Dell PowerConnect B-RX Configuration manual

53-1001986-01

31 August 2010

BigIron RX Series

Configuration Guide

Supporting Multi-Service IronWare v02.7.03

Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.

The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.

The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find-out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.

Brocade Communications Systems, Incorporated

Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 Tel: 1-408-333-8000 Fax: 1-408-333-8101 E-mail: info@brocade.com

European Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour B - 4ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 5640 Fax: +41 22 799 5641 E-mail: emea-info@brocade.com

Asia-Pacific Headquarters Brocade Communications Systems China HK, Ltd. No. 1 Guanghua Road Chao Yang District Units 2718 and 2818 Beijing 100020, China Tel: +8610 6588 8888 Fax: +8610 6588 9999 E-mail: china-info@brocade.com

Asia-Pacific Headquarters Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Citic Plaza No. 233 Tian He Road North Unit 1308 – 13th Floor Guangzhou, China Tel: +8620 3891 2000 Fax: +8620 3891 2111 E-mail: china-info@brocade.com

Document History

Title Publication number Summary of changes Date

BigIron RX Series Configuration Guide 53-1001986-01 Release 02.7.03 features Aug 2010

About This Document

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xli

Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . xli

List of supported features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xli

Unsupported features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xliv

What’s new in this document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xlv

Enhancements in release 02.7.03 . . . . . . . . . . . . . . . . . . . . . . . xlv

Enhancements in release 02.7.02 . . . . . . . . . . . . . . . . . . . . . . xlvi

Enhancements in release 02.7.00 . . . . . . . . . . . . . . . . . . . . . . xlvii

Enhancements in release 02.6.00. . . . . . . . . . . . . . . . . . . . . xlviii

Enhancements in patch release 02.5.00c . . . . . . . . . . . . . . . . . li

Enhancements in patch release 02.5.00b . . . . . . . . . . . . . . . . . li

Enhancements in release 02.5.00. . . . . . . . . . . . . . . . . . . . . . . . li

Enhancements in patch release 02.4.00c . . . . . . . . . . . . . . . . .lii

Enhancements in release 02.4.00. . . . . . . . . . . . . . . . . . . . . . . liii

Enhancements in patch release 02.3.00a . . . . . . . . . . . . . . . . lvii

Enhancements in release 02.3.00. . . . . . . . . . . . . . . . . . . . . . lviii

Enhancements in release 02.2.01 . . . . . . . . . . . . . . . . . . . . . . lxiii

Enhancements in release 02.2.00g. . . . . . . . . . . . . . . . . . . . . lxvii

Enhancements in release 02.2.00. . . . . . . . . . . . . . . . . . . . . lxviii

Document conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .lxix

Text formatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lxix

Command syntax conventions . . . . . . . . . . . . . . . . . . . . . . . . . lxix

Notes, cautions, and danger notices . . . . . . . . . . . . . . . . . . . . lxix

Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lxx

Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lxx

Getting technical help or reporting errors . . . . . . . . . . . . . . . . . . . . . lxx

Web access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lxxi

E-mail and telephone access . . . . . . . . . . . . . . . . . . . . . . . . . . lxxi

Chapter 1 Getting Started with the Command Line Interface

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Logging on through the CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

On-line help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Command completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Scroll control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Line editing commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

EXEC commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Global level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

BigIron RX Series Configuration Guide iii 53-1001986-01

CONFIG commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Accessing the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Navigating among command levels . . . . . . . . . . . . . . . . . . . . . . . 8

CLI command structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Searching and filtering output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Allowable characters for LAG names . . . . . . . . . . . . . . . . . . . . .13

Syntax shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Saving configuration changes. . . . . . . . . . . . . . . . . . . . . . . . . . .14

Chapter 2 Getting Familiar With the BigIron RX Series Switch Management

Applications

How to manage BigIron RX Series switch . . . . . . . . . . . . . . . . . . . . .15

Logging on through the CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

On-line help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Command completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Scroll control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Line editing commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Searching and filtering output from CLI commands . . . . . . . . . 17

Allowable characters for LAG names . . . . . . . . . . . . . . . . . . . . .21

Logging on through the Web Management Interface . . . . . . . . . . . . 22

Web Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

Logging on through IronView Network Manager . . . . . . . . . . . . . . . . 24

Chapter 3 Using a Redundant Management Module

How management module redundancy works . . . . . . . . . . . . . . . . .25

Management module redundancy overview . . . . . . . . . . . . . . .25

Management module switchover . . . . . . . . . . . . . . . . . . . . . . . .26

Switchover implications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Management module redundancy configuration . . . . . . . . . . . . . . . 29

Changing the default active Chassis slot . . . . . . . . . . . . . . . . . .29

Managing management module redundancy. . . . . . . . . . . . . . . . . .29

File synchronization between the active and standby

management modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

Manually switching over to the standby management

module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

Rebooting the active and standby management

modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Monitoring management module redundancy . . . . . . . . . . . . . . . . .33

Determining management module status . . . . . . . . . . . . . . . . . 33

Displaying temperature information . . . . . . . . . . . . . . . . . . . . . .34

Displaying switchover information . . . . . . . . . . . . . . . . . . . . . . .34

iv BigIron RX Series Configuration Guide

53-1001986-01

Flash memory and PCMCIA flash card file management

commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Management focus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

Flash memory file system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

PCMCIA flash card file system. . . . . . . . . . . . . . . . . . . . . . . . . . .39

Wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Formatting a flash card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40

Determining the current management focus. . . . . . . . . . . . . . . 41

Switching the management focus . . . . . . . . . . . . . . . . . . . . . . . 41

Displaying a directory of the files . . . . . . . . . . . . . . . . . . . . . . . . 42

Displaying the contents of a file . . . . . . . . . . . . . . . . . . . . . . . . .44

Displaying the hexadecimal output of a file. . . . . . . . . . . . . . . .45

Creating a subdirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Removing a subdirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

Renaming a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

Changing the read-write attribute of a file . . . . . . . . . . . . . . . . .48

Deleting a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Recovering (“undeleting”) a file . . . . . . . . . . . . . . . . . . . . . . . . .50

Appending a file to another file. . . . . . . . . . . . . . . . . . . . . . . . . .51

Copying files using the copy command . . . . . . . . . . . . . . . . . . . 51

Copying files using the cp command . . . . . . . . . . . . . . . . . . . . .55

Loading the software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56

Saving configuration changes. . . . . . . . . . . . . . . . . . . . . . . . . . .58

File management messages. . . . . . . . . . . . . . . . . . . . . . . . . . . .59

System Monitoring Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59

Chapter 4 Securing Access to Management Functions

Securing access methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Restricting remote access to management functions . . . . . . . . . . .65

Using ACLs to restrict remote access . . . . . . . . . . . . . . . . . . . .65

Restricting remote access to the device to specific

IP addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68

Specifying the maximum number of login attempts for

Telnet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

Restricting remote access to the device to specific VLAN IDs . 69

Disabling specific access methods. . . . . . . . . . . . . . . . . . . . . . . 71

Setting passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72

Setting a Telnet password . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72

Setting passwords for management privilege levels . . . . . . . . .73

Recovering from a lost password . . . . . . . . . . . . . . . . . . . . . . . .75

Displaying the SNMP community string . . . . . . . . . . . . . . . . . . .75

Disabling password encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Specifying a minimum password length. . . . . . . . . . . . . . . . . . . 76

Setting up local user accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Configuring a local user account . . . . . . . . . . . . . . . . . . . . . . . .77

Username, password and login rules . . . . . . . . . . . . . . . . . . . . .79

Configuring the strict password feature . . . . . . . . . . . . . . . . . . .80

BigIron RX Series Configuration Guide v 53-1001986-01

Configuring SSL security for the Web Management Interface. . . . .82

Enabling the SSL server on the device. . . . . . . . . . . . . . . . . . . .83

Importing digital certificates and RSA private key files. . . . . . .83

Generating an SSL certificate . . . . . . . . . . . . . . . . . . . . . . . . . . .84

Configuring TACACS and TACACS+ security . . . . . . . . . . . . . . . . . . . .84

How TACACS+ differs from TACACS . . . . . . . . . . . . . . . . . . . . . . .84

TACACS and TACACS+ authentication, authorization,

and accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

TACACS and TACACS+ configuration considerations . . . . . . . . . 88

Enabling SNMP to configure TACACS and TACACS. . . . . . . . . . . 89

Identifying the TACACS and TACACS+ servers . . . . . . . . . . . . . . 89

Specifying different servers for individual AAA functions . . . . . 90

Setting optional TACACS and TACACS+ parameters . . . . . . . . .90

Configuring authentication-method lists for TACACS

and TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92

Configuring TACACS+ authorization . . . . . . . . . . . . . . . . . . . . . . 94

Configuring TACACS+ accounting . . . . . . . . . . . . . . . . . . . . . . . . 97

Configuring an interface as the source for all TACACS

and TACACS+ packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

Displaying TACACS and TACACS+ statistics and

configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

Configuring RADIUS security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100

RADIUS authentication, authorization, and accounting . . . . .100

RADIUS configuration considerations. . . . . . . . . . . . . . . . . . . .103

RADIUS configuration procedure . . . . . . . . . . . . . . . . . . . . . . .103

Configuring Brocade-specific attributes on the

RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

Enabling SNMP to configure RADIUS . . . . . . . . . . . . . . . . . . . .105

Identifying the RADIUS server to the BigIron RX . . . . . . . . . . .105

Specifying different servers for individual AAA functions . . . .106

Setting RADIUS parameters . . . . . . . . . . . . . . . . . . . . . . . . . . .106

Configuring authentication-method lists for RADIUS. . . . . . . . 107

Configuring RADIUS authorization . . . . . . . . . . . . . . . . . . . . . .108

Configuring RADIUS accounting . . . . . . . . . . . . . . . . . . . . . . . .110

Configuring an interface as the source for all RADIUS

packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111

Displaying RADIUS configuration information . . . . . . . . . . . . .112

Configuring authentication-method lists . . . . . . . . . . . . . . . . . . . . .113

Configuration considerations for authentication-

method lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114

Examples of authentication-method lists. . . . . . . . . . . . . . . . .115

Chapter 5 Configuring Basic Parameters

Entering system administration information. . . . . . . . . . . . . . . . . .117

Configuring Simple Network Management Protocol traps . . . . . . .118

Specifying an SNMP trap receiver . . . . . . . . . . . . . . . . . . . . . .118

Specifying a Single trap source. . . . . . . . . . . . . . . . . . . . . . . . .119

Setting the SNMP Trap holddown time. . . . . . . . . . . . . . . . . . .119

Disabling SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120

Disabling Syslog messages and traps for CLI access . . . . . . .121

vi BigIron RX Series Configuration Guide

53-1001986-01

Configuring an interface as source for all Telnet packets . . . . . . .122

Cancelling an outbound Telnet session . . . . . . . . . . . . . . . . . .123

Configuring an interface as the source for all TFTP packets . . . . .123

Configuring an interface as the source for Syslog packets . . . . . .123

Specifying a Simple Network Time Protocol (SNTP) server . . . . . .124

Setting the system clock. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126

New Daylight Saving Time (DST) . . . . . . . . . . . . . . . . . . . . . . . .127

Configuring CLI banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128

Setting a message of the day banner. . . . . . . . . . . . . . . . . . . .128

Setting a privileged EXEC CLI level banner . . . . . . . . . . . . . . .129

Displaying a message on the console when an incoming

Telnet session is detected. . . . . . . . . . . . . . . . . . . . . . . . . . . . .129

Configuring terminal display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130

Checking the length of terminal displays. . . . . . . . . . . . . . . . .130

Enabling or disabling routing protocols . . . . . . . . . . . . . . . . . . . . . .130

Displaying and modifying system parameter default settings . . . .131

Enabling or disabling Layer 2 switching . . . . . . . . . . . . . . . . . . . .133

CAM partitioning for the BigIron RX . . . . . . . . . . . . . . . . . . . . . . . . .134

Re-distributing CAM allocations . . . . . . . . . . . . . . . . . . . . . . . .134

Nexthop table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

Changing the MAC age time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136

Configuring static ARP entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136

Pinging an IPv4 address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

Chapter 6 Configuring Interface Parameters

Assigning a port name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139

Assigning an IP address to a port . . . . . . . . . . . . . . . . . . . . . . . . . .139

Speed/Duplex negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140

Disabling or re-enabling a port . . . . . . . . . . . . . . . . . . . . . . . . . . . .141

Changing the default Gigabit negotiation mode . . . . . . . . . . . . . . .141

Changing the negotiation mode . . . . . . . . . . . . . . . . . . . . . . . .142

Disabling or re-enabling flow control . . . . . . . . . . . . . . . . . . . . . . . .142

Specifying threshold values for flow control . . . . . . . . . . . . . .142

Locking a port to restrict addresses . . . . . . . . . . . . . . . . . . . . . . . .143

Wait for all cards feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143

Port transition hold timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144

Port flap dampening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144

Modifying port priority (QoS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145

Assigning a mirror port and monitor ports . . . . . . . . . . . . . . . . . . .146

Configuration guidelines for monitoring traffic . . . . . . . . . . . .146

Configuring port mirroring and monitoring. . . . . . . . . . . . . . . .146

BigIron RX Series Configuration Guide vii 53-1001986-01

Monitoring an individual trunk port . . . . . . . . . . . . . . . . . . . . . . . . .147

Mirror ports for Policy-Based Routing (PBR) traffic. . . . . . . . . . . . .148

About hardware-based PBR . . . . . . . . . . . . . . . . . . . . . . . . . . .148

Configuring mirror ports for PBR traffic . . . . . . . . . . . . . . . . . .149

Displaying mirror and monitor port configuration. . . . . . . . . . . . . .149

Enabling WAN PHY mode support . . . . . . . . . . . . . . . . . . . . . . . . . .150

Chapter 7 Configuring IP

Overview of configuring IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151

The IP packet flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151

ARP cache table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152

Static ARP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152

IP Route table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153

IP forwarding cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154

Basic IP parameters and defaults . . . . . . . . . . . . . . . . . . . . . . . . . .154

When parameter changes take effect . . . . . . . . . . . . . . . . . . .155

IP global parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155

IP interface parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158

Configuring IP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159

Configuring IP addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159

Changing the network mask display to prefix format . . . . . . . 162

Configuring the default gateway . . . . . . . . . . . . . . . . . . . . . . . .162

GRE IP tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163

IPv6 over IPv4 tunnels in hardware . . . . . . . . . . . . . . . . . . . . .168

Configuring Domain Name Server (DNS) resolver. . . . . . . . . .172

Adding host names to the DNS cache table . . . . . . . . . . . . . . 173

Configuring packet parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . .177

Changing the encapsulation type . . . . . . . . . . . . . . . . . . . . . . . 177

Setting maximum frame size per PPCR . . . . . . . . . . . . . . . . . .178

Changing the MTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179

Changing the router ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180

Specifying a single source interface for Telnet, TACACS,

TACACS+, or RADIUS packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181

Configuring an interface as the source for Syslog packets . . . . . .183

IP fragmentation protection . . . . . . . . . . . . . . . . . . . . . . . . . . .184

IP option attack protection . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

IP receive access list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

Configuring ARP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185

How ARP works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185

Rate limiting ARP packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186

Applying a rate limit to ARP packets on an interface. . . . . . . .187

Clearing the rate limit for ARP packets. . . . . . . . . . . . . . . . . . .188

Changing the ARP aging period. . . . . . . . . . . . . . . . . . . . . . . . .188

Creating a floating static ARP entry . . . . . . . . . . . . . . . . . . . . .190

Static route ARP validation check. . . . . . . . . . . . . . . . . . . . . . .191

viii BigIron RX Series Configuration Guide

53-1001986-01

Configuring forwarding parameters. . . . . . . . . . . . . . . . . . . . . . . . .192

Disabling ICMP messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194

Disabling ICMP redirect messages . . . . . . . . . . . . . . . . . . . . . .196

Configuring static routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197

Static route tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201

Configuring a default network route . . . . . . . . . . . . . . . . . . . . .206

Configuring IP load sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . .207

Default route ECMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210

IP receive access list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211

Configuring IRDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212

Configuring UDP broadcast and IP helper parameters . . . . . .214

Configuring BootP/DHCP forwarding parameters . . . . . . . . . .216

Displaying IP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218

Displaying IP interface information. . . . . . . . . . . . . . . . . . . . . .221

Displaying interface name in Syslog. . . . . . . . . . . . . . . . . . . . .222

Displaying ARP entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222

Displaying the forwarding cache. . . . . . . . . . . . . . . . . . . . . . . .224

Displaying the IP route table . . . . . . . . . . . . . . . . . . . . . . . . . . .226

Clearing IP routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229

Displaying IP traffic statistics . . . . . . . . . . . . . . . . . . . . . . . . . .229

Displaying TCP traffic statistics. . . . . . . . . . . . . . . . . . . . . . . . .232

Chapter 8 Link Aggregation

Link aggregation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235

LAG formation rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235

LAG load sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238

Migration from a pre-02.6.00 trunk or LACP configuration . . . . . .239

Configuration of a LAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240

Creating a Link Aggregation Group (LAG) . . . . . . . . . . . . . . . .240

Deploying a LAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243

Commands available under LAG once it is deployed . . . . . . .244

Configuring ACL-based mirroring. . . . . . . . . . . . . . . . . . . . . . . .244

Disabling ports within a LAG . . . . . . . . . . . . . . . . . . . . . . . . . . .244

Enabling ports within a LAG . . . . . . . . . . . . . . . . . . . . . . . . . . .245

Monitoring an individual LAG port . . . . . . . . . . . . . . . . . . . . . .245

Assigning a name to a port within a LAG . . . . . . . . . . . . . . . . .246

Enabling sFlow forwarding on a port within a LAG. . . . . . . . . .246

Setting the sFlow sampling rate for a port within a LAG . . . . .246

Displaying LAG information . . . . . . . . . . . . . . . . . . . . . . . . . . . .247

Displaying LAG statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250

Chapter 9 Configuring LLDP

Terms used in this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253

LLDP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253

Benefits of LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254

BigIron RX Series Configuration Guide ix 53-1001986-01

General operating principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255

Operating modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255

LLDP packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255

TLV support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256

MIB support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259

Syslog messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259

Configuring LLDP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259

Configuration notes and considerations . . . . . . . . . . . . . . . . .260

Enabling and disabling LLDP. . . . . . . . . . . . . . . . . . . . . . . . . . .260

Changing a port’s LLDP operating mode . . . . . . . . . . . . . . . . .261

Specifying the maximum number of LLDP neighbors. . . . . . .262

Enabling LLDP SNMP notifications and Syslog messages . . .263 Specifying the minimum time between SNMP traps and

Syslog messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263

Changing the minimum time between LLDP transmissions. .264 Changing the interval between regular LLDP transmissions .264

Changing the holdtime multiplier for transmit TTL . . . . . . . . .265

Changing the minimum time between port reinitializations. .265

LLDP TLVs advertised by the Brocade device . . . . . . . . . . . . .266

Displaying LLDP statistics and configuration settings. . . . . . .272

LLDP configuration summary . . . . . . . . . . . . . . . . . . . . . . . . . .272

LLDP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273

LLDP neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

LLDP neighbors detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275

LLDP configuration details . . . . . . . . . . . . . . . . . . . . . . . . . . . .277

Resetting LLDP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277

Chapter 10 Configuring Uni-Directional Link Detection (UDLD)

Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280

Configuring UDLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280

Changing the keepalive interval . . . . . . . . . . . . . . . . . . . . . . . .280

Changing the keepalive retries . . . . . . . . . . . . . . . . . . . . . . . . .280

Displaying UDLD information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281

Displaying information for all ports. . . . . . . . . . . . . . . . . . . . . .281

Displaying link-keepalive information . . . . . . . . . . . . . . . . . . . .281

Displaying information for a single port . . . . . . . . . . . . . . . . . .282

Clearing UDLD statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284

Chapter 11 VLANs

Overview of Virtual Local Area Networks (VLANs). . . . . . . . . . . . . .285

Tagged, untagged, and dual-mode ports . . . . . . . . . . . . . . . . .285

Protocol-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287

x BigIron RX Series Configuration Guide

53-1001986-01

VLAN configuration rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288

VLAN ID range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288

Tagged VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288

VLAN hierarchy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288

Multiple VLAN membership rules . . . . . . . . . . . . . . . . . . . . . . .288

Layer 2 control protocols on VLANs . . . . . . . . . . . . . . . . . . . . .289

Configuring port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289

VLAN byte accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290

Strictly or explicitly tagging a port . . . . . . . . . . . . . . . . . . . . . . .292

Assigning or changing a VLAN priority . . . . . . . . . . . . . . . . . . .292

Assigning a different ID to the default VLAN . . . . . . . . . . . . . .292

Configuring protocol-based VLANs. . . . . . . . . . . . . . . . . . . . . . . . . .293

Configuring an MSTP instance . . . . . . . . . . . . . . . . . . . . . . . . .294

Configuring virtual routing interfaces . . . . . . . . . . . . . . . . . . . . . . .294

Bridging and routing the same protocol simultaneously

on the same device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295

Integrated Switch Routing (ISR) . . . . . . . . . . . . . . . . . . . . . . . .296

VLAN groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297

Configuring a VLAN group . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297

Configuring super aggregated VLANs . . . . . . . . . . . . . . . . . . . . . . .299

Configuring aggregated VLANs . . . . . . . . . . . . . . . . . . . . . . . . .301

Complete CLI examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302

Configuring 802.1q-in-q tagging. . . . . . . . . . . . . . . . . . . . . . . . . . . .305

Configuration rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306

Enabling 802.1Q-in-Q tagging. . . . . . . . . . . . . . . . . . . . . . . . . .307

Example configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307

Configuring 802.1q tag-type translation . . . . . . . . . . . . . . . . . . . . .308

Configuration rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310

Enabling 802.1q tag-type translation. . . . . . . . . . . . . . . . . . . .311

Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312

Implementation notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313

Configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313

Configuring a private VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . .314

Enabling broadcast, multicast or unknown unicast traffic to the

private VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316

CLI example for Figure 30 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316

Other VLAN features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Allocating memory for more VLANs or virtual routing

interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317

Hardware flooding for Layer 2 multicast and broadcast

packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Unknown unicast flooding on VLAN ports . . . . . . . . . . . . . . . .318

Flow based MAC learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318

Configuring uplink ports within a port-based VLAN . . . . . . . . .319

Configuring control protocols in VLANs . . . . . . . . . . . . . . . . . .319

Other configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . .320

BigIron RX Series Configuration Guide xi 53-1001986-01

Displaying VLAN information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320

Displaying VLAN information. . . . . . . . . . . . . . . . . . . . . . . . . . .320

Displaying VLAN information for specific ports . . . . . . . . . . . .321

Displaying VLAN status and port types. . . . . . . . . . . . . . . . . . .321

Displaying VLAN group information . . . . . . . . . . . . . . . . . . . . .323

Transparent firewall mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323

Enabling a transparent firewall . . . . . . . . . . . . . . . . . . . . . . . .323

Chapter 12 Configuring Spanning Tree Protocol

IEEE 802.1D Spanning Tree Protocol (STP) . . . . . . . . . . . . . . . . . .325

Enabling or disabling STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325

Default STP bridge and port parameters . . . . . . . . . . . . . . . . .326

Changing STP bridge parameters . . . . . . . . . . . . . . . . . . . . . . .327

Changing STP port parameters. . . . . . . . . . . . . . . . . . . . . . . . .328

STP root guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328

Spanning Tree Protocol (STP) BPDU guard. . . . . . . . . . . . . . . .329

Displaying STP information . . . . . . . . . . . . . . . . . . . . . . . . . . . .330

IEEE Single Spanning Tree (SSTP) . . . . . . . . . . . . . . . . . . . . . . . . . .336

SSTP defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336

Enabling SSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337

Displaying SSTP information . . . . . . . . . . . . . . . . . . . . . . . . . . .338

PVST/PVST+ compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338

Overview of PVST and PVST+ . . . . . . . . . . . . . . . . . . . . . . . . . .339

VLAN tags and dual mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . .339

Enabling PVST+ support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340

Displaying PVST+ support information. . . . . . . . . . . . . . . . . . .340

Configuration examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341

SuperSpan™ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343

Customer ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344

BPDU forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344

Configuring SuperSpan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349

Chapter 13 Configuring Rapid Spanning Tree Protocol

Overview of Rapid Spanning Tree Protocol . . . . . . . . . . . . . . . . . . .353

Bridges and bridge port roles . . . . . . . . . . . . . . . . . . . . . . . . . .353

Assignment of port roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354

Ports on Switch 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355

Ports on Switch 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355

Ports on Switch 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355

Ports Switch 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356

Edge ports and edge port roles . . . . . . . . . . . . . . . . . . . . . . . . . . . .356

Point-to-point ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357

Bridge port states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357

Edge port and non-edge port states . . . . . . . . . . . . . . . . . . . . . . . .358

Changes to port roles and states. . . . . . . . . . . . . . . . . . . . . . . . . . .358

xii BigIron RX Series Configuration Guide

53-1001986-01

State machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358

Handshake mechanisms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359

Convergence in a simple topology . . . . . . . . . . . . . . . . . . . . . . . . . .369

Convergence at start up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370

Convergence after a link failure . . . . . . . . . . . . . . . . . . . . . . . .372

Convergence at link restoration . . . . . . . . . . . . . . . . . . . . . . . .373

Convergence in a complex RSTP topology. . . . . . . . . . . . . . . . . . . . 374

Propagation of topology change . . . . . . . . . . . . . . . . . . . . . . . .377

Compatibility of RSTP with 802.1D . . . . . . . . . . . . . . . . . . . . . . . . .380

Configuring RSTP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

Enabling or disabling RSTP in a port-based VLAN . . . . . . . . . .381

Enabling or disabling RSTP on a single spanning tree . . . . . .382

Disabling or enabling RSTP on a port. . . . . . . . . . . . . . . . . . . .382

Changing RSTP bridge parameters. . . . . . . . . . . . . . . . . . . . . .382

Changing port parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . .383

Fast port span . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384

Fast uplink span. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386

Displaying RSTP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388

Chapter 14 Metro Ring Protocol (MRP) Phase 1 and 2

Metro Ring Protocol (MRP) phase 1. . . . . . . . . . . . . . . . . . . . . . . . .393

MRP rings without shared interfaces . . . . . . . . . . . . . . . . . . . . . . .394

Ring initialization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395

How ring breaks are detected and healed . . . . . . . . . . . . . . . . . . .398

Master VLANs and customer VLANs in a topology group . . . . . . . .400

Configuring MRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402

Adding an MRP ring to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . .403

Changing the hello and preforwarding times. . . . . . . . . . . . . .404

MRP phase 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404

Ring initialization for shared interfaces. . . . . . . . . . . . . . . . . . . . . .406

How ring breaks are detected and healed between

shared interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406

Selection of master node . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407

RHP processing in rings with shared interfaces . . . . . . . . . . .407

Normal flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408

Flow when a link breaks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409

Configuring MRP with shared interfaces . . . . . . . . . . . . . . . . .409

Using MRP diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410

Enabling MRP diagnostics. . . . . . . . . . . . . . . . . . . . . . . . . . . . .410

Displaying MRP diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . .411

Displaying MRP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Displaying topology group information . . . . . . . . . . . . . . . . . . .411

Displaying ring information . . . . . . . . . . . . . . . . . . . . . . . . . . . .412

BigIron RX Series Configuration Guide xiii 53-1001986-01

MRP CLI example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413

Commands on switch A (master node). . . . . . . . . . . . . . . . . . .414

Commands on switch B. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414

Commands on switch C. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415

Commands on switch D. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Chapter 15 Virtual Switch Redundancy Protocol (VSRP)

Overview of Virtual Switch Redundancy Protocol (VSRP). . . . . . . . 417

Layer 2 and Layer 3 redundancy . . . . . . . . . . . . . . . . . . . . . . .418

Master election and failover . . . . . . . . . . . . . . . . . . . . . . . . . . .418

Configuring basic VSRP parameters . . . . . . . . . . . . . . . . . . . . . . . .423

Enabling Layer 3 VSRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424

Configuring optional VSRP parameters . . . . . . . . . . . . . . . . . . . . . .424

Disabling VSRP on a VRID . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424

Configuring authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . .424

Configuring a VRID IP address . . . . . . . . . . . . . . . . . . . . . . . . .425

VSRP fast start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .426

Changing the backup priority . . . . . . . . . . . . . . . . . . . . . . . . . .427

Saving the timer values received from the master . . . . . . . . .427

VSRP slow start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428

Changing the Time-To-Live (TTL) . . . . . . . . . . . . . . . . . . . . . . . .428

Changing the hello interval . . . . . . . . . . . . . . . . . . . . . . . . . . . .429

Changing the dead interval . . . . . . . . . . . . . . . . . . . . . . . . . . . .429

Changing the backup hello state and interval . . . . . . . . . . . . .429

Changing the hold-down interval . . . . . . . . . . . . . . . . . . . . . . .430

Changing the default track priority . . . . . . . . . . . . . . . . . . . . . .430

Specifying a track port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431

Disabling or re-enabling backup pre-emption . . . . . . . . . . . . .431

Port transition hold timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431

Clearing VSRP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432

VSRP and MRP signaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432

Displaying VSRP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434

Displaying VRID information . . . . . . . . . . . . . . . . . . . . . . . . . . .434

Displaying a summary of VSRP information. . . . . . . . . . . . . . .436

Displaying VSRP packet statistics for VSRP . . . . . . . . . . . . . . .437

Displaying the active interfaces for a VRID . . . . . . . . . . . . . . .438

Chapter 16 Topology Groups

Topology overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439

Master VLAN and member VLANs . . . . . . . . . . . . . . . . . . . . . . . . . .439

Master VLANs and customer VLANs in MRP. . . . . . . . . . . . . . . . . .440

Control ports and free ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .440

Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .440

Configuring a topology group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .441

xiv BigIron RX Series Configuration Guide

53-1001986-01

Displaying topology group information . . . . . . . . . . . . . . . . . . . . . .441

Displaying topology group information . . . . . . . . . . . . . . . . . . .441

Chapter 17 Configuring VRRP and VRRPE

Overview of VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .443

Standard VRRP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .443

Brocade enhancements of VRRP . . . . . . . . . . . . . . . . . . . . . . .445

Overview of VRRPE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447

VRRP and VRRPE parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . .450

Configuring parameters specific to VRRP . . . . . . . . . . . . . . . . . . . .452

Configuring the owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452

Configuring basic VRRP parameters. . . . . . . . . . . . . . . . . . . . .452

Configuring the owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453

Configuring a backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453

Configuration rules for VRRP. . . . . . . . . . . . . . . . . . . . . . . . . . .453

Configuring parameters specific to VRRPE . . . . . . . . . . . . . . . . . . .454

Configuration rules for VRRPE . . . . . . . . . . . . . . . . . . . . . . . . .454

Configuring additional VRRP and VRRPE parameters . . . . . . . . . .454

Authentication type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455

Suppression of RIP advertisements on backup routers

for the backup up interface. . . . . . . . . . . . . . . . . . . . . . . . . . . .456

Hello interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456

Dead interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456

Backup hello message state and interval . . . . . . . . . . . . . . . .457

Track port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457

Track priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457

Backup preempt. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458

Master router abdication and reinstatement. . . . . . . . . . . . . .458

Displaying VRRP and VRRPE information . . . . . . . . . . . . . . . . . . . .459

Displaying summary information . . . . . . . . . . . . . . . . . . . . . . .459

Displaying detailed information . . . . . . . . . . . . . . . . . . . . . . . .461

Displaying statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464

Clearing VRRP or VRRPE statistics . . . . . . . . . . . . . . . . . . . . . .465

Configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465

VRRP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465

VRRPE example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467

Chapter 18 Configuring Quality of Service

Overview of Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . .469

Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469

Processing of classified traffic . . . . . . . . . . . . . . . . . . . . . . . . .469

Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472

Configuring DSCP classification by interface . . . . . . . . . . . . . .472

Configuring port, MAC, and VLAN-based classification . . . . . . 472

BigIron RX Series Configuration Guide xv 53-1001986-01

Configuring ToS-based QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Enabling ToS-based QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Specifying trust level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Enabling marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Configuring the QoS mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . .475

Changing the CoS –> DSCP mappings. . . . . . . . . . . . . . . . . . .475

Changing the DSCP –> DSCP mappings . . . . . . . . . . . . . . . . .475

Changing the DSCP –> internal forwarding priority

mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476

Changing the CoS –> internal forwarding priority

mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

Displaying QoS configuration information. . . . . . . . . . . . . . . . . . . . 477

Determining packet drop priority using WRED . . . . . . . . . . . . . . . .479

How WRED Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480

Calculating avg-q-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480

Calculating packets that are dropped . . . . . . . . . . . . . . . . . . .480

Using WRED with rate limiting. . . . . . . . . . . . . . . . . . . . . . . . . .481

Configuring packet drop priority using WRED . . . . . . . . . . . . . . . . .481

Enabling WRED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481

Setting the averaging-weight (Wq) parameter . . . . . . . . . . . . .481

Displaying the WRED configuration . . . . . . . . . . . . . . . . . . . . .485

Scheduling traffic for forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . .486

Configuring traffic scheduling . . . . . . . . . . . . . . . . . . . . . . . . . .486

Configuring multicast traffic engineering . . . . . . . . . . . . . . . . . . . .490

Displaying the multicast traffic engineering configuration . . .491

QoS for the oversubscribed 16 x 10GE modules . . . . . . . . . . . . . .492

Aggregation NP QOS modes . . . . . . . . . . . . . . . . . . . . . . . . . . .492

Port group assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492

Setting the server and storage modes . . . . . . . . . . . . . . . . . . .492

Switching between server and storage modes . . . . . . . . . . . .493

Qos profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .493

Setting the group port weights . . . . . . . . . . . . . . . . . . . . . . . . .494

Calculating the values for WFQ storage mode traffic

scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494

Egress port shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495

Mirroring ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495

Supported ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495

Configuring QoS for the 16 x 10G module . . . . . . . . . . . . . . . .496

Chapter 19 Configuring Traffic Reduction

Traffic policing on the BigIron RX Series . . . . . . . . . . . . . . . . . . . . .499

Traffic reduction parameters and algorithm . . . . . . . . . . . . . . . . . .499

Requested rate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499

Maximum burst . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500

Actual rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500

Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501

xvi BigIron RX Series Configuration Guide

53-1001986-01

Configuring rate limiting policies . . . . . . . . . . . . . . . . . . . . . . . . . . .502

Configuring a port-based rate limiting policy . . . . . . . . . . . . . .502

Configuring a port-and-priority-based rate limiting policy . . . .503

Configuring a port-and-VLAN-based rate limiting policy . . . . .503

Configuring a VLAN-group-based rate limiting policy. . . . . . . .504

Configuring a port-and-IPv6 ACL-based traffic reduction . . . .506

NP based multicast, broadcast, and unknown-unicast

rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507

Displaying traffic reduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507

Chapter 20 Layer 2 ACLs

Filtering based on ethertype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .509

Configuration rules and notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . .509

Configuring Layer 2 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .510

Creating a Layer 2 ACL table . . . . . . . . . . . . . . . . . . . . . . . . . . .510

Example Layer 2 ACL clauses . . . . . . . . . . . . . . . . . . . . . . . . . . 511

Inserting and deleting Layer 2 ACL clauses. . . . . . . . . . . . . . .512

Binding a Layer 2 ACL table to an interface . . . . . . . . . . . . . . .512

Increasing the maximum number of clauses per

Layer 2 ACL table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512

Viewing Layer 2 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512

Example of Layer 2 ACL deny by MAC address . . . . . . . . . . . .513

Chapter 21 Access Control List

How the BigIron RX processes ACLs . . . . . . . . . . . . . . . . . . . . . . . .515

Disabling or re-enabling Access Control Lists (ACLs) . . . . . . . . . . .516

Default ACL action. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516

Types of IP ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516

ACL IDs and entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Enabling support for additional ACL statements . . . . . . . . . . . . . .517

ACL-based inbound mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518

Considerations when configuring ACL-based inbound

mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518

Configuring ACL-based inbound mirroring . . . . . . . . . . . . . . . .518

Creating an ACL with a mirroring clause . . . . . . . . . . . . . . . . .518

Applying the ACL to an interface . . . . . . . . . . . . . . . . . . . . . . . .519

Specifying the destination mirror port . . . . . . . . . . . . . . . . . . .519

Configuring ACL-based mirroring for ACLs bound to virtual

interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .521

Configuring numbered and named ACLs. . . . . . . . . . . . . . . . . . . . .521

Configuring standard numbered ACLs . . . . . . . . . . . . . . . . . . .521

Configuring extended numbered ACLs . . . . . . . . . . . . . . . . . . .523

Configuring standard or extended named ACLs . . . . . . . . . . .531

Configuring super ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534

BigIron RX Series Configuration Guide xvii 53-1001986-01

Displaying ACL definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536

Displaying of TCP/UDP numbers in ACLs . . . . . . . . . . . . . . . . .537

ACL logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .547

Enabling the new logging method. . . . . . . . . . . . . . . . . . . . . . .548

Specifying the wait time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .548

Modifying ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .548

Adding or deleting a comment . . . . . . . . . . . . . . . . . . . . . . . . .550

Deleting ACL entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .552

From numbered ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .552

From named ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .553

Applying ACLs to interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .554

Reapplying modified ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . .554

ACL automatic rebind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .554

Manually setting the ACL rebind. . . . . . . . . . . . . . . . . . . . . . . .554

Applying ACLs to a virtual routing interface . . . . . . . . . . . . . . .554

Configuring the Layer 4 session log timer . . . . . . . . . . . . . . . .555

Displaying ACL log entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555

QoS options for IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556

Enabling ACL duplication check. . . . . . . . . . . . . . . . . . . . . . . . . . . .557

ACL accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .557

Displaying accounting statistics for all ACLs . . . . . . . . . . . . . .557

Displaying statistics for an interface . . . . . . . . . . . . . . . . . . . .558

Clearing the ACL statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . .559

Enabling ACL filtering of fragmented or non-fragmented

packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .560

ACL filtering for traffic switched within a virtual routing

interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .561

ICMP filtering for extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . .561

Troubleshooting ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .563

Chapter 22 Policy-Based Routing

Policy-Based Routing (PBR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565

Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565

Configuring a PBR policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .566

Configure the ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .566

Configure the route map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567

Enabling PBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568

Configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .569

Basic example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .569

Setting the next hop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .570

Setting the output interface to the null interface . . . . . . . . . . 571

Trunk formation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571

xviii BigIron RX Series Configuration Guide

53-1001986-01

Chapter 23 Configuring IP Multicast Protocols

Overview of IP multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573

Multicast terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573

Changing global IP multicast parameters . . . . . . . . . . . . . . . . . . . . 574

Defining the maximum number of DVMRP cache entries. . . .574

Defining the maximum number of PIM cache entries. . . . . . . 574

IP multicast boundaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574

Configuring multicast boundaries. . . . . . . . . . . . . . . . . . . . . . .575

Displaying multicast boundaries. . . . . . . . . . . . . . . . . . . . . . . .575

Passive Multicast Route Insertion (PMRI) . . . . . . . . . . . . . . . . . . . .576

Configuring PMRI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576

Displaying hardware-drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576

Changing IGMP V1 and V2 parameters. . . . . . . . . . . . . . . . . . . . . .577

Modifying IGMP (V1 and V2) query interval period . . . . . . . . .577

Modifying IGMP (V1 and V2) membership time. . . . . . . . . . . .577

Modifying IGMP (V1 and V2) maximum response time. . . . . .578

Adding an interface to a multicast group . . . . . . . . . . . . . . . . . . . .578

IGMP v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .579

Default IGMP version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .580

Compatibility with IGMP V1 and V2 . . . . . . . . . . . . . . . . . . . . .580

Enabling the IGMP version per interface setting. . . . . . . . . . .581

Enabling the IGMP version on a physical port within a

virtual routing interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .581

Setting the query interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583

Setting the group membership time. . . . . . . . . . . . . . . . . . . . .583

Setting the maximum response time . . . . . . . . . . . . . . . . . . . .583

Displaying IGMPv3 information. . . . . . . . . . . . . . . . . . . . . . . . .583

Clearing IGMP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587

IGMP V3 and source specific multicast protocols . . . . . . . . . .587

Configuring a static multicast route. . . . . . . . . . . . . . . . . . . . . . . . .587

Next hop validation check . . . . . . . . . . . . . . . . . . . . . . . . . . . . .589

PIM dense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .589

Initiating PIM multicasts on a network . . . . . . . . . . . . . . . . . . .590

Pruning a multicast tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .590

Grafts to a multicast tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . .592

PIM DM versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .592

Configuring PIM DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593

Failover time in a multi-path topology . . . . . . . . . . . . . . . . . . .597

Modifying the TTL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597

PIM Sparse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597

PIM Sparse router types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598

RP paths and SPT paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599

Configuring PIM Sparse. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599

Route selection precedence for multicast. . . . . . . . . . . . . . . . . . . .604

Configuring the route precedence by specifying the route types604

Displaying the route selection . . . . . . . . . . . . . . . . . . . . . . . . . .605

BigIron RX Series Configuration Guide xix 53-1001986-01

Changing the Shortest Path Tree (SPT) threshold . . . . . . . . . . . . .606

Changing the PIM join and prune message interval . . . . . . . .607

MLL optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .607

Displaying PIM Sparse configuration information and

statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .607

Displaying basic PIM Sparse configuration information . . . . .608

Displaying a list of multicast groups. . . . . . . . . . . . . . . . . . . . .609

Displaying BSR information. . . . . . . . . . . . . . . . . . . . . . . . . . . .610

Displaying candidate RP information . . . . . . . . . . . . . . . . . . . .611

Displaying RP-to-group mappings . . . . . . . . . . . . . . . . . . . . . . .612

Displaying RP information for a PIM Sparse group . . . . . . . . .612

Displaying the RP set list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .613

Displaying multicast neighbor information. . . . . . . . . . . . . . . .613

Displaying information about an upstream neighbor device . 614

Displaying the PIM multicast cache . . . . . . . . . . . . . . . . . . . . .615

Displaying PIM traffic statistics. . . . . . . . . . . . . . . . . . . . . . . . . 617

PIM-SSMv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

Enabling SSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618

Configuring Multicast Source Discovery Protocol (MSDP) . . . . . . .618

Peer Reverse Path Forwarding (RPF) flooding . . . . . . . . . . . . .620

Source active caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .620

Configuring MSDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .620

Enabling MSDP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621

Configuring MSDP peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621

Designating an interface’s IP address as the RP’s

IP address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .622

Filtering MSDP source-group pairs . . . . . . . . . . . . . . . . . . . . . .622

Filtering incoming source-active messages . . . . . . . . . . . . . . .622

Filtering advertised source-active messages. . . . . . . . . . . . . .624

Displaying the differences before and after the source active

filters are applied. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625

Configuring MSDP mesh groups . . . . . . . . . . . . . . . . . . . . . . . . . . .627

Configuring MSDP mesh group. . . . . . . . . . . . . . . . . . . . . . . . .628

Displaying summary information . . . . . . . . . . . . . . . . . . . . . . .634

Displaying peer information . . . . . . . . . . . . . . . . . . . . . . . . . . .635

Displaying source active cache information. . . . . . . . . . . . . . .638

Clearing MSDP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .638

Clearing peer information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .638

Clearing the source active cache . . . . . . . . . . . . . . . . . . . . . . .639

Clearing MSDP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .639

DVMRP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .639

Initiating DVMRP multicasts on a network. . . . . . . . . . . . . . . .640

Pruning a multicast tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .640

Grafts to a multicast tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . .642

xx BigIron RX Series Configuration Guide

53-1001986-01

Configuring DVMRP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643

Enabling DVMRP globally and on an interface. . . . . . . . . . . . .643

Modifying DVMRP global parameters. . . . . . . . . . . . . . . . . . . .643

Modifying DVMRP interface parameters . . . . . . . . . . . . . . . . .646

Displaying information about an upstream neighbor

device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .647

Configuring a static multicast route. . . . . . . . . . . . . . . . . . . . . . . . .647

Configuring IP multicast traffic reduction. . . . . . . . . . . . . . . . . . . .648

Enabling IP multicast traffic reduction . . . . . . . . . . . . . . . . . . .649

Layer 2 multicast filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .653

PIM SM traffic snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .654

Static IGMP membership. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .658

Chapter 24 Configuring RIP

Overview of Routing Information Protocol (RIP) . . . . . . . . . . . . . . .661

Configuring RIP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .661

Enabling RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .661

Configuring metric parameters . . . . . . . . . . . . . . . . . . . . . . . . .662

Changing the administrative distance . . . . . . . . . . . . . . . . . . .662

Configuring redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663

Configuring route learning and advertising parameters . . . . .664

Changing the route loop prevention method . . . . . . . . . . . . . .665

Suppressing RIP route advertisement on a VRRP or VRRPE

backup interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .666

Using prefix lists and route maps as route filters . . . . . . . . . .666

Setting RIP timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .667

Displaying RIP filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .668

Clearing the RIP routes from the routing table . . . . . . . . . . . .669

Chapter 25 Configuring OSPF Version 2 (IPv4)

Overview of OSPF (Open Shortest Path First) . . . . . . . . . . . . . . . . . 671

Designated routers in multi-access networks . . . . . . . . . . . . .672

Designated router election in multi-access networks . . . . . . .672

OSPF RFC 1583 and 2328 compliance. . . . . . . . . . . . . . . . . .674

Reduction of equivalent AS external LSAs . . . . . . . . . . . . . . . . 674

Support for OSPF RFC 2328 appendix E . . . . . . . . . . . . . . . . .676

Dynamic OSPF activation and configuration . . . . . . . . . . . . . .677

BigIron RX Series Configuration Guide xxi 53-1001986-01

Configuring OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .677

Configuration rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .678

OSPF parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .678

Enable OSPF on the router . . . . . . . . . . . . . . . . . . . . . . . . . . . .679

Assign OSPF areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .679

Assigning an area range (optional) . . . . . . . . . . . . . . . . . . . . .683

Assigning interfaces to an area . . . . . . . . . . . . . . . . . . . . . . . .683

Modify interface defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . .683

Change the timer for OSPF authentication changes. . . . . . . .686

Block flooding of outbound LSAs on specific OSPF

interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .687

Assign virtual links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .687

Modify virtual link parameters . . . . . . . . . . . . . . . . . . . . . . . . .689

Configuring an OSPF non-broadcast interface. . . . . . . . . . . . .690

OSPF point-to-point links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .691

Changing the reference bandwidth for the cost on OSPF

interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .694

Define redistribution filters . . . . . . . . . . . . . . . . . . . . . . . . . . . .695

Modify default metric for redistribution . . . . . . . . . . . . . . . . . .696

Enable route redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . .697

Disable or re-enable load sharing. . . . . . . . . . . . . . . . . . . . . . .698

Configure external route summarization . . . . . . . . . . . . . . . . .700

Configure default route origination. . . . . . . . . . . . . . . . . . . . . .701

Configuring a default network route . . . . . . . . . . . . . . . . . . . . .702

Modify SPF timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .703

Modify redistribution metric type . . . . . . . . . . . . . . . . . . . . . . .703

Modify administrative distance. . . . . . . . . . . . . . . . . . . . . . . . .704

Configure OSPF group Link State Advertisement pacing . . . .705

OSPF ABR type 3 LSA filtering. . . . . . . . . . . . . . . . . . . . . . . . . .705

Displaying the configured OSPF area prefix list. . . . . . . . . . . .708

Modifying OSPF traps generated . . . . . . . . . . . . . . . . . . . . . . .708

Modify OSPF standard compliance setting . . . . . . . . . . . . . . . 710

Modify exit overflow interval . . . . . . . . . . . . . . . . . . . . . . . . . . .711

Specify types of OSPF Syslog messages to log . . . . . . . . . . . .711

Displaying OSPF information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .712

Displaying general OSPF configuration information . . . . . . . .712

Displaying CPU utilization and other OSPF tasks. . . . . . . . . . .713

Displaying OSPF area information . . . . . . . . . . . . . . . . . . . . . .715

Displaying OSPF neighbor information. . . . . . . . . . . . . . . . . . . 716

Displaying OSPF interface information. . . . . . . . . . . . . . . . . . . 717

Displaying OSPF route information . . . . . . . . . . . . . . . . . . . . . . 719

Displaying OSPF external link state Information . . . . . . . . . . .721

Displaying OSPF database link state information . . . . . . . . . .722

Displaying OSPF ABR and ASBR information. . . . . . . . . . . . . .723

Displaying OSPF trap status . . . . . . . . . . . . . . . . . . . . . . . . . . .724

Displaying OSPF virtual neighbor and link information. . . . . .724

OSPF graceful restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .726

xxii BigIron RX Series Configuration Guide

53-1001986-01

Chapter 26 Configuring BGP4 (IPv4 and IPv6)

Overview of BGP4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .731

Relationship between the BGP4 route table and the IP route

table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .732

How BGP4 selects a path for a route . . . . . . . . . . . . . . . . . . . .732

BGP4 message types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .734

Brocade implementation of BGP4 . . . . . . . . . . . . . . . . . . . . . . . . . .736

Memory considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .736

Configuring BGP4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .737

When parameter changes take effect . . . . . . . . . . . . . . . . . . .739

Activating and disabling BGP4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740

Note regarding disabling BGP4. . . . . . . . . . . . . . . . . . . . . . . . . 741

Entering and exiting the address family configuration level . . . . . 741

Filtering specific IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . .742

Defining an AS-path filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .743

Defining a community filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .744

Configuring a switch to allow routes with its own AS number . . . . 744

BGP Null0 routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .745

Aggregating routes advertised to BGP4 neighbors. . . . . . . . . . . . .749

Configuring the device to always compare MEDs . . . . . . . . . . . . . .749

Disabling or re-enabling comparison of the AS-path length . .750

Redistributing IBGP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .750

Disabling or re-enabling client-to-client route reflection. . . . . . . . .751

Configuring a route reflector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .751

Enabling or disabling comparison of the router IDs . . . . . . . . . . . .751

Configuring confederations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .752

Configuring route flap dampening . . . . . . . . . . . . . . . . . . . . . . . . . .755

Originating the default route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .755

Changing the default local preference . . . . . . . . . . . . . . . . . . . . . .756

Changing the default metric used for redistribution. . . . . . . . . . . .756

Changing administrative distances . . . . . . . . . . . . . . . . . . . . . . . . .757

Requiring the first AS to be the neighbor’s AS . . . . . . . . . . . . . . . .758

Neighbor local-AS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .758

Enabling fast external fallover . . . . . . . . . . . . . . . . . . . . . . . . . . . . .758

Setting the local AS number. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .759

Changing the maximum number of shared BGP4 paths . . . . . . . .759

Treating missing MEDs as the worst MEDs. . . . . . . . . . . . . . . . . . .760

Customizing BGP4 load sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . 760

BigIron RX Series Configuration Guide xxiii 53-1001986-01

Configuring BGP4 neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .761

Removing route dampening from suppressed

neighbor routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .765

Encryption of BGP4 MD5 authentication keys. . . . . . . . . . . . . 766

Configuring a BGP4 peer group . . . . . . . . . . . . . . . . . . . . . . . . . . . .768

Peer group parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .768

Specifying a list of networks to advertise . . . . . . . . . . . . . . . . . . . . 771

Using the IP default route as a valid next hop for a BGP4 route . .772

Enabling next-hop recursion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .773

Modifying redistribution parameters . . . . . . . . . . . . . . . . . . . . . . . .776

Using a table map to set the tag value . . . . . . . . . . . . . . . . . . . . . .779

Changing the keep alive time and hold time. . . . . . . . . . . . . . . . . .779

Changing the BGP4 next-hop update timer. . . . . . . . . . . . . . . . . . .780

Changing the router ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .780

Adding a loopback interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .781

Changing the maximum number of paths for BGP4 load sharing.781

Configuring route reflection parameters . . . . . . . . . . . . . . . . . . . . .782

Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .784

Filtering AS-paths. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .785

Filtering communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .788

Defining and applying IP prefix lists . . . . . . . . . . . . . . . . . . . . .789

Defining neighbor distribute lists . . . . . . . . . . . . . . . . . . . . . . .790

Defining route maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .791

Configuring cooperative BGP4 route filtering. . . . . . . . . . . . . .799

Configuring route flap dampening . . . . . . . . . . . . . . . . . . . . . .801

Generating traps for BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . .806

Updating route information and resetting a neighbor

session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .806

Clearing traffic counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .812

Clearing route flap dampening statistics . . . . . . . . . . . . . . . . .813

Removing route flap dampening. . . . . . . . . . . . . . . . . . . . . . . .813

Clearing diagnostic buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814

Displaying BGP4 information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .814

Displaying summary BGP4 information . . . . . . . . . . . . . . . . . .815

Displaying the active BGP4 configuration . . . . . . . . . . . . . . . .817

Displaying summary neighbor information . . . . . . . . . . . . . . .817

Displaying BGP4 neighbor information. . . . . . . . . . . . . . . . . . .819

Displaying peer group information . . . . . . . . . . . . . . . . . . . . . .830

Displaying summary route information . . . . . . . . . . . . . . . . . .830

Displaying the BGP4 route table. . . . . . . . . . . . . . . . . . . . . . . .831

Displaying BGP4 route-attribute entries. . . . . . . . . . . . . . . . . .837

Displaying the routes BGP4 has placed in the IP route

table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .839

Displaying route flap dampening statistics . . . . . . . . . . . . . . .839

Displaying the active route map configuration . . . . . . . . . . . .840

Generalized TTL security mechanism support. . . . . . . . . . . . . . . .844

xxiv BigIron RX Series Configuration Guide

53-1001986-01

Chapter 27 Configuring MBGP

Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .848

Configuring MBGP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .848

Setting the maximum number of multicast routes

supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .848

Enabling MBGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .849

Adding MBGP neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .849

Optional configuration tasks . . . . . . . . . . . . . . . . . . . . . . . . . . .850

Displaying MBGP information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .853

Displaying summary MBGP information. . . . . . . . . . . . . . . . . .853

Displaying the active MBGP configuration . . . . . . . . . . . . . . . .854

Displaying MBGP neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . .855

Displaying MBGP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .856

Displaying the IP multicast route table. . . . . . . . . . . . . . . . . . .856

Chapter 28 Configuring IS-IS (IPv4)

Relationship to IP route table . . . . . . . . . . . . . . . . . . . . . . . . . .857

Intermediate systems and end systems. . . . . . . . . . . . . . . . . .858

Domain and areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .859

Level-1 routing and Level-2 routing . . . . . . . . . . . . . . . . . . . . .859

Neighbors and adjacencies. . . . . . . . . . . . . . . . . . . . . . . . . . . .859

Designated IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .859

IS-IS CLI levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .861

Global configuration level . . . . . . . . . . . . . . . . . . . . . . . . . . . . .861

Address family configuration level . . . . . . . . . . . . . . . . . . . . . .862

Interface level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .862

Configuring IPv4 IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .863

Enabling IS-IS globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .863

Globally configuring IS-IS on a device . . . . . . . . . . . . . . . . . . . . . . .864

Setting the overload bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .864

Configuring authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . .865

Changing the IS-IS Level globally . . . . . . . . . . . . . . . . . . . . . . .866

Disabling or re-enabling display of hostname . . . . . . . . . . . . .866

Changing the sequence numbers PDU interval. . . . . . . . . . . .866

Changing the maximum LSP lifetime . . . . . . . . . . . . . . . . . . . .867

Changing the LSP refresh interval . . . . . . . . . . . . . . . . . . . . . .867

Changing the LSP generation interval . . . . . . . . . . . . . . . . . . .867

Changing the LSP interval and retransmit interval . . . . . . . . .868

Changing the SPF timer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .868

Globally disabling or re-enabling hello padding. . . . . . . . . . . .868

Logging adjacency changes . . . . . . . . . . . . . . . . . . . . . . . . . . .869

Disabling partial SPF calculations . . . . . . . . . . . . . . . . . . . . . .869

BigIron RX Series Configuration Guide xxv 53-1001986-01

Configuring IPv4 address family route parameters . . . . . . . . . . . .870

Changing the metric style . . . . . . . . . . . . . . . . . . . . . . . . . . . . .870

Changing the maximum number of load sharing paths . . . . .870

Enabling advertisement of a default route . . . . . . . . . . . . . . .870

Changing the administrative distance for IPv4 IS-IS . . . . . . . . 871

Configuring summary addresses . . . . . . . . . . . . . . . . . . . . . . .872

Redistributing routes into IPv4 IS-IS . . . . . . . . . . . . . . . . . . . . .873

Changing the default redistribution metric . . . . . . . . . . . . . . .873

Redistributing static IPv4 routes into IPv4 IS-IS. . . . . . . . . . . . 874

Redistributing directly connected routes into IPv4 IS-IS . . . . . 874

Redistributing RIP routes into IPv4 IS-IS . . . . . . . . . . . . . . . . .875

Redistributing OSPF routes into IPv4 IS-IS . . . . . . . . . . . . . . . .875

Redistributing BGP4+ routes into IPv4 IS-IS . . . . . . . . . . . . . .875

Redistributing IPv4 IS-IS routes within IPv4 IS-IS . . . . . . . . . .876

Configuring ISIS properties on an interface . . . . . . . . . . . . . . . . . .876

Disabling and enabling IS-IS on an interface. . . . . . . . . . . . . . 876

Disabling or re-enabling formation of adjacencies . . . . . . . . . 876

Setting the priority for designated IS election . . . . . . . . . . . . .877

Limiting access to adjacencies with a neighbor . . . . . . . . . . .877

Changing the IS-IS level on an interface . . . . . . . . . . . . . . . . .878

Disabling and enabling hello padding on an interface . . . . . .878

Changing the hello interval . . . . . . . . . . . . . . . . . . . . . . . . . . . .878

Changing the hello multiplier . . . . . . . . . . . . . . . . . . . . . . . . . .879

Changing the metric added to advertised routes . . . . . . . . . .879

Displaying IPv4 IS-IS information. . . . . . . . . . . . . . . . . . . . . . . . . . .880

Displaying the IS-IS configuration in the running-config . . . . .880

Displaying the name mappings. . . . . . . . . . . . . . . . . . . . . . . . .880

Displaying neighbor information. . . . . . . . . . . . . . . . . . . . . . . .881

Displaying IS-IS Syslog messages. . . . . . . . . . . . . . . . . . . . . . .882

Displaying interface information. . . . . . . . . . . . . . . . . . . . . . . .883

Displaying route information . . . . . . . . . . . . . . . . . . . . . . . . . . .886

Displaying LSP database entries . . . . . . . . . . . . . . . . . . . . . . .887

Displaying traffic statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . .890

Displaying error statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . .891

Clearing IS-IS information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .892

Chapter 29 BiDirectional Forwarding Detection (BFD)

Configuring BFD parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .896

Number of BFD sessions supported. . . . . . . . . . . . . . . . . . . . .896

Disabling BFD Syslog messages. . . . . . . . . . . . . . . . . . . . . . . .896

Displaying Bidirectional Forwarding Detection information . . . . . . 897

Displaying BFD information on a router . . . . . . . . . . . . . . . . . .897

Clearing BFD neighbor sessions . . . . . . . . . . . . . . . . . . . . . . . .901

Configuring BFD for the specified protocol . . . . . . . . . . . . . . . . . . .901

Configuring BFD for OSPFv2 . . . . . . . . . . . . . . . . . . . . . . . . . . .901

Configuring BFD for OSPFv3 . . . . . . . . . . . . . . . . . . . . . . . . . . .902

Configuring BFD for IS-IS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .902

xxvi BigIron RX Series Configuration Guide

53-1001986-01

Chapter 30 Configuring Secure Shell

Overview of Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . .905

SSH version 2 support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .905

Supported features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .906

Configuring SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .906

Generating a host key pair . . . . . . . . . . . . . . . . . . . . . . . . . . . .907

Configuring DSA challenge-response authentication . . . . . . .908

Disabling 3-DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .913

Displaying SSH connection information . . . . . . . . . . . . . . . . . . . . .913

Using secure copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .914

Chapter 31 Configuring Multi-Device Port Authentication

How multi-device port authentication works. . . . . . . . . . . . . . . . . .917

RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917

Authentication-failure actions . . . . . . . . . . . . . . . . . . . . . . . . . .918

Supported RADIUS attributes . . . . . . . . . . . . . . . . . . . . . . . . . .918

Dynamic VLAN and ACL assignments. . . . . . . . . . . . . . . . . . . .918

Support for authenticating multiple MAC addresses

on an interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .919

Support for multi-device port authentication and 802.1x

on the same interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .919

Configuring multi-device port authentication . . . . . . . . . . . . . . . . .919

Enabling multi-device port authentication . . . . . . . . . . . . . . . .919

Configuring an authentication method list for 802.1x . . . . . .920

Setting RADIUS parameters . . . . . . . . . . . . . . . . . . . . . . . . . . .920

Specifying the format of the MAC addresses sent to the

RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .921

Specifying the authentication-failure action . . . . . . . . . . . . . .921

Defining MAC address filters. . . . . . . . . . . . . . . . . . . . . . . . . . .922

Configuring dynamic VLAN assignment . . . . . . . . . . . . . . . . . .922

Specifying to which VLAN a port is moved after its

RADIUS-specified VLAN assignment expires . . . . . . . . . . . . . .923

Saving dynamic VLAN assignments to the running

configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .924

Clearing authenticated MAC addresses. . . . . . . . . . . . . . . . . .924

Disabling aging for authenticated MAC addresses . . . . . . . . .925

Specifying the aging time for blocked MAC addresses . . . . . .925

Displaying multi-device port authentication information . . . . . . . .926

Displaying authenticated MAC address information . . . . . . . .926

Displaying multi-device port authentication configuration

information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .927

Displaying multi-device port authentication information for

a specific MAC address or port . . . . . . . . . . . . . . . . . . . . . . . . .929

Displaying the authenticated MAC addresses . . . . . . . . . . . . .930

Displaying the non-authenticated MAC addresses . . . . . . . . .930

BigIron RX Series Configuration Guide xxvii 53-1001986-01

Chapter 32 Using the MAC Port Security Feature

and Transparent Port Flooding

MAC Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .931

Violation actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .931

Local and global resources . . . . . . . . . . . . . . . . . . . . . . . . . . . .932

Configuring the MAC Port Security feature . . . . . . . . . . . . . . . . . . .932

Enabling the MAC Port Security feature . . . . . . . . . . . . . . . . . .932

Setting the maximum number of secure MAC addresses for

an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .933

Specifying static secure MAC addresses . . . . . . . . . . . . . . . . .934

Enabling dynamic MAC address learning. . . . . . . . . . . . . . . . .934

Denying specific MAC addresses . . . . . . . . . . . . . . . . . . . . . . .934

Autosaving secure MAC addresses to the startup-config . . . .934

Setting the MAC Port Security age timer . . . . . . . . . . . . . . . . .935

Defining security violation actions . . . . . . . . . . . . . . . . . . . . . . . . . .935

Shutdown the interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .936

Restricting interface access . . . . . . . . . . . . . . . . . . . . . . . . . . .936

Denying a MAC address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .938

Understanding the rules for violation action configuration . . . . . .938

Interaction between global and interface level violation

actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .938

Changing the global violation action . . . . . . . . . . . . . . . . . . . .939

Changing the violation action for an interface. . . . . . . . . . . . .939

Re-enabling an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .940

Interface shutdown time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .940

Manually re-enabling a interface . . . . . . . . . . . . . . . . . . . . . . .940

Displaying MAC Port Security information. . . . . . . . . . . . . . . . . . . .940

Displaying MAC Port Security settings . . . . . . . . . . . . . . . . . . .940

Displaying the secure MAC addresses list on the device . . . .941

Displaying MAC Port Security statistics . . . . . . . . . . . . . . . . . .942

Displaying a list of MAC addresses. . . . . . . . . . . . . . . . . . . . . .943

Displaying a list of secure and denied MAC addresses. . . . . .943

Displaying information when violation action is restrict . . . . .944

Displaying information when violation action is deny . . . . . . .944

Transparent port flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .945

Chapter 33 Configuring 802.1x Port Security

Overview of 802.1x port security . . . . . . . . . . . . . . . . . . . . . . . . . . .947

IETF RFC support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .947

How 802.1x port security works. . . . . . . . . . . . . . . . . . . . . . . . . . . .947

Device roles in an 802.1x configuration . . . . . . . . . . . . . . . . .947

Communication between the devices . . . . . . . . . . . . . . . . . . .948

Controlled and uncontrolled ports . . . . . . . . . . . . . . . . . . . . . .949

Message exchange during authentication. . . . . . . . . . . . . . . .950

Authenticating multiple clients connected to the same

port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .952

802.1x port security and sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . .954

xxviii BigIron RX Series Configuration Guide

53-1001986-01

Configuring 802.1x port security . . . . . . . . . . . . . . . . . . . . . . . . . . .954

Configuring an authentication method list for 802.1x . . . . . .955

Setting RADIUS parameters . . . . . . . . . . . . . . . . . . . . . . . . . . .955

Configuring dynamic VLAN assignment for 802.1x ports . . . .956

Disabling and enabling strict security mode for dynamic

filter assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .957

Dynamically applying existing ACLs or MAC address filter . . .958

Configuring per-user IP ACLs or MAC address filters . . . . . . . .960

Enabling 802.1x port security. . . . . . . . . . . . . . . . . . . . . . . . . .960

Setting the port control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .961

Configuring periodic re-authentication . . . . . . . . . . . . . . . . . . .962

Re-authenticating a port manually . . . . . . . . . . . . . . . . . . . . . .962

Setting the quiet period. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .963

Setting the interval for retransmission of EAP-request/

identity frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .963

Specifying the number of EAP-request/identity frame

retransmissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .963

Specifying a timeout for retransmission of messages

to the authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . .964

Specifying a timeout for retransmission of

EAP-request frames to the client . . . . . . . . . . . . . . . . . . . . . . .964

Initializing 802.1x on a port . . . . . . . . . . . . . . . . . . . . . . . . . . .964

Allowing multiple 802.1x clients to authenticate. . . . . . . . . . .964

Displaying 802.1x information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .966

Displaying 802.1x configuration information. . . . . . . . . . . . . .966

Displaying 802.1x statistics . . . . . . . . . . . . . . . . . . . . . . . . . . .968

Clearing 802.1x statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . .969

Displaying dynamically assigned VLAN information . . . . . . . .969

Displaying information on MAC address filters and IP ACLs on an

interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .970

Displaying information about the dot1x-mac-sessions on

each port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 971

Sample 802.1x configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . .973

Point-to-point configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . .973

Hub configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974

Chapter 34 Protecting Against Denial of Service Attacks

Protecting against Smurf attacks. . . . . . . . . . . . . . . . . . . . . . . . . . .977

Avoiding being an intermediary in a Smurf attack. . . . . . . . . .978

ACL-based DOS-attack prevention . . . . . . . . . . . . . . . . . . . . . .978

Protecting against TCP SYN attacks. . . . . . . . . . . . . . . . . . . . . . . . .979

TCP security enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . .980

Displaying statistics due DoS attacks . . . . . . . . . . . . . . . . . . . . . . .981

Clear DoS attack statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .982

BigIron RX Series Configuration Guide xxix 53-1001986-01

Chapter 35 Inspecting and Tracking DHCP Packets

Dynamic ARP inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .983

ARP attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .983

How DAI works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .984

Limits and restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .985

Configuring DAI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .985

Displaying ARP inspection status and ports . . . . . . . . . . . . . .986

Displaying the ARP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .987

DHCP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .988

How DHCP snooping works . . . . . . . . . . . . . . . . . . . . . . . . . . . .988

System reboot and the binding database . . . . . . . . . . . . . . . .989

Configuring DHCP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . .989

DHCP relay agent information (DHCP option 82) . . . . . . . . . . . . . .990

Disabling option 82 processing . . . . . . . . . . . . . . . . . . . . . . . .991

Displaying DHCP snooping status and ports . . . . . . . . . . . . . .991

DHCP snooping configuration example . . . . . . . . . . . . . . . . . .992

IP source guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .992

Limits and restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .993

Enabling IP source guard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .993

Chapter 36 Securing SNMP Access

Establishing SNMP community strings . . . . . . . . . . . . . . . . . . . . . .995

Encryption of SNMP community strings . . . . . . . . . . . . . . . . .995

Adding an SNMP community string . . . . . . . . . . . . . . . . . . . . .995

Displaying the SNMP community strings . . . . . . . . . . . . . . . . .996

Using the user-based security model. . . . . . . . . . . . . . . . . . . . . . . .997

Configuring your NMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .997

Configuring SNMP version 3 on the BigIron RX . . . . . . . . . . . .997

Defining the engine ID. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .998

Defining an SNMP group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .998

Defining an SNMP user account. . . . . . . . . . . . . . . . . . . . . . . .999

Displaying the engine ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1001

Displaying SNMP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1001

Displaying user information. . . . . . . . . . . . . . . . . . . . . . . . . . 1002

Interpreting varbinds in report packets . . . . . . . . . . . . . . . . 1002

Defining SNMP views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002

SNMP v3 configuration examples. . . . . . . . . . . . . . . . . . . . . 1003

Chapter 37 Enabling the Foundry Discovery Protocol (FDP) and Reading Cisco

Discovery Protocol (CDP) Packets

Using FDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1005

Configuring FDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1005

Displaying FDP information. . . . . . . . . . . . . . . . . . . . . . . . . . 1006

Clearing FDP and CDP information. . . . . . . . . . . . . . . . . . . . 1009

xxx BigIron RX Series Configuration Guide

53-1001986-01

+ 1394 hidden pages

Dell PowerConnect B-RX Configuration manual

Contents