Foundry Networks Switch and Router Installation And Configuration Manual

Foundry Switch and Router
Installation and Configuration Guide
2100 Gold Street P.O. Box 649100
San Jose, CA 95164-9100
Tel 408.586.1700
Fax 408.586.1900
www.foundrynetworks.com
December 2000 Copyright 2000 by Foundry Networks, Inc.
December 2000 iii
Contents
Chapter 1  Getting Started ..... 1-1
  Introduction ..... 1-1
  Audience ..... 1-1
  Nomenclature ..... 1-1
  Related Publications ..... 1-2
  What's New in This Edition? ..... 1-2
  New Hardware ..... 1-2
  Layer 3 Enhancements ..... 1-2
  System Level Enhancements ..... 1-3
  How to Get Help ..... 1-4
  Web Access ..... 1-4
  Email Access ..... 1-4
  Telephone Access ..... 1-4
  Warranty Coverage ..... 1-4

Chapter 2  Installing a Foundry Layer 2 Switch or Layer 3 Switch ..... 2-1
  Unpacking a System ..... 2-1
  Package Contents ..... 2-1
  General Requirements ..... 2-1
  Summary of Installation Procedures ..... 2-1
  Installation Precautions ..... 2-3
  Preparing the Installation Site ..... 2-3
  Cabling Infrastructure ..... 2-3
  Installation Location ..... 2-3
  Installing or Removing Optional Modules (Chassis Devices Only) ..... 2-4
  Installing Modules ..... 2-4
  Removing Modules ..... 2-5
  Installing or Removing Redundant Power Supplies (Chassis Devices Only) ..... 2-6
  Determining Power Supply Status ..... 2-6
  Installing Power Supplies ..... 2-6
  Removing Power Supplies ..... 2-7
  Replacing Fans (4-Slot and 8-Slot Chassis Devices Only) ..... 2-10
  Required Tools ..... 2-10
  Determining Which Fan Has Failed ..... 2-10
  Four-Slot Chassis ..... 2-11
  Eight-Slot Chassis ..... 2-12
  Replacing a Fan Tray (15-Slot Chassis Devices Only) ..... 2-13
  Verifying Proper Operation ..... 2-13
  Attaching a PC or Terminal ..... 2-14
  Assigning Permanent Passwords ..... 2-16
  Configuring IP Addresses ..... 2-17
  Layer 3 Switches ..... 2-17
  Layer 2 Switches ..... 2-18
  Mounting the Chassis or Stackable Device ..... 2-19
  Desktop Installation ..... 2-19
  Rack Mount Installation – Chassis Devices ..... 2-19
  Rack Mount Installation – Stackable Devices ..... 2-20
  Powering On a System ..... 2-21
  Connecting Network Devices ..... 2-22
  Connectors ..... 2-22
  Cable Length ..... 2-22
  Connecting to Ethernet or Fast Ethernet Hubs ..... 2-24
  Connecting to Workstations, Servers, or Routers ..... 2-24
  Installing or Removing a GBIC ..... 2-25
  Troubleshooting Network Connections ..... 2-26
  Testing Connectivity ..... 2-26
  Pinging an IP Address ..... 2-26
  Tracing a Route ..... 2-26
  Managing the Device ..... 2-27
  Logging On Through the CLI ..... 2-27
  Logging On Through the Web Management Interface ..... 2-29
  Logging On Through IronView ..... 2-31
  Swapping Modules (Chassis Devices Only) ..... 2-31

Chapter 3  Securing Access to Management Functions ..... 3-1
  Securing Access Methods ..... 3-1
  Restricting Remote Access to Management Functions ..... 3-3
  Using ACLs to Restrict Remote Access ..... 3-4
  Restricting Remote Access to the Device to Specific IP Addresses ..... 3-5
  Restricting Remote Access to the Device to Specific VLAN IDs ..... 3-6
  Disabling Specific Access Methods ..... 3-7
  Setting Passwords ..... 3-9
  Setting a Telnet Password ..... 3-9
  Setting Passwords for Management Privilege Levels ..... 3-10
  Recovering from a Lost Password ..... 3-11
  Displaying the SNMP Community String ..... 3-12
  Disabling Password Encryption ..... 3-12
  Setting Up Local User Accounts ..... 3-12
  Configuring a Local User Account ..... 3-13
  Establishing SNMP Community Strings ..... 3-14
  Encryption of SNMP Community Strings ..... 3-15
  Adding an SNMP Community String ..... 3-15
  Displaying the SNMP Community Strings ..... 3-16
  Configuring TACACS/TACACS+ Security ..... 3-18
  How TACACS+ Differs from TACACS ..... 3-18
  TACACS/TACACS+ Authentication, Authorization, and Accounting ..... 3-18
  TACACS/TACACS+ Configuration Considerations ..... 3-22
  Identifying the TACACS/TACACS+ Servers ..... 3-22
  Setting Optional TACACS/TACACS+ Parameters ..... 3-23
  Configuring Authentication-Method Lists for TACACS/TACACS+ ..... 3-24
  Configuring TACACS+ Authorization ..... 3-25
  Configuring TACACS+ Accounting ..... 3-27
  Configuring an Interface as the Source for All TACACS/TACACS+ Packets ..... 3-27
  Displaying TACACS/TACACS+ Statistics and Configuration Information ..... 3-28
  Configuring RADIUS Security ..... 3-33
  RADIUS Authentication, Authorization, and Accounting ..... 3-33
  RADIUS Configuration Considerations ..... 3-36
  RADIUS Configuration Procedure ..... 3-36
  Configuring Foundry-Specific Attributes on the RADIUS Server ..... 3-36
  Identifying the RADIUS Server to the Foundry Device ..... 3-37
  Setting RADIUS Parameters ..... 3-38
  Configuring Authentication-Method Lists for RADIUS ..... 3-38
  Configuring RADIUS Authorization ..... 3-40
  Configuring RADIUS Accounting ..... 3-40
  Configuring an Interface as the Source for All RADIUS Packets ..... 3-41
  Displaying RADIUS Configuration Information ..... 3-42
  Configuring Authentication-Method Lists ..... 3-47
  Configuration Considerations for Authentication-Method Lists ..... 3-48
  Examples of Authentication-Method Lists ..... 3-48

Chapter 4  Configuring Secure Shell ..... 4-1
  Setting the Host Name and Domain Name ..... 4-2
  Generating a Host RSA Key Pair ..... 4-2
  Providing the Public Key to Clients ..... 4-2
  Configuring RSA Challenge-Response Authentication ..... 4-3
  Importing Authorized Public Keys into the Foundry Device ..... 4-3
  Enabling RSA Challenge-Response Authentication ..... 4-5
  Setting Optional Parameters ..... 4-5
  Setting the Number of SSH Authentication Retries ..... 4-5
  Setting the Server RSA Key Size ..... 4-5
  Deactivating User Authentication ..... 4-6
  Enabling Empty Password Logins ..... 4-6
  Setting the SSH Port Number ..... 4-6
  Setting the SSH Login Timeout Value ..... 4-6
  Designating an Interface as the Source for All SSH Packets ..... 4-7
  Viewing SSH Connection Information ..... 4-7
  Sample SSH Configuration ..... 4-9
  Using Secure Copy ..... 4-9

Chapter 5  Using Redundant Management Modules ..... 5-1
  Configuration Considerations ..... 5-2
  Temperature Sensor ..... 5-2
  Switchover ..... 5-2
  Management Sessions ..... 5-2
  Syslog and SNMP Traps ..... 5-3
  MAC Address Changes ..... 5-3
  Configuring the Redundant Management Parameters ..... 5-3
  Installing Redundant Management Modules ..... 5-3
  Determining Redundant Management Module Status ..... 5-8
  Displaying Switchover Messages ..... 5-10
  File Synchronization Between the Active and Standby Redundant Management Modules ..... 5-11
  Displaying the Synchronization Settings ..... 5-12
  Immediately Synchronizing Software ..... 5-13
  Automating Synchronization of Software ..... 5-14
  Switching Over to the Standby Redundant Management Module ..... 5-16
  PCMCIA Flash Card File Management Commands ..... 5-17
  PCMCIA Slots ..... 5-18
  Subdirectories ..... 5-18
  File and Subdirectory Naming Conventions ..... 5-19
  Wildcards ..... 5-19
  Formatting a Flash Card ..... 5-20
  Determining the Flash Card Slot and Subdirectory Path That Currently Have the Management Focus ..... 5-20
  Switching the Management Focus ..... 5-21
  Displaying a Directory of the Files on a Flash Card ..... 5-21
  Displaying the Contents of a File ..... 5-23
  Display a Hexadecimal Dump of the Data in a File ..... 5-23
  Creating a Subdirectory ..... 5-24
  Removing a Subdirectory ..... 5-25
  Renaming a File ..... 5-25
  Changing the Read-Write Attribute of a File ..... 5-25
  Deleting a File from a Flash Card ..... 5-26
  Recovering ("Undeleting") a File ..... 5-26
  Appending a File to Another File ..... 5-27
  Copying Files ..... 5-27
  Loading the Startup-Config File from a PCMCIA Flash Card During System Load ..... 5-30
  File Management Messages ..... 5-32
  Temperature Sensor ..... 5-33
  Displaying the Temperature ..... 5-33
  Displaying Temperature Messages ..... 5-34
  Changing Temperature Warning and Shutdown Levels ..... 5-35
  Changing the Chassis Polling Interval ..... 5-36

Chapter 6  Using Packet over SONET (POS) Modules ..... 6-1
  Installing a POS Module ..... 6-2
  Upgrading POS Software from a TFTP Server ..... 6-3
  Upgrading the Boot Code ..... 6-3
  Upgrading the Flash Code ..... 6-3
  Configuring POS Boot Parameters ..... 6-3
  Changing the Boot Source ..... 6-4
  Booting the Module from TFTP ..... 6-4
  Copying a POS Image File from a Flash Card to a POS Module's Flash Memory ..... 6-4
  Configuring POS Interfaces ..... 6-5
  Adding an IP Address ..... 6-5
  Changing the Interface State ..... 6-6
  Changing the Encapsulation Type ..... 6-6
  Changing the Clock Source ..... 6-6
  Changing the Loopback Path ..... 6-7
  Changing the MTU ..... 6-7
  Changing the CRC Length ..... 6-7
  Disabling or Reenabling Keepalive Messages ..... 6-8
  Changing the Bandwidth ..... 6-8
  Changing the POS Flags ..... 6-8
  Changing the Frame Type ..... 6-9
  Enabling or Disabling ATM Scrambling ..... 6-9
  Configuring POS for Frame Relay ..... 6-10
  Changing the Encapsulation Type ..... 6-10
  Specifying the Frame Relay Interface Type ..... 6-10
  Specifying the DLCI ..... 6-10
  Specifying the LMI Type ..... 6-11
  Verifying the Configuration ..... 6-11
  Configuring POS for Layer 2 Switching ..... 6-11
  Link Redundancy and Load Balancing ..... 6-14
  Configuration Procedures ..... 6-16
  Configuring a POS Port for Layer 2 Switching ..... 6-16
  Configuring STP Parameters ..... 6-17
  Configuring the POS Ports into a Trunk Group ..... 6-19
  Displaying Layer 2 POS Port Information ..... 6-20
  Displaying POS Information ..... 6-21
  Displaying the Software Version Running on the Module ..... 6-21
  Displaying General Module Information ..... 6-22
  Determining POS Module Status ..... 6-22
  Displaying Interface Parameters ..... 6-23
  Displaying POS Statistics ..... 6-26
  Configuring Automatic Protection Switching (APS) ..... 6-27
  Basic POS APS Configuration ..... 6-27
  Multi-Group APS Configuration ..... 6-28
  Single-Device APS Configuration ..... 6-30
  Configuring Optional Parameters ..... 6-30
  Displaying POS APS Information ..... 6-33
  Foundry POS Interface Specifications ..... 6-33

Chapter 7  Updating Software Images and Configuration Files ..... 7-1
  Downloading and Uploading a Software Image on a TFTP Server ..... 7-1
  Upgrading the Boot Code ..... 7-2
  Upgrading the Flash Code ..... 7-2
  Changing the Block Size for TFTP File Transfers ..... 7-3
  Using the Executable Boot Command ..... 7-4
  Loading and Saving Configuration Files ..... 7-5
  Replacing the Startup Configuration with the Running Configuration ..... 7-6
  Replacing the Running Configuration with the Startup Configuration ..... 7-6
  Logging Changes to the Startup-Config File ..... 7-6
  Copying a Configuration File to or from a TFTP Server ..... 7-7
  Maximum File Sizes for Startup-Config File and Running-Config ..... 7-8
  Diagnostic Error Codes and Remedies for TFTP Transfers ..... 7-9
  Saving or Erasing Image and Configuration Files ..... 7-10
  Scheduling a System Reload ..... 7-10
  Reloading at a Specific Time ..... 7-10
  Reloading After a Specific Amount of Time ..... 7-10
  Displaying the Amount of Time Remaining Before a Scheduled Reload ..... 7-11
  Canceling a Scheduled Reload ..... 7-11

Chapter 8  Software Overview ..... 8-1
  Software Feature Summary ..... 8-1
  Flash Images ..... 8-2
  Determining the Flash Version a Device Is Running ..... 8-3
    Feature List  8-3
    Showing System Defaults  8-6
  Access and Management Features  8-7
    Secure Shell (SSH)  8-7
    Management Interfaces  8-8
    Multiple Levels of Access Control  8-10
    Access Control Lists (ACLs)  8-11
    Dynamic Configuration  8-11
    Soft Reboot  8-11
    Scheduled System Reload  8-11
    Telnet  8-11
    Trivial File Transfer Protocol (TFTP)  8-11
    Simple Network Time Protocol (SNTP)  8-12
    Domain Name Server (DNS) Resolver  8-12
    SNMPv2c Support  8-12
    Remote Monitoring (RMON) Statistics  8-13
    Syslog Logging  8-13
    Ping and Traceroute Facilities  8-13
    Port Mirroring  8-14
  IronClad Quality of Service (QoS)  8-14
    IP Type of Service (ToS) Mapping  8-14
    Selectable Queuing Method  8-14
    Configurable Bandwidth Percentages  8-14
    802.1q Priority Mapping  8-15
    Queue Assignment by Traffic Type  8-15
  Layer 2 Switching Features  8-15
    MAC Switching  8-15
    Static MAC Entries  8-15
    Standard Spanning Tree Protocol (STP)  8-16
    IronSpan STP Enhancements  8-16
    Trunk Groups  8-16
    Port-Based Virtual LANs (VLANs)  8-17
    VLAN Tagging  8-17
    MAC Filters  8-17
    Address-Lock Filters  8-17
    Dynamic Host Configuration Protocol (DHCP) Assist  8-18
    IP Multicast Containment  8-18
  Layer 3 Switching Features  8-18
    Protocol-Based Virtual LANs (VLANs)  8-18
    IP Router Acceleration  8-19
    IPX Router Acceleration  8-20
    IP and IPX Router Acceleration Policies  8-20
  Layer 3 Routing Features  8-20
    Multi-Netting  8-20
    Multiple IP Sub-nets per Interface  8-21
    Multiple IPX Frame Type Support per Interface  8-21
    Multi-Port Subnets (Integrated Switch-Routing)  8-21
    Static IP Routes, Address Resolution Protocol (ARP) Entries, and Reverse ARP (RARP) Entries  8-21
    IP/RIP Routing  8-21
    Border Gateway Protocol (BGP4) Routing  8-22
    IP Access and QoS Filters  8-22
    IP Route Filters  8-23
    IPX Routing  8-23
    IPX Forward Filters  8-23
    IPX/RIP and IPX/SAP Filters  8-23
    AppleTalk Routing  8-23
    AppleTalk Zone and Network Filters  8-24
    IP Multicast Routing (PIM and DVMRP)  8-24
    Redistribution Filters  8-24
    User Datagram Protocol (UDP) Helper  8-24
  Layer 4 Switching Features  8-25
    Session Switching  8-25
    TCP/UDP Access Policies  8-25
  Layer 4 Caching Features  8-25
    Transparent Cache Switching (TCS)  8-25
    TCS Policy Filters  8-25
  Load Balancing and Redundancy Features  8-26
    Server Load Balancing (SLB)  8-26
    Router Support for Globally-Distributed SLB  8-26
    Firewall Load Balancing  8-26
    Virtual Router Redundancy Protocol (VRRP)  8-26
    Foundry Server Redundancy Protocol (FSRP)  8-27
    Layer 4 Switch Redundancy  8-27

Chapter 9  Hardware Overview  9-1
  Chassis Systems  9-1
    BigIron  9-1
    NetIron Internet Backbone Router  9-3
    FastIron II Family  9-5
    NetIron and BigIron Redundant Management Modules  9-6
    BigIron Standard Management Modules  9-9
    NetIron and BigIron Forwarding Modules  9-10
  Stackable Devices  9-12
    FastIron Workgroup Layer 2 Switch  9-12
    ServerIron Switch  9-12
    NetIron Layer 3 Switch  9-13
    TurboIron Layer 2 and Layer 3 Switches  9-13
  System Architecture  9-13
    Chassis Architecture  9-13
    Stackable Architecture  9-13
  Physical View  9-15
    Slot and Port Numbers  9-16
    AC Power Connector  9-17
    Buffering  9-17
    Fans  9-17
    LEDs  9-17
    Ports  9-19
    Expansion Port Modules (Stackable Devices Only)  9-20
    AC Power Supply  9-20
    Standard and Redundant Power Options  9-20
    DC Power Supply  9-21
    Temperature Sensor  9-21
    Reset Button  9-21

Chapter 10  Configuring Basic Features  10-1
  Using the Web Management Interface for Basic Configuration Changes  10-2
  Configuring Basic System Parameters  10-3
    Entering System Administration Information  10-4
    Configuring Simple Network Management (SNMP) Parameters  10-5
    Configuring an Interface as the Source for All Telnet Packets  10-10
    Specifying a Simple Network Time Protocol (SNTP) Server  10-10
    Setting the System Clock  10-12
    Configuring the Syslog Service  10-14
    Changing the Default Gigabit Negotiation Mode  10-22
    Limiting Broadcast, Multicast, or Unknown-Unicast Rates  10-24
    Configuring CLI Banners  10-25
  Configuring Basic Port Parameters  10-26
    Assigning a Port Name  10-28
    Modifying Port Speed  10-29
    Modifying Port Mode  10-30
    Disabling or Re-Enabling a Port  10-30
    Disabling or Re-Enabling Flow Control  10-31
    Changing the 802.3x Gigabit Negotiation Mode  10-32
    Modifying Port Priority (QoS)  10-33
  Configuring Basic Layer 2 Parameters  10-33
    Enabling or Disabling the Spanning Tree Protocol (STP)  10-34
    Enabling or Disabling Layer 2 Switching (Layer 3 Switches Only)  10-36
    Changing the MAC Age Time  10-38
    Configuring Static MAC Entries  10-38
    Enabling Port-Based VLANs  10-40
    Configuring Trunk Groups  10-41
    Configuring IP Multicast Traffic Reduction (Layer 2 Switches Only)  10-56
    Defining MAC Address Filters  10-61
    Defining Broadcast and Multicast Filters  10-66
    Locking a Port to Restrict Addresses  10-68
  Configuring Basic Layer 3 Parameters  10-68
    Enabling or Disabling Routing Protocols  10-68
    Enabling IP or IPX Router Acceleration  10-69
  Displaying and Modifying System Parameter Default Settings  10-70
  Assigning a Mirror Port and Monitor Ports  10-73
    Displaying the Current Mirror and Monitor Port Configuration  10-74

Chapter 11  IronClad Quality of Service (QoS)  11-1
  The Queues  11-1
    Automatic Queue Mapping for IP Type of Service (ToS) Values  11-2
  Queuing Methods  11-3
    Selecting the Queuing Method  11-3
    Configuring the Queues  11-3
  Displaying the IronClad QoS Profile Configuration  11-10
  Assigning QoS Priorities to Traffic  11-11
    Changing a Port's Priority  11-11
    Changing a Layer 2 Port-Based VLAN's Priority  11-12
    Reassigning 802.1p Priorities to Different Queues  11-14
    Assigning Static MAC Entries to Priority Queues  11-16
    Assigning IP and Layer 4 Sessions to Priority Queues  11-18
    Assigning AppleTalk Sockets to Priority Queues  11-26
  Configuring a Utilization List for an Uplink Port  11-27
  Displaying Utilization Percentages for an Uplink  11-28

Chapter 12  Configuring Spanning Tree Protocol (STP) and IronSpan  12-1
  Configuring Standard STP Parameters  12-1
    STP Parameters and Defaults  12-2
    Enabling or Disabling the Spanning Tree Protocol (STP)  12-3
    Changing STP Bridge and Port Parameters  12-4
    Displaying STP Information  12-7
  Configuring IronSpan Features  12-16
    Fast Port Span  12-16
    Fast Uplink Span  12-18
    Single Spanning Tree  12-19
    PVST/PVST+ Compatibility  12-23
    Enabling PVST/PVST+ Statically  12-24
    Displaying PVST Information  12-25
Chapter 13  Using Access Control Lists (ACLs)  13-1
  Overview  13-1
  Usage Guidelines for Access Control Lists (ACLs)  13-2
    ACL Support on the Foundry Products  13-2
    ACL IDs and Entries  13-3
    Default ACL Action  13-3
    Controlling Management Access to the Device  13-4
    ACL Logging  13-4
    Support for up to 4096 Access Control Lists (ACLs)  13-4
  Disabling or Re-Enabling Access Control Lists (ACLs)  13-5
    Enabling ACL Mode  13-5
    Disabling ACL Mode  13-6
  Configuring Standard ACLs  13-6
    Standard ACL Syntax  13-7
  Configuring Extended ACLs  13-10
    Filtering on IP Precedence and ToS Values  13-11
    Extended ACL Syntax  13-12
  Configuring Named ACLs  13-19
  Modifying ACLs  13-20
  Applying an ACL to a Subset of Ports on a Virtual Interface  13-22
  Enabling Strict TCP or UDP Mode  13-22
    Enabling Strict TCP Mode  13-23
    Enabling Strict UDP Mode  13-23
  Displaying ACLs  13-24
  Displaying the Log Entries  13-24
  Policy-Based Routing (PBR)  13-25
    Configuring PBR  13-26
    Enabling PBR  13-28
    Configuration Examples  13-28

Chapter 14  IronClad Rate Limiting  14-1
  Fixed Rate Limiting  14-2
    How Fixed Rate Limiting Works  14-2
    Configuring Fixed Rate Limiting  14-3
    Displaying Fixed Rate Limiting Information  14-3
  Adaptive Rate Limiting  14-5
    Examples of Adaptive Rate Limiting Applications  14-6
    Adaptive Rate Limiting Parameters  14-9
    How Adaptive Rate Limiting Works  14-11
    Configuring Adaptive Rate Limiting  14-14
    Complete CLI Examples  14-19
    Disabling Rate Limiting Exemption for Control Packets  14-21
Chapter 15  Configuring IP  15-1
  Basic Configuration  15-1
  Overview  15-2
    IP Interfaces  15-2
    IP Packet Flow Through a Layer 3 Switch  15-3
    IP Route Exchange Protocols  15-7
    IP Multicast Protocols  15-7
    IP Interface Redundancy Protocols  15-8
    Network Address Translation  15-8
    Access Control Lists and IP Access Policies  15-8
  Basic IP Parameters and Defaults – Layer 3 Switches  15-9
    When Parameter Changes Take Effect  15-9
    IP Global Parameters – Layer 3 Switches  15-10
    IP Interface Parameters – Layer 3 Switches  15-14
  Basic IP Parameters and Defaults – Layer 2 Switches  15-16
    IP Global Parameters – Layer 2 Switches  15-16
    Interface IP Parameters – Layer 2 Switches  15-18
  Configuring IP Parameters – Layer 3 Switches  15-19
    Configuring IP Addresses  15-19
    Configuring Domain Name Server (DNS) Resolver  15-23
    Configuring Packet Parameters  15-24
    Changing the Router ID  15-26
    Specifying a Single Source Interface for Telnet, TACACS/TACACS+, or RADIUS Packets  15-27
    Configuring ARP Parameters  15-29
    Rate Limiting ARP Packets  15-30
    Configuring Forwarding Parameters  15-35
    Disabling ICMP Messages  15-37
    Disabling ICMP Redirects  15-39
    Configuring Static Routes  15-39
    Configuring a Default Network Route  15-49
    Configuring IP Load Sharing  15-51
    Optimizing the IP Forwarding Cache  15-63
    Configuring IRDP  15-66
    Configuring RARP  15-68
    Configuring UDP Broadcast and IP Helper Parameters  15-70
    Configuring BOOTP/DHCP Forwarding Parameters  15-73
  Configuring IP Parameters – Layer 2 Switches  15-76
    Configuring the Management IP Address and Specifying the Default Gateway  15-76
    Configuring Domain Name Server (DNS) Resolver  15-77
    Changing the TTL Threshold  15-79
C
ONFIGURING DHCP ASSIST ...........................................................................................................15-79
D
ISPLAYING IP CONFIGURATION INFORMATION AND STATISTICS ...............................................................15-83
C
HANGING THE NETWORK MASK DISPLAY TO PREFIX FORMAT ..........................................................15-83
Displaying IP Information – Layer 3 Switches ..... 15-83
Displaying IP Information – Layer 2 Switches ..... 15-104
Chapter 16 Configuring RIP ..... 16-1
ICMP Host Unreachable Message for Undeliverable ARPs ..... 16-1
RIP Parameters and Defaults ..... 16-1
RIP Global Parameters ..... 16-1
RIP Interface Parameters ..... 16-3
Configuring RIP Parameters ..... 16-3
Enabling RIP ..... 16-3
Changing the RIP Type on a Port ..... 16-4
Configuring Metric Parameters ..... 16-5
Changing the Administrative Distance ..... 16-6
Configuring Redistribution ..... 16-7
Configuring Route Learning and Advertising Parameters ..... 16-9
Changing the Route Loop Prevention Method ..... 16-12
Suppressing RIP Route Advertisement on a VRRP or VRRPE Backup Interface ..... 16-13
Configuring RIP Route Filters ..... 16-13
Displaying RIP Filters ..... 16-16
Displaying CPU Utilization Statistics ..... 16-18
Chapter 17 Configuring OSPF ..... 17-1
Overview of OSPF ..... 17-1
Designated Routers in Multi-Access Networks ..... 17-2
Designated Router Election ..... 17-3
OSPF RFC 1583 and 2178 Compliance ..... 17-4
Reduction of Equivalent AS External LSAs ..... 17-4
Dynamic OSPF Activation and Configuration ..... 17-6
Dynamic OSPF Memory ..... 17-6
Configuring OSPF ..... 17-7
Configuration Rules ..... 17-7
OSPF Parameters ..... 17-7
Enable OSPF on the Router ..... 17-8
Assign OSPF Areas ..... 17-9
Assigning an Area Range (Optional) ..... 17-15
Assigning Interfaces to an Area ..... 17-16
Modify Interface Defaults ..... 17-18
Block Flooding of Outbound LSAs on Specific OSPF Interfaces ..... 17-20
Assign Virtual Links ..... 17-21
Modify Virtual Link Parameters ..... 17-24
Define Redistribution Filters ..... 17-26
Modify Default Metric for Redistribution ..... 17-29
Enable Route Redistribution ..... 17-30
Disable or Re-Enable Load Sharing ..... 17-32
Configure External Route Summarization ..... 17-33
Configure Default Route Origination ..... 17-34
Modify SPF Timers ..... 17-35
Modify Redistribution Metric Type ..... 17-35
Modify Administrative Distance ..... 17-36
Configure OSPF Group Link State Advertisement (LSA) Pacing ..... 17-36
Modify OSPF Traps Generated ..... 17-37
Modify OSPF Standard Compliance Setting ..... 17-38
Modify Exit Overflow Interval ..... 17-39
Modify the Maximum Number of Routes ..... 17-39
Modify LSDB Limits ..... 17-40
Displaying OSPF Information ..... 17-41
Displaying General OSPF Configuration Information ..... 17-41
Displaying CPU Utilization Statistics ..... 17-42
Displaying OSPF Area Information ..... 17-43
Displaying OSPF Neighbor Information ..... 17-44
Displaying OSPF Interface Information ..... 17-46
Displaying OSPF Route Information ..... 17-46
Displaying OSPF External Link State Information ..... 17-48
Displaying OSPF Link State Information ..... 17-49
Displaying the Data in an LSA ..... 17-49
Displaying OSPF Virtual Neighbor Information ..... 17-50
Displaying OSPF Virtual Link Information ..... 17-50
Displaying OSPF ABR and ASBR Information ..... 17-51
Displaying OSPF Trap Status ..... 17-51
Chapter 18 Configuring IP Multicast Protocols ..... 18-1
Overview of IP Multicasting ..... 18-1
Multicast Terms ..... 18-1
Changing Global IP Multicast Parameters ..... 18-2
Changing IGMP Parameters ..... 18-2
Enabling Hardware Forwarding for All Fragments of IP Multicast Packets ..... 18-4
PIM Dense Overview ..... 18-4
Initiating PIM Multicasts on a Network ..... 18-4
Pruning a Multicast Tree ..... 18-4
Grafts to a Multicast Tree ..... 18-6
Configuring PIM ..... 18-7
Enabling PIM on the Router and an Interface ..... 18-7
Modifying PIM Global Parameters ..... 18-8
Modifying PIM Interface Parameters ..... 18-11
PIM Sparse Overview ..... 18-12
PIM Sparse Router Types ..... 18-12
RP Paths and SPT Paths ..... 18-13
Configuring PIM Sparse ..... 18-13
Limitations in This Release ..... 18-13
Configuring Global Parameters ..... 18-14
Configuring PIM Interface Parameters ..... 18-14
Configuring PIM Sparse Global Parameters ..... 18-15
Statically Specifying the RP ..... 18-16
Changing the Shortest Path Tree (SPT) Threshold ..... 18-17
Changing the PIM Join and Prune Message Interval ..... 18-17
Displaying PIM Sparse Configuration Information and Statistics ..... 18-18
Configuring Multicast Source Discovery Protocol (MSDP) ..... 18-30
Peer Reverse Path Forwarding (RPF) Flooding ..... 18-31
Source Active Caching ..... 18-31
Configuring MSDP ..... 18-31
Displaying MSDP Information ..... 18-32
Clearing MSDP Information ..... 18-38
DVMRP Overview ..... 18-39
Initiating DVMRP Multicasts on a Network ..... 18-39
Pruning a Multicast Tree ..... 18-39
Grafts to a Multicast Tree ..... 18-41
Configuring DVMRP ..... 18-42
Enabling DVMRP on the Router and Interface ..... 18-42
Modifying DVMRP Global Parameters ..... 18-43
Modifying DVMRP Interface Parameters ..... 18-47
Configuring an IP Tunnel ..... 18-50
Configuring a Static Multicast Route ..... 18-52
Tracing a Multicast Route ..... 18-53
Displaying Another Multicast Router's Multicast Configuration ..... 18-55
Chapter 19 Configuring BGP4 ..... 19-1
Overview of BGP4 ..... 19-2
Relationship Between the BGP4 Route Table and the IP Route Table ..... 19-2
How BGP4 Selects a Path for a Route ..... 19-3
BGP4 Message Types ..... 19-4
Basic Configuration and Activation for BGP4 ..... 19-6
Note Regarding Disabling BGP4 ..... 19-6
BGP4 Parameters ..... 19-7
When Parameter Changes Take Effect ..... 19-9
Memory Considerations ..... 19-9
Memory Configuration Options Obsoleted by Dynamic Memory ..... 19-10
Configuring BGP4 ..... 19-10
Basic Configuration Tasks ..... 19-11
Enabling BGP4 on the Router ..... 19-11
Changing the Router ID ..... 19-12
Setting the Local AS Number ..... 19-13
Adding a Loopback Interface ..... 19-13
Adding BGP4 Neighbors ..... 19-14
Adding a BGP4 Peer Group ..... 19-21
Optional Configuration Tasks ..... 19-27
Changing the Keep Alive Time and Hold Time ..... 19-27
Enabling Fast External Fallover ..... 19-27
Changing the Maximum Number of Paths for BGP4 Load Sharing ..... 19-28
Specifying a List of Networks to Advertise ..... 19-30
Changing the Default Local Preference ..... 19-32
Advertising the Default Information Originate ..... 19-32
Changing the Default MED (Metric) Used for Route Redistribution ..... 19-33
Changing Administrative Distances ..... 19-33
Configuring the Layer 3 Switch to Always Compare Multi-Exit Discriminators (MEDs) ..... 19-35
Synchronizing Routes ..... 19-36
Automatically Summarizing Subnet Routes into Class A, B, or C Networks ..... 19-36
Configuring Route Reflection Parameters ..... 19-37
Configuring Confederations ..... 19-40
Aggregating Routes Advertised to BGP4 Neighbors ..... 19-43
Modifying Redistribution Parameters ..... 19-45
Filtering Specific IP Addresses ..... 19-48
Filtering AS-Paths ..... 19-50
Filtering Communities ..... 19-55
Defining IP Prefix Lists ..... 19-58
Defining Neighbor Distribute Lists ..... 19-61
Defining Route Maps ..... 19-63
Using a Table Map to Set the Tag Value ..... 19-72
Configuring Route Flap Dampening ..... 19-73
Globally Configuring Route Flap Dampening ..... 19-73
Using a Route Map to Configure Route Flap Dampening for Specific Routes ..... 19-75
Using a Route Map to Configure Route Flap Dampening for a Specific Neighbor ..... 19-80
Removing Route Dampening from a Route ..... 19-82
Displaying and Clearing Route Flap Dampening Statistics ..... 19-83
Statically Allocating Memory in Earlier Software Releases ..... 19-84
Changing the Maximum Number of Neighbors ..... 19-84
Changing the Maximum Number of Routes ..... 19-85
Changing the Maximum Number of Route-Attribute Entries ..... 19-86
Displaying BGP4 Information ..... 19-88
Displaying Summary BGP4 Information ..... 19-88
Displaying the Active BGP4 Configuration ..... 19-91
Displaying CPU Utilization Statistics ..... 19-91
Displaying Summary Neighbor Information ..... 19-92
Displaying BGP4 Neighbor Information ..... 19-95
Displaying Summary Route Information ..... 19-107
Displaying the BGP4 Route Table ..... 19-107
Displaying BGP4 Route-Attribute Entries ..... 19-114
Displaying the Routes BGP4 Has Placed in the IP Route Table ..... 19-116
Displaying Route Flap Dampening Statistics ..... 19-116
Displaying the Active Route Map Configuration ..... 19-118
Clearing Traffic Counters ..... 19-118
Clearing Route Flap Dampening Statistics ..... 19-119
Updating Route Information and Resetting a Neighbor Session ..... 19-119
Dynamically Requesting a Route Refresh from a BGP4 Neighbor ..... 19-119
Closing or Resetting a Neighbor Session ..... 19-121
Removing Route Flap Dampening ..... 19-122
Clearing Diagnostic Buffers ..... 19-123
Chapter 20 Network Address Translation ..... 20-1
Port Address Translation ..... 20-3
Maximum Number of Addresses ..... 20-4
Protocols Supported for NAT ..... 20-4
Configuring NAT ..... 20-4
Configuring Static Address Translations ..... 20-5
Configuring Dynamic NAT Parameters ..... 20-5
Enabling NAT ..... 20-7
Changing Translation Table Timeouts ..... 20-7
Displaying the Active NAT Translations ..... 20-8
Displaying NAT Statistics ..... 20-9
Clearing Translation Table Entries ..... 20-11
NAT Debug Commands ..... 20-12
Configuration Examples ..... 20-14
Private NAT Clients Connected to the Layer 3 Switch by a Layer 2 Switch ..... 20-14
Private NAT Clients Connected Directly to the Layer 3 Switch ..... 20-16
Chapter 21 Configuring VRRP and VRRPE ..... 21-1
Overview ..... 21-2
Overview of VRRP ..... 21-2
Overview of VRRPE ..... 21-6
Comparison of VRRP, VRRPE, and FSRP ..... 21-8
VRRP ..... 21-8
VRRPE ..... 21-8
FSRP ..... 21-8
Architectural Differences ..... 21-8
VRRP and VRRPE Parameters ..... 21-9
Configuring Basic VRRP Parameters ..... 21-12
Configuring the Owner ..... 21-12
Configuring a Backup ..... 21-12
Configuration Rules for VRRP ..... 21-12
Configuring Basic VRRPE Parameters ..... 21-13
Configuration Rules for VRRPE ..... 21-13
NOTE REGARDING DISABLING VRRP OR VRRPE ..... 21-13
CONFIGURING ADDITIONAL VRRP AND VRRPE PARAMETERS ..... 21-13
FORCING A MASTER ROUTER TO ABDICATE TO A STANDBY ROUTER ..... 21-18
DISPLAYING VRRP AND VRRPE INFORMATION ..... 21-19
DISPLAYING SUMMARY INFORMATION ..... 21-19
DISPLAYING DETAILED INFORMATION ..... 21-21
DISPLAYING STATISTICS ..... 21-27
CLEARING VRRP OR VRRPE STATISTICS ..... 21-30
DISPLAYING CPU UTILIZATION STATISTICS ..... 21-30
CONFIGURATION EXAMPLES ..... 21-31
VRRP EXAMPLE ..... 21-31
VRRPE EXAMPLE ..... 21-35
CHAPTER 22 CONFIGURING FSRP ..... 22-1
OVERVIEW OF FOUNDRY STANDBY ROUTER PROTOCOL (FSRP) ..... 22-1
FSRP SUPPORT ON VIRTUAL INTERFACES ..... 22-3
ACTIVE AND STANDBY ROUTERS ..... 22-3
TRACK PORTS ..... 22-3
INDEPENDENT OPERATION OF RIP AND OSPF ..... 22-5
DYNAMIC FSRP CONFIGURATION ..... 22-5
DIFFERENCES BETWEEN FSRP AND VRRP ..... 22-5
CONFIGURING FSRP ..... 22-6
CONFIGURATION RULES FOR FSRP ..... 22-6
ENABLE FSRP ON THE ROUTER ..... 22-6
ASSIGN VIRTUAL ROUTER IP ADDRESSES ..... 22-7
ASSIGN THE TRACK PORT(S) ..... 22-8
ASSIGNING THE ACTIVE ROUTER ..... 22-8
MODIFY PORT PARAMETERS (OPTIONAL) ..... 22-9
CONFIGURING FSRP ON VIRTUAL INTERFACES ..... 22-11
CHAPTER 23 CONFIGURING IPX ..... 23-1
OVERVIEW OF IPX ..... 23-1
MULTIPLE IPX FRAME TYPE SUPPORT PER INTERFACE ..... 23-1
CONFIGURING IPX ..... 23-1
DYNAMIC IPX CONFIGURATION ..... 23-2
ENABLE IPX ..... 23-2
ENABLE NETBIOS ..... 23-3
ASSIGN IPX NETWORK NUMBER, FRAME TYPE, ENABLE NETBIOS ON AN INTERFACE ..... 23-3
DEFINE AND ASSIGN A FORWARD FILTER AND GROUP ..... 23-5
DEFINE AND ASSIGN AN IPX/RIP FILTER AND GROUP ..... 23-7
CONFIGURING IPX SAP ACCESS CONTROL LISTS (ACLS) ..... 23-9
ENABLE ROUND-ROBIN GNS REPLIES ..... 23-10
FILTER GNS REPLIES ..... 23-10
DISABLE GNS REPLIES ..... 23-11
MODIFY MAXIMUM SAP AND RIP ROUTE ENTRIES ..... 23-11
MODIFY RIP AND SAP HOP COUNT INCREMENT ..... 23-12
MODIFY THE RIP ADVERTISEMENT PACKET SIZE ..... 23-13
MODIFY THE SAP ADVERTISEMENT PACKET SIZE ..... 23-13
MODIFY THE RIP ADVERTISEMENT INTERVAL ..... 23-14
MODIFY THE SAP ADVERTISEMENT INTERVAL ..... 23-14
MODIFY THE AGE TIMER FOR LEARNED IPX ROUTES ..... 23-15
MODIFY THE AGE TIMER FOR LEARNED SAP ENTRIES ..... 23-15
DISPLAYING IPX CONFIGURATION INFORMATION AND STATISTICS ..... 23-16
DISPLAYING GLOBAL IPX CONFIGURATION INFORMATION ..... 23-16
DISPLAYING IPX INTERFACE INFORMATION ..... 23-17
DISPLAYING THE IPX FORWARDING CACHE ..... 23-19
DISPLAYING THE IPX ROUTE TABLE ..... 23-20
DISPLAYING THE IPX SERVER TABLE ..... 23-21
DISPLAYING IPX TRAFFIC STATISTICS ..... 23-22
CHAPTER 24 CONFIGURING APPLETALK ..... 24-1
OVERVIEW OF APPLETALK ..... 24-1
ADDRESS ASSIGNMENT ..... 24-1
NETWORK COMPONENTS ..... 24-1
ZONE FILTERING ..... 24-2
NETWORK FILTERING ..... 24-3
SEED AND NON-SEED ROUTERS ..... 24-3
APPLETALK COMPONENTS SUPPORTED ON FOUNDRY ROUTERS ..... 24-3
SESSION LAYER SUPPORT ..... 24-3
TRANSPORT LAYER SUPPORT ..... 24-3
NETWORK LAYER SUPPORT ..... 24-4
DATA LINK SUPPORT ..... 24-4
DYNAMIC APPLETALK ACTIVATION AND CONFIGURATION ..... 24-4
CONFIGURING APPLETALK ROUTING ..... 24-4
ENABLE APPLETALK ..... 24-4
CONFIGURING A SEED APPLETALK ROUTER ..... 24-5
CONFIGURING A NON-SEED APPLETALK ROUTER ..... 24-7
ENABLING APPLETALK ROUTING AT THE GLOBAL (SYSTEM) LEVEL ..... 24-8
ENABLE APPLETALK ROUTING ON AN INTERFACE ..... 24-8
MODIFYING APPLETALK INTERFACE CONFIGURATIONS ..... 24-9
FILTERING APPLETALK ZONES AND NETWORKS ..... 24-10
DEFINING ZONE FILTERS ..... 24-10
DEFINE ADDITIONAL ZONE FILTERS ..... 24-12
NETWORK FILTERING ..... 24-14
ROUTING BETWEEN APPLETALK VLANS USING VIRTUAL INTERFACES ..... 24-14
MODIFYING APPLETALK GLOBAL PARAMETERS ..... 24-17
APPLETALK ARP AGE ..... 24-17
APPLETALK ARP RETRANSMIT COUNT ..... 24-18
APPLETALK ARP RETRANSMIT INTERVAL ..... 24-18
APPLETALK GLEAN PACKETS ..... 24-19
APPLETALK QOS SOCKET ..... 24-19
APPLETALK RTMP UPDATE INTERVAL ..... 24-19
APPLETALK ZIP QUERY INTERVAL ..... 24-20
DISPLAYING APPLETALK INFORMATION ..... 24-20
CLEARING APPLETALK INFORMATION ..... 24-21
CHAPTER 25 CONFIGURING VIRTUAL LANS (VLANS) ..... 25-1
OVERVIEW ..... 25-1
TYPES OF VLANS ..... 25-1
DEFAULT VLAN ..... 25-5
802.1Q TAGGING ..... 25-6
SPANNING TREE PROTOCOL (STP) ..... 25-8
VIRTUAL INTERFACES ..... 25-9
VLAN AND VIRTUAL INTERFACE GROUPS ..... 25-10
DYNAMIC, STATIC, AND EXCLUDED PORT MEMBERSHIP ..... 25-10
SUPER AGGREGATED VLANS ..... 25-13
TRUNK GROUP PORTS AND VLAN MEMBERSHIP ..... 25-13
SUMMARY OF VLAN CONFIGURATION RULES ..... 25-14
ROUTING BETWEEN VLANS (ROUTERS ONLY) ..... 25-14
VIRTUAL INTERFACES (ROUTERS ONLY) ..... 25-14
BRIDGING AND ROUTING THE SAME PROTOCOL SIMULTANEOUSLY ON THE SAME DEVICE (ROUTERS ONLY) ..... 25-15
ROUTING BETWEEN VLANS USING VIRTUAL INTERFACES (ROUTERS ONLY) ..... 25-15
DYNAMIC PORT ASSIGNMENT (ROUTERS ONLY) ..... 25-15
DYNAMIC PORT ASSIGNMENT (LAYER 2 AND LAYER 3 SWITCHES) ..... 25-16
ASSIGNING A DIFFERENT VLAN ID TO THE DEFAULT VLAN ..... 25-16
ASSIGNING TRUNK GROUP PORTS ..... 25-16
CONFIGURING PORT-BASED VLANS ..... 25-16
MODIFYING A PORT-BASED VLAN ..... 25-20
CONFIGURING IP SUB-NET, IPX NETWORK AND PROTOCOL-BASED VLANS ..... 25-23
CONFIGURING IP SUB-NET, IPX NETWORK, AND PROTOCOL-BASED VLANS WITHIN PORT-BASED VLANS ..... 25-25
ROUTING BETWEEN VLANS USING VIRTUAL INTERFACES (ROUTERS ONLY) ..... 25-29
CONFIGURING APPLETALK CABLE VLANS ..... 25-34
CONFIGURATION GUIDELINES ..... 25-34
CONFIGURATION EXAMPLE ..... 25-35
CONFIGURING PROTOCOL VLANS WITH DYNAMIC PORTS ..... 25-37
AGING OF DYNAMIC PORTS ..... 25-37
CONFIGURATION GUIDELINES ..... 25-37
CONFIGURING AN IP, IPX, OR APPLETALK PROTOCOL VLAN WITH DYNAMIC PORTS ..... 25-37
CONFIGURING AN IP SUB-NET VLAN WITH DYNAMIC PORTS ..... 25-38
CONFIGURING AN IPX NETWORK VLAN WITH DYNAMIC PORTS ..... 25-39
CONFIGURING UPLINK PORTS WITHIN A PORT-BASED VLAN ..... 25-39
CONFIGURING THE SAME IP SUB-NET ADDRESS ON MULTIPLE PORT-BASED VLANS ..... 25-40
CONFIGURING VLAN GROUPS AND VIRTUAL INTERFACE GROUPS ..... 25-43
CONFIGURING A VLAN GROUP ..... 25-43
CONFIGURING A VIRTUAL INTERFACE GROUP ..... 25-44
DISPLAYING THE VLAN GROUP AND VIRTUAL INTERFACE GROUP INFORMATION ..... 25-45
ALLOCATING MEMORY FOR MORE VLANS OR VIRTUAL INTERFACES ..... 25-45
CONFIGURING SUPER AGGREGATED VLANS ..... 25-47
CONFIGURING AGGREGATED VLANS ..... 25-50
COMPLETE CLI EXAMPLES ..... 25-51
CONFIGURING MAC VLANS (STACKABLE FASTIRON BACKBONE LAYER 2 SWITCH ONLY) ..... 25-54
CONFIGURING A MAC VLAN LIST ..... 25-55
LOADING A MAC VLAN LIST ..... 25-56
SPECIFYING A DEFAULT VLAN FOR MAC ADDRESSES THAT ARE NOT IN THE MAC VLAN LIST ..... 25-56
CLEARING MAC VLAN ENTRIES FROM THE MAC TABLE ..... 25-57
CONFIGURING VLANS USING THE WEB MANAGEMENT INTERFACE ..... 25-57
CONFIGURING A PORT-BASED VLAN ..... 25-57
CONFIGURING A PROTOCOL-BASED VLAN ..... 25-58
CONFIGURING AN IP SUB-NET VLAN ..... 25-59
CONFIGURING AN IPX NETWORK VLAN ..... 25-61
CONFIGURING AN APPLETALK CABLE VLAN ..... 25-62
DISPLAYING VLAN INFORMATION ..... 25-63
DISPLAYING SYSTEM-WIDE VLAN INFORMATION ..... 25-63
DISPLAYING VLAN INFORMATION FOR SPECIFIC PORTS ..... 25-64
CHAPTER 26 ROUTE HEALTH INJECTION ..... 26-1
CONFIGURATION EXAMPLE ..... 26-2
HTTP HEALTH CHECK ALGORITHM ..... 26-4
CONFIGURATION CONSIDERATIONS ..... 26-5
CLI SYNTAX ..... 26-5
GLOBAL CONFIG LEVEL ..... 26-5
REAL SERVER LEVEL ..... 26-5
INTERFACE LEVEL ..... 26-6
CONFIGURING THE HTTP HEALTH CHECK ON THE LAYER 3 SWITCH ..... 26-6
CLI COMMANDS FOR NETIRON N1 ..... 26-7
CLI COMMANDS FOR BIGIRON B1 ..... 26-7
CLI COMMANDS FOR NETIRON N2 ..... 26-8
DISPLAYING SERVER AND APPLICATION PORT INFORMATION ..... 26-8
DISPLAYING SERVER INFORMATION ..... 26-8
DISPLAYING KEEPALIVE INFORMATION ..... 26-9
APPENDIX A PROTECTING AGAINST DENIAL OF SERVICE ATTACKS ..... A-1
PROTECTING AGAINST SMURF ATTACKS ..... A-1
AVOIDING BEING AN INTERMEDIARY IN A SMURF ATTACK ..... A-2
AVOIDING BEING A VICTIM IN A SMURF ATTACK ..... A-2
PROTECTING AGAINST TCP SYN ATTACKS ..... A-3
DISPLAYING STATISTICS ABOUT PACKETS DROPPED BECAUSE OF DOS ATTACKS ..... A-4
APPENDIX B NETWORK MONITORING ..... B-1
RMON SUPPORT ..... B-1
STATISTICS (RMON GROUP 1) ..... B-1
HISTORY (RMON GROUP 2) ..... B-2
ALARM (RMON GROUP 3) ..... B-2
EVENT (RMON GROUP 9) ..... B-3
VIEWING SYSTEM INFORMATION ..... B-3
VIEWING CONFIGURATION INFORMATION ..... B-3
VIEWING PORT STATISTICS ..... B-4
VIEWING STP STATISTICS ..... B-4
CLEARING STATISTICS ..... B-5
APPENDIX C POLICIES AND FILTERS ..... C-1
SCOPE ..... C-2
DEFAULT FILTER ACTIONS ..... C-3
POLICY AND FILTER PRECEDENCE ..... C-4
QOS ..... C-4
PRECEDENCE AMONG FILTERS ON DIFFERENT LAYERS ..... C-4
PRECEDENCE AMONG FILTERS ON THE SAME LAYER ..... C-5
FOUNDRY POLICIES ..... C-5
QUALITY-OF-SERVICE POLICIES ..... C-6
LAYER 3 POLICIES ..... C-8
LAYER 4 POLICIES ..... C-20
FOUNDRY FILTERS ..... C-23
LAYER 2 FILTERS ..... C-24
LAYER 3 FILTERS ..... C-28
LAYER 4 FILTERS ..... C-39
APPENDIX D HARDWARE SPECIFICATIONS ..... D-1
ELECTRICAL SPECIFICATIONS ..... D-1
PHYSICAL DIMENSIONS ..... D-2
OPERATING ENVIRONMENT ..... D-3
STORAGE ENVIRONMENT ..... D-3
ELECTROMAGNETIC EMISSIONS ..... D-3
SAFETY AGENCY APPROVALS ..... D-3
APPENDIX E SOFTWARE SPECIFICATIONS ..... E-1
STANDARDS COMPLIANCE ..... E-1
RFC SUPPORT ..... E-2
INTERNET DRAFTS ..... E-4
Chapter 1
Getting Started
Introduction
This guide describes the Layer 2 Switch, Layer 3 Switch, and ServerIron product families and features from Foundry Networks. Procedures are provided for installing the hardware and configuring the software. The software procedures show how to perform tasks using the CLI and using the Web management interface.
This guide also describes how to monitor Foundry products using statistics and summary screens.
Audience
This manual is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing.
If you are using a Foundry Layer 3 Switch, you should be familiar with the following protocols if applicable to your network – IP, RIP, OSPF, BGP4, IGMP, PIM, DVMRP, IPX, AppleTalk, FSRP, and VRRP.
Nomenclature
This guide uses the following typographical conventions to show information:
Italic highlights the title of another publication and occasionally emphasizes a word or phrase.
Bold highlights a CLI command.
Bold Italic highlights a term that is being defined.
Underline highlights a link on the Web management interface.
Capitals highlights field names and buttons that appear in the Web management interface.
NOTE: A note emphasizes an important fact or calls your attention to a dependency.
WARNING: A warning calls your attention to a possible hazard that can cause injury or death.
CAUTION: A caution calls your attention to a possible hazard that can damage equipment.
Related Publications
The following Foundry Networks documents supplement the information in this guide.
Foundry Switch and Router Command Line Interface Reference – provides a list and syntax information for all the switch and router CLI commands.
Foundry Diagnostic Guide – provides descriptions of diagnostic commands that can help you diagnose and solve issues on switches and Layer 3 Switches.
Foundry ServerIron Installation and Configuration Guide – provides complete information about the Foundry ServerIron and its Server Load Balancing (SLB), Transparent Cache Switching (TCS), and Firewall Load Balancing (FWLB) features.
ServerIron Application Guide – provides setup procedures for the ServerIron’s Layer 4 – 7 features.
IronView Network Management User’s Guide – provides information about the IronView SNMP management application for the Foundry Networks product family. The guide describes how to install the IronView SNMP application and how to make and save configuration changes on Foundry Layer 2 Switches and Layer 3 Switches. The guide also describes how to monitor Foundry products using statistics and summary screens.
To order additional copies of these manuals, do one of the following:
Call 1-877-TURBOCALL (887-2622) in the United States or 408.586.1881 outside the United States.
Send email to info@foundrynet.com.
What’s New In This Edition?
The following tables list the new features and changes since the last edition of the manual (September 2000).
New Hardware
Layer 3 Enhancements
Hardware Description See Page
NetIron 1500 A 15-slot NetIron Chassis device
BigIron 15000 A 15-slot BigIron Chassis device
FastIron III A 15-slot FastIron Chassis device
FastIron II management modules that support redundancy
You can add management redundancy to a FastIron II by installing two of the new FastIron II management modules that support redundant configuration.
9-5
NetIron and BigIron mini-GBIC management module
This new management module provides eight slots for mini­GBICs and supports redundant configurations.
9-7
Enhancement Description See Page
Authentication encryption for OSPF
By default, the software now encrypts OSPF text passwords and MD5 authentication keys configured on a Layer 3 Switch.
17-20
17-25
Page 29
Getting Started
December 2000 1 - 3
System Level Enhancements
Authentication encryption for BGP4
By default, the software now encrypts the MD5 authentication strings associated with BGP4 neighbors and neighbor peer groups.
19-20
Enhancement Description See Page
Rate limiting for ARP packets You can limit the number of ARP packets the Foundry device
receives each second.
15-30
Configurable link hold-down timer
A new CLI command, interface link-hold-down, lets you specify a number of milliseconds you want the software to wait before bringing up a specific port following a software reload. Enter this command at the global CONFIG level of the CLI.
Note: This enhancement applies only to Layer 3 Switches.
does not affect this document
New CLI command to display CPU utilization statistics
The show process cpu command shows the percentage of CPU processing that each protocol has used since startup and had used at various time intervals.
12-11
15-86
16-18
17-42
19-91
21-30
New CLI command to display detailed Spanning Tree Protocol (STP) information
The show span detail command displays detailed STP information for each port on the device.
12-12
Enhancement to show vlan command
The show vlan command orders the display of VLANs according to VLAN ID. In previous software releases, the command displayed the VLANs according to the order in which they were configured.
does not affect this document
Configuration changes to IP multicast traffic reduction no longer require a software reload
Changes to a Layer 2 Switch's IP multicast traffic reduction feature do not require a software reload. You can set or change any of the configurable parameters and the change takes effect immediately.
does not affect this document
New commands for displaying and clearing IP multicast traffic reduction statistics
You can display IGMP traffic statistics for VLANs, clear traffic statistics, and display and clear IGMP report statistics on an individual multicast group basis.
10-60
Configurable block size for TFTP file transfers
You can change the size of the data blocks the software uses when you use TFTP to transfer a file to or from the Foundry device.
7-3
Option to suppress Telnet connection rejection messages
You can disable the message that the Foundry device sends to a Telnet client that is denied access to the device.
3-9
How to Get Help
Foundry Networks technical support will ensure that the fast and easy access that you have come to expect from your Foundry Networks products will be maintained.
Web Access
http://www.foundrynetworks.com
Email Access
Technical requests can also be sent to the following email address:
support@foundrynet.com
Telephone Access
1-877-TURBOCALL (887-2622) United States
408.586.1881 Outside the United States
Warranty Coverage
Contact Foundry Networks using any of the methods listed above for information about the standard and extended warranties.
Enhanced software version information
The show version and show flash commands provide more information about the software on the device.
does not affect this document
New strict mode for ACL processing of UDP traffic
You can configure a Foundry device to send all UDP packets to the CPU for ACL comparison, instead of just the first UDP packet with specific source and destination information.
13-23
New MIB tables for Adaptive Rate Limiting
The Foundry MIB contains two new tables for port and VLAN Adaptive Rate Limiting information.
snPortCARTable – Contains port-related management objects
snVLanCARTable – Contains VLAN-related management objects
The Foundry MIB is contained in the MIBxxxxx.mib file, where xxxxx is the flash code version of the corresponding software release. For example, MIB file MIB07105.mib corresponds with software release 07.1.05.
does not affect this document
Chapter 2
Installing a Foundry Layer 2 Switch or Layer 3 Switch
This chapter describes how to install Foundry Layer 2 Switches and Layer 3 Switches and attach them to your network. For information about basic software configuration, see Configuring Basic Features on page 10-1.
Unpacking a System
The Foundry systems ship with all of the following items. Please review the list below and verify the contents. If any items are missing, please contact the place of purchase.
Package Contents
Foundry Networks Layer 2 Switch or Layer 3 Switch
115V AC power cable
Rack mount brackets and mounting screws
CD-ROM containing software images and the user documentation (including this guide)
Warranty card
General Requirements
To manage the system, you need the following items for serial connection to the switch or router:
A management station, such as a PC running a terminal emulation application.
A straight-through EIA/TIA DB-9 serial cable (M/F). The serial cable can be ordered separately from Foundry Networks. If you prefer to build your own cable, see the pinout information in Attaching a PC or Terminal on page 2-14.
You use the serial connection to perform basic configuration tasks including assigning an IP address and network mask to the system. This information is required for managing the system using the Web management interface or IronView or using the CLI through Telnet.
WARNING: Do not use the handles on the power supply units to lift or carry a Chassis device.
Summary of Installation Procedures
Follow the steps listed below to install your Layer 2 Switch or Layer 3 Switch. Details for each of the steps highlighted below are provided later in this chapter.
1. Ensure that the physical environment that will host the device has the proper cabling and ventilation. See Preparing the Installation Site on page 2-3.
2. Chassis devices only – If needed, insert or remove chassis modules. There are many optional modules designed for the module slots on the Chassis devices. Depending on where you plan to install a device, it might be easier to install the modules first. However, the modules are hot swappable, and can be installed or removed after the device is mounted and powered-on. See Installing or Removing Optional Modules (Chassis Devices Only) on page 2-4.
NOTE: If you are installing redundant management modules (Management II or higher), see Using Redundant Management Modules on page 5-1 for complete installation, configuration, and management instructions for the modules.
3. Chassis devices only – Optionally insert or remove redundant power supplies. The 4-slot Chassis devices can hold one or two power supplies. The 4-slot and 15-slot Chassis devices can hold up to four power supplies. If you need to install a power supply, it may be easier to install it before mounting the device, although the power supplies are hot swappable, and can be installed or removed after the device is mounted and powered-on. See Installing or Removing Redundant Power Supplies (Chassis Devices Only) on page 2-6.
CAUTION: Remove the power cord from a power supply before you install it in or remove it from the device. Otherwise, the power supply or the device could be damaged as a result. (The device can be running while a power supply is being installed or removed, but the power supply itself should not be connected to a power source.)
4. Chassis devices only – Optionally replace cooling fans. Generally, this procedure is not required during installation but is included in case you ever need to replace a fan after the device is placed in operation. See Replacing Fans (4-Slot and 8-Slot Chassis Devices Only) on page 2-10 or Replacing a Fan Tray (15-Slot Chassis Devices Only) on page 2-13.
5. Verify that the system and module LEDs are registering the proper LED state after power-on of the system. See Verifying Proper Operation on page 2-13.
6. A terminal or PC serial port connection is all that is required to support configuration on the device. See Attaching a PC or Terminal on page 2-14.
7. No default password is assigned to the Command Line Interface (CLI). For additional access security, assign a password. See Assigning Permanent Passwords on page 2-16.
8. Before attaching equipment to the device, you need to configure an interface IP address to the sub-net on which it will be located. Initial IP address configuration is performed using the CLI with a direct serial connection. Subsequent IP address configuration can be performed using the Web management interface. See Configuring IP Addresses on page 2-17.
9. Foundry devices can be installed on a desktop or in an equipment rack. See Mounting the Chassis or Stackable Device on page 2-19.
10. Once the device is physically installed, plug the device into a nearby power source that adheres to the regulatory requirements outlined in this manual. See Powering On a System on page 2-21.
11. Once you power on the device and assign IP addresses, the system is ready to accept network equipment. See Connecting Network Devices on page 2-22.
12. Test IP connectivity to other devices by pinging them and tracing routes. See Testing Connectivity on page 2-26.
13. Continue configuring the device using the CLI or the Web management interface. See Managing the Device on page 2-27.
NOTE: You also can use IronView to manage the device. See the IronView Network Management User’s Guide for information.
14. Secure access to the device. See Securing Access to Management Functions on page 3-1.
Installation Precautions
Follow these precautions when installing a Foundry device:
WARNING: The Chassis devices are heavy when fully populated with modules and power supplies. TWO OR MORE PEOPLE ARE REQUIRED WHEN LIFTING, HANDLING, OR MOUNTING THESE DEVICES.
WARNING: Do not use the handles on the power supply units to lift or carry Chassis devices.
WARNING: Make sure the rack or cabinet housing the device is adequately secured to prevent it from becoming unstable or falling over.
WARNING: Mount the devices you install in a rack or cabinet as low as possible, placing the heaviest device at the bottom and progressively placing lighter devices above.
CAUTION:
Make sure that the power source circuits are properly grounded, then use the power cord supplied with the device to connect it to the power source.
If the installation requires a different power cord than the one supplied with the device, make sure you use a power cord displaying the mark of the safety agency that defines the regulations for power cords in your country. The mark is your assurance that the power cord can be used safely with the device.
Ensure that the device does not overload the power circuits, wiring, and over-current protection. To determine the possibility of overloading the supply circuits, add the ampere ratings of all devices installed on the same circuit as the device. Compare this total with the rating limit for the circuit. The maximum ampere ratings are usually printed on the devices near the AC power connectors.
Do not install the device in an environment where the operating ambient temperature might exceed 40° C (104° F).
Make sure the air flow around the front, sides, and back of the device is not restricted.
To provide additional safety and proper airflow to the device, make sure that slot cover plates are installed on all chassis slots that do not have either a module or power supply installed.
Never leave tools or body parts inside the chassis.
Preparing the Installation Site
Cabling Infrastructure
Ensure that the proper cabling is installed in the site. See Hardware Overview on page 9-1 for a summary of supported cabling types and their specifications.
Installation Location
Before installing the device, plan its location and orientation relative to other devices and equipment. Allow at least 3" of space at the front of the device for the twisted-pair, fiber-optic, and power cabling. Also, allow a minimum of 3" of space between the sides and the back of the device and walls or other obstructions.
Installing or Removing Optional Modules (Chassis Devices Only)
NOTE: If you are installing redundant management modules (Management II or higher), see Using Redundant
Management Modules on page 5-1 for complete installation, configuration, and management instructions for the modules.
Installing Modules
To install a module in the chassis, do the following:
1. Put on an ESD wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
WARNING: To avoid risk of shock, do not attach the clip end to the air flow panel of the power supply.
2. Remove the blank face plate from the slot in which the module will be installed. Place the blank face plate in a safe place for future use.
3. Remove the module from its packaging.
4. Insert the module into the chassis slot and slide the card along the card guide until the card ejectors on the front of the module touch the chassis.
NOTE: Modules for the 8-slot and 15-slot Chassis devices slide in vertically with port number 1 at the top (Figure 2.4). Modules for the 4-slot Chassis devices slide in horizontally with port number 1 on the left (Figure 2.5).
5. Push the ejectors toward the center of the module until they are flush with the front panel of the module. The module will be fully seated in the backplane.
6. Tighten the two screws at either end of the module.
CAUTION: If one or more of the slots remains unused, make sure that a slot cover plate is still attached over each unused slot for safe operation and proper system cooling.
NOTE: If installing a module into a slot previously occupied by a different type of module, you must use the CLI to configure the new module (use the CLI command module <slot-num> <module-type>) and then use the write memory command to save the configuration and the reload command to reset the device. See Swapping Modules (Chassis devices only) on page 2-31. If the slot has never contained a module or you are swapping in exactly the same type of module, you do not need to enter these commands.
Figure 2.1 Installing a module
Removing Modules
To remove a module from the chassis, do the following:
1. Put on an ESD wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
WARNING: To avoid risk of shock, do not attach the clip end to the air flow panel of the power supply.
2. Loosen the two screws on the ends of the module.
3. Pull the card ejectors towards you, and away from the module front panel. The card will unseat from the backplane.
4. Pull the module out of the chassis and place in an anti-static bag for storage.
5. Cover the slot with the blank face plate that shipped with the chassis.
CAUTION: If you remove a module and do not replace it, cover the slot opening with one of the blank plates you received with the device to provide additional safety and airflow for the system.
NOTE: Modules can be installed and removed when the unit is powered on (hot swap). You do not need to power the system down. You do not need to change the slot's configuration unless you plan to insert a different type of module. See Swapping Modules (Chassis devices only) on page 2-31.
Installing or Removing Redundant Power Supplies (Chassis Devices Only)
Determining Power Supply Status
If you are replacing a power supply that has failed and you are not sure which supply has failed, enter the following command at any CLI command prompt:
BigIron# show chassis
This command displays status information for the fans and the power supplies. The power supplies are numbered in the display. The power supply numbers correspond to the following positions. These positions assume you are facing the front of the chassis, not the rear.
Installing Power Supplies
To install a power supply in the chassis, do the following:
CAUTION: Power supplies are hot swappable but Foundry Networks recommends that you disconnect the power supply from AC power before installing or removing the supply. The device can be running while a power supply is being installed or removed, but the power supply itself should not be connected to a power source. Otherwise, the power supply or other parts of the device could be damaged.
1. Use a screwdriver to remove the blank power supply face plate. This will expose the empty power supply slot.
2. Remove the power supply from its packaging.
3. Hold the bar on the front panel of the power supply and insert the power supply into the empty power supply slot. Use the module guides provided on either side of the compartment.
CAUTION: Carefully follow the mechanical guides on each side of the power supply slot and make sure the power supply is properly inserted in the guides. Never insert the power supply upside down.
4. Continue to slide the power supply towards the back of the chassis until the two metal rods and the connector make contact with the back connector. Then push the power supply until the front panel of the power supply is flush with the rest of the chassis.
5. Use a screwdriver to tighten the two screws on either side of the power supply.
6. Connect the power cord to the front of the power supply.
7. Connect the power plug into an outlet.
Table 2.1: Power Supply Positions in Foundry Chassis Devices
Product                   Power Supply 1 Position   Power Supply 2 Position   Power Supply 3 Position   Power Supply 4 Position
4-slot Chassis devices    left side                 right side                n/a                       n/a
8-slot Chassis devices    bottom                    second from bottom        second from top           top
15-slot Chassis devices   left side                 second left               second right              right side
Figure 2.2 Installing a power supply
Removing Power Supplies
To remove a power supply module from the chassis, do the following:
CAUTION: Power supplies are hot swappable. However, Foundry Networks recommends that you disconnect the power supply from AC power before installing or removing the supply. The device can be running while a power supply is being installed or removed, but the power supply itself should not be connected to a power source. Otherwise, the power supply or other parts of the device could be damaged.
1. Unplug the power supply AC power cord from the outlet.
2. Disconnect the power cord from the power supply.
3. Use a screwdriver to loosen the screws on either side of the power supply.
4. Hold the bar on the front panel of the power supply and pull outward. This will disconnect the power supply from the backplane.
5. Continue to pull the power supply until it is removed from the chassis.
6. Place the power supply in an anti-static bag for storage.
7. Cover the power supply slot with the blank power supply cover that came with the device.
8. Use a screwdriver to tighten the screws.
Figure 2.3 Fifteen-slot Chassis device
Figure 2.4 Eight-slot Chassis device
Figure 2.5 Four-slot Chassis device
Replacing Fans (4-Slot and 8-Slot Chassis Devices Only)
The 4-slot and 8-slot Chassis devices contain field-upgradable fans. The fans are upgradable on an individual basis. You need to replace only the fan that has failed.
The 4-slot Chassis devices contain four fans:
Two fans are mounted to the inside of the rear chassis panel.
Two fans are mounted to a removable tray on the upper left side of the chassis. (The fans are on the right side if you are facing the rear of the chassis.)
The 8-slot Chassis devices contain six fans:
Two fans are mounted to the inside of the rear chassis panel.
Four fans are mounted to two removable trays in the top of the chassis, above the highest module slot. The fans are on the right if you are facing the front of the chassis.
Each fan in a four-slot or eight-slot chassis is connected to the chassis backplane by a three-hole connector. Make a note of the connector each fan uses. The software recognizes the fan position based on the connector.
NOTE: When you connect a fan cable to a fan connector on the backplane or fan tray, make sure the red wire in the connector is on the right side (for horizontally oriented connectors) or facing down (for vertically oriented connectors). If you accidentally reverse the wires, the fan will not operate.
Also, make sure the fan cable connector is seated over all three pins on the backplane connector.
Required Tools
You need the following tools for this procedure:
Phillips-head screwdriver
Flat-head screwdriver
Pair of wire cutters
Determining Which Fan Has Failed
If you are not sure which fan has failed, enter the following command at any CLI command prompt:
BigIron# show chassis
This command displays status information for the fans and the power supplies. The fans are numbered in the display. The fan numbers correspond to the following fan positions. These positions assume you are facing the front of the chassis, not the rear.
NOTE: The software monitors the fans in the top of the 8-slot chassis in pairs, not individually. Thus, fan position 3 indicates the left fan tray and fan position 4 indicates the right fan tray.
Table 2.2: Fan Positions in Foundry Chassis Devices
Product                 Fan 1 Position                     Fan 2 Position                      Fan 3 Position              Fan 4 Position
4-slot Chassis device   Fan tray on left side; back fan    Fan tray on left side; front fan    Rear fan, left side         Rear fan, right side
8-slot Chassis device   Rear fan, top                      Rear fan, bottom                    Top fan tray, left side     Top fan tray, right side
Four-Slot Chassis
To replace a fan in a 4-slot chassis:
1. Power down the chassis and remove the power cables from the chassis power supplies.
2. Put on an ESD wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
WARNING: To avoid risk of shock, do not attach the clip end to the air flow panel of the power supply.
3. Remove all 18 Phillips-head screws from the rear panel of the chassis.
NOTE: The fans on the rear panel are connected to the chassis backplane by wire cables. Be careful when you remove the rear panel to avoid accidentally damaging the cables or connectors.
4. Unplug the fan cables from the backplane and set the rear panel on a workbench. If you do not need to replace a fan in the fan tray mounted on the side of the chassis, skip to step 8; otherwise, go to step 5.
5. Loosen the two flat-head screws that fasten the side fan tray to the chassis.
6. Carefully pull the side fan tray out of the chassis and set the tray on a workbench.
NOTE: The fastener push-ons that fasten the fans to the fan tray may catch on the chassis. In this case, gently move the fan tray from side to side as you pull the tray back to free it from the chassis.
7. Unplug the fan cables from the backplane and set the fan tray on the workbench.
8. Use the wire cutters to cut the tie wraps fastening the wires of the two fans together.
9. Gently use the wire cutters or similar tool to remove the four plastic fastener push-ons that fasten the failed fan to the rear panel or fan tray.
NOTE: Be careful when removing the fastener push-ons. They are reusable.
10. Remove the fan.
11. Align the new fan over the fastener holes on the rear panel or fan tray, then insert the fastener push-ons to fasten the new fan in place.
12. Fasten new tie wraps around the wires to keep them neatly together and away from other components.
13. If you replaced a fan on the rear panel and did not remove the fan tray mounted on the side of the chassis, skip to step 15; otherwise, go to step 14.
14. Gently reinsert the fan tray into the chassis and partially tighten both screws. Then tighten the upper screw, then the lower screw.
NOTE: Make sure you tighten the upper screw first to properly align the tray in the chassis.
15. Plug the fan cables into the three-pin connectors on the backplane.
WARNING: When you connect a fan cable to a fan connector on the backplane, make sure the red wire in the connector is on the right side of the connector. If you accidentally reverse the wires, the fan will not operate.
Also, make sure the fan cable connector is seated over all three pins on the backplane connector.
16. Align the rear panel over the rear screw holes.
17. Screw the 18 Phillips-head screws back in.
18. Verify that all chassis modules and power supplies are fully seated and all cover plates and panels are fully fastened.
19. Reconnect the power and power on the chassis.
20. Access the CLI and enter the show chassis command to verify that all fans are now operating normally.
Eight-Slot Chassis
To replace a fan in an 8-slot chassis:
1. Remove the power cables from the chassis power supplies.
2. Put on an ESD wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
WARNING: To avoid risk of shock, do not attach the clip end to the air flow panel of the power supply.
3. Remove all 34 Phillips-head screws from the rear panel of the chassis.
NOTE: The fans on the rear panel are connected to the chassis backplane by wire cables. Be careful when you remove the rear panel to avoid accidentally damaging the cables or connectors.
4. Unplug the fan cables from the backplane and set the rear panel on the workbench. If you do not need to replace a fan in one of the fan trays mounted on the top of the chassis, skip to step 8; otherwise, go to step 5.
5. Loosen the two flat-head screws that fasten the fan tray containing the failed fan to the chassis.
6. Unplug the fan cables from the backplane.
7. Carefully pull the fan tray out of the chassis and set the tray on a workbench.
NOTE: The fastener push-ons that fasten the fans to the fan rack may catch on the chassis. In this case, gently move the fan rack from side to side as you pull the rack back to free it from the chassis.
8. Use the wire cutters to cut the tie wraps fastening the wires of the two fans together.
9. Gently use the wire cutters or similar tool to remove the four plastic fastener push-ons that fasten the failed fan to the rear panel or fan tray.
NOTE: Be careful when removing the fastener push-ons. They are reusable.
10. Remove the fan.
11. Align the new fan over the fastener holes on the rear panel or fan tray, then insert the fastener push-ons to fasten the new fan in place.
12. Fasten new tie wraps around the wires to keep them neatly together and away from other components.
13. If you replaced a fan on the rear panel and did not remove the fan tray in the side of the chassis, skip to step 15; otherwise, go to step 14.
14. Gently reinsert the fan tray into the chassis and tighten both screws.
15. Plug the fan cables onto the three-pin connectors on the backplane.
WARNING: When you connect a fan cable to a fan connector on the backplane, make sure the red wire in the connector is on the right side (for horizontally oriented connectors) or facing down (for vertically oriented connectors). If you accidentally reverse the wires, the fan will not operate.
Also, make sure the fan cable connector is seated over all three pins on the backplane connector.
16. Align the rear panel over the rear screw holes.
17. Screw the 34 Phillips-head screws back in.
18. Verify that all chassis modules and power supplies are fully seated and all cover plates and panels are fully fastened.
19. Reconnect the power cables and power on the chassis.
20. Access the CLI and enter the show chassis command to verify that all fans are now operating normally.
Replacing a Fan Tray (15-Slot Chassis Devices Only)
The 15-slot Chassis devices contain field-upgradable, hot-swappable fans. If a fan fails, you can remove the fan tray and replace it with a new fan tray without powering off the chassis device.
NOTE: To avoid overheating, do not leave the chassis powered on for more than a few minutes without a fan tray installed.
To replace a fan in a 15-slot chassis:
1. Put on an ESD wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
WARNING: To avoid risk of shock, do not attach the clip end to the air flow panel of the power supply.
2. Loosen the two screws on the fan tray. The fan tray is located above the power supply bays and below the air filter tray.
3. Carefully pull the fan tray out of the chassis and set the tray on a workbench or other static-free area.
4. Insert the new fan tray into the fan tray slot and push it in until the face plate is flush with the chassis.
5. Tighten the two screws on the fan tray.
6. Access the CLI and enter the show chassis command to verify that all fans are operating normally.
Verifying Proper Operation
After you have installed any modules or redundant power supplies, but before mounting the device in its network location, verify that the device is working properly by plugging it into a power source and verifying that it passes its self test.
If your device has more than one power supply installed, repeat this procedure for each power supply.
1. Connect the power cord supplied with the device to the power connector on the power supply on the front of the device.
2. Insert the other end into a properly grounded electrical outlet.
3. Verify that the LED on each power supply is a solid green.
NOTE: The devices do not have power switches. They power on when you connect a power cord to the device and to a power source.
If your installation requires a different power cord than that supplied with the device, make sure you obtain a power cord displaying the mark of the safety agency that defines the regulations for power cords in your country. The mark is your assurance that the power cord can be used safely with the device.
4. Verify proper operation by observing the LEDs:
Chassis devices – Make sure the LED on each power supply is a solid green. Also make sure that some of the port LEDs on each module momentarily light up. The LEDs indicate that the device is performing diagnostics. After the diagnostics are complete, the LEDs will be dark except for the ones that are attached by cables to other devices. If the links on these cables are good and the connected device is powered on, the link LEDs will light.
NOTE: If all of the LEDs on a module do not light up during the diagnostics, this does not indicate an error. Only some of the LEDs are lighted during the diagnostics.
Fixed-port devices (Stackable devices) – All the port LEDs should flash momentarily, usually in sequence, while the device performs diagnostics. After the diagnostics are complete, the LEDs will be dark except for the ones that are attached by cables to other devices. If the links on these cables are good and the connected device is powered on, the link LEDs will light.
For more details on specific LED conditions after system start-up, see “LEDs” on page 9-17.
Attaching a PC or Terminal
To assign an IP address, you must have access to the Command Line Interface (CLI). The CLI is a text-based interface that can be accessed through a direct serial connection to the device and through Telnet connections. The CLI is described in detail in the Foundry Switch and Router Command Line Interface Reference.
You need to assign an IP address using the CLI. You can access the CLI by attaching a serial cable to the Console port. After you assign an IP address, you can access the system through Telnet, the Web management interface, or IronView.
To attach a management station using the serial port:
1. Connect a PC or terminal to the serial port of the system using a straight-through cable. The serial port has a male DB-9 connector.
NOTE: You need to run a terminal emulation program on the PC.
2. Open the terminal emulation program and set the session parameters as follows:
Baud: 9600 bps
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
When you establish the serial connection to the system, press Enter to display one of the following CLI prompts in the terminal emulation window:
NetIron>
BigIron>
FastIron>
FastIronII>
TurboIron>
ServerIron>
NOTE: If you install Layer 2 Switch code on a Layer 3 Switch, the command prompt begins with SW- to indicate the software change. This is true even if you change the system name.
Page 45
Installing a Foundry Layer 2 Switch or Layer 3 Switch
December 2000 2 - 15
If you see one of these prompts, you are now connected to the system and can proceed to Assigning Permanent Passwords on page 2-16.
You can customize the prompt by changing the system name. See Entering System Administration Information on page 10-4.
If you do not see one of these prompts:
1. Make sure the cable is securely connected to your PC and to the Foundry system.
2. Check the settings in your terminal emulation program. In addition to the session settings listed above, make sure the terminal emulation session is running on the same serial port you attached to the Foundry system.
The EIA/TIA 232 serial communication port serves as a connection point for management by a PC or SNMP workstation. Foundry switches and Layer 3 Switches come with a standard male DB-9 connector, shown in Figure 2.6.
Figure 2.6 Serial port pin and signalling details
Most PC serial ports also require a cable with a female DB-9 connector.
Terminal connections will vary, requiring either a DB-9 or DB-25 connector, male or female.
Serial cable options between a Foundry switch or router and a PC or terminal are shown in Figure 2.7.
NOTE: As indicated in Figure 2.6 and Figure 2.7, some of the wires should not be connected. If you do connect the wires that are labeled “Reserved”, you might get unexpected results with some terminals.
[Figure 2.6: DB-9 male connector, pins 1–9; switch signals in figure order: Reserved, TXD (output), RXD (input), GND, CTS (input), RTS (output), Reserved, Reserved, Reserved]
Figure 2.7 Serial port pin assignments showing cable connection options to a terminal or PC
Assigning Permanent Passwords
The CLI contains the following access levels:
EXEC at the User level – The level you enter when you first start a CLI session. At this level, you can view some system information but you cannot configure system or port parameters.
EXEC at the Privileged level – This level is also called the Enable level and can be secured by a password. You can perform tasks such as manage files on the flash module, save the system configuration to flash, and clear caches at this level.
CONFIG – The configuration level. This level lets you configure the system's IP address and configure switching and routing features. To access the CONFIG mode, you must already be logged into the Privileged level of the EXEC mode.
By default, there are no CLI passwords. To secure CLI access, you must assign passwords. See “Securing Access to Management Functions” on page 3-1 for more information.
NOTE: You must use the CLI to assign a password. You cannot assign a password using the IronView SNMP application or the Web management interface.
You can set the following levels of Enable passwords:
Super User – Allows complete read-and-write access to the system. This is generally for system administrators and is the only password level that allows you to configure passwords.
NOTE: You must set a super user password before you can set other types of passwords.
Port Configuration – Allows read-and-write access for specific ports but not for global (system-wide) parameters.
Read Only – Allows access to the Privileged EXEC mode and CONFIG mode but only with read access.
USING THE CLI
To set passwords:
1. At the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode:
BigIron> enable
2. Access the CONFIG level of the CLI by entering the following command:
[Figure 2.7: cable wiring options, DB-9 to DB-9 female and DB-9 to DB-25 female, between the switch and a terminal or PC. DB-9 pins 1–9 map to DB-25 pins 8, 3, 2, 20, 7, 6, 4, 5, 22; pins labeled Reserved are left unconnected]
BigIron# configure terminal
BigIron(config)#
3. Enter the following command to set the super-user password:
BigIron(config)# enable super-user-password <text>
NOTE: You must set the super-user password before you can set other types of passwords.
4. Enter the following commands to set the port configuration and read-only passwords:
BigIron(config)# enable port-config-password <text>
BigIron(config)# enable read-only-password <text>
NOTE: If you forget your super-user password, see Recovering from a Lost Password on page 3-11.
Syntax: enable super-user-password | read-only-password | port-config-password <text>
Passwords can be up to 32 characters long.
Configuring IP Addresses
You must configure at least one IP address using the serial connection to the CLI before you can manage the system using the other management interfaces. In addition, Foundry routers require an IP sub-net address for the sub-net in which you plan to place them in your network.
Foundry devices support both classical IP network masks (Class A, B, and C sub-net masks, and so on) and Classless Interdomain Routing (CIDR) network prefix masks.
To enter a classical network mask, enter the mask in IP address format. For example, enter “209.157.22.99 255.255.255.0” for an IP address with a Class-C sub-net mask.
To enter a prefix number for a network mask, enter a forward slash ( / ) and the number of bits in the mask immediately after the IP address. For example, enter “209.157.22.99/24” for an IP address that has a network mask with 24 significant (“mask”) bits.
By default, the CLI displays network masks in classical IP address format (example: 255.255.255.0). You can change the display to the prefix format. See Changing the Network Mask Display to Prefix Format on page 15-83.
NOTE: If your network uses a BootStrap Protocol (BootP) server or a Dynamic Host Configuration Protocol (DHCP) server, you can allow the Foundry device to obtain IP information from the server.
Layer 3 Switches
Before attaching equipment to a Foundry router, you must assign an interface IP address to the sub-net on which the router will be located. You must use the serial connection to assign the first IP address. For subsequent addresses, you also can use the CLI through Telnet, the Web management interface, or IronView.
By default, you can configure up to 24 IP interfaces on each port, virtual interface, and loopback interface. On Stackable Layer 3 Switches, you can increase this amount to up to 64 IP sub-net addresses per port by increasing the size of the sub-net-per-interface table. See Displaying and Modifying System Parameter Default Settings on page 10-70.
The following procedure shows how to add an IP address and mask to a router port.
1. At the opening CLI prompt, enter enable.
BigIron> enable
2. Enter the following command at the Privileged EXEC level prompt (for example, BigIron#), then press Enter. This command erases the factory test configuration if still present:
BigIron# erase startup-config
WARNING: Use this step only for new systems. If you enter this command on a system you have already configured, the command erases the configuration. If you accidentally do erase the configuration on a configured system, enter the write memory command to save the running configuration to the startup-config file.
3. Access the configuration level of the CLI by entering the following command:
BigIron# configure terminal        (Privileged EXEC level)
BigIron(config)#                   (Global CONFIG level)
4. Configure the IP addresses and mask addresses for the interfaces on the router.
BigIron(config)# int e 1/5
BigIron(config-if-1/5)# ip address 192.22.3.44 255.255.255.0
NOTE: You can use the syntax ip address <ip-addr>/<mask-bits> if you know the sub-net mask length. In the above example, you could enter ip address 192.22.3.44/24.
Syntax: enable [<password>]
Syntax: configure terminal
Syntax: [no] ip address <ip-addr> <ip-mask> [secondary]
or
Syntax: [no] ip address <ip-addr>/<mask-bits> [secondary]
Use the secondary parameter if you have already configured an IP address within the same sub-net on the interface.
Layer 2 Switches
To configure an IP Address to a Foundry switch:
1. At the opening CLI prompt, enter enable.
FastIronII> enable
2. Enter the following command at the Privileged EXEC level prompt (for example, FastIronII#), then press Enter. This command erases the factory test configuration if still present:
FastIronII# erase startup-config
WARNING: Use this step only for new systems. If you enter this command on a system you have already configured, the command erases the configuration. If you accidentally do erase the configuration on a configured system, enter the write memory command to save the running configuration to the startup-config file.
3. Access the configuration level of the CLI by entering the following command:
FastIronII# configure terminal        (Privileged EXEC level)
FastIronII(config)#                   (Global CONFIG level)
4. Configure the IP address and mask for the switch.
FastIronII(config)# ip address 192.22.3.44 255.255.255.0
5. Set a default gateway address for the switch.
FastIronII(config)# ip default-gateway 192.22.3.1
NOTE: You do not need to assign a default gateway address for single sub-net networks.
Syntax: enable [<password>]
Syntax: configure terminal
Syntax: [no] ip address <ip-addr> <ip-mask>
or
Syntax: [no] ip address <ip-addr>/<mask-bits>
Syntax: ip default-gateway <ip-addr>
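As an added example that is not part of the Foundry guide, the following Python script checks a constructed startup-config text against the two rules this section states: a super-user password must exist before other Enable passwords are set (and each is at most 32 characters), and every ip address command must carry a contiguous mask in either the classical or the prefix form. The sample config, the function names and the line-level grammar are assumptions made for illustration.

```python
"""Audit a Foundry-style startup-config against the first-boot baseline
described in this chapter.  Added example: the sample config is constructed,
not captured from a device, and the command grammar follows the Syntax lines
shown in this section."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample startup-config (not a real device capture).  Line 9
# carries a deliberately non-contiguous mask so the audit has something to find.
SAMPLE_CONFIG = """\
!
enable super-user-password S3cretPw
enable read-only-password viewonly
!
interface ethernet 1/5
 ip address 192.22.3.44 255.255.255.0
 ip address 192.22.3.45/24 secondary
interface ethernet 1/6
 ip address 10.1.2.3 255.255.0.255
!
"""

MAX_PASSWORD_LEN = 32  # stated limit for Enable passwords
ALL_ONES = 0xFFFFFFFF

PASSWORD_RE = re.compile(r"^enable (super-user|port-config|read-only)-password (\S+)$")
# "ip address <ip-addr> <ip-mask> [secondary]" or "ip address <ip-addr>/<mask-bits> [secondary]"
IP_ADDR_RE = re.compile(r"^ip address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?(?: (secondary))?$")


def mask_to_prefix(mask: str) -> int:
    """Convert a classical dotted mask (255.255.255.0) to a prefix length (24).
    Rejects masks whose one-bits are not contiguous, e.g. 255.255.0.255."""
    value = int(ipaddress.IPv4Address(mask))
    prefix = bin(value).count("1")
    if value != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    """Convert a prefix length (24) to the dotted mask the CLI displays by default."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return str(ipaddress.IPv4Address((ALL_ONES << (32 - prefix)) & ALL_ONES))


def parse_ip_address_line(line: str) -> Tuple[str, int, bool]:
    """Parse either form of the ip address command.
    Returns (address, prefix_length, is_secondary) or raises ValueError."""
    match = IP_ADDR_RE.match(line.strip())
    if not match:
        raise ValueError(f"not an ip address command: {line.strip()!r}")
    target, dotted_mask, secondary = match.groups()
    if "/" in target:
        if dotted_mask is not None:
            raise ValueError("prefix form does not take a separate mask")
        addr, bits = target.split("/", 1)
        prefix = int(bits)
        prefix_to_mask(prefix)  # range check only
    else:
        if dotted_mask is None:
            raise ValueError("classical form requires a dotted mask")
        addr, prefix = target, mask_to_prefix(dotted_mask)
    ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    return addr, prefix, secondary is not None


def audit_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the baseline holds."""
    findings: List[str] = []
    passwords: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        pw = PASSWORD_RE.match(line)
        if pw:
            level, secret = pw.groups()
            passwords[level] = secret
            if len(secret) > MAX_PASSWORD_LEN:
                findings.append(f"line {lineno}: {level} password longer than {MAX_PASSWORD_LEN} characters")
            continue
        if line.startswith("ip address "):
            try:
                parse_ip_address_line(line)
            except ValueError as exc:
                findings.append(f"line {lineno}: {exc}")
    if "super-user" not in passwords:
        # By default there are no CLI passwords, so without this one every
        # serial or Telnet session reaches every CLI level.
        findings.append("no super-user password set: CLI access is unprotected")
        for level in sorted(passwords):
            findings.append(f"{level} password set without a super-user password")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["baseline holds"]:
        print(finding)
```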
Mounting the Chassis or Stackable Device
You can install Foundry systems on a desktop or in an equipment rack.
WARNING: The Chassis devices are very heavy, especially when fully populated with modules and power supplies. TWO OR MORE PEOPLE ARE REQUIRED WHEN LIFTING, HANDLING, OR MOUNTING THESE DEVICES.
WARNING: Do not use the handles on the power supply units to lift or carry Chassis devices.
WARNING: Make sure the rack or cabinet housing the device is adequately secured to prevent it from becoming unstable or falling over.
WARNING: Mount the devices you install in a rack or cabinet as low as possible, placing the heaviest device at the bottom and progressively placing lighter devices above.
Desktop Installation
1. Set the device on a flat desktop, table, or shelf. Make sure that adequate ventilation is provided for the system – a 3-inch clearance is recommended on each side.
2. Go to Testing Connectivity on page 2-26.
Rack Mount Installation – Chassis Devices
1. Remove the rack mount kit from the shipping carton. The kit should include two L-shaped mounting brackets and mounting screws.
NOTE: You need a #2 Phillips-head screwdriver for installation.
2. Attach the mounting brackets to the sides of the device as illustrated in Figure 2.8.
3. Attach the system in the rack as illustrated in Figure 2.8.
4. Go to Powering On a System on page 2-21.
Figure 2.8 Installing a Chassis device in a rack mount
Rack Mount Installation – Stackable Devices
NOTE: You need a #2 Phillips-head screwdriver for installation.
1. Remove the rack mount kit from the shipping carton. The kit contains two L-shaped mounting brackets and mounting screws.
2. Attach the mounting brackets to the sides of the device as illustrated in Figure 2.9.
3. Attach the device in the rack as illustrated in Figure 2.9.
4. Proceed to Testing Connectivity on page 2-26.
NOTE: If you are installing a Chassis device, see “Installing or Removing Optional Modules (Chassis Devices Only)” on page 2-4 and “Installing or Removing Redundant Power Supplies (Chassis Devices Only)” on page 2-6 before proceeding to “Testing Connectivity” on page 2-26.
Figure 2.9 Installing a Stackable device in a rack mount
Powering On a System
After you complete the physical installation of the system, you can power on the system.
1. Ensure that all modules and power supplies are fully and properly inserted and no module slots or power supply slots are uncovered.
WARNING: Never leave tools or body parts inside the chassis.
2. Remove the power cord from the shipping package.
3. Attach the AC power cable to the AC connector on the rear panel. For Chassis devices, the AC connector is located on the front of the Chassis device, embedded within each power supply.
4. Insert the power cable plug into a 115V/120V outlet.
NOTE: When you power on a Chassis device that requires multiple power supplies, make sure you apply power to all the supplies (or at least the minimum number of supplies required for your configuration) at the same time. Otherwise, the device either will not boot at all, or will boot and then repeatedly display a warning message stating that you need to add more power supplies.
NOTE: Foundry devices are designed to provide uninterrupted service even when you insert or remove modules. Therefore, the systems do not have separate on/off power switches. To turn the system off, simply unplug the power cord(s).
NOTE: The socket should be installed near the equipment and should be easily accessible.
NOTE: If the outlet is not rated 115/120V, stop and get the appropriate cable for the outlet.
Connecting Network Devices
Foundry devices can support connections to other vendors' routers, switches, and hubs as well as other Foundry devices.
Connectors
10BaseT/100BaseTX ports come with RJ45 jacks for standard unshielded twisted pair (UTP/Category 5) cable connections.
100BaseFX ports come equipped with MT-RJ connectors.
1000BaseSX ports come equipped with SC connectors.
1000BaseLX ports come equipped with SC connectors.
1000BaseLH ports come equipped with SC connectors.
1000BaseT ports come equipped with RJ-45 connectors.
Figure 2.10 Pin assignment and signalling for 10/100BaseTX and 1000BaseT ports
Cable Length
100BaseTX: Cable length should not exceed 100 meters.
1000BaseTX: Cable length should not exceed 100 meters.
100BaseFX: Cable length should not exceed 2 kilometers.
1000BaseSX: Cable length should not exceed 550 meters when operating with multi-mode cabling.
1000BaseLX:
Cable length of 2 – 550 meters is supported on 62.5 µm multi-mode fiber (MMF) cabling.
Cable length of 2 – 550 meters is supported on 50 µm multi-mode fiber (MMF) cabling.
Cable length of 2 – 5000 meters is supported on 9 µm single-mode fiber (SMF) cabling.
1000BaseLH: Cable length should not exceed 70 kilometers for LHA or 150 kilometers for LHB.
[Figure 2.10: RJ-45 pins 1–8 for MDI-X ports; signals shown as RD+, RD-, TD+, TD-, with the remaining pins marked Not used (100BaseTX and 1000BaseT) or CMT (10BaseT)]
NOTE: Cable installation and network configuration will affect overall transmission capability. The numbers provided above represent the accepted recommendations of the various standards. For network-specific recommendations, consult your local Foundry reseller or system engineer.
Table 2.3: Cable length summary table

Port type     Fiber Type   Core Diameter (microns)   Modal Bandwidth (MHz*km)   Minimum Range (meters)
1000BaseSX    MMF          62.5                      160                        2 – 200 (a)
              MMF          62.5                      200                        2 – 275 (b)
              MMF          50                        400                        2 – 500
              MMF          50                        500                        2 – 550 (c)
1000BaseLX    MMF          62.5                      500                        2 – 550
              MMF          50                        400                        2 – 550
              MMF          50                        500                        2 – 550
              SMF          9                         n/a                        2 – 5000
1000BaseLHA   SMF          9                         n/a                        2 – 70000 (70 km)
1000BaseLHB   SMF          9                         n/a                        2 – 150000 (150 km)

a. The TIA 568 building wiring standard specifies 160/500 MHz*km MMF (Multi-mode Fiber).
b. The international ISO/IEC 11801 building wiring standard specifies 200/500 MHz*km MMF.
c. The ANSI Fibre Channel specification specifies 500/500 MHz*km 50 micron MMF, and 500/500 MHz*km fiber has been proposed for addition to ISO/IEC 11801.
Connecting to Ethernet or Fast Ethernet Hubs
For connections to Ethernet hubs, a 10/100BaseTX or 1000BaseT switch, or another Foundry device, a crossover cable is required (Figure 2.11 or Figure 2.12). If the hub is equipped with an uplink port, it will require a straight-through cable instead of a crossover cable.
Figure 2.11 UTP crossover cable
Figure 2.12 Cat-5 crossover cable for 1000BaseT
NOTE: The 802.3ab standard calls for automatic negotiation of the connection between two 1000BaseT ports. Consequently, a crossover cable may not be required; a straight-through cable may work as well.
Connecting to Workstations, Servers, or Routers
Straight-through UTP cabling is required for direct UTP attachment to workstations, servers, or routers using network interface cards (NICs).
Fiber cabling with SC connectors is required for direct attachment to Gigabit NICs or switches and routers.
[Figures 2.11 and 2.12: pin-to-pin wiring, pins 1–8 at each end, for the 10/100BaseTX UTP crossover cable (unused pins marked) and the 1000BaseT Cat-5 crossover cable]
Installing or Removing a GBIC
Some modules use Gigabit Interface Converters (GBICs) or miniature GBICs (mini-GBICs), which are individually insertable and removable port connectors. To insert or remove a GBIC or mini-GBIC, use the following procedures.
WARNING: The GBICs are Class 1 Laser products. See Installation Precautions on page 2-3 for other hardware installation precautions.
NOTE: The procedures for GBICs and mini-GBICs are different. Use the procedure that applies to the type of GBIC on your module.
Installing or Removing a Standard GBIC
To install a GBIC:
1. Put on an electrostatic discharge (ESD) wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
2. Remove the GBIC from its protective packaging.
3. Gently insert the GBIC into the slot on the front panel of the module until the GBIC clicks into place. The GBICs are keyed to prevent incorrect insertion.
4. Remove the protective covering from the port connectors and store the covering for future use.
5. Insert the interface cable.
To remove a GBIC:
1. Put on an ESD wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
2. Disconnect the interface cable from the GBIC.
3. Insert the protective covering into the port connectors.
4. Squeeze and hold the tabs on each side of the GBIC, then gently pull the GBIC out of the module.
5. Store the GBIC in a safe, static-free place.
Installing or Removing a Mini-GBIC
To install a mini-GBIC:
1. Put on an electrostatic discharge (ESD) wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
2. Remove the mini-GBIC from its protective packaging.
3. Gently insert the mini-GBIC into the slot on the front panel of the module until the mini-GBIC clicks into place. The mini-GBICs are keyed to prevent incorrect insertion. A tab on the bottom of the mini-GBIC locks the mini-GBIC to the front panel of the module.
4. Remove the protective covering from the port connectors and store the covering for future use.
5. Insert the interface cable.
To remove a mini-GBIC:
1. Put on an ESD wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as ground.
2. Disconnect the interface cable from the mini-GBIC.
3. Insert the protective covering into the port connectors.
4. Pull the sliding tab on the bottom of the mini-GBIC forward, away from the front panel of the module. Pulling this tab unlocks the mini-GBIC from the front panel.
5. Pull the mini-GBIC out of the module.
6. Store the mini-GBIC in a safe, static-free place.
Troubleshooting Network Connections
For the indicated port, verify that both ends of the cabling (at the device and the connected device) are snug.
Verify the connected device and device are both powered on and operating correctly.
Verify that you have used the correct cable type for the connection:
For twisted-pair connections to an end node, use straight-through cabling.
For fiber-optic connections, verify that the transmit port on the device is connected to the receive port on the connected device, and that the receive port on the device is connected to the transmit port on the connected device.
Verify that the port has not been disabled through a configuration change. You can use the CLI. If you have configured an IP address on the device, you also can use the Web management interface or IronView.
If the other procedures don't resolve the problem, try using a different port or a different cable.
Testing Connectivity
After you install the network cables, you can test network connectivity to other devices by pinging those devices. You also can perform trace routes.
Pinging an IP Address
To verify that a Foundry device can reach another device through the network, enter a command such as the following at any level of the CLI on the Foundry device:
BigIron> ping 192.33.4.7
Syntax: ping <ip addr> | <hostname> [source <ip addr>] [count <num>] [timeout <msec>] [ttl <num>] [size <byte>] [quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]
See the Foundry Switch and Router Command Line Interface Reference for information about the parameters.
NOTE: If you address the ping to the IP broadcast address, the device lists the first four responses to the ping.
Tracing a Route
To determine the path through which a Foundry device can reach another device, enter a command such as the following at any level of the CLI on the Foundry device:
BigIron> traceroute 192.33.4.7
Syntax: traceroute <host-ip-addr> [maxttl <value>] [minttl <value>] [numeric] [timeout <value>] [source-ip <ip addr>]
The CLI displays trace route information for each hop as soon as the information is received. Traceroute requests display all responses to a given TTL. In addition, if there are multiple equal-cost routes to the destination, the Foundry device displays up to three responses by default.
See the Foundry Switch and Router Command Line Interface Reference for information about the command syntax.
Managing the Device
You can manage a Foundry device using any of the following applications:
Command Line Interface (CLI) – a text-based interface accessible through a direct serial connection or a Telnet session.
Web management interface – A GUI-based management interface accessible through an HTTP (web browser) connection.
IronView – An optional SNMP-based standalone GUI application.
Logging on Through the CLI
Once an IP address is assigned to a Layer 2 Switch or ServerIron or to an interface on the Layer 3 Switch, you can access the CLI either through the direct serial connection to the device or through a local or remote Telnet session.
You can initiate a local Telnet or SNMP connection by attaching a straight-through RJ-45 cable to a port and specifying the assigned management station IP address.
The commands in the CLI are organized into the following levels:
User EXEC – Lets you display information and perform basic tasks such as pings and traceroutes.
Privileged EXEC – Lets you use the same commands as those at the User EXEC level plus configuration commands that do not require saving the changes to the system-config file.
CONFIG – Lets you make configuration changes to the device. To save the changes across reboots, you need to save them to the system-config file. The CONFIG level contains sub-levels for individual ports, for VLANs, for routing protocols, and other configuration areas.
NOTE: By default, any user who can open a serial or Telnet connection to the Foundry device can access all these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can configure the device to use a RADIUS or TACACS/TACACS+ server for authentication. See Securing Access to Management Functions on page 3-1.
On-Line Help
To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed. If you enter part of a command, then enter “?” or press Tab, the CLI lists the options you can enter at this point in the command string.
If you enter an invalid command followed by ?, a message appears indicating the command was unrecognized. For example:
BigIron(config)# rooter ip
Unrecognized command
Command Completion
The CLI supports command completion, so you do not need to enter the entire name of a command or option. As long as you enter enough characters of the command or option name to avoid ambiguity with other commands or options, the CLI understands what you are typing.
Scroll Control
By default, the CLI uses a page mode to paginate displays that are longer than the number of rows in your terminal emulation window. For example, if you display a list of all the commands at the global CONFIG level but your terminal emulation window does not have enough rows to display them all at once, the page mode stops the display and lists your choices for continuing the display.
Here is an example:
aaa
all-client appletalk arp boot
some lines omitted for brevity...
ipx lock-address logging mac
--More--, next page: Space, next line:
Return key, quit: Control-c
The software provides the following scrolling options:
Press the Space bar to display the next page (one screen at time).
Press the Return or Enter key to display the next line (one line at a time).
Press CTRL + C to cancel the display.
Line Editing Commands
The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command.
Table 2.4: CLI Line Editing Commands
Ctrl-Key Combination   Description
Ctrl-A                 Moves to the first character on the command line.
Ctrl-B                 Moves the cursor back one character.
Ctrl-C                 Escapes and terminates command prompts and ongoing tasks (such as lengthy displays), and displays a fresh command prompt.
Ctrl-D                 Deletes the character at the cursor.
Ctrl-E                 Moves to the end of the current command line.
Ctrl-F                 Moves the cursor forward one character.
Ctrl-K                 Deletes all characters from the cursor to the end of the command line.
Ctrl-L; Ctrl-R         Repeats the current command line on a new line.
Ctrl-N                 Enters the next command line in the history buffer.
Ctrl-P                 Enters the previous command line in the history buffer.
Ctrl-U; Ctrl-X         Deletes all characters from the cursor to the beginning of the command line.
Ctrl-W                 Deletes the last word you typed.
Ctrl-Z                 Moves from any CONFIG level of the CLI to the Privileged EXEC level; at the Privileged EXEC level, moves to the User EXEC level.
For a complete list of CLI commands and syntax information for each command, see the Foundry Switch and Router Command Line Interface Reference.
Logging On Through the Web Management Interface
To use the Web management interface, open a web browser and enter the IP address of the Foundry device in the Location or Address field. The web browser contacts the Foundry device and displays a login dialog, as shown in Figure 2.13.
NOTE: If you are unable to connect with the device through a Web browser due to a proxy problem, it may be necessary to set your Web browser to direct Internet access instead of using a proxy. For information on how to change a proxy setting, refer to the on-line help provided with your Web browser.
Figure 2.13 Web management interface login dialog
By default, you can use the user name “get” and the default read-only password “public” for read-only access. However, for read-write access, you must enter “set” for the user name, and enter a read-write community string you have configured on the device for the password. Beginning with software release 05.1.00, there is no default read-write community string. You must add one using the CLI. See Establishing SNMP Community Strings on page 3-14.
As an alternative to using the SNMP community strings to log in, you can configure the Foundry device to secure Web management access using local user accounts or Access Control Lists (ACLs). See Securing Access to Management Functions on page 3-1.
If you have configured a greeting banner (using the banner motd CLI command), a panel with the greeting is displayed first. Click on the Login link to proceed to the Login dialog. Here is an example of the greeting panel:
Navigating the Web Management Interface
When you log into a device, the System configuration panel is displayed. This panel allows you to enable or disable major system features. You can return to this panel from any other panel by selecting the Home link.
The Site Map link gives you a view of all available options on a single screen.
The left pane of the Web management interface window contains a “tree view,” similar to the one found in Windows Explorer. Configuration options are grouped into folders in the tree view. These folders, when expanded, reveal additional options. To expand a folder, click on the plus sign to the left of the folder icon.
You can configure the appearance of the Web management interface by using one of the following methods.
USING THE CLI
Using the CLI, you can modify the appearance of the Web management interface with the web-management command.
To cause the Web management interface to display the List view by default:
BigIron(config)# web-management list-menu
To disable the front panel frame:
BigIron(config)# no web-management front-panel
When you save the configuration with the write memory command, the changes will take place the next time you start the Web management interface, or if you are currently running the Web management interface, the changes will take place when you click the Refresh button on your browser.
USING THE WEB MANAGEMENT INTERFACE
1. Click on the plus sign next to Configure in the tree view to expand the list of configuration options.
2. Click on the plus sign next to System in the tree view to expand the list of system configuration links.
3. Click on the plus sign next to Management in the tree view to expand the list of system management links.
4. Click on the Web Preference link to display the Web Management Preferences panel.
5. Enable or disable elements on the Web management interface by clicking on the appropriate radio buttons on the panel. The following figure identifies the elements you can change.
NOTE: The tree view is available when you use the Web management interface with Netscape 4.0 or higher or Internet Explorer 4.0 or higher browsers. If you use the Web management interface with an older browser, the Web management interface displays the List view only, and the Web Management Preferences panel does not include an option to display the tree view.
6. When you have finished, click the Apply button on the panel, then click the Refresh button on your browser to activate the changes.
7. To save the configuration, click the plus sign next to the Command folder, then click the Save to Flash link.
NOTE: The only changes that become permanent are the settings to the Menu Type and the Front Panel Frame. Any other elements you enable or disable will go back to their default settings the next time you start the Web management interface.
Logging on Through IronView
See the IronView Network Management User's Guide for information about using IronView.
Swapping Modules (Chassis devices only)
After you physically insert a module into the Chassis device, you need to enter the location and type of module in the software if that slot was previously configured for a different module type.
Slots in a 4-slot chassis are numbered 1 – 4, from top to bottom.
Slots in an 8-slot chassis are numbered 1 – 8, from left to right.
Slots in a 15-slot chassis are numbered 1 – 15, from left to right.
See Slot and Port Numbers on page 9-16 for more information about slot and port numbering.
[Figure: elements of the Web Management Preferences panel: Front Panel Frame, Front Panel, Page Menu, Bottom Frame, Menu Frame, Menu Type (Tree View shown)]
NOTE: If the slot has never contained a module or you are swapping in exactly the same type of module, you do not need to use the module command. The slot requires configuration only if it has already been configured for another type of module.
USING THE CLI
To add a module to a Chassis device:
BigIron(config)# module 3 bi-8-port-gig-management-module
Syntax: module <slot-num> <module-type>
The <slot-num> parameter indicates the chassis slot number.
The <module-type> parameter specifies the platform, module type, and port configuration of the module.
NOTE: Module options that begin with “bi” and are for the Management IV module also are applicable to the NetIron Internet Backbone router.
USING THE WEB MANAGEMENT INTERFACE
To configure a chassis slot for a module:
1. Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.
2. Click on the Module link to display the Module panel, as shown in the following example.
3. Click the Add Module link to display the following panel.
4. Select the slot number from the Slot pulldown menu.
Slots in a 4-slot chassis are numbered 1 – 4, from top to bottom.
Slots in an 8-slot chassis are numbered 1 – 8, from left to right.
Slots in a 15-slot chassis are numbered 1 – 15, from left to right.
5. Select the module type from the Module Type pulldown menu.
6. Click the Add button to save the change to the device's running-config file.
7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device's flash memory.
Chapter 3
Securing Access to Management Functions
This chapter explains how to secure access to management functions on a Foundry device. It contains the following sections:
• “Securing Access Methods” on page 3-1 lists the management access methods available on a Foundry device and the ways you can secure each one
• “Restricting Remote Access to Management Functions” on page 3-3 explains how to restrict access to management functions from remote sources, including Telnet, the Web management interface, and SNMP
• “Setting Passwords” on page 3-9 explains how to set passwords for Telnet access and management privilege levels
• “Setting Up Local User Accounts” on page 3-12 explains how to define user accounts to regulate who can access management functions
• “Establishing SNMP Community Strings” on page 3-14 explains how to configure SNMP read-only and read-write community strings on a Foundry device
• “Configuring TACACS/TACACS+ Security” on page 3-18 explains how to configure TACACS/TACACS+ authentication, authorization, and accounting
• “Configuring RADIUS Security” on page 3-33 explains how to configure RADIUS authentication, authorization, and accounting
• “Configuring Authentication-Method Lists” on page 3-47 explains how to set the order in which authentication methods are consulted when more than one is used with an access method
Securing Access Methods
The following table lists the management access methods available on a Foundry device, how they are secured by default, and the ways in which they can be secured.
Table 3.1: Ways to secure management access to Foundry devices

Serial access to the CLI
  Secured by default: Not secured
  Ways to secure the access method:
    • Establish passwords for management privilege levels (page 3-10)

Access to the Privileged EXEC and CONFIG levels of the CLI
  Secured by default: Not secured
  Ways to secure the access method:
    • Establish a password for Telnet access to the CLI (page 3-9)
    • Establish passwords for management privilege levels (page 3-10)
    • Set up local user accounts (page 3-12)
    • Configure TACACS/TACACS+ security (page 3-18)
    • Configure RADIUS security (page 3-33)

Telnet access
  Secured by default: Not secured
  Ways to secure the access method:
    • Regulate Telnet access using ACLs (page 3-4)
    • Allow Telnet access only from specific IP addresses (page 3-5)
    • Allow Telnet access only to clients connected to a specific VLAN (page 3-6)
    • Disable Telnet access (page 3-7)
    • Establish a password for Telnet access (page 3-9)
    • Establish passwords for privilege levels of the CLI (page 3-10)
    • Set up local user accounts (page 3-12)
    • Configure TACACS/TACACS+ security (page 3-18)
    • Configure RADIUS security (page 3-33)

Secure Shell (SSH) access
  Secured by default: Not configured
  Ways to secure the access method:
    • Configure SSH (page 4-1)
    • Establish passwords for privilege levels of the CLI (page 3-10)
    • Set up local user accounts (page 3-12)
    • Configure TACACS/TACACS+ security (page 3-18)
    • Configure RADIUS security (page 3-33)

Web management access
  Secured by default: SNMP read or read-write community strings
  Ways to secure the access method:
    • Regulate Web management access using ACLs (page 3-4)
    • Allow Web management access only from specific IP addresses (page 3-6)
    • Allow Web management access only to clients connected to a specific VLAN (page 3-7)
    • Disable Web management access (page 3-7)
    • Set up local user accounts (page 3-12)
    • Establish SNMP read or read-write community strings (page 3-14)
    • Configure TACACS/TACACS+ security (page 3-18)
    • Configure RADIUS security (page 3-33)

SNMP (IronView) access
  Secured by default: SNMP read or read-write community strings and the password to the Super User privilege level. Note: SNMP read or read-write community strings are always required for SNMP access to the device.
  Ways to secure the access method:
    • Regulate SNMP access using ACLs (page 3-5)
    • Allow SNMP access only from specific IP addresses (page 3-6)
    • Disable SNMP access (page 3-8)
    • Allow SNMP access only to clients connected to a specific VLAN (page 3-7)
    • Establish passwords to management levels of the CLI (page 3-10)
    • Set up local user accounts (page 3-12)
    • Establish SNMP read or read-write community strings (page 3-14)

TFTP access
  Secured by default: Not secured
  Ways to secure the access method:
    • Allow TFTP access only to clients connected to a specific VLAN (page 3-7)

Restricting Remote Access to Management Functions
You can restrict access to management functions from remote sources, including Telnet, the Web management interface, and SNMP. The following methods for restricting remote access are supported:
• Using ACLs to restrict Telnet, Web management interface, or SNMP access
• Allowing remote access only from specific IP addresses
• Allowing remote access only to clients connected to a specific VLAN
• Specifically disabling Telnet, Web management interface, or SNMP access to the device
The following sections describe how to restrict remote access to a Foundry device using these methods.
Using ACLs to Restrict Remote Access
You can use standard ACLs to control the following access methods to management functions on a Foundry device:
• Telnet access
• Web management access
• SNMP access
To configure access control for these management access methods:
1. Configure an ACL with the IP addresses you want to allow to access the device
2. Configure a Telnet access group, web access group, and SNMP community strings. Each of these configuration items accepts an ACL as a parameter. The ACL contains entries that identify the IP addresses that can use the access method.
The following sections present examples of how to secure management access using ACLs. See Chapter 13, Using Access Control Lists (ACLs), for more information on configuring ACLs.
Using an ACL to Restrict Telnet Access
To configure an ACL that restricts Telnet access to the device, enter commands such as the following:
BigIron(config)# access-list 10 deny host 209.157.22.32 log
BigIron(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log
BigIron(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log
BigIron(config)# access-list 10 deny 209.157.25.0/24 log
BigIron(config)# access-list 10 permit any
BigIron(config)# telnet access-group 10
BigIron(config)# write memory
Syntax: telnet access-group <num>
The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
The commands above configure ACL 10, then apply the ACL as the access list for Telnet access. The device allows Telnet access to all IP addresses except those listed in ACL 10.
To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL. For example:
BigIron(config)# access-list 10 permit host 209.157.22.32
BigIron(config)# access-list 10 permit 209.157.23.0 0.0.0.255
BigIron(config)# access-list 10 permit 209.157.24.0 0.0.0.255
BigIron(config)# access-list 10 permit 209.157.25.0/24
BigIron(config)# telnet access-group 10
BigIron(config)# write memory
The ACL in this example permits Telnet access only to the IP addresses in the permit entries and denies Telnet access from all other IP addresses.
Using an ACL to Restrict Web Management Access
To configure an ACL that restricts Web management access to the device, enter commands such as the following:
BigIron(config)# access-list 12 deny host 209.157.22.98 log
BigIron(config)# access-list 12 deny 209.157.23.0 0.0.0.255 log
BigIron(config)# access-list 12 deny 209.157.24.0/24 log
BigIron(config)# access-list 12 permit any
BigIron(config)# web access-group 12
BigIron(config)# write memory
Syntax: web access-group <num>
The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
These commands configure ACL 12, then apply the ACL as the access list for Web management access. The device denies Web management access from the IP addresses listed in ACL 12 and permits Web management access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny Web management access from all IP addresses.
NOTE: In this example, the command web access-group 10 could have been used to apply the ACL configured in the example for Telnet access. You can use the same ACL multiple times.
Using ACLs to Restrict SNMP Access
To restrict SNMP access to the device using ACLs, enter commands such as the following:
NOTE: The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet and Web management access using ACLs.
BigIron(config)# access-list 25 deny host 209.157.22.98 log
BigIron(config)# access-list 25 deny 209.157.23.0 0.0.0.255 log
BigIron(config)# access-list 25 deny 209.157.24.0 0.0.0.255 log
BigIron(config)# access-list 30 deny 209.157.25.0 0.0.0.255 log
BigIron(config)# access-list 30 deny 209.157.26.0/24 log
BigIron(config)# access-list 30 permit any
BigIron(config)# snmp-server community public ro 25
BigIron(config)# snmp-server community private rw 30
BigIron(config)# write memory
Syntax: snmp-server community <string> ro | rw <num>
The <string> parameter specifies the SNMP community string the user must enter to gain SNMP access.
The ro parameter indicates that the community string is for read-only (“get”) access. The rw parameter indicates the community string is for read-write (“set”) access.
The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
These commands configure ACLs 25 and 30, then apply the ACLs to community strings.
ACL 25 is used to control read-only access using the “public” community string. ACL 30 is used to control read-write access using the “private” community string.
Restricting Remote Access to the Device to Specific IP Addresses
By default, a Foundry device does not control remote management access based on the IP address of the managing device. You can restrict remote management access to a single IP address for the following access methods:
• Telnet access
• Web management access
• SNMP access
In addition, if you want to restrict all three access methods to the same IP address, you can do so using a single command.
The following examples show the CLI commands for restricting remote access. You can specify only one IP address with each command. However, you can enter each command ten times to specify up to ten IP addresses.
NOTE: You cannot restrict remote management access using the Web management interface.
Restricting Telnet Access to a Specific IP Address
To allow Telnet access to the Foundry device only to the host with IP address 209.157.22.39, enter the following command:
BigIron(config)# telnet-client 209.157.22.39
Syntax: [no] telnet-client <ip-addr>
Restricting Web Management Access to a Specific IP Address
To allow Web management access to the Foundry device only to the host with IP address 209.157.22.26, enter the following command:
BigIron(config)# web-client 209.157.22.26
Syntax: [no] web-client <ip-addr>
Restricting SNMP Access to a Specific IP Address
To allow SNMP access (which includes IronView) to the Foundry device only to the host with IP address 209.157.22.14, enter the following command:
BigIron(config)# snmp-client 209.157.22.14
Syntax: [no] snmp-client <ip-addr>
Restricting All Remote Management Access to a Specific IP Address
To allow Telnet, Web, and SNMP management access to the Foundry device only to the host with IP address 209.157.22.69, you can enter three separate commands (one for each access type) or you can enter the following command:
BigIron(config)# all-client 209.157.22.69
Syntax: [no] all-client <ip-addr>
Restricting Remote Access to the Device to Specific VLAN IDs
You can restrict management access to a Foundry device to ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods:
• Telnet access
• Web management access
• SNMP access
• TFTP access
By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given access method based on VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN.
VLAN-based access control works in conjunction with other access control methods. For example, suppose you configure an ACL to permit Telnet access only to specific client IP addresses, and you also configure VLAN-based access control for Telnet access. In this case, the only Telnet clients that can access the device are clients that have one of the IP addresses permitted by the ACL and are connected to a port that is in a permitted VLAN. Clients who have a permitted IP address but are connected to a port in a VLAN that is not permitted still cannot access the device through Telnet.
Restricting Telnet Access to a Specific VLAN
To allow Telnet access only to clients in a specific VLAN, enter a command such as the following:
BigIron(config)# telnet server enable vlan 10
The command in this example configures the device to allow Telnet management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.
Syntax: [no] telnet server enable vlan <vlan-id>
Restricting Web Management Access to a Specific VLAN
To allow Web management access only to clients in a specific VLAN, enter a command such as the following:
BigIron(config)# web-management enable vlan 10
The command in this example configures the device to allow Web management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.
Syntax: [no] web-management enable vlan <vlan-id>
Restricting SNMP Access to a Specific VLAN
To allow SNMP access only to clients in a specific VLAN, enter a command such as the following:
BigIron(config)# snmp-server enable vlan 40
The command in this example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
Syntax: [no] snmp-server enable vlan <vlan-id>
Restricting TFTP Access to a Specific VLAN
To allow TFTP access only to clients in a specific VLAN, enter a command such as the following:
BigIron(config)# tftp client enable vlan 40
The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
Syntax: [no] tftp client enable vlan <vlan-id>
Disabling Specific Access Methods
You can specifically disable the following access methods:
• Telnet access
• Web management access
• SNMP access
NOTE: If you disable Telnet access, you will not be able to access the CLI except through a serial connection to the management module. If you disable SNMP access, you will not be able to use IronView or third-party SNMP management applications.
Disabling Telnet Access
Telnet access is enabled by default. You can use a Telnet client to access the CLI on the device over the network. If you do not plan to use the CLI over the network and want to disable Telnet access to prevent others from establishing CLI sessions with the device, enter the following command:
BigIron(config)# no telnet-server
To re-enable Telnet operation, enter the following command:
BigIron(config)# telnet-server
Syntax: [no] telnet-server
Disabling Web Management Access
If you want to prevent access to the device through the Web management interface, you can disable the Web management interface.
NOTE: As soon as you make this change, the device stops responding to Web management sessions. If you make this change using your Web browser, your browser can contact the device, but the device will not reply once the change takes place.
USING THE CLI
To disable the Web management interface, enter the following command:
BigIron(config)# no web-management
To re-enable the Web management interface, enter the following command:
BigIron(config)# web-management
Syntax: [no] web-management
USING THE WEB MANAGEMENT INTERFACE
1. Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.
2. Select the Management link from the System configuration panel to display the Management panel.
3. Click Disable next to Web Management.
4. Click the Apply button to save the change to the device's running-config file.
5. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device's flash memory.
Disabling SNMP Access
SNMP is enabled by default on all Foundry devices. SNMP is required if you want to manage a Foundry device using IronView.
To disable SNMP, use one of the following methods.
USING THE CLI
To disable SNMP management of the device:
BigIron(config)# snmp disable
To later re-enable SNMP management of the device:
BigIron(config)# no snmp disable
Syntax: [no] snmp disable
USING THE WEB MANAGEMENT INTERFACE
1. Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed.
2. Select the Management link from the System configuration panel to display the Management panel.
3. Click Disable next to SNMP.
4. Click the Apply button to save the change to the device's running-config file.
5. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device's flash memory.
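The ACLs, x-client address lists, VLAN restrictions and disable commands described in the preceding sections combine: a management client must pass every control that is configured. The following Python model is an added example and not Foundry code; it evaluates those controls over a constructed configuration built from this chapter's commands, assuming standard-ACL semantics of first match wins with an implicit deny at the end, and that a snmp-server community line with no ACL number accepts any source address.

```python
import ipaddress
from dataclasses import dataclass

DISABLE_CMDS = {("no", "telnet-server"): "telnet", ("no", "web-management"): "web",
                ("snmp", "disable"): "snmp"}
VLAN_CMDS = {"telnet": "telnet", "web-management": "web", "snmp-server": "snmp"}


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    network: int    # IPv4 address as an integer
    wildcard: int   # wildcard mask: 1 bits are "don't care", 0 bits must match


def parse_acl_entry(line):
    """Parse 'access-list <num> permit|deny host A | A WILDCARD | A/PREFIX | any [log]'."""
    t = line.split()
    num, action, src = int(t[1]), t[2], t[3:]
    if src[-1] == "log":                  # logging does not change the match
        src = src[:-1]
    if src[0] == "any":
        net, wild = 0, 0xFFFFFFFF
    elif src[0] == "host":                # one address, every bit significant
        net, wild = int(ipaddress.IPv4Address(src[1])), 0
    elif "/" in src[0]:                   # CIDR form such as 209.157.25.0/24
        n = ipaddress.IPv4Network(src[0], strict=False)
        net, wild = int(n.network_address), int(n.hostmask)
    else:                                 # address plus wildcard, e.g. 209.157.23.0 0.0.0.255
        net, wild = int(ipaddress.IPv4Address(src[0])), int(ipaddress.IPv4Address(src[1]))
    return num, AclEntry(action, net, wild)


def acl_permits(entries, client_ip):
    """First matching entry decides; an ACL that matches nothing ends in an implicit deny."""
    addr = int(ipaddress.IPv4Address(client_ip))
    for e in entries:
        if (addr | e.wildcard) == (e.network | e.wildcard):
            return e.action == "permit"
    return False


class ManagementPolicy:
    """Management-access state built from the CLI commands shown in this chapter."""

    def __init__(self, config_lines):
        self.acls = {}        # ACL number -> [AclEntry]
        self.acl_for = {}     # "telnet", "web" or ("snmp", community) -> ACL number or None
        self.clients = {"telnet": set(), "web": set(), "snmp": set()}  # x-client addresses
        self.vlans = {"telnet": set(), "web": set(), "snmp": set()}    # permitted VLAN IDs
        self.disabled = set()
        for t in map(str.split, config_lines):
            if t:
                self._apply(t)

    def _apply(self, t):
        if t[0] == "access-list":
            num, entry = parse_acl_entry(" ".join(t))
            self.acls.setdefault(num, []).append(entry)
        elif tuple(t) in DISABLE_CMDS:                      # no telnet-server, snmp disable, ...
            self.disabled.add(DISABLE_CMDS[tuple(t)])
        elif t[1:2] == ["access-group"]:                    # telnet|web access-group <num>
            self.acl_for[t[0]] = int(t[2])
        elif t[:2] == ["snmp-server", "community"]:         # ... <string> ro|rw [<acl-num>]
            self.acl_for[("snmp", t[2])] = int(t[4]) if len(t) > 4 else None  # assumption: no ACL = any source
        elif t[0].endswith("-client"):                      # telnet|web|snmp|all-client <ip-addr>
            for m in (["telnet", "web", "snmp"] if t[0] == "all-client" else [t[0][:-7]]):
                self.clients[m].add(t[1])
        elif t[0] in VLAN_CMDS and "vlan" in t:             # ... enable vlan <vlan-id>
            self.vlans[VLAN_CMDS[t[0]]].add(int(t[-1]))

    def allows(self, method, client_ip, client_vlan, community=None):
        """Return (allowed, reason); every configured control must pass (stated for ACL+VLAN,
        assumed here for the x-client address lists as well)."""
        if method in self.disabled:
            return False, f"{method} access is disabled"
        if self.vlans[method] and client_vlan not in self.vlans[method]:
            return False, f"VLAN {client_vlan} is not a permitted VLAN for {method}"
        if self.clients[method] and client_ip not in self.clients[method]:
            return False, f"{client_ip} is not a configured {method} client address"
        key = ("snmp", community) if method == "snmp" else method
        if method == "snmp" and key not in self.acl_for:
            return False, "unknown community string"
        acl_num = self.acl_for.get(key)
        if acl_num is not None and not acl_permits(self.acls.get(acl_num, []), client_ip):
            return False, f"denied by ACL {acl_num}"
        return True, "permitted"


# Constructed configuration assembled from the commands shown in this chapter.
SAMPLE_CONFIG = [
    "access-list 10 deny host 209.157.22.32 log",
    "access-list 10 deny 209.157.23.0 0.0.0.255 log",
    "access-list 10 deny 209.157.25.0/24 log",
    "access-list 10 permit any",
    "access-list 12 permit host 209.157.22.26",   # no 'permit any': every other address is denied
    "telnet access-group 10",
    "telnet server enable vlan 10",
    "web access-group 12",
    "snmp-server community private rw 10",
    "snmp-client 209.157.22.14",
]
```

With this configuration a Telnet client at 209.157.22.40 on VLAN 10 is admitted, the same client on VLAN 20 is refused by the VLAN check alone, and any Web client other than 209.157.22.26 falls off the end of ACL 12 into its implicit deny.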
Setting Passwords
Passwords can be used to secure the following access methods:
• Telnet access can be secured by setting a Telnet password. See “Setting a Telnet Password” on page 3-9.
• Access to the Privileged EXEC and CONFIG levels of the CLI can be secured by setting passwords for management privilege levels. See “Setting Passwords for Management Privilege Levels” on page 3-10.
This section also provides procedures for enhancing management privilege levels, recovering from a lost password, and disabling password encryption.
NOTE: You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account a management privilege level. See “Setting Up Local User Accounts” on page 3-12.
Setting a Telnet Password
By default, the device does not require a user name or password when you log in to the CLI using Telnet. You can assign a password for Telnet access using one of the following methods.
USING THE CLI
To set the password “letmein” for Telnet access to the CLI, enter the following command at the global CONFIG level:
BigIron(config)# enable telnet password letmein
Syntax: [no] enable telnet password <string>
USING THE WEB MANAGEMENT INTERFACE
1. Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.
2. Select the Management link from the System configuration panel to display the Management panel.
3. Enter the password in the Telnet Password field.
4. Click the Apply button to save the change to the device's running-config file.
5. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device's flash memory.
Suppressing Telnet Connection Rejection Messages
By default, if a Foundry device denies Telnet management access to the device, the software sends a message to the denied Telnet client. You can optionally suppress the rejection message. When you enable the option, a denied Telnet client does not receive a message from the Foundry device. Instead, the denied client simply does not gain access.
To suppress the connection rejection message, use the following CLI method.
USING THE CLI
To suppress the connection rejection message sent by the device to a denied Telnet client, enter the following command at the global CONFIG level of the CLI:
BigIron(config)# telnet server suppress-reject-message
Syntax: [no] telnet server suppress-reject-message
USING THE WEB MANAGEMENT INTERFACE
You cannot configure this option using the Web management interface.
Setting Passwords for Management Privilege Levels
You can set one password for each of the following management privilege levels:
• Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
• Port Configuration level – Allows read-and-write access for specific ports but not for global (system-wide) parameters.
• Read Only level – Allows access to the Privileged EXEC mode and CONFIG mode of the CLI but only with read access.
You can assign a password to each management privilege level. You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account to one of the three privilege levels. See “Setting Up Local User Accounts” on page 3-12.
NOTE: You must use the CLI to assign a password for management privilege levels. You cannot assign a password using the Web management interface.
If you configure user accounts in addition to privilege level passwords, the device will validate a user's access attempt using one or both methods (local user account or privilege level password), depending on the order you specify in the authentication-method lists. See “Configuring Authentication-Method Lists” on page 3-47.
USING THE CLI
To set passwords for management privilege levels:
1. At the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode:
BigIron> enable
BigIron#
2. Access the CONFIG level of the CLI by entering the following command:
BigIron# configure terminal
BigIron(config)#
3. Enter the following command to set the Super User level password:
BigIron(config)# enable super-user-password <text>
NOTE: You must set the Super User level password before you can set other types of passwords.
4. Enter the following commands to set the Port Configuration level and Read Only level passwords:
BigIron(config)# enable port-config-password <text>
BigIron(config)# enable read-only-password <text>
NOTE: If you forget your Super User level password, see “Recovering from a Lost Password” on page 3-11.
Augmenting Management Privilege Levels
Each management privilege level provides access to specific areas of the CLI by default:
• Super User level provides access to all commands and displays.
• Port Configuration level gives access to:
  • The User EXEC and Privileged EXEC levels
  • The port-specific parts of the CONFIG level
  • All interface configuration levels
• Read Only level gives access to:
  • The User EXEC and Privileged EXEC levels
You can grant additional access to a privilege level on an individual command basis. To grant the additional access, you specify the privilege level you are enhancing, the CLI level that contains the command, and the individual command.
NOTE: This feature applies only to management privilege levels on the CLI. You cannot augment management access levels for the Web management interface.
To enhance the Port Configuration privilege level so users also can enter IP commands at the global CONFIG level:
BigIron(config)# privilege configure level 4 ip
In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration). All users with Port Configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands. Users who log in with valid Port Configuration level user names and passwords can enter commands that begin with “ip” at the global CONFIG level.
Syntax: [no] privilege <cli-level> level <privilege-level> <command-string>
The <cli-level> parameter specifies the CLI level and can be one of the following values:
• exec – EXEC level; for example, BigIron> or BigIron#
• configure – CONFIG level; for example, BigIron(config)#
• interface – Interface level; for example, BigIron(config-if-6)#
• virtual-interface – Virtual-interface level; for example, BigIron(config-vif-6)#
• rip-router – RIP router level; for example, BigIron(config-rip-router)#
• ospf-router – OSPF router level; for example, BigIron(config-ospf-router)#
• dvmrp-router – DVMRP router level; for example, BigIron(config-dvmrp-router)#
• pim-router – PIM router level; for example, BigIron(config-pim-router)#
• bgp-router – BGP4 router level; for example, BigIron(config-bgp-router)#
• port-vlan – Port-based VLAN level; for example, BigIron(config-vlan)#
• protocol-vlan – Protocol-based VLAN level
The <privilege-level> indicates the number of the management privilege level you are augmenting. You can specify one of the following:
• 0 – Super User level (full read-write access)
• 4 – Port Configuration level
• 5 – Read Only level
The <command-string> parameter specifies the command you are allowing users with the specified privilege level to enter. To display a list of the commands at a CLI level, enter “?” at that level's command prompt.
Recovering from a Lost Password
Recovery from a lost password requires direct access to the serial port and a system reset.
NOTE: You can perform this procedure only from the CLI.
To recover from a lost password:
1. Start a CLI session over the serial interface to the device.
2. Reboot the device.
3. At the initial boot prompt at system startup, enter b to enter the boot monitor mode.
4. Enter no password at the prompt. (You cannot abbreviate this command.) This command will cause the device to bypass the system password check.
5. Enter boot system flash primary at the prompt.
6. After the console prompt reappears, assign a new password.
Displaying the SNMP Community String
If you want to display the SNMP community string, enter the following commands:
BigIron(config)# enable password-display
BigIron(config)# show snmp server
The enable password-display command enables display of the community string, but only in the output of the show snmp server command. Display of the string is still encrypted in the startup-config file and running-config.
Enter the command at the global CONFIG level of the CLI.
Disabling Password Encryption
When you configure a password, then save the configuration to the Foundry device's flash memory, the password is also saved to flash as part of the configuration file. By default, the passwords are encrypted so that the passwords cannot be observed by another user who displays the configuration file. Even if someone observes the file while it is being transmitted over TFTP, the password is encrypted.
NOTE: You cannot disable password encryption using the Web management interface.
If you want to remove the password encryption, you can disable encryption by entering the following command:
BigIron(config)# no service password-encryption
Syntax: [no] service password-encryption
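As an added example (not Foundry code), the following Python audit reads a configuration written in the command syntax used in this chapter and reports the weaknesses the preceding sections describe: passwords saved in clear text, password display enabled, no Super User password, passwordless or unrestricted Telnet and Web management access, and SNMP community strings that are not bound to an ACL. The finding codes and both sample configurations are constructed for the example.

```python
def audit_management_config(config_text):
    """Return a list of (code, message) findings; an empty list means no check fired."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    def have(prefix):
        return any(ln.startswith(prefix) for ln in lines)

    findings = []
    # Passwords are written to flash in clear text once encryption is turned off.
    if "no service password-encryption" in lines:
        findings.append(("PASSWORD_ENCRYPTION_DISABLED",
                         "passwords are stored unencrypted in the startup-config"))
    # 'enable password-display' makes 'show snmp server' reveal the community string.
    if "enable password-display" in lines:
        findings.append(("PASSWORD_DISPLAY_ENABLED",
                         "show snmp server will display the SNMP community string"))
    # Privilege-level passwords are not set by default; the Super User one must be set first.
    if not have("enable super-user-password"):
        findings.append(("NO_SUPER_USER_PASSWORD",
                         "Privileged EXEC and CONFIG levels have no password"))

    if "no telnet-server" not in lines:            # Telnet is enabled by default
        if not (have("enable telnet password") or have("username ")):
            findings.append(("TELNET_NO_PASSWORD",
                             "Telnet login to the CLI requires neither a password nor a user account"))
        if not (have("telnet access-group") or have("telnet-client") or have("all-client")
                or have("telnet server enable vlan")):
            findings.append(("TELNET_UNRESTRICTED",
                             "Telnet is reachable from any address on any VLAN"))
    if "no web-management" not in lines:           # Web management is enabled by default
        if not (have("web access-group") or have("web-client") or have("all-client")
                or have("web-management enable vlan")):
            findings.append(("WEB_UNRESTRICTED",
                             "the Web management interface is reachable from any address on any VLAN"))
    if "snmp disable" not in lines:                # SNMP is enabled by default
        for ln in lines:
            t = ln.split()
            # snmp-server community <string> ro|rw [<acl-num>]: no ACL number means no source filter
            if t[:2] == ["snmp-server", "community"] and len(t) == 4:
                findings.append((f"SNMP_{t[3].upper()}_COMMUNITY_NO_ACL",
                                 f"community string '{t[2]}' ({t[3]}) is not limited by an ACL"))
    return findings


# Constructed configurations, not taken from a real device.
WEAK_CONFIG = """\
no service password-encryption
enable password-display
snmp-server community public ro
snmp-server community private rw
"""

HARDENED_CONFIG = """\
service password-encryption
enable super-user-password examplepass
enable telnet password letmein
access-list 10 permit 209.157.22.0 0.0.0.255
telnet access-group 10
telnet server enable vlan 10
web access-group 10
snmp-server community private rw 10
snmp-server community public ro 10
"""

if __name__ == "__main__":
    for code, message in audit_management_config(WEAK_CONFIG):
        print(f"{code}: {message}")
```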
Setting Up Local User Accounts
You can define up to 16 local user accounts on a Foundry device. User accounts regulate who can access the management functions in the CLI using the following methods:
• Telnet access
• Web management access
• SNMP access
NOTE: Local user accounts are not supported on the FastIron Workgroup Layer 2 Switch or the non-octal NetIron.
Local user accounts provide greater flexibility for controlling management access to Foundry devices than do management privilege level passwords and SNMP community strings. You can continue to use the privilege level passwords and the SNMP community strings as additional means of access authentication. Alternatively, you can choose not to use local user accounts and instead continue to use only the privilege level passwords and SNMP community strings. Local user accounts are backward-compatible with configuration files that contain privilege level passwords. See “Setting Passwords for Management Privilege Levels” on page 3-10.
If you configure local user accounts, you also need to configure an authentication-method list for Telnet access, Web management access, and SNMP access. See “Configuring Authentication-Method Lists” on page 3-47.
For each local user account, you specify a user name. You also can specify the following parameters:
A password
A management privilege level, which can be one of the following:
Super User level Allows complete read-and-write access to the system. This is generally for system
administrators and is the only privilege level that allows you to configure passwords. This is the default.
Page 77
Securing Access to Management Functions
December 2000 3 - 13
Port Configuration level – Allows read-and-write access for specific ports but not for global (system-wide) parameters.
Read Only level – Allows access to the Privileged EXEC mode and CONFIG mode but only with read access.
Configuring a Local User Account
To configure a local user account, use one of the following methods.
USING THE CLI
To configure a local user account, enter a command such as the following at the global CONFIG level of the CLI.
BigIron(config)# username wonka password willy
This command adds a local user account with the user name wonka and the password willy. This account has the Super User privilege level; this user has full access to all configuration and display features.
NOTE: If you configure local user accounts, you must grant Super User level access to at least one account before you add accounts with other privilege levels. You need the Super User account to make further administrative changes.
BigIron(config)# username waldo privilege 5 password whereis
This command adds a user account for user name “waldo”, password “whereis”, with the Read Only privilege level. Waldo can look for information but cannot make configuration changes.
Syntax: [no] username <user-string> privilege <privilege-level> password | nopassword <password-string>
The privilege parameter specifies the privilege level for the account. You can specify one of the following:
0 Super User level (full read-write access)
4 Port Configuration level
5 Read Only level
The default privilege level is 0. If you want to assign Super User level access to the account, you can enter the command without privilege 0, as shown in the command example above.
The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user's password.
NOTE: You must be logged on with Super User access (privilege level 0) to add user accounts or configure other access parameters.
To display user account information, enter the following command:
BigIron(config)# show users
Syntax: show users
USING THE WEB MANAGEMENT INTERFACE
To configure a local user account using the Web management interface, use the following procedure.
NOTE: Before you can add a local user account using the Web management interface, you must enable this capability by entering the password any command at the global CONFIG level of the CLI.
1. Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed.
2. Select the Management link from the System configuration panel to display the Management panel.
3. Select the User Account link.
If any user accounts are already configured on the device, the account information is listed in a table.
Select the Add User Account link to display the following panel. Notice that the password display is encrypted. If you want the passwords to be displayed in clear text, you can use the CLI to disable encryption of password displays. See Disabling Password Encryption on page 3-12.
If the device does not have any user accounts configured, the following panel is displayed.
4. Enter the user name in the User Name field. The name cannot contain blanks.
5. Enter the password in the Password field. The password cannot contain blanks.
6. Select the management privilege level from the Privilege pulldown menu. You can select one of the following:
0 (Read-Write) equivalent to Super User level access. The user can display and configure everything.
4 (Port-Config) allows the user to configure port parameters but not global parameters.
5 (Read-Only) allows the user to display information but not to make configuration changes.
7. Click the Add button to save the change to the device's running-config file.
8. Repeat steps 4 – 7 for each user account. You can add up to 16 accounts.
9. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device's flash memory.
Establishing SNMP Community Strings
The default passwords for Web management access are actually the SNMP community strings configured on the device.
The default read-only community string is “public”. To open a read-only Web management session, enter get and public for the user name and password.
Beginning with software release 05.1.00, there is no default read-write community string. Thus, by default, you cannot open a read-write management session using the Web management interface. You first must configure a read-write community string using the CLI. Then you can log on using “set” as the user name and the read-write community string you configure as the password.
You can configure as many additional read-only and read-write community strings as you need. The number of strings you can configure depends on the memory on the device. There is no practical limit.
The Web management interface supports only one read-write session at a time. When a read-write session is open on the Web management interface, subsequent sessions are read-only, even if the session login is “set” with a valid read-write password.
NOTE: If you delete the startup-config file, the device automatically re-adds the default “public” read-only community string the next time you load the software.
NOTE: As an alternative to the SNMP community strings, you can secure Web management access using local user accounts or ACLs. See Setting Up Local User Accounts on page 3-12 or Using an ACL to Restrict Web Management Access on page 3-4.
Encryption of SNMP Community Strings
The software automatically encrypts SNMP community strings. Users with read-only access or who do not have access to management functions in the CLI cannot display the strings. For users with read-write access, the strings are encrypted in the CLI but are shown in the clear in the Web management interface.
Encryption is enabled by default. You can disable encryption for individual strings or trap receivers if desired. See the next section for information about encryption.
Adding an SNMP Community String
To add a community string, use either of the following methods. When you add a community string, you can specify whether the string is encrypted or clear. By default, the string is encrypted.
USING THE CLI
To add an encrypted community string, enter commands such as the following:
BigIron(config)# snmp-server community private rw
BigIron(config)# write memory
Syntax: snmp-server community [0 | 1] <string> ro | rw
The <string> parameter specifies the community string name. The string can be up to 32 characters long.
The ro | rw parameter specifies whether the string is read-only (ro) or read-write (rw).
The 0 | 1 parameter affects encryption for display of the string in the running-config and the startup-config file. Encryption is enabled by default. When encryption is enabled, the community string is encrypted in the CLI regardless of the access level you are using. In the Web management interface, the community string is encrypted at the read-only access level but is visible at the read-write access level.
The encryption option can be omitted (the default) or can be one of the following.
0 – Disables encryption for the community string you specify with the command. The community string is shown as clear text in the running-config and the startup-config file. Use this option if you do not want display of the community string to be encrypted.
1 – Assumes that the community string you enter is the encrypted form, and decrypts the value before using it.
NOTE: If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior.
If you specify encryption option 1, the software assumes that you are entering the encrypted form of the community string. In this case, the software decrypts the community string you enter before using the value for authentication. If you accidentally enter option 1 followed by the clear-text version of the community string, authentication will fail because the value used by the software will not match the value you intended to use.
The command in the example above adds the read-write SNMP community string “private”. When you save the new community string to the startup-config file (using the write memory command), the software adds the following command to the file:
snmp-server community 1 <encrypted-string> rw
To add a non-encrypted community string, you must explicitly specify that you do not want the software to encrypt the string. Here is an example:
BigIron(config)# snmp-server community 0 private rw
BigIron(config)# write memory
The command in this example adds the string “private” in the clear, which means the string is displayed in the clear. When you save the new community string to the startup-config file, the software adds the following command to the file:
snmp-server community 0 private rw
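The encryption option decides whether the string itself is readable by anyone who obtains the configuration file. The following Python script is an added example, not Foundry software: it parses the snmp-server community statements documented above from a saved configuration and reports strings the file exposes, guessable defaults, and read-write strings (which, as noted under Establishing SNMP Community Strings, also open read-write Web management sessions). The sample configuration, the severity labels and the function names are this example's own.

```python
"""Audit the community strings in a saved Foundry configuration.

Added example, not Foundry code. It parses the command form documented above,
snmp-server community [0 | 1] <string> ro | rw, and reports strings that the
file exposes. SAMPLE_CONFIG is constructed for the example.
"""
import re
from dataclasses import dataclass

# Optional leading 0/1 is the encryption option; the string cannot contain blanks.
_COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?:([01])\s+)?(\S+)\s+(ro|rw)\s*$",
    re.IGNORECASE,
)

# How the token on the line is to be read, per the manual:
#   "1"  -> the token is the encrypted form (what write memory stores by default)
#   "0"  -> the token is clear text and stays clear after write memory
#   none -> the token is clear text; the device encrypts it when it saves
ENCRYPTED, CLEAR_PERSISTENT, CLEAR_ON_ENTRY = "encrypted", "clear-persistent", "clear-on-entry"


@dataclass
class CommunityString:
    line_no: int
    token: str
    access: str   # "ro" or "rw"
    storage: str  # one of the three states above


@dataclass
class Finding:
    line_no: int
    severity: str
    message: str


def parse_community_strings(config: str) -> list[CommunityString]:
    """Return every snmp-server community statement in the config, in file order."""
    found = []
    for n, line in enumerate(config.splitlines(), start=1):
        m = _COMMUNITY_RE.match(line)
        if not m:
            continue
        option, token, access = m.groups()
        storage = {None: CLEAR_ON_ENTRY, "0": CLEAR_PERSISTENT, "1": ENCRYPTED}[option]
        found.append(CommunityString(n, token, access.lower(), storage))
    return found


def audit_community_strings(config: str) -> list[Finding]:
    """Flag strings readable from the file, guessable defaults, and rw strings."""
    findings = []
    for cs in parse_community_strings(config):
        if cs.storage != ENCRYPTED:
            guessable = cs.token.lower() in ("public", "private")
            findings.append(Finding(
                cs.line_no,
                "high" if guessable else "medium",
                f"{cs.access} community string {cs.token!r} is readable in this file "
                f"({cs.storage}); anyone who sees the file, e.g. during a TFTP transfer, learns it",
            ))
        if cs.access == "rw":
            findings.append(Finding(
                cs.line_no, "info",
                "read-write string also opens a read-write Web management session (user name 'set')",
            ))
    return findings


# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname BigIron
snmp-server community public ro
snmp-server community 0 private rw
snmp-server community 1 $XyZ123abc rw
"""

if __name__ == "__main__":
    for f in audit_community_strings(SAMPLE_CONFIG):
        print(f"line {f.line_no} [{f.severity}] {f.message}")
```

Run against a startup-config pulled with TFTP, the script reports each line that still shows a real community string; the option-1 line is the only one the default behaviour produces, so anything else was either entered with option 0 or not yet saved with write memory.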
Displaying the SNMP Community Strings
To display the configured community strings, enter the following command at any CLI level:
BigIron(config)# show snmp server
Syntax: show snmp server
See the Foundry Switch and Router Command Line Interface Reference for an example of the information displayed by the command.
NOTE: If display of the strings is encrypted, the strings are not displayed. Encryption is enabled by default.
USING THE WEB MANAGEMENT INTERFACE
NOTE: To make configuration changes, including changes involving SNMP community strings, you must first configure a read-write community string using the CLI. Alternatively, you must configure another authentication method and log on to the CLI using a valid password for that method.
1. Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.
NOTE: If you have configured the device to secure Web management access using local user accounts, you must instead enter the user name and password of one of the user accounts. See Setting Up Local User Accounts on page 3-12.
2. Select the Management link from the System configuration panel to display the following panel.
3. Select the Community String link to display the SNMP Community String panel, as shown in the following example. This example shows the table listed for a system that is configured only with the default read-only community string “public”.
4. Select the Add Community String link to display a panel such as the following.
5. Select the community string type:
Select Get for a read-only string.
Select Set for a read-write string.
6. Enter the community string in the Community String field.
7. Select the Encrypt checkbox to remove the checkmark if you want to disable encryption of the string display. Encryption prevents other users from seeing the string in the CLI or Web management interface. If you disable encryption, other users can view the community string. Encryption is enabled by default. To re-enable encryption, select the checkbox to place a checkmark in the box.
8. Click the Add button to save the change to the device's running-config file.
9. Repeat steps 5 – 7 for each string you want to add. You can add as many strings as you need. The limit depends only on the available system memory.
10. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device's flash memory.
Configuring TACACS/TACACS+ Security
You can use the security protocol Terminal Access Controller Access Control System (TACACS) or TACACS+ to authenticate the following kinds of access to the Foundry device:
Telnet access
SSH access
Web management access
Access to the Privileged EXEC level and CONFIG levels of the CLI
NOTE: You cannot authenticate IronView (SNMP) access to a Foundry device using TACACS/TACACS+.
The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is sent between a Foundry device and an authentication database on a TACACS/TACACS+ server. TACACS/TACACS+ services are maintained in a database, typically on a UNIX workstation or PC with a TACACS/TACACS+ server running.
How TACACS+ Differs from TACACS
TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is an enhancement to TACACS and uses TCP to ensure reliable delivery.
TACACS+ improves on TACACS by separating the functions of authentication, authorization, and accounting (AAA) and by encrypting all traffic between the Foundry device and the TACACS+ server. TACACS+ allows for arbitrary length and content authentication exchanges, which allow any authentication mechanism to be used with the Foundry device. TACACS+ is extensible to provide for site customization and future development features. The protocol allows the Foundry device to request very precise access control and allows the TACACS+ server to respond to each component of that request.
NOTE: TACACS+ provides for authentication, authorization, and accounting, but an implementation or configuration is not required to employ all three.
TACACS/TACACS+ Authentication, Authorization, and Accounting
When you configure a Foundry device to use a TACACS/TACACS+ server for authentication, the device prompts users who are trying to access the CLI for a user name and password, then verifies the password with the TACACS/TACACS+ server.
If you are using TACACS+, Foundry recommends that you also configure authorization, in which the Foundry device consults a TACACS+ server to determine which management privilege level (and which associated set of commands) an authenticated user is allowed to use. You can also optionally configure accounting, which causes the Foundry device to log information on the TACACS+ server when specified events occur on the device.
NOTE: In releases prior to 07.1.00, a user logging into the device via Telnet or SSH would first enter the User EXEC level. The user could then enter the enable command to get to the Privileged EXEC level.
Starting with release 07.1.00, a user that is successfully authenticated by a RADIUS or TACACS+ server is automatically placed at the Privileged EXEC level after login.
TACACS Authentication
When TACACS authentication takes place, the following events occur:
1. A user attempts to gain access to the Foundry device by doing one of the following:
Logging into the device using Telnet, SSH, or the Web management interface
Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username and password.
3. The user enters a username and password.
4. The Foundry device sends a request containing the username and password to the TACACS server.
5. The username and password are validated in the TACACS server's database.
6. If the password is valid, the user is authenticated.
TACACS+ Authentication
When TACACS+ authentication takes place, the following events occur:
1. A user attempts to gain access to the Foundry device by doing one of the following:
Logging into the device using Telnet, SSH, or the Web management interface
Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username.
3. The user enters a username.
4. The Foundry device obtains a password prompt from a TACACS+ server.
5. The user is prompted for a password.
6. The user enters a password.
7. The Foundry device sends the password to the TACACS+ server.
8. The password is validated in the TACACS+ server's database.
9. If the password is valid, the user is authenticated.
TACACS+ Authorization
Foundry devices support two kinds of TACACS+ authorization:
Exec authorization determines a user’s privilege level when they are authenticated
Command authorization consults a TACACS+ server to get authorization for commands entered by the user
When TACACS+ exec authorization takes place, the following events occur:
1. A user logs into the Foundry device using Telnet, SSH, or the Web management interface
2. The user is authenticated.
3. The Foundry device consults the TACACS+ server to determine the privilege level of the user.
4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the privilege level of the user.
5. The user is granted the specified privilege level.
When TACACS+ command authorization takes place, the following events occur:
1. A Telnet, SSH, or Web management interface user previously authenticated by a TACACS+ server enters a command on the Foundry device.
2. The Foundry device looks at its configuration to see if the command is at a privilege level that requires TACACS+ command authorization.
3. If the command belongs to a privilege level that requires authorization, the Foundry device consults the TACACS+ server to see if the user is authorized to use the command.
4. If the user is authorized to use the command, the command is executed.
TACACS+ Accounting
TACACS+ accounting works as follows:
1. One of the following events occurs on the Foundry device:
A user logs into the management interface using Telnet or SSH
A user enters a command for which accounting has been configured
A system event occurs, such as a reboot or reloading of the configuration file
2. The Foundry device checks its configuration to see if the event is one for which TACACS+ accounting is required.
3. If the event requires TACACS+ accounting, the Foundry device sends a TACACS+ Accounting Start packet to the TACACS+ accounting server, containing information about the event.
4. The TACACS+ accounting server acknowledges the Accounting Start packet.
5. The TACACS+ accounting server records information about the event.
6. When the event is concluded, the Foundry device sends an Accounting Stop packet to the TACACS+ accounting server.
7. The TACACS+ accounting server acknowledges the Accounting Stop packet.
AAA Operations for TACACS/TACACS+
The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a Foundry device that has TACACS/TACACS+ security configured.
User Action – Applicable AAA Operations
User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI
    Enable authentication: aaa authentication enable default <method-list>
    Exec authorization (TACACS+): aaa authorization exec default tacacs+
    System accounting start (TACACS+): aaa accounting system default start-stop <method-list>
User logs in using Telnet/SSH
    Login authentication: aaa authentication login default <method-list>
    Exec authorization (TACACS+): aaa authorization exec default tacacs+
    Exec accounting start (TACACS+): aaa accounting exec default <method-list>
    System accounting start (TACACS+): aaa accounting system default start-stop <method-list>
User logs into the Web management interface
    Web authentication: aaa authentication web-server default <method-list>
    Exec authorization (TACACS+): aaa authorization exec default tacacs+
User logs out of Telnet/SSH session
    Command authorization for logout command (TACACS+): aaa authorization commands <privilege-level> default <method-list>
    Command accounting (TACACS+): aaa accounting commands <privilege-level> default start-stop <method-list>
    EXEC accounting stop (TACACS+): aaa accounting exec default start-stop <method-list>
User enters system commands (for example, reload, boot system)
    Command authorization (TACACS+): aaa authorization commands <privilege-level> default <method-list>
    Command accounting (TACACS+): aaa accounting commands <privilege-level> default start-stop <method-list>
    System accounting stop (TACACS+): aaa accounting system default start-stop <method-list>
User enters the command: [no] aaa accounting system default start-stop <method-list>
    Command authorization (TACACS+): aaa authorization commands <privilege-level> default <method-list>
    Command accounting (TACACS+): aaa accounting commands <privilege-level> default start-stop <method-list>
    System accounting start (TACACS+): aaa accounting system default start-stop <method-list>
User enters other commands
    Command authorization (TACACS+): aaa authorization commands <privilege-level> default <method-list>
    Command accounting (TACACS+): aaa accounting commands <privilege-level> default start-stop <method-list>
TACACS/TACACS+ Configuration Considerations
You must deploy at least one TACACS/TACACS+ server in your network.
Foundry devices support authentication using up to eight TACACS/TACACS+ servers. The device tries to use the servers in the order you add them to the device's configuration.
You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select TACACS+ as the primary authentication method for Telnet CLI access, but you cannot also select RADIUS authentication as a primary method for the same type of access. However, you can configure backup authentication methods for each access type.
You can configure the Foundry device to authenticate using a TACACS or TACACS+ server, not both.
TACACS Configuration Procedure
For TACACS configurations, use the following procedure:
1. Identify TACACS servers. See Identifying the TACACS/TACACS+ Servers on page 3-22.
2. Set optional parameters. See Setting Optional TACACS/TACACS+ Parameters on page 3-23.
3. Configure authentication-method lists. See Configuring Authentication-Method Lists for TACACS/TACACS+ on page 3-24.
TACACS+ Configuration Procedure
For TACACS+ configurations, use the following procedure:
1. Identify TACACS+ servers. See Identifying the TACACS/TACACS+ Servers on page 3-22.
2. Set optional parameters. See Setting Optional TACACS/TACACS+ Parameters on page 3-23.
3. Configure authentication-method lists. See Configuring Authentication-Method Lists for TACACS/TACACS+ on page 3-24.
4. Optionally configure TACACS+ authorization. See Configuring TACACS+ Authorization on page 3-25.
5. Optionally configure TACACS+ accounting. See Configuring TACACS+ Accounting on page 3-27.
Identifying the TACACS/TACACS+ Servers
To use TACACS/TACACS+ servers to authenticate access to a Foundry device, you must identify the servers to the Foundry device.
For example, to identify three TACACS/TACACS+ servers, enter commands such as the following:
BigIron(config)# tacacs-server host 207.94.6.161
BigIron(config)# tacacs-server host 207.94.6.191
BigIron(config)# tacacs-server host 207.94.6.122
Syntax: tacacs-server <ip-addr>|<hostname> [auth-port <number>]
The <ip-addr>|<hostname> parameter specifies the IP address or host name of the server. You can enter up to eight tacacs-server host commands to specify up to eight different servers.
NOTE: To specify the server's host name instead of its IP address, you must first identify a DNS server using the ip dns server-address <ip-addr> command at the global CONFIG level.
If you add multiple TACACS/TACACS+ authentication servers to the Foundry device, the device tries to reach them in the order you add them. For example, if you add three servers in the following order, the software tries the servers in the same order:
1. 207.94.6.161
2. 207.94.6.191
3. 207.94.6.122
You can remove a TACACS/TACACS+ server by entering no followed by the tacacs-server command. For example, to remove 207.94.6.161, enter the following command:
BigIron(config)# no tacacs-server host 207.94.6.161
NOTE: If you erase a tacacs-server command (by entering no followed by the command), make sure you also erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (See Configuring Authentication-Method Lists for TACACS/TACACS+ on page 3-24.) Otherwise, when you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is TACACS/TACACS+ enabled and you will not be able to access the system.
The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the authentication port on the server. The default port number is 49.
Setting Optional TACACS/TACACS+ Parameters
You can set the following optional parameters in a TACACS/TACACS+ configuration:
TACACS+ key – This parameter specifies the value that the Foundry device sends to the TACACS+ server when trying to authenticate user access.
Retransmit interval – This parameter specifies how many times the Foundry device will resend an authentication request when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.
Dead time – This parameter specifies how long the Foundry device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3 seconds.
Timeout – This parameter specifies how many seconds the Foundry device waits for a response from a TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ servers are unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
Setting the TACACS+ Key
The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they are sent over the network. The value for the key parameter on the Foundry device should match the one configured on the TACACS+ server. The key can be from 1 – 32 characters in length.
NOTE: The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the Foundry device.
To specify a TACACS+ server key:
BigIron(config)# tacacs-server key rkwong
Syntax: tacacs-server key <key-string>
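To see why the key must match on both ends, here is the protection that TACACS+ applies to every packet body, written out in Python. This is an added example and not Foundry's implementation: it follows the algorithm published in RFC 8907 (section 4.5), in which a pad derived by chaining MD5 over the session id, the shared key, the version byte and the sequence number is XORed with the body, while the 12-byte header travels in the clear. The session id, key, port and authentication START body below are constructed sample values.

```python
"""TACACS+ packet framing and body obfuscation with the shared key.

Added example, not Foundry code: the algorithm is the one in RFC 8907
(section 4.5), which this manual refers to as encrypting the packets. The
session id, key and body used here are constructed sample values.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"                     # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
TAC_PLUS_VERSION = 0xC0                    # major version 0xC in the high nibble, minor 0
TAC_PLUS_AUTHEN = 0x01                     # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01           # header flag: body sent without the pad


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain from RFC 8907: MD5_1 = MD5(session_id + key + version + seq_no),
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}); the digests are
    concatenated and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; calling it again with the same key reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): action LOGIN (1),
    authen_type ASCII (1), authen_service LOGIN (1), then the three length-prefixed
    strings; the data field is left empty."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", 0x01, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), 0)
    return fixed + u + p + r


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """Clear-text header followed by the obfuscated body."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def open_packet(packet: bytes, key: bytes) -> bytes:
    """Recover the body with the receiver's key. With a mismatched key the result is
    garbage, which is why authentication simply fails when the device and server
    keys differ."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    # Constructed values: session id chosen at random by the device, key as in the
    # manual's example, a Telnet line and the client's address.
    start = authen_start_body("waldo", "vty0", "10.0.0.5")
    wire = build_packet(start, 0x1234ABCD, b"rkwong", seq_no=1)
    print(wire.hex())
    print(open_packet(wire, b"rkwong") == start)   # device and server agree on the key
    print(open_packet(wire, b"wrongkey") == start) # mismatched key: body unusable
```

Because the pad depends only on header fields that are sent in the clear plus the key, the protection is exactly as strong as the key; RFC 8907 itself calls this obfuscation rather than encryption. That is the reason to use a long key (the device accepts up to 32 characters) and to keep the device-to-server path on a management network rather than relying on the protocol alone.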
Setting the Retransmission Limit
The retransmit parameter specifies how many times the Foundry device will resend an authentication request when the TACACS/TACACS+ server does not respond. The retransmit limit can be from 1 – 5 times. The default is 3 times.
To set the TACACS/TACACS+ retransmit limit:
BigIron(config)# tacacs-server retransmit 5
Syntax: tacacs-server retransmit <number>
Setting the Dead Time Parameter
The dead-time parameter specifies how long the Foundry device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3 seconds.
To set the TACACS/TACACS+ dead-time value:
BigIron(config)# tacacs-server dead-time 5
Syntax: tacacs-server dead-time <number>
Setting the Timeout Parameter
The timeout parameter specifies how many seconds the Foundry device waits for a response from the TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
To set the TACACS/TACACS+ timeout value:
BigIron(config)# tacacs-server timeout 5
Syntax: tacacs-server timeout <number>
Configuring Authentication-Method Lists for TACACS/TACACS+
You can use TACACS/TACACS+ to authenticate Telnet/SSH access and access to Privileged EXEC level and CONFIG levels of the CLI. When configuring TACACS/TACACS+ authentication, you create authentication-method lists specifically for these access methods, specifying TACACS/TACACS+ as the primary authentication method.
Within the authentication-method list, TACACS/TACACS+ is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If TACACS/TACACS+ authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.
When you configure authentication-method lists for TACACS/TACACS+ authentication, you must create a separate authentication-method list for Telnet/SSH CLI access, and for access to the Privileged EXEC level and CONFIG levels of the CLI.
To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method for securing Telnet/SSH access to the CLI:
BigIron(config)# enable telnet authentication
BigIron(config)# aaa authentication login default tacacs local
The commands above cause TACACS/TACACS+ to be the primary authentication method for securing Telnet/SSH access to the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, authentication is performed using local user accounts instead.
To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI:
BigIron(config)# aaa authentication enable default tacacs local none
The command above causes TACACS/TACACS+ to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
Syntax: [no] aaa authentication enable | login default <method1> [<method2>] [<method3>] [<method4>] [<method5>] [<method6>] [<method7>]
The web-server | enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.
NOTE: If you configure authentication for Web management access, authentication is performed each time a page is requested from the server. When frames are enabled on the Web management interface, the browser sends an HTTP request for each frame. The Foundry device authenticates each HTTP request from the browser. To limit authentications to one per page, disable frames on the Web management interface.
The <method1> parameter specifies the primary authentication method. The remaining optional <method> parameters specify additional methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Parameter column in the following table.
NOTE: For examples of how to define authentication-method lists for types of authentication other than TACACS/TACACS+, see Configuring Authentication-Method Lists on page 3-47.
Table 3.2: Authentication Method Values
Method Parameter – Description
line – Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password command. See Setting a Telnet Password on page 3-9.
enable – Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password… command. See Setting Passwords for Management Privilege Levels on page 3-10.
local – Authenticate using a local user name and password you configured on the device. Local user names and passwords are configured using the username… command. See Configuring a Local User Account on page 3-13.
tacacs – Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
tacacs+ – Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command.
radius – Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command.
none – Do not use any authentication method. The device automatically permits access.
Configuring TACACS+ Authorization
Foundry devices support TACACS+ authorization for controlling access to management functions in the CLI. Two kinds of TACACS+ authorization are supported:
Exec authorization determines a user’s privilege level when they are authenticated
Command authorization consults a TACACS+ server to get authorization for commands entered by the user
Configuring Exec Authorization
When TACACS+ exec authorization is performed, the Foundry device consults a TACACS+ server to determine the privilege level of the authenticated user. To configure TACACS+ exec authorization on the Foundry device, enter the following command:
BigIron(config)# aaa authorization exec default tacacs+
Syntax: aaa authorization exec default tacacs+ | none
Configuring an Attribute-Value Pair on the TACACS+ Server
During TACACS+ exec authorization, the TACACS+ server sends the Foundry device a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When it receives the response, the Foundry device extracts the first A-V pair configured for the Exec service and uses it to determine the user’s privilege level.
To set a user’s privilege level, you configure an A-V pair for the Exec service on the TACACS+ server that specifies the user’s privilege level. For example:
user=bob {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        privlvl = 0
    }
}
In this example, the first A-V pair configured for the Exec service is privlvl = 0, which grants the user full read-write access. The Attribute name in the A-V pair is not significant. The Value must be an integer (0, 4, or 5) that indicates the privilege level of the user. When no privilege level is specified, the default privilege level of 5 (read-only) is used. The A-V pair can also be embedded in the group configuration for the user. See your TACACS+ documentation for the configuration syntax relevant to your server.
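The rule just stated (the first A-V pair of the Exec service wins, the attribute name is ignored, the value must be 0, 4 or 5, and 5 is the default) can be checked against a user definition before it is deployed, which catches the classic mistake of a stray pair ahead of privlvl. The following Python parser is an added example, not code from the Foundry guide or from any TACACS+ daemon; the user blocks are constructed, and treating a non-integer or out-of-range value as "no level specified" is this example's assumption, since the guide does not say how the device handles such a value.

```python
"""Determine a user's CLI privilege level from the exec-service A-V pairs in a
TACACS+ user definition. Added example, not from the Foundry guide or any
TACACS+ daemon. User blocks are constructed samples."""
import re

PRIV_LEVELS = {0: "Super User (read-write)", 4: "Port Configuration", 5: "Read Only"}
DEFAULT_LEVEL = 5                      # guide: read-only when no level is specified

EXEC_BLOCK = re.compile(r"service\s*=\s*exec\s*\{([^}]*)\}")
AV_PAIR = re.compile(r'([A-Za-z_][\w-]*)\s*=\s*"?([^\s"]+)"?')


def strip_comments(text):
    """Drop '# ...' comments so a commented-out pair is not taken as the first one."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def exec_av_pairs(user_block):
    """Return the (attribute, value) pairs inside 'service = exec { ... }', in order."""
    m = EXEC_BLOCK.search(strip_comments(user_block))
    return AV_PAIR.findall(m.group(1)) if m else []


def privilege_level(user_block):
    pairs = exec_av_pairs(user_block)
    if not pairs:
        return DEFAULT_LEVEL           # no exec service, or no pair in it
    _, value = pairs[0]                # only the first pair counts; its name is ignored
    try:
        level = int(value)
    except ValueError:
        return DEFAULT_LEVEL           # assumption: non-integer value -> default
    return level if level in PRIV_LEVELS else DEFAULT_LEVEL   # assumption: out of range -> default


# Constructed sample definitions (BOB mirrors the guide's example).
BOB = '''user=bob {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        privlvl = 0
    }
}'''
ALICE = '''user=alice {
    global = cleartext "sample-pw"
    service = exec {
        foundry-privlvl = 4
    }
}'''
CAROL = '''user=carol {
    global = cleartext "sample-pw"
    service = ppp protocol = ip {
        addr = 10.0.0.7
    }
}'''
DAVE = '''user=dave {
    service = exec {
        privlvl = 15
    }
}'''
ERIN = '''user=erin {
    service = exec {
        # privlvl = 0 (disabled)
        privlvl = 4
    }
}'''

if __name__ == "__main__":
    for name, block in (("bob", BOB), ("alice", ALICE), ("carol", CAROL), ("dave", DAVE), ("erin", ERIN)):
        lvl = privilege_level(block)
        print(f"{name}: level {lvl} ({PRIV_LEVELS[lvl]})")
```

The alice case shows why the attribute name does not matter, and the erin case shows why comment stripping is needed: without it the commented-out privlvl = 0 would be taken as the first pair and report Super User access for a user meant to have Port Configuration access.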
Configuring Command Authorization
When TACACS+ command authorization is enabled, the Foundry device consults a TACACS+ server to get authorization for commands entered by the user.
You enable TACACS+ command authorization by specifying a privilege level whose commands require authorization. For example, to configure the Foundry device to perform authorization for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command:
BigIron(config)# aaa authorization commands 0 default tacacs+
Syntax: aaa authorization commands <privilege-level> default tacacs+ | radius | none
The <privilege-level> parameter can be one of the following:
0 – Authorization is performed for commands available at the Super User level (all commands)
4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
5 – Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE: TACACS+ command authorization is performed only for commands entered from Telnet or SSH sessions. No authorization is performed for commands entered at the console, the Web management interface, or IronView.
Configuring TACACS+ Accounting
Foundry devices support TACACS+ accounting for recording information about user activity and system events. When you configure TACACS+ accounting on a Foundry device, information is sent to a TACACS+ accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring TACACS+ Accounting for Telnet/SSH (Shell) Access
To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out:
BigIron(config)# aaa accounting exec default start-stop tacacs+
Syntax: aaa accounting exec default start-stop radius | tacacs+ | none
Configuring TACACS+ Accounting for CLI Commands
You can configure TACACS+ accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the Foundry device to perform TACACS+ accounting for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command:
BigIron(config)# aaa accounting commands 0 default start-stop tacacs+
An Accounting Start packet is sent to the TACACS+ accounting server when a user enters a command, and an Accounting Stop packet is sent when the service provided by the command is completed.
NOTE: If authorization is enabled, and the command requires authorization, then authorization is performed before accounting takes place. If authorization fails for the command, no accounting takes place.
Syntax: aaa accounting commands <privilege-level> default start-stop radius | tacacs+ | none
The <privilege-level> parameter can be one of the following:
0 – Records commands available at the Super User level (all commands)
4 – Records commands available at the Port Configuration level (port-config and read-only commands)
5 – Records commands available at the Read Only level (read-only commands)
Configuring TACACS+ Accounting for System Events
You can configure TACACS+ accounting to record when system events occur on the Foundry device. System events include rebooting and when changes to the active configuration are made.
The following command causes an Accounting Start packet to be sent to the TACACS+ accounting server when a system event occurs, and an Accounting Stop packet to be sent when the system event is completed:
BigIron(config)# aaa accounting system default start-stop tacacs+
Syntax: aaa accounting system default start-stop radius | tacacs+ | none
Configuring an Interface as the Source for All TACACS/TACACS+ Packets
You can designate the lowest-numbered IP address configured on an Ethernet port, POS port, loopback interface, or virtual interface as the source IP address for all TACACS/TACACS+ packets from the Layer 3 Switch. Identifying a single source IP address for TACACS/TACACS+ packets provides the following benefits:
• If your TACACS/TACACS+ server is configured to accept packets only from specific links or IP addresses, you can use this feature to simplify configuration of the TACACS/TACACS+ server by configuring the Foundry device to always send the TACACS/TACACS+ packets from the same link or source address.
• If you specify a loopback interface as the single source for TACACS/TACACS+ packets, TACACS/TACACS+ servers can receive the packets regardless of the states of individual links. Thus, if a link to the TACACS/TACACS+ server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.
The software contains separate CLI commands for specifying the source interface for Telnet, TACACS/TACACS+, and RADIUS packets. You can configure a source interface for one or more of these types of packets.
To specify an Ethernet or POS port or a loopback or virtual interface as the source for all TACACS/TACACS+ packets from the device, use the following CLI method. The software uses the lowest-numbered IP address configured on the port or interface as the source IP address for TACACS/TACACS+ packets originated by the device.
To specify the lowest-numbered IP address configured on a virtual interface as the device’s source for all TACACS/TACACS+ packets, enter commands such as the following:
BigIron(config)# int ve 1
BigIron(config-vif-1)# ip address 10.0.0.3/24
BigIron(config-vif-1)# exit
BigIron(config)# ip tacacs source-interface ve 1
The commands in this example configure virtual interface 1, assign IP address 10.0.0.3/24 to the interface, then designate the interface as the source for all TACACS/TACACS+ packets from the Layer 3 Switch.
Syntax: ip tacacs source-interface ethernet <portnum> | pos <portnum> | loopback <num> | ve <num>
The <num> parameter is a loopback interface or virtual interface number. If you specify an Ethernet or POS port, the <portnum> is the port’s number (including the slot number, if you are configuring a chassis device).
Displaying TACACS/TACACS+ Statistics and Configuration Information
The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device. For example:
BigIron# show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
    opens=6 closes=3 timeouts=3 errors=0
    packets in=4 packets out=4 no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.90 Auth Port=1645 Acct Port=1646:
    opens=2 closes=1 timeouts=1 errors=0
    packets in=1 packets out=4 no connection
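Operators usually want these counters checked rather than read: a server reporting no connection, or a non-zero timeouts count, means authentication requests are erroring and evaluation is falling through to the next method in the list. The following Python parser of show aaa output is an added example, not code from the Foundry guide; SAMPLE is the guide's own example output reflowed one field per line (that line layout is an assumption, and the patterns also match the single-line form).

```python
"""Parse 'show aaa' output and flag AAA servers that need attention.
Added example, not from the Foundry guide. SAMPLE reproduces the guide's
example output; its line layout is an assumption."""
import re

PARAM_RE = re.compile(r"(Tacacs\+|Radius) (key|retries|timeout|dead-time): (\S+)")
SERVER_RE = re.compile(
    r"(?P<proto>Tacacs\+|Radius) Server: (?P<addr>\S+)\s+"
    r"(?P<ports>Port:\d+|Auth Port=\d+ Acct Port=\d+):"
    r"(?P<stats>.*?)(?P<conn>no connection|connection active)",
    re.S,
)
STAT_RE = re.compile(r"(opens|closes|timeouts|errors|packets in|packets out)=(\d+)")

SAMPLE = """BigIron# show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
    opens=6 closes=3 timeouts=3 errors=0
    packets in=4 packets out=4 no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.90 Auth Port=1645 Acct Port=1646:
    opens=2 closes=1 timeouts=1 errors=0
    packets in=1 packets out=4 no connection
"""


def parse_show_aaa(text):
    """Return {'params': {proto: {name: value}}, 'servers': [per-server dicts]}."""
    params = {}
    for proto, name, value in PARAM_RE.findall(text):
        params.setdefault(proto, {})[name] = value      # 'timeout' keeps only the number
    servers = []
    for m in SERVER_RE.finditer(text):
        stats = {k: int(v) for k, v in STAT_RE.findall(m.group("stats"))}
        servers.append({
            "proto": m.group("proto"), "addr": m.group("addr"),
            "ports": m.group("ports"), "stats": stats,
            "connection": m.group("conn"),
        })
    return {"params": params, "servers": servers}


def unhealthy_servers(parsed):
    """Servers with no active connection or any timeouts/errors, as 'proto addr'."""
    flagged = []
    for s in parsed["servers"]:
        st = s["stats"]
        if (s["connection"] != "connection active"
                or st.get("timeouts", 0) or st.get("errors", 0)):
            flagged.append(f'{s["proto"]} {s["addr"]}')
    return flagged


def keys_exposed(parsed):
    """True if a shared secret appears in clear text (the guide: shown only at the
    Super User level; other levels show a string of periods)."""
    return any(p.get("key") and set(p["key"]) != {"."} for p in parsed["params"].values())


if __name__ == "__main__":
    parsed = parse_show_aaa(SAMPLE)
    print("unhealthy:", unhealthy_servers(parsed))
    print("shared secrets visible:", keys_exposed(parsed))
```

keys_exposed is there because the key lines make Super User output of this command something to scrub before it is pasted into a ticket or log archive.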
The following table describes the TACACS/TACACS+ information displayed by the show aaa command.
Table 3.3: Output of the show aaa command for TACACS/TACACS+
Field               Description
Tacacs+ key         The setting configured with the tacacs-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is displayed instead of the text.
Tacacs+ retries     The setting configured with the tacacs-server retransmit command.
Tacacs+ timeout     The setting configured with the tacacs-server timeout command.
Tacacs+ dead-time   The setting configured with the tacacs-server dead-time command.
Tacacs+ Server      For each TACACS/TACACS+ server, the IP address, port, and the following statistics are displayed:
                    opens         Number of times the port was opened for communication with the server
                    closes        Number of times the port was closed normally
                    timeouts      Number of times the port was closed due to a timeout
                    errors        Number of times an error occurred while opening the port
                    packets in    Number of packets received from the server
                    packets out   Number of packets sent to the server
                    connection    The current connection status. This can be “no connection” or “connection active”.
The show web command displays the privilege level of Web management interface users. For example:
ServerIron(config)#show web
User    Privilege    IP address
set     0            192.168.1.234
Syntax: show web
USING THE WEB MANAGEMENT INTERFACE
To configure TACACS/TACACS+ using the Web management interface:
1. Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.
2. If you are configuring TACACS/TACACS+ authentication for Telnet access to the CLI, go to step 3. Otherwise, go to step 7.
3. Select the Management link to display the Management configuration panel.
4. Select Enable next to Telnet Authentication. You must enable Telnet authentication if you want to use TACACS/TACACS+ or RADIUS to authenticate Telnet access to the device.
5. Click Apply to apply the change.
6. Select the Home link to return to the System configuration panel.
7. Select the TACACS link from the System configuration panel to display the TACACS panel.
8. If needed, change the Authentication port and Accounting port. (The default values work in most networks.)
9. Enter the key if applicable.
NOTE: The key parameter applies only to TACACS+ servers, not to TACACS servers. If you are configuring for TACACS authentication, do not configure a key on the TACACS server and do not enter a key on the Foundry device.
10. Click Apply if you changed any TACACS/TACACS+ parameters.
11. Select the TACACS Server link.
If any TACACS/TACACS+ servers are already configured on the device, the servers are listed in a table. Select the Add TACACS Server link to display the following panel.
If the device does not have any TACACS servers configured, the following panel is displayed.
12. Enter the server’s IP address in the IP Address field.
13. If needed, change the Authentication port and Accounting port. (The default values work in most networks.)
14. Click Home to return to the System configuration panel, then select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
15. Select the Management link to display the Management panel.
16. Select the Authentication Methods link to display the Login Authentication Sequence panel, as shown in the following example.
17. Select the type of access for which you are defining the authentication method list from the Type field’s pulldown menu. Each type of access must have a separate authentication-method list. For example, to define the authentication-method list for logging into the CLI, select Login.
18. Select the primary authentication method by clicking on the radio button next to the method. For example, to use a TACACS+ server as the primary means of authentication for logging on to the CLI, select TACACS+.
19. Click the Add button to save the change to the device’s running-config file.
The access type and authentication method you selected are displayed in the table at the top of the dialog. Each time you add an authentication method for a given access type, the software assigns a sequence number to the entry. When the user tries to log in using the access type you selected, the software tries the authentication sources in ascending sequence order until the access request is either approved or denied. Each time you add an entry for a given access type, the software increments the sequence number. Thus, if you want to use multiple authentication methods, make sure you enter the primary authentication method first, the secondary authentication method second, and so on.
If you need to delete an entry, select the access type and authentication method for the entry, then click Delete.
20. Click Home to return to the System configuration panel, then select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
21. To configure TACACS+ authorization, select the Management link to display the Management panel and select the Authorization Methods link to display the Authorization Method panel, as shown in the following example.
22. To configure TACACS+ exec authorization, select Exec from the Type field’s pulldown menu.
23. To configure TACACS+ command authorization, select Commands from the Type field’s pulldown menu and select a privilege level by clicking on one of the following radio buttons:
0 – Authorization is performed for commands available at the Super User level (all commands)
4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
5 – Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE: TACACS+ command authorization is performed only for commands entered from Telnet or SSH sessions. No authorization is performed for commands entered at the console, the Web management interface, or IronView.
24. Click on the radio button next to TACACS+.
25. Click the Add button to save the change to the device’s running-config file.
The authorization method you selected is displayed in the table at the top of the dialog. Each time you add an authorization method for a given access type, the software assigns a sequence number to the entry. When authorization is performed, the software tries the authorization sources in ascending sequence order until the request is either approved or denied. Each time you add an entry for a given access type, the software increments the sequence number. Thus, if you want to use multiple authorization methods, make sure you enter the primary authorization method first, the secondary authorization method second, and so on.
If you need to delete an entry, select the access type and authorization method for the entry, then click Delete.
26. To configure TACACS+ accounting, select the Management link to display the Management panel and select the Accounting Methods link to display the Accounting Method panel, as shown in the following example.
27. To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out, select Exec from the Type field’s pulldown menu.
28. To configure TACACS+ accounting for CLI commands, select Commands from the Type field’s pulldown menu and select a privilege level by clicking on one of the following radio buttons:
0 – Records commands available at the Super User level (all commands)
4 – Records commands available at the Port Configuration level (port-config and read-only commands)
5 – Records commands available at the Read Only level (read-only commands)
29. To configure TACACS+ accounting to record when system events occur on the Foundry device, select System from the Type field’s pulldown menu.
30. Click on the radio button next to TACACS+.
31. Click the Add button to save the change to the device’s running-config file.
The accounting method you selected is displayed in the table at the top of the dialog. Each time you add an accounting method for a given access type, the software assigns a sequence number to the entry. When accounting is performed, the software tries the accounting sources in ascending sequence order until the request is either approved or denied. Each time you add an entry for a given access type, the software increments the sequence number. Thus, if you want to use multiple accounting methods, make sure you enter the primary accounting method first, the secondary accounting method second, and so on.
If you need to delete an entry, select the access type and accounting method for the entry, then click Delete.
32. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
Configuring RADIUS Security
You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the Foundry switch or router:
• Telnet access
• SSH access
• Web management access
• Access to the Privileged EXEC level and CONFIG levels of the CLI
NOTE: Foundry devices do not support RADIUS security for SNMP (IronView) access.
RADIUS Authentication, Authorization, and Accounting
When RADIUS authentication is implemented, the Foundry device consults a RADIUS server to verify user names and passwords. You can optionally configure RADIUS authorization, in which the Foundry device consults a list of commands supplied by the RADIUS server to determine whether a user can execute a command he or she has entered, as well as accounting, which causes the Foundry device to log information on a RADIUS accounting server when specified events occur on the device.
NOTE: In releases prior to 07.1.00, a user logging into the device via Telnet or SSH would first enter the User EXEC level. The user could then enter the enable command to get to the Privileged EXEC level.
Starting with release 07.1.00, a user that is successfully authenticated by a RADIUS or TACACS+ server is automatically placed at the Privileged EXEC level after login.
RADIUS Authentication
When RADIUS authentication takes place, the following events occur:
1. A user attempts to gain access to the Foundry device by doing one of the following:
   • Logging into the device using Telnet, SSH, or the Web management interface
   • Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username and password.
3. The user enters a username and password.
4. The Foundry device sends a RADIUS Access-Request packet containing the username and password to the RADIUS server.
5. The RADIUS server validates the Foundry device using a shared secret (the RADIUS key).
6. The RADIUS server looks up the username in its database.
7. If the username is found in the database, the RADIUS server validates the password.
8. If the password is valid, the RADIUS server sends an Access-Accept packet to the Foundry device, authenticating the user. Within the Access-Accept packet are three Foundry vendor-specific attributes that indicate:
   • The privilege level of the user
   • A list of commands
   • Whether the user is allowed or denied usage of the commands in the list
The last two attributes are used with RADIUS authorization, if configured.
9. The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on the Foundry device. The user is granted the specified privilege level. If you configure RADIUS authorization, the user is allowed or denied usage of the commands in the list.
RADIUS Authorization
When RADIUS authorization takes place, the following events occur:
1. A user previously authenticated by a RADIUS server enters a command on the Foundry device.
2. The Foundry device looks at its configuration to see if the command is at a privilege level that requires RADIUS command authorization.
3. If the command belongs to a privilege level that requires authorization, the Foundry device looks at the list of commands delivered to it in the RADIUS Access-Accept packet when the user was authenticated. (Along with the command list, an attribute was sent that specifies whether the user is permitted or denied usage of the commands in the list.)
NOTE: After RADIUS authentication takes place, the command list resides on the Foundry device. The RADIUS server is not consulted again once the user has been authenticated. This means that any changes made to the user’s command list on the RADIUS server are not reflected until the next time the user is authenticated by the RADIUS server, and the new command list is sent to the Foundry device.
4. If the command list indicates that the user is authorized to use the command, the command is executed.
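The following Python model shows the consequence of the NOTE above: the command list and the permit/deny flag live in the session that was created at authentication time, so a change on the RADIUS server (including revoking a command) has no effect until the user logs in again. It is an added example, not the device's code; the command-to-level mapping (COMMAND_LEVELS), prefix matching of list entries, and checking the user's own privilege level before the list are assumptions the guide does not state.

```python
"""Model of RADIUS command authorization as the guide describes it: the three
vendor-specific attributes are stored at authentication time and consulted
locally for every command in a privilege level that requires authorization.
Added example, not the device's code. COMMAND_LEVELS, prefix matching and the
privilege-level check are assumptions."""
from dataclasses import dataclass

# Constructed: command keyword -> level it belongs to
# (0 Super User, 4 Port Configuration, 5 Read Only).
COMMAND_LEVELS = {"show": 5, "ping": 5, "interface": 4, "port-name": 4,
                  "reload": 0, "username": 0, "aaa": 0, "write": 0}


@dataclass(frozen=True)
class RadiusProfile:
    """The three Foundry VSAs carried in Access-Accept."""
    privilege_level: int
    command_list: tuple
    commands_permitted: bool   # True: list is what the user MAY run; False: what is DENIED


@dataclass
class Session:
    user: str
    profile: RadiusProfile     # copied at login; never re-fetched from the server


def login(server_profiles, user):
    """Authentication: the device stores the VSAs it received for this session."""
    return Session(user=user, profile=server_profiles[user])


def command_level(cmd):
    # Unknown keywords are treated as Super User-only (assumption).
    return COMMAND_LEVELS.get(cmd.split()[0], 0)


def in_list(cmd, command_list):
    # Assumption: a list entry matches the command it names and any longer form of it.
    return any(cmd == entry or cmd.startswith(entry + " ") for entry in command_list)


def authorize(session, cmd, configured_level=None):
    """Return True if cmd may run for this session.

    configured_level is the <privilege-level> given to
    'aaa authorization commands <privilege-level> default radius', or None
    when command authorization is off. Level 0 covers all commands, 4 covers
    port-config and read-only commands, 5 only read-only commands, so a
    command needs authorization when its own level >= configured_level.
    """
    level = command_level(cmd)
    if level < session.profile.privilege_level:
        return False                   # above the user's granted privilege level
    if configured_level is None or level < configured_level:
        return True                    # not in a level that requires authorization
    listed = in_list(cmd, session.profile.command_list)
    return listed if session.profile.commands_permitted else not listed


if __name__ == "__main__":
    server = {"bob": RadiusProfile(0, ("show", "interface"), True)}
    bob = login(server, "bob")
    print(authorize(bob, "show ip route", 0), authorize(bob, "reload", 0))   # True False
    # Server now switches bob to a deny-list; the live session is unaffected.
    server["bob"] = RadiusProfile(0, ("show",), False)
    print(authorize(bob, "reload", 0), authorize(login(server, "bob"), "reload", 0))   # False True
```

The practical point for incident response follows directly: to make a server-side change take effect on an open session you have to end that session (the guide's NOTE), because the device will not ask the server again.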
RADIUS Accounting
RADIUS accounting works as follows:
1. One of the following events occurs on the Foundry device:
   • A user logs into the management interface using Telnet or SSH
   • A user enters a command for which accounting has been configured
   • A system event occurs, such as a reboot or reloading of the configuration file
2. The Foundry device checks its configuration to see if the event is one for which RADIUS accounting is required.
3. If the event requires RADIUS accounting, the Foundry device sends a RADIUS Accounting Start packet to the RADIUS accounting server, containing information about the event.
4. The RADIUS accounting server acknowledges the Accounting Start packet.
5. The RADIUS accounting server records information about the event.
6. When the event is concluded, the Foundry device sends an Accounting Stop packet to the RADIUS accounting server.
7. The RADIUS accounting server acknowledges the Accounting Stop packet.
AAA Operations for RADIUS
The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a Foundry device that has RADIUS security configured.
User Action: User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI
Applicable AAA Operations:
    Enable authentication:
        aaa authentication enable default <method-list>
    System accounting start:
        aaa accounting system default start-stop <method-list>
User Action: User logs in using Telnet/SSH
Applicable AAA Operations:
    Login authentication:
        aaa authentication login default <method-list>
    EXEC accounting Start:
        aaa accounting exec default start-stop <method-list>
    System accounting Start:
        aaa accounting system default start-stop <method-list>
User Action: User logs into the Web management interface
Applicable AAA Operations:
    Web authentication:
        aaa authentication web-server default <method-list>
User Action: User logs out of Telnet/SSH session
Applicable AAA Operations:
    Command authorization for logout command:
        aaa authorization commands <privilege-level> default <method-list>
    Command accounting:
        aaa accounting commands <privilege-level> default start-stop <method-list>
    EXEC accounting stop:
        aaa accounting exec default start-stop <method-list>
User Action: User enters system commands (for example, reload, boot system)
Applicable AAA Operations:
    Command authorization:
        aaa authorization commands <privilege-level> default <method-list>
    Command accounting:
        aaa accounting commands <privilege-level> default start-stop <method-list>
    System accounting stop:
        aaa accounting system default start-stop <method-list>
User Action: User enters the command: [no] aaa accounting system default start-stop <method-list>
Applicable AAA Operations:
    Command authorization:
        aaa authorization commands <privilege-level> default <method-list>
    Command accounting:
        aaa accounting commands <privilege-level> default start-stop <method-list>
    System accounting start:
        aaa accounting system default start-stop <method-list>
User Action: User enters other commands
Applicable AAA Operations:
    Command authorization:
        aaa authorization commands <privilege-level> default <method-list>
    Command accounting:
        aaa accounting commands <privilege-level> default start-stop <method-list>
RADIUS Configuration Considerations
• You must deploy at least one RADIUS server in your network.
• Foundry devices support authentication using up to eight RADIUS servers. The device tries to use the servers in the order you add them to the device’s configuration. If one RADIUS server is not responding, the Foundry device tries the next one in the list.
• You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access. However, you can configure backup authentication methods for each access type.
RADIUS Configuration Procedure
Use the following procedure to configure a Foundry device for RADIUS:
1. Configure Foundry vendor-specific attributes on the RADIUS server. See Configuring Foundry-Specific Attributes on the RADIUS Server on page 3-36.
2. Identify the RADIUS server to the Foundry device. See Identifying the RADIUS Server to the Foundry Device on page 3-37.
3. Set RADIUS parameters. See Setting RADIUS Parameters on page 3-38.
4. Configure authentication-method lists. See Configuring Authentication-Method Lists for RADIUS on page 3-38.
5. Optionally configure RADIUS authorization. See Configuring RADIUS Authorization on page 3-40.
6. Optionally configure RADIUS accounting. See Configuring RADIUS Accounting on page 3-40.
Configuring Foundry-Specific Attributes on the RADIUS Server
During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the Foundry device, authenticating the user. Within the Access-Accept packet are three Foundry vendor-specific attributes that indicate:
• The privilege level of the user
• A list of commands
• Whether the user is allowed or denied usage of the commands in the list
You must add these three Foundry vendor-specific attributes to your RADIUS server’s configuration, and configure the attributes in the individual or group profiles of the users that will access the Foundry device.