Foundry FESX 04.3.00, FWSX 04.3.00, FSX 04.3.00, FGS 4.3.01, FWS 4.3.01, FLS 4.3.01, FGS-STK 05.0.01, FLS-STK 05.0.01 FastIron Switch Configuration Guide
The Foundry FastIron Configuration Guide provides information on the configuration of the FESX, FWSX, and FSX devices, running software release FSX 04.3.00, the FGS, FWS, and FLS devices, running software release FGS 4.3.01, and the FGS-STK and FLS-STK devices, running software release FGS 05.0.01. The guide includes information on configuring basic system parameters, ports, and protocols, as well as advanced features such as stacking, spanning tree protocol, and IPv6.
Foundry® FastIron Configuration Guide
Software Release FSX 04.3.00 for the FESX, FWSX, and FSX
Software Release FGS 4.3.01 for FGS, FWS and FLS
Software Release FGS 05.0.01 for FGS-STK and FLS-STK
Release Date: December 5, 2008
Publish Date: December 5, 2008

Copyright © 2008 Foundry Networks, Inc. All rights reserved. No part of this work may be reproduced in any form or by any means – graphic, electronic or mechanical, including photocopying, recording, taping or storage in an information retrieval system – without prior written permission of the copyright owner.

The trademarks, logos and service marks ("Marks") displayed herein are the property of Foundry or other third parties. You are not permitted to use these Marks without the prior written consent of Foundry or such appropriate third party. Foundry Networks, BigIron, Terathon, FastIron, IronView, JetCore, NetIron, ServerIron, TurboIron, IronWare, EdgeIron, IronPoint, the Iron family of marks and the Foundry Logo are trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries. F-Secure is a trademark of F-Secure Corporation. All other trademarks mentioned in this document are the property of their respective owners.

Foundry Networks
4980 Great America Parkway
Santa Clara, CA 95054
Tel 408.207.1700
www.foundrynetworks.com

Contents

Chapter 1 About This Guide ... 1-1
  Introduction ... 1-1
  Device Nomenclature ... 1-2
  What's Included in This Edition? ... 1-3
  What's New in This Edition ... 1-4
    Software Enhancements in Release 05.0.01 ... 1-4
      System-Level Enhancements in 05.0.01 ... 1-4
      Management Enhancements in 04.3.00 ... 1-4
    Summary of Features in FGS Release 04.3.01 ... 1-5
      Hardware Introduced in Release 04.3.01 ... 1-5
      Software Features and Enhancements in Release 04.3.01 ... 1-8
    Summary of Enhancements in FSX Release 04.3.00 ... 1-9
      New Hardware in FSX 04.3.00 ... 1-9
      Management-Level Enhancements in FSX 04.3.00 ... 1-10
      System-Level Enhancements in FSX 04.3.00 ... 1-10
  Audience ... 1-11
  Nomenclature ... 1-11
  Related Publications ... 1-12
  Updates to Manuals ... 1-12
  How to Get Help or Report Errors ... 1-12
    Web Access ... 1-12
    E-mail Access ... 1-12
    Telephone Access ... 1-13
  Warranty Coverage ... 1-13

Chapter 2 Getting Familiar with Management Applications ... 2-1
  Logging On Through the CLI ... 2-1
    On-Line Help ... 2-1
    Command Completion ... 2-2
    Scroll Control ... 2-2
    Line Editing Commands ... 2-2
    Using Slot and Port Numbers with CLI Commands ... 2-3
      CLI Nomenclature on FastIron GS and FastIron LS Devices ... 2-3
      CLI Nomenclature on FastIron GS-STK and FastIron LS-STK Devices ... 2-3
      CLI Nomenclature on the FastIron WS ... 2-4
    Searching and Filtering Output from CLI Commands ... 2-7
      Using Special Characters in Regular Expressions ... 2-10
    Creating an Alias for a CLI Command ... 2-12
  Logging On Through the Web Management Interface ... 2-12
    Navigating the Web Management Interface ... 2-13
  Logging On Through IronView Network Manager ... 2-16

Chapter 3 Feature Highlights ... 3-1
  Note Regarding IPv6 Feature Support ... 3-2
  Supported Features ... 3-2
    Supported Management Features ... 3-2
    Supported Security Features ... 3-4
    Supported System Level Features ... 3-6
    Supported Layer 2 Features ... 3-9
    Supported Base Layer 3 Features ... 3-12
    Supported Edge Layer 3 Features ... 3-13
    Supported Full Layer 3 Features ... 3-14
    Supported IPv6 Management Features ... 3-15
  Unsupported Features ... 3-16

Chapter 4 Foundry Stackable Devices ... 4-1
  Foundry IronStack Overview ... 4-1
    IronStack Technology Features ... 4-1
    Foundry Stackable Models ... 4-2
    Foundry IronStack Terminology ... 4-3
  Building an IronStack ... 4-5
    Foundry IronStack Topologies ... 4-5
    Software Requirements ... 4-6
    IronStack Construction Methods ... 4-7
    Scenario 1 - Configuring a Three-Member IronStack in a Ring Topology Using Secure Setup ... 4-8
    Scenario 2 - Configuring a Three-Member IronStack in a Ring Topology Using the Automatic Setup Process ... 4-13
    Scenario 3 - Configuring a Three-Member IronStack in a Ring Topology Using the Manual Configuration Process ... 4-16
    Verifying Your IronStack Configuration ... 4-17
  IronStack Management ... 4-19
    Managing Your Foundry IronStack ... 4-19
    CLI Command Syntax ... 4-24
    IronStack CLI Commands ... 4-24
    Upgrading Software ... 4-26
    Managing IronStack Partitioning ... 4-31
    MIB Support for the IronStack ... 4-32
    Persistent MAC Address ... 4-32
    Unconfiguring an IronStack ... 4-34
    Displaying IronStack Information ... 4-35
    Adding, Removing, or Replacing Units in an IronStack ... 4-47
    Renumbering Stack Units ... 4-48
    Syslog, SNMP, and Traps ... 4-50
  Troubleshooting an IronStack ... 4-51
    Troubleshooting an Unsuccessful Stack Build ... 4-51
    Troubleshooting a Stacking Upgrade ... 4-53
    Troubleshooting Image Copy Issues ... 4-53
    Configuration Mismatches ... 4-54
    Recovering from a Configuration or Image Mismatch ... 4-55
    Troubleshooting Secure Setup ... 4-56
    Troubleshooting Unit Replacement Issues ... 4-56
  More About IronStack Technology ... 4-57
    Configuration, Startup Configuration Files and Stacking Flash ... 4-57
    Flexible Stacking Ports ... 4-57
    IronStack Topologies ... 4-58
    Port Down and Aging ... 4-58
    Device Roles and Elections ... 4-58

Chapter 5 Configuring Basic Software Features ... 5-1
  Configuring Basic System Parameters ... 5-1
    Entering System Administration Information ... 5-2
    Configuring Simple Network Management Protocol (SNMP) Parameters ... 5-2
    Displaying Virtual Routing Interface Statistics ... 5-5
    Disabling Syslog Messages and Traps for CLI Access ... 5-6
    Configuring an Interface as the Source for All Telnet Packets ... 5-7
    Cancelling an Outbound Telnet Session ... 5-8
    Configuring an Interface as the Source for All TFTP Packets ... 5-8
    Configuring an Interface as the Source for Syslog Packets ... 5-8
    Configuring an Interface as the Source for All SNTP Packets ... 5-9
    Specifying a Simple Network Time Protocol (SNTP) Server ... 5-9
    Setting the System Clock ... 5-11
    Limiting Broadcast, Multicast, and Unknown Unicast Traffic ... 5-12
    Configuring CLI Banners ... 5-16
  Configuring Basic Port Parameters ... 5-18
    Assigning a Port Name ... 5-18
    Modifying Port Speed and Duplex Mode ... 5-19
    Enabling Auto-Negotiation Maximum Port Speed Advertisement and Down-Shift ... 5-19
    Modifying Port Duplex Mode ... 5-22
    Configuring MDI/MDIX ... 5-22
    Disabling or Re-Enabling a Port ... 5-23
    Disabling or Re-Enabling Flow Control ... 5-24
    Auto-Negotiation and Advertisement of Flow Control ... 5-24
    Configuring PHY FIFO RX and TX Depth ... 5-26
    Configuring the Interpacket Gap (IPG) ... 5-27
    Enabling and Disabling Support for 100BaseTX ... 5-29
    Enabling and Disabling Support for 100BaseFX ... 5-29
    Changing the Gigabit Fiber Negotiation Mode ... 5-30
    Modifying Port Priority (QoS) ... 5-31
    Enabling Dynamic Configuration of Voice over IP (VoIP) Phones ... 5-31
    Configuring a Local MAC Address for Layer 2 Management Traffic ... 5-36
    Port Loop Detection ... 5-36

Chapter 6 Operations, Administration, and Maintenance ... 6-1
  Overview ... 6-1
  Determining the Software Versions Installed and Running on a Device ... 6-1
    Determining the Flash Image Version Running on the Device ... 6-2
    Determining the Boot Image Version Running on the Device ... 6-4
    Determining the Image Versions Installed in Flash Memory ... 6-4
    Flash Image Verification ... 6-4
  Image File Types ... 6-6
  Upgrading Software ... 6-7
    Note Regarding Upgrading from FGS 02.4.00 to the New Release ... 6-7
    Migrating to the New Release (FESX and FSX Devices Only) ... 6-7
    Upgrading the Boot Code ... 6-8
    Upgrading the Flash Code ... 6-8
    Boot Code Synchronization Feature ... 6-9
    Important Notes About Downgrading from FSX 04.1.00 ... 6-9
  Using SNMP to Upgrade Software ... 6-9
  Changing the Block Size for TFTP File Transfers ... 6-10
  Rebooting ... 6-11
  Displaying the Boot Preference ... 6-11
  Loading and Saving Configuration Files ... 6-12
    Replacing the Startup Configuration with the Running Configuration ... 6-13
    Replacing the Running Configuration with the Startup Configuration ... 6-13
    Logging Changes to the Startup-Config File ... 6-13
    Copying a Configuration File to or from a TFTP Server ... 6-13
    Dynamic Configuration Loading ... 6-13
    Maximum File Sizes for Startup-Config File and Running-Config ... 6-15
  Loading and Saving Configuration Files with IPv6 ... 6-16
    Copying a File to an IPv6 TFTP Server ... 6-16
    Copying a File from an IPv6 TFTP Server ... 6-17
    Using the IPv6 ncopy Command ... 6-17
    Uploading Files from an IPv6 TFTP Server ... 6-18
    Using SNMP to Save and Load Configuration Information ... 6-19
    Erasing Image and Configuration Files ... 6-20
  Scheduling a System Reload ... 6-20
    Reloading at a Specific Time ... 6-20
    Reloading After a Specific Amount of Time ... 6-21
    Displaying the Amount of Time Remaining Before a Scheduled Reload ... 6-21
    Canceling a Scheduled Reload ... 6-21
  Diagnostic Error Codes and Remedies for TFTP Transfers ... 6-21

Chapter 7 IPv6 Management on FastIron GS, FastIron LS, and FastIron WS Devices ... 7-1
  IPv6 Management Overview ... 7-1
  IPv6 Addressing ... 7-1
    Enabling and Disabling IPv6 on FastIron Devices ... 7-2
  IPv6 Management Features ... 7-2
    IPv6 Access List ... 7-2
    IPv6 Debug ... 7-3
    IPv6 Web Management Using HTTP and HTTPS ... 7-3
    IPv6 Logging ... 7-4
    Name-to-IPv6 Address Resolution Using IPv6 DNS Server ... 7-4
    Defining an IPv6 DNS Entry ... 7-5
    IPv6 Ping ... 7-5
    SNMPv3 over IPv6 ... 7-6
    Secure Shell and IPv6 ... 7-6
    IPv6 Telnet ... 7-6
    IPv6 Traceroute ... 7-7
  IPv6 Management Commands ... 7-7

Chapter 8 Configuring IPv6 Connectivity on a FastIron X Series Switch ... 8-1
  IPv6 Addressing Overview ... 8-1
    IPv6 Address Types ... 8-2
    IPv6 Stateless Autoconfiguration ... 8-4
  IPv6 CLI Command Support ... 8-4
  Configuring an IPv6 Host Address on a Layer 2 Switch ... 8-6
    Configuring a Global or Site-Local IPv6 Address with a Manually Configured Interface ID as the Switch's System-Wide Address ... 8-7
    Configuring a Link-Local IPv6 Address as the Switch's System-Wide Address ... 8-7
  Configuring the Management Port for an IPv6 Automatic Address Configuration ... 8-7
  Configuring Basic IPv6 Connectivity on a Layer 3 Switch ... 8-8
    Enabling IPv6 Routing ... 8-8
    Configuring IPv6 on Each Router Interface ... 8-8
    Configuring IPv4 and IPv6 Protocol Stacks ... 8-10
  IPv6 Management on FastIron X Series Devices (IPv6 Host Support) ... 8-11
    IPv6 Access Control Lists ... 8-12
    Restricting SNMP Access to an IPv6 Node ... 8-12
    Specifying an IPv6 SNMP Trap Receiver ... 8-12
    SNMPv3 over IPv6 ... 8-12
    SNTP over IPv6 ... 8-12
    Secure Shell, SCP, and IPv6 ... 8-12
    IPv6 Telnet ... 8-12
    IPv6 Web Management Using HTTP and HTTPS ... 8-13
    Restricting Web Management Access ... 8-13
    Configuring Name-to-IPv6 Address Resolution Using IPv6 DNS Resolver ... 8-14
    Defining an IPv6 DNS Entry ... 8-14
    Using the IPv6 copy Command ... 8-14
    Using the IPv6 ncopy Command ... 8-16
    IPv6 Ping ... 8-17
    Configuring an IPv6 Syslog Server ... 8-18
    Viewing IPv6 SNMP Server Addresses ... 8-19
    Disabling Router Advertisement and Solicitation Messages ... 8-19
    IPv6 Debug ... 8-19
    Disabling IPv6 on a Layer 2 Switch ... 8-20
  Configuring a Static IPv6 Route ... 8-20
  IPv6 over IPv4 Tunnels ... 8-22
    Configuration Notes ... 8-22
    Configuring a Manual IPv6 Tunnel ... 8-22
    Clearing IPv6 Tunnel Statistics ... 8-23
    Displaying IPv6 Tunnel Information ... 8-23
  ECMP Load Sharing for IPv6 ... 8-26
    Disabling or Re-Enabling ECMP Load Sharing for IPv6 ... 8-27
    Changing the Maximum Number of Load Sharing Paths for IPv6 ... 8-27
    Enabling Support for Network-Based ECMP Load Sharing for IPv6 ... 8-27
    Displaying ECMP Load-Sharing Information for IPv6 ... 8-27
  Configuring IPv6 ICMP Features ... 8-27
    Configuring ICMP Rate Limiting ... 8-28
    Enabling IPv6 ICMP Redirect Messages ... 8-28
  Configuring IPv6 Neighbor Discovery ... 8-29
    Configuration Notes ... 8-29
    Neighbor Solicitation and Advertisement Messages ... 8-29
    Router Advertisement and Solicitation Messages ... 8-30
    Neighbor Redirect Messages ... 8-30
    Setting Neighbor Solicitation Parameters for Duplicate Address Detection ... 8-31
    Setting IPv6 Router Advertisement Parameters ... 8-31
    Controlling Prefixes Advertised in IPv6 Router Advertisement Messages ... 8-32
    Setting Flags in IPv6 Router Advertisement Messages ... 8-33
    Enabling and Disabling IPv6 Router Advertisements ... 8-34
    Configuring Reachable Time for Remote IPv6 Nodes ... 8-34
  Changing the IPv6 MTU ... 8-34
  Configuring Static Neighbor Entries ... 8-35
  Limiting the Number of Hops an IPv6 Packet Can Traverse ... 8-35
  Clearing Global IPv6 Information ... 8-36
    Clearing the IPv6 Cache ... 8-36
    Clearing IPv6 Neighbor Information ... 8-36
    Clearing IPv6 Routes from the IPv6 Route Table ... 8-37
    Clearing IPv6 Traffic Statistics ... 8-37
  Displaying Global IPv6 Information ... 8-37
    Displaying IPv6 Cache Information ... 8-37
    Displaying IPv6 Interface Information ... 8-39
    Displaying IPv6 Neighbor Information ... 8-41
    Displaying the IPv6 Route Table ... 8-42
    Displaying Local IPv6 Routers ... 8-44
    Displaying IPv6 TCP Information ... 8-45
    Displaying IPv6 Traffic Statistics ... 8-49

Chapter 9 Monitoring Hardware Components ... 9-1
  Virtual Cable Testing ... 9-1
    Configuration Notes ... 9-1
    Command Syntax ... 9-2
    Viewing the Results of the Cable Analysis ... 9-2
  Digital Optical Monitoring ... 9-4
    Supported Media ... 9-4
    Configuration Limitations ... 9-4
    Enabling Digital Optical Monitoring ... 9-4
    Setting the Alarm Interval ... 9-5
    Displaying Information About Installed Media ... 9-5
    Viewing Optical Monitoring Information
.......................................................................................9-8 SYSLOG MESSAGES ...........................................................................................................................9-10 CHAPTER 10 CONFIGURING SPANNING TREE PROTOCOL (STP) RELATED FEATURES ................................................................................ 10-1 STP OVERVIEW ........................................................................................................................................10-1 CONFIGURING STANDARD STP PARAMETERS ............................................................................................10-1 STP PARAMETERS AND DEFAULTS .....................................................................................................10-2 ENABLING OR DISABLING THE SPANNING TREE PROTOCOL (STP) .......................................................10-3 CHANGING STP BRIDGE AND PORT PARAMETERS ...............................................................................10-4 STP PROTECTION ENHANCEMENT ......................................................................................................10-6 DISPLAYING STP INFORMATION ..........................................................................................................10-7 CONFIGURING STP RELATED FEATURES .................................................................................................10-16 FAST PORT SPAN .............................................................................................................................10-16 December 2008 © 2008 Foundry Networks, Inc. 
vii Foundry FastIron Configuration Guide 802.1W RAPID SPANNING TREE (RSTP) ..........................................................................................10-18 802.1W DRAFT 3 .............................................................................................................................10-53 SINGLE SPANNING TREE (SSTP) ......................................................................................................10-57 STP PER VLAN GROUP ...................................................................................................................10-59 PVST/PVST+ COMPATIBILITY ................................................................................................................10-62 OVERVIEW OF PVST AND PVST+ ....................................................................................................10-63 VLAN TAGS AND DUAL MODE ..........................................................................................................10-63 CONFIGURING PVST+ SUPPORT ......................................................................................................10-64 DISPLAYING PVST+ SUPPORT INFORMATION ....................................................................................10-65 CONFIGURATION EXAMPLES .............................................................................................................10-65 PVRST COMPATIBILITY ..........................................................................................................................10-67 BPDU GUARD ........................................................................................................................................10-68 ENABLING BPDU PROTECTION BY PORT ..........................................................................................10-68 RE-ENABLING PORTS DISABLED BY BPDU GUARD ............................................................................10-69 DISPLAYING THE BPDU GUARD STATUS 
...........................................................................................10-69 EXAMPLE CONSOLE MESSAGES ........................................................................................................10-71 ROOT GUARD .........................................................................................................................................10-71 ENABLING STP ROOT GUARD ..........................................................................................................10-72 DISPLAYING THE STP ROOT GUARD .................................................................................................10-72 DISPLAYING THE ROOT GUARD BY VLAN ..........................................................................................10-72 ERROR DISABLE RECOVERY ...................................................................................................................10-72 ENABLING ERROR DISABLE RECOVERY .............................................................................................10-73 SETTING THE RECOVERY INTERVAL ..................................................................................................10-73 DISPLAYING THE ERROR DISABLE RECOVERY STATE BY INTERFACE ..................................................10-73 DISPLAYING THE RECOVERY STATE FOR ALL CONDITIONS .................................................................10-74 DISPLAYING THE RECOVERY STATE BY PORT NUMBER AND CAUSE ...................................................10-74 ERRDISABLE SYSLOG MESSAGES .....................................................................................................10-74 802.1S MULTIPLE SPANNING TREE PROTOCOL ........................................................................................10-74 MULTIPLE SPANNING-TREE REGIONS ................................................................................................10-75 CONFIGURATION NOTES 
...................................................................................................................10-76 CONFIGURING MSTP MODE AND SCOPE ..........................................................................................10-76 REDUCED OCCURRENCES OF MSTP RECONVERGENCE ....................................................................10-77 CONFIGURING ADDITIONAL MSTP PARAMETERS ...............................................................................10-79 CHAPTER 11 CONFIGURING BASIC LAYER 2 FEATURES ................................................. 11-1 ABOUT PORT REGIONS .............................................................................................................................11-1 ENABLING OR DISABLING THE SPANNING TREE PROTOCOL (STP) ..............................................................11-2 MODIFYING STP BRIDGE AND PORT PARAMETERS ..............................................................................11-2 MANAGEMENT MAC ADDRESS FOR STACKABLE DEVICES ..........................................................................11-3 MAC LEARNING RATE CONTROL ...............................................................................................................11-3 CHANGING THE MAC AGE TIME AND DISABLING MAC ADDRESS LEARNING ...............................................11-3 DISABLING THE AUTOMATIC LEARNING OF MAC ADDRESSES ...............................................................11-4 DISPLAYING THE MAC ADDRESS TABLE ..............................................................................................11-4 CONFIGURING STATIC MAC ENTRIES ........................................................................................................11-5 MULTI-PORT STATIC MAC ADDRESS ..................................................................................................11-5 viii © 2008 Foundry Networks, Inc. 
December 2008 CONFIGURING VLAN-BASED STATIC MAC ENTRIES ...................................................................................11-7 CLEARING MAC ADDRESS ENTRIES ..........................................................................................................11-8 ENABLING PORT-BASED VLANS ...............................................................................................................11-8 ASSIGNING IEEE 802.1Q TAGGING TO A PORT ...................................................................................11-9 DEFINING MAC ADDRESS FILTERS ............................................................................................................11-9 CONFIGURATION NOTES AND LIMITATIONS ..........................................................................................11-9 COMMAND SYNTAX ..........................................................................................................................11-10 ENABLING LOGGING OF MANAGEMENT TRAFFIC PERMITTED BY MAC FILTERS ...................................11-11 MAC FILTER OVERRIDE FOR 802.1X-ENABLED PORTS .....................................................................11-12 LOCKING A PORT TO RESTRICT ADDRESSES ............................................................................................11-13 CONFIGURATION NOTES ...................................................................................................................11-13 COMMAND SYNTAX ..........................................................................................................................11-13 DISPLAYING AND MODIFYING SYSTEM PARAMETER DEFAULT SETTINGS ....................................................11-13 CONFIGURATION CONSIDERATIONS ...................................................................................................11-14 DISPLAYING SYSTEM PARAMETER DEFAULT VALUES .........................................................................11-14 MODIFYING 
SYSTEM PARAMETER DEFAULT VALUES ..........................................................................11-18 DYNAMIC BUFFER ALLOCATION ...............................................................................................................11-19 DEFAULT QUEUE DEPTH LIMITS ........................................................................................................11-19 CONFIGURING THE TOTAL TRANSMIT QUEUE DEPTH LIMIT .................................................................11-20 CONFIGURING THE TRANSMIT QUEUE DEPTH LIMIT FOR A GIVEN TRAFFIC CLASS ..............................11-20 CONFIGURING THE TRANSMIT QUEUE DEPTH LIMIT FOR A GIVEN TRAFFIC CLASS ..............................11-20 REMOVING BUFFER ALLOCATION LIMITS ............................................................................................11-21 GENERIC BUFFER PROFILES .............................................................................................................11-21 REMOTE FAULT NOTIFICATION (RFN) ON 1G FIBER CONNECTIONS ..........................................................11-22 ENABLING AND DISABLING REMOTE FAULT NOTIFICATION ..................................................................11-22 LINK FAULT SIGNALING (LFS) FOR 10G ..................................................................................................11-22 CHAPTER 12 CONFIGURING METRO FEATURES .............................................................. 
12-1 TOPOLOGY GROUPS .................................................................................................................................12-1 MASTER VLAN AND MEMBER VLANS .................................................................................................12-1 CONTROL PORTS AND FREE PORTS ....................................................................................................12-2 CONFIGURATION CONSIDERATIONS .....................................................................................................12-2 CONFIGURING A TOPOLOGY GROUP ....................................................................................................12-2 DISPLAYING TOPOLOGY GROUP INFORMATION ....................................................................................12-3 METRO RING PROTOCOL (MRP) ...............................................................................................................12-4 CONFIGURATION NOTES .....................................................................................................................12-5 MRP RINGS WITHOUT SHARED INTERFACES (MRP PHASE 1) ..............................................................12-6 MRP RINGS WITH SHARED INTERFACES (MRP PHASE 2) ....................................................................12-6 RING INITIALIZATION ...........................................................................................................................12-8 HOW RING BREAKS ARE DETECTED AND HEALED .............................................................................12-10 MASTER VLANS AND CUSTOMER VLANS .........................................................................................12-12 CONFIGURING MRP .........................................................................................................................12-14 USING MRP DIAGNOSTICS 
...............................................................................................................12-15 DISPLAYING MRP INFORMATION .......................................................................................................12-17 MRP CLI EXAMPLE .........................................................................................................................12-19 December 2008 © 2008 Foundry Networks, Inc. ix Foundry FastIron Configuration Guide VIRTUAL SWITCH REDUNDANCY PROTOCOL (VSRP) ...............................................................................12-21 CONFIGURATION NOTES ...................................................................................................................12-22 LAYER 2 AND LAYER 3 REDUNDANCY ................................................................................................12-22 MASTER ELECTION AND FAILOVER ....................................................................................................12-23 VSRP-AWARE SECURITY FEATURES ................................................................................................12-27 VSRP PARAMETERS ........................................................................................................................12-27 CONFIGURING BASIC VSRP PARAMETERS ........................................................................................12-30 CONFIGURING OPTIONAL VSRP PARAMETERS ..................................................................................12-31 DISPLAYING VSRP INFORMATION .....................................................................................................12-38 VSRP FAST START ..........................................................................................................................12-41 VSRP AND MRP SIGNALING ............................................................................................................12-42 CHAPTER 13 CONFIGURING POWER OVER 
ETHERNET .................................................... 13-1 POWER OVER ETHERNET OVERVIEW .........................................................................................................13-1 TERMS USED IN THIS SECTION ...........................................................................................................13-1 METHODS FOR DELIVERING POE .......................................................................................................13-1 AUTODISCOVERY ................................................................................................................................13-3 POWER CLASS ...................................................................................................................................13-3 POWER SPECIFICATIONS ....................................................................................................................13-4 CABLING REQUIREMENTS ...................................................................................................................13-4 SUPPORTED POWERED DEVICES ........................................................................................................13-4 POE AND CPU UTILIZATION ...............................................................................................................13-5 ENABLING OR DISABLING POWER OVER ETHERNET ....................................................................................13-5 DISABLING SUPPORT FOR POE LEGACY POWER CONSUMING DEVICES ......................................................13-5 ENABLING THE DETECTION OF POE POWER REQUIREMENTS ADVERTISED VIA CDP ...................................13-6 CONFIGURATION CONSIDERATIONS .....................................................................................................13-6 COMMAND SYNTAX ............................................................................................................................13-6 SETTING THE MAXIMUM POWER LEVEL 
FOR A POE POWER CONSUMING DEVICE .......................................13-6 CONFIGURATION NOTES .....................................................................................................................13-7 COMMAND SYNTAX ............................................................................................................................13-7 SETTING THE POWER CLASS FOR A POE POWER CONSUMING DEVICE ......................................................13-7 CONFIGURATION NOTES .....................................................................................................................13-8 COMMAND SYNTAX ............................................................................................................................13-8 SETTING THE IN-LINE POWER PRIORITY FOR A POE PORT .........................................................................13-8 COMMAND SYNTAX ............................................................................................................................13-9 RESETTING POE PARAMETERS .................................................................................................................13-9 DISPLAYING POWER OVER ETHERNET INFORMATION ................................................................................13-10 DISPLAYING POE OPERATIONAL STATUS ..........................................................................................13-10 DISPLAYING DETAILED INFORMATION ABOUT POE POWER SUPPLIES .................................................13-14 CHAPTER 14 CONFIGURING UNI-DIRECTIONAL LINK DETECTION (UDLD) AND PROTECTED LINK GROUPS ............................................................... 14-1 UDLD OVERVIEW .....................................................................................................................................14-1 x © 2008 Foundry Networks, Inc. 
December 2008 CONFIGURATION CONSIDERATIONS .....................................................................................................14-2 ENABLING UDLD ...............................................................................................................................14-2 CHANGING THE KEEPALIVE INTERVAL ..................................................................................................14-2 CHANGING THE KEEPALIVE RETRIES ...................................................................................................14-2 UDLD FOR TAGGED PORTS ...............................................................................................................14-3 DISPLAYING UDLD INFORMATION .......................................................................................................14-3 CLEARING UDLD STATISTICS .............................................................................................................14-6 PROTECTED LINK GROUPS ........................................................................................................................14-6 ABOUT ACTIVE PORTS .......................................................................................................................14-6 USING UDLD WITH PROTECTED LINK GROUPS ...................................................................................14-6 CONFIGURATION NOTES .....................................................................................................................14-6 CREATING A PROTECTED LINK GROUP AND ASSIGNING AN ACTIVE PORT .............................................14-7 VIEWING INFORMATION ABOUT PROTECTED LINK GROUPS ...................................................................14-8 CHAPTER 15 CONFIGURING TRUNK GROUPS AND DYNAMIC LINK AGGREGATION .......................................................... 
15-1 TRUNK GROUP OVERVIEW ........................................................................................................................15-1 TRUNK GROUP CONNECTIVITY TO A SERVER ......................................................................................15-2 TRUNK GROUP RULES ........................................................................................................................15-3 TRUNK GROUP CONFIGURATION EXAMPLES ........................................................................................15-5 FLEXIBLE TRUNK GROUP MEMBERSHIP ...............................................................................................15-7 TRUNK GROUP LOAD SHARING ...........................................................................................................15-9 CONFIGURING A TRUNK GROUP ..............................................................................................................15-11 CLI SYNTAX .....................................................................................................................................15-12 EXAMPLE 1: CONFIGURING THE TRUNK GROUPS SHOWN IN FIGURE 15.1 .........................................15-12 EXAMPLE 2: CONFIGURING A TRUNK GROUP THAT SPANS TWO GIGABIT ETHERNET MODULES IN A CHASSIS DEVICE ................................................................................15-13 EXAMPLE 3: CONFIGURING A MULTI-SLOT TRUNK GROUP WITH ONE PORT PER MODULE ..................15-13 EXAMPLE 4: CONFIGURING A TRUNK GROUP OF 10-GIGABIT ETHERNET PORTS ................................15-14 CONFIGURING TRUNK GROUPS FOR FASTIRON STACKABLE DEVICES .................................................15-14 ADDITIONAL TRUNKING OPTIONS ......................................................................................................15-16 DISPLAYING TRUNK GROUP CONFIGURATION INFORMATION .....................................................................15-19 DYNAMIC LINK AGGREGATION 
.................................................................................................................15-21 IRONSTACK LACP TRUNK GROUP CONFIGURATION EXAMPLE ...........................................................15-22 EXAMPLES OF VALID LACP TRUNK GROUPS .....................................................................................15-22 CONFIGURATION NOTES AND LIMITATIONS ........................................................................................15-23 ADAPTATION TO TRUNK DISAPPEARANCE ..........................................................................................15-25 FLEXIBLE TRUNK ELIGIBILITY ............................................................................................................15-25 ENABLING DYNAMIC LINK AGGREGATION ...........................................................................................15-26 HOW CHANGING A PORT’S VLAN MEMBERSHIP AFFECTS TRUNK GROUPS AND DYNAMIC KEYS ...................................................................................................................15-27 ADDITIONAL TRUNKING OPTIONS FOR LACP TRUNK PORTS ..............................................................15-28 LINK AGGREGATION PARAMETERS ....................................................................................................15-28 DISPLAYING AND DETERMINING THE STATUS OF AGGREGATE LINKS .........................................................15-32 EVENTS THAT AFFECT THE STATUS OF PORTS IN AN AGGREGATE LINK ..............................................15-32 December 2008 © 2008 Foundry Networks, Inc. 
xi Foundry FastIron Configuration Guide

    DISPLAYING LINK AGGREGATION AND PORT STATUS INFORMATION .... 15-33
    DISPLAYING LACP STATUS INFORMATION .... 15-35
    CLEARING THE NEGOTIATED AGGREGATE LINKS TABLE .... 15-35
    CONFIGURING SINGLE LINK LACP .... 15-36
    CONFIGURATION NOTES .... 15-36
    CLI SYNTAX .... 15-36

CHAPTER 16 CONFIGURING VIRTUAL LANS (VLANS) .... 16-1
    VLAN OVERVIEW .... 16-1
    TYPES OF VLANS .... 16-1
    DEFAULT VLAN .... 16-5
    802.1Q TAGGING .... 16-6
    SPANNING TREE PROTOCOL (STP) .... 16-9
    VIRTUAL ROUTING INTERFACES .... 16-9
    VLAN AND VIRTUAL ROUTING INTERFACE GROUPS .... 16-10
    DYNAMIC, STATIC, AND EXCLUDED PORT MEMBERSHIP .... 16-10
    SUPER AGGREGATED VLANS .... 16-12
    TRUNK GROUP PORTS AND VLAN MEMBERSHIP .... 16-13
    SUMMARY OF VLAN CONFIGURATION RULES .... 16-13
    ROUTING BETWEEN VLANS .... 16-14
    VIRTUAL ROUTING INTERFACES (LAYER 3 SWITCHES ONLY) .... 16-14
    BRIDGING AND ROUTING THE SAME PROTOCOL SIMULTANEOUSLY ON THE SAME DEVICE (LAYER 3 SWITCHES ONLY) .... 16-14
    ROUTING BETWEEN VLANS USING VIRTUAL ROUTING INTERFACES (LAYER 3 SWITCHES ONLY) .... 16-14
    DYNAMIC PORT ASSIGNMENT (LAYER 2 SWITCHES AND LAYER 3 SWITCHES) .... 16-15
    ASSIGNING A DIFFERENT VLAN ID TO THE DEFAULT VLAN .... 16-15
    ASSIGNING DIFFERENT VLAN IDS TO RESERVED VLANS 4091 AND 4092 .... 16-15
    ASSIGNING TRUNK GROUP PORTS .... 16-16
    CONFIGURING PORT-BASED VLANS .... 16-16
    MODIFYING A PORT-BASED VLAN .... 16-19
    ENABLE SPANNING TREE ON A VLAN .... 16-21
    CONFIGURING IP SUBNET, IPX NETWORK AND PROTOCOL-BASED VLANS .... 16-22
    CONFIGURATION EXAMPLE .... 16-22
    CONFIGURING IP SUBNET, IPX NETWORK, AND PROTOCOL-BASED VLANS WITHIN PORT-BASED VLANS .... 16-24
    CONFIGURING AN IPV6 PROTOCOL VLAN .... 16-27
    ROUTING BETWEEN VLANS USING VIRTUAL ROUTING INTERFACES (LAYER 3 SWITCHES ONLY) .... 16-28
    CONFIGURING PROTOCOL VLANS WITH DYNAMIC PORTS .... 16-33
    AGING OF DYNAMIC PORTS .... 16-34
    CONFIGURATION GUIDELINES .... 16-35
    CONFIGURING AN IP, IPX, OR APPLETALK PROTOCOL VLAN WITH DYNAMIC PORTS .... 16-35
    CONFIGURING AN IP SUBNET VLAN WITH DYNAMIC PORTS .... 16-35
    CONFIGURING AN IPX NETWORK VLAN WITH DYNAMIC PORTS .... 16-36
    CONFIGURING UPLINK PORTS WITHIN A PORT-BASED VLAN .... 16-36
    CONFIGURATION CONSIDERATIONS .... 16-37
    CONFIGURATION SYNTAX .... 16-37
    CONFIGURING THE SAME IP SUBNET ADDRESS ON MULTIPLE PORT-BASED VLANS .... 16-37
    CONFIGURING VLAN GROUPS AND VIRTUAL ROUTING INTERFACE GROUPS .... 16-40
    CONFIGURING A VLAN GROUP .... 16-40
    CONFIGURING A VIRTUAL ROUTING INTERFACE GROUP .... 16-41
    DISPLAYING THE VLAN GROUP AND VIRTUAL ROUTING INTERFACE GROUP INFORMATION .... 16-42
    ALLOCATING MEMORY FOR MORE VLANS OR VIRTUAL ROUTING INTERFACES .... 16-42
    CONFIGURING SUPER AGGREGATED VLANS .... 16-43
    CONFIGURATION NOTE .... 16-45
    CONFIGURING AGGREGATED VLANS .... 16-45
    VERIFYING THE CONFIGURATION .... 16-47
    COMPLETE CLI EXAMPLES .... 16-47
    CONFIGURING 802.1Q TAGGING .... 16-50
    Q-IN-Q TAGGING .... 16-50
    CONFIGURATION RULES .... 16-51
    ENABLING 802.1Q-IN-Q TAGGING .... 16-51
    CONFIGURING 802.1Q-IN-Q TAG PROFILES .... 16-52
    EXAMPLE .... 16-52
    EXAMPLE .... 16-52
    CONFIGURING Q-IN-Q TAGGING FOR STACK DEVICES .... 16-53
    EXAMPLE .... 16-54
    CONFIGURING PRIVATE VLANS .... 16-54
    CONFIGURATION NOTES .... 16-56
    COMMAND SYNTAX .... 16-56
    ENABLING BROADCAST OR UNKNOWN UNICAST TRAFFIC TO THE PRIVATE VLAN .... 16-58
    CLI EXAMPLE FOR FIGURE 16.21 .... 16-58
    DUAL-MODE VLAN PORTS .... 16-59
    DISPLAYING VLAN INFORMATION .... 16-61
    DISPLAYING VLANS IN ALPHANUMERIC ORDER .... 16-61
    DISPLAYING SYSTEM-WIDE VLAN INFORMATION .... 16-62
    DISPLAYING GLOBAL VLAN INFORMATION .... 16-64
    DISPLAYING VLAN INFORMATION FOR SPECIFIC PORTS .... 16-64
    DISPLAYING A PORT'S VLAN MEMBERSHIP .... 16-65
    DISPLAYING A PORT'S DUAL-MODE VLAN MEMBERSHIP .... 16-65
    DISPLAYING PORT DEFAULT VLAN IDS (PVIDS) .... 16-66

CHAPTER 17 CONFIGURING GARP VLAN REGISTRATION PROTOCOL (GVRP) .... 17-1
    GVRP OVERVIEW .... 17-1
    APPLICATION EXAMPLES .... 17-1
    DYNAMIC CORE AND FIXED EDGE .... 17-3
    DYNAMIC CORE AND DYNAMIC EDGE .... 17-3
    FIXED CORE AND DYNAMIC EDGE .... 17-4
    FIXED CORE AND FIXED EDGE .... 17-4
    VLAN NAMES .... 17-4
    CONFIGURATION NOTES .... 17-4
    CONFIGURING GVRP .... 17-5
    CHANGING THE GVRP BASE VLAN ID .... 17-5
    INCREASING THE MAXIMUM CONFIGURABLE VALUE OF THE LEAVEALL TIMER .... 17-6
    ENABLING GVRP .... 17-6
    DISABLING VLAN ADVERTISING .... 17-6
    DISABLING VLAN LEARNING .... 17-7
    CHANGING THE GVRP TIMERS .... 17-7
    CONVERTING A VLAN CREATED BY GVRP INTO A STATICALLY-CONFIGURED VLAN .... 17-8
    DISPLAYING GVRP INFORMATION .... 17-9
    DISPLAYING GVRP CONFIGURATION INFORMATION .... 17-9
    DISPLAYING GVRP VLAN INFORMATION .... 17-12
    DISPLAYING GVRP STATISTICS .... 17-14
    DISPLAYING CPU UTILIZATION STATISTICS .... 17-16
    DISPLAYING GVRP DIAGNOSTIC INFORMATION .... 17-17
    CLEARING GVRP STATISTICS .... 17-17
    CLI EXAMPLES .... 17-17
    DYNAMIC CORE AND FIXED EDGE .... 17-17
    DYNAMIC CORE AND DYNAMIC EDGE .... 17-18
    FIXED CORE AND DYNAMIC EDGE .... 17-19
    FIXED CORE AND FIXED EDGE .... 17-19

CHAPTER 18 CONFIGURING MAC-BASED VLANS .... 18-1
    OVERVIEW .... 18-1
    STATIC AND DYNAMIC HOSTS .... 18-1
    MAC-BASED VLAN FEATURE STRUCTURE .... 18-1
    DYNAMIC MAC-BASED VLAN .... 18-2
    CONFIGURING MAC-BASED VLANS .... 18-2
    USING MAC-BASED VLANS AND 802.1X SECURITY ON THE SAME PORT .... 18-3
    CONFIGURING GENERIC AND FOUNDRY VENDOR-SPECIFIC ATTRIBUTES ON THE RADIUS SERVER .... 18-3
    AGING FOR MAC-BASED VLAN .... 18-5
    DISABLING AGING FOR MAC-BASED VLAN SESSIONS .... 18-6
    CONFIGURING A MAC-BASED VLAN FOR A STATIC HOST .... 18-6
    CONFIGURING MAC-BASED VLAN FOR A DYNAMIC HOST .... 18-7
    CONFIGURING DYNAMIC MAC-BASED VLAN .... 18-7
    CONFIGURATION NOTES .... 18-8
    CONFIGURATION EXAMPLE .... 18-10
    CONFIGURING MAC-BASED VLANS USING SNMP .... 18-10
    DISPLAYING THE MAC-VLAN TABLE .... 18-11
    DISPLAYING THE MAC-VLAN TABLE FOR A SPECIFIC MAC ADDRESS .... 18-11
    DISPLAYING ALLOWED MAC ADDRESSES .... 18-13
    DISPLAYING DENIED MAC ADDRESSES .... 18-14
    DISPLAYING DETAILED MAC-VLAN DATA .... 18-15
    DISPLAYING MAC-VLAN INFORMATION FOR A SPECIFIC INTERFACE .... 18-16
    CLEARING MAC-VLAN INFORMATION FOR A SPECIFIC INTERFACE .... 18-17
    DISPLAYING MAC ADDRESSES IN A MAC-BASED VLAN .... 18-17
    DISPLAYING MAC-BASED VLAN LOGGING .... 18-18
    SAMPLE APPLICATION .... 18-18

CHAPTER 19 CONFIGURING RULE-BASED IP ACCESS CONTROL LISTS (ACLS) .... 19-1
    ACL OVERVIEW .... 19-1
    TYPES OF IP ACLS .... 19-1
    ACL IDS AND ENTRIES .... 19-2
    NUMBERED AND NAMED ACLS .... 19-2
    DEFAULT ACL ACTION .... 19-3
    HOW HARDWARE-BASED ACLS WORK .... 19-3
    HOW FRAGMENTED PACKETS ARE PROCESSED .... 19-3
    HARDWARE AGING OF LAYER 4 CAM ENTRIES .... 19-3
    CONFIGURATION CONSIDERATIONS .... 19-3
    CONFIGURING STANDARD NUMBERED ACLS .... 19-4
    STANDARD NUMBERED ACL SYNTAX .... 19-4
    CONFIGURATION EXAMPLE FOR STANDARD NUMBERED ACLS .... 19-6
    CONFIGURING STANDARD NAMED ACLS .... 19-6
    STANDARD NAMED ACL SYNTAX .... 19-6
    CONFIGURATION EXAMPLE FOR STANDARD NAMED ACLS .... 19-8
    CONFIGURING EXTENDED NUMBERED ACLS .... 19-8
    EXTENDED NUMBERED ACL SYNTAX .... 19-8
    CONFIGURATION EXAMPLES FOR EXTENDED NUMBERED ACLS .... 19-12
    CONFIGURING EXTENDED NAMED ACLS .... 19-13
    EXTENDED NAMED ACL SYNTAX .... 19-14
    CONFIGURATION EXAMPLE FOR EXTENDED NAMED ACLS .... 19-17
    PRESERVING USER INPUT FOR ACL TCP/UDP PORT NUMBERS .... 19-17
    MANAGING ACL COMMENT TEXT .... 19-18
    ADDING A COMMENT TO AN ENTRY IN A NUMBERED ACL .... 19-18
    ADDING A COMMENT TO AN ENTRY IN A NAMED ACL .... 19-18
    DELETING A COMMENT FROM AN ACL ENTRY .... 19-19
    VIEWING COMMENTS IN AN ACL .... 19-19
    APPLYING AN ACL TO A VIRTUAL INTERFACE IN A PROTOCOL- OR SUBNET-BASED VLAN .... 19-20
    ENABLING ACL LOGGING .... 19-21
    ENABLING STRICT CONTROL OF ACL FILTERING OF FRAGMENTED PACKETS .... 19-23
    ENABLING ACL SUPPORT FOR SWITCHED TRAFFIC IN THE ROUTER IMAGE .... 19-24
    ENABLING ACL FILTERING BASED ON VLAN MEMBERSHIP OR VE PORT MEMBERSHIP .... 19-24
    CONFIGURATION NOTES .... 19-25
    APPLYING AN IPV4 ACL TO SPECIFIC VLAN MEMBERS ON A PORT (LAYER 2 DEVICES ONLY) .... 19-25
    APPLYING AN IPV4 ACL TO A SUBSET OF PORTS ON A VIRTUAL INTERFACE (LAYER 3 DEVICES ONLY) .... 19-26
    USING ACLS TO FILTER ARP PACKETS .... 19-26
    CONFIGURATION CONSIDERATIONS .... 19-27
    CONFIGURING ACLS FOR ARP FILTERING .... 19-27
    DISPLAYING ACL FILTERS FOR ARP .... 19-28
    CLEARING THE FILTER COUNT .... 19-28
    FILTERING ON IP PRECEDENCE AND TOS VALUES .... 19-28
    TCP FLAGS - EDGE PORT SECURITY .... 19-29
    QOS OPTIONS FOR IP ACLS .... 19-30
    CONFIGURATION NOTES FOR THE FASTIRON GS, FASTIRON GS-STK AND FASTIRON LS AND FASTIRON LS-STK .... 19-30
    USING AN ACL TO MAP THE DSCP VALUE (DSCP COS MAPPING) .... 19-31
    USING AN IP ACL TO MARK DSCP VALUES (DSCP MARKING) .... 19-31
    DSCP MATCHING .... 19-33
    ACL-BASED RATE LIMITING .... 19-33
    ACL COUNTING .... 19-33
    USING ACLS TO CONTROL MULTICAST FEATURES .... 19-34
    DISPLAYING ACL INFORMATION .... 19-34
    TROUBLESHOOTING ACLS .... 19-34
    POLICY-BASED ROUTING (PBR) .... 19-34

CHAPTER 20 CONFIGURING IPV6 ACCESS CONTROL LISTS (ACLS) .... 20-1
    ACL OVERVIEW .... 20-1
    CONFIGURATION NOTES .... 20-2
    CONFIGURING AN IPV6 ACL .... 20-3
    APPLYING AN IPV6 ACL TO AN INTERFACE .... 20-10
    ADDING A COMMENT TO AN IPV6 ACL ENTRY .... 20-11
    DELETING A COMMENT FROM AN IPV6 ACL ENTRY .... 20-11
    ENABLING ACL LOGGING .... 20-12
    DISPLAYING IPV6 ACLS .... 20-12

CHAPTER 21 CONFIGURING BASE LAYER 3 AND ENABLING ROUTING PROTOCOLS .... 21-1
    TCAM ENTRIES IN FWS DEVICES .... 21-1
    ADDING A STATIC IP ROUTE .... 21-2
    ADDING A STATIC ARP ENTRY .... 21-2
    MODIFYING AND DISPLAYING LAYER 3 SYSTEM PARAMETER LIMITS .... 21-3
    CONFIGURATION NOTES .... 21-3
    FGS WITH BASE LAYER 3 .... 21-3
    FASTIRON IPV4 MODELS .... 21-4
    FASTIRON IPV6 MODELS .... 21-5
    DISPLAYING LAYER 3 SYSTEM PARAMETER LIMITS .... 21-5
    CONFIGURING RIP .... 21-6
    ENABLING RIP .... 21-7
    ENABLING REDISTRIBUTION OF IP STATIC ROUTES INTO RIP .... 21-7
    ENABLING REDISTRIBUTION .... 21-8
    ENABLING LEARNING OF DEFAULT ROUTES .... 21-8
    CHANGING THE ROUTE LOOP PREVENTION METHOD .... 21-9
    OTHER LAYER 3 PROTOCOLS .... 21-9
    ENABLING OR DISABLING ROUTING PROTOCOLS .... 21-9
    ENABLING OR DISABLING LAYER 2 SWITCHING .... 21-10
    CONFIGURATION NOTES .... 21-10
    COMMAND SYNTAX .... 21-10

CHAPTER 22 CONFIGURING PORT MIRRORING AND MONITORING .... 22-1
    MIRRORING SUPPORT FOR FASTIRON PLATFORMS .... 22-1
    CONFIGURING PORT MIRRORING AND MONITORING .... 22-1
    CONFIGURATION NOTES .... 22-2
    COMMAND SYNTAX .... 22-3
    CONFIGURING MIRRORING ON AN IRONSTACK .... 22-4
    CONFIGURATION NOTES .... 22-4
    ACL-BASED INBOUND MIRRORING .... 22-5
    CREATING AN ACL-BASED INBOUND MIRROR CLAUSE FOR FGS, FGS-STK, FLS, FLS-STK, AND FWS DEVICES .... 22-5
    CREATING AN ACL-BASED INBOUND MIRROR CLAUSE FOR FASTIRON X SERIES DEVICES .... 22-6
    MAC FILTER-BASED MIRRORING .... 22-9
    VLAN-BASED MIRRORING .... 22-10

CHAPTER 23 CONFIGURING QUALITY OF SERVICE .... 23-1
    CLASSIFICATION .... 23-1
    PROCESSING OF CLASSIFIED TRAFFIC .... 23-1
    QOS FOR FOUNDRY STACKABLE DEVICES .... 23-4
    STACKING QOS PROFILE RESTRICTIONS .... 23-4
    QOS BEHAVIOR FOR TRUSTING LAYER 2 (802.1P) IN AN IRONSTACK .... 23-4
    QOS BEHAVIOR FOR TRUSTING LAYER 3 (DSCP) IN AN IRONSTACK .... 23-4
    QOS BEHAVIOR ON PORT PRIORITY AND VLAN PRIORITY IN AN IRONSTACK .... 23-5
    QOS BEHAVIOR FOR 802.1P MARKING IN AN IRONSTACK .... 23-5
    QOS QUEUES .... 23-5
    ASSIGNING QOS PRIORITIES TO TRAFFIC .... 23-5
    MARKING .... 23-6
    CONFIGURING DSCP-BASED QOS .... 23-7
    APPLICATION NOTES .... 23-7
    USING ACLS TO HONOR DSCP-BASED QOS .... 23-7
    CONFIGURING THE QOS MAPPINGS .... 23-7
    DEFAULT DSCP -> INTERNAL FORWARDING PRIORITY MAPPINGS .... 23-8
    CHANGING THE DSCP -> INTERNAL FORWARDING PRIORITY MAPPINGS .... 23-9
    CHANGING THE INTERNAL FORWARDING PRIORITY -> HARDWARE FORWARDING QUEUE MAPPINGS .... 23-10
    SCHEDULING .... 23-10
    QOS QUEUING METHODS .... 23-10
    SELECTING THE QOS QUEUING METHOD .... 23-11
    CONFIGURING THE QOS QUEUES .... 23-12
    VIEWING QOS SETTINGS .... 23-15
    VIEWING DSCP-BASED QOS SETTINGS .... 23-15

CHAPTER 24 CONFIGURING RATE LIMITING AND RATE SHAPING ON FASTIRON X SERIES SWITCHES .... 24-1
    OVERVIEW .... 24-1
    RATE LIMITING IN HARDWARE .... 24-1
    HOW FIXED RATE LIMITING WORKS .... 24-2
    CONFIGURATION NOTES .... 24-2
    CONFIGURING A PORT-BASED RATE LIMITING POLICY .... 24-2
    CONFIGURING AN ACL-BASED RATE LIMITING POLICY .... 24-3
    DISPLAYING THE FIXED RATE LIMITING CONFIGURATION .... 24-3
    RATE SHAPING .... 24-3
    CONFIGURING OUTBOUND RATE SHAPING FOR A PORT .... 24-4
    CONFIGURING OUTBOUND RATE SHAPING FOR A SPECIFIC PRIORITY .... 24-4
    CONFIGURING OUTBOUND RATE SHAPING FOR A TRUNK PORT .... 24-4
    DISPLAYING RATE SHAPING CONFIGURATIONS .... 24-5

CHAPTER 25 CONFIGURING RATE LIMITING ON THE FGS, FGS-STK, FLS, FLS-STK AND FWS .... 25-1
    OVERVIEW .... 25-1
    RATE LIMITING IN HARDWARE .... 25-1
    HOW FIXED RATE LIMITING WORKS .... 25-1
    CONFIGURING FIXED RATE LIMITING ON INBOUND PORTS .... 25-2
    MINIMUM AND MAXIMUM RATES .... 25-2
    CONFIGURATION NOTES .... 25-2
    CONFIGURATION SYNTAX .... 25-3
    CONFIGURING FIXED RATE LIMITING ON OUTBOUND PORTS .... 25-3
    MINIMUM AND MAXIMUM RATES .... 25-3
    CONFIGURATION NOTES .... 25-4
    PORT-BASED RATE LIMITING .... 25-4
    PORT- AND PRIORITY-BASED RATE LIMITING .... 25-4
    CONFIGURING AN ACL-BASED RATE LIMITING POLICY .... 25-5
    DISPLAYING THE FIXED RATE LIMITING CONFIGURATION .... 25-5
    INBOUND PORTS .... 25-5
    OUTBOUND PORTS .... 25-6

CHAPTER 26 CONFIGURING TRAFFIC POLICIES .... 26-1
    ABOUT TRAFFIC POLICIES .... 26-1
    CONFIGURATION NOTES AND FEATURE LIMITATIONS .... 26-1
    MAXIMUM NUMBER OF TRAFFIC POLICIES SUPPORTED ON A DEVICE .... 26-2
    SETTING THE MAXIMUM NUMBER OF TRAFFIC POLICIES SUPPORTED ON A LAYER 3 DEVICE .... 26-2
    ACL-BASED RATE LIMITING VIA TRAFFIC POLICIES .... 26-3
    SUPPORT FOR FIXED RATE LIMITING AND ADAPTIVE RATE LIMITING .... 26-3
    CONFIGURING ACL-BASED FIXED RATE LIMITING .... 26-4
    CONFIGURING ACL-BASED ADAPTIVE RATE LIMITING .... 26-4
    SPECIFYING THE ACTION TO BE TAKEN FOR PACKETS THAT ARE OVER THE LIMIT .... 26-6
    ACL AND RATE LIMIT COUNTING .... 26-7
    ENABLING ACL COUNTING .... 26-7
    ENABLING ACL COUNTING WITH RATE LIMITING TRAFFIC POLICIES .... 26-8
    VIEWING ACL AND RATE LIMIT COUNTERS .... 26-9
    CLEARING ACL AND RATE LIMIT COUNTERS .... 26-9
    VIEWING TRAFFIC POLICIES .... 26-10

CHAPTER 27 CONFIGURING LLDP AND LLDP-MED .... 27-1
    TERMS USED IN THIS CHAPTER .... 27-1
    LLDP OVERVIEW .... 27-2
    BENEFITS OF LLDP .... 27-3
    LLDP-MED OVERVIEW .... 27-3
    BENEFITS OF LLDP-MED .... 27-4
    LLDP-MED CLASS .... 27-4
    GENERAL OPERATING PRINCIPLES .... 27-5
    OPERATING MODES .... 27-5
    LLDP PACKETS .... 27-6
    TLV SUPPORT .... 27-6
    MIB SUPPORT
..........................................................................................................................................27-9 SYSLOG MESSAGES ..................................................................................................................................27-9 CONFIGURING LLDP ...............................................................................................................................27-10 CONFIGURATION NOTES AND CONSIDERATIONS .................................................................................27-10 ENABLING AND DISABLING LLDP ......................................................................................................27-11 ENABLING SUPPORT FOR TAGGED LLDP PACKETS ...........................................................................27-11 CHANGING A PORT’S LLDP OPERATING MODE .................................................................................27-11 SPECIFYING THE MAXIMUM NUMBER OF LLDP NEIGHBORS ...............................................................27-13 ENABLING LLDP SNMP NOTIFICATIONS AND SYSLOG MESSAGES .....................................................27-14 CHANGING THE MINIMUM TIME BETWEEN LLDP TRANSMISSIONS .......................................................27-14 CHANGING THE INTERVAL BETWEEN REGULAR LLDP TRANSMISSIONS ...............................................27-15 CHANGING THE HOLDTIME MULTIPLIER FOR TRANSMIT TTL ..............................................................27-15 CHANGING THE MINIMUM TIME BETWEEN PORT REINITIALIZATIONS ....................................................27-16 LLDP TLVS ADVERTISED BY THE FOUNDRY DEVICE .........................................................................27-16 CONFIGURING LLDP-MED .....................................................................................................................27-23 ENABLING LLDP-MED 
.....................................................................................................................27-24 ENABLING SNMP NOTIFICATIONS AND SYSLOG MESSAGES FOR LLDP-MED TOPOLOGY CHANGES ......................................................................................27-24 CHANGING THE FAST START REPEAT COUNT ....................................................................................27-25 DEFINING A LOCATION ID .................................................................................................................27-25 December 2008 © 2008 Foundry Networks, Inc. xix Foundry FastIron Configuration Guide DEFINING AN LLDP-MED NETWORK POLICY ....................................................................................27-32 LLDP-MED ATTRIBUTES ADVERTISED BY THE FOUNDRY DEVICE .............................................................27-34 EXTENDED POWER-VIA-MDI INFORMATION ........................................................................................27-35 DISPLAYING LLDP STATISTICS AND CONFIGURATION SETTINGS .........................................................27-36 LLDP CONFIGURATION SUMMARY ....................................................................................................27-37 LLDP STATISTICS ............................................................................................................................27-38 LLDP NEIGHBORS ...........................................................................................................................27-39 LLDP NEIGHBORS DETAIL ................................................................................................................27-40 LLDP CONFIGURATION DETAILS .......................................................................................................27-42 RESETTING LLDP STATISTICS ................................................................................................................27-44 CLEARING CACHED 
LLDP NEIGHBOR INFORMATION ................................................................................27-45 CHAPTER 28 CONFIGURING IP MULTICAST TRAFFIC REDUCTION FOR THE FASTIRON GS AND GS-STK, FASTIRON LS AND LS-STK, AND FASTIRON WS.................................................................... 28-1 IGMP SNOOPING FOR FASTIRON GS AND GS-STK, FASTIRON LS AND LS-STK, AND FASTIRON WS DEVICES ...................................................................28-1 IGMP SNOOPING OVERVIEW ..............................................................................................................28-1 PIM SM TRAFFIC SNOOPING OVERVIEW .............................................................................................28-4 CONFIGURING IGMP SNOOPING .........................................................................................................28-6 DISPLAYING IGMP SNOOPING INFORMATION .....................................................................................28-12 CLEAR IGMP SNOOPING COMMANDS ...............................................................................................28-18 CHAPTER 29 CONFIGURING IP MULTICAST PROTOCOLS ................................................. 
29-1 OVERVIEW OF IP MULTICASTING ...............................................................................................................29-1 IPV4 MULTICAST GROUP ADDRESSES .................................................................................................29-1 MAPPING OF IPV4 MULTICAST GROUP ADDRESSES TO ETHERNET MAC ADDRESSES ..........................29-2 SUPPORTED LAYER 3 MULTICAST ROUTING PROTOCOLS .....................................................................29-2 MULTICAST TERMS .............................................................................................................................29-2 CHANGING GLOBAL IP MULTICAST PARAMETERS .......................................................................................29-2 CHANGING DYNAMIC MEMORY ALLOCATION FOR IP MULTICAST GROUPS .............................................29-3 CHANGING IGMP V1 AND V2 PARAMETERS ........................................................................................29-4 ADDING AN INTERFACE TO A MULTICAST GROUP .......................................................................................29-5 IP MULTICAST BOUNDARIES ......................................................................................................................29-6 CONFIGURATION CONSIDERATIONS .....................................................................................................29-6 CONFIGURING MULTICAST BOUNDARIES ..............................................................................................29-6 DISPLAYING MULTICAST BOUNDARIES .................................................................................................29-6 PIM DENSE ..............................................................................................................................................29-6 INITIATING PIM MULTICASTS ON A NETWORK ......................................................................................29-7 PRUNING A 
MULTICAST TREE .............................................................................................................29-7 GRAFTS TO A MULTICAST TREE ..........................................................................................................29-9 PIM DM VERSIONS ............................................................................................................................29-9 CONFIGURING PIM DM ......................................................................................................................29-9 xx © 2008 Foundry Networks, Inc. December 2008 FAILOVER TIME IN A MULTI-PATH TOPOLOGY ....................................................................................29-13 MODIFYING THE TTL ........................................................................................................................29-13 PIM SPARSE ..........................................................................................................................................29-14 PIM SPARSE SWITCH TYPES ............................................................................................................29-14 RP PATHS AND SPT PATHS .............................................................................................................29-15 CONFIGURING PIM SPARSE ..............................................................................................................29-15 DISPLAYING PIM SPARSE CONFIGURATION INFORMATION AND STATISTICS .........................................29-20 PASSIVE MULTICAST ROUTE INSERTION ..................................................................................................29-34 DVMRP OVERVIEW ................................................................................................................................29-34 INITIATING DVMRP MULTICASTS ON A NETWORK ..............................................................................29-35 PRUNING A MULTICAST TREE 
...........................................................................................................29-35 GRAFTS TO A MULTICAST TREE ........................................................................................................29-37 CONFIGURING DVMRP ...........................................................................................................................29-37 ENABLING DVMRP ON THE LAYER 3 SWITCH AND INTERFACE ...........................................................29-37 MODIFYING DVMRP GLOBAL PARAMETERS ......................................................................................29-37 MODIFYING DVMRP INTERFACE PARAMETERS .................................................................................29-39 DISPLAYING INFORMATION ABOUT AN UPSTREAM NEIGHBOR DEVICE .................................................29-40 CONFIGURING AN IP TUNNEL ..................................................................................................................29-40 USING ACLS TO CONTROL MULTICAST FEATURES ...................................................................................29-41 USING ACLS TO LIMIT STATIC RP GROUPS ......................................................................................29-41 USING ACLS TO LIMIT PIM RP CANDIDATE ADVERTISEMENT ............................................................29-43 DISABLING CPU PROCESSING FOR SELECTIVE MULTICAST GROUPS ........................................................29-44 CLI COMMAND SYNTAX ....................................................................................................................29-45 VIEWING DISABLED MULTICAST ADDRESSES .....................................................................................29-45 CONFIGURING A STATIC MULTICAST ROUTE ............................................................................................29-46 TRACING A MULTICAST ROUTE 
................................................................................................................29-47 DISPLAYING ANOTHER MULTICAST ROUTER’S MULTICAST CONFIGURATION ..............................................29-48 IGMP V3 ...............................................................................................................................................29-49 DEFAULT IGMP VERSION .................................................................................................................29-50 COMPATIBILITY WITH IGMP V1 AND V2 ...........................................................................................29-50 GLOBALLY ENABLING THE IGMP VERSION ........................................................................................29-50 ENABLING THE IGMP VERSION PER INTERFACE SETTING ..................................................................29-51 ENABLING THE IGMP VERSION ON A PHYSICAL PORT WITHIN A VIRTUAL ROUTING INTERFACE ...........29-51 ENABLING MEMBERSHIP TRACKING AND FAST LEAVE ........................................................................29-51 SETTING THE QUERY INTERVAL ........................................................................................................29-52 SETTING THE GROUP MEMBERSHIP TIME ..........................................................................................29-52 SETTING THE MAXIMUM RESPONSE TIME ..........................................................................................29-53 IGMP V3 AND SOURCE SPECIFIC MULTICAST PROTOCOLS ...............................................................29-53 DISPLAYING IGMP V3 INFORMATION ON LAYER 3 SWITCHES .............................................................29-53 CLEARING IGMP STATISTICS ............................................................................................................29-57 IGMP PROXY 
.........................................................................................................................................29-58 CONFIGURATION NOTES ...................................................................................................................29-58 CONFIGURING IGMP PROXY ............................................................................................................29-58 DISPLAYING IGMP PROXY TRAFFIC ..................................................................................................29-59 IP MULTICAST PROTOCOLS AND IGMP SNOOPING ON THE SAME DEVICE .................................................29-59 CONFIGURATION EXAMPLE ...............................................................................................................29-59 December 2008 © 2008 Foundry Networks, Inc. xxi Foundry FastIron Configuration Guide CLI COMMANDS ...............................................................................................................................29-61 CHAPTER 30 CONFIGURING IP....................................................................................... 
30-1 BASIC CONFIGURATION .............................................................................................................................30-1 OVERVIEW ................................................................................................................................................30-1 IP INTERFACES ..................................................................................................................................30-2 IP PACKET FLOW THROUGH A LAYER 3 SWITCH .................................................................................30-2 IP ROUTE EXCHANGE PROTOCOLS .....................................................................................................30-6 IP MULTICAST PROTOCOLS ................................................................................................................30-7 IP INTERFACE REDUNDANCY PROTOCOLS ...........................................................................................30-7 ACCESS CONTROL LISTS AND IP ACCESS POLICIES ............................................................................30-7 BASIC IP PARAMETERS AND DEFAULTS – LAYER 3 SWITCHES ....................................................................30-8 WHEN PARAMETER CHANGES TAKE EFFECT .......................................................................................30-8 IP GLOBAL PARAMETERS – LAYER 3 SWITCHES ..................................................................................30-9 IP INTERFACE PARAMETERS – LAYER 3 SWITCHES ...........................................................................30-12 BASIC IP PARAMETERS AND DEFAULTS – LAYER 2 SWITCHES ..................................................................30-14 IP GLOBAL PARAMETERS – LAYER 2 SWITCHES ................................................................................30-14 INTERFACE IP PARAMETERS – LAYER 2 SWITCHES ...........................................................................30-16 
CONFIGURING IP PARAMETERS – LAYER 3 SWITCHES .............................................................................30-16 CONFIGURING IP ADDRESSES ..........................................................................................................30-16 CONFIGURING DOMAIN NAME SERVER (DNS) RESOLVER ..................................................................30-19 CONFIGURING PACKET PARAMETERS ................................................................................................30-21 CHANGING THE ROUTER ID ..............................................................................................................30-24 SPECIFYING A SINGLE SOURCE INTERFACE FOR TELNET, TACACS/TACACS+, OR RADIUS PACKETS ...............................................................................................................30-25 CONFIGURING ARP PARAMETERS ....................................................................................................30-26 CONFIGURING FORWARDING PARAMETERS .......................................................................................30-31 DISABLING ICMP MESSAGES ...........................................................................................................30-33 CONFIGURING STATIC ROUTES .........................................................................................................30-34 CONFIGURING A DEFAULT NETWORK ROUTE .....................................................................................30-40 CONFIGURING IP LOAD SHARING ......................................................................................................30-42 CONFIGURING IRDP .........................................................................................................................30-45 CONFIGURING RARP .......................................................................................................................30-46 CONFIGURING UDP BROADCAST AND IP HELPER PARAMETERS 
........................................................30-48 CONFIGURING BOOTP/DHCP RELAY PARAMETERS ...........................................................................30-50 DHCP CLIENT-BASED AUTO-CONFIGURATION ..................................................................................30-52 CONFIGURATION NOTES ...................................................................................................................30-56 CONFIGURING IP PARAMETERS – LAYER 2 SWITCHES .............................................................................30-58 CONFIGURING THE MANAGEMENT IP ADDRESS AND SPECIFYING THE DEFAULT GATEWAY ..................30-58 CONFIGURING DOMAIN NAME SERVER (DNS) RESOLVER ..................................................................30-59 CHANGING THE TTL THRESHOLD ......................................................................................................30-60 CONFIGURING DHCP ASSIST ...........................................................................................................30-61 DISPLAYING IP CONFIGURATION INFORMATION AND STATISTICS ...............................................................30-64 CHANGING THE NETWORK MASK DISPLAY TO PREFIX FORMAT ..........................................................30-64 DISPLAYING IP INFORMATION – LAYER 3 SWITCHES ..........................................................................30-64 xxii © 2008 Foundry Networks, Inc. December 2008 DISPLAYING IP INFORMATION – LAYER 2 SWITCHES ..........................................................................30-80 CHAPTER 31 CONFIGURING MULTICAST LISTENING DISCOVERY (MLD) SNOOPING ON FGS, FGS-STK, FLS, FLS-STK AND FWS DEVICES ................................................................................... 
31-1 OVERVIEW ................................................................................................................................................31-1 CONFIGURATION NOTES: ....................................................................................................................31-2 CONFIGURING QUERIERS AND NON-QUERIERS ....................................................................................31-3 VLAN SPECIFIC CONFIGURATION .......................................................................................................31-4 USING MLDV1 WITH MLDV2 ..............................................................................................................31-4 CONFIGURING MLD SNOOPING .................................................................................................................31-4 CONFIGURING THE HARDWARE AND SOFTWARE RESOURCE LIMITS ......................................................31-5 DISABLING TRANSMISSION AND RECEIPT OF MLD PACKETS ON A PORT ...............................................31-5 CONFIGURING THE GLOBAL MLD MODE .............................................................................................31-5 MODIFYING THE AGE INTERVAL ...........................................................................................................31-5 MODIFYING THE QUERY INTERVAL (ACTIVE MLD SNOOPING MODE ONLY) ...........................................31-6 CONFIGURING THE GLOBAL MLD VERSION .........................................................................................31-6 CONFIGURING REPORT CONTROL .......................................................................................................31-6 MODIFYING THE WAIT TIME BEFORE STOPPING TRAFFIC WHEN RECEIVING A LEAVE MESSAGE ............31-6 MODIFYING THE MULTICAST CACHE (MCACHE) AGING TIME .................................................................31-7 DISABLING ERROR AND WARNING MESSAGES 
.....................................................................................31-7 CONFIGURING THE MLD MODE FOR A VLAN ......................................................................................31-7 DISABLING MLD SNOOPING FOR THE VLAN .......................................................................................31-7 CONFIGURING THE MLD VERSION FOR THE VLAN ..............................................................................31-7 CONFIGURING THE MLD VERSION FOR INDIVIDUAL PORTS ...................................................................31-8 CONFIGURING STATIC GROUPS TO THE ENTIRE VLAN OR TO INDIVIDUAL PORTS .................................31-8 CONFIGURING STATIC ROUTER PORTS ...............................................................................................31-8 TURNING OFF STATIC GROUP PROXY .................................................................................................31-8 ENABLING MLDV2 MEMBERSHIP TRACKING AND FAST LEAVE FOR THE VLAN ......................................31-8 CONFIGURING FAST LEAVE FOR MLDV1 .............................................................................................31-9 ENABLING FAST CONVERGENCE .........................................................................................................31-9 DISPLAYING MLD SNOOPING INFORMATION ......................................................................................31-10 CLEAR MLD SNOOPING COMMANDS .................................................................................................31-15 CHAPTER 32 CONFIGURING MULTICAST LISTENING DISCOVERY (MLD) SNOOPING ON THE FASTIRON X SERIES SWITCH .................................................................... 
32-1 OVERVIEW ................................................................................................................................................32-1 HOW MLD SNOOPING USES MAC ADDRESSES TO FORWARD MULTICAST PACKETS ............................32-2 CONFIGURATION NOTES .....................................................................................................................32-2 QUERIERS AND NON-QUERIERS ..........................................................................................................32-3 VLAN SPECIFIC CONFIGURATION .......................................................................................................32-4 USING MLDV1 WITH MLDV2 ..............................................................................................................32-4 CONFIGURING MLD SNOOPING .................................................................................................................32-4 December 2008 © 2008 Foundry Networks, Inc. xxiii Foundry FastIron Configuration Guide CONFIGURING THE HARDWARE AND SOFTWARE RESOURCE LIMITS ......................................................32-5 DISABLING TRANSMISSION AND RECEIPT OF MLD PACKETS ON A PORT ...............................................32-5 CONFIGURING THE GLOBAL MLD MODE .............................................................................................32-5 MODIFYING THE AGE INTERVAL ...........................................................................................................32-6 MODIFYING THE QUERY INTERVAL (ACTIVE MLD SNOOPING MODE ONLY) ...........................................32-6 CONFIGURING THE GLOBAL MLD VERSION .........................................................................................32-6 CONFIGURING REPORT CONTROL .......................................................................................................32-6 MODIFYING THE WAIT TIME BEFORE STOPPING TRAFFIC WHEN RECEIVING A LEAVE MESSAGE 
.... 32-7
    MODIFYING THE MULTICAST CACHE (MCACHE) AGING TIME .... 32-7
    DISABLING ERROR AND WARNING MESSAGES .... 32-7
    CONFIGURING THE MLD MODE FOR A VLAN .... 32-7
    DISABLING MLD SNOOPING FOR THE VLAN .... 32-8
    CONFIGURING THE MLD VERSION FOR THE VLAN .... 32-8
    CONFIGURING THE MLD VERSION FOR INDIVIDUAL PORTS .... 32-8
    CONFIGURING STATIC GROUPS TO THE ENTIRE VLAN OR TO INDIVIDUAL PORTS .... 32-8
    CONFIGURING STATIC ROUTER PORTS .... 32-9
    DISABLING STATIC GROUP PROXY .... 32-9
    ENABLING MLDV2 MEMBERSHIP TRACKING AND FAST LEAVE FOR THE VLAN .... 32-9
    CONFIGURING FAST LEAVE FOR MLDV1 .... 32-10
    ENABLING FAST CONVERGENCE .... 32-10
  DISPLAYING MLD SNOOPING INFORMATION .... 32-10
  CLEARING MLD SNOOPING COUNTERS AND MCACHE .... 32-15

CHAPTER 33 CONFIGURING IP MULTICAST TRAFFIC REDUCTION FOR THE FASTIRON X SERIES SWITCH .... 33-1
  IGMP SNOOPING OVERVIEW .... 33-1
    MAC-BASED IMPLEMENTATION .... 33-2
    IGMP V1, V2, AND V3 SNOOPING SUPPORT .... 33-2
    QUERIERS AND NON-QUERIERS .... 33-3
    IGMP SNOOPING ENHANCEMENTS IN SOFTWARE RELEASE 04.1.00 .... 33-3
    CONFIGURATION NOTES AND FEATURE LIMITATIONS .... 33-4
  PIM SM TRAFFIC SNOOPING OVERVIEW .... 33-4
    PIM SM SNOOPING SUPPORT .... 33-5
    APPLICATION EXAMPLES .... 33-5
    CONFIGURATION NOTES AND LIMITATIONS .... 33-7
  CONFIGURING IGMP SNOOPING .... 33-8
    ENABLING IGMP SNOOPING GLOBALLY ON THE DEVICE .... 33-9
    CONFIGURING THE IGMP MODE .... 33-10
    CONFIGURING THE IGMP VERSION .... 33-10
    DISABLING IGMP SNOOPING ON A VLAN .... 33-11
    DISABLING TRANSMISSION AND RECEIPT OF IGMP PACKETS ON A PORT .... 33-11
    MODIFYING THE AGE INTERVAL FOR GROUP MEMBERSHIP ENTRIES .... 33-11
    MODIFYING THE QUERY INTERVAL (ACTIVE IGMP SNOOPING MODE ONLY) .... 33-12
    MODIFYING THE MAXIMUM RESPONSE TIME .... 33-12
    CONFIGURING REPORT CONTROL .... 33-12
xxiv © 2008 Foundry Networks, Inc. December 2008
    MODIFYING THE WAIT TIME BEFORE STOPPING TRAFFIC WHEN RECEIVING A LEAVE MESSAGE .... 33-12
    MODIFYING THE MULTICAST CACHE AGE TIME .... 33-13
    ENABLING OR DISABLING ERROR AND WARNING MESSAGES .... 33-13
    CONFIGURING STATIC ROUTER PORTS .... 33-13
    TURNING OFF STATIC GROUP PROXY .... 33-13
    ENABLING IGMP V3 MEMBERSHIP TRACKING AND FAST LEAVE FOR THE VLAN .... 33-13
    ENABLING FAST LEAVE FOR IGMP V2 .... 33-14
    ENABLING FAST CONVERGENCE .... 33-14
  CONFIGURING PIM SM SNOOPING .... 33-14
    ENABLING OR DISABLING PIM SM SNOOPING .... 33-15
    ENABLING PIM SM SNOOPING ON A VLAN .... 33-15
    DISABLING PIM SM SNOOPING ON A VLAN .... 33-15
  IGMP SNOOPING SHOW COMMANDS .... 33-15
    DISPLAYING THE IGMP SNOOPING CONFIGURATION .... 33-16
    DISPLAYING IGMP SNOOPING ERRORS .... 33-17
    DISPLAYING IGMP GROUP INFORMATION .... 33-17
    DISPLAYING IGMP SNOOPING MCACHE INFORMATION .... 33-19
    DISPLAYING USAGE OF HARDWARE RESOURCE BY MULTICAST GROUPS .... 33-19
    DISPLAYING SOFTWARE RESOURCE USAGE FOR VLANS .... 33-20
    DISPLAYING THE STATUS OF IGMP SNOOPING TRAFFIC .... 33-21
  PIM SM SNOOPING SHOW COMMANDS .... 33-22
    DISPLAYING PIM SM SNOOPING INFORMATION .... 33-23
    DISPLAYING PIM SM SNOOPING INFORMATION ON A LAYER 2 SWITCH .... 33-23
    DISPLAYING PIM SM SNOOPING INFORMATION FOR A SPECIFIC GROUP OR SOURCE GROUP PAIR .... 33-24
  CLEAR COMMANDS FOR IGMP SNOOPING .... 33-25
    CLEARING THE IGMP MCACHE .... 33-25
    CLEARING THE MCACHE ON A SPECIFIC VLAN .... 33-26
    CLEARING TRAFFIC ON A SPECIFIC VLAN .... 33-26
    CLEARING IGMP COUNTERS ON VLANS .... 33-26

CHAPTER 34 CONFIGURING RIP .... 34-1
  RIP OVERVIEW .... 34-1
    ICMP HOST UNREACHABLE MESSAGE FOR UNDELIVERABLE ARPS .... 34-2
  RIP PARAMETERS AND DEFAULTS .... 34-2
    RIP GLOBAL PARAMETERS .... 34-2
    RIP INTERFACE PARAMETERS .... 34-3
  CONFIGURING RIP PARAMETERS .... 34-3
    ENABLING RIP .... 34-4
    CONFIGURING METRIC PARAMETERS .... 34-4
    CHANGING THE ADMINISTRATIVE DISTANCE .... 34-5
    CONFIGURING REDISTRIBUTION .... 34-5
    CONFIGURING ROUTE LEARNING AND ADVERTISING PARAMETERS .... 34-7
    CHANGING THE ROUTE LOOP PREVENTION METHOD .... 34-8
    SUPPRESSING RIP ROUTE ADVERTISEMENT ON A VRRP OR VRRPE BACKUP INTERFACE .... 34-9
    CONFIGURING RIP ROUTE FILTERS .... 34-9
  DISPLAYING RIP FILTERS .... 34-10
  DISPLAYING CPU UTILIZATION STATISTICS .... 34-11

CHAPTER 35 CONFIGURING RIPNG .... 35-1
  RIPNG OVERVIEW .... 35-1
    CONFIGURING RIPNG .... 35-1
    ENABLING RIPNG .... 35-2
    CONFIGURING RIPNG TIMERS .... 35-2
    CONFIGURING ROUTE LEARNING AND ADVERTISING PARAMETERS .... 35-3
    REDISTRIBUTING ROUTES INTO RIPNG .... 35-4
    CONTROLLING DISTRIBUTION OF ROUTES VIA RIPNG .... 35-5
    CONFIGURING POISON REVERSE PARAMETERS .... 35-5
    CLEARING RIPNG ROUTES FROM IPV6 ROUTE TABLE .... 35-6
    DISPLAYING RIPNG INFORMATION .... 35-6

CHAPTER 36 CONFIGURING OSPF VERSION 2 (IPV4) .... 36-1
  OVERVIEW OF OSPF .... 36-1
    OSPF POINT-TO-POINT LINKS .... 36-2
    DESIGNATED ROUTERS IN MULTI-ACCESS NETWORKS .... 36-3
    DESIGNATED ROUTER ELECTION IN MULTI-ACCESS NETWORKS .... 36-3
    OSPF RFC 1583 AND 2178 COMPLIANCE .... 36-4
    REDUCTION OF EQUIVALENT AS EXTERNAL LSAS .... 36-4
    SUPPORT FOR OSPF RFC 2328 APPENDIX E .... 36-6
    DYNAMIC OSPF ACTIVATION AND CONFIGURATION .... 36-7
    DYNAMIC OSPF MEMORY .... 36-7
  CONFIGURING OSPF .... 36-7
    CONFIGURATION RULES .... 36-8
    OSPF PARAMETERS .... 36-8
    ENABLE OSPF ON THE ROUTER .... 36-9
    ASSIGN OSPF AREAS .... 36-10
    ASSIGNING AN AREA RANGE (OPTIONAL) .... 36-13
    ASSIGNING INTERFACES TO AN AREA .... 36-13
    MODIFY INTERFACE DEFAULTS .... 36-14
    CHANGE THE TIMER FOR OSPF AUTHENTICATION CHANGES .... 36-16
    BLOCK FLOODING OF OUTBOUND LSAS ON SPECIFIC OSPF INTERFACES .... 36-16
    CONFIGURING AN OSPF NON-BROADCAST INTERFACE .... 36-17
    ASSIGN VIRTUAL LINKS .... 36-18
    MODIFY VIRTUAL LINK PARAMETERS .... 36-20
    CHANGING THE REFERENCE BANDWIDTH FOR THE COST ON OSPF INTERFACES .... 36-21
    DEFINE REDISTRIBUTION FILTERS .... 36-23
    PREVENT SPECIFIC OSPF ROUTES FROM BEING INSTALLED IN THE IP ROUTE TABLE .... 36-24
    MODIFY DEFAULT METRIC FOR REDISTRIBUTION .... 36-27
    ENABLE ROUTE REDISTRIBUTION .... 36-27
    DISABLE OR RE-ENABLE LOAD SHARING .... 36-29
    CONFIGURE EXTERNAL ROUTE SUMMARIZATION .... 36-30
    CONFIGURE DEFAULT ROUTE ORIGINATION .... 36-31
    MODIFY SPF TIMERS .... 36-32
    MODIFY REDISTRIBUTION METRIC TYPE .... 36-32
    MODIFY ADMINISTRATIVE DISTANCE .... 36-32
    CONFIGURE OSPF GROUP LINK STATE ADVERTISEMENT (LSA) PACING .... 36-33
    MODIFY OSPF TRAPS GENERATED .... 36-34
    MODIFY OSPF STANDARD COMPLIANCE SETTING .... 36-35
    MODIFY EXIT OVERFLOW INTERVAL .... 36-35
    CONFIGURING AN OSPF POINT-TO-POINT LINK .... 36-35
    SPECIFY TYPES OF OSPF SYSLOG MESSAGES TO LOG .... 36-36
  CLEARING OSPF INFORMATION .... 36-36
    CLEARING OSPF NEIGHBOR INFORMATION .... 36-37
    CLEARING OSPF TOPOLOGY INFORMATION .... 36-37
    CLEARING REDISTRIBUTED ROUTES FROM THE OSPF ROUTING TABLE .... 36-37
    CLEARING INFORMATION FOR OSPF AREAS .... 36-37
  DISPLAYING OSPF INFORMATION .... 36-38
    DISPLAYING GENERAL OSPF CONFIGURATION INFORMATION .... 36-39
    DISPLAYING CPU UTILIZATION STATISTICS .... 36-39
    DISPLAYING OSPF AREA INFORMATION .... 36-41
    DISPLAYING OSPF NEIGHBOR INFORMATION .... 36-41
    DISPLAYING OSPF INTERFACE INFORMATION .... 36-44
    DISPLAYING OSPF ROUTE INFORMATION .... 36-45
    DISPLAYING OSPF EXTERNAL LINK STATE INFORMATION .... 36-47
    DISPLAYING OSPF LINK STATE INFORMATION .... 36-48
    DISPLAYING THE DATA IN AN LSA .... 36-49
    DISPLAYING OSPF VIRTUAL NEIGHBOR INFORMATION .... 36-49
    DISPLAYING OSPF VIRTUAL LINK INFORMATION .... 36-49
    DISPLAYING OSPF ABR AND ASBR INFORMATION .... 36-49
    DISPLAYING OSPF TRAP STATUS .... 36-50

CHAPTER 37 CONFIGURING OSPF VERSION 3 (IPV6) .... 37-1
  OVERVIEW .... 37-1
  DIFFERENCES BETWEEN OSPF V2 AND OSPF V3 .... 37-1
  LINK STATE ADVERTISEMENT TYPES FOR OSPF V3 .... 37-2
  CONFIGURING OSPF V3 .... 37-2
    ENABLING OSPF V3 .... 37-3
    ASSIGNING OSPF V3 AREAS .... 37-3
    ASSIGNING INTERFACES TO AN AREA .... 37-4
    CONFIGURING VIRTUAL LINKS .... 37-4
    CHANGING THE REFERENCE BANDWIDTH FOR THE COST ON OSPF V3 INTERFACES .... 37-6
    REDISTRIBUTING ROUTES INTO OSPF V3 .... 37-7
    FILTERING OSPF V3 ROUTES .... 37-10
    CONFIGURING DEFAULT ROUTE ORIGINATION .... 37-14
    MODIFYING SHORTEST PATH FIRST TIMERS .... 37-14
    MODIFYING ADMINISTRATIVE DISTANCE .... 37-15
    CONFIGURING THE OSPF V3 LSA PACING INTERVAL .... 37-16
    MODIFYING EXIT OVERFLOW INTERVAL .... 37-16
    MODIFYING EXTERNAL LINK STATE DATABASE LIMIT .... 37-16
    MODIFYING OSPF V3 INTERFACE DEFAULTS .... 37-17
    DISABLING OR RE-ENABLING EVENT LOGGING .... 37-17
  DISPLAYING OSPF V3 INFORMATION .... 37-18
    DISPLAYING OSPF V3 AREA INFORMATION .... 37-18
    DISPLAYING OSPF V3 DATABASE INFORMATION .... 37-19
    DISPLAYING OSPF V3 INTERFACE INFORMATION .... 37-24
    DISPLAYING OSPF V3 MEMORY USAGE .... 37-29
    DISPLAYING OSPF V3 NEIGHBOR INFORMATION .... 37-30
    DISPLAYING ROUTES REDISTRIBUTED INTO OSPF V3 .... 37-32
    DISPLAYING OSPF V3 ROUTE INFORMATION .... 37-33
    DISPLAYING OSPF V3 SPF INFORMATION .... 37-35
    DISPLAYING IPV6 OSPF VIRTUAL LINK INFORMATION .... 37-38
    DISPLAYING OSPF V3 VIRTUAL NEIGHBOR INFORMATION .... 37-38

CHAPTER 38 CONFIGURING VRRP AND VRRPE .... 38-1
  OVERVIEW .... 38-1
    OVERVIEW OF VRRP .... 38-1
    OVERVIEW OF VRRPE .... 38-5
    CONFIGURATION NOTE .... 38-7
  COMPARISON OF VRRP AND VRRPE .... 38-7
    VRRP .... 38-8
    VRRPE .... 38-8
    ARCHITECTURAL DIFFERENCES .... 38-8
  VRRP AND VRRPE PARAMETERS .... 38-9
  CONFIGURING BASIC VRRP PARAMETERS .... 38-11
    CONFIGURING THE OWNER .... 38-11
    CONFIGURING A BACKUP .... 38-12
    CONFIGURATION RULES FOR VRRP .... 38-12
  CONFIGURING BASIC VRRPE PARAMETERS .... 38-12
    CONFIGURATION RULES FOR VRRPE .... 38-12
  NOTE REGARDING DISABLING VRRP OR VRRPE .... 38-13
  CONFIGURING ADDITIONAL VRRP AND VRRPE PARAMETERS .... 38-13
  FORCING A MASTER ROUTER TO ABDICATE TO A STANDBY ROUTER .... 38-19
  DISPLAYING VRRP AND VRRPE INFORMATION .... 38-20
    DISPLAYING SUMMARY INFORMATION .... 38-20
    DISPLAYING DETAILED INFORMATION .... 38-22
    DISPLAYING STATISTICS .... 38-28
    CLEARING VRRP OR VRRPE STATISTICS .... 38-29
    DISPLAYING CPU UTILIZATION STATISTICS .... 38-29
  CONFIGURATION EXAMPLES .... 38-31
    VRRP EXAMPLE .... 38-31
    VRRPE EXAMPLE .... 38-32

CHAPTER 39 CONFIGURING BGP4 .... 39-1
  OVERVIEW OF BGP4 .... 39-1
    RELATIONSHIP BETWEEN THE BGP4 ROUTE TABLE AND THE IP ROUTE TABLE .... 39-2
    HOW BGP4 SELECTS A PATH FOR A ROUTE .... 39-3
    BGP4 MESSAGE TYPES .... 39-4
  BASIC CONFIGURATION AND ACTIVATION FOR BGP4 .... 39-5
    NOTE REGARDING DISABLING BGP4 .... 39-6
  BGP4 PARAMETERS .... 39-6
    WHEN PARAMETER CHANGES TAKE EFFECT .... 39-7
  MEMORY CONSIDERATIONS .... 39-8
    MEMORY CONFIGURATION OPTIONS OBSOLETED BY DYNAMIC MEMORY .... 39-9
  BASIC CONFIGURATION TASKS .... 39-9
    ENABLING BGP4 ON THE ROUTER .... 39-9
    CHANGING THE ROUTER ID .... 39-10
    SETTING THE LOCAL AS NUMBER .... 39-10
    ADDING A LOOPBACK INTERFACE .... 39-10
    ADDING BGP4 NEIGHBORS .... 39-11
    ADDING A BGP4 PEER GROUP .... 39-16
  OPTIONAL CONFIGURATION TASKS .... 39-20
    CHANGING THE KEEP ALIVE TIME AND HOLD TIME .... 39-20
    CHANGING THE BGP4 NEXT-HOP UPDATE TIMER .... 39-21
    ENABLING FAST EXTERNAL FALLOVER .... 39-21
    CHANGING THE MAXIMUM NUMBER OF PATHS FOR BGP4 LOAD SHARING .... 39-21
    CUSTOMIZING BGP4 LOAD SHARING .... 39-23
    SPECIFYING A LIST OF NETWORKS TO ADVERTISE .... 39-23
    CHANGING THE DEFAULT LOCAL PREFERENCE .... 39-24
    USING THE IP DEFAULT ROUTE AS A VALID NEXT HOP FOR A BGP4 ROUTE .... 39-24
    ADVERTISING THE DEFAULT ROUTE .... 39-25
    CHANGING THE DEFAULT MED (METRIC) USED FOR ROUTE REDISTRIBUTION .... 39-25
    ENABLING NEXT-HOP RECURSION .... 39-25
    CHANGING ADMINISTRATIVE DISTANCES .... 39-28
    REQUIRING THE FIRST AS TO BE THE NEIGHBOR’S AS .... 39-29
    DISABLING OR RE-ENABLING COMPARISON OF THE AS-PATH LENGTH .... 39-30
    ENABLING OR DISABLING COMPARISON OF THE ROUTER IDS .... 39-30
    CONFIGURING THE LAYER 3 SWITCH TO ALWAYS COMPARE MULTI-EXIT DISCRIMINATORS (MEDS) .... 39-30
    TREATING MISSING MEDS AS THE WORST MEDS .... 39-31
    CONFIGURING ROUTE REFLECTION PARAMETERS .... 39-31
    CONFIGURING NOTES .... 39-34
    AGGREGATING ROUTES ADVERTISED TO BGP4 NEIGHBORS .... 39-36
  BGP NULL0 ROUTING .... 39-36
    CONFIGURATION STEPS .... 39-37
    CONFIGURATION EXAMPLES .... 39-38
    SHOW COMMANDS .... 39-38
  MODIFYING REDISTRIBUTION PARAMETERS .... 39-40
    REDISTRIBUTING CONNECTED ROUTES .... 39-41
    REDISTRIBUTING RIP ROUTES .... 39-41
    REDISTRIBUTING OSPF EXTERNAL ROUTES .... 39-41
    REDISTRIBUTING STATIC ROUTES .... 39-42
    DISABLING OR RE-ENABLING RE-ADVERTISEMENT OF ALL LEARNED BGP4 ROUTES TO ALL BGP4 NEIGHBORS .... 39-42
    REDISTRIBUTING IBGP ROUTES INTO RIP AND OSPF .... 39-42
  FILTERING .... 39-43
    FILTERING SPECIFIC IP ADDRESSES .... 39-43
    FILTERING AS-PATHS .... 39-44
    FILTERING COMMUNITIES .... 39-47
    DEFINING IP PREFIX LISTS .... 39-49
    DEFINING NEIGHBOR DISTRIBUTE LISTS .... 39-50
    DEFINING ROUTE MAPS .... 39-50
    USING A TABLE MAP TO SET THE TAG VALUE .... 39-57
    CONFIGURING COOPERATIVE BGP4 ROUTE FILTERING .... 39-58
  CONFIGURING ROUTE FLAP DAMPENING .... 39-60
    GLOBALLY CONFIGURING ROUTE FLAP DAMPENING .... 39-61
    USING A ROUTE MAP TO CONFIGURE ROUTE FLAP DAMPENING FOR SPECIFIC ROUTES .... 39-62
    USING A ROUTE MAP TO CONFIGURE ROUTE FLAP DAMPENING FOR A SPECIFIC NEIGHBOR .... 39-62
    REMOVING ROUTE DAMPENING FROM A ROUTE .... 39-63
    REMOVING ROUTE DAMPENING FROM A NEIGHBOR’S ROUTES SUPPRESSED DUE TO AGGREGATION .... 39-63
    DISPLAYING AND CLEARING ROUTE FLAP DAMPENING STATISTICS .... 39-65
  GENERATING TRAPS FOR BGP .... 39-66
  DISPLAYING BGP4 INFORMATION .... 39-67
    DISPLAYING SUMMARY BGP4 INFORMATION .... 39-67
    DISPLAYING THE ACTIVE BGP4 CONFIGURATION .... 39-70
    DISPLAYING CPU UTILIZATION STATISTICS .... 39-70
    DISPLAYING SUMMARY NEIGHBOR INFORMATION .... 39-72
    DISPLAYING BGP4 NEIGHBOR INFORMATION .... 39-74
    DISPLAYING PEER GROUP INFORMATION .... 39-87
    DISPLAYING SUMMARY ROUTE INFORMATION .... 39-88
    DISPLAYING THE BGP4 ROUTE TABLE .... 39-88
    DISPLAYING BGP4 ROUTE-ATTRIBUTE ENTRIES .... 39-96
    DISPLAYING THE ROUTES BGP4 HAS PLACED IN THE IP ROUTE TABLE .... 39-97
    DISPLAYING ROUTE FLAP DAMPENING STATISTICS .... 39-98
    DISPLAYING THE ACTIVE ROUTE MAP CONFIGURATION .... 39-99
  UPDATING ROUTE INFORMATION AND RESETTING A NEIGHBOR SESSION .... 39-99
    USING SOFT RECONFIGURATION .... 39-100
    DYNAMICALLY REQUESTING A ROUTE REFRESH FROM A BGP4 NEIGHBOR .... 39-102
    CLOSING OR RESETTING A NEIGHBOR SESSION .... 39-105
    CLEARING AND RESETTING BGP4 ROUTES IN THE IP ROUTE TABLE .... 39-105
  CLEARING TRAFFIC COUNTERS .... 39-105
  CLEARING ROUTE FLAP DAMPENING STATISTICS .... 39-106
  REMOVING ROUTE FLAP DAMPENING .... 39-106
  CLEARING DIAGNOSTIC BUFFERS .... 39-106

CHAPTER 40 SECURING ACCESS TO MANAGEMENT FUNCTIONS .... 40-1
  SECURING ACCESS METHODS .... 40-1
  RESTRICTING REMOTE ACCESS TO MANAGEMENT FUNCTIONS .... 40-4
    USING ACLS TO RESTRICT REMOTE ACCESS .... 40-4
    DEFINING THE CONSOLE IDLE TIME .... 40-7
    RESTRICTING REMOTE ACCESS TO THE DEVICE TO SPECIFIC IP ADDRESSES .... 40-7
    RESTRICTING ACCESS TO THE DEVICE BASED ON IP OR MAC ADDRESS .... 40-8
    SPECIFYING THE MAXIMUM NUMBER OF LOGIN ATTEMPTS FOR TELNET ACCESS .... 40-9
    RESTRICTING REMOTE ACCESS TO THE DEVICE TO SPECIFIC VLAN IDS .... 40-9
    DESIGNATED VLAN FOR TELNET MANAGEMENT SESSIONS TO A LAYER 2 SWITCH .... 40-10
    DEVICE MANAGEMENT SECURITY .... 40-11
    DISABLING SPECIFIC ACCESS METHODS .... 40-12
  SETTING PASSWORDS .... 40-14
    SETTING A TELNET PASSWORD
........................................................................................................40-14 SETTING PASSWORDS FOR MANAGEMENT PRIVILEGE LEVELS ............................................................40-14 RECOVERING FROM A LOST PASSWORD ............................................................................................40-16 DISPLAYING THE SNMP COMMUNITY STRING ....................................................................................40-17 DISABLING PASSWORD ENCRYPTION .................................................................................................40-17 SPECIFYING A MINIMUM PASSWORD LENGTH ....................................................................................40-17 SETTING UP LOCAL USER ACCOUNTS ......................................................................................................40-17 ENHANCEMENTS TO USERNAME AND PASSWORD ..............................................................................40-18 CONFIGURING A LOCAL USER ACCOUNT ...........................................................................................40-22 CREATE PASSWORD OPTION ............................................................................................................40-24 CHANGING A LOCAL USER PASSWORD ..............................................................................................40-24 CONFIGURING SSL SECURITY FOR THE WEB MANAGEMENT INTERFACE ...................................................40-25 ENABLING THE SSL SERVER ON THE FOUNDRY DEVICE ....................................................................40-25 CHANGING THE SSL SERVER CERTIFICATE KEY SIZE ........................................................................40-25 SUPPORT FOR SSL DIGITAL CERTIFICATES LARGER THAN 2048 BYTES .............................................40-26 IMPORTING DIGITAL CERTIFICATES AND RSA PRIVATE KEY FILES ......................................................40-26 GENERATING 
AN SSL CERTIFICATE ..................................................................................................40-27 CONFIGURING TACACS/TACACS+ SECURITY .......................................................................................40-27 HOW TACACS+ DIFFERS FROM TACACS .......................................................................................40-27 TACACS/TACACS+ AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING .....................................40-28 TACACS AUTHENTICATION ..............................................................................................................40-29 TACACS/TACACS+ CONFIGURATION CONSIDERATIONS ..................................................................40-33 ENABLING TACACS ........................................................................................................................40-34 IDENTIFYING THE TACACS/TACACS+ SERVERS .............................................................................40-34 SPECIFYING DIFFERENT SERVERS FOR INDIVIDUAL AAA FUNCTIONS .................................................40-35 SETTING OPTIONAL TACACS/TACACS+ PARAMETERS ...................................................................40-35 CONFIGURING AUTHENTICATION-METHOD LISTS FOR TACACS/TACACS+ .......................................40-37 CONFIGURING TACACS+ AUTHORIZATION .......................................................................................40-39 CONFIGURING TACACS+ ACCOUNTING ............................................................................................40-41 December 2008 © 2008 Foundry Networks, Inc. 
xxxi Foundry FastIron Configuration Guide CONFIGURING AN INTERFACE AS THE SOURCE FOR ALL TACACS/TACACS+ PACKETS ....................40-42 DISPLAYING TACACS/TACACS+ STATISTICS AND CONFIGURATION INFORMATION ............................40-43 CONFIGURING RADIUS SECURITY ..........................................................................................................40-44 RADIUS AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING ........................................................40-44 RADIUS CONFIGURATION CONSIDERATIONS ....................................................................................40-48 RADIUS CONFIGURATION PROCEDURE ............................................................................................40-48 CONFIGURING FOUNDRY-SPECIFIC ATTRIBUTES ON THE RADIUS SERVER ........................................40-49 ENABLING SNMP TO CONFIGURE RADIUS ......................................................................................40-50 IDENTIFYING THE RADIUS SERVER TO THE FOUNDRY DEVICE ..........................................................40-51 SPECIFYING DIFFERENT SERVERS FOR INDIVIDUAL AAA FUNCTIONS .................................................40-51 CONFIGURING A RADIUS SERVER PER PORT ...................................................................................40-51 MAPPING A RADIUS SERVER TO INDIVIDUAL PORTS .........................................................................40-52 SETTING RADIUS PARAMETERS ......................................................................................................40-52 CONFIGURING AUTHENTICATION-METHOD LISTS FOR RADIUS ..........................................................40-54 CONFIGURING RADIUS AUTHORIZATION ...........................................................................................40-56 CONFIGURING RADIUS ACCOUNTING ...............................................................................................40-57 CONFIGURING AN INTERFACE AS 
THE SOURCE FOR ALL RADIUS PACKETS .......................................40-58 DISPLAYING RADIUS CONFIGURATION INFORMATION ........................................................................40-58 CONFIGURING AUTHENTICATION-METHOD LISTS ......................................................................................40-60 CONFIGURATION CONSIDERATIONS FOR AUTHENTICATION-METHOD LISTS ..........................................40-61 EXAMPLES OF AUTHENTICATION-METHOD LISTS ................................................................................40-61 TCP FLAGS - EDGE PORT SECURITY ......................................................................................................40-63 USING TCP FLAGS IN COMBINATION WITH OTHER ACL FEATURES ....................................................40-64 CHAPTER 41 CONFIGURING SSHV1 AND SCP ............................................................... 41-1 CONFIGURING SSHV1 ..............................................................................................................................41-1 SETTING THE HOST NAME AND DOMAIN NAME ....................................................................................41-2 GENERATING A HOST L KEY PAIR .......................................................................................................41-2 CONFIGURING RSA CHALLENGE-RESPONSE AUTHENTICATION ............................................................41-3 SETTING OPTIONAL PARAMETERS .......................................................................................................41-5 DISPLAYING SSH CONNECTION INFORMATION ...........................................................................................41-8 SAMPLE SSH CONFIGURATION ...............................................................................................................41-10 USING SECURE COPY WITH SSHV1 
........................................................................................................41-10 CHAPTER 42 CONFIGURING SSHV2 AND SCP ............................................................... 42-1 SSH VERSION 2 SUPPORT .......................................................................................................................42-1 TESTED SSHV2 CLIENTS ...................................................................................................................42-2 SUPPORTED FEATURES ......................................................................................................................42-2 AES ENCRYPTION FOR SSHV2 .................................................................................................................42-2 CONFIGURING SSHV2 ..............................................................................................................................42-3 RECREATING SSH KEYS ....................................................................................................................42-4 GENERATING A HOST KEY PAIR ..........................................................................................................42-4 CONFIGURING DSA CHALLENGE-RESPONSE AUTHENTICATION ............................................................42-5 SETTING OPTIONAL PARAMETERS .............................................................................................................42-7 xxxii © 2008 Foundry Networks, Inc. 
December 2008 SETTING THE NUMBER OF SSH AUTHENTICATION RETRIES .................................................................42-7 DEACTIVATING USER AUTHENTICATION ...............................................................................................42-7 ENABLING EMPTY PASSWORD LOGINS ................................................................................................42-8 SETTING THE SSH PORT NUMBER ......................................................................................................42-8 SETTING THE SSH LOGIN TIMEOUT VALUE .........................................................................................42-8 DESIGNATING AN INTERFACE AS THE SOURCE FOR ALL SSH PACKETS (LAYER 3 CODE ONLY) ............42-8 CONFIGURING THE MAXIMUM IDLE TIME FOR SSH SESSIONS ..............................................................42-9 FILTERING SSH ACCESS USING ACLS ......................................................................................................42-9 TERMINATING AN ACTIVE SSH CONNECTION .............................................................................................42-9 DISPLAYING SSH CONNECTION INFORMATION .........................................................................................42-10 USING SECURE COPY WITH SSHV2 ........................................................................................................42-11 ENABLING AND DISABLING SCP ........................................................................................................42-11 EXAMPLE FILE TRANSFERS USING SCP ............................................................................................42-12 CHAPTER 43 CONFIGURING 802.1X PORT SECURITY ..................................................... 
43-1 IETF RFC SUPPORT ................................................................................................................................43-1 HOW 802.1X PORT SECURITY WORKS ......................................................................................................43-1 DEVICE ROLES IN AN 802.1X CONFIGURATION ....................................................................................43-1 COMMUNICATION BETWEEN THE DEVICES ............................................................................................43-2 CONTROLLED AND UNCONTROLLED PORTS .........................................................................................43-3 MESSAGE EXCHANGE DURING AUTHENTICATION .................................................................................43-4 AUTHENTICATING MULTIPLE HOSTS CONNECTED TO THE SAME PORT ..................................................43-6 802.1X PORT SECURITY AND SFLOW .................................................................................................43-8 802.1X ACCOUNTING .........................................................................................................................43-8 CONFIGURING 802.1X PORT SECURITY .....................................................................................................43-9 CONFIGURING AN AUTHENTICATION METHOD LIST FOR 802.1X ...........................................................43-9 SETTING RADIUS PARAMETERS ........................................................................................................43-9 CONFIGURING DYNAMIC VLAN ASSIGNMENT FOR 802.1X PORTS ......................................................43-12 DYNAMICALLY APPLYING IP ACLS AND MAC FILTERS TO 802.1X PORTS ..........................................43-16 ENABLING 802.1X PORT SECURITY ..................................................................................................43-19 SETTING THE PORT CONTROL 
..........................................................................................................43-19 CONFIGURING PERIODIC RE-AUTHENTICATION ..................................................................................43-20 RE-AUTHENTICATING A PORT MANUALLY ..........................................................................................43-21 SETTING THE QUIET PERIOD .............................................................................................................43-21 SPECIFYING THE WAIT INTERVAL AND NUMBER OF EAP-REQUEST/IDENTITY FRAME RETRANSMISSIONS FROM THE FOUNDRY DEVICE .............................................................43-21 SPECIFYING THE WAIT INTERVAL AND NUMBER OF EAP-REQUEST/IDENTITY FRAME RETRANSMISSIONS FROM THE RADIUS SERVER .............................................................43-22 SPECIFYING A TIMEOUT FOR RETRANSMISSION OF MESSAGES TO THE AUTHENTICATION SERVER .......43-22 INITIALIZING 802.1X ON A PORT .......................................................................................................43-23 ALLOWING ACCESS TO MULTIPLE HOSTS ..........................................................................................43-23 DEFINING MAC FILTERS FOR EAP FRAMES ......................................................................................43-25 CONFIGURING VLAN ACCESS FOR NON-EAP-CAPABLE CLIENTS ......................................................43-25 CONFIGURING 802.1X ACCOUNTING .......................................................................................................43-26 802.1X ACCOUNTING ATTRIBUTES FOR RADIUS ..............................................................................43-26 December 2008 © 2008 Foundry Networks, Inc. 
xxxiii Foundry FastIron Configuration Guide ENABLING 802.1X ACCOUNTING .......................................................................................................43-27 DISPLAYING 802.1X INFORMATION ..........................................................................................................43-27 DISPLAYING 802.1X CONFIGURATION INFORMATION ..........................................................................43-27 DISPLAYING 802.1X STATISTICS .......................................................................................................43-30 CLEARING 802.1X STATISTICS .........................................................................................................43-31 DISPLAYING DYNAMICALLY ASSIGNED VLAN INFORMATION ...............................................................43-31 DISPLAYING INFORMATION ABOUT DYNAMICALLY APPLIED MAC FILTERS AND IP ACLS .....................43-32 DISPLAYING 802.1X MULTIPLE-HOST AUTHENTICATION INFORMATION ...............................................43-34 SAMPLE 802.1X CONFIGURATIONS .........................................................................................................43-38 POINT-TO-POINT CONFIGURATION .....................................................................................................43-38 HUB CONFIGURATION .......................................................................................................................43-39 802.1X AUTHENTICATION WITH DYNAMIC VLAN ASSIGNMENT ...........................................................43-40 USING MULTI-DEVICE PORT AUTHENTICATION AND 802.1X SECURITY ON THE SAME PORT ......................43-42 CONFIGURING FOUNDRY-SPECIFIC ATTRIBUTES ON THE RADIUS SERVER ........................................43-42 EXAMPLE CONFIGURATIONS .............................................................................................................43-43 CHAPTER 44 USING THE MAC PORT SECURITY FEATURE 
.............................................. 44-1 OVERVIEW ................................................................................................................................................44-1 LOCAL AND GLOBAL RESOURCES .......................................................................................................44-1 CONFIGURATION NOTES AND LIMITATIONS ..........................................................................................44-2 CONFIGURING THE MAC PORT SECURITY FEATURE ..................................................................................44-2 ENABLING THE MAC PORT SECURITY FEATURE ..................................................................................44-2 SETTING THE MAXIMUM NUMBER OF SECURE MAC ADDRESSES FOR AN INTERFACE ............................44-2 SETTING THE PORT SECURITY AGE TIMER ..........................................................................................44-3 SPECIFYING SECURE MAC ADDRESSES ..............................................................................................44-3 AUTOSAVING SECURE MAC ADDRESSES TO THE STARTUP-CONFIG FILE .............................................44-4 SPECIFYING THE ACTION TAKEN WHEN A SECURITY VIOLATION OCCURS .............................................44-4 CLEARING PORT SECURITY STATISTICS .....................................................................................................44-5 CLEARING RESTRICTED MAC ADDRESSES ..........................................................................................44-5 CLEARING VIOLATION STATISTICS .......................................................................................................44-5 DISPLAYING PORT SECURITY INFORMATION ...............................................................................................44-5 DISPLAYING PORT SECURITY SETTINGS ..............................................................................................44-5 
DISPLAYING THE SECURE MAC ADDRESSES .......................................................................................44-6 DISPLAYING PORT SECURITY STATISTICS ............................................................................................44-6 DISPLAYING RESTRICTED MAC ADDRESSES ON A PORT .....................................................................44-7 CHAPTER 45 CONFIGURING MULTI-DEVICE PORT AUTHENTICATION ................................ 45-1 HOW MULTI-DEVICE PORT AUTHENTICATION WORKS .................................................................................45-1 RADIUS AUTHENTICATION .................................................................................................................45-1 AUTHENTICATION-FAILURE ACTIONS ...................................................................................................45-2 SUPPORTED RADIUS ATTRIBUTES .....................................................................................................45-2 SUPPORT FOR DYNAMIC VLAN ASSIGNMENT ......................................................................................45-2 SUPPORT FOR DYNAMIC ACLS ...........................................................................................................45-2 SUPPORT FOR AUTHENTICATING MULTIPLE MAC ADDRESSES ON AN INTERFACE .................................45-2 xxxiv © 2008 Foundry Networks, Inc. 
December 2008 SUPPORT FOR DYNAMIC ARP INSPECTION WITH DYNAMIC ACLS .........................................................45-2 SUPPORT FOR DHCP SNOOPING WITH DYNAMIC ACLS ......................................................................45-3 SUPPORT FOR SOURCE GUARD PROTECTION ......................................................................................45-3 USING MULTI-DEVICE PORT AUTHENTICATION AND 802.1X SECURITY ON THE SAME PORT ........................45-3 CONFIGURING FOUNDRY-SPECIFIC ATTRIBUTES ON THE RADIUS SERVER ..........................................45-4 CONFIGURING MULTI-DEVICE PORT AUTHENTICATION ................................................................................45-5 ENABLING MULTI-DEVICE PORT AUTHENTICATION ...............................................................................45-5 SPECIFYING THE FORMAT OF THE MAC ADDRESSES SENT TO THE RADIUS SERVER ..........................45-6 SPECIFYING THE AUTHENTICATION-FAILURE ACTION ............................................................................45-6 GENERATING TRAPS FOR MULTI-DEVICE PORT AUTHENTICATION .........................................................45-6 DEFINING MAC ADDRESS FILTERS .....................................................................................................45-7 CONFIGURING DYNAMIC VLAN ASSIGNMENT ......................................................................................45-7 DYNAMICALLY APPLYING IP ACLS TO AUTHENTICATED MAC ADDRESSES .........................................45-10 ENABLING DENIAL OF SERVICE ATTACK PROTECTION ........................................................................45-12 ENABLING SOURCE GUARD PROTECTION ..........................................................................................45-13 CLEARING AUTHENTICATED MAC ADDRESSES ..................................................................................45-14 DISABLING AGING FOR AUTHENTICATED MAC ADDRESSES 
................................................................45-14 CHANGING THE HARDWARE AGING PERIOD FOR BLOCKED MAC ADDRESSES ....................................45-15 SPECIFYING THE AGING TIME FOR BLOCKED MAC ADDRESSES .........................................................45-15 SPECIFYING THE RADIUS TIMEOUT ACTION .....................................................................................45-16 MULTI-DEVICE PORT AUTHENTICATION PASSWORD OVERRIDE ..........................................................45-17 LIMITING THE NUMBER OF AUTHENTICATED MAC ADDRESSES ...........................................................45-18 DISPLAYING MULTI-DEVICE PORT AUTHENTICATION INFORMATION ............................................................45-18 DISPLAYING AUTHENTICATED MAC ADDRESS INFORMATION ..............................................................45-18 DISPLAYING MULTI-DEVICE PORT AUTHENTICATION CONFIGURATION INFORMATION ...........................45-19 DISPLAYING MULTI-DEVICE PORT AUTHENTICATION INFORMATION FOR A SPECIFIC MAC ADDRESS OR PORT ............................................................................................45-19 DISPLAYING THE AUTHENTICATED MAC ADDRESSES .........................................................................45-20 DISPLAYING THE NON-AUTHENTICATED MAC ADDRESSES .................................................................45-20 DISPLAYING MULTI-DEVICE PORT AUTHENTICATION INFORMATION FOR A PORT ..................................45-21 DISPLAYING MULTI-DEVICE PORT AUTHENTICATION SETTINGS AND AUTHENTICATED MAC ADDRESSES ............................................................................................45-22 EXAMPLE CONFIGURATIONS ....................................................................................................................45-24 MULTI-DEVICE PORT AUTHENTICATION WITH DYNAMIC VLAN ASSIGNMENT .......................................45-24 EXAMPLES OF MULTI-DEVICE PORT 
AUTHENTICATION AND 802.1X AUTHENTICATION CONFIGURATION ON THE SAME PORT .........................................................................................45-27 CHAPTER 46 PROTECTING AGAINST DENIAL OF SERVICE ATTACKS................................ 46-1 PROTECTING AGAINST SMURF ATTACKS ....................................................................................................46-1 AVOIDING BEING AN INTERMEDIARY IN A SMURF ATTACK .....................................................................46-1 AVOIDING BEING A VICTIM IN A SMURF ATTACK ...................................................................................46-2 PROTECTING AGAINST TCP SYN ATTACKS ...............................................................................................46-2 TCP SECURITY ENHANCEMENT ..........................................................................................................46-3 DISPLAYING STATISTICS ABOUT PACKETS DROPPED BECAUSE OF DOS ATTACKS ................................46-5 December 2008 © 2008 Foundry Networks, Inc. xxxv Foundry FastIron Configuration Guide CHAPTER 47 INSPECTING AND TRACKING DHCP PACKETS ............................................ 
  Dynamic ARP Inspection  47-1
    ARP Poisoning  47-1
    How DAI Works  47-1
    Configuration Notes and Feature Limitations  47-2
    Configuring DAI  47-3
    Displaying ARP Inspection Status and Ports  47-4
    Displaying the ARP Table  47-4
  DHCP Snooping  47-5
    How DHCP Snooping Works  47-5
    System Reboot and the Binding Database  47-6
    Configuration Notes and Feature Limitations  47-6
    Configuring DHCP Snooping  47-6
    Clearing the DHCP Binding Database  47-7
    Displaying DHCP Snooping Status and Ports  47-7
    Displaying the DHCP Snooping Binding Database  47-8
    Displaying DHCP Binding Entry and Status  47-8
    DHCP Snooping Configuration Example  47-8
  IP Source Guard  47-9
    Configuration Notes and Feature Limitations  47-9
    Enabling IP Source Guard on a Port  47-10
    Defining Static IP Source Bindings  47-10
    Enabling IP Source Guard per-Port-per-VLAN  47-11
    Enabling IP Source Guard on a VE  47-11
    Displaying Learned IP Addresses  47-11

Chapter 48  Securing SNMP Access  48-1
  SNMP Overview  48-1
  Establishing SNMP Community Strings  48-2
    Encryption of SNMP Community Strings  48-2
    Adding an SNMP Community String  48-2
    Displaying the SNMP Community Strings  48-3
  Using the User-Based Security Model  48-4
    Configuring Your NMS  48-4
    Configuring SNMP Version 3 on Foundry Devices  48-5
    Defining the Engine ID  48-5
    Defining an SNMP Group  48-6
    Defining an SNMP User Account  48-6
  Defining SNMP Views  48-7
  SNMP Version 3 Traps  48-8
    Defining an SNMP Group and Specifying Which View Is Notified of Traps  48-8
    Defining the UDP Port for SNMP v3 Traps  48-9
    Trap MIB Changes  48-10
    Specifying an IPv6 Host as an SNMP Trap Receiver  48-10
    SNMP3 over IPv6  48-10
    Specifying an IPv6 Host as an SNMP Trap Receiver  48-11
    Viewing IPv6 SNMP Server Addresses  48-11
  Displaying SNMP Information  48-11
    Displaying the Engine ID  48-12
    Displaying SNMP Groups  48-12
    Displaying User Information  48-12
    Interpreting Varbinds in Report Packets  48-13
  SNMP v3 Configuration Examples  48-13
    Simple SNMP v3 Configuration  48-13
    More Detailed SNMP v3 Configuration  48-13

Appendix A  Using Syslog  A-1
  Overview  A-1
  Displaying Syslog Messages  A-2
  Configuring the Syslog Service  A-3
    Displaying the Syslog Configuration  A-4
    Disabling or Re-Enabling Syslog  A-7
    Specifying a Syslog Server  A-7
    Specifying an Additional Syslog Server  A-7
    Disabling Logging of a Message Level  A-7
    Changing the Number of Entries the Local Buffer Can Hold  A-8
    Changing the Log Facility  A-8
    Retaining Syslog Messages After a Soft Reboot  A-9
    Clearing the Syslog Messages from the Local Buffer  A-10
    Displaying TCP/UDP Port Numbers in Syslog Messages  A-10
    Syslog Messages for Hardware Errors  A-10
  Syslog Messages  A-11

Appendix B  Network Monitoring  B-1
  Basic Management  B-1
    Viewing System Information  B-1
    Viewing Configuration Information  B-2
    Viewing Port Statistics  B-3
    Viewing STP Statistics  B-6
    Clearing Statistics  B-6
    Traffic Counters for Outbound Traffic  B-6
  RMON Support  B-9
    Maximum Number of Entries Allowed in the RMON Control Table  B-9
    Statistics (RMON Group 1)  B-9
    History (RMON Group 2)  B-12
    Alarm (RMON Group 3)  B-12
    Event (RMON Group 9)  B-12
  sFlow  B-13
    sFlow Support for IPv6 Packets  B-13
    Configuration Considerations  B-14
    Configuring and Enabling sFlow  B-15
  Configuring a Utilization List for an Uplink Port  B-23
    Command Syntax  B-23
    Displaying Utilization Percentages for an Uplink  B-23

Appendix C  IEEE Compliance  C-1
  RFC Support  C-3
  Internet Drafts  C-10

Appendix D  NIAP-CCEVS Certification  D-1
  NIAP-CCEVS Certified Foundry Equipment and IronWare Releases  D-1
  Web Management Access to NIAP-CCEVS Certified Foundry Equipment  D-1
  Warning: Local User Password Changes  D-2

xxxvi © 2008 Foundry Networks, Inc. December 2008
Chapter 1
About This Guide

Introduction

This guide describes the following product families from Foundry Networks:
• FastIron X Series devices:
  • FastIron Edge Switch X Series (FESX) Layer 2/Layer 3 switch
  • FastIron Edge Switch X Series Expanded (FESXE) Layer 2/Layer 3 switch
  • FastIron Workgroup Switch X Series (FWSX) Layer 2 switch
  • FastIron SuperX Switch (FSX) Layer 2/Layer 3 switch
  • FastIron SX 800, 1600, and 1600-ANR Layer 2/Layer 3 switch
• FastIron GS, FastIron LS, and FastIron WS Layer 2 and Base Layer 3 devices
• FastIron GS-STK and FastIron LS-STK Stackable Switches

This guide includes procedures for configuring the software. The software procedures show how to perform tasks using the CLI. This guide also describes how to monitor Foundry products using statistics and summary screens. This guide applies to the FastIron models listed in Table 1.1.

Device Nomenclature

This guide contains the terms FastIron Edge Switch X Series, FastIron SuperX, FastIron SX, FastIron Workgroup Switch X Series, FastIron GS, FastIron LS, FastIron WS, FastIron GS-STK and FastIron LS-STK. Each term refers to a specific set of devices, as shown in Table 1.1.

Table 1.1: FastIron Family of Switches

This Name | Refers to These Devices

FastIron X Series Devices (1):
FastIron Edge Switch X Series Expanded (FESXE) | FESX624E-PREM6, FESX624HFE-PREM6, FESX648E-PREM6
FastIron Edge Switch X Series (FESX) | FESX424, FESX424HF, FESX424-POE, FESX424PREM, FESX424HF-PREM, FESX424POE-PREM, FESX448, FESX448-PREM, FESX624, FESX624HF, FESX624-PREM, FESX624-PREM6, FESX624HF-PREM, FESX624HF-PREM6, FESX648, FESX648-PREM, FESX648-PREM6
FastIron SuperX Management Modules | FastIron SuperX Management modules with: 400MHz / 256MB; 466MHz / 512MB. NOTE: For a complete list of the FSX Management modules and their part numbers, see the Foundry FastIron X Series Chassis Hardware Installation Guide.
FastIron SX Management Modules | FastIron SX 800/1600 Management modules with: 667MHz / 512MB. NOTE: For a complete list of the SX 800/1600 Management modules and their part numbers, see the Foundry FastIron X Series Chassis Hardware Installation Guide.
FastIron Workgroup Switch X Series (FWSX) | FWSX424 and FWSX448

FastIron GS, LS, and WS Devices:
FastIron GS (FGS) | FGS624P, FGS648P, and FGS624XGP, FGS624-POE, FGS648-POE, FGS624XG-POE, FGS648XG-POE
FastIron LS (FLS) | FLS624 and FLS648
FastIron GS-STK | FGS624P-STK, FGS648P-STK, FGS624P-DC-STK, FGS648P-DC-STK, FGS624P-POE-STK, FGS648P-POE-STK, FGS624P-POE-DC-STK, FGS648P-POE-DC-STK, FGS624XGP-STK, FGS624XGP-DC-STK, FGS624XGP-POE-STK, FGS624XGP-POE-DC-STK, FGS624P-EPREM, FGS648P-EPREM, FGS624P-POE-EPREM, FGS648P-POE-EPREM, FGS624P-POE-DC-EPREM, FGS648P-POE-DC-EPREM, FGS624XGP-POE-EPREM, FGS648XGP-POE-EPREM, FGSXGP-POE-DC-EPREM, FGS648XGP-POE-DC-EPREM
FastIron LS-STK | FLS624-STK, FLS648-STK
FastIron WS (FWS) | FWS624, FWS648, FWS624G, FWS648G, FWS624-POE, FWS648-POE, FWS624G-POE, FWS648G-POE, FWS624-EPREM, FWS648-EPREM, FWS624G-EPREM, FWS648G-EPREM, FWS624-POE-EPREM, FWS648-POE-EPREM, FWS624G-POE-EPREM, FWS648G-POE-EPREM

1. The FastIron X Series product family includes compact switch models and chassis models. The compact models are referred to as the FESX switches.
The chassis systems are referred to as the FastIron SX switches. The chassis systems have three models: FastIron SuperX, FastIron SX 800, and FastIron SX 1600.

What's Included in This Edition?

This edition describes the following software releases:
• For the FESX, FESXE, FSX, FSX 800, FSX 1600, FSX 1600-ANR, and FWSX:
  • FSX 04.3.00 and earlier
• For the FastIron GS and LS products:
  • 04.3.01
• For the FastIron GS-STK and LS-STK products:
  • 05.0.01
  • 05.0.00 and earlier
• For the FastIron WS products:
  • 04.3.01 and earlier

What's New in this Edition

This edition describes the features in the following software releases:
• FGS-STK and FLS-STK 05.0.01
• FGS, FLS, and FWS 04.3.01
• FSX 04.3.00

Software Enhancements in Release 05.0.01

Software release 05.0.01 is designed specifically for FGS-STK and FLS-STK devices, and FGS and FLS devices that have been upgraded to support stacking. The following tables list the feature enhancements for release 05.0.01.

System-Level Enhancements in 05.0.01

Feature: DHCP Auto Configuration
Description: DHCP Client-Based Auto-Configuration allows FGS-STK and FLS-STK devices to automatically obtain leased IP addresses through a DHCP server, negotiate address lease renewal, and obtain a configuration file.
See details in: Chapter: Configuring IP; Section: "DHCP Client-Based Auto-Configuration" on page 30-52

Management Enhancements in 04.3.00

Feature: VCT (Virtual Cable Testing)
Description: With release 05.0.01, FastIron stackable devices support Virtual Cable Test (VCT) technology, which can diagnose a conductor (wire or cable) by sending a pulsed signal into the conductor, then examining the reflection of that pulse. This method of cable analysis is referred to as Time Domain Reflectometry (TDR).
See details in: Chapter: Monitoring Hardware Components; Section: "Virtual Cable Testing" on page 9-1

Feature: Web based GUI
Description: A Web-based user interface allows you to configure your IronStack using a Web browser.
See details in: Book: Web Management Interface User Guide for the FastIron GS-STK and LS-STK

Feature: Digital Optical Monitoring
Description: You can enable your IronStack to monitor the temperature and signal power levels for the optical transceivers in specified ports. This feature is also supported for stacking-enabled XFP ports.
See details in: Chapter: Monitoring Hardware Components; Section: "Digital Optical Monitoring" on page 9-4

Summary of Features in FGS Release 04.3.01

This section contains a summary of the new software features and enhancements in release 04.3.01.

Hardware Introduced in Release 04.3.01

The following table lists the models that support FGS release 04.3.01.

FastIron WS POE and POE EPREM Models

Model | Description
FWS624-POE | Includes 20 x 10/100 Mbps 802.3af PoE ports plus 4-port Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE (RJ45) or 100/1000 Mbps Ethernet Fiber (SFP) connectivity.
FWS648-POE | Includes 44 x 10/100 Mbps 802.3af PoE ports plus 4-port Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE (RJ45) or 100/1000 Mbps Ethernet Fiber (SFP) connectivity.
FWS624-POE-EPREM | Includes 20 x 10/100 Mbps 802.3af PoE ports plus 4-port Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE (RJ45) or 100/1000 Mbps Ethernet Fiber (SFP) connectivity. Ships with EdgePREM IronWare software upgrade.
FWS648-POE-EPREM | Includes 44 x 10/100 Mbps 802.3af PoE ports plus 4-port Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE (RJ45) or 100/1000 Mbps Ethernet Fiber (SFP) connectivity. Ships with EdgePREM IronWare software upgrade.
FWS624G-POE | Includes 20 x 10/100/1000 Mbps 802.3af PoE ports plus 4-port Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE (RJ45) or 100/1000 Mbps Ethernet Fiber (SFP) connectivity.
FWS648G-POE | Includes 44 x 10/100/1000 Mbps 802.3af PoE ports plus 4-port Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE (RJ45) or 100/1000 Mbps Ethernet Fiber (SFP) connectivity.
FWS624G-POE-EPREM | Includes 20 x 10/100/1000 Mbps 802.3af PoE ports plus 4-port Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE (RJ45) or 100/1000 Mbps Ethernet Fiber (SFP) connectivity. Ships with EdgePREM IronWare software upgrade.
FWS648G-POE-EPREM | Includes 44 x 10/100/1000 Mbps 802.3af PoE ports plus 4-port Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE (RJ45) or 100/1000 Mbps Ethernet Fiber (SFP) connectivity. Ships with EdgePREM IronWare software upgrade.

FastIron GS EPREM Models

Model | Description
FGS624P-EPREM | Includes 20 x 10/100/1000 Mbps ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps copper (RJ45) or 100/1000 Ethernet Fiber (SFP) connectivity and one modular AC power supply. Can be upgraded to support 802.3af PoE with the addition of a PoE DIMM (Part # FGS-24GCPOE). Ships with EdgePREM IronWare software upgrade.
FGS648P-EPREM | Includes 44 x 10/100/1000 Mbps ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps (RJ45) or 100/1000 Mbps Ethernet Fiber (SFP) connectivity and one modular AC power supply. Can be upgraded to support 802.3af PoE with the addition of two PoE DIMMs (Part # FGS-24GCPOE). Ships with EdgePREM IronWare software upgrade.
FGS624P-DC-EPREM | Includes 20 x 10/100/1000 Mbps ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps copper (RJ45) or 100/1000 Ethernet Fiber (SFP) connectivity and one modular DC power supply. Can be upgraded to support 802.3af PoE with the addition of a PoE DIMM (Part # FGS-24GCPOE). Ships with EdgePREM IronWare software upgrade.
FGS648P-DC-EPREM | Includes 44 x 10/100/1000 Mbps ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps (RJ45) or 100/1000 Mbps Ethernet Fiber (SFP) connectivity and one modular DC power supply. Can be upgraded to support 802.3af PoE with the addition of two PoE DIMMs (Part # FGS-24GCPOE). Ships with EdgePREM IronWare software upgrade.
FGS624P-POE-EPREM | Includes 20 x 10/100/1000 Mbps 802.3af PoE ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE copper (RJ45) or 100/1000 Ethernet Fiber (SFP) connectivity and one modular AC power supply. Ships with EdgePREM IronWare software upgrade.
FGS648P-POE-EPREM | Includes 44 x 10/100/1000 Mbps 802.3 PoE ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE (RJ45) or 100/1000 Ethernet Fiber (SFP) connectivity and one modular AC power supply. The switch ships with EdgePREM IronWare software upgrade.
FGS624P-POE-DC-EPREM | Includes 20 x 10/100/1000 Mbps 802.3af PoE ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE copper (RJ45) or 100/1000 Ethernet Fiber (SFP) connectivity and one modular DC power supply. Ships with EdgePREM IronWare software upgrade.
FGS648P-POE-DC-EPREM | Includes 44 x 10/100/1000 Mbps 802.3 PoE ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps 802.3af PoE (RJ45) or 100/1000 Ethernet Fiber (SFP) connectivity and one modular DC power supply. Ships with EdgePREM IronWare software upgrade.
FGS624XGP-EPREM | Includes 20 x 10/100/1000 Mbps ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps copper (RJ45) or 100/1000 Ethernet Fiber (SFP) connectivity, 1-port XFP 10 Gigabit Ethernet, and one modular AC power supply. Can be upgraded to support 802.3af PoE with the addition of a PoE DIMM (Part # FGS-24GCPOE). Ships with EdgePREM IronWare software upgrade.
FGS624XGP-DC-EPREM | Includes 20 x 10/100/1000 Mbps ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps copper (RJ45) or 100/1000 Ethernet Fiber (SFP) connectivity, 1-port XFP 10 Gigabit Ethernet, and one modular DC power supply. Can be upgraded to support 802.3af PoE with the addition of a PoE DIMM (Part # FGS-24GCPOE). Ships with EdgePREM IronWare software upgrade.
FGS624XGP-POE-DC-EPREM | Includes 20 x 10/100/1000 Mbps ports plus 4 Combo copper/fiber Gigabit Ethernet ports supporting 10/100/1000 Mbps copper (RJ45) or 100/1000 Ethernet Fiber (SFP) connectivity, 1-port XFP 10 Gigabit Ethernet, and one modular DC power supply. Ships with EdgePREM IronWare software upgrade.

FastIron LS EPREM Models

Model | Description
FLS624-EPREM | Premium version of the FLS624; supports the EPREM software image.
FLS648-EPREM | Premium version of the FLS648; supports the EPREM software image.

EPREM Upgrade Kits for FastIron GS and FastIron LS Models

FGS_FLS_624-L3U – EPREM Upgrade Kit for 24-port FGS and FLS devices:
  • Electrostatic Discharge (ESD) protection kit
  • EPREM EEPROM
  • CD with documentation and software
  • Installation Instructions
FGS_FLS_648-L3U – EPREM Upgrade Kit for 48-port FGS and FLS devices:
  • Electrostatic Discharge (ESD) protection kit
  • EPREM EEPROM
  • CD with documentation and software
  • Installation Instructions

Software Features and Enhancements in Release 04.3.01

The following table lists the features supported on FastIron GS, WS, and LS devices in release 04.3.01.
Security Features

Feature: DHCP Snooping for FGS and FLS standalone models (FWS models supported in release 04.3.00)
Description: When enabled on a VLAN, DHCP snooping stands between untrusted ports (those connected to host ports) and trusted ports (those connected to DHCP servers).
See: "How DHCP Snooping Works" on page 47-5

Feature: Dynamic ARP Inspection (DAI) for FGS and FLS standalone models (FWS models supported in release 04.3.00)
Description: DAI allows only valid ARP requests and responses to be forwarded.
See: "How DAI Works" on page 47-1

System Features

Feature: MRP II for FGS and FLS standalone, and FWS devices
Description: MRP II allows MRP rings to share the same interfaces as long as the interfaces belong to the same VLAN.
See: "MRP Rings with Shared Interfaces (MRP Phase 2)" on page 12-6

Feature: Q-in-Q tagging for 24-port FGS and FLS standalone, and FWS devices (FGS and FLS 48-port models supported in release 03.0.00; FWS 48-port models supported in release 04.3.00)
Description: Q-in-Q tagging allows the addition of two tags. This release adds Q-in-Q support for 24-port devices.
See: "802.1Q-in-Q Tagging" on page 16-8

EPREM Features Supported

Feature: ECMP
Description: Equal-Cost Multi-Path (ECMP) load sharing helps select the shortest path to a destination from among a number of equal-cost paths.
See: "Configuring IP Load Sharing" on page 30-42

Feature: OSPF IPv4
Description: OSPF uses link-state advertisements (LSAs) to update neighboring routers about interfaces.
See: "Configuring OSPF Version 2 (IPv4)"

Feature: RIP v1 and v2
Description: RIP uses distance vectors to measure the cost of a route, which is often equal to the number of hops between the Foundry device and the destination network.
See: "Configuring RIP"

Feature: Route only support
Description: By default, Foundry Layer 3 Switches support Layer 2 switching. If you want to disable Layer 2 switching, you can do so globally or on individual ports, depending on the version of software your device is running.
See: "Displaying Layer 3 System Parameter Limits" on page 21-5

Feature: Route redistribution
Description: You can enable the software to redistribute static routes from the IP route table into RIP. Redistribution is disabled by default.
See: "Enabling Redistribution" on page 21-8

Feature: Routes in hardware maximum
Description: FGS, FLS, and FWS support 1000 routes in hardware.
See: N/A

Feature: VRRP
Description: VRRP provides redundancy to routers within a LAN. VRRP allows you to provide alternate router paths for a host without changing the IP address or MAC address by which the host knows its gateway.
See: "Overview of VRRP" on page 38-1

Summary of Enhancements in FSX Release 04.3.00

New Hardware in FSX 04.3.00

Feature: FSX 1600-ANR Chassis
Description: The FSX 1600 Acoustic Noise-Reduced (ANR) chassis is an enhanced version of the FSX 1600 chassis. Compared to the FSX 1600, the FSX 1600-ANR has improved, redirected airflow, better thermal dissipation, and reduced acoustic noise.
See details in: Book: Foundry FastIron X Series Chassis Hardware Installation Guide; Chapter: Product Overview; Section: FSX 1600 Chassis

Feature: New IPv4 8-port Management modules for the FSX 800 and FSX 1600
Description: The following IPv4 management modules are new in this release:
  • SX-FI8GMR4
  • SX-FI8GMR4-PREM
See details in: Book: Foundry FastIron X Series Chassis Hardware Installation Guide; Chapter: Product Overview; Section: FSX 800 and FSX 1600 Management Modules

Feature: New fiber optic transceiver, including software support for digital optical monitoring and show media output
Description: This release supports the following new 10GBase fiber optic transceiver:
  • 10G-XFP-1310-MMF
When installed in the FastIron switch, the output of the show media command displays 10GBase-1310-MMF. When digital optical monitoring is enabled, the device can monitor the temperature and signal power levels for this transceiver type. Console messages and syslog messages are sent when optical operating conditions fall below or rise above the recommended thresholds.
See details in: Book: Foundry FastIron X Series Chassis Hardware Installation Guide and Book: Foundry FastIron Stackable Hardware Installation Guide; Chapter: Hardware Specifications; Section: Cable Specifications. Also Book: Foundry FastIron Configuration Guide; Chapter: Monitoring Hardware Components; Section: Digital Optical Monitoring

Management-Level Enhancements in FSX 04.3.00

Feature: 802.1X Accounting
Description: 802.1X accounting enables the recording of information about 802.1X clients who were successfully authenticated and allowed access to the network. Recorded information includes the client's session ID, MAC address, and authenticating physical port number.
See details in: "Configuring 802.1X Accounting" on page 43-26

System-Level Enhancements in FSX 04.3.00

Feature: FastIron X Series IPv6-capable switches and modules support up to 8 ports in a trunk, aggregate link, or multi-slot trunk group
Description: Starting in release FSX 04.3.00 on FastIron X Series IPv6 devices, you can configure up to 8 ports in a trunk group, 802.3ad aggregate link, and multi-slot trunk group.
NOTE: This feature does not apply to IPv4 devices, which still support a maximum of 4 ports in a trunk group, 802.3ad aggregate link, and multi-slot trunk group.
See details in: "Trunk Group Rules" on page 15-3

Feature: Additional trunking options for ports in an 802.3ad trunk
Description: Additional trunking options are supported on individual ports that are part of an 802.3ad aggregate link. Previous releases allow you to configure trunking options on individual ports that are part of a manually-created trunk group only. The following trunking options are supported on LACP trunk ports:
  • Naming a trunk port
  • Disabling a trunk port
  • Enabling a trunk port
  • Monitoring a trunk port
  • Configuring rate limiting on a trunk port
  • Enabling sFlow forwarding on a trunk port
  • Configuring the sFlow subsampling rate on a trunk port
See details in: "Additional Trunking Options" on page 15-16

Feature: Enhancement to the show chassis command output
Description: The output of the show chassis command now displays the chassis type. For example:
  • FESX424HF-PREM
  • FastIron SuperX
  • FastIron SX 800
  • ANR-FastIron SX 1600-PREM
See details in: Book: Foundry FastIron X Series Chassis Hardware Installation Guide; Chapter: Managing the Chassis and Modules; Section: Displaying Chassis Status and Temperature Readings. Also Book: Foundry FastIron Stackable Hardware Installation Guide; Chapter: Managing the FastIron Compact Switch; Section: Viewing the Chassis Type

Feature: Enhancement to the show version command output
Description: For the FSX 1600-ANR chassis, the output of the show version command includes a description of the hardware. For example: HW: ANR-Chassis FastIron SX 1600
See details in: "Viewing System Information" on page B-1

Feature: Enhancement to the SNMP MIB object snChasType
Description: For the FSX 1600-ANR chassis, the SNMP object snChasType returns the chassis type ANR-Chassis.
See details in: Book: Foundry MIB Reference Guide; Chapter: Physical Properties of a Device; Section: General Chassis

Feature: New SNMP MIB objects
Description: The following MIB objects are new in this release:
  • snAgentCpuUtilPercent
  • snAgentCpuUtil100thPercent
These objects replace the MIB object snAgentCpuUtilValue, which was deprecated in this release.
See details in: Book: Foundry MIB Reference Guide; Chapter: Monitoring and Logging; Section: System CPU Utility Table

Audience

This guide is designed for network installers, system administrators, and resellers who will configure the software for the FastIron family of switches.
This guide assumes a working knowledge of Layer 2 and Layer 3 switching and routing concepts. If you are using Layer 3 code, you should be familiar with the following protocols if applicable to your network – IP, RIP, OSPF, BGP4, DVMRP, IGMP, PIM, VRRP, and VRRPE. Nomenclature This guide uses the following typographical conventions to show information: 1 - 10 © 2008 Foundry Networks, Inc. December 2008 About This Guide Italic highlights the title of another publication and occasionally emphasizes a word or phrase. Bold highlights a CLI command. Bold Italic highlights a term that is being defined. NOTE: A note emphasizes an important fact or calls your attention to a dependency. WARNING: A warning calls your attention to a possible hazard that can cause injury or death. CAUTION: A caution calls your attention to a possible hazard that can damage equipment. Related Publications The following Foundry Networks documents supplement the information in this guide. • Foundry FastIron X Series Chassis Hardware Installation Guide – provides hardware installation procedures for the FastIron chassis devices (FSX, FSX 800 and FSX 1600). • Foundry FastIron Compact Switch Hardware Installation Guide – provides hardware installation procedures for the FastIron compact switches (FES, FESX, and FWSX). • Foundry FastIron GS Compact Layer 2 Switch Hardware Installation Guide – provides hardware installation procedures for the FastIron GS and FastIron GS-STK. • Foundry FastIron LS Compact Switch Hardware Installation Guide – provides hardware installation procedures for the FastIron LS and FastIron LS-STK. • Foundry FastIron WS Compact Switch Hardware Installation Guide – provides hardware installation procedures for the FastIron WS. • Foundry Management Information Base Reference – contains the Simple Network Management Protocol (SNMP) Management Information Base (MIB) objects supported on Foundry devices. 
NOTE: For the latest edition of these documents, which contain the most up-to-date information, see Product Manuals at kp.foundrynet.com.

Updates to Manuals

Manuals for this product may be updated between releases. For the latest edition of manuals, check the Foundry Knowledge Portal at kp.foundrynet.com.

How to Get Help or Report Errors

Foundry Networks is committed to ensuring that your investment in our products remains cost-effective. If you need assistance, or find errors in the manuals, contact Foundry Networks using one of the following options:

Web Access
Go to kp.foundrynet.com and log in to the Knowledge Portal (KP) to obtain more information about a product, or to report documentation errors. To report errors, click on Cases > Create a New Ticket. Make sure you specify the document title in the ticket description.

E-mail Access
Send an e-mail to [email protected]

Telephone Access
1.877.TURBOCALL (887.2622) – United States
1.408-207-1600 – Outside the United States

Warranty Coverage
Contact Foundry Networks using any of the methods listed above for information about the standard and extended warranties.

Chapter 2 Getting Familiar with Management Applications

This chapter describes how to manage a Foundry device using the command line interface (CLI), the Web management interface, and IronView Network Manager software.

Logging on through the CLI

Once an IP address is assigned to a Foundry device running Layer 2 software or to an interface on the Foundry device running Layer 3 software, you can access the CLI either through the direct serial connection to the device or through a local or remote Telnet session. You can initiate a local Telnet or SNMP connection by attaching a cable to a port and specifying the assigned management station IP address.
The commands in the CLI are organized into the following levels:
• User EXEC – Lets you display information and perform basic tasks such as pings and traceroutes.
• Privileged EXEC – Lets you use the same commands as those at the User EXEC level plus configuration commands that do not require saving the changes to the system-config file.
• CONFIG – Lets you make configuration changes to the device. To save the changes across reboots, you need to save them to the system-config file. The CONFIG level contains sub-levels for individual ports, for VLANs, for routing protocols, and other configuration areas.

NOTE: By default, any user who can open a serial or Telnet connection to the Foundry device can access all these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can configure the device to use a RADIUS or TACACS/TACACS+ server for authentication. See the chapter “Securing Access to Management Functions”.

On-Line Help

To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed. If you enter part of a command, then enter “?” or press Tab, the CLI lists the options you can enter at this point in the command string. If you enter an invalid command followed by ?, a message appears indicating the command was unrecognized. For example:

FastIron(config)#rooter ip
Unrecognized command

Command Completion

The CLI supports command completion, so you do not need to enter the entire name of a command or option. As long as you enter enough characters of the command or option name to avoid ambiguity with other commands or options, the CLI understands what you are typing.
Scroll Control

By default, the CLI uses a page mode to paginate displays that are longer than the number of rows in your terminal emulation window. For example, if you display a list of all the commands at the global CONFIG level but your terminal emulation window does not have enough rows to display them all at once, the page mode stops the display and lists your choices for continuing the display. Here is an example:

aaa
all-client
appletalk
arp
boot
some lines omitted for brevity...
ipx
lock-address
logging
mac
--More--, next page: Space, next line: Return key, quit: Control-c

The software provides the following scrolling options:
• Press the Space bar to display the next page (one screen at a time).
• Press the Return or Enter key to display the next line (one line at a time).
• Press Ctrl-C or Ctrl-Q to cancel the display.

Line Editing Commands

The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command.

Table 2.1: CLI Line Editing Commands
Ctrl-Key Combination   Description
Ctrl-A            Moves to the first character on the command line.
Ctrl-B            Moves the cursor back one character.
Ctrl-C            Escapes and terminates command prompts and ongoing tasks (such as lengthy displays), and displays a fresh command prompt.
Ctrl-D            Deletes the character at the cursor.
Ctrl-E            Moves to the end of the current command line.
Ctrl-F            Moves the cursor forward one character.
Ctrl-K            Deletes all characters from the cursor to the end of the command line.
Ctrl-L; Ctrl-R    Repeats the current command line on a new line.
Ctrl-N            Enters the next command line in the history buffer.
Ctrl-P            Enters the previous command line in the history buffer.
Ctrl-U; Ctrl-X    Deletes all characters from the cursor to the beginning of the command line.
Ctrl-W            Deletes the last word you typed.
Ctrl-Z            Moves from any CONFIG level of the CLI to the Privileged EXEC level; at the Privileged EXEC level, moves to the User EXEC level.

Using Slot and Port Numbers with CLI Commands

NOTE: The FastIron GS running software release 02.5.00 and later uses stack-unit, slot, and port numbers. See “CLI Nomenclature on FastIron GS and FastIron LS Devices” on page 2-3.

Many CLI commands and displays use port numbers, or slot numbers with port numbers. The ports are labelled on the front panel of the device. The FSX uses chassis-based port numbering which consists of a slot number and a port number. When you enter CLI commands on the FSX, you must specify both the slot number and the port number. The FESX and FWSX devices do not use this type of numbering. When you enter commands on these devices, just specify the port number. The slot numbers used in the FSX CLI examples apply only to Chassis devices.

Here is an example. The following commands change the CLI from the global CONFIG level to the configuration level for the first port on the device.
• FSX commands:
FastIron(config)#interface e 1/1
FastIron(config-if-1/1)#
• FESX and FWSX commands:
FastIron(config)#interface e1
FastIron(config-if-e1000-1)#

CLI Nomenclature on FastIron GS and FastIron LS Devices

Platform Support:
• FGS and FLS devices running software release 02.5.00 and later

The CLI uses stack number and chassis-based port numbering (stacknum/slot/port). However, stacking is not currently supported for the FastIron GS and FastIron LS.

CLI Nomenclature on FastIron GS-STK and FastIron LS-STK Devices

Platform Support:
• FGS-STK and FLS-STK devices running software release 05.0.00 and later

The stacking CLI uses stack unit IDs and chassis-based port numbering (<stack-unit>/<slot>/<port>).
See “Foundry Stackable Devices” on page 4-1 for more information about FGS-STK and FLS-STK devices.

CLI Nomenclature on the FastIron WS

Platform Support:
• FWS devices running software release 04.3.00 or later

The FastIron WS uses stack-unit/slot/port nomenclature. Stacking is not currently supported for the FastIron WS, although the CLI supports the full stacking nomenclature.

Slot and Port Number Labeling on FastIron GS and FastIron LS Devices

Platform Support:
• FGS and FLS devices running software release 02.5.00 and later

When you enter CLI commands that include the port number as part of the syntax, you will need to specify the stack number (0 in current releases), the slot number, and the port number. The slot and port numbers are labelled on the front of the FGS624XGP, FGS624XGP-POE, and other FastIron GS and FastIron LS models that are shipped in accordance with the new port numbering scheme. For older models, an upgrade label kit is available.

FGS624P and FGS624P-POE

Figure 2.1 shows port numbers on the FGS624P and FGS624P-POE models as they appeared prior to release 02.5.00.

Figure 2.1 FGS624P and FGS624P-POE Port Numbers (Prior to Release 02.5.00)
[Front-panel diagram: Ports 1 - 4 (1F - 4F), Ports 1 - 24, Ports 25 and 26 (FGS-2XG module)]

Figure 2.2 shows slot and port numbers on the FGS624P and FGS624P-POE models as they appear after release 02.5.00.

Figure 2.2 FGS624P and FGS624P-POE Slot and Port Numbers (Release 02.5.00 and later)
[Front-panel diagram: Slot 1 (ports 1/1 - 1/4), Slot 1 (ports 1/1 - 1/24), Slot 2 (ports 2/1 and 2/2, FGS-2XG module)]
Table 2.2 shows a comparison of the old and new port numbers.

Table 2.2: Port Numbers on the FGS624P and FGS624P-POE
Port Type              | Port Numbers in Pre-Release 02.5.00 | Port Numbers Starting in Release 02.5.00 (Stack/Slot/Port)
GbE Copper and Fiber   | 1 – 24                              | 0/1/1 – 0/1/24
10-GbE                 | 25                                  | 0/2/1
10-GbE                 | 26                                  | 0/2/2

FGS648P and FGS648P-POE

Figure 2.3 shows the pre-release 02.5.00 port numbers on the FGS648P and FGS648P-POE.

Figure 2.3 FGS648P and FGS648P-POE Port Numbers (Pre-Release 02.5.00)
[Front-panel diagram: GbE Fiber Ports (1F - 4F), GbE Copper Ports (1 - 48), Optional 2-port 10-GbE Module (ports 49 and 50)]

Figure 2.4 shows the new slot and port numbers in release 02.5.00 on the FGS648P and FGS648P-POE.

Figure 2.4 FGS648P and FGS648P-POE Slot and Port Numbers (Release 02.5.00 and Later)
[Front-panel diagram: Slot 1 (ports 1/1 - 1/4), Slot 1 (ports 1/1 - 1/48), Slot 2 (ports 2/1 and 2/2)]

Table 2.3 shows a comparison of the old and new port numbers.

Table 2.3: Port Numbers on the FGS648P and FGS648P-POE
Port Type              | Port Numbers in Pre-Release 02.5.00 | Port Numbers Starting in Release 02.5.00 (Stack/Slot/Port)
GbE Copper and Fiber   | 1 – 48                              | 0/1/1 – 0/1/48
Table 2.3: Port Numbers on the FGS648P and FGS648P-POE (Continued)
Port Type              | Port Numbers in Pre-Release 02.5.00 | Port Numbers Starting in Release 02.5.00 (Stack/Slot/Port)
10-GbE                 | 49                                  | 0/2/1
10-GbE                 | 50                                  | 0/2/2

FGS624XGP and FGS624XGP-POE

Figure 2.5 shows the slot and port numbers on the FGS624XGP and FGS624XGP-POE.

Figure 2.5 FGS624XGP and FGS624XGP-POE Slot and Port Numbers
[Front-panel diagram: Slot 1 (ports 1/1 - 1/4), Slot 1 (ports 1/1 - 1/24), Slot 2 (ports 2/1 and 2/2, FGS-2XG module)]

Table 2.4 shows the port numbers.

Table 2.4: Port Numbers on the FGS624XGP and FGS624XGP-POE
Port Type                         | Port Numbers (Stack/Slot/Port)
GbE Copper and Fiber              | 0/1/1 – 0/1/48
2-port 10-GbE (left-most port)    | 0/2/1
2-port 10-GbE (right-most port)   | 0/2/2
1-port 10-GbE                     | 0/3/1

Using the FastIron GS and FastIron LS Port Nomenclature

Platform Support:
• FGS and FLS devices running software release 02.5.00 and later

When you enter a CLI command that includes the port number as part of the syntax, you must use the stack/slot/port number format. For example, the following commands change the CLI from the global CONFIG level to the configuration level for the first port on the device.
• FastIron GS commands prior to release 02.5.00:
FGS624(config)#interface e 1
FGS624(config-if-e1000-1)#
• FastIron GS commands starting in release 02.5.00:
FGS624(config)#interface e 0/1/1
FGS624(config-if-e1000-0/1/1)#

NOTE: The stack-unit for these devices is always 0, until the device is upgraded to run the stacking introduced in release 05.0.00.

• FastIron GS-STK and FastIron LS-STK commands starting in release 05.0.00:
FGS624(config)#interface e 2/1/1
FGS624(config-if-e1000-2/1/1)#

Syntax: ethernet <stack-unit>/<slotnum>/<portnum>

The <stack-unit> parameter is required on FastIron GS devices running software release 02.5.00 or later. This number is currently always 0. For FastIron GS-STK and LS-STK devices (introduced with release 05.0.00) and FastIron GS and LS devices that have been upgraded to run the stacking features available with release 05.0.00, <stack-unit> equals the ID number of the device in a stack and can be any number from 1 through 8.

The <slotnum> parameter is required on chassis devices and on FastIron GS devices running software release 02.5.00 or later.

The <portnum> parameter is a valid port number.

Using the FastIron WS Port Nomenclature

Platform Support:
• FWS devices running software release 04.3.00 and later

When you enter a CLI command that includes the port number as part of the syntax, you must use the stack-unit/slot/port number format. For example, the following commands change the CLI from the global CONFIG level to the configuration level for the first port on the device.
FWS624(config)#interface e 0/1/1
FWS624(config-if-e1000-0/1/1)#

Syntax: ethernet <stack-unit>/<slotnum>/<portnum>

The <stack-unit> and <slotnum> parameters are required on FastIron WS devices running software release 04.3.00 or later. The <portnum> parameter is a valid port number.

Searching and Filtering Output from CLI Commands

You can filter CLI output from show commands and at the --More-- prompt. You can search for individual characters, strings, or construct complex regular expressions to filter the output.
Searching and Filtering Output from Show Commands

You can filter output from show commands to display lines containing a specified string, lines that do not contain a specified string, or output starting with a line containing a specified string. The search string is a regular expression consisting of a single character or string of characters. You can use special characters to construct complex regular expressions. See “Using Special Characters in Regular Expressions” on page 2-10 for information on special characters used with regular expressions.

Displaying Lines Containing a Specified String

The following command filters the output of the show interface command for port 3/11 so it displays only lines containing the word “Internet”. This command can be used to display the IP address of the interface.

FastIron#show interface e 3/11 | include Internet
Internet address is 192.168.1.11/24, MTU 1518 bytes, encapsulation ethernet

Syntax: <show-command> | include <regular-expression>

NOTE: The vertical bar ( | ) is part of the command.

Note that the regular expression specified as the search string is case sensitive. In the example above, a search string of “Internet” would match the line containing the IP address, but a search string of “internet” would not.

Displaying Lines That Do Not Contain a Specified String

The following command filters the output of the show who command so it displays only lines that do not contain the word “closed”. This command can be used to display open connections to the Foundry device.
FastIron#show who | exclude closed
Console connections:
  established
  you are connecting to this session
  2 seconds in idle
Telnet connections (inbound):
  1 established, client ip address 192.168.9.37
    27 seconds in idle
Telnet connection (outbound):
SSH connections:

Syntax: <show-command> | exclude <regular-expression>

Displaying Lines Starting with a Specified String

The following command filters the output of the show who command so it displays output starting with the first line that contains the word “SSH”. This command can be used to display information about SSH connections to the Foundry device.

FastIron#show who | begin SSH
SSH connections:
  1 established, client ip address 192.168.9.210
    7 seconds in idle
  2 closed
  3 closed
  4 closed
  5 closed

Syntax: <show-command> | begin <regular-expression>

Searching and Filtering Output at the --More-- Prompt

The --More-- prompt displays when output extends beyond a single page. From this prompt, you can press the Space bar to display the next page, the Return or Enter key to display the next line, or Ctrl-C or Q to cancel the display. In addition, you can search and filter output from this prompt.

At the --More-- prompt, you can press the forward slash key ( / ) and then enter a search string. The Foundry device displays output starting from the first line that contains the search string, similar to the begin option for show commands. For example:

--More--, next page: Space, next line: Return key, quit: Control-c
/telnet

The results of the search are displayed:

searching...
telnet        Telnet by name or IP address
temperature   temperature sensor commands
terminal      display syslog
traceroute    TraceRoute to IP node
undebug       Disable debugging functions (see also 'debug')
undelete      Undelete flash card files
whois         WHOIS lookup
write         Write running configuration to flash or terminal

To display lines containing only a specified search string (similar to the include option for show commands), press the plus sign key ( + ) at the --More-- prompt and then enter the search string.

--More--, next page: Space, next line: Return key, quit: Control-c
+telnet

The filtered results are displayed:

filtering...
telnet        Telnet by name or IP address

To display lines that do not contain a specified search string (similar to the exclude option for show commands), press the minus sign key ( - ) at the --More-- prompt and then enter the search string.

--More--, next page: Space, next line: Return key, quit: Control-c
-telnet

The filtered results are displayed:

filtering...
temperature   temperature sensor commands
terminal      display syslog
traceroute    TraceRoute to IP node
undebug       Disable debugging functions (see also 'debug')
undelete      Undelete flash card files
whois         WHOIS lookup
write         Write running configuration to flash or terminal

As with the commands for filtering output from show commands, the search string is a regular expression consisting of a single character or string of characters. You can use special characters to construct complex regular expressions. See the next section for information on special characters used with regular expressions.

Using Special Characters in Regular Expressions

You use a regular expression to specify a single character or multiple characters as a search string. In addition, you can include special characters that influence the way the software matches the output against the search string. These special characters are listed in the following table.
Table 2.5: Special Characters for Regular Expressions
Character   Operation
.    The period matches on any single character, including a blank space. For example, the following regular expression matches “aaz”, “abz”, “acz”, and so on, but not just “az”:
     a.z
*    The asterisk matches on zero or more sequential instances of a pattern. For example, the following regular expression matches output that contains the string “abc”, followed by zero or more Xs:
     abcX*
+    The plus sign matches on one or more sequential instances of a pattern. For example, the following regular expression matches output that contains "de", followed by a sequence of “g”s, such as “deg”, “degg”, “deggg”, and so on:
     deg+
?    The question mark matches on zero occurrences or one occurrence of a pattern. For example, the following regular expression matches output that contains "dg" or "deg":
     de?g
     Note: Normally when you type a question mark, the CLI lists the commands or options at that CLI level that begin with the character or string you entered. However, if you enter Ctrl-V and then type a question mark, the question mark is inserted into the command line, allowing you to use it as part of a regular expression.
^    A caret (when not used within brackets) matches on the beginning of an input string. For example, the following regular expression matches output that begins with “deg”:
     ^deg
$    A dollar sign matches on the end of an input string. For example, the following regular expression matches output that ends with “deg”:
     deg$
Table 2.5: Special Characters for Regular Expressions (Continued)
Character   Operation
_    An underscore matches on one or more of the following:
     • , (comma)
     • { (left curly brace)
     • } (right curly brace)
     • ( (left parenthesis)
     • ) (right parenthesis)
     • The beginning of the input string
     • The end of the input string
     • A blank space
     For example, the following regular expression matches on “100” but not on “1002”, “2100”, and so on.
     _100_
[]   Square brackets enclose a range of single-character patterns. For example, the following regular expression matches output that contains “1”, “2”, “3”, “4”, or “5”:
     [1-5]
     You can use the following expression symbols within the brackets. These symbols are allowed only inside the brackets.
     • ^ – The caret matches on any characters except the ones in the brackets. For example, the following regular expression matches output that does not contain “1”, “2”, “3”, “4”, or “5”: [^1-5]
     • - – The hyphen separates the beginning and ending of a range of characters. A match occurs if any of the characters within the range is present. See the example above.
|    A vertical bar separates two alternative values or sets of values. The output can match one or the other value. For example, the following regular expression matches output that contains either “abc” or “defg”:
     abc|defg
()   Parentheses allow you to create complex expressions. For example, the following complex expression matches on “abc”, “abcabc”, or “defg”, but not on “abcdefgdefg”:
     ((abc)+)|((defg)?)

If you want to filter for a special character instead of using the special character as described in the table above, enter “\” (backslash) in front of the character. For example, to filter on output containing an asterisk, enter the asterisk portion of the regular expression as “\*”.

FastIron#show ip route bgp | include \*
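The include, exclude and begin filters and the search-string dialect described above, re-implemented in Python as an added example (this is not Foundry code; the show who output it filters is constructed from the examples on this page, and the underscore translation follows Table 2.5):

```python
"""FastIron-style 'show ... | include/exclude/begin' filtering, written as an
added illustration of the semantics documented in this chapter (not Foundry code)."""
from __future__ import annotations

import re

# Constructed sample of 'show who' output, modelled on the page's examples.
SHOW_WHO = """Console connections:
  established
  you are connecting to this session
  2 seconds in idle
Telnet connections (inbound):
  1 established, client ip address 192.168.9.37
    27 seconds in idle
  2 closed
Telnet connection (outbound):
SSH connections:
  1 established, client ip address 192.168.9.210
    7 seconds in idle
  2 closed
  3 closed"""

# Keys accepted at the --More-- prompt and the show-command option each one mirrors.
MORE_PROMPT_KEYS = {"/": "begin", "+": "include", "-": "exclude"}


def fastiron_to_python_regex(expr: str) -> str:
    """Translate the FastIron search-string dialect to a Python regex.

    The constructs . * + ? ^ $ [] | () behave as in Python's re module. The one
    difference is the underscore, which matches a comma, a curly brace, a
    parenthesis, a blank space, or the beginning or end of the line. A backslash
    escapes the next character (so '\\*' is a literal asterisk), and inside
    [...] characters are taken literally, so '_' is translated only outside brackets.
    """
    out: list[str] = []
    i, in_bracket = 0, False
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            out.append(re.escape(expr[i + 1]))  # escaped special character
            i += 2
            continue
        if in_bracket:
            if ch == "]":
                in_bracket = False
            out.append(ch)
        elif ch == "[":
            in_bracket = True
            out.append(ch)
        elif ch == "_":
            out.append(r"(?:^|$|[,{}() ])")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def filter_output(output: str, mode: str, expr: str) -> list[str]:
    """Apply '| include', '| exclude' or '| begin' to show-command output.

    Matching is case sensitive, as on the device: 'Internet' and 'internet'
    are different search strings.
    """
    pattern = re.compile(fastiron_to_python_regex(expr))
    lines = output.splitlines()
    if mode == "include":
        return [ln for ln in lines if pattern.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not pattern.search(ln)]
    if mode == "begin":
        for idx, ln in enumerate(lines):
            if pattern.search(ln):
                return lines[idx:]  # everything from the first matching line on
        return []
    raise ValueError(f"unknown filter mode: {mode!r}")


def more_prompt_search(output: str, keystrokes: str) -> list[str]:
    """Handle '/', '+' or '-' followed by a search string at the --More-- prompt."""
    key, expr = keystrokes[0], keystrokes[1:]
    return filter_output(output, MORE_PROMPT_KEYS[key], expr)


if __name__ == "__main__":
    print("\n".join(filter_output(SHOW_WHO, "exclude", "closed")))
    print("---")
    print("\n".join(filter_output(SHOW_WHO, "begin", "SSH")))
    print("---")
    # _100_ matches "100" on its own or delimited, but not "1002" or "2100".
    print(filter_output("100\n1002\n2100\nport 100, up", "include", "_100_"))
```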
Creating an Alias for a CLI Command

Platform Support:
• FGS and FLS devices running software release 03.0.00 and later
• FastIron WS devices running software release 05.0.00 and later
• FastIron X Series devices running software release 03.2.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later

You can create aliases for CLI commands. An alias serves as a shorthand version of a longer CLI command. For example, you can create an alias called shoro for the CLI command show ip route. Then when you enter shoro at the command prompt, the show ip route command is executed.

To create an alias called shoro for the CLI command show ip route, enter the following command:

FastIron(config)#alias shoro = show ip route

Syntax: [no] alias <alias-name> = <cli-command>

The <alias-name> must be a single word, without spaces.

After the alias is configured, entering shoro at either the Privileged EXEC or CONFIG levels of the CLI executes the show ip route command.

To create an alias called wrsbc for the CLI command copy running-config tftp 10.10.10.10 test.cfg, enter the following command:

FastIron(config)#alias wrsbc = copy running-config tftp 10.10.10.10 test.cfg

To remove the wrsbc alias from the Foundry device’s configuration, enter one of the following commands:

FastIron(config)#no alias wrsbc
or
FastIron(config)#unalias wrsbc

Syntax: unalias <alias-name>

The specified <alias-name> must be the name of an alias already configured on the Foundry device.

To display the aliases currently configured on the Foundry device, enter the following command at either the Privileged EXEC or CONFIG levels of the CLI:

FastIron#alias
wrsbc   copy running-config tftp 10.10.10.10 test.cfg
shoro   show ip route

Syntax: alias

Configuration Notes
• You cannot include additional parameters with the alias at the command prompt. For example, after you create the shoro alias, shoro bgp would not be a valid command.
• If configured on the Foundry device, authentication, authorization, and accounting are performed on the actual command, not on the alias for the command.
• To save an alias definition to the device’s startup-config file, use the write memory command.

Logging On through the Web Management Interface

To use the Web management interface, open a Web browser and enter the IP address of the Foundry device’s management port in the Location or Address field. The Web browser contacts the Foundry device and displays a Login panel, such as the one shown below for the FESX.

Figure 2.6 Web Management Interface Login Panel

NOTE: If you are unable to connect with the device through a Web browser due to a proxy problem, it may be necessary to set your Web browser to direct Internet access instead of using a proxy. For information on how to change a proxy setting, refer to the on-line help provided with your Web browser.

To log in, click on the Login link. The following dialog box is displayed.

Figure 2.7 Web Management Interface Login Dialog

The login username and password you enter depend on whether your device is configured with AAA authentication for SNMP. If AAA authentication for SNMP is not configured, you can use the user name “get” and the default read-only password “public” for read-only access. However, for read-write access, you must enter “set” for the user name, and enter a read-write community string you have configured on the device for the password. There is no default read-write community string. You must add one using the CLI.

As an alternative to using the SNMP community strings to log in, you can configure the Foundry device to secure Web management access using local user accounts or Access Control Lists (ACLs).

Navigating the Web Management Interface

When you log into a device, the System configuration panel is displayed.
This panel allows you to enable or disable major system features. You can return to this panel from any other panel by selecting the Home link. The Site Map link gives you a view of all available options on a single screen.

Figure 2.8 displays the first Web management interface panel for Layer 3 Switch features, while Figure 2.9 displays the first panel for Layer 2 Switch features. These panels allow you to configure the features supported by the Layer 3 Switch and Layer 2 Switch software.

Figure 2.8 First Panel for Layer 3 Switch Features

NOTE: If you are using Internet Explorer 6.0 to view the Web management interface, make sure the version you are running includes the latest service packs. Otherwise, the navigation tree (the left-most pane in Figure 2.8) will not display properly. For information on how to load the latest service packs, refer to the on-line help provided with your Web browser.

Figure 2.9 First Panel for Layer 2 Switch Features

The left pane of the Web management interface window contains a “tree view,” similar to the one found in Windows Explorer. Configuration options are grouped into folders in the tree view. These folders, when expanded, reveal additional options. To expand a folder, click on the plus sign to the left of the folder icon.

You can configure the appearance of the Web management interface by using one of the following methods.
Using the CLI, you can modify the appearance of the Web management interface with the web-management command.

To cause the Web management interface to display the List view by default:

FastIron(config)#web-management list-menu

To disable the front panel frame:

FastIron(config)#no web-management front-panel

When you save the configuration with the write memory command, the changes will take place the next time you start the Web management interface, or if you are currently running the Web management interface, the changes will take place when you click the Refresh button on your browser.

USING THE WEB MANAGEMENT INTERFACE
1. Click on the plus sign next to Configure in the tree view to expand the list of configuration options.
2. Click on the plus sign next to System in the tree view to expand the list of system configuration links.
3. Click on the plus sign next to Management in the tree view to expand the list of system management links.
4. Click on the Web Preference link to display the Web Management Preferences panel.
5. Enable or disable elements on the Web management interface by clicking on the appropriate radio buttons on the panel. The following figure identifies the elements you can change.
[Figure: Web Management Preferences panel elements – Front Panel, Front Panel Frame, Menu Type (Tree View shown), Page Menu, Bottom Frame, Menu Frame]

NOTE: The tree view is available when you use the Web management interface with Netscape 4.0 or higher or Internet Explorer 4.0 or higher browsers. If you use the Web management interface with an older browser, the Web management interface displays the List view only, and the Web Management Preferences panel does not include an option to display the tree view.

6. When you have finished, click the Apply button on the panel, then click the Refresh button on your browser to activate the changes.
7.
To save the configuration, click the plus sign next to the Command folder, then click the Save to Flash link.

NOTE: The only changes that become permanent are the settings to the Menu Type and the Front Panel Frame. Any other elements you enable or disable will go back to their default settings the next time you start the Web management interface.

Logging on Through IronView Network Manager

See the Foundry IronView® Network Manager - IronPoint Edition User Guide for information about using IronView Network Manager.

Chapter 3 Feature Highlights

FESX, FSX, FSX 800, and FSX 1600 devices support many of the applicable system-level, Layer 2, and Layer 3 features supported on the BigIron chassis devices. FGS, FLS, FWS, and FGS-STK and FLS-STK devices support system-level, Layer 2, and base Layer 3 features. FGS, FLS, and FWS EPREM devices support Edge Layer 3 features. FWSX devices support system-level and Layer 2 features only.

The features that are available depend on the type of software image the device is running. You can run one of the following types of software images on these devices:
• Layer 2 (supported on all models)
• Base Layer 3 (supported on the FESX, FSX, FSX 800, FSX 1600, FGS, FLS, FWS standard, and FGS-STK and FLS-STK models)
• Edge Layer 3 (supported on FGS, FLS, and FWS EPREM models)
• Full Layer 3 (supported on FESX, FSX, FSX 800, and FSX 1600 premium models only)

Table 3.1 lists the software that is loaded into the device’s primary and secondary flash areas at the factory. All of the flash images are included on the CD-ROM that ships with each device.
Table 3.1: Default Software Loads

Model | Primary Flash | Secondary Flash
All FESX, FSX, FSX 800, and FSX 1600 standard models | Layer 2 | Base Layer 3
All FESX, FSX, FSX 800, and FSX 1600 premium (PREM) models | Full Layer 3 | Layer 2
All FWSX models | Layer 2 | N/A
All FGS and FGS-STK models | Layer 2 | Base Layer 3
All FLS and FLS-STK models | Layer 2 | Base Layer 3
All FGS, FLS and FWS EPREM models | Edge Layer 3 | Layer 2
All FWS standard models | Layer 2 | Base Layer 3

Note Regarding IPv6 Feature Support

The following IPv6 Layer 3 features are supported only with the IPv6 Layer 3 PROM and the full Layer 3 image:
• IPv6 unicast routing (multicast routing is not supported)
• OSPF V3
• RIPng
• IPv6 ICMP redirect messages
• IPv6 route redistribution
• IPv6 static routes
• IPv6 over IPv4 tunnels in hardware
• IPv6 Layer 3 forwarding

Supported Features

Table 3.2 lists the feature highlights in the FastIron X Series, FGS, FLS, FWS, and FGS-STK and FLS-STK software.

Supported Management Features

Table 3.2 lists the management features that are supported for the FastIron platforms.

Table 3.2: Supported Management Features

Support columns (left to right): FESX, FSX, FSX 800, FSX 1600, FWSX | FGS, FLS | FGS-STK, FLS-STK | FWS

Category, Description, and Configuration Notes: Supported on
802.1X accounting: X
AAA support for console commands: X
Access Control Lists (ACLs) for controlling management access: X
DHCP Client-Based Auto-Configuration: X X X X X X X X X
Combined DSCP and internal marking in one ACL rule: X
DSCP Mapping for values 1 through 8: X
Configuring an interface as the source for all TFTP, Syslog, and SNTP packets: X
Disabling TFTP Access: X
IronView Network Manager (optional standalone and HP OpenView GUI): X X
P-Bridge and Q-Bridge MIBs - RFC 2674: X X X X
Port flap dampening: X X X X
Table 3.2: Supported Management Features (Continued)

Support columns (left to right): FESX, FSX, FSX 800, FSX 1600, FWSX | FGS, FLS | FGS-STK, FLS-STK | FWS

Remote monitoring (RMON): X X X X
Retaining Syslog messages after a soft reboot: X
sFlow: X X X X
  • RFC 3176
  • For inbound traffic only
  • 802.1X username export support for encrypted and non-encrypted EAP types
sFlow support for IPv6 packets: X
Serial and Telnet access to industry-standard Command Line Interface (CLI): X X X X
Show log on all terminals: X X X X
SNMP v1, v2, v3: X X X X
SNMP V3 traps: X X X X
Specifying the maximum number of entries allowed in the RMON Control Table: X
Specifying which IP address will be included in a DHCP/BOOTP reply packet: X
Traffic counters for outbound traffic: X
Web-based GUI: X X X X
Web-based management HTTPS/SSL: X X X X

Supported Security Features

Table 3.3 lists the supported security features for FastIron products.
Table 3.3: Supported Security Features

Support columns (left to right): FESX, FSX, FSX 800, FSX 1600, FWSX | FGS, FLS | FGS-STK, FLS-STK | FWS

802.1X dynamic assignment for ACL, MAC filter, and VLAN: X X X X
802.1X port security: X X X X
Access Control Lists (ACLs) for filtering transit traffic: X X X X
  • Support for inbound ACLs only. These devices do not support outbound ACLs.
Address locking (for MAC addresses): X X X X
AES Encryption for SSH v2: X X X X
Authentication, Authorization and Accounting (AAA): X X X X
  • RADIUS, TACACS/TACACS+
Denial of Service (DoS) protection: X X X X
  • TCP SYN Attacks and ICMP Attacks
DHCP Snooping: X X
Dynamic ACLs with Multi-Device Port Authentication: X X
Dynamic ARP Inspection: X X
EAP Pass-through Support: X X X X
Enhancements to username and password: X X X X
HTTPS: X X X X
IP Source Guard: X
Layer 2 MAC filtering: X X X X
  • Filtering on source and destination MAC addresses
Local passwords: X X X X
MAC authentication password override: X X X X
MAC filter override of 802.1X: X X X X
Ability to disable MAC Learning: X X X X
MAC port security: X X X X
Multi-device port authentication: X X X X
Multiple-device port authentication with dynamic VLAN assignment: X X X X
MAC authentication RADIUS timeout action: X X X X
802.1X authentication RADIUS timeout action: X X X X
Secure Copy (SCP): X X X X
Secure Shell (SSH) v2 Server: X X X X
Packet filtering on TCP Flags: X X X

Supported System Level Features

Table 3.4 lists the supported system features for FastIron products.
Table 3.4: Supported System Level Features

Support columns (left to right): FESX, FSX, FSX 800, FSX 1600, FWSX | FGS, FLS | FGS-STK, FLS-STK | FWS

10/100/1000 port speed: X X X X
16,000 MAC addresses per switch: X X X X
802.3ad link aggregation (dynamic trunk groups): X X X X
  • Foundry ports enabled for link aggregation follow the same rules as ports configured for trunk groups. See “Trunk Group Rules” on page 15-3.
ACL-Based Mirroring: X X X X
ACL-Based Rate Limiting: X X X X
  • FastIron X Series devices support ACL-based fixed and adaptive rate limiting on inbound ports
  • FGS, FLS, FWS, FGS-STK and FLS-STK devices support ACL-based fixed rate limiting on inbound ports
ACL filtering based on VLAN membership or VE port membership: X
ACL logging of denied packets: X
  • ACL logging is supported for denied packets, which are sent to the CPU for logging
  • ACL logging is not supported for permitted packets
  • Packets that are denied by ACL filters are logged in the Syslog based on a sample time-period.
ACL statistics: X
ACLs to filter ARP packets: X
Alias Command: X X X X
Asymmetric flow control: X X X X
  • Responds to flow control packets, but does not generate them.
Auto MDI/MDIX: X X X X
Auto-negotiation: X X X X
Automatic removal of Dynamic VLAN for 802.1X ports: X X X X
Automatic removal of Dynamic VLAN for MAC authenticated ports: X X X X
Broadcast, multicast, and unknown-unicast rate limiting: X X X X
Boot and reload after 5 minutes at or above shutdown temperature: X X X X
DiffServ support: X X X X
Digital Optical Monitoring: X X X X
Displaying interface names in Syslog: X X X X
Displaying TCP/UDP port numbers in Syslog messages: X X X X
Dynamic buffer allocation: X X X X
Fixed rate limiting: X X X X
  • FESX, FSX, FSX 800, FSX 1600, and FWSX, and FESX6 support:
    • Port-based rate limiting on inbound ports
    • Fixed rate limiting is not supported on 10-Gigabit Ethernet ports.
    • Fixed rate limiting is not supported on tagged ports in the full Layer 3 router image
  • FGS, FLS, FWS, FGS-STK and FLS-STK devices support:
    • Port-based fixed rate limiting on inbound ports
    • Port-based and port- and priority-based rate limiting on outbound ports
    • The above are supported on Gigabit and 10-Gigabit Ethernet ports.
Foundry Discovery Protocol (FDP) / Cisco Discovery Protocol (CDP); Generic buffer profile: X X X X X X X
Multi-port static MAC address: X X X X
Multiple Syslog server logging: X X X X
  • Up to six Syslog servers
Negative temperature setting: X X X X
OSPF Version 2 MIB: X X
  • RFC 1850
Outbound rate shaping: X X
  • FGS, FLS, FWS, FGS-STK and FLS-STK devices do not support outbound rate shaping. They support outbound rate limiting.
Outbound rate limiting: X X X X
Path MTU Discovery (RFC 1191) support: X
Port mirroring and monitoring: X X X X
  • Mirroring of both inbound and outbound traffic on individual ports is supported.
Power over Ethernet: X | X (FGS only) | X (FGS only) | X
Priority mapping using ACLs: X X X X
Protected link groups: X X X X
Specifying a Simple Network Time Protocol (SNTP) Server: X X X X
Specifying the minimum number of ports in a trunk group: X X X X
Static MAC entries with option to set priority: X X X X
Virtual Cable Testing (VCT) technology: X X X X
  • Supported on GbE ports only. Not supported on 10-GbE ports.
  • Uses Time Domain Reflectometry (TDR) technology to detect and report cable statistics such as local and remote link pair, cable length, and link status.

Supported Layer 2 Features

Table 3.5 lists the supported Layer 2 features for FastIron products.
Table 3.5: Supported Layer 2 Features

Support columns (left to right): FESX, FSX, FSX 800, FSX 1600, FWSX | FGS, FLS | FGS-STK, FLS-STK | FWS

802.1D Spanning Tree Support: X X X X
  • Enhanced IronSpan support includes Fast Port Span and Single-instance Span
  • Foundry Layer 2 devices (switches) support up to 254 spanning tree instances for VLANs.
  • Foundry Layer 3 devices (routers) support up to 254 spanning tree instances for VLANs.
802.1p Quality of Service (QoS): X X X X
  • Strict Priority (SP)
  • Weighted Round Robin (WRR)
  • Combined SP and WRR
  • 8 priority queues
802.1s Multiple Spanning Tree: X X X X
802.1W Rapid Spanning Tree (RSTP): X X X X
  • 802.1W RSTP support allows for sub-second convergence (both final standard and draft 3 supported)
PVST/PVST+ compatibility: X X X X
PVRST+ compatibility: X X X X
PVRST compatibility: X X X X
ACL-based rate limiting QoS: X X X X
BPDU Guard: X X X X
Root Guard: X X X X
Configuring Uplink Ports Within a Port-Based VLAN: X X X X
Dynamic Host Configuration Protocol (DHCP) Assist: X X X X
Extended MRP ring IDs from 1 – 1023: X
IGMP v1/v2 Snooping Global: X X X X
IGMP v3 Snooping Global: X (*,G) | X (S,G) | X (S,G) | X (S,G)
IGMP v1/v2/v3 Snooping per VLAN: X X X X
IGMP v2/v3 Fast Leave (membership tracking): X X X X
IGMP Filters: X X X X
Interpacket Gap (IPG) adjustment: X X X X
Jumbo frames: X X X X
  • 1-Gigabit and 10-Gigabit Ethernet ports
  • Up to 9216 bytes
  • Note: The maximum configurable frame size for jumbo frames in an IronStack is 10,232.
Jumbo frames 10/100 support (up to 10240 bytes): X X X X
Link Fault Signaling (LFS) for 10-Gigabit Ethernet ports: X X X X
LLDP and LLDP-MED: X X X X
MAC-Based VLANs: X X X
  • Dynamic MAC-Based VLAN Activation
Metro Ring Protocol 1 (MRP 1): X X X X
Metro Ring Protocol 2 (MRP 2): X X X X
MLD Snooping V1/V2: X X X X
  • MLD V1/V2 snooping (global and local)
  • MLD fast leave for V1
  • MLD tracking and fast leave for V2
  • Static MLD and IGMP groups with support for proxy
Multicast static group traffic filtering (for snooping scenarios): X X X
PIM-SM V2 Snooping: X X X X
Remote Fault Notification (RFN) for Gigabit Ethernet ports: X X X X
802.3ad link aggregation (dynamic trunk groups): X X X X
  • Foundry ports enabled for link aggregation follow the same rules as ports configured for trunk groups. See “Trunk Group Rules” on page 15-3.
LACP: X X X X
  • LACP trunk group ports follow the same configuration rules as for statically configured trunk group ports.
  • Support for single link LACP
Trunk groups: X X X X
  • Option to include L2 in trunk hash calculation
  • Support for trunk threshold for static trunk groups
Flexible trunk group membership: X X X X
Topology groups: X X X X
Uni-directional Link Detection (UDLD) (Link keepalive): X X X X
Virtual Switch Redundancy Protocol (VSRP): X X X X
VoIP Autoconfiguration and CDP: X X X X
VSRP-Aware security features: X X X X
VLAN Support: X X X X
  • 4096 maximum VLANs
  • 802.1Q with tagging
  • Dual-mode VLANs
  • GVRP
  • Layer 2 VLANS (untagged ports only)
  • Port-based VLANs
  • Protocol VLANs (AppleTalk, IPv4, dynamic IPv6, and IPX)
  • Layer 3 Subnet VLANs (Appletalk, IP subnet network, and IPX)
  • VLAN groups
  • Private VLANs
Super Aggregated VLANs: X X X X
VLAN Q-in-Q Tagging (tag-type 8100 over 8100 encapsulation): X X X X
VLAN-based mirroring: X X X
VSRP and MRP signaling: X X X X
VSRP Fast Start: X X X X
VSRP timer scaling: X X X X
Supported Base Layer 3 Features

Base Layer 3 software images include all of the management, security, system, and Layer 2 features listed in the previous tables, plus the features listed in Table 3.6.

Table 3.6: Supported Base Layer 3 Features

Support columns (left to right): FESX, FSX, FSX 800, FSX 1600 | FGS, FLS | FGS-STK, FLS-STK | FWS

ACL-based rate limiting QoS: X X X X
DHCP Relay: X X X X
DVMRP: X
ECMP: X X
IP helper: X X X X
RIP V1 and V2 (advertising only): X X X X
  • Static RIP support only. The Foundry device with Base Layer 3 does not learn RIP routes from other Layer 3 devices. However, the device does advertise directly connected routes.
Routing for directly connected IP subnets: X X X X
Static IP routing: X X X X
  • Up to 4000 IP route entries for FESX, FSX, FWSX
  • Up to 1000 hardware entries for FGS, FWS and FLS - shared with ACLs and MAC features
Virtual Interfaces; VRRP timer scaling: X X X X X X X X X
  • Up to 255 virtual interfaces

Supported Edge Layer 3 Features

Edge Layer 3 software images include all of the base Layer 3 features listed in the previous tables, plus the features shown in Table 3.7.

NOTE: Edge Layer 3 images are supported on FGS, FLS, and FWS edge premium (EPREM) models.

Table 3.7: Supported Edge Layer 3 Features

Support columns (left to right): FGS, FLS EPREM | FGS-STK, FLS-STK | FWS EPREM

OSPF V2 (IPv4): X X
Full RIP V1 and V2: X X
Route-only support (Global configuration level only): X X
Route redistribution: X X
1000 routes in hardware maximum: X X

Supported Full Layer 3 Features

Full Layer 3 software images include all of the management, security, system, Layer 2, base Layer 3 and edge Layer 3 features listed in the previous tables, plus the features shown in Table 3.8.
NOTE: Full Layer 3 features are supported on FastIron X Series premium devices only.

Table 3.8: Supported Full Layer 3 Features

Support column: FESX, FSX, FSX 800, FSX 1600

6,000 active host routes maximum: X
BGP4: X
IGMP V1, V2, and V3 (for multicast routing scenarios): X
IP multicast routing protocols (DVMRP, PIM-SM, PIM-DM): X
  • Layer 3 Switches support up to 1024 PIM groups and 1024 DVMRP groups by default
ICMP Redirect messages: X
IGMPv3 fast leave (for routing): X
IPv6 Layer 3 forwarding (1): X
IPv6 over IPv4 tunnels in hardware (1): X
IPv6 Redistribution (1): X
IPv6 Static Routes (1): X
OSPF V3 (IPv6) (1): X
Policy-Based Routing (PBR): X
  • This feature is not supported on Base Layer 3
RIPng (IPv6) (1): X
Route-only support: X
  • Disabling Layer 2 Switching at the CLI Interface level as well as the Global CONFIG level.
  • This feature is not supported on virtual interfaces
Route redistribution (including BGP4): X
Routes in hardware maximum: X
  • FSX devices support up to 256,000 routes in hardware
  • FESX devices support up to 100,000 routes in hardware
VRRP-E: X
  NOTE: VRRP-E is supported in the full Layer 3 code only. It is not supported in the base Layer 3 code.
VRRP-E slow start timer: X
VRRP-E timer scale: X

1. This feature is enabled by the IPv6 PROM (IPv6 full layer 3 image).

Supported IPv6 Management Features

Table 3.9 shows the IPv6 management features that are supported in Foundry devices that can be configured as an IPv6 host in an IPv6 network, and in devices that support IPv6 routing.
Table 3.9: Supported IPv6 Management Features

Support columns (left to right): FESX, FSX, FSX 800, FSX 1600, FWSX | FGS, FLS | FGS-STK, FLS-STK | FWS

Link-Local IPv6 Address: X X X
IPv6 Access List: X X X
IPv6 copy: X X X
IPv6 ncopy: X X X
IPv6 debug: X X X
IPv6 ping: X X X
IPv6 traceroute: X X X
DNS server name resolution: X X X
HTTP/HTTPS: X X X
Logging (Syslog): X X X
RADIUS: X X X
SCP: X X X
SSH: X X X
SNMP v1, v2, v3: X X X
SNTP: X X X
Syslog: X X X
TACACS/TACACS+: X X X
Telnet: X X X
TFTP: X X X
Traps: X X X

Unsupported Features

Table 3.10 lists the features that are not supported on the FastIron X Series and FGS, FWS, and FLS devices. If required, these features are available on other Foundry devices.

Table 3.10: Unsupported Features

System Level Features not Supported
• ACL logging of permitted packets. Note that ACL logging is supported for denied packets, which are sent to the CPU for logging.
• Broadcast and multicast MAC filters
• Outbound ACLs

Layer 2 Features not Supported
• SuperSpan
• VLAN-based priority

Layer 3 Features not Supported
• AppleTalk
• Base Layer 3 features and full Layer 3 features are not supported on the FWSX
• BGP4+
• Foundry Standby Router Protocol (FSRP)
• IPv6 Multicast Routing
• IPX
• IS-IS
• Multiprotocol Border Gateway Protocol (MBGP)
• Multiprotocol Label Switching (MPLS)
• Multiprotocol Source Discovery Protocol (MSDP)
• Network Address Translation (NAT)
Chapter 4 Foundry Stackable Devices

This chapter provides information about Foundry FGS-STK and FLS-STK stackable devices and IronStack technology. This chapter contains the following sections:
• “Foundry IronStack Overview” on page 4-1 - Provides a brief overview of Foundry IronStack technology, including stacking terminology and FastIron GS-STK and FastIron LS-STK model descriptions.
• “Building an IronStack” on page 4-5 - Provides scenarios for building an IronStack, including procedural steps and CLI examples.
• “IronStack Management” on page 4-19 - Provides information about how to manage your IronStack, including procedures for merging stacks, replacing units in an IronStack, changing stack ID numbers, and other management tasks.
• “Troubleshooting an IronStack” on page 4-52 - Provides troubleshooting information and procedures for your IronStack.
• “More About IronStack Technology” on page 4-58 - Provides additional information about stacking technology.

Foundry IronStack Overview

This section gives a brief overview of IronStack technology, including IronStack terminology. This section also lists the FastIron GS-STK and FastIron LS-STK models that support stacking. This section contains the following topics:
• “IronStack Technology Features” on page 4-1
• “Foundry Stackable Models” on page 4-2
• “Foundry IronStack Terminology” on page 4-3

IronStack Technology Features

A stack is a group of devices that are connected so that they operate as a single chassis. Foundry IronStack stacking technology features include:
• Management by a single IP address
• Support for up to eight units per stack
• Flexible stacking ports
• Linear and ring stack topology support
• Secure Setup utility to make stack setup easy and secure
• Active Controller, Standby Controller, and member units in a stack
• Active Controller management of the entire stack
• Active Controller download of software images to all stack units
• Standby Controller for stack redundancy
• Active Controller maintenance of an information database for all stack units
• Packet switching in hardware between ports on stack units
• All protocols operate on an IronStack in the same way as on a chassis system.

Foundry Stackable Models

Platform Support:
• FastIron GS-STK and FastIron LS-STK devices running software version 05.0.00 and later

All FastIron GS-STK and FastIron LS-STK devices running software release 05.0.00 or later can be active members of a Foundry IronStack. Existing FGS and FLS models can be upgraded in the field to support stacking using the Upgrade Kit. For information about how to order and install the Upgrade Kit, see the Foundry FastIron GS Compact Layer 2 Switch Hardware Installation Guide and the Foundry FastIron LS Hardware Installation Guide.

The FGS-STK and FLS-STK models, and the upgrade kits, are listed below:

FGS-STK Models
• FGS624P-STK - 24 port stackable device, POE upgradeable
• FGS648P-STK - 48 port stackable device, POE upgradeable
• FGS624P-DC-STK - 24 port DC power stackable device, POE upgradeable
• FGS648P-DC-STK - 48 port DC power stackable device, POE upgradeable
• FGS624P-POE-STK - 24 port stackable device with POE
• FGS648P-POE-STK - 48 port stackable device with POE
• FGS624P-POE-DC-STK - 24 port DC power stackable device with POE
• FGS648P-POE-DC-STK - 48 port DC power stackable device with POE
• FGS624XGP-STK - 24 port stackable device with one 10G Ethernet port, POE upgradeable
• FGS624XGP-DC-STK - 24 port DC stacking device with one 10G Ethernet port, POE upgradeable
• FGS624XGP-POE-STK - 24 port stacking device with one 10G Ethernet port and POE
• FGS624XGP-POE-DC-STK - 24 port DC stacking device with one 10G Ethernet port and POE

FLS-STK Models
• FLS624-STK - 24-port stackable device
• FLS648-STK - 48-port stackable device

Upgrade Kits
• FGS624-STK-CXU
• FGS648-STK-CXU
• FGS624-STK-U
• FGS648-STK-U
• FLS624-STK-CXU
• FLS648-STK-CXU
• FLS624-STK-U
• FLS648-STK-U

Foundry IronStack Terminology

Stack Unit Roles:
• Active Controller - Handles stack management and configures all system- and interface-level features.
• Future Active Controller - The unit that will take over as Active Controller after the next reload, if its priority has been changed to the highest priority. When a priority for a stack unit is changed to be higher than the existing Active Controller, the takeover does not happen immediately, to prevent disruptions in the stack operation.
• Standby Controller - The stack member with the highest priority after the Active Controller. The Standby Controller takes over if the current Active Controller fails.
• Stack Member - A unit functioning in the stack in a capacity other than Active or Standby Controller.
• Stack Unit - Any device functioning within the stack, including the Active Controller and Standby Controller.
• Upstream Stack Unit - An upstream unit is connected to the first stacking port on the Active Controller. (The left-hand port as you face the stacking ports.) See Figure 4.1 and Figure 4.2.
• Downstream Stack Unit - A downstream unit is connected to the second stacking port on the Active Controller. (The right-hand port as you face the stacking ports.) See Figure 4.1 and Figure 4.2.

General Terminology:
• Bootup Role - The role a unit takes during bootup. This role can be standalone, Active Controller, Standby Controller, or stack member. The Active Controller or a standalone unit can access the full range of the CLI. Until a stack is formed, the local consoles on the Standby Controller and stack members provide access to a limited form of the CLI, such as the show, stack, and a few debug commands. When the stack is formed, all local consoles are directed to the Active Controller, which can access the entire CLI. The last line of output from the show version command indicates that unit’s role, unless it is a standalone unit, in which case the role is not shown. For example:

My stack unit ID = 1, bootup role = active

• Clean Unit - A unit that contains no startup flash configuration or run time configuration. To erase old configuration information, enter the erase startup-config command and reset the unit.
• Control Path - A path across stacking links dedicated to carrying control traffic such as commands to program hardware or software image data for upgrades. A stack unit must join the control path to operate fully in the stack.
• Interprocessor Communications (IPC) - The process by which proprietary packets are exchanged between stack unit CPUs.
• IronStack - A set of Foundry stackable units (maximum of eight) and their connected stacking links, arranged so that all units can be accessed through their common connections, a single unit can manage the entire stack, and configurable entities, such as VLANs and trunk groups, can have members on multiple stack units.
• Non-Functioning Stack Unit - A stack unit that is recognized as a stack member, and is communicating with the Active Controller over the Control Path, but is in a non-functioning state. Because of this state, traffic from the non-stack ports will not be forwarded into the stack; it will be dropped or discarded. This may be caused by an image or configuration mismatch.
• Sequential Connection - Stack unit IDs, beginning with the Active Controller, are sequential. For example, 1, 3, 4, 6, 7 is sequential if the Active Controller is 1 (gaps are allowed). 1, 7, 6, 4, 3 is non-sequential in a linear topology, but becomes sequential in a ring topology when counted from the other direction as 1, 3, 4, 6, 7.
• Standalone Unit - A unit that is not enabled for stacking, or an Active Controller without any Standby Controller or stack members.
• Stacking Link - A cable that connects a stacking port on one unit to a stacking port on another unit.
• Stack Path - A data path formed across the stacking links to determine the set of stack members that are present in the stack topology, and their locations in the stack.
• Stacking Port - A physical interface on a stack unit that connects a stacking link. Stacking ports are point-to-point links that exchange proprietary packets. Stacking ports must be 10 Gigabit Ethernet ports, and cannot be configured for any other purpose while operating as stacking ports. Foundry stacking units contain two ports that can be stacking ports. However, the flexible stacking port feature also allows you to use one port as a stacking port and the other port as a regular data port. See “Controlling Stack Topology” on page 4-30.
• Stack Slot - A slot in a stack is synonymous with a line module in a chassis. Table 4.2 shows which ports represent slots 1, 2, 3, and 4 for FGS-STK and FLS-STK devices. Slots 2 and 3 on FLS-STK devices contain the stacking ports. Slot 2 contains the stacking ports on FGS-STK devices.
• Stack Topology - A contiguously-connected set of stack units in an IronStack that are currently communicating with each other. All units that are present in the stack topology appear in output from the show stack command.
• Static Configuration - A configuration that remains in the Active Controller’s database even if the unit it refers to is removed from the stack. Static configurations are derived from the startup configuration file during the boot sequence, are manually entered, or are converted from dynamic configurations after a write memory command is issued.
• Dynamic Configuration - A unit configuration that is dynamically learned by a new stack unit from the Active Controller. A dynamic configuration disappears when the unit leaves the stack.

Building an IronStack

This section describes how to build an IronStack. Before you begin, you should be familiar with the supported stack topologies and the software requirements. When you are ready to build your stack, you can go directly to the instructions.
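The Sequential Connection rule from the terminology list above can be checked mechanically. The following is an added example, not code from the Foundry guide or from the IronStack software; the function names and the "linear"/"ring" topology strings are choices made for this example. It generalizes the two lists given in the definition: the Active Controller's ID comes first, the remaining IDs must increase along the stacking path (gaps allowed), and in a ring the path may be walked in either direction.

```python
"""Sequential Connection check for IronStack unit IDs.

Added example, not code from the Foundry guide. The Active Controller's ID
is listed first; the rest must increase along the stacking path. In a ring
topology every unit can be reached from either side of the Active
Controller, so a list that is non-sequential read one way may be
sequential read the other way.
"""
from typing import List, Optional


def _strictly_increasing(ids: List[int]) -> bool:
    """True when each ID is greater than the one before it; gaps are allowed."""
    return all(a < b for a, b in zip(ids, ids[1:]))


def sequential_walk(unit_ids: List[int], topology: str) -> Optional[List[int]]:
    """Return the IDs in the walking order that makes them sequential, or None.

    unit_ids: IDs in physical connection order, Active Controller first.
    topology: "linear" or "ring" (strings chosen for this example).
    """
    if topology not in ("linear", "ring"):
        raise ValueError("topology must be 'linear' or 'ring'")
    if not unit_ids or len(set(unit_ids)) != len(unit_ids):
        return None  # an empty stack or duplicate IDs can never be sequential
    active, rest = unit_ids[0], unit_ids[1:]
    forward = [active] + rest
    if _strictly_increasing(forward):
        return forward
    if topology == "ring":
        # Walk the ring the other way round: the units after the Active
        # Controller are visited in reverse order.
        backward = [active] + rest[::-1]
        if _strictly_increasing(backward):
            return backward
    return None


def is_sequential(unit_ids: List[int], topology: str) -> bool:
    """True if some walk of the stack, starting at the Active Controller, is sequential."""
    return sequential_walk(unit_ids, topology) is not None


if __name__ == "__main__":
    # Constructed samples, taken from the definition's own examples.
    print(is_sequential([1, 3, 4, 6, 7], "linear"))   # True
    print(is_sequential([1, 7, 6, 4, 3], "linear"))   # False
    print(sequential_walk([1, 7, 6, 4, 3], "ring"))   # [1, 3, 4, 6, 7]
```

sequential_walk returns the direction that counts, which is what an operator wants to see when a ring reports IDs in what looks like the wrong order.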
This section contains the following topics:
• “Foundry IronStack Topologies” on page 4-5
• “Software Requirements” on page 4-6
• “IronStack Construction Methods” on page 4-7
• “Scenario 1 - Configuring a Three-Member IronStack in a Ring Topology using Secure Setup” on page 4-8
• “Scenario 2 - Configuring a Three-Member IronStack in a Ring Topology using the Automatic Setup Process” on page 4-13
• “Scenario 3 - Configuring a Three-Member IronStack in a Ring Topology using the Manual Configuration Process” on page 4-16
• “Verifying Your IronStack Configuration” on page 4-17

Foundry IronStack Topologies

Foundry IronStack technology supports linear and ring stack topologies. Although Foundry stackable units may be connected in a simple linear topology, Foundry recommends a ring topology because it offers the best redundancy and the most resilient operation.

Figure 4.1 shows a linear stack topology. Figure 4.2 shows a ring stack topology. These illustrations depict only one cabling configuration, but cabling methods may differ depending on requirements. For information about how to physically connect your stacking units, see the Foundry FastIron GS Compact Layer 2 Switch Hardware Installation Guide and the Foundry FastIron LS Hardware Installation Guide.

NOTE: A Foundry IronStack can contain all FGS devices, all FLS devices, or any combination of the two. Because stack ports are located on the front panel of FGS devices, and on the rear panel of FLS devices, building a mixed-environment stack will require longer cables than an unmixed stack. Plan your installation accordingly. For more information about connecting mixed stacks, see the Foundry FastIron GS Compact Layer 2 Switch Hardware Installation Guide and the Foundry FastIron LS Hardware Installation Guide.

Figure 4.1 Linear Stack Topology

[Figure: three FGS-STK units cabled in a line through their stacking ports (FGS-2XG module in slot 2); the units are labelled Upstream unit, Active Controller, and Downstream unit.]

Note: In linear topologies, stack units at either end of the stack use only one stacking port. The unused stacking port may be used as a data port.

Figure 4.2 Ring Stack Topology

[Figure: three FGS-STK units cabled in a ring through their stacking ports; the Active Controller is in the middle and the other two units are each labelled Upstream and Downstream unit.]

Note: In ring topologies, stack units are considered both upstream and downstream because every unit can be reached from either direction.

Software Requirements

Support for stacking is added in FGS software release 05.0.00. Earlier releases do not support stacking. All units in an IronStack must be running the same version of release 05.X.XX software.

IronStack Construction Methods

There are three ways to build an IronStack:

1. Use the Secure Setup utility to form your stack.
Secure Setup gives you control over the design of your stack topology and provides security through password verification. For the Secure Setup procedure, see “Scenario 1 - Configuring a Three-Member IronStack in a Ring Topology using Secure Setup” on page 4-8.
2. Automatic stack configuration. With this method, you enter all configuration information, including the module type and the priorities of all members, into the unit you decide will be the Active Controller and set its priority to be the highest. When you enable stacking on the Active Controller, the stack then forms automatically. This method requires that you start with clean units (except for the Active Controller) that do not contain startup or run-time configurations. See “Scenario 2 - Configuring a Three-Member IronStack in a Ring Topology using the Automatic Setup Process” on page 4-13.
3. Manual stack configuration. With this method, you configure every unit individually, and enable stacking on each unit. Once the units are connected together, they will automatically operate as an IronStack. With this method the unit with the highest priority becomes the Active Controller, and ID assignment is determined by the sequence in which you physically connect the units. See “Scenario 3 - Configuring a Three-Member IronStack in a Ring Topology using the Manual Configuration Process” on page 4-16.

Configuration Notes

Before you configure your IronStack, consider the following guidelines:
• Consider the number of units, and the mix of units your stack will contain, and how the stacking ports on the units will be connected. For more information see the Foundry FastIron GS Compact Layer 2 Switch Hardware Installation Guide, or the Foundry FastIron LS Hardware Installation Guide.
• The stack should be physically cabled in a linear or ring topology. Connect only those units that will be active in the stack.
• Make sure all units intended for the stack are running the same software version (release 05.0.00 and later). See “Confirming Software Versions” on page 4-28.

Scenario 1 - Configuring a Three-Member IronStack in a Ring Topology using Secure Setup

This scenario describes how to build an IronStack using the Secure Setup utility. Secure Setup lets you easily configure your entire stack through the Active Controller, which propagates the configuration to all stack members. Secure Setup is the most secure way to build an IronStack, and gives you the most control over how your stack is built. For example, Secure Setup offers three security features that prevent unauthorized devices from accessing or joining an IronStack:
• Authentication of secure setup packets provides verification that these packets are from a genuine Foundry stack unit. MD5-based port verification confirms stacking ports.
• A superuser password is required to allow password-protected devices to become members of an IronStack.
• The stack disable command. When this command is issued, a unit does not listen for or send stacking packets, which means that no other device in the network can force the stacking-disabled unit to join an IronStack.

Secure Setup can also be used to add units to an existing IronStack (see “Adding, Removing, or Replacing Units in an IronStack” on page 4-48) and to change the stack IDs of stack members (see “IronStack Unit Identification” on page 4-23). When Secure Setup is issued on a unit that is not already the Active Controller, this unit becomes the Active Controller, and, if it does not have an assigned priority, Secure Setup assigns it a priority of 128. Any unit that then tries to join the stack must have an assigned priority less than 128. If Secure Setup discovers a unit with a priority of 128 or higher, it changes this unit’s priority to 118.
NOTE: Secure Setup works for units within a single stack. It does not work across stacks.

Figure 4.2 on page 4-6 shows an IronStack with three units in a ring topology. Refer to this figure as you follow the procedure steps for this scenario. To configure a three-member stack in a ring topology using Secure Setup, perform the following steps:
1. Connect the devices using the stacking ports and stack cabling. For more information see the appropriate hardware installation guides.
2. Power on the units.
3. Connect your console to the intended Active Controller. The unit through which you run Secure Setup becomes the Active Controller by default.
4. Issue the stack enable command on the intended Active Controller:

FGS648-STK Switch#config t
FGS648-STK Switch(config)#stack enable
FGS648-STK Switch(config)#exit
FGS648-STK Switch#

5. Enter the stack secure-setup command. As shown in the following example, this command triggers a Foundry proprietary discovery protocol that begins the discovery process in both upstream and downstream directions. The discovery process produces a list of upstream and downstream devices that are available to join the stack. Secure Setup can detect up to 7 units in each direction (14 total), but since the maximum number of units in a stack is 8, you must select a maximum of 7 units from both directions.

NOTE: To exit the secure setup, enter ^C at any time.

You should see output similar to the following:

FLS648-STK Switch#stack secure-setup
FLS648-STK Switch#Discovering the stack topology...

Current Discovered Topology - RING

Available UPSTREAM units
Hop(s) Type    Mac Address
1      FLS624  0012.f239.2d40
2      FLS624  0012.f2d5.2100

Available DOWNSTREAM units
Hop(s) Type    Mac Address
1      FLS624  0012.f2d5.2100
2      FGS624  0012.f239.2d40

Do you accept the topology (RING) (y/n)?: y

If you accept the topology, you will see output similar to the following:

Selected Topology:
Active Id Type    Mac Address
       1  FLS648  00e0.52ab.cd00

Selected UPSTREAM units
Hop(s) Id Type    Mac Address
1      3  FLS624  0012.f239.2d40
2      2  FGS624  0012.f2d5.2100

Selected DOWNSTREAM units
Hop(s) Id Type    Mac Address
1      2  FGS624  0012.f2d5.2100
2      3  FLS624  0012.f239.2d40

Do you accept the unit id's (y/n)?: y

To accept the unit ID assignments, type y. If you do not want to accept the ID assignments, type n. You can use Secure Setup to renumber the units in your stack. See “Renumbering Stack Units” on page 4-49. If you accept the unit IDs, the stack is formed, and you can see the stack topology using the show stack command:

FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type    Role    Mac Address    Pri State  Comment
1  S FLS648  active  00e0.52ab.cd00 128 local  Ready
2  D FLS624  standby 0012.f2d5.2100 60  remote Ready
3  D FGS624  member  0012.f239.2d40 0   remote Ready

    active         standby
    +---+          +---+          +---+
-2/1| 1 |3/1--2/1| 2 |3/1--2/2| 3 |2/1-
|   +---+          +---+          +---+   |
|                                         |
|-----------------------------------------|
Current stack management MAC is 00e0.52ab.cd00

NOTE: For field descriptions for the show stack command, see “Displaying Stack Information” on page 4-40.

NOTE: In this output, D indicates a dynamic configuration. After you perform a write memory, this display will change to S, for static configuration.

6. The Active Controller automatically checks all prospective stack members to see if they are password protected.
If a unit is password protected, you will be asked to enter the password before you can add the unit. If you do not know the password, take one of the following actions:
• Discontinue Secure Setup by entering ^C
• Obtain the device password from the administrator
• Continue Secure Setup for your stack. The password-protected device and all devices connected behind it will not be included in the setup process.

In the following example, the second unit is password protected, so you are asked for the password.

FGS624-STK Switch#stack secure-setup
FGS624-STK Switch#Discovering the stack topology...
Verifying password for the password protected units...

Found UPSTREAM units
Hop(s) Id Type    Mac Address
1      2  FLS648  001b.ed5e.c480
2      3  FGS648  00e0.5205.0000

Enter password for FGS648 located at 2 hop(s): ****
Enter the number of the desired UPSTREAM units (1-2)[1]: 2

Selected Topology:
Active Id Type    Mac Address
       1  FGS624  00e0.5201.4000

Selected UPSTREAM units
Hop(s) Id Type    Mac Address
1      2  FLS648  001b.ed5e.c480
2      3  FGS648  00e0.5205.0000

Do you accept the unit id's (y/n)?: y

7. When the Active Controller has finished the authentication process, you will see output that shows the suggested assigned stack IDs for each member. You can accept these recommendations, or you can manually configure stack IDs. Enter the show stack command to verify that all units are in the ready state:

FGS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type    Role    Mac Address    Pri State  Comment
1  S FGS624  active  00e0.5201.4000 128 local  Ready
2  S FLS648  standby 001b.ed5e.c480 0   remote Ready
3  S FGS648  member  00e0.5205.0000 0   remote Ready

    active         standby
    +---+          +---+          +---+
-2/1| 1 |3/1--2/1| 2 |3/1--2/2| 3 |2/1-
|   +---+          +---+          +---+   |
|                                         |
|-----------------------------------------|
Current stack management MAC is 00e0.5201.4000
FLS624-STK Switch#

NOTE: For field descriptions for the show stack command, see “Displaying Stack Information” on page 4-40.

8. Enter the write memory command on the Active Controller once all of the stack units are active. This command initiates configuration synchronization, which copies the Active Controller’s configuration file to the rest of the stack units.

NOTE: The Secure Setup process may modify your configuration with information about new units, stacking ports, etc. For this reason, it is very important to save this information by issuing the write memory command. If you do not do this, you may lose your configuration information the next time the stack reboots.

The Secure Setup process for your stack is now complete.

NOTE: During the Secure Setup process, after 1 minute of inactivity, authentication for stack members will expire and you will need to restart the process.

Scenario 2 - Configuring a Three-Member IronStack in a Ring Topology using the Automatic Setup Process

1. Power on the devices.
2. This process requires clean devices (except for the Active Controller) that do not contain any configuration information. To change a device to a clean device, enter the erase startup-config command and reset the device.
When all of the devices are clean, continue with the next step.

NOTE: The physical connections must be sequential, and must match the stack configuration.

3. Log in to the device that you want to be the Active Controller.
4. Configure the rest of the units by assigning ID numbers and module information on each unit. The stack ID can be any number from 1 through 8.

FLS624-STK Switch#config t
FLS624-STK Switch(config)#stack unit 2
FLS624-STK Switch(config-unit-2)#module 1 fls-24-port-copper-base-module
FLS624-STK Switch(config-unit-2)#module 2 fls-xfp-1-port-10g-module
FLS624-STK Switch(config-unit-2)#module 3 fls-xfp-1-port-10g-module
FLS624-STK Switch(config-unit-2)#stack unit 3
FLS624-STK Switch(config-unit-3)#module 1 fls-24-port-copper-base-module
FLS624-STK Switch(config-unit-3)#module 2 fls-xfp-1-port-10g-module
FLS624-STK Switch(config-unit-3)#module 3 fls-xfp-1-port-10g-module

NOTE: Each stack unit must have a unique ID number.

5. Assign a priority to the Active Controller using the priority command, as shown:

FLS624-STK Switch(config)#stack unit 1
FLS624-STK Switch(config-stack-1)#priority 255

Syntax: priority <num from 0-255> (255 is the highest priority)

6. Assign a priority to the unit that will act as Standby Controller:

FLS624-STK Switch#config t
FLS624-STK Switch(config)#stack unit 2
FLS624-STK Switch(config-unit-2)#priority 240

7. Do a write memory command to save your settings.
8. Enter the stack enable command.
9. Physically connect the devices in a stack topology, which triggers an election during which the stack is automatically configured. For more information about cabling the devices, see the appropriate hardware installation guides.

NOTE: When you are configuring individual stack units, you can skip ID numbers. However, the sequence in which the units are connected must match the order in which you configure them. For example, you could configure unit 1 as FGS624, unit 3 as FGS648, unit 4 as FGS624, unit 6 as FLS624 and unit 7 as FLS648. The physical connection order must be: Active (FGS624), FGS648 (3), FGS624 (4), FLS624 (6) and FLS648 (7). The Active Controller is stack unit 1.

10. Verify your stack configuration by entering the show running config command:

FLS624-STK Switch#show running config
Current configuration:
!
ver 05.0.00
!
stack unit 1
  module 1 fls-24-port-copper-base-module
  module 2 fls-xfp-1-port-10g-module
  module 3 fls-xfp-1-port-10g-module
  priority 255
stack unit 2
  module 1 fls-24-port-copper-base-module
  module 2 fls-xfp-1-port-10g-module
  module 3 fls-xfp-1-port-10g-module
  priority 240
stack unit 3
  module 1 fls-24-port-copper-base-module
  module 2 fls-xfp-1-port-10g-module
  module 3 fls-xfp-1-port-10g-module
stack enable
!

NOTE: For field descriptions for the show running config command, see “Displaying Running Configuration Information” on page 4-43.

11. To see information about your stack, enter the show stack command:

FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type    Role    Mac Address    Pri State  Comment
1  S FLS624  active  00e0.5200.0100 255 local  Ready
2  S FLS624  standby 0012.f2eb.afc0 240 remote Ready
3  S FGS624  member  001b.ed5d.a1c0 0   remote Ready

    active         standby
    +---+          +---+          +---+
-2/1| 1 |3/1--2/1| 2 |3/1--2/2| 3 |2/1-
|   +---+          +---+          +---+   |
|                                         |
|-----------------------------------------|
Current stack management MAC is 00e0.5200.0100
FLS624-STK Switch#

NOTE: For field descriptions for the show stack command, see “Displaying Stack Information” on page 4-40.

Configuration Notes for Scenario 2

Consider the following items when building a stack using the automatic setup process:
• If a new unit configuration matches other unit configurations, the Active Controller gives this unit the lowest sequential ID.
For example, in a stack configuration that contains eight FGS624 configurations, but only units 1, 4 and 8 are currently active, if you place a new FGS624 unit between units 4 and 8, the new unit will be assigned ID 5, even though it might match unused IDs 2, 3, 5, 6, and 7, because 5 is the lowest sequential ID.
• In a ring topology, the same new unit might assume either ID if either direction produces sequential IDs. For example, in a four-member stack where IDs 2 and 4 are reserved, a new unit could assume either ID 2 or ID 4 because either ID 1, 2, 3 or 1, 3, 4 is sequential.

Scenario 3 - Configuring a Three-Member IronStack in a Ring Topology using the Manual Configuration Process

1. Power on the devices. Do not connect the stacking cables at this point.
2. Assign a priority of 255 to unit 1, and a priority of 240 to unit 3 using the priority command. You do not have to assign a priority to the third device. Enter the stack enable command on each device. In this example, device 1 will be the Active Controller and device 2 will be the Standby Controller.

Unit 1:
FLS624-STK Switch#config t
FLS624-STK Switch(config)#stack unit 1
FLS624-STK Switch(config-unit-1)#priority 255
FLS624-STK Switch(config-unit-1)#stack enable
Enable stacking. This unit actively participates in stacking
FLS624-STK Switch(config-unit-1)#write memory
Write startup-config done.
FLS624-STK Switch(config-unit-1)#Flash Memory Write (8192 bytes per dot) .Flash to Flash Done.
FLS624-STK Switch(config-unit-1)#end

Unit 2:
FLS624-STK Switch#config t
FLS624-STK Switch(config)#stack enable
Enable stacking. This unit actively participates in stacking
FLS624-STK Switch(config)#Handle election, was standalone --> member, assignedID=2, T=261285 ms.
Write startup-config done.
FLS624-STK Switch(config-unit-1)#Flash Memory Write (8192 bytes per dot) .Flash to Flash Done.
FLS624-STK Switch(config-unit-1)#end
FLS624-STK Switch#config t

Unit 3:
FLS624-STK Switch#config t
FLS624-STK Switch(config)#stack unit 1
FLS624-STK Switch(config-unit-1)#priority 240
FLS624-STK Switch(config-unit-1)#stack enable
Enable stacking. This unit actively participates in stacking
FLS624-STK Switch(config-unit-1)#end

3. Connect the devices in a stack topology. The Active Controller will retain its ID. The rest of the units are assigned unique ID numbers depending on the sequence in which you connected them. For more information about cabling the devices, see the appropriate hardware installation guides.

NOTE: This method does not guarantee sequential stack IDs. If you want to change stack IDs to make them sequential, you can use Secure Setup. See “Renumbering Stack Units” on page 4-49.

Verifying Your IronStack Configuration

1. Log in to the Active Controller and verify the stack information by entering the show running-config and show stack or show stack detail commands. If your stack is configured properly, you should see the following:
• One Active Controller, one Standby Controller, and stack members.
• All stack members show a status of Ready.

FLS624-STK Switch(config)#show running-configuration
Current configuration:
!
ver 05.0.00
!
stack unit 1
  module 1 fgs-24-port-management-module
  module 2 fgs-cx4-2-port-10g-module
  module 3 fgs-xfp-1-port-10g-module
  priority 255
stack unit 2
  module 1 fgs-48-port-management-module
  module 2 fgs-xfp-2-port-10g-module
stack unit 3
  module 1 fls-48-port-copper-base-module
  module 2 fls-xfp-1-port-10g-module
  module 3 fls-cx4-1-port-10g-module
  priority 240
stack enable

FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type    Role    Mac Address    Pri State  Comment
1  S FLS624  active  0012.f2eb.a900 128 local  Ready
2  S FLS648  standby 00f0.424f.4243 60  remote Ready
3  S FGS624  member  00e0.5201.0100 0   remote Ready

    active         standby
    +---+          +---+          +---+
-2/1| 1 |3/1--2/1| 2 |3/1--2/2| 3 |2/1-
|   +---+          +---+          +---+   |
|                                         |
|-----------------------------------------|
Current stack management MAC is 0012.f2eb.a900
FLS624-STK Switch#

NOTE: For field descriptions for the show running config command, see “Displaying Running Configuration Information” on page 4-43.

NOTE: For field descriptions for the show stack command, see “Displaying Stack Information” on page 4-40.

The output from the show stack command contains a visual diagram of the stack. The dashed line between ports 1/2/1 and 3/2/1 indicates that this stack is configured in a ring topology. If the link between ports 1/2/1 and 3/2/1 is lost, the stack topology changes to linear, and the diagram changes to resemble the following:

    active         standby
    +---+          +---+          +---+
-2/1| 1 |3/1--2/1| 2 |3/1--2/2| 3 |2/1-
    +---+          +---+          +---+

The interfaces shown at either end of a stack member are its stacking ports. If no interface is displayed, it indicates that there is no stacking port configured.
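The checks listed in this section (one Active Controller, one Standby Controller, every unit Ready) applied to captured show stack output, as an added example that is not part of the Foundry guide; the sample output is constructed to match the column layout shown above, its MAC addresses are placeholders, and the script additionally flags a unit still in dynamic (D) configuration and a pending "after reload" role change:

```python
"""Parse Foundry IronStack `show stack` output and apply the verification
checks: exactly one Active Controller, one Standby Controller, every unit
Ready, no duplicate IDs. Two further findings are worth raising before the
stack is declared healthy: a unit still in dynamic (D) config means write
memory has not been run, and a "... after reload" comment means a role
change is pending. Added example, not Foundry code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (MACs are placeholders): one unit still dynamically
# configured and one unit whose role will change at the next reload.
SAMPLE_SHOW_STACK = """\
FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type    Role    Mac Address    Pri State  Comment
1  S FLS624  active  0012.f2eb.a900 128 local  Ready
2  S FLS648  standby 00f0.424f.4243 60  remote Ready
3  D FGS624  member  00e0.5201.0100 0   remote Ready, active after reload

    active         standby
    +---+          +---+          +---+
-2/1| 1 |3/1--2/1| 2 |3/1--2/2| 3 |2/1-
|   +---+          +---+          +---+   |
|-----------------------------------------|
Current stack management MAC is 0012.f2eb.a900
"""

ROW_RE = re.compile(
    r"^(?P<id>[1-8])\s+(?P<cfg>S|D|alone)\s+(?P<type>\S+)\s+"
    r"(?P<role>active|standby|member)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<pri>\d{1,3})\s+"
    r"(?P<state>local|remote)\s*(?P<comment>.*)$"
)
MGMT_MAC_RE = re.compile(r"Current stack management MAC is ([0-9a-f.]+)")
RING_RE = re.compile(r"^\|-+\|\s*$", re.MULTILINE)  # dashed closing link of a ring


@dataclass
class StackUnit:
    unit_id: int
    config: str        # S (static), D (dynamic: not yet saved), alone
    unit_type: str
    role: str
    mac: str
    priority: int
    state: str
    comment: str


def parse_show_stack(text: str) -> List[StackUnit]:
    """Return one StackUnit per table row; banner and diagram lines are skipped."""
    units = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            units.append(StackUnit(int(m["id"]), m["cfg"], m["type"], m["role"],
                                   m["mac"], int(m["pri"]), m["state"],
                                   m["comment"].strip()))
    return units


def management_mac(text: str) -> Optional[str]:
    m = MGMT_MAC_RE.search(text)
    return m.group(1) if m else None


def is_ring(text: str) -> bool:
    """The dashed line joining the end ports marks a ring topology."""
    return RING_RE.search(text) is not None


def check_stack(text: str) -> List[str]:
    """Return findings; an empty list means the stack passed every check."""
    units = parse_show_stack(text)
    if not units:
        return ["no stack units parsed from output"]
    findings = []
    roles = [u.role for u in units]
    if roles.count("active") != 1:
        findings.append(f"expected one Active Controller, found {roles.count('active')}")
    if roles.count("standby") != 1:
        findings.append(f"expected one Standby Controller, found {roles.count('standby')}")
    ids = [u.unit_id for u in units]
    if len(set(ids)) != len(ids):
        findings.append(f"duplicate stack IDs: {sorted(ids)}")
    for u in units:
        if not u.comment.startswith("Ready"):
            findings.append(f"unit {u.unit_id} is not Ready: {u.comment!r}")
        if "after reload" in u.comment:
            findings.append(f"unit {u.unit_id} changes role at next reload: {u.comment!r}")
        if u.config == "D":
            findings.append(f"unit {u.unit_id} is dynamically configured; "
                            "run write memory on the Active Controller")
    active = [u for u in units if u.role == "active"]
    mgmt = management_mac(text)
    if active and mgmt and mgmt != active[0].mac:
        findings.append(f"management MAC {mgmt} is not the Active Controller's "
                        f"{active[0].mac} (stack mac configured?)")
    return findings
```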
A Foundry IronStack can be configured and managed using the command line interface (CLI) over a serial connection to a console port, or using IronView Network Manager. To determine what version of IronView Network Manager supports IronStack, see the Foundry IronView Network Manager User Guide.

Logging in through the CLI

You can access the IronStack, and the CLI, in one of two ways:
• Through a direct serial connection to the console port
• Through a local or remote Telnet session using the stack IP address

You can initiate a local Telnet or SNMP connection by attaching a cable to a port and specifying the assigned management station IP address. The stacking commands in the CLI are organized into the following levels:
• Global – Commands issued in the global mode are applied to the entire stack.
• Stack Member Configuration Mode – Commands issued in this mode apply to the specified stack member. Configuration information resides in the Active Controller.
• Configuration Mode – This is where you make configuration changes to the unit. To save changes across reloads, you need to save them to the Active Controller startup-config file. The configuration mode contains sub-levels for individual ports, for VLANs, for routing protocols, and other configuration areas.

NOTE: By default, any user who can open a serial or Telnet connection to the IronStack can access all of these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can configure the Active Controller to use a RADIUS or TACACS/TACACS+ server for authentication. See the chapter “Securing Access to Management Functions” on page 40-1.

Logging in through IronView Network Manager

IronView Network Manager supports stack technology. To determine what version of IronView Network Manager supports stack technology and to find information on IronView Network Manager, see the Foundry IronView Network Manager User Guide.

Logging in through the Console Port

When a device becomes a stack member in the IronStack, it establishes a remote connection to a virtual console port on the Active Controller. Input and output are relayed between the physical console port on the stack member and the virtual console port on the Active Controller. Since each stack member connects to an independent virtual console port on the Active Controller, the console ports on multiple stack units may be used simultaneously. However, messages displayed on the Active Controller's physical console port during a reload will not be visible on the console ports of the stack members because the remote connections are not established until the software loading process is complete.

It is preferable to connect a cable to the console port on the stack unit that will normally be the Active Controller, rather than to the console port of one of the other stack units. When a stack unit establishes communication with the Active Controller, it also establishes a remote console session to the Active Controller. In a normally functioning IronStack, a console cable may be connected to any of the stack units and provide access to the same commands on the Active Controller.

You can terminate a session by entering Ctrl-O followed by 'x' or 'X', or by entering the 'exit' command from the User EXEC level, or by entering the 'logout' command at any level.

NOTE: For the rconsole connections from the stack units to the Active Controller, the escape sequence and other methods of terminating the session are not available.

NOTE: Error messages that are generated during a reload of the Active Controller will not appear on rconsole connections from the stack units to the Active Controller.
To see these error messages, you must connect a console cable to the Active Controller itself.

To establish an rconsole session, enter the rconsole command as shown:

FGS648P-STK Switch#rconsole 1

Syntax: rconsole <stack-unit>

The following example shows how to establish rconsole sessions to stack members. Notice that the show stack command on the stack members displays different information than what is shown when the show stack command is entered on the Active Controller. To see the status of your stack units, enter the show stack command on the Active Controller:

FGS648P-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type     Role    Mac Address    Pri State  Comment
1  S FGS648P  active  0012.f2de.8100 128 local  Ready
2  S FGS624P  standby 0012.f2e2.ba40 0   remote Ready
3  S FGS624P  member  001b.ed7a.22c0 0   remote Ready

    active         standby
    +---+          +---+          +---+
-2/1| 1 |3/1--2/1| 2 |3/1--2/2| 3 |2/1-
|   +---+          +---+          +---+   |
|                                         |
|-----------------------------------------|
Current stack management MAC is 0012.f2de.8100
FLS648P-STK Switch#

NOTE: For field descriptions for the show stack command, see “Displaying Stack Information” on page 4-40.

Establish a remote console session with stack unit 2:

FGS648P-STK Switch#rconsole 2
Connecting to unit 2... (Press Ctrl-O X to exit)
rconsole-2@FGS624P Switch#show stack
ID   Type     Role    Mac Address    Prio State  Comment
2  S FGS624P  standby 0012.f2e2.ba40 0    local  Ready
rconsole-2@FGS648P Switch#exit
rconsole-2@FGS648P Switch>exit
Disconnected. Returning to local session...

Establish a remote console session with stack unit 3:

FGS648P-STK Switch#rconsole 3
Connecting to unit 3... (Press Ctrl-O X to exit)
rconsole-3@FLS624P Switch#show stack
ID   Type     Role    Mac Address    Prio State  Comment
3  S FGS624P  member  001b.ed7a.22c0 0    local  Ready
rconsole-3@FLS624P Switch#logout
Disconnected. Returning to local session...
FGS648P-STK Switch#

IronStack Management MAC Address

The IronStack is identified in the network by a single MAC address, usually the MAC address of the Active Controller (the default). If a new Active Controller is elected, the MAC address of the new Active Controller (by default) becomes the MAC address for the entire stack. However, you can manually configure your stack to use a specified MAC address. See “Manual Allocation of the IronStack MAC Address” on page 4-22.

In an IronStack, the management MAC address is generated by the software, and is always the MAC address of the Active Controller’s first port. This ensures that the management MAC address remains consistent across stack reboots, and helps prevent frequent topology changes as a result of protocol enable, disable, and configuration changes.

When you are configuring Layer 2 protocols on stack units, such as STP, RSTP, and MSTP, the management MAC address of the Active Controller acts as the Bridge ID. You can also configure the IronStack to retain its original MAC address, or wait for a specified amount of time before assuming the address of a new Active Controller, using the Persistent MAC Address feature (see “Persistent MAC Address” on page 4-32).

NOTE: All physical IP interfaces on IronStack devices share the same MAC address. For this reason, if more than one connection is made between two devices, one of which is an FGS-STK or FLS-STK device, Foundry recommends the use of virtual interfaces. It is not recommended to connect two or more physical IP interfaces between two routers.

Manual Allocation of the IronStack MAC Address

You can manually configure your IronStack to use a specific MAC address. This overrides the default condition where the stack uses the MAC address of whatever unit is currently serving as Active Controller.
NOTE: This command is useful for administration purposes; however, it should be used with caution to prevent duplication of MAC addresses.

To configure a stack MAC address manually, enter the following command:

FGS648P-STK Switch#stack mac 0000.0000.0011

Syntax: [no] stack mac <mac-address>
• mac-address - a hexadecimal MAC address in the xxxx.xxxx.xxxx format

Enter the no form of this command to return the MAC address to that of the Active Controller. Output for this command resembles the following:

FLS648-STK Switch(config)#stack mac 0000.0000.0011
FLS648-STK Switch(config)#
FLS648-STK Switch(config)#
FLS648-STK Switch(config)#show running-config
Current configuration:
!
ver 05.0.01 100T7e1
!
stack 1
  module 1 fls-48-port-copper-base-module
  module 2 fls-cx4-1-port-10g-module
  priority 80
stack 2
  module 1 fls-24-port-copper-base-module
  module 2 fls-cx4-1-port-10g-module
  module 3 fls-cx4-1-port-10g-module
stack enable
stack mac 0000.0000.0011
!
!

To display the stack MAC address, enter the show chassis command:

FGS648P-STK Switch#show chassis
The stack unit 1 chassis info:
Power supply 1 (NA - AC - Regular) present, status ok
Power supply 2 not present
Fan 1 ok
Fan 2 ok
Exhaust Side Temperature Readings:
  Current temperature : 35.5 deg-C
  Warning level.......: 80.0 deg-C
  Shutdown level......: 90.0 deg-C
Intake Side Temperature Readings:
  Current temperature : 33.5 deg-C
Boot Prom MAC: 0012.f2de.9440
Management MAC: 0000.0000.0011

The stack unit 2 chassis info:
Power supply 1 (NA - AC - Regular) present, status ok
Power supply 2 not present
Fan 1 ok
Fan 2 ok
--More--, next page: Space, next line: Return key, quit: Control-c

NOTE: For field descriptions for the show chassis command, see “Displaying Chassis Information” on page 4-37.

IronStack Unit Identification

Stack units are identified by numbers 1 through 8. You can display stack unit IDs by entering the show stack command (see “Displaying IronStack Information” on page 4-35). A new device (one that has not been connected in an IronStack or has not been manually assigned a stack unit number) ships with a default number of 1. Once you enable stacking and the unit becomes part of an IronStack, its default stack unit number changes to the lowest available number in the stack. Stack units must each have a unique identification number. Every stack member, including any standalone units, retains its stack unit number unless that number is already being used in the stack, or until you manually renumber the unit using Secure Setup. For more information about how to renumber stack IDs using Secure Setup, see “Renumbering Stack Units” on page 4-49.

IronStack Unit Priority

A unit with a higher priority is more likely to be elected Active Controller. The priority value can be 0 to 255, with a priority of 255 being the highest. The default priority value assigned to the Active Controller and Standby is 128. You can assign the highest priority value to the stack unit you want to function as the Active Controller. When you enter a new priority value for a stack unit, that value takes effect immediately, but does not affect the current Active Controller until the next reset. See “Changing the Priority of a Stack Unit” on page 4-24.

You can give your Active and Standby Controllers the same priority, or different priorities (Active highest, Standby second-highest). When the Active and Standby Controllers have the same priority, if the Active fails and the Standby takes over, and the original Active then becomes operational again, it will not be able to resume its original role. In the same situation, when the priorities of the Active and Standby Controllers are different, the old Active Controller will regain its role and will reset the other units.
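The election and priority rules described in this section, together with the Secure Setup priority adjustment from Scenario 1 (128 for the unit running it, 118 for any other unit at 128 or above), as an added example that is not Foundry code; the unit IDs and priorities are constructed, and two details the guide does not state are assumptions noted in the docstring:

```python
"""Model of IronStack Active Controller election by priority.

Added example, not Foundry code. Rules taken from the guide: the highest
priority wins; when the Active fails the Standby takes over; a returning
unit with the same priority as the current Active does not get its role
back, while a returning unit with a higher priority regains it and resets
the other units; a priority change that would displace the current Active
takes effect only at the next reload; Secure Setup gives the unit it runs
on priority 128 and lowers any other unit at 128 or above to 118.
Assumptions not in the guide: a unit with no configured priority competes
as 0, and a tie at stack formation goes to the lowest unit ID.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Unit:
    unit_id: int
    priority: Optional[int] = None   # None: no priority configured on this unit
    up: bool = True


def effective(u: Unit) -> int:
    return u.priority if u.priority is not None else 0   # assumption


class IronStackModel:
    def __init__(self, units: List[Unit]):
        self.units: Dict[int, Unit] = {u.unit_id: u for u in units}
        self.active_id: Optional[int] = None
        self.elect()

    def _best(self) -> Optional[int]:
        """Who an election held now would pick: highest priority; the
        incumbent keeps the role on a tie, else the lowest unit ID on top."""
        up = [u for u in self.units.values() if u.up]
        if not up:
            return None
        top = max(effective(u) for u in up)
        incumbent = self.units.get(self.active_id)
        if incumbent is not None and incumbent.up and effective(incumbent) == top:
            return incumbent.unit_id
        return min(u.unit_id for u in up if effective(u) == top)

    def elect(self) -> Optional[int]:
        """Unconditional election: stack formation, failover or reload."""
        self.active_id = self._best()
        return self.active_id

    def standby_id(self) -> Optional[int]:
        """Standby is the best remaining unit (Active highest, Standby next)."""
        rest = [u for u in self.units.values() if u.up and u.unit_id != self.active_id]
        if not rest:
            return None
        return max(rest, key=lambda u: (effective(u), -u.unit_id)).unit_id

    def fail(self, unit_id: int) -> Optional[int]:
        """Unit goes down; if it was the Active, the Standby takes over."""
        self.units[unit_id].up = False
        if unit_id == self.active_id:
            self.active_id = None
            self.elect()
        return self.active_id

    def recover(self, unit_id: int) -> Tuple[Optional[int], List[int]]:
        """Unit comes back. Returns (active_id, units reset by a returning
        higher-priority Active); an equal-priority unit does not preempt."""
        self.units[unit_id].up = True
        previous = self.active_id
        winner = self._best()
        if winner != previous:
            self.active_id = winner
            return winner, sorted(i for i, u in self.units.items() if u.up and i != winner)
        return previous, []

    def set_priority(self, unit_id: int, value: int) -> Tuple[str, Optional[int]]:
        """Immediate unless the change would alter who is Active; then the
        new Active is reported as taking over only after the next reload."""
        if not 0 <= value <= 255:
            raise ValueError("priority must be 0-255")
        self.units[unit_id].priority = value
        winner = self._best()
        if winner == self.active_id:
            return "immediate", winner
        return "after reload", winner

    def reload(self) -> Optional[int]:
        return self.elect()


def secure_setup(model: IronStackModel, controller_id: int) -> Dict[int, Optional[int]]:
    """Priority normalisation performed by Secure Setup, per the guide."""
    ctl = model.units[controller_id]
    if ctl.priority is None:
        ctl.priority = 128
    for u in model.units.values():
        if u.unit_id != controller_id and u.priority is not None and u.priority >= 128:
            u.priority = 118
    model.active_id = controller_id      # the unit running Secure Setup is the Active
    return {i: u.priority for i, u in model.units.items()}
```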
4 - 23 Foundry FastIron Configuration Guide If you want to assign the same priority to the Active and Standby Controllers, you must do so after the stack is formed. This prevents the intended Standby Controller from becoming the Active Controller during stack construction. Changing the priority of a stack member will trigger an election that takes effect immediately unless the Active Controller’s role changes. If this is the case, the changes will not take effect until after the next stack reload. To display stack member priority values, enter the show stack command: FLS624-STK Switch(config-unit-3)#show stack alone: standalone, D: dynamic config, S: static config ID Type Role Mac Address Pri State Comment 1 S FLS624 active 0012.f2eb.a900 128 local Ready 2 S FLS624 standby 00f0.424f.4243 0 remote Ready, member after reload 3 S FLS624 member 001b.ed5d.a100 200 remote Ready, active after reload FLS624-STK Switch(config-unit-3)# Changing the Priority of a Stack Unit To change the priority value for a stack unit, enter the priority command: FLS624-STK Switch(Config)#stack unit 1 FLS624-STK Switch(Config-unit-1)#priority 128 Syntax: priority <num from 0-255> (255 is the highest priority) CLI Command Syntax CLI syntax that refers to stack units must contain all of the following parameters: Syntax: command [<stack-unit>|<slotnum>|<portnum>] • <stack-unit> - required on stackable FastIron devices running software release 0.5.00 or later. If the FastIron GS or LS device is operating as a standalone, the stack-unit will always be 1. Stack IDs can be any number from 1 through 8. • <slotnum> - required on chassis devices and on FastIron GS devices running software release 02.5.00 or later. For stackable devices, slotnum refers to specific groups of ports on each device. • <portnum>- a valid port number. • <port-list> - you can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. 
To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.

IronStack CLI Commands

CLI commands specific to stacking are listed in Table 4.1, with a link to the description for each command. For more information about CLI commands and syntax conventions, see the “Getting Familiar with Management Applications” chapter.

Table 4.1: Stacking CLI Commands

Command                      Description Location...
copy flash flash             “Copying the Flash Image to a Stack Unit from the Active Controller” on page 4-29
clear stack ipc              “Troubleshooting an Unsuccessful Stack Build” on page 4-52
kill console                 “Configuring TACACS/TACACS+ for Devices in a Foundry IronStack” on page 40-28
priority                     “Changing the Priority of a Stack Unit” on page 4-24
rconsole                     “Logging in through the Console Port” on page 4-20
reload stack unit            “Reloading a Stack Unit” on page 4-29
show chassis                 “Displaying Chassis Information” on page 4-37
show flash                   “Displaying Flash Information” on page 4-36
show memory                  “Displaying Memory Information” on page 4-36
show module                  “Displaying Stack Module Information” on page 4-39
show running-config          “Displaying Running Configuration Information” on page 4-43
show stack                   “Displaying Stack Information” on page 4-40
show stack detail            “Displaying Stack Information” on page 4-40
show stack ipc               “Troubleshooting an Unsuccessful Stack Build” on page 4-52
show stack neighbors         “Displaying Stack Neighbors” on page 4-42
show stack stack-port        “Displaying Stack Port Information” on page 4-42
show statistics stack-port   “Displaying Stacking Port Statistics” on page 4-46
show interfaces stack-ports  “Displaying Stacking Port Interface Information” on page 4-45
show version                 “Displaying Software Version Information” on page 4-44
stack enable                 “Stacking Mode” on page 4-25
stack disable                “Stacking Mode” on page 4-25
stack mac [mac-address]      “IronStack Management MAC Address” on page 4-21
stack persistent-mac-timer   “Persistent MAC Address” on page 4-32
stack-port                   “Configuring Stacking Ports” on page 4-29
stack secure-setup           “Scenario 1 - Configuring a Three-Member IronStack in a Ring Topology using Secure Setup” on page 4-8
stack unconfigure            “Unconfiguring an IronStack” on page 4-34
stack unconfigure rollback   “Unconfiguring an IronStack” on page 4-34

Stacking Mode

When a unit is stack-enabled or joins a stack, either actively or passively, it reserves Priority Queue 7 for stacking traffic control, assigns buffers for the stacking ports, and configures the first two 10 Gigabit ports as stacking ports.

NOTE: Designated stacking ports cannot contain any configuration information, such as VLAN membership. If configuration information exists, stack enable will fail. You must remove all configuration information from the port and re-issue the stack enable command.

To enable stacking mode on a new unit before you add it to the stack, enter the following command:

FLS648-STK Switch(config)#stack enable
Enable stacking. This unit actively participates in stacking

Syntax: [no] stack enable

To see the configuration of the stack at any time, enter the show stacking configuration command.

To remove stacking capability, enter the no stack enable command. This prevents the unit from actively sending out probe messages; however, the unit could still be called to join a stack by an Active Controller. To prevent this, enter the stack disable command. The stack disable command prevents a unit from sending or listening for any stacking probe messages. In this mode, the unit cannot be forced to join a stack.

FLS648 Switch(config)#stack disable

Syntax: [no] stack disable

To remove this restriction, enter the no stack disable command.
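The election rules in the IronStack Unit Priority section above are the kind of thing an operator wants to check from a captured show stack transcript before a maintenance reload. The following is an added example (Python), not code from the guide or from Foundry: it parses the unit rows of a show stack transcript and reports what the stated rules imply, namely that the highest-priority unit becomes Active at the next reload and that equal Active/Standby priorities mean a recovered Active will not get its role back. The two transcripts are constructed in the layout shown above; the parser and its field names are assumptions of this example.

```python
import re

# Constructed transcripts in the layout of the show stack output above
# (not captured from a real device).
SAMPLE_SHOW_STACK = """\
FLS624-STK Switch(config-unit-3)#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type     Role     Mac Address     Pri State   Comment
1  S FLS624   active   0012.f2eb.a900  128 local   Ready
2  S FLS624   standby  00f0.424f.4243    0 remote  Ready, member after reload
3  S FLS624   member   001b.ed5d.a100  200 remote  Ready, active after reload
"""

SAMPLE_EQUAL_PRIORITY = """\
ID   Type     Role     Mac Address     Pri State   Comment
1  S FLS624   active   0012.f2eb.a900  128 local   Ready
2  S FLS624   standby  00f0.424f.4243  128 remote  Ready
3  S FLS624   member   001b.ed5d.a100    0 remote  Ready
"""

# One unit row: ID, config flag (S/D), type, role, MAC, priority, state, optional comment.
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<cfg>[SD])\s+(?P<type>\S+)\s+"
    r"(?P<role>active|standby|member)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<pri>\d+)\s+(?P<state>\S+)(?:\s+(?P<comment>.*))?$"
)


def parse_show_stack(text):
    """Return one dict per unit row; prompt, legend and header lines are skipped."""
    units = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        u = m.groupdict()
        u["id"] = int(u["id"])
        u["pri"] = int(u["pri"])
        u["comment"] = (u["comment"] or "").strip()
        units.append(u)
    return units


def audit_priorities(units):
    """Apply the election rules stated in this section and report what an
    operator should know before the next reload."""
    findings = []
    for u in units:
        if not 1 <= u["id"] <= 8:
            findings.append(f"unit {u['id']}: stack ID outside 1-8")
        if not 0 <= u["pri"] <= 255:
            findings.append(f"unit {u['id']}: priority {u['pri']} outside 0-255")
    active = next((u for u in units if u["role"] == "active"), None)
    if active is None:
        findings.append("no Active Controller in output")
        return findings
    # Highest priority wins the election, but a higher-priority unit does not
    # displace the current Active Controller until the stack reloads.
    top = max(units, key=lambda u: u["pri"])
    if top["pri"] > active["pri"]:
        findings.append(
            f"unit {top['id']} (pri {top['pri']}) outranks Active unit "
            f"{active['id']} (pri {active['pri']}): Active changes at next reload"
        )
    # Equal Active/Standby priorities: a failed Active cannot regain its role
    # when it returns, so say so before the failover surprises anyone.
    standby = next((u for u in units if u["role"] == "standby"), None)
    if standby is not None and standby["pri"] == active["pri"]:
        findings.append("Active and Standby share a priority: a recovered Active will not resume its role")
    return findings


if __name__ == "__main__":
    for finding in audit_priorities(parse_show_stack(SAMPLE_SHOW_STACK)):
        print(finding)
```

Run against the first transcript the audit reports that unit 3 (priority 200) will take the Active role at the next reload, which matches the "active after reload" comment the switch itself prints; the second transcript triggers only the equal-priority warning.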
Upgrading Software

This section describes how to upgrade devices currently running release 04.2.00 or earlier to release 04.1.00.

NOTE: If you are running software versions earlier than 04.2.00 (for example, 04.1.00, 04.1.01...), you must first upgrade to release 04.2.00 or later (e.g., 04.3.01) non-stacking software before upgrading to 05.0.01. Software releases that are numbered 04.x.xx and lower are non-stacking releases. Software releases that are numbered 05.x.xx and higher are stacking releases.

Perform the following steps to upgrade software version 04.2.00 to version 04.1.00:

1. Perform the memory and EEPROM upgrade on the device. For more information, see the instructions that shipped with your upgrade kit.

NOTE: Software version 04.1.00 will not work on standalone devices that have not been upgraded to support IronStack stacking technology.

2. Copy new boot code using the following command:

FGS624P-STK Switch#copy tftp flash X.X.X.X FGZ05000.bin bootrom

You should see output similar to the following:

FGS624P-STK Switch#Flash Memory Write (8192 bytes per dot)...........................
(Boot Flash Update)Erase.........Write.............
TFTP to Flash Done

3. Copy the 04.1.00 software image using the following command:

FGS624P-STK Switch#copy tftp flash X.X.X.X FGS05001.bin primary
FGS624P-STK Switch#Flash Memory Write (8192 bytes per dot) ........................
................................................................................
...................................................................
TFTP to Flash Done
FGS624P-STK Switch#show flash
Compressed Pri Code size = 3096603, Version 05.0.01 (FGS05001.bin)
Compressed Sec Code size = 2873963, Version 04.2.00 (fgs04200.bin)
Compressed BootROM Code size = 416315, Version 05.0.01T7e5
Code Flash Free Space = 196608
FGS624P-STK Switch#

4. Restart the device with the upgraded 04.1.00 software and proceed to step 5.
If you encounter a problem at this step, make sure the memory DIMM and stacking EEPROM are installed correctly. If the stacking EEPROM is missing or not installed correctly, or if you have installed the wrong EEPROM, you may see output similar to the following:

FGS MEM size: 0x10000000
FGS Flash config....
FGS Boot Code Version 05.0.01
Enter ‘b’ to stop at boot....
BOOT INFO: load monitor from primary, size=103408
BOOT INFO: load image from primary..........
BOOT INFO: bootparam at 000543e8, mp_flash_size=002ee6c5
BOOT INFO: code decompression completed
BOOT INFO: branch to 00400100
Starting Main Task.......
*****************************************************************************
ERR: This software needs License PROM to be installed in the system
*****************************************************************************
System Reset!

If your memory DIMM is not installed correctly, you will see output similar to the following:

FGS Mem size: 0x8000000
Flash Config...
FGS Boot Code Version 05.0.01
Enter ‘b’ to stop at boot.....
BOOT INFO: load monitor from primary, size = 103380
BOOT INFO: debug enabled!!
BOOT INFO: load image from primary...
BOOT INFO: bootparam at 00054338 mp_flash_size = 002f1aeb
BOOT INFO: code decompression completed
BOOT INFO: branch to 00400100
Starting Main Task...
*****************************************************************************
ERR: This software requires 256M memory to be installed in the system.
*****************************************************************************
System Reset!

NOTE: You will also see this message if your memory is installed correctly, but your boot code is not 05.0.00a or later.

NOTE: If you do not have the correct EEPROM for the upgrade, you will need to recover your 4.2 image. For information about how to do this, see “Recovering an Earlier Version of a Startup Configuration” on page 4-35.

5. When you have confirmed that your hardware upgrade is installed correctly, restart the system and check the software version using the show version command:

FLS624-STK Switch#show version
SW: Version 05.0.11T7e1 Copyright (c) 1996-2008 Foundry Networks, Inc.
Compiled on Nov 21 2008 at 12:26:40 labeled as FGS05001
(3094296 bytes) from Primary FGS05001.bin
BootROM: Version 05.0.00
=============================================================================
STACKID 1: FGS-24G-24-port Management Module + PoE
Serial#: CY02083345
P-ASIC 0: type D804, rev 01
================================================================================
STACKID: SL 2: FGS-2XGC 2-port 10G Module (2-CX4)
===============================================================================
400 MHz Power PC processor 8245 (version 129/1014) 66 MHz bus
512 KB boot flash memory
8192 KB code flash memory
256 MB DRAM
Monitor Option is on
The system uptime is 36 minutes 4 seconds
The system: started=warm start reloaded=by “reload”

NOTE: For detailed information about how to build your IronStack, see Chapter 4, Foundry Stackable Devices, in the Foundry FastIron Configuration Guide.

Confirming Software Versions

All units in an IronStack must be running the same software image. To confirm this, check the software version on all devices that you want to add to your IronStack. Upgrade any units that are running older versions of the software before you build your stack.

1. Attach a console to the console port of the stack unit.

2. Enter the show version command. Output similar to the following is displayed:

FLS624-STK Switch#show version
SW: Version 05.0.00T7e1 Copyright (c) 1996-2008 Foundry Networks, Inc.
Compiled on Sep 02 2008 at 12:26:40 labeled as FGS05000
(3094296 bytes) from Primary fgs05000.bin
STACKID 2: compiled on Sep 02 2008 at 12:26:40 labeled as FGS05000
(3094296 bytes) from Primary fgs05000.bin
STACKID 3: compiled on Sep 02 2008 at 12:26:40 labeled as FGS05000
(3094296 bytes) from Primary fgs05000.bin
BootROM: Version 04.0.00T7e5 (FEv2)

If any unit is running an incorrect version of the software, it will appear as non-operational. You must install the correct version on this unit for it to operate properly in the stack.

NOTE: A stack unit in a non-operational state can still receive an image file from the Active Controller.

Running 5.X Software Images on Devices with 4.X or 3.X Startup Configuration Files

Release 05.0.00 can read startup-config.txt files generated by earlier software images, but a 05.0.00 startup-config.txt file cannot be read by earlier software images. In addition, some features that are supported in release 04.2.00, such as DHCP-client, are not supported in 05.0.00. To recover a pre-05.0.00 startup-config.txt file, use the stack unconfigure rollback command (see “Recovering an Earlier Version of a Startup Configuration” on page 4-35 for more information).

When you boot a 5.x image on a device with a 4.x or 3.x startup-config.txt file, the operation should be transparent. The system automatically performs interface format conversion from 0/X/X to 1/X/X. The pre-5.0 startup-config.txt is renamed to startup-config.v4 when a write memory command is issued, or when the Active Controller tries to synchronize all startup configurations.

NOTE: If you enter the erase startup-config or stack unconfigure clean commands, all startup-config.txt-related files, such as startup-config.v4 and startup-config.old, are erased. You will no longer be able to recover pre-5.x startup-config.txt files.
Running 4.X Software Images on Devices with 5.X Startup Configuration Files

Devices running 4.2 or later non-stacking software (i.e., 4.X) cannot read 5.X startup-config.txt files. You should recover the 4.X startup-config.txt file before running a 4.X software image. Use the stack unconfigure rollback command on devices running the 5.X image (see “Recovering an Earlier Version of a Startup Configuration” on page 4-35 for more information).

Copying the Flash Image to a Stack Unit from the Active Controller

Syntax: copy flash flash

To copy the flash image to a stack unit from the Active Controller primary or secondary flash, enter the following command:

FLS624-STK Switch#copy flash flash unit-id-pri 2

Syntax: copy flash flash [primary | secondary | unit-id-pri | unit-id-sec]

• primary - Copy secondary to primary
• secondary - Copy primary to secondary
• unit-id-pri - Copy active primary image to unit-id
• unit-id-sec - Copy active secondary image to unit-id

The unit-id-pri or unit-id-sec keywords are used to copy the images to a stack member from the Active Controller primary and secondary flash, respectively. For example:

FLS624-STK Switch#copy flash flash unit-id-pri ?
ASCII string    unit-id (1-8) list or all
FLS624-STK Switch#copy flash flash unit-id-pri 2

Reloading a Stack Unit

To reload a stack unit, enter the following command:

FLS624-STK Switch#reload

Syntax: reload [after | at | cancel | unit-id]

• after - schedule reloading after a certain time period
• at - schedule reloading at an exact later time
• cancel - cancel a scheduled reload
• unit-id - stack members to reload

FLS624-STK Switch#reload unit-id ?
ASCII string    unit-id list: 2,3,5-7,8 (no space)
FLS624-STK Switch#reload unit-id 2,4-6,8
Reload request sent to specified stack member(s)...

NOTE: The unit-id list can be a combination, such as 2,4-6,8 (tokens must be separated by commas, and there is no space).
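Both copy flash flash unit-id-pri and reload unit-id take the same unit-id list form ("2,4-6,8", comma separated, no spaces, IDs 1 through 8, or all). When such commands are generated by a script rather than typed, the list is worth validating and normalizing before it goes to the switch, so that a typo does not reload the wrong member. The following is an added example (Python) that is not part of the guide: it expands a list into unit IDs, rejects the forms the switch would reject, and compresses a set of IDs back into the list form. The function names and the 1-8 limit are taken from the syntax above; everything else is this example's own.

```python
# Added example: parse and produce the unit-id list used by "reload unit-id"
# and "copy flash flash unit-id-pri|unit-id-sec". Not part of the guide.

MAX_UNITS = 8  # stack IDs run from 1 through 8


def parse_unit_id_list(spec, max_units=MAX_UNITS):
    """Expand "2,4-6,8" into sorted IDs [2, 4, 5, 6, 8]; "all" means every unit.

    Raises ValueError for spaces, malformed tokens, reversed ranges,
    IDs outside 1..max_units and IDs listed twice."""
    if spec == "all":
        return list(range(1, max_units + 1))
    if not spec or any(c.isspace() for c in spec):
        raise ValueError("unit-id list must be comma separated with no spaces")
    ids = set()
    for token in spec.split(","):
        lo, sep, hi = token.partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"bad token {token!r}")
        start, end = int(lo), (int(hi) if sep else int(lo))
        if start > end:
            raise ValueError(f"reversed range {token!r}")
        for unit in range(start, end + 1):
            if not 1 <= unit <= max_units:
                raise ValueError(f"unit {unit} outside 1-{max_units}")
            if unit in ids:
                raise ValueError(f"unit {unit} listed twice")
            ids.add(unit)
    return sorted(ids)


def format_unit_id_list(ids):
    """Compress IDs into the switch's list form: [2, 4, 5, 6, 8] -> "2,4-6,8"."""
    ids = sorted(set(ids))
    tokens, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1  # extend the run of consecutive IDs
        tokens.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(tokens)


def reload_command(spec):
    """Build the reload command only from a list that parsed cleanly."""
    return "reload unit-id " + format_unit_id_list(parse_unit_id_list(spec))


if __name__ == "__main__":
    print(reload_command("2,4-6,8"))
```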
Configuring Stacking Ports

When stacking is enabled on FGS-STK and FLS-STK devices, the first two ports can act as stacking ports. The stacking ports for FGS-STK devices are ports X/2/1 and X/2/2. The stacking ports for FLS-STK devices are ports X/2/1 and X/3/1. You have the option to configure only one of these ports as a stacking port, in which case the other port functions as a regular port. Table 4.2 identifies these ports for each model:

Table 4.2: Stack Unit Slots

Device      Slot 1                               Slot 2                          Slot 3                           Slot 4
FLS624-STK  24 10/100/1000 ports on front panel  Left 10Gb port on back panel    Right 10Gb port on back panel    10Gb uplink port on front panel
FLS648-STK  48 10/100/1000 ports on front panel  Left 10Gb port on back panel    Right 10Gb port on back panel    N/A
FGS624-STK  24 10/100/1000 ports on front panel  Two 10Gb ports on front panel   10Gb uplink port on front panel  N/A
FGS648-STK  48 10/100/1000 ports on front panel  Two 10Gb ports on front panel   N/A                              N/A

NOTE: Avoid connecting stacking ports to non-stacking ports. Stacking ports have a proprietary packet format that renders them incompatible with regular ports, even when they are forwarding regular packets. In linear topologies, make sure that end units have only one stacking port configured (Secure Setup automatically configures only one stacking port for an end unit).

Configuring a Single Stack Port

To configure a single stack port, enter a command similar to the following:

FGS624XGP-STK Switch(config)#stack unit 3
FGS624XGP-STK Switch(config-unit-3)#stack-port 3/2/1

Syntax: [no] stack-port <stack-unit/slotnum/portnum>

If you enter an incorrect stack port number, you will get an error similar to the following:

FGS624XGP-STK Switch(config-unit-3)#stack-port 3/4/1
Error! port 3/4/1 is invalid
FGS624XGP-STK Switch(config-unit-3)#stack-port 3/2/1

To return both ports to stacking status, enter the no stack-port command on the single stacking port. This converts both ports to stacking ports. By default, if both ports are stacking ports, they are not displayed by the system. If only one port is configured as a stacking port, the system displays this port.

Controlling Stack Topology

Because FGS-STK and FLS-STK devices allow you to use one of the two ports intended for stacking as a regular data port, you can control the size of your stack. The following example shows a stack where the existing ring topology is changed so that only one unit in the upstream direction is connected via a stacking port, which limits the size of the stack to two units.

FLS624-STK Switch#stack secure-setup
FLS624-STK Switch#Discovering the stack topology...
Current Discovered Topology - RING
Available UPSTREAM units
Hop(s)  Type    Mac Address
1       FLS624  0012.f2d5.2100
2       FLS624  001b.ed5d.9940
Available DOWNSTREAM units
Hop(s)  Type    Mac Address
1       FLS624  001b.ed5d.9940
2       FLS624  0012.f2d5.2100
Do you accept the topology (RING) (y/n)?: n
Available UPSTREAM units
Hop(s)  Type    Mac Address
1       FLS624  0012.f2d5.2100
2       FLS624  001b.ed5d.9940
Available DOWNSTREAM units
Hop(s)  Type    Mac Address
1       FLS624  001b.ed5d.9940
2       FLS624  0012.f2d5.2100
Enter the number of the desired UPSTREAM units (0-2)[0]: 1
Enter the number of the desired DOWNSTREAM units (0-1)[0]:
Selected Topology:
Active  Id  Type    Mac Address
        1   FLS624  0012.f239.2d40
Selected UPSTREAM units
Hop(s)  Id  Type    Mac Address
1       2   FLS624  0012.f2d5.2100
Do you accept the unit id's (y/n)?: y
FLS624-STK Switch#Election, was alone --> active, assigned-ID=1
reset unit 2: diff bootup id=1
FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type    Role     Mac Address     Pri State   Comment
1  S FLS624  active   0012.f239.2d40  128 local   Ready
2  S FLS624  standby  0012.f2d5.2100    0 remote  Ready

Managing IronStack Partitioning

When a unit in an IronStack with a linear topology fails, the IronStack divides (partitions) into two or more separate stacks that all have the same configuration. This may cause an IP address conflict in the network. If you want to keep the stacks separate, you will need to change the IP address of each new stack.

When a stack breaks into partitions, the partition with the Active Controller remains operational. If a partition contains the Standby Controller, this partition will become operational because the Standby Controller will assume the Active role and will reload the partition units. A partition without an Active or Standby Controller will not function. To reconfigure these units to act in standalone mode, you must first enter the stack unconfigure me command on each unit. See “Unconfiguring an IronStack” on page 4-34.

To reverse the partitioning, reconnect all of the units into the original stack topology using the stacking ports. This is the same as merging stacks. If the original Active Controller again has the highest priority, it will regain its role. If two partition Active Controllers have the same priority, the Active Controller with the most stack members will win the election. This process helps minimize traffic interruption.

• Ring topology stacks do not partition in the event of a member failure. Operation is interrupted briefly while the stack recalculates a new path. Ring topologies are more stable than linear topologies because they provide redundant pathways in case of accidental failure.

Merging IronStacks

IronStacks may be merged, but the total number of stack units must not exceed 8. For example, you could combine two stacks with 4 units each into a single stack of 8 units. You can merge stacks by connecting them together using the stacking ports.
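The partitioning rules above (a linear stack splits at the failed unit; the partition with the Active Controller keeps running; one with the Standby Controller reloads and becomes operational; one with neither stops working; a ring does not partition) and the merge election rule (highest priority, then most members) can be walked through for a planned topology before a cable or unit is pulled. The following is an added example (Python), not code from the guide or from Foundry, that models exactly those rules on a constructed four-unit stack. The unit list, the role and priority fields, and the status wording are this example's own assumptions.

```python
# Added example: which partitions survive a unit failure and who wins the
# election when they are reconnected. Models only the rules stated in the
# Managing IronStack Partitioning section; not code from the guide.

# Constructed four-unit stack listed in cable order. Active and Standby keep the
# default priority 128, members have 0 (as in the show stack outputs above).
SAMPLE_ORDER = [
    {"id": 1, "role": "active", "pri": 128},
    {"id": 2, "role": "member", "pri": 0},
    {"id": 3, "role": "standby", "pri": 128},
    {"id": 4, "role": "member", "pri": 0},
]


def partition(topology, order, failed_id):
    """Return the partitions (lists of units) left after unit failed_id fails.

    A ring has a redundant path, so all surviving units stay in one stack;
    a linear stack splits into the runs on either side of the failed unit."""
    remaining = [u for u in order if u["id"] != failed_id]
    if topology == "ring":
        return [remaining] if remaining else []
    parts, current = [], []
    for u in order:
        if u["id"] == failed_id:
            if current:
                parts.append(current)
            current = []
        else:
            current.append(u)
    if current:
        parts.append(current)
    return parts


def partition_status(part):
    """Operational state of one partition, per the text."""
    roles = {u["role"] for u in part}
    if "active" in roles:
        return "operational (Active Controller retained)"
    if "standby" in roles:
        return "operational after reload (Standby Controller becomes Active)"
    return "not functional (no Active or Standby; units need stack unconfigure me)"


def controller_of(part):
    """The unit that will act as this partition's Active Controller, if any."""
    return (next((u for u in part if u["role"] == "active"), None)
            or next((u for u in part if u["role"] == "standby"), None))


def merge_election(partitions):
    """Reconnecting the partitions holds an election among their Active
    Controllers: highest priority wins, equal priority -> most members.
    Returns the winning controller's unit ID (None if no partition has one)."""
    best = None
    for part in partitions:
        ctrl = controller_of(part)
        if ctrl is None:
            continue
        key = (ctrl["pri"], len(part))
        if best is None or key > best[0]:
            best = (key, ctrl["id"])
    return None if best is None else best[1]


def describe_failure(topology, order, failed_id):
    """[(unit IDs in partition, status), ...] for a given failure."""
    return [([u["id"] for u in p], partition_status(p))
            for p in partition(topology, order, failed_id)]


if __name__ == "__main__":
    for ids, status in describe_failure("linear", SAMPLE_ORDER, 2):
        print(ids, status)
    print("merge winner:", merge_election(partition("linear", SAMPLE_ORDER, 2)))
```

With unit 2 failing in the linear layout, units 1 and 3-4 form two operational partitions; when they are reconnected, both controllers have priority 128, so unit 3 wins by member count and the original Active does not get its role back, which is the case the Unit Priority section warns about.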
Before doing this, make sure that none of the stacking ports have been reconfigured as data ports (for example, ports on an end unit in a linear stack topology). You cannot use Secure Setup to merge stacks because Secure Setup does not work across stack boundaries.

When stacks are merged, an election is held among the Active Controllers. The winner retains its configuration and the IDs of all of its original stack members. The remaining stack units lose their configuration and are reset. If the IDs of the losing stack units conflict with the IDs of the winning units, they may change, and the IDs will no longer be sequential. You can use Secure Setup to renumber the members in the newly merged stack.

The following examples show how stack merging works:

• If a stack partitions into multiple stacks because of a connection failure, and you fix the connection, the stack partitions will merge back into the original stack with no change to stack IDs, because in this case all stack IDs are distinct.
• In a linear stack topology, the end units of the stack will have only one stacking port configured. Before you can merge two linear stacks, you must reconfigure the end units so that both ports are stacking ports.

MIB Support for the IronStack

All statistics about packets received and sent, RMON, jumbo frames, runts, giants, and other instances are gathered via the stack interfaces and are accessible through SNMP. The functionality for an IronStack is the same as that for a standard 10 Gigabit interface. Information includes types of modules, including optics modules.

NOTE: A type counter has been added to count the number of packets greater than 1518 bytes (jumbo frames).

For detailed information about stacking MIBs, see the Foundry MIB Guide.

Persistent MAC Address

The MAC address for the entire IronStack is determined by the MAC address of the Active Controller. When an Active Controller is removed from the stack and a new Active Controller is elected, by default the MAC address of the new Active Controller becomes the MAC address for the IronStack. When you enable the Persistent MAC Address feature, you configure a time delay before the stack MAC address changes. During this configured interval, if the previous Active Controller is reinstalled in the stack, the stack continues to use the MAC address of this unit, even though it may no longer be the Active Controller. If the previous Active Controller does not rejoin the stack during the specified time interval, the stack assumes the address of the new Active Controller as the stack MAC address.

The Persistent MAC Address feature allows you to configure a period of time during which the original base MAC address will not change if the Active Controller fails or is removed for maintenance. This timer is triggered when the Standby Controller becomes the Active Controller. When the timer expires, the new Active Controller will change the previous MAC address to its base MAC address and advertise this MAC address to management VLANs to update the ARP peer table. If you want to use the new address, you will have to re-enter the stack persistent-mac-timer command again to reactivate the persistent MAC address.

stack persistent-mac-timer

Syntax: [no] stack persistent-mac-timer <number>

• <number> - the number of minutes during which the IronStack will retain the original MAC address if the Active Controller fails or is removed for service. The valid value range is from 5 - 6000 minutes. If you enter a 0, it means “keep this address forever”. The default is 60 minutes.

To enable Persistent MAC Address, enter the following command:

FGS624P-STK Switch(config)#stack persistent-mac-timer <number>

To disable Persistent MAC Address, enter the following command:

FGS624P-STK Switch#no stack persistent-mac-timer

Syntax: [no] stack persistent-mac-timer <number>

NOTE: If you enter the [no] version of this command while the persistent MAC address timer is active, the stack will disregard the persistent MAC address and will assume the MAC address of the new Active Controller.

In the following example, the persistent MAC timer has been set to the default of 60 minutes.

NOTE: Persistent MAC and stack MAC cannot be used together.

FLS648-STK Switch(config)#stack persistent-mac 60
FLS648-STK Switch(config)#show running-config
Current configuration:
!
ver 05.0.011T7e1
!
stack 1
  module 1 fls-48-port-copper-base-module
  module 2 fls-cx4-1-port-10g-module
  priority 80
stack 2
  module 1 fls-24-port-copper-base-module
  module 2 fls-cx4-1-port-10g-module
  module 3 fls-cx4-1-port-10g-module
stack 3
  module 1 fgs-48-port-management-module
  module 2 fgs-cx4-2-port-10g-module
  priority 40
stack enable
stack persistent-mac 60
stack mac 0012.f2d5.9380

To display the stack MAC addresses, enter the show stack command:
FGS648P-STK Switch(config)#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type     Role     Mac Address     Prio State   Comment
1  S FGS648p  active   0012.f2d5.9380  80   local   Ready
2  S FGS648   member   00e0.6666.8880  0    remote  Ready
3  S FGS624   standby  0012.f2dc.0ec0  40   remote  Ready
Current persistent MAC is 0012.f2d5.9380
FLS648p-STK Switch(config)#stack mac 111.111.111
Error: persistent stacking MAC address timer is configured

The following example shows what the Persistent MAC information looks like in the output of the show stack command when the Standby Controller becomes the Active Controller:

FGS648P-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type     Role     Mac Address     Prio State     Comment
1  S FGS648P  active   0000.0000.0000  80   reserved
2  S FGS648   standby  00e0.6666.8880  0    remote    Ready
3  S FGS624   master   0012.f2dc.0ec0  40   local     Ready
FGS648P-STK Switch#Persistent MAC timer expires in 59 minutes 52 seconds.

Unconfiguring an IronStack

The stack unconfigure command is a run-time command that returns stack units to their pre-stacking state. When a stack unit is unconfigured, its stacking flash is removed, and its startup-config.txt flash file is recovered. These actions apply to all units to which this command is applied, regardless of the unit’s role in the stack.

When the stack unconfigure command is applied to the Active Controller, it removes stack enable from the run-time config but not from the startup config. If you want to remove stack enable from the Active Controller permanently, you must enter the write memory command.

When the stack unconfigure command is applied to the Standby Controller or a stack member (besides the Active Controller), it removes stack enable from the recovered startup-config.txt and resets the unit.

When a stack unit that did not have an original startup-config file is unconfigured, it becomes a clean unit. It is possible that this unit could automatically rejoin the stack if its module configuration matches that of the Active Controller. To prevent this from happening accidentally, it is best to first disconnect the unit, and then issue the stack unconfigure me command on it.

To remove the configuration from a specific IronStack unit, or from the entire stack, enter a command similar to the following:

FGS648P-STK Switch#stack unconfigure 3

Syntax: stack unconfigure [<stack-unit> | all | me | clean | rollback]

• <stack-unit> - unconfigure the stack member with this ID
• all - unconfigure every unit, including this unit
• me - unconfigure this unit only
• clean - removes all startup configuration files, including v4 and v5, and makes this a clean unit
• rollback - recovers the earlier version (4 or 3) of a startup configuration (see “Recovering an Earlier Version of a Startup Configuration” on page 4-35)

NOTE: The stack unconfigure me command is available to all units, while stack unconfigure all and stack unconfigure <stack-unit> are available on the Active Controller only.

The following example shows a session where stack unit 2 is unconfigured.

FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type    Role     Mac Address     Pri State   Comment
1  S FLS624  active   0012.f2eb.a900  128 local   Ready
2  S FLS648  standby  00f0.424f.4243    0 remote  Ready
3  S FGS624  member   00e0.5201.0100    0 remote  Ready
FLS624-STK Switch#stack unconfigure 2
Will recover pre-stacking startup config of this unit, and reset it. Are you sure? (enter 'y' or 'n'): y
Stack 2 deletes stack bootup flash and recover startup-config.txt from .old
FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type    Role     Mac Address     Pri State     Comment
1  S FLS624  active   0012.f2eb.a900  128 local     Ready
2  S FLS648  member   0000.0000.0000    0 reserved
3  S FGS624  standby  00e0.5201.0100    0 remote    Ready

When the stack unconfigure 2 command is issued, stack unit 2 recovers the startup-config.txt from the startup-config.old configuration file that was saved when this unit downloaded its configuration from the Active Controller. As the output shows, stack member 2 has been removed from the stack, and ID 2 is now reserved for a replacement unit. Stack member 3 is now the Standby Controller. For field descriptions of the show stack command output, see

Recovering an Earlier Version of a Startup Configuration

The stack unconfigure rollback command recovers the earlier version (4 or 3) of a startup configuration. When a system that is running stacking (05.0.00 and later) discovers that its startup configuration is an earlier version, it saves this configuration to a startup-config.v4 when a write memory command is issued, or when the Active Controller tries to synchronize all startup configurations.

The stack unconfigure rollback command is similar to the stack unconfigure command, except that it does not remove “stack enable” from the run-time or startup configuration. stack unconfigure and stack unconfigure rollback are unrelated commands that recover different startup-config.txt files. Both commands permanently delete the current startup-config.txt and replace it with a pre-stacking (pre-05.0.00) startup-config.txt file.

NOTE: When you issue the stack unconfigure rollback command to recover the previous startup-config.v4 file, DO NOT issue a write memory command, as write memory will overwrite the recovered file. You should reboot from a pre-5.x image without doing a write memory.
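Returning to the stack mac and Persistent MAC Address sections above: the rules there (a manual stack mac is stack-wide and must be in xxxx.xxxx.xxxx form; the persistent timer accepts 5-6000 minutes or 0 for forever and defaults to 60; the two cannot be combined, which is the "persistent stacking MAC address timer is configured" error shown above; after a failover the old address is kept until the timer expires or the old Active Controller returns, and the timer must be re-entered to protect the new address) determine when the address the rest of the network has in its ARP tables changes. The following is an added example (Python), not code from the guide or from Foundry, that models those rules so a maintenance window can be reasoned about in advance. The class, its method names, and the treatment of the clock as plain minutes are this example's own assumptions; the behaviour of a manually configured stack mac across a failover is taken from the fact that it is a line in the stack's running configuration rather than a property of one unit.

```python
import re

# Added example: a model of the stack MAC address rules in this chapter.
# Not code from the guide; clock values are plain minutes.

MAC_FORMAT = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


class StackMacModel:
    """Tracks which MAC address the IronStack presents to the network."""

    def __init__(self, active_base_mac):
        self.current_mac = active_base_mac
        self.manual_mac = None      # set by 'stack mac'
        self.timer_minutes = None   # None: persistent-mac-timer not configured
        self.pending_mac = None     # new Active's MAC waiting for the timer
        self.failover_at = None     # clock value when the Standby took over

    def set_stack_mac(self, mac):
        """'stack mac <mac>': refused while the persistent timer is configured."""
        if self.timer_minutes is not None:
            raise ValueError("Error: persistent stacking MAC address timer is configured")
        if not MAC_FORMAT.match(mac):
            raise ValueError("MAC must be in xxxx.xxxx.xxxx hexadecimal format")
        self.manual_mac = self.current_mac = mac.lower()

    def clear_stack_mac(self, active_base_mac):
        """'no stack mac': return to the Active Controller's own address."""
        self.manual_mac = None
        self.current_mac = active_base_mac

    def set_persistent_mac_timer(self, minutes=60):
        """'stack persistent-mac-timer <minutes>': 5-6000, or 0 for forever."""
        if self.manual_mac is not None:
            raise ValueError("Persistent MAC and stack MAC cannot be used together")
        if minutes != 0 and not 5 <= minutes <= 6000:
            raise ValueError("valid range is 5-6000 minutes, or 0 for keep forever")
        self.timer_minutes = minutes

    def clear_persistent_mac_timer(self):
        """'no stack persistent-mac-timer' while a timer is running: adopt the
        new Active Controller's address immediately."""
        self.timer_minutes = None
        if self.pending_mac is not None:
            self.current_mac, self.pending_mac, self.failover_at = self.pending_mac, None, None

    def failover(self, new_active_base_mac, now):
        """The Standby becomes Active at clock value `now`; returns the stack MAC."""
        if self.manual_mac is not None:
            return self.current_mac  # configured stack-wide, unaffected by the election
        if self.timer_minutes is None:
            self.current_mac = new_active_base_mac  # default: new Active's MAC
            return self.current_mac
        self.pending_mac, self.failover_at = new_active_base_mac, now
        return self.current_mac

    def old_active_rejoined(self):
        """The previous Active Controller came back while the timer was running:
        its address stays the stack MAC even though it is no longer Active."""
        if self.pending_mac is not None:
            self.pending_mac = self.failover_at = None
        return self.current_mac

    def mac_at(self, now):
        """Address in use at clock value `now`, applying timer expiry."""
        if (self.pending_mac is not None and self.timer_minutes != 0
                and now - self.failover_at >= self.timer_minutes):
            self.current_mac, self.pending_mac, self.failover_at = self.pending_mac, None, None
            self.timer_minutes = None  # must be re-entered to protect the new address
        return self.current_mac


def rejects(action, *args):
    """True if the modelled command is refused (helper for checks)."""
    try:
        action(*args)
    except ValueError:
        return True
    return False
```

The point the model makes visible is the trade-off the timer sets: a long timer keeps ARP tables stable through a short outage of the Active Controller, but the address the network learned belongs to a unit that may no longer be present, so the window should be no longer than the time in which the unit can realistically be returned to service.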
If you enter the erase startup-config or stack unconfigure clean commands, all startup-config.txt-related files, such as startup-config.v4 and startup-config.old, are erased. You will no longer be able to recover pre-5.x startup-config.txt files.

Syntax: stack unconfigure rollback [unit-id | all | me]
• DECIMAL - recover the version 4 startup config for the stack member with this ID
• all - recover the version 4 startup config for every unit including this unit
• me - recover the version 4 startup config for this unit only

Displaying IronStack Information

This section describes the show commands for an IronStack, including output examples and field descriptions.

December 2008 © 2008 Foundry Networks, Inc. 4 - 35 Foundry FastIron Configuration Guide

Displaying Flash Information

Use the show flash command to display flash memory information for all members of a stack, or for a specified stack member.

Syntax: show flash <stack-id>

Output from the show flash command for a stack resembles the following (for a stack with three members):

From the Active Controller for the entire stack:

FGS624P-STK Switch#show flash
Stack unit 1:
  Compressed Pri Code size = 3034232, Version 05.0.00T7e1 (fgs05000.bin)
  Compressed Sec Code size = 2873568, Version 04.2.00T7e1 (fgs04200.bin)
  Compressed BootROM Code size = 405217, Version 04.0.00T7e5
  Code Flash Free Space = 2146304
Stack unit 2:
  Compressed Pri Code size = 3034232, Version 05.0.00T7e1 (fgs05000.bin)
  Compressed Sec Code size = 2873523, Version 04.2.00aT7e1 (fgs04200a.bin)
  Compressed BootROM Code size = 403073, Version 03.0.00T7e5
  Code Flash Free Space = 24117248
Stack unit 3:
  Compressed Pri Code size = 3034232, Version 05.0.00T7e1 (fgs05000.bin)
  Compressed Sec Code size = 2873568, Version 04.2.00T7e1 (fgs04200.bin)
  Compressed BootROM Code size = 405217, Version 04.0.00T7e5
  Code Flash Free Space = 2252800
FGS624P-STK Switch#

For stack member 3 only:

FGS624P-STK Switch#show flash stack 3
Stack unit 3:
  Compressed Pri Code size = 3034232, Version 05.0.00T7e1 (fgs05000.bin)
  Compressed Sec Code size = 2873568, Version 04.2.00T7e1 (fgs04200.bin)
  Compressed BootROM Code size = 405217, Version 04.0.00T7e5
  Code Flash Free Space = 2252800
FGS624P-STK Switch#

Table 4.3 describes the fields displayed in this example:

Table 4.3: Field definitions for the show flash command
This Field...                  Describes...
Compressed Pri Code size       The compressed size, version, and image name for the Primary Code
Compressed Sec Code size       The compressed size, version, and image name for the Secondary Code
Compressed BootROM Code size   The compressed size and version for the BootROM Code
Code Flash Free Space          The amount of available free space on the Flash memory

Displaying Memory Information

The show memory command displays information about stack units. The following example shows output from this command for a stack with eight units:

Syntax: show memory

FGS648P-STK Switch#show memory
Stack unit 1:
  Total DRAM: 268435456 bytes
  Dynamic memory: 238026752 bytes total, 182820476 bytes free, 23% used
Stack unit 2:
  Total DRAM: 268435456 bytes
  Dynamic memory: 238026752 bytes total, 172751776 bytes free, 27% used
Stack unit 3:
  Total DRAM: 268435456 bytes
  Dynamic memory: 238026752 bytes total, 172751776 bytes free, 27% used
Stack unit 4:
  Total DRAM: 268435456 bytes
  Dynamic memory: 238026752 bytes total, 172751776 bytes free, 27% used
Stack unit 5:
  Total DRAM: 268435456 bytes
  Dynamic memory: 238026752 bytes total, 107140664 bytes free, 54% used
Stack unit 6:
  Total DRAM: 268435456 bytes
  Dynamic memory: 238026752 bytes total, 172751740 bytes free, 27% used
Stack unit 7:
  Total DRAM: 268435456 bytes
  Dynamic memory: 238026752 bytes total, 182820504 bytes free, 23% used
Stack unit 8:
  Total DRAM: 268435456 bytes
  Dynamic memory: 238026752 bytes total, 182811440 bytes free, 23% used
BR-FGS648P Router#

Table 4.4 describes the fields displayed in this output example:
Table 4.4: Field definitions for the show memory command
This Field...     Describes...
Total DRAM        The size (in bytes) of DRAM
Dynamic memory    The total number of bytes in dynamic memory, including the number of bytes that are available (free, or unused), and the percentage of memory used.

Displaying Chassis Information

The show chassis command displays chassis information for each stack unit. Output resembles the following (in this example, a three member stack):

Syntax: show chassis

FGS648P-STK Switch#show chassis
The stack unit 1 chassis info:
Power supply 1 (NA - AC - Regular) present, status ok
Power supply 2 not present
Fan 1 ok
Fan 2 ok
Exhaust Side Temperature Readings:
        Current temperature : 33.0 deg-C
        Warning level.......: 85.0 deg-C
        Shutdown level......: 90.0 deg-C
Intake Side Temperature Readings:
        Current temperature : 31.0 deg-C
Boot Prom MAC: 0012.f2e4.6e00
Management MAC: 0012.f2e4.6e00

The stack unit 2 chassis info:
Power supply 1 (NA - AC - Regular) present, status ok
Power supply 2 not present
Fan 1 ok
Fan 2 ok
Exhaust Side Temperature Readings:
        Current temperature : 32.5 deg-C
        Warning level.......: 85.0 deg-C
        Shutdown level......: 90.0 deg-C
Intake Side Temperature Readings:
        Current temperature : 31.0 deg-C
Boot Prom MAC: 0012.f2e3.11c0

The stack unit 3 chassis info:
Power supply 1 (NA - AC - Regular) present, status ok
Power supply 2 not present
Fan 1 ok
Fan 2 ok
Exhaust Side Temperature Readings:
        Current temperature : 31.5 deg-C
        Warning level.......: 85.0 deg-C
        Shutdown level......: 90.0 deg-C
Intake Side Temperature Readings:
        Current temperature : 32.0 deg-C
Boot Prom MAC: 0012.f2db.e500

Table 4.5 describes the fields displayed in this output example:

Table 4.5: Field definitions for the show chassis command
This Field...                       Describes...
Power Supply 1                      The status of the primary power supply.
Power Supply 2                      The status of the secondary power supply, if present.
Fan 1 and Fan 2                     The status of the cooling fans
Exhaust Side Temperature Readings   From the air exhaust side of the chassis, the current temperature reading, the warning level temperature setting, and the shutdown level temperature setting.
Intake Side Temperature Reading     The current temperature reading from the air intake side of the chassis.
Boot Prom MAC                       The MAC address of the boot prom
Management MAC                      For the Active Controller only, the management MAC address

Displaying Stack Module Information

The show module command displays information about the stack unit modules. Output resembles the following:

Syntax: show module

FLS648P-STK Switch(config)#show module
        Module                                      Status   Ports   Starting MAC
S1:M1   FGS-24G 24-port Management Module + PoE     OK       24      00e0.5201.4000
S1:M2   FGS-2XGC 2-port 10G Module (2-CX4)          OK       2       00e0.5201.4018
S1:M3   FGS-1XG 1-port 10G Module (1-XFP)           OK       1       00e0.5201.401a
S3:M1   FLS-48G 48-port Management Module           OK       48      001b.ed5e.c480
S3:M2   FLS-1XG 1-port 10G Module (1-XFP)           OK       1       001b.ed5e.c4b0
S3:M3   FLS-1XGC 1-port 10G Module (1-CX4)          OK       1       001b.ed5e.c4b1
S4:M1   FLS-48G 48-port Management Module           OK       48      001b.ed5e.ac00
S4:M2   FLS-1XGC 1-port 10G Module (1-CX4)          OK       1       001b.ed5e.ac30
S4:M3   FLS-1XG 1-port 10G Module (1-XFP)           OK       1       001b.ed5e.ac31
S5:M1   FLS-24G 24-port Management Module           OK       24      001b.ed5d.a180
S5:M2   FLS-1XG 1-port 10G Module (1-XFP)           OK       1       001b.ed5d.a198
S5:M3   FLS-1XG 1-port 10G Module (1-XFP)           OK       1       001b.ed5d.a199
S5:M4   FLS-1XG 1-port 10G Module (1-XFP)           OK       1       001b.ed5d.a19a
S6:M1   FLS-24G 24-port Management Module           OK       24      00e0.5200.3000
S6:M2   FLS-1XGC 1-port 10G Module (1-CX4)          OK       1       00e0.5200.3018
S6:M3   FLS-1XGC 1-port 10G Module (1-CX4)          OK       1       00e0.5200.3019
S7:M1   FLS-48G 48-port Management Module           OK       48      00e0.4444.0000
S7:M2   FLS-1XGC 1-port 10G Module (1-CX4)          OK       1       00e0.4444.0030
S7:M3   FLS-1XGC 1-port 10G Module (1-CX4)          OK       1       00e0.4444.0031
S8:M1   FLS-48G 48-port Management Module           OK       48      0012.f2eb.d540
S8:M2   FLS-1XG 1-port 10G Module (1-XFP)           OK       1       0012.f2eb.d570
S8:M3   FLS-1XG 1-port 10G Module (1-XFP)           OK       1       0012.f2eb.d571
FLS648P-STK Switch(config)#

Table 4.6 describes the fields displayed in this output example:

Table 4.6: Field definitions for the show module command
This Field...   Describes...
Module          Identifies the module, by stack unit ID, module number, module type
Status          The status of this module
Ports           The number of ports in this module
Starting MAC    The starting MAC address for this module

Displaying Stack Information

The show stack command displays general information about an IronStack, for all members, for a specified member, and with additional detail if required.

Syntax: show stack <stack-unit> | <detail>

The following output covers the entire stack:

FLS648-STK Switch(config)#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type     Role     Mac Address     Pri  State     Comment
1  S FLS648   active   0012.f2eb.a900  130  local     Ready
2  S FLS648   standby  00f0.424f.4243  0    remote    Ready
3  S FGS624   member   00e0.5201.0100  0    remote    Ready
4  S FGS624   member   0000.0000.0000  0    reserved

If you add a stack member ID, output is displayed for that member only:

FGS648-STK Switch#show stack 1
ID   Type     Role     Mac Address     Prio  State     Comment
1  S FGS648   active   0012.f2eb.a900  130   local     Ready

FGS648-STK Switch#show stack 2
ID   Type     Role     Mac Address     Prio  State     Comment
2  S FGS648   standby  00f0.424f.4243  0     remote    Ready, member after reload

FGS648-STK Switch#show stack 3
ID   Type     Role     Mac Address     Prio  State     Comment
3  S FGS624   member   00f0.424f.4243  0     remote    Ready

If you add detail to the show stack command, output resembles the following:
FLS648P-STK Switch(config)#show stack detail
ID   Type     Role     Mac Address     Prio  State     Comment
1  S FGS624   member   00e0.5201.4000  0     remote    Ready
2  S FGS624   member   00e0.5205.0000  0     remote    Ready
3  S FGS624   member   001b.ed5e.c480  0     remote    Ready
4  S FGS624   active   001b.ed5e.ac00  128   local     Ready
5  S FGS624   standby  001b.ed5d.a180  0     remote    Ready
6  S FGS624   member   00e0.5200.3000  0     remote    Ready
7  S FGS624   member   00e0.4444.0000  0     remote    Ready
8  S FGS624   member   0012.f2eb.d540  0     remote    Ready

Stack Port Status                      Neighbors
ID   Stack-port1   Stack-port2         Stack-port1   Stack-port2
1    up (1/2/1)    up (1/2/2)          3             6
2    up (2/2/1)    up (2/2/2)          5             3
3    up (3/2/1)    up (3/3/1)          2             1
4    up (4/2/1)    up (4/3/1)          7             8
5    up (5/2/1)    up (5/3/1)          8             2
6    up (6/2/1)    up (6/3/1)          1             7
7    up (7/2/1)    up (7/3/1)          6             4
8    up (8/2/1)    up (8/3/1)          4             5

Table 4.7 describes the fields displayed by the show stack command.

Table 4.7: Field descriptions for the show stack command
This field                 Indicates...
alone: Standalone          This device is operating as a standalone device
S: static configuration    The configuration for this unit is static (has been saved with a write memory command).
D: dynamic configuration   The configuration for this unit is dynamic and may be overwritten by a new stack unit. To change to a static configuration, enter the write memory command.
ID                         The stack identification number for this unit.
Type                       The model of this unit.
Role                       The role of this unit within the stack.
MAC address                The MAC address of this unit.
Priority                   The priority assigned to this unit.
State                      The operational state of this unit.
Comments                   Additional information about this unit (optional).

Table 4.8 describes the output from the show stack detail command (in addition to the show stack command fields shown in the previous table).

Table 4.8: Field descriptions for the show stack detail command
This field          Indicates...
Stack Port Status   Indicates stacking port status for each stack unit.
Neighbors           Identifies stack neighbors (by unit ID) for each stack unit.
ID                  The stack identification number for this unit.
Stack-port1         Indicates the port state (up or down) and identifies the port by number (stack-ID/slot/port).
Stack-port2         Indicates the port state (up or down) and identifies the port by number (stack-ID/slot/port).

Displaying Stack Neighbors

The show stack neighbors command displays information about stack member neighbors.

Syntax: show stack neighbors

FGS648P-STK Switch#show stack neighbors
ID   Stack-port1   Stack-port2
1    3             2
2    1             3
3    2             1
The topology of stack system is ring, and has 3 stack unit(s)
From left to right (starting with active unit): 1 2 3
FGS648P-STK Switch#

Table 4.9 describes the output from the show stack neighbors command.

Table 4.9: Field descriptions for the show stack neighbors command
This field    Indicates...
ID            The stack identification number for this unit.
Stack-port1   Identifies the neighbor stack unit for stack-port1 for this unit ID
Stack-port2   Identifies the neighbor stack unit for stack-port2 for this unit ID

Displaying Stack Port Information

The show stack stack-ports command displays information about stack port status.

Syntax: show stack stack-ports

FLS648-STK Switch(config)#show stack stack-ports
ID   Stack-port1   Stack-port2
1    up (1/2/1)    up (1/2/2)
2    up (2/2/1)    up (2/2/2)
3    up (3/2/1)    up (3/3/1)
4    up (4/2/1)    up (4/3/1)
5    up (5/2/1)    up (5/3/1)

Table 4.10 describes the output from the show stack stack-ports command.

Table 4.10: Field descriptions for the show stack stack-ports command
This field    Indicates...
ID            The stack identification number for this unit
Stack-port1   Indicates port state (up or down) and identifies the port by number (stack-ID/slot/port)
Stack-port2   Indicates port state (up or down) and identifies the port by number (stack-ID/slot/port)

Displaying Running Configuration Information

The show running-config command displays information about the current configuration for the stack.

Syntax: show running-config

FLS648P-STK Switch(config)#show running-config
Current configuration:
!
ver 05.0.00T7e1
!
stack unit 1
  module 1 fgs-24-port-management-module
  module 2 fgs-cx4-2-port-10g-module
  module 3 fgs-xfp-1-port-10g-module
  stack-port 1/2/1 1/3/1
stack unit 2
  module 1 fgs-48-port-management-module
  module 2 fgs-xfp-2-port-10g-module
stack unit 3
  module 1 fls-48-port-copper-base-module
  module 2 fls-xfp-1-port-10g-module
  module 3 fls-cx4-1-port-10g-module
stack unit 4
  module 1 fls-48-port-copper-base-module
  module 2 fls-cx4-1-port-10g-module
  module 3 fls-xfp-1-port-10g-module
  priority 128
stack enable

Table 4.11 describes the output from the show running-config command.

Table 4.11: Field descriptions for the show running-config command
This field       Indicates...
Stack unit <#>   The stack identification number for this unit.
Module <#>       Identifies the configuration for modules on this unit.
Pri              Indicates that a priority has been assigned to this stack unit

Displaying Configured Stacking Ports

The stacking ports may display in the output from the show running-config command in three different ways:

1. When stacking is enabled, the output shows both stacking ports:

stack unit 1
  module 1 fgs-24-port-management-module
  module 2 fgs-cx4-2-port-10g-module
  module 3 fgs-xfp-1-port-10g-module
  stack-port 1/2/1 1/3/1

2. When stacking is not enabled, neither stacking port is displayed:

stack unit 1
  module 1 fgs-24-port-management-module
  module 2 fgs-cx4-2-port-10g-module
  module 3 fgs-xfp-1-port-10g-module

3. If one stacking port is configured, that port will be displayed regardless of whether or not stacking is enabled:

stack unit 1
  module 1 fgs-24-port-management-module
  module 2 fgs-cx4-2-port-10g-module
  module 3 fgs-xfp-1-port-10g-module
  stack-port 1/3/1

Displaying Software Version Information

The show version command shows the software version that the stack is running. Note that the last line of this output shows this unit’s bootup ID and role. Output resembles the following:

Syntax: show version

FLS648P-STK Switch(config)#show version
  SW: Version 05.0.01T7e1 Copyright (c) 1996-2008 Foundry Networks, Inc.
      Compiled on Jul 23 2008 at 02:38:03 labeled as FGS05000 (3054675 bytes) from Primary fgs05000.bin
  STACKID 1: compiled on Jul 23 2008 at 02:38:03 labeled as FGS05000 (3054675 bytes) from Primary fgs05000.bin
  STACKID 2: compiled on Jul 23 2008 at 02:38:03 labeled as FGS05000 (3054675 bytes) from Primary fgs05000.bin
  STACKID 3: compiled on Jul 23 2008 at 02:38:03 labeled as FGS05000 (3054675 bytes) from Primary fgs05000.bin
  BootROM: Version 04.0.00T7e5 (FEv2)
  HW: Chassis FLS648
==========================================================================
STACKID 1: SL 1: FGS-24G 24-port Management Module + PoE
  Serial #: PR11060248
  P-ASIC 0: type D804, rev 01
==========================================================================
STACKID 1: SL 2: FGS-2XGC 2-port 10G Module (2-CX4)
==========================================================================
STACKID 1: SL 3: FGS-1XG 1-port 10G Module (1-XFP)
==========================================================================
STACKID 2: SL 1: FLS-48G 48-port Management Module
  Serial #: AN07510010
  P-ASIC 0: type D804, rev 01
  P-ASIC 1: type D804, rev 01
==========================================================================
STACKID 2: SL 2: FLS-1XG 1-port 10G Module (1-XFP)
==========================================================================
STACKID 2: SL 3: FLS-1XGC 1-port 10G Module (1-CX4)
==========================================================================
STACKID 3: SL 1: FLS-48G 48-port Management Module
  Serial #: AN07510269
  P-ASIC 0: type D804, rev 01
  P-ASIC 1: type D804, rev 01
==========================================================================
STACKID 3: SL 2: FLS-1XGC 1-port 10G Module (1-CX4)
==========================================================================
STACKID 3: SL 3: FLS-1XG 1-port 10G Module (1-XFP)
==========================================================================
==========================================================================
  400 MHz Power PC processor 8248 (version 130/2014) 66 MHz bus
  512 KB boot flash memory
30720 KB code flash memory
  128 MB DRAM
Monitor Option is on
The system uptime is 18 minutes 4 seconds
STACKID 1 system uptime 18 minutes 4 seconds
STACKID 2 system uptime 18 minutes 3 seconds
STACKID 3 system uptime 18 minutes 3 seconds
The system started at 21:08:51 GMT+00 Fri Jul 25 2008
The system : started=warm start reloaded=by "reload"
My stack unit ID = 1, bootup role = active

Displaying Stacking Port Interface Information

This section describes the following commands:

The show interfaces stack-ports command displays information about the stacking ports on all stack units.
Syntax: show interfaces stack-ports

FGS648P-STK Switch#show interfaces stack-ports
Port   Link  State    Dupl  Speed    Trunk  Tag  P  MAC             Name
1/2/1  Up    Forward  Full  10G-CX4  None   No   1  0012.f2e4.6e30
1/2/2  Up    Forward  Full  10G-CX4  None   No   1  0012.f2e4.6e31
2/2/1  Up    Forward  Full  10G-CX4  None   No   1  0012.f2e3.11f0
2/2/2  Up    Forward  Full  10G-CX4  None   No   1  0012.f2e3.11f1
3/2/1  Up    Forward  Full  10G-CX4  None   No   1  0012.f2db.e530
3/2/2  Up    Forward  Full  10G-CX4  None   No   1  0012.f2db.e531
4/2/1  Up    Forward  Full  10G-CX4  None   No   1  0012.f2e2.c770
4/2/2  Up    Forward  Full  10G-CX4  None   No   1  0012.f2e2.c771
FGS648P-STK Switch#

Table 4.12 describes the fields displayed by the show interfaces stack-ports command:

Table 4.12: Field descriptions for the show interfaces stack-ports command
This field   Indicates...
Port         The stacking port, identified by number (stack-ID/slot/port)
Link         Whether the link on this port is up or down
State        The forwarding state of this port (for example, Forward)
Dupl         Indicates whether the port is configured as half or full duplex
Speed        Indicates the port speed
Trunk        Indicates whether the port is part of a trunk
Tag          Indicates whether the port is tagged or untagged
P            Port priority
MAC          The MAC address of the port
Name         An optional name assigned to the port

Displaying Stacking Port Statistics

The show statistics stack-ports command displays information about all stacking ports in an IronStack topology:

Syntax: show statistics stack-ports

FGS648P-STK Switch#show statistics stack-ports
Port    In Packets   Out Packets   In Errors   Out Errors
1/2/1   22223        4528          0           0
1/2/2   35506        3844          0           0
2/2/1   3161         34173         0           0
2/2/2   24721        3676          0           0
3/2/1   3048         23881         0           0
3/2/2   13540        2857          0           0
4/2/1   2862         13537         0           0
4/2/2   3626         3184          0           0
5/2/1   3183         3621          0           0
5/2/2   3265         13508         0           0
6/2/1   14020        3655          0           0
6/3/1   3652         17705         0           0
7/2/1   17705        3658          0           0
7/3/1   4047         21802         0           0
TOTAL   154559       153629        0           0
FGS648P-STK Switch#

Table 4.13 describes the fields displayed by the show statistics stack-ports command:

Table 4.13: Field definitions for the show statistics stack-ports command
This field    Indicates...
Port          The stacking port, identified by number (stack-ID/slot/port)
In Packets    The number of incoming packets on this port
Out Packets   The number of outgoing packets on this port
In Errors     The number of incoming errors on this port
Out Errors    The number of outgoing errors on this port

Adding, Removing, or Replacing Units in an IronStack

The following sections describe how to add, remove, or replace units in an IronStack. The recommended method is to connect units to the stack before you supply power to the units; however, you can also connect powered units.

Installing a New Unit in an IronStack using Secure Setup

This method can be applied to clean units, or units that have existing configurations.
1. Connect the new unit to the stack by connecting the 10G stacking ports.
2. Run Secure Setup on the Active Controller and assign an ID to the new unit. The Active Controller will reset the new unit.
3. Once the new unit boots and joins the stack, do a write memory on the Active Controller.

Installing a New Unit using Static Configuration

If the new unit is a clean unit and the connection is sequential, you can add it using the static setup process.
1. Enter the module configuration of the new unit into the Active Controller's configuration.
2. Connect the new unit to the stack using the 10G stacking ports. The sequence in which you connect the unit must match that of the Active Controller configuration. The Active Controller automatically resets the unit.
3. Once the new unit boots and joins the stack, do a write memory on the Active Controller. You should see the following message:

Done hot swap: Set stack unit 3 to Fully-Operational:16

Configuration Notes

Configuration on a new unit can be accomplished in three ways:
• If the Active Controller has no configuration information for the new unit, it learns the new unit's configuration. This is a dynamic configuration and will disappear if the new unit leaves the stack. In order for the configuration to stay on the Active Controller (to make it a static configuration), you must do a write memory on the Active Controller.
• If the Active Controller has configuration information for a new unit, and it matches the base module (module 1) of the new unit, no action is necessary. If configuration information for non-base modules on the new unit does not match the information on the Active Controller, the Active Controller learns the configuration for the new unit's module types and merges it with the information it has for the base module. This merged configuration remains static and will stay on the Active Controller even if the new unit leaves the stack.
• If the Active Controller has configuration information for the new unit, but it does not match the base module of the new unit, a configuration mismatch can occur where the configuration related to this unit is removed even after the mismatch is resolved. See “Recovering from a Configuration or Image Mismatch” on page 4-56 for more information.

Removing a Unit from an IronStack

To remove a unit from the stack, disconnect the cables from the stacking ports. This can be done whether the units are powered-on or powered-off. When you remove a unit that is powered-on, it is still in stacking enabled mode.
To remove the stacking files, enter the stack unconfigure me or stack unconfigure clean command. When the unit reboots, it will operate as a standalone unit. See “Unconfiguring an IronStack” on page 4-34.

When a unit is removed from a stack, the Active Controller deletes this unit’s configuration if it was dynamically learned. See “Foundry IronStack Terminology” on page 4-3 for definitions of static and dynamic configurations.

Replacing an IronStack Unit

Replacing with a Clean Unit

If the stack unit ID numbering is sequential, you can easily swap a failed unit with an identical clean unit by following this procedure:
1. Remove the old unit from the stack.
2. Make sure that the replacement unit’s configuration is identical to that of the failed unit.
3. Connect the new unit to the stack using the same stacking ports as the old unit used.
4. If the replacement unit’s configuration matches the configuration on the Active Controller, the Active Controller resets the new unit, it automatically becomes active in the stack, and the stack retains its original topology.

Replacing with Multiple Clean Units

If you are replacing multiple old units with clean units, the Active Controller replaces the unit with the lowest ID first. For example, if you remove units 5 and 6 (which are FGS624P-STK devices), the Active Controller assigns ID 5 to the first new FGS624P-STK device you install. If you want this particular unit to replace unit 6 instead of unit 5, you must use Secure Setup.

You must use Secure Setup if the replacement is not a clean unit, the connection is not sequential, or you don't want the Active Controller to trigger an automatic replacement. Use the following steps:
1. Remove the old stack unit from the stack.
2. Connect the new unit to the existing stack using the same stacking ports as the old unit used.
3. Run Secure Setup to select the old unit’s ID for the new unit. The Active Controller resets the unit, and it joins the stack.

NOTE: Adding, removing or replacing a stack unit which is not at the end of a linear topology may cause the other units in the stack to reset if these units lose their path to the Active Controller during the process. Adding or removing a unit in a ring topology should not cause the other units to reset because each unit can still find a path to the Active Controller.

Moving a Unit to Another Stack

Moving a member from one stack to another stack might result in non-sequential ID assignment. The Active Controller will honor the new unit's original ID if that ID is not being used in the new stack. The Active Controller will assign a new ID if the original ID is already being used. To prevent non-sequential stack ID assignments, configure the unit that is moving as a clean unit before adding it to the new stack.

Removing an Active Controller from a Powered Stack

To remove an Active Controller from a powered stack, disconnect the Active Controller. The Standby Controller waits for 30 seconds and then assumes the role of Active Controller. A single Active Controller device functions as a standalone unit even if it is still stacking-enabled. You do not have to issue a stack unconfigure me command for an Active Controller.

Renumbering Stack Units

You can use Secure Setup to renumber stack units in a previously constructed stack. In the following example, three units make up a stack, yet two of the units are numbered 5 and 6 (the Active Controller is numbered 1). Since this stack is only going to contain 3 units, you can renumber the other units so that they are unit 2 and unit 3.

The most effective way to number your stack members is sequentially. You can skip numbers, but they should still be sequential, from 1 to 8. Sequential numbering makes it easy to replace stack units, and easier to troubleshoot issues.

NOTE: In a ring topology, 1, 2, 4, 5, and 1, 5, 4, 2 are both sequential.
EXAMPLE:

FGS624-STK Switch#stack secure-setup
FLS624-STK Switch#Discovering the stack topology...

Available UPSTREAM units
Hop(s)  Type     Mac Address
1       FLS624   0012.f2d5.2100
2       FLS624   001b.ed5d.9940

Enter the number of the desired UPSTREAM units (1-2)[1]: 2

Selected topology:
Active  id  Type     Mac Address
        1   FLS624   0012.f239.2d40

Selected UPSTREAM units
Hop(s)  id  Type     Mac Address
1       5   FLS624   0012.f2d5.2100
2       6   FLS624   001b.ed5d.9940

Do you accept the unit ids? (y/n)?: n
Enter an unused id for the UPSTREAM FLS623 unit a 1 hop(s) (1-8)[5]: 2
Enter an unused id for the UPSTREAM FLS624 unit at 2 hop(s) (1-8) [6]: 3
FLS624-STK Switch#
Election, was active, no role change, assigned-ID=1
reset unit 2: diff bootup id=5
reset unit 3: diff bootup id=6
Election, was active, no role change, assigned-ID=1

FLS624-STK Switch#show stack
ID   Type     Role     Mac Address     Pri  State     Comment
1  S FLS624   active   0012.f239.2d40  128  local     Ready
2  S FLS624   standby  0012.f2d5.2100  0    remote    Ready
3  S FLS624   member   001b.ed5d.9940  0    remote    Ready

Configuration Notes

• Renumbering may result in the removal of a unit’s configuration if the stack unit’s base module does not match the configuration on the Active Controller. However, Secure Setup renumbering never changes the interface configuration. For example, if you switch the IDs of identical units 2 and 3, the Active Controller does not change 2/1/5 to 3/1/5 and vice versa.
• If the configuration for the ID you select for a specific unit does not match the configuration on that unit, Secure Setup will change the static configuration into a dynamic configuration so it can be overwritten by the learned configuration.
• When swapping IDs for two or more identical units - for example, if units 2, 3, and 4 are identical, changing 2 to 3, 3 to 4, and 4 to 2 will not affect the configurations of the units except that the units will reset and assume the new IDs.
• If you swap IDs for two units that are not identical - for example, unit 2 is an FGS624 and unit 3 is an FLS624, you may cause a configuration mismatch. If this happens, the Active Controller removes the configurations and resets both units. When both units boot with new IDs, the Active Controller learns their module types and creates new unit configurations for both. However, all interface configuration information related to units 2 and 3 is gone.
• When you renumber identical units using Secure Setup, the configurations are not mapped to the new units (since the configurations match exactly). However, if you switch the IDs of units that are not identical, a configuration mismatch occurs. See “Recovering from a Configuration or Image Mismatch” on page 4-56.
• When you assign an unused ID to a stack unit, the unit is reset with the new ID. All unit and interface configuration information related to the old stack ID is deleted. The Active Controller learns the configuration for the new unit (instead of creating interface configuration for the new unit).
• Release 5.0 does not support user changes to the Active Controller ID.
• Secure Setup does not swap configuration information for units that have had their IDs changed. For example, it does not change the 2/1/3 interface configuration or VLAN membership information into 3/1/3 information if the unit ID changes from 2 to 3.
• If the configuration for a unit being replaced does not match the new unit type, the Active Controller removes the unit configuration and associated interface configuration.
• All learned configurations due to mismatches or the addition of new units are dynamic configurations. To convert them into static configurations, do a write memory to preserve the configurations if a unit is removed from the stack.
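An added example (Python, not part of the Foundry guide) that audits a captured show stack table for the conditions this chapter describes: dynamic (D) configurations that are lost unless write memory is run on the Active Controller, reserved IDs waiting for a replacement unit, units that are not Ready, and a stack with no Active or no Standby Controller. The sample capture is constructed from the outputs shown above; the standby check with two or more units is an assumption.

```python
"""Audit a `show stack` capture for the conditions this chapter describes.

Added example, not part of the Foundry guide.  It parses the table printed
by `show stack` (ID, S/D flag, Type, Role, Mac Address, Pri, State, Comment)
and reports: units whose configuration is dynamic (D) and will be lost
unless `write memory` is run on the Active Controller, reserved IDs that
are waiting for a replacement unit, units that are not Ready, and a stack
with no Active or no Standby Controller.  The sample capture is constructed
from the outputs shown in the guide.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One data row of the show stack table.  The MAC column shows
# 0000.0000.0000 for a reserved (absent) unit.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<cfg>[SD])\s+(?P<type>\S+)\s+(?P<role>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<pri>\d+)\s+"
    r"(?P<state>\S+)\s*(?P<comment>.*)$"
)

# Constructed capture: unit 2 is dynamically configured, unit 4 is reserved.
SAMPLE_SHOW_STACK = """\
FLS648-STK Switch(config)#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type     Role     Mac Address     Pri  State     Comment
1  S FLS648   active   0012.f2eb.a900  130  local     Ready
2  D FLS648   standby  00f0.424f.4243  0    remote    Ready, member after reload
3  S FGS624   member   00e0.5201.0100  0    remote    Ready
4  S FGS624   member   0000.0000.0000  0    reserved
"""


@dataclass
class StackUnit:
    unit_id: int
    dynamic: bool        # True when the S/D column reads D
    model: str
    role: str
    mac: str
    priority: int
    state: str
    comment: str


def parse_show_stack(text: str) -> list[StackUnit]:
    """Return the units listed in a show stack or show stack <id> capture."""
    units = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            units.append(StackUnit(
                unit_id=int(m["id"]), dynamic=(m["cfg"] == "D"),
                model=m["type"], role=m["role"], mac=m["mac"],
                priority=int(m["pri"]), state=m["state"],
                comment=m["comment"].strip()))
    return units


def audit_stack(units: list[StackUnit]) -> list[str]:
    """Return findings in table order; an empty list means nothing to act on."""
    findings = []
    for u in units:
        if u.state == "reserved":
            findings.append(f"unit {u.unit_id}: ID reserved for a replacement {u.model}")
            continue  # an absent unit has no configuration state worth reporting
        if u.dynamic:
            findings.append(f"unit {u.unit_id}: dynamic config; write memory on the Active Controller to keep it")
        if not u.comment.startswith("Ready"):
            findings.append(f"unit {u.unit_id}: not Ready ({u.comment or u.state})")
    present = [u for u in units if u.state != "reserved"]
    roles = [u.role for u in present]
    if roles.count("active") != 1:
        findings.append("expected exactly one Active Controller")
    # Assumption: with two or more present units a Standby should be elected,
    # otherwise losing the Active Controller leaves nobody to take over.
    if len(present) > 1 and "standby" not in roles:
        findings.append("no Standby Controller elected")
    return findings


if __name__ == "__main__":
    for finding in audit_stack(parse_show_stack(SAMPLE_SHOW_STACK)):
        print(finding)
```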
Syslog, SNMP, and Traps

Syslog messages from stack units are forwarded to, and can be viewed from, the Active Controller.

All stack units support SNMP gets, sets, and traps, which are managed by the Active Controller. An SNMP trap is sent from a stack unit to the stack Active Controller, and forwarded from the Active Controller to an SNMP-configured server. An external network management station can execute SNMP gets and sets for MIBs and collect information about any port on the stack. SNMP traps can be configured for the insertion or removal of a stack unit or uplink module, and for optic identification. For more information about Syslog messages, see the appendix “Using Syslog” on page A-1.

Configuring SNMP for an IronStack

SNMP server and feature configuration is the same for an IronStack as it is for standalone units. In an IronStack, SNMP gets and sets are processed by the Active Controller for the Standby Controller and all stack members. SNMP traps generated by the Standby Controller and stack members are propagated to the configured SNMP server through the Active Controller. For more information about how to configure an SNMP server for FastIron devices, see the chapter “Securing SNMP Access” on page 48-1.

SNMP Engine IDs for Stackable Devices

For Foundry stacking devices, if an engine ID is not manually created or a stack MAC address is not specified and saved, the stack will lose its engine ID if the Active Controller fails and the Standby Controller takes over, because the Standby Controller creates a new engine ID at bootup. To prevent this from happening, you will need to either create a new engine ID or create a new stack MAC address to ensure that the engine ID is saved to the startup configuration. This should be done before the SNMPv3 user is created.
If a new Active Controller is elected (for example, the Standby Controller becomes the Active Controller) you will see the following results: • If you have configured the engineID saved it to the startup configuration file, the new stack configuration will use the saved Engine ID. • If you have not configured an engineID, but a stack MAC address is configured, the new stack configuration will retain the original engineID since it is based on the stack MAC address. • If you have not configured an engineID, and no stack MAC address is configured, the new stack configuration will use the default engineID - which is based on its own management MAC address of the new Active Controller. Since the engine ID will have changed, any SNMPv3 Clients will need to be reconfigured with the new engineID. December 2008 © 2008 Foundry Networks, Inc. 4 - 51 Foundry FastIron Configuration Guide Troubleshooting an IronStack The most common reason for an unsuccessful stack build is either a software configuration mismatch, a hardware configuration mismatch, or a combination of both. The following sections describe common troubleshooting procedures for an IronStack: • “Troubleshooting an Unsuccessful Stack Build” on page 4-52 • “Troubleshooting a Stacking Upgrade” on page 4-54 • “Troubleshooting Image Copy Issues” on page 4-54 • “Configuration Mismatches” on page 4-55 • “Recovering from a Configuration or Image Mismatch” on page 4-56 • “Troubleshooting Secure Setup” on page 4-57 • “Troubleshooting Unit Replacement Issues” on page 4-57 Troubleshooting an Unsuccessful Stack Build If you are unable to build a stack, (for example, the show stack command does not display any stack units), perform the following steps: 1. Enter the show run command on each unit to make sure the configuration contains “stack enable”. If it does not, enter the stack enable command on the unit. Before a stack is formed, you can still access the console port on each device. 
Once a stack is successfully formed, you are redirected to the Active Controller.

NOTE: If you are building a stack using Secure Setup, you do not have to enter stack enable on each unit.

2. Check that all of your stacking port connections are secure and working properly. Enter the show interface stack command on each device to confirm that the stacking port links are up and the ports are in the forward state.

FLS624-STK Switch#show interfaces stack
Port   Link  State    Dupl  Speed  Trunk  Tag  P  MAC             Name
1/2/1  Up    Forward  Full  10G    None   No   1  0012.f2eb.a902
1/2/2  Up    Forward  Full  10G    None   No   1  0012.f2eb.a904

3. Confirm that all of the devices are running the same software image.
4. Use the show log command to display any IPC version mismatch messages. These messages appear within one minute of receiving mismatched probe packets, and then once every 10 minutes.
5. Type show stack ipc to see if any traffic has been sent or received. Enter clear stack ipc to clear the traffic statistics and then enter show stack ipc again so you can easily see differences in traffic flow.

FLS648-STK Switch#show stack ipc
Recv IPC 330 packets
Message types have callbacks:
 1 : Reliable IPC message          2 : Reliable IPC atomic batch
 .... more message types removed.
Send message types:
 [5]=190, [6]=10, [9]=636, [11]=2, [14]=126,
Recv message types:
 [5]=224, [6]=6, [14]=90, [18]=2, [20]=1, [27]=9,
Statistics:
 send pkt num      : 964,   recv pkt num      : 330,
 send msg num      : 964,   recv msg num      : 330,
 send frag pkt num : 0,     recv frag pkt num : 0,
 pkt buf alloc     : 964,
Reliable-mail   send   success   receive   time us
 target ID        0       0         0        0
 target MAC       0       0         2        0
There is 0 current jumbo IPC session
Possible errors:
 *** state not ready : 1,

If the Send message types: field is empty, it means that stack enable has not been configured.
If the number of Recv IPC packets increases, but there are no Recv message types, then the packets are being dropped for various reasons, including the wrong IPC version or a checksum error. The Possible errors field will list reasons for packet loss.

NOTE: A small “*** state not ready” count is normal, but if it continues to increase, a problem is indicated.

7. If the results of a show stack command show other stack members, but lists them as non-operational, this could be due to an image mismatch or a configuration mismatch. In the event of an image mismatch, you can download the correct images to the entire stack from the Active Controller. See “Configuration Mismatches” on page 4-55 for more information about configuration mismatches.

NOTE: If your intended stacking ports are connected in a ring topology, they will not all appear to be in the forwarding state because of spanning tree, but Secure Setup can still build the stack.

8. If you run out of flash memory while doing a write memory, your stack devices may contain very large startup-config.v4 or startup-config.old files, which are preserved for recovery purposes (see “Unconfiguring an IronStack” on page 4-34 for more information). If you do not need these files, you can delete them using the flash delete command. Enter the show dir command to see all flash files.

9. Check to be sure you don’t have any stacking to non-stacking connections. If you see the following message:

Warning! Proc ???? packet in 2m from 0012.f2222.8300, Wrong dev/port: dev=4, port=18, DSA=4971100 497--E You might have stacking to non-stacking port connections

This indicates that you may have a connection between a stacking port and a non-stacking port. This message will appear every 10 minutes after the first display. If you see this message once only, and your connections are correct, your stack should be operating properly. Only repeated displays of this message indicate a problem.
Troubleshooting a Stacking Upgrade

After you upgrade your FGS or FLS to support stacking (see the Foundry FastIron GS Compact Switch Hardware Installation Guide for more information about hardware upgrades for stacking), restart the device with the upgraded 05.0.00 software. If you encounter a problem at this step, make sure the memory DIMM and stacking EEPROM are installed correctly. If they are not installed correctly, you may see output similar to the following:

FGS MEM size: 0x10000000
FGS Flash config....
FGS Boot Code Version 05.0.00
Enter ‘b’ to stop at boot....
BOOT INFO: load monitor from primary, size=103408
BOOT INFO: load image from primary..........
BOOT INFO: bootparam at 000543e8, mp_flash_size=002ee6c5
BOOT INFO: code decompression completed
BOOT INFO: branch to 00400100
Starting Main Task.......
*****************************************************************************
ERR: This software needs License PROM to be installed in the system
*****************************************************************************
System Reset!

If your memory DIMM is not installed correctly, you will see output similar to the following:

FGS Mem size: 0x8000000
Flash Config...
FGS Boot Code Version 05.0.00
Enter ‘b’ to stop at boot.....
BOOT INFO: load monitor from primary, size = 103380
BOOT INFO: debug enabled!!
BOOT INFO: load image from primary...
BOOT INFO: bootparam at 00054338 mp_flash_size = 002f1aeb
BOOT INFO: code decompression completed
BOOT INFO: branch to 00400100
Starting Main Task ...
*****************************************************************************
ERR: This software requires 256M memory to be installed in the system.
*****************************************************************************
System Reset!

Check your upgraded hardware for the following situations:
• EEPROM is installed incorrectly in the socket. Make sure Pin 1 on the EEPROM matches the Pin 1 hole in the socket.
• Make sure your memory DIMM is securely installed in the memory DIMM holder. See the hardware installation guide or the instructions that came with your upgrade kit for more information.

Troubleshooting Image Copy Issues

The copy tftp flash command copies the image to all stack units including the Active Controller. The copy flash flash command copies the image from the Active Controller’s primary or secondary flash to a stack member’s primary or secondary flash image respectively. If you are unable to copy an image to one or more stack units, check the following:
• Make sure the unit is actually part of the stack. Use the show stack command.
• If a unit joins a stack after the image copy command was issued, you will need to copy the image to this unit separately.

Configuration Mismatches

Generally, when a stack unit is added to or removed from the stack, its static configuration is not overwritten by the Active Controller. However, Secure Setup allows you to overwrite a static configuration on a unit, in which case the Active Controller deletes the configuration for the old unit, and adds the configuration of the new unit.

A configuration mismatch occurs when the base module configuration for a replacement stack unit does not match the run time configuration on the Active Controller (for example, if you remove an FGS624P-STK unit and try to replace it with an FLS624-STK unit). If the configuration on the Active Controller is static, it cannot be overwritten by the new configuration, and a configuration mismatch occurs. Configuration mismatches can happen during manual setups, or when moving a unit from one stack to another stack.

Secure Setup will try to overwrite a configuration mismatch even if the configuration is static. The overwrite attempt may fail if there are multi-slot trunk or LACP configurations on the ports of the unit to be overwritten.
If this is the case, Secure Setup will be unable to resolve the mismatch.

When you renumber identical units using Secure Setup, the configurations are not mapped to the new units (since they match exactly). However, if you switch the IDs of units that are not identical, a configuration mismatch occurs.

Configuration mismatches can also occur when LACP or multi-slot trunking configurations exist on the modules of replacement units. In these cases, you will need to manually remove the LACP or multi-slot trunking configuration on the replacement unit before you try to add it to the stack.

When a configuration mismatch occurs, port-related functions on all ports are disabled on the mismatched unit (except for the stacking ports). All other functions are unaffected. For example, the Active Controller can still copy the unit's image or reset the unit. Please refer to “Recovering from a Configuration or Image Mismatch” on page 4-56.

Software Image Mismatches

IronStack technology requires that all units in a stack must be running the same version of software image. In cases where the software version differs, there are two levels of mismatch:

Major Mismatch

A major mismatch indicates an Interprocessor Communications (IPC)-related data structure change, or an election algorithm change, or that a version of the software that does not support stacking is installed on a unit. This can happen when the software undergoes a major change (such as a change from 05.0.00 to 05.1.00). When a major mismatch occurs, the system logs and prints a message similar to the following:

Warning! Recv 424 IPC in 1m from 0012.f21b.a900 e1/1/25: wrong version 5 !=6. Please make sure all units run the same image.

In a major mismatch, the stack cannot be built and will not operate. You must download the correct version of the software to the mismatched units individually.
Minor Mismatch

With a minor mismatch, an operating stack can still exist, but traffic is dropped from all ports except for the stacking ports for units with the mismatched software. You can download the correct image to the mismatched devices from the Active Controller. A minor software mismatch means that there is no IPC or election algorithm change, but there is a release version disparity. Minor software mismatches can happen with patch release upgrades. The system logs and prints a message similar to the following:

Warning! put stack unit 2 to non-operational reason=image mismatch

The show stack command displays output similar to the following:

FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type    Role     Mac Address     Pri  State   Comment
1  S FLS624  active   0012.f2eb.a900  128  local   Ready
2  S FLS648  standby  00f0.424f.4243  0    remote  NON-OP: image mismatch
3  S FGS624  member   00e0.5201.0100  0    remote  Ready

If the configuration of a stack unit does not match the configuration of the Active Controller, the stack unit will not function. You must manually correct the configuration error for the unit to become operational within the stack. In this example, unit 2 is non-operational due to an image mismatch. To correct this situation, use the copy flash flash command (see “Copying the Flash Image to a Stack Unit from the Active Controller” on page 4-29).

Recovering from a Configuration or Image Mismatch

When a configuration mismatch occurs, the Active Controller logs and displays a config mismatch message, and puts the mismatched unit into a non-operational state. In the following example, the original stack unit 3 has failed, and a replacement unit has been installed that does not match the configuration of the original unit. You should see the following message:

Warning!
put stack unit 3 to non-operational reason= config mismatch

To recover from a configuration or image mismatch, perform the following steps:
1. Enter the stack secure-setup command.
2. Enter the show stack command to see the status of the stack, and a show running-config command to see the configurations of the stack units. If Secure Setup doesn’t resolve the configuration mismatch, proceed to step 3:

FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID  Type    Role     Mac Address     Pri  State   Comment
1   FLS624  active   0012.f2eb.a900  128  local   Ready
2   FLS648  member   00f0.424f.4243  0    remote  Ready
3   FGS624  standby  00e0.5201.0100  0    remote  NON-OP: config mismatch

FLS624-STK Switch#show running config
stack unit 1
  module 1 fls-24-port-copper-base-module
  module 3 fls-cx4-1-port-10g-module
  module 4 fls-xfp-1-port-10g-module
  priority 128
stack unit 2
  module 1 fgs-24-port-management-module
  module 3 fgs-xfp-1-port-10g-module
stack unit 3
  module 1 fls-48-port-copper-base-module
  module 2 fls-cx4-1-port-10g-module
  module 3 fls-cx4-1-port-10g-module
stack enable

3. To resolve the mismatch, you must remove the configuration for stack unit 3. Use the following command:

FLS624-STK Switch#no stack unit 3

If you are unable to remove the configuration because of a multi-slot trunk configuration, it means Secure Setup cannot overwrite the Active Controller's configuration due to multi-slot trunking configurations on the ports of the unit to be overwritten. You must first manually remove the multi-slot trunk configuration.
4. When you have successfully deleted the mismatched stack unit, a re-election is triggered, and the Active Controller learns the correct module configuration from the Standby Controller or from other stack members.

To recover from an image mismatch, perform the following steps:
1. Use the copy flash flash command to replace a mismatched image with the correct image.
See “Copying the Flash Image to a Stack Unit from the Active Controller” on page 4-29.
2. Reset the unit. After the reset, the unit will contain the new image and the mismatch condition will not exist. To verify, use the show stack command.

Troubleshooting Secure Setup

Secure Setup can be used to form linear and ring stack topologies. For information about the procedure see “Scenario 1 - Configuring a Three-Member IronStack in a Ring Topology using Secure Setup” on page 4-8. During this procedure, if Secure Setup does not detect all the units that should be detected, perform the following checks:
• Make sure that all the cables are properly connected
• Make sure that all the relevant ports are in UP state
• Make sure that all the units are running the same image
• Make sure that you do "stack enable" only on the unit that you want to make the Active Controller
• Make sure that "stack disable" is not configured on any prospective members
• Make sure that the connection is sequential (see “Foundry IronStack Terminology” on page 4-3, Sequential Connection.)

If Secure Setup times out (this may happen due to inactivity), you will not be able to make any changes in your configuration or stack topology until you restart the session by entering the stack secure-setup command.

The unit discovery process is triggered when Secure Setup is initiated. However, if the stack unit is placed in a topology where another unit in the stack is already running the discovery process, the current discovery process is terminated. If this is the case, you will see a message similar to the following:

"Topology discovery is already in progress originated from <mac-address>. Please try later."

This means a discovery process is already active and was initiated from the unit with the <mac-address> mentioned in the message. You will need to re-issue Secure Setup.
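The two show stack listings in the mismatch sections above carry everything needed to tell an image mismatch from a configuration mismatch and to pick the matching recovery procedure. The following parser is an added example, not Foundry’s code: it reads show stack output as laid out in those listings (with or without the S/D configuration column), and the two sample captures it embeds are constructed from them.

```python
"""Parse 'show stack' output and map NON-OP units to the guide's recovery steps.

Added example, not Foundry's code. The row layout follows the listings in the
image/config mismatch sections; both sample captures below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?:(?P<cfg>[SD])\s+)?(?P<type>\S+)\s+"
    r"(?P<role>active|standby|member|alone)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<pri>\d+)\s+"
    r"(?P<state>local|remote)\s*(?P<comment>.*)$",
    re.I,
)


@dataclass
class StackUnit:
    unit_id: int
    config: Optional[str]      # 'S' static, 'D' dynamic, None when the column is absent
    unit_type: str
    role: str
    mac: str
    priority: int
    state: str
    comment: str

    @property
    def operational(self) -> bool:
        return not self.comment.upper().startswith("NON-OP")

    @property
    def mismatch(self) -> Optional[str]:
        """'image', 'config', or None, taken from the Comment column."""
        c = self.comment.lower()
        if "image mismatch" in c:
            return "image"
        if "config mismatch" in c:
            return "config"
        return None


def parse_show_stack(text: str) -> List[StackUnit]:
    units = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            units.append(StackUnit(int(m["id"]), m["cfg"], m["type"], m["role"].lower(),
                                   m["mac"].lower(), int(m["pri"]), m["state"].lower(),
                                   m["comment"].strip()))
    return units


def recovery_plan(units: List[StackUnit]) -> List[str]:
    """One line per NON-OP unit with the remedy the guide gives for its mismatch type."""
    plan = []
    for u in units:
        if u.operational:
            continue
        if u.mismatch == "image":
            plan.append(f"unit {u.unit_id} ({u.unit_type}): copy flash flash from the "
                        f"Active Controller, then reset the unit")
        elif u.mismatch == "config":
            plan.append(f"unit {u.unit_id} ({u.unit_type}): run stack secure-setup; if the "
                        f"mismatch remains, 'no stack unit {u.unit_id}' (remove any multi-slot "
                        f"trunk or LACP configuration on the unit first if that is refused)")
        else:
            plan.append(f"unit {u.unit_id} ({u.unit_type}): non-operational, reason '{u.comment}'")
    return plan


# Constructed captures modelled on the guide's two listings.
IMAGE_MISMATCH = """\
FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID   Type    Role     Mac Address     Pri  State   Comment
1  S FLS624  active   0012.f2eb.a900  128  local   Ready
2  S FLS648  standby  00f0.424f.4243  0    remote  NON-OP: image mismatch
3  S FGS624  member   00e0.5201.0100  0    remote  Ready
"""

CONFIG_MISMATCH = """\
FLS624-STK Switch#show stack
alone: standalone, D: dynamic config, S: static config
ID  Type    Role     Mac Address     Pri  State   Comment
1   FLS624  active   0012.f2eb.a900  128  local   Ready
2   FLS648  member   00f0.424f.4243  0    remote  Ready
3   FGS624  standby  00e0.5201.0100  0    remote  NON-OP: config mismatch
"""

if __name__ == "__main__":
    for capture in (IMAGE_MISMATCH, CONFIG_MISMATCH):
        for step in recovery_plan(parse_show_stack(capture)):
            print(step)
```

Feeding the parser a periodic show stack capture and alerting on any unit whose Comment column starts with NON-OP is a simple way to notice a failed replacement or a partial upgrade before users do.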
If there is already an active discovery process, Secure Setup may not discover all the intended units. If this is the case, you will need to restart the Secure Setup process.

Troubleshooting Unit Replacement Issues

If you are unsuccessful in building a stack using the automatic setup process (see “Scenario 2 - Configuring a Three-Member IronStack in a Ring Topology using the Automatic Setup Process” on page 4-13), or adding or replacing a unit in a stack, consider the following issues:
• Make sure that the number of units in your stack does not exceed the maximum of 8
• Make sure that the replacement unit is a clean unit (does not contain a startup-config.txt file)
• Make sure that the replacement unit running configuration does not contain “stack enable”
• Make sure the replacement unit running configuration does not contain “stack disable”
• Make sure that the configurations of the stack ports on the Active Controller match the physical connections to the unit

More About IronStack Technology

This section discusses stacking technology in greater detail than the information presented in Section 1. In this section, you will find the following topics:
• “Configuration, Startup Configuration Files and Stacking Flash” on page 4-58
• “Flexible Stacking Ports” on page 4-58
• “IronStack Topologies” on page 4-59
• “Device Roles and Elections” on page 4-59

Configuration, Startup Configuration Files and Stacking Flash

Stacking system behavior is defined by the run time configuration, which can be displayed using the show run command. The write memory command stores the run time configuration in a flash file called startup-config.txt. During bootup, the system reads and applies the startup-config.txt file to the run time configuration. The startup-config.txt file can be shown using the show config command.
The stacking system installs a stacking.boot file on each unit that tells the unit what its role is during the boot process. The stacking.boot file is generated whenever there is an election that defines the roles for all units.

When an Active Controller is booted, or a write memory command is issued, the Active Controller synchronizes its startup-config.txt file to every stack unit. The original startup-config.txt files in the Standby Controller and other stack members are renamed to startup-config.old.

If you issue the “stack unconfigure me” command on the Standby Controller or stack member directly, these units will recover their original startup-config.txt files and reboot as standalone devices. If you enter the stack unconfigure all command from the Active Controller all devices will recover their old startup-config.txt files and become standalone devices. When this happens, the startup-config.old file is renamed to startup-config.txt, and the stacking.boot file is removed. For more information, see “Unconfiguring an IronStack” on page 4-34.

Whenever a change is made to a stack unit's configuration, such as priority (which could affect stack elections), an election is held, and the result is written into the stacking.boot file. A prompt message appears on the console that suggests you do a write memory. For an Active Controller role change to take effect, you will need to reset the entire stack.

If you do not do a write memory, and reset the stack, the stack units will continue to operate in their roles as defined by the stacking.boot file. After the reset, each unit readjusts based on the current run time configuration. However, you may get different results depending on what has not been saved. If you have renumbered the stack unit IDs, you may see a configuration mismatch, because your changes no longer match the Active Controller’s configuration.
If you change priorities to elect an Active Controller, the new Active Controller will assume its role after a reboot whether you have done a write memory or not. If you do not save your priority change before the next reboot, the reboot will trigger an election that may result in a different winner based on the priority in the unsaved configuration. The new winner assumes its role after the next reboot.

If you change the stacking port configuration and do not save your changes, you may encounter connectivity errors. To recover from a configuration error, run Secure Setup to define the correct stacking port.

NOTE: You should always do a write memory after making stacking-related configuration changes such as priority and stacking ports. If you do not want to keep the changes, change the configuration back to the previous version, and do a write memory. Do not discard configuration changes by using the reset without a write memory.

Flexible Stacking Ports

Because FGS-STK and FLS-STK devices do not have dedicated stacking ports, they offer the flexibility to use each 10G port as a stacking port or a regular data port. Each stack member contains two full-duplex 10Gbps possible stack ports, and can operate in a stack with up to 40 Gbps throughput. When stacking is enabled, the first two 10Gb ports become stacking ports by default. You have the option, however, to configure only one of the 10Gb ports as a stacking port and use the other 10Gb port as a regular data port. For the locations of these ports on FGS-STK and FLS-STK devices, see Table 4.2 on page 4-30.

IronStack Topologies

Foundry IronStack technology supports both linear and ring stack topologies. Because the unicast switching follows the shortest path in a ring topology, this topology offers the strongest redundancy.
When the ring is broken, the stack recalculates the forwarding path and resumes the flow of traffic within a few seconds. In a ring topology, all stack members must have two stacking ports. In a linear topology, however, both end units use only one stacking port, leaving the other port available as a data port. To see an illustrated example of each topology, see “Foundry IronStack Topologies” on page 4-5.

Port Down and Aging

If a unit is powered down, or the stacking link is removed, the system immediately detects the port down and knows that its neighbor is gone. That unit is immediately removed from the Active Controller. If a unit is gone or no longer stack-enabled, but its stacking link is still on, it will take 20 seconds to age the neighbor out. The following message will be logged and displayed:

Warning! my mac=00f0.424f.4243, age out up-stream

Device Roles and Elections

There are three distinct roles played by units that are part of an IronStack:
• Active Controller
• Standby Controller
• Stack member

Active Controller

The Active Controller contains the saved and running configuration files for each stack member. The configuration files include the system-level settings for the stack, and the interface-level settings for each stack member, as well as MIB counters and port status. The Standby Controller also has a synchronized copy of the Active Controller’s startup config file for use in the event the Active Controller fails.

When a stack is formed, the console function for each stack member is automatically redirected to the Active Controller console. The Active Controller console port handles all stack management functions, as well as ping, Telnet sessions, and tftp image downloads for every stack member. If you connect to the console port on a stack member that is not the Active Controller, you are automatically directed through the console of the Active Controller.
The Active Controller synchronizes its start-up configuration with the Standby Controller and the rest of the stack members. You can recover the previous flash configuration of the Standby Controller and the stack members by issuing the stack unconfigure command. For an example of this command and the output generated, see “Unconfiguring an IronStack” on page 4-34.

The Active Controller may reset the rest of the stack members, if necessary. However, if the Active Controller itself must be reset because of a role or ID change, you must issue the reset command.

If the Active Controller fails, the Standby Controller waits 30 seconds, and then takes over as Active Controller, resetting itself and all other stack members. If the old Active Controller becomes operational, it may or may not resume its role as Active, depending on the configured priorities.

Standby Controller

In addition to the Active Controller, another stack member is elected as the Standby Controller. After a default interval of 30 seconds, the Standby Controller takes over if the Active Controller fails.

NOTE: Because it can take as long as 20 seconds to age out a neighbor, the Standby takeover period may last up to 50 seconds. (See “Port Down and Aging” on page 4-59.)

The Standby Controller synchronizes its configuration with the Active Controller at each reset.

Bootup Role

When a stack unit boots, it boots in a particular role, such as standalone, Active Controller, Standby Controller, or stack member. When the bootup role is Standby Controller or stack member, the CLI available to the unit is limited to show and stack commands. A unit in the role of Standby or stack member will not act without instructions from the Active Controller. To convert a Standby Controller or stack member into a standalone device, use the stack unconfigure me command (see “Unconfiguring an IronStack” on page 4-34).
The last line of the show version output identifies the unit’s role unless the unit is a standalone. For example:

My stack unit ID = 1, bootup role = active
My stack unit ID = 3, bootup role = standby

Active Controller and Standby Controller Elections

Whenever there is a topology change in the stack (a reset, unit failure, or the addition or removal of members), elections are held to determine the status of the Active Controller and Standby Controller. Any election takes effect after the next stack reset. The following conditions, in the order shown, determine which units will serve as Active Controller and Standby Controller after an election:
• Boot as active controller - The unit that was the Active Controller before the stack reload (unless the Standby Controller is manually configured with a higher priority). This ensures the persistence of the Active Controller.
• Priority - The unit with the highest priority value
• Greater number of members - The unit that has control over the greater number of stack members
• Lowest boot stack ID - The unit that has the lowest boot stack ID (1-8, 1 is the lowest)
• MAC address - The member with the lowest MAC address

Active Controller and Standby Controller Resets

If the Active Controller is reset or removed from the stack, the entire stack reloads and Active Controller and Standby Controller elections are initiated. If the unit functioning as the previous Active Controller is no longer part of the stack, the Standby Controller unit becomes the new Active Controller. After a reset, if no stack member qualifies as Active Controller, the existing Standby Controller waits 30 seconds and then assumes the role of Active Controller. If both Active and Standby Controllers are removed the rest of the stack will continue to function because they are operating on whatever is programmed in the hardware. The stack members will not be able to learn any new addresses.
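The election ordering listed above, together with the Standby Controller criteria the guide gives under “Standby Controller Election Criteria” (priority, then bootup as Active, then bootup as Standby, then lowest boot ID, then lowest MAC, and no Standby until the Active Controller has a startup-config.txt to synchronize), can be written down as a sort key so that the outcome of a planned priority change or unit swap can be predicted before the stack is reset. The following model is an added example and is not Foundry’s election code: it implements only the tie-break order as the guide lists it, and the stack units it uses are constructed.

```python
"""Model the Active and Standby Controller election orderings the guide lists.

Added example, not Foundry's code: only the tie-break order from the guide's
bullet lists is implemented, and the sample units below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Unit:
    boot_id: int          # boot stack ID, 1-8
    mac: str              # xxxx.xxxx.xxxx as shown by 'show stack'
    priority: int
    boot_role: str        # 'active', 'standby' or 'member' from stacking.boot
    members: int = 0      # stack members this unit currently has control over


def mac_value(mac: str) -> int:
    """Numeric value of a dotted MAC so 'lowest MAC address' can be compared."""
    return int(mac.replace(".", ""), 16)


def elect_active(units: List[Unit]) -> Unit:
    """Active Controller election, in the guide's order:
    previous Active persists (unless a Standby was given a higher priority),
    then highest priority, most members, lowest boot ID, lowest MAC."""
    standby_outranks = any(
        s.boot_role == "standby" and s.priority > a.priority
        for s in units for a in units if a.boot_role == "active")

    def key(u: Unit):
        persist = 0 if (u.boot_role == "active" and not standby_outranks) else 1
        return (persist, -u.priority, -u.members, u.boot_id, mac_value(u.mac))

    return min(units, key=key)


def elect_standby(units: List[Unit], active: Unit,
                  active_has_startup_config: bool = True) -> Optional[Unit]:
    """Standby Controller election: highest priority, booted as Active,
    booted as Standby, lowest boot ID, lowest MAC. Candidates need a startup
    configuration synchronized from the Active Controller, so there is no
    Standby until the Active Controller has done a write memory."""
    if not active_has_startup_config:
        return None
    rank = {"active": 0, "standby": 1}           # everything else ranks after
    candidates = [u for u in units if u is not active]
    if not candidates:
        return None
    return min(candidates, key=lambda u: (-u.priority, rank.get(u.boot_role, 2),
                                          u.boot_id, mac_value(u.mac)))


# Constructed stack modelled on the guide's three-unit examples.
STACK = [
    Unit(1, "0012.f2eb.a900", 128, "active", members=2),
    Unit(2, "00f0.424f.4243", 0, "standby"),
    Unit(3, "00e0.5201.0100", 0, "member"),
]

if __name__ == "__main__":
    active = elect_active(STACK)
    standby = elect_standby(STACK, active)
    print("active:", active.boot_id, "standby:", standby.boot_id if standby else None)
```

Running the model against the current show stack roles and the intended priority edit shows whether the edit will move the Active role (and therefore reset every unit) before you commit it with write memory.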
You will see the following message every few minutes:

Stack member is non-operational because of no Active or Standby Controller
You can recover to standalone mode by “stack unconfigure me”

Use stack unconfigure me to restore the units into standalone devices with a pre-stacking configuration.

Selecting a Standby Unit

You can choose a Standby Controller by configuring a stack unit's priority to be the second highest, or the same as the Active Controller. If the priorities are configured the same for both, when the original Active Controller fails, the Standby Controller takes over. If the original Active Controller becomes active again, it will not win back its active role, which helps to minimize interruption of the stack. However, if the original Active Controller has the higher priority, it will win back its role and reset all of the stack units.

Standby Controller Election Criteria

The Standby Controller election is based on the following criteria:
1. The highest priority
2. Bootup as Active Controller
3. Bootup as Standby Controller
4. The lowest boot ID
5. The lowest MAC address

Since Standby election candidates must have startup configurations that have been synchronized with the Active Controller, if the Active Controller does not have a startup-config.txt file, there will not be a Standby Controller. Once a write memory is performed on the Active Controller, the startup-config.txt file is written and synchronized to all stack members, and a Standby Controller can be elected.

Chapter 5
Configuring Basic Software Features

Foundry devices are configured at the factory with default parameters that allow you to begin using the basic features of the system immediately.
However, many of the advanced features such as VLANs or routing protocols for the device must first be enabled at the system (global) level before they can be configured. If you use the Command Line Interface (CLI) to configure system parameters, you can find these system level parameters at the Global CONFIG level of the CLI.

NOTE: Before assigning or modifying any router parameters, you must assign the IP subnet (interface) addresses for each port.

NOTE: For information about configuring IP addresses, DNS resolver, DHCP assist, and other IP-related parameters, see the chapter “Configuring IP” on page 30-1. For information about the Syslog buffer and messages, see the Appendix “Using Syslog” on page A-1.

Configuring Basic System Parameters

The procedures in this section describe how to configure the basic system parameters listed in Table 5.1.

Table 5.1: Basic System Parameters

Basic System Parameter  |  See Page
System name, contact, and location  |  5-2
SNMP trap receiver, trap source address, and other parameters  |  5-2
Single source address for all Telnet packets  |  5-7
Single source address for all TFTP packets  |  5-8
Single source address for all Syslog packets  |  5-8
Single source address for all SNTP packets  |  5-9
System time using a Simple Network Time Protocol (SNTP) server or local system counter  |  5-9
System clock  |  5-11
Broadcast, multicast, or unknown-unicast limits, if required to support slower third-party devices  |  5-12
Banners that are displayed on users’ terminals when they enter the Privileged EXEC CLI level or access the device through Telnet  |  5-16

NOTE: For information about the Syslog buffer and messages, see “Using Syslog” on page A-1.
Entering System Administration Information

You can configure a system name, contact, and location for a Foundry device and save the information locally in the configuration file for future reference. This information is not required for system operation but is suggested. When you configure a system name, the name replaces the default system name in the CLI command prompt. The name, contact, and location each can be up to 32 alphanumeric characters. Here is an example of how to configure a system name, system contact, and location:

FastIron(config)#hostname zappa
zappa(config)#snmp-server contact Support Services
zappa(config)#snmp-server location Centerville
zappa(config)#end
zappa#write memory

Syntax: hostname <string>
Syntax: snmp-server contact <string>
Syntax: snmp-server location <string>

The text strings can contain blanks. The SNMP text strings do not require quotation marks when they contain blanks but the host name does.

NOTE: The chassis name command does not change the CLI prompt. Instead, the command assigns an administrative ID to the device.

Configuring Simple Network Management Protocol (SNMP) Parameters

Use the procedures in this section to perform the following configuration tasks:
• Specify an SNMP trap receiver.
• Specify a source address and community string for all traps sent by the device.
• Change the holddown time for SNMP traps.
• Disable individual SNMP traps. (All traps are enabled by default.)
• Disable traps for CLI access that is authenticated by a local user account, a RADIUS server, or a TACACS/TACACS+ server.

NOTE: To add and modify “get” (read-only) and “set” (read-write) community strings, see the chapter “Securing Access to Management Functions” on page 40-1.
Specifying an SNMP Trap Receiver

You can specify a trap receiver to ensure that all SNMP traps sent by the Foundry device go to the same SNMP trap receiver or set of receivers, typically one or more host devices on the network. When you specify the host, you also specify a community string. The Foundry device sends all the SNMP traps to the specified host(s) and includes the specified community string. Administrators can therefore filter for traps from a Foundry device based on IP address or community string.

When you add a trap receiver, the software automatically encrypts the community string you associate with the receiver when the string is displayed by the CLI or Web management interface. If you want the software to show the community string in the clear, you must explicitly specify this when you add a trap receiver. In either case, the software does not encrypt the string in the SNMP traps sent to the receiver: the community string travels in the clear on the wire, so treat it as a label for filtering, not as a secret.

To specify the host to which the device sends all SNMP traps, use the following CLI method.

To add a trap receiver and configure the software to encrypt display of the community string in the CLI and Web management interface, enter commands such as the following:

FastIron(config)#snmp-server host 2.2.2.2 0 FastIron-12
FastIron(config)#write memory

The commands in this example add trap receiver 2.2.2.2 and configure the software to encrypt display of the community string. When you save the new community string to the startup-config file (using the write memory command), the software adds the following command to the file:

snmp-server host 2.2.2.2 1 <encrypted-string>

To specify an SNMP trap receiver and change the UDP port that will be used to receive traps, enter commands such as the following:

FastIron(config)#snmp-server host 2.2.2.2 0 mypublic port 200
FastIron(config)#write memory

Syntax: snmp-server host <ip-addr> [0 | 1] <string> [port <value>]

The <ip-addr> parameter specifies the IP address of the trap receiver.

The 0 | 1 parameter specifies whether you want the software to encrypt the string (1) or show the string in the clear (0). The default is 0.

The <string> parameter specifies an SNMP community string configured on the Foundry device. The string can be a read-only string or a read-write string. The string is not used to authenticate access to the trap host but is instead a useful method for filtering traps on the host. For example, if you configure each of your Foundry devices that use the trap host to send a different community string, you can easily distinguish among the traps from different Foundry devices based on the community strings.

The port <value> parameter allows you to specify which UDP port will be used by the trap receiver. This parameter allows you to configure several trap receivers in a system. With this parameter, IronView Network Manager and another network management application can coexist in the same system. Foundry devices can be configured to send copies of traps to more than one network management application.

Specifying a Single Trap Source

You can specify a single trap source to ensure that all SNMP traps sent by the Foundry device use the same source IP address. When you configure the SNMP source address, you specify the Ethernet port, loopback interface, or virtual interface that is the source for the traps. The Foundry device then uses the lowest-numbered IP address configured on the port or interface as the source IP address in the SNMP traps sent by the device.
Identifying a single source IP address for SNMP traps provides the following benefits:
• If your trap receiver is configured to accept traps only from specific links or IP addresses, you can use this feature to simplify configuration of the trap receiver by configuring the Foundry device to always send the traps from the same link or source address.
• If you specify a loopback interface as the single source for SNMP traps, SNMP trap receivers can receive traps regardless of the states of individual links. Thus, if a link to the trap receiver becomes unavailable but the receiver can be reached through another link, the receiver still receives the trap, and the trap still has the source IP address of the loopback interface.

To specify a port, loopback interface, or virtual interface whose lowest-numbered IP address the Foundry device must use as the source for all SNMP traps sent by the device, use the following CLI method.

To configure the device to send all SNMP traps from the first configured IP address on port 4, enter the following commands:

FastIron(config)#snmp-server trap-source ethernet 4
FastIron(config)#write memory

Syntax: snmp-server trap-source loopback <num> | ethernet [<stack-unit>/][<slotnum>/]<portnum> | ve <num>

The <num> parameter is a loopback interface or virtual interface number.

If you specify an Ethernet port, the <slotnum> parameter is required on chassis devices.

If you specify an Ethernet port, the <stack-unit> parameter is required on all FGS, FWS, and FLS devices, and on FGS-STK and FLS-STK devices.
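The trap receiver and trap source settings above together decide what a receiver can actually filter on. The following is an added example, not code from this guide or from Foundry: a stdlib-only Python module that builds the SNMPv2c trap message a device configured with "snmp-server host 2.2.2.2 0 FastIron-12" would emit (SNMPv2c framing, a coldStart trap OID, and a trap-source address of 10.0.0.1 are assumptions for the demonstration), then shows the receiver side reading the community string straight out of the datagram. Because the string is visible to anyone on the path, the receiver here trusts the source address that "snmp-server trap-source" pins down and uses the community only to sort traps.

```python
"""Minimal SNMPv2c trap encoder and receiver-side filter (BER, stdlib only).

Added example, not code from the FastIron guide. SNMPv2c framing, the coldStart
trap OID and the 10.0.0.1 trap-source address are assumptions.
"""

SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"        # sysUpTime.0, first mandatory varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"     # snmpTrapOID.0, second mandatory varbind
COLD_START_OID = "1.3.6.1.6.3.1.1.5.1"      # standard coldStart notification


def _ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(body)) + body


def _integer(value: int, tag: int = 0x02) -> bytes:
    """Two's-complement INTEGER; tag 0x43 yields the TimeTicks application type."""
    size = (value.bit_length() + 8) // 8  # +8 keeps a leading zero when the top bit is set
    return _tlv(tag, value.to_bytes(size, "big", signed=True))


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    encoded = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        encoded.extend(reversed(chunk))
    return _tlv(0x06, bytes(encoded))


def encode_v2c_trap(community: str, trap_oid: str, uptime_ticks: int, request_id: int = 1) -> bytes:
    """SNMPv2c message wrapping an SNMPv2-Trap PDU (context tag [7] = 0xA7)."""
    varbinds = (
        _tlv(0x30, _oid(SYS_UPTIME_OID) + _integer(uptime_ticks, 0x43))
        + _tlv(0x30, _oid(SNMP_TRAP_OID) + _oid(trap_oid))
    )
    pdu = _tlv(0xA7, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _integer(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 == v2c


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_header(packet: bytes):
    """Receiver side: pull version and community out of the raw datagram."""
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, pos = _read_tlv(message, 0)
    ctag, community, _ = _read_tlv(message, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("malformed SNMP header")
    return int.from_bytes(version, "big", signed=True), community.decode()


def accept_trap(src_ip: str, packet: bytes, trusted_sources: set, expected_community: str) -> bool:
    """Trust comes from the source address (the device's trap-source); the
    community string only routes the trap to the right queue on the receiver."""
    if src_ip not in trusted_sources:
        return False
    version, community = parse_header(packet)
    return version == 1 and community == expected_community


if __name__ == "__main__":
    trap = encode_v2c_trap("FastIron-12", COLD_START_OID, uptime_ticks=0)
    print(trap.hex())
    print("community visible in the clear:", b"FastIron-12" in trap)
```

The receiver check refuses a trap from any address other than the configured trap source even when the community string is right, which is the behaviour the "accept traps only from specific links or IP addresses" benefit above relies on.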
To specify a loopback interface as the device's SNMP trap source, enter commands such as the following:

FastIron(config)#int loopback 1
FastIron(config-lbif-1)#ip address 10.0.0.1/24
FastIron(config-lbif-1)#exit
FastIron(config)#snmp-server trap-source loopback 1

The commands in this example configure loopback interface 1, assign IP address 10.0.0.1/24 to the loopback interface, then designate the interface as the SNMP trap source for this device. Regardless of the port the Foundry device uses to send traps to the receiver, the traps always arrive from the same source IP address.

Setting the SNMP Trap Holddown Time

When a Foundry device starts up, the software waits for Layer 2 convergence (STP) and Layer 3 convergence (OSPF) before beginning to send SNMP traps to external SNMP servers. Until convergence occurs, the device might not be able to reach the servers, in which case the messages are lost.

By default, a Foundry device uses a one-minute holddown time to wait for the convergence to occur before starting to send SNMP traps. After the holddown time expires, the device sends the traps, including traps such as "cold start" or "warm start" that occur before the holddown time expires.

You can change the holddown time to a value from one second to ten minutes.

To change the holddown time for SNMP traps, enter a command such as the following at the global CONFIG level of the CLI:

FastIron(config)#snmp-server enable traps holddown-time 30

The command in this example changes the holddown time for SNMP traps to 30 seconds. The device waits 30 seconds to allow convergence in STP and OSPF before sending traps to the SNMP trap receiver.

Syntax: [no] snmp-server enable traps holddown-time <secs>

The <secs> parameter specifies the number of seconds and can be from 1 – 600 (ten minutes). The default is 60 seconds.

Disabling SNMP Traps

Foundry devices come with SNMP trap generation enabled by default for all traps.
You can selectively disable one or more of the following traps. Disable traps selectively rather than wholesale; the SNMP authentication and link traps in particular are ones a monitoring team is likely to depend on.

NOTE: By default, all SNMP traps are enabled at system startup.

Layer 2 Traps

The following traps are generated on devices running Layer 2 software:
• SNMP authentication key
• Power supply failure
• Fan failure
• Cold start
• Link up
• Link down
• Bridge new root
• Bridge topology change
• Locked address violation

Layer 3 Traps

The following traps are generated on devices running Layer 3 software:
• SNMP authentication key
• Power supply failure
• Fan failure
• Cold start
• Link up
• Link down
• Bridge new root
• Bridge topology change
• Locked address violation
• BGP4
• OSPF
• VRRP
• VRRPE

To stop link down occurrences from being reported, enter the following:

FastIron(config)#no snmp-server enable traps link-down

Syntax: [no] snmp-server enable traps <trap-type>

Displaying Virtual Routing Interface Statistics

Platform Support:
• FastIron X Series devices running software release 03.2.00 and later – L2, BL3, L3

In software releases prior to FSX 04.1.00, this feature enables SNMP to extract and display virtual routing interface statistics from the ifTable (32-bit counters). Starting with software release FSX 04.1.00, this feature enables SNMP to extract and display virtual routing interface statistics from the ifXTable (64-bit counters).

The following describes the limitations of this feature:
• The Foundry device counts traffic from all virtual interfaces (VEs). For example, in a configuration with two VLANs (VLAN 1 and VLAN 20) on port 1, when traffic is sent on VLAN 1, the counters (VE statistics) increase for both VE 1 and VE 20.
• The counters include all traffic on each virtual interface, even if the virtual interface is disabled.
• The counters include traffic that is denied by ACLs or MAC filters.
To enable SNMP to display VE statistics, enter the following command:

FastIron(config)#enable snmp ve-statistics

Syntax: [no] enable snmp ve-statistics

Use the no form of the command to disable this feature once it is enabled.

Note that the above CLI command enables SNMP to display virtual interface statistics. It does not enable the CLI or Web Management Interface to display the statistics.

Disabling Syslog Messages and Traps for CLI Access

Foundry devices send Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI. The feature applies to users whose access is authenticated by an authentication-method list based on a local user account, RADIUS server, or TACACS/TACACS+ server.

NOTE: The Privileged EXEC level is sometimes called the "Enable" level, because the command for accessing this level is enable.

The feature is enabled by default.

Examples of Syslog Messages for CLI Access

When a user whose access is authenticated by a local user account, a RADIUS server, or a TACACS/TACACS+ server logs into or out of the CLI's User EXEC or Privileged EXEC mode, the software generates a Syslog message and trap containing the following information:
• The time stamp
• The user name
• Whether the user logged in or out
• The CLI level the user logged into or out of (User EXEC or Privileged EXEC level)

NOTE: Messages for accessing the User EXEC level apply only to access through Telnet. The device does not authenticate initial access through serial connections but does authenticate serial access to the Privileged EXEC level. Messages for accessing the Privileged EXEC level apply to access through the serial connection or Telnet.
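The login and logout messages described above (and shown in the show logging output that follows) are the device's only record of who reached Privileged EXEC. The following is an added example, not code from this guide or from Foundry: a Python module that parses messages in that format once they have been collected, rebuilds each user's Privileged EXEC session, and flags enable-level access by accounts outside an allow list. The log lines in it are constructed to match the format on this page, and the year is an assumption because the messages carry none.

```python
"""Session reconstruction from FastIron CLI-access Syslog messages.

Added example, not code from the FastIron guide. The sample log lines are
constructed; the year supplied to the parser is an assumption.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# "Oct 15 17:38:03:info:dg login to USER EXEC mode"
ACCESS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):(?P<sev>\w+):"
    r"(?P<user>\S+) (?P<action>login to|logout from) (?P<level>USER|PRIVILEGE) EXEC mode$"
)

# Constructed sample, newest entry first as show logging prints the dynamic buffer.
SAMPLE_LOG = """\
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode
Oct 15 17:20:45:info:guest login to PRIVILEGE EXEC mode
Oct 15 17:20:40:info:guest login to USER EXEC mode
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
"""


def parse_access_events(log_text: str, year: int = 2008) -> List[dict]:
    """Return CLI-access events oldest first; messages of other kinds are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue  # e.g. the fan-failure entry from the static buffer
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": when,
            "user": m["user"],
            "login": m["action"] == "login to",
            "privileged": m["level"] == "PRIVILEGE",
        })
    return sorted(events, key=lambda e: e["time"])


def privileged_sessions(events: List[dict]) -> List[Tuple[str, datetime, Optional[datetime]]]:
    """Pair each Privileged EXEC login with that user's next Privileged EXEC
    logout. A session still open at the end of the log is reported with end=None."""
    open_since: Dict[str, datetime] = {}
    sessions = []
    for e in events:
        if not e["privileged"]:
            continue
        if e["login"]:
            open_since[e["user"]] = e["time"]
        elif e["user"] in open_since:
            sessions.append((e["user"], open_since.pop(e["user"]), e["time"]))
    sessions.extend((user, start, None) for user, start in open_since.items())
    return sessions


def unexpected_enable(events: List[dict], allowed_users: set) -> List[str]:
    """Users who entered Privileged EXEC without being on the allow list."""
    flagged: List[str] = []
    for e in events:
        if e["privileged"] and e["login"] and e["user"] not in allowed_users and e["user"] not in flagged:
            flagged.append(e["user"])
    return flagged


def session_seconds(session: Tuple[str, datetime, Optional[datetime]]) -> Optional[int]:
    _, start, end = session
    return None if end is None else int((end - start).total_seconds())


if __name__ == "__main__":
    evts = parse_access_events(SAMPLE_LOG)
    for s in privileged_sessions(evts):
        print(s[0], "in Privileged EXEC for", session_seconds(s), "seconds")
    print("enable by unlisted users:", unexpected_enable(evts, {"dg"}))
```

The parser deliberately ignores the "info" severity and keys only on the message text, since the device, not the collector, decides the severity of these messages. Run it against lines gathered from an external Syslog server rather than the on-box buffer, which holds only a few dozen entries.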
The following examples show login and logout messages for the User EXEC and Privileged EXEC levels of the CLI:

FastIron#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 12 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning

Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed

Dynamic Log Buffer (50 entries):
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode

Syntax: show logging

The first message (the one on the bottom) indicates that user "dg" logged in to the CLI's User EXEC level on October 15 at 5:38 PM and 3 seconds (Oct 15 17:38:03). The same user logged into the Privileged EXEC level four seconds later. The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.

The dynamic buffer in this example holds 50 entries, so login records are overwritten quickly on a busy device. Forward the messages to an external Syslog server (see "Using Syslog" on page A-1) if you need a durable record of who entered the Privileged EXEC level.

Disabling the Syslog Messages and Traps

Logging of CLI access is enabled by default. If you want to disable the logging, enter the following commands:

FastIron(config)#no logging enable user-login
FastIron(config)#write memory
FastIron(config)#end
FastIron#reload

Syntax: [no] logging enable user-login

Configuring an Interface as the Source for All Telnet Packets

You can designate the lowest-numbered IP address configured on an interface as the source IP address for all Telnet packets from the device.
Identifying a single source IP address for Telnet packets provides the following benefits:
• If your Telnet server is configured to accept packets only from specific links or IP addresses, you can use this feature to simplify configuration of the Telnet server by configuring the Foundry device to always send the Telnet packets from the same link or source address.
• If you specify a loopback interface as the single source for Telnet packets, Telnet servers can receive the packets regardless of the states of individual links. Thus, if a link to the Telnet server becomes unavailable but the client or server can be reached through another link, the client or server still receives the packets, and the packets still have the source IP address of the loopback interface.

The software contains separate CLI commands for specifying the source interface for Telnet, TACACS/TACACS+, and RADIUS packets. You can configure a source interface for one or more of these types of packets.

To specify an interface as the source for all Telnet packets from the device, use the following CLI method. The software uses the lowest-numbered IP address configured on the interface as the source IP address for Telnet packets originated by the device.

To specify the lowest-numbered IP address configured on a loopback interface as the device's source for all Telnet packets, enter commands such as the following:

FastIron(config)#int loopback 2
FastIron(config-lbif-2)#ip address 10.0.0.2/24
FastIron(config-lbif-2)#exit
FastIron(config)#ip telnet source-interface loopback 2

The commands in this example configure loopback interface 2, assign IP address 10.0.0.2/24 to the interface, then designate the interface as the source for all Telnet packets from the device.

Syntax: ip telnet source-interface ethernet [<stack-unit>/][<slotnum>/]<portnum> | loopback <num> | ve <num>

If you specify an Ethernet port, the <slotnum> parameter is required on chassis devices.
If you specify an Ethernet port, the <stack-unit> parameter is required on all FGS, FWS, and FLS devices.

The following commands configure an IP interface on an Ethernet port and designate the port as the source for all Telnet packets from the device.

FastIron(config)#interface ethernet 4
FastIron(config-if-e1000-4)#ip address 209.157.22.110/24
FastIron(config-if-e1000-4)#exit
FastIron(config)#ip telnet source-interface ethernet 4

Cancelling an Outbound Telnet Session

If you want to cancel a Telnet session from the console to a remote Telnet server (for example, if the connection is frozen), you can terminate the Telnet session by doing the following:
1. At the console, press Ctrl-^ (Ctrl-Shift-6).
2. Press the X key to terminate the Telnet session.

Pressing Ctrl-^ twice in a row causes a single Ctrl-^ character to be sent to the Telnet server. After you press Ctrl-^, pressing any key other than X or Ctrl-^ returns you to the Telnet session.

Configuring an Interface as the Source for All TFTP Packets

Platform Support:
• FastIron X Series devices running software release 02.5.00 and later

You can configure the device to use the lowest-numbered IP or IPv6 address configured on a loopback interface, virtual interface, or Ethernet port as the source for all TFTP packets from the device. The software uses the lowest-numbered IP or IPv6 address configured on the interface as the source IP address for the packets.
For example, to specify the lowest-numbered IP address configured on a virtual interface as the device's source for all TFTP packets, enter commands such as the following:

FastIron(config)#int ve 1
FastIron(config-vif-1)#ip address 10.0.0.3/24
FastIron(config-vif-1)#exit
FastIron(config)#ip tftp source-interface ve 1

The commands in this example configure virtual interface 1, assign IP address 10.0.0.3/24 to the interface, then designate the interface's address as the source address for all TFTP packets.

Syntax: [no] ip tftp source-interface ethernet [<stack-unit>/][<slotnum>/]<portnum> | loopback <num> | ve <num>

If you specify an Ethernet port, the <slotnum> parameter is required on chassis devices.

If you specify an Ethernet port, the <stack-unit> parameter is required on all FGS, FWS, and FLS devices.

The default is the lowest-numbered IP address configured on the port through which the packet is sent. The address therefore changes, by default, depending on the port.

Configuring an Interface as the Source for Syslog Packets

Platform Support:
• FastIron X Series devices running software release 02.5.00 and later

You can configure the device to use the lowest-numbered IP or IPv6 address configured on a loopback interface, virtual interface, or Ethernet port as the source for all Syslog packets from the device. The software uses the lowest-numbered IP or IPv6 address configured on the interface as the source IP address for the packets.

For example, to specify the lowest-numbered IP address configured on a virtual interface as the device's source for all Syslog packets, enter commands such as the following:

FastIron(config)#int ve 1
FastIron(config-vif-1)#ip address 10.0.0.4/24
FastIron(config-vif-1)#exit
FastIron(config)#ip syslog source-interface ve 1

The commands in this example configure virtual interface 1, assign IP address 10.0.0.4/24 to the interface, then designate the interface's address as the source address for all Syslog packets.
Syntax: [no] ip syslog source-interface ethernet [<stack-unit>/][<slotnum>/]<portnum> | loopback <num> | ve <num>

If you specify an Ethernet port, the <slotnum> parameter is required on chassis devices.

If you specify an Ethernet port, the <stack-unit> parameter is required on all FGS, FWS, and FLS devices.

The default is the lowest-numbered IP or IPv6 address configured on the port through which the packet is sent. The address therefore changes, by default, depending on the port.

Configuring an Interface as the Source for All SNTP Packets

Platform Support:
• FastIron X Series devices running software release 02.5.00 and later

You can configure the device to use the lowest-numbered IP or IPv6 address configured on a loopback interface, virtual interface, or Ethernet port as the source for all SNTP packets from the device. The software uses the lowest-numbered IP or IPv6 address configured on the interface as the source IP address for the packets.

For example, to specify the lowest-numbered IP address configured on a virtual interface as the device's source for all SNTP packets, enter commands such as the following:

FastIron(config)#int ve 1
FastIron(config-vif-1)#ip address 10.0.0.5/24
FastIron(config-vif-1)#exit
FastIron(config)#ip sntp source-interface ve 1

The commands in this example configure virtual interface 1, assign IP address 10.0.0.5/24 to the interface, then designate the interface's address as the source address for all SNTP packets.

Syntax: [no] ip sntp source-interface ethernet [<stack-unit>/][<slotnum>/]<portnum> | loopback <num> | ve <num>

The default is the lowest-numbered IP or IPv6 address configured on the port through which the packet is sent. The address therefore changes, by default, depending on the port.

Specifying a Simple Network Time Protocol (SNTP) Server

You can configure the Foundry device to consult SNTP servers for the current system time and date.
NOTE: Foundry devices do not retain time and date information across power cycles. Unless you want to reconfigure the system time counter each time the system is reset, Foundry Networks recommends that you use the SNTP feature.

To identify an SNTP server with IP address 208.99.8.95 to act as the clock reference for a Foundry device, enter the following:

FastIron(config)#sntp server 208.99.8.95

Syntax: sntp server <ip-addr> | <hostname> [<version>]

The <version> parameter specifies the SNTP version the server is running and can be from 1 – 4. The default is 1.

You can configure up to three SNTP servers by entering three separate sntp server commands.

The sntp server command takes no authentication key, so the time the device applies is whatever arrives from the configured server address. Because the system clock stamps the Syslog login records used for audit, reach SNTP servers over a trusted management path and confirm with show sntp status that the device has actually synchronized.

By default, the Foundry device polls its SNTP server every 30 minutes (1800 seconds). To configure the Foundry device to poll for clock updates from an SNTP server every 15 minutes, enter the following:

FastIron(config)#sntp poll-interval 900

Syntax: [no] sntp poll-interval <1-65535>

To display information about SNTP associations, enter the following command:

FastIron#show sntp associations
  address          ref clock    st   when   poll   delay   disp
 ~207.95.6.102     0.0.0.0      16   202    4      0.0     5.45
 ~207.95.6.101     0.0.0.0      16   202    0      0.0     0.0
 * synced, ~ configured

Syntax: show sntp associations

The following table describes the information displayed by the show sntp associations command.

Table 5.2: Output from the show sntp associations command

This Field...          Displays...
(leading character)    One or both of the following: * synchronized to this peer; ~ peer is statically configured
address                IP address of the peer
ref clock              IP address of the peer's reference clock
st                     NTP stratum level of the peer
when                   Amount of time since the last NTP packet was received from the peer
poll                   Poll interval in seconds
delay                  Round trip delay in milliseconds
disp                   Dispersion in seconds

To display information about SNTP status, enter the following command:

FastIron#show sntp status
Clock is unsynchronized, stratum = 0, no reference clock
precision is 2**0
reference time is 0 .0
clock offset is 0.0 msec, root delay is 0.0 msec
root dispersion is 0.0 msec, peer dispersion is 0.0 msec

Syntax: show sntp status

The following table describes the information displayed by the show sntp status command.

Table 5.3: Output from the show sntp status command

This Field...          Indicates...
unsynchronized         System is not synchronized to an NTP peer.
synchronized           System is synchronized to an NTP peer.
stratum                NTP stratum level of this system
reference clock        IP address of the peer (if any) to which the unit is synchronized
precision              Precision of this system's clock (in Hz)
reference time         Reference time stamp
clock offset           Offset of clock to synchronized peer
root delay             Total delay along the path to the root clock
root dispersion        Dispersion of the root path
peer dispersion        Dispersion of the synchronized peer

SNTP over IPv6

Platform Support:
• FastIron X Series devices running software release 02.4.00 and later
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 and later

To enable the Foundry device to send SNTP packets over IPv6, enter a command such as the following at the Global CONFIG level of the CLI:

FastIron(config)#sntp server ipv6 3000::400

Syntax: sntp server ipv6 <ipv6-address>

The <ipv6-address> is the IPv6 address of the SNTP server. When you enter the IPv6 address, you do not need to specify the prefix length. A prefix length of 128 is implied.

Setting the System Clock

In addition to SNTP support, Foundry switches and routers also allow you to set the system time counter. The time counter setting is not retained across power cycles and is not automatically synchronized with an SNTP server. The counter merely starts the system time and date clock with the time and date you specify.

NOTE: You can synchronize the time counter with your SNTP server time by entering the sntp sync command from the Privileged EXEC level of the CLI.

NOTE: Unless you identify an SNTP server for the system time and date, you will need to re-enter the time and date following each reboot. For more details about SNTP, see "Specifying a Simple Network Time Protocol (SNTP) Server" on page 5-9.

To set the system time and date to 10:15:05 on October 15, 2003, enter the following command:

FastIron#clock set 10:15:05 10-15-2003

Syntax: [no] clock set <hh:mm:ss> <mm-dd-yy> | <mm-dd-yyyy>

By default, Foundry switches and routers do not change the system time for daylight saving time.
To enable daylight saving time, enter the following command:

FastIron#clock summer-time

Syntax: clock summer-time

Although SNTP servers typically deliver the time and date in Greenwich Mean Time (GMT), you can configure the Foundry device to adjust the time for any one-hour offset from GMT or for one of the following U.S. time zones:
• Alaska
• Aleutian
• Arizona
• Central
• East-Indiana
• Eastern
• Hawaii
• Michigan
• Mountain
• Pacific
• Samoa

To change the time zone to Australian East Coast time (which is normally 10 hours ahead of GMT), enter the following command:

FastIron(config)#clock timezone gmt+10

Syntax: clock timezone gmt | us <time-zone>

You can enter one of the following values for <time-zone>:
• US time zones (us): alaska, aleutian, arizona, central, east-indiana, eastern, hawaii, michigan, mountain, pacific, samoa.
• GMT time zones (gmt): gmt+0:00 to gmt+12:00 in increments of 1, and gmt-0:00 to gmt-12:00 in decrements of 1 are supported.
• FGS Release 03.0.00 adds support for the following additional time zones: gmt+11:30, gmt+10:30, gmt+09:30, gmt+06:30, gmt+05:30, gmt+04:30, gmt+03:30, gmt-03:30, gmt-08:30, gmt-09:30.

New Start and End Dates for US Daylight Saving Time

NOTE: This feature applies to US time zones only.

Starting in 2007, Foundry's software automatically changes the system clock to Daylight Saving Time (DST), in compliance with the federally mandated start of daylight saving time, which was extended by one month beginning in 2007. DST starts at 2:00am on the second Sunday in March and ends at 2:00am on the first Sunday in November.

The DST feature is automatic, but for the device to switch at the correct time, the device must be configured with a US time zone, not a GMT offset.
To configure your device to use the US time zone, enter the following command:

FastIron(config)#clock timezone us pacific

Syntax: [no] clock timezone us <timezone-type>

Enter one of the US time zone names listed above (for example pacific, eastern, central, or mountain) for <timezone-type>. This command must be configured on every device that follows the US DST.

To verify the change, run a show clock command:

FastIron#show clock

Refer to "October 19, 2006 - Daylight Saving Time 2007 Advisory", posted on kp.foundrynet.com, for more information.

Limiting Broadcast, Multicast, and Unknown Unicast Traffic

FastIron devices can forward all flooded traffic at wire speed within a VLAN. However, some third-party networking devices cannot handle high rates of broadcast, multicast, or unknown-unicast traffic. If high rates of traffic are being received by the FastIron on a given port of that VLAN, you can limit the number of broadcast, multicast, or unknown-unicast packets or bytes received each second on that port. This can help to control the number of such packets or bytes that are flooded on the VLAN to other devices.

Byte-based limiting for broadcast, multicast, and unknown unicast traffic provides the ability to rate limit traffic based on byte count instead of packet count. When the byte mode is enabled, packets will be received on a port as long as the number of bytes received per second is less than the corresponding limit. Once the limit is reached, further packets will be dropped. Packet-based and byte-based limiting can be configured simultaneously on the same port. For example, you can configure the broadcast limit in packet mode and the unknown unicast limit in byte mode on the same port.

When you enable broadcast limiting, the total number of broadcast packets or bytes received on the port will not exceed the number you specify. To also limit multicast packets, enable them after you enable broadcast limiting.
In this case, the total number of broadcast and multicast packets or bytes received on the port will not exceed the number you specify. On FastIron devices, unknown unicast limiting is independent of broadcast and multicast limiting.

Configuration Considerations for FastIron X Series Devices

On FastIron X Series devices, when you configure unknown-unicast limiting, the rate applies to all ports in the port range for which unknown unicast is enabled. A 1-Gigabit port range consists of 12 ports. For example, the FESX424 has 2 port ranges: ports 1 – 12 are one port range, and ports 13 – 24 are another port range. If you enable unknown unicast limiting on port 2, the configuration applies to the ports from 1 – 12 that have unknown unicast limiting enabled.

10-Gigabit ports are not grouped into ranges. So if your device has two 10-Gigabit uplinks, you can configure different unknown-unicast limits for each 10-Gigabit port.

Command Syntax for Packet-based Limiting

Platform Support:
• FGS, FWS, and FLS – all software releases
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FastIron X Series – all software releases

To enable broadcast limiting on a group of ports by counting the number of packets received, enter commands such as the following:

FastIron(config)#interface ethernet 1 to 8
FastIron(config-mif-e1000-1-8)#broadcast limit 65536

These commands configure packet-based broadcast limiting on ports 1 – 8. On each port, the maximum number of broadcast packets per second cannot exceed 65,536.
The equivalent commands for a FastIron GS or LS device are slightly different, using the <stack-unit>/<slotnum>/<portnum> nomenclature, as shown here:

FGS624(config)#interface ethernet 0/1/1 to 0/1/8
FGS624(config-mif-e1000-0/1/1-0/1/8)#broadcast limit 65536

The commands for a FastIron GS-STK or LS-STK device operating in a stack resemble the following:

FastIron(config)#interface ethernet 1/1/1 to 1/1/8
FastIron(config-mif-e1000-1/1/1-1/1/8)#broadcast limit 65536

To include multicasts in the 65536 packets per second limit on each of the ports, enter the following command after enabling broadcast limiting:

FastIron(config-mif-e1000-1-8)#multicast limit

To enable unknown unicast limiting by counting the number of packets received, enter commands such as the following:

FastIron#config terminal
FastIron(config)#int e 1
FastIron(config-if-e1000-1)#unknown-unicast limit 65536
The combined number of inbound Unknown Unicast packets permitted for ports 1 to 12 is now set to 65536
FastIron(config-if-e1000-1)#

Syntax: [no] broadcast limit <num>
Syntax: [no] multicast limit
Syntax: [no] unknown-unicast limit <num>

The <num> parameter specifies the maximum number of packets per second and can be any number that is a multiple of 65536, up to a maximum value of 2147418112. If you enter the multicast limit command, multicast packets are included in the limit you specify. If you specify 0, limiting is disabled. If you specify a number that is not a multiple of 65536, the software rounds the number up to the next multiple of 65536. Limiting is disabled by default.
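The rounding rule just described and the port-range behaviour from "Configuration Considerations for FastIron X Series Devices" apply equally to the byte-based limits that follow, and together they decide what value actually takes effect on which ports. The following is an added example, not code from this guide or from Foundry: a Python model of those rules that a practitioner can run over a proposed configuration before pushing it. Which ports are 10-Gigabit is passed in as a parameter because the device model, not the rule, decides that; the sample configuration is constructed.

```python
"""Model of the FastIron broadcast/multicast/unknown-unicast limit rules.

Added example, not code from the FastIron guide. The sample configuration and
the set of 10-Gigabit ports are constructed for the demonstration.
"""
from typing import Dict, List, Set, Tuple

STEP = 65536
MAX_LIMIT = 2147418112      # 32767 * 65536, the largest value the CLI accepts
PORTS_PER_RANGE = 12        # 1-Gigabit ports are grouped in ranges of 12


def normalize_limit(num: int) -> int:
    """Return the value the software will actually apply for `<num>`."""
    if num < 0 or num > MAX_LIMIT:
        raise ValueError(f"limit must be between 0 and {MAX_LIMIT}")
    if num == 0:
        return 0                        # 0 disables limiting
    return -(-num // STEP) * STEP       # round up to the next multiple of 65536


def unknown_unicast_region(port: int, ten_gig_ports: Set[int] = frozenset()) -> Tuple[int, int]:
    """Inclusive port range that an unknown-unicast limit on `port` applies to."""
    if port in ten_gig_ports:
        return (port, port)             # 10-Gigabit ports are not grouped
    first = (port - 1) // PORTS_PER_RANGE * PORTS_PER_RANGE + 1
    return (first, first + PORTS_PER_RANGE - 1)


def region_limits(config: Dict[int, Tuple[int, str]],
                  ten_gig_ports: Set[int] = frozenset()) -> Dict[Tuple[int, int], Set[Tuple[int, str]]]:
    """Fold per-port 'unknown-unicast limit' settings into the combined
    per-region limits that 'show rate-limit unknown-unicast' reports.
    `config` maps port -> (num, "packets" | "bytes")."""
    regions: Dict[Tuple[int, int], Set[Tuple[int, str]]] = {}
    for port, (num, mode) in config.items():
        if mode not in ("packets", "bytes"):
            raise ValueError(f"unknown mode {mode!r}")
        applied = normalize_limit(num)
        if applied == 0:
            continue                    # disabled, contributes nothing to the region
        regions.setdefault(unknown_unicast_region(port, ten_gig_ports), set()).add((applied, mode))
    return regions


def conflicting_regions(regions: Dict[Tuple[int, int], Set[Tuple[int, str]]]) -> List[Tuple[int, int]]:
    """Regions whose ports were given different limits or modes. One limit
    covers the whole range, so at least one of those settings will not be
    what runs; review them before applying the configuration."""
    return sorted(region for region, settings in regions.items() if len(settings) > 1)


if __name__ == "__main__":
    # Constructed: the two regions from the show rate-limit output on this page,
    # a second, conflicting value in the 1-12 range, and a 10-Gigabit uplink.
    cfg = {12: (524288, "packets"), 13: (65536, "bytes"), 2: (100000, "packets"), 25: (65536, "bytes")}
    regs = region_limits(cfg, ten_gig_ports={25, 26})
    for region, settings in sorted(regs.items()):
        print(f"ports {region[0]:>2} - {region[1]:<2}: {sorted(settings)}")
    print("conflicting regions:", conflicting_regions(regs))
```

A value such as 100000 is reported back as 131072, which is the number the device will show in show run interface; checking the normalized value against what the change ticket asked for avoids surprises when the configuration is reviewed later.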
Command Syntax for Byte-based Limiting

Platform Support:
• FastIron X Series devices running software release 04.0.00 and later – L2, BL3, L3

To enable broadcast limiting on a group of ports by counting the number of bytes received, enter commands such as the following:

FastIron(config)#interface ethernet 9 to 10
FastIron(config-mif-e1000-9-10)#broadcast limit 131072 bytes

These commands configure byte-based broadcast limiting on ports 9 and 10. On each port, the total number of bytes received from broadcast packets cannot exceed 131,072 per second.

To include multicasts in the 131072 bytes per second limit on each of the ports, enter the following command after enabling broadcast limiting:

FastIron(config-mif-e1000-9-10)#multicast limit

To enable unknown unicast limiting, enter commands such as the following:

FastIron#config terminal
FastIron(config)#int e 13
FastIron(config-if-e1000-13)#unknown-unicast limit 65536 bytes
The combined number of bytes of inbound Unknown Unicast packets permitted for ports 13 to 24 is now set to 65536
FastIron(config-if-e1000-13)#

Syntax: [no] broadcast limit <num> bytes
Syntax: [no] multicast limit
Syntax: [no] unknown-unicast limit <num> bytes

The <num> parameter specifies the maximum number of bytes per second and can be any number that is a multiple of 65536, up to a maximum value of 2147418112. If you enter the multicast limit command, multicast packets are included in the limit you specify. If you specify 0, limiting is disabled. If you specify a number that is not a multiple of 65536, the software rounds the number up to the next multiple of 65536. Limiting is disabled by default.

Viewing Broadcast, Multicast, and Unknown Unicast Limits

You can use the show run interface command to display the broadcast, multicast, and unknown-unicast limits configured on the device.
Starting in software release FSX 04.2.00, you can use the following commands, in addition to the show run interface command, to display the broadcast, multicast, and unknown-unicast limits configured on the device:
• show rate-limit unknown-unicast
• show rate-limit broadcast

Use the show run interface command to view the broadcast, multicast, and unknown-unicast limit configured on each port. For example:

  FastIron#show run interface
  interface ethernet 4
   broadcast limit 1245184 bytes
   multicast limit
  !
  interface ethernet 5
   broadcast limit 1245184 bytes
   multicast limit
  !
  interface ethernet 12
   unknown-unicast limit 524288
  !
  interface ethernet 13
   unknown-unicast limit 65536 bytes
  !
  interface ethernet 14
   broadcast limit 65536
  !
  interface ethernet 23
   broadcast limit 131072
   multicast limit
  !

Syntax: show run interface

Use the show rate-limit unknown-unicast command to display the unknown unicast limit for each port region to which it applies. For example:

  FastIron#show rate-limit unknown-unicast
  Unknown Unicast Limit Settings:
  Port Region    Combined Limit    Packets/Bytes
  1 - 12         524288            Packets
  13 - 24        65536             Bytes

Syntax: show rate-limit unknown-unicast

Use the show rate-limit broadcast command to display the broadcast limit or broadcast and multicast limit for each port to which it applies. For example:

  FastIron#show rate-limit broadcast
  Broadcast/Multicast Limit Settings:
  Port    Limit      Packets/Bytes    Packet Type(s)
  4       1245184    Bytes            Broadcast + Multicast
  5       1245184    Bytes            Broadcast + Multicast
  14      65536      Packets          Broadcast only
  23      131072     Packets          Broadcast + Multicast

Syntax: show rate-limit broadcast

Configuring CLI Banners

Foundry devices can be configured to display a greeting message on users' terminals when they enter the Privileged EXEC CLI level or access the device through Telnet.
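The following Python script is an added example and is not code from the Foundry guide. It implements the rounding rule the guide documents for the <num> parameter (0 disables limiting, any other value is rounded up to the next multiple of 65536, maximum 2147418112) and parses a constructed sample of show run interface output, modelled on the listing above, to report ports that carry no broadcast or unknown-unicast limit at all. The sample stanza for ethernet 24 and the rejection of out-of-range values are assumptions of this example, not behaviour taken from the guide.

```python
"""Audit FastIron broadcast, multicast and unknown-unicast limits.

Added example; this is not code from the Foundry guide. It implements the
rounding rule the guide documents for <num> (0 disables, otherwise rounded
up to the next multiple of 65536, maximum 2147418112) and parses
constructed 'show run interface' output, modelled on the guide's sample,
to report ports that carry no storm limit at all.
"""
import re

STEP = 65536
MAX_LIMIT = 2147418112          # documented maximum (32767 * 65536)

# Constructed sample in the format of 'show run interface'; ethernet 24
# is added here as a port with no limit configured.
SAMPLE_SHOW_RUN = """\
interface ethernet 4
 broadcast limit 1245184 bytes
 multicast limit
!
interface ethernet 5
 broadcast limit 1245184 bytes
 multicast limit
!
interface ethernet 12
 unknown-unicast limit 524288
!
interface ethernet 13
 unknown-unicast limit 65536 bytes
!
interface ethernet 14
 broadcast limit 65536
!
interface ethernet 23
 broadcast limit 131072
 multicast limit
!
interface ethernet 24
 port-name uplink-to-core
!
"""

LIMIT_RE = re.compile(r"^\s*(broadcast|unknown-unicast) limit (\d+)( bytes)?\s*$")
INTF_RE = re.compile(r"^interface ethernet (\S+)\s*$")


def normalize_limit(num: int) -> int:
    """Return the value the switch programs for 'broadcast limit <num>'.

    Mirrors the documented behaviour: 0 disables limiting; any other value
    is rounded up to the next multiple of 65536. Values above the maximum
    are rejected here (an assumption) rather than silently clamped.
    """
    if not 0 <= num <= MAX_LIMIT:
        raise ValueError(f"limit {num} outside 0..{MAX_LIMIT}")
    if num == 0:
        return 0
    return -(-num // STEP) * STEP      # ceiling division, then scale back


def parse_limits(show_run: str) -> dict:
    """Map each 'interface ethernet' stanza to its configured limits.

    Each entry holds 'broadcast' and 'unknown-unicast' as (value, unit) or
    None, and 'multicast' as a flag (multicast rides on the broadcast limit).
    """
    limits, current = {}, None
    for line in show_run.splitlines():
        m = INTF_RE.match(line)
        if m:
            current = m.group(1)
            limits[current] = {"broadcast": None, "multicast": False,
                               "unknown-unicast": None}
            continue
        if current is None:
            continue
        m = LIMIT_RE.match(line)
        if m:
            unit = "bytes" if m.group(3) else "packets"
            limits[current][m.group(1)] = (int(m.group(2)), unit)
        elif line.strip() == "multicast limit":
            limits[current]["multicast"] = True
    return limits


def unprotected_ports(limits: dict) -> list:
    """Ports with neither a broadcast nor an unknown-unicast limit."""
    def key(port):                    # sort '0/1/10' after '0/1/9'
        return tuple(int(x) for x in port.split("/"))
    return sorted((p for p, l in limits.items()
                   if l["broadcast"] is None and l["unknown-unicast"] is None),
                  key=key)


if __name__ == "__main__":
    table = parse_limits(SAMPLE_SHOW_RUN)
    for port, cfg in table.items():
        print(port, cfg)
    print("no storm limit on ports:", unprotected_ports(table))
    print("100000 becomes", normalize_limit(100000))   # 131072
```

Running the script against the captured output of show run interface from a real device (instead of the constructed sample) lists the ports where a broadcast storm would still be unbounded, which is the check an operator wants after configuring limits on a range of ports.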
In addition, a Foundry device can display a message on the Console when an incoming Telnet CLI session is detected.

Setting a Message of the Day Banner

You can configure the Foundry device to display a message on a user's terminal when he or she establishes a Telnet CLI session. For example, to display the message "Welcome to FESX!" when a Telnet CLI session is established:

  FastIron(config)#banner motd $ (Press Return)
  Enter TEXT message, End with the character '$'.
  Welcome to FESX!
  $

A delimiting character is established on the first line of the banner motd command. You begin and end the message with this delimiting character. The delimiting character can be any character except " (double-quotation mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner.

FastIron X Series devices running software release FSX 04.2.00 or later support banner text of up to 4000 characters long, which can consist of multiple lines. FGS, FLS, FGS-STK, FLS-STK, and FWS devices also support up to 4000 characters. FastIron X Series devices running a software release prior to FSX 04.2.00 support up to 2048 characters, which can consist of multiple lines.

Syntax: [no] banner <delimiting-character> | banner motd <delimiting-character>

To remove the banner, enter the no banner motd command.

NOTE: The banner <delimiting-character> command is equivalent to the banner motd <delimiting-character> command.

When you access the Web management interface, the banner is displayed.

Requiring Users to Press the Enter Key after the Message of the Day Banner

In releases prior to 03.0.01a for FastIron X Series devices, users were required to press the Enter key after the Message of the Day (MOTD) was displayed, prior to logging in to the Foundry device on a console or via a Telnet session. Beginning with release 03.0.01a, this requirement is disabled by default.
Unless configured, users do not have to press Enter after the MOTD banner is displayed. For example, if the MOTD "Authorized Access Only" is configured, by default, the following messages are displayed when a user accesses the Foundry device via Telnet:

  Authorized Access Only ...
  Username:

The user can then log in to the device.

However, if the requirement to press the Enter key is enabled, the following messages are displayed when accessing the switch via Telnet:

  Authorized Access Only ...
  Press <Enter> to accept and continue the login process....

The user must press the Enter key before the login prompt is displayed.

Also, on the console, the following messages are displayed if the requirement to press the Enter key is disabled:

  Press Enter key to login
  Authorized Access Only ...
  User Access Verification
  Please Enter Login Name:

However, if the requirement to press the Enter key after a MOTD is enabled, the following messages are displayed when accessing the switch on the console:

  Press Enter key to login
  Authorized Access Only ...
  Press <Enter> to accept and continue the login process....

The user must press the Enter key to continue to the login prompt.

To enable the requirement to press the Enter key after the MOTD is displayed, enter a command such as the following:

  FastIron(config)#banner motd require-enter-key

Syntax: [no] banner motd require-enter-key

Use the no form of the command to disable the requirement.

Setting a Privileged EXEC CLI Level Banner

You can configure the Foundry device to display a message when a user enters the Privileged EXEC CLI level. For example:

  FastIron(config)#banner exec_mode #(Press Return)
  Enter TEXT message, End with the character '#'.
  You are entering Privileged EXEC level
  Don't foul anything up!
  #

As with the banner motd command, you begin and end the message with a delimiting character; in this example, the delimiting character is # (pound sign). The delimiting character can be any character except " (double-quotation mark) and cannot appear in the banner text. The text in between the pound signs is the contents of the banner.

FastIron X Series devices running software release FSX 04.2.00 or later support banner text of up to 4000 characters, which can consist of multiple lines. FGS/FLS devices, as well as FastIron X Series devices running a software release prior to FSX 04.2.00, support up to 2048 characters, which can consist of multiple lines.

Syntax: [no] banner exec_mode <delimiting-character>

To remove the banner, enter the no banner exec_mode command.

Displaying a Console Message when an Incoming Telnet Session Is Detected

You can configure the Foundry device to display a message on the Console when a user establishes a Telnet session. This message indicates where the user is connecting from and displays a configurable text message. For example:

  FastIron(config)#banner incoming $ (Press Return)
  Enter TEXT message, End with the character '$'.
  Incoming Telnet Session!!
  $

When a user connects to the CLI using Telnet, the following message appears on the Console:

  Telnet from 209.157.22.63
  Incoming Telnet Session!!

As with the banner motd command, you begin and end the message with a delimiting character; in this example, the delimiting character is $ (dollar sign). The delimiting character can be any character except " (double-quotation mark) and cannot appear in the banner text. The text in between the dollar signs is the contents of the banner.

FastIron X Series devices running software release FSX 04.2.00 or later support banner text of up to 4000 characters, which can consist of multiple lines. FGS/FLS devices, as well as FastIron X Series devices running a software release prior to FSX 04.2.00, support up to 2048 characters, which can consist of multiple lines.

Syntax: [no] banner incoming <delimiting-character>

To remove the banner, enter the no banner incoming command.

Configuring Basic Port Parameters

The procedures in this section describe how to configure the port parameters shown in Table 5.4.

Table 5.4: Basic Port Parameters

  Port Parameter                                                      See Page
  Name                                                                5-18
  Speed                                                               5-19
  Auto-negotiation maximum port speed advertisement and down-shift    5-19
  Duplex mode                                                         5-22
  MDI/MDIX detection                                                  5-22
  Port status (enable or disable)                                     5-23
  Flow control                                                        5-24
  Auto-negotiation and advertisement of flow control                  5-24
  Configuring PHY FIFO Rx and TX Depth                                5-26
  Interpacket Gap (IPG)                                               5-27
  Gigabit fiber negotiate mode                                        5-30
  QoS priority                                                        5-31
  Dynamic configuration of Voice over IP (VoIP) phones                5-31
  Port flap dampening                                                 5-32

All Foundry ports are pre-configured with default values that allow the device to be fully operational at initial startup without any additional configuration. However, in some cases, changes to the port parameters may be necessary to adjust to attached devices or other network requirements.

Assigning a Port Name

A port name can be assigned to help identify interfaces on the network. You can assign a port name to physical ports, virtual interfaces, and loopback interfaces.

To assign a name to a port:

  FastIron(config)#interface e 2
  FastIron(config-if-e1000-2)#port-name Marsha

Syntax: port-name <text>

The <text> parameter is an alphanumeric string. The name can be up to 64 characters long. The name can contain blanks. You do not need to use quotation marks around the string, even when it contains blanks.
Modifying Port Speed and Duplex Mode

The Gigabit Ethernet copper ports on the Foundry device are designed to auto-sense and auto-negotiate the speed and duplex mode of the connected device. If the attached device does not support this operation, you can manually enter the port speed to operate at either 10, 100, or 1000 Mbps. The default and recommended setting is 10/100/1000 auto-sense.

NOTE: You can modify the port speed of copper ports only. This feature does not apply to fiber ports.

For optimal link operation, link ports on devices that do not support 802.3u must be configured with like parameters, such as speed (10,100,1000), duplex (half, full), MDI/MDIX, and Flow Control.

Configuration Syntax

The following commands change the port speed of interface 8 from the default of 10/100/1000 auto-sense to 100 Mbps operating in full-duplex mode.

  FastIron(config)#interface e 8
  FastIron(config-if-e1000-8)#speed-duplex 100-full

Syntax: speed-duplex <value>

where <value> can be one of the following:
• 10-full
• 10-half
• 100-full
• 100-half
• 1000-full-master
• 1000-full-slave
• auto

The default is auto (auto-negotiation). Use the no form of the command to restore the default.

NOTE: When setting the speed and duplex-mode of an interface to 1000-full, configure one side of the link as master (1000-full-master) and the other side as slave (1000-full-slave).

NOTE: For optimal link operation, link ports on devices that do not support 802.3u must be configured with like parameters, such as speed (10,100,1000), duplex (half, full), MDI/MDIX, and Flow Control.
Enabling Auto-Negotiation Maximum Port Speed Advertisement and Down-Shift

Platform Support:
• FastIron X Series devices running software release 2.3.01 and later
• FGS and FLS devices running software release 02.5.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

NOTE: For optimal link operation, link ports on devices that do not support 802.3u must be configured with like parameters, such as speed (10,100,1000), duplex (half, full), MDI/MDIX, and Flow Control.

Maximum port speed advertisement and port speed down-shift are enhancements to the auto-negotiation feature, a mechanism for accommodating multi-speed network devices by automatically configuring the highest performance mode of inter-operation between two connected devices.
• Port speed down-shift enables Gigabit copper ports on the Foundry device to establish a link at 1000 Mbps over a 4-pair wire when possible, or to down-shift to 100 Mbps if the medium is a 2-pair wire.
• Maximum port speed advertisement enables you to configure an auto-negotiation maximum speed that Gigabit copper ports on the Foundry device will advertise to the connected device. You can configure a port to advertise a maximum speed of either 100 Mbps or 10 Mbps. When the maximum port speed advertisement feature is configured on a port that is operating at 100 Mbps maximum speed, the port will advertise 10/100 Mbps capability to the connected device. Similarly, if a port is configured at 10 Mbps maximum speed, the port will advertise 10 Mbps capability to the connected device.

The port speed down-shift and maximum port speed advertisement features operate dynamically at the physical link layer between two connected network devices. They examine the cabling conditions and the physical capabilities of the remote link, then configure the speed of the link segment according to the highest physical-layer technology that both devices can accommodate.

The port speed down-shift and maximum port speed advertisement features operate dynamically at the physical link layer, independent of logical trunk group configurations. Although Foundry recommends that you use the same cable types and auto-negotiation configuration on all members of a trunk group, you could utilize the auto-negotiation features conducive to your cabling environment. For example, in certain circumstances, you could configure each port in a trunk group to have its own auto-negotiation maximum port speed advertisement or port speed down-shift configuration.

Application Notes
• Port speed down-shift and maximum port speed advertisement work only when auto-negotiation is enabled (CLI command speed-duplex auto). If auto-negotiation is OFF, the device will reject the port speed down-shift and maximum port speed advertisement configuration.
• When port speed down-shift or maximum port speed advertisement is enabled on a port, the device will reject any configuration attempts to set the port to a forced speed mode (100 Mbps or 1000 Mbps).
• When the port speed down-shift feature is enabled on a combo port, the port will not support true media automatic detection, meaning the device will not be able to detect and select the fiber or copper connector based on link availability.
Enabling Port Speed Down-Shift

Platform Support:
• FastIron X Series devices running software release 04.0.00 and later
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

To enable port speed down-shift on a port that has auto-negotiation enabled, enter a command such as the following at the Global CONFIG level of the CLI:

  FastIron(config)#link-config gig copper autoneg-control down-shift e 1 e 2

The above command configures Gigabit copper ports 1 and 2 to establish a link at 1000 Mbps over a 4-pair wire when possible, or to down-shift (reduce the speed) to 100 Mbps when the medium is a 2-pair wire.

Syntax: [no] link-config gig copper autoneg-control down-shift ethernet [<stack-unit>/<slotnum>/]<portnum> [ethernet [<stack-unit>/<slotnum>/]<portnum>]

The <stack-unit> parameter is required on FastIron GS and LS devices running software release 02.5.00 or later, and FastIron GS-STK and FastIron LS-STK devices running software release 05.0.00 and later.

The <slotnum> parameter is required on chassis devices and on FastIron GS devices running software release 02.5.00 or later.

The <portnum> parameter is a valid port number. You can enable port speed down-shift on one or two ports at a time.

To disable port speed down-shift after it has been enabled, enter the no form of the command.

Configuring Port Speed Down-Shift and Auto-Negotiation for a Range of Ports

Port speed down-shift and auto-negotiation can be configured for an entire range of ports with a single command.
For example, to configure down-shift on ports 0/1/1 to 0/1/10 and 0/1/15 to 0/1/20 on the device, enter:

  FastIron(config)#link-config gig copper autoneg-control down-shift ethe 0/1/1 to 0/1/10 ethe 0/1/15 to 0/1/20

To configure down-shift on ports 5 to 13 and 17 to 19 on the FESX, enter:

  FastIron(config)#link-config gig copper autoneg-control down-shift ethe 5 to 13 ethe 17 to 19

Syntax: [no] link-config gig copper autoneg-control [down-shift | 100m-auto | 10m-auto] <port-list>

The <port-list> is the list of ports to which the command will be applied. For <port-list>, specify the ports in one of the following formats:
• FastIron GS and LS, FastIron GS-STK and LS-STK, and FastIron WS compact switches – <stack-unit/slotnum/portnum>
• FastIron chassis devices – <slotnum/portnum>
• FESX and FWSX compact switches – <portnum>

You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.

The output from the show run command for this configuration will resemble the following:

  FastIron#show run
  Current configuration:
  !
  ver 04.0.00b64T7el
  !
  module 1 fgs-48-port-management-module
  module 2 fgs-cx4-2-port-10g-module
  !
  link-config gig copper autoneg-control down-shift ethe 0/1/1 to 0/1/10 ethe 0/1/15 to 0/1/20
  !
  !
  ip address 10.44.9.11 255.255.255.0
  ip default-gateway 10.44.9.1
  !
  end

To disable selective auto-negotiation of 100m-auto on ports 0/1/21 to 0/1/25 and 0/1/30, enter:

  FastIron(config)#no link-config gig copper autoneg-control 100m-auto ethe 0/1/21 to 0/1/25 ethe 0/1/30

NOTE: This feature works with Layer 2 and Layer 3 images.
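The following Python script is an added example, not code from the Foundry guide. It expands the <port-list> notation used by the link-config gig copper autoneg-control command (individual ports, to ranges, and the keyword all) in both the <portnum> and <stack-unit>/<slotnum>/<portnum> forms, then applies the application note from the previous section that the device rejects down-shift on a port whose auto-negotiation is off. The port inventory, the assumption that a to range stays within one stack unit and slot, and the plan_downshift helper are constructions of this example.

```python
"""Expand a FastIron <port-list> and pre-check a down-shift request.

Added example; this is not code from the Foundry guide. It expands the
<port-list> notation accepted by 'link-config gig copper autoneg-control'
(individual ports, 'to' ranges, the keyword 'all') in both the <portnum>
and <stack-unit>/<slotnum>/<portnum> forms, then applies the guide's
application note that the device rejects down-shift on a port whose
auto-negotiation is off. The port inventory and the rule that a 'to' range
must stay within one stack unit and slot are assumptions of this example.
"""
import re

PORT_RE = re.compile(r"^\d+(?:/\d+){0,2}$")   # 5, 7/1 or 0/1/21
PORT_KEYWORDS = ("ethe", "ethernet", "e")

# Constructed inventory: port -> configured speed-duplex value.
INVENTORY = {
    "0/1/1": "auto", "0/1/2": "auto", "0/1/3": "100-full",
    "0/1/4": "auto", "0/1/5": "auto",
}


def _split(port: str) -> tuple:
    return tuple(int(x) for x in port.split("/"))


def _join(parts: tuple) -> str:
    return "/".join(str(x) for x in parts)


def expand_port_list(port_list: str, all_ports) -> list:
    """Turn 'ethe 0/1/1 to 0/1/10 ethe 0/1/15 to 0/1/20' into single ports.

    'all' expands to every port in all_ports. A range counts up the last
    index only; both ends must share the same unit/slot prefix.
    """
    tokens = port_list.split()
    if tokens == ["all"]:
        return list(all_ports)
    ports, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in PORT_KEYWORDS:
            i += 1
            continue
        if not PORT_RE.match(tok):
            raise ValueError(f"bad port {tok!r}")
        start = _split(tok)
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = _split(tokens[i + 2])
            if start[:-1] != end[:-1] or end[-1] < start[-1]:
                raise ValueError(f"bad range {tok} to {tokens[i + 2]}")
            ports.extend(_join(start[:-1] + (n,))
                         for n in range(start[-1], end[-1] + 1))
            i += 3
        else:
            ports.append(tok)
            i += 1
    return ports


def plan_downshift(port_list: str, inventory=None) -> tuple:
    """Return (accepted, rejected) for a down-shift request.

    Per the guide, down-shift (and maximum speed advertisement) only work
    with 'speed-duplex auto'; the device rejects the configuration
    otherwise, so such ports are reported instead of being changed.
    """
    inventory = INVENTORY if inventory is None else inventory
    accepted, rejected = [], []
    for port in expand_port_list(port_list, inventory):
        if port not in inventory:
            rejected.append((port, "no such port"))
        elif inventory[port] != "auto":
            rejected.append((port, f"auto-negotiation off ({inventory[port]})"))
        else:
            accepted.append(port)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_downshift("ethe 0/1/1 to 0/1/4 ethe 0/1/9")
    print("link-config gig copper autoneg-control down-shift ethe",
          " ethe ".join(ok))
    for port, why in bad:
        print(f"skipped {port}: {why}")
```

The pre-check matters because the device rejects the whole command when a listed port is forced to a fixed speed; expanding the list first lets a change script emit one command for the eligible ports and report the rest, instead of discovering the rejection interactively.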
Configuring Maximum Port Speed Advertisement

To configure a maximum port speed advertisement of 10 Mbps on a port that has auto-negotiation enabled, enter a command such as the following at the Global CONFIG level of the CLI:

  FastIron(config)#link-config gig copper autoneg-control 10m e 1

To configure a maximum port speed advertisement of 100 Mbps on a port that has auto-negotiation enabled, enter the following command at the Global CONFIG level of the CLI:

  FastIron(config)#link-config gig copper autoneg-control 100m e 2

Syntax: [no] link-config gig copper autoneg-control 10m | 100m ethernet [<stack-unit>/<slotnum>/]<portnum> [ethernet [<stack-unit>/<slotnum>/]<portnum>]

The <stack-unit> parameter is required on FastIron GS and LS devices running software release 02.5.00 or later, and FastIron GS-STK and FastIron LS-STK devices running software release 05.0.00 and later.

The <slotnum> parameter is required on chassis devices and on FastIron GS devices running software release 02.5.00 or later.

The <portnum> parameter is a valid port number. You can enable maximum port speed advertisement on one or two ports at a time.

To disable maximum port speed advertisement after it has been enabled, enter the no form of the command.

Modifying Port Duplex Mode

You can manually configure a 10/100 Mbps port to accept either full-duplex (bi-directional) or half-duplex (unidirectional) traffic.

NOTE: You can modify the port duplex mode of copper ports only. This feature does not apply to fiber ports.

Port duplex mode and port speed are modified by the same command.
Configuration Syntax

To change the port speed of interface 8 from the default of 10/100/1000 auto-sense to 10 Mbps operating at full-duplex, enter the following:

  FastIron(config)#interface e 8
  FastIron(config-if-e1000-8)#speed-duplex 10-full

Syntax: speed-duplex <value>

The <value> can be one of the following:
• 10-full
• 10-half
• 100-full
• 100-half
• auto (default)

Configuring MDI/MDIX

The Foundry FastIron devices support automatic Media Dependent Interface (MDI) and Media Dependent Interface Crossover (MDIX) detection on all Gigabit Ethernet Copper ports.

MDI/MDIX is a type of Ethernet port connection using twisted pair cabling. The standard wiring for end stations is MDI, whereas the standard wiring for hubs and switches is MDIX. MDI ports connect to MDIX ports using straight-through twisted pair cabling. For example, an end station connected to a hub or a switch uses a straight-through cable. MDI-to-MDI and MDIX-to-MDIX connections use crossover twisted pair cabling. So, two end stations connected to each other, or two hubs or switches connected to each other, use crossover cable.

The auto MDI/MDIX detection feature can automatically correct errors in cable selection, making the distinction between a straight-through cable and a crossover cable insignificant.

Configuration Notes
• This feature applies to copper ports only.
• The mdi-mdix auto command works only when auto-negotiation is ON. If auto-negotiation is OFF and you enter the command mdi-mdix auto, the device automatically resets the port to an MDIX only port. In this case, although the Foundry device does not apply the mdi-mdix auto configuration, it accepts and saves it. Consequently, when auto-negotiation is turned back ON, the Foundry device applies the mdi-mdix auto configuration.
• The mdi-mdix mdi and mdi-mdix mdix commands work independently of auto-negotiation. Thus, these commands work whether auto-negotiation is turned ON or OFF.
• Do not use the mdi-mdix commands on ports that are manually configured with a speed/duplex of 100-full. In this case, make sure the other port (remote end of the connection) is also configured to 100-full and a cross-over cable is used if the connected device is another switch, hub, or router, or a straight-through cable if the connected device is a host NIC.

Configuration Syntax

The auto MDI/MDIX detection feature is enabled on all Gigabit copper ports by default. For each port, you can disable auto MDI/MDIX, designate the port as an MDI port, or designate the port as an MDIX port.

To turn off automatic MDI/MDIX detection and define a port as an MDI only port:

  FastIron(config-if-e1000-2)#mdi-mdix mdi

To turn off automatic MDI/MDIX detection and define a port as an MDIX only port:

  FastIron(config-if-e1000-2)#mdi-mdix mdix

To turn on automatic MDI/MDIX detection on a port that was previously set as an MDI or MDIX port:

  FastIron(config-if-e1000-2)#mdi-mdix auto

Syntax: mdi-mdix <mdi | mdix | auto>

After you enter the mdi-mdix command, the Foundry device resets the port and applies the change.

To display the MDI/MDIX settings, including the configured value and the actual resolved setting (for mdi-mdix auto), enter the command show interface at any level of the CLI.

Disabling or Re-Enabling a Port

A port can be made inactive (disable) or active (enable) by selecting the appropriate status option. The default value for a port is enabled.

To disable port 8 of a Foundry device, enter the following:

  FastIron(config)#interface e 8
  FastIron(config-if-e1000-8)#disable

Syntax: disable

You also can disable or re-enable a virtual interface. To do so, enter commands such as the following:

  FastIron(config)#interface ve v1
  FastIron(config-vif-1)#disable

Syntax: disable
To re-enable a virtual interface, enter the enable command at the Interface configuration level. For example, to re-enable virtual interface v1, enter the following command:

  FastIron(config-vif-1)#enable

Syntax: enable

Disabling or Re-Enabling Flow Control

You can configure full-duplex ports on a system to operate with or without flow control (802.3x). Flow control is enabled by default.

To disable flow control on full-duplex ports on a system, enter the following:

  FastIron(config)#no flow-control

To turn the feature back on:

  FastIron(config)#flow-control

Syntax: [no] flow-control

NOTE: For optimal link operation, link ports on devices that do not support 802.3u must be configured with like parameters, such as speed (10,100,1000), duplex (half, full), MDI/MDIX, and Flow Control.

Auto-Negotiation and Advertisement of Flow Control

Platform Support:
• FastIron X Series devices running software release 03.2.00 and later
• FGS and FLS devices running software release 03.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

Auto-negotiation of flow control can be enabled and advertised for 10/100/1000M ports.
To enable and advertise flow control capability, enter the following commands:

  FastIron(config)#interface ethernet 0/1/21
  FastIron(config-if-e1000-0/1/21)#flow-control

To also enable auto-negotiation of flow control, enter the following commands:

  FastIron(config)#interface ethernet 0/1/21
  FastIron(config-if-e1000-0/1/21)#flow-control neg-on

Syntax: [no] flow-control [neg-on]
• flow-control (default) – Enable flow control, advertise flow control and disable negotiation of flow control
• flow-control neg-on – Advertise flow control and enable negotiation of flow control
• no flow-control – Disable flow control, disable advertising flow control and also disable negotiation of flow control

Commands may be entered in IF (single port) or MIF (multiple ports at once) mode. For example, enter:

  FastIron(config)#interface ethernet 0/1/21
  FastIron(config-if-e1000-0/1/21)#flow-control

This command enables flow-control on port 0/1/21.

  FastIron(config)#interface e 0/1/11 to 0/1/15
  FastIron(config-mif-0/1/11-0/1/15)#flow-control

This command enables flow-control on ports 0/1/11 to 0/1/15.

Displaying Flow-Control Status

The show interface <port> command displays configuration, operation, and negotiation status where applicable.
For example, on a device running the FGS software release 03.0.00 and later, issuing the command for 10/100/1000M port 0/1/21 displays the following output:

  FastIron#show interfaces ethernet 0/1/21
  GigabitEthernet0/1/21 is up, line protocol is up
    Hardware is GigabitEthernet, address is 00e0.5204.4014 (bia 00e0.5204.4014)
    Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
    Configured mdi mode AUTO, actual MDIX
    Member of L2 VLAN ID 1, port is untagged, port state is LISTENING
    BPDU Guard is disabled, Root Protect is disabled
    STP configured to ON, priority is level0
    Flow Control is config enabled, oper enabled, negotiation disabled
    Mirror disabled, Monitor disabled
    Not member of any active trunks
    Not member of any configured trunks
    No port name
    Inter-Packet Gap (IPG) is 96 bit times
    300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
    300 second output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 multicasts, 0 unicasts
    0 input errors, 0 CRC, 0 frame, 0 ignored
    0 runts, 0 giants
    5 packets output, 320 bytes, 0 underruns
    Transmitted 0 broadcasts, 5 multicasts, 0 unicasts
    0 output errors, 0 collisions

Issuing the command on a device running the FSX software release 03.2.00 and later displays the following output:

  FastIron#show interface ethernet 18/1
  GigabitEthernet18/1 is up, line protocol is up
    Hardware is GigabitEthernet, address is 0012.f228.0600 (bia 0012.f228.0798)
    Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
    Configured mdi mode AUTO, actual MDIX
    Member of 4 L2 VLANs, port is tagged, port state is FORWARDING
    BPDU guard is Disabled, ROOT protect is Disabled
    Link Error Dampening is Disabled
    STP configured to ON, priority is level0, flow control enabled
    Flow Control is config enabled, oper enabled, negotiation disabled
    mirror disabled, monitor disabled
    Not member of any active trunks
    Not member of any configured trunks
    No port name
    IPG MII 96 bits-time, IPG GMII 96 bits-time
    IP MTU 1500 bytes, encapsulation ethernet
    300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
    300 second output rate: 848 bits/sec, 0 packets/sec, 0.00% utilization
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 multicasts, 0 unicasts
    0 input errors, 0 CRC, 0 frame, 0 ignored
    0 runts, 0 giants
    10251 packets output, 1526444 bytes, 0 underruns
    Transmitted 1929 broadcasts, 8293 multicasts, 29 unicasts
    0 output errors, 0 collisions

The Flow Control line of the output will resemble one of the following, depending on the configuration:
• If flow control and auto-negotiation are enabled (and a neighbor does not negotiate flow control), the display shows: Flow Control is config enabled, oper disabled, negotiation enabled
• If flow control is enabled, and auto-negotiation is disabled, the output shows: Flow Control is config enabled, oper enabled, negotiation disabled
• If flow control is disabled, the display shows: Flow Control is config disabled, oper disabled

NOTE: For 10 Gigabit ports, the display shows Flow Control is enabled, or Flow Control is disabled, depending on the configuration.

NOTE: Auto-negotiation of flow control is not supported on 10 Gigabit ports and copper/fiber combination ports.

NOTE: When any of the commands are applied to a port that is up, the port will be disabled and re-enabled.

NOTE: When flow-control is enabled, the hardware can only advertise Pause. It does not advertise Asym.

Configuring PHY FIFO Rx and Tx Depth

Platform Support:
• FGS and FLS devices running software release 03.1.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

FGS Release 03.1.00 adds a new command to increase the FIFO (First In, First Out) depth to adjust for clock differences between connecting devices, if necessary.
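The following Python script is an added example, not code from the Foundry guide. It parses show interface output and classifies the Flow Control line into the three forms listed above, and also reports Gigabit ports configured for auto that linked below 1 Gbit, which is where a down-shift to 2-pair cabling or a 10/100 partner becomes visible. The sample output is constructed from the two listings above, trimmed to the lines the parser uses; port 18/1 is given the negotiation-enabled form and a third port, 18/2, with flow control disabled is added, so that each documented case appears once.

```python
"""Parse 'show interface' output and classify the flow-control line.

Added example; this is not code from the Foundry guide. The sample output
below is constructed from the guide's two 'show interface' listings
(trimmed, with 18/1 changed to the negotiation-enabled case) plus one
extra port with flow control disabled. The parser extracts configured vs
actual speed/duplex and the flow-control fields, maps the flow-control
line to the three forms the guide lists, and reports Gigabit ports that
auto-negotiated below 1 Gbit.
"""
import re

SAMPLE = """\
GigabitEthernet0/1/21 is up, line protocol is up
  Hardware is GigabitEthernet, address is 00e0.5204.4014 (bia 00e0.5204.4014)
  Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDIX
  Flow Control is config enabled, oper enabled, negotiation disabled
GigabitEthernet18/1 is up, line protocol is up
  Hardware is GigabitEthernet, address is 0012.f228.0600 (bia 0012.f228.0798)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDIX
  Flow Control is config enabled, oper disabled, negotiation enabled
GigabitEthernet18/2 is up, line protocol is up
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Flow Control is config disabled, oper disabled
"""

HEADER_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
SPEED_RE = re.compile(r"Configured speed (\S+), actual (\S+), "
                      r"configured duplex (\S+), actual (\S+)")
FC_RE = re.compile(r"Flow Control is config (\w+), oper (\w+)"
                   r"(?:, negotiation (\w+))?")


def parse_show_interface(text: str) -> dict:
    """Return {port_name: fields} for every interface block in the output."""
    ports, cur = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)          # unindented 'X is up, ...' line
        if m:
            cur = {"link": m.group(2), "protocol": m.group(3)}
            ports[m.group(1)] = cur
            continue
        if cur is None:
            continue
        m = SPEED_RE.search(line)
        if m:
            cur.update(cfg_speed=m.group(1), act_speed=m.group(2),
                       cfg_duplex=m.group(3), act_duplex=m.group(4))
            continue
        m = FC_RE.search(line)
        if m:
            cur.update(fc_config=m.group(1), fc_oper=m.group(2),
                       fc_neg=m.group(3))          # None when not shown
    return ports


def flow_control_state(port: dict) -> str:
    """Label the flow-control line using the cases the guide enumerates."""
    if port.get("fc_config") != "enabled":
        return "disabled"
    if port.get("fc_neg") == "enabled":
        # Negotiation on: oper tells whether the neighbour negotiated it
        if port["fc_oper"] == "enabled":
            return "negotiated on"
        return "negotiation enabled, neighbour did not negotiate"
    return "forced on, no negotiation"


def below_gigabit(ports: dict) -> list:
    """Gigabit ports set to auto whose link came up slower than 1 Gbit."""
    return sorted(name for name, p in ports.items()
                  if name.startswith("GigabitEthernet")
                  and p.get("cfg_speed") == "auto"
                  and p.get("act_speed") not in (None, "1Gbit"))


if __name__ == "__main__":
    table = parse_show_interface(SAMPLE)
    for name, p in table.items():
        print(f"{name}: {p['act_speed']} {p['act_duplex']}, "
              f"flow control {flow_control_state(p)}")
    print("below 1 Gbit:", below_gigabit(table))
```

Feeding the script the saved output of show interface for all ports gives a quick consistency check after changing speed-duplex, flow-control or down-shift settings: a port reported as "negotiation enabled, neighbour did not negotiate" has flow control configured but not in effect, and a port in the below-1-Gbit list is worth a cabling check before it is blamed on the partner.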
PHY devices on FGS, FWS, and FLS and FGS-STK and FLS-STK models contain transmit and receive synchronizing FIFOs to adjust for frequency differences between clocks. The phy-fifo-depth command allows you to configure the depth of the transmit and receive FIFOs. There are 4 settings (0-3) with 0 as the default. A higher setting indicates a deeper FIFO.

The default setting works for most connections. However, if the clock differences are greater than the default will handle, CRCs and errors will begin to appear on the ports. Raising the FIFO depth setting will adjust for clock differences.

Foundry recommends that you disable the port before applying this command, and re-enable the port. Applying the command while traffic is flowing through the port can cause CRC and other errors for any packets that are actually passing through the PHY while the command is being applied.

Syntax: [no] phy-fifo-depth <setting>
• <setting> is a value between 0 and 3. (0 is the default.)

This command can be issued for a single port from the IF config mode or for multiple ports from the MIF config mode.

NOTE: Higher settings give better tolerance for clock differences with the partner phy, but may marginally increase latency as well.

Configuring the Interpacket Gap (IPG)

Platform Support:
• FastIron X Series devices running software release 03.0.00 and later
• FGS and FLS devices running software release 03.0.00 and later (see "Configuring IPG on a FastIron GS, FastIron WS, and FastIron LS, and FastIron GS-STK and FastIron LS-STK" on page 5-28)
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

IPG is the time delay, in bit time, between frames transmitted by the device. You configure IPG at the interface level. The command you use depends on the interface type on which IPG is being configured.
The default interpacket gap is 96 bit times, which is 9.6 microseconds for 10 Mbps Ethernet, 960 nanoseconds for 100 Mbps Ethernet, 96 nanoseconds for 1 Gbps Ethernet, and 9.6 nanoseconds for 10 Gbps Ethernet.

Configuration Notes

When configuring IPG, note the following:

• IPG configuration commands are based on "port regions". All ports within the same port region should have the same IPG configuration. If a port region contains two or more ports, a change to the IPG configuration of one port is applied to all ports in the same port region. When you enter a value for IPG, the CLI displays the ports to which the IPG configuration is applied. For example:
FastIron(config-if-e1000-7/1)#ipg-gmii 120
IPG 120(112) has been successfully configured for ports 7/1 to 7/12
• When you enter a value for IPG, the device applies the closest valid IPG value for the port mode to the interface. For example, if you specify 120 for a Gigabit Ethernet port in 1 Gigabit mode, the device assigns 112 as the closest valid IPG value to program into hardware. The value in parentheses in the CLI response is the value actually programmed.

Configuring IPG on a Gigabit Ethernet Port

On a Gigabit Ethernet port, you can configure IPG for 10/100 mode and for Gigabit Ethernet mode.

10/100M Mode

To configure IPG on a Gigabit Ethernet port for 10/100M mode, enter commands such as the following:
FastIron(config)#interface ethernet 7/1
FastIron(config-if-e1000-7/1)#ipg-mii 120
IPG 120(120) has been successfully configured for ports 7/1 to 7/12

Syntax: [no] ipg-mii <bit time>

Enter 12-124 for <bit time>. The default is 96 bit times.

1G Mode

To configure IPG on a Gigabit Ethernet port for 1-Gigabit Ethernet mode, enter commands such as the following:
FastIron(config)#interface ethernet 7/1
FastIron(config-if-e1000-7/1)#ipg-gmii 120
IPG 120(112) has been successfully configured for ports 7/1 to 7/12

Syntax: [no] ipg-gmii <bit time>

Enter 48-112 for <bit time>. The default is 96 bit times.
Configuring IPG on a 10-Gigabit Ethernet Interface

To configure IPG on a 10-Gigabit Ethernet interface, enter commands such as the following:
FastIron(config)#interface ethernet 9/1
FastIron(config-if-e10000-9/1)#ipg-xgmii 120
IPG 120(128) has been successfully configured for port 9/1

Syntax: [no] ipg-xgmii <bit time>

Enter 96-192 for <bit time>. The default is 96 bit times.

Configuring IPG on a FastIron GS, FastIron WS, and FastIron LS, and FastIron GS-STK and FastIron LS-STK

Platform Support:
• FGS and FLS devices running software release 03.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

On FGS, FWS, FLS, FGS-STK and FLS-STK devices, you can configure an IPG for each port. An IPG is a configurable time delay between successive data packets. You can configure an IPG in the range 48-120 bit times, in multiples of 8, with a default of 96. The IPG may be set from either the interface configuration level or the multiple interface level.

When an IPG is applied to a trunk group, it applies to all ports in the trunk group. When you create a new trunk group, the IPG setting on the primary port is automatically applied to the secondary ports.
Syntax: [no] ipg <value>

To configure an IPG of 112 on Ethernet interface 0/1/21, for example, enter the following commands:
FGS624P Switch(config)#interface ethernet 0/1/21
FGS624P Switch(config-if-e1000-0/1/21)#ipg 112

Or, at the multiple interface level, to configure an IPG of 104 for ports 0/1/11 and 0/1/14 through 0/1/17, enter the following commands:
FGS624P Switch(config)#interface ethernet 0/1/11 e 0/1/14 to 0/1/17
FGS624P Switch(config-mif-0/1/11,0/1/14-0/1/17)#ipg 104

As a result of the first configuration, the output of the show interfaces ethernet 0/1/21 command is:
FGS624P Switch#show interfaces ethernet 0/1/21
GigabitEthernet 0/1/21 is up, line protocol is up
Hardware is GigabitEthernet, address is 00e0.5204.4014 (bia 00e0.5204.4014)
Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDIX
Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
BPDU Guard is disabled, Root Protect is disabled
STP configured to ON, priority is level0
Flow Control is config enabled, oper enabled, negotiation disabled
Mirror disabled, Monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
Inter-Packet Gap (IPG) is 112 bit times
IP MTU 10222 bytes
300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 248 bits/sec, 0 packets/sec, 0.00% utilization
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 multicasts, 0 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
80 packets output, 5120 bytes, 0 underruns
Transmitted 0 broadcasts, 80 multicasts, 0 unicasts
0 output errors, 0 collisions

This feature is supported on 10/100/1000M ports.
Enabling and Disabling Support for 100BaseTX

Platform Support: FastIron X Series compact switches running software release 03.1.00 and later

You can configure a 1000Base-TX SFP (part number E1MG-TX) to operate at a speed of 100 Mbps. To do so, enter the following command at the Interface level of the CLI:
FastIron(config-if-e1000-11)#100-tx

After the link is up, it is in 100M/full-duplex mode, as shown in the following example:
FastIron SuperX Switch#show in b e 11
Port  Link  State    Dupl  Speed  Trunk  Tag  Priori   MAC             Name
11    Up    Forward  Full  100M   None   No   level10  0000.d213.c74b

The show media command displays the SFP transceiver as 1G M-TX.

Syntax: [no] 100-tx

To disable support, enter the no form of the command.

Configuration Notes

• This feature requires that autonegotiation be enabled on the other end of the link.
• Although combo ports (ports 1-4) on Hybrid Fiber (HF) models support the 1000Base-TX SFP, they cannot be configured to operate at 100 Mbps. The 100 Mbps operating speed is supported only on non-combo ports.
• 1000Base-TX modules must be configured individually, one interface at a time.
• 1000Base-TX modules do not support Digital Optical Monitoring.
• This module requires a Cat5 cable and uses an RJ45 connector.
• Hot swap is supported for this module when it is configured in 100M mode.

Enabling and Disabling Support for 100BaseFX

Some Foundry FastIron devices support 100BaseFX fiber transceivers. After you physically install a 100BaseFX transceiver, you must enter a CLI command to enable it.

NOTE: The CLI syntax for enabling and disabling 100BaseFX support on a Compact device differs from the syntax for a chassis device. Follow the appropriate instructions below.

Compact Device

This section shows how to enable 100BaseFX on a Compact device.
The Foundry device supports the following types of SFPs for 100BaseFX:
• Multimode SFP – maximum distance is 2 kilometers
• Bidirectional singlemode SFP – maximum distance is 10 kilometers
• Long Reach (LR) – maximum distance is 40 kilometers (introduced in software release FSX 03.1.00)
• Intermediate Reach (IR) – maximum distance is 15 kilometers (introduced in software release FSX 03.1.00)

NOTE: Connect the 100BaseFX fiber transceiver after configuring both sides of the link. Otherwise, the link could become unstable, fluctuating between up and down states.

To enable 100BaseFX on a fiber port, enter the following command at the Global CONFIG level of the CLI:
FastIron(config)#link-config gig fiber 100base-fx e 4

The above command enables 100BaseFX on port 4. The following command enables 100BaseFX on ports 3 and 4:
FastIron(config)#link-config gig fiber 100base-fx e 3 e 4

Syntax: [no] link-config gig fiber 100base-fx ethernet [<stacknum>/<slotnum>/]<portnum> [ethernet [<stacknum>/<slotnum>/]<portnum>]

The <stacknum> parameter is required on FastIron GS and LS devices running software release 02.5.00 or later, and on FastIron GS-STK and FastIron LS-STK devices running software release 05.0.00 and later.

The <slotnum> parameter is required on chassis devices and on FastIron GS devices running software release 02.5.00 or later.

The <portnum> parameter is a valid port number. You can specify one or two ethernet ports at a time, as shown in the above examples.

To disable 100BaseFX support on a fiber port, enter the no form of the command. Note that you must disable 100BaseFX support before inserting a different type of module in the same port. Otherwise, the device will not recognize traffic traversing the port.

FSX 100/1000 Interface Module

The FSX 100/1000 Interface module and the 100BaseFX SFP were introduced in software release 02.4.00.
NOTE: The following procedure applies to the FSX 100/1000 Fiber interface module only. The CLI syntax for enabling and disabling 100BaseFX support on the FSX differs from that on a Compact device. Make sure you refer to the appropriate procedure.

The FSX 100/1000 fiber interface module supports the following types of SFPs for 100BaseFX:
• Multimode SFP – maximum distance is 2 kilometers
• Bidirectional single mode SFP – maximum distance is 10 kilometers
• Long Reach (LR) – maximum distance is 40 kilometers (introduced in software release FSX 03.1.00)
• Intermediate Reach (IR) – maximum distance is 15 kilometers (introduced in software release FSX 03.1.00)

NOTE: Connect the 100BaseFX fiber transceiver after configuring both sides of the link. Otherwise, the link could become unstable, fluctuating between up and down states.

To enable support for 100BaseFX on an FSX fiber port, enter commands such as the following:
FastIron(config)#interface e 1/6
FastIron(config-if-1/6)#100-fx

The above commands enable 100BaseFX on port 6 in slot 1.

Syntax: [no] 100-fx

To disable 100BaseFX support on a fiber port, enter the no form of the command. Note that you must disable 100BaseFX support before inserting a different type of module in the same port. Otherwise, the device will not recognize traffic traversing the port.

Changing the Gigabit Fiber Negotiation Mode

The globally configured Gigabit negotiation mode is the default mode for all Gigabit fiber ports. You can override the globally configured default and set individual ports to one of the following:

• Negotiate-full-auto – The port first tries to perform a handshake with the other port to exchange capability information. If the other port does not respond to the handshake attempt, the port uses the manually configured configuration information (or the defaults if an administrator has not set the information). This is the default.
• Auto-Gigabit – The port tries to perform a handshake with the other port to exchange capability information.
• Negotiation-off – The port does not try to perform a handshake. Instead, the port uses configuration information manually configured by an administrator.

To change the mode for individual ports, enter commands such as the following:
FastIron(config)#int ethernet 1 to 4
FastIron(config-mif-1-4)#gig-default auto-gig

This command overrides the global setting and sets the negotiation mode to auto-Gigabit for ports 1-4.

Syntax: gig-default neg-full-auto | auto-gig | neg-off

Modifying Port Priority (QoS)

You can give preference to the inbound traffic on specific ports by changing the Quality of Service (QoS) level on those ports. For information and procedures, see the chapter “Configuring Quality of Service” on page 23-1.

Enabling Dynamic Configuration of Voice over IP (VoIP) Phones

Platform Support:
• FastIron X Series devices running software release 02.2.00 and later

You can configure a FastIron device to automatically detect and re-configure a VoIP phone when it is physically moved from one port to another within the same device. To do so, you must configure a voice VLAN ID on the port to which the VoIP phone is connected. The software stores the voice VLAN ID in the port’s database for retrieval by the VoIP phone.

The dynamic configuration of a VoIP phone works in conjunction with the VoIP phone’s discovery process. Upon installation, and sometimes periodically, a VoIP phone queries the Foundry device for VoIP information and advertises information about itself, such as device ID, port ID, and platform. When the Foundry device receives the VoIP phone’s query, it sends the voice VLAN ID in a reply packet back to the VoIP phone. The VoIP phone then configures itself within the voice VLAN. As long as the port to which the VoIP phone is connected has a voice VLAN ID, the phone configures itself into that voice VLAN.
If you change the voice VLAN ID, the software immediately sends the new ID to the VoIP phone, and the VoIP phone re-configures itself with the new voice VLAN.

Configuration Notes

• This feature works with any VoIP phone that:
  • Runs CDP
  • Sends a VoIP VLAN query message
  • Can configure its voice VLAN after receiving the VoIP VLAN reply
• Automatic configuration of a VoIP phone will not work if one of the following applies:
  • You do not configure a voice VLAN ID for a port with a VoIP phone
  • You remove the configured voice VLAN ID from a port without configuring a new one
  • You remove the port from the voice VLAN
• Make sure the port is able to intercept CDP packets (cdp run command).
• Some VoIP phones may require a reboot after you configure or re-configure a voice VLAN ID. For example, if your VoIP phone queries for VLAN information only once, at boot, you must reboot the VoIP phone before it can accept the VLAN configuration. If your phone is powered by a PoE device, you can reboot the phone by disabling and then re-enabling the port.
• Foundry devices do not currently support Cisco 7970 VoIP phones.

Enabling Dynamic Configuration of a Voice over IP (VoIP) Phone

You can create a voice VLAN ID for a port or for a group of ports.

To create a voice VLAN ID for a port, enter commands such as the following:
FastIron(config)#interface e 2
FastIron(config-if-e1000-2)#voice-vlan 1001

To create a voice VLAN ID for a group of ports, enter commands such as the following:
FastIron(config)#interface e 1-8
FastIron(config-mif-1-8)#voice-vlan 1001

Syntax: [no] voice-vlan <voice-vlan-num>

where <voice-vlan-num> is a valid VLAN ID between 1 and 4095.

To remove a voice VLAN ID, use the no form of the command.

Viewing Voice VLAN Configurations

You can view the configuration of a voice VLAN for a particular port or for all ports.
To view the voice VLAN configuration for a port, specify the port number with the show voice-vlan command. The following example shows the command output:
FastIron#show voice-vlan ethernet 2
Voice vlan ID for port 2: 1001

The following example shows the message that appears when the port does not have a configured voice VLAN:
FastIron#show voice-vlan ethernet 2
Voice vlan is not configured for port 2.

To view the voice VLAN for all ports, use the show voice-vlan command without a port. The following example shows the command output:
FastIron#show voice-vlan
Port ID   Voice-vlan
2         1001
8         150
15        200

Syntax: show voice-vlan [ethernet [<stacknum>/<slotnum>/]<portnum>]

If you specify an ethernet port, note the following:

The <stacknum> parameter is required on FastIron GS and LS devices running software release 02.5.00 or later, and on FastIron GS-STK and FastIron LS-STK devices running software release 05.0.00 and later.

The <slotnum> parameter is required on chassis devices and on FastIron GS devices running software release 02.5.00 or later.

The <portnum> parameter is a valid port number.

Configuring Port Flap Dampening

Platform Support:
• FastIron X Series devices running software release 03.0.00 and later
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

Port Flap Dampening increases the resilience and availability of the network by limiting the number of port state transitions on an interface. If the port link state toggles from up to down a specified number of times within a specified period, the interface is physically disabled for the specified wait period. Once the wait period expires, the port’s link state is re-enabled.
However, if the wait period is set to zero (0) seconds, the port’s link state remains disabled until it is manually re-enabled.

Configuration Notes

• When a flap dampening port becomes a member of a trunk group, that port, as well as all other member ports of that trunk group, inherits the primary port’s configuration. This means that the member ports inherit the primary port’s flap dampening configuration, regardless of any previous configuration.
• The Foundry device counts the number of times a port’s link state toggles from "up to down", and not from "down to up".
• The sampling time or window (the time during which the specified toggle threshold can occur before the wait period is activated) starts when the first "up to down" transition occurs.
• "Up to down" transitions include UDLD-based toggles as well as the physical link state.

Configuring Port Flap Dampening on an Interface

This feature is configured at the interface level.
FastIron(config)#interface ethernet 2/1
FastIron(config-if-e10000-2/1)#link-error-disable 10 3 10

Syntax: [no] link-error-disable <toggle-threshold> <sampling-time-in-sec> <wait-time-in-sec>

The <toggle-threshold> is the number of times a port’s link state goes from up to down (see the configuration notes above) before the wait period is activated. The default is 0. Enter a value from 1 to 50.

The <sampling-time-in-sec> is the amount of time during which the specified toggle threshold can occur before the wait period is activated. The default is 0 seconds. Enter 0-65535 seconds.

The <wait-time-in-sec> is the amount of time the port remains disabled (down) before it is re-enabled. Enter 0-65535 seconds; 0 indicates that the port stays down until an administrative override occurs.

In the example above, the port is disabled for 10 seconds if its link goes down 10 times within a 3-second sampling window.

Configuring Port Flap Dampening on a Trunk

You can configure the port flap dampening feature on the primary port of a trunk using the link-error-disable command.
Once configured on the primary port, the feature is enabled on all ports that are members of the trunk. You cannot configure port flap dampening on the member ports of the trunk. Enter commands such as the following on the primary port of a trunk:
FastIron(config)#interface ethernet 2/1
FastIron(config-if-e10000-2/1)#link-error-disable 10 3 10

Re-enabling a Port Disabled by Port Flap Dampening

A port disabled by port flap dampening is automatically re-enabled once the wait period expires; however, if the wait period is set to zero (0) seconds, you must re-enable the port by entering the following commands on the disabled port:
FastIron(config)#interface ethernet 2/1
FastIron(config-if-e10000-2/1)#no link-error-disable 10 3 10

Displaying Ports Configured with Port Flap Dampening

Ports that have been disabled by the port flap dampening feature are identified in the output of the show link-error-disable command. The following shows an example output:
FastIron#show link-error-disable
Port 2/1 is forced down by link-error-disable.

Use the show link-error-disable all command to display the ports with the port flap dampening feature enabled.
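The link-error-disable behaviour described above, as a Python simulation: only up-to-down transitions are counted, the sampling window opens at the first one, reaching the threshold inside the window forces the port down for the wait time, and a wait time of 0 keeps the port down until the administrative override. This is an added example, not Foundry code or output. The port numbers and the link-event trace are constructed; the state names Idle, Err and Down and the Counter values mirror the columns of show link-error-disable all, and the message text mirrors the ERR_DISABLE Syslog messages this guide documents. The guide does not say what happens when a window closes without the threshold being reached; the assumption here is that the count restarts with the next up-to-down transition.

```python
"""Port flap dampening (link-error-disable) simulator.

Added example, not Foundry code. It models the behaviour this section documents:
only up-to-down transitions are counted, the sampling window opens at the first
one, reaching the threshold inside the window forces the port down for the wait
time, and a wait time of 0 keeps the port down until an administrative override.
Assumption (not stated in the guide): when the window closes without the
threshold being reached, the count restarts with the next up-to-down transition.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union


@dataclass
class FlapDampener:
    port: str
    threshold: int          # <toggle-threshold>, 1-50
    sampling_time: int      # <sampling-time-in-sec>, 0-65535
    wait_time: int          # <wait-time-in-sec>, 0-65535; 0 = down until override
    state: str = "Idle"     # Idle | Err | Down, as in show link-error-disable all
    flaps: int = 0          # up-to-down transitions sampled in the current window
    window_start: Optional[float] = None
    down_until: Optional[float] = None
    syslog: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= 50:
            raise ValueError("toggle-threshold must be 1-50")
        if not (0 <= self.sampling_time <= 65535 and 0 <= self.wait_time <= 65535):
            raise ValueError("sampling and wait times must be 0-65535 seconds")

    def link_down(self, t: float) -> None:
        """An up-to-down transition (physical or UDLD-based) at time t in seconds."""
        self.recover(t)
        if self.state == "Down":
            return                                  # port is forced down; nothing to sample
        if self.window_start is None or t - self.window_start > self.sampling_time:
            self.window_start, self.flaps = t, 0    # window opens at the first counted flap
        self.flaps += 1
        self.state = "Err"
        if self.flaps >= self.threshold:
            self.state = "Down"
            self.down_until = t + self.wait_time if self.wait_time else None
            self.syslog.append(f"ERR_DISABLE: Link flaps on port ethernet {self.port} "
                               "exceeded threshold; port in err-disable state")

    def link_up(self, t: float) -> None:
        """Down-to-up transitions are not counted; only the shutoff timer is checked."""
        self.recover(t)

    def recover(self, t: float) -> None:
        """Re-enable the port once the wait time has elapsed; never when wait_time is 0."""
        if self.state == "Down" and self.down_until is not None and t >= self.down_until:
            self._reset()
            self.syslog.append(f"ERR_DISABLE: Interface ethernet {self.port}, "
                               "err-disable recovery timeout")

    def admin_clear(self) -> None:
        """'no link-error-disable ...' on the interface: the administrative override."""
        self._reset()

    def _reset(self) -> None:
        self.state, self.flaps = "Idle", 0
        self.window_start = self.down_until = None

    def counter(self, t: float) -> Union[str, int, None]:
        """Counter column: N/A when Idle, flaps sampled when Err, seconds left when Down."""
        self.recover(t)
        if self.state == "Idle":
            return "N/A"
        if self.state == "Err":
            return self.flaps
        if self.down_until is None:
            return None                             # wait_time 0: there is no timer
        return max(0, int(self.down_until - t))


def replay(port: str, threshold: int, sampling: int, wait: int,
           events: List[Tuple[float, str]]) -> FlapDampener:
    """Feed a time-ordered trace of ('up' | 'down') link events to a dampener."""
    d = FlapDampener(port, threshold, sampling, wait)
    for t, ev in events:
        if ev == "down":
            d.link_down(t)
        else:
            d.link_up(t)
    return d


if __name__ == "__main__":
    # Constructed trace: three up-to-down transitions within 7 s on a port
    # configured as "link-error-disable 3 120 600".
    trace = [(0, "down"), (1, "up"), (5, "down"), (6, "up"), (7, "down")]
    d = replay("11", 3, 120, 600, trace)
    print(d.state, d.counter(7))                    # Down 600
    print(d.counter(607), d.state)                  # N/A Idle
    print(*d.syslog, sep="\n")
```

With the constructed trace, a port configured as link-error-disable 3 120 600 enters the Down state at the third up-to-down transition with 600 seconds left on the shutoff timer and returns to Idle when the timer expires; the same trace with a wait time of 0 leaves the port down until admin_clear() is called, and a trace whose flaps straddle the sampling window never reaches the threshold.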
For FSX software releases prior to release 03.2.00 and for FGS software releases, the output of show link-error-disable all looks like the following:
FastIron#show link-error-disable all
Port8/1 is configured for link-error-disable threshold:1, sampling_period:10, waiting_period:0
Port8/2 is configured for link-error-disable threshold:1, sampling_period:10, waiting_period:0
Port8/3 is configured for link-error-disable threshold:1, sampling_period:10, waiting_period:0
Port8/4 is configured for link-error-disable threshold:1, sampling_period:10, waiting_period:0
Port8/5 is configured for link-error-disable threshold:4, sampling_period:10, waiting_period:2
Port8/9 is configured for link-error-disable threshold:2, sampling_period:20, waiting_period:0

For FastIron X Series devices running software release 03.2.00, the output of the command looks like the following:
FastIron#show link-error-disable all
Port  -----------------Config--------------  ------Oper------
#     Threshold  Sampling-Time  Shutoff-Time  State  Counter
----  ---------  -------------  ------------  -----  -------
11    3          120            600           Idle   N/A
12    3          120            500           Down   424

Table 5.5 defines the port flap dampening statistics displayed by the show link-error-disable all command.

Table 5.5: Output of show link-error-disable

This Column...   Displays...
Port #           The port number.
Threshold        The number of times the port’s link state goes from up to down before the wait period is activated.
Sampling-Time    The number of seconds during which the specified toggle threshold can occur before the wait period is activated.
Shutoff-Time     The number of seconds the port remains disabled (down) before it is re-enabled. A zero (0) indicates that the port stays down until an administrative override occurs.
State            The port’s state can be one of the following:
                 • Idle – The link is normal and no link state toggles have been detected or sampled.
                 • Down – The port is disabled because the number of sampled errors exceeded the configured threshold.
                 • Err – The port sampled one or more errors.
Counter          • If the port’s state is Idle, this field displays N/A.
                 • If the port’s state is Down, this field shows the remaining value of the shutoff timer.
                 • If the port’s state is Err, this field shows the number of errors sampled.

Syntax: show link-error-disable [all]

Also on FastIron X Series devices running software release 03.2.00 and later, the show interface command indicates whether the port flap dampening feature is enabled on the port. For example:
FastIron#show interface ethernet 15
GigabitEthernet15 is up, line protocol is up
Link Error Dampening is Enabled
Hardware is GigabitEthernet, address is 00e0.5200.010e (bia 00e0.5200.010e)
Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDIX

FastIron#show interface ethernet 17
GigabitEthernet17 is ERR-DISABLED, line protocol is down
Link Error Dampening is Enabled
Hardware is GigabitEthernet, address is 00e0.5200.010e (bia 00e0.5200.010e)
Configured speed auto, actual unknown, configured duplex fdx, actual unknown

The line “Link Error Dampening” displays “Enabled” if port flap dampening is enabled on the port or “Disabled” if the feature is disabled on the port. The feature is enabled on the ports in the two examples above. Also, “ERR-DISABLED” is displayed on the “GigabitEthernet” line if the port is disabled because of link errors.

Syntax: show interface ethernet <port-number>

In addition to the show commands above, the output of the show interface brief command on FastIron X Series devices running software release 03.2.00 indicates whether a port is down due to link errors.
For example:
FastIron#show interface brief e17
Port  Link     State  Dupl  Speed  Trunk  Tag  Priori  MAC             Name
17    ERR-DIS  None   None  None   15     Yes  level0  00e0.5200.010e

The ERR-DIS entry under the “Link” column indicates the port is down due to link errors.

Syslog Messages for Port Flap Dampening

The following Syslog messages are generated on devices running FSX software release 03.2.00 and later.

• If the threshold for the number of times that a port’s link toggles from “up” to “down” has been exceeded, the following Syslog message is displayed:
0d00h02m10s:I:ERR_DISABLE: Link flaps on port ethernet 16 exceeded threshold; port in err-disable state
• If the wait time (during which the port is down) expires and the port is brought up, the following Syslog message is displayed:
0d00h02m41s:I:ERR_DISABLE: Interface ethernet 16, err-disable recovery timeout

Configuring a Local MAC Address for Layer 2 Management Traffic

Platform Support:
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

By default, Foundry Layer 2 devices use the MAC address of the first port as the MAC address for Layer 2 management traffic. For example, when the Foundry device receives an ARP request for its management IP address, it responds with the first port’s MAC address. This may cause problems in some configurations where the Foundry device uses the same MAC address for management traffic as for switched traffic.

Starting with the software releases listed above, you can configure the Foundry device to use a different MAC address for Layer 2 management traffic than for switched traffic. When you issue the use-local-management-mac command, the Foundry device sets the local bit in the first port’s MAC address and uses the resulting address for management traffic.
The local bit is the locally administered (U/L) bit of the address, bit 1 of the first octet (value 0x02), so the first octet changes from 00 to 02. For example, if the first port’s MAC address is 00e0.5201.9900, then after the feature is enabled the switch uses 02e0.5201.9900 for management functions. Switched traffic continues to use the first port’s MAC address without the local bit set.

EXAMPLE:
FastIron(config)#use-local-management-mac
FastIron(config)#write memory
FastIron(config)#end
FastIron#reload

Syntax: [no] use-local-management-mac

NOTE: You must save the configuration and reload the software to place the change into effect.

NOTE: This feature is only available for the switch code. It is not available for router code.

Port Loop Detection

Platform Support:
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later
• FastIron X Series devices running software release 04.1.00 and later – L2, BL3, L3

This feature allows the Foundry device to disable a port that is on the receiving end of a loop by sending test packets. You can configure the interval at which test packets are sent.

Strict Mode and Loose Mode

There are two types of loop detection: Strict Mode and Loose Mode.

In Strict Mode, a port is disabled only if a packet is looped back to that same port. Strict Mode overcomes specific hardware issues where packets are echoed back to the input port. In Strict Mode, loop detection must be configured on the physical port.

In Loose Mode, loop detection is configured on the VLAN of the receiving port. Loose Mode disables the receiving port if packets originate from any port or VLAN on the same device. The VLAN of the receiving port must be configured for loop detection in order to disable the port.

Recovering Disabled Ports

Once a loop is detected on a port, it is placed in Err-Disable state.
The port remains disabled until one of the following occurs:
• You manually disable and enable the port at the Interface Level of the CLI.
• You enter the command clear loop-detection. This command clears loop detection statistics and enables all Err-Disabled ports.
• The device automatically re-enables the port. To set your device to automatically re-enable Err-Disabled ports, see “Configuring the Device to Automatically Re-Enable Ports”.

Configuration Notes

The following information applies to Loose Mode loop detection:
• With Loose Mode, two ports of a loop are disabled.
• Different VLANs may disable different ports. A disabled port affects every VLAN using it.
• Loose Mode floods test packets to the entire VLAN. This can impact system performance if too many VLANs are configured for Loose Mode loop detection.

NOTE: Foundry recommends that you limit the use of Loose Mode. If you have a large number of VLANs, configuring loop detection on all of them can significantly affect system performance because of the flooding of test packets to all configured VLANs. An alternative to configuring loop detection in a VLAN group of many VLANs is to configure a separate VLAN with the same tagged ports and configuration, and enable loop detection on this VLAN only.

NOTE: When loop detection is used with L2 loop prevention protocols, such as spanning tree (STP), the L2 protocol takes higher priority. Loop detection cannot send or receive probe packets on ports blocked by L2 protocols, so it does not detect L2 loops when STP is running, because loops within a VLAN have already been prevented by STP. Loop detection running in Loose Mode can detect and break L3 loops because STP cannot prevent loops across different VLANs. In these instances the ports are not blocked, and loop detection is able to send out probe packets in one VLAN and receive them in another VLAN. In this way, loop detection running in Loose Mode disables both the ingress and egress ports.
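The Strict Mode and Loose Mode behaviour described above, simulated for one switch in Python. This is an added example, not Foundry code: the Switch class, the Probe layout, the port and VLAN numbers and the wiring table (which only says where a frame sent out of a port arrives and in which VLAN it is classified on arrival) are all constructed for the illustration. It reproduces three statements from this section: a Strict Mode port is err-disabled only when its own test packet returns on that same port; in Loose Mode both ports of a loop are err-disabled, and a test packet that lands in a VLAN not configured for loop detection is ignored even though it came from this device; and a port blocked by STP neither sends nor receives test packets, so a loop through it is not detected.

```python
"""Strict-mode and Loose-mode loop detection, simulated for one switch.

Added example for this guide, not Foundry code. It models only what the guide
states: a Strict-mode port is err-disabled when its own test packet comes back
on that same port; a Loose-mode VLAN floods test packets to all of its ports and
err-disables any port on which a test packet from this device arrives, provided
the VLAN the packet is received in is configured for loop detection; ports
blocked by a Layer 2 protocol such as STP neither send nor receive test packets.
Port/VLAN numbers, the probe layout and the wiring table are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Probe:
    device: str                 # sending switch; only its own probes count
    origin_port: str
    vlan: Optional[int]         # None for a Strict-mode (per-port) test packet


Endpoint = Tuple[str, str]                  # (switch name, port)
Arrival = Tuple[str, str, int]              # (switch name, port, VLAN on receipt)


class Switch:
    def __init__(self, name: str, port_vlans: Dict[str, Set[int]]) -> None:
        self.name = name
        self.port_vlans = port_vlans            # port -> VLANs it carries
        self.strict_ports: Set[str] = set()     # "loop-detection" under the interface
        self.loose_vlans: Set[int] = set()      # "loop-detection" under the VLAN
        self.stp_blocked: Set[str] = set()      # ports STP holds in BLOCKING
        self.err_disabled: Dict[str, str] = {}  # port -> cause ("itself" or "vlan N")
        self.syslog: List[str] = []

    def _usable(self, port: str) -> bool:
        return port not in self.err_disabled and port not in self.stp_blocked

    def send_probes(self) -> List[Tuple[Endpoint, Probe]]:
        """One loop-detection interval: (egress endpoint, test packet) pairs."""
        out: List[Tuple[Endpoint, Probe]] = []
        for p in sorted(self.strict_ports):
            if self._usable(p):
                out.append(((self.name, p), Probe(self.name, p, None)))
        for vlan in sorted(self.loose_vlans):          # flooded to the whole VLAN
            for p in sorted(self.port_vlans):
                if vlan in self.port_vlans[p] and self._usable(p):
                    out.append(((self.name, p), Probe(self.name, p, vlan)))
        return out

    def receive(self, port: str, rx_vlan: int, probe: Probe) -> None:
        if not self._usable(port) or probe.device != self.name:
            return                                  # down/blocked port, or not our probe
        if probe.vlan is None:                      # Strict: must return to the same port
            if port in self.strict_ports and probe.origin_port == port:
                self._err_disable(port, "itself", rx_vlan)
        elif rx_vlan in self.loose_vlans and rx_vlan in self.port_vlans[port]:
            self._err_disable(port, f"vlan {rx_vlan}", rx_vlan)   # Loose: any origin

    def _err_disable(self, port: str, cause: str, vlan: int) -> None:
        self.err_disabled[port] = cause             # the port is down for every VLAN
        self.syslog.append(f"loop-detect: port {port} vlan {vlan}, into errdisable state")

    def clear_loop_detection(self) -> None:
        """'clear loop-detection': re-enable every err-disabled port."""
        self.err_disabled.clear()


def run_interval(switches: Dict[str, Switch], wiring: Dict[Endpoint, List[Arrival]]) -> None:
    """Send every test packet first, then deliver each where the wiring says it arrives."""
    sent = [(src, pr) for sw in switches.values() for src, pr in sw.send_probes()]
    for src, pr in sent:
        for dst_name, dst_port, rx_vlan in wiring.get(src, []):
            switches[dst_name].receive(dst_port, rx_vlan, pr)


def demo(loose_vlans: Iterable[int] = (12,), stp_blocked: Iterable[str] = ()) -> Switch:
    """Constructed topology: a PHY echo on 1/13, a cable looping 1/18 to 1/19 inside
    VLAN 12, and a cable looping 1/20 to 1/21 whose frames are received in VLAN 30."""
    sw = Switch("FastIron", {"1/13": {1}, "1/18": {12}, "1/19": {12},
                             "1/20": {12, 30}, "1/21": {30}})
    sw.strict_ports = {"1/13"}
    sw.loose_vlans = set(loose_vlans)
    sw.stp_blocked = set(stp_blocked)
    wiring: Dict[Endpoint, List[Arrival]] = {
        ("FastIron", "1/13"): [("FastIron", "1/13", 1)],
        ("FastIron", "1/18"): [("FastIron", "1/19", 12)],
        ("FastIron", "1/19"): [("FastIron", "1/18", 12)],
        ("FastIron", "1/20"): [("FastIron", "1/21", 30)],
        ("FastIron", "1/21"): [("FastIron", "1/20", 30)],
    }
    run_interval({"FastIron": sw}, wiring)
    return sw


if __name__ == "__main__":
    for label, sw in (("VLAN 12 only", demo()), ("VLAN 12 and 30", demo((12, 30))),
                      ("1/19 blocked by STP", demo(stp_blocked=("1/19",)))):
        print(f"{label}: {sw.err_disabled}")
```

With loop detection on VLAN 12 only, one interval err-disables 1/13 ("itself") and both 1/18 and 1/19 ("vlan 12"), while the VLAN 12 test packet that arrives on 1/21 in VLAN 30 is ignored. Adding VLAN 30 to the Loose Mode configuration makes that same cross-VLAN arrival err-disable 1/21 (and the return path err-disable 1/20), which is the "probe in one VLAN, received in another" case the note above describes. Blocking 1/19 with STP removes the VLAN 12 detection entirely, leaving only the Strict Mode echo on 1/13.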
Enabling Loop Detection

Use the loop-detection command to enable loop detection on a physical port (Strict Mode) or a VLAN (Loose Mode). Loop detection is disabled by default.

The following example shows a Strict Mode configuration:
FastIron(config)#interface ethernet 1/1
FastIron(config-if-e1000-1/1)#loop-detection

The following example shows a Loose Mode configuration:
FastIron(config)#vlan 20
FastIron(config-vlan-20)#loop-detection

By default, the port sends test packets every one second, or at the interval specified by the loop-detection-interval command. See “Configuring a Global Loop Detection Interval” on page 5-38.

Syntax: [no] loop-detection

Use the no form of the command to disable loop detection.

Configuring a Global Loop Detection Interval

The loop detection interval specifies how often a test packet is sent on a port. When loop detection is enabled, the loop detection time unit is 0.1 second, with a default of 10 (one second). The range is from 1 (one tenth of a second) to 100 (10 seconds). You can use the show loop-detection status command to view the loop detection interval.

To configure the global loop detection interval, enter a command similar to the following:
FastIron(config)#loop-detection-interval 50

This command sets the loop-detection interval to 5 seconds (50 x 0.1).

To revert to the default global loop detection interval of 10, enter one of the following:
FastIron(config)#loop-detection-interval 10
OR
FastIron(config)#no loop-detection-interval 50

Syntax: [no] loop-detection-interval <number>

where <number> is a value from 1 to 100. The system multiplies your entry by 0.1 to calculate the interval at which test packets are sent.
Configuring the Device to Automatically Re-Enable Ports

To configure the Foundry device to automatically re-enable ports that were disabled because of loop detection, enter the following command:
FastIron(config)#errdisable recovery cause loop-detection

The above command causes the Foundry device to automatically re-enable ports that were disabled because of loop detection. By default, the device waits 300 seconds before re-enabling the ports. You can optionally change this interval to a value from 10 to 65535 seconds. See “Specifying the Recovery Time Interval” on page 5-38.

Syntax: [no] errdisable recovery cause loop-detection

Use the no form of the command to disable this feature.

Specifying the Recovery Time Interval

The recovery time interval specifies the number of seconds the Foundry device waits before automatically re-enabling ports that were disabled because of loop detection. (See also “Configuring the Device to Automatically Re-Enable Ports” on page 5-38.) By default, the device waits 300 seconds.

To change the recovery time interval, enter a command such as the following:
FastIron(config)#errdisable recovery interval 120

The above command configures the device to wait 120 seconds (2 minutes) before re-enabling the ports.

To revert to the default recovery time interval of 300 seconds (5 minutes), enter one of the following commands:
FastIron(config)#errdisable recovery interval 300
OR
FastIron(config)#no errdisable recovery interval 120

Syntax: [no] errdisable recovery interval <seconds>

where <seconds> is a number from 10 to 65535.

Clearing Loop-Detection

To clear loop detection statistics and re-enable all ports that are in Err-Disable state because of loop detection, enter the following command:
FastIron#clear loop-detection

Displaying Loop-Detection Information

Use the show loop-detection status command to display loop detection status, as shown:

FastIron#show loop-detection status
loop detection packets interval: 10 (unit 0.1 sec)
Number of err-disabled ports: 3
You can re-enable err-disable ports one by one by "disable" then "enable" under interface config, re-enable all by "clear loop-detect", or configure "errdisable recovery cause loop-detection" for automatic recovery
index  port/vlan  status                  #errdis  sent-pkts  recv-pkts
1      1/13       untag, LEARNING         0        0          0
2      1/15       untag, BLOCKING         0        0          0
3      1/17       untag, DISABLED         0        0          0
4      1/18       ERR-DISABLE by itself   1        6          1
5      1/19       ERR-DISABLE by vlan 12  0        0          0
6      vlan12     2 ERR-DISABLE ports     2        24         2

If a port is errdisabled in Strict mode, it shows “ERR-DISABLE by itself”. If it is errdisabled due to its associated VLAN, it shows “ERR-DISABLE by vlan ?”.

The following command displays the currently disabled ports, including the cause and the time:

FastIron#show loop-detection disable
Number of err-disabled ports: 3
You can re-enable err-disable ports one by one by "disable" then "enable" under interface config, re-enable all by "clear loop-detect", or configure "errdisable recovery cause loop-detection" for automatic recovery
index  port  caused-by  disabled-time
1      1/18  itself     00:13:30
2      1/19  vlan 12    00:13:30
3      1/20  vlan 12    00:13:30

This example shows the disabled ports, the cause, and the time each port was disabled. If loop-detection is configured on a physical port, the disable cause shows “itself”. For VLANs configured for loop-detection, the cause is the VLAN.
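The err-disable events above also reach a Syslog collector. As an added monitoring example (not part of this guide and not Foundry software), the following Python parses the loop-detection errdisable message documented in the “Syslog Message” subsection below, together with the “startup-config was changed” and “startup-config was changed by <username>” messages documented later in this chapter under “Logging Changes to the Startup-Config File”, into structured events a collector can alert on. The log lines, hostname, timestamps, port numbers and user name are constructed for the example; because the guide shows the port field only as a placeholder, the parser matches it loosely.

```python
"""Added example (not Foundry code): turn FastIron loop-detection and
startup-config-change Syslog messages into events. The sample log is
constructed: hostname, timestamps, ports and the user name are invented."""
import re
from collections import Counter

# Message formats as documented in the guide; the port field is matched
# loosely because the guide shows it only as "port ?\?\? vlan ?".
LOOP_DETECT_RE = re.compile(
    r"loop-detect: port (?P<port>\S+) vlan (?P<vlan>\d+), into errdisable state")
CONFIG_CHANGED_RE = re.compile(
    r"startup-config was changed(?: by (?P<user>\S+))?")

# Constructed sample: three ports err-disabled by a VLAN-level loop, one
# attributed and one unattributed startup-config change, and a noise line.
SAMPLE_LOG = """\
Dec  5 10:13:30 fastiron-1 loop-detect: port 1/18 vlan 12, into errdisable state
Dec  5 10:13:30 fastiron-1 loop-detect: port 1/19 vlan 12, into errdisable state
Dec  5 10:13:30 fastiron-1 loop-detect: port 1/20 vlan 12, into errdisable state
Dec  5 10:20:01 fastiron-1 startup-config was changed by admin
Dec  5 10:21:45 fastiron-1 startup-config was changed
Dec  5 10:22:00 fastiron-1 System: Interface ethernet 1/18, state up
"""


def parse_event(line):
    """Return a dict describing the event in one log line, or None."""
    m = LOOP_DETECT_RE.search(line)
    if m:
        return {"type": "loop_detect_errdisable", "port": m.group("port"),
                "vlan": int(m.group("vlan")), "raw": line}
    m = CONFIG_CHANGED_RE.search(line)
    if m:
        # user is None when the device logged the change without a username
        return {"type": "startup_config_changed", "user": m.group("user"),
                "raw": line}
    return None


def summarize(log_text):
    """Aggregate events: which ports are err-disabled, how many per VLAN
    (several ports in one VLAN suggest a VLAN-wide loop rather than one bad
    cable), and startup-config changes with and without a recorded user."""
    errdisabled, per_vlan, changes = {}, Counter(), []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["type"] == "loop_detect_errdisable":
            errdisabled[ev["port"]] = ev["vlan"]
            per_vlan[ev["vlan"]] += 1
        else:
            changes.append(ev)
    return {
        "errdisabled": errdisabled,
        "ports_per_vlan": dict(per_vlan),
        "config_changes": changes,
        "unattributed_config_changes": sum(1 for c in changes if c["user"] is None),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for port, vlan in sorted(s["errdisabled"].items()):
        print(f"err-disabled: port {port} (vlan {vlan})")
    for vlan, n in s["ports_per_vlan"].items():
        if n > 1:
            print(f"vlan {vlan}: {n} ports disabled, probable VLAN-wide loop")
    for c in s["config_changes"]:
        print("startup-config changed by", c["user"] or "<no user recorded>")
```

A change logged without a user name is worth an alert of its own: the guide says the username form is produced when a valid user made the change, so the bare form is the one to investigate.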
The following command shows the hardware and software resources being used by the loop-detection feature:

Vlans configured loop-detection use 1 HW MAC
Vlans not configured but use HW MAC: 1 10
                      configuration pool    linklist pool
alloc     in-use      16      6             16      10
avail     get-fail    10      0             6       0
limit                 3712                  3712
get-mem               6                     10
size      init        15      16            16      16

Syslog Message

The following message is logged when a port is disabled due to loop detection. This message also appears on the console:

loop-detect: port ?\?\? vlan ?, into errdisable state

The Errdisable function logs a message whenever it re-enables a port.

Chapter 6
Operations, Administration, and Maintenance

This chapter describes how to perform management, administration, and maintenance operations on FastIron devices. These operations include software image management, upgrade management, and scheduling system maintenance tasks.

Overview

For easy software image management, all Foundry devices support the download and upload of software images between the flash modules on the devices and a Trivial File Transfer Protocol (TFTP) server on the network.

Foundry devices have two flash memory modules:
• Primary flash – The default local storage device for image files and configuration files.
• Secondary flash – A second flash storage device. You can use the secondary flash to store redundant images for additional booting reliability or to preserve one software image while testing another one. Only one flash device is active at a time. By default, the primary image will become active upon reload.

You can update the software contained on a flash module using TFTP to copy the update image from a TFTP server onto the flash module. In addition, you can copy software images and configuration files from a flash module to a TFTP server.

NOTE: Foundry devices are TFTP clients but not TFTP servers.
You must perform the TFTP transaction from the Foundry device. You cannot “put” a file onto the Foundry device using the interface of your TFTP server.

NOTE: Foundry FGS-STK and FLS-STK devices do not support booting from TFTP.

NOTE: If you are attempting to transfer a file using TFTP but have received an error message, see “Diagnostic Error Codes and Remedies for TFTP Transfers” on page 6-21.

Determining the Software Versions Installed and Running on a Device

Use the following methods to display the software versions running on the device and the versions installed in flash memory.

Determining the Flash Image Version Running on the Device

To determine the flash image version running on a device, enter the show version command at any level of the CLI. Some examples are shown below.

Compact Devices

To determine the flash image version running on a Compact device, enter the show version command at any level of the CLI. The following shows an example output.

FastIron#show version
SW: Version 03.0.00T53 Copyright (c) 1996-2002 Foundry Networks, Inc.
Compiled on Mar 26 2003 at 13:50:31 labeled as FER03000
(3089381 bytes) from Primary fer03000.bin
HW: Stackable FES2402-PREM-ILP
==========================================================================
330 MHz Power PC processor 8245 (version 129/1014) 66 MHz bus
512 KB boot flash memory
16384 KB code flash memory
128 MB DRAM
Monitor Option is on
The system uptime is 4 days 4 hours 8 minutes 33 seconds
The system : started=warm start

The version information is shown in bold type in this example.
• “03.0.00T53” indicates the flash code version number. The “T53” is used by Foundry for record keeping.
• “labeled as FER03000” indicates the flash code image label. The label indicates the image type and version and is especially useful if you change the image file name.
• “Primary fer03000.bin” indicates the flash code image file name that was loaded.

Chassis Devices

To determine the flash image version running on a chassis device, enter the show version command at any level of the CLI. The following is an example output.

FastIron Switch#show version
==========================================================================
Active Management CPU:
SW: Version 03.1.00aT3e3 Copyright (c) 1996-2006 Foundry Networks, Inc.
Compiled on Nov 07 2006 at 10:20:07 labeled as SXR03100a
(3613675 bytes) from Primary sxr03100a.bin
BootROM: Version 03.0.01T3e5 (FEv2)
HW: Chassis FastIron SX 1600-PREM
Serial #: TE15065544
==========================================================================
Standby Management CPU:
SW: Version 03.1.00aT3e3 Copyright (c) 1996-2006 Foundry Networks, Inc.
Compiled on Nov 07 2006 at 10:20:07 labeled as SXR03100a
BootROM: Version 03.0.01T3e5 (FEv2)
==========================================================================
SL 1: SX-F424C 24-port Gig Copper
Serial #: CH03060022
P-ASIC 0: type 00D1, rev D2
==========================================================================
SL 5: SX-F42XG 2-port 10G
Serial #: CH19050324
P-ASIC 8: type 01D1, rev 00
P-ASIC 9: type 01D1, rev 00
==========================================================================
SL 9: SX-FIZMR4 0-port Management
Serial #: Non-exist
==========================================================================
SL 10: SX-FIZMR4 0-port Management
Serial #: Non-exist
==========================================================================
SL 13: SX-F424C 24-port Gig Copper
Serial #: Non-exist
P-ASIC 24: type 00D1, rev D2
P-ASIC 25: type 00D1, rev D2
==========================================================================
SL 18: SX-F42XG 2-port 10G
Serial #: CH13050374
P-ASIC 34: type 01D1, rev 00
P-ASIC 35: type 01D1, rev 00
==========================================================================
Active Management Module:
660 MHz Power PC processor 8541 (version 32/0020) 66 MHz bus
512 KB boot flash memory
16384 KB code flash memory
512 MB DRAM
Standby Management Module:
660 MHz Power PC processor 8541 (version 32/0020) 66 MHz bus
512 KB boot flash memory
16384 KB code flash memory
512 MB DRAM
The system uptime is 2 days 4 hours 33 minutes 52 seconds
The system : started=warm start reloaded=by "reload"

The version information is shown in bold type in this example.
• “03.1.00aT3e3” indicates the flash code version number. The “T3e3” is used by Foundry for record keeping.
• “labeled as SXR03100a” indicates the flash code image label. The label indicates the image type and version and is especially useful if you change the image file name.
• “Primary SXR03100a.bin” indicates the flash code image file name that was loaded.

Determining the Boot Image Version Running on the Device

To determine the boot image running on a device, enter the show flash command at any level of the CLI. The following shows an example output.

FastIron#show flash
Active Management Module (Slot 9):
Compressed Pri Code size = 3613675, Version 03.1.00aT3e3 (sxr03100a.bin)
Compressed Sec Code size = 2250218, Version 03.1.00aT3e1 (sxs03100a.bin)
Compressed BootROM Code size = 524288, Version 03.0.01T3e5
Code Flash Free Space = 9699328
Standby Management Module (Slot 10):
Compressed Pri Code size = 3613675, Version 03.1.00aT3e3 (sxr03100a.bin)
Compressed Sec Code size = 2250218, Version 03.1.00aT3e1 (sxs03100a.bin)
Compressed BootROM Code size = 524288, Version 03.0.01T3e5
Code Flash Free Space = 524288

The boot code version is shown in bold type.

Determining the Image Versions Installed in Flash Memory

Enter the show flash command to display the boot and flash images installed on the device.
An example of the command’s output is shown in “Determining the Boot Image Version Running on the Device”.
• The “Compressed Pri Code size” line lists the flash code version installed in the primary flash area.
• The “Compressed Sec Code size” line lists the flash code version installed in the secondary flash area.
• The “Boot Monitor Image size” line lists the boot code version installed in flash memory. The device does not have separate primary and secondary flash areas for the boot image. The flash memory module contains only one boot image.

NOTE: To minimize the boot-monitor image size, ping and tftp operations performed in the boot-monitor mode are restricted to copper ports on the FastIron Chassis management modules and to copper ports on the FastIron stackable switch combination copper and fiber ports. The fiber ports on these modules do not have the ability to ping or tftp from the boot-monitor mode.

Flash Image Verification

Platform Support:
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later
• FastIron X Series devices running software release 04.0.00 and later

The Flash Image Verification feature allows you to verify boot images based on hash codes, and to generate hash codes where needed. This feature lets you select from three data integrity verification algorithms:
• MD5 – Message Digest algorithm (RFC 1321)
• SHA1 – US Secure Hash Algorithm (RFC 3174)
• CRC – Cyclic Redundancy Checksum algorithm

CLI Commands

Use the following command syntax to verify the flash image:

Syntax: verify md5 | sha1 | crc32 <ASCII string> | primary | secondary [<hash code>]
• md5 – Generates a 16-byte hash code
• sha1 – Generates a 20-byte hash code
• crc32 – Generates a 4-byte checksum
• ascii string – A valid image filename
• primary – The primary boot image (primary.img)
• secondary – The secondary boot image (secondary.img)
• hash code – The hash code to verify

The following examples show how the verify command can be used in a variety of circumstances.

To generate an MD5 hash value for the secondary image, enter the following command:

FastIron#verify md5 secondary
FastIron#.........................Done
Size = 2044830, MD5 01c410d6d153189a4a5d36c955653862

To generate a SHA-1 hash value for the secondary image, enter the following command:

FastIron#verify sha secondary
FastIron#.........................Done
Size = 2044830, SHA1 49d12d26552072337f7f5fcaef4cf4b742a9f525

To generate a CRC32 hash value for the secondary image, enter the following command:

FastIron#verify crc32 secondary
FastIron#.........................Done
Size = 2044830, CRC32 b31fcbc0

To verify the hash value of a secondary image against a known value, enter the following commands:

FastIron#verify md5 secondary 01c410d6d153189a4a5d36c955653861
FastIron#.........................Done
Size = 2044830, MD5 01c410d6d153189a4a5d36c955653862
Verification FAILED.

In the previous example, the codes did not match, and verification failed. If verification succeeds, the output looks like this:

FastIron#verify md5 secondary 01c410d6d153189a4a5d36c955653861
FastIron#.........................Done
Size = 2044830, MD5 01c410d6d153189a4a5d36c955653861
Verification SUCEEDED.
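The check above compares a digest the device computes with one the administrator supplies. The value supplied is only as trustworthy as its source, so the following Python, added here as an example and not taken from Foundry's software, computes the same three digests (MD5, SHA-1, CRC32) over an image file before it is placed on the TFTP server, so that the hash code typed into verify comes from a copy the administrator hashed independently rather than from the device itself. SAMPLE_IMAGE is a constructed stand-in for a real .bin file; the class and function names are this example's own.

```python
"""Added example (not Foundry code): compute and verify MD5, SHA-1 and
CRC32 digests of a software image, mirroring the device's
`verify md5 | sha1 | crc32 ... [<hash code>]` command."""
import hashlib
import hmac
import zlib

# Constructed stand-in for an image file; a real run reads a .bin from disk.
SAMPLE_IMAGE = bytes(range(256)) * 64   # 16 KiB, deliberately not all zeros


class Digester:
    """Incremental digest so large images can be hashed chunk by chunk.
    md5 gives a 16-byte, sha1 a 20-byte and crc32 a 4-byte result, the
    sizes the guide lists for the verify command."""

    def __init__(self, algorithm):
        self.alg = algorithm.lower()
        self.size = 0
        if self.alg in ("md5", "sha1"):
            self._h = hashlib.new(self.alg)
        elif self.alg == "crc32":
            self._crc = 0
        else:
            raise ValueError("unsupported algorithm: %s" % algorithm)

    def update(self, chunk):
        self.size += len(chunk)
        if self.alg == "crc32":
            self._crc = zlib.crc32(chunk, self._crc)   # running CRC
        else:
            self._h.update(chunk)

    def hexdigest(self):
        if self.alg == "crc32":
            return "%08x" % (self._crc & 0xFFFFFFFF)
        return self._h.hexdigest()


def image_digest(data, algorithm):
    """Hex digest of an in-memory image."""
    d = Digester(algorithm)
    d.update(data)
    return d.hexdigest()


def verify_image(data, algorithm, expected):
    """Mimic the device's check: size, computed digest and a verdict.
    The comparison is constant-time and tolerant of upper-case hex."""
    actual = image_digest(data, algorithm)
    ok = hmac.compare_digest(actual, expected.strip().lower())
    return {"size": len(data), "algorithm": algorithm.lower(),
            "digest": actual, "verified": ok}


def verify_image_file(path, algorithm, expected, block_size=8192):
    """Same check over a file on disk, read in 8192-byte blocks (the TFTP
    default block size the guide mentions)."""
    d = Digester(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            d.update(chunk)
    actual = d.hexdigest()
    return {"size": d.size, "algorithm": d.alg, "digest": actual,
            "verified": hmac.compare_digest(actual, expected.strip().lower())}


def report(result):
    """Render a result in the device's output style."""
    verdict = "SUCCEEDED" if result["verified"] else "FAILED"
    return "Size = %d, %s %s\nVerification %s." % (
        result["size"], result["algorithm"].upper(), result["digest"], verdict)


if __name__ == "__main__":
    good = image_digest(SAMPLE_IMAGE, "md5")
    print(report(verify_image(SAMPLE_IMAGE, "md5", good)))
    corrupted = SAMPLE_IMAGE[:-1] + b"\x00"        # one byte altered
    print(report(verify_image(corrupted, "md5", good)))
```

All three algorithms only tell you whether the image in flash matches the value you typed; they say nothing about where that value came from. Compare against the digest published with the release or against a copy hashed before upload, and prefer SHA-1 over MD5 or CRC32 when the concern is deliberate substitution rather than transfer corruption.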
The following examples show this process for the SHA-1 and CRC32 algorithms:

FastIron#verify sha secondary 49d12d26552072337f7f5fcaef4cf4b742a9f525
FastIron#.........................Done
Size = 2044830, sha 49d12d26552072337f7f5fcaef4cf4b742a9f525
Verification SUCCEEDED.

and:

FastIron#verify crc32 secondary b31fcbc0
FastIron#.........................Done
Size = 2044830, CRC32 b31fcbc0
Verification SUCCEEDED.

Image File Types

This section lists the boot and flash image file types supported on the FastIron family of switches and how to install them. For information about a specific version of code, see the release notes.

Table 6.1: Software Image Files

Product                                           Boot Image (1)   Flash Image
FESX pre-release 02.3.01                          FEXZxxxxx.bin    FEXSxxxxx.bin
FESX release 02.3.01 through pre-release 03.0.00  FEXZxxxxx.bin    SXSxxxxx.bin (Layer 2) or SXLxxxxx.bin (Base Layer 3) or SXRxxxxx.bin (Full Layer 3)
FESX release 03.0.00 and later                    SXZxxxxx.bin     SXSxxxxx.bin (Layer 2) or SXLxxxxx.bin (Base Layer 3) or SXRxxxxx.bin (Full Layer 3)
FGS and FLS                                       FGZxxxxx.bin     FGSxxxxx.bin (Layer 2) or FGLxxxxx.bin (Base Layer 3)
FGS-STK and FLS-STK                               FGSxxxxx.bin     FGSxxxxx.bin (Layer 2) or FGLxxxxx.bin (Base Layer 3)
FWS                                               <FWSxxxxx.bin>   Need images here
FSX, FSX 800, and FSX 1600                        SXZxxxxx.bin     SXSxxxxx.bin (Layer 2) or SXLxxxxx.bin (Base Layer 3) or SXRxxxxx.bin (Full Layer 3)
FWSX                                              FWXZxxxxx.bin    FWXSxxxxx.bin (Layer 2)

1. These images are applicable to these devices only and are not interchangeable. For example, you cannot load FWSX boot or flash images on a FSX device, and vice versa. Also, you cannot load other images, such as B2R or B2S, for BigIron devices, on the FastIron family of switches.

Upgrading Software

Use the following procedures to upgrade the software.
NOTE: This section does not describe how to upgrade a FESX or FSX base model to a premium (PREM) model. To perform this upgrade, you need an upgrade kit. Contact Foundry Networks for information.

Note Regarding Upgrading from FGS 02.4.00 to the New Release

When upgrading to release 02.5.00, the software automatically converts the saved system configuration to the new stack/slot/port nomenclature (see “CLI Nomenclature on FastIron GS and FastIron LS Devices” on page 2-3). The software makes the configuration change only for the saved configuration when the device is started.

Software release 02.5.00 is not backward-compatible. If the software is downgraded from release 02.5.00, the configuration must be reloaded.

Migrating to the New Release (FESX and FSX devices only)

Beginning with release 02.3.01, FESX and FSX devices share the same flash images. In releases prior to 02.3.01, FESX and FSX flash images were separate and were issued via separate software releases. Starting with release 02.3.01, the flash images for these devices were merged and are now issued in the same software release. The new, combined flash images may create unique software upgrade circumstances for FESX and FSX devices. (FWSX devices are not affected by the software merge.)

If your device is currently running software release 02.2.00 or later (FESX devices), or 02.2.01a or later (FSX devices), your device is not affected by the software merge. However, if your FESX or FSX device is running a release earlier than these versions, you must first upgrade the software on your device to FESX release 02.2.00 or later, or FSX release 02.2.01a or later, before loading the new software image. Earlier releases will not allow you to load the 02.3.01 or later software image.

To determine which software version is running on your device, use the show version command. See the following sections for information on how to upgrade the software images on your device.
Upgrading from FESX pre-02.2.00 or FSX pre-02.2.01a to the New Release

If your device is running a software release earlier than FESX 02.2.00 or FSX 02.2.01a, you must first upgrade it to FESX 02.2.00 or later, or FSX 02.2.01a or later, before you can upgrade it to the new release. Follow the instructions below.
1. Upgrade your device to software release FESX 02.2.00 or later, or FSX 02.2.01a or later. Follow the steps presented in “Upgrading Software” on page 6-7 and “Upgrading the Flash Code” on page 6-8. Make sure you reload the software after loading the flash code.
2. Upgrade your device to the new software release. Refer to one of the following sections:
• FESX – “Upgrading from FESX 02.2.00 or later to the New Release” on page 6-7.
• FSX – “Upgrading from FSX 02.2.01a or later to the New Release” on page 6-7.

Upgrading from FESX 02.2.00 or later to the New Release
1. Upgrade the boot code to the new version (FEXZ0xxxx.bin) using the steps presented in “Upgrading Software” on page 6-7.
2. Upgrade the flash code to the new version using the steps presented in “Upgrading the Flash Code” on page 6-8.

Upgrading from FSX 02.2.01a or later to the New Release
1. Upgrade the boot code to the new version (SXZ0xxxx.bin) using the steps presented in “Upgrading Software” on page 6-7.
2. Upgrade the flash code to the new version using the steps presented in “Upgrading the Flash Code” on page 6-8.

Upgrading the Boot Code

NOTES:
• If you are upgrading a FESX or FSX device, see “Migrating to the New Release (FESX and FSX devices only)” on page 6-7 before performing the steps in this section.
• If you are upgrading an FGS device from release 02.4.00, see “Note Regarding Upgrading from FGS 02.4.00 to the New Release” on page 6-7 before performing the steps in this section.

1. Place the new boot code on a TFTP server to which the Foundry device has access.
2.
Enter the following command at the Privileged EXEC level of the CLI (example: FastIron Switch#) to copy the boot code from the TFTP server into flash memory:
• copy tftp flash <ip-addr> <image-file-name> bootrom

NOTE: Use the copy tftp flash command to copy the boot code to the Foundry device only during a maintenance window. Attempting to do so during normal networking operations can cause disruption to the network.

3. Verify that the code has been successfully copied by entering the following command at any level of the CLI:
• show flash
The output displays the compressed boot ROM code size and the boot code version.
4. Upgrade the flash code as instructed in the following section.

Upgrading the Flash Code

NOTE: If you are upgrading a FESX or FSX device, see “Migrating to the New Release (FESX and FSX devices only)” on page 6-7 before performing the steps in this section.

1. Place the new flash code on a TFTP server to which the Foundry device has access.
2. Enter the following command at the Privileged EXEC level of the CLI (example: FastIron Switch#) to copy the flash code from the TFTP server into the flash memory:
• copy tftp flash <ip-addr> <image-file-name> primary | secondary
3. Verify that the flash code has been successfully copied by entering the following command at any level of the CLI:
• show flash
4. If the flash code version is correct, go to Step 5. Otherwise, go to Step 1.
5. Reload the software by entering one of the following commands:
• reload (this command boots from the default boot source, which is the primary flash area by default)
• boot system flash primary | secondary

NOTE: Release 03.1.00a added a confirmation step in the boot system flash process. This step occurs after a boot system flash primary/secondary command is entered and gives an administrator the opportunity to make last-minute changes or corrections before performing a reload.
The example below shows the confirmation step:

FastIron Switch#boot system flash primary
Are you sure? (enter ‘Y’ or ‘N’): y

Boot Code Synchronization Feature

Release 03.1.00a added support for automatic synchronization of the boot image in the active and redundant management modules. When the new boot image is copied into the active module, it is automatically synchronized with the redundant management module.

NOTE: There is currently no option for manual synchronization of the boot image.

To activate the boot synchronization process, enter the following command:

FastIron#copy tftp flash 192.168.255.102 superx/boot/sxz03001.bin bootrom

The system responds with the following message:

FastIron#Load to buffer (8192 bytes per dot)
..................Write to boot flash......................
TFTP to Flash Done.
FastIron#Synchronizing with standby module...
Boot image synchronization done.

Important Notes About Downgrading from FSX 04.1.00

When downgrading from software release FSX 04.1.00 to an earlier release, you must do the following:
• If the system-max ip-route configuration is present, prior to downgrading the software, you must modify the value to reflect the maximum value supported in the earlier release. This is because software release 04.1.00 supports a maximum value of 524288, which is a higher value than in previous releases. For more information, see “Modifying System Parameter Default Values” on page 11-18.
• If the Layer 3 switch has an IPv6 PROM installed, you must remove the following IPv6 configurations from the system, as these features are not supported in release FSX 04.0.01:
Global CONFIG commands:
• ipv6 unicast-routing
• ipv6 router rip
• ipv6 router ospf
Interface level commands:
• ipv6 rip
• ipv6 ospf
Tunnel Interface command:
• tunnel mode ipv6ip

Using SNMP to Upgrade Software

You can use a third-party SNMP management application such as HP OpenView to upgrade software on a Foundry device.

NOTE: The syntax shown in this section assumes that you have installed HP OpenView in the “/usr” directory.

NOTE: Foundry recommends that you make a backup copy of the startup-config file before you upgrade the software. If you need to run an older release, you will need to use the backup copy of the startup-config file.

1. Configure a read-write community string on the Foundry device, if one is not already configured. To configure a read-write community string, enter the following command from the global CONFIG level of the CLI:
snmp-server community <string> ro | rw
where <string> is the community string and can be up to 32 characters long.
2. On the Foundry device, enter the following command from the global CONFIG level of the CLI:
no snmp-server pw-check
This command disables password checking for SNMP set requests. If a third-party SNMP management application does not add a password to the password field when it sends SNMP set requests to a Foundry device, by default the Foundry device rejects the request.
3.
From the command prompt in the UNIX shell, enter the following command:
/usr/OV/bin/snmpset -c <rw-community-string> <fdry-ip-addr> 1.3.6.1.4.1.1991.1.1.2.1.5.0 ipaddress <tftp-ip-addr> 1.3.6.1.4.1.1991.1.1.2.1.6.0 octetstringascii <file-name> 1.3.6.1.4.1.1991.1.1.2.1.7.0 integer <command-integer>
where:
<rw-community-string> is a read-write community string configured on the Foundry device.
<fdry-ip-addr> is the Foundry device’s IP address.
<tftp-ip-addr> is the TFTP server’s IP address.
<file-name> is the image file name.
<command-integer> is one of the following:
20 – Download the flash code into the device’s primary flash area.
22 – Download the flash code into the device’s secondary flash area.

Changing the Block Size for TFTP File Transfers

When you use TFTP to copy a file to or from a Foundry device, the device transfers the data in blocks of 8192 bytes by default. You can change the block size to one of the following if needed:
• 4096
• 2048
• 1024
• 512
• 256
• 128
• 64
• 32
• 16

To change the block size for TFTP file transfers, enter a command such as the following at the global CONFIG level of the CLI:

FastIron(config)#flash 2047
set flash copy block size to 2048

Syntax: [no] flash <num>

The software rounds up the <num> value you enter to the next valid power of two, and displays the resulting value. In this example, the software rounds the value up to 2048.

NOTE: If the value you enter is one of the valid powers of two for this parameter, the software still rounds the value up to the next valid power of two. Thus, if you enter 2048, the software rounds the value up to 4096.

Rebooting

You can use boot commands to immediately initiate software boots from a software image stored in primary or secondary flash on a Foundry device or from a BootP or TFTP server.
You can test new versions of code on a Foundry device or choose the preferred boot source from the console boot prompt without requiring a system reset.

NOTE: It is very important that you verify a successful TFTP transfer of the boot code before you reset the system. If the boot code is not transferred successfully but you try to reset the system, the system will not have the boot code with which to successfully boot.

By default, the Foundry device first attempts to boot from the image stored in its primary flash, then its secondary flash, and then from a TFTP server. You can modify this booting sequence at the global CONFIG level of the CLI using the boot system… command.

To initiate an immediate boot from the CLI, enter one of the boot system… commands.

NOTE: In FastIron X Series devices running software release 03.0.00 and higher, the boot system tftp command is supported on ports e 1 through e 12 only.

Displaying the Boot Preference

Use the show boot-preference command to display the boot sequence in the startup config and running config files. The boot sequence displayed is also identified as either user-configured or the default. The following example shows the default boot sequence preference.

FastIron#show boot-preference
Boot system preference (Configured):
Use Default
Boot system preference(Default):
Boot system flash primary
Boot system flash secondary

The following example shows a user-configured boot sequence preference:

FastIron#show boot-preference
Boot system preference(Configured):
Boot system flash secondary
Boot system tftp 10.1.1.1 FGS04000b1.bin
Boot system flash primary
Boot system preference (Default)
Boot system flash primary
Boot system flash secondary

Syntax: show boot-preference
Platform Support:
• FastIron X Series devices running software release 04.0.00
• FGS and FLS devices running software release 04.0.00
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

The results of the show run command for the configured example above appear as follows:

FastIron#show run
Current Configuration:
!
ver 04.0.00x1T7el
!
module 1 fgs-48-port-copper-base-module
module 2 fgs-xfp-1-port-10g-module
module 3 fgs-xfp-1-port-10g-module
!
alias cp=copy tf 10.1.1.1 FGS04000bl.bin pri
!
!
boot sys fl sec
boot sys df 10.1.1.1 FGS04000bl.bin
boot sys fl pri
ip address 10.1.1.4 255.255.255.0
snmp-client 10.1.1.1
!
end

Loading and Saving Configuration Files

For easy configuration management, all Foundry devices support both the download and upload of configuration files between the devices and a TFTP server on the network.

You can upload either the startup configuration file or the running configuration file to the TFTP server for backup and use in booting the system.
• Startup configuration file – This file contains the configuration information that is currently saved in flash. To display this file, enter the show configuration command at any CLI prompt.
• Running configuration file – This file contains the configuration active in the system RAM but not yet saved to flash. These changes could represent a short-term requirement or general configuration change. To display this file, enter the show running-config or write terminal command at any CLI prompt.

Each device can have one startup configuration file and one running configuration file. The startup configuration file is shared by both flash modules. The running configuration file resides in DRAM.

When you load the startup-config file, the CLI parses the file three times.
1. During the first pass, the parser searches for system-max commands.
A system-max command changes the size of statically configured memory.
2. During the second pass, the parser implements the system-max commands if present and also implements trunk configuration commands (trunk command) if present.
3. During the third pass, the parser implements the remaining commands.

Replacing the Startup Configuration with the Running Configuration

After you make configuration changes to the active system, you can save those changes by writing them to flash memory. When you write configuration changes to flash memory, you replace the startup configuration with the running configuration.

To replace the startup configuration with the running configuration, enter the following command at any Enable or CONFIG command prompt:

FastIron#write memory

Replacing the Running Configuration with the Startup Configuration

If you want to back out of the changes you have made to the running configuration and return to the startup configuration, enter the following command at the Privileged EXEC level of the CLI:

FastIron#reload

Logging Changes to the Startup-Config File

You can configure a Foundry device to generate a Syslog message when the startup-config file is changed. The trap is enabled by default. The following Syslog message is generated when the startup-config file is changed:

startup-config was changed

If the startup-config file was modified by a valid user, the following Syslog message is generated:

startup-config was changed by <username>

To disable or re-enable Syslog messages when the startup-config file is changed, use the following command:

Syntax: [no] logging enable config-changed

Copying a Configuration File to or from a TFTP Server

To copy the startup-config or running-config file to or from a TFTP server, use one of the following methods.

NOTE: You can name the configuration file when you copy it to a TFTP server.
However, when you copy a configuration file from the server to a Foundry device, the file is always copied as “startup-config” or “running-config”, depending on which type of file you saved to the server.

To initiate transfers of configuration files to or from a TFTP server using the CLI, enter one of the following commands:
• copy startup-config tftp <tftp-ip-addr> <filename> – Use this command to upload a copy of the startup configuration file from the Layer 2 Switch or Layer 3 Switch to a TFTP server.
• copy running-config tftp <tftp-ip-addr> <filename> – Use this command to upload a copy of the running configuration file from the Layer 2 Switch or Layer 3 Switch to a TFTP server.
• copy tftp startup-config <tftp-ip-addr> <filename> – Use this command to download a copy of the startup configuration file from a TFTP server to a Layer 2 Switch or Layer 3 Switch.

Dynamic Configuration Loading

You can load dynamic configuration commands (commands that do not require a reload to take effect) from a file on a TFTP server into a Foundry device’s running-config. You can make configuration changes off-line, then load the changes directly into the device’s running-config, without reloading the software.

Usage Considerations
• Use this feature only to load configuration information that does not require a software reload to take effect. For example, you cannot use this feature to change statically configured memory (system-max command) or to enter trunk group configuration information into the running-config.
• Do not use this feature if you have deleted a trunk group but have not yet placed the changes into effect by saving the configuration and then reloading. When you delete a trunk group, the command to configure the trunk group is removed from the device’s running-config, but the trunk group remains active.
To finish deleting a trunk group, save the configuration (to the startup-config file), then reload the software. After you reload the software, you can load the configuration from the file.
• Do not load port configuration information for secondary ports in a trunk group. Since all ports in a trunk group use the port configuration settings of the primary port in the group, the software cannot implement the changes to the secondary port.

Preparing the Configuration File
A configuration file that you create must follow the same syntax rules as the startup-config file the device creates.
• The configuration file is a script containing CLI configuration commands. The CLI reacts to each command entered from the file in the same way the CLI reacts to the command if you enter it. For example, if the command results in an error message or a change to the CLI configuration level, the software responds by displaying the message or changing the CLI level.
• The software retains the running-config that is currently on the device, and changes the running-config only by adding new commands from the configuration file. If the running-config already contains a command that is also in the configuration file you are loading, the CLI rejects the new command as a duplicate and displays an error message. For example, if the running-config already contains a command that configures ACL 1, the software rejects ACL 1 in the configuration file, and displays a message that ACL 1 is already configured.
• The file can contain global CONFIG commands or configuration commands for interfaces, routing protocols, and so on. You cannot enter User EXEC or Privileged EXEC commands.
• The default CLI configuration level in a configuration file is the global CONFIG level. Thus, the first command in the file must be a global CONFIG command or “!”. The ! (exclamation point) character means “return to the global CONFIG level”.
NOTE: You can enter text following “!” as a comment.
However, the “!” is not a comment marker. It returns the CLI to the global configuration level.
NOTE: If you copy-and-paste a configuration into a management session, the CLI ignores the “!” instead of changing the CLI to the global CONFIG level. As a result, you might get different results if you copy-and-paste a configuration instead of loading the configuration using TFTP.
• Make sure you enter each command at the correct CLI level. Since some commands have identical forms at both the global CONFIG level and individual configuration levels, if the CLI’s response to the configuration file results in the CLI entering a configuration level you did not intend, then you can get unexpected results. For example, if a trunk group is active on the device, and the configuration file contains a command to disable STP on one of the secondary ports in the trunk group, the CLI rejects the commands to enter the interface configuration level for the port and moves on to the next command in the file you are loading. If the next command is a spanning-tree command whose syntax is valid at the global CONFIG level as well as the interface configuration level, then the software applies the command globally. Here is an example:
The configuration file contains these commands:
interface ethernet 2
no spanning-tree
The CLI responds like this:
FastIron(config)#interface ethernet 2
Error - cannot configure secondary ports of a trunk
FastIron(config)#no spanning-tree
FastIron(config)#
• If the file contains commands that must be entered in a specific order, the commands must appear in the file in the required order. For example, if you want to use the file to replace an IP address on an interface, you must first remove the old address using “no” in front of the ip address command, then add the new address. Otherwise, the CLI displays an error message and does not implement the command.
Here is an example:
The configuration file contains these commands:
interface ethernet 11
ip address 10.10.10.69/24
The running-config already has a command to add an address to port 11, so the CLI responds like this:
FastIron(config)#interface ethernet 11
FastIron(config-if-e1000-11)#ip add 10.10.10.69/24
Error: can only assign one primary ip address per subnet
FastIron(config-if-e1000-11)#
To successfully replace the address, enter commands into the file as follows:
interface ethernet 11
no ip address 20.20.20.69/24
ip address 10.10.10.69/24
This time, the CLI accepts the command, and no error message is displayed:
FastIron(config)#interface ethernet 11
FastIron(config-if-e1000-11)#no ip add 20.20.20.69/24
FastIron(config-if-e1000-11)#ip add 10.10.10.69/24
FastIron(config-if-e1000-11)#
• Always use the end command at the end of the file. The end command must appear on the last line of the file, by itself.

Loading the Configuration Information into the Running-Config
To load the file from a TFTP server, use either of the following commands:
• copy tftp running-config <ip-addr> <filename>
• ncopy tftp <ip-addr> <filename> running-config
NOTE: If you are loading a configuration file that uses a truncated form of the CLI command access-list, the software will not go into batch mode. For example, the following command line will initiate batch mode:
access-list 131 permit host pc1 host pc2
The following command line will not initiate batch mode:
acc 131 permit host pc1 host pc2

Maximum File Sizes for Startup-Config File and Running-Config
Each Foundry device has a maximum allowable size for the running-config and the startup-config file. If you use TFTP to load additional information into a device’s running-config or startup-config file, it is possible to exceed the maximum allowable size. If this occurs, you will not be able to save the configuration changes. The maximum size for the running-config and the startup-config file is 64K each.
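Two checks that this material lends itself to automating, as an added example that is not Foundry code: a pre-load lint of a configuration script against the rules under “Preparing the Configuration File” and the 64K limit above (last line must be end, first line must be a global CONFIG command or “!”, no EXEC commands, exact duplicates of running-config commands are rejected, an ip address must be removed before a replacement is added), and a parser for the two Syslog message forms documented under “Logging Changes to the Startup-Config File”. Assumptions: “64K” is read as 65536 bytes, the EXEC_COMMANDS and GLOBAL_COMMANDS word lists are illustrative rather than the device’s full command set, the running-config and script text and the Syslog lines are constructed, and the Syslog prefix in front of the documented message text is a constructed framing.

```python
import re

MAX_CONFIG_BYTES = 64 * 1024   # assumed reading of the guide's "64K" limit

# Assumed word lists: EXEC-level commands that must not appear in a configuration
# file, and a few global CONFIG command words accepted as a valid first line.
EXEC_COMMANDS = {"show", "write", "copy", "ncopy", "erase", "ping"}
GLOBAL_COMMANDS = {"interface", "access-list", "ipv6", "vlan", "hostname",
                   "logging", "snmp-server", "web", "log", "spanning-tree"}


def _index_config(config_text):
    """Split a configuration into global-level commands and the 'ip address'
    lines under each interface. Context tracking follows the guide: an
    'interface ...' line enters interface level, '!' or 'end' returns to global."""
    global_cmds, addrs, current = set(), {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line
            addrs.setdefault(current, set())
        elif line.startswith("!") or line == "end":
            current = None
        elif current is None:
            global_cmds.add(line)
        elif line.startswith("ip address "):
            addrs[current].add(line)
    return global_cmds, addrs


def lint_config_script(script, running_config=""):
    """Return the problems found in a script destined for 'copy tftp running-config';
    an empty list means every check passed."""
    problems = []
    if len(script.encode("utf-8")) > MAX_CONFIG_BYTES:
        problems.append(f"script is larger than {MAX_CONFIG_BYTES} bytes")
    lines = [l.strip() for l in script.splitlines() if l.strip()]
    if not lines:
        return ["script is empty"]
    if lines[-1] != "end":
        problems.append("last line must be 'end' on a line by itself")
    if not (lines[0].startswith("!") or lines[0].split()[0] in GLOBAL_COMMANDS):
        problems.append(f"first line is not a global CONFIG command or '!': {lines[0]!r}")

    running_global, running_addrs = _index_config(running_config)
    current, removed = None, set()
    for n, line in enumerate(lines, 1):
        word = line.split()[0]
        if word in EXEC_COMMANDS:
            problems.append(f"line {n}: EXEC command {word!r} is not allowed in a configuration file")
            continue
        if line.startswith("!") or line == "end":
            current, removed = None, set()          # back to the global CONFIG level
        elif line.startswith("interface "):
            current, removed = line, set()
        elif current is None:
            if line in running_global:              # the CLI rejects exact duplicates
                problems.append(f"line {n}: duplicate of a running-config command: {line!r}")
        elif line.startswith("no ip address "):
            removed.add(line[3:])
        elif line.startswith("ip address "):
            existing = running_addrs.get(current, set()) - removed
            if existing:
                problems.append(f"line {n}: {current} already has {sorted(existing)[0]!r}; "
                                "remove it with 'no ip address' before adding a new one")
    return problems


# Syslog side: the two message forms the guide documents for startup-config changes.
CHANGE_RE = re.compile(r"startup-config was changed(?: by (?P<user>\S+))?\s*$")


def audit_startup_config_changes(syslog_lines):
    """Return (line number, user) for each startup-config change; user is None
    when the device did not attribute the change to a valid user."""
    hits = []
    for n, line in enumerate(syslog_lines, 1):
        m = CHANGE_RE.search(line)
        if m:
            hits.append((n, m.group("user")))
    return hits


# Constructed sample data (not captured from a device).
RUNNING_CONFIG = """!
interface ethernet 11
 ip address 20.20.20.69/24
!
access-list 1 permit any
!
end
"""
GOOD_SCRIPT = "interface ethernet 11\nno ip address 20.20.20.69/24\nip address 10.10.10.69/24\nend\n"
BAD_SCRIPT = "interface ethernet 11\nip address 10.10.10.69/24\n!\naccess-list 1 permit any\nwrite memory\n"
SAMPLE_SYSLOG = [
    "Dec  5 09:12:44 FastIron: startup-config was changed by admin",
    "Dec  5 09:12:50 FastIron: Interface ethernet 2, state up",
    "Dec  5 09:15:03 FastIron: startup-config was changed",
]

if __name__ == "__main__":
    print(lint_config_script(GOOD_SCRIPT, RUNNING_CONFIG))   # []
    for p in lint_config_script(BAD_SCRIPT, RUNNING_CONFIG):
        print("BAD:", p)
    print(audit_startup_config_changes(SAMPLE_SYSLOG))       # [(1, 'admin'), (3, None)]
```

The duplicate check is exact-match only, mirroring the guide’s description of the CLI; a change whose Syslog message carries no username is worth reviewing, since the device attributes a change to a user only when it can.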
To determine the size of a Foundry device’s running-config or startup-config file, copy it to a TFTP server, then use the directory services on the server to list the size of the copied file. To copy the running-config or startup-config file to a TFTP server, use one of the following commands.
• Commands to copy the running-config to a TFTP server:
  • copy running-config tftp <ip-addr> <filename>
  • ncopy running-config tftp <ip-addr> <from-name>
• Commands to copy the startup-config file to a TFTP server:
  • copy startup-config tftp <ip-addr> <filename>
  • ncopy startup-config tftp <ip-addr> <from-name>

Loading and Saving Configuration Files with IPv6
Platform Support:
• FastIron X Series devices running software release 02.4.00 and later
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later
The copy command for IPv6 allows you to do the following:
• Copy a file from a specified source to an IPv6 TFTP server
• Copy a file from an IPv6 TFTP server to a specified destination

Copying a File to an IPv6 TFTP Server
You can copy a file from the following sources to an IPv6 TFTP server:
• Flash memory
• Running configuration
• Startup configuration

Copying a File from Flash Memory
For example, to copy the primary or secondary boot image from the device’s flash memory to an IPv6 TFTP server, enter a command such as the following:
FastIron#copy flash tftp 2001:7382:e0ff:7837::3 test.img secondary
This command copies the secondary boot image named test.img from flash memory to a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3.
Syntax: copy flash tftp <ipv6-address> <source-file-name> primary | secondary
The <ipv6-address> parameter specifies the address of the TFTP server.
You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <source-file-name> parameter specifies the name of the file you want to copy to the IPv6 TFTP server.
The primary keyword specifies the primary boot image, while the secondary keyword specifies the secondary boot image.

Copying a File from the Running or Startup Configuration
For example, to copy the running configuration to an IPv6 TFTP server, enter a command such as the following:
FastIron#copy running-config tftp 2001:7382:e0ff:7837::3 newrun.cfg
This command copies the running configuration to a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3 and names the file on the TFTP server newrun.cfg.
Syntax: copy running-config | startup-config tftp <ipv6-address> <destination-file-name>
Specify the running-config keyword to copy the running configuration file to the specified IPv6 TFTP server. Specify the startup-config keyword to copy the startup configuration file to the specified IPv6 TFTP server.
The tftp <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <destination-file-name> parameter specifies the name of the file that is copied to the IPv6 TFTP server.
Copying a File from an IPv6 TFTP Server
You can copy a file from an IPv6 TFTP server to the following destinations:
• Flash memory
• Running configuration
• Startup configuration

Copying a File to Flash Memory
For example, to copy a boot image from an IPv6 TFTP server to the primary or secondary storage location in the device’s flash memory, enter a command such as the following:
FastIron#copy tftp flash 2001:7382:e0ff:7837::3 test.img secondary
This command copies a boot image named test.img from an IPv6 TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3 to the secondary storage location in the device’s flash memory.
Syntax: copy tftp flash <ipv6-address> <source-file-name> primary | secondary
The <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <source-file-name> parameter specifies the name of the file you want to copy from the IPv6 TFTP server.
The primary keyword specifies the primary storage location in the device’s flash memory, while the secondary keyword specifies the secondary storage location in the device’s flash memory.

Copying a File to the Running or Startup Configuration
For example, to copy a configuration file from an IPv6 TFTP server to the device’s running or startup configuration, enter a command such as the following.
FastIron#copy tftp running-config 2001:7382:e0ff:7837::3 newrun.cfg overwrite
This command copies the newrun.cfg file from the IPv6 TFTP server and overwrites the device’s running configuration file with the contents of newrun.cfg.
NOTE: To activate this configuration, you must reload (reset) the device.
Syntax: copy tftp running-config | startup-config <ipv6-address> <source-file-name> [overwrite]
Specify the running-config keyword to copy the running configuration from the specified IPv6 TFTP server. Specify the startup-config keyword to copy the startup configuration from the specified IPv6 TFTP server.
The <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <source-file-name> parameter specifies the name of the file that is copied from the IPv6 TFTP server.
The overwrite keyword specifies that the device should overwrite the current configuration file with the copied file. If you do not specify this parameter, the device copies the file into the current running or startup configuration but does not overwrite the current configuration.

Using the IPv6 Ncopy Command
Platform Support:
• FastIron X Series devices running software release 02.4.00 and later
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later
The ncopy command for IPv6 allows you to do the following:
• Copy a primary or secondary boot image from flash memory to an IPv6 TFTP server.
• Copy the running configuration to an IPv6 TFTP server.
• Copy the startup configuration to an IPv6 TFTP server.
• Upload various files from an IPv6 TFTP server.

Copying a Primary or Secondary Boot Image from Flash Memory to an IPv6 TFTP Server
For example, to copy the primary or secondary boot image from the device’s flash memory to an IPv6 TFTP server, enter a command such as the following:
FastIron#ncopy flash primary tftp 2001:7382:e0ff:7837::3 primary.img
This command copies the primary boot image named primary.img from flash memory to a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3.
Syntax: ncopy flash primary | secondary tftp <ipv6-address> <source-file-name>
The primary keyword specifies the primary boot image, while the secondary keyword specifies the secondary boot image.
The tftp <ipv6-address> parameter specifies the address of the TFTP server.
You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <source-file-name> parameter specifies the name of the file you want to copy from flash memory.

Copying the Running or Startup Configuration to an IPv6 TFTP Server
For example, to copy a device’s running or startup configuration to an IPv6 TFTP server, enter a command such as the following:
FastIron#ncopy running-config tftp 2001:7382:e0ff:7837::3 bakrun.cfg
This command copies a device’s running configuration to a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3 and names the destination file bakrun.cfg.
Syntax: ncopy running-config | startup-config tftp <ipv6-address> <destination-file-name>
Specify the running-config keyword to copy the device’s running configuration or the startup-config keyword to copy the device’s startup configuration.
The tftp <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <destination-file-name> parameter specifies the name of the running configuration that is copied to the IPv6 TFTP server.

Uploading Files from an IPv6 TFTP Server
You can upload the following files from an IPv6 TFTP server:
• Primary boot image.
• Secondary boot image.
• Running configuration.
• Startup configuration.

Uploading a Primary or Secondary Boot Image from an IPv6 TFTP Server
For example, to upload a primary or secondary boot image from an IPv6 TFTP server to a device’s flash memory, enter a command such as the following:
FastIron#ncopy tftp 2001:7382:e0ff:7837::3 primary.img flash primary
This command uploads the primary boot image named primary.img from a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3 to the device’s primary storage location in flash memory.
Syntax: ncopy tftp <ipv6-address> <source-file-name> flash primary | secondary
The tftp <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <source-file-name> parameter specifies the name of the file you want to copy from the TFTP server.
The primary keyword specifies the primary location in flash memory, while the secondary keyword specifies the secondary location in flash memory.

Uploading a Running or Startup Configuration from an IPv6 TFTP Server
For example, to upload a running or startup configuration from an IPv6 TFTP server to a device, enter a command such as the following:
FastIron#ncopy tftp 2001:7382:e0ff:7837::3 newrun.cfg running-config
This command uploads a file named newrun.cfg from a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3 to the device.
Syntax: ncopy tftp <ipv6-address> <source-file-name> running-config | startup-config
The tftp <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <source-file-name> parameter specifies the name of the file you want to copy from the TFTP server.
Specify the running-config keyword to upload the specified file from the IPv6 TFTP server to the device. The device copies the specified file into the current running configuration but does not overwrite the current configuration.
Specify the startup-config keyword to upload the specified file from the IPv6 TFTP server to the device. The device copies the specified file into the current startup configuration but does not overwrite the current configuration.

Using SNMP to Save and Load Configuration Information
You can use a third-party SNMP management application such as HP OpenView to save and load a Foundry device’s configuration.
To save and load configuration information using HP OpenView, use the following procedure.
NOTE: The syntax shown in this section assumes that you have installed HP OpenView in the “/usr” directory.
1. Configure a read-write community string on the Foundry device, if one is not already configured. To configure a read-write community string, enter the following command from the global CONFIG level of the CLI:
snmp-server community <string> ro | rw
where <string> is the community string and can be up to 32 characters long.
2. On the Foundry device, enter the following command from the global CONFIG level of the CLI:
no snmp-server pw-check
This command disables password checking for SNMP set requests. If a third-party SNMP management application does not add a password to the password field when it sends SNMP set requests to a Foundry device, by default the Foundry device rejects the request.
3. From the command prompt in the UNIX shell, enter the following command:
/usr/OV/bin/snmpset -c <rw-community-string> <fdry-ip-addr> 1.3.6.1.4.1.1991.1.1.2.1.5.0 ipaddress <tftp-ip-addr> 1.3.6.1.4.1.1991.1.1.2.1.8.0 octetstringascii <config-file-name> 1.3.6.1.4.1.1991.1.1.2.1.9.0 integer <command-integer>
where:
<rw-community-string> is a read-write community string configured on the Foundry device.
<fdry-ip-addr> is the Foundry device’s IP address.
<tftp-ip-addr> is the TFTP server’s IP address.
<config-file-name> is the configuration file name.
<command-integer> is one of the following:
20 – Upload the startup-config file from the Foundry device’s flash memory to the TFTP server.
21 – Download a startup-config file from a TFTP server to the Foundry device’s flash memory.
22 – Upload the running-config from the Foundry device’s flash memory to the TFTP server.
23 – Download a configuration file from a TFTP server into the Foundry device’s running-config.
NOTE: Option 23 adds configuration information to the running-config on the device, and does not replace commands. If you want to replace configuration information in the device, use “no” forms of the configuration commands to remove the configuration information, then use configuration commands to create the configuration information you want. Follow the guidelines in “Dynamic Configuration Loading” on page 6-13.

Erasing Image and Configuration Files
To erase software images or configuration files, use the commands described below. These commands are valid at the Privileged EXEC level of the CLI.
• erase flash primary erases the image stored in primary flash of the system.
• erase flash secondary erases the image stored in secondary flash of the system.
• erase startup-config erases the configuration stored in the startup configuration file; however, the running configuration remains intact until system reboot.

Scheduling a System Reload
In addition to reloading the system manually, you can configure the Foundry device to reload itself at a specific time or after a specific amount of time has passed.
NOTE: The scheduled reload feature requires the system clock. You can use a Simple Network Time Protocol (SNTP) server to set the clock or you can set the device clock manually. See “Specifying a Simple Network Time Protocol (SNTP) Server” on page 5-9 or “Setting the System Clock” on page 5-11.

Reloading at a Specific Time
To schedule a system reload for a specific time, use the reload at command. For example, to schedule a system reload from the primary flash module for 6:00:00 AM, April 1, 2003, enter the following command at the global CONFIG level of the CLI:
FastIron#reload at 06:00:00 04-01-03
Syntax: reload at <hh:mm:ss> <mm-dd-yy> [primary | secondary]
<hh:mm:ss> is the hours, minutes, and seconds.
<mm-dd-yy> is the month, day, and year.
primary | secondary specifies whether the reload is to occur from the primary code flash module or the secondary code flash module. The default is primary.

Reloading after a Specific Amount of Time
To schedule a system reload to occur after a specific amount of time has passed on the system clock, use the reload after command. For example, to schedule a system reload from the secondary flash one day and 12 hours later, enter the following command at the global CONFIG level of the CLI:
FastIron#reload after 01:12:00 secondary
Syntax: reload after <dd:hh:mm> [primary | secondary]
<dd:hh:mm> is the number of days, hours, and minutes.
primary | secondary specifies whether the reload is to occur from the primary code flash module or the secondary code flash module.

Displaying the Amount of Time Remaining Before a Scheduled Reload
To display how much time is remaining before a scheduled system reload, enter the following command from any level of the CLI:
FastIron#show reload

Canceling a Scheduled Reload
To cancel a scheduled system reload using the CLI, enter the following command at the global CONFIG level of the CLI:
FastIron#reload cancel

Diagnostic Error Codes and Remedies for TFTP Transfers
If an error occurs with a TFTP transfer to or from a Foundry Layer 2 Switch or Layer 3 Switch, one of the following error codes displays on the console. Each entry lists the error code, the message, and the explanation and action.
1 – Flash read preparation failed.
2 – Flash read failed.
3 – Flash write preparation failed.
4 – Flash write failed.
  Codes 1 through 4: A flash error occurred during the download. Retry the download. If it fails again, contact customer support.
5 – TFTP session timeout.
  TFTP failed because of a time out. Check IP connectivity and make sure the TFTP server is running.
6 – TFTP out of buffer space.
  The file is larger than the amount of room on the device or TFTP server. If you are copying an image file to flash, first copy the other image to your TFTP server, then delete it from flash. (Use the erase flash... CLI command at the Privileged EXEC level to erase the image in the flash.) If you are copying a configuration file to flash, edit the file to remove unneeded information, then try again.
7 – TFTP busy, only one TFTP session can be active.
  Another TFTP transfer is active on another CLI session, or Web management session, or IronView Network Manager session. Wait, then retry the transfer.
8 – File type check failed.
  You accidentally attempted to copy the incorrect image code into the system. For example, you might have tried to copy a Chassis image into a Compact device. Retry the transfer using the correct image.
16 – TFTP remote - general error.
17 – TFTP remote - no such file.
18 – TFTP remote - access violation.
19 – TFTP remote - disk full.
20 – TFTP remote - illegal operation.
21 – TFTP remote - unknown transfer ID.
22 – TFTP remote - file already exists.
23 – TFTP remote - no such user.
  Codes 16 through 23: The TFTP configuration has an error. The specific error message describes the error. Correct the error, then retry the transfer.

Chapter 7
IPv6 Management on FastIron GS, and FastIron LS, and FastIron WS Devices
This chapter describes the IPv6 management features available for FastIron GS, and FastIron LS, and FastIron WS devices, including command syntax and management examples.
NOTE: For details about IPv6 management on FastIron X Series devices, see “IPv6 Management on FastIron X Series Devices (IPv6 Host Support)” on page 8-11.

IPv6 Management Overview
IPv6 was designed to replace IPv4, the Internet protocol that is most commonly used currently throughout the world.
IPv6 increases the number of network address bits from 32 (IPv4) to 128, which provides more than enough unique IP addresses to support all of the network devices on the planet into the future. IPv6 is expected to quickly become the network standard.
Foundry FastIron devices that support IPv6 may be used as management hosts. Interfaces on these devices are configured with IPv6 addresses, but do not have full IPv6 routing enabled. IPv6 is available on all FastIron devices that are running Layer 2, Base Layer 3, or Full Layer 3 software images.
NOTE: Foundry FastIron devices can serve as management hosts on an IPv6 network. However, IPv6 routing functionality is not supported for these devices.

IPv6 Addressing
IPv4 is limited because of the 32-bit addressing format, which cannot satisfy potential increases in the number of users, geographical needs, and emerging applications. To address this limitation, IPv6 introduces a new 128-bit addressing format.
An IPv6 address is composed of 8 fields of 16-bit hexadecimal values separated by colons (:). Figure 7.1 shows the IPv6 address format.
Figure 7.1 IPv6 Address Format
  Network Prefix | Interface ID
  HHHH:HHHH:HHHH:HHHH:HHHH:HHHH:HHHH:HHHH (128 bits)
  HHHH = hex value 0000 - FFFF
As shown in Figure 7.1, HHHH is a 16-bit hexadecimal value, while H is a 4-bit hexadecimal value. The following is an example of an IPv6 address:
2001:0000:0000:0200:002D:D0FF:FE48:4672
Note that this IPv6 address includes hexadecimal fields of zeros. To make the address less cumbersome, you can do the following:
• Omit the leading zeros; for example, 2001:0:0:200:2D:D0FF:FE48:4672.
• Compress the successive groups of zeros at the beginning, middle, or end of an IPv6 address to two colons (::) once per address; for example, 2001::200:2D:D0FF:FE48:4672.
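The text-form rules above (eight 16-bit hexadecimal fields, optional leading zeros, one “::” per address, case-insensitive hex digits) implemented as an added example that is not Foundry code. Beyond the section’s own examples it adds prefix matching against the <prefix>/<prefix-length> form and a first-match evaluation of (action, prefix) entries of the kind an IPv6 ACL holds; the implicit deny for an address that matches no entry is an assumption, and all addresses other than the section’s example are constructed.

```python
"""IPv6 text-form parsing, compression, and prefix matching (added example)."""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand(addr):
    """Parse an IPv6 address into its 8 fields (ints); raise ValueError if malformed."""
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once per address")
    if "::" in addr:
        head, tail = addr.split("::")
        h = head.split(":") if head else []
        t = tail.split(":") if tail else []
        if len(h) + len(t) > 7:
            raise ValueError("'::' must stand for at least one zero field")
        parts = h + ["0"] * (8 - len(h) - len(t)) + t
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, found {len(parts)}")
    fields = []
    for p in parts:
        if not 1 <= len(p) <= 4 or any(c not in HEX_DIGITS for c in p):
            raise ValueError(f"bad 16-bit field {p!r}")
        fields.append(int(p, 16))
    return fields


def is_valid(addr):
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def compress(fields, use_double_colon=True):
    """Render 8 fields with leading zeros dropped; with use_double_colon, the
    longest run of two or more zero fields becomes '::' (once per address)."""
    hexs = [f"{f:X}" for f in fields]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if fields[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == 0:
            j += 1
        if j - i > best_len:               # keep the longest run; ties keep the first
            best_start, best_len = i, j - i
        i = j
    if use_double_colon and best_len >= 2:
        return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
    return ":".join(hexs)


def to_int(fields):
    value = 0
    for f in fields:
        value = (value << 16) | f
    return value


def in_prefix(addr, prefix):
    """True if addr lies inside <prefix>/<prefix-length>; a bare address means /128."""
    net, _, plen = prefix.partition("/")
    plen = int(plen) if plen else 128
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be 0-128")
    mask = ((1 << plen) - 1) << (128 - plen)
    return (to_int(expand(addr)) & mask) == (to_int(expand(net)) & mask)


def acl_decision(entries, addr):
    """First-match evaluation of (action, prefix) entries; 'any' matches every
    address, and an address matching no entry is denied (assumed implicit deny)."""
    for action, prefix in entries:
        if prefix == "any" or in_prefix(addr, prefix):
            return action
    return "deny"


if __name__ == "__main__":
    full = "2001:0000:0000:0200:002D:D0FF:FE48:4672"          # the section's example
    print(compress(expand(full), use_double_colon=False))     # 2001:0:0:200:2D:D0FF:FE48:4672
    print(compress(expand(full)))                             # 2001::200:2D:D0FF:FE48:4672
    print(in_prefix("2001:ff08:49ea:d088::1", "2001:FF08:49EA:D088::/64"))  # True
```

Comparing addresses through expand rather than as strings is what makes the ACL check reliable: the same host can be written with or without leading zeros, with “::” in different places, and in either case, and all of those spellings expand to the same eight fields.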
When specifying an IPv6 address in a command syntax, keep the following in mind:
• You can use the two colons (::) only once in the address to represent the longest successive hexadecimal fields of zeros
• The hexadecimal letters in IPv6 addresses are not case-sensitive
As shown in Figure 7.1, the IPv6 network prefix is composed of the left-most bits of the address. As with an IPv4 address, you can specify the IPv6 prefix using the <prefix>/<prefix-length> format, where the following applies:
The <prefix> parameter is specified as 16-bit hexadecimal values separated by a colon.
The <prefix-length> parameter is specified as a decimal value that indicates the left-most bits of the IPv6 address.
The following is an example of an IPv6 prefix:
2001:FF08:49EA:D088::/64

Enabling and Disabling IPv6 on FastIron Devices
IPv6 is enabled by default for Foundry devices that support it. If desired, you can disable IPv6 on a global basis on a device by entering the following command at the Global CONFIG level of the CLI:
FastIron(config)#no ipv6 enable
Syntax: no ipv6 enable
To re-enable IPv6 after it has been disabled, enter the ipv6 enable command.

IPv6 Management Features
Platform Support:
• FGS and FLS devices running software release 04.0.00 and later
• FWS devices running software release 04.3.00 or later
This section describes the CLI management commands that are available to FastIron devices that support IPv6.

IPv6 Access List
When you enter the ipv6 access-list command, the Foundry device enters the IPv6 Access List configuration level, where you can access several commands for configuring IPv6 ACL entries.
NOTE: Unlike IPv4, there is no distinction between standard and extended ACLs in IPv6.
EXAMPLE:
FastIron(config)#ipv6 access-list netw
FastIron(config-ipv6-access-list-netw)#
Syntax: [no] ipv6 access-list <acl name>
The <acl name> parameter specifies a name for the IPv6 ACL. An IPv6 ACL name cannot start with a numeral, for example, 1access. Also, an IPv4 ACL and an IPv6 ACL cannot share the same name.

IPv6 Debug
Platform Support:
• FGS and FLS devices running software release 04.0.00 and later
• FWS devices running software release 04.3.00 or later
The debug ipv6 commands enable the collection of information about IPv6 configurations for troubleshooting.
Syntax: debug ipv6 <address> <cache> <icmp> <mld> <nd> <packet> <ra>
• address - IPv6 address
• cache - IPv6 cache entry
• icmp - ICMPv6
• mld - MLD protocol activity
  • <add-del-oif> [<all> <clear>] <clear> <detail> <down-port> <error> <group> <level> <mcache-group> <mcache-source> <packet> <phy-port> <prime-port> <show> <source> <timer> <vlan>
• nd - neighbor discovery
• packet - IPv6 packet
• ra - router add

IPv6 Web Management using HTTP and HTTPS
Platform Support:
• FGS and FLS devices running software release 04.0.00 and later
• FWS devices running software release 04.3.00 or later
When you have an IPv6 management station connected to a switch with an IPv6 address applied to the management port, you can manage the switch from a Web browser by entering http://[<ipv6 address>] or https://[<ipv6 address>] in the browser address field.
NOTE: You must enclose the IPv6 address with square brackets [ ] in order for the Web browser to work.

Restricting Web Access
Platform Support:
• FGS and FLS devices running software release 04.0.00 and later
• FWS devices running software release 04.3.00 or later
You can restrict Web management access to include only management functions on a Foundry device that is acting as an IPv6 host, or restrict access so that the Foundry host can be reached by a specified IPv6 device.
Restricting Web Management Access by Specifying an IPv6 ACL
You can specify an IPv6 ACL that restricts Web management access to management functions on the device that is acting as the IPv6 host. For example:
FastIron(config)#access-list 12 deny host 2000:2383:e0bb::2/128 log
FastIron(config)#access-list 12 deny 30ff:3782::ff89/128 log
FastIron(config)#access-list 12 deny 3000:4828::fe19/128 log
FastIron(config)#access-list 12 permit any
FastIron(config)#web access-group ipv6 12
Syntax: web access-group ipv6 <ipv6 ACL name>
where <ipv6 ACL name> is a valid IPv6 ACL.

Restricting Web Management Access to an IPv6 Host
You can specify a single device with an IPv6 address to have Web management access to the host device. No other device except the one with the specified IPv6 address can access the Foundry device’s Web management interface. For example:
FastIron(config)#web client ipv6 3000:2383:e0bb::2/128
Syntax: web client ipv6 <ipv6-address>
The <ipv6-address> you specify must be in hexadecimal format using 16-bit values between colons as documented in RFC 2373.

IPv6 Logging
Platform Support:
• FGS and FLS devices running software release 04.0.00 and later
• FWS devices running software release 04.3.00 or later
This feature allows you to specify an IPv6 server as the Syslog server.

Specifying an IPv6 Syslog Server
To specify an IPv6 Syslog server, enter the log host ipv6 command as shown below:
EXAMPLE:
FastIron(config)#log host ipv6 2000:2383:e0bb::4/128
Syntax: [no] log host ipv6 <ipv6-address> [<udp-port-num>]
The <ipv6-address> must be in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <udp-port-num> optional parameter specifies the UDP application port used for the Syslog facility.
Possible values: See above.
Default value: N/A

Name-to-IPv6 Address Resolution using IPv6 DNS Server

The Domain Name Server (DNS) resolver feature lets you use a host name to perform Telnet, ping, and traceroute commands. You can also define a DNS domain on a Foundry device and thereby recognize all hosts within that domain. After you define a domain name, the Foundry device automatically appends the appropriate domain to the host and forwards it to the domain name server.

For example, if the domain “newyork.com” is defined on a Foundry device, and you want to initiate a ping to host “NYC01” on that domain, you need to reference only the host name in the command instead of the host name and its domain name. For example, you could enter either of the following commands to initiate the ping:

FastIron#ping nyc01
FastIron#ping nyc01.newyork.com

Defining an IPv6 DNS Entry

IPv6 defines new DNS record types to resolve queries for domain names to IPv6 addresses, as well as IPv6 addresses to domain names. Foundry devices running IPv6 software support AAAA DNS records, which are defined in RFC 1886. AAAA DNS records are analogous to the A DNS records used with IPv4. They store a complete IPv6 address in each record. AAAA records have a type value of 28.

To establish an IPv6 DNS entry for the device, enter the following command:

FastIron(config)#ipv6 dns domain-name companynet.com

Syntax: [no] ipv6 dns domain-name <domain name>

To define an IPv6 DNS server address, enter the following command:

FastIron(config)#ipv6 dns server-address 200::1

Syntax: [no] ipv6 dns server-address <ipv6-addr> [<ipv6-addr>] [<ipv6-addr>] [<ipv6-addr>]

As an example, in a configuration where ftp6.companynet.com is a server with an IPv6 protocol stack, when a user pings ftp6.companynet.com, the Foundry device attempts to resolve the AAAA DNS record.
In addition, if the DNS server does not have an IPv6 address, as long as it is able to resolve AAAA records, it can still respond to DNS queries.

IPv6 Ping

The ping command allows you to verify the connectivity from a Foundry device to an IPv6 device by performing an ICMP for IPv6 echo test.

For example, to ping a device with the IPv6 address of 2001:3424:847f:a385:34dd::45 from the Foundry device, enter the following command:

FastIron#ping ipv6 2001:3424:847f:a385:34dd::45

Syntax: ping ipv6 <ipv6-address> [outgoing-interface [<port> | ve <number>]] [source <ipv6-address>] [count <number>] [timeout <milliseconds>] [ttl <number>] [size <bytes>] [quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]

• The <ipv6-address> parameter specifies the address of the router. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
• The outgoing-interface keyword specifies a physical interface over which you can verify connectivity. If you specify a physical interface, such as an Ethernet interface, you must also specify the port number of the interface. If you specify a virtual interface, such as a VE, you must specify the number associated with the VE.
• The source <ipv6-address> parameter specifies an IPv6 address to be used as the origin of the ping packets.
• The count <number> parameter specifies how many ping packets the router sends. You can specify from 1 - 4294967296. The default is 1.
• The timeout <milliseconds> parameter specifies how many milliseconds the router waits for a reply from the pinged device. You can specify a timeout from 1 - 4294967296 milliseconds. The default is 5000 (5 seconds).
• The ttl <number> parameter specifies the maximum number of hops. You can specify a TTL from 1 - 255. The default is 64.
• The size <bytes> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does not include the header. You can specify from 0 - 4000. The default is 16.
• The no-fragment keyword turns on the "don't fragment" bit in the IPv6 header of the ping packet. This option is disabled by default.
• The quiet keyword hides informational messages such as a summary of the ping parameters sent to the device, and instead only displays messages indicating the success or failure of the ping. This option is disabled by default.
• The verify keyword verifies that the data in the echo packet (the reply packet) is the same as the data in the echo request (the ping). By default the device does not verify the data.
• The data <1 - 4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default data pattern, "abcd", in the packet's data payload. The pattern repeats itself throughout the ICMP message (payload) portion of the packet.

NOTE: For parameters that require a numeric value, the CLI does not check that the value you enter is within the allowed range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid value.

• The brief keyword causes ping test characters to be displayed. The following ping test characters are supported:
  !  Indicates that a reply was received.
  .  Indicates that the network server timed out while waiting for a reply.
  U  Indicates that a destination unreachable error PDU was received.
  I  Indicates that the user interrupted ping.

SNMP3 over IPv6

Foundry FastIron devices support IPv6 for SNMP version 3. For more information about how to configure SNMP, see the chapter “Securing SNMP Access” on page 48-1.

Secure Shell and IPv6

Secure Shell (SSH) is a mechanism that allows secure remote access to management functions on the Foundry device. SSH provides a function similar to Telnet. You can log in to and configure the Foundry device using a publicly or commercially available SSH client program, just as you can with Telnet.
However, unlike Telnet, which provides no security, SSH provides a secure, encrypted connection to the Foundry device.

To open an SSH session between an IPv6 host running an SSH client program and the Foundry device, open the SSH client program and specify the IPv6 address of the device. For more information about configuring SSH on the Foundry device, see “Configuring SSHv2 and SCP” on page 42-1.

IPv6 Telnet

Telnet sessions can be established between a Foundry device and a remote IPv6 host, and from a remote IPv6 host to the Foundry device, using IPv6 addresses. The telnet command establishes a Telnet connection from a Foundry device to a remote IPv6 host using the console.

Up to five read-access Telnet sessions are supported on the router at one time. Write-access through Telnet is limited to one session, and only one outgoing Telnet session is supported on the router at one time. To see the number of open Telnet sessions at any time, enter the show telnet command.

EXAMPLE:

To establish a Telnet connection to a remote host with the IPv6 address of 3001:2837:3de2:c37::6, enter the following command:

FastIron#telnet 3001:2837:3de2:c37::6

Syntax: telnet <ipv6-address> [<port-number> | outgoing-interface ethernet <port> | ve <number>]

The <ipv6-address> parameter specifies the address of a remote host. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.

The <port-number> parameter specifies the port number on which the Foundry device establishes the Telnet connection. You can specify a value between 1 - 65535. If you do not specify a port number, the Foundry device establishes the Telnet connection on port 23.

If the IPv6 address you specify is a link-local address, you must specify the outgoing-interface ethernet <port> | ve <number> parameter. This parameter identifies the interface that must be used to reach the remote host. If you specify an Ethernet interface, you must also specify the port number associated with the interface. If you specify a VE interface, also specify the VE number.

Establishing a Telnet Session From an IPv6 Host

To establish a Telnet session from an IPv6 host to the Foundry device, open your Telnet application and specify the IPv6 address of the Layer 3 Switch.

IPv6 Traceroute

The traceroute command allows you to trace a path from the Foundry device to an IPv6 host. The CLI displays trace route information for each hop as soon as the information is received. Traceroute requests display all responses to a minimum TTL of 1 second and a maximum TTL of 30 seconds. In addition, if there are multiple equal-cost routes to the destination, the Foundry device displays up to three responses.

For example, to trace the path from the Foundry device to a host with an IPv6 address of 3301:23dd:349e:a384::34, enter the following command:

FastIron#traceroute ipv6 3301:23dd:349e:a384::34

Syntax: traceroute ipv6 <ipv6-address>

The <ipv6-address> parameter specifies the address of a host. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.

IPv6 Management Commands

The following management CLI commands are available in FastIron devices that support IPv6:
• show ipv6 traffic
• clear ipv6 traffic
• show ipv6 TCP
• show ipv6 access-list
• show ipv6 mld-snooping
• clear ipv6 mld-snooping
• show ipv6 neighbor
• clear ipv6 neighbor

Chapter 8
Configuring IPv6 Connectivity on a FastIron X Series Switch

This chapter explains IPv6 addressing and features and how to configure them on a Foundry FastIron X Series switch.
NOTE: With the exception of IPv6 host features, the commands in this chapter are supported on FastIron X Series switches running software release 04.1.00 and later. IPv6 host features, covered in “IPv6 Management on FastIron X Series Devices (IPv6 Host Support)” on page 8-11, have been supported on FastIron X Series switches since software release 02.4.00.

NOTE: This chapter does not describe IPv6 routing protocols, which are covered in separate chapters throughout this guide.

IPv6 Addressing Overview

IPv6 was designed to replace IPv4, the Internet protocol that is most commonly used currently throughout the world. IPv6 increases the number of network address bits from 32 (IPv4) to 128 bits, which provides more than enough unique IP addresses to support all of the network devices on the planet into the future. IPv6 is expected to quickly become the network standard.

An IPv6 address is composed of 8 fields of 16-bit hexadecimal values separated by colons (:). Figure 8.1 shows the IPv6 address format.

Figure 8.1 IPv6 Address Format
[Figure: 128 bits written as HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH; the left-most fields form the Network Prefix and the right-most fields the Interface ID; HHHH = hex value 0000 - FFFF]

As shown in Figure 8.1, HHHH is a 16-bit hexadecimal value, while H is a 4-bit hexadecimal value. The following is an example of an IPv6 address:

2001:0000:0000:0200:002D:D0FF:FE48:4672

Note that this IPv6 address includes hexadecimal fields of zeros. To make the address less cumbersome, you can do the following:
• Omit the leading zeros; for example, 2001:0:0:200:2D:D0FF:FE48:4672.
• Compress the successive groups of zeros at the beginning, middle, or end of an IPv6 address to two colons (::) once per address; for example, 2001::200:2D:D0FF:FE48:4672.
When specifying an IPv6 address in a command syntax, keep the following in mind:
• You can use the two colons (::) only once in the address to represent the longest successive hexadecimal fields of zeros.
• The hexadecimal letters in IPv6 addresses are not case-sensitive.

As shown in Figure 8.1, the IPv6 network prefix is composed of the left-most bits of the address. As with an IPv4 address, you can specify the IPv6 prefix using the <prefix>/<prefix-length> format, where the following applies:
• The <prefix> parameter is specified as 16-bit hexadecimal values separated by a colon.
• The <prefix-length> parameter is specified as a decimal value that indicates the left-most bits of the IPv6 address.

The following is an example of an IPv6 prefix:

2001:FF08:49EA:D088::/64

IPv6 Address Types

As with IPv4 addresses, you can assign multiple IPv6 addresses to a switch interface. Table 8.1 presents the three major types of IPv6 addresses that you can assign to a switch interface.

A major difference between IPv4 and IPv6 addresses is that IPv6 addresses support scope, which describes the topology in which the address may be used as a unique identifier for an interface or set of interfaces. Unicast and multicast addresses support scoping as follows:
• Unicast addresses support two types of scope: global scope and local scope. In turn, local scope supports site-local addresses and link-local addresses. Table 8.1 describes global, site-local, and link-local addresses and the topologies in which they are used.
• Multicast addresses support a scope field, which Table 8.1 describes.

Table 8.1: IPv6 address types

Unicast
Description: An address for a single interface. A packet sent to a unicast address is delivered to the interface identified by the address.
Address structure: Depends on the type of the unicast address:
• Aggregatable global address—An address equivalent to a global or public IPv4 address. The address structure is as follows: a fixed prefix of 2000::/3 (001), a 45-bit global routing prefix, a 16-bit subnet ID, and a 64-bit interface ID.
• Site-local address—An address used within a site or intranet. (This address is similar to a private IPv4 address.) A site consists of multiple network links. The address structure is as follows: a fixed prefix of FEC0::/10 (1111 1110 11), a 16-bit subnet ID, and a 64-bit interface ID.
• Link-local address—An address used between directly connected nodes on a single network link. The address structure is as follows: a fixed prefix of FE80::/10 (1111 1110 10) and a 64-bit interface ID.
• IPv4-compatible address—An address used in IPv6 transition mechanisms that tunnel IPv6 packets dynamically over IPv4 infrastructures. The address embeds an IPv4 address in the low-order 32 bits and the high-order 96 bits are zeros. The address structure is as follows: 0:0:0:0:0:0:A.B.C.D.
• Loopback address—An address (0:0:0:0:0:0:0:1 or ::1) that a switch can use to send an IPv6 packet to itself. You cannot assign a loopback address to a physical interface.
• Unspecified address—An address (0:0:0:0:0:0:0:0 or ::) that a node can use until you configure an IPv6 address for it.

Multicast
Description: An address for a set of interfaces belonging to different nodes. Sending a packet to a multicast address results in the delivery of the packet to all interfaces in the set.
Address structure: A multicast address has a fixed prefix of FF00::/8 (1111 1111). The next 4 bits define the address as a permanent or temporary address. The next 4 bits define the scope of the address (node, link, site, organization, global).

Anycast
Description: An address for a set of interfaces belonging to different nodes. Sending a packet to an anycast address results in the delivery of the packet to the closest interface identified by the address.
Address structure: An anycast address looks similar to a unicast address, because it is allocated from the unicast address space. If you assign a unicast address to multiple interfaces, it is an anycast address. An interface assigned an anycast address must be configured to recognize the address as an anycast address. An anycast address can be assigned to a switch only. An anycast address must not be used as the source address of an IPv6 packet.

A switch automatically configures a link-local unicast address for an interface by using the prefix of FE80::/10 (1111 1110 10) and a 64-bit interface ID. The 128-bit IPv6 address is then subjected to duplicate address detection to ensure that the address is unique on the link. If desired, you can override this automatically configured address by explicitly configuring an address.

IPv6 Stateless Autoconfiguration

Foundry routers use the IPv6 stateless autoconfiguration feature to enable a host on a local link to automatically configure its interfaces with new and globally unique IPv6 addresses associated with its location. The automatic configuration of a host interface is performed without the use of a server, such as a Dynamic Host Configuration Protocol (DHCP) server, or manual configuration.

The automatic configuration of a host interface works in the following way: a switch on a local link periodically sends switch advertisement messages containing network-type information, such as the 64-bit prefix of the local link and the default route, to all nodes on the link. When a host on the link receives the message, it takes the local link prefix from the message and appends a 64-bit interface ID, thereby automatically configuring its interface. (The 64-bit interface ID is derived from the MAC address of the host’s NIC.) The 128-bit IPv6 address is then subjected to duplicate address detection to ensure that the address is unique on the link.
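The address notation rules above (leading zeros omitted, a single :: for the longest run of zero fields, case-insensitive hex digits, <prefix>/<prefix-length>) and the fixed prefixes in Table 8.1 are mechanical enough to check in code. The following Python is an added example for this guide, not Foundry code: it expands a textual address into eight 16-bit fields, produces the shortest form, parses a prefix, and names the address type from the prefixes in Table 8.1 (including the flag and scope nibbles of a multicast address). The multicast scope codes (1 node, 2 link, 5 site, 8 organization, E global) come from RFC 2373; the sample addresses are the chapter's own plus a few constructed ones.

```python
from typing import List, Tuple

# Multicast scope values named in Table 8.1 (numeric codes from RFC 2373).
MULTICAST_SCOPES = {0x1: "node", 0x2: "link", 0x5: "site", 0x8: "organization", 0xE: "global"}


def _fields(part: str) -> List[str]:
    """Split one side of '::' into hex fields; a dotted IPv4 tail (0:0:0:0:0:0:A.B.C.D) becomes two fields."""
    if not part:
        return []
    items = part.split(":")
    if "." in items[-1]:
        octets = [int(o) for o in items[-1].split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError(f"bad embedded IPv4 address {items[-1]!r}")
        items[-1:] = [f"{(octets[0] << 8) | octets[1]:x}", f"{(octets[2] << 8) | octets[3]:x}"]
    return items


def expand_ipv6(text: str) -> List[int]:
    """Expand textual IPv6 into eight 16-bit values using the chapter's rules:
    leading zeros in a field may be omitted, and '::' may appear only once."""
    if text.count("::") > 1:
        raise ValueError("'::' may be used only once per address")
    if "::" in text:
        head, tail = text.split("::")
        head_fields, tail_fields = _fields(head), _fields(tail)
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = _fields(text)
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)} in {text!r}")
    values = []
    for field in fields:
        if not 1 <= len(field) <= 4:
            raise ValueError(f"field {field!r} is not 1 to 4 hex digits")
        values.append(int(field, 16))           # hex letters are not case-sensitive
    return values


def compress_ipv6(values: List[int]) -> str:
    """Shortest text form: no leading zeros, and the longest run of at least two zero
    fields (the leftmost run on a tie) replaced by '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if values[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and values[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{v:x}" for v in values]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def parse_prefix(text: str) -> Tuple[List[int], int]:
    """Parse the <prefix>/<prefix-length> form, e.g. 2001:FF08:49EA:D088::/64."""
    prefix, _, length = text.partition("/")
    if not length.isdigit() or not 0 <= int(length) <= 128:
        raise ValueError(f"prefix length must be a decimal value 0-128 in {text!r}")
    return expand_ipv6(prefix), int(length)


def classify(text: str) -> str:
    """Name the address type using the fixed prefixes from Table 8.1."""
    v = expand_ipv6(text)
    if all(x == 0 for x in v):
        return "unspecified"
    if v[:7] == [0] * 7 and v[7] == 1:
        return "loopback"
    if v[:6] == [0] * 6:                          # high-order 96 bits zero
        return "ipv4-compatible"
    first = v[0]
    if first >> 8 == 0xFF:                        # FF00::/8
        flags, scope = (first >> 4) & 0xF, first & 0xF
        lifetime = "temporary" if flags & 0x1 else "permanent"
        return f"multicast ({lifetime}, scope {MULTICAST_SCOPES.get(scope, hex(scope))})"
    if first >> 6 == 0x3FA:                       # FE80::/10 = 1111 1110 10
        return "link-local unicast"
    if first >> 6 == 0x3FB:                       # FEC0::/10 = 1111 1110 11
        return "site-local unicast"
    if first >> 13 == 0b001:                      # 2000::/3
        return "aggregatable global unicast"
    return "unicast (other)"


if __name__ == "__main__":
    full = "2001:0000:0000:0200:002D:D0FF:FE48:4672"   # the chapter's example address
    print(compress_ipv6(expand_ipv6(full)))            # 2001::200:2d:d0ff:fe48:4672
    for sample in ["FE80::240:D0FF:FE48:4672", "FEC0::1", "FF02::1", "::1", "::", "::192.0.2.1"]:
        print(f"{sample:>24} -> {classify(sample)}")
```

Expanding before comparing is the useful habit here: ACL entries, Syslog hosts and management clients written as 2001:0:0:200:2D:D0FF:FE48:4672 and 2001::200:2d:d0ff:fe48:4672 are the same address, and a check that compares the strings instead of the field values will miss that.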
The duplicate address detection feature verifies that a unicast IPv6 address is unique before it is assigned to a host interface by the stateless auto configuration feature. Duplicate address detection uses neighbor solicitation messages to verify that a unicast IPv6 address is unique.

NOTE: For the stateless auto configuration feature to work properly, the advertised prefix length in switch advertisement messages must always be 64 bits.

The IPv6 stateless autoconfiguration feature can also automatically reconfigure a host’s interfaces if you change the ISP for the host’s network. (The host’s interfaces must be renumbered with the IPv6 prefix of the new ISP.) The renumbering occurs in the following way: a switch on a local link periodically sends advertisements updated with the prefix of the new ISP to all nodes on the link. (The advertisements still contain the prefix of the old ISP.) A host can use the addresses created from the new prefix and the existing addresses created from the old prefix on the link. When you are ready for the host to use the new addresses only, you can configure the lifetime parameters appropriately using the ipv6 nd prefix-advertisement command. During this transition, the old prefix is removed from the switch advertisements. At this point, only addresses that contain the new prefix are used on the link.

IPv6 CLI Command Support

Table 8.2 lists the IPv6 CLI commands supported.

Table 8.2: IPv6 CLI Command Support

IPv6 Command | Description | Switch Code | Router Code
clear ipv6 cache | Deletes all entries in the dynamic host cache. | |
clear ipv6 mld-snooping | Deletes MLD-snooping-related counters or cache entries. | X | X
clear ipv6 neighbor | Deletes all dynamic entries in the IPv6 neighbor table. | X | X
clear ipv6 ospf | Clears OSPF-related entries. | | X
clear ipv6 rip | Clears RIP-related entries. | | X
clear ipv6 route | Deletes all dynamic entries in the IPv6 route table. | | X
clear ipv6 traffic | Resets all IPv6 packet counters. | |
clear ipv6 tunnel | Clears statistics for IPv6 tunnels. | |
copy tftp | Downloads a copy of a Foundry software image from a TFTP server into the system flash using IPv6. | X | X
debug ipv6 | Displays IPv6 debug information. | X | X
ipv6 access-class | Configures access control for IPv6 management traffic. | X | X
ipv6 access-list | Configures an IPv6 access control list for IPv6 access control. | X | X
ipv6 address | Configures an IPv6 address on an interface (router) or globally (switch). | X | X
ipv6 debug | Enables IPv6 debugging. | X | X
ipv6 dns domain-name | Configures an IPv6 domain name. | X | X
ipv6 dns server-address | Configures an IPv6 DNS server address. | X | X
ipv6 enable | Enables IPv6 on an interface. | X | X
ipv6 hop-limit | Sets the IPv6 hop limit. | | X
ipv6 icmp | Configures IPv6 ICMP parameters. | | X
ipv6 load-sharing | Enables IPv6 load sharing. | | X
ipv6 mld-snooping | Configures MLD snooping. | |
ipv6 mtu | Configures the maximum length of an IPv6 packet that can be transmitted on a particular interface. | | X
ipv6 nd | Configures neighbor discovery. | | X
ipv6 neighbor | Maps a static IPv6 address to a MAC address in the IPv6 neighbor table. | | X
ipv6 ospf | Configures OSPF V3 parameters on an interface. | | X
ipv6 prefix-list | Builds an IPv6 prefix list. | | X
ipv6 redirects | Enables the sending of ICMP redirect messages on an interface. | | X
ipv6 rip | Configures RIPng parameters on an interface. | | X
ipv6 route | Configures an IPv6 static route. | | X
ipv6 router | Enables an IPv6 routing protocol. | | X
ipv6 traffic-filter | Applies an IPv6 ACL to an interface. | |
ipv6 unicast-routing | Enables IPv6 unicast routing. | |
log host ipv6 | Configures the IPv6 Syslog server. | X | X
ping ipv6 | Performs an ICMP for IPv6 echo test. | X | X
show ipv6 | Displays some global IPv6 parameters, such as the IPv6 DNS server address. | X | X
show ipv6 access-list | Displays configured IPv6 access control lists. | X | X
show ipv6 cache | Displays the IPv6 host cache. | | X
show ipv6 interface | Displays IPv6 information for an interface. | | X
show ipv6 mld-snooping | Displays information about MLD snooping. | X | X
show ipv6 neighbor | Displays the IPv6 neighbor table. | X | X
show ipv6 ospf | Displays information about OSPF V3. | | X
show ipv6 prefix-lists | Displays the configured IPv6 prefix lists. | | X
show ipv6 rip | Displays information about RIPng. | | X
show ipv6 route | Displays IPv6 routes. | | X
show ipv6 router | Displays IPv6 local routers. | | X
show ipv6 tcp | Displays information about IPv6 TCP sessions. | X | X
show ipv6 traffic | Displays IPv6 packet counters. | X | X
show ipv6 tunnel | Displays information about IPv6 tunnels. | X | X
snmp-client ipv6 | Restricts SNMP access to a certain IPv6 node. | X | X
snmp-server host ipv6 | Specifies the recipient of SNMP notifications. | X | X
sntp server ipv6 | Enables the Foundry device to send SNTP packets over IPv6. | X | X
telnet | Enables a Telnet connection from the Foundry device to a remote IPv6 host using the console. | X | X
web access-group ipv6 | Restricts Web management access to certain IPv6 hosts as determined by IPv6 ACLs. | X | X
web client ipv6 | Restricts Web management access to certain IPv6 hosts. | X | X

Configuring an IPv6 Host Address on a Layer 2 Switch

In a Layer 3 (router) configuration, each port can be configured separately with an IPv6 address. This is accomplished using the interface configuration process that is described in “Configuring IPv6 on Each Router Interface” on page 8-8.

In a Layer 2 (switch) configuration, individual ports cannot be configured with an IP address (IPv4 or IPv6). In this situation, the switch has one IP address for the management port and one IP address for the system.
This has previously been supported for IPv4 but not for IPv6. There is support for configuring an IPv6 address on the management port as described in “Configuring the Management Port for an IPv6 Automatic Address Configuration” on page 8-7, and for configuring a system-wide IPv6 address on a Layer 2 switch. Configuration of the system-wide IPv6 address is exactly like configuration of an IPv6 address in router mode, except that the IPv6 configuration is at the Global Config level instead of at the Interface Config level.

The process for defining the system-wide interface for IPv6 is described in the following sections:
• “Configuring a Global or Site-Local IPv6 Address with a Manually Configured Interface ID as the Switch’s System-wide Address” on page 8-7
• “Configuring a Link-Local IPv6 Address as the Switch’s System-Wide Address” on page 8-7

NOTE: When configuring an IPv6 host address on a Layer 2 switch that has multiple VLANs, make sure the configuration includes a designated management VLAN that identifies the VLAN to which the global IP address belongs. See “Designated VLAN for Telnet Management Sessions to a Layer 2 Switch” on page 40-10.

Configuring a Global or Site-Local IPv6 Address with a Manually Configured Interface ID as the Switch’s System-wide Address

To configure a global or site-local IPv6 address with a manually configured interface ID, as a switch’s system-wide address, enter a command such as the following at the Global Config level:

FastIron(config)#ipv6 address 2001:200:12D:1300:240:D0FF:FE48:4000:1/64

Syntax: ipv6 address <ipv6-prefix>/<prefix-length>

You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.
Configuring a Link-Local IPv6 Address as the Switch’s System-Wide Address

To enable IPv6 and automatically configure a global interface, enter commands such as the following:

FastIron(config)#ipv6 enable

This command enables IPv6 on the switch and specifies that the interface is assigned an automatically computed link-local address.

Syntax: [no] ipv6 enable

To override a link-local address that is automatically computed for the global interface with a manually configured address, enter a command such as the following:

FastIron(config)#ipv6 address FE80::240:D0FF:FE48:4672 link-local

This command explicitly configures the link-local address FE80::240:D0FF:FE48:4672 for the global interface.

Syntax: ipv6 address <ipv6-address> link-local

You must specify the <ipv6-address> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.

The link-local keyword indicates that the router interface should use the manually configured link-local address instead of the automatically computed link-local address.

Configuring the Management Port for an IPv6 Automatic Address Configuration

You can have the management port configured to automatically obtain an IPv6 address. This process is the same as for any other port and is described in detail in “Configuring a Global IPv6 Address with an Automatically Computed EUI-64 Interface ID” on page 8-9.

Configuring Basic IPv6 Connectivity on a Layer 3 Switch

To configure basic IPv6 connectivity on a Foundry Layer 3 Switch, you must do the following:
• Enable IPv6 routing globally on the switch
• Configure an IPv6 address or explicitly enable IPv6 on each router interface over which you plan to forward IPv6 traffic
• Configure IPv4 and IPv6 protocol stacks. (This step is mandatory only if you want a router interface to send and receive both IPv4 and IPv6 traffic.)

All other configuration tasks in this chapter are optional.
Enabling IPv6 Routing

By default, IPv6 routing is disabled. To enable the forwarding of IPv6 traffic globally on the Layer 3 switch, enter the following command:

FastIron(config)#ipv6 unicast-routing

Syntax: [no] ipv6 unicast-routing

To disable the forwarding of IPv6 traffic globally on the Foundry device, enter the no form of this command.

Configuring IPv6 on Each Router Interface

To forward IPv6 traffic on a router interface, the interface must have an IPv6 address, or IPv6 must be explicitly enabled. By default, an IPv6 address is not configured on a router interface.

If you choose to configure a global or site-local IPv6 address for an interface, IPv6 is also enabled on the interface. Further, when you configure a global or site-local IPv6 address, you must decide on one of the following in the low-order 64 bits:
• A manually configured interface ID.
• An automatically computed EUI-64 interface ID.

If you prefer to assign a link-local IPv6 address to the interface, you must explicitly enable IPv6 on the interface, which causes a link-local address to be automatically computed for the interface. If preferred, you can override the automatically configured link-local address with an address that you manually configure.

This section provides the following information:
• Configuring a global or site-local address with a manually configured or automatically computed interface ID for an interface.
• Automatically or manually configuring a link-local address for an interface.
• Configuring IPv6 anycast addresses

Configuring a Global or Site-Local IPv6 Address on an Interface

Configuring a global or site-local IPv6 address on an interface does the following:
• Automatically configures an interface ID (a link-local address), if specified.
• Enables IPv6 on that interface.
Additionally, the configured interface automatically joins the following required multicast groups for that link:
• Solicited-node multicast group FF02:0:0:0:0:1:FF00::/104 for each unicast address assigned to the interface.
• Solicited-node for subnet anycast address for each unicast assigned address
• Solicited-node for anycast address FF02:0:0:0:0:1:FF00::0000
• All-nodes link-local multicast group FF02::1
• All-routers link-local multicast group FF02::2

The neighbor discovery feature sends messages to these multicast groups. For more information, see “Configuring IPv6 Neighbor Discovery” on page 8-29.

Configuring a Global or Site-Local IPv6 Address with a Manually Configured Interface ID

To configure a global or site-local IPv6 address, including a manually configured interface ID, for an interface, enter commands such as the following:

FastIron(config)#interface ethernet 3/1
FastIron(config-if-e1000-3/1)#ipv6 address 2001:200:12D:1300:240:D0FF:FE48:4672/64

These commands configure the global prefix 2001:200:12d:1300::/64 and the interface ID ::240:D0FF:FE48:4672, and enable IPv6 on Ethernet interface 3/1.

Syntax: ipv6 address <ipv6-prefix>/<prefix-length>

You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.
Configuring a Global IPv6 Address with an Automatically Computed EUI-64 Interface ID

To configure a global IPv6 address with an automatically computed EUI-64 interface ID in the low-order 64-bits, enter commands such as the following:

FastIron(config)#interface ethernet 3/1
FastIron(config-if-e1000-3/1)#ipv6 address 2001:200:12D:1300::/64 eui-64

These commands configure the global prefix 2001:200:12d:1300::/64 and an interface ID, and enable IPv6 on Ethernet interface 3/1.

Syntax: ipv6 address <ipv6-prefix>/<prefix-length> eui-64

You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.

The eui-64 keyword configures the global address with an EUI-64 interface ID in the low-order 64 bits. The interface ID is automatically constructed in IEEE EUI-64 format using the interface’s MAC address.

Configuring a Link-Local IPv6 Address on an Interface

To explicitly enable IPv6 on a router interface without configuring a global or site-local address for the interface, enter commands such as the following:

FastIron(config)#interface ethernet 3/1
FastIron(config-if-e1000-3/1)#ipv6 enable

These commands enable IPv6 on Ethernet interface 3/1 and specify that the interface is assigned an automatically computed link-local address.

Syntax: [no] ipv6 enable

NOTE: When configuring VLANs that share a common tagged interface with a physical or Virtual Ethernet (VE) interface, Foundry recommends that you override the automatically computed link-local address with a manually configured unique address for the interface. If the interface uses the automatically computed address, which in the case of physical and VE interfaces is derived from a global MAC address, all physical and VE interfaces will have the same MAC address.
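The EUI-64 derivation above, the stateless autoconfiguration described earlier in this chapter (prefix from a router advertisement plus an interface ID from the MAC, with the prefix length required to be 64), and the multicast groups an interface joins all reduce to a little address arithmetic. The following Python is an added example written for this guide, not Foundry's implementation. The MAC address 00:40:d0:48:46:72 is an assumption chosen because it yields the interface ID ::240:D0FF:FE48:4672 that the chapter's examples use; the interface names in the duplicate check are constructed and illustrate the case the NOTE above warns about.

```python
import ipaddress
from typing import Dict, List


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC: insert FF:FE between the OUI and
    the device part, then invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big") ^ (1 << 57)   # bit 0x02 of the top octet


def slaac_address(advertised_prefix: str, mac: str) -> str:
    """Address a host forms from an advertised prefix plus its EUI-64 interface ID.
    Stateless autoconfiguration needs a 64-bit prefix, as the chapter's NOTE states."""
    net = ipaddress.IPv6Network(advertised_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"advertised prefix length must be 64, got /{net.prefixlen}")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def link_local_address(mac: str) -> str:
    """The link-local address that 'ipv6 enable' computes automatically: FE80::/10 plus EUI-64."""
    return slaac_address("fe80::/64", mac)


def solicited_node_group(address: str) -> str:
    """FF02::1:FFxx:xxxx, where xx:xxxx is the low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))


def required_groups(unicast_addresses: List[str]) -> List[str]:
    """Multicast groups an interface joins once it has a global or site-local address: one
    solicited-node group per unicast address, all-nodes FF02::1 and all-routers FF02::2."""
    groups = [solicited_node_group(a) for a in unicast_addresses]
    return sorted(set(groups)) + ["ff02::1", "ff02::2"]


def duplicate_link_locals(interface_macs: Dict[str, str]) -> Dict[str, List[str]]:
    """Interfaces whose automatically computed link-local addresses would collide, which is
    what happens when VE and physical interfaces all derive the ID from one global MAC."""
    seen: Dict[str, List[str]] = {}
    for name, mac in interface_macs.items():
        seen.setdefault(link_local_address(mac), []).append(name)
    return {addr: names for addr, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Assumed MAC: it reproduces the interface ID ::240:D0FF:FE48:4672 used in the chapter.
    mac = "00:40:d0:48:46:72"
    print(slaac_address("2001:200:12D:1300::/64", mac))   # 2001:200:12d:1300:240:d0ff:fe48:4672
    print(link_local_address(mac))                        # fe80::240:d0ff:fe48:4672
    print(required_groups([slaac_address("2001:200:12D:1300::/64", mac)]))
    # Constructed interface table: two VEs sharing the chassis MAC, one port with its own MAC.
    print(duplicate_link_locals({"ve 10": mac, "ve 20": mac, "ethernet 3/1": "00:40:d0:48:46:99"}))
```

Two consequences follow directly from the arithmetic. Because the interface ID is the MAC with FF:FE inserted and one bit inverted, anyone who sees an EUI-64 address can read the MAC back out of it. And because the derivation is deterministic, interfaces that share a MAC produce the same link-local address, which duplicate address detection will then flag on the link; the manually configured link-local override in the next section is the remedy the NOTE recommends.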
To override a link-local address that is automatically computed for an interface with a manually configured address, enter commands such as the following:

FastIron(config)#interface ethernet 3/1
FastIron(config-if-e1000-3/1)#ipv6 address FE80::240:D0FF:FE48:4672 link-local

These commands explicitly configure the link-local address FE80::240:D0FF:FE48:4672 for Ethernet interface 3/1.

Syntax: ipv6 address <ipv6-address> link-local

You must specify the <ipv6-address> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. The link-local keyword indicates that the router interface should use the manually configured link-local address instead of the automatically computed link-local address.

Configuring an IPv6 Anycast Address on an Interface

In IPv6, an anycast address is an address for a set of interfaces belonging to different nodes. Sending a packet to an anycast address results in the delivery of the packet to the closest interface configured with the anycast address. An anycast address looks similar to a unicast address, because it is allocated from the unicast address space. If you assign an IPv6 unicast address to multiple interfaces, it is an anycast address. On the Foundry device, you configure an interface assigned an anycast address to recognize the address as an anycast address. For example, the following commands configure an anycast address on interface 2/1:

FastIron(config)#int e 2/1
FastIron(config-if-e1000-2/1)#ipv6 address 2002::/64 anycast

Syntax: ipv6 address <ipv6-prefix>/<prefix-length> [anycast]

IPv6 anycast addresses are described in detail in RFC 1884 (since obsoleted by RFC 2373, the addressing architecture cited elsewhere in this chapter). See RFC 2461 for a description of how the IPv6 Neighbor Discovery mechanism handles anycast addresses.
Configuring IPv4 and IPv6 Protocol Stacks

One situation in which you must configure a router to run both IPv4 and IPv6 protocol stacks is if it is deployed as an endpoint for an IPv6 over IPv4 tunnel. Each router interface that will send and receive both IPv4 and IPv6 traffic must be configured with an IPv4 address and an IPv6 address. (An alternative to configuring a router interface with an IPv6 address is to explicitly enable IPv6 using the ipv6 enable command. For more information about using this command, see “Configuring a Link-Local IPv6 Address on an Interface” on page 8-9.)

To configure a router interface to support both the IPv4 and IPv6 protocol stacks, use commands such as the following:

FastIron(config)#ipv6 unicast-routing
FastIron(config)#interface ethernet 3/1
FastIron(config-if-e1000-3/1)#ip address 192.168.1.1 255.255.255.0
FastIron(config-if-e1000-3/1)#ipv6 address 2001:200:12d:1300::/64 eui-64

These commands globally enable IPv6 routing and configure an IPv4 address and an IPv6 address for Ethernet interface 3/1.

Syntax: [no] ipv6 unicast-routing

To disable IPv6 traffic globally on the router, enter the no form of this command.

Syntax: ip address <ip-address> <sub-net-mask> [secondary]

You must specify the <ip-address> parameter using 8-bit values in dotted decimal notation. You can specify the <sub-net-mask> parameter in either dotted decimal notation or as a decimal value preceded by a slash mark (/). The secondary keyword specifies that the configured address is a secondary IPv4 address. To remove the IPv4 address from the interface, enter the no form of this command.

Syntax: ipv6 address <ipv6-prefix>/<prefix-length> [eui-64]

This syntax specifies a global or site-local IPv6 address. For information about configuring a link-local IPv6 address, see “Configuring a Link-Local IPv6 Address on an Interface” on page 8-9.
You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter. The eui-64 keyword configures the global address with an EUI-64 interface ID in the low-order 64 bits. The interface ID is automatically constructed in IEEE EUI-64 format using the interface’s MAC address. If you do not specify the eui-64 keyword, you must manually configure the 64-bit interface ID as well as the 64-bit network prefix. For more information about manually configuring an interface ID, see “Configuring a Global or Site-Local IPv6 Address with a Manually Configured Interface ID” on page 8-8.

IPv6 Management on FastIron X Series Devices (IPv6 Host Support)

Platform Support: FastIron X Series devices running software release 02.4.00 and later – L2, BL3, L3

You can configure a FastIron X Series switch to serve as an IPv6 host in an IPv6 network. An IPv6 host has IPv6 addresses on its interfaces, but does not have full IPv6 routing enabled on it.
This section describes the following IPv6 host features:

• “IPv6 Access Control Lists”
• “Restricting SNMP Access to an IPv6 Node”
• “Specifying an IPv6 SNMP Trap Receiver”
• “SNMP V3 over IPv6”
• “SNTP over IPv6” on page 8-12
• “Secure Shell, SCP, and IPv6”
• “IPv6 Telnet”
• “IPv6 Web Management using HTTP and HTTPS”
• “Restricting Web Management Access”
• “Configuring Name-to-IPv6 Address Resolution using IPv6 DNS Resolver”
• “Defining an IPv6 DNS Entry”
• “Using the IPv6 copy Command”
• “Using the IPv6 ncopy Command”
• “IPv6 Ping”
• “Configuring an IPv6 Syslog Server”
• “Viewing IPv6 SNMP Server Addresses”
• “Disabling Router Advertisement and Solicitation Messages”
• “IPv6 Debug”
• “Disabling IPv6 on a Layer 2 Switch”

The following IPv6 host feature is also supported:

• “Configuring a Link-Local IPv6 Address as the Switch’s System-Wide Address”

IPv6 Access Control Lists

You can configure an IPv6 ACL to filter traffic to or from an IPv6 host. To do so, see “Configuring IPv6 Access Control Lists (ACLs)” on page 20-1.

Restricting SNMP Access to an IPv6 Node

You can restrict SNMP access (which includes IronView Network Manager) to the device to the IPv6 host whose IP address you specify. To do so, enter a command such as the following:

FastIron(config)#snmp-client ipv6 2001:efff:89::23

Syntax: snmp-client ipv6 <ipv6-address>

The <ipv6-address> you specify must be in hexadecimal format using 16-bit values between colons as documented in RFC 2373.

Specifying an IPv6 SNMP Trap Receiver

You can specify an IPv6 host as a trap receiver to ensure that all SNMP traps sent by the device will go to the same SNMP trap receiver or set of receivers, typically one or more host devices on the network.
To do so, enter a command such as the following:

FastIron(config)#snmp-server host ipv6 2001:efff:89::13

Syntax: snmp-server host ipv6 <ipv6-address>

The <ipv6-address> you specify must be in hexadecimal format using 16-bit values between colons as documented in RFC 2373.

SNMP V3 over IPv6

Foundry FastIron devices support IPv6 for SNMP version 3. For more information about how to configure SNMP, see the chapter “Securing SNMP Access” on page 48-1.

SNTP over IPv6

To enable the Foundry device to send SNTP packets over IPv6, enter a command such as the following at the Global CONFIG level of the CLI:

FastIron(config)#sntp server ipv6 3000::400

Syntax: sntp server ipv6 <ipv6-address>

The <ipv6-address> is the IPv6 address of the SNTP server. When you enter the IPv6 address, you do not need to specify the prefix length. A prefix length of 128 is implied.

Secure Shell, SCP, and IPv6

Secure Shell (SSH) is a mechanism that allows secure remote access to management functions on the Foundry device. SSH provides a function similar to Telnet. You can log in to and configure the Foundry device using a publicly or commercially available SSH client program, just as you can with Telnet. However, unlike Telnet, which sends credentials and session contents in clear text, SSH provides an authenticated, encrypted connection to the Foundry device.

To open an SSH session between an IPv6 host running an SSH client program and the Foundry device, open the SSH client program and specify the IPv6 address of the device. For more information about configuring SSH on the Foundry device, see “Configuring SSHv2 and SCP” on page 42-1.

IPv6 Telnet

Telnet sessions can be established from a Foundry device to a remote IPv6 host, and from a remote IPv6 host to the Foundry device, using IPv6 addresses. The telnet command establishes a Telnet connection from a Foundry device to a remote IPv6 host using the console. Up to five read-access Telnet sessions are supported on the router at one time.
Write-access through Telnet is limited to one session, and only one outgoing Telnet session is supported on the router at one time. To see the number of open Telnet sessions at any time, enter the show telnet command.

EXAMPLE:

To establish a Telnet connection to a remote host with the IPv6 address of 3001:2837:3de2:c37::6, enter the following command:

FastIron#telnet 3001:2837:3de2:c37::6

Syntax: telnet <ipv6-address> [<port-number> | outgoing-interface ethernet <port> | ve <number>]

The <ipv6-address> parameter specifies the address of a remote host. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.

The <port-number> parameter specifies the port number on which the Foundry device establishes the Telnet connection. You can specify a value between 1 - 65535. If you do not specify a port number, the Foundry device establishes the Telnet connection on port 23.

If the IPv6 address you specify is a link-local address, you must specify the outgoing-interface ethernet <port> | ve <number> parameter. This parameter identifies the interface that must be used to reach the remote host. If you specify an Ethernet interface, you must also specify the port number associated with the interface. If you specify a VE interface, also specify the VE number.

Establishing a Telnet Session From an IPv6 Host

To establish a Telnet session from an IPv6 host to the Foundry device, open your Telnet application and specify the IPv6 address of the Layer 3 Switch.
IPv6 Web Management using HTTP and HTTPS

When you have an IPv6 management station connected to a switch with an IPv6 address applied to the management port, you can manage the switch from a Web browser by entering one of the following in the browser address field:

http://[<ipv6 address>]
or
https://[<ipv6 address>]

NOTE: You must enclose the IPv6 address in square brackets [ ] so that the Web browser can distinguish the colons inside the address from the colon that separates the port number.

Restricting Web Management Access

You can restrict Web management access to a Foundry device that is acting as an IPv6 host in two ways: by applying an IPv6 ACL to the Web management function, or by naming the single IPv6 host that is allowed to reach it.

Restricting Web Management Access by Specifying an IPv6 ACL

You can specify an IPv6 ACL that restricts Web management access to management functions on the device that is acting as the IPv6 host. For example:

FastIron(config)#access-list 12 deny host 2000:2383:e0bb::2/128 log
FastIron(config)#access-list 12 deny 30ff:3782::ff89/128 log
FastIron(config)#access-list 12 deny 3000:4828::fe19/128 log
FastIron(config)#access-list 12 permit any
FastIron(config)#web access-group ipv6 12

Syntax: web access-group ipv6 <ipv6 ACL name>

where <ipv6 ACL name> is a valid IPv6 ACL.

This example is a deny list: the three listed hosts are blocked and logged, and every other source is permitted. For a management interface, an allowlist that permits only the management stations and leaves every other source to the ACL’s implicit deny exposes far less when an unexpected host appears on the network.

Restricting Web Management Access to an IPv6 Host

You can restrict Web management access to the device to the IPv6 host whose IP address you specify. No other device except the one with the specified IPv6 address can access the Foundry device’s Web management interface. For example:

FastIron(config)#web client ipv6 3000:2383:e0bb::2/128

Syntax: web client ipv6 <ipv6-address>

The <ipv6-address> you specify must be in hexadecimal format using 16-bit values between colons as documented in RFC 2373.
Configuring Name-to-IPv6 Address Resolution using IPv6 DNS Resolver

The Domain Name System (DNS) resolver feature lets you use a host name to perform Telnet and ping commands. You can also define a DNS domain on a Foundry device and thereby recognize all hosts within that domain. After you define a domain name, the Foundry device automatically appends the appropriate domain to the host and forwards it to the domain name server.

For example, if the domain “newyork.com” is defined on a Foundry device, and you want to initiate a ping to host “NYC01” on that domain, you need to reference only the host name in the command instead of the host name and its domain name. For example, you could enter either of the following commands to initiate the ping:

FastIron#ping ipv6 nyc01
FastIron#ping ipv6 nyc01.newyork.com

Defining an IPv6 DNS Entry

IPv6 defines new DNS record types to resolve queries for domain names to IPv6 addresses, as well as IPv6 addresses to domain names. Foundry devices running IPv6 software support AAAA DNS records, which are defined in RFC 1886. AAAA DNS records are analogous to the A DNS records used with IPv4. They store a complete IPv6 address in each record. AAAA records have a type value of 28.

To establish an IPv6 DNS entry for the device, enter the following command:

FastIron(config)#ipv6 dns domain-name companynet.com

Syntax: [no] ipv6 dns domain-name <domain name>

To define an IPv6 DNS server address, enter the following command:

FastIron(config)#ipv6 dns server-address 200::1

Syntax: [no] ipv6 dns server-address <ipv6-addr> [<ipv6-addr>] [<ipv6-addr>] [<ipv6-addr>]

As an example, in a configuration where ftp6.companynet.com is a server with an IPv6 protocol stack, when a user pings ftp6.companynet.com, the Foundry device attempts to resolve the AAAA DNS record. In addition, if the DNS server does not have an IPv6 address, as long as it is able to resolve AAAA records, it can still respond to DNS queries.
Using the IPv6 copy Command

The copy command for IPv6 allows you to do the following:

• Copy a file from a specified source to an IPv6 TFTP server.
• Copy a file from an IPv6 TFTP server to a specified destination.

TFTP provides neither authentication nor encryption, and a copied configuration can contain the device’s credentials (for example SNMP community strings and password hashes). Reach the TFTP server only across a management network you trust, and restrict who can read the files it stores.

Copying a File to an IPv6 TFTP Server

You can copy a file from the following sources to an IPv6 TFTP server:

• Flash memory.
• Running configuration.
• Startup configuration.

Copying a File from Flash Memory

For example, to copy the primary or secondary boot image from the device’s flash memory to an IPv6 TFTP server, enter a command such as the following:

FastIron#copy flash tftp 2001:7382:e0ff:7837::3 test.img secondary

This command copies the secondary boot image named test.img from flash memory to a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3.

Syntax: copy flash tftp <ipv6-address> <source-file-name> primary | secondary

The <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373. The <source-file-name> parameter specifies the name of the file you want to copy to the IPv6 TFTP server. The primary keyword specifies the primary boot image, while the secondary keyword specifies the secondary boot image.

Copying a File from the Running or Startup Configuration

For example, to copy the running configuration to an IPv6 TFTP server, enter a command such as the following:

FastIron#copy running-config tftp 2001:7382:e0ff:7837::3 newrun.cfg

This command copies the running configuration to a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3 and names the file on the TFTP server newrun.cfg.

Syntax: copy running-config | startup-config tftp <ipv6-address> <destination-file-name>

Specify the running-config keyword to copy the running configuration file to the specified IPv6 TFTP server.
Specify the startup-config keyword to copy the startup configuration file to the specified IPv6 TFTP server. The tftp <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373. The <destination-file-name> parameter specifies the name of the file that is copied to the IPv6 TFTP server.

Copying a File from an IPv6 TFTP Server

You can copy a file from an IPv6 TFTP server to the following destinations:

• Flash memory.
• Running configuration.
• Startup configuration.

Copying a File to Flash Memory

For example, to copy a boot image from an IPv6 TFTP server to the primary or secondary storage location in the device’s flash memory, enter a command such as the following:

FastIron#copy tftp flash 2001:7382:e0ff:7837::3 test.img secondary

This command copies a boot image named test.img from an IPv6 TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3 to the secondary storage location in the device’s flash memory.

Syntax: copy tftp flash <ipv6-address> <source-file-name> primary | secondary

The <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373. The <source-file-name> parameter specifies the name of the file you want to copy from the IPv6 TFTP server. The primary keyword specifies the primary storage location in the device’s flash memory, while the secondary keyword specifies the secondary storage location in the device’s flash memory.

Copying a File to the Running or Startup Configuration

For example, to copy a configuration file from an IPv6 TFTP server to the router’s running or startup configuration, enter a command such as the following.
FastIron#copy tftp running-config 2001:7382:e0ff:7837::3 newrun.cfg overwrite

This command copies the newrun.cfg file from the IPv6 TFTP server and overwrites the router’s running configuration file with the contents of newrun.cfg.

NOTE: To activate this configuration, you must reload (reset) the device.

Syntax: copy tftp running-config | startup-config <ipv6-address> <source-file-name> [overwrite]

Specify the running-config keyword to copy the running configuration from the specified IPv6 TFTP server. Specify the startup-config keyword to copy the startup configuration from the specified IPv6 TFTP server. The <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373. The <source-file-name> parameter specifies the name of the file that is copied from the IPv6 TFTP server. The overwrite keyword specifies that the device should overwrite the current configuration file with the copied file. If you do not specify this parameter, the device merges the file into the current running or startup configuration but does not overwrite the current configuration.

NOTE: You cannot use the overwrite option from non-console sessions, because it will disconnect the session.

Using the IPv6 ncopy Command

The ncopy command for IPv6 allows you to do the following:

• Copy a primary or secondary boot image from flash memory to an IPv6 TFTP server.
• Copy the running configuration to an IPv6 TFTP server.
• Copy the startup configuration to an IPv6 TFTP server.
• Upload various files from an IPv6 TFTP server.
Copying a Primary or Secondary Boot Image from Flash Memory to an IPv6 TFTP Server

For example, to copy the primary or secondary boot image from the device’s flash memory to an IPv6 TFTP server, enter a command such as the following:

FastIron#ncopy flash primary tftp 2001:7382:e0ff:7837::3 primary.img

This command copies the primary boot image named primary.img from flash memory to a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3.

Syntax: ncopy flash primary | secondary tftp <ipv6-address> <source-file-name>

The primary keyword specifies the primary boot image, while the secondary keyword specifies the secondary boot image. The tftp <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373. The <source-file-name> parameter specifies the name of the file you want to copy from flash memory.

Copying the Running or Startup Configuration to an IPv6 TFTP Server

For example, to copy a device’s running or startup configuration to an IPv6 TFTP server, enter a command such as the following:

FastIron#ncopy running-config tftp 2001:7382:e0ff:7837::3 bakrun.cfg

This command copies a device’s running configuration to a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3 and names the destination file bakrun.cfg.

Syntax: ncopy running-config | startup-config tftp <ipv6-address> <destination-file-name>

Specify the running-config keyword to copy the device’s running configuration or the startup-config keyword to copy the device’s startup configuration. The tftp <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <destination-file-name> parameter specifies the name under which the running or startup configuration is stored on the IPv6 TFTP server.

Uploading Files from an IPv6 TFTP Server

You can upload the following files from an IPv6 TFTP server:

• Primary boot image.
• Secondary boot image.
• Running configuration.
• Startup configuration.

Uploading a Primary or Secondary Boot Image from an IPv6 TFTP Server

For example, to upload a primary or secondary boot image from an IPv6 TFTP server to a device’s flash memory, enter a command such as the following:

FastIron#ncopy tftp 2001:7382:e0ff:7837::3 primary.img flash primary

This command uploads the primary boot image named primary.img from a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3 to the device’s primary storage location in flash memory.

Syntax: ncopy tftp <ipv6-address> <source-file-name> flash primary | secondary

The tftp <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373. The <source-file-name> parameter specifies the name of the file you want to copy from the TFTP server. The primary keyword specifies the primary location in flash memory, while the secondary keyword specifies the secondary location in flash memory.

Uploading a Running or Startup Configuration from an IPv6 TFTP Server

For example, to upload a running or startup configuration from an IPv6 TFTP server to a device, enter a command such as the following:

FastIron#ncopy tftp 2001:7382:e0ff:7837::3 newrun.cfg running-config

This command uploads a file named newrun.cfg from a TFTP server with the IPv6 address of 2001:7382:e0ff:7837::3 to the device.

Syntax: ncopy tftp <ipv6-address> <source-file-name> running-config | startup-config

The tftp <ipv6-address> parameter specifies the address of the TFTP server. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The <source-file-name> parameter specifies the name of the file you want to copy from the TFTP server.

Specify the running-config keyword to upload the specified file from the IPv6 TFTP server to the device. The device merges the specified file into the current running configuration but does not overwrite the current configuration.

Specify the startup-config keyword to upload the specified file from the IPv6 TFTP server to the device. The device merges the specified file into the current startup configuration but does not overwrite the current configuration.

IPv6 Ping

The ping command allows you to verify the connectivity from a Foundry device to an IPv6 device by performing an ICMPv6 echo test. For example, to ping a device with the IPv6 address of 2001:3424:847f:a385:34dd::45 from the Foundry device, enter the following command:

FastIron#ping ipv6 2001:3424:847f:a385:34dd::45

Syntax: ping ipv6 <ipv6-address> [outgoing-interface [<port> | ve <number>]] [source <ipv6-address>] [count <number>] [timeout <milliseconds>] [ttl <number>] [size <bytes>] [quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]

• The <ipv6-address> parameter specifies the address of the device to ping. You must specify this address in hexadecimal using 16-bit values between colons as documented in RFC 2373.
• The outgoing-interface keyword specifies a physical interface over which you can verify connectivity. If you specify a physical interface, such as an Ethernet interface, you must also specify the port number of the interface. If you specify a virtual interface, such as a VE, you must specify the number associated with the VE.
• The source <ipv6-address> parameter specifies an IPv6 address to be used as the origin of the ping packets.
• The count <number> parameter specifies how many ping packets the router sends. You can specify from 1 - 4294967296. The default is 1.
• The timeout <milliseconds> parameter specifies how many milliseconds the router waits for a reply from the pinged device. You can specify a timeout from 1 - 4294967296 milliseconds. The default is 5000 (5 seconds).
• The ttl <number> parameter specifies the maximum number of hops. You can specify a TTL from 1 - 255. The default is 64.
• The size <bytes> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does not include the header. You can specify from 0 - 4000. The default is 16.
• The no-fragment keyword sends the ping packet without fragmentation. (The IPv6 header has no "don’t fragment" bit; in IPv6 only the sending node fragments, so this option simply suppresses fragmentation at the source.) This option is disabled by default.
• The quiet keyword hides informational messages such as a summary of the ping parameters sent to the device, and instead only displays messages indicating the success or failure of the ping. This option is disabled by default.
• The verify keyword verifies that the data in the echo packet (the reply packet) is the same as the data in the echo request (the ping). By default the device does not verify the data.
• The data <1 - 4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default data pattern, "abcd", in the packet’s data payload. The pattern repeats itself throughout the ICMP message (payload) portion of the packet.
• The brief keyword causes ping test characters to be displayed. The following ping test characters are supported:
  !  Indicates that a reply was received.
  .  Indicates that the network server timed out while waiting for a reply.
  U  Indicates that a destination unreachable error PDU was received.
  I  Indicates that the user interrupted ping.

NOTE: For parameters that require a numeric value, the CLI does not check that the value you enter is within the allowed range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid value.
Configuring an IPv6 Syslog Server

To enable IPv6 logging, specify an IPv6 Syslog server. Enter a command such as the following:

FastIron(config)#log host ipv6 2000:2383:e0bb::4/128

Syntax: log host ipv6 <ipv6-address> [<udp-port-num>]

The <ipv6-address> must be in hexadecimal using 16-bit values between colons as documented in RFC 2373. The <udp-port-num> optional parameter specifies the UDP application port used for the Syslog facility.

Viewing IPv6 SNMP Server Addresses

Some of the show commands display IPv6 addresses for IPv6 SNMP servers. The following shows an example output for the show snmp server command.

FastIron#show snmp server
       Contact:
      Location:
 Community(ro): .....
 Traps
              Warm/Cold start: Enable
                      Link up: Enable
                    Link down: Enable
               Authentication: Enable
     Locked address violation: Enable
         Power supply failure: Enable
                  Fan failure: Enable
          Temperature warning: Enable
                 STP new root: Enable
          STP topology change: Enable
                         vsrp: Enable

 Total Trap-Receiver Entries: 4
 Trap-Receiver  IP-Address         Port-Number  Community
      1         192.147.201.100    162          .....
      2         4000::200          162          .....
      3         192.147.202.100    162          .....
      4         3000::200          162          .....

Disabling Router Advertisement and Solicitation Messages

Router advertisement and solicitation messages enable a node on a link to discover the routers on the same link. By default, router advertisement and solicitation messages are permitted on the device. To disable these messages, configure an IPv6 access control list that denies them. The following shows an example configuration.

EXAMPLE:

FastIron(config)#ipv6 access-list rtradvert
FastIron(config)#deny icmp any any router-advertisement
FastIron(config)#deny icmp any any router-solicitation
FastIron(config)#permit ipv6 any any

Defining the ACL by itself filters nothing; it takes effect only once it is applied to the interfaces concerned, as described in “Configuring IPv6 Access Control Lists (ACLs)” on page 20-1. Dropping router advertisements on ports that face end hosts also stops an untrusted host on that link from announcing itself as a router and redirecting the link’s IPv6 traffic.

IPv6 Debug

The debug ipv6 commands enable the collection of information about IPv6 configurations for troubleshooting.
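Because an ACL is evaluated top-down, with the first matching entry deciding and an implicit deny after the last entry, it pays to check what a management ACL actually admits before applying it. The following Python script is an added example, not Foundry code and not part of the original guide: it replays the deny-list Web management ACL from “Restricting Web Management Access by Specifying an IPv6 ACL” and the rtradvert ACL above against constructed packets, and shows that the deny list admits any host it does not name while an allowlist does not. The 2001:db8:: addresses, the single-host allowlist and the packet contents are assumptions; the ICMPv6 type numbers are those of RFC 2461.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ICMPv6 type numbers (RFC 2461) behind the keywords the CLI accepts.
ICMPV6_TYPE = {
    "router-solicitation": 133,
    "router-advertisement": 134,
    "neighbor-solicitation": 135,
    "neighbor-advertisement": 136,
}
ECHO_REQUEST = 128


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str = "ipv6"           # "ipv6" matches any protocol; "icmp" only ICMPv6
    src: str = "any"                 # "any" or an IPv6 prefix / host
    dst: str = "any"
    icmp_type: Optional[int] = None  # None matches every ICMPv6 type


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                    # "icmp", "tcp", "udp", ...
    icmp_type: Optional[int] = None


def _address_matches(pattern: str, address: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(pattern, strict=False)


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ipv6" and rule.protocol != pkt.protocol:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return _address_matches(rule.src, pkt.src) and _address_matches(rule.dst, pkt.dst)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Top-down, first match decides; no match falls through to the implicit deny."""
    for rule in acl:
        if _rule_matches(rule, pkt):
            return rule.action
    return "deny"


# ACL 12 as written on this page: three denied hosts, then "permit any".
WEB_DENY_LIST = [
    Rule("deny", src="2000:2383:e0bb::2/128"),
    Rule("deny", src="30ff:3782::ff89/128"),
    Rule("deny", src="3000:4828::fe19/128"),
    Rule("permit"),
]

# Allowlist alternative (assumed management station): only it is permitted;
# every other source reaches the implicit deny.
WEB_ALLOW_LIST = [Rule("permit", src="3000:2383:e0bb::2/128")]

# The rtradvert ACL from "Disabling Router Advertisement and Solicitation Messages".
RTRADVERT = [
    Rule("deny", "icmp", icmp_type=ICMPV6_TYPE["router-advertisement"]),
    Rule("deny", "icmp", icmp_type=ICMPV6_TYPE["router-solicitation"]),
    Rule("permit"),
]

# Constructed traffic; 2001:db8::/32 is the documentation prefix, not a real host.
SWITCH = "2001:db8::1"
UNKNOWN_HOST = Packet("2001:db8:feed::7", SWITCH, "tcp")
DENIED_HOST = Packet("2000:2383:e0bb::2", SWITCH, "tcp")
MGMT_STATION = Packet("3000:2383:e0bb::2", SWITCH, "tcp")
ROGUE_RA = Packet("fe80::1", "ff02::1", "icmp", ICMPV6_TYPE["router-advertisement"])
RS = Packet("fe80::2", "ff02::2", "icmp", ICMPV6_TYPE["router-solicitation"])
ECHO = Packet("fe80::2", "fe80::1", "icmp", ECHO_REQUEST)


def compare_web_acls() -> dict:
    """What each management ACL does with a host it was never written for."""
    return {
        "deny-list": evaluate(WEB_DENY_LIST, UNKNOWN_HOST),    # "permit": it gets in
        "allow-list": evaluate(WEB_ALLOW_LIST, UNKNOWN_HOST),  # "deny": implicit deny
    }


if __name__ == "__main__":
    print("unknown host:", compare_web_acls())
    print("RA:", evaluate(RTRADVERT, ROGUE_RA),
          "RS:", evaluate(RTRADVERT, RS),
          "echo:", evaluate(RTRADVERT, ECHO))
```

The evaluator models only the matching fields these two ACLs use (protocol, source, destination and ICMPv6 type); it is enough to show that order and the final entry decide the outcome, which is the property to verify for any ACL that guards a management service.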
Syntax: debug ipv6 address | cache | icmp | mld | nd | packet | ra

• address - IPv6 address
• cache - IPv6 cache entry
• icmp - ICMPv6
• mld - MLD protocol activity. The mld keyword takes one of the following sub-options: add-del-oif [all | clear], clear, detail, down-port, error, group, level, mcache-group, mcache-source, packet, phy-port, prime-port, show, source, timer, vlan
• nd - neighbor discovery
• packet - IPv6 packet
• ra - router advertisement

Disabling IPv6 on a Layer 2 Switch

IPv6 is enabled by default in the Layer 2 switch code. If desired, you can disable IPv6 on a global basis on a device running the switch code. To do so, enter the following command at the Global CONFIG level of the CLI:

FastIron(config)#no ipv6 enable

Syntax: no ipv6 enable

To re-enable IPv6 after it has been disabled, enter ipv6 enable.

NOTE: IPv6 is disabled by default in the router code and must be configured on each interface that will support IPv6.

Configuring a Static IPv6 Route

You can configure a static IPv6 route to be redistributed into a routing protocol, but you cannot redistribute routes learned by a routing protocol into the static IPv6 routing table. Before configuring a static IPv6 route, you must enable the forwarding of IPv6 traffic on the Layer 3 switch using the ipv6 unicast-routing command and enable IPv6 on at least one interface by configuring an IPv6 address or explicitly enabling IPv6 on that interface. For more information on performing these configuration tasks, see “Configuring IPv4 and IPv6 Protocol Stacks” on page 8-10.
To configure a static IPv6 route for a destination network with the prefix 8eff::0/32, a next-hop gateway with the global address 4fee:2343:0:ee44::1, and an administrative distance of 110, enter the following command: FastIron(config)#ipv6 route 8eff::0/32 4fee:2343:0:ee44::1 distance 110 Syntax: ipv6 route <dest-ipv6-prefix>/<prefix-length> <next-hop-ipv6-address> [<metric>] [distance <number>] To configure a static IPv6 route for a destination network with the prefix 8eff::0/32 and a next-hop gateway with the link-local address fe80::1 that the Layer 3 switch can access through Ethernet interface 3/1, enter the following command: FastIron(config)#ipv6 route 8eff::0/32 ethernet 1 fe80::1 Syntax: ipv6 route <dest-ipv6-prefix>/<prefix-length> [ ethernet <slot/port> | ve <num> | null0 ] <next-hop-ipv6address> [<metric>] [distance <number>] To configure a static IPv6 route for a destination network with the prefix 8eff::0/32 and a next-hop gateway that the Layer 3 switch can access through tunnel 1, enter the following command: FastIron(config)#ipv6 route 8eff::0/32 tunnel 1 Syntax: ipv6 route <dest-ipv6-prefix>/<prefix-length> <interface> <port> [<metric>] [distance <number>] 8 - 20 © 2008 Foundry Networks, Inc. December 2008 Configuring IPv6 Connectivity on a FastIron X Series Switch Table 8.3 describes the parameters associated with this command and indicates the status of each parameter. Table 8.3: Static IPv6 route parameters Parameter Configuration Details Status The IPv6 prefix and prefix length of the route’s destination network. You must specify the <dest-ipv6prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. Mandatory for all static IPv6 routes. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6prefix> parameter and precede the <prefix-length> parameter. 
Parameter: The route’s next-hop gateway, which can be one of the following:
• The IPv6 address of a next-hop gateway.
• A tunnel interface.
Configuration Details: You can specify the next-hop gateway as one of the following types of IPv6 addresses:
• A global address.
• A link-local address.
If you specify a global address, you do not need to specify any additional parameters for the next-hop gateway. If you specify a link-local address, you must also specify the interface through which to access the address. You can specify one of the following interfaces:
• An Ethernet interface.
• A tunnel interface.
• A virtual interface (VE).
If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VE or tunnel interface, also specify the VE or tunnel number. You can also specify the next-hop gateway as a tunnel interface. If you specify a tunnel interface, also specify the tunnel number.
Status: Mandatory for all static IPv6 routes.

Parameter: The route’s metric.
Configuration Details: You can specify a value from 1 – 16.
Status: Optional for all static IPv6 routes. (The default metric is 1.)

Parameter: The route’s administrative distance.
Configuration Details: You must specify the distance keyword and any numerical value.
Status: Optional for all static IPv6 routes. (The default administrative distance is 1.)

A metric is a value that the Layer 3 switch uses when comparing this route to other static routes in the IPv6 static route table that have the same destination. The metric applies only to routes that the Layer 3 switch has already placed in the IPv6 static route table.

The administrative distance is a value that the Layer 3 switch uses to compare this route with routes from other route sources that have the same destination. (The Layer 3 switch performs this comparison before placing a route in the IPv6 route table.) This parameter does not apply to routes that are already in the IPv6 route table.
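The two comparisons just described happen at different stages and over different candidate sets, which is easy to get wrong when reasoning about why a particular route was installed. The following Python model is an added example, not Foundry code: it parses the guide's ipv6 route command form, applies administrative distance across route sources first (lower wins; static defaults to 1) and then uses the metric only to break ties among static routes to the same destination. The non-static source names and their distances are assumptions for illustration.

```python
"""Added example (not from the Foundry guide): which route to one destination
is installed when static routes and protocol-learned routes compete.

Rules modelled from the text above:
  - administrative distance is compared across route sources before a route
    enters the IPv6 route table (lower wins; static routes default to 1);
  - the metric (1..16, default 1) is compared only among static routes that
    share a destination.
Source names other than "static" and their distances are assumed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: str          # normalised, e.g. "8eff::/32"
    next_hop: str
    source: str          # "static", "ospf", ... ("ospf" etc. are assumed names)
    distance: int = 1    # administrative distance; guide default is 1
    metric: int = 1      # static-route metric 1..16; guide default is 1


def parse_static_route(cmd: str) -> Route:
    """Parse 'ipv6 route <prefix>/<len> <next-hop> [<metric>] [distance <n>]'."""
    parts = cmd.split()
    if parts[:2] != ["ipv6", "route"]:
        raise ValueError("expected 'ipv6 route ...'")
    prefix = str(ipaddress.IPv6Network(parts[2], strict=False))
    next_hop = str(ipaddress.IPv6Address(parts[3]))
    metric, distance = 1, 1
    rest, i = parts[4:], 0
    while i < len(rest):
        if rest[i] == "distance":
            distance = int(rest[i + 1])
            i += 2
        else:
            metric = int(rest[i])
            i += 1
    if not 1 <= metric <= 16:
        raise ValueError("metric must be 1-16")
    return Route(prefix, next_hop, "static", distance, metric)


def select_route(candidates):
    """Return the route that would be installed for one destination."""
    if len({r.prefix for r in candidates}) != 1:
        raise ValueError("candidates must share a destination")
    best_distance = min(r.distance for r in candidates)
    winners = [r for r in candidates if r.distance == best_distance]
    # Distance ties among static routes are broken by the metric.
    statics = [r for r in winners if r.source == "static"]
    if statics:
        return min(statics, key=lambda r: r.metric)
    return winners[0]
```

Raising the static route's distance above the dynamic route's (the guide's own suggestion for preferring a dynamic route) is what the second scenario in the test exercises: a static route at distance 120 loses to an OSPF-learned route at distance 110.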
In general, a low administrative distance indicates a preferred route. By default, static routes take precedence over routes learned by routing protocols. If you want a dynamic route to be chosen over a static route, you can configure the static route with a higher administrative distance than the dynamic route.

IPv6 Over IPv4 Tunnels

Platform Support: FastIron X Series devices running software release 04.1.00 and later – L2, BL3, L3

To enable communication between isolated IPv6 domains using the IPv4 infrastructure, you can manually configure IPv6 over IPv4 tunnels that provide static point-to-point connectivity. As shown in Figure 8.2, these tunnels encapsulate an IPv6 packet within an IPv4 packet.

Figure 8.2 IPv6 over an IPv4 Tunnel
[Figure not reproduced. It is titled “IPv6 Traffic Over IPv4 Tunnel” and shows an IPv6 Host in an IPv6 Network, a Dual-Stack L3 Switch, an IPv4 Network, a second Dual-Stack L3 Switch, and an IPv6 Host in a second IPv6 Network. On the IPv6 networks the packet is IPv6 Header + IPv6 Data; inside the tunnel it is IPv4 Header + IPv6 Header + IPv6 Data.]

In general, a manually configured tunnel establishes a permanent link between switches in IPv6 domains. A manually configured tunnel has explicitly configured IPv4 addresses for the tunnel source and destination.

This tunneling mechanism requires that the Layer 3 switch at each end of the tunnel run both IPv4 and IPv6 protocol stacks. The Layer 3 switches running both protocol stacks, or dual-stack routers, can interoperate directly with both IPv4 and IPv6 end systems and routers.
See “Configuring IPv4 and IPv6 Protocol Stacks” on page 8-10.

Configuration Notes

• The local tunnel configuration must include both source and destination addresses.
• The remote side of the tunnel must have the opposite source/destination pair.
• A tunnel interface supports static and dynamic IPv6 configuration settings and routing protocols.
• Duplicate Address Detection (DAD) is not currently supported with IPv6 tunnels. Make sure tunnel endpoints do not have duplicate IP addresses.
• Neighbor Discovery (ND) is not supported with IPv6 tunnels.

Configuring a Manual IPv6 Tunnel

You can use a manually configured tunnel to connect two isolated IPv6 domains. You should deploy this point-to-point tunneling mechanism if you need a permanent and stable connection.

To configure a manual IPv6 tunnel, enter commands such as the following on a Layer 3 Switch running both IPv4 and IPv6 protocol stacks on each end of the tunnel:

FastIron(config)#interface tunnel 1
FastIron(config-tnif-1)#tunnel source ethernet 3/1
FastIron(config-tnif-1)#tunnel destination 198.162.100.1
FastIron(config-tnif-1)#tunnel mode ipv6ip
FastIron(config-tnif-1)#ipv6 enable

This example creates tunnel interface 1 and assigns a global IPv6 address with an automatically computed EUI-64 interface ID to it. The IPv4 address assigned to Ethernet interface 3/1 is used as the tunnel source, while the IPv4 address 192.168.100.1 is configured as the tunnel destination. The tunnel mode is specified as a manual IPv6 tunnel. Finally, the tunnel is enabled.

Note that instead of entering ipv6 enable, you could specify an IPv6 address, for example, ipv6 address 2001:b78:384d:34::/64 eui-64, which would also enable the tunnel.

Syntax: [no] interface tunnel <number>

For the <number> parameter, specify a value between 1 – 8.
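The eui-64 keyword mentioned in the example above leaves the interface ID to the switch. The following Python function is an added example, not Foundry code, showing what that automatic computation produces: the 48-bit MAC address is split, ff:fe is inserted in the middle, and the universal/local bit is inverted, giving the low-order 64 bits of the address. The MAC address used here is constructed; the /64 prefix is the one from the example above.

```python
"""Added example (not Foundry code): building the EUI-64 interface ID that the
'eui-64' keyword derives from an interface's MAC address.

Steps (modified EUI-64, RFC 4291 appendix A):
  1. split the 6-octet MAC into two 3-octet halves,
  2. insert 0xFFFE between them,
  3. invert the universal/local bit (bit 1 of the first octet).
The MAC address in the test is constructed for illustration."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface ID for a MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    first = bytes([octets[0] ^ 0x02])          # flip the U/L bit
    return first + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID of the given MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    packed = net.network_address.packed[:8] + eui64_interface_id(mac)
    return ipaddress.IPv6Address(packed)


if __name__ == "__main__":
    # Constructed MAC; prefix from the tunnel example on this page.
    print(eui64_address("2001:b78:384d:34::/64", "00:e0:52:12:34:56"))
```

Because the interface ID is derived from the MAC, the same function reproduces the link-local address (fe80::/64) the interface forms for itself, which is useful when checking that a tunnel endpoint's addresses match what a neighbor expects.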
Syntax: [no] tunnel source <ipv4-address> | ethernet <port> | loopback <number> | ve <number>

The tunnel source can be an IP address or an interface. For <ipv4-address>, use 8-bit values in dotted decimal notation. The ethernet | loopback | ve parameter specifies an interface as the tunnel source. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a loopback or VE interface, also specify the loopback or VE number, respectively.

Syntax: [no] tunnel destination <ipv4-address>

Specify the <ipv4-address> parameter using 8-bit values in dotted decimal notation.

Syntax: [no] tunnel mode ipv6ip

ipv6ip indicates that this is an IPv6 manual tunnel.

Syntax: ipv6 enable

The ipv6 enable command enables the tunnel. Alternatively, you could specify an IPv6 address, which would also enable the tunnel.

Syntax: ipv6 address <ipv6-prefix>/<prefix-length> [eui-64]

The ipv6 address command enables the tunnel. Alternatively, you could enter ipv6 enable, which would also enable the tunnel.

Specify the <ipv6-prefix> parameter in hexadecimal format using 16-bit values between colons as documented in RFC 2373. Specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.

The eui-64 keyword configures the global address with an EUI-64 interface ID in the low-order 64 bits. The interface ID is automatically constructed in IEEE EUI-64 format using the interface’s MAC address.

Clearing IPv6 Tunnel Statistics

You can clear statistics (reset all fields to zero) for all IPv6 tunnels or for a specific tunnel interface.
For example, to clear statistics for tunnel 1, enter the following command at the Privileged EXEC level or any of the Config levels of the CLI:

FastIron#clear ipv6 tunnel 1

To clear statistics for all IPv6 tunnels, enter the following command:

FastIron#clear ipv6 tunnel

Syntax: clear ipv6 tunnel [<number>]

The <number> parameter specifies the tunnel number.

Displaying IPv6 Tunnel Information

Use the commands in this section to display the configuration, status, and counters associated with IPv6 tunnels.

Displaying a Summary of Tunnel Information

To display a summary of tunnel information, enter the following command at any level of the CLI:

FastIron#show ipv6 tunnel
IP6 Tunnels
Tunnel  Mode        Packet Received  Packet Sent
1       configured  0                0
2       configured  0                22419

Syntax: show ipv6 tunnel

This display shows the following information.

Table 8.4: IPv6 Tunnel Summary Information

This Field... Displays...
Tunnel: The tunnel interface number.
Mode: The tunnel mode. Possible modes include the following:
• configured – Indicates a manually configured tunnel.
Packet Received: The number of packets received by a tunnel interface. Note that this is the number of packets received by the CPU. It does not include the number of packets processed in hardware.
Packet Sent: The number of packets sent by a tunnel interface. Note that this is the number of packets sent by the CPU. It does not include the number of packets processed in hardware.
Displaying Tunnel Interface Information

To display status and configuration information for tunnel interface 1, enter the following command at any level of the CLI:

FastIron#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Tunnel source ve 30
  Tunnel destination is 2.2.2.10
  Tunnel mode ipv6ip
  No port name
  MTU 1480 bytes, encapsulation IPV4

Syntax: show interfaces tunnel <number>

The <number> parameter indicates the tunnel interface number for which you want to display information.

This display shows the following information.

Table 8.5: IPv6 Tunnel Interface Information

This Field... Displays...
Tunnel interface status: The status of the tunnel interface can be one of the following:
• up – The tunnel mode is set and the tunnel interface is enabled.
• down – The tunnel mode is not set.
• administratively down – The tunnel interface was disabled with the disable command.
Line protocol status: The status of the line protocol can be one of the following:
• up – IPv4 connectivity is established.
• down – The line protocol is not functioning and is down.
Hardware is tunnel: The interface is a tunnel interface.
Tunnel source: The tunnel source can be one of the following:
• An IPv4 address
• The IPv4 address associated with an interface/port.
Tunnel destination: The tunnel destination can be an IPv4 address.
Tunnel mode: The tunnel mode can be the following:
• ipv6ip – indicates a manually configured tunnel
Port name: The port name configured for the tunnel interface.
MTU: The setting of the IPv6 maximum transmission unit (MTU).
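The display above reports "MTU 1480 bytes, encapsulation IPV4", and Figure 8.2 shows why: in ipv6ip mode every IPv6 packet is carried inside an IPv4 packet, and the 20-byte outer header is taken out of the underlying link MTU. The following Python code is an added example, not Foundry code, that builds that encapsulation and the matching decapsulation check. The IPv4 protocol number 41 is the standard value for IPv6-in-IPv4; the 1500-byte link MTU is assumed, the tunnel source 2.2.2.1 is constructed, and 2.2.2.10 is the destination from the display above.

```python
"""Added example (not Foundry code): IPv6-in-IPv4 ('ipv6ip') encapsulation as
drawn in Figure 8.2, and the origin of the 1480-byte tunnel MTU.

Assumptions: IPv4 protocol number 41 for IPv6-in-IPv4 (standard value), a
1500-byte link MTU, and constructed addresses/payload."""
import ipaddress
import struct

IPPROTO_IPV6 = 41          # outer IPv4 protocol field for an encapsulated IPv6 packet
IPV4_HEADER_LEN = 20       # minimal IPv4 header, no options
IPV6_HEADER_LEN = 40


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum over 16-bit words; 0 when a checksummed header is intact."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal IPv6 packet: version 6, payload length, next header (59 = none), hop limit 64."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def encapsulate_ipv6ip(tunnel_src: str, tunnel_dst: str, ipv6_packet: bytes) -> bytes:
    """Prepend the outer IPv4 header (protocol 41, DF set) as the tunnel endpoint does."""
    total_len = IPV4_HEADER_LEN + len(ipv6_packet)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                      IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(tunnel_src).packed,
                      ipaddress.IPv4Address(tunnel_dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + ipv6_packet


def decapsulate_ipv6ip(frame: bytes) -> bytes:
    """Validate the outer header and return the inner IPv6 packet (what the far end forwards)."""
    if frame[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol is not 41 (IPv6-in-IPv4)")
    if ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    inner = frame[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def tunnel_mtu(link_mtu: int = 1500) -> int:
    """The tunnel MTU is the link MTU minus the outer IPv4 header: 1500 - 20 = 1480."""
    return link_mtu - IPV4_HEADER_LEN
```

A practical consequence of the MTU arithmetic is that an IPv6 packet of 1480 bytes becomes a 1500-byte IPv4 packet; anything larger must be fragmented or rejected before encapsulation, which is why the tunnel interface advertises the reduced MTU to IPv6.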
Displaying Interface Level IPv6 Settings

To display Interface level IPv6 settings for tunnel interface 1, enter the following command at any level of the CLI:

FastIron#show ipv6 inter tunnel 1
Interface Tunnel 1 is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::3:4:2 [Preferred]
  Global unicast address(es):
    1001::1 [Preferred], subnet is 1001::/64
    1011::1 [Preferred], subnet is 1011::/64
  Joined group address(es):
    ff02::1:ff04:2
    ff02::5
    ff02::1:ff00:1
    ff02::2
    ff02::1
  MTU is 1480 bytes
  ICMP redirects are enabled
  No Inbound Access List Set
  No Outbound Access List Set
  OSPF enabled

The display command above reflects the following configuration:

FastIron#show running-config interface tunnel 1
!
interface tunnel 1
 port-name ManualTunnel1
 tunnel mode ipv6ip
 tunnel source loopback 1
 tunnel destination 2.1.1.1
 ipv6 address 1011::1/64
 ipv6 address 1001::1/64
 ipv6 ospf area 0

This display shows the following information.

Table 8.6: Interface Level IPv6 Tunnel Information

This Field... Displays...
Interface Tunnel status: The status of the tunnel interface can be one of the following:
• up – IPv4 connectivity is established.
• down – The tunnel mode is not set.
• administratively down – The tunnel interface was disabled with the disable command.
Line protocol status: The status of the line protocol can be one of the following:
• up – IPv6 is enabled via the ipv6 enable or ipv6 address command.
• down – The line protocol is not functioning and is down.

ECMP Load Sharing for IPv6

The IPv6 route table selects the best route to a given destination from among the routes in the tables maintained by the configured routing protocols (BGP4, OSPF, static, and so on). The IPv6 route table can contain more than one path to a given destination. When this occurs, the Foundry device selects the path with the lowest cost for insertion into the routing table.
If more than one path with the lowest cost exists, all of these paths are inserted into the routing table, subject to the configured maximum number of load sharing paths (by default 4). The device uses Equal-Cost Multi-Path (ECMP) load sharing to select a path to a destination.

When a route is installed for the first time, whether by a routing protocol or as a configured static route, and the IPv6 route table contains multiple equal-cost paths to that route, the device checks the IPv6 neighbor entry for each next hop. Every next hop whose link-layer address has been resolved is stored in hardware. The device initiates neighbor discovery for the next hops whose link-layer addresses are not yet resolved. The hardware hashes each packet and chooses one of the stored paths; the number of paths in hardware is updated as the link-layer address of each next hop is resolved. If the path selected by the device becomes unavailable, the IPv6 neighbor entry changes state and triggers an update of the destination in hardware.

Foundry devices support network-based ECMP load-sharing methods for IPv6 traffic. The Foundry device distributes traffic across equal-cost paths based on an XOR of some bits from the MAC source address, MAC destination address, IPv6 source address, IPv6 destination address, IPv6 flow label, and IPv6 next header. The software selects a path based on a calculation involving the maximum number of load-sharing paths allowed and the actual number of paths to the destination network. This is the default ECMP load-sharing method for IPv6.

You can manually disable or enable ECMP load sharing for IPv6 and specify the number of equal-cost paths the device can distribute traffic across. In addition, you can display information about the status of ECMP load-sharing on the device.
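The two properties that matter operationally in the description above are that only next hops with a resolved link-layer address are eligible in hardware, and that all packets of one flow hash to the same path. The Python model below is an added example, not Foundry code, and does not claim to reproduce the switch's bit selection: the hash (an XOR fold of the six header fields the guide names) is an assumption chosen to keep those two properties. The next-hop addresses, MAC addresses and flow fields are constructed.

```python
"""Added example (not Foundry code): a model of IPv6 ECMP path selection as
described in the text above.

What the model keeps from the guide: a destination may have several equal-cost
next hops, capped by 'ipv6 load-sharing <num>' (2..6, default 4); only next
hops whose neighbor entry is resolved are programmed in hardware; the path is
chosen by hashing MAC source/destination, IPv6 source/destination, flow label
and next header.  The exact XOR bit selection is not documented, so the fold
below is an assumption."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EcmpDestination:
    prefix: str
    next_hops: list                               # equal-cost next-hop addresses, in table order
    resolved: set = field(default_factory=set)    # next hops with a resolved link-layer address
    max_paths: int = 4                            # ipv6 load-sharing <num>

    def __post_init__(self):
        if not 2 <= self.max_paths <= 6:
            raise ValueError("load-sharing paths must be 2-6")

    def neighbor_resolved(self, next_hop: str) -> None:
        """Neighbor discovery completed for a next hop: it becomes usable in hardware."""
        if next_hop in self.next_hops:
            self.resolved.add(next_hop)

    def neighbor_unreachable(self, next_hop: str) -> None:
        """Neighbor entry changed state: the path is withdrawn from hardware."""
        self.resolved.discard(next_hop)

    def hardware_paths(self) -> list:
        """Paths currently programmed: resolved next hops, capped at max_paths."""
        eligible = [nh for nh in self.next_hops if nh in self.resolved]
        return eligible[: self.max_paths]


def flow_hash(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
              flow_label: int, next_header: int) -> int:
    """XOR fold of the header fields the guide lists (assumed fold, one byte wide)."""
    data = (bytes.fromhex(src_mac.replace(":", "")) + bytes.fromhex(dst_mac.replace(":", ""))
            + ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
            + flow_label.to_bytes(3, "big") + bytes([next_header]))
    h = 0
    for b in data:
        h ^= b
    return h


def select_path(dest: EcmpDestination, **flow) -> str:
    """Pick the next hop for one packet; fails while no next hop is resolved."""
    paths = dest.hardware_paths()
    if not paths:
        raise LookupError("no resolved next hop yet; neighbor discovery pending")
    return paths[flow_hash(**flow) % len(paths)]
```

When diagnosing uneven load distribution or a path that "never carries traffic", the resolved set is the first thing to check: a next hop whose neighbor entry never resolves is simply absent from the hardware path list, and the hash distributes over the remaining paths only.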
Disabling or Re-Enabling ECMP Load Sharing for IPv6

ECMP load sharing for IPv6 is enabled by default. To disable the feature, enter the following command:

FastIron(config)#no ipv6 load-sharing

If you want to re-enable the feature after disabling it, you must specify the number of load-sharing paths. The maximum number of paths the device supports is a value from 2 – 6. By entering a command such as the following, IPv6 load-sharing will be re-enabled.

FastIron(config)#ipv6 load-sharing 4

Syntax: [no] ipv6 load-sharing <num>

The <num> parameter specifies the number of paths and can be from 2 – 6. The default is 4.

Changing the Maximum Number of Load Sharing Paths for IPv6

By default, IPv6 ECMP load sharing allows traffic to be balanced across up to four equal paths. You can change the maximum number of paths the device supports to a value from 2 – 6.

To change the number of ECMP load sharing paths for IPv6, enter a command such as the following:

FastIron(config)#ipv6 load-sharing 6

Syntax: [no] ipv6 load-sharing [<num>]

The <num> parameter specifies the number of paths and can be from 2 – 6. The default is 4.

Enabling Support for Network-Based ECMP Load Sharing for IPv6

• Network-based ECMP load sharing is supported. In this configuration, traffic is distributed across equal-cost paths based on the destination network address. Routes to each network are stored in CAM and accessed when a path to a network is required. Because multiple hosts are likely to reside on a network, this method uses fewer CAM entries.
Displaying ECMP Load-Sharing Information for IPv6

To display the status of ECMP load sharing for IPv6, enter the following command:

FastIron#show ipv6
Global Settings
  unicast-routing enabled, hop-limit 64
  No Inbound Access List Set
  No Outbound Access List Set
  Prefix-based IPv6 Load-sharing is Enabled, Number of load share paths: 4

Syntax: show ipv6

Configuring IPv6 ICMP Features

As with the Internet Control Message Protocol (ICMP) for IPv4, ICMP for IPv6 provides error and informational messages. Foundry’s implementation of the stateless auto configuration, neighbor discovery, and path MTU discovery features use ICMP messages.

This section explains how to configure the following IPv6 ICMP features:

• ICMP rate limiting
• ICMP redirects

Configuring ICMP Rate Limiting

You can limit the rate at which IPv6 ICMP error messages are sent out on a network. IPv6 ICMP implements a token bucket algorithm.

To illustrate how this algorithm works, imagine a virtual bucket that contains a number of tokens. Each token represents the ability to send one ICMP error message. Tokens are placed in the bucket at a specified interval until the maximum number of tokens allowed in the bucket is reached. For each error message that ICMP sends, a token is removed from the bucket. If ICMP generates a series of error messages, messages can be sent until the bucket is empty. If the bucket is empty of tokens, error messages cannot be sent until a new token is placed in the bucket.

You can adjust the following elements related to the token bucket algorithm:

• The interval at which tokens are added to the bucket. The default is 100 milliseconds.
• The maximum number of tokens in the bucket. The default is 10 tokens.
For example, to adjust the interval to 1000 milliseconds and the number of tokens to 100 tokens, enter the following command:

FastIron(config)# ipv6 icmp error-interval 1000 100

Syntax: ipv6 icmp error-interval <interval> [<number-of-tokens>]

The interval in milliseconds at which tokens are placed in the bucket can range from 0 – 2147483647. The maximum number of tokens stored in the bucket can range from 1 – 200.

NOTE: If you retain the default interval value or explicitly set the value to 100 milliseconds, output from the show run command does not include the setting of the ipv6 icmp error-interval command because the setting is the default. Also, if you configure the interval value to a number that does not evenly divide into 100000 (100 milliseconds), the system rounds up the value to a next higher value that does divide evenly into 100000. For example, if you specify an interval value of 150, the system rounds up the value to 200.

ICMP rate limiting is enabled by default. To disable ICMP rate limiting, set the interval to zero.

Enabling IPv6 ICMP Redirect Messages

Platform Support:
• FastIron X Series devices running software release 04.2.00 or later – L3

You can enable a Layer 3 switch to send an IPv6 ICMP redirect message to a neighboring host to inform it of a better first-hop router on a path to a destination. By default, the sending of IPv6 ICMP redirect messages by a Layer 3 switch is disabled. (For more information about how ICMP redirect messages are implemented for IPv6, see “Configuring IPv6 Neighbor Discovery” on page 8-29.)

NOTE: This feature is supported on Virtual Ethernet (VE) interfaces only.
For example, to enable the sending of IPv6 ICMP redirect messages on VE 2, enter the following commands:

FastIron(config)#interface ve2
FastIron(config-vif-2)#ipv6 redirects

To disable the sending of IPv6 ICMP redirect messages after it has been enabled on VE 2, enter the following commands:

FastIron(config)#interface ve2
FastIron(config-vif-2)#no ipv6 redirects

Syntax: [no] ipv6 redirects

Use the show ipv6 interface command to verify that the sending of IPv6 ICMP redirect messages is enabled on a particular interface.

Configuring IPv6 Neighbor Discovery

The neighbor discovery feature for IPv6 uses IPv6 ICMP messages to do the following:

• Determine the link-layer address of a neighbor on the same link.
• Verify that a neighbor is reachable.
• Track neighbor routers.

An IPv6 host is required to listen for and recognize the following addresses that identify itself:

• Link-local address.
• Assigned unicast address.
• Loopback address.
• All-nodes multicast address.
• Solicited-node multicast address.
• Multicast address to all other groups to which it belongs.

You can adjust the following IPv6 neighbor discovery features:

• Neighbor solicitation messages for duplicate address detection.
• Router advertisement messages:
  • Interval between router advertisement messages.
  • Value that indicates a router is advertised as a default router (for use by all nodes on a given link).
  • Prefixes advertised in router advertisement messages.
  • Flags for host stateful autoconfiguration.
• Amount of time during which an IPv6 node considers a remote node reachable (for use by all nodes on a given link).

Configuration Notes

NOTE: For all solicitation and advertisement messages, Foundry uses seconds as the unit of measure instead of milliseconds.
• If you add a port to a port-based VLAN, and the port has IPv6 neighbor discovery configuration, the system will clean up the neighbor discovery configuration from the port and display the following message on the console:

ND6 port config on the new member ports removed

• Neighbor discovery is not supported on tunnel interfaces.

Neighbor Solicitation and Advertisement Messages

Neighbor solicitation and advertisement messages enable a node to determine the link-layer address of another node (neighbor) on the same link. (This function is similar to the function provided by the Address Resolution Protocol [ARP] in IPv4.) For example, node 1 on a link wants to determine the link-layer address of node 2 on the same link. To do so, node 1, the source node, multicasts a neighbor solicitation message. The neighbor solicitation message, which has a value of 135 in the Type field of the ICMP packet header, contains the following information:

• Source address: IPv6 address of the node 1 interface that sends the message.
• Destination address: solicited-node multicast address (FF02:0:0:0:0:1:FF00::/104) that corresponds to the IPv6 address of node 2.
• Link-layer address of node 1.
• A query for the link-layer address of node 2.

After receiving the neighbor solicitation message from node 1, node 2 replies by sending a neighbor advertisement message, which has a value of 136 in the Type field of the ICMP packet header. The neighbor advertisement message contains the following information:

• Source address: IPv6 address of the node 2 interface that sends the message.
• Destination address: IPv6 address of node 1.
• Link-layer address of node 2.

After node 1 receives the neighbor advertisement message from node 2, nodes 1 and 2 can now exchange packets on the link.
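The destination of the solicitation is not node 2's own address but a solicited-node multicast group derived from it, which is why the show ipv6 interface output earlier on this page lists groups such as ff02::1:ff04:2 (for fe80::3:4:2) and ff02::1:ff00:1 (for 1001::1 and 1011::1, which share their low-order 24 bits). The Python code below is an added example, not Foundry code: it derives that group and its Ethernet multicast MAC, then runs the NS/NA exchange between node 1 and node 2 as plain Python dictionaries rather than wire format. Link-layer addresses are constructed.

```python
"""Added example (not Foundry code): the solicited-node multicast group a
neighbor solicitation is sent to, and the NS (type 135) / NA (type 136)
exchange described above, modelled as dictionaries.

Addresses fe80::3:4:2, 1001::1 and 1011::1 come from the 'show ipv6
interface' output on this page; MAC addresses are constructed."""
import ipaddress
from typing import Optional

ICMPV6_NEIGHBOR_SOLICITATION = 135
ICMPV6_NEIGHBOR_ADVERTISEMENT = 136
ALL_NODES = "ff02::1"


def solicited_node_multicast(addr: str) -> str:
    """ff02::1:ff00:0/104 with the low-order 24 bits of the unicast address appended."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    prefix = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return str(ipaddress.IPv6Address(prefix + low24))


def solicited_node_mac(addr: str) -> str:
    """Ethernet multicast MAC for the group: 33:33 followed by the group's low 32 bits."""
    group = ipaddress.IPv6Address(solicited_node_multicast(addr)).packed
    return "33:33:" + ":".join(f"{b:02x}" for b in group[-4:])


def neighbor_solicitation(src_ip: str, src_mac: str, target_ip: str) -> dict:
    """Node 1 asks for the link-layer address of target_ip."""
    return {"type": ICMPV6_NEIGHBOR_SOLICITATION, "src": src_ip,
            "dst": solicited_node_multicast(target_ip), "target": target_ip,
            "source_link_layer": src_mac}


def neighbor_advertisement(ns: dict, my_ip: str, my_mac: str) -> Optional[dict]:
    """Node 2 answers only solicitations whose target is one of its own addresses."""
    if ns["type"] != ICMPV6_NEIGHBOR_SOLICITATION or ns["target"] != my_ip:
        return None
    return {"type": ICMPV6_NEIGHBOR_ADVERTISEMENT, "src": my_ip, "dst": ns["src"],
            "target": my_ip, "target_link_layer": my_mac, "solicited": True}


def resolve(node1_ip: str, node1_mac: str, node2_ip: str, node2_mac: str) -> str:
    """Run the exchange and return the link-layer address node 1 learns for node 2."""
    ns = neighbor_solicitation(node1_ip, node1_mac, node2_ip)
    na = neighbor_advertisement(ns, node2_ip, node2_mac)
    if na is None or na["dst"] != node1_ip:
        raise LookupError("no neighbor advertisement received")
    return na["target_link_layer"]
```

Since the group depends only on the low-order 24 bits, many unicast addresses map to one group; a node that joins the group still answers only solicitations naming its own address, which the neighbor_advertisement function models by returning None for any other target.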
After the link-layer address of node 2 is determined, node 1 can send neighbor solicitation messages to node 2 to verify that it is reachable. Also, nodes 1, 2, or any other node on the same link can send a neighbor advertisement message to the all-nodes multicast address (FF02::1) if there is a change in their link-layer address.

Router Advertisement and Solicitation Messages

Router advertisement and solicitation messages enable a node on a link to discover the routers on the same link.

Each configured router interface on a link sends out a router advertisement message, which has a value of 134 in the Type field of the ICMP packet header, periodically to the all-nodes link-local multicast address (FF02::1).

A configured router interface can also send a router advertisement message in response to a router solicitation message from a node on the same link. This message is sent to the unicast IPv6 address of the node that sent the router solicitation message.

At system startup, a host on a link sends a router solicitation message to the all-routers multicast address (FF01). Sending a router solicitation message, which has a value of 133 in the Type field of the ICMP packet header, enables the host to automatically configure its IPv6 address immediately instead of awaiting the next periodic router advertisement message.

Because a host at system startup typically does not have a unicast IPv6 address, the source address in the router solicitation message is usually the unspecified IPv6 address (0:0:0:0:0:0:0:0). If the host has a unicast IPv6 address, the source address is the unicast IPv6 address of the host interface sending the router solicitation message.

Entering the ipv6 unicast-routing command automatically enables the sending of router advertisement messages on all configured router Ethernet interfaces. You can configure several router advertisement message parameters.
For information about disabling the sending of router advertisement messages and the router advertisement parameters that you can configure, see “Enabling and Disabling IPv6 Router Advertisements” on page 8-34 and “Setting IPv6 Router Advertisement Parameters” on page 8-31.

Neighbor Redirect Messages

After forwarding a packet, by default, a router can send a neighbor redirect message to a host to inform it of a better first-hop router. The host receiving the neighbor redirect message will then readdress the packet to the better router.

A router sends a neighbor redirect message only for unicast packets, only to the originating node, and to be processed by the node.

A neighbor redirect message has a value of 137 in the Type field of the ICMP packet header.

Setting Neighbor Solicitation Parameters for Duplicate Address Detection

Although the stateless auto configuration feature assigns the 64-bit interface ID portion of an IPv6 address using the MAC address of the host’s NIC, duplicate MAC addresses can occur. Therefore, the duplicate address detection feature verifies that a unicast IPv6 address is unique before it is assigned to a host interface by the stateless auto configuration feature. Duplicate address detection verifies that a unicast IPv6 address is unique.

If duplicate address detection identifies a duplicate unicast IPv6 address, the address is not used. If the duplicate address is the link-local address of the host interface, the interface stops processing IPv6 packets.

NOTE: Duplicate Address Detection (DAD) is not currently supported with IPv6 tunnels. Make sure tunnel endpoints do not have duplicate IP addresses.
You can configure the following neighbor solicitation message parameters that affect duplicate address detection while it verifies that a tentative unicast IPv6 address is unique:

• The number of consecutive neighbor solicitation messages that duplicate address detection sends on an interface. By default, duplicate address detection sends three neighbor solicitation messages without any follow-up messages.
• The interval in seconds at which duplicate address detection sends a neighbor solicitation message on an interface. By default, duplicate address detection sends a neighbor solicitation message every 1000 milliseconds.

For example, to change the number of neighbor solicitation messages sent on Ethernet interface 3/1 to two and the interval between the transmission of the two messages to 9 seconds, enter the following commands:

FastIron(config)#interface ethernet 3/1
FastIron(config-if-e1000-3/1)#ipv6 nd dad attempt 2
FastIron(config-if-e1000-3/1)#ipv6 nd ns-interval 9000

Syntax: [no] ipv6 nd dad attempt <number>

Syntax: [no] ipv6 nd ns-interval <number>

For the number of neighbor solicitation messages, specify a number from 0 – 255. The default is 3. Configuring a value of 0 disables duplicate address detection processing on the specified interface. To restore the number of messages to the default value, use the no form of this command.

For the interval between neighbor solicitation messages and the value for the retrans timer in router advertisements, specify a number from 0 – 4294967295 milliseconds. The default value for the interval between neighbor solicitation messages is 1000 milliseconds. The default value for the retrans timer is 0. Foundry does not recommend very short intervals in normal IPv6 operation. When a non-default value is configured, the configured time is both advertised and used by the router itself. To restore the default interval, use the no form of this command.
Setting IPv6 Router Advertisement Parameters

You can adjust the following parameters for router advertisement messages:

• The interval (in seconds) at which an interface sends router advertisement messages. By default, an interface sends a router advertisement message every 200 seconds.
• The "router lifetime" value, which is included in router advertisements sent from a particular interface. The value (in seconds) indicates if the router is advertised as a default router on this interface. If you set the value of this parameter to 0, the router is not advertised as a default router on an interface. If you set this parameter to a value that is not 0, the router is advertised as a default router on this interface. By default, the router lifetime value included in router advertisement messages sent from an interface is 1800 seconds.
• The hop limit to be advertised in the router advertisement.

When adjusting these parameter settings, Foundry recommends that the interval between router advertisement transmission be less than or equal to the router lifetime value if the router is advertised as a default router.

For example, to adjust the interval of router advertisements to 300 seconds and the router lifetime value to 1900 seconds on Ethernet interface 3/1, enter the following commands:

FastIron(config)#interface ethernet 3/1
FastIron(config-if-e1000-3/1)#ipv6 nd ra-interval 300
FastIron(config-if-e1000-3/1)#ipv6 nd ra-lifetime 1900
FastIron(config-if-e1000-3/1)#ipv6 nd ra-hop-limit 1

Here is another example with a specified range:

FastIron(config)#interface ethernet 3/1
FastIron(config-if-e1000-3/1)#ipv6 nd ra-interval range 33 55
FastIron(config-if-e1000-3/1)#ipv6 nd ra-lifetime 1900
FastIron(config-if-e1000-3/1)#ipv6 nd ra-hop-limit 1

Syntax: [no] ipv6 nd ra-interval <number> | <min range value> <max range value>

Syntax: [no] ipv6 nd ra-lifetime <number>

Syntax: ipv6 nd ra-hop-limit <number>

<number> is a value from 0 – 255. The default is 64.

The ipv6 nd ra-interval <number> can be a value between 3 – 1800 seconds. The default is 200 seconds. The actual RA interval will be from .5 to 1.5 times the configured or default value. For example, in the above configuration, for ipv6 nd ra-interval 300, the range would be 150 – 450. To restore the default interval of 200 seconds, use the no form of the command.

The ipv6 nd ra-interval range <min range value> <max range value> command lets you specify a range of values instead of a single value:

The <min range value> specifies the minimum number of seconds allowed between sending unsolicited multicast router advertisements from the interface. The default is 0.33 times the <max range value> if the <max range value> is greater than or equal to 9 seconds. Otherwise, the default is the value specified by the <max range value>. The <min range value> can be a number between 3 – (.75 x <max range value>).

The <max range value> parameter specifies the maximum number of seconds allowed between sending unsolicited multicast router advertisements from the interface.
This number can be between 4 – 1800 seconds and must be greater than the <min range value> x 1.33. The default is 600 seconds. The ipv6 nd ra-lifetime <number> is a value between 0 – 9000 seconds. To restore the router lifetime value of 1800 seconds, use the no form of the command. The ipv6 nd ra-hop-limit <number> is a value from 0 – 255. The default is 64. NOTE: By default, router advertisements will always have the MTU option. To suppress the MTU option, use the following command at the Interface level of the CLI: ipv6 nd suppress-mtu-option. Controlling Prefixes Advertised in IPv6 Router Advertisement Messages By default, router advertisement messages include prefixes configured as addresses on router interfaces using the ipv6 address command. You can use the ipv6 nd prefix-advertisement command to control exactly which prefixes are included in router advertisement messages. Along with which prefixes the router advertisement messages contain, you can also specify the following parameters: • Valid lifetime—(Mandatory) The time interval (in seconds) in which the specified prefix is advertised as valid. The default is 2592000 seconds (30 days). When the timer expires, the prefix is no longer considered to be valid. • Preferred lifetime—(Mandatory) The time interval (in seconds) in which the specified prefix is advertised as preferred. The default is 604800 seconds (7 days). When the timer expires, the prefix is no longer considered to be preferred. • Onlink flag—(Optional) If this flag is set, the specified prefix is assigned to the link upon which it is advertised. Nodes sending traffic to addresses that contain the specified prefix consider the destination to be reachable 8 - 32 © 2008 Foundry Networks, Inc. December 2008 Configuring IPv6 Connectivity on a FastIron X Series Switch on the local link. 
• Autoconfiguration flag—(Optional) If this flag is set, the stateless autoconfiguration feature can use the specified prefix in the automatic configuration of 128-bit IPv6 addresses for hosts on the local link, provided the specified prefix is aggregatable, as specified in RFC 2374.

For example, to advertise the prefix 2001:e077:a487:7365::/64 in router advertisement messages sent out on Ethernet interface 3/1 with a valid lifetime of 1000 seconds, a preferred lifetime of 800 seconds, and the Onlink and Autoconfig flags set, enter the following commands:

  FastIron(config)#interface ethernet 3/1
  FastIron(config-if-e1000-3/1)#ipv6 nd prefix-advertisement 2001:e077:a487:7365::/64 1000 800 onlink autoconfig

Syntax: [no] ipv6 nd prefix-advertisement <ipv6-prefix>/<prefix-length> <valid-lifetime> <preferred-lifetime> [autoconfig] [onlink]

You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.

The valid lifetime and preferred lifetime are numerical values between 0 – 4294967295 seconds. The default valid lifetime is 2592000 seconds (30 days), while the default preferred lifetime is 604800 seconds (7 days).

To remove a prefix from the router advertisement messages sent from a particular interface, use the no form of this command.

Setting Flags in IPv6 Router Advertisement Messages

An IPv6 router advertisement message can include the following flags:

• Managed Address Configuration—This flag indicates to hosts on a local link whether they should use the stateful autoconfiguration feature to get IPv6 addresses for their interfaces. If the flag is set, the hosts use stateful autoconfiguration to get addresses as well as non-IPv6-address information. If the flag is not set, the hosts do not use stateful autoconfiguration to get addresses, and whether the hosts can get non-IPv6-address information from stateful autoconfiguration is determined by the setting of the Other Stateful Configuration flag.

• Other Stateful Configuration—This flag indicates to hosts on a local link whether they can get non-IPv6-address autoconfiguration information. If the flag is set, the hosts can use stateful autoconfiguration to get non-IPv6-address information.

NOTE: When determining if hosts can use stateful autoconfiguration to get non-IPv6-address information, a set Managed Address Configuration flag overrides an unset Other Stateful Configuration flag. In this situation, the hosts can obtain non-address information. However, if the Managed Address Configuration flag is not set and the Other Stateful Configuration flag is set, then the setting of the Other Stateful Configuration flag is used.

By default, the Managed Address Configuration and Other Stateful Configuration flags are not set in router advertisement messages. For example, to set these flags in router advertisement messages sent from Ethernet interface 3/1, enter the following commands:

  FastIron(config)#interface ethernet 3/1
  FastIron(config-if-e1000-3/1)#ipv6 nd managed-config-flag
  FastIron(config-if-e1000-3/1)#ipv6 nd other-config-flag

Syntax: [no] ipv6 nd managed-config-flag

Syntax: [no] ipv6 nd other-config-flag

To remove either flag from router advertisement messages sent on an interface, use the no form of the respective command.

Enabling and Disabling IPv6 Router Advertisements

If IPv6 unicast routing is enabled on an Ethernet interface, by default, this interface sends IPv6 router advertisement messages. However, by default, non-LAN interface types, for example, tunnel interfaces, do not send router advertisement messages.
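The interval, lifetime, hop-limit and flag rules described in the preceding sections can be checked before they are typed into the CLI. The following is an added example, not Foundry code and not part of this guide; the class and function names are this example's own. It models the documented value ranges, the .5 – 1.5 jitter applied to a single ra-interval, the default <min range value>, the Managed/Other flag precedence, and Foundry's recommendation that the interval stay at or below the router lifetime. One assumption goes beyond the page's wording: the recommendation is checked against the jittered upper bound of the interval rather than the configured value, which is the stricter reading.

```python
"""Sanity-check FastIron IPv6 router-advertisement interface settings.

Added example (not Foundry code). It reproduces the rules this guide states
for ipv6 nd ra-interval (single value or range), ra-lifetime, ra-hop-limit,
managed-config-flag and other-config-flag. All names are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RA_INTERVAL_DEFAULT = 200    # seconds, ipv6 nd ra-interval default
RA_LIFETIME_DEFAULT = 1800   # seconds, ipv6 nd ra-lifetime default
RA_HOP_LIMIT_DEFAULT = 64
RA_RANGE_MAX_DEFAULT = 600   # <max range value> default


def range_min_default(max_value: int) -> float:
    """Default <min range value>: 0.33 x max when max >= 9 s, otherwise max itself."""
    return 0.33 * max_value if max_value >= 9 else float(max_value)


@dataclass
class RaSettings:
    interval: Optional[int] = None                     # single ra-interval; None = default
    interval_range: Optional[Tuple[int, int]] = None   # ra-interval range <min> <max>
    lifetime: int = RA_LIFETIME_DEFAULT
    hop_limit: int = RA_HOP_LIMIT_DEFAULT
    managed_flag: bool = False
    other_flag: bool = False
    suppress_ra: bool = False

    def effective_interval(self) -> Tuple[float, float]:
        """Bounds of the interval actually used: a single value is jittered to
        .5 - 1.5 x the configured (or default) value; a range is used as given."""
        if self.interval_range is not None:
            lo, hi = self.interval_range
            return (float(lo), float(hi))
        base = self.interval if self.interval is not None else RA_INTERVAL_DEFAULT
        return (0.5 * base, 1.5 * base)

    def advertised_as_default_router(self) -> bool:
        """A non-zero ra-lifetime advertises this interface as a default router."""
        return not self.suppress_ra and self.lifetime != 0

    def hosts_get_nonaddress_info_statefully(self) -> bool:
        """A set Managed flag overrides an unset Other flag; otherwise Other decides."""
        return self.managed_flag or self.other_flag

    def validate(self) -> List[str]:
        """Return the documented constraints this configuration violates."""
        problems: List[str] = []
        if self.interval is not None and not 3 <= self.interval <= 1800:
            problems.append("ra-interval must be 3 - 1800 seconds")
        if self.interval_range is not None:
            lo, hi = self.interval_range
            if not 4 <= hi <= 1800:
                problems.append("<max range value> must be 4 - 1800 seconds")
            if not 3 <= lo <= 0.75 * hi:
                problems.append("<min range value> must be 3 - (.75 x <max range value>)")
            if hi <= lo * 1.33:
                problems.append("<max range value> must exceed <min range value> x 1.33")
        if not 0 <= self.lifetime <= 9000:
            problems.append("ra-lifetime must be 0 - 9000 seconds")
        if not 0 <= self.hop_limit <= 255:
            problems.append("ra-hop-limit must be 0 - 255")
        # Foundry recommends interval <= lifetime when advertising as default router.
        # Assumption of this example: compare the jittered upper bound, not the nominal value.
        if self.advertised_as_default_router():
            _, upper = self.effective_interval()
            if upper > self.lifetime:
                problems.append(
                    f"RA interval may reach {upper:.0f} s, above ra-lifetime {self.lifetime} s; "
                    "hosts could expire this default router between advertisements")
        return problems

    def to_cli(self) -> List[str]:
        """Interface-level commands that express these settings (defaults omitted)."""
        lines: List[str] = []
        if self.interval_range is not None:
            lines.append(f"ipv6 nd ra-interval range {self.interval_range[0]} {self.interval_range[1]}")
        elif self.interval is not None:
            lines.append(f"ipv6 nd ra-interval {self.interval}")
        if self.lifetime != RA_LIFETIME_DEFAULT:
            lines.append(f"ipv6 nd ra-lifetime {self.lifetime}")
        if self.hop_limit != RA_HOP_LIMIT_DEFAULT:
            lines.append(f"ipv6 nd ra-hop-limit {self.hop_limit}")
        if self.managed_flag:
            lines.append("ipv6 nd managed-config-flag")
        if self.other_flag:
            lines.append("ipv6 nd other-config-flag")
        if self.suppress_ra:
            lines.append("ipv6 nd suppress-ra")
        return lines


if __name__ == "__main__":
    # The guide's first example: interval 300, lifetime 1900, hop limit 1.
    s = RaSettings(interval=300, lifetime=1900, hop_limit=1)
    print(s.effective_interval(), s.validate(), s.to_cli())
```

Running the module reproduces the guide's example (effective interval 150 – 450, no problems, three commands). A setting such as ra-interval 1500 with the default lifetime of 1800 is flagged, because the jittered interval can reach 2250 seconds.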
To disable the sending of router advertisement messages on an Ethernet interface, enter commands such as the following:

  FastIron(config)#interface ethernet 3/1
  FastIron(config-if-e1000-3/1)#ipv6 nd suppress-ra

To enable the sending of router advertisement messages on a tunnel interface, enter commands such as the following:

  FastIron(config)#interface tunnel 1
  FastIron(config-tnif-1)#no ipv6 nd suppress-ra

Syntax: [no] ipv6 nd suppress-ra

Configuring Reachable Time for Remote IPv6 Nodes

You can configure the duration (in seconds) that a router considers a remote IPv6 node reachable. By default, a router interface uses the value of 30 seconds.

The router advertisement messages sent by a router interface include the amount of time specified by the ipv6 nd reachable-time command so that nodes on a link use the same reachable time duration. By default, the messages include a default value of 0.

Foundry does not recommend configuring a short reachable time duration, because a short duration causes the IPv6 network devices to process the information at a greater frequency.

For example, to configure the reachable time of 40 seconds for Ethernet interface 3/1, enter the following commands:

  FastIron(config)#interface ethernet 3/1
  FastIron(config-if-e1000-3/1)#ipv6 nd reachable-time 40

Syntax: [no] ipv6 nd reachable-time <seconds>

For the <seconds> parameter, specify a number from 0 – 3600 seconds. To restore the default time, use the no form of this command.

NOTE: The actual reachable time will be from .5 to 1.5 times the configured or default value.

Changing the IPv6 MTU

The IPv6 MTU is the maximum length of an IPv6 packet that can be transmitted on a particular interface. If an IPv6 packet is longer than an MTU, the host that originated the packet fragments the packet and transmits its contents in multiple packets that are shorter than the configured MTU.

You can configure the MTU on individual interfaces. Per RFC 2460, the minimum IPv6 MTU for any interface is 1280 bytes. For example, to configure the MTU on Ethernet interface 3/1 as 1280 bytes, enter the following commands:

  FastIron(config)#interface ethernet 3/1
  FastIron(config-if-e1000-3/1)#ipv6 mtu 1280

Syntax: [no] ipv6 mtu <bytes>

You can specify between 1280 – 1500 bytes. If a nondefault value is configured for an interface, router advertisements include an MTU option.

You can configure an IPv6 MTU greater than 1500 bytes, although the default remains at 1500 bytes. The value of the MTU you can define depends on the following:

• For a physical port, the maximum value of the MTU is equal to the maximum frame size of the port minus 18 (Layer 2 MAC header + CRC).

• For a virtual routing interface, the maximum value of the MTU is the maximum frame size configured for the VLAN to which it is associated, minus 18 (Layer 2 MAC header + CRC). If a maximum frame size for a VLAN is not configured, then configure the MTU based on the smallest maximum frame size of all the ports of the VLAN that corresponds to the virtual routing interface, minus 18 (Layer 2 MAC header + CRC).

To define IPv6 MTU globally, enter:

  FastIron(config)#ipv6 mtu 1300

To define IPv6 MTU on an interface, enter:

  FastIron(config-if-e1000-2/1)#ipv6 mtu

Syntax: ipv6 mtu <value>

NOTE: If the size of a jumbo packet received on a port is equal to the maximum frame size – 18 (Layer 2 MAC header + CRC) and this value is greater than the outgoing port’s IPv4/IPv6 MTU, then it will be forwarded in the CPU.

Configuring Static Neighbor Entries

In some special cases, a neighbor cannot be reached using the neighbor discovery feature. In this situation, you can add a static entry to the IPv6 neighbor discovery cache, which causes a neighbor to be reachable at all times without using neighbor discovery. (A static entry in the IPv6 neighbor discovery cache functions like a static ARP entry in IPv4.)
NOTE: A port that has a statically assigned IPv6 entry cannot be added to a VLAN.

NOTE: Static neighbor configurations will be cleared on secondary ports when a trunk is formed.

For example, to add a static entry for a neighbor with the IPv6 address 3001:ffe0:2678:47b and link-layer address 0004.6a2b.8641 that is reachable through Ethernet interface 3/1, enter the following command:

  FastIron(config)#ipv6 neighbor 3001:ffe0:2678:47b ethernet 3/1 0004.6a2b.8641

Syntax: [no] ipv6 neighbor <ipv6-address> ethernet <port> | ve <ve-number> [ethernet <port>] <link-layer-address>

The <ipv6-address> parameter specifies the address of the neighbor.

The ethernet | ve parameter specifies the interface through which to reach a neighbor. If you specify an Ethernet interface, specify the port number of the Ethernet interface. If you specify a VE, specify the VE number and then the Ethernet port numbers associated with the VE.

The link-layer address is the 48-bit hardware address of the neighbor.

If you attempt to add an entry that already exists in the neighbor discovery cache, the software changes the already existing entry to a static entry.

To remove a static IPv6 entry from the IPv6 neighbor discovery cache, use the no form of this command.

Limiting the Number of Hops an IPv6 Packet Can Traverse

By default, the maximum number of hops an IPv6 packet can traverse is 64. You can change this value to between 0 – 255 hops. For example, to change the maximum number of hops to 70, enter the following command:

  FastIron(config)#ipv6 hop-limit 70

Syntax: [no] ipv6 hop-limit <number>

Use the no form of the command to restore the default value. hop-limit 0 will transmit packets with the default (64) hop limit. <number> can be from 0 – 255.

Clearing Global IPv6 Information

You can clear the following global IPv6 information:

• Entries from the IPv6 cache.
• Entries from the IPv6 neighbor table.
• IPv6 routes from the IPv6 route table.
• IPv6 traffic statistics.

Clearing the IPv6 Cache

You can remove all entries from the IPv6 cache or specify an entry based on the following:

• IPv6 prefix.
• IPv6 address.
• Interface type.

For example, to remove entries for IPv6 address 2000:e0ff::1, enter the following command at the Privileged EXEC level or any of the Config levels of the CLI:

  FastIron#clear ipv6 cache 2000:e0ff::1

Syntax: clear ipv6 cache [<ipv6-prefix>/<prefix-length> | <ipv6-address> | ethernet <port> | tunnel <number> | ve <number>]

You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.

You must specify the <ipv6-address> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.

The ethernet | tunnel | ve parameter specifies the interfaces for which you can remove cache entries. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VE or tunnel interface, also specify the VE or tunnel number, respectively.

Clearing IPv6 Neighbor Information

You can remove all entries from the IPv6 neighbor table or specify an entry based on the following:

• IPv6 prefix
• IPv6 address
• Interface type

For example, to remove entries for Ethernet interface 3/1, enter the following command at the Privileged EXEC level or any of the CONFIG levels of the CLI:

  FastIron#clear ipv6 neighbor ethernet 3/1

Syntax: clear ipv6 neighbor [<ipv6-prefix>/<prefix-length> | <ipv6-address> | ethernet <port> | ve <number>]

You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.

You must specify the <ipv6-address> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.

The ethernet | ve parameter specifies the interfaces for which you can remove cache entries. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VE, also specify the VE number.

Clearing IPv6 Routes from the IPv6 Route Table

You can clear all IPv6 routes or only those routes associated with a particular IPv6 prefix from the IPv6 route table and reset the routes. For example, to clear IPv6 routes associated with the prefix 2000:7838::/32, enter the following command at the Privileged EXEC level or any of the Config levels of the CLI:

  FastIron#clear ipv6 route 2000:7838::/32

Syntax: clear ipv6 route [<ipv6-prefix>/<prefix-length>]

The <ipv6-prefix>/<prefix-length> parameter clears routes associated with a particular IPv6 prefix. You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.
Clearing IPv6 Traffic Statistics

To clear all IPv6 traffic statistics (reset all fields to zero), enter the following command at the Privileged EXEC level or any of the Config levels of the CLI:

  FastIron(config)#clear ipv6 traffic

Syntax: clear ipv6 traffic

Displaying Global IPv6 Information

You can display output for the following global IPv6 parameters:

• IPv6 cache
• IPv6 interfaces
• IPv6 neighbors
• IPv6 route table
• Local IPv6 routers
• IPv6 TCP connections and the status of individual connections
• IPv6 traffic statistics

Displaying IPv6 Cache Information

The IPv6 cache contains an IPv6 host table that has indices to the next hop gateway and the router interface on which the route was learned. To display IPv6 cache information, enter the following command at any CLI level:

  FastIron#show ipv6 cache
  Total number of cache entries: 10
        IPv6 Address                 Next Hop   Port
  1     5000:2::2                    LOCAL      tunnel 2
  2     2000:4::106                  LOCAL      ethe 3/2
  3     2000:4::110                  DIRECT     ethe 3/2
  4     2002:c0a8:46a::1             LOCAL      ethe 3/2
  5     5005::2e0:52ff:fe99:9737     LOCAL      ethe 3/2
  6     5005::ffff:ffff:feff:ffff    LOCAL      loopback 2
  7     5005::c0a8:46a               LOCAL      tunnel 2
  8     5005::c0a8:46a               LOCAL      tunnel 6
  9     2999::1                      LOCAL      loopback 2
  10    5005::2e0:52ff:fe99:9700     LOCAL      ethe 3/1

Syntax: show ipv6 cache [<index-number> | <ipv6-prefix>/<prefix-length> | <ipv6-address> | ethernet <port> | ve <number> | tunnel <number>]

The <index-number> parameter restricts the display to the entry for the specified index number and subsequent entries.

The <ipv6-prefix>/<prefix-length> parameter restricts the display to the entries for the specified IPv6 prefix. You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.

The <ipv6-address> parameter restricts the display to the entries for the specified IPv6 address. You must specify this parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.

The ethernet | ve | tunnel parameter restricts the display to the entries for the specified interface. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VE interface, also specify the VE number. If you specify a tunnel interface, also specify the tunnel number.

This display shows the following information:

Table 8.7: IPv6 cache information fields
  This Field...                   Displays...
  Total number of cache entries   The number of entries in the cache table.
  IPv6 Address                    The host IPv6 address.
  Next Hop                        The next hop, which can be one of the following:
                                  • Direct – The next hop is directly connected to the router.
                                  • Local – The next hop is originated on this router.
                                  • <ipv6 address> – The IPv6 address of the next hop.
  Port                            The port on which the entry was learned.

Displaying IPv6 Interface Information

To display IPv6 interface information, enter the following command at any CLI level:

  FastIron#show ipv6 interface
  Routing Protocols : R - RIP  O - OSPF
  Interface       Status       Routing   Global Unicast Address
  Ethernet 3/3    down/down    R
  Ethernet 3/5    down/down
  Ethernet 3/17   up/up                  2017::c017:101/64
  Ethernet 3/19   up/up                  2019::c019:101/64
  VE 4            down/down
  VE 14           up/up                  2024::c060:101/64
  Loopback 1      up/up                  ::1/128
  Loopback 2      up/up                  2005::303:303/128
  Loopback 3      up/up

Syntax: show ipv6 interface [<interface> [<port-number> | <number>]]

The <interface> parameter displays detailed information for a specified interface. For the interface, you can specify the Ethernet, loopback, tunnel, or VE keywords. If you specify an Ethernet interface, also specify the port number associated with the interface.
If you specify a loopback, tunnel, or VE interface, also specify the number associated with the interface.

This display shows the following information:

Table 8.8: General IPv6 interface information fields
  This Field...            Displays...
  Routing protocols        A one-letter code that represents a routing protocol that can be enabled on an interface.
  Interface                The interface type, and the port number or number of the interface.
  Status                   The status of the interface. The entry in the Status field will be either “up/up” or “down/down”.
  Routing                  The routing protocols enabled on the interface.
  Global Unicast Address   The global unicast address of the interface.

To display detailed information for a specific interface, enter a command such as the following at any CLI level:

  FastIron#show ipv6 interface ethernet 3/1
  Interface Ethernet 3/1 is up, line protocol is up
    IPv6 is enabled, link-local address is fe80::2e0:52ff:fe99:97
    Global unicast address(es):
    Joined group address(es):
      ff02::9
      ff02::1:ff99:9700
      ff02::2
      ff02::1
    MTU is 1500 bytes
    ICMP redirects are enabled
    ND DAD is enabled, number of DAD attempts: 3
    ND reachable time is 30 seconds
    ND advertised reachable time is 0 seconds
    ND retransmit interval is 1 seconds
    ND advertised retransmit interval is 0 seconds
    ND router advertisements are sent every 200 seconds
    ND router advertisements live for 1800 seconds
    No Inbound Access List Set
    No Outbound Access List Set
    RIP enabled

This display shows the following information:

Table 8.9: Detailed IPv6 interface information fields
  This Field...                    Displays...
  Interface/line protocol status   The status of interface and line protocol. If you have disabled the interface with the disable command, the status will be “administratively down”. Otherwise, the status is either “up” or “down”.
  IPv6 status/link-local address   The status of IPv6. The status is either “enabled” or “disabled”. Displays the link-local address, if one is configured for the interface.
  Global unicast address(es)       Displays the global unicast address(es), if one or more are configured for the interface.
  Joined group address(es)         The multicast address(es) that a router interface listens for and recognizes.
  MTU                              The setting of the maximum transmission unit (MTU) configured for the IPv6 interface. The MTU is the maximum length an IPv6 packet can have to be transmitted on the interface. If an IPv6 packet is longer than an MTU, the host that originated the packet fragments the packet and transmits its contents in multiple packets that are shorter than the configured MTU.
  ICMP                             The setting of the ICMP redirect parameter for the interface.
  ND                               The setting of the various neighbor discovery parameters for the interface.
  Access List                      The inbound and outbound access control lists applied to the interface.
  Routing protocols                The routing protocols enabled on the interface.

Displaying IPv6 Neighbor Information

You can display the IPv6 neighbor table, which contains an entry for each IPv6 neighbor with which the router exchanges IPv6 packets.

To display the IPv6 neighbor table, enter the following command at any CLI level:

  FastIron(config)#show ipv6 neighbor
  Total number of Neighbor entries: 3
  IPv6 Address                LinkLayer-Addr   State    Age    Port    vlan   IsR
  5555::55                    0002.0002.0002   *REACH   0      e 3/1   1      0
  2000:4::110                 00e0.5291.bb37   REACH    20     e 3/1   4      1
  fe80::2e0:52ff:fe91:bb37    00e0.5291.bb37   DELAY    1      e 3/2   5      1
  fe80::2e0:52ff:fe91:bb40    00e0.5291.bb40   STALE    5930   e 3/3   5      1

Syntax: show ipv6 neighbor [<ipv6-prefix>/<prefix-length> | <ipv6-address> | <interface> [<port> | <number>]]

The <ipv6-prefix>/<prefix-length> parameters restrict the display to the entries for the specified IPv6 prefix.
You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.

The <ipv6-address> parameter restricts the display to the entries for the specified IPv6 address. You must specify this parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.

The <interface> parameter restricts the display to the entries for the specified router interface. For this parameter, you can specify the Ethernet or VE keywords. If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VE interface, also specify the VE number.

This display shows the following information:

Table 8.10: IPv6 neighbor information fields
  This Field...                     Displays...
  Total number of neighbor entries  The total number of entries in the IPv6 neighbor table.
  IPv6 Address                      The 128-bit IPv6 address of the neighbor.
  Link-Layer Address                The 48-bit interface ID of the neighbor.
  State                             The current state of the neighbor. Possible states are as follows:
                                    • INCOMPLETE – Address resolution of the entry is being performed.
                                    • *REACH – The static forward path to the neighbor is functioning properly.
                                    • REACH – The forward path to the neighbor is functioning properly.
                                    • STALE – This entry has remained unused for the maximum interval. While stale, no action takes place until a packet is sent.
                                    • DELAY – This entry has remained unused for the maximum interval, and a packet was sent before another interval elapsed.
                                    • PROBE – Neighbor solicitations are transmitted until a reachability confirmation is received.
  Age                               The number of seconds the entry has remained unused. If this value remains unused for the number of seconds specified by the ipv6 nd reachable-time command (the default is 30 seconds), the entry is removed from the table.
  Port                              The physical port on which the entry was learned.
  vlan                              The VLAN on which the entry was learned.
  IsR                               Determines if the neighbor is a router or host:
                                    0 – Indicates that the neighbor is a host.
                                    1 – Indicates that the neighbor is a router.

Displaying the IPv6 Route Table

To display the IPv6 route table, enter the following command at any CLI level:

  FastIron#show ipv6 route
  IPv6 Routing Table - 7 entries:
  Type Codes: C - Connected, S - Static, R - RIP, O - OSPF, B - BGP
  OSPF Sub Type Codes: O - Intra, Oi - Inter, O1 - Type1 external, O2 - Type2 external
  Type   IPv6 Prefix           Next Hop Router             Interface     Dis/Metric
  C      2000:4::/64           ::                          ethe 3/2      0/0
  S      2002::/16             ::                          tunnel 6      1/1
  S      2002:1234::/32        ::                          tunnel 6      1/1
  C      2002:c0a8:46a::/64    ::                          ethe 3/2      0/0
  C      2999::1/128           ::                          loopback 2    0/0
  O      2999::2/128           fe80::2e0:52ff:fe91:bb37    ethe 3/2      110/1
  C      5000:2::/64           ::                          tunnel 2      0/0

Syntax: show ipv6 route [<ipv6-address> | <ipv6-prefix>/<prefix-length> | bgp | connect | ospf | rip | static | summary]

The <ipv6-address> parameter restricts the display to the entries for the specified IPv6 address. You must specify the <ipv6-address> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.

The <ipv6-prefix>/<prefix-length> parameters restrict the display to the entries for the specified IPv6 prefix. You must specify the <ipv6-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the <prefix-length> parameter as a decimal value. A slash mark (/) must follow the <ipv6-prefix> parameter and precede the <prefix-length> parameter.

The bgp keyword restricts the display to entries for BGP4+ routes.
The connect keyword restricts the display to entries for directly connected interface IPv6 routes.

The ospf keyword restricts the display to entries for OSPFv3 routes.

The rip keyword restricts the display to entries for RIPng routes.

The static keyword restricts the display to entries for static IPv6 routes.

The summary keyword displays a summary of the prefixes and different route types.

The following table lists the information displayed by the show ipv6 route command.

Table 8.11: IPv6 route table fields
  This Field...       Displays...
  Number of entries   The number of entries in the IPv6 route table.
  Type                The route type, which can be one of the following:
                      • C – The destination is directly connected to the router.
                      • S – The route is a static route.
                      • R – The route is learned from RIPng.
                      • O – The route is learned from OSPFv3.
                      • B – The route is learned from BGP4+.
  IPv6 Prefix         The destination network of the route.
  Next-Hop Router     The next-hop router.
  Interface           The interface through which this router sends packets to reach the route's destination.
  Dis/Metric          The route’s administrative distance and metric value.

To display a summary of the IPv6 route table, enter the following command at any CLI level:

  FastIron#show ipv6 route summary
  IPv6 Routing Table - 7 entries:
    4 connected, 2 static, 0 RIP, 1 OSPF, 0 BGP
  Number of prefixes:
    /16: 1  /32: 1  /64: 3  /128: 2

The following table lists the information displayed by the show ipv6 route summary command:

Table 8.12: IPv6 route table summary fields
  This Field...          Displays...
  Number of entries      The number of entries in the IPv6 route table.
  Number of route types  The number of entries for each route type.
  Number of prefixes     A summary of prefixes in the IPv6 route table, sorted by prefix length.

Displaying Local IPv6 Routers

The Foundry device can function as an IPv6 host, instead of an IPv6 router, if you configure IPv6 addresses on its interfaces but don’t enable IPv6 routing using the ipv6 unicast-routing command.

From the IPv6 host, you can display information about IPv6 routers to which the host is connected. The host learns about the routers through their router advertisement messages. To display information about the IPv6 routers connected to an IPv6 host, enter the following command at any CLI level:

  FastIron#show ipv6 router
  Router fe80::2e0:80ff:fe46:3431 on Ethernet 50, last update 0 min
    Hops 64, Lifetime 1800 sec
    Reachable time 0 msec, Retransmit time 0 msec

Syntax: show ipv6 router

If you configure your Foundry device to function as an IPv6 router (you configure IPv6 addresses on its interfaces and enable IPv6 routing using the ipv6 unicast-routing command) and you enter the show ipv6 router command, you will receive the following output:

  No IPv6 router in table

Meaningful output for this command is generated for Foundry devices configured to function as IPv6 hosts only.

This display shows the following information:

Table 8.13: IPv6 local router information fields
  This Field...                                   Displays...
  Router <ipv6 address> on <interface> <port>     The IPv6 address for a particular router interface.
  Last update                                     The amount of elapsed time (in minutes) between the current and previous updates received from a router.
  Hops                                            The default value that should be included in the Hop Count field of the IPv6 header for outgoing IPv6 packets. The hops value applies to the router for which you are displaying information and should be followed by IPv6 hosts attached to the router. A value of 0 indicates that the router leaves this field unspecified.
  Lifetime                                        The amount of time (in seconds) that the router is useful as the default router.
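Returning to the show ipv6 neighbor display described above (Table 8.10): the table is easier to audit once it is parsed into records rather than read off the screen. The following is an added example, not Foundry code and not part of this guide; the sample screen text is constructed to match the documented column layout, and the function names are this example's own. It lists which neighbors the switch has marked as routers (IsR = 1), which entries are static (*REACH), which addresses share a link-layer address, and which entries have been unused longer than the configured reachable time.

```python
"""Parse FastIron 'show ipv6 neighbor' output into records for review.

Added example (not Foundry code). The SAMPLE text below is constructed to
follow the column layout documented in Table 8.10; it was not captured from
a device. Function and class names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the guide's example screen (not a real capture).
SAMPLE = """\
FastIron(config)#show ipv6 neighbor
Total number of Neighbor entries: 4
IPv6 Address                LinkLayer-Addr   State    Age    Port    vlan   IsR
5555::55                    0002.0002.0002   *REACH   0      e 3/1   1      0
2000:4::110                 00e0.5291.bb37   REACH    20     e 3/1   4      1
fe80::2e0:52ff:fe91:bb37    00e0.5291.bb37   DELAY    1      e 3/2   5      1
fe80::2e0:52ff:fe91:bb40    00e0.5291.bb40   STALE    5930   e 3/3   5      1
"""

TOTAL_RE = re.compile(r"Total number of Neighbor entries:\s*(\d+)")
ROW_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:]+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<state>\*?[A-Z]+)\s+"          # *REACH marks a static entry
    r"(?P<age>\d+)\s+"
    r"(?P<port>(?:e|ve) \S+)\s+"        # e <slot>/<port> or ve <number>
    r"(?P<vlan>\d+)\s+"
    r"(?P<isr>[01])\s*$"
)


@dataclass
class Neighbor:
    address: str
    link_layer: str
    state: str      # INCOMPLETE, *REACH, REACH, STALE, DELAY or PROBE
    age: int        # seconds the entry has remained unused
    port: str
    vlan: int
    is_router: bool

    @property
    def static(self) -> bool:
        return self.state.startswith("*")


def parse_neighbor_table(text: str) -> List[Neighbor]:
    """Turn the screen text into records; refuse output whose row count
    disagrees with the 'Total number of Neighbor entries' header."""
    rows: List[Neighbor] = []
    declared = None
    for line in text.splitlines():
        m = TOTAL_RE.search(line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(Neighbor(
                address=m["addr"], link_layer=m["mac"], state=m["state"],
                age=int(m["age"]), port=m["port"], vlan=int(m["vlan"]),
                is_router=(m["isr"] == "1")))
    if declared is not None and declared != len(rows):
        raise ValueError(f"header declares {declared} entries, parsed {len(rows)}")
    return rows


def routers(entries: List[Neighbor]) -> List[str]:
    """Addresses of neighbors the switch has marked as routers (IsR = 1)."""
    return [n.address for n in entries if n.is_router]


def static_entries(entries: List[Neighbor]) -> List[str]:
    """Addresses configured with ipv6 neighbor (shown as *REACH)."""
    return [n.address for n in entries if n.static]


def addresses_by_link_layer(entries: List[Neighbor]) -> Dict[str, List[str]]:
    """Group addresses by link-layer address; a host normally shows a link-local
    and a global address behind the same hardware address."""
    groups: Dict[str, List[str]] = {}
    for n in entries:
        groups.setdefault(n.link_layer, []).append(n.address)
    return groups


def aging_out(entries: List[Neighbor], reachable_time: int = 30) -> List[str]:
    """Dynamic entries unused longer than ipv6 nd reachable-time (default 30 s),
    which the table description says are due for removal."""
    return [n.address for n in entries if not n.static and n.age > reachable_time]


if __name__ == "__main__":
    table = parse_neighbor_table(SAMPLE)
    print("routers:", routers(table))
    print("static:", static_entries(table))
    print("aging out:", aging_out(table))
```

On the constructed sample the script reports three neighbors flagged as routers, one static entry, and one STALE entry (age 5930 seconds) past the default reachable time. Feeding it the real screen text of several switches gives a quick inventory of which link-local addresses are acting as routers on each VLAN.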
December 2008 Configuring IPv6 Connectivity on a FastIron X Series Switch Table 8.13: IPv6 local router information fields This Field... Displays... Reachable time The amount of time (in milliseconds) that a router assumes a neighbor is reachable after receiving a reachability confirmation. The reachable time value applies to the router for which you are displaying information and should be followed by IPv6 hosts attached to the router. A value of 0 indicates that the router leaves this field unspecified. Retransmit time The amount of time (in milliseconds) between retransmissions of neighbor solicitation messages. The retransmit time value applies to the router for which you are displaying information and should be followed by IPv6 hosts attached to the router. A value of 0 indicates that the router leaves this field unspecified. Displaying IPv6 TCP Information You can display the following IPv6 TCP information: • General information about each TCP connection on the router, including the percentage of free memory for each of the internal TCP buffers. • Detailed information about a specified TCP connection. To display general information about each TCP connection on the router, enter the following command at any CLI level: FastIron#show ipv6 tcp connections Local IP address:port <-> Remote IP address:port 192.168.182.110:23 <-> 192.168.8.186:4933 192.168.182.110:8218 <-> 192.168.182.106:179 192.168.182.110:8039 <-> 192.168.2.119:179 192.168.182.110:8159 <-> 192.168.2.102:179 2000:4::110:179 <-> 2000:4::106:8222 Total 5 TCP connections TCP state ESTABLISHED ESTABLISHED SYN-SENT SYN-SENT ESTABLISHED (1440) TCP MEMORY USAGE PERCENTAGE FREE TCP = 98 percent FREE TCP QUEUE BUFFER = 99 percent FREE TCP SEND BUFFER = 97 percent FREE TCP RECEIVE BUFFER = 100 percent FREE TCP OUT OF SEQUENCE BUFFER = 100 percent Syntax: show ipv6 tcp connections This display shows the following information: Table 8.14: General IPv6 TCP connection fields This Field... Displays... 
  Local IP address:port
      The IPv4 or IPv6 address and port number of the local router interface over which the TCP connection occurs.
  Remote IP address:port
      The IPv4 or IPv6 address and port number of the remote router interface over which the TCP connection occurs.
  TCP state
      The state of the TCP connection. Possible states include the following:
      • LISTEN – Waiting for a connection request.
      • SYN-SENT – Waiting for a matching connection request after having sent a connection request.
      • SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
      • ESTABLISHED – Data can be sent and received over the connection. This is the normal operational state of the connection.
      • FIN-WAIT-1 – Waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.
      • FIN-WAIT-2 – Waiting for a connection termination request from the remote TCP.
      • CLOSE-WAIT – Waiting for a connection termination request from the local user.
      • CLOSING – Waiting for a connection termination request acknowledgment from the remote TCP.
      • LAST-ACK – Waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).
      • TIME-WAIT – Waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
      • CLOSED – There is no connection state.
  FREE TCP = <percentage>
      The percentage of free TCP control block (TCP) space.
  FREE TCP QUEUE BUFFER = <percentage>
      The percentage of free TCP queue buffer space.
  FREE TCP SEND BUFFER = <percentage>
      The percentage of free TCP send buffer space.
  FREE TCP RECEIVE BUFFER = <percentage>
      The percentage of free TCP receive buffer space.
  FREE TCP OUT OF SEQUENCE BUFFER = <percentage>
      The percentage of free TCP out of sequence buffer space.

To display detailed information about a specified TCP connection, enter a command such as the following at any CLI level:

  FastIron#show ipv6 tcp status 2000:4::110 179 2000:4::106 8222
  TCP: TCP = 0x217fc300
  TCP: 2000:4::110:179 <-> 2000:4::106:8222: state: ESTABLISHED Port: 1
  Send: initial sequence number = 242365900
  Send: first unacknowledged sequence number = 242434080
  Send: current send pointer = 242434080
  Send: next sequence number to send = 242434080
  Send: remote received window = 16384
  Send: total unacknowledged sequence number = 0
  Send: total used buffers 0
  Receive: initial incoming sequence number = 740437769
  Receive: expected incoming sequence number = 740507227
  Receive: received window = 16384
  Receive: bytes in receive queue = 0
  Receive: congestion window = 1459

Syntax: show ipv6 tcp status <local-ip-address> <local-port-number> <remote-ip-address> <remote-port-number>

The <local-ip-address> parameter can be the IPv4 or IPv6 address of the local interface over which the TCP connection is taking place.

The <local-port-number> parameter is the local port number over which a TCP connection is taking place.

The <remote-ip-address> parameter can be the IPv4 or IPv6 address of the remote interface over which the TCP connection is taking place.

The <remote-port-number> parameter is the remote port number over which a TCP connection is taking place.

This display shows the following information:

Table 8.15: Specific IPv6 TCP connection fields

  TCP = <location>
      The location of the TCP.
  <local-ip-address> <local-port-number> <remote-ip-address> <remote-port-number> <state> <port>
      This field provides a general summary of the following:
      • The local IPv4 or IPv6 address and port number.
      • The remote IPv4 or IPv6 address and port number.
      • The state of the TCP connection. For information on possible states, see the table of TCP states on page 8-45.
      • The port numbers of the local interface.
  Send: initial sequence number = <number>
      The initial sequence number sent by the local router.
  Send: first unacknowledged sequence number = <number>
      The first unacknowledged sequence number sent by the local router.
  Send: current send pointer = <number>
      The current send pointer.
  Send: next sequence number to send = <number>
      The next sequence number sent by the local router.
  Send: remote received window = <number>
      The size of the remote received window.
  Send: total unacknowledged sequence number = <number>
      The total number of unacknowledged sequence numbers sent by the local router.
  Send: total used buffers <number>
      The total number of buffers used by the local router in setting up the TCP connection.
  Receive: initial incoming sequence number = <number>
      The initial incoming sequence number received by the local router.
  Receive: expected incoming sequence number = <number>
      The incoming sequence number expected by the local router.
  Receive: received window = <number>
      The size of the local router’s receive window.
  Receive: bytes in receive queue = <number>
      The number of bytes in the local router’s receive queue.
  Receive: congestion window = <number>
      The size of the local router’s receive congestion window.
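The show ipv6 router and show ipv6 tcp connections displays above are the two a defender would poll on a FastIron box acting as an IPv6 host: the first shows every default router the host has accepted from router advertisements (an unexpected entry is what a rogue RA looks like from the host side), the second shows who holds management sessions and how much TCP buffer space is left. The following Python script is an added example, not part of the Foundry guide; it parses constructed copies of both outputs and applies those checks. The second router entry (fe80::1), the management allow-list 192.168.182.0/24, the management port set and the free-memory threshold are assumptions for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the show ipv6 router example in this guide;
# the second entry (fe80::1, lifetime 0) is added for illustration.
SAMPLE_ROUTER_OUTPUT = """\
FastIron#show ipv6 router
Router fe80::2e0:80ff:fe46:3431 on Ethernet 50, last update 0 min
Hops 64, Lifetime 1800 sec
Reachable time 0 msec, Retransmit time 0 msec
Router fe80::1 on Ethernet 50, last update 2 min
Hops 64, Lifetime 0 sec
Reachable time 0 msec, Retransmit time 0 msec
"""

# Constructed sample, modelled on the show ipv6 tcp connections example in this guide.
SAMPLE_TCP_OUTPUT = """\
FastIron#show ipv6 tcp connections
Local IP address:port <-> Remote IP address:port     TCP state
192.168.182.110:23    <-> 192.168.8.186:4933         ESTABLISHED
192.168.182.110:8218  <-> 192.168.182.106:179        ESTABLISHED
192.168.182.110:8039  <-> 192.168.2.119:179          SYN-SENT
192.168.182.110:8159  <-> 192.168.2.102:179          SYN-SENT
2000:4::110:179       <-> 2000:4::106:8222           ESTABLISHED (1440)
Total 5 TCP connections
TCP MEMORY USAGE PERCENTAGE
FREE TCP = 98 percent
FREE TCP QUEUE BUFFER = 99 percent
FREE TCP SEND BUFFER = 97 percent
FREE TCP RECEIVE BUFFER = 100 percent
FREE TCP OUT OF SEQUENCE BUFFER = 100 percent
"""

ROUTER_RE = re.compile(
    r"Router (?P<addr>[0-9A-Fa-f:]+) on (?P<iface>\S+ \S+), last update (?P<age>\d+) min\s+"
    r"Hops (?P<hops>\d+), Lifetime (?P<life>\d+) sec\s+"
    r"Reachable time (?P<reach>\d+) msec, Retransmit time (?P<rexmit>\d+) msec")
# The address:port split is done on the last colon, so IPv6 addresses survive.
CONN_RE = re.compile(r"^(\S+):(\d+)\s+<->\s+(\S+):(\d+)\s+([A-Z-]+)", re.M)
MEM_RE = re.compile(r"^(FREE TCP[A-Z ]*?) = (\d+) percent", re.M)

def parse_ipv6_routers(text):
    """One dict per router the host learned from router advertisements."""
    return [{"address": m["addr"], "interface": m["iface"],
             "last_update_min": int(m["age"]), "hops": int(m["hops"]),
             "lifetime_sec": int(m["life"]), "reachable_ms": int(m["reach"]),
             "retransmit_ms": int(m["rexmit"])} for m in ROUTER_RE.finditer(text)]

def audit_routers(routers, expected_routers):
    """Report routers not on the expected list and routers advertising lifetime 0
    (a lifetime of 0 means the router is not to be used as a default router)."""
    expected = {ip_address(a) for a in expected_routers}
    findings = []
    for r in routers:
        if ip_address(r["address"]) not in expected:
            findings.append(f"unexpected IPv6 router {r['address']} on {r['interface']}")
        if r["lifetime_sec"] == 0:
            findings.append(f"router {r['address']} advertises lifetime 0")
    return findings

def parse_tcp_connections(text):
    return [{"local_ip": m[1], "local_port": int(m[2]), "remote_ip": m[3],
             "remote_port": int(m[4]), "state": m[5]} for m in CONN_RE.finditer(text)]

def parse_tcp_memory(text):
    """The five FREE ... = N percent lines as {pool name: percent free}."""
    return {m[1]: int(m[2]) for m in MEM_RE.finditer(text)}

def in_any(addr, networks):
    ip = ip_address(addr)
    return any(ip.version == n.version and ip in n for n in networks)

def audit_tcp(conns, memory, mgmt_networks, mgmt_ports=(22, 23), min_free_percent=20):
    """Flag established management sessions from outside the management networks,
    outbound connections stuck half-open, and TCP buffer pools running low."""
    nets = [ip_network(n) for n in mgmt_networks]
    findings = []
    for c in conns:
        if (c["local_port"] in mgmt_ports and c["state"] == "ESTABLISHED"
                and not in_any(c["remote_ip"], nets)):
            findings.append(f"management session on port {c['local_port']} from {c['remote_ip']}")
    half_open = sum(1 for c in conns if c["state"] == "SYN-SENT")
    if half_open:
        findings.append(f"{half_open} outbound connection(s) still in SYN-SENT")
    for pool, free in memory.items():
        if free < min_free_percent:
            findings.append(f"{pool} only {free}% free")
    return findings

if __name__ == "__main__":
    routers = parse_ipv6_routers(SAMPLE_ROUTER_OUTPUT)
    for line in audit_routers(routers, ["fe80::2e0:80ff:fe46:3431"]):
        print("ROUTER:", line)
    conns = parse_tcp_connections(SAMPLE_TCP_OUTPUT)
    for line in audit_tcp(conns, parse_tcp_memory(SAMPLE_TCP_OUTPUT), ["192.168.182.0/24"]):
        print("TCP:", line)
```

Run it against the output of the two commands captured from the device; the telnet session from 192.168.8.186 in the sample is flagged only because that address is outside the assumed management network, and the two SYN-SENT entries are reported as a count rather than per line so a peer that is simply down does not drown out the other findings.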
Displaying IPv6 Traffic Statistics

To display IPv6 traffic statistics, enter the following command at any CLI level:

  FastIron#show ipv6 traffic
  IP6 Statistics
    36947 received, 66818 sent, 0 forwarded, 36867 delivered, 0 rawout
    0 bad vers, 23 bad scope, 0 bad options, 0 too many hdr
    0 no route, 0 can't forward, 0 redirect sent
    0 frag recv, 0 frag dropped, 0 frag timeout, 0 frag overflow
    0 reassembled, 0 fragmented, 0 ofragments, 0 can't frag
    0 too short, 0 too small, 11 not member
    0 no buffer, 66819 allocated, 21769 freed
    0 forward cache hit, 46 forward cache miss
  ICMP6 Statistics
  Received:
    0 dest unreach, 0 pkt too big, 0 time exceeded, 0 param prob
    2 echo req, 1 echo reply, 0 mem query, 0 mem report, 0 mem red
    0 router soli, 2393 router adv, 106 nei soli, 3700 nei adv, 0 redirect
    0 bad code, 0 too short, 0 bad checksum, 0 bad len
    0 reflect, 0 nd toomany opt, 0 badhopcount
  Sent:
    0 dest unreach, 0 pkt too big, 0 time exceeded, 0 param prob
    1 echo req, 2 echo reply, 0 mem query, 0 mem report, 0 mem red
    0 router soli, 2423 router adv, 3754 nei soli, 102 nei adv, 0 redirect
    0 error, 0 can't send error, 0 too freq
  Sent Errors:
    0 unreach no route, 0 admin, 0 beyond scope, 0 address, 0 no port
    0 pkt too big, 0 time exceed transit, 0 time exceed reassembly
    0 param problem header, 0 nextheader, 0 option, 0 redirect, 0 unknown
  UDP Statistics
    470 received, 7851 sent, 6 no port, 0 input errors
  TCP Statistics
    57913 active opens, 0 passive opens, 57882 failed attempts
    159 active resets, 0 passive resets, 0 input errors
    565189 in segments, 618152 out segments, 171337 retransmission

Syntax: show ipv6 traffic

This display shows the following information:

Table 8.16: IPv6 traffic statistics fields

IPv6 statistics
  received
      The total number of IPv6 packets received by the router.
  sent
      The total number of IPv6 packets originated and sent by the router.
  forwarded
      The total number of IPv6 packets received by the router and forwarded to other routers.
  delivered
      The total number of IPv6 packets delivered to the upper layer protocol.
  rawout
      This information is used by Foundry Technical Support.
  bad vers
      The number of IPv6 packets dropped by the router because the version number is not 6.
  bad scope
      The number of IPv6 packets dropped by the router because of a bad address scope.
  bad options
      The number of IPv6 packets dropped by the router because of bad options.
  too many hdr
      The number of IPv6 packets dropped by the router because the packets had too many headers.
  no route
      The number of IPv6 packets dropped by the router because there was no route.
  can’t forward
      The number of IPv6 packets the router could not forward to another router.
  redirect sent
      This information is used by Foundry Technical Support.
  frag recv
      The number of fragments received by the router.
  frag dropped
      The number of fragments dropped by the router.
  frag timeout
      The number of fragment timeouts that occurred.
  frag overflow
      The number of fragment overflows that occurred.
  reassembled
      The number of fragmented IPv6 packets that the router reassembled.
  fragmented
      The number of IPv6 packets fragmented by the router to accommodate the MTU of this router or of another device.
  ofragments
      The number of output fragments generated by the router.
  can’t frag
      The number of IPv6 packets the router could not fragment.
  too short
      The number of IPv6 packets dropped because they are too short.
  too small
      The number of IPv6 packets dropped because they don’t have enough data.
  not member
      The number of IPv6 packets dropped because the recipient is not a member of a multicast group.
  no buffer
      The number of IPv6 packets dropped because there is no buffer available.
  forward cache miss
      The number of IPv6 packets received for which there is no corresponding cache entry.

ICMP6 statistics
  Some ICMP statistics apply to both Received and Sent, some apply to Received only, some apply to Sent only, and some apply to Sent Errors only.

  Applies to Received and Sent
  dest unreach
      The number of Destination Unreachable messages sent or received by the router.
  pkt too big
      The number of Packet Too Big messages sent or received by the router.
  time exceeded
      The number of Time Exceeded messages sent or received by the router.
  param prob
      The number of Parameter Problem messages sent or received by the router.
  echo req
      The number of Echo Request messages sent or received by the router.
  echo reply
      The number of Echo Reply messages sent or received by the router.
  mem query
      The number of Group Membership Query messages sent or received by the router.
  mem report
      The number of Membership Report messages sent or received by the router.
  mem red
      The number of Membership Reduction messages sent or received by the router.
  router soli
      The number of Router Solicitation messages sent or received by the router.
  router adv
      The number of Router Advertisement messages sent or received by the router.
  nei soli
      The number of Neighbor Solicitation messages sent or received by the router.
  nei adv
      The number of Neighbor Advertisement messages sent or received by the router.
  redirect
      The number of redirect messages sent or received by the router.

  Applies to Received Only
  bad code
      The number of Bad Code messages received by the router.
  too short
      The number of Too Short messages received by the router.
  bad checksum
      The number of Bad Checksum messages received by the router.
  bad len
      The number of Bad Length messages received by the router.
  nd toomany opt
      The number of Neighbor Discovery Too Many Options messages received by the router.
  badhopcount
      The number of Bad Hop Count messages received by the router.

  Applies to Sent Only
  error
      The number of Error messages sent by the router.
  can’t send error
      The number of times the node encountered errors in ICMP error messages.
  too freq
      The number of times the node has exceeded the frequency of sending error messages.

  Applies to Sent Errors Only
  unreach no route
      The number of Unreachable No Route errors sent by the router.
  admin
      The number of Admin errors sent by the router.
  beyond scope
      The number of Beyond Scope errors sent by the router.
  address
      The number of Address errors sent by the router.
  no port
      The number of No Port errors sent by the router.
  pkt too big
      The number of Packet Too Big errors sent by the router.
  time exceed transit
      The number of Time Exceed Transit errors sent by the router.
  time exceed reassembly
      The number of Time Exceed Reassembly errors sent by the router.
  param problem header
      The number of Parameter Problem Header errors sent by the router.
  nextheader
      The number of Next Header errors sent by the router.
  option
      The number of Option errors sent by the router.
  redirect
      The number of Redirect errors sent by the router.
  unknown
      The number of Unknown errors sent by the router.

UDP statistics
  received
      The number of UDP packets received by the router.
  sent
      The number of UDP packets sent by the router.
  no port
      The number of UDP packets dropped because the packet did not contain a valid UDP port number.
  input errors
      This information is used by Foundry Technical Support.

TCP statistics
  active opens
      The number of TCP connections opened by the router by sending a TCP SYN to another device.
  passive opens
      The number of TCP connections opened by the router in response to connection requests (TCP SYNs) received from other devices.
  failed attempts
      This information is used by Foundry Technical Support.
  active resets
      The number of TCP connections the router reset by sending a TCP RESET message to the device at the other end of the connection.
  passive resets
      The number of TCP connections the router reset because the device at the other end of the connection sent a TCP RESET message.
  input errors
      This information is used by Foundry Technical Support.
  in segments
      The number of TCP segments received by the router.
  out segments
      The number of TCP segments sent by the router.
  retransmission
      The number of segments that the router retransmitted because the retransmission timer for the segment had expired before the device at the other end of the connection had acknowledged receipt of the segment.

Chapter 9 Monitoring Hardware Components

The procedures in this chapter describe how to configure the software to monitor hardware components on FastIron devices. You can configure the software to do the following:
• Detect and report statistics about a cable connected to a copper port
• Monitor temperature and signal power levels for optical transceivers

Table 9.1 lists which FastIron devices support the features discussed in this chapter.

Table 9.1: Hardware Components Monitoring Support for FastIron Devices

  Feature                      FastIron X Series   FGS, FWS, FLS   FGS-STK, FLS-STK
  Virtual cable testing        X                   X               X
  Digital optical monitoring   X                   X               X

Virtual Cable Testing

FastIron devices support Virtual Cable Test (VCT) technology. VCT technology enables the diagnosis of a conductor (wire or cable) by sending a pulsed signal into the conductor, then examining the reflection of that pulse. This method of cable analysis is referred to as Time Domain Reflectometry (TDR).
By examining the reflection, the Foundry device can detect and report cable statistics such as local and remote link pair, cable length, and link status.

Configuration Notes
• This feature is supported on copper ports only. It is not supported on fiber ports.
• The port to which the cable is connected must be enabled when you issue the command to diagnose the cable. If the port is disabled, the command is rejected.
• If the port is operating at 100 Mbps half-duplex, the TDR test on one pair will fail.
• If the remote pair is set to forced 100 Mbps, any change in MDI/MDIX may cause the device to interpret the Multilevel Threshold-3 (MLT-3) as a reflected pulse, in which case, the device will report a faulty condition. In this scenario, it is recommended that you run the TDR test a few times for accurate results.

Command Syntax

To diagnose a cable using TDR, enter commands such as the following at the Privileged EXEC level of the CLI:

  FastIron# phy cable-diag tdr 1

The above command diagnoses the cable attached to port 1. When you issue the phy cable-diag command, the command brings the port down for a second or two, then immediately brings the port back up.
Syntax: phy cable-diag tdr <port-num>

For <port-num>, specify the port in one of the following formats:
• FastIron GS and LS compact switches – <stack-unit/slotnum/portnum>
• FastIron chassis devices – <slotnum/portnum>
• FESX and FWSX compact switches – <portnum>

Viewing the Results of the Cable Analysis

To display the results of the cable analysis, enter a command such as the following at the Privileged EXEC level of the CLI:

  FastIron>show cable-diag tdr 1
  Port   Speed   Local pair   Pair Length   Remote pair   Pair status
  -----  ------  -----------  ------------  ------------  ------------
  01     1000M   Pair A       <50M          Pair B        Terminated
                 Pair B       <50M          Pair A        Terminated
                 Pair C       <50M          Pair D        Terminated
                 Pair D       <50M          Pair C        Terminated

In the above output, Local pair indicates the assignment of wire pairs from left to right, where Pair A is the leftmost pair. Table 9.2 shows the Local pair mapping to the T568A pin/pair and color assignment from the TIA/EIA568-B standard.

Table 9.2: Local Pair Definition

  Local Pair   T568A Pair and Color Assignment
  Pair A       Pair 3 (green)
  Pair B       Pair 2 (orange)
  Pair C       Pair 1 (blue)
  Pair D       Pair 4 (brown)

Figure 9.1 illustrates the T568A pin/pair assignment.

Figure 9.1: T568A Pin/Pair Assignment
  [Diagram: RJ-45 jack, T568A standard, straight-through cable between a PC and a hub. Pair 1 Blue, Pair 2 Orange, Pair 3 Green, Pair 4 Brown. PC pins 1 TX+, 2 TX-, 3 RX+ and 6 RX- connect to hub pins 1 RX+, 2 RX-, 3 TX+ and 6 TX-; pins 4, 5, 7 and 8 are wired straight through.]

Syntax: show cable-diag tdr <port-num>

For <port-num>, specify the port in one of the following formats:
• FastIron GS and LS compact switches – <stack-unit/slotnum/portnum>
• FastIron chassis devices – <slotnum/portnum>
• FESX and FWSX compact switches – <portnum>

Table 9.3 defines the fields shown in the command output.

Table 9.3: Cable Statistics

  Port
      The port that was tested.
  Speed
      The port’s current line speed.
  Local pair
      The local link name. See Table 9.2.
  Pair Length
      The cable length when terminated, or the distance to the point of fault when the line is not up.
  Remote pair
      The remote link name.
  Pair status
      The status of the link. This field displays one of the following:
      • Terminated: The link is up.
      • Shorted: A short is detected in the cable.
      • Open: An opening is detected in the cable.
      • ImpedMis: The impedance is mismatched.
      • Failed: The TDR test failed.

Digital Optical Monitoring

You can configure your Foundry device to monitor optical transceivers in the system, either globally or by specified ports. When this feature is enabled, the system will monitor the temperature and signal power levels for the optical transceivers in the specified ports. Console messages and syslog messages are sent when optical operating conditions fall below or rise above the XFP or SFP manufacturer’s recommended thresholds.

Supported Media

Digital optical monitoring is supported with the following Foundry-qualified media types:
• 1000Base-BX-D
• 1000Base-BX-U
• 1000Base-LHA
• 1000Base-LHB
• 1000Base-LX
• 1000Base-SX
• 1000Base-SX 2
• 100Base-FX-SR
• 100Base-FX-IR
• 100Base-FX-LR
• 10GBase-1310
• 10GBase-ER
• 10GBase-LR
• 10GBase-SR
• 10GBase-ZR
• 10GBase-ZRD

Configuration Limitations

A Foundry chassis device can monitor a maximum of 24 SFPs and 12 XFPs.
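Returning to the show cable-diag tdr output and the Pair status values in Table 9.3 above: because the command reports a length and a termination status per wire pair, a result recorded when a port was commissioned can serve as a baseline, and a later run that shows a pair no longer Terminated, a changed length, or a changed remote-pair mapping is a reason to physically inspect the cable run. The following Python script is an added example and not part of the Foundry guide; it parses a constructed copy of the command output (the Open result on Pair C is invented for illustration) and compares it with a baseline dictionary whose shape is my own.

```python
import re

# Constructed sample, modelled on the show cable-diag tdr 1 example in this guide;
# the Open result on Pair C is made up to show a failing pair.
SAMPLE_TDR_OUTPUT = """\
FastIron>show cable-diag tdr 1
Port   Speed   Local pair   Pair Length   Remote pair   Pair status
-----  ------  -----------  ------------  ------------  ------------
01     1000M   Pair A       <50M          Pair B        Terminated
               Pair B       <50M          Pair A        Terminated
               Pair C       <50M          Pair D        Open
               Pair D       <50M          Pair C        Terminated
"""

PORT_RE = re.compile(r"^(\d+)\s+(\d+M)\s+Pair", re.M)
PAIR_RE = re.compile(
    r"Pair ([A-D])\s+(\S+)\s+Pair ([A-D])\s+(Terminated|Shorted|Open|ImpedMis|Failed)")

# Local pair to T568A pair and colour, from Table 9.2 of this guide.
T568A = {"A": "Pair 3 (green)", "B": "Pair 2 (orange)",
         "C": "Pair 1 (blue)", "D": "Pair 4 (brown)"}

def parse_cable_diag(text):
    """Return {"port", "speed", "pairs": {local letter: {length, remote, status}}}."""
    port = PORT_RE.search(text)
    pairs = {m[1]: {"length": m[2], "remote": m[3], "status": m[4]}
             for m in PAIR_RE.finditer(text)}
    return {"port": port[1] if port else None,
            "speed": port[2] if port else None,
            "pairs": pairs}

def audit_cable(result, baseline):
    """Compare a fresh TDR result with a recorded baseline for the same port.
    baseline is {local letter: {"length": ..., "remote": ...}} captured at commissioning
    (an assumed format, not something the switch stores)."""
    findings = []
    for local, p in sorted(result["pairs"].items()):
        base = baseline.get(local)
        if p["status"] != "Terminated":
            findings.append(f"pair {local} ({T568A[local]}) reports {p['status']}")
        if base and p["length"] != base["length"]:
            findings.append(f"pair {local} length changed from {base['length']} to {p['length']}")
        if base and p["remote"] != base["remote"]:
            findings.append(f"pair {local} now maps to remote pair {p['remote']} (was {base['remote']})")
    return findings

if __name__ == "__main__":
    result = parse_cable_diag(SAMPLE_TDR_OUTPUT)
    # Baseline constructed to match the guide's all-Terminated example for port 1.
    baseline = {local: {"length": "<50M", "remote": remote}
                for local, remote in zip("ABCD", "BADC")}
    print(f"port {result['port']} at {result['speed']}:")
    for line in audit_cable(result, baseline) or ["no change against baseline"]:
        print("  ", line)
```

The length column is coarse (the example reports only "<50M"), so this catches a pair that fails or a cable that is replaced by one of a different length class rather than a metre-level change; run the test from the Privileged EXEC level as described above and remember that it drops the port for a second or two.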
Enabling Digital Optical Monitoring

To enable optical monitoring on all Foundry-qualified optics installed in the device, use the following command:

  FastIron(config)#optical-monitor

To enable optical monitoring on a specific port, use the following command:

  FastIron(config)#interface ethernet 1/1
  FastIron(config-if-e10000-1/1)#optical-monitor

To enable optical monitoring on a range of ports, use the following command:

  FastIron(config)#interface ethernet 1/1 to 1/2
  FastIron(config-mif-e10000-1/1-1/2)#optical-monitor

Syntax: [no] optical-monitor

Use the no form of the command to disable digital optical monitoring.

Setting the Alarm Interval

You can optionally change the interval between which alarms and warning messages are sent. The default interval is three minutes. To change the interval, use the following command:

  FastIron(config)#interface ethernet 1/1 to 1/2
  FastIron(config-mif-e10000-1/1-1/2)#optical-monitor 10

Syntax: [no] optical-monitor [<alarm-interval>]

For <alarm-interval>, enter a value between 1 and 65535. Enter 0 to disable alarms and warning messages.

NOTE: The commands no optical-monitor and optical-monitor 0 perform the same function. That is, they both disable digital optical monitoring.

Displaying Information about Installed Media

Use the show media, show media slot, and show media ethernet commands to obtain information about the media devices installed per device, per slot, and per port. In release 04.1.00 and later, the results displayed from these commands provide the Type, Vendor, Part number, Version and Serial number of the SFP or XFP optical device installed in the port. 1G M-C indicates 1-Gigabit copper media. If no SFP or XFP device is installed in a port, the “Type” field will display “EMPTY”.

The following example outputs are from a FastIron X Series device running software release 04.1.00.
The display outputs on your device may differ, depending on the software version running on the device.

Use the show media command to obtain information about the media devices installed in a device.

  FastIron#show media
  Port 1:  Type : 1G M-SX2(SFP)       Vendor: Foundry Networks   Version: 0000
           Part# : TRPAG1XRPBSS-FY                              Serial#: 0635000468
  Port 2:  Type : EMPTY
  Port 3:  Type : EMPTY
  Port 4:  Type : 100M M-FX-SR(SFP)   Vendor: Foundry Networks   Version: A
           Part# : FTLF1217P2BTL-F1                             Serial#: UCQ003A
  Port 5:  Type : 1G M-C
  Port 6:  Type : 1G M-C
  Port 7:  Type : 1G M-C
  Port 8:  Type : 1G M-C
  Port 9:  Type : 1G M-C
  Port 10: Type : 1G M-C
  Port 11: Type : 1G M-C
  Port 12: Type : 1G M-C
  Port 13: Type : 1G M-C
  Port 14: Type : 1G M-C
  Port 15: Type : 1G M-C
  Port 16: Type : 1G M-C
  Port 17: Type : 1G M-C
  Port 18: Type : 1G M-C
  Port 19: Type : 1G M-C
  Port 20: Type : 1G M-C
  Port 21: Type : 1G M-C
  Port 22: Type : 1G M-C
  Port 23: Type : 1G M-C
  Port 24: Type : 1G M-C
  Port 25: Type : 10G XG-SR(XFP)      Vendor: Foundry Networks   Version: 02
           Part# : JXPR01SW05306                                Serial#: F617604000A3
  Port 26: Type : EMPTY

Use the show media slot command to obtain information about the media device installed in a slot.

  FastIron>show media slot 1
  Port 1/1:  Type : 1G M-SX(SFP)        Vendor: Foundry Networks   Version:
             Part# : PL-XPL-VC-S13-19                             Serial#: 425HC109
  Port 1/2:  Type : 1G M-SX(SFP)        Vendor: Foundry Networks   Version:
             Part# : PL-XPL-VC-S13-19                             Serial#: 411HC0AH
  Port 1/3:  Type : EMPTY
  Port 1/4:  Type : 1G M-SX(SFP)        Vendor: FINISAR CORP.      Version: X1
             Part# : FTRJ-8519-3                                  Serial#: H11654K
  Port 1/5:  Type : EMPTY
  Port 1/6:  Type : EMPTY
  Port 1/7:  Type : 100M M-FX-IR(SFP)   Vendor: Foundry Networks   Version: A
             Part# : FTLF1323P1BTR-FD                             Serial#: UCT000T
  Port 1/8:  Type : EMPTY
  Port 1/9:  Type : 100M M-FX-LR(SFP)   Vendor: Foundry Networks   Version: A
             Part# : FTLF1323P1BTL-FD                             Serial#: UD3085J
  Port 1/10: Type : EMPTY
  Port 1/11: Type : 100M M-FX-SR(SFP)   Vendor: Foundry Networks   Version: A
             Part# : FTLF1217P2BTL-F1                             Serial#: UCQ003J
  Port 1/12: Type : EMPTY
  Port 1/13: Type : 100M M-FX-IR(SFP)   Vendor: Foundry Networks   Version: A
             Part# : FTLF1323P1BTR-F1                             Serial#: PCA2XC5
  ....some lines omitted for brevity....

Use the show media ethernet command to obtain information about the media device installed in a port.

  FastIron>show media e 1/17
  Port 1/17: Type : 1G M-SX(SFP)        Vendor: Foundry Networks   Version:
             Part# : PL-XPL-VC-S13-19                             Serial#: 425HC109

Syntax: show media [slot <slot-num> | ethernet [<slot-num>/]<port-num>]

Viewing Optical Monitoring Information

To view temperature and power information for all qualified XFPs and SFPs in a particular slot, use the show optic command. The following shows an example output.

  FastIron>show optic 4
  Port   Temperature    Tx Power        Rx Power        Tx Bias Current
  +----+-----------+----------+------------+-------------------+
  4/1    30.8242 C      -001.8822 dBm   -002.5908 dBm   41.790 mA
         Normal         Normal          Normal          Normal
  4/2    31.7070 C      -001.4116 dBm   -006.4092 dBm   41.976 mA
         Normal         Normal          Normal          Normal
  4/3    30.1835 C                      -000.5794 dBm   0.000 mA
         Normal         Low-Alarm       Normal          Low-Alarm
  4/4    0.0000 C                                       0.000 mA
         Normal         Normal          Normal          Normal

Syntax: show optic [<slot number>]

NOTE: This function takes advantage of information stored and supplied by the manufacturer of the XFP or SFP transceiver. This information is an optional feature of the Multi-Source Agreement standard defining the optical interface.
Not all component suppliers have implemented this feature set. In such cases where the XFP or SFP transceiver does not supply the information, a “Not Available” message will be displayed for the specific port on which the module is installed.

The following table describes the information displayed by the show optic command.

Table 9.4: Output from the show optic command

  Port
      The Foundry port number.
  Temperature
      • The operating temperature, in degrees Celsius, of the optical transceiver.
      • The alarm status, as described in Table 9.5.
  Tx Power
      • The transmit power signal, in decibels (dB), of the measured power referenced to one milliwatt (mW).
      • The alarm status, as described in Table 9.5.
  Rx Power
      • The receive power signal, in decibels (dB), of the measured power referenced to one milliwatt (mW).
      • The alarm status, as described in Table 9.5.
  Tx Bias Current
      • The transmit bias power signal, in milliamperes (mA).
      • The alarm status, as described in Table 9.5.

For Temperature, Tx Power, Rx Power, and Tx Bias Current in the show optic command output, values are displayed along with one of the following alarm status values: Low-Alarm, Low-Warn, Normal, High-Warn or High-Alarm. The thresholds that determine these status values are set by the manufacturer of the optical transceivers. Table 9.5 describes each of these status values.

Table 9.5: Alarm Status Value Description

  Low-Alarm
      Monitored level has dropped below the "low-alarm" threshold set by the manufacturer of the optical transceiver.
  Low-Warn
      Monitored level has dropped below the "low-warn" threshold set by the manufacturer of the optical transceiver.
  Normal
      Monitored level is within the "normal" range set by the manufacturer of the optical transceiver.
  High-Warn
      Monitored level has climbed above the "high-warn" threshold set by the manufacturer of the optical transceiver.
  High-Alarm
      Monitored level has climbed above the "high-alarm" threshold set by the manufacturer of the optical transceiver.

Viewing Optical Transceiver Thresholds

The thresholds that determine the alarm status values for an optical transceiver are set by the manufacturer of the XFP or SFP. To view the thresholds for a qualified optical transceiver in a particular port, use the show optic threshold command as shown below.

  FastIron>show optic threshold 2/2
  Port 2/2 sfp monitor thresholds:
  Temperature      High alarm     5a00    90.0000 C
  Temperature      Low alarm      d300    -45.0000 C
  Temperature      High warning   5500    85.0000 C
  Temperature      Low warning    d800    -40.0000 C
  Supply Voltage   High alarm     9088
  Supply Voltage   Low alarm      7148
  Supply Voltage   High warning   8ca0
  Supply Voltage   Low warning    7530
  TX Bias          High alarm     7530    60.000 mA
  TX Bias          Low alarm      01f4    1.000 mA
  TX Bias          High warning   61a8    50.000 mA
  TX Bias          Low warning    05dc    3.000 mA
  TX Power         High alarm     1f07    -001.0001 dBm
  TX Power         Low alarm      02c4    -011.4996 dBm
  TX Power         High warning   18a6    -001.9997 dBm
  TX Power         Low warning    037b    -010.5012 dBm
  RX Power         High alarm     2710    000.0000 dBm
  RX Power         Low alarm      0028    -023.9794 dBm
  RX Power         High warning   1f07    -001.0001 dBm
  RX Power         Low warning    0032    -023.0102 dBm

Syntax: show optic threshold <port-num>

For <port-num>, specify the port in one of the following formats:
• FastIron GS and LS compact switches – <stack-unit/slotnum/portnum>
• FastIron chassis devices – <slotnum/portnum>
• FESX and FWSX compact switches – <portnum>

For Temperature, Supply Voltage, TX Bias, TX Power, and RX Power, values are displayed for each of the following four alarm and warning settings: High alarm, Low alarm, High warning, and Low warning. The hexadecimal values are the manufacturer’s internal calibrations, as defined in the SFF-8472 standard.
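The hexadecimal words in the show optic threshold output are the raw SFF-8472 A2h threshold registers, and the decoded column beside them follows the standard's internal-calibration rules: temperature is a signed 16-bit value in 1/256 degree steps, bias current is 2 µA per step, and optical power is 0.1 µW per step converted to dBm. The following Python script is an added example, not part of the Foundry guide; it decodes a constructed copy of the hex values from the 2/2 example above, reproduces the CLI's decoded column (the CLI truncates rather than rounds to four decimals, which is why 0x0032 prints as -023.0102), and classifies a reading into the Table 9.5 status values. The supply voltage decode (100 µV per step) is taken from the standard rather than from the CLI output, which shows no decoded voltage, and the function names are my own.

```python
import math

# Constructed copy of the hex calibration words from the show optic threshold 2/2
# example in this guide, keyed by quantity and threshold name.
SAMPLE_THRESHOLDS_HEX = {
    "Temperature":    {"High alarm": "5a00", "Low alarm": "d300", "High warning": "5500", "Low warning": "d800"},
    "Supply Voltage": {"High alarm": "9088", "Low alarm": "7148", "High warning": "8ca0", "Low warning": "7530"},
    "TX Bias":        {"High alarm": "7530", "Low alarm": "01f4", "High warning": "61a8", "Low warning": "05dc"},
    "TX Power":       {"High alarm": "1f07", "Low alarm": "02c4", "High warning": "18a6", "Low warning": "037b"},
    "RX Power":       {"High alarm": "2710", "Low alarm": "0028", "High warning": "1f07", "Low warning": "0032"},
}

def decode_sff8472(quantity, hex_word):
    """Convert one 16-bit SFF-8472 A2h threshold word into the unit the CLI prints.
    Internal-calibration encodings from the standard:
      Temperature     signed 16-bit, 1/256 degree C per LSB
      Supply Voltage  unsigned, 100 uV per LSB (returned in volts; assumption from the
                      standard, the CLI example prints no decoded voltage)
      TX Bias         unsigned, 2 uA per LSB (returned in mA)
      TX/RX Power     unsigned, 0.1 uW per LSB (returned in dBm)
    """
    raw = int(hex_word, 16)
    if quantity == "Temperature":
        if raw >= 0x8000:            # two's complement
            raw -= 0x10000
        return raw / 256.0
    if quantity == "Supply Voltage":
        return raw * 100e-6
    if quantity == "TX Bias":
        return raw * 2 / 1000.0
    if quantity in ("TX Power", "RX Power"):
        milliwatts = raw * 0.1e-3
        if milliwatts <= 0:
            return float("-inf")     # no light: dBm is undefined, treat as minus infinity
        return 10 * math.log10(milliwatts)
    raise ValueError(f"unknown quantity {quantity!r}")

def truncate4(value):
    """Match the CLI, which truncates (not rounds) the decoded value to four decimals."""
    if math.isinf(value):
        return value
    return math.trunc(value * 10000) / 10000

def decode_thresholds(hex_table):
    return {q: {name: decode_sff8472(q, word) for name, word in words.items()}
            for q, words in hex_table.items()}

def alarm_status(value, thresholds):
    """Classify a reading into the Table 9.5 status values; alarms take precedence
    over warnings, as the thresholds nest (alarm outside warning)."""
    if value > thresholds["High alarm"]:
        return "High-Alarm"
    if value < thresholds["Low alarm"]:
        return "Low-Alarm"
    if value > thresholds["High warning"]:
        return "High-Warn"
    if value < thresholds["Low warning"]:
        return "Low-Warn"
    return "Normal"

if __name__ == "__main__":
    decoded = decode_thresholds(SAMPLE_THRESHOLDS_HEX)
    for quantity, words in SAMPLE_THRESHOLDS_HEX.items():
        for name, word in words.items():
            print(f"{quantity:15} {name:13} {word}  {truncate4(decoded[quantity][name])}")
    # Readings from the show optic 4 example above: port 4/3 reports 0.000 mA bias.
    print("port 4/3 TX Bias 0.000 mA ->", alarm_status(0.0, decoded["TX Bias"]))
    print("port 4/1 RX Power -2.5908 dBm ->", alarm_status(-2.5908, decoded["RX Power"]))
```

Decoding the registers yourself is useful when a module reports "Not Available" or when you want to compare the thresholds a module claims against the vendor's datasheet; a module whose TX Power low-alarm threshold decodes to something implausible for its type is worth a closer look before it is trusted in a monitored link.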
The other values indicate at what level (above the high setting or below the low setting) the system should send a warning message or an alarm. Note that these values are set by the manufacturer of the optical transceiver, and cannot be configured.

Syslog Messages

The system generates Syslog messages for optical transceivers when:
• The temperature, supply voltage, TX Bias, TX power, or RX power value goes above or below the high or low warning or alarm threshold set by the manufacturer.
• The optical transceiver does not support digital optical monitoring.
• The optical transceiver is not qualified, and therefore not supported by Foundry.

For details about the above Syslog messages, see the chapter “Using Syslog” on page A-1.

Chapter 10 Configuring Spanning Tree Protocol (STP) Related Features

This chapter describes how to configure Spanning Tree Protocol (STP) and other STP parameters on Foundry Layer 3 Switches using the CLI. STP related features, such as RSTP and PVST, extend the operation of standard STP, enabling you to fine tune standard STP and avoid some of its limitations.

STP Overview

The Spanning Tree Protocol (STP) eliminates Layer 2 loops in networks, by selectively blocking some ports and allowing other ports to forward traffic, based on global (bridge) and local (port) parameters you can configure. You can enable or disable STP on a global basis (for the entire device), a port-based VLAN basis (for the individual Layer 2 broadcast domain), or an individual port basis.

Configuration procedures are provided for the standard STP bridge and port parameters as well as Foundry features listed in Table 10.6.

Configuring Standard STP Parameters

Foundry Layer 2 Switches and Layer 3 Switches support standard STP as described in the IEEE 802.1D specification. STP is enabled by default on Layer 2 Switches but disabled by default on Layer 3 Switches.
By default, each port-based VLAN on a Foundry device runs a separate spanning tree (a separate instance of STP). A Foundry device has one port-based VLAN (VLAN 1) by default that contains all the device’s ports. Thus, by default each Foundry device has one spanning tree. However, if you configure additional port-based VLANs on a Foundry device, then each of those VLANs on which STP is enabled and VLAN 1 all run separate spanning trees.

If you configure a port-based VLAN on the device, the VLAN has the same STP state as the default STP state on the device. Thus, on Layer 2 Switches, new VLANs have STP enabled by default. On Layer 3 Switches, new VLANs have STP disabled by default. You can enable or disable STP in each VLAN separately. In addition, you can enable or disable STP on individual ports.

STP Parameters and Defaults

Table 10.1 lists the default STP states for Foundry devices.

Table 10.1: Default STP States

  Device Type      Default STP Type   Default STP State   Default STP State of New VLANs (1)
  Layer 2 Switch   MSTP (2)           Enabled             Enabled
  Layer 3 Switch   MSTP               Disabled            Disabled

  1. When you create a port-based VLAN, the new VLAN’s STP state is the same as the default STP state on the device. The new VLAN does not inherit the STP state of the default VLAN.
  2. MSTP stands for “Multiple Spanning Tree Protocol”. In this type of STP, each port-based VLAN, including the default VLAN, has its own spanning tree. References in this documentation to “STP” apply to MSTP. The Single Spanning Tree Protocol (SSTP) is another type of STP. SSTP includes all VLANs on which STP is enabled in a single spanning tree. See “Single Spanning Tree (SSTP)” on page 10-57.

Table 10.2 lists the default STP bridge parameters. The bridge parameters affect the entire spanning tree. If you are using MSTP, the parameters affect the VLAN.
If you are using SSTP, the parameters affect all VLANs that are members of the single spanning tree.

Table 10.2: Default STP Bridge Parameters

Parameter       Description                                                      Default and Valid Values
Forward Delay   The period of time spent by a port in the listening and          15 seconds
                learning state before moving on to the learning or forwarding    Possible values: 4 – 30 seconds
                state, respectively. The forward delay value is also used for
                the age time of dynamic entries in the filtering database,
                when a topology change occurs.
Maximum Age     The interval a bridge will wait for a configuration BPDU from    20 seconds
                the root bridge before initiating a topology change.             Possible values: 6 – 40 seconds
Hello Time      The interval of time between each configuration BPDU sent by     2 seconds
                the root bridge.                                                  Possible values: 1 – 10 seconds
Priority        A parameter used to identify the root bridge in a spanning       32768
                tree (instance of STP). The bridge with the lowest value has      Possible values: 0 – 65535
                the highest priority and is the root.                             A higher numerical value means a
                                                                                  lower priority; thus, the highest
                                                                                  priority is 0.

NOTE: If you plan to change STP bridge timers, Foundry recommends that you stay within the following ranges, from section 8.10.2 of the IEEE STP specification.

2 * (forward_delay - 1) >= max_age
max_age >= 2 * (hello_time + 1)

Table 10.3 lists the default STP port parameters. The port parameters affect individual ports and are separately configurable on each port.

Table 10.3: Default STP Port Parameters

Parameter   Description                                                        Default and Valid Values
Priority    The preference that STP gives this port relative to other ports    128
            for forwarding traffic out of the spanning tree.                   A higher numerical value means a lower priority.
                                                                               Possible values in FastIron X Series pre-release 03.0.00, and in FGS pre-release 03.0.00: 8 – 252 (configurable in increments of 4)
                                                                               Possible values in FastIron X Series and FGS/FLS release 03.0.00 and later: 0 – 240 (configurable in increments of 16)
Path Cost   The cost of using the port to reach the root bridge. When          Each port type has its own default STP path cost:
            selecting among multiple links to the root bridge, STP chooses     10 Mbps – 100
            the link with the lowest path cost and blocks the other paths.     100 Mbps – 19
                                                                               Gigabit – 4
                                                                               10 Gigabit – 2
                                                                               Possible values are 0 – 65535

Enabling or Disabling the Spanning Tree Protocol (STP)

STP is enabled by default on devices running Layer 2 code. STP is disabled by default on devices running Layer 3 code.

You can enable or disable STP on the following levels:

• Globally – Affects all ports and port-based VLANs on the device.
• Port-based VLAN – Affects all ports within the specified port-based VLAN. When you enable or disable STP within a port-based VLAN, the setting overrides the global setting. Thus, you can enable STP for the ports within a port-based VLAN even when STP is globally disabled, or disable the ports within a port-based VLAN when STP is globally enabled.
• Individual port – Affects only the individual port. However, if you change the STP state of the primary port in a trunk group, the change affects all ports in the trunk group.

NOTE: The CLI converts the STP groups into topology groups when you save the configuration. For backward compatibility, you can still use the STP group commands. However, the CLI converts the commands into the topology group syntax. Likewise, the show stp-group command displays STP topology groups.

Enabling or Disabling STP Globally

Use the following method to enable or disable STP on a device on which you have not configured port-based VLANs.
NOTE: When you configure a VLAN, the VLAN inherits the global STP settings. However, once you begin to define a VLAN, you can no longer configure standard STP parameters globally using the CLI. From that point on, you can configure STP only within individual VLANs.

To enable STP for all ports in all VLANs on a Foundry device, enter the following command:

FastIron(config)#spanning-tree

This command enables a separate spanning tree in each VLAN, including the default VLAN.

Syntax: [no] spanning-tree

Enabling or Disabling STP in a Port-Based VLAN

Use the following procedure to disable or enable STP on a device on which you have configured a port-based VLAN. Changing the STP state in a VLAN affects only that VLAN.

To enable STP for all ports in a port-based VLAN, enter commands such as the following:

FastIron(config)#vlan 10
FastIron(config-vlan-10)#spanning-tree

Syntax: [no] spanning-tree

Enabling or Disabling STP on an Individual Port

Use the following procedure to disable or enable STP on an individual port.

NOTE: If you change the STP state of the primary port in a trunk group, it affects all ports in the trunk group.

To enable STP on an individual port, enter commands such as the following:

FastIron(config)#interface 1/1
FastIron(config-if-e1000-1/1)#spanning-tree

Syntax: [no] spanning-tree

Changing STP Bridge and Port Parameters

Table 10.2 on page 10-2 and Table 10.3 on page 10-3 list the default STP parameters. If you need to change the default value for an STP parameter, use the following procedures.

Changing STP Bridge Parameters

NOTE: If you plan to change STP bridge timers, Foundry recommends that you stay within the following ranges, from section 8.10.2 of the IEEE STP specification.

2 * (forward_delay - 1) >= max_age
max_age >= 2 * (hello_time + 1)

To change a Foundry device’s STP bridge priority to the highest value to make the device the root bridge, enter the following command:

FastIron(config)#spanning-tree priority 0
The command in this example changes the priority on a device on which you have not configured port-based VLANs. The change applies to the default VLAN. If you have configured a port-based VLAN on the device, you can configure the parameters only at the configuration level for individual VLANs. Enter commands such as the following:

FastIron(config)#vlan 20
FastIron(config-vlan-20)#spanning-tree priority 0

To make this change in the default VLAN, enter the following commands:

FastIron(config)#vlan 1
FastIron(config-vlan-1)#spanning-tree priority 0

Syntax: [no] spanning-tree [forward-delay <value>] | [hello-time <value>] | [maximum-age <value>] | [priority <value>]

The forward-delay <value> parameter specifies the forward delay and can be a value from 4 – 30 seconds. The default is 15 seconds.

NOTE: You can configure a Foundry device for faster convergence (including a shorter forward delay) using Fast Span. See “Configuring STP Related Features” on page 10-16.

The hello-time <value> parameter specifies the hello time and can be a value from 1 – 10 seconds. The default is 2 seconds.

NOTE: This parameter applies only when this device or VLAN is the root bridge for its spanning tree.

The maximum-age <value> parameter specifies the amount of time the device waits for receipt of a configuration BPDU from the root bridge before initiating a topology change. You can specify from 6 – 40 seconds. The default is 20 seconds.

The priority <value> parameter specifies the priority and can be a value from 0 – 65535. A higher numerical value means a lower priority. Thus, the highest priority is 0. The default is 32768.

You can specify some or all of these parameters on the same command line. If you specify more than one parameter, you must specify them in the order shown above, from left to right.
Changing STP Port Parameters

To change the path and priority costs for a port, enter commands such as the following:

FastIron(config)#vlan 10
FastIron(config-vlan-10)#spanning-tree ethernet 5 path-cost 15 priority 64

Syntax: spanning-tree ethernet [<slotnum>/]<portnum> path-cost <value> | priority <value> | disable | enable

The <portnum> parameter specifies the interface. If you are configuring a chassis device, specify the slot number as well as the port number (<slotnum>/<portnum>).

The path-cost <value> parameter specifies the port’s cost as a path to the spanning tree’s root bridge. STP prefers the path with the lowest cost. You can specify a value from 0 – 65535. The default depends on the port type:

• 10 Mbps – 100
• 100 Mbps – 19
• Gigabit – 4
• 10 Gigabit – 2

The priority <value> parameter specifies the preference that STP gives this port relative to other ports for forwarding traffic out of the spanning tree. The value you can specify depends on the software version running on the device, as follows:

• In releases prior to 03.0.00, you can specify a value from 8 – 252, in increments of 4. If you enter a value that is not divisible by four, the software rounds to the nearest value that is. The default is 128. A higher numerical value means a lower priority; thus, the highest priority is 8.
• Starting in software release 03.0.00, you can specify a value from 0 – 240, in increments of 16. If you enter a value that is not divisible by 16, the software returns an error message. The default value is 128. A higher numerical value means a lower priority; thus, the highest priority is 0.

NOTE: If you are upgrading a device that has a configuration saved under an earlier software release, and the configuration contains a value from 0 – 7 for a port’s STP priority, the software changes the priority to the default when you save the configuration while running the new release.
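As an added example (not Foundry code), the following Python helpers encode the rules from this section and from “Changing STP Bridge Parameters” above: the CLI ranges and the IEEE 802.1D section 8.10.2 timer relations, the keyword order the spanning-tree command requires, the release-dependent port priority rounding (before 03.0.00) or rejection (03.0.00 and later), and the upgrade note for saved priorities of 0 – 7. All function and constant names are my own.

```python
"""Checks for the FastIron STP bridge and port parameters described in this
chapter. Added example, not Foundry code; the function names are mine."""

# Valid CLI ranges from Table 10.2 (bridge) and Table 10.3 (port).
FORWARD_DELAY_RANGE = (4, 30)
HELLO_TIME_RANGE = (1, 10)
MAX_AGE_RANGE = (6, 40)
BRIDGE_PRIORITY_RANGE = (0, 65535)
DEFAULT_PORT_PRIORITY = 128


def check_bridge_timers(forward_delay=15, hello_time=2, max_age=20):
    """Return a list of problems; an empty list means the timers are acceptable.

    Checks the CLI ranges, then the two relations from section 8.10.2 of the
    IEEE STP specification that the chapter recommends staying within:
        2 * (forward_delay - 1) >= max_age
        max_age >= 2 * (hello_time + 1)
    """
    problems = []
    for name, value, (lo, hi) in (
        ("forward-delay", forward_delay, FORWARD_DELAY_RANGE),
        ("hello-time", hello_time, HELLO_TIME_RANGE),
        ("maximum-age", max_age, MAX_AGE_RANGE),
    ):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} is outside {lo}-{hi} seconds")
    if 2 * (forward_delay - 1) < max_age:
        problems.append(
            f"2*(forward_delay-1)={2 * (forward_delay - 1)} < max_age={max_age}")
    if max_age < 2 * (hello_time + 1):
        problems.append(
            f"max_age={max_age} < 2*(hello_time+1)={2 * (hello_time + 1)}")
    return problems


def bridge_command(forward_delay=None, hello_time=None, max_age=None,
                   priority=None):
    """Build the one-line spanning-tree command, keeping the keyword order the
    chapter requires: forward-delay, hello-time, maximum-age, priority."""
    if priority is not None and not (
            BRIDGE_PRIORITY_RANGE[0] <= priority <= BRIDGE_PRIORITY_RANGE[1]):
        raise ValueError(f"bridge priority {priority} is outside 0-65535")
    parts = ["spanning-tree"]
    for keyword, value in (("forward-delay", forward_delay),
                           ("hello-time", hello_time),
                           ("maximum-age", max_age),
                           ("priority", priority)):
        if value is not None:
            parts.append(f"{keyword} {value}")
    return " ".join(parts)


def _is_pre_03_0_00(release):
    """True for releases before 03.0.00, for example "02.5.00"."""
    return tuple(int(x) for x in release.split(".")) < (3, 0, 0)


def normalize_port_priority(value, release="03.0.00"):
    """Return the port priority the switch would store for this release.

    Before 03.0.00: 8-252 in steps of 4; a value not divisible by 4 is rounded
    to the nearest valid value. From 03.0.00: 0-240 in steps of 16; any other
    value is rejected (the switch returns an error message).
    """
    if _is_pre_03_0_00(release):
        if not 8 <= value <= 252:
            raise ValueError(f"port priority {value} is outside 8-252")
        # Round to the nearest multiple of 4 (a tie such as 10 rounds up).
        return ((value + 2) // 4) * 4
    if not 0 <= value <= 240:
        raise ValueError(f"port priority {value} is outside 0-240")
    if value % 16:
        raise ValueError(f"port priority {value} is not a multiple of 16")
    return value


def port_priority_is_valid(value, release="03.0.00"):
    """True if normalize_port_priority accepts the value for that release."""
    try:
        normalize_port_priority(value, release)
    except ValueError:
        return False
    return True


def migrate_saved_port_priority(value):
    """Model the upgrade note: a saved priority of 0-7 from an earlier release
    becomes the default when the configuration is saved under 03.0.00+."""
    return DEFAULT_PORT_PRIORITY if 0 <= value <= 7 else value
```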
The disable | enable parameter disables or re-enables STP on the port. The STP state change affects only this VLAN. The port’s STP state in other VLANs is not changed.

STP Protection Enhancement

Platform Support:

• FESX devices running software release 02.1.01 and later
• FSX and FWSX devices running software release 02.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later

STP protection provides the ability to prohibit an end station from initiating or participating in an STP topology change.

The 802.1W Spanning Tree Protocol (STP) detects and eliminates logical loops in a redundant network by selectively blocking some data paths (ports) and allowing only the best data paths to forward traffic.

In an STP environment, switches, end stations, and other Layer 2 devices use Bridge Protocol Data Units (BPDUs) to exchange information that STP will use to determine the best path for data flow. When a Layer 2 device is powered ON and connected to the network, or when a Layer 2 device goes down, it sends out an STP BPDU, triggering an STP topology change.

In some instances, it is unnecessary for a connected device, such as an end station, to initiate or participate in an STP topology change. In this case, you can enable the STP Protection feature on the Foundry port to which the end station is connected. Foundry’s STP Protection feature disables the connected device’s ability to initiate or participate in an STP topology change, by dropping all BPDUs received from the connected device.

Enabling STP Protection

You can enable STP Protection on a per-port basis. To prevent an end station from initiating or participating in STP topology changes, enter the following command at the Interface level of the CLI:

FastIron(config)#interface e 2
FastIron(config-if-e1000-2)#stp-protect

This command causes the port to drop STP BPDUs sent from the device on the other end of the link.
Syntax: [no] stp-protect

The <stack-unit> parameter is required on FastIron GS and LS devices running software release 02.5.00 or later, and FastIron GS-STK and FastIron LS-STK devices running software release 05.0.00 and later.

The <slotnum> parameter is required on chassis devices and on FastIron GS devices running software release 02.5.00 or later.

The <portnum> parameter is a valid port number.

Enter the no form of the command to disable STP protection on the port.

Clearing BPDU Drop Counters

For each port that has STP Protection enabled, the Foundry device counts and records the number of dropped BPDUs. You can use CLI commands to clear the BPDU drop counters for all ports on the device, or for a specific port on the device.

To clear the BPDU drop counters for all ports on the device that have STP Protection enabled, enter the following command at the Global CONFIG level of the CLI:

FastIron(config)#clear stp-protect-statistics

To clear the BPDU drop counter for a specific port that has STP Protection enabled, enter the following command at the Global CONFIG level of the CLI:

FastIron#clear stp-protect-statistics e 2

Syntax: clear stp-protect-statistics [ethernet [<stack-unit>/<slotnum>/]<portnum>] | [ethernet [<stack-unit>/<slotnum>/]<portnum>]

The <stack-unit> parameter is required on FastIron GS and LS devices running software release 02.5.00 or later, and FastIron GS-STK and FastIron LS-STK devices running software release 05.0.00 and later.

The <slotnum> parameter is required on chassis devices and on FastIron GS devices running software release 02.5.00 or later.

The <portnum> parameter is a valid port number.

Viewing the STP Protection Configuration

You can view the STP Protection configuration for all ports on a device, or for a specific port only.
The show stp-protect command output shows the port number on which STP Protection is enabled, and the number of BPDUs dropped by each port.

To view the STP Protection configuration for all ports on the device, enter the following command at any level of the CLI:

FastIron#show stp-protect
Port ID    BPDU Drop Count
3          478
5          213
6          0
12         31

To view STP Protection configuration for a specific port, enter the following command at any level of the CLI:

FastIron#show stp-protect e 3
STP-protect is enabled on port 3. BPDU drop count is 478

If you enter the show stp-protect command for a port that does not have STP protection enabled, the following message displays on the console:

FastIron#show stp-protect e 4
STP-protect is not enabled on port 4.

Syntax: show stp-protect [ethernet [<slotnum>/]<portnum>]

Displaying STP Information

You can display the following STP information:

• All the global and interface STP settings
• CPU utilization statistics
• Detailed STP information for each interface
• STP state information for a port-based VLAN
• STP state information for an individual interface

Displaying STP Information for an Entire Device

To display STP information, enter the following command at any level of the CLI:

FastIron#show span
VLAN 1 BPDU cam_index is 3 and the Master DMA Are(HEX)
STP instance owned by VLAN 1
Global STP (IEEE 802.1D) Parameters:
VLAN Root ID           Root Root Prio  Max  Hello Hold Fwd  Last  Chg  Bridge
ID   Hex               Cost Port rity  Age  sec   sec  dly  Chang cnt  Address
                                 Hex   sec             sec  sec
1    800000e0804d4a00  0    Root 8000  20   2     1    15   689   1    00e0804d4a00

Port STP Parameters:
Port Prio  Path State       Fwd   Design Designated        Designated
Num  rity  Cost             Trans Cost   Root              Bridge
     Hex
1    80    19   FORWARDING  1     0      800000e0804d4a00  800000e0804d4a00
2    80    0    DISABLED    0     0      0000000000000000  0000000000000000
3    80    0    DISABLED    0     0      0000000000000000  0000000000000000
4    80    0    DISABLED    0     0      0000000000000000  0000000000000000
5    80    19   FORWARDING  1     0      800000e0804d4a00  800000e0804d4a00
6    80    19   BLOCKING    0     0      800000e0804d4a00  800000e0804d4a00
7    80    0    DISABLED    0     0      0000000000000000  0000000000000000
<lines for remaining ports excluded for brevity>

Syntax: show span [vlan <vlan-id>] | [pvst-mode] | [<num>] | [detail [vlan <vlan-id> [ethernet [<stack-unit>/<slotnum>/]<portnum>] | <num>]]

The vlan <vlan-id> parameter displays STP information for the specified port-based VLAN.

The pvst-mode parameter displays STP information for the device’s Per VLAN Spanning Tree (PVST+) compatibility configuration. See “PVST/PVST+ Compatibility” on page 10-62.

The <stack-unit> parameter is required on FastIron GS and LS devices running software release 02.5.00 or later, and FastIron GS-STK and FastIron LS-STK devices running software release 05.0.00 and later.

The <slotnum> parameter is required on chassis devices and on FastIron GS devices running software release 02.5.00 or later.

The <portnum> parameter is a valid port number.

The <num> parameter displays only the entries after the number you specify. For example, on a device with three port-based VLANs, if you enter 1, then information for the second and third VLANs is displayed, but information for the first VLAN is not displayed. Information is displayed according to VLAN number, in ascending order. The entry number is not the same as the VLAN number. For example, if you have port-based VLANs 1, 10, and 2024, then the command output has three STP entries. To display information for VLANs 10 and 2024 only, enter show span 1.

The detail parameter and its additional optional parameters display detailed information for individual ports. See “Displaying Detailed STP Information for Each Interface” on page 10-12.

The show span command shows the following information.

Table 10.4: CLI Display of STP Information

This Field...          Displays...
Global STP Parameters

VLAN ID          The port-based VLAN that contains this spanning tree (instance of STP). VLAN 1 is the default VLAN. If you have not configured port-based VLANs on this device, all STP information is for VLAN 1.
Root ID          The ID assigned by STP to the root bridge for this spanning tree.
Root Cost        The cumulative cost from this bridge to the root bridge. If this device is the root bridge, then the root cost is 0.
Root Port        The port on this device that connects to the root bridge. If this device is the root bridge, then the value is “Root” instead of a port number.
Priority Hex     This device or VLAN’s STP priority. The value is shown in hexadecimal format.
                 Note: If you configure this value, specify it in decimal format. See “Changing STP Bridge Parameters” on page 10-4.
Max age sec      The number of seconds this device or VLAN waits for a configuration BPDU from the root bridge before deciding the root has become unavailable and performing a reconvergence.
Hello sec        The interval between each configuration BPDU sent by the root bridge.
Hold sec         The minimum number of seconds that must elapse between transmissions of consecutive Configuration BPDUs on a port.
Fwd dly sec      The number of seconds this device or VLAN waits following a topology change and consequent reconvergence.
Last Chang sec   The number of seconds since the last time a topology change occurred.
Chg cnt          The number of times the topology has changed since this device was reloaded.
Bridge Address   The STP address of this device or VLAN.
                 Note: If this address is the same as the Root ID, then this device or VLAN is the root bridge for its spanning tree.

Port STP Parameters

Port Num         The port number.
Priority Hex     The port’s STP priority, in hexadecimal format.
                 Note: If you configure this value, specify it in decimal format. See “Changing STP Port Parameters” on page 10-5.
Path Cost        The port’s STP path cost.
Table 10.4: CLI Display of STP Information (Continued)

This Field...          Displays...
State            The port’s STP state. The state can be one of the following:
                 • BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop. The device or VLAN can reach the root bridge using another port, whose state is FORWARDING. When a port is in this state, the port does not transmit or receive user frames, but the port does continue to receive STP BPDUs.
                 • DISABLED – The port is not participating in STP. This can occur when the port is disconnected or STP is disabled on the port.
                 • FORWARDING – STP is allowing the port to send and receive frames.
                 • LISTENING – STP is responding to a topology change and this port is listening for a BPDU from neighboring bridge(s) in order to determine the new topology. No user frames are transmitted or received during this state.
                 • LEARNING – The port has passed through the LISTENING state and will change to the FORWARDING state, depending on the results of STP’s reconvergence. The port does not transmit or receive user frames during this state. However, the device can learn the MAC addresses of frames that the port receives during this state and make corresponding entries in the MAC table.
Fwd Trans        The number of times STP has changed the state of this port between BLOCKING and FORWARDING.
Design Cost      The cost to the root bridge as advertised by the designated bridge that is connected to this port. If the designated bridge is the root bridge itself, then the cost is 0. The identity of the designated bridge is shown in the Design Bridge field.
Designated Root  The root bridge as recognized on this port. The value is the same as the root bridge ID listed in the Root ID field.
Designated Bridge  The designated bridge to which this port is connected. The designated bridge is the device that connects the network segment on the port to the root bridge.
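The show stp-protect output earlier in this chapter lists each protected port with its BPDU drop count. As an added example (not Foundry code), this Python script parses that output, constructed here from the values shown in the chapter, and reports the ports whose counter is non-zero or has grown since an earlier reading; a growing counter means the device on that link is still sending BPDUs into a port that was meant for an end station, which is worth a look before the counters are cleared. Function names are my own.

```python
"""Parse 'show stp-protect' output and flag protected ports that are still
receiving BPDUs. Added example, not Foundry code; the sample output is
constructed from the values shown in this chapter."""
import re

# Constructed sample, matching the all-ports form of 'show stp-protect'.
SAMPLE_OUTPUT = """\
Port ID    BPDU Drop Count
3          478
5          213
6          0
12         31
"""

# One table row: a port id (plain, slot/port or unit/slot/port) and a count.
ROW_RE = re.compile(r"^\s*(\d+(?:/\d+)*)\s+(\d+)\s*$")
# The single-port form: "STP-protect is enabled on port 3. BPDU drop count is 478"
SINGLE_RE = re.compile(
    r"STP-protect is enabled on port (\S+?)\.\s+BPDU drop count is (\d+)")


def port_key(port):
    """Sort key so that port 3 precedes 12 and 1/2 precedes 1/10."""
    return tuple(int(x) for x in port.split("/"))


def parse_stp_protect(text):
    """Return {port: drop_count} for every protected port in the output.

    Handles both the all-ports table and the single-port message. A port the
    switch reports as not protected produces no entry.
    """
    counts = {}
    for line in text.splitlines():
        m = ROW_RE.match(line) or SINGLE_RE.search(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def ports_receiving_bpdus(counts, previous=None):
    """Return the ports whose drop counter is above the previous reading.

    With no previous snapshot, any non-zero counter is reported. With one,
    only counters that grew are reported, which separates an old event from
    a device that is still sending BPDUs right now.
    """
    previous = previous or {}
    active = [p for p, c in counts.items() if c > previous.get(p, 0)]
    return sorted(active, key=port_key)


def report(text, previous=None):
    """One line per port still receiving BPDUs, for a log or ticket."""
    counts = parse_stp_protect(text)
    return [f"port {p}: {counts[p]} BPDUs dropped (was {previous.get(p, 0) if previous else 0})"
            for p in ports_receiving_bpdus(counts, previous)]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```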
Displaying CPU Utilization Statistics

You can display CPU utilization statistics for STP and the IP protocols.

To display CPU utilization statistics for STP for the previous one-second, one-minute, five-minute, and fifteen-minute intervals, enter the following command at any level of the CLI:

FastIron#show process cpu
Process Name   5Sec(%)   1Min(%)   5Min(%)   15Min(%)   Runtime(ms)
ARP            0.01      0.03      0.09      0.22       9
BGP            0.04      0.06      0.08      0.14       13
GVRP           0.00      0.00      0.00      0.00       0
ICMP           0.00      0.00      0.00      0.00       0
IP             0.00      0.00      0.00      0.00       0
OSPF           0.00      0.00      0.00      0.00       0
RIP            0.00      0.00      0.00      0.00       0
STP            0.00      0.03      0.04      0.07       4
VRRP           0.00      0.00      0.00      0.00       0

If the software has been running less than 15 minutes (the maximum interval for utilization statistics), the command indicates how long the software has been running. Here is an example:

FastIron#show process cpu
The system has only been up for 6 seconds.
Process Name   5Sec(%)   1Min(%)   5Min(%)   15Min(%)   Runtime(ms)
ARP            0.01      0.00      0.00      0.00       0
BGP            0.00      0.00      0.00      0.00       0
GVRP           0.00      0.00      0.00      0.00       0
ICMP           0.01      0.00      0.00      0.00       1
IP             0.00      0.00      0.00      0.00       0
OSPF           0.00      0.00      0.00      0.00       0
RIP            0.00      0.00      0.00      0.00       0
STP            0.00      0.00      0.00      0.00       0
VRRP           0.00      0.00      0.00      0.00       0

To display utilization statistics for a specific number of seconds, enter a command such as the following:

FastIron#show process cpu 2
Statistics for last 1 sec and 80 ms
Process Name   Sec(%)   Time(ms)
ARP            0.00     0
BGP            0.00     0
GVRP           0.00     0
ICMP           0.01     1
IP             0.00     0
OSPF           0.00     0
RIP            0.00     0
STP            0.01     0
VRRP           0.00     0

When you specify how many seconds’ worth of statistics you want to display, the software selects the sample that most closely matches the number of seconds you specified. In this example, statistics are requested for the previous two seconds. The closest sample available is actually for the previous 1 second plus 80 milliseconds.
Syntax: show process cpu [<num>]

The <num> parameter specifies the number of seconds and can be from 1 – 900. If you use this parameter, the command lists the usage statistics only for the specified number of seconds. If you do not use this parameter, the command lists the usage statistics for the previous one-second, one-minute, five-minute, and fifteen-minute intervals.

Displaying the STP State of a Port-Based VLAN

When you display information for a port-based VLAN, that information includes the STP state of the VLAN.

To display information for a port-based VLAN, enter a command such as the following at any level of the CLI. The STP state is shown in bold type in this example.

FastIron#show vlans
Total PORT-VLAN entries: 2
Maximum PORT-VLAN entries: 16
legend: [S=Slot]
PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree On
 Untagged Ports: (S3)   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
 Untagged Ports: (S3)  17  18  19  20  21  22  23  24
 Untagged Ports: (S4)   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17
 Untagged Ports: (S4)  18  19  20  21  22  23  24
   Tagged Ports: None
   Uplink Ports: None
PORT-VLAN 2, Name greenwell, Priority level0, Spanning tree Off
 Untagged Ports: (S1)   1   2   3   4   5   6   7   8
 Untagged Ports: (S4)   1
   Tagged Ports: None
   Uplink Ports: None

Syntax: show vlans [<vlan-id> | ethernet [<slotnum>/]<portnum>]

The <vlan-id> parameter specifies a VLAN for which you want to display the configuration information.

The <portnum> parameter specifies a port. If you use this parameter, the command lists all the VLAN memberships for the port. If you use this command on a chassis device, specify the slot number as well as the port number (<slotnum>/<portnum>).
Displaying Detailed STP Information for Each Interface

To display the detailed STP information, enter the following command at any level of the CLI:

FastIron#show span detail
======================================================================
VLAN 1 - MULTIPLE SPANNING TREE (MSTP) ACTIVE
======================================================================
Bridge identifier    - 0x800000e0804d4a00
Active global timers - Hello: 0
Port 1/1 is FORWARDING
  Port - Path cost: 19, Priority: 128, Root: 0x800000e052a9bb00
  Designated - Bridge: 0x800000e052a9bb00, Interface: 1, Path cost: 0
  Active Timers - None
  BPDUs - Sent: 11, Received: 0
Port 1/2 is DISABLED
Port 1/3 is DISABLED
Port 1/4 is DISABLED
<lines for remaining ports excluded for brevity>

If a port is disabled, the only information shown by this command is “DISABLED”. If a port is enabled, this display shows the following information.

Syntax: show span detail [vlan <vlan-id> [ethernet [<stack-unit>/<slotnum>/]<portnum> | <num>]

The vlan <vlan-id> parameter specifies a VLAN.

The <portnum> parameter specifies an individual port within the VLAN (if specified). If you use the command on a chassis device, specify the slot number as well as the port number (<slotnum>/<portnum>).

The <stack-unit> parameter is required on FastIron GS and LS devices running software release 02.5.00 or later, and FastIron GS-STK and FastIron LS-STK devices running software release 05.0.00 and later.

The <slotnum> parameter is required on chassis devices and on FastIron GS devices running software release 02.5.00 or later.

The <portnum> parameter is a valid port number.

The <num> parameter specifies the number of VLANs you want the CLI to skip before displaying detailed STP information.
For example, if the device has six VLANs configured (VLAN IDs 1, 2, 3, 99, 128, and 256) and you enter the command show span detail 4, detailed STP information is displayed for VLANs 128 and 256 only.

NOTE: If the configuration includes VLAN groups, the show span detail command displays the master VLANs of each group but not the member VLANs within the groups. However, the command does indicate that the VLAN is a master VLAN. The show span detail vlan <vlan-id> command displays the information for the VLAN even if it is a member VLAN. To list all the member VLANs within a VLAN group, enter the show vlan-group [<groupid>] command.

The show span detail command shows the following information.

Table 10.5: CLI Display of Detailed STP Information for Ports

This Field...                    Displays...
Active Spanning Tree protocol    The VLAN that contains the listed ports and the active Spanning Tree protocol. The STP type can be one of the following:
                                 • MULTIPLE SPANNING TREE (MSTP)
                                 • GLOBAL SINGLE SPANNING TREE (SSTP)
                                 Note: If STP is disabled on a VLAN, the command displays the following message instead: “Spanning-tree of port-vlan <vlan-id> is disabled.”
Bridge identifier                The STP identity of this device.
Active global timers             The global STP timers that are currently active, and their current values. The following timers can be listed:
                                 • Hello – The interval between Hello packets. This timer applies only to the root bridge.
                                 • Topology Change (TC) – The amount of time during which the topology change flag in Hello packets will be marked, indicating a topology change. This timer applies only to the root bridge.
                                 • Topology Change Notification (TCN) – The interval between Topology Change Notification packets sent by a non-root bridge toward the root bridge. This timer applies only to non-root bridges.

Table 10.5: CLI Display of Detailed STP Information for Ports (Continued)

This Field...                    Displays...
Port number and STP state        The internal port number and the port’s STP state. The internal port number is one of the following:
                                 • The port’s interface number, if the port is the designated port for the LAN.
                                 • The interface number of the designated port from the received BPDU, if the interface is not the designated port for the LAN.
                                 The state can be one of the following:
                                 • BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop. The device or VLAN can reach the root bridge using another port, whose state is FORWARDING. When a port is in this state, the port does not transmit or receive user frames, but the port does continue to receive STP BPDUs.
                                 • DISABLED – The port is not participating in STP. This can occur when the port is disconnected or STP is administratively disabled on the port.
                                 • FORWARDING – STP is allowing the port to send and receive frames.
                                 • LISTENING – STP is responding to a topology change and this port is listening for a BPDU from neighboring bridge(s) in order to determine the new topology. No user frames are transmitted or received during this state.
                                 • LEARNING – The port has passed through the LISTENING state and will change to the BLOCKING or FORWARDING state, depending on the results of STP’s reconvergence. The port does not transmit or receive user frames during this state. However, the device can learn the MAC addresses of frames that the port receives during this state and make corresponding entries in the MAC table.
                                 Note: If the state is DISABLED, no further STP information is displayed for the port.
Port Path cost                   The port’s STP path cost.
Port Priority                    This port’s STP priority. The value is shown as a hexadecimal number.
Root                             The ID assigned by STP to the root bridge for this spanning tree.
Designated Bridge                The MAC address of the designated bridge to which this port is connected. The designated bridge is the device that connects the network segment on the port to the root bridge.
Designated Port                  The port number sent from the designated bridge.
Designated Path Cost             The cost to the root bridge as advertised by the designated bridge that is connected to this port. If the bridge is the root bridge itself, then the cost is 0. The identity of the designated bridge is shown in the Designated Bridge field.

Table 10.5: CLI Display of Detailed STP Information for Ports (Continued)

This Field...                    Displays...
Active Timers                    The current values for the following timers, if active:
                                 • Message age – The number of seconds this port has been waiting for a hello message from the root bridge.
                                 • Forward delay – The number of seconds that have passed since the last topology change and consequent reconvergence.
                                 • Hold time – The number of seconds that have elapsed since transmission of the last Configuration BPDU.
BPDUs Sent and Received          The number of BPDUs sent and received on this port since the software was reloaded.

Displaying Detailed STP Information for a Single Port in a Specific VLAN

Enter a command such as the following to display STP information for an individual port in a specific VLAN.

FastIron#show span detail vlan 1 ethernet 7/1
Port 7/1 is FORWARDING
  Port - Path cost: 19, Priority: 128, Root: 0x800000e052a9bb00
  Designated - Bridge: 0x800000e052a9bb00, Interface: 7, Path cost: 0
  Active Timers - None
  BPDUs - Sent: 29, Received: 0

Syntax: show span detail [vlan <vlan-id> [ethernet [<slotnum>/]<portnum> | <num>]

Displaying STP State Information for an Individual Interface

To display STP state information for an individual port, you can use the methods in “Displaying STP Information for an Entire Device” on page 10-8 or “Displaying Detailed STP Information for Each Interface” on page 10-12. You also can display STP state information for a specific port using the following method.
To display information for a specific port, enter a command such as the following at any level of the CLI:

FastIron#show interface ethernet 3/11
FastEthernet3/11 is up, line protocol is up
Hardware is FastEthernet, address is 00e0.52a9.bb49 (bia 00e0.52a9.bb49)
Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
STP configured to ON, priority is level0, flow control enabled
mirror disabled, monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
MTU 1518 bytes, encapsulation ethernet
5 minute input rate: 352 bits/sec, 0 packets/sec, 0.00% utilization
5 minute output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
1238 packets input, 79232 bytes, 0 no buffer
Received 686 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 ignored
529 multicast
918 packets output, 63766 bytes, 0 underruns
0 output errors, 0 collisions

The STP information is shown in bold type in this example.

Syntax: show interfaces [ethernet [<stack-unit>/<slotnum>/]<portnum>] | [loopback <num>] | [slot <slot-num>] | [ve <num>] | [brief]

The <stack-unit> option is required on FGS and FLS devices running software release 2.5 and later, and on FGS-STK and FLS-STK devices running software version 5.0 and later.

You also can display the STP states of all ports by entering a command such as the following, which uses the brief parameter:

FastIron#show interface brief
Port  Link  State    Dupl  Speed  Trunk  Tag  Priori  MAC             Name
1/1   Down  None     None  None   None   No   level0  00e0.52a9.bb00
1/2   Down  None     None  None   None   No   level0  00e0.52a9.bb01
1/3   Down  None     None  None   None   No   level0  00e0.52a9.bb02
1/4   Down  None     None  None   None   No   level0  00e0.52a9.bb03
1/5   Down  None     None  None   None   No   level0  00e0.52a9.bb04
1/6   Down  None     None  None   None   No   level0  00e0.52a9.bb05
1/7   Down  None     None  None   None   No   level0  00e0.52a9.bb06
1/8   Down  None     None  None   None   No   level0  00e0.52a9.bb07
.
. some rows omitted for brevity
.
3/10  Down  None     None  None   None   No   level0  00e0.52a9.bb4a
3/11  Up    Forward  Full  100M   None   No   level0  00e0.52a9.bb49

In the example above, only one port, 3/11, is forwarding traffic toward the root bridge.

Configuring STP Related Features

STP features extend the operation of standard STP, enabling you to fine tune standard STP and avoid some of its limitations. This section describes how to configure these parameters on Foundry Layer 3 Switches using the CLI.

Fast Port Span

When STP is running on a device, message forwarding is delayed during the spanning tree recalculation period following a topology change. The STP forward delay parameter specifies the period of time a bridge waits before forwarding data packets. The forward delay controls the listening and learning periods of STP reconvergence. You can configure the forward delay to a value from 4 – 30 seconds. The default is 15 seconds. Thus, using the standard forward delay, convergence requires 30 seconds (15 seconds for listening and an additional 15 seconds for learning) when the default value is used.

This slow convergence is undesirable and unnecessary in some circumstances. The Fast Port Span feature allows certain ports to enter the forwarding state in four seconds. Specifically, Fast Port Span allows faster convergence on ports that are attached to end stations and thus do not present the potential to cause Layer 2 forwarding loops. Because the end stations cannot cause forwarding loops, they can safely go through the STP state changes (blocking to listening to learning to forwarding) more quickly than is allowed by the standard STP convergence time. Fast Port Span performs the convergence on these ports in four seconds (two seconds for listening and two seconds for learning).
In addition, Fast Port Span enhances overall network performance in the following ways:
• Fast Port Span reduces the number of STP topology change notifications on the network. When an end station attached to a Fast Span port comes up or down, the Foundry device does not generate a topology change notification for the port. In this situation, the notification is unnecessary since a change in the state of the host does not affect the network’s topology.
• Fast Port Span eliminates unnecessary MAC cache aging that can be caused by topology change notifications. Bridging devices age out the learned MAC addresses in their MAC caches if the addresses are unrefreshed for a given period of time, sometimes called the MAC aging interval. When STP sends a topology change notification, devices that receive the notification use the value of the STP forward delay to quickly age out their MAC caches. For example, if a device’s normal MAC aging interval is 5 minutes, the aging interval changes temporarily to the value of the forward delay (for example, 15 seconds) in response to an STP topology change. In normal STP, the accelerated cache aging occurs even when a single host goes up or down. Because Fast Port Span does not send a topology change notification when a host on a Fast Port Span port goes up or down, the unnecessary cache aging that can occur in these circumstances under normal STP is eliminated.

Fast Port Span is a system-wide parameter and is enabled by default. Thus, when you boot a device, all the ports that are attached only to end stations run Fast Port Span. For ports that are not eligible for Fast Port Span, such as ports connected to other networking devices, the device automatically uses the normal STP settings.
If a port matches any of the following criteria, the port is ineligible for Fast Port Span and uses normal STP instead:
• The port is 802.1Q tagged
• The port is a member of a trunk group
• The port has learned more than one active MAC address
• An STP Configuration BPDU has been received on the port, thus indicating the presence of another bridge on the port.

You also can explicitly exclude individual ports from Fast Port Span if needed. For example, if the only uplink ports for a wiring closet switch are Gigabit ports, you can exclude the ports from Fast Port Span.

Disabling and Re-enabling Fast Port Span

Fast Port Span is a system-wide parameter and is enabled by default. Thus all ports that are eligible for Fast Port Span use it. To disable or re-enable Fast Port Span, enter the following commands:

FastIron(config)#no fast port-span
FastIron(config)#write memory

Syntax: [no] fast port-span

NOTE: The fast port-span command has additional parameters that let you exclude specific ports. These parameters are shown in the following section.

To re-enable Fast Port Span, enter the following commands:

FastIron(config)#fast port-span
FastIron(config)#write memory

Excluding Specific Ports from Fast Port Span

To exclude a port from Fast Port Span while leaving Fast Port Span enabled globally, enter commands such as the following:

FastIron(config)#fast port-span exclude ethernet 1
FastIron(config)#write memory

To exclude a set of ports from Fast Port Span, enter commands such as the following:

FastIron(config)#fast port-span exclude ethernet 1 ethernet 2 ethernet 3
FastIron(config)#write memory

To exclude a contiguous (unbroken) range of ports from Fast Span, enter commands such as the following:

FastIron(config)#fast port-span exclude ethernet 1 to 24
FastIron(config)#write memory

Syntax: [no] fast port-span [exclude ethernet [<slotnum>/]<portnum> [ethernet [<slotnum>/]<portnum> | to [<slotnum>/]<portnum>]]

To re-enable Fast Port Span on a port, enter a command such as the following:

FastIron(config)#no fast port-span exclude ethernet 1
FastIron(config)#write memory

This command re-enables Fast Port Span on port 1 only and does not re-enable Fast Port Span on other excluded ports. You also can re-enable Fast Port Span on a list or range of ports using the syntax shown above this example.

To re-enable Fast Port Span on all excluded ports, disable and then re-enable Fast Port Span by entering the following commands:

FastIron(config)#no fast port-span
FastIron(config)#fast port-span
FastIron(config)#write memory

Disabling and then re-enabling Fast Port Span clears the exclude settings and thus enables Fast Port Span on all eligible ports. To make sure Fast Port Span remains enabled on the ports following a system reset, save the configuration changes to the startup-config file after you re-enable Fast Port Span. Otherwise, when the system resets, those ports will again be excluded from Fast Port Span.

802.1W Rapid Spanning Tree (RSTP)

Foundry’s earlier implementation of Rapid Spanning Tree Protocol (RSTP), which was 802.1W Draft 3, provided only a subset of the IEEE 802.1W standard; whereas the 802.1W RSTP feature provides the full standard. The implementation of the 802.1W Draft 3 is referred to as RSTP Draft 3. RSTP Draft 3 will continue to be supported on Foundry devices for backward compatibility. However, customers who are currently using RSTP Draft 3 should migrate to 802.1W.

The 802.1W feature provides rapid traffic reconvergence for point-to-point links within a few milliseconds (0 – 500 milliseconds), following the failure of a bridge or bridge port.
This reconvergence occurs more rapidly than the reconvergence provided by the 802.1D Spanning Tree Protocol (STP) or by RSTP Draft 3.

NOTE: This rapid convergence will not occur on ports connected to shared media devices, such as hubs. To take advantage of the rapid convergence provided by 802.1W, make sure to explicitly configure all point-to-point links in a topology.

The convergence provided by the standard 802.1W protocol occurs more rapidly than the convergence provided by previous spanning tree protocols because:
• Classic or legacy 802.1D STP protocol requires a newly selected Root port to go through listening and learning stages before traffic convergence can be achieved. The 802.1D traffic convergence time is calculated using the following formula: 2 x FORWARD_DELAY + BRIDGE_MAX_AGE. If default values are used in the parameter configuration, convergence can take up to 50 seconds. (In this document STP will be referred to as 802.1D.)
• RSTP Draft 3 works only on bridges that have Alternate ports, which are the precalculated “next best root port”. (Alternate ports provide backup paths to the root bridge.) Although convergence occurs from 0 – 500 milliseconds in RSTP Draft 3, the spanning tree topology reverts to the 802.1D convergence if an Alternate port is not found.
• Convergence in an 802.1W bridge is not based on any timer values. Rather, it is based on the explicit handshakes between Designated ports and their connected Root ports to achieve convergence in less than 500 milliseconds.

Bridges and Bridge Port Roles

A bridge in an 802.1W rapid spanning tree topology is assigned as the root bridge if it has the highest priority (lowest bridge identifier) in the topology. Other bridges are referred to as non-root bridges. Unique roles are assigned to ports on the root and non-root bridges.
Role assignments are based on the following information contained in the Rapid Spanning Tree Bridge Protocol Data Unit (RST BPDU):
• Root bridge ID
• Path cost value
• Transmitting bridge ID
• Designated port ID

The 802.1W algorithm uses this information to determine if the RST BPDU received by a port is superior to the RST BPDU that the port transmits. The two values are compared in the order given above, starting with the Root bridge ID. The RST BPDU with a lower value is considered superior. The superiority and inferiority of the RST BPDU is used to assign a role to a port. If the value of the received RST BPDU is the same as that of the transmitted RST BPDU, then the port IDs in the RST BPDUs are compared. The RST BPDU with the lower port ID is superior. Port roles are then calculated appropriately.

The port’s role is included in the BPDU that it transmits. The BPDU transmitted by an 802.1W port is referred to as an RST BPDU while it is operating in 802.1W mode.

Ports can have one of the following roles:
• Root – Provides the lowest cost path to the root bridge from a specific bridge
• Designated – Provides the lowest cost path to the root bridge from a LAN to which it is connected
• Alternate – Provides an alternate path to the root bridge when the root port goes down
• Backup – Provides a backup to the LAN when the Designated port goes down
• Disabled – Has no role in the topology

Assignment of Port Roles

At system start-up, all 802.1W-enabled bridge ports assume a Designated role. Once start-up is complete, the 802.1W algorithm calculates the superiority or inferiority of the RST BPDU that is received and transmitted on a port.

On a root bridge, each port is assigned a Designated port role, except for ports on the same bridge that are physically connected together. For such ports, the port that receives the superior RST BPDU becomes the Backup port, while the other port becomes the Designated port.
On non-root bridges, ports are assigned as follows:
• The port that receives the RST BPDU with the lowest path cost from the root bridge becomes the Root port.
• If two ports on the same bridge are physically connected, the port that receives the superior RST BPDU becomes the Backup port, while the other port becomes the Designated port.
• If a non-root bridge already has a Root port, then the port that receives an RST BPDU that is superior to those it can transmit becomes the Alternate port.
• If the RST BPDU that a port receives is inferior to the RST BPDUs it transmits, then the port becomes a Designated port.
• If the port is down or if 802.1W is disabled on the port, that port is given the role of Disabled port. Disabled ports have no role in the topology. However, if 802.1W is enabled on a port with a link down and the link of that port comes up, then that port assumes one of the following port roles: Root, Designated, Alternate, or Backup.

The following example (Figure 10.1) explains role assignments in a simple RSTP topology.

NOTE: All examples in this document assume that all ports in the illustrated topologies are point-to-point links and are homogeneous (they have the same path cost value) unless otherwise specified.

The topology in Figure 10.1 contains four bridges. Switch 1 is the root bridge since it has the lowest bridge priority. Switch 2 through Switch 4 are non-root bridges.

Figure 10.1 Simple 802.1W Topology (Switch 1, bridge priority = 100; Switch 2, bridge priority = 200; Switch 3, bridge priority = 300; Switch 4, bridge priority = 400)

Ports on Switch 1

All ports on Switch 1, the root bridge, are assigned Designated port roles.

Ports on Switch 2

Port2 on Switch 2 directly connects to the root bridge; therefore, Port2 is the Root port.
Switch 2’s bridge priority value is superior to that of Switch 3 and Switch 4; therefore, the ports on Switch 2 that connect to Switch 3 and Switch 4 are given the Designated port role.

Furthermore, Port7 and Port8 on Switch 2 are physically connected. The RST BPDUs transmitted by Port7 are superior to those Port8 transmits. Therefore, Port8 is the Backup port and Port7 is the Designated port.

Ports on Switch 3

Port2 on Switch 3 directly connects to the Designated port on the root bridge; therefore, it assumes the Root port role.

The root path cost of the RST BPDUs received on Port4/Switch 3 is inferior to the RST BPDUs transmitted by the port; therefore, Port4/Switch 3 becomes the Designated port.

Similarly, Switch 3 has a bridge priority value inferior to Switch 2. Port3 on Switch 3 connects to Port3 on Switch 2. This port will be given the Alternate port role, since a Root port is already established on this bridge.

Ports on Switch 4

Switch 4 is not directly connected to the root bridge. It has two ports with superior incoming RST BPDUs from two separate LANs: Port3 and Port4. The RST BPDUs received on Port3 are superior to the RST BPDUs received on Port4; therefore, Port3 becomes the Root port and Port4 becomes the Alternate port.

Edge Ports and Edge Port Roles

Foundry’s implementation of 802.1W allows ports that are configured as Edge ports to be present in an 802.1W topology (Figure 10.2). Edge ports are ports of a bridge that connect to workstations or computers. Edge ports do not register any incoming BPDU activities. Edge ports assume Designated port roles. Port flapping does not cause any topology change events on Edge ports since 802.1W does not consider Edge ports in the spanning tree calculations.
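The role assignment walked through for Figure 10.1 above, carried out in code as an added example (not Foundry's implementation): each port compares the RST BPDU it receives with the one it would transmit, in the order Root bridge ID, root path cost, transmitting bridge ID, designated port ID, and takes the Root, Designated, Alternate or Backup role accordingly. The bridge MAC addresses, a path cost of 1 per link and the round-based convergence loop are assumptions of this example.

```python
"""Port-role assignment for the four-bridge topology of Figure 10.1.

Added example, not Foundry code.  It applies the RST BPDU comparison order
(root bridge ID, root path cost, transmitting bridge ID, designated port ID;
lower wins) to the bridges and links in the figure and reports the role each
port settles on.  The bridge MAC addresses, an equal path cost of 1 per link
and the synchronous round-based convergence loop are assumptions.
"""
from typing import Dict, List, Optional, Tuple

BridgeId = Tuple[int, str]                    # (priority, MAC); lower is superior
Vector = Tuple[BridgeId, int, BridgeId, int]  # root, root path cost, tx bridge, tx port


class Bridge:
    def __init__(self, name: str, priority: int, mac: str) -> None:
        self.name, self.bid = name, (priority, mac)
        self.ports: Dict[int, "Port"] = {}
        self.root_id: BridgeId = self.bid     # at start-up every bridge claims root
        self.root_cost = 0
        self.root_port: Optional["Port"] = None

    def port(self, number: int) -> "Port":
        return self.ports.setdefault(number, Port(self, number))


class Port:
    def __init__(self, bridge: Bridge, number: int, cost: int = 1) -> None:
        self.bridge, self.number, self.cost = bridge, number, cost
        self.peer: Optional["Port"] = None
        self.received: Optional[Vector] = None  # last RST BPDU seen from the peer
        self.role = "Designated"                # all ports start out Designated

    def designated_vector(self) -> Vector:
        """The RST BPDU this port transmits."""
        b = self.bridge
        return (b.root_id, b.root_cost, b.bid, self.number)


def link(a: Port, b: Port) -> None:
    a.peer, b.peer = b, a


def receive_bpdus(bridges: List[Bridge]) -> None:
    """Each port records the RST BPDU its peer transmitted in the last round."""
    for br in bridges:
        for p in br.ports.values():
            p.received = p.peer.designated_vector() if p.peer else None


def select_roles(br: Bridge) -> None:
    """Root port selection and per-port role assignment for one bridge."""
    best: Vector = (br.bid, 0, br.bid, 0)     # the bridge's own claim to be root
    best_port: Optional[Port] = None
    for p in br.ports.values():
        if p.received is None or p.received[2] == br.bid:
            continue                          # no BPDU, or our own BPDU looped back
        root_path = (p.received[0], p.received[1] + p.cost,
                     p.received[2], p.received[3])
        if root_path < best:
            best, best_port = root_path, p
    br.root_id, br.root_cost, br.root_port = best[0], best[1], best_port
    for p in br.ports.values():
        if p.received is None:
            p.role = "Disabled"
        elif p is best_port:
            p.role = "Root"
        elif p.received < p.designated_vector():
            # the peer's BPDU is superior to ours: Backup if the peer is another
            # port of this same bridge, otherwise Alternate
            p.role = "Backup" if p.received[2] == br.bid else "Alternate"
        else:
            p.role = "Designated"


def converge(bridges: List[Bridge], max_rounds: int = 10) -> Dict[str, str]:
    """Alternate BPDU exchange and role selection until nothing changes."""
    prev = None
    for _ in range(max_rounds):
        receive_bpdus(bridges)
        for br in bridges:
            select_roles(br)
        snap = [(br.root_id, br.root_cost, p.role)
                for br in bridges for p in br.ports.values()]
        if snap == prev:
            break
        prev = snap
    return {f"{br.name}/Port{p.number}": p.role
            for br in bridges for p in br.ports.values()}


def figure_10_1_roles() -> Dict[str, str]:
    """Build the Figure 10.1 topology (MACs are constructed) and return the roles."""
    s1 = Bridge("Switch 1", 100, "00e0.52a9.0001")
    s2 = Bridge("Switch 2", 200, "00e0.52a9.0002")
    s3 = Bridge("Switch 3", 300, "00e0.52a9.0003")
    s4 = Bridge("Switch 4", 400, "00e0.52a9.0004")
    link(s1.port(2), s2.port(2))  # Switch 2 connects straight to the root
    link(s1.port(3), s3.port(2))  # so does Switch 3
    link(s2.port(3), s3.port(3))
    link(s2.port(4), s4.port(3))
    link(s3.port(4), s4.port(4))
    link(s2.port(7), s2.port(8))  # Port7 and Port8 on Switch 2 are cabled together
    return converge([s1, s2, s3, s4])
```

Running figure_10_1_roles() reproduces the walkthrough: Port8/Switch 2 is the Backup port, Port3/Switch 3 and Port4/Switch 4 are Alternate ports, and every port on Switch 1 is Designated.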
Figure 10.2 Topology with Edge Ports (Switch 1, bridge priority = 600; Switch 2, bridge priority = 1000, with Port5 as an Edge port; Switch 3, bridge priority = 2000, with Port5 as an Edge port)

However, if any incoming RST BPDU is received from a previously configured Edge port, 802.1W automatically makes the port a non-edge port. This is extremely important to ensure a loop free Layer 2 operation since a non-edge port is part of the active RSTP topology.

The 802.1W protocol can auto-detect an Edge port and a non-edge port. An administrator can also configure a port to be an Edge port using the CLI. It is recommended that Edge ports are configured explicitly to take advantage of the Edge port feature, instead of allowing the protocol to auto-detect them.

Point-to-Point Ports

To take advantage of the 802.1W features, ports on an 802.1W topology should be explicitly configured as point-to-point links using the CLI. Shared media should not be configured as point-to-point links.

NOTE: Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops.

The topology in Figure 10.3 is an example of shared media that should not be configured as point-to-point links. In Figure 10.3, a port on a bridge communicates or is connected to at least two ports.

Figure 10.3 Example of Shared Media

Bridge Port States

Port roles can have one of the following states:
• Forwarding – 802.1W is allowing the port to send and receive all packets.
• Discarding – 802.1W has blocked data traffic on this port to prevent a loop. The device or VLAN can reach the root bridge using another port, whose state is forwarding. When a port is in this state, the port does not transmit or receive data frames, but the port does continue to receive RST BPDUs. This state corresponds to the listening and blocking states of 802.1D.
• Learning – 802.1W is allowing MAC entries to be added to the filtering database but does not permit forwarding of data frames. The device can learn the MAC addresses of frames that the port receives during this state and make corresponding entries in the MAC table.
• Disabled – The port is not participating in 802.1W. This can occur when the port is disconnected or 802.1W is administratively disabled on the port.

A port on a non-root bridge with the role of Root port is always in a forwarding state. If another port on that bridge assumes the Root port role, then the old Root port moves into a discarding state as it assumes another port role.

A port on a non-root bridge with a Designated role starts in the discarding state. When that port becomes elected to the Root port role, 802.1W quickly places it into a forwarding state. However, if the Designated port is an Edge port, then the port starts and stays in a forwarding state and it cannot be elected as a Root port.

A port with an Alternate or Backup role is always in a discarding state. If the port’s role changes to Designated, then the port changes into a forwarding state.

If a port on one bridge has a Designated role and that port is connected to a port on another bridge that has an Alternate or Backup role, the port with a Designated role cannot be given a Root port role until two instances of the forward delay timer expire on that port.

Edge Port and Non-Edge Port States

As soon as a port is configured as an Edge port using the CLI, it goes into a forwarding state instantly (in less than 100 msec). When the link to a port comes up and 802.1W detects that the port is an Edge port, that port instantly goes into a forwarding state.

If 802.1W detects that port as a non-edge port, the port state is changed as determined by the result of processing the received RST BPDU. The port state change occurs within four seconds of link up or after two hello timers expire on the port.
Changes to Port Roles and States

To achieve convergence in a topology, a port’s role and state changes as it receives and transmits new RST BPDUs. Changes in a port’s role and state constitute a topology change. Besides the superiority and inferiority of the RST BPDU, bridge-wide and per-port state machines are used to determine a port’s role as well as a port’s state. Port state machines also determine when port role and state changes occur.

State Machines

The bridge uses the Port Role Selection state machine to determine if port role changes are required on the bridge. This state machine performs a computation when one of the following events occurs:
• New information is received on any port on the bridge
• The timer expires for the current information on a port on the bridge

Each port uses the following state machines:
• Port Information – This state machine keeps track of spanning-tree information currently used by the port. It records the origin of the information and ages out any information that was derived from an incoming BPDU.
• Port Role Transition – This state machine keeps track of the current port role and transitions the port to the appropriate role when required. It moves the Root port and the Designated port into forwarding states and moves the Alternate and Backup ports into discarding states.
• Port Transmit – This state machine is responsible for BPDU transmission. It checks to ensure only the maximum number of BPDUs per hello interval are sent every second. Based on what mode it is operating in, it sends out either legacy BPDUs or RST BPDUs. In this document legacy BPDUs are also referred to as STP BPDUs.
• Port Protocol Migration – This state machine deals with compatibility with 802.1D bridges. When a legacy BPDU is detected on a port, this state machine configures the port to transmit and receive legacy BPDUs and operate in the legacy mode.
• Topology Change – This state machine detects, generates, and propagates topology change notifications. It acknowledges Topology Change Notice (TCN) messages when operating in 802.1D mode. It also flushes the MAC table when a topology change event takes place.
• Port State Transition – This state machine transitions the port to a discarding, learning, or forwarding state and performs any necessary processing associated with the state changes.
• Port Timers – This state machine is responsible for triggering any of the state machines described above, based on expiration of specific port timers.

In contrast to the 802.1D standard, the 802.1W standard does not have any bridge specific timers. All timers in the CLI are applied on a per-port basis, even though they are configured under bridge parameters.

802.1W state machines attempt to quickly place the ports into either a forwarding or discarding state. Root ports are quickly placed in forwarding state when both of the following events occur:
• It is assigned to be the Root port.
• It receives an RST BPDU with a proposal flag from a Designated port. The proposal flag is sent by ports with a Designated role when they are ready to move into a forwarding state.

When the role of Root port is given to another port, the old Root port is instructed to reroot. The old Root port goes into a discarding state and negotiates with its peer port for a new role and a new state. A peer port is the port on the other bridge to which the port is connected. For example, in Figure 10.4, Port1 of Switch 200 is the peer port of Port2 of Switch 100.
A port with a Designated role is quickly placed into a forwarding state if one of the following occurs:
• The Designated port receives an RST BPDU that contains an agreement flag from a Root port
• The Designated port is an Edge port

However, a Designated port that is attached to an Alternate port or a Backup port must wait until the forward delay timer expires twice on that port while it is still in a Designated role, before it can proceed to the forwarding state.

Backup ports are quickly placed into discarding states. Alternate ports are quickly placed into discarding states.

A port operating in 802.1W mode may enter a learning state to allow MAC entries to be added to the filtering database; however, this state is transient and lasts only a few milliseconds, if the port is operating in 802.1W mode and if the port meets the conditions for rapid transition.

Handshake Mechanisms

To rapidly transition a Designated or Root port into a forwarding state, the Port Role Transition state machine uses handshake mechanisms to ensure loop free operations. It uses one type of handshake if no Root port has been assigned on a bridge, and another type if a Root port has already been assigned.

Handshake When No Root Port is Elected

If a Root port has not been assigned on a bridge, 802.1W uses the Proposing -> Proposed -> Sync -> Synced -> Agreed handshake:
• Proposing – The Designated port on the root bridge sends an RST BPDU packet to its peer port that contains a proposal flag. The proposal flag is a signal that indicates that the Designated port is ready to put itself in a forwarding state (Figure 10.4). The Designated port continues to send this flag in its RST BPDU until it is placed in a forwarding state (Figure 10.7) or is forced to operate in 802.1D mode. (See “Compatibility of 802.1W with 802.1D” on page 10-43).
• Proposed – When a port receives an RST BPDU with a proposal flag from the Designated port on its point-to-point link, it asserts the Proposed signal and one of the following occurs (Figure 10.4):
  • If the RST BPDU that the port receives is superior to what it can transmit, the port assumes the role of a Root port. (See the section on “Bridges and Bridge Port Roles” on page 10-19.)
  • If the RST BPDU that the port receives is inferior to what it can transmit, then the port is given the role of Designated port.

NOTE: Proposed will never be asserted if the port is connected on a shared media link.

In Figure 10.4, Port3/Switch 200 is elected as the Root port.

Figure 10.4 Proposing and Proposed Stage (Switch 100, the root bridge, sends an RST BPDU with a proposal flag from its Designated port, which is Proposing; the Root port on Switch 200 is Proposed; Switch 300 and Switch 400 are downstream of Switch 200)

• Sync – Once the Root port is elected, it sets a sync signal on all the ports on the bridge. The signal tells the ports to synchronize their roles and states (Figure 10.5). Ports that are non-edge ports with a role of Designated port change into a discarding state. These ports have to negotiate with their peer ports to establish their new roles and states.

Figure 10.5 Sync Stage (Port1/Switch 200, the Root port, asserts Sync; Port2 and Port3 on Switch 200 are Sync and Discarding)

• Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced. The Root port monitors the synced signals from all the bridge ports. Once all bridge ports assert a synced signal, the Root port asserts its own synced signal (Figure 10.6).

Figure 10.6 Synced Stage (Port1/Switch 200, the Root port, is Synced; Port2 and Port3 on Switch 200 are Synced and Discarding)

• Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state. When the peer Designated port receives the RST BPDU, it rapidly transitions into a forwarding state.

Figure 10.7 Agree Stage (Port1/Switch 200 sends an RST BPDU with an Agreed flag and is Synced and Forwarding; Port1/Switch 100, the Designated port, is Forwarding; Port2 and Port3 on Switch 200 are Synced and Discarding)

At this point, the handshake mechanism is complete between Switch 100, the root bridge, and Switch 200. Switch 200 updates the information on its Designated ports (Port2 and Port3) and identifies the new root bridge. The Designated ports send RST BPDUs, containing proposal flags, to their downstream bridges, without waiting for the hello timers to expire on them. This process starts the handshake with the downstream bridges.

For example, Port2/Switch 200 sends an RST BPDU to Port2/Switch 300 that contains a proposal flag. Port2/Switch 300 asserts a proposed signal. Ports in Switch 300 then set sync signals on the ports to synchronize and negotiate their roles and states. Then the ports assert a synced signal and when the Root port in Switch 300 asserts its synced signal, it sends an RST BPDU to Switch 200 with an agreed flag. This handshake is repeated between Switch 200 and Switch 400 until all Designated and Root ports are in forwarding states.

Handshake When a Root Port Has Been Elected

If a non-root bridge already has a Root port, 802.1W uses a different type of handshake.
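The handshake when no Root port is elected (Figures 10.4 through 10.7), as an added message-level simulation that is not Foundry code: Switch 100 proposes, Switch 200 syncs its non-edge Designated ports into discarding, agrees, and then proposes downstream to Switch 300 and Switch 400 without waiting for a hello timer. Port roles are fixed in advance as the figures show them; the Edge port Port5/Switch 200 and an extra Designated-to-Alternate link between Switch 300 and Switch 400 are assumptions added to exercise the Edge-port and two-forward-delay rules described above, and the forward delay wait itself is only logged, not timed.

```python
"""Message-level simulation of the Proposing -> Proposed -> Sync -> Synced
-> Agreed handshake of Figures 10.4 through 10.7.  Added example, not
Foundry code: port roles are fixed in advance as the figures show them;
the Edge port Port5/Switch 200 and the Designated-to-Alternate link between
Switch 300 and Switch 400 are assumptions added to exercise the Edge-port
rule and the two-forward-delay rule.
"""
from typing import Dict, List, Optional


class Port:
    def __init__(self, bridge: "Bridge", name: str, role: str, edge: bool = False):
        self.bridge, self.name, self.role, self.edge = bridge, name, role, edge
        self.state = "forwarding" if edge else "discarding"   # Edge ports never wait
        self.synced = edge or role in ("Alternate", "Backup")  # synced immediately
        self.peer: Optional["Port"] = None

    @property
    def label(self) -> str:
        return f"{self.name}/{self.bridge.name}"   # the guide's Port1/Switch 200 style


class Bridge:
    def __init__(self, name: str, log: List[str]) -> None:
        self.name, self.log, self.ports = name, log, []

    def add(self, name: str, role: str, edge: bool = False) -> Port:
        self.ports.append(Port(self, name, role, edge))
        return self.ports[-1]

    def send(self, port: Port, proposal: bool = False, agreement: bool = False) -> None:
        if port.peer is not None:
            port.peer.bridge.receive(port.peer, port, proposal, agreement)

    def receive(self, port: Port, frm: Port, proposal: bool, agreement: bool) -> None:
        flags = (" [proposal]" if proposal else "") + (" [agreement]" if agreement else "")
        self.log.append(f"{frm.label} -> {port.label}: RST BPDU{flags}")
        if proposal and port.role == "Root":
            self.proposed(port)
        elif agreement and port.role == "Designated":
            port.state = "forwarding"     # Agreed: the peer Root port has agreed
            self.log.append(f"{port.label} forwarding")
        elif proposal:
            # An Alternate or Backup port never agrees; the proposing Designated
            # port must wait two forward delay periods (not simulated here).
            self.log.append(f"{port.label} ({port.role}) stays discarding")

    def proposed(self, root_port: Port) -> None:
        """Proposed -> Sync -> Synced -> Agreed on the bridge that owns root_port."""
        self.log.append(f"{root_port.label} proposed; sync asserted on all ports")
        for p in self.ports:
            if p is root_port or p.synced:
                continue                  # Edge, Alternate and Backup ports already synced
            p.state, p.synced = "discarding", True   # non-edge Designated ports cut over
            self.log.append(f"{p.label} discarding, synced")
        root_port.synced, root_port.state = True, "forwarding"
        self.log.append(f"{root_port.label} synced, forwarding")
        self.send(root_port, agreement=True)
        for p in self.ports:              # propose downstream without waiting for hello
            if p.role == "Designated" and not p.edge:
                self.send(p, proposal=True)


def link(a: Port, b: Port) -> None:
    a.peer, b.peer = b, a


def run_handshake() -> Dict[str, object]:
    """Run the Figure 10.4 exchange; returns the log and every port's final state."""
    log: List[str] = []
    s100, s200 = Bridge("Switch 100", log), Bridge("Switch 200", log)
    s300, s400 = Bridge("Switch 300", log), Bridge("Switch 400", log)
    link(s100.add("Port1", "Designated"), s200.add("Port1", "Root"))
    link(s200.add("Port2", "Designated"), s300.add("Port2", "Root"))
    link(s200.add("Port3", "Designated"), s400.add("Port3", "Root"))
    s200.add("Port5", "Designated", edge=True)                            # assumed Edge port
    link(s300.add("Port4", "Designated"), s400.add("Port4", "Alternate"))  # assumed link
    s100.send(s100.ports[0], proposal=True)                               # Proposing
    states = {p.label: p.state for b in (s100, s200, s300, s400) for p in b.ports}
    return {"log": log, "states": states}
```

The returned log reads as the sequence of figures: the proposal from Switch 100, Port2 and Port3 on Switch 200 going discarding and synced before the agreement goes back, and Port4/Switch 300 left discarding because its peer is an Alternate port.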
For example, in Figure 10.8, a new root bridge is added to the topology. December 2008 © 2008 Foundry Networks, Inc. 10 - 27 Foundry FastIron Configuration Guide Figure 10.8 Addition of a New Root Bridge Port2 Designated port Switch 100 Switch 60 Port2 Port1 Designated port Port4 Designated port Port1 Root port Switch 200 Port2 Port2 Switch 300 Port4 Port3 Port3 Switch 400 The handshake that occurs between Switch 60 and Switch 100 follows the one described in the previous section (“Handshake When No Root Port is Elected” on page 10-24). The former root bridge becomes a non-root bridge and establishes a Root port (Figure 10.9). However, since Switch 200 already had a Root port in a forwarding state, 802.1W uses the Proposing -> Proposed -> Sync and Reroot -> Sync and Rerooted -> Rerooted and Synced -> Agreed handshake: • 10 - 28 Proposing and Proposed – The Designated port on the new root bridge (Port4/Switch 60) sends an RST BPDU that contains a proposing signal to Port4/Switch 200 to inform the port that it is ready to put itself in a forwarding state (Figure 10.9). 802.1W algorithm determines that the RST BPDU that Port4/Switch 200 received is superior to what it can generate, so Port4/Switch 200 assumes a Root port role. © 2008 Foundry Networks, Inc. December 2008 Configuring Spanning Tree Protocol (STP) Related Features Figure 10.9 New Root Bridge Sending a Proposal Flag Handshake Completed Switch 100 Port2 Designated port Switch 60 Port2 Root port Port4 Designated port Proposing Port1 Proposing Port1 Root port Forwarding RST BPDU sent with a Proposing flag Switch 200 Port2 Port2 Switch 300 • Port3 Port4 Designated port Proposed Port3 Switch 400 Sync and Reroot – The Root port then asserts a sync and a reroot signal on all the ports on the bridge. The signal tells the ports that a new Root port has been assigned and they are to renegotiate their new roles and states. The other ports on the bridge assert their sync and reroot signals. 
Information about the old Root port is discarded from all ports. Designated ports change into discarding states (Figure 10.10).

Figure 10.10 Sync and Reroot

• Sync and Rerooted – When the ports on Switch 200 have completed the reroot phase, they assert their rerooted signals and continue to assert their sync signals as they continue in their discarding states. They also continue to negotiate their roles and states with their peer ports (Figure 10.11).

Figure 10.11 Sync and Rerooted

• Synced and Agreed – When all the ports on the bridge assert their synced signals, the new Root port asserts its own synced signal and sends an RST BPDU to Port4/Switch 60 that contains an agreed flag (Figure 10.11). The Root port also moves into a forwarding state.
Figure 10.12 Rerooted, Synced, and Agreed

The old Root port on Switch 200 becomes an Alternate port (Figure 10.13). Other ports on that bridge are elected to appropriate roles. The Designated port on Switch 60 goes into a forwarding state once it receives the RST BPDU with the agreed flag.

Figure 10.13 Handshake Completed After Election of New Root Port

Recall that Switch 200 sent the agreed flag to Port4/Switch 60 and not to Port1/Switch 100 (the port that connects Switch 100 to Switch 200). Therefore, Port1/Switch 100 does not go into forwarding state instantly. It waits until two instances of the forward delay timer expire on the port before it goes into forwarding state. At this point the handshake between Switch 60 and Switch 200 is complete. The remaining bridges (Switch 300 and Switch 400) may have to go through the reroot handshake if a new Root port needs to be assigned.

Convergence in a Simple Topology

The examples in this section illustrate how 802.1W convergence occurs in a simple Layer 2 topology at start-up.

NOTE: The remaining examples assume that the appropriate handshake mechanisms occur as port roles and states change.
Convergence at Start Up

In Figure 10.14, two bridges, Switch 2 and Switch 3, are powered up. There is a point-to-point connection between Port3/Switch 2 and Port3/Switch 3.

Figure 10.14 Convergence Between Two Bridges (Switch 2, bridge priority = 1500; Switch 3, bridge priority = 2000)

At power up, all ports on Switch 2 and Switch 3 assume Designated port roles and are in discarding states before they receive any RST BPDU. Port3/Switch 2, with a Designated role, transmits an RST BPDU with a proposal flag to Port3/Switch 3. A port with a Designated role sends the proposal flag in its RST BPDU when it is ready to move to a forwarding state. Port3/Switch 3, which starts with a role of Designated port, receives the RST BPDU and finds that it is superior to what it can transmit; therefore, Port3/Switch 3 assumes a new port role, that of a Root port. Port3/Switch 3 transmits an RST BPDU with an agreed flag back to Switch 2 and immediately goes into a forwarding state. Port3/Switch 2 receives the RST BPDU from Port3/Switch 3 and immediately goes into a forwarding state. Now 802.1W has fully converged between the two bridges, with Port3/Switch 3 as an operational Root port in forwarding state and Port3/Switch 2 as an operational Designated port in forwarding state. Next, Switch 1 is powered up (Figure 10.15).
Figure 10.15 Simple Layer 2 Topology (Switch 1, bridge priority = 1000; Switch 2, bridge priority = 1500; Switch 3, bridge priority = 2000)

The point-to-point connections between the three bridges are as follows:
• Port2/Switch 1 and Port2/Switch 2
• Port4/Switch 1 and Port4/Switch 3
• Port3/Switch 2 and Port3/Switch 3

Ports 3 and 5 on Switch 1 are physically connected together.

At start up, the ports on Switch 1 assume Designated port roles, which are in discarding state. They begin sending RST BPDUs with proposal flags to move into a forwarding state. When Port4/Switch 3 receives these RST BPDUs, the 802.1W algorithm determines that they are better than the RST BPDUs that were previously received on Port3/Switch 3. Port4/Switch 3 is now selected as Root port. This new assignment signals Port3/Switch 3 to begin entering the discarding state and to assume an Alternate port role. As it goes through the transition, Port3/Switch 3 negotiates a new role and state with its peer port, Port3/Switch 2. Port4/Switch 3 sends an RST BPDU with an agreed flag to Port4/Switch 1. Both ports go into forwarding states.

Port2/Switch 2 receives an RST BPDU. The 802.1W algorithm determines that these RST BPDUs are superior to any that any port on Switch 2 can transmit; therefore, Port2/Switch 2 assumes the role of a Root port. The new Root port then signals all ports on the bridge to start synchronization. Since none of the ports are Edge ports, they all enter the discarding state and assume the role of Designated ports. Port3/Switch 2, which previously had a Designated role with a forwarding state, enters the discarding state. The ports also negotiate port roles and states with their peer ports.
Port3/Switch 2 also sends an RST BPDU to Port3/Switch 3 with a proposal flag to request permission to go into a forwarding state. Port2/Switch 2 also sends an RST BPDU with an agreed flag to Port2/Switch 1, confirming that Port2 is the new Root port. Both ports go into forwarding states.

Now, Port3/Switch 3 is currently in a discarding state and is negotiating a port role. It received RST BPDUs from Port3/Switch 2. The 802.1W algorithm determines that the RST BPDUs Port3/Switch 3 received are superior to those it can transmit; however, they are not superior to those that are currently being received by the current Root port (Port4). Therefore, Port3 retains the role of Alternate port.

Port3/Switch 1 and Port5/Switch 1 are physically connected. Port5/Switch 1 received RST BPDUs that are superior to those received on Port3/Switch 1; therefore, Port5/Switch 1 is given the Backup port role while Port3 is given the Designated port role. Port3/Switch 1 does not go directly into a forwarding state. It waits until the forward delay time expires twice on that port before it can proceed to the forwarding state.

Once convergence is achieved, the active Layer 2 forwarding path converges as shown in Figure 10.16.

Figure 10.16 Active Layer 2 Path

Convergence After a Link Failure

What happens if a link in the 802.1W topology fails? For example, Port2/Switch 2, which is the port that connects Switch 2 to the root bridge (Switch 1), fails. Both Switch 2 and Switch 1 notice the topology change (Figure 10.17).
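The start-up election of Figures 10.14 to 10.16 worked through in code, as an added example that is not part of the Foundry guide: each port keeps the best priority vector (root ID, root path cost, designated bridge ID, designated port ID) it has heard, Designated ports transmit, and every bridge re-elects until no role changes, which reproduces the Root, Designated, Alternate and Backup roles the text arrives at. Bridge priorities are the ones in the figure; the MAC tiebreak values and the 200,000 per-port path cost are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# A priority vector in the order RSTP compares it; the lexicographically
# smaller tuple is the "superior" BPDU:
# (root bridge ID, root path cost, designated bridge ID, designated port ID)
Vector = Tuple[tuple, int, tuple, tuple]
PORT_PRIORITY = 128  # default port priority from the text


@dataclass
class Port:
    num: int
    cost: int = 200000                 # assumed: 100 Mbit/s default path cost
    received: Optional[Vector] = None  # best BPDU heard on this port so far
    role: str = "Designated"           # every port starts as Designated ...
    state: str = "Discarding"          # ... in the discarding state


class Bridge:
    def __init__(self, name: str, priority: int, mac: int, port_nums):
        self.name = name
        self.bridge_id = (priority, mac)   # lower priority number wins
        self.ports = {n: Port(n) for n in port_nums}
        self.root_id, self.root_cost = self.bridge_id, 0

    def designated_vector(self, port: Port) -> Vector:
        """The BPDU this port sends while it is Designated."""
        return (self.root_id, self.root_cost, self.bridge_id, (PORT_PRIORITY, port.num))

    def elect(self) -> None:
        """Choose the Root port, then give every other port its role."""
        best = None
        for p in self.ports.values():
            rv = p.received
            # Only a BPDU claiming a better root than ourselves can make a Root port.
            if rv is None or rv[0] >= self.bridge_id:
                continue
            cand = (rv[0], rv[1] + p.cost, rv[2], rv[3], p.num)
            if best is None or cand < best:
                best = cand
        if best is None:
            self.root_id, self.root_cost, root_port = self.bridge_id, 0, None
        else:
            self.root_id, self.root_cost, root_port = best[0], best[1], best[4]
        for p in self.ports.values():
            mine = self.designated_vector(p)
            if p.num == root_port:
                p.role, p.state = "Root", "Forwarding"
            elif p.received is None or mine < p.received:
                # steady state: reached via the agreed flag or 2x forward delay
                p.role, p.state = "Designated", "Forwarding"
            elif p.received[2] == self.bridge_id:
                p.role, p.state = "Backup", "Discarding"     # our own BPDU looped back
            else:
                p.role, p.state = "Alternate", "Discarding"  # another path to the root


def _snapshot(bridges):
    return [(p.role, p.received) for b in bridges for p in b.ports.values()]


def converge(bridges, links, max_rounds=20):
    """Synchronous exchange: Designated ports transmit, receivers keep the best
    vector heard, then every bridge re-elects; stop when nothing changes."""
    for _ in range(max_rounds):
        before = _snapshot(bridges)
        for (a, pa), (b, pb) in links:
            for tx, txp, rx, rxp in ((a, pa, b, pb), (b, pb, a, pa)):
                port = tx.ports[txp]
                if port.role != "Designated":
                    continue  # Root, Alternate and Backup ports do not send BPDUs
                v = tx.designated_vector(port)
                peer = rx.ports[rxp]
                if peer.received is None or v < peer.received:
                    peer.received = v
        for b in bridges:
            b.elect()
        if _snapshot(bridges) == before:
            return
    raise RuntimeError("topology did not converge")


def figure_10_15():
    """Priorities from the figure; the MAC tiebreak values are constructed."""
    s1 = Bridge("Switch 1", 1000, 0x000001, [2, 3, 4, 5])
    s2 = Bridge("Switch 2", 1500, 0x000002, [2, 3])
    s3 = Bridge("Switch 3", 2000, 0x000003, [3, 4])
    links = [((s1, 2), (s2, 2)), ((s1, 4), (s3, 4)), ((s2, 3), (s3, 3)),
             ((s1, 3), (s1, 5))]  # ports 3 and 5 of Switch 1 are cabled together
    bridges = [s1, s2, s3]
    converge(bridges, links)
    return {b.name: {n: (p.role, p.state) for n, p in b.ports.items()} for b in bridges}


if __name__ == "__main__":
    for name, ports in figure_10_15().items():
        for num, (role, state) in sorted(ports.items()):
            print(f"{name} Port{num}: {role} {state}")
```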
Figure 10.17 Link Failure in the Topology

Switch 1 sets its Port2 into a discarding state. At the same time, Switch 2 assumes the role of a root bridge since its Root port failed and it has no operational Alternate port. Port3/Switch 2, which currently has a Designated port role, sends an RST BPDU to Switch 3. The RST BPDU contains a proposal flag and the bridge ID of Switch 2 as its root bridge ID.

When Port3/Switch 3 receives the RST BPDUs, the 802.1W algorithm determines that they are inferior to those that the port can transmit. Therefore, Port3/Switch 3 is given a new role, that of a Designated port. Port3/Switch 3 then sends an RST BPDU with a proposal flag to Switch 2, along with the new role information. However, the root bridge ID transmitted in the RST BPDU is still Switch 1.

When Port3/Switch 2 receives the RST BPDU, the 802.1W algorithm determines that it is superior to the RST BPDU that it can transmit; therefore, Port3/Switch 2 receives a new role, that of a Root port. Port3/Switch 2 then sends an RST BPDU with an agreed flag to Port3/Switch 3. Port3/Switch 2 goes into a forwarding state.

When Port3/Switch 3 receives the RST BPDU that Port3/Switch 2 sent, Port3/Switch 3 changes into a forwarding state, which then completes the full convergence of the topology.

Convergence at Link Restoration

When Port2/Switch 2 is restored, both Switch 2 and Switch 1 recognize the change. Port2/Switch 1 starts assuming the role of a Designated port and sends an RST BPDU containing a proposal flag to Port2/Switch 2. When Port2/Switch 2 receives the RST BPDUs, the 802.1W algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port.
All the ports on Switch 2 are informed that a new Root port has been assigned, which then signals all the ports to synchronize their roles and states. Port3/Switch 2, which was the previous Root port, enters a discarding state and negotiates with other ports on the bridge to establish its new role and state, until it finally assumes the role of a Designated port.

Next, the following happens:
• Port3/Switch 2, the Designated port, sends an RST BPDU with a proposal flag to Port3/Switch 3.
• Port2/Switch 2 also sends an RST BPDU with an agreed flag to Port2/Switch 1 and then places itself into a forwarding state.

When Port2/Switch 1 receives the RST BPDU with an agreed flag sent by Port2/Switch 2, it puts that port into a forwarding state. The topology is now fully converged.

When Port3/Switch 3 receives the RST BPDU that Port3/Switch 2 sent, the 802.1W algorithm determines that these RST BPDUs are superior to those that Port3/Switch 3 can transmit. Therefore, Port3/Switch 3 is given a new role, that of an Alternate port. Port3/Switch 3 immediately enters a discarding state.

Now Port3/Switch 2 does not go into a forwarding state instantly like the Root port. It waits until the forward delay timer expires twice on that port while it is still in a Designated role, before it can proceed to the forwarding state. The wait, however, does not cause a denial of service, since the essential connectivity in the topology has already been established.

When fully restored, the topology is the same as that shown in Figure 10.15.

Convergence in a Complex 802.1W Topology

The following is an example of a complex 802.1W topology.
Figure 10.18 Complex 802.1W Topology (bridge priorities: Switch 1 = 1000, Switch 2 = 200, Switch 3 = 300, Switch 4 = 400, Switch 5 = 60, Switch 6 = 900)

In Figure 10.18, Switch 5 is selected as the root bridge since it is the bridge with the highest priority. Lines in the figure show the point-to-point connections between the bridges in the topology.

Switch 5 sends an RST BPDU that contains a proposal flag to Port5/Switch 2. When handshakes are completed with Switch 5, Port5/Switch 2 is selected as the Root port on Switch 2. All other ports on Switch 2 are given Designated port roles with discarding states. Port5/Switch 2 then sends an RST BPDU with an agreed flag to Switch 5 to confirm that it is the new Root port, and the port enters a forwarding state. Port7 and Port8 are informed of the identity of the new Root port. The 802.1W algorithm selects Port7 as the Designated port while Port8 becomes the Backup port.

Port3/Switch 5 sends an RST BPDU to Port3/Switch 6 with a proposal flag. When Port3/Switch 6 receives the RST BPDU, handshake mechanisms select Port3 as the Root port of Switch 6. All other ports are given a Designated port role with discarding states. Port3/Switch 6 then sends an RST BPDU with an agreed flag to Port3/Switch 5 to confirm that it is the Root port. The Root port then goes into a forwarding state.

Now, Port4/Switch 6 receives RST BPDUs that are superior to what it can transmit; therefore, it is given the Alternate port role. The port remains in discarding state. Port5/Switch 6 receives RST BPDUs that are inferior to what it can transmit. The port is then given a Designated port role.

Next, Switch 2 sends RST BPDUs with a proposal flag to Port3/Switch 4.
Port3 becomes the Root port for the bridge; all other ports are given a Designated port role with discarding states. Port3/Switch 4 sends an RST BPDU with an agreed flag to Switch 2 to confirm that it is the new Root port. The port then goes into a forwarding state. Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is then given an Alternate port role, and remains in discarding state. Likewise, Port5/Switch 4 receives an RST BPDU that is superior to what it can transmit. The port is also given an Alternate port role, and remains in discarding state.

Port2/Switch 2 transmits an RST BPDU with a proposal flag to Port2/Switch 1. Port2/Switch 1 becomes the Root port. All other ports on Switch 1 are given Designated port roles with discarding states. Port2/Switch 1 sends an RST BPDU with an agreed flag to Port2/Switch 2 and Port2/Switch 1 goes into a forwarding state. Port3/Switch 1 receives an RST BPDU that is inferior to what it can transmit; therefore, the port retains its Designated port role and goes into forwarding state only after the forward delay timer expires twice on that port while it is still in a Designated role.

Port3/Switch 2 sends an RST BPDU to Port3/Switch 3 that contains a proposal flag. Port3/Switch 3 becomes the Root port, while all other ports on Switch 3 are given Designated port roles and go into discarding states. Port3/Switch 3 sends an RST BPDU with an agreed flag to Port3/Switch 2 and Port3/Switch 3 goes into a forwarding state. Now, Port2/Switch 3 receives an RST BPDU that is superior to what it can transmit, so that port is given an Alternate port role. Port4/Switch 3 receives an RST BPDU that is inferior to what it can transmit; therefore, the port retains its Designated port role.

Ports on all the bridges in the topology with Designated port roles that received RST BPDUs with agreed flags go into forwarding states instantly.
However, Designated ports that did not receive RST BPDUs with agreed flags must wait until the forward delay timer expires twice on those ports. Only then will these ports move into forwarding states.

The entire 802.1W topology converges in less than 300 msec and the essential connectivity is established between the Designated ports and their connected Root ports. After convergence is complete, Figure 10.19 shows the active Layer 2 path of the topology in Figure 10.18.

Figure 10.19 Active Layer 2 Path in Complex Topology

Propagation of Topology Change

The Topology Change state machine generates and propagates the topology change notification messages on each port. When a Root port or a Designated port goes into a forwarding state, the Topology Change state machine on those ports sends a topology change notice (TCN) to all the bridges in the topology to propagate the topology change.

NOTE: Edge ports, Alternate ports, or Backup ports do not need to propagate a topology change.

The TCN is sent in the RST BPDU that a port sends. Ports on other bridges in the topology then acknowledge the topology change once they receive the RST BPDU, and send the TCN to other bridges until all the bridges are informed of the topology change.

For example, Port3/Switch 2 in Figure 10.20 fails. Port4/Switch 3 becomes the new Root port. Port4/Switch 3 sends an RST BPDU with a TCN to Port4/Switch 4. To propagate the topology change, Port4/Switch 4 then starts a TCN timer on itself, on the bridge’s Root port, and on other ports on that bridge with a Designated role.
Then Port3/Switch 4 sends an RST BPDU with the TCN to Port4/Switch 2. (Note the new active Layer 2 path in Figure 10.20.)

Figure 10.20 Beginning of Topology Change Notice

Switch 2 then starts the TCN timer on the Designated ports and sends RST BPDUs that contain the TCN as follows (Figure 10.21):
• Port5/Switch 2 sends the TCN to Port2/Switch 5
• Port4/Switch 2 sends the TCN to Port4/Switch 6
• Port2/Switch 2 sends the TCN to Port2/Switch 1

Figure 10.21 Sending TCN to Bridges Connected to Switch 2

Then Switch 1, Switch 5, and Switch 6 send RST BPDUs that contain the TCN to Switch 3 and Switch 4 to complete the TCN propagation (Figure 10.22).
Figure 10.22 Completing the TCN Propagation

Compatibility of 802.1W with 802.1D

802.1W-enabled bridges are backward compatible with IEEE 802.1D bridges. This compatibility is managed on a per-port basis by the Port Migration state machine. However, intermixing the two types of bridges in the network topology is not advisable if you want to take advantage of the rapid convergence feature.

Compatibility with 802.1D means that an 802.1W-enabled port can send BPDUs in the STP or 802.1D format when one of the following events occurs:
• The port receives a legacy BPDU. A legacy BPDU is an STP BPDU or a BPDU in an 802.1D format. The port that receives the legacy BPDU automatically configures itself to behave like a legacy port. It sends and receives legacy BPDUs only.
• The entire bridge is configured to operate in an 802.1D mode when an administrator sets the bridge parameter to zero at the CLI, forcing all ports on the bridge to send legacy BPDUs only.

Once a port operates in the 802.1D mode, 802.1D convergence times are used and rapid convergence is not realized.

For example, in Figure 10.23, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format to allow them to operate transparently with Switch 20.
Figure 10.23 802.1W Bridges with an 802.1D Bridge (Switch 10, 802.1W; Switch 20, 802.1D; Switch 30, 802.1W)

Once Switch 20 is removed from the LAN, Switch 10 and Switch 30 receive and transmit BPDUs in the STP format to and from each other. This state will continue until the administrator enables the force-migration-check command to force the bridge to send RSTP BPDUs during a migrate time period. If ports on the bridges continue to hear only STP BPDUs after this migrate time period, those ports will return to sending STP BPDUs. However, when the ports receive RST BPDUs during the migrate time period, the ports begin sending RST BPDUs. The migrate time period is non-configurable. It has a value of three seconds.

NOTE: The IEEE standards state that 802.1W bridges need to interoperate with 802.1D bridges. IEEE standards set the path cost of 802.1W bridges to be between 1 and 200,000,000, whereas path costs of 802.1D bridges are set between 1 and 65,535. In order for the two bridge types to be able to interoperate in the same topology, the administrator needs to configure the bridge path cost appropriately. Path costs for either 802.1W bridges or 802.1D bridges need to be changed; in most cases, path costs for 802.1W bridges need to be changed.

Configuring 802.1W Parameters on a Foundry Device

The remaining 802.1W sections explain how to configure the 802.1W protocol in a Foundry device.

NOTE: With RSTP running, enabling static trunk on ports that are members of VLAN 4000 will keep the system busy for 20 to 25 seconds.

Foundry devices are shipped from the factory with 802.1W disabled. Use the following methods to enable or disable 802.1W. You can enable or disable 802.1W at the following levels:
• Port-based VLAN – Affects all ports within the specified port-based VLAN. When you enable or disable 802.1W within a port-based VLAN, the setting overrides the global setting.
Thus, you can enable 802.1W for the ports within a port-based VLAN even when 802.1W is globally disabled, or disable the ports within a port-based VLAN when 802.1W is globally enabled.
• Individual port – Affects only the individual port. However, if you change the 802.1W state of the primary port in a trunk group, the change affects all ports in the trunk group.

Enabling or Disabling 802.1W in a Port-Based VLAN

Use the following procedure to disable or enable 802.1W on a device on which you have configured a port-based VLAN. Changing the 802.1W state in a VLAN affects only that VLAN.

To enable 802.1W for all ports in a port-based VLAN, enter commands such as the following:

FastIron(config)#vlan 10
FastIron(config-vlan-10)#spanning-tree 802-1w

Syntax: [no] spanning-tree 802-1w

Note Regarding Pasting 802.1W Settings into the Running Configuration

If you paste 802.1W settings into the running configuration, and the pasted configuration includes ports that are already up, the ports will initially operate in STP legacy mode before operating in 802.1W RSTP mode. For example, the following pasted configuration will cause ports e 1 and e 2 to temporarily operate in STP legacy mode, because these ports are already up and running.

conf t
vlan 120
tag e 1 to e 2
spanning-tree 802-1w
spanning-tree 802-1w priority 1001
end

To avoid this issue, 802.1W commands/settings that are pasted into the configuration should be in the following order:
1. Ports that are not yet connected
2. 802.1W RSTP settings
3. Ports that are already up

For example:

conf t
vlan 120
untag e 3
spanning-tree 802-1w
spanning-tree 802-1w priority 1001
tag e 1 to 2
end

In the above configuration, untagged port e3 is added to VLAN 120 before the 802.1W RSTP settings, and ports e1 and e2 are added after the 802.1W RSTP settings.
When these commands are pasted into the running configuration, the ports will properly operate in 802.1W RSTP mode.

Enabling or Disabling 802.1W on a Single Spanning Tree

To enable 802.1W for all ports of a single spanning tree, enter a command such as the following:

FastIron(config-vlan-10)#spanning-tree single 802-1w

Syntax: [no] spanning-tree single 802-1w

Disabling or Enabling 802.1W on an Individual Port

The spanning-tree 802-1w or spanning-tree single 802-1w command must be used to initially enable 802.1W on ports. Both commands enable 802.1W on all ports that belong to the VLAN or to the single spanning tree. Once 802.1W is enabled on a port, it can be disabled on individual ports. 802.1W that has been disabled on individual ports can then be enabled as required.

NOTE: If you change the 802.1W state of the primary port in a trunk group, the change affects all ports in that trunk group.

To disable or enable 802.1W on an individual port, enter commands such as the following:

FastIron(config)#interface e 1
FastIron(config-if-e1000-1)#no spanning-tree

Syntax: [no] spanning-tree

Changing 802.1W Bridge Parameters

When you make changes to 802.1W bridge parameters, the changes are applied to individual ports on the bridge. To change 802.1W bridge parameters, use the following methods.

To designate a priority for a bridge, enter a command such as the following:

FastIron(config)#spanning-tree 802-1w priority 10

The command in this example changes the priority on a device on which you have not configured port-based VLANs. The change applies to the default VLAN. If you have configured a port-based VLAN on the device, you can configure the parameters only at the configuration level for individual VLANs.
Enter commands such as the following:

FastIron(config)#vlan 20
FastIron(config-vlan-20)#spanning-tree 802-1w priority 0

To make this change in the default VLAN, enter the following commands:

FastIron(config)#vlan 1
FastIron(config-vlan-1)#spanning-tree 802-1w priority 0

Syntax: spanning-tree 802-1w [forward-delay <value>] | [hello-time <value>] | [max-age <time>] | [force-version <value>] | [priority <value>]

The forward-delay <value> parameter specifies how long a port waits before it forwards an RST BPDU after a topology change. This can be a value from 4 – 30 seconds. The default is 15 seconds.

The hello-time <value> parameter specifies the interval between two hello packets. This parameter can have a value from 1 – 10 seconds. The default is 2 seconds.

The max-age <value> parameter specifies the amount of time the device waits to receive a hello packet before it initiates a topology change. You can specify a value from 6 – 40 seconds. The default is 20 seconds. The value of max-age must be greater than the value of forward-delay to ensure that the downstream bridges do not age out faster than the upstream bridges (those bridges that are closer to the root bridge).

The force-version <value> parameter forces the bridge to send BPDUs in a specific format. You can specify one of the following values:
• 0 – The STP compatibility mode. Only STP (or legacy) BPDUs will be sent.
• 2 – The default. RST BPDUs will be sent unless a legacy bridge is detected. If a legacy bridge is detected, STP BPDUs will be sent instead.
The default is 2.

The priority <value> parameter specifies the priority of the bridge. You can enter a value from 0 – 65535. A lower numerical value means the bridge has a higher priority. Thus, the highest priority is 0. The default is 32768.

You can specify some or all of these parameters on the same command line. If you specify more than one parameter, you must specify them in the order shown above, from left to right.
Changing Port Parameters

The 802.1W port commands can be enabled on individual ports or on multiple ports, such as all ports that belong to a VLAN. The 802.1W port parameters are preconfigured with default values. If the default parameters meet your network requirements, no other action is required. You can change the following 802.1W port parameters using the following method.

FastIron(config)#vlan 10
FastIron(config-vlan-10)#spanning-tree 802-1w ethernet 5 path-cost 15 priority 64

Syntax: spanning-tree 802-1w ethernet [<slotnum>/]<portnum> path-cost <value> | priority <value> | [admin-edge-port] | [admin-pt2pt-mac] | [force-migration-check]

The <portnum> parameter specifies the interface used. If you are configuring a chassis device, specify the slot number as well as the port number (<slotnum>/<portnum>).

The path-cost <value> parameter specifies the cost of the port’s path to the root bridge. 802.1W prefers the path with the lowest cost. You can specify a value from 1 – 20,000,000. Table 10.6 shows the recommended path cost values from the IEEE standards.

Table 10.6: Recommended Path Cost Values of 802.1W

Link Speed                          Recommended (Default) 802.1W Path Cost Value   Recommended 802.1W Path Cost Range
Less than 100 kilobits per second   200,000,000                                    20,000,000 – 200,000,000
1 Megabit per second                20,000,000                                     2,000,000 – 200,000,000
10 Megabits per second              2,000,000                                      200,000 – 200,000,000
100 Megabits per second             200,000                                        20,000 – 200,000,000
1 Gigabit per second                20,000                                         2,000 – 200,000,000
10 Gigabits per second              2,000                                          200 – 20,000
100 Gigabits per second             200                                            20 – 2,000
1 Terabit per second                20                                             2 – 200
10 Terabits per second              2                                              1 – 20

The priority <value> parameter specifies the preference that 802.1W gives to this port relative to other ports for forwarding traffic out of the topology.
• In releases prior to 03.0.00, you can specify a value from 8 – 252, in increments of 4. If you enter a value that is not divisible by four, the software rounds to the nearest value that is. The default is 128. A higher numerical value means a lower priority; thus, the highest priority is 8.
• Starting in software release 03.0.00, you can specify a value from 0 – 240, in increments of 16. If you enter a value that is not divisible by 16, the software returns an error message. The default value is 128. A higher numerical value means a lower priority; thus, the highest priority is 0.

Set the admin-edge-port to enabled or disabled. If set to enabled, then the port becomes an edge port in the domain.

Set the admin-pt2pt-mac to enabled or disabled. If set to enabled, then a port is connected to another port through a point-to-point link. The point-to-point link increases the speed of convergence. This parameter, however, does not auto-detect whether or not the link is a physical point-to-point link.

The force-migration-check parameter forces the specified port to send one RST BPDU. If only STP BPDUs are received in response to the sent RST BPDU, then the port will return to sending STP BPDUs.

EXAMPLE: Suppose you want to enable 802.1W on a system with no active port-based VLANs and change the hello-time from the default value of 2 to 8 seconds. Additionally, suppose you want to change the path cost and priority for port 5 only. To do so, enter the following commands.

FastIron(config)#spanning-tree 802-1w hello-time 8
FastIron(config)#spanning-tree 802-1w ethernet 5 path-cost 15 priority 64
Displaying Information about 802-1W

To display a summary of 802-1W, use the following command:

FastIron#show 802-1w
--- VLAN 1 [ STP Instance owned by VLAN 1 ] ----------------------------
VLAN 1 BPDU cam_index is 2 and the IGC and DMA master Are(HEX) 0 1 2 3

Bridge IEEE 802.1W Parameters:
Bridge            Bridge  Bridge  Bridge  Force    tx
Identifier        MaxAge  Hello   FwdDly  Version  Hold
hex               sec     sec     sec              cnt
800000e080541700  20      2       15      Default  3

RootBridge        RootPath  DesignatedBridge  Root  Max  Fwd  Hel
Identifier        Cost      Identifier        Port  Age  Dly  lo
hex                         hex                     sec  sec  sec
800000e0804c9c00  200000    800000e0804c9c00  1     20   15   2

Port IEEE 802.1W Parameters:
<--- Config Params -->|<-------------- Current state ----------------->
Port  Pri  PortPath  P2P  Edge  Role        State       Designa-  Designated
Num        Cost      Mac  Port                          ted cost  bridge
1     128  200000    F    F     ROOT        FORWARDING  0         800000e0804c9c00
2     128  200000    F    F     DESIGNATED  FORWARDING  200000    800000e080541700
3     128  200000    F    F     DESIGNATED  FORWARDING  200000    800000e080541700
4     128  200000    F    F     BACKUP      DISCARDING  200000    800000e080541700

Syntax: show 802-1w [vlan <vlan-id>]

The vlan <vlan-id> parameter displays 802.1W information for the specified port-based VLAN.

The show 802-1w command displays the information listed in Table 10.7.

Table 10.7: CLI Display of 802.1W Summary

This Field... – Displays...

VLAN ID – The port-based VLAN that owns the STP instance. VLAN 1 is the default VLAN. If you have not configured port-based VLANs on this device, all 802.1W information is for VLAN 1.

Bridge IEEE 802.1W Parameters
Bridge Identifier – The ID of the bridge.
Bridge Max Age – The configured max age for this bridge. The default is 20.
Bridge Hello – The configured hello time for this bridge. The default is 2.
Bridge FwdDly – The configured forward delay time for this bridge. The default is 15.
Force-Version – The configured force version value. One of the following values is displayed:
• 0 – The bridge has been forced to operate in an STP compatibility mode.
• 2 – The bridge has been forced to operate in an 802.1W mode. (This is the default.)
txHoldCnt – The number of BPDUs that can be transmitted per Hello Interval. The default is 3.
Root Bridge Identifier – ID of the root bridge that is associated with this bridge.
Root Path Cost – The cost to reach the root bridge from this bridge. If the bridge is the root bridge, this parameter shows a value of zero.
Designated Bridge Identifier – The bridge from which the root information was received. It can be the root bridge itself, but it could also be another bridge.
Root Port – The port on which the root information was received. This is the port that is connected to the Designated Bridge.
Max Age – The max age is derived from the Root port. An 802.1W-enabled bridge uses this value, along with the hello and message age parameters, to compute the effective age of an RST BPDU. The message age parameter is generated by the Designated port and transmitted in the RST BPDU. RST BPDUs transmitted by a Designated port of the root bridge contain a message age of zero. Effective age is the amount of time the Root port, Alternate port, or Backup port retains the information it received from its peer Designated port. Effective age is reset every time a port receives an RST BPDU from its Designated port. If a Root port does not receive an RST BPDU from its peer Designated port for longer than the effective age, the Root port ages out the existing information and recomputes the topology. If the port is operating in 802.1D compatible mode, max age functionality is the same as in 802.1D (STP).
Fwd Dly – The number of seconds a non-edge Designated port waits until it can apply either of the following transitions, if the RST BPDU it receives does not have an agreed flag:
• Discarding state to learning state
• Learning state to forwarding state
When a non-edge port receives the RST BPDU it goes into forwarding state within 4 seconds or after two hello timers expire on the port. Fwd Dly is also the number of seconds that a Root port waits for an RST BPDU with a proposal flag before it applies the state transitions listed above. If the port is operating in 802.1D compatible mode, forward delay functionality is the same as in 802.1D (STP).
Hello – The hello value derived from the Root port. It is the number of seconds between two Hello packets.

Port IEEE 802.1W Parameters
Port Num – The port number, shown in slot#/port# format.
Pri – The configured priority of the port. The default is 128 or 0x80.
Port Path Cost – The configured path cost on a link connected to this port.
P2P Mac – Indicates whether the point-to-point-mac parameter is configured to be a point-to-point link:
• T – The link is configured as a point-to-point link.
• F – The link is not configured as a point-to-point link. This is the default.
Edge port – Indicates whether the port is configured as an operational Edge port:
• T – The port is configured as an Edge port.
• F – The port is not configured as an Edge port. This is the default.
Role – The current role of the port:
• Root
• Designated
• Alternate
• Backup
• Disabled
Refer to “Bridges and Bridge Port Roles” on page 10-19 for definitions of the roles.
State – The port’s current 802.1W state. A port can have one of the following states:
• Forwarding
• Discarding
• Learning
• Disabled
Refer to “Bridge Port States” on page 10-22 and “Edge Port and NonEdge Port States” on page 10-22.
Designated Cost – The best root path cost that this port received, including the best root path cost that it can transmit.
Designated Bridge – The ID of the bridge that sent the best RST BPDU that was received on this port.

To display detailed information about 802-1W, use the following command:

FastIron#show 802-1w detail
======================================================================
VLAN 1 - MULTIPLE SPANNING TREE (MSTP - IEEE 802.1W) ACTIVE
======================================================================
BridgeId 800000e080541700, forceVersion 2, txHoldCount 3

Port 1 - Role: ROOT - State: FORWARDING
  PathCost 200000, Priority 128, AdminOperEdge F, AdminPt2PtMac F
  DesignatedPriority - Root: 0x800000e0804c9c00, Bridge: 0x800000e080541700
  ActiveTimers - rrWhile 4 rcvdInfoWhile 4
  MachineStates - PIM: CURRENT, PRT: ROOT_PORT, PST: FORWARDING
                  TCM: ACTIVE, PPM: SENDING_STP, PTX: TRANSMIT_IDLE
  Received - RST BPDUs 0, Config BPDUs 1017, TCN BPDUs 0

Port 2 - Role: DESIGNATED - State: FORWARDING
  PathCost 200000, Priority 128, AdminOperEdge F, AdminPt2PtMac F
  DesignatedPriority - Root: 0x800000e0804c9c00, Bridge: 0x800000e080541700
  ActiveTimers - helloWhen 0
  MachineStates - PIM: CURRENT, PRT: DESIGNATED_PORT, PST: FORWARDING
                  TCM: ACTIVE, PPM: SENDING_RSTP, PTX: TRANSMIT_IDLE
  Received - RST BPDUs 0, Config BPDUs 0, TCN BPDUs 0

Syntax: show 802-1w detail [vlan <vlan-id>]

The vlan <vlan-id> parameter displays 802.1W information for the specified port-based VLAN.

The show 802-1w detail command displays the information listed in Table 10.8.

Table 10.8: CLI Display of show spanning-tree 802.1W

This Field... – Displays...

VLAN ID – ID of the VLAN that owns the instance of 802.1W and whether or not it is active.
Bridge ID – ID of the bridge.
forceVersion – The configured version of the bridge:
• 0 – The bridge has been forced to operate in an STP compatible mode.
• 2 – The bridge has been forced to operate in an 802.1W mode.
txHoldCount – The number of BPDUs that can be transmitted per Hello Interval. The default is 3.
Port – ID of the port in slot#/port# format.
Role – The current role of the port:
• Root
• Designated
• Alternate
• Backup
• Disabled
Refer to “Bridges and Bridge Port Roles” on page 10-19 for definitions of the roles.
State – The port’s current 802.1W state. A port can have one of the following states:
• Forwarding
• Discarding
• Learning
• Disabled
Refer to “Bridge Port States” on page 10-22 and “Edge Port and NonEdge Port States” on page 10-22.
Path Cost – The configured path cost on a link connected to this port.
Priority – The configured priority of the port. The default is 128 or 0x80.
AdminOperEdge – Indicates whether the port is an operational Edge port. Edge ports may either be auto-detected or configured (forced) to be Edge ports using the CLI:
• T – The port is an Edge port.
• F – The port is not an Edge port. This is the default.
AdminP2PMac – Indicates whether the point-to-point-mac parameter is configured to be a point-to-point link:
• T – The link is a point-to-point link.
• F – The link is not a point-to-point link. This is the default.
DesignatedPriority – Shows the following:
• Root – Shows the ID of the root bridge for this bridge.
• Bridge – Shows the ID of the Designated bridge that is associated with this port.
ActiveTimers – Shows which timers are currently active on this port and the number of seconds they have before they expire:
• rrWhile – Recent root timer. A non-zero value means that the port has recently been a Root port.
• rcvdInfoWhile – Received information timer. Shows the time remaining before the information held by this port expires (ages out). This timer is initialized with the effective age parameter. (See “Max Age” on page 10-49.)
• rbWhile – Recent backup timer. A non-zero value means that the port has recently been a Backup port.
• helloWhen – Hello period timer. The value shown is the amount of time between hello messages.
• tcWhile – Topology change timer. The value shown is the interval during which topology change notices can be propagated on this port.
• fdWhile – Forward delay timer.
• mdelayWhile – Migration delay timer. The amount of time that a bridge on the same LAN has to synchronize its migration state with this port before another BPDU type can cause this port to change the BPDU that it transmits.
Machine States – The current states of the various state machines on the port:
• PIM – State of the Port Information state machine.
• PRT – State of the Port Role Transition state machine.
• PST – State of the Port State Transition state machine.
• TCM – State of the Topology Change state machine.
• PPM – State of the Port Protocol Migration state machine.
• PTX – State of the Port Transmit state machine.
Refer to the section “State Machines” on page 10-23 for details on state machines.
Received – Shows the number of each BPDU type the port has received:
• RST BPDU – BPDU in 802.1W format.
• Config BPDU – Legacy configuration BPDU (802.1D format).
• TCN BPDU – Legacy topology change BPDU (802.1D format).

802.1W Draft 3

As an alternative to full 802.1W, you can configure 802.1W Draft 3. 802.1W Draft 3 provides a subset of the RSTP capabilities described in the 802.1W STP specification. 802.1W Draft 3 support is disabled by default. When the feature is enabled, if a root port on a Foundry device that is not the root bridge becomes unavailable, the device can automatically switch over to an alternate root port, without reconvergence delays.
802.1W Draft 3 does not apply to the root bridge, since all the root bridge’s ports are always in the forwarding state.

Figure 10.24 shows an example of an optimal STP topology. In this topology, all the non-root bridges have at least two paths to the root bridge (Switch 1 in this example). One of the paths is through the root port. The other path is a backup and is through the alternate port. While the root port is in the forwarding state, the alternate port is in the blocking state.

Figure 10.24 802.1W Draft 3 RSTP Ready for Failover
[Figure: arrows show the path to the root bridge. Switch 1 is the root bridge (bridge priority 2) with ports 1/2, 1/3 and 1/4 forwarding. Switch 2 (bridge priority 4): root port 2/2, alternate ports 2/3 and 2/4; ports 2/2, 2/3 and 2/4 forwarding. Switch 3 (bridge priority 6): root port 3/3 forwarding, alternate port 3/4 blocking. Switch 4 (bridge priority 8): root port 4/4 forwarding, alternate port 4/3 blocking.]

If the root port on a switch becomes unavailable, 802.1W Draft 3 immediately fails over to the alternate port, as shown in Figure 10.25.

Figure 10.25 802.1W Draft 3 RSTP Failover to Alternate Root Port
[Figure: the same topology after port 3/3 on Switch 3 becomes unavailable and port 1/3 on Switch 1 is disabled. Switch 3 (bridge priority 6) now has root port 3/4, forwarding. Switch 2 (bridge priority 4) keeps root port 2/2 and alternate ports 2/3 and 2/4, all forwarding. Switch 4 (bridge priority 8) keeps root port 4/4 forwarding and alternate port 4/3 blocking.]

In this example, port 3/3 on Switch 3 has become unavailable. In standard STP (802.1D), if the root port becomes unavailable, the switch must go through the listening and learning stages on the alternate port to reconverge with the spanning tree. Thus, port 3/4 must go through the listening and learning states before entering the forwarding state and reconverging with the spanning tree.

802.1W Draft 3 avoids the reconvergence delay by calculating an alternate root port, and immediately failing over to the alternate port if the root port becomes unavailable. The alternate port is in the blocking state as long as the root port is in the forwarding state, but moves immediately to the forwarding state if the root port becomes unavailable. Thus, using 802.1W Draft 3, Switch 3 immediately fails over to port 3/4, without the delays caused by the listening and learning states.

802.1W Draft 3 selects the port with the next-best cost to the root bridge. For example, on Switch 3, port 3/3 has the best cost to the root bridge and thus is selected by STP as the root port. Port 3/4 has the next-best cost to the root bridge, and thus is selected by 802.1W Draft 3 as the alternate path to the root bridge.

Once a failover occurs, the switch no longer has an alternate root port. If the port that was an alternate port but became the root port fails, standard STP is used to reconverge with the network. You can minimize the reconvergence delay in this case by setting the forwarding delay on the root bridge to a lower value. For example, if the forwarding delay is set to 15 seconds (the default), change the forwarding delay to a value from 3 – 10 seconds.

During failover, 802.1W Draft 3 flushes the MAC addresses learned on the unavailable root port, selects the alternate port as the new root port, and places that port in the forwarding state. If traffic is flowing in both directions on the new root port, addresses are flushed (moved) in the rest of the spanning tree automatically.

Reconvergence Time

Spanning tree reconvergence using 802.1W Draft 3 can occur within one second.

After the spanning tree reconverges following the topology change, traffic also must reconverge on all the bridges attached to the spanning tree. This is true regardless of whether 802.1W Draft 3 or standard STP is used to reconverge the spanning tree. Traffic reconvergence happens after the spanning tree reconvergence, and is achieved by flushing the Layer 2 information on the bridges.
• Following 802.1W Draft 3 reconvergence of the spanning tree, traffic reconvergence occurs in the time it takes for the bridge to detect the link changes plus the STP maximum age set on the bridge.
• If standard STP reconvergence occurs instead, traffic reconvergence takes two times the forward delay plus the maximum age.

NOTE: 802.1W Draft 3 does not apply when a failed root port comes back up. When this happens, standard STP is used.

Configuration Considerations

802.1W Draft 3 is disabled by default. To ensure optimal performance of the feature before you enable it:
• Configure the bridge priorities so that the root bridge is one that supports 802.1W Draft 3. (Use a Foundry device or third-party device that supports 802.1W Draft 3.)
• Change the forwarding delay on the root bridge to a value lower than the default 15 seconds. Foundry recommends a value from 3 – 10 seconds. The lower forwarding delay helps reduce reconvergence delays in cases where 802.1W Draft 3 is not applicable, such as when a failed root port comes back up. Keep in mind that the forward delay bounds how long a port spends in the listening and learning states; a value too small for the diameter of the network risks a transient loop while topology information is still propagating, so verify the topology before reducing it.
• Configure the bridge priorities and root port costs so that each device has an active path to the root bridge if its root port becomes unavailable. For example, in Figure 10.24, port 3/4 on Switch 3 is connected to port 2/4 on Switch 2, which has the second most favorable bridge priority in the spanning tree.
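The third consideration above (every non-root device keeps a ready path to the root if its root port fails) and the identity of the root bridge can both be read from the `show 802-1w` summary documented earlier on this page. As an added example, not code from the Foundry guide, the Python below parses summaries captured from several bridges and reports a root bridge identifier other than the expected one (a misconfigured or rogue bridge claiming root), a non-root bridge with no ALTERNATE port, and an admin edge port that holds a non-designated role (which means another bridge, not an end station, is attached to it). The sample output is constructed in the documented layout; the bridge identifiers, the expected root, and the `render_summary`, `parse_summary` and `audit` helpers are assumptions of this example.

```python
"""Audit `show 802-1w` summaries from several bridges.

Added example; this is not code from the Foundry guide. It parses the summary
layout documented on this page and reports (1) a root bridge identifier other
than the one expected, (2) a non-root bridge with no ALTERNATE port, i.e. no
ready path if its root port fails, and (3) an admin edge port that holds a
non-designated role, meaning another bridge is attached to it. The sample
output, bridge identifiers and the expected root are constructed assumptions.
"""
import re

HEX16 = r"[0-9a-f]{16}"
# Data rows of the three blocks in the summary, matched by shape (token count).
BRIDGE_ROW = re.compile(rf"^({HEX16})\s+\d+\s+\d+\s+\d+\s+\S+\s+\d+\s*$", re.M)
ROOT_ROW = re.compile(rf"^({HEX16})\s+(\d+)\s+{HEX16}\s+(\S+)\s+\d+\s+\d+\s+\d+\s*$", re.M)
PORT_ROW = re.compile(rf"^(\S+)\s+(\d+)\s+(\d+)\s+([TF])\s+([TF])\s+([A-Z]+)\s+([A-Z]+)"
                      rf"\s+(\d+)\s+({HEX16})\s*$", re.M)


def split_bridge_id(bridge_id):
    """A bridge identifier is a 16-bit priority followed by the bridge MAC."""
    return int(bridge_id[:4], 16), ":".join(bridge_id[i:i + 2] for i in range(4, 16, 2))


def parse_summary(text):
    bridge, root = BRIDGE_ROW.search(text), ROOT_ROW.search(text)
    if not bridge or not root:
        raise ValueError("not a show 802-1w summary")
    ports = [dict(port=m[1], pri=int(m[2]), cost=int(m[3]), p2p=m[4] == "T",
                  edge=m[5] == "T", role=m[6], state=m[7], des_cost=int(m[8]),
                  des_bridge=m[9]) for m in PORT_ROW.finditer(text)]
    return dict(bridge_id=bridge[1], root_id=root[1], root_path_cost=int(root[2]),
                root_port=root[3], ports=ports)


def audit(summaries, expected_root):
    """Return (bridge_id, finding) pairs; an empty list means all checks passed."""
    findings = []
    for text in summaries:
        s = parse_summary(text)
        me, roles = s["bridge_id"], [p["role"] for p in s["ports"]]
        if s["root_id"] != expected_root:
            pri, mac = split_bridge_id(s["root_id"])
            findings.append((me, f"root is {s['root_id']} (priority {pri}, MAC {mac}), "
                                 f"expected {expected_root}"))
        if me != s["root_id"]:
            if roles.count("ROOT") != 1:
                findings.append((me, "non-root bridge without exactly one ROOT port"))
            if "ALTERNATE" not in roles:
                findings.append((me, "no ALTERNATE port: no ready path if the root port fails"))
        for p in s["ports"]:
            if p["edge"] and p["role"] != "DESIGNATED":
                findings.append((me, f"port {p['port']} is an admin edge port but holds role "
                                     f"{p['role']}: another bridge is attached to it"))
    return findings


def render_summary(bridge_id, root_id, root_cost, root_port, ports):
    """Constructed sample in the layout of the documented show 802-1w summary."""
    lines = [
        "Bridge IEEE 802.1W Parameters:",
        "Bridge            Bridge  Bridge  Bridge  Force    tx",
        "Identifier        MaxAge  Hello   FwdDly  Version  Hold",
        "hex               sec     sec     sec              cnt",
        f"{bridge_id}  20      2       15      Default  3",
        "",
        "RootBridge        RootPath  DesignatedBridge  Root  Max  Fwd  Hel",
        "Identifier        Cost      Identifier        Port  Age  Dly  lo",
        "hex                         hex                     sec  sec  sec",
        f"{root_id}  {root_cost:<8}  {root_id}  {root_port:<4}  20   15   2",
        "",
        "Port IEEE 802.1W Parameters:",
        "Port  Pri  PortPath  P2P  Edge  Role        State       Designa-  Designated",
        "Num        Cost      Mac  Port                          ted cost  bridge",
    ]
    for port, p2p, edge, role, state, des_cost, des_bridge in ports:
        lines.append(f"{port:<5} 128  200000    {p2p}    {edge}     {role:<11} "
                     f"{state:<11} {des_cost:<9} {des_bridge}")
    return "\n".join(lines)


EXPECTED_ROOT = "800000e0804c9c00"  # the root bridge in the page's sample display
HEALTHY = render_summary("800000e080541700", EXPECTED_ROOT, 200000, "1", [
    ("1", "F", "F", "ROOT", "FORWARDING", 0, EXPECTED_ROOT),
    ("2", "F", "F", "DESIGNATED", "FORWARDING", 200000, "800000e080541700"),
    ("3", "F", "F", "ALTERNATE", "DISCARDING", 200000, "800000e080541800"),
])
NO_ALTERNATE = render_summary("800000e080541800", EXPECTED_ROOT, 200000, "1", [
    ("1", "F", "F", "ROOT", "FORWARDING", 0, EXPECTED_ROOT),
    ("2", "F", "T", "DESIGNATED", "FORWARDING", 200000, "800000e080541800"),
])
# A device on an edge port announcing itself as root with bridge priority 0.
ROGUE_ROOT = render_summary("800000e080541900", "000000e0aabbccdd", 20000, "3/1", [
    ("3/1", "T", "T", "ROOT", "FORWARDING", 0, "000000e0aabbccdd"),
    ("3/2", "F", "F", "ALTERNATE", "DISCARDING", 200000, EXPECTED_ROOT),
])

if __name__ == "__main__":
    for bridge, finding in audit([HEALTHY, NO_ALTERNATE, ROGUE_ROOT], EXPECTED_ROOT):
        print(f"{bridge}: {finding}")
```

The rows are matched by their shape rather than by column position, so the parser tolerates the variable spacing a terminal capture produces; the priority decoded from the first four hex digits of the identifier (0x8000, or 32768, for the page's sample bridges, 0 for the constructed rogue) is what tells you whether the unexpected root won by configuration or by a deliberately minimal priority.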
NOTE: If reconvergence involves changing the state of a root port on a bridge that supports 802.1D STP but not 802.1W Draft 3, then reconvergence still requires the amount of time it takes for the ports on the 802.1D bridge to change state to forwarding (as needed), and receive BPDUs from the root bridge for the new topology.

Enabling 802.1W Draft 3

802.1W Draft 3 is disabled by default. The procedure for enabling the feature differs depending on whether single STP is enabled on the device.

NOTE: STP must be enabled before you can enable 802.1W Draft 3.

Enabling 802.1W Draft 3 When Single STP Is Not Enabled

By default, each port-based VLAN on the device has its own spanning tree. To enable 802.1W Draft 3 in a port-based VLAN, enter commands such as the following:

FastIron(config)#vlan 10
FastIron(config-vlan-10)#spanning-tree rstp

Syntax: [no] spanning-tree rstp

This command enables 802.1W Draft 3. You must enter the command separately in each port-based VLAN in which you want to run 802.1W Draft 3.

NOTE: This command does not also enable STP. To enable STP, first enter the spanning-tree command without the rstp parameter. After you enable STP, enter the spanning-tree rstp command to enable 802.1W Draft 3.

To disable 802.1W Draft 3, enter the following command:

FastIron(config-vlan-10)#no spanning-tree rstp

Enabling 802.1W Draft 3 When Single STP Is Enabled

To enable 802.1W Draft 3 on a device that is running single STP, enter the following command at the global CONFIG level of the CLI:

FastIron(config)#spanning-tree single rstp

Syntax: [no] spanning-tree single rstp

This command enables 802.1W Draft 3 on the whole device.

NOTE: This command does not also enable single STP. To enable single STP, first enter the spanning-tree single command without the rstp parameter. After you enable single STP, enter the spanning-tree single rstp command to enable 802.1W Draft 3.

To disable 802.1W Draft 3 on a device that is running single STP, enter the following command:

FastIron(config)#no spanning-tree single rstp

Single Spanning Tree (SSTP)

By default, each port-based VLAN on a Foundry device runs a separate spanning tree, which you can enable or disable on an individual VLAN basis. Alternatively, you can configure a Foundry device to run a single spanning tree across all ports and VLANs on the device. The Single STP feature (SSTP) is especially useful for connecting a Foundry device to third-party devices that run a single spanning tree in accordance with the 802.1Q specification.

SSTP uses the same parameters, with the same value ranges and defaults, as the default STP support on Foundry devices. See “STP Parameters and Defaults” on page 10-2.

SSTP Defaults

SSTP is disabled by default. When you enable the feature, all VLANs on which STP is enabled become members of a single spanning tree. All VLANs on which STP is disabled are excluded from the single spanning tree.
• To add a VLAN to the single spanning tree, enable STP on that VLAN.
• To remove a VLAN from the single spanning tree, disable STP on that VLAN.

When you enable SSTP, all the ports that are in port-based VLANs with STP enabled become members of a single spanning tree domain. Thus, the ports share a single BPDU broadcast domain. The Foundry device places all the ports in a non-configurable VLAN, 4094, to implement the SSTP domain. However, this VLAN does not affect port membership in the port-based VLANs you have configured. Other broadcast traffic is still contained within the individual port-based VLANs. Therefore, you can use SSTP while still using your existing VLAN configurations without changing your network. In addition, SSTP does not affect 802.1Q tagging. Tagged and untagged ports alike can be members of the single spanning tree domain.
NOTE: When SSTP is enabled, the BPDUs on tagged ports go out untagged.

If you disable SSTP, all VLANs that were members of the single spanning tree run MSTP instead. In MSTP, each VLAN has its own spanning tree. VLANs that were not members of the single spanning tree were not enabled for STP. Therefore, STP remains disabled on those VLANs.

Enabling SSTP

To enable SSTP, use the following method.

NOTE: If the device has only one port-based VLAN (the default VLAN), then the device is already running a single instance of STP. In this case, you do not need to enable SSTP. You need to enable SSTP only if the device contains more than one port-based VLAN and you want all the ports to be in the same STP broadcast domain.

To configure the Foundry device to run a single spanning tree, enter the following command at the global CONFIG level:

FastIron(config)#spanning-tree single

NOTE: If the device has only one port-based VLAN, the CLI command for enabling SSTP is not listed in the CLI. The command is listed only if you have configured a port-based VLAN.

To change a global STP parameter, enter a command such as the following at the global CONFIG level:

FastIron(config)#spanning-tree single priority 2

This command changes the STP bridge priority for the single spanning tree to 2; the setting applies to all ports in the SSTP domain.

To change an STP parameter for a specific port, enter commands such as the following:

FastIron(config)#spanning-tree single ethernet 1 priority 10

The command shown above overrides the global setting for STP priority and sets the priority to 10 for port 1.

Here is the syntax for the global STP parameters.

Syntax: [no] spanning-tree single [forward-delay <value>] | [hello-time <value>] | [maximum-age <time>] | [priority <value>]

Here is the syntax for the STP port parameters.

Syntax: [no] spanning-tree single [ethernet [<slotnum>/]<portnum> path-cost <value> | priority <value>]

NOTE: Both commands listed above are entered at the global CONFIG level.

Displaying SSTP Information

To verify that SSTP is in effect, enter the following command at any level of the CLI:

FastIron#show span

Syntax: show span [vlan <vlan-id>] | [pvst-mode] | [<num>] | [detail [vlan <vlan-id> [ethernet [<slotnum>/]<portnum>] | <num>]]

The vlan <vlan-id> parameter displays STP information for the specified port-based VLAN.

The pvst-mode parameter displays STP information for the device’s Per VLAN Spanning Tree (PVST+) compatibility configuration. See “PVST/PVST+ Compatibility” on page 10-62.

The <num> parameter displays only the entries after the number you specify. For example, on a device with three port-based VLANs, if you enter 1, then information for the second and third VLANs is displayed, but information for the first VLAN is not displayed. Information is displayed according to VLAN number, in ascending order. The entry number is not the same as the VLAN number. For example, if you have port-based VLANs 1, 10, and 2024, then the command output has three STP entries. To display information for VLANs 10 and 2024 only, enter show span 1.

The detail parameter and its additional optional parameters display detailed information for individual ports. See “Displaying Detailed STP Information for Each Interface” on page 10-12.

STP per VLAN Group

STP per VLAN group is an STP enhancement that provides scalability while overcoming the limitations of the following scalability alternatives:
• Standard STP – You can configure up to 254 instances of standard STP on a Foundry FastIron X Series device. It is possible to need more instances of STP than this in large configurations. Using STP per VLAN group, you can aggregate STP instances.
• Single STP – Single STP allows all the VLANs to run STP, but each VLAN runs the same instance of STP, resulting in numerous blocked ports that do not pass any Layer 2 traffic.

STP per VLAN group uses all available links by load balancing traffic for different instances of STP on different ports. A port that blocks traffic for one spanning tree forwards traffic for another spanning tree. STP per VLAN group allows you to group VLANs and apply the same STP parameter settings to all the VLANs in the group. Figure 10.26 shows an example of an STP per VLAN group implementation.

Figure 10.26 STP per VLAN Group Example
[Figure: one Foundry device. STP group 1 has master VLAN 2 with member VLANs 3 and 4 and STP priority 1. STP group 2 has master VLAN 12 with member VLANs 13 and 14 and STP priority 2.]

A master VLAN contains one or more member VLANs. Each of the member VLANs in the STP group runs the same instance of STP and uses the STP parameters configured for the master VLAN. In this example, the Foundry device is configured with VLANs 3, 4, 13, and 14. VLANs 3 and 4 are grouped in master VLAN 2, which is in STP group 1. VLANs 13 and 14 are grouped in master VLAN 12, which is in STP group 2. The VLANs in STP group 1 all share the same spanning tree. The VLANs in STP group 2 share a different spanning tree.

All the ports are tagged. The ports must be tagged so that they can be in both a member VLAN and the member’s master VLAN. For example, ports 1/1 – 1/4 are in member VLAN 3 and also in master VLAN 2 (since master VLAN 2 contains member VLAN 3).

STP Load Balancing

Notice that the STP groups each have different STP priorities. In configurations that use the STP groups on multiple devices, you can use the STP priorities to load balance the STP traffic. By setting the STP priorities for the same STP group to different values on each device, you can cause each of the devices to be the root bridge for a different STP group. This type of configuration distributes the traffic evenly across the devices and also ensures that ports that are blocked in one STP group’s spanning tree are used by another STP group’s spanning tree for forwarding. See “Configuration Example for STP Load Sharing” on page 10-60 for an example using STP load sharing.

Configuring STP per VLAN Group

To configure STP per VLAN group:
• Configure the member VLANs.
• Optionally, configure master VLANs to contain the member VLANs. This is useful when you have a lot of member VLANs and you do not want to individually configure STP on each one. Each of the member VLANs in the STP group uses the STP settings of the master VLAN.
• Configure the STP groups. Each STP group runs a separate instance of STP.

Here are the CLI commands for implementing the STP per VLAN group configuration shown in Figure 10.26. The following commands configure the member VLANs (3, 4, 13, and 14) and the master VLANs (2 and 12). Notice that changes to STP parameters are made in the master VLANs only, not in the member VLANs.

FastIron(config)#vlan 2
FastIron(config-vlan-2)#spanning-tree priority 1
FastIron(config-vlan-2)#tagged ethernet 1/1 to 1/4
FastIron(config-vlan-2)#vlan 3
FastIron(config-vlan-3)#tagged ethernet 1/1 to 1/4
FastIron(config-vlan-3)#vlan 4
FastIron(config-vlan-4)#tagged ethernet 1/1 to 1/4
FastIron(config-vlan-4)#vlan 12
FastIron(config-vlan-12)#spanning-tree priority 2
FastIron(config-vlan-12)#tagged ethernet 1/1 to 1/4
FastIron(config-vlan-12)#vlan 13
FastIron(config-vlan-13)#tagged ethernet 1/1 to 1/4
FastIron(config-vlan-13)#vlan 14
FastIron(config-vlan-14)#tagged ethernet 1/1 to 1/4
FastIron(config-vlan-14)#exit

The following commands configure the STP groups.

FastIron(config)#stp-group 1
FastIron(config-stp-group-1)#master-vlan 2
FastIron(config-stp-group-1)#member-vlan 3 to 4
FastIron(config-stp-group-1)#exit
FastIron(config)#stp-group 2
FastIron(config-stp-group-2)#master-vlan 12
FastIron(config-stp-group-2)#member-vlan 13 to 14

Syntax: [no] stp-group <num>

This command changes the CLI to the STP group configuration level. The following commands are valid at this level. The <num> parameter specifies the STP group ID and can be from 1 – 32.

Syntax: [no] master-vlan <num>

This command adds a master VLAN to the STP group. The master VLAN contains the STP settings for all the VLANs in the STP per VLAN group. The <num> parameter specifies the VLAN ID. An STP group can contain one master VLAN.

NOTE: If you delete the master VLAN from an STP group, the software automatically assigns the first member VLAN in the group to be the new master VLAN for the group.

Syntax: [no] member-vlan <num> [to <num>]

This command adds additional VLANs to the STP group. These VLANs also inherit the STP settings of the master VLAN in the group.

Syntax: [no] member-group <num>

This command adds a member group (a VLAN group) to the STP group. All the VLANs in the member group inherit the STP settings of the master VLAN in the group. The <num> parameter specifies the VLAN group ID.

NOTE: This command is optional and is not used in the example above. For an example of this command, see “Configuration Example for STP Load Sharing”.

Configuration Example for STP Load Sharing

Figure 10.27 shows another example of an STP per VLAN group implementation.
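The load-sharing configuration that follows sets a different bridge priority for each master VLAN on every core device, which is tedious and error-prone to do by hand for dozens of groups. As an added example, not code from the Foundry guide, the Python below generates the vlan / vlan-group / stp-group command sequence described above for each device in a core, rotating which device holds the best (lowest) priority so that every STP group has a different default root bridge. It also rejects plans that break the rules stated on this page: an stp-group ID outside 1 – 32, a master VLAN that sits inside its own member VLAN group, a VLAN claimed by two groups, or use of VLAN 4094, which the device reserves for SSTP. The plan, the port list, reusing the vlan-group ID as the stp-group ID, and the rule "group g is rooted on device (g - 1) mod n" are assumptions of this example.

```python
"""Generate STP per VLAN group configuration for several core devices.

Added example; this is not code from the Foundry guide. It emits the
vlan / vlan-group / stp-group command sequence documented on this page for each
device, giving every STP group a different device as its default root bridge
(bridge priority 1 on that device, 2, 3, ... on the others). The plan, the port
list and the rule "STP group g is rooted on device (g - 1) mod n" are
assumptions; the validation rules come from the page (stp-group 1 - 32, master
VLAN outside the member VLAN group, VLAN 4094 reserved for SSTP).
"""

STP_GROUP_MAX = 32


def validate_plan(plan):
    """plan: list of (stp_group, master_vlan, (first_member, last_member))."""
    groups, used = set(), set()
    for group, master, (lo, hi) in plan:
        if not 1 <= group <= STP_GROUP_MAX:
            raise ValueError(f"stp-group {group}: must be 1-{STP_GROUP_MAX}")
        if group in groups:
            raise ValueError(f"stp-group {group} listed twice")
        if lo <= master <= hi:
            raise ValueError(f"master VLAN {master} lies inside member range {lo}-{hi}")
        vlans = {master, *range(lo, hi + 1)}
        for v in vlans:
            if not 1 <= v <= 4095 or v == 4094:
                raise ValueError(f"VLAN {v} is not configurable (4094 is reserved for SSTP)")
        if vlans & used:
            raise ValueError(f"VLANs {sorted(vlans & used)[:5]} appear in two STP groups")
        groups.add(group)
        used |= vlans
    return True


def root_device(group, device_count):
    """Index of the device that should be the default root for this STP group."""
    return (group - 1) % device_count


def device_config(device_index, device_count, plan, ports):
    """CLI lines for one device; the vlan-group ID is reused as the STP group ID."""
    validate_plan(plan)
    lines = []
    for group, master, _ in plan:                     # master VLANs carry the STP settings
        distance = (root_device(group, device_count) - device_index) % device_count
        lines += [f"vlan {master}",
                  f" spanning-tree priority {distance + 1}",
                  f" tagged ethernet {ports}"]
    for group, _, (lo, hi) in plan:                   # member VLANs: no STP settings here
        lines += [f"vlan-group {group} vlan {lo} to {hi}",
                  f" tagged ethernet {ports}"]
    for group, master, _ in plan:                     # bind each master to its member group
        lines += [f"stp-group {group}",
                  f" master-vlan {master}",
                  f" member-group {group}"]
    return lines


if __name__ == "__main__":
    # Constructed plan modelled on Figure 10.27: three groups across three core devices.
    PLAN = [(1, 1, (2, 200)), (2, 201, (202, 400)), (3, 401, (402, 600))]
    for dev in range(3):
        print(f"! device {dev}")
        print("\n".join(device_config(dev, 3, PLAN, "1/1 ethernet 5/1 to 5/3")))
```

On device 0 the master VLANs receive priorities 1, 2, 3; on device 1 they receive 3, 1, 2; on device 2 they receive 2, 3, 1, so each group has exactly one device at priority 1 and the others at distinct, higher values, which is the property the load-sharing example relies on.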
December 2008 Configuring Spanning Tree Protocol (STP) Related Features Figure 10.27 More Complex STP per VLAN Group Example Member VLANs 2 - 200 Member VLANs 202 - 400 Member VLANs 402 - 600 Root bridge for master VLAN 1 FWD 1 BLK 1 5/1 Root bridge for master VLAN 201 FWD 1 FWD 1 5/3 5/2 Member VLANs 3802 - 4000 BLK 1 Root bridge for master VLAN 401 Root bridge for master VLAN 3801 In this example, each of the devices in the core is configured with a common set of master VLANs, each of which contains one or more member VLANs. Each of the member VLANs in an STP group runs the same instance of STP and uses the STP parameters configured for the master VLAN. The STP group ID identifies the STP instance. All VLANs within an STP group run the same instance of STP. The master VLAN specifies the bridge STP parameters for the STP group, including the bridge priority. In this example, each of the devices in the core is configured to be the default root bridge for a different master VLAN. This configuration ensures that each link can be used for forwarding some traffic. For example, all the ports on the root bridge for master VLAN 1 are configured to forward BPDUs for master VLAN’s spanning tree. Ports on the other devices block or forward VLAN 1’s traffic based on STP convergence. All the ports on the root bridge for VLAN 2 forward VLAN 2’s traffic, and so on. All the portss are tagged. The ports must be tagged so that they can be in both a member VLAN and the member's master VLAN. For example, port 1/1 – and ports 5/1, 5/2, and 5/3 are in member VLAN 2 and master VLAN 1 (since master VLAN a contains member VLAN 2). Here are the commands for configuring the root bridge for master VLAN 1 in figure Figure 10.26 for STP per VLAN group. The first group of commands configures the master VLANs. Notice that the STP priority is set to a different value for each VLAN. In addition, the same VLAN has a different STP priority on each device. 
This provides load balancing by making each of the devices a root bridge for a different spanning tree.

FastIron(config)#vlan 1
FastIron(config-vlan-1)#spanning-tree priority 1
FastIron(config-vlan-1)#tag ethernet 1/1 ethernet 5/1 to 5/3
FastIron(config-vlan-1)#vlan 201
FastIron(config-vlan-201)#spanning-tree priority 2
FastIron(config-vlan-201)#tag ethernet 1/2 ethernet 5/1 to 5/3
FastIron(config-vlan-201)#vlan 401
FastIron(config-vlan-401)#spanning-tree priority 3
FastIron(config-vlan-401)#tag ethernet 1/3 ethernet 5/1 to 5/3
...
FastIron(config-vlan-3601)#vlan 3801
FastIron(config-vlan-3801)#spanning-tree priority 20
FastIron(config-vlan-3801)#tag ethernet 1/20 ethernet 5/1 to 5/3
FastIron(config-vlan-3801)#exit

The next group of commands configures VLAN groups for the member VLANs. Notice that the VLAN groups do not contain the VLAN numbers assigned to the master VLANs. Also notice that no STP parameters are configured for the groups of member VLANs. Each group of member VLANs will inherit its STP settings from its master VLAN.

Set the bridge priority for each master VLAN to the highest priority (1) on one of the devices in the STP per VLAN group configuration. By setting the bridge priority to the highest priority, you make the device the default root bridge for the spanning tree. To ensure STP load balancing, make each of the devices the default root bridge for a different master VLAN.

FastIron(config)#vlan-group 1 vlan 2 to 200
FastIron(config-vlan-group-1)#tag ethernet 1/1 ethernet 5/1 to 5/3
FastIron(config-vlan-group-1)#vlan-group 2 vlan 202 to 400
FastIron(config-vlan-group-2)#tag ethernet 1/2 ethernet 5/1 to 5/3
FastIron(config-vlan-group-2)#vlan-group 3 vlan 402 to 600
FastIron(config-vlan-group-3)#tag ethernet 1/3 ethernet 5/1 to 5/3
...
FastIron(config-vlan-group-19)#vlan-group 20 vlan 3082 to 4000
FastIron(config-vlan-group-20)#tag ethernet 1/20 ethernet 5/1 to 5/3
FastIron(config-vlan-group-20)#exit

The following group of commands configures the STP groups. Each STP group in this configuration contains one master VLAN, which contains a VLAN group. This example shows that an STP group also can contain additional VLANs (VLANs not configured in a VLAN group).

FastIron(config)#stp-group 1
FastIron(config-stp-group-1)#master-vlan 1
FastIron(config-stp-group-1)#member-group 1
FastIron(config-stp-group-1)#member-vlan 4001 4004 to 4010
FastIron(config-stp-group-1)#stp-group 2
FastIron(config-stp-group-2)#master-vlan 201
FastIron(config-stp-group-2)#member-group 2
FastIron(config-stp-group-2)#member-vlan 4002 4003 4011 to 4015
FastIron(config-stp-group-2)#stp-group 3
FastIron(config-stp-group-3)#master-vlan 401
FastIron(config-stp-group-3)#member-group 3
...
FastIron(config-stp-group-19)#stp-group 20
FastIron(config-stp-group-20)#master-vlan 3081
FastIron(config-stp-group-20)#member-group 20

PVST/PVST+ Compatibility

The FastIron family of switches supports Cisco's Per VLAN Spanning Tree plus (PVST+) by allowing the device to run multiple spanning trees (MSTP) while also interoperating with IEEE 802.1Q devices [1].

NOTE: Foundry ports automatically detect PVST+ BPDUs and enable support for the BPDUs once detected. You do not need to perform any configuration steps to enable PVST+ support. However, to support the IEEE 802.1Q BPDUs, you might need to enable dual-mode support.
The enhancement allows a port that is in PVST+ compatibility mode due to auto-detection to revert to the default MSTP mode when one of the following events occurs:

• The link is disconnected or broken
• The link is administratively disabled
• The link is disabled by interaction with the link-keepalive protocol

This enhancement allows a port that was originally interoperating with PVST+ to revert to MSTP when connected to a Foundry device.

[1] Cisco user documentation for PVST/PVST+ refers to the IEEE 802.1Q spanning tree as the Common Spanning Tree (CST).

Overview of PVST and PVST+

Per VLAN Spanning Tree (PVST) is a Cisco proprietary protocol that allows a Cisco device to have multiple spanning trees. The Cisco device can interoperate with spanning trees on other PVST devices but cannot interoperate with IEEE 802.1Q devices. An IEEE 802.1Q device has all its ports running a single spanning tree. PVST+ is an extension of PVST that allows a Cisco device to also interoperate with devices that are running a single spanning tree (IEEE 802.1Q).

Enhanced PVST+ support allows a Foundry device to interoperate with PVST spanning trees and the IEEE 802.1Q spanning tree at the same time.

IEEE 802.1Q and PVST regions cannot interoperate directly but can interoperate indirectly through PVST+ regions. PVST BPDUs are tunnelled through 802.1Q regions, while PVST BPDUs for VLAN 1 (the IEEE 802.1Q VLAN) are processed by PVST+ regions. Figure 10.28 shows the interaction of IEEE 802.1Q, PVST, and PVST+ regions.
Figure 10.28 Interaction of IEEE 802.1Q, PVST, and PVST+ Regions
(Figure: a PVST region connected over ISL trunks to two PVST+ regions; each PVST+ region connects through a dual-mode port to an IEEE 802.1Q region, exchanging 802.1D BPDUs, while PVST BPDUs are tunneled through the IEEE 802.1Q region. The PVST region is marked "Do not connect" toward the IEEE 802.1Q region.)

VLAN Tags and Dual Mode

The dual-mode feature enables a port to send and receive both tagged and untagged frames. When the dual-mode feature is enabled on a port, the port is an untagged member of one of its VLANs and is at the same time a tagged member of all its other VLANs. The untagged frames are supported on the port’s Port Native VLAN.

The dual-mode feature must be enabled on a Foundry port in order to interoperate with another vendor’s device. Some vendors use VLAN 1 by default to support the IEEE 802.1Q-based standard spanning tree protocols, such as 802.1d and 802.1w, for sending untagged frames on VLAN 1. On Foundry FastIron switches, by default, the Port Native VLAN is the same as the Default VLAN, which is VLAN 1. Thus, to support IEEE 802.1Q in a typical configuration, a port must be able to send and receive untagged frames for VLAN 1 and tagged frames for the other VLANs, and interoperate with other vendors’ devices using VLAN 1.

If you want to use tagged frames on VLAN 1, you can change the default VLAN ID to an ID other than 1. You also can specify the VLAN on which you want the port to send and receive untagged frames (the Port Native VLAN). The Port Native VLAN ID does not need to be the same as the default VLAN. Make sure that the untagged (native) VLAN is also changed on the interoperating vendor side to match that on the Foundry side.

To support IEEE 802.1Q with non-standard proprietary protocols such as PVST and PVST+, a port must always send and receive untagged frames on VLAN 1 on both sides.
In this case, enable the dual-mode 1 feature to allow untagged BPDUs on VLAN 1 and use Native VLAN 1 on the interoperating vendor side. You should not use VLAN 1 for tagged frames in this case.

Configuring PVST+ Support

PVST+ support is automatically enabled when the port receives a PVST BPDU. You can manually enable the support at any time or disable the support if desired. If you want a tagged port to also support IEEE 802.1Q BPDUs, you need to enable the dual-mode feature on the port. The dual-mode feature is disabled by default and must be enabled manually.

A port that is in PVST+ compatibility mode due to auto-detection reverts to the default MSTP mode when one of the following events occurs:

• The link is disconnected or broken
• The link is administratively disabled
• The link is disabled by interaction with the link-keepalive protocol

This allows a port that was originally interoperating with PVST+ to revert to MSTP when connected to a Foundry device.

Enabling PVST+ Support Manually

To immediately enable PVST+ support on a port, enter commands such as the following:

FastIron(config)#interface ethernet 1/1
FastIron(config-if-1/1)#pvst-mode

Syntax: [no] pvst-mode

NOTE: If you disable PVST+ support, the software still automatically enables PVST+ support if the port receives a BPDU with PVST+ format.

NOTE: If 802.1W and pvst-mode (either by auto-detection or by explicit configuration) are enabled on a tagged VLAN port, 802.1W will treat the PVST BPDUs as legacy 802.1D BPDUs.

Enabling Dual-Mode Support

To enable the dual-mode feature on a port, enter the following command at the interface configuration level for the port:

FastIron(config-if-1/1)#dual-mode

Syntax: [no] dual-mode [<vlan-id>]

The <vlan-id> specifies the port’s Port Native VLAN. This is the VLAN on which the port will support untagged frames. By default, the Port Native VLAN is the same as the default VLAN (which is VLAN 1 by default).
For more information about the dual-mode feature, see “Dual-Mode VLAN Ports” on page 16-59.

Displaying PVST+ Support Information

To display PVST+ information for ports on a Foundry device, enter the following command at any level of the CLI:

FastIron#show span pvst-mode
PVST+ Enabled on:
Port   Method
1/1    Set by configuration
1/2    Set by configuration
2/10   Set by auto-detect
3/12   Set by configuration
4/24   Set by auto-detect

Syntax: show span pvst-mode

This command displays the following information.

Table 10.9: CLI Display of PVST+ Information

This Field...   Displays...
Port            The Foundry port number.
                Note: The command lists information only for the ports on which PVST+ support is enabled.
Method          The method by which PVST+ support was enabled on the port. The method can be one of the following:
                • Set by configuration – You enabled the support.
                • Set by auto-detect – The support was enabled automatically when the port received a PVST+ BPDU.

Configuration Examples

The following examples show configuration examples for two common configurations:

• Untagged IEEE 802.1Q BPDUs on VLAN 1 and tagged PVST+ BPDUs on other VLANs
• Tagged IEEE 802.1Q BPDUs on VLAN 1 and untagged BPDUs on another VLAN

Tagged Port Using Default VLAN 1 as its Port Native VLAN

Figure 10.29 shows an example of a PVST+ configuration that uses VLAN 1 as the untagged default VLAN and VLANs 2, 3, and 4 as tagged VLANs.

Figure 10.29 Default VLAN 1 for Untagged BPDUs
(Figure: Foundry port 1/1 connected to port 3/2 on a Cisco device. The link carries untagged IEEE BPDUs for VLAN 1, untagged PVST BPDUs for VLAN 1, and tagged PVST BPDUs for VLANs 2, 3, 4.)

To implement this configuration, enter the following commands.

Commands on the Foundry Device:
FastIron(config)#vlan-group 1 vlan 2 to 4
FastIron(config-vlan-group-1)#tagged ethernet 1/1
FastIron(config-vlan-group-1)#exit
FastIron(config)#interface ethernet 1/1
FastIron(config-if-1/1)#dual-mode
FastIron(config-if-1/1)#pvst-mode

These commands configure a VLAN group containing VLANs 2, 3, and 4, add port 1/1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port. The dual-mode feature allows the port to send and receive untagged frames for the default VLAN (VLAN 1 in this case) in addition to tagged frames for VLANs 2, 3, and 4. Enabling the PVST+ support ensures that the port is ready to send and receive PVST+ BPDUs. If you do not manually enable PVST+ support, the support is not enabled until the port receives a PVST+ BPDU.

The configuration leaves the default VLAN and the port’s Port Native VLAN unchanged. The default VLAN is 1 and the port’s Port Native VLAN also is 1. The dual-mode feature supports untagged frames on the default VLAN only. Thus, port 1/1 can send and receive untagged BPDUs for VLAN 1 and can send and receive tagged BPDUs for the other VLANs.

Port 1/1 will process BPDUs as follows:

• Process IEEE 802.1Q BPDUs for VLAN 1.
• Process tagged PVST BPDUs for VLANs 2, 3, and 4.
• Drop untagged PVST BPDUs for VLAN 1.

Untagged Port Using VLAN 2 as Port Native VLAN

Figure 10.30 shows an example in which a port’s Port Native VLAN is not VLAN 1. In this case, VLAN 1 uses tagged frames and VLAN 2 uses untagged frames.

Figure 10.30 Port Native VLAN 2 for Untagged BPDUs
(Figure: Foundry port 1/1 connected to port 3/2 on a Cisco device. The link carries untagged IEEE BPDUs for VLAN 1, tagged PVST BPDUs for VLAN 1, and untagged PVST BPDUs for VLAN 2.)

To implement this configuration, enter the following commands.
Commands on the Foundry Device:

FastIron(config)#default-vlan-id 4000
FastIron(config)#vlan 1
FastIron(config-vlan-1)#tagged ethernet 1/1
FastIron(config-vlan-1)#exit
FastIron(config)#vlan 2
FastIron(config-vlan-2)#tagged ethernet 1/1
FastIron(config-vlan-2)#exit
FastIron(config)#interface ethernet 1/1
FastIron(config-if-1/1)#dual-mode 2
FastIron(config-if-1/1)#pvst-mode
FastIron(config-if-1/1)#exit

These commands change the default VLAN ID, configure port 1/1 as a tagged member of VLANs 1 and 2, and enable the dual-mode feature and PVST+ support on port 1/1. Since VLAN 1 is tagged in this configuration, the default VLAN ID must be changed from VLAN 1 to another VLAN ID. Changing the default VLAN ID from 1 allows the port to process tagged frames for VLAN 1. VLAN 2 is specified with the dual-mode command, which makes VLAN 2 the port’s Port Native VLAN. As a result, the port processes untagged frames and untagged PVST BPDUs on VLAN 2.

NOTE: Although VLAN 2 becomes the port’s untagged VLAN, the CLI still requires that you add the port to the VLAN as a tagged port, since the port is a member of more than one VLAN.

Port 1/1 will process BPDUs as follows:

• Process IEEE 802.1Q BPDUs for VLAN 1.
• Process untagged PVST BPDUs for VLAN 2.
• Drop tagged PVST BPDUs for VLAN 1.

Note that when VLAN 1 is not the default VLAN, the ports must have the dual-mode feature enabled in order to process IEEE 802.1Q BPDUs.
For example, the following configuration is incorrect:

FastIron(config)#default-vlan-id 1000
FastIron(config)#vlan 1
FastIron(config-vlan-1)#tagged ethernet 1/1 to 1/2
FastIron(config-vlan-1)#exit
FastIron(config)#interface ethernet 1/1
FastIron(config-if-1/1)#pvst-mode
FastIron(config-if-1/1)#exit
FastIron(config)#interface ethernet 1/2
FastIron(config-if-1/2)#pvst-mode
FastIron(config-if-1/2)#exit

In the configuration above, all PVST BPDUs associated with VLAN 1 would be discarded. Since IEEE BPDUs associated with VLAN 1 are untagged, they are discarded because the ports in VLAN 1 are tagged. Effectively, the BPDUs are never processed by the Spanning Tree Protocol. STP assumes that there is no better bridge on the network and sets the ports to FORWARDING. This could cause a Layer 2 loop.

The following configuration is correct:

FastIron(config)#default-vlan-id 1000
FastIron(config)#vlan 1
FastIron(config-vlan-1)#tagged ethernet 1/1 to 1/2
FastIron(config-vlan-1)#exit
FastIron(config)#interface ethernet 1/1
FastIron(config-if-1/1)#pvst-mode
FastIron(config-if-1/1)#dual-mode
FastIron(config-if-1/1)#exit
FastIron(config)#interface ethernet 1/2
FastIron(config-if-1/2)#pvst-mode
FastIron(config-if-1/2)#dual-mode
FastIron(config-if-1/2)#exit

Setting the ports as dual-mode ensures that the untagged IEEE 802.1Q BPDUs reach the VLAN 1 instance.

PVRST Compatibility

Platform Support:

• FastIron X Series devices running software release 02.5.00 and later
• FGS and FLS devices running software release 02.5.00 and later

PVRST, the "rapid" version of per-VLAN spanning tree (PVST), is a Cisco proprietary protocol. PVRST corresponds to Foundry’s full implementation of IEEE 802.1w (RSTP). Likewise, PVST, also a Cisco proprietary protocol, corresponds to Foundry’s implementation of IEEE 802.1D (STP).
• In releases prior to 02.5.00, when a Foundry device receives a PVRST packet on a port running 802.1w, the 802.1w state machines for that port fall back to the classic, or legacy, 802.1D compatibility mode. Once moved to the legacy 802.1D mode, the Foundry device works in the standard STP mode and the rapid convergence advantage of 802.1w is no longer available.
• Software release 02.5.00 implements compatibility with PVRST on Foundry’s FastIron X Series and FastIron GS devices. When a Foundry device receives PVRST BPDUs on a port configured to run 802.1w, it recognizes and processes these BPDUs and continues to operate in 802.1w mode.

PVRST compatibility is automatically enabled in software release 02.5.00 and later when a port receives a PVRST BPDU.

BPDU Guard

Platform Support:

• FastIron X Series devices running software release 03.2.00 and later
• FGS and FLS devices running software release 03.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

In an STP environment, switches, end stations, and other Layer 2 devices use Bridge Protocol Data Units (BPDUs) to exchange information that STP will use to determine the best path for data flow.

The BPDU guard, an enhancement to STP, removes a node that reflects BPDUs back in the network. It enforces the STP domain borders and keeps the active topology predictable by not allowing any network devices behind a BPDU guard-enabled port to participate in STP.

In some instances, it is unnecessary for a connected device, such as an end station, to initiate or participate in an STP topology change. In this case, you can enable the STP BPDU guard feature on the Foundry port to which the end station is connected. Foundry's STP BPDU guard shuts down the port and puts it into an errdisable state.
This disables the connected device's ability to initiate or participate in an STP topology. A log message is then generated for a BPDU guard violation, and a CLI message is displayed to warn the network administrator of a severe invalid configuration. The BPDU guard feature provides a secure response to invalid configurations because the administrator must manually put the interface back in service if errdisable recovery is not enabled.

Enabling BPDU Protection by Port

You enable STP BPDU guard on individual interfaces. The feature is disabled by default. To enable STP BPDU guard on a specific port, enter commands such as the following:

FastIron(config)#interface ethe 2/1
FastIron(config-if-e1000-2/1)#stp-bpdu-guard

or

FGS624P Switch(config)#interface ethe 0/1/2
FGS624P Switch(config-if-e1000-0/1/2)#stp-bpdu-guard

Syntax: [no] stp-bpdu-guard

The no parameter disables the BPDU guard on this interface.

You can also use the multiple interface command to enable this feature on multiple ports at once. For example,

FastIron(config)#interface ethernet 1/1 to 1/9
FastIron(config-mif-1/1-1/9)#stp-bpdu-guard
FastIron(config-mif-1/1-1/9)#

or

FGS624P Switch(config)#interface ethernet 0/1/1 to 0/1/9
FGS624P Switch(config-mif-0/1/1-0/1/9)#stp-bpdu-guard
FGS624P Switch(config-mif-0/1/1-0/1/9)#

This will enable stp-bpdu-guard on ports 0/1/1 to 0/1/9.

Re-enabling Ports Disabled by BPDU Guard

When a BPDU Guard-enabled port is disabled by BPDU Guard, the Foundry device will place the port in errdisable state and display a message on the console indicating that the port is errdisabled (see “Example Console Messages” on page 10-71). In addition, the show interface command output will indicate that the port is errdisabled.
For example:

FastIron#show int e 2
Gigabit Ethernet2 is ERR-DISABLED (bpduguard), line protocol is down

To re-enable a port that is in errdisable state, you must first disable the port then re-enable it. Enter commands such as the following:

FastIron(config)#int e 2
FastIron(config-if-e1000-2)#disable
FastIron(config-if-e1000-2)#enable

If you attempt to enable an errdisabled port without first disabling it, the following error message will appear on the console:

FastIron(config-if-e1000-2)#enable
Port 2 is errdisabled, do disable first and then enable to enable it

Displaying the BPDU Guard Status

To display the BPDU guard state, enter the show running configuration or the show stp-bpdu-guard command.

For FastIron X Series devices:

FastIron#show stp-bpdu-guard
BPDU Guard Enabled on:
Interface   Violation
Port 1      No
Port 2      No
Port 3      No
Port 4      No
Port 5      No
Port 6      No
Port 7      No
Port 8      No
Port 9      No
Port 10     No
Port 11     No
Port 12     Yes
Port 13     No

For FGS and FLS, and FGS-STK and FLS-STK devices:

FGS624P Switch#show stp-bpdu-guard
BPDU Guard Enabled on:
Ports: (Stk0/S1) 2 3 4 5 9 10 11 12 13 14 15 16
Ports: (Stk0/S1) 17 18 19 20 21 22 23 24

Syntax: show stp-bpdu-guard

Example Configurations

EXAMPLE: The following example shows how to configure BPDU guard at interface level and to verify the configuration by issuing the show stp-bpdu-guard and the show interface commands.

For FastIron X Series devices running software release 03.2.00:

FastIron Router(config)#interface ethernet 1
FastIron Router(config-if-e1000-1)#stp-bpdu-guard
FastIron Router(config-if-e1000-1)#
FastIron Router(config-if-e1000-1)#show stp-bpdu-guard
BPDU Guard Enabled on:
Port 1
FastIron(config-if-e1000-1)#
FastIron(config-if-e1000-1)#show interfaces ethernet 1
GigabitEthernet1 is up, line protocol is up
Hardware is GigabitEthernet, address is 000c.dba0.7100 (bia 000c.dba0.7100)
Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDI
Member of L2 VLAN ID 2, port is untagged, port state is FORWARDING
BPDU guard is Enabled, ROOT protect is Disabled
STP configured to ON, priority is level0, flow control enabled
mirror disabled, monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
IPG MII 96 bits-time, IPG GMII 96 bits-time
IP MTU 1500 bytes
300 second input rate: 8 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 256 bits/sec, 0 packets/sec, 0.00% utilization
88 packets input, 15256 bytes, 0 no buffer
Received 75 broadcasts, 13 multicasts, 0 unicasts
1 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
4799 packets output, 313268 bytes, 0 underruns
Transmitted 90 broadcasts, 4709

For FGS and FLS devices running software release 03.0.00:

FGS624P Switch(config)#interface ethernet 0/1/1
FGS624P Switch(config-if-e1000-0/1/1)#stp-bpdu-guard
FGS624P Switch(config-if-e1000-0/1/1)#exit
FGS624P Switch#show stp-bpdu-guard
BPDU Guard Enabled on:
Ports: (Stk0/S1) 1
FGS624P Switch#show interfaces ethernet 0/1/1
GigabitEthernet0/1/1 is down, line protocol is down
Hardware is GigabitEthernet, address is 00e0.5204.4000 (bia 00e0.5204.4000)
Configured speed auto, actual unknown, configured duplex fdx, actual unknown
Configured mdi mode AUTO, actual unknown
Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
BPDU Guard is enabled, Root Protect is disabled
STP configured to ON, priority is level0
Flow Control is config enabled, oper disabled, negotiation disabled
Mirror disabled, Monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
Inter-Packet Gap (IPG) is 96 bit times
300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 multicasts, 0 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
0 packets output, 0 bytes, 0 underruns
Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
0 output errors, 0 collisions
FGS624P Switch(config)#

Example Console Messages

A console message such as the following is generated after a BPDU guard violation occurs on a system that is running MSTP:

FastIron(config-if-e1000-23)#MSTP: Received BPDU on BPDU guard enabled Port 23,errdisable Port 23

A console message such as the following is generated after a BPDU guard violation occurs on a system that is running STP:

FastIron(config)#STP: Received BPDU on BPDU guard enabled Port 23 (vlan=1), errdisable Port 23

A console message such as the following is generated after a BPDU guard violation occurs on a system that is running RSTP:

FastIron(config-vlan-1)#RSTP: Received BPDU on BPDU guard enabled Port 23 (vlan=1),errdisable Port 23

Root Guard

Platform Support:

• FastIron X Series devices running software release 03.2.00 and later
• FGS and FLS devices running software release 03.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

The standard STP (802.1D), RSTP (802.1W) or 802.1S does not provide any way for a network administrator to securely enforce the topology of a switched Layer 2 network.
The forwarding topology of a switched network is calculated based on the root bridge position, along with other parameters. This means any switch can be the root bridge in a network as long as it has the lowest bridge ID. The administrator cannot enforce the position of the root bridge. A better forwarding topology comes with the requirement to place the root bridge at a specific predetermined location.

Root Guard can be used to predetermine a root bridge location and prevent rogue or unwanted switches from becoming the root bridge. When root guard is enabled on a port, it keeps the port in a designated role. If the port receives a superior STP Bridge Protocol Data Unit (BPDU), it puts the port into a ROOT-INCONSISTANT state and triggers a log message and an SNMP trap. The ROOT-INCONSISTANT state is equivalent to the BLOCKING state in 802.1D and to the DISCARDING state in 802.1W. No further traffic is forwarded on this port. This allows the bridge to prevent traffic from being forwarded on ports connected to rogue or misconfigured STP bridges.

Once the port stops receiving superior BPDUs, root guard automatically sets the port back to learning, and eventually to a forwarding state through the spanning-tree algorithm.

Configure root guard on all ports where the root bridge should not appear. This establishes a protective network perimeter around the core bridged network, cutting it off from the user network.

NOTE: Root guard may prevent network connectivity if it is improperly configured. Root guard must be configured on the perimeter of the network rather than the core.

NOTE: Root guard is not supported when MSTP is enabled.
Enabling STP Root Guard

An STP root guard is configured on an interface by entering commands similar to the following:

FastIron(config)#interface ethernet 5/5
FastIron(config-if-e10000-5/5)#spanning-tree root-protect

Syntax: [no] spanning-tree root-protect

Enter the no form of the command to disable STP root guard on the port.

Displaying the STP Root Guard

To display the STP root guard state, enter the show running configuration or the show spanning-tree root-protect command.

FastIron#show spanning-tree root-protect
Root Protection Enabled on:
Port 1

Syntax: show spanning-tree root-protect

Displaying the Root Guard by VLAN

You can display root guard information for all VLANs or for a specific VLAN.

Syntax: show spanning-tree [<vlan-id>]

If you do not specify a <vlan-id>, information for all VLANs is displayed. For example, to display root guard violation information for VLAN 7:

FastIron#show spanning-tree vlan 7
STP instance owned by VLAN 7

Global STP (IEEE 802.1D) Parameters:

VLAN Root             Root Root Prio Max He- Ho- Fwd Last Chg Bridge
ID   ID               Cost Port rity Age llo ld  dly Chang cnt Address
     Hex                            sec sec sec sec sec
7    a000000011112220 0    Root a000 20  2   1   15  4     4   000011112220

Port STP Parameters:

Port Prio Path State       Fwd   Design Designated       Designated
Num  rity Cost             Trans Cost   Root             Bridge
     Hex
1    80   19   ROOT-INCONS 2     0      a000000011112220 a000000011112220

Error Disable Recovery

In case a BPDU guard violation occurs, a port is placed into an errdisable state which is functionally equivalent to a Disable state.
Once in an errdisable state, it remains in that state until one of the following methods is used to return the port to an Enabled state:

1. Manually disabling and enabling that interface
2. Automatically, through the errdisable recovery mechanism

The errdisable recovery interval command is used to configure a time-out for ports in errdisable state, after which the ports are re-enabled automatically.

When BPDU guard puts a port into errdisabled state, the port remains in errdisabled state unless it is enabled manually by issuing a disable command and then the enable command on the associated interface or you have errdisable recovery turned on. The errdisable command allows you to choose the type of error that automatically re-enables the port after a specified amount of time.

Enabling Error Disable Recovery

To enable errdisable recovery for BPDU Guard, enter a command such as the following:

FastIron(config)#errdisable recovery cause bpduguard

To enable error disable recovery for any reason, enter a command such as the following:

FastIron(config)#errdisable recovery cause all

Syntax: errdisable recovery [cause <bpduguard | all>]

The cause is the reason why the port is in the errdisable state. Valid values are bpduguard and all. Use the bpduguard parameter to allow the port to recover from the errdisabled state, if the state was caused by a BPDU guard violation. The all parameter allows ports to recover from an errdisabled state, if the state was caused by any reason other than a BPDU Guard violation.

Setting the Recovery Interval

The errdisable recovery interval command allows you to configure a timeout for ports in errdisable state, after which the ports are re-enabled automatically.
To set the errdisable recovery time-out interval, enter a command such as the following:

FastIron(config)#errdisable recovery interval 20

Syntax: [no] errdisable recovery interval <seconds>

The seconds parameter allows you to set the timeout value for the recovery mechanism when the port is in an errdisabled state. Once this timeout value expires, the ports are automatically re-enabled. Valid values are from 10 to 65535 seconds (10 seconds to 24 hours).

Displaying the Error Disable Recovery State by Interface

The port status of errdisabled displays in the output of the show interface and the show interface brief commands. In this example, errdisable is enabled on interface ethernet 1 and errdisable is enabled because of a BPDU guard violation.

FastIron#show interfaces ethernet 1
GigabitEthernet1 is ERR-DISABLED (bpduguard), line protocol is down
BPDU guard is Enabled, ROOT protect is Disabled
Hardware is GigabitEthernet, address is 000c.dba0.7100 (bia 000c.dba0.7100)
Configured speed auto, actual unknown, configured duplex fdx, actual unknown
Configured mdi mode AUTO, actual unknown
Member of L2 VLAN ID 2, port is untagged, port state is DISABLED
STP configured to ON, priority is level0, flow control enabled
mirror disabled, monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
IPG MII 96 bits-time, IPG GMII 96 bits-time
IP MTU 1500 bytes
300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
145 packets input, 23561 bytes, 0 no buffer
Received 124 broadcasts, 21 multicasts, 0 unicasts
1 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
5067 packets output, 330420 bytes, 0 underruns
Transmitted 90 broadcasts, 4977 multicasts, 0 unicasts
0 output errors, 0 collisions
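With errdisable recovery enabled, a port that keeps receiving BPDUs is re-enabled and errdisabled again on every interval, so the log is where a persistent BPDU source behind an edge port shows up. The Python script below is an added example, not part of this guide or of Foundry's software: it parses the BPDU guard violation messages (console and Syslog forms) and the errdisable recovery timeout message documented in this chapter, keeps a per-port history, and reports ports that are errdisabled again after an automatic recovery. The timestamp prefix and the sample log lines are constructed for the example.

```python
import re

# Message shapes documented in this chapter: the console line for a BPDU guard violation
# (MSTP, STP and RSTP variants), the Syslog line for the same event, and the Syslog line
# written when the errdisable recovery timer re-enables the port.
VIOLATION_PATTERNS = [
    re.compile(r"BPDU-guard port (?P<port>[\w/]+) detect \(Received BPDU\), "
               r"putting into err-disable state"),
    re.compile(r"Received BPDU on BPDU guard enabled Port (?P<port>[\w/]+)"
               r"(?: \(vlan=\d+\))?,\s*errdisable Port"),
]
RECOVERY_PATTERN = re.compile(
    r"ERR_DISABLE: Interface ethernet (?P<port>[\w/]+), err-disable recovery timeout")


def classify(line):
    """Return ('violation', port), ('recovery', port) or (None, None) for one log line."""
    for pat in VIOLATION_PATTERNS:
        m = pat.search(line)
        if m:
            return "violation", m.group("port")
    m = RECOVERY_PATTERN.search(line)
    if m:
        return "recovery", m.group("port")
    return None, None


def summarize(lines, flap_threshold=2):
    """Per-port errdisable history, in order of first appearance.

    A violation that follows an automatic recovery means the BPDU source is still
    there; once that happens flap_threshold times the port is marked as flapping.
    """
    ports = {}
    for line in lines:
        kind, port = classify(line)
        if kind is None:
            continue
        s = ports.setdefault(port, {"violations": 0, "recoveries": 0,
                                    "re_violations": 0, "state": "up", "flapping": False})
        if kind == "violation":
            s["violations"] += 1
            if s["recoveries"]:  # errdisabled again after the recovery timer re-enabled it
                s["re_violations"] += 1
            s["state"] = "errdisabled"
        else:
            s["recoveries"] += 1
            s["state"] = "up"
        s["flapping"] = s["re_violations"] >= flap_threshold
    return ports


# Constructed sample log: port 3 cycles through three violations with a 300 s
# recovery interval, port 23 recovers once and stays quiet, port 7 is still errdisabled.
SAMPLE_LOG = """\
Dec  5 10:00:01 FastIron STP: VLAN 50 BPDU-guard port 3 detect (Received BPDU), putting into err-disable state
Dec  5 10:05:02 FastIron ERR_DISABLE: Interface ethernet 3, err-disable recovery timeout
Dec  5 10:05:03 FastIron STP: VLAN 50 BPDU-guard port 3 detect (Received BPDU), putting into err-disable state
Dec  5 10:10:04 FastIron ERR_DISABLE: Interface ethernet 3, err-disable recovery timeout
Dec  5 10:10:05 FastIron STP: VLAN 50 BPDU-guard port 3 detect (Received BPDU), putting into err-disable state
Dec  5 11:00:00 FastIron MSTP: Received BPDU on BPDU guard enabled Port 23,errdisable Port 23
Dec  5 11:05:00 FastIron ERR_DISABLE: Interface ethernet 23, err-disable recovery timeout
Dec  5 11:20:00 FastIron RSTP: Received BPDU on BPDU guard enabled Port 7 (vlan=1),errdisable Port 7
""".splitlines()

if __name__ == "__main__":
    for port, s in summarize(SAMPLE_LOG).items():
        flag = "FLAPPING" if s["flapping"] else ""
        print(f"port {port}: {s['state']}, {s['violations']} violations, "
              f"{s['recoveries']} recoveries {flag}")
```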
Displaying the Recovery State for All Conditions
Use the show errdisable recovery command to display the error disable recovery state for all possible conditions. In this example, port 6 is undergoing a recovery.
FastIron#show errdisable recovery
ErrDisable Reason            Timer Status
-------------------------------------
all reason                   Disabled
bpduguard                    Enabled
Timeout Value: 300 seconds
Interface that will be enabled at the next timeout:
Interface      Errdisable reason  Time left (sec)
-------------- -----------------  ---------------
Port 6         bpduguard          297
Syntax: show errdisable recovery
Displaying the Recovery State by Port Number and Cause
To see which ports are in an errdisabled state, use the show errdisable summary command. This command shows not only the port number but also the reason why the port is in an errdisable state and the method used to recover the port. In this example, port 6 is errdisabled for a BPDU guard violation.
FastIron#show errdisable summary
Port 6 ERR_DISABLED for bpduguard
Syntax: show errdisable summary
Errdisable Syslog Messages
When the system places a port into an errdisabled state for BPDU guard, a log message is generated. When the errdisable recovery timer expires, a log message is also generated.
A Syslog message such as the following is generated after a port is placed into an errdisable state for BPDU guard:
STP: VLAN 50 BPDU-guard port 3 detect (Received BPDU), putting into err-disable state
A Syslog message such as the following is generated after the recovery timer expires:
ERR_DISABLE: Interface ethernet 3, err-disable recovery timeout
802.1s Multiple Spanning Tree Protocol
Platform Support:
• FastIron X Series devices running software release 03.2.00 and later
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later
Multiple Spanning Tree Protocol (MSTP), as defined in IEEE 802.1s, allows multiple VLANs to be managed by a single STP instance and supports per-VLAN STP. As a result, several VLANs can be mapped to a reduced number of spanning-tree instances. This ensures a loop-free topology for one or more VLANs that share the same Layer 2 topology. The Foundry implementation supports up to 16 spanning tree instances in an MSTP-enabled bridge, which means that it can support up to 16 different Layer 2 topologies. The spanning tree algorithm used by MSTP is RSTP, which provides quick convergence.
Multiple Spanning-Tree Regions
Using MSTP, the entire network runs a common instance of RSTP. Within that common instance, one or more VLANs can be individually configured into distinct regions. The entire network runs the common spanning tree instance (CST) and the regions run a local instance. The local instance is known as the Internal Spanning Tree (IST). The CST treats each instance of IST as a single bridge. Consequently, ports are blocked to prevent loops that might occur within an IST and also throughout the CST. With the exception of the provisions for multiple instances, MSTP operates exactly like RSTP.
For example, in Figure 10.31 a network is configured with two regions: Region 1 and Region 2. The entire network is running an instance of CST. Each of the regions is running an instance of IST.
In addition, this network contains Switch 1, which runs MSTP but is not configured in a region and consequently runs in the CIST instance. In this configuration, each region is regarded as a single bridge by the rest of the network, as is Switch 1. The CST prevents loops from occurring across the network. Consequently, a port is blocked at port 1/2 of Switch 4. Additionally, loops must be prevented in each of the IST instances. Within the IST of Region 1, a port is blocked at port 1/2 of Switch 4 to prevent a loop in that region. Within Region 2, a port is blocked at port 3/2 of Switch 3 to prevent a loop in that region.
Figure 10.31 MSTP Configured Network
(Figure: BigIron Switch 1 through Switch 6 connected across Region 1 and Region 2. The individual port labels of the drawing are not recoverable from the text.)
The following definitions describe the STP instances that define an MSTP configuration:
Common Spanning Tree (CST) – CST is defined in 802.1Q and assumes one spanning-tree instance for the entire bridged network regardless of the number of VLANs. In MSTP, an MSTP region appears as a virtual bridge that runs CST.
Internal Spanning Tree (IST) – IST is a term introduced in 802.1s. An MSTP bridge must handle at least these two instances: one IST and one or more MSTIs (Multiple Spanning Tree Instances). Within each MST region, MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance known as the IST, which extends the CST inside the MST region. The IST always exists if the switch runs MSTP. Besides the IST, this implementation supports up to 15 MSTIs, numbered from 1 to 4094.
Common and Internal Spanning Tree (CIST) – CIST is the collection of the ISTs in each MST region and the CST that interconnects the MST regions and single spanning trees.
Multiple Spanning Tree Instance (MSTI) – An MSTI is identified by an MST identifier (MSTid) value between 1 and 4094.
MSTP Region – These are clusters of bridges that run multiple instances of the MSTP protocol. Bridges detect that they are in the same region by exchanging their configuration (instance-to-VLAN mapping), name, and revision level. Therefore, if you need to have two bridges in the same region, the two bridges must have identical configurations, names, and revision levels.
NOTE: One or more VLANs can be mapped to one MSTP instance (IST or MSTI), but a VLAN cannot be mapped to multiple MSTP instances.
Configuration Notes
When configuring MSTP, note the following:
• With MSTP running, enabling a static trunk on ports that are members of many VLANs (4000 or more VLANs) will keep the system busy for 20 to 25 seconds.
Configuring MSTP Mode and Scope
With the introduction of MSTP, a system can be either under MSTP mode or not under MSTP mode. The default state is not under MSTP mode. MSTP configuration can only be performed on a system under MSTP mode. A system configured under MSTP mode has a concept called MSTP scope. MSTP scope defines the VLANs that are under direct MSTP control. You cannot run 802.1D or 802.1w on any VLAN (even outside of the MSTP scope), and you cannot create topology groups, when a system is under MSTP mode. While a VLAN group is still supported when a system is under MSTP mode, its member VLANs must be either all inside the MSTP scope or all outside it.
When a system is configured from non-MSTP mode to MSTP mode, the following changes are made to the system’s configuration:
• All 802.1D and 802.1w STP instances are deleted, regardless of whether the VLAN is inside the MSTP scope or not
• All topology groups are deleted
• Any GVRP configuration is deleted
• Any VSRP configuration is deleted
• Single-span (if configured) is deleted
• MRP running on a VLAN inside the MSTP scope is deleted
• The CIST is created and all VLANs inside the MSTP scope are attached to the CIST
Make sure that no physical Layer 2 loops exist before switching from non-MSTP mode to MSTP mode. If, for example, you have a Layer 2 loop topology configured as a redundancy mechanism before you perform the switch, a Layer 2 storm should be expected, because the loop-prevention protocols listed above are removed before MSTP is started.
To configure a system into MSTP mode, use the following command at the Global Configuration level:
FastIron(config)#mstp scope all
Syntax: [no] mstp scope all
NOTE: MSTP is not operational, however, until the mstp start command is issued as described in “Activating MSTP on a Switch” on page 10-82.
Once the system is configured into MSTP mode, the CIST (sometimes referred to as “instance 0”) is created and all existing VLANs inside the MSTP scope are controlled by the CIST. In addition, whenever you create a new VLAN inside the MSTP scope, it is put under CIST control by default. In the Foundry MSTP implementation, however, a VLAN ID can be pre-mapped to another MSTI as described in “Configuring an MSTP Instance” on page 10-80. A VLAN whose ID is pre-mapped attaches to the specified MSTI instead of to the CIST when it is created.
NOTE: Once under MSTP mode, the CIST always controls all ports in the system. If you do not want a port to run MSTP, configure the no spanning-tree command under the specified interface configuration.
Using the [no] option on a system that is configured for MSTP mode changes the system to non-MSTP mode. When this switch is made, all MSTP instances are deleted together with all MSTP configuration. After the switch, none of the VLANs that were inside the original MSTP scope runs any Layer 2 protocol, so any redundant links in those VLANs are unprotected against loops until spanning tree is configured on them again.
Reduced Occurrences of MSTP Reconvergence
Platform Support:
• FastIron X Series devices running software release FSX 04.2.00b and later
In releases prior to FSX 04.2.00b, reconvergence of MSTP occurs whenever a VLAN is created or deleted. Reconvergence is triggered when the VLAN-to-MSTI mapping for a newly created VLAN is added to the running configuration, and when an existing VLAN-to-MSTI mapping is deleted from the running configuration.
Starting with release FSX 04.2.00b, when a VLAN is deleted, the Foundry device retains the associated VLAN-to-MSTI mapping instead of deleting it from the configuration. This way, a VLAN can be pre-mapped to an MSTI, and MSTP reconvergence may not be necessary when a VLAN is added to or deleted from the configuration. As long as the VLAN being created or deleted is pre-mapped to an MSTI, and the VLAN-to-MSTI mapping has not changed, MSTP reconvergence will not occur.
NOTE: MSTP reconvergence occurs when the VLAN-to-MSTI mapping is changed using the mstp instance command. You can optionally remove VLAN-to-MSTI mappings from the configuration. See “Deleting a VLAN to MSTI Mapping” on page 10-79.
The following shows an example application.
Example Application
The following example shows the running configuration file before and after deleting a VLAN from the configuration. In releases FSX 04.2.00b and later, as shown below, the VLAN-to-MSTI mapping is retained in the running configuration even after the VLAN is deleted.
FastIron(config-vlan-20)#show run
Current configuration:
!
ver 04.2.00bT3e1
!
!
vlan 1 name DEFAULT-VLAN by port
 no spanning-tree
!
vlan 10 by port
 tagged ethe 1 to 2
 no spanning-tree
!
vlan 20 by port                  <----- VLAN 20 configuration
 tagged ethe 1 to 2
 no spanning-tree
!
mstp scope all
mstp instance 0 vlan 1
mstp instance 1 vlan 20
mstp start
some lines omitted for brevity...
FastIron(config-vlan-20)#no vlan 20
FastIron(config-vlan-20)#show run
Current configuration:
!
ver 04.2.00bT3e1
!
!
vlan 1 name DEFAULT-VLAN by port
 no spanning-tree
!
vlan 10 by port
 tagged ethe 1 to 2
 no spanning-tree
!                                <----- VLAN 20 deleted
mstp scope all
mstp instance 0 vlan 1
mstp instance 1 vlan 10
mstp instance 1 vlan 20          <----- VLAN to MSTI mapping kept in running configuration, even though VLAN 20 was deleted
mstp start
some lines omitted for brevity...
Deleting a VLAN to MSTI Mapping
You can optionally remove a VLAN-to-MSTI mapping using the no mstp instance command. To do so, enter a command such as the following:
FastIron(config)#no mstp instance 7 vlan 4 to 7
This command deletes the VLAN-to-MSTI mapping from the running configuration and triggers an MSTP reconvergence.
Syntax: no mstp instance <instance-number> [ vlan <vlan-id> | vlan-group <group-id> ]
The instance parameter defines the number of the MSTP instance from which you are deleting the mapping. The vlan parameter identifies one or more VLANs or a range of VLANs mapped to that instance. The vlan-group parameter identifies one or more VLAN groups mapped to that instance.
Viewing the MSTP Configuration Digest
The MSTP Configuration Digest is a hash of the VLAN-to-MSTI mapping, so it changes, and MSTP reconverges, whenever the mapping changes; it is recalculated whenever an MSTP reconvergence occurs. Because bridges must agree on the mapping, name and revision to belong to the same region, comparing the digest on two switches is a quick way to confirm that their mappings match. To view the Configuration Digest, use the show mstp config command. The following shows an example output.
SW-FESX624F+2XG Switch(config-vlan-20)#show mstp config
MSTP CONFIGURATION
------------------
Scope         : all system
Name          :
Revision      : 0
Version       : 3 (MSTP mode)
Config Digest : 0x9bbda9c70d91f633e1e145fbcbf8d321
Status        : Started
Instance  VLANs
--------  ------------------------------------------------------
0         1
1         10 20
Syntax: show mstp config
Configuring Additional MSTP Parameters
To configure a switch for MSTP, you can configure the name and the revision on each switch that is being configured for MSTP. You must then create an MSTP instance and assign it an ID. VLANs are then assigned to MSTP instances. These instances must be configured identically on all switches that interoperate with the same VLAN assignments. Port cost, priority and global parameters can then be configured for individual ports and instances. In addition, operational edge ports and point-to-point links can be created, and MSTP can be disabled on individual ports. Each of the commands used to configure and operate MSTP is described in the following:
• “Setting the MSTP Name”
• “Setting the MSTP Revision Number”
• “Configuring an MSTP Instance”
• “Configuring Bridge Priority for an MSTP Instance”
• “Setting the MSTP Global Parameters”
• “Setting Ports To Be Operational Edge Ports”
• “Setting Automatic Operational Edge Ports”
• “Setting Point-to-Point Link”
• “Disabling MSTP on a Port”
• “Forcing Ports to Transmit an MSTP BPDU”
• “Activating MSTP on a Switch”
Setting the MSTP Name
Each switch that is running MSTP is configured with a name. It applies to the whole switch, which can have many different VLANs that can belong to many different MSTP regions. To configure an MSTP name, use a command such as the following at the Global Configuration level:
FastIron(config)#mstp name foundry
Syntax: [no] mstp name <name>
The name parameter defines an ASCII name for the MSTP configuration. By default the name is blank.
Setting the MSTP Revision Number
Each switch that is running MSTP is configured with a revision number. It applies to the whole switch, which can have many different VLANs that can belong to many different MSTP regions. To configure an MSTP revision number, use a command such as the following at the Global Configuration level:
FastIron(config)#mstp revision 4
Syntax: [no] mstp revision <revision-number>
The revision parameter specifies the revision level for MSTP that you are configuring on the switch. It can be a number from 0 to 65535. The default revision number is 0.
Configuring an MSTP Instance
An MSTP instance is configured with an MSTP ID for each region. Each region can contain one or more VLANs. Foundry’s implementation of MSTP allows you to assign VLANs or ranges of VLANs to an MSTP instance before or after they have been defined. If pre-defined, a VLAN is placed in the MSTI it was assigned to immediately when the VLAN is created. Otherwise, the default is to assign all new VLANs to the CIST. VLANs assigned to the CIST by default can be moved later to a specified MSTI.
To configure an MSTP instance and map one or more VLANs to that MSTI, use a command such as the following at the Global Configuration level:
FastIron(config)#mstp instance 7 vlan 4 to 7
Syntax: [no] mstp instance <instance-number> [ vlan <vlan-id> | vlan-group <group-id> ]
The instance parameter defines the number for the instance of MSTP that you are configuring. The value 0 (which identifies the CIST) cannot be used. You can have up to 15 instances, numbered 1 – 4094. The vlan parameter assigns one or more VLANs or a range of VLANs to the instance defined in this command. The vlan-group parameter assigns one or more VLAN groups to the instance defined in this command. The no option moves a VLAN or VLAN group from its assigned MSTI back into the CIST.
NOTE: The system does not allow an MSTI without any VLANs mapped to it.
Consequently, removing all VLANs from an MSTI deletes the MSTI from the system. The CIST, by contrast, exists regardless of whether any VLANs are assigned to it. Consequently, if all VLANs are moved out of the CIST, the CIST still exists and is functional.
Configuring Bridge Priority for an MSTP Instance
Priority can be configured for a specified instance. To configure priority for an MSTP instance, use a command such as the following at the Global Configuration level:
FastIron(config)#mstp instance 1 priority 8192
Syntax: [no] mstp instance <instance-number> priority <priority-value>
The <instance-number> variable is the number for the instance of MSTP that you are configuring. You can set a priority for the instance that gives it forwarding preference over lower-priority instances within a VLAN or on the switch. A higher number for the priority variable means a lower forwarding priority. Acceptable values are 0 – 61440 in increments of 4096. The default value is 32768. Because the lowest value wins the root election for an instance, give the bridge you intend to be root of that instance a lower value than every other bridge in the region.
Setting the MSTP Global Parameters
MSTP has many of the options available in RSTP as well as some unique options. To configure MSTP global parameters for all instances on a switch:
FastIron(config)#mstp force-version 0 forward-delay 10 hello-time 4 max-age 12 max-hops 9
Syntax: [no] mstp force-version <mode-number> forward-delay <value> hello-time <value> max-age <value> max-hops <value>
The force-version parameter forces the bridge to send BPDUs in a specific format. You can specify one of the following <mode-number> values:
• 0 – The STP compatibility mode. Only STP BPDUs will be sent. This is equivalent to single STP.
• 2 – The RSTP compatibility mode. Only RSTP BPDUs will be sent. This is equivalent to single STP.
• 3 – MSTP mode. In this default mode, only MSTP BPDUs will be sent.
The forward-delay <value> specifies how long a port waits before it forwards an RST BPDU after a topology change. This can be a value from 4 – 30 seconds. The default is 15 seconds.
The hello-time <value> parameter specifies the interval between two hello packets. The parameter can have a value from 1 – 10 seconds. The default is 2 seconds.
The max-age <value> parameter specifies the amount of time the device waits to receive a hello packet before it initiates a topology change. You can specify a value from 6 – 40 seconds, where the value adheres to the following relationships:
max-age equal to or greater than 2 x (hello-time + 1) AND max-age equal to or less than 2 x (forward-delay – 1)
The defaults satisfy both: with a hello-time of 2 seconds and a forward-delay of 15 seconds, max-age must lie between 6 and 28 seconds, and the default max-age is 20 seconds. The example above (hello-time 4, forward-delay 10, max-age 12) also satisfies both, since 12 lies between 10 and 18.
The max-hops <value> parameter specifies the maximum hop count. You can specify a value from 1 – 40 hops. The default value is 20 hops.
Setting Ports To Be Operational Edge Ports
You can define specific ports as edge ports for the region in which they are configured, to connect to devices (such as a host) that are not running STP, RSTP, or MSTP. If a port is connected to an end device such as a PC, the port can be configured as an edge port.
To configure ports as operational edge ports, enter a command such as the following:
FastIron(config)#mstp admin-edge-port ethernet 3/1
Syntax: [no] mstp admin-edge-port ethernet <stack-unit/slotnum/portnum>
The <stack-unit> parameter is required on FGS and FLS devices running software version 2.5 and later, and on FGS-STK and FLS-STK devices running software version 5.0 and later. The <slotnum/portnum> parameter specifies a port or range of ports as edge ports in the instance in which they are configured.
Setting Automatic Operational Edge Ports
You can configure a FastIron device to automatically set a port as an operational edge port if the port has not received any BPDUs since link-up.
If the port receives a BPDU later, it is automatically reset to become an operational non-edge port. This feature is set globally and applies to all ports on the device where it is configured. It is configured as shown in the following:
FastIron(config)#mstp edge-port-auto-detect
Syntax: [no] mstp edge-port-auto-detect
NOTE: If this feature is enabled, it takes the port about 3 seconds longer to reach the enabled state.
Setting Point-to-Point Link
You can set a point-to-point link between ports to increase the speed of convergence. To create a point-to-point link between ports, use a command such as the following at the Global Configuration level:
FastIron(config)#mstp admin-pt2pt-mac ethernet 2/5 ethernet 4/5
Syntax: [no] mstp admin-pt2pt-mac ethernet <stack-unit/slotnum/portnum>
The <stack-unit> parameter is required on FGS and FLS devices running software version 2.5 and later, and on FGS-STK and FLS-STK devices running software version 5.0 and later. The <slotnum/portnum> parameter specifies a port or range of ports to be treated as point-to-point links.
Disabling MSTP on a Port
To disable MSTP on a specific port, use a command such as the following at the Global Configuration level:
FastIron(config)#mstp disable ethernet 2/1
Syntax: [no] mstp disable ethernet <stack-unit/slotnum/portnum>
The <stack-unit> parameter is required on FGS and FLS devices running software version 2.5 and later, and on FGS-STK and FLS-STK devices running software version 5.0 and later. The <slotnum/portnum> variable specifies the location of the port for which you want to disable MSTP.
NOTE: When a port is disabled for MSTP, it behaves as blocking for all the VLAN traffic that is controlled by MSTIs and the CIST.
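As an added example (not Foundry code), the following Python checks a proposed set of MSTP global timers against the value ranges listed under “Setting the MSTP Global Parameters” and against the IEEE 802.1D relationships between them, 2 x (hello-time + 1) <= max-age <= 2 x (forward-delay – 1), and renders the mstp force-version command only when the values are consistent. The command string it builds follows the syntax shown in that section; the wording of the problem messages is the example's own.

```python
"""Sanity-check MSTP bridge timers before pushing
'mstp force-version ... forward-delay ... hello-time ... max-age ... max-hops'.

Added example, not Foundry code. Ranges are the ones the guide lists for
these parameters; the relationships between them are the IEEE 802.1D ones:
    2 * (hello_time + 1) <= max_age <= 2 * (forward_delay - 1)
"""


def valid_max_age_range(hello_time, forward_delay):
    """Lowest and highest max-age (inclusive) that satisfy both relationships
    and the 6 - 40 second range, or None if no value can satisfy them for
    the given hello-time and forward-delay."""
    lo = max(6, 2 * (hello_time + 1))
    hi = min(40, 2 * (forward_delay - 1))
    return (lo, hi) if lo <= hi else None


def check_mstp_timers(hello_time=2, forward_delay=15, max_age=20, max_hops=20):
    """Return a list of problems; an empty list means the combination is
    consistent. Defaults are the guide's defaults."""
    problems = []
    if not 1 <= hello_time <= 10:
        problems.append(f"hello-time {hello_time} outside 1-10")
    if not 4 <= forward_delay <= 30:
        problems.append(f"forward-delay {forward_delay} outside 4-30")
    if not 6 <= max_age <= 40:
        problems.append(f"max-age {max_age} outside 6-40")
    if not 1 <= max_hops <= 40:
        problems.append(f"max-hops {max_hops} outside 1-40")
    low = 2 * (hello_time + 1)
    if max_age < low:
        # Root information would be aged out after only a hello or two.
        problems.append(f"max-age {max_age} < 2*(hello-time+1) = {low}")
    high = 2 * (forward_delay - 1)
    if max_age > high:
        # Stale topology information could outlive the listening/learning
        # period, which is how transient loops form after a change.
        problems.append(f"max-age {max_age} > 2*(forward-delay-1) = {high}")
    return problems


def mstp_timer_command(hello_time, forward_delay, max_age, max_hops, force_version=3):
    """Render the FastIron global-parameter command, refusing inconsistent
    values instead of emitting a command that weakens loop protection."""
    problems = check_mstp_timers(hello_time, forward_delay, max_age, max_hops)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"mstp force-version {force_version} forward-delay {forward_delay} "
            f"hello-time {hello_time} max-age {max_age} max-hops {max_hops}")


if __name__ == "__main__":
    print(check_mstp_timers())                # defaults: []
    print(check_mstp_timers(4, 10, 12, 9))    # the guide's example: []
    print(check_mstp_timers(2, 4, 20, 20))    # max-age too large for forward-delay 4
    print(valid_max_age_range(2, 15))         # (6, 28)
    print(mstp_timer_command(4, 10, 12, 9))
```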
Forcing Ports to Transmit an MSTP BPDU
To force a port to transmit an MSTP BPDU, use a command such as the following at the Global Configuration level:
FastIron(config)#mstp force-migration-check ethernet 3/1
Syntax: [no] mstp force-migration-check ethernet <stack-unit/slotnum/portnum>
The <stack-unit> parameter is required on FGS and FLS devices running software version 2.5 and later, and on FGS-STK and FLS-STK devices running software version 5.0 and later. The <slotnum/portnum> variable specifies the port or ports from which you want to transmit an MSTP BPDU.
Activating MSTP on a Switch
MSTP scope must be enabled on the switch as described in “Configuring MSTP Mode and Scope” on page 10-76 before MSTP can be enabled. To enable MSTP on your switch, use the following at the Global Configuration level:
FastIron(config)#mstp start
Syntax: [no] mstp start
The [no] option stops MSTP from operating on the switch.
EXAMPLE: In Figure 10.32, four Foundry devices are configured in two regions. There are four VLANs in four instances in Region 2. Region 1 is in the CIST.
Figure 10.32 Sample MSTP Configuration
(Figure: four BigIron devices, RTR1, Core1, Core2 and LAN4, in Region 1 and Region 2. Port labels shown in the drawing: 2/16, 2/13 - 2/14, 2/9 - 2/12, 10/1, 10/2, 3/17 - 3/20, 3/1 - 3/2, 3/10, 3/5 - 3/6. The links between them are not recoverable from the text.)
RTR1 Configuration
FastIron(config-vlan-4093)#tagged ethernet 10/1 to 10/2
FastIron(config-vlan-4093)#exit
FastIron(config)#mstp scope all
FastIron(config)#mstp name Reg1
FastIron(config)#mstp revision 1
FastIron(config)#mstp admin-pt2pt-mac ethernet 10/1 to 10/2
FastIron(config)#mstp start
FastIron(config)#hostname RTR1
Core 1 Configuration
FastIron(config)#trunk ethernet 2/9 to 2/12 ethernet 2/13 to 2/14
FastIron(config)#vlan 1 name DEFAULT-VLAN by port
FastIron(config-vlan-1)#exit
FastIron(config)#vlan 20 by port
FastIron(config-vlan-20)#tagged ethernet 2/9 to 2/14 ethernet 2/16
FastIron(config-vlan-20)#exit
FastIron(config)#vlan 21 by port
FastIron(config-vlan-21)#tagged ethernet 2/9 to 2/14 ethernet 2/16
FastIron(config-vlan-21)#exit
FastIron(config)#vlan 22 by port
FastIron(config-vlan-22)#tagged ethernet 2/9 to 2/14 ethernet 2/16
FastIron(config-vlan-22)#exit
FastIron(config)#vlan 23 by port
FastIron(config)#mstp scope all
FastIron(config)#mstp name HR
FastIron(config)#mstp revision 2
FastIron(config)#mstp instance 20 vlan 20
FastIron(config)#mstp instance 21 vlan 21
FastIron(config)#mstp instance 22 vlan 22
FastIron(config)#mstp instance 0 priority 8192
FastIron(config)#mstp admin-pt2pt-mac ethernet 2/9 to 2/14
FastIron(config)#mstp admin-pt2pt-mac ethernet 2/16
FastIron(config)#mstp disable ethernet 2/240.
FastIron(config)#mstp start
FastIron(config)#hostname CORE1
Core2 Configuration
FastIron(config)#trunk ethernet 3/5 to 3/6 ethernet 3/17 to 3/20
FastIron(config)#vlan 1 name DEFAULT-VLAN by port
FastIron(config-vlan-1)#exit
FastIron(config)#vlan 20 by port
FastIron(config-vlan-20)#tagged ethernet 3/5 to 3/6 ethernet 3/17 to 3/20
FastIron(config-vlan-20)#exit
FastIron(config)#vlan 21 by port
FastIron(config-vlan-21)#tagged ethernet 3/5 to 3/6 ethernet 3/17 to 3/20
FastIron(config-vlan-21)#exit
FastIron(config)#vlan 22 by port
FastIron(config-vlan-22)#tagged ethernet 3/5 to 3/6 ethernet 3/17 to 3/20
FastIron(config-vlan-22)#exit
FastIron(config)#mstp scope all
FastIron(config)#mstp name HR
FastIron(config)#mstp revision 2
FastIron(config)#mstp instance 20 vlan 20
FastIron(config)#mstp instance 21 vlan 21
FastIron(config)#mstp instance 22 vlan 22
FastIron(config)#mstp admin-pt2pt-mac ethernet 3/17 to 3/20 ethernet 3/5 to 3/6
FastIron(config)#mstp admin-pt2pt-mac ethernet 3/10
FastIron(config)#mstp disable ethernet 3/7 ethernet 3/24
FastIron(config)#mstp start
FastIron(config)#hostname CORE2
LAN 4 Configuration
FastIron(config)#trunk ethernet 3/5 to 3/6 ethernet 3/1 to 3/2
FastIron(config)#vlan 1 name DEFAULT-VLAN by port
FastIron(config-vlan-1)#exit
FastIron(config)#vlan 20 by port
FastIron(config-vlan-20)#tagged ethernet 3/1 to 3/2 ethernet 3/5 to 3/6
FastIron(config-vlan-20)#exit
FastIron(config)#vlan 21 by port
FastIron(config-vlan-21)#tagged ethernet 3/1 to 3/2 ethernet 3/5 to 3/6
FastIron(config-vlan-21)#exit
FastIron(config)#vlan 22 by port
FastIron(config-vlan-22)#tagged ethernet 3/1 to 3/2 ethernet 3/5 to 3/6
FastIron(config-vlan-22)#exit
FastIron(config)#mstp scope all
FastIron(config)#mstp name HR
FastIron(config)#mstp revision 2
FastIron(config)#mstp instance 20 vlan 20
FastIron(config)#mstp instance 21 vlan 21
FastIron(config)#mstp instance 22 vlan 22
FastIron(config)#mstp admin-pt2pt-mac ethernet 3/5 to 3/6 ethernet 3/1 to 3/2
FastIron(config)#mstp start
FastIron(config)#hostname LAN4
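The following is an added example, not code from the guide or from Foundry. It computes the IEEE 802.1s Configuration Digest that show mstp config displays from a VLAN-to-instance mapping (HMAC-MD5 over the 4096-entry MSTID table with the key the standard fixes), combines it with the name and revision to check that the Region 2 switches of the sample configuration above (CORE1, CORE2 and LAN4: name HR, revision 2, VLANs 20, 21 and 22 in instances 20, 21 and 22) really form one region, and renders the common mstp lines so that every member gets the same mapping. The fourth switch, LAN5-typo, is constructed to show what a single mis-typed VLAN does. Whether a FastIron switch displays exactly this digest for a given mapping is not stated in the guide; what the example relies on is that every member of a region must produce the same value, and that the digest for the default mapping (every VLAN in the CIST) is the well-known 0xAC36177F50283CD4B83821D8AB26DE62.

```python
"""Predict the MSTP Configuration Digest and check that switches meant to
share a region agree on name, revision and VLAN-to-instance mapping.

Added example, not Foundry code. Per IEEE 802.1s the digest is HMAC-MD5
over a table of 4096 16-bit MSTIDs indexed by VLAN ID (0..4095), keyed
with a fixed signature key. A region is identified by (name, revision,
digest); any difference on any member silently splits the region.
"""
import hashlib
import hmac

# Configuration Digest Signature Key from IEEE 802.1s (802.1Q-2005 13.7).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Digest every MSTP bridge shows before any VLAN is mapped to an MSTI.
DEFAULT_DIGEST = "ac36177f50283cd4b83821d8ab26de62"


def config_digest(vlan_to_msti):
    """vlan_to_msti: {vlan_id: instance}. VLANs not listed belong to
    instance 0 (the CIST), which is what 'mstp scope all' does for any
    VLAN that has not been pre-mapped. Returns the digest as lowercase hex."""
    table = bytearray(4096 * 2)           # entries 0 and 4095 stay 0
    for vlan, msti in vlan_to_msti.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN id {vlan} out of range")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range")
        table[2 * vlan:2 * vlan + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest()


def region_key(name, revision, vlan_to_msti):
    """The triple that must match for two bridges to be in one region."""
    return (name, revision, config_digest(vlan_to_msti))


def region_mismatches(switches):
    """switches: {hostname: (name, revision, vlan_to_msti)}.
    Returns {hostname: reason} for every switch whose region key differs
    from the first switch's; an empty dict means they all share a region."""
    hosts = list(switches)
    ref_host = hosts[0]
    ref = region_key(*switches[ref_host])
    out = {}
    for host in hosts[1:]:
        key = region_key(*switches[host])
        if key == ref:
            continue
        if key[0] != ref[0]:
            out[host] = f"name {key[0]!r} != {ref[0]!r}"
        elif key[1] != ref[1]:
            out[host] = f"revision {key[1]} != {ref[1]}"
        else:
            a, b = switches[ref_host][2], switches[host][2]
            diffs = {v: (a.get(v, 0), b.get(v, 0))
                     for v in sorted(set(a) | set(b)) if a.get(v, 0) != b.get(v, 0)}
            out[host] = f"vlan-to-instance mapping differs: {diffs}"
    return out


def render_mstp_cli(name, revision, vlan_to_msti):
    """FastIron global-config lines for one region member, in the order the
    guide's sample configuration uses. Instance 0 is the CIST and cannot be
    given on the 'mstp instance' command, so CIST VLANs are left implicit."""
    lines = ["mstp scope all", f"mstp name {name}", f"mstp revision {revision}"]
    for vlan, msti in sorted(vlan_to_msti.items()):
        if msti != 0:
            lines.append(f"mstp instance {msti} vlan {vlan}")
    lines.append("mstp start")
    return lines


# Region 2 from Figure 10.32 (CORE1, CORE2, LAN4). LAN5-typo is constructed:
# someone typed 'mstp instance 22 vlan 23' instead of 'vlan 22'.
HR = {20: 20, 21: 21, 22: 22}
REGION2 = {
    "CORE1": ("HR", 2, HR),
    "CORE2": ("HR", 2, dict(HR)),
    "LAN4": ("HR", 2, dict(HR)),
    "LAN5-typo": ("HR", 2, {20: 20, 21: 21, 23: 22}),
}

if __name__ == "__main__":
    print("default digest:", config_digest({}))
    print("HR digest:     ", config_digest(HR))
    print("mismatches:", region_mismatches(REGION2))
    print("\n".join(render_mstp_cli("HR", 2, HR)))
```

A typo in a single mstp instance line, or a revision bumped on one switch but not the others, changes the digest on that switch only; it then forms a region of its own, its region boundary ports run the CIST instead of the intended MSTIs, and the per-instance topology the design relied on is silently gone. Comparing show mstp config across members, or the key this script computes, catches that before the change goes in.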
Displaying MSTP Statistics
MSTP statistics can be displayed using the commands shown below.
To display all general MSTP information, enter the following command:
FastIron#show mstp
MSTP Instance 0 (CIST) - VLANs: 1
----------------------------------------------------------------------------
Bridge           Bridge Bridge Bridge Bridge Root   Root  Root   Root
Identifier       MaxAge Hello  FwdDly Hop    MaxAge Hello FwdDly Hop
hex              sec    sec    sec    cnt    sec    sec   sec    cnt
8000000cdb80af01 20     2      15     20     20     2     15     19

Root             ExtPath RegionalRoot     IntPath Designated       Root
Bridge           Cost    Bridge           Cost    Bridge           Port
hex                      hex                      hex
8000000480bb9876 2000    8000000cdb80af01 0       8000000480bb9876 3/1

Port Pri PortPath P2P Edge Role State      Designated Designated
Num      Cost     Mac Port            cost       bridge
3/1  128 2000     T   F    ROOT FORWARDING 0          8000000480bb9876

MSTP Instance 1 - VLANs: 2
----------------------------------------------------------------------------
Bridge           Max RegionalRoot     IntPath Designated       Root Root
Identifier       Hop Bridge           Cost    Bridge           Port Hop
hex              cnt hex                      hex                   cnt
8001000cdb80af01 20  8001000cdb80af01 0       8001000cdb80af01 Root 20

Port Pri PortPath Role   State      Designated Designated
Num      Cost                       cost       bridge
3/1  128 2000     MASTER FORWARDING 0          8001000cdb80af01
Syntax: show mstp <instance-number>
The <instance-number> variable specifies the MSTP instance for which you want to display information.
Table 10.10: Output from Show MSTP
MSTP Instance – The ID of the MSTP instance whose statistics are being displayed. For the CIST, this number is 0.
VLANs – The VLANs that are mapped to this instance of MSTP (VLAN 1 for instance 0 in the example above).
Bridge Identifier – The bridge identifier of this bridge in hex: bridge priority, system ID and MAC address.
Bridge MaxAge sec – The configured Max Age.
Bridge Hello sec – The configured Hello interval.
Bridge FwdDly sec – The configured forward delay.
Bridge Hop cnt – The configured Max Hop count.
Root MaxAge sec – Max Age configured on the root bridge.
Root Hello sec – Hello interval configured on the root bridge.
Root FwdDly sec – Forward delay interval configured on the root bridge.
Root Hop cnt – Current hop count from the root bridge.
Root Bridge – Bridge identifier of the root bridge.
ExtPath Cost – The configured path cost on a link connected to this port to an external MSTP region.
Regional Root Bridge – The bridge identifier (MAC address) of the root bridge for the local region.
IntPath Cost – The configured path cost on a link connected to this port within the internal MSTP region.
Designated Bridge – The bridge identifier of the bridge that sent the best BPDU received on this port.
Root Port – The port indicating the shortest path to the root. Set to "Root" if this bridge is the root bridge.
Port Num – The port number of the interface.
Pri – The configured priority of the port. The default is 128.
PortPath Cost – Configured or auto-detected path cost for the port.
P2P Mac – Indicates whether the port is configured with a point-to-point link:
• T – The port is configured in a point-to-point link
• F – The port is not configured in a point-to-point link
Edge Port – Indicates whether the port is configured as an operational edge port:
• T – The port is defined as an edge port
• F – The port is not defined as an edge port
Role – The current role of the port:
• Master
• Root
• Designated
• Alternate
• Backup
• Disabled
State – The port’s current spanning tree state. A port can have one of the following states:
• Forwarding
• Discarding
• Learning
• Disabled
Designated Cost – Port path cost to the root bridge.
Max Hop cnt – The maximum hop count configured for this instance.
Root Hop cnt – Hop count from the root bridge.
Displaying MSTP Information for a Specified Instance
The following example displays MSTP information for a specified MSTP instance.
FastIron#show mstp 1
MSTP Instance 1 - VLANs: 2
----------------------------------------------------------------------------
Bridge           Max RegionalRoot     IntPath Designated       Root Root
Identifier       Hop Bridge           Cost    Bridge           Port Hop
hex              cnt hex                      hex                   cnt
8001000cdb80af01 20  8001000cdb80af01 0       8001000cdb80af01 Root 20

Port Pri PortPath Role   State      Designated Designated
Num      Cost                       cost       bridge
3/1  128 2000     MASTER FORWARDING 0          8001000cdb80af01
See Table 10.10 for details about the display parameters.
Displaying MSTP Information for CIST Instance 0
Instance 0 is the Common and Internal Spanning Tree instance (CIST). When you display information for this instance, there are some differences from displaying other instances. The following example displays MSTP information for CIST instance 0.
FastIron#show mstp 0
MSTP Instance 0 (CIST) - VLANs: 1
----------------------------------------------------------------------------
Bridge           Bridge Bridge Bridge Bridge Root   Root  Root   Root
Identifier       MaxAge Hello  FwdDly Hop    MaxAge Hello FwdDly Hop
hex              sec    sec    sec    cnt    sec    sec   sec    cnt
8000000cdb80af01 20     2      15     20     20     2     15     19

Root             ExtPath RegionalRoot     IntPath Designated       Root
Bridge           Cost    Bridge           Cost    Bridge           Port
h€x                      hex                      hex
8000000480bb9876 2000    8000000cdb80af01 0       8000000480bb9876 3/1

Port Pri PortPath P2P Edge Role State      Designated Designated
Num      Cost     Mac Port            cost       bridge
3/1  128 2000     T   F    ROOT FORWARDING 0          8000000480bb9876
To display details about the MSTP configuration, enter the following command:
FastIron#show mstp conf
MSTP CONFIGURATION
------------------
Name     : Reg1
Revision : 1
Version  : 3 (MSTP mode)
Status   : Started
Instance  VLANs
--------  ------------------------------------------------------
0         4093
To display details about the MSTP that is configured on the device, enter the following command:
FastIron#show mstp detail
MSTP Instance 0 (CIST) - VLANs: 4093
----------------------------------------------------------------------------
Bridge: 800000b000c00000 [Priority 32768, SysId 0, Mac 00b000c00000]
FwdDelay 15, HelloTime 2, MaxHops 20, TxHoldCount 6
Port 6/54 - Role: DESIGNATED - State: FORWARDING
  PathCost 20000, Priority 128, OperEdge T, OperPt2PtMac F, Boundary T
  Designated - Root 800000b000c00000, RegionalRoot 800000b000c00000,
               Bridge 800000b000c00000, ExtCost 0, IntCost 0
  ActiveTimers - helloWhen 1
  MachineState - PRX-DISCARD, PTX-IDLE, PPM-SENDING_RSTP, PIM-CURRENT
                 PRT-ACTIVE_PORT, PST-FORWARDING, TCM-INACTIVE
  BPDUs - Rcvd MST 0, RST 0, Config 0, TCN 0
          Sent MST 6, RST 0, Config 0, TCN 0
See Table 10.10 for an explanation of the parameters in the output.
Syntax: show mstp [<mstp-id> | configuration | detail] [ | begin <string> | exclude <string> | include <string>]
Enter an MSTP ID for <mstp-id>.
Chapter 11
Configuring Basic Layer 2 Features
The procedures in this chapter describe how to configure basic Layer 2 parameters. Foundry devices are configured at the factory with default parameters that allow you to begin using the basic features of the system immediately. However, many of the advanced features, such as VLANs or routing protocols, must first be enabled at the system (global) level before they can be configured.
If you use the Command Line Interface (CLI) to configure system parameters, you can find these system-level parameters at the Global CONFIG level of the CLI.

NOTE:
• Before assigning or modifying any router parameters, you must assign the IP subnet (interface) addresses for each port.
• For information about configuring IP addresses, DNS resolver, DHCP assist, and other IP-related parameters, see the chapter "Configuring IP" on page 30-1.
• For information about the Syslog buffer and messages, see "Using Syslog" on page A-1.

About Port Regions

Ports on the X Series devices are grouped into regions. For a few features, you will need to know the region to which a port belongs. However, for most features, a port's region does not affect configuration or operation of the feature.

NOTE: Port regions do not apply to trunk group configurations on the X Series devices. However, port regions do apply to port monitoring and unknown unicast configurations.

FastIron Edge Switch X424 and X424HF, and FastIron Workgroup Switch X424:
• Ports 1 – 12
• Ports 13 – 24
• Port 25
• Port 26

FastIron Edge Switch X448 and FastIron Workgroup Switch X448:
• Ports 1 – 12
• Ports 13 – 24
• Ports 25 – 36
• Ports 37 – 48
• Port 49
• Port 50

FastIron SuperX:
• Management Module:
  • Ports 1 – 12
• 24-port Gigabit Ethernet Copper Interface Module:
  • Ports 1 – 12
  • Ports 13 – 24
• 24-port Gigabit Ethernet Fiber Interface Module:
  • Ports 1 – 12
  • Ports 13 – 24
• 2-port 10-Gigabit Ethernet Fiber Interface Module:
  • Port 1
  • Port 2

Enabling or Disabling the Spanning Tree Protocol (STP)

STP (IEEE 802.1D bridge protocol) is supported on all Foundry devices. STP detects and eliminates logical loops in the network. STP also ensures that the least-cost path is taken when multiple paths exist between ports or VLANs.
If the selected path fails, STP searches for and then establishes an alternate path to prevent or limit retransmission of data.

NOTE: This section provides instructions for enabling and disabling STP. For configuration procedures and information about Foundry's STP, see the chapter "Configuring Spanning Tree Protocol (STP) Related Features" on page 10-1 in this guide.

STP must be enabled at the system level to allow assignment of this capability on the VLAN level. On devices running Layer 2 code, STP is enabled by default. On devices running Layer 3 code, STP is disabled by default.

To enable STP for all ports on a Foundry device:

FastIron(config)#spanning-tree

Syntax: [no] spanning-tree

You can also enable and disable spanning tree on a port-based VLAN and on an individual port basis, and enable advanced STP features. See "Configuring Spanning Tree Protocol (STP) Related Features" on page 10-1.

Modifying STP Bridge and Port Parameters

You can modify the following STP parameters:
• Bridge parameters – forward delay, maximum age, hello time, and priority
• Port parameters – priority and path cost

For configuration details, see "Changing STP Bridge and Port Parameters" on page 10-4.

Management MAC Address for Stackable Devices

Platform Support:
• FGS-STK and FLS-STK devices running software release 05.0.00 and later

In an IronStack consisting of FGS-STK and FLS-STK devices, the management MAC address of the Active Controller is always used as the STP bridge ID. The Active Controller's management MAC address is always used for control protocols for the following reasons:
• Unlike standalone devices, each stack member has a different range of MAC addresses.
• In a stack, the management MAC address is software generated, and is always the MAC address of the Active Controller's first port. This ensures consistency across the stack during resets, assuming that the Active Controller is always the same unit.
• This helps avoid the disruption of frequent topology changes in the stack.

For more information about stacking and Foundry stackable devices, see Foundry Stackable Devices on page <cross-ref to come>.

MAC Learning Rate Control

Platform Support:
• FGS and FLS devices running software version 03.0.00 and later

FGS software release 03.0.00 adds a CLI command that lets you set a rate limit on the address-update messages sent to the CPU. The range for this rate limit is 200 – 50,000 messages per second. The MAC learning rate limit applies to each packet processor, which means that on a system with two packet processors, each processor can send address messages to the CPU at the configured rate limit.

Syntax: [no] cpu-limit addr-msgs <msgsRateLimit>

NOTE: Actual rates in hardware may vary from the configured value by +200 or -100.

Changing the MAC Age Time and Disabling MAC Address Learning

You can change the MAC address age timer using the mac-age-time command.
• On FastIron X Series devices running pre-release 02.5.00 software, and on the FastIron GS, learned MAC address entries do not age out until they are unused for 300 – 600 seconds.
• On FastIron X Series devices running software release 02.5.00 or later, the maximum number of seconds that can be allocated to the MAC age timer has increased from 600 seconds to 14000 seconds. In addition, you can specify the MAC age timer in 10-second intervals, whereas releases prior to 02.5.00 allow 60-second intervals only. For example, in release 02.5.00, you can specify 10, 20, or 14000 as the MAC age timer, but not 122. In releases prior to 02.5.00, you can specify 60 and 120, but not 100.

To change the MAC age time, enter a command such as the following:

FastIron(config)#mac-age-time 60

Syntax: [no] mac-age-time <secs>

<secs> specifies the number of seconds.
Possible values differ depending on the version of software running on your device, as follows:
• On FastIron X Series devices running pre-release 02.5.00 software, and on FastIron GS devices, you can configure 0 or a value from 60 – 600 (seconds), in 60-second intervals. If you set the MAC age time to 0, aging is disabled.
• On FastIron X Series devices running software release 02.5.00 through 03.1.00x, you can configure 0 or a value from 10 – 14000 (seconds), in 10-second intervals. If you set the MAC age time to 0, aging is disabled.
• On FastIron X Series devices running software FSX release 03.2.00 or later, you can configure 0 or a value from 10 – 86,400 (seconds), in 10-second intervals. If you set the MAC age time to 0, aging is disabled.

NOTE: Usually, the actual MAC age time is from one to two times the configured value. For example, if you set the MAC age timer to 60 seconds, learned MAC entries age out after remaining unused for between 60 and 120 seconds. However, if all of the following conditions are met, the MAC entries age out after a longer than expected duration:
• The MAC age timer is greater than 630 seconds.
• The number of MAC entries is over 6000.
• All MAC entries are learned from the same packet processor.
• All MAC entries age out at the same time.

Disabling the Automatic Learning of MAC Addresses

Platform Support:
• FastIron X Series devices running software release 03.2.00 and later
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

By default, when a packet with an unknown source MAC address is received on a port, the Foundry device learns this MAC address on the port.
You can prevent a physical port from learning MAC addresses by entering the following commands:

FastIron(config)#interface ethernet 3/1
FastIron(config-if-e1000-3/1)#mac-learn-disable

Syntax: [no] mac-learn-disable

Use the no form of the command to allow a physical port to learn MAC addresses again.

Configuration Notes and Feature Limitations
• This command is not available on virtual routing interfaces. Also, if this command is configured on the primary port of a trunk, MAC address learning is disabled on all the ports in the trunk.
• Entering the mac-learn-disable command on a tagged port disables MAC learning for that port in all VLANs of which the port is a member. For example, if tagged port 3/1 is a member of VLANs 10, 20, and 30 and you issue the mac-learn-disable command on port 3/1, port 3/1 does not learn MAC addresses in any of those VLANs.

Displaying the MAC Address Table

To display the MAC table, enter the following command:

FastIron#show mac-address
Total active entries from all ports = 3
Total static entries from all ports = 1
MAC-Address      Port  Type     VLAN
1234.1234.1234   15    Static   1
0004.8038.2f24   14    Dynamic  1
0004.8038.2f00   13    Dynamic  1
0010.5a86.b159   10    Dynamic  1

In the output of the show mac-address command, the Type column indicates whether the MAC entry is static or dynamic. A static entry is one you create using the static-mac-address command. A dynamic entry is one that the software learns from network traffic.

The output of the show mac-address command on FESX, FSX, and FWSX devices includes an Index column, which indicates the index at which the entry exists in the hardware MAC table.

NOTE: The show mac-address command output does not include MAC addresses for management ports, since these ports do not support typical MAC learning and MAC-based forwarding.
Configuring Static MAC Entries

Static MAC addresses can be assigned to Foundry devices.

NOTE: Foundry devices running Layer 3 code also support the assignment of static IP routes, static ARP, and static RARP entries. For details on configuring these types of static entries, see "Configuring Static Routes" on page 30-34 and "Creating Static ARP Entries" on page 30-30.

You can manually input the MAC address of a device to prevent it from being aged out of the system address table. This option can be used to prevent traffic for a specific device, such as a server, from flooding the network when that device is down. Additionally, a static MAC address entry can be used to assign a higher priority to a specific MAC address. You can specify traffic priority (QoS) and VLAN membership (VLAN ID) for the MAC address, as well as the device type of either router or host.

The default and maximum configurable MAC table sizes can differ depending on the device. To determine the default and maximum MAC table sizes for your device, display the system parameter values. See "Displaying and Modifying System Parameter Default Settings" on page 11-13.

Multi-Port Static MAC Address

Platform Support:
• FGS and FLS devices running software release 04.1.00 and later
• FWS devices running software release 04.3.00 or later
• FastIron X Series devices running software release 04.1.00 and later – L2, BL3, L3
• FGS-STK and FLS-STK devices running software release 05.0.00 and later

Many applications, such as Microsoft NLB, Juniper IPS, and Netscreen Firewall, use the same MAC address to announce load-balancing services. As a result, a switch must be able to learn the same MAC address on several ports. Multi-port static MAC allows you to statically configure a MAC address on multiple ports using a single command.

Starting in software release FSX 04.2.00, this feature can be used to configure unicast as well as IPv4 and IPv6 multicast MAC addresses on one or more ports. However, when a multicast MAC address is configured, the corresponding MAC address entry cannot be used for IGMP snooping. In releases prior to FSX 04.2.00, this feature can be used to configure unicast MAC addresses only. For IPv4 multicast addresses (range 0100.5e00.0000 to 0100.5e7f.ffff) and IPv6 multicast addresses (range 3333.0000.0000 to 3333.ffff.ffff), use IGMP/MLD snooping. Other multicast addresses can also be configured on the ports using this feature.

Configuration Notes
• The FastIron GS and LS, and GS-STK and LS-STK, support a maximum of 7 multi-port static MAC addresses.
• FastIron X Series devices support a maximum of 15 multi-port static MAC addresses.
• Hosts or physical interfaces normally join multicast groups dynamically, but you can also statically configure a host or an interface to join a multicast group.
• The following limitations apply to FastIron GS and LS, and GS-STK and LS-STK devices, FastIron X Series devices running pre-release FSX 04.2.00 software, and FastIron X Series devices running release FSX 04.2.00 or later that have the source_port_group_suppression_enable flag enabled:
  • This feature is not supported on ports that are already deployed in a trunk. If attempted, the system returns a port overlap error.
  • External trunks cannot be created and deployed on ports on which static MAC addresses are configured.
  • This feature is not supported on a set of ports that overlaps with a set of ports on which static MAC entries are configured, unless the port list in both sets is identical.

NOTE: For more information about source port group suppression, see "Configuring a Multi-Port Static MAC Address with Source Port Group Suppression" on page 11-6.
Configuring a Multi-Port Static MAC Address

For example, to add a static entry for a server with a MAC address of 0045.5563.67ff and a priority of 7, enter the following command:

FastIron(config)#static-mac-address 0045.5563.67ff ethernet 4/2 ethernet 4/3 ethernet 4/4 priority 7

To specify a range of ports, enter the following command:

FastIron(config)#static-mac-address 0045.5563.67ff ethernet 4/2 to 4/6 priority 7

Syntax: [no] static-mac-address <mac-addr> ethernet [<slotnum>/]<portnum> ethernet [<slotnum>/]<portnum> ethernet [<slotnum>/]<portnum> ... [priority <num>]

OR

Syntax: [no] static-mac-address <mac-addr> ethernet [<slotnum>/]<portnum> to ethernet [<slotnum>/]<portnum> [priority <num>]

The <slotnum> parameter is required on chassis devices. The <portnum> parameter is a valid port number.

The priority <num> is optional and can be a value from 0 – 7 (0 is the lowest priority and 7 is the highest priority). The default priority is 0.

NOTE: The location of the static-mac-address command in the CLI depends on whether you configure port-based VLANs on the device. If the device does not have more than one port-based VLAN (VLAN 1, which is the default VLAN that contains all the ports), the static-mac-address command is at the global CONFIG level of the CLI. If the device has more than one port-based VLAN, then the static-mac-address command is not available at the global CONFIG level. In this case, the command is available at the configuration level for each port-based VLAN.

Configuring a Multi-Port Static MAC Address with Source Port Group Suppression

Platform Support:
• FastIron X Series devices running software release 04.2.00 and later – L2, BL3, L3

In releases prior to FSX 04.2.00, multi-port static MAC entries are not supported on ports that are part of a trunk group. This is because the Foundry device creates an internal trunk to bundle the ports together for the multi-port static MAC configuration. Since a switch port can be a member of only one trunk at a time, trunking is not supported with multi-port static MAC entries.

Starting in software release 04.2.00, multi-port static MAC entries are supported by default on ports that are part of a trunk group. If desired, you can configure the device to work as in pre-release FSX 04.2.00 by enabling source port group suppression. When it is enabled, packets coming in through one of the specified ports with a destination MAC address equal to the configured static MAC address are not forwarded back out to this set of ports.

When source port group suppression is enabled, the following limitations apply:
• Multi-port static MAC address entries are not supported on ports that are already deployed in a trunk. If configuration is attempted, the system returns a port overlap error.
• External trunks cannot be created and deployed on ports on which static MAC addresses with source port group suppression are enabled.
• Multi-port static MAC address entries are not supported on a set of ports that overlaps with a set of ports on which static MAC entries are configured, unless the port list in both sets is identical.

To add a static entry for a server with a MAC address of 0045.5563.67ff and enable source port group suppression, enter a command such as the following:

FastIron(config)#static-mac-address 0045.5563.67ff ethernet 4/2 to 4/6 source_port_group_suppression_enable priority 7

Syntax: [no] static-mac-address <mac-addr> ethernet [<slotnum>/]<portnum> ethernet [<slotnum>/]<portnum> ethernet [<slotnum>/]<portnum> ... [source_port_group_suppression_enable] [priority <num>]

OR

Syntax: [no] static-mac-address <mac-addr> ethernet [<slotnum>/]<portnum> to ethernet [<slotnum>/]<portnum> [source_port_group_suppression_enable] [priority <num>]

The <slotnum> parameter is required on chassis devices. The <portnum> parameter is a valid port number.

The source_port_group_suppression_enable parameter is optional. It creates an internal trunk for the specified ports.

The priority <num> is optional and can be a value from 0 – 7 (0 is the lowest priority and 7 is the highest priority). The default priority is 0.

NOTE: As for the basic multi-port static MAC command, the location of the static-mac-address command in the CLI depends on whether you configure port-based VLANs on the device: with only the default VLAN 1 it is at the global CONFIG level; with more than one port-based VLAN it is available only at the configuration level for each port-based VLAN.

Configuring VLAN-based Static MAC Entries

Platform Support:
• FastIron X Series devices running software release 04.0.00 and later – L2, BL3, and L3
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

You can configure a VLAN to drop packets that have a particular source or destination MAC address. You can configure a maximum of 2048 static MAC address drop entries on a Foundry device. Use the show running-config command to view the static MAC address drop entries currently configured on the device.

Command Syntax

To configure VLAN 2 to drop packets with a source or destination MAC address of 1145.5563.67FF, enter the following commands:

FastIron(config)#vlan 2
FastIron(config-vlan-2)#static-mac-address 1145.5563.67FF drop

Syntax: [no] static-mac-address <mac-addr> drop

Use the no form of the command to remove the static MAC address drop configuration.
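The rules of the multi-port static MAC subsections above, checked in one place by an added Python example (not Foundry code): it classifies the address (unicast, the IPv4 and IPv6 snooping ranges, other multicast), expands the ethernet port-list syntax, and applies the per-platform entry limits and the trunk/port-overlap restrictions that hold for GS/LS and STK devices, for X Series releases before FSX 04.2.00, and for X Series devices with source port group suppression. The limits and address ranges are the ones stated above; the platform table, the function names, the release comparison and the sample port sets are this example's own assumptions.

```python
# Added example, not Foundry code: checks a planned multi-port static MAC entry
# against the rules stated in the subsections above.  The platform limit table
# (7 for GS/LS and the STK variants, 15 for the X Series), the snooping address
# ranges and the overlap rules come from the text; the function names, the
# release-comparison logic and the sample port sets are this example's own.
from typing import List, Set, Tuple

IPV4_MCAST = (0x01005e000000, 0x01005e7fffff)   # 0100.5e00.0000 - 0100.5e7f.ffff
IPV6_MCAST = (0x333300000000, 0x3333ffffffff)   # 3333.0000.0000 - 3333.ffff.ffff
MAX_MULTIPORT_ENTRIES = {"FGS": 7, "FLS": 7, "FGS-STK": 7, "FLS-STK": 7,
                         "FESX": 15, "FWSX": 15, "FSX": 15}
X_SERIES = {"FESX", "FWSX", "FSX"}


def mac_to_int(mac: str) -> int:
    """Parse Foundry dotted notation (aabb.ccdd.eeff) into an integer."""
    digits = mac.replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def classify_mac(mac: str) -> str:
    """unicast, ipv4-multicast, ipv6-multicast, or other-multicast (I/G bit set)."""
    value = mac_to_int(mac)
    if IPV4_MCAST[0] <= value <= IPV4_MCAST[1]:
        return "ipv4-multicast"
    if IPV6_MCAST[0] <= value <= IPV6_MCAST[1]:
        return "ipv6-multicast"
    if (value >> 40) & 1:            # low bit of the first byte marks a group address
        return "other-multicast"
    return "unicast"


def expand_ports(spec: str) -> Set[str]:
    """Expand 'ethernet 4/2 ethernet 4/3' or 'ethernet 4/2 to [ethernet] 4/6' into a port set."""
    tokens = spec.split()
    ports: List[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "ethernet" and i + 1 < len(tokens):
            ports.append(tokens[i + 1])
            i += 2
        elif tokens[i] == "to" and ports and i + 1 < len(tokens):
            start = ports.pop()
            j = i + 2 if tokens[i + 1] == "ethernet" else i + 1
            if j >= len(tokens):
                raise ValueError(f"range without end port in {spec!r}")
            end = tokens[j]
            slot, lo = start.rsplit("/", 1) if "/" in start else ("", start)
            slot2, hi = end.rsplit("/", 1) if "/" in end else ("", end)
            if slot != slot2:
                raise ValueError(f"range {start} to {end} spans slots")
            prefix = slot + "/" if slot else ""
            ports.extend(f"{prefix}{n}" for n in range(int(lo), int(hi) + 1))
            i = j + 1
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} in {spec!r}")
    return set(ports)


def check_multiport_entry(platform: str, mac: str, ports: Set[str],
                          existing: List[Set[str]], trunk_ports: Set[str],
                          release: str = "04.3.00",
                          suppression: bool = False) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for adding a static entry for `mac` on `ports`.

    `existing` holds the port sets of entries already configured, `trunk_ports`
    the ports already deployed in trunks.  `release` is consulted for the X Series only.
    """
    errors: List[str] = []
    warnings: List[str] = []
    if platform not in MAX_MULTIPORT_ENTRIES:
        raise ValueError(f"unknown platform {platform!r}")
    x_series = platform in X_SERIES
    rel = tuple(int(p) for p in release.split("."))
    kind = classify_mac(mac)
    if kind != "unicast":
        if x_series and rel < (4, 2, 0):
            errors.append(f"{mac} is {kind}: before FSX 04.2.00 only unicast entries are supported")
        elif kind == "other-multicast":
            warnings.append(f"{mac} is multicast: the static entry cannot be used for IGMP snooping")
        else:
            warnings.append(f"{mac} is in the {kind} range: use IGMP/MLD snooping instead")
    limit = MAX_MULTIPORT_ENTRIES[platform]
    if len(existing) >= limit:
        errors.append(f"{platform} supports at most {limit} multi-port static MAC addresses")
    # GS/LS (and STK), X Series before 04.2.00, and X Series with source port group
    # suppression bundle the ports into an internal trunk, so the overlap rules apply.
    if (not x_series) or rel < (4, 2, 0) or suppression:
        clash = ports & trunk_ports
        if clash:
            errors.append(f"port overlap error: {sorted(clash)} already deployed in a trunk")
        for other in existing:
            if ports & other and ports != other:
                errors.append(f"port list {sorted(ports)} overlaps {sorted(other)} "
                              "without being identical")
    return errors, warnings


if __name__ == "__main__":
    # Constructed scenario: one entry already on 4/2-4/4, a trunk on 4/7-4/8.
    new_ports = expand_ports("ethernet 4/2 to 4/6")
    print(check_multiport_entry("FSX", "0045.5563.67ff", new_ports, [{"4/2", "4/3", "4/4"}], {"4/7", "4/8"}))
    print(check_multiport_entry("FSX", "0045.5563.67ff", new_ports, [{"4/2", "4/3", "4/4"}], {"4/7", "4/8"},
                                suppression=True))
```

Run stand-alone, the first call (FSX 04.3.00 without suppression) returns no errors, while the second shows that turning on source port group suppression reinstates the overlap error against the existing 4/2 – 4/4 entry.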
Clearing MAC Address Entries

You can remove learned MAC address entries from the MAC address table. The types of MAC address entries that can be removed are as follows:
• All MAC address entries
• All MAC address entries for a specified Ethernet port
• All MAC address entries for a specified VLAN
• A specified MAC address entry in all VLANs

For example, to remove entries for the MAC address 000d.cb80.00d0 in all VLANs, enter the following command at the Privileged EXEC level of the CLI:

FastIron#clear mac-address 000d.cb80.00d0

Syntax: clear mac-address [<mac-address> | ethernet <port-num> | vlan <vlan-num>]

If you enter clear mac-address without any parameter, the software removes all MAC address entries.

Use the <mac-address> parameter to remove a specific MAC address from all VLANs. Specify the MAC address in the following format: HHHH.HHHH.HHHH.

Use the ethernet <port-num> parameter to remove all MAC addresses for a specific Ethernet port.

Use the vlan <vlan-num> parameter to remove all MAC addresses for a specific VLAN.

Enabling Port-Based VLANs

When using the CLI, port-based and protocol-based VLANs are created by entering one of the following commands at the global CONFIG level of the CLI.

To create a port-based VLAN, enter commands such as the following:

FastIron(config)#vlan 222 by port
FastIron(config)#vlan 222 name Mktg

Syntax: vlan <num> by port

Syntax: vlan <num> name <string>

The <num> parameter specifies the VLAN ID. The valid range for VLAN IDs starts at 1 on all systems, but the upper limit of the range differs depending on the device. In addition, you can change the upper limit on some devices using the system max-vlans... command.

The <string> parameter is the VLAN name and can be a string of up to 32 characters. You can use blank spaces in the name if you enclose the name in double quotes (for example, "Product Marketing").

You can configure up to 4063 port-based VLANs on a device running Layer 2 code or 4061 port-based VLANs on a device running Layer 3 code. Each port-based VLAN can contain either tagged or untagged ports. A port cannot be a member of more than one port-based VLAN unless the port is tagged. On both device types, valid VLAN IDs are 1 – 4095. You can configure up to the maximum number of VLANs within that ID range.

NOTE: VLAN IDs 4087, 4090, and 4093 are reserved for Foundry internal use only. VLAN 4094 is reserved for use by Single STP. Also, in releases prior to 04.0.00, VLAN IDs 4091 and 4092 are reserved for Foundry internal use only. Starting in release 04.0.00, if you want to use VLANs 4091 and 4092 as configurable VLANs, you can assign their reserved functions to different VLAN IDs. For more information, see "Assigning Different VLAN IDs to Reserved VLANs 4091 and 4092" on page 16-15.

NOTE: The second command (vlan <num> name <string>) is optional and also creates the VLAN if the VLAN does not already exist. You can enter the first command after you enter the second command if you first exit to the global CONFIG level of the CLI.

Assigning IEEE 802.1Q Tagging to a Port

When a port is tagged, it allows communication among the different VLANs to which it is assigned. A common use for this might be to place an email server that multiple groups need access to on a tagged port, which in turn is resident in all VLANs that need access to the server.

NOTE: Tagging does not apply to the default VLAN.

When using the CLI, ports are defined as either tagged or untagged at the VLAN level.

Command Syntax

Suppose you want to make port 5 a tagged member of port-based VLAN 4. To do so, enter the following:

FastIron(config)#vlan 4
FastIron(config-vlan-4)#tagged e 5

Syntax: tagged ethernet [<slotnum>/]<portnum> [to [<slotnum>/]<portnum> [ethernet [<slotnum>/]<portnum>...]]

The <slotnum> parameter is required on chassis devices.
Defining MAC Address Filters

MAC layer filtering enables you to build access lists based on MAC layer headers in the Ethernet/IEEE 802.3 frame. You can filter on the source and destination MAC addresses. The filters apply to incoming traffic only.

You configure MAC filters globally, then apply them to individual interfaces. To apply MAC filters to an interface, you add the filters to that interface's MAC filter group.

NOTE: FastIron GS-STK and FastIron LS-STK devices do not support configuring both global DoS attack protection and MAC filters.

The device takes the action associated with the first matching filter. If the packet does not match any of the filters in the access list, the default action is to drop the packet. If you want the system to permit traffic by default, you must specifically indicate this by making the last entry in the access list a permit filter. Here is an example: mac filter <last-index-number> permit any any.

For devices running Layer 3 code, the MAC filter is applied only to those inbound packets that are to be switched. This includes those ports associated with a virtual routing interface. However, the filter is not applied to the virtual routing interface. It is applied to the physical port.

When you create a MAC filter, it takes effect immediately. You do not need to reset the system. However, you do need to save the configuration to flash memory to retain the filters across system resets.

Configuration Notes and Limitations
• MAC filtering on FastIron devices is performed in hardware.
• Layer 2 MAC filtering on FastIron devices differs from other Foundry devices in that you can only filter on source and destination MAC addresses. Other Foundry devices allow you to also filter on the encapsulation type and frame type.
• Layer 2 MAC filtering on FastIron devices differs from the FES and BigIron in that MAC filtering applies to all traffic, including management traffic. To exclude management traffic from being filtered, configure a MAC filter that explicitly permits all traffic headed to the management MAC (destination) address. The MAC address for management traffic is always the MAC address of port 1.

The following configuration notes apply to Foundry Layer 3 devices:
• Use MAC Layer 2 filters only for switched traffic. If a routing protocol (for example, IP) is configured on an interface, a MAC filter defined on that interface is not applied to inbound packets. If you want to filter inbound routed traffic, configure a route filter.
• You cannot use Layer 2 filters to filter Layer 4 information.
• MAC Layer 2 filters are not supported on tagged ports in the base Layer 3 and full Layer 3 images.

Command Syntax

To configure and apply a MAC filter, enter commands such as the following:

FastIron(config)#mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any
FastIron(config)#mac filter 1024 permit any any
FastIron(config)#int e 1
FastIron(config-if-e1000-1)#mac filter-group 1 1024

These commands configure a filter that denies traffic with a source MAC address beginning with "3565" to any destination, and a second filter that permits all traffic not denied by another filter. The filter group then applies both filters to port 1.

NOTE: Once you apply a MAC filter to a port, the device drops all Layer 2 traffic on the port that does not match a MAC permit filter on the port.

Syntax: [no] mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any

The permit | deny argument determines the action the software takes when a match occurs.

The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address value and a comparison mask, or the keyword any to filter on all MAC addresses. Specify the mask using f's (ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes. The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a mask. In this case, the filter matches on all MAC addresses.

The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same as those for the <src-mac> <mask> | any parameter.

Syntax: [no] mac filter log-enable

Globally enables logging for filtered packets.

Syntax: [no] mac filter-group log-enable

Enables logging for filtered packets on a specific port.

Syntax: [no] mac filter-group <filter-list>

Applies MAC filters to a port.

NOTE: The filters must be applied as a group. For example, if you want to apply four filters to an interface, they must all appear on the same command line.

NOTE: You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the filter group again containing all the filters you want to apply to the port.

NOTE: If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced by the new filter group.

When a MAC filter is applied to or removed from an interface, a Syslog message such as the following is generated:

SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter applied to port 0/1/2 by tester from telnet session (filter id=5 ).
SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter removed from port 0/1/2 by tester from telnet session (filter id=5 ).

The Syslog messages indicate that a MAC filter was applied to or removed from the specified port by the specified user during the specified session type. Session type can be Console, Telnet, SSH, Web, SNMP, or others. The filter IDs that were added or removed are listed.
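Because a removed or replaced filter group silently changes what a port accepts, the apply/remove messages above are worth collecting. The following is an added Python example (not Foundry code) that parses messages in the format shown and lists the events an operator would review: every removal, and every change made over a session type the site does not treat as trusted. The sample lines are constructed from the two messages above; the TRUSTED_SESSIONS set and the function names are this example's own choices.

```python
# Added example, not Foundry code: parses the MAC filter apply/remove Syslog
# messages shown above and lists the events an operator would review (filters
# removed, or changed over a session type the site does not treat as trusted).
# The sample lines are constructed from the chapter's message format; the
# TRUSTED_SESSIONS set is this example's own choice.
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?:SYSLOG:\s*)?<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"MAC Filter (?P<action>applied to|removed from) port (?P<port>\S+) "
    r"by (?P<user>\S+) from (?P<session>\w+) session \(filter id=(?P<ids>[^)]*)\)\.?$"
)
TRUSTED_SESSIONS = {"console", "ssh"}   # assumption: Telnet/Web/SNMP changes get flagged


@dataclass
class FilterEvent:
    host: str
    timestamp: str
    facility: int
    severity: int
    action: str             # "applied" or "removed"
    port: str
    user: str
    session: str
    filter_ids: List[int]


def parse_event(line: str) -> Optional[FilterEvent]:
    """Return a FilterEvent for a MAC filter apply/remove message, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    return FilterEvent(
        host=m["host"], timestamp=m["ts"],
        facility=pri >> 3, severity=pri & 7,      # RFC 3164: PRI = facility*8 + severity
        action="applied" if m["action"] == "applied to" else "removed",
        port=m["port"], user=m["user"], session=m["session"].lower(),
        filter_ids=[int(x) for x in m["ids"].split()],
    )


def review_findings(lines: List[str]) -> List[str]:
    """One finding per filter removal, and per change made from an untrusted session."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.action == "removed":
            findings.append(f"{ev.host} {ev.timestamp}: filters {ev.filter_ids} removed "
                            f"from {ev.port} by {ev.user} ({ev.session})")
        elif ev.session not in TRUSTED_SESSIONS:
            findings.append(f"{ev.host} {ev.timestamp}: filters {ev.filter_ids} applied "
                            f"to {ev.port} by {ev.user} over untrusted {ev.session}")
    return findings


SAMPLE_LOG = [   # constructed from the two messages shown in the text
    "SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter applied to port 0/1/2 by tester from telnet session (filter id=5 ).",
    "SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter removed from port 0/1/2 by tester from telnet session (filter id=5 ).",
    "<14>Jan 1 00:05:10 10.44.9.11 MAC Filter applied to port 0/1/3 by admin from console session (filter id=1 3 4 5 10 ).",
    "<14>Jan 1 00:06:00 10.44.9.11 System: Interface ethernet 0/1/3, state up",
]

if __name__ == "__main__":
    for finding in review_findings(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the first line is reported because it came in over Telnet, the second because it removed a filter, and the console change and the unrelated interface message produce nothing. The PRI value <14> decodes to facility 1 (user) and severity 6 (informational), which is why these messages are easy to lose unless something looks for them by content.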
Enabling Logging of Management Traffic Permitted by MAC Filters You can configure the Foundry device to generate Syslog entries and SNMP traps for management traffic that is permitted by Layer 2 MAC filters. Management traffic applies to packets that are destined for the CPU, such as control packets. You can enable logging of permitted management traffic on a global basis or an individual port basis. The first time an entry in a MAC filter permits a management packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap. Messages for management packets permitted by MAC filters are at the warning level of the Syslog. When the first Syslog entry for a management packet permitted by a MAC filter is generated, the software starts a five-minute timer. After this, the software sends Syslog messages every five minutes. The messages list the number of management packets permitted by each MAC filter during the previous five-minute interval. If a MAC filter does not permit any packets during the five-minute interval, the software does not generate a Syslog entry for that MAC filter. NOTE: For a MAC filter to be eligible to generate a Syslog entry for permitted management packets, logging must be enabled for the filter. The Syslog contains entries only for the MAC filters that permit packets and have logging enabled. When the software places the first entry in the log, the software also starts the five-minute timer for subsequent log entries. Thus, five minutes after the first log entry, the software generates another log entry and SNMP trap for permitted management packets. Configuration Notes MAC filter logging is supported in the following FastIron configurations: • FESX devices running software release 02.1.01 or later • All FSX devices and associated software releases • All FWSX devices and associated software releases These releases support MAC filter logging of management traffic only. 
Command Syntax

To configure Layer 2 MAC filter logging globally, enter the following CLI commands at the global CONFIG level:

FastIron(config)#mac filter log-enable
FastIron(config)#write memory

Syntax: [no] mac filter log-enable

To configure Layer 2 MAC filter logging for MAC filters applied to ports 1 and 3, enter the following CLI commands:

FastIron(config)#int ethernet 1
FastIron(config-if-e1000-1)#mac filter-group log-enable
FastIron(config-if-e1000-1)#int ethernet 3
FastIron(config-if-e1000-3)#mac filter-group log-enable
FastIron(config-if-e1000-3)#write memory

Syntax: [no] mac filter-group log-enable

MAC Filter Override for 802.1X-Enabled Ports

Platform Support:

• FastIron X Series devices running software release 03.1.00a and later
• FGS and FLS devices running software release 4.1 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later

The MAC filtering feature on an 802.1X-enabled port allows 802.1X and non-802.1X devices to share the same physical port. For example, this feature enables you to connect a PC and a non-802.1X device, such as a Voice Over IP (VOIP) phone, to the same 802.1X-enabled port on the Foundry device. The IP phone will bypass 802.1X authentication and the PC will require 802.1X authentication.

To enable this feature, first create a MAC filter, then bind it to an interface on which 802.1X is enabled. The MAC filter includes a mask that can match on any number of bytes in the MAC address. The mask can eliminate the need to enter MAC addresses for all non-802.1X devices connected to the Foundry device, and the ports to which these devices are connected.

Configuration Notes

• This feature is supported on untagged, tagged, and dual-mode ports.
• You can configure this feature on ports that have ACLs and MAC filters defined.
Configuration Syntax

To configure MAC filtering on an 802.1X-enabled port, enter commands such as the following:

FastIron#(config)#mac filter 1 permit 0050.04ab.9429 ffff.ffff.0000 any
FastIron#(config)#int e1/2
FastIron#(config-if-e1000-1/2)#dot1x auth-filter 1 3 to 5 10

The first line defines a MAC filter that matches on the first four bytes (ffff.ffff.0000) of the source MAC address 0050.04ab.9429, and any destination MAC address. The permit action creates an 802.1X session in the FORCE AUTHORIZE state, meaning that the device is placed unconditionally in the authorized state, bypassing 802.1X authentication and allowing all traffic from the specified MAC address. If no match is found, the implicit action is to authenticate the client. The last line binds MAC filters 1, 3, 4, 5, and 10 to interface 2.

Syntax: mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any

Syntax: dot1x auth-filter <filter-list>

The permit | deny argument determines the action the software takes when a match occurs. In the previous example, the permit action creates an 802.1X session in the FORCE AUTHORIZE state, meaning that the device is placed unconditionally in the authorized state, bypassing 802.1X authentication and allowing all traffic from the specified MAC address. The deny action creates an 802.1X session in the FORCE UNAUTHORIZE state, meaning that the device will never be authorized, even if it has the appropriate credentials.

The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address value and a comparison mask, or the keyword any to filter on all MAC addresses. Specify the mask using f (ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000.
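As an added example (not Foundry's code), the following Python models the mask matching and the dot1x auth-filter actions described above: permit yields FORCE AUTHORIZE, deny yields FORCE UNAUTHORIZE, and no match leaves the client to 802.1X authentication. It also expands a <filter-list> such as "1 3 to 5 10" the way the guide reads it. Filter 3 and all tested addresses are constructed, and the assumption that the first matching bound filter decides the outcome is mine, not stated by the guide.

```python
from dataclasses import dataclass
from typing import List, Optional

def parse_mac(mac: str) -> int:
    """Foundry dotted-hex notation (aabb.ccdd.eeff) to an integer."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address or mask: {mac}")
    return int(digits, 16)

def mac_matches(addr: str, pattern: str, mask: Optional[str]) -> bool:
    """'any' matches every address; otherwise only the bits set in the mask are compared."""
    if pattern == "any":
        return True
    m = parse_mac(mask)
    return (parse_mac(addr) & m) == (parse_mac(pattern) & m)

def parse_filter_list(expr: str) -> List[int]:
    """Expand a <filter-list> such as '1 3 to 5 10' into [1, 3, 4, 5, 10]."""
    tokens = expr.split()
    out, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.extend(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.append(int(tokens[i]))
            i += 1
    return out

@dataclass(frozen=True)
class MacFilter:
    action: str               # "permit" or "deny"
    src: str                  # source address or "any"
    src_mask: Optional[str]   # None when src is "any"; dot1x auth-filter ignores dest-mac

# Constructed filter table: filter 1 is the guide's example, filter 3 is made up.
FILTERS = {
    1: MacFilter("permit", "0050.04ab.9429", "ffff.ffff.0000"),
    3: MacFilter("deny", "00aa.bbcc.0000", "ffff.ffff.0000"),
}

def dot1x_auth_decision(src_mac: str, filter_list: str) -> str:
    """permit -> FORCE AUTHORIZE, deny -> FORCE UNAUTHORIZE, no match -> authenticate.
    Assumption: the first matching filter in the bound list decides."""
    for num in parse_filter_list(filter_list):
        f = FILTERS.get(num)  # bound numbers with no definition are skipped
        if f and mac_matches(src_mac, f.src, f.src_mask):
            return "FORCE AUTHORIZE" if f.action == "permit" else "FORCE UNAUTHORIZE"
    return "AUTHENTICATE"
```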
The filter matches on all MAC addresses that contain aabb as the first two bytes and accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a mask. In this case, the filter matches on all MAC addresses. If no match is found, the implicit action is to authenticate the client.

The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same as those for the <src-mac> <mask> | any parameter. Note that the 802.1x Authentication filter (dot1x auth-filter) does not use the destination MAC address in the MAC filter.

The <filter-num> command identifies the MAC filter. The maximum number of supported MAC filters is determined by the mac-filter-sys default or configured value.

The dot1x auth-filter <filter-list> command binds MAC filters to a port. The following rules apply when using the dot1x auth-filter command:

• When you add filters to or modify the dot1x auth-filter, the system clears all 802.1X sessions on the port. Consequently, all users that are logged in will need to be re-authenticated.
• The maximum number of filters that can be bound to a port is limited by the mac-filter-port default or configured value.
• The filters must be applied as a group. For example, if you want to apply four filters to an interface, they must all appear on the same command line.
• You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the filter group again containing all the filters you want to apply to the port. If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced by the new filter group.

Locking a Port to Restrict Addresses

Address-lock filters allow you to limit the number of devices that have access to a specific port. Access violations are reported as SNMP traps. This feature is disabled by default. A maximum of 2048 entries can be specified for access.
The default address count is eight.

Configuration Notes

• Static trunk ports and link-aggregation configured ports on FastIron devices do not support the lock-address option.
• The MAC port security feature is a more robust version of this feature. See the chapter “Using the MAC Port Security Feature” on page 44-1.

Command Syntax

To enable address locking for port 2 and place a limit of 15 entries, enter a command such as the following:

FastIron(config)#lock e 2 addr 15

Syntax: lock-address ethernet [<stack-unit>/<slotnum>/]<portnum> [addr-count <num>]

The <stack-unit> parameter is required on FastIron GS and LS devices running software release 02.5.00 or later, and FastIron GS-STK and FastIron LS-STK devices running software release 05.0.00 and later.

The <slotnum> parameter is required on chassis devices and on FastIron GS devices running software release 02.5.00 or later.

The <portnum> parameter is a valid port number.

The <num> parameter is a value from 1 – 2048.

Displaying and Modifying System Parameter Default Settings

Foundry devices have default table sizes for the system parameters shown in the following display outputs. The table sizes determine the maximum number of entries the tables can hold. You can adjust individual table sizes to accommodate your configuration needs.

The tables you can configure, as well as the default values and valid ranges for each table, differ depending on the Foundry device you are configuring. To display the adjustable tables on your Foundry device, use the show default values command. The following shows example outputs.

Configuration Considerations

• Changing the table size for a parameter reconfigures the device’s memory. Whenever you reconfigure the memory on a Foundry device, you must save the change to the startup-config file, then reload the software to place the change into effect.
• Configurable tables and their defaults and maximum values differ on FastIron IPv4 devices versus IPv6-capable devices.
• For more information about Layer 3 system parameter limits, see “Modifying and Displaying Layer 3 System Parameter Limits” on page 21-3.

Displayin