1, only one client per interface needs to respond to a router's queries, leaving the other clients invisible to the router, which makes it impossible for the device to track the membership of all clients in a group.
Enabling fast convergence

In addition to periodically sending general queries, an active (querier) device sends out general queries when it detects a new port. However, since it does not recognize the other device port-up event, the multicast traffic might still use the query-interval time to resume after a topology change.
Displaying MLD group information

To display MLD group information, enter the show ipv6 mld-snooping group command.

Brocade#show ipv6 mld-snooping group
p-:physical, ST:static, QR:querier, EX:exclude, IN:include, Y:yes, N:no
VL1 : 263 grp, 263 grp-port, tracking_enabled
     group                p-port   ST   QR   life   mode   source
1    ff0e::ef00:a0e3      0/1/7    N    Y    120    EX     0
2    ff01::1:f123:f567    0/1/9    N    Y           IN     1

NOTE
In this example, an MLDv1 group is in EXCLUDE mode with a source of 0.
Field   Description
QR      Yes means the port is a querier port; No means it is not. A port becomes a non-querier port when it receives a query from a source with a lower source IP address than the port.
life    The number of seconds the group can remain in EXCLUDE mode. An EXCLUDE mode changes to INCLUDE if it does not receive an IS_EX or TO_EX message during a specified period of time. The default is 140 seconds. There is no life displayed in INCLUDE mode.
Field     Description
uptime    The up time of this mcache in minutes.
vidx      The vidx is shared among mcaches using the same output interfaces. The vidx specifies the output port list, which shows the index. Valid range is from 4096 to 8191.
ref-cnt   The number of mcaches using this vidx.

Displaying software resource usage for VLANs

To display information about the software resources used, enter the show ipv6 mld-snooping resource command.
Displaying status of MLD snooping traffic

To display status information for MLD snooping traffic, enter the show ipv6 mld-snooping traffic command.
Displaying MLD snooping information by VLAN

You can display MLD snooping information for all VLANs or for a specific VLAN. For example, to display MLD snooping information for VLAN 70, enter the following command.
Clearing mcache on a specific VLAN

To clear the mcache on a specific VLAN, enter the clear ipv6 mld-snooping vlan mcache command.

Brocade#clear ipv6 mld-snooping vlan 10 mcache

Syntax: clear ipv6 mld-snooping vlan mcache

The parameter specifies the VLAN from which to clear the cache.

Clearing traffic on a specific VLAN

To clear the traffic counters on a specific VLAN, enter the clear ipv6 mld-snooping vlan traffic command.
Chapter 39

VRRP and VRRP-E

Table 275 lists the individual Brocade FastIron switches and the Virtual Router Redundancy Protocol (VRRP) and Virtual Router Redundancy Protocol Extended (VRRP-E) features they support.

NOTE
VRRP is supported in the base Layer 3, edge Layer 3, and full Layer 3 codes. VRRP support in the base Layer 3 and edge Layer 3 code is the same as in the full Layer 3 code. VRRP-E is supported with premium and ADV FastIron devices that are running the edge Layer 3 or full Layer 3 code.
VRRP and VRRP-E overview

NOTE
You can use a Brocade Layer 3 switch configured for VRRP with another Brocade Layer 3 switch or a third-party router that is also configured for VRRP. However, you can use a Brocade Layer 3 switch configured for VRRP-E only with another Brocade Layer 3 switch that also is configured for VRRP-E.

NOTE
The maximum number of supported VRRP or VRRP-E router instances is 254 for IPv4 environments.
Switch 1 is the host default gateway out of the subnet. If this interface goes down, Host1 is cut off from the rest of the network. Switch 1 is thus a single point of failure for Host1’s access to other networks. If Switch 1 fails, you could configure Host1 to use Switch 2. Configuring one host with a different default gateway might not require too much extra administration.
Virtual router ID

A virtual router ID (VRID) consists of one Master router and one or more Backup routers. The Master router is the router that owns the IP addresses you associate with the VRID. For this reason, the Master router is sometimes called the “Owner”. Configure the VRID on the router that owns the default gateway interface.
Master negotiation

The routers within a VRID use the VRRP priority values associated with each router to determine which router becomes the Master. When you configure the VRID on a router interface, you specify whether the router is the Owner of the IP addresses you plan to associate with the VRID or a Backup router.
NOTE
Regardless of the setting for the preempt parameter, the Owner always becomes the Master again when it comes back online.

Track ports and track priority

The Brocade implementation of VRRP enhances the protocol by giving a VRRP router the capability to monitor the state of the interfaces on the other end of the route path through the router.
NOTE
The HMAC-MD5-96 authentication type is supported for VRRP-E, but not supported for VRRP.

NOTE
Authentication is not supported for VRRP v3.

Independent operation of VRRP alongside RIP, OSPF, and BGP4

VRRP operation is independent of RIP, OSPF, and BGP4; therefore, RIP, OSPF, and BGP4 are not affected if VRRP is enabled on one of these interfaces.

Dynamic VRRP configuration

All VRRP global and interface parameters take effect immediately.
• VRID's MAC address
  - VRRP uses the source MAC address as a virtual MAC address defined as 00-00-5E-00-01-, where is the VRID. The Master owns the virtual MAC address.
  - VRRP-E uses the MAC address of the interface as the source MAC address. The MAC address is 02-04-80--, where is a two-octet hashed value for the IP address and is the VRID.
• Hello packets
  - VRRP sends Hello messages to IP Multicast address 224.0.0.18.
Figure 186 shows an example of a VRRP-E configuration.

FIGURE 186 Switch 1 and Switch 2 are configured to provide dual redundant network access for the host

[Figure 186 (diagram not reproduced). Labels recovered from the figure: Internet; VRID 1, Switch 1 = Master, Virtual IP address 192.53.5.254, Priority = 110, Track Port = e 2/4, Track Priority = 20; ports e 2/4, e 3/2, e 1/6 (192.53.5.2), e 5/1 (192.53.5.3) on Switch 1 and Switch 2; VRID 1, Switch 2 = Backup, Virtual IP address 192.53.5.]
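The Master negotiation, track-port and preempt behaviour described in this overview can be walked through with the Figure 186 values (Switch 1 at priority 110 tracking port e 2/4 with track priority 20, Switch 2 at priority 100). The following Python model is an added example, not code from the guide or from the FastIron software; the `VrrpRouter` class, the function names and the scenario are constructed, it assumes that each tracked port that is down subtracts the track priority once, and it uses the RFC 2338 rule that the Owner runs at priority 255 and that the higher IP address breaks a priority tie.

```python
import ipaddress

OWNER_PRIORITY = 255  # RFC 2338: the address Owner runs at the top priority


class VrrpRouter:
    """One router's view of a VRID (constructed model, not device code)."""

    def __init__(self, name, ip, priority=100, owner=False,
                 preempt=True, track_ports=None, track_priority=2):
        self.name = name
        self.ip = ipaddress.ip_address(ip)
        self.priority = priority
        self.owner = owner          # VRRP only; VRRP-E routers are all Backups
        self.preempt = preempt      # may this router take over from a live Master?
        self.track_ports = dict(track_ports or {})  # port name -> link is up
        self.track_priority = track_priority
        self.up = True

    def effective_priority(self):
        """Priority after track-port adjustment.

        Assumption of this model: each tracked port that is down lowers the
        configured priority by track_priority, and the Owner is always 255.
        """
        if self.owner:
            return OWNER_PRIORITY
        down = sum(1 for is_up in self.track_ports.values() if not is_up)
        return max(1, self.priority - down * self.track_priority)


def elect_master(routers, current=None):
    """Pick the Master among the routers that are up.

    The Owner always wins when it is online, whatever preempt is set to.
    Otherwise the highest effective priority wins (highest IP breaks ties),
    unless the current Master is still up and the best candidate has
    preempt disabled, in which case the current Master keeps the role.
    """
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    owner = next((r for r in alive if r.owner), None)
    if owner is not None:
        return owner
    best = max(alive, key=lambda r: (r.effective_priority(), int(r.ip)))
    if current is not None and current.up and current is not best and not best.preempt:
        return current
    return best


def figure_186_scenario():
    """Walk through the Figure 186 VRRP-E values: Switch 1 priority 110 with
    track port e 2/4 at track priority 20, Switch 2 priority 100."""
    sw1 = VrrpRouter("Switch 1", "192.53.5.2", priority=110,
                     track_ports={"e 2/4": True}, track_priority=20)
    sw2 = VrrpRouter("Switch 2", "192.53.5.3", priority=100)
    steps = []
    steps.append(elect_master([sw1, sw2]).name)               # Switch 1: 110 > 100
    sw1.track_ports["e 2/4"] = False                          # uplink lost: 110 - 20 = 90
    steps.append(elect_master([sw1, sw2], current=sw1).name)  # Switch 2: 100 > 90
    sw1.track_ports["e 2/4"] = True                           # uplink restored
    steps.append(elect_master([sw1, sw2], current=sw2).name)  # Switch 1 preempts
    return steps


if __name__ == "__main__":
    print(figure_186_scenario())  # ['Switch 1', 'Switch 2', 'Switch 1']
```

The track-port step is the part worth studying: Switch 1 stays up throughout, but losing its upstream link drops its effective priority below Switch 2, so the VRID fails over to the router that can still reach the far side of the path.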
Comparison of VRRP and VRRP-E

ARP behavior with VRRP-E

In the VRRP-E implementation, the source MAC address of the gratuitous Address Resolution Protocol (ARP) request sent by the VRRP-E Master router is the VRRP-E virtual MAC address. When the router (either the Master or Backup router) sends an ARP request or reply packet, the sender’s MAC address becomes the MAC address of the interface on the router.
Architectural differences between VRRP and VRRP-E

The protocols have the following architectural differences.

Management protocol

• VRRP – VRRP routers send VRRP Hello messages to IP Multicast address 224.0.0.18.
• VRRP-E – VRRP-E sends messages to destination MAC address 01-00-5E-00-00-02 and destination IP address 224.0.0.2 (the standard IP multicast address for “all routers”).
VRRP and VRRP-E parameters

Table 276 lists the VRRP and VRRP-E parameters. Most of the parameters and default values are the same for both protocols. The exceptions are noted in the table.

TABLE 276 VRRP and VRRP-E parameters

Parameter   Description   Default   For more information
Protocol    The Virtual Router Redundancy Protocol (VRRP) based on RFC 2338 or VRRP-Extended, the Brocade-enhanced implementation of VRRP.
TABLE 276 VRRP and VRRP-E parameters (Continued)

Parameter             Description   Default   For more information
Authentication type   The type of authentication the VRRP or VRRP-E interfaces use to validate VRRP or VRRP-E packets.
                      • No authentication – The interfaces do not use authentication. This is the VRRP default.
                      • Simple – The interface uses a simple text-string as a password in packets sent on the interface.
TABLE 276 VRRP and VRRP-E parameters (Continued)

Parameter       Description   Default   For more information
Dead interval   The number of seconds or milliseconds a Backup waits for a Hello message from the Master for the VRID before determining that the Master is no longer active. If the Master does not send a Hello message before the dead interval expires, the Backups negotiate (compare priorities) to select a new Master for the VRID.
TABLE 276 VRRP and VRRP-E parameters (Continued)

Parameter                 Description   Default   For more information
VRRP-E slow start timer   Causes a specified amount of time to elapse between the time the original Master is restored and when it takes over from the Backup. This interval allows time for OSPF convergence when the Master is restored. For VRRP-E only.   Disabled   page 1679
Short-path forwarding     Enables VRRP-E extension for server virtualization.
Basic VRRP parameter configuration

To implement a simple VRRP configuration using all the default values, enter the commands shown in the following sections.

Configuration rules for VRRP

• The interfaces of all routers in a VRID must be in the same IP subnet.
• The IP addresses associated with the VRID must already be configured on the router that will be the Owner.
• An IP address associated with the VRID must be on only one router.
The variable specifies the IPv4 address of the Owner router. The IP address you assign to the Owner must be an IP address configured on an interface that belongs to the virtual router. The variable specifies the virtual router ID. The track-priority option changes the track-port priority for this interface and the VRID from the default (2) to a value from 1 through the maximum VRID supported by the device.
Configuring a Backup for IPv4 VRRP

To configure the VRRP Backup router for IPv4, enter the following commands.

Brocade Router2(config)#router vrrp
Brocade Router2(config)#interface ethernet 1/5
Brocade Router2(config-if-1/5)#ip address 192.53.5.3
Brocade Router2(config-if-1/5)#ip vrrp vrid 1
Brocade Router2(config-if-1/5-vrid-1)#backup
Brocade Router2(config-if-1/5-vrid-1)#advertise backup
Brocade Router2(config-if-1/5-vrid-1)#ip-address 192.53.5.
Syntax: [no] ipv6 vrrp vrid
Syntax: [no] backup [priority ]
Syntax: [no] advertise backup
Syntax: [no] activate

The variable specifies the IPv6 address of the Backup router. The variable specifies the virtual router ID. The priority option specifies the IPv6 VRRP priority for this virtual Backup router. You can specify a value from 3 through 254. The default is 100.
Basic VRRP-E parameter configuration

The following sections describe the configuration of the parameters specific to IPv4 and IPv6 VRRP-E.

Configuration rules for VRRP-E

Consider the following rules when configuring VRRP-E:

• The interfaces of all routers in a VRID must be in the same IP subnet.
• The IP address associated with the VRID cannot be configured on any of the Layer 3 switches.
NOTE
You also can use the enable command to activate the configuration. This command does the same thing as the activate command.

Configuring IPv6 VRRP-E

To implement an IPv6 VRRP-E configuration using all the default values, enter the following commands.

NOTE
You must first configure the ipv6 unicast-routing command at the global configuration level to enable IPv6 VRRP-E on the router.
Additional VRRP and VRRP-E parameter configuration

When the no ipv6 router vrrp-extended command is entered, all IPv6 VRRP-E instances for a specific VRID are deleted from the interface, and the running configuration is lost when writing to flash. You must enter the write memory command to save your configuration. The following message is displayed when the no ipv6 router vrrp-extended command is entered.

Brocade Router2(config)#no ipv6 router vrrp-extended
ipv6 router VRRP-E is disabled.
VRRP and VRRP-E authentication types
This section describes VRRP and VRRP-E authentication parameters.
Configuring authentication type
The Brocade implementation of VRRP and VRRP-E supports the following authentication types for authenticating VRRP and VRRP-E traffic:
• No authentication – The interfaces do not use authentication. This is the default for VRRP and VRRP-E.

VRRP-E syntax
For IPv4 VRRP-E:
Syntax: ip vrrp-extended auth-type no-auth | simple-text-auth | md5-auth [0 | 1]
For IPv6 VRRP-E:
Syntax: ipv6 vrrp-extended auth-type no-auth | simple-text-auth | md5-auth [0 | 1]
The values for the no-auth and simple-text-auth options are the same as for VRRP. The md5-auth option configures the interface to use HMAC-MD5-96 for VRRP-E authentication.
VRRP router type
A VRRP interface is either an Owner or a Backup router for a given VRID. By default, the Owner becomes the Master. A Backup router becomes the Master only if the Master becomes unavailable. A VRRP-E interface is always a Backup router for its VRID. The Backup router with the highest VRRP priority becomes the Master.

Configuring an IPv6 VRRP v3 interface as a Backup for a VRID
To configure an IPv6 VRRP v3 interface as a Backup for a VRID, and set its VRRP priority and track priority, enter commands such as the following.

Suppressing RIP advertisements for the backed-up interface in Router 2
To suppress RIP advertisements for the backed-up interface in Router 2, enter the following commands.
Brocade Router2(config)#router rip
Brocade Router2(config-rip-router)#use-vrrp-path
Syntax: use-vrrp-path
The syntax is the same for VRRP and VRRP-E.
Hello interval configuration
The Master periodically sends Hello messages to the Backup routers.
Dead interval configuration
The dead interval is the number of seconds a Backup router waits for a Hello message from the Master before determining that the Master is dead. When Backup routers determine that the Master is dead, the Backup with the highest priority becomes the new Master.

Track port configuration
NOTE
Track port is not supported by VRRP v3.
You can configure the VRID on one interface to track the link state of another interface on the Layer 3 switch. This capability is quite useful for tracking the state of the exit interface for the path for which the VRID is providing redundancy. Refer to “Track ports and track priority” on page 1654.

Backup preempt configuration
By default, a Backup that has a higher priority than another Backup that has become the Master can preempt the Master, and take over the role of Master. If you want to prevent this behavior, disable preemption. Preemption applies only to Backups and takes effect only when the Master has failed and a Backup has assumed ownership of the VRID.
TABLE 277 Time scale values (Continued)
Timer                   Timer scale   Timer value
Backup Hello interval   1             60 seconds
                        2             30 seconds
Hold-down interval      1             2 seconds
                        2             1 second
If you configure the device to receive its timer values from the Master, the Backup also receives the timer scale value from the Master. To change the timer scale, enter a command such as the following at the global CONFIG level of the CLI.

The VRRP-E slow start timer is effective only if the VRRP-E Backup router detects another VRRP-E Master (Standby) router. It is not effective during the initial bootup. The slow start timer is effective on a Backup router if the priority of the Backup router is equal to the configured priority on the Backup state router.
NOTE
The VRRP-E slow start timer applies only to VRRP-E configurations. It does not apply to VRRP configurations.
FIGURE 187 VRRP-E Extension for short-path forwarding
[Figure: R1, the VRRP-E Master (10.71.2.1), and a VRRP-E Backup, each with a WAN link, serve clients in 10.32.0.X and 10.0.0.X. Host Server 1 and Host Server 2 (with virtualization software) carry virtual servers 1, 3 and 4, all with gateway 10.71.2.1; the virtual servers can move between Host Server 1 and Host Server 2. The figure contrasts normal forwarding with short-path forwarding enabled.]

The revert-priority parameter uses the priority value as the threshold to determine whether the short-path forwarding (SPF) behavior is effective. Typically, when short-path forwarding is enabled, the Backup router enforces SPF. For each port that goes down, the current priority of the VRRP-E router is lowered by the number specified in the track-port command.
Forcing a Master router to abdicate to a Backup router
NOTE
Forcing a Master router to abdicate to a Backup router is not supported for IPv6 VRRP, IPv4 VRRP-E, and IPv6 VRRP-E. It is only supported for IPv4 VRRP.
You can force a VRRP Master to abdicate (give away control) of a VRID to a Backup router by temporarily changing the Master priority to a value less than that of the Backup router. The VRRP Owner always has priority 255.

To change the Master priority back to the default Owner priority 255, enter no followed by the command you entered to change the priority. For example, to change the priority of a VRRP Owner back to 255 from 110, enter the following command.
Brocade(config-if-1/6-vrid-1)#no owner priority 110
You cannot set the priority to 255 using the owner priority command.
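As an added example (not Brocade code), the following Python model works through the election rules described above: Owner versus Backup router type, the per-port priority reduction from track ports, backup preempt mode, and forcing an Owner to abdicate by lowering its priority. The router names and priorities are constructed; the Owner reclaiming the VRID as soon as it is reachable again and the name-based tie-break are assumptions the guide does not state.

```python
"""VRRP/VRRP-E Master election as this chapter describes it (added example, not Brocade code).

Modelled rules: the Owner has priority 255 (or the temporarily lowered "owner
priority" used to force abdication); a Backup uses its configured priority;
each tracked port that is down lowers the current priority by the track
priority; a Backup with a higher priority takes the VRID from a Backup that
has become Master only when its preempt mode is on.  Assumed (not stated in
the text): the Owner always reclaims the VRID once reachable, and ties go to
the name that sorts last.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

OWNER_PRIORITY = 255


@dataclass
class VrrpRouter:
    name: str
    owner: bool = False
    priority: int = 100                         # backup [priority]; default is 100
    track_priority: int = 0                     # owner/backup track-priority
    track_ports: Dict[str, bool] = field(default_factory=dict)  # port -> link is up
    preempt: bool = True                        # backup preempt mode (default on)
    reachable: bool = True                      # False once its Hellos stop arriving
    owner_priority: Optional[int] = None        # "owner priority N": forces abdication

    def current_priority(self) -> int:
        """Base priority minus track-priority for every tracked port that is down."""
        if self.owner:
            base = OWNER_PRIORITY if self.owner_priority is None else self.owner_priority
        else:
            base = self.priority
        ports_down = sum(1 for up in self.track_ports.values() if not up)
        return max(base - ports_down * self.track_priority, 0)


def elect_master(routers: List[VrrpRouter], current: Optional[str]) -> Optional[str]:
    """Name of the Master for the VRID after one election round.

    current is the present Master's name, or None if no router holds the VRID.
    """
    live = [r for r in routers if r.reachable]
    if not live:
        return None
    best = max(live, key=lambda r: (r.current_priority(), r.name))
    master = next((r for r in live if r.name == current), None)
    if master is None:
        # Master failed (Hellos stopped) or never existed: highest priority takes over.
        return best.name
    if best.current_priority() <= master.current_priority():
        return master.name                      # nobody outranks the Master
    # The Owner always wins; a Backup displaces the Master only with preempt enabled.
    if best.owner or best.preempt:
        return best.name
    return master.name


def main() -> None:
    # Constructed scenario modelled on Figure 185's Switch 1 (Owner, track-port
    # ethernet 2/4, track-priority 20) plus a Backup configured with priority 110.
    owner = VrrpRouter("Switch1", owner=True, track_priority=20,
                       track_ports={"ethernet 2/4": True})
    backup = VrrpRouter("Router2", priority=110, track_priority=20,
                        track_ports={"ethernet 2/4": True})
    vrid = [owner, backup]
    master = elect_master(vrid, None)
    print("initial:", master)                          # Switch1
    owner.track_ports["ethernet 2/4"] = False
    master = elect_master(vrid, master)
    print("owner port down (255-20=235):", master)     # still Switch1
    owner.reachable = False
    master = elect_master(vrid, master)
    print("owner unreachable:", master)                # Router2
    owner.reachable = True
    master = elect_master(vrid, master)
    print("owner back:", master)                       # Switch1
    owner.owner_priority = 100                         # "owner priority 100", below 110
    master = elect_master(vrid, master)
    print("owner abdicates:", master)                  # Router2


if __name__ == "__main__":
    main()
```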
Displaying VRRP and VRRP-E information
To display summary information for IPv6 VRRP-E v3, enter the show ipv6 vrrp-extended brief command at any level of the CLI.
TABLE 278 CLI display of VRRP or VRRP-E summary information (Continued)
Field    Description
VRID     The VRID configured on this interface. If multiple VRIDs are configured on the interface, information for each VRID is listed in a separate row.
CurPri   The current VRRP or VRRP-E priority of this Layer 3 switch for the VRID.
P        Whether the backup preempt mode is enabled. If the backup preempt mode is enabled, this field contains a “P”.

The following example is for a VRRP Backup.
Brocade#show ip vrrp
Total number of VRRP routers defined: 1
Interface ethernet v3
auth-type simple text password
VRID 3
state backup
administrative-status enabled
mode non-owner(backup)
priority 110
current priority 110
hello-interval 1000 msec
dead-interval 0 msec
current dead-interval 3500 msec
preempt-mode true
ip-address 172.21.3.1
virtual mac address 0000.5e00.0103
advertise backup: enabled
next hello sent in 00:00:26.

The ve option specifies a virtual interface. If you use this option, the command displays VRRP or VRRP-E information only for the specified virtual interface. The stat option displays statistics. Refer to “Displaying statistics” on page 1692. Table 279 shows a description of the output for the show ip vrrp and show ip vrrp-extended commands.
TABLE 279 CLI display of VRRP or VRRP-E detailed information (Continued)
Field               Description
current priority    The current VRRP, VRRP v3, VRRP-E, or IPv6 VRRP-E priority of this Layer 3 switch for the VRID.

TABLE 279 CLI display of VRRP or VRRP-E detailed information (Continued)
Field               Description
next hello sent in  How long until the Backup sends its next Hello message.
                    NOTE: This field applies only when this Layer 3 switch is the Master and the Backup is configured to send Hello messages (the advertise backup option is enabled).

Brocade#show ipv6 vrrp vrid 1
VRID 1
Interface ethernet 5
state backup
administrative-status enabled
version v3
mode non-owner(backup)
priority 100
current priority 100
hello-interval 1000 msec
dead-interval 0 msec
current dead-interval 3000 msec
preempt-mode true
ip-address a7a7:a7a7:a7a7::1
virtual mac address 0000.5e00.
TABLE 280 Output from the show ip vrrp vrid command (Continued)
Field                  Description
current dead interval  The current value of the dead interval. This value is equal to the value configured for the dead interval. If the value for the dead interval is not configured, then the current dead interval is equal to three times the Hello interval plus Skew time (where Skew time is equal to 256 minus priority, divided by 256).
                       NOTE: This field does not apply to VRRP Owners.

Table 281 shows a description of the output for the show ip vrrp stat and show ip vrrp-extended stat commands.
TABLE 281 CLI display of VRRP or VRRP-E statistics
Field        Description
Interface statistics
Interface    The interface on which VRRP or VRRP-E is configured. If VRRP or VRRP-E is configured on more than one interface, the display lists the statistics separately for each interface.

Clearing VRRP or VRRP-E statistics
To clear VRRP or VRRP-E statistics, enter the clear ip vrrp-stat command at the Privileged EXEC level or any configuration level of the CLI.
Brocade#clear ip vrrp-stat
Syntax: clear ip vrrp-stat
To clear IPv6 VRRP v3 or IPv6 VRRP-E v3 statistics, enter the following command at the Privileged EXEC level or any configuration level of the CLI.
Brocade#show process cpu
The system has only been up for 6 seconds.
Process Name   5Sec(%)   1Min(%)   5Min(%)   15Min(%)   Runtime(ms)
ARP            0.01      0.00      0.00      0.00       0
BGP            0.00      0.00      0.00      0.00       0
GVRP           0.00      0.00      0.00      0.00       0
ICMP           0.01      0.00      0.00      0.00       1
IP             0.00      0.00      0.00      0.00       0
OSPF           0.00      0.00      0.00      0.00       0
RIP            0.00      0.00      0.00      0.00       0
STP            0.00      0.00      0.00      0.00       0
VRRP           0.00      0.00      0.00      0.00       0
To display utilization statistics for a specific number of seconds, enter a command such as the following.

Displaying VRRP and VRRP-E information for IPv6
You can display information for IPv6 VRRP or VRRP-E v3.
Displaying detailed information for IPv6 VRRP v3 and IPv6 VRRP-E v3
To display information for an IPv6 VRRP Owner, enter the show ipv6 vrrp command at any level of the CLI.

Brocade#show ipv6 vrrp
Total number of VRRP routers defined: 26
Interface ethernet v52
auth-type no authentication
VRID 52
state backup
administrative-status enabled
version v3
mode non-owner(backup)
priority 101
current priority 20
track-priority 20
hello-interval 100 msec
dead-interval 0 msec
current dead-interval 300 msec
preempt-mode true
ipv6-address 2172:52::52:3
virtual mac address 0000.5e00.0234
advertise backup: enabled
next hello sent in 00:00:36.

Configuration examples
The following sections contain the CLI commands for implementing the VRRP and VRRP-E configurations shown in Figure 185 on page 1651 and Figure 186 on page 1657.
VRRP example
To implement the VRRP configuration shown in Figure 185 on page 1651, use the following method.
Configuring Switch 1
To configure VRRP Switch 1, enter the following commands.
Brocade Switch1(config)#router vrrp
Brocade Switch1(config)#interface ethernet 1/6
Brocade Switch1(config-if-1/6)#ip-address 192.53.5.1
Brocade Switch1(config-if-1/6)#ip vrrp vrid 1
Brocade Switch1(config-if-1/6-vrid-1)#owner track-priority 20
Brocade Switch1(config-if-1/6-vrid-1)#track-port ethernet 2/4
Brocade Switch1(config-if-1/6-vrid-1)#ip-address 192.53.5.

Syntax: router vrrp
Syntax: ip vrrp vrid
Syntax: owner [track-priority ]
Syntax: backup [priority ] [track-priority ]
Syntax: track-port ethernet [/] | ve
Syntax: ip-address
Syntax: activate
VRRP-E example
To implement the VRRP-E configuration shown in Figure 186 on page 1657, use the following CLI method.
Configuring Switch 1
To configure VRRP Switch 1 in Figure 186 on page 1657, enter the following commands.

Brocade Switch2(config-if-5/1-vrid-1)#exit
Brocade Switch2(config)#interface ethernet 5/1
Brocade Switch2(config-if-5/1)#ip vrrp-extended vrid 2
Brocade Switch2(config-if-5/1-vrid-1)#backup priority 110 track-priority 20
Brocade Switch2(config-if-5/1-vrid-1)#track-port ethernet 2/4
Brocade Switch2(config-if-5/1-vrid-1)#ip-address 192.53.5.
Chapter 40 Rule-Based IP ACLs
Table 282 and Table 283 list the individual Brocade FastIron switches and Access Control List (ACL) features they support. Table 282 lists the features supported on inbound traffic, while Table 283 lists the features supported on outbound traffic. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.

TABLE 282 Supported ACL features on inbound traffic
Columns: Feature, FESX, FSX 800 / FSX 1600, FWS, FCX, ICX 6610, ICX 6430, ICX 6450
Hardware usage statistics: Yes Yes Yes Yes Yes
Policy-based routing (PBR) (Supported in the full Layer 3 code only): Yes No Yes Yes No
1. ICX 6430 devices have only four priority queues. See “Queues for the ICX 6430 switch” on page 1973 for more information.

ACL overview
1. ACL features for outbound traffic are only supported on specific FastIron SX 800 and FastIron SX 1600 modules. Please check with your Brocade Support representative for details.
2. DSCP CoS mapping is not supported for outgoing traffic.
This chapter describes how Access Control Lists (ACLs) are implemented and configured in the Brocade devices.
NOTE
For information about IPv6 ACLs, refer to Chapter 41, “IPv6 ACLs”.
ACL IDs and entries
ACLs consist of ACL IDs and ACL entries:
• ACL ID – An ACL ID is a number from 1 – 99 (for a standard ACL) or 100 – 199 (for an extended ACL) or a character string. The ACL ID identifies a collection of individual ACL entries. When you apply ACL entries to an interface, you do so by applying the ACL ID that contains the ACL entries to the interface, instead of applying the individual entries to the interface.

How hardware-based ACLs work
You can configure up to 99 standard numbered IP ACLs and 100 extended numbered IP ACLs. You also can configure up to 99 standard named ACLs and 100 extended named ACLs by number.
Default ACL action
The default action when no ACLs are configured on a device is to permit all traffic.

Hardware aging of Layer 4 CAM entries
Rule-based ACLs use Layer 4 CAM entries. The device permanently programs rule-based ACLs into the CAM. The entries never age out.
ACL configuration considerations
• See “ACL overview” on page 1705 for details on which devices support inbound and outbound ACLs.
• A DOS attack configuration on a port will only apply on the ingress traffic.
• Outbound ACLs cannot be configured through a RADIUS server as dynamic or user-based ACLs. However, outbound ACLs can still be configured with MAC-AUTH/DOT1X enabled, as the two are configured in different directions.
• The following ACL features and options are not supported on the FastIron devices:
  • Applying an ACL on a device that has Super Aggregated VLANs (SAVs) enabled.

Configuring standard numbered ACLs
The parameter specifies the mask value to compare against the host address specified by the parameter. The is in dotted-decimal notation (IP address format). It is a four-part value, where each part is 8 bits (one byte) separated by dots, and each bit is a one or a zero. Each part is a number ranging from 0 to 255, for example 0.0.0.255. Zeros in the mask mean the packet source address must match the .

Configuration example for standard numbered ACLs
To configure a standard ACL and apply it to incoming traffic on port 1/1, enter the following commands.
Brocade(config)#access-list 1 deny host 209.157.22.26 log
Brocade(config)#access-list 1 deny 209.157.29.
Standard named ACL configuration
The parameter allows you to specify an ACL number if you prefer. If you specify a number, you can specify from 1 – 99 for standard ACLs.
NOTE
For convenience, the software allows you to configure numbered ACLs using the syntax for named ACLs. The software also still supports the older syntax for numbered ACLs.

The host | parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied. The any parameter configures the policy to match on all host addresses. The log argument configures the device to generate Syslog entries and SNMP traps for inbound packets that are denied by the access policy.

Extended numbered ACL configuration
This section describes how to configure extended numbered ACLs.
The wildcard parameter specifies the portion of the source IP host address to match against. The wildcard is in dotted-decimal notation (IP address format). It is a four-part value, where each part is 8 bits (one byte) separated by dots, and each bit is a one or a zero. Each part is a number ranging from 0 to 255, for example 0.0.0.255. Zeros in the mask mean the packet’s source address must match the source-ip. Ones mean any value matches.

• time-exceeded
• timestamp-reply
• timestamp-request
• traffic policy
• unreachable
• num
NOTE
The QoS options listed below are only available if a specific ICMP type is specified for the icmp-type parameter and cannot be used with the any-icmp-type option above. See “QoS options for IP ACLs” on page 1740 for more information on using ACLs to perform QoS.
The tcp/udp comparison operator parameter specifies a comparison operator for the TCP or UDP port number.

The precedence name | num parameter of the ip access-list command specifies the IP precedence. The precedence of an IP packet is set in a three-bit field following the four-bit header-length field of the packet’s header. You can specify one of the following:
• critical or 5 – The ACL matches packets that have the critical precedence. If you specify the option number instead of the name, specify number 5.

The 802.1p-priority-matching option inspects the 802.1p bit in the ACL that can be used with adaptive rate limiting. Enter a value from 0 – 7. For details, refer to “Inspecting the 802.1p bit in the ACL for adaptive rate limiting” on page 1781. The dscp-cos-mapping option maps the DSCP value in incoming packets to a hardware table that provides mapping of each of the 0 – 63 DSCP values, and distributes them among eight traffic classes (internal priorities) and eight 802.
Brocade(config)#access-list 102 perm icmp 209.157.22.0/24 209.157.21.0/24
Brocade(config)#access-list 102 deny igmp host rkwong 209.157.21.0/24 log
Brocade(config)#access-list 102 deny igrp 209.157.21.0/24 host rkwong log
Brocade(config)#access-list 102 deny ip host 209.157.21.100 host 209.157.22.1 log
Brocade(config)#access-list 102 deny ospf any any log
Brocade(config)#access-list 102 permit ip any any
The first entry permits ICMP traffic from hosts in the 209.157.

The fourth entry denies UDP packets from any source to the 209.157.22.x network, if the UDP port number from the source network is 5 or 6 and the destination UDP port is 7 or 8. The fifth entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL. The following commands apply ACL 103 to the incoming traffic on ports 2/1 and 2/2.
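An added reference model (written for this edit, not code from the guide) of the ACL matching rules this chapter describes: the wildcard mask where zero bits must match and one bits are ignored, the host/any/CIDR shorthands, first-match evaluation in entry order, the implicit deny when no entry matches, and the log keyword, which the chapter says produces Syslog entries only for denied packets. The sample entries are constructed from the ACL 102 example above with its hostname entries left out, and the log message format is only modelled on the show log example given later in the chapter.

```python
"""Reference model of the IPv4 ACL matching rules described in this chapter
(added example, not FastIron code): standard ACLs (IDs 1-99, source only) and
extended ACLs (IDs 100-199, protocol, source, destination, optional "eq" ports),
the wildcard rule (0 bits must match, 1 bits are ignored), any/host/CIDR shorthands,
first-match evaluation, the implicit deny, and "log", which records a denied packet
in a line modelled on the chapter's Syslog example. Hostnames are not resolved, and
options not modelled here (precedence, dscp-marking, ...) raise ValueError.
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = 0xFFFFFFFF
PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "tcp": 6, "igrp": 9, "udp": 17, "ospf": 89}
PORT_NAMES = {"ftp": 21, "http": 80}          # port names the chapter's examples use
Entry = namedtuple("Entry", "acl_id action proto src dst sport dport log")
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AddrMatch:
    addr: int
    wildcard: int                             # 1 bits: don't care; 0 bits: must match

    def covers(self, ip: str) -> bool:
        return ((_ip(ip) ^ self.addr) & ~self.wildcard & ANY) == 0


def parse_addr(t: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse 'any' | 'host A' | 'A/len' | 'A W' at t[i]; return the match and the next index."""
    if t[i] == "any":
        return AddrMatch(0, ANY), i + 1
    if t[i] == "host":
        return AddrMatch(_ip(t[i + 1]), 0), i + 2
    if "/" in t[i]:                           # CIDR expands to the wildcard form
        net = ipaddress.IPv4Network(t[i], strict=False)
        return AddrMatch(int(net.network_address), int(net.hostmask)), i + 1
    return AddrMatch(_ip(t[i]), _ip(t[i + 1])), i + 2


def parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port|name>' at t[i]."""
    if i < len(t) and t[i] == "eq":
        return (PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line}")
    acl_id, action, i = int(t[1]), t[2], 3
    proto = sport = dport = None              # proto None means any IP protocol ("ip")
    if 1 <= acl_id <= 99:                     # standard ACL: source address only
        src, i = parse_addr(t, i)
        dst = AddrMatch(0, ANY)
    elif 100 <= acl_id <= 199:                # extended ACL: protocol, source, destination
        if t[i] != "ip":
            proto = PROTO_NUMBERS[t[i]] if t[i] in PROTO_NUMBERS else int(t[i])
        src, i = parse_addr(t, i + 1)
        sport, i = parse_port(t, i)
        dst, i = parse_addr(t, i)
        dport, i = parse_port(t, i)
    else:
        raise ValueError(f"ACL ID {acl_id} is outside 1-99 (standard) and 100-199 (extended)")
    log = i < len(t) and t[i] == "log"
    if log:
        i += 1
    if i != len(t):
        raise ValueError(f"unsupported option {t[i]!r} in: {line}")
    return Entry(acl_id, action, proto, src, dst, sport, dport, log)


def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto is None or e.proto == p.proto)
            and e.src.covers(p.src) and e.dst.covers(p.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry decides; no match is the implicit deny, which is never logged."""
    for e in entries:
        if matches(e, p):
            msg = None
            if e.log and e.action == "deny":  # only denied packets are logged
                name = next((k for k, v in PROTO_NUMBERS.items() if v == p.proto), str(p.proto))
                msg = f"ACL: List {e.acl_id} denied {name} {p.src}({p.sport}) -> {p.dst}({p.dport})"
            return e.action, msg
    return "deny", None


# Constructed from the chapter's ACL 102 example, with the hostname entries left out.
ACL_102 = [parse_entry(l) for l in (
    "access-list 102 permit icmp 209.157.22.0/24 209.157.21.0/24",
    "access-list 102 deny ip host 209.157.21.100 host 209.157.22.1 log",
    "access-list 102 deny ospf any any log",
    "access-list 102 permit ip any any",
)]
```

Calling evaluate(ACL_102, Packet("209.157.21.100", "209.157.22.1", 6, 1234, 22)) returns ("deny", ...) with a log line, while a packet that matches no entry of a list without a final permit returns ("deny", None), the silent implicit deny.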
Extended named ACL syntax
Syntax: [no] ip access-list extended deny | permit | [ ] | [ | ] [ ] [802.1p-priority-matching <0 –7>] [dscp-cos-mapping ] [dscp-marking <0-63> [802.1p-priority-marking <0 –7>...

The destination-ip | hostname parameter specifies the destination IP host for the policy. If you want the policy to match on all destination addresses, enter any. The icmp-type | icmp-num parameter specifies the ICMP protocol type:
• This parameter applies only if you specified icmp as the ip-protocol value.
• If you use this parameter, the ACL entry is sent to the CPU for processing.
• If you do not specify a message type, the ACL applies to all types of ICMP messages.

NOTE
This operator applies only to destination TCP ports, not source TCP ports.
• gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.
• lt – The policy applies to TCP or UDP port numbers that are less than the port number or the numeric equivalent of the port name you enter after lt.

• max-reliability or 2 – The ACL matches packets that have the maximum reliability ToS. The decimal value for this option is 2.
• max-throughput or 4 – The ACL matches packets that have the maximum throughput ToS. The decimal value for this option is 4.
• min-delay or 8 – The ACL matches packets that have the minimum delay ToS. The decimal value for this option is 8.
• min-monetary-cost or 1 – The ACL matches packets that have the minimum monetary cost ToS.
• You can enable logging on inbound ACLs and filters that support logging even when the ACLs and filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or filter. The software replaces the ACL or filter command with the new one. The new ACL or filter, with logging enabled, takes effect immediately.

Brocade(config)#access-list 140 permit tcp any any eq 80
Brocade(config)#access-list 140 permit tcp any any eq ftp
Brocade#show ip access-lists 140
Extended IP access list 140
permit tcp any any eq http
permit tcp any any eq ftp
Brocade(config)#ip preserve-ACL-user-input-format
Brocade#show ip access-lists 140
Extended IP access list 140
permit tcp any any eq 80
permit tcp any any eq ftp
ACL comment text management
ACL comment text describes entries in an ACL.

The standard | extended parameter indicates the ACL type.
Adding a comment to an entry in a named ACL
To add comments to entries in a named ACL, enter commands such as the following.
Brocade(config)#ip access-list extended TCP/UDP
Brocade(config-ext-nACL)#remark The following line permits TCP packets
Brocade(config-ext-nACL)#permit tcp 192.168.4.40/24 2.2.2.2/24
Brocade(config-ext-nACL)#remark The following permits UDP packets
Brocade(config-ext-nACL)#permit udp 192.168.2.

Syntax: show running-config
The following example shows the comment text for an ACL in a show access-list display. The output is identical in a show ip access-list display.
Brocade#show access-list
IP access list rate-limit 100 aaaa.bbbb.cccc
Extended IP access list TCP/UDP (Total flows: N/A, Total packets: N/A)
ACL Remark: The following line permits TCP packets
permit tcp 0.0.0.40 255.255.255.0 0.0.0.2 255.255.255.
Brocade(config-ext-nACL)#permit ip 10.15.1.0 0.0.0.255 any log
Brocade(config-ext-nACL)#permit ip 192.168.10.0 0.0.0.255 any log
Brocade(config-ext-nACL)#end
Brocade#
ACL logging
Brocade devices support ACL logging of inbound packets that are sent to the CPU for processing (denied packets).
NOTE
ACL logging is not supported for outbound packets or any packets that are processed in hardware (permitted packets).

• When an ACL that includes an entry with a logging option is applied to a port that has logging enabled, and then the same ACL is applied to another port on the same system, traffic on the latter port is also logged, whether logging is explicitly enabled for that latter port or not.

NOTE
The ACL-logging command shown above is not required for FWS devices.
Syntax: ACL-logging
The ACL-logging command applies to IPv4 devices only. For IPv6 devices, use the logging-enable command as shown in the following example. The following shows an example configuration on an IPv6 device.

Brocade#show log
Syslog logging: enabled (0 messages dropped, 2 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 9 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Dynamic Log Buffer (50 lines):
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 20.20.15.6(0)(Ethernet 4 20.20.18.6(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 20.20.15.2(0)(Ethernet 4 20.20.18.
Enabling ACL support for switched traffic in the router image
NOTE
The bridged-routed CLI parameter applies to FSX and FESX devices only. For FWS, Brocade FCX Series and ICX devices, ACL support for switched traffic in the router image is enabled by default. There is no command to enable or disable it. For outbound traffic, ACL support is enabled on switched traffic by default. The bridged-routed command is not applicable.

Enabling ACL filtering based on VLAN membership or VE port membership
NOTE
This section applies to IPv4 ACLs only. IPv6 ACLs do not support ACL filtering based on VLAN membership or VE port membership. This feature is not applicable to outbound traffic.
You can apply an inbound IPv4 ACL to specific VLAN members on a port (Layer 2 devices only) or to specific ports on a virtual interface (VE) (Layer 3 Devices only).

When you bind an IPv4 ACL to a port, the port filters all inbound traffic on the port. However, on a tagged port, there may be a need to treat packets for one VLAN differently from packets for another VLAN. In this case, you can configure a tagged port on a Layer 2 device to filter packets based on the packets’ VLAN membership. To apply an IPv4 ACL to a specific VLAN on a port, enter commands such as the following.

To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following.
Brocade(config)#enable ACL-per-port-per-vlan
...
Brocade(config)#vlan 10 name IP-subnet-vlan
Brocade(config-vlan-10)#untag ethernet 1/1 to 2/12
Brocade(config-vlan-10)#router-interface ve 1
Brocade(config-vlan-10)#exit
Brocade(config)#access-list 1 deny host 209.157.22.26 log
Brocade(config)#access-list 1 deny 209.157.29.
ACLs to filter ARP packets
Normally ARP hijacking is not a problem because IP assignments are done dynamically; however, in some cases, ARP hijacking can occur, such as when a configuration allows a router interface to share the IP address of another router interface. Since multiple VLANs and the router interfaces that are associated with each of the VLANs share the same IP segment, it is possible for two hosts in two different VLANs to fight for the same IP address in that segment.

The parameter identifies the ID of the standard ACL that will be used to filter the packet. Only the source and destination IP addresses will be used to filter the ARP packet. You can do one of the following for :
• Enter an ACL ID to explicitly specify the ACL to be used for filtering. In the example above, the line FastIron(config-ve-2)#ip use-ACL-on-arp 103 specifies ACL 103 to be used as the filter.

Filtering on IP precedence and ToS values
To configure an extended IP ACL that matches based on IP precedence, enter commands such as the following.
Brocade(config)#access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24 precedence internet
Brocade(config)#access-list 103 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24 precedence 6
Brocade(config)#access-list 103 permit ip any any
The first entry in this ACL denies TCP traffic from the 209.157.21.
QoS options for IP ACLs
Quality of Service (QoS) options enable you to perform QoS for packets that match the ACLs. Using an ACL to perform QoS is an alternative to directly setting the internal forwarding priority based on incoming port, VLAN membership, and so on. (This method is described in “QoS priorities-to-traffic assignment” on page 1978.) The following QoS ACL options are supported:
• dscp-cos-mapping – This option is similar to the dscp-matching command (described below).

or
FastIron(config)#access-list 101 permit ip any any 802.1p-priority-marking
or
FastIron(config)#access-list 101 permit ip any any internal-priority-marking 6
The following command is not supported.
FastIron(config)#access-list 101 permit ip any any dscp-marking 43 802.1p-priority-marking 4 internal-priority-marking 6
Using an ACL to map the DSCP value (DSCP CoS mapping)
NOTE
The dscp-cos-mapping option is supported on FSX and FESX devices only.

Using an IP ACL to mark DSCP values (DSCP marking)
The dscp-marking option for extended ACLs allows you to configure an ACL that marks matching packets with a specified DSCP value. You also can use DSCP marking to assign traffic to a specific hardware forwarding queue (refer to “Using an ACL to change the forwarding queue” on page 1743). For example, the following commands configure an ACL that marks all IP packets with DSCP value 5.
• SX-48GCPP modules
• All FastIron SX modules released in hardware release 07.3.00 and later releases, including:
  • SX-FI24GPP
  • SX-FI24HF
  • SX-FI2XG
  • SX-FI8XG
Priority values range from 0 to 7. Two new ACL parameters support this feature, one required for priority marking and one optional for internal priority marking. These parameters apply to IP, TCP, and UDP.
For IP
Brocade(config)#acc 104 per ip any any 802.

The internal-priority-marking <0 – 7> parameter assigns traffic that matches the ACL to a specific hardware forwarding queue (qosp0 – qosp7).
NOTE
The internal-priority-marking parameter overrides port-based priority settings. On the FCX platform, using either 802.1p-priority-marking or 802.1p-priority-marking with internal-priority-marking performs both marking and internal prioritization.

ACL-based rate limiting
NOTE
Brocade devices support ACL-based rate limiting for inbound traffic. This feature is not supported for outbound traffic. For more details, including configuration procedures, refer to Chapter 42, “Traffic Policies”.
ACL statistics
ACL statistics is a mechanism for counting the number of packets and the number of bytes per packet to which ACL filters are applied. To see the configuration procedures for ACL statistics, refer to Chapter 42, “Traffic Policies”.
Displaying ACL information The following displays an example of the show output for an SX 800 device in which an SX-FI48GPP interface module is installed.
Troubleshooting ACLs For flow-based ACLs, the Total flows and Flows fields list the number of Layer 4 session table flows in use for the ACL. The Total packets and Packets fields apply only to flow-based ACLs. Troubleshooting ACLs Use the following methods to troubleshoot access control lists (ACLs): • To display the number of Layer 4 CAM entries being used by each ACL, enter the show access-list | | all command. Refer to “Displaying ACL information” on page 1746.
Policy-based routing (PBR) • The number of route maps that you can define is limited by the available system memory, which is determined by the system configuration and how much memory other features use. When a route map is used in a PBR policy, the PBR policy uses up to six instances of a route map, up to five ACLs in a matching policy of each route map instance, and up to six next hops in a set policy of each route map instance.
or
Syntax: [no] access-list deny | permit / |
Syntax: [no] access-list deny | permit host |
Syntax: [no] access-list deny | permit any
The parameter is the access list number and can be from 1 – 99. The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded).
Policy-based routing (PBR) The any parameter configures the policy to match on all host addresses. NOTE Do not use the log option in ACLs that will be used for PBR. Configuring the route map After you configure the ACLs, you can configure a PBR route map that matches based on the ACLs and sets routing information in the IP traffic. NOTE The match and set statements described in this section are the only route-map statements supported for PBR.
Policy-based routing (PBR) Enabling PBR After you configure the ACLs and route map entries, you can enable PBR globally, on individual interfaces, or both as described in this section. To enable PBR, you apply a route map you have configured for PBR globally or locally. Enabling PBR globally To enable PBR globally, enter a command such as the following at the global CONFIG level.
This command sets the next-hop IP address for traffic that matches a match statement in the route map. Setting the next hop The following commands configure the Brocade device to apply PBR to traffic from IP subnets 209.157.23.x, 209.157.24.x, and 209.157.25.x. In this example, route maps specify the next-hop gateway for packets from each of these subnets:
• Packets from 209.157.23.x are sent to 192.168.2.1.
• Packets from 209.157.24.x are sent to 192.168.2.2.
Alternatively, you can enable PBR on specific interfaces, as shown in the following example. The commands in this example configure IP addresses in the three source subnets identified in ACLs 50, 51, and 52, then apply route map test-route to the interface.
Brocade(config)#interface ve 1
Brocade(config-vif-1)#ip address 209.157.23.1/24
Brocade(config-vif-1)#ip address 209.157.24.1/24
Brocade(config-vif-1)#ip address 209.157.25.
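To make the route-map evaluation order concrete, here is an added Python model (example code written for this page, not FastIron code) of PBR for the three subnets above: standard ACLs 50, 51 and 52 match on source address, route-map instances are tried in sequence-number order, and the first instance whose ACL permits the packet supplies the next hop. The next hop for the 209.157.25.x subnet (192.168.2.3), the sequence numbers, the backup next hop 192.168.2.9 in instance 10, and the treatment of unreachable next hops (try the next configured hop, fall back to normal routing when none is reachable) are assumptions of the example, not statements from the guide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A standard (source-only) ACL is an ordered list of (action, prefix) entries;
# "any" matches every source address.
StdAcl = List[Tuple[str, str]]


def acl_permits(acl: StdAcl, src_ip: str) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL.

    For PBR a deny entry is modelled as 'this packet does not match the instance'
    rather than as a drop (an assumption of this example).
    """
    addr = ipaddress.IPv4Address(src_ip)
    for action, prefix in acl:
        if prefix == "any" or addr in ipaddress.IPv4Network(prefix, strict=False):
            return action == "permit"
    return False


@dataclass
class RouteMapInstance:
    seq: int                 # instance number; instances are evaluated in ascending order
    match_acls: List[int]    # 'match ip address <acl>' entries (any one of them may match)
    next_hops: List[str]     # 'set ip next-hop' addresses, tried in order


def pbr_lookup(route_map: List[RouteMapInstance], acls: Dict[int, StdAcl],
               src_ip: str, reachable: Set[str]) -> Optional[Tuple[int, str]]:
    """Return (instance seq, chosen next hop), or None when the packet is routed normally."""
    for inst in sorted(route_map, key=lambda i: i.seq):
        if not any(acl_permits(acls[acl_id], src_ip) for acl_id in inst.match_acls):
            continue
        # Assumption: the first reachable next hop is used; if none is reachable the
        # packet falls back to the normal routing table.
        for hop in inst.next_hops:
            if hop in reachable:
                return inst.seq, hop
        return None
    return None


# ACLs 50, 51, 52 for the three source subnets named in the guide
ACLS: Dict[int, StdAcl] = {
    50: [("permit", "209.157.23.0/24")],
    51: [("permit", "209.157.24.0/24")],
    52: [("permit", "209.157.25.0/24")],
}

# Route map "test-route"; the 192.168.2.9 backup hop and 192.168.2.3 are constructed
TEST_ROUTE: List[RouteMapInstance] = [
    RouteMapInstance(10, [50], ["192.168.2.1", "192.168.2.9"]),
    RouteMapInstance(20, [51], ["192.168.2.2"]),
    RouteMapInstance(30, [52], ["192.168.2.3"]),
]


def demo(reachable: Set[str]) -> Dict[str, Optional[Tuple[int, str]]]:
    # Constructed sample source addresses, one per subnet plus one that matches nothing
    return {src: pbr_lookup(TEST_ROUTE, ACLS, src, reachable)
            for src in ("209.157.23.10", "209.157.24.77", "209.157.25.200", "10.0.0.1")}


if __name__ == "__main__":
    all_up = {"192.168.2.1", "192.168.2.2", "192.168.2.3", "192.168.2.9"}
    for src, result in demo(all_up).items():
        print(f"{src:16s} -> {result}")
    print("with 192.168.2.1 down:", demo(all_up - {"192.168.2.1"})["209.157.23.10"])
```

The unmatched 10.0.0.1 source shows why an ACL used for PBR should enumerate exactly the traffic to be steered: anything it does not permit simply takes the normal forwarding path.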
Chapter 41 IPv6 ACLs Table 286 lists the individual Brocade FastIron switches and the IPv6 Access Control Lists (ACL) features they support. These features are supported in Brocade FastIron switches that can be configured as an IPv6 host in an IPv6 network, and in devices that support IPv6 routing. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
IPv6 ACL overview You can configure an IPv6 ACL on a global basis, then apply it to the incoming IPv6 packets on specified interfaces. You can apply only one IPv6 ACL to an interface. When an interface receives an IPv6 packet, it applies the statements within the ACL in their order of appearance to the packet. As soon as a match occurs, the Brocade device takes the specified action (permit or deny the packet) and stops further comparison for that packet.
IPv6 ACL configuration notes For TCP and UDP, you also can specify a comparison operator and port name or number. For example, you can configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP) packets from a specified source IPv6 address to the website IPv6 address. IPv6 ACLs also provide support for filtering packets based on DSCP.
Configuring an IPv6 ACL
Follow the steps given below to configure an IPv6 ACL.
1. Create the ACL.
2. Enable IPv6 on the interface to which the ACL will be applied.
3. Apply the ACL to the interface.
Example IPv6 configurations To configure an access list that blocks all Telnet traffic received on port 1/1 from IPv6 host 2000:2382:e0bb::2, enter the following commands.
Here is another example.
Brocade(config)# ipv6 access-list nextone
Brocade(config-ipv6-access-list rtr)# deny tcp 2001:1570:21::/24 2001:1570:22::/24
Brocade(config-ipv6-access-list rtr)# deny udp any range 5 6 2001:1570:22::/24
Brocade(config-ipv6-access-list rtr)# permit ipv6 any any
Brocade(config-ipv6-access-list rtr)# write memory
The first condition in this ACL denies TCP traffic from the 2001:1570:21::x network to the 2001:1570:22::x network.
• If you want to secure access in environments with many users, you might want to configure ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of each ACL. The permit entry permits packets that are not denied by the deny entries.
Every IPv6 ACL has the following implicit conditions as its last match conditions.
• permit icmp any any nd-na – Allows ICMP neighbor discovery acknowledgements.
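To make the first-match semantics and the implicit trailing entries concrete, here is an added Python model of IPv6 ACL evaluation; it is example code written for this page, not FastIron code. It evaluates the nextone ACL from the configuration example above and appends the implicit entries: the guide's permit icmp any any nd-na, plus permit icmp any any nd-ns and the closing deny ipv6 any any, which are assumed here to complete the list. The Rule and evaluate names and the packet dictionaries are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ICMPv6 message types behind the nd-ns / nd-na keywords (RFC 4443 / RFC 4861 values)
ICMPV6_ND_NS = 135  # neighbor solicitation
ICMPV6_ND_NA = 136  # neighbor advertisement


@dataclass
class Rule:
    """One IPv6 ACL entry. proto 'ipv6' matches any protocol; 'any' matches any prefix."""
    action: str                                   # "permit" or "deny"
    proto: str                                    # "ipv6", "tcp", "udp" or "icmp"
    src: str = "any"                              # source prefix, e.g. "2001:1570:21::/24"
    dst: str = "any"                              # destination prefix
    src_ports: Optional[Tuple[int, int]] = None   # inclusive source port range
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive destination port range
    icmp_type: Optional[int] = None               # ICMPv6 type; None = all types

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ipv6" and pkt["proto"] != self.proto:
            return False
        if not (_in_prefix(self.src, pkt["src"]) and _in_prefix(self.dst, pkt["dst"])):
            return False
        if self.src_ports and not _in_range(pkt.get("sport"), self.src_ports):
            return False
        if self.dst_ports and not _in_range(pkt.get("dport"), self.dst_ports):
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


def _in_prefix(prefix: str, addr: str) -> bool:
    if prefix == "any":
        return True
    # strict=False accepts prefixes written with host bits set, as CLI examples often are
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)


def _in_range(port: Optional[int], rng: Tuple[int, int]) -> bool:
    return port is not None and rng[0] <= port <= rng[1]


# Implicit entries appended to every IPv6 ACL. nd-na is listed in the guide; nd-ns and
# the final deny are assumed here to complete the list.
IMPLICIT_TAIL: List[Rule] = [
    Rule("permit", "icmp", icmp_type=ICMPV6_ND_NA),
    Rule("permit", "icmp", icmp_type=ICMPV6_ND_NS),
    Rule("deny", "ipv6"),
]


def evaluate(acl: List[Rule], pkt: Dict) -> Tuple[str, int]:
    """Apply entries in order and stop at the first match.

    Returns (action, index). An index >= len(acl) means an implicit entry decided.
    """
    for index, rule in enumerate(list(acl) + IMPLICIT_TAIL):
        if rule.matches(pkt):
            return rule.action, index
    raise RuntimeError("unreachable: the implicit deny matches every packet")


# The "nextone" ACL from the configuration example above, as rules
NEXTONE: List[Rule] = [
    Rule("deny", "tcp", "2001:1570:21::/24", "2001:1570:22::/24"),
    Rule("deny", "udp", "any", "2001:1570:22::/24", src_ports=(5, 6)),
    Rule("permit", "ipv6"),
]

# An ACL with no explicit permit, to show the implicit tail at work
DENY_TCP_ONLY: List[Rule] = [Rule("deny", "tcp")]


def demo() -> Dict[str, Tuple[str, int]]:
    # Constructed sample packets (not from the guide)
    tcp_pkt = {"proto": "tcp", "src": "2001:1570:21::5", "dst": "2001:1570:22::9", "sport": 40000, "dport": 22}
    udp_low = {"proto": "udp", "src": "2001:db8::1", "dst": "2001:1570:22::9", "sport": 5, "dport": 53}
    udp_high = {"proto": "udp", "src": "2001:db8::1", "dst": "2001:1570:22::9", "sport": 5353, "dport": 53}
    nd_adv = {"proto": "icmp", "src": "fe80::1", "dst": "ff02::1", "icmp_type": ICMPV6_ND_NA}
    return {
        "tcp via nextone": evaluate(NEXTONE, tcp_pkt),
        "udp sport 5 via nextone": evaluate(NEXTONE, udp_low),
        "udp sport 5353 via nextone": evaluate(NEXTONE, udp_high),
        "nd-na via deny-tcp-only": evaluate(DENY_TCP_ONLY, nd_adv),
        "udp via deny-tcp-only": evaluate(DENY_TCP_ONLY, udp_high),
    }


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:28s} -> {action} (entry {idx})")
```

Note that the /24 prefixes in the nextone example cover far more than the 2001:1570:21:: and 2001:1570:22:: networks the prose names (both fall inside 2001:1500::/24), which the model makes visible; when writing real ACLs, check prefix lengths against the address plan.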
Creating an IPv6 ACL Creating an IPv6 ACL Before an IPv6 ACL can be applied to an interface, it must first be created, and then IPv6 must be enabled on that interface.
Creating an IPv6 ACL [dscp-marking dscp-cos-mapping] [dscp-cos-mapping] For TCP Syntax: [no] ipv6 access-list Syntax: permit | deny | any | host [tcp-udp-operator [source-port-number]] | any | host [tcp-udp-operator [destination-port- number]] [ipv6-operator []] [802.1p-priority-matching ] [dscp-marking 802.
TABLE 287 Syntax descriptions
IPv6 ACL arguments – Description
ipv6 access-list – Enables the IPv6 configuration level and defines the name of the IPv6 ACL. The can contain up to 199 characters and numbers, but cannot begin with a number and cannot contain any spaces or quotation marks.
permit – The ACL will permit (forward) packets that match a policy in the access list.
deny – The ACL will deny (drop) packets that match a policy in the access list.
TABLE 287 Syntax descriptions (Continued)
// – The // parameter specifies a source prefix and prefix length that a packet must match for the specified action (deny or permit) to occur. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the parameter as a decimal value.
TABLE 287 Syntax descriptions (Continued)
ipv6-operator – Allows you to filter the packets further by using one of the following options:
dscp – The policy applies to packets that match the traffic class value in the traffic class field of the IPv6 packet header. This operator allows you to filter traffic based on TOS or IP precedence. You can specify a value from 0 – 63.
TABLE 287 Syntax descriptions (Continued)
dscp-marking – Use the dscp-marking dscp-cos-mapping parameters to specify a DSCP value and map that value to an internal QoS table to obtain the packet's new QoS value. The following occurs when you use these parameters.
• You enter 0 – 63 for the dscp-marking parameter.
• router-renumbering
• router-solicitation
• time-exceeded
• unreachable
NOTE If you do not specify a message type, the ACL applies to all ICMP message types.
Enabling IPv6 on an interface to which an ACL will be applied Enabling IPv6 on an interface to which an ACL will be applied Before an IPv6 ACL can be applied to an interface, it must first be created, and then IPv6 must be enabled on that interface. To enable IPv6 on an interface, enter ipv6 enable at the Interface level of the CLI, or assign an IPv6 address to the interface, as described in “IPv6 configuration on each router interface” on page 362.
Adding a comment to an IPv6 ACL entry Syntax for applying an IPv6 ACL NOTE The ipv6 traffic-filter in command is supported on FCX, ICX 6610, ICX 6430, ICX 6450, and FESX devices only. The command is not supported on FSX, FLS, FGS, and FWS devices.
Syntax: ipv6 traffic-filter in
For the parameter, specify the name of an IPv6 ACL created using the ipv6 access-list command. The in keyword applies the specified IPv6 ACL to incoming IPv6 packets on the interface.
Deleting a comment from an IPv6 ACL entry The following shows the comment text for the ACL named "rtr" in a show running-config display.
Displaying IPv6 ACLs
Brocade#show ipv6 access-list
ipv6 access-list v6-ACL1: 1 entries
 deny ipv6 any any
ipv6 access-list v6-ACL2: 1 entries
 permit ipv6 any any
ipv6 access-list v6-ACL3: 2 entries
 deny ipv6 2001:aa:10::/64 any
 permit ipv6 any any
ipv6 access-list v6-ACL4: 2 entries
 deny ipv6 2002:aa::/64 any
 permit ipv6 any any
ipv6 access-list rate-ACL: 1 entries
 permit ipv6 any any traffic-policy rate800M
ipv6 access-list v6-ACL5: 8 entries
 permit tcp 2002:bb::/64 any
 permit ipv6 2002:bb::/64 any
 permit
Chapter 42 Traffic Policies Table 288 lists the individual Brocade FastIron switches and the traffic policy features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Traffic policies overview
• ACL counting policy
• Combined rate limiting and ACL counting policy
The maximum number of supported active TPDs is a system-wide parameter and depends on the device you are configuring. The total number of active TPDs cannot exceed the system maximum. Refer to “Maximum number of traffic policies supported on a device” on page 1775.
Maximum number of traffic policies supported on a device TABLE 289 CoS parameters for packets that use rate limiting traffic policies Packet conformance level Packet DSCP value Traffic class and 802.
ACL-based rate limiting using traffic policies Setting the maximum number of traffic policies supported on a Layer 3 device NOTE This configuration is supported on FastIron devices with the exception of the FCX platforms. Setting the system-max for traffic policies is not required on FCX platforms as the default number of traffic policies is also the maximum number. If desired, you can adjust the maximum number of active traffic policies that a Layer 3 device will support.
• Specific VLAN members on a port (refer to “Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)” on page 1734)
• A subset of ports on a virtual interface (refer to “Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)” on page 1735)
Support for fixed rate limiting and adaptive rate limiting NOTE ACL-based fixed rate limiting is supported on all FastIron devices.
The previous commands configure a fixed rate limiting policy that allows port e5 to receive a maximum traffic rate of 100 kbps. If the port receives additional bits during a given one-second interval, the port drops the additional inbound packets that are received within that one-second interval.
Syntax: [no] traffic-policy rate-limit fixed exceed-action [count]
Syntax: access-list permit | deny....
TABLE 290 ACL based adaptive rate limiting parameters
Parameter – Definition
Committed Information Rate (CIR) – The guaranteed kilobit rate of inbound traffic that is allowed on a port.
Committed Burst Size (CBS) – The number of bytes per second allowed in a burst before some packets will exceed the committed information rate. Larger bursts are more likely to exceed the rate limit. The CBS must be a value greater than zero (0).
ACL-based rate limiting using traffic policies The software allows you to add a reference to a non-existent TPD in an ACL statement and to bind that ACL to an interface. The software does not issue a warning or error message for non-existent TPDs. Use the no form of the command to delete a traffic policy definition. Note that you cannot delete a traffic policy definition if it is currently in use on a port. To delete a traffic policy, first unbind the associated ACL.
ACL-based rate limiting using traffic policies Inspecting the 802.1p bit in the ACL for adaptive rate limiting NOTE This feature is supported on FastIron X Series IPv6 devices and Brocade FCX Series devices only. It is not supported on FastIron WS Series devices. You can configure the Brocade device to rate limit traffic for a specified 802.1p priority value. To do so, complete the following configuration steps. 1. Create an adaptive rate limiting traffic policy.
ACL statistics and rate limit counting
Brocade(config)#traffic-policy TPDAfour rate-limit adaptive cir 10000 cbs 1600 pir 20000 pbs 4000 exceed-action drop
The command configures an adaptive rate limiting policy that enforces a guaranteed committed rate of 10000 kbps and allows bursts of up to 1600 bytes. It also enforces a peak rate of 20000 kbps and allows bursts of 4000 bytes above the PIR limit.
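The CIR, CBS, PIR and PBS values above are the inputs of a two-rate, three-colour token-bucket marker. The following Python model is an added example for this page (not FastIron code): it implements the colour-blind two-rate marker from RFC 2698 with the TPDAfour values, shows how green, yellow and red conformance byte counters (like those in the show access-list accounting traffic-policy output) accumulate, and what exceed-action drop does to each colour. Whether the FastIron hardware implements exactly this algorithm is not stated in the guide; the class and method names are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TwoRateMarker:
    """Colour-blind two-rate three-colour marker (RFC 2698), fed from CLI-style units.

    cir_kbps / pir_kbps: committed and peak rates in kilobits per second, as on the
    traffic-policy command line; cbs / pbs: committed and peak burst sizes in bytes.
    """
    cir_kbps: int
    cbs: int
    pir_kbps: int
    pbs: int
    exceed_action: str = "drop"          # "drop" or "permit-at-low-priority"
    counters: Dict[str, int] = field(default_factory=lambda: {"green": 0, "yellow": 0, "red": 0})

    def __post_init__(self) -> None:
        # Both buckets start full, so an initial burst up to CBS / PBS bytes conforms
        self.tc = float(self.cbs)
        self.tp = float(self.pbs)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.last = now
        # kbps -> bytes per second: multiply by 1000 bits, divide by 8 bits per byte
        self.tc = min(float(self.cbs), self.tc + elapsed * self.cir_kbps * 125)
        self.tp = min(float(self.pbs), self.tp + elapsed * self.pir_kbps * 125)

    def mark(self, size: int, now: float) -> str:
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tp < size:
            colour = "red"                    # exceeds even the peak rate
        elif self.tc < size:
            self.tp -= size
            colour = "yellow"                 # within PIR but above CIR
        else:
            self.tp -= size
            self.tc -= size
            colour = "green"                  # within the committed rate
        self.counters[colour] += size         # byte counters, like the show output
        return colour

    def forwards(self, size: int, now: float) -> bool:
        """True when the packet is forwarded under the configured exceed action."""
        colour = self.mark(size, now)
        if self.exceed_action == "drop":
            return colour != "red"
        return True                           # permit-at-low-priority forwards red too


def run_tpdafour_burst() -> Tuple[List[str], Dict[str, int]]:
    """Values from the TPDAfour example: cir 10000 cbs 1600 pir 20000 pbs 4000 exceed-action drop."""
    marker = TwoRateMarker(cir_kbps=10000, cbs=1600, pir_kbps=20000, pbs=4000)
    # Constructed traffic: five 1000-byte packets back to back, then one more 1 ms later
    colours = [marker.mark(1000, now=0.0) for _ in range(5)]
    colours.append(marker.mark(1000, now=0.001))
    return colours, dict(marker.counters)


if __name__ == "__main__":
    colours, counters = run_tpdafour_burst()
    print("per-packet colours:", colours)
    print("byte counters:     ", counters)
```

With CBS = 1600 only the first 1000-byte packet of the burst is green; the next three draw down the 4000-byte peak bucket and are yellow; the fifth is red and, under exceed-action drop, is discarded. One millisecond later the committed bucket has refilled (10000 kbps is 1250 bytes per ms, capped at CBS) and the next packet is green again.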
ACL statistics and rate limit counting Enabling ACL statistics NOTE ACL statistics and ACL counting are used interchangeably throughout this chapter and mean the same thing. NOTE The FastIron WS does not support the use of traffic policies for ACL statistics only. However, these models do support the use of traffic policies for ACL statistics together with rate limiting traffic policies. Refer to “Enabling ACL statistics with rate limiting traffic policies” on page 1784.
ACL statistics and rate limit counting The variable is the name of the traffic policy definition. This value can be eight alphanumeric characters or less. Enabling ACL statistics with rate limiting traffic policies The configuration example in the section “Enabling ACL statistics” on page 1783 shows how to enable ACL counting without having to configure parameters for rate limiting.
Brocade#show access-list accounting traffic-policy g_voip
Traffic Policy - g_voip:
General Counters:
Port Region#        Byte Count    Packet Count
---------------------------------------------------------
7 (4/1 - 4/12)      85367040      776064
All port regions    84367040      776064
Rate Limiting Counters:
Port Region#        Green Conformance   Yellow Conformance   Red Conformance
------------------  ------------------  ------------------   -----------------
7 (4/1 - 4/12)      329114195612139520 375339868977817
Viewing traffic policies or
Syntax: clear statistics traffic-policy
The is the name of the traffic policy definition for which you want to clear traffic policy counters. Viewing traffic policies To view traffic policies that are currently defined on the Brocade device, enter the show traffic-policy command. The following example shows displayed output. Table 292 explains the output of the show traffic-policy command.
CPU rate-limiting CPU rate-limiting Unnecessary traffic to the switch CPU lowers the efficiency of the CPU and delays handling of other traffic that requires processing. CPU rate limiting is a CPU protection scheme which limits certain traffic types. CPU rate limiting identifies the traffic type and assigns a maximum rate limit to the traffic type.
Chapter 43 802.1X Port Security Table 294 lists individual Brocade switches and the 802.1X port security features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted. TABLE 294 Supported 802.1X port security features Feature FESX FSX 800 FSX 1600 FWS FCX ICX 6610 ICX 6430 ICX 6450 802.
How 802.1X port security works How 802.1X port security works This section explains the basic concepts behind 802.1X port security, including device roles, how the devices communicate, and the procedure used for authenticating clients. NOTE 802.1X Port Security cannot be configured on MAC Port Security-enabled ports. Device roles in an 802.1X configuration The 802.1X standard defines the roles of Client/Supplicant, Authenticator, and Authentication Server in a network.
How 802.1X port security works Client/Supplicant – The device that seeks to gain access to the network. Clients must be running software that supports the 802.1X standard (for example, the Windows XP operating system). Clients can either be directly connected to a port on the Authenticator, or can be connected by way of a hub. Authentication server – The device that validates the Client and specifies whether or not the Client may access services on the device.
FIGURE 190 Controlled and uncontrolled ports before and after client authentication
[Figure: Authentication Server; FastIron Switch (Authenticator) with Services, PAE, Controlled Port, Uncontrolled Port and Physical Port; 802.1X-Enabled Supplicant with PAE. Before Authentication the Controlled Port is Unauthorized; after authentication the Controlled Port is Authorized.]
How 802.1X port security works Message exchange during authentication Figure 191 illustrates a sample exchange of messages between an 802.1X-enabled Client, a FastIron switch acting as Authenticator, and a RADIUS server acting as an Authentication Server.
How 802.1X port security works • EAP-TLS (RFC 2716) – EAP Transport Level Security (TLS) provides strong security by requiring both client and authentication server to be identified and validated through the use of public key infrastructure (PKI) digital certificates. EAP-TLS establishes a tunnel between the client and the authentication server to protect messages from unauthorized users’ eavesdropping activities.
How 802.1X port security works Syntax: [no] ip mtu The parameter specifies the MTU. Ethernet II packets can hold IP packets from 576 – 1500 bytes long. If jumbo mode is enabled, Ethernet II packets can hold IP packets from 576 – 10,222 bytes long. Ethernet SNAP packets can hold IP packets from 576 – 1492 bytes long. If jumbo mode is enabled, SNAP packets can hold IP packets from 576 to 10,214 bytes long. The default MTU is 1500 for Ethernet II packets and 1492 for SNAP packets.
FIGURE 192 Multiple hosts connected to a single 802.1X-enabled port
[Figure: RADIUS Server (Authentication Server) 192.168.9.22; FastIron Switch (Authenticator), port e2/1; Hub; Clients/Supplicants running 802.1X-compliant client software.]
If there are multiple hosts connected to a single 802.1X-enabled port, the Brocade device authenticates each of them individually.
How 802.1X port security works 5. If authentication for the Client is unsuccessful the first time, multiple attempts to authenticate the client will be made as determined by the attempts variable in the auth-fail-max-attempts command. • Refer to “Specifying the number of authentication attempts the device makes before dropping packets” on page 1816 for information on how to do this. 6.
• Dynamic ACL and MAC address filter assignment in 802.1X multiple-host configurations. Refer to “Dynamically applying IP ACLs and MAC address filters to 802.1X ports” on page 1806.
• Dynamic multiple VLAN assignment for 802.1X ports. Refer to “Dynamic multiple VLAN assignment for 802.1X ports” on page 1803.
• Configure a restriction to forward authenticated and unauthenticated tagged and untagged clients to a restricted VLAN.
802.1X port security configuration 802.1X accounting When 802.1X port security is enabled on the Brocade device, you can enable 802.1X accounting. This feature enables the Brocade device to log information on the RADIUS server about authenticated 802.1X clients. The information logged on the RADIUS server includes the 802.1X client session ID, MAC address, and authenticating physical port number. 802.1X accounting works as follows. 1. A RADIUS server successfully authenticates an 802.1X client. 2. If 802.
802.1X port security configuration Configuring an authentication method list for 802.1X To use 802.1X port security, you must specify an authentication method to be used to authenticate Clients. Brocade supports RADIUS authentication with 802.1X port security. To use RADIUS authentication with 802.1X port security, you create an authentication method list for 802.1X and specify RADIUS as an authentication method, then configure communication between the Brocade device and RADIUS server.
Brocade(config)#interface ethernet 3/1
Brocade(config-if-e100-3/1)#dot1x re-auth-timeout-success 60
Syntax: [no] dot1x re-auth-timeout-success
The parameter specifies the number of seconds the device will wait to re-authenticate a user after a timeout. The minimum value is 10 seconds. The maximum value is 2^16 - 1 (the maximum unsigned 16-bit value). Deny user access to the network after a RADIUS timeout To set the RADIUS timeout behavior to bypass 802.
802.1X port security configuration NOTE This feature is supported on port-based VLANs only. This feature cannot be used to place an 802.1X-enabled port into a Layer 3 protocol VLAN. Automatic removal of dynamic VLAN assignments for 802.1X ports For increased security, this feature removes any association between a port and a dynamically-assigned VLAN when all 802.1x sessions for that VLAN have expired on the port.
802.1X port security configuration For example, to specify one VLAN, configure the following for the value in the Tunnel-Private-Group-ID attribute on the RADIUS server. "10" or "marketing" In this example, the port on which the Client is authenticated is assigned to VLAN 10 or the VLAN named "marketing". The VLAN to which the port is assigned must have previously been configured on the Brocade device. Specifying an untagged VLAN To specify an untagged VLAN, use the following.
802.1X port security configuration In this example, the port VLAN configuration is changed so that it transmits untagged traffic on VLAN 10, and transmits tagged traffic on VLAN 12 and the VLAN named "marketing". For a configuration example, refer to “802.1X Authentication with dynamic VLAN assignment” on page 1835. Saving dynamic VLAN assignments to the running-config file You can configure the Brocade device to save the RADIUS-specified VLAN assignments to the device's running-config file.
802.1X port security configuration Dynamically applying IP ACLs and MAC address filters to 802.1X ports The Brocade 802.1X implementation supports dynamically applying an IP ACL or MAC address filter to a port, based on information received from an Authentication Server.
802.1X port security configuration Disabling and enabling strict security mode for dynamic filter assignment By default, 802.1X dynamic filter assignment operates in strict security mode. When strict security mode is enabled, 802.1X authentication for a port fails if the Filter-ID attribute contains invalid information, or if insufficient system resources are available to implement the per-user IP ACLs or MAC address filters specified in the Vendor-Specific attribute.
Syntax: [no] global-filter-strict-security
To disable strict security mode for a specific interface, enter commands such as the following.
Brocade(config)#interface e 1
Brocade(config-if-e1000-1)#dot1x disable-filter-strict-security
To re-enable strict security mode for an interface, enter the following command.
Notes for dynamically applying ACLs or MAC address filters
• The in the Filter ID attribute is case-sensitive.
• You can specify only numbered MAC address filters in the Filter ID attribute. Named MAC address filters are not supported.
• Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters are not supported.
• MAC address filters are supported only for the inbound direction. Outbound MAC address filters are not supported.
Enabling 802.1X port security By default, 802.1X port security is disabled on Brocade devices. To enable the feature on the device and enter the dot1x configuration level, enter the following command.
Brocade(config)#dot1x-enable
Brocade(config-dot1x)#
Syntax: [no] dot1x-enable
At the dot1x configuration level, you can enable 802.1X port security on all interfaces at once, on individual interfaces, or on a range of interfaces. For example, to enable 802.
802.1X port security configuration By default, all controlled ports on the device are in the authorized state, allowing all traffic. When you activate authentication on an 802.1X-enabled interface, its controlled port is placed in the unauthorized state. When a Client connected to the interface is successfully authenticated, the controlled port is then placed in the authorized state. The controlled port remains in the authorized state until the Client logs off. To activate authentication on an 802.
802.1X port security configuration Syntax: [no] timeout re-authperiod The re-authentication interval is a global setting, applicable to all 802.1X-enabled interfaces. To re-authenticate Clients connected to a specific port manually, use the dot1x re-authenticate command. Refer to “Re-authenticating a port manually”, below. Re-authenticating a port manually When periodic re-authentication is enabled, by default the Brocade device re-authenticates Clients connected to an 802.
802.1X port security configuration Setting the wait interval for EAP frame retransmissions By default, if the Brocade device does not receive an EAP-response/identity frame from a Client, the device waits 30 seconds, then retransmits the EAP-request/identity frame. You can optionally change the amount of time the Brocade device waits before retransmitting the EAP-request/identity frame to the Client.
802.1X port security configuration Setting the wait interval for EAP frame retransmissions By default, when the Brocade device relays an EAP-Request frame from the RADIUS server to the Client, it expects to receive a response from the Client within 30 seconds. You can optionally specify the wait interval using the supptimeout command. For example, to configure the device to retransmit an EAP-Request frame if the Client does not respond within 45 seconds, enter the following command.
• ICX devices – slotnum/portnum
• FESX compact switches – portnum
Allowing access to multiple hosts Brocade devices support 802.1X authentication for ports with more than one host connected to them. If there are multiple hosts connected to a single 802.1X-enabled port, the Brocade device authenticates each of them individually. Refer to “Configuring 802.1X multiple-host authentication” on page 1815. Configuring 802.
802.1X port security configuration To specify on an individual port that the authentication-failure action is to place the client port in restricted VLAN 300, enter the following command at the interface configuration level.
802.1X port security configuration Specifying the aging time for blocked clients When the Brocade device is configured to drop traffic from non-authenticated Clients, traffic from the blocked Clients is dropped in hardware, without being sent to the CPU. A Layer 2 CAM entry is created that drops traffic from the blocked Client MAC address in hardware. If no traffic is received from the blocked Client MAC address for a certain amount of time, this Layer 2 CAM entry is aged out.
802.1X accounting configuration Creating MAC address filters for EAPS on most devices For example, the following command creates a MAC address filter that denies frames with the destination MAC address of 0180.c200.0003, which is the 802.1X group MAC address on the Brocade device.
Brocade(config)#mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff
The following commands apply this filter to interface e 3/1.
802.1X accounting configuration An Accounting Start packet is sent to the RADIUS server when a user is successfully authenticated. The Start packet indicates the start of a new session and contains the user MAC address and physical port number. The 802.1X session state will change to Authenticated and Permit after receiving a response from the accounting server for the accounting Start packet. If the Accounting service is not available, the 802.
802.1X accounting configuration NOTE If you specify both radius and none, make sure radius comes before none.
Displaying 802.1X information You can display the following 802.1X-related information:
• The 802.1X configuration on the device and on individual ports
• Statistics about the EAPOL frames passing through the device
• 802.1X-enabled ports dynamically assigned to a VLAN
• User-defined and dynamically applied MAC address filters and IP ACLs currently active on the device
• The 802.1X multiple-host configuration
Displaying 802.
Displaying 802.1X information TABLE 296 Output from the show dot1x command (Continued) Field Description tx-period When a Client does not send back an EAP-response/identity frame, the amount of time the Brocade device waits before retransmitting the EAP-request/identity frame to a Client (default 30 seconds). Refer to “Setting the wait interval for EAP frame retransmissions” on page 1813 for information on how to change this setting.
Displaying 802.1X information The following additional information is displayed in the show dot1x config command for an interface. TABLE 297 Output from the show dot1x config command for an interface Field Description Authenticator PAE state The current status of the Authenticator PAE state machine. This can be INITIALIZE, DISCONNECTED, CONNECTING, AUTHENTICATING, AUTHENTICATED, ABORTING, HELD, FORCE_AUTH, or FORCE_UNAUTH.
Displaying 802.1X statistics To display 802.1X statistics for an individual port, enter the show dot1x statistics command.
Brocade#show dot1x statistics e 3/3
Port 3/3 Statistics:
RX EAPOL Start: 0
RX EAPOL Logoff: 0
RX EAPOL Invalid: 0
RX EAPOL Total: 0
RX EAP Resp/Id: 0
RX EAP Resp other than Resp/Id: 0
RX EAP Length Error: 0
Last EAPOL Version: 0
Last EAPOL Source: 0007.9550.
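The counters in this output come from classifying each EAPOL frame received on the port. Here is an added Python model (example code for this page, not FastIron code) that parses constructed EAPOL/EAP frames and maintains the same counters, so the meaning of each field is concrete: a rising RX EAPOL Invalid or RX EAP Length Error count points at malformed or non-conforming supplicant traffic worth investigating, while RX EAP Resp/Id versus RX EAP Resp other than Resp/Id separates identity exchanges from the rest of the EAP conversation. Frame layouts follow IEEE 802.1X (EAPOL) and RFC 3748 (EAP); the class name, the supplicant MAC address and the frames themselves are constructed for the example.

```python
import struct
from collections import Counter
from typing import Dict, Optional

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X group address (as in the chapter's MAC filter example)
ETH_HDR_LEN, EAPOL_HDR_LEN, EAP_HDR_LEN = 14, 4, 4

# EAPOL packet types (IEEE 802.1X) and the EAP code / type values used below (RFC 3748)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def brocade_mac(raw: bytes) -> str:
    """Render 6 raw bytes in the xxxx.xxxx.xxxx form used by the CLI."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


class Dot1xPortStats:
    """Per-port RX counters with the field names of show dot1x statistics."""

    def __init__(self) -> None:
        self.counters: Counter = Counter()
        self.last_eapol_version = 0
        self.last_eapol_source: Optional[str] = None

    def ingest(self, frame: bytes) -> Optional[str]:
        """Classify one received frame; returns the counter it incremented (None if not EAPOL)."""
        if len(frame) < ETH_HDR_LEN + EAPOL_HDR_LEN:
            return None
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != EAPOL_ETHERTYPE:
            return None                                   # not 802.1X traffic
        self.counters["RX EAPOL Total"] += 1
        version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
        self.last_eapol_version = version
        self.last_eapol_source = brocade_mac(frame[6:12])
        body = frame[18:18 + eapol_len]
        if len(body) < eapol_len:
            return self._bump("RX EAPOL Invalid")         # length field overruns the frame
        if eapol_type == EAPOL_START:
            return self._bump("RX EAPOL Start")
        if eapol_type == EAPOL_LOGOFF:
            return self._bump("RX EAPOL Logoff")
        if eapol_type != EAPOL_EAP_PACKET:
            return self._bump("RX EAPOL Invalid")         # Key, ASF-Alert or unknown type from a supplicant
        if len(body) < EAP_HDR_LEN:
            return self._bump("RX EAP Length Error")
        code, _ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < EAP_HDR_LEN or eap_len > len(body):
            return self._bump("RX EAP Length Error")      # EAP length disagrees with the EAPOL body
        if code == EAP_RESPONSE:
            if eap_len > EAP_HDR_LEN and body[4] == EAP_TYPE_IDENTITY:
                return self._bump("RX EAP Resp/Id")
            return self._bump("RX EAP Resp other than Resp/Id")
        return "RX EAPOL Total"                           # other EAP codes only count toward the total

    def _bump(self, key: str) -> str:
        self.counters[key] += 1
        return key


# --- constructed test frames (not captured from a real device) -------------------
def eapol_frame(src_mac: bytes, eapol_type: int, body: bytes = b"", length: Optional[int] = None) -> bytes:
    eapol_len = len(body) if length is None else length
    return (PAE_GROUP_MAC + src_mac + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", 1, eapol_type, eapol_len) + body)


def eap_response(ident: int, eap_type: int, data: bytes = b"") -> bytes:
    payload = bytes([eap_type]) + data
    return struct.pack("!BBH", EAP_RESPONSE, ident, EAP_HDR_LEN + len(payload)) + payload


def demo() -> Dict[str, object]:
    supplicant = bytes.fromhex("000795501234")            # constructed supplicant MAC
    stats = Dot1xPortStats()
    for frame in (
        eapol_frame(supplicant, EAPOL_START),
        eapol_frame(supplicant, EAPOL_EAP_PACKET, eap_response(1, EAP_TYPE_IDENTITY, b"alice")),
        eapol_frame(supplicant, EAPOL_EAP_PACKET, eap_response(2, 4, b"\x10" + b"\x00" * 16)),  # MD5-Challenge
        eapol_frame(supplicant, EAPOL_EAP_PACKET, eap_response(3, EAP_TYPE_IDENTITY, b"bob")[:5]),  # truncated EAP
        eapol_frame(supplicant, 9),                                                     # unknown EAPOL type
        eapol_frame(supplicant, EAPOL_LOGOFF),
        PAE_GROUP_MAC + supplicant + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19,  # IPv4, not counted
    ):
        stats.ingest(frame)
    return {"counters": dict(stats.counters),
            "last_version": stats.last_eapol_version,
            "last_source": stats.last_eapol_source}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```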
Clearing 802.1X statistics You can clear the 802.1X statistics counters on all interfaces at once, on individual interfaces, or on a range of interfaces. For example, to clear the 802.1X statistics counters on all interfaces on the device, enter the clear dot1x statistics all command.
Brocade#clear dot1x statistics all
Syntax: clear dot1x statistics all
To clear the 802.1X statistics counters on interface e 3/11, enter the following command.
Displaying 802.1X information The show run command also indicates the VLAN to which the port has been dynamically assigned. The output can differ depending on whether GARP VLAN Registration Protocol (GVRP) is enabled on the device: • Without GVRP – When you enter the show run command, the output indicates that the port is a member of the VLAN to which it was dynamically assigned through 802.1X.
Displaying dynamically applied MAC address filters and IP ACLs To display the dynamically applied MAC address filters active on an interface, enter a command such as the following.
Brocade#show dot1x mac-address-filter e 1/3
Port 1/3 MAC Address Filter information:
802.
Displaying the status of strict security mode The output of the show dot1x and show dot1x config commands indicates whether strict security mode is enabled or disabled globally and on an interface. Displaying the status of strict security mode globally on the device To display the status of strict security mode globally on the device, enter the show dot1x command.
• FESX compact switches – portnum
Displaying 802.1X multiple-host authentication information You can display the following information about 802.1X multiple-host authentication:
• Information about the 802.1X multiple-host configuration
• The dot1x-mac-sessions on each port
• The number of users connected on each port in a 802.1X multiple-host configuration
Displaying 802.
Displaying 802.1X information TABLE 299 Output from the show dot1x command for multiple host authentication (Continued) Field Description Mac Session max-age The configured software aging time for dot1x-mac-sessions. Flow based multi-user policy The dynamically assigned IP ACLs and MAC address filters used in the 802.1X multiple-host configuration. The output of the show dot1x config command for an interface displays the configured port control for the interface.
Displaying 802.1X information TABLE 300 Output from the show dot1x config command (Continued) Field Description PVID mac authorized The number of devices transmitting untagged traffic on the port PVID as a result of dynamic VLAN assignment. num mac sessions The number of dot1x-mac-sessions on the port. num mac authorized The number of authorized dot1x-mac-sessions on the port.
Displaying 802.1X information Displaying information about the ports in an 802.1X multiple-host configuration To display information about the ports in an 802.1X multiple-host configuration, enter the sho do mac-s br command.
Sample 802.1X configurations Sample 802.1X configurations This section illustrates a sample point-to-point configuration and a sample hub configuration that use 802.1X port security. Point-to-point configuration Figure 193 illustrates a sample 802.1X configuration with Clients connected to three ports on the Brocade device. In a point-to-point configuration, only one 802.1X Client can be connected to each port. FIGURE 193 Sample point-to-point 802.
Sample 802.1X configurations Brocade(config)#interface e 3 Brocade(config-if-e1000-3)#dot1x port-control auto Brocade(config-if-e1000-3)#exit Hub configuration Figure 194 illustrates a configuration where three 802.1X-enabled Clients are connected to a hub, which is connected to a port on the Brocade device. The configuration is similar to that in Figure 193, except that 802.1X port security is enabled on only one port, and the multiple-hosts command is used to allow multiple Clients on the port.
Sample 802.1X configurations 802.1X Authentication with dynamic VLAN assignment Figure 195 illustrates 802.1X authentication with dynamic VLAN assignment. In this configuration, two user PCs are connected to a hub, which is connected to port e2. Port e2 is configured as a dual-mode port. Both PCs transmit untagged traffic. The profile for User 1 on the RADIUS server specifies that User 1 PC should be dynamically assigned to VLAN 3.
Multi-device port authentication and 802.1X security on the same port ! interface ethernet 2 dot1x port-control auto dual-mode If User 1 is successfully authenticated before User 2, the PVID for port e2 would be changed from the default VLAN to VLAN 3. Had User 2 been the first to be successfully authenticated, the PVID would be changed to 20, and User 1 would not be able to gain access to the network. If there were only one device connected to the port that was sending untagged traffic, and 802.
Chapter 44 MAC Port Security Table 303 lists the individual Brocade FastIron switches and the Media Access Control (MAC) port security features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
MAC port security overview MAC port security overview You can configure the Brocade device to learn “secure” MAC addresses on an interface. The interface will forward only packets with source MAC addresses that match these learned secure addresses. The secure MAC addresses can be specified manually, or the Brocade device can learn them automatically.
MAC port security configuration • Brocade devices do not support the reserved-vlan-id command, which changes the default VLAN ID for the MAC port security feature. • The SNMP trap generated for restricted MAC addresses indicates the VLAN ID associated with the MAC address, as well as the port number and MAC address. • MAC port security is not supported on ports that have multi-device port authentication enabled.
MAC port security configuration Setting the maximum number of secure MAC addresses for an interface When MAC port security is enabled, an interface can store one secure MAC address. You can increase the number of MAC addresses that can be stored to a maximum of 64, plus the total number of global resources available. For example, to configure interface 7/11 to have a maximum of 10 secure MAC addresses, enter the following commands.
MAC port security configuration Specifying secure MAC addresses You can configure secure MAC addresses on tagged and untagged interfaces. On an untagged interface To specify a secure MAC address on an untagged interface, enter commands such as the following. Brocade(config)#interface ethernet 7/11 Brocade(config-if-e1000-7/11)#port security Brocade(config-port-security-e1000-7/11)#secure-mac-address 0050.DA18.
MAC port security configuration If you change the autosave interval, the next save happens according to the old interval, then the new interval takes effect. To change the interval immediately, disable autosave by entering the no autosave command, then configure the new autosave interval using the autosave command.
Clearing port security statistics To shut down the port for 5 minutes when a security violation occurs, enter the following commands. Brocade(config)#interface ethernet 7/11 Brocade(config-if-e1000-7/11)#port security Brocade(config-port-security-e1000-7/11)#violation shutdown 5 Syntax: violation shutdown The minutes can be from 0 through 1440 minutes. Specifying 0 shuts down the port permanently when a security violation occurs.
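The secure-address learning, maximum-count and violation-shutdown behaviour described in the MAC port security sections above, as an added Python simulation that is not FastIron code. It models one interface's local secure-address table only (global resources are ignored); the SecurePort class and its method names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

MAX_SECURE_PER_PORT = 64       # local maximum per interface stated in the guide
MAX_SHUTDOWN_MINUTES = 1440    # violation shutdown range is 0 through 1440


def normalize_mac(mac: str) -> str:
    """Return a MAC in the dotted form the CLI uses (e.g. 0050.da18.1234).

    Accepts dotted, colon-separated or dash-separated input.
    """
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass
class SecurePort:
    """One interface with port security enabled (constructed model)."""
    name: str
    max_secure: int = 1                      # one secure address by default
    shutdown_minutes: Optional[int] = None   # None: no shutdown action configured
    secure_macs: Set[str] = field(default_factory=set)
    violations: int = 0
    shutdown_until: Optional[float] = None   # epoch seconds; inf = permanent

    def set_maximum(self, count: int) -> None:
        """Equivalent of raising the secure-address maximum on the interface."""
        if not 1 <= count <= MAX_SECURE_PER_PORT:
            raise ValueError("maximum must be 1 through %d" % MAX_SECURE_PER_PORT)
        self.max_secure = count

    def set_violation_shutdown(self, minutes: int) -> None:
        """violation shutdown <minutes>; 0 shuts the port down permanently."""
        if not 0 <= minutes <= MAX_SHUTDOWN_MINUTES:
            raise ValueError("minutes must be 0 through %d" % MAX_SHUTDOWN_MINUTES)
        self.shutdown_minutes = minutes

    def add_secure_mac(self, mac: str) -> None:
        """Manually configured secure address (secure-mac-address)."""
        mac = normalize_mac(mac)
        if mac not in self.secure_macs and len(self.secure_macs) >= self.max_secure:
            raise ValueError("secure address table is full")
        self.secure_macs.add(mac)

    def is_up(self, now: float) -> bool:
        return self.shutdown_until is None or now >= self.shutdown_until

    def time_left(self, now: float) -> Optional[float]:
        """Seconds until the port is re-enabled (the Shutdown/Time-Left column)."""
        if self.is_up(now):
            return None
        return self.shutdown_until - now

    def ingress(self, src_mac: str, now: float) -> str:
        """Decide what happens to a frame from src_mac.

        Returns 'forward', 'learn', 'violation' or 'port-down'.
        """
        if not self.is_up(now):
            return "port-down"
        mac = normalize_mac(src_mac)
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(mac)        # automatic learning
            return "learn"
        # Unknown source address once the table is full: a security violation.
        self.violations += 1
        if self.shutdown_minutes is not None:
            if self.shutdown_minutes == 0:
                self.shutdown_until = float("inf")   # permanent shutdown
            else:
                self.shutdown_until = now + self.shutdown_minutes * 60
        return "violation"
```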
Displaying port security information Displaying port security information You can display the following information about the MAC port security feature: • The port security settings for an individual port or for all the ports on a specified module • The secure MAC addresses configured on the device • Port security statistics for an interface or for a module Displaying port security settings You can display the port security settings for an individual port or for all the ports on a specified module.
Displaying port security information Syntax: show port security mac Table 305 describes the output from the show port security mac command. TABLE 305 Output from the show port security mac command Field Description Port The slot and port number of the interface. Num-Addr The number of MAC addresses secured on this interface. Secure-Src-Addr The secure MAC address. Resource Whether the address was secured using a local or global resource.
Displaying port security information TABLE 306 Output from the show port security statistics command (Continued) Field Description Violation The number of security violations on the port. Shutdown/Time-Left Whether the port has been shut down due to a security violation and the number of seconds before it is enabled again. For example, to display port security statistics for interface module 7, enter the show port security statistics command.
Displaying port security information Table 307 describes the output from the show port security statistics command. TABLE 307 Output from the show port security statistics command Field Description Total ports The number of ports on the module. Total MAC address(es) The total number of secure MAC addresses on the module. Total violations The number of security violations encountered on the module.
Chapter 45 Multi-Device Port Authentication Table 308 lists individual Brocade switches and the multi-device port authentication features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
How multi-device port authentication works NOTE FCX devices do not support: - multi-device authentication on dynamic (LACP) and static trunk ports - multi-device authentication and port security configured on the same port - multi-device authentication and lock-address configured on the same port Multi-device port authentication is a way to configure a Brocade device to forward or block traffic from a MAC address based on information received from a RADIUS server.
How multi-device port authentication works The request for authentication from the RADIUS server is successful only if the username and password provided in the request match an entry in the users database on the RADIUS server. When this happens, the RADIUS server returns an Access-Accept message back to the Brocade device.
How multi-device port authentication works Support for dynamic VLAN assignment The Brocade multi-device port authentication feature supports dynamic VLAN assignment, where a port can be placed in one or more VLANs based on the MAC address learned on that interface. For details about this feature, refer to “Configuring the RADIUS server to support dynamic VLAN assignment” on page 1859.
Multi-device port authentication and 802.1X security on the same port Support for source guard protection The Brocade proprietary Source Guard Protection feature, a form of IP Source Guard, can be used in conjunction with multi-device port authentication. For details, refer to “Enabling source guard protection” on page 1864. Multi-device port authentication and 802.1X security on the same port On some Brocade devices, multi-device port authentication and 802.
Multi-device port authentication and 802.1X security on the same port Configuring Brocade-specific attributes on the RADIUS server If the RADIUS authentication process is successful, the RADIUS server sends an Access-Accept message to the Brocade device, authenticating the device. The Access-Accept message can include Vendor-Specific Attributes (VSAs) that specify additional information about the device. If you are configuring multi-device port authentication and 802.
Multi-device port authentication configuration Multi-device port authentication configuration Configuring multi-device port authentication on the Brocade device consists of the following tasks:
• Enabling multi-device port authentication globally and on individual interfaces
• Specifying the format of the MAC addresses sent to the RADIUS server (optional)
• Specifying the authentication-failure action (optional)
• Enabling and disabling SNMP traps for multi-device port authentication
• Defi
Multi-device port authentication configuration Example of enabling multi-device port authentication on an interface Brocade(config)#interface e 3/1 Brocade(config-if-e1000-3/1)#mac-authentication enable Syntax: [no] mac-authentication enable You can also configure multi-device port authentication commands on a range of interfaces.
Multi-device port authentication configuration Note that the restricted VLAN must already exist on the device. You cannot configure the restricted VLAN to be a non-existent VLAN. If the port is a tagged or dual-mode port, you cannot use a restricted VLAN as the authentication-failure action. To configure the device to drop traffic from non-authenticated MAC addresses in hardware, enter commands such as the following.
Multi-device port authentication configuration Configuring dynamic VLAN assignment An interface can be dynamically assigned to one or more VLANs based on the MAC address learned on that interface. When a MAC address is successfully authenticated, the RADIUS server sends the Brocade device a RADIUS Access-Accept message that allows the Brocade device to forward traffic from that MAC address.
Multi-device port authentication configuration • If the string does not match either the name or the ID of a VLAN configured on the device, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.
Multi-device port authentication configuration Brocade(config)#interface e 3/1 Brocade(config-if-e1000-3/1)#mac-authentication disable-ingress-filtering If the client MAC address is successfully authenticated and the correct VLAN attribute is sent by the RADIUS server, the MAC address will be successfully authenticated on the VLAN.
Multi-device port authentication configuration NOTE When a MAC session is deleted, if the port is moved back to a VLAN that is different from the one in the running-config file, the system will update the running-config file to reflect the change. This will occur even if mac-authentication save-dynamicvlan-to-config is not configured. Automatic removal of dynamic VLAN assignments for MAC authenticated ports NOTE This feature is not supported on FWS and FCX devices.
Multi-device port authentication configuration NOTE A dynamic IP ACL will take precedence over an IP ACL that is bound to a port (port ACL). When a client authenticates with a dynamic IP ACL, the port ACL will not be applied. Also, future clients on the same port will authenticate with a dynamic IP ACL or no IP ACL. If no clients on the port use dynamic ACL, then the port ACL will be applied to all traffic. The Brocade device uses information in the Filter ID to apply an IP ACL on a per-user basis.
Multi-device port authentication configuration • The RADIUS Filter ID (type 11) attribute is supported. The Vendor-Specific (type 26) attribute is not supported. • The dynamic ACL must be an extended ACL. Standard ACLs are not supported. • Multi-device port authentication and 802.1x can be used together on the same port. However, Brocade does not recommend the use of multi-device port authentication and 802.1X with dynamic ACLs together on the same port. If a single supplicant requires both 802.
Multi-device port authentication configuration Enabling denial of service attack protection NOTE This feature is not supported on FWS devices. The Brocade device does not start forwarding traffic from an authenticated MAC address in hardware until the RADIUS server authenticates the MAC address; traffic from the non-authenticated MAC addresses is sent to the CPU.
Multi-device port authentication configuration When a new MAC session begins on a port that has Source Guard Protection enabled, the session will either apply a dynamically created Source Guard ACL entry, or it will use the dynamic IP ACL assigned by the RADIUS server. If a dynamic IP ACL is not assigned, the session will use the Source Guard ACL entry. The Source Guard ACL entry is permit ip any, where is obtained from the ARP Inspection table or from the DHCP Secure table.
Multi-device port authentication configuration Clearing authenticated MAC addresses The Brocade device maintains an internal table of the authenticated MAC addresses (viewable with the show authenticated-mac-address command). You can clear the contents of the authenticated MAC address table either entirely, or just for the entries learned on a specified interface. In addition, you can clear the MAC session for an address learned on a specific interface.
Multi-device port authentication configuration You can optionally disable aging for MAC addresses subject to authentication, either for all MAC addresses or for those learned on a specified interface. Globally disabling aging of MAC addresses On most devices, you can disable aging for all MAC addresses on all interfaces where multi-device port authentication has been enabled by entering the mac-authentication disable-aging command.
Multi-device port authentication configuration On FastIron X Series devices, the hardware aging period for blocked MAC addresses is not fixed at 70 seconds. The hardware aging period for blocked MAC addresses is equal to the length of time specified with the mac-age command. As on FastIron devices, once the hardware aging period ends, the software aging period begins.
Multi-device port authentication configuration You can better control port behavior when a RADIUS timeout occurs by configuring a port on the Brocade device to automatically pass or fail user authentication. A pass essentially bypasses the authentication process and permits user access to the network. A fail bypasses the authentication process and blocks user access to the network, unless restrict-vlan is configured, in which case, the user is placed into a VLAN with restricted or limited access.
Displaying multi-device port authentication information Multi-device port authentication password override The multi-device port authentication feature communicates with the RADIUS server to authenticate a newly found MAC address. The RADIUS server is configured with the usernames and passwords of authenticated users.
Displaying multi-device port authentication information Displaying authenticated MAC address information To display information about authenticated MAC addresses on the ports where the multi-device port authentication feature is enabled, enter the show auth-mac address command.
Displaying multi-device port authentication information The following table describes the output from the show auth-mac-address configuration command. TABLE 311 Output from the show authenticated-mac-address configuration command Field Description Feature enabled Whether multi-device port authentication is enabled on the Brocade device. Number of Ports enabled The number of ports on which the multi-device port authentication feature is enabled.
Displaying multi-device port authentication information TABLE 312 Output from the show authenticated-mac-address command Field Description MAC/IP Address The MAC address for which information is displayed. If the packet for which multi-device port authentication was performed also contained an IP address, then the IP address is displayed as well. Port The port on which the MAC address was learned. Vlan The VLAN to which the MAC address was assigned.
Displaying multi-device port authentication information Displaying the non-authenticated MAC addresses To display the MAC addresses for which authentication was not successful, enter the show auth-mac-addresses unauthorized-mac command.
Brocade#show auth-mac-addresses unauthorized-mac
------------------------------------------------------------------------------
MAC Address Port Vlan Authenticated Time Age dot1x
------------------------------------------------------------------------------
000f.ed00.
Displaying multi-device port authentication information TABLE 313 Output of show auth-mac-address (Continued) Field Description Time The time the MAC address was authenticated. If the clock is set on the Brocade device, then the actual date and time are displayed. If the clock has not been set, the time is displayed relative to when the device was last restarted. Age The age of the MAC address entry in the authenticated MAC address list. Dot1x Indicates if 802.
Displaying multi-device port authentication information
Brocade#show auth-mac-addresses detailed ethernet 15/23
Port : 15/23
Dynamic-Vlan Assignment : Enabled
RADIUS failure action : Block Traffic
Failure restrict use dot1x : No
Override-restrict-vlan : Yes
Port Default VLAN : 101 ( RADIUS assigned: No) (101)
Port Vlan State : DEFAULT
802.
Displaying multi-device port authentication information TABLE 314 Output from the show auth-mac-addresses detailed command (Continued) Field Description 802.1X override Dynamic PVID Indicates if 802.1X can dynamically assign a Port VLAN ID (PVID). override return to PVID If a port PVID is assigned through the multi-device port authentication feature, and 802.1X authentication subsequently specifies a different PVID, then the PVID specified through 802.
Displaying multi-device port authentication information TABLE 314 Output from the show auth-mac-addresses detailed command (Continued) Field Description Authenticated Whether the MAC address has been authenticated by the RADIUS server. Time The time at which the MAC address was authenticated. If the clock is set on the Brocade device, then the actual date and time are displayed. If the clock has not been set, then the time is displayed relative to when the device was last restarted.
Example port authentication configurations To display the table of allowed MAC addresses, enter the show table denied-mac command as shown. Syntax: show table The variable is the specified MAC address.
Brocade#show table denied-mac
------------------------------------------------------------------------------
MAC Address Port Vlan Authenticated Time Age dot1x
------------------------------------------------------------------------------
0000.0010.
Example port authentication configurations FIGURE 196 Using multi-device port authentication with dynamic VLAN assignment (figure: RADIUS server profiles with Tunnel-Private-Group-ID values, User 0002.3f7f.2e0a -> “U:102” and User 0050.048e.86ac -> “T:3”; FastIron switch port e1 connected to a hub with an untagged PC, MAC 0002.3f7f.2e0a, and a tagged IP phone, MAC 0050.048e.86ac) In this example, multi-device port authentication is performed for both devices.
Example port authentication configurations Example 2 — multi-device port authentication with dynamic VLAN assignment Figure 197 illustrates multi-device port authentication with dynamic VLAN assignment on a Brocade device. In this configuration, a PC and an IP phone are connected to a hub, which is connected to port e1 on a Brocade device. Port e1 is configured as a dual-mode port. Also, mac-authentication disable-ingress-filtering is enabled on the port.
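The dynamic VLAN assignment rules explained earlier (the VLAN string is matched against a VLAN name or ID, a mismatch is treated as an authentication failure, the first authenticated client fixes the PVID, and a restricted VLAN cannot be used on a dual-mode port) together with the U:/T: Tunnel-Private-Group-ID values of this example, as an added Python model that is not Brocade code. The class and method names are constructed, and treating a value with no U:/T: prefix as untagged is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Vlan:
    vid: int
    name: str = ""


@dataclass
class Port:
    """Constructed model of one port under multi-device port authentication."""
    name: str
    dual_mode: bool = True
    pvid: int = 1                            # port default VLAN
    pvid_owner: Optional[str] = None         # MAC whose RADIUS profile set the PVID
    tagged_vlans: Set[int] = field(default_factory=set)
    sessions: Dict[str, str] = field(default_factory=dict)   # mac -> state


def parse_group_id(value: str) -> Tuple[str, str]:
    """Split 'U:102' / 'T:3' into (mode, vlan_token).

    Assumption: a value with no prefix is treated as untagged.
    """
    if ":" in value:
        prefix, token = value.split(":", 1)
        prefix = prefix.strip().upper()
        if prefix not in ("U", "T"):
            raise ValueError(f"unknown Tunnel-Private-Group-ID prefix {prefix!r}")
        return prefix, token.strip()
    return "U", value.strip()


class MacAuthSwitch:
    """Constructed model of the dynamic VLAN assignment described in the guide."""

    def __init__(self, vlans, fail_action: str = "block",
                 restrict_vlan: Optional[int] = None):
        self.vlans = {v.vid: v for v in vlans}
        self.by_name = {v.name: v for v in vlans if v.name}
        # The restricted VLAN must already exist on the device.
        if fail_action == "restrict-vlan" and restrict_vlan not in self.vlans:
            raise ValueError("restricted VLAN must already exist on the device")
        self.fail_action = fail_action
        self.restrict_vlan = restrict_vlan

    def lookup_vlan(self, token: str) -> Optional[Vlan]:
        """Match the RADIUS string against a VLAN ID first, then a VLAN name."""
        if token.isdigit():
            return self.vlans.get(int(token))
        return self.by_name.get(token)

    def _fail(self, port: Port, mac: str) -> str:
        """Apply the configured authentication-failure action."""
        if self.fail_action == "restrict-vlan" and not port.dual_mode:
            port.pvid = self.restrict_vlan
            port.sessions[mac] = "restricted"
        else:
            # Block in hardware. A dual-mode (or tagged) port cannot use the
            # restricted VLAN, so it falls back to blocking here (assumption).
            port.sessions[mac] = "blocked"
        return port.sessions[mac]

    def access_reject(self, port: Port, mac: str) -> str:
        return self._fail(port, mac)

    def access_accept(self, port: Port, mac: str, group_id: Optional[str]) -> str:
        if group_id is None:          # accepted with no VLAN attribute
            port.sessions[mac] = "authenticated"
            return "authenticated"
        mode, token = parse_group_id(group_id)
        vlan = self.lookup_vlan(token)
        if vlan is None:              # matches neither name nor ID: failure
            return self._fail(port, mac)
        if mode == "T":
            port.tagged_vlans.add(vlan.vid)
            port.sessions[mac] = "authenticated"
            return "authenticated"
        # Untagged: the first authenticated client sets the PVID; a later
        # client whose profile needs a different PVID cannot gain access.
        if port.pvid_owner is not None and port.pvid != vlan.vid:
            port.sessions[mac] = "denied-pvid-conflict"
            return "denied-pvid-conflict"
        port.pvid = vlan.vid
        port.pvid_owner = port.pvid_owner or mac
        port.sessions[mac] = "authenticated"
        return "authenticated"
```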
Example port authentication configurations
mac-authentication enable
mac-authentication auth-fail-vlan-id 1023
interface ethernet 1
 mac-authentication enable
 mac-authentication auth-fail-action restrict-vlan
 mac-authentication enable-dynamic-vlan
 dual-mode
Examples of multi-device port authentication and 802.1X authentication configuration on the same port The following examples show configurations that use multi-device port authentication and 802.1X authentication on the same port.
Example port authentication configurations FIGURE 198 Using multi-device port authentication and 802.1X authentication on the same port (figure: RADIUS server profiles, User 0050.048e.86ac (IP Phone) with Foundry-802_1x-enable = 0 and Tunnel-Private-Group-ID = T:IP-Phone-VLAN; User 0002.3f7f.2e0a (PC) with Foundry-802_1x-enable = 1 and Tunnel-Private-Group-ID = U:Login-VLAN; User 1 with Tunnel-Private-Group-ID = U:IP-User-VLAN; FastIron switch port e1/3 in dual mode connected to a hub with an untagged PC, MAC 0002.3f7f.
Example port authentication configurations When the PC is authenticated using multi-device port authentication, the port PVID is changed to “Login-VLAN”, which is VLAN 1024 in this example. When User 1 is authenticated using 802.1X authentication, the port PVID is changed to “User-VLAN”, which is VLAN 3 in this example.
Example port authentication configurations Since there is no profile for the PC MAC address on the RADIUS server, multi-device port authentication for this MAC address fails. Ordinarily, this would mean that the PVID for the port would be changed to that of the restricted VLAN, or traffic from this MAC would be blocked in hardware. However, the device is configured to perform 802.
Chapter 46 Web Authentication Table 315 lists individual Brocade switches and the Web Authentication features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Web authentication configuration considerations If the authentication is unsuccessful, the appropriate page is displayed on the host browser. The host is asked to try again or call for assistance, depending on what message is configured on the Web page. If the host MAC address is authenticated by the trusted source, a Web page is displayed with a hyperlink to the URL the host originally entered. If the user clicks on the link, a new window is opened and the user is directed to the requested URL.
Web authentication configuration considerations • Web Authentication, 802.1X port security, and multi-device port authentication are not supported concurrently on the same port. • Web Authentication is not supported on an MCT VLAN. The following applies to Web Authentication in the Layer 2 switch image: • If the management VLAN and Web Authentication VLAN are in different IP networks, make sure there is at least one routing element in the network topology that can route between these IP networks.
Web authentication configuration tasks Web authentication configuration tasks Follow the steps given below to configure Web Authentication on a device. 1. Set up any global configuration required for the FastIron switch, RADIUS server, Web server and other servers. • On a Layer 2 FastIron switch, make sure the FastIron switch has an IP address. Brocade# configure terminal Brocade(config)#ip address 10.1.1.
Enabling and disabling web authentication Brocade(config)# ip ssl private-key-file tftp • Generate one using the following global CLI command. Brocade(config)#crypto-ssl certificate generate default_cert 5. Create a Web Authentication VLAN and enable Web Authentication on that VLAN. Brocade(config)#vlan 10 Brocade(config-vlan-10)#webauth Brocade(config-vlan-10-webauth)#enable Once enabled, the CLI changes to the "webauth" configuration level.
Web authentication mode configuration Web authentication mode configuration You can configure the FastIron switch to use one of three Web Authentication modes: • Username and password – Block users from accessing the switch until they enter a valid username and password on a web login page. Refer to “Using local user databases” on page 1892. • Passcode – Blocks users from accessing the switch until they enter a valid passcode on a web login page. Refer to “Passcodes for user authentication” on page 1896.
Web authentication mode configuration This command creates a local user database named userdb1. To add user records to this database, refer to “Adding a user record to a local user database” on page 1893. Syntax: local-userdb You can create up to ten local user databases for Web Authentication. For , enter up to 31 alphanumeric characters. Adding a user record to a local user database To add a user record, enter commands such as the following.
Web authentication mode configuration [no] username password ... The [delete-all] keyword indicates that the user records in the text file will replace the user records in the specified local user database on the FastIron switch. If the [delete-all] keyword is not present, the new user records will be added to the specified local user database on the FastIron switch. The [delete-all] keyword is optional.
Web authentication mode configuration NOTE Web Authentication will use the first reachable RADIUS server listed in the configuration. The use-radius-server on individual ports is not supported for Web Authentication. 2. Enable the username and password authentication mode. Brocade(config-vlan-10-webauth)#auth-mode username-password 3. Enable the RADIUS authentication method.
Web authentication mode configuration Syntax: [no] auth-mode username-password local-user-database For , enter a valid local user database. Use the no form of the command to remove the database from the Web Authentication VLAN. Passcodes for user authentication Web Authentication supports the use of passcodes to authenticate users. Users are blocked from accessing the switch until they enter a valid passcode on a web login page.
Web authentication mode configuration Enabling passcode authentication To enable passcode authentication, enter the following command. Brocade(config-vlan-10-webauth)#auth-mode passcode This command enables Web Authentication to use dynamically-created passcodes to authenticate users in the VLAN. If the configuration includes static passcodes, they are used in conjunction with dynamically-created passcodes. Syntax: [no] auth-mode passcode Enter no auth-mode passcode to disable passcode authentication.
Web authentication mode configuration NOTE Passcodes are not stateful, meaning a software reset or reload will cause the system to erase the passcode. When the FastIron switch comes back up, a new passcode will be generated. Changing the passcode refresh duration To change the duration of time after which passcodes are refreshed, enter commands such as the following. Brocade(config-vlan-10-webauth)#auth-mode passcode refresh-type duration 4320 The passcode will be refreshed after 4320 minutes (72 hours).
Web authentication mode configuration Brocade(config-vlan-10-webauth)#auth-mode passcode grace-period 5 Syntax: auth-mode passcode grace-period is a number between 0 and 5 minutes. 0 means there is no grace period. NOTE If the grace period is re-configured while a passcode is already in the grace period, the passcode is not affected by the configuration change. The new grace period will apply only to passcodes that expire after the new grace period is set.
Web authentication mode configuration Re-sending the passcode log message If passcode logging is enabled, you can enter a CLI command to retransmit the current passcode to a Syslog message or SNMP trap. To do so, enter the auth-mode passcode resend-log command. Brocade(config-vlan-10-webauth)#auth-mode passcode resend-log Syntax: auth-mode passcode resend-log NOTE The switch retransmits the current passcode only. Passcodes that are in the grace period are not sent.
Web authentication options configuration To determine if automatic authentication is enabled on your device, issue the show webauth vlan command at the VLAN configuration level.
Web authentication options configuration The above commands configure ports 3 and 6 – 10 as trusted ports.
Web authentication options configuration Configuring the re-authentication period After a successful authentication, a user remains authenticated for a duration of time. At the end of this duration, the host is automatically logged off and must be re-authenticated. To set the number of seconds a host remains authenticated before being logged off, enter a command such as the following.
Web authentication options configuration This command clears all the authenticated hosts in VLAN 25. To clear a particular host in a Web authentication VLAN, enter a command such as the following. Brocade#clear webauth vlan 25 authenticated-mac 1111.2222.3333 This command clears host 1111.2222.3333 from VLAN 25.
Web authentication options configuration Brocade(config-vlan-10-webauth)#host-max-num 300 Syntax: [no] host-max-num You can enter 0 – 8192, where 0 means there is no limit to the number of hosts that can be authenticated. The default is 0. The maximum is 8192 or the maximum number of MAC addresses the device supports. When the maximum number of hosts has been reached, the FastIron switch redirects any new host that has been authenticated successfully to the Maximum Host webpage.
Web authentication options configuration Forcing re-authentication after an inactive period You can force Web Authenticated hosts to be re-authenticated if they have been inactive for a period of time. The inactive duration is calculated by adding the mac-age-time that has been configured for the device and the configured authenticated-mac-age-time. (The mac-age-time command defines how long a port address remains active in the address table.
Web authentication options configuration Brocade(config)#vlan 10 Brocade(config-vlan-10)#no webauth Syntax: no webauth
Web authentication options configuration Web authentication pages There are several pages that can be displayed for Web Authentication. When a user first enters a valid URL address on the Web browser, the browser is redirected to the Web Authentication URL (refer to “Defining the web authorization redirect address” on page 1906).
Web authentication options configuration FIGURE 202 Example of a login page when automatic authentication is disabled and local user database is enabled The user enters a user name and password, which are then sent for authentication. If passcode authentication is enabled, the following Login page appears. FIGURE 203 Example of a login page when automatic authentication is disabled and passcode Authentication is Enabled The user enters a passcode, which is then sent for authentication.
FIGURE 204 Example of a try again page
If the limit for the number of authenticated users on the network is exceeded, the Maximum Host Limit page is displayed (Figure 205).
FIGURE 205 Example of a maximum host limit page
If the number of Web Authentication attempts by a user has been exceeded, the Maximum Attempts Limit page is displayed (Figure 206).
FIGURE 207 Example of a web authentication success page
Once a host is authenticated, that host can manually de-authenticate by clicking the Logout button in the Login Success page. The host remains logged in until the re-authentication period expires. At that time, the host is automatically logged out. However, if a re-authentication period is not configured, then the host remains logged in indefinitely.
Displaying text for web authentication pages
Use the show webauth vlan webpage command to determine what text has been configured for Web Authentication pages.
Brocade#show webauth vlan 25 webpage
=================================
Web Page Customizations (VLAN 25):
Top (Header): Default Text "
Welcome to Brocade Communications, Inc.
FIGURE 208 Objects in the web authentication pages that can be customized (title bar, logo, header, text box, Login button, footer)
Customizing the title bar
You can customize the title bar that appears on all Web Authentication pages (refer to Figure 208). To do so, enter a command such as the following.
NOTE This command downloads the image file and stores it in the device flash memory. Therefore, it is not necessary to follow this command with a write memory.
The parameter specifies the address of the TFTP server on which the image file resides. The parameter specifies the name of the image file on the TFTP server. Use the no webpage logo command to delete the logo from all Web Authentication pages and remove it from flash memory.
Displaying web authentication information
The parameter is the address of the TFTP server on which the image resides. The parameter is the name of the text file on the TFTP server. To revert to the default text box (none), enter the command no webpage terms.
Customizing the login button
You can customize the Login button that appears on the bottom of the Web Authentication Login page (refer to Figure 208). To do so, enter a command such as the following.
authenticated-mac-age-time: 3600 (Default)
dns-filter: Disable (Default)
authentication mode: username and password (Default)
authentication methods: radius
Local user database name:
Radius accounting: Enable (Default)
Trusted port list: None
Secure Login (HTTPS): Enable (Default)
Web Page Customizations:
Top (Header): Default Text
Bottom (Footer): Custom Text "SNL Copyright 2009"
Title: Default Text
Login Button: Custom Text "Sign On"
Web Page Logo: blogo.
Field – Description
Trusted port list – The statically-configured trusted ports of the Web Authentication VLAN.
Secure login (HTTPS) – Whether HTTPS is enabled or disabled.
Web Page Customizations – The current configuration for the text that appears on the Web Authentication pages. Either "Custom Text" or "Default Text" displays for each page type:
• "Custom Text" means the message for the page has been customized. The custom text is also displayed.
The display shows the following information.
Field – Description
VLAN #: Web Authentication – The ID of the VLAN on which Web Authentication is enabled.
Web Authenticated List
MAC Address – The MAC addresses that have been authenticated.
User Name – The authenticated username.
Configuration Static/Dynamic – Whether the MAC address was dynamically (passed Web Authentication) or statically (added to the authenticated list using the add mac command) authenticated.
Displaying a list of blocked hosts
Enter the show webauth blocked-list command to display a list of hosts that are currently blocked from any Web Authentication attempt.
Syntax: show local-userdb
Displaying a list of users in a local user database
The show local-userdb test command displays a list of all users in a particular local user database.
Chapter 47 DoS Attack Protection Table 316 lists individual Brocade switches and the DoS protection features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where noted.
Smurf attacks The attacker sends an ICMP echo request packet to the broadcast address of an intermediary network. The ICMP echo request packet contains the spoofed address of a victim network as its source. When the ICMP echo request reaches the intermediary network, it is converted to a Layer 2 broadcast and sent to the hosts on the intermediary network. The hosts on the intermediary network then send ICMP replies to the victim network.
TCP SYN attacks
To set threshold values for ICMP packets received on VE 31, enter commands such as the following.
Brocade(config)#interface ve 31
Brocade(config-vif-31)#ip icmp burst-normal 5000 burst-max 10000 lockup 300
Syntax: ip icmp burst-normal burst-max lockup
The burst-normal parameter can be from 1 through 100,000 packets per second. The burst-max parameter can be from 1 through 100,000 packets per second.
For example, to set threshold values for TCP SYN packets targeted at the router, enter the following command in global CONFIG mode.
Brocade(config)#ip tcp burst-normal 10 burst-max 100 lockup 300
To set threshold values for TCP SYN packets received on interface 3/11, enter the following commands.
TCP security enhancement
TCP security enhancement improves upon the handling of TCP inbound segments. This enhancement eliminates or minimizes the possibility of a TCP reset attack, in which a perpetrator attempts to prematurely terminate an active TCP session, and a data injection attack, wherein an attacker injects or manipulates data in a TCP connection.
Protecting against a blind injection attack
In a blind TCP injection attack, a perpetrator tries to inject or manipulate data in a TCP connection. To reduce the chances of a blind injection attack, an additional check on all incoming TCP segments is performed.
Displaying statistics about packets dropped because of DoS attacks
To display information about ICMP and TCP SYN packets dropped because burst thresholds were exceeded, enter the show statistics dos-attack command.
Chapter 48 DHCP Table 317 lists individual Brocade switches and the Dynamic Host Configuration Protocol (DHCP) packet inspection and tracking features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Dynamic ARP inspection About Dynamic ARP Inspection Dynamic ARP Inspection (DAI) allows only valid ARP requests and responses to be forwarded.
• DHCP-Snooping ARP – information collected from snooping DHCP packets when DHCP snooping is enabled on VLANs.
The status of an ARP entry is either pending or valid:
• Valid – the mapping is valid, and the port is resolved. This is always the case for static ARP entries.
• Pending – for normal dynamic and inspection ARP entries before they are resolved, and the port mapped. Their status changes to valid when they are resolved, and the port mapped.
Dynamic ARP inspection configuration
Configuring DAI consists of the following steps.
1. Configure inspection ARP entries for hosts on untrusted ports. Refer to “Configuring an inspection ARP entry” on page 1930.
2. Enable DAI on a VLAN to inspect ARP packets. Refer to “Enabling DAI on a VLAN” on page 1930.
3. Configure the trust settings of the VLAN members. ARP packets received on trusted ports bypass the DAI validation process.
DHCP snooping
Enabling trust on a port
The default trust setting for a port is untrusted. For ports that are connected to host ports, leave their trust settings as untrusted. To enable trust on a port, enter commands such as the following.
Brocade(config)#interface ethernet 1/4
Brocade(config-if-e10000-1/4)#arp inspection trust
The commands change the CLI to the interface configuration level of port 1/4 and set the trust setting of port 1/4 to trusted.
How DHCP snooping works
When enabled on a VLAN, DHCP snooping stands between untrusted ports (those connected to host ports) and trusted ports (those connected to DHCP servers).
About client IP-to-MAC address mappings
Client IP addresses need not be on directly-connected networks, as long as the client MAC address is learned on the client port and the client port is in the same VLAN as the DHCP server port. In this case, the system will learn the client IP-to-MAC port mapping. Therefore, a VLAN with DHCP snooping enabled does not require a VE interface.
Configuring DHCP snooping
Configuring DHCP snooping consists of the following steps.
1. Enable DHCP snooping on a VLAN. Refer to “Enabling DHCP snooping on a VLAN” on page 1934.
2. For ports that are connected to a DHCP server, change their trust setting to trusted. Refer to “Enabling trust on a port” on page 1934.
The following shows the default settings of DHCP snooping.
Clearing the DHCP binding database
You can clear the DHCP binding database using the CLI command clear dhcp. You can remove all entries in the database, or remove entries for a specific IP address only. To remove all entries from the DHCP binding database, enter the clear dhcp command.
Brocade#clear dhcp
To clear entries for a specific IP address, enter a command such as the following.
Brocade#clear dhcp 10.10.102.
DHCP relay agent information DHCP snooping configuration example The following example configures VLAN 2 and VLAN 20, and changes the CLI to the global configuration level to enable DHCP snooping on the two VLANs. The commands are as follows.
As illustrated in Figure 213, the DHCP relay agent (the FastIron switch) inserts DHCP option 82 attributes when relaying a DHCP request packet to a DHCP server.
Sub-option 1 – circuit id
The Circuit ID (CID) identifies the circuit or port from which a DHCP client request was sent. The FastIron switch uses this information to relay DHCP responses back to the proper circuit, for example, the port number on which the DHCP client request packet was received. Brocade FastIron devices support the General CID packet format. This simple format encodes the CID type, actual information length, VLAN ID, slot number, and port number.
DHCP option 82 configuration
When DHCP snooping is enabled on a VLAN, DHCP option 82 also is enabled by default. You do not need to perform any extra configuration steps to enable this feature. To enable DHCP snooping, refer to “Enabling DHCP snooping on a VLAN” on page 1934.
Changing the forwarding policy
When the Brocade device receives a DHCP message that contains relay agent information, by default, the device replaces the information with its own relay agent information. If desired, you can configure the device to keep the information instead of replacing it, or to drop (discard) messages that contain relay agent information. To do so, use the CLI commands in this section.
Viewing information about DHCP option 82 processing
Use the commands in this section to view information about DHCP option 82 processing.
Viewing the circuit ID, remote ID, and forwarding policy
Use the show ip dhcp relay information command to obtain information about the circuit ID, remote ID, and forwarding policy for DHCP option 82. The following shows an example output.
IP source guard
Viewing the status of DHCP option 82 and the subscriber ID
Use the show interfaces ethernet command to obtain information about the status of DHCP option 82 and the configured subscriber ID, if applicable. In the example below, the text in bold type displays the information specific to DHCP option 82.
Brocade#show interfaces ethernet 3
GigabitEthernet3 is up, line protocol is up
Hardware is GigabitEthernet, address is 00e0.5200.0002 (bia 00e0.5200.
When IP Source Guard is first enabled, only DHCP packets are allowed and all other IP traffic is blocked. When the system learns a valid IP address, IP Source Guard then allows IP traffic. Only traffic with valid source IP addresses is permitted. The system learns of a valid IP address from DHCP Snooping. When it learns a valid IP address, the system permits the learned source IP address.
• 64 IP addresses
• 64 VLANs
• 64 rules per ACL
• The number of configured ACL rules affects the rate at which hardware resources are used when IP Source Guard is enabled. Use the show access-list hw-usage on command to enable hardware usage for an ACL, followed by a show access-list command to determine the hardware usage for an ACL.
The parameter is required on chassis devices. The parameter is a valid port number. The [vlan ] parameter is optional. If you enter a VLAN number, the binding applies to that VLAN only. If you do not enter a VLAN number, the static binding applies to all VLANs associated with the port. Note that since static IP source bindings consume system resources, you should avoid unnecessary bindings.
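The behaviour described above for the DHCP binding database (clear dhcp, dynamic entries learned by DHCP snooping, static bindings with or without a VLAN) and for the IP Source Guard filter, as an added model in Python. This is illustration code, not FastIron software: the method names, the packet dictionary and the port and address values are constructed, and tying a dynamic entry to its client port and VLAN is an assumption drawn from the snooping description.

```python
"""Model of the DHCP snooping binding database feeding an IP Source Guard
filter on untrusted ports (added illustration, not device code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str             # empty for static bindings, which are keyed on IP and port only
    port: str
    vlan: Optional[int]  # None: static binding that applies to every VLAN on the port


class SnoopingBindingDB:
    """Stand-in for the DHCP binding database built by DHCP snooping."""

    def __init__(self) -> None:
        self._dynamic: Dict[str, Binding] = {}   # learned from snooped DHCP leases
        self._static: Set[Binding] = set()       # operator-configured static bindings

    def learn(self, ip: str, mac: str, port: str, vlan: int) -> None:
        """DHCP snooping saw a lease for ip/mac granted on this client port."""
        self._dynamic[ip] = Binding(ip, mac, port, vlan)

    def add_static(self, ip: str, port: str, vlan: Optional[int] = None) -> None:
        """Static IP source binding; vlan=None means 'all VLANs on the port'."""
        self._static.add(Binding(ip, "", port, vlan))

    def clear(self, ip: Optional[str] = None) -> None:
        """'clear dhcp' (all dynamic entries) or 'clear dhcp <ip>' (one entry)."""
        if ip is None:
            self._dynamic.clear()
        else:
            self._dynamic.pop(ip, None)

    def permits(self, ip: str, port: str, vlan: int) -> bool:
        """True if ip is a valid source on this port and VLAN."""
        dyn = self._dynamic.get(ip)
        if dyn is not None and dyn.port == port and dyn.vlan == vlan:
            return True
        return any(s.ip == ip and s.port == port and s.vlan in (None, vlan)
                   for s in self._static)


def ip_source_guard(db: SnoopingBindingDB, pkt: dict) -> bool:
    """Forwarding decision for one IP packet received on an untrusted port.

    DHCP client traffic (UDP to port 67) is always allowed so a host can
    obtain a lease; everything else must carry a source IP with a binding.
    """
    if pkt["proto"] == "udp" and pkt["dport"] == 67:
        return True
    return db.permits(pkt["src"], pkt["port"], pkt["vlan"])


def scenario() -> List[bool]:
    """Constructed walk-through on port e1/5 (all values are made up)."""
    db = SnoopingBindingDB()
    port = "e1/5"

    def data(src: str, vlan: int = 10) -> dict:
        return {"proto": "tcp", "dport": 443, "src": src, "port": port, "vlan": vlan}

    dhcp = {"proto": "udp", "dport": 67, "src": "0.0.0.0", "port": port, "vlan": 10}
    results = []
    results.append(ip_source_guard(db, data("10.1.1.50")))      # no lease yet: blocked
    results.append(ip_source_guard(db, dhcp))                   # DHCP discover: allowed
    db.learn("10.1.1.50", "0000.1111.2222", port, 10)            # snooping sees the ACK
    results.append(ip_source_guard(db, data("10.1.1.50")))      # now permitted
    results.append(ip_source_guard(db, data("10.1.1.99")))      # spoofed source: blocked
    db.clear("10.1.1.50")                                       # clear dhcp 10.1.1.50
    results.append(ip_source_guard(db, data("10.1.1.50")))      # binding gone: blocked
    db.add_static("10.1.1.200", port)                           # static, all VLANs
    results.append(ip_source_guard(db, data("10.1.1.200", 10)))
    results.append(ip_source_guard(db, data("10.1.1.200", 20)))
    db.add_static("10.1.1.201", port, vlan=10)                  # static, VLAN 10 only
    results.append(ip_source_guard(db, data("10.1.1.201", 20)))
    return results
```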
Chapter 49 Rate Limiting and Rate Shaping on FastIron X Series and FCX and ICX Series Switches
Table 320 lists the individual Brocade FastIron switches and the rate limiting and rate shaping features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Rate limiting in hardware When you specify the maximum number of bytes, you specify it in kilobits per second (kbps). The Fixed rate limiting policy applies to one-second intervals and allows the port to receive the number of bytes you specify in the policy, but drops additional bytes. Unused bandwidth is not carried over from one interval to the next.
The Fixed Rate Limiting policy allows up to 500000 bits (62500 bytes) of inbound traffic during each one-second interval. Once the maximum rate is reached, all additional traffic within the one-second interval is dropped.
Configuring an ACL-based rate limiting policy
IP ACL-based rate limiting of inbound traffic provides the facility to limit the rate for IP traffic that matches the permit conditions in extended IP ACLs. This feature is available in the Layer 2 and Layer 3 code. To configure ACL-based rate limiting on a Brocade device, you create individual traffic policies, then reference the traffic policies in one or more ACL entries (also called clauses or statements).
Displaying the fixed rate limiting configuration
To display the fixed rate limiting configuration on the device, enter the show rate-limit input command.
Brocade# show rate-limit input
Total rate-limited interface count: 5.
Rate shaping overview
Outbound Rate Shaping is a port-level feature that is used to shape the rate and control the bandwidth of outbound traffic on a port. This feature smooths out excess and bursty traffic to the configured maximum limit before it is sent out on a port. Packets are stored in available buffers and then forwarded at a rate no greater than the configured limit. This process provides for better control over the inbound traffic of neighboring devices.
Configuring outbound rate shaping for a port
To configure the maximum rate at which outbound traffic is sent out on a port, enter commands such as the following.
• On FastIron X Series devices, the configured outbound rate shaper (651 Kbps) on port 1/15 is the maximum rate of outbound traffic that is sent out on that port, since 651 Kbps is a multiple of 651 Kbps. The configured 1300 Kbps limit on port 14 is rounded up to 1302 Kbps.
• On Brocade FCX Series devices, the configured outbound rate shaper (651 Kbps) on port 1/15 is rounded to 616 Kbps. The configured 1300 Kbps limit on port 14 is rounded to 1232 Kbps.
Chapter 50 Rate Limiting on FastIron WS Series Switches Table 323 lists the individual Brocade FastIron switches and the rate limiting features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Rate limiting overview Rate limiting in hardware Each device supports line-rate rate limiting in hardware. The device creates entries in Content Addressable Memory (CAM) for the rate limiting policies. The CAM entries enable the device to perform the rate limiting in hardware instead of sending the traffic to the CPU. The device sends the first packet in a given traffic flow to the CPU, which creates a CAM entry for the traffic flow.
Fixed rate limiting on inbound port configuration
Inbound rate limiting allows you to specify the maximum number of Kbps a given port can receive.
Minimum and maximum inbound rate limits
Table 324 lists the minimum and maximum inbound rate limits on GbE and 10-GbE ports.
TABLE 324
Fixed rate limiting on outbound port configuration The above commands configure a fixed rate limiting policy that allows port 0/1/10, a GbE port, to receive a maximum of 1000 kilobits per second. If the port receives additional bits during a given one-second interval, the port drops all inbound packets on the port until the next one-second interval starts.
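A simulation of the fixed rate limiting behaviour described in this section and in the Chapter 49 description (a fixed one-second allowance, further packets dropped until the next interval once it is exceeded, no carry-over of unused bandwidth), as an added Python example. It is not device code; the class and function names and the packet trace are constructed.

```python
"""Fixed-window model of FastIron fixed rate limiting on an inbound port
(added illustration, not device code)."""
from typing import Dict, List, Tuple


class FixedRateLimiter:
    """One fixed rate limiting policy on one port.

    Per one-second interval the port may accept rate_kbps * 1000 bits
    (500 kbps -> 500000 bits = 62500 bytes, the guide's figure). Once the
    allowance is exceeded every further inbound packet is dropped until the
    next interval starts, and unused allowance is not carried over.
    """

    def __init__(self, rate_kbps: int) -> None:
        self.rate_kbps = rate_kbps
        self._interval = -1       # index of the one-second interval being counted
        self._bytes_seen = 0      # bytes accepted so far in that interval
        self._locked = False      # True after the limit was exceeded

    @property
    def bytes_per_interval(self) -> int:
        return self.rate_kbps * 1000 // 8

    def offer(self, t: float, size: int) -> bool:
        """Return True if a packet of `size` bytes arriving at time t (seconds)
        is accepted, False if the policy drops it."""
        interval = int(t)
        if interval != self._interval:
            # A new interval: counter and lockout reset; nothing carries over.
            self._interval, self._bytes_seen, self._locked = interval, 0, False
        if self._locked:
            return False
        if self._bytes_seen + size > self.bytes_per_interval:
            # Limit reached: this packet and the rest of the interval are dropped.
            self._locked = True
            return False
        self._bytes_seen += size
        return True


def simulate(limiter: FixedRateLimiter,
             packets: List[Tuple[float, int]]) -> Tuple[Dict[int, int], List[Tuple[float, int]]]:
    """Feed a (time, size) trace through the limiter; return accepted bytes per
    interval and the list of dropped packets."""
    accepted: Dict[int, int] = {}
    dropped: List[Tuple[float, int]] = []
    for t, size in packets:
        if limiter.offer(t, size):
            accepted[int(t)] = accepted.get(int(t), 0) + size
        else:
            dropped.append((t, size))
    return accepted, dropped


# Constructed trace (not from the guide): 1500-byte frames against a 500 kbps policy.
SAMPLE_TRACE: List[Tuple[float, int]] = (
    [(i * 0.01, 1500) for i in range(41)]   # 61500 bytes: fits in interval 0
    + [(0.5, 1500),                          # would make 63000 > 62500: dropped, port locked
       (0.6, 100),                           # would fit, but the port stays locked
       (1.0, 1500), (1.2, 60000),            # interval 1: 61500 bytes accepted
       (1.3, 1500)]                          # dropped: interval 0's unused 1000 bytes did not carry over
)


def demo() -> Tuple[Dict[int, int], List[Tuple[float, int]]]:
    return simulate(FixedRateLimiter(500), SAMPLE_TRACE)
```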
• This feature is not supported on FastIron X Series and Brocade FCX Series devices.
• Because of the hardware architecture, the effect of outbound rate limiting differs on GbE ports compared to 10-GbE ports. For example, applying the same rate limiting value on GbE and 10-GbE ports will produce different results.
ACL-based rate limiting policy configuration
The above commands configure a fixed rate limiting policy that allows traffic with a priority of 7 on port 0/1/35 to transmit 1000 Kbps. The system rounds the configured rate to 975 Kbps. If the port transmits additional bits during a given one-second interval, the port will drop all outbound packets on the port until the next one-second interval starts.
Displaying the fixed rate limiting configuration
The command lists the ports on which fixed rate limiting is configured, and provides the information listed in Table 326 for each of the ports.
TABLE 326 CLI display of Fixed rate limiting information on inbound ports
Field – Description
Total rate-limited interface count – The total number of ports that are configured for Fixed rate limiting.
Port – The port number.
Configured Input Rate – The maximum rate requested for inbound traffic.
Chapter 51 Quality of Service
Table 328 lists the individual Brocade FastIron switches and the Quality of Service (QoS) features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
TABLE 328 Supported QoS features (columns: Feature, FESX, FSX 800, FSX 1600, FWS, FCX, ICX 6610, ICX 6430, ICX 6450)
QoS overview
Processing of classified traffic
The trust level in effect on an interface determines the type of QoS information the device uses for performing QoS. The Brocade device establishes the trust level based on the configuration of various features and whether the traffic is switched or routed. The trust level can be one of the following:
• Ingress port default priority.
• Static MAC address.
• Layer 2 Class of Service (CoS) value – This is the 802.1p priority value in the Ethernet frame.
FIGURE 220 Determining a packet trust level - FastIron X Series devices (flowchart: for a packet received on an ingress port, checks in turn whether it matches an ACL that defines a priority, whether to trust the DSCP CoS-mapping or the DSCP-marking, whether to trust the DSCP/ToS value, whether to trust the priority of a static MAC entry, and whether to trust the 802.1p priority)
Figure 221 on page 1967 illustrates how the SX-FI48GPP interface module determines the trust level of a packet. The marking process for the SX-FI48GPP interface module is similar to the marking process for other FastIron SX modules. However, there are major differences between the SX-FI48GPP interface module and other FastIron SX modules.
• For the SX-FI48GPP interface module, static MAC priority takes higher precedence than VLAN priority.
FIGURE 221 Determining a packet trust level - SX-FI48GPP, SX-FI-24GPP, SX-FI-24HF, SX-FI-2XG, and SX-FI-8XG modules (flowchart: a packet matching an ACL that defines a priority is marked according to the ACL QoS action; otherwise, if the MAC address matches a static entry with priority > 0, the priority of the static MAC entry is trusted; otherwise, if the port ignores the VLAN priority, the port's default priority is trusted; a further branch trusts the DSCP to priority mapping)
Figure 222 illustrates how FastIron WS and Brocade FCX and ICX series devices determine the trust level of a packet. As shown in the flowchart, the first criterion considered is whether the packet matches an ACL that defines a priority. If this is not the case and the MAC address of the packet matches a static entry, the packet is classified with the priority of the static MAC entry. If neither of these is true, the packet is next classified with the ingress port default priority.
Once a packet is classified, it is mapped to a forwarding queue. For all products except the SX-FI48GPP interface module and ICX 6430 switch, there are eight queues designated from 0 through 7. The internal forwarding priority maps to one of these eight queues. For the SX-FI48GPP interface module and ICX 6430 switch, internal forwarding priority maps to four forwarding queues. The mapping between the internal priority and the forwarding queue cannot be changed.
QoS for Brocade stackable devices
TABLE 332 Default QoS mappings for FCX platforms, columns 48 to 63 (rows: DSCP value 48 through 63, 802.1p priority, internal forwarding priority, forwarding queue; values cut off in the extracted table)
QoS queues QoS behavior for trusting Layer 2 (802.1p) in an IronStack By default, Layer 2 trust is enabled. Because priority 7 is reserved for stacking control packets, any ingress data traffic with priority 7 is mapped to internal hardware queue 6. All other priorities are mapped to their corresponding queues. QoS behavior for trusting Layer 3 (DSCP) in an IronStack When the trust dscp mode is enabled, packets arriving with DSCP values 56 to 63 are mapped to internal hardware queue 6.
The queue names listed in Table 333 are the default names. If desired, you can rename the queues as shown in “Renaming the queues” on page 1989. Packets are classified and assigned to specific queues based on the criteria shown in Figure 220, Figure 221, and Figure 222. For FCX and ICX devices, ingress packets are classified into the eight priorities, which map to eight hardware queues or traffic classes (TCs) based on the priority.
Queues for the SX-FI-8XG interface module
The SX-FI-8XG interface module consists of two separate hardware Network Processors (NP). The front-end NP supports eight hardware queues, and the back-end NP supports eight hardware queues. In the egress, traffic is destined to four adjacent ports (for example, ports 1/1 to 1/4), and aggregated into one 10GbE port in the back-end NP.
TABLE 336 Default QoS mappings for ICX 6430, columns 0 to 15 (Continued)
DSCP value:                   0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Internal forwarding priority: 0 0 0 0 0 0 0 0 1 1  1  1  1  1  1  1
Forwarding queue:             0 0 0 0 0 0 0 0 0 0  0  0  0  0  0  0
TABLE 337 Default QoS mappings for ICX 6430, columns 16 to 31
DSCP value: 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
802.
• DSCP to internal forwarding priority mapping – You can change the mapping between the DSCP value and the internal forwarding priority value from the default values shown in Table 336 through Table 339. This mapping is used for CoS marking and determining the internal priority when the trust level is DSCP. Refer to “Changing the DSCP to internal forwarding priority mappings” on page 1984.
• VLAN priority (802.1p) to hardware forwarding queue – You can change the mapping between the 802.
The variable is the name of the profile you are creating. Profile qosp0 through qosp7 are the default queue names. The through variables are the assigned weights. If you create a profile specifying only the weights (qosp0 through qosp7) without specifying the mechanism, the default mechanism is used. The default mechanism for stacking systems is Mixed, and WRR for stand-alone systems.
Stand-alone system (common for FCX platforms)
TC   SP   SP Jumbo   WRR   WRR Jumbo   Mixed   Mixed Jumbo
TC0  SP   SP         3     8           15      15
TC1  SP   SP         3     8           15      15
TC2  SP   SP         3     8           15      15
TC3  SP   SP         3     8           15      15
TC4  SP   SP         3     8           15      15
TC5  SP   SP         3     8           25      25
TC6  SP   SP         7     8           SP      SP
TC7  SP   SP         75    44          SP      SP
ICX 6430 platforms
Table 340 shows the default values for scheduling type for stacking and stand-alone ICX 6430 platforms.
QoS priorities-to-traffic assignment
Stand-alone system for ICX 6430 platforms (Continued)
QSP6  SP   SP   7    8    SP   SP
QSP7  SP   SP   75   44   SP   SP
QoS priorities-to-traffic assignment
By default, all traffic is in the best-effort queue (qosp0) and is honored on tagged ports on all FastIron switches. You can assign traffic to a higher queue based on the following:
• Incoming port (sometimes called the ingress port)
• Static MAC entry
When you change the priority, you specify a number from 0 through 7.
802.1p priority override
Syntax: [no] static-mac-address ethernet [priority ]
The is the MAC address. Specify the port variable in one of the following formats:
• FWS, FCX, and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• ICX devices – slotnum/portnum
• FESX compact switches – portnum
The priority variable can be from 0 through 7 and specifies the IEEE 802.
Marking
Configuration notes and feature limitations
• 802.1p priority override is supported on physical ports and trunk ports. When applied to the primary port of a trunk group, the configuration applies to all members of the trunk group.
• This feature is not supported together with trust dscp.
Enabling 802.1p priority override
To enable 802.1p priority override, enter the following command at the interface level of the CLI.
DSCP-based QoS configuration
Brocade IronWare releases support basic DSCP-based QoS (also called Type of Service (ToS)-based QoS) as described in this chapter. However, the FastIron family of switches does not support other advanced DSCP-based QoS features as described in the Enterprise Configuration and Management Guide. Brocade IronWare releases also support marking of the DSCP value.
Configuring QoS mapping configuration
FastIron X Series devices
FastIron X Series devices require the use of an ACL to honor DSCP-based QoS for routed traffic in the Layer 3 image, or for switched traffic in the Layer 2 image. To enable DSCP-based QoS on these devices, apply an ACL entry such as the following.
Brocade(config)#access-list 101 permit ip any any dscp-cos-mapping
NOTE Use the bridged-routed keyword in the ACL to honor DSCP for switched traffic in the Layer 3 image.
Default DSCP to internal forwarding priority mappings
The DSCP values are described in RFCs 2474 and 2475. Table 342 lists the default mappings of DSCP values to internal forwarding priority values.
Changing the DSCP to internal forwarding priority mappings
To change the DSCP to internal forwarding priority mappings for all the DSCP ranges, enter commands such as the following at the global CONFIG level of the CLI.
Changing the VLAN priority 802.1p to hardware forwarding queue mappings
To map a VLAN priority to a different hardware forwarding queue, enter commands such as the following at the global CONFIG level of the CLI.
Syntax: [no] qos tagged-priority
The variable can be from 0 through 7 and specifies the VLAN priority. The variable specifies the hardware forwarding queue to which you are reassigning the priority.
• Front end queue 2 = 3% (qosp4) + 3% (qosp5) = 6%
• Front end queue 1 = 3% (qosp2) + 3% (qosp3) = 6%
• Front end queue 0 = 3% (qosp0) + 3% (qosp1) = 6%
The hardware queues for mixed WRR and SP mode are calculated as follows:
• Front end queue 3 is Strict Priority as default values for qosp7 and qosp6 are SP
• Front end queue 2 = 25% (qosp4) + 15% (qosp5) = 40%
• Front end queue 1 = 15% (qosp2) + 15% (qosp3) = 30%
• Front end queue 0 = 15% (qosp0) + 15% (qosp1) = 30%
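The default mapping rules spread across this chapter (DSCP to internal forwarding priority as in Table 336, priority to hardware queue with the IronStack rule that priority 7 and DSCP 56 to 63 land in queue 6, and the 8-to-4 front-end queue aggregation with its bandwidth arithmetic above), collected into one added Python example. It is illustration code, not Brocade software; the function names are constructed, and treating a front-end pair with only one SP member as strict priority is an assumption the chapter does not cover.

```python
"""Default QoS queue mapping rules summarised in this chapter (added example,
not Brocade code): DSCP -> internal priority, priority -> hardware queue with
the IronStack reservation, and the 8-to-4 front-end queue aggregation."""
from typing import List, Union

SP = "SP"                    # strict-priority marker used in the scheduling tables
Weight = Union[int, str]     # a WRR percentage or SP


def dscp_to_internal_priority(dscp: int) -> int:
    """Default mapping: each block of eight DSCP values maps to one priority
    (Table 336: DSCP 0-7 -> 0, 8-15 -> 1, ..., 56-63 -> 7)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp >> 3


def hardware_queue(priority: int, stacking: bool = False) -> int:
    """Eight-queue platforms: the queue number equals the internal priority,
    except in an IronStack, where priority 7 is reserved for stacking control
    packets and data traffic with priority 7 is placed in queue 6. The same
    rule covers trust dscp mode, because DSCP 56-63 map to priority 7."""
    if not 0 <= priority <= 7:
        raise ValueError("internal priority is 0-7")
    if stacking and priority == 7:
        return 6
    return priority


def front_end_queue(priority: int) -> int:
    """Four-queue front ends (ICX 6430, SX-FI48GPP): qosp(2k) and qosp(2k+1)
    share front-end queue k (Table 336 shows priorities 0 and 1 in queue 0)."""
    return hardware_queue(priority) // 2


def aggregate_weights(profile: List[Weight]) -> List[Weight]:
    """Fold an eight-queue scheduling profile (index = qospN) into the four
    front-end queues by adding each pair's WRR percentages. A pair is strict
    priority when both members are SP, the only case the chapter shows;
    treating a mixed SP/WRR pair as SP is an assumption."""
    if len(profile) != 8:
        raise ValueError("expected weights for qosp0..qosp7")
    folded: List[Weight] = []
    for k in range(4):
        lo, hi = profile[2 * k], profile[2 * k + 1]
        if lo == SP or hi == SP:
            folded.append(SP)
        else:
            folded.append(lo + hi)
    return folded


# Default profiles: the WRR column of the stand-alone FCX scheduling table and
# the mixed SP/WRR percentages quoted for the SX-FI48GPP module above.
WRR_DEFAULT: List[Weight] = [3, 3, 3, 3, 3, 3, 7, 75]
MIXED_DEFAULT: List[Weight] = [15, 15, 15, 15, 25, 15, SP, SP]


def classify(dscp: int, stacking: bool = False) -> dict:
    """Trace one DSCP value through the mappings when the trust level is DSCP."""
    prio = dscp_to_internal_priority(dscp)
    return {"dscp": dscp, "priority": prio,
            "queue8": hardware_queue(prio, stacking),
            "queue4": front_end_queue(prio)}
```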
Scheduling QoS information
Scheduling is the process of mapping a packet to an internal forwarding queue based on its QoS information, and servicing the queues according to a mechanism.
Scheduling for the SX-FI48GPP module
The SX-FI48GPP module supports scheduling at the front-end and back-end NP. If egress congestion occurs at the front-end NP of the SX-FI48GPP module, scheduling is based on four queues instead of eight.
By default, when you select the combined SP and WRR queueing method, the Brocade device assigns strict priority to traffic in qosp7 and qosp6, and weighted round robin priority to traffic in qosp0 through qosp5. Thus, the Brocade device schedules traffic in queue 7 and queue 6 first, based on the strict priority queueing method.
Configuring the QoS queues
Each of the queues has the following configurable parameters:
• The queue name
• The minimum percentage of a port outbound bandwidth guaranteed to the queue
Renaming the queues
The default queue names are qosp7, qosp6, qosp5, qosp4, qosp3, qosp2, qosp1, and qosp0. You can change one or more of the names if desired. To rename queue “qosp3” to “92-octane”, enter the following command.
When the queuing method is WRR, the software internally translates the percentages into weights. The weight associated with each queue controls how many packets are processed for the queue at a given stage of a cycle through the weighted round robin algorithm.
NOTE Queue cycles on the FastIron devices are based on bytes. These devices service a given number of bytes (based on the weight) in each queue cycle. FES and BI/FI queue cycles are based on packets.
Bandwidth allocations of the hybrid WRR and SP queues
NOTE On the SX-FI48GPP interface module, the bandwidth percentages for 8 to 4 queue mapping for hybrid WRR and SP queues are different from other Brocade SX modules. For more information on 8 to 4 queue mapping on the SX-FI48GPP interface module, refer to “Default scheduling configuration for the SX-FI48GPP module” on page 1985.
Viewing QoS settings
To display the QoS settings for all of the queues, enter the show qos-profiles command. The following example shows the output on an FESX device.
Viewing DSCP-based QoS settings
Syntax: show qos-tos
Table 348 shows the output information for the show qos-tos command.
TABLE 348 DSCP-based QoS configuration information
Field – Description
DSCP to traffic class map d1 and d2 – The DSCP to forwarding priority mappings that are currently in effect. NOTE: The example shows the default mappings. If you change the mappings, the command displays the changed mappings.
Traffic class to 802.1 priority map – Traffic Class and 802.
The show qos-tos command can also be used to display configuration information for 8 to 4 queue mapping. The following example displays an 8 to 4 queue mapping configuration.

Brocade#show qos-tos
DSCP-->Traffic-Class map: (DSCP = d1d2: 00, 01...
Appendix A Syslog messages

Table 1 lists all of the Syslog messages. Note that some of the messages apply only to Layer 3 switches.

NOTE
This chapter does not list Syslog messages that can be displayed when a debug option is enabled.
TABLE 1 Brocade Syslog messages
Message level | Message | Explanation
Alert | MAC Authentication failed for on (No VLAN Info received from RADIUS server) | RADIUS authentication was successful for the specified on the specified ; however, dynamic VLAN assignment was enabled for the port, but the RADIUS Access-Accept message did not include VLAN information. This is treated as an authentication failure.
Alert | Power supply , , failed | A power supply has failed. The is the power supply number. The describes where the failed power supply is in the chassis.
Alert | System: Module in slot encountered PCI config read error: Bus , Dev , Reg Offset . | The module encountered a hardware configuration read error.
Alert | Temperature C degrees, warning level C degrees, shutdown level C degrees | Indicates an over temperature condition on the active module. The value indicates the temperature of the module. The value is the warning threshold temperature configured for the module.
Informational | Security: Password has been changed for user from | Password of the specified user has been changed during the specified session ID or type. can be console, telnet, ssh, web, or snmp.
Informational | : Logical link on interface ethernet is down.
Informational | Bridge topology change, vlan , interface , changed state to | A Spanning Tree Protocol (STP) topology change has occurred on a port. The is the ID of the VLAN in which the STP topology change occurred. The is the port number.
Informational | DOT1X : port - mac This device doesn't support ACL with MAC Filtering on the same port | The RADIUS server returned a MAC address filter while an IP ACL was applied to the port, or returned an IP ACL while a MAC address filter was applied to the port.
Informational | Interface , state down | A port has gone down. The is the port number.
Informational | Interface , state up | A port has come up. The is the port number.
Informational | SNMP Auth. failure, intruder IP: | A user has tried to open a management session with the device using an invalid SNMP community string. The is the IP address of the host that sent the invalid community string.
Informational | System: Static Mac entry with Mac Address is added from the // to // on VLANs to | A MAC address is added to a range of interfaces, which are members of the specified VLAN range.
Informational | Warm start | The system software (flash code) has been reloaded.
Informational | Stack: Stack unit has been deleted to the stack system | The specified unit has been deleted from the stacking system.
Informational | Stack unit has been elected as ACTIVE unit of the stack system | The specified unit in a stack has been elected as the Master unit for the stacking system.
Notification | ACL exceed max DMA L4 cam resource, using flow based ACL instead | The port does not have enough Layer 4 CAM entries for the ACL. To correct this condition, allocate more Layer 4 CAM entries.
Notification | DOT1X issues software but not physical port down indication of Port to other software applications | The device has indicated that the specified is no longer authorized, but the actual port may still be active.
Notification | Local TCP exceeds burst packets, stopping for seconds!! | Threshold parameters for local TCP traffic on the device have been configured, and the maximum burst size for TCP packets has been exceeded. The first is the maximum burst size (maximum number of packets allowed). The second is the number of seconds during which additional TCP packets will be blocked on the device.
Notification | OSPF intf authen failure, rid , intf addr , pkt src addr , error type , pkt type | Indicates that an OSPF interface authentication failure has occurred. The is the router ID of the Brocade device. The is the IP address of the interface on the Brocade device.
Notification | OSPF intf config error, rid , intf addr , pkt src addr , error type , pkt type | Indicates that an OSPF interface configuration error has occurred. The is the router ID of the Brocade device. The is the IP address of the interface on the Brocade device.
Notification | OSPF intf rcvd bad pkt: Bad Checksum, rid , intf addr , pkt size , checksum , pkt src addr , pkt type | The device received an OSPF packet that had an invalid checksum. The rid is the Brocade router ID. The intf addr is the IP address of the Brocade interface that received the packet.
Notification | OSPF intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid | An OSPF interface on the Brocade device has retransmitted a Link State Advertisement (LSA). The is the router ID of the Brocade device. The is the IP address of the interface on the Brocade device.
Notification | OSPF nbr state changed, rid , nbr addr , nbr rid , state | Indicates that the state of an OSPF neighbor has changed. The is the router ID of the Brocade device. The is the IP address of the neighbor. The is the router ID of the neighbor.
Notification | OSPF virtual intf authen failure, rid , intf addr , pkt src addr , error type , pkt type | Indicates that an OSPF virtual routing interface authentication failure has occurred. The is the router ID of the Brocade device. The is the IP address of the interface on the Brocade device.
Notification | OSPF virtual intf config error, rid , intf addr , pkt src addr , error type , pkt type | Indicates that an OSPF virtual routing interface configuration error has occurred. The is the router ID of the Brocade device. The is the IP address of the interface on the Brocade device.
Notification | OSPF virtual intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid | An OSPF interface on the Brocade device has retransmitted a Link State Advertisement (LSA). The is the router ID of the Brocade device.
Notification | OSPF virtual nbr state changed, rid , nbr addr , nbr rid , state | Indicates that the state of an OSPF virtual neighbor has changed. The is the router ID of the Brocade device. The is the IP address of the neighbor. The is the router ID of the neighbor.
Notification | VRRP intf state changed, intf , vrid , state | A state change has occurred in a Virtual Router Redundancy Protocol (VRRP) or VRRP-E IPv4 or IPv6 interface. The is the port or interface where VRRP or VRRP-E is configured. The is the virtual router ID (VRID) configured on the interface.
Warning | list denied () (Ethernet ) -> (), 1 event(s) | Indicates that an Access Control List (ACL) denied (dropped) packets. The indicates the ACL number. Numbers 1 – 99 indicate standard ACLs. Numbers 100 – 199 indicate extended ACLs.
Warning | No global IP! cannot send IGMP msg. | The device is configured for ip multicast active but there is no configured IP address and the device cannot send out IGMP queries.
Warning | No of prefixes received from BGP peer exceeds warning limit | The Layer 3 switch has received more than the allowed percentage of prefixes from the neighbor.
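As an added example (not Brocade's code), the following Python classifies the security-relevant messages from the table above the way a log collector or SIEM rule would, and turns them into triage items. The sample lines, the timestamp/hostname prefix and the values that fill the table's placeholders are constructed, and the field order inside the "list ... denied" ACL message is an assumption.

```python
"""Classify security-relevant Brocade FastIron Syslog messages (added example).

Message text follows the Syslog table; the sample values, the prefix before
each message and the ACL message field order are constructed/assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines: the table's placeholders filled with made-up values.
SAMPLE_LINES = [
    "Jul 20 10:01:02 sw1 SNMP Auth. failure, intruder IP: 192.0.2.77",
    "Jul 20 10:01:05 sw1 SNMP Auth. failure, intruder IP: 192.0.2.77",
    "Jul 20 10:01:09 sw1 SNMP Auth. failure, intruder IP: 192.0.2.77",
    "Jul 20 10:02:10 sw1 MAC Authentication failed for 0000.1234.abcd on 1/1/7 "
    "(No VLAN Info received from RADIUS server)",
    "Jul 20 10:03:00 sw1 Security: Password has been changed for user admin from console",
    "Jul 20 10:04:00 sw1 Local TCP exceeds 100 burst packets, stopping for 5 seconds!!",
    "Jul 20 10:05:00 sw1 OSPF intf authen failure, rid 10.0.0.1, intf addr 10.0.1.1, "
    "pkt src addr 10.0.1.9, error type 3, pkt type 1",
    "Jul 20 10:06:00 sw1 list 105 denied tcp 192.0.2.50(41234) "
    "(Ethernet 1/1/3 0000.5e00.5301) -> 10.0.0.5(22), 1 event(s)",
    "Jul 20 10:07:00 sw1 Interface 1/1/9, state up",   # operational, not security
]

@dataclass
class Finding:
    severity: str                       # message level as given in the table
    category: str                       # label used by this example
    fields: dict = field(default_factory=dict)

FIELD = r"[^,\s]+"                      # one comma-separated value in a message
# (category, severity from the table, pattern). Patterns are searched, not
# anchored, so any collector prefix before the message text is tolerated.
RULES = [
    ("snmp_auth_failure", "Informational",
     re.compile(r"SNMP Auth\. failure, intruder IP: (?P<src_ip>\S+)")),
    ("mac_auth_no_vlan", "Alert",
     re.compile(r"MAC Authentication failed for (?P<mac>\S+) on (?P<port>\S+) "
                r"\(No VLAN Info received from RADIUS server\)")),
    ("password_changed", "Informational",
     re.compile(r"Security: Password has been changed for user (?P<user>\S+) "
                r"from (?P<session>\S+)")),
    ("tcp_burst_lockup", "Notification",
     re.compile(r"Local TCP exceeds (?P<burst_max>\d+) burst packets, "
                r"stopping for (?P<lockup_secs>\d+) seconds!!")),
    ("ospf_auth_failure", "Notification",
     re.compile(rf"OSPF (?P<virtual>virtual )?intf authen failure, rid (?P<rid>{FIELD}), "
                rf"intf addr (?P<intf>{FIELD}), pkt src addr (?P<src_ip>{FIELD}), "
                rf"error type (?P<err>{FIELD}), pkt type (?P<pkt>{FIELD})")),
    ("acl_deny", "Warning",   # field order inside this message is assumed
     re.compile(r"list (?P<acl>\d+) denied (?P<proto>\S+) (?P<src_ip>[\d.]+)\((?P<sport>\d+)\) "
                r"\(Ethernet (?P<port>\S+) (?P<mac>\S+)\) -> (?P<dst_ip>[\d.]+)\((?P<dport>\d+)\), "
                r"(?P<events>\d+) event\(s\)")),
]

def classify(line: str):
    """Return a Finding for a security-relevant message, or None otherwise."""
    for category, severity, pattern in RULES:
        m = pattern.search(line)
        if m:
            return Finding(severity, category, m.groupdict())
    return None

def acl_kind(acl_number: int) -> str:
    """ACL number ranges as documented for the 'list ... denied' message."""
    if 1 <= acl_number <= 99:
        return "standard"
    if 100 <= acl_number <= 199:
        return "extended"
    return "other"

def analyze(lines):
    """Classify every line; return (findings, count of findings per severity)."""
    findings = [f for f in map(classify, lines) if f is not None]
    return findings, Counter(f.severity for f in findings)

def repeat_offenders(findings, category, key, min_count=3):
    """Values of `key` that produced `category` at least min_count times, e.g.
    one host repeatedly sending an invalid SNMP community string."""
    counts = Counter(f.fields[key] for f in findings if f.category == category)
    return {src: n for src, n in counts.items() if n >= min_count}

def triage(lines, snmp_threshold=3):
    """Turn a batch of lines into review items an operator would act on."""
    findings, _ = analyze(lines)
    items = []
    for f in findings:
        if f.category == "tcp_burst_lockup":        # control-plane availability impact
            items.append(f"control-plane TCP blocked for {f.fields['lockup_secs']}s "
                         f"after >{f.fields['burst_max']} packets")
        elif f.category in ("ospf_auth_failure", "mac_auth_no_vlan"):
            items.append(f"{f.category}: {f.fields}")
        elif f.category == "acl_deny":
            items.append(f"{acl_kind(int(f.fields['acl']))} ACL {f.fields['acl']} dropped "
                         f"{f.fields['proto']} {f.fields['src_ip']} -> "
                         f"{f.fields['dst_ip']}:{f.fields['dport']}")
        elif f.category == "password_changed":
            items.append(f"password change for {f.fields['user']} via {f.fields['session']}")
    # Single SNMP failures are only Informational; a burst from one host is worth a look.
    for src, n in repeat_offenders(findings, "snmp_auth_failure", "src_ip", snmp_threshold).items():
        items.append(f"{n} SNMP auth failures from {src}")
    return items

if __name__ == "__main__":
    for item in triage(SAMPLE_LINES):
        print(item)
```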
Appendix B NIAP-CCEVS Certification

Some Brocade devices have passed the Common Criteria (CC) certification testing. This testing is sponsored by the National Information Assurance Partnership (NIAP) - Common Criteria Evaluation and Validation Scheme (CCEVS). For more information regarding the NIAP-CCEVS certification process, refer to the following link: http://www.niap-ccevs.org/.
Web-Management access to NIAP-CCEVS certified Brocade equipment

TABLE 2 NIAP-CCEVS certified Brocade equipment and IronWare software releases
Brocade product | Brocade IronWare software version | Discussed in
ServerIron JetCore Family | 11.0.
Index

Numerics 100BaseTX configuration, 57 31-bit subnet mask, 968 802.1Q-in-Q tagging CLI syntax, 808 configuration, 804, 806 configuration rules, 805 configuring profiles, 808 enabling, 805 802.
ACL adding a comment to an entry, 1727 adding a comment to an IPv6 entry, 1769 and IP access policies, 955 applying an IPv4 ACL to a subset of ports (Layer 3), 1735 applying an IPv4 ACL to VLAN members (Layer 2), 1734 applying egress to CPU traffic, 1725 applying IPv6 to a trunk group, 1769 applying to a virtual interface in a VLAN, 1728 comment text management, 1726 configuration example, 1711 configuration example for extended named, 1725 configuration examples for extended, 1718 configuration notes for f
Address Resolution Protocol (ARP) changing the aging period, 983 configuration, 981 configuring forwarding parameters, 986 creating static entries, 985 enabling on an interface, 984 enabling the proxy, 983, 984 enabling the proxy globally, 984 how it works, 981 rate limiting ARP packets, 982 static entry support, 986 address-lock filters, 574 aggregate links, displaying and determining status, 731 aggregated VLAN configuring, 799 verifying configuration, 801 alarm interval, setting, 500 alarm status values,
statistics, 1419 displaying cooperative filtering information, 1413 displaying CPU utilization statistics, 1425 displaying dynamic refresh information, 1456 displaying filtered routes, 1453 displaying graceful restart neighbor information, 1451 displaying information, 1421 displaying information for a specific route, 1444 displaying peer group information, 1439 displaying recursive route lookups, 1372 displaying route flap dampening statistics, 1449 displaying route information for a neighbor, 1436 displayi
1418 removing route dampening from a route, 1418 removing route flap dampening, 1459 requiring the first AS to be the neighbor AS, 1376 resetting a neighbor session, 1451 route flap dampening configuration, 1414 route reflection parameter configuration, 1378 route reflector configuration, 1380 router ID comparison, 1376 selecting a path for a route, 1344 setting parameters in the routes, 1408 setting the local AS number, 1353 show commands for BGP null 0 routing, 1389 shutting down a session with a BGP4 nei
port, 264 confirming software versions, 282 construction methods, 249 copying the flash image, 283 device roles and elections, 326 displaying chassis information, 291 displaying flash information, 289 displaying IPC statistics for a specified unit, 301 displaying memory information, 290 displaying session statistics for stack units, 297 displaying software version information, 307 displaying stack flash information, 296 displaying stack information, 293 displaying stack module information, 292 displaying st
Cisco Discovery Protocol (CDP) overview, 443 cluster client automatic configuration setting up for MCT, 841 with MCT, 835 command 100-tx, 57 aaa accounting dot1x, 1819 aaa accounting exec default start-stop radius | tacacs+ | none, 154 aaa authentication dot1x default, 1800 aaa authentication enable, 149 aaa authentication enable | login default, 168 aaa authentication enable implicit-user, 150 aaa authentication login privilege-mode, 150 aaa authentication snmp-server | web-server | enable | login default,
| none, 153 access-list, 1709, 1714, 1726, 1743, 1749, 1778 accounting, 1901 ACL-logging, 1731 address-filter, 1394 add-vlan, 792 advertise backup, 648, 1676 age, 1840 aggregate-address, 1384, 1418 aggregated-vlan, 800 alias, 11 all-client, 116 appletalk-cable-vlan, 784 area, 1239, 1290, 1311 arp, 985, 1187 as-path filter, 1396 as-path-filter, 1397, 1398 as-path-ignore, 1376 attempt-max-num, 1903 auth-fail-action restricted-vlan, 1815 auth-fail-max-attempts, 1816 auth-fail-vlanid, 1815 auth-mode none, 1900
clock timezone us, 32 community-filter, 1399 compare-routerid, 1377 confederation identifier, 1383 confederation peers, 1383 config-trunk-ind, 712 console, 274 console timeout, 115 copy flash console, 77, 79 copy flash tftp, 87 copy running-config, 87 copy running-config tftp, 84 copy startup-config tftp, 84 copy tftp flash, 88 copy tftp running-config, 86 copy tftp startup-config, 84 crypto key client generate | zeroize dsa, 196 crypto key client generate | zeroize rsa, 196 crypto key generate | zeroize rs
ip access-group frag deny, 1732 ip access-list, 1733 ip access-list extended, 1257, 1721 ip access-list standard, 1256, 1711 ip address, 365, 1037, 1054 ip arp-age, 983 ip as-path access-list, 1396 ip community-list extended, 1400 ip community-list standard, 1400 ip default-gateway, 1037 ip default-network, 1000 ip dhcp relay information policy keep, 1940 ip dhcp snooping vlan, 1934 ip dhcp-client lease, 1036 ip dhcp-server, 1021 ip dhcp-server mgmt, 1020 ip dhcp-server relay-agent-echo enable, 1021 ip dire
ipv6 nd prefix-advertisement, 389 ipv6 nd ra-hop-limit, 388 ipv6 nd ra-interval, 388 ipv6 nd ra-lifetime, 388 ipv6 nd reachable-time, 391 ipv6 nd suppress-ra, 390 ipv6 neighbor, 392 ipv6 ospf area, 1291, 1306 ipv6 ospf authentication ipsec disable, 1313 ipv6 ospf authentication ipsec spi, 1310 ipv6 rip default-information, 1218 ipv6 rip enable, 1217 ipv6 rip metric-offset, 1219 ipv6 router ospf, 1289 ipv6 router rip, 1216 ipv6 traffic-filter, 1769 ipv6 unicast-routing, 365, 386, 1669 ipx-network, 771 ipx-pr
metro-ring, 626 mirror-port ethernet, 929 mld-snooping disable-mld-snoop, 1639 mld-snooping fast-convergence, 1642 mld-snooping fast-leave-, 1641 mld-snooping proxy-off, 1640 mld-snooping router-port, 1640 mld-snooping static-group, 1640 mld-snooping tracking, 1641 mld-snooping version, 1639 monitor ethernet, 929 mrinfo, 1595 mroute, 1593 msdp-peer, 1562 mstp admin-edge-port ethernet, 1177 mstp admin-pt2pt-mac ethernet, 1177 mstp disable ethernet, 1178 mstp edge-port-auto-detect, 1177 mstp force-migration-c
1452 netbios-name-server, 1023 network, 1023, 1369 next-bootstrap-server, 1023 next-hop-enable-default, 1370 next-hop-recursion, 1374 no ip icmp unreachable, 990 no mstp instance, 1173 non-preempt-mode, 650 offset-list, 1204 optical-monitor, 500 originator-id, 1563 owner priority, 1684 permit redistribute, 1253 phy-fifo-depth, 53 ping, 95, 370 ping ipv6, 415 poison-local-routes, 1221 poison-reverse, 1221 port-down-auth-mac-cleanup, 1905 port-name, 41, 712 prefix-list, 1299 preforwarding-time, 627 priority,
show cable-diag tdr, 499 show chassis, 276, 291 show clock, 32 show flash, 289 show flash stack, 290 show interfaces management, 2 show ip pim dense, 1530 show license, 229 show logging, 23 show media, 57, 501 show memory, 290 show module, 292 show run interface, 36 show running-config interface management, 2 show sntp associations, 25 show sntp server-mode, 29 show sntp status, 27 show stack, 287, 293 show stack connection, 266, 268 show stack resource, 293 show statistics management, 3 show symmetric-flow
tftp-server, 1024 threshold, 715 timeout restrict-fwd-period, 1818 timeout tx-period, 1813 timers keep-alive, 1365 timers lsa-group-pacing, 1266, 1305 timers spf, 1264, 1303 topology-group, 609 traceroute, 96, 368, 419, 972, 1038 traceroute ipv6, 368 traffic-policy, 1778, 1781 transmit-counter profiles, 527 trunk deploy, 707 trunk ethernet, 707, 714 trunk hash-options include-layer2, 706 trust-port ethernet, 1902 tunnel destination, 377 tunnel loopback, 1053 tunnel mode gre ip, 1053 tunnel mode ipv6ip, 377
command output egress queue statistics, 531 ipv6 mld-snooping mcache, 1644 ipv6 mld-snooping resource, 1645 IPv6 tunnel interface information, 379 sFlow information, 551 show 802.
show ipv6 tcp status, 406 show ipv6 traffic, 407 show license, 229 show license unit, 229 show link-aggregate, 732 show link-error-disable, 63 show link-keepalive, 688, 689 show lldp neighbors, 491 show lldp statistics, 489, 490 show loop-detection resource, 69 show mac-address, 920 show metro, 628, 629 show mstp, 1181 show optic, 503 show pod unit, 211 show port security ethernet, 1844 show port security mac, 1844 show port security statistics, 1845 show protected-link group, 694 show qd-buffer-profile all
configuration basic port parameter, 40 basic system parameters, 18 Brocade FCX IronStack, 258 buffer profiles, 587 command authorization, 153 DNS resolver, 970 dynamic loading, 84 entering system information, 19 flow control, 47 hitless OS upgrade, 107 Interpacket Gap (IPG), 53 IP addresses, 964 IP load sharing, 1001 IP parameters on Layer 2 switches, 1037 IPv4 and IPv6 protocol stack, 365 IPv6 connectivity on a Layer 3 switch, 362 IPv6 management ACLs, 366 IPv6 management port, 362 IPv6 neighbor discovery,
DHCP server disabling or re-enabling auto-configuration, 1034 disabling or re-enabling auto-update, 1034 supported options, 1033 diagnostic error codes, 93 digital optical monitoring, 500 disabling Syslog messages and traps, 24 displaying on Layer 2 switches, 1080 Distance Vector Multicast Routing Protocol (DVMRP) configuration on Layer 3 switch, 1582 displaying information, 1587 globally enabling and disabling, 1583 initiating multicasts on a network, 1580 modifying interface parameters, 1586 modifying par
Dynamic Host Configuration Protocol (DHCP) binding database, 1932 changing the forwarding policy, 1940 clearing the binding database, 1935 CLI commands, 1018 configuration example, 1936 configuration flow chart, 1016 configuration notes, 1014 configuration notes and feature limitations, 1933 configuring on a device, 1017 configuring snooping, 1934 default server settings, 1018 defining static IP source bindings, 1944 description of, 1013 disabling on the management port, 1020 disabling the learning of clien
Brocade FCX and ICX switches, 1491 IPv6 ACLs, 1755 IPv6 configuration on FastIron X series, FCX series, and ICX series switches, 353 Link Layer Discovery Protocol (LLDP), 447 MAC port security, 1837 MAC-based VLANs, 905 management applications, 1 Metro features, 607 MLD snooping, 1631 multi-device port authentication, 1849 network monitoring, 521 Open Shortest Path First (OSPF), 1225 Open Shortest Path First (OSPF), IPv6, 1287 Operations, Administration, and Maintenance (OAM), 71 port mirroring and monitori
example, 903 dynamic core and fixed edge configuration example, 902 fixed core and dynamic edge configuration example, 904 fixed core and fixed edge configuration examples, 904 gvrp block applicant all, 889 gvrp block-learning all | ethernet, 890 join-timer, 892 leave-timer, 892 H hitless failover description, 97 hitless failover, enabling, 100 hitless management, 97 benefits of, 98 configuration notes and feature limitations, 100 supported protocols, 98 hitless OS upgrade, 97, 104 hitless OS upgrade confi
switches configuration notes, 1493 disabling for the VLAN, 1501 displaying information, 1505 displaying information by VLAN, 1510 IGMPv2 with IGMPv3, 1495 overview, 1491 querier and non-querier configuration, 1494 VLAN-specific configuration, 1495 IGMP snooping traffic on FastIron WS and Brocade FCX and ICX switches displaying status, 1509 Integrated Switch Routing (ISR), 752 Interface 100-fx, 59 100-tx, 57 acl-mirror-port ethernet, 932 advertise-local on | off, 1586 age, 1840 arp inspection trust, 1931 bro
1202 ip tcp burst-normal burst-max lockup, 1924 ip use-acl-on-arp, 1737 ip vrrp-extended auth-type no-auth | simple-text-auth, 1672 ip vsrp auth-type no-auth | simple-text-auth, 645 ipg, 56 ipg-gmii, 54 ipg-mii, 54 ipg-xgmii, 54 ip-multicast-disable, 1471, 1498 ipv6 address, 363, 364, 365, 366 ipv6 address eui, 364 ipv6 address link-local, 365 ipv6 enable, 364 ipv6 mtu, 392 ipv6 nd dad attempt, 387 ipv6 nd managed-config-flag, 390 ipv6 nd ns-interval, 387 ipv6 nd other-config-flag, 390 ipv6 nd prefix-advert
Internet Group Management Protocol (IGMP) and IP multicast protocols on the same device, 1606 clearing statistics, 1604 default version, 1597 displaying information on Layer 3 switches, 1600 displaying proxy traffic information, 1606 displaying the status of an interface, 1602 displaying the traffic status, 1604 enabling membership tracking and fast leave, 1598 enabling on a physical port within a virtual routing interface, 1598 globally enabling, 1597 overview, 1596 proxy configuration, 1605 setting the gr
IP route table, 951 IP route table, displaying, 1074 IP routes clearing, 1077 IP source guard configuration notes and feature limitations, 1943 IP static routes enabling redistribution into RIP, 1193 IP subnet address configuring on multiple port-based VLAN, 788 IP subnet broadcasts, enabling support, 988 IP traffic displaying statistics, 1082 IP tunnels configuration, 1587 IPv4 configuring Layer 3 system parameters, 1189 disabling CPU processing for multicast groups, 1591 enabling multicast routing on GRE
385 pinging, 415 pinging and address, 370 prefixes advertised in router messages, 389 protocol names and numbers, 1756 protocol VLAN configuration, 776 restricting web access, 414 router advertisement and solicitation messages, 386 secure shell (SSH) and SCP, 417 secure shell and SCP, 367 setting flags in router advertisement messages, 390 setting neighbor solicitation parameters, 387 setting router advertisement parameters, 387 SNMP3, 417 SNTP, 417 source routing security enhancements, 393 specifying a Sys
license file copying using TFTP, 221 deleting, 222 verifying installation, 222 licensed features and part numbers, 202 Licensing for Ports on Demand, 208 Configuration considerations for stacking or trunking PoD ports, 213 Configuration considerations when configuring PoD on an interface, 213 Configuring PoD on an interface, 208 Configuring the upper PoD ports in a stack for ICX 6610 devices, 209 Upgrading or downgrading configuration considerations for PoD, 208, 212 link aggregation clearing the negotiated
Local User Database delete-all, 1893 import-users tftp filename, 1894 no username, 1893 username password, 1893 log messages for DHCP, 1036 logging, 514 logging changes to, 83 login attempts, specifying maximum number for Telnet access, 118 loop detection clearing, 68 configuring a global interval, 66 displaying resource information, 69 enabling, 66 specifying the recovery time interval, 67 M MAC address clearing entries, 563 clearing flow-based entries, 567 cluster types with MCT, 846 configuration, 561 c
management interface logging on, 12 navigating, 13 using, 14 management IP address configuring and specifying the default gateway, 1037 management port commands, 2 overview, 1 rules, 2 management privilege levels, 126 management privileges, 129 Maximum Transmission Unit (MTU) changing, 974 changing on an individual port, 975 path discovery (RFC 1191) support, 976 Maximum Transmission Unit (MTU) globally changing, 975 MDI configuration, 45 Media Dependent Interface (MDI) configuration, 45 media, displaying in
1641 global task configuration, 1635 modifying the age interval, 1637 modifying the mcache aging time, 1638 modifying the query interval, 1637 modifying the wait time, 1638 overview, 1631 turning off static group proxy, 1640 VLAN-specific task configuration, 1635 multicast neighbor displaying information, 1553 multicast protocols displaying information, 1062 multicast route configuring static, 1593 displaying the configuration, 1595 Multicast Source Discovery Protocol (MSDP) clearing information, 1578 confi
1864 enabling source guard protection, 1864 example configurations, 1879 generating SNMP traps, 1857 how it works, 1850 limiting the number of MAC addresses, 1870 password override, 1870 specifying the aging time for blocked MAC addresses, 1868 specifying the authentication-failure action, 1856 specifying the MAC addresses, 1856 specifying the RADIUS timeout action, 1868 support for DHCP snooping, 1852 support for dynamic ACLs, 1852 support for dynamic ARP inspection, 1852 support for dynamic VLAN assignmen
1228 designated routers in multi-access networks, 1228 disabling or re-enabling load sharing, 1260 displaying ABR information, 1284 displaying area information, 1275 displaying data in an LSA, 1283 displaying graceful restart information, 1285 displaying information, 1272 displaying interface information, 1276, 1278 displaying link state information, 1282 displaying route information, 1279 displaying trap status, 1284 displaying virtual link information, 1284 displaying virtual neighbor information, 1283 dy
1297 modifying virtual link parameters, 1293 overview, 1287 shortest path first timers, 1303 showing IPsec policy, 1335 showing IPSec statistics, 1336 specifying the key rollover time, 1310 P packet parameters, configuring, 973 packet types specifying a single source interface, 977 password enable read-only-password, 126 password logins, enabling, 186 passwords changing a local user password, 136 configuring, 129 configuring password history, 132 creating a password option, 135 enabling user password aging
PIM Sparse boot strap router (BSR), 1535 changing the join and prune message interval, 1538 changing the shortest path tree (SPT) threshold, 1537 configuration, 1533 configuring interface parameters, 1535 displaying information, 1545 dropping traffic, 1539 globally enabling and disabling, 1534 limitations, 1534 RP paths and SPT paths, 1533 switch types, 1532 ping IPv6 address, 370 policy-based routing (PBR), 1747 basic example, 1751 enabling, 1751 setting the next hop, 1752 setting the output interface, 175
Power over Ethernet (POE) and CPU utilization, 668 autodiscovery, 662 cabling requirements, 665 configuring power levels, 671 disabling support for power-consuming devices, 669 displaying information, 675 dynamic upgrade of power supplies, 663 enabling and disabling, 669 enabling the detection of power requirements, 670 endspan method, 660 installing firmware, 666 installing firmware on FCX platform, 667 installing firmware on FSC platform, 666 IP surveillance cameras, 666 methods for delivery, 660 midspan
R RADIUS AAA operations, 159 accounting configuration, 158 authentication configuration, 157 authentication method values, 168 authentication, authorization, and accounting (AAA), 157 authentication-method list examples, 175 authentication-method lists, 174 authorization configuration, 158 Brocade-specific attributes on the server, 161 command authorization and accounting for console commands, 170 configuration, 161 configuration considerations, 160 configuring accounting for CLI commands, 171 configuring a
rendezvous point (RP) ACL-based assignment, 1539 anycast method, 1540 configuring an ACL-based assignment, 1539 designating as an interface IP address, 1563 displaying information, 1550 restrict mode access using ACL, 112 restricting HTTP and HTTPS connection, 117 SNMP access to a specific VLAN, 119 snmp-server enable vlan, 119 SSH connection, 117 Telnet access to a specific VLAN, 119 Telnet connection, 117 TFTP access to a specific vlan, 120 Web management access to a specific VLAN, 119 restricting access
Router activate, 1700 address-filter, 1394 aggregate-address, 1384 always-compare-med, 1377 area, 1238, 1239, 1248, 1249, 1290, 1291, 1293 area | nssa | default-information-originate, 1240 area | range, 1241 area virtual-link, 1292 as-path-filter, 1396 as-path-ignore, 1376 auto-cost reference-bandwidth, 1252, 1295, 1305 bgp-redistribute-internal, 1393 bsr-candidate ethernet, 1535 client-to-client-reflection, 1381 cluster-id, 1380 community-filter, 1399 compare-routerid, 1377 confederation identifier, 1383 c
trigger-interval, 1585 update-time, 1207, 1366 use-vrrp-path, 651, 1209, 1675 virtual-link-if-address interface ethernet, 1292 router ID, changing, 976 routing between VLANs (Layer 3 only), 765 Routing Information Protocol (RIP) applying route filter to an interface, 1210 changing the administrative distance, 1204 changing the cost of routes learned on a port, 1203 changing the redistribution metric, 1206 changing the route loop prevention method, 1196, 1209 configuration, 1193 configuring a neighbor filter
security AAA for RADIUS commands, 160 AAA operations for RADIUS, 159 allowing SNMP access to Brocade device, 121 allowing SSHv2 access to Brocade device, 121 allowing Web management through HTTP for Brocade device, 121 allowing Web management through HTTPS, 122 authentication method values, 150 changing the SSL server certificate key size, 137 deleting the SSL certificate, 139 device management, 121 edge port, 177 edge ports, 176 enabling SSL server on Brocade device, 137 generating an SSL certificate, 138
show command ip ospf database external-link-state advertise, 1283 ipv6 inter tunnel, 380 show 802-1w, 1141 show aaa, 156, 172 show access-list, 1727, 1745 show access-list accounting traffic-policy, 1785 show access-list all, 1746 show arp, 1070, 1081, 1931 show authenticated-mac-address, 1866 show auth-mac-address, 1871 show boot-preference, 81 show clock, 32 show cluster, 860 show cluster ccp peer, 862 show cluster client, 861 show configuration, 589 show default value, 1191 show default values, 578 show
1507 show ip multicast resource, 1480, 1508 show ip multicast traffic, 1481, 1509 show ip multicast vlan, 1477, 1482, 1483, 1510 show ip ospf area, 1275 show ip ospf border-routers, 1284 show ip ospf config, 1272 show ip ospf database external-link-state, 1281 show ip ospf database link-state, 1282 show ip ospf interface, 1247, 1276, 1278 show ip ospf neighbor, 1276 show ip ospf neighbors, 1285 show ip ospf redistribute route, 1280 show ip ospf routes, 1279 show ip ospf trap, 1284 show ip ospf virtual-link,
show local-userdb test, 1920 show log, 1731 show logging, 508, 510, 511, 921 show loop-detection resource, 69 show loop-detection status, 68 show mac, 567, 717 show mac cluster, 847 show mac-address, 561, 567, 920 show media, 57 show media slot, 501 show metro, 628, 629 show mstp, 1181 show mstp config, 1174 show notification mac-movement threshold-rate, 576 show optic, 502 show optic slot, 503 show optic threshold, 504 show pod, 210 show port security ethernet, 1844, 1847 show port security mac, 1844 show
  displaying settings, 1992
show qos-tos, 1984, 1992
show rate-limit broadcast, 36
show rate-limit fixed, 1951, 1961
show rate-limit fixed input, 1960
show rate-limit output-shaping, 1954
show rate-limit unknown-unicast, 36
show relative-utilization, 553, 554
show reserved-vlan-map, 767
show rmon statistics, 532
show route-map, 1450
show run, 131, 1035
show run interface, 36
show run interface ethernet, 1980
show sflow, 542, 550
show snmp engineid, 426, 434
show snmp group, 435
show snmp server, 372, 425, 43
  1857
  interpreting varbinds in report packets, 435
  IPv6 support, 433
  Layer 2 generated traps, 21
  Layer 3 generated traps, 22
  over IPv6, 417
  overview, 421
  restricting access to an IPv6 node, 366
  setting the trap holddown time, 21
  specifying a single trap source, 20
  specifying a trap receiver, 19
  specifying an IPv6 host as trap receiver, 433
  specifying an IPv6 trap receiver, 367
  trap MIB changes, 432
  user-based security model, 425
  using to configure MAC-based VLANs, 915
  using to save and load configuration inf
  187
  displaying information, 188
  filtering access using ACLs, 188
  setting login timeout value, 187
  setting port number, 187
  terminating an active connection, 188
  using to install a software license, 221
SSH authentication
  setting the number of retries, 186
SSH keys
  CPU priority for generation, 182
SSH2
  configuration, 181
  DSA challenge-response authentication, 181
  password authentication, 181
  RSA challenge-response authentication, 181
  use with secure copy, 191
SSH2 client
  configuring public key authentication
  509
  enabling real-time display of messages, 509
  message due to disabled port in loop detection, 70
  message for hitless management events, 107
  message types, 1995
  messages for CLI access, 23
  messages for hardware errors, 518
  messages for hitless stacking failover and switchover, 351
  messages for port flap dampening, 65
  messages for VRRP-E authentication, 1672
  messages on a device with the onboard clock set, 513
  messages related to GRE IP tunnels, 1048
  messages supported for software-based licensing, 227
  over
total transmit queue depth limit, configuring, 585
trace route
  using DNS to initiate, 972
tracing an IPv4 route, 96
traffic counters
  displaying enhanced statistics, 528
  for outbound traffic, 526
traffic policies
  configuration notes and feature limitations, 1774
  CoS parameters for packets, 1775
  CPU rate-limiting, 1787
  enabling ACL statistics, 1783
  maximum number supported on a device, 1775
  overview, 1773
  setting the maximum number on a Layer 3 device, 1776
  using ACL-based rate limiting, 1776
  viewing, 1786
Tr
U
UDLD
  changing the keepalive interval, 688
  changing the keepalive retries, 688
  configuration notes and feature limitations, 686
  creating a protected link group and assigning an active port, 692
UDP
  configuring broadcast parameters, 1009
  enabling forwarding for an application, 1010
unicast limiting
  command syntax, 33
Uni-Directional Link Detection (UDLD)
  clearing statistics, 690
  displaying information, 688
  displaying information for a single port, 689
  enabling, 686
  enabling for tagged ports, 687
  for tagged
virtual switch redundancy protocol (VSRP)
  changing the backup priority, 646
  changing the timer scale, 644
  configuration notes and feature limitations, 634
  configuring authentication, 644
  configuring basic parameters, 642
  configuring fast start, 655
  configuring security features on a VSRP-aware device, 645
  disabling or re-enabling, 643
  displaying information, 651
  displaying the active interfaces for a VRID, 654
  fast start, 654
  interval timers, 639
  MAC address failover, 639
  master election and failover, 635
  o
  within port-based VLANs, 772
  ip-proto, 785
  ip-subnet, 785
  IPv6 protocol configuration, 776
  ipv6-proto, 776
  ipx-network ethernet_snap, 787
  ipx-proto, 785
  Layer 2 port-based, 739
  Layer 3 protocol-based, 751
  loop-detection, 66
  mac-vlan-permit, 914
  mld-snooping active | passive, 1619, 1639
  mld-snooping disable-mld-snoop, 1620, 1639
  mld-snooping fast-convergence, 1623, 1642
  mld-snooping fast-leave-v1, 1622, 1641
  mld-snooping port-version 1 | 2, 1640
  mld-snooping port-version 1 | 2 ethernet, 1620
  mld-snooping pro
  648
  changing the dead interval setting, 648
  changing the default track priority setting, 649
  changing the hello interval setting, 647
  changing the hold-down interval setting, 649
  configuring a VRID IP address, 646
  dead-interval, 648
  disabling or re-enabling backup pre-emption setting, 650
  enable | disable, 643
  hello-interval, 648, 1675
  hold-down-interval, 649
  include-port-ethernet, 646
  initial-ttl, 648
  ip vrrp vrid, 1700
  ip-address, 646
  non-preempt-mode, 650, 1678
  owner, 1674, 1677, 1700
  owner priority | tr
  1895
  auth-mode username-password auth-methods radius, 1895
  auth-mode username-password local-user-database, 1896
  block duration, 1904
  block mac, 1904
  block mac duration, 1904
  cycle time, 1903
  dns-filter, 1905
  enable, 1891
  host-max-num, 1905
  port-down-auth-mac-cleanup, 1905
  reauth-time, 1903
  secure-login, 1901
  trust-port ethernet, 1902
  webauth-redirect-address, 1906
  webpage custom-text bottom, 1915
  webpage custom-text login-button, 1915
  webpage custom-text title, 1913
  webpage custom-text top, 1914
  webpage lo