Brocade TurboIron 24X Configuration Guide

53-1003053-01
30 September 2013
Brocade TurboIron 24X Series
Configuration Guide
Supporting FastIron Software Release 08.0.01
ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 Tel: 1-408-333-8000 Fax: 1-408-333-8101 E-mail: info@brocade.com
European Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour B - 4ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 5640 Fax: +41 22 799 5641 E-mail: emea-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems China HK, Ltd. No. 1 Guanghua Road Chao Yang District Units 2718 and 2818 Beijing 100020, China Tel: +8610 6588 8888 Fax: +8610 6588 9999 E-mail: china-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Citic Plaza No. 233 Tian He Road North Unit 1308 – 13th Floor Guangzhou, China Tel: +8620 3891 2000 Fax: +8620 3891 2111 E-mail: china-info@brocade.com
Document History
Title: Brocade TurboIron 24X Series Configuration Guide
Publication number: 53-1003053-01
Summary of changes: Release 08.0.00 has been updated for Release 08.0.01
Date: September 2013
Contents
About This Document
Introduction
Device nomenclature
What’s new in this document
Document conventions
Text formatting
Notes, cautions, and danger notices
Notice to the reader
Related publications
Getting technical help or reporting errors
Document feedback
Chapter 1 Feature Highlights
Introduction to features
Supported features
Supported management features
Supported security features
Supported system-level features
Supported Layer 2 features
Supported Layer 3 features on TurboIron X Series devices
Supported IPv6 management features
Unsupported features
Chapter 2 Getting Familiar with Management Applications
Using the management port
How the management port works
CLI Commands for use with the management port
Logging on through the CLI
On-line help
Command completion
Scroll control
Line editing commands
Using and port number with CLI commands
CLI nomenclature on TurboIron X Series devices
Searching and filtering output from CLI commands
Using special characters in regular expressions
Creating an alias for a CLI command
Logging on through Brocade Network Advisor
Chapter 3 Configuring Basic Software Features
Configuring basic system parameters
Entering system administration information
Configuring Simple Network Management Protocol (SNMP) parameters
Disabling Syslog messages and traps for CLI access
Configuring an interface as the source for all Telnet packets
Cancelling an outbound Telnet session
Specifying a Simple Network Time Protocol (NTPv4) server
Setting the system clock
Limiting broadcast, multicast, and unknown unicast traffic
Configuring basic port parameters
Assigning a port name
Modifying port speed and duplex mode
Auto speed detect
Modifying port duplex mode
Disabling or re-enabling a port
Disabling or re-enabling flow control
Auto-negotiation and advertisement of flow control
TurboIron X Series Configuring the Interpacket Gap (IPG)
Changing the Gbps fiber negotiation mode
Modifying port priority (QoS)
Configuring port flap dampening
Port loop detection
Chapter 4 Operations, Administration, and Maintenance
Overview
Determining the software versions installed and running on a device
Determining the flash image version running on the device
Determining the image versions installed in flash memory
Flash image verification
Image file types
Upgrading software
Upgrading the boot code
Upgrading the flash code
Boot code synchronization feature
Using SNMP to upgrade software
Changing the block size for TFTP file transfers
Rebooting
Displaying the boot preference
Loading and saving configuration files
Replacing the startup configuration with the running configuration
Replacing the running configuration with the startup configuration
Logging changes to the startup-config file
Copying a configuration file to or from a TFTP server
Dynamic configuration loading
Maximum file sizes for startup-config file and running-config
Scheduling a system reload
Reloading at a specific time
Reloading after a specific amount of time
Displaying the amount of time remaining before a scheduled reload
Canceling a scheduled reload
Diagnostic error codes and remedies for TFTP transfers
Chapter 5 Securing Access to Management Functions
Securing access methods
Restricting remote access to management functions
Using ACLs to restrict remote access
Defining the console idle time
Restricting remote access to the device to specific IP addresses
Restricting access to the device based on IP or MAC address
Specifying the maximum number of login attempts for Telnet access
Restricting remote access to the device to specific VLAN IDs
Designated VLAN for Telnet management sessions to a Layer 2 Switch
Device management security
Disabling specific access methods
Setting passwords
Setting a Telnet password
Setting passwords for management privilege levels
Recovering from a lost password
Displaying the SNMP community string
Specifying a minimum password length
Setting up local user accounts
Enhancements to username and password
Configuring a local user account
Create password option
Changing a local user password
Configuring TACACS/TACACS+ security
How TACACS+ differs from TACACS
TACACS/TACACS+ authentication, authorization, and accounting
TACACS authentication
TACACS/TACACS+ configuration considerations
Enabling TACACS
Identifying the TACACS/TACACS+ servers
Specifying different servers for individual AAA functions
Setting optional TACACS/TACACS+ parameters
Configuring authentication-method lists for TACACS/TACACS+
Configuring TACACS+ authorization
Configuring TACACS+ accounting
Configuring an interface as the source for all TACACS/TACACS+ packets
Displaying TACACS/TACACS+ statistics and configuration information
Configuring RADIUS security
RADIUS authentication, authorization, and accounting
RADIUS configuration considerations
RADIUS configuration procedure
Configuring Brocade-specific attributes on the RADIUS server
Enabling SNMP to configure RADIUS
Identifying the RADIUS server to the device
Specifying different servers for individual AAA functions
Configuring a RADIUS server per port
Mapping a RADIUS server to individual ports
Setting RADIUS parameters
Configuring authentication-method lists for RADIUS
Configuring RADIUS authorization
Configuring RADIUS accounting
Configuring an interface as the source for all RADIUS packets
Displaying RADIUS configuration information
Configuring authentication-method lists
Configuration considerations for authentication-method lists
Examples of authentication-method lists
Chapter 6 Configuring SSH2 and SCP
SSH version 2 support
Tested SSH2 clients
Supported features
Unsupported features
AES encryption for SSH2
Configuring SSH2
Recreating SSH keys
Generating a host key pair
Configuring DSA challenge-response authentication
Setting optional parameters
Setting the number of SSH authentication retries
Deactivating user authentication
Enabling empty password logins
Setting the SSH port number
Setting the SSH login timeout value
Designating an interface as the source for all SSH packets (Layer 3 code only)
Configuring the maximum idle time for SSH sessions
Filtering SSH access using ACLs
Terminating an active SSH connection
Displaying SSH connection information
Using Secure copy with SSH2
Enabling and disabling SCP
Example file transfers using SCP
Chapter 7 Configuring IPv6 Connectivity
IPv6 addressing overview
IPv6 address types
IPv6 stateless autoconfiguration
IPv6 CLI command support
Configuring an IPv6 host address on a Layer 2 switch
Enabling IPv6
Configuring a global or site-local IPv6 address with a manually configured interface ID
Configuring the management port for an IPv6 automatic address configuration
Configuring basic IPv6 connectivity on a Layer 3 switch
Configuring IPv6 on each router interface
IPv6 management (IPv6 host support)
Restricting SNMP access to an IPv6 node
Specifying an IPv6 SNMP trap receiver
SNMP V3 over IPv6
SNTP over IPv6
Secure Shell, SCP, and IPv6
IPv6 Telnet
Configuring name-to-IPv6 address resolution using IPv6 DNS resolver
Defining an IPv6 DNS entry
Using the IPv6 copy command
Using the IPv6 ncopy command
IPv6 ping
Configuring an IPv6 Syslog server
Viewing IPv6 SNMP server addresses
Disabling IPv6 on a Layer 2 switch
Clearing global IPv6 information
Clearing the IPv6 cache
Clearing IPv6 neighbor information
Clearing IPv6 traffic statistics
Displaying global IPv6 information
Displaying IPv6 cache information
Displaying IPv6 interface information
Displaying IPv6 neighbor information
Displaying IPv6 TCP information
Displaying IPv6 traffic statistics
Chapter 8 Securing SNMP Access
SNMP overview
Establishing SNMP community strings
Encryption of SNMP community strings
Adding an SNMP community string
Displaying the SNMP community strings
Configuring your NMS
Configuring SNMP version 3
Defining the engine id
Defining an SNMP group
Defining an SNMP user account
Defining SNMP views
SNMP version 3 traps
Defining an SNMP group and specifying which view is notified of traps
Defining the UDP port for SNMP v3 traps
Trap MIB changes
Specifying an IPv6 host as an SNMP trap receiver
Displaying SNMP Information
Displaying the Engine ID
Displaying SNMP groups
Displaying user information
Interpreting varbinds in report packets
SNMP v3 Configuration examples
Simple SNMP v3 configuration
More detailed SNMP v3 configuration
Chapter 9 Enabling the Foundry Discovery Protocol and Reading Cisco Discovery Protocol Packets
Using FDP
Configuring FDP
Displaying FDP information
Clearing FDP and CDP information
Reading CDP packets
Enabling interception of CDP packets globally
Enabling interception of CDP packets on an interface
Displaying CDP information
Clearing CDP information
Chapter 10 Configuring LLDP
Terms used in this chapter
LLDP overview
Benefits of LLDP
General operating principles
Operating modes
LLDP packets
TLV support
MIB support
Syslog messages
Configuring LLDP
Configuration notes and considerations
Enabling and disabling LLDP
Changing a port LLDP operating mode
Specifying the maximum number of LLDP neighbors
Enabling LLDP SNMP notifications and syslog messages
Changing the minimum time between LLDP transmissions
Changing the interval between regular LLDP transmissions
Changing the holdtime multiplier for transmit TTL
Changing the minimum time between port reinitializations
LLDP TLVs advertised by the device
Displaying LLDP statistics and configuration settings
LLDP configuration summary
LLDP statistics
LLDP neighbors
LLDP neighbors detail
LLDP configuration details
Resetting LLDP statistics
Clearing cached LLDP neighbor information
Chapter 11 Monitoring Hardware Components
Hardware support
Digital optical monitoring
Supported media
Media not supported
Supported media
Media not supported
Configuration limitations
Enabling digital optical monitoring
Setting the alarm interval
Displaying information about installed media
Viewing optical monitoring information
Syslog messages
Chapter 12 Using Syslog
Overview
Displaying Syslog messages
Enabling real-time display of Syslog messages
Enabling real-time display for a Telnet or SSH session
Show log on all terminals
Configuring the Syslog service
Displaying the Syslog configuration
Disabling or re-enabling Syslog
Specifying a Syslog server
Specifying an additional Syslog server
Disabling logging of a message level
Changing the number of entries the local buffer can hold
Changing the log facility
Displaying Interface names in Syslog messages
Displaying TCP or UDP port numbers in Syslog messages
Clearing the Syslog messages from the local buffer
Appendix 13 Network Monitoring
Basic management
Viewing system information
Viewing configuration information
Viewing port statistics
Viewing STP statistics
Clearing statistics
Traffic counters for outbound traffic
RMON support
Maximum number of entries allowed in the RMON control table
Statistics (RMON group 1)
History (RMON group 2)
Alarm (RMON group 3)
Event (RMON group 9)
sFlow
sFlow support for IPv6 packets
Configuration considerations
Configuring and enabling sFlow
Displaying sFlow information
Configuring a utilization list for an uplink port
Command syntax
Displaying utilization percentages for an uplink
Chapter 14 Configuring Basic Layer 2 Features
Enabling or disabling the Spanning Tree Protocol (STP)
Modifying STP bridge and port parameters
Changing the MAC age time and disabling MAC address learning
Disabling the automatic learning of MAC addresses
Displaying the MAC address table
Configuring static MAC entries
Multi-port static MAC address
Configuring VLAN-based static MAC entries
Enabling port-based VLANs
Assigning IEEE 802.1Q tagging to a port
Defining MAC address filters
Configuration notes and limitations
Command syntax
Enabling logging of management traffic permitted by MAC filters
MAC address filter override for 802.1X-enabled ports
MAC address filter override configuration notes
MAC address filter override configuration syntax
Displaying and modifying system parameter default settings
Configuration considerations
Displaying system parameter default values
Modifying system parameter default values
Egress buffer thresholds for QoS priorities
Cut-Through Switching Support
Default settings for egress buffer thresholds
Disabling and re-enabling the default settings for egress buffer thresholds
Setting the egress buffer threshold for all QoS priorities on a port or group of ports
Setting the egress buffer threshold for a specific QoS priority on a port or group of ports
Link Fault Signaling (LFS) for 10G
Jumbo frame support
Chapter 15 Configuring Metro Features
Topology groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Master VLAN and member VLANs . . . . . . . . . . . . . . . . . . . . . .273
Control ports and free ports . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Configuring a topology group . . . . . . . . . . . . . . . . . . . . . . . . . .275
Displaying topology group information . . . . . . . . . . . . . . . . . . . 276
Metro Ring Protocol (MRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
MRP rings without shared interfaces (MRP Phase 1) . . . . . . .279
MRP rings with shared interfaces (MRP Phase 2). . . . . . . . . .280
Ring initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
How ring breaks are detected and healed . . . . . . . . . . . . . . . .285
Alarm RHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Master VLANs and customer VLANs. . . . . . . . . . . . . . . . . . . . .289
Configuring MRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Using MRP diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Displaying MRP information . . . . . . . . . . . . . . . . . . . . . . . . . . .294
MRP CLI example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Virtual Switch Redundancy Protocol (VSRP) . . . . . . . . . . . . . . . . . .298
Configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Layer 2 and Layer 3 redundancy . . . . . . . . . . . . . . . . . . . . . . .300
Master election and failover . . . . . . . . . . . . . . . . . . . . . . . . . . .300
VSRP-Aware security features. . . . . . . . . . . . . . . . . . . . . . . . . .305
VSRP parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Configuring basic VSRP parameters. . . . . . . . . . . . . . . . . . . . .308
Configuring optional VSRP parameters . . . . . . . . . . . . . . . . . .309
Displaying VSRP information. . . . . . . . . . . . . . . . . . . . . . . . . . .318
VSRP fast start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
VSRP and MRP signaling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Chapter 16 Configuring Uni-Directional Link Detection (UDLD)
UDLD overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . .325
Enabling UDLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Changing the Keepalive interval . . . . . . . . . . . . . . . . . . . . . . . .326
Changing the Keepalive retries . . . . . . . . . . . . . . . . . . . . . . . . .326
UDLD for tagged ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Displaying UDLD information . . . . . . . . . . . . . . . . . . . . . . . . . .327
Clearing UDLD statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Chapter 17 Configuring Trunk Groups and Dynamic Link Aggregation
Trunk group overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Trunk group connectivity to a server. . . . . . . . . . . . . . . . . . . . .332
Trunk group rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Trunk group configuration examples . . . . . . . . . . . . . . . . . . . .334
Flexible trunk group membership. . . . . . . . . . . . . . . . . . . . . . .334
Trunk group load sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Configuring a trunk group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
CLI syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Example 1: Configuring the trunk groups shown in Figure 75 . . . .337
Example 2: Configuring a trunk group that spans
two Gbps Ethernet modules in a chassis device. . . . . . . . . . .338
Example 3: Configuring a multi-slot trunk group
with one port per module . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Example 4: Configuring a trunk group of 10 Gbps
Ethernet ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Additional trunking options . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Displaying trunk group configuration information . . . . . . . . . . . . .343
Dynamic link aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344
Examples of valid LACP trunk groups . . . . . . . . . . . . . . . . . . . .345
Configuration notes and limitations . . . . . . . . . . . . . . . . . . . . .345
Adaptation to trunk disappearance . . . . . . . . . . . . . . . . . . . . .347
Flexible trunk eligibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Enabling dynamic link aggregation. . . . . . . . . . . . . . . . . . . . . .348
How changing the VLAN membership of a port affects
trunk groups and dynamic keys . . . . . . . . . . . . . . . . . . . . . . . .350
Link aggregation parameters . . . . . . . . . . . . . . . . . . . . . . . . . .350
Displaying and determining the status of aggregate links . . . . . . .355
Events that affect the status of ports in an aggregate link. . .355
Displaying link aggregation and port status information . . . .356
Displaying LACP status information . . . . . . . . . . . . . . . . . . . . .358
Clearing the negotiated aggregate links table . . . . . . . . . . . . . . . .358
Configuring single link LACP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
CLI syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Chapter 18 Configuring Virtual LANs (VLANs)
VLAN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Types of VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Default VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
802.1Q tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367
Spanning Tree Protocol (STP) . . . . . . . . . . . . . . . . . . . . . . . . . .369
Virtual routing interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
VLAN and virtual routing interface groups . . . . . . . . . . . . . . . .371
Dynamic, static, and excluded port membership . . . . . . . . . .372
Super aggregated VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Trunk group ports and VLAN membership . . . . . . . . . . . . . . . . 374
Routing between VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Virtual routing interfaces (Layer 3 Switches only) . . . . . . . . . . 374
Routing between VLANs using virtual routing
interfaces (Layer 3 Switches only) . . . . . . . . . . . . . . . . . . . . . .375
Dynamic port assignment (Layer 2 Switches
and Layer 3 Switches) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Assigning a different VLAN ID to the default VLAN . . . . . . . . . 376
Assigning different VLAN IDs to reserved VLANs 4091 and 4092 . . .376
Assigning trunk group ports . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Configuring port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . .378
Modifying a port-based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . .381
Enable spanning tree on a VLAN . . . . . . . . . . . . . . . . . . . . . . .382
Configuring IP subnet, IPX network and protocol-based VLANs . . .383
Configuration example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
Routing between VLANs using virtual routing
interfaces (Layer 3 Switches only) . . . . . . . . . . . . . . . . . . . . . . . . . .385
Configuring uplink ports within a port-based VLAN . . . . . . . . . . . .391
Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . .391
Configuration syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Configuring the same IP subnet address on multiple
port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Configuring VLAN groups and virtual routing interface groups . . .395
Configuring a VLAN group . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Configuring a virtual routing interface group . . . . . . . . . . . . . .397
Displaying the VLAN group and virtual routing
interface group information . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Allocating memory for more VLANs or virtual routing interfaces . . .398
Configuring super aggregated VLANs . . . . . . . . . . . . . . . . . . . . . . .399
Configuration note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
Configuring aggregated VLANs . . . . . . . . . . . . . . . . . . . . . . . . .403
Verifying the configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Complete CLI examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Configuring 802.1Q-in-Q tagging . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Configuration rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Enabling 802.1Q-in-Q tagging. . . . . . . . . . . . . . . . . . . . . . . . . .408
Example configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Configuring private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411
Configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Configuration notes and limitations . . . . . . . . . . . . . . . . . . . . .413
Command syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
CLI example for Figure 52 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Dual-mode VLAN ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Displaying VLAN information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418
Displaying VLANs in alphanumeric order . . . . . . . . . . . . . . . . .418
Displaying system-wide VLAN information . . . . . . . . . . . . . . . .419
Displaying VLAN information for specific ports . . . . . . . . . . . .420
Chapter 19 Configuring Port Mirroring and Monitoring
Mirroring support by platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Configuring port mirroring and monitoring . . . . . . . . . . . . . . . . . . .423
Configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424
Monitoring a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
Monitoring an individual trunk port . . . . . . . . . . . . . . . . . . . . .425
ACL-based inbound mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .426
Creating an ACL-based inbound mirror clause . . . . . . . . . . . . .426
MAC filter-based mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .430
Configuring MAC filter-based mirroring. . . . . . . . . . . . . . . . . . .430
Chapter 20 Configuring IP
Basic configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
IP packet flow through a Layer 3 Switch. . . . . . . . . . . . . . . . . .435
IP route exchange protocols . . . . . . . . . . . . . . . . . . . . . . . . . . .439
IP multicast protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .440
IP interface redundancy protocols . . . . . . . . . . . . . . . . . . . . . .440
Access Control Lists and IP access policies. . . . . . . . . . . . . . .440
Basic IP parameters and defaults – Layer 3 Switches. . . . . . . . . .441
When parameter changes take effect . . . . . . . . . . . . . . . . . . .441
IP global parameters – Layer 3 Switches . . . . . . . . . . . . . . . . .442
IP interface parameters – Layer 3 Switches . . . . . . . . . . . . . .445
Basic IP parameters and defaults – Layer 2 Switches. . . . . . . . . .446
IP global parameters – Layer 2 Switches . . . . . . . . . . . . . . . . .446
Interface IP parameters – Layer 2 Switches . . . . . . . . . . . . . .447
Configuring IP parameters – Layer 3 Switches . . . . . . . . . . . . . . . . 447
Configuring IP addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
Configuring 31-bit subnet masks on point-to-point networks . . .450
Configuring packet parameters . . . . . . . . . . . . . . . . . . . . . . . .452
Changing the router ID. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455
Specifying a single source interface for Telnet,
TACACS/TACACS+, or RADIUS Packets . . . . . . . . . . . . . . . . . . .456
Configuring ARP parameters. . . . . . . . . . . . . . . . . . . . . . . . . . .458
Configuring forwarding parameters . . . . . . . . . . . . . . . . . . . . .462
Disabling ICMP messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
Configuring static routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
Configuring a default network route . . . . . . . . . . . . . . . . . . . . . 473
Configuring IP load sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Configuring IRDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477
Configuring RARP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
Configuring UDP broadcast and IP helper parameters . . . . . .481
Configuring BootP/DHCP relay parameters . . . . . . . . . . . . . . .483
Configuring IP parameters – Layer 2 Switches . . . . . . . . . . . . . . . .484
Configuring the management IP address and specifying
the default gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .485
Configuring Domain Name Server (DNS) resolver. . . . . . . . . .486
Changing the TTL threshold . . . . . . . . . . . . . . . . . . . . . . . . . . .487
Configuring DHCP Assist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488
Displaying IP configuration information and statistics . . . . . . . . . .492
Changing the network mask display to prefix format . . . . . . .492
Displaying IP information – Layer 3 Switches . . . . . . . . . . . . .492
Displaying IP information – Layer 2 Switches . . . . . . . . . . . . .506
Chapter 21 Configuring Spanning Tree Protocol (STP) Related Features
STP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Configuring standard STP parameters. . . . . . . . . . . . . . . . . . . . . . .511
STP parameters and defaults . . . . . . . . . . . . . . . . . . . . . . . . . .512
Enabling or disabling the Spanning Tree Protocol (STP) . . . . .513
Changing STP bridge and port parameters . . . . . . . . . . . . . . .514
STP protection enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Displaying STP information . . . . . . . . . . . . . . . . . . . . . . . . . . . .517
Configuring STP related features . . . . . . . . . . . . . . . . . . . . . . . . . . .524
802.1W Rapid Spanning Tree (RSTP). . . . . . . . . . . . . . . . . . . .525
802.1W Draft 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .562
Single Spanning Tree (SSTP) . . . . . . . . . . . . . . . . . . . . . . . . . . .566
PVST/PVST+ compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Overview of PVST and PVST+ . . . . . . . . . . . . . . . . . . . . . . . . . .569
VLAN tags and dual mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . .570
Configuring PVST+ support . . . . . . . . . . . . . . . . . . . . . . . . . . . .571
Displaying PVST+ support information. . . . . . . . . . . . . . . . . . .571
Configuration examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .572
PVRST compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .575
BPDU guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .575
Enabling BPDU protection by port. . . . . . . . . . . . . . . . . . . . . . .575
Re-enabling ports disabled by BPDU guard . . . . . . . . . . . . . . .576
Displaying the BPDU guard status . . . . . . . . . . . . . . . . . . . . . . 576
Example console messages . . . . . . . . . . . . . . . . . . . . . . . . . . .577
Root guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .577
Enabling STP root guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .578
Displaying the STP root guard . . . . . . . . . . . . . . . . . . . . . . . . . .578
802.1s Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . .578
Multiple spanning-tree regions . . . . . . . . . . . . . . . . . . . . . . . . .578
Configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .580
Configuring MSTP mode and scope . . . . . . . . . . . . . . . . . . . . .580
Configuring additional MSTP parameters . . . . . . . . . . . . . . . .581
Chapter 22 Configuring RIP
RIP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .591
ICMP host unreachable message for undeliverable ARPs . . .591
RIP parameters and defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .592
RIP global parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .592
RIP interface parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593
Configuring RIP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593
Enabling RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593
Configuring metric parameters . . . . . . . . . . . . . . . . . . . . . . . . .594
Changing the administrative distance. . . . . . . . . . . . . . . . . . .595
Configuring redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . .595
Configuring route learning and advertising parameters . . . . .598
Changing the route loop prevention method . . . . . . . . . . . . . .599
Suppressing RIP route advertisement on a VRRP
or VRRPE backup interface . . . . . . . . . . . . . . . . . . . . . . . . . . . .600
Configuring RIP route filters . . . . . . . . . . . . . . . . . . . . . . . . . . .600
Displaying RIP filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .601
Displaying CPU utilization statistics . . . . . . . . . . . . . . . . . . . . . . . . .602
Chapter 23 Configuring OSPF Version 2 (IPv4)
Overview of OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .605
OSPF point-to-point Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Designated routers in multi-access networks . . . . . . . . . . . . .608
Designated router election in multi-access networks . . . . . . .608
OSPF RFC 1583 and 2178 compliance . . . . . . . . . . . . . . . . . .609
Reduction of equivalent AS External LSAs . . . . . . . . . . . . . . . .610
Support for OSPF RFC 2328 Appendix E . . . . . . . . . . . . . . . . .612
Dynamic OSPF activation and configuration . . . . . . . . . . . . . .613
Configuring OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .613
Configuration rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .614
OSPF parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .614
Enable OSPF on the router . . . . . . . . . . . . . . . . . . . . . . . . . . . .615
Assign OSPF areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
Assigning an area range (optional). . . . . . . . . . . . . . . . . . . . . .620
Assigning interfaces to an area . . . . . . . . . . . . . . . . . . . . . . . .620
Modify interface defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . .620
Change the timer for OSPF authentication changes. . . . . . . .623
Block flooding of outbound LSAs on specific OSPF interfaces . . .624
Assign virtual links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .624
Modify virtual link parameters . . . . . . . . . . . . . . . . . . . . . . . . .626
Changing the reference bandwidth for the cost on
OSPF interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .627
Define redistribution filters . . . . . . . . . . . . . . . . . . . . . . . . . . . .629
Prevent specific OSPF routes from being installed in the
IP route table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .631
Modify default metric for redistribution . . . . . . . . . . . . . . . . . .634
Enable route redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . .635
Disable or re-enable load sharing. . . . . . . . . . . . . . . . . . . . . . .636
Configure external route summarization . . . . . . . . . . . . . . . . .637
Configure default route origination. . . . . . . . . . . . . . . . . . . . . .639
Modify SPF timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .640
Modify redistribution metric type . . . . . . . . . . . . . . . . . . . . . . .640
Modify administrative distance. . . . . . . . . . . . . . . . . . . . . . . . .641
Configure OSPF group Link State Advertisement
(LSA) pacing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .642
Modify OSPF traps generated . . . . . . . . . . . . . . . . . . . . . . . . . .642
Modify OSPF standard compliance setting . . . . . . . . . . . . . . .643
Modify exit overflow interval . . . . . . . . . . . . . . . . . . . . . . . . . . .643
Specifying the types of OSPF Syslog messages to log . . . . . .644
Clearing OSPF information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .644
Clearing OSPF neighbor information . . . . . . . . . . . . . . . . . . . .644
Clearing OSPF topology information . . . . . . . . . . . . . . . . . . . . .645
Clearing redistributed routes from the OSPF routing table . . .645
Clearing information for OSPF areas . . . . . . . . . . . . . . . . . . . .645
Displaying OSPF information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .646
Displaying general OSPF configuration information . . . . . . . .646
Displaying CPU utilization statistics . . . . . . . . . . . . . . . . . . . . . 647
Displaying OSPF area information . . . . . . . . . . . . . . . . . . . . . .649
Displaying OSPF neighbor information. . . . . . . . . . . . . . . . . . .649
Displaying OSPF interface information. . . . . . . . . . . . . . . . . . .651
Displaying OSPF route information . . . . . . . . . . . . . . . . . . . . . .653
Displaying OSPF external link state information . . . . . . . . . . .655
Displaying OSPF link state information . . . . . . . . . . . . . . . . . .656
Displaying the data in an LSA . . . . . . . . . . . . . . . . . . . . . . . . . .656
Displaying OSPF virtual neighbor information . . . . . . . . . . . . .657
Displaying OSPF virtual link information . . . . . . . . . . . . . . . . .657
Displaying OSPF ABR and ASBR information. . . . . . . . . . . . . .657
Displaying OSPF trap status . . . . . . . . . . . . . . . . . . . . . . . . . . .658
Chapter 24 Configuring BGP4
Overview of BGP4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .660
Relationship between the BGP4 route table and the IP route table . . .660
How BGP4 selects a path for a route . . . . . . . . . . . . . . . . . . . .661
BGP4 message types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663
Basic configuration and activation for BGP4 . . . . . . . . . . . . . . . . .665
Note regarding disabling BGP4. . . . . . . . . . . . . . . . . . . . . . . . .665
BGP4 parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .666
When parameter changes take effect . . . . . . . . . . . . . . . . . . .667
Memory considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .668
Memory configuration options obsoleted by dynamic memory . . .669
Basic configuration tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .669
Enabling BGP4 on the router . . . . . . . . . . . . . . . . . . . . . . . . . .669
Changing the router ID. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .669
Setting the local AS number . . . . . . . . . . . . . . . . . . . . . . . . . . .670
Adding a loopback interface . . . . . . . . . . . . . . . . . . . . . . . . . . .670
Adding BGP4 neighbors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .671
Adding a BGP4 peer group . . . . . . . . . . . . . . . . . . . . . . . . . . . .677
Optional configuration tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .681
Changing the Keep Alive Time and Hold Time . . . . . . . . . . . . .681
Changing the BGP4 next-hop update timer . . . . . . . . . . . . . . .682
Enabling fast external fallover. . . . . . . . . . . . . . . . . . . . . . . . . .682
Changing the maximum number of paths for
BGP4 load sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .683
Customizing BGP4 load sharing . . . . . . . . . . . . . . . . . . . . . . . .684
Specifying a list of networks to advertise. . . . . . . . . . . . . . . . .685
Changing the default local preference . . . . . . . . . . . . . . . . . . .686
Using the IP default route as a valid next hop for
a BGP4 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .687
Advertising the default route. . . . . . . . . . . . . . . . . . . . . . . . . . .687
Changing the default MED (Metric) used for
route redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .687
Enabling next-hop recursion . . . . . . . . . . . . . . . . . . . . . . . . . . .688
Changing administrative distances . . . . . . . . . . . . . . . . . . . . .691
Requiring the first AS to be the neighbor AS . . . . . . . . . . . . . .692
Disabling or re-enabling comparison of the AS-Path length . .692
Enabling or disabling comparison of the router IDs . . . . . . . .693
Configuring the Layer 3 Switch to always compare
Multi-Exit Discriminators (MEDs) . . . . . . . . . . . . . . . . . . . . . . .693
Treating missing MEDs as the worst MEDs . . . . . . . . . . . . . . .694
Configuring route reflection parameters . . . . . . . . . . . . . . . . .694
Aggregating routes advertised to BGP4 neighbors . . . . . . . . .698
Modifying redistribution parameters . . . . . . . . . . . . . . . . . . . . . . . .699
Redistributing connected routes. . . . . . . . . . . . . . . . . . . . . . . .699
Redistributing RIP routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .700
Redistributing OSPF external routes. . . . . . . . . . . . . . . . . . . . .700
Redistributing static routes. . . . . . . . . . . . . . . . . . . . . . . . . . . .701
Disabling or re-enabling re-advertisement of all learned
BGP4 routes to all BGP4 neighbors . . . . . . . . . . . . . . . . . . . . .701
Redistributing IBGP routes into RIP and OSPF. . . . . . . . . . . . .701
Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .702
Filtering specific IP addresses . . . . . . . . . . . . . . . . . . . . . . . . .702
Filtering AS-paths. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .703
Filtering communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .707
Defining IP prefix lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .709
Defining neighbor distribute lists . . . . . . . . . . . . . . . . . . . . . . .710
Defining route maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .711
Using a table map to set the tag value. . . . . . . . . . . . . . . . . . . 719
Configuring cooperative BGP4 route filtering. . . . . . . . . . . . . .719
Configuring route flap dampening . . . . . . . . . . . . . . . . . . . . . . . . . .722
Globally configuring route flap dampening . . . . . . . . . . . . . . .723
Using a route map to configure route flap dampening
for specific routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .724
Using a route map to configure route flap dampening for
a specific neighbor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .725
Removing route dampening from a route. . . . . . . . . . . . . . . . .726
Removing route dampening from a neighbor's routes
suppressed due to aggregation . . . . . . . . . . . . . . . . . . . . . . . .726
Displaying and clearing route flap dampening statistics . . . .727
Generating traps for BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .729
Displaying BGP4 information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .729
Displaying summary BGP4 information . . . . . . . . . . . . . . . . . .729
Displaying the active BGP4 configuration . . . . . . . . . . . . . . . .731
Displaying CPU utilization statistics . . . . . . . . . . . . . . . . . . . . .732
Displaying summary neighbor information . . . . . . . . . . . . . . .733
Displaying BGP4 neighbor information. . . . . . . . . . . . . . . . . . .735
Displaying peer group information . . . . . . . . . . . . . . . . . . . . . .746
Displaying summary route information . . . . . . . . . . . . . . . . . . 747
Displaying the BGP4 route table. . . . . . . . . . . . . . . . . . . . . . . .748
Displaying BGP4 route-attribute entries . . . . . . . . . . . . . . . . . .754
Displaying the routes BGP4 has placed in the
IP route table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .755
Displaying route flap dampening statistics . . . . . . . . . . . . . . .756
Displaying the active route map configuration . . . . . . . . . . . .757
Updating route information and resetting a neighbor session . . .758
Using soft reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .758
Dynamically requesting a route refresh from
a BGP4 neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .761
Closing or resetting a neighbor session . . . . . . . . . . . . . . . . . . 764
Clearing and resetting BGP4 routes in the IP route table . . . .764
Clearing traffic counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .765
Clearing route flap dampening statistics. . . . . . . . . . . . . . . . . . . . .765
Removing route flap dampening . . . . . . . . . . . . . . . . . . . . . . . . . . .765
Clearing diagnostic buffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .766
Chapter 25 Configuring IP Multicast Traffic Reduction
IGMP snooping overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .767
IGMP V1, V2, and V3 snooping support . . . . . . . . . . . . . . . . . .768
Queriers and non-queriers . . . . . . . . . . . . . . . . . . . . . . . . . . . .768
IGMP snooping enhancements. . . . . . . . . . . . . . . . . . . . . . . . .769
Configuration notes and feature limitations . . . . . . . . . . . . . .769
PIM SM traffic snooping overview . . . . . . . . . . . . . . . . . . . . . . . . . . 771
PIM SM snooping support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Application examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Configuration notes and limitations . . . . . . . . . . . . . . . . . . . . .773
Configuring IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .773
Enabling IGMP snooping globally on the device . . . . . . . . . . .775
Configuring the IGMP mode . . . . . . . . . . . . . . . . . . . . . . . . . . .775
Configuring the IGMP version . . . . . . . . . . . . . . . . . . . . . . . . . .776
Disabling IGMP snooping on a VLAN . . . . . . . . . . . . . . . . . . . . 776
Disabling transmission and receipt of IGMP packets
on a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
Modifying the age interval for group membership entries . . .777
Modifying the query interval (active IGMP snooping
mode only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
Modifying the maximum response time. . . . . . . . . . . . . . . . . .778
Configuring report control . . . . . . . . . . . . . . . . . . . . . . . . . . . . .778
Modifying the wait time before stopping traffic when receiving a
leave message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .778
Modifying the multicast cache age time . . . . . . . . . . . . . . . . .779
Enabling or disabling error and warning messages . . . . . . . .779
Configuring static router ports . . . . . . . . . . . . . . . . . . . . . . . . .779
Turning off static group proxy . . . . . . . . . . . . . . . . . . . . . . . . . .779
IGMP V3 membership tracking and fast leave . . . . . . . . . . . .780
Fast leave for IGMP V2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .780
Fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .781
Configuring PIM SM snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . .781
Enabling or disabling PIM SM snooping. . . . . . . . . . . . . . . . . .781
Enabling PIM SM snooping on a VLAN . . . . . . . . . . . . . . . . . . .782
Disabling PIM SM snooping on a VLAN . . . . . . . . . . . . . . . . . .782
IGMP snooping show commands. . . . . . . . . . . . . . . . . . . . . . . . . . .782
Displaying the IGMP snooping configuration . . . . . . . . . . . . . .782
Displaying IGMP snooping errors . . . . . . . . . . . . . . . . . . . . . . .783
Displaying IGMP group information . . . . . . . . . . . . . . . . . . . . .784
Displaying IGMP snooping mcache information . . . . . . . . . . .785
Displaying software resource usage for VLANs . . . . . . . . . . . .786
Displaying the status of IGMP snooping traffic . . . . . . . . . . . .787
PIM SM snooping show commands. . . . . . . . . . . . . . . . . . . . . . . . .788
Displaying PIM SM snooping information. . . . . . . . . . . . . . . . .788
Displaying PIM SM snooping information on a Layer 2 switch . . .788
Displaying PIM SM snooping information for a specific
group or source group pair . . . . . . . . . . . . . . . . . . . . . . . . . . . .789
Clear commands for IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . .790
Clearing the IGMP mcache . . . . . . . . . . . . . . . . . . . . . . . . . . . .790
Clearing the mcache on a specific VLAN . . . . . . . . . . . . . . . . .790
Clearing traffic on a specific VLAN . . . . . . . . . . . . . . . . . . . . . .791
Clearing IGMP counters on VLANs . . . . . . . . . . . . . . . . . . . . . .791
Chapter 26 Configuring IP Multicast Protocols
Overview of IP multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .793
IPv4 multicast group addresses . . . . . . . . . . . . . . . . . . . . . . . .794
Mapping of IPv4 Multicast group addresses to
Ethernet MAC addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .794
Supported Layer 3 multicast routing protocols . . . . . . . . . . . .794
Multicast terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .794
Changing global IP multicast parameters . . . . . . . . . . . . . . . . . . . .795
Changing dynamic memory allocation for IP multicast groups . . .795
Changing IGMP V1 and V2 parameters . . . . . . . . . . . . . . . . . .796
PIM Dense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .798
Initiating PIM multicasts on a network . . . . . . . . . . . . . . . . . . .798
Pruning a multicast tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .799
Grafts to a multicast Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . .801
PIM DM versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .802
Configuring PIM DM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .802
Failover time in a multi-path topology . . . . . . . . . . . . . . . . . . .806
Modifying the TTL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .806
PIM Sparse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .806
PIM Sparse switch types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .807
RP paths and SPT paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .808
Configuring PIM Sparse. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .808
Displaying PIM Sparse configuration information
and statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
Passive multicast route insertion. . . . . . . . . . . . . . . . . . . . . . . . . . .830
Multicast Source Discovery Protocol (MSDP) . . . . . . . . . . . . . . . . .830
Peer Reverse Path Forwarding (RPF) flooding . . . . . . . . . . . . .832
Source active caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .832
Configuring MSDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .833
Designating an interface IP address as
the RP IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .834
Filtering MSDP source-group pairs . . . . . . . . . . . . . . . . . . . . . .835
MSDP mesh groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .838
Displaying MSDP information . . . . . . . . . . . . . . . . . . . . . . . . . .844
Clearing MSDP information. . . . . . . . . . . . . . . . . . . . . . . . . . . .848
Using ACLs to control multicast features. . . . . . . . . . . . . . . . . . . . .849
Using ACLs to limit static RP groups. . . . . . . . . . . . . . . . . . . . .849
Using ACLs to limit PIM RP candidate advertisement . . . . . . .851
Tracing a multicast route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .852
Displaying the multicast configuration for another multicast router . . .853
IGMP V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .854
Default IGMP version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .855
Compatibility with IGMP V1 and V2 . . . . . . . . . . . . . . . . . . . . .855
Globally enabling the IGMP version . . . . . . . . . . . . . . . . . . . . .856
Enabling the IGMP version per interface setting. . . . . . . . . . .856
Enabling the IGMP version on a physical port within
a virtual routing interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . .856
Enabling membership tracking and fast leave . . . . . . . . . . . .857
Setting the query interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . .857
Setting the group membership time. . . . . . . . . . . . . . . . . . . . .858
Setting the maximum response time . . . . . . . . . . . . . . . . . . . .858
Displaying IGMP V3 information on Layer 3 Switches. . . . . . .858
Clearing IGMP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .862
Chapter 27 Configuring VRRP and VRRPE
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .863
Overview of VRRP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .864
Overview of VRRPE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .868
Configuration note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
Comparison of VRRP and VRRPE. . . . . . . . . . . . . . . . . . . . . . . . . . . 871
VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
VRRPE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .871
Architectural differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
VRRP and VRRPE parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . .872
Configuring basic VRRP parameters . . . . . . . . . . . . . . . . . . . . . . . .874
Configuring the Owner. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .875
Configuring a Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .875
Configuration rules for VRRP. . . . . . . . . . . . . . . . . . . . . . . . . . .875
Configuring basic VRRPE parameters . . . . . . . . . . . . . . . . . . . . . . .875
Configuration rules for VRRPE . . . . . . . . . . . . . . . . . . . . . . . . .876
Note regarding disabling VRRP or VRRPE . . . . . . . . . . . . . . . . . . . .876
Configuring additional VRRP and VRRPE parameters . . . . . . . . . . 876
Forcing a Master router to abdicate to a standby router . . . . . . . .883
Displaying VRRP and VRRPE information . . . . . . . . . . . . . . . . . . . .884
Displaying summary information . . . . . . . . . . . . . . . . . . . . . . .884
Displaying detailed information . . . . . . . . . . . . . . . . . . . . . . . .886
Displaying statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .891
Clearing VRRP or VRRPE statistics . . . . . . . . . . . . . . . . . . . . . .892
Displaying CPU utilization statistics . . . . . . . . . . . . . . . . . . . . .892
Configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .894
VRRP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .894
VRRPE example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .895
Chapter 28 Configuring Rule-Based IP Access Control Lists
ACL overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .897
Types of IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .898
ACL IDs and entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .898
Numbered and named ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . .899
Default ACL action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .899
How hardware-based ACLs work . . . . . . . . . . . . . . . . . . . . . . . . . . .899
How fragmented packets are processed . . . . . . . . . . . . . . . . .899
Hardware aging of Layer 4 CAM entries . . . . . . . . . . . . . . . . . .900
Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .900
Configuring standard numbered ACLs. . . . . . . . . . . . . . . . . . . . . . .901
Standard numbered ACL syntax . . . . . . . . . . . . . . . . . . . . . . . .901
Configuration example for standard numbered ACLs . . . . . . .902
Configuring standard named ACLs . . . . . . . . . . . . . . . . . . . . . . . . .903
Standard named ACL syntax. . . . . . . . . . . . . . . . . . . . . . . . . . .903
Configuration example for standard named ACLs . . . . . . . . . .904
Configuring extended numbered ACLs . . . . . . . . . . . . . . . . . . . . . .905
Extended numbered ACL syntax . . . . . . . . . . . . . . . . . . . . . . . .906
Configuration examples for extended numbered ACLs . . . . . .909
Configuring extended named ACLs . . . . . . . . . . . . . . . . . . . . . . . . .911
Extended named ACL syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Configuration example for extended named ACLs. . . . . . . . . .915
Preserving user input for ACL TCP/UDP port numbers. . . . . . . . . .915
Managing ACL comment text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .916
Adding a comment to an entry in a numbered ACL. . . . . . . . .916
Applying an ACL to a virtual interface in a protocol-
or subnet-based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
Enabling ACL logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
Enabling strict control of ACL filtering of fragmented packets. . . .919
Enabling ACL support for switched traffic in the router image . . .920
Enabling ACL filtering based on VLAN membership or VE port
membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .920
Applying an IPv4 ACL to specific VLAN members on
a port (Layer 2 devices only) . . . . . . . . . . . . . . . . . . . . . . . . . . .921
Applying an IPv4 ACL to a subset of ports on a virtual
interface (Layer 3 devices only) . . . . . . . . . . . . . . . . . . . . . . . .922
Filtering on IP precedence and ToS values . . . . . . . . . . . . . . . . . . .922
QoS options for IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .923
DSCP matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .924
ACL-based rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .925
Using ACLs to control multicast features. . . . . . . . . . . . . . . . . . . . .925
Enabling and viewing hardware usage statistics for an ACL . . . . .925
Displaying ACL information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .926
Troubleshooting ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .926
Chapter 29 Configuring Traffic Policies
About traffic policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .929
Configuration notes and feature limitations . . . . . . . . . . . . . . . . . .930
Maximum number of traffic policies supported on a device . . . . .931
Setting the maximum number of traffic policies supported
on a Layer 3 device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .931
ACL-based rate limiting using traffic policies. . . . . . . . . . . . . . . . . .931
Support for fixed rate limiting and adaptive rate limiting . . . .932
Configuring ACL-based fixed rate limiting. . . . . . . . . . . . . . . . .932
Configuring ACL-based adaptive rate limiting . . . . . . . . . . . . .933
Specifying the action to be taken for packets that are
over the limit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .935
ACL and rate limit counting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .936
Enabling ACL statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .937
Enabling ACL statistics with rate limiting traffic policies. . . . .938
Viewing ACL and rate limit counters . . . . . . . . . . . . . . . . . . . . .938
Clearing ACL and rate limit counters . . . . . . . . . . . . . . . . . . . .939
Viewing traffic policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .939
Chapter 30 Configuring 802.1X Port Security
IETF RFC support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .941
How 802.1X port security works . . . . . . . . . . . . . . . . . . . . . . . . . . .941
Device roles in an 802.1X configuration . . . . . . . . . . . . . . . . .941
Communication between the devices . . . . . . . . . . . . . . . . . . .942
Controlled and uncontrolled ports . . . . . . . . . . . . . . . . . . . . . .944
Message exchange during authentication. . . . . . . . . . . . . . . .945
Authenticating multiple hosts connected to the same port . .947
802.1X port security and sFlow . . . . . . . . . . . . . . . . . . . . . . . .950
Configuring 802.1X port security. . . . . . . . . . . . . . . . . . . . . . . . . . .950
Configuring an authentication method list for 802.1X . . . . . .950
Setting RADIUS parameters . . . . . . . . . . . . . . . . . . . . . . . . . . .951
Configuring dynamic VLAN assignment for 802.1X ports . . . .954
Dynamically applying IP ACLs and MAC filters to
802.1X ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .958
Enabling 802.1X port security. . . . . . . . . . . . . . . . . . . . . . . . . .961
Setting the port control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .962
Configuring periodic re-authentication . . . . . . . . . . . . . . . . . . .963
Re-authenticating a port manually . . . . . . . . . . . . . . . . . . . . . .963
Setting the quiet period. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .964
Specifying the wait interval and number of EAP-request/
identity frame retransmissions . . . . . . . . . . . . . . . . . . . . . . . . .964
Specifying the wait interval and number of EAP-request/
identity frame retransmissions from the RADIUS server . . . .965
Specifying a timeout for retransmission of messages to the
authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .966
Initializing 802.1X on a port . . . . . . . . . . . . . . . . . . . . . . . . . . .966
Allowing access to multiple hosts. . . . . . . . . . . . . . . . . . . . . . .966
Configuring VLAN access for non-EAP-capable clients . . . . . .968
Displaying 802.1X information. . . . . . . . . . . . . . . . . . . . . . . . . . . . .969
Displaying 802.1X configuration information . . . . . . . . . . . . .970
Displaying 802.1X statistics . . . . . . . . . . . . . . . . . . . . . . . . . . .972
Clearing 802.1X statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . .973
Displaying dynamically assigned VLAN information . . . . . . . .973
Displaying information about dynamically applied
MAC filters and IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
Displaying 802.1X multiple-host authentication
information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .975
Sample 802.1X configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . .979
Point-to-point configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
Hub configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .981
802.1X Authentication with dynamic VLAN assignment . . . . .983
Using multi-device port authentication and 802.1X security
on the same port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .984
Configuring Brocade-specific attributes on the RADIUS server . . .985
Example configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .986
Chapter 31 Using the MAC Port Security Feature
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .991
Local and global resources . . . . . . . . . . . . . . . . . . . . . . . . . . . .991
Configuration notes and feature limitations . . . . . . . . . . . . . .992
Configuring the MAC port security feature . . . . . . . . . . . . . . . . . . .992
Enabling the MAC port security feature . . . . . . . . . . . . . . . . . .992
Setting the maximum number of secure MAC addresses
for an interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .993
Setting the port security age timer . . . . . . . . . . . . . . . . . . . . . .993
Specifying secure MAC addresses . . . . . . . . . . . . . . . . . . . . . .993
Autosaving secure MAC addresses to the
startup-config file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .994
Specifying the action taken when a security
violation occurs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .995
Clearing port security statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . .996
Clearing restricted MAC addresses. . . . . . . . . . . . . . . . . . . . . .996
Clearing violation statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . .996
Displaying port security information . . . . . . . . . . . . . . . . . . . . . . . .996
Displaying port security settings . . . . . . . . . . . . . . . . . . . . . . . .997
Displaying the secure MAC addresses . . . . . . . . . . . . . . . . . . . 997
Displaying port security statistics . . . . . . . . . . . . . . . . . . . . . . .998
Displaying restricted MAC addresses on a port. . . . . . . . . . . .998
Chapter 32 Configuring Multi-Device Port Authentication
How multi-device port authentication works. . . . . . . . . . . . . . . . . .999
RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .999
Authentication-failure actions . . . . . . . . . . . . . . . . . . . . . . . . 1000
Supported RADIUS attributes . . . . . . . . . . . . . . . . . . . . . . . . 1000
Support for dynamic VLAN assignment . . . . . . . . . . . . . . . . .1001
Support for dynamic ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . .1001
Support for authenticating multiple MAC addresses
on an interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1001
Using multi-device port authentication and
802.1X security on the same port . . . . . . . . . . . . . . . . . . . . . . . . .1001
Configuring Brocade-specific attributes on the RADIUS server . . .1002
Configuring multi-device port authentication . . . . . . . . . . . . . . . 1003
Enabling multi-device port authentication . . . . . . . . . . . . . . 1003
Specifying the format of the MAC addresses sent
to the RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1004
Specifying the authentication-failure action . . . . . . . . . . . . 1004
Generating traps for multi-device port authentication . . . . 1005
Defining MAC address filters. . . . . . . . . . . . . . . . . . . . . . . . . 1005
Configuring dynamic VLAN assignment . . . . . . . . . . . . . . . . 1006
Dynamically applying IP ACLs to authenticated MAC
addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1008
Enabling denial of service attack protection . . . . . . . . . . . . .1010
Clearing authenticated MAC addresses. . . . . . . . . . . . . . . . .1011
Disabling aging for authenticated MAC addresses . . . . . . . .1011
Changing the hardware aging period for blocked
MAC addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1012
Specifying the aging time for blocked MAC addresses . . . . .1013
Specifying the RADIUS timeout action . . . . . . . . . . . . . . . . . .1013
Multi-device port authentication password override . . . . . . .1014
Limiting the number of authenticated MAC addresses. . . . .1015
Displaying multi-device port authentication information . . . . . . .1015
Displaying authenticated MAC address information . . . . . . .1015
Displaying multi-device port authentication configuration
information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016
Displaying multi-device port authentication information
for a specific MAC address or port . . . . . . . . . . . . . . . . . . . . .1016
Displaying the authenticated MAC addresses . . . . . . . . . . . .1017
Displaying the non-authenticated MAC addresses . . . . . . . .1017
Displaying multi-device port authentication
information for a port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1018
Displaying multi-device port authentication settings
and authenticated MAC addresses . . . . . . . . . . . . . . . . . . . .1018
Chapter 33 Protecting Against Denial of Service Attacks
Protecting against Smurf attacks. . . . . . . . . . . . . . . . . . . . . . . . . 1023
Avoiding being a victim in a Smurf attack . . . . . . . . . . . . . . .1024
Protection against ICMP attacks. . . . . . . . . . . . . . . . . . . . . . .1024
Protecting against TCP SYN attacks. . . . . . . . . . . . . . . . . . . . . . . 1025
Protection against TCP-SYN attacks . . . . . . . . . . . . . . . . . . . 1025
TCP security enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . 1026
Displaying statistics about packets dropped
because of DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1027
Displaying statistics about packets dropped due to
DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1028
Chapter 34 Configuring Rate Limiting and Rate Shaping
Rate limiting overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
Rate limiting in hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
How Fixed Rate Limiting works . . . . . . . . . . . . . . . . . . . . . . . 1030
Configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030
Configuring a port-based rate limiting policy . . . . . . . . . . . . .1031
Configuring an ACL-based rate limiting policy . . . . . . . . . . . .1031
Displaying the fixed rate limiting configuration . . . . . . . . . . .1031
Rate shaping overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
Configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
Configuring outbound rate shaping for a port . . . . . . . . . . . 1033
Configuring outbound rate shaping for a specific priority. . 1033
Configuring outbound rate shaping for a trunk port . . . . . . 1033
Displaying rate shaping configurations . . . . . . . . . . . . . . . . 1033
Chapter 35 Configuring Quality of Service
Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
Processing of classified traffic . . . . . . . . . . . . . . . . . . . . . . . 1035
QoS queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
Assigning QoS priorities to traffic . . . . . . . . . . . . . . . . . . . . . 1039
Buffer allocation/threshold for QoS queues . . . . . . . . . . . . .1041
Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1041
Configuring DSCP-based QoS. . . . . . . . . . . . . . . . . . . . . . . . . . . . .1041
Application notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1042
Using ACLs to honor DSCP-based QoS . . . . . . . . . . . . . . . . . 1042
Configuring the QoS mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . 1042
Default DSCP –> Internal forwarding priority mappings . . . 1042
Changing the DSCP –> internal forwarding priority mappings . . .1043
Changing the internal forwarding priority –> hardware
forwarding queue mappings . . . . . . . . . . . . . . . . . . . . . . . . . 1044
Scheduling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
QoS Queuing methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
Selecting the QoS queuing method . . . . . . . . . . . . . . . . . . . 1046
Configuring the QoS queues . . . . . . . . . . . . . . . . . . . . . . . . . 1046
Viewing QoS settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1049
Viewing DSCP-based QoS settings. . . . . . . . . . . . . . . . . . . . . . . . 1049
Appendix A Syslog messages
Appendix B Software Specifications
IEEE compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1075
RFC support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1075
Internet drafts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080
Appendix C NIAP-CCEVS Certification
NIAP-CCEVS certified TurboIron X Series equipment and
Ironware releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1081
Local user password changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082

About This Document

In this chapter
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Device nomenclature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
What’s new in this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Getting technical help or reporting errors . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv

Introduction

This guide describes the following product families from Brocade:
TurboIron X Series switch
This guide includes procedures for configuring the software. The software procedures show how to perform tasks using the CLI. This guide also describes how to monitor TurboIron products using statistics and summary screens.
This guide applies to the TurboIron X Series models.

Device nomenclature

Table 1 lists the terms (product names) contained in this guide and the specific set of devices to which each term refers.
TABLE 1 TurboIron X Series family of switches
This name Refers to these devices
TurboIron 24X Devices
TurboIron 24X (TIX) TurboIron 24X or TurboIron

What’s new in this document

There are no enhancements in FastIron release 08.0.01 for TurboIron 24X.

Document conventions

This section describes text formatting conventions and important notice formats used in this document.

Text formatting

The narrative-text formatting conventions that are used are as follows:
bold text
    Identifies command names
    Identifies the names of user-manipulated GUI elements
    Identifies keywords
    Identifies text to enter at the CLI
italic text
    Provides emphasis
    Identifies <variables>
    Identifies document titles
code text
    Identifies CLI output
For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.

Notes, cautions, and danger notices

The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.

Notice to the reader

NOTE
This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations.

Related publications

The following documents supplement the information in this guide:
FastIron Ethernet Switch Administration Guide
FastIron Ethernet Switch Platform and Layer 2 Switching Configuration Guide
FastIron Ethernet Switch Layer 3 Routing Configuration Guide
FastIron Ethernet Switch IP Multicast Configuration Guide
FastIron Ethernet Switch Security Configuration Guide
FastIron Ethernet Switch Software Upgrade Guide
FastIron Switch Stacking Configuration Guide
FastIron Ethernet Switch Traffic Management Guide
FastIron Ethernet Switch Software Licensing Guide
FastIron Feature Support Matrix
Brocade TurboIron 24X Series Configuration Guide
Brocade ICX 6430-C Switch Installation Guide
Brocade ICX 6430 and ICX 6450 Stackable Switches Hardware Installation Guide
Brocade FCX Series Hardware Installation Guide
Brocade FastIron ICX 6610 Stackable Switch Hardware Installation Guide
Brocade ICX 6650 Ethernet Switch Installation Guide
Brocade FastIron SX Series Chassis Hardware Installation Guide
Brocade TurboIron 24X Series Hardware Installation Guide
Brocade ICX 6450-C12-PD Switch Installation Guide
Brocade FastIron FCX, ICX, and TurboIron Diagnostic Reference
Unified IP MIB Reference
For the latest edition of these documents, which contain the most up-to-date information, go to http://www.brocade.com/products.

Getting technical help or reporting errors

To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.

Document feedback

Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to:
documentation@brocade.com
Provide the title and version number of the document and as much detail as possible about your comment, including the topic heading and page number and your suggestions for improvement.
Chapter 1

Feature Highlights

In this chapter
Supported features
Supported IPv6 management features
Unsupported features

Introduction to features

The features that are available on a device depend on the type of software image the device is running. You can run one of the following types of software images on these devices:
Layer 2 is supported on all models
Layer 3 features supported on TurboIron devices only.
Table 2 lists the software that is loaded into the primary and secondary flash areas at the factory.
TABLE 2 Default software loads
Model                   Software images
                        Primary flash    Secondary flash
All TurboIron models    Layer 2          Layer 2

Supported features

The tables in this section list the feature highlights in the TurboIron software.

Supported management features

Table 3 lists the supported management features. These features are supported in the Layer 2 software images.
TABLE 3 Supported management features
Category, description, and configuration notes    TurboIron X Series
AAA support for console commands    Yes
Access Control Lists (ACLs) for controlling management access    Yes
Alias Command    Yes
Combined DSCP and internal marking in one ACL rule    Yes
Disabling TFTP Access    Yes
Brocade Network Advisor    Yes
P-Bridge and Q-Bridge MIBs    Yes
Remote monitoring (RMON)    Yes
sFlow:    Yes
    For inbound traffic only
    802.1X username export support for encrypted and non-encrypted EAP types
Serial and Telnet access to industry-standard Command Line Interface (CLI)    Yes
Show log on all terminals    Yes
SNMP v1, v2, v3    Yes
SNMP V3 traps    Yes
Specifying the maximum number of entries allowed in the RMON Control Table    Yes
Traffic counters for outbound traffic    Yes

Supported security features

Table 4 lists the supported security features. These features are supported in the Layer 2 software images.
TABLE 4 Supported security features
Category, description, and configuration notes    TurboIron X Series
802.1X port security    Yes
802.1X authentication RADIUS timeout action    Yes
802.1X dynamic assignment for ACL, MAC filter, and VLAN    Yes
Access Control Lists (ACLs) for filtering transit traffic:    Yes
    Support for inbound ACLs only.
    These devices do not support outbound ACLs.
AES Encryption for SNMP v3    Yes
AES Encryption for SSH v2    Yes
Authentication, Authorization and Accounting (AAA):    Yes
    RADIUS, TACACS/TACACS+
Denial of Service (DoS) protection:    Yes
    TCP SYN Attacks and ICMP Attacks
Local passwords    Yes
MAC filter override of 802.1X    Yes
MAC filtering:    Yes
    Filtering on source and destination MAC addresses
Ability to disable MAC Learning    Yes
MAC port security    Yes
Multi-device port authentication    Yes
Multi-device port authentication with dynamic ACLs    Yes
Multi-device port authentication with dynamic VLAN assignment    Yes
Multi-device port authentication password override    Yes
Multi-device port authentication RADIUS timeout action    Yes
Secure Copy (SCP)    Yes
Secure Shell (SSH) v2 Server    Yes
Packet filtering on TCP Flags    Yes

Supported system-level features

Table 5 lists the supported system-level features. These features are supported in the Layer 2 software images.
TABLE 5 Supported system-level features
Category, description, and configuration notes    TurboIron X Series
10/100/1000 port speed    Yes
1 Gbps and 10 Gbps configurable port speed on fiber ports    Yes
16,000 MAC addresses per switch    Yes
32,000 MAC addresses per switch    Yes
ACL-Based Mirroring    Yes
ACL-Based Rate Limiting:    Yes
    TurboIron X Series devices support ACL-based fixed and adaptive rate limiting on inbound ports
ACL filtering based on VLAN membership or VE port membership    Yes
ACL logging of denied packets:    Yes
    ACL logging is supported for denied packets, which are sent to the CPU for logging
    ACL logging is not supported for permitted packets
    Packets that are denied by ACL filters are logged in the Syslog based on a sample time-period.
ACL statistics    Yes
Asymmetric flow control:    Yes
    Responds to flow control packets, but does not generate them
Auto-negotiation    Yes
Broadcast, multicast, and unknown-unicast rate limiting    Yes
Boot and reload after 5 minutes at or above shutdown temperature    Yes
Cut-through switching    Yes
DiffServ support    Yes
Digital Optical Monitoring    Yes
Displaying interface names in Syslog    Yes
Displaying TCP/UDP port numbers in Syslog messages    Yes
DSCP Mapping for values 1 through 8    Yes
Dynamic buffer allocation    Yes
Egress buffer thresholds    Yes
Fixed rate limiting:    Yes
    TurboIron X Series devices support:
    Port-based rate limiting on inbound ports
    Not supported on 10 GbE ports on TurboIron X Series devices.
    Fixed rate limiting is not supported on tagged ports in the full Layer 3 router image
Foundry Discovery Protocol (FDP) / Cisco Discovery Protocol (CDP)    Yes
LLDP    Yes
MAC filter-based mirroring    Yes
Multi-port static MAC address    Yes
Multiple Syslog server logging:    Yes
    Up to six Syslog servers
Negative temperature setting    Yes
Outbound rate shaping    Yes
Port flap dampening    Yes
Port mirroring and monitoring:    Yes
    Mirroring of both inbound and outbound traffic on individual ports is supported.
Priority mapping using ACLs    Yes
Specifying a Simple Network Time Protocol (SNTP) Server    Yes
Specifying the minimum number of ports in a trunk group    Yes
Static MAC entries with option to set traffic priority    Yes

Supported Layer 2 features

Layer 2 software images include all of the management, security, and system-level features listed in the previous tables, plus the features listed in Table 6.
TABLE 6 Supported Layer 2 features
Category, description, and configuration notes
802.1D Spanning Tree Support:
Enhanced IronSpan support
includes Fast Port Span and Single-instance Span
TurboIron X Series devices support
up to 510 spanning tree instances for VLANs.
802.1p Quality of Service (QoS):
Strict Priority (SP)
Weighted Round Robin (WRR)
Combined SP and WRR
8 priority queues
TurboIron X Series
Yes
Yes
802.1s Multiple Spanning Tree Yes
802.1W Rapid Spanning Tree (RSTP):
802.1W RSTP support allows for
802.3ad link aggregation (dynamic trunk groups):
TurboIron X Series ports enabled for
ACL-based rate limiting QoS Yes
BPDU Guard Yes
Dynamic Host Configuration Protocol (DHCP) Assist
IGMP v1/v2 Snooping Global Yes
IGMP v3 Snooping Global Yes
IGMP v1/v2/v3 Snooping per VLAN Yes
IGMP v2/v3 Fast Leave (membership tracking)
Interpacket Gap (IPG) adjustment Yes
Jumbo frames:
1 Gbps and 10 Gbps Ethernet ports
Up to 9216 bytes
Jumbo frames 10/100 support :
Up to 10240 bytes
LACP:
LACP trunk group ports follow the
Support for single link LACP
Link Fault Signaling (LFS) for 10 Gbps Ethernet ports
Metro Ring Protocol 1 (MRP 1) Yes
Metro Ring Protocol 2 (MRP 2) TurboIron X Series devices support Alarm
RHP
PIM-SM V2 Snooping Yes
PVST/PVST+ compatibility Yes
TurboIron X Series
Yes
sub-second convergence (both final standard and draft 3 supported)
Yes
link aggregation follow the same rules as ports configured for trunk groups. Refer to “Trunk group rules” on page 333.
Yes
(*,G and S,G)
Yes
Yes
Yes
Yes
same configuration rules as for statically configured trunk group ports.
Yes
Yes
PVRST+ compatibility Yes
Root Guard Yes
Super Aggregated VLANs Yes
Trunk groups:
TurboIron X Series
Yes
Trunk threshold for static trunk
groups
Flexible trunk group membership
Topology groups Yes
Uni-directional Link Detection (UDLD) (Link keepalive)
Uplink Ports Within a Port-Based VLAN Yes
VLAN Support:
Yes
802.1Q with tagging Yes
Dual-mode VLANs Yes
Protocol VLANs (AppleTalk, IPv4,
and IPX)
Yes
VLAN groups Yes
Private VLANs Yes
VLAN Q-in-Q Tagging (tag-type 8100 over 8100 encapsulation)
VLAN-based mirroring No
Virtual Switch Redundancy Protocol (VSRP)
VSRP-Aware security features Yes
VSRP and MRP signaling Yes
VSRP Fast Start Yes
VSRP timer scaling Yes
Yes
Yes

Supported Layer 3 features on TurboIron X Series devices

ECMP
RIP V1 and V2 (advertising only): Static RIP support only. The TurboIron X Series does not learn RIP routes from other Layer 3 devices. However, the device does advertise directly connected routes.
Routing for directly connected IP subnets
Static IP routing:
Virtual Interfaces: Up to 255 virtual interfaces
VRRP
OSPF V2 (IPv4)
Route-only support (Global and interface configuration levels)
VRRP
Anycast RP
IGMP V1, V2, and V3 (for multicast routing scenarios)
IP multicast routing protocols (PIM-SM, PIM-DM): TurboIron X Series devices support PIM-SM and PIM-DM
ICMP Redirect messages
Multiprotocol Source Discovery Protocol (MSDP)
Route-only support:
Disabling Layer 2 Switching at the CLI Interface level as well as the Global CONFIG level.
This feature is not supported on virtual interfaces
VRRP-E
DHCP relay
IP helper

Supported IPv6 management features

Table 7 shows the IPv6 management features that are supported for TurboIron X Series devices that can be configured as IPv6 hosts in an IPv6 network.
TABLE 7 Supported IPv6 management features
Category, description, and configuration notes    TurboIron X Series
Link-Local IPv6 Address    Yes
IPv6 copy    Yes
IPv6 ncopy    Yes
IPv6 debug    Yes
IPv6 ping    Yes
IPv6 traceroute    Yes
DNS server name resolution    Yes
Logging (Syslog)    Yes
RADIUS    Yes
SCP    Yes
SSH    Yes
SNMP v1, v2, v3    Yes
SNTP    Yes
Syslog    Yes
TACACS/TACACS+    Yes
Telnet    Yes
TFTP    Yes
Traps    Yes

Unsupported features

Table 8 lists the features that are not supported on the TurboIron X Series devices. If required, these features are available on other TurboIron X Series devices.
TABLE 8 Unsupported Features
Unsupported features
System-level features not supported:
Broadcast and multicast MAC filters
Layer 2 features not supported:
SuperSpan
VLAN-based priority
Layer 3 features not supported:
AppleTalk
Foundry Standby Router Protocol (FSRP)
IPv6 Multicast Routing
IPX
IS-IS
Multiprotocol Border Gateway Protocol (MBGP)
Multiprotocol Label Switching (MPLS)
Network Address Translation (NAT)
Web Management
Chapter 2

Getting Familiar with Management Applications

In this chapter
Using the management port
Logging on through the CLI
Using and port number with CLI commands
Logging on through Brocade Network Advisor

Using the management port

The management port is an out-of-band port that customers can use to manage their devices without interfering with the in-band ports. The management port is widely used to download images and configurations and for Telnet sessions.
The MAC address for the management port is derived from the base MAC address of the unit, plus the number of ports in the base module.

How the management port works

The following rules apply to management ports:
Any packets that are specifically addressed to the management port MAC address or the broadcast MAC address are forwarded accordingly. All other packets are filtered out.
No packet received on a management port is sent to any in-band ports, and no packets received on in-band ports are sent to a management port.
A management port is not part of any VLAN.
Protocols are not supported on the management port.
Creating a management VLAN disables the management port on the device.
All features that can be configured from the global configuration mode can also be configured from the interface level of the management port. Features that are configured through the management port take effect globally, not on the management port itself (on switches only).
For switches, any in-band port may be used for management purposes. A Router sends Layer 3 packets using the MAC address of the port as the source MAC address.

CLI Commands for use with the management port

The following CLI commands can be used with a management port.
To display the current configuration, use the show running-config interface management command.
Syntax: show running-config interface management <num>
TurboIron(config-if-mgmt)#ip addr 10.44.9.64/24
TurboIron(config)#show running-config interface management 1
interface management 1
 ip address 10.44.9/64 255.255.255.0
To display the current configuration, use the show interfaces management command.
Syntax: show interfaces management <num>
TurboIron(config)#show interfaces management 1
GigEthernetmgmt1 is up, line protocol is up
  Hardware is GigEthernet, address is 0000.0076.544a (bia 0000.0076.544a)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual none
  BPRU guard is disabled, ROOT protect is disabled
  Link Error Dampening is Disabled
  STP configured to OFF, priority is level0, mac-learning is enabled
  Flow Control is config disabled, oper enabled
  Mirror disabled, Monitor disabled
  Not member of any active trunks
  Not member of any configured trunks
  No port name
  IPG MII 0 bits-time, IPG GMII 0 bits-time
  IP MTU 1500 bytes
  300 second input rate: 83728 bits/sec, 130 packets/sec, 0.01% utilization
  300 second output rate: 24 bits/sec, 0 packets/sec, 0.00% utilization
  39926 packets input, 3210077 bytes, 0 no buffer
  Received 4353 broadcasts, 32503 multicasts, 370 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  22 packets output, 1540 bytres, 0 underruns
  Transmitted 0 broadcasts, 6 multicasts, 16 unicasts
  0 output errors, 0 collisions
To display the management interface information in brief form, enter the show interfaces brief management command.
Syntax: show interfaces brief management <num>
TurboIron#show interfaces brief management 1
To display management port statistics, enter the show statistics management command.
Syntax: show statistics management <num>
TurboIron#show statistics management 1
Port   Link  State  Dup   Speed  Trunk  Tag  Pvid  Pri  MAC              Name
mgmt1  Up    None   Full  100M   None   No   1     0    00000.0000.0118

InOctets          3210941    OutOctets         1540
InPkts            39939      OutPackets        22
InBroadcastPkts   4355       OutbroadcastPkts  0
InMultiastPkts    35214      OutMulticastPkts  6
InUnicastPkts     370        OutUnicastPkts    16
InBadPkts         0
InFragments       0
InDiscards        0          OutErrors         0
CRC               0          Collisions        0
InErrors          0          LateCollisions    0
InGiantPkts       0
InShortPkts       0
InJabber          0
InFlowCtrlPkts    0          OutFlowCtrlPkts   0
InBitsPerSec      83728      OutBitsPerSec     24
InPktsPerSec      130        OutPktsPerSec     0
InUtilization     0.01%      OutUtilization    0.00%
To display the management interface statistics in brief form, enter the show statistics brief management command.
Syntax: show statistics brief management <num>

Logging on through the CLI

Once an IP address is assigned to a Brocade device running Layer 2 software or to an interface on a Brocade device running Layer 3 software, you can access the CLI either through the direct serial connection to the device or through a local or remote Telnet session.
You can initiate a local Telnet or SNMP connection by attaching a cable to a port and specifying the assigned management station IP address.
The commands in the CLI are organized into the following levels:
User EXEC – Lets you display information and perform basic tasks such as pings and traceroutes.
Privileged EXEC – Lets you use the same commands as those at the User EXEC level plus configuration commands that do not require saving the changes to the system-config file.
CONFIG – Lets you make configuration changes to the device. To save the changes across reboots, you need to save them to the system-config file. The CONFIG level contains sub-levels for individual ports, for VLANs, for routing protocols, and other configuration areas.
By default, any user who can open a serial or Telnet connection to the Brocade device can access all these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can configure the device to use a RADIUS or TACACS/TACACS+ server for authentication. Refer to Chapter 5, “Securing Access to Management Functions”.

On-line help

To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed. If you enter part of a command, then enter “?” or press Tab, the CLI lists the options you can enter at this point in the command string.
If you enter an invalid command followed by ?, a message appears indicating the command was unrecognized. An example is given below.
TurboIron(config)#rooter ip
Unrecognized command

Command completion

The CLI supports command completion, so you do not need to enter the entire name of a command or option. As long as you enter enough characters of the command or option name to avoid ambiguity with other commands or options, the CLI understands what you are typing.

Scroll control

By default, the CLI uses a page mode to paginate displays that are longer than the number of rows in your terminal emulation window. For example, if you display a list of all the commands at the global CONFIG level but your terminal emulation window does not have enough rows to display them all at once, the page mode stops the display and lists your choices for continuing the display. An example is given below.
aaa
all-client
appletalk
arp
boot
some lines omitted for brevity...
ipx
lock-address
logging
mac
--More--, next page: Space, next line: Return key, quit: Control-c
The software provides the following scrolling options:
Press the Space bar to display the next page (one screen at a time).
Press the Return or Enter key to display the next line (one line at a time).
Press Ctrl+C or Ctrl+Q to cancel the display.

Line editing commands

The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL+key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command.
TABLE 9 CLI line editing commands
Ctrl+Key combination    Description
Ctrl+A            Moves to the first character on the command line.
Ctrl+B            Moves the cursor back one character.
Ctrl+C            Escapes and terminates command prompts and ongoing tasks (such as lengthy displays), and displays a fresh command prompt.
Ctrl+D            Deletes the character at the cursor.
Ctrl+E            Moves to the end of the current command line.
Ctrl+F            Moves the cursor forward one character.
Ctrl+K            Deletes all characters from the cursor to the end of the command line.
Ctrl+L; Ctrl+R    Repeats the current command line on a new line.
Ctrl+N            Enters the next command line in the history buffer.
Ctrl+P            Enters the previous command line in the history buffer.
Ctrl+U; Ctrl+X    Deletes all characters from the cursor to the beginning of the command line.
Ctrl+W            Deletes the last word you typed.
Ctrl+Z            Moves from any CONFIG level of the CLI to the Privileged EXEC level; at the Privileged EXEC level, moves to the User EXEC level.

Using and port number with CLI commands

Many CLI commands require users to enter port numbers as part of the command syntax, and many show command outputs display port numbers. The port numbers are entered and displayed in one of the following formats.

CLI nomenclature on TurboIron X Series devices

The TurboIron X Series devices use port numbers only. When you enter CLI commands that require port numbers as part of the syntax, just specify the port number.
Here are some examples. The following commands change the CLI from the global CONFIG level to the configuration level for the first port on the device:
TurboIron X Series commands
TurboIron(config)#interface e1 TurboIron(config-if-e10000-1)#

Searching and filtering output from CLI commands

You can filter CLI output from show commands and at the --More-- prompt. You can search for individual characters, strings, or construct complex regular expressions to filter the output.
Searching and filtering output from Show commands
You can filter output from show commands to display lines containing a specified string, lines that do not contain a specified string, or output starting with a line containing a specified string. The search string is a regular expression consisting of a single character or string of characters. You can use special characters to construct complex regular expressions. Refer to “Using special characters in regular expressions” on page 18 for information on special characters used with regular expressions.
Using include to display lines containing a specified string
The include modifier filters the output of the show interface command for port 11 so it displays only lines containing the word “Internet”. This command can be used to display the IP address of the interface.
TurboIron#show interface e 11 | include Internet
 Internet address is 192.168.1.11/24, MTU 1518 bytes, encapsulation ethernet
Syntax: show-command | include <regular-expression>
The vertical bar ( | ) is part of the command.
The regular expression specified as the search string is case sensitive. In the example above, a search string of “Internet” would match the line containing the IP address, but a search string of “internet” would not.
Using exclude to display lines that do not contain a specified string
The exclude modifier filters the output of the show who command so it displays only lines that do not contain the word “closed”. This command can be used to display open connections to the device.
TurboIron#show who | exclude closed
Console connections:
 established
 you are connecting to this session
 2 seconds in idle
Telnet connections (inbound):
 1 established, client ip address 192.168.9.37
 27 seconds in idle
Telnet connection (outbound):
SSH connections:
Syntax: show-command | exclude <regular-expression>
Using begin to display lines starting with a specified string
The begin modifier filters the output of the show who command so it displays output starting with the first line that contains the word “SSH”. This command can be used to display information about SSH connections to the device.
TurboIron#show who | begin SSH
SSH connections:
 1 established, client ip address 192.168.9.210
 7 seconds in idle
 2 closed
 3 closed
 4 closed
 5 closed
Syntax: show-command | begin <regular-expression>
Searching and filtering output at the --More-- prompt
The --More-- prompt displays when output extends beyond a single page. From this prompt, you can press the Space bar to display the next page, the Return or Enter key to display the next line, or Ctrl+C or Q to cancel the display. In addition, you can search and filter output from this prompt.
At the --More-- prompt, you can press the forward slash key ( / ) and then enter a search string. The device displays output starting from the first line that contains the search string, similar to the begin modifier for show commands. An example is given below.
--More--, next page: Space, next line: Return key, quit: Control-c
/telnet
The results of the search are displayed.
searching...
telnet Telnet by name or IP address
temperature temperature sensor commands
terminal display syslog
traceroute TraceRoute to IP node
undebug Disable debugging functions (see also 'debug')
undelete Undelete flash card files
whois WHOIS lookup
write Write running configuration to flash or terminal
To display lines containing only a specified search string (similar to the include modifier for show commands) press the plus sign key ( + ) at the --More-- prompt and then enter the search string.
--More--, next page: Space, next line: Return key, quit: Control-c
+telnet
The filtered results are displayed.
filtering...
telnet Telnet by name or IP address
To display lines that do not contain a specified search string (similar to the exclude modifier for show commands) press the minus sign key ( - ) at the --More-- prompt and then enter the search string.
--More--, next page: Space, next line: Return key, quit: Control-c
-telnet
The filtered results are displayed.
filtering...
temperature temperature sensor commands
terminal display syslog
traceroute TraceRoute to IP node
undebug Disable debugging functions (see also 'debug')
undelete Undelete flash card files
whois WHOIS lookup
write Write running configuration to flash or terminal
As with the modifiers for filtering output from show commands, the search string is a regular expression consisting of a single character or string of characters. You can use special characters to construct complex regular expressions. See the next section for information on special characters used with regular expressions.

Using special characters in regular expressions

You use a regular expression to specify a single character or multiple characters as a search string. In addition, you can include special characters that influence the way the software matches the output against the search string. These special characters are listed in the following table.
TABLE 10 Special characters for regular expressions
Character Operation
. The period matches on any single character, including a blank space.
For example, the following regular expression matches “aaz”, “abz”, “acz”, and so on, but not just “az”:
a.z
* The asterisk matches on zero or more sequential instances of a pattern.
For example, the following regular expression matches output that contains the string “abc”, followed by zero or more Xs:
abcX*
+ The plus sign matches on one or more sequential instances of a pattern.
For example, the following regular expression matches output that contains "de", followed by a sequence of “g”s, such as “deg”, “degg”, “deggg”, and so on: deg+
? The question mark matches on zero occurrences or one occurrence of a pattern.
For example, the following regular expression matches output that contains "dg" or "deg": de?g
NOTE: Normally when you type a question mark, the CLI lists the commands or options at that CLI
level that begin with the character or string you entered. However, if you enter Ctrl+V and then type a question mark, the question mark is inserted into the command line, allowing you to use it as part of a regular expression.
^ A caret (when not used within brackets) matches on the beginning of an input string.
For example, the following regular expression matches output that begins with “deg”: ^deg
$ A dollar sign matches on the end of an input string.
For example, the following regular expression matches output that ends with “deg”: deg$
18 Brocade TurboIron 24X Series Configuration Guide
53-1003053-01
Using and port number with CLI commands
TABLE 10 Special characters for regular expressions (Continued)
Character Operation
_ An underscore matches on one or more of the following:
, (comma)
{ (left curly brace)
} (right curly brace)
( (left parenthesis)
) (right parenthesis)
The beginning of the input string
The end of the input string
A blank space
For example, the following regular expression matches on “100” but not on “1002”, “2100”, and so on.
_100_
[ ] Square brackets enclose a range of single-character patterns.
For example, the following regular expression matches output that contains “1”, “2”, “3”, “4”, or “5”:
[1-5]
You can use the following expression symbols within the brackets. These symbols are allowed only inside the brackets.
^ – The caret matches on any characters except the ones in the brackets. For example, the following regular expression matches output that does not contain “1”, “2”, “3”, “4”, or “5”:
[^1-5]
- The hyphen separates the beginning and ending of a range of characters. A match occurs if any of the characters within the range is present. See the example above.
| A vertical bar separates two alternative values or sets of values. The output can match one or the other value. For example, the following regular expression matches output that contains either “abc” or “defg”:
abc|defg
( ) Parentheses allow you to create complex expressions.
For example, the following complex expression matches on “abc”, “abcabc”, or “defg”, but not on “abcdefgdefg”:
((abc)+)|((defg)?)
If you want to filter for a special character instead of using the special character as described in the table above, enter “\” (backslash) in front of the character. For example, to filter on output containing an asterisk, enter the asterisk portion of the regular expression as “\*”.
TurboIron#show ip route bgp | include \*
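The Table 10 operators, including the underscore delimiter and backslash escaping, applied to saved command output. This is an added example, not code from the guide: it uses Python's re module as a stand-in for the device's matcher, and the function names and sample lines are constructed for illustration.

```python
import re
from typing import List

# What "_" stands for in Table 10: a comma, brace, parenthesis or blank space,
# or the beginning or end of the input string.
DELIMITER = r"(?:^|$|[,{}() ])"


def to_python_regex(cli_pattern: str) -> str:
    """Translate a Table 10 expression into an equivalent Python pattern.

    Assumption: ., *, +, ?, ^, $, [ ], | and ( ) behave as they do in Python,
    so only "_" and backslash escaping need translating.
    """
    out = []
    in_brackets = False
    i = 0
    while i < len(cli_pattern):
        ch = cli_pattern[i]
        if ch == "\\":
            if i + 1 == len(cli_pattern):
                raise ValueError("pattern ends with a bare backslash")
            # "\x" filters on the literal character x (for example \* or \_).
            out.append(re.escape(cli_pattern[i + 1]))
            i += 2
            continue
        if ch == "[" and not in_brackets:
            in_brackets = True
        elif ch == "]" and in_brackets:
            in_brackets = False
        # Assumption: inside brackets an underscore is just a member of the set.
        out.append(DELIMITER if ch == "_" and not in_brackets else ch)
        i += 1
    return "".join(out)


def include(output: str, cli_pattern: str) -> List[str]:
    """Return the lines a `| include <pattern>` filter would keep."""
    rx = re.compile(to_python_regex(cli_pattern))
    return [line for line in output.splitlines() if rx.search(line)]


# Constructed sample lines (not real device output).
SAMPLE_OUTPUT = """\
path 65000 100 200
path 65000 1002
path 2100 300
path {100,300}
*> marked entry
deg at start
ends with deg
"""

if __name__ == "__main__":
    for pattern in ("_100_", r"\*", "^deg", "deg$", "[3-5]00$"):
        print(pattern, "->", include(SAMPLE_OUTPUT, pattern))
```

Running a filter offline this way shows why `_100_` is safer than a bare `100` when searching saved output: the bare form also keeps the “1002” and “2100” lines.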

Creating an alias for a CLI command

You can create aliases for CLI commands. An alias serves as a shorthand version of a longer CLI command. For example, you can create an alias called shoro for the CLI command show ip route. Then when you enter shoro at the command prompt, the show ip route command is executed.
To create an alias called shoro for show ip route, enter the following command.
TurboIron(config)#alias shoro = show ip route
Syntax: [no] alias <alias-name> = <cli-command>
The <alias-name> must be a single word, without spaces.
After the alias is configured, entering shoro at either the Privileged EXEC or CONFIG levels of the CLI executes the show ip route command.
To create an alias called wrsbc for copy running-config tftp 10.10.10.10 test.cfg, enter the following command.
TurboIron(config)#alias wrsbc = copy running-config tftp 10.10.10.10 test.cfg
To remove the wrsbc alias from the configuration, enter one of the following commands.
TurboIron(config)#no alias wrsbc
or
TurboIron(config)#unalias wrsbc
Syntax: unalias <alias-name>
The specified <alias-name> must be the name of an alias already configured on the device.
To display the aliases currently configured on the device, enter the following command at either the Privileged EXEC or CONFIG levels of the CLI.
TurboIron#alias
 wrsbc    copy running-config tftp 10.10.10.10 test.cfg
 shoro    show ip route
Syntax: alias
Configuration notes
The following configuration notes apply to this feature:
You cannot include additional parameters with the alias at the command prompt. For example, after you create the shoro alias, shoro bgp would not be a valid command.
If configured on the device, authentication, authorization, and accounting is performed on the actual command, not on the alias for the command.
To save an alias definition to the startup-config file, use the write memory command.
Logging on through Brocade Network Advisor
Refer to the Brocade Network Advisor manuals for information about using Brocade Network Advisor.

Chapter 3
Configuring Basic Software Features

In this chapter
Configuring basic system parameters
Configuring basic port parameters

Configuring basic system parameters

Brocade devices are configured at the factory with default parameters that allow you to begin using the basic features of the system immediately. However, many of the advanced features such as VLANs or routing protocols for the device must first be enabled at the system (global) level before they can be configured. If you use the Command Line Interface (CLI) to configure system parameters, you can find these system level parameters at the Global CONFIG level of the CLI.
Before assigning or modifying any router parameters, you must assign the IP subnet (interface) addresses for each port.
For information about configuring IP addresses, DNS resolver, DHCP assist, and other IP-related parameters, refer to Chapter 20, “Configuring IP”.
For information about the Syslog buffer and messages, refer to Chapter 12, “Using Syslog”.
The procedures in this section describe how to configure the basic system parameters listed in Table 11.
TABLE 11 Basic system parameters
Basic system parameter See page
System name, contact, and location page 22
SNMP trap receiver, trap source address, and other parameters page 22
Single source address for all Telnet packets page 27
Single source address for all TFTP packets page 28
Single source address for all Syslog packets page 28
Single source address for all NTPv4 packets page 28
System time using a Simple Network Time Protocol (NTPv4) server or local system counter page 28
System clock page 29
Broadcast, multicast, or unknown-unicast limits, if required to support slower third-party devices page 31

Entering system administration information

You can configure a system name, contact, and location for a device and save the information locally in the configuration file for future reference. This information is not required for system operation but is suggested. When you configure a system name, the name replaces the default system name in the CLI command prompt.
The name, contact, and location each can be up to 32 alphanumeric characters.
Here is an example of how to configure a system name, system contact, and location.
TurboIron(config)#hostname zappa
zappa(config)#snmp-server contact Support Services
zappa(config)#snmp-server location Centerville
zappa(config)#end
zappa#write memory
Syntax: hostname <string>
Syntax: snmp-server contact <string>
Syntax: snmp-server location <string>
The text strings can contain blanks. The SNMP text strings do not require quotation marks when they contain blanks but the host name does.
The chassis name command does not change the CLI prompt. Instead, the command assigns an administrative ID to the device.

Configuring Simple Network Management Protocol (SNMP) parameters

Use the procedures in this section to perform the following configuration tasks:
Specify an SNMP trap receiver.
Specify a source address and community string for all traps sent by the device.
Change the holddown time for SNMP traps.
Disable individual SNMP traps. (All traps are enabled by default.)
Disable traps for CLI access that is authenticated by a local user account, a RADIUS server, or a TACACS/TACACS+ server.
To add and modify “get” (read-only) and “set” (read-write) community strings, refer to Chapter 5, “Securing Access to Management Functions”.
Specifying an SNMP trap receiver
You can specify a trap receiver to ensure that all SNMP traps sent by the device go to the same SNMP trap receiver or set of receivers, typically one or more host devices on the network. When you specify the host, you also specify a community string. The device sends all the SNMP traps to the specified hosts and includes the specified community string. Administrators can therefore filter for traps from a device based on IP address or community string.
When you add a trap receiver, the software automatically encrypts the community string you associate with the receiver when the string is displayed by the CLI. If you want the software to show the community string in the clear, you must explicitly specify this when you add a trap receiver. In either case, the software does not encrypt the string in the SNMP traps sent to the receiver.
To specify the host to which the device sends all SNMP traps, use one of the following methods.
To add a trap receiver and encrypt the display of the community string, enter commands such as the following.
To specify an SNMP trap receiver and change the UDP port that will be used to receive traps, enter a command such as the following.
TurboIron(config)#snmp-server host 10.2.2.2 0 mypublic port 200
TurboIron(config)#write memory
Syntax: snmp-server host <ip-addr> [0 | 1] <string> [port <value>]
The <ip-addr> parameter specifies the IP address of the trap receiver.
The 0 | 1 parameter specifies whether you want the software to encrypt the string (1) or show the string in the clear (0). The default is 0.
The <string> parameter specifies an SNMP community string configured on the device. The string can be a read-only string or a read-write string. The string is not used to authenticate access to the trap host but is instead a useful method for filtering traps on the host. For example, if you configure each of your devices that use the trap host to send a different community string, you can easily distinguish among the traps from different devices based on the community strings.
The command in the example above adds trap receiver 10.2.2.2 and configures the software to encrypt display of the community string. When you save the new community string to the startup-config file (using the write memory command), the software adds the following command to the file.
snmp-server host 10.2.2.2 1 <encrypted-string>
To add a trap receiver and configure the software to encrypt display of the community string in the CLI, enter commands such as the following.
device(config)#snmp-server host 10.2.2.2 0 device-12
device(config)#write memory
The port <value> parameter allows you to specify which UDP port will be used by the trap receiver. This parameter allows you to configure several trap receivers in a system. With this parameter, device and another network management application can coexist in the same system. Devices can be configured to send copies of traps to more than one network management application.
Specifying a single trap source
You can specify a single trap source to ensure that all SNMP traps sent by the device use the same source IP address. When you configure the SNMP source address, you specify the Ethernet port, loopback interface, or virtual interface that is the source for the traps. The device then uses the lowest-numbered IP address configured on the port or interface as the source IP address in the SNMP traps sent by the device.
Identifying a single source IP address for SNMP traps provides the following benefits:
If your trap receiver is configured to accept traps only from specific links or IP addresses, you can use this feature to simplify configuration of the trap receiver by configuring the device to always send the traps from the same link or source address.
If you specify a loopback interface as the single source for SNMP traps, SNMP trap receivers can receive traps regardless of the states of individual links. Thus, if a link to the trap receiver becomes unavailable but the receiver can be reached through another link, the receiver still receives the trap, and the trap still has the source IP address of the loopback interface.
To specify a port, loopback interface, or virtual interface whose lowest-numbered IP address the device must use as the source for all SNMP traps sent by the device, use the following CLI method.
To configure the device to send all SNMP traps from the first configured IP address on port 4, enter the following commands.
TurboIron(config)#snmp-server trap-source ethernet 4
TurboIron(config)#write memory
Syntax: snmp-server trap-source loopback <num> | ethernet <portnum> | ve <num>
The <num> parameter is a loopback interface or virtual interface number.
To specify a loopback interface as the SNMP trap source for the device, enter commands such as the following.
TurboIron(config)#int loopback 1
TurboIron(config-lbif-1)#ip address 10.0.0.1/24
TurboIron(config-lbif-1)#exit
TurboIron(config)#snmp-server trap-source loopback 1
The commands in this example configure loopback interface 1, assign IP address 10.0.0.1/24 to the loopback interface, then designate the interface as the SNMP trap source for this device. Regardless of the port the device uses to send traps to the receiver, the traps always arrive from the same source IP address.
Setting the SNMP trap holddown time
When a device starts up, the software waits for Layer 2 convergence (STP) and Layer 3 convergence (OSPF) before beginning to send SNMP traps to external SNMP servers. Until convergence occurs, the device might not be able to reach the servers, in which case the messages are lost.
By default, a device uses a one-minute holddown time to wait for the convergence to occur before starting to send SNMP traps. After the holddown time expires, the device sends the traps, including traps such as “cold start” or “warm start” that occur before the holddown time expires.
You can change the holddown time to a value from one second to ten minutes.
To change the holddown time for SNMP traps, enter a command such as the following at the global CONFIG level of the CLI.
TurboIron(config)#snmp-server enable traps holddown-time 30
The command in this example changes the holddown time for SNMP traps to 30 seconds. The device waits 30 seconds to allow convergence in STP and OSPF before sending traps to the SNMP trap receiver.
Syntax: [no] snmp-server enable traps holddown-time <secs>
The <secs> parameter specifies the number of seconds and can be from 1 – 600 (ten minutes). The default is 60 seconds.
Disabling SNMP traps
TurboIron X Series devices come with SNMP trap generation enabled by default for all traps. You can selectively disable one or more of the following traps.
By default, all SNMP traps are enabled at system startup.
Layer 2 traps
The following traps are generated on devices running Layer 2 software:
SNMP authentication keys
Power supply failure
Fan failure
Cold start
Link up
Link down
Bridge new root
Bridge topology change
Locked address violation
Layer 3 traps
The following traps are generated on devices running Layer 3 software:
SNMP authentication key
Power supply failure
Fan failure
Cold start
Link up
Link down
Bridge new root
Bridge topology change
Locked address violation
BGP4
OSPF
VRRP
VRRP-E
To stop link down occurrences from being reported, enter the following.
TurboIron(config)#no snmp-server enable traps link-down
Syntax: [no] snmp-server enable traps <trap-type>

Disabling Syslog messages and traps for CLI access

TurboIron X Series devices send Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI. The feature applies to users whose access is authenticated by an authentication-method list based on a local user account, RADIUS server, or TACACS/TACACS+ server.
The Privileged EXEC level is sometimes called the “Enable” level, because the command for accessing this level is enable.
The feature is enabled by default.
Examples of Syslog messages for CLI access
When a user whose access is authenticated by a local user account, a RADIUS server, or a TACACS/TACACS+ server logs into or out of the CLI User EXEC or Privileged EXEC mode, the software generates a Syslog message and trap containing the following information:
The time stamp
The user name
Whether the user logged in or out
The CLI level the user logged into or out of (User EXEC or Privileged EXEC level)
Messages for accessing the User EXEC level apply only to access through Telnet. The device does not authenticate initial access through serial connections but does authenticate serial access to the Privileged EXEC level. Messages for accessing the Privileged EXEC level apply to access through the serial connection or Telnet.
The following examples show login and logout messages for the User EXEC and Privileged EXEC levels of the CLI.
TurboIron#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 12 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dynamic Log Buffer (50 entries):
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode
Syntax: show logging
The first message (the one on the bottom) indicates that user “dg” logged in to the CLI User EXEC level on October 15 at 5:38 PM and 3 seconds (Oct 15 17:38:03). The same user logged into the Privileged EXEC level four seconds later.
The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.
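The walkthrough above, done programmatically: the login and logout messages are parsed and paired into sessions so that long Privileged EXEC sessions and logouts with no visible login stand out. This is an added example, not code from the guide; the function names, the supplied year and the 900-second review threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Dynamic Log Buffer lines copied from the show logging output on this page
# (the buffer lists the newest message first).
PAGE_SAMPLE = """\
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode
"""

EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):info:"
    r"(?P<user>\S+) (?P<action>login to|logout from) "
    r"(?P<level>USER|PRIVILEGE) EXEC mode$"
)


def parse_events(text, year):
    """Return (time, user, action, level) tuples, oldest first.

    The messages carry no year, so the caller supplies one (assumption:
    all lines fall within the same year).
    """
    events = []
    # Walk the buffer bottom-up so that same-second messages keep their order.
    for line in reversed(text.splitlines()):
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue  # not a CLI access message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        action = "login" if m["action"] == "login to" else "logout"
        events.append((ts, m["user"], action, m["level"]))
    return sorted(events, key=lambda e: e[0])  # stable sort


def pair_sessions(events):
    """Match each logout to the most recent open login of the same user and level."""
    open_logins = {}
    sessions, orphan_logouts = [], []
    for ts, user, action, level in events:
        stack = open_logins.setdefault((user, level), [])
        if action == "login":
            stack.append(ts)
        elif stack:
            start = stack.pop()
            sessions.append({"user": user, "level": level, "start": start,
                             "end": ts, "seconds": int((ts - start).total_seconds())})
        else:
            # The login predates the buffer, or it was never logged.
            orphan_logouts.append((ts, user, level))
    still_open = sorted((ts, user, level)
                        for (user, level), stack in open_logins.items()
                        for ts in stack)
    return sessions, orphan_logouts, still_open


def review(text, year, max_privileged_seconds=900):
    """Return the paired sessions and the items an analyst should look at."""
    sessions, orphans, still_open = pair_sessions(parse_events(text, year))
    findings = []
    for s in sessions:
        if s["level"] == "PRIVILEGE" and s["seconds"] > max_privileged_seconds:
            findings.append(f"{s['user']}: Privileged EXEC session of {s['seconds']} s "
                            f"starting {s['start']:%b %d %H:%M:%S}")
    for ts, user, level in orphans:
        findings.append(f"{user}: {level} EXEC logout at {ts:%b %d %H:%M:%S} "
                        "without a matching login")
    for ts, user, level in still_open:
        findings.append(f"{user}: {level} EXEC login at {ts:%b %d %H:%M:%S} "
                        "has no logout yet")
    return sessions, findings


if __name__ == "__main__":
    sessions, findings = review(PAGE_SAMPLE, year=2013)
    for s in sessions:
        print(s["user"], s["level"], s["seconds"], "s")
    for finding in findings:
        print("REVIEW:", finding)
```

Because the dynamic buffer holds a limited number of entries, an unmatched logout usually means the login has already scrolled out, which is one reason to forward these messages to a Syslog server as well.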
Disabling the Syslog messages and traps
Logging of CLI access is enabled by default. If you want to disable the logging, enter the following commands.
TurboIron(config)#no logging enable user-login
TurboIron(config)#write memory
TurboIron(config)#end
TurboIron#reload
Syntax: [no] logging enable user-login

Configuring an interface as the source for all Telnet packets

You can designate the lowest-numbered IP address configured on an interface as the source IP address for all Telnet packets from the device. Identifying a single source IP address for Telnet packets provides the following benefits:
If your Telnet server is configured to accept packets only from specific links or IP addresses, you can use this feature to simplify configuration of the Telnet server by configuring the device to always send the Telnet packets from the same link or source address.
If you specify a loopback interface as the single source for Telnet packets, Telnet servers can receive the packets regardless of the states of individual links. Thus, if a link to the Telnet server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
The software contains separate CLI commands for specifying the source interface for Telnet, TACACS/TACACS+, and RADIUS packets. You can configure a source interface for one or more of these types of packets.
To specify an interface as the source for all Telnet packets from the device, use the following CLI method. The software uses the lowest-numbered IP address configured on the interface as the source IP address for Telnet packets originated by the device.
To specify the lowest-numbered IP address configured on a virtual interface as the device source for all Telnet packets, enter commands such as the following.
TurboIron(config)#int loopback 2
TurboIron(config-lbif-2)#ip address 10.0.0.2/24
TurboIron(config-lbif-2)#exit
TurboIron(config)#ip telnet source-interface loopback 2
The commands in this example configure loopback interface 2, assign IP address 10.0.0.2/24 to the interface, then designate the interface as the source for all Telnet packets from the device.
Syntax: ip telnet source-interface ethernet <portnum> | loopback <num> | ve <num>
The following commands configure an IP interface on an Ethernet port and designate the address port as the source for all Telnet packets from the device.
TurboIron(config)#interface ethernet 4
TurboIron(config-if-e10000-4)#ip address 10.157.22.110/24
TurboIron(config-if-e10000-4)#exit
TurboIron(config)#ip telnet source-interface ethernet 4

Cancelling an outbound Telnet session

If you want to cancel a Telnet session from the console to a remote Telnet server (for example, if the connection is frozen), you can terminate the Telnet session by doing the following.
1. At the console, press Ctrl+^ (Ctrl+Shift-6).
2. Press the X key to terminate the Telnet session.
Pressing Ctrl+^ twice in a row causes a single Ctrl+^ character to be sent to the Telnet server. After you press Ctrl+^, pressing any key other than X or Ctrl+^ returns you to the Telnet session.

Specifying a Simple Network Time Protocol (NTPv4) server

You can configure the device to consult NTPv4 servers for the current time and date.
TurboIron X Series devices do not retain time and date information across power cycles. Unless you want to reconfigure the system time counter each time the system is reset, Brocade recommends that you use the NTPv4 feature.
To identify an NTPv4 server with IP address 10.99.8.95 to act as the clock reference for a device, enter the following.
TurboIron(config)#sntp server 10.99.8.95
Syntax: sntp server <ip-addr> | <hostname> [<version>]
The <version> parameter specifies the NTPv4 version the server is running and can be from 1 – 4. The default is 1. You can configure up to three NTPv4 servers by entering three separate sntp server commands.
By default, the device polls its NTPv4 server every 30 minutes (1800 seconds). To configure the device to poll for clock updates from a NTPv4 server every 15 minutes, enter the following.
TurboIron(config)#sntp poll-interval 900
Syntax: [no] sntp poll-interval <1-65535>
To display information about NTPv4 associations, enter the following command.
TurboIron#show sntp associations
 address         ref clock    st    when    poll    delay    disp
~10.95.6.102     0.0.0.0      16    202     4       0.0      5.45
~10.95.6.101     0.0.0.0      16    202     0       0.0      0.0
* synced, ~ configured
Syntax: show sntp associations
The following table describes the information displayed by the show sntp associations command.
TABLE 12 Output from the show sntp associations command
This field... Displays...
(leading character) One or both of the following:
* Synchronized to this peer
~ Peer is statically configured
address IP address of the peer
ref clock IP address of the peer reference clock
st NTP stratum level of the peer
when Amount of time since the last NTP packet was received from the peer
poll Poll interval in seconds
delay Round trip delay in milliseconds
disp Dispersion in seconds
To display information about NTPv4 status, enter the following command.
TurboIron#show sntp status
Clock is unsynchronized, stratum = 0, no reference clock
precision is 2**0
reference time is 0 .0
clock offset is 0.0 msec, root delay is 0.0 msec
root dispersion is 0.0 msec, peer dispersion is 0.0 msec
Syntax: show sntp status
The following table describes the information displayed by the show sntp status command.
TABLE 13 Output from the show sntp status command
This field... Indicates...
unsynchronized System is not synchronized to an NTP peer.
synchronized System is synchronized to an NTP peer.
stratum NTP stratum level of this system
reference clock IP Address of the peer (if any) to which the unit is synchronized
precision Precision of this system's clock (in Hz)
reference time Reference time stamp
clock offset Offset of clock to synchronized peer
root delay Total delay along the path to the root clock
root dispersion Dispersion of the root path
peer dispersion Dispersion of the synchronized peer

Setting the system clock

In addition to NTPv4 support, switches and routers also allow you to set the system time counter. The time counter setting is not retained across power cycles and is not automatically synchronized with an NTPv4 server. The counter merely starts the system time and date clock with the time and date you specify.
You can synchronize the time counter with your NTPv4 server time by entering the sntp sync command from the Privileged EXEC level of the CLI.
Unless you identify an NTPv4 server for the system time and date, you will need to re-enter the time and date following each reboot.
For more details about NTPv4, refer to “Specifying a Simple Network Time Protocol (NTPv4) server” on page 28.
To set the system time and date to 10:15:05 on October 15, 2003, enter the following command.
TurboIron#clock set 10:15:05 10-15-2003
Syntax: [no] clock set <hh:mm:ss> | <mm-dd-yy> | <mm-dd-yyyy>
By default, switches and routers do not change the system time for daylight saving time. To enable daylight saving time, enter the following command.
TurboIron(config)#clock summer-time
Syntax: clock summer-time
Although NTPv4 servers typically deliver the time and date in Greenwich Mean Time (GMT), you can configure the device to adjust the time for any one-hour offset from GMT or for one of the following U.S. time zones:
US Pacific
Alaska
Aleutian
Arizona
Central
East-Indiana
Eastern
Hawaii
Michigan
Mountain
Pacific
Samoa
To change the time zone to Australian East Coast time (which is normally 10 hours ahead of GMT), enter the following command.
TurboIron(config)#clock timezone gmt gmt+10
Syntax: clock timezone gmt gmt | us <time-zone>
You can enter one of the following values for <time-zone>:
US time zones (us): alaska, aleutian, arizona, central, east-indiana, eastern, hawaii, michigan, mountain, pacific, samoa.
GMT time zones (gmt): gmt+0:00 to gmt+12:00 in increments of 1, and gmt-0:00 to gmt-12:00 in decrements of 1 are supported.
New start and end dates for US daylight saving time
This feature applies to US time zones only.
Starting in 2007, the system will automatically change the system clock to Daylight Saving Time (DST), in compliance with the new federally mandated start of daylight saving time, which is extended one month beginning in 2007. The DST will start at 2:00am on the second Sunday in March and will end at 2:00am on the first Sunday in November.
The DST feature is automatic, but to trigger the device to the correct time, the device must be configured to the US time zone, not the GMT offset. To configure your device to use the US time zone, enter the following command.
TurboIron(config)#clock timezone us pacific
Syntax: [no] clock timezone us <timezone-type>
Enter pacific, eastern, central, or mountain for <timezone-type>.
This command must be configured on every device that follows the US DST.
To verify the change, run a show clock command.
TurboIron#show clock

Limiting broadcast, multicast, and unknown unicast traffic

TurboIron X Series devices can forward all flooded traffic at wire speed within a VLAN. However, some third-party networking devices cannot handle high rates of broadcast, multicast, or unknown-unicast traffic. If high rates of traffic are being received by the device on a given port of that VLAN, you can limit the number of broadcast, multicast, or unknown-unicast packets or bytes received each second on that port. This can help to control the number of such packets or bytes that are flooded on the VLAN to other devices.
Byte-based limiting for broadcast, multicast, and unknown unicast traffic provides the ability to rate limit traffic based on byte count instead of packet count. When the byte mode is enabled, packets will be received on a port as long as the number of bytes received per second is less than the corresponding limit. Once the limit is reached, further packets will be dropped.
TurboIron X Series devices do not support packet-based and byte-based limiting simultaneously on the same port. For example, if you configure packet-based limiting for broadcast traffic, you must also configure packet-based limiting for multicast and unknown unicast traffic. Likewise, if you configure byte-based limiting for broadcast traffic, you must also configure byte-based limiting for multicast and unknown unicast traffic.
Command syntax for packet-based limiting
To enable broadcast limiting on a group of ports by counting the number of packets received, enter commands such as the following.
TurboIron(config)#interface ethernet 1 to 8
TurboIron(config-mif-e10000-1-8)#broadcast limit 65536
These commands configure packet-based broadcast limiting on ports 1 – 8. On each port, the maximum number of broadcast packets per second cannot exceed 65,536 packets per second.
On TurboIron X Series devices, multicast limiting is independent of broadcast limiting. To enable multicast limiting on devices, enter commands such as the following.
TurboIron(config)#interface ethernet 1 to 8
TurboIron(config-mif-e10000-1-8)#multicast limit 65536
To enable unknown unicast limiting by counting the number of packets received, enter commands such as the following.
TurboIron(config)#interface eth 1
TurboIron(config-if-e10000-1)#unknown-unicast limit 65536
The combined number of inbound Unknown Unicast packets permitted for ports 1 to 12 is now set to 65536
TurboIron(config-if-e10000-1)#
Syntax: [no] broadcast limit <num>
Syntax: [no] unknown-unicast limit <num>
Syntax: [no]
or
Syntax: [no] multicast limit <num>
The multicast limit <num> command applies to devices only.
The <num> variable specifies the maximum number of packets per second. Acceptable values differ depending on the device you are configuring:
On TurboIron X Series devices, <num> can be any number between 1 and 8388607 (packets per second). The actual value will be determined by the system. Once you enter the value, the CLI will display a message indicating the actual value. The following shows an example configuration.
TurboIron(config)#interface ethernet 9
TurboIron(config-mif-e10000-9)#multicast limit 50
Multicast limit in pkts/sec set to 31
If you specify 0, limiting is disabled. Limiting is disabled by default.
Command syntax for byte-based limiting
TurboIron X Series devices limit traffic based on kilobits per second (kbps). To enable limiting, refer to the appropriate section, below.
TurboIron X Series devices
To enable broadcast limiting on a group of ports by counting the number of kilobits received, enter commands such as the following.
TurboIron(config)#interface ethernet 9 to 10
TurboIron(config-mif-e10000-9-10)#broadcast limit 131072 kbps
Broadcast limit in kbits/sec set to 130000
These commands configure broadcast limiting on ports 9 and 10. On each port, the total number of kilobits received from broadcast packets cannot exceed 130,000 per second.
To enable multicast limiting, enter commands such as the following.
TurboIron(config)#interface ethernet 8
TurboIron(config-mif-e10000-1-8)#multicast limit 9000 kbps
Multicast limit in kbits/sec set to 8064
To enable unknown unicast limiting, enter commands such as the following.
TurboIron(config)#int e 13
TurboIron(config-if-e10000-13)#unknown-unicast limit 65536 kbps
Unknown unicast limit in kbits/sec set to 64000
Syntax: [no] broadcast limit <num> kbps
Syntax: [no] multicast limit <num> kbps
Syntax: [no] unknown-unicast limit <num> kbps
The <num> variable can be any number between 1 and 10000000. The actual value will be determined by the system. Once you enter the value, the CLI will display a message indicating the actual value, as shown in the configuration examples above. If you specify 0, limiting is disabled. Limiting is disabled by default.
Viewing broadcast, multicast, and unknown unicast limits
You can use the show run interface command to display the broadcast, multicast, and unknown-unicast limits configured on the device.
In addition to the show run interface command, you can use the following commands to display the broadcast, multicast, and unknown-unicast limits configured on the device:
show rate-limit unknown-unicast
show rate-limit broadcast
Use the show run interface command to view the broadcast, multicast, and unknown-unicast limit configured on each port.
TurboIron#show run interface
interface ethernet 4
 broadcast limit 1245184 bytes
 multicast limit
!
interface ethernet 5
 broadcast limit 1245184 bytes
 multicast limit
!
interface ethernet 12
 unknown-unicast limit 524288
!
interface ethernet 13
 unknown-unicast limit 65536 bytes
!
interface ethernet 14
 broadcast limit 65536
!
interface ethernet 23
 broadcast limit 131072
 multicast limit
!
Syntax: show run interface
Use the show rate-limit unknown-unicast command to display the unknown unicast limit for each port region to which it applies.
TurboIron#show rate-limit unknown-unicast
Unknown Unicast Limit Settings:
Port Region   Combined Limit   Packets/Bytes
1 - 12        524288           Packets
13 - 24       65536            Bytes
Syntax: show rate-limit unknown-unicast
Use the show rate-limit broadcast command to display the broadcast limit or broadcast and multicast limit for each port to which it applies.
TurboIron#show rate-limit broadcast
Broadcast/Multicast Limit Settings:
Port   Limit     Packets/Bytes   Packet Type(s)
4      1245184   Bytes           Broadcast + Multicast
5      1245184   Bytes           Broadcast + Multicast
14     65536     Packets         Broadcast only
23     131072    Packets         Broadcast + Multicast
Syntax: show rate-limit broadcast
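The check below is an added example, not part of the Brocade guide: it parses show run interface text in the layout shown above, rebuilds the rows of show rate-limit broadcast, and lists the ports where broadcast, multicast, or unknown-unicast traffic has no limit (limiting is disabled by default). Port 2 in the sample is constructed; the per-region handling of unknown-unicast limits and the reading of a bare multicast limit line as sharing the broadcast limit are assumptions drawn from the example outputs.

```python
import re

# Ports 4 to 23 are copied from the guide's "show run interface" example;
# port 2 is constructed here to show a port with no limit configured.
SAMPLE_SHOW_RUN = """\
interface ethernet 2
!
interface ethernet 4
 broadcast limit 1245184 bytes
 multicast limit
!
interface ethernet 5
 broadcast limit 1245184 bytes
 multicast limit
!
interface ethernet 12
 unknown-unicast limit 524288
!
interface ethernet 13
 unknown-unicast limit 65536 bytes
!
interface ethernet 14
 broadcast limit 65536
!
interface ethernet 23
 broadcast limit 131072
 multicast limit
!
"""

IFACE_RE = re.compile(r"^interface ethernet (\d+)$")
LIMIT_RE = re.compile(
    r"^(broadcast|multicast|unknown-unicast) limit(?: (\d+))?(?: (bytes|kbps))?$")
UNIT_LABEL = {"bytes": "Bytes", "kbps": "Kbps", None: "Packets"}
# Assumption: unknown-unicast limits are shared per port region, using the
# regions printed in the guide's "show rate-limit unknown-unicast" example.
REGIONS = ((1, 12), (13, 24))


def region_of(port):
    """Return the region a port belongs to (the port itself if outside REGIONS)."""
    for low, high in REGIONS:
        if low <= port <= high:
            return (low, high)
    return (port, port)


def parse_limits(text):
    """Return {port: {kind: (value or None, unit label)}} per ethernet interface."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # drop indentation and repeated spaces
        match = IFACE_RE.match(line)
        if match:
            current = int(match.group(1))
            ports[current] = {}
        elif line == "!":
            current = None
        elif current is not None:
            match = LIMIT_RE.match(line)
            if match:
                kind, num, unit = match.groups()
                value = int(num) if num is not None else None
                ports[current][kind] = (value, UNIT_LABEL[unit])
    return ports


def broadcast_table(ports):
    """Rebuild the rows of "show rate-limit broadcast" from the parsed config."""
    rows = []
    for port in sorted(ports):
        value, unit = ports[port].get("broadcast", (None, None))
        if not value:  # no broadcast limit, or 0 (limiting disabled)
            continue
        # Assumption: a bare "multicast limit" line shares the broadcast limit.
        shared = "multicast" in ports[port]
        kinds = "Broadcast + Multicast" if shared else "Broadcast only"
        rows.append((port, value, unit, kinds))
    return rows


def unprotected(ports):
    """Return {port: [traffic kinds without an effective limit]}."""
    limited_regions = {region_of(port) for port, cfg in ports.items()
                       if cfg.get("unknown-unicast", (None, None))[0]}
    gaps = {}
    for port in sorted(ports):
        cfg = ports[port]
        has_bcast = bool(cfg.get("broadcast", (None, None))[0])
        mcast = cfg.get("multicast")
        has_mcast = bool(mcast) and (
            bool(mcast[0]) or (mcast[0] is None and has_bcast))
        has_uucast = region_of(port) in limited_regions
        missing = [kind for kind, ok in (("broadcast", has_bcast),
                                         ("multicast", has_mcast),
                                         ("unknown-unicast", has_uucast)) if not ok]
        if missing:
            gaps[port] = missing
    return gaps


if __name__ == "__main__":
    parsed = parse_limits(SAMPLE_SHOW_RUN)
    print(broadcast_table(parsed), unprotected(parsed), sep="\n")
```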
Configuring basic port parameters
The procedures in this section describe how to configure the port parameters shown in Table 14.
TABLE 14 Basic port parameters
Port parameter                                       See page
Name                                                 page 35
Speed                                                page 35
Duplex mode                                          page 36
Port status (enable or disable)                      page 36
Flow control                                         page 37
Auto-negotiation and advertisement of flow control   page 37
Configuring PHY FIFO Rx and TX Depth                 page 38
Interpacket Gap (IPG)                                page 38
Gbps fiber negotiate mode                            page 39
QoS priority                                         page 39
Port flap dampening                                  page 39
All ports are pre-configured with default values that allow the device to be fully operational at initial startup without any additional configuration. However, in some cases, changes to the port parameters may be necessary to adjust to attached devices or other network requirements.

Assigning a port name

A port name can be assigned to help identify interfaces on the network. You can assign a port name to physical ports, virtual interfaces, and loopback interfaces.
To assign a name to a port, enter commands such as the following.
TurboIron(config)#interface e 2
TurboIron(config-if-e10000-2)#port-name Marsha
Syntax: port-name <text>
The <text> parameter is an alphanumeric string. The name can be up to 64 characters long. The name can contain blanks. You do not need to use quotation marks around the string, even when it contains blanks.

Modifying port speed and duplex mode

This section describes how to modify port speed and duplex mode on TurboIron X Series devices.
Copper ports
The Gigabit Ethernet copper ports are designed to auto-sense and auto-negotiate the speed and duplex mode of the connected device. If the attached device does not support this operation, you can manually enter the port speed to operate at either 10, 100, or 1000 Mbps. The default and recommended setting is 10/100/1000 auto-sense.
On TurboIron X Series devices, you can modify the port speed of copper ports and the 24 fiber ports.
For optimal link operation, copper ports on devices that do not support 802.3u must be configured with like parameters, such as speed (10, 100, 1000), duplex (half, full), and flow control.
Fiber ports on the TurboIron X Series
The fiber ports on the TurboIron X Series devices support 1 GbE and 10 GbE connections, depending on the SFP optic installed in the port. SFP+ optics are used for 10 GbE fiber connections, and SFP optics are used for 1 GbE fiber connections. The default setting is 10 GbE full-duplex mode with SFP+ optics. To use 1 GbE in a 10 GbE port, insert an SFP optic and change the speed-duplex to 1 GbE (speed-duplex 1000).
Configuration syntax
The following commands change the port speed of fiber interface 8 on a TurboIron X Series device from the default of 10 Gbps to 1 Gbps.
TurboIron(config)#interface e 8
TurboIron(config-if-e10000-8)#speed-duplex 1000
Syntax: speed-duplex <value>
where <value> can be one of the following:
10-full – 10 Mbps, full duplex
10-half – 10 Mbps, half duplex
100-full – 100 Mbps, full duplex
100-half – 100 Mbps, half duplex
1000 – 1 Gbps, full duplex (not supported on TurboIron X Series 10-GbE ports only)
1000-full-master – 1 Gbps, full duplex master (supported on the TurboIron X Series)
1000-full-slave – 1 Gbps, full duplex slave (not supported on the TurboIron X Series)
10000 – 10 Gbps, full duplex (supported on TurboIron X Series 10-GbE ports only)
auto – auto-negotiation
The default for copper ports is auto (auto-negotiation).
The default for fiber ports on the TurboIron X Series is 10000 (10 Gbps, full duplex).
Use the no form of the command to restore the default.
On TurboIron X Series devices, when 10/100/1000 copper ports (ports 25 – 28) auto-negotiate to either 1 Gbps or 100 Mbps, the green and amber LEDs will be lit solid (ON) when the link is up, and the amber LED will blink when traffic flows through the port. On TurboIron X Series devices, if the speed is set to Auto for a 1G port, the port auto-negotiates the flow control with the neighboring port.

Auto speed detect

On TurboIron X Series devices, if you insert a 1G SFP, the device detects the media change and automatically changes the speed to support 1G for that port. This happens when the configured speed is 10G. The configured speed continues to be 10G, but the port comes up with an operational speed of 1G. This removes the need for explicitly configuring speed-duplex 1000 for SFPs where the device is able to detect the media type.
All the ports with 1G SFPs that need to form a trunk (static or dynamic) need to use either the Auto speed detect feature to come up in 1G mode or the speed-duplex 1000 command. Configuring speed-duplex 1000 on only a few of the ports that are to be part of the trunk will prevent trunk creation.

Modifying port duplex mode

You can manually configure a 10/100 Mbps port to accept either full-duplex (bi-directional) or half-duplex (uni-directional) traffic.
You can modify the port duplex mode of copper ports only. This feature does not apply to fiber ports.
Port duplex mode and port speed are modified by the same command, which is speed-duplex.

Disabling or re-enabling a port

A port can be made inactive (disable) or active (enable) by selecting the appropriate status option. The default value for a port is enabled.
To disable port 8 of a device, enter the following.
TurboIron(config)#interface e 8
TurboIron(config-if-e10000-8)#disable
Syntax: disable
You also can disable or re-enable a virtual interface. To do so, enter commands such as the following.
TurboIron(config)#interface ve v1
TurboIron(config-vif-1)#disable
Syntax: disable
To re-enable a virtual interface, enter the enable command at the Interface configuration level. For example, to re-enable virtual interface v1, enter the following command.
TurboIron(config-vif-1)#enable
Syntax: enable

Disabling or re-enabling flow control

You can configure full-duplex ports on a system to operate with or without flow control (802.3x). Flow control is enabled by default.
To disable flow control on full-duplex ports on a system, enter the following.
TurboIron(config)#no flow-control
To turn the feature back on, enter the following.
TurboIron(config)#flow-control
Syntax: [no] flow-control
For optimal link operation, link ports on devices that do not support 802.3u must be configured with like parameters, such as speed (10, 100, 1000), duplex (half, full), and flow control.

Auto-negotiation and advertisement of flow control

Auto-negotiation of flow control can be enabled and advertised for 10/100/1000M ports. To enable and advertise flow control capability, enter the following commands.
TurboIron(config)#interface ethernet 21
TurboIron(config-if-e10000-21)#flow-control
To also enable auto-negotiation of flow control, enter the following commands.
TurboIron(config)#interface ethernet 21
TurboIron(config-if-e10000-21)#flow-control neg-on
Syntax: [no] flow-control [neg-on]
flow-control [default] - Enable flow control, advertise flow control and disable negotiation of flow control
flow-control neg-on - Advertise flow control and enable negotiation of flow control
no flow-control - Disable flow control, disable advertising flow control and also disable negotiation of flow control
Commands may be entered in IF (single port) or MIF (multiple ports at once) mode.
TurboIron(config)#interface ethernet 21
TurboIron(config-if-e10000-21)#flow-control
This command enables flow-control on port 21.
TurboIron(config)#interface e 11 to 15
TurboIron(config-mif-11-15)#flow-control
This command enables flow-control on ports 11 to 15.

Configuring the Interpacket Gap (IPG)

IPG is the time delay, in bit time, between frames transmitted by the device. You configure IPG at the interface level. The command you use depends on the interface type on which IPG is being configured.
The default interpacket gap is 96 bits-time, which is 9.6 microseconds for 10 Mbps Ethernet, 960 nanoseconds for 100 Mbps Ethernet, 96 nanoseconds for 1 Gbps Ethernet, and 9.6 nanoseconds for 10 Gbps Ethernet.
Configuration notes
When you enter a value for IPG, the device applies the closest valid IPG value for the port mode to the interface. For example, if you specify 120 for a 1 Gbps Ethernet port in 1 Gbps mode, the device assigns 112 as the closest valid IPG value to program into hardware.
Configuring IPG on a Gbps Ethernet port
On a Gbps Ethernet port, you can configure IPG for 10/100 mode and for Gbps Ethernet mode.
10/100M mode
To configure IPG on a Gbps Ethernet port for 10/100M mode, enter the following command.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#ipg-mii 120
IPG 120(120) has been successfully configured for ports 1 to 12
Syntax: [no] ipg-mii <bit time>
Enter 12-124 for <bit time>. The default is 96 bit time.
1G mode
To configure IPG on a Gbps Ethernet port for 1-Gbps Ethernet mode, enter commands such as the following.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#ipg-gmii 120
IPG 120(112) has been successfully configured for ports 1 to 12
Syntax: [no] ipg-gmii <bit time>
Enter 48 - 112 for <bit time>. The default is 96 bit time.
Configuring IPG on a 10 Gbps Ethernet interface
To configure IPG on a 10 Gbps Ethernet interface, enter commands such as the following.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#ipg-xgmii 120
IPG 120(128) has been successfully configured for port 1
Syntax: [no] ipg-xgmii <bit time>
Enter 96-192 for <bit time>. The default is 96 bit time.

Changing the Gbps fiber negotiation mode

The globally configured Gbps negotiation mode is the default mode for all Gbps fiber ports. You can override the globally configured default and set individual ports to the following:
Negotiate-full-auto – The port first tries to perform a handshake with the other port to exchange capability information. If the other port does not respond to the handshake attempt, the port uses the manually configured configuration information (or the defaults if an administrator has not set the information). This is the default.
Auto-Gbps – The port tries to perform a handshake with the other port to exchange capability information.
Negotiation-off – The port does not try to perform a handshake. Instead, the port uses configuration information manually configured by an administrator.
To change the mode for individual ports, enter commands such as the following.
TurboIron(config)#int ethernet 1 to 4
TurboIron(config-mif-1-4)#gig-default auto-gig
This command overrides the global setting and sets the negotiation mode to auto-Gbps for ports 1 – 4.
Syntax: gig-default neg-full-auto | auto-gig | neg-off
When Gbps negotiation mode is turned off (CLI command gig-default neg-off), the device may inadvertently take down both ends of a link. This is a hardware limitation for which there is currently no workaround.

Modifying port priority (QoS)

You can give preference to the inbound traffic on specific ports by changing the Quality of Service (QoS) level on those ports. For information and procedures, refer to Chapter 35, “Configuring Quality of Service”.

Configuring port flap dampening

Port Flap Dampening increases the resilience and availability of the network by limiting the number of port state transitions on an interface.
If the port link state toggles from up to down for a specified number of times within a specified period, the interface is physically disabled for the specified wait period. Once the wait period expires, the port link state is re-enabled. However, if the wait period is set to zero (0) seconds, the port link state will remain disabled until it is manually re-enabled.
Configuration notes
When a flap dampening port becomes a member of a trunk group, that port, as well as all other member ports of that trunk group, will inherit the primary port configuration. This means that the member ports will inherit the primary port flap dampening configuration, regardless of any previous configuration.
The device counts the number of times a port link state toggles from "up to down", and not from "down to up".
The sampling time or window (the time during which the specified toggle threshold can occur before the wait period is activated) is triggered when the first "up to down" transition occurs.
"Up to down" transitions include UDLD-based toggles, as well as the physical link state.
Configuring port flap dampening on an interface
This feature is configured at the interface level.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#link-error-disable 10 3 10
Syntax: [no] link-error-disable <toggle-threshold> <sampling-time-in-sec> <wait-time-in-sec>
The <toggle-threshold> is the number of times a port link state goes from up to down and down to up before the wait period is activated. The default is 0. Enter a value from 1 – 50.
The <sampling-time-in-sec> is the amount of time during which the specified toggle threshold can occur before the wait period is activated. The default is 0 seconds. Enter 0 – 65535 seconds.
The <wait-time-in-sec> is the amount of time the port remains disabled (down) before it becomes enabled. Enter 0 – 65535 seconds; 0 indicates that the port will stay down until an administrative override occurs.
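To make the interaction of the three link-error-disable parameters concrete, the following added example (not Brocade code) models one port as a small state machine that uses the Idle, Err, and Down states of the show link-error-disable all output and counts only up-to-down transitions. It assumes the port is shut off when the count reaches the threshold and that an expired sampling window clears the count; the timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Dampener:
    """Model of: link-error-disable <toggle-threshold> <sampling> <wait>."""
    threshold: int                 # up-to-down transitions that trigger the shutoff
    sampling: int                  # seconds in which the threshold must be reached
    wait: int                      # seconds the port stays disabled; 0 = no timer
    state: str = "Idle"            # Idle, Err or Down
    count: int = 0
    window_start: Optional[int] = None
    down_since: Optional[int] = None

    def _reset(self):
        self.state, self.count = "Idle", 0
        self.window_start = self.down_since = None

    def _advance(self, now):
        """Apply timer expiry up to time `now` (seconds)."""
        if (self.state == "Down" and self.wait > 0
                and now - self.down_since >= self.wait):
            self._reset()          # wait period over: port is re-enabled
        elif self.state == "Err" and now - self.window_start > self.sampling:
            self._reset()          # assumption: an expired window clears the count

    def link_down(self, now):
        """Record one up-to-down transition and return the resulting state."""
        self._advance(now)
        if self.state == "Down":
            return self.state      # port is already disabled
        if self.state == "Idle":
            self.window_start = now    # first up-to-down transition opens the window
        self.count += 1
        self.state = "Err"
        # Assumption: the port is shut off when the count reaches the threshold.
        if self.count >= self.threshold:
            self.state, self.down_since = "Down", now
        return self.state

    def counter(self, now):
        """Value of the Counter column for this port at time `now`."""
        self._advance(now)
        if self.state == "Idle":
            return "N/A"
        if self.state == "Err":
            return self.count
        # Down: remaining shutoff time (reported as 0 here when wait is 0)
        return self.wait - (now - self.down_since) if self.wait else 0

    def manual_enable(self):
        """Administrative override for a port held down with wait 0."""
        self._reset()


def replay(threshold, sampling, wait, down_times):
    """Feed constructed up-to-down timestamps (seconds) and return each state."""
    port = Dampener(threshold, sampling, wait)
    return [port.link_down(t) for t in down_times]


if __name__ == "__main__":
    # Constructed timeline using threshold 3, sampling time 120, shutoff time 500.
    port = Dampener(3, 120, 500)
    print([port.link_down(t) for t in (0, 40, 76)])   # ['Err', 'Err', 'Down']
    print(port.counter(152))                          # 424
    # Slower flapping: the window expires before the third transition.
    print(replay(3, 120, 500, [0, 100, 130]))         # ['Err', 'Err', 'Err']
```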
Configuring port flap dampening on a trunk
You can configure the port flap dampening feature on the primary port of a trunk using the link-error-disable command. Once configured on the primary port, the feature is enabled on all ports that are members of the trunk. You cannot configure port flap dampening on port members of the trunk.
Enter commands such as the following on the primary port of a trunk.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#link-error-disable 10 3 10
Re-enabling a port disabled by port flap dampening
A port disabled by port flap dampening is automatically re-enabled once the wait period expires; however, if the wait period is set to zero (0) seconds, you must re-enable the port by entering the following command on the disabled port.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#no link-error-disable 10 3 10
Displaying ports configured with port flap dampening
Ports that have been disabled due to the port flap dampening feature are identified in the output of the show link-error-disable command. The following shows an example output.
TurboIron#show link-error-disable
Port 1 is forced down by link-error-disable.
Use the show link-error-disable all command to display the ports with the port flap dampening feature enabled.
For TurboIron X Series devices, the output of the command shows the following.
TurboIron#show link-error-disable all
Port  -----------------Config---------------  ------Oper----
#     Threshold  Sampling-Time  Shutoff-Time  State  Counter
----- ---------  -------------  ------------  -----  -------
11    3          120            600           Idle   N/A
12    3          120            500           Down   424
Table 15 defines the port flap dampening statistics displayed by the show link-error-disable all command.
TABLE 15 Output of show link-error-disable
This column...   Displays...
Port #           The port number.
Threshold        The number of times the port link state will go from up to down and down to up before the wait period is activated.
Sampling-Time    The number of seconds during which the specified toggle threshold can occur before the wait period is activated.
Shutoff-Time     The number of seconds the port will remain disabled (down) before it becomes enabled. A zero (0) indicates that the port will stay down until an administrative override occurs.
State            The port state can be one of the following:
                 Idle – The link is normal and no link state toggles have been detected or sampled.
                 Down – The port is disabled because the number of sampled errors exceeded the configured threshold.
                 Err – The port sampled one or more errors.
Counter          If the port state is Idle, this field displays N/A.
                 If the port state is Down, this field shows the remaining value of the shutoff timer.
                 If the port state is Err, this field shows the number of errors sampled.
Syntax: show link-error-disable [all]
Also, in TurboIron X Series devices, the show interface command indicates if the port flap dampening feature is enabled on the port.
TurboIron#show interface ethernet 15
GigabitEthernet15 is up, line protocol is up
  Link Error Dampening is Enabled
  Hardware is GigabitEthernet, address is 0000.0000.010e (bia 0000.0000.010e)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDIX
TurboIron#show interface ethernet 17
GigabitEthernet17 is ERR-DISABLED, line protocol is down
  Link Error Dampening is Enabled
  Hardware is GigabitEthernet, address is 0000.0000.010e (bia 0000.0000.010e)
  Configured speed auto, actual unknown, configured duplex fdx, actual unknown
The line “Link Error Dampening” displays “Enabled” if port flap dampening is enabled on the port or “Disabled” if the feature is disabled on the port. The feature is enabled on the ports in the two examples above. Also, the characters “ERR-DISABLED” are displayed in the “GigabitEthernet” line if the port is disabled because of link errors.
Syntax: show interface ethernet <port-number>
In addition to the show commands above, the output of the show interface brief command for TurboIron X Series devices indicates if a port is down due to link errors.
TurboIron#show interface brief e17
Port  Link     State  Dupl  Speed  Trunk  Tag  Priori  MAC             Name
17    ERR-DIS  None   None  None   15     Yes  level0  0000.0000.010e
The ERR-DIS entry under the “Link” column indicates the port is down due to link errors.

Port loop detection

This feature allows the device to disable a port that is on the receiving end of a loop by sending test packets. You can configure the time period during which test packets are sent.
Strict mode and loose mode
There are two types of loop detection: Strict Mode and Loose Mode. In Strict Mode, a port is disabled only if a packet is looped back to that same port. Strict Mode overcomes specific hardware issues where packets are echoed back to the input port. In Strict Mode, loop detection must be configured on the physical port.
In Loose Mode, loop detection is configured on the VLAN of the receiving port. Loose Mode disables the receiving port if packets originate from any port or VLAN on the same device. The VLAN of the receiving port must be configured for loop detection in order to disable the port.
Recovering disabled ports
Once a loop is detected on a port, it is placed in Err-Disable state. The port will remain disabled until one of the following occurs:
You manually disable and enable the port at the Interface Level of the CLI.
You enter the command clear loop-detection. This command clears loop detection statistics and enables all Err-Disabled ports.
The device automatically re-enables the port. To set your device to automatically re-enable Err-Disabled ports, refer to “Configuring the device to automatically re-enable ports” on page 44.
Configuration notes
Loopback detection packets are sent and received on both tagged and untagged ports. Therefore, this feature cannot be used to detect a loop across separate devices.
On TurboIron X Series devices, the port loop detection feature works only on untagged ports.
The following information applies to Loose Mode loop detection:
With Loose Mode, two ports of a loop are disabled.
Different VLANs may disable different ports. A disabled port affects every VLAN using it.
Loose Mode floods test packets to the entire VLAN. This can impact system performance if too many VLANs are configured for Loose Mode loop detection.
Brocade recommends that you limit the use of Loose Mode. If you have a large number of VLANs, configuring loop detection on all of them can significantly affect system performance because of the flooding of test packets to all configured VLANs. An alternative to configuring loop detection in a VLAN-group of many VLANs is to configure a separate VLAN with the same tagged port and configuration, and enable loop detection on this VLAN only.
When loop detection is used with Layer 2 loop prevention protocols, such as spanning tree (STP), the Layer 2 protocol takes higher priority. Loop detection cannot send or receive probe packets if ports are blocked by Layer 2 protocols, so it does not detect Layer 2 loops when STP is running because loops within a VLAN have been prevented by STP. Loop detection running in Loose Mode can detect and break Layer 3 loops because STP cannot prevent loops across different VLANs. In these instances, the ports are not blocked and loop detection is able to send out probe packets in one VLAN and receive packets in another VLAN. In this way, loop detection running in Loose Mode disables both ingress and egress ports.
Enabling loop detection
Use the loop-detection command to enable loop detection on a physical port (Strict Mode) or a VLAN (Loose Mode). Loop detection is disabled by default. The following example shows a Strict Mode configuration.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e10000-1)#loop-detection
The following example shows a Loose Mode configuration.
TurboIron(config)#vlan 20
TurboIron(config-vlan-20)#loop-detection
By default, the port will send test packets every one second, or the number of seconds specified by the loop-detection-interval command. Refer to “Configuring a global loop detection interval” on page 44.
Syntax: [no] loop-detection
Use the [no] form of the command to disable loop detection.
Configuring a global loop detection interval
The loop detection interval specifies how often a test packet is sent on a port. When loop detection is enabled, the loop detection time unit is 0.1 second, with a default of 10 (one second). The range is from 1 (one tenth of a second) to 100 (10 seconds). You can use the show loop-detection status command to view the loop detection interval.
To configure the global loop detection interval, enter a command similar to the following.
TurboIron(config)#loop-detection-interval 50
This command sets the loop-detection interval to 5 seconds (50 x 0.1).
To revert to the default global loop detection interval of 10, enter one of the following.
TurboIron(config)#loop-detection-interval 10
OR
TurboIron(config)#no loop-detection-interval 50
Syntax: [no] loop-detection-interval <number>
where <number> is a value from 1 to 100. The system multiplies your entry by 0.1 to calculate the interval at which test packets will be sent.
Configuring the device to automatically re-enable ports
To configure the device to automatically re-enable ports that were disabled because of a loop detection, enter the following command.
TurboIron(config)#errdisable recovery cause loop-detection
The above command will cause the device to automatically re-enable ports that were disabled because of a loop detection. By default, the device will wait 300 seconds before re-enabling the ports. You can optionally change this interval to a value from 10 to 65535 seconds. Refer to “Specifying the recovery time interval” on page 44.
Syntax: [no] errdisable recovery cause loop-detection
Use the [no] form of the command to disable this feature.
Specifying the recovery time interval
The recovery time interval specifies the number of seconds the device will wait before automatically re-enabling ports that were disabled because of a loop detection. (Refer to “Configuring the device to automatically re-enable ports” on page 44.) By default, the device will wait 300 seconds. To change the recovery time interval, enter a command such as the following.
TurboIron(config)#errdisable recovery interval 120
This command configures the device to wait 120 seconds (2 minutes) before re-enabling the ports.
To revert to the default recovery time interval of 300 seconds (5 minutes), enter one of the following commands.
TurboIron(config)#errdisable recovery interval 300
OR
TurboIron(config)#no errdisable recovery interval 120
Syntax: [no] errdisable recovery interval <seconds>
where <seconds> is a number from 10 to 65535.
Clearing loop-detection
To clear loop detection statistics and re-enable all ports that are in Err-Disable state because of a loop detection, enter the following command.
TurboIron#clear loop-detection
Displaying loop-detection information
Use the show loop-detection status command to display loop detection status, as shown.
TurboIron#show loop-detection status
loop detection packets interval: 10 (unit 0.1 sec)
Number of err-disabled ports: 3
You can re-enable err-disable ports one by one by "disable" then "enable"
under interface config, re-enable all by "clear loop-detect", or
configure "errdisable recovery cause loop-detection" for automatic recovery
index  port/vlan  status                  #errdis  sent-pkts  recv-pkts
1      13         untag, LEARNING         0        0          0
2      15         untag, BLOCKING         0        0          0
3      17         untag, DISABLED         0        0          0
4      18         ERR-DISABLE by itself   1        6          1
5      19         ERR-DISABLE by vlan 12  0        0          0
6      vlan12     2 ERR-DISABLE ports     2        24         2
If a port is errdisabled in Strict mode, it shows “ERR-DISABLE by itself”. If it is errdisabled due to its associated vlan, it shows “ERR-DISABLE by vlan ?”.
The following command displays the current disabled ports, including the cause and the time.
TurboIron#show loop-detection disable
Number of err-disabled ports: 3
You can re-enable err-disable ports one by one by "disable" then "enable"
under interface config, re-enable all by "clear loop-detect", or
configure "errdisable recovery cause loop-detection" for automatic recovery
index  port  caused-by  disabled-time
1      18    itself     00:13:30
2      19    vlan 12    00:13:30
3      20    vlan 12    00:13:30
This example shows the disabled ports, the cause, and the time the port was disabled. If loop-detection is configured on a physical port, the disable cause will show “itself”. For VLANs configured for loop-detection, the cause will be a VLAN.
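The following added example (not part of the Brocade guide) parses the two show loop-detection outputs above and groups the Err-Disabled ports by cause, so that Strict Mode shutdowns ("itself") are separated from Loose Mode shutdowns attributed to a VLAN. Both samples are copied from the example output with the banner text left out; the function names and the shape of the summary are choices made for this example.

```python
import re
from collections import namedtuple

# Both samples are copied from the guide's example output (banner text omitted).
SAMPLE_STATUS = """\
loop detection packets interval: 10 (unit 0.1 sec)
Number of err-disabled ports: 3
index  port/vlan  status                  #errdis  sent-pkts  recv-pkts
1      13         untag, LEARNING         0        0          0
2      15         untag, BLOCKING         0        0          0
3      17         untag, DISABLED         0        0          0
4      18         ERR-DISABLE by itself   1        6          1
5      19         ERR-DISABLE by vlan 12  0        0          0
6      vlan12     2 ERR-DISABLE ports     2        24         2
"""
SAMPLE_DISABLE = """\
Number of err-disabled ports: 3
index  port  caused-by  disabled-time
1      18    itself     00:13:30
2      19    vlan 12    00:13:30
3      20    vlan 12    00:13:30
"""

StatusRow = namedtuple("StatusRow", "index target status errdis sent recv")
INTERVAL_RE = re.compile(r"^loop detection packets interval: (\d+) \(unit 0\.1 sec\)$")
COUNT_RE = re.compile(r"^Number of err-disabled ports: (\d+)$")
STATUS_RE = re.compile(r"^(\d+) (\S+) (.+?) (\d+) (\d+) (\d+)$")
DISABLE_RE = re.compile(r"^(\d+) (\d+) (itself|vlan \d+) (\d\d:\d\d:\d\d)$")


def clean_lines(text):
    """Yield lines with indentation and column padding collapsed to single spaces."""
    for raw in text.splitlines():
        yield " ".join(raw.split())


def parse_status(text):
    """Return (probe interval in seconds, reported err-disabled count, rows)."""
    interval = count = None
    rows = []
    for line in clean_lines(text):
        if (m := INTERVAL_RE.match(line)):
            interval = int(m.group(1)) / 10   # the CLI unit is 0.1 second
        elif (m := COUNT_RE.match(line)):
            count = int(m.group(1))
        elif (m := STATUS_RE.match(line)):
            idx, target, status, errdis, sent, recv = m.groups()
            rows.append(StatusRow(int(idx), target, status,
                                  int(errdis), int(sent), int(recv)))
    return interval, count, rows


def parse_disable(text):
    """Return (reported count, [(port, cause, disabled_time), ...])."""
    count, entries = None, []
    for line in clean_lines(text):
        if (m := COUNT_RE.match(line)):
            count = int(m.group(1))
        elif (m := DISABLE_RE.match(line)):
            entries.append((int(m.group(2)), m.group(3), m.group(4)))
    return count, entries


def by_mode(entries):
    """Group disabled ports: cause "itself" is Strict Mode, a VLAN is Loose Mode."""
    groups = {}
    for port, cause, _time in entries:
        key = "strict" if cause == "itself" else f"loose ({cause})"
        groups.setdefault(key, []).append(port)
    return groups


def triage(status_text, disable_text):
    """Summarise what to recover and flag a listing that disagrees with its header."""
    interval, _, rows = parse_status(status_text)
    count, entries = parse_disable(disable_text)
    return {
        "probe_interval_sec": interval,
        "disabled": by_mode(entries),
        "loose_vlans": [r.target for r in rows if r.target.startswith("vlan")],
        "complete": count == len(entries),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_STATUS, SAMPLE_DISABLE))
```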
The following command shows the hardware and software resources being used by the loop-detection feature.
Vlans configured loop-detection use 1 HW MAC
Vlans not configured but use HW MAC: 1 10
                    alloc  in-use  avail  get-fail  limit  get-mem  size  init
configuration pool  16     6       10     0         3712   6        15    16
linklist pool       16     10      6      0         3712   10       16    16
Syslog message
The following message is logged when a port is disabled due to loop detection. This message also appears on the console.
loop-detect: port ?\?\? vlan ?, into errdisable state
The Errdisable function logs a message whenever it re-enables a port.
Chapter 4

Operations, Administration, and Maintenance

In this chapter
Overview
Determining the software versions installed and running on a device
Image file types
Upgrading software
Using SNMP to upgrade software
Changing the block size for TFTP file transfers
Rebooting
Displaying the boot preference
Loading and saving configuration files
Scheduling a system reload
Diagnostic error codes and remedies for TFTP transfers

Overview

For easy software image management, all devices support the download and upload of software images between the flash modules on the devices and a Trivial File Transfer Protocol (TFTP) server on the network.
TurboIron X Series devices have two flash memory modules:
Primary flash – The default local storage device for image files and configuration files.
Secondary flash – A second flash storage device. You can use the secondary flash to store redundant images for additional reload reliability or to preserve one software image while testing another one.
Only one flash device is active at a time. By default, the primary image will become active upon reload.
You can update the software contained on a flash module using TFTP to copy the update image from a TFTP server onto the flash module. In addition, you can copy software images and configuration files from a flash module to a TFTP server.
TurboIron X Series devices are TFTP clients but not TFTP servers. You must perform the TFTP transaction from the device. You cannot “put” a file onto the device using the interface of your TFTP server.
NOTE
If you are attempting to transfer a file using TFTP but have received an error message, refer to “Diagnostic error codes and remedies for TFTP transfers” on page 60.

Determining the software versions installed and running on a device

Use the following methods to display the software versions running on the device and the versions installed in flash memory.

Determining the flash image version running on the device

To determine the flash image version running on a device, enter the show version command at any level of the CLI. Some examples are shown below.
Compact devices
To determine the flash image version running on a Compact device, enter the show version command at any level of the CLI. The following shows an example output.
TurboIron#show version
  SW: Version 07.2.02b071T203 Copyright (c) 1996-2010 Brocade Communications Systems, Inc.
      Compiled on Dec 02 2010 at 08:07:06 labeled as TIR07202b071
      (6092645 bytes) from Secondary TIR07202b071
      Compressed Boot-Monitor Image size = 373767, Version:04.1.00T205 (grz04100)
  HW: Stackable TurboIron-X24
==========================================================================
      Serial #: XXXXXXXXXXX
      P-ASIC 0: type B820, rev 01 subrev 00
==========================================================================
  833 MHz Power PC processor 8541 (version 32/0020) 66 MHz bus
  512 KB boot flash memory
31744 KB code flash memory
  512 MB DRAM
The system uptime is 5 minutes 34 seconds
The system : started=warm start reloaded=by "reload"
The version information in this example is as follows:
“07.2.02b071T203” indicates the flash code version number. The “T203” is used by Brocade for record keeping.
“labeled as TIR07202b071” indicates the flash code image label. The label indicates the image type and version and is especially useful if you change the image file name.
“Secondary TIR07202b071” indicates the flash code image file name that was loaded.

Determining the image versions installed in flash memory

Enter the show flash command to display the boot and flash images installed on the device.
The “Compressed Pri Code size” line lists the flash code version installed in the primary flash area.
The “Compressed Sec Code size” line lists the flash code version installed in the secondary flash area.
The “Boot Monitor Image size” line lists the boot code version installed in flash memory. The device does not have separate primary and secondary flash areas for the boot image. The flash memory module contains only one boot image.

Flash image verification

The Flash Image Verification feature allows you to verify boot images based on hash codes, and to generate hash codes where needed. This feature lets you select from three data integrity verification algorithms:
MD5 - Message Digest algorithm (RFC 1321)
SHA1 - US Secure Hash Algorithm (RFC 3174)
CRC - Cyclic Redundancy Checksum algorithm
CLI commands
Use the following command syntax to verify the flash image:
Syntax: verify md5 | sha1 | crc32 <ASCII string> | primary | secondary [<hash code>]
md5 – Generates a 16-byte hash code
sha1 – Generates a 20-byte hash code
crc32 – Generates a 4-byte checksum
<ASCII string> – A valid image filename
primary – The primary boot image (primary.img)
secondary – The secondary boot image (secondary.img)
<hash code> – The hash code to verify
The following examples show how the verify command can be used in a variety of circumstances.
To generate an MD5 hash value for the secondary image, enter the following command.
TurboIron#verify md5 secondary
TurboIron#.........................Done
Size = 2044830, MD5 01c410d6d153189a4a5d36c955653862
To generate a SHA-1 hash value for the secondary image, enter the following command.
TurboIron#verify sha secondary
TurboIron#.........................Done
Size = 2044830, SHA1 49d12d26552072337f7f5fcaef4cf4b742a9f525
To generate a CRC32 hash value for the secondary image, enter the following command.
TurboIron#verify crc32 secondary
TurboIron#.........................Done
Size = 2044830, CRC32 b31fcbc0
To verify the hash value of a secondary image with a known value, enter the following commands.
TurboIron#verify md5 secondary 01c410d6d153189a4a5d36c955653861
TurboIron#.........................Done
Size = 2044830, MD5 01c410d6d153189a4a5d36c955653862 Verification FAILED.
In the previous example, the codes did not match, and verification failed. If verification succeeds, the output will look like this.
TurboIron#verify md5 secondary 01c410d6d153189a4a5d36c955653861
TurboIron#.........................Done
Size = 2044830, MD5 01c410d6d153189a4a5d36c955653861 Verification SUCEEDED.
The following examples show this process for SHA-1 and CRC32 algorithms.
TurboIron#verify sha secondary 49d12d26552072337f7f5fcaef4cf4b742a9f525
TurboIron#.........................Done
Size = 2044830, sha 49d12d26552072337f7f5fcaef4cf4b742a9f525 Verification SUCCEEDED.
and
TurboIron#verify crc32 secondary b31fcbc0
TurboIron#.........................Done
Size = 2044830, CRC32 b31fcbc0 Verification SUCCEEDED.
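The check above can also be made off the device. The following Python is an added example, not part of the Brocade guide: it parses the "Size = ..., <ALG> <hash>" line printed by the verify command, recomputes the same hash over a trusted local copy of the image, and lists any mismatch. The function names are hypothetical, and it assumes the device's crc32 is the common zlib CRC-32, which the guide does not state.

```python
"""Cross-check a switch's verify output against a trusted local copy of the image."""
import hashlib
import re
import zlib

# Labels exactly as they appear in the guide's sample output: MD5, SHA1, sha, CRC32.
_LABELS = {"md5": "md5", "sha1": "sha1", "sha": "sha1", "crc32": "crc32"}
_VERIFY_RE = re.compile(
    r"Size\s*=\s*(\d+),\s*(MD5|SHA1|SHA|CRC32)\s+([0-9a-f]+)", re.IGNORECASE
)


def parse_verify_output(text):
    """Return (size, algorithm, hex_digest) from captured verify output."""
    match = _VERIFY_RE.search(text)
    if match is None:
        raise ValueError("no 'Size = <n>, <ALG> <hash>' line in the output")
    size, label, digest = match.groups()
    return int(size), _LABELS[label.lower()], digest.lower()


def digest_file(path, algorithm, chunk_size=1 << 20):
    """Stream a file and return (size, hex_digest) for md5, sha1 or crc32."""
    hasher = None if algorithm == "crc32" else hashlib.new(algorithm)
    size, crc = 0, 0
    with open(path, "rb") as handle:
        while chunk := handle.read(chunk_size):
            size += len(chunk)
            if hasher is None:
                # Assumption: the device's crc32 is the common zlib/IEEE CRC-32.
                # A CRC only catches accidental corruption, not a crafted change.
                crc = zlib.crc32(chunk, crc)
            else:
                hasher.update(chunk)
    return size, (f"{crc:08x}" if hasher is None else hasher.hexdigest())


def compare_with_device(reference_path, device_output):
    """Return a list of mismatches; an empty list means size and hash agree."""
    dev_size, algorithm, dev_digest = parse_verify_output(device_output)
    ref_size, ref_digest = digest_file(reference_path, algorithm)
    problems = []
    if dev_size != ref_size:
        problems.append(f"size: device {dev_size}, reference {ref_size}")
    if dev_digest != ref_digest:
        problems.append(f"{algorithm}: device {dev_digest}, reference {ref_digest}")
    return problems


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed stand-in for an image file; not a real TurboIron image.
    image = b"constructed image bytes " * 4096
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(image)
    try:
        good = (f"TurboIron#verify sha secondary\n"
                f"Size = {len(image)}, SHA1 {hashlib.sha1(image).hexdigest()}")
        print(compare_with_device(tmp.name, good) or "match")
        bad = f"Size = {len(image)}, CRC32 {zlib.crc32(image) ^ 1:08x}"
        print(compare_with_device(tmp.name, bad))
    finally:
        os.unlink(tmp.name)
```

Comparing against a copy fetched from the same TFTP server only shows that the transfer was intact; use a reference copy or hash obtained from the vendor to detect a replaced image.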

Image file types

This section lists the boot and flash image file types supported on the TurboIron X Series of switches and how to install them. For information about a specific version of code, refer to the release notes.
TABLE 16 Software image files
Product | Boot image | Flash image
TurboIron X Series | TRZxxxxx.bin | TISxxxxx.bin (Layer 2)

Upgrading software

Use the following procedures to upgrade the software.

Upgrading the boot code

Follow the steps given below to upgrade the boot code.
1. Place the new boot code on a TFTP server to which the device has access.
2. Enter the following command at the Privileged EXEC level of the CLI to copy the boot code from the TFTP server into flash memory:
copy tftp flash <ip-addr> <image-file-name> bootrom
NOTE
Use the copy tftp flash command to copy the boot code to the device only during a maintenance window. Attempting to do so during normal networking operations can cause disruption to the network.
3. Verify that the code has been successfully copied by entering the following command at any level of the CLI:
show flash
The output will display the compressed boot ROM code size and the boot code version.
4. Upgrade the flash code as instructed in the following section.

Upgrading the flash code

Follow the steps given below to upgrade the flash code.
1. Place the new flash code on a TFTP server to which the device has access.
2. Enter the following command at the Privileged EXEC level of the CLI to copy the flash code from the TFTP server into the flash memory.
copy tftp flash <ip-addr> <image-file-name> primary | secondary
3. Verify that the flash code has been successfully copied by entering the following command at any level of the CLI.
show flash
4. If the flash code version is correct, go to step 5. Otherwise, go to step 1.
5. Reload the software by entering one of the following commands:
reload (this command boots from the default boot source, which is the primary flash area by default)
hitless-reload primary | secondary
boot system flash primary | secondary
The boot system flash process occurs after a boot system flash primary/secondary command is entered and gives an administrator the opportunity to make last minute changes or corrections before performing a reload. The example below shows the confirmation step.
TurboIron#boot system flash primary
Are you sure? (enter ‘Y’ or ‘N’): y

Boot code synchronization feature

When the new boot image is copied into the active module, it is automatically synchronized with the redundant management module.
There is currently no option for manual synchronization of the boot image.
To activate the boot synchronization process, enter the following command.
TurboIron#copy tftp flash 192.168.255.102 GRZ04100.bin bootrom
The system responds with the following message.
TurboIron#Load to buffer (8192 bytes per dot)
..................Write to boot flash......................
TFTP to Flash Done.
TurboIron#Synchronizing with standby module...
Boot image synchronization done.

Using SNMP to upgrade software

You can use a third-party SNMP management application to upgrade software on a device.
NOTE
Brocade recommends that you make a backup copy of the startup-config file before you upgrade the software. If you need to run an older release, you will need to use the backup copy of the startup-config file.
1. Configure a read-write community string on the device, if one is not already configured. To configure a read-write community string, enter the following command from the global CONFIG level of the CLI.
snmp-server community <string> ro | rw
where <string> is the community string and can be up to 32 characters long.
2. On the device, enter the following command from the global CONFIG level of the CLI.
no snmp-server pw-check
This command disables password checking for SNMP set requests. If a third-party SNMP management application does not add a password to the password field when it sends SNMP set requests to a device, by default the device rejects the request.

Changing the block size for TFTP file transfers

When you use TFTP to copy a file to or from a device, the device transfers the data in blocks of 8192 bytes by default. You can change the block size to one of the following if needed:
4096
2048
1024
512
256
128
64
32
16
To change the block size for TFTP file transfers, enter a command such as the following at the global CONFIG level of the CLI.
TurboIron(config)#flash 2047
set flash copy block size to 2048
Syntax: [no] flash <num>
The software rounds up the <num> value you enter to the next valid power of two, and displays the resulting value. In this example, the software rounds the value up to 2048.
NOTE
If the value you enter is one of the valid powers of two for this parameter, the software still rounds the value up to the next valid power of two. Thus, if you enter 2048, the software rounds the value up to 4096.

Rebooting

You can use boot commands to immediately initiate software boots from a software image stored in primary or secondary flash on a device or from a BootP or TFTP server. You can test new versions of code on a device or choose the preferred boot source from the console boot prompt without requiring a system reset.
NOTE
It is very important that you verify a successful TFTP transfer of the boot code before you reset the system. If the boot code is not transferred successfully but you try to reset the system, the system will not have the boot code with which to successfully boot.
By default, the device first attempts to boot from the image stored in its primary flash, then its secondary flash, and then from a TFTP server. You can modify this booting sequence at the global CONFIG level of the CLI using the boot system… command.
To initiate an immediate boot from the CLI, enter one of the boot system… commands.
NOTE
If you are booting the device from a TFTP server through a fiber connection, use the following command: boot system tftp <ip-address> <filename> fiber-port.

Displaying the boot preference

Use the show boot-preference command to display the boot sequence in the startup config and running config files. The boot sequence displayed is also identified as either user-configured or the default.
The following example shows the default boot sequence preference.
TurboIron#show boot-preference
Boot system preference (Configured):
        Use Default
Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary
The following example shows a user-configured boot sequence preference.
TurboIron#show boot-preference
Boot system preference(Configured):
        Boot system flash secondary
        Boot system tftp 10.1.1.1 TIX04200b1.bin
        Boot system flash primary
Boot system preference (Default)
        Boot system flash primary
        Boot system flash secondary
Syntax: show boot-preference
The results of the show run command for the configured example above appear as follows.
TurboIron#show run
Current Configuration:
!
boot sys fl sec
boot sys df 10.1.1.1 TIX04200b1.bin
boot sys fl pri
ip address 10.1.1.4 255.255.255.0
snmp-client 10.1.1.1
!
end

Loading and saving configuration files

For easy configuration management, all devices support both the download and upload of configuration files between the devices and a TFTP server on the network.
You can upload either the startup configuration file or the running configuration file to the TFTP server for backup and use in booting the system:
Startup configuration file – This file contains the configuration information that is currently saved in flash. To display this file, enter the show configuration command at any CLI prompt.
Running configuration file – This file contains the configuration active in the system RAM but not yet saved to flash. These changes could represent a short-term requirement or general configuration change. To display this file, enter the show running-config or write terminal command at any CLI prompt.
Each device can have one startup configuration file and one running configuration file. The startup configuration file is shared by both flash modules. The running configuration file resides in DRAM.
When you load the startup-config file, the CLI parses the file three times.
1. During the first pass, the parser searches for system-max commands. A system-max command changes the size of statically configured memory.
2. During the second pass, the parser implements the system-max commands if present and also implements trunk configuration commands (trunk command) if present.
3. During the third pass, the parser implements the remaining commands.

Replacing the startup configuration with the running configuration

After you make configuration changes to the active system, you can save those changes by writing them to flash memory. When you write configuration changes to flash memory, you replace the startup configuration with the running configuration.
To replace the startup configuration with the running configuration, enter the following command at any Enable or CONFIG command prompt.
TurboIron#write memory

Replacing the running configuration with the startup configuration

If you want to back out of the changes you have made to the running configuration and return to the startup configuration, enter the following command at the Privileged EXEC level of the CLI.
TurboIron#reload

Logging changes to the startup-config file

You can configure a device to generate a Syslog message when the startup-config file is changed. The trap is enabled by default.
The following Syslog message is generated when the startup-config file is changed.
startup-config was changed
If the startup-config file was modified by a valid user, the following Syslog message is generated.
startup-config was changed by <username>
To disable or re-enable Syslog messages when the startup-config file is changed, use the following command.
Syntax: [no] logging enable config-changed

Copying a configuration file to or from a TFTP server

To copy the startup-config or running-config file to a TFTP server using the CLI, use one of the following commands.
NOTE
You can name the configuration file when you copy it to a TFTP server.
copy startup-config tftp <tftp-ip-addr> <filename> – Use this command to upload a copy of the startup configuration file from the device to a TFTP server.
copy running-config tftp <tftp-ip-addr> <filename> – Use this command to upload a copy of the running configuration file from the device to a TFTP server.
To copy the startup-config or running-config file from a TFTP server using the CLI, use one of the following commands.
NOTE
When you copy a configuration file from the TFTP server to a device, the filename should not contain the "/" and "\" characters. If required, you can specify the filename along with its path, for example, “ip/turboiron/config1.txt”. However, the file is always copied as “startup-config” or “running-config”, depending on which type of file you saved to the server.
copy tftp startup-config <tftp-ip-addr> <filename> – Use this command to download a copy of the startup configuration file from a TFTP server to a device.
copy tftp running-config <tftp-ip-addr> <filename> – Use this command to download a copy of the running configuration file from a TFTP server to a device.

Dynamic configuration loading

You can load dynamic configuration commands (commands that do not require a reload to take effect) from a file on a TFTP server into the running-config on the device. You can make configuration changes off-line, then load the changes directly into the device running-config, without reloading the software.
Usage considerations
Use this feature only to load configuration information that does not require a software reload to take effect. For example, you cannot use this feature to change statically configured memory (system-max command) or to enter trunk group configuration information into the running-config.
Do not use this feature if you have deleted a trunk group but have not yet placed the changes into effect by saving the configuration and then reloading. When you delete a trunk group, the command to configure the trunk group is removed from the device running-config, but the trunk group remains active. To finish deleting a trunk group, save the configuration (to the startup-config file), then reload the software. After you reload the software, you can load the configuration from the file.
Do not load port configuration information for secondary ports in a trunk group. Since all ports in a trunk group use the port configuration settings of the primary port in the group, the software cannot implement the changes to the secondary port.
Preparing the configuration file
A configuration file that you create must follow the same syntax rules as the startup-config file the device creates.
The configuration file is a script containing CLI configuration commands. The CLI reacts to each command entered from the file in the same way the CLI reacts to the command if you enter it. For example, if the command results in an error message or a change to the CLI configuration level, the software responds by displaying the message or changing the CLI level.
The software retains the running-config that is currently on the device, and changes the running-config only by adding new commands from the configuration file. If the running-config already contains a command that is also in the configuration file you are loading, the CLI rejects the new command as a duplicate and displays an error message. For example, if the running-config already contains a command that configures ACL 1, the software rejects ACL 1 in the configuration file, and displays a message that ACL 1 is already configured.
The file can contain global CONFIG commands or configuration commands for interfaces, routing protocols, and so on. You cannot enter User EXEC or Privileged EXEC commands.
The default CLI configuration level in a configuration file is the global CONFIG level. Thus, the first command in the file must be a global CONFIG command or “ ! ”. The ! (exclamation point) character means “return to the global CONFIG level”.
NOTE
You can enter text following “ ! ” as a comment. However, the “ ! ” is not a comment marker. It returns the CLI to the global configuration level.
NOTE
If you copy-and-paste a configuration into a management session, the CLI ignores the “ ! ” instead of changing the CLI to the global CONFIG level. As a result, you might get different results if you copy-and-paste a configuration instead of loading the configuration using TFTP.
Make sure you enter each command at the correct CLI level. Since some commands have identical forms at both the global CONFIG level and individual configuration levels, if the CLI response to the configuration file results in the CLI entering a configuration level you did not intend, then you can get unexpected results.
For example, if a trunk group is active on the device, and the configuration file contains a command to disable STP on one of the secondary ports in the trunk group, the CLI rejects the commands to enter the interface configuration level for the port and moves on to the next command in the file you are loading. If the next command is a spanning-tree command whose syntax is valid at the global CONFIG level as well as the interface configuration level, then the software applies the command globally. Here is an example.
The configuration file contains these commands.
interface ethernet 2
no spanning-tree
The CLI responds like this.
TurboIron(config)#interface ethernet 2
Error - cannot configure secondary ports of a trunk
TurboIron(config)#no spanning-tree
TurboIron(config)#
If the file contains commands that must be entered in a specific order, the commands must appear in the file in the required order. For example, if you want to use the file to replace an IP address on an interface, you must first remove the old address using “no” in front of the ip address command, then add the new address. Otherwise, the CLI displays an error message and does not implement the command. Here is an example.
The configuration file contains these commands.
interface ethernet 11
ip address 10.10.10.69/24
The running-config already has a command to add an address to port 11, so the CLI responds like this.
TurboIron(config)#interface ethernet 11
TurboIron(config-if-e10000-11)#ip add 10.10.10.69/24
Error: can only assign one primary ip address per subnet
TurboIron(config-if-e10000-11)#
To successfully replace the address, enter commands into the file as follows.
interface ethernet 11
no ip address 10.20.20.69/24
ip address 10.10.10.69/24
This time, the CLI accepts the command, and no error message is displayed.
TurboIron(config)#interface ethernet 11
TurboIron(config-if-e10000-11)#no ip add 10.20.20.69/24
TurboIron(config-if-e10000-11)#ip add 10.10.10.69/24
TurboIron(config-if-e10000-11)
Always use the end command at the end of the file. The end command must appear on the last line of the file, by itself.
Loading the configuration information into the running-config
To load the file from a TFTP server, use either of the following commands:
copy tftp running-config <ip-addr> <filename>
ncopy tftp <ip-addr> <filename> running-config
NOTE
If you are loading a configuration file that uses a truncated form of the CLI command access-list, the software will not go into batch mode.
For example, the following command line will initiate batch mode.
access-list 131 permit host pc1 host pc2
The following command line will not initiate batch mode.
acc 131 permit host pc1 host pc2
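An added example, not from the Brocade guide: a pre-flight check in Python that applies the file rules above (end on the last line by itself, no system-max or trunk commands, no truncated access-list, no ip address added over an existing one) before the file is loaded with copy tftp running-config. The function and class names are hypothetical; the 64K figure is the guide's running-config limit, read here as 65536 bytes, and the running-config text is supplied by the caller.

```python
"""Pre-flight checks for a file meant for copy tftp running-config (added example)."""
from dataclasses import dataclass

MAX_CONFIG_BYTES = 64 * 1024           # guide says "64K"; 65536 bytes is an assumption
RELOAD_ONLY = ("system-max", "trunk")  # the guide says these need a reload


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the file; 0 for whole-file findings
    severity: str  # "error" or "warning"
    message: str


def _normalise(raw):
    """Collapse runs of whitespace so indented show-run lines compare equal."""
    return " ".join(raw.split())


def interface_addresses(config_text):
    """Map each 'interface ...' line to the 'ip address' values under it."""
    addresses, current = {}, None
    for raw in config_text.splitlines():
        line = _normalise(raw)
        if line.startswith("!") or line == "end":
            current = None  # "!" returns the CLI to the global CONFIG level
        elif line.startswith("interface "):
            current = line
            addresses.setdefault(current, set())
        elif current and line.startswith("ip address "):
            addresses[current].add(line[len("ip address "):])
    return addresses


def lint_dynamic_config(file_text, running_config=""):
    """Return Findings for a file to be loaded into the running-config."""
    findings = []
    lines = file_text.splitlines()
    if len(file_text.encode("utf-8")) > MAX_CONFIG_BYTES:
        findings.append(Finding(0, "error", "file alone exceeds the 64K limit"))
    if not lines or lines[-1].strip() != "end":
        findings.append(Finding(len(lines), "error",
                                "last line must be 'end', by itself"))

    existing = interface_addresses(running_config)
    current, removed = None, set()
    for number, raw in enumerate(lines, start=1):
        line = _normalise(raw)
        if not line:
            continue
        if line.startswith("!") or line == "end":
            if line == "end" and number != len(lines):
                findings.append(Finding(number, "error", "'end' before the last line"))
            current = None
            continue
        first = line.split()[0]
        if first in RELOAD_ONLY:
            findings.append(Finding(number, "error",
                                    f"'{first}' needs a reload; not loadable dynamically"))
        elif first != "access-list" and len(first) >= 3 and "access-list".startswith(first):
            # Assumption: any proper prefix of three or more letters counts as truncated.
            findings.append(Finding(number, "warning",
                                    "truncated access-list will not start batch mode"))
        elif line.startswith("interface "):
            current, removed = line, set()
        elif current and line.startswith("no ip address "):
            removed.add(line[len("no ip address "):])
        elif current and line.startswith("ip address "):
            new = line[len("ip address "):]
            still_there = existing.get(current, set()) - removed
            if new in still_there:
                findings.append(Finding(number, "error",
                                        "duplicate of a running-config command"))
            elif still_there:
                findings.append(Finding(number, "warning",
                                        "interface already has " + ", ".join(sorted(still_there))
                                        + "; remove it with 'no ip address' first"))
    return findings
```

Only the full ip address and no ip address forms are recognised, and only interface blocks are tracked; other configuration levels are treated as global.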

Maximum file sizes for startup-config file and running-config

Each device has a maximum allowable size for the running-config and the startup-config file. If you use TFTP to load additional information into a device running-config or startup-config file, it is possible to exceed the maximum allowable size. If this occurs, you will not be able to save the configuration changes.
The maximum size for the running-config and the startup-config file is 64K each.
To determine the size of a running-config or startup-config file, copy it to a TFTP server, then use the directory services on the server to list the size of the copied file. To copy the running-config or startup-config file to a TFTP server, use one of the following commands:
Commands to copy the running-config to a TFTP server:
copy running-config tftp <ip-addr> <filename>
ncopy running-config tftp <ip-addr> <from-name>
Commands to copy the startup-config file to a TFTP server:
copy startup-config tftp <ip-addr> <filename>
ncopy startup-config tftp <ip-addr> <from-name>

Scheduling a system reload

In addition to reloading the system manually, you can configure the device to reload itself at a specific time or after a specific amount of time has passed.
NOTE
The scheduled reload feature requires the system clock. You can use a Simple Network Time Protocol (SNTP) server to set the clock or you can set the device clock manually. Refer to “Specifying a Simple Network Time Protocol (NTPv4) server” on page 28 or “Setting the system clock” on page 29.

Reloading at a specific time

To schedule a system reload for a specific time, use the reload at command. For example, to schedule a system reload from the primary flash module for 6:00:00 AM, April 1, 2003, enter the following command at the global CONFIG level of the CLI.
TurboIron#reload at 06:00:00 04-01-03
Syntax: reload at <hh:mm:ss> <mm-dd-yy> [primary | secondary]
<hh:mm:ss> is hours, minutes, and seconds.
<mm-dd-yy> is month, day, and year.
primary | secondary specifies whether the reload is to occur from the primary code flash module or the secondary code flash module. The default is primary.

Reloading after a specific amount of time

To schedule a system reload to occur after a specific amount of time has passed on the system clock, use the reload after command. For example, to schedule a system reload from the secondary flash one day and 12 hours later, enter the following command at the global CONFIG level of the CLI.
TurboIron#reload after 01:12:00 secondary
Syntax: reload after <dd:hh:mm> [primary | secondary]
<dd:hh:mm> is the number of days, hours, and minutes.
primary | secondary specifies whether the reload is to occur from the primary code flash module or the secondary code flash module.

Displaying the amount of time remaining before a scheduled reload

To display how much time is remaining before a scheduled system reload, enter the following command from any level of the CLI.
TurboIron#show reload

Canceling a scheduled reload

To cancel a scheduled system reload using the CLI, enter the following command at the global CONFIG level of the CLI.
TurboIron#reload cancel

Diagnostic error codes and remedies for TFTP transfers

If an error occurs with a TFTP transfer to or from a device, one of the following error codes is displayed on the console.
TABLE 17 Diagnostic error codes for TFTP transfer
Error code | Message | Explanation and action
1 | Flash read preparation failed. | A flash error occurred during the download. Retry the download. If it fails again, contact customer support.
2 | Flash read failed. |
3 | Flash write preparation failed. |
4 | Flash write failed. |
5 | TFTP session timeout. | TFTP failed because of a time out. Check IP connectivity and make sure the TFTP server is running.
6 | TFTP out of buffer space. | The file is larger than the amount of room on the device or TFTP server. If you are copying an image file to flash, first copy the other image to your TFTP server, then delete it from flash. (Use the erase flash... CLI command at the Privileged EXEC level to erase the image in the flash.) If you are copying a configuration file to flash, edit the file to remove unneeded information, then try again.
7 | TFTP busy, only one TFTP session can be active. | Another TFTP transfer is active on another CLI session or Brocade Network Advisor session. Wait, then retry the transfer.
8 | File type check failed. | You accidentally attempted to copy the incorrect image code into the system. Retry the transfer using the correct image.
16 | TFTP remote - general error. | The TFTP configuration has an error. The specific error message describes the error. Correct the error, then retry the transfer.
17 | TFTP remote - no such file. |
18 | TFTP remote - access violation. |
19 | TFTP remote - disk full. |
20 | TFTP remote - illegal operation. |
21 | TFTP remote - unknown transfer ID. |
22 | TFTP remote - file already exists. |
23 | TFTP remote - no such user. |

Chapter 5

Securing Access to Management Functions

In this chapter
Securing access methods
Restricting remote access to management functions
Setting passwords
Setting up local user accounts
Configuring TACACS/TACACS+ security
Configuring RADIUS security
Configuring authentication-method lists
This chapter explains how to secure access to management functions on a device.
NOTE
For all devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.

Securing access methods

The following table lists the management access methods available on a device, how they are secured by default, and the ways in which they can be secured.
TABLE 18 Ways to secure management access to devices

| Access method | How the access method is secured by default | Ways to secure the access method | See page |
|---|---|---|---|
| Serial access to the CLI | Not secured | Establish passwords for management privilege levels | page 74 |
| Access to the Privileged EXEC and CONFIG levels of the CLI | Not secured | Establish a password for Telnet access to the CLI | page 74 |
| | | Establish passwords for management privilege levels | page 74 |
| | | Set up local user accounts | page 78 |
| | | Configure TACACS/TACACS+ security | page 84 |
| | | Configure RADIUS security | page 100 |
| Telnet access | Not secured | Regulate Telnet access using ACLs | page 65 |
| | | Allow Telnet access only from specific IP addresses | page 68 |
| | | Restrict Telnet access based on a client MAC address | page 69 |
| | | Allow Telnet access only from specific MAC addresses | page 70 |
| | | Specify the maximum number of login attempts for Telnet access | page 70 |
| | | Disable Telnet access | page 73 |
| | | Establish a password for Telnet access | page 74 |
| | | Establish passwords for privilege levels of the CLI | page 74 |
| | | Set up local user accounts | page 78 |
| | | Configure TACACS/TACACS+ security | page 84 |
| | | Configure RADIUS security | page 100 |
| Secure Shell (SSH) access | Not configured | Configure SSH | page 945 |
| | | Regulate SSH access using ACLs | page 66 |
| | | Allow SSH access only from specific IP addresses | page 68 |
| | | Allow SSH access only from specific MAC addresses | page 69 |
| | | Establish passwords for privilege levels of the CLI | page 74 |
| | | Set up local user accounts | page 78 |
| | | Configure TACACS/TACACS+ security | page 84 |
| | | Configure RADIUS security | page 100 |
| SNMP (Brocade Network Advisor) access | SNMP read or read-write community strings and the password to the Super User privilege level. NOTE: SNMP read or read-write community strings are always required for SNMP access to the device. | Regulate SNMP access using ACLs | page 66 |
| | | Allow SNMP access only from specific IP addresses | page 68 |
| | | Disable SNMP access | page 73 |
| | | Allow SNMP access only to clients connected to a specific VLAN | page 71 |
| | | Establish passwords to management levels of the CLI | page 74 |
| | | Set up local user accounts | page 78 |
| | | Establish SNMP read or read-write community strings | page 84 |
| TFTP access | Not secured | Allow TFTP access only to clients connected to a specific VLAN | page 71 |
| | | Disable TFTP access | page 73 |

Restricting remote access to management functions

You can restrict access to management functions from remote sources, including Telnet and SNMP. The following methods for restricting remote access are supported:
Using ACLs to restrict Telnet or SNMP access
Allowing remote access only from specific IP addresses
Allowing Telnet and SSH access only from specific MAC addresses
Allowing remote access only to clients connected to a specific VLAN
Specifically disabling Telnet or SNMP access to the device
The following sections describe how to restrict remote access to a device using these methods.

Using ACLs to restrict remote access

You can use standard ACLs to control the following access methods to management functions on a device:
Telnet
SSH
SNMP
To configure access control for these management access methods, complete the following steps.
1. Configure an ACL with the IP addresses you want to allow to access the device.
2. Configure a Telnet access group, SSH access group, Web access group, and SNMP community strings. Each of these configuration items accepts an ACL as a parameter. The ACL contains entries that identify the IP addresses that can use the access method.
The following sections present examples of how to secure management access using ACLs. Refer to Chapter 28, “Configuring Rule-Based IP Access Control Lists” for more information on configuring ACLs.
Using an ACL to restrict Telnet access
To configure an ACL that restricts Telnet access to the device, enter commands such as the following.

TurboIron(config)#access-list 10 deny host 10.157.22.32 log
TurboIron(config)#access-list 10 deny 10.157.23.0 0.0.0.255 log
TurboIron(config)#access-list 10 deny 10.157.24.0 0.0.0.255 log
TurboIron(config)#access-list 10 deny 10.157.25.0/24 log
TurboIron(config)#access-list 10 permit any
TurboIron(config)#telnet access-group 10
TurboIron(config)#write memory

Syntax: telnet access-group <num>
The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
The commands above configure ACL 10, then apply the ACL as the access list for Telnet access. The device allows Telnet access to all IP addresses except those listed in ACL 10.
To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL.
Example

TurboIron(config)#access-list 10 permit host 10.157.22.32
TurboIron(config)#access-list 10 permit 10.157.23.0 0.0.0.255
TurboIron(config)#access-list 10 permit 10.157.24.0 0.0.0.255
TurboIron(config)#access-list 10 permit 10.157.25.0/24
TurboIron(config)#telnet access-group 10
TurboIron(config)#write memory

The ACL in this example permits Telnet access only to the IP addresses in the permit entries and denies Telnet access from all other IP addresses.
Using an ACL to restrict SSH access
To configure an ACL that restricts SSH access to the device, enter commands such as the following.

TurboIron(config)#access-list 12 deny host 10.157.22.98 log
TurboIron(config)#access-list 12 deny 10.157.23.0 0.0.0.255 log
TurboIron(config)#access-list 12 deny 10.157.24.0/24 log
TurboIron(config)#access-list 12 permit any
TurboIron(config)#ssh access-group 12
TurboIron(config)#write memory

Syntax: ssh access-group <num>
The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
These commands configure ACL 12, then apply the ACL as the access list for SSH access. The device denies SSH access from the IP addresses listed in ACL 12 and permits SSH access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny SSH access from all IP addresses.
In this example, the command ssh access-group 10 could have been used to apply the ACL configured in the example for Telnet access. You can use the same ACL multiple times.
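The two ACL styles shown above (deny entries followed by permit any, and permit entries only) can be told apart offline in a saved configuration. The following Python sketch is an added example, not part of the Brocade guide or software; the function names are hypothetical, the sample configuration is constructed from the commands above, and it assumes entries are evaluated top-down with the first match deciding.

```python
import ipaddress

# Constructed sample: the SSH (ACL 12) and restrictive Telnet (ACL 10) examples above.
SAMPLE_CONFIG = """\
access-list 12 deny host 10.157.22.98 log
access-list 12 deny 10.157.23.0 0.0.0.255 log
access-list 12 deny 10.157.24.0/24 log
access-list 12 permit any
access-list 10 permit host 10.157.22.32
access-list 10 permit 10.157.23.0 0.0.0.255
access-list 10 permit 10.157.24.0 0.0.0.255
access-list 10 permit 10.157.25.0/24
ssh access-group 12
telnet access-group 10
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_source(tokens):
    """Convert the source part of a standard ACL entry to an IPv4Network."""
    if tokens[0] == "any":
        return ANY
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    if "/" in tokens[0]:
        return ipaddress.ip_network(tokens[0], strict=False)
    # Wildcard mask: invert by hand; ipaddress would read wildcard 0.0.0.0 as /0, not one host.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False)

def load(config):
    """Return ({acl number: [(action, network)]}, {service: acl number})."""
    acls, bindings = {}, {}
    for tokens in map(str.split, config.splitlines()):
        if tokens[:1] == ["access-list"]:
            acls.setdefault(tokens[1], []).append((tokens[2], parse_source(tokens[3:])))
        elif tokens[1:2] == ["access-group"]:
            bindings[tokens[0]] = tokens[2]
    return acls, bindings

def allowed(acl, src):
    """Assumed semantics: first matching entry decides; no match is denied."""
    ip = ipaddress.ip_address(src)
    return next((action == "permit" for action, net in acl if ip in net), False)

def audit(config):
    """Label each bound ACL by whether it contains a 'permit any' entry."""
    acls, bindings = load(config)
    return {svc: "default-permit" if ("permit", ANY) in acls[num] else "default-deny"
            for svc, num in bindings.items()}
```

A service reported as default-permit accepts management connections from every address not explicitly denied, which is the case the more restrictive permit-only ACL avoids.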
Using ACLs to restrict SNMP access
To restrict SNMP access to the device using ACLs, enter commands such as the following.